All,

This is the updated dynamic firewall script for OpenWrt >= 22.03. This script will not reload firewall counters upon processing new endpoints into the set.

Please be advised - a firewall bug on the release version will not recognize empty or missing files - and hence keeps this from working without an upgrade of the firewall. The script posted in the original email (attached below) contains the script that will work without the patch. You may run the following to patch OpenWrt and use this:

opkg update; opkg upgrade firewall4
reboot
Reference: https://forum.openwrt.org/t/re-22-03-translate-extra-raw-firewall-rules/1406...
--
73,
-Lynwood
KB3VWG
--

#########################
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /tmp || exit 1
###########################
# start a fresh list (-f so a missing file is not an error)
rm -f /tmp/ipip_filter.txt
# static entry first, so the file is never empty when fw4 reads it
echo 169.228.34.84 >> /tmp/ipip_filter.txt
# one line per unique tunnel endpoint taken from ampr-ripd's encap.txt
grep addprivate /var/lib/ampr-ripd/encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
	echo "$ip" >> /tmp/ipip_filter.txt
done
# reload the sets only; the rest of the ruleset (and its counters) is left alone
fw4 reload-sets
exit 0
######################

-------- Original message --------
From: lleachii@aol.com
Date: 10/4/22 19:15 (GMT-05:00)
To: AMPRNet Working Group <44net@mailman.ampr.org>
Subject: Re: [44net] Re: [FYI] OpenWrt Nodes - 22.03.0 with dynamic firewall

Old comments removed:

#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /var/lib/ampr-ripd || exit 1
# empty the set, then re-add the static entry and every tunnel endpoint
nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter { 169.228.34.84 }
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read -r ip
do
	nft add element inet fw4 ipipfilter { "$ip" }
done
All,

Those running the update and new script should edit their firewall settings to the following:

config ipset
	option name 'ipipfilter'
	option match 'src_net'
	list entry '169.228.34.84'
	option loadfile '/tmp/ipip_filter.txt'   # <--- ADD
- KB3VWG
On Tuesday, October 25, 2022 at 06:23:32 PM EDT, lleachii--- via 44net <44net@mailman.ampr.org> wrote the message above.
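As an added example (not the list post's own script, and not part of ampr-ripd or OpenWrt), here is a version of the /tmp/ipip_filter.txt builder that goes beyond the posted one in two ways: every endpoint pulled out of encap.txt is checked to be a real dotted-quad IPv4 address before it can reach the firewall set, and the list is written through a temporary file and mv(1) so fw4 never reads a missing, empty or half-written file. The function names, the constructed encap.txt sample and the temporary directory are this example's own assumptions; the ampr-ripd file format, the fw4 reload-sets command and the static entry 169.228.34.84 are taken from the post.

```shell
#!/bin/sh
# Added example, not the list post's own script and not part of ampr-ripd
# or OpenWrt. Builds the ipipfilter loadfile from ampr-ripd's encap.txt with
# endpoint validation and an atomic replace. Function names, the sample
# encap.txt and the temp directory are this example's assumptions.
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# extract_encap_endpoints FILE: print the unique tunnel endpoints from the
# addprivate lines of encap.txt, dropping (and reporting) malformed ones.
extract_encap_endpoints() {
    if [ ! -r "$1" ]; then
        echo "warning: $1 missing or unreadable, no dynamic endpoints" >&2
        return 0
    fi
    grep addprivate "$1" | sed -e 's/.*encap //' | sort -u |
    while read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            echo "skipping malformed endpoint: $ip" >&2
        fi
    done
}

# build_ipip_filter ENCAP_FILE OUT_FILE STATIC_IP: write STATIC_IP followed by
# every validated endpoint (minus duplicates of STATIC_IP) to OUT_FILE through
# a temp file plus mv(1), so the file fw4 reads is never absent, empty or
# half-written. Prints the number of entries written.
build_ipip_filter() {
    encap=$1; out=$2; static=$3
    if ! is_ipv4 "$static"; then
        echo "bad static address: $static" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    if ! {
        printf '%s\n' "$static"
        extract_encap_endpoints "$encap" | grep -vxF -- "$static" || :
    } > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out" || return 1
    wc -l < "$out" | tr -d ' '
}

# write_sample_encap FILE: a constructed encap.txt (not real AMPRNet routing
# data) in ampr-ripd's "route addprivate NET encap GATEWAY" format, with one
# endpoint repeated, one equal to the static entry and two malformed lines.
write_sample_encap() {
    cat > "$1" <<'EOF'
route addprivate 44.1.2.0/24 encap 192.0.2.10
route addprivate 44.1.3.0/24 encap 192.0.2.11
route addprivate 44.1.4.0/24 encap 192.0.2.10
route addprivate 44.1.5.0/24 encap 198.51.100.7
route addprivate 44.1.6.0/24 encap 169.228.34.84
route addprivate 44.1.7.0/24 encap 192.0.2.300
route addprivate 44.1.8.0/24 encap not-an-ip
EOF
}

# Stand-alone run on the constructed sample. On a node, point the first two
# arguments at /var/lib/ampr-ripd/encap.txt and /tmp/ipip_filter.txt instead.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/ipipfilter.XXXXXX")
write_sample_encap "$demo_dir/encap.txt"
count=$(build_ipip_filter "$demo_dir/encap.txt" "$demo_dir/ipip_filter.txt" 169.228.34.84)
echo "wrote $count entries to $demo_dir/ipip_filter.txt:"
cat "$demo_dir/ipip_filter.txt"
# Only reload the firewall sets where fw4 exists, i.e. on the router itself.
if command -v fw4 >/dev/null 2>&1; then
    fw4 reload-sets
fi
```

On a node, call build_ipip_filter with /var/lib/ampr-ripd/encap.txt and /tmp/ipip_filter.txt, keep the loadfile line in the ipset config, and after fw4 reload-sets confirm what actually landed in the set with nft list set inet fw4 ipipfilter. Malformed endpoints are reported on stderr rather than written, because encap.txt is built from routes announced over the network and a line that nft cannot parse as an address makes the set reload fail rather than just being ignored.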