mirror of
https://github.com/bol-van/zapret.git
synced 2025-04-08 14:27:27 +05:00
75 lines
2.1 KiB
Plaintext
75 lines
2.1 KiB
Plaintext
# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
|
|
|
|
# can override in config :
|
|
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
|
|
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
|
|
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
|
|
|
|
alloc_dnum DNUM_NFQWS_MY1
|
|
alloc_qnum QNUM_NFQWS_MY1
|
|
NFQWS_MY1_SET_NAME=my1nfqws4
|
|
|
|
zapret_custom_daemons()
|
|
{
|
|
# $1 - 1 - run, 0 - stop
|
|
|
|
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
|
|
do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
|
|
}
|
|
|
|
zapret_custom_firewall()
|
|
{
|
|
# $1 - 1 - run, 0 - stop
|
|
|
|
local f
|
|
local first_packets_only="$ipt_connbytes 1:3"
|
|
local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
|
|
local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
|
|
local subnet
|
|
|
|
local DISABLE_IPV6=1
|
|
|
|
[ "$1" = 1 ] && {
|
|
ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
|
|
ipset flush $NFQWS_MY1_SET_NAME
|
|
for subnet in $NFQWS_MY1_SUBNETS; do
|
|
echo add $NFQWS_MY1_SET_NAME $subnet
|
|
done | ipset -! restore
|
|
}
|
|
|
|
f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
|
|
fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
|
|
|
|
[ "$1" = 1 ] || {
|
|
ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
|
|
}
|
|
}
|
|
|
|
zapret_custom_firewall_nft()
|
|
{
|
|
# stop logic is not required
|
|
|
|
local f
|
|
local first_packets_only="$nft_connbytes 1-3"
|
|
local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
|
|
local subnets
|
|
|
|
local DISABLE_IPV6=1
|
|
|
|
make_comma_list subnets $NFQWS_MY1_SUBNETS
|
|
nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
|
|
nft_flush_set $NFQWS_MY1_SET_NAME
|
|
nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
|
|
|
|
f="udp dport {$NFQWS_MY1_PORTS}"
|
|
nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
|
|
}
|
|
|
|
zapret_custom_firewall_nft_flush()
|
|
{
|
|
# this function is called after all nft fw rules are deleted
|
|
# however sets are not deleted. it's desired to clear sets here.
|
|
|
|
nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
|
|
}
|