From 1b25b0e64f39150f6053bd34fcc1414a62e7febe Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 18 Feb 2022 12:35:06 +0300
Subject: [PATCH] init: firewall apply hooks
---
 common/linux_fw.sh | 6 ++++++
 config | 7 ++++++-
 docs/readme.eng.md | 9 +++++++++
 docs/readme.txt | 9 +++++++++
 init.d/macos/functions | 12 ++++++------
 5 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/common/linux_fw.sh b/common/linux_fw.sh
index 65af95c..607bb99 100644
--- a/common/linux_fw.sh
+++ b/common/linux_fw.sh
@@ -2,6 +2,9 @@ zapret_do_firewall()
 {
 linux_fwtype
+ [ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
+ [ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
+
 case "$FWTYPE" in
 iptables)
 zapret_do_firewall_ipt "$@"
@@ -11,6 +14,9 @@ zapret_do_firewall()
 ;;
 esac
+ [ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
+ [ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
+
 return 0
 }
 zapret_apply_firewall()
diff --git a/config b/config
index 345f131..1aaeff2 100644
--- a/config
+++ b/config
@@ -71,8 +71,13 @@ FLOWOFFLOAD=donttouch
 #IFACE_WAN=eth1
 # should start/stop command of init scripts apply firewall rules ?
-# not applicable to openwrt with firewall3+iptables
+# not applicable to older openwrt with fw3 firewall
 INIT_APPLY_FW=1
+# firewall apply hooks
+#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
 # do not work with ipv4
 #DISABLE_IPV4=1
diff --git a/docs/readme.eng.md b/docs/readme.eng.md
index 5c0b562..26597e9 100644
--- a/docs/readme.eng.md
+++ b/docs/readme.eng.md
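Review bot: In the first common/linux_fw.sh hunk the hook variables are expanded unquoted and their exit status is discarded, so a failing pre_up hook still lets the rules be applied and a failing pre_down hook still lets them be removed; if hook failure should abort the stage, capture it, e.g. `if [ "$1" = 1 ] && [ -n "$INIT_FW_PRE_UP_HOOK" ]; then $INIT_FW_PRE_UP_HOOK || return 1; fi`, which also drops the obsolescent binary `-a` inside `[ ]`. The same pattern is repeated in the second hunk of this file (post hooks) and in both init.d/macos/functions hunks. A one-line comment above the first hook line would pin the contract for hook authors: `# hook value is word-split and executed as-is with the privileges of this script; no arguments are passed` — whether that is root is not visible in this hunk. zapret_do_firewall's body continues outside the hunk.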
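Review bot: The new commented-out INIT_FW_*_HOOK entries in the config hunk do not say how the hook is invoked, and the invocation in common/linux_fw.sh passes no arguments and ignores the hook's exit status, so a reader of the config cannot tell whether a failing hook matters. Suggest a comment above them: `# each hook is run with no arguments at the named stage; its exit status is not checked`, plus a note that the hook file is executed by the init script and should be owned by that script's user and not writable by others. Whether the init script runs as root is not shown in this diff, so that note should be worded accordingly.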
@@ -859,6 +859,15 @@ Calls `nft -t list table inet zapret`.
 /opt/zapret/init.d/sysv/zapret list_table
 ```
+It's also possible to hook with your script to any stage of zapret firewall processing.
+The following settings are available in the zapret config file :
+
+```
+INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
+```
 ## Installation
diff --git a/docs/readme.txt b/docs/readme.txt
index 1a09f9e..343efe1 100644
--- a/docs/readme.txt
+++ b/docs/readme.txt
@@ -1014,6 +1014,15 @@ nftables сводят практически на нет конфликты ме
 Просмотр таблицы без содержимого set-ов. Вызывает nft -t list table inet zapret
 /opt/zapret/init.d/sysv/zapret list_table
+Так же возможно прицепиться своим скриптом к любой стадии применения и снятия фаервола со стороны zapret скриптов :
+
+INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
+
+Эти настройки доступны в config.
+
 Вариант custom
 --------------
diff --git a/init.d/macos/functions b/init.d/macos/functions
index 1cc6a80..ab640f6 100644
--- a/init.d/macos/functions
+++ b/init.d/macos/functions
@@ -119,6 +119,9 @@ zapret_do_firewall()
 {
 # $1 - 1 - add, 0 - del
+ [ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
+ [ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
+
 case "${MODE_OVERRIDE:-$MODE}" in
 tpws|filter|custom)
 if [ "$1" = "1" ] ; then
@@ -130,14 +133,11 @@ zapret_do_firewall()
 pf_anchors_clear
 fi
 ;;
- tpws-socks)
- ;;
- *)
- echo "unsupported MODE=$MODE"
- return 1
- ;;
 esac
+ [ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
+ [ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
+
 return 0
 }
 zapret_apply_firewall()
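Review bot: Dropping the `*)` arm means the macOS zapret_do_firewall now returns 0 for an unrecognised `${MODE_OVERRIDE:-$MODE}` and still runs the post hooks, where it previously printed `unsupported MODE=$MODE` and returned 1; the commit title only mentions hooks, so this looks unintended unless MODE is validated elsewhere, which this diff does not show. If the goal was only to remove the empty `tpws-socks)` arm, keep the default before `esac`: `*) echo "unsupported MODE=$MODE"; return 1 ;;`. The head of the function is outside this hunk.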