2 changed files with 74 additions and 75 deletions
File diff suppressed because one or more lines are too long
@ -0,0 +1,74 @@ |
|||||
|
# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only. |
||||
|
|
||||
|
# can override in config : |
||||
|
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}" |
||||
|
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009} |
||||
|
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}" |
||||
|
|
||||
|
alloc_dnum DNUM_NFQWS_MY1 |
||||
|
alloc_qnum QNUM_NFQWS_MY1 |
||||
|
NFQWS_MY1_SET_NAME=my1nfqws4 |
||||
|
|
||||
|
zapret_custom_daemons() |
||||
|
{ |
||||
|
# $1 - 1 - run, 0 - stop |
||||
|
|
||||
|
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1" |
||||
|
do_nfqws $1 $DNUM_NFQWS_MY1 "$opt" |
||||
|
} |
||||
|
|
||||
|
zapret_custom_firewall() |
||||
|
{ |
||||
|
# $1 - 1 - run, 0 - stop |
||||
|
|
||||
|
local f |
||||
|
local first_packets_only="$ipt_connbytes 1:3" |
||||
|
local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS) |
||||
|
local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst" |
||||
|
local subnet |
||||
|
|
||||
|
local DISABLE_IPV6=1 |
||||
|
|
||||
|
[ "$1" = 1 ] && { |
||||
|
ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null |
||||
|
ipset flush $NFQWS_MY1_SET_NAME |
||||
|
for subnet in $NFQWS_MY1_SUBNETS; do |
||||
|
echo add $NFQWS_MY1_SET_NAME $subnet |
||||
|
done | ipset -! restore |
||||
|
} |
||||
|
|
||||
|
f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT" |
||||
|
fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1 |
||||
|
|
||||
|
[ "$1" = 1 ] || { |
||||
|
ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
zapret_custom_firewall_nft() |
||||
|
{ |
||||
|
# stop logic is not required |
||||
|
|
||||
|
local f |
||||
|
local first_packets_only="$nft_connbytes 1-3" |
||||
|
local dest_set="ip daddr @$NFQWS_MY1_SET_NAME" |
||||
|
local subnets |
||||
|
|
||||
|
local DISABLE_IPV6=1 |
||||
|
|
||||
|
make_comma_list subnets $NFQWS_MY1_SUBNETS |
||||
|
nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;" |
||||
|
nft_flush_set $NFQWS_MY1_SET_NAME |
||||
|
nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets" |
||||
|
|
||||
|
f="udp dport {$NFQWS_MY1_PORTS}" |
||||
|
nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1 |
||||
|
} |
||||
|
|
||||
|
zapret_custom_firewall_nft_flush() |
||||
|
{ |
||||
|
# this function is called after all nft fw rules are deleted |
||||
|
# however sets are not deleted. it's desired to clear sets here. |
||||
|
|
||||
|
nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null |
||||
|
} |
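Review bot: The set-population pipeline in zapret_custom_firewall (`for subnet in $NFQWS_MY1_SUBNETS; do … done | ipset -! restore`) discards its exit status, so a malformed or mistyped CIDR in the user-overridable NFQWS_MY1_SUBNETS aborts `ipset restore` part-way and the script still goes on to install the NFQUEUE rule via fw_nfqws_post against a half-filled set; `-!` only masks "already exists" errors, not syntax errors, and the `2>/dev/null` on `ipset create` also hides a failed creation (missing ipset binary or module), in which case the rule would be added against a set that does not exist. A minimal fix is to report the failure where it happens: `done | ipset -! restore || echo "warning: failed to populate ipset $NFQWS_MY1_SET_NAME from NFQWS_MY1_SUBNETS" >&2`, and to check the set before creating it instead of silencing stderr, e.g. `ipset list -n "$NFQWS_MY1_SET_NAME" >/dev/null 2>&1 || ipset create "$NFQWS_MY1_SET_NAME" hash:net hashsize 8192 maxelem 4096`. The nft path has the same shape (`nft_add_set_element` is called without checking its result), but that helper is defined outside this file, so whether it already reports errors cannot be confirmed here. Also worth a one-line comment near the NFQWS_MY1_* defaults that these values come from the (root-owned) zapret config and are passed unquoted into ipset/nft commands, so they are trusted input by design and must not be sourced from anything less privileged.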