From 3e3753d726f8a02d98368f20f77dd9fa739e3d80 Mon Sep 17 00:00:00 2001
From: Evgeny Zinoviev
Date: Sat, 3 Jun 2023 01:00:49 +0300
Subject: add various scripts to not lose them

---
 doc/common_requirements.md | 2 +-
 misc/openwrt/etc/hotplug.d/iface/99-ifup | 21 ++++++++++
 misc/openwrt/etc/rc.local | 70 ++++++++++++++++++++++++++++++++
 misc/openwrt/root/bin/setup-routing.sh | 53 ++++++++++++++++++++++++
 misc/openwrt/setup-routing.sh | 53 ------------------------
 misc/scripts/ipcam_capture_restart.sh | 7 ++++
 misc/scripts/ipcam_rtsp2hls_restart.sh | 8 ++++
 misc/scripts/make_netns_per_upstream.sh | 38 +++++++++++++++++
 systemd/ipcam_capture@.service | 2 +-
 systemd/ipcam_rtsp2hls@.service | 1 +
 systemd/ipcam_server.service | 3 +-
 11 files changed, 202 insertions(+), 56 deletions(-)
 create mode 100644 misc/openwrt/etc/hotplug.d/iface/99-ifup
 create mode 100644 misc/openwrt/etc/rc.local
 create mode 100644 misc/openwrt/root/bin/setup-routing.sh
 delete mode 100644 misc/openwrt/setup-routing.sh
 create mode 100644 misc/scripts/ipcam_capture_restart.sh
 create mode 100644 misc/scripts/ipcam_rtsp2hls_restart.sh
 create mode 100644 misc/scripts/make_netns_per_upstream.sh

diff --git a/doc/common_requirements.md b/doc/common_requirements.md
index 4a85888..a928bde 100644
--- a/doc/common_requirements.md
+++ b/doc/common_requirements.md
@@ -1,4 +1,4 @@
 Debian packages:
 ```
-apt-get install git cmake build-essential python3-dev python3-wheel python3-pip python3-build python3-yaml python3-toml python3-psutil python3-aiohttp python3-requests python3-apscheduler python3-smbus
+apt-get install git cmake build-essential python3-dev python3-wheel python3-pip python3-build python3-yaml python3-toml python3-psutil python3-aiohttp python3-requests python3-apscheduler python3-smbus traceroute tcpdump
 ```
diff --git a/misc/openwrt/etc/hotplug.d/iface/99-ifup b/misc/openwrt/etc/hotplug.d/iface/99-ifup
new file mode 100644
index 0000000..e3562cd
--- /dev/null
+++ b/misc/openwrt/etc/hotplug.d/iface/99-ifup
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+tables="mts-azov rt-azov mts-il"
+net=
+
+case "$ACTION" in
+ ifup)
+ case "$INTERFACE" in
+ eth2)
+ net=192.168.7
+ ;;
+ eth3)
+ net=192.168.8
+ ;;
+ esac
+ if [ -z "$net" ]; then exit; fi
+ for t in $tables; do
+ ip r add ${net}.0/24 via ${net}.1 table $t
+ done
+ ;;
+esac
\ No newline at end of file
diff --git a/misc/openwrt/etc/rc.local b/misc/openwrt/etc/rc.local
new file mode 100644
index 0000000..407d1eb
--- /dev/null
+++ b/misc/openwrt/etc/rc.local
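Review bot: The `ip r add` in the loop is not idempotent: a second `ifup` event for eth2/eth3, or the same prefix already installed at boot by the "fix local routes" loop in rc.local (if that file ships alongside this hook), makes it fail with `RTNETLINK answers: File exists`, and with no `set -e` the failure is silently ignored for that table. Use `ip route replace ${net}.0/24 via ${net}.1 table "$t"` so the hook converges on every event. Note also that in OpenWrt hotplug.d/iface scripts `$INTERFACE` carries the UCI logical interface name while the device name is in `$DEVICE`, so unless the UCI interfaces are literally named eth2/eth3 the `case` never matches and `net` stays empty; matching on `"$DEVICE"` (or on the logical names) is worth confirming on the box. Finally, `tables` duplicates rc.local's `TABLES`, so adding an upstream in one place and not the other silently leaves a table without the link route; at minimum add `# keep in sync with TABLES in /etc/rc.local` above it.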
@@ -0,0 +1,70 @@
+# Put your custom commands here that should be executed once
+# the system init finished. By default this file does nothing.
+
+TABLES="mts-azov rt-azov mts-il"
+
+# create ip sets
+for _table in $TABLES; do
+ ipset create $_table hash:net
+done
+
+# add untrusted cameras set
+ipset create ipcam hash:net
+for addr in $(seq 21 69); do
+ ipset add ipcam 192.168.5.${addr}
+done
+
+sleep 0.1
+
+# block internet access for untrusted cameras
+iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0 -j REJECT
+
+# add some default routing rules
+ipset add mts-azov 192.168.5.0/24 # everybody
+ipset add mts-azov 192.168.5.163 # cs1
+ipset add mts-azov 192.168.5.212 # cs2
+ipset add mts-azov 192.168.5.161 # cs3
+
+ipset add rt-azov 192.168.5.133 # roof2
+ipset add rt-azov 192.168.5.115 # room
+ipset add rt-azov 192.168.5.170 # room
+
+ipset add mts-il 192.168.5.120 # inv
+ipset add mts-il 192.168.5.223 # inv
+ipset add mts-il 192.168.5.143 # roof1
+
+# create rules
+ip rule add fwmark 100 table mts-azov
+ip rule add fwmark 101 table rt-azov
+ip rule add fwmark 102 table mts-il
+
+# set default route for each custom routing table
+ip route add default via 192.168.7.1 table mts-azov
+ip route add default via 192.168.8.1 table rt-azov
+ip route add default via 192.168.88.1 table mts-il # via mikrotik
+
+# fix local routes
+for _table in $TABLES; do
+ ip route add 192.168.5.0/24 via 192.168.5.1 table $_table
+ ip route add 192.168.6.0/24 via 192.168.88.1 table $_table
+ ip route add 192.168.7.0/24 via 192.168.7.1 table $_table
+ ip route add 192.168.8.0/24 via 192.168.8.1 table $_table
+ ip route add 192.168.88.0/24 via 192.168.88.1 table $_table
+done
+
+# iptables rules (see also /etc/firewall.user)
+sleep 0.5
+
+# pass already-marked packets
+iptables -t mangle -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-azov src -j MARK --set-mark 0x64
+iptables -t mangle -A OUTPUT -m set --match-set mts-azov src -j MARK --set-mark 0x64
+
+iptables -t mangle -A PREROUTING -m set --match-set mts-il src -j MARK --set-mark 0x66
+iptables -t mangle -A OUTPUT -m set --match-set mts-il src -j MARK --set-mark 0x66
+
+iptables -t mangle -A PREROUTING -m set --match-set rt-azov src -j MARK --set-mark 0x65
+iptables -t mangle -A OUTPUT -m set --match-set rt-azov src -j MARK --set-mark 0x65
+
+exit 0
diff --git a/misc/openwrt/root/bin/setup-routing.sh b/misc/openwrt/root/bin/setup-routing.sh
new file mode 100644
index 0000000..b384541
--- /dev/null
+++ b/misc/openwrt/root/bin/setup-routing.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+list_ipset() {
+ skip=1
+ while read -r line; do
+ if [ "$line" = "Members:" ]; then skip=0; continue; fi;
+ [ "$skip" = "1" ] && continue
+ echo "$line"
+ done
+}
+
+case "$1" in
+ dhcp-leases)
+ cat /tmp/dhcp.leases
+ ;;
+
+ ipset-add)
+ addr="$3"
+ addr="${addr/_/\/}"
+ ipset add "$2" "$addr"
+ ;;
+
+ ipset-del)
+ addr="$3"
+ addr="${addr/_/\/}"s
+ ipset del "$2" "$addr"
+ ;;
+
+# ipset_list)
+# ipset list "$2" | list_ipset
+# ;;
+
+ ipset-list-all)
+ shift
+ while [ -n "$1" ]; do
+ echo ">$1"
+ skip=1
+ ipset list "$1" | list_ipset
+ shift
+ done
+ ;;
+
+# rule-show)
+# ;;
+#
+# route-show)
+# ;;
+
+ *)
+ 2>&1 echo "error: invalid command"
+ exit 1
+ ;;
+esac
\ No newline at end of file
diff --git a/misc/openwrt/setup-routing.sh b/misc/openwrt/setup-routing.sh
deleted file mode 100644
index b384541..0000000
--- a/misc/openwrt/setup-routing.sh
+++ /dev/null
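Review bot: `! -d 192.168.5.0` on the FORWARD REJECT rule is a single-host match (iptables treats a bare address as /32), so the exemption covers only the address 192.168.5.0 and camera traffic forwarded to every other destination, including the 192.168.6/7/8/88 networks this file routes later, is rejected; if the intent is to exempt the local subnet the rule should read `iptables -I FORWARD 1 -m set --match-set ipcam src ! -d 192.168.5.0/24 -j REJECT`, and if the stricter behaviour is wanted the comment should say so. This fails closed, so it is not a hole, but it should be explicit. The three MARK pairs rely on last-match-wins: mts-azov contains all of 192.168.5.0/24, so every host is first marked 0x64 and only the later mts-il/rt-azov rules override it, which means reordering the pairs silently changes a host's upstream — a comment `# order matters: the /24 in mts-azov marks everything, per-host sets below override` belongs above them. Rules appended from rc.local also do not, as far as I know, survive a firewall restart on OpenWrt (fw3/fw4 flushes the tables it manages), and the comment already points at /etc/firewall.user; the camera REJECT rule in particular should live there, otherwise `/etc/init.d/firewall restart` removes the egress block until the next boot.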
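Review bot: The `ipset-del` branch has a stray `s` after the closing quote, `addr="${addr/_/\/}"s`, so every deletion is attempted with e.g. `192.168.5.5s` and fails with an ipset syntax error; drop the `s` to match the `ipset-add` branch. This file is a move of misc/openwrt/setup-routing.sh, so the defect predates the commit but is still live on the new side. Two smaller points: `2>&1 echo "error: invalid command"` sends the message to stdout (the redirection only points stderr at stdout's target), it should be `echo "error: invalid command" >&2`; and `${addr/_/\/}` is a bash pattern substitution under `#!/bin/sh`, which BusyBox ash only accepts when built with bash compatibility — `addr=$(printf '%s' "$3" | sed 's,_,/,')` is portable. Since this dispatcher appears to be driven by an external caller and hands `$2`/`$3` straight to `ipset` (quoted, so no injection, but any set), a whitelist such as `case "$2" in mts-azov|rt-azov|mts-il|ipcam) ;; *) exit 1 ;; esac` before the `ipset` calls would keep a caller from touching unrelated sets.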
@@ -1,53 +0,0 @@
-#!/bin/sh
-
-list_ipset() {
- skip=1
- while read -r line; do
- if [ "$line" = "Members:" ]; then skip=0; continue; fi;
- [ "$skip" = "1" ] && continue
- echo "$line"
- done
-}
-
-case "$1" in
- dhcp-leases)
- cat /tmp/dhcp.leases
- ;;
-
- ipset-add)
- addr="$3"
- addr="${addr/_/\/}"
- ipset add "$2" "$addr"
- ;;
-
- ipset-del)
- addr="$3"
- addr="${addr/_/\/}"s
- ipset del "$2" "$addr"
- ;;
-
-# ipset_list)
-# ipset list "$2" | list_ipset
-# ;;
-
- ipset-list-all)
- shift
- while [ -n "$1" ]; do
- echo ">$1"
- skip=1
- ipset list "$1" | list_ipset
- shift
- done
- ;;
-
-# rule-show)
-# ;;
-#
-# route-show)
-# ;;
-
- *)
- 2>&1 echo "error: invalid command"
- exit 1
- ;;
-esac
\ No newline at end of file
diff --git a/misc/scripts/ipcam_capture_restart.sh b/misc/scripts/ipcam_capture_restart.sh
new file mode 100644
index 0000000..85144da
--- /dev/null
+++ b/misc/scripts/ipcam_capture_restart.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+for f in $(ls /etc/ipcam_capture.conf.d/ | xargs); do
+ camera="${f/.conf/}"
+ echo "restarting $camera"
+ systemctl restart ipcam_capture@${camera}
+done
\ No newline at end of file
diff --git a/misc/scripts/ipcam_rtsp2hls_restart.sh b/misc/scripts/ipcam_rtsp2hls_restart.sh
new file mode 100644
index 0000000..61ee623
--- /dev/null
+++ b/misc/scripts/ipcam_rtsp2hls_restart.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+cd /etc/ipcam_rtsp2hls.conf.d/
+for f in *-low.conf; do
+ f=${f/-low.conf/}
+ echo "restarting $f"
+ systemctl restart ipcam_rtsp2hls@${f}
+ systemctl restart ipcam_rtsp2hls@${f}-low
+done
diff --git a/misc/scripts/make_netns_per_upstream.sh b/misc/scripts/make_netns_per_upstream.sh
new file mode 100644
index 0000000..fb152fa
--- /dev/null
+++ b/misc/scripts/make_netns_per_upstream.sh
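Review bot: `for f in $(ls /etc/ipcam_capture.conf.d/ | xargs)` parses `ls` output and word-splits it, and `${f/.conf/}` removes the first `.conf` anywhere in the name rather than the suffix, so a leftover such as `cam1.conf.bak` restarts a bogus `ipcam_capture@cam1.bak` instance and any non-`.conf` file in the directory is restarted as well. A glob with a suffix-anchored strip is safer and shorter: `for f in /etc/ipcam_capture.conf.d/*.conf; do camera=${f##*/}; camera=${camera%.conf}; …`, with the instance name quoted as `systemctl restart "ipcam_capture@${camera}"`. If the directory can be empty, add `[ -e "$f" ] || continue` so the literal pattern is not restarted either.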
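Review bot: `cd /etc/ipcam_rtsp2hls.conf.d/` has no failure check, so if the directory is missing the glob `*-low.conf` expands in the caller's cwd; and when the glob matches nothing it stays literal, `${f/-low.conf/}` turns it into `*`, and the script runs `systemctl restart ipcam_rtsp2hls@*`. Guard both with `cd /etc/ipcam_rtsp2hls.conf.d/ || exit 1` and `[ -e "$f" ] || continue` as the first line of the loop (or `shopt -s nullglob`). `${f%-low.conf}` is the suffix-anchored form of the strip and is the one to use here.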
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -x
+set -e
+
+get_default_iface() {
+ ip -4 r show default | awk '{print $5}'
+}
+
+declare -A UPSTREAMS=(
+ [mtsil]=102
+ [mtsazov]=100
+ [rtazov]=101
+)
+
+for name in "${!UPSTREAMS[@]}"; do
+ mark=${UPSTREAMS[$name]}
+ veth_addr=10.${mark}.1.1
+ vpeer_addr=10.${mark}.1.2
+ veth_if=veth${name}
+ vpeer_if=vpeer${name}
+
+ ip netns add $name
+ ip link add $veth_if type veth peer name $vpeer_if
+ ip link set $vpeer_if netns $name
+ ip addr add $veth_addr/24 dev $veth_if
+ ip link set $veth_if up
+
+ ip netns exec $name ip addr add $vpeer_addr/24 dev $vpeer_if
+ ip netns exec $name ip link set $vpeer_if up
+ ip netns exec $name ip link set lo up
+ ip netns exec $name ip route add default via $veth_addr
+
+ iptables -t mangle -A PREROUTING -s $vpeer_addr/24 -j MARK --set-mark $mark
+ iptables -t nat -A POSTROUTING -s $vpeer_addr/24 -o "$(get_default_iface)" -j MASQUERADE
+done
+
+sysctl net.ipv4.ip_forward=1
diff --git a/systemd/ipcam_capture@.service b/systemd/ipcam_capture@.service
index 9196613..b1c363e 100644
--- a/systemd/ipcam_capture@.service
+++ b/systemd/ipcam_capture@.service
@@ -4,12 +4,12 @@ After=network-online.target
 
 [Service]
 Restart=always
+RestartSec=3
 User=user
 Group=user
 EnvironmentFile=/etc/ipcam_capture.conf.d/%i.conf
 ExecStart=/home/user/homekit/tools/ipcam_capture.sh --outdir $OUTDIR --creds $CREDS --ip $IP --port $PORT $ARGS
 Restart=always
-RestartSec=2
 
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd/ipcam_rtsp2hls@.service b/systemd/ipcam_rtsp2hls@.service
index 244a192..addd819 100644
--- a/systemd/ipcam_rtsp2hls@.service
+++ b/systemd/ipcam_rtsp2hls@.service
@@ -4,6 +4,7 @@ After=network-online.target
 
 [Service]
 Restart=always
+RestartSec=3
 User=user
 Group=user
 EnvironmentFile=/etc/ipcam_rtsp2hls.conf.d/%i.conf
diff --git a/systemd/ipcam_server.service b/systemd/ipcam_server.service
index 8897363..07ac95f 100644
--- a/systemd/ipcam_server.service
+++ b/systemd/ipcam_server.service
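Review bot: `get_default_iface` is re-evaluated on every loop iteration and prints the fifth field of every line of `ip -4 r show default`, so with more than one default route (several metrics, or a multipath route) `-o` receives a multi-word string and `iptables` aborts the script under `set -e` with the namespaces already half-built. Hoist it above the loop as `default_if=$(ip -4 r show default | awk 'NR==1{print $5}')` and use `-o "$default_if"`. Beyond that, the MASQUERADE is pinned to the current default interface while the mangle rule stamps the namespace's traffic with the upstream's fwmark; if fwmark rules elsewhere on this host (not in this script) send that mark out of a different interface, the POSTROUTING rule will not match and `10.<mark>.1.0/24` sources leave un-NATed — dropping `-o`, or one MASQUERADE per egress interface, avoids that, and a comment stating which interface each mark is expected to egress would make the intent checkable. The script is also not re-runnable (`ip netns add` fails on an existing namespace) and `sysctl net.ipv4.ip_forward=1` is not persisted, so a header such as `# one-shot: creates the namespaces once per boot; ip_forward is not persisted` would spare the next reader a surprise.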
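Review bot: `Restart=always` appears twice in the `[Service]` section on the new side (once right above the added `RestartSec=3` and again right before the removed `RestartSec=2`); the duplicate is harmless since the last occurrence wins, but drop one so the unit reads unambiguously. More importantly, `ExecStart` still passes `--creds $CREDS` on the command line, where every local user can read it via `/proc/<pid>/cmdline` and `ps`, unlike the `EnvironmentFile` it is loaded from; if ipcam_capture.sh can take the credential from the environment (or from a `LoadCredential=` file) it should be removed from argv, which this restart tuning does not change. The `[Unit]` section is outside the hunk, so I cannot tell whether `StartLimitIntervalSec=` is set; with `Restart=always` on a camera that is persistently unreachable the default start-rate limit may eventually stop the restarts, which is worth checking.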
@@ -5,7 +5,8 @@ After=network-online.target
 
 [Service]
 User=user
 Group=user
-Restart=on-failure
+Restart=always
+RestartSec=10
 ExecStart=/home/user/homekit/src/ipcam_server.py
 WorkingDirectory=/home/user
-- 
cgit v1.2.3
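Review bot: Switching from `Restart=on-failure` to `Restart=always` also restarts the server after a clean exit (only `systemctl stop` is exempt), which is presumably intended for a long-running daemon but is not stated; a comment `# restart even on clean exit: the server is expected to run forever` keeps the change from being reverted as a mistake. The unit runs `/home/user/homekit/src/ipcam_server.py` as `user` with no sandboxing directives; since the commit is already touching the service stanza, `NoNewPrivileges=yes` and `ProtectSystem=strict` (plus `ReadWritePaths=` for whatever the server writes, and `ProtectHome=read-only` rather than `yes`, because the script lives under /home/user) are cheap hardening to add, subject to verifying the server's write paths, which this hunk does not show.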