Cloudflare: add IPv6 support

2025-04-13 18:42:58 +03:00 · 2025-04-04 22:03:38 +03:00 · 2025-04-04 22:03:38 +03:00 · 99fe1531a7
commit 99fe1531a7
parent 2864409913
1 changed files with 34 additions and 17 deletions
--- a/init.d/custom.d.examples.linux/50-cloudflare
+++ b/init.d/custom.d.examples.linux/50-cloudflare
@ -1,10 +1,12 @@
 NFQWS_CLOUDFLARE_OPTS="${NFQWS_CLOUDFLARE_OPTS:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
 NFQWS_CLOUDFLARE_PORTS=${NFQWS_CLOUDFLARE_PORTS:-443,80}
-NFQWS_CLOUDFLARE_SUBNETS="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17"
+NFQWS_CLOUDFLARE_SUBNETS_IPV4="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13 104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17"
+NFQWS_CLOUDFLARE_SUBNETS_IPV6="2400:cb00::/32 2405:8100::/32 2405:b500::/32 2606:4700::/32 2803:f800::/32 2a06:98c0::/29 2c0f:f248::/32"

 alloc_dnum DNUM_NFQWS_CLOUDFLARE
 alloc_qnum QNUM_NFQWS_CLOUDFLARE
-NFQWS_CLOUDFLARE_SET_NAME=cloudflare_nfqws
+NFQWS_CLOUDFLARE_SET_NAME_IPV4=cloudflare_nfqws_ipv4
+NFQWS_CLOUDFLARE_SET_NAME_IPV6=cloudflare_nfqws_ipv6

 zapret_custom_daemons()
 {
@ -15,41 +17,56 @@ zapret_custom_daemons()
 zapret_custom_firewall()
 {
 	local first_packets_only="$ipt_connbytes 1:3"
-	local dest_set="-m set --match-set $NFQWS_CLOUDFLARE_SET_NAME dst"
+	local dest_set_ipv4="-m set --match-set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 dst"
+	local dest_set_ipv6="-m set --match-set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 dst"
 	local subnet

 	[ "$1" = 1 ] && {
-		ipset create $NFQWS_CLOUDFLARE_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
-		ipset flush $NFQWS_CLOUDFLARE_SET_NAME
-		for subnet in $NFQWS_CLOUDFLARE_SUBNETS; do
-			echo add $NFQWS_CLOUDFLARE_SET_NAME $subnet
+		ipset create $NFQWS_CLOUDFLARE_SET_NAME_IPV4 hash:net hashsize 8192 maxelem 4096 2>/dev/null
+		ipset create $NFQWS_CLOUDFLARE_SET_NAME_IPV6 hash:net family inet6 hashsize 8192 maxelem 4096 2>/dev/null
+		ipset flush $NFQWS_CLOUDFLARE_SET_NAME_IPV4
+		ipset flush $NFQWS_CLOUDFLARE_SET_NAME_IPV6
+		for subnet in $NFQWS_CLOUDFLARE_SUBNETS_IPV4; do
+			echo add $NFQWS_CLOUDFLARE_SET_NAME_IPV4 $subnet
+		done | ipset -! restore
+		for subnet in $NFQWS_CLOUDFLARE_SUBNETS_IPV6; do
+			echo add $NFQWS_CLOUDFLARE_SET_NAME_IPV6 $subnet
 		done | ipset -! restore
 	}

 	local f="-p tcp -m multiport --dports $NFQWS_CLOUDFLARE_PORTS"
-	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_CLOUDFLARE
+	fw_nfqws_post $1 "$f $first_packets_only $dest_set_ipv4" "" $QNUM_NFQWS_CLOUDFLARE
+	fw_nfqws_post $1 "$f $first_packets_only $dest_set_ipv6" "" $QNUM_NFQWS_CLOUDFLARE

 	[ "$1" = 1 ] || {
-		ipset destroy $NFQWS_CLOUDFLARE_SET_NAME 2>/dev/null
+		ipset destroy $NFQWS_CLOUDFLARE_SET_NAME_IPV4 2>/dev/null
+		ipset destroy $NFQWS_CLOUDFLARE_SET_NAME_IPV6 2>/dev/null
 	}
 }

 zapret_custom_firewall_nft()
 {
 	local first_packets_only="$nft_connbytes 1-3"
-	local dest_set="ip daddr @$NFQWS_CLOUDFLARE_SET_NAME"
-	local subnets
+	local dest_set_ipv4="ip daddr @$NFQWS_CLOUDFLARE_SET_NAME_IPV4"
+	local dest_set_ipv6="ip6 daddr @$NFQWS_CLOUDFLARE_SET_NAME_IPV6"
+	local subnets subnets_ipv6

-	make_comma_list subnets $NFQWS_CLOUDFLARE_SUBNETS
-	nft_create_set $NFQWS_CLOUDFLARE_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
-	nft_flush_set $NFQWS_CLOUDFLARE_SET_NAME
-	nft_add_set_element $NFQWS_CLOUDFLARE_SET_NAME "$subnets"
+	make_comma_list subnets $NFQWS_CLOUDFLARE_SUBNETS_IPV4
+	make_comma_list subnets_ipv6 $NFQWS_CLOUDFLARE_SUBNETS_IPV6
+	nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 "type ipv4_addr; size 4096; auto-merge; flags interval;"
+	nft_create_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "type ipv6_addr; size 4096; auto-merge; flags interval;"
+	nft_flush_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4
+	nft_flush_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6
+	nft_add_set_element $NFQWS_CLOUDFLARE_SET_NAME_IPV4 "$subnets"
+	nft_add_set_element $NFQWS_CLOUDFLARE_SET_NAME_IPV6 "$subnets_ipv6"

 	local f="tcp dport {$NFQWS_CLOUDFLARE_PORTS}"
-	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_CLOUDFLARE
+	nft_fw_nfqws_post "$f $first_packets_only $dest_set_ipv4" "" $QNUM_NFQWS_CLOUDFLARE
+	nft_fw_nfqws_post "$f $first_packets_only $dest_set_ipv6" "" $QNUM_NFQWS_CLOUDFLARE
 }

 zapret_custom_firewall_nft_flush()
 {
-	nft_del_set $NFQWS_CLOUDFLARE_SET_NAME 2>/dev/null
+	nft_del_set $NFQWS_CLOUDFLARE_SET_NAME_IPV4 2>/dev/null
+	nft_del_set $NFQWS_CLOUDFLARE_SET_NAME_IPV6 2>/dev/null
 }