zapret/common/linux_fw.sh

set_conntrack_liberal_mode() {
	[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal="$1"
}
zapret_do_firewall() {
	linux_fwtype

	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK

	case "$FWTYPE" in
	iptables)
		zapret_do_firewall_ipt "$@"
		;;
	nftables)
		zapret_do_firewall_nft "$@"
		;;
	esac

	# Russian DPI sends RST,ACK with wrong ACK.
	# this is sometimes treated by conntrack as invalid and connbytes fw rules do not pass RST packet to nfqws.
	# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop
	# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
	# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
	[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"

	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK

	return 0
}
zapret_apply_firewall() {
	zapret_do_firewall 1 "$@"
}
zapret_unapply_firewall() {
	zapret_do_firewall 0 "$@"
}

first_packets_for_mode() {
	# autohostlist and autottl modes requires incoming traffic sample
	# always use conntrack packet limiter or nfqws will deal with gigabytes
	local n
	if [ "$MODE_FILTER" = "autohostlist" ]; then
		n=$((6 + ${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
	else
		n=6
	fi
	echo $n
}
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`set_conntrack_liberal_mode() {`
			`[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] \|\| sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal="$1"`
autohostlist mode 2023-10-26 15:12:32 +03:00			`}`
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`zapret_do_firewall() {`
nftables support 2022-02-15 17:15:36 +03:00			`linux_fwtype`

init: firewall apply hooks 2022-02-18 12:35:06 +03:00			`[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK`
			`[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK`

nftables support 2022-02-15 17:15:36 +03:00			`case "$FWTYPE" in`
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`iptables)`
			`zapret_do_firewall_ipt "$@"`
			`;;`
			`nftables)`
			`zapret_do_firewall_nft "$@"`
			`;;`
nftables support 2022-02-15 17:15:36 +03:00			`esac`

Fixed typos, misspellings, abbreviations, Markdown linting, etc. 2024-09-17 16:12:39 +03:00			`# Russian DPI sends RST,ACK with wrong ACK.`
autohostlist mode 2023-10-26 15:12:32 +03:00			`# this is sometimes treated by conntrack as invalid and connbytes fw rules do not pass RST packet to nfqws.`
tcp_be_liberal info 2023-10-29 13:04:04 +03:00			`# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop`
autohostlist mode 2023-10-26 15:12:32 +03:00			`# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode`
			`# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules`
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"`

init: firewall apply hooks 2022-02-18 12:35:06 +03:00			`[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK`
			`[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK`

nftables support 2022-02-15 17:15:36 +03:00			`return 0`
			`}`
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`zapret_apply_firewall() {`
nftables support 2022-02-15 17:15:36 +03:00			`zapret_do_firewall 1 "$@"`
			`}`
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`zapret_unapply_firewall() {`
nftables support 2022-02-15 17:15:36 +03:00			`zapret_do_firewall 0 "$@"`
			`}`
autottl, datanoack, oob, postnat 2024-03-02 17:53:37 +03:00
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`first_packets_for_mode() {`
autottl, datanoack, oob, postnat 2024-03-02 17:53:37 +03:00			`# autohostlist and autottl modes requires incoming traffic sample`
			`# always use conntrack packet limiter or nfqws will deal with gigabytes`
			`local n`
			`if [ "$MODE_FILTER" = "autohostlist" ]; then`
`shellcheck` linting and formatting shell scripts 2024-09-17 16:18:29 +03:00			`n=$((6 + ${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))`
autottl, datanoack, oob, postnat 2024-03-02 17:53:37 +03:00			`else`
			`n=6`
			`fi`
			`echo $n`
old dash compat 2024-05-04 16:01:09 +03:00			`}`