pbr: initial commit

* The makefile produces the nft and iptables capable `pbr` package
  and the `pbr-iptables` package for legacy setups
* This replaces `vpnbypass` and `vpn-policy-routing` packages
* I'm soliciting feedback on this package and my intention is to
  update the version to 1.0.0 before this is merged, but I need the
  feedback on this and luci-app-pbr before then.

Signed-off-by: Stan Grishin <stangri@melmac.ca>

net/pbr/Makefile

@@ -0,0 +1,201 @@
+# Copyright 2017-2022 Stan Grishin (stangri@melmac.ca)
+# This is free software, licensed under the GNU General Public License v3.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=pbr
+PKG_VERSION:=1.0.0
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/pbr/default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=VPN
+  PROVIDES:=pbr
+  TITLE:=Policy Based Routing Service
+  URL:=https://docs.openwrt.melmac.net/pbr/
+  DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
+  CONFLICTS:=vpnbypass vpn-policy-routing
+  PROVIDES:=vpnbypass vpn-policy-routing
+  PKGARCH:=all
+endef
+
+define Package/pbr
+$(call Package/pbr/default)
+	TITLE+= with nft/nft set support
+	DEPENDS+=+firewall4 +kmod-nft-core +kmod-nft-nat +nftables-json
+endef
+
+define Package/pbr-iptables
+$(call Package/pbr/default)
+	TITLE+= with iptables/ipset support
+	DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt
+endef
+
+define Package/pbr-netifd
+$(call Package/pbr/default)
+	TITLE+= with netifd support
+endef
+
+define Package/pbr/description
+This service enables policy-based routing for WAN interfaces and various VPN tunnels.
+This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
+endef
+
+define Package/pbr-iptables/description
+This service enables policy-based routing for WAN interfaces and various VPN tunnels.
+This version supports OpenWrt with fw3/ipset/iptables.
+endef
+
+define Package/pbr-netifd/description
+This service enables policy-based routing for WAN interfaces and various VPN tunnels.
+This version supports OpenWrt with both fw3/ipset/iptables and fw4/nft.
+This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
+endef
+
+define Package/pbr/conffiles
+/etc/config/pbr
+endef
+
+Package/pbr-iptables/conffiles = $(Package/pbr/conffiles)
+Package/pbr-netifd/conffiles = $(Package/pbr/conffiles)
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/pbr/default/install
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr
+	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN)  ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
+	$(INSTALL_DIR) $(1)/usr/share/pbr
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
+endef
+
+define Package/pbr/install
+$(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
+	$(INSTALL_DIR) $(1)/usr/share/nftables.d
+	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
+endef
+
+define Package/pbr-iptables/install
+$(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
+endef
+
+define Package/pbr-netifd/install
+$(call Package/pbr/default/install,$(1))
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN)  ./files/etc/uci-defaults/91-pbr $(1)/etc/uci-defaults/91-pbr
+endef
+
+define Package/pbr/postinst
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		chmod -x /etc/init.d/pbr || true
+		fw4 -q reload || true
+		chmod +x /etc/init.d/pbr || true
+		echo -n "Installing rc.d symlink for pbr... "
+		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr/prerm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		uci -q delete firewall.pbr || true
+		echo "Stopping pbr service... "
+		/etc/init.d/pbr stop || true
+		echo -n "Removing rc.d symlink for pbr... "
+		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr/postrm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		fw4 -q reload || true
+	fi
+	exit 0
+endef
+
+define Package/pbr-iptables/postinst
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		echo -n "Installing rc.d symlink for pbr... "
+		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr-iptables/prerm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		uci -q delete firewall.pbr || true
+		echo "Stopping pbr service... "
+		/etc/init.d/pbr stop || true
+		echo -n "Removing rc.d symlink for pbr... "
+		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr-netifd/postinst
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		echo -n "Installing rc.d symlink for pbr... "
+		/etc/init.d/pbr enable && echo "OK" || echo "FAIL"
+	#	echo -n "Installing netifd support for pbr... "
+	#	/etc/init.d/pbr netifd install && echo "OK" || echo "FAIL"
+	#	echo -n "Restarting network... "
+	#	/etc/init.d/network restart && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+define Package/pbr-netifd/prerm
+	#!/bin/sh
+	# check if we are on real system
+	if [ -z "$${IPKG_INSTROOT}" ]; then
+		uci -q delete firewall.pbr || true
+		echo "Stopping pbr service... "
+		/etc/init.d/pbr stop || true
+	#	echo -n "Removing netifd support for pbr... "
+	#	/etc/init.d/pbr netifd remove && echo "OK" || echo "FAIL"
+		echo -n "Removing rc.d symlink for pbr... "
+		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+	#	echo -n "Restarting network... "
+	#	/etc/init.d/network restart && echo "OK" || echo "FAIL"
+	fi
+	exit 0
+endef
+
+$(eval $(call BuildPackage,pbr))
+$(eval $(call BuildPackage,pbr-iptables))
+#$(eval $(call BuildPackage,pbr-netifd))

net/pbr/files/README.md

@@ -0,0 +1,3 @@
+# README
+
+README is available at [https://docs.openwrt.melmac.net/pbr/](https://docs.openwrt.melmac.net/pbr/).

net/pbr/files/etc/config/pbr

@@ -0,0 +1,45 @@
+config pbr 'config'
+	option enabled '0'
+	option verbosity '2'
+	option strict_enforcement '1'
+	option resolver_set 'none'
+	option ipv6_enabled '0'
+	list ignored_interface 'vpnserver'
+	list ignored_interface 'wgserver'
+	option boot_timeout '30'
+	option rule_create_option 'add'
+	option procd_reload_delay '1'
+	option webui_show_ignore_target '0'
+	list webui_supported_protocol 'all'
+	list webui_supported_protocol 'tcp'
+	list webui_supported_protocol 'udp'
+	list webui_supported_protocol 'tcp udp'
+	list webui_supported_protocol 'icmp'
+
+config include
+	option path '/usr/share/pbr/pbr.user.aws'
+	option enabled 0
+
+config include
+	option path '/usr/share/pbr/pbr.user.netflix'
+	option enabled 0
+
+config policy
+	option name 'Plex/Emby Local Server'
+	option interface 'wan'
+	option src_port '8096 8920 32400'
+	option enabled '0'
+
+config policy
+	option name 'Plex/Emby Remote Servers'
+	option interface 'wan'
+	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
+	option enabled '0'
+
+config policy
+	option name 'WireGuard Server'
+	option interface 'wan'
+	option src_port '51820'
+	option chain 'OUTPUT'
+	option proto 'udp'
+	option enabled '0'

net/pbr/files/etc/config/pbr.iptables

@@ -0,0 +1,45 @@
+config pbr 'config'
+	option enabled '0'
+	option verbosity '2'
+	option strict_enforcement '1'
+	option resolver_set 'dnsmasq.ipset'
+	option ipv6_enabled '0'
+	list ignored_interface 'vpnserver'
+	list ignored_interface 'wgserver'
+	option boot_timeout '30'
+	option rule_create_option 'add'
+	option procd_reload_delay '1'
+	option webui_show_ignore_target '0'
+	list webui_supported_protocol 'all'
+	list webui_supported_protocol 'tcp'
+	list webui_supported_protocol 'udp'
+	list webui_supported_protocol 'tcp udp'
+	list webui_supported_protocol 'icmp'
+
+config include
+	option path '/usr/share/pbr/pbr.user.aws'
+	option enabled 0
+
+config include
+	option path '/usr/share/pbr/pbr.user.netflix'
+	option enabled 0
+
+config policy
+	option name 'Plex/Emby Local Server'
+	option interface 'wan'
+	option src_port '8096 8920 32400'
+	option enabled '0'
+
+config policy
+	option name 'Plex/Emby Remote Servers'
+	option interface 'wan'
+	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
+	option enabled '0'
+
+config policy
+	option name 'WireGuard Server'
+	option interface 'wan'
+	option src_port '51820'
+	option chain 'OUTPUT'
+	option proto 'udp'
+	option enabled '0'

net/pbr/files/etc/hotplug.d/firewall/70-pbr

@@ -0,0 +1,6 @@
+#!/bin/sh
+[ "$ACTION" = "reload" ] ||[ "$ACTION" = "restart" ] || exit 0
+if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
+	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
+	/etc/init.d/pbr reload
+fi

net/pbr/files/etc/hotplug.d/iface/70-pbr

@@ -0,0 +1,8 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3060
+[ -s /etc/openwrt_release ] && . /etc/openwrt_release
+[ "${DISTRIB_RELEASE//19.07}" = "$DISTRIB_RELEASE" ] && exit 0
+if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
+	logger -t pbr "Reloading pbr $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)"
+	/etc/init.d/pbr reload_interface "$INTERFACE"
+fi

net/pbr/files/etc/uci-defaults/90-pbr

@@ -0,0 +1,34 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3037,SC3043
+
+readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
+
+# Transition from vpn-policy-routing
+if [ -s '/etc/config/vpn-policy-routing' ] && [ ! -s '/etc/config/pbr-opkg' ]; then
+	echo "Migrating vpn-policy-routing config file."
+	mv '/etc/config/pbr' '/etc/config/pbr-opkg'
+	sed 's/vpn-policy-routing/pbr/g' /etc/config/vpn-policy-routing > /etc/config/pbr
+	uci set vpn-policy-routing.config.enabled=0; uci commit vpn-policy-routing;
+fi
+
+# Transition from older versions of pbr
+sed -i 's/resolver_ipset/resolver_set/g' /etc/config/pbr
+sed -i 's/iptables_rule_option/rule_create_option/g' /etc/config/pbr
+sed -i "s/'FORWARD'/'forward'/g" /etc/config/pbr
+sed -i "s/'INPUT'/'input'/g" /etc/config/pbr
+sed -i "s/'OUTPUT'/'output'/g" /etc/config/pbr
+sed -i "s/'PREROUTING'/'prerouting'/g" /etc/config/pbr
+sed -i "s/'POSTROUTING'/'postrouting'/g" /etc/config/pbr
+sed -i "s/option fw_mask '0x\(.*\)'/option fw_mask '\1'/g" /etc/config/pbr
+sed -i "s/option wan_mark '0x\(.*\)'/option wan_mark '\1'/g" /etc/config/pbr
+
+uci -q batch <<-EOT
+	delete firewall.pbr
+	set firewall.pbr='include'
+	set firewall.pbr.fw4_compatible='1'
+	set firewall.pbr.type='script'
+	set firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
+	commit firewall
+EOT
+
+exit 0

net/pbr/files/etc/uci-defaults/91-pbr

@@ -0,0 +1,58 @@
+#!/bin/sh
+# shellcheck disable=SC1091,SC3037,SC3043
+
+readonly packageName='pbr'
+readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
+
+pbr_iface_setup() {
+	local iface="${1}"
+	local proto
+	config_get proto "${iface}" proto
+	case "${iface}" in
+		(lan|loopback) return 0 ;;
+	esac
+	case "${proto}" in
+		(gre*|nebula|relay|vti*|vxlan|xfrm) return 0 ;;
+		(none)
+			uci -q set "network.${iface}_rt=route"
+			uci -q set "network.${iface}_rt.interface=${iface}"
+			uci -q set "network.${iface}_rt.target=0.0.0.0/0"
+			uci -q set "network.${iface}_rt6=route6"
+			uci -q set "network.${iface}_rt6.interface=${iface}"
+			uci -q set "network.${iface}_rt6.target=::/0"
+		;;
+	esac
+	echo -en "Setting up ${packageName} routing tables for ${iface}... "
+	uci -q set "network.${iface}.ip4table=${packageName}_${iface%6}"
+	uci -q set "network.${iface}.ip6table=${packageName}_${iface%6}"
+	if ! grep -q -E -e "^[0-9]+\s+${packageName}_${iface%6}$" /etc/iproute2/rt_tables; then
+		sed -i -e "\$a $(($(sort -r -n /etc/iproute2/rt_tables | grep -o -E -m 1 "^[0-9]+")+1))\t${packageName}_${iface%6}" \
+			/etc/iproute2/rt_tables
+	fi
+	echo -e "${__OK__}"
+}
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+config_load network
+config_foreach pbr_iface_setup interface
+network_flush_cache
+network_find_wan iface
+network_find_wan6 iface6
+# shellcheck disable=SC2154
+[ -n "$iface" ] && uci -q batch << EOF
+set network.default='rule'
+set network.default.lookup='${packageName}_${iface%6}'
+set network.default.priority='80000'
+EOF
+[ -n "$iface6" ] && uci -q batch << EOF
+set network.default6='rule6'
+set network.default6.lookup='${packageName}_${iface6%6}'
+set network.default6.priority='80000'
+EOF
+uci commit network
+echo -en "Restarting network... "
+/etc/init.d/network restart
+echo -e "${__OK__}"
+
+exit 0

net/pbr/files/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_forward comment "Jump into pbr forward chain";

net/pbr/files/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_input comment "Jump into pbr input chain";

net/pbr/files/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_output comment "Jump into pbr output chain";

net/pbr/files/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_postrouting comment "Jump into pbr postrouting chain";

net/pbr/files/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft

@@ -0,0 +1 @@
+jump pbr_prerouting comment "Jump into pbr prerouting chain";

net/pbr/files/usr/share/nftables.d/table-post/30-pbr.nft

@@ -0,0 +1,5 @@
+chain pbr_forward {}
+chain pbr_input {}
+chain pbr_output {}
+chain pbr_prerouting {}
+chain pbr_postrouting {}

net/pbr/files/usr/share/pbr/pbr.firewall.include

@@ -0,0 +1,5 @@
+#!/bin/sh
+if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
+	logger -t "pbr" "Reloading pbr due to $ACTION of firewall"
+	/etc/init.d/pbr on_firewall_reload "$ACTION"
+fi

net/pbr/files/usr/share/pbr/pbr.user.aws

@@ -0,0 +1,33 @@
+#!/bin/sh
+# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
+
+TARGET_SET='pbr_wan_4_dst_ip_user'
+TARGET_IPSET='pbr_wan_4_dst_net_user'
+TARGET_TABLE='inet fw4'
+TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
+TARGET_DL_FILE="/var/pbr_tmp_aws_ip_ranges"
+TARGET_NFT_FILE="/var/pbr_tmp_aws_ip_ranges.nft"
+[ -z "$nft" ] && nft="$(command -v nft)"
+_ret=1
+
+if [ ! -s "$TARGET_DL_FILE" ]; then
+	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE"
+fi
+
+if [ -s "$TARGET_DL_FILE" ]; then
+	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
+		if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
+			_ret=0
+		fi
+	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
+		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
+		awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
+		printf " } " >> "$TARGET_NFT_FILE"
+		if "$nft" -f "$TARGET_NFT_FILE"; then
+			rm -f "$TARGET_NFT_FILE"
+			_ret=0
+		fi
+	fi
+fi
+
+return $_ret

net/pbr/files/usr/share/pbr/pbr.user.netflix

@@ -0,0 +1,49 @@
+#!/bin/sh
+# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
+# Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
+# Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
+
+TARGET_SET='pbr_wan_4_dst_ip_user'
+TARGET_IPSET='pbr_wan_4_dst_net_user'
+TARGET_TABLE='inet fw4'
+TARGET_ASN='2906'
+TARGET_DL_FILE="/var/pbr_tmp_AS${TARGET_ASN}"
+TARGET_NFT_FILE="/var/pbr_tmp_AS${TARGET_ASN}.nft"
+#DB_SOURCE='ipinfo.io'
+#DB_SOURCE='api.hackertarget.com'
+DB_SOURCE='api.bgpview.io'
+[ -z "$nft" ] && nft="$(command -v nft)"
+_ret=1
+
+if [ ! -s "$TARGET_DL_FILE" ]; then
+	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
+		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_DL_FILE"
+	fi
+	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
+		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_DL_FILE"
+	fi
+	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
+		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
+		uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE"
+	fi
+fi
+
+if [ -s "$TARGET_DL_FILE" ]; then
+	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
+			if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
+				_ret=0
+			fi
+	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
+		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
+		awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
+		printf " } " >> "$TARGET_NFT_FILE"
+		if "$nft" -f "$TARGET_NFT_FILE"; then
+			rm -f "$TARGET_NFT_FILE"
+			_ret=0
+		fi
+	fi
+fi
+
+return $_ret

net/vpn-policy-routing/Makefile

@@ -1,68 +0,0 @@
-# Copyright 2017-2018 Stan Grishin (stangri@melmac.net)
-# This is free software, licensed under the GNU General Public License v3.
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=vpn-policy-routing
-PKG_VERSION:=0.3.4
-PKG_RELEASE:=8
-PKG_LICENSE:=GPL-3.0-or-later
-PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/vpn-policy-routing
-	SECTION:=net
-	CATEGORY:=Network
-	TITLE:=VPN Policy-Based Routing Service
-	URL:=https://docs.openwrt.melmac.net/vpn-policy-routing/
-	DEPENDS:=+jshn +ipset +iptables +resolveip +kmod-ipt-ipset +iptables-mod-ipopt +ip-full
-	PKGARCH:=all
-endef
-
-define Package/vpn-policy-routing/description
-This service allows policy-based routing for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels and WAN interface.
-Policies can specify domains, local IPs/subnets and ports, as well as remote IPs/subnets and ports.
-endef
-
-define Package/vpn-policy-routing/conffiles
-/etc/config/vpn-policy-routing
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/vpn-policy-routing/install
-	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall $(1)/etc/
-	$(INSTALL_BIN) ./files/vpn-policy-routing.init $(1)/etc/init.d/vpn-policy-routing
-	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpn-policy-routing
-	$(INSTALL_CONF) ./files/vpn-policy-routing.config $(1)/etc/config/vpn-policy-routing
-	$(INSTALL_DATA) ./files/vpn-policy-routing.firewall.hotplug $(1)/etc/hotplug.d/firewall/70-vpn-policy-routing
-	$(INSTALL_DATA) ./files/vpn-policy-routing.aws.user $(1)/etc/vpn-policy-routing.aws.user
-	$(INSTALL_DATA) ./files/vpn-policy-routing.netflix.user $(1)/etc/vpn-policy-routing.netflix.user
-endef
-
-define Package/vpn-policy-routing/postinst
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		/etc/init.d/vpn-policy-routing enable
-	fi
-	exit 0
-endef
-
-define Package/vpn-policy-routing/prerm
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		echo "Stopping service and removing rc.d symlink for vpn-policy-routing"
-		/etc/init.d/vpn-policy-routing stop || true
-		/etc/init.d/vpn-policy-routing disable || true
-	fi
-	exit 0
-endef
-
-$(eval $(call BuildPackage,vpn-policy-routing))

net/vpn-policy-routing/files/README.md

@@ -1,3 +0,0 @@
-# README
-
-README has been moved to [https://docs.openwrt.melmac.net/vpn-policy-routing/](https://docs.openwrt.melmac.net/vpn-policy-routing/).

net/vpn-policy-routing/files/vpn-policy-routing.aws.user

@@ -1,19 +0,0 @@
-#!/bin/sh
-# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
-
-TARGET_IPSET='wan'
-
-TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
-TARGET_FNAME="/var/vpn-policy-routing_tmp_aws_ip_ranges"
-
-_ret=1
-
-if [ ! -s "$TARGET_FNAME" ]; then
-	curl "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_FNAME"
-fi
-if [ -s "$TARGET_FNAME" ]; then
-	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
-fi
-rm -f "$TARGET_FNAME"
-
-return $_ret

net/vpn-policy-routing/files/vpn-policy-routing.config

@@ -1,30 +0,0 @@
-config vpn-policy-routing 'config'
-	option enabled '0'
-	option verbosity '2'
-	option strict_enforcement '1'
-	option src_ipset '0'
-	option dest_ipset '0'
-	option resolver_ipset 'dnsmasq.ipset'
-	option ipv6_enabled '0'
-	list ignored_interface 'vpnserver wgserver'
-	option boot_timeout '30'
-	option iptables_rule_option 'append'
-	option procd_reload_delay '1'
-	option webui_enable_column '0'
-	option webui_protocol_column '0'
-	option webui_chain_column '0'
-	option webui_show_ignore_target '0'
-	option webui_sorting '1'
-	list webui_supported_protocol 'tcp'
-	list webui_supported_protocol 'udp'
-	list webui_supported_protocol 'tcp udp'
-	list webui_supported_protocol 'icmp'
-	list webui_supported_protocol 'all'
-
-config include
-	option path '/etc/vpn-policy-routing.netflix.user'
-	option enabled 0
-
-config include
-	option path '/etc/vpn-policy-routing.aws.user'
-	option enabled 0

net/vpn-policy-routing/files/vpn-policy-routing.firewall.hotplug

@@ -1,6 +0,0 @@
-#!/bin/sh
-
-[ "$ACTION" = "reload" ] || exit 0
-
-logger -t "vpn-policy-routing" "Reloading vpn-policy-routing due to $ACTION of firewall"
-/etc/init.d/vpn-policy-routing reload

net/vpn-policy-routing/files/vpn-policy-routing.netflix.user

@@ -1,37 +0,0 @@
-#!/bin/sh
-# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
-# Credits to https://forum.openwrt.org/u/dscpl for api.hackertarget.com code.
-# Credits to https://github.com/kkeker and https://github.com/tophirsch for api.bgpview.io code.
-
-TARGET_IPSET='wan'
-TARGET_ASN='2906'
-TARGET_FNAME="/var/vpn-policy-routing_tmp_AS${TARGET_ASN}"
-#DB_SOURCE='ipinfo.io'
-#DB_SOURCE='api.hackertarget.com'
-DB_SOURCE='api.bgpview.io'
-
-_ret=1
-
-if [ ! -s "$TARGET_FNAME" ]; then
-	if [ "$DB_SOURCE" = "ipinfo.io" ]; then
-		TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
-		curl "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_FNAME"
-	fi
-
-	if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
-		TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
-		curl "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_FNAME"
-	fi
-
-	if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
-		TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
-		curl -s "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME"
-	fi
-fi
-
-if [ -s "$TARGET_FNAME" ]; then
-	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
-fi
-rm -f "$TARGET_FNAME"
-
-return $_ret

net/vpnbypass/Makefile

@@ -1,69 +0,0 @@
-# Copyright 2017-2018 Stan Grishin (stangri@melmac.net)
-# This is free software, licensed under the GNU General Public License v3.
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=vpnbypass
-PKG_VERSION:=1.3.2
-PKG_RELEASE:=1
-PKG_LICENSE:=GPL-3.0-or-later
-PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/vpnbypass
-	SECTION:=net
-	CATEGORY:=Network
-	TITLE:=VPN Bypass Service
-	URL:=https://docs.openwrt.melmac.net/vpnbypass/
-	DEPENDS:=+ipset +iptables
-	PKGARCH:=all
-endef
-
-define Package/vpnbypass/description
-This service can be used to enable simple VPN split tunnelling.
-Supports accessing domains, IP ranges outside of your VPN tunnel.
-Also supports dedicating local ports/IP ranges for direct
-internet access (outside of your VPN tunnel).
-Please see the README for further information.
-endef
-
-define Package/vpnbypass/conffiles
-/etc/config/vpnbypass
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/vpnbypass/install
-	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/hotplug.d/firewall
-	$(INSTALL_BIN) ./files/vpnbypass.init $(1)/etc/init.d/vpnbypass
-	$(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/vpnbypass
-	$(INSTALL_CONF) ./files/vpnbypass.config $(1)/etc/config/vpnbypass
-	$(INSTALL_DATA) ./files/vpnbypass.hotplug $(1)/etc/hotplug.d/firewall/94-vpnbypass
-endef
-
-define Package/vpnbypass/postinst
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		/etc/init.d/vpnbypass enable
-	fi
-	exit 0
-endef
-
-define Package/vpnbypass/prerm
-	#!/bin/sh
-	# check if we are on real system
-	if [ -z "$${IPKG_INSTROOT}" ]; then
-		echo "Stopping service and removing rc.d symlink for vpnbypass"
-		/etc/init.d/vpnbypass stop || true
-		/etc/init.d/vpnbypass disable || true
-	fi
-	exit 0
-endef
-
-$(eval $(call BuildPackage,vpnbypass))

net/vpnbypass/files/README.md

@@ -1,3 +0,0 @@
-# README
-
-README has been moved to [https://docs.openwrt.melmac.net/vpnbypass/](https://docs.openwrt.melmac.net/vpnbypass/).

net/vpnbypass/files/vpnbypass.config

@@ -1,5 +0,0 @@
-config vpnbypass 'config'
-	option enabled		'0'
-	list localport		'32400'
-	list localsubnet	'192.168.1.81/29'
-	list remotesubnet	'25.0.0.0/8'

net/vpnbypass/files/vpnbypass.hotplug

@@ -1,2 +0,0 @@
-#!/bin/sh
-[ "$ACTION" = "reload" ] && /etc/init.d/vpnbypass reload

net/vpnbypass/files/vpnbypass.init

@@ -1,146 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright 2017-2020 Stan Grishin (stangri@melmac.net)
-# shellcheck disable=SC2039,SC1091,SC2086,SC3043,SC3057,SC3060
-PKG_VERSION='dev-test'
-
-# shellcheck disable=SC2034
-START=94
-# shellcheck disable=SC2034
-USE_PROCD=1
-
-if type extra_command 1>/dev/null 2>&1; then
-	extra_command 'version' 'Show version information'
-else
-# shellcheck disable=SC2034
-	EXTRA_COMMANDS='version'
-fi
-
-version() { echo "$PKG_VERSION"; }
-
-readonly __ERROR__='\033[0;31mERROR\033[0m'
-
-# shellcheck disable=SC2034
-serviceEnabled=0
-verbosity=2
-TID='200'
-IPSET='vpnbypass'
-FW_MARK='0x010000'
-FW_MASK='0xff0000'
-wan_if4=''
-wan_gw=''
-
-readonly packageName='vpnbypass'
-readonly serviceName="$packageName $PKG_VERSION"
-readonly sharedMemoryOutput="/dev/shm/$packageName-output"
-
-output() {
-# Can take a single parameter (text) to be output at any verbosity
-# Or target verbosity level and text to be output at specifc verbosity
-	local msg memmsg logmsg
-	if [ $# -ne 1 ]; then
-		if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
-	fi
-	[ -t 1 ] && printf "%b" "$1"
-	msg="${1//$serviceName /service }";
-	if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
-		[ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
-		logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
-		logger -t "${packageName:-service} [$$]" "$(printf "%b" "$logmsg")"
-		rm -f "$sharedMemoryOutput"
-	else
-		printf "%b" "$msg" >> "$sharedMemoryOutput"
-	fi
-}
-load_package_config() {
-	config_load "$packageName"
-	config_get_bool serviceEnabled 'config' 'enabled' 1
-	config_get verbosity           'config' 'verbosity' '2'
-	if [ -z "${verbosity##*[!0-9]*}" ] || [ "$verbosity" -lt 0 ] || [ "$verbosity" -gt 2 ]; then
-		verbosity=1
-	fi
-	. /lib/functions/network.sh
-}
-
-is_enabled() {
-	local sleepCount=1
-	load_package_config
-	while : ; do
-		network_find_wan wan_if4
-		[ "$serviceEnabled" -gt 0 ] || return 1
-		[ -n "$wan_if4" ] && network_get_gateway wan_gw "$wan_if4"
-		if [ $sleepCount -ge 25 ] || [ -n "$wan_gw" ]; then break; fi
-		output "$serviceName waiting for wan gateway...\\n"
-		sleep 2; network_flush_cache; sleepCount=$((sleepCount+1));
-	done
-	[ -n "$wan_gw" ] && return 0
-	output "$__ERROR__: $serviceName failed to discover WAN gateway.\\n"; return 1;
-}
-
-is_ovpn() { local dev i; for i in ifname device; do [ -z "$dev" ] && dev="$(uci -q get "network.${1}.${i}")"; done; if [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; then return 0; else return 1; fi; }
-is_wan() { if [ -n "$wan_if4" ] && [ "$1" = "$wan_if4" ]; then return 0; else return 1; fi; }
-is_supported_interface() { if is_wan "$1" || is_ovpn "$1"; then return 0; else return 1; fi; }
-
-ipt() {
-	local d; 
-	d="${*//-A/-D}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="${*//-I/-D}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="${*//-N/-F}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="${*//-N/-X}"; [ "$d" != "$*" ] && iptables $d >/dev/null 2>&1
-	d="$*"; iptables $d >/dev/null 2>&1 || output "\\n$__ERROR__: iptables $d\\n"
-}
-
-start_service() {
-	local ll lports rports routes ranges
-	is_enabled || return 1
-	config_get lports   'config' 'localport'
-	config_get rports   'config' 'remoteport'
-	config_get routes   'config' 'remotesubnet'
-	config_get ranges   'config' 'localsubnet'
-
-	procd_open_instance "main"
-	procd_set_param command /bin/true
-	procd_set_param stdout 1
-	procd_set_param stderr 1
-	procd_close_instance
-
-	ip rule del fwmark "$FW_MARK" table "$TID" >/dev/null 2>&1; 
-	ipset -q flush "$IPSET"; ipset -q destroy "$IPSET";
-	ip route flush table "$TID"; ip route flush cache;
-	ip route add default via "$wan_gw" table "$TID"; ip route flush cache;
-	ip rule add fwmark "$FW_MARK" table "$TID"
-	ipset -q -exist create "$IPSET" hash:ip; ipset -q flush "$IPSET"
-	{ modprobe xt_set; modprobe ip_set; modprobe ip_set_hash_ip; } >/dev/null 2>&1
-	ipt -t mangle -D PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS >/dev/null 2>&1
-	{ ipt -t mangle -N VPNBYPASS; ipt -t mangle -A PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS; } >/dev/null 2>&1
-	ipt -t mangle -A VPNBYPASS -m set --match-set $IPSET dst -j MARK --set-mark ${FW_MARK}/${FW_MASK} >/dev/null 2>&1
-	for ll in ${ranges}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -s "$ll"; done
-	for ll in ${lports}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -p tcp -m multiport --sport "${ll//-/:}"; done
-	for ll in ${routes}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -d "$ll"; done
-	for ll in ${rports}; do ipt -t mangle -A VPNBYPASS -j MARK --set-mark ${FW_MARK}/${FW_MASK} -p tcp -m multiport --dport "${ll//-/:}"; done
-	output "$serviceName started with TID: $TID; FW_MARK: $FW_MARK\\n"
-}
-
-stop_service() {
-	load_package_config
-	ip rule del fwmark "$FW_MARK" table "$TID" >/dev/null 2>&1; 
-	ipset -q flush "$IPSET"; ipset -q destroy "$IPSET";
-	ip route flush table "$TID"; ip route flush cache;
-	ipt -t mangle -D PREROUTING -m mark --mark 0x00/${FW_MASK} -g VPNBYPASS >/dev/null 2>&1
-	{ ipt -t mangle -F VPNBYPASS; ipt -t mangle -X VPNBYPASS; } >/dev/null 2>&1
-	output "$serviceName stopped\\n"
-}
-
-service_triggers_load_interface() { is_supported_interface "$1" && ifaces="${ifaces}${1} "; }
-service_triggers() {
-	local ifaces n
-	config_load network; config_foreach service_triggers_load_interface 'interface';
-	procd_open_trigger
-		procd_add_reload_trigger 'openvpn'
-		if type procd_add_service_trigger 1>/dev/null 2>&1; then
-			procd_add_service_trigger "service.restart" "firewall" /etc/init.d/${packageName} reload
-		fi
-		procd_add_config_trigger "config.change" "${packageName}" /etc/init.d/${packageName} reload
-		for n in $ifaces; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/vpnbypass reload; done;
-		output "$serviceName monitoring interfaces: $ifaces\\n"
-	procd_close_trigger
-}

net/vpnbypass/test.sh

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-/etc/init.d/"$1" version 2>&1 | grep "$2"