*** MAKEFILE ***
* remove libubus dependency as it was causing issues
https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/318
* move firewall hotplug directory/file creation out of default section into
pbr and pbr-iptables packages sections in preparation for dropping it from pbr
* fix no new line after output when uninstalling packages
*** UCI-DEFAULTS ***
* only add firewall include to firewall config if the include file exists
* add shellcheck exception to netifd uci-defaults file
*** SCRIPTS ***
* more informative logging for firewall and iface hotplug scripts
* more informative logging for firewall include script
*** SERVICE ***
* introduce lock-file to prevent package starting on external events if it hasn't
been auto- or manually started before
* use the `ip`, not `ip-full` command to prevent errors on OpenWrt 21.02
* parse firewall WAN zone to append list of interfaces
* append error and warning "arrays" with new messages
* used shared memory to store the service output/logging messages
* improve is_ovpn function to filter out false positives when interface names started
with `tun`
* introduce is_valid_ovpn to find OpenVPN tunnels where the device name in OpenVPN config
matches the device name in network config
* introduce opkg_get_version to compare versions of principal and luci packages
* better code to obtain AdGuardHome version with betas installed
* optimize code and add better logging for errors when inserting policies with iptables
* optimize code and add better logging for errors when inserting policies with nft
* bugfix: insert policies in all specified protocols
* bugfix: support using physical devices in policies in nft mode
* bugfix: use iptPrefix, not nftPrefix in iptables commands
* implement Tor support in nft mode
* bugfix: fix spelling for User File Syntax error
* restart service fully (instead of quick reload) for OpenVPN interface events, as
the order/number of supported interfaces
* more verbose output (showing handles) of status in nft mode
* improve `icmp_interface`, `ignored_interface`, `supported_interface` validation
regexes
* improve `interface` validation regex
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit cdfff4a693)
# Copyright 2017-2022 Stan Grishin (stangri@melmac.ca)
# This is free software, licensed under the GNU General Public License v3.
include $(TOPDIR)/rules.mk

# Package identity. PKG_VERSION and PKG_RELEASE are also stamped into the
# installed init script by Package/pbr/default/install (see its $(SED) line),
# so bumping them here changes the version the service reports at runtime.
PKG_NAME:=pbr
PKG_VERSION:=1.1.1
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>

include $(INCLUDE_DIR)/package.mk
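# Metadata shared by the three package flavours below (pbr, pbr-iptables,
# pbr-netifd). Each flavour $(call)s this block and then appends to TITLE
# and DEPENDS.
#
# Fix: the original assigned PROVIDES twice (first "pbr", then
# "vpnbypass vpn-policy-routing"); the second ":=" silently overwrote the
# first, so no flavour actually provided the plain "pbr" name. The three
# names are now set in a single assignment.
define Package/pbr/default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=VPN
  TITLE:=Policy Based Routing Service
  URL:=https://docs.openwrt.melmac.net/pbr/
  DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
  CONFLICTS:=vpnbypass vpn-policy-routing
  PROVIDES:=pbr vpnbypass vpn-policy-routing
  PKGARCH:=all
endef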
# nft/fw4 flavour: the shared metadata plus the nftables tool chain.
# The $(call) must stay first so the appends below see the base values.
define Package/pbr
  $(call Package/pbr/default)
  DEPENDS+=+firewall4 +kmod-nft-core +kmod-nft-nat +nftables-json
  TITLE+= with nft/nft set support
endef
# iptables/fw3 flavour: the shared metadata plus ipset/iptables and the
# kernel modules they need. The $(call) must stay first.
define Package/pbr-iptables
  $(call Package/pbr/default)
  DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt
  TITLE+= with iptables/ipset support
endef
# netifd flavour: shared metadata only, no extra firewall dependencies.
# Its BuildPackage call at the bottom of this file is commented out, and the
# description below calls it WIP.
define Package/pbr-netifd
$(call Package/pbr/default)
TITLE+= with netifd support
endef
# User-visible description of the nft flavour.
# NOTE(review): the text mentions fw3/ipset/iptables, while Package/pbr
# depends on firewall4 and the iptables variant has its own description —
# confirm the wording is still accurate.
define Package/pbr/description
This service enables policy-based routing for WAN interfaces and various VPN tunnels.
This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
endef
# User-visible description of the iptables flavour.
define Package/pbr-iptables/description
This service enables policy-based routing for WAN interfaces and various VPN tunnels.
This version supports OpenWrt with fw3/ipset/iptables.
endef
# User-visible description of the netifd flavour (not built by default; see
# the commented-out BuildPackage call at the end of this file).
define Package/pbr-netifd/description
This service enables policy-based routing for WAN interfaces and various VPN tunnels.
This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
endef
# Files opkg treats as configuration (preserved on upgrade). The same list
# is reused for the other two flavours right below.
define Package/pbr/conffiles
/etc/config/pbr
endef
# Both alternative flavours install their config as /etc/config/pbr too, so
# they share the conffiles list of the main package.
Package/pbr-iptables/conffiles = $(Package/pbr/conffiles)
Package/pbr-netifd/conffiles = $(Package/pbr/conffiles)
# Nothing to configure: the package only ships scripts and config files
# copied from ./files by the install defines below.
define Build/Configure
endef
# Nothing to compile: the package only ships scripts and config files
# copied from ./files by the install defines below.
define Build/Compile
endef
# Files common to every flavour. $(1) is the staging root passed by the
# per-package install defines. Directories are created before use so the
# trailing-slash install targets below resolve to existing directories.
# INSTALL_BIN/INSTALL_DATA/INSTALL_CONF come from rules.mk (not shown here);
# the init script and the uci-defaults script are the only executables.
define Package/pbr/default/install
	$(INSTALL_DIR) $(1)/etc/uci-defaults
	$(INSTALL_BIN) ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/
	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/
	$(INSTALL_DIR) $(1)/usr/share/pbr
	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/
	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr
	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
endef
# nft flavour: the common files plus the fw4 include script, the nftables.d
# drop-ins and the nft-specific default config. The config goes in with
# INSTALL_CONF rather than INSTALL_DATA so it gets the mode rules.mk reserves
# for config files (presumably owner-only; confirm in rules.mk).
# $(CP) copies the whole nftables.d tree (it is defined in rules.mk).
define Package/pbr/install
	$(call Package/pbr/default/install,$(1))
	$(INSTALL_DIR) $(1)/usr/share/nftables.d
	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
	$(INSTALL_DIR) $(1)/usr/share/pbr
	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/
endef
# iptables flavour: the common files, an iptables-specific default config
# installed under the shared /etc/config/pbr name, and the fw3 firewall
# hotplug hook (this flavour is the only one that installs it).
define Package/pbr-iptables/install
	$(call Package/pbr/default/install,$(1))
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
	$(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/
endef
# netifd flavour: the common files, the same default config as the nft
# flavour, and a second uci-defaults script (91-pbr) that runs after the
# common 90-pbr.
define Package/pbr-netifd/install
	$(call Package/pbr/default/install,$(1))
	$(INSTALL_DIR) $(1)/etc/uci-defaults
	$(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr $(1)/etc/uci-defaults/
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/
endef
# Post-install hook for the nft flavour, emitted as a shell script into the
# ipk. "$$" becomes a single "$" in the generated script.
# The hook does nothing when IPKG_INSTROOT is set (image build); on a live
# system it reloads fw4 with the init script temporarily non-executable
# (presumably so the reload does not fire the pbr include before the service
# is enabled — confirm against the include script), then enables the
# service. Every step is best-effort; the script always exits 0.
define Package/pbr/postinst
	#!/bin/sh
	# not a live system: nothing to do
	[ -n "$${IPKG_INSTROOT}" ] && exit 0
	chmod -x /etc/init.d/pbr || true
	fw4 -q reload || true
	chmod +x /etc/init.d/pbr || true
	echo -n "Installing rc.d symlink for pbr... "
	if /etc/init.d/pbr enable; then echo "OK"; else echo "FAIL"; fi
	exit 0
endef
# Pre-removal hook for the nft flavour ("$$" becomes "$" in the script).
# Skipped during image builds (IPKG_INSTROOT set). On a live system it drops
# the firewall.pbr uci section, stops the service and removes the rc.d
# symlink; each step is best-effort and the script always exits 0.
# NOTE(review): the uci delete is not committed here — confirm that a later
# step persists it, otherwise the section reappears after a reboot.
define Package/pbr/prerm
	#!/bin/sh
	# not a live system: nothing to do
	[ -n "$${IPKG_INSTROOT}" ] && exit 0
	uci -q delete firewall.pbr || true
	echo "Stopping pbr service... "
	if /etc/init.d/pbr stop; then echo "OK"; else echo "FAIL"; fi
	echo -n "Removing rc.d symlink for pbr... "
	if /etc/init.d/pbr disable; then echo "OK"; else echo "FAIL"; fi
	exit 0
endef
# Post-removal hook for the nft flavour ("$$" becomes "$" in the script).
# On a live system (IPKG_INSTROOT unset) it reloads fw4 so the rules the
# removed include script created are dropped; failure is ignored.
define Package/pbr/postrm
	#!/bin/sh
	# not a live system: nothing to do
	[ -n "$${IPKG_INSTROOT}" ] && exit 0
	fw4 -q reload || true
	exit 0
endef
# Post-install hook for the iptables flavour ("$$" becomes "$" in the
# script). Unlike the nft flavour there is no firewall reload here; on a
# live system it only enables the shared /etc/init.d/pbr service.
# Always exits 0.
define Package/pbr-iptables/postinst
	#!/bin/sh
	# not a live system: nothing to do
	[ -n "$${IPKG_INSTROOT}" ] && exit 0
	echo -n "Installing rc.d symlink for pbr-iptables... "
	if /etc/init.d/pbr enable; then echo "OK"; else echo "FAIL"; fi
	exit 0
endef
# Pre-removal hook for the iptables flavour ("$$" becomes "$" in the
# script). Same steps as the nft flavour: drop the firewall.pbr uci section,
# stop the service, remove the rc.d symlink; best-effort, always exits 0.
# NOTE(review): the uci delete is not committed here — confirm that a later
# step persists it.
define Package/pbr-iptables/prerm
	#!/bin/sh
	# not a live system: nothing to do
	[ -n "$${IPKG_INSTROOT}" ] && exit 0
	uci -q delete firewall.pbr || true
	echo "Stopping pbr-iptables service... "
	if /etc/init.d/pbr stop; then echo "OK"; else echo "FAIL"; fi
	echo -n "Removing rc.d symlink for pbr-iptables... "
	if /etc/init.d/pbr disable; then echo "OK"; else echo "FAIL"; fi
	exit 0
endef
# Post-install hook for the netifd flavour ("$$" becomes "$" in the
# script). On a live system it only enables the shared /etc/init.d/pbr
# service. Always exits 0.
define Package/pbr-netifd/postinst
	#!/bin/sh
	# not a live system: nothing to do
	[ -n "$${IPKG_INSTROOT}" ] && exit 0
	echo -n "Installing rc.d symlink for pbr-netifd... "
	if /etc/init.d/pbr enable; then echo "OK"; else echo "FAIL"; fi
	exit 0
endef
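# Pre-removal hook for the netifd flavour ("$$" becomes "$" in the script).
# Same steps as the other flavours: drop the firewall.pbr uci section, stop
# the service, remove the rc.d symlink; best-effort, always exits 0.
# Fix: the "Removing rc.d symlink" message named "pbr" while the sibling
# hooks and the "Stopping" line above it name the package being removed;
# it now says pbr-netifd for consistency.
# NOTE(review): the uci delete is not committed here — confirm that a later
# step persists it.
define Package/pbr-netifd/prerm
	#!/bin/sh
	# check if we are on real system
	if [ -z "$${IPKG_INSTROOT}" ]; then
		uci -q delete firewall.pbr || true
		echo "Stopping pbr-netifd service... "
		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
		echo -n "Removing rc.d symlink for pbr-netifd... "
		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
	fi
	exit 0
endef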
# Build the nft and iptables flavours. pbr-netifd is deliberately left out:
# its description above calls it WIP, which is presumably why the call is
# commented rather than removed.
$(eval $(call BuildPackage,pbr))
$(eval $(call BuildPackage,pbr-iptables))
#$(eval $(call BuildPackage,pbr-netifd))