Add an option for adding rules based on source interface.
The default 0.0.0.0/0 src and destination ip addresses has been removed. It is unclear
how the 'any' family of rules would have worked, as it appears each rule always required an
ipv4 or ipv6 address src and destination address. With this change, the any family will work
again.
I also cleaned up a bunch of repeated code around adding the iptables rules for
ipv4/ipv6/any in making the change.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
With this change it is now possible to combine interface action events.
If an interface action is generated by netifd or mwan3 for example ifup,
ifdown, connectd or disconnected and this action is configured in the inteface
uci section, then the conntrack table is flushed by mwan3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This bug was introduced since dd206b7d0b
mwan3_remon_ipv4 and mwan3_remon_ipv6 is command to run not a variable
I add some comments on them hopefully people will notice it
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
If we set the option "local_source" in the globals mwan3 section to "none",
traffic generated by the router it self will always use the default route from
the wan interface with the lowest metric. If this interface is down
the router traffic still uses the connection with the lowest metric but
this is disconnected. Load balancing and failover from the lan site is
still possible. Only router generated traffic is not load balanced and
could not use failover.
To solve this issue with router initiated traffic add the additional
option "online_metric" to the mwan3 interface section.
If the interface is connected then this lower "online metric" is set in the
default routing table.
With this change we have at least a failover with router initiated
traffic.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
During runntime of mwan3 we could add dynamicly networks to this ipset
which would then treated as connected networks by mwan3.
This is also usefull for ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
With the list param "rt_table_lookup" in the mwan3 section globals,
it is now possible to add a additional routing table numbers which would get
also parsed and will be added to the connected network.
So mwan3 will treat them as they are directly connected to this device.
This could be usefull if we use ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The generation for reporting the policies uses the same code add a
common function to reduce duplication.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
- The original copy process is to delete all routing tables first,
then add new routing table. This process is too slow and very dirty.
- We use grep to identify the changes and apply them.
- ignore ipv6 unreachable routes
- update version number
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
The IPsec ip route table has the default number 220.
If mwan3 has more then 7 bits set (124 interfaces) then if mwan3 down is
executed the table is also cleared. To solve this set default max 7
bits in the mmx_mask for mwan3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
We need always three of the firewall mask value for
* default routing table
* blackhole
* unreachable
the other will be used for the interfaces.
* If we have set the mmx_mask to max 0xFF00 (8 bit set) we could use max 252
interfaces.
* If we have set the mmx_mask to min 0x0E00 (3 bit set) we could use max 4
interfaces.
Only the ones are counting from the firewall mask value.
Minimal three firewall mask bit vaules must be set.
Maximal eight firewall mask bit vaules could be set.
Table overview mmx_mask value bits vs. max interfaces
mmx_mask value bits set 1 -> not usefull
mmx_mask value bits set 2 -> not usefull
mmx_mask value bits set 3 -> 4 Interfaces (mask example 0x0E)
mmx_mask value bits set 4 -> 12 Interfaces
mmx_mask value bits set 5 -> 28 Interfaces
mmx_mask value bits set 6 -> 60 Interfaces
mmx_mask value bits set 7 -> 124 Interfaces
mmx_mask value bits set 8 -> 252 Interfaces (mask example 0xFF)
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Move all shell commands which are executed during /lib/mwan3/mwan3.sh
sourceing into a seperate init function which must be called at first.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In some situation it is not enough to send a SIGTERM to mwan3track to
ask service to stop accurate. If this does not work send him a SIGKILL
to prevent mwan3track running more then once per interface.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If metric of member interface is bigger then 256, it is not
appended to policy, now at least warn message is printed into
syslog
Signed-off-by: Jakub Janco <kubco2@gmail.com>
Interfaces of some PtP protocols do not have a real gateway. In that
case ubus may fill them with '0.0.0.0' or even leave it blank. This
will cause error when adding new routing rule.
Signed-off-by: David Yang <mmyangfl@gmail.com>
This commit fixed what 6d99b602 was supposed to fix without affecting
interface-bound traffic.
Before 6d99b602 interface-bound traffic was working normally as long
as at least one interface was online. However when the last interface
went offline, it was impossible to ping and such state was
unrecoverable.
Commit 6d99b602 fixed unrecoverable offline state problem (it was
possible to ping -I iface) but messed inteface-bound traffic. Traffic
with interface source address was not working if the interface was in
"offline" state, even if another interface was online.
The problem was caused by an inconsistent "offline" interface state:
iptables-related rules were kept while routing table and policy were
deleted.
The idea behind this commit is to:
1. Keep all the rules for each interface (iptables, routing table,
policy) regardless of its state. This ensures consistency,
2. Make interface state hotplug events affect only iptables'
mwan3_policy_* rules. Interface-related iptables, routing table
and policy is removed only when mwan3 is manually stopped.
To make such changes possible, it's necessary to change the way
mwan3_policy_* rule generator keeps track of interface state hotplug
events.
Until now, it checked for the existence of custom interface-related
routing table (table id 1, 2, 3, ...). Clearly we can no longer rely
on that so each interface state is stored explicitly in file.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Add new interface config option "inital_state".
If interface comeing up the first time(mwan3 start, boot),
there are now two option for interface behaviour:
- online (default as is now)
Set up interface regardless wether tracking ip are reachable or not.
- offline
Set up interface first to ping tracking ip and if they are reachable set up
the interface completely.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If two interface have the same prefix "wan" for example "wan" and "wan1"
pgrep returns the PID for wan1 also "pgrep -f mwan3track wan".
Before this fix "wan1" was also killed! This is not what we want.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Adds support for interface tracking using either ping, arping or
httping. This allows to track interface status on networks with filtered
ICMP traffic or simply to monitor data link layer etc.
To facilitate binding to a specified interface its IP address is passed
as a new mwan3track parameter. It's currently required by httping
and possibly by other tools that may be added in the future.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
If more then one interface get up/down at once mwan3 could be in a
undefined state, because more then one mwan3 hotplug script are running
and editing the iptables.
Lock the critical section should solve this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If mwan3track will not stop immediately after sending the kill signal,
the clean_up handler will delete the pid file later while the new mwan3track is
already running.
This could result in a situation that mwan3track is running
more then once because the old mwan3track service could not be killed,
because the pid file is missing.
Using pgrep to kill all mwan3track for the tracked interface and not using
pid file should fix this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If interface is getting down by netifd (unplug ethernet cable)
mwan3track will not recognize this change. It will also generate an
additional down event when he notice does his tracking interface is offline.
Mwan3track will now be informed by a signal (trap) USR1 during down event
that the interface is already down. An additional down event will not be
generated.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If mwan3track detects a failure the interval check will change to
"failure_interval" value until this interface is declared "offline".
After interface gets "offline" normal "interval" value is used again.
If interface ping is successful again "recovery_interval" value is used until
interface is declared "online" again.
Using the different intervals will accelerate the wan line detections on
failure and recovery.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
On interfaces with interface proto "qmi|ncm" and option dhcp
enabled the interface will be changed to $iface_4 | $iface_6. The
interface mapping in mwan3 will not recognize this interface. To fix
this issue an ubus call will check if an upper interface exists.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Local variable declarations outside of functions are illegal since the Busybox
update to v1.25.0, therfore remove them from the appropriate places.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fix iptables issue where a needed ipset was not created if first wan that came online was not a member of policy.
Signed-off-by: Jeroen Louwes <jeroen.louwes@gmail.com>
Fix issue with sticky sessions not working correctly
Fix issue where user created ipsets were not applied
Signed-off-by: Jeroen Louwes <jeroen.louwes@gmail.com>
