Merge pull request #23684 from stangri/master-pbr

pbr: update to 1.1.4-5

net/pbr/Makefile

@@ -1,113 +1,122 @@
-# Copyright 2017-2022 Stan Grishin (stangri@melmac.ca)
+# Copyright 2017-2023 MOSSDeF, Stan Grishin (stangri@melmac.ca)
 # This is free software, licensed under the GNU General Public License v3.
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pbr
-PKG_VERSION:=1.1.1
-PKG_RELEASE:=7
+PKG_VERSION:=1.1.4
+PKG_RELEASE:=5
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/pbr/Default
+define Package/pbr-service/Default
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=Routing and Redirection
   TITLE:=Policy Based Routing Service
   URL:=https://docs.openwrt.melmac.net/pbr/
   DEPENDS:=+ip-full +jshn +jsonfilter +resolveip
+	DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk
+	DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep
+	DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed
+  PROVIDES:=pbr-service
   CONFLICTS:=vpnbypass vpn-policy-routing
   PKGARCH:=all
 endef
 
 define Package/pbr
-$(call Package/pbr/Default)
+$(call Package/pbr-service/Default)
   TITLE+= with nft/nft set support
   DEPENDS+=+kmod-nft-core +kmod-nft-nat +nftables-json
-  VARIANT:=nftables
-  PROVIDES:=vpnbypass vpn-policy-routing
   DEFAULT_VARIANT:=1
+  VARIANT:=nftables
+  PROVIDES+=pbr vpnbypass vpn-policy-routing
 endef
 
 define Package/pbr-iptables
-$(call Package/pbr/Default)
+$(call Package/pbr-service/Default)
   TITLE+= with iptables/ipset support
   DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt
   VARIANT:=iptables
-  PROVIDES:=pbr
 endef
 
 define Package/pbr-netifd
-$(call Package/pbr/Default)
+$(call Package/pbr-service/Default)
   TITLE+= with netifd support
   VARIANT:=netifd
-  PROVIDES:=pbr
+endef
+
+define Package/pbr-service/description
+  This service enables policy-based routing for WAN interfaces and various VPN tunnels.
 endef
 
 define Package/pbr/description
-This service enables policy-based routing for WAN interfaces and various VPN tunnels.
-This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
+  $(call Package/pbr-service/description)
+  This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
 endef
 
 define Package/pbr-iptables/description
-This service enables policy-based routing for WAN interfaces and various VPN tunnels.
-This version supports OpenWrt with firewall3/ipset/iptables.
+  $(call Package/pbr-service/description)
+  This version supports OpenWrt with firewall3/ipset/iptables.
 endef
 
 define Package/pbr-netifd/description
-This service enables policy-based routing for WAN interfaces and various VPN tunnels.
-This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
-This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
+  $(call Package/pbr-service/description)
+  This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
+  This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
 endef
 
-define Package/pbr/conffiles
+define Package/pbr-service/conffiles
 /etc/config/pbr
 endef
 
-Package/pbr-iptables/conffiles = $(Package/pbr/conffiles)
-Package/pbr-netifd/conffiles = $(Package/pbr/conffiles)
+Package/pbr/conffiles = $(Package/pbr-service/conffiles)
+Package/pbr-iptables/conffiles = $(Package/pbr-service/conffiles)
+Package/pbr-netifd/conffiles = $(Package/pbr-service/conffiles)
 
 define Build/Configure
 endef
 
 define Build/Compile
 endef
 
-define Package/pbr/default/install
+define Package/pbr-service/install
 	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr
+	$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
 	$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
-	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN)  ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
+	$(INSTALL_DATA) ./files/usr/share/pbr/.keep $(1)/usr/share/pbr/.keep
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws
 	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix
+	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.wg_server_and_client $(1)/usr/share/pbr/pbr.user.wg_server_and_client
 endef
+#	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+#	$(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
 
 define Package/pbr/install
-$(call Package/pbr/default/install,$(1))
+$(call Package/pbr-service/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/usr/share/pbr
-	$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include
+	$(INSTALL_DATA) ./files/usr/share/pbr/firewall.include $(1)/usr/share/pbr/firewall.include
 	$(INSTALL_DIR) $(1)/usr/share/nftables.d
 	$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
 endef
 
 define Package/pbr-iptables/install
-$(call Package/pbr/default/install,$(1))
+$(call Package/pbr-service/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
 	$(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
 endef
 
 define Package/pbr-netifd/install
-$(call Package/pbr/default/install,$(1))
+$(call Package/pbr-service/install,$(1))
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
@@ -133,7 +142,7 @@ define Package/pbr/prerm
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
 		echo "Stopping pbr service... "
-		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
+		/etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
 	fi
@@ -165,7 +174,7 @@ define Package/pbr-iptables/prerm
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
 		echo "Stopping pbr-iptables service... "
-		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
+		/etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr-iptables... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
 	fi
@@ -188,7 +197,7 @@ define Package/pbr-netifd/prerm
 	if [ -z "$${IPKG_INSTROOT}" ]; then
 		uci -q delete firewall.pbr || true
 		echo "Stopping pbr-netifd service... "
-		/etc/init.d/pbr stop && echo "OK" || echo "FAIL"
+		/etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL"
 		echo -n "Removing rc.d symlink for pbr... "
 		/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
 	fi

net/pbr/files/etc/config/pbr

@@ -2,14 +2,23 @@ config pbr 'config'
 	option enabled '0'
 	option verbosity '2'
 	option strict_enforcement '1'
-	option resolver_set 'none'
+	option resolver_set 'dnsmasq.nftset'
+	list resolver_instance '*'
 	option ipv6_enabled '0'
 	list ignored_interface 'vpnserver'
-	list ignored_interface 'wgserver'
+	option nft_file_support '0'
 	option boot_timeout '30'
 	option rule_create_option 'add'
+	option procd_boot_delay '0'
 	option procd_reload_delay '1'
 	option webui_show_ignore_target '0'
+	option nft_set_auto_merge '1'
+	option nft_set_counter '1'
+	option nft_set_flags_interval '1'
+	option nft_set_flags_timeout '0'
+	option nft_set_gc_interval ''
+	option nft_set_policy 'performance'
+	option nft_set_timeout ''
 	list webui_supported_protocol 'all'
 	list webui_supported_protocol 'tcp'
 	list webui_supported_protocol 'udp'
@@ -18,11 +27,21 @@ config pbr 'config'
 
 config include
 	option path '/usr/share/pbr/pbr.user.aws'
-	option enabled 0
+	option enabled '0'
 
 config include
 	option path '/usr/share/pbr/pbr.user.netflix'
-	option enabled 0
+	option enabled '0'
+
+config include
+	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
+	option enabled '0'
+
+config policy
+	option name 'Ignore Local Requests'
+	option interface 'ignore'
+	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
+	option enabled '0'
 
 config policy
 	option name 'Plex/Emby Local Server'

net/pbr/files/etc/config/pbr.iptables

@@ -3,11 +3,12 @@ config pbr 'config'
 	option verbosity '2'
 	option strict_enforcement '1'
 	option resolver_set 'dnsmasq.ipset'
+	list resolver_instance '*'
 	option ipv6_enabled '0'
 	list ignored_interface 'vpnserver'
-	list ignored_interface 'wgserver'
 	option boot_timeout '30'
 	option rule_create_option 'add'
+	option procd_boot_delay '0'
 	option procd_reload_delay '1'
 	option webui_show_ignore_target '0'
 	list webui_supported_protocol 'all'
@@ -24,6 +25,10 @@ config include
 	option path '/usr/share/pbr/pbr.user.netflix'
 	option enabled 0
 
+config include
+	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
+	option enabled 0
+
 config policy
 	option name 'Plex/Emby Local Server'
 	option interface 'wan'

net/pbr/files/etc/hotplug.d/firewall/70-pbr

@@ -1,6 +1,6 @@
 #!/bin/sh
 [ "$ACTION" = "reload" ] || [ "$ACTION" = "restart" ] || exit 0
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
-	logger -t "pbr" "Reloading pbr due to firewall action: $ACTION"
+	logger -t "pbr" "Sending reload signal to pbr due to firewall action: $ACTION"
 	/etc/init.d/pbr reload
 fi

net/pbr/files/etc/hotplug.d/iface/70-pbr

@@ -1,6 +1,6 @@
 #!/bin/sh
 # shellcheck disable=SC1091,SC3060
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
-	logger -t pbr "Reloading pbr $INTERFACE interface routing due to $ACTION of $INTERFACE ($DEVICE)"
-	/etc/init.d/pbr on_interface_reload "$INTERFACE"
+	logger -t pbr "Sending reload signal to pbr for $INTERFACE due to $ACTION of $INTERFACE${DEVICE:+ ($DEVICE)}"
+	/etc/init.d/pbr on_interface_reload "$INTERFACE" "$ACTION"
 fi