servers/roles/ocserv/files/ocserv-script

#!/bin/sh

set -x

[ -n "$DEVICE" ] || exit 1
[ -n "$USERNAME" ] || exit 2
[ -n "$IP_REMOTE" ] || exit 3

chain="inet ocserv client-${USERNAME}"
remote_ip="${IP_REMOTE%/*}"

case "${REASON}" in
connect)
	nft "add chain ${chain} { type filter hook forward priority filter; policy accept; }"
	nft "flush chain ${chain}" # in case it already existed and not empty
	if [ -n "$OCSERV_ROUTES" ] ; then
		# convert netmask to prefix len, e.g. /255.0.0.0 to /8 and replace spaces with commas
		routes="$(netmask $OCSERV_ROUTES | paste -s -d ',' | tr -d '[:space:]')"
		nft "add rule ${chain} iif ${DEVICE} ip saddr ${remote_ip} ip daddr { ${routes} } mark set 0x100"
	fi
	;;
disconnect)
	nft "delete chain ${chain}"
	;;
esac