diff --git a/common/ipt.sh b/common/ipt.sh
index f564b5e..f170ef6 100644
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -1,5 +1,9 @@
 std_ports
 ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
+IPSET_EXCLUDE="-m set ! --match-set nozapret"
+IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
+IPBAN_EXCLUDE="-m set ! --match-set ipban"
+IPBAN_EXCLUDE6="-m set ! --match-set ipban6"
 ipt()
 {
@@ -132,7 +136,7 @@ _fw_tpws4()
 ipt_print_op $1 "$2" "tpws (port $3)"
- rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
+ rule="$2 $IPSET_EXCLUDE dst $IPBAN_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
 for i in $4 ; do
 ipt_add_del $1 PREROUTING -t nat -i $i $rule
 done
@@ -160,7 +164,7 @@ _fw_tpws6()
 ipt_print_op $1 "$2" "tpws (port $3)" 6
- rule="$2 $IPSET_EXCLUDE6 dst"
+ rule="$2 $IPSET_EXCLUDE6 dst $IPBAN_EXCLUDE6 dst"
 for i in $4 ; do
 _dnat6_target $i DNAT6
 [ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
diff --git a/common/nft.sh b/common/nft.sh
index 0bd764d..6d791a4 100644
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -387,8 +387,8 @@ _nft_fw_tpws4()
 [ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
 local filter="$1" port="$2"
 nft_print_op "$filter" "tpws (port $2)" 4
- nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
- nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
+ nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
+ nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
 prepare_route_localnet
 }
 }
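Review bot: The new IPBAN_EXCLUDE/IPBAN_EXCLUDE6 strings reference ipsets named ipban and ipban6 that nothing in this diff creates or checks for, and the same dependency appears in the _fw_tpws4 and _fw_tpws6 hunks below and as `@ipban`/`@ipban6` in the _nft_fw_tpws4 and _nft_fw_tpws6 hunks of common/nft.sh. If either set is absent when those functions insert their rules, the kernel rejects the whole DNAT rule, so the tpws redirect is silently not installed at all rather than merely lacking the exclusion; whether ipt_add_del or nft_insert_rule surfaces that failure is not visible here, so the set creation path (presumably create_ipset.sh, referenced as IPSET_CR in the init.d hunks) should be confirmed to always create both sets, even when empty, before these rules are added. The four assignments also deserve a comment stating what the two set pairs hold (presumably nozapret* are destinations to leave untouched and ipban* destinations blocked at the IP level) and the existence requirement, e.g. `# nozapret/nozapret6 and ipban/ipban6 must exist (even if empty) before any rule referencing them is inserted`. The ipt() definition that begins at the end of this hunk continues outside it.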
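Review bot: The exclusion fragment `ip daddr != @nozapret ip daddr != @ipban` is now repeated verbatim in both nft_insert_rule lines of the _nft_fw_tpws4 hunk, and its ip6 counterpart twice more in _nft_fw_tpws6, while the iptables side keeps the equivalent exclusions in the IPSET_EXCLUDE/IPBAN_EXCLUDE variables; a matching pair of variables for the nft backend would keep the two backends symmetric and give a single place to extend when another set is added. For example `NFT_DADDR_EXCLUDE="ip daddr != @nozapret ip daddr != @ipban"` and `NFT_DADDR_EXCLUDE6="ip6 daddr != @nozapret6 ip6 daddr != @ipban6"` (constructed names), with each rule passing `$NFT_DADDR_EXCLUDE` or `$NFT_DADDR_EXCLUDE6` in place of the literal fragment. Since nft_insert_rule already receives the rule as unquoted words, an unquoted variable expands to the same argument list as the literal does. The header of _nft_fw_tpws4 lies outside the hunk.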
@@ -402,9 +402,9 @@ _nft_fw_tpws6()
 [ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
 local filter="$1" port="$2" DNAT6 i
 nft_print_op "$filter" "tpws (port $port)" 6
- nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
+ nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
 [ -n "$3" ] && {
- nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
+ nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
 for i in $3; do
 _dnat6_target $i DNAT6
 # can be multiple tpws processes on different ports
diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions
index 2cd1e1f..7424723 100644
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@@ -30,10 +30,6 @@ LINKLOCAL_WAIT_SEC=5
 IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
-IPSET_EXCLUDE="-m set ! --match-set nozapret"
-IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-
-
 # can be multiple ipv6 outgoing interfaces
 # uplink from isp, tunnelbroker, vpn, ...
 # want them all. who knows what's the real one that blocks sites
diff --git a/init.d/sysv/functions b/init.d/sysv/functions
index abe6098..bfa3d99 100644
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@@ -93,10 +93,6 @@ TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=
 # max wait time for the link local ipv6 on the LAN interface
 LINKLOCAL_WAIT_SEC=5
-IPSET_EXCLUDE="-m set ! --match-set nozapret"
-IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-
-
 dnat6_target()
 {
 _dnat6_target "$@"