From c269268e00241bf4b90883d225d2107ab6a36000 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Mon, 9 Dec 2024 15:32:01 +0100 Subject: [PATCH 1/5] Fix OMR-ByPass protocols/services issues --- omr-bypass/files/etc/init.d/omr-bypass-nft | 67 +++++++++++----------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/omr-bypass/files/etc/init.d/omr-bypass-nft b/omr-bypass/files/etc/init.d/omr-bypass-nft index e81ecbd3c..2b237601f 100755 --- a/omr-bypass/files/etc/init.d/omr-bypass-nft +++ b/omr-bypass/files/etc/init.d/omr-bypass-nft 
@@ -435,39 +435,39 @@ _bypass_proto_without_ndpi() { if [ -n "$ALLIPS" ]; then if [ "$vpn" != "1" ]; then uci -q batch <<-EOF >/dev/null - set firewall.bypass_$proto=ipset - set firewall.bypass_$proto.name="bypass_$proto" - set firewall.bypass_$proto.match='dest_net' - set firewall.bypass_$proto.family='ipv4' - set firewall.bypass_$proto.enabled='1' - set firewall.bypass_$proto_rule=rule - set firewall.bypass_$proto_rule.name="bypass_$proto_rule" - set firewall.bypass_$proto_rule.src='lan' - set firewall.bypass_$proto_rule.proto='all' - set firewall.bypass_$proto_rule.dest='*' - set firewall.bypass_$proto_rule.family='ipv4' - set firewall.bypass_$proto_rule.target='MARK' - set firewall.bypass_$proto_rule.ipset="bypass_$proto" - set firewall.bypass_$proto_rule.enabled='1' - set firewall.bypass_$proto_rule.set_xmark="0x4539${intfid}" + set firewall.bypass_${proto}=ipset + set firewall.bypass_${proto}.name="bypass_${proto}" + set firewall.bypass_${proto}.match='dest_net' + set firewall.bypass_${proto}.family='ipv4' + set firewall.bypass_${proto}.enabled='1' + set firewall.bypass_${proto}_rule=rule + set firewall.bypass_${proto}_rule.name="bypass_${proto}_rule" + set firewall.bypass_${proto}_rule.src='lan' + set firewall.bypass_${proto}_rule.proto='all' + set firewall.bypass_${proto}_rule.dest='*' + set firewall.bypass_${proto}_rule.family='ipv4' + set firewall.bypass_${proto}_rule.target='MARK' + set firewall.bypass_${proto}_rule.ipset="bypass_${proto}" + set firewall.bypass_${proto}_rule.enabled='1' + set firewall.bypass_${proto}_rule.set_xmark="0x4539${intfid}" commit firewall EOF uci -q batch <<-EOF >/dev/null - set firewall.bypass6_$proto=ipset - set firewall.bypass6_$proto.name="bypass6_$proto" - set firewall.bypass6_$proto.match='dest_net' - set firewall.bypass6_$proto.family='ipv6' - set firewall.bypass6_$proto.enabled='1' - set firewall.bypass6_$proto_rule=rule - set firewall.bypass6_$proto_rule.name="bypass6_$proto_rule" - set 
firewall.bypass6_$proto_rule.src='lan' - set firewall.bypass6_$proto_rule.family='ipv6' - set firewall.bypass6_$proto_rule.dest='*' - set firewall.bypass6_$proto_rule.proto='all' - set firewall.bypass6_$proto_rule.target='MARK' - set firewall.bypass6_$proto_rule.set_xmark="0x6539${intfid}" - set firewall.bypass6_$proto_rule.ipset="bypass6_$proto" - set firewall.bypass6_$proto_rule.enabled='1' + set firewall.bypass6_${proto}=ipset + set firewall.bypass6_${proto}.name="bypass6_${proto}" + set firewall.bypass6_${proto}.match='dest_net' + set firewall.bypass6_${proto}.family='ipv6' + set firewall.bypass6_${proto}.enabled='1' + set firewall.bypass6_${proto}_rule=rule + set firewall.bypass6_${proto}_rule.name="bypass6_${proto}_rule" + set firewall.bypass6_${proto}_rule.src='lan' + set firewall.bypass6_${proto}_rule.family='ipv6' + set firewall.bypass6_${proto}_rule.dest='*' + set firewall.bypass6_${proto}_rule.proto='all' + set firewall.bypass6_${proto}_rule.target='MARK' + set firewall.bypass6_${proto}_rule.set_xmark="0x6539${intfid}" + set firewall.bypass6_${proto}_rule.ipset="bypass6_${proto}" + set firewall.bypass6_${proto}_rule.enabled='1' commit firewall EOF #if [ "$intfid" != "" ]; then @@ -499,7 +499,7 @@ _bypass_proto_without_ndpi() { if [ "$valid_ip4" = "ok" ]; then if [ "$vpn" != "1" ]; then #ipset -q add bypass_$proto $ip - uci -q add_list firewall.bypass_$proto.entry="$ip" + uci -q add_list firewall.bypass_${proto}.entry="$ip" else #ipset -q add omr_dst_bypass_$intf $ip uci -q add_list firewall.omr_dst_bypass_${intf}_4.entry="$ip" @@ -507,7 +507,7 @@ _bypass_proto_without_ndpi() { elif [ "$valid_ip6" = "ok" ]; then if [ "$vpn" != "1" ]; then #ipset -q add bypass6_$proto $ip - uci -q add_list firewall.bypass6_$proto.entry=$ip + uci -q add_list firewall.bypass6_${proto}.entry=$ip else #ipset -q add omr6_dst_bypass_$intf $ip uci -q add_list firewall.omr_dst_bypass_${intf}_6.entry="$ip" 
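Review bot: With `${proto}` now expanding correctly, the UCI section names `bypass_${proto}` and `bypass_${proto}_rule` inherit whatever characters `$proto` carries, and UCI section names are limited to `[A-Za-z0-9_]`; a protocol name with `-` or `.` would make every `set` in the batch fail, and `uci -q batch … >/dev/null` hides that, so the bypass silently never gets installed. Where `$proto` comes from is outside this hunk (`_bypass_proto_without_ndpi` starts above it), so if it can be user- or list-supplied, validate it before the first batch: `case "$proto" in *[!A-Za-z0-9_]*) logger -t omr-bypass "skipping bypass for invalid protocol name $proto"; return ;; esac`. A short comment above the batch, `# section names must be valid UCI identifiers (letters, digits, _)`, would also explain why the brace form matters here.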
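Review bot: The IPv6 branch still leaves `$ip` unquoted, `uci -q add_list firewall.bypass6_${proto}.entry=$ip`, while the IPv4 branch right above quotes it; with `-q` a word-split or empty value fails silently. Make the two branches consistent: `uci -q add_list firewall.bypass6_${proto}.entry="$ip"`. The surrounding `if`/`elif` on `$valid_ip4`/`$valid_ip6` continues outside the hunk.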
@@ -864,7 +864,7 @@ _delete_dhcp_ipset() { } _delete_firewall_rules() { - ([ -n "$(echo $1 | grep omr_dst_bypass)" ] || [ -n "$(echo $1 | grep omr6_dst_bypass)" ]) && { + ([ -n "$(echo $1 | grep omr_dst_bypass)" ] || [ -n "$(echo $1 | grep omr6_dst_bypass)" ] || [ -n "$(echo $1 | grep bypass_)" ] || [ -n "$(echo $1 | grep bypass6_)" ]) && { uci -q delete firewall.$1 } } @@ -886,6 +886,7 @@ start_service() { config_load dhcp config_foreach _delete_dhcp_ipset ipset + uci -q delete dhcp.@dnsmasq[0].noipv6 #uci -q commit dhcp config_load firewall config_foreach _delete_firewall_rules rule From c2899354224c1fcb7a70c800311912b115fb4ff7 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Tue, 10 Dec 2024 15:32:18 +0100 Subject: [PATCH 2/5] Limit dnsmasq and unbound listening interfaces and remove old hidden config files in OMR-Schedule script --- .../usr/share/omr/schedule.d/010-services | 30 +++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/omr-schedule/files/usr/share/omr/schedule.d/010-services b/omr-schedule/files/usr/share/omr/schedule.d/010-services index 311831f99..9b5ebe5e9 100755 --- a/omr-schedule/files/usr/share/omr/schedule.d/010-services +++ b/omr-schedule/files/usr/share/omr/schedule.d/010-services 
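Review bot: The added `grep bypass_` / `grep bypass6_` tests are unanchored substring matches, so `_delete_firewall_rules` now deletes any firewall rule section whose name merely contains `bypass_` — including a user's own rule named e.g. `mybypass_x` — on every service start; the new test also subsumes the existing `omr_dst_bypass` one, since `omr_dst_bypass_*` contains `bypass_`. Anchor the match on the name prefix instead: `case "$1" in omr_dst_bypass*|omr6_dst_bypass*|bypass_*|bypass6_*) uci -q delete firewall.$1 ;; esac`. Note that this helper is invoked with `config_foreach … rule`, so the `bypass_${proto}` sections of type `ipset` created earlier in this patch are presumably not visited by it; if they are cleaned elsewhere a one-line comment saying so would help.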
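Review bot: `uci -q delete dhcp.@dnsmasq[0].noipv6` only stages the change, and the very next line, `#uci -q commit dhcp`, is still commented out, so the deletion reaches /etc/config/dhcp only if some other process happens to commit dhcp later and is otherwise discarded. If relying on an external commit is intentional, say so in a comment, `# left uncommitted: picked up by the next dhcp commit`; otherwise uncomment the commit. Dropping `noipv6` also re-enables dnsmasq's IPv6 handling, which is a behaviour change worth a line of explanation next to the delete. `start_service` continues outside the hunk.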
@@ -158,9 +158,18 @@ set_lan_ips() { [ -n "$(echo $device | grep -)" ] && uci -q set openmptcprouter.settings.restrict_to_lan="0" && uci commit openmptcprouter uci -q del_list shadowsocks-libev.ss_rules.ifnames="$device" uci -q del_list shadowsocks-rust.ss_rules.ifnames="$device" + uci -q del_list unbound.ub_main.iface_lan="$1" + uci -q del_list unbound.ub_main.iface_wan="$1" + uci -q del_list dhcp.@dnsmasq[0].interface="$1" + uci -q del_list dhcp.@dnsmasq[0].notinterface="$1" if [ "$multipath" != "on" ] && [ "$multipath" != "master" ] && [ -n "$device" ] && [ -z "$(echo $device | grep @)" ] && ([ "$proto" = "dhcp" ] || [ "$proto" = "static" ]); then uci -q add_list shadowsocks-libev.ss_rules.ifnames="$device" uci -q add_list shadowsocks-rust.ss_rules.ifnames="$device" + uci -q add_list unbound.ub_main.iface_lan="$1" + uci -q add_list dhcp.@dnsmasq[0].interface="$1" + elif [ "$multipath" = "on" ] || [ "$multipath" = "master" ]; then + uci -q add_list unbound.ub_main.iface_wan="$1" + uci -q add_list dhcp.@dnsmasq[0].notinterface="$1" fi } config_load network 
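Review bot: An interface that matches neither branch of the new `if`/`elif` — multipath `off` but a proto other than `dhcp`/`static`, or a device containing `@` — is removed from all four lists and then added to none, so it is neither explicitly served nor explicitly excluded. dnsmasq with a non-empty `interface` list only listens on the listed names, so that case is probably harmless there, but whether unbound treats an interface absent from both `iface_lan` and `iface_wan` the same way is not visible here; an explicit `else` branch makes the listener restriction fail-closed: `else`, `uci -q add_list unbound.ub_main.iface_wan="$1"`, `uci -q add_list dhcp.@dnsmasq[0].notinterface="$1"`. A comment on the function, `# restrict_to_lan: expose shadowsocks, unbound and dnsmasq only on LAN-facing (non-multipath) interfaces`, would document the intent. `set_lan_ips` starts before the hunk.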
@@ -168,15 +177,23 @@ config_foreach restart_omrtracker interface [ "$(uci -q get openmptcprouter.settings.restrict_to_lan)" = "1" ] && config_foreach set_lan_ips interface [ "$(uci -q get openmptcprouter.settings.restrict_to_lan)" = "0" ] && ([ -n "$(uci -q get shadowsocks-libev.ss_rules.ifnames)" ] || [ -n "$(uci -q get shadowsocks-rust.ss_rules.ifnames)" ]) && { uci -q batch <<-EOF - delete shadowsocks-libev.ss_rules.ifnames="$device" - delete shadowsocks-rust.ss_rules.ifnames="$device" + delete shadowsocks-libev.ss_rules.ifnames + delete shadowsocks-rust.ss_rules.ifnames + delete unbound.ub_main.lan + delete unbound.ub_main.wan + delete dhcp.@dnsmasq[0].interface + delete dhcp.@dnsmasq[0].notinterface EOF } -[ -n "$(uci -q changes shadowsocks-libev)" ] && uci -q commit shadowsocks-libev.ss_rules -[ -n "$(uci -q changes shadowsocks-rust)" ] && uci -q commit shadowsocks-rust.ss_rules +[ -n "$(uci -q changes shadowsocks-libev)" ] && uci -q commit shadowsocks-libev +[ -n "$(uci -q changes shadowsocks-rust)" ] && uci -q commit shadowsocks-rust +[ -n "$(uci -q changes unbound)" ] && uci -q commit unbound +[ -n "$(uci -q changes dhcp)" ] && uci -q commit dhcp multipath_fix() { config_get multipath "$1" multipath [ "$multipath" != "off" ] && return + config_get device "$1" device + { "$(echo $device | grep '@')" ] && return interface="$(ifstatus $1 | jsonfilter -q -e '@.l3_device' | tr -d '\n')" [ -n "$interface" ] && [ -z "$(multipath $interface | grep deactivated)" ] && { _log "Fix Multipath status on $1 ($interface)" @@ -293,4 +310,7 @@ if [ "$(uci -q get openmptcprouter.latest_versions.lc)" = "" ] || [ $(($(date +" uci -q set openmptcprouter.latest_versions.lc=$(date +"%s") uci -q commit openmptcprouter } -fi \ No newline at end of file +fi + +# Remove old hidden config files +find /etc/config/ -mtime +1 -type f -name '\.*' -exec rm {} + From bf18da86f683a3b1eb4618b7dd89432d3c27e7c1 Mon Sep 17 00:00:00 2001 
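Review bot: The new line in `multipath_fix`, `{ "$(echo $device | grep '@')" ] && return`, opens a brace group (`{`) instead of a test (`[`) and never closes it, so the shell will most likely reject the whole script with a syntax error rather than skip alias devices; it should read `[ -n "$(echo $device | grep '@')" ] && return`. Separately, the restrict_to_lan=0 cleanup deletes `unbound.ub_main.lan` and `unbound.ub_main.wan`, but `set_lan_ips` populates `unbound.ub_main.iface_lan` and `iface_wan`, so turning the restriction off leaves the unbound interface lists in place; change the two `delete` lines to `delete unbound.ub_main.iface_lan` and `delete unbound.ub_main.iface_wan`.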
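Review bot: `find /etc/config/ -mtime +1 -type f -name '\.*' -exec rm {} +` deletes every dotfile older than a day in the config directory, not only leftovers of the tooling; presumably the target is the temporary files libuci leaves behind when a commit is interrupted (a `.NAME.uci-XXXXXX` pattern — confirm against the installed uci), and an admin's `.backup`-style files would be caught as well. Narrow the pattern to that naming scheme if it is confirmed, and in any case document the intent above the line, `# remove stale temp files left in /etc/config by interrupted uci commits (older than a day, so nothing in-flight)`. Also use `rm -f --` so a name starting with `-` or an already-removed file does not make the scheduled run report an error.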
From: "Ycarus (Yannick Chabanois)" Date: Tue, 10 Dec 2024 16:36:34 +0100 Subject: [PATCH 3/5] Reload mptcp in more case --- mptcp/files/etc/hotplug.d/iface/30-mptcp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mptcp/files/etc/hotplug.d/iface/30-mptcp b/mptcp/files/etc/hotplug.d/iface/30-mptcp index 3c4e940cc..d16e22a7a 100644 --- a/mptcp/files/etc/hotplug.d/iface/30-mptcp +++ b/mptcp/files/etc/hotplug.d/iface/30-mptcp @@ -1,15 +1,15 @@ #!/bin/sh -[ "$ACTION" = ifup -o "$ACTION" = ifupdate -o "$ACTION" = ifdown -o "$ACTION" = iflink ] || exit 0 +[ "$ACTION" = ifup -o "$ACTION" = ifupdate -o "$ACTION" = ifdown -o "$ACTION" = iflink -o "$ACTION" = link-up -o "$ACTION" = link-down ] || exit 0 #[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0 /etc/init.d/mptcp enabled || exit 0 -if [ "$ACTION" = ifupdate -o "$ACTION" = iflink ] && [ -z "$(echo $DEVICE | grep oip | grep gre)" ] && [ -n "$(uci -q get network.$INTERFACE.multipath)" ] && [ "$(uci -q get network.$INTERFACE.multipath)" != "off" ]; then +if [ "$ACTION" = ifup -o "$ACTION" = ifupdate -o "$ACTION" = iflink -o "$ACTION" = link-up ] && [ -z "$(echo $DEVICE | grep oip | grep gre)" ] && [ -n "$(uci -q get network.$INTERFACE.multipath)" ] && [ "$(uci -q get network.$INTERFACE.multipath)" != "off" ]; then logger -t "mptcp" "Reloading mptcp config due to $ACTION of $INTERFACE ($DEVICE)" /etc/init.d/mptcp reload "$DEVICE" >/dev/null || exit 0 -elif [ "$ACTION" = ifdown ]; then +elif [ "$ACTION" = ifdown -o "$ACTION" = link-down ]; then multipath $DEVICE off 2>&1 >/dev/null || exit 0 fi From e5046ae6328778164dc41c3f732c83f4476c477c Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Tue, 10 Dec 2024 16:37:06 +0100 Subject: [PATCH 4/5] blocklanfw script is not yet migrated to nft, ignore it when nft is used --- openmptcprouter/files/bin/blocklanfw | 2 ++ 1 file changed, 2 insertions(+) 
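Review bot: The extended `elif [ "$ACTION" = ifdown -o "$ACTION" = link-down ]` branch runs `multipath $DEVICE off` without checking that `$DEVICE` is set, and on down events the device variable is not guaranteed to be populated, which would call `multipath` with a bare `off`; guard it with `elif [ "$ACTION" = ifdown -o "$ACTION" = link-down ] && [ -n "$DEVICE" ]; then`. The redirection `2>&1 >/dev/null` on that line only silences stdout (stderr is pointed at the original stdout before it is redirected), so if the goal is a quiet hotplug script write `multipath "$DEVICE" off >/dev/null 2>&1 || exit 0`. Whether netifd actually delivers `link-up`/`link-down` to `hotplug.d/iface` scripts is not visible from the diff; a comment naming which events are expected would help the next reader.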
diff --git a/openmptcprouter/files/bin/blocklanfw b/openmptcprouter/files/bin/blocklanfw index 5b476da4a..8395c731e 100755 --- a/openmptcprouter/files/bin/blocklanfw +++ b/openmptcprouter/files/bin/blocklanfw @@ -1,5 +1,7 @@ #!/bin/sh +[ -e /usr/sbin/nft ] && exit 0 + if [ -e /usr/sbin/iptables-legacy ]; then IPTABLES="/usr/sbin/iptables-legacy" IP6TABLES="/usr/sbin/ip6tables-legacy" From bc68e4194ab5a36c2f0e03353adc23eef8d86d2f Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Tue, 10 Dec 2024 16:37:39 +0100 Subject: [PATCH 5/5] Commit firewall changes in /etc/firewall.omr-server only if there is real changes --- openmptcprouter/files/etc/firewall.omr-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openmptcprouter/files/etc/firewall.omr-server b/openmptcprouter/files/etc/firewall.omr-server index cbd8d719d..7d949fc86 100644 --- a/openmptcprouter/files/etc/firewall.omr-server +++ b/openmptcprouter/files/etc/firewall.omr-server @@ -11,6 +11,6 @@ _enable_firewall_check() { logger -t "firewall.omr-server" "Firewall reload, set server part firewall reloading" config_load openmptcprouter config_foreach _enable_firewall_check server -uci -q commit firewall +[ -n "$(uci -q changes firewall)" ] && uci -q commit firewall #/etc/init.d/openmptcprouter-vps set_vps_firewall & /bin/blocklanfw 2>&1 >/dev/null
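Review bot: `[ -e /usr/sbin/nft ] && exit 0` silently turns off whatever this script enforces — judging by its name and the iptables setup below it installs LAN-blocking rules — on any image where the nft binary is merely present, including a transitional one where iptables-legacy is still the active backend, and nothing is logged, so the protection disappears without trace. At minimum log the skip, `[ -e /usr/sbin/nft ] && { logger -t blocklanfw "nft present, LAN blocking rules not applied (not migrated yet)"; exit 0; }`, and consider keying the check on the active firewall backend rather than on the binary. A comment above the line, `# TODO: not migrated to nft; rules are skipped on nft systems`, documents that this is a known gap rather than intended behaviour.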