mirror of https://github.com/bol-van/zapret/
2 changed files with 74 additions and 75 deletions
File diff suppressed because one or more lines are too long
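--- /dev/null
+++ b/(unknown)
@@ -0,0 +1,74 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
+
+# can override in config :
+NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
+NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
+NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_SET_NAME=my1nfqws4
+
+zapret_custom_daemons()
+{
+# $1 - 1 - run, 0 - stop
+
+local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
+do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+# $1 - 1 - run, 0 - stop
+
+local f
+local first_packets_only="$ipt_connbytes 1:3"
+local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
+local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
+local subnet
+
+local DISABLE_IPV6=1
+
+[ "$1" = 1 ] && {
+ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
+ipset flush $NFQWS_MY1_SET_NAME
+for subnet in $NFQWS_MY1_SUBNETS; do
+echo add $NFQWS_MY1_SET_NAME $subnet
+done | ipset -! restore
+}
+
+f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
+fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+
+[ "$1" = 1 ] || {
+ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
+}
+}
+
+zapret_custom_firewall_nft()
+{
+# stop logic is not required
+
+local f
+local first_packets_only="$nft_connbytes 1-3"
+local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
+local subnets
+
+local DISABLE_IPV6=1
+
+make_comma_list subnets $NFQWS_MY1_SUBNETS
+nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
+nft_flush_set $NFQWS_MY1_SET_NAME
+nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
+
+f="udp dport {$NFQWS_MY1_PORTS}"
+nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+# this function is called after all nft fw rules are deleted
+# however sets are not deleted. it's desired to clear sets here.
+
+nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
+}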
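Review bot: The ipset population in zapret_custom_firewall (`for subnet in $NFQWS_MY1_SUBNETS; do echo add ...; done | ipset -! restore`) runs under `-!`, so a mistyped or malformed prefix in an overridden NFQWS_MY1_SUBNETS is skipped without any diagnostic and traffic to that destination simply never reaches the nfqws queue — the script fails open silently. Since the set is flushed on the line just before, `-!` only masks errors if the override itself repeats an entry, so it buys little; I would drop it and surface a failure, e.g. `done | ipset restore || echo "$NFQWS_MY1_SET_NAME: some entries of '$NFQWS_MY1_SUBNETS' were rejected" >&2`. The `2>/dev/null` on `ipset create` has the same effect for a missing ipset module or a pre-existing set of a different type (create fails, flush/restore then fail, rules match nothing). The nft variant delegates to nft_add_set_element, whose error handling is not visible in this file, so the same check may or may not already exist there.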