'config route' extension for more compact notation

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Jun 1 11:04:19 PDT 2021


Replies...


> On May 26, 2021, at 12:12 AM, Vincent Wiemann <vincent.wiemann at ironai.com> wrote:
> 
> On 5/25/21 11:31 PM, Philip Prindeville wrote:
>> Hi,
>> I'm thinking about something like (taken from my home router):
>> config route
>>         option target '103.136.220.0/22'
>>         option interface 'wan'
>>         option type 'blackhole'
>> config route
>>         option target '103.123.116.0/22'
>>         option interface 'wan'
>>         option type 'blackhole'
>> config route
>>         option target '130.44.212.0/22'
>>         option interface 'wan'
>>         option type 'blackhole'
>> etc.  Kudos to you if you spotted these as being ByteDance TikTok servers in China which US subscribers aren't supposed to have their traffic sent to, but (surprise!!!) it still is anyway.
>> A nicer (more compact) notation might be:
>> config route
>>         list target '103.123.116.0/22'
>>         list target '103.136.220.0/22'
>>         list target '130.44.212.0/22'
>>         option interface 'wan'
>>         option type 'blackhole'
>> So, how about a change to config/route where, if it doesn't find 'option target', then it searches for 'list target' instead, and populates an ipset instead, using that for the match criteria?
>> We could probably do something similar for config/rule in the firewall, for the src_ip, src_port, dst_ip, dst_port, etc. using 'list' instead of 'option', and ipsets to compactly match multiple addresses, ports, etc.
>> But then, firewall would depend on ipset functionality being baked in.  On x86_64, this isn't big:
>> -rw-r--r--   1 philipp  philipp       823 May 10 22:15 bin/targets/x86/64/packages/kmod-ipt-ipset_5.4.110-1_x86_64.ipk
>> -rw-r--r--   1 philipp  philipp      2036 Mar 19 16:57 bin/packages/x86_64/base/ipset_7.6-1_x86_64.ipk
>> What do you all think?
>> -Philip
> 
> I like the idea of baking in ipset, but it would be very strange to have
> a blackhole route which creates an ipset filter.
> 
> It would avoid user confusion if we stick to the approach here:
> https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset
> 
> Best,
> 
> Vincent


Point taken.  Okay, what about adding ipset support to routes then?

-Philip
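
Added example, not part of the original message or of OpenWrt's code: a Python script that reads the compact `list target` notation proposed in the thread and expands it into the equivalent per-prefix `config route` sections. The fallback rule (use `option target` if present, otherwise `list target`) follows the proposal; the function names, the duplicate handling and the strict prefix validation are assumptions of this example, and it does not create an ipset.

```python
import ipaddress
import shlex

# Constructed sample: the compact section proposed in the thread.
COMPACT = """\
config route
        list target '103.123.116.0/22'
        list target '103.136.220.0/22'
        list target '130.44.212.0/22'
        option interface 'wan'
        option type 'blackhole'
"""

def parse_sections(text):
    """Parse UCI text into dicts holding each section's options and lists."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append({"type": tok[1], "option": {}, "list": {}})
        elif tok[0] == "option" and len(tok) == 3 and sections:
            sections[-1]["option"][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) == 3 and sections:
            sections[-1]["list"].setdefault(tok[1], []).append(tok[2])
        else:
            raise ValueError(f"unparsable UCI line: {raw!r}")
    return sections

def expand_routes(text):
    """Return one route dict per target; 'option target' wins over 'list target'."""
    routes = []
    for sec in (s for s in parse_sections(text) if s["type"] == "route"):
        opts = dict(sec["option"])
        single = opts.pop("target", None)
        targets = [single] if single is not None else sec["list"].get("target", [])
        for target in dict.fromkeys(targets):  # drop duplicates, keep order
            # Assumption: reject prefixes with host bits set (raises ValueError).
            ipaddress.ip_network(target, strict=True)
            routes.append({"target": target, **opts})
    return routes

def render(routes):
    """Emit the expanded routes in the long form a current 'config route' uses."""
    out = []
    for route in routes:
        out.append("config route")
        out.extend(f"        option {key} '{val}'" for key, val in route.items())
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render(expand_routes(COMPACT)), end="")
```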



