openwrt hotplug.d removed

9 years ago · 3d08e29fe6
5 changed files with 51 additions and 40 deletions
--- a/changes.txt
+++ b/changes.txt
@ -38,3 +38,7 @@ ipset : added "get_antizapret.sh"
 v7
 tpws : added ability to insert "." after Host: name
 v8
 openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user
--- a/init.d/openwrt/99-zapret
+++ b/init.d/openwrt/99-zapret
@ -1,35 +0,0 @@
 # copy it to /etc/hotplug.d/firewall/99-zapret
 # CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
 # if your ISP not in list then comment all lines
 ISP=domru
 TPPORT=1188
 TPWS_USER=daemon
 case "$ACTION" in
    add)
    case "$ISP" in
 	domru)
 	case "$INTERFACE" in
 	    wan)
 	    # BLOCK SPOOFED DNS FROM DOMRU
 	    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
 	     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
 	    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
 	     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
 	    # DNAT for local traffic
 	    iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
 	     iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 	    ;;
 	    lan)
 	    # DNAT for pass-thru traffic
 	    sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
 	    iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
 	     iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 	    ;;
     	esac
 	;;
    esac
 esac
--- a/init.d/openwrt/firewall.user.domru
+++ b/init.d/openwrt/firewall.user.domru
@ -0,0 +1,23 @@
 TPPORT=1188
 TPWS_USER=daemon
 . /lib/functions/network.sh
 network_find_wan wan_iface
 for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # BLOCK SPOOFED DNS FROM DOMRU
    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
    # DNAT for local traffic
    iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
     iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
 done
 sysctl -w net.ipv4.conf.br-lan.route_localnet=1
 iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
 iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -7,7 +7,7 @@
 #ISP=beeline
 ISP=domru
-# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user or /etc/hotplug.d/firewall/99-zapret
+# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
 QNUM=200
 TPPORT=1188
@ -20,6 +20,26 @@ TPWS_USER=daemon
 # start betfore firewall - we need ipset populated
 START=18
 # must execute /etc/firewall.user on every firewall reload
 set_firewall_user_reload() {
 	i=0
 	while true
 	do
 	 path=$(uci -q get firewall.@include[$i].path)
 	 [ -n "$path" ] || break
 	 [ "$path" == "/etc/firewall.user" ] && {
 	   reload=$(uci -q get firewall.@include[$i].reload)
 	   [ "$reload" = "1" ] || {
 	     echo Setting 'reload' call option to /etc/firewall.user
 	     uci set firewall.@include[$i].reload=1
 	     uci commit firewall
 	   }
 	 }
 	 i=$((i+1))
 	done
 }
 get_daemon() {
 	case "${ISP}" in
 	    mns)
@ -43,6 +63,7 @@ get_daemon() {
 start() {
 	set_firewall_user_reload
 	echo "Creating ipset"
 	($IPSET_CR)
--- a/readme.txt
+++ b/readme.txt
@ -1,4 +1,4 @@
-zapret v.7
+zapret v.8
 Для чего это надо
 -----------------
@ -242,9 +242,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
 В /etc/init.d/zapret выбрать пераметр "ISP". В зависимости от него будут применены нужные правила.
 /etc/init.d/zapret enable
 /etc/init.d/zapret start
-В зависимости от вашего провайдера либо внести нужные записи в /etc/firewall.user, либо
+В зависимости от вашего провайдера внести нужные записи в /etc/firewall.user.
 скопировать 99-zapret в /etc/hotplug.d/firewall (сначала нужно mkdir /etc/hotplug.d/firewall).
 В /etc/hotplug.d/firewall/99-zapret выбрать нужного провайдера.
 /etc/init.d/firewall restart
 Посмотреть через iptables -L или через luci вкладку "firewall" появились ли нужные правила.
 Зашедулить задание обновления листа :