mirror of
https://github.com/bol-van/zapret.git
synced 2025-01-07 17:00:34 +05:00
init: nft_fill_ifsets universal
This commit is contained in:
parent
a770ae10c8
commit
4dd8635f6b
@ -75,6 +75,11 @@ make_comma_list()
|
|||||||
shift
|
shift
|
||||||
make_separator_list $var , "$@"
|
make_separator_list $var , "$@"
|
||||||
}
|
}
|
||||||
|
unique()
|
||||||
|
{
|
||||||
|
local i
|
||||||
|
for i in "$@"; do echo $i; done | sort -u | xargs
|
||||||
|
}
|
||||||
|
|
||||||
is_linked_to_busybox()
|
is_linked_to_busybox()
|
||||||
{
|
{
|
||||||
@ -133,3 +138,23 @@ create_dev_stdin()
|
|||||||
{
|
{
|
||||||
[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
|
[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
|
||||||
}
|
}
|
||||||
|
|
||||||
|
call_for_multiple_items()
|
||||||
|
{
|
||||||
|
# $1 - function to get an item
|
||||||
|
# $2 - variable name to put result into
|
||||||
|
# $3 - space separated parameters to function $1
|
||||||
|
|
||||||
|
local i item items
|
||||||
|
for i in $3; do
|
||||||
|
$1 item $i
|
||||||
|
[ -n "$item" ] && {
|
||||||
|
if [ -n "$items" ]; then
|
||||||
|
items="$items $item"
|
||||||
|
else
|
||||||
|
items="$item"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
done
|
||||||
|
eval $2=\"$items\"
|
||||||
|
}
|
||||||
|
@ -119,7 +119,7 @@ nft_list_ifsets()
|
|||||||
nft list set inet $ZAPRET_NFT_TABLE lanif
|
nft list set inet $ZAPRET_NFT_TABLE lanif
|
||||||
nft list set inet $ZAPRET_NFT_TABLE wanif
|
nft list set inet $ZAPRET_NFT_TABLE wanif
|
||||||
nft list set inet $ZAPRET_NFT_TABLE wanif6
|
nft list set inet $ZAPRET_NFT_TABLE wanif6
|
||||||
nft list flowtable inet $ZAPRET_NFT_TABLE ft
|
nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
nft_create_firewall()
|
nft_create_firewall()
|
||||||
@ -223,6 +223,57 @@ nft_filter_apply_ipset_target()
|
|||||||
nft_filter_apply_ipset_target6 $2
|
nft_filter_apply_ipset_target6 $2
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
nft_script_add_ifset_element()
|
||||||
|
{
|
||||||
|
# $1 - set name
|
||||||
|
# $2 - space separated elements
|
||||||
|
local elements
|
||||||
|
[ -n "$2" ] && {
|
||||||
|
make_comma_list elements $2
|
||||||
|
script="${script}
|
||||||
|
add element inet $ZAPRET_NFT_TABLE $1 { $elements }"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
nft_fill_ifsets()
|
||||||
|
{
|
||||||
|
# $1 - space separated lan interface names
|
||||||
|
# $2 - space separated wan interface names
|
||||||
|
# $3 - space separated wan6 interface names
|
||||||
|
|
||||||
|
local script i ALLDEVS
|
||||||
|
|
||||||
|
# if large sets exist nft works very ineffectively
|
||||||
|
# looks like it analyzes the whole table blob to find required data pieces
|
||||||
|
# calling all in one shot helps not to waste cpu time many times
|
||||||
|
|
||||||
|
script="flush set inet $ZAPRET_NFT_TABLE wanif
|
||||||
|
flush set inet $ZAPRET_NFT_TABLE wanif6
|
||||||
|
flush set inet $ZAPRET_NFT_TABLE lanif"
|
||||||
|
|
||||||
|
[ "$DISABLE_IPV4" = "1" ] || nft_script_add_ifset_element wanif "$2"
|
||||||
|
[ "$DISABLE_IPV6" = "1" ] || nft_script_add_ifset_element wanif6 "$3"
|
||||||
|
nft_script_add_ifset_element lanif "$1"
|
||||||
|
|
||||||
|
echo "$script" | nft -f -
|
||||||
|
|
||||||
|
case "$FLOWOFFLOAD" in
|
||||||
|
software)
|
||||||
|
ALLDEVS=$(unique $1 $2 $3)
|
||||||
|
nft_create_or_update_flowtable '' $ALLDEVS
|
||||||
|
;;
|
||||||
|
hardware)
|
||||||
|
ALLDEVS=$(unique $1 $2 $3)
|
||||||
|
# first create unbound flowtable. may cause error in older nft version
|
||||||
|
nft_create_or_update_flowtable 'offload' 2>/dev/null
|
||||||
|
# then add elements. some of them can cause error because unsupported
|
||||||
|
for i in $ALLDEVS; do
|
||||||
|
nft_hw_offload_supported $i && nft_create_or_update_flowtable 'offload' $i
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
nft_only()
|
nft_only()
|
||||||
{
|
{
|
||||||
linux_fwtype
|
linux_fwtype
|
||||||
@ -236,7 +287,7 @@ nft_only()
|
|||||||
|
|
||||||
zapret_reload_ifsets()
|
zapret_reload_ifsets()
|
||||||
{
|
{
|
||||||
nft_only nft_create_table ; nft_fill_ifsets
|
nft_only nft_create_table ; nft_fill_ifsets_overload
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
zapret_list_ifsets()
|
zapret_list_ifsets()
|
||||||
@ -264,7 +315,7 @@ zapret_apply_firewall_nft()
|
|||||||
|
|
||||||
create_ipset no-update
|
create_ipset no-update
|
||||||
nft_create_firewall
|
nft_create_firewall
|
||||||
nft_fill_ifsets
|
nft_fill_ifsets_overload
|
||||||
|
|
||||||
case "$mode" in
|
case "$mode" in
|
||||||
tpws)
|
tpws)
|
||||||
|
@ -384,59 +384,19 @@ flow_offloading_unexempt()
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
nft_fill_ifsets_overload()
|
||||||
nft_fill_ifsets()
|
|
||||||
{
|
{
|
||||||
local script elements i wan_iface DEVICE DLAN DWAN DWAN6 ALLDEVS flags
|
local script ifaces DLAN DWAN DWAN6
|
||||||
|
|
||||||
# if large sets exist nft works very ineffectively
|
call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
|
||||||
# looks like it analyzes the whole table blob to find required data pieces
|
|
||||||
# calling all in one shot helps not to waste cpu time many times
|
|
||||||
|
|
||||||
script="flush set inet $ZAPRET_NFT_TABLE wanif
|
network_find_wan_all ifaces
|
||||||
flush set inet $ZAPRET_NFT_TABLE wanif6
|
call_for_multiple_items network_get_device DWAN "$ifaces"
|
||||||
flush set inet $ZAPRET_NFT_TABLE lanif"
|
|
||||||
|
|
||||||
[ "$DISABLE_IPV4" = "1" ] || {
|
network_find_wan6_all ifaces
|
||||||
network_find_wan_all wan_iface
|
call_for_multiple_items network_get_device DWAN6 "$ifaces"
|
||||||
for i in $wan_iface; do
|
|
||||||
network_get_device DEVICE $i
|
|
||||||
DWAN="$DWAN $DEVICE"
|
|
||||||
done
|
|
||||||
[ -n "$DWAN" ] && {
|
|
||||||
make_comma_list elements $DWAN
|
|
||||||
script="${script}
|
|
||||||
add element inet $ZAPRET_NFT_TABLE wanif { $elements }"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
[ "$DISABLE_IPV6" = "1" ] || {
|
|
||||||
network_find_wan6_all wan_iface
|
|
||||||
for i in $wan_iface; do
|
|
||||||
network_get_device DEVICE $i
|
|
||||||
DWAN6="$DWAN6 $DEVICE"
|
|
||||||
done
|
|
||||||
[ -n "$DWAN6" ] && {
|
|
||||||
make_comma_list elements $DWAN6
|
|
||||||
script="${script}
|
|
||||||
add element inet $ZAPRET_NFT_TABLE wanif6 { $elements }"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for i in $OPENWRT_LAN; do
|
|
||||||
network_get_device DEVICE $i
|
|
||||||
DLAN="$DLAN $DEVICE"
|
|
||||||
done
|
|
||||||
[ -n "$DLAN" ] && {
|
|
||||||
make_comma_list elements $DLAN
|
|
||||||
script="${script}
|
|
||||||
add element inet $ZAPRET_NFT_TABLE lanif { $elements }"
|
|
||||||
}
|
|
||||||
echo "$script" | nft -f -
|
|
||||||
|
|
||||||
[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
|
nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6"
|
||||||
ALLDEVS=$(for i in $DLAN $DWAN $DWAN6; do echo $i; done | sort -u | xargs)
|
|
||||||
[ "$FLOWOFFLOAD" = 'hardware' ] && nft_hw_offload_supported $ALLDEVS && flags=offload
|
|
||||||
nft_create_or_update_flowtable "$flags" $ALLDEVS
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
nft_fw_tpws4()
|
nft_fw_tpws4()
|
||||||
|
@ -521,38 +521,9 @@ zapret_stop_daemons()
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
nft_fill_ifsets()
|
nft_fill_ifsets_overload()
|
||||||
{
|
{
|
||||||
local script elements i ALLDEVS flags
|
nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "$IFACE_WAN"
|
||||||
|
|
||||||
# if large sets exist nft works very ineffectively
|
|
||||||
# looks like it analyzes the whole table blob to find required data pieces
|
|
||||||
# calling all in one shot helps not to waste cpu time many times
|
|
||||||
|
|
||||||
script="flush set inet $ZAPRET_NFT_TABLE wanif
|
|
||||||
flush set inet $ZAPRET_NFT_TABLE wanif6
|
|
||||||
flush set inet $ZAPRET_NFT_TABLE lanif"
|
|
||||||
|
|
||||||
[ -n "$IFACE_LAN" ] && {
|
|
||||||
make_comma_list elements $IFACE_LAN
|
|
||||||
script="${script}
|
|
||||||
add element inet $ZAPRET_NFT_TABLE lanif { $elements }"
|
|
||||||
}
|
|
||||||
[ -n "$IFACE_WAN" ] && {
|
|
||||||
make_comma_list elements $IFACE_WAN
|
|
||||||
script="${script}
|
|
||||||
add element inet $ZAPRET_NFT_TABLE wanif { $elements }
|
|
||||||
add element inet $ZAPRET_NFT_TABLE wanif6 { $elements }"
|
|
||||||
}
|
|
||||||
echo "$script" | nft -f -
|
|
||||||
|
|
||||||
[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
|
|
||||||
ALLDEVS=$(for i in $IFACE_LAN $IFACE_WAN; do echo $i; done | sort -u | xargs)
|
|
||||||
[ -n "$ALLDEVS" ] && {
|
|
||||||
[ "$FLOWOFFLOAD" = 'hardware' ] && nft_hw_offload_supported $ALLDEVS && flags=offload
|
|
||||||
nft_create_or_update_flowtable "$flags" $ALLDEVS
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
nft_print_op()
|
nft_print_op()
|
||||||
|
Loading…
Reference in New Issue
Block a user