diff --git a/init.d/openwrt/firewall.user.nfqws_all_https b/init.d/openwrt/firewall.user.nfqws_all_https
new file mode 100644
index 0000000..74e7dd7
--- /dev/null
+++ b/init.d/openwrt/firewall.user.nfqws_all_https
@@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443"
+IPT_FILTER_POST="-p tcp --dport 80"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
diff --git a/init.d/openwrt/firewall.user.nfqws_ipset_https b/init.d/openwrt/firewall.user.nfqws_ipset_https
new file mode 100644
index 0000000..ea33ab7
--- /dev/null
+++ b/init.d/openwrt/firewall.user.nfqws_ipset_https
@@ -0,0 +1,9 @@
+QNUM=200
+IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443 -m set --match-set zapret src"
+IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"
+
+iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
+
+iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
+ iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
diff --git a/init.d/openwrt/firewall.user.tpws_all b/init.d/openwrt/firewall.user.tpws_all
index a59221e..3f30f6e 100644
--- a/init.d/openwrt/firewall.user.tpws_all
+++ b/init.d/openwrt/firewall.user.tpws_all
@@ -1,6 +1,6 @@
-TPPORT=1188
+TPPORT_HTTP=1188
TPWS_USER=daemon
-IPT_FILTER="-p tcp --dport 80"
+IPT_FILTER_HTTP="-p tcp --dport 80"
. /lib/functions/network.sh
@@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
network_get_device DEVICE $ext_iface
# DNAT for local traffic
- iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
done
network_get_device DEVICE lan
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
diff --git a/init.d/openwrt/firewall.user.tpws_all_https b/init.d/openwrt/firewall.user.tpws_all_https
new file mode 100644
index 0000000..6cdd2fa
--- /dev/null
+++ b/init.d/openwrt/firewall.user.tpws_all_https
@@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80"
+IPT_FILTER_HTTPS="-p tcp --dport 443"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+ network_get_device DEVICE $ext_iface
+ # DNAT for local traffic
+
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
diff --git a/init.d/openwrt/firewall.user.tpws_ipset b/init.d/openwrt/firewall.user.tpws_ipset
index 929b4d3..53c546f 100644
--- a/init.d/openwrt/firewall.user.tpws_ipset
+++ b/init.d/openwrt/firewall.user.tpws_ipset
@@ -1,6 +1,6 @@
-TPPORT=1188
+TPPORT_HTTP=1188
TPWS_USER=daemon
-IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
. /lib/functions/network.sh
@@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
network_get_device DEVICE $ext_iface
# DNAT for local traffic
- iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
done
network_get_device DEVICE lan
sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
- iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
diff --git a/init.d/openwrt/firewall.user.tpws_ipset_https b/init.d/openwrt/firewall.user.tpws_ipset_https
new file mode 100644
index 0000000..1738426
--- /dev/null
+++ b/init.d/openwrt/firewall.user.tpws_ipset_https
@@ -0,0 +1,27 @@
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
+TPWS_USER=daemon
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+ network_get_device DEVICE $ext_iface
+ # DNAT for local traffic
+
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+ iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
+
+done
+
+network_get_device DEVICE lan
+sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret
index f89c441..1b0ab74 100755
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@@ -13,19 +13,24 @@ START=18
# using nfqws with ipset
#MODE=nfqws_ipset
+#MODE=nfqws_ipset_https
# using nfqws for all
#MODE=nfqws_all
+#MODE=nfqws_all_https
# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
NFQWS_OPT="--wsize=3 --hostspell=HOST"
# using tpws with ipset
-MODE=tpws_ipset
+#MODE=tpws_ipset
+MODE=tpws_ipset_https
# using tpws for all
#MODE=tpws_all
+#MODE=tpws_all_https
# using tpws with hostlist
#MODE=tpws_hostlist
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTPS="--split-pos=3"
# only fill ipset, do not run daemons
#MODE=ipset
@@ -47,11 +52,14 @@ QNUM=200
NFQWS=$ZAPRET_BASE/nfq/nfqws
NFQWS_OPT_BASE="--qnum=$QNUM"
-TPPORT=1188
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
TPWS=$ZAPRET_BASE/tpws/tpws
TPWS_USER=daemon
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
-TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
+TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
# must execute /etc/firewall.user on every firewall reload
@@ -99,20 +107,22 @@ start_service() {
case "${MODE}" in
tpws_hostlist)
- run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
;;
- tpws_ipset)
+ tpws_ipset|tpws_all)
create_ipset
- run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
;;
- tpws_all)
- run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+ tpws_ipset_https|tpws_all_https)
+ create_ipset
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+ run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
;;
- nfqws_ipset)
+ nfqws_ipset|nfqws_ipset_https)
create_ipset
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
;;
- nfqws_all)
+ nfqws_all|nfqws_all_https)
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
;;
ipset)
diff --git a/init.d/sysv/zapret b/init.d/sysv/zapret
index ed2d5f5..6facc50 100755
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@@ -18,19 +18,24 @@
# using nfqws with ipset
#MODE=nfqws_ipset
+#MODE=nfqws_ipset_https
# using nfqws for all
#MODE=nfqws_all
+#MODE=nfqws_all_https
# CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
NFQWS_OPT="--wsize=3 --hostspell=HOST"
# using tpws with ipset
-MODE=tpws_ipset
+#MODE=tpws_ipset
+MODE=tpws_ipset_https
# using tpws for all
#MODE=tpws_all
+#MODE=tpws_all_https
# using tpws with hostlist
#MODE=tpws_hostlist
# CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTPS="--split-pos=3"
# only fill ipset, do not run daemons
#MODE=ipset
@@ -58,11 +63,14 @@ QNUM=200
NFQWS=$ZAPRET_BASE/nfq/nfqws
NFQWS_OPT_BASE="--qnum=$QNUM"
-TPPORT=1188
+TPPORT_HTTP=1188
+TPPORT_HTTPS=1189
TPWS=$ZAPRET_BASE/tpws/tpws
TPWS_USER=tpws
TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
-TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
+TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
# exit script on any error
set -e
@@ -75,25 +83,27 @@ exists()
fw_tpws_add()
{
# $1 - iptable filter
+ # $2 - tpws port
echo "Adding iptables rule for tpws : $1"
[ -n "$SLAVE_ETH" ] && {
- iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
- iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
+ iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
}
- iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
- iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
+ iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
}
fw_tpws_del()
{
# $1 - iptable filter
+ # $2 - tpws port
echo "Deleting iptables rule for tpws : $1"
[ -n "$SLAVE_ETH" ] && {
- iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
- iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
+ iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
}
- iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
- iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
+ iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
true
}
fw_nfqws_add_pre()
@@ -199,19 +209,34 @@ case "$1" in
case "${MODE}" in
tpws_hostlist)
prepare_tpws
- fw_tpws_add "--dport 80"
- run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
+ fw_tpws_add "--dport 80" $TPPORT_HTTP
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
;;
tpws_ipset)
create_ipset
prepare_tpws
- fw_tpws_add "--dport 80 -m set --match-set zapret dst"
- run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+ fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+ ;;
+ tpws_ipset_https)
+ create_ipset
+ prepare_tpws
+ fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+ fw_tpws_add "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+ run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
;;
tpws_all)
prepare_tpws
- fw_tpws_add "--dport 80"
- run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+ fw_tpws_add "--dport 80" $TPPORT_HTTP
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+ ;;
+ tpws_all_https)
+ prepare_tpws
+ fw_tpws_add "--dport 80" $TPPORT_HTTP
+ fw_tpws_add "--dport 443" $TPPORT_HTTPS
+ run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
+ run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
;;
nfqws_ipset)
create_ipset
@@ -219,11 +244,22 @@ case "$1" in
fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
;;
+ nfqws_ipset_https)
+ create_ipset
+ fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
+ fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
+ run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
+ ;;
nfqws_all)
fw_nfqws_add_pre "--sport 80"
fw_nfqws_add_post "--dport 80"
run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
;;
+ nfqws_all_https)
+ fw_nfqws_add_pre "-m multiport --sports 80,443"
+ fw_nfqws_add_post "--dport 80"
+ run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
+ ;;
ipset)
create_ipset
;;
@@ -241,23 +277,45 @@ case "$1" in
stop)
case "${MODE}" in
tpws_hostlist|tpws_all)
- fw_tpws_del "--dport 80"
+ fw_tpws_del "--dport 80" $TPPORT_HTTP
stop_daemon 1 $TPWS
;;
tpws_ipset)
- fw_tpws_del "--dport 80 -m set --match-set zapret dst"
+ fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
stop_daemon 1 $TPWS
;;
+ tpws_ipset_https)
+ fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
+ fw_tpws_del "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
+ stop_daemon 1 $TPWS
+ stop_daemon 2 $TPWS
+ ;;
+ tpws_all_https)
+ fw_tpws_del "--dport 80" $TPPORT_HTTP
+ fw_tpws_del "--dport 443" $TPPORT_HTTPS
+ stop_daemon 1 $TPWS
+ stop_daemon 2 $TPWS
+ ;;
nfqws_ipset)
fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src"
fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
stop_daemon 1 $NFQWS
;;
+ nfqws_ipset_https)
+ fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
+ fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
+ stop_daemon 1 $NFQWS
+ ;;
nfqws_all)
fw_nfqws_del_pre "--sport 80"
fw_nfqws_del_post "--dport 80"
stop_daemon 1 $NFQWS
;;
+ nfqws_all_https)
+ fw_nfqws_del_pre "-m multiport --sports 80,443"
+ fw_nfqws_del_post "--dport 80"
+ stop_daemon 1 $NFQWS
+ ;;
custom)
# PLACEHOLDER
echo !!! NEED ATTENTION !!!
diff --git a/readme.txt b/readme.txt
index 7ea7e0b..a439606 100644
--- a/readme.txt
+++ b/readme.txt
@@ -210,9 +210,13 @@ tpws должен запускаться без фильтрации по ipset.
Выберите MODE. Снимите комментарий только с одного из присваиваний.
nfqws_ipset - использовать nfqws для модификации трафика на порт 80 только на IP из ipset "zapret"
+nfqws_ipset_https - использовать nfqws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
nfqws_all - использовать nfqws для модификации трафика на порт 80 для всех IP
+nfqws_all_https - использовать nfqws для модификации трафика на порты 80 и 443 для всех IP
tpws_ipset - использовать tpws для модификации трафика на порт 80 только на IP из ipset "zapret"
+tpws_ipset_https - использовать tpws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
tpws_all - использовать tpws для модификации трафика на порт 80 для всех IP
+tpws_all_https - использовать tpws для модификации трафика на порты 80 и 443 для всех IP
tpws_hostlist - пропускать через tpws весь трафик на порт 80. tpws применяет дурение только к хостам из hostlist.
ipset - только заполнить ipset. ipset может быть применен для заворота трафика на прокси или на VPN
custom - нужно самому запрограммировать запуск демонов и правила iptables
@@ -220,7 +224,8 @@ custom - нужно самому запрограммировать запуск
Можно изменить опции дурения, применяемые демонами nfqws и tpws :
NFQWS_OPT="--wsize=3 --hostspell=HOST"
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTPS="--split-pos=3"
Пример установки на debian-подобную систему
-------------------------------------------