[BB #295] Incompatibilities between CTF and MultiWAN #46

Open
xixix-ft opened this issue Jan 29, 2025 · 0 comments
Comments

@xixix-ft

Ref. https://bitbucket.org/pedro311/freshtomato-arm/issues/295/incompatibilities-between-ctf-and-multiwan

It has been reported a couple of times that both watchdog and MultiWAN Routing don’t behave as expected when CTF is enabled.

It might be the case to tag certain packets (e.g. the multiwan watchdog ones) as per MultiWAN compatibility (skipping CTF essentially) e.g.

# Only when CTF is enabled (ctf_disable == 0): insert the ICMP marking rule once,
# skipping the insert if an equivalent MARK rule is already in mangle/PREROUTING.
[ $(nvram get ctf_disable) -eq 0 ] && {
iptables -t mangle -nvL PREROUTING | grep -q '.*MARK.*icmp.*0x1/0x7' || iptables -t mangle -I PREROUTING -i $(nvram get wan_ifnames) -p icmp -j MARK --set-mark 0x01/0x7
}

To remove whenever needed:

iptables -t mangle -D PREROUTING -i $(nvram get wan_ifnames) -p icmp -j MARK --set-mark 0x01/0x7

This should tag all the icmp traffic and (not tested yet) hopefully allow for traceroute and ping at least to work correctly.

BTW while I look into curl… this line from the watchdog:

curl $IP --interface $IFACE --connect-timeout $((i+3)) -ksfI -o /dev/null && RESULT=$((RESULT+1))

Appears incorrect as curl (unless I’m misreading this):

root@sparrow:/mnt/USB/wireguard# curl
curl: try 'curl --help' for more information
root@sparrow:/mnt/USB/wireguard# curl --help
Usage: curl [options...] <url>
-d, --data <data> HTTP POST data
-f, --fail Fail fast with no output on HTTP errors
-h, --help <category> Get help for commands
-i, --include Include protocol response headers in the output
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
-s, --silent Silent mode
-T, --upload-file <file> Transfer local FILE to destination
-u, --user user:password Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit

This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
For all options use the manual or "--help all". 

doesn’t support -k or -I, so the correct syntax I would expect to be:

curl $IP --interface $IFACE --connect-timeout $((i+3)) -sf -o /dev/null && RESULT=$((RESULT+1)) 


Comments (8)

rs232 reporter
    edited description
    2023-08-22
pedro repo owner

    curl --help all
    Usage: curl [options...] <url>
    …
    -D, --dump-header <filename> Write the received headers to <filename>
    --egd-file <file> EGD socket path for random data
    --engine <name> Crypto engine to use
    --etag-compare <file> Pass an ETag from a file as a custom header
    --etag-save <file> Parse ETag from a request and save it to a file
    --expect100-timeout <seconds> How long to wait for 100-continue
    -f, --fail Fail fast with no output on HTTP errors
    --fail-early Fail on first transfer error, do not continue
    --fail-with-body Fail on HTTP errors but save the body
    --false-start Enable TLS False Start
    …
    -G, --get Put the post data in the URL and use GET
    -g, --globoff Disable URL sequences and ranges using {} and []
    --happy-eyeballs-timeout-ms <milliseconds> Time for IPv6 before trying IPv4
    --haproxy-protocol Send HAProxy PROXY protocol v1 header
    --haproxy-clientip Sets the HAProxy PROXY protocol v1 client IP
    -I, --head Show document info only
    -H, --header <header/@file> Pass custom header(s) to server
    …
    --ignore-content-length Ignore the size of the remote resource
    -i, --include Include protocol response headers in the output
    -k, --insecure Allow insecure server connections
    --interface <name> Use network INTERFACE (or address)
    -4, --ipv4 Resolve names to IPv4 addresses
    -6, --ipv6 Resolve names to IPv6 addresses
    --json <data> HTTP POST JSON
    …
    -S, --show-error Show error even when -s is used
    -s, --silent Silent mode
    … 

    2023-08-28
rs232 reporter

Indeed I missed the “all”; never mind, the curl might be OK then, but the CTF is the core issue.
    2023-08-28
pedro repo owner
    changed status to [open](https://bitbucket.org/pedro311/freshtomato-arm/issues?status=open)
    2023-09-05
pedro repo owner
    changed status to [new](https://bitbucket.org/pedro311/freshtomato-arm/issues?status=new)
    2023-09-10
pedro repo owner

    This should tag all the icmp traffic and (not tested yet) hopefully allow for traceroute and ping at least to work correctly. 

We don’t have a rule in the mangle → PREROUTING chain containing “icmp”, so this won’t work.
    2024-11-13
rs232 reporter
    edited description
    2024-11-17
rs232 reporter

@pedro See the updated OP above, as there was for sure something that was missing. Indeed, we don’t have the ICMP marking in the mangle PREROUTING. As I understand it, when CTF is enabled, packets marked that way will be forced to bypass CTF and be processed normally.

On paper this approach is debatable as CTF is affecting LAN traffic only and that’s why we normally mark packets on the PREROUTING. For traffic generated by the router, it goes straight to OUTPUT and CTF is not relevant any more.

We could mangle in OUTPUT, but it would not impact CTFed traffic.

So perhaps this would not resolve the ping/traceroute failure when generated by the router, but it brings up a slightly different topic: how about adding under Miscellaneous (if CTF is enabled) a custom config where the users can specify a list of LAN IP/protocols/ports that should bypass CTF?
    2024-11-17
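The last comment proposes a user-maintained list of LAN IPs/protocols/ports that should bypass CTF. The script below is an added example, not FreshTomato code or anything attached to the issue: it turns such a list into mangle/PREROUTING MARK rules using the 0x01/0x7 mark the issue discusses, and only applies them when `nvram get ctf_disable` reports CTF as enabled. The list format (`src-ip proto port`, with `-` meaning "any"), the `br0` LAN bridge name, and the use of `iptables -C` for the duplicate check are assumptions.

```shell
# Added example (not FreshTomato's code). Generate and apply CTF-bypass
# marking rules from a user list. Assumed list format, one entry per line:
#   <src-ip or -> <proto or -> <dport or ->
# Lines starting with # and blank lines are ignored.
CTF_BYPASS_MARK="0x01/0x7"   # mark discussed in the issue
LAN_IF="br0"                 # assumed LAN bridge interface

# ctf_bypass_rules: read entries on stdin and print one iptables command per
# entry (dry run, nothing is executed here). Rules are inserted at the top of
# mangle/PREROUTING, matching the approach in the issue description.
ctf_bypass_rules() {
    while read -r ip proto port _; do
        case "$ip" in ''|'#'*) continue ;; esac
        rule="iptables -t mangle -I PREROUTING -i $LAN_IF"
        [ "$ip" != "-" ] && rule="$rule -s $ip"
        if [ -n "$proto" ] && [ "$proto" != "-" ]; then
            rule="$rule -p $proto"
            # a destination port only makes sense for tcp/udp
            case "$proto" in
                tcp|udp) [ -n "$port" ] && [ "$port" != "-" ] && rule="$rule --dport $port" ;;
            esac
        fi
        printf '%s -j MARK --set-mark %s\n' "$rule" "$CTF_BYPASS_MARK"
    done
}

# apply_ctf_bypass: do nothing unless CTF is enabled (ctf_disable == 0), then
# insert each generated rule only if it is not already present. The presence
# check uses `iptables -C` (assumed available on the target build).
apply_ctf_bypass() {
    [ "$(nvram get ctf_disable 2>/dev/null)" = "0" ] || return 0
    ctf_bypass_rules | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
        $check 2>/dev/null || $cmd
    done
}

# remove_ctf_bypass: delete the same rules (mirror of the "To remove" step).
remove_ctf_bypass() {
    ctf_bypass_rules | while read -r cmd; do
        del=$(printf '%s' "$cmd" | sed 's/ -I / -D /')
        $del 2>/dev/null || true
    done
}
```

Usage on the router would be `apply_ctf_bypass < /path/to/bypass.list` (and `remove_ctf_bypass < /path/to/bypass.list` to undo); `ctf_bypass_rules < bypass.list` alone prints the rules so they can be reviewed before anything touches the firewall. This only marks LAN-originated traffic entering via the bridge, which is consistent with the comment above that router-generated traffic goes straight to OUTPUT and is not affected.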