diff --git a/common/ipt.sh b/common/ipt.sh index fc74a20..1307145 100644 --- a/common/ipt.sh +++ b/common/ipt.sh @@ -244,27 +244,10 @@ fw_nfqws_post() } -zapret_do_firewall_ipt() +zapret_do_firewall_rules_ipt() { - # $1 - 1 - add, 0 - del - - if [ "$1" = 1 ]; then - echo Applying iptables - else - echo Clearing iptables - fi - local mode="${MODE_OVERRIDE:-$MODE}" - [ "$mode" = "tpws-socks" ] && return 0 - - local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4" - local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - local f4 f6 qn qns qn6 qns6 - - # always create ipsets. ip_exclude ipset is required - [ "$1" = 1 ] && create_ipset no-update - case "$mode" in tpws) if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then @@ -321,6 +304,30 @@ zapret_do_firewall_ipt() existf zapret_custom_firewall && zapret_custom_firewall $1 ;; esac +} + +zapret_do_firewall_ipt() +{ + # $1 - 1 - add, 0 - del + + if [ "$1" = 1 ]; then + echo Applying iptables + else + echo Clearing iptables + fi + + local mode="${MODE_OVERRIDE:-$MODE}" + + [ "$mode" = "tpws-socks" ] && return 0 + + local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4" + local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" + local f4 f6 qn qns qn6 qns6 + + # always create ipsets. ip_exclude ipset is required + [ "$1" = 1 ] && create_ipset no-update + + zapret_do_firewall_rules_ipt "$@" if [ "$1" = 1 ] ; then existf flow_offloading_exempt && flow_offloading_exempt diff --git a/common/linux_iphelper.sh b/common/linux_iphelper.sh index db0516f..3c737aa 100644 --- a/common/linux_iphelper.sh +++ b/common/linux_iphelper.sh @@ -91,7 +91,6 @@ _set_route_localnet() { # $1 - 1 = enable, 0 = disable # $2,$3,... - interface names - [ "$DISABLE_IPV4" = "1" ] || { local enable="$1" shift diff --git a/common/nft.sh b/common/nft.sh index 2e33fb2..4bc2247 100644 --- a/common/nft.sh +++ b/common/nft.sh 
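Review bot: After the split, `zapret_do_firewall_rules_ipt` no longer declares `first_packet_only`, `desync`, `f4 f6 qn qns qn6 qns6` itself; it only works because those are `local`s of `zapret_do_firewall_ipt` and the shell's dynamic scoping makes them visible to the callee. A caller that has not set them (a custom script invoking the rules function directly, outside the wrapper) would presumably emit rules without the `connbytes` and `DESYNC_MARK` matches, which is broader than the built-in modes intend, and nothing in the hunk documents that precondition. Suggest a header comment right after `zapret_do_firewall_rules_ipt()` such as `# $1 - 1 - add, 0 - del. Not standalone: relies on the caller (zapret_do_firewall_ipt, or a custom script it invoked) having set first_packet_only, desync, f4 f6 qn qns qn6 qns6 as locals and having created the ipsets.` The body of `zapret_do_firewall_rules_ipt` continues past the end of this hunk, so the remaining uses of those variables are not visible here.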
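Review bot: The new wrapper forwards `"$@"` to `zapret_do_firewall_rules_ipt`, whose own contract (per the moved comment) is only `$1` as add/del; forwarding everything is harmless but hides that contract, and the nftables counterpart `zapret_apply_firewall_rules_nft` takes no arguments at all. `zapret_do_firewall_rules_ipt "$1"` would state what is actually consumed. Note also that the `custom)` arm of the rules function calls `zapret_custom_firewall $1`, and the new custom example scripts call back into `zapret_do_firewall_rules_ipt`; that round-trip terminates only because they override `mode` to something other than `custom`, which is worth a comment on the `custom)` arm. The rest of `zapret_do_firewall_ipt` (flow offloading and later steps) lies outside this hunk.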
@@ -437,22 +437,10 @@ zapret_list_table() return 0 } -zapret_apply_firewall_nft() +zapret_apply_firewall_rules_nft() { - echo Applying nftables - local mode="${MODE_OVERRIDE:-$MODE}" - [ "$mode" = "tpws-socks" ] && return 0 - - local first_packet_only="ct original packets 1-4" - local desync="mark and $DESYNC_MARK == 0" - local f4 f6 qn qns qn6 qns6 - - create_ipset no-update - nft_create_firewall - nft_fill_ifsets_overload - case "$mode" in tpws) if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then @@ -508,6 +496,25 @@ zapret_apply_firewall_nft() existf zapret_custom_firewall_nft && zapret_custom_firewall_nft ;; esac +} + +zapret_apply_firewall_nft() +{ + echo Applying nftables + + local mode="${MODE_OVERRIDE:-$MODE}" + + [ "$mode" = "tpws-socks" ] && return 0 + + local first_packet_only="ct original packets 1-4" + local desync="mark and $DESYNC_MARK == 0" + local f4 f6 qn qns qn6 qns6 + + create_ipset no-update + nft_create_firewall + nft_fill_ifsets_overload + + zapret_apply_firewall_rules_nft [ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && nft_apply_flow_offloading diff --git a/init.d/openwrt/custom-reuse-builtin-mode b/init.d/openwrt/custom-reuse-builtin-mode new file mode 100644 index 0000000..2a4a98c --- /dev/null +++ b/init.d/openwrt/custom-reuse-builtin-mode 
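Review bot: `zapret_apply_firewall_rules_nft` has the same implicit dependency as its iptables twin: `first_packet_only` ("ct original packets 1-4") and `desync` ("mark and $DESYNC_MARK == 0") are now `local`s of `zapret_apply_firewall_nft`, reached only through dynamic scoping, and `nft_create_firewall`/`create_ipset`/`nft_fill_ifsets_overload` are assumed to have already run. If a custom script calls the rules function without that setup, the generated rules would presumably lack the mark exclusion, so the precondition deserves to be stated; suggest adding after `zapret_apply_firewall_rules_nft()`: `# Not standalone: expects the caller (zapret_apply_firewall_nft or a custom script it invoked) to have created the table/ipsets and set first_packet_only, desync, f4 f6 qn qns qn6 qns6.` The body of the rules function continues beyond this hunk.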
@@ -0,0 +1,46 @@ +# this custom script demonstrates how to reuse built-in modes and add something from yourself + +MY_TPPORT=$(($TPPORT + 1)) +MY_TPWS_OPT="--methodeol --hostcase" +MY_DPORT=81 + +zapret_custom_daemons() +{ + # stop logic is managed by procd + local MODE_OVERRIDE=tpws + local opt + + start_daemons_procd + + opt="--port=$MY_TPPORT $MY_TPWS_OPT" + filter_apply_hostlist_target opt + run_tpws 100 "$opt" +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local MODE_OVERRIDE=tpws + local f4 f6 + + zapret_do_firewall_rules_ipt $1 + + f4="--dport $MY_DPORT" + f6=$f4 + filter_apply_ipset_target f4 f6 + fw_tpws $1 "$f4" "$f6" $MY_TPPORT +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + local MODE_OVERRIDE=tpws + local f4 f6 + + zapret_apply_firewall_rules_nft + + f4="tcp dport $MY_DPORT" + f6=$f4 + nft_filter_apply_ipset_target f4 f6 + nft_fw_tpws "$f4" "$f6" $MY_TPPORT +} diff --git a/init.d/sysv/custom-reuse-builtin-mode b/init.d/sysv/custom-reuse-builtin-mode new file mode 100644 index 0000000..c741f00 --- /dev/null +++ b/init.d/sysv/custom-reuse-builtin-mode 
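Review bot: `MY_TPPORT=$(($TPPORT + 1))` evaluates to `1` when `TPPORT` is unset or empty, so `run_tpws` would listen on and `fw_tpws`/`nft_fw_tpws` would redirect port 81 traffic to TCP port 1 rather than failing loudly; since this file is meant to be copied and adapted, a guard such as `MY_TPPORT=$((${TPPORT:?TPPORT must be set} + 1))` is cheap insurance. The `local MODE_OVERRIDE=tpws` lines are also load-bearing in a non-obvious way: `zapret_do_firewall_rules_ipt`/`zapret_apply_firewall_rules_nft` dispatch on `${MODE_OVERRIDE:-$MODE}`, and their `custom)` arm calls back into these very hooks, so a value of `custom` here would recurse without bound; suggest the comment `# must be a built-in mode (never "custom"): the built-in rules function would otherwise call back into this hook`. Finally, `$MY_TPPORT` is passed unquoted to `fw_tpws` and `nft_fw_tpws`; `"$MY_TPPORT"` is the safer habit even though the value is numeric here.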
@@ -0,0 +1,47 @@ +# this custom script demonstrates how to reuse built-in modes and add something from yourself + +MY_TPPORT=$(($TPPORT + 1)) +MY_TPWS_OPT="--methodeol --hostcase" +MY_DPORT=81 + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + local MODE_OVERRIDE=tpws + local opt + + zapret_do_daemons $1 + + opt="--port=$MY_TPPORT $MY_TPWS_OPT" + filter_apply_hostlist_target opt + do_tpws $1 100 "$opt" +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local MODE_OVERRIDE=tpws + local f4 f6 + + zapret_do_firewall_rules_ipt $1 + + f4="--dport $MY_DPORT" + f6=$f4 + filter_apply_ipset_target f4 f6 + fw_tpws $1 "$f4" "$f6" $MY_TPPORT +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + local MODE_OVERRIDE=tpws + local f4 f6 + + zapret_apply_firewall_rules_nft + + f4="tcp dport $MY_DPORT" + f6=$f4 + nft_filter_apply_ipset_target f4 f6 + nft_fw_tpws "$f4" "$f6" $MY_TPPORT +}
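Review bot: As in the OpenWrt variant, `MY_TPPORT=$(($TPPORT + 1))` silently becomes `1` if `TPPORT` is unset, which would have `do_tpws` bind port 1 and the firewall redirect dport 81 there; `MY_TPPORT=$((${TPPORT:?TPPORT must be set} + 1))` makes the misconfiguration fail at load time instead. In `zapret_custom_daemons` the add/stop flag `$1` is forwarded correctly to both `zapret_do_daemons` and `do_tpws`, but a one-line note that `MODE_OVERRIDE` must name a built-in mode (the built-in functions' `custom)` arm would otherwise re-enter these hooks) would spare the next person copying this template a hang. `$MY_TPPORT` should also be quoted in the `fw_tpws` and `nft_fw_tpws` calls for consistency with `"$f4" "$f6"`.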