|
|
@ -23,24 +23,28 @@ zapret_custom_firewall() |
|
|
|
|
|
|
|
[ "$1" = 1 ] && { |
|
|
|
ipset create $NFQWS_CLOUDFLARE_SET_NAME_IPV4 hash:net hashsize 8192 maxelem 4096 2>/dev/null |
|
|
|
ipset create $NFQWS_CLOUDFLARE_SET_NAME_IPV6 hash:net family inet6 hashsize 8192 maxelem 4096 2>/dev/null |
|
|
|
ipset flush $NFQWS_CLOUDFLARE_SET_NAME_IPV4 |
|
|
|
ipset flush $NFQWS_CLOUDFLARE_SET_NAME_IPV6 |
|
|
|
for subnet in $NFQWS_CLOUDFLARE_SUBNETS_IPV4; do |
|
|
|
echo add $NFQWS_CLOUDFLARE_SET_NAME_IPV4 $subnet |
|
|
|
done | ipset -! restore |
|
|
|
for subnet in $NFQWS_CLOUDFLARE_SUBNETS_IPV6; do |
|
|
|
echo add $NFQWS_CLOUDFLARE_SET_NAME_IPV6 $subnet |
|
|
|
done | ipset -! restore |
|
|
|
|
|
|
|
[ "$DISABLE_IPV6" != "1" ] && { |
|
|
|
ipset create $NFQWS_CLOUDFLARE_SET_NAME_IPV6 hash:net family inet6 hashsize 8192 maxelem 4096 2>/dev/null |
|
|
|
ipset flush $NFQWS_CLOUDFLARE_SET_NAME_IPV6 |
|
|
|
for subnet in $NFQWS_CLOUDFLARE_SUBNETS_IPV6; do |
|
|
|
echo add $NFQWS_CLOUDFLARE_SET_NAME_IPV6 $subnet |
|
|
|
done | ipset -! restore |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
local f="-p tcp -m multiport --dports $NFQWS_CLOUDFLARE_PORTS" |
|
|
|
fw_nfqws_post $1 "$f $first_packets_only $dest_set_ipv4" "" $QNUM_NFQWS_CLOUDFLARE |
|
|
|
fw_nfqws_post $1 "$f $first_packets_only $dest_set_ipv6" "" $QNUM_NFQWS_CLOUDFLARE |
|
|
|
|
|
|
|
[ "$DISABLE_IPV6" != "1" ] && fw_nfqws_post $1 "$f $first_packets_only $dest_set_ipv6" "" $QNUM_NFQWS_CLOUDFLARE |
|
|
|
|
|
|
|
[ "$1" = 1 ] || { |
|
|
|
ipset destroy $NFQWS_CLOUDFLARE_SET_NAME_IPV4 2>/dev/null |
|
|
|
ipset destroy $NFQWS_CLOUDFLARE_SET_NAME_IPV6 2>/dev/null |
|
|
|
[ "$DISABLE_IPV6" != "1" ] && ipset destroy $NFQWS_CLOUDFLARE_SET_NAME_IPV6 2>/dev/null |
|
|
|
} |
|
|
|
} |
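Review bot: The new `[ "$DISABLE_IPV6" != "1" ] && ipset destroy …` at the end of the teardown group makes the group, and therefore the `[ "$1" = 1 ] || { … }` statement that closes `zapret_custom_firewall`, evaluate to 1 whenever IPv6 is disabled, so the function now reports failure on an ordinary stop. Whether the caller inspects that status is not visible here, but it is the function's last statement; appending `return 0` after the closing `}` of the group, or writing the guard as `if [ "$DISABLE_IPV6" != "1" ]; then ipset destroy "$NFQWS_CLOUDFLARE_SET_NAME_IPV6" 2>/dev/null; fi`, keeps the status meaningful. The same pattern closes `zapret_custom_firewall_nft` and `zapret_custom_firewall_nft_flush` in the next hunk, where the `&&` guard is literally the last command and the function returns 1 in the DISABLE_IPV6=1 case. The body of `zapret_custom_firewall` begins before this hunk.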
|
|
|
|
|
|
@ -49,24 +53,30 @@ zapret_custom_firewall_nft() |
|
|
|
local first_packets_only="$nft_connbytes 1-3" |
|
|
|
local dest_set_ipv4="ip daddr @$NFQWS_CLOUDFLARE_SET_NAME_IPV4" |
|
|
|
local dest_set_ipv6="ip6 daddr @$NFQWS_CLOUDFLARE_SET_NAME_IPV6" |
|
|
|
local nft_rules="type ipv4_addr; size 4096; auto-merge; flags interval;" |
|
|
|
local subnets subnets_ipv6 |
|
|
|
|
|
|
|
make_comma_list subnets $NFQWS_CLOUDFLARE_SUBNETS_IPV4 |
|
|
|
make_comma_list subnets_ipv6 $NFQWS_CLOUDFLARE_SUBNETS_IPV6 |
|
|
|
nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 "type ipv4_addr; size 4096; auto-merge; flags interval;" |
|
|
|
nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "type ipv6_addr; size 4096; auto-merge; flags interval;" |
|
|
|
|
|
|
|
nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 "$nft_rules" |
|
|
|
nft_flush_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 |
|
|
|
nft_flush_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 |
|
|
|
nft_add_set_element $NFQWS_CLOUDFLARE_SET_NAME_IPV4 "$subnets" |
|
|
|
nft_add_set_element $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "$subnets_ipv6" |
|
|
|
|
|
|
|
[ "$DISABLE_IPV6" != "1" ] && { |
|
|
|
nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "$nft_rules" |
|
|
|
nft_flush_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 |
|
|
|
nft_add_set_element $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "$subnets_ipv6" |
|
|
|
} |
|
|
|
|
|
|
|
local f="tcp dport {$NFQWS_CLOUDFLARE_PORTS}" |
|
|
|
nft_fw_nfqws_post "$f $first_packets_only $dest_set_ipv4" "" $QNUM_NFQWS_CLOUDFLARE |
|
|
|
nft_fw_nfqws_post "$f $first_packets_only $dest_set_ipv6" "" $QNUM_NFQWS_CLOUDFLARE |
|
|
|
|
|
|
|
[ "$DISABLE_IPV6" != "1" ] && nft_fw_nfqws_post "$f $first_packets_only $dest_set_ipv6" "" $QNUM_NFQWS_CLOUDFLARE |
|
|
|
} |
|
|
|
|
|
|
|
zapret_custom_firewall_nft_flush() |
|
|
|
{ |
|
|
|
nft_del_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 2>/dev/null |
|
|
|
nft_del_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 2>/dev/null |
|
|
|
[ "$DISABLE_IPV6" != "1" ] && nft_del_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 2>/dev/null |
|
|
|
} |
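Review bot: The IPv6 set inside the DISABLE_IPV6 block is created with `"$nft_rules"`, but `nft_rules` was defined as `type ipv4_addr; …`, so the set replaces the removed `type ipv6_addr` definition with an ipv4_addr set; adding the IPv6 subnets to it and matching `ip6 daddr @set` against it should then fail in nft, leaving Cloudflare IPv6 traffic unqueued. Keep the literal that was dropped: `nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "type ipv6_addr; size 4096; auto-merge; flags interval;"`, or introduce a second variable such as `nft_rules_ipv6` alongside `nft_rules`. Since nft_create_set's diagnostics are not suppressed here, the error would at least be visible, but the rule set would still be silently incomplete. The enclosing function starts before this hunk.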
|
|
|