海运的博客

iptables log当数据量较大的时候严重占用cpu资源，可以使用iptables nflog扩展配合ulogd收集日志，不占用cpu资源并且支持多种存储后端。
openwrt需安装以下：

opkg install iptables-mod-nflog ulogd ulogd-mod-extra ulogd-mod-nflog

ulogd配置文件，/etc/ulogd.conf

[global]
logfile="/var/log/ulogd.log"

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"

stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=1

[emu1]
logfile="/var/log/nflog1.log"
sync=1

iptables规则：

iptables -I OUTPUT -p tcp --dport 80 -j NFLOG --nflog-group 1 

也可以使用tcpdump监测，查看tcpdump是否支持nflog或nfqueue：

tcpdump -D
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]

tcpdump -i nflog:1

修改~/.bashrc添加：

shopt -s histappend
#PROMPT_COMMAND="history -a; history -c; history -r; $PROMPT_COMMAND"
PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND$'\n'}history -a; history -c; history -r"

https://unix.stackexchange.com/questions/1288/preserve-bash-history-in-multiple-terminal-windows

先通过web或修改配置添加wifi guest访客网络，network配置，通过mtk管理界面添加的无线接口要添加到网桥：

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.100.1'
        option netmask '255.255.255.0'
        option device 'br-guest'
        option ip6assign '64'
        #分配的前缀,即xxxx:xxxx:xxxx:10::/64
        option ip6hint 10
        #只分配ula_prefix定义的私网,如果pppoe能分配60或以上可以不配置此选项分配私网和wan_6公网                                                                                                                                                                                                                             
        list ip6class local

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'ra1'
        list ports 'rax1'

通过openwrt原生无线管理添加的接口要添加到指定网络无需额外添加到网桥：

config wifi-iface 'wifinet3'
        option device 'MT7986_1_1'
        option mode 'ap'
        option ssid '2.4G-guest'
        option encryption 'psk-mixed'
        option key 'www.haiyun.me'
        option network 'guest'

dhcp配置：

config dhcp 'guest'                
        option interface 'guest'
        option start '150'
        option limit '100'            
        option leasetime '12h'     
        option dhcpv4 'server'
        list ra_flags 'none'
        option dns_service '0'        
        option ra_default '2' #强制通告ipv6路由给客户端     
        option ra 'server'
        option ra_maxinterval '120'
        option ra_ra_mininterval '60' 
        option ra_lifetime '1200' 
        option ra_useleasetime '1'
        option preferred_lifetime '10m'

iptables配置：

ip6tables -A INPUT -i br-guest -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -i br-guest -o pppoe-wan -j ACCEPT
ip6tables -t nat -A POSTROUTING -s xxxx:xxxx:xxxx:10::/64 -o pppoe-wan -j MASQUERADE

当pppoe成功获取ipv6时添加ipv6默认路由：

echo 'ip -6 rou add default via $LLREMOTE dev $IFNAME' >> /lib/netifd/ppp6-up 

如果是dhcp获取添加hotplug设置ipv6默认路由：

#!/bin/bash
if [ $ACTION = "ifup" -a "$INTERFACE" = "wan6" ]; then
   ip -6 rou add default via fe80::1 dev eth1
fi