Understanding nftsets in pbr

I installed PBR, and it's working now. What I want to do is use custom user files. I use the /usr/share/pbr/pbr.user.netflix file as reference. I understand what it should do. I notice that I'm running in NFT mode (PBR).

Running (version: 1.1.1-7 using nft)

root@OpenWrt:~# cat /usr/share/pbr/pbr.user.netflix

TARGET_SET='pbr_wan_4_dst_ip_user'
TARGET_IPSET='pbr_wan_4_dst_net_user'
TARGET_TABLE='inet fw4'
TARGET_ASN='2906'
TARGET_DL_FILE="/var/pbr_tmp_AS${TARGET_ASN}"
TARGET_NFT_FILE="/var/pbr_tmp_AS${TARGET_ASN}.nft"

DB_SOURCE='api.bgpview.io'
[ -z "$nft" ] && nft="$(command -v nft)"
_ret=1

if [ ! -s "$TARGET_DL_FILE" ]; then
        if [ "$DB_SOURCE" = "ipinfo.io" ]; then
                TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
                uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_DL_FILE"
        fi
        if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
                TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
                uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_DL_FILE"
        fi
        if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
                TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
                uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_DL_FILE"
        fi
fi

if [ -s "$TARGET_DL_FILE" ]; then
        if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
                        if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
                                _ret=0
                        fi
        elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
                printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
                awk '{printf $1 ", "}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
                printf " } " >> "$TARGET_NFT_FILE"
                if "$nft" -f "$TARGET_NFT_FILE"; then
                        rm -f "$TARGET_NFT_FILE"
                        _ret=0
                fi
        fi
fi

return $_ret

I already know that this line if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; will always return false, so it will go to elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1;.

Now I don't understand what TARGET_SET: pbr_wan_4_dst_ip_user is. I read the documentation, but it seems I don't understand it. What I want is to point to an interface, such as wan2 or wan, because I looked on the internet and got this code from somewhere.

#!/bin/sh

TARGET_IPSET='your_wan_interface'
TARGET_FNAME="link_to_IP_list"

_ret=1

if [ -s "$TARGET_FNAME" ]; then
	awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
fi

return $_ret

So, I understand that the TARGET_IPSET can point to your WAN interface. However, I don't understand the Netflix code or what pbr_wan_4_dst_ip_user is. How can I create it to point to an interface?

I try to run in CLI and i get this error:

root@OpenWrt:~# nft list set "inet fw4" "pbr_wan_4_dst_ip_user" >/dev/null
Error: No such file or directory
list set inet fw4 pbr_wan_4_dst_ip_user
                  ^^^^^^^^^^^^^^^^^^^^^

So, in this code, it basically does nothing because it always returns false

root@OpenWrt:~# nft list set "inet fw4" "pbr_wan_4_dst_ip_user" >/dev/null 2>&1 && echo "true" || echo "false"
false

Any help would be greatly appreciated.

Do you have any custom user files enabled in pbr? If no user file is enabled, this set is not created.

Enable either netflix or amazon custom user file, restart pbr and check the output of service pbr status to see all nft sets created by pbr for all supported interfaces.

it create sets

pbr nft sets
        set pbr_wan2_4_dst_ip_cfg046ff5 { # handle 563
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Ip info"
        }
        set pbr_wan2_4_dst_ip_cfg056ff5 { # handle 565
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Ifconfig.me"
        }
        set pbr_wan2_4_dst_ip_cfg076ff5 { # handle 567
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Fast.com"
        }
        set pbr_wan_4_dst_ip_user { # handle 569
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
                elements = { 23.246.0.0/18, 37.77.184.0/21,
                             45.57.0.0/17, 64.120.128.0/17,
                             66.197.128.0/17, 69.53.224.0/19,
                             108.175.32.0/20, 185.2.220.0/22,
                             185.9.188.0/22, 192.173.64.0/18,
                             198.38.96.0/19, 198.45.48.0/20,
                             208.75.76.0/22 }
        }
        set pbr_wan_4_src_ip_user { # handle 571
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_mac_user { # handle 573
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan2_4_dst_ip_user { # handle 575
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan2_4_src_ip_user { # handle 577
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan2_4_src_mac_user { # handle 579
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
dnsmasq sets
nftset=/ipinfo.io/4#inet#fw4#pbr_wan2_4_dst_ip_cfg046ff5 # Ip info
nftset=/ifconfig.me/4#inet#fw4#pbr_wan2_4_dst_ip_cfg056ff5 # Ifconfig.me
nftset=/fast.com/4#inet#fw4#pbr_wan2_4_dst_ip_cfg076ff5 # Fast.com
nftset=/netflix.com/4#inet#fw4#pbr_wan2_4_dst_ip_cfg076ff5 # Fast.com
nftset=/nflxvideo.net/4#inet#fw4#pbr_wan2_4_dst_ip_cfg076ff5 # Fast.com
============================================================
IPv4 table 256 route: default via 192.168.254.254 dev eth0.2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 192.168.1.1 dev eth0.3
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wan2
root@OpenWrt:~#

i dont understand what interface is pointing

Now it seems working, pbr_<interface>_4_src_ip_user, since my interface name wan2 then replace the with pbr_wan2_4_src_ip_user

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.