openwrt hotplug.d removed

changes.txt

@@ -38,3 +38,7 @@ ipset : added "get_antizapret.sh"
 v7
 
 tpws : added ability to insert "." after Host: name
+
+v8
+
+openwrt init : removed hotplug.d/firewall because of race conditions. now only use /etc/firewall.user

init.d/openwrt/99-zapret

@@ -1,35 +0,0 @@
-# copy it to /etc/hotplug.d/firewall/99-zapret
-
-# CHOOSE ISP HERE. UNCOMMENT ONLY ONE LINE.
-# if your ISP not in list then comment all lines
-ISP=domru
-
-TPPORT=1188
-TPWS_USER=daemon
-
-case "$ACTION" in
-    add)
-    case "$ISP" in
-	domru)
-	case "$INTERFACE" in
-	    wan)
-	    # BLOCK SPOOFED DNS FROM DOMRU
-	    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
-	     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
-	    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
-	     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
-	    # DNAT for local traffic
-	    iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
-	     iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
-	    ;;
-	    
-	    lan)
-	    # DNAT for pass-thru traffic
-	    sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-	    iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
-	     iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
-	    ;;
-     	esac
-	;;
-    esac
-esac

init.d/openwrt/firewall.user.domru

@@ -0,0 +1,23 @@
+TPPORT=1188
+TPWS_USER=daemon
+
+. /lib/functions/network.sh
+
+network_find_wan wan_iface
+
+for ext_iface in $wan_iface; do
+    network_get_device DEVICE $ext_iface
+    # BLOCK SPOOFED DNS FROM DOMRU
+    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300 ||
+     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|5cfff164|" --algo bm -j DROP --from 40 --to 300
+    iptables -t raw -C PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300 ||
+     iptables -t raw -I PREROUTING -i $DEVICE -p udp --sport 53 -m string --hex-string "|2a022698a00000000000000000000064|" --algo bm -j DROP --from 40 --to 300
+    # DNAT for local traffic
+    iptables -t nat -C OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+     iptables -t nat -I OUTPUT -p tcp --dport 80 -o $DEVICE -m owner ! --uid-owner $TPWS_USER -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT
+
+done
+
+sysctl -w net.ipv4.conf.br-lan.route_localnet=1
+iptables -t nat -C prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT ||
+ iptables -t nat -I prerouting_lan_rule -p tcp --dport 80 -m set --match-set zapret dst -j DNAT --to 127.0.0.1:$TPPORT

init.d/openwrt/zapret

@@ -7,7 +7,7 @@
 #ISP=beeline
 ISP=domru
 
-# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user or /etc/hotplug.d/firewall/99-zapret
+# !!!!! in openwrt you need to add firewall rules manually to /etc/firewall.user
 
 QNUM=200
 TPPORT=1188
@@ -20,6 +20,26 @@ TPWS_USER=daemon
 # start betfore firewall - we need ipset populated
 START=18
 
+
+# must execute /etc/firewall.user on every firewall reload
+set_firewall_user_reload() {
+	i=0
+	while true
+	do
+	 path=$(uci -q get firewall.@include[$i].path)
+	 [ -n "$path" ] || break
+	 [ "$path" == "/etc/firewall.user" ] && {
+	   reload=$(uci -q get firewall.@include[$i].reload)
+	   [ "$reload" = "1" ] || {
+	     echo Setting 'reload' call option to /etc/firewall.user
+	     uci set firewall.@include[$i].reload=1
+	     uci commit firewall
+	   }
+	 }
+	 i=$((i+1))
+	done
+}
+
 get_daemon() {
 	case "${ISP}" in
 	    mns)
@@ -43,6 +63,7 @@ get_daemon() {
 
 
 start() {
+	set_firewall_user_reload
 	echo "Creating ipset"
 	($IPSET_CR)
 

readme.txt

@@ -1,4 +1,4 @@
-zapret v.7
+zapret v.8
 
 Для чего это надо
 -----------------
@@ -242,9 +242,7 @@ opkg install iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptable
 В /etc/init.d/zapret выбрать пераметр "ISP". В зависимости от него будут применены нужные правила.
 /etc/init.d/zapret enable
 /etc/init.d/zapret start
-В зависимости от вашего провайдера либо внести нужные записи в /etc/firewall.user, либо
-скопировать 99-zapret в /etc/hotplug.d/firewall (сначала нужно mkdir /etc/hotplug.d/firewall).
-В /etc/hotplug.d/firewall/99-zapret выбрать нужного провайдера.
+В зависимости от вашего провайдера внести нужные записи в /etc/firewall.user.
 /etc/init.d/firewall restart
 Посмотреть через iptables -L или через luci вкладку "firewall" появились ли нужные правила.
 Зашедулить задание обновления листа :