Re: Lightweight policy-based routing

2020-12-06 Thread Baptiste Jonglez
On 04-12-20, Philip Prindeville wrote:
> But I’m trying:
> 
> config rule
>   option src '192.168.3.6'
>   option lookup 200
> 
> Per the cheatsheet and it’s resulting in:
> 
> root@OpenWrt2:~# ip rule ls
> 0:from all lookup local
> 1:from all lookup 200
> 32766:from all lookup main
> 32767:from all lookup default
> 
> i.e. the 'src' is being ignored.

Several years ago (probably with LEDE 17.01) I was using this
configuration and it worked:

config rule
option in 'lan'
option src '172.23.184.111/32'
option lookup '666'

Try with the /32.  If it still doesn't work, then it's a regression.

> Also trying:
> 
> config route
>   option target '151.101.0.0/16'
>   option interface 'xfrm0'
>   option gateway '192.168.1.252'
>   option table 200
>   option proto 'static'
> 
> But that works great.
> 
> 
> > On Dec 4, 2020, at 1:00 PM, Jo-Philipp Wich  wrote:
> > 
> > Hi Philip,
> > 
> > ip rules are possible in uci, but not sure if all the bits you require are
> > covered:
> > 
> > https://openwrt.org/docs/guide-user/network/ucicheatsheet#ip_rules_for_both_rule_and_rule6
> > 
> > `config route` sections allow specifying `option table` as well to stage the
> > routes in the non-main rttable.
> > 
> > Since the device options for uci rules and routes require logical networks and
> > not Linux network device names, you might need to declare a dummy interface
> > for xfrm0, like this:
> > 
> > config interface vpn
> >  option proto static
> >  option ifname xfrm0
> > 
> > It might be that netifd will clear out any IP addresses on the xfrm0
> > interface, so you would need to encode those in uci as well:
> > 
> > config interface vpn
> >  option proto static
> >  option ifname xfrm0
> >  option ipaddr 192.168.1.0/24
> >  # will instruct netifd to put any related routes into table 200
> >  option table 200
> > 
> > 
> > Netifd understands aliases set up in /etc/iproute2/rt_tables but there is no
> > uci way to declare new symbolic aliases. So either you need to manage that
> > file externally or you stick to numeric table IDs.
> > 
> > ~ Jo
> > 


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
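A check for the symptom reported above (the `src` selector being dropped so the rule ends up as `from all lookup 200`), added here as an example and not part of any message in this thread. It parses `ip rule ls` output and reports whether the table is reached only from the intended source; the sample text is constructed to mirror the thread, not captured from a router, and the `/32` handling follows Baptiste's suggestion.

```shell
#!/bin/sh
# Added example: verify that a policy rule selects only the intended source
# before handing traffic to a non-main table.

# Constructed sample of `ip rule ls` output, mirroring the thread (not captured
# from a real router): the src selector has been dropped.
SAMPLE_BAD='0:  from all lookup local
1:  from all lookup 200
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of what the intended rule should look like.
SAMPLE_GOOD='0:  from all lookup local
1:  from 192.168.3.6 lookup 200
32766:  from all lookup main
32767:  from all lookup default'

# rule_status RULES SRC TABLE
# Prints "ok" (exit 0) when a rule "from SRC lookup TABLE" exists,
# "from-all" (exit 1) when TABLE is reached by a rule with no source
# selector, and "missing" (exit 1) when no rule reaches TABLE at all.
rule_status() {
    rules=$1; src=${2%/32}; table=$3   # `ip rule` prints host selectors without /32
    printf '%s\n' "$rules" | awk -v src="$src" -v table="$table" '
        # fields: "<prio>:" "from" "<selector>" "lookup" "<table>"
        $2 == "from" && $4 == "lookup" && $5 == table {
            if ($3 == src) found = 1
            else if ($3 == "all") fromall = 1
        }
        END {
            if (found)   { print "ok";       exit 0 }
            if (fromall) { print "from-all"; exit 1 }
            print "missing"; exit 1
        }'
}

# live_rule_status SRC TABLE: the same check against the running kernel.
live_rule_status() {
    rule_status "$(ip rule ls 2>/dev/null)" "$1" "$2"
}
```

A `from all` rule at priority 1 sends every host's traffic for the prefixes in table 200 through the VPN, not just the STB's, which is why the check reports it separately from a missing rule.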


Re: Lightweight policy-based routing

2020-12-04 Thread Philip Prindeville
But I’m trying:

config rule
option src '192.168.3.6'
option lookup 200

Per the cheatsheet and it’s resulting in:

root@OpenWrt2:~# ip rule ls
0:  from all lookup local
1:  from all lookup 200
32766:  from all lookup main
32767:  from all lookup default

i.e. the 'src' is being ignored.  Also trying:

config route
option target '151.101.0.0/16'
option interface 'xfrm0'
option gateway '192.168.1.252'
option table 200
option proto 'static'

But that works great.


> On Dec 4, 2020, at 1:00 PM, Jo-Philipp Wich  wrote:
> 
> Hi Philip,
> 
> ip rules are possible in uci, but not sure if all the bits you require are
> covered:
> 
> https://openwrt.org/docs/guide-user/network/ucicheatsheet#ip_rules_for_both_rule_and_rule6
> 
> `config route` sections allow specifying `option table` as well to stage the
> routes in the non-main rttable.
> 
> Since the device options for uci rules and routes require logical networks and
> not Linux network device names, you might need to declare a dummy interface
> for xfrm0, like this:
> 
> config interface vpn
>  option proto static
>  option ifname xfrm0
> 
> It might be that netifd will clear out any IP addresses on the xfrm0
> interface, so you would need to encode those in uci as well:
> 
> config interface vpn
>  option proto static
>  option ifname xfrm0
>  option ipaddr 192.168.1.0/24
>  # will instruct netifd to put any related routes into table 200
>  option table 200
> 
> 
> Netifd understands aliases set up in /etc/iproute2/rt_tables but there is no
> uci way to declare new symbolic aliases. So either you need to manage that
> file externally or you stick to numeric table IDs.
> 
> ~ Jo
> 


Re: Lightweight policy-based routing

2020-12-04 Thread Jo-Philipp Wich
Hi Philip,

ip rules are possible in uci, but not sure if all the bits you require are
covered:

https://openwrt.org/docs/guide-user/network/ucicheatsheet#ip_rules_for_both_rule_and_rule6

`config route` sections allow specifying `option table` as well to stage the
routes in the non-main rttable.

Since the device options for uci rules and routes require logical networks and
not Linux network device names, you might need to declare a dummy interface
for xfrm0, like this:

config interface vpn
  option proto static
  option ifname xfrm0

It might be that netifd will clear out any IP addresses on the xfrm0
interface, so you would need to encode those in uci as well:

config interface vpn
  option proto static
  option ifname xfrm0
  option ipaddr 192.168.1.0/24
  # will instruct netifd to put any related routes into table 200
  option table 200


Netifd understands aliases set up in /etc/iproute2/rt_tables but there is no
uci way to declare new symbolic aliases. So either you need to manage that
file externally or you stick to numeric table IDs.

~ Jo





Lightweight policy-based routing

2020-12-04 Thread Philip Prindeville
Hi.

I’m currently manually doing the following in a script but was wondering if 
there was an easy way to do this in UCI, such as in /etc/config/network:

#!/bin/sh

INTF=xfrm0
STB=192.168.3.6/24      # STB address with its LAN prefix
TABLE=stb
GW2=192.168.1.252       # next hop reached through the VPN interface
NETS="151.101.0.0/16"

# ipcalc -n -p prints NETWORK=... and PREFIX=... for the STB subnet
eval `ipcalc -n -p $STB`

# register the symbolic table name once
if ! grep -q "^200 $TABLE" /etc/iproute2/rt_tables; then
    echo "200 $TABLE" >> /etc/iproute2/rt_tables
fi

# routes for the backhauled networks go into the dedicated table
for NET in $NETS; do
    ip route add $NET via $GW2 dev $INTF table $TABLE
done
# keep the local LAN reachable from within that table
ip route add $NETWORK/$PREFIX dev br-lan table $TABLE

ip route flush cache

# only traffic from the STB itself consults the table
ip rule add from ${STB%%/*} table $TABLE


Basically, I have an STB that I travel with that mostly works on the road, but 
one of the services is anchored to my home IP so I have to backhaul that with 
VPN to get it to work, and that service is hosted on fastly.

Is there any easy way to integrate this into my OpenWRT config?  (Yes, I also 
have a RPi4 that I use as a portable pocket firewall/hotspot…)

Thanks,

-Philip



