Created
May 29, 2017 18:22
-
-
Save anonymous/0fdec75fa20a7f1ce4806391d6b0429b to your computer and use it in GitHub Desktop.
OpenWrt map-e (JPNE v6plus) において、割当ポート240個をちゃんと使わせるための設定。
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## /etc/firewall.user | |
| # This file is interpreted as shell script. | |
| # Put your custom iptables rules here, they will | |
| # be executed with each firewall (re-)start. | |
| # Internal uci firewall chains are flushed and recreated on reload, so | |
| # put custom rules into the root chains e.g. INPUT or FORWARD or into the | |
| # special user chains, e.g. input_wan_rule or postrouting_lan_rule. | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 0 -j MARK --set-mark 10 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 1 -j MARK --set-mark 11 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 2 -j MARK --set-mark 12 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 3 -j MARK --set-mark 13 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 4 -j MARK --set-mark 14 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 5 -j MARK --set-mark 15 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 6 -j MARK --set-mark 16 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 7 -j MARK --set-mark 17 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 8 -j MARK --set-mark 18 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 9 -j MARK --set-mark 19 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 10 -j MARK --set-mark 20 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 11 -j MARK --set-mark 21 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 12 -j MARK --set-mark 22 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 13 -j MARK --set-mark 23 | |
| iptables -t nat -A PREROUTING -m statistic --mode nth --every 15 --packet 14 -j MARK --set-mark 24 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 0 -j MARK --set-mark 10 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 1 -j MARK --set-mark 11 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 2 -j MARK --set-mark 12 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 3 -j MARK --set-mark 13 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 4 -j MARK --set-mark 14 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 5 -j MARK --set-mark 15 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 6 -j MARK --set-mark 16 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 7 -j MARK --set-mark 17 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 8 -j MARK --set-mark 18 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 9 -j MARK --set-mark 19 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 10 -j MARK --set-mark 20 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 11 -j MARK --set-mark 21 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 12 -j MARK --set-mark 22 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 13 -j MARK --set-mark 23 | |
| iptables -t nat -A OUTPUT -m statistic --mode nth --every 15 --packet 14 -j MARK --set-mark 24 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #$ diff -c /lib/netifd/proto/map.sh.orig /lib/netifd/proto/map.sh | |
| *** /lib/netifd/proto/map.sh.orig 2017-05-30 02:45:19.000000000 +0900 | |
| --- /lib/netifd/proto/map.sh 2017-05-30 02:45:18.000000000 +0900 | |
| *************** | |
| *** 135,140 **** | |
| --- 135,141 ---- | |
| json_add_string snat_ip $(eval "echo \$RULE_${k}_IPV4ADDR") | |
| json_close_object | |
| else | |
| + local mark=10 | |
| for portset in $(eval "echo \$RULE_${k}_PORTSETS"); do | |
| for proto in icmp tcp udp; do | |
| json_add_object "" | |
| *************** | |
| *** 142,152 **** | |
| --- 143,155 ---- | |
| json_add_string target SNAT | |
| json_add_string family inet | |
| json_add_string proto "$proto" | |
| + json_add_string mark "$mark" | |
| json_add_boolean connlimit_ports 1 | |
| json_add_string snat_ip $(eval "echo \$RULE_${k}_IPV4ADDR") | |
| json_add_string snat_port "$portset" | |
| json_close_object | |
| done | |
| + mark=`expr $mark + 1` | |
| done | |
| fi | |
| if [ "$type" = "map-t" ]; then | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@pantan-cymk さんの見つけた json_add_string extra に刺激を受けて標準のmap.sh への改造だけで
icmp,udp の --connlimit-mask 0 化 と tcp の statistic 化ができましたので参考まで。
パラメータがちゃんと指定されていればポートセットの数の違うサービスでも動的に対応できます。
https://gist.github.com/kurobee-dev/4107b18683e01d17a9b8678e770d272c
--connlimit-mask 32 の時に一番上のセットしか使われていないというのは、数分から数時間程度では使われないので当然なのですが、数日単位で放置してたら他のポートセットもカウントアップされてる事が分かるかと思います。いわゆるYAMAHAのポートセービングNATですね。JPNEみたいな240しか使えないサービスでポート使用量節約のためにそういう設定になっているのですから、ポンポン次のセットに移られても困ります。とはいえ、TCPではなぜか調子が悪いのでそれだけ statistic にしたかったのも事実。