PBR: Always miss something when using #20352

Closed
PussAzuki opened this issue Jan 20, 2023 · 11 comments · Fixed by #20372

@PussAzuki

Maintainer: @stangri
Environment: aarch64, Redmi AX6000 stock version, snapshot (r21861-5dee596501)

Description:
Since yesterday, I officially learned to use PBR and everything felt fine until today when I realized that the system and browser only access IPv4 addresses for some websites. Up until just now, I thought I was searching for the wrong IP range until I connected to the router and took a look at the nftables and realized that some of the IPv6 addresses were not being imported into the sets correctly.

[Image: sets]
[Image: luci]

You can see that there have been some IPv6 segments that have been ignored.

@stangri
Member

stangri commented Jan 20, 2023

Looks like they were merged.

If you can edit /etc/init.d/pbr on your router and remove the auto-merge; from lines 596-608 and restart service, does it change things?

@stangri stangri self-assigned this Jan 20, 2023
@PussAzuki
Author

No, they were not merged at all. You can see that there is no possibility of merging the ipv6 segments of google.

[Image: PBR]
Still the same.

@stangri
Member

stangri commented Jan 21, 2023

I have no further insight into this. You can try adding some debug output into the nftset function to ensure it tries to add the missing segments, but I have no idea why it silently fails.

You can also try moving the missing segments into a different policy(ies) to see if that works.

@PussAzuki
Author

I found that the nftables sets file of dnsmasq is stored in /var/dnsmasq.d/pbr. I opened it and saw that some of the addresses are missing. So the question becomes which ones are not translated by default and why.

[Image: PBR]
As you can see, there are still some IPv6 segments that are being ignored.

@PussAzuki
Author

PussAzuki commented Jan 22, 2023

[Image: init]
In this way, I gathered this image:

[Image: pbr1]
[Image: pbr2]

Some pure IPv4/IPv6 segments go through the add process, while others go through the add_dnsmasq_element process.

So the location of the problem is found.

@stangri
Member

stangri commented Jan 22, 2023

Please post the complete /etc/config/pbr and the output of service pbr status after the service has run.

@PussAzuki
Author

config:
https://pastebin.com/rw6j4Hz2
status:
https://pastebin.com/RU455cPQ

Public IP address deleted

@stangri
Member

stangri commented Jan 22, 2023

@PussAzuki thanks!

The IPv6 addresses should never end up in the dnsmasq file, I believe the is_domain() wasn't properly transferred from vpn-policy-routing code and introduced this issue.
If you're willing to test a fix, please install pbr 1.0.1-16 from my repo or you can apply the fix directly.
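
A check for the symptom discussed in this thread, as an added example that is not part of the thread or of pbr's code: it scans a dnsmasq configuration for `nftset=`/`ipset=` lines whose name field is an IP address or prefix rather than a domain. The function names, sample lines and set names are constructed for illustration, and the regexes are format heuristics, not pbr's `is_domain()`.

```shell
#!/bin/sh
# Added example: flag IP literals in a dnsmasq nftset/ipset file (not pbr code).

# Format-only check for an IPv4 address or CIDR (octet ranges are not validated).
is_ipv4_literal() {
	printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Heuristic for an IPv6 address or prefix: hex digits with at least two colons.
is_ipv6_literal() {
	printf '%s\n' "$1" | grep -Eiq '^[0-9a-f:]*:[0-9a-f:]*:[0-9a-f:.]*(/[0-9]{1,3})?$'
}

# Read dnsmasq config on stdin; print the name part of every nftset=/ipset= line
# that holds an IP literal. dnsmasq delimits names with "/", so a CIDR such as
# 2001:db8::/32 is split into two fields; matching the address field is enough.
find_ip_literals() (
	set -f	# body runs in a subshell: IFS and noglob do not leak to the caller
	while IFS= read -r line; do
		case "$line" in
			nftset=/*|ipset=/*) ;;
			*) continue ;;
		esac
		names="${line#*=/}"	# drop "nftset=/" or "ipset=/"
		names="${names%/*}"	# drop the trailing "/<set spec>"
		IFS=/
		for n in $names; do
			if is_ipv4_literal "$n" || is_ipv6_literal "$n"; then
				printf '%s\n' "$names"
				break
			fi
		done
	done
)

# Constructed sample; set names are placeholders, not taken from the issue.
sample_dnsmasq_file() {
	cat <<'EOF'
# constructed sample
nftset=/example.com/4#inet#fw4#pbr_demo_4,6#inet#fw4#pbr_demo_6
nftset=/2001:db8:1234::/48/6#inet#fw4#pbr_demo_6
nftset=/192.0.2.0/24/4#inet#fw4#pbr_demo_4
nftset=/example.org/example.net/4#inet#fw4#pbr_demo_4
EOF
}

sample_dnsmasq_file | find_ip_literals
```

On a router, feeding the file named in this thread (`/var/dnsmasq.d/pbr`) to `find_ip_literals` on stdin lists any address or prefix that was written there as if it were a domain.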

@PussAzuki
Author

I tried the latest version and it looks like he's separating out the ipv6 addresses properly.
Thanks a lot.

stangri added a commit to stangri/packages that referenced this issue Jan 22, 2023
* fixes openwrt#20352

Signed-off-by: Stan Grishin <stangri@melmac.ca>
stangri added a commit to stangri/packages that referenced this issue Jan 22, 2023
* fixes openwrt#20352

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit e7e4a01)
@PussAzuki
Author

PussAzuki commented Jan 23, 2023

[Image]
[Image]
ipv4 routing has been handled well...but
[Image]
[Image]
there is no routing for ipv6 (the rules are there), maybe it needs to be fixed all together?

I have added masq6 to the vpn zone according to the openwrt.org documentation, and IPv6 NAT works fine when using the static routing function under Network - Routing, so there is still a problem to be solved...

@stangri
Member

stangri commented Jan 23, 2023

You may want to open a new issue dedicated to IPv6 routing and provide the configs (not screenshots) requested in the Help section of the README, as this will be automatically closed when I merge the linked PR.

SibrenVasse pushed a commit to SibrenVasse/packages that referenced this issue Feb 26, 2023
* fixes openwrt#20352

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit e7e4a01)