From 9d12fe730408f175dfa12ea65362068f69d0ff1f Mon Sep 17 00:00:00 2001 From: luwenpeng Date: Tue, 20 Dec 2022 16:59:55 +0800 Subject: [PATCH] =?UTF-8?q?TSG-13114=20TFE=E7=9A=84Decrypted=20Traffic=20S?= =?UTF-8?q?teering=E5=8A=9F=E8=83=BD=E6=94=AF=E6=8C=81IPv6=E5=8D=8F?= =?UTF-8?q?=E8=AE=AE=20=20=20=20=20tfe-env.service=E4=B8=AD=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0Decrypted=20Traffic=20Steering=E7=9A=84=E7=AD=96?= =?UTF-8?q?=E7=95=A5=E8=B7=AF=E7=94=B1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- common/src/tfe_tcp_restore.cpp | 16 +-- platform/src/tcp_stream.cpp | 202 +++++++++------------------------ script/service/tfe-env-config | 6 +- script/service/tfe-env.service | 75 +++++++++++- 4 files changed, 137 insertions(+), 162 deletions(-) diff --git a/common/src/tfe_tcp_restore.cpp b/common/src/tfe_tcp_restore.cpp index d66c9be..55f0537 100644 --- a/common/src/tfe_tcp_restore.cpp +++ b/common/src/tfe_tcp_restore.cpp @@ -88,6 +88,14 @@ int tfe_tcp_restore_fd_create(const struct tcp_restore_endpoint *endpoint, const goto errout; } + sockopt = fd_so_mask; + result = setsockopt(sockfd, SOL_SOCKET, SO_MARK, (char *)&sockopt, sizeof(sockopt)); + if (result < 0) + { + TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_MARK), %d: %s", errno, strerror(errno)); + goto errout; + } + result = setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, devname, strlen(devname)); if (result < 0) { @@ -128,14 +136,6 @@ int tfe_tcp_restore_fd_create(const struct tcp_restore_endpoint *endpoint, const goto errout; } - sockopt = fd_so_mask; - result = setsockopt(sockfd, SOL_SOCKET, SO_MARK, (char *)&sockopt, sizeof(sockopt)); - if (result < 0) - { - TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_MARK), %d: %s", errno, strerror(errno)); - goto errout; - } - // Setup SEQ/ACK and TCP options sockopt = TCP_SEND_QUEUE; result = setsockopt(sockfd, IPPROTO_TCP, TCP_REPAIR_QUEUE, (char *)&sockopt, sizeof(sockopt)); 
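Review bot: The SO_MARK block that now precedes SO_BINDTODEVICE in tfe_tcp_restore_fd_create has no comment saying why its position matters, so a later cleanup could move it back to where the second hunk removes it. If the intent is that the mark must be on the socket before it is bound or connected, so that the `ip rule add fwmark …` policy routes from tfe-env.service select its route, state that above the block, for example `/* Mark the socket before bind/connect so fwmark policy routing applies to it. */`. The bind and connect calls are outside both hunks, so that reason is inferred and should be confirmed. The same comment can note that SO_MARK needs CAP_NET_ADMIN, since a missing capability now fails the function at this earlier step.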
diff --git a/platform/src/tcp_stream.cpp b/platform/src/tcp_stream.cpp index 16bbfcb..2d124da 100644 --- a/platform/src/tcp_stream.cpp +++ b/platform/src/tcp_stream.cpp @@ -595,12 +595,10 @@ static void __stream_bev_readcb(struct bufferevent * bev, void * arg) { if (bev == _stream->conn_downstream->bev) { - this_conn = _stream->conn_downstream; peer_conn = _stream->conn_fake_c; } else if (bev == _stream->conn_upstream->bev) { - this_conn = _stream->conn_upstream; peer_conn = _stream->conn_fake_s; } else 
@@ -608,26 +606,37 @@ static void __stream_bev_readcb(struct bufferevent * bev, void * arg) assert(0); } + /* + * Peer connection is terminated, drain all data. + * This connection will be destoryed in __event_cb + */ inbuf = bufferevent_get_input(bev); - int data_len = evbuffer_get_length(inbuf); - outbuf = bufferevent_get_output(peer_conn->bev); - assert(inbuf != NULL && outbuf != NULL); - evbuffer_add_buffer(outbuf, inbuf); + if (peer_conn == NULL) + { + evbuffer_drain(inbuf, evbuffer_get_length(inbuf)); + return; + } // TODO 增加计数 - TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, send %d bytes form %s to %s", - data_len, bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream", - bev == _stream->conn_downstream->bev ? "conn_fake_c" : "conn_fake_s"); + TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s send %d bytes from %s to %s", + _stream->str_stream_addr, + evbuffer_get_length(inbuf), + bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream", + bev == _stream->conn_downstream->bev ? "conn_fake_c" : "conn_fake_s"); + + outbuf = bufferevent_get_output(peer_conn->bev); + evbuffer_add_buffer(outbuf, inbuf); return; } + this_conn = __this_conn(_stream, dir); peer_conn = __peer_conn(_stream, dir); /* Peer connection is terminated, drain all data. * This connection will be destoryed in __event_cb */ - inbuf = bufferevent_get_input(bev); + inbuf = bufferevent_get_input(bev); size_t contigous_len = evbuffer_get_length(inbuf); if (peer_conn == NULL) { 
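Review bot: The new TFE_LOG_DEBUG call in the steering branch of __stream_bev_readcb passes `evbuffer_get_length(inbuf)`, a size_t, to a `%d` conversion; the removed code stored the length in `int data_len` first, so the mismatch is introduced here and is undefined behaviour where size_t is wider than int. Change the format to `"decrypted traffic steering, %s send %zu bytes from %s to %s"`. The rewritten __steering_stream_bev_readcb (hunk at -1051,150) keeps the same `%d` with a size_t argument, and its message still reads `bytes form`. The body of __stream_bev_readcb starts and ends outside this hunk.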
@@ -781,7 +790,9 @@ static void __stream_bev_writecb(struct bufferevent * bev, void * arg) (STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl))) { // TODO 增加计数 - TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run writecb", bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream"); + TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run writecb", + _stream->str_stream_addr, + bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream"); return; } @@ -846,7 +857,13 @@ static void __stream_bev_eventcb(struct bufferevent * bev, short events, void * (STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl))) { // TODO 增加计数 - TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run eventcb", bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream"); + TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run eventcb, %s %s", + _stream->str_stream_addr, + bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream", + events & BEV_EVENT_ERROR ? "BEV_EVENT_ERROR" : "BEV_EVENT_EOF", + errno == 0 ? "" : strerror(errno) + ); + tfe_stream_destory(_stream); return; } @@ -1035,7 +1052,7 @@ __errout: static void __steering_stream_bev_readcb(struct bufferevent * bev, void * arg) { - struct tfe_stream_private * _stream = (struct tfe_stream_private *) arg; + struct tfe_stream_private * _stream = (struct tfe_stream_private *)arg; struct tfe_conn_private * peer_conn = NULL; if (bev == _stream->conn_fake_c->bev) 
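Review bot: In the steering branch of __stream_bev_eventcb the added `tfe_stream_destory(_stream)` runs for every event, and the log line labels anything that is not BEV_EVENT_ERROR as BEV_EVENT_EOF, so a BEV_EVENT_CONNECTED or BEV_EVENT_TIMEOUT reaching this callback would tear the stream down and be recorded as an EOF. Guard the teardown with `if (!(events & (BEV_EVENT_ERROR | BEV_EVENT_EOF))) return;` ahead of the log call. `errno` is read without knowing that this event set it, so the message can show an unrelated error; `evutil_socket_error_to_string(EVUTIL_SOCKET_ERROR())` captured at the top of the callback is the more reliable source. The rewritten __steering_stream_bev_eventcb (hunk at -1051,150) has the same two issues; the body of __stream_bev_eventcb starts and ends outside this hunk.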
@@ -1051,150 +1068,50 @@ static void __steering_stream_bev_readcb(struct bufferevent * bev, void * arg) assert(0); } - struct evbuffer * __input_buffer = bufferevent_get_input(bev); + /* + * Peer connection is terminated, drain all data. + * This connection will be destoryed in __event_cb + */ + struct evbuffer * inbuf = bufferevent_get_input(bev); if (peer_conn == NULL) { - evbuffer_drain(__input_buffer, evbuffer_get_length(__input_buffer)); + evbuffer_drain(inbuf, evbuffer_get_length(inbuf)); return; } // TODO 增加计数 - TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, send %d bytes form %s to %s", - evbuffer_get_length(__input_buffer), bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s", + TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s send %d bytes form %s to %s", + _stream->str_stream_addr, + evbuffer_get_length(inbuf), + bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s", bev == _stream->conn_fake_c->bev ? "conn_downstream" : "conn_upstream" ); - struct evbuffer * __output_buffer = bufferevent_get_output(peer_conn->bev); - evbuffer_add_buffer(__output_buffer, __input_buffer); + struct evbuffer * outbuf = bufferevent_get_output(peer_conn->bev); + evbuffer_add_buffer(outbuf, inbuf); } static void __steering_stream_bev_writecb(struct bufferevent * bev, void * arg) { struct tfe_stream_private * _stream = (struct tfe_stream_private *) arg; - struct tfe_conn_private ** ref_this_conn{}; - struct tfe_conn_private ** ref_peer_conn{}; - if (bev == _stream->conn_fake_c->bev) - { - ref_this_conn = &_stream->conn_fake_c; - ref_peer_conn = &_stream->conn_downstream; - } - else if (bev == _stream->conn_fake_s->bev) - { - ref_this_conn = &_stream->conn_fake_s; - ref_peer_conn = &_stream->conn_upstream; - } - else - { - assert(0); - } - - TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run write cb", bev == _stream->conn_fake_c->bev ? 
"conn_fake_c" : "conn_fake_s"); - - struct evbuffer * __output_buffer = bufferevent_get_output(bev); - assert(__output_buffer != NULL); - - // TODO 资源释放 - // TODO 资源释放 - // TODO 资源释放 - // TODO 资源释放 - - if (*ref_peer_conn == NULL && evbuffer_get_length(__output_buffer) == 0) - { - __conn_private_destory(*ref_this_conn); - *ref_this_conn = NULL; - } - - if (*ref_peer_conn == NULL && *ref_this_conn == NULL) - { - // TODO call_plugin_close(_stream); - tfe_stream_destory(_stream); - } + TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run writecb", + _stream->str_stream_addr, + bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s"); } static void __steering_stream_bev_eventcb(struct bufferevent *bev, short events, void *arg) { struct tfe_stream_private *_stream = (struct tfe_stream_private *)arg; - struct tfe_conn_private **ref_this_conn{}; - struct tfe_conn_private **ref_peer_conn{}; - if (bev == _stream->conn_fake_c->bev) - { - ref_this_conn = &_stream->conn_fake_c; - ref_peer_conn = &_stream->conn_downstream; - } - else if (bev == _stream->conn_fake_s->bev) - { - ref_this_conn = &_stream->conn_fake_s; - ref_peer_conn = &_stream->conn_upstream; - } - else - { - assert(0); - } - - TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run event cb", bev == _stream->conn_fake_c->bev ? 
"conn_fake_c" : "conn_fake_s"); - - if (events & BEV_EVENT_ERROR || events & BEV_EVENT_EOF) - { - if (evbuffer_get_length(bufferevent_get_input(bev))) - { - __steering_stream_bev_readcb(bev, arg); - } - - if (events & BEV_EVENT_ERROR) - { - unsigned long err; - while ((err = (bufferevent_get_openssl_error(bev)))) - { - const char *msg = (const char *)ERR_reason_error_string(err); - const char *lib = (const char *)ERR_lib_error_string(err); - const char *func = (const char *)ERR_func_error_string(err); - TFE_LOG_INFO(g_default_logger, "%s connection error, bufferevent_get_openssl_error() = %lu: %s %s %s", _stream->str_stream_addr, err, lib, func, msg); - } - - if (errno) - { - TFE_LOG_INFO(g_default_logger, "%s connection error, errno = %d, %s", _stream->str_stream_addr, errno, strerror(errno)); - } - } - - goto __close_connection; - } - - return; - -__close_connection: - // TODO 资源释放 - // TODO 资源释放 - // TODO 资源释放 - // TODO 资源释放 - if (*ref_peer_conn != NULL) - { - struct bufferevent *__peer_bev = (*ref_peer_conn)->bev; - struct evbuffer *__peer_output_buffer = bufferevent_get_output(__peer_bev); - - if (evbuffer_get_length(__peer_output_buffer) == 0) - { - __conn_private_destory(*ref_peer_conn); - *ref_peer_conn = NULL; - } - } - - if (*ref_this_conn != NULL) - { - __conn_private_destory(*ref_this_conn); - *ref_this_conn = NULL; - } - - if (*ref_this_conn == NULL && *ref_peer_conn == NULL) - { - // TODO call_plugin_close(_stream); - tfe_stream_destory(_stream); - } - - return; + TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run eventcb, %s %s", + _stream->str_stream_addr, + bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s", + events & BEV_EVENT_ERROR ? "BEV_EVENT_ERROR" : "BEV_EVENT_EOF", + errno == 0 ? "" : strerror(errno) + ); + tfe_stream_destory(_stream); } static tfe_conn_private *__conn_private_create_by_fake_fd(struct tfe_stream_private *stream, evutil_socket_t fd) 
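Review bot: The rewritten __steering_stream_bev_eventcb destroys the whole stream at once and no longer forwards what is still buffered: the removed code called `__steering_stream_bev_readcb(bev, arg)` when the input buffer was non-empty and kept a peer connection alive until its output buffer had drained. Unless tfe_stream_destory flushes pending output (its body is outside this hunk), the tail of a flow returning from the steering device can be dropped when either side closes. If immediate teardown is intended, document it above the function, for example `/* Steering is all-or-nothing: a close or error on a fake connection ends the whole stream and discards buffered data. */`; otherwise keep the input flush before the destroy. __stream_bev_eventcb now calls tfe_stream_destory for the same stream too, so it should be confirmed that neither callback can run for a stream the other has already freed.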
@@ -1258,9 +1175,7 @@ void ssl_downstream_create_on_success(future_result_t * result, void * user) __conn_private_enable(_stream->conn_downstream); __conn_private_enable(_stream->conn_upstream); - if (steering_device_is_available() && ( - (STREAM_PROTO_PLAIN == _stream->session_type && _stream->proxy_ref->traffic_steering_options.enable_steering_http) || - (STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl))) + if (steering_device_is_available() && _stream->proxy_ref->traffic_steering_options.enable_steering_ssl) { __conn_private_enable(_stream->conn_fake_c); __conn_private_enable(_stream->conn_fake_s); @@ -1427,7 +1342,6 @@ void tfe_stream_destory(struct tfe_stream_private * stream) if (__is_ssl(stream) && stream->ssl_downstream) { - // TODO core dump ssl_stream_free(stream->ssl_downstream, ev_base, stream->conn_downstream->bev); } @@ -1788,12 +1702,6 @@ int tfe_stream_init_by_fds(struct tfe_stream * stream, evutil_socket_t fd_downst assert(_stream->conn_fake_s != NULL); assert(_stream->conn_fake_c != NULL); - - // enable on upsteam and downsteam success - // __conn_private_enable(_stream->conn_fake_s); - // __conn_private_enable(_stream->conn_fake_c); - - // TFE_PROXY_STAT_INCREASE(STAT_STREAM_STEERING, 1); } if (_stream->session_type == STREAM_PROTO_PLAIN) 
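Review bot: ssl_downstream_create_on_success now tests only `enable_steering_ssl` and tfe_stream_init_by_fds (hunk at -1824,9) only `enable_steering_http`, while the read, write and event callbacks in this file still spell out the full `session_type` plus option test. The same decision written three ways can drift apart, and enabling `conn_fake_c`/`conn_fake_s` under a condition that differs from the one that created them would dereference a NULL connection; the creation condition is outside these hunks. One static helper used at all five sites keeps them in step; the helper name below is a suggestion.

```cpp
static bool __steering_enabled(const struct tfe_stream_private * _stream)
{
	const auto & opts = _stream->proxy_ref->traffic_steering_options;
	if (!steering_device_is_available())
	{
		return false;
	}
	return (STREAM_PROTO_PLAIN == _stream->session_type && opts.enable_steering_http) ||
		   (STREAM_PROTO_SSL == _stream->session_type && opts.enable_steering_ssl);
}

// … unchanged: __conn_private_enable(conn_downstream / conn_upstream) …
	if (__steering_enabled(_stream))
	{
		// … unchanged: __conn_private_enable(conn_fake_c / conn_fake_s) …
```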
@@ -1824,9 +1732,7 @@ int tfe_stream_init_by_fds(struct tfe_stream * stream, evutil_socket_t fd_downst __conn_private_enable(_stream->conn_downstream); __conn_private_enable(_stream->conn_upstream); - if (steering_device_is_available() && ( - (STREAM_PROTO_PLAIN == _stream->session_type && _stream->proxy_ref->traffic_steering_options.enable_steering_http) || - (STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl))) + if (steering_device_is_available() && _stream->proxy_ref->traffic_steering_options.enable_steering_http) { __conn_private_enable(_stream->conn_fake_s); __conn_private_enable(_stream->conn_fake_c); diff --git a/script/service/tfe-env-config b/script/service/tfe-env-config index 310b95c..8401f33 100644 --- a/script/service/tfe-env-config +++ b/script/service/tfe-env-config @@ -3,5 +3,7 @@ TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:00:00:01 TFE_PEER_MAC_DATA_INCOMING=aa:bb:cc:dd:ee:ff TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2 TFE_PEER_IP_DATA_INCOMING=172.16.241.1 -TFE_WATCHDOG_DEVICE=enp2s0 -TFE_WATCHDOG_IP=192.168.100.1 +STEERING_CLIENT_DEV_NAME=ens18f2 +STEERING_SERVER_DEV_NAME=ens18f3 +STEERING_CLIENT_DEV_MAC=80:61:5f:0f:97:e5 +STEERING_SERVER_DEV_MAC=80:61:5f:0f:97:e6 \ No newline at end of file diff --git a/script/service/tfe-env.service b/script/service/tfe-env.service index f83ea4a..2fa7f3f 100644 --- a/script/service/tfe-env.service +++ b/script/service/tfe-env.service @@ -13,7 +13,6 @@ RemainAfterExit=yes ExecStart=/bin/true ExecStop=/bin/true -# ExecStartPost=/usr/sbin/modprobe tfe-kmod ExecStartPost=/usr/sbin/ip link set ${TFE_DEVICE_DATA_INCOMING} address ${TFE_LOCAL_MAC_DATA_INCOMING} ExecStartPost=/usr/sbin/ip link set ${TFE_DEVICE_DATA_INCOMING} up ExecStartPost=/usr/sbin/ip addr flush dev ${TFE_DEVICE_DATA_INCOMING} 
@@ -31,9 +30,10 @@ ExecStartPost=/usr/sbin/ip route add default dev ${TFE_DEVICE_DATA_INCOMING} via # policy route v6 ExecStartPost=/usr/sbin/ip addr add fd00::02/64 dev ${TFE_DEVICE_DATA_INCOMING} -ExecStartPost=/usr/sbin/ip -6 route add default via fd00::01 ExecStartPost=/usr/sbin/ip -6 rule add iif ${TFE_DEVICE_DATA_INCOMING} tab 102 ExecStartPost=/usr/sbin/ip -6 route add local default dev lo table 102 +ExecStartPost=/usr/sbin/ip -6 rule add fwmark 0x65 lookup 202 +ExecStartPost=/usr/sbin/ip -6 route add default dev tap0 via fd00::01 table 202 ExecStartPost=/usr/sbin/ip -6 neigh add fd00::01 lladdr ${TFE_PEER_MAC_DATA_INCOMING} dev ${TFE_DEVICE_DATA_INCOMING} nud permanent # stop 
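Review bot: The added table-202 default route names `tap0` literally, while the fd00::01 neighbour entry in this same hunk and the IPv4 counterpart for table 101 use `${TFE_DEVICE_DATA_INCOMING}`. On a host where that variable is not tap0, the command either fails or sends fwmark 0x65 IPv6 traffic out of a different interface from the one holding the permanent neighbour entry. Use `ExecStartPost=/usr/sbin/ip -6 route add default dev ${TFE_DEVICE_DATA_INCOMING} via fd00::01 table 202`, and make the same substitution in the matching `ExecStopPost … route del … table 202` line of the next hunk.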
@@ -43,12 +43,79 @@ ExecStopPost=/usr/sbin/ip rule del iif ${TFE_DEVICE_DATA_INCOMING} tab 100 ExecStopPost=/usr/sbin/ip route del local default dev lo table 100 ExecStopPost=/usr/sbin/ip rule del fwmark 0x65 lookup 101 ExecStopPost=/usr/sbin/ip route del default dev ${TFE_DEVICE_DATA_INCOMING} via ${TFE_PEER_IP_DATA_INCOMING} table 101 +ExecStopPost=/usr/sbin/ip -6 rule del fwmark 0x65 lookup 202 +ExecStopPost=/usr/sbin/ip -6 route del default dev tap0 via fd00::01 table 202 ExecStopPost=/usr/sbin/ip -6 rule del iif ${TFE_DEVICE_DATA_INCOMING} tab 102 -ExecStopPost=/usr/sbin/ip -6 route del default via fd00::01 ExecStopPost=/usr/sbin/ip -6 route del local default dev lo table 102 ExecStopPost=/usr/sbin/ip addr del fd00::02/64 dev ${TFE_DEVICE_DATA_INCOMING} ExecStopPost=/usr/sbin/ip link set ${TFE_DEVICE_DATA_INCOMING} down -# ExecStopPost=/usr/sbin/modprobe -r tfe-kmod + +########################################################### +# Add Decrypted Traffic Steering Policy Route +########################################################### + +ExecStartPost=/usr/sbin/ethtool --offload ${STEERING_CLIENT_DEV_NAME} rx off tx off +ExecStartPost=/usr/sbin/ethtool --offload ${STEERING_SERVER_DEV_NAME} rx off tx off + +ExecStartPost=/usr/sbin/ip link set ${STEERING_CLIENT_DEV_NAME} up +ExecStartPost=/usr/sbin/ip link set ${STEERING_SERVER_DEV_NAME} up +ExecStartPost=/usr/sbin/ip addr flush dev ${STEERING_CLIENT_DEV_NAME} +ExecStartPost=/usr/sbin/ip addr flush dev ${STEERING_SERVER_DEV_NAME} + +ExecStartPost=/usr/sbin/ip addr add 2.2.2.2/24 dev ${STEERING_CLIENT_DEV_NAME} +ExecStartPost=/usr/sbin/ip addr add 3.3.3.3/24 dev ${STEERING_SERVER_DEV_NAME} +ExecStartPost=/usr/sbin/ip -4 neigh flush dev ${STEERING_CLIENT_DEV_NAME} +ExecStartPost=/usr/sbin/ip -4 neigh flush dev ${STEERING_SERVER_DEV_NAME} +ExecStartPost=/usr/sbin/ip -4 neigh add 2.2.2.1 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent +ExecStartPost=/usr/sbin/ip -4 neigh add 3.3.3.1 
lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent +ExecStartPost=/usr/sbin/ip -4 rule add fwmark 0x11 lookup 111 +ExecStartPost=/usr/sbin/ip -4 rule add fwmark 0x22 lookup 222 +ExecStartPost=/usr/sbin/ip -4 route add default dev ${STEERING_CLIENT_DEV_NAME} via 2.2.2.1 table 111 +ExecStartPost=/usr/sbin/ip -4 route add default dev ${STEERING_SERVER_DEV_NAME} via 3.3.3.1 table 222 +ExecStartPost=/usr/sbin/ip -4 rule add iif ${STEERING_CLIENT_DEV_NAME} tab 100 +ExecStartPost=/usr/sbin/ip -4 rule add iif ${STEERING_SERVER_DEV_NAME} tab 100 + +ExecStartPost=/usr/sbin/ip addr add fd02::02/64 dev ${STEERING_CLIENT_DEV_NAME} +ExecStartPost=/usr/sbin/ip addr add fd03::03/64 dev ${STEERING_SERVER_DEV_NAME} +ExecStartPost=/usr/sbin/ip -6 neigh flush dev ${STEERING_CLIENT_DEV_NAME} +ExecStartPost=/usr/sbin/ip -6 neigh flush dev ${STEERING_SERVER_DEV_NAME} +ExecStartPost=/usr/sbin/ip -6 neigh add fd02::01 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent +ExecStartPost=/usr/sbin/ip -6 neigh add fd03::01 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent +ExecStartPost=/usr/sbin/ip -6 rule add fwmark 0x11 lookup 333 +ExecStartPost=/usr/sbin/ip -6 rule add fwmark 0x22 lookup 444 +ExecStartPost=/usr/sbin/ip -6 route add default dev ${STEERING_CLIENT_DEV_NAME} via fd02::01 table 333 +ExecStartPost=/usr/sbin/ip -6 route add default dev ${STEERING_SERVER_DEV_NAME} via fd03::01 table 444 +ExecStartPost=/usr/sbin/ip -6 rule add iif ${STEERING_CLIENT_DEV_NAME} tab 102 +ExecStartPost=/usr/sbin/ip -6 rule add iif ${STEERING_SERVER_DEV_NAME} tab 102 + +########################################################### +# Del Decrypted Traffic Steering Policy Route +########################################################### + +ExecStopPost=/usr/sbin/ip -6 rule del iif ${STEERING_CLIENT_DEV_NAME} tab 102 +ExecStopPost=/usr/sbin/ip -6 rule del iif ${STEERING_SERVER_DEV_NAME} tab 102 +ExecStopPost=/usr/sbin/ip 
-6 route del default dev ${STEERING_CLIENT_DEV_NAME} via fd02::01 table 333 +ExecStopPost=/usr/sbin/ip -6 route del default dev ${STEERING_SERVER_DEV_NAME} via fd03::01 table 444 +ExecStopPost=/usr/sbin/ip -6 rule del fwmark 0x11 lookup 333 +ExecStopPost=/usr/sbin/ip -6 rule del fwmark 0x22 lookup 444 +ExecStopPost=/usr/sbin/ip -6 neigh del fd02::01 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent +ExecStopPost=/usr/sbin/ip -6 neigh del fd03::01 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent +ExecStopPost=/usr/sbin/ip addr del fd02::02/64 dev ${STEERING_CLIENT_DEV_NAME} +ExecStopPost=/usr/sbin/ip addr del fd03::03/64 dev ${STEERING_SERVER_DEV_NAME} + +ExecStopPost=/usr/sbin/ip -4 rule del iif ${STEERING_CLIENT_DEV_NAME} tab 100 +ExecStopPost=/usr/sbin/ip -4 rule del iif ${STEERING_SERVER_DEV_NAME} tab 100 +ExecStopPost=/usr/sbin/ip -4 route del default dev ${STEERING_CLIENT_DEV_NAME} via 2.2.2.1 table 111 +ExecStopPost=/usr/sbin/ip -4 route del default dev ${STEERING_SERVER_DEV_NAME} via 3.3.3.1 table 222 +ExecStopPost=/usr/sbin/ip -4 rule del fwmark 0x11 lookup 111 +ExecStopPost=/usr/sbin/ip -4 rule del fwmark 0x22 lookup 222 +ExecStopPost=/usr/sbin/ip -4 neigh del 2.2.2.1 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent +ExecStopPost=/usr/sbin/ip -4 neigh del 3.3.3.1 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent +ExecStopPost=/usr/sbin/ip -4 addr del 2.2.2.2/24 dev ${STEERING_CLIENT_DEV_NAME} +ExecStopPost=/usr/sbin/ip -4 addr del 3.3.3.3/24 dev ${STEERING_SERVER_DEV_NAME} + +ExecStopPost=/usr/sbin/ip link set ${STEERING_CLIENT_DEV_NAME} down +ExecStopPost=/usr/sbin/ip link set ${STEERING_SERVER_DEV_NAME} down [Install] RequiredBy=tfe.service
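Review bot: The steering section assigns `2.2.2.2/24` and `3.3.3.3/24` to the steering interfaces and routes through `2.2.2.1` and `3.3.3.1`; these are publicly routable prefixes, so once configured the host treats real destinations in 2.2.2.0/24 and 3.3.3.0/24 as on-link on the steering devices. An RFC 1918 range or the 198.18.0.0/15 benchmarking range avoids that (the IPv6 side already uses fd02::/64 and fd03::/64), ideally read from tfe-env-config like the device names and MACs. The new ExecStartPost lines carry no `-` prefix and run unconditionally, so on a host without the two steering NICs the first `ethtool --offload` presumably fails the unit, and tfe.service is `RequiredBy` it even when steering is disabled in the proxy options. The tfe-env-config defaults (`ens18f2`, `ens18f3` and their MACs) look host-specific and deserve a comment saying they must be overridden per deployment.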