From 051abe8e182080e233751cbab238fe6a9b8529e9 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 18 Jul 2021 00:10:39 +0000 Subject: [PATCH] vpn-policy-routing: update to 0.3.5-1 support for 21.02.0-rc2 and up support for reloading a single interface on ifup/ifupdate rename config file updated shellcheck compatibility remove obsolete create/remove_lock interface processing optimizations to speed up reloads drop dependency on curl in user scripts uniform styling of functions Signed-off-by: Stan Grishin --- net/vpn-policy-routing/Makefile | 8 +- .../files/vpn-policy-routing.aws.user | 2 +- ...routing.conf => vpn-policy-routing.config} | 0 .../files/vpn-policy-routing.init | 311 +++++++++++------- .../files/vpn-policy-routing.netflix.user | 6 +- 5 files changed, 203 insertions(+), 124 deletions(-) rename net/vpn-policy-routing/files/{vpn-policy-routing.conf => vpn-policy-routing.config} (100%) diff --git a/net/vpn-policy-routing/Makefile b/net/vpn-policy-routing/Makefile index f5ac833384..d1476bbc42 100644 --- a/net/vpn-policy-routing/Makefile +++ b/net/vpn-policy-routing/Makefile @@ -4,8 +4,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=vpn-policy-routing -PKG_VERSION:=0.3.2 -PKG_RELEASE:=20 +PKG_VERSION:=0.3.5 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin @@ -39,8 +39,8 @@ define Package/vpn-policy-routing/install $(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall $(1)/etc/ $(INSTALL_BIN) ./files/vpn-policy-routing.init $(1)/etc/init.d/vpn-policy-routing $(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpn-policy-routing - $(INSTALL_CONF) ./files/vpn-policy-routing.conf $(1)/etc/config/vpn-policy-routing - $(INSTALL_DATA) ./files/vpn-policy-routing.firewall.hotplug $(1)/etc/hotplug.d/firewall/99-vpn-policy-routing + $(INSTALL_CONF) ./files/vpn-policy-routing.config $(1)/etc/config/vpn-policy-routing + $(INSTALL_DATA) ./files/vpn-policy-routing.firewall.hotplug $(1)/etc/hotplug.d/firewall/70-vpn-policy-routing $(INSTALL_DATA) ./files/vpn-policy-routing.aws.user $(1)/etc/vpn-policy-routing.aws.user $(INSTALL_DATA) ./files/vpn-policy-routing.netflix.user $(1)/etc/vpn-policy-routing.netflix.user endef diff --git a/net/vpn-policy-routing/files/vpn-policy-routing.aws.user b/net/vpn-policy-routing/files/vpn-policy-routing.aws.user index a00770be75..4f99ed5e43 100644 --- a/net/vpn-policy-routing/files/vpn-policy-routing.aws.user +++ b/net/vpn-policy-routing/files/vpn-policy-routing.aws.user @@ -9,7 +9,7 @@ TARGET_FNAME="/var/vpn-policy-routing_tmp_aws_ip_ranges" _ret=1 if [ ! -s "$TARGET_FNAME" ]; then - curl "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_FNAME" + uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_FNAME" fi if [ -s "$TARGET_FNAME" ]; then awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0 diff --git a/net/vpn-policy-routing/files/vpn-policy-routing.conf b/net/vpn-policy-routing/files/vpn-policy-routing.config similarity index 100% rename from net/vpn-policy-routing/files/vpn-policy-routing.conf rename to net/vpn-policy-routing/files/vpn-policy-routing.config diff --git a/net/vpn-policy-routing/files/vpn-policy-routing.init b/net/vpn-policy-routing/files/vpn-policy-routing.init index 0950698232..b15b1af498 100755 --- a/net/vpn-policy-routing/files/vpn-policy-routing.init +++ b/net/vpn-policy-routing/files/vpn-policy-routing.init @@ -1,6 +1,6 @@ #!/bin/sh /etc/rc.common # Copyright 2017-2020 Stan Grishin (stangri@melmac.net) -# shellcheck disable=SC2039,SC1091,SC2018,SC2019 +# shellcheck disable=SC2039,SC1091,SC2018,SC2019,SC3043,SC3057,SC3060 PKG_VERSION='dev-test' # sysctl net.ipv4.conf.default.rp_filter=1 @@ -18,9 +18,10 @@ if type extra_command 1>/dev/null 2>&1; then WARNING: while paste.ee uploads are unlisted, they are still publicly available List domain names after options to include their lookup in report" extra_command 'version' 'Show version information' + extra_command 'reload_interface' 'Reload specific interface only' else # shellcheck disable=SC2034 - EXTRA_COMMANDS='support version' + EXTRA_COMMANDS='reload_interface support version' # shellcheck disable=SC2034 EXTRA_HELP=" support Generates output required to troubleshoot routing issues Use '-d' option for more detailed output @@ -50,15 +51,12 @@ wanIface4=''; wanIface6=''; ifaceMark=''; ifaceTableID=''; ifAll=''; ifSupported=''; ignoredIfaces=''; supportedIfaces=''; icmpIface=''; wanGW4=''; wanGW6=''; bootTimeout=''; insertOption=''; webuiChainColumn=''; webuiShowIgnore=''; dnsmasqIpsetSupported=''; -procdReloadDelay=''; +procdReloadDelay=''; mainTableListing=''; usedChainsList='PREROUTING' ipsetSupported='true' configLoaded='false' version() { echo "$PKG_VERSION"; } -create_lock() { [ -e "$PIDFile" ] && return 1; touch "$PIDFile"; } -remove_lock() { [ -e "$PIDFile" ] && rm -f "$PIDFile"; } -trap remove_lock EXIT output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; } output_okn() { output 1 "$_OK_\\n"; output 2 "$__OK__\\n"; } output_fail() { s=1; output 1 "$_FAIL_"; output 2 "$__FAIL__\\n"; } @@ -75,7 +73,7 @@ output() { # Can take a single parameter (text) to be output at any verbosity # Or target verbosity level and text to be output at specifc verbosity local msg memmsg logmsg - if [ $# -ne 1 ]; then + if [ "$#" -ne 1 ]; then if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi fi [ -t 1 ] && printf "%b" "$1" @@ -125,7 +123,7 @@ vpr_get_gateway6() { } is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; } is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; } -is_ovpn() { local dev; dev=$(uci -q get network."$1".ifname); [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +is_ovpn() { local dev i; for i in ifname device; do [ -z "$dev" ] && dev="$(uci -q get "network.${1}.${i}")"; done; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; } is_tor() { [ "$(str_to_lower "$1")" = "tor" ]; } is_tor_running() { @@ -160,13 +158,15 @@ dnsmasq_kill() { killall -q -HUP dnsmasq; } dnsmasq_restart() { output 3 'Restarting DNSMASQ '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; } is_default_dev() { [ "$1" = "$(ip -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; } is_supported_iface_dev() { + local n for n in $ifSupported; do if [ "$1" = "$(uci -q get "network.${n}.ifname" || echo "$n")" ] || \ + [ "$1" = "$(uci -q get "network.${n}.device" || echo "$n")" ] || \ [ "$1" = "$(uci -q get "network.${n}.proto")-${n}" ] ; then return 0; fi done return 1 } -is_supported_protocol () { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; } +is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; } append_chains_targets() { local chain iface name config_get name "$1" 'name' 'blank' @@ -195,6 +195,7 @@ load_package_config() { config_get_bool ipv6Enabled 'config' 'ipv6_enabled' 0 config_get_bool srcIpset 'config' 'src_ipset' 0 config_get_bool destIpset 'config' 'dest_ipset' 0 + config_get_bool mainTableListing 'config' 'quick_table_create' 0 config_get resolverIpset 'config' 'resolver_ipset' 'dnsmasq.ipset' config_get verbosity 'config' 'verbosity' '2' config_get wanTableID 'config' 'wan_tid' '201' @@ -220,6 +221,12 @@ load_package_config() { mkdir -p "${jsonFile%/*}" mkdir -p "${dnsmasqFile%/*}" + if [ "$mainTableListing" -ne 0 ]; then + mainTableListing='default' + else + mainTableListing='' + fi + if [ -n "$icmpIface" ] && ! str_contains_word "$usedChainsList" 'OUTPUT'; then usedChainsList="$usedChainsList OUTPUT" fi @@ -482,7 +489,7 @@ insert_policy() { return 0 } -r_process_policy(){ +r_process_policy() { local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$7" chain="$8" resolved_laddr resolved_raddr i ipsFailFlag if str_contains "$laddr" '[ ;\{\}]'; then for i in $(str_extras_to_space "$laddr"); do [ -n "$i" ] && r_process_policy "$comment" "$iface" "$i" "$lport" "$raddr" "$rport" "$proto" "$chain"; done @@ -546,7 +553,7 @@ r_process_policy(){ fi } -process_policy(){ +process_policy() { local name comment iface laddr lport raddr rport param mark processPolicyError processPolicyWarning proto chain enabled config_get comment "$1" 'comment' config_get name "$1" 'name' 'blank' @@ -597,22 +604,18 @@ process_policy(){ fi } -table_destroy(){ +table_destroy() { local tid="$1" iface="$2" mark="$3" if [ -n "$tid" ] && [ -n "$iface" ] && [ -n "$mark" ]; then ipt -t mangle -F "VPR_MARK${mark}" ipt -t mangle -X "VPR_MARK${mark}" - ip -4 rule del fwmark "$mark" table "$tid" >/dev/null 2>&1 - ip -6 rule del fwmark "$mark" table "$tid" >/dev/null 2>&1 - ip -4 rule del table "$tid" >/dev/null 2>&1 - ip -6 rule del table "$tid" >/dev/null 2>&1 - ip -4 route flush table "$tid" >/dev/null 2>&1 - ip -6 route flush table "$tid" >/dev/null 2>&1 + ip rule del fwmark "$mark" table "$tid" >/dev/null 2>&1 + ip rule del table "$tid" >/dev/null 2>&1 + ip route flush table "$tid" >/dev/null 2>&1 ips 'flush' "${iface}"; ips 'destroy' "${iface}"; ips 'flush' "${iface}_ip"; ips 'destroy' "${iface}_ip"; ips 'flush' "${iface}_mac"; ips 'destroy' "${iface}_mac"; - ip -4 route flush cache - ip -6 route flush cache + ip route flush cache sed -i "/$iface/d" /etc/iproute2/rt_tables return 0 else @@ -621,31 +624,33 @@ table_destroy(){ } # shellcheck disable=SC2086 -table_create(){ - local tid="$1" mark="$2" iface="$3" gw4="$4" dev="$5" gw6="$6" dev6="$7" dscp s=0 i ipv4_error=0 ipv6_error=1 +table_create() { + local tid="$1" mark="$2" iface="$3" gw4="$4" dev="$5" gw6="$6" dev6="$7" match="$8" dscp s=0 i ipv4_error=0 ipv6_error=1 if [ -z "$tid" ] || [ -z "$mark" ] || [ -z "$iface" ]; then return 1 fi - table_destroy "$tid" "$iface" "$mark" + sed -i "/$iface/d" /etc/iproute2/rt_tables + ip route flush table "$tid" >/dev/null 2>&1 if [ -n "$gw4" ] || [ "$strictMode" -ne 0 ]; then - echo "$tid" "$iface" >> /etc/iproute2/rt_tables + echo "$tid $iface" >> /etc/iproute2/rt_tables if [ -z "$gw4" ]; then ip -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else ip -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi -# ip -4 route list table main | grep -v 'br-lan' | while read -r i; do - ip -4 route list table main | while read -r i; do + while read -r i; do idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')" if ! is_supported_iface_dev "$idev"; then ip -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi - done - ip -4 route flush cache || ipv4_error=1 - ip -4 rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv4_error=1 + done << EOF +$(ip -4 route list $mainTableListing table main) +EOF + [ -n "$(ip rule list fwmark "${mark}/${fwMask}" table "$tid")" ] || \ + ip rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv4_error=1 ipt -t mangle -N "VPR_MARK${mark}" || ipv4_error=1 ipt -t mangle -A "VPR_MARK${mark}" -j MARK --set-xmark "${mark}/${fwMask}" || ipv4_error=1 ipt -t mangle -A "VPR_MARK${mark}" -j RETURN || ipv4_error=1 @@ -657,16 +662,16 @@ table_create(){ if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then ip -6 route add unreachable default table "$tid" || ipv6_error=1 else - ip -6 route list table main | grep " dev $dev6 " | while read -r i; do + while read -r i; do ip -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 - done + done << EOF +$(ip -6 route list $mainTableListing table main | grep " dev $dev6 ") +EOF fi - ip -6 route flush cache || ipv6_error=1 - ip -6 rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv6_error=1 fi fi - if [ $ipv4_error -eq 0 ] || [ $ipv6_error -eq 0 ]; then + if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then dscp="$(uci -q get "${packageName}".config."${iface}"_dscp)" if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then ipt -t mangle -I VPR_PREROUTING -m dscp --dscp "${dscp}" -g "VPR_MARK${mark}" || s=1 @@ -704,8 +709,59 @@ table_create(){ return $s } -process_interface(){ - local gw4 gw6 dev dev6 s=0 dscp iface="$1" action="$2" displayText +table_reload() { + local tid="$1" mark="$2" iface="$3" gw4="$4" dev="$5" gw6="$6" dev6="$7" match="$8" dscp s=0 i ipv4_error=0 ipv6_error=1 + + if [ -z "$tid" ] || [ -z "$mark" ] || [ -z "$iface" ]; then + return 1 + fi + + ip -4 route del default table "$tid" >/dev/null 2>&1 + if [ -n "$gw4" ] || [ "$strictMode" -ne 0 ]; then + if [ -z "$gw4" ]; then + ip -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + else + ip -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + fi + ip -4 route flush cache || ipv4_error=1 + ip -4 rule del fwmark "${mark}/${fwMask}" table "$tid" >/dev/null 2>&1 + ip -4 rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv4_error=1 + fi + + if [ "$ipv6Enabled" -ne 0 ]; then + ip -6 route del default table "$tid" >/dev/null 2>&1 + ipv6_error=0 + if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strictMode" -ne 0 ]; then + if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then + ip -6 route add unreachable default table "$tid" || ipv6_error=1 + else + ip -6 route list table main | grep " dev $dev6 " | while read -r i; do + ip -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + done + fi + ip -6 route flush cache || ipv6_error=1 + ip -6 rule del fwmark "${mark}/${fwMask}" table "$tid" >/dev/null 2>&1 + ip -6 rule add fwmark "${mark}/${fwMask}" table "$tid" || ipv6_error=1 + fi + fi + + if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then + dscp="$(uci -q get "${packageName}".config."${iface}"_dscp)" + if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then + ipt -t mangle -I VPR_PREROUTING -m dscp --dscp "${dscp}" -g "VPR_MARK${mark}" || s=1 + fi + if [ "$iface" = "$icmpIface" ]; then + ipt -t mangle -I VPR_OUTPUT -p icmp -g "VPR_MARK${mark}" || s=1 + fi + else + s=1 + fi + + return $s +} + +process_interface() { + local gw4 gw6 dev dev6 s=0 dscp iface="$1" action="$2" match="$3" displayText is_supported_interface "$iface" || return 0 is_wan6 "$iface" && return 0 @@ -713,9 +769,11 @@ process_interface(){ network_get_device dev "$iface" [ -z "$dev" ] && config_get dev "$iface" 'ifname' + [ -z "$dev" ] && config_get dev "$iface" 'device' if is_wan "$iface" && [ -n "$wanIface6" ]; then network_get_device dev6 "$wanIface6" [ -z "$dev6" ] && config_get dev6 "$wanIface6" 'ifname' + [ -z "$dev6" ] && config_get dev6 "$wanIface6" 'device' fi [ -z "$dev6" ] && dev6="$dev" @@ -729,7 +787,6 @@ process_interface(){ create) eval "mark_${iface//-/_}"='$ifaceMark' eval "tid_${iface//-/_}"='$ifaceTableID' - table_destroy "${ifaceTableID}" "${iface}" vpr_get_gateway gw4 "$iface" "$dev" vpr_get_gateway6 gw6 "$iface" "$dev6" if [ "$iface" = "$dev" ]; then @@ -738,14 +795,29 @@ process_interface(){ displayText="${iface}/${dev}/${gw4:-0.0.0.0}" fi [ "$ipv6Enabled" -ne 0 ] && displayText="${displayText}/${gw6:-::/0}" - output 2 "Creating table '$displayText' " - is_default_dev "$dev" && displayText="${displayText} ${__OK__}" - if table_create "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6"; then - gatewaySummary="${gatewaySummary}${displayText}\\n" - output_ok + if [ -z "$match" ]; then + output 2 "Creating table '$displayText' " + is_default_dev "$dev" && displayText="${displayText} ${__OK__}" + if table_create "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$match"; then + gatewaySummary="${gatewaySummary}${displayText}\\n" + output_ok + else + errorSummary="${errorSummary}${_ERROR_}: Failed to set up '$displayText'\\n" + output_fail + fi + elif [ "$iface" = "$match" ]; then + output 2 "Reloading table '$displayText' " + is_default_dev "$dev" && displayText="${displayText} ${__OK__}" + if table_reload "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$match"; then + gatewaySummary="${gatewaySummary}${displayText}\\n" + output_ok + else + errorSummary="${errorSummary}${_ERROR_}: Failed to reload '$displayText'\\n" + output_fail + fi else - errorSummary="${errorSummary}${_ERROR_}: Failed to set up '$displayText'\\n" - output_fail + is_default_dev "$dev" && displayText="${displayText} ${__OK__}" + gatewaySummary="${gatewaySummary}${displayText}\\n" fi ifaceTableID="$((ifaceTableID + 1))"; ifaceMark="$(printf '0x%06x' $((ifaceMark + wanMark)))"; ;; @@ -753,7 +825,7 @@ process_interface(){ return $s } -process_tor_interface(){ +process_tor_interface() { local s=0 iface="$1" action="$2" displayText case "$action" in destroy) @@ -783,7 +855,7 @@ process_tor_interface(){ s=1 fi displayText="${iface}/53->${dnsPort}/80,443->${transPort}" - if [ "$s" -eq "0" ]; then + if [ "$s" -eq 0 ]; then gatewaySummary="${gatewaySummary}${displayText}\\n" output_ok else @@ -795,7 +867,7 @@ process_tor_interface(){ return $s } -convert_config(){ +convert_config() { local i src_ipset dest_ipset resolver_ipset [ -s "/etc/config/${packageName}" ] || return 0 grep -q "ignored_interfaces" "/etc/config/${packageName}" && sed -i 's/ignored_interfaces/ignored_interface/g' "/etc/config/${packageName}" @@ -853,8 +925,8 @@ convert_config(){ done } -check_config(){ local en; config_get_bool en "$1" 'enabled' 1; [ "$en" -gt 0 ] && _cfg_enabled=0; } -is_config_enabled(){ +check_config() { local en; config_get_bool en "$1" 'enabled' 1; [ "$en" -gt 0 ] && _cfg_enabled=0; } +is_config_enabled() { local cfg="$1" _cfg_enabled=1 [ -n "$1" ] || return 1 config_load "$packageName" @@ -862,7 +934,7 @@ is_config_enabled(){ return "$_cfg_enabled" } -process_user_file(){ +process_user_file() { local path enabled shellBin="${SHELL:-/bin/ash}" config_get_bool enabled "$1" 'enabled' 1 config_get path "$1" 'path' @@ -893,37 +965,46 @@ process_user_file(){ fi } +boot() { rc_procd start_service && rc_procd service_triggers; } + start_service() { - local dnsmasqStoredHash dnsmasqNewHash i modprobeStatus=0 + local dnsmasqStoredHash dnsmasqNewHash i modprobeStatus=0 reloadedIface="$1" convert_config is_enabled 'on_start' || return 1 is_wan_up || return 1 - if create_lock; then - if [ -s "$dnsmasqFile" ]; then - dnsmasqStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')" - rm -f "$dnsmasqFile" - fi - for i in xt_set ip_set ip_set_hash_ip; do - modprobe "$i" >/dev/null 2>/dev/null || modprobeStatus=$((modprobeStatus + 1)) - done + iptables -t 'mangle' --list 'VPR_PREROUTING' >/dev/null 2>&1 || unset reloadedIface + [ -n "$(tmpfs get status)" ] || unset reloadedIface - if [ "$modprobeStatus" -gt 0 ] && ! is_chaos_calmer; then - errorSummary="${errorSummary}${_ERROR_}: Failed to load kernel modules\\n" - fi + if [ -s "$dnsmasqFile" ]; then + dnsmasqStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')" + rm -f "$dnsmasqFile" + fi + for i in xt_set ip_set ip_set_hash_ip; do + modprobe "$i" >/dev/null 2>/dev/null || modprobeStatus=$((modprobeStatus + 1)) + done + + if [ "$modprobeStatus" -gt 0 ] && ! is_chaos_calmer; then + errorSummary="${errorSummary}${_ERROR_}: Failed to load kernel modules\\n" + fi + + if [ -z "$reloadedIface" ]; then for i in $usedChainsList; do ipt -t mangle -N "VPR_${i}" ipt -t mangle "$insertOption" "$i" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}" done + fi + if [ -z "$reloadedIface" ]; then output 1 'Processing Interfaces ' config_load 'network'; config_foreach process_interface 'interface' 'create'; process_tor_interface 'tor' 'destroy'; is_tor_running && process_tor_interface 'tor' 'create'; + ip route flush cache output 1 '\n' if is_config_enabled 'policy'; then output 1 'Processing Policies ' - config_load "$packageName"; config_foreach process_policy 'policy'; + config_load "$packageName"; config_foreach process_policy 'policy' "$reloadedIface"; output 1 '\n' fi if is_config_enabled 'include'; then @@ -931,38 +1012,37 @@ start_service() { config_load "$packageName"; config_foreach process_user_file 'include'; output 1 '\n' fi + else + output 1 "Reloading Interface: $reloadedIface " + config_load 'network'; config_foreach process_interface 'interface' 'create' "$reloadedIface"; + output 1 '\n' + fi - if [ -s "$dnsmasqFile" ]; then - dnsmasqNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')" - fi - [ "$dnsmasqNewHash" != "$dnsmasqStoredHash" ] && dnsmasq_restart + if [ -s "$dnsmasqFile" ]; then + dnsmasqNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')" + fi + [ "$dnsmasqNewHash" != "$dnsmasqStoredHash" ] && dnsmasq_restart - if [ -z "$gatewaySummary" ]; then - errorSummary="${errorSummary}${_ERROR_}: failed to set up any gateway!\\n" - fi - procd_open_instance "main" - procd_set_param command /bin/true - procd_set_param stdout 1 - procd_set_param stderr 1 - procd_open_data - json_add_array 'status' - json_add_object '' - [ -n "$gatewaySummary" ] && json_add_string gateway "$gatewaySummary" - [ -n "$errorSummary" ] && json_add_string error "$errorSummary" - [ -n "$warningSummary" ] && json_add_string warning "$warningSummary" - if [ "$strictMode" -ne 0 ] && str_contains "$gatewaySummary" '0.0.0.0'; then - json_add_string mode "strict" - fi - json_close_object - json_close_array - procd_close_data - procd_close_instance - remove_lock - else - output "$serviceName: another instance of ${packageName} is currently running " - output_failn - return 1 + if [ -z "$gatewaySummary" ]; then + errorSummary="${errorSummary}${_ERROR_}: failed to set up any gateway!\\n" fi + procd_open_instance "main" + procd_set_param command /bin/true + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_open_data + json_add_array 'status' + json_add_object '' + [ -n "$gatewaySummary" ] && json_add_string gateway "$gatewaySummary" + [ -n "$errorSummary" ] && json_add_string error "$errorSummary" + [ -n "$warningSummary" ] && json_add_string warning "$warningSummary" + if [ "$strictMode" -ne 0 ] && str_contains "$gatewaySummary" '0.0.0.0'; then + json_add_string mode "strict" + fi + json_close_object + json_close_array + procd_close_data + procd_close_instance } tmpfs() { @@ -1025,30 +1105,25 @@ service_started() { stop_service() { local i iptables -t mangle -L | grep -q VPR_PREROUTING || return 0 - if create_lock; then - load_package_config - for i in PREROUTING FORWARD INPUT OUTPUT; do - ipt -t mangle -D "${i}" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}" - ipt -t mangle -F "VPR_${i}"; ipt -t mangle -X "VPR_${i}"; - done - config_load 'network'; config_foreach process_interface 'interface' 'destroy'; - process_tor_interface 'tor' 'destroy' - unset ifaceTableID; unset ifaceMark; - if [ -s "$dnsmasqFile" ]; then - rm -f "$dnsmasqFile" - dnsmasq_restart - fi - if [ "$serviceEnabled" -ne 0 ]; then - output "$serviceName stopped "; output_okn; - fi - remove_lock - else - output "$serviceName: another instance of ${packageName} is currently running "; output_failn; - return 1 + load_package_config + for i in PREROUTING FORWARD INPUT OUTPUT; do + ipt -t mangle -D "${i}" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}" + ipt -t mangle -F "VPR_${i}"; ipt -t mangle -X "VPR_${i}"; + done + config_load 'network'; config_foreach process_interface 'interface' 'destroy'; + process_tor_interface 'tor' 'destroy' + unset ifaceTableID; unset ifaceMark; + if [ -s "$dnsmasqFile" ]; then + rm -f "$dnsmasqFile" + dnsmasq_restart + fi + if [ "$serviceEnabled" -ne 0 ]; then + output "$serviceName stopped "; output_okn; fi } -# shellcheck disable=SC2119 +reload_interface() { rc_procd start_service "$1"; } + service_triggers() { local n is_enabled || return 1 @@ -1070,7 +1145,9 @@ service_triggers() { procd_add_service_trigger "service.restart" "firewall" /etc/init.d/${packageName} reload fi procd_add_config_trigger "config.change" "${packageName}" /etc/init.d/${packageName} reload - for n in $ifSupported; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done; + for n in $ifSupported; do + procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload_interface "$n" + done procd_close_trigger output 3 "$serviceName monitoring interfaces: $ifSupported"; output_okn; @@ -1085,10 +1162,12 @@ support() { json_load "$(ubus call system board)"; json_select release; json_get_var dist distribution; json_get_var vers version if [ -n "$wanIface4" ]; then network_get_gateway wanGW4 "$wanIface4" - dev="$(uci -q get network."${wanIface4}".ifname)" + [ -z "$dev" ] && dev="$(uci -q get network."${wanIface4}".ifname)" + [ -z "$dev" ] && dev="$(uci -q get network."${wanIface4}".device)" fi if [ -n "$wanIface6" ]; then - dev6="$(uci -q get network."${wanIface6}".ifname)" + [ -z "$dev6" ] && dev6="$(uci -q get network."${wanIface6}".ifname)" + [ -z "$dev6" ] && dev6="$(uci -q get network."${wanIface6}".device)" wanGW6=$(ip -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') [ "$wanGW6" = "default" ] && wanGW6=$(ip -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') fi diff --git a/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user b/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user index 02335c4b35..1a287d5678 100644 --- a/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user +++ b/net/vpn-policy-routing/files/vpn-policy-routing.netflix.user @@ -15,17 +15,17 @@ _ret=1 if [ ! -s "$TARGET_FNAME" ]; then if [ "$DB_SOURCE" = "ipinfo.io" ]; then TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}" - curl "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*//" > "$TARGET_FNAME" + uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*//" > "$TARGET_FNAME" fi if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}" - curl "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_FNAME" + uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_FNAME" fi if [ "$DB_SOURCE" = "api.bgpview.io" ]; then TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes" - curl -s "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME" + uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME" fi fi -- 2.30.2