nft: use map for tpws DNAT6 targeting

3 years ago · 6b3d9153f8
1 changed files with 25 additions and 9 deletions
--- a/common/nft.sh
+++ b/common/nft.sh
@ -84,6 +84,7 @@ cat << EOF | nft -f -
 	add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
 	add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
 	add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
+	add map inet $ZAPRET_NFT_TABLE tpws6 { type ifname: ipv6_addr . inet_service; }
 EOF
 }
 nft_del_chains()
@ -128,13 +129,19 @@ cat << EOF | nft -f -  2>/dev/null
 	flush set inet $ZAPRET_NFT_TABLE lanif
 	flush set inet $ZAPRET_NFT_TABLE wanif
 	flush set inet $ZAPRET_NFT_TABLE wanif6
+	flush map inet $ZAPRET_NFT_TABLE tpws6
 EOF
 }
+nft_flush_tpws6()
+{
+	nft flush map inet $ZAPRET_NFT_TABLE tpws6 2>/dev/null
+}
 nft_list_ifsets()
 {
 	nft list set inet $ZAPRET_NFT_TABLE lanif
 	nft list set inet $ZAPRET_NFT_TABLE wanif
 	nft list set inet $ZAPRET_NFT_TABLE wanif6
+	nft list map inet $ZAPRET_NFT_TABLE tpws6
 	nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
 }

@ -142,12 +149,14 @@ nft_create_firewall()
 {
 	nft_create_table
 	nft_del_flowtable
+	nft_flush_tpws6
 	nft_create_chains
 }
 nft_del_firewall()
 {
 	nft_del_chains
 	nft_del_flowtable
+	nft_flush_tpws6
 	# leave ifsets and ipsets because they may be used by custom rules
 }

@ -159,14 +168,20 @@ nft_add_rule()
 	shift
 	nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
 }
+nft_add_set_element()
+{
+	# $1 - set or map name
+	# $2 - element
+	[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
+}
 nft_add_set_elements()
 {
-	# $1 - set name
+	# $1 - set or map name
 	# $2,$3,... - element(s)
 	local set="$1" elements
 	shift
 	make_comma_list elements "$@"
-	[ -z "$elements" ] || nft add element inet $ZAPRET_NFT_TABLE $set "{ $elements }"
+	nft_add_set_element $set "$elements"
 }
 nft_reverse_nfqws_rule()
 {
@ -326,7 +341,7 @@ _nft_fw_tpws4()
 {
 	# $1 - filter ipv4
 	# $2 - tpws port
-	# $4 - not-empty if wan interface filtering required
+	# $3 - not-empty if wan interface filtering required

 	[ "$DISABLE_IPV4" = "1" ] || {
 		local filter="$1" port="$2"
@ -347,12 +362,13 @@ _nft_fw_tpws6()
 		local filter="$1" port="$2" DNAT6 i
 		nft_print_op "$filter" "tpws (port $port)" 6
 		nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
-                _set_route_localnet 1 $3
-		for i in $3; do
-			_dnat6_target $i DNAT6
-			[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_rule dnat_pre iifname \"$i\" meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [$DNAT6]:$port
-			shift
-		done
+		[ -n "$3" ] && {
+			nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @tpws6
+			for i in $3; do
+				_dnat6_target $i DNAT6
+				[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element tpws6 "$i : $DNAT6 . $port"
+			done
+		}
 	}
 }
 nft_fw_tpws()