init scripts: multiple LAN/WAN interfaces

This commit is contained in:
bol-van 2021-09-28 22:43:43 +03:00
parent 9d982e96ca
commit 86e2802c4a
9 changed files with 239 additions and 125 deletions

config

@ -50,9 +50,13 @@ TPWS_OPT="--hostspell=HOST --split-http-req=method --split-pos=3"
# openwrt only : donttouch,none,software,hardware # openwrt only : donttouch,none,software,hardware
FLOWOFFLOAD=donttouch FLOWOFFLOAD=donttouch
# openwrt: specify networks to be treated as LAN. default is "lan"
# OPENWRT_LAN="lan lan2 lan3"
# for routers based on desktop linux and macos. has no effect in openwrt. # for routers based on desktop linux and macos. has no effect in openwrt.
# CHOOSE LAN and optinally WAN NETWORK INTERFACES # CHOOSE LAN and optinally WAN NETWORK INTERFACES
# or leave them commented if its not router # or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
#IFACE_LAN=eth0 #IFACE_LAN=eth0
#IFACE_WAN=eth1 #IFACE_WAN=eth1


@ -193,3 +193,8 @@ MacOS easy install
v39 v39
nfqws: conntrack, wssize nfqws: conntrack, wssize
v40
init scripts : IFACE_LAN, IFACE_WAN now accept multiple interfaces
init scripts : openwrt uses now OPENWRT_LAN parameter to override incoming interfaces for tpws


@ -590,6 +590,10 @@ Newer FreeBSD versions support table only reloading : pfctl -Tl -f /etc/pf.conf
Set to "-" to disable reload. Set to "-" to disable reload.
LISTS_RELOAD="pfctl -f /etc/pf.conf" LISTS_RELOAD="pfctl -f /etc/pf.conf"
In openwrt there's default network 'lan'. Only traffic coming from this network is redirected to tpws by default.
To override this behaviour set the following variable :
OPENWRT_LAN="lan lan2 lan3"
The following settings are not relevant for openwrt : The following settings are not relevant for openwrt :
If your system works as a router, then you need to enter the names of the internal and external interfaces: If your system works as a router, then you need to enter the names of the internal and external interfaces:
@ -597,6 +601,7 @@ IFACE_LAN = eth0
IFACE_WAN = eth1 IFACE_WAN = eth1
IMPORTANT: configuring routing, masquerade, etc. not a zapret task. IMPORTANT: configuring routing, masquerade, etc. not a zapret task.
Only modes that intercept transit traffic are enabled. Only modes that intercept transit traffic are enabled.
It's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2"
The INIT_APPLY_FW=1 parameter enables the init script to independently apply iptables rules. The INIT_APPLY_FW=1 parameter enables the init script to independently apply iptables rules.
With other values or if the parameter is commented out, the rules will not be applied. With other values or if the parameter is commented out, the rules will not be applied.


@ -1,4 +1,4 @@
zapret v.39 zapret v.40
English English
------- -------
@ -829,6 +829,9 @@ GZIP_LISTS=1
#LISTS_RELOAD="pfctl -f /etc/pf.conf" #LISTS_RELOAD="pfctl -f /etc/pf.conf"
#LISTS_RELOAD=- #LISTS_RELOAD=-
В openwrt существует сеть по умолчанию 'lan'. Только трафик с этой сети будет перенаправлен на tpws.
Но возможно задать другие сети или список сетей :
OPENWRT_LAN="lan lan2 lan3"
Следующие настройки не актуальны для openwrt : Следующие настройки не актуальны для openwrt :
@ -837,6 +840,7 @@ IFACE_LAN=eth0
IFACE_WAN=eth1 IFACE_WAN=eth1
ВАЖНО : настройка маршрутизации , маскарада и т.д. не входит в задачу zapret. ВАЖНО : настройка маршрутизации , маскарада и т.д. не входит в задачу zapret.
Включаются только режимы, обеспечивающие перехват транзитного трафика. Включаются только режимы, обеспечивающие перехват транзитного трафика.
Возможно определить несколько интерфейсов следующим образом : IFACE_LAN="eth0 eth1 eth2"
Параметр INIT_APPLY_FW=1 разрешает init скрипту самостоятельно применять правила iptables. Параметр INIT_APPLY_FW=1 разрешает init скрипту самостоятельно применять правила iptables.
При иных значениях или если параметр закомментирован, правила применены не будут. При иных значениях или если параметр закомментирован, правила применены не будут.


@ -20,8 +20,6 @@ PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret"
PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4" PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6" PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
[ -n "$IFACE_WAN" ] && OWAN=" on $IFACE_WAN"
CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom" CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT" [ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
@ -103,14 +101,13 @@ tpws_apply_socks_binds()
{ {
local o local o
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
o="--bind-addr=127.0.0.1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
[ -n "$IFACE_LAN" ] && o="$o --bind-iface4=$IFACE_LAN $TPWS_WAIT"
} for lan in $IFACE_LAN; do
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
o="$o --bind-addr=::1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
[ -n "$IFACE_LAN" ] && o="$o --bind-iface6=$IFACE_LAN --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" done
}
eval $1="\"\$$1 $o\"" eval $1="\"\$$1 $o\""
} }
@ -121,11 +118,13 @@ wait_interface_ll()
} }
wait_lan_ll() wait_lan_ll()
{ {
[ "$DISABLE_IPV6" != "1" ] && [ -n "$IFACE_LAN" ] && { [ "$DISABLE_IPV6" != "1" ] && {
wait_interface_ll $IFACE_LAN >&2 || { for lan in $IFACE_LAN; do
echo "wait interface failed" wait_interface_ll $lan >&2 || {
echo "wait interface failed on $lan"
return 1 return 1
} }
done
} }
return 0 return 0
} }
@ -249,15 +248,22 @@ pf_anchor_zapret_v4_tpws()
{ {
# $1 - port # $1 - port
local port=$(pf_anchor_port_target) local rule port=$(pf_anchor_port_target)
[ -n "$IFACE_LAN" ] && { for lan in $IFACE_LAN; do
for t in $tbl; do for t in $tbl; do
echo "rdr on $IFACE_LAN inet proto tcp from any to $t port $port -> 127.0.0.1 port $1" echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
done
done done
}
echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1" echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1"
for t in $tbl; do for t in $tbl; do
echo "pass out$OWAN route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }" rule="route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
if [ -n "$IFACE_WAN" ] ; then
for wan in $IFACE_WAN; do
echo "pass out on $wan $rule"
done
else
echo "pass out $rule"
fi
done done
} }
@ -282,22 +288,31 @@ pf_anchor_zapret_v6_tpws()
{ {
# $1 - port # $1 - port
local port=$(pf_anchor_port_target) local LL_LAN rule port=$(pf_anchor_port_target)
# LAN link local is only for router # LAN link local is only for router
[ -n "$IFACE_LAN" ] && LL_LAN=$(get_ipv6_linklocal $IFACE_LAN) for lan in $IFACE_LAN; do
LL_LAN=$(get_ipv6_linklocal $lan)
[ -n "$LL_LAN" ] && { [ -n "$LL_LAN" ] && {
for t in $tbl; do for t in $tbl; do
echo "rdr on $IFACE_LAN inet6 proto tcp from any to $t port $port -> $LL_LAN port $1" echo "rdr on $lan inet6 proto tcp from any to $t port $port -> $LL_LAN port $1"
done done
} }
done
echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1" echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1"
for t in $tbl; do for t in $tbl; do
echo "pass out$OWAN route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }" rule="route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
if [ -n "$IFACE_WAN" ] ; then
for wan in $IFACE_WAN; do
echo "pass out on $wan $rule"
done
else
echo "pass out $rule"
fi
done done
} }
pf_anchor_zapret_v6() pf_anchor_zapret_v6()
{ {
local tbl port LL_LAN local tbl port
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
case $MODE in case $MODE in
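Review bot: pf_anchor_zapret_v4_tpws and pf_anchor_zapret_v6_tpws iterate `for t in $tbl` without declaring or receiving `tbl`; it is the caller's local (`local tbl port` in pf_anchor_zapret_v6 at the end of this section, presumably the v4 counterpart too), so both functions only work through dynamic scoping and the header comment `# $1 - port` should say so, e.g. `# $1 - port ; reads $tbl (table list) from the calling pf_anchor_zapret_v4/v6`. The new `local rule port=$(pf_anchor_port_target)` lines keep the pre-existing pattern of masking the substitution's exit status under `local`; splitting them into `local rule port` and `port=$(pf_anchor_port_target)` would let a failure surface. In pf_anchor_zapret_v6_tpws a LAN that yields no link-local address is silently skipped inside the new loop, which differs from wait_lan_ll reporting `wait interface failed on $lan`; a one-line `echo` to stderr there would make a missing rdr rule diagnosable.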


@ -8,6 +8,7 @@
TPWS_USER=daemon TPWS_USER=daemon
TPWS_LOCALHOST4=127.0.0.127 TPWS_LOCALHOST4=127.0.0.127
[ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000 [ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000
[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
# max wait time for the link local ipv6 on the LAN interface # max wait time for the link local ipv6 on the LAN interface
LINKLOCAL_WAIT_SEC=5 LINKLOCAL_WAIT_SEC=5
@ -54,19 +55,19 @@ network_find_wan6_all()
ipt() ipt()
{ {
iptables -C "$@" 2>/dev/null || iptables -I "$@" iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
} }
ipt_del() ipt_del()
{ {
iptables -C "$@" 2>/dev/null && iptables -D "$@" iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
} }
ipt6() ipt6()
{ {
ip6tables -C "$@" 2>/dev/null || ip6tables -I "$@" ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@"
} }
ipt6_del() ipt6_del()
{ {
ip6tables -C "$@" 2>/dev/null && ip6tables -D "$@" ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@"
} }
# there's no route_localnet for ipv6 # there's no route_localnet for ipv6
@ -100,38 +101,46 @@ get_ipv6_global()
dnat6_target() dnat6_target()
{ {
# $1 - lan network name
# $2 - var to store target ip6
# get target ip address for DNAT. prefer link locals # get target ip address for DNAT. prefer link locals
# tpws should be as inaccessible from outside as possible # tpws should be as inaccessible from outside as possible
# link local address can appear not immediately after ifup # link local address can appear not immediately after ifup
# DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts) # DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts)
local DNAT6_TARGET DVAR=DNAT6_TARGET_$1
DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g')
eval DNAT6_TARGET="\$$DVAR"
[ -n "$2" ] && eval $2=''
[ -n "$DNAT6_TARGET" ] || { [ -n "$DNAT6_TARGET" ] || {
# no reason to query if its down # no reason to query if its down
network_is_up lan || return network_is_up $1 || return
local DEVICE local DEVICE
network_get_device DEVICE lan network_get_device DEVICE $1
local ct=0 local ct=0
while while
DNAT6_TARGET=$(get_ipv6_linklocal $DEVICE) DNAT6_TARGET=$(get_ipv6_linklocal $DEVICE)
[ -n "$DNAT6_TARGET" ] && break [ -n "$DNAT6_TARGET" ] && break
[ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break [ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break
echo waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ... echo $DEVICE: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
ct=$(($ct+1)) ct=$(($ct+1))
sleep 1 sleep 1
do :; done do :; done
[ -n "$DNAT6_TARGET" ] || { [ -n "$DNAT6_TARGET" ] || {
echo no link local. getting global echo $DEVICE: no link local. getting global
DNAT6_TARGET=$(get_ipv6_global $DEVICE) DNAT6_TARGET=$(get_ipv6_global $DEVICE)
[ -n "$DNAT6_TARGET" ] || { [ -n "$DNAT6_TARGET" ] || {
echo could not get any address echo $DEVICE: could not get any address
DNAT6_TARGET=- DNAT6_TARGET=-
} }
} }
eval $DVAR="$DNAT6_TARGET"
} }
[ -n "$2" ] && eval $2="$DNAT6_TARGET"
} }
@ -229,16 +238,19 @@ fw_tpws4()
network_get_device DEVICE $ext_iface network_get_device DEVICE $ext_iface
ipt OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2 ipt OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2
done done
ipt prerouting_lan_rule -t nat -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2
network_get_device DEVICE lan
[ -n "$DEVICE" ] && {
# allow localnet route only to special tpws IP # allow localnet route only to special tpws IP
iptables -N input_lan_rule_zapret 2>/dev/null iptables -N input_rule_zapret 2>/dev/null
ipt input_lan_rule_zapret -d 127.0.0.0/8 -j DROP ipt input_rule_zapret -d 127.0.0.0/8 -j DROP
ipt input_lan_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN ipt input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN
ipt input_lan_rule -j input_lan_rule_zapret
for lan in $OPENWRT_LAN; do
network_get_device DEVICE $lan
[ -n "$DEVICE" ] || continue
ipt prerouting_rule -t nat -i $DEVICE -p tcp $1 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$2
ipt input_rule -i $DEVICE -j input_rule_zapret
sysctl -qw net.ipv4.conf.$DEVICE.route_localnet=1 sysctl -qw net.ipv4.conf.$DEVICE.route_localnet=1
} done
} }
} }
fw_tpws6() fw_tpws6()
@ -246,7 +258,7 @@ fw_tpws6()
# $1 - filter ipv6 # $1 - filter ipv6
# $2 - tpws port # $2 - tpws port
local DEVICE wan_iface local DEVICE wan_iface DNAT6
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
network_find_wan6_all wan_iface network_find_wan6_all wan_iface
@ -254,9 +266,12 @@ fw_tpws6()
network_get_device DEVICE $ext_iface network_get_device DEVICE $ext_iface
ipt6 OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$2 ipt6 OUTPUT -t nat -o $DEVICE $IPT_OWNER -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$2
done done
network_get_device DEVICE lan for lan in $OPENWRT_LAN; do
dnat6_target network_get_device DEVICE $lan
[ "$DNAT6_TARGET" != "-" ] && ipt6 PREROUTING -t nat -i $DEVICE -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$2 [ -n "$DEVICE" ] || continue
dnat6_target $lan DNAT6
[ "$DNAT6" != '-' ] && ipt6 PREROUTING -t nat -i $DEVICE -p tcp $1 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6]:$2
done
} }
} }
fw_tpws() fw_tpws()
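Review bot: In fw_tpws6 the guard `[ "$DNAT6" != '-' ]` does not cover the early-return path of dnat6_target: when the cached value is empty and `network_is_up $1` fails, the function returns before the final `eval $2=...`, leaving DNAT6 as the empty string set by `[ -n "$2" ] && eval $2=''`, so the rule would be built with `--to []:$2`. The `[ -n "$DEVICE" ] || continue` line above it may usually prevent this, but that relies on network_get_device returning nothing for a down network, which is not visible here; `[ -n "$DNAT6" ] && [ "$DNAT6" != '-' ] && ipt6 PREROUTING ...` is the safer test. In dnat6_target the two assignments `eval $DVAR="$DNAT6_TARGET"` and `eval $2="$DNAT6_TARGET"` expand the looked-up address into the string that eval parses; writing them as `eval $DVAR=\"\$DNAT6_TARGET\"` and `eval $2=\"\$DNAT6_TARGET\"` keeps the value out of the parsed text, and the same two lines appear in the other dnat6_target of this commit. The `sed 's/[^a-zA-Z0-9_]/_/g'` cache-key sanitisation also maps network names that differ only in punctuation to the same DNAT6_TARGET_ variable, which is worth a comment if that is acceptable.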


@ -59,11 +59,23 @@ run_tpws()
[ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4" [ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4"
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
OPT="$OPT $TPWS_OPT_BASE6" OPT="$OPT $TPWS_OPT_BASE6"
network_get_device DEVICE lan for lan in $OPENWRT_LAN; do
network_get_device DEVICE $lan
[ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE" [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
done
} }
run_daemon $1 "$TPWS" "$OPT $2" run_daemon $1 "$TPWS" "$OPT $2"
} }
run_tpws_socks()
{
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
local opt="$TPWS_OPT_BASE --socks"
tpws_apply_socks_binds opt
run_daemon $1 "$TPWS" "$opt $2"
}
stop_tpws() stop_tpws()
{ {
stop_daemon $1 "$TPWS" stop_daemon $1 "$TPWS"
@ -80,16 +92,15 @@ tpws_apply_socks_binds()
{ {
local o local o
network_get_device DEVICE lan [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
[ "$DISABLE_IPV4" = "1" ] || { for lan in $OPENWRT_LAN; do
o="--bind-addr=127.0.0.1" network_get_device DEVICE $lan
[ -n "$DEVICE" ] && o="$o --bind-iface4=$DEVICE $TPWS_WAIT" [ -n "$DEVICE" ] || continue
} [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
o="$o --bind-addr=::1" done
[ -n "$DEVICE" ] && o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
}
eval $1="\"\$$1 $o\"" eval $1="\"\$$1 $o\""
} }
@ -104,10 +115,9 @@ start_service() {
run_tpws 1 "$opt" run_tpws 1 "$opt"
;; ;;
tpws-socks) tpws-socks)
opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT" opt="--port=$TPPORT $TPWS_OPT"
tpws_apply_socks_binds opt
filter_apply_hostlist_target opt filter_apply_hostlist_target opt
run_daemon 1 "$TPWS" "$opt" run_tpws_socks 1 "$opt"
;; ;;
nfqws) nfqws)
opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP" opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
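Review bot: tpws_apply_socks_binds declares only `local o` but writes `DEVICE` via `network_get_device DEVICE $lan`, so the last LAN device name leaks into the scope of run_tpws_socks and start_service; `local o DEVICE` fixes that, and run_tpws in the first hunk appears to have the same pattern, though its `local` line is outside the hunk. The new run_tpws_socks has no header comment; from the run_daemon call it looks like `# $1 - daemon number`, `# $2 - extra tpws args`, which should be stated as do_tpws_socks elsewhere in this commit does. tpws_apply_socks_binds would also benefit from `# $1 - name of the variable to append the bind options to`, since the `eval $1=...` contract is otherwise only discoverable by reading the body.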


@ -31,11 +31,6 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
# first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case # first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3" TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
[ -n "$IFACE_WAN" ] && IPT_OWAN="-o $IFACE_WAN"
[ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
[ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"
[ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000 [ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000
# max wait time for the link local ipv6 on the LAN interface # max wait time for the link local ipv6 on the LAN interface
@ -72,11 +67,11 @@ on_off_function()
ipt() ipt()
{ {
iptables -C "$@" 2>/dev/null || iptables -I "$@" iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
} }
ipt_del() ipt_del()
{ {
iptables -C "$@" 2>/dev/null && iptables -D "$@" iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
} }
ipt_add_del() ipt_add_del()
{ {
@ -84,11 +79,11 @@ ipt_add_del()
} }
ipt6() ipt6()
{ {
ip6tables -C "$@" 2>/dev/null || ip6tables -I "$@" ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@"
} }
ipt6_del() ipt6_del()
{ {
ip6tables -C "$@" 2>/dev/null && ip6tables -D "$@" ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@"
} }
ipt6_add_del() ipt6_add_del()
{ {
@ -141,31 +136,39 @@ wait_ifup()
dnat6_target() dnat6_target()
{ {
# $1 - lan network name
# $2 - var to store target ip6
# get target ip address for DNAT. prefer link locals # get target ip address for DNAT. prefer link locals
# tpws should be as inaccessible from outside as possible # tpws should be as inaccessible from outside as possible
# link local address can appear not immediately after ifup # link local address can appear not immediately after ifup
# DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts) # DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts)
local DNAT6_TARGET DVAR=DNAT6_TARGET_$1
DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g')
eval DNAT6_TARGET="\$$DVAR"
[ -n "$2" ] && eval $2=''
[ -n "$DNAT6_TARGET" ] || { [ -n "$DNAT6_TARGET" ] || {
local ct=0 local ct=0
while while
DNAT6_TARGET=$(get_ipv6_linklocal $IFACE_LAN) DNAT6_TARGET=$(get_ipv6_linklocal $1)
[ -n "$DNAT6_TARGET" ] && break [ -n "$DNAT6_TARGET" ] && break
[ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break [ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break
echo waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ... echo $1: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
ct=$(($ct+1)) ct=$(($ct+1))
sleep 1 sleep 1
do :; done do :; done
[ -n "$DNAT6_TARGET" ] || { [ -n "$DNAT6_TARGET" ] || {
echo no link local. getting global echo $1: no link local. getting global
DNAT6_TARGET=$(get_ipv6_global $IFACE_LAN) DNAT6_TARGET=$(get_ipv6_global $1)
[ -n "$DNAT6_TARGET" ] || { [ -n "$DNAT6_TARGET" ] || {
echo could not get any address echo $1: could not get any address
DNAT6_TARGET=- DNAT6_TARGET=-
} }
} }
eval $DVAR="$DNAT6_TARGET"
} }
[ -n "$2" ] && eval $2="$DNAT6_TARGET"
} }
prepare_tpws_fw4() prepare_tpws_fw4()
@ -173,26 +176,25 @@ prepare_tpws_fw4()
# otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it # otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8 # NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
[ -n "$IFACE_LAN" ] && { [ -n "$IFACE_LAN" ] && {
iptables -C INPUT -i $IFACE_LAN -j input_lan_rule_zapret 2>/dev/null || { iptables -N input_rule_zapret 2>/dev/null
# allow localnet route only to special tpws IP iptables -F input_rule_zapret
iptables -N input_lan_rule_zapret 2>/dev/null iptables -A input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN
iptables -F input_lan_rule_zapret iptables -A input_rule_zapret -d 127.0.0.0/8 -j DROP
iptables -A input_lan_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN for lan in $IFACE_LAN ; do
iptables -A input_lan_rule_zapret -d 127.0.0.0/8 -j DROP ipt INPUT -i $lan -j input_rule_zapret
iptables -I INPUT -i $IFACE_LAN -j input_lan_rule_zapret sysctl -qw net.ipv4.conf.$lan.route_localnet=1
} done
sysctl -qw net.ipv4.conf.$IFACE_LAN.route_localnet=1
} }
} }
unprepare_tpws_fw4() unprepare_tpws_fw4()
{ {
[ -n "$IFACE_LAN" ] && { [ -n "$IFACE_LAN" ] && {
iptables -C INPUT -i $IFACE_LAN -j input_lan_rule_zapret 2>/dev/null && { for lan in $IFACE_LAN ; do
sysctl -qw net.ipv4.conf.$IFACE_LAN.route_localnet=0 ipt_del INPUT -i $lan -j input_rule_zapret
iptables -D INPUT -i $IFACE_LAN -j input_lan_rule_zapret sysctl -qw net.ipv4.conf.$lan.route_localnet=0
iptables -F input_lan_rule_zapret done
iptables -X input_lan_rule_zapret iptables -F input_rule_zapret 2>/dev/null
} iptables -X input_rule_zapret 2>/dev/null
} }
} }
unprepare_tpws_fw() unprepare_tpws_fw()
@ -218,10 +220,16 @@ fw_tpws4()
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
[ "$1" = 1 ] && prepare_tpws_fw4 [ "$1" = 1 ] && prepare_tpws_fw4
print_op $1 "$2" "tpws (port $3)" print_op $1 "$2" "tpws (port $3)"
[ -n "$IFACE_LAN" ] && { for lan in $IFACE_LAN ; do
ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 ipt_add_del $1 PREROUTING -t nat -i $lan -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
} done
ipt_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3 if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
ipt_add_del $1 OUTPUT -t nat -o $wan -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
done
else
ipt_add_del $1 OUTPUT -t nat -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
fi
} }
} }
fw_tpws6() fw_tpws6()
@ -231,11 +239,18 @@ fw_tpws6()
# $3 - tpws port # $3 - tpws port
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
print_op $1 "$2" "tpws (port $3)" 6 print_op $1 "$2" "tpws (port $3)" 6
[ -n "$IFACE_LAN" ] && { local DNAT6
dnat6_target for lan in $IFACE_LAN ; do
[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$3 dnat6_target $lan DNAT6
} [ "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $lan -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6]:$3
ipt6_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$3 done
if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
ipt6_add_del $1 OUTPUT -t nat -o $wan -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$3
done
else
ipt6_add_del $1 OUTPUT -t nat -m owner ! --uid-owner $WS_USER -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [::1]:$3
fi
} }
} }
fw_tpws() fw_tpws()
@ -256,7 +271,13 @@ fw_nfqws_pre4()
# $3 - queue number # $3 - queue number
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
print_op $1 "$2" "nfqws prerouting (qnum $3)" print_op $1 "$2" "nfqws prerouting (qnum $3)"
ipt_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
ipt_add_del $1 PREROUTING -t mangle -i $wan -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass
done
else
ipt_add_del $1 PREROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass
fi
} }
} }
fw_nfqws_pre6() fw_nfqws_pre6()
@ -266,7 +287,13 @@ fw_nfqws_pre6()
# $3 - queue number # $3 - queue number
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
print_op $1 "$2" "nfqws prerouting (qnum $3)" 6 print_op $1 "$2" "nfqws prerouting (qnum $3)" 6
ipt6_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
ipt6_add_del $1 PREROUTING -t mangle -i $wan -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass
done
else
ipt6_add_del $1 PREROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass
fi
} }
} }
fw_nfqws_pre() fw_nfqws_pre()
@ -285,7 +312,13 @@ fw_nfqws_post4()
# $3 - queue number # $3 - queue number
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || {
print_op $1 "$2" "nfqws postrouting (qnum $3)" print_op $1 "$2" "nfqws postrouting (qnum $3)"
ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
ipt_add_del $1 POSTROUTING -t mangle -o $wan -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass
done
else
ipt_add_del $1 POSTROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass
fi
} }
} }
fw_nfqws_post6() fw_nfqws_post6()
@ -295,7 +328,13 @@ fw_nfqws_post6()
# $3 - queue number # $3 - queue number
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
print_op $1 "$2" "nfqws postrouting (qnum $3)" 6 print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass if [ -n "$IFACE_WAN" ]; then
for wan in $IFACE_WAN; do
ipt6_add_del $1 POSTROUTING -t mangle -o $wan -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass
done
else
ipt6_add_del $1 POSTROUTING -t mangle -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass
fi
} }
} }
fw_nfqws_post() fw_nfqws_post()
@ -385,11 +424,30 @@ do_tpws()
[ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4" [ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4"
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV6" = "1" ] || {
OPT="$OPT $TPWS_OPT_BASE6" OPT="$OPT $TPWS_OPT_BASE6"
[ -n "$IFACE_LAN" ] && OPT="$OPT --bind-iface6=$IFACE_LAN $TPWS_OPT_BASE6_PRE" for lan in $IFACE_LAN; do
OPT="$OPT --bind-iface6=$lan $TPWS_OPT_BASE6_PRE"
done
} }
do_daemon $1 $2 "$TPWS" "$OPT $3" do_daemon $1 $2 "$TPWS" "$OPT $3"
} }
do_tpws_socks()
{
# $1 : 1 - run, 0 - stop
# $2 : daemon number
# $3 : daemon args
[ "$1" = "1" ] && prepare_user
[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
local opt="$TPWS_OPT_BASE --socks"
tpws_apply_socks_binds opt
do_daemon $1 $2 "$TPWS" "$opt $3"
}
do_nfqws() do_nfqws()
{ {
# $1 : 1 - run, 0 - stop # $1 : 1 - run, 0 - stop
@ -434,14 +492,13 @@ tpws_apply_socks_binds()
{ {
local o local o
[ "$DISABLE_IPV4" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
o="--bind-addr=127.0.0.1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
[ -n "$IFACE_LAN" ] && o="$o --bind-iface4=$IFACE_LAN $TPWS_WAIT"
} for lan in $IFACE_LAN; do
[ "$DISABLE_IPV6" = "1" ] || { [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
o="$o --bind-addr=::1" [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
[ -n "$IFACE_LAN" ] && o="$o --bind-iface6=$IFACE_LAN --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6" done
}
eval $1="\"\$$1 $o\"" eval $1="\"\$$1 $o\""
} }
@ -535,10 +592,9 @@ zapret_do_daemons()
do_tpws $1 1 "$opt" do_tpws $1 1 "$opt"
;; ;;
tpws-socks) tpws-socks)
opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT" opt="--port=$TPPORT $TPWS_OPT"
tpws_apply_socks_binds opt
filter_apply_hostlist_target opt filter_apply_hostlist_target opt
do_daemon $1 1 "$TPWS" "$opt" do_tpws_socks $1 1 "$opt"
;; ;;
nfqws) nfqws)
opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTP" opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTP"
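Review bot: prepare_tpws_fw4 drops the old `# allow localnet route only to special tpws IP` comment while still being the place where `route_localnet=1` is switched on per LAN interface and where `input_rule_zapret` is the only thing keeping the rest of 127.0.0.0/8 off the LAN; that why-comment should survive the rewrite, e.g. `# route_localnet=1 makes 127.0.0.0/8 routable from $lan; input_rule_zapret admits only $TPWS_LOCALHOST4 and drops the rest`. The chain only works because `RETURN` is appended before `DROP`, so a short note that the order matters would protect the next edit. Separately, the six `if [ -n "$IFACE_WAN" ]; then for wan ...; else ...; fi` copies in fw_tpws4/6 and fw_nfqws_pre4/6, fw_nfqws_post4/6 differ only in the rule text; a small helper taking the `-i`/`-o` flag and the rule would keep the no-WAN fallback in one place.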


@ -257,7 +257,7 @@ ask_list()
[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null) [ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
[ -z "$M" ] && M="$M_DEFAULT" [ -z "$M" ] && M="$M_DEFAULT"
echo selected : $M echo selected : $M
eval $1="$M" eval $1="\"$M\""
[ "$M" != "$M_OLD" ] [ "$M" != "$M_OLD" ]
} }
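Review bot: The new `eval $1="\"$M\""` still expands `$M` into the text that eval parses, so a selected value containing `"`, `$` or a backtick would be re-interpreted; `eval $1=\"\$M\"` assigns the same value without putting it through the parser. The values come from the `$2` list rather than free-form input, so the exposure is limited, but the escaped form is no longer and avoids the question. ask_list starts outside the hunk.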