[Policy base routing] Custom User File Setup [Q]

I have Policy base routing working.

Now I thought of adding a Custom User File, but I get an error from the PBR program.

How is it supposed to work?
Do I need dnsmasq full package?

Use DNSMASQ nft sets Support

The pbr package can be configured to utilize dnsmasq's nft sets support,
which requires the dnsmasq-full package with nft sets support to be installed.

See attached pictures.


config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '15'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '1'
	option nft_set_auto_merge '1'
	option nft_set_counter '1'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'xxxxxn-ipv4/6'
	option src_addr '38:0B:40:2A:C2:6C'
	option dest_dns '213.80.98.2 2001:9b0::53:1'

config dns_policy
	option name 'xxxxn-laptop-ipv4/6'
	option src_addr '74:C6:3B:8C:C9:91'
	option dest_dns '213.80.98.2 2001:9b0::53:1'

config dns_policy
	option name 'dns-iplocation'
	option src_addr 'iplocation.com'
	option dest_dns '213.80.98.2 2001:9b0::53:1'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'wan-access'
	option dest_addr '192.168.1.1'
	option interface 'wan'
	option enabled '0'

config policy
	option name 'ipleak.net'
	option interface 'wan'
	option dest_addr 'ipleak.net'
	option enabled '0'

config policy
	option name 'iplocation'
	option dest_addr 'iplocation.com'
	option interface 'wan'

config policy
	option name 'xxxxxn'
	option src_addr '192.168.1.151'
	option interface 'wan'

config policy
	option name 'xxxxn-PC-lan'
	option src_addr '192.168.1.133'
	option interface 'OpenVPN'

config policy
	option name 'xxxxxs-S24'
	option src_addr '192.168.1.199'
	option interface 'OpenVPN2'

config include
	option enabled '0'
	option path '/usr/share/pbr/pbr_interface_4_dst_ip_user'


We do not know what is in the user file, but if it is related to domain names and uses nftset then yes, you need dnsmasq-full as stated in the readme.

I have a bunch of IP numbers that I want to bypass to the wan interface.

Can't I have both IP numbers and domain names? I tried with 9 IP numbers.

Or is it one or the other?
@egc

That works, at least for me. If you are using nftresolver for domain names you might run into DNS cache problems, so it does not seem to work at first.
To be sure, reboot the router and client.
Usually only doing this on the router will work:

service pbr stop && service dnsmasq stop && service dnsmasq start && service pbr start

nft list ruleset should show the result.

I've tried, but I'm not quite there yet.
It seems like nft won't start, so I get an error.
When I try with "nft list ruleset":


pbr 1.1.8-r4 (fw4 nft file mode) stopped [✓]
Running /usr/share/pbr/pbr_wan_4_dst_ip_user /etc/rc.common: /usr/share/pbr/pbr_wan_4_dst_ip_user: line 1: iplocation.com: not found
ERROR: Error running custom user file '/usr/share/pbr/pbr_wan_4_dst_ip_user'!

This is just to test.
Inside: pbr_wan_4_dst_ip_user

iplocation.com

or is it only working for:
pbr_interface_4_dst_ip_user: for destination/remote IPv4 addresses and IPv4 CIDR netblocks
@egc

Custom user files are just shell scripts; you have to take care of everything yourself.
In that directory there are some examples which can help you make the script you want.

I'm not sure what I need, any examples to start with?
Found this on: stangri GitHub.

I think I got it working, modified scripts from "user.netflix", but can't see the packet counter moving. I have probably missed something important.

table inet fw4 {
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment ""
                elements = { 23.88.65.58 counter packets 0 bytes 0, 35.71.185.87 counter packets 0 bytes 0,
                             52.223.48.227 counter packets 0 bytes 0, 79.136.2.55 counter packets 0 bytes 0,
                             185.84.52.117 counter packets 0 bytes 0, 194.132.118.112 counter packets 0 bytes 0,
                             212.116.79.247 counter packets 0 bytes 0, 213.80.100.184 counter packets 0 bytes 0,
                             213.136.33.1 counter packets 0 bytes 0, 213.136.63.73 counter packets 0 bytes 0 }
        }
add element inet fw4 pbr_wan_4_dst_ip_user { 23.88.65.58, 35.71.185.87, 52.223.48.227, 79.136.2.55, 185.84.52.117, 194.132.118.112, 212.116.79.247, 213.80.100.184, 213.136.33.1, 213.136.63.73 }

@egc

FFS, there are two sample scripts which come with every install of pbr and they are even defined (although disabled) in configs, so visible in both uci/config file and the WebUI. How much more visible do they have to be?

Sorry if you get offended.

I have seen them, but they don't fit my needs.
One gets all IP ranges of ASN2906 for Netflix to pass to wan.
The other gets the IPs of amazonaws.

  • /etc/pbr/pbr.user.aws: provided to pull the Continental US AWS IPv4 addresses into the WAN IPv4 sets that the service sets up.
  • /etc/pbr/pbr.user.netflix: provided to pull the Continental US Netflix IPv4 addresses into the WAN IPv4 sets that the service sets up.

I need my own IPs to pass to wan. Therefore I rewrote the Netflix script.
I want the IP numbers to pass to the wan, with the IP numbers stored in a file.
I have used Processing Custom User Files (nft mode).

Can you post an example of the file with addresses so that I can have a look?

This is what I have in the IP file; I have tested with both IP numbers and, as a test, a name such as ipleak.net.

pbr_wan_dst_ip.ipv4

23.88.65.58
35.71.185.87
52.223.48.227
79.136.2.55
185.84.52.117
194.132.118.112
212.116.79.247
213.80.100.184
213.136.33.1
213.136.63.73
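A custom user file that loads this kind of list into the pbr set, as an added example (not one of the pbr package's own sample scripts). It assumes the set and table names shown in the ruleset output above (inet fw4, pbr_wan_4_dst_ip_user), that pbr has already created the set, and a constructed default file path; hostnames such as iplocation.com are skipped rather than executed, which is what produced the "not found" error earlier.

```shell
#!/bin/sh
# Added example, not one of the pbr package's sample scripts: a custom user file
# that loads IPv4 addresses/CIDRs from a text file into the pbr WAN destination
# set. Assumes the set and table names shown in this thread (inet fw4,
# pbr_wan_4_dst_ip_user); the file path below is a constructed default.
IP_FILE="${IP_FILE:-/etc/pbr/pbr_wan_dst_ip.ipv4}"
NFT_TABLE="inet fw4"
NFT_SET="pbr_wan_4_dst_ip_user"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-/32 prefix.
# CIDR entries need the set to carry "flags interval" (nft_set_flags_interval '1').
is_ipv4_entry() {
	printf '%s\n' "$1" | grep -Eq \
	  '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# Print the valid entries of file $1, one per line. Comments and blank lines are
# dropped; names such as iplocation.com are reported and skipped, since a set of
# type ipv4_addr cannot hold them and a bare name in a user file runs as a command.
collect_ipv4() {
	while IFS= read -r line || [ -n "$line" ]; do
		line="${line%%#*}"
		line="$(printf '%s' "$line" | tr -d '[:space:]')"
		[ -n "$line" ] || continue
		if is_ipv4_entry "$line"; then
			printf '%s\n' "$line"
		else
			printf 'pbr user file: skipping non-IPv4 entry "%s"\n' "$line" >&2
		fi
	done < "$1"
}

# Print the single nft statement that adds every valid entry to the set.
# Returns 1 (and prints nothing) when the file yields no usable entry.
build_nft_cmd() {
	elems="$(collect_ipv4 "$1" | paste -sd, - | sed 's/,/, /g')"
	if [ -z "$elems" ]; then
		return 1
	fi
	printf 'add element %s %s { %s }\n' "$NFT_TABLE" "$NFT_SET" "$elems"
}

# When pbr runs this file, feed the statement to nft; the set itself is assumed
# to exist already, as in the ruleset output shown in this thread.
if [ -r "$IP_FILE" ]; then
	build_nft_cmd "$IP_FILE" | nft -f - || exit 1
fi
```

After pbr has run the file, the elements should appear under the set in "nft list ruleset", and their counters only move once a policy or chain actually matches against that set.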

If you have curl installed you do not need to use a script.

You can just use file:// see the PBR guide and also the discussion here: Policy-Based-Routing (pbr) package discussion - #1922 by egc

I have tried using file:// and it works if you have it at the top of Policies.
I can see in the counter that it has traffic.

chain pbr_prerouting { # handle 40
                ip daddr { 23.88.65.58, 35.71.185.87, 52.223.48.227, 79.136.2.55, 185.84.52.117, 194.132.118.112, 212.116.79.247, 213.80.100.184, 213.136.33.1, 213.136.63.73 } counter packets 46 bytes 4156 goto pbr_mark_0x010000 comment "From_file" # handle 1082
        }

My script works but you can't get it at the top of "chain pbr_prerouting" (Policies) and therefore it doesn't get activated.

Shouldn't "Custom user file includes" be in Policies so you can rearrange them as you like? I haven't found how to do it manually.
(Or can you write it in the Policies chain?)

It's your custom file, feel free to insert/rearrange nft policies however you like. :wink:

The current implementation of pbr doesn't support sorting policies and custom user files within the same big list. First the policies and DNS policies get processed, and then the custom user files. If you only have a handful of static addresses, though, it's better to create a policy listing them all or linking a local text file like @egc suggested.
