pbr: update to 1.1.4-5 #23684
pbr: update to 1.1.4-5 #23684
Conversation
| [ -z "$nft" ] && nft="$(command -v nft)" | ||
| _ret=1 | ||
| #DB_SOURCE='api.bgpview.io' | ||
| REGEX_IPV4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,\}' |
There was a problem hiding this comment.
Nitpick... Are there ever cases when the mask is > 32? Perhaps it's sensible to close the range?:
REGEX_IPV4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,2\}'
There was a problem hiding this comment.
Paul, thank you for your review. As I don't use these scripts myself, I have no way of testing for the desired result, so I don't want to change things in them unless I have to. If things work as is, I'd prefer to keep code as is.
| _ret=1 | ||
| #DB_SOURCE='api.bgpview.io' | ||
| REGEX_IPV4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,\}' | ||
| REGEX_IPV6='.*::.*' |
There was a problem hiding this comment.
I know we like simple expressions, but... Does this match if someone/something provides a non-abbreviated IPv6?
2001:0db8:0000:0000:0000:8a2e:0370:7334? I don't know what the likelihood of that is here.
Is a workaround to look for [ and ]?
There was a problem hiding this comment.
If iPv4 don't have ports in them, perhaps just check for :
There was a problem hiding this comment.
Paul, thank you for your review. As I don't use these scripts myself, I have no way of testing for the desired result, so I don't want to change things in them unless I have to. If things work as is, I'd prefer to keep code as is.
|
@stangri I can not compile it, I get error:
Take the .keep file from your repo and now it compile |
Yeah, test cases fail at this stage. |
stangri
force-pushed
the
master-pbr
branch
3 times, most recently
from
b0522c3
to
44cf2f6
Compare
|
Currently failing with: |
It's only failing for some architectures and not others. I actually build and test on x86_64, and CI is failing that arch. I believe this was also the case with the previous PR. Can anyone shed any light on why CI is trying to run the service and where failed ubus calls are coming from? |
Where the build is fine seems that the test with docker container is skipped. |
This update includes the following changes:
1. Makefile
* update copyright
* attempt to implement the proper variants to avoid luci-app dependency on both variants
* quietly stop service on uninstall
2. Config-file
* add the list of dnsmasq instances to target in supported dnsmasq modes
* for default pbr variant, set the `resolver_set` to `dnsmasq.nftset`
* for iptables pbr variant, set the `resolver_set` to `dnsmasq.ipset`
* add the `nft_file_support` (disabled by default)
* introduce `procd_boot_delay` to delay service start on boot
* introduce the following nft set creation options:
* nft_set_auto_merge
* nft_set_counter
* nft_set_flags_interval
* nft_set_flags_timeout
* nft_set_gc_interval
* nft_set_policy
* nft_set_timeout
* add the pbr.user.wg_server_and_client custom user script to allow running wg server and
client at the same time
* add the "Ignore Local Requests" sample policy
3. Hotplug firewall/interface scripts
* better logged messages
4. The pbr and pbr-iptables uci defaults script
* use functions from the init script
* improve vpn-policy-routing migration
5. The pbr-netifd uci defaults script
* use functions from the init script
* improve uci operations
6. Introduce the firewall.include file
7. Improve pbr.user.aws custom user script
8. Improve pbr.user.netflix custom user script
9. Introduce pbr.user.wg_server_and_client custom user script
10. Update the init file:
* refactor some code to allow the init script file to be sourced by the uci defaults scripts
and the luci rpcd script for shared functions
* add support for `nft_file_mode` in which service prepares the fw4-compatible atomic nft/include
file for faster operations on service reload
* improve Tor support (nft mode only)
* implement support for nft set options
* update validation functions for new options/parameters
Signed-off-by: Stan Grishin <stangri@melmac.ca>
|
Green across the board 🥳 |
|
Can you please update to 1.1.4.-r7 thanks? Sorry, I have just see the PR. Thanks a lot |
|
@hnyman Hannu, could you please do me a favor and have a look at/comment on the Makefile? I believe I was following your instructions from the mail-list or forum trying to do the variants better, but some users on the forum still say that for them when installing |
Looking at the luci app, it actually depends on the "pbr-service", not "pbr" ??? And all your variants provide "pbr-service". I think that the most clear naming and dependency might be something like "pbr-nftables" and "pbr-legacy-iptables", and both of them would provide "pbr". and pbr-nftables would be the DEFAULT_VARIANT I haven't worked with variants for a while, so my thoughts might be out of date... It might also be something simple, like that your declaration of DEFAULT_VARIANT:=1 is before the VARIANT line in the definition of "pbr". One clear example of working variant is libustreamssl: |
Thank you for your prompt reply. I really want to keep the name of the default package just Looking at Or do I misunderstand the intention of My goals for user experience are:
I thought I achieved that with the Makefile in this commit, but evidently I was wrong. Can you help me please? |
Maintainer: me
Compile tested: x86_64, Sophos XG-135r3, OpenWrt 23.05.2
Run tested: x86_64, Sophos XG-135r3, OpenWrt 23.05.2
Description:
This update includes the following changes:
resolver_settodnsmasq.nftsetresolver_settodnsmasq.ipsetnft_file_support(disabled by default)procd_boot_delayto delay service start on bootIntroduce the firewall.include file
Improve pbr.user.aws custom user script
Improve pbr.user.netflix custom user script
Introduce pbr.user.wg_server_and_client custom user script
Update the init file:
nft_file_modein which service prepares the fw4-compatible atomic nft/include file for faster operations on service reload