From c0f01c38296d1ed9610ed79b1a6cde3e87f1cf0d Mon Sep 17 00:00:00 2001
From: bol-van <none@none.none>
Date: Sun, 19 Jun 2022 16:16:20 +0300
Subject: [PATCH] wireguard, redsocks: nozapret notice

---
 docs/redsocks.txt                            | 12 ++++++------
 docs/wireguard/wireguard_iproute_openwrt.txt |  3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/docs/redsocks.txt b/docs/redsocks.txt
index c475655..99feb23 100644
--- a/docs/redsocks.txt
+++ b/docs/redsocks.txt
@@ -113,8 +113,8 @@ create_ipset no-update
 network_find_wan_all wan_iface
 for ext_iface in $wan_iface; do
     network_get_device ext_device $ext_iface
-    ipt OUTPUT -t nat -o $ext_device -p tcp --dport 443 -m set --match-set zapret dst -j REDIRECT --to-port $SOXIFIER_PORT
-    ipt OUTPUT -t nat -o $ext_device -p tcp -m set --match-set ipban dst -j REDIRECT --to-port $SOXIFIER_PORT
+    ipt OUTPUT -t nat -o $ext_device -p tcp --dport 443 -m set --match-set zapret dst -m set ! --match-set nozapret dst -j REDIRECT --to-port $SOXIFIER_PORT
+    ipt OUTPUT -t nat -o $ext_device -p tcp -m set --match-set ipban dst -m set ! --match-set nozapret dst -j REDIRECT --to-port $SOXIFIER_PORT
 done
 
 prepare_route_localnet
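Review bot: The two `-m set ! --match-set nozapret dst` negations at the REDIRECT rules are added without any comment in redsocks.txt explaining why they matter, whereas the companion wireguard hunk spells out that `nozapret` is the resolved ipset/zapret-hosts-user-exclude.txt and exists so that private ranges leaking from a downloaded list (e.g. 192.168.0.0/16) are not forced through the interception; a reader copying these rules should see that rationale next to them, e.g. `# nozapret = resolved zapret-hosts-user-exclude.txt; keeps list-leaked private ranges off the soxifier`. Both rules now hard-depend on the `nozapret` set existing, since iptables refuses a rule that references a missing set, so the `create_ipset no-update` call visible in the hunk header presumably has to create it before this loop runs — worth confirming and stating, because a failed rule here silently leaves the destination unproxied. The loop body is complete within the hunk, but the surrounding setup it relies on is outside it.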
@@ -165,13 +165,13 @@ prepare_route_localnet
 cat << EOF | nft -f -
  add chain inet $ZAPRET_NFT_TABLE my_output { type nat hook output priority -102; }
  flush chain inet $ZAPRET_NFT_TABLE my_output
- add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif meta l4proto tcp ip daddr @ipban dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
- add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif tcp dport 443 ip daddr @zapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif meta l4proto tcp ip daddr @ipban ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_output oifname @wanif tcp dport 443 ip daddr @zapret ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
 
  add chain inet $ZAPRET_NFT_TABLE my_prerouting { type nat hook prerouting priority -102; }
  flush chain inet $ZAPRET_NFT_TABLE my_prerouting
- add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif meta l4proto tcp ip daddr @ipban dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
- add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif tcp dport 443 ip daddr @zapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif meta l4proto tcp ip daddr @ipban ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
+ add rule inet $ZAPRET_NFT_TABLE my_prerouting iifname @lanif tcp dport 443 ip daddr @zapret ip daddr != @nozapret dnat to $TPWS_LOCALHOST4:$SOXIFIER_PORT
 EOF
 ----------------------------
 
diff --git a/docs/wireguard/wireguard_iproute_openwrt.txt b/docs/wireguard/wireguard_iproute_openwrt.txt
index 7ca61cd..880d528 100644
--- a/docs/wireguard/wireguard_iproute_openwrt.txt
+++ b/docs/wireguard/wireguard_iproute_openwrt.txt
@@ -267,7 +267,8 @@ config rule
 все равно ресолвится. Вы всегда можете расчитывать на ipset/nfset "ipban", "nozapret".
 
 "nozapret" - это ipset/nfset, связанный с системой исключения ip. Сюда загоняется все из ipset/zapret-hosts-user-exclude.txt после ресолвинга.
-
+Его учет крайне желателен, чтобы вдруг из скачанного листа не просочились записи, например, 192.168.0.0/16 и не заставили лезть туда через VPN.
+Хотя скрипты получения листов и пытаются отсечь IP локалок, но так будет намного надежнее.
 
 --- Маркировка трафика ---