All,
FYI, if you upgrade an OpenWrt node to 22.03.0 with a dynamic firewall script, the script will need to be updated to nftables. In addition, I am running on x86_64, but those who use consumer hardware may experience loads when iptables rules were in the Wiki versus "ipset" (which is an iptables feature). See the archives about that issue. On larger sets of IPs, the load times are slower. I'm not sure if that's due to our routing table already being in a "least-specific" notation. Nonetheless, if anyone wishes to try, feel free to have me as a resource during your upgrade. If anyone wants to test installing the additional needed packages to continue using, let me know too for documenting to the Wiki. I can test on consumer software too - and you can forward the routes to it using the setting in ampr-ripd.
-- 73,
- Lynwood KB3VWG
All,
Here is a test script - updated for OpenWrt 22.03.0. Thanks to all on the 44list who previously worked on the iptables/ipset version in the Wiki now. Feel free to ask me any questions, provide feedback, etc. Any OpenWrt operators, please let me know the performance of this script, so I can update the Wiki. No additional packages should be needed (except the C/C++ library already required to run ampr-ripd).

#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /var/lib/ampr-ripd || exit 1
#ipset -N ipipfilter hash:ip 2>/dev/null
#ipset flush ipipfilter
#ipset -A ipipfilter 169.228.34.84
nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter { 169.228.34.84 }
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
  nft add element inet fw4 ipipfilter { $ip }
done

-- 73,
- Lynwood KB3VWG
Old comments removed:

#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /var/lib/ampr-ripd || exit 1
nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter { 169.228.34.84 }
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ip
do
  nft add element inet fw4 ipipfilter { $ip }
done
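
Added example, not part of the original posts or the Wiki script: a variant that checks each encap.txt gateway is a plain IPv4 address before it reaches nft, and loads the whole ipipfilter set with a single nft invocation instead of one per address. The function names (is_ipv4, gateways, build_batch, sample_encap) are hypothetical and the sample input is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the set "ipipfilter" already
# exists in table "inet fw4", as the posted script does.

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gateways FILE: print the address after "encap" on each addprivate line;
# entries that are not plain IPv4 addresses are reported and never reach nft.
gateways() {
    grep addprivate "$1" | sed -e 's/.*encap //' |
    while read -r ip; do
        if is_ipv4 "$ip"; then echo "$ip"
        else echo "skipping invalid entry: $ip" >&2; fi
    done
}

# build_batch FILE: print a flush plus one add for the whole set. Fed to
# "nft -f", both commands are applied as one transaction.
build_batch() {
    list=$( { echo 169.228.34.84; gateways "$1"; } | sort -u |
            tr '\n' ',' | sed -e 's/,$//' -e 's/,/, /g')
    echo "flush set inet fw4 ipipfilter"
    echo "add element inet fw4 ipipfilter { $list }"
}

# Constructed sample input (documentation addresses), not real encap data.
sample_encap() {
    cat <<'EOF'
route addprivate 44.0.2.0/24 encap 192.0.2.10
route addprivate 44.0.3.0/24 encap 198.51.100.7
route addprivate 44.0.4.0/24 encap 192.0.2.10
route addprivate 44.0.5.0/24 encap 203.0.113.999
route addprivate 44.0.6.0/24 encap 192.0.2.1 } junk
EOF
}

# On the router, run this file with the argument "apply".
if [ "${1:-}" = "apply" ]; then
    cd /var/lib/ampr-ripd && build_batch encap.txt | nft -f -
fi
```

Because the flush and the add arrive in one nft -f batch, the set is never left empty partway through a reload.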