mirror of
https://github.com/bol-van/zapret.git
synced 2026-06-17 12:50:03 +04:00
init.d: number pools. FW_EXTRA. nft insert. customs reorder
This commit is contained in:
bol-van
@@ -329,6 +329,25 @@ win_process_exists()
|
||||
tasklist /NH /FI "IMAGENAME eq ${1}.exe" | grep -q "^${1}.exe"
|
||||
}
|
||||
|
||||
alloc_num()
|
||||
{
|
||||
# $1 - source var name
|
||||
# $2 - target var name
|
||||
# $3 - min
|
||||
# $4 - max
|
||||
|
||||
local v
|
||||
eval v="\$$2"
|
||||
# do not replace existing value
|
||||
[ -n "$v" ] && return
|
||||
eval v="\$$1"
|
||||
[ -n "$v" ] || v=$3
|
||||
eval $2="$v"
|
||||
v=$((v + 1))
|
||||
[ $v -gt $4 ] && v=$3
|
||||
eval $1="$v"
|
||||
}
|
||||
|
||||
std_ports()
|
||||
{
|
||||
HTTP_PORTS=${HTTP_PORTS:-80}
|
||||
|
||||
@@ -23,3 +23,20 @@ custom_runner()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
alloc_tpws_port()
|
||||
{
|
||||
# $1 - target var name
|
||||
alloc_num NUMPOOL_TPWS_PORT $1 910 979
|
||||
}
|
||||
alloc_qnum()
|
||||
{
|
||||
# $1 - target var name
|
||||
alloc_num NUMPOOL_QNUM $1 65400 65499
|
||||
}
|
||||
alloc_dnum()
|
||||
{
|
||||
# alloc daemon number
|
||||
# $1 - target var name
|
||||
alloc_num NUMPOOL_DNUM $1 1000 1999
|
||||
}
|
||||
|
||||
+3
-3
@@ -3,15 +3,15 @@ readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=p
|
||||
|
||||
ipt()
|
||||
{
|
||||
iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
|
||||
iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || iptables $FW_EXTRA_PRE -I "$@" $FW_EXTRA_POST
|
||||
}
|
||||
ipta()
|
||||
{
|
||||
iptables -C "$@" >/dev/null 2>/dev/null || iptables -A "$@"
|
||||
iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || iptables $FW_EXTRA_PRE -A "$@" $FW_EXTRA_POST
|
||||
}
|
||||
ipt_del()
|
||||
{
|
||||
iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
|
||||
iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null && iptables $FW_EXTRA_PRE -D "$@" $FW_EXTRA_POST
|
||||
}
|
||||
ipt_add_del()
|
||||
{
|
||||
|
||||
+20
-10
@@ -199,7 +199,15 @@ nft_add_rule()
|
||||
# $2,$3,... - rule(s)
|
||||
local chain="$1"
|
||||
shift
|
||||
nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
|
||||
nft add rule inet $ZAPRET_NFT_TABLE $chain $FW_EXTRA_PRE "$@"
|
||||
}
|
||||
nft_insert_rule()
|
||||
{
|
||||
# $1 - chain
|
||||
# $2,$3,... - rule(s)
|
||||
local chain="$1"
|
||||
shift
|
||||
nft insert rule inet $ZAPRET_NFT_TABLE $chain $FW_EXTRA_PRE "$@"
|
||||
}
|
||||
nft_add_set_element()
|
||||
{
|
||||
@@ -227,6 +235,7 @@ nft_clean_nfqws_rule()
|
||||
nft_add_nfqws_flow_exempt_rule()
|
||||
{
|
||||
# $1 - rule (must be all filters in one var)
|
||||
local FW_EXTRA_POST= FW_EXTRA_PRE=
|
||||
nft_add_rule flow_offload $(nft_clean_nfqws_rule $1) return comment \"direct flow offloading exemption\"
|
||||
# do not need this because of oifname @wanif/@wanif6 filter in forward chain
|
||||
#nft_add_rule flow_offload $(nft_reverse_nfqws_rule $1) return comment \"reverse flow offloading exemption\"
|
||||
@@ -236,6 +245,7 @@ nft_add_flow_offload_exemption()
|
||||
# "$1" - rule for ipv4
|
||||
# "$2" - rule for ipv6
|
||||
# "$3" - comment
|
||||
local FW_EXTRA_POST= FW_EXTRA_PRE=
|
||||
[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif $1 ip daddr != @nozapret return comment \"$3\"
|
||||
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
|
||||
}
|
||||
@@ -399,7 +409,7 @@ nft_only()
|
||||
|
||||
nft_print_op()
|
||||
{
|
||||
echo "Adding nftables ipv$3 rule for $2 : $1"
|
||||
echo "Inserting nftables ipv$3 rule for $2 : $1"
|
||||
}
|
||||
_nft_fw_tpws4()
|
||||
{
|
||||
@@ -410,8 +420,8 @@ _nft_fw_tpws4()
|
||||
[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
|
||||
local filter="$1" port="$2"
|
||||
nft_print_op "$filter" "tpws (port $2)" 4
|
||||
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
|
||||
prepare_route_localnet
|
||||
}
|
||||
}
|
||||
@@ -425,9 +435,9 @@ _nft_fw_tpws6()
|
||||
[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
|
||||
local filter="$1" port="$2" DNAT6 i
|
||||
nft_print_op "$filter" "tpws (port $port)" 6
|
||||
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
||||
nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
|
||||
[ -n "$3" ] && {
|
||||
nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
|
||||
nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
|
||||
for i in $3; do
|
||||
_dnat6_target $i DNAT6
|
||||
# can be multiple tpws processes on different ports
|
||||
@@ -476,7 +486,7 @@ _nft_fw_nfqws_post4()
|
||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
|
||||
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
|
||||
is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
|
||||
nft_add_rule $chain $rule $setmark queue num $port bypass
|
||||
nft_insert_rule $chain $rule $setmark $FW_EXTRA_POST queue num $port bypass
|
||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||
}
|
||||
}
|
||||
@@ -491,7 +501,7 @@ _nft_fw_nfqws_post6()
|
||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
|
||||
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
|
||||
is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
|
||||
nft_add_rule $chain $rule $setmark queue num $port bypass
|
||||
nft_insert_rule $chain $rule $setmark $FW_EXTRA_POST queue num $port bypass
|
||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||
}
|
||||
}
|
||||
@@ -515,7 +525,7 @@ _nft_fw_nfqws_pre4()
|
||||
local filter="$1" port="$2" rule
|
||||
nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4
|
||||
rule="${3:+iifname @wanif }$filter ip saddr != @nozapret"
|
||||
nft_add_rule $(get_prechain) $rule queue num $port bypass
|
||||
nft_insert_rule $(get_prechain) $rule $FW_EXTRA_POST queue num $port bypass
|
||||
}
|
||||
}
|
||||
_nft_fw_nfqws_pre6()
|
||||
@@ -528,7 +538,7 @@ _nft_fw_nfqws_pre6()
|
||||
local filter="$1" port="$2" rule
|
||||
nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6
|
||||
rule="${3:+iifname @wanif6 }$filter ip6 saddr != @nozapret6"
|
||||
nft_add_rule $(get_prechain) $rule queue num $port bypass
|
||||
nft_insert_rule $(get_prechain) $rule $FW_EXTRA_POST queue num $port bypass
|
||||
}
|
||||
}
|
||||
nft_fw_nfqws_pre()
|
||||
|
||||
+3
-2
@@ -108,8 +108,9 @@ pf_anchor_zapret_tables()
|
||||
}
|
||||
pf_nat_reorder_rules()
|
||||
{
|
||||
# this is dirty hack to move rdr above route-to and remove route-to dups
|
||||
sort -rfu
|
||||
# this is dirty hack to move rdr above route-to
|
||||
# use only first word as a key and preserve order within a single key
|
||||
sort -srfk 1,1
|
||||
}
|
||||
pf_anchor_port_target()
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user