allow to specify protocol in helper function, do not fix tcp

This commit is contained in:
bol-van 2022-03-04 17:30:02 +03:00
parent d572264a92
commit 7f5731c5d0
6 changed files with 23 additions and 23 deletions


@ -50,11 +50,11 @@ filter_apply_port_target()
# $1 - var name of iptables filter # $1 - var name of iptables filter
local f local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
f="-m multiport --dports 80,443" f="-p tcp -m multiport --dports 80,443"
elif [ "$MODE_HTTPS" = "1" ]; then elif [ "$MODE_HTTPS" = "1" ]; then
f="--dport 443" f="-p tcp --dport 443"
elif [ "$MODE_HTTP" = "1" ]; then elif [ "$MODE_HTTP" = "1" ]; then
f="--dport 80" f="-p tcp --dport 80"
else else
echo WARNING !!! HTTP and HTTPS are both disabled echo WARNING !!! HTTP and HTTPS are both disabled
fi fi
@ -136,7 +136,7 @@ _fw_tpws4()
ipt_print_op $1 "$2" "tpws (port $3)" ipt_print_op $1 "$2" "tpws (port $3)"
rule="-p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3" rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
for i in $4 ; do for i in $4 ; do
ipt_add_del $1 PREROUTING -t nat -i $i $rule ipt_add_del $1 PREROUTING -t nat -i $i $rule
done done
@ -164,7 +164,7 @@ _fw_tpws6()
ipt_print_op $1 "$2" "tpws (port $3)" 6 ipt_print_op $1 "$2" "tpws (port $3)" 6
rule="-p tcp $2 $IPSET_EXCLUDE6 dst" rule="$2 $IPSET_EXCLUDE6 dst"
for i in $4 ; do for i in $4 ; do
_dnat6_target $i DNAT6 _dnat6_target $i DNAT6
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3 [ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
@ -202,7 +202,7 @@ _fw_nfqws_post4()
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
rule="-p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass" rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then if [ -n "$4" ] ; then
for i in $4; do for i in $4; do
ipt_add_del $1 POSTROUTING -t mangle -o $i $rule ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
@ -223,7 +223,7 @@ _fw_nfqws_post6()
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6 ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
rule="-p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass" rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then if [ -n "$4" ] ; then
for i in $4; do for i in $4; do
ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
@ -270,13 +270,13 @@ zapret_do_firewall_rules_ipt()
fw_nfqws_post4 $1 "$f4 $desync" $qn fw_nfqws_post4 $1 "$f4 $desync" $qn
else else
if [ -n "$qn" ]; then if [ -n "$qn" ]; then
f4="--dport 80" f4="-p tcp --dport 80"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only" [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4 filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qn fw_nfqws_post4 $1 "$f4 $desync" $qn
fi fi
if [ -n "$qns" ]; then if [ -n "$qns" ]; then
f4="--dport 443 $first_packet_only" f4="-p tcp --dport 443 $first_packet_only"
filter_apply_ipset_target4 f4 filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qns fw_nfqws_post4 $1 "$f4 $desync" $qns
fi fi
@ -288,13 +288,13 @@ zapret_do_firewall_rules_ipt()
fw_nfqws_post6 $1 "$f6 $desync" $qn6 fw_nfqws_post6 $1 "$f6 $desync" $qn6
else else
if [ -n "$qn6" ]; then if [ -n "$qn6" ]; then
f6="--dport 80" f6="-p tcp --dport 80"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only" [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6 filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qn6 fw_nfqws_post6 $1 "$f6 $desync" $qn6
fi fi
if [ -n "$qns6" ]; then if [ -n "$qns6" ]; then
f6="--dport 443 $first_packet_only" f6="-p tcp --dport 443 $first_packet_only"
filter_apply_ipset_target6 f6 filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qns6 fw_nfqws_post6 $1 "$f6 $desync" $qns6
fi fi
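Review bot: The `rule=` lines in `_fw_tpws4` and `_fw_tpws6` now leave the L4 protocol entirely to the caller's `$2`, but the `-j DNAT --to addr:port` target on those same lines is only accepted by iptables together with a port-capable `-p` match (tcp/udp/sctp/dccp), so a filter that lacks `-p` — for instance the empty `f` that the "both disabled" branch of `filter_apply_port_target` appears to leave behind — will now be rejected at rule-insertion time by iptables itself rather than by anything in these helpers. That new contract should be written down where `$2` is documented in each helper, e.g. `# $2 - iptables filter; must contain "-p tcp" (or another port-capable proto): "DNAT --to addr:port" is refused without it`. A one-line guard such as `case "$2" in *"-p "*) ;; *) echo "WARNING: tpws filter has no -p <proto>" ;; esac` before the loop would make the failure self-explanatory for custom scripts still using the old `--dport`-only convention. The same applies to the `_fw_nfqws_post4/6` rules, which with a protocol-less filter would queue every protocol to nfqws instead of failing. The bodies of `filter_apply_port_target`, `_fw_tpws4/6`, `_fw_nfqws_post4/6` and `zapret_do_firewall_rules_ipt` all begin or continue outside these hunks.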


@ -346,8 +346,8 @@ _nft_fw_tpws4()
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
local filter="$1" port="$2" local filter="$1" port="$2"
nft_print_op "$filter" "tpws (port $2)" 4 nft_print_op "$filter" "tpws (port $2)" 4
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
nft_add_rule dnat_pre iifname @lanif meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
prepare_route_localnet prepare_route_localnet
} }
} }
@ -361,9 +361,9 @@ _nft_fw_tpws6()
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
local filter="$1" port="$2" DNAT6 i local filter="$1" port="$2" DNAT6 i
nft_print_op "$filter" "tpws (port $port)" 6 nft_print_op "$filter" "tpws (port $port)" 6
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
[ -n "$3" ] && { [ -n "$3" ] && {
nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
for i in $3; do for i in $3; do
_dnat6_target $i DNAT6 _dnat6_target $i DNAT6
# can be multiple tpws processes on different ports # can be multiple tpws processes on different ports
@ -391,7 +391,7 @@ _nft_fw_nfqws_post4()
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
local filter="$1" port="$2" rule local filter="$1" port="$2" rule
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4 nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
rule="${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret" rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
nft_add_rule postrouting $rule queue num $port bypass nft_add_rule postrouting $rule queue num $port bypass
nft_add_nfqws_flow_exempt_rule "$rule" nft_add_nfqws_flow_exempt_rule "$rule"
} }
@ -405,7 +405,7 @@ _nft_fw_nfqws_post6()
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
local filter="$1" port="$2" rule local filter="$1" port="$2" rule
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6 nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
rule="${3:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6" rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
nft_add_rule postrouting $rule queue num $port bypass nft_add_rule postrouting $rule queue num $port bypass
nft_add_nfqws_flow_exempt_rule "$rule" nft_add_nfqws_flow_exempt_rule "$rule"
} }
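Review bot: `_nft_fw_tpws4` and `_nft_fw_tpws6` dropped `meta l4proto tcp` from their `dnat ip to $TPWS_LOCALHOST4:$port` / `dnat ip6 to ...:$port` rules, and nft only accepts a port in a `dnat ... to` expression once a transport protocol has been established earlier in the rule, so the helpers now silently depend on `$filter` carrying `tcp dport ...` (or an explicit `meta l4proto`); an address-only or empty filter is refused by `nft_add_rule` instead of matching everything, which is the safer failure but not visible from the helper. Document it on the helper's `$1` parameter: `# $1 - nft filter expression; must fix the L4 protocol ("tcp dport ...", "meta l4proto ...") because "dnat to addr:port" needs it`. Note the opposite risk in `_nft_fw_nfqws_post4/6`: their `queue num $port bypass` rule has no such built-in check, so a custom-script filter written against the old convention (no protocol) would now send all postrouting traffic to the queue rather than only TCP — worth a `# $1 must include the protocol match (e.g. tcp dport 443)` comment there too. The signatures and header comments of all four functions lie outside these hunks.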


@ -26,7 +26,7 @@ zapret_custom_firewall()
zapret_do_firewall_rules_ipt $1 zapret_do_firewall_rules_ipt $1
f4="--dport $MY_DPORT" f4="-p tcp --dport $MY_DPORT"
f6=$f4 f6=$f4
filter_apply_ipset_target f4 f6 filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $MY_TPPORT fw_tpws $1 "$f4" "$f6" $MY_TPPORT


@ -28,14 +28,14 @@ zapret_custom_firewall()
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
[ "$MODE_HTTP" = "1" ] && { [ "$MODE_HTTP" = "1" ] && {
f4="--dport 80" f4="-p tcp --dport 80"
f6=$f4 f6=$f4
filter_apply_ipset_target f4 f6 filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT fw_tpws $1 "$f4" "$f6" $TPPORT
} }
[ "$MODE_HTTPS" = "1" ] && { [ "$MODE_HTTPS" = "1" ] && {
f4="--dport 443 $first_packet_only" f4="-p tcp --dport 443 $first_packet_only"
f6=$f4 f6=$f4
filter_apply_ipset_target f4 f6 filter_apply_ipset_target f4 f6
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM


@ -26,7 +26,7 @@ zapret_custom_firewall()
zapret_do_firewall_rules_ipt $1 zapret_do_firewall_rules_ipt $1
f4="--dport $MY_DPORT" f4="-p tcp --dport $MY_DPORT"
f6=$f4 f6=$f4
filter_apply_ipset_target f4 f6 filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $MY_TPPORT fw_tpws $1 "$f4" "$f6" $MY_TPPORT


@ -28,14 +28,14 @@ zapret_custom_firewall()
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
[ "$MODE_HTTP" = "1" ] && { [ "$MODE_HTTP" = "1" ] && {
f4="--dport 80" f4="-p tcp --dport 80"
f6=$f4 f6=$f4
filter_apply_ipset_target f4 f6 filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT fw_tpws $1 "$f4" "$f6" $TPPORT
} }
[ "$MODE_HTTPS" = "1" ] && { [ "$MODE_HTTPS" = "1" ] && {
f4="--dport 443 $first_packet_only" f4="-p tcp --dport 443 $first_packet_only"
f6=$f4 f6=$f4
filter_apply_ipset_target f4 f6 filter_apply_ipset_target f4 f6
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM