From a9e217fb7ca6e0964ec7b5acd88fddd5038f10cf Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Fri, 9 Feb 2024 10:42:55 +0000 Subject: [PATCH] Add omr-bypass service --- omr-bypass | 82 +++++++++++++++++++++++++++++++++++++++++++ omr-bypass.service.in | 12 +++++++ omr-bypass.timer.in | 8 +++++ 3 files changed, 102 insertions(+) create mode 100755 omr-bypass create mode 100644 omr-bypass.service.in create mode 100644 omr-bypass.timer.in diff --git a/omr-bypass b/omr-bypass new file mode 100755 index 0000000..5aa8e02 --- /dev/null +++ b/omr-bypass @@ -0,0 +1,82 @@ +#!/bin/sh +# Copyright (C) 2023 Ycarus (Yannick Chabanois) for OpenMPTCProuter +# Released under GPL 3. See LICENSE for the full terms. + +[ ! -f /etc/openmptcprouter-vps-admin/omr-bypass.json ] && exit 0 + +# Configuration +INTERFACE="$(jq -M -r .bypass_intf /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')" +[ "$INTERFACE" = "null" ] && INTERFACE="vpn1" +GATEWAY="$(ip r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')" +GATEWAY6="$(ip -6 r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')" +TABLE="991337" +MARK="0x539" + +CHECKSUM="$(md5sum /etc/openmptcprouter-vps-admin/omr-bypass.json | awk '{print $1}' | tr -d '\n')" +PREVIOUS_CHECKSUM="$(jq -M -r .bypass_checksum /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')" +[ "$CHECKSUM" = "$PREVIOUS_CHECKSUM" ] && exit 0 +jq -M --arg c "$CHECKSUM" '.bypass_checksum = $c' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp +mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json +# Action +ipset -q flush omr_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null +ipset -q flush omr6_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null +ipset -q --exist restore <<-EOF +create omr_dst_bypass_srv_${INTERFACE} hash:net hashsize 64 +create omr6_dst_bypass_srv_${INTERFACE} hash:net family inet6 hashsize 64 +EOF +ipv4=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv4[]) +for ip in $ipv4; do + ipset -q add omr_dst_bypass_srv_${INTERFACE} $ip +done +ipv6=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv6[]) +for ip in $ipv6; do + ipset -q add omr6_dst_bypass_srv_${INTERFACE} $ip +done +iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null +iptables-restore -w --wait=60 --noflush <<-EOF +*mangle +:omr-bypass - +-A PREROUTING -j omr-bypass +COMMIT +EOF +iptables-restore -w --wait=60 --noflush <<-EOF +*mangle +:omr-bypass-local - +-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local +COMMIT +EOF +iptables-restore -w --wait=60 --noflush <<-EOF +*mangle +-A omr-bypass -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK} +-A omr-bypass -m mark --mark ${MARK} -j RETURN +-A omr-bypass-local -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK} +-A omr-bypass-local -m mark --mark ${MARK} -j RETURN +COMMIT +EOF +ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1 +ip route replace default via ${GATEWAY} dev ${INTERFACE} table ${TABLE} +ip6tables-save --counters 2>/dev/null | grep -v omr-bypass | ip6tables-restore -w --counters 2>/dev/null +ip6tables-restore -w --wait=60 --noflush <<-EOF +*mangle +:omr-bypass - +-A PREROUTING -j omr-bypass +COMMIT +EOF +ip6tables-restore -w --wait=60 --noflush <<-EOF +*mangle +:omr-bypass-local - +-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local +COMMIT +EOF +ip6tables-restore -w --wait=60 --noflush <<-EOF +*mangle +-A omr-bypass -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK} +-A omr-bypass -m mark --mark ${MARK} -j RETURN +-A omr-bypass-local -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK} +-A omr-bypass-local -m mark --mark ${MARK} -j RETURN +COMMIT +EOF +if [ -n "$GATEWAY6" ]; then + ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1 + ip route replace default via ${GATEWAY6} dev ${INTERFACE} table ${TABLE} +fi \ No newline at end of file diff --git a/omr-bypass.service.in b/omr-bypass.service.in new file mode 100644 index 0000000..0d49437 --- /dev/null +++ b/omr-bypass.service.in @@ -0,0 +1,12 @@ +[Unit] +Description=OMR-ByPass +After=network.target network-online.target shorewall.service + +[Service] +Type=simple +ExecStart=/usr/local/bin/omr-bypass +KillSignal=9 +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW + +[Install] +WantedBy=multi-user.target diff --git a/omr-bypass.timer.in b/omr-bypass.timer.in new file mode 100644 index 0000000..85d7eb7 --- /dev/null +++ b/omr-bypass.timer.in @@ -0,0 +1,8 @@ +[Unit] +Description=Timer for omr-bypass + +[Timer] +OnUnitActiveSec=300 + +[Install] +WantedBy=timers.target