Squashed 'einat-ebpf/' content from commit 3ca81b6

git-subtree-dir: einat-ebpf git-subtree-split: 3ca81b661559606ef42023e2e9a9dd4b74a3ed18
2025-04-21 13:52:45 +08:00 · 2025-04-21 13:52:45 +08:00 · 23fa869d86
commit 23fa869d86
9 changed files with 794 additions and 0 deletions
--- a/files/capabilities.json
+++ b/files/capabilities.json
@ -0,0 +1,10 @@
+{
+	"ambient": [
+		"CAP_SYS_ADMIN",
+		"CAP_NET_ADMIN"
+	],
+	"bounding": [
+		"CAP_SYS_ADMIN",
+		"CAP_NET_ADMIN"
+	]
+}
--- a/files/einat.config
+++ b/files/einat.config
@ -0,0 +1,13 @@
+config einat 'config'
+	option enabled '0'
+	option bpf_log_level '0'
+	option nat44 '1'
+	option ifname 'eth1'
+	option ports '20000-29999'
+	option hairpin_enabled '0'
+	list hairpinif 'lo'
+	list hairpinif 'br-lan'
+	list internal_subnets '192.168.0.0/16'
+	list internal_subnets '172.16.0.0/12'
+	list internal_subnets '10.0.0.0/8'
+
--- a/files/einat.init
+++ b/files/einat.init
@ -0,0 +1,176 @@
+#!/bin/sh /etc/rc.common
+
+. "${IPKG_INSTROOT}/lib/functions/network.sh"
+
+START=60
+STOP=60
+USE_PROCD=1
+
+# einat
+CONF=einat
+CONFIGSECTION=config
+PROG=/usr/bin/einat
+
+config_load "$CONF"
+
+network_find_wan DEF_WAN true
+network_find_wan6 DEF_WAN6 true
+
+
+
+load_interfaces() {
+	local n ifname hairpin_enabled hairpinif
+
+	config_get ifname "$1" ifname
+	config_get hairpinif "$1" hairpinif
+
+	[ "$hairpin_enabled" = 1 ] && ifname="$ifname $hairpinif"
+
+	for n in $ifname; do
+		interfaces=" $(uci -q show network|grep "device='$n'"|cut -f2 -d'.') $interfaces"
+	done
+}
+
+validate_section_config() {
+	uci_load_validate "$CONF" "$CONFIGSECTION" "$1" "$2" \
+		'enabled:bool:0' \
+		'bpf_log_level:range(0, 5):0' \
+		'bpf_loader:or("aya", "libbpf")' \
+		'nat44:bool:1' \
+		'nat66:bool:0' \
+		'ifname:network' \
+		'ports:portrange:20000-29999' \
+		'internal_ifaces:list(network)' \
+		'internal_subnets:list(cidr)' \
+		'hairpin_enabled:bool:0' \
+		'hairpinif:list(network)'
+}
+
+einat_instance() {
+
+	procd_open_instance "$CONF"
+	procd_set_param command "$PROG" \
+		--bpf-log "$bpf_log_level" \
+		${bpf_loader:+--bpf-loader "$bpf_loader"} \
+		-i "$ifname" \
+		--ports "$ports"
+
+	[ "$nat44" = 1 ] && procd_append_param command --nat44
+	#[ "$nat66" = 1 ] && procd_append_param command --nat66
+
+	local subnets internal_iface
+	for internal_iface in $internal_ifaces; do
+		network_get_subnets subnets $internal_iface
+		internal_subnets="${subnets:+$subnets }$internal_subnets"
+	done
+	[ -z "$internal_subnets" ] || procd_append_param command --internal $internal_subnets
+		
+	procd_append_param netdev "$ifname"
+
+	if [ "$hairpin_enabled" = 1 -a -n "$hairpinif" ]; then
+		procd_append_param command --hairpin-if lo $hairpinif
+		for n in $hairpinif; do
+			procd_append_param netdev "$n"
+		done
+	fi
+
+	#procd_set_param capabilities "/etc/capabilities/einat.json"
+
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn
+
+	procd_open_data
+	# configure firewall
+	json_add_array firewall
+		# IPv4 input (Optional. Relax the localhost firewall)
+		#json_add_object ''
+		#json_add_string type rule
+		#json_add_string target 'ACCEPT'
+		#json_add_string name "Relax input limits"
+		#json_add_string family 'ipv4'
+		#json_add_string proto 'tcp udp'
+		#json_add_string src "$(fw4 -q device $ifname)"
+		#json_add_string dest_port "$ports"
+		#json_close_object
+		# IPv4 accept forward wan -> lan
+		json_add_object ''
+		json_add_string type rule
+		json_add_string target 'ACCEPT'
+		json_add_string name "Forward wan 2 lan"
+		json_add_string family 'ipv4'
+		json_add_string proto 'tcp udp icmp'
+		json_add_string src "$(fw4 -q device $ifname)"
+		json_add_string dest "$(fw4 -q device br-lan)"
+		json_close_object
+		# IPv4 disable Masquerade
+		json_add_object ''
+		json_add_string type nat
+		json_add_string target 'ACCEPT'
+		json_add_string name "Disable Masquerade"
+		json_add_string family 'ipv4'
+		json_add_string proto 'tcp udp icmp'
+		json_add_string src "$(fw4 -q device $ifname)"
+		json_close_object
+	json_close_array
+	procd_close_data
+
+	procd_close_instance
+}
+
+launcher() {
+	[ "$2" = 0 ] || { >&2 echo "$(basename $0): section $1 validation failed"; return 1; }
+	[ "$enabled" = 0 ] && return 0
+
+	local error=0
+	local wanifname
+
+	# ifname
+	case "$nat66$nat44" in
+		00) network_get_device wanifname "$DEF_WAN";;
+		01) network_get_device wanifname "$DEF_WAN";;
+		10) network_get_device wanifname "$DEF_WAN6";;
+		11) network_get_device wanifname "$DEF_WAN6";;
+	esac
+	local ifname="${ifname:-$wanifname}"
+	[ -z "$ifname" ] && >&2 echo "$(basename $0): section $1 option ifname parsing failed, there may be no network connection" && let error++
+
+	# review
+	[ -n "$EINAT_DEBUG" ] && {
+		local v ucivv="enabled bpf_log_level bpf_loader nat44 nat66 ifname ports internal_ifaces internal_subnets hairpin_enabled hairpinif"
+		for v in $ucivv; do eval "echo $1 $v=\'\$$v\'"; done # ash not support ${!v}
+	}
+	[ "$error" -gt 0 ] && return 1
+
+	einat_instance "$1"
+}
+
+service_triggers() {
+	procd_add_reload_trigger "$CONF" 'network'
+
+	local interfaces
+
+	load_interfaces $CONFIGSECTION
+	[ -n "$interfaces" ] && {
+		procd_add_reload_interface_trigger $interfaces
+	} || {
+		for n in $DEF_WAN $DEF_WAN6; do
+			procd_add_reload_interface_trigger $n
+		done
+	}
+
+	procd_add_validation validate_section_config
+}
+
+start_service() {
+	validate_section_config "$CONFIGSECTION" launcher
+}
+
+reload_service() {
+	stop
+	start
+}
+
+service_started() { procd_set_config_changed firewall; }
+
+service_stopped() { procd_set_config_changed firewall; }