'config route' extension for more compact notation

Philip Prindeville philipp_subx at redfish-solutions.com
Tue May 25 14:31:09 PDT 2021


Hi,

I'm thinking about something like (taken from my home router):

config route
        option target '103.136.220.0/22'
        option interface 'wan'
        option type 'blackhole'

config route
        option target '103.123.116.0/22'
        option interface 'wan'
        option type 'blackhole'

config route
        option target '130.44.212.0/22'
        option interface 'wan'
        option type 'blackhole'

etc.  Kudos to you if you spotted these as being ByteDance TikTok servers in China which US subscribers aren't supposed to have their traffic sent to, but (surprise!!!) it still is anyway.

A nicer (more compact) notation might be:

config route
        list target '103.123.116.0/22'
        list target '103.136.220.0/22'
        list target '130.44.212.0/22'
        option interface 'wan'
        option type 'blackhole'

So, how about a change to config/route where, if it doesn't find 'option target', then it searches for 'list target' instead, and populates an ipset instead, using that for the match criteria?

We could probably do something similar for config/rule in the firewall, for the src_ip, src_port, dst_ip, dst_port, etc. using 'list' instead of 'option', and ipsets to compactly match multiple addresses, ports, etc.

But then, firewall would depend on ipset functionality being baked in.  On x86_64, this isn't big:

-rw-r--r--   1 philipp  philipp       823 May 10 22:15 bin/targets/x86/64/packages/kmod-ipt-ipset_5.4.110-1_x86_64.ipk
-rw-r--r--   1 philipp  philipp      2036 Mar 19 16:57 bin/packages/x86_64/base/ipset_7.6-1_x86_64.ipk

What do you all think?

-Philip
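
The expansion the proposal implies, as an added example that is not part of the original message and not OpenWrt code: it rewrites a compact 'list target' stanza into the one-target-per-stanza form shown at the top of the post, validating each prefix on the way. The function names are hypothetical, the sample input is constructed from the post's own stanza, and the parser assumes only simple config/option/list lines like those above.

```python
import ipaddress
import shlex

# Constructed sample in the compact notation proposed in the post.
COMPACT = """
config route
        list target '103.123.116.0/22'
        list target '103.136.220.0/22'
        list target '130.44.212.0/22'
        option interface 'wan'
        option type 'blackhole'
"""

def parse_sections(text):
    """Parse UCI-style text into a list of (type, options, lists) tuples."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append((words[1], {}, {}))
        elif words[0] in ("option", "list") and len(words) == 3 and sections:
            _, options, lists = sections[-1]
            if words[0] == "option":
                options[words[1]] = words[2]
            else:
                lists.setdefault(words[1], []).append(words[2])
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def expand_routes(text):
    """Return classic one-target-per-stanza text for every 'config route'."""
    out = []
    for stype, options, lists in parse_sections(text):
        if stype != "route":
            continue
        # 'option target' wins if present, as in the proposal; else use the list.
        targets = [options["target"]] if "target" in options else lists.get("target", [])
        # strict=True rejects prefixes with host bits set; dict.fromkeys drops duplicates.
        nets = dict.fromkeys(ipaddress.ip_network(t, strict=True) for t in targets)
        for net in nets:
            lines = ["config route", f"\toption target '{net}'"]
            lines += [f"\toption {k} '{v}'" for k, v in options.items() if k != "target"]
            out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"

if __name__ == "__main__":
    print(expand_routes(COMPACT), end="")
```

A mistyped prefix such as '10.0.0.1/8' raises ValueError instead of producing a stanza, so a typo in the block list is caught before it reaches the routing table.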



