init.d: openwrt-minimal exclude localnet

docs/readme.txt

@@ -1732,9 +1732,10 @@ install_easy.sh автоматизирует ручные варианты пр
 Скопируйте бинарник tpws подходящей архитектуры в /usr/bin/tpws.
 Установите права на файлы : chmod 755 /etc/init.d/tpws /usr/bin/tpws
 Отредактируйте /etc/config/tpws
+Если не нужен ipv6, отредактируйте /etc/nftables.d/90-tpws.nft и закомментируйте строки с редиректом ipv6.
 /etc/init.d/tpws enable
 /etc/init.d/tpws start
-fw4 reload
+fw4 restart
 
 Полное удаление :
 
@@ -1759,6 +1760,7 @@ opkg install iptables-mod-extra
 Скопируйте бинарник tpws подходящей архитектуры в /usr/bin/tpws.
 Установите права на файлы : chmod 755 /etc/init.d/tpws /usr/bin/tpws
 Отредактируйте /etc/config/tpws
+Если не нужен ipv6, отредактируйте /etc/firewall.user и установите там DISABLE_IPV6=1.
 /etc/init.d/tpws enable
 /etc/init.d/tpws start
 fw3 restart

init.d/openwrt-minimal/readme.txt

@@ -11,9 +11,10 @@ Copy everything from tpws directory to the root of the router.
 Copy tpws binary for your architecture to /usr/bin/tpws
 Set proper access rights : chmod 755 /etc/init.d/tpws /usr/bin/tpws
 EDIT /etc/config/tpws
+If you don't want ipv6 : edit /etc/nftables.d and comment lines with ipv6 redirect
 /etc/init.d/tpws enable
 /etc/init.d/tpws start
-fw4 reload
+fw4 restart
 
 * full uninstall :
 
@@ -39,6 +40,7 @@ Copy everything from tpws directory to the root of the router.
 Copy tpws binary for your architecture to /usr/bin/tpws
 Set proper access rights : chmod 755 /etc/init.d/tpws /usr/bin/tpws
 EDIT /etc/config/tpws
+If you don't want ipv6 : edit /etc/firewall.user and set DISABLE_IPV6=1
 /etc/init.d/tpws enable
 /etc/init.d/tpws start
 fw3 restart

init.d/openwrt-minimal/tpws/etc/firewall.user

@@ -1,6 +1,12 @@
+DISABLE_IPV6=0
 TP_PORT=900
 TP_USER=daemon
 
+EXCLUDE4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8"
+EXCLUDE6="fc00::/7 fe80::/10 ::1"
+IPTS="iptables ip6tables"
+[ "$DISABLE_IPV6" = 1 ] && IPTS=iptables
+
 exists()
 {
 	which "$1" >/dev/null 2>/dev/null
@@ -8,13 +14,12 @@ exists()
 
 ipt()
 {
-	$IPTABLES $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || $IPTABLES $FW_EXTRA_PRE -I "$@" $FW_EXTRA_POST
+	$IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@"
 }
 
 redirect_port()
 {
-	ipt PREROUTING -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
+	ipt tpws -t nat -p tcp --dport $1 -j REDIRECT --to-port $2
-	ipt OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TP_USER -j REDIRECT --to-port $2
 }
 
 redirect()
@@ -23,6 +28,22 @@ redirect()
 	redirect_port 443 $TP_PORT
 }
 
-for IPTABLES in iptables ip6tables; do
+for IPTABLES in $IPTS; do
-	exists $IPTABLES && redirect
+	$IPTABLES -t nat -N tpws 2>/dev/null
+	$IPTABLES -t nat -F tpws
+	redirect
+done
+
+for net in $EXCLUDE4; do
+	iptables -t nat -I tpws -d $net -j RETURN
+done
+[ "$DISABLE_IPV6" = 1 ] || {
+	for net in $EXCLUDE6; do
+		ip6tables -t nat -I tpws -d $net -j RETURN
+	done
+}
+
+for IPTABLES in $IPTS; do
+	ipt PREROUTING -t nat -j tpws
+	ipt OUTPUT -t nat -m owner ! --uid-owner $TP_USER -j tpws
 done

init.d/openwrt-minimal/tpws/etc/nftables.d/90-tpws.nft

@@ -1,8 +1,18 @@
-chain tpws_re {
+set tpws_exclude4 {
+	type ipv4_addr; flags interval; auto-merge;
+        elements = { 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,127.0.0.0/8 }
+}
+set tpws_exclude6 {
+	type ipv6_addr; flags interval; auto-merge;
+        elements = { fc00::/7, fe80::/10, ::1 }
+}
+chain tpws_pre {
 	type nat hook prerouting priority dstnat; policy accept;
-	tcp dport {80,443} redirect to :900
+	tcp dport {80,443} ip daddr != @tpws_exclude4 redirect to :900
+	tcp dport {80,443} ip6 daddr != @tpws_exclude6 redirect to :900
 }
 chain tpws_out {
 	type nat hook output priority -100; policy accept;
-	tcp dport {80,443} skuid != daemon redirect to :900
+	tcp dport {80,443} skuid != daemon ip daddr != @tpws_exclude4 redirect to :900
+	tcp dport {80,443} skuid != daemon ip6 daddr != @tpws_exclude6 redirect to :900
 }