include $(TOPDIR)/rules.mk

# Package identity consumed by package.mk / BuildPackage.
# PKG_VERSION looks date-based (YYYYMMDD) rather than semantic — if so, bumps
# must stay monotonic for opkg to see them as upgrades.
# No PKG_SOURCE / PKG_HASH is set: nothing is fetched from the network, the
# only payload is ./files/external.sh from this tree (see the install recipe).
PKG_NAME:=external-protocol
PKG_VERSION:=20231119
PKG_RELEASE:=1

PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>

include $(INCLUDE_DIR)/package.mk

# Package metadata evaluated by BuildPackage. PKGARCH:=all because the only
# installed file is a shell script (see Package/external-protocol/install),
# so one architecture-independent ipk serves every target.
# NOTE(review): no DEPENDS is declared even though the handler is installed
# under /lib/netifd/proto — confirm whether +netifd (and any tools that
# external.sh itself invokes) should be listed so the package cannot be
# installed without its runtime.
define Package/external-protocol
  SECTION:=net
  CATEGORY:=Network
  TITLE:=externally managed protocol
  PKGARCH:=all
endef

define Package/external-protocol/description
  external protocol is a general protocol for assisting
  the setup of many virtual devices that lack proper
  protocol support in openwrt, such as netavark, cni and
  netbird. External protocol is supposed
  to be managed with external software, not directly.

  external protocol works automatically in the background
  and sets up netifd details when the interface comes up or
  goes down. This allows one to easily add the interface to
  a firewall zone.

  As an example use case, with podman and a network where its
  internal firewall and portmapper are disabled, control
  of firewalling, whether it is exposing ports or
  limiting/accepting access between networks such as
  lan, can be done through openwrt's own firewall
  configuration if you use external protocol.

  podman example configuration could be as follows:
    - lan network: 10.0.0.0/16 (255.255.0.0)
    - container network: 10.129.0.1/24 (255.255.255.0)

  Add a network configuration for your container network
  using external protocol. Then create firewall zone for it.

  You could create a new container/pod with static ip
  address 10.129.0.2 (with 10.129.0.1 as the container network's
  gateway).

  Easily define permissions so that local networks can
  connect to the container network, but not the other way around.
  You may also want to allow forwarding from/to wan.

  Now, as the container cannot access local dns, make a rule in
  your firewall to accept connections from the container network
  to port 53 (dns).

  Now all you have to do is make redirects in your firewall
  and point them to 10.129.0.2, and connections from wan are
  redirected to containers/pods.

  external protocol also works for other applications
  that use veth/tun/etc devices and don't have
  a hand-tailored protocol available, such as the vpn service
  netbird.

  The protocol has 3 settings: device, searchdomain and delay.
  Sometimes polling interfaces takes some time, and in
  that case you might want to add a few seconds of delay.
  Otherwise, it can be left out of the configuration.
  The searchdomain option is also completely optional.

  The package was previously known as cni protocol but as
  it can be used for so many other things, the name became
  misleading and it was renamed to external protocol.
endef

# Deliberately empty: there is no source tree to configure, the package only
# installs a script from ./files. Overriding the step keeps the buildroot's
# default configure logic from running against this directory.
define Build/Configure
endef

# Deliberately empty: nothing is compiled, the payload is a shell script that
# is copied verbatim by Package/external-protocol/install.
define Build/Compile
endef

# Install recipe; $(1) is the package staging root that becomes the ipk.
# INSTALL_BIN (rather than INSTALL_DATA) marks the file executable, which is
# required for netifd to run it as the "external" protocol handler.
# Only this one script from ./files goes into /lib/netifd/proto — keep it that
# way, as everything in that directory is executed by netifd.
define Package/external-protocol/install
	$(INSTALL_DIR) $(1)/lib/netifd/proto
	$(INSTALL_BIN) ./files/external.sh $(1)/lib/netifd/proto/external.sh
endef

# Generates the build/install rules from the Package/external-protocol
# definitions above; must come after every define it references.
$(eval $(call BuildPackage,external-protocol))