QUIC support to main scripts

2025-05-24 22:32:58 +03:00 · 2023-07-02 18:46:26 +03:00
parent db1c533b6c
commit 9a87e617e4
12 changed files with 141 additions and 3 deletions
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -60,6 +60,13 @@ filter_apply_port_target()
 	fi
 	eval $1="\"\$$1 $f\""
 }
+filter_apply_port_target_quic()
+{
+	# $1 - var name of nftables filter
+	local f
+	f="-p udp --dport 443"
+	eval $1="\"\$$1 $f\""
+}
 filter_apply_ipset_target4()
 {
 	# $1 - var name of ipv4 iptables filter
@@ -303,6 +310,22 @@ zapret_do_firewall_rules_ipt()
 					fw_nfqws_post6 $1 "$f6 $desync" $qns6
 				fi
 			fi
+
+			get_nfqws_qnums_quic qn qn6
+			if [ -n "$qn" ]; then
+				f4=
+				filter_apply_port_target_quic f4
+				f4="$f4 $first_packet_only"
+				filter_apply_ipset_target4 f4
+				fw_nfqws_post4 $1 "$f4 $desync" $qn
+			fi
+			if [ -n "$qn6" ]; then
+				f6=
+				filter_apply_port_target_quic f6
+				f6="$f6 $first_packet_only"
+				filter_apply_ipset_target6 f6
+				fw_nfqws_post6 $1 "$f6 $desync" $qn6
+			fi
 			;;
 		custom)
 	    		existf zapret_custom_firewall && zapret_custom_firewall $1
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -270,6 +270,13 @@ nft_filter_apply_port_target()
 	fi
 	eval $1="\"\$$1 $f\""
 }
+nft_filter_apply_port_target_quic()
+{
+	# $1 - var name of nftables filter
+	local f
+	f="udp dport 443"
+	eval $1="\"\$$1 $f\""
+}
 nft_filter_apply_ipset_target4()
 {
 	# $1 - var name of ipv4 nftables filter
@@ -532,6 +539,22 @@ zapret_apply_firewall_rules_nft()
 					nft_fw_nfqws_post6 "$f6 $desync" $qns6
 				fi
 			fi
+
+			get_nfqws_qnums_quic qn qn6
+			if [ -n "$qn" ]; then
+				f4=
+				nft_filter_apply_port_target_quic f4
+				f4="$f4 $first_packet_only"
+				nft_filter_apply_ipset_target4 f4
+				nft_fw_nfqws_post4 "$f4 $desync" $qn
+			fi
+			if [ -n "$qn6" ]; then
+				f6=
+				nft_filter_apply_port_target_quic f6
+				f6="$f6 $first_packet_only"
+				nft_filter_apply_ipset_target6 f6
+				nft_fw_nfqws_post6 "$f6 $desync" $qn6
+			fi
 			;;
 		custom)
 	    		existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
--- a/common/queue.sh
+++ b/common/queue.sh
@@ -43,3 +43,29 @@ get_nfqws_qnums()
 		eval $4=
 	fi
 }
+
+get_nfqws_qnums_quic()
+{
+	# $1 - var name for ipv4 quic
+	# $2 - var name for ipv6 quic
+	local _qn _qn6
+
+	[ "$DISABLE_IPV4" = "1" ] || {
+		_qn=$(($QNUM+10))
+	}
+	[ "$DISABLE_IPV6" = "1" ] || {
+		_qn6=$(($QNUM+11))
+		[ "$DISABLE_IPV4" = "1" ] || {
+			if [ "$NFQWS_OPT_DESYNC_QUIC" = "$NFQWS_OPT_DESYNC_QUIC6" ]; then
+				_qn6=$_qn;
+			fi
+		}
+	}
+	if [ "$MODE_QUIC" = 1 ]; then
+		eval $1=$_qn
+		eval $2=$_qn6
+	else
+		eval $1=
+		eval $2=
+	fi
+}