@Mic92
Last active December 20, 2015 19:45
[Unit]
Description=Setup policy routing for vpn gateways
[Service]
Type=oneshot
# Set gateway for local connections.
# fwmark is set in iptables OUTPUT chain:
# $ iptables -t mangle -I OUTPUT -j MARK --set-xmark 0x2a/0xffffffff
# $ ip6tables -t mangle -I OUTPUT -j MARK --set-xmark 0x2a/0xffffffff
# for the default gateway rp_filter needs to be disabled
ExecStart=/usr/bin/ip rule add fwmark 42 table lxc_gateway priority 424242
ExecStart=/usr/bin/bash -c "ip -4 route list 0/0 | while read ROUTE; do ip route add table lxc_gateway $ROUTE; done"
ExecStart=/usr/bin/bash -c "ip -4 route list 0/0 | while read ROUTE; do ip route del $ROUTE; done"
# same thing for ipv6
ExecStart=/usr/bin/ip -6 rule add fwmark 42 table lxc_gateway priority 424242
ExecStart=/usr/bin/bash -c "ip -6 route list ::/0 | while read ROUTE; do ip -6 route add table lxc_gateway $ROUTE; done"
ExecStart=/usr/bin/bash -c "ip -6 route list ::/0 | while read ROUTE; do ip -6 route del $ROUTE; done"
# Set a dummy default gateway for ipredator.
# This is needed because the kernel performs a routing-table lookup
# before the OUTPUT firewall chain is entered and fwmark 42 is set;
# later, ipredator will be added as a gateway to this table.
ExecStart=/usr/bin/ip rule add table ipredator priority 424243
ExecStart=/usr/bin/ip route add default dev lo scope link metric 1024 table ipredator
# same thing for ipv6
ExecStart=/usr/bin/ip -6 rule add table ipredator priority 424243
# the loopback-route trick used above does not work for ipv6,
# so use a link-local address which will hopefully never be used
ExecStart=/usr/bin/ip -6 route add default via fe80:dead:9292:beaf:6af7:28ff:feb2:8706 dev eth0 metric 1024 table ipredator
ExecStart=/usr/bin/ip route flush cache
ExecStart=/usr/bin/ip -6 route flush cache
[Install]
WantedBy=multi-user.target
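As an added example (not part of the gist), a small shell check that verifies the state this unit is meant to leave behind: the fwmark rule at priority 424242 pointing at lxc_gateway, the fallback rule at 424243 pointing at ipredator, no default route left in the main table, the MARK rule in the mangle OUTPUT chain, and rp_filter not in strict mode. It works on captured command output so it can be run offline; the sample outputs below are constructed, and the function name is my own.

```bash
#!/usr/bin/env bash
# Usage on a live host (assumed, not from the gist):
#   check_policy_routing "$(ip rule)" "$(ip route)" \
#       "$(iptables-save -t mangle)" "$(sysctl -n net.ipv4.conf.all.rp_filter)"
# Returns 0 when every condition holds, otherwise prints what is wrong and returns 1.
check_policy_routing() {
  local rules="$1" routes="$2" mangle="$3" rp_filter="$4" ok=0
  # 1. packets marked 42 (0x2a) must be steered to table lxc_gateway at prio 424242
  if ! printf '%s\n' "$rules" | grep -Eq '^424242:.*fwmark 0x2a .*lookup lxc_gateway'; then
    echo "missing: fwmark 0x2a rule -> lxc_gateway"; ok=1
  fi
  # 2. the dummy fallback table must be consulted right after it
  if ! printf '%s\n' "$rules" | grep -Eq '^424243:.*lookup ipredator'; then
    echo "missing: fallback rule -> ipredator"; ok=1
  fi
  # 3. the unit moves the default route out of main; if it is still there the
  #    fwmark detour is bypassed for unmarked traffic
  if printf '%s\n' "$routes" | grep -Eq '^default '; then
    echo "main table still carries a default route"; ok=1
  fi
  # 4. without the MARK rule nothing ever hits table lxc_gateway
  if ! printf '%s\n' "$mangle" | grep -Eq -- '^-A OUTPUT .*-j MARK --set-xmark 0x2a/0xffffffff'; then
    echo "missing: MARK --set-xmark 0x2a rule in mangle OUTPUT"; ok=1
  fi
  # 5. strict rp_filter (1) drops replies whose reverse lookup lands in the
  #    dummy table; disabled (0) or loose (2) is required
  if [ "$rp_filter" != "0" ] && [ "$rp_filter" != "2" ]; then
    echo "rp_filter is '$rp_filter' (must be 0 or 2)"; ok=1
  fi
  return "$ok"
}

# Constructed sample output, shaped like the commands above produce it.
SAMPLE_RULES='0:      from all lookup local
424242: from all fwmark 0x2a lookup lxc_gateway
424243: from all lookup ipredator
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'
SAMPLE_MANGLE='*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -j MARK --set-xmark 0x2a/0xffffffff
COMMIT'

check_policy_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" 0 && echo "policy routing OK"
```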