[PATCH v12 5/6] vpn-select: Use keyxchangev2data instead of fastd_fff_output

mail at adrianschmutzler.de
Tue Oct 3 01:08:00 CEST 2017


Hello,

I believe Christian (?) had raised the point that setting the L2TP status
centrally restricts flexibility.

I would tend to agree with that for now.

Regards

Adrian

> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
> Of Robert Langhammer
> Sent: Monday, 2 October 2017 22:44
> To: franken-dev at freifunk.net
> Subject: Re: [PATCH v12 5/6] vpn-select: Use keyxchangev2data instead of
> fastd_fff_output
> 
> 
> 
> Hi,
> On 2 October 2017 18:57:42 CEST, Tim Niemeyer <tim at tn-x.org> wrote:
> >Hi
> >
> >On Monday, 02.10.2017, 18:05 +0200, Adrian Schmutzler wrote:
> >> This is a first consolidation step which gets rid of
> >> /tmp/fastd_fff_output, but still requires /etc/fastd/fff/peers/*
> >>
> >> Signed-off-by: Adrian Schmutzler <freifunk at adrianschmutzler.de>
> >> ---
> >>  .../fff/fff-hoods/files/usr/sbin/configurehood     |  27 +----
> >>  .../fff/fff-vpn-select/files/usr/sbin/vpn-select   | 121
> >++++++++++++---------
> >>  2 files changed, 69 insertions(+), 79 deletions(-)
> >>
> >> diff --git a/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
> >b/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
> >> index 5346a90..ac800f4 100755
> >> --- a/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
> >> +++ b/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
> >> @@ -176,32 +176,7 @@ if [ -s /tmp/keyxchangev2data ]; then
> >>  		exit 0
> >>  	fi
> >>
> >> -	# and now we read the VPN Data and give this data to fff-vpn
> >> -	json_select vpn
> >> -	Index=1
> >> -	rm /tmp/fastd_fff_output
> >> -	touch /tmp/fastd_fff_output
> >> -	while json_select "$Index" > /dev/null
> >> -	do
> >> -		json_get_var protocol protocol
> >> -		if [ "$protocol" == "fastd" ]; then
> >> -			json_get_var servername name
> >> -			echo "####${servername}.conf" >>
> /tmp/fastd_fff_output
> >> -			echo "#name \"${servername}\";" >>
> /tmp/fastd_fff_output
> >> -			json_get_var key key
> >> -			echo "key \"${key}\";" >> /tmp/fastd_fff_output
> >> -			json_get_var address address
> >> -			json_get_var port port
> >> -			echo "remote ipv4 \"${address}\" port $port float;"
> >>
> >/tmp/fastd_fff_output
> >> -		fi
> >> -		echo "" >> /tmp/fastd_fff_output
> >> -		json_select ".." # back to vpn
> >> -		Index=$(( Index + 1 ))
> >> -	done
> >> -	echo "###" >> /tmp/fastd_fff_output
> >> -	json_select ".." # back to root
> >> -	#this we do every 5 minutes, because it can change the VPN Protocol
> >> -	#and now we get to vpn-select Script and load VPNs
> >> +	# and now we get to vpn-select script and load VPNs directly from
> >/tmp/keyxchangev2data
> >>  	sh /usr/sbin/vpn-select
> >>
> >>  else
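Review bot: The replacement comment in the `+	# and now we get to vpn-select script and load VPNs directly from /tmp/keyxchangev2data` line drops the rationale the removed lines carried (`#this we do every 5 minutes, because it can change the VPN Protocol`); that sentence explains why vpn-select is re-run on every keyxchange cycle rather than only once, so keep it in the new comment. Since vpn-select now parses the JSON itself, the commit message should also say that the two scripts' expectations about the `vpn` array layout (`protocol`, `name`, `key`, `address`, `port`) have to be kept in sync.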
> >> diff --git
> >a/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-select
> >b/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-select
> >> index bb4c933..32e2ab4 100755
> >> --- a/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-select
> >> +++ b/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-select
> >> @@ -2,72 +2,87 @@
> >>
> >>  test -f /tmp/started || exit
> >>
> >> +. /usr/share/libubox/jshn.sh
> >> +
> >>  make_config() {
> >>  # remove old config
> >>  >/etc/config/tunneldigger
> >Good, that's a symlink to a tmpfs.. Fine.
> >
> >>  rm /tmp/fastd_fff_peers/*
> >>  count=0
> >> +Index=1
> >> +json_load "$(cat /tmp/keyxchangev2data)"
> >> +json_select vpn
> >>  # get fastd peers
> >> -filecounts=$(awk '/^####/ { gsub(/^####/, "", $0); gsub(/.conf/, "",
> >$0); print $0; }' /tmp/fastd_fff_output)
> >> -for file in $filecounts; do
> >> -    awk "{ if(a) print }; /^####$file.conf$/{a=1}; /^$/{a=0};"
> >/tmp/fastd_fff_output | sed 's/ float;/;/g' >
> >/etc/fastd/fff/peers/$file
> >> -    echo 'float yes;' >> /etc/fastd/fff/peers/$file
> >> -
> >> -    # ask for Broker and select the tunnel
> >> -    IP=$(awk -F\" '/remote/ {print $2}' /etc/fastd/fff/peers/$file)
> >> -    if [ "l2tp" = "$(wget -T10 $IP/vpn.txt -O - 2>/dev/null)" ];
> >then
> >> -        # Gateway offers l2tp
> >> -        FDPORT=$(awk '/remote/{gsub(";", ""); print $5}'
> >/etc/fastd/fff/peers/$file)
> >> -        L2PORT=$((FDPORT + 10000))
> >> -        UUID=$hostname
> >> +while json_select "$Index" > /dev/null
> >> +do
> >> +	json_get_var protocol protocol
> >> +	if [ "$protocol" == "fastd" ]; then
> >> +		json_get_var servername name
> >> +		filename="/etc/fastd/fff/peers/$servername"
> >> +		echo "#name \"${servername}\";" > "$filename"
> >> +		json_get_var key key
> >> +		echo "key \"${key}\";" >> "$filename"
> >> +		json_get_var address address
> >> +		json_get_var port port
> >> +		echo "remote ipv4 \"${address}\" port ${port};" >>
> "$filename"
> >> +		echo "" >> "$filename"
> >> +		echo "float yes;" >> "$filename"
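Review bot: Missing check at `json_load "$(cat /tmp/keyxchangev2data)"` and `json_select vpn`: their exit status is ignored, but by that point make_config has already truncated /etc/config/tunneldigger and removed the peer files, so a truncated or malformed keyxchange file leaves the node with neither fastd peers nor brokers until the next run. Do the load and select before the destructive `>/etc/config/tunneldigger` and `rm /tmp/fastd_fff_peers/*` lines and return early with `|| return 1` if either fails. In the same region, `filename="/etc/fastd/fff/peers/$servername"` takes the `name` value straight from the downloaded JSON, and `name`, `key` and `address` are echoed into the fastd config inside double quotes without escaping; a `/` in the name would place the file outside the peers directory and a `"` or `;` in any value changes the peer file's structure. Reject empty names and names containing `/`, and reject values containing `"` before writing them.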
> >
> >Here I would find an
> >	else if [ "$protocol" == "l2tpv3" ]; then
> >better than this:
> >> +		# ask for Broker and select the tunnel
> >> +		if [ "l2tp" = "$(wget -T10 "${address}/vpn.txt" -O -
> 2>/dev/null)"
> >]; then
> >But so far I seem to be the only one who prefers it that way. :(
> No, you're not alone there. I only built in these crutches back then
> because nobody wanted to change anything in the KeyXchange.
> 
> Robert
> >
> >> +			# Gateway offers l2tp
> >> +			L2PORT=$((port + 10000))
> >> +			UUID=$hostname
> >Just a small thing, but IMHO it would be clearer if one simply _always_
> >used the MAC here instead of the hostname. But basically it's not that
> >important either..
> >
> >>
> >> -        uci set tunneldigger.$count=broker
> >> -        uci set tunneldigger.$count.address="$IP:$L2PORT"
> >> -        uci set tunneldigger.$count.uuid="$UUID"
> >> -        uci set tunneldigger.$count.interface="l2tp$count"
> >> -        uci set tunneldigger.$count.enabled="1"
> >> -        uci set
> >tunneldigger.$count.hook_script='/etc/tunneldigger/tunneldigger.hook'
> >> -        uci -c /tmp commit tunneldigger
> >> -        count=$((count + 1))
> >> -        # remove this fastd-peer
> >> -        rm /etc/fastd/fff/peers/$file
> >> -    fi
> >> +			uci set tunneldigger.$count=broker
> >> +			uci set
> tunneldigger.$count.address="${address}:$L2PORT"
> >> +			uci set tunneldigger.$count.uuid="$UUID"
> >> +			uci set tunneldigger.$count.interface="l2tp$count"
> >> +			uci set tunneldigger.$count.enabled="1"
> >> +			uci set
> >tunneldigger.$count.hook_script='/etc/tunneldigger/tunneldigger.hook'
> >> +			uci -c /tmp commit tunneldigger
> >> +			count=$((count + 1))
> >> +			# remove this fastd-peer
> >> +			rm "$filename"
> >> +		fi
> >> +	fi
> >> +	json_select ".." # back to vpn
> >> +	Index=$(( Index + 1 ))
> >>  done
> >> +json_select ".." # back to root
> >>  }
> >>
> >>  # main
> >>
> >>  # Only do something when file is here and greater 0 byte
> >> -if [ -s /tmp/fastd_fff_output ]; then
> >> -
> >> -    # set some vars
> >> -    hostname=$(cat /proc/sys/kernel/hostname)
> >> -    mac=$(awk '{ mac=toupper($1); gsub(":", "", mac); print mac }'
> >/sys/class/net/br-mesh/address 2>/dev/null)
> >> -    [ "$hostname" = "OpenWrt" ] && hostname=""
> >> -    [ "$hostname" = "" ] &&  hostname="$mac"
> >> -
> >> -    if [ ! -d /tmp/fastd_fff_peers ]; then
> >> -        # first run after reboot
> >> -        mkdir /tmp/fastd_fff_peers
> >> -        make_config
> >> -        # start fastd only if there are some peers left
> >> -        [ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ] &&
> >/etc/init.d/fastd start
> >> -        /etc/init.d/tunneldigger start
> >> -    else
> >> -        # check if new tunneldigger conf is different
> >> -        sumold=$(sha256sum /etc/config/tunneldigger)
> >> -        make_config
> >> -        sumnew=$(sha256sum /etc/config/tunneldigger)
> >> -        [ "$sumnew" != "$sumold" ] && /etc/init.d/tunneldigger
> >restart
> >> -        /etc/init.d/fastd reload
> >> +if [ -s /tmp/keyxchangev2data ]; then
> >> +	# set some vars
> >> +	hostname=$(cat /proc/sys/kernel/hostname)
> >> +	mac=$(awk '{ mac=toupper($1); gsub(":", "", mac); print mac }'
> >/sys/class/net/br-mesh/address 2>/dev/null)
> >> +	[ "$hostname" = "LEDE" ] && hostname=""
> >> +	[ "$hostname" = "" ] &&  hostname="$mac"
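Review bot: The default-hostname check changes from `"OpenWrt"` to `"LEDE"` in the `+	[ "$hostname" = "LEDE" ] && hostname=""` line, a behaviour change unrelated to replacing /tmp/fastd_fff_output and not mentioned in the commit message ("This is a first consolidation step which gets rid of /tmp/fastd_fff_output"). Either split it into its own patch or match both names, e.g. `case "$hostname" in OpenWrt|LEDE) hostname="" ;; esac`, so that a node still carrying the old default name does not register with the broker under `UUID=$hostname` instead of the MAC.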
> >All this back-and-forth if'ing could be avoided by following the comment
> >above.
> >
> >As said, my remarks are either not that important or not ready for
> >consensus, hence:
> >
> >Reviewed-by: Tim Niemeyer <tim at tn-x.org>
> >
> >Tim
> >
> >>
> >> -        # fastd start/stop for various situations
> >> -        pidfile="/tmp/run/fastd.fff.pid"
> >> -        if [ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ]; then
> >> -            ([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")" ])
> >|| /etc/init.d/fastd start
> >> -        else
> >> -            ([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")" ])
> >&& /etc/init.d/fastd stop
> >> -        fi
> >> +	if [ ! -d /tmp/fastd_fff_peers ]; then
> >> +		# first run after reboot
> >> +		mkdir /tmp/fastd_fff_peers
> >> +		make_config
> >> +		# start fastd only if there are some peers left
> >> +		[ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ] &&
> >/etc/init.d/fastd start
> >> +		/etc/init.d/tunneldigger start
> >> +	else
> >> +		# check if new tunneldigger conf is different
> >> +		sumold=$(sha256sum /etc/config/tunneldigger)
> >> +		make_config
> >> +		sumnew=$(sha256sum /etc/config/tunneldigger)
> >> +		[ "$sumnew" != "$sumold" ] && /etc/init.d/tunneldigger
> restart
> >> +		/etc/init.d/fastd reload
> >>
> >> -    fi
> >> +		# fastd start/stop for various situations
> >> +		pidfile="/tmp/run/fastd.fff.pid"
> >> +		if [ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ]; then
> >> +			([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")"
]) ||
> >/etc/init.d/fastd start
> >> +		else
> >> +			([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")"
]) &&
> >/etc/init.d/fastd stop
> >> +		fi
> >> +	fi
> >>  fi
> >> --
> >> 2.7.4
> >>