diff --git a/common/base.sh b/common/base.sh index 38ebf42..d7277c6 100644 --- a/common/base.sh +++ b/common/base.sh @@ -49,23 +49,31 @@ end_with_newline() local c=$(tail -c 1) [ "$c" = "" ] } -make_separator_list() + +append_separator_list() { # $1 - var name to receive result # $2 - separator - # $3,$4,... - elements - local var="$1" sep="$2" i + # $3 - quoter + # $4,$5,... - elements + local _var="$1" sep="$2" quo="$3" i - shift; shift + eval i="\$$_var" + shift; shift; shift while [ -n "$1" ]; do if [ -n "$i" ] ; then - i=$i$sep$1 + i="$i$sep$quo$1$quo" else - i=$1 + i="$quo$1$quo" fi shift done - eval $var=$i + eval $_var="\$i" +} +make_separator_list() +{ + eval $1='' + append_separator_list "$@" } make_comma_list() { @@ -73,7 +81,7 @@ make_comma_list() # $2,$3,... - elements local var="$1" shift - make_separator_list $var , "$@" + make_separator_list $var , '' "$@" } unique() { diff --git a/common/linux_iphelper.sh b/common/linux_iphelper.sh index 35af497..db0516f 100644 --- a/common/linux_iphelper.sh +++ b/common/linux_iphelper.sh @@ -109,3 +109,20 @@ unprepare_route_localnet() { set_route_localnet 0 "$@" } + +resolve_lower_devices() +{ + # $1 - bridge interface name + [ -d "/sys/class/net/$1" ] && { + find "/sys/class/net/$1" -follow -maxdepth 1 -name "lower_*" | + { + local l lower lowers + while read lower; do + lower=$(basename "$lower") + l="${lower#lower_*}" + [ "$l" != "$lower" ] && append_separator_list lowers ' ' '' "$l" + done + printf "$lowers" + } + } +} diff --git a/common/nft.sh b/common/nft.sh index 004d274..879f3e9 100644 --- a/common/nft.sh +++ b/common/nft.sh @@ -235,7 +235,7 @@ nft_script_add_ifset_element() # $2 - space separated elements local elements [ -n "$2" ] && { - make_comma_list elements $2 + make_separator_list elements ' ' '"' $2 script="${script} add element inet $ZAPRET_NFT_TABLE $1 { $elements }" } @@ -246,7 +246,7 @@ nft_fill_ifsets() # $2 - space separated wan interface names # $3 - space separated wan6 interface names - local script i ALLDEVS + local script i j ALLDEVS devs # if large sets exist nft works very ineffectively # looks like it analyzes the whole table blob to find required data pieces @@ -274,7 +274,17 @@ flush set inet $ZAPRET_NFT_TABLE lanif" nft_create_or_update_flowtable 'offload' 2>/dev/null # then add elements. some of them can cause error because unsupported for i in $ALLDEVS; do - nft_hw_offload_supported $i && nft_create_or_update_flowtable 'offload' $i + if nft_hw_offload_supported $i; then + nft_create_or_update_flowtable 'offload' $i + else + # bridge members must be added instead of the bridge itself + devs=$(resolve_lower_devices $i) + [ -n "$devs" ] && nft_hw_offload_supported $devs && { + for j in $devs; do + nft_create_or_update_flowtable 'offload' $j + done + } + fi done ;; esac