The mwan3 with IPsec does not work in a failover scenario as expected.
Because the default table is used for an lookup which traffic should be
encrypt.
The traffic for encryption is sent out on the interface with the lowest
metric. No matter which interface is currently seen as connected by the
mwan3.
In order for this that mwan3 could work with IPsec, an additional metric
is set that indicates which interface is currently connected. And the
interface with the lowest 'online_metric' is used as the IPsec interface.
If the interface is not considered connected by the mwan3, then the
online_metric for this interface is not set and the next route with an
higher metric is used.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
It turns out that under high system load, ipsets cannot be deleted. This
is because there is still a reference in iptables. A short sleep should
give the system time to clean this up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Nft does not directly support ipsets, nft sets must be used instead.
The mwan3 uses ipsets for certain tasks. They can be combinded. So called
an ipset of ipsets. This list type is not available in nft. So that
mwan3 could be ported to nft in the feature, the ipset handling should be
split. So we have for each ipset an iptables rule.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In the procd refactor, support for interfaces with no tracking IPs was
inadvertentiy removed. This commit restores the previous behavior
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
It was somewhat opaque how the variable a is questioned. To show this
better the variable is now a string and not a boolean. So you can see
directly what should happen. With a boolean you always have to think
about what it means when 0 or 1 is used.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Replace locks on /var/run/mwan3.lock with locks via procd.
This fixes a deadlock issue where mwan3 stop would have a procd
lock, but a hotplug script would have the /var/run/mwan3.lock
Locking can be removed from mwan3rtmon since:
1) procd will have sent the KILL signal to the process during
shutdown, so it will not add routes to already removed interfaces on
mwan3 shutdown and
2) mwan3rtmon checks if an interface is active based on the
mwan3_iface_in_<IFACE> entry in iptables, and the hotplug script
always adds this before creating the route table and removes it
before deleting the route table
Fixes github issue #13704
(https://github.com/openwrt/packages/issues/13704)
When the interface section was changed, the changed configuration
options were not applied.
This commit adds the service reload handling again.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
start all mwan3mon and mwan3track instances on mwan3 start
if an interface is down when mwan3track starts, it waits
for a signal from the hotplug script to start
procd can then handle stopping all of the scripts when mwan3
is halted
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
improve startup and runtime performance by
1) moving common startup procedures out of hotplug script when called
from mwan3 start
2) reducing calls to iptables to check status of rules
3) consolidating iptables updates and updating with iptables-restore
4) do not wait for kill if nothing was killed
5) running interface hotplug scripts in parallel
6) eliminate operations in hotplug script that check status on every
single interface unnecessarily
7) consolidate how mwan3track makes hotplug calls
8) do not restart mwan3track on connected events
This is a significant refactor, but should not result in any breaking
changes or require users to update their configurations.
version bump to 2.9.0
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Move setting global enabled flag from /etc/init.d/mwan3 to mwan3
command. So we could start mwan3 from the cmd mwan3 as well.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Fixed issue where an manual ifup-ed interface would immediatly go down again
Remove from init as mwan3 is not a service
Signed-off-by: Jeroen Louwes <jeroen.louwes@gmail.com>
Florian Eckert