init: firewall apply hooks

bol-van 2022-02-18 12:35:06 +03:00
parent 1fb0195e62
commit 1b25b0e64f
5 changed files with 36 additions and 7 deletions


@ -2,6 +2,9 @@ zapret_do_firewall()
{ {
linux_fwtype linux_fwtype
[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
case "$FWTYPE" in case "$FWTYPE" in
iptables) iptables)
zapret_do_firewall_ipt "$@" zapret_do_firewall_ipt "$@"
@ -11,6 +14,9 @@ zapret_do_firewall()
;; ;;
esac esac
[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
return 0 return 0
} }
zapret_apply_firewall() zapret_apply_firewall()
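Review bot: The pre-up/pre-down lines expand `$INIT_FW_PRE_UP_HOOK` and `$INIT_FW_PRE_DOWN_HOOK` unquoted, and the post hooks at the end of the second hunk do the same, so the configured value is word-split and glob-expanded before it is executed and a hook that exits non-zero is silently ignored; the BSD copy in the last file section carries the same four lines. If the value is meant to be a bare path, as the config examples suggest, quoting it and requiring an executable file avoids running anything other than the configured file, e.g. `[ "$1" = 1 ] && [ -x "$INIT_FW_PRE_UP_HOOK" ] && "$INIT_FW_PRE_UP_HOOK"` (the `-x` test already covers the empty case), and if the hook is allowed to fail without stopping the firewall setup that is worth a one-line comment. The `[ a -a b ]` form is the deprecated test syntax; two `[ ]` tests joined with `&&` are unambiguous. zapret_do_firewall continues between the two hunks shown here.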

7
config

@ -71,8 +71,13 @@ FLOWOFFLOAD=donttouch
#IFACE_WAN=eth1 #IFACE_WAN=eth1
# should start/stop command of init scripts apply firewall rules ? # should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables # not applicable to older openwrt with fw3 firewall
INIT_APPLY_FW=1 INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
# do not work with ipv4 # do not work with ipv4
#DISABLE_IPV4=1 #DISABLE_IPV4=1
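Review bot: The `# firewall apply hooks` comment above the four new settings does not say when each hook runs, what it receives or what the value must be, which is what someone editing this file needs. In the init scripts of this commit the value is run as a command with no arguments and its exit status is not checked, so a fuller comment such as `# optional hooks run by the init scripts before/after firewall rules are applied (up) or removed (down); the value is executed as a command with no arguments and its exit status is ignored` would make the contract explicit. Since the init scripts presumably run with elevated privileges, the comment could also advise that the hook files be owned by the same account and not writable by others.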


@ -859,6 +859,15 @@ Calls `nft -t list table inet zapret`.
/opt/zapret/init.d/sysv/zapret list_table /opt/zapret/init.d/sysv/zapret list_table
``` ```
It's also possible to hook with your script to any stage of zapret firewall processing.
The following settings are available in the zapret config file :
```
INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
```
## Installation ## Installation


@ -1014,6 +1014,15 @@ nftables сводят практически на нет конфликты ме
Просмотр таблицы без содержимого set-ов. Вызывает nft -t list table inet zapret Просмотр таблицы без содержимого set-ов. Вызывает nft -t list table inet zapret
/opt/zapret/init.d/sysv/zapret list_table /opt/zapret/init.d/sysv/zapret list_table
Так же возможно прицепиться своим скриптом к любой стадии применения и снятия фаервола со стороны zapret скриптов :
INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up"
INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up"
INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down"
INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down"
Эти настройки доступны в config.
Вариант custom Вариант custom
-------------- --------------


@ -119,6 +119,9 @@ zapret_do_firewall()
{ {
# $1 - 1 - add, 0 - del # $1 - 1 - add, 0 - del
[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
case "${MODE_OVERRIDE:-$MODE}" in case "${MODE_OVERRIDE:-$MODE}" in
tpws|filter|custom) tpws|filter|custom)
if [ "$1" = "1" ] ; then if [ "$1" = "1" ] ; then
@ -130,14 +133,11 @@ zapret_do_firewall()
pf_anchors_clear pf_anchors_clear
fi fi
;; ;;
tpws-socks)
;;
*)
echo "unsupported MODE=$MODE"
return 1
;;
esac esac
[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
return 0 return 0
} }
zapret_apply_firewall() zapret_apply_firewall()
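Review bot: With the `*)` arm gone from the second hunk, the new side of the `case` has no default, so an unrecognised MODE value no longer reports `unsupported MODE=` and returns 1 but falls through to the post hooks and `return 0`, making a misconfiguration look like success. Unless MODE is validated before this function is reached, keeping a one-line default arm such as `*) echo "unsupported MODE=$MODE"; return 1 ;;` preserves the earlier failure signal; if the removal is deliberate because `tpws-socks` and unknown modes need no rules, a comment on the `esac` saying so would help. zapret_do_firewall starts in the first hunk of this section and the code between the two hunks is not shown.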