TSG-13114 TFE的Decrypted Traffic Steering功能支持IPv6协议

tfe-env.service中增加Decrypted Traffic Steering的策略路由
2022-12-20 16:59:55 +08:00
parent 4142c18ddf
commit 9d12fe7304
4 changed files with 137 additions and 162 deletions
--- a/common/src/tfe_tcp_restore.cpp
+++ b/common/src/tfe_tcp_restore.cpp
@@ -88,6 +88,14 @@ int tfe_tcp_restore_fd_create(const struct tcp_restore_endpoint *endpoint, const
 		goto errout;
 	}

+	sockopt = fd_so_mask;
+	result = setsockopt(sockfd, SOL_SOCKET, SO_MARK, (char *)&sockopt, sizeof(sockopt));
+	if (result < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_MARK), %d: %s", errno, strerror(errno));
+		goto errout;
+	}
+	
 	result = setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, devname, strlen(devname));
 	if (result < 0)
 	{
@@ -128,14 +136,6 @@ int tfe_tcp_restore_fd_create(const struct tcp_restore_endpoint *endpoint, const
 		goto errout;
 	}

-	sockopt = fd_so_mask;
-	result = setsockopt(sockfd, SOL_SOCKET, SO_MARK, (char *)&sockopt, sizeof(sockopt));
-	if (result < 0)
-	{
-		TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_MARK), %d: %s", errno, strerror(errno));
-		goto errout;
-	}
-
 	// Setup SEQ/ACK and TCP options
 	sockopt = TCP_SEND_QUEUE;
 	result = setsockopt(sockfd, IPPROTO_TCP, TCP_REPAIR_QUEUE, (char *)&sockopt, sizeof(sockopt));
--- a/platform/src/tcp_stream.cpp
+++ b/platform/src/tcp_stream.cpp
@@ -595,12 +595,10 @@ static void __stream_bev_readcb(struct bufferevent * bev, void * arg)
 	{
 		if (bev == _stream->conn_downstream->bev)
 		{
-			this_conn = _stream->conn_downstream;
 			peer_conn = _stream->conn_fake_c;
 		}
 		else if (bev == _stream->conn_upstream->bev)
 		{
-			this_conn = _stream->conn_upstream;
 			peer_conn = _stream->conn_fake_s;
 		}
 		else
@@ -608,20 +606,31 @@ static void __stream_bev_readcb(struct bufferevent * bev, void * arg)
 			assert(0);
 		}

+		/*
+		 * Peer connection is terminated, drain all data.
+	 	 * This connection will be destoryed in __event_cb
+		 */
 		inbuf = bufferevent_get_input(bev);
-		int data_len =  evbuffer_get_length(inbuf);
-		outbuf = bufferevent_get_output(peer_conn->bev);
-		assert(inbuf != NULL && outbuf != NULL);
-		evbuffer_add_buffer(outbuf, inbuf);
+		if (peer_conn == NULL)
+		{
+			evbuffer_drain(inbuf, evbuffer_get_length(inbuf));
+			return;
+		}

 		// TODO 增加计数

-		TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, send %d bytes form %s to %s",
-					  data_len, bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream",
+		TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s send %d bytes from %s to %s",
+			_stream->str_stream_addr,
+			evbuffer_get_length(inbuf),
+			bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream",
 			bev == _stream->conn_downstream->bev ? "conn_fake_c" : "conn_fake_s");

+		outbuf = bufferevent_get_output(peer_conn->bev);
+		evbuffer_add_buffer(outbuf, inbuf);
+
 		return;
 	}
+
 	this_conn = __this_conn(_stream, dir);
 	peer_conn = __peer_conn(_stream, dir);

@@ -781,7 +790,9 @@ static void __stream_bev_writecb(struct bufferevent * bev, void * arg)
 		(STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl)))
 	{
 		// TODO 增加计数
-		TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run writecb",  bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream");
+		TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run writecb",
+			_stream->str_stream_addr,
+			bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream");
 		return;
 	}

@@ -846,7 +857,13 @@ static void __stream_bev_eventcb(struct bufferevent * bev, short events, void *
 		(STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl)))
 	{
 		// TODO 增加计数
-		TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run eventcb",  bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream");
+		TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run eventcb, %s %s",
+			_stream->str_stream_addr,
+			bev == _stream->conn_downstream->bev ? "conn_downstream" : "conn_upstream",
+			events & BEV_EVENT_ERROR ? "BEV_EVENT_ERROR" : "BEV_EVENT_EOF",
+			errno == 0 ? "" : strerror(errno)
+		);
+		tfe_stream_destory(_stream);
 		return;
 	}

@@ -1035,7 +1052,7 @@ __errout:

 static void __steering_stream_bev_readcb(struct bufferevent * bev, void * arg)
 {
-	struct tfe_stream_private * _stream = (struct tfe_stream_private *) arg;
+	struct tfe_stream_private * _stream = (struct tfe_stream_private *)arg;
 	struct tfe_conn_private * peer_conn = NULL;

 	if (bev == _stream->conn_fake_c->bev)
@@ -1051,150 +1068,50 @@ static void __steering_stream_bev_readcb(struct bufferevent * bev, void * arg)
 		assert(0);
 	}

-	struct evbuffer * __input_buffer = bufferevent_get_input(bev);
+	/*
+	 * Peer connection is terminated, drain all data.
+	 * This connection will be destoryed in __event_cb
+	 */
+	struct evbuffer * inbuf = bufferevent_get_input(bev);
 	if (peer_conn == NULL)
 	{
-		evbuffer_drain(__input_buffer, evbuffer_get_length(__input_buffer));
+		evbuffer_drain(inbuf, evbuffer_get_length(inbuf));
 		return;
 	}

 	// TODO 增加计数

-	TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, send %d bytes form %s to %s",
-		evbuffer_get_length(__input_buffer), bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s",
+	TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s send %d bytes form %s to %s",
+		_stream->str_stream_addr,
+		evbuffer_get_length(inbuf),
+		bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s",
 		bev == _stream->conn_fake_c->bev ? "conn_downstream" : "conn_upstream"
 	);

-	struct evbuffer * __output_buffer = bufferevent_get_output(peer_conn->bev);
-	evbuffer_add_buffer(__output_buffer, __input_buffer);
+	struct evbuffer * outbuf = bufferevent_get_output(peer_conn->bev);
+	evbuffer_add_buffer(outbuf, inbuf);
 }

 static void __steering_stream_bev_writecb(struct bufferevent * bev, void * arg)
 {
 	struct tfe_stream_private * _stream = (struct tfe_stream_private *) arg;
-	struct tfe_conn_private ** ref_this_conn{};
-	struct tfe_conn_private ** ref_peer_conn{};

-	if (bev == _stream->conn_fake_c->bev)
-	{
-		ref_this_conn = &_stream->conn_fake_c;
-		ref_peer_conn = &_stream->conn_downstream;
-	}
-	else if (bev == _stream->conn_fake_s->bev)
-	{
-		ref_this_conn = &_stream->conn_fake_s;
-		ref_peer_conn = &_stream->conn_upstream;
-	}
-	else
-	{
-		assert(0);
-	}
-
-	TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run write cb", bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s");
-
-	struct evbuffer * __output_buffer = bufferevent_get_output(bev);
-	assert(__output_buffer != NULL);
-
-	// TODO 资源释放
-	// TODO 资源释放
-	// TODO 资源释放
-	// TODO 资源释放
-
-	if (*ref_peer_conn == NULL && evbuffer_get_length(__output_buffer) == 0)
-	{
-		__conn_private_destory(*ref_this_conn);
-		*ref_this_conn = NULL;
-	}
-
-	if (*ref_peer_conn == NULL && *ref_this_conn == NULL)
-	{
-		// TODO call_plugin_close(_stream);
-		tfe_stream_destory(_stream);
-	}
+	TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run writecb",
+		_stream->str_stream_addr,
+		bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s");
 }

 static void __steering_stream_bev_eventcb(struct bufferevent *bev, short events, void *arg)
 {
 	struct tfe_stream_private *_stream = (struct tfe_stream_private *)arg;
-	struct tfe_conn_private **ref_this_conn{};
-	struct tfe_conn_private **ref_peer_conn{};

-	if (bev == _stream->conn_fake_c->bev)
-	{
-		ref_this_conn = &_stream->conn_fake_c;
-		ref_peer_conn = &_stream->conn_downstream;
-	}
-	else if (bev == _stream->conn_fake_s->bev)
-	{
-		ref_this_conn = &_stream->conn_fake_s;
-		ref_peer_conn = &_stream->conn_upstream;
-	}
-	else
-	{
-		assert(0);
-	}
-
-	TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s run event cb", bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s");
-
-	if (events & BEV_EVENT_ERROR || events & BEV_EVENT_EOF)
-	{
-		if (evbuffer_get_length(bufferevent_get_input(bev)))
-		{
-			__steering_stream_bev_readcb(bev, arg);
-		}
-
-		if (events & BEV_EVENT_ERROR)
-		{
-			unsigned long err;
-			while ((err = (bufferevent_get_openssl_error(bev))))
-			{
-				const char *msg = (const char *)ERR_reason_error_string(err);
-				const char *lib = (const char *)ERR_lib_error_string(err);
-				const char *func = (const char *)ERR_func_error_string(err);
-				TFE_LOG_INFO(g_default_logger, "%s connection error, bufferevent_get_openssl_error() = %lu: %s %s %s", _stream->str_stream_addr, err, lib, func, msg);
-			}
-
-			if (errno)
-			{
-				TFE_LOG_INFO(g_default_logger, "%s connection error, errno = %d, %s", _stream->str_stream_addr, errno, strerror(errno));
-			}
-		}
-
-		goto __close_connection;
-	}
-
-	return;
-
-__close_connection:
-	// TODO 资源释放
-	// TODO 资源释放
-	// TODO 资源释放
-	// TODO 资源释放
-	if (*ref_peer_conn != NULL)
-	{
-		struct bufferevent *__peer_bev = (*ref_peer_conn)->bev;
-		struct evbuffer *__peer_output_buffer = bufferevent_get_output(__peer_bev);
-
-		if (evbuffer_get_length(__peer_output_buffer) == 0)
-		{
-			__conn_private_destory(*ref_peer_conn);
-			*ref_peer_conn = NULL;
-		}
-	}
-
-	if (*ref_this_conn != NULL)
-	{
-		__conn_private_destory(*ref_this_conn);
-		*ref_this_conn = NULL;
-	}
-
-	if (*ref_this_conn == NULL && *ref_peer_conn == NULL)
-	{
-		// TODO call_plugin_close(_stream);
+	TFE_LOG_DEBUG(__STREAM_LOGGER(_stream), "decrypted traffic steering, %s %s run eventcb, %s %s",
+		_stream->str_stream_addr,
+		bev == _stream->conn_fake_c->bev ? "conn_fake_c" : "conn_fake_s",
+		events & BEV_EVENT_ERROR ? "BEV_EVENT_ERROR" : "BEV_EVENT_EOF",
+		errno == 0 ? "" : strerror(errno)
+		);
 	tfe_stream_destory(_stream);
-	}
-
-	return;
 }

 static tfe_conn_private *__conn_private_create_by_fake_fd(struct tfe_stream_private *stream, evutil_socket_t fd)
@@ -1258,9 +1175,7 @@ void ssl_downstream_create_on_success(future_result_t * result, void * user)
 	__conn_private_enable(_stream->conn_downstream);
 	__conn_private_enable(_stream->conn_upstream);

-	if (steering_device_is_available() && (
-		(STREAM_PROTO_PLAIN == _stream->session_type && _stream->proxy_ref->traffic_steering_options.enable_steering_http) ||
-		(STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl)))
+	if (steering_device_is_available() && _stream->proxy_ref->traffic_steering_options.enable_steering_ssl)
 	{
 		__conn_private_enable(_stream->conn_fake_c);
 		__conn_private_enable(_stream->conn_fake_s);
@@ -1427,7 +1342,6 @@ void tfe_stream_destory(struct tfe_stream_private * stream)

 	if (__is_ssl(stream) && stream->ssl_downstream)
 	{
-		// TODO core dump
 		ssl_stream_free(stream->ssl_downstream, ev_base, stream->conn_downstream->bev);
 	}

@@ -1788,12 +1702,6 @@ int tfe_stream_init_by_fds(struct tfe_stream * stream, evutil_socket_t fd_downst

 		assert(_stream->conn_fake_s != NULL);
 		assert(_stream->conn_fake_c != NULL);
-
-		// enable on upsteam and downsteam success
-		// __conn_private_enable(_stream->conn_fake_s);
-		// __conn_private_enable(_stream->conn_fake_c);
-
-		// TFE_PROXY_STAT_INCREASE(STAT_STREAM_STEERING, 1);
 	}

 	if (_stream->session_type == STREAM_PROTO_PLAIN)
@@ -1824,9 +1732,7 @@ int tfe_stream_init_by_fds(struct tfe_stream * stream, evutil_socket_t fd_downst
 		__conn_private_enable(_stream->conn_downstream);
 		__conn_private_enable(_stream->conn_upstream);

-		if (steering_device_is_available() && (
-			(STREAM_PROTO_PLAIN == _stream->session_type && _stream->proxy_ref->traffic_steering_options.enable_steering_http) ||
-			(STREAM_PROTO_SSL == _stream->session_type &&_stream->proxy_ref->traffic_steering_options.enable_steering_ssl)))
+		if (steering_device_is_available() && _stream->proxy_ref->traffic_steering_options.enable_steering_http)
 		{
 			__conn_private_enable(_stream->conn_fake_s);
 			__conn_private_enable(_stream->conn_fake_c);
--- a/script/service/tfe-env-config
+++ b/script/service/tfe-env-config
@@ -3,5 +3,7 @@ TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:00:00:01
 TFE_PEER_MAC_DATA_INCOMING=aa:bb:cc:dd:ee:ff
 TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2
 TFE_PEER_IP_DATA_INCOMING=172.16.241.1
-TFE_WATCHDOG_DEVICE=enp2s0
-TFE_WATCHDOG_IP=192.168.100.1
+STEERING_CLIENT_DEV_NAME=ens18f2
+STEERING_SERVER_DEV_NAME=ens18f3
+STEERING_CLIENT_DEV_MAC=80:61:5f:0f:97:e5
+STEERING_SERVER_DEV_MAC=80:61:5f:0f:97:e6
--- a/script/service/tfe-env.service
+++ b/script/service/tfe-env.service
@@ -13,7 +13,6 @@ RemainAfterExit=yes
 ExecStart=/bin/true
 ExecStop=/bin/true

-# ExecStartPost=/usr/sbin/modprobe tfe-kmod
 ExecStartPost=/usr/sbin/ip link set ${TFE_DEVICE_DATA_INCOMING} address ${TFE_LOCAL_MAC_DATA_INCOMING}
 ExecStartPost=/usr/sbin/ip link set ${TFE_DEVICE_DATA_INCOMING} up
 ExecStartPost=/usr/sbin/ip addr flush dev ${TFE_DEVICE_DATA_INCOMING}
@@ -31,9 +30,10 @@ ExecStartPost=/usr/sbin/ip route add default dev ${TFE_DEVICE_DATA_INCOMING} via

 # policy route v6
 ExecStartPost=/usr/sbin/ip addr add fd00::02/64 dev ${TFE_DEVICE_DATA_INCOMING}
-ExecStartPost=/usr/sbin/ip -6 route add default via fd00::01
 ExecStartPost=/usr/sbin/ip -6 rule add iif ${TFE_DEVICE_DATA_INCOMING} tab 102
 ExecStartPost=/usr/sbin/ip -6 route add local default dev lo table 102
+ExecStartPost=/usr/sbin/ip -6 rule add fwmark 0x65 lookup 202
+ExecStartPost=/usr/sbin/ip -6 route add default dev tap0 via fd00::01 table 202
 ExecStartPost=/usr/sbin/ip -6 neigh add fd00::01 lladdr ${TFE_PEER_MAC_DATA_INCOMING} dev ${TFE_DEVICE_DATA_INCOMING} nud permanent

 # stop
@@ -43,12 +43,79 @@ ExecStopPost=/usr/sbin/ip rule del iif ${TFE_DEVICE_DATA_INCOMING} tab 100
 ExecStopPost=/usr/sbin/ip route del local default dev lo table 100
 ExecStopPost=/usr/sbin/ip rule del fwmark 0x65 lookup 101
 ExecStopPost=/usr/sbin/ip route del default dev ${TFE_DEVICE_DATA_INCOMING} via ${TFE_PEER_IP_DATA_INCOMING} table 101
+ExecStopPost=/usr/sbin/ip -6 rule del fwmark 0x65 lookup 202
+ExecStopPost=/usr/sbin/ip -6 route del default dev tap0 via fd00::01 table 202
 ExecStopPost=/usr/sbin/ip -6 rule del iif ${TFE_DEVICE_DATA_INCOMING} tab 102
-ExecStopPost=/usr/sbin/ip -6 route del default via fd00::01
 ExecStopPost=/usr/sbin/ip -6 route del local default dev lo table 102
 ExecStopPost=/usr/sbin/ip addr del fd00::02/64 dev ${TFE_DEVICE_DATA_INCOMING}
 ExecStopPost=/usr/sbin/ip link set ${TFE_DEVICE_DATA_INCOMING} down
-# ExecStopPost=/usr/sbin/modprobe -r tfe-kmod
+
+###########################################################
+# Add Decrypted Traffic Steering Policy Route
+###########################################################
+
+ExecStartPost=/usr/sbin/ethtool --offload ${STEERING_CLIENT_DEV_NAME} rx off tx off
+ExecStartPost=/usr/sbin/ethtool --offload ${STEERING_SERVER_DEV_NAME} rx off tx off
+
+ExecStartPost=/usr/sbin/ip link set ${STEERING_CLIENT_DEV_NAME} up
+ExecStartPost=/usr/sbin/ip link set ${STEERING_SERVER_DEV_NAME} up
+ExecStartPost=/usr/sbin/ip addr flush dev ${STEERING_CLIENT_DEV_NAME}
+ExecStartPost=/usr/sbin/ip addr flush dev ${STEERING_SERVER_DEV_NAME}
+
+ExecStartPost=/usr/sbin/ip addr add 2.2.2.2/24 dev ${STEERING_CLIENT_DEV_NAME}
+ExecStartPost=/usr/sbin/ip addr add 3.3.3.3/24 dev ${STEERING_SERVER_DEV_NAME}
+ExecStartPost=/usr/sbin/ip -4 neigh flush dev ${STEERING_CLIENT_DEV_NAME}
+ExecStartPost=/usr/sbin/ip -4 neigh flush dev ${STEERING_SERVER_DEV_NAME}
+ExecStartPost=/usr/sbin/ip -4 neigh add 2.2.2.1 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent
+ExecStartPost=/usr/sbin/ip -4 neigh add 3.3.3.1 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent
+ExecStartPost=/usr/sbin/ip -4 rule add fwmark 0x11 lookup 111
+ExecStartPost=/usr/sbin/ip -4 rule add fwmark 0x22 lookup 222
+ExecStartPost=/usr/sbin/ip -4 route add default dev ${STEERING_CLIENT_DEV_NAME} via 2.2.2.1 table 111
+ExecStartPost=/usr/sbin/ip -4 route add default dev ${STEERING_SERVER_DEV_NAME} via 3.3.3.1 table 222
+ExecStartPost=/usr/sbin/ip -4 rule add iif ${STEERING_CLIENT_DEV_NAME} tab 100
+ExecStartPost=/usr/sbin/ip -4 rule add iif ${STEERING_SERVER_DEV_NAME} tab 100
+
+ExecStartPost=/usr/sbin/ip addr add fd02::02/64 dev ${STEERING_CLIENT_DEV_NAME}
+ExecStartPost=/usr/sbin/ip addr add fd03::03/64 dev ${STEERING_SERVER_DEV_NAME}
+ExecStartPost=/usr/sbin/ip -6 neigh flush dev ${STEERING_CLIENT_DEV_NAME}
+ExecStartPost=/usr/sbin/ip -6 neigh flush dev ${STEERING_SERVER_DEV_NAME}
+ExecStartPost=/usr/sbin/ip -6 neigh add fd02::01 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent
+ExecStartPost=/usr/sbin/ip -6 neigh add fd03::01 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent
+ExecStartPost=/usr/sbin/ip -6 rule add fwmark 0x11 lookup 333
+ExecStartPost=/usr/sbin/ip -6 rule add fwmark 0x22 lookup 444
+ExecStartPost=/usr/sbin/ip -6 route add default dev ${STEERING_CLIENT_DEV_NAME} via fd02::01 table 333
+ExecStartPost=/usr/sbin/ip -6 route add default dev ${STEERING_SERVER_DEV_NAME} via fd03::01 table 444
+ExecStartPost=/usr/sbin/ip -6 rule add iif ${STEERING_CLIENT_DEV_NAME} tab 102
+ExecStartPost=/usr/sbin/ip -6 rule add iif ${STEERING_SERVER_DEV_NAME} tab 102
+
+###########################################################
+# Del Decrypted Traffic Steering Policy Route
+###########################################################
+
+ExecStopPost=/usr/sbin/ip -6 rule del iif ${STEERING_CLIENT_DEV_NAME} tab 102
+ExecStopPost=/usr/sbin/ip -6 rule del iif ${STEERING_SERVER_DEV_NAME} tab 102
+ExecStopPost=/usr/sbin/ip -6 route del default dev ${STEERING_CLIENT_DEV_NAME} via fd02::01 table 333
+ExecStopPost=/usr/sbin/ip -6 route del default dev ${STEERING_SERVER_DEV_NAME} via fd03::01 table 444
+ExecStopPost=/usr/sbin/ip -6 rule del fwmark 0x11 lookup 333
+ExecStopPost=/usr/sbin/ip -6 rule del fwmark 0x22 lookup 444
+ExecStopPost=/usr/sbin/ip -6 neigh del fd02::01 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent
+ExecStopPost=/usr/sbin/ip -6 neigh del fd03::01 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent
+ExecStopPost=/usr/sbin/ip addr del fd02::02/64 dev ${STEERING_CLIENT_DEV_NAME}
+ExecStopPost=/usr/sbin/ip addr del fd03::03/64 dev ${STEERING_SERVER_DEV_NAME}
+
+ExecStopPost=/usr/sbin/ip -4 rule del iif ${STEERING_CLIENT_DEV_NAME} tab 100
+ExecStopPost=/usr/sbin/ip -4 rule del iif ${STEERING_SERVER_DEV_NAME} tab 100
+ExecStopPost=/usr/sbin/ip -4 route del default dev ${STEERING_CLIENT_DEV_NAME} via 2.2.2.1 table 111
+ExecStopPost=/usr/sbin/ip -4 route del default dev ${STEERING_SERVER_DEV_NAME} via 3.3.3.1 table 222
+ExecStopPost=/usr/sbin/ip -4 rule del fwmark 0x11 lookup 111
+ExecStopPost=/usr/sbin/ip -4 rule del fwmark 0x22 lookup 222
+ExecStopPost=/usr/sbin/ip -4 neigh del 2.2.2.1 lladdr ${STEERING_SERVER_DEV_MAC} dev ${STEERING_CLIENT_DEV_NAME} nud permanent
+ExecStopPost=/usr/sbin/ip -4 neigh del 3.3.3.1 lladdr ${STEERING_CLIENT_DEV_MAC} dev ${STEERING_SERVER_DEV_NAME} nud permanent
+ExecStopPost=/usr/sbin/ip -4 addr del 2.2.2.2/24 dev ${STEERING_CLIENT_DEV_NAME}
+ExecStopPost=/usr/sbin/ip -4 addr del 3.3.3.3/24 dev ${STEERING_SERVER_DEV_NAME}
+
+ExecStopPost=/usr/sbin/ip link set ${STEERING_CLIENT_DEV_NAME} down
+ExecStopPost=/usr/sbin/ip link set ${STEERING_SERVER_DEV_NAME} down

 [Install]
 RequiredBy=tfe.service