gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

ports override

pull/172/head
bol-van 1 year ago
parent
988af97fee
commit
b7a5f51064
5 changed files with 48 additions and 20 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 18
      common/base.sh
  2. 18
      common/ipt.sh
  3. 17
      common/nft.sh
  4. 8
      common/pf.sh
  5. 7
      config

18
common/base.sh
View File

@ -253,3 +253,21 @@ minsleep()
{
msleep 100
}
replace_char()
{
local a=$1
local b=$2
shift; shift
echo "$@" | tr $a $b
}
std_ports()
{
HTTP_PORTS=${HTTP_PORTS:-80}
HTTPS_PORTS=${HTTPS_PORTS:-443}
QUIC_PORTS=${QUIC_PORTS:-443}
HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
}

18
common/ipt.sh
View File

@ -1,3 +1,5 @@
std_ports
ipt()
{
iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
@ -50,11 +52,11 @@ filter_apply_port_target()
# $1 - var name of iptables filter
local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
f="-p tcp -m multiport --dports 80,443"
f="-p tcp -m multiport --dports $HTTP_PORTS_IPT,$HTTPS_PORTS_IPT"
elif [ "$MODE_HTTPS" = "1" ]; then
f="-p tcp --dport 443"
f="-p tcp -m multiport --dports $HTTPS_PORTS_IPT"
elif [ "$MODE_HTTP" = "1" ]; then
f="-p tcp --dport 80"
f="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
else
echo WARNING !!! HTTP and HTTPS are both disabled
fi
@ -64,7 +66,7 @@ filter_apply_port_target_quic()
{
# $1 - var name of nftables filter
local f
f="-p udp --dport 443"
f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
eval $1="\"\$$1 $f\""
}
filter_apply_ipset_target4()
@ -357,7 +359,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qn
else
if [ -n "$qn" ]; then
f4="-p tcp --dport 80"
f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
ff="$f4"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
ff="$ff $first_packet_only"
@ -367,7 +369,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $ff)" $qn
fi
if [ -n "$qns" ]; then
f4="-p tcp --dport 443 $first_packet_only"
f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qns
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qns
@ -381,7 +383,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qn
else
if [ -n "$qn6" ]; then
f6="-p tcp --dport 80"
f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
ff="$f6"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
ff="$ff $first_packet_only"
@ -391,7 +393,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $ff)" $qn6
fi
if [ -n "$qns6" ]; then
f6="-p tcp --dport 443 $first_packet_only"
f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qns6
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qns6

17
common/nft.sh
View File

@ -2,6 +2,7 @@
# required for : nft -f -
create_dev_stdin
std_ports
nft_create_table()
{
@ -279,11 +280,11 @@ nft_filter_apply_port_target()
# $1 - var name of nftables filter
local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
f="tcp dport {80,443}"
f="tcp dport {$HTTP_PORTS,$HTTPS_PORTS}"
elif [ "$MODE_HTTPS" = "1" ]; then
f="tcp dport 443"
f="tcp dport {$HTTPS_PORTS}"
elif [ "$MODE_HTTP" = "1" ]; then
f="tcp dport 80"
f="tcp dport {$HTTP_PORTS}"
else
echo WARNING !!! HTTP and HTTPS are both disabled
fi
@ -293,7 +294,7 @@ nft_filter_apply_port_target_quic()
{
# $1 - var name of nftables filter
local f
f="udp dport 443"
f="udp dport {$QUIC_PORTS}"
eval $1="\"\$$1 $f\""
}
nft_filter_apply_ipset_target4()
@ -604,7 +605,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qn
else
if [ -n "$qn" ]; then
f4="tcp dport 80"
f4="tcp dport {$HTTP_PORTS}"
ff="$f4"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
ff="$ff $first_packet_only"
@ -614,7 +615,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $ff)" $qn
fi
if [ -n "$qns" ]; then
f4="tcp dport 443 $first_packet_only"
f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" $qns
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qns
@ -628,7 +629,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qn
else
if [ -n "$qn6" ]; then
f6="tcp dport 80"
f6="tcp dport {$HTTP_PORTS}"
ff="$f6"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
ff="$ff $first_packet_only"
@ -638,7 +639,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $ff)" $qn6
fi
if [ -n "$qns6" ]; then
f6="tcp dport 443 $first_packet_only"
f6="tcp dport {$HTTPS_PORTS} $first_packet_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" $qns6
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qns6

8
common/pf.sh
View File

@ -4,6 +4,8 @@ PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret"
PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
std_ports
pf_anchor_root_reload()
{
echo reloading PF root anchor
@ -107,11 +109,11 @@ pf_anchor_zapret_tables()
pf_anchor_port_target()
{
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
echo "{80,443}"
echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
elif [ "$MODE_HTTPS" = "1" ]; then
echo "443"
echo "{$HTTPS_PORTS_IPT}"
elif [ "$MODE_HTTP" = "1" ]; then
echo "80"
echo "{$HTTP_PORTS_IPT}"
fi
}

7
config
View File

@ -37,6 +37,11 @@ GZIP_LISTS=1
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
# override ports
#HTTP_PORTS=80-81,85
#HTTPS_PORTS=443,500-501
#QUIC_PORTS=443,444
# CHOOSE OPERATION MODE
# MODE : nfqws,tpws,tpws-socks,filter,custom
# nfqws : nfqws for dpi desync
@ -96,7 +101,7 @@ INIT_APPLY_FW=1
# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1
#DISABLE_IPV6=1
# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh

Write Preview
Loading…
Cancel
Save