'config route' extension for more compact notation
Philip Prindeville
philipp_subx at redfish-solutions.com
Tue May 25 14:31:09 PDT 2021
Hi,
I'm thinking about something like (taken from my home router):
config route
	option target '103.136.220.0/22'
	option interface 'wan'
	option type 'blackhole'

config route
	option target '103.123.116.0/22'
	option interface 'wan'
	option type 'blackhole'

config route
	option target '130.44.212.0/22'
	option interface 'wan'
	option type 'blackhole'
etc. Kudos to you if you spotted these as being ByteDance TikTok servers in China which US subscribers aren't supposed to have their traffic sent to, but (surprise!!!) it still is anyway.
A nicer (more compact) notation might be:
config route
	list target '103.123.116.0/22'
	list target '103.136.220.0/22'
	list target '130.44.212.0/22'
	option interface 'wan'
	option type 'blackhole'
So, how about a change to config/route where, if it doesn't find 'option target', then it searches for 'list target' instead, and populates an ipset instead, using that for the match criteria?
We could probably do something similar for config/rule in the firewall, for the src_ip, src_port, dst_ip, dst_port, etc. using 'list' instead of 'option', and ipsets to compactly match multiple addresses, ports, etc.
But then, firewall would depend on ipset functionality being baked in. On x86_64, this isn't big:
-rw-r--r-- 1 philipp philipp 823 May 10 22:15 bin/targets/x86/64/packages/kmod-ipt-ipset_5.4.110-1_x86_64.ipk
-rw-r--r-- 1 philipp philipp 2036 Mar 19 16:57 bin/packages/x86_64/base/ipset_7.6-1_x86_64.ipk
What do you all think?
-Philip
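
The fallback described in the message ("if it doesn't find 'option target', then it searches for 'list target'"), as an added example that is not part of the original post and is not OpenWrt code: a POSIX sh/awk filter that rewrites the compact form into the one-section-per-prefix form shown first. It emits separate sections instead of the ipset the message suggests, assumes anonymous sections, and drops comment lines; expand_routes and sample_compact are hypothetical names.

```shell
# Added example, not OpenWrt code. expand_routes and sample_compact are
# hypothetical names. Reads UCI text on stdin, writes expanded text on stdout.
expand_routes() {
	awk '
	function emit_section(   i, j) {
		if (!insec) return
		# expand only a route that has "list target" and no "option target"
		expand = (isroute && ntgt > 0 && !hasopt)
		for (i = 1; i <= (expand ? ntgt : 1); i++) {
			print header
			if (expand) print "\toption target " tgts[i]
			for (j = 1; j <= nall; j++)
				if (!(expand && islist[j])) print "\t" all[j]
			print ""
		}
		insec = 0
	}
	{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # normalise indentation
	$0 == "" || /^#/ { next }                    # skip blank and comment lines
	$1 == "config" {
		emit_section()
		header = $0; isroute = ($2 == "route"); insec = 1
		ntgt = 0; nall = 0; hasopt = 0
		next
	}
	!insec { next }
	{
		all[++nall] = $0; islist[nall] = ($1 == "list" && $2 == "target")
		if (islist[nall]) { val = $0; sub(/^list[ \t]+target[ \t]+/, "", val); tgts[++ntgt] = val }
		if ($1 == "option" && $2 == "target") hasopt = 1
	}
	END { emit_section() }
	'
}

# Constructed sample: the compact notation from the message above.
sample_compact() {
	cat <<'EOF'
config route
	list target '103.123.116.0/22'
	list target '103.136.220.0/22'
	list target '130.44.212.0/22'
	option interface 'wan'
	option type 'blackhole'
EOF
}

sample_compact | expand_routes
```

A section that already carries 'option target' is passed through unchanged, 'list target' lines included, so existing configurations keep their meaning.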