From 80d42f5d447e14734b8bae14a8ea0966c1bcdb48 Mon Sep 17 00:00:00 2001 
From: bolvan Date: Thu, 16 May 2019 13:35:07 +0300 Subject: [PATCH] openwrt : move to the single firewall include --- docs/readme.txt | 24 +-- ...{firewall.zapret.ipset => firewall.zapret} | 3 +- init.d/openwrt/firewall.zapret.ipset6 | 1 - init.d/openwrt/firewall.zapret.nfqws_all | 6 - init.d/openwrt/firewall.zapret.nfqws_all6 | 6 - .../openwrt/firewall.zapret.nfqws_all_https | 6 - .../openwrt/firewall.zapret.nfqws_all_https6 | 6 - init.d/openwrt/firewall.zapret.nfqws_ipset | 7 - init.d/openwrt/firewall.zapret.nfqws_ipset6 | 7 - .../openwrt/firewall.zapret.nfqws_ipset_https | 7 - .../firewall.zapret.nfqws_ipset_https6 | 7 - init.d/openwrt/firewall.zapret.tpws_all | 5 - init.d/openwrt/firewall.zapret.tpws_all6 | 5 - init.d/openwrt/firewall.zapret.tpws_all_https | 6 - .../openwrt/firewall.zapret.tpws_all_https6 | 6 - init.d/openwrt/firewall.zapret.tpws_hostlist | 1 - init.d/openwrt/firewall.zapret.tpws_hostlist6 | 1 - init.d/openwrt/firewall.zapret.tpws_ipset | 6 - init.d/openwrt/firewall.zapret.tpws_ipset6 | 6 - .../openwrt/firewall.zapret.tpws_ipset_https | 7 - .../openwrt/firewall.zapret.tpws_ipset_https6 | 7 - init.d/openwrt/functions | 181 +++++++++++------- init.d/sysv/functions | 2 +- install_easy.sh | 53 ++--- uninstall_easy.sh | 2 +- 25 files changed, 138 insertions(+), 230 deletions(-) rename init.d/openwrt/{firewall.zapret.ipset => firewall.zapret} (62%) delete mode 120000 init.d/openwrt/firewall.zapret.ipset6 delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_all delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_all6 delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_all_https delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_all_https6 delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_ipset delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_ipset6 delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_ipset_https delete mode 100644 init.d/openwrt/firewall.zapret.nfqws_ipset_https6 delete mode 100644 
init.d/openwrt/firewall.zapret.tpws_all delete mode 100644 init.d/openwrt/firewall.zapret.tpws_all6 delete mode 100644 init.d/openwrt/firewall.zapret.tpws_all_https delete mode 100644 init.d/openwrt/firewall.zapret.tpws_all_https6 delete mode 120000 init.d/openwrt/firewall.zapret.tpws_hostlist delete mode 120000 init.d/openwrt/firewall.zapret.tpws_hostlist6 delete mode 100644 init.d/openwrt/firewall.zapret.tpws_ipset delete mode 100644 init.d/openwrt/firewall.zapret.tpws_ipset6 delete mode 100644 init.d/openwrt/firewall.zapret.tpws_ipset_https delete mode 100644 init.d/openwrt/firewall.zapret.tpws_ipset_https6 diff --git a/docs/readme.txt b/docs/readme.txt index 4a62c16..5d74d33 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -616,11 +616,8 @@ ipset можно выкинуть, если не будем пользовать может быть критично, они не запустятся после перезагрузки. Cкрипт из /etc/hotplug.d/iface запустит недостающие службы при поднятии интерфейса lan. -Если не включен параметр DISABLE_IPV4 : -В зависимости от выбранного в файле config MODE создать ссылку на нужный файл настроек фаервола : - ln -fs /opt/zapret/init.d/openwrt/firewall.zapret.$MODE /etc/firewall.zapret -Например : - ln -fs /opt/zapret/init.d/openwrt/firewall.zapret.tpws_ipset_https /etc/firewall.zapret +Создать ссылку на firewall include : + ln -fs /opt/zapret/init.d/openwrt/firewall.zapret /etc/firewall.zapret Проверить была ли создана ранее запись о firewall include : uci show firewall | grep firewall.zapret Если firewall.zapret нет, значит добавить : 
@@ -631,21 +628,6 @@ Cкрипт из /etc/hotplug.d/iface запустит недостающие с Перезапустить фаервол : fw3 restart -Если не включен параметр DISABLE_IPV6 : -В зависимости от выбранного в файле config MODE создать ссылку на нужный файл настроек фаервола : - ln -fs /opt/zapret/init.d/openwrt/firewall.zapret.${MODE}6 /etc/firewall.zapret6 -Например : - ln -fs /opt/zapret/init.d/openwrt/firewall.zapret.tpws_ipset_https6 /etc/firewall.zapret6 -Проверить была ли создана ранее запись о firewall include : - uci show firewall | grep firewall.zapret6 -Если firewall.zapret6 нет, значит добавить : - uci add firewall include - uci set firewall.@include[-1].path="/etc/firewall.zapret6" - uci set firewall.@include[-1].reload="1" - uci commit firewall -Перезапустить фаервол : - fw3 restart - Посмотреть через iptables -nL, ip6tables -nL или через luci вкладку "firewall" появились ли нужные правила. ЭКОНОМИЯ МЕСТА : если его мало, то можно оставить в директории zapret лишь подкаталог ipset, файл config и init.d/openwrt. @@ -656,7 +638,7 @@ Cкрипт из /etc/hotplug.d/iface запустит недостающие с ЕСЛИ ВСЕ ПЛОХО С МЕСТОМ : откажитесь от работы со списком РКН. используйте только get_user.sh ЕСЛИ СОВСЕМ ВСЕ УЖАСНО С МЕСТОМ : не надо устанавливать дополнительные пакеты через opkg. -оставьте лишь /opt/zapret/tpws/tpws, /opt/zapret/config, /etc/init.d/zapret, /etc/firewall.zapret +оставьте лишь /opt/zapret/tpws/tpws, /opt/zapret/config, /opt/zapret/init.d/openwrt используйте MODE=tpws_all или tpws_all_https такой вариант потребует около 100 кб места и полностью статичен. отсутствуют любые загрузки, обновления, изменения файлов. diff --git a/init.d/openwrt/firewall.zapret.ipset b/init.d/openwrt/firewall.zapret similarity index 62% rename from init.d/openwrt/firewall.zapret.ipset rename to init.d/openwrt/firewall.zapret index be14cdd..3ed9946 100644 --- a/init.d/openwrt/firewall.zapret.ipset +++ b/init.d/openwrt/firewall.zapret 
@@ -1,4 +1,3 @@ . /opt/zapret/init.d/openwrt/functions -create_ipset no-update - +zapret_apply_firewall diff --git a/init.d/openwrt/firewall.zapret.ipset6 b/init.d/openwrt/firewall.zapret.ipset6 deleted file mode 120000 index 86fdc0f..0000000 --- a/init.d/openwrt/firewall.zapret.ipset6 +++ /dev/null @@ -1 +0,0 @@ -firewall.zapret.ipset \ No newline at end of file diff --git a/init.d/openwrt/firewall.zapret.nfqws_all b/init.d/openwrt/firewall.zapret.nfqws_all deleted file mode 100644 index 77d7eb6..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_all +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK --sport 80" -IPT_FILTER_POST="-p tcp --dport 80" - -. /opt/zapret/init.d/openwrt/functions - -fw_nfqws diff --git a/init.d/openwrt/firewall.zapret.nfqws_all6 b/init.d/openwrt/firewall.zapret.nfqws_all6 deleted file mode 100644 index f39f23f..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_all6 +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK --sport 80" -IPT_FILTER_POST="-p tcp --dport 80" - -. /opt/zapret/init.d/openwrt/functions - -fw_nfqws6 diff --git a/init.d/openwrt/firewall.zapret.nfqws_all_https b/init.d/openwrt/firewall.zapret.nfqws_all_https deleted file mode 100644 index 5885faf..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_all_https +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK -m multiport --sports 80,443" -IPT_FILTER_POST="-p tcp --dport 80" - -. /opt/zapret/init.d/openwrt/functions - -fw_nfqws diff --git a/init.d/openwrt/firewall.zapret.nfqws_all_https6 b/init.d/openwrt/firewall.zapret.nfqws_all_https6 deleted file mode 100644 index b328e6e..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_all_https6 +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK -m multiport --sports 80,443" -IPT_FILTER_POST="-p tcp --dport 80" - -. /opt/zapret/init.d/openwrt/functions - -fw_nfqws6 
diff --git a/init.d/openwrt/firewall.zapret.nfqws_ipset b/init.d/openwrt/firewall.zapret.nfqws_ipset deleted file mode 100644 index f506771..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_ipset +++ /dev/null @@ -1,7 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK --sport 80 -m set --match-set zapret src" -IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_nfqws diff --git a/init.d/openwrt/firewall.zapret.nfqws_ipset6 b/init.d/openwrt/firewall.zapret.nfqws_ipset6 deleted file mode 100644 index 492107f..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_ipset6 +++ /dev/null @@ -1,7 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK --sport 80 -m set --match-set zapret6 src" -IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret6 dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_nfqws6 diff --git a/init.d/openwrt/firewall.zapret.nfqws_ipset_https b/init.d/openwrt/firewall.zapret.nfqws_ipset_https deleted file mode 100644 index 0828ccf..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_ipset_https +++ /dev/null @@ -1,7 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK -m multiport --sports 80,443 -m set --match-set zapret src" -IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_nfqws diff --git a/init.d/openwrt/firewall.zapret.nfqws_ipset_https6 b/init.d/openwrt/firewall.zapret.nfqws_ipset_https6 deleted file mode 100644 index ac4e9ae..0000000 --- a/init.d/openwrt/firewall.zapret.nfqws_ipset_https6 +++ /dev/null @@ -1,7 +0,0 @@ -IPT_FILTER_PRE="-p tcp --tcp-flags SYN,ACK SYN,ACK -m multiport --sports 80,443 -m set --match-set zapret6 src" -IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret6 dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_nfqws6 
diff --git a/init.d/openwrt/firewall.zapret.tpws_all b/init.d/openwrt/firewall.zapret.tpws_all deleted file mode 100644 index 0edd8c4..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_all +++ /dev/null @@ -1,5 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80" - -. /opt/zapret/init.d/openwrt/functions - -fw_tpws diff --git a/init.d/openwrt/firewall.zapret.tpws_all6 b/init.d/openwrt/firewall.zapret.tpws_all6 deleted file mode 100644 index 7779a64..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_all6 +++ /dev/null @@ -1,5 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80" - -. /opt/zapret/init.d/openwrt/functions - -fw_tpws6 diff --git a/init.d/openwrt/firewall.zapret.tpws_all_https b/init.d/openwrt/firewall.zapret.tpws_all_https deleted file mode 100644 index 8e52c53..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_all_https +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80" -IPT_FILTER_HTTPS="-p tcp --dport 443" - -. /opt/zapret/init.d/openwrt/functions - -fw_tpws_https diff --git a/init.d/openwrt/firewall.zapret.tpws_all_https6 b/init.d/openwrt/firewall.zapret.tpws_all_https6 deleted file mode 100644 index f4cf816..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_all_https6 +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80" -IPT_FILTER_HTTPS="-p tcp --dport 443" - -. /opt/zapret/init.d/openwrt/functions - -fw_tpws_https6 diff --git a/init.d/openwrt/firewall.zapret.tpws_hostlist b/init.d/openwrt/firewall.zapret.tpws_hostlist deleted file mode 120000 index 248e381..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_hostlist +++ /dev/null @@ -1 +0,0 @@ -firewall.zapret.tpws_all \ No newline at end of file diff --git a/init.d/openwrt/firewall.zapret.tpws_hostlist6 b/init.d/openwrt/firewall.zapret.tpws_hostlist6 deleted file mode 120000 index 4ce5a8a..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_hostlist6 +++ /dev/null @@ -1 +0,0 @@ -firewall.zapret.tpws_all6 \ No newline at end of file 
diff --git a/init.d/openwrt/firewall.zapret.tpws_ipset b/init.d/openwrt/firewall.zapret.tpws_ipset deleted file mode 100644 index 9ee1a8a..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_ipset +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_tpws diff --git a/init.d/openwrt/firewall.zapret.tpws_ipset6 b/init.d/openwrt/firewall.zapret.tpws_ipset6 deleted file mode 100644 index 9894937..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_ipset6 +++ /dev/null @@ -1,6 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret6 dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_tpws6 diff --git a/init.d/openwrt/firewall.zapret.tpws_ipset_https b/init.d/openwrt/firewall.zapret.tpws_ipset_https deleted file mode 100644 index 23a83ea..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_ipset_https +++ /dev/null @@ -1,7 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst" -IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_tpws_https diff --git a/init.d/openwrt/firewall.zapret.tpws_ipset_https6 b/init.d/openwrt/firewall.zapret.tpws_ipset_https6 deleted file mode 100644 index 8dffe3f..0000000 --- a/init.d/openwrt/firewall.zapret.tpws_ipset_https6 +++ /dev/null @@ -1,7 +0,0 @@ -IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret6 dst" -IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret6 dst" - -. /opt/zapret/init.d/openwrt/functions - -create_ipset no-update -fw_tpws_https6 diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions index 46ed44b..bcd1545 100644 --- a/init.d/openwrt/functions +++ b/init.d/openwrt/functions 
@@ -82,6 +82,7 @@ dnat6_target() # link local address can appear not immediately after ifup # DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts) + [ -n "$DNAT6_TARGET" ] || { # no reason to query if its down network_is_up lan || return 
@@ -111,86 +112,138 @@ dnat6_target() } -fw_nfqws() +fw_nfqws_pre() { - [ "$DISABLE_IPV4" = "1" ] && return + # $1 - filter ipv4 + # $2 - filter ipv6 + local DEVICE wan_iface - network_find_wan_all wan_iface - for ext_iface in $wan_iface; do - network_get_device DEVICE $ext_iface - ipt POSTROUTING -t mangle -o $DEVICE $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass - ipt PREROUTING -t raw -i $DEVICE $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass - done + + [ "$DISABLE_IPV4" = "1" ] || { + network_find_wan_all wan_iface + for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + ipt PREROUTING -t raw -i $DEVICE -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass + done + } + [ "$DISABLE_IPV6" = "1" ] || { + network_find_wan6_all wan_iface + for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + ipt6 PREROUTING -t raw -i $DEVICE -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass + done + } } -fw_nfqws6() +fw_nfqws_post() { - [ "$DISABLE_IPV6" = "1" ] && return + # $1 - filter ipv4 + # $2 - filter ipv6 + local DEVICE wan_iface - network_find_wan6_all wan_iface - for ext_iface in $wan_iface; do - network_get_device DEVICE $ext_iface - ipt6 POSTROUTING -t mangle -o $DEVICE $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass - ipt6 PREROUTING -t raw -i $DEVICE $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass - done + + [ "$DISABLE_IPV4" = "1" ] || { + network_find_wan_all wan_iface + for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + ipt POSTROUTING -t mangle -o $DEVICE -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass + done + } + [ "$DISABLE_IPV6" = "1" ] || { + network_find_wan6_all wan_iface + for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + ipt6 POSTROUTING -t mangle -o $DEVICE -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass + done + } } IPT_OWNER="-m owner ! 
--uid-owner $TPWS_USER" -__fw_tpws() -{ - # $1 - use https - [ "$DISABLE_IPV4" = "1" ] && return - local DEVICE wan_iface - network_find_wan_all wan_iface - for ext_iface in $wan_iface; do - network_get_device DEVICE $ext_iface - ipt OUTPUT -t nat -o $DEVICE $IPT_OWNER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP - [ "$1" != "1" ] || ipt OUTPUT -t nat -o $DEVICE $IPT_OWNER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS - done - network_get_device DEVICE lan - sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1 - ipt prerouting_lan_rule -t nat $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP - [ "$1" != "1" ] || ipt prerouting_lan_rule -t nat $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS -} fw_tpws() { - __fw_tpws 0 -} -fw_tpws_https() -{ - __fw_tpws 1 -} + # $1 - filter ipv4 + # $2 - filter ipv6 + # $3 - tpws port -__fw_tpws6() -{ - # $1 - use https - [ "$DISABLE_IPV6" = "1" ] && return - local DEVICE wan_iface ip6 - network_find_wan6_all wan_iface - for ext_iface in $wan_iface; do - network_get_device DEVICE $ext_iface - ipt6 OUTPUT -t nat -o $DEVICE $IPT_OWNER $IPT_FILTER_HTTP -j DNAT --to [::1]:$TPPORT_HTTP - [ "$1" != "1" ] || ipt6 OUTPUT -t nat -o $DEVICE $IPT_OWNER $IPT_FILTER_HTTPS -j DNAT --to [::1]:$TPPORT_HTTPS - done - network_get_device DEVICE lan - dnat6_target - [ "$DNAT6_TARGET" != "-" ] && { - ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTP -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTP - [ "$1" != "1" ] || ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTPS -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTPS + local DEVICE wan_iface + + [ "$DISABLE_IPV4" = "1" ] || { + network_find_wan_all wan_iface + for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + ipt OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 -j DNAT --to 127.0.0.1:$3 + done + ipt prerouting_lan_rule -t nat -p tcp $1 -j DNAT --to 127.0.0.1:$3 + network_get_device DEVICE lan + sysctl -qw net.ipv4.conf.$DEVICE.route_localnet=1 + } + [ "$DISABLE_IPV6" = "1" 
] || { + network_find_wan6_all wan_iface + for ext_iface in $wan_iface; do + network_get_device DEVICE $ext_iface + ipt6 OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $2 -j DNAT --to [::1]:$3 + done + network_get_device DEVICE lan + dnat6_target + [ "$DNAT6_TARGET" != "-" ] && ipt6 PREROUTING -t nat -i $DEVICE -p tcp $2 -j DNAT --to [$DNAT6_TARGET]:$3 } } -fw_tpws6() -{ - __fw_tpws6 0 -} -fw_tpws_https6() -{ - __fw_tpws6 1 -} - create_ipset() { echo "Creating ipset" - "$IPSET_CR" $1 + "$IPSET_CR" "$@" +} + + +zapret_apply_firewall() +{ + case "${MODE}" in + tpws_hostlist) + fw_tpws "--dport 80" "--dport 80" $TPPORT_HTTP + ;; + tpws_ipset) + create_ipset no-update + fw_tpws "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP + ;; + tpws_ipset_https) + create_ipset no-update + fw_tpws "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP + fw_tpws "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS + ;; + tpws_all) + fw_tpws "--dport 80" "--dport 80" $TPPORT_HTTP + ;; + tpws_all_https) + fw_tpws "--dport 80" "--dport 80" $TPPORT_HTTP + fw_tpws "--dport 443" "--dport 443" $TPPORT_HTTPS + ;; + nfqws_ipset) + create_ipset no-update + fw_nfqws_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src" + fw_nfqws_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" + ;; + nfqws_ipset_https) + create_ipset no-update + fw_nfqws_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src" + fw_nfqws_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" + ;; + nfqws_all) + fw_nfqws_pre "--sport 80" "--sport 80" + fw_nfqws_post "--dport 80" "--dport 80" + ;; + nfqws_all_https) + fw_nfqws_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443" + 
fw_nfqws_post "--dport 80" "--dport 80" + ;; + ipset) + create_ipset no-update + ;; + custom) + # PLACEHOLDER + echo !!! NEED ATTENTION !!! + echo Configure iptables for required actions + echo Study how other sections work + ;; + esac } diff --git a/init.d/sysv/functions b/init.d/sysv/functions index 43a9481..a31d2fa 100644 --- a/init.d/sysv/functions +++ b/init.d/sysv/functions @@ -292,7 +292,7 @@ do_tpws() create_ipset() { echo "Creating ipset" - "$IPSET_CR" + "$IPSET_CR" "$@" } diff --git a/install_easy.sh b/install_easy.sh index 5320227..a6d5b7f 100755 --- a/install_easy.sh +++ b/install_easy.sh @@ -559,32 +559,29 @@ openwrt_fw_section_find() false return } -openwrt_fw_section_add() -{ - # $1 - fw include postfix - # echoes section number - - openwrt_fw_section_find $1 || - { - uci add firewall include >/dev/null || return - echo -1 - } -} openwrt_fw_section_del() { # $1 - fw include postfix + local id=$(openwrt_fw_section_find $1) [ -n "$id" ] && { uci delete firewall.@include[$id] && uci commit firewall rm -f "$OPENWRT_FW_INCLUDE$1" } } +openwrt_fw_section_add() +{ + openwrt_fw_section_find || + { + uci add firewall include >/dev/null || return + echo -1 + } +} openwrt_fw_section_configure() { - # $1 - fw include postfix local id=$(openwrt_fw_section_add $1) [ -z "$id" ] || - ! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE$1" || + ! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE" || ! uci set firewall.@include[$id].reload="1" || ! uci commit firewall && { @@ -595,8 +592,6 @@ openwrt_fw_section_configure() install_openwrt_firewall() { - # $1 - fw include postfix - echo \* installing firewall script $1 [ -n "MODE" ] || { 
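Review bot: zapret_apply_firewall's case has no default arm, so an empty, misspelled or unsupported MODE installs no rule and reports nothing, and the per-mode file lookup that previously exposed a wrong MODE at install time is removed by this same commit; add `*) echo "zapret: unknown MODE '$MODE', no firewall rules applied" >&2 ;;` before `esac` so the misconfiguration is visible in the fw3 output. In fw_tpws's IPv6 branch, `[ "$DNAT6_TARGET" != "-" ] && ipt6 ...` also fires when DNAT6_TARGET is still empty (the @@ -82 hunk shows dnat6_target returning early while lan is down without setting it), which yields a `--to []:$3` rule that ip6tables will reject; `[ -n "$DNAT6_TARGET" ] && [ "$DNAT6_TARGET" != "-" ] && ipt6 ...` guards that. In the IPv4 branch the prerouting_lan_rule DNAT to 127.0.0.1 is now inserted before `sysctl -qw net.ipv4.conf.$DEVICE.route_localnet=1`, the reverse of the old order; moving the `network_get_device DEVICE lan` and sysctl lines above the ipt call avoids a window in which redirected LAN traffic is dropped as destined for a loopback address before the sysctl is applied.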
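Review bot: openwrt_fw_section_add now calls `openwrt_fw_section_find` with no postfix, yet openwrt_fw_section_configure still forwards `$1` to it and its path is set from `$OPENWRT_FW_INCLUDE` alone, so the postfix parameter is dead on the add/configure path while openwrt_fw_section_del still honours it for the old `6` include; drop the argument from `openwrt_fw_section_add $1` (and from the `openwrt_fw_section_configure $1` call in install_openwrt_firewall in the later hunk) so the two halves cannot drift. openwrt_fw_section_add also lost its header comment in the move; restoring `# echoes section index, -1 (uci last-section index) when a new include was added` keeps the `echo -1` protocol documented for callers that index `firewall.@include[$id]`. The `local id=$(openwrt_fw_section_find $1)` line in openwrt_fw_section_del masks the find's exit status, though that line is pre-existing.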
@@ -604,31 +599,12 @@ install_openwrt_firewall() exitp 7 } - local FW_SCRIPT_SRC="$FW_SCRIPT_SRC_DIR.$MODE$1" - [ -f "$FW_SCRIPT_SRC" ] || { - echo firewall script $FW_SCRIPT_SRC not found. removing firewall include - openwrt_fw_section_del - return - } - echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE$1" - ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE$1" + echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE" + ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE" openwrt_fw_section_configure $1 } -install_openwrt_firewall_all() -{ - if [ "$DISABLE_IPV4" = "1" ] ; then - openwrt_fw_section_del - else - install_openwrt_firewall - fi - if [ "$DISABLE_IPV6" = "1" ] ; then - openwrt_fw_section_del 6 - else - install_openwrt_firewall 6 - fi -} restart_openwrt_firewall() { @@ -645,6 +621,7 @@ remove_openwrt_firewall() echo \* removing firewall script openwrt_fw_section_del + # from old zapret versions. now we use single include openwrt_fw_section_del 6 } @@ -683,7 +660,7 @@ service_start_sysv() install_openwrt() { INIT_SCRIPT_SRC=$EXEDIR/init.d/openwrt/zapret - FW_SCRIPT_SRC_DIR=$EXEDIR/init.d/openwrt/firewall.zapret + FW_SCRIPT_SRC=$EXEDIR/init.d/openwrt/firewall.zapret OPENWRT_FW_INCLUDE=/etc/firewall.zapret OPENWRT_IFACE_HOOK=$EXEDIR/init.d/openwrt/90-zapret @@ -701,7 +678,7 @@ install_openwrt() crontab_add 0 6 service_start_sysv install_openwrt_iface_hook - install_openwrt_firewall_all + install_openwrt_firewall restart_openwrt_firewall } diff --git a/uninstall_easy.sh b/uninstall_easy.sh index e314326..edf3b90 100755 --- a/uninstall_easy.sh +++ b/uninstall_easy.sh @@ -121,7 +121,6 @@ remove_systemd() - openwrt_fw_section_find() { # $1 - fw include postfix @@ -157,6 +156,7 @@ remove_openwrt_firewall() echo \* removing firewall script openwrt_fw_section_del + # from old zapret versions. now we use single include openwrt_fw_section_del 6 }
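Review bot: Removing the `[ -f "$FW_SCRIPT_SRC" ]` lookup drops the only validation MODE had at install time: with per-mode files a wrong MODE printed "firewall script not found" and removed the include, whereas now any value is linked and, as far as zapret_apply_firewall in init.d/openwrt/functions shows, silently matches no case arm. The guard on the preceding hunk's context line, `[ -n "MODE" ] || {`, tests the literal string "MODE" and therefore never fires; it should read `[ -n "$MODE" ] || {`, and checking that MODE is one of the values zapret_apply_firewall's case arms accept, ending in the existing `exitp 7` path, would restore the lost validation. The new `openwrt_fw_section_configure $1` line still forwards a postfix that configure no longer uses. install_openwrt_firewall's opening lines lie in the previous hunk; only its tail is visible here.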