ports override

This commit is contained in:
bol-van 2023-12-12 21:00:22 +03:00
parent 988af97fee
commit b7a5f51064
5 changed files with 48 additions and 20 deletions


@ -253,3 +253,21 @@ minsleep()
{ {
msleep 100 msleep 100
} }
replace_char()
{
local a=$1
local b=$2
shift; shift
echo "$@" | tr $a $b
}
std_ports()
{
HTTP_PORTS=${HTTP_PORTS:-80}
HTTPS_PORTS=${HTTPS_PORTS:-443}
QUIC_PORTS=${QUIC_PORTS:-443}
HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
}
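Review bot: replace_char (L15-L21) passes `$a` and `$b` to tr unquoted and std_ports (L27-L29) passes the port lists unquoted, so a value containing whitespace or glob characters word-splits before it reaches tr or the firewall rule; `echo "$@" | tr "$a" "$b"` and `HTTP_PORTS_IPT=$(replace_char - : "$HTTP_PORTS")` keep each value as one word. The conversion also assumes the config follows the `lo-hi` / comma form exactly: nothing checks that the list is non-empty or numeric, and a typo like `80 ,443` becomes two arguments to iptables. A header comment above std_ports stating the accepted format, e.g. `# HTTP_PORTS/HTTPS_PORTS/QUIC_PORTS: comma separated ports and lo-hi ranges, no spaces; *_IPT holds the same list with lo:hi ranges for iptables/pf`, would make that contract visible to whoever edits the config.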


@ -1,3 +1,5 @@
std_ports
ipt() ipt()
{ {
iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@" iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
@ -50,11 +52,11 @@ filter_apply_port_target()
# $1 - var name of iptables filter # $1 - var name of iptables filter
local f local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
f="-p tcp -m multiport --dports 80,443" f="-p tcp -m multiport --dports $HTTP_PORTS_IPT,$HTTPS_PORTS_IPT"
elif [ "$MODE_HTTPS" = "1" ]; then elif [ "$MODE_HTTPS" = "1" ]; then
f="-p tcp --dport 443" f="-p tcp -m multiport --dports $HTTPS_PORTS_IPT"
elif [ "$MODE_HTTP" = "1" ]; then elif [ "$MODE_HTTP" = "1" ]; then
f="-p tcp --dport 80" f="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
else else
echo WARNING !!! HTTP and HTTPS are both disabled echo WARNING !!! HTTP and HTTPS are both disabled
fi fi
@ -64,7 +66,7 @@ filter_apply_port_target_quic()
{ {
# $1 - var name of nftables filter # $1 - var name of nftables filter
local f local f
f="-p udp --dport 443" f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
eval $1="\"\$$1 $f\"" eval $1="\"\$$1 $f\""
} }
filter_apply_ipset_target4() filter_apply_ipset_target4()
@ -357,7 +359,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qn [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qn
else else
if [ -n "$qn" ]; then if [ -n "$qn" ]; then
f4="-p tcp --dport 80" f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
ff="$f4" ff="$f4"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only" [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
ff="$ff $first_packet_only" ff="$ff $first_packet_only"
@ -367,7 +369,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $ff)" $qn [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $ff)" $qn
fi fi
if [ -n "$qns" ]; then if [ -n "$qns" ]; then
f4="-p tcp --dport 443 $first_packet_only" f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target4 f4 filter_apply_ipset_target4 f4
fw_nfqws_post4 $1 "$f4 $desync" $qns fw_nfqws_post4 $1 "$f4 $desync" $qns
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qns [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre4 $1 "$(reverse_nfqws_rule $f4)" $qns
@ -381,7 +383,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qn [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qn
else else
if [ -n "$qn6" ]; then if [ -n "$qn6" ]; then
f6="-p tcp --dport 80" f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
ff="$f6" ff="$f6"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only" [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
ff="$ff $first_packet_only" ff="$ff $first_packet_only"
@ -391,7 +393,7 @@ zapret_do_firewall_rules_ipt()
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $ff)" $qn6 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $ff)" $qn6
fi fi
if [ -n "$qns6" ]; then if [ -n "$qns6" ]; then
f6="-p tcp --dport 443 $first_packet_only" f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
filter_apply_ipset_target6 f6 filter_apply_ipset_target6 f6
fw_nfqws_post6 $1 "$f6 $desync" $qns6 fw_nfqws_post6 $1 "$f6 $desync" $qns6
[ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qns6 [ "$MODE_FILTER" = "autohostlist" ] && fw_nfqws_pre6 $1 "$(reverse_nfqws_rule $f6)" $qns6
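Review bot: std_ports is called at source time at L35 (and likewise at L97 in the nft file and L158 in the pf file), so the HTTP_PORTS/HTTPS_PORTS/QUIC_PORTS overrides must already be set when this file is sourced; if the config is read later, the `:-80`/`:-443` defaults are what end up in the rules and the override is silently ignored — the sourcing order is not visible in this diff, so please confirm. Separately, `-m multiport --dports` at L43, L45, L47, L55, L63, L71, L79 and L87 accepts at most 15 ports, with each `lo:hi` range counting as two, so a long override makes iptables reject the rule at apply time rather than at configuration time; a comment such as `# multiport: max 15 ports, a lo:hi range counts as 2` next to L43 would warn the operator. zapret_do_firewall_rules_ipt starts and ends outside the hunks shown here.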


@ -2,6 +2,7 @@
# required for : nft -f - # required for : nft -f -
create_dev_stdin create_dev_stdin
std_ports
nft_create_table() nft_create_table()
{ {
@ -279,11 +280,11 @@ nft_filter_apply_port_target()
# $1 - var name of nftables filter # $1 - var name of nftables filter
local f local f
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
f="tcp dport {80,443}" f="tcp dport {$HTTP_PORTS,$HTTPS_PORTS}"
elif [ "$MODE_HTTPS" = "1" ]; then elif [ "$MODE_HTTPS" = "1" ]; then
f="tcp dport 443" f="tcp dport {$HTTPS_PORTS}"
elif [ "$MODE_HTTP" = "1" ]; then elif [ "$MODE_HTTP" = "1" ]; then
f="tcp dport 80" f="tcp dport {$HTTP_PORTS}"
else else
echo WARNING !!! HTTP and HTTPS are both disabled echo WARNING !!! HTTP and HTTPS are both disabled
fi fi
@ -293,7 +294,7 @@ nft_filter_apply_port_target_quic()
{ {
# $1 - var name of nftables filter # $1 - var name of nftables filter
local f local f
f="udp dport 443" f="udp dport {$QUIC_PORTS}"
eval $1="\"\$$1 $f\"" eval $1="\"\$$1 $f\""
} }
nft_filter_apply_ipset_target4() nft_filter_apply_ipset_target4()
@ -604,7 +605,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qn [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qn
else else
if [ -n "$qn" ]; then if [ -n "$qn" ]; then
f4="tcp dport 80" f4="tcp dport {$HTTP_PORTS}"
ff="$f4" ff="$f4"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only" [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
ff="$ff $first_packet_only" ff="$ff $first_packet_only"
@ -614,7 +615,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $ff)" $qn [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $ff)" $qn
fi fi
if [ -n "$qns" ]; then if [ -n "$qns" ]; then
f4="tcp dport 443 $first_packet_only" f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
nft_filter_apply_ipset_target4 f4 nft_filter_apply_ipset_target4 f4
nft_fw_nfqws_post4 "$f4 $desync" $qns nft_fw_nfqws_post4 "$f4 $desync" $qns
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qns [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $f4)" $qns
@ -628,7 +629,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qn [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qn
else else
if [ -n "$qn6" ]; then if [ -n "$qn6" ]; then
f6="tcp dport 80" f6="tcp dport {$HTTP_PORTS}"
ff="$f6" ff="$f6"
[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only" [ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
ff="$ff $first_packet_only" ff="$ff $first_packet_only"
@ -638,7 +639,7 @@ zapret_apply_firewall_rules_nft()
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $ff)" $qn6 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $ff)" $qn6
fi fi
if [ -n "$qns6" ]; then if [ -n "$qns6" ]; then
f6="tcp dport 443 $first_packet_only" f6="tcp dport {$HTTPS_PORTS} $first_packet_only"
nft_filter_apply_ipset_target6 f6 nft_filter_apply_ipset_target6 f6
nft_fw_nfqws_post6 "$f6 $desync" $qns6 nft_fw_nfqws_post6 "$f6 $desync" $qns6
[ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qns6 [ "$MODE_FILTER" = "autohostlist" ] && nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $f6)" $qns6
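Review bot: the anonymous set built at L104, `{$HTTP_PORTS,$HTTPS_PORTS}`, concatenates two operator-supplied lists, and nft may reject a set whose elements or intervals overlap (for example 443 appearing in both lists, or `443` alongside `440-450`); the old code hard-coded the disjoint `{80,443}`, so this is a new failure mode that only surfaces when `nft -f` loads the rules. A short comment at L104, `# nft rejects duplicate/overlapping set elements: HTTP_PORTS and HTTPS_PORTS must not intersect`, documents the constraint until a check exists. Note also that nft gets the raw `lo-hi` lists while the ipt and pf files use the `_IPT` colon form, which is correct but worth a one-line comment beside the std_ports call at L97. zapret_apply_firewall_rules_nft starts and ends outside the hunks shown.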


@ -4,6 +4,8 @@ PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret"
PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4" PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6" PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
std_ports
pf_anchor_root_reload() pf_anchor_root_reload()
{ {
echo reloading PF root anchor echo reloading PF root anchor
@ -107,11 +109,11 @@ pf_anchor_zapret_tables()
pf_anchor_port_target() pf_anchor_port_target()
{ {
if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
echo "{80,443}" echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
elif [ "$MODE_HTTPS" = "1" ]; then elif [ "$MODE_HTTPS" = "1" ]; then
echo "443" echo "{$HTTPS_PORTS_IPT}"
elif [ "$MODE_HTTP" = "1" ]; then elif [ "$MODE_HTTP" = "1" ]; then
echo "80" echo "{$HTTP_PORTS_IPT}"
fi fi
} }
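Review bot: pf_anchor_port_target (L163-L172) now emits the `_IPT` colon-range variables inside braces, but nothing in the file records why the iptables-flavoured form is the right one for pf; a comment above L165 such as `# pf port lists use lo:hi ranges, same as iptables multiport, hence the *_IPT variables` would save the next reader a lookup. The function still echoes nothing when both MODE_HTTP and MODE_HTTPS are off, so a rule built from its output would be missing its port list; that predates this commit, but the ipt and nft counterparts print a WARNING in that case (L49, L110) and this one could do the same.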

7
config

@ -37,6 +37,11 @@ GZIP_LISTS=1
# set to "-" to disable reload # set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf" #LISTS_RELOAD="pfctl -f /etc/pf.conf"
# override ports
#HTTP_PORTS=80-81,85
#HTTPS_PORTS=443,500-501
#QUIC_PORTS=443,444
# CHOOSE OPERATION MODE # CHOOSE OPERATION MODE
# MODE : nfqws,tpws,tpws-socks,filter,custom # MODE : nfqws,tpws,tpws-socks,filter,custom
# nfqws : nfqws for dpi desync # nfqws : nfqws for dpi desync
@ -96,7 +101,7 @@ INIT_APPLY_FW=1
# do not work with ipv4 # do not work with ipv4
#DISABLE_IPV4=1 #DISABLE_IPV4=1
# do not work with ipv6 # do not work with ipv6
DISABLE_IPV6=1 #DISABLE_IPV6=1
# select which init script will be used to get ip or host list # select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
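Review bot: the new sample lines at L181-L184 show the override format but not its limits: the iptables side goes through `-m multiport`, which takes at most 15 ports with a `lo-hi` range counting as two, and nft sets may reject overlapping elements, so an operator copying these lines has no way to know the constraints; add `# comma separated, lo-hi ranges, no spaces; iptables multiport allows max 15 ports (a range counts as 2)` after L181. The DISABLE_IPV6 change at L192 is unrelated to the port override and is not mentioned in the commit title; whichever direction it goes, it changes the shipped default and deserves its own line in the commit message.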