25 Oct
2022
25 Oct
'22
11:22 p.m.
All,
This is the updated dynamic firewall script for OpenWrt 22.03 >= 22.03. This script
will not reload firewall counters upon processing new endpoints into the set.
Please be advised - a firewall bug on the release version will not recognize empty or
missing files - and hence keeps this from working without an upgrade of the firewall. The
script posted in the original email (attached below), contains the script that will work
without the patch.
You may run the following to patch OpenWrt and use this:
opkg update; opkg upgrade firewall4reboot
Reference: https://forum.openwrt.org/t/re-22-03-translate-extra-raw-firewall-rules/140…
--
73,
-LynwoodKB3VWG--
#########################!/bin/sh# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /tmp || exit 1
###########################
rm /tmp/ipip_filter.txt echo 169.228.34.84 >> /tmp/ipip_filter.txt
grep addprivate /var/lib/ampr-ripd/encap.txt | sed -e 's/.*encap //' | sort -u |
while read ipdo echo $ip >> /tmp/ipip_filter.txtdone
fw4 reload-sets
exit 0
######################3
-------- Original message --------From: lleachii(a)aol.com Date: 10/4/22 19:15 (GMT-05:00)
To: AMPRNet Working Group <44net(a)mailman.ampr.org> Subject: Re: [44net] Re: [FYI]
OpenWrt Nodes - 22.03.0 with dynamic firewall
Old comments removed:
#!/bin/sh# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /var/lib/ampr-ripd || exit 1
nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter { 169.228.34.84 }
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ipdo
nft add element inet fw4 ipipfilter { $ip }done
25 Oct
25 Oct
11:33 p.m.
New subject: [FYI] OpenWrt Nodes - 22.03.0 with dynamic firewall
All,
Those running the update and new script should edit their firewall setting to the
following:
config ipset option name 'ipipfilter' option match
'src_net' list entry '169.228.34.84' option loadfile
'/tmp/ipip_filter.txt' # <--- ADD
- KB3VWG
On Tuesday, October 25, 2022 at 06:23:32 PM EDT, lleachii--- via 44net
<44net(a)mailman.ampr.org> wrote:
All,
This is the updated dynamic firewall script for OpenWrt 22.03 >= 22.03. This script
will not reload firewall counters upon processing new endpoints into the set.
Please be advised - a firewall bug on the release version will not recognize empty or
missing files - and hence keeps this from working without an upgrade of the firewall. The
script posted in the original email (attached below), contains the script that will work
without the patch.
You may run the following to patch OpenWrt and use this:
opkg update; opkg upgrade firewall4reboot
Reference: https://forum.openwrt.org/t/re-22-03-translate-extra-raw-firewall-rules/140…
--
73,
-LynwoodKB3VWG--
#########################!/bin/sh# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /tmp || exit 1
###########################
rm /tmp/ipip_filter.txt echo 169.228.34.84 >> /tmp/ipip_filter.txt
grep addprivate /var/lib/ampr-ripd/encap.txt | sed -e 's/.*encap //' | sort -u |
while read ipdo echo $ip >> /tmp/ipip_filter.txtdone
fw4 reload-sets
exit 0
######################
-------- Original message --------From: lleachii(a)aol.com Date: 10/4/22 19:15 (GMT-05:00)
To: AMPRNet Working Group <44net(a)mailman.ampr.org> Subject: Re: [44net] Re: [FYI]
OpenWrt Nodes - 22.03.0 with dynamic firewall
Old comments removed:
#!/bin/sh# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
cd /var/lib/ampr-ripd || exit 1
nft flush set inet fw4 ipipfilter
nft add element inet fw4 ipipfilter { 169.228.34.84 }
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u | while read ipdo
nft add element inet fw4 ipipfilter { $ip }done
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
559
days inactive
559
days old
1 comments
1 participants
participants (1)
-
lleachii@aol.com