diff --git a/blockcheck.sh b/blockcheck.sh index e69aaee..7505e30 100755 --- a/blockcheck.sh +++ b/blockcheck.sh @@ -1,7 +1,10 @@ #!/bin/sh EXEDIR="$(dirname "$0")" -EXEDIR="$(cd "$EXEDIR"; pwd)" +EXEDIR="$( + cd "$EXEDIR" || exit + pwd +)" ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"} ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"} ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} @@ -62,58 +65,51 @@ PF_RULES_SAVE=/tmp/pf-zapret-save.conf unset ALL_PROXY -killwait() -{ +killwait() { # $1 - signal (-9, -2, ...) # $2 - pid - kill $1 $2 + kill "$1" "$2" # suppress job kill message - wait $2 2>/dev/null + wait "$2" 2>/dev/null } -exitp() -{ +exitp() { local A echo echo press enter to continue read A - exit $1 + exit "$1" } -pf_is_avail() -{ +pf_is_avail() { [ -c /dev/pf ] } -pf_status() -{ - pfctl -qsi | sed -nre "s/^Status: ([^ ]+).*$/\1/p" +pf_status() { + pfctl -qsi | sed -nre "s/^Status: ([^ ]+).*$/\1/p" } -pf_is_enabled() -{ +pf_is_enabled() { [ "$(pf_status)" = Enabled ] } -pf_save() -{ +pf_save() { PF_STATUS=0 pf_is_enabled && PF_STATUS=1 [ "$UNAME" = "OpenBSD" ] && pfctl -sr >"$PF_RULES_SAVE" } -pf_restore() -{ +pf_restore() { [ -n "$PF_STATUS" ] || return case "$UNAME" in - OpenBSD) - if [ -f "$PF_RULES_SAVE" ]; then - pfctl -qf "$PF_RULES_SAVE" - else - echo | pfctl -qf - - fi - ;; - Darwin) - # it's not possible to save all rules in the right order. hard to reorder. if not ordered pf will refuse to load conf. - pfctl -qf /etc/pf.conf - ;; + OpenBSD) + if [ -f "$PF_RULES_SAVE" ]; then + pfctl -qf "$PF_RULES_SAVE" + else + echo | pfctl -qf - + fi + ;; + Darwin) + # it's not possible to save all rules in the right order. hard to reorder. if not ordered pf will refuse to load conf. + pfctl -qf /etc/pf.conf + ;; esac if [ "$PF_STATUS" = 1 ]; then pfctl -qe @@ -121,12 +117,10 @@ pf_restore() pfctl -qd fi } -pf_clean() -{ +pf_clean() { rm -f "$PF_RULES_SAVE" } -opf_dvtws_anchor() -{ +opf_dvtws_anchor() { # $1 - tcp/udp # $2 - port local family=inet 
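Review bot: On the new EXEDIR lines, `cd "$EXEDIR" || exit` exits only the subshell of the command substitution, so when the cd fails the assignment still succeeds with an empty EXEDIR and the script carries on, with ZAPRET_BASE and ZAPRET_RW defaulting to "" and ZAPRET_CONFIG to "/config"; the old form at least still ran pwd. Make the failure visible in the parent shell instead: `EXEDIR="$(cd "$EXEDIR" && pwd)" || exit 1`. That leaves the script's working directory untouched and presumably still satisfies the ShellCheck warning (SC2164) the rewrite was addressing.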
@@ -137,117 +131,102 @@ opf_dvtws_anchor() echo "pass out quick $family proto $1 to port $2 divert-packet port $IPFW_DIVERT_PORT no state" echo "pass" } -opf_prepare_dvtws() -{ +opf_prepare_dvtws() { # $1 - tcp/udp # $2 - port - opf_dvtws_anchor $1 $2 | pfctl -qf - + opf_dvtws_anchor "$1" "$2" | pfctl -qf - pfctl -qe } -cleanup() -{ +cleanup() { case "$UNAME" in - OpenBSD) - pf_clean - ;; + OpenBSD) + pf_clean + ;; esac } -IPT() -{ +IPT() { $IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@" } -IPT_DEL() -{ +IPT_DEL() { $IPTABLES -C "$@" >/dev/null 2>/dev/null && $IPTABLES -D "$@" } -IPT_ADD_DEL() -{ +IPT_ADD_DEL() { on_off_function IPT IPT_DEL "$@" } -IPFW_ADD() -{ - ipfw -qf add $IPFW_RULE_NUM "$@" +IPFW_ADD() { + ipfw -qf add "$IPFW_RULE_NUM" "$@" } -IPFW_DEL() -{ - ipfw -qf delete $IPFW_RULE_NUM 2>/dev/null +IPFW_DEL() { + ipfw -qf delete "$IPFW_RULE_NUM" 2>/dev/null } -ipt6_has_raw() -{ +ipt6_has_raw() { ip6tables -nL -t raw >/dev/null 2>/dev/null } -ipt6_has_frag() -{ +ipt6_has_frag() { ip6tables -A OUTPUT -m frag 2>/dev/null || return 1 ip6tables -D OUTPUT -m frag 2>/dev/null } -ipt_has_nfq() -{ +ipt_has_nfq() { # cannot just check /proc/net/ip_tables_targets because of iptables-nft or modules not loaded yet - iptables -A OUTPUT -t mangle -p 255 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null || return 1 - iptables -D OUTPUT -t mangle -p 255 -j NFQUEUE --queue-num $QNUM --queue-bypass 2>/dev/null + iptables -A OUTPUT -t mangle -p 255 -j NFQUEUE --queue-num "$QNUM" --queue-bypass 2>/dev/null || return 1 + iptables -D OUTPUT -t mangle -p 255 -j NFQUEUE --queue-num "$QNUM" --queue-bypass 2>/dev/null return 0 } -nft_has_nfq() -{ +nft_has_nfq() { local res=1 nft delete table ${NFT_TABLE}_test 2>/dev/null nft add table ${NFT_TABLE}_test 2>/dev/null && { nft add chain ${NFT_TABLE}_test test - nft add rule ${NFT_TABLE}_test test queue num $QNUM bypass 2>/dev/null && res=0 + nft add rule ${NFT_TABLE}_test test queue num "$QNUM" bypass 2>/dev/null && 
res=0 nft delete table ${NFT_TABLE}_test } return $res } -mdig_vars() -{ +mdig_vars() { # $1 - ip version 4/6 # $2 - hostname - hostvar=$(echo $2 | sed -e 's/[\.-]/_/g') + hostvar=$(echo "$2" | sed -e 's/[\.-]/_/g') cachevar=DNSCACHE_${hostvar}_$1 countvar=${cachevar}_COUNT - eval count=\$${countvar} + eval count=\$"${countvar}" } -mdig_cache() -{ +mdig_cache() { # $1 - ip version 4/6 # $2 - hostname local hostvar cachevar countvar count ip ips mdig_vars "$@" [ -n "$count" ] || { - # windows version of mdig outputs 0D0A line ending. remove 0D. - ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)" + # Windows version of mdig outputs 0D0A line ending. remove 0D. + ips="$(echo "$2" | "$MDIG" --family="$1" | tr -d '\r' | xargs)" [ -n "$ips" ] || return 1 count=0 for ip in $ips; do - eval ${cachevar}_$count=$ip - count=$(($count+1)) + eval "${cachevar}"_$count="$ip" + count=$(($count + 1)) done - eval $countvar=$count + eval "$countvar"=$count } return 0 } -mdig_resolve() -{ +mdig_resolve() { # $1 - ip version 4/6 # $2 - hostname local hostvar cachevar countvar count ip n mdig_vars "$@" if [ -n "$count" ]; then - n=$(random 0 $(($count-1))) - eval ip=\$${cachevar}_$n - echo $ip + n=$(random 0 $(($count - 1))) + eval ip=\$"${cachevar}"_"$n" + echo "$ip" return 0 else mdig_cache "$@" && mdig_resolve "$@" fi } -mdig_resolve_all() -{ +mdig_resolve_all() { # $1 - ip version 4/6 # $2 - hostname @@ -255,8 +234,8 @@ mdig_resolve_all() mdig_vars "$@" if [ -n "$count" ]; then n=0 - while [ "$n" -le $count ]; do - eval ip=\$${cachevar}_$n + while [ "$n" -le "$count" ]; do + eval ip=\$"${cachevar}"_$n if [ -n "$ips" ]; then ips="$ips $ip" else @@ -271,8 +250,7 @@ mdig_resolve_all() fi } -netcat_setup() -{ +netcat_setup() { [ -n "$NCAT" ] || { if exists ncat; then NCAT=ncat 
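Review bot: The quotes added inside the eval calls in mdig_vars and mdig_cache (`eval count=\$"${countvar}"`, `eval "${cachevar}"_$count="$ip"`, `eval "$countvar"=$count`) are consumed by the first parse, and eval then re-parses the joined text unquoted, so they give no protection and only suggest one. Let eval do the expansion instead: `eval "${cachevar}_${count}=\$ip"` and `eval "${countvar}=\$count"`, which store the values without a second round of word splitting or glob expansion. Since the variable name is derived from a user-supplied hostname with only `.` and `-` mapped to `_` in mdig_vars, any other character leaves an invalid name in the eval'd assignment; normalising with `tr -c 'A-Za-z0-9_\n' _` instead of the sed call keeps the name well-formed. mdig_resolve_all at the end of this hunk continues outside it.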
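Review bot: The loop bound on the new line `while [ "$n" -le "$count" ]; do` in mdig_resolve_all is off by one: mdig_cache stores entries 0..count-1 (its counter is incremented after each assignment) and mdig_resolve draws from `0..$((count - 1))`, so the final iteration here reads an unset DNSCACHE_*_<count> variable and appends an empty ip, which leaves a trailing space in `ips`. `while [ "$n" -lt "$count" ]; do` matches the cache layout; this assumes `n` is incremented at the end of the body, which lies outside the hunk, as does the rest of the function.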
@@ -285,22 +263,20 @@ netcat_setup() fi } return 0 - + } -netcat_test() -{ +netcat_test() { # $1 - ip # $2 - port local cmd netcat_setup && { cmd="$NCAT -z -w 1 $1 $2" - echo $cmd + echo "$cmd" $cmd 2>&1 } } -check_system() -{ +check_system() { echo \* checking system UNAME=$(uname) 
@@ -309,139 +285,137 @@ check_system() # can be passed FWTYPE=iptables to override default nftables preference case "$UNAME" in - Linux) - PKTWS="$NFQWS" - PKTWSD=nfqws - linux_fwtype - [ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || { - echo firewall type $FWTYPE not supported in $UNAME - exitp 5 - } - ;; - FreeBSD) - PKTWS="$DVTWS" - PKTWSD=dvtws - FWTYPE=ipfw - [ -f /etc/platform ] && read SUBSYS /dev/null - sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null - sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null - sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null - pfctl -qd - pfctl -qe - pf_restore - } - } ;; - OpenBSD|Darwin) - progs="$progs pfctl" - pf_is_avail || { - echo pf is not available + nftables) + nft_has_nfq || { + echo nftables queue support is not available. pls install modules. exitp 6 } - # no divert sockets in MacOS - [ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1 + ;; + esac + ;; + FreeBSD) + progs="$progs ipfw" + freebsd_modules_loaded ipfw ipdivert || { + echo ipfw or ipdivert kernel module not loaded + exitp 6 + } + [ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && { + echo ipfw is disabled. use: ipfw enable firewall + exitp 6 + } + pf_is_avail && { pf_save - ;; - CYGWIN) - SKIP_TPWS=1 - ;; + [ "$SUBSYS" = "pfSense" ] && { + # pfsense's ipfw may not work without these workarounds + sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null + sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null + sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null + sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null + pfctl -qd + pfctl -qe + pf_restore + } + } + ;; + OpenBSD | Darwin) + progs="$progs pfctl" + pf_is_avail || { + echo pf is not available + exitp 6 + } + # no divert sockets in macOS + [ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1 + pf_save + ;; + CYGWIN) + SKIP_TPWS=1 + ;; esac for prog in $progs; do - exists $prog || { - echo $prog does not exist. 
please install + exists "$prog" || { + echo "$prog" does not exist. please install exitp 6 } done 
@@ -456,55 +430,64 @@ check_prerequisites() fi } - -curl_translate_code() -{ +curl_translate_code() { # $1 - code - printf $1 + printf "$1" case $1 in - 0) printf ": ok" + 0) + printf ": ok" ;; - 1) printf ": unsupported protocol" + 1) + printf ": unsupported protocol" ;; - 2) printf ": early initialization code failed" + 2) + printf ": early initialization code failed" ;; - 3) printf ": the URL was not properly formatted" + 3) + printf ": the URL was not properly formatted" ;; - 4) printf ": feature not supported by libcurl" + 4) + printf ": feature not supported by libcurl" ;; - 5) printf ": could not resolve proxy" + 5) + printf ": could not resolve proxy" ;; - 6) printf ": could not resolve host" + 6) + printf ": could not resolve host" ;; - 7) printf ": could not connect" + 7) + printf ": could not connect" ;; - 8) printf ": invalid server reply" + 8) + printf ": invalid server reply" ;; - 9) printf ": remote access denied" + 9) + printf ": remote access denied" ;; - 27) printf ": out of memory" + 27) + printf ": out of memory" ;; - 28) printf ": operation timed out" + 28) + printf ": operation timed out" ;; - 35) printf ": SSL connect error" + 35) + printf ": SSL connect error" ;; esac } -curl_supports_tls13() -{ +curl_supports_tls13() { local r $CURL --tlsv1.3 -Is -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null # return code 2 = init failed. likely bad command line options [ $? = 2 ] && return 1 # curl can have tlsv1.3 key present but ssl library without TLS 1.3 support # this is online test because there's no other way to trigger library incompatibility case - $CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://w3.org 2>/dev/null + $CURL --tlsv1.3 --max-time "$CURL_MAX_TIME" -Is -o /dev/null https://w3.org 2>/dev/null r=$? 
[ $r != 4 -a $r != 35 ] } -curl_supports_tlsmax() -{ +curl_supports_tlsmax() { # supported only in OpenSSL and LibreSSL $CURL --version | grep -Fq -e OpenSSL -e LibreSSL -e BoringSSL -e GnuTLS -e quictls || return 1 # supported since curl 7.54 
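Review bot: `printf "$1"` in curl_translate_code still uses the code as the printf format string; the added quotes only stop word splitting, so a value containing `%` or `\` would be interpreted rather than printed. The callers presumably pass curl's numeric exit status, so this is harmless today, but `printf '%s' "$1"` is the robust form and is what ShellCheck asks for (SC2059). The same pattern is visible later in the diff in curl_test's unchanged `printf "[attempt $n] "`. curl_supports_tlsmax at the end of the hunk continues past it.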
@@ -513,89 +496,88 @@ curl_supports_tlsmax() [ $? != 2 ] } -curl_supports_connect_to() -{ +curl_supports_connect_to() { $CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 http://127.0.0.1:65535 2>/dev/null [ "$?" != 2 ] } -curl_supports_http3() -{ - # if it has http3 : curl: (3) HTTP/3 requested for non-HTTPS URL - # otherwise : curl: (2) option --http3-only: is unknown +curl_supports_http3() { + # if it has HTTP3: curl: (3) HTTP/3 requested for non-HTTPS URL + # otherwise: curl: (2) option --http3-only: is unknown $CURL --connect-to 127.0.0.1:: -o /dev/null --max-time 1 --http3-only http://127.0.0.1:65535 2>/dev/null [ "$?" != 2 ] } -hdrfile_http_code() -{ +hdrfile_http_code() { # $1 - hdr file sed -nre '1,1 s/^HTTP\/1\.[0,1] ([0-9]+) .*$/\1/p' "$1" } -hdrfile_location() -{ +hdrfile_location() { # $1 - hdr file # some DPIs return CRLF line ending tr -d '\015' <"$1" | sed -nre 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[ ]*([^ ]*)[ ]*$/\1/p' } -curl_with_subst_ip() -{ +curl_with_subst_ip() { # $1 - domain # $2 - port # $3 - ip # $4+ - curl params local connect_to="--connect-to $1::[$3]${2:+:$2}" arg - shift ; shift ; shift + shift + shift + shift [ "$CURL_VERBOSE" = 1 ] && arg="-v" - [ "$CURL_CMD" = 1 ] && echo $CURL ${arg:+$arg }$connect_to "$@" - ALL_PROXY="$ALL_PROXY" $CURL ${arg:+$arg }$connect_to "$@" + [ "$CURL_CMD" = 1 ] && echo "$CURL" ${arg:+$arg }"$connect_to" "$@" + ALL_PROXY="$ALL_PROXY" $CURL ${arg:+$arg }"$connect_to" "$@" } -curl_with_dig() -{ - # $1 - ip version : 4/6 +curl_with_dig() { + # $1 - IP version: 4/6 # $2 - domain name # $3 - port # $4+ - curl params - local dom=$2 port=$3 - local ip=$(mdig_resolve $1 $dom) - shift ; shift ; shift + local dom="$2" por"t"="""$3" + local ip=$(mdig_resolve "$1" "$dom") + shift + shift + shift if [ -n "$ip" ]; then - curl_with_subst_ip $dom $port $ip "$@" + curl_with_subst_ip "$dom" "$port" "$ip" "$@" else return 6 fi } -curl_probe() -{ - # $1 - ip version : 4/6 +curl_probe() { + # $1 - IP version: 4/6 # $2 - 
domain name # $3 - port # $4 - subst ip # $5+ - curl params - local ipv=$1 dom=$2 port=$3 subst=$4 - shift; shift; shift; shift + local ipv="$1" dom="$2" port="$3" subst="$4" + shift + shift + shift + shift if [ -n "$subst" ]; then - curl_with_subst_ip $dom $port $subst "$@" + curl_with_subst_ip "$dom" "$port" "$subst" "$@" else - curl_with_dig $ipv $dom $port "$@" + curl_with_dig "$ipv" "$dom" "$port" "$@" fi } -curl_test_http() -{ - # $1 - ip version : 4/6 +curl_test_http() { + # $1 - IP version: 4/6 # $2 - domain name # $3 - subst ip # $4 - "detail" - detail info local code loc - curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$HDRTEMP" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || { + curl_probe "$1" "$2" "$HTTP_PORT" "$3" -SsD "$HDRTEMP" -A "$USER_AGENT" --max-time "$CURL_MAX_TIME" "$CURL_OPT" "http://$2" -o /dev/null 2>&1 || { code=$? rm -f "$HDRTEMP" - return $code + return "$code" } - if [ "$4" = "detail" ] ; then + if [ "$4" = "detail" ]; then head -n 1 "$HDRTEMP" grep "^[lL]ocation:" "$HDRTEMP" else @@ -603,8 +585,8 @@ curl_test_http() [ "$code" = 301 -o "$code" = 302 -o "$code" = 307 -o "$code" = 308 ] && { loc=$(hdrfile_location "$HDRTEMP") echo "$loc" | grep -qE "^https?://.*$2(/|$)" || - echo "$loc" | grep -vqE '^https?://' || { - echo suspicious redirection $code to : $loc + echo "$loc" | grep -vqE '^https?://' || { + echo suspicious redirection "$code" to: "$loc" rm -f "$HDRTEMP" return 254 } 
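Review bot: Quoting `"$CURL_OPT"` in the new curl_test_http line breaks a variable that was deliberately left unquoted so it could carry zero or several curl options: when CURL_OPT is empty curl now receives an empty positional argument, and a multi-option value reaches it as one word. The same regression appears in the following hunks for `"$CURL_OPT"`, `"$TLSMAX12"` and `"$TLSMAX13"` in curl_test_https_tls12/tls13/http3, for `"$WF"` in pktws_start (pktws_ipt_prepare assigns WF two options on one line), for `"$fake"` in pktws_curl_test_update_vary (the fake loop begins with an empty element, while `$split` on the same line was correctly left unquoted) and for `"$s"` and `"$e"` in pktws_check_domain_http_bypass_ (`s` holds two options, `e` iterates over '' and '--wssize 1:6'). Those expansions should stay unquoted, each with a `# shellcheck disable=SC2086 — intentional word splitting` line, or be rebuilt with `set --` into real argument lists. Separately, `local dom="$2" por"t"="""$3"` in curl_with_dig looks like an editing accident; quote removal still yields port=$3, but it should read `local dom="$2" port="$3"`. curl_test_http continues past the end of the hunk.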
@@ -613,63 +595,58 @@ curl_test_http() rm -f "$HDRTEMP" [ "$code" = 400 ] && { # this can often happen if the server receives fake packets it should not receive - echo http code $code. likely the server receives fakes. + echo HTTP code "$code". likely the server receives fakes. return 254 } return 0 } -curl_test_https_tls12() -{ - # $1 - ip version : 4/6 +curl_test_https_tls12() { + # $1 - IP version: 4/6 # $2 - domain name # $3 - subst ip - # do not use tls 1.3 to make sure server certificate is not encrypted - curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1 + # do not use TLS 1.3 to make sure server certificate is not encrypted + curl_probe "$1" "$2" "$HTTPS_PORT" "$3" -ISs -A "$USER_AGENT" --max-time "$CURL_MAX_TIME" "$CURL_OPT" --tlsv1.2 "$TLSMAX12" "https://$2" -o /dev/null 2>&1 } -curl_test_https_tls13() -{ - # $1 - ip version : 4/6 +curl_test_https_tls13() { + # $1 - IP version: 4/6 # $2 - domain name # $3 - subst ip # force TLS1.3 mode - curl_probe $1 $2 $HTTPS_PORT "$3" -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1 + curl_probe "$1" "$2" "$HTTPS_PORT" "$3" -ISs -A "$USER_AGENT" --max-time "$CURL_MAX_TIME" "$CURL_OPT" --tlsv1.3 "$TLSMAX13" "https://$2" -o /dev/null 2>&1 } -curl_test_http3() -{ - # $1 - ip version : 4/6 +curl_test_http3() { + # $1 - IP version: 4/6 # $2 - domain name - # force QUIC only mode without tcp - curl_with_dig $1 $2 $QUIC_PORT -ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME_QUIC --http3-only $CURL_OPT "https://$2" -o /dev/null 2>&1 + # force QUIC only mode without TCP + curl_with_dig "$1" "$2" "$QUIC_PORT" -ISs -A "$USER_AGENT" --max-time "$CURL_MAX_TIME_QUIC" --http3-only "$CURL_OPT" "https://$2" -o /dev/null 2>&1 } -ipt_scheme() -{ - # $1 - 1 - add , 0 - del +ipt_scheme() { + # $1 - 1 - add, 0 - del # $2 - tcp/udp # $3 - port - IPT_ADD_DEL $1 OUTPUT -t mangle -p $2 --dport $3 
-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM + IPT_ADD_DEL "$1" OUTPUT -t mangle -p "$2" --dport "$3" -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num "$QNUM" # to avoid possible INVALID state drop - [ "$2" = tcp ] && IPT_ADD_DEL $1 INPUT -p $2 --sport $3 ! --syn -j ACCEPT + [ "$2" = tcp ] && IPT_ADD_DEL "$1" INPUT -p "$2" --sport "$3" ! --syn -j ACCEPT # for strategies with incoming packets involved (autottl) - IPT_ADD_DEL $1 OUTPUT -p $2 --dport $3 -m conntrack --ctstate INVALID -j ACCEPT + IPT_ADD_DEL "$1" OUTPUT -p "$2" --dport "$3" -m conntrack --ctstate INVALID -j ACCEPT if [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ]; then - # the only way to reliable disable ipv6 defrag. works only in 4.16+ kernels - IPT_ADD_DEL $1 OUTPUT -t raw -p $2 -m frag -j CT --notrack + # the only way to reliable disable IPv6 defrag. works only in 4.16+ kernels + IPT_ADD_DEL "$1" OUTPUT -t raw -p "$2" -m frag -j CT --notrack elif [ "$IPV" = 4 ]; then # enable fragments - IPT_ADD_DEL $1 OUTPUT -f -j ACCEPT + IPT_ADD_DEL "$1" OUTPUT -f -j ACCEPT fi # enable everything generated by nfqws (works only in OUTPUT, not in FORWARD) # raw table may not be present - IPT_ADD_DEL $1 OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack + IPT_ADD_DEL "$1" OUTPUT -t raw -m mark --mark $DESYNC_MARK/$DESYNC_MARK -j CT --notrack } -nft_scheme() -{ +nft_scheme() { # $1 - tcp/udp # $2 - port nft add table inet $NFT_TABLE 
@@ -682,148 +659,138 @@ nft_scheme() nft "add rule inet $NFT_TABLE predefrag meta nfproto ipv${IPV} mark and $DESYNC_MARK !=0 notrack" } -pktws_ipt_prepare() -{ +pktws_ipt_prepare() { # $1 - tcp/udp # $2 - port case "$FWTYPE" in - iptables) - ipt_scheme 1 $1 $2 - ;; - nftables) - nft_scheme $1 $2 - ;; - ipfw) - # disable PF to avoid interferences - pf_is_avail && pfctl -qd - IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to any $2 proto ip${IPV} out not diverted not sockarg - ;; - opf) - opf_prepare_dvtws $1 $2 - ;; - windivert) - WF="--wf-l3=ipv${IPV} --wf-${1}=$2" - ;; + iptables) + ipt_scheme 1 "$1" "$2" + ;; + nftables) + nft_scheme "$1" "$2" + ;; + ipfw) + # disable PF to avoid interferences + pf_is_avail && pfctl -qd + IPFW_ADD divert "$IPFW_DIVERT_PORT" "$1" from me to any "$2" proto ip"${IPV}" out not diverted not sockarg + ;; + opf) + opf_prepare_dvtws "$1" "$2" + ;; + windivert) + WF="--wf-l3=ipv${IPV} --wf-${1}=$2" + ;; esac } -pktws_ipt_unprepare() -{ +pktws_ipt_unprepare() { # $1 - tcp/udp # $2 - port case "$FWTYPE" in - iptables) - ipt_scheme 0 $1 $2 - ;; - nftables) - nft delete table inet $NFT_TABLE 2>/dev/null - ;; - ipfw) - IPFW_DEL - pf_is_avail && pf_restore - ;; - opf) - pf_restore - ;; - windivert) - unset WF - ;; + iptables) + ipt_scheme 0 "$1" "$2" + ;; + nftables) + nft delete table inet $NFT_TABLE 2>/dev/null + ;; + ipfw) + IPFW_DEL + pf_is_avail && pf_restore + ;; + opf) + pf_restore + ;; + windivert) + unset WF + ;; esac } -pktws_ipt_prepare_tcp() -{ +pktws_ipt_prepare_tcp() { # $1 - port - pktws_ipt_prepare tcp $1 + pktws_ipt_prepare tcp "$1" case "$FWTYPE" in - iptables) - # for autottl - IPT INPUT -t mangle -p tcp --sport $1 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num $QNUM - ;; - nftables) - # for autottl - nft "add rule inet $NFT_TABLE prenat meta nfproto ipv${IPV} tcp sport $1 ct original packets 1 queue num $QNUM" - ;; - ipfw) - # for autottl mode - IPFW_ADD divert 
$IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in not diverted not sockarg - ;; + iptables) + # for autottl + IPT INPUT -t mangle -p tcp --sport "$1" -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num "$QNUM" + ;; + nftables) + # for autottl + nft "add rule inet $NFT_TABLE prenat meta nfproto ipv${IPV} tcp sport $1 ct original packets 1 queue num $QNUM" + ;; + ipfw) + # for autottl mode + IPFW_ADD divert "$IPFW_DIVERT_PORT" tcp from any "$1" to me proto ip"${IPV}" tcpflags syn,ack in not diverted not sockarg + ;; esac } -pktws_ipt_unprepare_tcp() -{ +pktws_ipt_unprepare_tcp() { # $1 - port - - pktws_ipt_unprepare tcp $1 + + pktws_ipt_unprepare tcp "$1" case "$FWTYPE" in - iptables) - IPT_DEL INPUT -t mangle -p tcp --sport $1 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num $QNUM - ;; + iptables) + IPT_DEL INPUT -t mangle -p tcp --sport "$1" -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:1 -j NFQUEUE --queue-num "$QNUM" + ;; esac } -pktws_ipt_prepare_udp() -{ +pktws_ipt_prepare_udp() { # $1 - port - pktws_ipt_prepare udp $1 + pktws_ipt_prepare udp "$1" } -pktws_ipt_unprepare_udp() -{ +pktws_ipt_unprepare_udp() { # $1 - port - - pktws_ipt_unprepare udp $1 + + pktws_ipt_unprepare udp "$1" } -pktws_start() -{ +pktws_start() { case "$UNAME" in - Linux) - "$NFQWS" --uid $TPWS_UID:$TPWS_GID --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null & - ;; - FreeBSD|OpenBSD) - "$DVTWS" --port=$IPFW_DIVERT_PORT "$@" >/dev/null & - ;; - CYGWIN) - "$WINWS" $WF "$@" >/dev/null & - ;; + Linux) + "$NFQWS" --uid "$TPWS_UID":"$TPWS_GID" --dpi-desync-fwmark="$DESYNC_MARK" --qnum="$QNUM" "$@" >/dev/null & + ;; + FreeBSD | OpenBSD) + "$DVTWS" --port="$IPFW_DIVERT_PORT" "$@" >/dev/null & + ;; + CYGWIN) + "$WINWS" "$WF" "$@" >/dev/null & + ;; esac PID=$! 
# give some time to initialize minsleep } -tpws_start() -{ - "$TPWS" --uid $TPWS_UID:$TPWS_GID --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null & +tpws_start() { + "$TPWS" --uid "$TPWS_UID":"$TPWS_GID" --socks --bind-addr=127.0.0.1 --port="$SOCKS_PORT" "$@" >/dev/null & PID=$! # give some time to initialize minsleep } -ws_kill() -{ +ws_kill() { [ -z "$PID" ] || { - killwait -9 $PID 2>/dev/null + killwait -9 "$PID" 2>/dev/null PID= } } -check_domain_port_block() -{ +check_domain_port_block() { # $1 - domain # $2 - port local ip ips echo - echo \* port block tests ipv$IPV $1:$2 + echo \* port block tests ipv"$IPV" "$1":"$2" if netcat_setup; then - ips=$(mdig_resolve_all $IPV $1) + ips=$(mdig_resolve_all "$IPV" "$1") if [ -n "$ips" ]; then for ip in $ips; do - if netcat_test $ip $2; then - echo $ip connects + if netcat_test "$ip" "$2"; then + echo "$ip" connects else - echo $ip does not connect. netcat code $? + echo "$ip" does not connect. netcat code $? fi done else @@ -834,8 +801,7 @@ check_domain_port_block() fi } -curl_test() -{ +curl_test() { # $1 - test function # $2 - domain # $3 - subst ip @@ -843,9 +809,9 @@ curl_test() local code=0 n=0 while [ $n -lt $REPEATS ]; do - n=$(($n+1)) + n=$(($n + 1)) [ $REPEATS -gt 1 ] && printf "[attempt $n] " - if $1 "$IPV" $2 $3 "$4" ; then + if $1 "$IPV" "$2" "$3" "$4"; then [ $REPEATS -gt 1 ] && echo 'AVAILABLE' else code=$? 
@@ -863,81 +829,72 @@ curl_test() } return $code } -ws_curl_test() -{ +ws_curl_test() { # $1 - ws start function # $2 - test function # $3 - domain # $4,$5,$6, ... - ws params - local code ws_start=$1 testf=$2 dom=$3 + local code ws_start="$1" testf="$2" dom="$3" shift shift shift $ws_start "$@" - curl_test $testf $dom + curl_test "$testf" "$dom" code=$? ws_kill - return $code + return "$code" } -tpws_curl_test() -{ +tpws_curl_test() { # $1 - test function # $2 - domain # $3,$4,$5, ... - tpws params - echo - checking tpws $3 $4 $5 $6 $7 $8 $9 + echo - checking tpws "$3" "$4" "$5" "$6" "$7" "$8" "$9" local ALL_PROXY="socks5://127.0.0.1:$SOCKS_PORT" ws_curl_test tpws_start "$@" } -pktws_curl_test() -{ +pktws_curl_test() { # $1 - test function # $2 - domain # $3,$4,$5, ... - nfqws/dvtws params - echo - checking $PKTWSD ${WF:+$WF }$3 $4 $5 $6 $7 $8 $9 + echo - checking "$PKTWSD" ${WF:+$WF }"$3" "$4" "$5" "$6" "$7" "$8" "$9" ws_curl_test pktws_start "$@" } -xxxws_curl_test_update() -{ +xxxws_curl_test_update() { # $1 - xxx_curl_test function # $2 - test function # $3 - domain # $4,$5,$6, ... - nfqws/dvtws params - local code xxxf=$1 testf=$2 dom=$3 + local code xxxf="$1" testf="$2" dom="$3" shift shift shift - $xxxf $testf $dom "$@" + $xxxf "$testf" "$dom" "$@" code=$? 
[ $code = 0 ] && strategy="${strategy:-$@}" return $code } -pktws_curl_test_update() -{ +pktws_curl_test_update() { xxxws_curl_test_update pktws_curl_test "$@" } -tpws_curl_test_update() -{ +tpws_curl_test_update() { xxxws_curl_test_update tpws_curl_test "$@" } -report_append() -{ +report_append() { NREPORT=${NREPORT:-0} - eval REPORT_${NREPORT}=\"$@\" - NREPORT=$(($NREPORT+1)) + eval REPORT_"${NREPORT}"=\"$@\" + NREPORT=$(($NREPORT + 1)) } -report_print() -{ +report_print() { local n=0 s NREPORT=${NREPORT:-0} - while [ $n -lt $NREPORT ]; do + while [ $n -lt "$NREPORT" ]; do eval s=\"\${REPORT_$n}\" - echo $s - n=$(($n+1)) + echo "$s" + n=$(($n + 1)) done } -report_strategy() -{ +report_strategy() { # $1 - test function # $2 - domain # $3 - daemon 
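Review bot: Quoting `"${NREPORT}"` inside `eval REPORT_"${NREPORT}"=\"$@\"` in report_append changes nothing, because eval re-parses the joined string; the report text from `$@` is still spliced into that string unquoted, so a line containing a double quote, a backquote or `$` breaks the assignment or is re-evaluated by the second parse. `eval "REPORT_${NREPORT}=\$*"` lets eval expand the parameters itself and stores the joined text verbatim, and report_print's `eval s=\"\${REPORT_$n}\"` already reads it back safely. The old and new versions of report_strategy at the end of the hunk continue outside it.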
@@ -954,52 +911,50 @@ report_strategy() return 1 fi } -test_has_split() -{ +test_has_split() { contains "$1" split || contains "$1" disorder } -test_has_fake() -{ +test_has_fake() { contains "$1" fake } -warn_fool() -{ +warn_fool() { case "$1" in - md5sig) echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.' ;; - datanoack) echo 'WARNING ! although datanoack fooling worked it may break NAT and may only work with external IP. Additionally it may require nftables to work correctly.' ;; + md5sig) echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on Linux servers.' ;; + datanoack) echo 'WARNING ! although datanoack fooling worked it may break NAT and may only work with external IP. Additionally it may require nftables to work correctly.' ;; esac } -pktws_curl_test_update_vary() -{ +pktws_curl_test_update_vary() { # $1 - test function # $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk # $3 - domain # $4 - desync mode # $5,$6,... - strategy - local testf=$1 sec=$2 domain=$3 desync=$4 zerofake split fake - - shift; shift; shift; shift - + local testf="$1" sec="$2" domain="$3" desync="$4" zerofake split fake + + shift + shift + shift + shift + zerofake=http [ "$sec" = 0 ] || zerofake=tls zerofake="--dpi-desync-fake-$zerofake=0x00000000" - - for fake in '' $zerofake ; do - for split in '' '--dpi-desync-split-pos=1' ; do - pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake $split && return 0 - # split-pos=1 is meaningful for DPIs searching for 16 03 in TLS. no reason to apply to http + + for fake in '' $zerofake; do + for split in '' '--dpi-desync-split-pos=1'; do + pktws_curl_test_update "$testf" "$domain" --dpi-desync="$desync" "$@" "$fake" $split && return 0 + # split-pos=1 is meaningful for DPIs searching for 16 03 in TLS. 
no reason to apply to HTTP [ "$sec" = 1 ] || break - test_has_split $desync || break + test_has_split "$desync" || break done - test_has_fake $desync || break + test_has_fake "$desync" || break done return 1 } -pktws_check_domain_http_bypass_() -{ +pktws_check_domain_http_bypass_() { # $1 - test function # $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk # $3 - domain @@ -1008,13 +963,13 @@ pktws_check_domain_http_bypass_() [ "$sec" = 0 ] && { for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do - pktws_curl_test_update $1 $3 $s + pktws_curl_test_update "$1" "$3" $s done } s="--dpi-desync=split2" ok=0 - pktws_curl_test_update $1 $3 $s + pktws_curl_test_update "$1" "$3" $s ret=$? [ "$ret" = 0 ] && { [ "$SCANLEVEL" = quick ] && return @@ -1022,13 +977,13 @@ pktws_check_domain_http_bypass_() } [ "$ret" != 0 -o "$SCANLEVEL" = force ] && { if [ "$sec" = 0 ]; then - pktws_curl_test_update $1 $3 $s --hostcase && { + pktws_curl_test_update "$1" "$3" $s --hostcase && { [ "$SCANLEVEL" = quick ] && return ok=1 } for pos in method host; do for hostcase in '' '--hostcase'; do - pktws_curl_test_update $1 $3 $s --dpi-desync-split-http-req=$pos $hostcase && { + pktws_curl_test_update "$1" "$3" $s --dpi-desync-split-http-req=$pos $hostcase && { [ "$SCANLEVEL" = quick ] && return ok=1 } @@ -1036,7 +991,7 @@ pktws_check_domain_http_bypass_() done else for pos in sni sniext; do - pktws_curl_test_update $1 $3 $s --dpi-desync-split-tls=$pos && { + pktws_curl_test_update "$1" "$3" $s --dpi-desync-split-tls=$pos && { [ "$SCANLEVEL" = quick ] && return ok=1 } 
@@ -1044,38 +999,38 @@ pktws_check_domain_http_bypass_() fi for pos in 1 3 4 5 10 50; do s="--dpi-desync=split2 --dpi-desync-split-pos=$pos" - if pktws_curl_test_update $1 $3 $s; then + if pktws_curl_test_update "$1" "$3" "$s"; then [ "$SCANLEVEL" = quick ] && return ok=1 [ "$SCANLEVEL" = force ] || break elif [ "$sec" = 0 ]; then - pktws_curl_test_update $1 $3 $s --hostcase && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" "$s" --hostcase && [ "$SCANLEVEL" = quick ] && return fi done } [ "$ok" = 1 -a "$SCANLEVEL" != force ] || tests="$tests split fake,split2 fake,split" - pktws_curl_test_update $1 $3 --dpi-desync=disorder2 + pktws_curl_test_update "$1" "$3" --dpi-desync=disorder2 ret=$? [ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return [ "$ret" != 0 -o "$SCANLEVEL" = force ] && { - pktws_curl_test_update $1 $3 --dpi-desync=disorder2 --dpi-desync-split-pos=1 - ret=$? - [ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" --dpi-desync=disorder2 --dpi-desync-split-pos=1 + ret=$? + [ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return } [ "$ret" != 0 -o "$SCANLEVEL" = force ] && tests="$tests disorder fake,disorder2 fake,disorder" - ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL) + ttls=$(seq -s ' ' "$MIN_TTL" "$MAX_TTL") for e in '' '--wssize 1:6'; do [ -n "$e" ] && { - pktws_curl_test_update $1 $3 $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" "$e" && [ "$SCANLEVEL" = quick ] && return for desync in split2 disorder2; do - pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update_vary "$1" "$2" "$3" $desync "$e" && [ "$SCANLEVEL" = quick ] && return done } for desync in $tests; do for ttl in $ttls; do - pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $e && { + pktws_curl_test_update_vary "$1" "$2" "$3" "$desync" --dpi-desync-ttl="$ttl" "$e" && { [ "$SCANLEVEL" = quick ] && return break } 
@@ -1085,8 +1040,8 @@ pktws_check_domain_http_bypass_() f="$f badseq datanoack md5sig" [ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2" for fooling in $f; do - pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling $e && { - warn_fool $fooling + pktws_curl_test_update_vary "$1" "$2" "$3" "$desync" --dpi-desync-fooling="$fooling" "$e" && { + warn_fool "$fooling" [ "$SCANLEVEL" = quick ] && return } done @@ -1095,7 +1050,7 @@ pktws_check_domain_http_bypass_() f="hopbyhop hopbyhop,split2 hopbyhop,disorder2 destopt destopt,split2 destopt,disorder2" [ -n "$IP6_DEFRAG_DISABLE" ] && f="$f ipfrag1 ipfrag1,split2 ipfrag1,disorder2" for desync in $f; do - pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update_vary "$1" "$2" "$3" "$desync" "$e" && [ "$SCANLEVEL" = quick ] && return done } 
@@ -1103,65 +1058,63 @@ pktws_check_domain_http_bypass_() s="--dpi-desync=$desync" if [ "$sec" = 0 ]; then for pos in method host; do - pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=1 --dpi-desync-split-http-req=$pos $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" $s --dpi-desync-split-seqovl=1 --dpi-desync-split-http-req=$pos "$e" && [ "$SCANLEVEL" = quick ] && return done else for pos in sni sniext; do - pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=1 --dpi-desync-split-tls=$pos $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" $s --dpi-desync-split-seqovl=1 --dpi-desync-split-tls=$pos "$e" && [ "$SCANLEVEL" = quick ] && return done fi for pos in 2 3 4 5 10 50; do - pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=$(($pos - 1)) --dpi-desync-split-pos=$pos $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" $s --dpi-desync-split-seqovl=$(($pos - 1)) --dpi-desync-split-pos=$pos "$e" && [ "$SCANLEVEL" = quick ] && return done [ "$sec" != 0 -a $desync = split2 ] && { - pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=336 --dpi-desync-split-seqovl-pattern="$ZAPRET_BASE/files/fake/tls_clienthello_iana_org.bin" $e && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$3" $s --dpi-desync-split-seqovl=336 --dpi-desync-split-seqovl-pattern="$ZAPRET_BASE/files/fake/tls_clienthello_iana_org.bin" "$e" && [ "$SCANLEVEL" = quick ] && return } done for desync in $tests; do ok=0 for delta in 1 2 3 4 5; do - pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=1 --dpi-desync-autottl=$delta $e && ok=1 + pktws_curl_test_update_vary "$1" "$2" "$3" "$desync" --dpi-desync-ttl=1 --dpi-desync-autottl=$delta "$e" && ok=1 done [ "$ok" = 1 ] && - { - echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta" - echo "WARNING ! 
if a reliable delta cannot be found it's a good idea not to use autottl" - [ "$SCANLEVEL" = quick ] && return - } + { + echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta" + echo "WARNING ! if a reliable delta cannot be found it's a good idea not to use autottl" + [ "$SCANLEVEL" = quick ] && return + } done s="http_iana_org.bin" [ "$sec" = 0 ] || s="tls_clienthello_iana_org.bin" - for desync in syndata syndata,split2 syndata,disorder2 ; do - pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return - pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fake-syndata="$ZAPRET_BASE/files/fake/$s" $e && [ "$SCANLEVEL" = quick ] && return + for desync in syndata syndata,split2 syndata,disorder2; do + pktws_curl_test_update_vary "$1" "$2" "$3" $desync "$e" && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update_vary "$1" "$2" "$3" $desync --dpi-desync-fake-syndata="$ZAPRET_BASE/files/fake/$s" "$e" && [ "$SCANLEVEL" = quick ] && return done # do not do wssize test for http and TLS 1.3. it's useless [ "$sec" = 1 ] || break done } -pktws_check_domain_http_bypass() -{ +pktws_check_domain_http_bypass() { # $1 - test function # $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk # $3 - domain local strategy pktws_check_domain_http_bypass_ "$@" - report_strategy $1 $3 $PKTWSD + report_strategy "$1" "$3" $PKTWSD } -pktws_check_domain_http3_bypass_() -{ +pktws_check_domain_http3_bypass_() { # $1 - test function # $2 - domain - + local f desync frag tests rep for rep in '' 2 5 10 20; do - pktws_curl_test_update $1 $2 --dpi-desync=fake ${rep:+--dpi-desync-repeats=$rep} && [ "$SCANLEVEL" != force ] && { + pktws_curl_test_update "$1" "$2" --dpi-desync=fake ${rep:+--dpi-desync-repeats=$rep} && [ "$SCANLEVEL" != force ] && { [ "$SCANLEVEL" = quick ] && return break } 
@@ -1171,7 +1124,7 @@ pktws_check_domain_http3_bypass_() f="hopbyhop destopt" [ -n "$IP6_DEFRAG_DISABLE" ] && f="$f ipfrag1" for desync in $f; do - pktws_curl_test_update $1 $2 --dpi-desync=$desync && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$2" --dpi-desync="$desync" && [ "$SCANLEVEL" = quick ] && return done } @@ -1181,29 +1134,26 @@ pktws_check_domain_http3_bypass_() tests="ipfrag2" [ "$IPV" = 6 ] && tests="$tests hopbyhop,ipfrag2 destopt,ipfrag2" for desync in $tests; do - pktws_curl_test_update $1 $2 --dpi-desync=$desync --dpi-desync-ipfrag-pos-udp=$frag && [ "$SCANLEVEL" = quick ] && return + pktws_curl_test_update "$1" "$2" --dpi-desync="$desync" --dpi-desync-ipfrag-pos-udp=$frag && [ "$SCANLEVEL" = quick ] && return done done } - + } -pktws_check_domain_http3_bypass() -{ +pktws_check_domain_http3_bypass() { # $1 - test function # $2 - domain local strategy pktws_check_domain_http3_bypass_ "$@" - report_strategy $1 $2 $PKTWSD + report_strategy "$1" "$2" $PKTWSD } -warn_mss() -{ +warn_mss() { [ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3' return 0 } -tpws_check_domain_http_bypass_() -{ +tpws_check_domain_http_bypass_() { # $1 - test function # $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk # $3 - domain 
@@ -1211,16 +1161,16 @@ tpws_check_domain_http_bypass_() local s mss s2 s3 pos sec="$2" if [ "$sec" = 0 ]; then for s in '--hostcase' '--hostspell=hoSt' '--hostdot' '--hosttab' '--hostnospace' '--domcase' \ - '--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384' ; do - tpws_curl_test_update $1 $3 $s && [ "$SCANLEVEL" = quick ] && return + '--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384'; do + tpws_curl_test_update "$1" "$3" $s && [ "$SCANLEVEL" = quick ] && return done for s2 in '' '--oob' '--disorder' '--oob --disorder'; do - for s in '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' ; do - tpws_curl_test_update $1 $3 $s $s2 && [ "$SCANLEVEL" = quick ] && return + for s in '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase'; do + tpws_curl_test_update "$1" "$3" "$s" "$s2" && [ "$SCANLEVEL" = quick ] && return done done - for s in '--methodspace' '--unixeol' '--methodeol'; do - tpws_curl_test_update $1 $3 $s && [ "$SCANLEVEL" = quick ] && return + for s in '--methodspace' '--unixeol' '--methodeol'; do + tpws_curl_test_update "$1" "$3" $s && [ "$SCANLEVEL" = quick ] && return done else for mss in '' 88; do 
@@ -1228,24 +1178,24 @@ tpws_check_domain_http_bypass_() for s2 in '' '--oob' '--disorder' '--oob --disorder'; do for pos in sni sniext; do s="--split-tls=$pos" - tpws_curl_test_update $1 $3 $s $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && { + tpws_curl_test_update "$1" "$3" $s "$s2" "$s3" && warn_mss "$s3" && [ "$SCANLEVEL" != force ] && { [ "$SCANLEVEL" = quick ] && return break } done for pos in 1 2 3 4 5 10 50; do s="--split-pos=$pos" - tpws_curl_test_update $1 $3 $s $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && { + tpws_curl_test_update "$1" "$3" $s "$s2" "$s3" && warn_mss "$s3" && [ "$SCANLEVEL" != force ] && { [ "$SCANLEVEL" = quick ] && return break } done done for s2 in '--tlsrec=sni' '--tlsrec=sni --split-tls=sni' '--tlsrec=sni --split-tls=sni --oob' \ - '--tlsrec=sni --split-tls=sni --disorder' '--tlsrec=sni --split-tls=sni --oob --disorder' \ - '--tlsrec=sni --split-pos=1' '--tlsrec=sni --split-pos=1 --oob' '--tlsrec=sni --split-pos=1 --disorder' \ - '--tlsrec=sni --split-pos=1 --oob --disorder'; do - tpws_curl_test_update $1 $3 $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && { + '--tlsrec=sni --split-tls=sni --disorder' '--tlsrec=sni --split-tls=sni --oob --disorder' \ + '--tlsrec=sni --split-pos=1' '--tlsrec=sni --split-pos=1 --oob' '--tlsrec=sni --split-pos=1 --disorder' \ + '--tlsrec=sni --split-pos=1 --oob --disorder'; do + tpws_curl_test_update "$1" "$3" "$s2" "$s3" && warn_mss "$s3" && [ "$SCANLEVEL" != force ] && { [ "$SCANLEVEL" = quick ] && return break } 
@@ -1255,60 +1205,56 @@ tpws_check_domain_http_bypass_() done fi } -tpws_check_domain_http_bypass() -{ +tpws_check_domain_http_bypass() { # $1 - test function # $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk # $3 - domain local strategy tpws_check_domain_http_bypass_ "$@" - report_strategy $1 $3 tpws + report_strategy "$1" "$3" tpws } -check_dpi_ip_block() -{ +check_dpi_ip_block() { # $1 - test function # $2 - domain - local blocked_dom=$2 + local blocked_dom="$2" local blocked_ip blocked_ips unblocked_ip - echo + echo echo "- IP block tests (requires manual interpretation)" echo "> testing $UNBLOCKED_DOM on it's original ip" - if curl_test $1 $UNBLOCKED_DOM; then - unblocked_ip=$(mdig_resolve $IPV $UNBLOCKED_DOM) + if curl_test "$1" "$UNBLOCKED_DOM"; then + unblocked_ip=$(mdig_resolve "$IPV" "$UNBLOCKED_DOM") [ -n "$unblocked_ip" ] || { - echo $UNBLOCKED_DOM does not resolve. tests not possible. + echo "$UNBLOCKED_DOM" does not resolve. tests not possible. return 1 } echo "> testing $blocked_dom on $unblocked_ip ($UNBLOCKED_DOM)" - curl_test $1 $blocked_dom $unblocked_ip detail + curl_test "$1" "$blocked_dom" "$unblocked_ip" detail - blocked_ips=$(mdig_resolve_all $IPV $blocked_dom) + blocked_ips=$(mdig_resolve_all "$IPV" "$blocked_dom") for blocked_ip in $blocked_ips; do echo "> testing $UNBLOCKED_DOM on $blocked_ip ($blocked_dom)" - curl_test $1 $UNBLOCKED_DOM $blocked_ip detail + curl_test "$1" "$UNBLOCKED_DOM" "$blocked_ip" detail done else - echo $UNBLOCKED_DOM is not available. skipping this test. + echo "$UNBLOCKED_DOM" is not available. skipping this test. fi } -curl_has_reason_to_continue() -{ +curl_has_reason_to_continue() { # $1 - curl return code - for c in 1 2 3 4 6 27 ; do - [ $1 = $c ] && return 1 + for c in 1 2 3 4 6 27; do + [ "$1" = $c ] && return 1 done return 0 } -check_domain_prolog() -{ +check_domain_prolog() { # $1 - test function # $2 - port # $3 - domain 
@@ -1316,11 +1262,11 @@ check_domain_prolog() local code echo - echo \* $1 ipv$IPV $3 + echo \* "$1" ipv"$IPV" "$3" echo "- checking without DPI bypass" - curl_test $1 $3 && { - report_append "ipv${IPV} $3 $1 : working without bypass" + curl_test "$1" "$3" && { + report_append "ipv${IPV} $3 $1: working without bypass" [ "$SCANLEVEL" = force ] || return 1 } code=$? 
@@ -1330,85 +1276,77 @@ check_domain_prolog() } return 0 } -check_domain_http_tcp() -{ +check_domain_http_tcp() { # $1 - test function # $2 - port # $3 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk # $4 - domain # in case was interrupted before - pktws_ipt_unprepare_tcp $2 + pktws_ipt_unprepare_tcp "$2" ws_kill - check_domain_prolog $1 $2 $4 || return + check_domain_prolog "$1" "$2" "$4" || return - check_dpi_ip_block $1 $4 + check_dpi_ip_block "$1" "$4" [ "$SKIP_TPWS" = 1 ] || { echo - tpws_check_domain_http_bypass $1 $3 $4 + tpws_check_domain_http_bypass "$1" "$3" "$4" } [ "$SKIP_PKTWS" = 1 ] || { echo - echo preparing $PKTWSD redirection - pktws_ipt_prepare_tcp $2 + echo preparing $PKTWSD redirection + pktws_ipt_prepare_tcp "$2" - pktws_check_domain_http_bypass $1 $3 $4 + pktws_check_domain_http_bypass "$1" "$3" "$4" echo clearing $PKTWSD redirection - pktws_ipt_unprepare_tcp $2 + pktws_ipt_unprepare_tcp "$2" } } -check_domain_http_udp() -{ +check_domain_http_udp() { # $1 - test function # $2 - port # $3 - domain # in case was interrupted before - pktws_ipt_unprepare_udp $2 + pktws_ipt_unprepare_udp "$2" ws_kill - check_domain_prolog $1 $2 $3 || return + check_domain_prolog "$1" "$2" "$3" || return [ "$SKIP_PKTWS" = 1 ] || { echo - echo preparing $PKTWSD redirection - pktws_ipt_prepare_udp $2 + echo preparing $PKTWSD redirection + pktws_ipt_prepare_udp "$2" - pktws_check_domain_http3_bypass $1 $3 + pktws_check_domain_http3_bypass "$1" "$3" echo clearing $PKTWSD redirection - pktws_ipt_unprepare_udp $2 + pktws_ipt_unprepare_udp "$2" } } - -check_domain_http() -{ +check_domain_http() { # $1 - domain - check_domain_http_tcp curl_test_http 80 0 $1 + check_domain_http_tcp curl_test_http 80 0 "$1" } -check_domain_https_tls12() -{ +check_domain_https_tls12() { # $1 - domain - check_domain_http_tcp curl_test_https_tls12 443 1 $1 + check_domain_http_tcp curl_test_https_tls12 443 1 "$1" } 
-check_domain_https_tls13() -{ +check_domain_https_tls13() { # $1 - domain - check_domain_http_tcp curl_test_https_tls13 443 2 $1 + check_domain_http_tcp curl_test_https_tls13 443 2 "$1" } -check_domain_http3() -{ +check_domain_http3() { # $1 - domain - check_domain_http_udp curl_test_http3 443 $1 + check_domain_http_udp curl_test_http3 443 "$1" } -configure_ip_version() -{ +configure_ip_version() { if [ "$IPV" = 6 ]; then LOCALHOST=::1 LOCALHOST_IPT=[${LOCALHOST}] @@ -1421,10 +1359,9 @@ configure_ip_version() fi IPTABLES=ip${IPVV}tables } -configure_curl_opt() -{ - # wolfssl : --tlsv1.x mandates exact ssl version, tls-max not supported - # openssl : --tlsv1.x means "version equal or greater", tls-max supported +configure_curl_opt() { + # wolfssl: --tlsv1.x mandates exact SSL version, tls-max not supported + # openssl: --tlsv1.x means "version equal or greater", tls-max supported TLSMAX12= TLSMAX13= curl_supports_tlsmax && { @@ -1437,13 +1374,11 @@ configure_curl_opt() curl_supports_http3 && HTTP3=1 } -linux_ipv6_defrag_can_be_disabled() -{ +linux_ipv6_defrag_can_be_disabled() { linux_min_version 4 16 } -configure_defrag() -{ +configure_defrag() { IP6_DEFRAG_DISABLE= [ "$IPVS" = 4 ] && return 
@@ -1458,40 +1393,39 @@ configure_defrag() } case "$FWTYPE" in - iptables) - if ipt6_has_raw ; then - if ipt6_has_frag; then - IP6_DEFRAG_DISABLE=1 - else - echo "WARNING ! ip6tables does not have '-m frag' module, ipv6 ipfrag tests are disabled" - echo - fi + iptables) + if ipt6_has_raw; then + if ipt6_has_frag; then + IP6_DEFRAG_DISABLE=1 else - echo "WARNING ! ip6tables raw table is not available, ipv6 ipfrag tests are disabled" + echo "WARNING ! ip6tables does not have '-m frag' module, IPv6 ipfrag tests are disabled" echo fi - [ -n "$IP6_DEFRAG_DISABLE" ] && { - local ipexe="$(readlink -f $(whichq ip6tables))" - if contains "$ipexe" nft; then - echo "WARNING ! ipv6 ipfrag tests may have no effect if ip6tables-nft is used. current ip6tables point to : $ipexe" - else - echo "WARNING ! ipv6 ipfrag tests may have no effect if ip6table_raw kernel module is not loaded with parameter : raw_before_defrag=1" - fi - echo - } - ;; - *) - IP6_DEFRAG_DISABLE=1 - ;; + else + echo "WARNING ! ip6tables raw table is not available, IPv6 ipfrag tests are disabled" + echo + fi + [ -n "$IP6_DEFRAG_DISABLE" ] && { + local ipexe="$(readlink -f $(whichq ip6tables))" + if contains "$ipexe" nft; then + echo "WARNING ! IPv6 ipfrag tests may have no effect if ip6tables-nft is used. current ip6tables point to: $ipexe" + else + echo "WARNING ! IPv6 ipfrag tests may have no effect if ip6table_raw kernel module is not loaded with parameter: raw_before_defrag=1" + fi + echo + } + ;; + *) + IP6_DEFRAG_DISABLE=1 + ;; esac } -ask_params() -{ +ask_params() { echo echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN echo - + curl_supports_connect_to || { echo "installed curl does not support --connect-to option. pls install at least curl 7.49" echo "current curl version:" @@ -1499,7 +1433,6 @@ ask_params() exitp 1 } - echo "specify domain(s) to test. multiple domains are space separated." printf "domain(s) (default: $DOMAINS) : " local dom 
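Review bot: `local ipexe="$(readlink -f $(whichq ip6tables))"` in configure_defrag is the one expansion in this hunk left unquoted, which is inconsistent with the purpose of the commit (SC2046) and is also the spot where a path containing whitespace would be split before readlink sees it. Write it as `local ipexe="$(readlink -f "$(whichq ip6tables)")"`. If whichq prints nothing, readlink runs with no operand and ipexe ends up empty, which then selects the raw_before_defrag warning below; that behaviour is pre-existing but worth a short comment on the line.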
@@ -1566,16 +1499,16 @@ ask_params() echo "sometimes ISPs use multiple DPIs or load balancing. bypass strategies may work unstable." printf "how many times to repeat each test (default: 1) : " read REPEATS - REPEATS=$((0+${REPEATS:-1})) + REPEATS=$((0 + ${REPEATS:-1})) [ "$REPEATS" = 0 ] && { echo invalid repeat count exitp 1 } echo - echo quick - scan as fast as possible to reveal any working strategy + echo quick - scan as fast as possible to reveal any working strategy echo standard - do investigation what works on your DPI - echo force - scan maximum despite of result + echo force - scan maximum despite of result SCANLEVEL=${SCANLEVEL:-standard} ask_list SCANLEVEL "quick standard force" "$SCANLEVEL" # disable tpws checks by default in quick mode @@ -1586,25 +1519,21 @@ ask_params() configure_defrag } - - -ping_with_fix() -{ +ping_with_fix() { local ret - $PING $2 $1 >/dev/null 2>/dev/null + $PING "$2" "$1" >/dev/null 2>/dev/null ret=$? # can be because of unsupported -4 option if [ "$ret" = 2 -o "$ret" = 64 ]; then - ping $2 $1 >/dev/null + ping "$2" "$1" >/dev/null else return $ret fi } -pingtest() -{ - # $1 - ip version : 4 or 6 - # $2 - domain or ip +pingtest() { + # $1 - IP version: 4 or 6 + # $2 - domain or IP # ping command can vary a lot. some implementations have -4/-6 options. others don.t # WARNING ! macos ping6 command does not have timeout option. ping6 will fail 
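Review bot: `$PING "$2" "$1"` in ping_with_fix breaks the contract with its caller: pingtest passes the options as a single string (`ping_with_fix "$2" '-c 1 -w 1'` in the next hunk), so quoting `"$2"` hands ping one argument `-c 1 -w 1`, which it will reject, and the fallback `ping "$2" "$1"` fails in the same way. The visible consequence is that pingtest returns non-zero on Linux, find_working_public_dns finds nothing, and check_dns quietly takes its "no working public DNS was found" branch instead of comparing the system resolver against a public one. Keep the option string unquoted in both lines, `$PING $2 "$1" >/dev/null 2>/dev/null` and `ping $2 "$1" >/dev/null`, with a `# shellcheck disable=SC2086 -- $2 is an option list` comment explaining why.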
@@ -1628,76 +1557,70 @@ pingtest() fi fi case "$UNAME" in - Darwin) - $PING -c 1 -t 1 $2 >/dev/null 2>/dev/null - # WARNING ! macos ping6 command does not have timeout option. ping6 will fail. but without timeout is not an option. - ;; - OpenBSD) - $PING -c 1 -w 1 $2 >/dev/null - ;; - CYGWIN) - if starts_with "$(which ping)" /cygdrive; then - # cygwin does not have own ping by default. use windows PING. - $PING -n 1 -w 1000 $2 >/dev/null - else - ping_with_fix $2 '-c 1 -w 1' - fi - ;; - *) - ping_with_fix $2 '-c 1 -W 1' - ;; + Darwin) + $PING -c 1 -t 1 "$2" >/dev/null 2>/dev/null + # WARNING ! macOS ping6 command does not have timeout option. ping6 will fail. but without timeout is not an option. + ;; + OpenBSD) + $PING -c 1 -w 1 "$2" >/dev/null + ;; + CYGWIN) + if starts_with "$(which ping)" /cygdrive; then + # cygwin does not have own ping by default. use Windows PING. + $PING -n 1 -w 1000 "$2" >/dev/null + else + ping_with_fix "$2" '-c 1 -w 1' + fi + ;; + *) + ping_with_fix "$2" '-c 1 -W 1' + ;; esac } -dnstest() -{ - # $1 - dns server. empty for system resolver - "$LOOKUP" w3.org $1 >/dev/null 2>/dev/null +dnstest() { + # $1 - DNS server. 
empty for system resolver + "$LOOKUP" w3.org "$1" >/dev/null 2>/dev/null } -find_working_public_dns() -{ +find_working_public_dns() { local dns for dns in $DNSCHECK_DNS; do - pingtest 4 $dns && dnstest $dns && { + pingtest 4 "$dns" && dnstest "$dns" && { PUBDNS=$dns return 0 } done return 1 } -lookup4() -{ +lookup4() { # $1 - domain # $2 - DNS case "$LOOKUP" in - nslookup) - if is_linked_to_busybox nslookup; then - nslookup $1 $2 2>/dev/null | sed -e '1,3d' -nre 's/^.*:[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p' - else - nslookup $1 $2 2>/dev/null | sed -e '1,3d' -nre 's/^[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p' - fi - ;; - host) - host -t A $1 $2 | grep "has address" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' - ;; + nslookup) + if is_linked_to_busybox nslookup; then + nslookup "$1" "$2" 2>/dev/null | sed -e '1,3d' -nre 's/^.*:[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p' + else + nslookup "$1" "$2" 2>/dev/null | sed -e '1,3d' -nre 's/^[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p' + fi + ;; + host) + host -t A "$1" "$2" | grep "has address" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' + ;; esac } -check_dns_spoof() -{ +check_dns_spoof() { # $1 - domain # $2 - public DNS - # windows version of mdig outputs 0D0A line ending. remove 0D. - echo $1 | "$MDIG" --family=4 | tr -d '\r' >"$DNSCHECK_DIG1" - lookup4 $1 $2 >"$DNSCHECK_DIG2" + # Windows version of mdig outputs 0D0A line ending. remove 0D. + echo "$1" | "$MDIG" --family=4 | tr -d '\r' >"$DNSCHECK_DIG1" + lookup4 "$1" "$2" >"$DNSCHECK_DIG2" # check whether system resolver returns anything other than public DNS grep -qvFf "$DNSCHECK_DIG2" "$DNSCHECK_DIG1" } -check_dns_cleanup() -{ +check_dns_cleanup() { rm -f "$DNSCHECK_DIG1" "$DNSCHECK_DIG2" "$DNSCHECK_DIGS" 2>/dev/null } -check_dns() -{ +check_dns() { local C1 C2 dom echo \* checking DNS 
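Review bot: `"$LOOKUP" w3.org "$1"` in dnstest now passes an empty string as the server operand whenever the function is called without one, which is how check_dns tests the system resolver (`dnstest ||` with no arguments in the next hunk); before this change the unquoted `$1` expanded to nothing. Whether nslookup or host tolerates an empty server operand is not visible here, but an implementation that treats `""` as a server name will fail, and check_dns would then report "DNS is not working" on a healthy system. Use `"$LOOKUP" w3.org ${1:+"$1"} >/dev/null 2>/dev/null` so the argument is only present when non-empty. lookup4 is unaffected because its `$2` is always the public DNS found by find_working_public_dns.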
@@ -1705,54 +1628,54 @@ check_dns() [ -f "$DNSCHECK_DIGS" ] && rm -f "$DNSCHECK_DIGS" dnstest || { - echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access. + echo "-- DNS is not working. It's either misconfigured or blocked or you don't have inet access." return 1 } echo system DNS is working - if find_working_public_dns ; then - echo comparing system resolver to public DNS : $PUBDNS + if find_working_public_dns; then + echo comparing system resolver to public DNS: "$PUBDNS" for dom in $DNSCHECK_DOM; do - if check_dns_spoof $dom $PUBDNS ; then - echo $dom : MISMATCH - echo -- system resolver : + if check_dns_spoof "$dom" "$PUBDNS"; then + echo "$dom": MISMATCH + echo -- system resolver: cat "$DNSCHECK_DIG1" - echo -- $PUBDNS : + echo -- "$PUBDNS": cat "$DNSCHECK_DIG2" check_dns_cleanup echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!! echo -- DNS CHANGE OR DNSCRYPT MAY BE REQUIRED return 1 else - echo $dom : OK + echo "$dom": OK cat "$DNSCHECK_DIG1" >>"$DNSCHECK_DIGS" fi done else echo no working public DNS was found. looks like public DNS blocked. - for dom in $DNSCHECK_DOM; do echo $dom; done | "$MDIG" --threads=10 --family=4 >"$DNSCHECK_DIGS" + for dom in $DNSCHECK_DOM; do echo "$dom"; done | "$MDIG" --threads=10 --family=4 >"$DNSCHECK_DIGS" fi - echo checking resolved IP uniqueness for : $DNSCHECK_DOM + echo checking resolved IP uniqueness for: "$DNSCHECK_DOM" echo censor\'s DNS can return equal result for multiple blocked domains. C1=$(wc -l <"$DNSCHECK_DIGS") C2=$(sort -u "$DNSCHECK_DIGS" | wc -l) [ "$C1" -eq 0 ] && - { - echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access. - check_dns_cleanup - return 1 - } + { + echo "-- DNS is not working. It's either misconfigured or blocked or you don't have inet access." 
+ check_dns_cleanup + return 1 + } [ "$C1" = "$C2" ] || - { - echo system dns resolver has returned equal IPs for some domains checked above \($C1 total, $C2 unique\) - echo non-unique IPs : - sort "$DNSCHECK_DIGS" | uniq -d - echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!! - echo -- DNSCRYPT MAY BE REQUIRED - check_dns_cleanup - return 1 - } + { + echo system DNS resolver has returned equal IPs for some domains checked above \("$C1" total, "$C2" unique\) + echo non-unique IPs: + sort "$DNSCHECK_DIGS" | uniq -d + echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!! + echo -- DNSCRYPT MAY BE REQUIRED + check_dns_cleanup + return 1 + } echo all resolved IPs are unique echo -- DNS looks good echo -- NOTE this check is Russia targeted. In your country other domains may be blocked. @@ -1760,9 +1683,7 @@ check_dns() return 0 } - -unprepare_all() -{ +unprepare_all() { # make sure we are not in a middle state that impacts connectivity rm -f "$HDRTEMP" [ -n "$IPV" ] && { @@ -1773,20 +1694,17 @@ unprepare_all() ws_kill cleanup } -sigint() -{ +sigint() { echo echo terminating... unprepare_all exitp 1 } -sigint_cleanup() -{ +sigint_cleanup() { cleanup exit 1 } -sigsilent() -{ +sigsilent() { # must not write anything here to stdout unprepare_all exit 1 
@@ -1813,13 +1731,13 @@ for dom in $DOMAINS; do for IPV in $IPVS; do configure_ip_version [ "$ENABLE_HTTP" = 1 ] && { - check_domain_port_block $dom $HTTP_PORT - check_domain_http $dom + check_domain_port_block "$dom" "$HTTP_PORT" + check_domain_http "$dom" } - [ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_port_block $dom $HTTPS_PORT - [ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $dom - [ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $dom - [ "$ENABLE_HTTP3" = 1 ] && check_domain_http3 $dom + [ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_port_block "$dom" "$HTTPS_PORT" + [ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 "$dom" + [ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 "$dom" + [ "$ENABLE_HTTP3" = 1 ] && check_domain_http3 "$dom" done done trap - HUP diff --git a/common/base.sh b/common/base.sh index cdfc7d9..a30bf7b 100644 --- a/common/base.sh +++ b/common/base.sh @@ -1,42 +1,36 @@ -which() -{ +which() { # on some systems 'which' command is considered deprecated and not installed by default # 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present # $1 - executable name local IFS=: for p in $PATH; do - [ -x "$p/$1" ] && { - echo "$p/$1" - return 0 - } + [ -x "$p/$1" ] && { + echo "$p/$1" + return 0 + } done return 1 } -exists() -{ +exists() { which "$1" >/dev/null 2>/dev/null } -existf() -{ +existf() { type "$1" >/dev/null 2>/dev/null } -whichq() -{ - which $1 2>/dev/null +whichq() { + which "$1" 2>/dev/null } -exist_all() -{ +exist_all() { while [ -n "$1" ]; do exists "$1" || return 1 shift done return 0 } -on_off_function() -{ - # $1 : function name on - # $2 : function name off - # $3 : 0 - off, 1 - on +on_off_function() { + # $1: function name on + # $2: function name off + # $3: 0 - off, 1 - on local F="$1" [ "$3" = "1" ] || F="$2" shift 
@@ -44,24 +38,21 @@ on_off_function() shift "$F" "$@" } -contains() -{ +contains() { # check if substring $2 contains in $1 [ "${1#*$2}" != "$1" ] } -starts_with() -{ - # $1 : what - # $2 : starts with +starts_with() { + # $1: what + # $2: starts with case "$1" in - "$2"*) - return 0 - ;; + "$2"*) + return 0 + ;; esac return 1 } -find_str_in_list() -{ +find_str_in_list() { [ -n "$1" ] && { for v in $2; do [ "$v" = "$1" ] && return 0 @@ -69,14 +60,12 @@ find_str_in_list() } return 1 } -end_with_newline() -{ +end_with_newline() { local c="$(tail -c 1)" [ "$c" = "" ] } -append_separator_list() -{ +append_separator_list() { # $1 - var name to receive result # $2 - separator # $3 - quoter 
@@ -84,113 +73,102 @@ append_separator_list() local _var="$1" sep="$2" quo="$3" i eval i="\$$_var" - shift; shift; shift + shift + shift + shift while [ -n "$1" ]; do - if [ -n "$i" ] ; then + if [ -n "$i" ]; then i="$i$sep$quo$1$quo" else i="$quo$1$quo" fi shift done - eval $_var="\$i" + eval "$_var"="\$i" } -make_separator_list() -{ - eval $1='' +make_separator_list() { + eval "$1"='' append_separator_list "$@" } -make_comma_list() -{ +make_comma_list() { # $1 - var name to receive result # $2,$3,... - elements local var="$1" shift - make_separator_list $var , '' "$@" + make_separator_list "$var" , '' "$@" } -make_quoted_comma_list() -{ +make_quoted_comma_list() { # $1 - var name to receive result # $2,$3,... - elements local var="$1" shift - make_separator_list $var , '"' "$@" + make_separator_list "$var" , '"' "$@" } -unique() -{ +unique() { local i - for i in "$@"; do echo $i; done | sort -u | xargs + for i in "$@"; do echo "$i"; done | sort -u | xargs } -is_linked_to_busybox() -{ +is_linked_to_busybox() { local IFS F P - + IFS=: for path in $PATH; do F=$path/$1 - P="$(readlink $F)" - if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi + P="$(readlink "$F")" + if [ -z "$P" ] && [ -x "$F" ] && [ ! 
-L "$F" ]; then return 1; fi [ "${P%busybox*}" != "$P" ] && return done } -get_dir_inode() -{ +get_dir_inode() { local dir="$1" [ -L "$dir" ] && dir=$(readlink "$dir") ls -id "$dir" | awk '{print $1}' } -linux_min_version() -{ +linux_min_version() { # $1 - major ver # $2 - minor ver local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version) local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version) [ -n "$V1" -a -n "$V2" ] && [ "$V1" -gt "$1" -o "$V1" -eq "$1" -a "$V2" -ge "$2" ] } -linux_get_subsys() -{ +linux_get_subsys() { local INIT="$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)" [ -L "$INIT" ] && INIT=$(readlink "$INIT") INIT="$(basename "$INIT")" - if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ] ; then + if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ]; then SUBSYS=openwrt - elif [ -x "/bin/ndm" ] ; then + elif [ -x "/bin/ndm" ]; then SUBSYS=keenetic else # generic linux SUBSYS= fi } -openwrt_fw3() -{ +openwrt_fw3() { [ ! -x /sbin/fw4 -a -x /sbin/fw3 ] } -openwrt_fw4() -{ +openwrt_fw4() { [ -x /sbin/fw4 ] } -openwrt_fw3_integration() -{ +openwrt_fw3_integration() { [ "$FWTYPE" = iptables ] && openwrt_fw3 } -create_dev_stdin() -{ +create_dev_stdin() { [ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin } -call_for_multiple_items() -{ +call_for_multiple_items() { # $1 - function to get an item # $2 - variable name to put result into # $3 - space separated parameters to function $1 local i item items for i in $3; do - $1 item $i + $1 item "$i" [ -n "$item" ] && { if [ -n "$items" ]; then items="$items $item" 
@@ -199,91 +177,85 @@ call_for_multiple_items() fi } done - eval $2=\"$items\" + eval "$2"=\""$items"\" } -fix_sbin_path() -{ +fix_sbin_path() { local IFS=':' - printf "%s\n" $PATH | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH" - printf "%s\n" $PATH | grep -Fxq '/sbin' || PATH="/sbin:$PATH" + printf "%s\n" "$PATH" | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH" + printf "%s\n" "$PATH" | grep -Fxq '/sbin' || PATH="/sbin:$PATH" export PATH } # it can calculate floating point expr -calc() -{ - awk "BEGIN { print $*}"; +calc() { + awk "BEGIN { print $*}" } -fsleep_setup() -{ - [ -n "$FSLEEP" ] || { - if sleep 0.001 2>/dev/null; then - FSLEEP=1 - elif busybox usleep 1 2>/dev/null; then - FSLEEP=2 - else - local errtext="$(read -t 0.001 2>&1)" - if [ -z "$errtext" ]; then - FSLEEP=3 - # newer openwrt has ucode with system function that supports timeout in ms - elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then - FSLEEP=4 - # older openwrt may have lua and nixio lua module - elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null ; then - FSLEEP=5 +fsleep_setup() { + [ -n "$FSLEEP" ] || { + if sleep 0.001 2>/dev/null; then + FSLEEP=1 + elif busybox usleep 1 2>/dev/null; then + FSLEEP=2 else - FSLEEP=0 + local errtext="$(read -t 0.001 2>&1)" + if [ -z "$errtext" ]; then + FSLEEP=3 + # newer OpenWrt has ucode with system function that supports timeout in ms + elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then + FSLEEP=4 + # older OpenWrt may have lua and nixio lua module + elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null; then + FSLEEP=5 + else + FSLEEP=0 + fi fi - fi - } + } } -msleep() -{ - # $1 - milliseconds - case "$FSLEEP" in +msleep() { + # $1 - milliseconds + case "$FSLEEP" in 1) - sleep $(calc $1/1000) + sleep $(calc "$1"/1000) ;; 2) - busybox usleep $(calc $1*1000) + busybox usleep $(calc "$1"*1000) ;; 3) - read -t $(calc $1/1000) + read -t $(calc "$1"/1000) ;; 4) ucode -e "system(['sleep','2147483647'], $1)" ;; 5) - lua -e "require 
'nixio'.nanosleep($(($1/1000)),$(calc $1%1000*1000000))" + lua -e "require 'nixio'.nanosleep($(($1 / 1000)),$(calc "$1"%1000*1000000))" ;; - *) - sleep $((($1+999)/1000)) - esac + *) + sleep $((($1 + 999) / 1000)) + ;; + esac } -minsleep() -{ +minsleep() { msleep 100 } -replace_char() -{ +replace_char() { local a=$1 local b=$2 - shift; shift - echo "$@" | tr $a $b + shift + shift + echo "$@" | tr "$a" "$b" } -setup_md5() -{ +setup_md5() { [ -n "$MD5" ] && return MD5=md5sum exists $MD5 || MD5=md5 } -random() -{ +random() { # $1 - min, $2 - max local r rs setup_md5 @@ -293,12 +265,11 @@ random() rs="$RANDOM$RANDOM$(date)" fi # shells use signed int64 - r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17) - echo $(( ($r % ($2-$1+1)) + $1 )) + r=1$(echo "$rs" | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17) + echo $((($r % ($2 - $1 + 1)) + $1)) } -shell_name() -{ +shell_name() { [ -n "$SHELL_NAME" ] || { [ -n "$UNAME" ] || UNAME="$(uname)" @@ -313,12 +284,11 @@ shell_name() } } -std_ports() -{ - HTTP_PORTS=${HTTP_PORTS:-80} +std_ports() { + HTTP_PORTS=${HTTP_PORTS:-80} HTTPS_PORTS=${HTTPS_PORTS:-443} QUIC_PORTS=${QUIC_PORTS:-443} - HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS) - HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS) - QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS) + HTTP_PORTS_IPT=$(replace_char - : "$HTTP_PORTS") + HTTPS_PORTS_IPT=$(replace_char - : "$HTTPS_PORTS") + QUIC_PORTS_IPT=$(replace_char - : "$QUIC_PORTS") } diff --git a/common/dialog.sh b/common/dialog.sh index 0cb3890..47ef500 100644 --- a/common/dialog.sh +++ b/common/dialog.sh 
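Review bot: Quoting `"$PATH"` in fix_sbin_path inverts the function's logic: the preceding `local IFS=':'` exists so that the unquoted `$PATH` is split into one directory per word and printf emits one per line, letting `grep -Fxq '/usr/sbin'` match a whole entry; with `"$PATH"` the entire value is one line, the fixed-string whole-line match can only succeed when PATH is exactly `/usr/sbin`, and both prefixes are prepended on every call. Either keep the split (`printf "%s\n" $PATH | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"` with `# shellcheck disable=SC2086 -- split on IFS=':' on purpose`) or drop the IFS trick and use `case ":$PATH:" in *:/usr/sbin:*) ;; *) PATH="/usr/sbin:$PATH" ;; esac`. Separately, `eval "$2"=\""$items"\"` in call_for_multiple_items still re-parses the expanded item text through eval, so a `$`, backquote or `"` inside an item is executed rather than stored; the form already used by append_separator_list earlier in this file, `eval "$2=\$items"`, assigns without re-parsing, and the same correction applies to `eval "$2"=\""$v"\"` in parse_var_checked in common/installer.sh, where the value is read from a config file.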
@@ -1,36 +1,32 @@ -read_yes_no() -{ +read_yes_no() { # $1 - default (Y/N) local A read A [ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1 [ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ] } -ask_yes_no() -{ +ask_yes_no() { # $1 - default (Y/N or 0/1) # $2 - text local DEFAULT=$1 [ "$1" = "1" ] && DEFAULT=Y [ "$1" = "0" ] && DEFAULT=N [ -z "$DEFAULT" ] && DEFAULT=N - printf "$2 (default : $DEFAULT) (Y/N) ? " - read_yes_no $DEFAULT + printf "$2 (default: $DEFAULT) (Y/N)?" + read_yes_no "$DEFAULT" } -ask_yes_no_var() -{ - # $1 - variable name for answer : 0/1 +ask_yes_no_var() { + # $1 - variable name for answer: 0/1 # $2 - text local DEFAULT eval DEFAULT="\$$1" if ask_yes_no "$DEFAULT" "$2"; then - eval $1=1 + eval "$1"=1 else - eval $1=0 + eval "$1"=0 fi } -ask_list() -{ +ask_list() { # $1 - mode var # $2 - space separated value list # $3 - (optional) default value @@ -39,20 +35,20 @@ ask_list() local M_ALL=$M_DEFAULT local M="" local m - - [ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;} - + + [ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3"; } + n=1 for m in $2; do - echo $n : $m - n=$(($n+1)) + echo $n: "$m" + n=$(($n + 1)) done printf "your choice (default : $M_DEFAULT) : " read m - [ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null) + [ -n "$m" ] && M=$(echo "$2" | cut -d ' ' -f"$m" 2>/dev/null) [ -z "$M" ] && M="$M_DEFAULT" - echo selected : $M - eval $1="\"$M\"" - + echo selected: "$M" + eval "$1"="\"$M\"" + [ "$M" != "$M_OLD" ] } diff --git a/common/elevate.sh b/common/elevate.sh index 65e8dc9..c28863a 100644 --- a/common/elevate.sh +++ b/common/elevate.sh @@ -1,5 +1,4 @@ -require_root() -{ +require_root() { local exe echo \* checking privileges [ $(id -u) -ne "0" ] && { diff --git a/common/fwtype.sh b/common/fwtype.sh index 61390bb..de8b323 100644 --- a/common/fwtype.sh +++ b/common/fwtype.sh 
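Review bot: The edited prompt in ask_yes_no still uses caller text as the printf format string, `printf "$2 (default: $DEFAULT) (Y/N)?"`, so any `%` or backslash sequence in the question is interpreted rather than printed, and the edit also drops the trailing space so the cursor now sits directly after `?`. Pass the text as an argument instead: `printf '%s (default: %s) (Y/N) ? ' "$2" "$DEFAULT"`. The `read A` in read_yes_no in this hunk is still without `-r`, so a backslash in the answer is consumed; `read -r A` is the safe form and costs nothing here.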
@@ -1,25 +1,21 @@ -linux_ipt_avail() -{ +linux_ipt_avail() { exists iptables && exists ip6tables } -linux_maybe_iptables_fwtype() -{ +linux_maybe_iptables_fwtype() { linux_ipt_avail && FWTYPE=iptables } -linux_nft_avail() -{ +linux_nft_avail() { exists nft } -linux_fwtype() -{ +linux_fwtype() { [ -n "$FWTYPE" ] && return FWTYPE=unsupported linux_get_subsys - if [ "$SUBSYS" = openwrt ] ; then - # linux kernel is new enough if fw4 is there - if [ -x /sbin/fw4 ] && linux_nft_avail ; then + if [ "$SUBSYS" = openwrt ]; then + # Linux kernel is new enough if fw4 is there + if [ -x /sbin/fw4 ] && linux_nft_avail; then FWTYPE=nftables else linux_maybe_iptables_fwtype @@ -38,26 +34,25 @@ linux_fwtype() export FWTYPE } -get_fwtype() -{ +get_fwtype() { [ -n "$FWTYPE" ] && return local UNAME="$(uname)" case "$UNAME" in - Linux) - linux_fwtype - ;; - FreeBSD) - if exists ipfw ; then - FWTYPE=ipfw - else - FWTYPE=unsupported - fi - ;; - *) + Linux) + linux_fwtype + ;; + FreeBSD) + if exists ipfw; then + FWTYPE=ipfw + else FWTYPE=unsupported - ;; + fi + ;; + *) + FWTYPE=unsupported + ;; esac export FWTYPE diff --git a/common/installer.sh b/common/installer.sh index a09c846..01c4b7f 100644 --- a/common/installer.sh +++ b/common/installer.sh @@ -6,36 +6,31 @@ SYSTEMD_DIR=/lib/systemd INIT_SCRIPT=/etc/init.d/zapret - -exitp() -{ +exitp() { echo echo press enter to continue read A - exit $1 + exit "$1" } -parse_var_checked() -{ +parse_var_checked() { # $1 - file name # $2 - var name local sed="sed -nre s/^[[:space:]]*$2=[\\\"|\']?([^\\\"|\']*)[\\\"|\']?/\1/p" local v="$($sed <"$1" | tail -n 1)" - eval $2=\"$v\" + eval "$2"=\""$v"\" } -parse_vars_checked() -{ +parse_vars_checked() { # $1 - file name # $2,$3,... - var names local f="$1" shift while [ -n "$1" ]; do - parse_var_checked "$f" $1 + parse_var_checked "$f" "$1" shift - done + done } -edit_file() -{ +edit_file() { # $1 - file name local ed="$EDITOR" [ -n "$ed" ] || { 
@@ -48,8 +43,7 @@ edit_file() } [ -n "$ed" ] && "$ed" "$1" } -edit_vars() -{ +edit_vars() { # $1,$2,... - var names local n=1 var v tmp="/tmp/zvars" rm -f "$tmp" @@ -57,21 +51,19 @@ edit_vars() eval var="\$$n" [ -n "$var" ] || break eval v="\$$var" - echo $var=\"$v\" >>"$tmp" - n=$(($n+1)) + echo "$var"=\""$v"\" >>"$tmp" + n=$(($n + 1)) done edit_file "$tmp" && parse_vars_checked "$tmp" "$@" rm -f "$tmp" } -openrc_test() -{ +openrc_test() { exists rc-update || return 1 # some systems do not usse openrc-init but launch openrc from inittab [ "$INIT" = "openrc-init" ] || grep -qE "sysinit.*openrc" /etc/inittab 2>/dev/null } -check_system() -{ +check_system() { # $1 - nonempty = do not fail on unknown rc system echo \* checking system @@ -93,21 +85,21 @@ check_system() # some distros include systemctl without systemd if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then SYSTEM=systemd - elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then - { - SYSTEM=openwrt - if openwrt_fw3 ; then - OPENWRT_FW3=1 - info="openwrt firewall uses fw3" - if is_ipt_flow_offload_avail; then - info="$info. hardware flow offloading requires iptables." - else - info="$info. flow offloading unavailable." + elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ]; then + { + SYSTEM=openwrt + if openwrt_fw3; then + OPENWRT_FW3=1 + info="openwrt firewall uses fw3" + if is_ipt_flow_offload_avail; then + info="$info. hardware flow offloading requires iptables." + else + info="$info. flow offloading unavailable." + fi + elif openwrt_fw4; then + info="openwrt firewall uses fw4. flow offloading requires nftables." fi - elif openwrt_fw4; then - info="openwrt firewall uses fw4. flow offloading requires nftables." - fi - } + } elif openrc_test; then SYSTEM=openrc else 
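Review bot: `eval "$2"=\""$v"\"` in parse_var_checked still evaluates the value read from the file as shell source: eval concatenates and re-parses, so the added quotes do not stop a `$(…)` or backtick inside a config line from being executed (the extraction regex excludes quote characters, not `$` or parentheses). `eval "$2=\$v"` assigns the value verbatim and resolves the ShellCheck warning without pretending to sanitize. The pattern in `local sed=…` contains `[\\\"|\']`, where `|` is a literal member of the bracket expression rather than an alternation — presumably unintentional but harmless, and a comment saying the regex strips one layer of surrounding quotes would help the next reader.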
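Review bot: The line `echo "$var"=\""$v"\" >>"$tmp"` in edit_vars appends to the fixed path `/tmp/zvars` (set in the preceding hunk as `local n=1 var v tmp="/tmp/zvars"`), and the installer expects to run as root (require_root in elevate.sh), so a symlink pre-planted at that name by any local user redirects the write, and `parse_vars_checked "$tmp"` afterwards evals whatever is read back. Create the file with `tmp=$(mktemp) || return 1` instead of a hard-coded name and keep the existing `rm -f "$tmp"` cleanup; the `rm -f "$tmp"` before the first append does not close the race. This is pre-existing rather than introduced by the reformat, but the pass touched exactly these lines.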
@@ -115,9 +107,9 @@ check_system() echo easy installer can set up config settings but can\'t configure auto start echo you have to do it manually. check readme.txt for manual setup info. if [ -n "$1" ] || ask_yes_no N "do you want to continue"; then - SYSTEM=linux + SYSTEM=linux else - exitp 5 + exitp 5 fi fi linux_get_subsys @@ -128,25 +120,21 @@ check_system() exitp 5 fi echo system is based on $SYSTEM - [ -n "$info" ] && echo $info + [ -n "$info" ] && echo "$info" } -get_free_space_mb() -{ - df -m $PWD | awk '/[0-9]%/{print $(NF-2)}' +get_free_space_mb() { + df -m "$PWD" | awk '/[0-9]%/{print $(NF-2)}' } -get_ram_kb() -{ - grep MemTotal /proc/meminfo | awk '{print $2}' +get_ram_kb() { + grep MemTotal /proc/meminfo | awk '{print $2}' } -get_ram_mb() -{ - local R=$(get_ram_kb) - echo $(($R/1024)) +get_ram_mb() { + local R=$(get_ram_kb) + echo $(($R / 1024)) } -crontab_del() -{ +crontab_del() { exists crontab || return echo \* removing crontab entry @@ -162,8 +150,7 @@ crontab_del() fi rm -f $CRONTMP } -crontab_del_quiet() -{ +crontab_del_quiet() { exists crontab || return CRONTMP=/tmp/cron.tmp @@ -175,11 +162,10 @@ crontab_del_quiet() fi rm -f $CRONTMP } -crontab_add() -{ +crontab_add() { # $1 - hour min # $2 - hour max - [ -x "$GET_LIST" ] && { + [ -x "$GET_LIST" ] && { echo \* adding crontab entry if exists crontab; then @@ -190,7 +176,7 @@ crontab_add() grep "$GET_LIST_PREFIX" $CRONTMP else end_with_newline <"$CRONTMP" || echo >>"$CRONTMP" - echo "$(random 0 59) $(random $1 $2) */2 * * $GET_LIST" >>$CRONTMP + echo "$(random 0 59) $(random "$1" "$2") */2 * * $GET_LIST" >>$CRONTMP crontab $CRONTMP fi rm -f $CRONTMP 
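Review bot: The edited crontab line still redirects to `>>$CRONTMP` and then runs `crontab $CRONTMP` unquoted, while the line just above it already uses `"$CRONTMP"`; for a pass whose purpose is quoting these should be `>>"$CRONTMP"` and `crontab "$CRONTMP"`. The quoting also does not address that `$GET_LIST` is written into the cron entry verbatim, so an install path containing whitespace yields a broken crontab line — pre-existing, and probably acceptable, but worth a comment. CRONTMP's assignment for crontab_add falls between the two hunks and is not visible here; where it is visible (crontab_del_quiet) it is the fixed `/tmp/cron.tmp`, so the same predictable-temp-file concern as the other /tmp writers in this file applies.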
@@ -199,18 +185,15 @@ crontab_add() fi } } -cron_ensure_running() -{ - # if no crontabs present in /etc/cron openwrt init script does not launch crond. this is default +cron_ensure_running() { + # if no crontabs present in /etc/cron OpenWrt init script does not launch crond. this is default [ "$SYSTEM" = "openwrt" ] && { /etc/init.d/cron enable /etc/init.d/cron start } } - -service_start_systemd() -{ +service_start_systemd() { echo \* starting zapret service "$SYSTEMCTL" start zapret || { @@ -218,23 +201,20 @@ service_start_systemd() exitp 30 } } -service_stop_systemd() -{ +service_stop_systemd() { echo \* stopping zapret service "$SYSTEMCTL" daemon-reload "$SYSTEMCTL" disable zapret "$SYSTEMCTL" stop zapret } -service_remove_systemd() -{ +service_remove_systemd() { echo \* removing zapret service rm -f "$SYSTEMD_SYSTEM_DIR/zapret.service" "$SYSTEMCTL" daemon-reload } -timer_remove_systemd() -{ +timer_remove_systemd() { echo \* removing zapret-list-update timer "$SYSTEMCTL" daemon-reload @@ -244,8 +224,7 @@ timer_remove_systemd() "$SYSTEMCTL" daemon-reload } -install_sysv_init() -{ +install_sysv_init() { # $1 - "0"=disable echo \* installing init script @@ -256,8 +235,7 @@ install_sysv_init() ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT" [ "$1" != "0" ] && "$INIT_SCRIPT" enable } -install_openrc_init() -{ +install_openrc_init() { # $1 - "0"=disable echo \* installing init script @@ -268,8 +246,7 @@ install_openrc_init() ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT" [ "$1" != "0" ] && rc-update add zapret } -service_remove_openrc() -{ +service_remove_openrc() { echo \* removing zapret service [ -x "$INIT_SCRIPT" ] && { @@ -278,8 +255,7 @@ service_remove_openrc() } rm -f "$INIT_SCRIPT" } -service_start_sysv() -{ +service_start_sysv() { [ -x "$INIT_SCRIPT" ] && { echo \* starting zapret service "$INIT_SCRIPT" start || { 
@@ -288,15 +264,13 @@ service_start_sysv() } } } -service_stop_sysv() -{ +service_stop_sysv() { [ -x "$INIT_SCRIPT" ] && { echo \* stopping zapret service "$INIT_SCRIPT" stop } } -service_remove_sysv() -{ +service_remove_sysv() { echo \* removing zapret service [ -x "$INIT_SCRIPT" ] && { 
@@ -306,104 +280,91 @@ service_remove_sysv() rm -f "$INIT_SCRIPT" } -check_kmod() -{ +check_kmod() { [ -f "/lib/modules/$(uname -r)/$1.ko" ] } -check_package_exists_openwrt() -{ - [ -n "$(opkg list $1)" ] +check_package_exists_openwrt() { + [ -n "$(opkg list "$1")" ] } -check_package_openwrt() -{ - [ -n "$(opkg list-installed $1)" ] && return 0 - local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)" +check_package_openwrt() { + [ -n "$(opkg list-installed "$1")" ] && return 0 + local what="$(opkg whatprovides "$1" | tail -n +2 | head -n 1)" [ -n "$what" ] || return 1 - [ -n "$(opkg list-installed $what)" ] + [ -n "$(opkg list-installed "$what")" ] } -check_packages_openwrt() -{ +check_packages_openwrt() { for pkg in $@; do - check_package_openwrt $pkg || return + check_package_openwrt "$pkg" || return done } -install_openwrt_iface_hook() -{ +install_openwrt_iface_hook() { echo \* installing ifup hook - + ln -fs "$OPENWRT_IFACE_HOOK" /etc/hotplug.d/iface } -remove_openwrt_iface_hook() -{ +remove_openwrt_iface_hook() { echo \* removing ifup hook - + rm -f /etc/hotplug.d/iface/??-zapret } -openwrt_fw_section_find() -{ +openwrt_fw_section_find() { # $1 - fw include postfix # echoes section number - + i=0 - while true - do + while true; do path=$(uci -q get firewall.@include[$i].path) [ -n "$path" ] || break [ "$path" = "$OPENWRT_FW_INCLUDE$1" ] && { - echo $i - return 0 + echo $i + return 0 } - i=$(($i+1)) + i=$(($i + 1)) done return 1 } -openwrt_fw_section_del() -{ +openwrt_fw_section_del() { # $1 - fw include postfix - local id="$(openwrt_fw_section_find $1)" + local id="$(openwrt_fw_section_find "$1")" [ -n "$id" ] && { - uci delete firewall.@include[$id] && uci commit firewall + uci delete firewall.@include["$id"] && uci commit firewall rm -f "$OPENWRT_FW_INCLUDE$1" } } -openwrt_fw_section_add() -{ +openwrt_fw_section_add() { openwrt_fw_section_find || - { - uci add firewall include >/dev/null || return - echo -1 - } + { + uci add firewall include 
>/dev/null || return + echo -1 + } } -openwrt_fw_section_configure() -{ - local id="$(openwrt_fw_section_add $1)" +openwrt_fw_section_configure() { + local id="$(openwrt_fw_section_add "$1")" [ -z "$id" ] || - ! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE" || - ! uci set firewall.@include[$id].reload="1" || - ! uci commit firewall && - { - echo could not add firewall include - exitp 50 - } + ! uci set firewall.@include["$id"].path="$OPENWRT_FW_INCLUDE" || + ! uci set firewall.@include["$id"].reload="1" || + ! uci commit firewall && + { + echo could not add firewall include + exitp 50 + } } -install_openwrt_firewall() -{ - echo \* installing firewall script $1 - +install_openwrt_firewall() { + echo \* installing firewall script "$1" + [ -n "MODE" ] || { - echo should specify MODE in $ZAPRET_CONFIG + echo should specify MODE in "$ZAPRET_CONFIG" exitp 7 } - - echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE" + + echo "linking: $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE" ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE" - - openwrt_fw_section_configure $1 + + openwrt_fw_section_configure "$1" } -restart_openwrt_firewall() -{ +restart_openwrt_firewall() { echo \* restarting firewall local FW=fw4 
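Review bot: `[ -n "MODE" ] || { echo should specify MODE in "$ZAPRET_CONFIG"; exitp 7; }` in install_openwrt_firewall tests the literal string `MODE`, which is never empty, so the guard can never fire; it should read `[ -n "$MODE" ] || {`. The reformat touched the lines on both sides of it without fixing it, and ShellCheck reports it as SC2050. In the same hunk check_packages_openwrt keeps `for pkg in $@` unquoted — which is now load-bearing, because the caller in a later hunk passes the whole list as a single word — so a `# shellcheck disable=SC2068 -- callers pass a space-separated list` comment would record that the splitting is intended.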
@@ -413,52 +374,44 @@ restart_openwrt_firewall() exitp 30 } } -remove_openwrt_firewall() -{ +remove_openwrt_firewall() { echo \* removing firewall script - + openwrt_fw_section_del # from old zapret versions. now we use single include openwrt_fw_section_del 6 } -clear_ipset() -{ +clear_ipset() { echo "* clearing ipset(s)" # free some RAM "$IPSET_DIR/create_ipset.sh" clear } - -service_install_macos() -{ +service_install_macos() { echo \* installing zapret service ln -fs "$ZAPRET_BASE/init.d/macos/zapret.plist" /Library/LaunchDaemons } -service_start_macos() -{ +service_start_macos() { echo \* starting zapret service "$INIT_SCRIPT_SRC" start } -service_stop_macos() -{ +service_stop_macos() { echo \* stopping zapret service "$INIT_SCRIPT_SRC" stop } -service_remove_macos() -{ +service_remove_macos() { echo \* removing zapret service rm -f /Library/LaunchDaemons/zapret.plist zapret_stop_daemons } -remove_macos_firewall() -{ +remove_macos_firewall() { echo \* removing zapret PF hooks pf_anchors_clear @@ -467,9 +420,8 @@ remove_macos_firewall() pf_anchor_root_reload } -sedi() -{ - # MacOS doesnt support -i without parameter. busybox doesnt support -i with parameter. +sedi() { + # macOS doesnt support -i without parameter. busybox doesnt support -i with parameter. # its not possible to put "sed -i ''" to a variable and then use it if [ "$SYSTEM" = "macos" ]; then sed -i '' "$@" @@ -478,8 +430,7 @@ sedi() fi } -write_config_var() -{ +write_config_var() { # $1 - mode var local M eval M="\$$1" @@ -487,7 +438,7 @@ write_config_var() if grep -q "^$1=\|^#$1=" "$ZAPRET_CONFIG"; then # replace / => \/ #M=${M//\//\\\/} - M=$(echo $M | sed 's/\//\\\//g') + M=$(echo "$M" | sed 's/\//\\\//g') if [ -n "$M" ]; then if contains "$M" " "; then sedi -Ee "s/^#?$1=.*$/$1=\"$M\"/" "$ZAPRET_CONFIG" 
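Review bot: `M=$(echo "$M" | sed 's/\//\\\//g')` in write_config_var escapes only `/` before `$M` is spliced into the sed replacement `s/^#?$1=.*$/$1=\"$M\"/`, so a value containing `&` is replaced by the matched line and a trailing or paired `\` alters the sed expression; option strings with backslash escapes are plausible values here. Escaping all three replacement metacharacters, `M=$(printf '%s\n' "$M" | sed 's/[\/&\\]/\\&/g')`, keeps the rewrite literal (printf also avoids echo mangling a value that begins with `-`). The rest of write_config_var lies outside this hunk.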
@@ -508,37 +459,36 @@ write_config_var() fi } -check_prerequisites_linux() -{ +check_prerequisites_linux() { echo \* checking prerequisites local s cmd PKGS UTILS req="curl curl" case "$FWTYPE" in - iptables) - req="$req iptables iptables ip6tables iptables ipset ipset" - ;; - nftables) - req="$req nft nftables" - ;; + iptables) + req="$req iptables iptables ip6tables iptables ipset ipset" + ;; + nftables) + req="$req nft nftables" + ;; esac - PKGS=$(for s in $req; do echo $s; done | + PKGS=$(for s in $req; do echo "$s"; done | while read cmd; do read pkg - exists $cmd || echo $pkg + exists "$cmd" || echo "$pkg" done | sort -u | xargs) - UTILS=$(for s in $req; do echo $s; done | + UTILS=$(for s in $req; do echo "$s"; done | while read cmd; do read pkg - echo $cmd + echo "$cmd" done | sort -u | xargs) - if [ -z "$PKGS" ] ; then - echo required utilities exist : $UTILS + if [ -z "$PKGS" ]; then + echo required utilities exist: "$UTILS" else echo \* installing prerequisites - echo packages required : $PKGS + echo packages required: "$PKGS" APTGET=$(whichq apt-get) YUM=$(whichq yum) 
@@ -546,78 +496,77 @@ check_prerequisites_linux() ZYPPER=$(whichq zypper) EOPKG=$(whichq eopkg) APK=$(whichq apk) - if [ -x "$APTGET" ] ; then + if [ -x "$APTGET" ]; then "$APTGET" update - "$APTGET" install -y --no-install-recommends $PKGS dnsutils || { + "$APTGET" install -y --no-install-recommends "$PKGS" dnsutils || { echo could not install prerequisites exitp 6 } - elif [ -x "$YUM" ] ; then - "$YUM" -y install $PKGS || { + elif [ -x "$YUM" ]; then + "$YUM" -y install "$PKGS" || { echo could not install prerequisites exitp 6 } - elif [ -x "$PACMAN" ] ; then + elif [ -x "$PACMAN" ]; then "$PACMAN" -Syy - "$PACMAN" --noconfirm -S $PKGS || { + "$PACMAN" --noconfirm -S "$PKGS" || { echo could not install prerequisites exitp 6 } - elif [ -x "$ZYPPER" ] ; then - "$ZYPPER" --non-interactive install $PKGS || { + elif [ -x "$ZYPPER" ]; then + "$ZYPPER" --non-interactive install "$PKGS" || { echo could not install prerequisites exitp 6 } - elif [ -x "$EOPKG" ] ; then - "$EOPKG" -y install $PKGS || { + elif [ -x "$EOPKG" ]; then + "$EOPKG" -y install "$PKGS" || { echo could not install prerequisites exitp 6 } - elif [ -x "$APK" ] ; then + elif [ -x "$APK" ]; then "$APK" update # for alpine [ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables" - "$APK" add $PKGS || { + "$APK" add "$PKGS" || { echo could not install prerequisites exitp 6 } else echo supported package manager not found - echo you must manually install : $UTILS + echo you must manually install: "$UTILS" exitp 5 fi fi } -check_prerequisites_openwrt() -{ +check_prerequisites_openwrt() { echo \* checking prerequisites local PKGS="curl" UPD=0 case "$FWTYPE" in - iptables) - PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra" - [ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra" - ;; - nftables) - PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue" - 
;; + iptables) + PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra" + [ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra" + ;; + nftables) + PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue" + ;; esac - if check_packages_openwrt $PKGS ; then + if check_packages_openwrt "$PKGS"; then echo everything is present else echo \* installing prerequisites opkg update UPD=1 - opkg install $PKGS || { + opkg install "$PKGS" || { echo could not install prerequisites exitp 6 } fi - + is_linked_to_busybox gzip && { echo echo your system uses default busybox gzip. its several times slower than GNU gzip. @@ -659,10 +608,7 @@ check_prerequisites_openwrt() } } - - -select_ipv6() -{ +select_ipv6() { local T=N [ "$DISABLE_IPV6" != '1' ] && T=Y @@ -675,8 +621,7 @@ select_ipv6() fi [ "$old6" != "$DISABLE_IPV6" ] && write_config_var DISABLE_IPV6 } -select_fwtype() -{ +select_fwtype() { echo [ $(get_ram_mb) -le 400 ] && { echo WARNING ! you are running a low RAM system diff --git a/common/ipt.sh b/common/ipt.sh index ec5af86..7fe8710 100644 --- a/common/ipt.sh +++ b/common/ipt.sh 
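Review bot: Quoting `"$PKGS"` in every install call in this hunk — `"$APTGET" install -y --no-install-recommends "$PKGS" dnsutils`, `"$YUM" -y install "$PKGS"`, the pacman, zypper and eopkg lines, `"$APK" add "$PKGS"`, and `opkg install "$PKGS"` in check_prerequisites_openwrt — breaks installation whenever more than one package is missing: PKGS is a space-separated list (built by `sort -u | xargs` in the previous hunk, or assembled as `PKGS="$PKGS ipset iptables …"`), and the quotes turn it into one package name containing spaces that no package manager resolves, so the script prints "could not install prerequisites" and exits. Revert those occurrences to an unquoted `$PKGS` and record the intent, e.g. `# shellcheck disable=SC2086 -- PKGS is a space-separated list; word splitting is intended`. `check_packages_openwrt "$PKGS"` survives only because that function iterates `$@` unquoted.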
@@ -1,55 +1,43 @@ std_ports readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes" -ipt() -{ +ipt() { iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@" } -ipta() -{ +ipta() { iptables -C "$@" >/dev/null 2>/dev/null || iptables -A "$@" } -ipt_del() -{ +ipt_del() { iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@" } -ipt_add_del() -{ +ipt_add_del() { on_off_function ipt ipt_del "$@" } -ipta_add_del() -{ +ipta_add_del() { on_off_function ipta ipt_del "$@" } -ipt6() -{ +ipt6() { ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@" } -ipt6a() -{ +ipt6a() { ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -A "$@" } -ipt6_del() -{ +ipt6_del() { ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@" } -ipt6_add_del() -{ +ipt6_add_del() { on_off_function ipt6 ipt6_del "$@" } -ipt6a_add_del() -{ +ipt6a_add_del() { on_off_function ipt6 ipt6a_del "$@" } -is_ipt_flow_offload_avail() -{ - # $1 = '' for ipv4, '6' for ipv6 - grep -q FLOWOFFLOAD 2>/dev/null /proc/net/ip$1_tables_targets +is_ipt_flow_offload_avail() { + # $1 = '' for IPv4, '6' for IPv6 + grep -q FLOWOFFLOAD /proc/net/ip"$1"_tables_targets 2>/dev/null } -filter_apply_port_target() -{ +filter_apply_port_target() { # $1 - var name of iptables filter local f if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then 
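Review bot: `ipt6a_add_del() { on_off_function ipt6 ipt6a_del "$@" }` passes `ipt6` as the add function and `ipt6a_del`, which is not defined in this file section, as the delete function; by analogy with `ipta_add_del() { on_off_function ipta ipt_del "$@" }` the intended line is `on_off_function ipt6a ipt6_del "$@"`. As written the add path inserts (`-I`) instead of appending (`-A`) and the delete path calls a missing command, unless ipt6a_del is defined elsewhere. The reformat kept this line as context, so it is pre-existing, but it sits in the hunk under review and is a one-token fix.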
@@ -61,62 +49,54 @@ filter_apply_port_target() else echo WARNING !!! HTTP and HTTPS are both disabled fi - eval $1="\"\$$1 $f\"" + eval "$1"="\"\$$1 $f\"" } -filter_apply_port_target_quic() -{ +filter_apply_port_target_quic() { # $1 - var name of nftables filter local f f="-p udp -m multiport --dports $QUIC_PORTS_IPT" - eval $1="\"\$$1 $f\"" + eval "$1"="\"\$$1 $f\"" } -filter_apply_ipset_target4() -{ +filter_apply_ipset_target4() { # $1 - var name of ipv4 iptables filter if [ "$MODE_FILTER" = "ipset" ]; then - eval $1="\"\$$1 -m set --match-set zapret dst\"" + eval "$1"="\"\$$1 -m set --match-set zapret dst\"" fi } -filter_apply_ipset_target6() -{ +filter_apply_ipset_target6() { # $1 - var name of ipv6 iptables filter if [ "$MODE_FILTER" = "ipset" ]; then - eval $1="\"\$$1 -m set --match-set zapret6 dst\"" + eval "$1"="\"\$$1 -m set --match-set zapret6 dst\"" fi } -filter_apply_ipset_target() -{ +filter_apply_ipset_target() { # $1 - var name of ipv4 iptables filter # $2 - var name of ipv6 iptables filter - filter_apply_ipset_target4 $1 - filter_apply_ipset_target6 $2 + filter_apply_ipset_target4 "$1" + filter_apply_ipset_target6 "$2" } -reverse_nfqws_rule_stream() -{ +reverse_nfqws_rule_stream() { sed -e 's/-o /-i /g' -e 's/--dport /--sport /g' -e 's/--dports /--sports /g' -e 's/ dst$/ src/' -e 's/ dst / src /g' -e 's/--connbytes-dir=original/--connbytes-dir=reply/g' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//g" } -reverse_nfqws_rule() -{ +reverse_nfqws_rule() { echo "$@" | reverse_nfqws_rule_stream } -prepare_tpws_fw4() -{ - # otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it - # NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8 +prepare_tpws_fw4() { + # otherwise Linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it + # NOTE: kernels <3.6 do not have this feature. 
consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8 [ "$DISABLE_IPV4" = "1" ] || { iptables -N input_rule_zapret 2>/dev/null - ipt input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN + ipt input_rule_zapret -d "$TPWS_LOCALHOST4" -j RETURN ipta input_rule_zapret -d 127.0.0.0/8 -j DROP ipt INPUT ! -i lo -j input_rule_zapret prepare_route_localnet } } -unprepare_tpws_fw4() -{ +unprepare_tpws_fw4() { [ "$DISABLE_IPV4" = "1" ] || { unprepare_route_localnet @@ -125,14 +105,11 @@ unprepare_tpws_fw4() iptables -X input_rule_zapret 2>/dev/null } } -unprepare_tpws_fw() -{ +unprepare_tpws_fw() { unprepare_tpws_fw4 } - -ipt_print_op() -{ +ipt_print_op() { if [ "$1" = "1" ]; then echo "Adding ip$4tables rule for $3 : $2" else @@ -140,8 +117,7 @@ ipt_print_op() fi } -_fw_tpws4() -{ +_fw_tpws4() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv4 # $3 - tpws port @@ -152,25 +128,24 @@ _fw_tpws4() [ "$1" = 1 ] && prepare_tpws_fw4 - ipt_print_op $1 "$2" "tpws (port $3)" + ipt_print_op "$1" "$2" "tpws (port $3)" rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3" - for i in $4 ; do - ipt_add_del $1 PREROUTING -t nat -i $i $rule - done + for i in $4; do + ipt_add_del "$1" PREROUTING -t nat -i "$i" "$rule" + done rule="-m owner ! --uid-owner $WS_USER $rule" if [ -n "$5" ]; then for i in $5; do - ipt_add_del $1 OUTPUT -t nat -o $i $rule + ipt_add_del "$1" OUTPUT -t nat -o "$i" "$rule" done else - ipt_add_del $1 OUTPUT -t nat $rule + ipt_add_del "$1" OUTPUT -t nat "$rule" fi } } -_fw_tpws6() -{ +_fw_tpws6() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv6 # $3 - tpws port 
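Review bot: `ipt_add_del "$1" PREROUTING -t nat -i "$i" "$rule"` and the two OUTPUT variants below it now pass the whole rule as one argument: `rule` is assembled as `"$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"`, a string of many iptables options that previously word-split into separate arguments, so iptables receives a single space-containing token, rejects it, and the tpws redirect is never installed (nor matched by `-C` on removal). Restore the unquoted `$rule` on those three lines and document it, e.g. `# shellcheck disable=SC2086 -- $rule holds multiple iptables arguments and must word-split`. Quoting `"$1"` and `"$i"` on the same lines is correct; only `$rule` carries a list. The same regression recurs in _fw_tpws6 and the _fw_nfqws_* functions in the following hunks.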
@@ -180,37 +155,34 @@ _fw_tpws6() [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || { local i rule DNAT6 - ipt_print_op $1 "$2" "tpws (port $3)" 6 + ipt_print_op "$1" "$2" "tpws (port $3)" 6 rule="$2 $IPSET_EXCLUDE6 dst" - for i in $4 ; do - _dnat6_target $i DNAT6 - [ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3 - done + for i in $4; do + _dnat6_target "$i" DNAT6 + [ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del "$1" PREROUTING -t nat -i "$i" "$rule" -j DNAT --to ["$DNAT6"]:"$3" + done rule="-m owner ! --uid-owner $WS_USER $rule -j DNAT --to [::1]:$3" if [ -n "$5" ]; then for i in $5; do - ipt6_add_del $1 OUTPUT -t nat -o $i $rule + ipt6_add_del "$1" OUTPUT -t nat -o "$i" "$rule" done else - ipt6_add_del $1 OUTPUT -t nat $rule + ipt6_add_del "$1" OUTPUT -t nat "$rule" fi } } -fw_tpws() -{ +fw_tpws() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv4 # $3 - iptable filter for ipv6 # $4 - tpws port - fw_tpws4 $1 "$2" $4 - fw_tpws6 $1 "$3" $4 + fw_tpws4 "$1" "$2" "$4" + fw_tpws6 "$1" "$3" "$4" } - -_fw_nfqws_post4() -{ +_fw_nfqws_post4() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv4 # $3 - queue number @@ -218,20 +190,19 @@ _fw_nfqws_post4() [ "$DISABLE_IPV4" = "1" -o -z "$2" ] || { local i - ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" + ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)" rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass" - if [ -n "$4" ] ; then + if [ -n "$4" ]; then for i in $4; do - ipt_add_del $1 POSTROUTING -t mangle -o $i $rule + ipt_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule" done else - ipt_add_del $1 POSTROUTING -t mangle $rule + ipt_add_del "$1" POSTROUTING -t mangle "$rule" fi } } -_fw_nfqws_post6() -{ +_fw_nfqws_post6() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv6 # $3 - queue number 
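Review bot: The list-quoting problem from _fw_tpws4 recurs here: `ipt6_add_del "$1" PREROUTING -t nat -i "$i" "$rule" -j DNAT --to ["$DNAT6"]:"$3"` and the two OUTPUT lines hand the multi-option `$rule` string to ip6tables as one argument, so the IPv6 redirect rules fail to load instead of being added. Keep `$rule` unquoted on those lines with a `# shellcheck disable=SC2086` note explaining that it is an argument list. The `[ -n "$DNAT6" -a "$DNAT6" != "-" ]` test also keeps the obsolescent `-a`; `[ -n "$DNAT6" ] && [ "$DNAT6" != "-" ]` is the POSIX form that filter_apply_port_target in this same file already uses.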
@@ -239,30 +210,28 @@ _fw_nfqws_post6() [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || { local i - ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6 + ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)" 6 rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass" - if [ -n "$4" ] ; then + if [ -n "$4" ]; then for i in $4; do - ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule + ipt6_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule" done else - ipt6_add_del $1 POSTROUTING -t mangle $rule + ipt6_add_del "$1" POSTROUTING -t mangle "$rule" fi } } -fw_nfqws_post() -{ +fw_nfqws_post() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv4 # $3 - iptable filter for ipv6 # $4 - queue number - fw_nfqws_post4 $1 "$2" $4 - fw_nfqws_post6 $1 "$3" $4 + fw_nfqws_post4 "$1" "$2" "$4" + fw_nfqws_post6 "$1" "$3" "$4" } -_fw_nfqws_pre4() -{ +_fw_nfqws_pre4() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv4 # $3 - queue number @@ -270,23 +239,22 @@ _fw_nfqws_pre4() [ "$DISABLE_IPV4" = "1" -o -z "$2" ] || { local i - ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)" + ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)" rule="$2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass" - if [ -n "$4" ] ; then + if [ -n "$4" ]; then for i in $4; do # iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there - ipt_add_del $1 INPUT -t mangle -i $i $rule - ipt_add_del $1 FORWARD -t mangle -i $i $rule + ipt_add_del "$1" INPUT -t mangle -i "$i" "$rule" + ipt_add_del "$1" FORWARD -t mangle -i "$i" "$rule" done else - ipt_add_del $1 INPUT -t mangle $rule - ipt_add_del $1 FORWARD -t mangle $rule + ipt_add_del "$1" INPUT -t mangle "$rule" + ipt_add_del "$1" FORWARD -t mangle "$rule" fi } } -_fw_nfqws_pre6() -{ +_fw_nfqws_pre6() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv6 # $3 - queue number 
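Review bot: `ipt_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"` and `ipt_add_del "$1" POSTROUTING -t mangle "$rule"` in _fw_nfqws_post4 quote a value built as `"$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"`, i.e. an entire argument list, so iptables now sees one space-containing token and the NFQUEUE rule is not installed (and the delete path cannot match it either). The _fw_nfqws_post6 hunk that ends on this same line has the identical problem with `ipt6_add_del … "$rule"`. Leave `$rule` unquoted at these four call sites and mark the intent with `# shellcheck disable=SC2086 -- $rule is an iptables argument list`.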
@@ -294,34 +262,31 @@ _fw_nfqws_pre6() [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || { local i - ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)" 6 + ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)" 6 rule="$2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass" - if [ -n "$4" ] ; then + if [ -n "$4" ]; then for i in $4; do # iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there - ipt6_add_del $1 INPUT -t mangle -i $i $rule - ipt6_add_del $1 FORWARD -t mangle -i $i $rule + ipt6_add_del "$1" INPUT -t mangle -i "$i" "$rule" + ipt6_add_del "$1" FORWARD -t mangle -i "$i" "$rule" done else - ipt6_add_del $1 INPUT -t mangle $rule - ipt6_add_del $1 FORWARD -t mangle $rule + ipt6_add_del "$1" INPUT -t mangle "$rule" + ipt6_add_del "$1" FORWARD -t mangle "$rule" fi } } -fw_nfqws_pre() -{ +fw_nfqws_pre() { # $1 - 1 - add, 0 - del # $2 - iptable filter for ipv4 # $3 - iptable filter for ipv6 # $4 - queue number - fw_nfqws_pre4 $1 "$2" $4 - fw_nfqws_pre6 $1 "$3" $4 + fw_nfqws_pre4 "$1" "$2" "$4" + fw_nfqws_pre6 "$1" "$3" "$4" } - -produce_reverse_nfqws_rule() -{ +produce_reverse_nfqws_rule() { local rule="$1" if contains "$rule" "$ipt_connbytes"; then # autohostlist - need several incoming packets 
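Review bot: _fw_nfqws_pre4 has the same regression: `ipt_add_del "$1" INPUT -t mangle -i "$i" "$rule"` and its FORWARD and no-interface variants quote `$rule`, which holds `"$2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass"`, so the incoming-direction rules that fw_reverse_nfqws_rule installs for modes relying on incoming traffic fail to apply. The ip6tables counterparts in _fw_nfqws_pre6 are affected identically. Restore the unquoted `$rule` on those lines with a `# shellcheck disable=SC2086` comment; the check a reviewer would want is running the firewall apply path on an iptables host and confirming `iptables -t mangle -S INPUT` shows the NFQUEUE entry.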
@@ -334,28 +299,23 @@ produce_reverse_nfqws_rule() fi echo "$rule" | reverse_nfqws_rule_stream } -fw_reverse_nfqws_rule4() -{ - fw_nfqws_pre4 $1 "$(produce_reverse_nfqws_rule "$2")" $3 +fw_reverse_nfqws_rule4() { + fw_nfqws_pre4 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3" } -fw_reverse_nfqws_rule6() -{ - fw_nfqws_pre6 $1 "$(produce_reverse_nfqws_rule "$2")" $3 +fw_reverse_nfqws_rule6() { + fw_nfqws_pre6 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3" } -fw_reverse_nfqws_rule() -{ +fw_reverse_nfqws_rule() { # ensure that modes relying on incoming traffic work # $1 - 1 - add, 0 - del # $2 - rule4 # $3 - rule6 # $4 - queue number - fw_reverse_nfqws_rule4 $1 "$2" $4 - fw_reverse_nfqws_rule6 $1 "$3" $4 + fw_reverse_nfqws_rule4 "$1" "$2" "$4" + fw_reverse_nfqws_rule6 "$1" "$3" "$4" } - -zapret_do_firewall_rules_ipt() -{ +zapret_do_firewall_rules_ipt() { local mode="${MODE_OVERRIDE:-$MODE}" local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)" 
@@ -363,87 +323,86 @@ zapret_do_firewall_rules_ipt() local n f4 f6 qn qns qn6 qns6 case "$mode" in - tpws) - if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then - echo both http and https are disabled. not applying redirection. - else - filter_apply_port_target f4 - f6=$f4 - filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $TPPORT - fi - ;; - - nfqws) - # quite complex but we need to minimize nfqws processes to save RAM - get_nfqws_qnums qn qns qn6 qns6 - if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then - filter_apply_port_target f4 - f4="$f4 $first_packet_only" - filter_apply_ipset_target4 f4 - fw_nfqws_post4 $1 "$f4 $desync" $qn - fw_reverse_nfqws_rule4 $1 "$f4" $qn - else - if [ -n "$qn" ]; then - f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT" - [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only" - filter_apply_ipset_target4 f4 - fw_nfqws_post4 $1 "$f4 $desync" $qn - fw_reverse_nfqws_rule4 $1 "$f4" $qn - fi - if [ -n "$qns" ]; then - f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only" - filter_apply_ipset_target4 f4 - fw_nfqws_post4 $1 "$f4 $desync" $qns - fw_reverse_nfqws_rule4 $1 "$f4" $qns - fi - fi - if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then - filter_apply_port_target f6 - f6="$f6 $first_packet_only" - filter_apply_ipset_target6 f6 - fw_nfqws_post6 $1 "$f6 $desync" $qn6 - fw_reverse_nfqws_rule6 $1 "$f6" $qn6 - else - if [ -n "$qn6" ]; then - f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT" - [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only" - filter_apply_ipset_target6 f6 - fw_nfqws_post6 $1 "$f6 $desync" $qn6 - fw_reverse_nfqws_rule6 $1 "$f6" $qn6 - fi - if [ -n "$qns6" ]; then - f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only" - filter_apply_ipset_target6 f6 - fw_nfqws_post6 $1 "$f6 $desync" $qns6 - fw_reverse_nfqws_rule6 $1 "$f6" $qns6 - fi - fi + tpws) + if [ ! "$MODE_HTTP" = "1" ] && [ ! 
"$MODE_HTTPS" = "1" ]; then + echo both HTTP and HTTPS are disabled. not applying redirection. + else + filter_apply_port_target f4 + f6=$f4 + filter_apply_ipset_target f4 f6 + fw_tpws "$1" "$f4" "$f6" "$TPPORT" + fi + ;; - get_nfqws_qnums_quic qn qn6 + nfqws) + # quite complex but we need to minimize nfqws processes to save RAM + get_nfqws_qnums qn qns qn6 qns6 + if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then + filter_apply_port_target f4 + f4="$f4 $first_packet_only" + filter_apply_ipset_target4 f4 + fw_nfqws_post4 "$1" "$f4 $desync" "$qn" + fw_reverse_nfqws_rule4 "$1" "$f4" "$qn" + else if [ -n "$qn" ]; then - f4= - filter_apply_port_target_quic f4 - f4="$f4 $first_packet_only" + f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT" + [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only" filter_apply_ipset_target4 f4 - fw_nfqws_post4 $1 "$f4 $desync" $qn + fw_nfqws_post4 "$1" "$f4 $desync" "$qn" + fw_reverse_nfqws_rule4 "$1" "$f4" "$qn" fi + if [ -n "$qns" ]; then + f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only" + filter_apply_ipset_target4 f4 + fw_nfqws_post4 "$1" "$f4 $desync" "$qns" + fw_reverse_nfqws_rule4 "$1" "$f4" "$qns" + fi + fi + if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then + filter_apply_port_target f6 + f6="$f6 $first_packet_only" + filter_apply_ipset_target6 f6 + fw_nfqws_post6 "$1" "$f6 $desync" "$qn6" + fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6" + else if [ -n "$qn6" ]; then - f6= - filter_apply_port_target_quic f6 - f6="$f6 $first_packet_only" + f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT" + [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only" filter_apply_ipset_target6 f6 - fw_nfqws_post6 $1 "$f6 $desync" $qn6 + fw_nfqws_post6 "$1" "$f6 $desync" "$qn6" + fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6" fi - ;; - custom) - existf zapret_custom_firewall && zapret_custom_firewall $1 - ;; + if [ -n "$qns6" ]; then + f6="-p tcp -m multiport 
--dports $HTTPS_PORTS_IPT $first_packet_only" + filter_apply_ipset_target6 f6 + fw_nfqws_post6 "$1" "$f6 $desync" "$qns6" + fw_reverse_nfqws_rule6 "$1" "$f6" "$qns6" + fi + fi + + get_nfqws_qnums_quic qn qn6 + if [ -n "$qn" ]; then + f4= + filter_apply_port_target_quic f4 + f4="$f4 $first_packet_only" + filter_apply_ipset_target4 f4 + fw_nfqws_post4 "$1" "$f4 $desync" "$qn" + fi + if [ -n "$qn6" ]; then + f6= + filter_apply_port_target_quic f6 + f6="$f6 $first_packet_only" + filter_apply_ipset_target6 f6 + fw_nfqws_post6 "$1" "$f6 $desync" "$qn6" + fi + ;; + custom) + existf zapret_custom_firewall && zapret_custom_firewall "$1" + ;; esac } -zapret_do_firewall_ipt() -{ +zapret_do_firewall_ipt() { # $1 - 1 - add, 0 - del if [ "$1" = 1 ]; then @@ -461,7 +420,7 @@ zapret_do_firewall_ipt() zapret_do_firewall_rules_ipt "$@" - if [ "$1" = 1 ] ; then + if [ "$1" = 1 ]; then existf flow_offloading_exempt && flow_offloading_exempt else existf flow_offloading_unexempt && flow_offloading_unexempt diff --git a/common/linux_fw.sh b/common/linux_fw.sh index dbddc65..251c1f9 100644 --- a/common/linux_fw.sh +++ b/common/linux_fw.sh @@ -1,21 +1,19 @@ -set_conntrack_liberal_mode() -{ - [ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=$1 +set_conntrack_liberal_mode() { + [ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal="$1" } -zapret_do_firewall() -{ +zapret_do_firewall() { linux_fwtype [ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK [ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK case "$FWTYPE" in - iptables) - zapret_do_firewall_ipt "$@" - ;; - nftables) - zapret_do_firewall_nft "$@" - ;; + iptables) + zapret_do_firewall_ipt "$@" + ;; + nftables) + zapret_do_firewall_nft "$@" + ;; esac # russian DPI sends RST,ACK with wrong ACK. 
@@ -23,29 +21,26 @@ zapret_do_firewall() # switch on liberal mode on zapret firewall start and switch off on zapret firewall stop # this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode # calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules - [ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode $1 - + [ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1" + [ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK [ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK return 0 } -zapret_apply_firewall() -{ +zapret_apply_firewall() { zapret_do_firewall 1 "$@" } -zapret_unapply_firewall() -{ +zapret_unapply_firewall() { zapret_do_firewall 0 "$@" } -first_packets_for_mode() -{ +first_packets_for_mode() { # autohostlist and autottl modes requires incoming traffic sample # always use conntrack packet limiter or nfqws will deal with gigabytes local n if [ "$MODE_FILTER" = "autohostlist" ]; then - n=$((6+${AUTOHOSTLIST_RETRANS_THRESHOLD:-3})) + n=$((6 + ${AUTOHOSTLIST_RETRANS_THRESHOLD:-3})) else n=6 fi diff --git a/common/linux_iphelper.sh b/common/linux_iphelper.sh index e22f91a..3c008a8 100644 --- a/common/linux_iphelper.sh +++ b/common/linux_iphelper.sh 
@@ -4,54 +4,48 @@ # PREROUTING - can't DNAT to ::1. can DNAT to link local of -i interface or to any global addr # not a good idea to expose tpws to the world (bind to ::) - -get_ipv6_linklocal() -{ - # $1 - interface name. if empty - any interface - if exists ip ; then - local dev - [ -n "$1" ] && dev="dev $1" - ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1 - else - ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1 - fi +get_ipv6_linklocal() { + # $1 - interface name. if empty - any interface + if exists ip; then + local dev + [ -n "$1" ] && dev="dev $1" + ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1 + else + ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1 + fi } -get_ipv6_global() -{ - # $1 - interface name. if empty - any interface - if exists ip ; then - local dev - [ -n "$1" ] && dev="dev $1" - ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1 - else - ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1 - fi +get_ipv6_global() { + # $1 - interface name. 
if empty - any interface + if exists ip; then + local dev + [ -n "$1" ] && dev="dev $1" + ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1 + else + ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1 + fi } -iface_is_up() -{ +iface_is_up() { # $1 - interface name - [ -f /sys/class/net/$1/operstate ] || return + [ -f /sys/class/net/"$1"/operstate ] || return local state - read state /dev/null +nft_del_table() { + nft delete table inet "$ZAPRET_NFT_TABLE" 2>/dev/null } -nft_list_table() -{ - nft -t list table inet $ZAPRET_NFT_TABLE +nft_list_table() { + nft -t list table inet "$ZAPRET_NFT_TABLE" } -nft_create_set() -{ +nft_create_set() { # $1 - set name # $2 - params - nft create set inet $ZAPRET_NFT_TABLE $1 "{ $2 }" 2>/dev/null + nft create set inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }" 2>/dev/null } -nft_del_set() -{ +nft_del_set() { # $1 - set name - nft delete set inet $ZAPRET_NFT_TABLE $1 + nft delete set inet "$ZAPRET_NFT_TABLE" "$1" } -nft_flush_set() -{ +nft_flush_set() { # $1 - set name - nft flush set inet $ZAPRET_NFT_TABLE $1 + nft flush set inet "$ZAPRET_NFT_TABLE" "$1" } -nft_set_exists() -{ +nft_set_exists() { # $1 - set name - nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null + nft -t list set inet "$ZAPRET_NFT_TABLE" "$1" 2>/dev/null >/dev/null } -nft_flush_chain() -{ +nft_flush_chain() { # $1 - chain name - nft flush chain inet $ZAPRET_NFT_TABLE $1 + nft flush chain inet "$ZAPRET_NFT_TABLE" "$1" } -nft_del_all_chains_from_table() -{ +nft_del_all_chains_from_table() { # $1 - table_name with or without family # delete all chains with possible references to each other 
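Review bot: Quoting `"$dev"` in get_ipv6_linklocal and get_ipv6_global breaks both cases the header comment documents: with an interface name, `dev` holds the two words `dev <name>` and `ip addr show "$dev"` now receives them as a single argument, which ip will most likely reject as an unknown interface, and with no name the `ifconfig "$1"` fallback passes an empty argument instead of listing every interface. The original unquoted `$dev` and `$1` relied on word-splitting on purpose; on the `ip` path every call would therefore return nothing, on the ifconfig path only the no-argument form breaks. Either keep those two expansions unquoted with a directive above each, `# shellcheck disable=SC2086  # intentional split: "dev <name>" or nothing`, or drop the helper variable and write `ip addr show ${1:+dev "$1"} | sed ...` and `ifconfig ${1:+"$1"} | sed ...`, in both functions. The iface_is_up change at the end of the hunk looks fine, but that function runs past the hunk.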
@@ -54,12 +45,12 @@ nft_del_all_chains_from_table() # avoid infinite loops local chains deleted=1 error=1 while [ -n "$deleted" -a -n "$error" ]; do - chains=$(nft -t list table $1 2>/dev/null | sed -nre "s/^[ ]*chain ([^ ]+) \{/\1/p" | xargs) + chains=$(nft -t list table "$1" 2>/dev/null | sed -nre "s/^[ ]*chain ([^ ]+) \{/\1/p" | xargs) [ -n "$chains" ] || break deleted= error= for chain in $chains; do - if nft delete chain $1 $chain 2>/dev/null; then + if nft delete chain "$1" "$chain" 2>/dev/null; then deleted=1 else error=1 @@ -68,9 +59,8 @@ nft_del_all_chains_from_table() done } -nft_create_chains() -{ -cat << EOF | nft -f - +nft_create_chains() { + cat </dev/null + cat </dev/null delete chain inet $ZAPRET_NFT_TABLE dnat_output delete chain inet $ZAPRET_NFT_TABLE dnat_pre delete chain inet $ZAPRET_NFT_TABLE forward @@ -132,15 +121,13 @@ cat << EOF | nft -f - 2>/dev/null delete chain inet $ZAPRET_NFT_TABLE flow_offload delete chain inet $ZAPRET_NFT_TABLE localnet_protect EOF -# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one) -# delete chain inet $ZAPRET_NFT_TABLE predefrag + # unfortunately this approach breaks udp desync of the connection initiating packet (new, first one) + # delete chain inet $ZAPRET_NFT_TABLE predefrag } -nft_del_flowtable() -{ - nft delete flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null +nft_del_flowtable() { + nft delete flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null } -nft_create_or_update_flowtable() -{ +nft_create_or_update_flowtable() { # $1 = flags ('offload' for hw offload) # $2,$3,$4,... - interfaces # can be called multiple times to add interfaces. interfaces can only be added , not removed 
@@ -153,117 +140,102 @@ nft_create_or_update_flowtable() for makelist in make_quoted_comma_list make_comma_list; do $makelist devices "$@" [ -n "$devices" ] && devices="devices={$devices};" - nft add flowtable inet $ZAPRET_NFT_TABLE ft "{ hook ingress priority -1; $flags $devices }" && break + nft add flowtable inet "$ZAPRET_NFT_TABLE" ft "{ hook ingress priority -1; $flags $devices }" && break done } -nft_flush_ifsets() -{ -cat << EOF | nft -f - 2>/dev/null +nft_flush_ifsets() { + cat </dev/null flush set inet $ZAPRET_NFT_TABLE lanif flush set inet $ZAPRET_NFT_TABLE wanif flush set inet $ZAPRET_NFT_TABLE wanif6 flush map inet $ZAPRET_NFT_TABLE link_local EOF } -nft_flush_link_local() -{ - nft flush map inet $ZAPRET_NFT_TABLE link_local 2>/dev/null +nft_flush_link_local() { + nft flush map inet "$ZAPRET_NFT_TABLE" link_local 2>/dev/null } -nft_list_ifsets() -{ - nft list set inet $ZAPRET_NFT_TABLE lanif - nft list set inet $ZAPRET_NFT_TABLE wanif - nft list set inet $ZAPRET_NFT_TABLE wanif6 - nft list map inet $ZAPRET_NFT_TABLE link_local - nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null +nft_list_ifsets() { + nft list set inet "$ZAPRET_NFT_TABLE" lanif + nft list set inet "$ZAPRET_NFT_TABLE" wanif + nft list set inet "$ZAPRET_NFT_TABLE" wanif6 + nft list map inet "$ZAPRET_NFT_TABLE" link_local + nft list flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null } -nft_create_firewall() -{ +nft_create_firewall() { nft_create_table nft_del_flowtable nft_flush_link_local nft_create_chains } -nft_del_firewall() -{ +nft_del_firewall() { nft_del_chains nft_del_flowtable nft_flush_link_local # leave ifsets and ipsets because they may be used by custom rules } -nft_add_rule() -{ +nft_add_rule() { # $1 - chain # $2,$3,... 
- rule(s) local chain="$1" shift - nft add rule inet $ZAPRET_NFT_TABLE $chain "$@" + nft add rule inet "$ZAPRET_NFT_TABLE" "$chain" "$@" } -nft_add_set_element() -{ +nft_add_set_element() { # $1 - set or map name # $2 - element - [ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }" + [ -z "$2" ] || nft add element inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }" } -nft_add_set_elements() -{ +nft_add_set_elements() { # $1 - set or map name # $2,$3,... - element(s) local set="$1" elements shift make_comma_list elements "$@" - nft_add_set_element $set "$elements" + nft_add_set_element "$set" "$elements" } -nft_reverse_nfqws_rule() -{ +nft_reverse_nfqws_rule() { echo "$@" | sed -e 's/oifname /iifname /g' -e 's/dport /sport /g' -e 's/daddr /saddr /g' -e 's/ct original /ct reply /g' -e "s/mark and $DESYNC_MARK == 0//g" } -nft_clean_nfqws_rule() -{ +nft_clean_nfqws_rule() { echo "$@" | sed -e "s/mark and $DESYNC_MARK == 0//g" -e "s/oifname @wanif6//g" -e "s/oifname @wanif//g" } -nft_add_nfqws_flow_exempt_rule() -{ +nft_add_nfqws_flow_exempt_rule() { # $1 - rule (must be all filters in one var) - nft_add_rule flow_offload $(nft_clean_nfqws_rule $1) return comment \"direct flow offloading exemption\" + nft_add_rule flow_offload $(nft_clean_nfqws_rule "$1") return comment \"direct flow offloading exemption\" # do not need this because of oifname @wanif/@wanif6 filter in forward chain #nft_add_rule flow_offload $(nft_reverse_nfqws_rule $1) return comment \"reverse flow offloading exemption\" } -nft_add_flow_offload_exemption() -{ +nft_add_flow_offload_exemption() { # "$1" - rule for ipv4 # "$2" - rule for ipv6 # "$3" - comment - [ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif $1 ip daddr != @nozapret return comment \"$3\" - [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\" + [ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif "$1" 
ip daddr != @nozapret return comment \""$3"\" + [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 "$2" ip6 daddr != @nozapret6 return comment \""$3"\" } -nft_hw_offload_supported() -{ +nft_hw_offload_supported() { # $1,$2,... - interface names local devices res=1 make_quoted_comma_list devices "$@" [ -n "$devices" ] && devices="devices={$devices};" - nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0 - nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null + nft add table "${ZAPRET_NFT_TABLE}"_test && nft add flowtable "${ZAPRET_NFT_TABLE}"_test ft "{ flags offload; $devices }" 2>/dev/null && res=0 + nft delete table "${ZAPRET_NFT_TABLE}"_test 2>/dev/null return $res } -nft_hw_offload_find_supported() -{ +nft_hw_offload_find_supported() { # $1,$2,... - interface names local supported_list while [ -n "$1" ]; do nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1" shift done - echo $supported_list + echo "$supported_list" } -nft_apply_flow_offloading() -{ +nft_apply_flow_offloading() { # ft can be absent nft_add_rule flow_offload meta l4proto "{ tcp, udp }" flow add @ft 2>/dev/null && { nft_add_rule flow_offload meta l4proto "{ tcp, udp }" counter comment \"if offload works here must not be too much traffic\" @@ -273,10 +245,7 @@ nft_apply_flow_offloading() } } - - -nft_filter_apply_port_target() -{ +nft_filter_apply_port_target() { # $1 - var name of nftables filter local f if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then 
@@ -288,58 +257,51 @@ nft_filter_apply_port_target() else echo WARNING !!! HTTP and HTTPS are both disabled fi - eval $1="\"\$$1 $f\"" + eval "$1"="\"\$$1 $f\"" } -nft_filter_apply_port_target_quic() -{ +nft_filter_apply_port_target_quic() { # $1 - var name of nftables filter local f f="udp dport {$QUIC_PORTS}" - eval $1="\"\$$1 $f\"" + eval "$1"="\"\$$1 $f\"" } -nft_filter_apply_ipset_target4() -{ +nft_filter_apply_ipset_target4() { # $1 - var name of ipv4 nftables filter if [ "$MODE_FILTER" = "ipset" ]; then - eval $1="\"\$$1 ip daddr @zapret\"" + eval "$1"="\"\$$1 ip daddr @zapret\"" fi } -nft_filter_apply_ipset_target6() -{ +nft_filter_apply_ipset_target6() { # $1 - var name of ipv6 nftables filter if [ "$MODE_FILTER" = "ipset" ]; then - eval $1="\"\$$1 ip6 daddr @zapret6\"" + eval "$1"="\"\$$1 ip6 daddr @zapret6\"" fi } -nft_filter_apply_ipset_target() -{ +nft_filter_apply_ipset_target() { # $1 - var name of ipv4 nftables filter # $2 - var name of ipv6 nftables filter - nft_filter_apply_ipset_target4 $1 - nft_filter_apply_ipset_target6 $2 + nft_filter_apply_ipset_target4 "$1" + nft_filter_apply_ipset_target6 "$2" } - -nft_script_add_ifset_element() -{ +nft_script_add_ifset_element() { # $1 - set name # $2 - space separated elements local elements [ -n "$2" ] && { - make_quoted_comma_list elements $2 + make_quoted_comma_list elements "$2" script="${script} add element inet $ZAPRET_NFT_TABLE $1 { $elements }" } } -nft_fill_ifsets() -{ - # $1 - space separated lan interface names - # $2 - space separated wan interface names - # $3 - space separated wan6 interface names - # 4,5,6 is needed for pppoe+openwrt case. 
looks like it's not easily possible to resolve ethernet device behind a pppoe interface - # $4 - space separated lan physical interface names (optional) - # $5 - space separated wan physical interface names (optional) - # $6 - space separated wan6 physical interface names (optional) +nft_fill_ifsets() { + # $1 - space separated LAN interface names + # $2 - space separated WAN interface names + # $3 - space separated WAN6 interface names + # 4,5,6 is needed for PPPoE+OpenWrt case. looks like it's not easily possible to resolve Ethernet device behind a PPPoE interface + # $4 - space separated LAN physical interface names (optional) + # $5 - space separated WAN physical interface names (optional) + # $6 - space separated WAN6 physical interface names (optional) local script i j ALLDEVS devs 
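Review bot: `make_quoted_comma_list elements "$2"` in nft_script_add_ifset_element changes behaviour: the comment directly above says `$2` is a space-separated list, and the unquoted `$2` it replaces split that list into one argument per element, which is how the helper is called everywhere else in this diff (`make_quoted_comma_list devices "$@"`). Quoted, the whole list arrives as a single argument, so if the helper quotes each argument it is given, the generated script becomes `add element inet $ZAPRET_NFT_TABLE lanif { "eth0 eth1" }` rather than `{ "eth0", "eth1" }`, the lanif/wanif/wanif6 sets end up empty or malformed, and the `iifname @lanif` / `oifname @wanif` matches built on them later in this file stop matching. Keep the split and mark it as intended: `# shellcheck disable=SC2086  # $2 is a space-separated list, split on purpose` above `make_quoted_comma_list elements $2`. The quotes added around `$1` in the `eval "$1"="..."` lines are cosmetic, since eval re-parses the assembled assignment anyway, so the indirect assignment is no safer than before; nft_fill_ifsets starts at the end of this hunk and continues in the next.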
@@ -358,51 +320,47 @@ flush set inet $ZAPRET_NFT_TABLE lanif" echo "$script" | nft -f - case "$FLOWOFFLOAD" in - software) - ALLDEVS=$(unique $1 $2 $3) - # unbound flowtable may cause error in older nft version - nft_create_or_update_flowtable '' $ALLDEVS 2>/dev/null - ;; - hardware) - ALLDEVS=$(unique $1 $2 $3 $4 $5 $6) - # first create unbound flowtable. may cause error in older nft version - nft_create_or_update_flowtable 'offload' 2>/dev/null - # then add elements. some of them can cause error because unsupported - for i in $ALLDEVS; do - if nft_hw_offload_supported $i; then - nft_create_or_update_flowtable 'offload' $i - else - # bridge members must be added instead of the bridge itself - # some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not - devs=$(resolve_lower_devices $i) - for j in $devs; do - # do not display error if addition failed - nft_create_or_update_flowtable 'offload' $j 2>/dev/null - done - fi - done - ;; + software) + ALLDEVS=$(unique "$1" "$2" "$3") + # unbound flowtable may cause error in older nft version + nft_create_or_update_flowtable '' "$ALLDEVS" 2>/dev/null + ;; + hardware) + ALLDEVS=$(unique "$1" "$2" "$3" "$4" "$5" "$6") + # first create unbound flowtable. may cause error in older nft version + nft_create_or_update_flowtable 'offload' 2>/dev/null + # then add elements. some of them can cause error because unsupported + for i in $ALLDEVS; do + if nft_hw_offload_supported "$i"; then + nft_create_or_update_flowtable 'offload' "$i" + else + # bridge members must be added instead of the bridge itself + # some members may not support hw offload. 
example: lan1 lan2 lan3 support, wlan0 wlan1 - not + devs=$(resolve_lower_devices "$i") + for j in $devs; do + # do not display error if addition failed + nft_create_or_update_flowtable 'offload' "$j" 2>/dev/null + done + fi + done + ;; esac } -nft_only() -{ +nft_only() { linux_fwtype case "$FWTYPE" in - nftables) - "$@" - ;; + nftables) + "$@" + ;; esac } - -nft_print_op() -{ - echo "Adding nftables ipv$3 rule for $2 : $1" +nft_print_op() { + echo "Adding nftables IPv$3 rule for $2: $1" } -_nft_fw_tpws4() -{ +_nft_fw_tpws4() { # $1 - filter ipv4 # $2 - tpws port # $3 - not-empty if wan interface filtering required @@ -410,13 +368,12 @@ _nft_fw_tpws4() [ "$DISABLE_IPV4" = "1" -o -z "$1" ] || { local filter="$1" port="$2" nft_print_op "$filter" "tpws (port $2)" 4 - nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port - nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port + nft_add_rule dnat_output skuid != "$WS_USER" ${3:+oifname @wanif }"$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port" + nft_add_rule dnat_pre iifname @lanif "$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port" prepare_route_localnet } } -_nft_fw_tpws6() -{ +_nft_fw_tpws6() { # $1 - filter ipv6 # $2 - tpws port # $3 - lan interface names space separated 
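Review bot: `nft_create_or_update_flowtable '' "$ALLDEVS" 2>/dev/null` in the `software)` arm now passes the whole device list as one argument, but the function's header earlier in this diff documents `$2,$3,$4,...` as one interface per argument and hands them to `make_quoted_comma_list devices "$@"`, so the flowtable would be declared with `devices={"eth0 eth1"}` instead of `{"eth0","eth1"}` and, with stderr discarded, software flow offloading would silently not be configured. The `for i in $ALLDEVS` loop in the `hardware)` arm still splits, so only the software path regressed. Restore the split explicitly: `# shellcheck disable=SC2086  # ALLDEVS is a space-separated list` followed by `nft_create_or_update_flowtable '' $ALLDEVS 2>/dev/null`. `unique "$1" "$2" "$3"` has the same shape; whether it still de-duplicates per interface depends on how `unique` treats a multi-word argument, which is not visible here. nft_fill_ifsets begins before this hunk.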
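Review bot: The `skuid != "$WS_USER"` match in _nft_fw_tpws4 is the loop guard that keeps tpws's own outbound connections from being DNATed back to itself, and quoting does not help when `WS_USER` is unset or empty: the rule text then becomes `skuid != oifname ...` or `skuid != tcp ...`, which nft should reject, so the dnat_output rule would be silently missing while the dnat_pre rule for LAN clients is still installed. Make the failure explicit at the top of the block: `[ -n "$WS_USER" ] || { echo "WS_USER is not set, refusing to add tpws redirect rules" >&2; return 1; }`. The same check belongs in _nft_fw_tpws6, whose body begins at the end of this hunk and continues in the next; _nft_fw_tpws4's signature is in the previous hunk.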
@@ -425,48 +382,43 @@ _nft_fw_tpws6() [ "$DISABLE_IPV6" = "1" -o -z "$1" ] || { local filter="$1" port="$2" DNAT6 i nft_print_op "$filter" "tpws (port $port)" 6 - nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port + nft_add_rule dnat_output skuid != "$WS_USER" ${4:+oifname @wanif6 }"$filter" ip6 daddr != @nozapret6 dnat ip6 to [::1]:"$port" [ -n "$3" ] && { - nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port + nft_add_rule dnat_pre "$filter" ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:"$port" for i in $3; do - _dnat6_target $i DNAT6 + _dnat6_target "$i" DNAT6 # can be multiple tpws processes on different ports [ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element link_local "$i : $DNAT6" done } } } -nft_fw_tpws() -{ +nft_fw_tpws() { # $1 - filter ipv4 # $2 - filter ipv6 # $3 - tpws port - nft_fw_tpws4 "$1" $3 - nft_fw_tpws6 "$2" $3 + nft_fw_tpws4 "$1" "$3" + nft_fw_tpws6 "$2" "$3" } -is_postnat() -{ +is_postnat() { [ "$POSTNAT" != 0 -o "$POSTNAT_ALL" = 1 ] } -get_postchain() -{ - if is_postnat ; then +get_postchain() { + if is_postnat; then echo -n postnat else echo -n postrouting fi } -get_prechain() -{ - if is_postnat ; then +get_prechain() { + if is_postnat; then echo -n prenat else echo -n prerouting fi } -_nft_fw_nfqws_post4() -{ +_nft_fw_nfqws_post4() { # $1 - filter ipv4 # $2 - queue number # $3 - not-empty if wan interface filtering required 
@@ -476,12 +428,11 @@ _nft_fw_nfqws_post4() nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4 rule="${3:+oifname @wanif }$filter ip daddr != @nozapret" is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT" - nft_add_rule $chain $rule $setmark queue num $port bypass + nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass nft_add_nfqws_flow_exempt_rule "$rule" } } -_nft_fw_nfqws_post6() -{ +_nft_fw_nfqws_post6() { # $1 - filter ipv6 # $2 - queue number # $3 - not-empty if wan interface filtering required @@ -491,22 +442,20 @@ _nft_fw_nfqws_post6() nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6 rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6" is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT" - nft_add_rule $chain $rule $setmark queue num $port bypass + nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass nft_add_nfqws_flow_exempt_rule "$rule" } } -nft_fw_nfqws_post() -{ - # $1 - filter ipv4 +nft_fw_nfqws_post() { + # $1 - filter IPv4 # $2 - filter ipv6 # $3 - queue number - nft_fw_nfqws_post4 "$1" $3 - nft_fw_nfqws_post6 "$2" $3 + nft_fw_nfqws_post4 "$1" "$3" + nft_fw_nfqws_post6 "$2" "$3" } -_nft_fw_nfqws_pre4() -{ +_nft_fw_nfqws_pre4() { # $1 - filter ipv4 # $2 - queue number # $3 - not-empty if wan interface filtering required @@ -515,11 +464,10 @@ _nft_fw_nfqws_pre4() local filter="$1" port="$2" rule nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4 rule="${3:+iifname @wanif }$filter ip saddr != @nozapret" - nft_add_rule $(get_prechain) $rule queue num $port bypass + nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass } } -_nft_fw_nfqws_pre6() -{ +_nft_fw_nfqws_pre6() { # $1 - filter ipv6 # $2 - queue number # $3 - not-empty if wan interface filtering required 
@@ -528,35 +476,31 @@ _nft_fw_nfqws_pre6() local filter="$1" port="$2" rule nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6 rule="${3:+iifname @wanif6 }$filter ip6 saddr != @nozapret6" - nft_add_rule $(get_prechain) $rule queue num $port bypass + nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass } } -nft_fw_nfqws_pre() -{ +nft_fw_nfqws_pre() { # $1 - filter ipv4 # $2 - filter ipv6 # $3 - queue number - nft_fw_nfqws_pre4 "$1" $3 - nft_fw_nfqws_pre6 "$2" $3 + nft_fw_nfqws_pre4 "$1" "$3" + nft_fw_nfqws_pre6 "$2" "$3" } -nft_fw_nfqws_both4() -{ +nft_fw_nfqws_both4() { # $1 - filter ipv4 # $2 - queue number nft_fw_nfqws_post4 "$@" - nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $1)" $2 + nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule "$1")" "$2" } -nft_fw_nfqws_both6() -{ +nft_fw_nfqws_both6() { # $1 - filter ipv6 # $2 - queue number nft_fw_nfqws_post6 "$@" - nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $1)" $2 + nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule "$1")" "$2" } -nft_fw_nfqws_both() -{ +nft_fw_nfqws_both() { # $1 - filter ipv4 # $2 - filter ipv6 # $3 - queue number @@ -564,26 +508,21 @@ nft_fw_nfqws_both() nft_fw_nfqws_both6 "$2" "$3" } -zapret_reload_ifsets() -{ - nft_only nft_create_table ; nft_fill_ifsets_overload +zapret_reload_ifsets() { + nft_only nft_create_table + nft_fill_ifsets_overload return 0 } -zapret_list_ifsets() -{ +zapret_list_ifsets() { nft_only nft_list_ifsets return 0 } -zapret_list_table() -{ +zapret_list_table() { nft_only nft_list_table return 0 } - - -nft_produce_reverse_nfqws_rule() -{ +nft_produce_reverse_nfqws_rule() { local rule="$1" if contains "$rule" "$nft_connbytes "; then # autohostlist - need several incoming packets 
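Review bot: zapret_reload_ifsets still calls `nft_fill_ifsets_overload` unconditionally while only `nft_create_table` goes through `nft_only`; splitting the old `;` line into two statements preserves that asymmetry rather than resolving it. Unless nft_fill_ifsets_overload checks FWTYPE on its own (its definition is not in this diff), a reload on an iptables-only host would try to populate sets in a table that nft_only just declined to create. Wrapping it the same way, `nft_only nft_fill_ifsets_overload`, keeps the two calls consistent with zapret_list_ifsets and zapret_list_table below, which gate their nft call.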
@@ -596,122 +535,117 @@ nft_produce_reverse_nfqws_rule() [ "$range" = 1 ] || range="1-$range" rule="$nft_connbytes $range $rule" fi - nft_reverse_nfqws_rule $rule + nft_reverse_nfqws_rule "$rule" } -nft_fw_reverse_nfqws_rule4() -{ - nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" $2 +nft_fw_reverse_nfqws_rule4() { + nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" "$2" } -nft_fw_reverse_nfqws_rule6() -{ - nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" $2 +nft_fw_reverse_nfqws_rule6() { + nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" "$2" } -nft_fw_reverse_nfqws_rule() -{ +nft_fw_reverse_nfqws_rule() { # ensure that modes relying on incoming traffic work # $1 - rule4 # $2 - rule6 # $3 - queue number - nft_fw_reverse_nfqws_rule4 "$1" $3 - nft_fw_reverse_nfqws_rule6 "$2" $3 + nft_fw_reverse_nfqws_rule4 "$1" "$3" + nft_fw_reverse_nfqws_rule6 "$2" "$3" } -zapret_apply_firewall_rules_nft() -{ +zapret_apply_firewall_rules_nft() { local mode="${MODE_OVERRIDE:-$MODE}" local first_packets_only local desync="mark and $DESYNC_MARK == 0" local f4 f6 qn qns qn6 qns6 - + first_packets_only="$nft_connbytes 1-$(first_packets_for_mode)" case "$mode" in - tpws) - if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then - echo both http and https are disabled. not applying redirection. - else - nft_filter_apply_port_target f4 - f6=$f4 - nft_filter_apply_ipset_target f4 f6 - nft_fw_tpws "$f4" "$f6" $TPPORT - fi - ;; - nfqws) - local POSTNAT_SAVE=$POSTNAT + tpws) + if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then + echo both HTTP and HTTPS are disabled. not applying redirection. 
+ else + nft_filter_apply_port_target f4 + f6=$f4 + nft_filter_apply_ipset_target f4 f6 + nft_fw_tpws "$f4" "$f6" "$TPPORT" + fi + ;; + nfqws) + local POSTNAT_SAVE=$POSTNAT - POSTNAT=1 - # quite complex but we need to minimize nfqws processes to save RAM - get_nfqws_qnums qn qns qn6 qns6 - if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then - nft_filter_apply_port_target f4 - f4="$f4 $first_packets_only" - nft_filter_apply_ipset_target4 f4 - nft_fw_nfqws_post4 "$f4 $desync" $qn - nft_fw_reverse_nfqws_rule4 "$f4" $qn - else - if [ -n "$qn" ]; then - f4="tcp dport {$HTTP_PORTS}" - [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only" - nft_filter_apply_ipset_target4 f4 - nft_fw_nfqws_post4 "$f4 $desync" $qn - nft_fw_reverse_nfqws_rule4 "$f4" $qn - fi - if [ -n "$qns" ]; then - f4="tcp dport {$HTTPS_PORTS} $first_packets_only" - nft_filter_apply_ipset_target4 f4 - nft_fw_nfqws_post4 "$f4 $desync" $qns - nft_fw_reverse_nfqws_rule4 "$f4" $qns - fi - fi - if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then - nft_filter_apply_port_target f6 - f6="$f6 $first_packets_only" - nft_filter_apply_ipset_target6 f6 - nft_fw_nfqws_post6 "$f6 $desync" $qn6 - nft_fw_reverse_nfqws_rule6 "$f6" $qn6 - else - if [ -n "$qn6" ]; then - f6="tcp dport {$HTTP_PORTS}" - [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only" - nft_filter_apply_ipset_target6 f6 - nft_fw_nfqws_post6 "$f6 $desync" $qn6 - nft_fw_reverse_nfqws_rule6 "$f6" $qn6 - fi - if [ -n "$qns6" ]; then - f6="tcp dport {$HTTPS_PORTS} $first_packets_only" - nft_filter_apply_ipset_target6 f6 - nft_fw_nfqws_post6 "$f6 $desync" $qns6 - nft_fw_reverse_nfqws_rule6 "$f6" $qns6 - fi - fi - - get_nfqws_qnums_quic qn qn6 + POSTNAT=1 + # quite complex but we need to minimize nfqws processes to save RAM + get_nfqws_qnums qn qns qn6 qns6 + if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then + nft_filter_apply_port_target f4 + 
f4="$f4 $first_packets_only" + nft_filter_apply_ipset_target4 f4 + nft_fw_nfqws_post4 "$f4 $desync" "$qn" + nft_fw_reverse_nfqws_rule4 "$f4" "$qn" + else if [ -n "$qn" ]; then - f4= - nft_filter_apply_port_target_quic f4 - f4="$f4 $first_packets_only" + f4="tcp dport {$HTTP_PORTS}" + [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only" nft_filter_apply_ipset_target4 f4 - nft_fw_nfqws_post4 "$f4 $desync" $qn + nft_fw_nfqws_post4 "$f4 $desync" "$qn" + nft_fw_reverse_nfqws_rule4 "$f4" "$qn" fi + if [ -n "$qns" ]; then + f4="tcp dport {$HTTPS_PORTS} $first_packets_only" + nft_filter_apply_ipset_target4 f4 + nft_fw_nfqws_post4 "$f4 $desync" "$qns" + nft_fw_reverse_nfqws_rule4 "$f4" "$qns" + fi + fi + if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then + nft_filter_apply_port_target f6 + f6="$f6 $first_packets_only" + nft_filter_apply_ipset_target6 f6 + nft_fw_nfqws_post6 "$f6 $desync" "$qn6" + nft_fw_reverse_nfqws_rule6 "$f6" "$qn6" + else if [ -n "$qn6" ]; then - f6= - nft_filter_apply_port_target_quic f6 - f6="$f6 $first_packets_only" + f6="tcp dport {$HTTP_PORTS}" + [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only" nft_filter_apply_ipset_target6 f6 - nft_fw_nfqws_post6 "$f6 $desync" $qn6 + nft_fw_nfqws_post6 "$f6 $desync" "$qn6" + nft_fw_reverse_nfqws_rule6 "$f6" "$qn6" fi + if [ -n "$qns6" ]; then + f6="tcp dport {$HTTPS_PORTS} $first_packets_only" + nft_filter_apply_ipset_target6 f6 + nft_fw_nfqws_post6 "$f6 $desync" "$qns6" + nft_fw_reverse_nfqws_rule6 "$f6" "$qns6" + fi + fi - POSTNAT=$POSTNAT_SAVE - ;; - custom) - existf zapret_custom_firewall_nft && zapret_custom_firewall_nft - ;; + get_nfqws_qnums_quic qn qn6 + if [ -n "$qn" ]; then + f4= + nft_filter_apply_port_target_quic f4 + f4="$f4 $first_packets_only" + nft_filter_apply_ipset_target4 f4 + nft_fw_nfqws_post4 "$f4 $desync" "$qn" + fi + if [ -n "$qn6" ]; then + f6= + nft_filter_apply_port_target_quic f6 + f6="$f6 $first_packets_only" + 
nft_filter_apply_ipset_target6 f6 + nft_fw_nfqws_post6 "$f6 $desync" "$qn6" + fi + + POSTNAT=$POSTNAT_SAVE + ;; + custom) + existf zapret_custom_firewall_nft && zapret_custom_firewall_nft + ;; esac } -zapret_apply_firewall_nft() -{ +zapret_apply_firewall_nft() { echo Applying nftables local mode="${MODE_OVERRIDE:-$MODE}" @@ -728,19 +662,17 @@ zapret_apply_firewall_nft() return 0 } -zapret_unapply_firewall_nft() -{ +zapret_unapply_firewall_nft() { echo Clearing nftables unprepare_route_localnet nft_del_firewall return 0 } -zapret_do_firewall_nft() -{ +zapret_do_firewall_nft() { # $1 - 1 - add, 0 - del - if [ "$1" = 0 ] ; then + if [ "$1" = 0 ]; then zapret_unapply_firewall_nft else zapret_apply_firewall_nft diff --git a/common/pf.sh b/common/pf.sh index a6fa57c..166ccba 100644 --- a/common/pf.sh +++ b/common/pf.sh @@ -6,14 +6,12 @@ PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6" std_ports -pf_anchor_root_reload() -{ +pf_anchor_root_reload() { echo reloading PF root anchor pfctl -qf "$PF_MAIN" } -pf_anchor_root() -{ +pf_anchor_root() { local patch [ -f "$PF_MAIN" ] && { grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" || { @@ -39,8 +37,8 @@ set limit table-entries 5000000 } grep -q '^anchor "zapret"$' "$PF_MAIN" && - grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" && - grep -q '^set limit table-entries' "$PF_MAIN" && { + grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" && + grep -q '^set limit table-entries' "$PF_MAIN" && { if [ -n "$patch" ]; then echo successfully patched $PF_MAIN pf_anchor_root_reload @@ -57,13 +55,11 @@ set limit table-entries 5000000 echo ---------------------------------- return 1 } -pf_anchor_root_del() -{ +pf_anchor_root_del() { sed -i '' -e '/^anchor "zapret"$/d' -e '/^rdr-anchor "zapret"$/d' -e '/^set limit table-entries/d' "$PF_MAIN" } -pf_anchor_zapret() -{ +pf_anchor_zapret() { [ "$DISABLE_IPV4" = "1" ] || { if [ -f "$ZIPLIST_EXCLUDE" ]; then echo "table persist file \"$ZIPLIST_EXCLUDE\"" 
@@ -83,8 +79,7 @@ pf_anchor_zapret() [ "$DISABLE_IPV4" = "1" ] || echo "anchor \"/zapret-v4\" inet to !" [ "$DISABLE_IPV6" = "1" ] || echo "anchor \"/zapret-v6\" inet6 to !" } -pf_anchor_zapret_tables() -{ +pf_anchor_zapret_tables() { # $1 - variable to receive applied table names # $2/$3 $4/$5 ... table_name/table_file local tblv=$1 @@ -92,22 +87,21 @@ pf_anchor_zapret_tables() shift [ "$MODE_FILTER" = "ipset" ] && - { - while [ -n "$1" ] && [ -n "$2" ] ; do - [ -f "$2" ] && { - echo "table <$1> file \"$2\"" - _tbl="$_tbl<$1> " - } - shift - shift - done - } + { + while [ -n "$1" ] && [ -n "$2" ]; do + [ -f "$2" ] && { + echo "table <$1> file \"$2\"" + _tbl="$_tbl<$1> " + } + shift + shift + done + } [ -n "$_tbl" ] || _tbl="any" - eval $tblv="\"\$_tbl\"" + eval "$tblv"="\"\$_tbl\"" } -pf_anchor_port_target() -{ +pf_anchor_port_target() { if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}" elif [ "$MODE_HTTPS" = "1" ]; then @@ -117,20 +111,19 @@ pf_anchor_port_target() fi } -pf_anchor_zapret_v4_tpws() -{ +pf_anchor_zapret_v4_tpws() { # $1 - port local rule port=$(pf_anchor_port_target) for lan in $IFACE_LAN; do for t in $tbl; do - echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1" + echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1" done done echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1" for t in $tbl; do rule="route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }" - if [ -n "$IFACE_WAN" ] ; then + if [ -n "$IFACE_WAN" ]; then for wan in $IFACE_WAN; do echo "pass out on $wan $rule" done 
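Review bot: pf_anchor_zapret_tables fails open in ipset mode: a table file that does not exist is skipped silently by `[ -f "$2" ] && { ... }`, and when none is found `_tbl` falls back to `any`, so the rdr and route-to rules the callers build from `$tbl` apply to every destination rather than to the configured lists. For other MODE_FILTER values `any` is the intended result, but for ipset it turns a missing or mis-pathed list file into a redirect of all traffic. Because this function's stdout is the anchor file, the diagnostic has to go to stderr, e.g. right before the fallback: `[ "$MODE_FILTER" = "ipset" ] && [ -z "$_tbl" ] && echo "WARNING: MODE_FILTER=ipset but no ipset table file was found, rules will match any destination" >&2`. Whether to refuse with a non-zero return instead of warning is a policy decision for the project; the `eval "$tblv"=...` quoting change below it is cosmetic since eval re-parses the string.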
@@ -140,31 +133,29 @@ pf_anchor_zapret_v4_tpws() done } -pf_anchor_zapret_v4() -{ +pf_anchor_zapret_v4() { local tbl port [ "$DISABLE_IPV4" = "1" ] || { case $MODE in - tpws) - [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return - pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" - pf_anchor_zapret_v4_tpws $TPPORT - ;; - custom) - pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" - existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4 - ;; + tpws) + [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return + pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" + pf_anchor_zapret_v4_tpws "$TPPORT" + ;; + custom) + pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" + existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4 + ;; esac } } -pf_anchor_zapret_v6_tpws() -{ +pf_anchor_zapret_v6_tpws() { # $1 - port local LL_LAN rule port=$(pf_anchor_port_target) # LAN link local is only for router for lan in $IFACE_LAN; do - LL_LAN=$(get_ipv6_linklocal $lan) + LL_LAN=$(get_ipv6_linklocal "$lan") [ -n "$LL_LAN" ] && { for t in $tbl; do echo "rdr on $lan inet6 proto tcp from any to $t port $port -> $LL_LAN port $1" @@ -174,7 +165,7 @@ pf_anchor_zapret_v6_tpws() echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1" for t in $tbl; do rule="route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }" - if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ] ; then + if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ]; then for wan in ${IFACE_WAN6:-$IFACE_WAN}; do echo "pass out on $wan $rule" done 
@@ -183,38 +174,34 @@ pf_anchor_zapret_v6_tpws() fi done } -pf_anchor_zapret_v6() -{ +pf_anchor_zapret_v6() { local tbl port [ "$DISABLE_IPV6" = "1" ] || { case $MODE in - tpws) - [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return - pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" - pf_anchor_zapret_v6_tpws $TPPORT - ;; - custom) - pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" - existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6 - ;; + tpws) + [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return + pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" + pf_anchor_zapret_v6_tpws "$TPPORT" + ;; + custom) + pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" + existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6 + ;; esac } } -pf_anchors_create() -{ +pf_anchors_create() { wait_lan_ll pf_anchor_zapret >"$PF_ANCHOR_ZAPRET" pf_anchor_zapret_v4 >"$PF_ANCHOR_ZAPRET_V4" pf_anchor_zapret_v6 >"$PF_ANCHOR_ZAPRET_V6" } -pf_anchors_del() -{ +pf_anchors_del() { rm -f "$PF_ANCHOR_ZAPRET" "$PF_ANCHOR_ZAPRET_V4" "$PF_ANCHOR_ZAPRET_V6" } -pf_anchors_load() -{ +pf_anchors_load() { echo loading zapret anchor from "$PF_ANCHOR_ZAPRET" pfctl -qa zapret -f "$PF_ANCHOR_ZAPRET" || { echo error loading zapret anchor @@ -243,20 +230,17 @@ pf_anchors_load() echo successfully loaded PF anchors return 0 } -pf_anchors_clear() -{ +pf_anchors_clear() { echo clearing zapret anchors pfctl -qa zapret-v4 -F all 2>/dev/null pfctl -qa zapret-v6 -F all 2>/dev/null pfctl -qa zapret -F all 2>/dev/null } -pf_enable() -{ +pf_enable() { echo enabling PF pfctl -qe } -pf_table_reload() -{ +pf_table_reload() { echo reloading zapret tables [ "$DISABLE_IPV4" = "1" ] || pfctl -qTl -a zapret-v4 -f "$PF_ANCHOR_ZAPRET_V4" [ "$DISABLE_IPV6" = "1" ] || pfctl -qTl -a zapret-v6 -f "$PF_ANCHOR_ZAPRET_V6" 
diff --git a/common/queue.sh b/common/queue.sh index 15badfe..156a7fc 100644 --- a/common/queue.sh +++ b/common/queue.sh @@ -1,5 +1,4 @@ -apply_unspecified_desync_modes() -{ +apply_unspecified_desync_modes() { NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}" NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}" NFQWS_OPT_DESYNC_HTTP6="${NFQWS_OPT_DESYNC_HTTP6:-$NFQWS_OPT_DESYNC_HTTP}" @@ -7,8 +6,7 @@ apply_unspecified_desync_modes() NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}" } -get_nfqws_qnums() -{ +get_nfqws_qnums() { # $1 - var name for ipv4 http # $2 - var name for ipv4 https # $3 - var name for ipv6 http 
@@ -18,63 +16,62 @@ get_nfqws_qnums() [ "$DISABLE_IPV4" = "1" ] || { _qn=$QNUM _qns=$_qn - [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM+1)) + [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM + 1)) } [ "$DISABLE_IPV6" = "1" ] || { - _qn6=$(($QNUM+2)) - _qns6=$(($QNUM+3)) + _qn6=$(($QNUM + 2)) + _qns6=$(($QNUM + 3)) [ "$DISABLE_IPV4" = "1" ] || { if [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then - _qn6=$_qn; + _qn6=$_qn elif [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then - _qn6=$_qns; + _qn6=$_qns fi if [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then - _qns6=$_qn; + _qns6=$_qn elif [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then - _qns6=$_qns; + _qns6=$_qns fi } - [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6; + [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6 } if [ "$MODE_HTTP" = 1 ]; then - eval $1=$_qn - eval $3=$_qn6 + eval "$1"="$_qn" + eval "$3"="$_qn6" else - eval $1= - eval $3= + eval "$1"= + eval "$3"= fi if [ "$MODE_HTTPS" = 1 ]; then - eval $2=$_qns - eval $4=$_qns6 + eval "$2"="$_qns" + eval "$4"="$_qns6" else - eval $2= - eval $4= + eval "$2"= + eval "$4"= fi } -get_nfqws_qnums_quic() -{ +get_nfqws_qnums_quic() { # $1 - var name for ipv4 quic # $2 - var name for ipv6 quic local _qn _qn6 [ "$DISABLE_IPV4" = "1" ] || { - _qn=$(($QNUM+10)) + _qn=$(($QNUM + 10)) } [ "$DISABLE_IPV6" = "1" ] || { - _qn6=$(($QNUM+11)) + _qn6=$(($QNUM + 11)) [ "$DISABLE_IPV4" = "1" ] || { if [ "$NFQWS_OPT_DESYNC_QUIC" = "$NFQWS_OPT_DESYNC_QUIC6" ]; then - _qn6=$_qn; + _qn6=$_qn fi } } if [ "$MODE_QUIC" = 1 ]; then - eval $1=$_qn - eval $2=$_qn6 + eval "$1"=$_qn + eval "$2"=$_qn6 else - eval $1= - eval $2= + eval "$1"= + eval "$2"= fi } diff --git a/common/virt.sh b/common/virt.sh index 6e566d6..5c9cb28 100644 --- a/common/virt.sh +++ b/common/virt.sh 
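Review bot: The indirect assignments in get_nfqws_qnums_quic are written `eval "$1"=$_qn` and `eval "$2"=$_qn6`, while the same operation a few lines earlier in get_nfqws_qnums is written `eval "$1"="$_qn"`; within one formatting commit the two functions should agree. Behaviour is identical because the values are integers, but the unquoted form is the one the linter keeps flagging, so use `eval "$1"="$_qn"` and `eval "$2"="$_qn6"` here as well. While touching these lines, `$((QNUM + 1))` drops the redundant `$` inside arithmetic.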
@@ -1,28 +1,26 @@ -get_virt() -{ +get_virt() { local vm s v UNAME UNAME=$(uname) case "$UNAME" in - Linux) - if exists systemd-detect-virt; then - vm=$(systemd-detect-virt --vm) - elif [ -f /sys/class/dmi/id/product_name ]; then - read s ... -zapret_custom_firewall_v4() -{ +zapret_custom_firewall_v4() { pf_anchor_zapret_v4_tpws $TPPORT_MY } -zapret_custom_firewall_v6() -{ +zapret_custom_firewall_v6() { pf_anchor_zapret_v6_tpws $TPPORT_MY } diff --git a/init.d/macos/custom.default b/init.d/macos/custom.default index e00e1c8..e36932a 100644 --- a/init.d/macos/custom.default +++ b/init.d/macos/custom.default @@ -2,8 +2,7 @@ # use helpers from "functions" file # in case of upgrade keep this file only, do not modify others -zapret_custom_daemons() -{ +zapret_custom_daemons() { # $1 - 1 - run, 0 - stop : } @@ -11,11 +10,9 @@ zapret_custom_daemons() # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors # they come after automated table definitions. so you can use ... -zapret_custom_firewall_v4() -{ +zapret_custom_firewall_v4() { : } -zapret_custom_firewall_v6() -{ +zapret_custom_firewall_v6() { : } diff --git a/init.d/macos/functions b/init.d/macos/functions index 45f678e..775a50b 100644 --- a/init.d/macos/functions +++ b/init.d/macos/functions @@ -21,8 +21,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30" CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom" [ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT" -run_daemon() -{ +run_daemon() { # $1 - daemon number : 1,2,3,... # $2 - daemon # $3 - daemon args @@ -31,14 +30,13 @@ run_daemon() local PIDFILE="$PIDDIR/$DAEMONBASE$1.pid" local ARGS="--daemon --pidfile=$PIDFILE $3" [ -f "$PIDFILE" ] && pgrep -qF "$PIDFILE" && { - echo Already running $1: $2 + echo Already running "$1": "$2" return 0 } echo "Starting daemon $1: $2 $ARGS" - "$2" $ARGS + "$2" "$ARGS" } -stop_daemon() -{ +stop_daemon() { # $1 - daemon number : 1,2,3,... # $2 - daemon # use $PIDDIR/$DAEMONBASE$1.pid as pidfile 
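Review bot: `"$2" "$ARGS"` in run_daemon (init.d/macos/functions) is a functional regression, not a quoting fix: `ARGS` is built two lines above as a string of several options, `--daemon --pidfile=$PIDFILE $3`, and quoting it hands the daemon one argument containing spaces, so tpws will not recognise its options. The original `"$2" $ARGS` relied on word splitting on purpose; keep it and record the intent with `# shellcheck disable=SC2086 -- ARGS is a deliberately word-split option string` on the line above. The same regression is introduced in the run_daemon of init.d/openwrt/zapret, where `procd_set_param command "$2" "$3"` now passes the daemon option string as a single argv element, and `$PIDDIR/"$DAEMONBASE"$1.pid` on the next line there is half-quoted; quote the whole path or none of it.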
@@ -49,19 +47,17 @@ stop_daemon() [ -f "$PIDFILE" ] && read PID <"$PIDFILE" [ -n "$PID" ] && { echo "Stopping daemon $1: $2 (PID=$PID)" - kill $PID + kill "$PID" rm -f "$PIDFILE" } return 0 } -do_daemon() -{ +do_daemon() { # $1 - 1 - run, 0 - stop on_off_function run_daemon stop_daemon "$@" } -tpws_apply_binds() -{ +tpws_apply_binds() { local o [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" [ "$DISABLE_IPV6" = "1" ] || { @@ -69,32 +65,29 @@ tpws_apply_binds() o="$o --bind-iface6=$i --bind-linklocal=force $TPWS_WAIT" done } - eval $1="\"\$$1 $o\"" + eval "$1"="\"\$$1 $o\"" } -tpws_apply_socks_binds() -{ +tpws_apply_socks_binds() { local o [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" - + for lan in $IFACE_LAN; do - [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT" - [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" done - eval $1="\"\$$1 $o\"" + eval "$1"="\"\$$1 $o\"" } -wait_interface_ll() -{ - echo waiting for an ipv6 link local address on $1 ... - "$TPWS" --bind-wait-only --bind-iface6=$1 --bind-linklocal=force $TPWS_WAIT +wait_interface_ll() { + echo waiting for an IPv6 link local address on "$1" ... + "$TPWS" --bind-wait-only --bind-iface6="$1" --bind-linklocal=force "$TPWS_WAIT" } -wait_lan_ll() -{ +wait_lan_ll() { [ "$DISABLE_IPV6" != "1" ] && { for lan in $IFACE_LAN; do - wait_interface_ll $lan >&2 || { + wait_interface_ll "$lan" >&2 || { echo "wait interface failed on $lan" return 1 } 
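Review bot: `"$TPWS_WAIT"` in wait_interface_ll is the same kind of regression as the quoted `"$ARGS"` in run_daemon: `TPWS_WAIT` is a multi-option string (this file derives `TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"` from it and init.d/openwrt/zapret sets it to `--bind-wait-ifup=30 --bind-wait-ip=30`), so quoting it passes both options to tpws as one unrecognised argument. Keep the split expansion, `"$TPWS" --bind-wait-only --bind-iface6="$1" --bind-linklocal=force $TPWS_WAIT`, with a `# shellcheck disable=SC2086 -- option string` comment. Elsewhere in this hunk `$TPWS_WAIT` and `$TPWS_WAIT_SOCKS6` are correctly left to be split when appended to `o`, which confirms the option-string convention.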
@@ -102,30 +95,27 @@ wait_lan_ll() } return 0 } -get_ipv6_linklocal() -{ - ifconfig $1 | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p' +get_ipv6_linklocal() { + ifconfig "$1" | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p' } - -zapret_do_firewall() -{ +zapret_do_firewall() { # $1 - 1 - add, 0 - del [ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK [ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK case "${MODE_OVERRIDE:-$MODE}" in - tpws|filter|custom) - if [ "$1" = "1" ] ; then - pf_anchor_root || return 1 - pf_anchors_create - pf_anchors_load || return 1 - pf_enable - else - pf_anchors_clear - fi - ;; + tpws | filter | custom) + if [ "$1" = "1" ]; then + pf_anchor_root || return 1 + pf_anchors_create + pf_anchors_load || return 1 + pf_enable + else + pf_anchors_clear + fi + ;; esac [ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK 
@@ -133,75 +123,65 @@ zapret_do_firewall() return 0 } -zapret_apply_firewall() -{ +zapret_apply_firewall() { zapret_do_firewall 1 "$@" } -zapret_unapply_firewall() -{ +zapret_unapply_firewall() { zapret_do_firewall 0 "$@" } -zapret_restart_firewall() -{ +zapret_restart_firewall() { zapret_unapply_firewall "$@" zapret_apply_firewall "$@" } - - -zapret_do_daemons() -{ +zapret_do_daemons() { # $1 - 1 - run, 0 - stop local opt case "${MODE_OVERRIDE:-$MODE}" in - tpws) - [ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && { - echo "both ipv4 and ipv6 are disabled. nothing to do" - return 0 - } - # MacOS requires root. kernel hardcoded requirement for /dev/pf ioctls - opt="--user=root --port=$TPPORT" - filter_apply_hostlist_target opt - tpws_apply_binds opt - opt="$opt $TPWS_OPT" - do_daemon $1 1 "$TPWS" "$opt" - ;; - tpws-socks) - [ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && { - echo "both ipv4 and ipv6 are disabled. nothing to do" - return 0 - } - opt="--socks --user=$WS_USER --port=$TPPORT" - tpws_apply_socks_binds opt - filter_apply_hostlist_target opt - opt="$opt $TPWS_OPT" - do_daemon $1 1 "$TPWS" "$opt" - ;; - filter) - ;; - custom) - existf zapret_custom_daemons && zapret_custom_daemons $1 - ;; - *) - echo "unsupported MODE=$MODE" - return 1 - ;; + tpws) + [ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && { + echo "both IPv4 and IPv6 are disabled. nothing to do" + return 0 + } + # macOS requires root. kernel hardcoded requirement for /dev/pf ioctls + opt="--user=root --port=$TPPORT" + filter_apply_hostlist_target opt + tpws_apply_binds opt + opt="$opt $TPWS_OPT" + do_daemon "$1" 1 "$TPWS" "$opt" + ;; + tpws-socks) + [ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && { + echo "both IPv4 and IPv6 are disabled. 
nothing to do" + return 0 + } + opt="--socks --user=$WS_USER --port=$TPPORT" + tpws_apply_socks_binds opt + filter_apply_hostlist_target opt + opt="$opt $TPWS_OPT" + do_daemon "$1" 1 "$TPWS" "$opt" + ;; + filter) ;; + custom) + existf zapret_custom_daemons && zapret_custom_daemons "$1" + ;; + *) + echo "unsupported MODE=$MODE" + return 1 + ;; esac return 0 } -zapret_run_daemons() -{ +zapret_run_daemons() { zapret_do_daemons 1 "$@" } -zapret_stop_daemons() -{ +zapret_stop_daemons() { zapret_do_daemons 0 "$@" } -zapret_restart_daemons() -{ +zapret_restart_daemons() { zapret_stop_daemons "$@" zapret_run_daemons "$@" } diff --git a/init.d/macos/zapret b/init.d/macos/zapret index 17f7897..4503466 100755 --- a/init.d/macos/zapret +++ b/init.d/macos/zapret 
@@ -2,48 +2,51 @@ EXEDIR="$(dirname "$0")" ZAPRET_BASE="$EXEDIR/../.." -ZAPRET_BASE="$(cd "$ZAPRET_BASE"; pwd)" +ZAPRET_BASE="$( + cd "$ZAPRET_BASE" + pwd +)" . "$EXEDIR/functions" case "$1" in - start) - zapret_run_daemons - [ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall - ;; - stop) - [ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall - zapret_stop_daemons - ;; - restart) - "$0" stop - "$0" start - ;; +start) + zapret_run_daemons + [ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall + ;; +stop) + [ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall + zapret_stop_daemons + ;; +restart) + "$0" stop + "$0" start + ;; - start-fw|start_fw) - zapret_apply_firewall - ;; - stop-fw|stop_fw) - zapret_unapply_firewall - ;; - restart-fw|stop_fw) - zapret_restart_firewall - ;; - reload-fw-tables|reload_fw_tables) - pf_table_reload - ;; - - start-daemons|start_daemons) - zapret_run_daemons - ;; - stop-daemons|stop_daemons) - zapret_stop_daemons - ;; - restart-daemons|restart_daemons) - zapret_restart_daemons - ;; - - *) +start-fw | start_fw) + zapret_apply_firewall + ;; +stop-fw | stop_fw) + zapret_unapply_firewall + ;; +restart-fw | stop_fw) + zapret_restart_firewall + ;; +reload-fw-tables | reload_fw_tables) + pf_table_reload + ;; + +start-daemons | start_daemons) + zapret_run_daemons + ;; +stop-daemons | stop_daemons) + zapret_stop_daemons + ;; +restart-daemons | restart_daemons) + zapret_restart_daemons + ;; + +*) N="$SCRIPT/$NAME" echo "Usage: $N {start|stop|start-fw|stop-fw|restart-fw|reload-fw-tables|start-daemons|stop-daemons|restart-daemons}" >&2 exit 1 diff --git a/init.d/openrc/zapret b/init.d/openrc/zapret index 3a1ca58..66a330a 100755 --- a/init.d/openrc/zapret +++ b/init.d/openrc/zapret 
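Review bot: The new `ZAPRET_BASE="$( cd "$ZAPRET_BASE"; pwd )"` block in init.d/macos/zapret still ignores the exit status of `cd`: if the directory is missing, the subshell prints the caller's working directory and the script goes on sourcing and writing under a wrong base path. Write `cd "$ZAPRET_BASE" || exit` inside the substitution; the EXEDIR block in init.d/openrc/zapret has the same omission. Separately, the re-indented `restart-fw | stop_fw)` arm can never match `stop_fw`, which the earlier `stop-fw | stop_fw)` arm already takes, so the underscore spelling of restart is missing; it was presumably meant to read `restart-fw | restart_fw)`, matching the other pairs.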
@@ -4,7 +4,10 @@ # on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d EXEDIR=$(dirname "$RC_SERVICE") -EXEDIR="$(cd "$EXEDIR"; pwd)" +EXEDIR="$( + cd "$EXEDIR" + pwd +)" ZAPRET_BASE="$EXEDIR/../.." ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret" @@ -23,47 +26,36 @@ description_restart_daemons="Restart zapret firewall only" depend() { rc-service -e networking && need networking } -start() -{ +start() { "$ZAPRET_INIT" start } -stop() -{ +stop() { "$ZAPRET_INIT" stop } -start_fw() -{ +start_fw() { "$ZAPRET_INIT" start_fw } -stop_fw() -{ +stop_fw() { "$ZAPRET_INIT" stop_fw } -restart_fw() -{ +restart_fw() { "$ZAPRET_INIT" restart_fw } -start_daemons() -{ +start_daemons() { "$ZAPRET_INIT" start_daemons } -stop_daemons() -{ +stop_daemons() { "$ZAPRET_INIT" stop_daemons } -restart_daemons() -{ +restart_daemons() { "$ZAPRET_INIT" restart_daemons } -reload_ifsets() -{ +reload_ifsets() { "$ZAPRET_INIT" reload_ifsets } -list_ifsets() -{ +list_ifsets() { "$ZAPRET_INIT" list_ifsets } -list_table() -{ +list_table() { "$ZAPRET_INIT" list_table } diff --git a/init.d/openwrt/90-zapret b/init.d/openwrt/90-zapret index 8cb05f5..797f006 100644 --- a/init.d/openwrt/90-zapret +++ b/init.d/openwrt/90-zapret @@ -2,8 +2,7 @@ ZAPRET=/etc/init.d/zapret -check_lan() -{ +check_lan() { IS_LAN= [ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan for lan in $OPENWRT_LAN; do @@ -13,8 +12,7 @@ check_lan() } done } -check_need_to_reload_tpws6() -{ +check_need_to_reload_tpws6() { # tpws6 dnat target nft map can only be reloaded within firewall apply procedure # interface ifsets (wanif, wanif6, lanif) can be reloaded independently check_lan 
@@ -22,7 +20,6 @@ check_need_to_reload_tpws6() [ "$ACTION" = "ifup" -a "$DISABLE_IPV6" != 1 -a -n "$IS_LAN" ] && [ "$MODE" = "tpws" -o "$MODE" = "custom" ] && RELOAD_TPWS6=1 } - [ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && { SCRIPT=$(readlink "$ZAPRET") if [ -n "$SCRIPT" ]; then @@ -37,27 +34,27 @@ check_need_to_reload_tpws6() check_need_to_reload_tpws6 [ -n "$RELOAD_TPWS6" ] && { - logger -t zapret restarting daemons due to $ACTION of $INTERFACE to update tpws6 dnat target + logger -t zapret restarting daemons due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target "$ZAPRET" restart_daemons } . "$ZAPRET_BASE/common/base.sh" . "$ZAPRET_BASE/common/fwtype.sh" linux_fwtype case "$FWTYPE" in - nftables) - if [ -n "$RELOAD_TPWS6" ] ; then - logger -t zapret reloading nftables due to $ACTION of $INTERFACE to update tpws6 dnat target - "$ZAPRET" restart_fw - else - logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE - "$ZAPRET" reload_ifsets - fi - ;; - iptables) - openwrt_fw3 || { - logger -t zapret reloading iptables due to $ACTION of $INTERFACE - "$ZAPRET" restart_fw - } - ;; + nftables) + if [ -n "$RELOAD_TPWS6" ]; then + logger -t zapret reloading nftables due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target + "$ZAPRET" restart_fw + else + logger -t zapret reloading nftables ifsets due to "$ACTION" of "$INTERFACE" + "$ZAPRET" reload_ifsets + fi + ;; + iptables) + openwrt_fw3 || { + logger -t zapret reloading iptables due to "$ACTION" of "$INTERFACE" + "$ZAPRET" restart_fw + } + ;; esac } diff --git a/init.d/openwrt/custom-nfqws-dht4all b/init.d/openwrt/custom-nfqws-dht4all index 069aa4b..7fdbdbf 100644 --- a/init.d/openwrt/custom-nfqws-dht4all +++ b/init.d/openwrt/custom-nfqws-dht4all 
@@ -1,10 +1,9 @@ # this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5" -QNUM2=$(($QNUM+20)) +QNUM2=$(($QNUM + 20)) -zapret_custom_daemons() -{ +zapret_custom_daemons() { # stop logic is managed by procd local MODE_OVERRIDE=nfqws @@ -13,10 +12,9 @@ zapret_custom_daemons() start_daemons_procd opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" - run_daemon 100 $NFQWS "$opt" + run_daemon 100 "$NFQWS" "$opt" } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=nfqws @@ -24,15 +22,14 @@ zapret_custom_firewall() local first_packet_only="$ipt_connbytes 1:1" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 + zapret_do_firewall_rules_ipt "$1" f='-p udp -m length --length 109:407 -m u32 --u32' - uf4='0>>22&0x3C@8>>16=0x6431' - uf6='48>>16=0x6431' - fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2 + uf4='0>>22&0x3C@8>>16=0x6431' + uf6='48>>16=0x6431' + fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2 } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local MODE_OVERRIDE=nfqws diff --git a/init.d/openwrt/custom-nfqws-quic4all b/init.d/openwrt/custom-nfqws-quic4all index 26dfcc7..3e04966 100644 --- a/init.d/openwrt/custom-nfqws-quic4all +++ b/init.d/openwrt/custom-nfqws-quic4all @@ -2,10 +2,9 @@ # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received -QNUM2=$(($QNUM+10)) +QNUM2=$(($QNUM + 10)) -zapret_custom_daemons() -{ +zapret_custom_daemons() { # stop logic is managed by procd local MODE_OVERRIDE=nfqws 
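Review bot: In zapret_custom_firewall of init.d/openwrt/custom-nfqws-dht4all the last argument of `fw_nfqws_post "$1" "..." "..." $QNUM2` is left unquoted while every other expansion on the line was just quoted; the equivalent line in init.d/openwrt/custom-tpws4http-nfqws4https quotes `"$QNUM"`. The value is numeric so behaviour does not change, but for a uniform convention quote it as `"$QNUM2"` here and in init.d/openwrt/custom-nfqws-quic4all, and `"$MY_TPPORT"` in init.d/openwrt/custom-reuse-builtin-mode.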
@@ -14,10 +13,9 @@ zapret_custom_daemons() start_daemons_procd opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - run_daemon 100 $NFQWS "$opt" + run_daemon 100 "$NFQWS" "$opt" } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=nfqws @@ -25,14 +23,13 @@ zapret_custom_firewall() local first_packets_only="$ipt_connbytes 1:3" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 + zapret_do_firewall_rules_ipt "$1" f="-p udp -m multiport --dports $QUIC_PORTS_IPT" - fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 + fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local MODE_OVERRIDE=nfqws diff --git a/init.d/openwrt/custom-reuse-builtin-mode b/init.d/openwrt/custom-reuse-builtin-mode index 39c16e8..1dda7b1 100644 --- a/init.d/openwrt/custom-reuse-builtin-mode +++ b/init.d/openwrt/custom-reuse-builtin-mode @@ -4,8 +4,7 @@ MY_TPPORT=$(($TPPORT + 1)) MY_TPWS_OPT="--methodeol --hostcase" MY_DPORT=81 -zapret_custom_daemons() -{ +zapret_custom_daemons() { # stop logic is managed by procd local MODE_OVERRIDE=tpws @@ -17,22 +16,20 @@ zapret_custom_daemons() filter_apply_hostlist_target opt run_tpws 100 "$opt" } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=tpws local f4 f6 - zapret_do_firewall_rules_ipt $1 + zapret_do_firewall_rules_ipt "$1" f4="-p tcp --dport $MY_DPORT" f6=$f4 filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $MY_TPPORT + fw_tpws "$1" "$f4" "$f6" $MY_TPPORT } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local MODE_OVERRIDE=tpws diff --git a/init.d/openwrt/custom-tpws4http-nfqws4https b/init.d/openwrt/custom-tpws4http-nfqws4https index 5515d09..3ec2528 100644 
--- a/init.d/openwrt/custom-tpws4http-nfqws4https +++ b/init.d/openwrt/custom-tpws4http-nfqws4https @@ -1,8 +1,7 @@ # this custom script demonstrates how to apply tpws to http and nfqws to https # it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS -zapret_custom_daemons() -{ +zapret_custom_daemons() { # stop logic is managed by procd local opt @@ -16,11 +15,10 @@ zapret_custom_daemons() [ "$MODE_HTTPS" = "1" ] && { opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS" filter_apply_hostlist_target opt - run_daemon 2 $NFQWS "$opt" + run_daemon 2 "$NFQWS" "$opt" } } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local f4 f6 @@ -31,18 +29,17 @@ zapret_custom_firewall() f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT" f6=$f4 filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $TPPORT + fw_tpws "$1" "$f4" "$f6" "$TPPORT" } - + [ "$MODE_HTTPS" = "1" ] && { f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only" f6=$f4 filter_apply_ipset_target f4 f6 - fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM + fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM" } } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local f4 f6 @@ -53,15 +50,15 @@ zapret_custom_firewall_nft() f4="tcp dport {$HTTP_PORTS}" f6=$f4 nft_filter_apply_ipset_target f4 f6 - nft_fw_tpws "$f4" "$f6" $TPPORT + nft_fw_tpws "$f4" "$f6" "$TPPORT" } - + [ "$MODE_HTTPS" = "1" ] && { f4="tcp dport {$HTTPS_PORTS} $first_packet_only" f6=$f4 nft_filter_apply_ipset_target f4 f6 - nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM + nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM" # for modes that require incoming traffic - nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM + nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM" } } diff --git a/init.d/openwrt/custom.default b/init.d/openwrt/custom.default index 508013e..21f7782 100644 
--- a/init.d/openwrt/custom.default +++ b/init.d/openwrt/custom.default @@ -2,8 +2,7 @@ # use helpers from "functions" file and "zapret" init script # in case of upgrade keep this file only, do not modify others -zapret_custom_daemons() -{ +zapret_custom_daemons() { # stop logic is managed by procd # PLACEHOLDER @@ -13,8 +12,7 @@ zapret_custom_daemons() run_daemon 1 /bin/sleep 20 } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop # PLACEHOLDER @@ -22,8 +20,7 @@ zapret_custom_firewall() echo Configure iptables for required actions echo Study how other sections work } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required # PLACEHOLDER diff --git a/init.d/openwrt/firewall.zapret b/init.d/openwrt/firewall.zapret index a09d74d..cd37ac1 100644 --- a/init.d/openwrt/firewall.zapret +++ b/init.d/openwrt/firewall.zapret @@ -1,9 +1,9 @@ SCRIPT=$(readlink /etc/init.d/zapret) if [ -n "$SCRIPT" ]; then - EXEDIR=$(dirname "$SCRIPT") - ZAPRET_BASE=$(readlink -f "$EXEDIR/../..") + EXEDIR=$(dirname "$SCRIPT") + ZAPRET_BASE=$(readlink -f "$EXEDIR/../..") else - ZAPRET_BASE=/opt/zapret + ZAPRET_BASE=/opt/zapret fi . "$ZAPRET_BASE/init.d/openwrt/functions" diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions index c46d866..5123746 100644 --- a/init.d/openwrt/functions +++ b/init.d/openwrt/functions 
@@ -35,75 +35,65 @@ IPSET_EXCLUDE6="-m set ! --match-set nozapret6" apply_unspecified_desync_modes - -# can be multiple ipv6 outgoing interfaces -# uplink from isp, tunnelbroker, vpn, ... +# can be multiple IPv6 outgoing interfaces +# uplink from ISP, tunnelbroker, VPN, ... # want them all. who knows what's the real one that blocks sites # dont want any manual configuration - want to do it automatically # standard network_find_wan[6] return only the first # we use low level function from network.sh to avoid this limitation # it can change theoretically and stop working -network_find_wan4_all() -{ +network_find_wan4_all() { if [ -n "$OPENWRT_WAN4" ]; then - eval $1="\$OPENWRT_WAN4" + eval "$1"="\$OPENWRT_WAN4" else __network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return - network_find_wan $1 + network_find_wan "$1" fi } -network_find_wan_all() -{ +network_find_wan_all() { network_find_wan4_all "$@" } -network_find_wan6_all() -{ +network_find_wan6_all() { if [ -n "$OPENWRT_WAN6" ]; then - eval $1="\$OPENWRT_WAN6" + eval "$1"="\$OPENWRT_WAN6" else __network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return - network_find_wan6 $1 + network_find_wan6 "$1" fi } -network_find_wanX_devices() -{ +network_find_wanX_devices() { # $1 - ip version: 4 or 6 # $2 - variable to put result to local ifaces - network_find_wan${1}_all ifaces - call_for_multiple_items network_get_device $2 "$ifaces" + network_find_wan"${1}"_all ifaces + call_for_multiple_items network_get_device "$2" "$ifaces" } - -dnat6_target() -{ - # $1 - lan network name +dnat6_target() { + # $1 - LAN network name # $2 - var to store target ip6 - network_is_up $1 || { - [ -n "$2" ] && eval $2='' + network_is_up "$1" || { + [ -n "$2" ] && eval "$2"='' return } local DEVICE - network_get_device DEVICE $1 + network_get_device DEVICE "$1" - _dnat6_target $DEVICE $2 + _dnat6_target "$DEVICE" "$2" } -set_route_localnet() -{ 
+set_route_localnet() { # $1 - 1 = enable, 0 = disable local DLAN call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN" - _set_route_localnet $1 $DLAN + _set_route_localnet "$1" "$DLAN" } - -fw_nfqws_prepost_x() -{ +fw_nfqws_prepost_x() { # $1 - 1 - add, 0 - del # $2 - filter # $3 - queue number @@ -111,29 +101,24 @@ fw_nfqws_prepost_x() # $5 - post/pre local ifaces DWAN - network_find_wan${4}_all ifaces + network_find_wan"${4}"_all ifaces call_for_multiple_items network_get_device DWAN "$ifaces" - [ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)" + [ -n "$DWAN" ] && _fw_nfqws_"${5}"${4} "$1" "$2" "$3" "$(unique "$DWAN")" } -fw_nfqws_post4() -{ - fw_nfqws_prepost_x $1 "$2" $3 4 post +fw_nfqws_post4() { + fw_nfqws_prepost_x "$1" "$2" "$3" 4 post } -fw_nfqws_post6() -{ - fw_nfqws_prepost_x $1 "$2" $3 6 post +fw_nfqws_post6() { + fw_nfqws_prepost_x "$1" "$2" "$3" 6 post } -fw_nfqws_pre4() -{ - fw_nfqws_prepost_x $1 "$2" $3 4 pre +fw_nfqws_pre4() { + fw_nfqws_prepost_x "$1" "$2" "$3" 4 pre } -fw_nfqws_pre6() -{ - fw_nfqws_prepost_x $1 "$2" $3 6 pre +fw_nfqws_pre6() { + fw_nfqws_prepost_x "$1" "$2" "$3" 6 pre } -fw_tpws_x() -{ +fw_tpws_x() { # $1 - 1 - add, 0 - del # $2 - filter # $3 - tpws port 
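Review bot: `_fw_nfqws_"${5}"${4} "$1" "$2" "$3" ...` in fw_nfqws_prepost_x quotes one interpolated fragment of the command name and not the other, which reads worse than either form and gains nothing since neither value can contain whitespace here. Prefer quoting the whole name, `"_fw_nfqws_${5}${4}" "$1" "$2" "$3" "$(unique "$DWAN")"`, and do the same for `network_find_wan"${4}"_all ifaces` in this hunk, `network_find_wan"${1}"_all` in the hunk above and `_fw_tpws"${4}"` in fw_tpws_x below. One hedged point: `"$(unique "$DWAN")"` now passes the whole device list to unique as a single word; unique is not defined in this diff, and if it iterates over its positional arguments the quoting changes its output from a deduplicated list to the raw string, so please confirm against its definition.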
@@ -143,102 +128,88 @@ fw_tpws_x() call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN" - network_find_wan${4}_all ifaces + network_find_wan"${4}"_all ifaces call_for_multiple_items network_get_device DWAN "$ifaces" - [ -n "$DWAN" ] && _fw_tpws${4} $1 "$2" $3 "$DLAN" "$(unique $DWAN)" + [ -n "$DWAN" ] && _fw_tpws"${4}" "$1" "$2" "$3" "$DLAN" "$(unique "$DWAN")" } -fw_tpws4() -{ - fw_tpws_x $1 "$2" $3 4 +fw_tpws4() { + fw_tpws_x "$1" "$2" "$3" 4 } -fw_tpws6() -{ - fw_tpws_x $1 "$2" $3 6 +fw_tpws6() { + fw_tpws_x "$1" "$2" "$3" 6 } - -create_ipset() -{ +create_ipset() { echo "Creating ip list table (firewall type $FWTYPE)" "$IPSET_CR" "$@" } -list_nfqws_rules() -{ - # $1 = '' for ipv4, '6' for ipv6 - ip$1tables -S POSTROUTING -t mangle | \ - grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \ +list_nfqws_rules() { + # $1 = '' for IPv4, '6' for IPv6 + ip"$1"tables -S POSTROUTING -t mangle | + grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM + 1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 11)) --queue-bypass" | sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! 
--mark $DESYNC_MARK\/$DESYNC_MARK//" } -apply_flow_offloading_enable_rule() -{ - # $1 = '' for ipv4, '6' for ipv6 +apply_flow_offloading_enable_rule() { + # $1 = '' for IPv4, '6' for IPv6 local i off='-j FLOWOFFLOAD' [ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw" i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off" - echo enabling ipv${1:-4} flow offloading : $i - ip$1tables -A $i + echo enabling ipv"${1:-4}" flow offloading : "$i" + ip"$1"tables -A "$i" } -apply_flow_offloading_exempt_rule() -{ - # $1 = '' for ipv4, '6' for ipv6 +apply_flow_offloading_exempt_rule() { + # $1 = '' for IPv4, '6' for IPv6 local i v v=$1 shift i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN" - echo applying ipv${v:-4} flow offloading exemption : $i - ip${v}tables -A $i + echo applying ipv"${v:-4}" flow offloading exemption : "$i" + ip"${v}"tables -A "$i" } -flow_offloading_unexempt_v() -{ - # $1 = '' for ipv4, '6' for ipv6 +flow_offloading_unexempt_v() { + # $1 = '' for IPv4, '6' for IPv6 local DWAN - network_find_wanX_devices ${1:-4} DWAN - for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done - ip$1tables -F forwarding_rule_zapret 2>/dev/null - ip$1tables -X forwarding_rule_zapret 2>/dev/null + network_find_wanX_devices "${1:-4}" DWAN + for i in $DWAN; do ipt"$1"_del FORWARD -o "$i" -j forwarding_rule_zapret; done + ip"$1"tables -F forwarding_rule_zapret 2>/dev/null + ip"$1"tables -X forwarding_rule_zapret 2>/dev/null } -flow_offloading_exempt_v() -{ - # $1 = '' for ipv4, '6' for ipv6 - is_ipt_flow_offload_avail $1 || return 0 +flow_offloading_exempt_v() { + # $1 = '' for IPv4, '6' for IPv6 + is_ipt_flow_offload_avail "$1" || return 0 - flow_offloading_unexempt_v $1 + flow_offloading_unexempt_v "$1" [ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && { - ip$1tables -N forwarding_rule_zapret + ip"$1"tables -N 
forwarding_rule_zapret # remove outgoing interface - list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' | - while read rule; do - apply_flow_offloading_exempt_rule "$1" $rule - done - - apply_flow_offloading_enable_rule $1 + list_nfqws_rules "$1" | sed -re 's/-o +[^ ]+//g' | + while read rule; do + apply_flow_offloading_exempt_rule "$1" "$rule" + done + + apply_flow_offloading_enable_rule "$1" # only outgoing to WAN packets trigger flow offloading local DWAN - network_find_wanX_devices ${1:-4} DWAN - for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done + network_find_wanX_devices "${1:-4}" DWAN + for i in $DWAN; do ipt"$1" FORWARD -o "$i" -j forwarding_rule_zapret; done } return 0 } -flow_offloading_exempt() -{ +flow_offloading_exempt() { [ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v [ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6 } -flow_offloading_unexempt() -{ +flow_offloading_unexempt() { [ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v [ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6 } - - -nft_fill_ifsets_overload() -{ +nft_fill_ifsets_overload() { local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6 call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN" 
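Review bot: `ip"$1"tables -A "$i"` in apply_flow_offloading_enable_rule and `ip"${v}"tables -A "$i"` in apply_flow_offloading_exempt_rule break rule insertion: `i` is a whole rule specification (chain name followed by matches and target), and quoting it makes iptables receive it as one argument, i.e. a chain name containing spaces. The split was intentional; revert to `ip"$1"tables -A $i` with a `# shellcheck disable=SC2086 -- $i is a word-split rule spec` comment, or assemble the rule in positional parameters and pass `"$@"`. The related change to `apply_flow_offloading_exempt_rule "$1" "$rule"` in flow_offloading_exempt_v happens to be harmless because that helper re-joins `$@` into a string, but it hides the fact that rule tokens are meant to be split. While here, `while read rule` should be `while IFS= read -r rule`, since the text comes from sed output and may contain backslashes.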
@@ -255,29 +226,23 @@ nft_fill_ifsets_overload() nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6" } -nft_fw_tpws4() -{ - _nft_fw_tpws4 "$1" $2 always_apply_wan_filter +nft_fw_tpws4() { + _nft_fw_tpws4 "$1" "$2" always_apply_wan_filter } -nft_fw_tpws6() -{ +nft_fw_tpws6() { local DLAN call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN" - _nft_fw_tpws6 "$1" $2 "$DLAN" always_apply_wan_filter + _nft_fw_tpws6 "$1" "$2" "$DLAN" always_apply_wan_filter } -nft_fw_nfqws_post4() -{ - _nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter +nft_fw_nfqws_post4() { + _nft_fw_nfqws_post4 "$1" "$2" always_apply_wan_filter } -nft_fw_nfqws_post6() -{ - _nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter +nft_fw_nfqws_post6() { + _nft_fw_nfqws_post6 "$1" "$2" always_apply_wan_filter } -nft_fw_nfqws_pre4() -{ - _nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter +nft_fw_nfqws_pre4() { + _nft_fw_nfqws_pre4 "$1" "$2" always_apply_wan_filter } -nft_fw_nfqws_pre6() -{ - _nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter +nft_fw_nfqws_pre6() { + _nft_fw_nfqws_pre6 "$1" "$2" always_apply_wan_filter } diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index cc23018..874416c 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret 
@@ -25,17 +25,16 @@ my_extra_command restart_daemons "Restart zapret firewall only (=restart in ipta SCRIPT=$(readlink /etc/init.d/zapret) if [ -n "$SCRIPT" ]; then - EXEDIR=$(dirname "$SCRIPT") - ZAPRET_BASE=$(readlink -f "$EXEDIR/../..") + EXEDIR=$(dirname "$SCRIPT") + ZAPRET_BASE=$(readlink -f "$EXEDIR/../..") else - ZAPRET_BASE=/opt/zapret + ZAPRET_BASE=/opt/zapret fi . "$ZAPRET_BASE/init.d/openwrt/functions" - -# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately -# !!!!! in new openwrt >21.x with nftables firewall is configured here +# !!!!! in old OpenWrt 21.x- with iptables firewall rules are configured separately +# !!!!! in new OpenWrt >21.x with nftables firewall is configured here PIDDIR=/var/run @@ -50,8 +49,7 @@ TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30" TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30" TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3" -run_daemon() -{ +run_daemon() { # $1 - daemon string id or number. can use 1,2,3,... # $2 - daemon # $3 - daemon args @@ -59,13 +57,12 @@ run_daemon() local DAEMONBASE="$(basename "$2")" echo "Starting daemon $1: $2 $3" procd_open_instance - procd_set_param command $2 $3 - procd_set_param pidfile $PIDDIR/$DAEMONBASE$1.pid + procd_set_param command "$2" "$3" + procd_set_param pidfile $PIDDIR/"$DAEMONBASE"$1.pid procd_close_instance } -run_tpws() -{ +run_tpws() { [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0 local OPT="$TPWS_OPT_BASE" 
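Review bot: Quoting `$3` in `procd_set_param command "$2" "$3"` (hunk @@ -59,13 +57,12 @@) hands the daemon its whole option string as a single argv element, because every caller builds that string with spaces — `run_daemon "$1" "$TPWS" "$OPT $2"` in run_tpws and `run_daemon 1 "$NFQWS" "$opt"` in start_daemons_procd in the following hunk — so tpws/nfqws will now be started with one unrecognised argument instead of their options. The word-splitting here was intentional; keep it and make that explicit for the linter: `# shellcheck disable=SC2086 -- $3 is a space-separated option string, splitting is intended` above `procd_set_param command "$2" $3`. The same regression is in init.d/sysv/functions run_daemon (hunk @@ -171,52 +149,48 @@: `start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- "$3"` and `"$2" "$3" >/dev/null 2>/dev/null &`), and earlier in this diff where `ip"$1"tables -A "$i"` and `apply_flow_offloading_exempt_rule "$1" "$rule"` quote rule strings that were previously split into separate iptables arguments.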
@@ -75,144 +72,128 @@ run_tpws() [ "$DISABLE_IPV6" = "1" ] || { OPT="$OPT $TPWS_OPT_BASE6" for lan in $OPENWRT_LAN; do - network_get_device DEVICE $lan - [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE" + network_get_device DEVICE "$lan" + [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE" done } - run_daemon $1 "$TPWS" "$OPT $2" + run_daemon "$1" "$TPWS" "$OPT $2" } -run_tpws_socks() -{ +run_tpws_socks() { [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0 local opt="$TPWS_OPT_BASE --socks" tpws_apply_socks_binds opt - run_daemon $1 "$TPWS" "$opt $2" + run_daemon "$1" "$TPWS" "$opt $2" } -stop_tpws() -{ - stop_daemon $1 "$TPWS" +stop_tpws() { + stop_daemon "$1" "$TPWS" } - -tpws_apply_socks_binds() -{ +tpws_apply_socks_binds() { local o [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" - + for lan in $OPENWRT_LAN; do - network_get_device DEVICE $lan - [ -n "$DEVICE" ] || continue - [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT" - [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + network_get_device DEVICE "$lan" + [ -n "$DEVICE" ] || continue + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" done - eval $1="\"\$$1 $o\"" + eval "$1"="\"\$$1 $o\"" } - -start_daemons_procd() -{ +start_daemons_procd() { local opt qn qns qn6 qns6 case "${MODE_OVERRIDE:-$MODE}" in - tpws) - opt="--port=$TPPORT $TPWS_OPT" + tpws) + opt="--port=$TPPORT $TPWS_OPT" + filter_apply_hostlist_target opt + run_tpws 1 "$opt" + ;; + tpws-socks) + opt="--port=$TPPORT $TPWS_OPT" + filter_apply_hostlist_target opt + run_tpws_socks 1 "$opt" + ;; + nfqws) + # quite complex but we need to minimize nfqws processes to save RAM + get_nfqws_qnums qn qns qn6 qns6 + [ -z "$qn" ] || { + 
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP" filter_apply_hostlist_target opt - run_tpws 1 "$opt" - ;; - tpws-socks) - opt="--port=$TPPORT $TPWS_OPT" + run_daemon 1 "$NFQWS" "$opt" + } + [ -z "$qns" ] || [ "$qns" = "$qn" ] || { + opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS" filter_apply_hostlist_target opt - run_tpws_socks 1 "$opt" - ;; - nfqws) - # quite complex but we need to minimize nfqws processes to save RAM - get_nfqws_qnums qn qns qn6 qns6 - [ -z "$qn" ] || { - opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP" - filter_apply_hostlist_target opt - run_daemon 1 "$NFQWS" "$opt" - } - [ -z "$qns" ] || [ "$qns" = "$qn" ] || { - opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS" - filter_apply_hostlist_target opt - run_daemon 2 "$NFQWS" "$opt" - } - [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || { - opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6" - filter_apply_hostlist_target opt - run_daemon 3 "$NFQWS" "$opt" - } - [ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || { - opt="--qnum=$qns6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6" - filter_apply_hostlist_target opt - run_daemon 4 "$NFQWS" "$opt" - } - get_nfqws_qnums_quic qn qn6 - [ -z "$qn" ] || { - opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - filter_apply_hostlist_target opt - run_daemon 10 "$NFQWS" "$opt" - } - [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || { - opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6" - filter_apply_hostlist_target opt - run_daemon 11 "$NFQWS" "$opt" - } - ;; - custom) - existf zapret_custom_daemons && zapret_custom_daemons $1 - ;; + run_daemon 2 "$NFQWS" "$opt" + } + [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || { + opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6" + filter_apply_hostlist_target opt + run_daemon 3 "$NFQWS" "$opt" + } + [ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || { + opt="--qnum=$qns6 
$NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6" + filter_apply_hostlist_target opt + run_daemon 4 "$NFQWS" "$opt" + } + get_nfqws_qnums_quic qn qn6 + [ -z "$qn" ] || { + opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" + filter_apply_hostlist_target opt + run_daemon 10 "$NFQWS" "$opt" + } + [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || { + opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6" + filter_apply_hostlist_target opt + run_daemon 11 "$NFQWS" "$opt" + } + ;; + custom) + existf zapret_custom_daemons && zapret_custom_daemons "$1" + ;; esac return 0 } -start_daemons() -{ +start_daemons() { rc_procd start_daemons_procd "$@" } -stop_daemons() -{ - procd_kill "$(basename ${basescript:-$initscript})" "$1" +stop_daemons() { + procd_kill "$(basename "${basescript:-$initscript}")" "$1" } -restart_daemons() -{ +restart_daemons() { stop_daemons start_daemons } -start_fw() -{ +start_fw() { zapret_apply_firewall } -stop_fw() -{ +stop_fw() { zapret_unapply_firewall } -restart_fw() -{ +restart_fw() { stop_fw start_fw } -reload_ifsets() -{ +reload_ifsets() { zapret_reload_ifsets } -list_ifsets() -{ +list_ifsets() { zapret_list_ifsets } -list_table() -{ +list_table() { zapret_list_table } -start_service() -{ +start_service() { start_daemons_procd [ "$INIT_APPLY_FW" != "1" ] || { linux_fwtype @@ -220,8 +201,7 @@ start_service() } } -stop_service() -{ +stop_service() { # this procedure is called from stop() # stop() already stop daemons [ "$INIT_APPLY_FW" != "1" ] || { diff --git a/init.d/pfsense/zapret.sh b/init.d/pfsense/zapret.sh index 9c434ac..8182ef2 100755 --- a/init.d/pfsense/zapret.sh +++ b/init.d/pfsense/zapret.sh @@ -14,7 +14,8 @@ sysctl net.inet6.ip6.pfil.outbound=ipfw,pf sysctl net.inet6.ip6.pfil.inbound=ipfw,pf # required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state -pfctl -d ; pfctl -e +pfctl -d +pfctl -e # add ipfw rules and start daemon 
diff --git a/init.d/sysv/custom-nfqws-dht4all b/init.d/sysv/custom-nfqws-dht4all index dbc9a3a..9434ed2 100644 --- a/init.d/sysv/custom-nfqws-dht4all +++ b/init.d/sysv/custom-nfqws-dht4all @@ -1,22 +1,20 @@ # this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5" -QNUM2=$(($QNUM+20)) +QNUM2=$(($QNUM + 20)) -zapret_custom_daemons() -{ +zapret_custom_daemons() { # stop logic is managed by procd local MODE_OVERRIDE=nfqws local opt - zapret_do_daemons $1 + zapret_do_daemons "$1" opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" - do_nfqws $1 100 "$opt" + do_nfqws "$1" 100 "$opt" } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=nfqws @@ -24,16 +22,15 @@ zapret_custom_firewall() local first_packet_only="$ipt_connbytes 1:1" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 + zapret_do_firewall_rules_ipt "$1" f='-p udp -m length --length 109:407 -m u32 --u32' - uf4='0>>22&0x3C@8>>16=0x6431' - uf6='48>>16=0x6431' - fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2 + uf4='0>>22&0x3C@8>>16=0x6431' + uf6='48>>16=0x6431' + fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2 } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local MODE_OVERRIDE=nfqws @@ -46,4 +43,3 @@ zapret_custom_firewall_nft() f="meta length 109-407 meta l4proto udp @th,64,16 0x6431" nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2 } - diff --git a/init.d/sysv/custom-nfqws-quic4all b/init.d/sysv/custom-nfqws-quic4all index 37303b4..689ad71 100644 --- a/init.d/sysv/custom-nfqws-quic4all +++ b/init.d/sysv/custom-nfqws-quic4all 
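Review bot: `fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2` in hunk @@ -24,16 +22,15 @@ leaves the queue number unquoted while the same commit quotes `"$QNUM"` and `"$TPPORT"` in the equivalent calls of custom-tpws4http-nfqws4https; the same mixed form appears in custom-nfqws-quic4all (@@ -25,14 +23,13 @@) and custom-reuse-builtin-mode (`fw_tpws "$1" "$f4" "$f6" $MY_TPPORT`). For a numeric value both forms behave the same, but a quoting pass should be uniform so the custom scripts lint clean together: `... "$f $uf6 $desync $first_packet_only" "$QNUM2"`.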
@@ -2,22 +2,20 @@ # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received -QNUM2=$(($QNUM+10)) +QNUM2=$(($QNUM + 10)) -zapret_custom_daemons() -{ +zapret_custom_daemons() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=nfqws local opt - zapret_do_daemons $1 + zapret_do_daemons "$1" opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - do_nfqws $1 100 "$opt" + do_nfqws "$1" 100 "$opt" } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=nfqws @@ -25,14 +23,13 @@ zapret_custom_firewall() local first_packets_only="$ipt_connbytes 1:3" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 + zapret_do_firewall_rules_ipt "$1" f="-p udp -m multiport --dports $QUIC_PORTS_IPT" - fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 + fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local MODE_OVERRIDE=nfqws diff --git a/init.d/sysv/custom-reuse-builtin-mode b/init.d/sysv/custom-reuse-builtin-mode index b36ac58..23de641 100644 --- a/init.d/sysv/custom-reuse-builtin-mode +++ b/init.d/sysv/custom-reuse-builtin-mode 
@@ -4,35 +4,32 @@ MY_TPPORT=$(($TPPORT + 1)) MY_TPWS_OPT="--methodeol --hostcase" MY_DPORT=81 -zapret_custom_daemons() -{ +zapret_custom_daemons() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=tpws local opt - zapret_do_daemons $1 + zapret_do_daemons "$1" opt="--port=$MY_TPPORT $MY_TPWS_OPT" filter_apply_hostlist_target opt - do_tpws $1 100 "$opt" + do_tpws "$1" 100 "$opt" } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local MODE_OVERRIDE=tpws local f4 f6 - zapret_do_firewall_rules_ipt $1 + zapret_do_firewall_rules_ipt "$1" f4="-p tcp --dport $MY_DPORT" f6=$f4 filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $MY_TPPORT + fw_tpws "$1" "$f4" "$f6" $MY_TPPORT } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local MODE_OVERRIDE=tpws diff --git a/init.d/sysv/custom-tpws4http-nfqws4https b/init.d/sysv/custom-tpws4http-nfqws4https index eb818ab..1da140d 100644 --- a/init.d/sysv/custom-tpws4http-nfqws4https +++ b/init.d/sysv/custom-tpws4http-nfqws4https @@ -1,8 +1,7 @@ # this custom script demonstrates how to apply tpws to http and nfqws to https # it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS -zapret_custom_daemons() -{ +zapret_custom_daemons() { # $1 - 1 - run, 0 - stop local opt @@ -10,17 +9,16 @@ zapret_custom_daemons() [ "$MODE_HTTP" = "1" ] && { opt="--port=$TPPORT $TPWS_OPT" filter_apply_hostlist_target opt - do_tpws $1 1 "$opt" + do_tpws "$1" 1 "$opt" } [ "$MODE_HTTPS" = "1" ] && { opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS" filter_apply_hostlist_target opt - do_nfqws $1 2 "$opt" + do_nfqws "$1" 2 "$opt" } } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop local f4 f6 
@@ -31,20 +29,19 @@ zapret_custom_firewall() f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT" f6=$f4 filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $TPPORT + fw_tpws "$1" "$f4" "$f6" "$TPPORT" } - + [ "$MODE_HTTPS" = "1" ] && { f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only" f6=$f4 filter_apply_ipset_target f4 f6 - fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM + fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM" # for modes that require incoming traffic - fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM + fw_reverse_nfqws_rule "$1" "$f4" "$f6" "$QNUM" } } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required local f4 f6 @@ -55,15 +52,15 @@ zapret_custom_firewall_nft() f4="tcp dport {$HTTP_PORTS}" f6=$f4 nft_filter_apply_ipset_target f4 f6 - nft_fw_tpws "$f4" "$f6" $TPPORT + nft_fw_tpws "$f4" "$f6" "$TPPORT" } - + [ "$MODE_HTTPS" = "1" ] && { f4="tcp dport {$HTTPS_PORTS} $first_packet_only" f6=$f4 nft_filter_apply_ipset_target f4 f6 - nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM + nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM" # for modes that require incoming traffic - nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM + nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM" } } diff --git a/init.d/sysv/custom.default b/init.d/sysv/custom.default index 666d2d4..53b0237 100644 --- a/init.d/sysv/custom.default +++ b/init.d/sysv/custom.default @@ -2,8 +2,7 @@ # use helpers from "functions" file # in case of upgrade keep this file only, do not modify others -zapret_custom_daemons() -{ +zapret_custom_daemons() { # $1 - 1 - run, 0 - stop # PLACEHOLDER @@ -11,10 +10,9 @@ zapret_custom_daemons() echo Start daemon\(s\) echo Study how other sections work - do_daemon $1 1 /bin/sleep 20 + do_daemon "$1" 1 /bin/sleep 20 } -zapret_custom_firewall() -{ +zapret_custom_firewall() { # $1 - 1 - run, 0 - stop # PLACEHOLDER 
@@ -23,8 +21,7 @@ zapret_custom_firewall() echo Study how other sections work } -zapret_custom_firewall_nft() -{ +zapret_custom_firewall_nft() { # stop logic is not required # PLACEHOLDER diff --git a/init.d/sysv/functions b/init.d/sysv/functions index b4ba081..d93f0c9 100644 --- a/init.d/sysv/functions +++ b/init.d/sysv/functions @@ -13,38 +13,34 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/linux_fw.sh" . "$ZAPRET_BASE/common/list.sh" - -user_exists() -{ - id -u $1 >/dev/null 2>/dev/null +user_exists() { + id -u "$1" >/dev/null 2>/dev/null } -useradd_compat() -{ +useradd_compat() { # $1 - username # skip for readonly systems [ -w "/etc" ] && { - if exists useradd ; then - useradd --no-create-home --system --shell /bin/false $1 - elif is_linked_to_busybox adduser ; then + if exists useradd; then + useradd --no-create-home --system --shell /bin/false "$1" + elif is_linked_to_busybox adduser; then # some systems may miss nogroup group in /etc/group # adduser fails if it's absent and no group is specified addgroup nogroup 2>/dev/null # busybox has special adduser syntax - adduser -S -H -D $1 + adduser -S -H -D "$1" elif exists adduser; then - adduser --no-create-home --system --disabled-login $1 + adduser --no-create-home --system --disabled-login "$1" fi } - user_exists $1 + user_exists "$1" } -prepare_user() -{ +prepare_user() { # $WS_USER is required to prevent redirection of the traffic originating from TPWS itself # otherwise infinite loop will occur # also its good idea not to run tpws as root - user_exists $WS_USER || { + user_exists "$WS_USER" || { # fallback to daemon if we cant add WS_USER - useradd_compat $WS_USER || { + useradd_compat "$WS_USER" || { for user in daemon nobody; do user_exists $user && { WS_USER=$user 
@@ -59,10 +55,10 @@ prepare_user() # this complex user selection allows to survive in any locked/readonly/minimalistic environment [ -n "$WS_USER" ] || WS_USER=tpws if prepare_user; then - USEROPT="--user=$WS_USER" + USEROPT="--user=$WS_USER" else - WS_USER=1 - USEROPT="--uid $WS_USER:$WS_USER" + WS_USER=1 + USEROPT="--uid $WS_USER:$WS_USER" fi PIDDIR=/var/run 
@@ -97,72 +93,54 @@ CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom" IPSET_EXCLUDE="-m set ! --match-set nozapret" IPSET_EXCLUDE6="-m set ! --match-set nozapret6" - -dnat6_target() -{ +dnat6_target() { _dnat6_target "$@" } -set_route_localnet() -{ - _set_route_localnet $1 "$IFACE_LAN" +set_route_localnet() { + _set_route_localnet "$1" "$IFACE_LAN" } -fw_nfqws_post4() -{ - _fw_nfqws_post4 $1 "$2" $3 "$IFACE_WAN" +fw_nfqws_post4() { + _fw_nfqws_post4 "$1" "$2" "$3" "$IFACE_WAN" } -fw_nfqws_post6() -{ - _fw_nfqws_post6 $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}" +fw_nfqws_post6() { + _fw_nfqws_post6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}" } -fw_nfqws_pre4() -{ - _fw_nfqws_pre4 $1 "$2" $3 "$IFACE_WAN" +fw_nfqws_pre4() { + _fw_nfqws_pre4 "$1" "$2" "$3" "$IFACE_WAN" } -fw_nfqws_pre6() -{ - _fw_nfqws_pre6 $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}" +fw_nfqws_pre6() { + _fw_nfqws_pre6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}" } -fw_tpws4() -{ - _fw_tpws4 $1 "$2" $3 "$IFACE_LAN" "$IFACE_WAN" +fw_tpws4() { + _fw_tpws4 "$1" "$2" "$3" "$IFACE_LAN" "$IFACE_WAN" } -fw_tpws6() -{ - _fw_tpws6 $1 "$2" $3 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}" +fw_tpws6() { + _fw_tpws6 "$1" "$2" "$3" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}" } -nft_fw_tpws4() -{ - _nft_fw_tpws4 "$1" $2 "$IFACE_WAN" +nft_fw_tpws4() { + _nft_fw_tpws4 "$1" "$2" "$IFACE_WAN" } -nft_fw_tpws6() -{ - _nft_fw_tpws6 "$1" $2 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}" +nft_fw_tpws6() { + _nft_fw_tpws6 "$1" "$2" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}" } -nft_fw_nfqws_post4() -{ - _nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN" +nft_fw_nfqws_post4() { + _nft_fw_nfqws_post4 "$1" "$2" "$IFACE_WAN" } -nft_fw_nfqws_post6() -{ - _nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}" +nft_fw_nfqws_post6() { + _nft_fw_nfqws_post6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}" } -nft_fw_nfqws_pre4() -{ - _nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN" +nft_fw_nfqws_pre4() { + _nft_fw_nfqws_pre4 "$1" "$2" "$IFACE_WAN" } -nft_fw_nfqws_pre6() -{ - _nft_fw_nfqws_pre6 
"$1" $2 "${IFACE_WAN6:-$IFACE_WAN}" +nft_fw_nfqws_pre6() { + _nft_fw_nfqws_pre6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}" } -nft_fill_ifsets_overload() -{ +nft_fill_ifsets_overload() { nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}" } - -run_daemon() -{ +run_daemon() { # $1 - daemon number : 1,2,3,... # $2 - daemon # $3 - daemon args @@ -171,52 +149,48 @@ run_daemon() local DAEMONBASE="$(basename "$2")" local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid echo "Starting daemon $1: $2 $3" - if exists start-stop-daemon ; then - start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3 + if exists start-stop-daemon; then + start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- "$3" else if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then echo already running else - "$2" $3 >/dev/null 2>/dev/null & + "$2" "$3" >/dev/null 2>/dev/null & PID=$! if [ -n "$PID" ]; then - echo $PID >$PIDFILE + echo $PID >"$PIDFILE" else - echo could not start daemon $1 : $2 $3 + echo could not start daemon "$1" : "$2" "$3" false fi fi fi } -stop_daemon() -{ +stop_daemon() { # $1 - daemon number : 1,2,3,... # $2 - daemon # use $PIDDIR/$DAEMONBASE$1.pid as pidfile local DAEMONBASE="$(basename "$2")" local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid echo "Stopping daemon $1: $2" - if exists start-stop-daemon ; then + if exists start-stop-daemon; then start-stop-daemon -K -p "$PIDFILE" -x "$2" else if [ -f "$PIDFILE" ]; then read PID <"$PIDFILE" - kill $PID + kill "$PID" rm -f "$PIDFILE" else - echo no pidfile : $PIDFILE + echo no pidfile : "$PIDFILE" fi fi } -do_daemon() -{ +do_daemon() { # $1 - 1 - run, 0 - stop on_off_function run_daemon stop_daemon "$@" } - -do_tpws() -{ +do_tpws() { # $1 : 1 - run, 0 - stop # $2 : daemon number # $3 : daemon args @@ -233,10 +207,9 @@ do_tpws() done } - do_daemon $1 $2 "$TPWS" "$OPT $3" + do_daemon "$1" "$2" "$TPWS" "$OPT $3" } -do_tpws_socks() -{ +do_tpws_socks() { # $1 : 1 - run, 0 - stop # $2 : daemon number # $3 : daemon args 
@@ -247,104 +220,95 @@ do_tpws_socks() tpws_apply_socks_binds opt - do_daemon $1 $2 "$TPWS" "$opt $3" + do_daemon "$1" "$2" "$TPWS" "$opt $3" } -do_nfqws() -{ +do_nfqws() { # $1 : 1 - run, 0 - stop # $2 : daemon number # $3 : daemon args - do_daemon $1 $2 "$NFQWS" "$NFQWS_OPT_BASE $3" + do_daemon "$1" "$2" "$NFQWS" "$NFQWS_OPT_BASE $3" } -tpws_apply_socks_binds() -{ +tpws_apply_socks_binds() { local o [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" - + for lan in $IFACE_LAN; do - [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT" - [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" done - eval $1="\"\$$1 $o\"" + eval "$1"="\"\$$1 $o\"" } - -create_ipset() -{ +create_ipset() { echo "Creating ip list table (firewall type $FWTYPE)" "$IPSET_CR" "$@" } - -zapret_do_daemons() -{ +zapret_do_daemons() { # $1 - 1 - run, 0 - stop local opt qn qns qn6 qns6 case "${MODE_OVERRIDE:-$MODE}" in - tpws) - opt="--port=$TPPORT $TPWS_OPT" + tpws) + opt="--port=$TPPORT $TPWS_OPT" + filter_apply_hostlist_target opt + do_tpws "$1" 1 "$opt" + ;; + tpws-socks) + opt="--port=$TPPORT $TPWS_OPT" + filter_apply_hostlist_target opt + do_tpws_socks "$1" 1 "$opt" + ;; + nfqws) + get_nfqws_qnums qn qns qn6 qns6 + [ -z "$qn" ] || { + opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP" filter_apply_hostlist_target opt - do_tpws $1 1 "$opt" - ;; - tpws-socks) - opt="--port=$TPPORT $TPWS_OPT" + do_nfqws "$1" 1 "$opt" + } + [ -z "$qns" ] || [ "$qns" = "$qn" ] || { + opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS" filter_apply_hostlist_target opt - do_tpws_socks $1 1 "$opt" - ;; - nfqws) - get_nfqws_qnums qn qns qn6 qns6 - [ -z "$qn" ] || { - opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP" - filter_apply_hostlist_target opt - do_nfqws $1 1 
"$opt" - } - [ -z "$qns" ] || [ "$qns" = "$qn" ] || { - opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS" - filter_apply_hostlist_target opt - do_nfqws $1 2 "$opt" - } - [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || { - opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6" - filter_apply_hostlist_target opt - do_nfqws $1 3 "$opt" - } - [ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || { - opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6" - filter_apply_hostlist_target opt - do_nfqws $1 4 "$opt" - } - get_nfqws_qnums_quic qn qn6 - [ -z "$qn" ] || { - opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - filter_apply_hostlist_target opt - do_nfqws $1 10 "$opt" - } - [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || { - opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6" - filter_apply_hostlist_target opt - do_nfqws $1 11 "$opt" - } - ;; - custom) - existf zapret_custom_daemons && zapret_custom_daemons $1 - ;; + do_nfqws "$1" 2 "$opt" + } + [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || { + opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6" + filter_apply_hostlist_target opt + do_nfqws "$1" 3 "$opt" + } + [ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || { + opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6" + filter_apply_hostlist_target opt + do_nfqws "$1" 4 "$opt" + } + get_nfqws_qnums_quic qn qn6 + [ -z "$qn" ] || { + opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" + filter_apply_hostlist_target opt + do_nfqws "$1" 10 "$opt" + } + [ -z "$qn6" ] || [ "$qn6" = "$qn" ] || { + opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6" + filter_apply_hostlist_target opt + do_nfqws "$1" 11 "$opt" + } + ;; + custom) + existf zapret_custom_daemons && zapret_custom_daemons "$1" + ;; esac return 0 } -zapret_run_daemons() -{ +zapret_run_daemons() { zapret_do_daemons 1 "$@" } -zapret_stop_daemons() -{ +zapret_stop_daemons() { zapret_do_daemons 0 "$@" } - 
diff --git a/init.d/sysv/zapret b/init.d/sysv/zapret index 9e247a4..6f8c73f 100755 --- a/init.d/sysv/zapret +++ b/init.d/sysv/zapret @@ -15,65 +15,63 @@ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..") NAME=zapret DESC=anti-zapret -do_start() -{ +do_start() { zapret_run_daemons [ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; } } -do_stop() -{ +do_stop() { zapret_stop_daemons [ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall } case "$1" in - start) - do_start - ;; +start) + do_start + ;; - stop) - do_stop - ;; +stop) + do_stop + ;; - restart) - do_stop - do_start - ;; +restart) + do_stop + do_start + ;; - start-fw|start_fw) - zapret_apply_firewall - ;; - stop-fw|stop_fw) - zapret_unapply_firewall - ;; +start-fw | start_fw) + zapret_apply_firewall + ;; +stop-fw | stop_fw) + zapret_unapply_firewall + ;; - restart-fw|restart_fw) - zapret_unapply_firewall - zapret_apply_firewall - ;; - - start-daemons|start_daemons) - zapret_run_daemons - ;; - stop-daemons|stop_daemons) - zapret_stop_daemons - ;; - restart-daemons|restart_daemons) - zapret_stop_daemons - zapret_run_daemons - ;; +restart-fw | restart_fw) + zapret_unapply_firewall + zapret_apply_firewall + ;; - reload-ifsets|reload_ifsets) - zapret_reload_ifsets - ;; - list-ifsets|list_ifsets) - zapret_list_ifsets - ;; - list-table|list_table) - zapret_list_table - ;; - - *) +start-daemons | start_daemons) + zapret_run_daemons + ;; +stop-daemons | stop_daemons) + zapret_stop_daemons + ;; +restart-daemons | restart_daemons) + zapret_stop_daemons + zapret_run_daemons + ;; + +reload-ifsets | reload_ifsets) + zapret_reload_ifsets + ;; +list-ifsets | list_ifsets) + zapret_list_ifsets + ;; +list-table | list_table) + zapret_list_table + ;; + +*) N=/etc/init.d/$NAME echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2 exit 1 diff --git a/install_bin.sh b/install_bin.sh index fb33462..b6b8f68 100755 --- a/install_bin.sh 
+++ b/install_bin.sh @@ -1,15 +1,17 @@ #!/bin/sh EXEDIR="$(dirname "$0")" -EXEDIR="$(cd "$EXEDIR"; pwd)" +EXEDIR="$( + cd "$EXEDIR" + pwd +)" BINS=binaries BINDIR="$EXEDIR/$BINS" ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"} . "$ZAPRET_BASE/common/base.sh" -check_dir() -{ +check_dir() { local dir="$BINDIR/$1" local exe="$dir/ip2net" local out @@ -39,8 +41,7 @@ check_dir() } # link or copy executables. uncomment either ln or cp, comment other -ccp() -{ +ccp() { local F="$(basename "$1")" [ -d "$ZAPRET_BASE/$2" ] || mkdir "$ZAPRET_BASE/$2" [ -f "$ZAPRET_BASE/$2/$F" ] && rm -f "$ZAPRET_BASE/$2/$F" 
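Review bot: The rewritten `cd "$EXEDIR"` / `pwd` subshell in hunk @@ -1,15 +1,17 @@ still ignores a failed `cd`: when the directory cannot be entered, `pwd` prints the caller's working directory and EXEDIR silently becomes that directory, from which `BINDIR` and the sourced `. "$ZAPRET_BASE/common/base.sh"` are then derived. Since the line is being restructured anyway, fail closed with `cd "$EXEDIR" || exit` so the installer stops rather than load helpers from an unintended path. The identical rewrite in install_easy.sh (hunk @@ -3,7 +3,10 @@) has the same omission.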
@@ -51,49 +52,48 @@ ccp() UNAME=$(uname) unset PKTWS case $UNAME in - Linux) - ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc" - PKTWS=nfqws - ;; - Darwin) - ARCHLIST="my mac64" - ;; - FreeBSD) - ARCHLIST="my freebsd-x64" - PKTWS=dvtws - ;; - CYGWIN*) - UNAME=CYGWIN - ARCHLIST="win64" - PKTWS=winws - ;; - *) - ARCHLIST="my" +Linux) + ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc" + PKTWS=nfqws + ;; +Darwin) + ARCHLIST="my mac64" + ;; +FreeBSD) + ARCHLIST="my freebsd-x64" + PKTWS=dvtws + ;; +CYGWIN*) + UNAME=CYGWIN + ARCHLIST="win64" + PKTWS=winws + ;; +*) + ARCHLIST="my" + ;; esac if [ "$1" = "getarch" ]; then - for arch in $ARCHLIST - do + for arch in $ARCHLIST; do [ -d "$BINDIR/$arch" ] || continue - if check_dir $arch; then - echo $arch - exit 0 - fi + if check_dir "$arch"; then + echo "$arch" + exit 0 + fi done else - for arch in $ARCHLIST - do + for arch in $ARCHLIST; do [ -d "$BINDIR/$arch" ] || continue - if check_dir $arch; then - echo $arch is OK + if check_dir "$arch"; then + echo "$arch" is OK echo installing binaries ... - ccp $arch/ip2net ip2net - ccp $arch/mdig mdig - [ -n "$PKTWS" ] && ccp $arch/$PKTWS nfq - [ "$UNAME" = CYGWIN ] || ccp $arch/tpws tpws - exit 0 + ccp "$arch"/ip2net ip2net + ccp "$arch"/mdig mdig + [ -n "$PKTWS" ] && ccp "$arch"/$PKTWS nfq + [ "$UNAME" = CYGWIN ] || ccp "$arch"/tpws tpws + exit 0 else - echo $arch is NOT OK + echo "$arch" is NOT OK fi done echo no compatible binaries found diff --git a/install_easy.sh b/install_easy.sh index 9b3dc85..62539ab 100755 --- a/install_easy.sh +++ b/install_easy.sh @@ -3,7 +3,10 @@ # automated script for easy installing zapret EXEDIR="$(dirname "$0")" -EXEDIR="$(cd "$EXEDIR"; pwd)" +EXEDIR="$( + cd "$EXEDIR" + pwd +)" ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"} ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"} ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} 
@@ -31,17 +34,16 @@ GET_LIST="$IPSET_DIR/get_config.sh" [ -n "$TPPORT" ] || TPPORT=988 -check_readonly_system() -{ +check_readonly_system() { local RO echo \* checking readonly system - case $SYSTEM in - systemd) - [ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1 - ;; - openrc) - [ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1 - ;; + case $SYSTEM in + systemd) + [ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1 + ;; + openrc) + [ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1 + ;; esac [ -z "$RO" ] || { echo '!!! READONLY SYSTEM DETECTED !!!' @@ -51,8 +53,7 @@ check_readonly_system() } } -check_bins() -{ +check_bins() { echo \* checking executables fix_perms_bin_test "$EXEDIR" @@ -66,7 +67,7 @@ check_bins() arch="" fi } - if [ -n "$arch" ] ; then + if [ -n "$arch" ]; then echo found architecture "\"$arch\"" elif [ -f "$EXEDIR/Makefile" ] && exists make; then echo trying to compile @@ -83,17 +84,14 @@ check_bins() fi } -call_install_bin() -{ - sh "$EXEDIR/install_bin.sh" $1 +call_install_bin() { + sh "$EXEDIR/install_bin.sh" "$1" } -get_bin_arch() -{ +get_bin_arch() { call_install_bin getarch } -install_binaries() -{ +install_binaries() { echo \* installing binaries call_install_bin || { @@ -102,8 +100,7 @@ install_binaries() } } -select_mode_mode() -{ +select_mode_mode() { local edited v vars MODES="tpws tpws-socks nfqws filter custom" [ "$SYSTEM" = "macos" ] && MODES="tpws tpws-socks filter custom" echo 
@@ -111,44 +108,42 @@ select_mode_mode() ask_list MODE "$MODES" tpws && write_config_var MODE case $MODE in - tpws) - vars="TPWS_OPT" - ;; - nfqws) - vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6" - ;; + tpws) + vars="TPWS_OPT" + ;; + nfqws) + vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6" + ;; esac [ -n "$vars" ] && { echo - while [ 1=1 ]; do + while true; do for var in $vars; do eval v="\$$var" - echo $var=\"$v\" + echo "$var"=\""$v"\" done ask_yes_no N "do you want to edit the options" || { [ -n "$edited" ] && { for var in $vars; do - write_config_var $var + write_config_var "$var" done } break } - edit_vars $vars + edit_vars "$vars" edited=1 echo ..edited.. done } } -select_mode_http() -{ +select_mode_http() { [ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && { echo ask_yes_no_var MODE_HTTP "enable http support" write_config_var MODE_HTTP } } -select_mode_keepalive() -{ +select_mode_keepalive() { [ "$MODE" = "nfqws" ] && [ "$MODE_HTTP" = "1" ] && { echo echo enable keep alive support only if DPI checks every outgoing packet for http signature @@ -157,16 +152,14 @@ select_mode_keepalive() write_config_var MODE_HTTP_KEEPALIVE } } -select_mode_https() -{ +select_mode_https() { [ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && { echo ask_yes_no_var MODE_HTTPS "enable https support" write_config_var MODE_HTTPS } } -select_mode_quic() -{ +select_mode_quic() { [ "$SUBSYS" = "keenetic" ] && { echo echo "WARNING ! Keenetic is not officially supported by zapret." 
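Review bot: `edit_vars "$vars"` in hunk @@ -111,44 +108,42 @@ changes the call's arity: `vars` is a space-separated list of variable names (the `for var in $vars` loop a few lines above iterates it, and the nfqws arm assigns seven names), so the old unquoted call passed each name as its own argument while the new form passes the whole list as one. Unless edit_vars splits its single argument itself — its body is not visible here — editing options in nfqws mode would now operate on a variable name that does not exist. Keep the split explicit, `# shellcheck disable=SC2086 -- $vars is a space-separated list` followed by `edit_vars $vars`, or change edit_vars to take the names as `"$@"` consistently.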
@@ -183,16 +176,14 @@ select_mode_quic() write_config_var MODE_QUIC } } -select_mode_filter() -{ +select_mode_filter() { local filter="none ipset hostlist autohostlist" [ "$MODE" = "tpws-socks" ] && filter="none hostlist autohostlist" echo echo select filtering : ask_list MODE_FILTER "$filter" none && write_config_var MODE_FILTER } -select_mode() -{ +select_mode() { select_mode_mode select_mode_iface select_mode_http @@ -202,14 +193,13 @@ select_mode() select_mode_filter } -select_getlist() -{ +select_getlist() { if [ "$MODE_FILTER" = "ipset" -o "$MODE_FILTER" = "hostlist" ]; then local D=N [ -n "$GETLIST" ] && D=Y echo if ask_yes_no $D "do you want to auto download ip/host list"; then - if [ "$MODE_FILTER" = "hostlist" ] ; then + if [ "$MODE_FILTER" = "hostlist" ]; then GETLISTS="get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh" GETLIST_DEF="get_antizapret_domains.sh" else @@ -224,14 +214,12 @@ select_getlist() write_config_var GETLIST } -ask_config() -{ +ask_config() { select_mode select_getlist } -ask_config_offload() -{ +ask_config_offload() { [ "$FWTYPE" = nftables ] || is_ipt_flow_offload_avail && { echo echo flow offloading can greatly increase speed on slow devices and high speed links \(usually 150+ mbits\) 
@@ -257,31 +245,28 @@ ask_config_offload() } } -ask_config_tmpdir() -{ +ask_config_tmpdir() { # ask tmpdir change for low ram systems with enough free disk space [ -n "$GETLIST" ] && [ $(get_free_space_mb "$EXEDIR/tmp") -ge 128 ] && [ $(get_ram_mb) -le 400 ] && { echo echo /tmp in openwrt is tmpfs. on low RAM systems there may be not enough RAM to store downloaded files echo default tmpfs has size of 50% RAM - echo "RAM : $(get_ram_mb) Mb" - echo "DISK : $(get_free_space_mb) Mb" - echo select temp file location + echo "RAM: $(get_ram_mb) Mb" + echo "DISK: $(get_free_space_mb) Mb" + echo select temp file location [ -z "$TMPDIR" ] && TMPDIR=/tmp ask_list TMPDIR "/tmp $EXEDIR/tmp" && { - [ "$TMPDIR" = "/tmp" ] && TMPDIR= - write_config_var TMPDIR + [ "$TMPDIR" = "/tmp" ] && TMPDIR= + write_config_var TMPDIR } } } -nft_flow_offload() -{ +nft_flow_offload() { [ "$UNAME" = Linux -a "$FWTYPE" = nftables -a "$MODE" != "tpws-socks" ] && [ "$FLOWOFFLOAD" = software -o "$FLOWOFFLOAD" = hardware ] } -ask_iface() -{ +ask_iface() { # $1 - var to ask # $2 - additional name for empty string synonim 
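Review bot: The quoting pass in ask_config_tmpdir stopped short of the test on its first line: `[ $(get_free_space_mb "$EXEDIR/tmp") -ge 128 ]` and `[ $(get_ram_mb) -le 400 ]` still expand unquoted, so an empty result from either helper becomes a `[: unary operator expected` error and the `&&` chain silently skips the prompt. Quoting them, e.g. `[ "$(get_free_space_mb "$EXEDIR/tmp")" -ge 128 ]`, at least turns that into an explicit integer-expression error. Separately, the test measures `"$EXEDIR/tmp"` but the `DISK:` line prints `$(get_free_space_mb)` with no argument, so the figure shown to the user may describe a different filesystem than the one the decision is based on; pass the same path in both places.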
@@ -290,38 +275,35 @@ ask_iface() [ -n "$2" ] && i0="$2 " case $SYSTEM in - macos) - ifs="$(ifconfig -l)" - ;; - *) - ifs="$(ls /sys/class/net)" - ;; + macos) + ifs="$(ifconfig -l)" + ;; + *) + ifs="$(ls /sys/class/net)" + ;; esac - [ -z "$def" ] && eval $1="$2" - ask_list $1 "$i0$ifs" && { + [ -z "$def" ] && eval "$1"="$2" + ask_list "$1" "$i0$ifs" && { eval new="\$$1" - [ "$new" = "$2" ] && eval $1="" - write_config_var $1 + [ "$new" = "$2" ] && eval "$1"="" + write_config_var "$1" } } -ask_iface_lan() -{ +ask_iface_lan() { echo LAN interface : local opt nft_flow_offload || opt=NONE ask_iface IFACE_LAN $opt } -ask_iface_wan() -{ +ask_iface_wan() { echo WAN interface : local opt nft_flow_offload || opt=ANY ask_iface IFACE_WAN $opt } -select_mode_iface() -{ - # openwrt has its own interface management scheme +select_mode_iface() { + # OpenWrt has its own interface management scheme # filter just creates ip tables, no daemons involved # nfqws sits in POSTROUTING chain and unable to filter by incoming interface # tpws redirection works in PREROUTING chain 
@@ -332,63 +314,62 @@ select_mode_iface() if [ "$SYSTEM" = "openwrt" ] || [ "$MODE" = "filter" ]; then return; fi case "$MODE" in - tpws-socks) - echo "select LAN interface to allow socks access from your LAN. select NONE for localhost only." - echo "expect socks on tcp port $TPPORT" + tpws-socks) + echo "select LAN interface to allow SOCKS access from your LAN. select NONE for localhost only." + echo "expect SOCKS on tcp port $TPPORT" + ask_iface_lan + ;; + tpws) + echo "select LAN interface to operate in router mode. select NONE for local outgoing traffic only." + if [ "$SYSTEM" = "macos" ]; then + echo "WARNING ! OS feature \"internet sharing\" is not supported." + echo "Only manually configured PF router is supported." + else + echo "WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility." + fi + ask_iface_lan + ;; + custom) + echo "select LAN interface for your custom script (how it works depends on your code)" + ask_iface_lan + ;; + *) + nft_flow_offload && { + echo "select LAN interface for nftables flow offloading" ask_iface_lan - ;; - tpws) - echo "select LAN interface to operate in router mode. select NONE for local outgoing traffic only." - if [ "$SYSTEM" = "macos" ]; then - echo "WARNING ! OS feature \"internet sharing\" is not supported." - echo "Only manually configured PF router is supported." - else - echo "WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility." - fi - ask_iface_lan - ;; - custom) - echo "select LAN interface for your custom script (how it works depends on your code)" - ask_iface_lan - ;; - *) - nft_flow_offload && { - echo "select LAN interface for nftables flow offloading" - ask_iface_lan - } - ;; + } + ;; esac case "$MODE" in - tpws) - echo "select WAN interface for $MODE operations. select ANY to operate on any interface." - [ -n "$IFACE_LAN" ] && echo "WAN filtering works only for local outgoing traffic !" 
+ tpws) + echo "select WAN interface for $MODE operations. select ANY to operate on any interface." + [ -n "$IFACE_LAN" ] && echo "WAN filtering works only for local outgoing traffic !" + ask_iface_wan + ;; + nfqws) + echo "select WAN interface for $MODE operations. select ANY to operate on any interface." + ask_iface_wan + ;; + custom) + echo "select WAN interface for your custom script (how it works depends on your code)" + ask_iface_wan + ;; + *) + nft_flow_offload && { + echo "select WAN interface for nftables flow offloading" ask_iface_wan - ;; - nfqws) - echo "select WAN interface for $MODE operations. select ANY to operate on any interface." - ask_iface_wan - ;; - custom) - echo "select WAN interface for your custom script (how it works depends on your code)" - ask_iface_wan - ;; - *) - nft_flow_offload && { - echo "select WAN interface for nftables flow offloading" - ask_iface_wan - } - ;; + } + ;; esac } -default_files() -{ +default_files() { # $1 - ro location # $2 - rw location (can be equal to $1) [ -d "$2/ipset" ] || mkdir -p "$2/ipset" [ -f "$2/ipset/zapret-hosts-user-exclude.txt" ] || cp "$1/ipset/zapret-hosts-user-exclude.txt.default" "$2/ipset/zapret-hosts-user-exclude.txt" - [ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >> "$2/ipset/zapret-hosts-user.txt" + [ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >>"$2/ipset/zapret-hosts-user.txt" [ -f "$2/ipset/zapret-hosts-user-ipban.txt" ] || touch "$2/ipset/zapret-hosts-user-ipban.txt" for dir in openwrt sysv macos; do [ -d "$1/init.d/$dir" ] && { @@ -397,19 +378,17 @@ default_files() } done } -copy_all() -{ +copy_all() { local dir cp -R "$1" "$2" [ -d "$2/tmp" ] || mkdir "$2/tmp" } -copy_openwrt() -{ +copy_openwrt() { local ARCH="$(get_bin_arch)" local BINDIR="$1/binaries/$ARCH" local file - + [ -d "$2" ] || mkdir -p "$2" mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files" 
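Review bot: In copy_openwrt, `local ARCH="$(get_bin_arch)"` hides a failing or empty get_bin_arch behind `local`'s zero status; with an empty ARCH the `mkdir` line creates `$2/binaries/` under a blank architecture name and the `cp` from `$BINDIR` presumably fails for every binary, leaving a half-populated target that check_location then relaunches from. Split declaration from assignment and bail out: `local ARCH` / `ARCH=$(get_bin_arch) || return 1` / `[ -n "$ARCH" ] || return 1`. copy_all in the same hunk declares `local dir` that nothing uses; drop it.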
@@ -420,91 +399,84 @@ copy_openwrt() cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH" } -fix_perms_bin_test() -{ +fix_perms_bin_test() { [ -d "$1" ] || return find "$1/binaries" -name ip2net ! -perm -111 -exec chmod +x {} \; } -fix_perms() -{ +fix_perms() { [ -d "$1" ] || return find "$1" -type d -exec chmod 755 {} \; find "$1" -type f -exec chmod 644 {} \; local chow case "$UNAME" in - Linux) - chow=root:root - ;; - *) - chow=root:wheel + Linux) + chow=root:root + ;; + *) + chow=root:wheel + ;; esac chown -R $chow "$1" find "$1/binaries" '(' -name tpws -o -name dvtws -o -name nfqws -o -name ip2net -o -name mdig ')' -exec chmod 755 {} \; for f in \ -install_bin.sh \ -blockcheck.sh \ -install_easy.sh \ -install_prereq.sh \ -files/huawei/E8372/zapret-ip \ -files/huawei/E8372/unzapret-ip \ -files/huawei/E8372/run-zapret-hostlist \ -files/huawei/E8372/unzapret \ -files/huawei/E8372/zapret \ -files/huawei/E8372/run-zapret-ip \ -ipset/get_exclude.sh \ -ipset/clear_lists.sh \ -ipset/get_antifilter_ipresolve.sh \ -ipset/get_reestr_resolvable_domains.sh \ -ipset/get_config.sh \ -ipset/get_reestr_preresolved.sh \ -ipset/get_user.sh \ -ipset/get_antifilter_allyouneed.sh \ -ipset/get_reestr_resolve.sh \ -ipset/create_ipset.sh \ -ipset/get_reestr_hostlist.sh \ -ipset/get_ipban.sh \ -ipset/get_antifilter_ipsum.sh \ -ipset/get_antifilter_ipsmart.sh \ -ipset/get_antizapret_domains.sh \ -ipset/get_reestr_preresolved_smart.sh \ -ipset/get_antifilter_ip.sh \ -init.d/pfsense/zapret.sh \ -init.d/macos/zapret \ -init.d/runit/zapret/run \ -init.d/runit/zapret/finish \ -init.d/openrc/zapret \ -init.d/sysv/zapret \ -init.d/openwrt/zapret \ -uninstall_easy.sh \ - ; do chmod 755 "$1/$f" 2>/dev/null ; done + install_bin.sh \ + blockcheck.sh \ + install_easy.sh \ + install_prereq.sh \ + files/huawei/E8372/zapret-ip \ + files/huawei/E8372/unzapret-ip \ + files/huawei/E8372/run-zapret-hostlist \ + files/huawei/E8372/unzapret \ + files/huawei/E8372/zapret \ + 
files/huawei/E8372/run-zapret-ip \ + ipset/get_exclude.sh \ + ipset/clear_lists.sh \ + ipset/get_antifilter_ipresolve.sh \ + ipset/get_reestr_resolvable_domains.sh \ + ipset/get_config.sh \ + ipset/get_reestr_preresolved.sh \ + ipset/get_user.sh \ + ipset/get_antifilter_allyouneed.sh \ + ipset/get_reestr_resolve.sh \ + ipset/create_ipset.sh \ + ipset/get_reestr_hostlist.sh \ + ipset/get_ipban.sh \ + ipset/get_antifilter_ipsum.sh \ + ipset/get_antifilter_ipsmart.sh \ + ipset/get_antizapret_domains.sh \ + ipset/get_reestr_preresolved_smart.sh \ + ipset/get_antifilter_ip.sh \ + init.d/pfsense/zapret.sh \ + init.d/macos/zapret \ + init.d/runit/zapret/run \ + init.d/runit/zapret/finish \ + init.d/openrc/zapret \ + init.d/sysv/zapret \ + init.d/openwrt/zapret \ + uninstall_easy.sh; do chmod 755 "$1/$f" 2>/dev/null; done } - -_backup_settings() -{ +_backup_settings() { local i=0 for f in "$@"; do [ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i" - i=$(($i+1)) + i=$(($i + 1)) done } -_restore_settings() -{ +_restore_settings() { local i=0 for f in "$@"; do [ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i" - i=$(($i+1)) + i=$(($i + 1)) done } -backup_restore_settings() -{ +backup_restore_settings() { # $1 - 1 - backup, 0 - restore - local mode=$1 - on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt" + local mode="$1" + on_off_function _backup_settings _restore_settings "$mode" "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt" } -check_location() -{ +check_location() { # $1 - copy function echo \* checking location 
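Review bot: `_backup_settings` and `_restore_settings` stage the user's config and custom scripts through fixed, predictable names `/tmp/zapret-bkp-$i` while running as root (fix_perms in the same hunk chowns the tree to root, so this path is privileged). A local user who pre-creates `/tmp/zapret-bkp-0` as a symlink gets `cp -f` to write the config through it, and whatever they leave under that name is `mv -f`ed into `$ZAPRET_TARGET/config` by `_restore_settings` and later sourced by the init scripts as root; the exposure is limited to the reinstall-with-keep path in check_location, so the window is narrow but real. The commit did not introduce this, but it rewrote both functions, so it is the place to fix it: keep the backups in a private `mktemp -d` directory (available in busybox and BSD userland) held in a variable for the whole backup/restore cycle, which runs in one process before the `exec` relaunch.

```shell
_backup_settings() {
	local i=0
	ZAPRET_BKP_DIR="$(mktemp -d)" || return 1
	for f in "$@"; do
		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "$ZAPRET_BKP_DIR/$i"
		i=$(($i + 1))
	done
}
_restore_settings() {
	local i=0
	[ -d "$ZAPRET_BKP_DIR" ] || return 1
	for f in "$@"; do
		[ -f "$ZAPRET_BKP_DIR/$i" ] && mv -f "$ZAPRET_BKP_DIR/$i" "$ZAPRET_TARGET/$f" || rm -f "$ZAPRET_BKP_DIR/$i"
		i=$(($i + 1))
	done
	rmdir "$ZAPRET_BKP_DIR" 2>/dev/null
}
```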
@@ -514,13 +486,13 @@ check_location() default_files "$ZAPRET_TARGET" "$ZAPRET_RW" else echo - echo easy install is supported only from default location : $ZAPRET_TARGET - echo currently its run from $EXEDIR + echo easy install is supported only from default location: "$ZAPRET_TARGET" + echo currently its run from "$EXEDIR" if ask_yes_no N "do you want the installer to copy it for you"; then local keep=N if [ -d "$ZAPRET_TARGET" ]; then echo - echo installer found existing $ZAPRET_TARGET + echo installer found existing "$ZAPRET_TARGET" echo directory needs to be replaced. config and custom scripts can be kept or replaced with clean version if ask_yes_no N "do you want to delete all files there and copy this version"; then echo @@ -530,7 +502,7 @@ check_location() fi rm -r "$ZAPRET_TARGET" else - echo refused to overwrite $ZAPRET_TARGET. exiting + echo refused to overwrite "$ZAPRET_TARGET". exiting exitp 3 fi fi @@ -539,22 +511,20 @@ check_location() $1 "$EXEDIR" "$ZAPRET_TARGET" fix_perms "$ZAPRET_TARGET" [ "$keep" = "Y" ] && backup_restore_settings 0 - echo relaunching itself from $ZAPRET_TARGET + echo relaunching itself from "$ZAPRET_TARGET" exec "$ZAPRET_TARGET/$(basename "$0")" else echo copying aborted. exiting exitp 3 fi fi - echo running from $EXEDIR + echo running from "$EXEDIR" } - -service_install_systemd() -{ +service_install_systemd() { echo \* installing zapret service - if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then + if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then rm -f "$INIT_SCRIPT" ln -fs "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR" "$SYSTEMCTL" daemon-reload 
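Review bot: The relaunch `exec "$ZAPRET_TARGET/$(basename "$0")"` drops the script's own arguments, so an invocation that asked for a source build (`install_easy.sh make`, which sets FORCE_BUILD at top level elsewhere in this diff) comes back as a plain install after the copy. check_location's own `$@` is the copy function at this point, so the original argument has to be carried another way, e.g. `exec "$ZAPRET_TARGET/$(basename "$0")" ${FORCE_BUILD:+make}`, assuming FORCE_BUILD is already set when check_location runs — the call order is outside this hunk. The quoting changes on the echo lines are fine.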
@@ -567,11 +537,10 @@ service_install_systemd() fi } -timer_install_systemd() -{ +timer_install_systemd() { echo \* installing zapret-list-update timer - if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then + if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then "$SYSTEMCTL" disable zapret-list-update.timer "$SYSTEMCTL" stop zapret-list-update.timer ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR" @@ -590,9 +559,8 @@ timer_install_systemd() fi } -download_list() -{ - [ -x "$GET_LIST" ] && { +download_list() { + [ -x "$GET_LIST" ] && { echo \* downloading blocked ip/host list # can be txt or txt.gz @@ -601,27 +569,22 @@ download_list() } } - -dnstest() -{ - # $1 - dns server. empty for system resolver - nslookup w3.org $1 >/dev/null 2>/dev/null +dnstest() { + # $1 - DNS server. empty for system resolver + nslookup w3.org "$1" >/dev/null 2>/dev/null } -check_dns() -{ +check_dns() { echo \* checking DNS dnstest || { - echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access. + echo "-- DNS is not working. It's either misconfigured or blocked or you don't have inet access." return 1 } echo system DNS is working return 0 } - -install_systemd() -{ +install_systemd() { INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret" check_bins @@ -646,8 +609,7 @@ install_systemd() service_start_systemd } -_install_sysv() -{ +_install_sysv() { # $1 - install init script check_bins @@ -671,21 +633,17 @@ _install_sysv() service_start_sysv } -install_sysv() -{ +install_sysv() { INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret" _install_sysv install_sysv_init } -install_openrc() -{ +install_openrc() { INIT_SCRIPT_SRC="$EXEDIR/init.d/openrc/zapret" _install_sysv install_openrc_init } - -install_linux() -{ +install_linux() { INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret" check_bins 
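Review bot: `nslookup w3.org "$1"` in dnstest regresses the documented "empty for system resolver" case on the line right above it: check_dns calls `dnstest` with no argument, and the quoted expansion now passes an empty string as the server operand instead of nothing, so nslookup is asked to use server `""` rather than the system resolver, which on common implementations is an error that check_dns would then report as broken DNS. Keep the optional operand optional: `nslookup w3.org ${1:+"$1"} >/dev/null 2>/dev/null`.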
@@ -703,17 +661,15 @@ install_linux() crontab_del_quiet # desktop system. more likely up at daytime crontab_add 10 22 - + echo echo '!!! WARNING. YOUR SETUP IS INCOMPLETE !!!' - echo you must manually add to auto start : $INIT_SCRIPT_SRC start + echo you must manually add to auto start: "$INIT_SCRIPT_SRC" start echo make sure it\'s executed after your custom/firewall iptables configuration echo "if your system uses sysv init : ln -fs $INIT_SCRIPT_SRC /etc/init.d/zapret ; chkconfig zapret on" } - -deoffload_openwrt_firewall() -{ +deoffload_openwrt_firewall() { echo \* checking flow offloading [ "$FWTYPE" = "nftables" ] || is_ipt_flow_offload_avail || { 
@@ -723,39 +679,37 @@ deoffload_openwrt_firewall() local fo=$(uci -q get firewall.@defaults[0].flow_offloading) - if [ "$fo" = "1" ] ; then + if [ "$fo" = "1" ]; then local mod=0 printf "system wide flow offloading detected. " case $FLOWOFFLOAD in - donttouch) - if [ "$MODE" = "nfqws" ]; then - echo its incompatible with nfqws tcp data tampering. disabling - uci set firewall.@defaults[0].flow_offloading=0 - mod=1 + donttouch) + if [ "$MODE" = "nfqws" ]; then + echo its incompatible with nfqws tcp data tampering. disabling + uci set firewall.@defaults[0].flow_offloading=0 + mod=1 + else + if [ "$MODE" = "custom" ]; then + echo custom mode selected !!! only you can decide whether flow offloading is compatible else - if [ "$MODE" = "custom" ] ; then - echo custom mode selected !!! only you can decide whether flow offloading is compatible - else - echo its compatible with selected options. not disabling - fi + echo its compatible with selected options. not disabling fi + fi ;; *) echo zapret will disable system wide offloading setting and add selective rules if required uci set firewall.@defaults[0].flow_offloading=0 mod=1 + ;; esac [ "$mod" = "1" ] && uci commit firewall else echo system wide software flow offloading disabled. ok fi - + } - - -install_openwrt() -{ +install_openwrt() { INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret" FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret" OPENWRT_FW_INCLUDE=/etc/firewall.zapret @@ -768,7 +722,7 @@ install_openwrt() check_dns check_virt - local FWTYPE_OLD=$FWTYPE + local FWTYPE_OLD="$FWTYPE" echo \* stopping current firewall rules/daemons "$INIT_SCRIPT_SRC" stop_fw 
@@ -798,36 +752,30 @@ install_openwrt() restart_openwrt_firewall } - - -remove_pf_zapret_hooks() -{ +remove_pf_zapret_hooks() { echo \* removing zapret PF hooks pf_anchors_clear } -macos_fw_reload_trigger_clear() -{ +macos_fw_reload_trigger_clear() { case "$MODE" in - tpws|tpws-socks|custom) - LISTS_RELOAD= - write_config_var LISTS_RELOAD - ;; + tpws | tpws-socks | custom) + LISTS_RELOAD= + write_config_var LISTS_RELOAD + ;; esac } -macos_fw_reload_trigger_set() -{ +macos_fw_reload_trigger_set() { case "$MODE" in - tpws|custom) - LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables" - write_config_var LISTS_RELOAD - ;; + tpws | custom) + LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables" + write_config_var LISTS_RELOAD + ;; esac } -install_macos() -{ +install_macos() { INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret" # compile before root @@ -852,7 +800,6 @@ install_macos() service_start_macos } - # build binaries, do not use precompiled [ "$1" = "make" ] && FORCE_BUILD=1 @@ -864,22 +811,21 @@ check_system [ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions" case $SYSTEM in - systemd) - install_systemd - ;; - openrc) - install_openrc - ;; - linux) - install_linux - ;; - openwrt) - install_openwrt - ;; - macos) - install_macos - ;; +systemd) + install_systemd + ;; +openrc) + install_openrc + ;; +linux) + install_linux + ;; +openwrt) + install_openwrt + ;; +macos) + install_macos + ;; esac - exitp 0 diff --git a/install_prereq.sh b/install_prereq.sh index be938cc..3caa717 100755 --- a/install_prereq.sh +++ b/install_prereq.sh @@ -3,7 +3,10 @@ # install prerequisites EXEDIR="$(dirname "$0")" -EXEDIR="$(cd "$EXEDIR"; pwd)" +EXEDIR="$( + cd "$EXEDIR" + pwd +)" ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"} ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"} ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} 
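Review bot: The EXEDIR resolution in install_prereq.sh got the multi-line form without the `|| exit` the other files received, and even that guard only leaves the `$( )` subshell: on a failed `cd` the substitution yields an empty string and the script carries on with `EXEDIR=""`, deriving ZAPRET_BASE, ZAPRET_RW and ZAPRET_CONFIG from the root directory before running as root. Make the failure abort the script itself: `EXEDIR="$(cd "$EXEDIR" && pwd)" || exit 1`. That form also satisfies SC2164 without the misleading inner exit.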
@@ -27,25 +30,25 @@ umask 0022 fix_sbin_path fsleep_setup check_system accept_unknown_rc -[ $UNAME = "Linux" ] || { - echo no prerequisites required for $UNAME +[ "$UNAME" = "Linux" ] || { + echo no prerequisites required for "$UNAME" exitp 0 } require_root case $UNAME in - Linux) - select_fwtype - case $SYSTEM in - openwrt) - select_ipv6 - check_prerequisites_openwrt - ;; - *) - check_prerequisites_linux - ;; - esac +Linux) + select_fwtype + case $SYSTEM in + openwrt) + select_ipv6 + check_prerequisites_openwrt ;; + *) + check_prerequisites_linux + ;; + esac + ;; esac exitp 0 diff --git a/ipset/clear_lists.sh b/ipset/clear_lists.sh index 80c1531..14de2f7 100755 --- a/ipset/clear_lists.sh +++ b/ipset/clear_lists.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" diff --git a/ipset/create_ipset.sh b/ipset/create_ipset.sh index f5eaaa5..f07fcfa 100755 --- a/ipset/create_ipset.sh +++ b/ipset/create_ipset.sh @@ -5,7 +5,10 @@ # $1=clear - clear ipset IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd +)" . "$IPSET_DIR/def.sh" . "$IPSET_DIR/../common/fwtype.sh" @@ -27,17 +30,14 @@ while [ -n "$1" ]; do shift done - -file_extract_lines() -{ +file_extract_lines() { # $1 - filename # $2 - from line (starting with 0) # $3 - line count # awk "{ err=1 } NR < $(($2+1)) { next } { print; err=0 } NR == $(($2+$3)) { exit err } END {exit err}" "$1" - $AWK "NR < $(($2+1)) { next } { print } NR == $(($2+$3)) { exit }" "$1" + $AWK "NR < $(($2 + 1)) { next } { print } NR == $(($2 + $3)) { exit }" "$1" } -ipset_restore_chunked() -{ +ipset_restore_chunked() { # $1 - filename # $2 - chunk size local pos lines 
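Review bot: ipset/clear_lists.sh got the multi-line cd/pwd form with no `|| exit` at all, so a failed `cd` leaves IPSET_DIR set to the caller's working directory and the `. "$IPSET_DIR/def.sh"` on the next line sources whatever `def.sh` happens to sit there — for a script normally run as root that is worth guarding. Prefer `IPSET_DIR="$(cd "$IPSET_DIR" && pwd)" || exit 1`, which aborts the script rather than only the subshell; the same applies to the create_ipset.sh hunk on this line, whose inner `|| exit` does not stop the outer script either.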
@@ -45,27 +45,23 @@ ipset_restore_chunked() lines=$(wc -l <"$1") pos=$lines while [ "$pos" -gt "0" ]; do - pos=$((pos-$2)) + pos=$((pos - $2)) [ "$pos" -lt "0" ] && pos=0 - file_extract_lines "$1" $pos $2 | ipset -! restore - sed -i "$(($pos+1)),$ d" "$1" + file_extract_lines "$1" $pos "$2" | ipset -! restore + sed -i "$(($pos + 1)),$ d" "$1" done } - -ipset_get_script() -{ +ipset_get_script() { # $1 - ipset name sed -nEe "s/^.+$/add $1 &/p" } -ipset_get_script_from_file() -{ +ipset_get_script_from_file() { # $1 - filename # $2 - ipset name - zzcat "$1" | sort -u | ipset_get_script $2 + zzcat "$1" | sort -u | ipset_get_script "$2" } -ipset_restore() -{ +ipset_restore() { # $1 - ipset name # $2 - filename @@ -78,7 +74,7 @@ ipset_restore() local T="Adding to ipset $1 " [ "$svram" = "1" ] && T="$T (saveram)" T="$T : $f" - echo $T + echo "$T" if [ "$svram" = "1" ]; then ipset_get_script_from_file "$2" "$1" >"$IPSET_CMD" 
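Review bot: The quoting in ipset_restore_chunked is only half done: `file_extract_lines "$1" $pos "$2"` quotes the chunk size but leaves `$pos` bare, and `pos=$((pos - $2))` mixes the bare-name and `$`-name forms in one arithmetic expression. Both values are integers so nothing breaks, but a commit whose purpose is consistent quoting should finish the line: `file_extract_lines "$1" "$pos" "$2" | ipset -! restore`.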
@@ -88,46 +84,43 @@ ipset_restore() ipset_get_script_from_file "$2" "$1" | ipset -! restore fi } -create_ipset() -{ +create_ipset() { if [ "$1" -eq "6" ]; then FAMILY=inet6 else FAMILY=inet fi - ipset create $2 $3 $4 family $FAMILY 2>/dev/null || { + ipset create "$2" "$3" "$4" family $FAMILY 2>/dev/null || { [ "$NO_UPDATE" = "1" ] && return 0 } - ipset flush $2 + ipset flush "$2" [ "$DO_CLEAR" = "1" ] || { - for f in "$5" "$6" ; do + for f in "$5" "$6"; do ipset_restore "$2" "$f" done - [ -n "$IPSET_HOOK" ] && $IPSET_HOOK $2 | ipset_get_script $2 | ipset -! restore + [ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$2" | ipset_get_script "$2" | ipset -! restore } return 0 } -nfset_get_script_multi() -{ +nfset_get_script_multi() { # $1 - set name # $2,$3,... - filenames # all in one shot. this allows to merge overlapping ranges # good but eats lots of RAM - local set=$1 nonempty N=1 f - + local set="$1" nonempty N=1 f + shift # first we need to make sure at least one element exists or nft will fail - while : - do + while :; do eval f=\$$N [ -n "$f" ] || break nonempty=$(zzexist "$f" && zzcat "$f" | head -n 1) [ -n "$nonempty" ] && break - N=$(($N+1)) + N=$(($N + 1)) done [ -n "$nonempty" ] && { @@ -139,22 +132,20 @@ nfset_get_script_multi() echo "}" } } -nfset_restore() -{ +nfset_restore() { # $1 - set name # $2,$3,... - filenames echo "Adding to nfset $1 : $2 $3 $4 $5" local hookfile [ -n "$IPSET_HOOK" ] && { - $IPSET_HOOK $1 >"$IPSET_HOOK_TEMP" + $IPSET_HOOK "$1" >"$IPSET_HOOK_TEMP" [ -s "$IPSET_HOOK_TEMP" ] && hookfile=$IPSET_HOOK_TEMP } - nfset_get_script_multi "$@" $hookfile | nft -f - + nfset_get_script_multi "$@" "$hookfile" | nft -f - rm -f "$IPSET_HOOK_TEMP" } -create_nfset() -{ +create_nfset() { # $1 - family # $2 - set name # $3 - maxelem 
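Review bot: `ipset create "$2" "$3" "$4" family $FAMILY` changes semantics: `$4` is the options string passed as `"$IPSET_OPT"` / `"$IPSET_OPT_EXCLUDE"` at the bottom of this file, and the original bare `$4` relied on word-splitting to turn a value like `hashsize N maxelem M` into separate ipset operands (I cannot see IPSET_OPT's definition, but the name and the deliberate lack of quotes point that way). With the quoted form ipset sees one unknown operand, `create` fails, the failure is swallowed by `2>/dev/null`, and `ipset flush` plus the restores then run against a set that may not exist. Restore the split and mark it: `# shellcheck disable=SC2086  # $4 is an ipset option word list` above `ipset create "$2" "$3" $4 family $FAMILY 2>/dev/null || {`.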
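Review bot: `nfset_get_script_multi "$@" "$hookfile"` in nfset_restore now appends an empty filename argument whenever IPSET_HOOK is unset or produced no output, where the bare `$hookfile` previously vanished. The probe loop in nfset_get_script_multi stops at the first empty name so that part is unaffected, but the function's file iteration continues outside this hunk and I cannot confirm an empty name never reaches zzexist/zzcat there. `nfset_get_script_multi "$@" ${hookfile:+"$hookfile"}` keeps the argument list exactly as it was.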
@@ -162,54 +153,50 @@ create_nfset() local policy [ $SAVERAM = "1" ] && policy="policy memory;" - nft_create_set $2 "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || { + nft_create_set "$2" "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || { [ "$NO_UPDATE" = "1" ] && return 0 - nft flush set inet $ZAPRET_NFT_TABLE $2 + nft flush set inet "$ZAPRET_NFT_TABLE" "$2" } [ "$DO_CLEAR" = "1" ] || { - nfset_restore $2 $4 $5 + nfset_restore "$2" "$4" "$5" } return 0 } -add_ipfw_table() -{ +add_ipfw_table() { # $1 - table name sed -nEe "s/^.+$/table $1 add &/p" | ipfw -q /dev/stdin } -populate_ipfw_table() -{ +populate_ipfw_table() { # $1 - table name # $2 - ip list file zzexist "$2" || return - zzcat "$2" | sort -u | add_ipfw_table $1 + zzcat "$2" | sort -u | add_ipfw_table "$1" } -create_ipfw_table() -{ +create_ipfw_table() { # $1 - table name # $2 - table options # $3,$4, ... - ip list files. can be v4,v6 or mixed - local name=$1 - ipfw table "$name" create $2 2>/dev/null || { + local name="$1" + ipfw table "$name" create "$2" 2>/dev/null || { [ "$NO_UPDATE" = "1" ] && return 0 } - ipfw -q table $1 flush + ipfw -q table "$1" flush shift shift [ "$DO_CLEAR" = "1" ] || { while [ -n "$1" ]; do echo "Adding to ipfw table $name : $1" - populate_ipfw_table $name "$1" + populate_ipfw_table "$name" "$1" shift done - [ -n "$IPSET_HOOK" ] && $IPSET_HOOK $name | add_ipfw_table $name + [ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$name" | add_ipfw_table "$name" } return 0 } -print_reloading_backend() -{ +print_reloading_backend() { # $1 - backend name local s="reloading $1 backend" if [ "$NO_UPDATE" = 1 ]; then 
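Review bot: `ipfw table "$name" create "$2"` has the same problem as the ipset path: `$2` carries `$IPFW_TABLE_OPT`, an options string whose original unquoted expansion supplied several ipfw operands, and as one quoted word the `create` fails silently via `2>/dev/null`, so an existing table keeps running without its intended options and a missing one is never created. Keep `$2` word-split with a `# shellcheck disable=SC2086` marker on that line. Separately, `nfset_restore "$2" "$4" "$5"` in create_nfset now passes an empty fifth argument for the exclude sets that have only one list file; nfset_restore's probe loop stops at the first empty name so this is likely benign, but `${5:+"$5"}` preserves the old argument list exactly.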
@@ -219,91 +206,90 @@ print_reloading_backend() else s="$s (forced-update)" fi - echo $s + echo "$s" } - oom_adjust_high get_fwtype -if [ -n "$LISTS_RELOAD" ] ; then - if [ "$LISTS_RELOAD" = "-" ] ; then +if [ -n "$LISTS_RELOAD" ]; then + if [ "$LISTS_RELOAD" = "-" ]; then echo not reloading ip list backend true else - echo executing custom ip list reload command : $LISTS_RELOAD + echo executing custom ip list reload command : "$LISTS_RELOAD" $LISTS_RELOAD [ -n "$IPSET_HOOK" ] && $IPSET_HOOK fi else case "$FWTYPE" in - iptables) - # ipset seem to buffer the whole script to memory - # on low RAM system this can cause oom errors - # in SAVERAM mode we feed script lines in portions starting from the end, while truncating source file to free /tmp space - # only /tmp is considered tmpfs. other locations mean tmpdir was redirected to a disk + iptables) + # ipset seem to buffer the whole script to memory + # on low RAM system this can cause oom errors + # in SAVERAM mode we feed script lines in portions starting from the end, while truncating source file to free /tmp space + # only /tmp is considered tmpfs. 
other locations mean tmpdir was redirected to a disk + SAVERAM=0 + [ "$TMPDIR" = "/tmp" ] && { + RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}") + [ "$RAMSIZE" -lt "110000" ] && SAVERAM=1 + } + print_reloading_backend ipset + [ "$DISABLE_IPV4" != "1" ] && { + create_ipset 4 "$ZIPSET" hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER" + create_ipset 4 "$ZIPSET_IPBAN" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" + create_ipset 4 "$ZIPSET_EXCLUDE" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" + } + [ "$DISABLE_IPV6" != "1" ] && { + create_ipset 6 "$ZIPSET6" hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6" + create_ipset 6 "$ZIPSET_IPBAN6" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" + create_ipset 6 "$ZIPSET_EXCLUDE6" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6" + } + true + ;; + nftables) + nft_create_table && { SAVERAM=0 - [ "$TMPDIR" = "/tmp" ] && { - RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}') - [ "$RAMSIZE" -lt "110000" ] && SAVERAM=1 - } - print_reloading_backend ipset + RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}") + [ "$RAMSIZE" -lt "420000" ] && SAVERAM=1 + print_reloading_backend "nftables set" [ "$DISABLE_IPV4" != "1" ] && { - create_ipset 4 $ZIPSET hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER" - create_ipset 4 $ZIPSET_IPBAN hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" - create_ipset 4 $ZIPSET_EXCLUDE hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" + create_nfset 4 "$ZIPSET" "$SET_MAXELEM" "$ZIPLIST" "$ZIPLIST_USER" + create_nfset 4 "$ZIPSET_IPBAN" "$SET_MAXELEM" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" + create_nfset 4 "$ZIPSET_EXCLUDE" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE" } [ "$DISABLE_IPV6" != "1" ] && { - create_ipset 6 $ZIPSET6 hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6" - create_ipset 6 $ZIPSET_IPBAN6 hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" - create_ipset 6 $ZIPSET_EXCLUDE6 hash:net "$IPSET_OPT_EXCLUDE" 
"$ZIPLIST_EXCLUDE6" + create_nfset 6 "$ZIPSET6" "$SET_MAXELEM" "$ZIPLIST6" "$ZIPLIST_USER6" + create_nfset 6 "$ZIPSET_IPBAN6" "$SET_MAXELEM" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" + create_nfset 6 "$ZIPSET_EXCLUDE6" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE6" } true - ;; - nftables) - nft_create_table && { - SAVERAM=0 - RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}') - [ "$RAMSIZE" -lt "420000" ] && SAVERAM=1 - print_reloading_backend "nftables set" - [ "$DISABLE_IPV4" != "1" ] && { - create_nfset 4 $ZIPSET $SET_MAXELEM "$ZIPLIST" "$ZIPLIST_USER" - create_nfset 4 $ZIPSET_IPBAN $SET_MAXELEM "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" - create_nfset 4 $ZIPSET_EXCLUDE $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE" - } - [ "$DISABLE_IPV6" != "1" ] && { - create_nfset 6 $ZIPSET6 $SET_MAXELEM "$ZIPLIST6" "$ZIPLIST_USER6" - create_nfset 6 $ZIPSET_IPBAN6 $SET_MAXELEM "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" - create_nfset 6 $ZIPSET_EXCLUDE6 $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE6" - } - true - } - ;; - ipfw) - print_reloading_backend "ipfw table" - if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then - create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6" - create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" - create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6" - elif [ "$DISABLE_IPV4" != "1" ]; then - create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" - create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" - create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" - elif [ "$DISABLE_IPV6" != "1" ]; then - create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6" - create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" - create_ipfw_table $ZIPSET_EXCLUDE 
"$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6" - else - create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" - create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" - create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" - fi - true - ;; - *) - echo no supported ip list backend found - true - ;; - esac + } + ;; + ipfw) + print_reloading_backend "ipfw table" + if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then + create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6" + create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" + create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6" + elif [ "$DISABLE_IPV4" != "1" ]; then + create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" + create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" + create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" + elif [ "$DISABLE_IPV6" != "1" ]; then + create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6" + create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6" + create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6" + else + create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" + create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" + create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" + fi + true + ;; + *) + echo no supported ip list backend found + true + ;; + esac fi diff --git a/ipset/def.sh b/ipset/def.sh index 4be9e8d..49f6bcf 100644 --- a/ipset/def.sh +++ b/ipset/def.sh @@ -1,6 +1,9 @@ [ -n "$IPSET_DIR" ] || { - IPSET_DIR="$(dirname "$0")" - IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" + IPSET_DIR="$(dirname "$0")" + IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd + )" } . "$IPSET_DIR/../config" 
@@ -39,230 +42,204 @@ ZIPLIST_USER_IPBAN6="$IPSET_DIR/zapret-ip-user-ipban6.txt" ZUSERLIST_IPBAN="$IPSET_DIR/zapret-hosts-user-ipban.txt" ZUSERLIST_EXCLUDE="$IPSET_DIR/zapret-hosts-user-exclude.txt" - [ -n "$IP2NET" ] || IP2NET="$IPSET_DIR/../ip2net/ip2net" [ -n "$MDIG" ] || MDIG="$IPSET_DIR/../mdig/mdig" [ -z "$MDIG_THREADS" ] && MDIG_THREADS=30 - - # BSD grep is damn slow with -f option. prefer GNU grep (ggrep) if present # MacoS in cron does not include /usr/local/bin to PATH -if [ -x /usr/local/bin/ggrep ] ; then - GREP=/usr/local/bin/ggrep -elif [ -x /usr/local/bin/grep ] ; then - GREP=/usr/local/bin/grep +if [ -x /usr/local/bin/ggrep ]; then + GREP=/usr/local/bin/ggrep +elif [ -x /usr/local/bin/grep ]; then + GREP=/usr/local/bin/grep elif exists ggrep; then - GREP=$(whichq ggrep) + GREP=$(whichq ggrep) else - GREP=$(whichq grep) + GREP=$(whichq grep) fi # GNU awk is faster if exists gawk; then - AWK=gawk + AWK=gawk else - AWK=awk + AWK=awk fi -grep_supports_b() -{ - # \b does not work with BSD grep - $GREP --version 2>&1 | $GREP -qE "BusyBox|GNU" +grep_supports_b() { + # \b does not work with BSD grep + $GREP --version 2>&1 | $GREP -qE "BusyBox|GNU" } -get_ip_regex() -{ - REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?' - REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?' - # good but too slow - # REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?' 
-# grep_supports_b && { -# REG_IPV4="\b$REG_IPV4\b" -# REG_IPV6="\b$REG_IPV6\b" -# } +get_ip_regex() { + REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?' + REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?' + # good but too slow + # REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?' + # grep_supports_b && { + # REG_IPV4="\b$REG_IPV4\b" + # REG_IPV6="\b$REG_IPV6\b" + # } } -ip2net4() -{ - if [ -x "$IP2NET" ]; then - "$IP2NET" -4 $IP2NET_OPT4 - else - sort -u - fi +ip2net4() { + if [ -x "$IP2NET" ]; then + "$IP2NET" -4 "$IP2NET_OPT4" + else + sort -u + fi } -ip2net6() -{ - if [ -x "$IP2NET" ]; then - "$IP2NET" -6 $IP2NET_OPT6 - else - sort -u - fi +ip2net6() { + if [ -x "$IP2NET" ]; then + "$IP2NET" -6 "$IP2NET_OPT6" + else + sort -u + fi } -zzexist() -{ - [ -f "$1.gz" ] || [ -f "$1" ] +zzexist() { + [ -f "$1.gz" ] || [ -f "$1" ] } -zztest() -{ - gzip -t "$1" 2>/dev/null +zztest() { + gzip -t "$1" 2>/dev/null } -zzcat() -{ - if [ -f "$1.gz" ]; then - gunzip -c "$1.gz" - elif [ -f "$1" ]; then - if zztest "$1"; then - gunzip -c "$1" - else - cat "$1" - fi - fi +zzcat() { + if [ -f "$1.gz" ]; then + gunzip -c "$1.gz" + elif [ -f "$1" ]; then + if zztest "$1"; then + gunzip -c "$1" + else + cat "$1" + fi + fi } -zz() -{ - if [ "$GZIP_LISTS" = "1" ]; then - gzip -c >"$1.gz" - rm -f "$1" - else - cat >"$1" - rm -f "$1.gz" - fi +zz() { + if [ "$GZIP_LISTS" = "1" ]; then + gzip -c >"$1.gz" + rm -f "$1" + else + cat 
>"$1" + rm -f "$1.gz" + fi } -zzsize() -{ - local f="$1" - [ -f "$1.gz" ] && f="$1.gz" - if [ -f "$f" ]; then - wc -c <"$f" | xargs - else - printf 0 - fi +zzsize() { + local f="$1" + [ -f "$1.gz" ] && f="$1.gz" + if [ -f "$f" ]; then + wc -c <"$f" | xargs + else + printf 0 + fi } -digger() -{ - # $1 - family (4|6) - # $2 - s=enable mdig stats - if [ -x "$MDIG" ]; then - local cmd - [ "$2" = "s" ] && cmd=--stats=1000 - "$MDIG" --family=$1 --threads=$MDIG_THREADS $cmd - else - local A=A - [ "$1" = "6" ] && A=AAAA - dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$' - fi +digger() { + # $1 - family (4|6) + # $2 - s=enable mdig stats + if [ -x "$MDIG" ]; then + local cmd + [ "$2" = "s" ] && cmd=--stats=1000 + "$MDIG" --family="$1" --threads="$MDIG_THREADS" $cmd + else + local A=A + [ "$1" = "6" ] && A=AAAA + dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$' + fi } -filedigger() -{ - # $1 - hostlist - # $2 - family (4|6) - >&2 echo digging $(wc -l <"$1" | xargs) ipv$2 domains : "$1" - zzcat "$1" | digger $2 s +filedigger() { + # $1 - hostlist + # $2 - family (4|6) + echo ">&2 digging $(wc -l <"$1" | xargs) ipv$2 domains : $1" + zzcat "$1" | digger "$2" s } -flush_dns_cache() -{ - echo clearing all known DNS caches +flush_dns_cache() { + echo clearing all known DNS caches - if exists killall; then - killall -HUP dnsmasq 2>/dev/null - # MacOS - killall -HUP mDNSResponder 2>/dev/null - elif exists pkill; then - pkill -HUP ^dnsmasq$ - else - echo no mass killer available ! cant flush dnsmasq - fi - - if exists rndc; then - rndc flush - fi + if exists killall; then + killall -HUP dnsmasq 2>/dev/null + # macOS + killall -HUP mDNSResponder 2>/dev/null + elif exists pkill; then + pkill -HUP ^dnsmasq$ + else + echo no mass killer available ! 
cant flush dnsmasq + fi - if exists systemd-resolve; then - systemd-resolve --flush-caches - fi + if exists rndc; then + rndc flush + fi + + if exists systemd-resolve; then + systemd-resolve --flush-caches + fi } -dnstest() -{ - local ip="$(echo w3.org | digger 46)" - [ -n "$ip" ] +dnstest() { + local ip + ip="$(echo w3.org | digger 46)" + [ -n "$ip" ] } -dnstest_with_cache_clear() -{ - flush_dns_cache - if dnstest ; then +dnstest_with_cache_clear() { + flush_dns_cache + if dnstest; then echo DNS is working return 0 - else + else echo "! DNS is not working" return 1 - fi + fi } - -cut_local() -{ +cut_local() { $GREP -vE '^192\.168\.|^127\.|^10\.' } -cut_local6() -{ +cut_local6() { $GREP -vE '^::|^fc..:|^fd..:|^fe8.:|^fe9.:|^fea.:|^feb.:|^FC..:|^FD..:|^FE8.:|^FE9.:|^FEA.:|^FEB.:' } -oom_adjust_high() -{ - [ -f /proc/$$/oom_score_adj ] && { - echo setting high oom kill priority - echo -n 100 >/proc/$$/oom_score_adj - } +oom_adjust_high() { + [ -f /proc/$$/oom_score_adj ] && { + echo setting high oom kill priority + echo -n 100 >/proc/$$/oom_score_adj + } } -getexclude() -{ - oom_adjust_high - dnstest_with_cache_clear || return - [ -f "$ZUSERLIST_EXCLUDE" ] && { - [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u > "$ZIPLIST_EXCLUDE" - [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u > "$ZIPLIST_EXCLUDE6" - } - return 0 +getexclude() { + oom_adjust_high + dnstest_with_cache_clear || return + [ -f "$ZUSERLIST_EXCLUDE" ] && { + [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u >"$ZIPLIST_EXCLUDE" + [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u >"$ZIPLIST_EXCLUDE6" + } + return 0 } -_get_ipban() -{ - [ -f "$ZUSERLIST_IPBAN" ] && { - [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u > "$ZIPLIST_USER_IPBAN" - [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u > "$ZIPLIST_USER_IPBAN6" - } +_get_ipban() { + [ 
-f "$ZUSERLIST_IPBAN" ] && { + [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u >"$ZIPLIST_USER_IPBAN" + [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u >"$ZIPLIST_USER_IPBAN6" + } } -getuser() -{ - getexclude || return - [ -f "$ZUSERLIST" ] && { - [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u > "$ZIPLIST_USER" - [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u > "$ZIPLIST_USER6" - } - _get_ipban - return 0 +getuser() { + getexclude || return + [ -f "$ZUSERLIST" ] && { + [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u >"$ZIPLIST_USER" + [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u >"$ZIPLIST_USER6" + } + _get_ipban + return 0 } -getipban() -{ - getexclude || return - _get_ipban - return 0 +getipban() { + getexclude || return + _get_ipban + return 0 } -hup_zapret_daemons() -{ - echo forcing zapret daemons to reload their hostlist - if exists killall; then - killall -HUP tpws nfqws dvtws 2>/dev/null - elif exists pkill; then - pkill -HUP ^tpws$ ^nfqws$ ^dvtws$ - else - echo no mass killer available ! cant HUP zapret daemons - fi +hup_zapret_daemons() { + echo forcing zapret daemons to reload their hostlist + if exists killall; then + killall -HUP tpws nfqws dvtws 2>/dev/null + elif exists pkill; then + pkill -HUP ^tpws$ ^nfqws$ ^dvtws$ + else + echo no mass killer available ! cant HUP zapret daemons + fi } - diff --git a/ipset/get_antifilter_allyouneed.sh b/ipset/get_antifilter_allyouneed.sh index a5b3d22..d09be88 100755 --- a/ipset/get_antifilter_allyouneed.sh +++ b/ipset/get_antifilter_allyouneed.sh 
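Review bot: `filedigger` on the new side turns the stderr redirect into text: `echo ">&2 digging … : $1"` prints the literal string `>&2 digging N ipv4 domains : file` on stdout, and because `filedigger` is consumed by the `| cut_local | sort -u >"$ZIPLIST_USER"` pipelines in `getexclude`, `_get_ipban` and `getuser`, that line lands inside the generated IP list files. It should read `echo "digging $(wc -l <"$1" | xargs) ipv$2 domains : $1" >&2`. Separately, `ip2net4`/`ip2net6` now pass `"$IP2NET_OPT4"`/`"$IP2NET_OPT6"` quoted, whereas the old unquoted form relied on word-splitting so that an unset variable contributed no argument and several flags arrived separately; as written, an empty config value hands ip2net a bare `""` argument. Either keep them unquoted with a `# shellcheck disable=SC2086 -- option list, split on purpose` comment, or use `${IP2NET_OPT4:+"$IP2NET_OPT4"}` if the config is only ever expected to hold a single option.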
@@ -1,13 +1,16 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" getuser && { - . "$IPSET_DIR/antifilter.helper" - get_antifilter https://antifilter.download/list/allyouneed.lst "$ZIPLIST" + . "$IPSET_DIR/antifilter.helper" + get_antifilter https://antifilter.download/list/allyouneed.lst "$ZIPLIST" } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_antifilter_ip.sh b/ipset/get_antifilter_ip.sh index e2cd085..654deeb 100755 --- a/ipset/get_antifilter_ip.sh +++ b/ipset/get_antifilter_ip.sh @@ -1,13 +1,16 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" getuser && { - . "$IPSET_DIR/antifilter.helper" - get_antifilter https://antifilter.download/list/ip.lst "$ZIPLIST" + . "$IPSET_DIR/antifilter.helper" + get_antifilter https://antifilter.download/list/ip.lst "$ZIPLIST" } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_antifilter_ipresolve.sh b/ipset/get_antifilter_ipresolve.sh index de08e28..f21505b 100755 --- a/ipset/get_antifilter_ipresolve.sh +++ b/ipset/get_antifilter_ipresolve.sh @@ -1,13 +1,16 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" getuser && { - . "$IPSET_DIR/antifilter.helper" - get_antifilter https://antifilter.download/list/ipresolve.lst "$ZIPLIST" + . "$IPSET_DIR/antifilter.helper" + get_antifilter https://antifilter.download/list/ipresolve.lst "$ZIPLIST" } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_antifilter_ipsmart.sh b/ipset/get_antifilter_ipsmart.sh index 9f0d671..59b8c74 100755 --- a/ipset/get_antifilter_ipsmart.sh +++ b/ipset/get_antifilter_ipsmart.sh 
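Review bot: get_antifilter_allyouneed.sh's new `IPSET_DIR="$( cd "$IPSET_DIR"; pwd )"` omits the `|| exit` that the same commit adds in def.sh and the get_reestr_*.sh scripts, so on a failed `cd` the `pwd` fallback silently makes IPSET_DIR the caller's current directory and `. "$IPSET_DIR/def.sh"` sources from there. Since `exit` inside `$( )` would only leave the subshell anyway, the robust form is `IPSET_DIR="$(cd "$IPSET_DIR" && pwd)" || exit`. The same shape appears in get_antifilter_ip.sh and get_antifilter_ipresolve.sh on this page.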
@@ -1,13 +1,16 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" getuser && { - . "$IPSET_DIR/antifilter.helper" - get_antifilter https://antifilter.network/download/ipsmart.lst "$ZIPLIST" + . "$IPSET_DIR/antifilter.helper" + get_antifilter https://antifilter.network/download/ipsmart.lst "$ZIPLIST" } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_antifilter_ipsum.sh b/ipset/get_antifilter_ipsum.sh index ccf1c8f..d9434e0 100755 --- a/ipset/get_antifilter_ipsum.sh +++ b/ipset/get_antifilter_ipsum.sh @@ -1,13 +1,16 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" getuser && { - . "$IPSET_DIR/antifilter.helper" - get_antifilter https://antifilter.download/list/ipsum.lst "$ZIPLIST" + . "$IPSET_DIR/antifilter.helper" + get_antifilter https://antifilter.download/list/ipsum.lst "$ZIPLIST" } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_antizapret_domains.sh b/ipset/get_antizapret_domains.sh index 93848ac..9bf7526 100755 --- a/ipset/get_antizapret_domains.sh +++ b/ipset/get_antizapret_domains.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" @@ -14,17 +17,16 @@ getipban || FAIL=1 ZURL=https://antizapret.prostovpn.org:8443/domains-export.txt ZDOM="$TMPDIR/zapret.txt" - curl -H "Accept-Encoding: gzip" -k --fail --max-time 600 --connect-timeout 5 --retry 3 --max-filesize 251658240 "$ZURL" | gunzip - >"$ZDOM" || -{ - echo domain list download failed - exit 2 -} + { + echo domain list download failed + exit 2 + } dlsize=$(LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ') -if test $dlsize -lt 102400; then - echo list file is too small. can be bad. - exit 2 +if test "$dlsize" -lt 102400; then + echo list file is too small. can be bad. + exit 2 fi sort -u "$ZDOM" | zz "$ZHOSTLIST" 
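Review bot: The download in get_antizapret_domains.sh still runs `curl … -k …`, i.e. with TLS certificate verification disabled, for the domain list that `zz "$ZHOSTLIST"` then hands to the filtering daemons; the re-indent in this hunk leaves that in place, and it means any on-path party can substitute the list. A smaller point: `/bin/sh` has no `pipefail`, so the `||` after `gunzip - >"$ZDOM"` only sees gunzip's status and a failed curl is reported as `domain list download failed` only if gunzip also fails — the `-lt 102400` size check below is what actually catches an empty download. Suggest dropping `-k` (or pinning the issuer with `--cacert`), and if `-k` is a deliberate workaround for the host's certificate, a one-line comment saying so.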
diff --git a/ipset/get_config.sh b/ipset/get_config.sh index f751f18..d45e47d 100755 --- a/ipset/get_config.sh +++ b/ipset/get_config.sh @@ -2,7 +2,10 @@ # run script specified in config IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/../config" diff --git a/ipset/get_exclude.sh b/ipset/get_exclude.sh index adaf8d6..e0b18c9 100755 --- a/ipset/get_exclude.sh +++ b/ipset/get_exclude.sh @@ -2,7 +2,10 @@ # resolve user host list IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" diff --git a/ipset/get_ipban.sh b/ipset/get_ipban.sh index 2bda981..ca37bf4 100755 --- a/ipset/get_ipban.sh +++ b/ipset/get_ipban.sh @@ -2,7 +2,10 @@ # resolve only ipban user host list IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" diff --git a/ipset/get_reestr_hostlist.sh b/ipset/get_reestr_hostlist.sh index 6691268..4627bcf 100755 --- a/ipset/get_reestr_hostlist.sh +++ b/ipset/get_reestr_hostlist.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd +)" . "$IPSET_DIR/def.sh" 
@@ -9,44 +12,40 @@ ZREESTR="$TMPDIR/zapret.txt" IPB="$TMPDIR/ipb.txt" ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv -dl_checked() -{ +dl_checked() { # $1 - url # $2 - file # $3 - minsize # $4 - maxsize # $5 - maxtime - curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" || - { - echo list download failed : $1 - return 2 - } + curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" || + { + echo list download failed : "$1" + return 2 + } dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ') - if test $dlsize -lt $3; then - echo list is too small : $dlsize bytes. can be bad. - return 2 + if test "$dlsize" -lt "$3"; then + echo list is too small : "$dlsize" bytes. can be bad. + return 2 fi return 0 } -reestr_list() -{ - LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }' +reestr_list() { + LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK "{ print tolower($0) }" } -reestr_extract_ip() -{ - LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}' +reestr_extract_ip() { + LANG=C nice -n 5 "$AWK" -F ";" "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}" } -ipban_fin() -{ - getipban - "$IPSET_DIR/create_ipset.sh" +ipban_fin() { + getipban + "$IPSET_DIR/create_ipset.sh" } dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || { - ipban_fin - exit 2 + ipban_fin + exit 2 } reestr_list | sort -u | zz "$ZHOSTLIST" diff --git a/ipset/get_reestr_preresolved.sh b/ipset/get_reestr_preresolved.sh index 6e530e7..cd87ba4 100755 
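Review bot: `reestr_list` and `reestr_extract_ip` on the new side switch the awk programs from single to double quotes, which hands them to the shell first: in `$AWK "{ print tolower($0) }"` the `$0` becomes the script's own path, and in `reestr_extract_ip` the `$1`/`$2`/`$3` field references become the (empty) positional parameters while the inner `""` close and reopen the string, so awk never receives the intended program and `reestr_list | sort -u | zz "$ZHOSTLIST"` is fed by a failing awk (an empty or partial host list). Both lines should go back to single quotes around the program text, e.g. `… | $AWK '{ print tolower($0) }'` and `"$AWK" -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'`. Quoting the command itself as `"$AWK"` is fine and can stay.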
--- a/ipset/get_reestr_preresolved.sh +++ b/ipset/get_reestr_preresolved.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd +)" . "$IPSET_DIR/def.sh" @@ -13,35 +16,34 @@ URL6="$BASEURL/reestr_resolved6.txt" IPB4="$BASEURL/reestr_ipban4.txt" IPB6="$BASEURL/reestr_ipban6.txt" -dl() -{ +dl() { # $1 - url # $2 - file # $3 - minsize # $4 - maxsize - curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" || - { - echo list download failed : $1 - exit 2 - } + curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" || + { + echo list download failed : "$1" + exit 2 + } dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ') - if test $dlsize -lt $3; then - echo list is too small : $dlsize bytes. can be bad. - exit 2 + if test "$dlsize" -lt "$3"; then + echo list is too small : "$dlsize" bytes. can be bad. + exit 2 fi zzcat "$TMPLIST" | zz "$2" rm -f "$TMPLIST" } getuser && { - [ "$DISABLE_IPV4" != "1" ] && { - dl "$URL4" "$ZIPLIST" 32768 4194304 - dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576 - } - [ "$DISABLE_IPV6" != "1" ] && { - dl "$URL6" "$ZIPLIST6" 8192 4194304 - dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576 - } + [ "$DISABLE_IPV4" != "1" ] && { + dl "$URL4" "$ZIPLIST" 32768 4194304 + dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576 + } + [ "$DISABLE_IPV6" != "1" ] && { + dl "$URL6" "$ZIPLIST6" 8192 4194304 + dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576 + } } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_reestr_preresolved_smart.sh b/ipset/get_reestr_preresolved_smart.sh index d31c0b3..63c2ea9 100755 --- a/ipset/get_reestr_preresolved_smart.sh +++ b/ipset/get_reestr_preresolved_smart.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd +)" . "$IPSET_DIR/def.sh" 
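Review bot: `dl()` on the new side still fetches the pre-resolved lists with `curl … -k`, i.e. without certificate verification, and writes the result straight into `$ZIPLIST`/`$ZIPLIST_IPBAN` through `zz`, from where create_ipset.sh loads them; the quoting fixes in this hunk leave that as the weakest link for data that ends up in a kernel ipset. The minsize/maxsize checks guard against truncation, not substitution. Suggest removing `-k` here (and in the sibling `dl`/`dl_checked` helpers) or pinning the CA with `--cacert`; if `-k` is a deliberate workaround for the chain served by `$BASEURL`, a comment stating that would help the next reader.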
@@ -13,35 +16,34 @@ URL6="$BASEURL/reestr_smart6.txt" IPB4="$BASEURL/reestr_ipban4.txt" IPB6="$BASEURL/reestr_ipban6.txt" -dl() -{ +dl() { # $1 - url # $2 - file # $3 - minsize # $4 - maxsize - curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" || - { - echo list download failed : $1 - exit 2 - } + curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" || + { + echo list download failed : "$1" + exit 2 + } dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ') - if test $dlsize -lt $3; then - echo list is too small : $dlsize bytes. can be bad. - exit 2 + if test "$dlsize" -lt "$3"; then + echo list is too small : "$dlsize" bytes. can be bad. + exit 2 fi zzcat "$TMPLIST" | zz "$2" rm -f "$TMPLIST" } getuser && { - [ "$DISABLE_IPV4" != "1" ] && { - dl "$URL4" "$ZIPLIST" 32768 4194304 - dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576 - } - [ "$DISABLE_IPV6" != "1" ] && { - dl "$URL6" "$ZIPLIST6" 8192 4194304 - dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576 - } + [ "$DISABLE_IPV4" != "1" ] && { + dl "$URL4" "$ZIPLIST" 32768 4194304 + dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576 + } + [ "$DISABLE_IPV6" != "1" ] && { + dl "$URL6" "$ZIPLIST6" 8192 4194304 + dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576 + } } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_reestr_resolvable_domains.sh b/ipset/get_reestr_resolvable_domains.sh index d2defdc..2fd6799 100755 --- a/ipset/get_reestr_resolvable_domains.sh +++ b/ipset/get_reestr_resolvable_domains.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd +)" . "$IPSET_DIR/def.sh" 
@@ -12,21 +15,20 @@ URL="$BASEURL/reestr_hostname_resolvable.txt" IPB4="$BASEURL/reestr_ipban4.txt" IPB6="$BASEURL/reestr_ipban6.txt" -dl() -{ +dl() { # $1 - url # $2 - file # $3 - minsize # $4 - maxsize - curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" || - { - echo list download failed : $1 - exit 2 - } + curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" || + { + echo list download failed : "$1" + exit 2 + } dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ') - if test $dlsize -lt $3; then - echo list is too small : $dlsize bytes. can be bad. - exit 2 + if test "$dlsize" -lt "$3"; then + echo list is too small : "$dlsize" bytes. can be bad. + exit 2 fi zzcat "$TMPLIST" | zz "$2" rm -f "$TMPLIST" diff --git a/ipset/get_reestr_resolve.sh b/ipset/get_reestr_resolve.sh index 924a073..ea6b688 100755 --- a/ipset/get_reestr_resolve.sh +++ b/ipset/get_reestr_resolve.sh @@ -1,7 +1,10 @@ #!/bin/sh IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" || exit + pwd +)" . "$IPSET_DIR/def.sh" 
@@ -12,72 +15,69 @@ ZIPLISTTMP="$TMPDIR/zapret-ip.txt" #ZURL=https://reestr.rublacklist.net/api/current ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv -dl_checked() -{ +dl_checked() { # $1 - url # $2 - file # $3 - minsize # $4 - maxsize # $5 - maxtime - curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" || - { - echo list download failed : $1 - return 2 - } + curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" || + { + echo list download failed : "$1" + return 2 + } dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ') - if test $dlsize -lt $3; then - echo list is too small : $dlsize bytes. can be bad. - return 2 + if test "$dlsize" -lt "$3"; then + echo list is too small : "$dlsize" bytes. can be bad. + return 2 fi return 0 } -reestr_list() -{ - LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' +reestr_list() { + LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' } -reestr_extract_ip() -{ - LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}' +reestr_extract_ip() { + LANG=C nice -n 5 "$AWK" -F ';' "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}" } getuser && { - # both disabled - [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0 + # both disabled + [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0 - dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2 - - echo preparing ipban list .. 
- - reestr_extract_ip <"$ZREESTR" >"$IPB" - [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN" - [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6" - rm -f "$IPB" + dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2 - echo preparing dig list .. - reestr_list | sort -u >"$ZDIG" + echo preparing ipban list .. - rm -f "$ZREESTR" + reestr_extract_ip <"$ZREESTR" >"$IPB" + [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN" + [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6" + rm -f "$IPB" - echo digging started. this can take long ... + echo preparing dig list .. + reestr_list | sort -u >"$ZDIG" - [ "$DISABLE_IPV4" != "1" ] && { - filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || { - rm -f "$ZDIG" - exit 1 + rm -f "$ZREESTR" + + echo digging started. this can take long ... + + [ "$DISABLE_IPV4" != "1" ] && { + filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || { + rm -f "$ZDIG" + exit 1 + } + ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST" + rm -f "$ZIPLISTTMP" } - ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST" - rm -f "$ZIPLISTTMP" - } - [ "$DISABLE_IPV6" != "1" ] && { - filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || { - rm -f "$ZDIG" - exit 1 + [ "$DISABLE_IPV6" != "1" ] && { + filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || { + rm -f "$ZDIG" + exit 1 + } + ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6" + rm -f "$ZIPLISTTMP" } - ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6" - rm -f "$ZIPLISTTMP" - } - rm -f "$ZDIG" + rm -f "$ZDIG" } "$IPSET_DIR/create_ipset.sh" diff --git a/ipset/get_user.sh b/ipset/get_user.sh index 2d98981..21e0e8b 100755 --- a/ipset/get_user.sh +++ b/ipset/get_user.sh 
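Review bot: `reestr_extract_ip` on the new side wraps the awk program in double quotes, so the shell substitutes `$1`/`$2`/`$3` with its own (empty) positional parameters and the embedded `""` pairs terminate and restart the string before awk ever sees it; `reestr_extract_ip <"$ZREESTR" >"$IPB"` below therefore produces an empty or broken `$IPB`, and both `$ZIPLIST_IPBAN` and `$ZIPLIST_IPBAN6` are generated from it. Restore single quotes around the two programs: `LANG=C nice -n 5 "$AWK" -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'`. The `$AWK '/^…/'` filters further down in the same hunk kept their single quotes and are fine.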
@@ -2,7 +2,10 @@ # resolve user host list IPSET_DIR="$(dirname "$0")" -IPSET_DIR="$(cd "$IPSET_DIR"; pwd)" +IPSET_DIR="$( + cd "$IPSET_DIR" + pwd +)" . "$IPSET_DIR/def.sh" diff --git a/uninstall_easy.sh b/uninstall_easy.sh index 781c8d5..f4677f0 100755 --- a/uninstall_easy.sh +++ b/uninstall_easy.sh @@ -3,7 +3,10 @@ # automated script for easy uninstalling zapret EXEDIR="$(dirname "$0")" -EXEDIR="$(cd "$EXEDIR"; pwd)" +EXEDIR="$( + cd "$EXEDIR" + pwd +)" ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"} ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"} ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} @@ -26,8 +29,7 @@ IPSET_DIR="$ZAPRET_BASE/ipset" . "$ZAPRET_BASE/common/pf.sh" . "$ZAPRET_BASE/common/installer.sh" -remove_systemd() -{ +remove_systemd() { clear_ipset service_stop_systemd service_remove_systemd @@ -36,23 +38,21 @@ remove_systemd() crontab_del } -remove_openrc() -{ +remove_openrc() { clear_ipset service_remove_openrc nft_del_table crontab_del } -remove_linux() -{ +remove_linux() { INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret" clear_ipset echo \* executing sysv init stop "$INIT_SCRIPT_SRC" stop - + nft_del_table crontab_del @@ -61,8 +61,7 @@ remove_linux() echo 'you must manually remove zapret auto start from your system' } -remove_openwrt() -{ +remove_openwrt() { OPENWRT_FW_INCLUDE=/etc/firewall.zapret clear_ipset @@ -74,14 +73,12 @@ remove_openwrt() crontab_del } -remove_macos() -{ +remove_macos() { remove_macos_firewall service_remove_macos crontab_del } - fix_sbin_path check_system require_root @@ -89,22 +86,21 @@ require_root [ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions" case $SYSTEM in - systemd) - remove_systemd - ;; - openrc) - remove_openrc - ;; - linux) - remove_linux - ;; - openwrt) - remove_openwrt - ;; - macos) - remove_macos - ;; +systemd) + remove_systemd + ;; +openrc) + remove_openrc + ;; +linux) + remove_linux + ;; +openwrt) + remove_openwrt + ;; +macos) + remove_macos + ;; esac - exitp 0
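Review bot: uninstall_easy.sh's new `EXEDIR="$( cd "$EXEDIR"; pwd )"` has no `|| exit`, unlike the same edit in def.sh and the get_reestr_*.sh scripts in this commit, so if the `cd` fails the script continues with EXEDIR set to the caller's working directory, ZAPRET_BASE defaults to it on the next line, and `. "$ZAPRET_BASE/common/pf.sh"` / `installer.sh` are sourced from there — as root, given the `require_root` later in the file. Suggest `EXEDIR="$(cd "$EXEDIR" && pwd)" || exit` so a bad directory stops the uninstaller instead of letting it source whatever `common/*.sh` exists under the current directory. The same form appears in get_user.sh on this page.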