macos custom mode

This commit is contained in:
bol-van 2021-03-04 17:36:56 +03:00
parent b5bcc85ee6
commit 4dd0524929
5 changed files with 143 additions and 40 deletions


@ -373,3 +373,19 @@ start-fw создает 3 файла anchors в /etc/pf.anchors : zapret,zapret-
Таблицы zapret6,zapret6-user - в anchor "zapret-v6". Таблицы zapret6,zapret6-user - в anchor "zapret-v6".
Если какая-то версия протокола отключена - соответствующий anchor пустой и не упоминается в anchor "zapret". Если какая-то версия протокола отключена - соответствующий anchor пустой и не упоминается в anchor "zapret".
Таблицы и правила создаются только на те листы, которые фактически есть в директории ipset. Таблицы и правила создаются только на те листы, которые фактически есть в директории ipset.
MacOS вариант custom
--------------------
Так же как и в других системах, поддерживаемых в простом инсталяторе, можно создавать свои custom скрипты.
Расположение : /opt/zapret/init.d/macos/custom
zapret_custom_daemons() получает в $1 "0" или "1". "0" - stop, "1" - start
custom firewall отличается от linux варианта.
Вместо заполнения iptables вам нужно сгенерировать правила для zapret-v4 и zapret-v6 anchors и выдать их в stdout.
Это делается в функциях zapret_custom_firewall_v4() и zapret_custom_firewall_v6().
Определения таблиц заполняются основным скриптом - вам это делать не нужно.
Можно ссылаться на таблицы zapret и zapret-user в v4, zapret6 и zapret6-user.
Cм. пример в файле custom-tpws

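--- /dev/null
+++ b/init.d/macos/custom
@@ -0,0 +1,21 @@
+# this script contain your special code to launch daemons and configure firewall
+# use helpers from "functions" file
+# in case of upgrade keep this file only, do not modify others
+zapret_custom_daemons()
+{
+# $1 - 1 - run, 0 - stop
+:
+}
+# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
+# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
+zapret_custom_firewall_v4()
+{
+:
+}
+zapret_custom_firewall_v6()
+{
+:
+}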
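Review bot: The header does not say how this file is executed: it is sourced by the "functions" script (`[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"` in this commit) and so runs with that script's privileges, which for a script that writes pf anchors is root. I would add `# this file is sourced by the "functions" script and runs with its (root) privileges - keep it owned by root and not writable by other users` to the header. The firewall comment could also state that `zapret_custom_firewall_v4/v6` run inside `pf_anchor_zapret_v4/v6`, and that the `pf_anchor_zapret_v4_tpws`/`pf_anchor_zapret_v6_tpws` helpers read the caller's `$tbl`, so they only work when invoked from those functions.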

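--- /dev/null
+++ b/init.d/macos/custom-tpws
@@ -0,0 +1,25 @@
+# this script is an example describing how to run tpws on a custom port
+TPPORT_MY=987
+zapret_custom_daemons()
+{
+# $1 - 1 - run, 0 - stop
+local opt="--user=root --port=$TPPORT_MY"
+filter_apply_hostlist_target opt
+tpws_apply_binds opt
+opt="$opt $TPWS_OPT"
+do_daemon $1 1 "$TPWS" "$opt"
+}
+# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
+# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
+zapret_custom_firewall_v4()
+{
+pf_anchor_zapret_v4_tpws $TPPORT_MY
+}
+zapret_custom_firewall_v6()
+{
+pf_anchor_zapret_v6_tpws $TPPORT_MY
+}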
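Review bot: `--user=root` in `opt` deserves a comment, because the `pass out ... user { >root }` rules emitted by `pf_anchor_zapret_v4_tpws`/`_v6_tpws` exempt root-owned sockets from the route-to, which appears to be how the daemon's own outbound connections avoid being redirected back to itself; if that is the reason, say so, since a reader copying this example may lower the privilege and create a loop. Something like `# tpws must run as root: the pf pass rules only route-to non-root traffic, so the proxy's own connections are not looped back` would do. Also `do_daemon $1 1 "$TPWS" "$opt"` leaves `$1` unquoted while the other arguments are quoted; `"$1"` would be consistent.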


@ -20,6 +20,14 @@ PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
[ -n "$IFACE_WAN" ] && OWAN=" on $IFACE_WAN" [ -n "$IFACE_WAN" ] && OWAN=" on $IFACE_WAN"
CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
existf()
{
type "$1" >/dev/null 2>/dev/null
}
on_off_function() on_off_function()
{ {
# $1 : function name on # $1 : function name on
@ -220,46 +228,72 @@ pf_anchor_port_target()
echo "80" echo "80"
fi fi
} }
pf_anchor_zapret_v4_tpws()
{
# $1 - port
local port=$(pf_anchor_port_target)
[ -n "$IFACE_LAN" ] && {
for t in $tbl; do
echo "rdr on $IFACE_LAN inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
done
}
echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1"
for t in $tbl; do
echo "pass out$OWAN route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
done
}
pf_anchor_zapret_v4() pf_anchor_zapret_v4()
{ {
local tbl port local tbl port
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
[ "$MODE" = "tpws" ] && { case $MODE in
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return tpws)
pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
port=$(pf_anchor_port_target) pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
for t in $tbl; do pf_anchor_zapret_v4_tpws $TPPORT
[ -n "$IFACE_LAN" ] && echo "rdr on $IFACE_LAN inet proto tcp from any to $t port $port -> 127.0.0.1 port $TPPORT" ;;
done custom)
echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $TPPORT" pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
for t in $tbl; do existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
echo "pass out$OWAN route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }" ;;
done esac
}
} }
} }
pf_anchor_zapret_v6_tpws()
{
# $1 - port
local port=$(pf_anchor_port_target)
# LAN link local is only for router
[ -n "$IFACE_LAN" ] && LL_LAN=$(get_ipv6_linklocal $IFACE_LAN)
[ -n "$LL_LAN" ] && {
for t in $tbl; do
echo "rdr on $IFACE_LAN inet6 proto tcp from any to $t port $port -> $LL_LAN port $1"
done
}
echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1"
for t in $tbl; do
echo "pass out$OWAN route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
done
}
pf_anchor_zapret_v6() pf_anchor_zapret_v6()
{ {
local tbl port LL_LAN local tbl port LL_LAN
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
[ "$MODE" = "tpws" ] && { case $MODE in
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return tpws)
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
# LAN link local is only for router pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
[ -n "$IFACE_LAN" ] && LL_LAN=$(get_ipv6_linklocal $IFACE_LAN) pf_anchor_zapret_v6_tpws $TPPORT
;;
pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" custom)
port=$(pf_anchor_port_target) pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
for t in $tbl; do existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
[ -n "$LL_LAN" ] && echo "rdr on $IFACE_LAN inet6 proto tcp from any to $t port $port -> $LL_LAN port $TPPORT" ;;
done esac
echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $TPPORT"
for t in $tbl; do
echo "pass out$OWAN route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
done
}
} }
} }
pf_anchors_create() pf_anchors_create()
@ -330,7 +364,7 @@ zapret_do_firewall()
# $1 - 1 - add, 0 - del # $1 - 1 - add, 0 - del
case "${MODE}" in case "${MODE}" in
tpws|filter) tpws|filter|custom)
if [ "$1" = "1" ] ; then if [ "$1" = "1" ] ; then
pf_anchor_root || return 1 pf_anchor_root || return 1
pf_anchors_create pf_anchors_create
@ -384,6 +418,9 @@ zapret_do_daemons()
;; ;;
filter) filter)
;; ;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons $1
;;
*) *)
echo "unsupported MODE=$MODE" echo "unsupported MODE=$MODE"
return 1 return 1
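Review bot: `[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"` sources the custom file into a script that runs with root privileges (it loads pf anchors and emits `user { >root }` rules), so a custom file writable by a non-root user becomes a privilege-escalation path; consider refusing to source it unless it is owned by root and not group/world-writable (on macOS `stat -f '%Su %Sp' "$CUSTOM_SCRIPT"` exposes both), or at least document the permission requirement where the file is installed. The new `pf_anchor_zapret_v4_tpws` and `pf_anchor_zapret_v6_tpws` read `$tbl` (and the v6 one assigns `LL_LAN`) from the caller's `local` declarations rather than taking them as parameters, which the `# $1 - port` comment does not mention; I would extend it to `# $1 - port ; uses $tbl from caller, call only from pf_anchor_zapret_v4/v6`. `existf()` uses `type "$1"`, which is also true for an external command of that name, not only a shell function; if that matters, note it in a comment.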


@ -292,7 +292,7 @@ write_config_var()
select_mode_mode() select_mode_mode()
{ {
local MODES="tpws nfqws filter custom" local MODES="tpws nfqws filter custom"
[ "$SYSTEM" = "macos" ] && MODES="tpws filter" [ "$SYSTEM" = "macos" ] && MODES="tpws filter custom"
echo echo
echo select MODE : echo select MODE :
ask_list MODE "$MODES" tpws && write_config_var MODE ask_list MODE "$MODES" tpws && write_config_var MODE
@ -540,7 +540,7 @@ backup_restore_settings()
{ {
# $1 - 1 - backup, 0 - restore # $1 - 1 - backup, 0 - restore
local mode=$1 local mode=$1
on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt"
} }
check_location() check_location()
@ -1176,17 +1176,21 @@ service_start_macos()
} }
macos_fw_reload_trigger_clear() macos_fw_reload_trigger_clear()
{ {
[ "$MODE" = "tpws" ] && { case "$MODE" in
LISTS_RELOAD= tpws|custom)
write_config_var LISTS_RELOAD LISTS_RELOAD=
} write_config_var LISTS_RELOAD
;;
esac
} }
macos_fw_reload_trigger_set() macos_fw_reload_trigger_set()
{ {
[ "$MODE" = "tpws" ] && { case "$MODE" in
LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables" tpws|custom)
write_config_var LISTS_RELOAD LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
} write_config_var LISTS_RELOAD
;;
esac
} }
install_macos() install_macos()