mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-26 20:20:53 +03:00
allow to specify protocol in helper function, do not fix tcp
This commit is contained in:
bol-van
parent
d572264a92
commit
7f5731c5d0
@ -50,11 +50,11 @@ filter_apply_port_target()
|
||||
# $1 - var name of iptables filter
|
||||
local f
|
||||
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
||||
f="-m multiport --dports 80,443"
|
||||
f="-p tcp -m multiport --dports 80,443"
|
||||
elif [ "$MODE_HTTPS" = "1" ]; then
|
||||
f="--dport 443"
|
||||
f="-p tcp --dport 443"
|
||||
elif [ "$MODE_HTTP" = "1" ]; then
|
||||
f="--dport 80"
|
||||
f="-p tcp --dport 80"
|
||||
else
|
||||
echo WARNING !!! HTTP and HTTPS are both disabled
|
||||
fi
|
||||
@ -136,7 +136,7 @@ _fw_tpws4()
|
||||
|
||||
ipt_print_op $1 "$2" "tpws (port $3)"
|
||||
|
||||
rule="-p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
|
||||
rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
|
||||
for i in $4 ; do
|
||||
ipt_add_del $1 PREROUTING -t nat -i $i $rule
|
||||
done
|
||||
@ -164,7 +164,7 @@ _fw_tpws6()
|
||||
|
||||
ipt_print_op $1 "$2" "tpws (port $3)" 6
|
||||
|
||||
rule="-p tcp $2 $IPSET_EXCLUDE6 dst"
|
||||
rule="$2 $IPSET_EXCLUDE6 dst"
|
||||
for i in $4 ; do
|
||||
_dnat6_target $i DNAT6
|
||||
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
|
||||
@ -202,7 +202,7 @@ _fw_nfqws_post4()
|
||||
|
||||
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
|
||||
|
||||
rule="-p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
||||
rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
||||
if [ -n "$4" ] ; then
|
||||
for i in $4; do
|
||||
ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
|
||||
@ -223,7 +223,7 @@ _fw_nfqws_post6()
|
||||
|
||||
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
|
||||
|
||||
rule="-p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
||||
rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
|
||||
if [ -n "$4" ] ; then
|
||||
for i in $4; do
|
||||
ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
|
||||
@ -270,13 +270,13 @@ zapret_do_firewall_rules_ipt()
|
||||
fw_nfqws_post4 $1 "$f4 $desync" $qn
|
||||
else
|
||||
if [ -n "$qn" ]; then
|
||||
f4="--dport 80"
|
||||
f4="-p tcp --dport 80"
|
||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
||||
filter_apply_ipset_target4 f4
|
||||
fw_nfqws_post4 $1 "$f4 $desync" $qn
|
||||
fi
|
||||
if [ -n "$qns" ]; then
|
||||
f4="--dport 443 $first_packet_only"
|
||||
f4="-p tcp --dport 443 $first_packet_only"
|
||||
filter_apply_ipset_target4 f4
|
||||
fw_nfqws_post4 $1 "$f4 $desync" $qns
|
||||
fi
|
||||
@ -288,13 +288,13 @@ zapret_do_firewall_rules_ipt()
|
||||
fw_nfqws_post6 $1 "$f6 $desync" $qn6
|
||||
else
|
||||
if [ -n "$qn6" ]; then
|
||||
f6="--dport 80"
|
||||
f6="-p tcp --dport 80"
|
||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
||||
filter_apply_ipset_target6 f6
|
||||
fw_nfqws_post6 $1 "$f6 $desync" $qn6
|
||||
fi
|
||||
if [ -n "$qns6" ]; then
|
||||
f6="--dport 443 $first_packet_only"
|
||||
f6="-p tcp --dport 443 $first_packet_only"
|
||||
filter_apply_ipset_target6 f6
|
||||
fw_nfqws_post6 $1 "$f6 $desync" $qns6
|
||||
fi
|
||||
|
||||
@ -346,8 +346,8 @@ _nft_fw_tpws4()
|
||||
[ "$DISABLE_IPV4" = "1" ] || {
|
||||
local filter="$1" port="$2"
|
||||
nft_print_op "$filter" "tpws (port $2)" 4
|
||||
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_add_rule dnat_pre iifname @lanif meta l4proto tcp $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||
nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
|
||||
prepare_route_localnet
|
||||
}
|
||||
}
|
||||
@ -361,9 +361,9 @@ _nft_fw_tpws6()
|
||||
[ "$DISABLE_IPV6" = "1" ] || {
|
||||
local filter="$1" port="$2" DNAT6 i
|
||||
nft_print_op "$filter" "tpws (port $port)" 6
|
||||
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
||||
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
|
||||
[ -n "$3" ] && {
|
||||
nft_add_rule dnat_pre meta l4proto tcp $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
|
||||
nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
|
||||
for i in $3; do
|
||||
_dnat6_target $i DNAT6
|
||||
# can be multiple tpws processes on different ports
|
||||
@ -391,7 +391,7 @@ _nft_fw_nfqws_post4()
|
||||
[ "$DISABLE_IPV4" = "1" ] || {
|
||||
local filter="$1" port="$2" rule
|
||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
|
||||
rule="${3:+oifname @wanif }meta l4proto tcp $filter ip daddr != @nozapret"
|
||||
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
|
||||
nft_add_rule postrouting $rule queue num $port bypass
|
||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||
}
|
||||
@ -405,7 +405,7 @@ _nft_fw_nfqws_post6()
|
||||
[ "$DISABLE_IPV6" = "1" ] || {
|
||||
local filter="$1" port="$2" rule
|
||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
|
||||
rule="${3:+oifname @wanif6 }meta l4proto tcp $filter ip6 daddr != @nozapret6"
|
||||
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
|
||||
nft_add_rule postrouting $rule queue num $port bypass
|
||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||
}
|
||||
|
||||
@ -26,7 +26,7 @@ zapret_custom_firewall()
|
||||
|
||||
zapret_do_firewall_rules_ipt $1
|
||||
|
||||
f4="--dport $MY_DPORT"
|
||||
f4="-p tcp --dport $MY_DPORT"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
|
||||
|
||||
@ -28,14 +28,14 @@ zapret_custom_firewall()
|
||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||
|
||||
[ "$MODE_HTTP" = "1" ] && {
|
||||
f4="--dport 80"
|
||||
f4="-p tcp --dport 80"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_tpws $1 "$f4" "$f6" $TPPORT
|
||||
}
|
||||
|
||||
[ "$MODE_HTTPS" = "1" ] && {
|
||||
f4="--dport 443 $first_packet_only"
|
||||
f4="-p tcp --dport 443 $first_packet_only"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
||||
|
||||
@ -26,7 +26,7 @@ zapret_custom_firewall()
|
||||
|
||||
zapret_do_firewall_rules_ipt $1
|
||||
|
||||
f4="--dport $MY_DPORT"
|
||||
f4="-p tcp --dport $MY_DPORT"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
|
||||
|
||||
@ -28,14 +28,14 @@ zapret_custom_firewall()
|
||||
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
|
||||
|
||||
[ "$MODE_HTTP" = "1" ] && {
|
||||
f4="--dport 80"
|
||||
f4="-p tcp --dport 80"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_tpws $1 "$f4" "$f6" $TPPORT
|
||||
}
|
||||
|
||||
[ "$MODE_HTTPS" = "1" ] && {
|
||||
f4="--dport 443 $first_packet_only"
|
||||
f4="-p tcp --dport 443 $first_packet_only"
|
||||
f6=$f4
|
||||
filter_apply_ipset_target f4 f6
|
||||
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
|
||||
|
||||
Loading…
Reference in New Issue
Block a user