All,

Those running the update and new script should edit their firewall setting to the following:




config ipset
        option name 'ipipfilter'
        option match 'src_net'
        list entry '169.228.34.84'
        option loadfile '/tmp/ipip_filter.txt' # <--- ADD

- KB3VWG


On Tuesday, October 25, 2022 at 06:23:32 PM EDT, lleachii--- via 44net <44net@mailman.ampr.org> wrote:


All,

This is the updated dynamic firewall script for OpenWrt 22.03 >= 22.03. This script will not reload firewall counters upon processing new endpoints into the set.

Please be advised - a firewall bug on the release version will not recognize empty or missing files - and hence keeps this from working without an upgrade of the firewall. The script posted in the original email (attached below) contains the script that will work without the patch.

You may run the following to patch OpenWrt and use this:


opkg update; opkg upgrade firewall4
reboot




--

73,

-Lynwood
KB3VWG
--

########################
#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /tmp || exit 1

###########################

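# start from an empty file; -f avoids an error when it does not exist yet
rm -f /tmp/ipip_filter.txt

# static gateway entry
echo 169.228.34.84 >> /tmp/ipip_filter.txt

# append each unique encap gateway address
grep addprivate /var/lib/ampr-ripd/encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
        echo "$ip" >> /tmp/ipip_filter.txt
done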

fw4 reload-sets

exit 0

######################

-------- Original message --------
From: lleachii@aol.com
Date: 10/4/22 19:15 (GMT-05:00)
To: AMPRNet Working Group <44net@mailman.ampr.org>
Subject: Re: [44net] Re: [FYI] OpenWrt Nodes - 22.03.0 with dynamic firewall

Old comments removed:


#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter { 169.228.34.84 }

grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
     nft add element inet fw4 ipipfilter { "$ip" }
done

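An added example (not part of the original messages and not OpenWrt's own code): a variant of the loadfile script above that accepts only well-formed IPv4 gateway addresses, replaces /tmp/ipip_filter.txt with an atomic rename, and reloads the sets only when the list changed. The function names, exit codes and the sample encap.txt lines are assumptions made for illustration; the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not the list's script. Function names and sample data are assumptions.
UCSD_GW="169.228.34.84"   # static entry from the ipset config on this page
# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots reach this point
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_filter ENCAP_FILE OUT_FILE -> 0 replaced, 1 unchanged, 2 error
build_filter() {
    [ -r "$1" ] || return 2
    tmp=$(mktemp "$2.XXXXXX") || return 2
    {
        echo "$UCSD_GW"
        grep addprivate "$1" | sed -e 's/.*encap //' | sort -u |
        while read -r ip; do
            if is_ipv4 "$ip"; then echo "$ip"
            else echo "skipped invalid gateway: $ip" >&2; fi
        done
    } > "$tmp"
    if [ -f "$2" ] && cmp -s "$tmp" "$2"; then rm -f "$tmp"; return 1; fi
    mv -f "$tmp" "$2"    # rename is atomic: fw4 never reads a half-written file
}

# Constructed sample in the layout the page's sed expression expects.
sample_encap() {
    cat <<'EOF'
route addprivate 44.128.1.0/24 encap 192.0.2.10
route addprivate 44.128.2.0/24 encap 192.0.2.10
route addprivate 44.128.3.0/24 encap 198.51.100.300
route addprivate 44.128.4.0/24 encap not-an-address
EOF
}

# Real use: script /var/lib/ampr-ripd/encap.txt /tmp/ipip_filter.txt
if [ "$#" -eq 2 ]; then
    build_filter "$1" "$2"; rc=$?
    [ "$rc" -eq 0 ] && fw4 reload-sets
    [ "$rc" -le 1 ] || exit 1
fi
```

Invalid lines are reported on stderr and left out of the file, so a malformed encap.txt entry cannot reach the firewall set.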