gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

allow to specify protocol in helper function, do not fix tcp

pull/98/head
bol-van 3 years ago
parent
d572264a92
commit
7f5731c5d0
6 changed files with 23 additions and 23 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 22
      common/ipt.sh
  2. 12
      common/nft.sh
  3. 2
      init.d/openwrt/custom-reuse-builtin-mode
  4. 4
      init.d/openwrt/custom-tpws4http-nfqws4https
  5. 2
      init.d/sysv/custom-reuse-builtin-mode
  6. 4
      init.d/sysv/custom-tpws4http-nfqws4https

22
common/ipt.sh
View File

@ -50,11 +50,11 @@ filter_apply_port_target()
# $1 - var name of iptables filter
local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
f="-m multiport --dports 80,443"
f="-p tcp -m multiport --dports 80,443"
elif [ "$MODE_HTTPS" = "1" ]; then
f="--dport 443"
f="-p tcp --dport 443"
elif [ "$MODE_HTTP" = "1" ]; then
f="--dport 80"
f="-p tcp --dport 80"
else
echo WARNING !!! HTTP and HTTPS are both disabled
fi
@ -136,7 +136,7 @@ _fw_tpws4()
ipt_print_op $1 "$2" "tpws (port $3)"
rule="-p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
for i in $4 ; do
ipt_add_del $1 PREROUTING -t nat -i $i $rule
done
@ -164,7 +164,7 @@ _fw_tpws6()
ipt_print_op $1 "$2" "tpws (port $3)" 6
rule="-p tcp $2 $IPSET_EXCLUDE6 dst"
rule="$2 $IPSET_EXCLUDE6 dst"
for i in $4 ; do
_dnat6_target $i DNAT6
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
@ -202,7 +202,7 @@ _fw_nfqws_post4()
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
rule="-p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then
for i in $4; do
ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
@ -223,7 +223,7 @@ _fw_nfqws_post6()
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
rule="-p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then
for i in $4; do
ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
@ -270,13 +270,13 @@ zapret_do_firewall_rules_ipt()
fw_nfqws_post4 $1 "$f4 $desync" $qn
else
if [ -n "$qn" ]; then
f4="--dport 80"
f4="-p tcp --dport 80"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qn
fi
if [ -n "$qns" ]; then
f4="--dport 443 $first_packet_only"
f4="-p tcp --dport 443 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qns
fi
@ -288,13 +288,13 @@ zapret_do_firewall_rules_ipt()
fw_nfqws_post6 $1 "$f6 $desync" $qn6
else
if [ -n "$qn6" ]; then
f6="--dport 80"
f6="-p tcp --dport 80"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qn6
fi
if [ -n "$qns6" ]; then
f6="--dport 443 $first_packet_only"
f6="-p tcp --dport 443 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qns6
fi

12
common/nft.sh
View File

@ -346,8 +346,8 @@ _nft_fw_tpws4()
[ "$DISABLE_IPV4" = "1" ] || {
local filter="$1" port="$2"
nft_print_op "$filter" "tpws (port $2)" 4
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
nft_add_rule dnat_pre iifname @lanif meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
prepare_route_localnet
}
}
@ -361,9 +361,9 @@ _nft_fw_tpws6()
[ "$DISABLE_IPV6" = "1" ] || {
local filter="$1" port="$2" DNAT6 i
nft_print_op "$filter" "tpws (port $port)" 6
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
[ -n "$3" ] && {
nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
for i in $3; do
_dnat6_target $i DNAT6
# can be multiple tpws processes on different ports
@ -391,7 +391,7 @@ _nft_fw_nfqws_post4()
[ "$DISABLE_IPV4" = "1" ] || {
local filter="$1" port="$2" rule
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
rule="${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret"
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
nft_add_rule postrouting $rule queue num $port bypass
nft_add_nfqws_flow_exempt_rule "$rule"
}
@ -405,7 +405,7 @@ _nft_fw_nfqws_post6()
[ "$DISABLE_IPV6" = "1" ] || {
local filter="$1" port="$2" rule
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
rule="${3:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6"
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
nft_add_rule postrouting $rule queue num $port bypass
nft_add_nfqws_flow_exempt_rule "$rule"
}

2
init.d/openwrt/custom-reuse-builtin-mode
View File

@ -26,7 +26,7 @@ zapret_custom_firewall()
zapret_do_firewall_rules_ipt $1
f4="--dport $MY_DPORT"
f4="-p tcp --dport $MY_DPORT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $MY_TPPORT

4
init.d/openwrt/custom-tpws4http-nfqws4https
View File

@ -28,14 +28,14 @@ zapret_custom_firewall()
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
[ "$MODE_HTTP" = "1" ] && {
f4="--dport 80"
f4="-p tcp --dport 80"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT
}
[ "$MODE_HTTPS" = "1" ] && {
f4="--dport 443 $first_packet_only"
f4="-p tcp --dport 443 $first_packet_only"
f6=$f4
filter_apply_ipset_target f4 f6
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM

2
init.d/sysv/custom-reuse-builtin-mode
View File

@ -26,7 +26,7 @@ zapret_custom_firewall()
zapret_do_firewall_rules_ipt $1
f4="--dport $MY_DPORT"
f4="-p tcp --dport $MY_DPORT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $MY_TPPORT

4
init.d/sysv/custom-tpws4http-nfqws4https
View File

@ -28,14 +28,14 @@ zapret_custom_firewall()
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
[ "$MODE_HTTP" = "1" ] && {
f4="--dport 80"
f4="-p tcp --dport 80"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT
}
[ "$MODE_HTTPS" = "1" ] && {
f4="--dport 443 $first_packet_only"
f4="-p tcp --dport 443 $first_packet_only"
f6=$f4
filter_apply_ipset_target f4 f6
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM

Write Preview
Loading…
Cancel
Save