fixing lots of problems with getting link local address after reboot

2025-05-24 22:32:58 +03:00 · 2019-05-14 18:26:09 +03:00
parent b0f0cd1c75
commit 38d5b639de
23 changed files with 114 additions and 24 deletions
--- a/init.d/openwrt/firewall.zapret.nfqws_ipset
+++ b/init.d/openwrt/firewall.zapret.nfqws_ipset
@@ -3,4 +3,5 @@ IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_nfqws
--- a/init.d/openwrt/firewall.zapret.nfqws_ipset6
+++ b/init.d/openwrt/firewall.zapret.nfqws_ipset6
@@ -3,4 +3,5 @@ IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret6 dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_nfqws6
--- a/init.d/openwrt/firewall.zapret.nfqws_ipset_https
+++ b/init.d/openwrt/firewall.zapret.nfqws_ipset_https
@@ -3,4 +3,5 @@ IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_nfqws
--- a/init.d/openwrt/firewall.zapret.nfqws_ipset_https6
+++ b/init.d/openwrt/firewall.zapret.nfqws_ipset_https6
@@ -3,4 +3,5 @@ IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret6 dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_nfqws6
--- a/init.d/openwrt/firewall.zapret.tpws_ipset
+++ b/init.d/openwrt/firewall.zapret.tpws_ipset
@@ -2,4 +2,5 @@ IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_tpws
--- a/init.d/openwrt/firewall.zapret.tpws_ipset6
+++ b/init.d/openwrt/firewall.zapret.tpws_ipset6
@@ -2,4 +2,5 @@ IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret6 dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_tpws6
--- a/init.d/openwrt/firewall.zapret.tpws_ipset_https
+++ b/init.d/openwrt/firewall.zapret.tpws_ipset_https
@@ -3,4 +3,5 @@ IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_tpws_https
--- a/init.d/openwrt/firewall.zapret.tpws_ipset_https6
+++ b/init.d/openwrt/firewall.zapret.tpws_ipset_https6
@@ -3,4 +3,5 @@ IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret6 dst"

 . /opt/zapret/init.d/openwrt/functions

+create_ipset no-update
 fw_tpws_https6
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@@ -5,6 +5,12 @@ TPPORT_HTTP=1188
 TPPORT_HTTPS=1189
 TPWS_USER=daemon

+# max wait time for the link local ipv6 on the LAN interface
+LINKLOCAL_WAIT_SEC=5
+
+[ -n "$ZAPRET_BASE" ] || ZAPRET_BASE=/opt/zapret
+IPSET_CR=$ZAPRET_BASE/ipset/create_ipset.sh
+
 exists()
 {
 which $1 >/dev/null 2>/dev/null
@@ -71,16 +77,32 @@ dnat6_target()
 {
 # get target ip address for DNAT. prefer link locals
 # tpws should be as inaccessible from outside as possible
+ # link local address can appear not immediately after ifup
 [ -n "$DNAT6_TARGET" ] || {
+    # no reason to query if its down
+    network_is_up lan || return
+
    local DEVICE
    network_get_device DEVICE lan
-    DNAT6_TARGET=$(get_ipv6_linklocal $DEVICE)
-    [ -z "$DNAT6_TARGET" ] && DNAT6_TARGET=$(get_ipv6_global $DEVICE)
+
+    local ct=0
+    while 
+      DNAT6_TARGET=$(get_ipv6_linklocal $DEVICE)
+      [ -n "$DNAT6_TARGET" ] && break
+      [ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break
+      echo waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
+      ct=$(($ct+1))
+      sleep 1
+    do :; done
+
+    [ -z "$DNAT6_TARGET" ] && {
+    	echo no link local. getting global
+    	DNAT6_TARGET=$(get_ipv6_global $DEVICE)
+    }
 }
 }


-
 fw_nfqws()
 {
 local DEVICE wan_iface
@@ -150,3 +172,11 @@ fw_tpws_https6()
 {
 __fw_tpws6 1
 }
+
+
+
+create_ipset()
+{
+	echo "Creating ipset"
+	"$IPSET_CR" $1
+}
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@@ -1,8 +1,8 @@
 #!/bin/sh /etc/rc.common

 USE_PROCD=1
-# start betfore firewall - we need ipset populated
-START=18
+# after network
+START=21

 . /lib/functions/network.sh

@@ -13,7 +13,6 @@ ZAPRET_BASE=/opt/zapret
 # !!!!! in openwrt firewall rules are configured separately

 PIDDIR=/var/run
-IPSET_CR=$ZAPRET_BASE/ipset/create_ipset.sh

 QNUM=200
 NFQWS=$ZAPRET_BASE/nfq/nfqws
@@ -27,7 +26,8 @@ TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt.gz
 [ -f "$TPWS_HOSTLIST" ] || TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts-user.txt
 TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
 TPWS_OPT_BASE6="--user=$TPWS_USER --bind-addr=::1"
-TPWS_OPT_BASE6_PRE="--user=$TPWS_USER --bind-linklocal=prefer"
+# first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
+TPWS_OPT_BASE6_PRE="--user=$TPWS_USER --bind-linklocal=prefer --bind-wait-ifup=30 --bind-wait-ip=30 --bind-wait-ip-linklocal=3"
 TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP"
 TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS"

@@ -46,12 +46,6 @@ run_daemon()
 	procd_close_instance
 }

-create_ipset()
-{
-	echo "Creating ipset"
-	$IPSET_CR
-}
-
 run_tpws()
 {
 	[ "$DISABLE_IPV4" != "1" ] && run_daemon $1 $TPWS "$TPWS_OPT_BASE $2"
@@ -77,16 +71,13 @@ start_service() {
 			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
 			;;
 	    tpws_ipset|tpws_all)
-			create_ipset
 			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 			;;
 	    tpws_ipset_https|tpws_all_https)
-			create_ipset
 			run_tpws 1 "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 			run_tpws 2 "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 			;;
 	    nfqws_ipset|nfqws_ipset_https)
-			create_ipset
 			run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 			;;
 	    nfqws_all|nfqws_all_https)