'config route' extension for more compact notation
Vincent Wiemann
vincent.wiemann at ironai.com
Tue May 25 23:12:11 PDT 2021
On 5/25/21 11:31 PM, Philip Prindeville wrote:
> Hi,
>
> I'm thinking about something like (taken from my home router):
>
> config route
> option target '103.136.220.0/22'
> option interface 'wan'
> option type 'blackhole'
>
> config route
> option target '103.123.116.0/22'
> option interface 'wan'
> option type 'blackhole'
>
> config route
> option target '130.44.212.0/22'
> option interface 'wan'
> option type 'blackhole'
>
> etc. Kudos to you if you spotted these as being ByteDance TikTok servers in China which US subscribers aren't supposed to have their traffic sent to, but (surprise!!!) it still is anyway.
>
> A nicer (more compact) notation might be:
>
> config route
> list target '103.123.116.0/22'
> list target '103.136.220.0/22'
> list target '130.44.212.0/22'
> option interface 'wan'
> option type 'blackhole'
>
> So, how about a change to config/route where, if it doesn't find 'option target', then it searches for 'list target' instead, and populates an ipset instead, using that for the match criteria?
>
> We could probably do something similar for config/rule in the firewall, for the src_ip, src_port, dst_ip, dst_port, etc. using 'list' instead of 'option', and ipsets to compactly match multiple addresses, ports, etc.
>
> But then, firewall would depend on ipset functionality being baked in. On x86_64, this isn't big:
>
> -rw-r--r-- 1 philipp philipp 823 May 10 22:15 bin/targets/x86/64/packages/kmod-ipt-ipset_5.4.110-1_x86_64.ipk
> -rw-r--r-- 1 philipp philipp 2036 Mar 19 16:57 bin/packages/x86_64/base/ipset_7.6-1_x86_64.ipk
>
> What do you all think?
>
> -Philip
>
I like the idea of baking in ipset, but it would be very strange to have
a blackhole route which creates an ipset filter.
It would avoid user confusion if we stick to the approach here:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset
Best,
Vincent
More information about the openwrt-devel
mailing list