-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathcake-dual-ifb.nft
203 lines (146 loc) · 4.86 KB
/
cake-dual-ifb.nft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
table inet cake-dual-ifb-inet
flush table inet cake-dual-ifb-inet
table bridge cake-dual-ifb-bridge
flush table bridge cake-dual-ifb-bridge
# local interfaces to collect traffic from
# ingress traffic through forward hook is sent to ifb-ul
# egress traffic through forward hook is sent to ifb-dl
define IFACE_NAMES = {
br-lan,
br-guest
}
# local interface IP addresses
# traffic with these destination addresses is skipped
define IFACE_IPS = {
192.168.1.1,
192.168.2.1
}
# local MAC addresses to set to bulk (e.g. IoT devices)
define BULK_MACS = {
XX,
YY
}
table inet cake-dual-ifb-inet {
chain hook-output {
type filter hook output priority filter
# OpenWrt->wan
oifname wan mark !=3 mark set 2 goto process-openwrt-to-wan
}
chain hook-forward {
type filter hook forward priority filter
# lan->wan
iifname $IFACE_NAMES goto process-lan-to-wan
# wan->lan
oifname $IFACE_NAMES goto process-wan-to-lan
}
chain hook-postrouting {
type filter hook postrouting priority filter
# fix ttl to help disguise use of router over mobile network
# for bridge mode set ttl to 64
# for USB tethering set ttl to 65
oifname wan ip ttl set 64
}
chain process-openwrt-to-wan {
jump classify-dscp
jump store-dscp-in-conntrack
# mark special bit '256' in conntrack for tc filtering on wan ingress
ct mark set ct mark or 256
}
chain process-lan-to-wan {
# Handle DNS hijacking (effectively resulting in openwrt-to-wan)
tcp dport 53 mark set 2 goto process-openwrt-to-wan
udp dport 53 mark set 2 goto process-openwrt-to-wan
}
chain process-wan-to-lan {
oifname $IFACE_NAMES mark set 1
# Handle DNS hijacking
tcp sport 53 mark set 0
udp sport 53 mark set 0
}
# OpenWrt->wan dscp classication by router
chain classify-dscp {
meta l4proto . th dport vmap @rules_proto_dport
}
map rules_proto_dport {
type inet_proto . inet_service : verdict
elements = {
tcp . 53 : goto dscp_set_voice, # DNS
udp . 53 : goto dscp_set_voice, # DNS
tcp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 853 : goto dscp_set_voice, # DNS-over-TLS
udp . 123 : goto dscp_set_voice # NTP
}
}
# designate packet for cake tin: bulk
chain dscp_set_bulk {
ip dscp set cs1
}
# designate packet for cake tin: besteffort
chain dscp_set_besteffort {
ip dscp set cs0
}
# designate packet for cake tin: video
chain dscp_set_video {
ip dscp set cs2
}
# designate packet for cake tin: voice
chain dscp_set_voice {
ip dscp set cs4
}
chain store-dscp-in-conntrack {
# store DSCPs in conntracks
ip version 4 ct mark set (@nh,8,8 & 252) >> 2
ip6 version 6 ct mark set (@nh,0,16 & 4032) >> 6
ct mark set ct mark or 128
}
}
table bridge cake-dual-ifb-bridge {
chain hook-input {
type filter hook input priority filter
# lan->wan
meta pkttype unicast ip daddr != $IFACE_IPS goto process-lan-to-wan
}
chain process-lan-to-wan {
ibrname $IFACE_NAMES mark set 1
# Handle DNS hijacking
tcp dport 53 mark set 0
udp dport 53 mark set 0
jump classify-dscp
goto store-dscp-in-conntrack
}
# lan->wan dscp classication by router
# set/override DHCP classifications on lan-originating traffic
chain classify-dscp {
meta l4proto . th dport vmap @rules_proto_dport
# IoT devices (put mac addresses here)
ibrname $IFACE_NAMES ether saddr $BULK_MACS goto dscp_set_bulk
}
map rules_proto_dport {
type inet_proto . inet_service : verdict
elements = {
udp . 123 : goto dscp_set_voice # NTP
}
}
# designate packet for cake tin: bulk
chain dscp_set_bulk {
ip dscp set cs1
}
# designate packet for cake tin: besteffort
chain dscp_set_besteffort {
ip dscp set cs0
}
# designate packet for cake tin: video
chain dscp_set_video {
ip dscp set cs2
}
# designate packet for cake tin: voice
chain dscp_set_voice {
ip dscp set cs4
}
chain store-dscp-in-conntrack {
# store DSCPs in conntracks
ip version 4 ct mark set (@nh,8,8 & 252) >> 2
ip6 version 6 ct mark set (@nh,0,16 & 4032) >> 6
ct mark set ct mark or 128
}
}