From 86e2802c4a6f00e6c86fbf6afe7d432fc01ae6dd Mon Sep 17 00:00:00 2001 From: bol-van Date: Tue, 28 Sep 2021 22:43:43 +0300 Subject: [PATCH] init scripts: multiple LAN/WAN interfaces --- config | 4 + docs/changes.txt | 5 ++ docs/readme.eng.txt | 5 ++ docs/readme.txt | 6 +- init.d/macos/functions | 73 ++++++++++------- init.d/openwrt/functions | 63 +++++++++------ init.d/openwrt/zapret | 40 ++++++---- init.d/sysv/functions | 166 ++++++++++++++++++++++++++------------- install_easy.sh | 2 +- 9 files changed, 239 insertions(+), 125 deletions(-) diff --git a/config b/config index a69ed30..8e26ba0 100644 --- a/config +++ b/config @@ -50,9 +50,13 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3" # openwrt only : donttouch,none,software,hardware FLOWOFFLOAD=donttouch +# openwrt: specify networks to be treated as LAN. default is "lan" +# OPENWRT_LAN="lan lan2 lan3" + # for routers based on desktop linux and macos. has no effect in openwrt. # CHOOSE LAN and optinally WAN NETWORK INTERFACES # or leave them commented if its not router +# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" #IFACE_LAN=eth0 #IFACE_WAN=eth1 diff --git a/docs/changes.txt b/docs/changes.txt index d30ecde..e91c1af 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -193,3 +193,8 @@ MacOS easy install v39 nfqws: conntrack, wssize + +v40 + +init scripts : IFACE_LAN, IFACE_WAN now accept multiple interfaces +init scripts : openwrt uses now OPENWRT_LAN parameter to override incoming interfaces for tpws diff --git a/docs/readme.eng.txt b/docs/readme.eng.txt index e366ab3..4b08eca 100644 --- a/docs/readme.eng.txt +++ b/docs/readme.eng.txt @@ -590,6 +590,10 @@ Newer FreeBSD versions support table only reloading : pfctl -Tl -f /etc/pf.conf Set to "-" to disable reload. LISTS_RELOAD="pfctl -f /etc/pf.conf" +In openwrt there's default network 'lan'. Only traffic coming from this network is redirected to tpws by default. +To override this behaviour set the following variable : +OPENWRT_LAN="lan lan2 lan3" + The following settings are not relevant for openwrt : If your system works as a router, then you need to enter the names of the internal and external interfaces: @@ -597,6 +601,7 @@ IFACE_LAN = eth0 IFACE_WAN = eth1 IMPORTANT: configuring routing, masquerade, etc. not a zapret task. Only modes that intercept transit traffic are enabled. +It's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" The INIT_APPLY_FW=1 parameter enables the init script to independently apply iptables rules. With other values or if the parameter is commented out, the rules will not be applied. diff --git a/docs/readme.txt b/docs/readme.txt index 0f4dab2..41b2ec8 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -1,4 +1,4 @@ -zapret v.39 +zapret v.40 English ------- @@ -829,6 +829,9 @@ GZIP_LISTS=1 #LISTS_RELOAD="pfctl -f /etc/pf.conf" #LISTS_RELOAD=- +В openwrt существует сеть по умолчанию 'lan'. Только трафик с этой сети будет перенаправлен на tpws. +Но возможно задать другие сети или список сетей : +OPENWRT_LAN="lan lan2 lan3" Следующие настройки не актуальны для openwrt : @@ -837,6 +840,7 @@ IFACE_LAN=eth0 IFACE_WAN=eth1 ВАЖНО : настройка маршрутизации , маскарада и т.д. не входит в задачу zapret. Включаются только режимы, обеспечивающие перехват транзитного трафика. +Возможно определить несколько интерфейсов следующим образом : IFACE_LAN="eth0 eth1 eth2" Параметр INIT_APPLY_FW=1 разрешает init скрипту самостоятельно применять правила iptables. При иных значениях или если параметр закомментирован, правила применены не будут. diff --git a/init.d/macos/functions b/init.d/macos/functions index fbba7c6..85cce3e 100644 --- a/init.d/macos/functions +++ b/init.d/macos/functions @@ -20,8 +20,6 @@ PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret" PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4" PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6" -[ -n "$IFACE_WAN" ] && OWAN=" on $IFACE_WAN" - CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom" [ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT" @@ -103,14 +101,13 @@ tpws_apply_socks_binds() { local o - [ "$DISABLE_IPV4" = "1" ] || { - o="--bind-addr=127.0.0.1" - [ -n "$IFACE_LAN" ] && o="$o --bind-iface4=$IFACE_LAN $TPWS_WAIT" - } - [ "$DISABLE_IPV6" = "1" ] || { - o="$o --bind-addr=::1" - [ -n "$IFACE_LAN" ] && o="$o --bind-iface6=$IFACE_LAN --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" - } + [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" + + for lan in $IFACE_LAN; do + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + done eval $1="\"\$$1 $o\"" } @@ -121,11 +118,13 @@ wait_interface_ll() } wait_lan_ll() { - [ "$DISABLE_IPV6" != "1" ] && [ -n "$IFACE_LAN" ] && { - wait_interface_ll $IFACE_LAN >&2 || { - echo "wait interface failed" - return 1 - } + [ "$DISABLE_IPV6" != "1" ] && { + for lan in $IFACE_LAN; do + wait_interface_ll $lan >&2 || { + echo "wait interface failed on $lan" + return 1 + } + done } return 0 } @@ -249,15 +248,22 @@ pf_anchor_zapret_v4_tpws() { # $1 - port - local port=$(pf_anchor_port_target) - [ -n "$IFACE_LAN" ] && { + local rule port=$(pf_anchor_port_target) + for lan in $IFACE_LAN; do for t in $tbl; do - echo "rdr on $IFACE_LAN inet proto tcp from any to $t port $port -> 127.0.0.1 port $1" + echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1" done - } + done echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1" for t in $tbl; do - echo "pass out$OWAN route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }" + rule="route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }" + if [ -n "$IFACE_WAN" ] ; then + for wan in $IFACE_WAN; do + echo "pass out on $wan $rule" + done + else + echo "pass out $rule" + fi done } @@ -282,22 +288,31 @@ pf_anchor_zapret_v6_tpws() { # $1 - port - local port=$(pf_anchor_port_target) + local LL_LAN rule port=$(pf_anchor_port_target) # LAN link local is only for router - [ -n "$IFACE_LAN" ] && LL_LAN=$(get_ipv6_linklocal $IFACE_LAN) - [ -n "$LL_LAN" ] && { - for t in $tbl; do - echo "rdr on $IFACE_LAN inet6 proto tcp from any to $t port $port -> $LL_LAN port $1" - done - } + for lan in $IFACE_LAN; do + LL_LAN=$(get_ipv6_linklocal $lan) + [ -n "$LL_LAN" ] && { + for t in $tbl; do + echo "rdr on $lan inet6 proto tcp from any to $t port $port -> $LL_LAN port $1" + done + } + done echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1" for t in $tbl; do - echo "pass out$OWAN route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }" + rule="route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }" + if [ -n "$IFACE_WAN" ] ; then + for wan in $IFACE_WAN; do + echo "pass out on $wan $rule" + done + else + echo "pass out $rule" + fi done } pf_anchor_zapret_v6() { - local tbl port LL_LAN + local tbl port [ "$DISABLE_IPV6" = "1" ] || { case $MODE in diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions index e7b9f1e..5cba504 100644 --- a/init.d/openwrt/functions +++ b/init.d/openwrt/functions @@ -8,6 +8,7 @@ TPWS_USER=daemon TPWS_LOCALHOST4=127.0.0.127 [ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000 +[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan # max wait time for the link local ipv6 on the LAN interface LINKLOCAL_WAIT_SEC=5 @@ -54,19 +55,19 @@ network_find_wan6_all() ipt() { - iptables -C "$@" 2>/dev/null || iptables -I "$@" + iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@" } ipt_del() { - iptables -C "$@" 2>/dev/null && iptables -D "$@" + iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@" } ipt6() { - ip6tables -C "$@" 2>/dev/null || ip6tables -I "$@" + ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@" } ipt6_del() { - ip6tables -C "$@" 2>/dev/null && ip6tables -D "$@" + ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@" } # there's no route_localnet for ipv6 @@ -100,38 +101,46 @@ get_ipv6_global() dnat6_target() { + # $1 - lan network name + # $2 - var to store target ip6 # get target ip address for DNAT. prefer link locals # tpws should be as inaccessible from outside as possible # link local address can appear not immediately after ifup - # DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts) + local DNAT6_TARGET DVAR=DNAT6_TARGET_$1 + DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g') + eval DNAT6_TARGET="\$$DVAR" + [ -n "$2" ] && eval $2='' + [ -n "$DNAT6_TARGET" ] || { # no reason to query if its down - network_is_up lan || return + network_is_up $1 || return local DEVICE - network_get_device DEVICE lan + network_get_device DEVICE $1 local ct=0 while DNAT6_TARGET=$(get_ipv6_linklocal $DEVICE) [ -n "$DNAT6_TARGET" ] && break [ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break - echo waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ... + echo $DEVICE: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ... ct=$(($ct+1)) sleep 1 do :; done [ -n "$DNAT6_TARGET" ] || { - echo no link local. getting global + echo $DEVICE: no link local. getting global DNAT6_TARGET=$(get_ipv6_global $DEVICE) [ -n "$DNAT6_TARGET" ] || { - echo could not get any address + echo $DEVICE: could not get any address DNAT6_TARGET=- } } + eval $DVAR="$DNAT6_TARGET" } + [ -n "$2" ] && eval $2="$DNAT6_TARGET" } @@ -229,16 +238,19 @@ fw_tpws4() network_get_device DEVICE $ext_iface ipt OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2 done - ipt prerouting_lan_rule -t nat -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2 - network_get_device DEVICE lan - [ -n "$DEVICE" ] && { - # allow localnet route only to special tpws IP - iptables -N input_lan_rule_zapret 2>/dev/null - ipt input_lan_rule_zapret -d 127.0.0.0/8 -j DROP - ipt input_lan_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN - ipt input_lan_rule -j input_lan_rule_zapret - sysctl -qw net.ipv4.conf.$DEVICE.route_localnet=1 - } + + # allow localnet route only to special tpws IP + iptables -N input_rule_zapret 2>/dev/null + ipt input_rule_zapret -d 127.0.0.0/8 -j DROP + ipt input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN + + for lan in $OPENWRT_LAN; do + network_get_device DEVICE $lan + [ -n "$DEVICE" ] || continue + ipt prerouting_rule -t nat -i $DEVICE -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2 + ipt input_rule -i $DEVICE -j input_rule_zapret + sysctl -qw net.ipv4.conf.$DEVICE.route_localnet=1 + done } } fw_tpws6() @@ -246,7 +258,7 @@ fw_tpws6() # $1 - filter ipv6 # $2 - tpws port - local DEVICE wan_iface + local DEVICE wan_iface DNAT6 [ "$DISABLE_IPV6" = "1" ] || { network_find_wan6_all wan_iface @@ -254,9 +266,12 @@ fw_tpws6() network_get_device DEVICE $ext_iface ipt6 OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$2 done - network_get_device DEVICE lan - dnat6_target - [ "$DNAT6_TARGET" != "-" ] && ipt6 PREROUTING -t nat -i $DEVICE -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$2 + for lan in $OPENWRT_LAN; do + network_get_device DEVICE $lan + [ -n "$DEVICE" ] || continue + dnat6_target $lan DNAT6 + [ "$DNAT6" != '-' ] && ipt6 PREROUTING -t nat -i $DEVICE -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6]:$2 + done } } fw_tpws() diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index 2eabc32..cf565e4 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret @@ -59,11 +59,23 @@ run_tpws() [ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4" [ "$DISABLE_IPV6" = "1" ] || { OPT="$OPT $TPWS_OPT_BASE6" - network_get_device DEVICE lan - [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE" + for lan in $OPENWRT_LAN; do + network_get_device DEVICE $lan + [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE" + done } run_daemon $1 "$TPWS" "$OPT $2" } +run_tpws_socks() +{ + [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0 + + local opt="$TPWS_OPT_BASE --socks" + + tpws_apply_socks_binds opt + run_daemon $1 "$TPWS" "$opt $2" +} + stop_tpws() { stop_daemon $1 "$TPWS" @@ -80,16 +92,15 @@ tpws_apply_socks_binds() { local o - network_get_device DEVICE lan - - [ "$DISABLE_IPV4" = "1" ] || { - o="--bind-addr=127.0.0.1" - [ -n "$DEVICE" ] && o="$o --bind-iface4=$DEVICE $TPWS_WAIT" - } - [ "$DISABLE_IPV6" = "1" ] || { - o="$o --bind-addr=::1" - [ -n "$DEVICE" ] && o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" - } + [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" + + for lan in $OPENWRT_LAN; do + network_get_device DEVICE $lan + [ -n "$DEVICE" ] || continue + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + done eval $1="\"\$$1 $o\"" } @@ -104,10 +115,9 @@ start_service() { run_tpws 1 "$opt" ;; tpws-socks) - opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT" - tpws_apply_socks_binds opt + opt="--port=$TPPORT $TPWS_OPT" filter_apply_hostlist_target opt - run_daemon 1 "$TPWS" "$opt" + run_tpws_socks 1 "$opt" ;; nfqws) opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP" diff --git a/init.d/sysv/functions b/init.d/sysv/functions index f88b5ab..5040953 100644 --- a/init.d/sysv/functions +++ b/init.d/sysv/functions @@ -31,11 +31,6 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30" # first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3" - -[ -n "$IFACE_WAN" ] && IPT_OWAN="-o $IFACE_WAN" -[ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN" -[ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN" - [ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000 # max wait time for the link local ipv6 on the LAN interface @@ -72,11 +67,11 @@ on_off_function() ipt() { - iptables -C "$@" 2>/dev/null || iptables -I "$@" + iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@" } ipt_del() { - iptables -C "$@" 2>/dev/null && iptables -D "$@" + iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@" } ipt_add_del() { @@ -84,11 +79,11 @@ ipt_add_del() } ipt6() { - ip6tables -C "$@" 2>/dev/null || ip6tables -I "$@" + ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@" } ipt6_del() { - ip6tables -C "$@" 2>/dev/null && ip6tables -D "$@" + ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@" } ipt6_add_del() { @@ -141,31 +136,39 @@ wait_ifup() dnat6_target() { + # $1 - lan network name + # $2 - var to store target ip6 # get target ip address for DNAT. prefer link locals # tpws should be as inaccessible from outside as possible # link local address can appear not immediately after ifup - # DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts) + + local DNAT6_TARGET DVAR=DNAT6_TARGET_$1 + DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g') + eval DNAT6_TARGET="\$$DVAR" + [ -n "$2" ] && eval $2='' [ -n "$DNAT6_TARGET" ] || { local ct=0 while - DNAT6_TARGET=$(get_ipv6_linklocal $IFACE_LAN) + DNAT6_TARGET=$(get_ipv6_linklocal $1) [ -n "$DNAT6_TARGET" ] && break [ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break - echo waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ... + echo $1: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ... ct=$(($ct+1)) sleep 1 do :; done [ -n "$DNAT6_TARGET" ] || { - echo no link local. getting global - DNAT6_TARGET=$(get_ipv6_global $IFACE_LAN) + echo $1: no link local. getting global + DNAT6_TARGET=$(get_ipv6_global $1) [ -n "$DNAT6_TARGET" ] || { - echo could not get any address + echo $1: could not get any address DNAT6_TARGET=- } } + eval $DVAR="$DNAT6_TARGET" } + [ -n "$2" ] && eval $2="$DNAT6_TARGET" } prepare_tpws_fw4() @@ -173,26 +176,25 @@ prepare_tpws_fw4() # otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it # NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8 [ -n "$IFACE_LAN" ] && { - iptables -C INPUT -i $IFACE_LAN -j input_lan_rule_zapret 2>/dev/null || { - # allow localnet route only to special tpws IP - iptables -N input_lan_rule_zapret 2>/dev/null - iptables -F input_lan_rule_zapret - iptables -A input_lan_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN - iptables -A input_lan_rule_zapret -d 127.0.0.0/8 -j DROP - iptables -I INPUT -i $IFACE_LAN -j input_lan_rule_zapret - } - sysctl -qw net.ipv4.conf.$IFACE_LAN.route_localnet=1 + iptables -N input_rule_zapret 2>/dev/null + iptables -F input_rule_zapret + iptables -A input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN + iptables -A input_rule_zapret -d 127.0.0.0/8 -j DROP + for lan in $IFACE_LAN ; do + ipt INPUT -i $lan -j input_rule_zapret + sysctl -qw net.ipv4.conf.$lan.route_localnet=1 + done } } unprepare_tpws_fw4() { [ -n "$IFACE_LAN" ] && { - iptables -C INPUT -i $IFACE_LAN -j input_lan_rule_zapret 2>/dev/null && { - sysctl -qw net.ipv4.conf.$IFACE_LAN.route_localnet=0 - iptables -D INPUT -i $IFACE_LAN -j input_lan_rule_zapret - iptables -F input_lan_rule_zapret - iptables -X input_lan_rule_zapret - } + for lan in $IFACE_LAN ; do + ipt_del INPUT -i $lan -j input_rule_zapret + sysctl -qw net.ipv4.conf.$lan.route_localnet=0 + done + iptables -F input_rule_zapret 2>/dev/null + iptables -X input_rule_zapret 2>/dev/null } } unprepare_tpws_fw() @@ -218,10 +220,16 @@ fw_tpws4() [ "$DISABLE_IPV4" = "1" ] || { [ "$1" = 1 ] && prepare_tpws_fw4 print_op $1 "$2" "tpws (port $3)" - [ -n "$IFACE_LAN" ] && { - ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 - } - ipt_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 + for lan in $IFACE_LAN ; do + ipt_add_del $1 PREROUTING -t nat -i $lan -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 + done + if [ -n "$IFACE_WAN" ]; then + for wan in $IFACE_WAN; do + ipt_add_del $1 OUTPUT -t nat -o $wan -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 + done + else + ipt_add_del $1 OUTPUT -t nat -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 + fi } } fw_tpws6() @@ -231,11 +239,18 @@ fw_tpws6() # $3 - tpws port [ "$DISABLE_IPV6" = "1" ] || { print_op $1 "$2" "tpws (port $3)" 6 - [ -n "$IFACE_LAN" ] && { - dnat6_target - [ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$3 - } - ipt6_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$3 + local DNAT6 + for lan in $IFACE_LAN ; do + dnat6_target $lan DNAT6 + [ "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $lan -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6]:$3 + done + if [ -n "$IFACE_WAN" ]; then + for wan in $IFACE_WAN; do + ipt6_add_del $1 OUTPUT -t nat -o $wan -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$3 + done + else + ipt6_add_del $1 OUTPUT -t nat -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$3 + fi } } fw_tpws() @@ -256,7 +271,13 @@ fw_nfqws_pre4() # $3 - queue number [ "$DISABLE_IPV4" = "1" ] || { print_op $1 "$2" "nfqws prerouting (qnum $3)" - ipt_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass + if [ -n "$IFACE_WAN" ]; then + for wan in $IFACE_WAN; do + ipt_add_del $1 PREROUTING -t mangle -i $wan -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass + done + else + ipt_add_del $1 PREROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass + fi } } fw_nfqws_pre6() @@ -266,7 +287,13 @@ fw_nfqws_pre6() # $3 - queue number [ "$DISABLE_IPV6" = "1" ] || { print_op $1 "$2" "nfqws prerouting (qnum $3)" 6 - ipt6_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass + if [ -n "$IFACE_WAN" ]; then + for wan in $IFACE_WAN; do + ipt6_add_del $1 PREROUTING -t mangle -i $wan -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass + done + else + ipt6_add_del $1 PREROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass + fi } } fw_nfqws_pre() @@ -285,7 +312,13 @@ fw_nfqws_post4() # $3 - queue number [ "$DISABLE_IPV4" = "1" ] || { print_op $1 "$2" "nfqws postrouting (qnum $3)" - ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass + if [ -n "$IFACE_WAN" ]; then + for wan in $IFACE_WAN; do + ipt_add_del $1 POSTROUTING -t mangle -o $wan -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass + done + else + ipt_add_del $1 POSTROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass + fi } } fw_nfqws_post6() @@ -295,7 +328,13 @@ fw_nfqws_post6() # $3 - queue number [ "$DISABLE_IPV6" = "1" ] || { print_op $1 "$2" "nfqws postrouting (qnum $3)" 6 - ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass + if [ -n "$IFACE_WAN" ]; then + for wan in $IFACE_WAN; do + ipt6_add_del $1 POSTROUTING -t mangle -o $wan -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass + done + else + ipt6_add_del $1 POSTROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass + fi } } fw_nfqws_post() @@ -385,11 +424,30 @@ do_tpws() [ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4" [ "$DISABLE_IPV6" = "1" ] || { OPT="$OPT $TPWS_OPT_BASE6" - [ -n "$IFACE_LAN" ] && OPT="$OPT --bind-iface6=$IFACE_LAN $TPWS_OPT_BASE6_PRE" + for lan in $IFACE_LAN; do + OPT="$OPT --bind-iface6=$lan $TPWS_OPT_BASE6_PRE" + done } do_daemon $1 $2 "$TPWS" "$OPT $3" } +do_tpws_socks() +{ + # $1 : 1 - run, 0 - stop + # $2 : daemon number + # $3 : daemon args + + [ "$1" = "1" ] && prepare_user + + [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0 + + local opt="$TPWS_OPT_BASE --socks" + + tpws_apply_socks_binds opt + + do_daemon $1 $2 "$TPWS" "$opt $3" +} + do_nfqws() { # $1 : 1 - run, 0 - stop @@ -434,14 +492,13 @@ tpws_apply_socks_binds() { local o - [ "$DISABLE_IPV4" = "1" ] || { - o="--bind-addr=127.0.0.1" - [ -n "$IFACE_LAN" ] && o="$o --bind-iface4=$IFACE_LAN $TPWS_WAIT" - } - [ "$DISABLE_IPV6" = "1" ] || { - o="$o --bind-addr=::1" - [ -n "$IFACE_LAN" ] && o="$o --bind-iface6=$IFACE_LAN --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" - } + [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1" + + for lan in $IFACE_LAN; do + [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT" + [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" + done eval $1="\"\$$1 $o\"" } @@ -535,10 +592,9 @@ zapret_do_daemons() do_tpws $1 1 "$opt" ;; tpws-socks) - opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT" - tpws_apply_socks_binds opt + opt="--port=$TPPORT $TPWS_OPT" filter_apply_hostlist_target opt - do_daemon $1 1 "$TPWS" "$opt" + do_tpws_socks $1 1 "$opt" ;; nfqws) opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTP" diff --git a/install_easy.sh b/install_easy.sh index 2adb7e3..58d0a96 100755 --- a/install_easy.sh +++ b/install_easy.sh @@ -257,7 +257,7 @@ ask_list() [ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null) [ -z "$M" ] && M="$M_DEFAULT" echo selected : $M - eval $1="$M" + eval $1="\"$M\"" [ "$M" != "$M_OLD" ] }