shellcheck linting and formatting shell scripts

This commit is contained in:
conc3rned 2024-09-17 16:18:29 +03:00
parent c1db09b19e
commit a13e4e064f
58 changed files with 2759 additions and 3296 deletions



@ -1,42 +1,36 @@
which()
{
which() {
# on some systems 'which' command is considered deprecated and not installed by default
# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
# $1 - executable name
local IFS=:
for p in $PATH; do
[ -x "$p/$1" ] && {
echo "$p/$1"
return 0
}
[ -x "$p/$1" ] && {
echo "$p/$1"
return 0
}
done
return 1
}
exists()
{
exists() {
which "$1" >/dev/null 2>/dev/null
}
existf()
{
existf() {
type "$1" >/dev/null 2>/dev/null
}
whichq()
{
which $1 2>/dev/null
whichq() {
which "$1" 2>/dev/null
}
exist_all()
{
exist_all() {
while [ -n "$1" ]; do
exists "$1" || return 1
shift
done
return 0
}
on_off_function()
{
# $1 : function name on
# $2 : function name off
# $3 : 0 - off, 1 - on
on_off_function() {
# $1: function name on
# $2: function name off
# $3: 0 - off, 1 - on
local F="$1"
[ "$3" = "1" ] || F="$2"
shift
@ -44,24 +38,21 @@ on_off_function()
shift
"$F" "$@"
}
contains()
{
contains() {
# check if substring $2 contains in $1
[ "${1#*$2}" != "$1" ]
}
starts_with()
{
# $1 : what
# $2 : starts with
starts_with() {
# $1: what
# $2: starts with
case "$1" in
"$2"*)
return 0
;;
"$2"*)
return 0
;;
esac
return 1
}
find_str_in_list()
{
find_str_in_list() {
[ -n "$1" ] && {
for v in $2; do
[ "$v" = "$1" ] && return 0
@ -69,14 +60,12 @@ find_str_in_list()
}
return 1
}
end_with_newline()
{
end_with_newline() {
local c="$(tail -c 1)"
[ "$c" = "" ]
}
append_separator_list()
{
append_separator_list() {
# $1 - var name to receive result
# $2 - separator
# $3 - quoter
@ -84,113 +73,102 @@ append_separator_list()
local _var="$1" sep="$2" quo="$3" i
eval i="\$$_var"
shift; shift; shift
shift
shift
shift
while [ -n "$1" ]; do
if [ -n "$i" ] ; then
if [ -n "$i" ]; then
i="$i$sep$quo$1$quo"
else
i="$quo$1$quo"
fi
shift
done
eval $_var="\$i"
eval "$_var"="\$i"
}
make_separator_list()
{
eval $1=''
make_separator_list() {
eval "$1"=''
append_separator_list "$@"
}
make_comma_list()
{
make_comma_list() {
# $1 - var name to receive result
# $2,$3,... - elements
local var="$1"
shift
make_separator_list $var , '' "$@"
make_separator_list "$var" , '' "$@"
}
make_quoted_comma_list()
{
make_quoted_comma_list() {
# $1 - var name to receive result
# $2,$3,... - elements
local var="$1"
shift
make_separator_list $var , '"' "$@"
make_separator_list "$var" , '"' "$@"
}
unique()
{
unique() {
local i
for i in "$@"; do echo $i; done | sort -u | xargs
for i in "$@"; do echo "$i"; done | sort -u | xargs
}
is_linked_to_busybox()
{
is_linked_to_busybox() {
local IFS F P
IFS=:
for path in $PATH; do
F=$path/$1
P="$(readlink $F)"
if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi
P="$(readlink "$F")"
if [ -z "$P" ] && [ -x "$F" ] && [ ! -L "$F" ]; then return 1; fi
[ "${P%busybox*}" != "$P" ] && return
done
}
get_dir_inode()
{
get_dir_inode() {
local dir="$1"
[ -L "$dir" ] && dir=$(readlink "$dir")
ls -id "$dir" | awk '{print $1}'
}
linux_min_version()
{
linux_min_version() {
# $1 - major ver
# $2 - minor ver
local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version)
local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version)
[ -n "$V1" -a -n "$V2" ] && [ "$V1" -gt "$1" -o "$V1" -eq "$1" -a "$V2" -ge "$2" ]
}
linux_get_subsys()
{
linux_get_subsys() {
local INIT="$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)"
[ -L "$INIT" ] && INIT=$(readlink "$INIT")
INIT="$(basename "$INIT")"
if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ] ; then
if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ]; then
SUBSYS=openwrt
elif [ -x "/bin/ndm" ] ; then
elif [ -x "/bin/ndm" ]; then
SUBSYS=keenetic
else
# generic linux
SUBSYS=
fi
}
openwrt_fw3()
{
openwrt_fw3() {
[ ! -x /sbin/fw4 -a -x /sbin/fw3 ]
}
openwrt_fw4()
{
openwrt_fw4() {
[ -x /sbin/fw4 ]
}
openwrt_fw3_integration()
{
openwrt_fw3_integration() {
[ "$FWTYPE" = iptables ] && openwrt_fw3
}
create_dev_stdin()
{
create_dev_stdin() {
[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
}
call_for_multiple_items()
{
call_for_multiple_items() {
# $1 - function to get an item
# $2 - variable name to put result into
# $3 - space separated parameters to function $1
local i item items
for i in $3; do
$1 item $i
$1 item "$i"
[ -n "$item" ] && {
if [ -n "$items" ]; then
items="$items $item"
@ -199,91 +177,85 @@ call_for_multiple_items()
fi
}
done
eval $2=\"$items\"
eval "$2"=\""$items"\"
}
fix_sbin_path()
{
fix_sbin_path() {
local IFS=':'
printf "%s\n" $PATH | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"
printf "%s\n" $PATH | grep -Fxq '/sbin' || PATH="/sbin:$PATH"
printf "%s\n" "$PATH" | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"
printf "%s\n" "$PATH" | grep -Fxq '/sbin' || PATH="/sbin:$PATH"
export PATH
}
# it can calculate floating point expr
calc()
{
awk "BEGIN { print $*}";
calc() {
awk "BEGIN { print $*}"
}
fsleep_setup()
{
[ -n "$FSLEEP" ] || {
if sleep 0.001 2>/dev/null; then
FSLEEP=1
elif busybox usleep 1 2>/dev/null; then
FSLEEP=2
else
local errtext="$(read -t 0.001 2>&1)"
if [ -z "$errtext" ]; then
FSLEEP=3
# newer openwrt has ucode with system function that supports timeout in ms
elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then
FSLEEP=4
# older openwrt may have lua and nixio lua module
elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null ; then
FSLEEP=5
fsleep_setup() {
[ -n "$FSLEEP" ] || {
if sleep 0.001 2>/dev/null; then
FSLEEP=1
elif busybox usleep 1 2>/dev/null; then
FSLEEP=2
else
FSLEEP=0
local errtext="$(read -t 0.001 2>&1)"
if [ -z "$errtext" ]; then
FSLEEP=3
# newer OpenWrt has ucode with system function that supports timeout in ms
elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then
FSLEEP=4
# older OpenWrt may have lua and nixio lua module
elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null; then
FSLEEP=5
else
FSLEEP=0
fi
fi
fi
}
}
}
msleep()
{
# $1 - milliseconds
case "$FSLEEP" in
msleep() {
# $1 - milliseconds
case "$FSLEEP" in
1)
sleep $(calc $1/1000)
sleep $(calc "$1"/1000)
;;
2)
busybox usleep $(calc $1*1000)
busybox usleep $(calc "$1"*1000)
;;
3)
read -t $(calc $1/1000)
read -t $(calc "$1"/1000)
;;
4)
ucode -e "system(['sleep','2147483647'], $1)"
;;
5)
lua -e "require 'nixio'.nanosleep($(($1/1000)),$(calc $1%1000*1000000))"
lua -e "require 'nixio'.nanosleep($(($1 / 1000)),$(calc "$1"%1000*1000000))"
;;
*)
sleep $((($1+999)/1000))
esac
*)
sleep $((($1 + 999) / 1000))
;;
esac
}
minsleep()
{
minsleep() {
msleep 100
}
replace_char()
{
replace_char() {
local a=$1
local b=$2
shift; shift
echo "$@" | tr $a $b
shift
shift
echo "$@" | tr "$a" "$b"
}
setup_md5()
{
setup_md5() {
[ -n "$MD5" ] && return
MD5=md5sum
exists $MD5 || MD5=md5
}
random()
{
random() {
# $1 - min, $2 - max
local r rs
setup_md5
@ -293,12 +265,11 @@ random()
rs="$RANDOM$RANDOM$(date)"
fi
# shells use signed int64
r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
echo $(( ($r % ($2-$1+1)) + $1 ))
r=1$(echo "$rs" | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
echo $((($r % ($2 - $1 + 1)) + $1))
}
shell_name()
{
shell_name() {
[ -n "$SHELL_NAME" ] || {
[ -n "$UNAME" ] || UNAME="$(uname)"
@ -313,12 +284,11 @@ shell_name()
}
}
std_ports()
{
HTTP_PORTS=${HTTP_PORTS:-80}
std_ports() {
HTTP_PORTS=${HTTP_PORTS:-80}
HTTPS_PORTS=${HTTPS_PORTS:-443}
QUIC_PORTS=${QUIC_PORTS:-443}
HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
HTTP_PORTS_IPT=$(replace_char - : "$HTTP_PORTS")
HTTPS_PORTS_IPT=$(replace_char - : "$HTTPS_PORTS")
QUIC_PORTS_IPT=$(replace_char - : "$QUIC_PORTS")
}
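Review bot: Quoting `"$PATH"` in `fix_sbin_path` breaks the membership test: the original relied on `local IFS=':'` splitting the unquoted `$PATH` so `printf "%s\n"` emitted one entry per line, whereas the quoted form prints the whole PATH as a single line and `grep -Fxq '/usr/sbin'` only matches when PATH is exactly `/usr/sbin`, so both prefixes are now prepended on every call and PATH accumulates duplicates. Replace the two pipelines with a pattern match that needs neither IFS nor word-splitting: `case ":$PATH:" in *:/usr/sbin:*) ;; *) PATH="/usr/sbin:$PATH" ;; esac` and `case ":$PATH:" in *:/sbin:*) ;; *) PATH="/sbin:$PATH" ;; esac`, and drop the `local IFS=':'` line. Unrelated to this commit but worth a comment since the lint pass touched them: `calc` splices its arguments into an awk program (`awk "BEGIN { print $*}"`), so it must only ever receive numeric operands, and `random` hashes `$RANDOM$RANDOM$(date)` with md5, which is fine for picking a cron minute but must not be reused for anything security-sensitive; a one-line `# not cryptographically secure` note on each would prevent misuse.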


@ -1,36 +1,32 @@
read_yes_no()
{
read_yes_no() {
# $1 - default (Y/N)
local A
read A
[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
}
ask_yes_no()
{
ask_yes_no() {
# $1 - default (Y/N or 0/1)
# $2 - text
local DEFAULT=$1
[ "$1" = "1" ] && DEFAULT=Y
[ "$1" = "0" ] && DEFAULT=N
[ -z "$DEFAULT" ] && DEFAULT=N
printf "$2 (default : $DEFAULT) (Y/N) ? "
read_yes_no $DEFAULT
printf "$2 (default: $DEFAULT) (Y/N)?"
read_yes_no "$DEFAULT"
}
ask_yes_no_var()
{
# $1 - variable name for answer : 0/1
ask_yes_no_var() {
# $1 - variable name for answer: 0/1
# $2 - text
local DEFAULT
eval DEFAULT="\$$1"
if ask_yes_no "$DEFAULT" "$2"; then
eval $1=1
eval "$1"=1
else
eval $1=0
eval "$1"=0
fi
}
ask_list()
{
ask_list() {
# $1 - mode var
# $2 - space separated value list
# $3 - (optional) default value
@ -40,19 +36,19 @@ ask_list()
local M=""
local m
[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3"; }
n=1
for m in $2; do
echo $n : $m
n=$(($n+1))
echo $n: "$m"
n=$(($n + 1))
done
printf "your choice (default : $M_DEFAULT) : "
read m
[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
[ -n "$m" ] && M=$(echo "$2" | cut -d ' ' -f"$m" 2>/dev/null)
[ -z "$M" ] && M="$M_DEFAULT"
echo selected : $M
eval $1="\"$M\""
echo selected: "$M"
eval "$1"="\"$M\""
[ "$M" != "$M_OLD" ]
}
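Review bot: `printf "$2 (default: $DEFAULT) (Y/N)?"` in `ask_yes_no` still uses the caller-supplied prompt text as the printf format string (SC2059), so any `%` or backslash sequence in the question is interpreted rather than printed, and the reformat also dropped the trailing space so user input now runs straight against the prompt. Use `printf '%s (default: %s) (Y/N)? ' "$2" "$DEFAULT"` instead. The same pass left `read A` in `read_yes_no` and `read m` in `ask_list` without `-r` (SC2162), which makes a stray backslash in the answer silently alter it; `read -r` is the intended form here since the input is a menu choice, not an escape sequence.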


@ -1,5 +1,4 @@
require_root()
{
require_root() {
local exe
echo \* checking privileges
[ $(id -u) -ne "0" ] && {


@ -1,25 +1,21 @@
linux_ipt_avail()
{
linux_ipt_avail() {
exists iptables && exists ip6tables
}
linux_maybe_iptables_fwtype()
{
linux_maybe_iptables_fwtype() {
linux_ipt_avail && FWTYPE=iptables
}
linux_nft_avail()
{
linux_nft_avail() {
exists nft
}
linux_fwtype()
{
linux_fwtype() {
[ -n "$FWTYPE" ] && return
FWTYPE=unsupported
linux_get_subsys
if [ "$SUBSYS" = openwrt ] ; then
# linux kernel is new enough if fw4 is there
if [ -x /sbin/fw4 ] && linux_nft_avail ; then
if [ "$SUBSYS" = openwrt ]; then
# Linux kernel is new enough if fw4 is there
if [ -x /sbin/fw4 ] && linux_nft_avail; then
FWTYPE=nftables
else
linux_maybe_iptables_fwtype
@ -38,26 +34,25 @@ linux_fwtype()
export FWTYPE
}
get_fwtype()
{
get_fwtype() {
[ -n "$FWTYPE" ] && return
local UNAME="$(uname)"
case "$UNAME" in
Linux)
linux_fwtype
;;
FreeBSD)
if exists ipfw ; then
FWTYPE=ipfw
else
FWTYPE=unsupported
fi
;;
*)
Linux)
linux_fwtype
;;
FreeBSD)
if exists ipfw; then
FWTYPE=ipfw
else
FWTYPE=unsupported
;;
fi
;;
*)
FWTYPE=unsupported
;;
esac
export FWTYPE


@ -6,36 +6,31 @@ SYSTEMD_DIR=/lib/systemd
INIT_SCRIPT=/etc/init.d/zapret
exitp()
{
exitp() {
echo
echo press enter to continue
read A
exit $1
exit "$1"
}
parse_var_checked()
{
parse_var_checked() {
# $1 - file name
# $2 - var name
local sed="sed -nre s/^[[:space:]]*$2=[\\\"|\']?([^\\\"|\']*)[\\\"|\']?/\1/p"
local v="$($sed <"$1" | tail -n 1)"
eval $2=\"$v\"
eval "$2"=\""$v"\"
}
parse_vars_checked()
{
parse_vars_checked() {
# $1 - file name
# $2,$3,... - var names
local f="$1"
shift
while [ -n "$1" ]; do
parse_var_checked "$f" $1
parse_var_checked "$f" "$1"
shift
done
}
edit_file()
{
edit_file() {
# $1 - file name
local ed="$EDITOR"
[ -n "$ed" ] || {
@ -48,8 +43,7 @@ edit_file()
}
[ -n "$ed" ] && "$ed" "$1"
}
edit_vars()
{
edit_vars() {
# $1,$2,... - var names
local n=1 var v tmp="/tmp/zvars"
rm -f "$tmp"
@ -57,21 +51,19 @@ edit_vars()
eval var="\$$n"
[ -n "$var" ] || break
eval v="\$$var"
echo $var=\"$v\" >>"$tmp"
n=$(($n+1))
echo "$var"=\""$v"\" >>"$tmp"
n=$(($n + 1))
done
edit_file "$tmp" && parse_vars_checked "$tmp" "$@"
rm -f "$tmp"
}
openrc_test()
{
openrc_test() {
exists rc-update || return 1
# some systems do not usse openrc-init but launch openrc from inittab
[ "$INIT" = "openrc-init" ] || grep -qE "sysinit.*openrc" /etc/inittab 2>/dev/null
}
check_system()
{
check_system() {
# $1 - nonempty = do not fail on unknown rc system
echo \* checking system
@ -93,21 +85,21 @@ check_system()
# some distros include systemctl without systemd
if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then
SYSTEM=systemd
elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then
{
SYSTEM=openwrt
if openwrt_fw3 ; then
OPENWRT_FW3=1
info="openwrt firewall uses fw3"
if is_ipt_flow_offload_avail; then
info="$info. hardware flow offloading requires iptables."
else
info="$info. flow offloading unavailable."
elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ]; then
{
SYSTEM=openwrt
if openwrt_fw3; then
OPENWRT_FW3=1
info="openwrt firewall uses fw3"
if is_ipt_flow_offload_avail; then
info="$info. hardware flow offloading requires iptables."
else
info="$info. flow offloading unavailable."
fi
elif openwrt_fw4; then
info="openwrt firewall uses fw4. flow offloading requires nftables."
fi
elif openwrt_fw4; then
info="openwrt firewall uses fw4. flow offloading requires nftables."
fi
}
}
elif openrc_test; then
SYSTEM=openrc
else
@ -115,9 +107,9 @@ check_system()
echo easy installer can set up config settings but can\'t configure auto start
echo you have to do it manually. check readme.txt for manual setup info.
if [ -n "$1" ] || ask_yes_no N "do you want to continue"; then
SYSTEM=linux
SYSTEM=linux
else
exitp 5
exitp 5
fi
fi
linux_get_subsys
@ -128,25 +120,21 @@ check_system()
exitp 5
fi
echo system is based on $SYSTEM
[ -n "$info" ] && echo $info
[ -n "$info" ] && echo "$info"
}
get_free_space_mb()
{
df -m $PWD | awk '/[0-9]%/{print $(NF-2)}'
get_free_space_mb() {
df -m "$PWD" | awk '/[0-9]%/{print $(NF-2)}'
}
get_ram_kb()
{
grep MemTotal /proc/meminfo | awk '{print $2}'
get_ram_kb() {
grep MemTotal /proc/meminfo | awk '{print $2}'
}
get_ram_mb()
{
local R=$(get_ram_kb)
echo $(($R/1024))
get_ram_mb() {
local R=$(get_ram_kb)
echo $(($R / 1024))
}
crontab_del()
{
crontab_del() {
exists crontab || return
echo \* removing crontab entry
@ -162,8 +150,7 @@ crontab_del()
fi
rm -f $CRONTMP
}
crontab_del_quiet()
{
crontab_del_quiet() {
exists crontab || return
CRONTMP=/tmp/cron.tmp
@ -175,11 +162,10 @@ crontab_del_quiet()
fi
rm -f $CRONTMP
}
crontab_add()
{
crontab_add() {
# $1 - hour min
# $2 - hour max
[ -x "$GET_LIST" ] && {
[ -x "$GET_LIST" ] && {
echo \* adding crontab entry
if exists crontab; then
@ -190,7 +176,7 @@ crontab_add()
grep "$GET_LIST_PREFIX" $CRONTMP
else
end_with_newline <"$CRONTMP" || echo >>"$CRONTMP"
echo "$(random 0 59) $(random $1 $2) */2 * * $GET_LIST" >>$CRONTMP
echo "$(random 0 59) $(random "$1" "$2") */2 * * $GET_LIST" >>$CRONTMP
crontab $CRONTMP
fi
rm -f $CRONTMP
@ -199,18 +185,15 @@ crontab_add()
fi
}
}
cron_ensure_running()
{
# if no crontabs present in /etc/cron openwrt init script does not launch crond. this is default
cron_ensure_running() {
# if no crontabs present in /etc/cron OpenWrt init script does not launch crond. this is default
[ "$SYSTEM" = "openwrt" ] && {
/etc/init.d/cron enable
/etc/init.d/cron start
}
}
service_start_systemd()
{
service_start_systemd() {
echo \* starting zapret service
"$SYSTEMCTL" start zapret || {
@ -218,23 +201,20 @@ service_start_systemd()
exitp 30
}
}
service_stop_systemd()
{
service_stop_systemd() {
echo \* stopping zapret service
"$SYSTEMCTL" daemon-reload
"$SYSTEMCTL" disable zapret
"$SYSTEMCTL" stop zapret
}
service_remove_systemd()
{
service_remove_systemd() {
echo \* removing zapret service
rm -f "$SYSTEMD_SYSTEM_DIR/zapret.service"
"$SYSTEMCTL" daemon-reload
}
timer_remove_systemd()
{
timer_remove_systemd() {
echo \* removing zapret-list-update timer
"$SYSTEMCTL" daemon-reload
@ -244,8 +224,7 @@ timer_remove_systemd()
"$SYSTEMCTL" daemon-reload
}
install_sysv_init()
{
install_sysv_init() {
# $1 - "0"=disable
echo \* installing init script
@ -256,8 +235,7 @@ install_sysv_init()
ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
[ "$1" != "0" ] && "$INIT_SCRIPT" enable
}
install_openrc_init()
{
install_openrc_init() {
# $1 - "0"=disable
echo \* installing init script
@ -268,8 +246,7 @@ install_openrc_init()
ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
[ "$1" != "0" ] && rc-update add zapret
}
service_remove_openrc()
{
service_remove_openrc() {
echo \* removing zapret service
[ -x "$INIT_SCRIPT" ] && {
@ -278,8 +255,7 @@ service_remove_openrc()
}
rm -f "$INIT_SCRIPT"
}
service_start_sysv()
{
service_start_sysv() {
[ -x "$INIT_SCRIPT" ] && {
echo \* starting zapret service
"$INIT_SCRIPT" start || {
@ -288,15 +264,13 @@ service_start_sysv()
}
}
}
service_stop_sysv()
{
service_stop_sysv() {
[ -x "$INIT_SCRIPT" ] && {
echo \* stopping zapret service
"$INIT_SCRIPT" stop
}
}
service_remove_sysv()
{
service_remove_sysv() {
echo \* removing zapret service
[ -x "$INIT_SCRIPT" ] && {
@ -306,104 +280,91 @@ service_remove_sysv()
rm -f "$INIT_SCRIPT"
}
check_kmod()
{
check_kmod() {
[ -f "/lib/modules/$(uname -r)/$1.ko" ]
}
check_package_exists_openwrt()
{
[ -n "$(opkg list $1)" ]
check_package_exists_openwrt() {
[ -n "$(opkg list "$1")" ]
}
check_package_openwrt()
{
[ -n "$(opkg list-installed $1)" ] && return 0
local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)"
check_package_openwrt() {
[ -n "$(opkg list-installed "$1")" ] && return 0
local what="$(opkg whatprovides "$1" | tail -n +2 | head -n 1)"
[ -n "$what" ] || return 1
[ -n "$(opkg list-installed $what)" ]
[ -n "$(opkg list-installed "$what")" ]
}
check_packages_openwrt()
{
check_packages_openwrt() {
for pkg in $@; do
check_package_openwrt $pkg || return
check_package_openwrt "$pkg" || return
done
}
install_openwrt_iface_hook()
{
install_openwrt_iface_hook() {
echo \* installing ifup hook
ln -fs "$OPENWRT_IFACE_HOOK" /etc/hotplug.d/iface
}
remove_openwrt_iface_hook()
{
remove_openwrt_iface_hook() {
echo \* removing ifup hook
rm -f /etc/hotplug.d/iface/??-zapret
}
openwrt_fw_section_find()
{
openwrt_fw_section_find() {
# $1 - fw include postfix
# echoes section number
i=0
while true
do
while true; do
path=$(uci -q get firewall.@include[$i].path)
[ -n "$path" ] || break
[ "$path" = "$OPENWRT_FW_INCLUDE$1" ] && {
echo $i
return 0
echo $i
return 0
}
i=$(($i+1))
i=$(($i + 1))
done
return 1
}
openwrt_fw_section_del()
{
openwrt_fw_section_del() {
# $1 - fw include postfix
local id="$(openwrt_fw_section_find $1)"
local id="$(openwrt_fw_section_find "$1")"
[ -n "$id" ] && {
uci delete firewall.@include[$id] && uci commit firewall
uci delete firewall.@include["$id"] && uci commit firewall
rm -f "$OPENWRT_FW_INCLUDE$1"
}
}
openwrt_fw_section_add()
{
openwrt_fw_section_add() {
openwrt_fw_section_find ||
{
uci add firewall include >/dev/null || return
echo -1
}
{
uci add firewall include >/dev/null || return
echo -1
}
}
openwrt_fw_section_configure()
{
local id="$(openwrt_fw_section_add $1)"
openwrt_fw_section_configure() {
local id="$(openwrt_fw_section_add "$1")"
[ -z "$id" ] ||
! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE" ||
! uci set firewall.@include[$id].reload="1" ||
! uci commit firewall &&
{
echo could not add firewall include
exitp 50
}
! uci set firewall.@include["$id"].path="$OPENWRT_FW_INCLUDE" ||
! uci set firewall.@include["$id"].reload="1" ||
! uci commit firewall &&
{
echo could not add firewall include
exitp 50
}
}
install_openwrt_firewall()
{
echo \* installing firewall script $1
install_openwrt_firewall() {
echo \* installing firewall script "$1"
[ -n "MODE" ] || {
echo should specify MODE in $ZAPRET_CONFIG
echo should specify MODE in "$ZAPRET_CONFIG"
exitp 7
}
echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
echo "linking: $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE"
openwrt_fw_section_configure $1
openwrt_fw_section_configure "$1"
}
restart_openwrt_firewall()
{
restart_openwrt_firewall() {
echo \* restarting firewall
local FW=fw4
@ -413,8 +374,7 @@ restart_openwrt_firewall()
exitp 30
}
}
remove_openwrt_firewall()
{
remove_openwrt_firewall() {
echo \* removing firewall script
openwrt_fw_section_del
@ -422,43 +382,36 @@ remove_openwrt_firewall()
openwrt_fw_section_del 6
}
clear_ipset()
{
clear_ipset() {
echo "* clearing ipset(s)"
# free some RAM
"$IPSET_DIR/create_ipset.sh" clear
}
service_install_macos()
{
service_install_macos() {
echo \* installing zapret service
ln -fs "$ZAPRET_BASE/init.d/macos/zapret.plist" /Library/LaunchDaemons
}
service_start_macos()
{
service_start_macos() {
echo \* starting zapret service
"$INIT_SCRIPT_SRC" start
}
service_stop_macos()
{
service_stop_macos() {
echo \* stopping zapret service
"$INIT_SCRIPT_SRC" stop
}
service_remove_macos()
{
service_remove_macos() {
echo \* removing zapret service
rm -f /Library/LaunchDaemons/zapret.plist
zapret_stop_daemons
}
remove_macos_firewall()
{
remove_macos_firewall() {
echo \* removing zapret PF hooks
pf_anchors_clear
@ -467,9 +420,8 @@ remove_macos_firewall()
pf_anchor_root_reload
}
sedi()
{
# MacOS doesnt support -i without parameter. busybox doesnt support -i with parameter.
sedi() {
# macOS doesnt support -i without parameter. busybox doesnt support -i with parameter.
# its not possible to put "sed -i ''" to a variable and then use it
if [ "$SYSTEM" = "macos" ]; then
sed -i '' "$@"
@ -478,8 +430,7 @@ sedi()
fi
}
write_config_var()
{
write_config_var() {
# $1 - mode var
local M
eval M="\$$1"
@ -487,7 +438,7 @@ write_config_var()
if grep -q "^$1=\|^#$1=" "$ZAPRET_CONFIG"; then
# replace / => \/
#M=${M//\//\\\/}
M=$(echo $M | sed 's/\//\\\//g')
M=$(echo "$M" | sed 's/\//\\\//g')
if [ -n "$M" ]; then
if contains "$M" " "; then
sedi -Ee "s/^#?$1=.*$/$1=\"$M\"/" "$ZAPRET_CONFIG"
@ -508,37 +459,36 @@ write_config_var()
fi
}
check_prerequisites_linux()
{
check_prerequisites_linux() {
echo \* checking prerequisites
local s cmd PKGS UTILS req="curl curl"
case "$FWTYPE" in
iptables)
req="$req iptables iptables ip6tables iptables ipset ipset"
;;
nftables)
req="$req nft nftables"
;;
iptables)
req="$req iptables iptables ip6tables iptables ipset ipset"
;;
nftables)
req="$req nft nftables"
;;
esac
PKGS=$(for s in $req; do echo $s; done |
PKGS=$(for s in $req; do echo "$s"; done |
while read cmd; do
read pkg
exists $cmd || echo $pkg
exists "$cmd" || echo "$pkg"
done | sort -u | xargs)
UTILS=$(for s in $req; do echo $s; done |
UTILS=$(for s in $req; do echo "$s"; done |
while read cmd; do
read pkg
echo $cmd
echo "$cmd"
done | sort -u | xargs)
if [ -z "$PKGS" ] ; then
echo required utilities exist : $UTILS
if [ -z "$PKGS" ]; then
echo required utilities exist: "$UTILS"
else
echo \* installing prerequisites
echo packages required : $PKGS
echo packages required: "$PKGS"
APTGET=$(whichq apt-get)
YUM=$(whichq yum)
@ -546,73 +496,72 @@ check_prerequisites_linux()
ZYPPER=$(whichq zypper)
EOPKG=$(whichq eopkg)
APK=$(whichq apk)
if [ -x "$APTGET" ] ; then
if [ -x "$APTGET" ]; then
"$APTGET" update
"$APTGET" install -y --no-install-recommends $PKGS dnsutils || {
"$APTGET" install -y --no-install-recommends "$PKGS" dnsutils || {
echo could not install prerequisites
exitp 6
}
elif [ -x "$YUM" ] ; then
"$YUM" -y install $PKGS || {
elif [ -x "$YUM" ]; then
"$YUM" -y install "$PKGS" || {
echo could not install prerequisites
exitp 6
}
elif [ -x "$PACMAN" ] ; then
elif [ -x "$PACMAN" ]; then
"$PACMAN" -Syy
"$PACMAN" --noconfirm -S $PKGS || {
"$PACMAN" --noconfirm -S "$PKGS" || {
echo could not install prerequisites
exitp 6
}
elif [ -x "$ZYPPER" ] ; then
"$ZYPPER" --non-interactive install $PKGS || {
elif [ -x "$ZYPPER" ]; then
"$ZYPPER" --non-interactive install "$PKGS" || {
echo could not install prerequisites
exitp 6
}
elif [ -x "$EOPKG" ] ; then
"$EOPKG" -y install $PKGS || {
elif [ -x "$EOPKG" ]; then
"$EOPKG" -y install "$PKGS" || {
echo could not install prerequisites
exitp 6
}
elif [ -x "$APK" ] ; then
elif [ -x "$APK" ]; then
"$APK" update
# for alpine
[ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables"
"$APK" add $PKGS || {
"$APK" add "$PKGS" || {
echo could not install prerequisites
exitp 6
}
else
echo supported package manager not found
echo you must manually install : $UTILS
echo you must manually install: "$UTILS"
exitp 5
fi
fi
}
check_prerequisites_openwrt()
{
check_prerequisites_openwrt() {
echo \* checking prerequisites
local PKGS="curl" UPD=0
case "$FWTYPE" in
iptables)
PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra"
;;
nftables)
PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
;;
iptables)
PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra"
;;
nftables)
PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
;;
esac
if check_packages_openwrt $PKGS ; then
if check_packages_openwrt "$PKGS"; then
echo everything is present
else
echo \* installing prerequisites
opkg update
UPD=1
opkg install $PKGS || {
opkg install "$PKGS" || {
echo could not install prerequisites
exitp 6
}
@ -659,10 +608,7 @@ check_prerequisites_openwrt()
}
}
select_ipv6()
{
select_ipv6() {
local T=N
[ "$DISABLE_IPV6" != '1' ] && T=Y
@ -675,8 +621,7 @@ select_ipv6()
fi
[ "$old6" != "$DISABLE_IPV6" ] && write_config_var DISABLE_IPV6
}
select_fwtype()
{
select_fwtype() {
echo
[ $(get_ram_mb) -le 400 ] && {
echo WARNING ! you are running a low RAM system
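Review bot: Quoting `"$PKGS"` in `check_prerequisites_linux` and `check_prerequisites_openwrt` is a functional regression: `PKGS` is deliberately a space-separated list (built with `sort -u | xargs` and `PKGS="$PKGS ipset iptables ..."`), so `"$APTGET" install -y --no-install-recommends "$PKGS" dnsutils`, the `yum`/`pacman`/`zypper`/`eopkg`/`apk` lines and `opkg install "$PKGS"` now hand the package manager one bogus package named `curl iptables ipset` and the installer always exits 6; `check_packages_openwrt "$PKGS"` likewise makes `opkg list-installed "$pkg"` fail on the joined name, so the "everything is present" branch can never be taken. Revert those sites to an unquoted `$PKGS` with a `# shellcheck disable=SC2086 # intentional word splitting of package list` directive, or build the list with `set -- $PKGS` once and pass `"$@"`. While the file was being linted, `[ -n "MODE" ]` in `install_openwrt_firewall` is a literal string and always true (SC2157), so the "should specify MODE" guard never fires; it should read `[ -n "$MODE" ]`. The same quoted-list regression recurs where the multi-word `$rule` is passed as `"$rule"` to `ipt_add_del`/`ipt6_add_del` in the iptables helper further down, which would leave the DNAT and NFQUEUE rules uninstalled.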


@ -1,55 +1,43 @@
std_ports
readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
ipt()
{
ipt() {
iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
}
ipta()
{
ipta() {
iptables -C "$@" >/dev/null 2>/dev/null || iptables -A "$@"
}
ipt_del()
{
ipt_del() {
iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
}
ipt_add_del()
{
ipt_add_del() {
on_off_function ipt ipt_del "$@"
}
ipta_add_del()
{
ipta_add_del() {
on_off_function ipta ipt_del "$@"
}
ipt6()
{
ipt6() {
ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@"
}
ipt6a()
{
ipt6a() {
ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -A "$@"
}
ipt6_del()
{
ipt6_del() {
ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@"
}
ipt6_add_del()
{
ipt6_add_del() {
on_off_function ipt6 ipt6_del "$@"
}
ipt6a_add_del()
{
ipt6a_add_del() {
on_off_function ipt6 ipt6a_del "$@"
}
is_ipt_flow_offload_avail()
{
# $1 = '' for ipv4, '6' for ipv6
grep -q FLOWOFFLOAD 2>/dev/null /proc/net/ip$1_tables_targets
is_ipt_flow_offload_avail() {
# $1 = '' for IPv4, '6' for IPv6
grep -q FLOWOFFLOAD /proc/net/ip"$1"_tables_targets 2>/dev/null
}
filter_apply_port_target()
{
filter_apply_port_target() {
# $1 - var name of iptables filter
local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@ -61,62 +49,54 @@ filter_apply_port_target()
else
echo WARNING !!! HTTP and HTTPS are both disabled
fi
eval $1="\"\$$1 $f\""
eval "$1"="\"\$$1 $f\""
}
filter_apply_port_target_quic()
{
filter_apply_port_target_quic() {
# $1 - var name of nftables filter
local f
f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
eval $1="\"\$$1 $f\""
eval "$1"="\"\$$1 $f\""
}
filter_apply_ipset_target4()
{
filter_apply_ipset_target4() {
# $1 - var name of ipv4 iptables filter
if [ "$MODE_FILTER" = "ipset" ]; then
eval $1="\"\$$1 -m set --match-set zapret dst\""
eval "$1"="\"\$$1 -m set --match-set zapret dst\""
fi
}
filter_apply_ipset_target6()
{
filter_apply_ipset_target6() {
# $1 - var name of ipv6 iptables filter
if [ "$MODE_FILTER" = "ipset" ]; then
eval $1="\"\$$1 -m set --match-set zapret6 dst\""
eval "$1"="\"\$$1 -m set --match-set zapret6 dst\""
fi
}
filter_apply_ipset_target()
{
filter_apply_ipset_target() {
# $1 - var name of ipv4 iptables filter
# $2 - var name of ipv6 iptables filter
filter_apply_ipset_target4 $1
filter_apply_ipset_target6 $2
filter_apply_ipset_target4 "$1"
filter_apply_ipset_target6 "$2"
}
reverse_nfqws_rule_stream()
{
reverse_nfqws_rule_stream() {
sed -e 's/-o /-i /g' -e 's/--dport /--sport /g' -e 's/--dports /--sports /g' -e 's/ dst$/ src/' -e 's/ dst / src /g' -e 's/--connbytes-dir=original/--connbytes-dir=reply/g' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//g"
}
reverse_nfqws_rule()
{
reverse_nfqws_rule() {
echo "$@" | reverse_nfqws_rule_stream
}
prepare_tpws_fw4()
{
# otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
prepare_tpws_fw4() {
# otherwise Linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
# NOTE: kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
[ "$DISABLE_IPV4" = "1" ] || {
iptables -N input_rule_zapret 2>/dev/null
ipt input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN
ipt input_rule_zapret -d "$TPWS_LOCALHOST4" -j RETURN
ipta input_rule_zapret -d 127.0.0.0/8 -j DROP
ipt INPUT ! -i lo -j input_rule_zapret
prepare_route_localnet
}
}
unprepare_tpws_fw4()
{
unprepare_tpws_fw4() {
[ "$DISABLE_IPV4" = "1" ] || {
unprepare_route_localnet
@ -125,14 +105,11 @@ unprepare_tpws_fw4()
iptables -X input_rule_zapret 2>/dev/null
}
}
unprepare_tpws_fw()
{
unprepare_tpws_fw() {
unprepare_tpws_fw4
}
ipt_print_op()
{
ipt_print_op() {
if [ "$1" = "1" ]; then
echo "Adding ip$4tables rule for $3 : $2"
else
@ -140,8 +117,7 @@ ipt_print_op()
fi
}
_fw_tpws4()
{
_fw_tpws4() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv4
# $3 - tpws port
@ -152,25 +128,24 @@ _fw_tpws4()
[ "$1" = 1 ] && prepare_tpws_fw4
ipt_print_op $1 "$2" "tpws (port $3)"
ipt_print_op "$1" "$2" "tpws (port $3)"
rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
for i in $4 ; do
ipt_add_del $1 PREROUTING -t nat -i $i $rule
done
for i in $4; do
ipt_add_del "$1" PREROUTING -t nat -i "$i" "$rule"
done
rule="-m owner ! --uid-owner $WS_USER $rule"
if [ -n "$5" ]; then
for i in $5; do
ipt_add_del $1 OUTPUT -t nat -o $i $rule
ipt_add_del "$1" OUTPUT -t nat -o "$i" "$rule"
done
else
ipt_add_del $1 OUTPUT -t nat $rule
ipt_add_del "$1" OUTPUT -t nat "$rule"
fi
}
}
_fw_tpws6()
{
_fw_tpws6() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv6
# $3 - tpws port
@ -180,37 +155,34 @@ _fw_tpws6()
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
local i rule DNAT6
ipt_print_op $1 "$2" "tpws (port $3)" 6
ipt_print_op "$1" "$2" "tpws (port $3)" 6
rule="$2 $IPSET_EXCLUDE6 dst"
for i in $4 ; do
_dnat6_target $i DNAT6
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
done
for i in $4; do
_dnat6_target "$i" DNAT6
[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del "$1" PREROUTING -t nat -i "$i" "$rule" -j DNAT --to ["$DNAT6"]:"$3"
done
rule="-m owner ! --uid-owner $WS_USER $rule -j DNAT --to [::1]:$3"
if [ -n "$5" ]; then
for i in $5; do
ipt6_add_del $1 OUTPUT -t nat -o $i $rule
ipt6_add_del "$1" OUTPUT -t nat -o "$i" "$rule"
done
else
ipt6_add_del $1 OUTPUT -t nat $rule
ipt6_add_del "$1" OUTPUT -t nat "$rule"
fi
}
}
fw_tpws()
{
fw_tpws() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv4
# $3 - iptable filter for ipv6
# $4 - tpws port
fw_tpws4 $1 "$2" $4
fw_tpws6 $1 "$3" $4
fw_tpws4 "$1" "$2" "$4"
fw_tpws6 "$1" "$3" "$4"
}
_fw_nfqws_post4()
{
_fw_nfqws_post4() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv4
# $3 - queue number
@ -218,20 +190,19 @@ _fw_nfqws_post4()
[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
local i
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)"
rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then
if [ -n "$4" ]; then
for i in $4; do
ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
ipt_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"
done
else
ipt_add_del $1 POSTROUTING -t mangle $rule
ipt_add_del "$1" POSTROUTING -t mangle "$rule"
fi
}
}
_fw_nfqws_post6()
{
_fw_nfqws_post6() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv6
# $3 - queue number
@ -239,30 +210,28 @@ _fw_nfqws_post6()
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
local i
ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)" 6
rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then
if [ -n "$4" ]; then
for i in $4; do
ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
ipt6_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"
done
else
ipt6_add_del $1 POSTROUTING -t mangle $rule
ipt6_add_del "$1" POSTROUTING -t mangle "$rule"
fi
}
}
fw_nfqws_post()
{
fw_nfqws_post() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv4
# $3 - iptable filter for ipv6
# $4 - queue number
fw_nfqws_post4 $1 "$2" $4
fw_nfqws_post6 $1 "$3" $4
fw_nfqws_post4 "$1" "$2" "$4"
fw_nfqws_post6 "$1" "$3" "$4"
}
_fw_nfqws_pre4()
{
_fw_nfqws_pre4() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv4
# $3 - queue number
@ -270,23 +239,22 @@ _fw_nfqws_pre4()
[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
local i
ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)"
ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)"
rule="$2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then
if [ -n "$4" ]; then
for i in $4; do
# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
ipt_add_del $1 INPUT -t mangle -i $i $rule
ipt_add_del $1 FORWARD -t mangle -i $i $rule
ipt_add_del "$1" INPUT -t mangle -i "$i" "$rule"
ipt_add_del "$1" FORWARD -t mangle -i "$i" "$rule"
done
else
ipt_add_del $1 INPUT -t mangle $rule
ipt_add_del $1 FORWARD -t mangle $rule
ipt_add_del "$1" INPUT -t mangle "$rule"
ipt_add_del "$1" FORWARD -t mangle "$rule"
fi
}
}
_fw_nfqws_pre6()
{
_fw_nfqws_pre6() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv6
# $3 - queue number
@ -294,34 +262,31 @@ _fw_nfqws_pre6()
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
local i
ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)" 6
ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)" 6
rule="$2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass"
if [ -n "$4" ] ; then
if [ -n "$4" ]; then
for i in $4; do
# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
ipt6_add_del $1 INPUT -t mangle -i $i $rule
ipt6_add_del $1 FORWARD -t mangle -i $i $rule
ipt6_add_del "$1" INPUT -t mangle -i "$i" "$rule"
ipt6_add_del "$1" FORWARD -t mangle -i "$i" "$rule"
done
else
ipt6_add_del $1 INPUT -t mangle $rule
ipt6_add_del $1 FORWARD -t mangle $rule
ipt6_add_del "$1" INPUT -t mangle "$rule"
ipt6_add_del "$1" FORWARD -t mangle "$rule"
fi
}
}
fw_nfqws_pre()
{
fw_nfqws_pre() {
# $1 - 1 - add, 0 - del
# $2 - iptable filter for ipv4
# $3 - iptable filter for ipv6
# $4 - queue number
fw_nfqws_pre4 $1 "$2" $4
fw_nfqws_pre6 $1 "$3" $4
fw_nfqws_pre4 "$1" "$2" "$4"
fw_nfqws_pre6 "$1" "$3" "$4"
}
produce_reverse_nfqws_rule()
{
produce_reverse_nfqws_rule() {
local rule="$1"
if contains "$rule" "$ipt_connbytes"; then
# autohostlist - need several incoming packets
@ -334,28 +299,23 @@ produce_reverse_nfqws_rule()
fi
echo "$rule" | reverse_nfqws_rule_stream
}
fw_reverse_nfqws_rule4()
{
fw_nfqws_pre4 $1 "$(produce_reverse_nfqws_rule "$2")" $3
fw_reverse_nfqws_rule4() {
fw_nfqws_pre4 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3"
}
fw_reverse_nfqws_rule6()
{
fw_nfqws_pre6 $1 "$(produce_reverse_nfqws_rule "$2")" $3
fw_reverse_nfqws_rule6() {
fw_nfqws_pre6 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3"
}
fw_reverse_nfqws_rule()
{
fw_reverse_nfqws_rule() {
# ensure that modes relying on incoming traffic work
# $1 - 1 - add, 0 - del
# $2 - rule4
# $3 - rule6
# $4 - queue number
fw_reverse_nfqws_rule4 $1 "$2" $4
fw_reverse_nfqws_rule6 $1 "$3" $4
fw_reverse_nfqws_rule4 "$1" "$2" "$4"
fw_reverse_nfqws_rule6 "$1" "$3" "$4"
}
zapret_do_firewall_rules_ipt()
{
zapret_do_firewall_rules_ipt() {
local mode="${MODE_OVERRIDE:-$MODE}"
local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
@ -363,87 +323,86 @@ zapret_do_firewall_rules_ipt()
local n f4 f6 qn qns qn6 qns6
case "$mode" in
tpws)
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
echo both http and https are disabled. not applying redirection.
else
filter_apply_port_target f4
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT
fi
;;
tpws)
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
echo both HTTP and HTTPS are disabled. not applying redirection.
else
filter_apply_port_target f4
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws "$1" "$f4" "$f6" "$TPPORT"
fi
;;
nfqws)
# quite complex but we need to minimize nfqws processes to save RAM
get_nfqws_qnums qn qns qn6 qns6
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
filter_apply_port_target f4
f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qn
fw_reverse_nfqws_rule4 $1 "$f4" $qn
else
if [ -n "$qn" ]; then
f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qn
fw_reverse_nfqws_rule4 $1 "$f4" $qn
fi
if [ -n "$qns" ]; then
f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qns
fw_reverse_nfqws_rule4 $1 "$f4" $qns
fi
fi
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
filter_apply_port_target f6
f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qn6
fw_reverse_nfqws_rule6 $1 "$f6" $qn6
else
if [ -n "$qn6" ]; then
f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qn6
fw_reverse_nfqws_rule6 $1 "$f6" $qn6
fi
if [ -n "$qns6" ]; then
f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qns6
fw_reverse_nfqws_rule6 $1 "$f6" $qns6
fi
fi
get_nfqws_qnums_quic qn qn6
nfqws)
# quite complex but we need to minimize nfqws processes to save RAM
get_nfqws_qnums qn qns qn6 qns6
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
filter_apply_port_target f4
f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
fw_reverse_nfqws_rule4 "$1" "$f4" "$qn"
else
if [ -n "$qn" ]; then
f4=
filter_apply_port_target_quic f4
f4="$f4 $first_packet_only"
f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qn
fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
fw_reverse_nfqws_rule4 "$1" "$f4" "$qn"
fi
if [ -n "$qns" ]; then
f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 "$1" "$f4 $desync" "$qns"
fw_reverse_nfqws_rule4 "$1" "$f4" "$qns"
fi
fi
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
filter_apply_port_target f6
f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6"
else
if [ -n "$qn6" ]; then
f6=
filter_apply_port_target_quic f6
f6="$f6 $first_packet_only"
f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qn6
fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6"
fi
;;
custom)
existf zapret_custom_firewall && zapret_custom_firewall $1
;;
if [ -n "$qns6" ]; then
f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 "$1" "$f6 $desync" "$qns6"
fw_reverse_nfqws_rule6 "$1" "$f6" "$qns6"
fi
fi
get_nfqws_qnums_quic qn qn6
if [ -n "$qn" ]; then
f4=
filter_apply_port_target_quic f4
f4="$f4 $first_packet_only"
filter_apply_ipset_target4 f4
fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
fi
if [ -n "$qn6" ]; then
f6=
filter_apply_port_target_quic f6
f6="$f6 $first_packet_only"
filter_apply_ipset_target6 f6
fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
fi
;;
custom)
existf zapret_custom_firewall && zapret_custom_firewall "$1"
;;
esac
}
zapret_do_firewall_ipt()
{
zapret_do_firewall_ipt() {
# $1 - 1 - add, 0 - del
if [ "$1" = 1 ]; then
@ -461,7 +420,7 @@ zapret_do_firewall_ipt()
zapret_do_firewall_rules_ipt "$@"
if [ "$1" = 1 ] ; then
if [ "$1" = 1 ]; then
existf flow_offloading_exempt && flow_offloading_exempt
else
existf flow_offloading_unexempt && flow_offloading_unexempt


@ -1,21 +1,19 @@
set_conntrack_liberal_mode()
{
[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=$1
set_conntrack_liberal_mode() {
[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal="$1"
}
zapret_do_firewall()
{
zapret_do_firewall() {
linux_fwtype
[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
case "$FWTYPE" in
iptables)
zapret_do_firewall_ipt "$@"
;;
nftables)
zapret_do_firewall_nft "$@"
;;
iptables)
zapret_do_firewall_ipt "$@"
;;
nftables)
zapret_do_firewall_nft "$@"
;;
esac
# russian DPI sends RST,ACK with wrong ACK.
@ -23,29 +21,26 @@ zapret_do_firewall()
# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop
# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode $1
[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"
[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
return 0
}
zapret_apply_firewall()
{
zapret_apply_firewall() {
zapret_do_firewall 1 "$@"
}
zapret_unapply_firewall()
{
zapret_unapply_firewall() {
zapret_do_firewall 0 "$@"
}
first_packets_for_mode()
{
first_packets_for_mode() {
# autohostlist and autottl modes requires incoming traffic sample
# always use conntrack packet limiter or nfqws will deal with gigabytes
local n
if [ "$MODE_FILTER" = "autohostlist" ]; then
n=$((6+${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
n=$((6 + ${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
else
n=6
fi
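Review bot: The rewritten line `[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"` still chains tests with `-a`, which is one of the constructs a shellcheck pass normally rewrites (SC2166), and the hook lines just above it do the same with `[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ]`. If the goal of the commit is a clean shellcheck run, `[ "$MODE_FILTER" = "autohostlist" ] && [ "$MODE" != tpws ] && [ "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"` is the equivalent form and introduces no bashism. The hook lines are unchanged context in this section, so they are mentioned only for consistency.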


@ -4,54 +4,48 @@
# PREROUTING - can't DNAT to ::1. can DNAT to link local of -i interface or to any global addr
# not a good idea to expose tpws to the world (bind to ::)
get_ipv6_linklocal()
{
# $1 - interface name. if empty - any interface
if exists ip ; then
local dev
[ -n "$1" ] && dev="dev $1"
ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1
else
ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1
fi
get_ipv6_linklocal() {
# $1 - interface name. if empty - any interface
if exists ip; then
local dev
[ -n "$1" ] && dev="dev $1"
ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1
else
ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1
fi
}
get_ipv6_global()
{
# $1 - interface name. if empty - any interface
if exists ip ; then
local dev
[ -n "$1" ] && dev="dev $1"
ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1
else
ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1
fi
get_ipv6_global() {
# $1 - interface name. if empty - any interface
if exists ip; then
local dev
[ -n "$1" ] && dev="dev $1"
ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1
else
ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1
fi
}
iface_is_up()
{
iface_is_up() {
# $1 - interface name
[ -f /sys/class/net/$1/operstate ] || return
[ -f /sys/class/net/"$1"/operstate ] || return
local state
read state </sys/class/net/$1/operstate
read state </sys/class/net/"$1"/operstate
[ "$state" != "down" ]
}
wait_ifup()
{
wait_ifup() {
# $1 - interface name
local ct=0
while
iface_is_up $1 && return
iface_is_up "$1" && return
[ "$ct" -ge "$IFUP_WAIT_SEC" ] && break
echo waiting for ifup of $1 for another $(($IFUP_WAIT_SEC - $ct)) seconds ...
ct=$(($ct+1))
echo waiting for ifup of "$1" for another $(($IFUP_WAIT_SEC - $ct)) seconds ...
ct=$(($ct + 1))
sleep 1
do :; done
false
}
_dnat6_target()
{
_dnat6_target() {
# $1 - interface name
# $2 - var to store target ip6
# get target ip address for DNAT. prefer link locals
@ -60,68 +54,64 @@ _dnat6_target()
# DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts)
local DNAT6_TARGET DVAR=DNAT6_TARGET_$1
DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g')
DVAR=$(echo "$DVAR" | sed 's/[^a-zA-Z0-9_]/_/g')
eval DNAT6_TARGET="\$$DVAR"
[ -n "$2" ] && eval $2=''
[ -n "$2" ] && eval "$2"=''
[ -n "$DNAT6_TARGET" ] || {
local ct=0
while
DNAT6_TARGET=$(get_ipv6_linklocal $1)
DNAT6_TARGET=$(get_ipv6_linklocal "$1")
[ -n "$DNAT6_TARGET" ] && break
[ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break
echo $1: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
ct=$(($ct+1))
echo "$1": waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
ct=$(($ct + 1))
sleep 1
do :; done
[ -n "$DNAT6_TARGET" ] || {
echo $1: no link local. getting global
DNAT6_TARGET=$(get_ipv6_global $1)
echo "$1": no link local. getting global
DNAT6_TARGET=$(get_ipv6_global "$1")
[ -n "$DNAT6_TARGET" ] || {
echo $1: could not get any address
echo "$1": could not get any address
DNAT6_TARGET=-
}
}
eval $DVAR="$DNAT6_TARGET"
eval "$DVAR"="$DNAT6_TARGET"
}
[ -n "$2" ] && eval $2="$DNAT6_TARGET"
[ -n "$2" ] && eval "$2"="$DNAT6_TARGET"
}
_set_route_localnet()
{
_set_route_localnet() {
# $1 - 1 = enable, 0 = disable
# $2,$3,... - interface names
[ "$DISABLE_IPV4" = "1" ] || {
local enable="$1"
shift
while [ -n "$1" ]; do
sysctl -q -w net.ipv4.conf.$1.route_localnet="$enable"
sysctl -q -w net.ipv4.conf."$1".route_localnet="$enable"
shift
done
}
}
prepare_route_localnet()
{
prepare_route_localnet() {
set_route_localnet 1 "$@"
}
unprepare_route_localnet()
{
unprepare_route_localnet() {
set_route_localnet 0 "$@"
}
resolve_lower_devices()
{
resolve_lower_devices() {
# $1 - bridge interface name
[ -d "/sys/class/net/$1" ] && {
find "/sys/class/net/$1" -follow -maxdepth 1 -name "lower_*" |
{
local l lower lowers
while read lower; do
lower="$(basename "$lower")"
l="${lower#lower_*}"
[ "$l" != "$lower" ] && append_separator_list lowers ' ' '' "$l"
done
printf "$lowers"
}
{
local l lower lowers
while read lower; do
lower="$(basename "$lower")"
l="${lower#lower_*}"
[ "$l" != "$lower" ] && append_separator_list lowers ' ' '' "$l"
done
printf "$lowers"
}
}
}
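Review bot: `ip addr show "$dev"` in get_ipv6_linklocal and get_ipv6_global now passes the whole of `dev="dev $1"` as one argument (or an empty argument when no interface was given, which `ip` is unlikely to accept), so `ip` no longer sees the `dev` keyword and the address lookup fails; the previous unquoted form relied on word splitting. Since this commit already uses `${3:+oifname @wanif }` elsewhere, the safe spelling here is `ip addr show ${1:+dev "$1"} | sed …` and `ifconfig ${1:+"$1"} | sed …`, which also avoids calling `ifconfig ""` in the fallback branch. The failure is quiet: _dnat6_target retries until LINKLOCAL_WAIT_SEC elapses, prints "could not get any address" and stores `-`, and _fw_tpws6 in the iptables section then skips the PREROUTING DNAT rule, so IPv6 redirection for LAN clients is simply not installed. The same over-quoting of deliberately word-split values appears in the iptables section (`ipt_add_del "$1" OUTPUT -t nat "$rule"` and its siblings hand a multi-token rule to iptables as a single argument, unless ipt_add_del re-splits it — its body is not visible here) and in the nftables section (`nft_create_or_update_flowtable '' "$ALLDEVS"` and `make_quoted_comma_list elements "$2"`, both documented as taking space-separated lists), whereas the quoted rule fragments passed to nft_add_rule are fine because nft concatenates its arguments before parsing, as the existing `"{ $2 }"` in nft_create_set already relies on. In resolve_lower_devices, `printf "$lowers"` also uses interface names as the format string; `printf '%s' "$lowers"` is the intended form.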


@ -1,5 +1,4 @@
find_hostlists()
{
find_hostlists() {
[ -n "$HOSTLIST_BASE" ] || HOSTLIST_BASE="$ZAPRET_BASE/ipset"
HOSTLIST="$HOSTLIST_BASE/zapret-hosts.txt.gz"
@ -18,8 +17,7 @@ find_hostlists()
HOSTLIST_AUTO_DEBUGLOG="$HOSTLIST_BASE/zapret-hosts-auto-debug.log"
}
filter_apply_autohostlist_target()
{
filter_apply_autohostlist_target() {
# $1 - var name of tpws or nfqws params
local parm1="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
@ -27,11 +25,10 @@ filter_apply_autohostlist_target()
local parm3 parm4
[ "$MODE" = "tpws" -o "$MODE" = "tpws-socks" ] || parm3="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
[ "$AUTOHOSTLIST_DEBUGLOG" = 1 ] && parm4="--hostlist-auto-debug=$HOSTLIST_AUTO_DEBUGLOG"
eval $1="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
eval "$1"="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
}
filter_apply_hostlist_target()
{
filter_apply_hostlist_target() {
# $1 - var name of tpws or nfqws params
[ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] || return
@ -40,8 +37,8 @@ filter_apply_hostlist_target()
find_hostlists
[ -n "$HOSTLIST" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST\""
[ -n "$HOSTLIST_USER" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST_USER\""
[ -n "$HOSTLIST_EXCLUDE" ] && eval $1="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target $1
[ -n "$HOSTLIST" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST\""
[ -n "$HOSTLIST_USER" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST_USER\""
[ -n "$HOSTLIST_EXCLUDE" ] && eval "$1"="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target "$1"
}
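Review bot: On the hostlist lines (`[ -n "$HOSTLIST" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST\""` and the two below it, plus the autohostlist line in filter_apply_autohostlist_target), quoting `"$1"` changes nothing, because the text eval re-parses is the right-hand side, where `$HOSTLIST`, `$HOSTLIST_USER`, `$HOSTLIST_EXCLUDE` and the `$parm*` values are expanded in the first pass and therefore interpreted a second time as shell code if a path contains `$`, backticks or `"`. These values derive from configuration (`HOSTLIST_BASE`, `ZAPRET_BASE`, presumably the rest of find_hostlists), so this is a config-to-shell path rather than a remote one, but a quoting pass is the natural place to close it. Deferring the expansion to eval's own pass does that without bashisms, e.g. `eval "$1=\"\$$1 --hostlist=\$HOSTLIST\""`, which eval sees as `parm="$parm --hostlist=$HOSTLIST"` and expands inside double quotes without re-parsing the value; the same escape applies to the other three lines.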


@ -5,48 +5,39 @@ readonly nft_connbytes="ct original packets"
create_dev_stdin
std_ports
nft_create_table()
{
nft add table inet $ZAPRET_NFT_TABLE
nft_create_table() {
nft add table inet "$ZAPRET_NFT_TABLE"
}
nft_del_table()
{
nft delete table inet $ZAPRET_NFT_TABLE 2>/dev/null
nft_del_table() {
nft delete table inet "$ZAPRET_NFT_TABLE" 2>/dev/null
}
nft_list_table()
{
nft -t list table inet $ZAPRET_NFT_TABLE
nft_list_table() {
nft -t list table inet "$ZAPRET_NFT_TABLE"
}
nft_create_set()
{
nft_create_set() {
# $1 - set name
# $2 - params
nft create set inet $ZAPRET_NFT_TABLE $1 "{ $2 }" 2>/dev/null
nft create set inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }" 2>/dev/null
}
nft_del_set()
{
nft_del_set() {
# $1 - set name
nft delete set inet $ZAPRET_NFT_TABLE $1
nft delete set inet "$ZAPRET_NFT_TABLE" "$1"
}
nft_flush_set()
{
nft_flush_set() {
# $1 - set name
nft flush set inet $ZAPRET_NFT_TABLE $1
nft flush set inet "$ZAPRET_NFT_TABLE" "$1"
}
nft_set_exists()
{
nft_set_exists() {
# $1 - set name
nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null
nft -t list set inet "$ZAPRET_NFT_TABLE" "$1" 2>/dev/null >/dev/null
}
nft_flush_chain()
{
nft_flush_chain() {
# $1 - chain name
nft flush chain inet $ZAPRET_NFT_TABLE $1
nft flush chain inet "$ZAPRET_NFT_TABLE" "$1"
}
nft_del_all_chains_from_table()
{
nft_del_all_chains_from_table() {
# $1 - table_name with or without family
# delete all chains with possible references to each other
@ -54,12 +45,12 @@ nft_del_all_chains_from_table()
# avoid infinite loops
local chains deleted=1 error=1
while [ -n "$deleted" -a -n "$error" ]; do
chains=$(nft -t list table $1 2>/dev/null | sed -nre "s/^[ ]*chain ([^ ]+) \{/\1/p" | xargs)
chains=$(nft -t list table "$1" 2>/dev/null | sed -nre "s/^[ ]*chain ([^ ]+) \{/\1/p" | xargs)
[ -n "$chains" ] || break
deleted=
error=
for chain in $chains; do
if nft delete chain $1 $chain 2>/dev/null; then
if nft delete chain "$1" "$chain" 2>/dev/null; then
deleted=1
else
error=1
@ -68,9 +59,8 @@ nft_del_all_chains_from_table()
done
}
nft_create_chains()
{
cat << EOF | nft -f -
nft_create_chains() {
cat <<EOF | nft -f -
add chain inet $ZAPRET_NFT_TABLE dnat_output { type nat hook output priority -101; }
flush chain inet $ZAPRET_NFT_TABLE dnat_output
add chain inet $ZAPRET_NFT_TABLE dnat_pre { type nat hook prerouting priority -101; }
@ -113,12 +103,11 @@ EOF
nft_add_rule predefrag_nfqws notrack comment \"do not track nfqws generated packets to avoid nat tampering and defragmentation\"
}
}
nft_del_chains()
{
nft_del_chains() {
# do not delete all chains because of additional user hooks
# they must be inside zapret table to use nfsets
cat << EOF | nft -f - 2>/dev/null
cat <<EOF | nft -f - 2>/dev/null
delete chain inet $ZAPRET_NFT_TABLE dnat_output
delete chain inet $ZAPRET_NFT_TABLE dnat_pre
delete chain inet $ZAPRET_NFT_TABLE forward
@ -132,15 +121,13 @@ cat << EOF | nft -f - 2>/dev/null
delete chain inet $ZAPRET_NFT_TABLE flow_offload
delete chain inet $ZAPRET_NFT_TABLE localnet_protect
EOF
# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
# delete chain inet $ZAPRET_NFT_TABLE predefrag
# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
# delete chain inet $ZAPRET_NFT_TABLE predefrag
}
nft_del_flowtable()
{
nft delete flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
nft_del_flowtable() {
nft delete flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null
}
nft_create_or_update_flowtable()
{
nft_create_or_update_flowtable() {
# $1 = flags ('offload' for hw offload)
# $2,$3,$4,... - interfaces
# can be called multiple times to add interfaces. interfaces can only be added , not removed
@ -153,117 +140,102 @@ nft_create_or_update_flowtable()
for makelist in make_quoted_comma_list make_comma_list; do
$makelist devices "$@"
[ -n "$devices" ] && devices="devices={$devices};"
nft add flowtable inet $ZAPRET_NFT_TABLE ft "{ hook ingress priority -1; $flags $devices }" && break
nft add flowtable inet "$ZAPRET_NFT_TABLE" ft "{ hook ingress priority -1; $flags $devices }" && break
done
}
nft_flush_ifsets()
{
cat << EOF | nft -f - 2>/dev/null
nft_flush_ifsets() {
cat <<EOF | nft -f - 2>/dev/null
flush set inet $ZAPRET_NFT_TABLE lanif
flush set inet $ZAPRET_NFT_TABLE wanif
flush set inet $ZAPRET_NFT_TABLE wanif6
flush map inet $ZAPRET_NFT_TABLE link_local
EOF
}
nft_flush_link_local()
{
nft flush map inet $ZAPRET_NFT_TABLE link_local 2>/dev/null
nft_flush_link_local() {
nft flush map inet "$ZAPRET_NFT_TABLE" link_local 2>/dev/null
}
nft_list_ifsets()
{
nft list set inet $ZAPRET_NFT_TABLE lanif
nft list set inet $ZAPRET_NFT_TABLE wanif
nft list set inet $ZAPRET_NFT_TABLE wanif6
nft list map inet $ZAPRET_NFT_TABLE link_local
nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
nft_list_ifsets() {
nft list set inet "$ZAPRET_NFT_TABLE" lanif
nft list set inet "$ZAPRET_NFT_TABLE" wanif
nft list set inet "$ZAPRET_NFT_TABLE" wanif6
nft list map inet "$ZAPRET_NFT_TABLE" link_local
nft list flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null
}
nft_create_firewall()
{
nft_create_firewall() {
nft_create_table
nft_del_flowtable
nft_flush_link_local
nft_create_chains
}
nft_del_firewall()
{
nft_del_firewall() {
nft_del_chains
nft_del_flowtable
nft_flush_link_local
# leave ifsets and ipsets because they may be used by custom rules
}
nft_add_rule()
{
nft_add_rule() {
# $1 - chain
# $2,$3,... - rule(s)
local chain="$1"
shift
nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
nft add rule inet "$ZAPRET_NFT_TABLE" "$chain" "$@"
}
nft_add_set_element()
{
nft_add_set_element() {
# $1 - set or map name
# $2 - element
[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
[ -z "$2" ] || nft add element inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }"
}
nft_add_set_elements()
{
nft_add_set_elements() {
# $1 - set or map name
# $2,$3,... - element(s)
local set="$1" elements
shift
make_comma_list elements "$@"
nft_add_set_element $set "$elements"
nft_add_set_element "$set" "$elements"
}
nft_reverse_nfqws_rule()
{
nft_reverse_nfqws_rule() {
echo "$@" | sed -e 's/oifname /iifname /g' -e 's/dport /sport /g' -e 's/daddr /saddr /g' -e 's/ct original /ct reply /g' -e "s/mark and $DESYNC_MARK == 0//g"
}
nft_clean_nfqws_rule()
{
nft_clean_nfqws_rule() {
echo "$@" | sed -e "s/mark and $DESYNC_MARK == 0//g" -e "s/oifname @wanif6//g" -e "s/oifname @wanif//g"
}
nft_add_nfqws_flow_exempt_rule()
{
nft_add_nfqws_flow_exempt_rule() {
# $1 - rule (must be all filters in one var)
nft_add_rule flow_offload $(nft_clean_nfqws_rule $1) return comment \"direct flow offloading exemption\"
nft_add_rule flow_offload $(nft_clean_nfqws_rule "$1") return comment \"direct flow offloading exemption\"
# do not need this because of oifname @wanif/@wanif6 filter in forward chain
#nft_add_rule flow_offload $(nft_reverse_nfqws_rule $1) return comment \"reverse flow offloading exemption\"
}
nft_add_flow_offload_exemption()
{
nft_add_flow_offload_exemption() {
# "$1" - rule for ipv4
# "$2" - rule for ipv6
# "$3" - comment
[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif $1 ip daddr != @nozapret return comment \"$3\"
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif "$1" ip daddr != @nozapret return comment \""$3"\"
[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 "$2" ip6 daddr != @nozapret6 return comment \""$3"\"
}
nft_hw_offload_supported()
{
nft_hw_offload_supported() {
# $1,$2,... - interface names
local devices res=1
make_quoted_comma_list devices "$@"
[ -n "$devices" ] && devices="devices={$devices};"
nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
nft add table "${ZAPRET_NFT_TABLE}"_test && nft add flowtable "${ZAPRET_NFT_TABLE}"_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
nft delete table "${ZAPRET_NFT_TABLE}"_test 2>/dev/null
return $res
}
nft_hw_offload_find_supported()
{
nft_hw_offload_find_supported() {
# $1,$2,... - interface names
local supported_list
while [ -n "$1" ]; do
nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
shift
done
echo $supported_list
echo "$supported_list"
}
nft_apply_flow_offloading()
{
nft_apply_flow_offloading() {
# ft can be absent
nft_add_rule flow_offload meta l4proto "{ tcp, udp }" flow add @ft 2>/dev/null && {
nft_add_rule flow_offload meta l4proto "{ tcp, udp }" counter comment \"if offload works here must not be too much traffic\"
@ -273,10 +245,7 @@ nft_apply_flow_offloading()
}
}
nft_filter_apply_port_target()
{
nft_filter_apply_port_target() {
# $1 - var name of nftables filter
local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@ -288,58 +257,51 @@ nft_filter_apply_port_target()
else
echo WARNING !!! HTTP and HTTPS are both disabled
fi
eval $1="\"\$$1 $f\""
eval "$1"="\"\$$1 $f\""
}
nft_filter_apply_port_target_quic()
{
nft_filter_apply_port_target_quic() {
# $1 - var name of nftables filter
local f
f="udp dport {$QUIC_PORTS}"
eval $1="\"\$$1 $f\""
eval "$1"="\"\$$1 $f\""
}
nft_filter_apply_ipset_target4()
{
nft_filter_apply_ipset_target4() {
# $1 - var name of ipv4 nftables filter
if [ "$MODE_FILTER" = "ipset" ]; then
eval $1="\"\$$1 ip daddr @zapret\""
eval "$1"="\"\$$1 ip daddr @zapret\""
fi
}
nft_filter_apply_ipset_target6()
{
nft_filter_apply_ipset_target6() {
# $1 - var name of ipv6 nftables filter
if [ "$MODE_FILTER" = "ipset" ]; then
eval $1="\"\$$1 ip6 daddr @zapret6\""
eval "$1"="\"\$$1 ip6 daddr @zapret6\""
fi
}
nft_filter_apply_ipset_target()
{
nft_filter_apply_ipset_target() {
# $1 - var name of ipv4 nftables filter
# $2 - var name of ipv6 nftables filter
nft_filter_apply_ipset_target4 $1
nft_filter_apply_ipset_target6 $2
nft_filter_apply_ipset_target4 "$1"
nft_filter_apply_ipset_target6 "$2"
}
nft_script_add_ifset_element()
{
nft_script_add_ifset_element() {
# $1 - set name
# $2 - space separated elements
local elements
[ -n "$2" ] && {
make_quoted_comma_list elements $2
make_quoted_comma_list elements "$2"
script="${script}
add element inet $ZAPRET_NFT_TABLE $1 { $elements }"
}
}
nft_fill_ifsets()
{
# $1 - space separated lan interface names
# $2 - space separated wan interface names
# $3 - space separated wan6 interface names
# 4,5,6 is needed for pppoe+openwrt case. looks like it's not easily possible to resolve ethernet device behind a pppoe interface
# $4 - space separated lan physical interface names (optional)
# $5 - space separated wan physical interface names (optional)
# $6 - space separated wan6 physical interface names (optional)
nft_fill_ifsets() {
# $1 - space separated LAN interface names
# $2 - space separated WAN interface names
# $3 - space separated WAN6 interface names
# 4,5,6 is needed for PPPoE+OpenWrt case. looks like it's not easily possible to resolve Ethernet device behind a PPPoE interface
# $4 - space separated LAN physical interface names (optional)
# $5 - space separated WAN physical interface names (optional)
# $6 - space separated WAN6 physical interface names (optional)
local script i j ALLDEVS devs
@ -358,51 +320,47 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
echo "$script" | nft -f -
case "$FLOWOFFLOAD" in
software)
ALLDEVS=$(unique $1 $2 $3)
# unbound flowtable may cause error in older nft version
nft_create_or_update_flowtable '' $ALLDEVS 2>/dev/null
;;
hardware)
ALLDEVS=$(unique $1 $2 $3 $4 $5 $6)
# first create unbound flowtable. may cause error in older nft version
nft_create_or_update_flowtable 'offload' 2>/dev/null
# then add elements. some of them can cause error because unsupported
for i in $ALLDEVS; do
if nft_hw_offload_supported $i; then
nft_create_or_update_flowtable 'offload' $i
else
# bridge members must be added instead of the bridge itself
# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
devs=$(resolve_lower_devices $i)
for j in $devs; do
# do not display error if addition failed
nft_create_or_update_flowtable 'offload' $j 2>/dev/null
done
fi
done
;;
software)
ALLDEVS=$(unique "$1" "$2" "$3")
# unbound flowtable may cause error in older nft version
nft_create_or_update_flowtable '' "$ALLDEVS" 2>/dev/null
;;
hardware)
ALLDEVS=$(unique "$1" "$2" "$3" "$4" "$5" "$6")
# first create unbound flowtable. may cause error in older nft version
nft_create_or_update_flowtable 'offload' 2>/dev/null
# then add elements. some of them can cause error because unsupported
for i in $ALLDEVS; do
if nft_hw_offload_supported "$i"; then
nft_create_or_update_flowtable 'offload' "$i"
else
# bridge members must be added instead of the bridge itself
# some members may not support hw offload. example: lan1 lan2 lan3 support, wlan0 wlan1 - not
devs=$(resolve_lower_devices "$i")
for j in $devs; do
# do not display error if addition failed
nft_create_or_update_flowtable 'offload' "$j" 2>/dev/null
done
fi
done
;;
esac
}
nft_only()
{
nft_only() {
linux_fwtype
case "$FWTYPE" in
nftables)
"$@"
;;
nftables)
"$@"
;;
esac
}
nft_print_op()
{
echo "Adding nftables ipv$3 rule for $2 : $1"
nft_print_op() {
echo "Adding nftables IPv$3 rule for $2: $1"
}
_nft_fw_tpws4()
{
_nft_fw_tpws4() {
# $1 - filter ipv4
# $2 - tpws port
# $3 - not-empty if wan interface filtering required
@ -410,13 +368,12 @@ _nft_fw_tpws4()
[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
local filter="$1" port="$2"
nft_print_op "$filter" "tpws (port $2)" 4
nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
nft_add_rule dnat_output skuid != "$WS_USER" ${3:+oifname @wanif }"$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port"
nft_add_rule dnat_pre iifname @lanif "$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port"
prepare_route_localnet
}
}
_nft_fw_tpws6()
{
_nft_fw_tpws6() {
# $1 - filter ipv6
# $2 - tpws port
# $3 - lan interface names space separated
@ -425,48 +382,43 @@ _nft_fw_tpws6()
[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
local filter="$1" port="$2" DNAT6 i
nft_print_op "$filter" "tpws (port $port)" 6
nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
nft_add_rule dnat_output skuid != "$WS_USER" ${4:+oifname @wanif6 }"$filter" ip6 daddr != @nozapret6 dnat ip6 to [::1]:"$port"
[ -n "$3" ] && {
nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
nft_add_rule dnat_pre "$filter" ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:"$port"
for i in $3; do
_dnat6_target $i DNAT6
_dnat6_target "$i" DNAT6
# can be multiple tpws processes on different ports
[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element link_local "$i : $DNAT6"
done
}
}
}
nft_fw_tpws()
{
nft_fw_tpws() {
# $1 - filter ipv4
# $2 - filter ipv6
# $3 - tpws port
nft_fw_tpws4 "$1" $3
nft_fw_tpws6 "$2" $3
nft_fw_tpws4 "$1" "$3"
nft_fw_tpws6 "$2" "$3"
}
is_postnat()
{
is_postnat() {
[ "$POSTNAT" != 0 -o "$POSTNAT_ALL" = 1 ]
}
get_postchain()
{
if is_postnat ; then
get_postchain() {
if is_postnat; then
echo -n postnat
else
echo -n postrouting
fi
}
get_prechain()
{
if is_postnat ; then
get_prechain() {
if is_postnat; then
echo -n prenat
else
echo -n prerouting
fi
}
_nft_fw_nfqws_post4()
{
_nft_fw_nfqws_post4() {
# $1 - filter ipv4
# $2 - queue number
# $3 - not-empty if wan interface filtering required
@ -476,12 +428,11 @@ _nft_fw_nfqws_post4()
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
nft_add_rule $chain $rule $setmark queue num $port bypass
nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass
nft_add_nfqws_flow_exempt_rule "$rule"
}
}
_nft_fw_nfqws_post6()
{
_nft_fw_nfqws_post6() {
# $1 - filter ipv6
# $2 - queue number
# $3 - not-empty if wan interface filtering required
@ -491,22 +442,20 @@ _nft_fw_nfqws_post6()
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
nft_add_rule $chain $rule $setmark queue num $port bypass
nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass
nft_add_nfqws_flow_exempt_rule "$rule"
}
}
nft_fw_nfqws_post()
{
# $1 - filter ipv4
nft_fw_nfqws_post() {
# $1 - filter IPv4
# $2 - filter ipv6
# $3 - queue number
nft_fw_nfqws_post4 "$1" $3
nft_fw_nfqws_post6 "$2" $3
nft_fw_nfqws_post4 "$1" "$3"
nft_fw_nfqws_post6 "$2" "$3"
}
_nft_fw_nfqws_pre4()
{
_nft_fw_nfqws_pre4() {
# $1 - filter ipv4
# $2 - queue number
# $3 - not-empty if wan interface filtering required
@ -515,11 +464,10 @@ _nft_fw_nfqws_pre4()
local filter="$1" port="$2" rule
nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4
rule="${3:+iifname @wanif }$filter ip saddr != @nozapret"
nft_add_rule $(get_prechain) $rule queue num $port bypass
nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass
}
}
_nft_fw_nfqws_pre6()
{
_nft_fw_nfqws_pre6() {
# $1 - filter ipv6
# $2 - queue number
# $3 - not-empty if wan interface filtering required
@ -528,35 +476,31 @@ _nft_fw_nfqws_pre6()
local filter="$1" port="$2" rule
nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6
rule="${3:+iifname @wanif6 }$filter ip6 saddr != @nozapret6"
nft_add_rule $(get_prechain) $rule queue num $port bypass
nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass
}
}
nft_fw_nfqws_pre()
{
nft_fw_nfqws_pre() {
# $1 - filter ipv4
# $2 - filter ipv6
# $3 - queue number
nft_fw_nfqws_pre4 "$1" $3
nft_fw_nfqws_pre6 "$2" $3
nft_fw_nfqws_pre4 "$1" "$3"
nft_fw_nfqws_pre6 "$2" "$3"
}
nft_fw_nfqws_both4()
{
nft_fw_nfqws_both4() {
# $1 - filter ipv4
# $2 - queue number
nft_fw_nfqws_post4 "$@"
nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $1)" $2
nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule "$1")" "$2"
}
nft_fw_nfqws_both6()
{
nft_fw_nfqws_both6() {
# $1 - filter ipv6
# $2 - queue number
nft_fw_nfqws_post6 "$@"
nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $1)" $2
nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule "$1")" "$2"
}
nft_fw_nfqws_both()
{
nft_fw_nfqws_both() {
# $1 - filter ipv4
# $2 - filter ipv6
# $3 - queue number
@ -564,26 +508,21 @@ nft_fw_nfqws_both()
nft_fw_nfqws_both6 "$2" "$3"
}
zapret_reload_ifsets()
{
nft_only nft_create_table ; nft_fill_ifsets_overload
zapret_reload_ifsets() {
nft_only nft_create_table
nft_fill_ifsets_overload
return 0
}
zapret_list_ifsets()
{
zapret_list_ifsets() {
nft_only nft_list_ifsets
return 0
}
zapret_list_table()
{
zapret_list_table() {
nft_only nft_list_table
return 0
}
nft_produce_reverse_nfqws_rule()
{
nft_produce_reverse_nfqws_rule() {
local rule="$1"
if contains "$rule" "$nft_connbytes "; then
# autohostlist - need several incoming packets
@ -596,28 +535,24 @@ nft_produce_reverse_nfqws_rule()
[ "$range" = 1 ] || range="1-$range"
rule="$nft_connbytes $range $rule"
fi
nft_reverse_nfqws_rule $rule
nft_reverse_nfqws_rule "$rule"
}
nft_fw_reverse_nfqws_rule4()
{
nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" $2
nft_fw_reverse_nfqws_rule4() {
nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" "$2"
}
nft_fw_reverse_nfqws_rule6()
{
nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" $2
nft_fw_reverse_nfqws_rule6() {
nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" "$2"
}
nft_fw_reverse_nfqws_rule()
{
nft_fw_reverse_nfqws_rule() {
# ensure that modes relying on incoming traffic work
# $1 - rule4
# $2 - rule6
# $3 - queue number
nft_fw_reverse_nfqws_rule4 "$1" $3
nft_fw_reverse_nfqws_rule6 "$2" $3
nft_fw_reverse_nfqws_rule4 "$1" "$3"
nft_fw_reverse_nfqws_rule6 "$2" "$3"
}
zapret_apply_firewall_rules_nft()
{
zapret_apply_firewall_rules_nft() {
local mode="${MODE_OVERRIDE:-$MODE}"
local first_packets_only
@ -627,91 +562,90 @@ zapret_apply_firewall_rules_nft()
first_packets_only="$nft_connbytes 1-$(first_packets_for_mode)"
case "$mode" in
tpws)
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
echo both http and https are disabled. not applying redirection.
else
nft_filter_apply_port_target f4
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_tpws "$f4" "$f6" $TPPORT
fi
;;
nfqws)
local POSTNAT_SAVE=$POSTNAT
tpws)
if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
echo both HTTP and HTTPS are disabled. not applying redirection.
else
nft_filter_apply_port_target f4
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_tpws "$f4" "$f6" "$TPPORT"
fi
;;
nfqws)
local POSTNAT_SAVE=$POSTNAT
POSTNAT=1
# quite complex but we need to minimize nfqws processes to save RAM
get_nfqws_qnums qn qns qn6 qns6
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
nft_filter_apply_port_target f4
f4="$f4 $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" $qn
nft_fw_reverse_nfqws_rule4 "$f4" $qn
else
if [ -n "$qn" ]; then
f4="tcp dport {$HTTP_PORTS}"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" $qn
nft_fw_reverse_nfqws_rule4 "$f4" $qn
fi
if [ -n "$qns" ]; then
f4="tcp dport {$HTTPS_PORTS} $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" $qns
nft_fw_reverse_nfqws_rule4 "$f4" $qns
fi
fi
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
nft_filter_apply_port_target f6
f6="$f6 $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" $qn6
nft_fw_reverse_nfqws_rule6 "$f6" $qn6
else
if [ -n "$qn6" ]; then
f6="tcp dport {$HTTP_PORTS}"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" $qn6
nft_fw_reverse_nfqws_rule6 "$f6" $qn6
fi
if [ -n "$qns6" ]; then
f6="tcp dport {$HTTPS_PORTS} $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" $qns6
nft_fw_reverse_nfqws_rule6 "$f6" $qns6
fi
fi
get_nfqws_qnums_quic qn qn6
POSTNAT=1
# quite complex but we need to minimize nfqws processes to save RAM
get_nfqws_qnums qn qns qn6 qns6
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
nft_filter_apply_port_target f4
f4="$f4 $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" "$qn"
nft_fw_reverse_nfqws_rule4 "$f4" "$qn"
else
if [ -n "$qn" ]; then
f4=
nft_filter_apply_port_target_quic f4
f4="$f4 $first_packets_only"
f4="tcp dport {$HTTP_PORTS}"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" $qn
nft_fw_nfqws_post4 "$f4 $desync" "$qn"
nft_fw_reverse_nfqws_rule4 "$f4" "$qn"
fi
if [ -n "$qns" ]; then
f4="tcp dport {$HTTPS_PORTS} $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" "$qns"
nft_fw_reverse_nfqws_rule4 "$f4" "$qns"
fi
fi
if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
nft_filter_apply_port_target f6
f6="$f6 $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
nft_fw_reverse_nfqws_rule6 "$f6" "$qn6"
else
if [ -n "$qn6" ]; then
f6=
nft_filter_apply_port_target_quic f6
f6="$f6 $first_packets_only"
f6="tcp dport {$HTTP_PORTS}"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" $qn6
nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
nft_fw_reverse_nfqws_rule6 "$f6" "$qn6"
fi
if [ -n "$qns6" ]; then
f6="tcp dport {$HTTPS_PORTS} $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" "$qns6"
nft_fw_reverse_nfqws_rule6 "$f6" "$qns6"
fi
fi
POSTNAT=$POSTNAT_SAVE
;;
custom)
existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
;;
get_nfqws_qnums_quic qn qn6
if [ -n "$qn" ]; then
f4=
nft_filter_apply_port_target_quic f4
f4="$f4 $first_packets_only"
nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" "$qn"
fi
if [ -n "$qn6" ]; then
f6=
nft_filter_apply_port_target_quic f6
f6="$f6 $first_packets_only"
nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
fi
POSTNAT=$POSTNAT_SAVE
;;
custom)
existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
;;
esac
}
zapret_apply_firewall_nft()
{
zapret_apply_firewall_nft() {
echo Applying nftables
local mode="${MODE_OVERRIDE:-$MODE}"
@ -728,19 +662,17 @@ zapret_apply_firewall_nft()
return 0
}
zapret_unapply_firewall_nft()
{
zapret_unapply_firewall_nft() {
echo Clearing nftables
unprepare_route_localnet
nft_del_firewall
return 0
}
zapret_do_firewall_nft()
{
zapret_do_firewall_nft() {
# $1 - 1 - add, 0 - del
if [ "$1" = 0 ] ; then
if [ "$1" = 0 ]; then
zapret_unapply_firewall_nft
else
zapret_apply_firewall_nft


@ -6,14 +6,12 @@ PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
std_ports
pf_anchor_root_reload()
{
pf_anchor_root_reload() {
echo reloading PF root anchor
pfctl -qf "$PF_MAIN"
}
pf_anchor_root()
{
pf_anchor_root() {
local patch
[ -f "$PF_MAIN" ] && {
grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" || {
@ -39,8 +37,8 @@ set limit table-entries 5000000
}
grep -q '^anchor "zapret"$' "$PF_MAIN" &&
grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" &&
grep -q '^set limit table-entries' "$PF_MAIN" && {
grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" &&
grep -q '^set limit table-entries' "$PF_MAIN" && {
if [ -n "$patch" ]; then
echo successfully patched $PF_MAIN
pf_anchor_root_reload
@ -57,13 +55,11 @@ set limit table-entries 5000000
echo ----------------------------------
return 1
}
pf_anchor_root_del()
{
pf_anchor_root_del() {
sed -i '' -e '/^anchor "zapret"$/d' -e '/^rdr-anchor "zapret"$/d' -e '/^set limit table-entries/d' "$PF_MAIN"
}
pf_anchor_zapret()
{
pf_anchor_zapret() {
[ "$DISABLE_IPV4" = "1" ] || {
if [ -f "$ZIPLIST_EXCLUDE" ]; then
echo "table <nozapret> persist file \"$ZIPLIST_EXCLUDE\""
@ -83,8 +79,7 @@ pf_anchor_zapret()
[ "$DISABLE_IPV4" = "1" ] || echo "anchor \"/zapret-v4\" inet to !<nozapret>"
[ "$DISABLE_IPV6" = "1" ] || echo "anchor \"/zapret-v6\" inet6 to !<nozapret6>"
}
pf_anchor_zapret_tables()
{
pf_anchor_zapret_tables() {
# $1 - variable to receive applied table names
# $2/$3 $4/$5 ... table_name/table_file
local tblv=$1
@ -92,22 +87,21 @@ pf_anchor_zapret_tables()
shift
[ "$MODE_FILTER" = "ipset" ] &&
{
while [ -n "$1" ] && [ -n "$2" ] ; do
[ -f "$2" ] && {
echo "table <$1> file \"$2\""
_tbl="$_tbl<$1> "
}
shift
shift
done
}
{
while [ -n "$1" ] && [ -n "$2" ]; do
[ -f "$2" ] && {
echo "table <$1> file \"$2\""
_tbl="$_tbl<$1> "
}
shift
shift
done
}
[ -n "$_tbl" ] || _tbl="any"
eval $tblv="\"\$_tbl\""
eval "$tblv"="\"\$_tbl\""
}
pf_anchor_port_target()
{
pf_anchor_port_target() {
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
elif [ "$MODE_HTTPS" = "1" ]; then
@ -117,20 +111,19 @@ pf_anchor_port_target()
fi
}
pf_anchor_zapret_v4_tpws()
{
pf_anchor_zapret_v4_tpws() {
# $1 - port
local rule port=$(pf_anchor_port_target)
for lan in $IFACE_LAN; do
for t in $tbl; do
echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
done
done
echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1"
for t in $tbl; do
rule="route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
if [ -n "$IFACE_WAN" ] ; then
if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
echo "pass out on $wan $rule"
done
@ -140,31 +133,29 @@ pf_anchor_zapret_v4_tpws()
done
}
pf_anchor_zapret_v4()
{
pf_anchor_zapret_v4() {
local tbl port
[ "$DISABLE_IPV4" = "1" ] || {
case $MODE in
tpws)
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
pf_anchor_zapret_v4_tpws $TPPORT
;;
custom)
pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
;;
tpws)
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
pf_anchor_zapret_v4_tpws "$TPPORT"
;;
custom)
pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
;;
esac
}
}
pf_anchor_zapret_v6_tpws()
{
pf_anchor_zapret_v6_tpws() {
# $1 - port
local LL_LAN rule port=$(pf_anchor_port_target)
# LAN link local is only for router
for lan in $IFACE_LAN; do
LL_LAN=$(get_ipv6_linklocal $lan)
LL_LAN=$(get_ipv6_linklocal "$lan")
[ -n "$LL_LAN" ] && {
for t in $tbl; do
echo "rdr on $lan inet6 proto tcp from any to $t port $port -> $LL_LAN port $1"
@ -174,7 +165,7 @@ pf_anchor_zapret_v6_tpws()
echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1"
for t in $tbl; do
rule="route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ] ; then
if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ]; then
for wan in ${IFACE_WAN6:-$IFACE_WAN}; do
echo "pass out on $wan $rule"
done
@ -183,38 +174,34 @@ pf_anchor_zapret_v6_tpws()
fi
done
}
pf_anchor_zapret_v6()
{
pf_anchor_zapret_v6() {
local tbl port
[ "$DISABLE_IPV6" = "1" ] || {
case $MODE in
tpws)
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
pf_anchor_zapret_v6_tpws $TPPORT
;;
custom)
pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
;;
tpws)
[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
pf_anchor_zapret_v6_tpws "$TPPORT"
;;
custom)
pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
;;
esac
}
}
pf_anchors_create()
{
pf_anchors_create() {
wait_lan_ll
pf_anchor_zapret >"$PF_ANCHOR_ZAPRET"
pf_anchor_zapret_v4 >"$PF_ANCHOR_ZAPRET_V4"
pf_anchor_zapret_v6 >"$PF_ANCHOR_ZAPRET_V6"
}
pf_anchors_del()
{
pf_anchors_del() {
rm -f "$PF_ANCHOR_ZAPRET" "$PF_ANCHOR_ZAPRET_V4" "$PF_ANCHOR_ZAPRET_V6"
}
pf_anchors_load()
{
pf_anchors_load() {
echo loading zapret anchor from "$PF_ANCHOR_ZAPRET"
pfctl -qa zapret -f "$PF_ANCHOR_ZAPRET" || {
echo error loading zapret anchor
@ -243,20 +230,17 @@ pf_anchors_load()
echo successfully loaded PF anchors
return 0
}
pf_anchors_clear()
{
pf_anchors_clear() {
echo clearing zapret anchors
pfctl -qa zapret-v4 -F all 2>/dev/null
pfctl -qa zapret-v6 -F all 2>/dev/null
pfctl -qa zapret -F all 2>/dev/null
}
pf_enable()
{
pf_enable() {
echo enabling PF
pfctl -qe
}
pf_table_reload()
{
pf_table_reload() {
echo reloading zapret tables
[ "$DISABLE_IPV4" = "1" ] || pfctl -qTl -a zapret-v4 -f "$PF_ANCHOR_ZAPRET_V4"
[ "$DISABLE_IPV6" = "1" ] || pfctl -qTl -a zapret-v6 -f "$PF_ANCHOR_ZAPRET_V6"
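Review bot: Quoting the variable name in `eval "$tblv"="\"\$_tbl\""` in pf_anchor_zapret_tables is cosmetic, not a hardening: eval re-parses its whole argument, so the quotes are gone before the second parse. What actually keeps this line safe is that every visible caller passes a literal name (`tbl`) and that `$_tbl`, the only value built from caller-supplied table names, stays escaped as `\$_tbl` until after the re-parse. Since the next lint pass may "fix" this again, I would record that next to it: `# eval is safe here: $tblv is a literal var name from callers; $_tbl is expanded only after the eval re-parse`. The same applies to the `eval "$1"="\"\$$1 $o\""` lines in the macOS functions file, where `$o` is interpolated directly and relies on interface names in IFACE_LAN being plain words.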


@ -1,5 +1,4 @@
apply_unspecified_desync_modes()
{
apply_unspecified_desync_modes() {
NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
NFQWS_OPT_DESYNC_HTTP6="${NFQWS_OPT_DESYNC_HTTP6:-$NFQWS_OPT_DESYNC_HTTP}"
@ -7,8 +6,7 @@ apply_unspecified_desync_modes()
NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}"
}
get_nfqws_qnums()
{
get_nfqws_qnums() {
# $1 - var name for ipv4 http
# $2 - var name for ipv4 https
# $3 - var name for ipv6 http
@ -18,63 +16,62 @@ get_nfqws_qnums()
[ "$DISABLE_IPV4" = "1" ] || {
_qn=$QNUM
_qns=$_qn
[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM+1))
[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM + 1))
}
[ "$DISABLE_IPV6" = "1" ] || {
_qn6=$(($QNUM+2))
_qns6=$(($QNUM+3))
_qn6=$(($QNUM + 2))
_qns6=$(($QNUM + 3))
[ "$DISABLE_IPV4" = "1" ] || {
if [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then
_qn6=$_qn;
_qn6=$_qn
elif [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
_qn6=$_qns;
_qn6=$_qns
fi
if [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then
_qns6=$_qn;
_qns6=$_qn
elif [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
_qns6=$_qns;
_qns6=$_qns
fi
}
[ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6;
[ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6
}
if [ "$MODE_HTTP" = 1 ]; then
eval $1=$_qn
eval $3=$_qn6
eval "$1"="$_qn"
eval "$3"="$_qn6"
else
eval $1=
eval $3=
eval "$1"=
eval "$3"=
fi
if [ "$MODE_HTTPS" = 1 ]; then
eval $2=$_qns
eval $4=$_qns6
eval "$2"="$_qns"
eval "$4"="$_qns6"
else
eval $2=
eval $4=
eval "$2"=
eval "$4"=
fi
}
get_nfqws_qnums_quic()
{
get_nfqws_qnums_quic() {
# $1 - var name for ipv4 quic
# $2 - var name for ipv6 quic
local _qn _qn6
[ "$DISABLE_IPV4" = "1" ] || {
_qn=$(($QNUM+10))
_qn=$(($QNUM + 10))
}
[ "$DISABLE_IPV6" = "1" ] || {
_qn6=$(($QNUM+11))
_qn6=$(($QNUM + 11))
[ "$DISABLE_IPV4" = "1" ] || {
if [ "$NFQWS_OPT_DESYNC_QUIC" = "$NFQWS_OPT_DESYNC_QUIC6" ]; then
_qn6=$_qn;
_qn6=$_qn
fi
}
}
if [ "$MODE_QUIC" = 1 ]; then
eval $1=$_qn
eval $2=$_qn6
eval "$1"=$_qn
eval "$2"=$_qn6
else
eval $1=
eval $2=
eval "$1"=
eval "$2"=
fi
}
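Review bot: The quoting of the eval assignments is now inconsistent between the two functions: get_nfqws_qnums writes `eval "$1"="$_qn"` while get_nfqws_qnums_quic still writes `eval "$1"=$_qn` and `eval "$2"=$_qn6`. Either form works today because `_qn` is empty or an arithmetic result, but the quic variant should match the sibling so a future non-numeric value cannot word-split inside the eval: `eval "$1"="$_qn"` and `eval "$2"="$_qn6"`. Note that quotes around the target name are re-parsed by eval anyway, so the real guarantee is that both callers pass literal variable names; a one-line comment saying so above each eval block would stop the next lint pass from reshuffling them again.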


@ -1,28 +1,26 @@
get_virt()
{
get_virt() {
local vm s v UNAME
UNAME=$(uname)
case "$UNAME" in
Linux)
if exists systemd-detect-virt; then
vm=$(systemd-detect-virt --vm)
elif [ -f /sys/class/dmi/id/product_name ]; then
read s </sys/class/dmi/id/product_name
for v in KVM QEMU VMware VMW VirtualBox Xen Bochs Parallels BHYVE Hyper-V; do
case "$s" in
"$v"*)
vm=$v
break
;;
esac
done
fi
;;
Linux)
if exists systemd-detect-virt; then
vm=$(systemd-detect-virt --vm)
elif [ -f /sys/class/dmi/id/product_name ]; then
read s </sys/class/dmi/id/product_name
for v in KVM QEMU VMware VMW VirtualBox Xen Bochs Parallels BHYVE Hyper-V; do
case "$s" in
"$v"*)
vm=$v
break
;;
esac
done
fi
;;
esac
echo "$vm" | awk '{print tolower($0)}'
}
check_virt()
{
check_virt() {
echo \* checking virtualization
local vm="$(get_virt)"
if [ -n "$vm" ]; then
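Review bot: The reindented `read s </sys/class/dmi/id/product_name` in get_virt still lacks `-r`, so a backslash in the firmware-supplied product name would be interpreted as an escape before the prefix comparison; the rest of the shellcheck pass quoted everything but left this SC2162 in place. Use `IFS= read -r s </sys/class/dmi/id/product_name` (IFS= also keeps leading whitespace intact for the `"$v"*` match). The value is only compared against a fixed list and lowercased through awk, so this is a correctness gap rather than an injection, but DMI strings are untrusted input and should be read verbatim.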


@ -2,24 +2,21 @@
TPPORT_MY=987
zapret_custom_daemons()
{
zapret_custom_daemons() {
# $1 - 1 - run, 0 - stop
local opt="--user=root --port=$TPPORT_MY"
filter_apply_hostlist_target opt
tpws_apply_binds opt
opt="$opt $TPWS_OPT"
do_daemon $1 1 "$TPWS" "$opt"
do_daemon "$1" 1 "$TPWS" "$opt"
}
# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
zapret_custom_firewall_v4()
{
zapret_custom_firewall_v4() {
pf_anchor_zapret_v4_tpws $TPPORT_MY
}
zapret_custom_firewall_v6()
{
zapret_custom_firewall_v6() {
pf_anchor_zapret_v6_tpws $TPPORT_MY
}


@ -2,8 +2,7 @@
# use helpers from "functions" file
# in case of upgrade keep this file only, do not modify others
zapret_custom_daemons()
{
zapret_custom_daemons() {
# $1 - 1 - run, 0 - stop
:
}
@ -11,11 +10,9 @@ zapret_custom_daemons()
# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
zapret_custom_firewall_v4()
{
zapret_custom_firewall_v4() {
:
}
zapret_custom_firewall_v6()
{
zapret_custom_firewall_v6() {
:
}


@ -21,8 +21,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
run_daemon()
{
run_daemon() {
# $1 - daemon number : 1,2,3,...
# $2 - daemon
# $3 - daemon args
@ -31,14 +30,13 @@ run_daemon()
local PIDFILE="$PIDDIR/$DAEMONBASE$1.pid"
local ARGS="--daemon --pidfile=$PIDFILE $3"
[ -f "$PIDFILE" ] && pgrep -qF "$PIDFILE" && {
echo Already running $1: $2
echo Already running "$1": "$2"
return 0
}
echo "Starting daemon $1: $2 $ARGS"
"$2" $ARGS
"$2" "$ARGS"
}
stop_daemon()
{
stop_daemon() {
# $1 - daemon number : 1,2,3,...
# $2 - daemon
# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
@ -49,19 +47,17 @@ stop_daemon()
[ -f "$PIDFILE" ] && read PID <"$PIDFILE"
[ -n "$PID" ] && {
echo "Stopping daemon $1: $2 (PID=$PID)"
kill $PID
kill "$PID"
rm -f "$PIDFILE"
}
return 0
}
do_daemon()
{
do_daemon() {
# $1 - 1 - run, 0 - stop
on_off_function run_daemon stop_daemon "$@"
}
tpws_apply_binds()
{
tpws_apply_binds() {
local o
[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
[ "$DISABLE_IPV6" = "1" ] || {
@ -69,32 +65,29 @@ tpws_apply_binds()
o="$o --bind-iface6=$i --bind-linklocal=force $TPWS_WAIT"
done
}
eval $1="\"\$$1 $o\""
eval "$1"="\"\$$1 $o\""
}
tpws_apply_socks_binds()
{
tpws_apply_socks_binds() {
local o
[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
for lan in $IFACE_LAN; do
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
done
eval $1="\"\$$1 $o\""
eval "$1"="\"\$$1 $o\""
}
wait_interface_ll()
{
echo waiting for an ipv6 link local address on $1 ...
"$TPWS" --bind-wait-only --bind-iface6=$1 --bind-linklocal=force $TPWS_WAIT
wait_interface_ll() {
echo waiting for an IPv6 link local address on "$1" ...
"$TPWS" --bind-wait-only --bind-iface6="$1" --bind-linklocal=force "$TPWS_WAIT"
}
wait_lan_ll()
{
wait_lan_ll() {
[ "$DISABLE_IPV6" != "1" ] && {
for lan in $IFACE_LAN; do
wait_interface_ll $lan >&2 || {
wait_interface_ll "$lan" >&2 || {
echo "wait interface failed on $lan"
return 1
}
@ -102,30 +95,27 @@ wait_lan_ll()
}
return 0
}
get_ipv6_linklocal()
{
ifconfig $1 | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
get_ipv6_linklocal() {
ifconfig "$1" | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
}
zapret_do_firewall()
{
zapret_do_firewall() {
# $1 - 1 - add, 0 - del
[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
case "${MODE_OVERRIDE:-$MODE}" in
tpws|filter|custom)
if [ "$1" = "1" ] ; then
pf_anchor_root || return 1
pf_anchors_create
pf_anchors_load || return 1
pf_enable
else
pf_anchors_clear
fi
;;
tpws | filter | custom)
if [ "$1" = "1" ]; then
pf_anchor_root || return 1
pf_anchors_create
pf_anchors_load || return 1
pf_enable
else
pf_anchors_clear
fi
;;
esac
[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
@ -133,75 +123,65 @@ zapret_do_firewall()
return 0
}
zapret_apply_firewall()
{
zapret_apply_firewall() {
zapret_do_firewall 1 "$@"
}
zapret_unapply_firewall()
{
zapret_unapply_firewall() {
zapret_do_firewall 0 "$@"
}
zapret_restart_firewall()
{
zapret_restart_firewall() {
zapret_unapply_firewall "$@"
zapret_apply_firewall "$@"
}
zapret_do_daemons()
{
zapret_do_daemons() {
# $1 - 1 - run, 0 - stop
local opt
case "${MODE_OVERRIDE:-$MODE}" in
tpws)
[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
echo "both ipv4 and ipv6 are disabled. nothing to do"
return 0
}
# MacOS requires root. kernel hardcoded requirement for /dev/pf ioctls
opt="--user=root --port=$TPPORT"
filter_apply_hostlist_target opt
tpws_apply_binds opt
opt="$opt $TPWS_OPT"
do_daemon $1 1 "$TPWS" "$opt"
;;
tpws-socks)
[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
echo "both ipv4 and ipv6 are disabled. nothing to do"
return 0
}
opt="--socks --user=$WS_USER --port=$TPPORT"
tpws_apply_socks_binds opt
filter_apply_hostlist_target opt
opt="$opt $TPWS_OPT"
do_daemon $1 1 "$TPWS" "$opt"
;;
filter)
;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons $1
;;
*)
echo "unsupported MODE=$MODE"
return 1
;;
tpws)
[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
echo "both IPv4 and IPv6 are disabled. nothing to do"
return 0
}
# macOS requires root. kernel hardcoded requirement for /dev/pf ioctls
opt="--user=root --port=$TPPORT"
filter_apply_hostlist_target opt
tpws_apply_binds opt
opt="$opt $TPWS_OPT"
do_daemon "$1" 1 "$TPWS" "$opt"
;;
tpws-socks)
[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
echo "both IPv4 and IPv6 are disabled. nothing to do"
return 0
}
opt="--socks --user=$WS_USER --port=$TPPORT"
tpws_apply_socks_binds opt
filter_apply_hostlist_target opt
opt="$opt $TPWS_OPT"
do_daemon "$1" 1 "$TPWS" "$opt"
;;
filter) ;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons "$1"
;;
*)
echo "unsupported MODE=$MODE"
return 1
;;
esac
return 0
}
zapret_run_daemons()
{
zapret_run_daemons() {
zapret_do_daemons 1 "$@"
}
zapret_stop_daemons()
{
zapret_stop_daemons() {
zapret_do_daemons 0 "$@"
}
zapret_restart_daemons()
{
zapret_restart_daemons() {
zapret_stop_daemons "$@"
zapret_run_daemons "$@"
}
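Review bot: Changing `"$2" $ARGS` to `"$2" "$ARGS"` in run_daemon breaks daemon startup: ARGS is built one line earlier as `--daemon --pidfile=$PIDFILE $3`, a space-separated option string, and quoting it hands tpws a single argument containing the whole option list, which it will reject. Because zapret_do_firewall still installs the pf rdr rules regardless, the result is traffic redirected to a port with no listener, i.e. a silent outage rather than a visible failure. The word splitting here is intentional and should be marked as such: `# shellcheck disable=SC2086  # ARGS is a deliberately word-split option string` followed by `"$2" $ARGS`. The same concern applies to `"$TPWS_WAIT"` in wait_interface_ll, presumably also a multi-option string given how TPWS_WAIT_SOCKS6 is composed from it at the top of the file; if so it needs the same treatment, or both should be rewritten to build argument lists with `set --`.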


@ -2,48 +2,51 @@
EXEDIR="$(dirname "$0")"
ZAPRET_BASE="$EXEDIR/../.."
ZAPRET_BASE="$(cd "$ZAPRET_BASE"; pwd)"
ZAPRET_BASE="$(
cd "$ZAPRET_BASE"
pwd
)"
. "$EXEDIR/functions"
case "$1" in
start)
zapret_run_daemons
[ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall
;;
stop)
[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
zapret_stop_daemons
;;
restart)
"$0" stop
"$0" start
;;
start)
zapret_run_daemons
[ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall
;;
stop)
[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
zapret_stop_daemons
;;
restart)
"$0" stop
"$0" start
;;
start-fw|start_fw)
zapret_apply_firewall
;;
stop-fw|stop_fw)
zapret_unapply_firewall
;;
restart-fw|stop_fw)
zapret_restart_firewall
;;
reload-fw-tables|reload_fw_tables)
pf_table_reload
;;
start-fw | start_fw)
zapret_apply_firewall
;;
stop-fw | stop_fw)
zapret_unapply_firewall
;;
restart-fw | stop_fw)
zapret_restart_firewall
;;
reload-fw-tables | reload_fw_tables)
pf_table_reload
;;
start-daemons|start_daemons)
zapret_run_daemons
;;
stop-daemons|stop_daemons)
zapret_stop_daemons
;;
restart-daemons|restart_daemons)
zapret_restart_daemons
;;
start-daemons | start_daemons)
zapret_run_daemons
;;
stop-daemons | stop_daemons)
zapret_stop_daemons
;;
restart-daemons | restart_daemons)
zapret_restart_daemons
;;
*)
*)
N="$SCRIPT/$NAME"
echo "Usage: $N {start|stop|start-fw|stop-fw|restart-fw|reload-fw-tables|start-daemons|stop-daemons|restart-daemons}" >&2
exit 1
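Review bot: The case arm `restart-fw | stop_fw)` carries a pre-existing copy-paste bug that the reformat kept: `stop_fw` is already consumed by the preceding `stop-fw | stop_fw)` arm, so the underscore spelling `restart_fw` is never accepted even though every other action has both forms. It should read `restart-fw | restart_fw)`. Separately, the new multi-line `ZAPRET_BASE="$( cd "$ZAPRET_BASE"; pwd )"` form still ignores a failed `cd`, in which case `pwd` returns the caller's directory and `. "$EXEDIR/functions"` sources from the wrong tree; `cd "$ZAPRET_BASE" || exit 1` inside the substitution plus `|| exit 1` after the closing `)"` makes the failure visible.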


@ -4,7 +4,10 @@
# on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d
EXEDIR=$(dirname "$RC_SERVICE")
EXEDIR="$(cd "$EXEDIR"; pwd)"
EXEDIR="$(
cd "$EXEDIR"
pwd
)"
ZAPRET_BASE="$EXEDIR/../.."
ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret"
@ -23,47 +26,36 @@ description_restart_daemons="Restart zapret firewall only"
depend() {
rc-service -e networking && need networking
}
start()
{
start() {
"$ZAPRET_INIT" start
}
stop()
{
stop() {
"$ZAPRET_INIT" stop
}
start_fw()
{
start_fw() {
"$ZAPRET_INIT" start_fw
}
stop_fw()
{
stop_fw() {
"$ZAPRET_INIT" stop_fw
}
restart_fw()
{
restart_fw() {
"$ZAPRET_INIT" restart_fw
}
start_daemons()
{
start_daemons() {
"$ZAPRET_INIT" start_daemons
}
stop_daemons()
{
stop_daemons() {
"$ZAPRET_INIT" stop_daemons
}
restart_daemons()
{
restart_daemons() {
"$ZAPRET_INIT" restart_daemons
}
reload_ifsets()
{
reload_ifsets() {
"$ZAPRET_INIT" reload_ifsets
}
list_ifsets()
{
list_ifsets() {
"$ZAPRET_INIT" list_ifsets
}
list_table()
{
list_table() {
"$ZAPRET_INIT" list_table
}
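Review bot: The reformatted `EXEDIR="$( cd "$EXEDIR"; pwd )"` still swallows a `cd` failure: the subshell then prints the current working directory, and ZAPRET_INIT silently resolves to a path in the wrong tree, which every wrapper in this file then executes. Since this is an OpenRC service script, failing loudly is preferable: `cd "$EXEDIR" || exit 1` inside the substitution, and `)" || exit 1` on the closing line so the assignment's non-zero status aborts the script. The remaining hunks are pure brace-style changes and need no action.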


@ -2,8 +2,7 @@
ZAPRET=/etc/init.d/zapret
check_lan()
{
check_lan() {
IS_LAN=
[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
for lan in $OPENWRT_LAN; do
@ -13,8 +12,7 @@ check_lan()
}
done
}
check_need_to_reload_tpws6()
{
check_need_to_reload_tpws6() {
# tpws6 dnat target nft map can only be reloaded within firewall apply procedure
# interface ifsets (wanif, wanif6, lanif) can be reloaded independently
check_lan
@ -22,7 +20,6 @@ check_need_to_reload_tpws6()
[ "$ACTION" = "ifup" -a "$DISABLE_IPV6" != 1 -a -n "$IS_LAN" ] && [ "$MODE" = "tpws" -o "$MODE" = "custom" ] && RELOAD_TPWS6=1
}
[ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
SCRIPT=$(readlink "$ZAPRET")
if [ -n "$SCRIPT" ]; then
@ -37,27 +34,27 @@ check_need_to_reload_tpws6()
check_need_to_reload_tpws6
[ -n "$RELOAD_TPWS6" ] && {
logger -t zapret restarting daemons due to $ACTION of $INTERFACE to update tpws6 dnat target
logger -t zapret restarting daemons due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target
"$ZAPRET" restart_daemons
}
. "$ZAPRET_BASE/common/base.sh"
. "$ZAPRET_BASE/common/fwtype.sh"
linux_fwtype
case "$FWTYPE" in
nftables)
if [ -n "$RELOAD_TPWS6" ] ; then
logger -t zapret reloading nftables due to $ACTION of $INTERFACE to update tpws6 dnat target
"$ZAPRET" restart_fw
else
logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE
"$ZAPRET" reload_ifsets
fi
;;
iptables)
openwrt_fw3 || {
logger -t zapret reloading iptables due to $ACTION of $INTERFACE
"$ZAPRET" restart_fw
}
;;
nftables)
if [ -n "$RELOAD_TPWS6" ]; then
logger -t zapret reloading nftables due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target
"$ZAPRET" restart_fw
else
logger -t zapret reloading nftables ifsets due to "$ACTION" of "$INTERFACE"
"$ZAPRET" reload_ifsets
fi
;;
iptables)
openwrt_fw3 || {
logger -t zapret reloading iptables due to "$ACTION" of "$INTERFACE"
"$ZAPRET" restart_fw
}
;;
esac
}


@ -1,10 +1,9 @@
# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
# need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
QNUM2=$(($QNUM+20))
QNUM2=$(($QNUM + 20))
zapret_custom_daemons()
{
zapret_custom_daemons() {
# stop logic is managed by procd
local MODE_OVERRIDE=nfqws
@ -13,10 +12,9 @@ zapret_custom_daemons()
start_daemons_procd
opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
run_daemon 100 $NFQWS "$opt"
run_daemon 100 "$NFQWS" "$opt"
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=nfqws
@ -24,15 +22,14 @@ zapret_custom_firewall()
local first_packet_only="$ipt_connbytes 1:1"
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
zapret_do_firewall_rules_ipt $1
zapret_do_firewall_rules_ipt "$1"
f='-p udp -m length --length 109:407 -m u32 --u32'
uf4='0>>22&0x3C@8>>16=0x6431'
uf6='48>>16=0x6431'
fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
uf4='0>>22&0x3C@8>>16=0x6431'
uf6='48>>16=0x6431'
fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local MODE_OVERRIDE=nfqws
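Review bot: The quoting in this section is applied inconsistently: `fw_nfqws_post "$1" … $QNUM2` quotes the run/stop flag but leaves the queue number bare, while the http/https custom script in the same commit quotes the same position as `"$QNUM"`. Since the point of the commit is a shellcheck-clean tree, the trailing argument should be `"$QNUM2"` here and in the QUIC (`$QNUM2`) and tpws (`$MY_TPPORT`) custom scripts for both the openwrt and sysv trees, where the same bare variable survives.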


@ -2,10 +2,9 @@
# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
QNUM2=$(($QNUM+10))
QNUM2=$(($QNUM + 10))
zapret_custom_daemons()
{
zapret_custom_daemons() {
# stop logic is managed by procd
local MODE_OVERRIDE=nfqws
@ -14,10 +13,9 @@ zapret_custom_daemons()
start_daemons_procd
opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
run_daemon 100 $NFQWS "$opt"
run_daemon 100 "$NFQWS" "$opt"
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=nfqws
@ -25,14 +23,13 @@ zapret_custom_firewall()
local first_packets_only="$ipt_connbytes 1:3"
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
zapret_do_firewall_rules_ipt $1
zapret_do_firewall_rules_ipt "$1"
f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local MODE_OVERRIDE=nfqws


@ -4,8 +4,7 @@ MY_TPPORT=$(($TPPORT + 1))
MY_TPWS_OPT="--methodeol --hostcase"
MY_DPORT=81
zapret_custom_daemons()
{
zapret_custom_daemons() {
# stop logic is managed by procd
local MODE_OVERRIDE=tpws
@ -17,22 +16,20 @@ zapret_custom_daemons()
filter_apply_hostlist_target opt
run_tpws 100 "$opt"
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=tpws
local f4 f6
zapret_do_firewall_rules_ipt $1
zapret_do_firewall_rules_ipt "$1"
f4="-p tcp --dport $MY_DPORT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
fw_tpws "$1" "$f4" "$f6" $MY_TPPORT
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local MODE_OVERRIDE=tpws


@ -1,8 +1,7 @@
# this custom script demonstrates how to apply tpws to http and nfqws to https
# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
zapret_custom_daemons()
{
zapret_custom_daemons() {
# stop logic is managed by procd
local opt
@ -16,11 +15,10 @@ zapret_custom_daemons()
[ "$MODE_HTTPS" = "1" ] && {
opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
filter_apply_hostlist_target opt
run_daemon 2 $NFQWS "$opt"
run_daemon 2 "$NFQWS" "$opt"
}
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local f4 f6
@ -31,18 +29,17 @@ zapret_custom_firewall()
f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT
fw_tpws "$1" "$f4" "$f6" "$TPPORT"
}
[ "$MODE_HTTPS" = "1" ] && {
f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
f6=$f4
filter_apply_ipset_target f4 f6
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM"
}
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local f4 f6
@ -53,15 +50,15 @@ zapret_custom_firewall_nft()
f4="tcp dport {$HTTP_PORTS}"
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_tpws "$f4" "$f6" $TPPORT
nft_fw_tpws "$f4" "$f6" "$TPPORT"
}
[ "$MODE_HTTPS" = "1" ] && {
f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM"
# for modes that require incoming traffic
nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM"
}
}


@ -2,8 +2,7 @@
# use helpers from "functions" file and "zapret" init script
# in case of upgrade keep this file only, do not modify others
zapret_custom_daemons()
{
zapret_custom_daemons() {
# stop logic is managed by procd
# PLACEHOLDER
@ -13,8 +12,7 @@ zapret_custom_daemons()
run_daemon 1 /bin/sleep 20
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
# PLACEHOLDER
@ -22,8 +20,7 @@ zapret_custom_firewall()
echo Configure iptables for required actions
echo Study how other sections work
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
# PLACEHOLDER


@ -1,9 +1,9 @@
SCRIPT=$(readlink /etc/init.d/zapret)
if [ -n "$SCRIPT" ]; then
EXEDIR=$(dirname "$SCRIPT")
ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
EXEDIR=$(dirname "$SCRIPT")
ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
else
ZAPRET_BASE=/opt/zapret
ZAPRET_BASE=/opt/zapret
fi
. "$ZAPRET_BASE/init.d/openwrt/functions"


@ -35,75 +35,65 @@ IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
apply_unspecified_desync_modes
# can be multiple ipv6 outgoing interfaces
# uplink from isp, tunnelbroker, vpn, ...
# can be multiple IPv6 outgoing interfaces
# uplink from ISP, tunnelbroker, VPN, ...
# want them all. who knows what's the real one that blocks sites
# dont want any manual configuration - want to do it automatically
# standard network_find_wan[6] return only the first
# we use low level function from network.sh to avoid this limitation
# it can change theoretically and stop working
network_find_wan4_all()
{
network_find_wan4_all() {
if [ -n "$OPENWRT_WAN4" ]; then
eval $1="\$OPENWRT_WAN4"
eval "$1"="\$OPENWRT_WAN4"
else
__network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return
network_find_wan $1
network_find_wan "$1"
fi
}
network_find_wan_all()
{
network_find_wan_all() {
network_find_wan4_all "$@"
}
network_find_wan6_all()
{
network_find_wan6_all() {
if [ -n "$OPENWRT_WAN6" ]; then
eval $1="\$OPENWRT_WAN6"
eval "$1"="\$OPENWRT_WAN6"
else
__network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return
network_find_wan6 $1
network_find_wan6 "$1"
fi
}
network_find_wanX_devices()
{
network_find_wanX_devices() {
# $1 - ip version: 4 or 6
# $2 - variable to put result to
local ifaces
network_find_wan${1}_all ifaces
call_for_multiple_items network_get_device $2 "$ifaces"
network_find_wan"${1}"_all ifaces
call_for_multiple_items network_get_device "$2" "$ifaces"
}
dnat6_target()
{
# $1 - lan network name
dnat6_target() {
# $1 - LAN network name
# $2 - var to store target ip6
network_is_up $1 || {
[ -n "$2" ] && eval $2=''
network_is_up "$1" || {
[ -n "$2" ] && eval "$2"=''
return
}
local DEVICE
network_get_device DEVICE $1
network_get_device DEVICE "$1"
_dnat6_target $DEVICE $2
_dnat6_target "$DEVICE" "$2"
}
set_route_localnet()
{
set_route_localnet() {
# $1 - 1 = enable, 0 = disable
local DLAN
call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
_set_route_localnet $1 $DLAN
_set_route_localnet "$1" "$DLAN"
}
fw_nfqws_prepost_x()
{
fw_nfqws_prepost_x() {
# $1 - 1 - add, 0 - del
# $2 - filter
# $3 - queue number
@ -111,29 +101,24 @@ fw_nfqws_prepost_x()
# $5 - post/pre
local ifaces DWAN
network_find_wan${4}_all ifaces
network_find_wan"${4}"_all ifaces
call_for_multiple_items network_get_device DWAN "$ifaces"
[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
[ -n "$DWAN" ] && _fw_nfqws_"${5}"${4} "$1" "$2" "$3" "$(unique "$DWAN")"
}
fw_nfqws_post4()
{
fw_nfqws_prepost_x $1 "$2" $3 4 post
fw_nfqws_post4() {
fw_nfqws_prepost_x "$1" "$2" "$3" 4 post
}
fw_nfqws_post6()
{
fw_nfqws_prepost_x $1 "$2" $3 6 post
fw_nfqws_post6() {
fw_nfqws_prepost_x "$1" "$2" "$3" 6 post
}
fw_nfqws_pre4()
{
fw_nfqws_prepost_x $1 "$2" $3 4 pre
fw_nfqws_pre4() {
fw_nfqws_prepost_x "$1" "$2" "$3" 4 pre
}
fw_nfqws_pre6()
{
fw_nfqws_prepost_x $1 "$2" $3 6 pre
fw_nfqws_pre6() {
fw_nfqws_prepost_x "$1" "$2" "$3" 6 pre
}
fw_tpws_x()
{
fw_tpws_x() {
# $1 - 1 - add, 0 - del
# $2 - filter
# $3 - tpws port
@ -143,102 +128,88 @@ fw_tpws_x()
call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
network_find_wan${4}_all ifaces
network_find_wan"${4}"_all ifaces
call_for_multiple_items network_get_device DWAN "$ifaces"
[ -n "$DWAN" ] && _fw_tpws${4} $1 "$2" $3 "$DLAN" "$(unique $DWAN)"
[ -n "$DWAN" ] && _fw_tpws"${4}" "$1" "$2" "$3" "$DLAN" "$(unique "$DWAN")"
}
fw_tpws4()
{
fw_tpws_x $1 "$2" $3 4
fw_tpws4() {
fw_tpws_x "$1" "$2" "$3" 4
}
fw_tpws6()
{
fw_tpws_x $1 "$2" $3 6
fw_tpws6() {
fw_tpws_x "$1" "$2" "$3" 6
}
create_ipset()
{
create_ipset() {
echo "Creating ip list table (firewall type $FWTYPE)"
"$IPSET_CR" "$@"
}
list_nfqws_rules()
{
# $1 = '' for ipv4, '6' for ipv6
ip$1tables -S POSTROUTING -t mangle | \
grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \
list_nfqws_rules() {
# $1 = '' for IPv4, '6' for IPv6
ip"$1"tables -S POSTROUTING -t mangle |
grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM + 1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 11)) --queue-bypass" |
sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
}
apply_flow_offloading_enable_rule()
{
# $1 = '' for ipv4, '6' for ipv6
apply_flow_offloading_enable_rule() {
# $1 = '' for IPv4, '6' for IPv6
local i off='-j FLOWOFFLOAD'
[ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw"
i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off"
echo enabling ipv${1:-4} flow offloading : $i
ip$1tables -A $i
echo enabling ipv"${1:-4}" flow offloading : "$i"
ip"$1"tables -A "$i"
}
apply_flow_offloading_exempt_rule()
{
# $1 = '' for ipv4, '6' for ipv6
apply_flow_offloading_exempt_rule() {
# $1 = '' for IPv4, '6' for IPv6
local i v
v=$1
shift
i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN"
echo applying ipv${v:-4} flow offloading exemption : $i
ip${v}tables -A $i
echo applying ipv"${v:-4}" flow offloading exemption : "$i"
ip"${v}"tables -A "$i"
}
flow_offloading_unexempt_v()
{
# $1 = '' for ipv4, '6' for ipv6
flow_offloading_unexempt_v() {
# $1 = '' for IPv4, '6' for IPv6
local DWAN
network_find_wanX_devices ${1:-4} DWAN
for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done
ip$1tables -F forwarding_rule_zapret 2>/dev/null
ip$1tables -X forwarding_rule_zapret 2>/dev/null
network_find_wanX_devices "${1:-4}" DWAN
for i in $DWAN; do ipt"$1"_del FORWARD -o "$i" -j forwarding_rule_zapret; done
ip"$1"tables -F forwarding_rule_zapret 2>/dev/null
ip"$1"tables -X forwarding_rule_zapret 2>/dev/null
}
flow_offloading_exempt_v()
{
# $1 = '' for ipv4, '6' for ipv6
is_ipt_flow_offload_avail $1 || return 0
flow_offloading_exempt_v() {
# $1 = '' for IPv4, '6' for IPv6
is_ipt_flow_offload_avail "$1" || return 0
flow_offloading_unexempt_v $1
flow_offloading_unexempt_v "$1"
[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
ip$1tables -N forwarding_rule_zapret
ip"$1"tables -N forwarding_rule_zapret
# remove outgoing interface
list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' |
while read rule; do
apply_flow_offloading_exempt_rule "$1" $rule
done
list_nfqws_rules "$1" | sed -re 's/-o +[^ ]+//g' |
while read rule; do
apply_flow_offloading_exempt_rule "$1" "$rule"
done
apply_flow_offloading_enable_rule $1
apply_flow_offloading_enable_rule "$1"
# only outgoing to WAN packets trigger flow offloading
local DWAN
network_find_wanX_devices ${1:-4} DWAN
for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done
network_find_wanX_devices "${1:-4}" DWAN
for i in $DWAN; do ipt"$1" FORWARD -o "$i" -j forwarding_rule_zapret; done
}
return 0
}
flow_offloading_exempt()
{
flow_offloading_exempt() {
[ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v
[ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6
}
flow_offloading_unexempt()
{
flow_offloading_unexempt() {
[ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v
[ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6
}
nft_fill_ifsets_overload()
{
nft_fill_ifsets_overload() {
local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6
call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
@ -255,29 +226,23 @@ nft_fill_ifsets_overload()
nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6"
}
nft_fw_tpws4()
{
_nft_fw_tpws4 "$1" $2 always_apply_wan_filter
nft_fw_tpws4() {
_nft_fw_tpws4 "$1" "$2" always_apply_wan_filter
}
nft_fw_tpws6()
{
nft_fw_tpws6() {
local DLAN
call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
_nft_fw_tpws6 "$1" $2 "$DLAN" always_apply_wan_filter
_nft_fw_tpws6 "$1" "$2" "$DLAN" always_apply_wan_filter
}
nft_fw_nfqws_post4()
{
_nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter
nft_fw_nfqws_post4() {
_nft_fw_nfqws_post4 "$1" "$2" always_apply_wan_filter
}
nft_fw_nfqws_post6()
{
_nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter
nft_fw_nfqws_post6() {
_nft_fw_nfqws_post6 "$1" "$2" always_apply_wan_filter
}
nft_fw_nfqws_pre4()
{
_nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter
nft_fw_nfqws_pre4() {
_nft_fw_nfqws_pre4 "$1" "$2" always_apply_wan_filter
}
nft_fw_nfqws_pre6()
{
_nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter
nft_fw_nfqws_pre6() {
_nft_fw_nfqws_pre6 "$1" "$2" always_apply_wan_filter
}


@ -25,17 +25,16 @@ my_extra_command restart_daemons "Restart zapret firewall only (=restart in ipta
SCRIPT=$(readlink /etc/init.d/zapret)
if [ -n "$SCRIPT" ]; then
EXEDIR=$(dirname "$SCRIPT")
ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
EXEDIR=$(dirname "$SCRIPT")
ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
else
ZAPRET_BASE=/opt/zapret
ZAPRET_BASE=/opt/zapret
fi
. "$ZAPRET_BASE/init.d/openwrt/functions"
# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately
# !!!!! in new openwrt >21.x with nftables firewall is configured here
# !!!!! in old OpenWrt 21.x- with iptables firewall rules are configured separately
# !!!!! in new OpenWrt >21.x with nftables firewall is configured here
PIDDIR=/var/run
@ -50,8 +49,7 @@ TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
run_daemon()
{
run_daemon() {
# $1 - daemon string id or number. can use 1,2,3,...
# $2 - daemon
# $3 - daemon args
@ -59,13 +57,12 @@ run_daemon()
local DAEMONBASE="$(basename "$2")"
echo "Starting daemon $1: $2 $3"
procd_open_instance
procd_set_param command $2 $3
procd_set_param pidfile $PIDDIR/$DAEMONBASE$1.pid
procd_set_param command "$2" "$3"
procd_set_param pidfile $PIDDIR/"$DAEMONBASE"$1.pid
procd_close_instance
}
run_tpws()
{
run_tpws() {
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
local OPT="$TPWS_OPT_BASE"
@ -75,144 +72,128 @@ run_tpws()
[ "$DISABLE_IPV6" = "1" ] || {
OPT="$OPT $TPWS_OPT_BASE6"
for lan in $OPENWRT_LAN; do
network_get_device DEVICE $lan
[ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
network_get_device DEVICE "$lan"
[ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
done
}
run_daemon $1 "$TPWS" "$OPT $2"
run_daemon "$1" "$TPWS" "$OPT $2"
}
run_tpws_socks()
{
run_tpws_socks() {
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
local opt="$TPWS_OPT_BASE --socks"
tpws_apply_socks_binds opt
run_daemon $1 "$TPWS" "$opt $2"
run_daemon "$1" "$TPWS" "$opt $2"
}
stop_tpws()
{
stop_daemon $1 "$TPWS"
stop_tpws() {
stop_daemon "$1" "$TPWS"
}
tpws_apply_socks_binds()
{
tpws_apply_socks_binds() {
local o
[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
for lan in $OPENWRT_LAN; do
network_get_device DEVICE $lan
[ -n "$DEVICE" ] || continue
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
network_get_device DEVICE "$lan"
[ -n "$DEVICE" ] || continue
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
done
eval $1="\"\$$1 $o\""
eval "$1"="\"\$$1 $o\""
}
start_daemons_procd()
{
start_daemons_procd() {
local opt qn qns qn6 qns6
case "${MODE_OVERRIDE:-$MODE}" in
tpws)
opt="--port=$TPPORT $TPWS_OPT"
tpws)
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
run_tpws 1 "$opt"
;;
tpws-socks)
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
run_tpws_socks 1 "$opt"
;;
nfqws)
# quite complex but we need to minimize nfqws processes to save RAM
get_nfqws_qnums qn qns qn6 qns6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
filter_apply_hostlist_target opt
run_tpws 1 "$opt"
;;
tpws-socks)
opt="--port=$TPPORT $TPWS_OPT"
run_daemon 1 "$NFQWS" "$opt"
}
[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
filter_apply_hostlist_target opt
run_tpws_socks 1 "$opt"
;;
nfqws)
# quite complex but we need to minimize nfqws processes to save RAM
get_nfqws_qnums qn qns qn6 qns6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
filter_apply_hostlist_target opt
run_daemon 1 "$NFQWS" "$opt"
}
[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
filter_apply_hostlist_target opt
run_daemon 2 "$NFQWS" "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6"
filter_apply_hostlist_target opt
run_daemon 3 "$NFQWS" "$opt"
}
[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
opt="--qnum=$qns6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6"
filter_apply_hostlist_target opt
run_daemon 4 "$NFQWS" "$opt"
}
get_nfqws_qnums_quic qn qn6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
filter_apply_hostlist_target opt
run_daemon 10 "$NFQWS" "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
filter_apply_hostlist_target opt
run_daemon 11 "$NFQWS" "$opt"
}
;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons $1
;;
run_daemon 2 "$NFQWS" "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6"
filter_apply_hostlist_target opt
run_daemon 3 "$NFQWS" "$opt"
}
[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
opt="--qnum=$qns6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6"
filter_apply_hostlist_target opt
run_daemon 4 "$NFQWS" "$opt"
}
get_nfqws_qnums_quic qn qn6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
filter_apply_hostlist_target opt
run_daemon 10 "$NFQWS" "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
filter_apply_hostlist_target opt
run_daemon 11 "$NFQWS" "$opt"
}
;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons "$1"
;;
esac
return 0
}
start_daemons()
{
start_daemons() {
rc_procd start_daemons_procd "$@"
}
stop_daemons()
{
procd_kill "$(basename ${basescript:-$initscript})" "$1"
stop_daemons() {
procd_kill "$(basename "${basescript:-$initscript}")" "$1"
}
restart_daemons()
{
restart_daemons() {
stop_daemons
start_daemons
}
start_fw()
{
start_fw() {
zapret_apply_firewall
}
stop_fw()
{
stop_fw() {
zapret_unapply_firewall
}
restart_fw()
{
restart_fw() {
stop_fw
start_fw
}
reload_ifsets()
{
reload_ifsets() {
zapret_reload_ifsets
}
list_ifsets()
{
list_ifsets() {
zapret_list_ifsets
}
list_table()
{
list_table() {
zapret_list_table
}
start_service()
{
start_service() {
start_daemons_procd
[ "$INIT_APPLY_FW" != "1" ] || {
linux_fwtype
@ -220,8 +201,7 @@ start_service()
}
}
stop_service()
{
stop_service() {
# this procedure is called from stop()
# stop() already stop daemons
[ "$INIT_APPLY_FW" != "1" ] || {
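Review bot: `procd_set_param command "$2" "$3"` in run_daemon changes behaviour: the header documents `$3` as "daemon args", and every caller in this section (run_tpws, run_tpws_socks, start_daemons_procd) builds it as one space-joined option string, so quoting it hands tpws/nfqws all of their options as a single argv element and they will not parse. Keep the split and mark it intentional, `# shellcheck disable=SC2086 -- $3 is a pre-built option string that must word-split` followed by `procd_set_param command "$2" $3`; the sysv functions file later in this commit makes the same change in its run_daemon (`start-stop-daemon … -- "$3"` and `"$2" "$3" … &`) and needs the same fix. On the next line, `$PIDDIR/"$DAEMONBASE"$1.pid` quotes only the middle of the path; `"$PIDDIR/$DAEMONBASE$1.pid"` is the conventional form.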


@ -14,7 +14,8 @@ sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
# required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
pfctl -d ; pfctl -e
pfctl -d
pfctl -e
# add ipfw rules and start daemon


@ -1,22 +1,20 @@
# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
# need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
QNUM2=$(($QNUM+20))
QNUM2=$(($QNUM + 20))
zapret_custom_daemons()
{
zapret_custom_daemons() {
# stop logic is managed by procd
local MODE_OVERRIDE=nfqws
local opt
zapret_do_daemons $1
zapret_do_daemons "$1"
opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
do_nfqws $1 100 "$opt"
do_nfqws "$1" 100 "$opt"
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=nfqws
@ -24,16 +22,15 @@ zapret_custom_firewall()
local first_packet_only="$ipt_connbytes 1:1"
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
zapret_do_firewall_rules_ipt $1
zapret_do_firewall_rules_ipt "$1"
f='-p udp -m length --length 109:407 -m u32 --u32'
uf4='0>>22&0x3C@8>>16=0x6431'
uf6='48>>16=0x6431'
fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
uf4='0>>22&0x3C@8>>16=0x6431'
uf6='48>>16=0x6431'
fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local MODE_OVERRIDE=nfqws
@ -46,4 +43,3 @@ zapret_custom_firewall_nft()
f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
}


@ -2,22 +2,20 @@
# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
QNUM2=$(($QNUM+10))
QNUM2=$(($QNUM + 10))
zapret_custom_daemons()
{
zapret_custom_daemons() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=nfqws
local opt
zapret_do_daemons $1
zapret_do_daemons "$1"
opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
do_nfqws $1 100 "$opt"
do_nfqws "$1" 100 "$opt"
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=nfqws
@ -25,14 +23,13 @@ zapret_custom_firewall()
local first_packets_only="$ipt_connbytes 1:3"
local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
zapret_do_firewall_rules_ipt $1
zapret_do_firewall_rules_ipt "$1"
f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local MODE_OVERRIDE=nfqws


@ -4,35 +4,32 @@ MY_TPPORT=$(($TPPORT + 1))
MY_TPWS_OPT="--methodeol --hostcase"
MY_DPORT=81
zapret_custom_daemons()
{
zapret_custom_daemons() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=tpws
local opt
zapret_do_daemons $1
zapret_do_daemons "$1"
opt="--port=$MY_TPPORT $MY_TPWS_OPT"
filter_apply_hostlist_target opt
do_tpws $1 100 "$opt"
do_tpws "$1" 100 "$opt"
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local MODE_OVERRIDE=tpws
local f4 f6
zapret_do_firewall_rules_ipt $1
zapret_do_firewall_rules_ipt "$1"
f4="-p tcp --dport $MY_DPORT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $MY_TPPORT
fw_tpws "$1" "$f4" "$f6" $MY_TPPORT
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local MODE_OVERRIDE=tpws


@ -1,8 +1,7 @@
# this custom script demonstrates how to apply tpws to http and nfqws to https
# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
zapret_custom_daemons()
{
zapret_custom_daemons() {
# $1 - 1 - run, 0 - stop
local opt
@ -10,17 +9,16 @@ zapret_custom_daemons()
[ "$MODE_HTTP" = "1" ] && {
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
do_tpws $1 1 "$opt"
do_tpws "$1" 1 "$opt"
}
[ "$MODE_HTTPS" = "1" ] && {
opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
filter_apply_hostlist_target opt
do_nfqws $1 2 "$opt"
do_nfqws "$1" 2 "$opt"
}
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
local f4 f6
@ -31,20 +29,19 @@ zapret_custom_firewall()
f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
f6=$f4
filter_apply_ipset_target f4 f6
fw_tpws $1 "$f4" "$f6" $TPPORT
fw_tpws "$1" "$f4" "$f6" "$TPPORT"
}
[ "$MODE_HTTPS" = "1" ] && {
f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
f6=$f4
filter_apply_ipset_target f4 f6
fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM"
# for modes that require incoming traffic
fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
fw_reverse_nfqws_rule "$1" "$f4" "$f6" "$QNUM"
}
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
local f4 f6
@ -55,15 +52,15 @@ zapret_custom_firewall_nft()
f4="tcp dport {$HTTP_PORTS}"
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_tpws "$f4" "$f6" $TPPORT
nft_fw_tpws "$f4" "$f6" "$TPPORT"
}
[ "$MODE_HTTPS" = "1" ] && {
f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
f6=$f4
nft_filter_apply_ipset_target f4 f6
nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM"
# for modes that require incoming traffic
nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM"
}
}


@ -2,8 +2,7 @@
# use helpers from "functions" file
# in case of upgrade keep this file only, do not modify others
zapret_custom_daemons()
{
zapret_custom_daemons() {
# $1 - 1 - run, 0 - stop
# PLACEHOLDER
@ -11,10 +10,9 @@ zapret_custom_daemons()
echo Start daemon\(s\)
echo Study how other sections work
do_daemon $1 1 /bin/sleep 20
do_daemon "$1" 1 /bin/sleep 20
}
zapret_custom_firewall()
{
zapret_custom_firewall() {
# $1 - 1 - run, 0 - stop
# PLACEHOLDER
@ -23,8 +21,7 @@ zapret_custom_firewall()
echo Study how other sections work
}
zapret_custom_firewall_nft()
{
zapret_custom_firewall_nft() {
# stop logic is not required
# PLACEHOLDER


@ -13,38 +13,34 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
. "$ZAPRET_BASE/common/linux_fw.sh"
. "$ZAPRET_BASE/common/list.sh"
user_exists()
{
id -u $1 >/dev/null 2>/dev/null
user_exists() {
id -u "$1" >/dev/null 2>/dev/null
}
useradd_compat()
{
useradd_compat() {
# $1 - username
# skip for readonly systems
[ -w "/etc" ] && {
if exists useradd ; then
useradd --no-create-home --system --shell /bin/false $1
elif is_linked_to_busybox adduser ; then
if exists useradd; then
useradd --no-create-home --system --shell /bin/false "$1"
elif is_linked_to_busybox adduser; then
# some systems may miss nogroup group in /etc/group
# adduser fails if it's absent and no group is specified
addgroup nogroup 2>/dev/null
# busybox has special adduser syntax
adduser -S -H -D $1
adduser -S -H -D "$1"
elif exists adduser; then
adduser --no-create-home --system --disabled-login $1
adduser --no-create-home --system --disabled-login "$1"
fi
}
user_exists $1
user_exists "$1"
}
prepare_user()
{
prepare_user() {
# $WS_USER is required to prevent redirection of the traffic originating from TPWS itself
# otherwise infinite loop will occur
# also its good idea not to run tpws as root
user_exists $WS_USER || {
user_exists "$WS_USER" || {
# fallback to daemon if we cant add WS_USER
useradd_compat $WS_USER || {
useradd_compat "$WS_USER" || {
for user in daemon nobody; do
user_exists $user && {
WS_USER=$user
@ -59,10 +55,10 @@ prepare_user()
# this complex user selection allows to survive in any locked/readonly/minimalistic environment
[ -n "$WS_USER" ] || WS_USER=tpws
if prepare_user; then
USEROPT="--user=$WS_USER"
USEROPT="--user=$WS_USER"
else
WS_USER=1
USEROPT="--uid $WS_USER:$WS_USER"
WS_USER=1
USEROPT="--uid $WS_USER:$WS_USER"
fi
PIDDIR=/var/run
@ -97,72 +93,54 @@ CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom"
IPSET_EXCLUDE="-m set ! --match-set nozapret"
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
dnat6_target()
{
dnat6_target() {
_dnat6_target "$@"
}
set_route_localnet()
{
_set_route_localnet $1 "$IFACE_LAN"
set_route_localnet() {
_set_route_localnet "$1" "$IFACE_LAN"
}
fw_nfqws_post4()
{
_fw_nfqws_post4 $1 "$2" $3 "$IFACE_WAN"
fw_nfqws_post4() {
_fw_nfqws_post4 "$1" "$2" "$3" "$IFACE_WAN"
}
fw_nfqws_post6()
{
_fw_nfqws_post6 $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
fw_nfqws_post6() {
_fw_nfqws_post6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}"
}
fw_nfqws_pre4()
{
_fw_nfqws_pre4 $1 "$2" $3 "$IFACE_WAN"
fw_nfqws_pre4() {
_fw_nfqws_pre4 "$1" "$2" "$3" "$IFACE_WAN"
}
fw_nfqws_pre6()
{
_fw_nfqws_pre6 $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
fw_nfqws_pre6() {
_fw_nfqws_pre6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}"
}
fw_tpws4()
{
_fw_tpws4 $1 "$2" $3 "$IFACE_LAN" "$IFACE_WAN"
fw_tpws4() {
_fw_tpws4 "$1" "$2" "$3" "$IFACE_LAN" "$IFACE_WAN"
}
fw_tpws6()
{
_fw_tpws6 $1 "$2" $3 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
fw_tpws6() {
_fw_tpws6 "$1" "$2" "$3" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
}
nft_fw_tpws4()
{
_nft_fw_tpws4 "$1" $2 "$IFACE_WAN"
nft_fw_tpws4() {
_nft_fw_tpws4 "$1" "$2" "$IFACE_WAN"
}
nft_fw_tpws6()
{
_nft_fw_tpws6 "$1" $2 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
nft_fw_tpws6() {
_nft_fw_tpws6 "$1" "$2" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
}
nft_fw_nfqws_post4()
{
_nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN"
nft_fw_nfqws_post4() {
_nft_fw_nfqws_post4 "$1" "$2" "$IFACE_WAN"
}
nft_fw_nfqws_post6()
{
_nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
nft_fw_nfqws_post6() {
_nft_fw_nfqws_post6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}"
}
nft_fw_nfqws_pre4()
{
_nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN"
nft_fw_nfqws_pre4() {
_nft_fw_nfqws_pre4 "$1" "$2" "$IFACE_WAN"
}
nft_fw_nfqws_pre6()
{
_nft_fw_nfqws_pre6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
nft_fw_nfqws_pre6() {
_nft_fw_nfqws_pre6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}"
}
nft_fill_ifsets_overload()
{
nft_fill_ifsets_overload() {
nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}"
}
run_daemon()
{
run_daemon() {
# $1 - daemon number : 1,2,3,...
# $2 - daemon
# $3 - daemon args
@ -171,52 +149,48 @@ run_daemon()
local DAEMONBASE="$(basename "$2")"
local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
echo "Starting daemon $1: $2 $3"
if exists start-stop-daemon ; then
start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3
if exists start-stop-daemon; then
start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- "$3"
else
if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then
echo already running
else
"$2" $3 >/dev/null 2>/dev/null &
"$2" "$3" >/dev/null 2>/dev/null &
PID=$!
if [ -n "$PID" ]; then
echo $PID >$PIDFILE
echo $PID >"$PIDFILE"
else
echo could not start daemon $1 : $2 $3
echo could not start daemon "$1" : "$2" "$3"
false
fi
fi
fi
}
stop_daemon()
{
stop_daemon() {
# $1 - daemon number : 1,2,3,...
# $2 - daemon
# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
local DAEMONBASE="$(basename "$2")"
local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
echo "Stopping daemon $1: $2"
if exists start-stop-daemon ; then
if exists start-stop-daemon; then
start-stop-daemon -K -p "$PIDFILE" -x "$2"
else
if [ -f "$PIDFILE" ]; then
read PID <"$PIDFILE"
kill $PID
kill "$PID"
rm -f "$PIDFILE"
else
echo no pidfile : $PIDFILE
echo no pidfile : "$PIDFILE"
fi
fi
}
do_daemon()
{
do_daemon() {
# $1 - 1 - run, 0 - stop
on_off_function run_daemon stop_daemon "$@"
}
do_tpws()
{
do_tpws() {
# $1 : 1 - run, 0 - stop
# $2 : daemon number
# $3 : daemon args
@ -233,10 +207,9 @@ do_tpws()
done
}
do_daemon $1 $2 "$TPWS" "$OPT $3"
do_daemon "$1" "$2" "$TPWS" "$OPT $3"
}
do_tpws_socks()
{
do_tpws_socks() {
# $1 : 1 - run, 0 - stop
# $2 : daemon number
# $3 : daemon args
@ -247,104 +220,95 @@ do_tpws_socks()
tpws_apply_socks_binds opt
do_daemon $1 $2 "$TPWS" "$opt $3"
do_daemon "$1" "$2" "$TPWS" "$opt $3"
}
do_nfqws()
{
do_nfqws() {
# $1 : 1 - run, 0 - stop
# $2 : daemon number
# $3 : daemon args
do_daemon $1 $2 "$NFQWS" "$NFQWS_OPT_BASE $3"
do_daemon "$1" "$2" "$NFQWS" "$NFQWS_OPT_BASE $3"
}
tpws_apply_socks_binds()
{
tpws_apply_socks_binds() {
local o
[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
for lan in $IFACE_LAN; do
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
done
eval $1="\"\$$1 $o\""
eval "$1"="\"\$$1 $o\""
}
create_ipset()
{
create_ipset() {
echo "Creating ip list table (firewall type $FWTYPE)"
"$IPSET_CR" "$@"
}
zapret_do_daemons()
{
zapret_do_daemons() {
# $1 - 1 - run, 0 - stop
local opt qn qns qn6 qns6
case "${MODE_OVERRIDE:-$MODE}" in
tpws)
opt="--port=$TPPORT $TPWS_OPT"
tpws)
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
do_tpws "$1" 1 "$opt"
;;
tpws-socks)
opt="--port=$TPPORT $TPWS_OPT"
filter_apply_hostlist_target opt
do_tpws_socks "$1" 1 "$opt"
;;
nfqws)
get_nfqws_qnums qn qns qn6 qns6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP"
filter_apply_hostlist_target opt
do_tpws $1 1 "$opt"
;;
tpws-socks)
opt="--port=$TPPORT $TPWS_OPT"
do_nfqws "$1" 1 "$opt"
}
[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS"
filter_apply_hostlist_target opt
do_tpws_socks $1 1 "$opt"
;;
nfqws)
get_nfqws_qnums qn qns qn6 qns6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP"
filter_apply_hostlist_target opt
do_nfqws $1 1 "$opt"
}
[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS"
filter_apply_hostlist_target opt
do_nfqws $1 2 "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6"
filter_apply_hostlist_target opt
do_nfqws $1 3 "$opt"
}
[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6"
filter_apply_hostlist_target opt
do_nfqws $1 4 "$opt"
}
get_nfqws_qnums_quic qn qn6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
filter_apply_hostlist_target opt
do_nfqws $1 10 "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
filter_apply_hostlist_target opt
do_nfqws $1 11 "$opt"
}
;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons $1
;;
do_nfqws "$1" 2 "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6"
filter_apply_hostlist_target opt
do_nfqws "$1" 3 "$opt"
}
[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6"
filter_apply_hostlist_target opt
do_nfqws "$1" 4 "$opt"
}
get_nfqws_qnums_quic qn qn6
[ -z "$qn" ] || {
opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
filter_apply_hostlist_target opt
do_nfqws "$1" 10 "$opt"
}
[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
filter_apply_hostlist_target opt
do_nfqws "$1" 11 "$opt"
}
;;
custom)
existf zapret_custom_daemons && zapret_custom_daemons "$1"
;;
esac
return 0
}
zapret_run_daemons()
{
zapret_run_daemons() {
zapret_do_daemons 1 "$@"
}
zapret_stop_daemons()
{
zapret_stop_daemons() {
zapret_do_daemons 0 "$@"
}


@ -15,65 +15,63 @@ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
NAME=zapret
DESC=anti-zapret
do_start()
{
do_start() {
zapret_run_daemons
[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
}
do_stop()
{
do_stop() {
zapret_stop_daemons
[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
}
case "$1" in
start)
do_start
;;
start)
do_start
;;
stop)
do_stop
;;
stop)
do_stop
;;
restart)
do_stop
do_start
;;
restart)
do_stop
do_start
;;
start-fw|start_fw)
zapret_apply_firewall
;;
stop-fw|stop_fw)
zapret_unapply_firewall
;;
start-fw | start_fw)
zapret_apply_firewall
;;
stop-fw | stop_fw)
zapret_unapply_firewall
;;
restart-fw|restart_fw)
zapret_unapply_firewall
zapret_apply_firewall
;;
restart-fw | restart_fw)
zapret_unapply_firewall
zapret_apply_firewall
;;
start-daemons|start_daemons)
zapret_run_daemons
;;
stop-daemons|stop_daemons)
zapret_stop_daemons
;;
restart-daemons|restart_daemons)
zapret_stop_daemons
zapret_run_daemons
;;
start-daemons | start_daemons)
zapret_run_daemons
;;
stop-daemons | stop_daemons)
zapret_stop_daemons
;;
restart-daemons | restart_daemons)
zapret_stop_daemons
zapret_run_daemons
;;
reload-ifsets|reload_ifsets)
zapret_reload_ifsets
;;
list-ifsets|list_ifsets)
zapret_list_ifsets
;;
list-table|list_table)
zapret_list_table
;;
reload-ifsets | reload_ifsets)
zapret_reload_ifsets
;;
list-ifsets | list_ifsets)
zapret_list_ifsets
;;
list-table | list_table)
zapret_list_table
;;
*)
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
exit 1


@ -1,15 +1,17 @@
#!/bin/sh
EXEDIR="$(dirname "$0")"
EXEDIR="$(cd "$EXEDIR"; pwd)"
EXEDIR="$(
cd "$EXEDIR"
pwd
)"
BINS=binaries
BINDIR="$EXEDIR/$BINS"
ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
. "$ZAPRET_BASE/common/base.sh"
check_dir()
{
check_dir() {
local dir="$BINDIR/$1"
local exe="$dir/ip2net"
local out
@ -39,8 +41,7 @@ check_dir()
}
# link or copy executables. uncomment either ln or cp, comment other
ccp()
{
ccp() {
local F="$(basename "$1")"
[ -d "$ZAPRET_BASE/$2" ] || mkdir "$ZAPRET_BASE/$2"
[ -f "$ZAPRET_BASE/$2/$F" ] && rm -f "$ZAPRET_BASE/$2/$F"
@ -51,49 +52,48 @@ ccp()
UNAME=$(uname)
unset PKTWS
case $UNAME in
Linux)
ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
PKTWS=nfqws
;;
Darwin)
ARCHLIST="my mac64"
;;
FreeBSD)
ARCHLIST="my freebsd-x64"
PKTWS=dvtws
;;
CYGWIN*)
UNAME=CYGWIN
ARCHLIST="win64"
PKTWS=winws
;;
*)
ARCHLIST="my"
Linux)
ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
PKTWS=nfqws
;;
Darwin)
ARCHLIST="my mac64"
;;
FreeBSD)
ARCHLIST="my freebsd-x64"
PKTWS=dvtws
;;
CYGWIN*)
UNAME=CYGWIN
ARCHLIST="win64"
PKTWS=winws
;;
*)
ARCHLIST="my"
;;
esac
if [ "$1" = "getarch" ]; then
for arch in $ARCHLIST
do
for arch in $ARCHLIST; do
[ -d "$BINDIR/$arch" ] || continue
if check_dir $arch; then
echo $arch
exit 0
fi
if check_dir "$arch"; then
echo "$arch"
exit 0
fi
done
else
for arch in $ARCHLIST
do
for arch in $ARCHLIST; do
[ -d "$BINDIR/$arch" ] || continue
if check_dir $arch; then
echo $arch is OK
if check_dir "$arch"; then
echo "$arch" is OK
echo installing binaries ...
ccp $arch/ip2net ip2net
ccp $arch/mdig mdig
[ -n "$PKTWS" ] && ccp $arch/$PKTWS nfq
[ "$UNAME" = CYGWIN ] || ccp $arch/tpws tpws
exit 0
ccp "$arch"/ip2net ip2net
ccp "$arch"/mdig mdig
[ -n "$PKTWS" ] && ccp "$arch"/$PKTWS nfq
[ "$UNAME" = CYGWIN ] || ccp "$arch"/tpws tpws
exit 0
else
echo $arch is NOT OK
echo "$arch" is NOT OK
fi
done
echo no compatible binaries found
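Review bot: The reformatted `EXEDIR="$( cd "$EXEDIR"; pwd )"` at the top of this section still runs `pwd` even when `cd` fails, so an unreadable or missing script directory leaves EXEDIR pointing at the caller's working directory and BINDIR and the sourced `common/base.sh` path silently follow it. The same commit writes the block as `cd "$IPSET_DIR" || exit` in the last ipset section, so the two forms are now inconsistent; `cd "$EXEDIR" || exit` here would instead leave EXEDIR empty and the script should stop at the `.` source line. The identical `cd`/`pwd` block without the check appears again in the next two sections and in the first ipset section.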


@ -3,7 +3,10 @@
# automated script for easy installing zapret
EXEDIR="$(dirname "$0")"
EXEDIR="$(cd "$EXEDIR"; pwd)"
EXEDIR="$(
cd "$EXEDIR"
pwd
)"
ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -31,17 +34,16 @@ GET_LIST="$IPSET_DIR/get_config.sh"
[ -n "$TPPORT" ] || TPPORT=988
check_readonly_system()
{
check_readonly_system() {
local RO
echo \* checking readonly system
case $SYSTEM in
systemd)
[ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1
;;
openrc)
[ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1
;;
case $SYSTEM in
systemd)
[ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1
;;
openrc)
[ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1
;;
esac
[ -z "$RO" ] || {
echo '!!! READONLY SYSTEM DETECTED !!!'
@ -51,8 +53,7 @@ check_readonly_system()
}
}
check_bins()
{
check_bins() {
echo \* checking executables
fix_perms_bin_test "$EXEDIR"
@ -66,7 +67,7 @@ check_bins()
arch=""
fi
}
if [ -n "$arch" ] ; then
if [ -n "$arch" ]; then
echo found architecture "\"$arch\""
elif [ -f "$EXEDIR/Makefile" ] && exists make; then
echo trying to compile
@ -83,17 +84,14 @@ check_bins()
fi
}
call_install_bin()
{
sh "$EXEDIR/install_bin.sh" $1
call_install_bin() {
sh "$EXEDIR/install_bin.sh" "$1"
}
get_bin_arch()
{
get_bin_arch() {
call_install_bin getarch
}
install_binaries()
{
install_binaries() {
echo \* installing binaries
call_install_bin || {
@ -102,8 +100,7 @@ install_binaries()
}
}
select_mode_mode()
{
select_mode_mode() {
local edited v vars MODES="tpws tpws-socks nfqws filter custom"
[ "$SYSTEM" = "macos" ] && MODES="tpws tpws-socks filter custom"
echo
@ -111,44 +108,42 @@ select_mode_mode()
ask_list MODE "$MODES" tpws && write_config_var MODE
case $MODE in
tpws)
vars="TPWS_OPT"
;;
nfqws)
vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6"
;;
tpws)
vars="TPWS_OPT"
;;
nfqws)
vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6"
;;
esac
[ -n "$vars" ] && {
echo
while [ 1=1 ]; do
while true; do
for var in $vars; do
eval v="\$$var"
echo $var=\"$v\"
echo "$var"=\""$v"\"
done
ask_yes_no N "do you want to edit the options" || {
[ -n "$edited" ] && {
for var in $vars; do
write_config_var $var
write_config_var "$var"
done
}
break
}
edit_vars $vars
edit_vars "$vars"
edited=1
echo ..edited..
done
}
}
select_mode_http()
{
select_mode_http() {
[ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && {
echo
ask_yes_no_var MODE_HTTP "enable http support"
write_config_var MODE_HTTP
}
}
select_mode_keepalive()
{
select_mode_keepalive() {
[ "$MODE" = "nfqws" ] && [ "$MODE_HTTP" = "1" ] && {
echo
echo enable keep alive support only if DPI checks every outgoing packet for http signature
@ -157,16 +152,14 @@ select_mode_keepalive()
write_config_var MODE_HTTP_KEEPALIVE
}
}
select_mode_https()
{
select_mode_https() {
[ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && {
echo
ask_yes_no_var MODE_HTTPS "enable https support"
write_config_var MODE_HTTPS
}
}
select_mode_quic()
{
select_mode_quic() {
[ "$SUBSYS" = "keenetic" ] && {
echo
echo "WARNING ! Keenetic is not officially supported by zapret."
@ -183,16 +176,14 @@ select_mode_quic()
write_config_var MODE_QUIC
}
}
select_mode_filter()
{
select_mode_filter() {
local filter="none ipset hostlist autohostlist"
[ "$MODE" = "tpws-socks" ] && filter="none hostlist autohostlist"
echo
echo select filtering :
ask_list MODE_FILTER "$filter" none && write_config_var MODE_FILTER
}
select_mode()
{
select_mode() {
select_mode_mode
select_mode_iface
select_mode_http
@ -202,14 +193,13 @@ select_mode()
select_mode_filter
}
select_getlist()
{
select_getlist() {
if [ "$MODE_FILTER" = "ipset" -o "$MODE_FILTER" = "hostlist" ]; then
local D=N
[ -n "$GETLIST" ] && D=Y
echo
if ask_yes_no $D "do you want to auto download ip/host list"; then
if [ "$MODE_FILTER" = "hostlist" ] ; then
if [ "$MODE_FILTER" = "hostlist" ]; then
GETLISTS="get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
GETLIST_DEF="get_antizapret_domains.sh"
else
@ -224,14 +214,12 @@ select_getlist()
write_config_var GETLIST
}
ask_config()
{
ask_config() {
select_mode
select_getlist
}
ask_config_offload()
{
ask_config_offload() {
[ "$FWTYPE" = nftables ] || is_ipt_flow_offload_avail && {
echo
echo flow offloading can greatly increase speed on slow devices and high speed links \(usually 150+ mbits\)
@ -257,31 +245,28 @@ ask_config_offload()
}
}
ask_config_tmpdir()
{
ask_config_tmpdir() {
# ask tmpdir change for low ram systems with enough free disk space
[ -n "$GETLIST" ] && [ $(get_free_space_mb "$EXEDIR/tmp") -ge 128 ] && [ $(get_ram_mb) -le 400 ] && {
echo
echo /tmp in openwrt is tmpfs. on low RAM systems there may be not enough RAM to store downloaded files
echo default tmpfs has size of 50% RAM
echo "RAM : $(get_ram_mb) Mb"
echo "DISK : $(get_free_space_mb) Mb"
echo "RAM: $(get_ram_mb) Mb"
echo "DISK: $(get_free_space_mb) Mb"
echo select temp file location
[ -z "$TMPDIR" ] && TMPDIR=/tmp
ask_list TMPDIR "/tmp $EXEDIR/tmp" && {
[ "$TMPDIR" = "/tmp" ] && TMPDIR=
write_config_var TMPDIR
[ "$TMPDIR" = "/tmp" ] && TMPDIR=
write_config_var TMPDIR
}
}
}
nft_flow_offload()
{
nft_flow_offload() {
[ "$UNAME" = Linux -a "$FWTYPE" = nftables -a "$MODE" != "tpws-socks" ] && [ "$FLOWOFFLOAD" = software -o "$FLOWOFFLOAD" = hardware ]
}
ask_iface()
{
ask_iface() {
# $1 - var to ask
# $2 - additional name for empty string synonim
@ -290,38 +275,35 @@ ask_iface()
[ -n "$2" ] && i0="$2 "
case $SYSTEM in
macos)
ifs="$(ifconfig -l)"
;;
*)
ifs="$(ls /sys/class/net)"
;;
macos)
ifs="$(ifconfig -l)"
;;
*)
ifs="$(ls /sys/class/net)"
;;
esac
[ -z "$def" ] && eval $1="$2"
ask_list $1 "$i0$ifs" && {
[ -z "$def" ] && eval "$1"="$2"
ask_list "$1" "$i0$ifs" && {
eval new="\$$1"
[ "$new" = "$2" ] && eval $1=""
write_config_var $1
[ "$new" = "$2" ] && eval "$1"=""
write_config_var "$1"
}
}
ask_iface_lan()
{
ask_iface_lan() {
echo LAN interface :
local opt
nft_flow_offload || opt=NONE
ask_iface IFACE_LAN $opt
}
ask_iface_wan()
{
ask_iface_wan() {
echo WAN interface :
local opt
nft_flow_offload || opt=ANY
ask_iface IFACE_WAN $opt
}
select_mode_iface()
{
# openwrt has its own interface management scheme
select_mode_iface() {
# OpenWrt has its own interface management scheme
# filter just creates ip tables, no daemons involved
# nfqws sits in POSTROUTING chain and unable to filter by incoming interface
# tpws redirection works in PREROUTING chain
@ -332,63 +314,62 @@ select_mode_iface()
if [ "$SYSTEM" = "openwrt" ] || [ "$MODE" = "filter" ]; then return; fi
case "$MODE" in
tpws-socks)
echo "select LAN interface to allow socks access from your LAN. select NONE for localhost only."
echo "expect socks on tcp port $TPPORT"
tpws-socks)
echo "select LAN interface to allow SOCKS access from your LAN. select NONE for localhost only."
echo "expect SOCKS on tcp port $TPPORT"
ask_iface_lan
;;
tpws)
echo "select LAN interface to operate in router mode. select NONE for local outgoing traffic only."
if [ "$SYSTEM" = "macos" ]; then
echo "WARNING ! OS feature \"internet sharing\" is not supported."
echo "Only manually configured PF router is supported."
else
echo "WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility."
fi
ask_iface_lan
;;
custom)
echo "select LAN interface for your custom script (how it works depends on your code)"
ask_iface_lan
;;
*)
nft_flow_offload && {
echo "select LAN interface for nftables flow offloading"
ask_iface_lan
;;
tpws)
echo "select LAN interface to operate in router mode. select NONE for local outgoing traffic only."
if [ "$SYSTEM" = "macos" ]; then
echo "WARNING ! OS feature \"internet sharing\" is not supported."
echo "Only manually configured PF router is supported."
else
echo "WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility."
fi
ask_iface_lan
;;
custom)
echo "select LAN interface for your custom script (how it works depends on your code)"
ask_iface_lan
;;
*)
nft_flow_offload && {
echo "select LAN interface for nftables flow offloading"
ask_iface_lan
}
;;
}
;;
esac
case "$MODE" in
tpws)
echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
[ -n "$IFACE_LAN" ] && echo "WAN filtering works only for local outgoing traffic !"
tpws)
echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
[ -n "$IFACE_LAN" ] && echo "WAN filtering works only for local outgoing traffic !"
ask_iface_wan
;;
nfqws)
echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
ask_iface_wan
;;
custom)
echo "select WAN interface for your custom script (how it works depends on your code)"
ask_iface_wan
;;
*)
nft_flow_offload && {
echo "select WAN interface for nftables flow offloading"
ask_iface_wan
;;
nfqws)
echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
ask_iface_wan
;;
custom)
echo "select WAN interface for your custom script (how it works depends on your code)"
ask_iface_wan
;;
*)
nft_flow_offload && {
echo "select WAN interface for nftables flow offloading"
ask_iface_wan
}
;;
}
;;
esac
}
default_files()
{
default_files() {
# $1 - ro location
# $2 - rw location (can be equal to $1)
[ -d "$2/ipset" ] || mkdir -p "$2/ipset"
[ -f "$2/ipset/zapret-hosts-user-exclude.txt" ] || cp "$1/ipset/zapret-hosts-user-exclude.txt.default" "$2/ipset/zapret-hosts-user-exclude.txt"
[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >> "$2/ipset/zapret-hosts-user.txt"
[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >>"$2/ipset/zapret-hosts-user.txt"
[ -f "$2/ipset/zapret-hosts-user-ipban.txt" ] || touch "$2/ipset/zapret-hosts-user-ipban.txt"
for dir in openwrt sysv macos; do
[ -d "$1/init.d/$dir" ] && {
@ -397,15 +378,13 @@ default_files()
}
done
}
copy_all()
{
copy_all() {
local dir
cp -R "$1" "$2"
[ -d "$2/tmp" ] || mkdir "$2/tmp"
}
copy_openwrt()
{
copy_openwrt() {
local ARCH="$(get_bin_arch)"
local BINDIR="$1/binaries/$ARCH"
local file
@ -420,91 +399,84 @@ copy_openwrt()
cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
}
fix_perms_bin_test()
{
fix_perms_bin_test() {
[ -d "$1" ] || return
find "$1/binaries" -name ip2net ! -perm -111 -exec chmod +x {} \;
}
fix_perms()
{
fix_perms() {
[ -d "$1" ] || return
find "$1" -type d -exec chmod 755 {} \;
find "$1" -type f -exec chmod 644 {} \;
local chow
case "$UNAME" in
Linux)
chow=root:root
;;
*)
chow=root:wheel
Linux)
chow=root:root
;;
*)
chow=root:wheel
;;
esac
chown -R $chow "$1"
find "$1/binaries" '(' -name tpws -o -name dvtws -o -name nfqws -o -name ip2net -o -name mdig ')' -exec chmod 755 {} \;
for f in \
install_bin.sh \
blockcheck.sh \
install_easy.sh \
install_prereq.sh \
files/huawei/E8372/zapret-ip \
files/huawei/E8372/unzapret-ip \
files/huawei/E8372/run-zapret-hostlist \
files/huawei/E8372/unzapret \
files/huawei/E8372/zapret \
files/huawei/E8372/run-zapret-ip \
ipset/get_exclude.sh \
ipset/clear_lists.sh \
ipset/get_antifilter_ipresolve.sh \
ipset/get_reestr_resolvable_domains.sh \
ipset/get_config.sh \
ipset/get_reestr_preresolved.sh \
ipset/get_user.sh \
ipset/get_antifilter_allyouneed.sh \
ipset/get_reestr_resolve.sh \
ipset/create_ipset.sh \
ipset/get_reestr_hostlist.sh \
ipset/get_ipban.sh \
ipset/get_antifilter_ipsum.sh \
ipset/get_antifilter_ipsmart.sh \
ipset/get_antizapret_domains.sh \
ipset/get_reestr_preresolved_smart.sh \
ipset/get_antifilter_ip.sh \
init.d/pfsense/zapret.sh \
init.d/macos/zapret \
init.d/runit/zapret/run \
init.d/runit/zapret/finish \
init.d/openrc/zapret \
init.d/sysv/zapret \
init.d/openwrt/zapret \
uninstall_easy.sh \
; do chmod 755 "$1/$f" 2>/dev/null ; done
install_bin.sh \
blockcheck.sh \
install_easy.sh \
install_prereq.sh \
files/huawei/E8372/zapret-ip \
files/huawei/E8372/unzapret-ip \
files/huawei/E8372/run-zapret-hostlist \
files/huawei/E8372/unzapret \
files/huawei/E8372/zapret \
files/huawei/E8372/run-zapret-ip \
ipset/get_exclude.sh \
ipset/clear_lists.sh \
ipset/get_antifilter_ipresolve.sh \
ipset/get_reestr_resolvable_domains.sh \
ipset/get_config.sh \
ipset/get_reestr_preresolved.sh \
ipset/get_user.sh \
ipset/get_antifilter_allyouneed.sh \
ipset/get_reestr_resolve.sh \
ipset/create_ipset.sh \
ipset/get_reestr_hostlist.sh \
ipset/get_ipban.sh \
ipset/get_antifilter_ipsum.sh \
ipset/get_antifilter_ipsmart.sh \
ipset/get_antizapret_domains.sh \
ipset/get_reestr_preresolved_smart.sh \
ipset/get_antifilter_ip.sh \
init.d/pfsense/zapret.sh \
init.d/macos/zapret \
init.d/runit/zapret/run \
init.d/runit/zapret/finish \
init.d/openrc/zapret \
init.d/sysv/zapret \
init.d/openwrt/zapret \
uninstall_easy.sh; do chmod 755 "$1/$f" 2>/dev/null; done
}
_backup_settings()
{
_backup_settings() {
local i=0
for f in "$@"; do
[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
i=$(($i+1))
i=$(($i + 1))
done
}
_restore_settings()
{
_restore_settings() {
local i=0
for f in "$@"; do
[ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i"
i=$(($i+1))
i=$(($i + 1))
done
}
backup_restore_settings()
{
backup_restore_settings() {
# $1 - 1 - backup, 0 - restore
local mode=$1
on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
local mode="$1"
on_off_function _backup_settings _restore_settings "$mode" "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
}
check_location()
{
check_location() {
# $1 - copy function
echo \* checking location
@ -514,13 +486,13 @@ check_location()
default_files "$ZAPRET_TARGET" "$ZAPRET_RW"
else
echo
echo easy install is supported only from default location : $ZAPRET_TARGET
echo currently its run from $EXEDIR
echo easy install is supported only from default location: "$ZAPRET_TARGET"
echo currently its run from "$EXEDIR"
if ask_yes_no N "do you want the installer to copy it for you"; then
local keep=N
if [ -d "$ZAPRET_TARGET" ]; then
echo
echo installer found existing $ZAPRET_TARGET
echo installer found existing "$ZAPRET_TARGET"
echo directory needs to be replaced. config and custom scripts can be kept or replaced with clean version
if ask_yes_no N "do you want to delete all files there and copy this version"; then
echo
@ -530,7 +502,7 @@ check_location()
fi
rm -r "$ZAPRET_TARGET"
else
echo refused to overwrite $ZAPRET_TARGET. exiting
echo refused to overwrite "$ZAPRET_TARGET". exiting
exitp 3
fi
fi
@ -539,22 +511,20 @@ check_location()
$1 "$EXEDIR" "$ZAPRET_TARGET"
fix_perms "$ZAPRET_TARGET"
[ "$keep" = "Y" ] && backup_restore_settings 0
echo relaunching itself from $ZAPRET_TARGET
echo relaunching itself from "$ZAPRET_TARGET"
exec "$ZAPRET_TARGET/$(basename "$0")"
else
echo copying aborted. exiting
exitp 3
fi
fi
echo running from $EXEDIR
echo running from "$EXEDIR"
}
service_install_systemd()
{
service_install_systemd() {
echo \* installing zapret service
if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then
rm -f "$INIT_SCRIPT"
ln -fs "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
"$SYSTEMCTL" daemon-reload
@ -567,11 +537,10 @@ service_install_systemd()
fi
}
timer_install_systemd()
{
timer_install_systemd() {
echo \* installing zapret-list-update timer
if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then
"$SYSTEMCTL" disable zapret-list-update.timer
"$SYSTEMCTL" stop zapret-list-update.timer
ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
@ -590,9 +559,8 @@ timer_install_systemd()
fi
}
download_list()
{
[ -x "$GET_LIST" ] && {
download_list() {
[ -x "$GET_LIST" ] && {
echo \* downloading blocked ip/host list
# can be txt or txt.gz
@ -601,27 +569,22 @@ download_list()
}
}
dnstest()
{
# $1 - dns server. empty for system resolver
nslookup w3.org $1 >/dev/null 2>/dev/null
dnstest() {
# $1 - DNS server. empty for system resolver
nslookup w3.org "$1" >/dev/null 2>/dev/null
}
check_dns()
{
check_dns() {
echo \* checking DNS
dnstest || {
echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access.
echo "-- DNS is not working. It's either misconfigured or blocked or you don't have inet access."
return 1
}
echo system DNS is working
return 0
}
install_systemd()
{
install_systemd() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
check_bins
@ -646,8 +609,7 @@ install_systemd()
service_start_systemd
}
_install_sysv()
{
_install_sysv() {
# $1 - install init script
check_bins
@ -671,21 +633,17 @@ _install_sysv()
service_start_sysv
}
install_sysv()
{
install_sysv() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
_install_sysv install_sysv_init
}
install_openrc()
{
install_openrc() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/openrc/zapret"
_install_sysv install_openrc_init
}
install_linux()
{
install_linux() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
check_bins
@ -706,14 +664,12 @@ install_linux()
echo
echo '!!! WARNING. YOUR SETUP IS INCOMPLETE !!!'
echo you must manually add to auto start : $INIT_SCRIPT_SRC start
echo you must manually add to auto start: "$INIT_SCRIPT_SRC" start
echo make sure it\'s executed after your custom/firewall iptables configuration
echo "if your system uses sysv init : ln -fs $INIT_SCRIPT_SRC /etc/init.d/zapret ; chkconfig zapret on"
}
deoffload_openwrt_firewall()
{
deoffload_openwrt_firewall() {
echo \* checking flow offloading
[ "$FWTYPE" = "nftables" ] || is_ipt_flow_offload_avail || {
@ -723,27 +679,28 @@ deoffload_openwrt_firewall()
local fo=$(uci -q get firewall.@defaults[0].flow_offloading)
if [ "$fo" = "1" ] ; then
if [ "$fo" = "1" ]; then
local mod=0
printf "system wide flow offloading detected. "
case $FLOWOFFLOAD in
donttouch)
if [ "$MODE" = "nfqws" ]; then
echo its incompatible with nfqws tcp data tampering. disabling
uci set firewall.@defaults[0].flow_offloading=0
mod=1
donttouch)
if [ "$MODE" = "nfqws" ]; then
echo its incompatible with nfqws tcp data tampering. disabling
uci set firewall.@defaults[0].flow_offloading=0
mod=1
else
if [ "$MODE" = "custom" ]; then
echo custom mode selected !!! only you can decide whether flow offloading is compatible
else
if [ "$MODE" = "custom" ] ; then
echo custom mode selected !!! only you can decide whether flow offloading is compatible
else
echo its compatible with selected options. not disabling
fi
echo its compatible with selected options. not disabling
fi
fi
;;
*)
echo zapret will disable system wide offloading setting and add selective rules if required
uci set firewall.@defaults[0].flow_offloading=0
mod=1
;;
esac
[ "$mod" = "1" ] && uci commit firewall
else
@ -752,10 +709,7 @@ deoffload_openwrt_firewall()
}
install_openwrt()
{
install_openwrt() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret"
FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret"
OPENWRT_FW_INCLUDE=/etc/firewall.zapret
@ -768,7 +722,7 @@ install_openwrt()
check_dns
check_virt
local FWTYPE_OLD=$FWTYPE
local FWTYPE_OLD="$FWTYPE"
echo \* stopping current firewall rules/daemons
"$INIT_SCRIPT_SRC" stop_fw
@ -798,36 +752,30 @@ install_openwrt()
restart_openwrt_firewall
}
remove_pf_zapret_hooks()
{
remove_pf_zapret_hooks() {
echo \* removing zapret PF hooks
pf_anchors_clear
}
macos_fw_reload_trigger_clear()
{
macos_fw_reload_trigger_clear() {
case "$MODE" in
tpws|tpws-socks|custom)
LISTS_RELOAD=
write_config_var LISTS_RELOAD
;;
tpws | tpws-socks | custom)
LISTS_RELOAD=
write_config_var LISTS_RELOAD
;;
esac
}
macos_fw_reload_trigger_set()
{
macos_fw_reload_trigger_set() {
case "$MODE" in
tpws|custom)
LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
write_config_var LISTS_RELOAD
;;
tpws | custom)
LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
write_config_var LISTS_RELOAD
;;
esac
}
install_macos()
{
install_macos() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret"
# compile before root
@ -852,7 +800,6 @@ install_macos()
service_start_macos
}
# build binaries, do not use precompiled
[ "$1" = "make" ] && FORCE_BUILD=1
@ -864,22 +811,21 @@ check_system
[ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions"
case $SYSTEM in
systemd)
install_systemd
;;
openrc)
install_openrc
;;
linux)
install_linux
;;
openwrt)
install_openwrt
;;
macos)
install_macos
;;
systemd)
install_systemd
;;
openrc)
install_openrc
;;
linux)
install_linux
;;
openwrt)
install_openwrt
;;
macos)
install_macos
;;
esac
exitp 0
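Review bot: `nslookup w3.org "$1"` in dnstest now passes an empty string as the server argument when `$1` is unset, which is exactly how check_dns invokes it (`dnstest` with no arguments); the comment says empty means the system resolver, but an explicit `""` server is not the same as omitting the argument and is likely to make the lookup fail, so check_dns would report broken DNS on every run. `nslookup w3.org ${1:+"$1"} >/dev/null 2>/dev/null` keeps the quoting while dropping the argument when it is empty. The same over-quoting of deliberately word-split values appears at `edit_vars "$vars"` in select_mode_mode, where the surrounding `for var in $vars` loop itself splits the list, so if edit_vars expects one variable name per positional argument the nfqws list now arrives as a single argument; and in the first section run_daemon's `-- "$3"` and `"$2" "$3"` pass the assembled option string (`"$OPT $3"` at the do_tpws call site) as one argument, which cannot be what the daemons expect.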


@ -3,7 +3,10 @@
# install prerequisites
EXEDIR="$(dirname "$0")"
EXEDIR="$(cd "$EXEDIR"; pwd)"
EXEDIR="$(
cd "$EXEDIR"
pwd
)"
ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -27,25 +30,25 @@ umask 0022
fix_sbin_path
fsleep_setup
check_system accept_unknown_rc
[ $UNAME = "Linux" ] || {
echo no prerequisites required for $UNAME
[ "$UNAME" = "Linux" ] || {
echo no prerequisites required for "$UNAME"
exitp 0
}
require_root
case $UNAME in
Linux)
select_fwtype
case $SYSTEM in
openwrt)
select_ipv6
check_prerequisites_openwrt
;;
*)
check_prerequisites_linux
;;
esac
Linux)
select_fwtype
case $SYSTEM in
openwrt)
select_ipv6
check_prerequisites_openwrt
;;
*)
check_prerequisites_linux
;;
esac
;;
esac
exitp 0


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"


@ -5,7 +5,10 @@
# $1=clear - clear ipset
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
. "$IPSET_DIR/def.sh"
. "$IPSET_DIR/../common/fwtype.sh"
@ -27,17 +30,14 @@ while [ -n "$1" ]; do
shift
done
file_extract_lines()
{
file_extract_lines() {
# $1 - filename
# $2 - from line (starting with 0)
# $3 - line count
# awk "{ err=1 } NR < $(($2+1)) { next } { print; err=0 } NR == $(($2+$3)) { exit err } END {exit err}" "$1"
$AWK "NR < $(($2+1)) { next } { print } NR == $(($2+$3)) { exit }" "$1"
$AWK "NR < $(($2 + 1)) { next } { print } NR == $(($2 + $3)) { exit }" "$1"
}
ipset_restore_chunked()
{
ipset_restore_chunked() {
# $1 - filename
# $2 - chunk size
local pos lines
@ -45,27 +45,23 @@ ipset_restore_chunked()
lines=$(wc -l <"$1")
pos=$lines
while [ "$pos" -gt "0" ]; do
pos=$((pos-$2))
pos=$((pos - $2))
[ "$pos" -lt "0" ] && pos=0
file_extract_lines "$1" $pos $2 | ipset -! restore
sed -i "$(($pos+1)),$ d" "$1"
file_extract_lines "$1" $pos "$2" | ipset -! restore
sed -i "$(($pos + 1)),$ d" "$1"
done
}
ipset_get_script()
{
ipset_get_script() {
# $1 - ipset name
sed -nEe "s/^.+$/add $1 &/p"
}
ipset_get_script_from_file()
{
ipset_get_script_from_file() {
# $1 - filename
# $2 - ipset name
zzcat "$1" | sort -u | ipset_get_script $2
zzcat "$1" | sort -u | ipset_get_script "$2"
}
ipset_restore()
{
ipset_restore() {
# $1 - ipset name
# $2 - filename
@ -78,7 +74,7 @@ ipset_restore()
local T="Adding to ipset $1 "
[ "$svram" = "1" ] && T="$T (saveram)"
T="$T : $f"
echo $T
echo "$T"
if [ "$svram" = "1" ]; then
ipset_get_script_from_file "$2" "$1" >"$IPSET_CMD"
@ -88,46 +84,43 @@ ipset_restore()
ipset_get_script_from_file "$2" "$1" | ipset -! restore
fi
}
create_ipset()
{
create_ipset() {
if [ "$1" -eq "6" ]; then
FAMILY=inet6
else
FAMILY=inet
fi
ipset create $2 $3 $4 family $FAMILY 2>/dev/null || {
ipset create "$2" "$3" "$4" family $FAMILY 2>/dev/null || {
[ "$NO_UPDATE" = "1" ] && return 0
}
ipset flush $2
ipset flush "$2"
[ "$DO_CLEAR" = "1" ] || {
for f in "$5" "$6" ; do
for f in "$5" "$6"; do
ipset_restore "$2" "$f"
done
[ -n "$IPSET_HOOK" ] && $IPSET_HOOK $2 | ipset_get_script $2 | ipset -! restore
[ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$2" | ipset_get_script "$2" | ipset -! restore
}
return 0
}
nfset_get_script_multi()
{
nfset_get_script_multi() {
# $1 - set name
# $2,$3,... - filenames
# all in one shot. this allows to merge overlapping ranges
# good but eats lots of RAM
local set=$1 nonempty N=1 f
local set="$1" nonempty N=1 f
shift
# first we need to make sure at least one element exists or nft will fail
while :
do
while :; do
eval f=\$$N
[ -n "$f" ] || break
nonempty=$(zzexist "$f" && zzcat "$f" | head -n 1)
[ -n "$nonempty" ] && break
N=$(($N+1))
N=$(($N + 1))
done
[ -n "$nonempty" ] && {
@ -139,22 +132,20 @@ nfset_get_script_multi()
echo "}"
}
}
nfset_restore()
{
nfset_restore() {
# $1 - set name
# $2,$3,... - filenames
echo "Adding to nfset $1 : $2 $3 $4 $5"
local hookfile
[ -n "$IPSET_HOOK" ] && {
$IPSET_HOOK $1 >"$IPSET_HOOK_TEMP"
$IPSET_HOOK "$1" >"$IPSET_HOOK_TEMP"
[ -s "$IPSET_HOOK_TEMP" ] && hookfile=$IPSET_HOOK_TEMP
}
nfset_get_script_multi "$@" $hookfile | nft -f -
nfset_get_script_multi "$@" "$hookfile" | nft -f -
rm -f "$IPSET_HOOK_TEMP"
}
create_nfset()
{
create_nfset() {
# $1 - family
# $2 - set name
# $3 - maxelem
@ -162,54 +153,50 @@ create_nfset()
local policy
[ $SAVERAM = "1" ] && policy="policy memory;"
nft_create_set $2 "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || {
nft_create_set "$2" "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || {
[ "$NO_UPDATE" = "1" ] && return 0
nft flush set inet $ZAPRET_NFT_TABLE $2
nft flush set inet "$ZAPRET_NFT_TABLE" "$2"
}
[ "$DO_CLEAR" = "1" ] || {
nfset_restore $2 $4 $5
nfset_restore "$2" "$4" "$5"
}
return 0
}
add_ipfw_table()
{
add_ipfw_table() {
# $1 - table name
sed -nEe "s/^.+$/table $1 add &/p" | ipfw -q /dev/stdin
}
populate_ipfw_table()
{
populate_ipfw_table() {
# $1 - table name
# $2 - ip list file
zzexist "$2" || return
zzcat "$2" | sort -u | add_ipfw_table $1
zzcat "$2" | sort -u | add_ipfw_table "$1"
}
create_ipfw_table()
{
create_ipfw_table() {
# $1 - table name
# $2 - table options
# $3,$4, ... - ip list files. can be v4,v6 or mixed
local name=$1
ipfw table "$name" create $2 2>/dev/null || {
local name="$1"
ipfw table "$name" create "$2" 2>/dev/null || {
[ "$NO_UPDATE" = "1" ] && return 0
}
ipfw -q table $1 flush
ipfw -q table "$1" flush
shift
shift
[ "$DO_CLEAR" = "1" ] || {
while [ -n "$1" ]; do
echo "Adding to ipfw table $name : $1"
populate_ipfw_table $name "$1"
populate_ipfw_table "$name" "$1"
shift
done
[ -n "$IPSET_HOOK" ] && $IPSET_HOOK $name | add_ipfw_table $name
[ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$name" | add_ipfw_table "$name"
}
return 0
}
print_reloading_backend()
{
print_reloading_backend() {
# $1 - backend name
local s="reloading $1 backend"
if [ "$NO_UPDATE" = 1 ]; then
@ -219,91 +206,90 @@ print_reloading_backend()
else
s="$s (forced-update)"
fi
echo $s
echo "$s"
}
oom_adjust_high
get_fwtype
if [ -n "$LISTS_RELOAD" ] ; then
if [ "$LISTS_RELOAD" = "-" ] ; then
if [ -n "$LISTS_RELOAD" ]; then
if [ "$LISTS_RELOAD" = "-" ]; then
echo not reloading ip list backend
true
else
echo executing custom ip list reload command : $LISTS_RELOAD
echo executing custom ip list reload command : "$LISTS_RELOAD"
$LISTS_RELOAD
[ -n "$IPSET_HOOK" ] && $IPSET_HOOK
fi
else
case "$FWTYPE" in
iptables)
# ipset seem to buffer the whole script to memory
# on low RAM system this can cause oom errors
# in SAVERAM mode we feed script lines in portions starting from the end, while truncating source file to free /tmp space
# only /tmp is considered tmpfs. other locations mean tmpdir was redirected to a disk
iptables)
# ipset seem to buffer the whole script to memory
# on low RAM system this can cause oom errors
# in SAVERAM mode we feed script lines in portions starting from the end, while truncating source file to free /tmp space
# only /tmp is considered tmpfs. other locations mean tmpdir was redirected to a disk
SAVERAM=0
[ "$TMPDIR" = "/tmp" ] && {
RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}")
[ "$RAMSIZE" -lt "110000" ] && SAVERAM=1
}
print_reloading_backend ipset
[ "$DISABLE_IPV4" != "1" ] && {
create_ipset 4 "$ZIPSET" hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER"
create_ipset 4 "$ZIPSET_IPBAN" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
create_ipset 4 "$ZIPSET_EXCLUDE" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
}
[ "$DISABLE_IPV6" != "1" ] && {
create_ipset 6 "$ZIPSET6" hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
create_ipset 6 "$ZIPSET_IPBAN6" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_ipset 6 "$ZIPSET_EXCLUDE6" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
}
true
;;
nftables)
nft_create_table && {
SAVERAM=0
[ "$TMPDIR" = "/tmp" ] && {
RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')
[ "$RAMSIZE" -lt "110000" ] && SAVERAM=1
}
print_reloading_backend ipset
RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}")
[ "$RAMSIZE" -lt "420000" ] && SAVERAM=1
print_reloading_backend "nftables set"
[ "$DISABLE_IPV4" != "1" ] && {
create_ipset 4 $ZIPSET hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER"
create_ipset 4 $ZIPSET_IPBAN hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
create_ipset 4 $ZIPSET_EXCLUDE hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
create_nfset 4 "$ZIPSET" "$SET_MAXELEM" "$ZIPLIST" "$ZIPLIST_USER"
create_nfset 4 "$ZIPSET_IPBAN" "$SET_MAXELEM" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
create_nfset 4 "$ZIPSET_EXCLUDE" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE"
}
[ "$DISABLE_IPV6" != "1" ] && {
create_ipset 6 $ZIPSET6 hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
create_ipset 6 $ZIPSET_IPBAN6 hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_ipset 6 $ZIPSET_EXCLUDE6 hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
create_nfset 6 "$ZIPSET6" "$SET_MAXELEM" "$ZIPLIST6" "$ZIPLIST_USER6"
create_nfset 6 "$ZIPSET_IPBAN6" "$SET_MAXELEM" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_nfset 6 "$ZIPSET_EXCLUDE6" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE6"
}
true
;;
nftables)
nft_create_table && {
SAVERAM=0
RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')
[ "$RAMSIZE" -lt "420000" ] && SAVERAM=1
print_reloading_backend "nftables set"
[ "$DISABLE_IPV4" != "1" ] && {
create_nfset 4 $ZIPSET $SET_MAXELEM "$ZIPLIST" "$ZIPLIST_USER"
create_nfset 4 $ZIPSET_IPBAN $SET_MAXELEM "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
create_nfset 4 $ZIPSET_EXCLUDE $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE"
}
[ "$DISABLE_IPV6" != "1" ] && {
create_nfset 6 $ZIPSET6 $SET_MAXELEM "$ZIPLIST6" "$ZIPLIST_USER6"
create_nfset 6 $ZIPSET_IPBAN6 $SET_MAXELEM "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_nfset 6 $ZIPSET_EXCLUDE6 $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE6"
}
true
}
;;
ipfw)
print_reloading_backend "ipfw table"
if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then
create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6"
create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6"
elif [ "$DISABLE_IPV4" != "1" ]; then
create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER"
create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
elif [ "$DISABLE_IPV6" != "1" ]; then
create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
else
create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT"
create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT"
create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE"
fi
true
;;
*)
echo no supported ip list backend found
true
;;
esac
}
;;
ipfw)
print_reloading_backend "ipfw table"
if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then
create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6"
create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6"
elif [ "$DISABLE_IPV4" != "1" ]; then
create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER"
create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
elif [ "$DISABLE_IPV6" != "1" ]; then
create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
else
create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT"
create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT"
create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE"
fi
true
;;
*)
echo no supported ip list backend found
true
;;
esac
fi
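Review bot: `$AWK "{print $2}"` in the SAVERAM blocks of the iptables and nftables cases is broken by the move from single to double quotes (the old side reads `'{print $2}'`): the shell expands `$2` before awk sees the program, awk then prints the whole MemTotal line, `[ "$RAMSIZE" -lt ... ]` fails on a non-integer and SAVERAM is never set; restore `RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')` in both places. Quoting the option strings in `ipset create "$2" "$3" "$4" family $FAMILY` and `ipfw table "$name" create "$2"` also changes behavior: if IPSET_OPT / IPFW_TABLE_OPT hold more than one word (their values are defined outside this section) they now arrive as a single bogus argument, the create fails silently under `2>/dev/null`, and the set that enforces the firewall policy is left empty, so those two expansions should stay unquoted with a `# shellcheck disable=SC2086` comment or be passed as separate arguments. Finally, `cd "$IPSET_DIR" || exit` inside `$( )` only exits the subshell, leaving IPSET_DIR empty while `. "$IPSET_DIR/def.sh"` still runs; `IPSET_DIR="$(cd "$IPSET_DIR" && pwd)" || exit 1` is the form that aborts.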


@ -1,6 +1,9 @@
[ -n "$IPSET_DIR" ] || {
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
}
. "$IPSET_DIR/../config"
@ -39,230 +42,204 @@ ZIPLIST_USER_IPBAN6="$IPSET_DIR/zapret-ip-user-ipban6.txt"
ZUSERLIST_IPBAN="$IPSET_DIR/zapret-hosts-user-ipban.txt"
ZUSERLIST_EXCLUDE="$IPSET_DIR/zapret-hosts-user-exclude.txt"
[ -n "$IP2NET" ] || IP2NET="$IPSET_DIR/../ip2net/ip2net"
[ -n "$MDIG" ] || MDIG="$IPSET_DIR/../mdig/mdig"
[ -z "$MDIG_THREADS" ] && MDIG_THREADS=30
# BSD grep is damn slow with -f option. prefer GNU grep (ggrep) if present
# MacoS in cron does not include /usr/local/bin to PATH
if [ -x /usr/local/bin/ggrep ] ; then
GREP=/usr/local/bin/ggrep
elif [ -x /usr/local/bin/grep ] ; then
GREP=/usr/local/bin/grep
if [ -x /usr/local/bin/ggrep ]; then
GREP=/usr/local/bin/ggrep
elif [ -x /usr/local/bin/grep ]; then
GREP=/usr/local/bin/grep
elif exists ggrep; then
GREP=$(whichq ggrep)
GREP=$(whichq ggrep)
else
GREP=$(whichq grep)
GREP=$(whichq grep)
fi
# GNU awk is faster
if exists gawk; then
AWK=gawk
AWK=gawk
else
AWK=awk
AWK=awk
fi
grep_supports_b()
{
# \b does not work with BSD grep
$GREP --version 2>&1 | $GREP -qE "BusyBox|GNU"
grep_supports_b() {
# \b does not work with BSD grep
$GREP --version 2>&1 | $GREP -qE "BusyBox|GNU"
}
get_ip_regex()
{
REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?'
REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
# good but too slow
# REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
# grep_supports_b && {
# REG_IPV4="\b$REG_IPV4\b"
# REG_IPV6="\b$REG_IPV6\b"
# }
get_ip_regex() {
REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?'
REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
# good but too slow
# REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
# grep_supports_b && {
# REG_IPV4="\b$REG_IPV4\b"
# REG_IPV6="\b$REG_IPV6\b"
# }
}
ip2net4()
{
if [ -x "$IP2NET" ]; then
"$IP2NET" -4 $IP2NET_OPT4
else
sort -u
fi
ip2net4() {
if [ -x "$IP2NET" ]; then
"$IP2NET" -4 "$IP2NET_OPT4"
else
sort -u
fi
}
ip2net6()
{
if [ -x "$IP2NET" ]; then
"$IP2NET" -6 $IP2NET_OPT6
else
sort -u
fi
ip2net6() {
if [ -x "$IP2NET" ]; then
"$IP2NET" -6 "$IP2NET_OPT6"
else
sort -u
fi
}
zzexist()
{
[ -f "$1.gz" ] || [ -f "$1" ]
zzexist() {
[ -f "$1.gz" ] || [ -f "$1" ]
}
zztest()
{
gzip -t "$1" 2>/dev/null
zztest() {
gzip -t "$1" 2>/dev/null
}
zzcat()
{
if [ -f "$1.gz" ]; then
gunzip -c "$1.gz"
elif [ -f "$1" ]; then
if zztest "$1"; then
gunzip -c "$1"
else
cat "$1"
fi
fi
zzcat() {
if [ -f "$1.gz" ]; then
gunzip -c "$1.gz"
elif [ -f "$1" ]; then
if zztest "$1"; then
gunzip -c "$1"
else
cat "$1"
fi
fi
}
zz()
{
if [ "$GZIP_LISTS" = "1" ]; then
gzip -c >"$1.gz"
rm -f "$1"
else
cat >"$1"
rm -f "$1.gz"
fi
zz() {
if [ "$GZIP_LISTS" = "1" ]; then
gzip -c >"$1.gz"
rm -f "$1"
else
cat >"$1"
rm -f "$1.gz"
fi
}
zzsize()
{
local f="$1"
[ -f "$1.gz" ] && f="$1.gz"
if [ -f "$f" ]; then
wc -c <"$f" | xargs
else
printf 0
fi
zzsize() {
local f="$1"
[ -f "$1.gz" ] && f="$1.gz"
if [ -f "$f" ]; then
wc -c <"$f" | xargs
else
printf 0
fi
}
digger()
{
# $1 - family (4|6)
# $2 - s=enable mdig stats
if [ -x "$MDIG" ]; then
local cmd
[ "$2" = "s" ] && cmd=--stats=1000
"$MDIG" --family=$1 --threads=$MDIG_THREADS $cmd
else
local A=A
[ "$1" = "6" ] && A=AAAA
dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$'
fi
digger() {
# $1 - family (4|6)
# $2 - s=enable mdig stats
if [ -x "$MDIG" ]; then
local cmd
[ "$2" = "s" ] && cmd=--stats=1000
"$MDIG" --family="$1" --threads="$MDIG_THREADS" $cmd
else
local A=A
[ "$1" = "6" ] && A=AAAA
dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$'
fi
}
filedigger()
{
# $1 - hostlist
# $2 - family (4|6)
>&2 echo digging $(wc -l <"$1" | xargs) ipv$2 domains : "$1"
zzcat "$1" | digger $2 s
filedigger() {
# $1 - hostlist
# $2 - family (4|6)
echo ">&2 digging $(wc -l <"$1" | xargs) ipv$2 domains : $1"
zzcat "$1" | digger "$2" s
}
flush_dns_cache()
{
echo clearing all known DNS caches
flush_dns_cache() {
echo clearing all known DNS caches
if exists killall; then
killall -HUP dnsmasq 2>/dev/null
# MacOS
killall -HUP mDNSResponder 2>/dev/null
elif exists pkill; then
pkill -HUP ^dnsmasq$
else
echo no mass killer available ! cant flush dnsmasq
fi
if exists killall; then
killall -HUP dnsmasq 2>/dev/null
# macOS
killall -HUP mDNSResponder 2>/dev/null
elif exists pkill; then
pkill -HUP ^dnsmasq$
else
echo no mass killer available ! cant flush dnsmasq
fi
if exists rndc; then
rndc flush
fi
if exists rndc; then
rndc flush
fi
if exists systemd-resolve; then
systemd-resolve --flush-caches
fi
if exists systemd-resolve; then
systemd-resolve --flush-caches
fi
}
dnstest()
{
local ip="$(echo w3.org | digger 46)"
[ -n "$ip" ]
dnstest() {
local ip
ip="$(echo w3.org | digger 46)"
[ -n "$ip" ]
}
dnstest_with_cache_clear()
{
flush_dns_cache
if dnstest ; then
dnstest_with_cache_clear() {
flush_dns_cache
if dnstest; then
echo DNS is working
return 0
else
else
echo "! DNS is not working"
return 1
fi
fi
}
cut_local()
{
cut_local() {
$GREP -vE '^192\.168\.|^127\.|^10\.'
}
cut_local6()
{
cut_local6() {
$GREP -vE '^::|^fc..:|^fd..:|^fe8.:|^fe9.:|^fea.:|^feb.:|^FC..:|^FD..:|^FE8.:|^FE9.:|^FEA.:|^FEB.:'
}
oom_adjust_high()
{
[ -f /proc/$$/oom_score_adj ] && {
echo setting high oom kill priority
echo -n 100 >/proc/$$/oom_score_adj
}
oom_adjust_high() {
[ -f /proc/$$/oom_score_adj ] && {
echo setting high oom kill priority
echo -n 100 >/proc/$$/oom_score_adj
}
}
getexclude()
{
oom_adjust_high
dnstest_with_cache_clear || return
[ -f "$ZUSERLIST_EXCLUDE" ] && {
[ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u > "$ZIPLIST_EXCLUDE"
[ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u > "$ZIPLIST_EXCLUDE6"
}
return 0
getexclude() {
oom_adjust_high
dnstest_with_cache_clear || return
[ -f "$ZUSERLIST_EXCLUDE" ] && {
[ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u >"$ZIPLIST_EXCLUDE"
[ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u >"$ZIPLIST_EXCLUDE6"
}
return 0
}
_get_ipban()
{
[ -f "$ZUSERLIST_IPBAN" ] && {
[ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u > "$ZIPLIST_USER_IPBAN"
[ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u > "$ZIPLIST_USER_IPBAN6"
}
_get_ipban() {
[ -f "$ZUSERLIST_IPBAN" ] && {
[ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u >"$ZIPLIST_USER_IPBAN"
[ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u >"$ZIPLIST_USER_IPBAN6"
}
}
getuser()
{
getexclude || return
[ -f "$ZUSERLIST" ] && {
[ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u > "$ZIPLIST_USER"
[ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u > "$ZIPLIST_USER6"
}
_get_ipban
return 0
getuser() {
getexclude || return
[ -f "$ZUSERLIST" ] && {
[ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u >"$ZIPLIST_USER"
[ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u >"$ZIPLIST_USER6"
}
_get_ipban
return 0
}
getipban()
{
getexclude || return
_get_ipban
return 0
getipban() {
getexclude || return
_get_ipban
return 0
}
hup_zapret_daemons()
{
echo forcing zapret daemons to reload their hostlist
if exists killall; then
killall -HUP tpws nfqws dvtws 2>/dev/null
elif exists pkill; then
pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
else
echo no mass killer available ! cant HUP zapret daemons
fi
hup_zapret_daemons() {
echo forcing zapret daemons to reload their hostlist
if exists killall; then
killall -HUP tpws nfqws dvtws 2>/dev/null
elif exists pkill; then
pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
else
echo no mass killer available ! cant HUP zapret daemons
fi
}
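Review bot: In filedigger the stderr redirection was folded into the string literal: `echo ">&2 digging ...` now writes the text `>&2 digging N ipv4 domains : file` to stdout, and filedigger's stdout is exactly what getexclude, _get_ipban and getuser pipe through `sort -u` into the ZIPLIST_* files, so every resolved list gains a garbage line that the later ipset/nft restore will reject. The old side's `>&2 echo digging ...` should come back as `echo "digging $(wc -l <"$1" | xargs) ipv$2 domains : $1" >&2`. The same pass quoted `"$IP2NET" -4 "$IP2NET_OPT4"` and `-6 "$IP2NET_OPT6"`; if those variables carry several flags (they are set in the config outside this section) they now arrive as one argument, and when empty ip2net receives an empty-string argument, so they should remain unquoted like `$cmd` in digger, with a `# shellcheck disable=SC2086` comment explaining the intentional word splitting.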


@ -1,13 +1,16 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"
getuser && {
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/allyouneed.lst "$ZIPLIST"
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/allyouneed.lst "$ZIPLIST"
}
"$IPSET_DIR/create_ipset.sh"


@ -1,13 +1,16 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"
getuser && {
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/ip.lst "$ZIPLIST"
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/ip.lst "$ZIPLIST"
}
"$IPSET_DIR/create_ipset.sh"


@ -1,13 +1,16 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"
getuser && {
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/ipresolve.lst "$ZIPLIST"
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/ipresolve.lst "$ZIPLIST"
}
"$IPSET_DIR/create_ipset.sh"


@ -1,13 +1,16 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"
getuser && {
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.network/download/ipsmart.lst "$ZIPLIST"
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.network/download/ipsmart.lst "$ZIPLIST"
}
"$IPSET_DIR/create_ipset.sh"


@ -1,13 +1,16 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"
getuser && {
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/ipsum.lst "$ZIPLIST"
. "$IPSET_DIR/antifilter.helper"
get_antifilter https://antifilter.download/list/ipsum.lst "$ZIPLIST"
}
"$IPSET_DIR/create_ipset.sh"


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"
@ -14,17 +17,16 @@ getipban || FAIL=1
ZURL=https://antizapret.prostovpn.org:8443/domains-export.txt
ZDOM="$TMPDIR/zapret.txt"
curl -H "Accept-Encoding: gzip" -k --fail --max-time 600 --connect-timeout 5 --retry 3 --max-filesize 251658240 "$ZURL" | gunzip - >"$ZDOM" ||
{
echo domain list download failed
exit 2
}
{
echo domain list download failed
exit 2
}
dlsize=$(LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
if test $dlsize -lt 102400; then
echo list file is too small. can be bad.
exit 2
if test "$dlsize" -lt 102400; then
echo list file is too small. can be bad.
exit 2
fi
sort -u "$ZDOM" | zz "$ZHOSTLIST"


@ -2,7 +2,10 @@
# run script specified in config
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/../config"


@ -2,7 +2,10 @@
# resolve user host list
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"


@ -2,7 +2,10 @@
# resolve only ipban user host list
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
. "$IPSET_DIR/def.sh"
@ -9,44 +12,40 @@ ZREESTR="$TMPDIR/zapret.txt"
IPB="$TMPDIR/ipb.txt"
ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
dl_checked()
{
dl_checked() {
# $1 - url
# $2 - file
# $3 - minsize
# $4 - maxsize
# $5 - maxtime
curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
{
echo list download failed : $1
return 2
}
curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" ||
{
echo list download failed : "$1"
return 2
}
dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
if test $dlsize -lt $3; then
echo list is too small : $dlsize bytes. can be bad.
return 2
if test "$dlsize" -lt "$3"; then
echo list is too small : "$dlsize" bytes. can be bad.
return 2
fi
return 0
}
reestr_list()
{
LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
reestr_list() {
LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK "{ print tolower($0) }"
}
reestr_extract_ip()
{
LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
reestr_extract_ip() {
LANG=C nice -n 5 "$AWK" -F ";" "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}"
}
ipban_fin()
{
getipban
"$IPSET_DIR/create_ipset.sh"
ipban_fin() {
getipban
"$IPSET_DIR/create_ipset.sh"
}
dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || {
ipban_fin
exit 2
ipban_fin
exit 2
}
reestr_list | sort -u | zz "$ZHOSTLIST"
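Review bot: The awk programs in reestr_list and reestr_extract_ip were moved from single to double quotes, which hands `$0`, `$1`, `$2` and `$3` to the shell before awk runs: `"{ print tolower($0) }"` becomes `{ print tolower(<script path>) }`, and in reestr_extract_ip the embedded `""` pairs are consumed as empty shell strings so the awk condition loses both its field references and its string literals, giving a syntax error or wrong output where the old side's single-quoted programs were correct. Restore `$AWK '{ print tolower($0) }'` and the single-quoted `-F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}'` program, and revert the trailing `$AWK "{split($1, a, /\|/); ...}"` the same way. If a shell value ever needs to reach awk, pass it with `-v name="$val"` rather than by interpolation.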


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
. "$IPSET_DIR/def.sh"
@ -13,35 +16,34 @@ URL6="$BASEURL/reestr_resolved6.txt"
IPB4="$BASEURL/reestr_ipban4.txt"
IPB6="$BASEURL/reestr_ipban6.txt"
dl()
{
dl() {
# $1 - url
# $2 - file
# $3 - minsize
# $4 - maxsize
curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
{
echo list download failed : $1
exit 2
}
curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
{
echo list download failed : "$1"
exit 2
}
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
if test $dlsize -lt $3; then
echo list is too small : $dlsize bytes. can be bad.
exit 2
if test "$dlsize" -lt "$3"; then
echo list is too small : "$dlsize" bytes. can be bad.
exit 2
fi
zzcat "$TMPLIST" | zz "$2"
rm -f "$TMPLIST"
}
getuser && {
[ "$DISABLE_IPV4" != "1" ] && {
dl "$URL4" "$ZIPLIST" 32768 4194304
dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
}
[ "$DISABLE_IPV6" != "1" ] && {
dl "$URL6" "$ZIPLIST6" 8192 4194304
dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
}
[ "$DISABLE_IPV4" != "1" ] && {
dl "$URL4" "$ZIPLIST" 32768 4194304
dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
}
[ "$DISABLE_IPV6" != "1" ] && {
dl "$URL6" "$ZIPLIST6" 8192 4194304
dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
}
}
"$IPSET_DIR/create_ipset.sh"


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
. "$IPSET_DIR/def.sh"
@ -13,35 +16,34 @@ URL6="$BASEURL/reestr_smart6.txt"
IPB4="$BASEURL/reestr_ipban4.txt"
IPB6="$BASEURL/reestr_ipban6.txt"
dl()
{
dl() {
# $1 - url
# $2 - file
# $3 - minsize
# $4 - maxsize
curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
{
echo list download failed : $1
exit 2
}
curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
{
echo list download failed : "$1"
exit 2
}
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
if test $dlsize -lt $3; then
echo list is too small : $dlsize bytes. can be bad.
exit 2
if test "$dlsize" -lt "$3"; then
echo list is too small : "$dlsize" bytes. can be bad.
exit 2
fi
zzcat "$TMPLIST" | zz "$2"
rm -f "$TMPLIST"
}
getuser && {
[ "$DISABLE_IPV4" != "1" ] && {
dl "$URL4" "$ZIPLIST" 32768 4194304
dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
}
[ "$DISABLE_IPV6" != "1" ] && {
dl "$URL6" "$ZIPLIST6" 8192 4194304
dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
}
[ "$DISABLE_IPV4" != "1" ] && {
dl "$URL4" "$ZIPLIST" 32768 4194304
dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
}
[ "$DISABLE_IPV6" != "1" ] && {
dl "$URL6" "$ZIPLIST6" 8192 4194304
dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
}
}
"$IPSET_DIR/create_ipset.sh"


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
. "$IPSET_DIR/def.sh"
@ -12,21 +15,20 @@ URL="$BASEURL/reestr_hostname_resolvable.txt"
IPB4="$BASEURL/reestr_ipban4.txt"
IPB6="$BASEURL/reestr_ipban6.txt"
dl()
{
dl() {
# $1 - url
# $2 - file
# $3 - minsize
# $4 - maxsize
curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
{
echo list download failed : $1
exit 2
}
curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
{
echo list download failed : "$1"
exit 2
}
dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
if test $dlsize -lt $3; then
echo list is too small : $dlsize bytes. can be bad.
exit 2
if test "$dlsize" -lt "$3"; then
echo list is too small : "$dlsize" bytes. can be bad.
exit 2
fi
zzcat "$TMPLIST" | zz "$2"
rm -f "$TMPLIST"


@ -1,7 +1,10 @@
#!/bin/sh
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR" || exit
pwd
)"
. "$IPSET_DIR/def.sh"
@ -12,72 +15,69 @@ ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
#ZURL=https://reestr.rublacklist.net/api/current
ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
dl_checked()
{
dl_checked() {
# $1 - url
# $2 - file
# $3 - minsize
# $4 - maxsize
# $5 - maxtime
curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
{
echo list download failed : $1
return 2
}
curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" ||
{
echo list download failed : "$1"
return 2
}
dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
if test $dlsize -lt $3; then
echo list is too small : $dlsize bytes. can be bad.
return 2
if test "$dlsize" -lt "$3"; then
echo list is too small : "$dlsize" bytes. can be bad.
return 2
fi
return 0
}
reestr_list()
{
LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
reestr_list() {
LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
}
reestr_extract_ip()
{
LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
reestr_extract_ip() {
LANG=C nice -n 5 "$AWK" -F ';' "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}"
}
getuser && {
# both disabled
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
# both disabled
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
echo preparing ipban list ..
echo preparing ipban list ..
reestr_extract_ip <"$ZREESTR" >"$IPB"
[ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
[ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
rm -f "$IPB"
reestr_extract_ip <"$ZREESTR" >"$IPB"
[ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
[ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
rm -f "$IPB"
echo preparing dig list ..
reestr_list | sort -u >"$ZDIG"
echo preparing dig list ..
reestr_list | sort -u >"$ZDIG"
rm -f "$ZREESTR"
rm -f "$ZREESTR"
echo digging started. this can take long ...
echo digging started. this can take long ...
[ "$DISABLE_IPV4" != "1" ] && {
filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
rm -f "$ZDIG"
exit 1
[ "$DISABLE_IPV4" != "1" ] && {
filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
rm -f "$ZDIG"
exit 1
}
ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
rm -f "$ZIPLISTTMP"
}
ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
rm -f "$ZIPLISTTMP"
}
[ "$DISABLE_IPV6" != "1" ] && {
filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
rm -f "$ZDIG"
exit 1
[ "$DISABLE_IPV6" != "1" ] && {
filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
rm -f "$ZDIG"
exit 1
}
ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
rm -f "$ZIPLISTTMP"
}
ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
rm -f "$ZIPLISTTMP"
}
rm -f "$ZDIG"
rm -f "$ZDIG"
}
"$IPSET_DIR/create_ipset.sh"


@ -2,7 +2,10 @@
# resolve user host list
IPSET_DIR="$(dirname "$0")"
IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
IPSET_DIR="$(
cd "$IPSET_DIR"
pwd
)"
. "$IPSET_DIR/def.sh"


@ -3,7 +3,10 @@
# automated script for easy uninstalling zapret
EXEDIR="$(dirname "$0")"
EXEDIR="$(cd "$EXEDIR"; pwd)"
EXEDIR="$(
cd "$EXEDIR"
pwd
)"
ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -26,8 +29,7 @@ IPSET_DIR="$ZAPRET_BASE/ipset"
. "$ZAPRET_BASE/common/pf.sh"
. "$ZAPRET_BASE/common/installer.sh"
remove_systemd()
{
remove_systemd() {
clear_ipset
service_stop_systemd
service_remove_systemd
@ -36,16 +38,14 @@ remove_systemd()
crontab_del
}
remove_openrc()
{
remove_openrc() {
clear_ipset
service_remove_openrc
nft_del_table
crontab_del
}
remove_linux()
{
remove_linux() {
INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
clear_ipset
@ -61,8 +61,7 @@ remove_linux()
echo 'you must manually remove zapret auto start from your system'
}
remove_openwrt()
{
remove_openwrt() {
OPENWRT_FW_INCLUDE=/etc/firewall.zapret
clear_ipset
@ -74,14 +73,12 @@ remove_openwrt()
crontab_del
}
remove_macos()
{
remove_macos() {
remove_macos_firewall
service_remove_macos
crontab_del
}
fix_sbin_path
check_system
require_root
@ -89,22 +86,21 @@ require_root
[ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions"
case $SYSTEM in
systemd)
remove_systemd
;;
openrc)
remove_openrc
;;
linux)
remove_linux
;;
openwrt)
remove_openwrt
;;
macos)
remove_macos
;;
systemd)
remove_systemd
;;
openrc)
remove_openrc
;;
linux)
remove_linux
;;
openwrt)
remove_openwrt
;;
macos)
remove_macos
;;
esac
exitp 0