All,

This is the updated dynamic firewall script for OpenWrt 22.03 >= 22.03. This script will not reload firewall counters upon processing new endpoints into the set.

Please be advised - a firewall bug on the release version will not recognize empty or missing files - and hence keeps this from working without an upgrade of the firewall. The script posted in the original email (attached below) contains the script that will work without the patch.

You may run the following to patch OpenWrt and use this:


opkg update; opkg upgrade firewall4
reboot


Reference: https://forum.openwrt.org/t/re-22-03-translate-extra-raw-firewall-rules/140618/3?u=lleachii


--

73,

-Lynwood
KB3VWG
--

########################
#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /tmp || exit 1

###########################

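# Start from a clean file; -f keeps rm quiet when the file does not exist yet
rm -f /tmp/ipip_filter.txt

# Static entry written ahead of the encap gateways
echo 169.228.34.84 >> /tmp/ipip_filter.txt

# Append each unique encap gateway from the ampr-ripd route file
grep addprivate /var/lib/ampr-ripd/encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
        echo "$ip" >> /tmp/ipip_filter.txt
done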

fw4 reload-sets

exit 0

######################

-------- Original message --------
From: lleachii@aol.com
Date: 10/4/22 19:15 (GMT-05:00)
To: AMPRNet Working Group <44net@mailman.ampr.org>
Subject: Re: [44net] Re: [FYI] OpenWrt Nodes - 22.03.0 with dynamic firewall

Old comments removed:


#!/bin/sh
# load encap.txt into ipipfilter list

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

cd /var/lib/ampr-ripd || exit 1

# Empty the set, then re-add the static entry
nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter "{ 169.228.34.84 }"

# Add each unique encap gateway from encap.txt
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
     nft add element inet fw4 ipipfilter "{ $ip }"
done
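
The updated script in this message removes /tmp/ipip_filter.txt and rebuilds it line by line, so the file is briefly missing or partial, and whatever follows `encap` goes into the set unchecked. An added example, not the poster's script, that validates each gateway as an IPv4 address and swaps the finished file in with one rename; the function names and the sample encap.txt lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ipip_filter ENCAP_FILE OUT_FILE: write the validated, de-duplicated
# gateways to a temp file, then rename it over OUT_FILE in one step.
build_ipip_filter() {
    [ -r "$1" ] || return 1
    tmp=$(mktemp "$2.XXXXXX") || return 1
    grep addprivate "$1" | sed -e 's/.*encap //' | sort -u |
    while read -r ip; do
        if is_ipv4 "$ip"; then
            echo "$ip" >> "$tmp"
        else
            echo "skipping invalid gateway: $ip" >&2
        fi
    done
    # No usable gateway (truncated or corrupt encap.txt): keep the old file.
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    echo 169.228.34.84 >> "$tmp"    # static entry from the script above
    mv -f "$tmp" "$2"
}

# selftest: run the builder on constructed encap.txt lines, print the result.
selftest() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample, not real AMPRNet data' \
        'route addprivate 44.0.2.0/24 encap 192.0.2.10' \
        'route addprivate 44.0.3.0/24 encap 192.0.2.10' \
        'route addprivate 44.0.4.0/24 encap 198.51.100.7' \
        'route addprivate 44.0.5.0/24 encap 300.1.2.3' > "$d/encap.txt"
    build_ipip_filter "$d/encap.txt" "$d/ipip_filter.txt" 2>/dev/null
    cat "$d/ipip_filter.txt"; rm -rf "$d"
}
# Router use: build_ipip_filter /var/lib/ampr-ripd/encap.txt /tmp/ipip_filter.txt && fw4 reload-sets
```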