Comments (6)
Overlap of 192.168.1.0/24 between two rules:
config policy
option name 'hulu.com'
option src_addr '192.168.1.0/24'
option dest_addr 'hulu.com'
option interface 'wan'
config policy
option name 'ticketmaster.com'
option src_addr '192.168.1.0/24'
option dest_addr 'ticketmaster.com'
option interface 'wan'
I can't reproduce, I've added those two policies to my test OpenWrt config and pbr started just fine in the nft_file mode.
from source.openwrt.melmac.net.
Hmmm ... that's odd. I might have misunderstood when I received the error. What about with this?
config policy
option name 'lan-to-wan'
option src_addr '192.168.101.0/23'
option dest_addr 'hulu.com'
option interface 'wan'
config policy
option name 'lan-guest-to-wan'
option src_addr '192.168.101.0/23 192.168.102.0/23'
option dest_addr 'espn.api.edge.bamgrid.com d2f2ekwwtg17a.cloudfront.net'
option interface 'wan'
config policy
option name 'to-vpn'
option dest_addr 'espn.com'
option interface 'vpn' # or any VPN interface
Yeah, that fails. I don't understand why nft sees a collision there. But if you split the middle policy into two, this works:
config policy
option name 'lan-guest-to-wan'
option src_addr '192.168.100.0/23'
option dest_addr 'espn.api.edge.bamgrid.com d2f2ekwwtg17a.cloudfront.net'
option interface 'wan'
config policy
option name 'lan-guest-to-wan2'
option src_addr '192.168.102.0/23'
option dest_addr 'espn.api.edge.bamgrid.com d2f2ekwwtg17a.cloudfront.net'
option interface 'wan'
I can see several options here:
- Do the requisite set manipulation in pbr to accommodate the use case (my favorite, since it preserves the ergonomics of the documented parameters);
- Detect the failure mode in pbr, intercept it, and notify the user how to correct it (possibly with a reference to updated docs providing a more thorough explanation);
- Enumerate known failure modes with nft in the docs, and when any nft failure occurs, detect it and direct the user there to diagnose on their own (not nearly as ergonomic as either of the above, but probably less time to implement);
- Only update the docs (my least favorite, since it requires the user to map the cryptic error to the appropriate place in the docs, and doesn't work well for people like me, who've experienced a degradation post upgrade); or
- Fix the problem in nft (probably not viable; that workflow looks awful to me; even submitting/searching for a bug looks unnecessarily cumbersome given that it's 2024).
By "set manipulation", I mean that pbr could read the example from my #194 (comment) and (de?)normalize it to entries without any overlap, like that in your #194 (comment).
You're welcome to contribute any improvement to both pbr and pbr docs on the matter.
Additionally, it may be helpful to post the example of the nft IP collision on the OpenWrt forum, and if the nft gurus can suggest an easy way to create the nft file from this policy which would not be rejected by nft, I'm game to implement it.
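The "set manipulation" pre-check proposed in the options list above, and the maintainer's question of how to get from these policies to a set nft will accept, as an added example that is not pbr's own code: Python's ipaddress module normalizes each src_addr entry (so 192.168.101.0/23, which has host bits set, shows up as the 192.168.100.0/23 the working version used), reports entries that overlap across policies, and collapses each policy's list into non-overlapping prefixes. The POLICIES dict is constructed from the values quoted in the failing example; how pbr actually emits its nft sets is not shown on this page, so only the check and the normalization are demonstrated.

```python
import ipaddress
from itertools import combinations

# Constructed from the src_addr values quoted in the failing example above.
POLICIES = {
    "lan-to-wan": "192.168.101.0/23",
    "lan-guest-to-wan": "192.168.101.0/23 192.168.102.0/23",
}


def parse_src_addr(value):
    """Split one src_addr option into network objects. strict=False accepts an
    entry with host bits set (192.168.101.0/23) and yields the network it
    actually denotes (192.168.100.0/23), which is the range an interval set sees."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def normalized_entries(value):
    """The same src_addr value rewritten with host bits cleared."""
    return [str(net) for net in parse_src_addr(value)]


def find_overlaps(policies):
    """Every pair of entries whose ranges intersect, within or across policies,
    as (policy_a, net_a, policy_b, net_b) tuples of strings."""
    entries = [(name, net) for name, val in policies.items()
               for net in parse_src_addr(val)]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(entries, 2)
            if na.version == nb.version and na.overlaps(nb)]


def collapse_per_policy(policies):
    """Each policy's src_addr list merged into the fewest non-overlapping,
    non-adjacent prefixes; collapse_addresses takes one address family at a time."""
    out = {}
    for name, val in policies.items():
        nets = parse_src_addr(val)
        merged = []
        for version in (4, 6):
            same = [n for n in nets if n.version == version]
            merged += [str(n) for n in ipaddress.collapse_addresses(same)]
        out[name] = merged
    return out


if __name__ == "__main__":
    collapsed = collapse_per_policy(POLICIES)
    for name, val in POLICIES.items():
        print(name, normalized_entries(val), "->", collapsed[name])
    for a, na, b, nb in find_overlaps(POLICIES):
        print(f"overlap: {a} {na} intersects {b} {nb}")
```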