From 7f5731c5d05bfc81d09977501677afa502586785 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 4 Mar 2022 17:30:02 +0300
Subject: [PATCH] allow to specify protocol in helper function, do not fix tcp
---
 common/ipt.sh | 22 ++++++++++-----------
 common/nft.sh | 12 +++++------
 init.d/openwrt/custom-reuse-builtin-mode | 2 +-
 init.d/openwrt/custom-tpws4http-nfqws4https | 4 ++--
 init.d/sysv/custom-reuse-builtin-mode | 2 +-
 init.d/sysv/custom-tpws4http-nfqws4https | 4 ++--
 6 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/common/ipt.sh b/common/ipt.sh
index 1307145..0e1e822 100644
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -50,11 +50,11 @@ filter_apply_port_target() # $1 - var name of iptables filter
 local f
 if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
- f="-m multiport --dports 80,443"
+ f="-p tcp -m multiport --dports 80,443"
 elif [ "$MODE_HTTPS" = "1" ]; then
- f="--dport 443"
+ f="-p tcp --dport 443"
 elif [ "$MODE_HTTP" = "1" ]; then
- f="--dport 80"
+ f="-p tcp --dport 80"
 else
 echo WARNING !!! HTTP and HTTPS are both disabled
 fi
@@ -136,7 +136,7 @@ _fw_tpws4()
 ipt_print_op $1 "$2" "tpws (port $3)"
- rule="-p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
+ rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
 for i in $4 ; do
 ipt_add_del $1 PREROUTING -t nat -i $i $rule
 done
@@ -164,7 +164,7 @@ _fw_tpws6()
 ipt_print_op $1 "$2" "tpws (port $3)" 6
- rule="-p tcp $2 $IPSET_EXCLUDE6 dst"
+ rule="$2 $IPSET_EXCLUDE6 dst"
 for i in $4 ; do
 _dnat6_target $i DNAT6
 [ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
@@ -202,7 +202,7 @@ _fw_nfqws_post4()
 ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
- rule="-p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
+ rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
 if [ -n "$4" ] ; then
 for i in $4; do
 ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
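Review bot: The `else` branch at the end of this hunk still leaves `f` empty, and now that `-p tcp` travels inside the filter instead of being prepended by the helpers, an empty filter carries no protocol match at all; any rule built from it would match every protocol, whereas before this commit the helpers added `-p tcp` regardless of what the filter held. What happens to `f` after `fi` is outside the hunk, so whether a caller can reach the helpers with both modes disabled cannot be confirmed here. At minimum the warning belongs on stderr and the new contract should be stated next to it: `echo "WARNING !!! HTTP and HTTPS are both disabled" >&2` followed by `# f stays empty: no protocol match, so callers must not build rules from it`.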
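Review bot: `_fw_tpws4` no longer prepends `-p tcp`, and the `DNAT --to host:port` target in the new `rule=` line needs a TCP/UDP/SCTP/DCCP protocol match, so a caller filter without `-p` now makes `ipt_add_del` fail at insert time where it used to work. That is a contract change for every caller of `fw_tpws`, including the custom scripts in this patch, and it is not written down in the function. Suggest a header comment above `ipt_print_op`: `# $2 - iptables match expression; must include -p tcp (or -p udp), because DNAT --to with a port needs a transport protocol`. The function starts outside the hunk.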
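Review bot: Unlike the DNAT rule, the NFQUEUE rule in the new `rule=` line accepts a match with no protocol, so a caller filter that omits `-p tcp` no longer errors — it silently queues every protocol on the outgoing interface (UDP, ICMP, …) to nfqws, which previously only ever saw TCP. `--queue-bypass` only covers the no-listener case; while nfqws is running, that is a widened userspace path for all traffic. A cheap guard at the top of the function would make the contract explicit, e.g. `case "$2" in *"-p "*) ;; *) echo "WARNING: nfqws filter has no -p protocol match: $2" >&2 ;; esac`, plus a header comment stating that `$2` must carry the protocol. The function starts outside the hunk.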
@@ -223,7 +223,7 @@ _fw_nfqws_post6()
 ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
- rule="-p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
+ rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
 if [ -n "$4" ] ; then
 for i in $4; do
 ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
@@ -270,13 +270,13 @@ zapret_do_firewall_rules_ipt()
 fw_nfqws_post4 $1 "$f4 $desync" $qn
 else
 if [ -n "$qn" ]; then
- f4="--dport 80"
+ f4="-p tcp --dport 80"
 [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 filter_apply_ipset_target4 f4
 fw_nfqws_post4 $1 "$f4 $desync" $qn
 fi
 if [ -n "$qns" ]; then
- f4="--dport 443 $first_packet_only"
+ f4="-p tcp --dport 443 $first_packet_only"
 filter_apply_ipset_target4 f4
 fw_nfqws_post4 $1 "$f4 $desync" $qns
 fi
@@ -288,13 +288,13 @@ zapret_do_firewall_rules_ipt()
 fw_nfqws_post6 $1 "$f6 $desync" $qn6
 else
 if [ -n "$qn6" ]; then
- f6="--dport 80"
+ f6="-p tcp --dport 80"
 [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
 filter_apply_ipset_target6 f6
 fw_nfqws_post6 $1 "$f6 $desync" $qn6
 fi
 if [ -n "$qns6" ]; then
- f6="--dport 443 $first_packet_only"
+ f6="-p tcp --dport 443 $first_packet_only"
 filter_apply_ipset_target6 f6
 fw_nfqws_post6 $1 "$f6 $desync" $qns6
 fi
diff --git a/common/nft.sh b/common/nft.sh
index 4bc2247..81b14c8 100644
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -346,8 +346,8 @@ _nft_fw_tpws4()
 [ "$DISABLE_IPV4" = "1" ] || {
 local filter="$1" port="$2"
 nft_print_op "$filter" "tpws (port $2)" 4
- nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
- nft_add_rule dnat_pre iifname @lanif meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
+ nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
+ nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
 prepare_route_localnet
 }
 }
@@ -361,9 +361,9 @@ _nft_fw_tpws6()
 [ "$DISABLE_IPV6" = "1" ] || {
 local filter="$1" port="$2" DNAT6 i
 nft_print_op "$filter" "tpws (port $port)" 6
- nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
+ nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
 [ -n "$3" ] && {
- nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
+ nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
 for i in $3; do
 _dnat6_target $i DNAT6
 # can be multiple tpws processes on different ports
@@ -391,7 +391,7 @@ _nft_fw_nfqws_post4()
 [ "$DISABLE_IPV4" = "1" ] || {
 local filter="$1" port="$2" rule
 nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
- rule="${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret"
+ rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
 nft_add_rule postrouting $rule queue num $port bypass
 nft_add_nfqws_flow_exempt_rule "$rule"
 }
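Review bot: With `meta l4proto tcp` removed from both `nft_add_rule` lines, `dnat ip to $TPWS_LOCALHOST4:$port` is only accepted by nft if `$filter` itself contains a transport-protocol match (a port-mapped dnat without one is rejected at load time), and the diffstat for common/nft.sh accounts for exactly the six helper lines changed in this file, so no nft caller was updated in this commit. That only works if every existing caller already passes something like `tcp dport 80`, which implies the protocol in nftables, rather than a mark- or set-only filter; the callers are not visible from this hunk. Please state the requirement on the helper, e.g. above the first `nft_add_rule`: `# $filter must contain a transport protocol match (tcp dport … / meta l4proto tcp); the port-mapped dnat below is invalid without one`.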
@@ -405,7 +405,7 @@ _nft_fw_nfqws_post6()
 [ "$DISABLE_IPV6" = "1" ] || {
 local filter="$1" port="$2" rule
 nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
- rule="${3:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6"
+ rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
 nft_add_rule postrouting $rule queue num $port bypass
 nft_add_nfqws_flow_exempt_rule "$rule"
 }
diff --git a/init.d/openwrt/custom-reuse-builtin-mode b/init.d/openwrt/custom-reuse-builtin-mode
index e1f9f45..39c16e8 100644
--- a/init.d/openwrt/custom-reuse-builtin-mode
+++ b/init.d/openwrt/custom-reuse-builtin-mode
@@ -26,7 +26,7 @@ zapret_custom_firewall()
 zapret_do_firewall_rules_ipt $1
- f4="--dport $MY_DPORT"
+ f4="-p tcp --dport $MY_DPORT"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_tpws $1 "$f4" "$f6" $MY_TPPORT
diff --git a/init.d/openwrt/custom-tpws4http-nfqws4https b/init.d/openwrt/custom-tpws4http-nfqws4https
index 306a7e9..8c82ad9 100644
--- a/init.d/openwrt/custom-tpws4http-nfqws4https
+++ b/init.d/openwrt/custom-tpws4http-nfqws4https
@@ -28,14 +28,14 @@ zapret_custom_firewall()
 local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 [ "$MODE_HTTP" = "1" ] && {
- f4="--dport 80"
+ f4="-p tcp --dport 80"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_tpws $1 "$f4" "$f6" $TPPORT
 }
 [ "$MODE_HTTPS" = "1" ] && {
- f4="--dport 443 $first_packet_only"
+ f4="-p tcp --dport 443 $first_packet_only"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
diff --git a/init.d/sysv/custom-reuse-builtin-mode b/init.d/sysv/custom-reuse-builtin-mode
index c741f00..b36ac58 100644
--- a/init.d/sysv/custom-reuse-builtin-mode
+++ b/init.d/sysv/custom-reuse-builtin-mode
@@ -26,7 +26,7 @@ zapret_custom_firewall()
 zapret_do_firewall_rules_ipt $1
- f4="--dport $MY_DPORT"
+ f4="-p tcp --dport $MY_DPORT"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_tpws $1 "$f4" "$f6" $MY_TPPORT
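Review bot: The new `rule=` line no longer pins `meta l4proto tcp`, and both the `queue num $port bypass` rule and `nft_add_nfqws_flow_exempt_rule "$rule"` are built from it, so a `$filter` without a protocol match would queue and flow-exempt all IPv6 traffic on the WAN interface instead of TCP only — the nftables grammar does not reject that, so it would fail silently rather than at load time. Whether any caller passes such a filter is not visible here. Suggest a comment on the `rule=` line: `# protocol now comes from $filter (e.g. "tcp dport 443"); a filter without one queues every protocol`.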
diff --git a/init.d/sysv/custom-tpws4http-nfqws4https b/init.d/sysv/custom-tpws4http-nfqws4https
index b7b4327..9680c23 100644
--- a/init.d/sysv/custom-tpws4http-nfqws4https
+++ b/init.d/sysv/custom-tpws4http-nfqws4https
@@ -28,14 +28,14 @@ zapret_custom_firewall()
 local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 [ "$MODE_HTTP" = "1" ] && {
- f4="--dport 80"
+ f4="-p tcp --dport 80"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_tpws $1 "$f4" "$f6" $TPPORT
 }
 [ "$MODE_HTTPS" = "1" ] && {
- f4="--dport 443 $first_packet_only"
+ f4="-p tcp --dport 443 $first_packet_only"
 f6=$f4
 filter_apply_ipset_target f4 f6
 fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM