allow to specify protocol in helper function, do not fix tcp
This commit is contained in:
parent
d572264a92
commit
7f5731c5d0
@ -50,11 +50,11 @@ filter_apply_port_target()
|
|||||||
# $1 - var name of iptables filter
|
# $1 - var name of iptables filter
|
||||||
local f
|
local f
|
||||||
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
||||||
f="-m multiport --dports 80,443"
|
f="-p tcp -m multiport --dports 80,443"
|
||||||
elif [ "$MODE_HTTPS" = "1" ]; then
|
elif [ "$MODE_HTTPS" = "1" ]; then
|
||||||
f="--dport 443"
|
f="-p tcp --dport 443"
|
||||||
elif [ "$MODE_HTTP" = "1" ]; then
|
elif [ "$MODE_HTTP" = "1" ]; then
|
||||||
f="--dport 80"
|
f="-p tcp --dport 80"
|
||||||
else
|
else
|
||||||
echo WARNING !!! HTTP and HTTPS are both disabled
|
echo WARNING !!! HTTP and HTTPS are both disabled
|
||||||
fi
|
fi
|
||||||
@ -136,7 +136,7 @@ _fw_tpws4()
|
|||||||
|
|
||||||
ipt_print_op $1 "$2" "tpws (port $3)"
|
ipt_print_op $1 "$2" "tpws (port $3)"
|
||||||
|
|
||||||
rule="-p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
|
rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
|
||||||
for i in $4 ; do
|
for i in $4 ; do
|
||||||
ipt_add_del $1 PREROUTING -t nat -i $i $rule
|
ipt_add_del $1 PREROUTING -t nat -i $i $rule
|
||||||
done
|
done
|
||||||
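Review bot: `rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"` now relies entirely on the caller's `$2` to name the transport protocol, and nothing in `_fw_tpws4` checks that it did. As far as I recall iptables refuses a `DNAT --to addr:port` rule that has no `-p`, so a filter without it (for instance the empty filter that `filter_apply_port_target` appears to leave behind when MODE_HTTP and MODE_HTTPS are both off) would make the redirect fail to install rather than redirect everything — a fail-open that only surfaces in ipt_add_del's error output. A one-line guard at the top of the helper would make the new contract explicit: `case "$2" in *"-p "*) ;; *) echo "ERROR: tpws filter must specify protocol (e.g. -p tcp): $2" >&2; return 1;; esac`. The same applies to `_fw_tpws6`, whose `rule="$2 $IPSET_EXCLUDE6 dst"` is built the same way in the following hunk.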
@ -164,7 +164,7 @@ _fw_tpws6()
|
|||||||
|
|
||||||
ipt_print_op $1 "$2" "tpws (port $3)" 6
|
ipt_print_op $1 "$2" "tpws (port $3)" 6
|
||||||
|
|
||||||
rule="-p tcp $2 $IPSET_EXCLUDE6 dst"
|
rule="$2 $IPSET_EXCLUDE6 dst"
|
||||||
for i in $4 ; do
|
for i in $4 ; do
|
||||||
_dnat6_target $i DNAT6
|
_dnat6_target $i DNAT6
|
||||||
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
|
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
|
||||||
@ -202,7 +202,7 @@ _fw_nfqws_post4()
|
|||||||
|
|
||||||
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
|
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
|
||||||
|
|
||||||
rule="-p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
||||||
if [ -n "$4" ] ; then
|
if [ -n "$4" ] ; then
|
||||||
for i in $4; do
|
for i in $4; do
|
||||||
ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
|
ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
|
||||||
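Review bot: Unlike DNAT, `-j NFQUEUE` has no protocol requirement, so after dropping `-p tcp` from `rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"` a caller filter that omits `-p` (or consists only of an ipset match plus the `$desync` mark test) will queue every protocol leaving the interface — UDP, ICMP, all of it — to nfqws. The callers changed in this commit all add `-p tcp`, but the helper no longer enforces it and there is no comment saying it is now the caller's job. I would at least document it above the rule, `# $2 must carry the protocol match (e.g. -p tcp); this helper no longer adds it`, and consider a guard such as `case "$2" in *"-p "*) ;; *) echo "ERROR: nfqws filter must specify protocol: $2" >&2; return 1;; esac`. Because of `--queue-bypass` the failure mode is extra traffic reaching nfqws rather than an outage, which is exactly the kind of widening that goes unnoticed.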
@ -223,7 +223,7 @@ _fw_nfqws_post6()
|
|||||||
|
|
||||||
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
|
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
|
||||||
|
|
||||||
rule="-p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
||||||
if [ -n "$4" ] ; then
|
if [ -n "$4" ] ; then
|
||||||
for i in $4; do
|
for i in $4; do
|
||||||
ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
|
ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
|
||||||
@ -270,13 +270,13 @@ zapret_do_firewall_rules_ipt()
|
|||||||
fw_nfqws_post4 $1 "$f4 $desync" $qn
|
fw_nfqws_post4 $1 "$f4 $desync" $qn
|
||||||
else
|
else
|
||||||
if [ -n "$qn" ]; then
|
if [ -n "$qn" ]; then
|
||||||
f4="--dport 80"
|
f4="-p tcp --dport 80"
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
||||||
filter_apply_ipset_target4 f4
|
filter_apply_ipset_target4 f4
|
||||||
fw_nfqws_post4 $1 "$f4 $desync" $qn
|
fw_nfqws_post4 $1 "$f4 $desync" $qn
|
||||||
fi
|
fi
|
||||||
if [ -n "$qns" ]; then
|
if [ -n "$qns" ]; then
|
||||||
f4="--dport 443 $first_packet_only"
|
f4="-p tcp --dport 443 $first_packet_only"
|
||||||
filter_apply_ipset_target4 f4
|
filter_apply_ipset_target4 f4
|
||||||
fw_nfqws_post4 $1 "$f4 $desync" $qns
|
fw_nfqws_post4 $1 "$f4 $desync" $qns
|
||||||
fi
|
fi
|
||||||
@ -288,13 +288,13 @@ zapret_do_firewall_rules_ipt()
|
|||||||
fw_nfqws_post6 $1 "$f6 $desync" $qn6
|
fw_nfqws_post6 $1 "$f6 $desync" $qn6
|
||||||
else
|
else
|
||||||
if [ -n "$qn6" ]; then
|
if [ -n "$qn6" ]; then
|
||||||
f6="--dport 80"
|
f6="-p tcp --dport 80"
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
||||||
filter_apply_ipset_target6 f6
|
filter_apply_ipset_target6 f6
|
||||||
fw_nfqws_post6 $1 "$f6 $desync" $qn6
|
fw_nfqws_post6 $1 "$f6 $desync" $qn6
|
||||||
fi
|
fi
|
||||||
if [ -n "$qns6" ]; then
|
if [ -n "$qns6" ]; then
|
||||||
f6="--dport 443 $first_packet_only"
|
f6="-p tcp --dport 443 $first_packet_only"
|
||||||
filter_apply_ipset_target6 f6
|
filter_apply_ipset_target6 f6
|
||||||
fw_nfqws_post6 $1 "$f6 $desync" $qns6
|
fw_nfqws_post6 $1 "$f6 $desync" $qns6
|
||||||
fi
|
fi
|
||||||
|
@ -346,8 +346,8 @@ _nft_fw_tpws4()
|
|||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
[ "$DISABLE_IPV4" = "1" ] || {
|
||||||
local filter="$1" port="$2"
|
local filter="$1" port="$2"
|
||||||
nft_print_op "$filter" "tpws (port $2)" 4
|
nft_print_op "$filter" "tpws (port $2)" 4
|
||||||
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||||
nft_add_rule dnat_pre iifname @lanif meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||||
prepare_route_localnet
|
prepare_route_localnet
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -361,9 +361,9 @@ _nft_fw_tpws6()
|
|||||||
[ "$DISABLE_IPV6" = "1" ] || {
|
[ "$DISABLE_IPV6" = "1" ] || {
|
||||||
local filter="$1" port="$2" DNAT6 i
|
local filter="$1" port="$2" DNAT6 i
|
||||||
nft_print_op "$filter" "tpws (port $port)" 6
|
nft_print_op "$filter" "tpws (port $port)" 6
|
||||||
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
||||||
[ -n "$3" ] && {
|
[ -n "$3" ] && {
|
||||||
nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
|
nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
|
||||||
for i in $3; do
|
for i in $3; do
|
||||||
_dnat6_target $i DNAT6
|
_dnat6_target $i DNAT6
|
||||||
# can be multiple tpws processes on different ports
|
# can be multiple tpws processes on different ports
|
||||||
@ -391,7 +391,7 @@ _nft_fw_nfqws_post4()
|
|||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
[ "$DISABLE_IPV4" = "1" ] || {
|
||||||
local filter="$1" port="$2" rule
|
local filter="$1" port="$2" rule
|
||||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
|
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
|
||||||
rule="${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret"
|
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
|
||||||
nft_add_rule postrouting $rule queue num $port bypass
|
nft_add_rule postrouting $rule queue num $port bypass
|
||||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||||
}
|
}
|
||||||
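Review bot: `rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"` drops `meta l4proto tcp`; in nftables a port expression such as `tcp dport 443` already implies the protocol, so the callers changed in this commit are unaffected, but a `$filter` with no transport expression (ipset-only, or empty) now turns `queue num $port bypass` into an all-protocol queue, and the same string is handed to `nft_add_nfqws_flow_exempt_rule`. The tpws variants above are safer by accident — as far as I recall nft rejects `dnat ip to addr:port` without a preceding transport match, so a protocol-less filter fails at load time there, whereas here it loads and quietly widens the match. A comment on the `rule=` line stating the new contract, `# $filter must include the transport match (tcp dport ..., meta l4proto ...); it is no longer added here`, would help the custom-script authors this change is aimed at. `_nft_fw_nfqws_post6` in the next hunk has the identical pattern.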
@ -405,7 +405,7 @@ _nft_fw_nfqws_post6()
|
|||||||
[ "$DISABLE_IPV6" = "1" ] || {
|
[ "$DISABLE_IPV6" = "1" ] || {
|
||||||
local filter="$1" port="$2" rule
|
local filter="$1" port="$2" rule
|
||||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
|
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
|
||||||
rule="${3:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6"
|
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
|
||||||
nft_add_rule postrouting $rule queue num $port bypass
|
nft_add_rule postrouting $rule queue num $port bypass
|
||||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||||
}
|
}
|
||||||
|
@ -26,7 +26,7 @@ zapret_custom_firewall()
|
|||||||
|
|
||||||
zapret_do_firewall_rules_ipt $1
|
zapret_do_firewall_rules_ipt $1
|
||||||
|
|
||||||
f4="--dport $MY_DPORT"
|
f4="-p tcp --dport $MY_DPORT"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
|
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
|
||||||
|
@ -28,14 +28,14 @@ zapret_custom_firewall()
|
|||||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
[ "$MODE_HTTP" = "1" ] && {
|
||||||
f4="--dport 80"
|
f4="-p tcp --dport 80"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_tpws $1 "$f4" "$f6" $TPPORT
|
fw_tpws $1 "$f4" "$f6" $TPPORT
|
||||||
}
|
}
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
[ "$MODE_HTTPS" = "1" ] && {
|
||||||
f4="--dport 443 $first_packet_only"
|
f4="-p tcp --dport 443 $first_packet_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
||||||
|
@ -26,7 +26,7 @@ zapret_custom_firewall()
|
|||||||
|
|
||||||
zapret_do_firewall_rules_ipt $1
|
zapret_do_firewall_rules_ipt $1
|
||||||
|
|
||||||
f4="--dport $MY_DPORT"
|
f4="-p tcp --dport $MY_DPORT"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
|
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
|
||||||
|
@ -28,14 +28,14 @@ zapret_custom_firewall()
|
|||||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||||
|
|
||||||
[ "$MODE_HTTP" = "1" ] && {
|
[ "$MODE_HTTP" = "1" ] && {
|
||||||
f4="--dport 80"
|
f4="-p tcp --dport 80"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_tpws $1 "$f4" "$f6" $TPPORT
|
fw_tpws $1 "$f4" "$f6" $TPPORT
|
||||||
}
|
}
|
||||||
|
|
||||||
[ "$MODE_HTTPS" = "1" ] && {
|
[ "$MODE_HTTPS" = "1" ] && {
|
||||||
f4="--dport 443 $first_packet_only"
|
f4="-p tcp --dport 443 $first_packet_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
||||||
|