nft: use map for tpws DNAT6 targeting
This commit is contained in:
parent
f49ad5d194
commit
6b3d9153f8
@ -84,6 +84,7 @@ cat << EOF | nft -f -
|
|||||||
add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
|
add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
|
||||||
add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
|
add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
|
||||||
add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
|
add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
|
||||||
|
add map inet $ZAPRET_NFT_TABLE tpws6 { type ifname: ipv6_addr . inet_service; }
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
nft_del_chains()
|
nft_del_chains()
|
||||||
@ -128,13 +129,19 @@ cat << EOF | nft -f - 2>/dev/null
|
|||||||
flush set inet $ZAPRET_NFT_TABLE lanif
|
flush set inet $ZAPRET_NFT_TABLE lanif
|
||||||
flush set inet $ZAPRET_NFT_TABLE wanif
|
flush set inet $ZAPRET_NFT_TABLE wanif
|
||||||
flush set inet $ZAPRET_NFT_TABLE wanif6
|
flush set inet $ZAPRET_NFT_TABLE wanif6
|
||||||
|
flush map inet $ZAPRET_NFT_TABLE tpws6
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
nft_flush_tpws6()
|
||||||
|
{
|
||||||
|
nft flush map inet $ZAPRET_NFT_TABLE tpws6 2>/dev/null
|
||||||
|
}
|
||||||
nft_list_ifsets()
|
nft_list_ifsets()
|
||||||
{
|
{
|
||||||
nft list set inet $ZAPRET_NFT_TABLE lanif
|
nft list set inet $ZAPRET_NFT_TABLE lanif
|
||||||
nft list set inet $ZAPRET_NFT_TABLE wanif
|
nft list set inet $ZAPRET_NFT_TABLE wanif
|
||||||
nft list set inet $ZAPRET_NFT_TABLE wanif6
|
nft list set inet $ZAPRET_NFT_TABLE wanif6
|
||||||
|
nft list map inet $ZAPRET_NFT_TABLE tpws6
|
||||||
nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
|
nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -142,12 +149,14 @@ nft_create_firewall()
|
|||||||
{
|
{
|
||||||
nft_create_table
|
nft_create_table
|
||||||
nft_del_flowtable
|
nft_del_flowtable
|
||||||
|
nft_flush_tpws6
|
||||||
nft_create_chains
|
nft_create_chains
|
||||||
}
|
}
|
||||||
nft_del_firewall()
|
nft_del_firewall()
|
||||||
{
|
{
|
||||||
nft_del_chains
|
nft_del_chains
|
||||||
nft_del_flowtable
|
nft_del_flowtable
|
||||||
|
nft_flush_tpws6
|
||||||
# leave ifsets and ipsets because they may be used by custom rules
|
# leave ifsets and ipsets because they may be used by custom rules
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -159,14 +168,20 @@ nft_add_rule()
|
|||||||
shift
|
shift
|
||||||
nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
|
nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
|
||||||
}
|
}
|
||||||
|
nft_add_set_element()
|
||||||
|
{
|
||||||
|
# $1 - set or map name
|
||||||
|
# $2 - element
|
||||||
|
[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
|
||||||
|
}
|
||||||
nft_add_set_elements()
|
nft_add_set_elements()
|
||||||
{
|
{
|
||||||
# $1 - set name
|
# $1 - set or map name
|
||||||
# $2,$3,... - element(s)
|
# $2,$3,... - element(s)
|
||||||
local set="$1" elements
|
local set="$1" elements
|
||||||
shift
|
shift
|
||||||
make_comma_list elements "$@"
|
make_comma_list elements "$@"
|
||||||
[ -z "$elements" ] || nft add element inet $ZAPRET_NFT_TABLE $set "{ $elements }"
|
nft_add_set_element $set "$elements"
|
||||||
}
|
}
|
||||||
nft_reverse_nfqws_rule()
|
nft_reverse_nfqws_rule()
|
||||||
{
|
{
|
||||||
@ -326,7 +341,7 @@ _nft_fw_tpws4()
|
|||||||
{
|
{
|
||||||
# $1 - filter ipv4
|
# $1 - filter ipv4
|
||||||
# $2 - tpws port
|
# $2 - tpws port
|
||||||
# $4 - not-empty if wan interface filtering required
|
# $3 - not-empty if wan interface filtering required
|
||||||
|
|
||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
[ "$DISABLE_IPV4" = "1" ] || {
|
||||||
local filter="$1" port="$2"
|
local filter="$1" port="$2"
|
||||||
@ -347,12 +362,13 @@ _nft_fw_tpws6()
|
|||||||
local filter="$1" port="$2" DNAT6 i
|
local filter="$1" port="$2" DNAT6 i
|
||||||
nft_print_op "$filter" "tpws (port $port)" 6
|
nft_print_op "$filter" "tpws (port $port)" 6
|
||||||
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
||||||
_set_route_localnet 1 $3
|
[ -n "$3" ] && {
|
||||||
for i in $3; do
|
nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @tpws6
|
||||||
_dnat6_target $i DNAT6
|
for i in $3; do
|
||||||
[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_rule dnat_pre iifname \"$i\" meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [$DNAT6]:$port
|
_dnat6_target $i DNAT6
|
||||||
shift
|
[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element tpws6 "$i : $DNAT6 . $port"
|
||||||
done
|
done
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
nft_fw_tpws()
|
nft_fw_tpws()
|
||||||
|
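Review bot: The new `tpws6` map is keyed by `ifname` alone, so it can hold exactly one `DNAT6 . port` pair per interface, while `_nft_fw_tpws6` still takes a per-call `$filter` and `$port`; if the function is invoked more than once with different ports (the callers are not visible in this hunk, so this is inferred), the second `nft_add_set_element tpws6 "$i : $DNAT6 . $port"` collides with the existing key and the `dnat_pre ... dnat ip6 to iifname map @tpws6` rule added for the second filter resolves to whichever port populated the map first. That limitation is invisible at the call site, so I would state it next to the map definition in `nft_create_table`: `# tpws6 map: one DNAT6 target/port per interface; repeated _nft_fw_tpws6 calls with different ports collide on the ifname key`. A smaller point in the same loop: the replaced rule quoted the interface name (`iifname \"$i\"`) whereas the new element string passes it bare, and `"\"$i\" : $DNAT6 . $port"` would preserve the old quoting for any interface name nft would otherwise misparse. The opening lines of `_nft_fw_tpws6` are outside the hunk.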