porech / engarde

A go network utility to create a reliable IP tunnel over multiple connections
GNU General Public License v2.0

How to pass exclude/include command like interface, but on commandline? #17

Closed Marctraider closed 4 years ago

Marctraider commented 4 years ago

I need to be able to include/exclude interfaces from outside engarde interface (scripted) while it's running

is this possible?

ale-rinaldi commented 4 years ago

Hello, it is possible via API requests, if you enabled the web interface. You need to make a POST request to http://localhost:9001/api/v1/swap-exclusion (change host and port as per your configuration), with HTTP basic authentication, with this body: {"interface":"ifname"}

For a Bash script, for example, you could use something like this:

curl --user username:password 'http://localhost:9001/api/v1/swap-exclusion' --data '{"interface":"interface-name"}'

This will swap excluded status.

To know whether an interface is excluded or not you can make a GET to http://localhost:9001/api/v1/get-list :

curl --user username:password 'http://localhost:9001/api/v1/get-list'

This will return a JSON of all the interfaces: the status can be "active", "idle" or "excluded".

I will write some more API documentation soon!

Keep in mind that the changes are not permanent and are lost after an engarde restart.

Please let me know if this solves the issue for you, or you'd like it solved differently.

Thanks!

Marctraider commented 4 years ago

@ale-rinaldi Hey man! Good to hear you're still working on this great program!

Sounds great! I will try this later today! I'd rather not want to completely take the interfaces down but rather disconnect them from engarde. I'm not sure what is technically preferred.

Now I catch you on, maybe you could help me with something else (I'd rather not want to open dozens of issues for some questions lol)

Currently the engarde setup I run with 3 wan is rock stable, but I want to fortify even more with 'udpspeeder' in between.

Currently my setup is like this, I made a small mspaint picture, I think it is correct, but haven't figured out where to put the client/server with udpspeeder ports.

udpspeeder

Edit: maybe it's better to somehow run https://github.com/wangyu-/tinyfecVPN

ale-rinaldi commented 4 years ago

> Sounds great! I will try this later today! I'd rather not want to completely take the interfaces down but rather disconnect them from engarde. I'm not sure what is technically preferred.

Yep, the API call just excludes them from the interfaces engarde will send traffic on, it doesn't take down the interfaces or anything, just like the "EXCLUDE" button on the web interface would.

> Currently the engarde setup I run with 3 wan is rock stable, but I want to fortify even more with 'udpspeeder' in between.
>
> Currently my setup is like this, I made a small mspaint picture, I think it is correct, but haven't figured out where to put the client/server with udpspeeder ports.

Hmm, the only way to do that currently is by creating a "fake" interface on the system and overriding the destination address on it to match the udpspeeder listen address. But it's not the most comfortable thing.

I will for sure consider to add a feature to do it without hacky ways! At the moment, by the way, I'm planning to work on an easier setup procedure as first thing, I'm sure you noticed it's something totally missing the point at the moment :D then, I will work on the improvements, and this will be one of them! ;)

Marctraider commented 4 years ago

Sounds good!

Maybe just implement reed-solomon FEC directly into engarde itself?(optional) That would no longer require all this complication 👍

Will look forward to enhancements either way!

ale-rinaldi commented 4 years ago

Yep, this would be the best thing. There's already a Golang implementation, so it's not hard at all. I'll probably make it optional, btw, since in some contexts low latency is more important than error correction.

Thanks for the suggestion!

Marctraider commented 4 years ago

> Yep, this would be the best thing. There's already a Golang implementation, so it's not hard at all. I'll probably make it optional, btw, since in some contexts low latency is more important than error correction.
>
> Thanks for the suggestion!

Yes that's true. I wonder how much latency it will cost with just realtime gaming or voip, without massive bandwidth.

Assuming it will someday be implemented, is it also possible to apply this on the fly? Or on only specific interfaces?

Marctraider commented 4 years ago

@ale-rinaldi Quicky, how do you specifically exclude or include an interface, rather than flipping it? (swap)?

The curl commands work great but need specific up or down!

Edit: Think I found it, api/v1/reset-exclusions

Thanks!

Marctraider commented 4 years ago

I think I know what I'm looking for now, reset-exclusions does what I want, however swap-exclusions can put it back up and down on the same command, which can screw over my connection up/down alert system. So basically I'm looking for a

curl 'http://localhost:9001/api/v1/include' --data '{"interface":"eth3"}'
curl 'http://localhost:9001/api/v1/exclude' --data '{"interface":"eth3"}'

So even if my alert system or when my system reboots the state of link is 'confused', it will never turn it off when it needs to turn on, and vice versa. It would basically send exclude to an already down-link so to speak, and basically does nothing or overwrites the config with the same state.

Edit: Mhh for the time being, after a reboot, I can indeed read interface state in engarde and make a quick script to see its current state and act upon that! :)
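
Added example, not part of the thread and not engarde's own code: a Python version of the read-state-then-act approach from the comment above, which calls swap-exclusion only when get-list shows the interface is not already in the wanted state. The JSON layout of get-list (an "interfaces" array of objects with "name" and "status") and all function names are assumptions; the thread only gives the three status values.

```python
import base64
import json
import urllib.request

BASE = "http://localhost:9001/api/v1"  # host and port as given in the thread


def needs_swap(listing, ifname, want_excluded):
    """True when swap-exclusion must be called to reach the wanted state.

    ASSUMPTION: get-list returns {"interfaces": [{"name": ..., "status": ...}]};
    the thread only states that status is "active", "idle" or "excluded".
    """
    for iface in listing.get("interfaces", []):
        if iface.get("name") == ifname:
            return (iface.get("status") == "excluded") != want_excluded
    # Unknown interface: refuse to toggle blindly.
    raise KeyError(f"interface {ifname!r} not in get-list output")


def _call(path, user, password, body=None):
    """GET (body is None) or POST a JSON body with HTTP basic authentication."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{BASE}/{path}", data=data)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def set_excluded(ifname, want_excluded, user, password):
    """Idempotent exclude/include built on get-list + swap-exclusion.
    Not atomic: another client could swap the state between the two requests.
    """
    listing = json.loads(_call("get-list", user, password))
    if not needs_swap(listing, ifname, want_excluded):
        return "unchanged"
    _call("swap-exclusion", user, password, {"interface": ifname})
    return "swapped"


# Constructed sample shaped per the assumption above, not captured from engarde.
SAMPLE = {"interfaces": [{"name": "eth1", "status": "active"},
                         {"name": "eth2", "status": "idle"},
                         {"name": "eth3", "status": "excluded"}]}

if __name__ == "__main__":
    for name, want in [("eth3", True), ("eth3", False), ("eth2", True)]:
        print(name, "exclude" if want else "include", needs_swap(SAMPLE, name, want))
```

Passing the username and password to `set_excluded` from a file or the environment keeps them out of the process list, unlike `curl --user username:password` on the command line.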

ale-rinaldi commented 4 years ago

Yep, I see your point, that's another thing that is missing :( However, it's much easier to implement, I'm gonna add this in the weekend :) Thanks!

ale-rinaldi commented 4 years ago

Hello,

please try binaries at https://engarde.linuxzogno.org/builds/feature/add-include-exclude-webpoint/ to ensure they work as you expect.
The endpoints are exactly the ones you suggested: /api/v1/include and /api/v1/exclude. The payload to provide is the same as /api/v1/swap-exclusion.

After your confirmation, I'll merge the change into master and close this issue. Please open another one about the reed-solomon feature suggestion. This is really interesting, but I don't know exactly when I'll look into it since it's a bigger change than this.

Thank you!

Marctraider commented 4 years ago

> Hello,
>
> please try binaries at https://engarde.linuxzogno.org/builds/feature/add-include-exclude-webpoint/ to ensure they work as you expect. The endpoints are exactly the ones you suggested: /api/v1/include and /api/v1/exclude. The payload to provide is the same as /api/v1/swap-exclusion.
>
> After your confirmation, I'll merge the change into master and close this issue. Please open another one about the reed-solomon feature suggestion. This is really interesting, but I don't know exactly when I'll look into it since it's a bigger change than this.
>
> Thank you!

Thank you as well! I will try these binaries on client and server and let you know very shortly!

Can I just make issues without making you nervous? I don't want to bother you too much 👍 Not sure if they are all valid or maybe just infrastructure / configuration 'flaws' on my side.

Marctraider commented 4 years ago

@ale-rinaldi I can confirm it works perfect so far! Overriding with same status just gives me message 'already included or excluded'.

Also excluding the interface in engarde.yml (on boot) and later adding it with include works fine!

If I find any bugs I'll let you know, but so far so good.