init: firewall apply hooks

2024-11-11 17:29:16 +05:00 · 2022-02-18 12:35:06 +03:00 · 2022-02-18 12:35:06 +03:00 · 1b25b0e64f
commit 1b25b0e64f
parent 1fb0195e62
5 changed files with 36 additions and 7 deletions
--- a/common/linux_fw.sh
+++ b/common/linux_fw.sh
@ -2,6 +2,9 @@ zapret_do_firewall()
 {
 	linux_fwtype

+	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
+
 	case "$FWTYPE" in
 		iptables)
 			zapret_do_firewall_ipt "$@"
@ -11,6 +14,9 @@ zapret_do_firewall()
 			;;
 	esac

+	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
+
 	return 0
 }
 zapret_apply_firewall()
--- a/7
+++ b/7
@ -71,8 +71,13 @@ FLOWOFFLOAD=donttouch
 #IFACE_WAN=eth1

 # should start/stop command of init scripts apply firewall rules ?
-# not applicable to openwrt with firewall3+iptables
+# not applicable to older openwrt with fw3 firewall
 INIT_APPLY_FW=1
+# firewall apply hooks
+#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"

 # do not work with ipv4
 #DISABLE_IPV4=1
--- a/docs/readme.eng.md
+++ b/docs/readme.eng.md
@ -859,6 +859,15 @@ Calls `nft -t list table inet zapret`.
 /opt/zapret/init.d/sysv/zapret list_table
 ```

+It's also possible to hook with your script to any stage of zapret firewall processing.
+The following settings are available in the zapret config file :
+
+```
+INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
+```

 ## Installation

--- a/docs/readme.txt
+++ b/docs/readme.txt
@ -1014,6 +1014,15 @@ nftables сводят практически на нет конфликты ме
 Просмотр таблицы без содержимого set-ов. Вызывает nft -t list table inet zapret
 /opt/zapret/init.d/sysv/zapret list_table

+Так же возможно прицепиться своим скриптом к любой стадии применения и снятия фаервола со стороны zapret скриптов :
+
+INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
+INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
+INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
+INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
+
+Эти настройки доступны в config.
+
 Вариант custom
 --------------

--- a/init.d/macos/functions
+++ b/init.d/macos/functions
@ -119,6 +119,9 @@ zapret_do_firewall()
 {
 	# $1 - 1 - add, 0 - del

+	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
+
 	case "${MODE_OVERRIDE:-$MODE}" in
 		tpws|filter|custom)
 			if [ "$1" = "1" ] ; then
@ -130,14 +133,11 @@ zapret_do_firewall()
 				pf_anchors_clear
 			fi
 			;;
-		tpws-socks)
-			;;
-		*)
-			echo "unsupported MODE=$MODE"
-			return 1
-			;;
 	esac

+	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
+
 	return 0
 }
 zapret_apply_firewall()