nft: use map for tpws DNAT6 targeting

This commit is contained in:
bol-van 2022-02-23 12:13:26 +03:00
parent f49ad5d194
commit 6b3d9153f8


@ -84,6 +84,7 @@ cat << EOF | nft -f -
add set inet $ZAPRET_NFT_TABLE lanif { type ifname; } add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
add set inet $ZAPRET_NFT_TABLE wanif { type ifname; } add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; } add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
add map inet $ZAPRET_NFT_TABLE tpws6 { type ifname: ipv6_addr . inet_service; }
EOF EOF
} }
nft_del_chains() nft_del_chains()
@ -128,13 +129,19 @@ cat << EOF | nft -f - 2>/dev/null
flush set inet $ZAPRET_NFT_TABLE lanif flush set inet $ZAPRET_NFT_TABLE lanif
flush set inet $ZAPRET_NFT_TABLE wanif flush set inet $ZAPRET_NFT_TABLE wanif
flush set inet $ZAPRET_NFT_TABLE wanif6 flush set inet $ZAPRET_NFT_TABLE wanif6
flush map inet $ZAPRET_NFT_TABLE tpws6
EOF EOF
} }
nft_flush_tpws6()
{
nft flush map inet $ZAPRET_NFT_TABLE tpws6 2>/dev/null
}
nft_list_ifsets() nft_list_ifsets()
{ {
nft list set inet $ZAPRET_NFT_TABLE lanif nft list set inet $ZAPRET_NFT_TABLE lanif
nft list set inet $ZAPRET_NFT_TABLE wanif nft list set inet $ZAPRET_NFT_TABLE wanif
nft list set inet $ZAPRET_NFT_TABLE wanif6 nft list set inet $ZAPRET_NFT_TABLE wanif6
nft list map inet $ZAPRET_NFT_TABLE tpws6
nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
} }
@ -142,12 +149,14 @@ nft_create_firewall()
{ {
nft_create_table nft_create_table
nft_del_flowtable nft_del_flowtable
nft_flush_tpws6
nft_create_chains nft_create_chains
} }
nft_del_firewall() nft_del_firewall()
{ {
nft_del_chains nft_del_chains
nft_del_flowtable nft_del_flowtable
nft_flush_tpws6
# leave ifsets and ipsets because they may be used by custom rules # leave ifsets and ipsets because they may be used by custom rules
} }
@ -159,14 +168,20 @@ nft_add_rule()
shift shift
nft add rule inet $ZAPRET_NFT_TABLE $chain "$@" nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
} }
nft_add_set_element()
{
# $1 - set or map name
# $2 - element
[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
}
nft_add_set_elements() nft_add_set_elements()
{ {
# $1 - set name # $1 - set or map name
# $2,$3,... - element(s) # $2,$3,... - element(s)
local set="$1" elements local set="$1" elements
shift shift
make_comma_list elements "$@" make_comma_list elements "$@"
[ -z "$elements" ] || nft add element inet $ZAPRET_NFT_TABLE $set "{ $elements }" nft_add_set_element $set "$elements"
} }
nft_reverse_nfqws_rule() nft_reverse_nfqws_rule()
{ {
@ -326,7 +341,7 @@ _nft_fw_tpws4()
{ {
# $1 - filter ipv4 # $1 - filter ipv4
# $2 - tpws port # $2 - tpws port
# $4 - not-empty if wan interface filtering required # $3 - not-empty if wan interface filtering required
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
local filter="$1" port="$2" local filter="$1" port="$2"
@ -347,13 +362,14 @@ _nft_fw_tpws6()
local filter="$1" port="$2" DNAT6 i local filter="$1" port="$2" DNAT6 i
nft_print_op "$filter" "tpws (port $port)" 6 nft_print_op "$filter" "tpws (port $port)" 6
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
_set_route_localnet 1 $3 [ -n "$3" ] && {
nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @tpws6
for i in $3; do for i in $3; do
_dnat6_target $i DNAT6 _dnat6_target $i DNAT6
[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_rule dnat_pre iifname \"$i\" meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [$DNAT6]:$port [ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element tpws6 "$i : $DNAT6 . $port"
shift
done done
} }
}
} }
nft_fw_tpws() nft_fw_tpws()
{ {