As of today there is still no `post-up`/`pre-down` action implemented?
I could not find a better source, sorry about that, but there was a patch from 2020, which never got upstream: https://patchwork.ozlabs.org/project/openwrt/patch/20200319120320.28651-1-fe@dev.tdt.de/#2390966
I changed this patch slightly to
```sh
if_call() {
    local interface="$1"
    for mode in $modes; do
        # Fire a pre-<mode> hook before netifd acts, and a post-<mode> hook after it
        env -i ACTION="pre-${mode}" INTERFACE="$interface" /sbin/hotplug-call iface
        ubus call network.interface $mode "{ \"interface\" : \"$interface\" }"
        env -i ACTION="post-${mode}" INTERFACE="$interface" /sbin/hotplug-call iface
    done
}
```
To make the following possible:
root@cpe:~# cat /etc/hotplug.d/iface/10-wg
```sh
#!/bin/sh
# Called by netifd for every interface event; only act on wireguard interfaces
test "${ACTION}" = "ifup" && {
    case "${INTERFACE}" in
        wg*)
            sh /root/add-npt.sh "${INTERFACE}"
            ;;
    esac
}
# "pre-down" only exists with the if_call() change above
test "${ACTION}" = "pre-down" && {
    case "${INTERFACE}" in
        wg*)
            sh /root/del-npt.sh "${INTERFACE}"
            ;;
    esac
}
```
For completeness, both scripts:
root@cpe:~# cat ./add-npt.sh
```sh
#!/bin/sh
test -n "${1}" && iface="${1}" || exit 1
. /lib/functions/network.sh
network_get_subnets6 subnets6 "${iface}"
gua=
ula=
for _s in ${subnets6}
do
    # Find the GUA and ULA prefix. Only the "::1" address carries the prefix
    # we want, so strip that host part to form a proper prefix. An eui64
    # address on the same interface does not match and is skipped, so a host
    # address can never be handed to NETMAP as the target.
    __t="$( echo "${_s}" | grep -Ee '^(2|3).*::1/' | sed -e 's#::1/#::/#' )"
    test -n "${__t}" && gua="${__t}"
    unset __t
    __t="$( echo "${_s}" | grep -Ee '^(fc|fd).*::1/' | sed -e 's#::1/#::/#' )"
    test -n "${__t}" && ula="${__t}"
    unset __t
done
# Never install a route or NETMAP rule with an empty prefix
test -n "${gua}" && test -n "${ula}" || exit 1
# Add a default route for hosts on the ULA subnet
ip -6 route add default from "${ula}" dev pppoe-wan
# Add NPT rule, unless an identical one is already present (-C), so that
# repeated ifup events do not stack duplicate rules
ip6tables -t nat -C POSTROUTING -s "${ula}" -o pppoe-wan -j NETMAP --to "${gua}" 2>/dev/null || \
ip6tables \
    -t nat \
    -A POSTROUTING \
    -s "${ula}" \
    -o pppoe-wan \
    -j NETMAP \
    --to "${gua}"
```
root@cpe:~# cat ./del-npt.sh
```sh
#!/bin/sh
test -n "${1}" && iface="${1}" || exit 1
# Nothing to look up if the interface is already gone
ip link show dev "${iface}" >/dev/null 2>&1 || exit 1
. /lib/functions/network.sh
network_get_subnets6 subnets6 "${iface}"
gua=
ula=
for _s in ${subnets6}
do
    # Find the GUA and ULA prefix; same selection as in add-npt.sh, so the
    # rule deleted here is exactly the one that was added
    __t="$( echo "${_s}" | grep -Ee '^(2|3).*::1/' | sed -e 's#::1/#::/#' )"
    test -n "${__t}" && gua="${__t}"
    unset __t
    __t="$( echo "${_s}" | grep -Ee '^(fc|fd).*::1/' | sed -e 's#::1/#::/#' )"
    test -n "${__t}" && ula="${__t}"
    unset __t
done
# Without both prefixes there is nothing we could have added
test -n "${gua}" && test -n "${ula}" || exit 1
# Delete the default route for hosts on the ULA subnet
ip -6 route del default from "${ula}" dev pppoe-wan
# Delete NPT rule
ip6tables \
    -t nat \
    -D POSTROUTING \
    -s "${ula}" \
    -o pppoe-wan \
    -j NETMAP \
    --to "${gua}"
```
I "need" this for lack of other options; if someone has a better idea, feel free to share it.
So my use case is:
- having a ULA prefix on a wireguard interface,
- setting a default route like `ip route add default from <ula> dev <wanif>`, and
- setting an NPT/NAT66 rule with `ip6tables -A POSTROUTING -s <ula> -o pppoe-wan -j NETMAP --to <gua>`.
With the current behaviour of hotplug, the `ifdown` event is too late to get the prefix/subnet information from an interface. By the time `ifdown` is triggered, the interface is gone, and I have no way to get `subnet6`. Therefore I cannot find my default route and firewall rule, and cannot clean up.
Either someone has a slightly better idea how I could implement my use case, OR I would like to get some hints / guidance on how to extend `if_call()` from `./package/network/config/netifd/files/sbin/ifup` in a proper manner to make `post-up` and `pre-down` possible, before I start creating a pull request.
PS: My current implementation still has a major downside, and I'd be happy to get hints on how to resolve that too:
On e.g. a reboot or a full `/etc/init.d/network restart`, the wireguard interface is already up way before the wan and wan6 interfaces have gotten a (dhcp/dhcp6) lease. I'm still looking for a hotplug option to call a script after `wan6` has gotten a lease OR after the wireguard interface has gotten a GUA prefix.
I assign a static IPv4 and a (random) static LL IPv6, and use `ip6assign` together with `ip6hint` to get a prefix from `ula_prefix` and the `wan6` lease.
```
config device
    option name 'wg15'
    option multicast '1'

config interface 'wg15'
    option proto 'wireguard'
    option listen_port '16399'
    option private_key
    list addresses '192.168.255.1/24'
    list addresses 'fe80::30f7:3dff:fe9c:26d9/64'
    option mtu '1280'
    option ip6assign '64'
    option ip6hint 'ff'
    list ip6ifaceid 'eui64'
    list ip6ifaceid '::1'
```
(Even though the wireguard peers use only statically configured addresses out of that ULA prefix.)
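One way to get the cleanup done with the stock `ifup`/`ifdown` events and no `pre-down` at all, added here as an example and not part of the original post or of netifd: the `ifup` handler records exactly which route and NETMAP rule it installed in a state file, so the `ifdown` handler can undo them without asking the (already gone) interface for its prefixes. The add step is idempotent (it removes its previous instance first), so it can also be re-run when the wg interface later receives its GUA prefix from the `wan6` lease, which addresses the PS. The state directory `/var/run/npt`, the `NPT_*` variables and the helper names are assumptions of this example; `pppoe-wan`, `wg*`, `ACTION`/`INTERFACE` and `network_get_subnets6` are those used in the post, and the `ifupdate` hotplug action is assumed to be emitted by netifd when an interface's addresses change.

```sh
#!/bin/sh
# Example replacement for /etc/hotplug.d/iface/10-wg (not the poster's script):
# remembers what it installed so ifdown can clean up even though the interface
# and its prefixes are already gone by then.
# Assumptions: state dir /var/run/npt (hypothetical), WAN device pppoe-wan.

STATE_DIR="${NPT_STATE_DIR:-/var/run/npt}"   # hypothetical location
WAN="${NPT_WAN:-pppoe-wan}"
NPT_DRY_RUN="${NPT_DRY_RUN:-0}"              # 1: print commands instead of running them

# Execute a command, or echo it when dry-running (also what the test checks).
run() {
    if [ "$NPT_DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# pick_prefix <gua|ula> <addr/len>...: select the GUA (2000::/3) or ULA
# (fc00::/7) entry whose host part is ::1 and print it as a bare prefix.
# Entries with another host part (e.g. the eui64 address) are ignored, so a
# host address can never become the NETMAP target.
pick_prefix() {
    kind="$1"; shift
    for s in "$@"; do
        case "$kind" in
            gua) case "$s" in [23]*::1/*) ;; *) continue ;; esac ;;
            ula) case "$s" in f[cd]*::1/*) ;; *) continue ;; esac ;;
            *) return 2 ;;
        esac
        echo "${s%::1/*}::/${s##*/}"
        return 0
    done
    return 1
}

# npt_up <iface> <addr/len>...: install the source route and the NETMAP rule
# and record exactly what was installed. Safe to call repeatedly.
npt_up() {
    iface="$1"; shift
    gua="$(pick_prefix gua "$@")" || { echo "$iface: no GUA ::1 prefix yet" >&2; return 1; }
    ula="$(pick_prefix ula "$@")" || { echo "$iface: no ULA ::1 prefix" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    # Remove the previous instance first (no-op if none), so repeated ifup or
    # ifupdate events replace the rule instead of stacking duplicates.
    npt_down "$iface"
    run ip -6 route add default from "$ula" dev "$WAN"
    run ip6tables -t nat -A POSTROUTING -s "$ula" -o "$WAN" -j NETMAP --to "$gua"
    printf '%s %s\n' "$ula" "$gua" > "$STATE_DIR/$iface"
}

# npt_down <iface>: undo what npt_up recorded. Needs nothing from the
# interface itself, which may no longer exist.
npt_down() {
    iface="$1"
    [ -r "$STATE_DIR/$iface" ] || return 0
    read -r ula gua < "$STATE_DIR/$iface"
    run ip -6 route del default from "$ula" dev "$WAN"
    run ip6tables -t nat -D POSTROUTING -s "$ula" -o "$WAN" -j NETMAP --to "$gua"
    rm -f "$STATE_DIR/$iface"
}

# Hotplug dispatch: only does something when netifd set ACTION. ifupdate
# (assumed to be emitted when the interface's addresses change) retries
# npt_up once the GUA prefix from the wan6 lease has reached the wg interface.
case "${ACTION:-}:${INTERFACE:-}" in
    ifup:wg*|ifupdate:wg*)
        . /lib/functions/network.sh
        network_get_subnets6 subnets6 "$INTERFACE"
        npt_up "$INTERFACE" $subnets6   # unquoted on purpose: one argument per subnet
        ;;
    ifdown:wg*)
        npt_down "$INTERFACE"
        ;;
esac
```

With this the `if_call()` change is no longer needed for the cleanup; the only thing `ifdown` has to know is the interface name, which netifd still provides at that point. Running the script with `NPT_DRY_RUN=1` prints the `ip`/`ip6tables` commands instead of executing them, which is handy for checking what a given set of subnets would produce.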