From b2343ec464b203dd20f7068c7cbcfbe25a030679 Mon Sep 17 00:00:00 2001
From: Ycarus
Date: Sun, 2 Dec 2018 08:02:18 +0100
Subject: [PATCH] Fix and better omr-bypass rules
---
 .../root/etc/init.d/omr-bypass | 59 +++++++++++--------
 mptcp/files/etc/init.d/mptcp | 6 +-
 2 files changed, 39 insertions(+), 26 deletions(-)
diff --git a/luci-app-omr-bypass/root/etc/init.d/omr-bypass b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
index e8307cfa7..3ef734ef7 100755
--- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass
+++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
@@ -62,23 +62,23 @@ _bypass_mac() {
  if [ "$intf" = "all" ]; then
  iptables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark 0x539
+ -A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539
  COMMIT
  EOF
  ip6tables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark 0x6539
+ -A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x6539
  COMMIT
  EOF
  else
  iptables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark 0x539$intfid
+ -A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539$intfid
  COMMIT
  EOF
  ip6tables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark 0x6539$intfid
+ -A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x6539$intfid
  COMMIT
  EOF
  fi
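Review bot: The configured value on the rewritten `-A omr-bypass -m mac --mac-source $mac` lines (and `$ip` on the equivalent lines of the `_bypass_lan_ip` hunk that follows) is expanded into the iptables-restore stream without validation, and the restore's exit status is not checked, so a malformed or space-containing value either aborts the whole ruleset load silently or changes the rule's meaning. A guard before the here-docs such as `case "$mac" in *[!0-9A-Fa-f:]*|'') logger -t "omr-bypass" "invalid MAC: $mac"; return 1 ;; esac` makes that failure explicit and cheap. The append also presumes the `omr-bypass` chain already exists; if this function can run before `start_service` has created it, the append fails with no message. `_bypass_mac` starts before the hunk.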
@@ -96,23 +96,23 @@ _bypass_lan_ip() {
  if [ "$intf" = "all" ]; then
  iptables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -s $ip -j MARK --set-mark 0x539
+ -A omr-bypass -s $ip -j MARK --set-mark 0x539
  COMMIT
  EOF
  ip6tables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -s $ip -j MARK --set-mark 0x6539
+ -A omr-bypass -s $ip -j MARK --set-mark 0x6539
  COMMIT
  EOF
  else
  iptables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -s $ip -j MARK --set-mark 0x539$intfid
+ -A omr-bypass -s $ip -j MARK --set-mark 0x539$intfid
  COMMIT
  EOF
  ip6tables-restore --wait=60 --noflush <<-EOF
  *mangle
- -A PREROUTING -s $ip -j MARK --set-mark 0x6539$intfid
+ -A omr-bypass -s $ip -j MARK --set-mark 0x6539$intfid
  COMMIT
  EOF
  fi
@@ -176,12 +176,12 @@ _intf_rule() {
  create omr_rules_dst_bypass_$intf hash:net hashsize 64
  create omr_rules6_dst_bypass_$intf hash:net family inet6 hashsize 64
  EOF
- ip rule add prio 1 fwmark 0x539$count lookup $count > /dev/null 2>&1
+ ip rule add prio 1 fwmark 0x539$count lookup $count pref 1 > /dev/null 2>&1
  ip -6 rule add prio 1 fwmark 0x6539$count lookup 6$count > /dev/null 2>&1
  if [ "$(iptables -w 40 -t mangle -L | grep omr_rules_dst_bypass_$intf)" = "" ]; then
  iptables-restore --wait=60 --noflush <<-EOF
  *mangle
- -I PREROUTING 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
+ -I omr-bypass 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
  COMMIT
  EOF
  fi
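Review bot: `pref 1` on the rewritten `ip rule add prio 1 fwmark 0x539$count lookup $count pref 1` line is redundant: iproute2 treats `prio`, `pref` and `preference` as the same attribute, so the priority is set to 1 twice, while the IPv6 rule on the next line keeps only `prio 1`. Either spelling alone is enough, e.g. `ip rule add prio 1 fwmark 0x539$count lookup $count > /dev/null 2>&1`, and the two families should read the same so a reader does not hunt for a difference that is not there. Both `ip rule add` results are still discarded by the redirection, so an insert failure stays invisible. `_intf_rule` starts before the hunk and continues after it.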
@@ -192,15 +192,14 @@ _intf_rule() {
  -I ss_rules_local_out 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j RETURN
  -I ss_rules_local_out 2 -m mark --mark 0x539$count -j RETURN
  -I ss_rules_pre_src 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
- -I ss_rules_pre_src 2 -m set --match-set omr_rules_dst_bypass_$intf dst -j RETURN
- -I ss_rules_pre_src 3 -m mark --mark 0x539$count -j RETURN
+ -I ss_rules_pre_src 2 -m mark --mark 0x539$count -j RETURN
  COMMIT
  EOF
  fi
  if [ "$(ip6tables -w 40 -t mangle -L | grep omr_rules6_dst_bypass_$intf)" = "" ]; then
  ip6tables-restore --wait=60 --noflush <<-EOF
  *mangle
- -I PREROUTING 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
+ -I omr-bypass 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
  COMMIT
  EOF
  fi
@@ -211,8 +210,7 @@ _intf_rule() {
  -I ss_rules6_local_out 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j RETURN
  -I ss_rules6_local_out 2 -m mark --mark 0x539$count -j RETURN
  -I ss_rules6_pre_src 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
- -I ss_rules6_pre_src 2 -m set --match-set omr_rules6_dst_bypass_$intf dst -j RETURN
- -I ss_rules6_pre_src 3 -m mark --mark 0x539$count -j RETURN
+ -I ss_rules6_pre_src 2 -m mark --mark 0x539$count -j RETURN
  COMMIT
  EOF
  fi
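Review bot: The rewritten RETURN rule `-I ss_rules6_pre_src 2 -m mark --mark 0x539$count -j RETURN` in the `@@ -211` hunk tests the IPv4 mark, but the rule just above it sets `0x6539$count` on IPv6 packets, so marked IPv6 traffic never returns from `ss_rules6_pre_src` and the per-interface IPv6 bypass is not honoured by the proxy rules. The line should be `-I ss_rules6_pre_src 2 -m mark --mark 0x6539$count -j RETURN`, as the equivalent `all` rule in `start_service` already does with `0x6539`. The unchanged `-I ss_rules6_local_out 2 -m mark --mark 0x539$count -j RETURN` context line two lines earlier carries the same mismatch. The IPv4 variant in the `@@ -192` hunk is consistent with its own mark. `_intf_rule` continues outside the hunk.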
@@ -243,6 +241,22 @@ start_service() { create omr_rules6_dst_bypass_all hash:net family inet6 hashsize 64 EOF + iptables-save --counters | grep -v omr-bypass | iptables-restore --counters + iptables-restore --wait=60 --noflush <<-EOF + *mangle + :omr-bypass - + -I PREROUTING 1 -m addrtype ! --dst-type LOCAL -j omr-bypass + COMMIT + EOF + ip6tables-save --counters | grep -v omr-bypass | ip6tables-restore --counters + ip6tables-restore --wait=60 --noflush <<-EOF + *mangle + :omr-bypass - + -I PREROUTING 1 -m addrtype ! --dst-type LOCAL -j omr-bypass + COMMIT + EOF + + config_load network config_foreach _intf_rule interface @@ -261,7 +275,7 @@ start_service() { if [ "$(iptables -w 40 -t mangle -L | grep 'match-set omr_rules_dst_bypass_all dst MARK set')" = "" ]; then iptables-restore --wait=60 --noflush <<-EOF *mangle - -A PREROUTING -m set --match-set omr_rules_dst_bypass_all dst -j MARK --set-mark 0x539 + -A omr-bypass -m set --match-set omr_rules_dst_bypass_all dst -j MARK --set-mark 0x539 COMMIT EOF fi @@ -272,15 +286,14 @@ start_service() { -I ss_rules_local_out 1 -m set --match-set omr_rules_dst_bypass_all dst -j RETURN -I ss_rules_local_out 2 -m mark --mark 0x539 -j RETURN -I ss_rules_pre_src 1 -m set --match-set omr_rules_dst_bypass_all dst -j MARK --set-mark 0x539 - -I ss_rules_pre_src 2 -m set --match-set omr_rules_dst_bypass_all dst -j RETURN - -I ss_rules_pre_src 3 -m mark --mark 0x539 -j RETURN + -I ss_rules_pre_src 2 -m mark --mark 0x539 -j RETURN COMMIT EOF fi if [ "$(ip6tables -w 40 -t mangle -L | grep 'match-set omr_rules6_dst_bypass_all dst MARK set')" = "" ]; then ip6tables-restore --wait=60 --noflush <<-EOF *mangle - -A PREROUTING -m set --match-set omr_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 + -A omr-bypass -m set --match-set omr_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 COMMIT EOF fi 
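Review bot: The new `iptables-save --counters | grep -v omr-bypass | iptables-restore --counters` lines rewrite the entire ruleset without `--wait`, unlike the other restores in this diff, so if another process holds the xtables lock the restore fails silently, the old `-j omr-bypass` jump survives, and the following `-I PREROUTING 1 -m addrtype ! --dst-type LOCAL -j omr-bypass` adds a second one; the same applies to the `ip6tables` pair and to `stop_service` later in the diff. Use `iptables-restore --wait=60 --counters` (and the ip6tables equivalent) and consider checking the pipeline's status before inserting the jump. The save/restore pass is also not atomic: a rule another service adds between the two commands is dropped, which is worth a comment such as `# full save/restore: drops the old omr-bypass jump, but not atomic with other firewall writers`. `start_service` starts before the hunk and continues after it.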
@@ -291,8 +304,7 @@ start_service() { -I ss_rules6_local_out 1 -m set --match-set omr_rules6_dst_bypass_all dst -j RETURN -I ss_rules6_local_out 2 -m mark --mark 0x6539 -j RETURN -I ss_rules6_pre_src 1 -m set --match-set omr_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 - -I ss_rules6_pre_src 2 -m set --match-set omr_rules6_dst_bypass_all dst -j RETURN - -I ss_rules6_pre_src 3 -m mark --mark 0x6539 -j RETURN + -I ss_rules6_pre_src 2 -m mark --mark 0x6539 -j RETURN COMMIT EOF fi @@ -320,8 +332,9 @@ start_service() { logger -t "omr-bypass" "OMR-ByPass is running" } -stop() { +stop_service() { iptables-save --counters | grep -v omr-bypass | iptables-restore --counters + iptables-save --counters | grep -v omr_rules | iptables-restore --counters for setname in $(ipset -n list | grep "omr_"); do ipset destroy "$setname" 2>/dev/null || true done @@ -334,6 +347,6 @@ service_triggers() { } reload_service() { - [ "$(ipset -n list | grep omr_)" = "" ] && return 0 + [ "$( ipset -n list | grep omr_ )" = "" ] && return 0 start } diff --git a/mptcp/files/etc/init.d/mptcp b/mptcp/files/etc/init.d/mptcp index 0535336da..1460b8f91 100755 --- a/mptcp/files/etc/init.d/mptcp +++ b/mptcp/files/etc/init.d/mptcp @@ -44,11 +44,11 @@ interface_multipath_settings() { config_get enabled "$config" auto "1" config_get iface "$config" ifname + count=$(($count+1)) [ -z "$iface" ] && iface=$(ifstatus "$config" | jsonfilter -q -e '@["l3_device"]') [ "$enabled" = "0" ] && return 0 - count=$(($count+1)) id=$count [ -n "$intf" ] && [ "$iface" != "$intf" ] && return 0 [ -z "$iface" ] && return 0 
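Review bot: The renamed `stop_service()` now runs two full save/restore passes back to back, `grep -v omr-bypass` then the added `grep -v omr_rules`, each rewriting the whole ruleset without `--wait`; a single pass, `iptables-save --counters | grep -v -e omr-bypass -e omr_rules | iptables-restore --wait=60 --counters`, halves the window in which rules added concurrently by another service are lost and matches the `--wait=60` used on the other restores in this diff. The `omr_rules` filter is what lets the `ipset destroy` loop below succeed, since a set still referenced by a rule cannot be destroyed, so that dependency deserves a comment such as `# remove rules referencing omr_ sets first: ipset destroy fails on a set in use`. Renaming `stop` to `stop_service` makes this the procd stop hook, so the teardown now runs on service stop; if an ip6tables counterpart exists past the hunk it needs the same single-pass treatment. `stop_service` continues outside the hunk.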
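Review bot: Moving `count=$(($count+1))` ahead of the `[ "$enabled" = "0" ] && return 0` early return in the mptcp `@@ -44` hunk changes the numbering: a disabled interface now still consumes an index, so table ids (and presumably the `$count`-derived marks that `_intf_rule` in omr-bypass must agree with) no longer shift when an interface is toggled. That reasoning is invisible to the next reader, who will be tempted to move the increment back below the return; add `# count disabled interfaces too so table ids stay stable` above the line. `interface_multipath_settings` starts before the hunk and continues after it.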
@@ -93,7 +93,7 @@ interface_multipath_settings() {
  ip rule del table $id > /dev/null 2>&1
  ip route flush $id > /dev/null 2>&1
  if [ -n "$gateway" ] && [ -n "$network" ]; then
- ip rule add from $ipaddr iif $iface oif $iface table $id
+ ip rule add from $ipaddr iif $iface oif $iface table $id pref 0
  ip route replace $network/$netmask dev $iface scope link table $id
  ip route replace default via $gateway dev $iface table $id
  ip route flush $id
@@ -141,7 +141,7 @@ interface_multipath_settings() {
  ip -6 rule del table 6$id > /dev/null 2>&1
  ip -6 route flush 6$id > /dev/null 2>&1
  if [ -n "$ip6addr" ] && [ -n "$gateway6" ] && [ -n "$network6" ]; then
- ip -6 rule add from $ip6addr iif $iface oif $iface table 6$id
+ ip -6 rule add from $ip6addr iif $iface oif $iface table 6$id pref 0
  ip -6 route replace $network6/$netmask6 dev $iface scope link table 6$id
  ip -6 route replace default via $gateway6 dev $iface table 6$id
  ip -6 route flush 6$id
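Review bot: `pref 0` on the rewritten `ip rule add from $ipaddr iif $iface oif $iface table $id pref 0` line (and the IPv6 line in the `@@ -141` hunk) places the per-interface source rule at the same priority as the kernel's built-in `lookup local` rule; the kernel inserts a new rule after existing rules of equal priority, so it lands between `local` and the omr-bypass fwmark rules at `prio 1`, which appears to be the intent but is stated nowhere. A comment such as `# pref 0: evaluated right after the local table, ahead of the omr-bypass fwmark rules at prio 1` would record it. `$ipaddr` and `$iface` are expanded unquoted into the command and the surrounding lines test only for emptiness; `$iface` comes from `config_get`/`ifstatus` in the earlier hunk, while `$ipaddr`'s origin is outside the diff. `interface_multipath_settings` starts before the hunk and continues after it.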