Why is "Custom User File" PBR not working?

I have PBR working fine, two OpenVPN and one WireGuard.

I'm trying to find out why "Custom User File" is not working.
I can see my script populate all rules.
I only get it working with File (file://).
Must be something with /etc/init.d/pbr.

Not working:

add element inet fw4 pbr_wan_4_dst_ip_user { 23.88.65.58,79.136.2.55,185.84.52.117,194.132.118.112,212.116.79.247,213.80.100.184,213.136.33.1,213.136.63.73 }

pbr nft sets
        set pbr_wan_4_dst_ip_user { # handle 581
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment ""
                elements = { 23.88.65.58 counter packets 0 bytes 0, 79.136.2.55 counter packets 0 bytes 0,
                             185.84.52.117 counter packets 0 bytes 0, 194.132.118.112 counter packets 0 bytes 0,
                             212.116.79.247 counter packets 0 bytes 0, 213.80.100.184 counter packets 0 bytes 0,
                             213.136.33.1 counter packets 0 bytes 0, 213.136.63.73 counter packets 0 bytes 0 }

Working:

chain pbr_prerouting { # handle 40
        ip daddr { 23.88.65.58, 79.136.2.55, 185.84.52.117, 194.132.118.112, 212.116.79.247, 213.80.100.184, 213.136.33.1, 213.136.63.73 } counter packets 13 bytes 1661 goto pbr_mark_0x010000 comment "From_file" # handle 1368
add rule inet fw4 pbr_prerouting ip daddr { 23.88.65.58, 79.136.2.55, 185.84.52.117, 194.132.118.112, 212.116.79.247, 213.80.100.184, 213.136.33.1, 213.136.63.73 } counter goto pbr_mark_0x010000 comment "From_file"

@stangri

Anything above this will not work.
Only what is shown in the picture will work.


@stangri

What do you mean by this?

Sorry if I was a little unclear.
What I really mean is that the posting above does not work as it should.
What I have working is according to the picture.
It allocates all the rules that I can see as a beginner with OpenWrt.

If you want, I can test your list of domains if it is not too long; just post the list here.

Thank you

The above pic with Policies is working just fine.

I'm using this modified script for "Custom User File Includes".

#!/bin/sh
# DEBUG=; set -x # comment/uncomment to disable/enable debug mode

logger -t "pbr_wan_4_dst_ip_user" "STARTING Custom User File."

(
TARGET_INTERFACE='wan'
TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
TARGET_TABLE='inet fw4'

# Plain-text address lists, one address or prefix per line
TARGET_DL_FILE_4="/usr/share/pbr/pbr_${TARGET_INTERFACE}_dst_ip.ipv4"
TARGET_DL_FILE_6="/usr/share/pbr/pbr_${TARGET_INTERFACE}_dst_ip.ipv6"

_ret=0

if [ -s "$TARGET_DL_FILE_4" ]; then
    # Drop blank lines (they would produce ", ," and an nft syntax error),
    # then join the remaining lines into "a, b, c"
    params=$(sed '/^[[:space:]]*$/d' "$TARGET_DL_FILE_4" | tr '\n' ',' | sed 's/,/, /g; s/, $//')
    if [ -n "$params" ]; then
        # Record an nft failure instead of silently ignoring it
        nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
    else
        _ret=1
    fi
fi

if [ -s "$TARGET_DL_FILE_6" ]; then
    params=$(sed '/^[[:space:]]*$/d' "$TARGET_DL_FILE_6" | tr '\n' ',' | sed 's/,/, /g; s/, $//')
    if [ -n "$params" ]; then
        nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
    else
        _ret=1
    fi
fi

# This is a subshell, not a function, so end it with exit (return would be
# an error in a shell that is not sourcing this file)
exit "$_ret"

) 2>&1 | logger $([ ${DEBUG+x} ] && echo '-p user.debug') \
    -t "$(basename "$0" | grep -Eo '^.{0,23}')[$$]" &

cat /usr/share/pbr/pbr_wan_dst_ip.ipv4

23.88.65.58
79.136.2.55
185.84.52.117
194.132.118.112
212.116.79.247
213.80.100.184
213.136.33.1
213.136.63.73

You only add elements to pbr_wan_4_dst_ip_user; without further setup nothing is calling this set, so the necessary plumbing is lacking.


Okay,

I thought this added to "pbr_wan_4_dst_ip_user" with nft.
I rewrote the script from "/usr/share/pbr/pbr.user.netflix".

TARGET_TABLE='inet fw4'
TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }"
table inet fw4 {
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment ""
                elements = { 23.88.65.58 counter packets 0 bytes 0, 79.136.2.55 counter packets 0 bytes 0,
                             185.84.52.117 counter packets 0 bytes 0, 194.132.118.112 counter packets 0 bytes 0,
                             212.116.79.247 counter packets 0 bytes 0, 213.80.100.184 counter packets 0 bytes 0,
                             213.136.33.1 counter packets 0 bytes 0, 213.136.63.73 counter packets 0 bytes 0 }
        }

Yes, you made a set, but nothing is calling this set, so without that it does not work.

Then the script from "/usr/share/pbr/pbr.user.netflix" is not working either.
Is there any "working" script I can look at?

I do not know and have no time to look at it at the moment; I will put it on my list, but it has no high priority.

Scripts are as-is.
For a good working script, it needs to source the pbr script to query for the necessary parameters.
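As an added example (not code from this thread or from the pbr package), a small POSIX shell check for the condition described in the two replies above: a named set that is populated but that no rule refers to. The ruleset text is constructed to mirror the thread's output; the set name pbr_wan_4_dst_ip_cfgexample and the "policy" rule are placeholders.

```shell
#!/bin/sh
# Constructed nft ruleset excerpt (not captured from a real router): the user
# set is populated but unreferenced, the placeholder "cfgexample" set is used
# by a rule via @name, and the "From_file" policy is an anonymous set.
SAMPLE_RULESET='table inet fw4 {
    set pbr_wan_4_dst_ip_user {
        type ipv4_addr
        flags interval
        elements = { 23.88.65.58, 79.136.2.55 }
    }
    set pbr_wan_4_dst_ip_cfgexample {
        type ipv4_addr
        elements = { 213.136.33.1 }
    }
    chain pbr_prerouting {
        ip daddr @pbr_wan_4_dst_ip_cfgexample counter goto pbr_mark_0x010000 comment "policy"
        ip daddr { 213.136.63.73 } counter goto pbr_mark_0x010000 comment "From_file"
    }
}'

# Names of every named set declared in the ruleset text read from stdin
declared_sets() {
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*{.*/\1/p'
}

# Names of every set some rule refers to as @name, read from stdin
referenced_sets() {
    grep -o '@[A-Za-z0-9_]\{1,\}' | tr -d '@' | sort -u
}

# Declared sets that no rule references, one per line (empty output means
# every set is wired into a rule). On a router: nft list ruleset | unreferenced_sets
unreferenced_sets() {
    ruleset=$(cat)
    refs=" $(printf '%s\n' "$ruleset" | referenced_sets | tr '\n' ' ') "
    printf '%s\n' "$ruleset" | declared_sets | while read -r name; do
        case "$refs" in
            *" $name "*) ;;                 # some rule consults @name
            *) printf '%s\n' "$name" ;;     # populated but never consulted
        esac
    done
}

printf '%s\n' "$SAMPLE_RULESET" | unreferenced_sets
```

Run against the sample it prints only pbr_wan_4_dst_ip_user, which is exactly the set the script above fills without anything using it.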

No problem. I use Policy which is working. All is good.
