usage() {
cat <<'EOF'
-Usage: mail-route start|stop|show
+Usage: mail-route up|down|show
Marks tcp packets on port 25 and 143 to be routed through
-a vpn ip.
+a vpn ip. If called from --up/--down in openvpn, (we have multiple args) $1 is the
+tun_dev, and action is from $script_type.
+
+Is idempotent.
EOF
exit $1
}
-if (( $# != 1 )); then
+if (( $# < 1 )); then
usage 1
fi
-start() {
+up() {
start=true
stop=false
iptables_op=-A
ip_op=add
- # systemd around stretch release time, would wait until openvpn actually connected,
- # so this was unnecessary, but now it returns immediately.
- found=false
- for ((i=1; i<=30; i++)); do
- tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
- if [[ $tun_dev == tun* ]]; then
- found=true
- break
+ if [[ ! $tun_dev ]]; then
+ # delays because I was running this outside of openvpn before
+ found=false
+ for ((i=1; i<=30; i++)); do
+ tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
+ if [[ $tun_dev == tun* ]]; then
+ found=true
+ break
+ fi
+ sleep 1
+ done
+ if ! $found; then
+ echo "$0: error: timeout waiting for valid tun_dev, currently:$tun_dev"
+ exit 1
fi
- sleep 1
- done
- if ! $found; then
- echo "$0: error: timeout waiting for valid tun_dev, currently:$tun_dev"
- exit 1
fi
e() { echo "$0: $*"; "$@"; }
_errcatch_cleanup=stop
# to change the default is for every device, and I want to avoid that, even though I wouldn't mind, others users of this script might.
e sysctl net.ipv4.conf.$tun_dev.rp_filter=2
}
-stop() {
+down() {
start=false
stop=true
iptables_op=-D
ip_op=del
+ # note, this is not going to work if the interface has been deleted.
+ # we could also check for an iptable rule that on some tun interface like the one
+ # we use, but meh, the way I'm using the script now, tun_dev is supplied by openvpn
+ if [[ ! tun_dev ]]; then
tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
+ fi
e() { echo "$0: $*"; "$@" || printf "maybe ok failure: %s\n" "$*"; }
modify
}
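Review bot: The new guard in down(), `if [[ ! tun_dev ]]; then`, tests the literal word tun_dev rather than the variable, so it is never true and the `ip a show to 10.8.0.4/24` fallback is dead code. A manual `mail-route down` therefore reaches `modify` with an empty tun_dev, and the `if [[ $tun_dev ]]` block shown further down would then skip removing the SNAT rule. It should read `if [[ ! $tun_dev ]]; then`, matching the guard this change adds in up(). The body of `modify` is not visible here, so the effect on the remaining rules is inferred rather than confirmed.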
if [[ $tun_dev ]]; then
# when $tun_dev goes away, so does this rul
- iptmod iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4
+ iptmod iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4
fi
# so, eh, might as well. some rhel docs recommend using it.
- exit 0
}
-case $1 in
- start|stop|show) $1 ;;
- *) usage 1 ;;
-esac
+if (( $# > 1 )); then
+tun_dev=$1
+$script_type
+else
+ case $1 in
+ up|down|show) $1 ;;
+ *) usage 1 ;;
+ esac
+fi
+
+
+
+exit 0
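Review bot: In the multi-argument branch, `$script_type` is expanded unquoted and run as a command, so whatever that environment variable holds is executed with the script's privileges. An unset value silently does nothing before `exit 0`. OpenVPN also sets script_type to values other than up and down for its other hooks, so this branch needs the same allow-list as the single-argument `case`. `tun_dev=$1` is likewise taken as-is and later reaches `sysctl net.ipv4.conf.$tun_dev.rp_filter=2` and `iptables ... -o $tun_dev` unquoted. The `tun*` test that the polling loop in up() applies is skipped for a supplied name, so it should be checked here.

```shell
if (( $# > 1 )); then
  tun_dev=$1
  # Same shape check the polling loop in up() applies to a discovered device.
  if [[ $tun_dev != tun* ]]; then
    echo "$0: error: unexpected tun_dev: $tun_dev" >&2
    exit 1
  fi
  # Only dispatch to the actions this script defines for openvpn hooks.
  case $script_type in
    up|down) "$script_type" ;;
    *) usage 1 ;;
  esac
else
  # … unchanged: single-argument case on $1 …
fi
```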
# background: something like this does not work for packets which