ports override
parent
988af97fee
commit
b7a5f51064
@ -253,3 +253,21 @@ minsleep()
|
|||||||
{
|
{
|
||||||
msleep 100
|
msleep 100
|
||||||
}
|
}
|
||||||
|
|
||||||
|
replace_char()
|
||||||
|
{
|
||||||
|
local a=$1
|
||||||
|
local b=$2
|
||||||
|
shift; shift
|
||||||
|
echo "$@" | tr $a $b
|
||||||
|
}
|
||||||
|
|
||||||
|
std_ports()
|
||||||
|
{
|
||||||
|
HTTP_PORTS=${HTTP_PORTS:-80}
|
||||||
|
HTTPS_PORTS=${HTTPS_PORTS:-443}
|
||||||
|
QUIC_PORTS=${QUIC_PORTS:-443}
|
||||||
|
HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
|
||||||
|
HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
|
||||||
|
QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
|
||||||
|
}
|
||||||
|
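Review bot: std_ports takes HTTP_PORTS, HTTPS_PORTS and QUIC_PORTS from the config unchecked (L71-L91), and replace_char only swaps `-` for `:`, so a value containing spaces, a stray `;` or a shell metacharacter is carried verbatim into every rule string and only surfaces later as a broken iptables/nft/pf command instead of as a configuration error. A portable guard inserted after the defaults on L71-L79 and before the conversions on L83 would fail early: `case "$HTTP_PORTS$HTTPS_PORTS$QUIC_PORTS" in *[!0-9,-]*) echo "ERROR: HTTP_PORTS/HTTPS_PORTS/QUIC_PORTS must contain only digits, ',' and '-'" >&2; return 1;; esac`. replace_char also leaves `$a` and `$b` unquoted on L52; harmless for the fixed `-`/`:` callers here, but `tr "$a" "$b"` costs nothing and keeps the helper safe for other callers.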
@ -1,3 +1,5 @@
|
|||||||
|
std_ports
|
||||||
|
|
||||||
ipt()
|
ipt()
|
||||||
{
|
{
|
||||||
iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
|
iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
|
||||||
@ -50,11 +52,11 @@ filter_apply_port_target()
|
|||||||
# $1 - var name of iptables filter
|
# $1 - var name of iptables filter
|
||||||
local f
|
local f
|
||||||
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
||||||
f="-p tcp -m multiport --dports 80,443"
|
f="-p tcp -m multiport --dports $HTTP_PORTS_IPT,$HTTPS_PORTS_IPT"
|
||||||
elif [ "$MODE_HTTPS" = "1" ]; then
|
elif [ "$MODE_HTTPS" = "1" ]; then
|
||||||
f="-p tcp --dport 443"
|
f="-p tcp -m multiport --dports $HTTPS_PORTS_IPT"
|
||||||
elif [ "$MODE_HTTP" = "1" ]; then
|
elif [ "$MODE_HTTP" = "1" ]; then
|
||||||
f="-p tcp --dport 80"
|
f="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
|
||||||
else
|
else
|
||||||
echo WARNING !!! HTTP and HTTPS are both disabled
|
echo WARNING !!! HTTP and HTTPS are both disabled
|
||||||
fi
|
fi
|
||||||
@ -64,7 +66,7 @@ filter_apply_port_target_quic()
|
|||||||
{
|
{
|
||||||
# $1 - var name of nftables filter
|
# $1 - var name of nftables filter
|
||||||
local f
|
local f
|
||||||
f="-p udp --dport 443"
|
f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
|
||||||
eval $1="\"\$$1 $f\""
|
eval $1="\"\$$1 $f\""
|
||||||
}
|
}
|
||||||
filter_apply_ipset_target4()
|
filter_apply_ipset_target4()
|
||||||
@ -357,7 +359,7 @@ zapret_do_firewall_rules_ipt()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qn
|
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qn
|
||||||
else
|
else
|
||||||
if [ -n "$qn" ]; then
|
if [ -n "$qn" ]; then
|
||||||
f4="-p tcp --dport 80"
|
f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
|
||||||
ff="$f4"
|
ff="$f4"
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
||||||
ff="$ff $first_packet_only"
|
ff="$ff $first_packet_only"
|
||||||
@ -367,7 +369,7 @@ zapret_do_firewall_rules_ipt()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $ff)" $qn
|
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $ff)" $qn
|
||||||
fi
|
fi
|
||||||
if [ -n "$qns" ]; then
|
if [ -n "$qns" ]; then
|
||||||
f4="-p tcp --dport 443 $first_packet_only"
|
f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
|
||||||
filter_apply_ipset_target4 f4
|
filter_apply_ipset_target4 f4
|
||||||
fw_nfqws_post4 $1 "$f4 $desync" $qns
|
fw_nfqws_post4 $1 "$f4 $desync" $qns
|
||||||
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qns
|
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qns
|
||||||
@ -381,7 +383,7 @@ zapret_do_firewall_rules_ipt()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qn
|
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qn
|
||||||
else
|
else
|
||||||
if [ -n "$qn6" ]; then
|
if [ -n "$qn6" ]; then
|
||||||
f6="-p tcp --dport 80"
|
f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
|
||||||
ff="$f6"
|
ff="$f6"
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
||||||
ff="$ff $first_packet_only"
|
ff="$ff $first_packet_only"
|
||||||
@ -391,7 +393,7 @@ zapret_do_firewall_rules_ipt()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $ff)" $qn6
|
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $ff)" $qn6
|
||||||
fi
|
fi
|
||||||
if [ -n "$qns6" ]; then
|
if [ -n "$qns6" ]; then
|
||||||
f6="-p tcp --dport 443 $first_packet_only"
|
f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
|
||||||
filter_apply_ipset_target6 f6
|
filter_apply_ipset_target6 f6
|
||||||
fw_nfqws_post6 $1 "$f6 $desync" $qns6
|
fw_nfqws_post6 $1 "$f6 $desync" $qns6
|
||||||
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qns6
|
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qns6
|
||||||
|
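Review bot: The rewritten filters at L240, L278, L316 and L354 are passed through `reverse_nfqws_rule` (L225, L263, L291, L299, L337, L367) to build the autohostlist pre-rules, so that helper now has to rewrite `--dports` to `--sports` and leave `-m multiport` in place; if it still only knows `--dport `, the reversed rule keeps matching destination ports and the autohostlist path degrades without any error. Its body is outside this diff, so this needs checking against the current definition. Separately, `-m multiport` accepts at most 15 ports with a range counting as two, so a long HTTP_PORTS or HTTPS_PORTS list makes the `iptables -I` in `ipt()` fail at apply time; a size check where std_ports defines the variables, or a note in the config comments, would turn that into a clear message. `std_ports` is also now run when this file is sourced (L103) and reads the `*_PORTS` variables only at that moment, so the config has to be loaded before this include — the include order is not visible from here. zapret_do_firewall_rules_ipt starts and ends outside these hunks.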
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
# required for : nft -f -
|
# required for : nft -f -
|
||||||
create_dev_stdin
|
create_dev_stdin
|
||||||
|
std_ports
|
||||||
|
|
||||||
nft_create_table()
|
nft_create_table()
|
||||||
{
|
{
|
||||||
@ -279,11 +280,11 @@ nft_filter_apply_port_target()
|
|||||||
# $1 - var name of nftables filter
|
# $1 - var name of nftables filter
|
||||||
local f
|
local f
|
||||||
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
||||||
f="tcp dport {80,443}"
|
f="tcp dport {$HTTP_PORTS,$HTTPS_PORTS}"
|
||||||
elif [ "$MODE_HTTPS" = "1" ]; then
|
elif [ "$MODE_HTTPS" = "1" ]; then
|
||||||
f="tcp dport 443"
|
f="tcp dport {$HTTPS_PORTS}"
|
||||||
elif [ "$MODE_HTTP" = "1" ]; then
|
elif [ "$MODE_HTTP" = "1" ]; then
|
||||||
f="tcp dport 80"
|
f="tcp dport {$HTTP_PORTS}"
|
||||||
else
|
else
|
||||||
echo WARNING !!! HTTP and HTTPS are both disabled
|
echo WARNING !!! HTTP and HTTPS are both disabled
|
||||||
fi
|
fi
|
||||||
@ -293,7 +294,7 @@ nft_filter_apply_port_target_quic()
|
|||||||
{
|
{
|
||||||
# $1 - var name of nftables filter
|
# $1 - var name of nftables filter
|
||||||
local f
|
local f
|
||||||
f="udp dport 443"
|
f="udp dport {$QUIC_PORTS}"
|
||||||
eval $1="\"\$$1 $f\""
|
eval $1="\"\$$1 $f\""
|
||||||
}
|
}
|
||||||
nft_filter_apply_ipset_target4()
|
nft_filter_apply_ipset_target4()
|
||||||
@ -604,7 +605,7 @@ zapret_apply_firewall_rules_nft()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qn
|
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qn
|
||||||
else
|
else
|
||||||
if [ -n "$qn" ]; then
|
if [ -n "$qn" ]; then
|
||||||
f4="tcp dport 80"
|
f4="tcp dport {$HTTP_PORTS}"
|
||||||
ff="$f4"
|
ff="$f4"
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
|
||||||
ff="$ff $first_packet_only"
|
ff="$ff $first_packet_only"
|
||||||
@ -614,7 +615,7 @@ zapret_apply_firewall_rules_nft()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $ff)" $qn
|
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $ff)" $qn
|
||||||
fi
|
fi
|
||||||
if [ -n "$qns" ]; then
|
if [ -n "$qns" ]; then
|
||||||
f4="tcp dport 443 $first_packet_only"
|
f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
|
||||||
nft_filter_apply_ipset_target4 f4
|
nft_filter_apply_ipset_target4 f4
|
||||||
nft_fw_nfqws_post4 "$f4 $desync" $qns
|
nft_fw_nfqws_post4 "$f4 $desync" $qns
|
||||||
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qns
|
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qns
|
||||||
@ -628,7 +629,7 @@ zapret_apply_firewall_rules_nft()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qn
|
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qn
|
||||||
else
|
else
|
||||||
if [ -n "$qn6" ]; then
|
if [ -n "$qn6" ]; then
|
||||||
f6="tcp dport 80"
|
f6="tcp dport {$HTTP_PORTS}"
|
||||||
ff="$f6"
|
ff="$f6"
|
||||||
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
|
||||||
ff="$ff $first_packet_only"
|
ff="$ff $first_packet_only"
|
||||||
@ -638,7 +639,7 @@ zapret_apply_firewall_rules_nft()
|
|||||||
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $ff)" $qn6
|
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $ff)" $qn6
|
||||||
fi
|
fi
|
||||||
if [ -n "$qns6" ]; then
|
if [ -n "$qns6" ]; then
|
||||||
f6="tcp dport 443 $first_packet_only"
|
f6="tcp dport {$HTTPS_PORTS} $first_packet_only"
|
||||||
nft_filter_apply_ipset_target6 f6
|
nft_filter_apply_ipset_target6 f6
|
||||||
nft_fw_nfqws_post6 "$f6 $desync" $qns6
|
nft_fw_nfqws_post6 "$f6 $desync" $qns6
|
||||||
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qns6
|
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qns6
|
||||||
|
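Review bot: The nft filters at L522, L560, L598 and L636 go through `nft_reverse_nfqws_rule` (L507, L545, L573, L581, L619, L649), which now has to turn `tcp dport {…}` into `tcp sport {…}` with the braced set intact; its definition is not in this diff, so please confirm the substitution is not anchored on a bare numeric port. The comment at L379 shows the generated text is fed to `nft -f -`, so a malformed `*_PORTS` value does not fail one rule but alters or aborts the whole ruleset script, which is another reason to validate these variables at the point where std_ports defines them. In the dual-mode branch at L426, `{$HTTP_PORTS,$HTTPS_PORTS}` becomes an interval set as soon as either list contains a range, and nft may reject overlapping interval elements, so an overlap between the two lists is worth documenting or deduplicating. zapret_apply_firewall_rules_nft starts and ends outside these hunks.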
@ -4,6 +4,8 @@ PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret"
|
|||||||
PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
|
PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
|
||||||
PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
|
PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
|
||||||
|
|
||||||
|
std_ports
|
||||||
|
|
||||||
pf_anchor_root_reload()
|
pf_anchor_root_reload()
|
||||||
{
|
{
|
||||||
echo reloading PF root anchor
|
echo reloading PF root anchor
|
||||||
@ -107,11 +109,11 @@ pf_anchor_zapret_tables()
|
|||||||
pf_anchor_port_target()
|
pf_anchor_port_target()
|
||||||
{
|
{
|
||||||
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
|
||||||
echo "{80,443}"
|
echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
|
||||||
elif [ "$MODE_HTTPS" = "1" ]; then
|
elif [ "$MODE_HTTPS" = "1" ]; then
|
||||||
echo "443"
|
echo "{$HTTPS_PORTS_IPT}"
|
||||||
elif [ "$MODE_HTTP" = "1" ]; then
|
elif [ "$MODE_HTTP" = "1" ]; then
|
||||||
echo "80"
|
echo "{$HTTP_PORTS_IPT}"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
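Review bot: pf_anchor_port_target now emits the `_IPT` variants (L713, L723, L733) without saying why: pf writes a port range inside a list as `80:81`, the same `:` form iptables multiport uses, which is why the `-` form in HTTP_PORTS cannot be used here. A one-line comment above the `if` on L708 would stop a future reader from "fixing" it back to `$HTTP_PORTS`: `# pf port lists use ':' for ranges like iptables multiport, hence the _IPT variants`. `std_ports` is also invoked at L672 when this file is sourced, so HTTP_PORTS/HTTPS_PORTS/QUIC_PORTS must be populated before the include — the include order is not visible here.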
7
config
7
config
@ -37,6 +37,11 @@ GZIP_LISTS=1
|
|||||||
# set to "-" to disable reload
|
# set to "-" to disable reload
|
||||||
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
|
#LISTS_RELOAD="pfctl -f /etc/pf.conf"
|
||||||
|
|
||||||
|
# override ports
|
||||||
|
#HTTP_PORTS=80-81,85
|
||||||
|
#HTTPS_PORTS=443,500-501
|
||||||
|
#QUIC_PORTS=443,444
|
||||||
|
|
||||||
# CHOOSE OPERATION MODE
|
# CHOOSE OPERATION MODE
|
||||||
# MODE : nfqws,tpws,tpws-socks,filter,custom
|
# MODE : nfqws,tpws,tpws-socks,filter,custom
|
||||||
# nfqws : nfqws for dpi desync
|
# nfqws : nfqws for dpi desync
|
||||||
@ -96,7 +101,7 @@ INIT_APPLY_FW=1
|
|||||||
# do not work with ipv4
|
# do not work with ipv4
|
||||||
#DISABLE_IPV4=1
|
#DISABLE_IPV4=1
|
||||||
# do not work with ipv6
|
# do not work with ipv6
|
||||||
DISABLE_IPV6=1
|
#DISABLE_IPV6=1
|
||||||
|
|
||||||
# select which init script will be used to get ip or host list
|
# select which init script will be used to get ip or host list
|
||||||
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
|
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
|
||||||
|
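Review bot: `DISABLE_IPV6=1` is commented out at L824, which switches the shipped default from IPv6 disabled to IPv6 enabled; that is a behaviour change unrelated to "ports override" and deserves either its own commit or a sentence in the commit message, since users copying the new default config will get IPv6 rules they previously did not. The new override block at L771-L783 shows the syntax only by example; a comment stating the rules would avoid misconfiguration downstream, e.g. `# comma separated list, ranges with '-', no spaces; iptables multiport allows at most 15 ports (a range counts as 2)`.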