path: root/net/mwan3/files/etc/hotplug.d/iface/15-mwan3
blob: ab2cd745baf589935291d04a872ff2717de80865 (plain)
#!/bin/sh

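# config_foreach callback over the "interface" sections: counts the sections
# seen so far and records the 1-based position of the one named $INTERFACE
# in iface_id.  iface_count and iface_id belong to the caller's scope.
# Arguments: $1 - UCI section name (the interface name)
mwan3_get_iface_id()
{
	# POSIX arithmetic rather than bash 'let': the script runs under /bin/sh
	iface_count=$((iface_count+1))
	[ "$1" = "$INTERFACE" ] && iface_id=$iface_count
}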

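# Creates the shared mwan3 chains in the mangle table (idempotent) and hooks
# them into PREROUTING and OUTPUT.  The 0xff00 byte of the packet/connection
# mark carries the routing decision: iface_id*256 selects an interface table,
# 0xff00 means "main table" and 0xfe00 means "unreachable".
# Uses $IPT.
mwan3_set_general_iptables()
{
	if ! $IPT -S mwan3_ifaces >/dev/null 2>&1; then
		$IPT -N mwan3_ifaces
	fi

	if ! $IPT -S mwan3_rules >/dev/null 2>&1; then
		$IPT -N mwan3_rules
	fi

	if ! $IPT -S mwan3_connected >/dev/null 2>&1; then
		$IPT -N mwan3_connected
	fi

	if ! $IPT -S mwan3_hook >/dev/null 2>&1; then
		$IPT -N mwan3_hook
		# Restore the decision stored on the connection; still-unmarked packets
		# are classified by ingress interface, connected networks and user
		# rules; the result is saved back to the connection; packets that did
		# not end up with the "main table" mark get one more pass over the
		# connected networks.
		$IPT -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0xff00 --ctmask 0xff00
		$IPT -A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_ifaces
		$IPT -A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_connected
		$IPT -A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_rules
		$IPT -A mwan3_hook -j CONNMARK --save-mark --nfmask 0xff00 --ctmask 0xff00
		$IPT -A mwan3_hook -m mark ! --mark 0xff00/0xff00 -j mwan3_connected
	fi

	if ! $IPT -S mwan3_output_hook >/dev/null 2>&1; then
		$IPT -N mwan3_output_hook
	fi

	# The jumps into the hook chains run on every hotplug event; only add
	# them when the built-in chain does not already reference the hook.
	if ! $IPT -S PREROUTING | grep -q mwan3_hook; then
		$IPT -A PREROUTING -j mwan3_hook
	fi

	if ! $IPT -S OUTPUT | grep -q mwan3_hook; then
		$IPT -A OUTPUT -j mwan3_hook
	fi

	if ! $IPT -S OUTPUT | grep -q mwan3_output_hook; then
		$IPT -A OUTPUT -j mwan3_output_hook
	fi

	# User rules are rebuilt from scratch by mwan3_set_user_rules_iptables.
	$IPT -F mwan3_rules
}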

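# Rebuilds mwan3_connected: every directly connected IPv4 prefix found in the
# main routing table, plus loopback and the 224.0.0.0/3 multicast/reserved
# range, is marked 0xff00 so it uses the main table instead of a WAN table.
# Does nothing when the chain does not exist yet.  Uses $IP and $IPT.
mwan3_set_connected_iptables()
{
	local network

	$IPT -S mwan3_connected >/dev/null 2>&1 || return 0

	$IPT -F mwan3_connected

	# First column of 'ip route' is the destination; keep only dotted-quad
	# prefixes (this drops "default").  Word-splitting on $(...) is intended.
	for network in $($IP route | awk '{print $1}' | grep -E '[0-9]{1,3}(\.[0-9]{1,3}){3}'); do
		$IPT -A mwan3_connected -d "$network" -j MARK --set-xmark 0xff00/0xff00
	done

	# Inserted at the top so they match before any connected-network rule.
	$IPT -I mwan3_connected -d 224.0.0.0/3 -j MARK --set-xmark 0xff00/0xff00
	$IPT -I mwan3_connected -d 127.0.0.0/8 -j MARK --set-xmark 0xff00/0xff00
}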

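# (Re)builds the per-interface chain mwan3_iface_$INTERFACE and its jump from
# mwan3_ifaces.  On ifup, unmarked traffic arriving on $DEVICE from one of the
# device's own link prefixes is marked 0xff00 (main table) and everything else
# arriving on it gets the interface mark (iface_id*256); on ifdown the chain
# is deleted.
# Globals: INTERFACE, DEVICE, ACTION, iface_id (read); uses $IP and $IPT.
mwan3_set_iface_iptables()
{
	local link_nets net iface_chain

	iface_chain="mwan3_iface_$INTERFACE"

	# Directly connected IPv4 prefixes on this device (first column of 'ip route').
	link_nets=$($IP route list dev "$DEVICE" scope link | awk '{print $1}' | grep -E '[0-9]{1,3}(\.[0-9]{1,3}){3}')

	if ! $IPT -S "$iface_chain" >/dev/null 2>&1; then
		$IPT -N "$iface_chain"
	fi

	$IPT -F "$iface_chain"
	# The jump may not exist yet; a failing -D is expected, hence the silence.
	$IPT -D mwan3_ifaces -i "$DEVICE" -m mark --mark 0x0/0xff00 -j "$iface_chain" >/dev/null 2>&1

	if [ "$ACTION" = "ifup" ]; then
		# One rule per connected prefix (an empty list simply adds none).
		for net in $link_nets; do
			$IPT -I "$iface_chain" -s "$net" -m mark --mark 0x0/0xff00 -m comment --comment "$INTERFACE" -j MARK --set-xmark 0xff00/0xff00
		done

		$IPT -A "$iface_chain" -m mark --mark 0x0/0xff00 -m comment --comment "$INTERFACE" -j MARK --set-xmark $((iface_id*256))/0xff00
		$IPT -A mwan3_ifaces -i "$DEVICE" -m mark --mark 0x0/0xff00 -j "$iface_chain"
	fi

	if [ "$ACTION" = "ifdown" ]; then
		$IPT -X "$iface_chain"
	fi
}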

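# Replaces the contents of routing table $iface_id: on ifup the single default
# route described by $route_args (built by mwan3_ifupdown), otherwise the
# table is only flushed.
# Globals: iface_id, ACTION, route_args (read); uses $IP.
mwan3_set_iface_route()
{
	$IP route flush table "$iface_id"
	# $route_args is intentionally unquoted: "nexthop via GW dev DEV" must split.
	[ "$ACTION" = "ifup" ] && $IP route add table "$iface_id" default $route_args
}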

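# Installs the ip rules for this interface: pref 1000+id sends traffic that
# arrived on $DEVICE to the main table, pref 2000+id sends traffic carrying
# the interface mark to table $iface_id, and pref 2254 rejects traffic marked
# 0xfe00 (the "unreachable" policy).  Rules with those prefs are deleted first
# so repeated ifup/ifdown events do not accumulate duplicates.
# Globals: iface_id, DEVICE, ACTION (read); uses $IP.
mwan3_set_iface_rules()
{
	local iif_pref mark_pref pref

	iif_pref=$((iface_id+1000))
	mark_pref=$((iface_id+2000))

	# 'ip rule list' prints "PREF:" as its first field; keep deleting until
	# no rule with that preference is left.
	for pref in "$iif_pref" "$mark_pref" 2254; do
		while [ -n "$($IP rule list | awk -v p="$pref:" '$1 == p')" ]; do
			$IP rule del pref "$pref"
		done
	done

	if [ "$ACTION" = "ifup" ]; then
		$IP rule add pref "$iif_pref" iif "$DEVICE" lookup main
		$IP rule add pref "$mark_pref" fwmark $((iface_id*256))/0xff00 lookup "$iface_id"
	fi

	# Shared by all interfaces, so it is re-added on ifdown as well.
	$IP rule add pref 2254 fwmark 0xfe00/0xff00 unreachable
}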

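# Configures connectivity tracking for $INTERFACE.  When the interface section
# lists track_ip entries, chain mwan3_track_$INTERFACE marks ICMP echo requests
# of exactly 32 bytes (presumably the tracker's probes) to those hosts with
# 0xff00 so they use the main table, and /usr/sbin/mwan3track is started in
# the background with the section's reliability/count/timeout/interval/down/up
# options.  Without track_ip entries the chain and its hook are torn down.
# Globals: INTERFACE, DEVICE (read); uses $IPT and the UCI config_* helpers.
mwan3_track()
{
	local track_ip track_ips reliability count timeout interval down up track_chain

	track_chain="mwan3_track_$INTERFACE"

	# config_list_foreach callback; prepends, so the list ends up reversed.
	mwan3_list_track_ips()
	{
		track_ips="$1 $track_ips"
	}
	config_list_foreach "$INTERFACE" track_ip mwan3_list_track_ips

	if [ -n "$track_ips" ]; then
		config_get reliability "$INTERFACE" reliability 1
		config_get count "$INTERFACE" count 1
		config_get timeout "$INTERFACE" timeout 4
		config_get interval "$INTERFACE" interval 10
		config_get down "$INTERFACE" down 5
		config_get up "$INTERFACE" up 5

		if ! $IPT -S "$track_chain" >/dev/null 2>&1; then
			$IPT -N "$track_chain"
			$IPT -A mwan3_output_hook -p icmp -m icmp --icmp-type 8 -m length --length 32 -j "$track_chain"
		fi

		$IPT -F "$track_chain"

		for track_ip in $track_ips; do
			$IPT -A "$track_chain" -d "$track_ip" -j MARK --set-xmark 0xff00/0xff00
		done

		# $track_ips is unquoted on purpose: one argument per tracked host.
		[ -x /usr/sbin/mwan3track ] && /usr/sbin/mwan3track "$INTERFACE" "$DEVICE" "$reliability" "$count" "$timeout" "$interval" "$down" "$up" $track_ips &
	else
		# Errors are expected here when the chain was never created.
		$IPT -D mwan3_output_hook -p icmp -m icmp --icmp-type 8 -m length --length 32 -j "$track_chain" >/dev/null 2>&1
		$IPT -F "$track_chain" >/dev/null 2>&1
		$IPT -X "$track_chain" >/dev/null 2>&1
	fi
}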

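# config_list_foreach callback for a policy's use_member entries: adds the
# member's interface to chain mwan3_policy_$policy.  A member with a lower
# metric than anything seen so far takes the policy over (the chain is reset
# to that single interface); a member with an equal metric is inserted in
# front with an iptables 'statistic' match whose probability is
# weight/total_weight, spreading connections proportionally.  Members whose
# mwan3_iface_ chain does not exist (interface not up) are skipped.
# Arguments: $1 - UCI section name of the member
# Globals: policy, lowest_metric, total_weight (owned by
#          mwan3_set_policies_iptables, updated here).  INTERFACE is shadowed
#          locally so the hotplug $INTERFACE is untouched.
mwan3_set_policy()
{
	local iface_count iface_id INTERFACE metric probability weight stat_match

	config_get INTERFACE "$1" interface
	config_get metric "$1" metric 1
	config_get weight "$1" weight 1

	[ -n "$INTERFACE" ] || return 0

	config_foreach mwan3_get_iface_id interface

	[ -n "$iface_id" ] || return 0

	$IPT -S "mwan3_iface_$INTERFACE" >/dev/null 2>&1 || return 0

	if [ "$metric" -lt "$lowest_metric" ]; then
		# New best metric: this member alone carries the policy from now on.
		total_weight=$weight
		lowest_metric=$metric
		$IPT -F "mwan3_policy_$policy"
		$IPT -A "mwan3_policy_$policy" -m mark --mark 0x0/0xff00 -m comment --comment "$INTERFACE $weight $weight" -j MARK --set-xmark $((iface_id*256))/0xff00
	elif [ "$metric" -eq "$lowest_metric" ]; then
		total_weight=$((total_weight+weight))
		# Share in thousandths; weight <= total_weight so this is at most 1000.
		probability=$((weight*1000/total_weight))
		if [ "$probability" -lt 1000 ]; then
			# Zero-padded to three decimals: 5 -> 0.005, 50 -> 0.050, 500 -> 0.500
			probability=$(printf '0.%03d' "$probability")
		else
			probability=1
		fi
		stat_match="-m statistic --mode random --probability $probability"

		# $stat_match is unquoted on purpose: it must split into iptables arguments.
		$IPT -I "mwan3_policy_$policy" -m mark --mark 0x0/0xff00 $stat_match -m comment --comment "$INTERFACE $weight $total_weight" -j MARK --set-xmark $((iface_id*256))/0xff00
	fi
}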

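# config_foreach callback for each "policy" section: resets chain
# mwan3_policy_$policy to a single "unreachable" (0xfe00) fallback rule and
# then lets mwan3_set_policy add one rule per use_member.
# Arguments: $1 - UCI section name of the policy (also the chain suffix)
# Globals: policy, lowest_metric, total_weight (set here as the running state
#          that mwan3_set_policy reads and updates); uses $IPT and $LOG.
mwan3_set_policies_iptables()
{
	local lowest_metric policy total_weight

	policy=$1

	# "mwan3_policy_" is 13 characters and iptables chain names are limited
	# to 28, so the policy name itself may not exceed 15.
	if [ "${#policy}" -gt 15 ]; then
		# Return unconditionally: a failing logger must not let a bad name through.
		$LOG warn "Policy $policy exceeds max of 15 chars. Not setting policy"
		return 0
	fi

	if ! $IPT -S "mwan3_policy_$policy" >/dev/null 2>&1; then
		$IPT -N "mwan3_policy_$policy"
	fi

	$IPT -F "mwan3_policy_$policy"
	$IPT -A "mwan3_policy_$policy" -m mark --mark 0x0/0xff00 -m comment --comment "unreachable" -j MARK --set-xmark 0xfe00/0xff00

	# Any real metric is lower than 256, so the first member always wins.
	lowest_metric=256
	total_weight=0

	config_list_foreach "$policy" use_member mwan3_set_policy
}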

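# config_foreach callback for each "rule" section: appends one match to
# mwan3_rules that sends still-unmarked packets (mark 0/0xff00) to the named
# policy chain, or marks them 0xff00 ("default": main table) / 0xfe00
# ("unreachable").  Port matches only make sense for tcp/udp, so other
# protocols get no multiport match.  iptables output and errors are silenced,
# so a malformed rule section is skipped without any diagnostics.
# Arguments: $1 - UCI section name of the rule (recorded as the rule comment)
# Uses $IPT and the UCI config_get helper.
mwan3_set_user_rules_iptables()
{
	local proto src_ip src_port dest_ip dest_port use_policy

	config_get proto "$1" proto all
	config_get src_ip "$1" src_ip 0.0.0.0/0
	config_get src_port "$1" src_port 0:65535
	config_get dest_ip "$1" dest_ip 0.0.0.0/0
	config_get dest_port "$1" dest_port 0:65535
	config_get use_policy "$1" use_policy

	[ -n "$use_policy" ] || return 0

	case "$use_policy" in
		default)
			use_policy="MARK --set-xmark 0xff00/0xff00"
		;;
		unreachable)
			use_policy="MARK --set-xmark 0xfe00/0xff00"
		;;
		*)
			use_policy="mwan3_policy_$use_policy"
		;;
	esac

	# $use_policy is deliberately unquoted: for default/unreachable it
	# expands to a target plus its options.
	case "$proto" in
		tcp|udp)
			$IPT -A mwan3_rules -p "$proto" -s "$src_ip" -d "$dest_ip" -m multiport --sports "$src_port" -m multiport --dports "$dest_port" -m mark --mark 0/0xff00 -m comment --comment "$1" -j $use_policy >/dev/null 2>&1
		;;
		*)
			$IPT -A mwan3_rules -p "$proto" -s "$src_ip" -d "$dest_ip" -m mark --mark 0/0xff00 -m comment --comment "$1" -j $use_policy >/dev/null 2>&1
		;;
	esac
}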

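# Hotplug handler for ifup/ifdown of $INTERFACE on $DEVICE: resolves the
# interface's position (iface_id) in the mwan3 config, on ifup waits for a
# default route and records its gateway, waits for older hotplug-call
# instances to finish, then rebuilds the interface's chains, routing table,
# ip rules and tracker and finally every policy and user-rule chain.
# Globals: INTERFACE, DEVICE, ACTION (read); iface_id and route_args are set
#          here and read by the mwan3_set_iface_* helpers; uses $IP and $LOG
#          and the UCI config_* helpers.
mwan3_ifupdown()
{
	local counter enabled iface_count iface_id route_args

	config_load mwan3
	config_foreach mwan3_get_iface_id interface

	[ -n "$iface_id" ] || return 0
	# The interface mark is iface_id*256 in the 0xff00 byte and 0xfe00/0xff00
	# are reserved, so more interfaces than this cannot be represented.
	[ "$iface_count" -le 250 ] || return 0
	unset iface_count

	config_get enabled "$INTERFACE" enabled 0

	if [ "$ACTION" = "ifup" ]; then
		[ "$enabled" -eq 1 ] || return 0

		# The default route may show up a moment after ifup; poll for up to 10s.
		counter=0
		while [ -z "$($IP route list dev "$DEVICE" default | head -n 1)" ]; do
			sleep 1
			counter=$((counter+1))
			if [ "$counter" -ge 10 ]; then
				# Return unconditionally: a failing logger must not let us
				# continue and install a route without a gateway.
				$LOG warn "Could not find gateway for interface $INTERFACE ($DEVICE)"
				return 0
			fi
		done

		# Gateway of the first default route on $DEVICE as "via A.B.C.D";
		# empty when the route has no "via" (the sed deletes such lines).
		route_args=$($IP route list dev "$DEVICE" default | head -n 1 | sed '/.*via \([^ ]*\) .*$/!d;s//via \1/;q' | grep -E '[0-9]{1,3}(\.[0-9]{1,3}){3}')
		route_args="nexthop $route_args dev $DEVICE"
	fi

	# Serialise with older hotplug-call instances (pgrep -o = oldest PID) so
	# concurrent interface events do not interleave their iptables/route edits.
	# NOTE(review): this presumes $$ is the PID of the hotplug-call that runs
	# this script; when pgrep prints nothing the test fails and the loop ends.
	# The counter is reset so the 60s limit is independent of the route wait.
	counter=0
	while [ "$(pgrep -f -o hotplug-call)" -ne $$ ]; do
		sleep 1
		counter=$((counter+1))
		if [ "$counter" -ge 60 ]; then
			$LOG warn "Timeout waiting for older hotplug processes to finish. $ACTION interface $INTERFACE ($DEVICE) aborted"
			return 0
		fi
	done

	$LOG notice "$ACTION interface $INTERFACE ($DEVICE)"

	mwan3_set_general_iptables
	mwan3_set_iface_iptables
	mwan3_set_iface_route
	mwan3_set_iface_rules

	[ "$ACTION" = "ifup" ] && mwan3_track

	config_foreach mwan3_set_policies_iptables policy
	config_foreach mwan3_set_user_rules_iptables rule
}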

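# Entry point.  hotplug supplies ACTION, INTERFACE and DEVICE in the
# environment; events without a device or interface are ignored.
[ -n "$DEVICE" ] || exit 0
[ -n "$INTERFACE" ] || exit 0

# Tool wrappers used by every function above.  Plain globals: 'local' is only
# valid inside a function, and at top level these are global anyway.
# iptables -w waits for the xtables lock instead of failing while another
# iptables instance holds it.
IP="/usr/sbin/ip -4"
IPT="/usr/sbin/iptables -t mangle -w"
LOG="/usr/bin/logger -t mwan3 -p"

case "$ACTION" in
	ifup|ifdown)
		mwan3_ifupdown
		mwan3_set_connected_iptables
	;;
esac

exit 0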