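# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
#
# Entry points called by the zapret library:
#   zapret_custom_daemons            - start/stop the extra nfqws instance on its own queue
#   zapret_custom_firewall           - iptables/ipset rules (create + fill the set, attach rule)
#   zapret_custom_firewall_nft       - nftables equivalent (set is created and filled here)
#   zapret_custom_firewall_nft_flush - drop the nft set after all nft rules are gone
#
# alloc_dnum, alloc_qnum, do_nfqws, replace_char, fw_nfqws_post, make_comma_list,
# nft_create_set, nft_flush_set, nft_add_set_element, nft_fw_nfqws_post, nft_del_set
# and the variables ipt_connbytes / nft_connbytes are not defined in this file;
# they are expected from the zapret library that sources it.

# can override in config :
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
# port range in "from-to" form (nft syntax); converted to "from:to" for iptables below
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
# space separated ipv4 subnets; unquoted word splitting of this value below is intentional
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"

# daemon slot and NFQUEUE number for this instance, assigned by the library
alloc_dnum DNUM_NFQWS_MY1
alloc_qnum QNUM_NFQWS_MY1

# name of the ipset / nft set that holds NFQWS_MY1_SUBNETS
NFQWS_MY1_SET_NAME=my1nfqws4

# Start or stop the extra nfqws instance bound to QNUM_NFQWS_MY1.
# $1 - 1 - run, 0 - stop
zapret_custom_daemons()
{
	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
	do_nfqws "$1" "$DNUM_NFQWS_MY1" "$opt"
}

# iptables/ipset rules for the extra instance.
# $1 - 1 - run, 0 - stop
zapret_custom_firewall()
{
	local f subnet ports_ipt
	# only the first 3 packets of a connection are diverted to nfqws
	local first_packets_only="$ipt_connbytes 1:3"
	# restrict the rule to destinations in the ipset
	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
	# asks the fw_* helpers to skip ipv6 : the set is ipv4 only
	local DISABLE_IPV6=1

	# iptables multiport uses "from:to", NFQWS_MY1_PORTS is "from-to"
	# (assignment kept separate from "local" so the helper's exit status is not masked)
	ports_ipt=$(replace_char - : "$NFQWS_MY1_PORTS")

	if [ "$1" = 1 ]; then
		# set may already exist from a previous run; "create" failing on that is expected
		ipset create "$NFQWS_MY1_SET_NAME" hash:net hashsize 8192 maxelem 4096 2>/dev/null
		ipset flush "$NFQWS_MY1_SET_NAME"
		# -! : do not abort the restore on "element already exists"
		for subnet in $NFQWS_MY1_SUBNETS; do
			echo add "$NFQWS_MY1_SET_NAME" "$subnet"
		done | ipset -! restore
	fi

	f="-p udp -m multiport --dports $ports_ipt"
	fw_nfqws_post "$1" "$f $first_packets_only $dest_set" "" "$QNUM_NFQWS_MY1"

	if [ "$1" != 1 ]; then
		# set is gone when nothing was started; error is expected then
		ipset destroy "$NFQWS_MY1_SET_NAME" 2>/dev/null
	fi
}

# nftables rules for the extra instance. Called for start only.
# stop logic is not required : rules are removed by the library,
# the set is removed in zapret_custom_firewall_nft_flush
zapret_custom_firewall_nft()
{
	local f subnets
	# only the first 3 packets of a connection are diverted to nfqws
	local first_packets_only="$nft_connbytes 1-3"
	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
	# asks the nft_* helpers to skip ipv6 : the set is ipv4_addr only
	local DISABLE_IPV6=1

	# nft set elements are given as a comma separated list
	make_comma_list subnets $NFQWS_MY1_SUBNETS
	nft_create_set "$NFQWS_MY1_SET_NAME" "type ipv4_addr; size 4096; auto-merge; flags interval;"
	nft_flush_set "$NFQWS_MY1_SET_NAME"
	nft_add_set_element "$NFQWS_MY1_SET_NAME" "$subnets"

	f="udp dport {$NFQWS_MY1_PORTS}"
	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" "$QNUM_NFQWS_MY1"
}

# this function is called after all nft fw rules are deleted
# however sets are not deleted. it's desired to clear sets here.
zapret_custom_firewall_nft_flush()
{
	# set is absent when the nft path was never started; error is expected then
	nft_del_set "$NFQWS_MY1_SET_NAME" 2>/dev/null
}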