mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-14 10:48:32 +05:00
nft: POSTNAT mode support
This commit is contained in:
parent
22b6ee4ad5
commit
f03bb1747f
@ -37,6 +37,11 @@ nft_set_exists()
|
|||||||
# $1 - set name
|
# $1 - set name
|
||||||
nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null
|
nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null
|
||||||
}
|
}
|
||||||
|
nft_flush_chain()
|
||||||
|
{
|
||||||
|
# $1 - chain name
|
||||||
|
nft flush chain inet $ZAPRET_NFT_TABLE $1
|
||||||
|
}
|
||||||
|
|
||||||
nft_del_all_chains_from_table()
|
nft_del_all_chains_from_table()
|
||||||
{
|
{
|
||||||
@ -65,6 +70,7 @@ nft_create_chains()
|
|||||||
{
|
{
|
||||||
# NOTE : postrouting hook has priority 99 to hook packets with original source but NATed destination
|
# NOTE : postrouting hook has priority 99 to hook packets with original source but NATed destination
|
||||||
# NOTE : prerouting hook has priority -99 for the same reason
|
# NOTE : prerouting hook has priority -99 for the same reason
|
||||||
|
# NOTE : postnat is intended for hooks after NAT. many undersired things can happen. use with care. to activate set env POSTNAT=1
|
||||||
cat << EOF | nft -f -
|
cat << EOF | nft -f -
|
||||||
add chain inet $ZAPRET_NFT_TABLE dnat_output { type nat hook output priority -101; }
|
add chain inet $ZAPRET_NFT_TABLE dnat_output { type nat hook output priority -101; }
|
||||||
flush chain inet $ZAPRET_NFT_TABLE dnat_output
|
flush chain inet $ZAPRET_NFT_TABLE dnat_output
|
||||||
@ -82,13 +88,24 @@ cat << EOF | nft -f -
|
|||||||
add rule inet $ZAPRET_NFT_TABLE localnet_protect ip daddr 127.0.0.0/8 drop comment "route_localnet remote access protection"
|
add rule inet $ZAPRET_NFT_TABLE localnet_protect ip daddr 127.0.0.0/8 drop comment "route_localnet remote access protection"
|
||||||
add rule inet $ZAPRET_NFT_TABLE input iif != lo jump localnet_protect
|
add rule inet $ZAPRET_NFT_TABLE input iif != lo jump localnet_protect
|
||||||
add chain inet $ZAPRET_NFT_TABLE postrouting { type filter hook postrouting priority 99; }
|
add chain inet $ZAPRET_NFT_TABLE postrouting { type filter hook postrouting priority 99; }
|
||||||
add chain inet $ZAPRET_NFT_TABLE prerouting { type filter hook prerouting priority -99; }
|
|
||||||
flush chain inet $ZAPRET_NFT_TABLE postrouting
|
flush chain inet $ZAPRET_NFT_TABLE postrouting
|
||||||
|
add chain inet $ZAPRET_NFT_TABLE postnat { type filter hook postrouting priority 101; }
|
||||||
|
flush chain inet $ZAPRET_NFT_TABLE postnat
|
||||||
|
add chain inet $ZAPRET_NFT_TABLE prerouting { type filter hook prerouting priority -99; }
|
||||||
|
flush chain inet $ZAPRET_NFT_TABLE prerouting
|
||||||
|
add chain inet $ZAPRET_NFT_TABLE predefrag { type filter hook output priority -401; }
|
||||||
|
flush chain inet $ZAPRET_NFT_TABLE predefrag
|
||||||
|
add rule inet $ZAPRET_NFT_TABLE predefrag mark and $DESYNC_MARK !=0 ip frag-off != 0 notrack comment "do not track nfqws generated ipfrag packets to avoid nat tampering and defragmentation"
|
||||||
|
add rule inet $ZAPRET_NFT_TABLE predefrag mark and $DESYNC_MARK !=0 exthdr frag exists notrack comment "do not track nfqws generated ipfrag packets to avoid nat tampering and defragmentation"
|
||||||
add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
|
add set inet $ZAPRET_NFT_TABLE lanif { type ifname; }
|
||||||
add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
|
add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
|
||||||
add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
|
add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
|
||||||
add map inet $ZAPRET_NFT_TABLE link_local { type ifname : ipv6_addr; }
|
add map inet $ZAPRET_NFT_TABLE link_local { type ifname : ipv6_addr; }
|
||||||
EOF
|
EOF
|
||||||
|
[ -n "$POSTNAT_ALL" ] && {
|
||||||
|
nft_flush_chain predefrag
|
||||||
|
nft_add_rule predefrag mark and $DESYNC_MARK !=0 notrack comment \"do not track nfqws generated packets to avoid nat tampering and defragmentation\"
|
||||||
|
}
|
||||||
# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
|
# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
|
||||||
# however without notrack ipfrag will not work
|
# however without notrack ipfrag will not work
|
||||||
# postrouting priority : 99 - before srcnat, 101 - after srcnat
|
# postrouting priority : 99 - before srcnat, 101 - after srcnat
|
||||||
@ -108,7 +125,9 @@ cat << EOF | nft -f - 2>/dev/null
|
|||||||
delete chain inet $ZAPRET_NFT_TABLE forward
|
delete chain inet $ZAPRET_NFT_TABLE forward
|
||||||
delete chain inet $ZAPRET_NFT_TABLE input
|
delete chain inet $ZAPRET_NFT_TABLE input
|
||||||
delete chain inet $ZAPRET_NFT_TABLE postrouting
|
delete chain inet $ZAPRET_NFT_TABLE postrouting
|
||||||
|
delete chain inet $ZAPRET_NFT_TABLE postnat
|
||||||
delete chain inet $ZAPRET_NFT_TABLE prerouting
|
delete chain inet $ZAPRET_NFT_TABLE prerouting
|
||||||
|
delete chain inet $ZAPRET_NFT_TABLE predefrag
|
||||||
delete chain inet $ZAPRET_NFT_TABLE flow_offload
|
delete chain inet $ZAPRET_NFT_TABLE flow_offload
|
||||||
delete chain inet $ZAPRET_NFT_TABLE localnet_protect
|
delete chain inet $ZAPRET_NFT_TABLE localnet_protect
|
||||||
EOF
|
EOF
|
||||||
@ -425,7 +444,14 @@ nft_fw_tpws()
|
|||||||
nft_fw_tpws4 "$1" $3
|
nft_fw_tpws4 "$1" $3
|
||||||
nft_fw_tpws6 "$2" $3
|
nft_fw_tpws6 "$2" $3
|
||||||
}
|
}
|
||||||
|
get_postchain()
|
||||||
|
{
|
||||||
|
if [ "$POSTNAT" = 1 -o "$POSTNAT_ALL" = 1 ] ; then
|
||||||
|
echo -n postnat
|
||||||
|
else
|
||||||
|
echo -n postrouting
|
||||||
|
fi
|
||||||
|
}
|
||||||
_nft_fw_nfqws_post4()
|
_nft_fw_nfqws_post4()
|
||||||
{
|
{
|
||||||
# $1 - filter ipv4
|
# $1 - filter ipv4
|
||||||
@ -436,7 +462,7 @@ _nft_fw_nfqws_post4()
|
|||||||
local filter="$1" port="$2" rule
|
local filter="$1" port="$2" rule
|
||||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
|
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
|
||||||
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
|
rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
|
||||||
nft_add_rule postrouting $rule queue num $port bypass
|
nft_add_rule $(get_postchain) $rule queue num $port bypass
|
||||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -450,7 +476,7 @@ _nft_fw_nfqws_post6()
|
|||||||
local filter="$1" port="$2" rule
|
local filter="$1" port="$2" rule
|
||||||
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
|
nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
|
||||||
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
|
rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
|
||||||
nft_add_rule postrouting $rule queue num $port bypass
|
nft_add_rule $(get_postchain) $rule queue num $port bypass
|
||||||
nft_add_nfqws_flow_exempt_rule "$rule"
|
nft_add_nfqws_flow_exempt_rule "$rule"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user