pbr: update to 1.1.6-20

This version is the final version supporting iptables and:

* it separates the old iptables/nft-capable init script from the new nft-only init script
* the new nft-script is a significant rewrite of the old recursive calls/policy parsing
  and tries to create inline nft sets, which offer performance improvements

Signed-off-by: Stan Grishin <stangri@melmac.ca>
This commit is contained in:
Stan Grishin 2024-08-03 23:17:13 +00:00
parent ee1df08108
commit 920d64734a
14 changed files with 4102 additions and 1150 deletions


@ -1,11 +1,11 @@
# Copyright 2017-2023 MOSSDeF, Stan Grishin (stangri@melmac.ca) # Copyright 2017-2024 MOSSDeF, Stan Grishin (stangri@melmac.ca).
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under AGPL-3.0-or-later.
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=pbr PKG_NAME:=pbr
PKG_VERSION:=1.1.4 PKG_VERSION:=1.1.6
PKG_RELEASE:=16 PKG_RELEASE:=20
PKG_LICENSE:=AGPL-3.0-or-later PKG_LICENSE:=AGPL-3.0-or-later
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca> PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
@ -16,12 +16,11 @@ define Package/pbr/default
CATEGORY:=Network CATEGORY:=Network
SUBMENU:=Routing and Redirection SUBMENU:=Routing and Redirection
TITLE:=Policy Based Routing Service TITLE:=Policy Based Routing Service
URL:=https://docs.openwrt.melmac.net/pbr/ URL:=https://github.com/stangri/pbr/
DEPENDS:=+ip-full +jshn +jsonfilter +resolveip DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk
DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep
DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed
CONFLICTS:=vpnbypass vpn-policy-routing
PROVIDES:=pbr PROVIDES:=pbr
PKGARCH:=all PKGARCH:=all
endef endef
@ -32,7 +31,6 @@ $(call Package/pbr/default)
DEPENDS+=+kmod-nft-core +kmod-nft-nat +nftables-json DEPENDS+=+kmod-nft-core +kmod-nft-nat +nftables-json
VARIANT:=nftables VARIANT:=nftables
DEFAULT_VARIANT:=1 DEFAULT_VARIANT:=1
PROVIDES+=vpnbypass vpn-policy-routing
endef endef
define Package/pbr-iptables define Package/pbr-iptables
@ -44,7 +42,7 @@ endef
define Package/pbr-netifd define Package/pbr-netifd
$(call Package/pbr/default) $(call Package/pbr/default)
TITLE+= with netifd support TITLE+= with nft/nft set and netifd support
VARIANT:=netifd VARIANT:=netifd
endef endef
@ -54,18 +52,18 @@ endef
define Package/pbr/description define Package/pbr/description
$(call Package/pbr/default/description) $(call Package/pbr/default/description)
This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft. This version supports OpenWrt (23.05 and newer) with firewall4/nft.
endef endef
define Package/pbr-iptables/description define Package/pbr-iptables/description
$(call Package/pbr/default/description) $(call Package/pbr/default/description)
This version supports OpenWrt with firewall3/ipset/iptables. This version supports OpenWrt (22.03 and older) with firewall3/ipset/iptables.
endef endef
define Package/pbr-netifd/description define Package/pbr-netifd/description
$(call Package/pbr/default/description) $(call Package/pbr/default/description)
This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft. This version supports OpenWrt with (23.05 and newer) firewall4/nft.
This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP. This version uses OpenWrt native netifd/tables to set up interfaces. This is a WIP.
endef endef
define Package/pbr/default/conffiles define Package/pbr/default/conffiles
@ -83,26 +81,24 @@ define Build/Compile
endef endef
define Package/pbr/default/install define Package/pbr/default/install
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
$(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr $(INSTALL_BIN) ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
$(INSTALL_DIR) $(1)/usr/share/pbr $(INSTALL_DIR) $(1)/usr/share/pbr
$(INSTALL_DATA) ./files/usr/share/pbr/.keep $(1)/usr/share/pbr/.keep $(INSTALL_DATA) ./files/usr/share/pbr/.keep $(1)/usr/share/pbr/.keep
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.wg_server_and_client $(1)/usr/share/pbr/pbr.user.wg_server_and_client $(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.wg_server_and_client $(1)/usr/share/pbr/pbr.user.wg_server_and_client
endef endef
# $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
# $(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
define Package/pbr/install define Package/pbr/install
$(call Package/pbr/default/install,$(1)) $(call Package/pbr/default/install,$(1))
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr $(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
$(INSTALL_DIR) $(1)/usr/share/pbr $(INSTALL_DIR) $(1)/usr/share/pbr
$(INSTALL_DATA) ./files/usr/share/pbr/firewall.include $(1)/usr/share/pbr/firewall.include $(INSTALL_DATA) ./files/usr/share/pbr/firewall.include $(1)/usr/share/pbr/firewall.include
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
$(INSTALL_DIR) $(1)/usr/share/nftables.d $(INSTALL_DIR) $(1)/usr/share/nftables.d
$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/ $(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
$(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_DIR) $(1)/etc/uci-defaults
@ -111,16 +107,24 @@ endef
define Package/pbr-iptables/install define Package/pbr-iptables/install
$(call Package/pbr/default/install,$(1)) $(call Package/pbr/default/install,$(1))
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/etc/init.d/pbr-iptables $(1)/etc/init.d/pbr
$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr $(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr $(INSTALL_CONF) ./files/etc/config/pbr-iptables $(1)/etc/config/pbr
$(INSTALL_DIR) $(1)/usr/share/pbr
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws-iptables $(1)/usr/share/pbr/pbr.user.aws
$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix-iptables $(1)/usr/share/pbr/pbr.user.netflix
$(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-iptables $(1)/etc/uci-defaults/91-pbr-iptables $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-iptables $(1)/etc/uci-defaults/91-pbr-iptables
endef endef
define Package/pbr-netifd/install define Package/pbr-netifd/install
$(call Package/pbr/default/install,$(1)) $(call Package/pbr/default/install,$(1))
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr $(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
$(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_DIR) $(1)/etc/uci-defaults
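Review bot: `Package/pbr-netifd/install` copies `./files/etc/init.d/pbr` right after its `$(INSTALL_DIR) $(1)/etc/init.d`, but unlike `Package/pbr/install` and `Package/pbr-iptables/install` it never runs the `$(SED)` that stamps `readonly PKG_VERSION`, so the netifd variant's init script keeps whatever placeholder the source file carries and will report a wrong version in logs and `pbr status` output. The stamping used to live in `Package/pbr/default/install` and was dropped from there in this commit, so each variant now has to do it itself; add the same line after the install: `$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr`. The define continues past the end of the hunk, so I cannot rule out that the stamp is applied further down.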

net/pbr/README.md Normal file

@ -0,0 +1,4 @@
# README
Documentation for this project is available at [https://docs.openwrt.melmac.net/pbr/](https://docs.openwrt.melmac.net/pbr/).


@ -6,14 +6,14 @@ config pbr 'config'
list resolver_instance '*' list resolver_instance '*'
option ipv6_enabled '0' option ipv6_enabled '0'
list ignored_interface 'vpnserver' list ignored_interface 'vpnserver'
option nft_file_support '0'
option boot_timeout '30' option boot_timeout '30'
option rule_create_option 'add' option rule_create_option 'add'
option procd_boot_delay '0' option procd_boot_delay '0'
option procd_reload_delay '1' option procd_reload_delay '1'
option webui_show_ignore_target '0' option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1' option nft_set_auto_merge '1'
option nft_set_counter '1' option nft_set_counter '0'
option nft_set_flags_interval '1' option nft_set_flags_interval '1'
option nft_set_flags_timeout '0' option nft_set_flags_timeout '0'
option nft_set_gc_interval '' option nft_set_gc_interval ''
@ -37,6 +37,12 @@ config include
option path '/usr/share/pbr/pbr.user.wg_server_and_client' option path '/usr/share/pbr/pbr.user.wg_server_and_client'
option enabled '0' option enabled '0'
config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'
config policy config policy
option name 'Ignore Local Requests' option name 'Ignore Local Requests'
option interface 'ignore' option interface 'ignore'
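Review bot: The new `dns_policy` example carries only `src_addr` and `dest_dns`, with no `proto` or `dest_port`, so a reader of this shipped config cannot tell whether the redirect covers UDP 53 only or TCP as well, nor that it is a destination NAT (the commit adds a `pbr_dstnat_lan` chain for it) that forwards the host's DNS to 1.1.1.1 in the clear rather than through the configured resolver. Since this file is the only documentation of the option set that ships with the package, add a comment above the stanza, e.g. `# Example DNS redirect (disabled): DNATs DNS traffic from src_addr to dest_dns; plaintext, bypasses local resolver`. I am inferring the port matching from the chain name because the init script diff is suppressed on this page; confirm and state the ports in the comment.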


@ -0,0 +1,50 @@
config pbr 'config'
option enabled '0'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.ipset'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_delay '0'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled 0
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled 0
config include
option path '/usr/share/pbr/pbr.user.wg_server_and_client'
option enabled 0
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
config policy
option name 'WireGuard Server'
option interface 'wan'
option src_port '51820'
option chain 'OUTPUT'
option proto 'udp'
option enabled '0'
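Review bot: The three `config include` sections write `option enabled 0` unquoted while every `config policy` section in this same file and the nft-variant `pbr` config use `option enabled '0'`; both parse, but the mixed quoting makes the file look hand-edited and invites the next copy-paste to drop quotes on a value that does need them. Use `option enabled '0'` in all three include sections so the file matches its sibling.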




@ -14,12 +14,6 @@ if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.nftset' ]; then
if check_dnsmasq_nftset; then if check_dnsmasq_nftset; then
output "Setting resolver_set to 'dnsmasq.nftset'... " output "Setting resolver_set to 'dnsmasq.nftset'... "
uci_set pbr config resolver_set 'dnsmasq.nftset' && output_okn || output_failn uci_set pbr config resolver_set 'dnsmasq.nftset' && output_okn || output_failn
elif check_agh_ipset; then
output "Setting resolver_set to 'adguardhome.ipset'... "
uci_set pbr config resolver_set 'adguardhome.ipset' && output_okn || output_failn
elif check_dnsmasq_ipset; then
output "Setting resolver_set to 'dnsmasq.ipset'... "
uci_set pbr config resolver_set 'dnsmasq.ipset' && output_okn || output_failn
else else
output "Setting resolver_set to 'none'... " output "Setting resolver_set to 'none'... "
uci_set pbr config resolver_set 'none' && output_okn || output_failn uci_set pbr config resolver_set 'none' && output_okn || output_failn
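Review bot: With the `adguardhome.ipset` and `dnsmasq.ipset` branches removed, the surrounding `if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.nftset' ]` block now falls straight through to `'none'` for any existing configuration whose `resolver_set` is one of those two values, so an upgrade on a 23.05+ router silently disables all domain-based policies for users who had a working ipset resolver and no dnsmasq nftset support. If the nft-only init script still accepts those values this uci-default should leave them alone, e.g. guard the block with `case "$(uci_get pbr config resolver_set)" in dnsmasq.nftset|adguardhome.ipset|dnsmasq.ipset) ;; *) ...`; if it does not, the downgrade to `'none'` should at least be logged as a warning rather than the ordinary "Setting resolver_set" line. The enclosing `if` begins in the hunk header, outside this hunk.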


@ -0,0 +1 @@
jump pbr_dstnat_lan comment "Jump into pbr dstnat_lan chain";


@ -1,3 +1,4 @@
chain pbr_dstnat_lan {}
chain pbr_forward {} chain pbr_forward {}
chain pbr_input {} chain pbr_input {}
chain pbr_output {} chain pbr_output {}


@ -4,8 +4,6 @@
TARGET_INTERFACE='wan' TARGET_INTERFACE='wan'
TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user" TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user" TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
TARGET_TABLE='inet fw4' TARGET_TABLE='inet fw4'
TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json" TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4" TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4"
@ -16,31 +14,21 @@ _ret=0
if [ ! -s "$TARGET_DL_FILE_4" ]; then if [ ! -s "$TARGET_DL_FILE_4" ]; then
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4" uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4"
fi fi
if [ -s "$TARGET_DL_FILE_4" ]; then if [ -s "$TARGET_DL_FILE_4" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then params=
while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4" while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_4"
elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then [ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi fi
if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6" uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6"
fi fi
if [ -s "$TARGET_DL_FILE_6" ]; then if [ -s "$TARGET_DL_FILE_6" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then params=
while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6" while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_6"
elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then [ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi fi
return $_ret return $_ret
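Review bot: The new `params` loop concatenates every line of `$TARGET_DL_FILE_4` verbatim into a single `nft "add element ... { $params }"` command, and that file is filled by `uclient-fetch --no-check-certificate` followed by a `grep`/`sed` that keeps whatever text surrounds `ip_prefix`, so nothing validates that each entry is a CIDR before it is handed to the nft parser; an unexpected response (or, with certificate checking disabled, a tampered one) can now either inject further nft statements after a `}` or fail the whole batch, whereas the old per-element loop at worst rejected one entry. Add a character allowlist to the loop so only plausible prefixes are joined, and drop `--no-check-certificate` once the package depends on a CA bundle (uclient-fetch verifies against the installed bundle; if the maintainer wants to keep the flag, a comment should say why). The same allowlist, with `a-fA-F:` added, belongs in the IPv6 loop below.
```shell
params=
while read -r p; do
    # keep only lines that look like an IPv4 prefix; anything else is dropped
    case "$p" in
        ''|*[!0-9./]*) continue ;;
    esac
    params="${params:+$params, }${p}"
done < "$TARGET_DL_FILE_4"
[ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
# … unchanged: IPv6 download and set population …
```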


@ -0,0 +1,46 @@
#!/bin/sh
# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
TARGET_INTERFACE='wan'
TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
TARGET_TABLE='inet fw4'
TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4"
# Uncomment the following line if you enabled ipv6 for pbr and want IPv6 entries added to the IPv6 set
# TARGET_DL_FILE_6="/var/pbr_tmp_aws_ip_ranges.ipv6"
_ret=0
if [ ! -s "$TARGET_DL_FILE_4" ]; then
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4"
fi
if [ -s "$TARGET_DL_FILE_4" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then
while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"
elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then
if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi
if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6"
fi
if [ -s "$TARGET_DL_FILE_6" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then
while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6"
elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then
if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi
return $_ret
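Review bot: The `if [ -n "$nft" ] && [ -x "$nft" ]` guard in both the IPv4 and IPv6 branches tests the binary named by `$nft`, but the loop body then runs bare `nft` from `PATH`, so the guard does not protect the call it precedes and the script can pick up a different binary than the one the init script resolved; the file this was copied from invoked `"$nft"`. Change the two loop lines to `while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"` (and the `_6` equivalent). Note also that the ipset branch's `ipset restore -!` suppresses per-entry errors, so `_ret=0` there means only that the restore ran, not that every prefix was added.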


@ -6,8 +6,6 @@
TARGET_INTERFACE='wan' TARGET_INTERFACE='wan'
TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user" TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user" TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
TARGET_TABLE='inet fw4' TARGET_TABLE='inet fw4'
TARGET_ASN='2906' TARGET_ASN='2906'
TARGET_DL_FILE_4="/var/pbr_tmp_AS${TARGET_ASN}.ipv4" TARGET_DL_FILE_4="/var/pbr_tmp_AS${TARGET_ASN}.ipv4"
@ -34,16 +32,11 @@ if [ ! -s "$TARGET_DL_FILE_4" ]; then
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE_4" uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE_4"
fi fi
fi fi
if [ -s "$TARGET_DL_FILE_4" ]; then if [ -s "$TARGET_DL_FILE_4" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then params=
while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4" while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_4"
elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then [ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi fi
if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
@ -53,15 +46,9 @@ if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
fi fi
fi fi
if [ -s "$TARGET_DL_FILE_6" ]; then if [ -s "$TARGET_DL_FILE_6" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then params=
while read -r p; do "$nft" "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6" while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_6"
elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then [ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi fi
return $_ret return $_ret
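Review bot: Batching the downloaded prefixes into one `nft "add element ... { $params }"` call changes the failure mode without any validation step: the file comes from `uclient-fetch --no-check-certificate` piped through `jsonfilter`, and a single malformed line (or, for the other `DB_SOURCE` values this script supports, an API error message) now either rejects the entire set or, since it lands inside the braces unquoted, can inject further nft statements, whereas the previous loop isolated each element. Filter each line before joining, e.g. insert `case "$p" in ''|*[!0-9./]*) continue ;; esac` at the top of the IPv4 loop body and `case "$p" in ''|*[!0-9a-fA-F:./]*) continue ;; esac` in the IPv6 one, and consider removing `--no-check-certificate` now that the package no longer targets pre-TLS-bundle releases. The hunk at `@ -34,16 +32,11 @@` starts inside the download `if`, so the source selection it sits in is outside this view.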


@ -0,0 +1,67 @@
#!/bin/sh
# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
# Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
# Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
TARGET_INTERFACE='wan'
TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
TARGET_IPSET_4="pbr_${TARGET_INTERFACE}_4_dst_net_user"
TARGET_IPSET_6="pbr_${TARGET_INTERFACE}_6_dst_net_user"
TARGET_TABLE='inet fw4'
TARGET_ASN='2906'
TARGET_DL_FILE_4="/var/pbr_tmp_AS${TARGET_ASN}.ipv4"
# Uncomment the following line if you enabled ipv6 for pbr and want IPv6 entries added to the IPv6 set
# TARGET_DL_FILE_6="/var/pbr_tmp_AS${TARGET_ASN}.ipv6"
DB_SOURCE='ipinfo.io'
#DB_SOURCE='api.hackertarget.com'
#DB_SOURCE='api.bgpview.io'
REGEX_IPV4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,\}'
REGEX_IPV6='.*::.*'
_ret=0
if [ ! -s "$TARGET_DL_FILE_4" ]; then
if [ "$DB_SOURCE" = "ipinfo.io" ]; then
TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed -n "s|\(.*\)/AS${TARGET_ASN}/\($REGEX_IPV4\)\"|\2|p" > "$TARGET_DL_FILE_4"
fi
if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_DL_FILE_4"
fi
if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE_4"
fi
fi
if [ -s "$TARGET_DL_FILE_4" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then
while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $p }" || _ret=1; done < "$TARGET_DL_FILE_4"
elif ipset -q list "$TARGET_IPSET_4" >/dev/null 2>&1; then
if awk -v ipset="$TARGET_IPSET_4" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_4" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi
if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
if [ "$DB_SOURCE" = "ipinfo.io" ]; then
TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed -n "s|\(.*\)/AS${TARGET_ASN}/\($REGEX_IPV6\)\"|\2|p" > "$TARGET_DL_FILE_6"
fi
fi
if [ -s "$TARGET_DL_FILE_6" ]; then
if [ -n "$nft" ] && [ -x "$nft" ]; then
while read -r p; do nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $p }" || _ret=1; done < "$TARGET_DL_FILE_6"
elif ipset -q list "$TARGET_IPSET_6" >/dev/null 2>&1; then
if awk -v ipset="$TARGET_IPSET_6" '{print "add " ipset " " $1}' "$TARGET_DL_FILE_6" | ipset restore -!; then
_ret=0
else
_ret=1
fi
fi
fi
return $_ret
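Review bot: `REGEX_IPV6='.*::.*'` is far looser than its IPv4 sibling: in the `sed -n "s|\(.*\)/AS${TARGET_ASN}/\($REGEX_IPV6\)\"|\2|p"` line it matches greedily up to the last `"` on the line, so any HTML that follows the prefix on the same line ends up in `$TARGET_DL_FILE_6` and is then passed straight to `nft add element`. Tighten it to the characters a prefix can contain, `REGEX_IPV6='[0-9a-fA-F:]*::[0-9a-fA-F:]*/[0-9]\{1,3\}'`, so the capture stops at the prefix length. Separately, the `[ -n "$nft" ] && [ -x "$nft" ]` guards are followed by calls to bare `nft` rather than `"$nft"`, so the checked path is not the one executed; use `"$nft"` in both loops.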


@ -6,10 +6,11 @@ WAN_INTERFACE='wan'
_ret='1' _ret='1'
insert_ip_rule() { insert_ip_rule() {
local proto listen_port local disabled proto listen_port
config_get disabled "$1" disabled "0"
config_get proto "$1" proto config_get proto "$1" proto
config_get listen_port "$1" listen_port config_get listen_port "$1" listen_port
if [ "$proto" = 'wireguard' ] && [ -n "$listen_port" ]; then if [ "$disabled" -ne '1' ] && [ "$proto" = 'wireguard' ] && [ -n "$listen_port" ]; then
ip rule del sport "$listen_port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1 ip rule del sport "$listen_port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1
ip rule add sport "$listen_port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1 && _ret=0 ip rule add sport "$listen_port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1 && _ret=0
fi fi
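Review bot: `[ "$disabled" -ne '1' ]` does an integer comparison on a UCI boolean, but UCI accepts `true`/`yes`/`on`/`enabled` as well as `1`; for any of those spellings the test prints a "bad number" error and evaluates false, so the WireGuard rule is silently not inserted while the interface is actually enabled, and for a `disabled 'false'` interface it is skipped outright. Use the helper that normalises booleans: `config_get_bool disabled "$1" disabled '0'` in place of the `config_get disabled` line, and `[ "$disabled" -eq 0 ]` in the condition. `insert_ip_rule` closes after the end of the hunk.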