diff --git a/common/base.sh b/common/base.sh
index b716385..0381879 100644
--- a/common/base.sh
+++ b/common/base.sh
@@ -253,3 +253,21 @@ minsleep()
 {
 msleep 100
 }
+
+replace_char()
+{
+ local a=$1
+ local b=$2
+ shift; shift
+ echo "$@" | tr $a $b
+}
+
+std_ports()
+{
+ HTTP_PORTS=${HTTP_PORTS:-80}
+ HTTPS_PORTS=${HTTPS_PORTS:-443}
+ QUIC_PORTS=${QUIC_PORTS:-443}
+ HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
+ HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
+ QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
+}
diff --git a/common/ipt.sh b/common/ipt.sh
index 0b42818..463abc0 100644
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -1,3 +1,5 @@
+std_ports
+
 ipt()
 {
 iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
@@ -50,11 +52,11 @@ filter_apply_port_target()
 # $1 - var name of iptables filter
 local f
 if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
- f="-p tcp -m multiport --dports 80,443"
+ f="-p tcp -m multiport --dports $HTTP_PORTS_IPT,$HTTPS_PORTS_IPT"
 elif [ "$MODE_HTTPS" = "1" ]; then
- f="-p tcp --dport 443"
+ f="-p tcp -m multiport --dports $HTTPS_PORTS_IPT"
 elif [ "$MODE_HTTP" = "1" ]; then
- f="-p tcp --dport 80"
+ f="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 else
 echo WARNING !!! HTTP and HTTPS are both disabled
 fi
@@ -64,7 +66,7 @@ filter_apply_port_target_quic()
 {
 # $1 - var name of nftables filter
 local f
- f="-p udp --dport 443"
+ f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 eval $1="\"\$$1 $f\""
 }
 filter_apply_ipset_target4()
@@ -357,7 +359,7 @@ zapret_do_firewall_rules_ipt()
 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qn
 else
 if [ -n "$qn" ]; then
- f4="-p tcp --dport 80"
+ f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 ff="$f4"
 [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 ff="$ff $first_packet_only"
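Review bot: `std_ports` hands the configured port lists to the rule builders without any syntax check, and in ipt.sh those strings later pass through `eval $1="\"\$$1 $f\""` (context line in the `filter_apply_port_target_quic` hunk), so a stray quote or `$` in `HTTP_PORTS` is re-evaluated as shell instead of being rejected. The config is itself a sourced shell file, so this is not a trust boundary, but today a typo only shows up as an iptables/nft parse error and a silently missing rule; a coarse character-class check in `std_ports` turns that into an early, readable failure (note the top-level `std_ports` calls in ipt.sh, nft.sh and pf.sh ignore its exit status unless the scripts run under `set -e`, so the stderr message is what the user sees). `replace_char` should also quote its operands, `echo "$@" | tr -- "$a" "$b"`, so a value containing glob characters cannot expand against the current directory before reaching `tr`.
```shell
std_ports()
{
	# … unchanged: HTTP_PORTS / HTTPS_PORTS / QUIC_PORTS defaults …
	# coarse syntax check: digits, '-' ranges and ',' separators only (constructed pattern, verify under ash/dash)
	local p
	for p in "$HTTP_PORTS" "$HTTPS_PORTS" "$QUIC_PORTS"; do
		case "$p" in
			''|*[!0-9,-]*) echo "std_ports: invalid port list '$p'" >&2; return 1 ;;
		esac
	done
	# … unchanged: *_IPT derivations via replace_char …
}
```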
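Review bot: The bare `std_ports` at the top of ipt.sh runs at source time, so `HTTP_PORTS_IPT`/`HTTPS_PORTS_IPT`/`QUIC_PORTS_IPT` are frozen from whatever the port variables hold at that moment; if the config is sourced after this module (the order is not visible in the diff), ipt.sh and pf.sh would build rules from the defaults while nft.sh, which reads `HTTP_PORTS` directly when it builds `f`, would honour the override. It would be more robust to call `std_ports` from the rule-building entry points or right after the config is loaded and drop the source-time calls; the same pattern appears in the nft.sh `@@ -2,6 +2,7 @@` and pf.sh `@@ -4,6 +4,8 @@` hunks. This line also makes ipt.sh depend on base.sh having been sourced first, which deserves a comment such as `# requires base.sh (std_ports, replace_char)`.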
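Review bot: Every branch of `filter_apply_port_target` now uses `-m multiport --dports`, and multiport accepts at most 15 ports per rule with each `first:last` range counting as two, so a user-supplied `HTTP_PORTS` plus `HTTPS_PORTS` can exceed the limit in the combined branch; iptables then rejects the rule, and since `ipt()` only falls through to `iptables -I "$@"` and nothing in the diff checks that status, the rule is simply absent. Either enforce the count in `std_ports` or document it beside the config example, e.g. `# iptables multiport: at most 15 ports per list, a range counts as two`. The single-port branches previously used plain `--dport` and now require the xt_multiport match even for one port; it was already needed for the combined case, so presumably acceptable, but it is a new hard dependency for the HTTP-only and HTTPS-only modes. The same applies to `filter_apply_port_target_quic` and the `zapret_do_firewall_rules_ipt` hunks at `@@ -357`, `@@ -367`, `@@ -381` and `@@ -391`.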
@@ -367,7 +369,7 @@ zapret_do_firewall_rules_ipt()
 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $ff)" $qn
 fi
 if [ -n "$qns" ]; then
- f4="-p tcp --dport 443 $first_packet_only"
+ f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 filter_apply_ipset_target4 f4
 fw_nfqws_post4 $1 "$f4 $desync" $qns
 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qns
@@ -381,7 +383,7 @@ zapret_do_firewall_rules_ipt()
 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qn
 else
 if [ -n "$qn6" ]; then
- f6="-p tcp --dport 80"
+ f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 ff="$f6"
 [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
 ff="$ff $first_packet_only"
@@ -391,7 +393,7 @@ zapret_do_firewall_rules_ipt()
 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $ff)" $qn6
 fi
 if [ -n "$qns6" ]; then
- f6="-p tcp --dport 443 $first_packet_only"
+ f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 filter_apply_ipset_target6 f6
 fw_nfqws_post6 $1 "$f6 $desync" $qns6
 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qns6
diff --git a/common/nft.sh b/common/nft.sh
index 9f0b83e..a87de91 100644
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -2,6 +2,7 @@
 # required for : nft -f -
 create_dev_stdin
+std_ports
 nft_create_table()
 {
@@ -279,11 +280,11 @@ nft_filter_apply_port_target()
 # $1 - var name of nftables filter
 local f
 if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
- f="tcp dport {80,443}"
+ f="tcp dport {$HTTP_PORTS,$HTTPS_PORTS}"
 elif [ "$MODE_HTTPS" = "1" ]; then
- f="tcp dport 443"
+ f="tcp dport {$HTTPS_PORTS}"
 elif [ "$MODE_HTTP" = "1" ]; then
- f="tcp dport 80"
+ f="tcp dport {$HTTP_PORTS}"
 else
 echo WARNING !!! HTTP and HTTPS are both disabled
 fi
@@ -293,7 +294,7 @@ nft_filter_apply_port_target_quic()
 {
 # $1 - var name of nftables filter
 local f
- f="udp dport 443"
+ f="udp dport {$QUIC_PORTS}"
 eval $1="\"\$$1 $f\""
 }
 nft_filter_apply_ipset_target4()
@@ -604,7 +605,7 @@ zapret_apply_firewall_rules_nft()
 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qn
 else
 if [ -n "$qn" ]; then
- f4="tcp dport 80"
+ f4="tcp dport {$HTTP_PORTS}"
 ff="$f4"
 [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 ff="$ff $first_packet_only"
@@ -614,7 +615,7 @@ zapret_apply_firewall_rules_nft()
 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $ff)" $qn
 fi
 if [ -n "$qns" ]; then
- f4="tcp dport 443 $first_packet_only"
+ f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 nft_filter_apply_ipset_target4 f4
 nft_fw_nfqws_post4 "$f4 $desync" $qns
 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qns
@@ -628,7 +629,7 @@ zapret_apply_firewall_rules_nft()
 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qn
 else
 if [ -n "$qn6" ]; then
- f6="tcp dport 80"
+ f6="tcp dport {$HTTP_PORTS}"
 ff="$f6"
 [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
 ff="$ff $first_packet_only"
@@ -638,7 +639,7 @@ zapret_apply_firewall_rules_nft()
 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $ff)" $qn6
 fi
 if [ -n "$qns6" ]; then
- f6="tcp dport 443 $first_packet_only"
+ f6="tcp dport {$HTTPS_PORTS} $first_packet_only"
 nft_filter_apply_ipset_target6 f6
 nft_fw_nfqws_post6 "$f6 $desync" $qns6
 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qns6
diff --git a/common/pf.sh b/common/pf.sh
index 5b021f9..a6fa57c 100644
--- a/common/pf.sh
+++ b/common/pf.sh
@@ -4,6 +4,8 @@ PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret"
 PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
 PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
+std_ports
+
 pf_anchor_root_reload()
 {
 echo reloading PF root anchor
@@ -107,11 +109,11 @@ pf_anchor_zapret_tables()
 pf_anchor_port_target()
 {
 if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
- echo "{80,443}"
+ echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
 elif [ "$MODE_HTTPS" = "1" ]; then
- echo "443"
+ echo "{$HTTPS_PORTS_IPT}"
 elif [ "$MODE_HTTP" = "1" ]; then
- echo "80"
+ echo "{$HTTP_PORTS_IPT}"
 fi
 }
diff --git a/config b/config
index 51e29e3..e6f2482 100644
--- a/config
+++ b/config
@@ -37,6 +37,11 @@ GZIP_LISTS=1
 # set to "-" to disable reload
 #LISTS_RELOAD="pfctl -f /etc/pf.conf"
+# override ports
+#HTTP_PORTS=80-81,85
+#HTTPS_PORTS=443,500-501
+#QUIC_PORTS=443,444
+
 # CHOOSE OPERATION MODE
 # MODE : nfqws,tpws,tpws-socks,filter,custom
 # nfqws : nfqws for dpi desync
@@ -96,7 +101,7 @@ INIT_APPLY_FW=1
 # do not work with ipv4
 #DISABLE_IPV4=1
 # do not work with ipv6
-DISABLE_IPV6=1
+#DISABLE_IPV6=1
 # select which init script will be used to get ip or host list
 # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
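Review bot: `pf_anchor_port_target` emits the `_IPT` form of the lists, whose ranges are spelled `first:last`; that happens to match pf's inclusive port-range operator, but nothing in the function says so, and a later reader could reasonably "fix" it to the plain `HTTP_PORTS` variables and break ranges. A comment would pin the intent: `# pf spells port ranges first:last like iptables multiport, hence the _IPT variables`. Whether pf accepts a range inside a `{...}` list (the combined branch produces e.g. `{80:81,85,443}` from the config example) should be confirmed against pf.conf(5) before that example is relied on.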
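Review bot: The new `# override ports` block in config shows examples but not the grammar, so a user cannot tell that spaces are not allowed, that ranges are written `first-last` (the scripts translate them to `first:last` for iptables and pf), or that QUIC matches UDP while the other two match TCP. Suggest expanding the heading to `# override ports: comma-separated, ranges as first-last, no spaces; HTTP/HTTPS are tcp, QUIC is udp`.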
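Review bot: Commenting out `DISABLE_IPV6=1` in the `@@ -96,7 +101,7 @@` hunk flips the shipped default for anyone who copies this file, and it is unrelated to the port override the rest of the commit is about; the commit message (not shown here) should call it out, or it belongs in its own change. If it stays, the adjacent comment should state the new default, e.g. `# do not work with ipv6 (ipv6 is processed by default; uncomment to disable)`.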