Last active
March 8, 2024 14:47
-
-
Save kurobee-dev/4107b18683e01d17a9b8678e770d272c to your computer and use it in GitHub Desktop.
21.02.RC2_map.sh Portset範囲指定カスタム
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OpenWrt 21.02.rc2のmap.shでは従来から変わった点として、日本のMAP-E実装で使用されているLEGACYモードの対応について | |
| option legacymap '0' or '1' を指定することができるようになった。'0'がRFC標準仕様、'1'がDraft仕様。 | |
| これにより手動でスクリプトを書き換える必要が無くなる。 | |
| しかし私はDNATの設定の為にSNATのポートセットの範囲を制限したいので下記のカスタマイズを行う。 | |
| 標準状態からの変更点についてはこのgistのRevisionsをご参照ください。 | |
| /etc/config/network のmap-e interfaceに下記のoptionを追加することでiptablesのSNATルールを範囲指定可能とした。 | |
| option snatstartps '32' (default 0) | |
| option snatendps '62' (default 4095) | |
| map-e interface にて割り当てられたportsetの内、任意のportをDNATする為に指定範囲から除外されたportsetを利用可能にする。 | |
| optionを指定しない時(または存在しない時)はdefault値の範囲でSNATされる。 | |
| default 4095 の根拠は、16port/set * 4096 = 65536 (port上限)である。 | |
| map.sh内で追加したuci optionがシステムを再起動しないと利用できなかったので一度再起動してください。 | |
| service reload や uci関連のコマンド発行でこれらの変更を適用する方法をご存知でしたら教えて下さると幸いです。 | |
| 【2022.05.25 改版】 | |
| -バージョン 21.2.3 での対応を確認 | |
| -ポートセットの範囲指定を1~4096から0~4095に変更 | |
| -json_add_string extra により自由にマッチ文を書けるようになったので次の変更を追加した | |
| -iptables-mod-ipopt のインストールが必要。 | |
| -tcpについて statistic のマッチでポートセットを利用することでニチバンベンチに対応 | |
| -udp,icmp で --connlimit-mask 0 となるようにした。(なぜ32が嫌われているのか判らない) | |
| 【2022.05.26 ファイル追加】 | |
| ポートセットの範囲指定カスタマイズについて、おそらく私しか使わないと思われるのでそこだけ抜いたファイルを追加しました。 | |
| [map.sh.rangeommit]: https://gist.github.com/kurobee-dev/4107b18683e01d17a9b8678e770d272c#file-map-sh-rangeommit | |
| luciの設定保存で改変したスクリプトをバックアップに含めるには次のファイルに保存したいファイルを指定する。 | |
| #/etc/sysupgrade.conf | |
| /etc/sysupgrade.conf | |
| /lib/netifd/proto/map.sh* | |
| 新規やアップグレード時にリストアする時は先に `opkg install map` しておく事 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # map.sh - IPv4-in-IPv6 tunnel backend | |
| # | |
| # Author: Steven Barth <[email protected]> | |
| # Copyright (c) 2014 cisco Systems, Inc. | |
| # | |
| # This program is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License version 2 | |
| # as published by the Free Software Foundation | |
| # | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU General Public License for more details. | |
| [ -n "$INCLUDE_ONLY" ] || { | |
| . /lib/functions.sh | |
| . /lib/functions/network.sh | |
| . ../netifd-proto.sh | |
| init_proto "$@" | |
| } | |
| proto_map_setup() { | |
| local cfg="$1" | |
| local iface="$2" | |
| local link="map-$cfg" | |
| local maptype type legacymap mtu ttl tunlink zone encaplimit snatstartps snatendps | |
| local rule ipaddr ip4prefixlen ip6prefix ip6prefixlen peeraddr ealen psidlen psid offset | |
| json_get_vars maptype type legacymap mtu ttl tunlink zone encaplimit snatstartps snatendps | |
| json_get_vars rule ipaddr ip4prefixlen ip6prefix ip6prefixlen peeraddr ealen psidlen psid offset | |
| [ "$zone" = "-" ] && zone="" | |
| # Compatibility with older config: use $type if $maptype is missing | |
| [ -z "$maptype" ] && maptype="$type" | |
| [ -z "$maptype" ] && maptype="map-e" | |
| [ -z "$ip4prefixlen" ] && ip4prefixlen=32 | |
| ( proto_add_host_dependency "$cfg" "::" "$tunlink" ) | |
| # fixme: handle RA/DHCPv6 address race for LW | |
| [ "$maptype" = lw4o6 ] && sleep 5 | |
| if [ -z "$rule" ]; then | |
| rule="type=$maptype,ipv6prefix=$ip6prefix,prefix6len=$ip6prefixlen,ipv4prefix=$ipaddr,prefix4len=$ip4prefixlen" | |
| [ -n "$psid" ] && rule="$rule,psid=$psid" | |
| [ -n "$psidlen" ] && rule="$rule,psidlen=$psidlen" | |
| [ -n "$offset" ] && rule="$rule,offset=$offset" | |
| [ -n "$ealen" ] && rule="$rule,ealen=$ealen" | |
| if [ "$maptype" = "map-t" ]; then | |
| rule="$rule,dmr=$peeraddr" | |
| else | |
| rule="$rule,br=$peeraddr" | |
| fi | |
| fi | |
| echo "rule=$rule" > /tmp/map-$cfg.rules | |
| RULE_DATA=$(LEGACY="$legacymap" mapcalc ${tunlink:-\*} $rule) | |
| if [ "$?" != 0 ]; then | |
| proto_notify_error "$cfg" "INVALID_MAP_RULE" | |
| proto_block_restart "$cfg" | |
| return | |
| fi | |
| echo "$RULE_DATA" >> /tmp/map-$cfg.rules | |
| eval $RULE_DATA | |
| if [ -z "$RULE_BMR" ]; then | |
| proto_notify_error "$cfg" "NO_MATCHING_PD" | |
| proto_block_restart "$cfg" | |
| return | |
| fi | |
| k=$RULE_BMR | |
| if [ "$maptype" = "lw4o6" -o "$maptype" = "map-e" ]; then | |
| proto_init_update "$link" 1 | |
| proto_add_ipv4_address $(eval "echo \$RULE_${k}_IPV4ADDR") "" "" "" | |
| proto_add_tunnel | |
| json_add_string mode ipip6 | |
| json_add_int mtu "${mtu:-1280}" | |
| json_add_int ttl "${ttl:-64}" | |
| json_add_string local $(eval "echo \$RULE_${k}_IPV6ADDR") | |
| json_add_string remote $(eval "echo \$RULE_${k}_BR") | |
| json_add_string link $(eval "echo \$RULE_${k}_PD6IFACE") | |
| json_add_object "data" | |
| [ -n "$encaplimit" ] && json_add_string encaplimit "$encaplimit" | |
| if [ "$maptype" = "map-e" ]; then | |
| json_add_array "fmrs" | |
| for i in $(seq $RULE_COUNT); do | |
| [ "$(eval "echo \$RULE_${i}_FMR")" != 1 ] && continue | |
| json_add_object "" | |
| json_add_string prefix6 "$(eval "echo \$RULE_${i}_IPV6PREFIX")/$(eval "echo \$RULE_${i}_PREFIX6LEN")" | |
| json_add_string prefix4 "$(eval "echo \$RULE_${i}_IPV4PREFIX")/$(eval "echo \$RULE_${i}_PREFIX4LEN")" | |
| json_add_int ealen $(eval "echo \$RULE_${i}_EALEN") | |
| json_add_int offset $(eval "echo \$RULE_${i}_OFFSET") | |
| json_close_object | |
| done | |
| json_close_array | |
| fi | |
| json_close_object | |
| proto_close_tunnel | |
| elif [ "$maptype" = "map-t" -a -f "/proc/net/nat46/control" ]; then | |
| proto_init_update "$link" 1 | |
| local style="MAP" | |
| [ "$legacymap" = 1 ] && style="MAP0" | |
| echo add $link > /proc/net/nat46/control | |
| local cfgstr="local.style $style local.v4 $(eval "echo \$RULE_${k}_IPV4PREFIX")/$(eval "echo \$RULE_${k}_PREFIX4LEN")" | |
| cfgstr="$cfgstr local.v6 $(eval "echo \$RULE_${k}_IPV6PREFIX")/$(eval "echo \$RULE_${k}_PREFIX6LEN")" | |
| cfgstr="$cfgstr local.ea-len $(eval "echo \$RULE_${k}_EALEN") local.psid-offset $(eval "echo \$RULE_${k}_OFFSET")" | |
| cfgstr="$cfgstr remote.v4 0.0.0.0/0 remote.v6 $(eval "echo \$RULE_${k}_DMR") remote.style RFC6052 remote.ea-len 0 remote.psid-offset 0" | |
| echo config $link $cfgstr > /proc/net/nat46/control | |
| for i in $(seq $RULE_COUNT); do | |
| [ "$(eval "echo \$RULE_${i}_FMR")" != 1 ] && continue | |
| local cfgstr="remote.style $style remote.v4 $(eval "echo \$RULE_${i}_IPV4PREFIX")/$(eval "echo \$RULE_${i}_PREFIX4LEN")" | |
| cfgstr="$cfgstr remote.v6 $(eval "echo \$RULE_${i}_IPV6PREFIX")/$(eval "echo \$RULE_${i}_PREFIX6LEN")" | |
| cfgstr="$cfgstr remote.ea-len $(eval "echo \$RULE_${i}_EALEN") remote.psid-offset $(eval "echo \$RULE_${i}_OFFSET")" | |
| echo insert $link $cfgstr > /proc/net/nat46/control | |
| done | |
| else | |
| proto_notify_error "$cfg" "UNSUPPORTED_TYPE" | |
| proto_block_restart "$cfg" | |
| fi | |
| proto_add_ipv4_route "0.0.0.0" 0 | |
| proto_add_data | |
| [ -n "$zone" ] && json_add_string zone "$zone" | |
| json_add_array firewall | |
| if [ -z "$(eval "echo \$RULE_${k}_PORTSETS")" ]; then | |
| json_add_object "" | |
| json_add_string type nat | |
| json_add_string target SNAT | |
| json_add_string family inet | |
| json_add_string snat_ip $(eval "echo \$RULE_${k}_IPV4ADDR") | |
| json_close_object | |
| else | |
| local pscount=0 | |
| local pslen=1 | |
| for i in $(eval "echo \$RULE_${k}_PORTSETS"); do pslen=`expr $pslen + 1`; done | |
| [ "$pslen" -gt `expr ${snatendps:-4095} - ${snatstartps:-0}` ] && pslen=`expr ${snatendps:-4095} - ${snatstartps:-0} + 1 ` | |
| for portset in $(eval "echo \$RULE_${k}_PORTSETS"); do | |
| if [ "$pscount" -ge "${snatstartps:-0}" -a "$pscount" -le "${snatendps:-4095}" ]; then | |
| for proto in icmp tcp udp; do | |
| json_add_object "" | |
| json_add_string type nat | |
| json_add_string target SNAT | |
| json_add_string family inet | |
| json_add_string proto "$proto" | |
| if [ "$proto" = "tcp" ]; then | |
| json_add_string extra " -m statistic --mode nth --every ${pslen} --packet ${pscount} " | |
| else | |
| # json_add_boolean connlimit_ports 1 | |
| json_add_string extra " -m connlimit --connlimit-daddr --connlimit-upto 16 --connlimit-mask 0 " | |
| fi | |
| json_add_string snat_ip $(eval "echo \$RULE_${k}_IPV4ADDR") | |
| json_add_string snat_port "$portset" | |
| json_close_object | |
| done | |
| fi | |
| pscount=`expr $pscount + 1` | |
| done | |
| fi | |
| if [ "$maptype" = "map-t" ]; then | |
| [ -z "$zone" ] && zone=$(fw3 -q network $iface 2>/dev/null) | |
| [ -n "$zone" ] && { | |
| json_add_object "" | |
| json_add_string type rule | |
| json_add_string family inet6 | |
| json_add_string proto all | |
| json_add_string direction in | |
| json_add_string dest "$zone" | |
| json_add_string src "$zone" | |
| json_add_string src_ip $(eval "echo \$RULE_${k}_IPV6ADDR") | |
| json_add_string target ACCEPT | |
| json_close_object | |
| json_add_object "" | |
| json_add_string type rule | |
| json_add_string family inet6 | |
| json_add_string proto all | |
| json_add_string direction out | |
| json_add_string dest "$zone" | |
| json_add_string src "$zone" | |
| json_add_string dest_ip $(eval "echo \$RULE_${k}_IPV6ADDR") | |
| json_add_string target ACCEPT | |
| json_close_object | |
| } | |
| proto_add_ipv6_route $(eval "echo \$RULE_${k}_IPV6ADDR") 128 | |
| fi | |
| json_close_array | |
| proto_close_data | |
| proto_send_update "$cfg" | |
| if [ "$maptype" = "lw4o6" -o "$maptype" = "map-e" ]; then | |
| json_init | |
| json_add_string name "${cfg}_" | |
| json_add_string ifname "@$(eval "echo \$RULE_${k}_PD6IFACE")" | |
| json_add_string proto "static" | |
| json_add_array ip6addr | |
| json_add_string "" "$(eval "echo \$RULE_${k}_IPV6ADDR")" | |
| json_close_array | |
| json_close_object | |
| ubus call network add_dynamic "$(json_dump)" | |
| fi | |
| } | |
| proto_map_teardown() { | |
| local cfg="$1" | |
| local link="map-$cfg" | |
| json_get_var type type | |
| [ -z "$maptype" ] && maptype="$type" | |
| [ -z "$maptype" ] && maptype="map-e" | |
| case "$maptype" in | |
| "map-e"|"lw4o6") ifdown "${cfg}_" ;; | |
| "map-t") [ -f "/proc/net/nat46/control" ] && echo del $link > /proc/net/nat46/control ;; | |
| esac | |
| rm -f /tmp/map-$cfg.rules | |
| } | |
| proto_map_init_config() { | |
| no_device=1 | |
| available=1 | |
| proto_config_add_string "maptype" | |
| proto_config_add_string "rule" | |
| proto_config_add_string "ipaddr" | |
| proto_config_add_int "ip4prefixlen" | |
| proto_config_add_string "ip6prefix" | |
| proto_config_add_int "ip6prefixlen" | |
| proto_config_add_string "peeraddr" | |
| proto_config_add_int "ealen" | |
| proto_config_add_int "psidlen" | |
| proto_config_add_int "psid" | |
| proto_config_add_int "offset" | |
| proto_config_add_boolean "legacymap" | |
| proto_config_add_string "tunlink" | |
| proto_config_add_int "mtu" | |
| proto_config_add_int "ttl" | |
| proto_config_add_string "zone" | |
| proto_config_add_string "encaplimit" | |
| proto_config_add_int "snatstartps" | |
| proto_config_add_int "snatendps" | |
| } | |
| [ -n "$INCLUDE_ONLY" ] || { | |
| add_protocol map | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # map.sh - IPv4-in-IPv6 tunnel backend | |
| # | |
| # Author: Steven Barth <[email protected]> | |
| # Copyright (c) 2014 cisco Systems, Inc. | |
| # | |
| # This program is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License version 2 | |
| # as published by the Free Software Foundation | |
| # | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU General Public License for more details. | |
| [ -n "$INCLUDE_ONLY" ] || { | |
| . /lib/functions.sh | |
| . /lib/functions/network.sh | |
| . ../netifd-proto.sh | |
| init_proto "$@" | |
| } | |
| proto_map_setup() { | |
| local cfg="$1" | |
| local iface="$2" | |
| local link="map-$cfg" | |
| local maptype type legacymap mtu ttl tunlink zone encaplimit | |
| local rule ipaddr ip4prefixlen ip6prefix ip6prefixlen peeraddr ealen psidlen psid offset | |
| json_get_vars maptype type legacymap mtu ttl tunlink zone encaplimit | |
| json_get_vars rule ipaddr ip4prefixlen ip6prefix ip6prefixlen peeraddr ealen psidlen psid offset | |
| [ "$zone" = "-" ] && zone="" | |
| # Compatibility with older config: use $type if $maptype is missing | |
| [ -z "$maptype" ] && maptype="$type" | |
| [ -z "$maptype" ] && maptype="map-e" | |
| [ -z "$ip4prefixlen" ] && ip4prefixlen=32 | |
| ( proto_add_host_dependency "$cfg" "::" "$tunlink" ) | |
| # fixme: handle RA/DHCPv6 address race for LW | |
| [ "$maptype" = lw4o6 ] && sleep 5 | |
| if [ -z "$rule" ]; then | |
| rule="type=$maptype,ipv6prefix=$ip6prefix,prefix6len=$ip6prefixlen,ipv4prefix=$ipaddr,prefix4len=$ip4prefixlen" | |
| [ -n "$psid" ] && rule="$rule,psid=$psid" | |
| [ -n "$psidlen" ] && rule="$rule,psidlen=$psidlen" | |
| [ -n "$offset" ] && rule="$rule,offset=$offset" | |
| [ -n "$ealen" ] && rule="$rule,ealen=$ealen" | |
| if [ "$maptype" = "map-t" ]; then | |
| rule="$rule,dmr=$peeraddr" | |
| else | |
| rule="$rule,br=$peeraddr" | |
| fi | |
| fi | |
| echo "rule=$rule" > /tmp/map-$cfg.rules | |
| RULE_DATA=$(LEGACY="$legacymap" mapcalc ${tunlink:-\*} $rule) | |
| if [ "$?" != 0 ]; then | |
| proto_notify_error "$cfg" "INVALID_MAP_RULE" | |
| proto_block_restart "$cfg" | |
| return | |
| fi | |
| echo "$RULE_DATA" >> /tmp/map-$cfg.rules | |
| eval $RULE_DATA | |
| if [ -z "$RULE_BMR" ]; then | |
| proto_notify_error "$cfg" "NO_MATCHING_PD" | |
| proto_block_restart "$cfg" | |
| return | |
| fi | |
| k=$RULE_BMR | |
| if [ "$maptype" = "lw4o6" -o "$maptype" = "map-e" ]; then | |
| proto_init_update "$link" 1 | |
| proto_add_ipv4_address $(eval "echo \$RULE_${k}_IPV4ADDR") "" "" "" | |
| proto_add_tunnel | |
| json_add_string mode ipip6 | |
| json_add_int mtu "${mtu:-1280}" | |
| json_add_int ttl "${ttl:-64}" | |
| json_add_string local $(eval "echo \$RULE_${k}_IPV6ADDR") | |
| json_add_string remote $(eval "echo \$RULE_${k}_BR") | |
| json_add_string link $(eval "echo \$RULE_${k}_PD6IFACE") | |
| json_add_object "data" | |
| [ -n "$encaplimit" ] && json_add_string encaplimit "$encaplimit" | |
| if [ "$maptype" = "map-e" ]; then | |
| json_add_array "fmrs" | |
| for i in $(seq $RULE_COUNT); do | |
| [ "$(eval "echo \$RULE_${i}_FMR")" != 1 ] && continue | |
| json_add_object "" | |
| json_add_string prefix6 "$(eval "echo \$RULE_${i}_IPV6PREFIX")/$(eval "echo \$RULE_${i}_PREFIX6LEN")" | |
| json_add_string prefix4 "$(eval "echo \$RULE_${i}_IPV4PREFIX")/$(eval "echo \$RULE_${i}_PREFIX4LEN")" | |
| json_add_int ealen $(eval "echo \$RULE_${i}_EALEN") | |
| json_add_int offset $(eval "echo \$RULE_${i}_OFFSET") | |
| json_close_object | |
| done | |
| json_close_array | |
| fi | |
| json_close_object | |
| proto_close_tunnel | |
| elif [ "$maptype" = "map-t" -a -f "/proc/net/nat46/control" ]; then | |
| proto_init_update "$link" 1 | |
| local style="MAP" | |
| [ "$legacymap" = 1 ] && style="MAP0" | |
| echo add $link > /proc/net/nat46/control | |
| local cfgstr="local.style $style local.v4 $(eval "echo \$RULE_${k}_IPV4PREFIX")/$(eval "echo \$RULE_${k}_PREFIX4LEN")" | |
| cfgstr="$cfgstr local.v6 $(eval "echo \$RULE_${k}_IPV6PREFIX")/$(eval "echo \$RULE_${k}_PREFIX6LEN")" | |
| cfgstr="$cfgstr local.ea-len $(eval "echo \$RULE_${k}_EALEN") local.psid-offset $(eval "echo \$RULE_${k}_OFFSET")" | |
| cfgstr="$cfgstr remote.v4 0.0.0.0/0 remote.v6 $(eval "echo \$RULE_${k}_DMR") remote.style RFC6052 remote.ea-len 0 remote.psid-offset 0" | |
| echo config $link $cfgstr > /proc/net/nat46/control | |
| for i in $(seq $RULE_COUNT); do | |
| [ "$(eval "echo \$RULE_${i}_FMR")" != 1 ] && continue | |
| local cfgstr="remote.style $style remote.v4 $(eval "echo \$RULE_${i}_IPV4PREFIX")/$(eval "echo \$RULE_${i}_PREFIX4LEN")" | |
| cfgstr="$cfgstr remote.v6 $(eval "echo \$RULE_${i}_IPV6PREFIX")/$(eval "echo \$RULE_${i}_PREFIX6LEN")" | |
| cfgstr="$cfgstr remote.ea-len $(eval "echo \$RULE_${i}_EALEN") remote.psid-offset $(eval "echo \$RULE_${i}_OFFSET")" | |
| echo insert $link $cfgstr > /proc/net/nat46/control | |
| done | |
| else | |
| proto_notify_error "$cfg" "UNSUPPORTED_TYPE" | |
| proto_block_restart "$cfg" | |
| fi | |
| proto_add_ipv4_route "0.0.0.0" 0 | |
| proto_add_data | |
| [ -n "$zone" ] && json_add_string zone "$zone" | |
| json_add_array firewall | |
| if [ -z "$(eval "echo \$RULE_${k}_PORTSETS")" ]; then | |
| json_add_object "" | |
| json_add_string type nat | |
| json_add_string target SNAT | |
| json_add_string family inet | |
| json_add_string snat_ip $(eval "echo \$RULE_${k}_IPV4ADDR") | |
| json_close_object | |
| else | |
| local pscount=0 | |
| local pslen=1 | |
| for i in $(eval "echo \$RULE_${k}_PORTSETS"); do pslen=`expr $pslen + 1`; done | |
| for portset in $(eval "echo \$RULE_${k}_PORTSETS"); do | |
| for proto in icmp tcp udp; do | |
| json_add_object "" | |
| json_add_string type nat | |
| json_add_string target SNAT | |
| json_add_string family inet | |
| json_add_string proto "$proto" | |
| if [ "$proto" = "tcp" ]; then | |
| json_add_string extra " -m statistic --mode nth --every ${pslen} --packet ${pscount} " | |
| else | |
| json_add_boolean connlimit_ports 1 | |
| # json_add_string extra " -m connlimit --connlimit-daddr --connlimit-upto 16 --connlimit-mask 0 " | |
| fi | |
| json_add_string snat_ip $(eval "echo \$RULE_${k}_IPV4ADDR") | |
| json_add_string snat_port "$portset" | |
| json_close_object | |
| done | |
| pscount=`expr $pscount + 1` | |
| done | |
| fi | |
| if [ "$maptype" = "map-t" ]; then | |
| [ -z "$zone" ] && zone=$(fw3 -q network $iface 2>/dev/null) | |
| [ -n "$zone" ] && { | |
| json_add_object "" | |
| json_add_string type rule | |
| json_add_string family inet6 | |
| json_add_string proto all | |
| json_add_string direction in | |
| json_add_string dest "$zone" | |
| json_add_string src "$zone" | |
| json_add_string src_ip $(eval "echo \$RULE_${k}_IPV6ADDR") | |
| json_add_string target ACCEPT | |
| json_close_object | |
| json_add_object "" | |
| json_add_string type rule | |
| json_add_string family inet6 | |
| json_add_string proto all | |
| json_add_string direction out | |
| json_add_string dest "$zone" | |
| json_add_string src "$zone" | |
| json_add_string dest_ip $(eval "echo \$RULE_${k}_IPV6ADDR") | |
| json_add_string target ACCEPT | |
| json_close_object | |
| } | |
| proto_add_ipv6_route $(eval "echo \$RULE_${k}_IPV6ADDR") 128 | |
| fi | |
| json_close_array | |
| proto_close_data | |
| proto_send_update "$cfg" | |
| if [ "$maptype" = "lw4o6" -o "$maptype" = "map-e" ]; then | |
| json_init | |
| json_add_string name "${cfg}_" | |
| json_add_string ifname "@$(eval "echo \$RULE_${k}_PD6IFACE")" | |
| json_add_string proto "static" | |
| json_add_array ip6addr | |
| json_add_string "" "$(eval "echo \$RULE_${k}_IPV6ADDR")" | |
| json_close_array | |
| json_close_object | |
| ubus call network add_dynamic "$(json_dump)" | |
| fi | |
| } | |
| proto_map_teardown() { | |
| local cfg="$1" | |
| local link="map-$cfg" | |
| json_get_var type type | |
| [ -z "$maptype" ] && maptype="$type" | |
| [ -z "$maptype" ] && maptype="map-e" | |
| case "$maptype" in | |
| "map-e"|"lw4o6") ifdown "${cfg}_" ;; | |
| "map-t") [ -f "/proc/net/nat46/control" ] && echo del $link > /proc/net/nat46/control ;; | |
| esac | |
| rm -f /tmp/map-$cfg.rules | |
| } | |
| proto_map_init_config() { | |
| no_device=1 | |
| available=1 | |
| proto_config_add_string "maptype" | |
| proto_config_add_string "rule" | |
| proto_config_add_string "ipaddr" | |
| proto_config_add_int "ip4prefixlen" | |
| proto_config_add_string "ip6prefix" | |
| proto_config_add_int "ip6prefixlen" | |
| proto_config_add_string "peeraddr" | |
| proto_config_add_int "ealen" | |
| proto_config_add_int "psidlen" | |
| proto_config_add_int "psid" | |
| proto_config_add_int "offset" | |
| proto_config_add_boolean "legacymap" | |
| proto_config_add_string "tunlink" | |
| proto_config_add_int "mtu" | |
| proto_config_add_int "ttl" | |
| proto_config_add_string "zone" | |
| proto_config_add_string "encaplimit" | |
| } | |
| [ -n "$INCLUDE_ONLY" ] || { | |
| add_protocol map | |
| } |
line:158 - 159 について
icmp,udpを『 json_add_boolean connlimit_ports 1 』として --connlimit-mask 32 で使うことで不具合に遭遇していないので、新たに uci の option を追加してこの設定をスイッチできるようにすることは考えていない。
もし、不具合が有れば具体的な事例を教えてほしい。自分でも検証したいと考えている。
22.03.0 では動きません。てか、無改造でも22.03ではmap動きません。
interfaceはつくられるが、fw4の対応が追いついてないように思います。
最新のOpenWRTで、fw4で働くmap.shとfirewall.userを添付します。
自作で不粋だと思いますが…
まず、firewall.userを有効化するには、/etc/config/firewall に:
config include
option path '/etc/firewall.user'
option fw4_compatible '1'
を追加。
そして添付ファイルを/etc/firewall.user 、 /lib/netifd/proto/map.sh に入れれば完全動作。
firewall.user
https://pastebin.com/raw/jmt0UVJa
https://github.com/openwrt/firewall4/blob/master/root/usr/share/ucode/fw4.uc
fw4の実装状況見てみましたが、Cからluaに切り替え、extraフラグはUNSUPPORTEDで無意味に、connlimit_portはboolはあるみたいですが、中身が無いという状況・・・
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
修正完了
利用可能なポートセットの数とoptionで指定したポートセット範囲の数を比較して数の少ない方で --every のパラメータとする事で動的に対処