|
${_('Blacklist update mode')}:
@@ -172,10 +165,9 @@ return baseclass.extend({
`.format(
spinning,
app_status_label,
- (app_status_code != 2 && proxy_mode == 2 && vpn_route_status_code != 0)
+ (app_status_code != 2 && vpn_route_status_code != 0)
? ''
+ _('VPN routing error! Need restart') + '' : '',
- (proxy_mode == 3) ? _('Transparent proxy') : (proxy_mode == 2) ? 'VPN' : 'Tor',
(!bllist_preset || bllist_preset === '') ? _('user entries only') :
(this.blacklistPresets[bllist_preset]) ?
`
@@ -185,7 +177,7 @@ return baseclass.extend({
},
fileEditDialog: baseclass.extend({
- __init__: function(file, title, description, callback, file_exists=false) {
+ __init__(file, title, description, callback, file_exists=false) {
this.file = file;
this.title = title;
this.description = description;
@@ -193,11 +185,11 @@ return baseclass.extend({
this.file_exists = file_exists;
},
- load: function() {
+ load() {
return L.resolveDefault(fs.read(this.file), '');
},
- render: function(content) {
+ render(content) {
ui.showModal(this.title, [
E('div', { 'class': 'cbi-section' }, [
E('div', { 'class': 'cbi-section-descr' }, this.description),
@@ -230,7 +222,7 @@ return baseclass.extend({
]);
},
- handleSave: function(ev) {
+ handleSave(ev) {
let textarea = document.getElementById('widget.modal_content');
let value = textarea.value.trim().replace(/\r\n/g, '\n') + '\n';
@@ -249,7 +241,7 @@ return baseclass.extend({
});
},
- error: function(e) {
+ error(e) {
if(!this.file_exists && e instanceof Error && e.name === 'NotFoundError') {
return this.render();
} else {
@@ -268,7 +260,7 @@ return baseclass.extend({
};
},
- show: function() {
+ show() {
ui.showModal(null,
E('p', { 'class': 'spinning' }, _('Loading'))
);
diff --git a/luci-app-ruantiblock/po/ru/ruantiblock.po b/luci-app-ruantiblock/po/ru/ruantiblock.po
index d4b5221..13097f9 100644
--- a/luci-app-ruantiblock/po/ru/ruantiblock.po
+++ b/luci-app-ruantiblock/po/ru/ruantiblock.po
@@ -70,6 +70,9 @@ msgstr "Байты"
msgid "Cancel"
msgstr "Отмена"
+msgid "Change dnsmasq config directory"
+msgstr "Изменить директорию конфигов dnsmasq"
+
msgid "Changes have been saved."
msgstr "Изменения сохранены."
@@ -110,12 +113,18 @@ msgstr "День"
msgid "Debug"
msgstr "Отладка"
+msgid "Description"
+msgstr "Описание"
+
msgid "Disabled"
msgstr "Отключено"
msgid "Dismiss"
msgstr "Закрыть"
+msgid "Dnsmasq config directory"
+msgstr "Директория конфигов dnsmasq"
+
msgid "Download error"
msgstr "Ошибка загрузки"
@@ -125,9 +134,15 @@ msgstr "Скачать журнал"
msgid "Downloading a blacklist via proxy"
msgstr "Скачивать блэклист через прокси"
+msgid "Downloading files via proxy"
+msgstr "Скачивать файлы через прокси"
+
msgid "Edit"
msgstr "Изменить"
+msgid "Edit entries"
+msgstr "Изменить записи"
+
msgid "Emergency"
msgstr "Чрезвычайная ситуация"
@@ -233,15 +248,15 @@ msgstr "Шаблоны IP подсетей (/24) не подлежащих оп
msgid "Info"
msgstr "Информация"
+msgid "Instance"
+msgstr "Экземпляр"
+
msgid "Interval"
msgstr "Интервал"
msgid "Invalid regular expression"
msgstr "Неправильное регулярное выражение"
-msgid "Nftables rules"
-msgstr "Правила nftables"
-
msgid "Last blacklist update"
msgstr "Последнее обновление блэклиста"
@@ -257,6 +272,9 @@ msgstr "Список хостов, которые исключаются из о
msgid "Loading"
msgstr "Загрузка"
+msgid "Local traffic"
+msgstr "Локальный трафик"
+
msgid "Log"
msgstr "Лог"
@@ -269,6 +287,9 @@ msgstr "Уровни логирования"
msgid "Logread not found"
msgstr "Logread не найден"
+msgid "Lowest priority"
+msgstr "Самый низкий приоритет"
+
msgid "Main settings"
msgstr "Основные настройки"
@@ -373,9 +394,15 @@ msgstr "Отбор IP адресов из блэклиста по шаблона
msgid "Pick domains from blacklist by FQDN filter patterns"
msgstr "Отбор доменов из блэклиста по шаблонам фильтра FQDN"
+msgid "Protocol"
+msgstr "Протокол"
+
msgid "Proxy mode"
msgstr "Режим прокси"
+msgid "Proxy type"
+msgstr "Тип прокси"
+
msgid "Reduces RAM consumption during update"
msgstr "Уменьшает потребление оперативной памяти при обновлении"
@@ -418,8 +445,11 @@ msgstr "Настройки"
msgid "Shutdown"
msgstr "Выключение"
-msgid "Size in memory"
-msgstr "Размер в памяти"
+msgid "Skip marked packets"
+msgstr "Пропускать помеченные пакеты"
+
+msgid "Skip packets that have already been marked in previous rules"
+msgstr "Пропускать пакеты, которые уже были помечены в предыдущих правилах"
msgid "Sorting entries"
msgstr "Сортировка записей"
@@ -430,6 +460,9 @@ msgstr "Запускается"
msgid "Statistics"
msgstr "Статистика"
+msgid "Statement in nftables rules"
+msgstr "Действие в правилах nftables"
+
msgid "Status"
msgstr "Статус"
@@ -469,6 +502,9 @@ msgid ""
msgstr ""
"Служба будет выключена и все данные блэклиста будут удалены. Продолжить?"
+msgid "This proxy will receive traffic last, even after the main blacklist"
+msgstr "В этот прокси трафик будет попадать в последнюю очередь, даже после основного блэклиста"
+
msgid "Time"
msgstr "Время"
@@ -487,6 +523,9 @@ msgstr "Конфигурационный файл Tor"
msgid "Tor mode"
msgstr "Режим Tor"
+msgid "Transit traffic"
+msgstr "Транзитный трафик"
+
msgid "Transparent proxy"
msgstr "Прозрачный прокси"
@@ -505,6 +544,9 @@ msgstr "UDP порт прозрачного прокси"
msgid "Turn on if blacklist source is blocked"
msgstr "Включите, если источник блэклиста заблокирован"
+msgid "Turn on if files are blocked"
+msgstr "Включите, если файлы заблокированы"
+
msgid "Type a search pattern..."
msgstr "Введите шаблон для поиска"
@@ -568,6 +610,9 @@ msgstr "Ошибка маршрутизации VPN! Необходим пере
msgid "Warning"
msgstr "Внимание"
+msgid "all"
+msgstr "все"
+
msgid "ascending"
msgstr "по возрастанию"
diff --git a/luci-app-ruantiblock/po/templates/ruantiblock.pot b/luci-app-ruantiblock/po/templates/ruantiblock.pot
index fff608e..89473c7 100644
--- a/luci-app-ruantiblock/po/templates/ruantiblock.pot
+++ b/luci-app-ruantiblock/po/templates/ruantiblock.pot
@@ -55,6 +55,9 @@ msgstr ""
msgid "Cancel"
msgstr ""
+msgid "Change dnsmasq config directory"
+msgstr ""
+
msgid "Changes have been saved."
msgstr ""
@@ -95,12 +98,18 @@ msgstr ""
msgid "Debug"
msgstr ""
+msgid "Description"
+msgstr ""
+
msgid "Disabled"
msgstr ""
msgid "Dismiss"
msgstr ""
+msgid "Dnsmasq config directory"
+msgstr ""
+
msgid "Download error"
msgstr ""
@@ -110,9 +119,15 @@ msgstr ""
msgid "Downloading a blacklist via proxy"
msgstr ""
+msgid "Downloading files via proxy"
+msgstr ""
+
msgid "Edit"
msgstr ""
+msgid "Edit entries"
+msgstr ""
+
msgid "Emergency"
msgstr ""
msgid "Enable"
@@ -214,15 +229,15 @@ msgstr ""
msgid "Info"
msgstr ""
+msgid "Instance"
+msgstr ""
+
msgid "Interval"
msgstr ""
msgid "Invalid regular expression"
msgstr ""
-msgid "Nftables rules"
-msgstr ""
-
msgid "Last blacklist update"
msgstr ""
@@ -238,6 +253,9 @@ msgstr ""
msgid "Loading"
msgstr ""
+msgid "Local traffic"
+msgstr ""
+
msgid "Log"
msgstr ""
@@ -250,6 +268,9 @@ msgstr ""
msgid "Logread not found"
msgstr ""
+msgid "Lowest priority"
+msgstr ""
+
msgid "Main settings"
msgstr ""
@@ -342,9 +363,15 @@ msgstr ""
msgid "Pick domains from blacklist by FQDN filter patterns"
msgstr ""
+msgid "Protocol"
+msgstr ""
+
msgid "Proxy mode"
msgstr ""
+msgid "Proxy type"
+msgstr ""
+
msgid "Reduces RAM consumption during update"
msgstr ""
@@ -386,9 +413,6 @@ msgstr ""
msgid "Shutdown"
msgstr ""
-msgid "Size in memory"
-msgstr ""
-
msgid "Sorting entries"
msgstr ""
@@ -397,6 +421,10 @@ msgstr ""
msgid "Statistics"
msgstr ""
+
+msgid "Statement in nftables rules"
+msgstr ""
+
msgid "Status"
msgstr ""
@@ -429,6 +457,9 @@ msgid ""
"Continue?"
msgstr ""
+msgid "This proxy will receive traffic last, even after the main blacklist"
+msgstr ""
+
msgid "Time"
msgstr ""
@@ -447,6 +478,9 @@ msgstr ""
msgid "Tor mode"
msgstr ""
+msgid "Transit traffic"
+msgstr ""
+
msgid "Transparent proxy"
msgstr ""
@@ -465,6 +499,9 @@ msgstr ""
msgid "Turn on if blacklist source is blocked"
msgstr ""
+msgid "Turn on if files are blocked"
+msgstr ""
+
msgid "Type a search pattern..."
msgstr ""
@@ -509,6 +546,7 @@ msgid "URLs of remote user entries file"
msgid "Use optional DNS resolver"
msgstr ""
+
msgid "User entries"
msgstr ""
@@ -527,6 +565,9 @@ msgstr ""
msgid "Warning"
msgstr ""
+msgid "all"
+msgstr "все"
+
msgid "ascending"
msgstr ""
diff --git a/luci-app-ruantiblock/root/usr/share/rpcd/acl.d/luci-app-ruantiblock.json b/luci-app-ruantiblock/root/usr/share/rpcd/acl.d/luci-app-ruantiblock.json
index ad22748..6dfe703 100644
--- a/luci-app-ruantiblock/root/usr/share/rpcd/acl.d/luci-app-ruantiblock.json
+++ b/luci-app-ruantiblock/root/usr/share/rpcd/acl.d/luci-app-ruantiblock.json
@@ -7,7 +7,7 @@
"/usr/libexec/ruantiblock": [ "list" ],
"/etc/ruantiblock/fqdn_filter": [ "read" ],
"/etc/ruantiblock/ip_filter": [ "read" ],
- "/etc/ruantiblock/user_entries": [ "read" ],
+ "/etc/ruantiblock/user_lists/*": [ "read" ],
"/etc/ruantiblock/bypass_entries": [ "read" ],
"/etc/ruantiblock/gr_excluded_nets": [ "read" ],
"/etc/ruantiblock/gr_excluded_sld": [ "read" ],
@@ -16,7 +16,8 @@
"/etc/crontabs/root": [ "read" ],
"/usr/bin/ruantiblock*": [ "exec" ],
"/sbin/logread -e ruantiblock:": [ "exec" ],
- "/usr/sbin/logread -e ruantiblock:": [ "exec" ]
+ "/usr/sbin/logread -e ruantiblock:": [ "exec" ],
+ "/tmp": [ "list" ]
},
"uci": [ "network", "ruantiblock" ],
"ubus": {
@@ -27,7 +28,7 @@
"file": {
"/etc/ruantiblock/fqdn_filter": [ "write" ],
"/etc/ruantiblock/ip_filter": [ "write" ],
- "/etc/ruantiblock/user_entries": [ "write" ],
+ "/etc/ruantiblock/user_lists/*": [ "write" ],
"/etc/ruantiblock/bypass_entries": [ "write" ],
"/etc/ruantiblock/gr_excluded_nets": [ "write" ],
"/etc/ruantiblock/gr_excluded_sld": [ "write" ],
diff --git a/ruantiblock-mod-lua/Makefile b/ruantiblock-mod-lua/Makefile
index 82ec6ae..366ecd7 100644
--- a/ruantiblock-mod-lua/Makefile
+++ b/ruantiblock-mod-lua/Makefile
@@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ruantiblock-mod-lua
-PKG_VERSION:=1.6.0
+PKG_VERSION:=2.0.0
PKG_RELEASE:=1
PKG_MAINTAINER:=gSpot
diff --git a/ruantiblock-mod-lua/files/usr/libexec/ruantiblock/ruab_parser.lua b/ruantiblock-mod-lua/files/usr/libexec/ruantiblock/ruab_parser.lua
index fe34241..e4fdde0 100755
--- a/ruantiblock-mod-lua/files/usr/libexec/ruantiblock/ruab_parser.lua
+++ b/ruantiblock-mod-lua/files/usr/libexec/ruantiblock/ruab_parser.lua
@@ -58,9 +58,8 @@ local Config = Class(nil, {
["NFTSET_CIDR"] = true,
["NFTSET_IP"] = true,
["NFTSET_DNSMASQ"] = true,
- ["NFTSET_CIDR_CFG"] = true,
- ["NFTSET_IP_CFG"] = true,
- ["NFTSET_DNSMASQ"] = true,
+ ["NFTSET_CIDR_STRING_MAIN"] = true,
+ ["NFTSET_IP_STRING_MAIN"] = true,
["DNSMASQ_DATA_FILE"] = true,
["IP_DATA_FILE"] = true,
["UPDATE_STATUS_FILE"] = true,
@@ -788,7 +787,7 @@ function WriteConfigFiles:write_ipset_config(ip_table, cidr_table)
file_handler:write(string.format("flush set %s %s\n", self.NFT_TABLE, v))
end
file_handler:write(
- string.format("table %s {\n%s", self.NFT_TABLE, self.NFTSET_CIDR_CFG)
+ string.format("table %s {\n%s", self.NFT_TABLE, self.NFTSET_CIDR_STRING_MAIN)
)
local c = 0
if next(cidr_table) then
@@ -801,7 +800,7 @@ function WriteConfigFiles:write_ipset_config(ip_table, cidr_table)
end
self.cidr_count = c
file_handler:write(
- string.format("}\n%s", self.NFTSET_IP_CFG)
+ string.format("}\n%s", self.NFTSET_IP_STRING_MAIN)
)
local i = 0
if next(ip_table) then
@@ -1076,6 +1075,7 @@ if parser_classes then
for _, i in ipairs(parser_instances) do
ret_list[i:run()] = true
end
+
local return_sum = 0
for i, _ in pairs(ret_list) do
return_sum = return_sum + i
diff --git a/ruantiblock-mod-py/Makefile b/ruantiblock-mod-py/Makefile
index 9e550e1..74af266 100644
--- a/ruantiblock-mod-py/Makefile
+++ b/ruantiblock-mod-py/Makefile
@@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ruantiblock-mod-py
-PKG_VERSION:=1.6.0
+PKG_VERSION:=2.0.0
PKG_RELEASE:=1
PKG_MAINTAINER:=gSpot
diff --git a/ruantiblock-mod-py/files/usr/libexec/ruantiblock/ruab_parser.py b/ruantiblock-mod-py/files/usr/libexec/ruantiblock/ruab_parser.py
index b6a1009..934e52e 100755
--- a/ruantiblock-mod-py/files/usr/libexec/ruantiblock/ruab_parser.py
+++ b/ruantiblock-mod-py/files/usr/libexec/ruantiblock/ruab_parser.py
@@ -42,9 +42,8 @@ class Config:
"NFTSET_CIDR",
"NFTSET_IP",
"NFTSET_DNSMASQ",
- "NFTSET_CIDR_CFG",
- "NFTSET_IP_CFG",
- "NFTSET_DNSMASQ",
+ "NFTSET_CIDR_STRING_MAIN",
+ "NFTSET_IP_STRING_MAIN",
"DNSMASQ_DATA_FILE",
"IP_DATA_FILE",
"UPDATE_STATUS_FILE",
@@ -459,6 +458,7 @@ class Summarize:
@classmethod
def _group_nets(cls, cidr_list, raw_list=None):
+
def remove_items(start, end):
for ip in range(int(start), int(end) + 1, 256):
raw_list.remove(str(IPv4Address(ip)) + "/24")
@@ -570,7 +570,7 @@ class WriteConfigFiles(Config):
for i in (self.NFTSET_CIDR, self.NFTSET_IP):
file_handler.write("flush set {} {}\n".format(self.NFT_TABLE, i))
file_handler.write(
- "table {} {{\n{}".format(self.NFT_TABLE, self.NFTSET_CIDR_CFG)
+ "table {} {{\n{}".format(self.NFT_TABLE, self.NFTSET_CIDR_STRING_MAIN)
)
if len(cidr_set) > 0:
file_handler.write("elements={")
@@ -578,7 +578,7 @@ class WriteConfigFiles(Config):
file_handler.write(f"{i},")
file_handler.write("};")
file_handler.write(
- "}}\n{}".format(self.NFTSET_IP_CFG)
+ "}}\n{}".format(self.NFTSET_IP_STRING_MAIN)
)
if len(ip_dict) > 0:
file_handler.write("elements={")
diff --git a/ruantiblock/Makefile b/ruantiblock/Makefile
index 8db4dc4..db35aa1 100644
--- a/ruantiblock/Makefile
+++ b/ruantiblock/Makefile
@@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ruantiblock
-PKG_VERSION:=1.6.0
+PKG_VERSION:=2.0.0
PKG_RELEASE:=1
PKG_MAINTAINER:=gSpot
@@ -17,7 +17,7 @@ define Package/$(PKG_NAME)
TITLE:=Ruantiblock
URL:=https://github.com/gSpotx2f/ruantiblock_openwrt
PKGARCH:=all
- DEPENDS:=+dnsmasq-full
+ DEPENDS:=+dnsmasq-full +kmod-nft-tproxy
endef
define Package/$(PKG_NAME)/description
@@ -28,10 +28,14 @@ define Package/$(PKG_NAME)/conffiles
/etc/ruantiblock/ruantiblock.conf
/etc/ruantiblock/fqdn_filter
/etc/ruantiblock/ip_filter
-/etc/ruantiblock/user_entries
/etc/ruantiblock/bypass_entries
/etc/ruantiblock/gr_excluded_nets
/etc/ruantiblock/gr_excluded_sld
+/etc/ruantiblock/user_lists/list1
+/etc/ruantiblock/user_lists/list2
+/etc/ruantiblock/user_lists/list3
+/etc/ruantiblock/user_lists/list4
+/etc/ruantiblock/user_lists/list5
endef
define Build/Configure
@@ -51,15 +55,22 @@ define Package/$(PKG_NAME)/install
$(INSTALL_CONF) ./files/etc/ruantiblock/ruantiblock.conf $(1)/etc/ruantiblock/ruantiblock.conf
$(INSTALL_DATA) ./files/etc/ruantiblock/fqdn_filter $(1)/etc/ruantiblock/fqdn_filter
$(INSTALL_DATA) ./files/etc/ruantiblock/ip_filter $(1)/etc/ruantiblock/ip_filter
- $(INSTALL_DATA) ./files/etc/ruantiblock/user_entries $(1)/etc/ruantiblock/user_entries
$(INSTALL_DATA) ./files/etc/ruantiblock/bypass_entries $(1)/etc/ruantiblock/bypass_entries
$(INSTALL_DATA) ./files/etc/ruantiblock/gr_excluded_nets $(1)/etc/ruantiblock/gr_excluded_nets
$(INSTALL_DATA) ./files/etc/ruantiblock/gr_excluded_sld $(1)/etc/ruantiblock/gr_excluded_sld
+ $(INSTALL_DIR) $(1)/etc/ruantiblock/user_lists
+ $(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list1 $(1)/etc/ruantiblock/user_lists/list1
+ $(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list2 $(1)/etc/ruantiblock/user_lists/list2
+ $(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list3 $(1)/etc/ruantiblock/user_lists/list3
+ $(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list4 $(1)/etc/ruantiblock/user_lists/list4
+ $(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list5 $(1)/etc/ruantiblock/user_lists/list5
$(INSTALL_DIR) $(1)/usr/share/ruantiblock
+ $(INSTALL_DATA) ./files/usr/share/ruantiblock/blacklist_sources $(1)/usr/share/ruantiblock/blacklist_sources
$(INSTALL_DATA) ./files/usr/share/ruantiblock/config_script $(1)/usr/share/ruantiblock/config_script
+ $(INSTALL_DATA) ./files/usr/share/ruantiblock/config_script_user_instances $(1)/usr/share/ruantiblock/config_script_user_instances
$(INSTALL_DATA) ./files/usr/share/ruantiblock/info_output $(1)/usr/share/ruantiblock/info_output
$(INSTALL_DATA) ./files/usr/share/ruantiblock/nft_functions $(1)/usr/share/ruantiblock/nft_functions
- $(INSTALL_DATA) ./files/usr/share/ruantiblock/blacklist_sources $(1)/usr/share/ruantiblock/blacklist_sources
+ $(INSTALL_DATA) ./files/usr/share/ruantiblock/user_instances_common $(1)/usr/share/ruantiblock/user_instances_common
$(INSTALL_DIR) $(1)/usr/libexec/ruantiblock
$(INSTALL_BIN) ./files/usr/libexec/ruantiblock/ruab_route_check $(1)/usr/libexec/ruantiblock/ruab_route_check
$(INSTALL_DIR) $(1)/usr/bin
@@ -82,14 +93,16 @@ define Package/$(PKG_NAME)/prerm
FILE_INIT_SCRIPT="/etc/init.d/ruantiblock"
FILE_MAIN_SCRIPT="/usr/bin/ruantiblock"
CRONTAB_FILE="/etc/crontabs/root"
-DNSMASQ_DATA_FILE="/tmp/dnsmasq.d/02-ruantiblock.dnsmasq"
+DNSMASQ_DATA_FILE_BYPASS="/tmp/dnsmasq*.d/00-ruantiblock_bypass.dnsmasq"
+DNSMASQ_DATA_FILE_USER_INSTANCES="/tmp/dnsmasq*.d/01-ruantiblock_user_instances.dnsmasq"
+DNSMASQ_DATA_FILE="/tmp/dnsmasq*.d/02-ruantiblock.dnsmasq"
+DNSMASQ_DATA_FILE_BYPASS_TMP="${DNSMASQ_DATA_FILE_BYPASS}.tmp"
+DNSMASQ_DATA_FILE_USER_INSTANCES_TMP="${DNSMASQ_DATA_FILE_USER_INSTANCES}.tmp"
DNSMASQ_DATA_FILE_TMP="${DNSMASQ_DATA_FILE}.tmp"
-DNSMASQ_DATA_FILE_BYPASS="/tmp/dnsmasq.d/01-ruantiblock_bypass.dnsmasq"
-rm -f $$DNSMASQ_DATA_FILE $$DNSMASQ_DATA_FILE_TMP $$DNSMASQ_DATA_FILE_BYPASS
test -e "$$FILE_MAIN_SCRIPT" && $$FILE_MAIN_SCRIPT destroy
-
test -e "$$FILE_INIT_SCRIPT" && $$FILE_INIT_SCRIPT disable
+rm -f $$DNSMASQ_DATA_FILE $$DNSMASQ_DATA_FILE_TMP $$DNSMASQ_DATA_FILE_BYPASS $$DNSMASQ_DATA_FILE_BYPASS_TMP $$DNSMASQ_DATA_FILE_USER_INSTANCES $$DNSMASQ_DATA_FILE_USER_INSTANCES_TMP
awk -v FILE_MAIN_SCRIPT="$$FILE_MAIN_SCRIPT" '$$0 !~ FILE_MAIN_SCRIPT {
print $$0;
diff --git a/ruantiblock/files/etc/config/ruantiblock b/ruantiblock/files/etc/config/ruantiblock
index 86b59e7..412ffaf 100644
--- a/ruantiblock/files/etc/config/ruantiblock
+++ b/ruantiblock/files/etc/config/ruantiblock
@@ -11,13 +11,13 @@ config main 'config'
option vpn_route_check '0'
option tor_trans_port '9040'
option onion_dns_addr '127.0.0.1#9053'
+ option t_proxy_type '0'
option t_proxy_port_tcp '1100'
option t_proxy_port_udp '1100'
option t_proxy_allow_udp '0'
option bypass_mode '0'
option enable_bllist_proxy '0'
option enable_tmp_downloads '0'
- option add_user_entries '0'
option bllist_min_entries '3000'
option bllist_ip_limit '0'
option bllist_summarize_ip '1'
@@ -30,3 +30,78 @@ config main 'config'
option bllist_enable_idn '0'
option bllist_alt_nslookup '0'
option bllist_alt_dns_addr '8.8.8.8'
+
+config user_instance 'list1'
+ option u_enabled '0'
+ option u_proxy_mode '2'
+ option u_tor_trans_port '9040'
+ option u_onion_dns_addr '127.0.0.1#9053'
+ option u_if_vpn 'tun0'
+ option u_t_proxy_type '0'
+ option u_t_proxy_port_tcp '1100'
+ option u_t_proxy_port_udp '1100'
+ option u_t_proxy_allow_udp '0'
+ option u_enable_entries_remote_proxy '0'
+ option u_entries_dns ''
+ option u_enable_fproxy '0'
+ option u_skip_marked_packets '0'
+
+config user_instance 'list2'
+ option u_enabled '0'
+ option u_proxy_mode '2'
+ option u_tor_trans_port '9040'
+ option u_onion_dns_addr '127.0.0.1#9053'
+ option u_if_vpn 'tun0'
+ option u_t_proxy_type '0'
+ option u_t_proxy_port_tcp '1100'
+ option u_t_proxy_port_udp '1100'
+ option u_t_proxy_allow_udp '0'
+ option u_enable_entries_remote_proxy '0'
+ option u_entries_dns ''
+ option u_enable_fproxy '0'
+ option u_skip_marked_packets '0'
+
+config user_instance 'list3'
+ option u_enabled '0'
+ option u_proxy_mode '2'
+ option u_tor_trans_port '9040'
+ option u_onion_dns_addr '127.0.0.1#9053'
+ option u_if_vpn 'tun0'
+ option u_t_proxy_type '0'
+ option u_t_proxy_port_tcp '1100'
+ option u_t_proxy_port_udp '1100'
+ option u_t_proxy_allow_udp '0'
+ option u_enable_entries_remote_proxy '0'
+ option u_entries_dns ''
+ option u_enable_fproxy '0'
+ option u_skip_marked_packets '0'
+
+config user_instance 'list4'
+ option u_enabled '0'
+ option u_proxy_mode '2'
+ option u_tor_trans_port '9040'
+ option u_onion_dns_addr '127.0.0.1#9053'
+ option u_if_vpn 'tun0'
+ option u_t_proxy_type '0'
+ option u_t_proxy_port_tcp '1100'
+ option u_t_proxy_port_udp '1100'
+ option u_t_proxy_allow_udp '0'
+ option u_enable_entries_remote_proxy '0'
+ option u_entries_dns ''
+ option u_enable_fproxy '0'
+ option u_skip_marked_packets '0'
+
+config user_instance 'list5'
+ option u_enabled '0'
+ option u_proxy_mode '2'
+ option u_tor_trans_port '9040'
+ option u_onion_dns_addr '127.0.0.1#9053'
+ option u_if_vpn 'tun0'
+ option u_t_proxy_type '0'
+ option u_t_proxy_port_tcp '1100'
+ option u_t_proxy_port_udp '1100'
+ option u_t_proxy_allow_udp '0'
+ option u_enable_entries_remote_proxy '0'
+ option u_entries_dns ''
+ option u_enable_fproxy '0'
+ option u_skip_marked_packets '0'
diff --git a/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock b/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock
index 08f1693..f354656 100755
--- a/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock
+++ b/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock
@@ -1,20 +1,64 @@
#!/bin/sh
-UCI_CMD=`which uci`
-if [ $? -ne 0 ]; then
- echo " Error! UCI doesn't exists" >&2
- exit 1
-fi
-RUAB_CMD="/usr/bin/ruantiblock"
-PROXY_MODE=`$UCI_CMD get ruantiblock.config.proxy_mode`
-IF_VPN=`$UCI_CMD get ruantiblock.config.if_vpn`
-VPN_ROUTE_CHECK=`$UCI_CMD get ruantiblock.config.vpn_route_check`
+if [ "$ACTION" = "ifup" ]; then
+ NAME="ruantiblock"
+ RUAB_CMD="/usr/bin/ruantiblock"
+ CONFIG_FILE="/etc/ruantiblock/ruantiblock.conf"
+ USER_INSTANCES_COMMON="/usr/share/ruantiblock/user_instances_common"
+ CONFIG_SCRIPT_USER_INSTANCES="/usr/share/ruantiblock/config_script_user_instances"
+ USER_INSTANCES_DIR="/etc/ruantiblock/user_instances"
+ USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS"
+ USER_INSTANCES_MAX=10
+ DEBUG=0
+ IF_VPN_CURRENT=""
-[ "$VPN_ROUTE_CHECK" != "0" ] && exit 0
+ ruab_route_status=`$RUAB_CMD raw-status`
+ [ $ruab_route_status -eq 1 -o $ruab_route_status -eq 2 ] && exit 0
-if [ "$ACTION" = "ifup" ] && [ "$PROXY_MODE" = "2" ] && [ "$DEVICE" = "$IF_VPN" ]; then
- if [ `$RUAB_CMD raw-status` -ne 2 ]; then
- sleep 5
- $RUAB_CMD reload
- fi
+ UCI_CMD=`which uci`
+ if [ $? -ne 0 ]; then
+ echo " Error! UCI doesn't exists" >&2
+ exit 1
+ fi
+
+ [ -f "$CONFIG_FILE" ] && . "$CONFIG_FILE"
+
+ VPN_ROUTE_CHECK=`$UCI_CMD get ruantiblock.config.vpn_route_check`
+ [ "$VPN_ROUTE_CHECK" != "0" ] && exit 0
+
+ PROXY_MODE=`$UCI_CMD get ruantiblock.config.proxy_mode`
+ if [ "$PROXY_MODE" = "2" ]; then
+ IF_VPN_CURRENT=`$UCI_CMD get ruantiblock.config.if_vpn`
+ fi
+
+ if [ "$DEVICE" != "$IF_VPN_CURRENT" ]; then
+
+ . "$USER_INSTANCES_COMMON"
+
+ for inst in `GetUserInstances 2`
+ do
+ IncludeUserInstanceVars "$inst"
+ if [ "$DEVICE" = "$U_IF_VPN" ]; then
+ IF_VPN_CURRENT="$U_IF_VPN"
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock-vpn-iface-script: U_NAME=${U_NAME} U_IF_VPN=${U_IF_VPN}" >&2
+ logger -p "user.debug" -t "ruantiblock-hotplug-script" "U_NAME=${U_NAME} U_IF_VPN=${U_IF_VPN}"
+ fi
+
+ break
+ fi
+ ClearUserInstanceVars
+ done
+ fi
+
+ if [ "$DEVICE" = "$IF_VPN_CURRENT" ]; then
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock-vpn-iface-script: IF_VPN_CURRENT=${IF_VPN_CURRENT} ACTION=\"${ACTION}\" DEVICE=${DEVICE} INTERFACE=${INTERFACE}" >&2
+ logger -p "user.debug" -t "ruantiblock-hotplug-script" "IF_VPN_CURRENT=${IF_VPN_CURRENT} ACTION=\"${ACTION}\" DEVICE=${DEVICE} INTERFACE=${INTERFACE}"
+ fi
+
+ sleep 5
+ $RUAB_CMD reload
+ fi
fi
diff --git a/ruantiblock/files/etc/init.d/ruantiblock b/ruantiblock/files/etc/init.d/ruantiblock
index e54a79d..4dbf66c 100755
--- a/ruantiblock/files/etc/init.d/ruantiblock
+++ b/ruantiblock/files/etc/init.d/ruantiblock
@@ -5,14 +5,40 @@ STOP=01
APP_NAME="ruantiblock"
APP_EXEC="/usr/bin/${APP_NAME}"
+DNSMASQ_VAR_DIR="/tmp"
config_load $APP_NAME
+get_dnsmasq_cfg_dir() {
+ local _first_instance
+ if [ -d "${DNSMASQ_VAR_DIR}/dnsmasq.d" ]; then
+ printf "${DNSMASQ_VAR_DIR}/dnsmasq.d"
+ return 0
+ else
+ _first_instance=`ls -1 "$DNSMASQ_VAR_DIR" | grep -e "^dnsmasq" | head -n 1`
+ if [ -n "$_first_instance" ]; then
+ printf "${DNSMASQ_VAR_DIR}/${_first_instance}"
+ return 0
+ fi
+ fi
+ return 1
+}
+
start() {
- local update_at_startup
- config_get update_at_startup config update_at_startup
+ local _update_at_startup _dnsmasq_cfg_dir
+ config_get _update_at_startup config update_at_startup
+ config_get _dnsmasq_cfg_dir config dnsmasq_cfg_dir ""
+ if [ -z "$_dnsmasq_cfg_dir" ]; then
+ _dnsmasq_cfg_dir=`get_dnsmasq_cfg_dir`
+ if [ $? -eq 0 -a -n "$_dnsmasq_cfg_dir" ]; then
+ uci set "${APP_NAME}.config.dnsmasq_cfg_dir"="$_dnsmasq_cfg_dir"
+ uci commit ruantiblock
+ else
+ exit 1
+ fi
+ fi
$APP_EXEC start
- if [ $? -eq 0 -a "$update_at_startup" = "1" ]; then
+ if [ $? -eq 0 -a "$_update_at_startup" = "1" ]; then
$APP_EXEC update
else
/etc/init.d/dnsmasq restart
diff --git a/ruantiblock/files/etc/ruantiblock/fqdn_filter b/ruantiblock/files/etc/ruantiblock/fqdn_filter
index 55a5c3a..f8888d0 100644
--- a/ruantiblock/files/etc/ruantiblock/fqdn_filter
+++ b/ruantiblock/files/etc/ruantiblock/fqdn_filter
@@ -82,4 +82,3 @@ birds
forex
kraken
zerkalo
-#lord
diff --git a/ruantiblock/files/etc/ruantiblock/ruantiblock.conf b/ruantiblock/files/etc/ruantiblock/ruantiblock.conf
index ce0b7d6..4eacf1b 100644
--- a/ruantiblock/files/etc/ruantiblock/ruantiblock.conf
+++ b/ruantiblock/files/etc/ruantiblock/ruantiblock.conf
@@ -5,9 +5,10 @@
DATA_DIR="/tmp/ruantiblock"
### Директория модулей
MODULES_DIR="/usr/libexec/ruantiblock"
-### Дополнительный конфиг dnsmasq с FQDN записями блэклиста
-DNSMASQ_DATA_FILE="/tmp/dnsmasq.d/02-ruantiblock.dnsmasq"
-DNSMASQ_DATA_FILE_BYPASS="/tmp/dnsmasq.d/01-ruantiblock_bypass.dnsmasq"
+### Директория PID-файлов и файлов статуса
+RUN_FILES_DIR="/tmp/run"
+### Директория доп. конфигов dnsmasq
+DNSMASQ_CFG_DIR="/tmp/dnsmasq.d"
### Команда для перезапуска dnsmasq
DNSMASQ_RESTART_CMD="/etc/init.d/dnsmasq restart"
### Директория для html-страницы статуса (не используется в OpenWrt)
@@ -31,26 +32,26 @@ ONION_DNS_ADDR="127.0.0.1#9053"
IF_VPN="tun0"
### IP адрес шлюза для VPN конфигурации. Если не задан, используется адрес VPN интерфейса (или адрес пира для протоколов PPP)
VPN_GW_IP=""
-### Метка для отбора пакетов в VPN туннель
-VPN_PKTS_MARK=8
-### Таблица маршрутизации для отправки пакетов в VPN туннель
-VPN_ROUTE_TABLE_ID=99
-### Приоритет правила отбора пакетов при маршрутизации в VPN-интерфейс
-VPN_RULE_PRIO=1000
### Способ добавления в таблицу маршрутизации правила для отправки пакетов в VPN туннель (0 - hotplug.d, 1 - скрипт ruab_route_check)
VPN_ROUTE_CHECK=0
+### Тип прозрачного прокси (0 - redirect, 1 - tproxy)
+T_PROXY_TYPE=0
### TCP порт прокси в режиме прозрачного прокси
T_PROXY_PORT_TCP=1100
### UDP порт прокси в режиме прозрачного прокси
T_PROXY_PORT_UDP=1100
### Отправлять в прозрачный прокси UDP-трафик (0 - выкл, 1 - вкл)
T_PROXY_ALLOW_UDP=0
+### Начальное значение метки для отбора пакетов в фильтрах
+PKTS_MARK_START=8
### Запись событий в syslog (0 - выкл, 1 - вкл)
ENABLE_LOGGING=1
+### Вывод дополнительных сообщений в лог (0 - выкл, 1, 2)
+DEBUG=0
### Html-страница с инфо о текущем статусе (0 - выкл, 1 - вкл) (не используется в OpenWrt)
ENABLE_HTML_INFO=0
### Максимальное кол-во элементов списка nftables
-#NFTSET_MAXELEM_CIDR=65535
+NFTSET_MAXELEM_CIDR=65535
NFTSET_MAXELEM_IP=1000000
NFTSET_MAXELEM_DNSMASQ=65535
NFTSET_MAXELEM_BYPASS_IP=65535
@@ -63,29 +64,14 @@ NFTSET_POLICY_DNSMASQ="performance"
NFTSET_DNSMASQ_TIMEOUT="150m"
### Динамическое обновление таймаута записей в сете $NFTSET_DNSMASQ (0 - выкл, 1 - вкл)
NFTSET_DNSMASQ_TIMEOUT_UPDATE=1
-### Приоритет правила отбора пакетов nftables для конфигупации Tor или прозрачного прокси
-NFT_PRIO_NAT="dstnat - 10"
-### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в конфигупации Tor или прозрачного прокси
-NFT_PRIO_NAT_LOCAL="filter - 10"
-### Приоритет правила отбора пакетов nftables для VPN-конфигурации
-NFT_PRIO_ROUTE="mangle + 10"
-### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в VPN-конфигурации
-NFT_PRIO_ROUTE_LOCAL="mangle + 10"
-### Добавление в список блокировок пользовательских записей из файла $USER_ENTRIES_FILE (0 - выкл, 1 - вкл)
-### В $CONFIG_DIR можно создать текстовый файл user_entries с записями IP, CIDR или FQDN (одна на строку). Эти записи будут добавлены в список блокировок
-### В записях FQDN можно задать DNS-сервер для разрешения данного домена, через пробел (прим.: domain.com 8.8.8.8)
-### Можно комментировать строки (#)
-ADD_USER_ENTRIES=0
-### DNS-сервер для пользовательских записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
-USER_ENTRIES_DNS=""
-### Файл пользовательских записей
-USER_ENTRIES_FILE="/etc/ruantiblock/user_entries"
-### URL удаленных файлов записей пользователя, через пробел (прим.: http://server.lan/files/user_entries_1 http://server.lan/files/user_entries_2)
-USER_ENTRIES_REMOTE=""
### Кол-во попыток скачивания удаленного файла записей пользователя (в случае неудачи)
USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3
### Таймаут между попытками скачивания
USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT=60
+### Кол-во экземпляров записей пользователя (не более 50!)
+USER_INSTANCES_MAX=5
+### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл)
+SKIP_MARKED_PACKETS=0
### Режим списка записей, исключаемых из обхода блокировок (0 - выкл, 1 - вкл)
BYPASS_MODE=0
### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
@@ -143,7 +129,7 @@ BLLIST_SD_LIMIT=16
BLLIST_GR_EXCLUDED_SLD_FILE="/etc/ruantiblock/gr_excluded_sld"
### Файл с масками SLD не подлежащими группировке при оптимизации (одна запись на строку)
BLLIST_GR_EXCLUDED_SLD_MASKS_FILE="/etc/ruantiblock/gr_excluded_sld_mask"
-### Фильтрация записей блэклиста по шаблонам из файла ENTRIES_FILTER_FILE. Записи (FQDN) попадающие под шаблоны исключаются из кофига dnsmasq (0 - выкл, 1 - вкл)
+### Фильтрация записей блэклиста по шаблонам из файла BLLIST_FQDN_FILTER_FILE. Записи (FQDN) попадающие под шаблоны исключаются из кофига dnsmasq (0 - выкл, 1 - вкл)
BLLIST_FQDN_FILTER=0
### Тип фильтра FQDN (0 - все записи, кроме совпадающих с шаблонами; 1 - только записи, совпадающие с шаблонами)
BLLIST_FQDN_FILTER_TYPE=0
diff --git a/ruantiblock/files/etc/ruantiblock/user_entries b/ruantiblock/files/etc/ruantiblock/user_lists/list1
similarity index 100%
rename from ruantiblock/files/etc/ruantiblock/user_entries
rename to ruantiblock/files/etc/ruantiblock/user_lists/list1
diff --git a/ruantiblock/files/etc/ruantiblock/user_lists/list2 b/ruantiblock/files/etc/ruantiblock/user_lists/list2
new file mode 100644
index 0000000..e69de29
diff --git a/ruantiblock/files/etc/ruantiblock/user_lists/list3 b/ruantiblock/files/etc/ruantiblock/user_lists/list3
new file mode 100644
index 0000000..e69de29
diff --git a/ruantiblock/files/etc/ruantiblock/user_lists/list4 b/ruantiblock/files/etc/ruantiblock/user_lists/list4
new file mode 100644
index 0000000..e69de29
diff --git a/ruantiblock/files/etc/ruantiblock/user_lists/list5 b/ruantiblock/files/etc/ruantiblock/user_lists/list5
new file mode 100644
index 0000000..e69de29
diff --git a/ruantiblock/files/usr/bin/ruantiblock b/ruantiblock/files/usr/bin/ruantiblock
index 899137d..e9dc6be 100755
--- a/ruantiblock/files/usr/bin/ruantiblock
+++ b/ruantiblock/files/usr/bin/ruantiblock
@@ -18,11 +18,11 @@ export LANGUAGE="en"
CONFIG_DIR="/etc/${NAME}"
CONFIG_FILE="${CONFIG_DIR}/${NAME}.conf"
SCRIPTS_DIR="/usr/share/${NAME}"
-export DATA_DIR="${CONFIG_DIR}/var"
+export DATA_DIR="/var/${NAME}"
export MODULES_DIR="/usr/libexec/${NAME}"
-### Дополнительный конфиг dnsmasq с FQDN записями блэклиста
-export DNSMASQ_DATA_FILE="/var/dnsmasq.d/02-${NAME}.dnsmasq"
-export DNSMASQ_DATA_FILE_BYPASS="/var/dnsmasq.d/01-${NAME}_bypass.dnsmasq"
+RUN_FILES_DIR="/var/run"
+### Директория доп. конфигов dnsmasq
+export DNSMASQ_CFG_DIR="/var/dnsmasq.d"
### Команда для перезапуска dnsmasq
export DNSMASQ_RESTART_CMD="/etc/init.d/dnsmasq restart"
### Директория для html-страницы статуса (не используется в OpenWrt)
@@ -48,22 +48,30 @@ export ONION_DNS_ADDR="127.0.0.1#9053"
export IF_VPN="tun0"
### IP адрес шлюза для VPN конфигурации. Если не задан, используется адрес VPN интерфейса (или адрес пира для протоколов PPP)
export VPN_GW_IP=""
-### Метка для отбора пакетов в VPN туннель
-export VPN_PKTS_MARK=8
-### Таблица маршрутизации для отправки пакетов в VPN туннель
-export VPN_ROUTE_TABLE_ID=99
+### Начальный номер таблицы маршрутизации для отправки пакетов в VPN туннель
+export VPN_ROUTE_TABLE_ID_START=149
+### Начальный номер таблицы маршрутизации для отправки локальных пакетов в tproxy
+export TPROXY_ROUTE_TABLE_ID_START=201
### Приоритет правила отбора пакетов при маршрутизации в VPN-интерфейс
export VPN_RULE_PRIO=1000
+### Приоритет правила отбора пакетов при маршрутизации в lo интерфейс
+export LO_RULE_PRIO=1000
### Способ добавления в таблицу маршрутизации правила для отправки пакетов в VPN туннель (0 - hotplug.d, 1 - скрипт ruab_route_check)
export VPN_ROUTE_CHECK=0
+### Тип прозрачного прокси (0 - redirect, 1 - tproxy)
+export T_PROXY_TYPE=0
### TCP порт прокси в режиме прозрачного прокси
export T_PROXY_PORT_TCP=1100
### UDP порт прокси в режиме прозрачного прокси
export T_PROXY_PORT_UDP=1100
### Отправлять в прозрачный прокси UDP-трафик (0 - выкл, 1 - вкл)
export T_PROXY_ALLOW_UDP=0
+### Начальное значение метки для отбора пакетов в фильтрах
+export PKTS_MARK_START=8
### Запись событий в syslog (0 - выкл, 1 - вкл)
export ENABLE_LOGGING=1
+### Вывод дополнительных сообщений в лог (0 - выкл, 1, 2)
+export DEBUG=0
### Html-страница с инфо о текущем статусе (0 - выкл, 1 - вкл) (не используется в OpenWrt)
export ENABLE_HTML_INFO=0
### Максимальное кол-во элементов списка nftables
@@ -81,28 +89,27 @@ export NFTSET_DNSMASQ_TIMEOUT="150m"
### Динамическое обновление таймаута записей в сете $NFTSET_DNSMASQ (0 - выкл, 1 - вкл)
export NFTSET_DNSMASQ_TIMEOUT_UPDATE=1
### Приоритет правила отбора пакетов nftables для конфигупации Tor или прозрачного прокси
-export NFT_PRIO_NAT="dstnat - 10"
+export NFT_PRIO_NAT=-140 # dstnat - 10 (-110)
### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в конфигупации Tor или прозрачного прокси
-export NFT_PRIO_NAT_LOCAL="filter - 10"
+export NFT_PRIO_NAT_LOCAL=-140 # dstnat - 10 (-110)
### Приоритет правила отбора пакетов nftables для VPN-конфигурации
-export NFT_PRIO_ROUTE="mangle + 10"
+export NFT_PRIO_ROUTE=-140 # mangle + 10
### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в VPN-конфигурации
-export NFT_PRIO_ROUTE_LOCAL="mangle + 10"
-### Добавление в список блокировок пользовательских записей из файла $USER_ENTRIES_FILE (0 - выкл, 1 - вкл)
-### В $CONFIG_DIR можно создать текстовый файл user_entries с записями IP, CIDR или FQDN (одна на строку). Эти записи будут добавлены в список блокировок
-### В записях FQDN можно задать DNS-сервер для разрешения данного домена, через пробел (прим.: domain.com 8.8.8.8)
-### Можно комментировать строки (#)
-export ADD_USER_ENTRIES=0
-### DNS-сервер для пользовательских записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
-export USER_ENTRIES_DNS=""
-### Файл пользовательских записей
-export USER_ENTRIES_FILE="${CONFIG_DIR}/user_entries"
-### URL удаленных файлов записей пользователя, через пробел (прим.: http://server.lan/files/user_entries_1 http://server.lan/files/user_entries_2)
-export USER_ENTRIES_REMOTE=""
+export NFT_PRIO_ROUTE_LOCAL=-140 # mangle + 10
### Кол-во попыток скачивания удаленного файла записей пользователя (в случае неудачи)
export USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3
### Таймаут между попытками скачивания
export USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT=60
+### Директория конфигов экземпляров записей пользователя
+export USER_INSTANCES_DIR="${CONFIG_DIR}/user_instances"
+### Директория списков записей пользователя
+export USER_LISTS_DIR="${CONFIG_DIR}/user_lists"
+### Переменные экземпляров записей пользователя
+export USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS"
+### Кол-во экземпляров записей пользователя (не более 50!)
+export USER_INSTANCES_MAX=5
+### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл)
+export SKIP_MARKED_PACKETS=0
### Режим списка IP адресов исключаемых из обхода блокировок (0 - выкл, 1 - вкл)
export BYPASS_MODE=0
### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
@@ -185,6 +192,8 @@ export BLLIST_ALT_DNS_ADDR="8.8.8.8"
[ -f "$CONFIG_FILE" ] && . "$CONFIG_FILE"
CONFIG_SCRIPT="${SCRIPTS_DIR}/config_script"
+export USER_INSTANCES_COMMON="${SCRIPTS_DIR}/user_instances_common"
+export CONFIG_SCRIPT_USER_INSTANCES="${SCRIPTS_DIR}/config_script_user_instances"
START_SCRIPT="${SCRIPTS_DIR}/start_script"
STOP_SCRIPT="${SCRIPTS_DIR}/stop_script"
BLLIST_SOURCES_SCRIPT="${SCRIPTS_DIR}/blacklist_sources"
@@ -192,6 +201,10 @@ BLLIST_SOURCES_SCRIPT="${SCRIPTS_DIR}/blacklist_sources"
### Config script
[ -f "$CONFIG_SCRIPT" ] && . "$CONFIG_SCRIPT"
+export DNSMASQ_DATA_FILE_BYPASS="${DNSMASQ_CFG_DIR}/00-${NAME}_bypass.dnsmasq"
+export DNSMASQ_DATA_FILE_USER_INSTANCES="${DNSMASQ_CFG_DIR}/01-${NAME}_user_instances.dnsmasq"
+export DNSMASQ_DATA_FILE="${DNSMASQ_CFG_DIR}/02-${NAME}.dnsmasq"
+
### Utilities
AWK_CMD="awk"
NFT_CMD=`which nft`
@@ -223,6 +236,8 @@ if [ $? -ne 0 ]; then
fi
ROUTE_CHECK_EXEC="${MODULES_DIR}/ruab_route_check"
export IP_DATA_FILE="${DATA_DIR}/${NAME}.ip"
+export IP_DATA_FILE_BYPASS="${DATA_DIR}/${NAME}_bypass.ip"
+export IP_DATA_FILE_USER_INSTANCES="${DATA_DIR}/${NAME}_user_instances.ip"
export NFT_TABLE="ip r"
export NFT_TABLE_DNSMASQ="4#ip#r"
export NFTSET_ALLOWED_HOSTS="allowed_ip"
@@ -235,6 +250,7 @@ export NFTSET_ONION="onion"
export NFTSET_CIDR="c"
export NFTSET_IP="i"
export NFTSET_DNSMASQ="d"
+export NFTSET_MARK_SET="mark_set"
export NFTSET_ALLOWED_HOSTS_TYPE="ipv4_addr"
export NFTSET_BYPASS_IP_TYPE="ipv4_addr"
export NFTSET_BYPASS_FQDN_TYPE="ipv4_addr"
@@ -244,28 +260,45 @@ export NFTSET_BLLIST_PROXY_TYPE="ipv4_addr"
export NFTSET_CIDR_TYPE="ipv4_addr"
export NFTSET_IP_TYPE="ipv4_addr"
export NFTSET_DNSMASQ_TYPE="ipv4_addr"
-export NFTSET_CIDR_CFG="set ${NFTSET_CIDR} {type ${NFTSET_CIDR_TYPE};size ${NFTSET_MAXELEM_CIDR};policy ${NFTSET_POLICY_CIDR};flags interval;auto-merge;"
-export NFTSET_IP_CFG="set ${NFTSET_IP} {type ${NFTSET_IP_TYPE};size ${NFTSET_MAXELEM_IP};policy ${NFTSET_POLICY_IP};flags dynamic;"
-export NFTSET_BYPASS_IP_CFG="set ${NFTSET_BYPASS_IP} {type ${NFTSET_BYPASS_IP_TYPE};size ${NFTSET_MAXELEM_BYPASS_IP};policy ${NFTSET_POLICY_CIDR};flags interval;auto-merge;"
+export NFTSET_MARK_SET_TYPE="mark"
+export NFTSET_CIDR_PATTERN="set %s {type ${NFTSET_CIDR_TYPE};size ${NFTSET_MAXELEM_CIDR};policy ${NFTSET_POLICY_CIDR};flags interval;auto-merge;"
+export NFTSET_IP_PATTERN="set %s {type ${NFTSET_IP_TYPE};size ${NFTSET_MAXELEM_IP};policy ${NFTSET_POLICY_IP};flags dynamic;"
+export NFTSET_CIDR_STRING_MAIN=`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}"`
+export NFTSET_IP_STRING_MAIN=`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}"`
+export NFTSET_BYPASS_IP_STRING="set ${NFTSET_BYPASS_IP} {type ${NFTSET_BYPASS_IP_TYPE};size ${NFTSET_MAXELEM_BYPASS_IP};policy ${NFTSET_POLICY_CIDR};flags interval;auto-merge;"
export UPDATE_STATUS_FILE="${DATA_DIR}/update_status"
export USER_ENTRIES_STATUS_FILE="${DATA_DIR}/user_entries_status"
-U_PID_FILE="/var/run/${NAME}_update.pid"
-START_PID_FILE="/var/run/${NAME}_start.pid"
-TOKEN_FILE="/var/run/${NAME}.token"
+U_PID_FILE="${RUN_FILES_DIR}/${NAME}_update.pid"
+START_PID_FILE="${RUN_FILES_DIR}/${NAME}_start.pid"
+TOKEN_FILE="${RUN_FILES_DIR}/${NAME}.token"
export HTML_OUTPUT="${HTML_DIR}/${NAME}.html"
NFT_FUNCTIONS="${SCRIPTS_DIR}/nft_functions"
INFO_OUTPUT_FUNCTION="${SCRIPTS_DIR}/info_output"
export IP_DATA_FILE_TMP="${IP_DATA_FILE}.tmp"
+export IP_DATA_FILE_USER_INSTANCES_TMP="${IP_DATA_FILE_USER_INSTANCES}.tmp"
+export DNSMASQ_DATA_FILE_TMP="${DNSMASQ_DATA_FILE}.tmp"
+export DNSMASQ_DATA_FILE_USER_INSTANCES_TMP="${DNSMASQ_DATA_FILE_USER_INSTANCES}.tmp"
export DNSMASQ_DATA_FILE_TMP="${DNSMASQ_DATA_FILE}.tmp"
export UPDATE_STATUS_FILE_TMP="${UPDATE_STATUS_FILE}.tmp"
export USER_ENTRIES_STATUS_FILE_TMP="${USER_ENTRIES_STATUS_FILE}.tmp"
+export USER_INSTANCES_ALL=""
+export USER_INSTANCES_ALL_FNAMES=""
+export USER_INSTANCES_VPN=""
+export USER_INSTANCES_VPN_FNAMES=""
+export USER_INSTANCES_CFG=""
+export USER_INSTANCES_CFG_FNAMES=""
+INSTANCES_CACHE="${RUN_FILES_DIR}/${NAME}.instances"
DL_IPSET_URL=""
DL_DMASK_URL=""
DL_STAT_URL=""
+### for compatibility with v1.x parsers
+export NFTSET_CIDR_CFG="$NFTSET_CIDR_STRING_MAIN"
+export NFTSET_IP_CFG="$NFTSET_IP_STRING_MAIN"
######################### External functions ###########################
. "$NFT_FUNCTIONS"
+. "$USER_INSTANCES_COMMON"
if [ -f "$INFO_OUTPUT_FUNCTION" ]; then
. "$INFO_OUTPUT_FUNCTION"
else
@@ -276,7 +309,7 @@ fi
Help() {
cat << EOF
- Usage: ${APP_NAME} start|force-start|stop|destroy|restart|reload|update|force-update|data-files|status|raw-status|html-info|help
+ Usage: ${APP_NAME} start|force-start|stop|destroy|restart|reload|update|force-update|blacklist-files|status|raw-status|html-info|help
start : Start
force-start : Removing the PID-file before running
stop : Stop
@@ -285,7 +318,7 @@ cat << EOF
reload : Renew nftables configuration
update : Update blacklist
force-update : Force update blacklist
- data-files : Create ${IP_DATA_FILE}, ${DNSMASQ_DATA_FILE}, ${DNSMASQ_DATA_FILE_BYPASS} (without network functions)
+ blacklist-files : Create ${IP_DATA_FILE}, ${DNSMASQ_DATA_FILE}, ${DNSMASQ_DATA_FILE_BYPASS} (without network functions)
status : Status & some info
raw-status : Return code: 0 - enabled, 1 - error, 2 - disabled, 3 - starting, 4 - updating
html-info : Return the html-info output
@@ -299,7 +332,7 @@ cat << EOF
${APP_NAME} reload
${APP_NAME} update
${APP_NAME} force-update
- ${APP_NAME} data-files
+ ${APP_NAME} blacklist-files
${APP_NAME} status
${APP_NAME} raw-status
${APP_NAME} html-info
@@ -307,12 +340,17 @@ EOF
}
MakeLogRecord() {
- if [ $ENABLE_LOGGING = "1" ]; then
+ if [ "$ENABLE_LOGGING" = "1" ]; then
$LOGGER_CMD $LOGGER_PARAMS -p "user.${1}" "$2"
fi
}
Download() {
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock.Download ${1} ${2}" >&2
+ MakeLogRecord "debug" "ruantiblock.Download ${1} ${2}"
+ fi
+
$WGET_CMD $WGET_PARAMS "$1" "$2"
if [ $? -ne 0 ]; then
echo " Downloading failed! Connection error (${2})" >&2
@@ -377,16 +415,35 @@ FlushNftSets() {
done
}
+FlushInstancesNftSets() {
+ local _arg="$1" _name
+ for _name in $USER_INSTANCES_ALL " "
+ do
+ if [ "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ case "$_arg" in
+ fqdn)
+ FlushNftSets "${NFTSET_DNSMASQ}${_name}" "${NFTSET_ONION}${_name}"
+ ;;
+ bllist)
+ FlushNftSets "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}" "${NFTSET_DNSMASQ}${_name}"
+ ;;
+ *)
+ FlushNftSets "${NFTSET_FPROXY}${_name}" "${NFTSET_BLLIST_PROXY}${_name}" "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}" "${NFTSET_DNSMASQ}${_name}" "${NFTSET_ONION}${_name}"
+ ;;
+ esac
+ done
+}
+
FormatNftSetElemsList() {
printf "$1" | $AWK_CMD '{gsub(/[ ]+/, ",", $0); printf $0;}'
}
-AddNftSets() {
- local _allowed_hosts _bypass_ips _fproxy_hosts _fproxy_private
- $NFT_CMD add set $NFT_TABLE "$NFTSET_CIDR" { type "$NFTSET_CIDR_TYPE"\; size $NFTSET_MAXELEM_CIDR\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
- $NFT_CMD add set $NFT_TABLE "$NFTSET_IP" { type "$NFTSET_IP_TYPE"\; size $NFTSET_MAXELEM_IP\; policy "$NFTSET_POLICY_IP"\; flags dynamic\; }
- $NFT_CMD add set $NFT_TABLE "$NFTSET_DNSMASQ" { type "$NFTSET_DNSMASQ_TYPE"\; size $NFTSET_MAXELEM_DNSMASQ\; policy "$NFTSET_POLICY_DNSMASQ"\; flags dynamic,timeout\; timeout "$NFTSET_DNSMASQ_TIMEOUT"\; }
- $NFT_CMD add set $NFT_TABLE "$NFTSET_ONION" { type "$NFTSET_DNSMASQ_TYPE"\; size $NFTSET_MAXELEM_DNSMASQ\; policy "$NFTSET_POLICY_DNSMASQ"\; flags dynamic,timeout\; timeout "$NFTSET_DNSMASQ_TIMEOUT"\; }
+AddBaseNftSets() {
+ local _allowed_hosts _fproxy_private
$NFT_CMD add set $NFT_TABLE "$NFTSET_ALLOWED_HOSTS" { type "$NFTSET_ALLOWED_HOSTS_TYPE"\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
_allowed_hosts=`FormatNftSetElemsList "$ALLOWED_HOSTS_LIST"`
if [ -n "$_allowed_hosts" ]; then
@@ -394,42 +451,103 @@ AddNftSets() {
fi
$NFT_CMD add set $NFT_TABLE "$NFTSET_BYPASS_IP" { type "$NFTSET_BYPASS_IP_TYPE"\; size $NFTSET_MAXELEM_BYPASS_IP\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
$NFT_CMD add set $NFT_TABLE "$NFTSET_BYPASS_FQDN" { type "$NFTSET_BYPASS_FQDN_TYPE"\; size $NFTSET_MAXELEM_BYPASS_FQDN\; policy "$NFTSET_POLICY_DNSMASQ"\; flags dynamic,timeout\; timeout "$NFTSET_DNSMASQ_TIMEOUT"\; }
- $NFT_CMD add set $NFT_TABLE "$NFTSET_FPROXY" { type "$NFTSET_FPROXY_TYPE"\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
- _fproxy_hosts=`FormatNftSetElemsList "$FPROXY_LIST"`
- if [ -n "$_fproxy_hosts" ]; then
- $NFT_CMD add element $NFT_TABLE "$NFTSET_FPROXY" { "$_fproxy_hosts" }
- fi
$NFT_CMD add set $NFT_TABLE "$NFTSET_FPROXY_PRIVATE" { type "$NFTSET_FPROXY_PRIVATE_TYPE"\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
_fproxy_private=`FormatNftSetElemsList "$FPROXY_PRIVATE_NETS"`
if [ -n "$_fproxy_private" ]; then
$NFT_CMD add element $NFT_TABLE "$NFTSET_FPROXY_PRIVATE" { "$_fproxy_private" }
fi
- $NFT_CMD add set $NFT_TABLE "$NFTSET_BLLIST_PROXY" { type "$NFTSET_BLLIST_PROXY_TYPE"\; policy "$NFTSET_POLICY_IP"\; flags dynamic\; }
+ $NFT_CMD add set $NFT_TABLE "$NFTSET_MARK_SET" { type "$NFTSET_MARK_SET_TYPE"\; }
+}
+
+MakeInstanceNftSets() {
+ local _name="$1" _fproxy_list="$2" _fproxy_hosts
+ if [ "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ $NFT_CMD add set $NFT_TABLE "${NFTSET_CIDR}${_name}" { type "$NFTSET_CIDR_TYPE"\; size $NFTSET_MAXELEM_CIDR\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
+ $NFT_CMD add set $NFT_TABLE "${NFTSET_IP}${_name}" { type "$NFTSET_IP_TYPE"\; size $NFTSET_MAXELEM_IP\; policy "$NFTSET_POLICY_IP"\; flags dynamic\; }
+ $NFT_CMD add set $NFT_TABLE "${NFTSET_DNSMASQ}${_name}" { type "$NFTSET_DNSMASQ_TYPE"\; size $NFTSET_MAXELEM_DNSMASQ\; policy "$NFTSET_POLICY_DNSMASQ"\; flags dynamic,timeout\; timeout "$NFTSET_DNSMASQ_TIMEOUT"\; }
+ $NFT_CMD add set $NFT_TABLE "${NFTSET_ONION}${_name}" { type "$NFTSET_DNSMASQ_TYPE"\; size $NFTSET_MAXELEM_DNSMASQ\; policy "$NFTSET_POLICY_DNSMASQ"\; flags dynamic,timeout\; timeout "$NFTSET_DNSMASQ_TIMEOUT"\; }
+ $NFT_CMD add set $NFT_TABLE "${NFTSET_FPROXY}${_name}" { type "$NFTSET_FPROXY_TYPE"\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
+ _fproxy_hosts=`FormatNftSetElemsList "$_fproxy_list"`
+ if [ -n "$_fproxy_hosts" ]; then
+ $NFT_CMD add element $NFT_TABLE "${NFTSET_FPROXY}${_name}" { "$_fproxy_hosts" }
+ fi
+ $NFT_CMD add set $NFT_TABLE "${NFTSET_BLLIST_PROXY}${_name}" { type "$NFTSET_BLLIST_PROXY_TYPE"\; policy "$NFTSET_POLICY_IP"\; flags dynamic\; }
+}
+
+AddInstancesNftSets() {
+ local _inst
+ for _inst in $USER_INSTANCES_ALL_FNAMES
+ do
+ IncludeUserInstanceVars "$_inst"
+ MakeInstanceNftSets "$U_NAME" "$U_FPROXY_LIST"
+ ClearUserInstanceVars
+ done
+ MakeInstanceNftSets " " "$FPROXY_LIST"
}
UpdateBllistProxySet() {
- local _ip_string=""
- FlushNftSets "$NFTSET_BLLIST_PROXY"
- for host in $BLLIST_HOSTS
+ local _name="$1" _urls="$2" _host _ip_string=""
+ if [ "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ FlushNftSets "${NFTSET_BLLIST_PROXY}${_name}"
+ for _host in `echo "$_urls" | $AWK_CMD '
+ BEGIN {
+ RS = " ";
+ }
+ {
+ gsub("\n", "", $0);
+ sub(/^https?:\/\//, "", $0);
+ sub(/\/.*$/, "", $0);
+ sub(/:[0-9]{2,5}$/, "", $0);
+ if($0 ~ /^([a-z0-9._-]+[.])+([a-z]{2,}|xn--[a-z0-9]+)$/ || $0 ~ /^[0-9]{1,3}([.][0-9]{1,3}){3}$/) {
+ hosts_arr[$0];
+ };
+ }
+ END {
+ for(i in hosts_arr) {
+ printf i " ";
+ };
+ }'`
do
- if printf "$host" | $AWK_CMD '{exit ($0 ~ /^([0-9]{1,3}.){3}[0-9]{1,3}$/) ? 0 : 1}'; then
- _ip_string="${_ip_string}${host} "
+ if printf "$_host" | $AWK_CMD '{exit ($0 ~ /^([0-9]{1,3}.){3}[0-9]{1,3}$/) ? 0 : 1}'; then
+ _ip_string="${_ip_string}${_host} "
else
- _ip_string="${_ip_string}`$NSLOOKUP_CMD $host 2> /dev/null | $AWK_CMD '/^Address: ([0-9]{1,3}.){3}[0-9]{1,3}$/ {printf $2" "}'`"
+ _ip_string="${_ip_string}`$NSLOOKUP_CMD $_host 2> /dev/null | $AWK_CMD '/^Address: ([0-9]{1,3}.){3}[0-9]{1,3}$/ {printf $2" "}'`"
fi
done
_ip_string=`FormatNftSetElemsList "$_ip_string"`
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock.UpdateBllistProxySet()._ip_string=${_ip_string=}; _name=${_name}" >&2
+ MakeLogRecord "debug" "ruantiblock.UpdateBllistProxySet()._ip_string=${_ip_string=}; _name=${_name}"
+ fi
+
if [ -n "$_ip_string" ]; then
- $NFT_CMD add element $NFT_TABLE "$NFTSET_BLLIST_PROXY" { "$_ip_string" }
+ $NFT_CMD add element $NFT_TABLE "${NFTSET_BLLIST_PROXY}${_name}" { "$_ip_string" }
fi
}
UpdateBllistSets() {
local _return_code=0
- if [ -f "$IP_DATA_FILE" ]; then
+ if [ -f "$IP_DATA_FILE" -a -f "$IP_DATA_FILE_USER_INSTANCES" -a -f "$IP_DATA_FILE_BYPASS" ]; then
echo " Updating nft sets..."
- $NFT_CMD -f "$IP_DATA_FILE"
+ $NFT_CMD -f "$IP_DATA_FILE_BYPASS"
_return_code=$?
+ if [ $_return_code -eq 0 ]; then
+ $NFT_CMD -f "$IP_DATA_FILE_USER_INSTANCES"
+ _return_code=$?
+ if [ $_return_code -eq 0 ]; then
+ $NFT_CMD -f "$IP_DATA_FILE"
+ _return_code=$?
+ fi
+ fi
if [ $_return_code -eq 0 ]; then
echo " Ok"
else
@@ -440,23 +558,94 @@ UpdateBllistSets() {
return $_return_code
}
+AddUserInstancesNftRules() {
+ local _prio_offset=0 _pkts_mark=$PKTS_MARK_START _chain_prio_first _chain_prio_local _inst _vpn_route_table_id=$VPN_ROUTE_TABLE_ID_START _tproxy_route_table_id=$TPROXY_ROUTE_TABLE_ID_START _route_table_id
+ for _inst in $USER_INSTANCES_ALL_FNAMES
+ do
+ IncludeUserInstanceVars "$_inst"
+ if [ "$U_PROXY_MODE" = "2" ]; then
+ _chain_prio_first=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + $_prio_offset))
+ _chain_prio_local=$(($NFT_PRIO_ROUTE_LOCAL + $USER_INSTANCES_MAX + $_prio_offset))
+ _vpn_route_table_id=$(($_vpn_route_table_id + 1))
+ _route_table_id=$_vpn_route_table_id
+ else
+ _chain_prio_first=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + $_prio_offset))
+ _chain_prio_local=$(($NFT_PRIO_NAT_LOCAL + $USER_INSTANCES_MAX + $_prio_offset))
+ if [ "$U_PROXY_MODE" = "3" -a "$U_T_PROXY_TYPE" = "1" ]; then
+ _tproxy_route_table_id=$(($_tproxy_route_table_id + 1))
+ fi
+ _route_table_id=$_tproxy_route_table_id
+ fi
+ _pkts_mark=$(($_pkts_mark + 1))
+ NftInstanceAdd "\"$U_NAME\"" $_pkts_mark $_chain_prio_first $_chain_prio_local $U_PROXY_MODE $U_TOR_TRANS_PORT $_route_table_id "\"$U_IF_VPN\"" $U_T_PROXY_TYPE $U_T_PROXY_PORT_TCP $U_T_PROXY_PORT_UDP $U_T_PROXY_ALLOW_UDP $U_ENABLE_ENTRIES_REMOTE_PROXY $U_ENABLE_FPROXY $U_SKIP_MARKED_PACKETS "\"$U_VPN_GW_IP\""
+ $NFT_CMD add element $NFT_TABLE "$NFTSET_MARK_SET" { $_pkts_mark }
+ ClearUserInstanceVars
+ _prio_offset=$(($_prio_offset - 1))
+ done
+}
+
+DeleteUserInstancesNftRules() {
+ local _inst _i=1 _j=1
+ for _inst in $USER_INSTANCES_CFG_FNAMES
+ do
+ IncludeUserInstanceVars "$_inst"
+ NftInstanceDelete "$U_NAME" 2> /dev/null
+ if [ "$U_PROXY_MODE" = "2" ]; then
+ NftRouteDelete $(($VPN_ROUTE_TABLE_ID_START + $_i)) 2> /dev/null
+ _i=$(($_i + 1))
+ elif [ "$U_PROXY_MODE" = "3" -a "$U_T_PROXY_TYPE" = "1" ]; then
+ NftRouteDelete $(($TPROXY_ROUTE_TABLE_ID_START + $_j)) 2> /dev/null
+ _j=$(($_j + 1))
+ fi
+ ClearUserInstanceVars
+ done
+}
+
AddNftRules() {
- NftMainAdd
+ local _chain_prio_first _chain_prio_local _route_table_id
+ if [ "$PROXY_MODE" = "2" ]; then
+ _chain_prio_first=$NFT_PRIO_ROUTE
+ _chain_prio_local=$NFT_PRIO_ROUTE_LOCAL
+ _chain_prio_sink=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + 1))
+ _chain_prio_action=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + 2))
+ _route_table_id=$VPN_ROUTE_TABLE_ID_START
+ else
+ _chain_prio_first=$NFT_PRIO_NAT
+ _chain_prio_local=$NFT_PRIO_NAT_LOCAL
+ _chain_prio_sink=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + 1))
+ _chain_prio_action=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + 2))
+ _route_table_id=$TPROXY_ROUTE_TABLE_ID_START
+ fi
+ NftAddActionChains $_chain_prio_action
+ NftAddSinkChains $_chain_prio_sink
+ AddUserInstancesNftRules
+ NftInstanceAdd "\" \"" $PKTS_MARK_START $_chain_prio_first $_chain_prio_local $PROXY_MODE $TOR_TRANS_PORT $_route_table_id "\"$IF_VPN\"" $T_PROXY_TYPE $T_PROXY_PORT_TCP $T_PROXY_PORT_UDP $T_PROXY_ALLOW_UDP $ENABLE_BLLIST_PROXY $ENABLE_FPROXY $SKIP_MARKED_PACKETS "\"$VPN_GW_IP\""
+ $NFT_CMD add element $NFT_TABLE "$NFTSET_MARK_SET" { $PKTS_MARK_START }
}
DeleteNftRules() {
- NftMainDelete
+ NftInstanceDelete " "
+ DeleteUserInstancesNftRules
+ NftDeleteSinkChains
+ NftDeleteActionChains
+ if [ "$PROXY_MODE" = "2" ]; then
+ NftRouteDelete $VPN_ROUTE_TABLE_ID_START 2> /dev/null
+ elif [ "$PROXY_MODE" = "3" -a "$T_PROXY_TYPE" = "1" ]; then
+ NftRouteDelete $TPROXY_ROUTE_TABLE_ID_START 2> /dev/null
+ fi
}
SetNetConfig() {
$NFT_CMD add table $NFT_TABLE
- AddNftSets
+ AddBaseNftSets
+ AddInstancesNftSets
AddNftRules
}
DropNetConfig() {
DeleteNftRules
- FlushNftSets "$NFTSET_ALLOWED_HOSTS" "$NFTSET_FPROXY" "$NFTSET_FPROXY_PRIVATE" "$NFTSET_BLLIST_PROXY" "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" "$NFTSET_CIDR" "$NFTSET_IP" "$NFTSET_DNSMASQ" "$NFTSET_ONION"
+ FlushInstancesNftSets
+ FlushNftSets "$NFTSET_ALLOWED_HOSTS" "$NFTSET_FPROXY_PRIVATE" "$NFTSET_BLLIST_PROXY" "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" "$NFTSET_MARK_SET"
}
DestroyNetConfig() {
@@ -464,19 +653,62 @@ DestroyNetConfig() {
$NFT_CMD delete table $NFT_TABLE &> /dev/null
}
-ClearDataFiles() {
- if [ -d "$DATA_DIR" ]; then
- printf "" > "$DNSMASQ_DATA_FILE"
- printf "" > "$DNSMASQ_DATA_FILE_BYPASS"
- printf "" > "$IP_DATA_FILE"
- printf "0 0 0" > "$UPDATE_STATUS_FILE"
- printf "" > "$USER_ENTRIES_STATUS_FILE"
- fi
+CheckStatus() {
+ NftReturnInstanceStatus " "
+ return $?
}
-CheckStatus() {
- NftReturnStatus
- return $?
+GetVpnRouteStatus() {
+ local _inst _i=1 _ret_val=0
+ for _inst in $USER_INSTANCES_VPN_FNAMES
+
+ do
+ if ! NftRouteStatus $(($VPN_ROUTE_TABLE_ID_START + $_i)); then
+ _ret_val=1
+ break
+ fi
+ _i=$(($_i + 1))
+ done
+ if [ "$PROXY_MODE" = "2" ] && ! NftRouteStatus $VPN_ROUTE_TABLE_ID_START; then
+ _ret_val=1
+ fi
+ return $_ret_val
+}
+
+GetBllistChains() {
+ local _inst
+ for _inst in $USER_INSTANCES_ALL " "
+ do
+ NftListBllistChain "$_inst"
+ done
+}
+
+GetBllistChainsJson() {
+ local _inst
+ for _inst in $USER_INSTANCES_ALL " "
+ do
+ NftListBllistChainJson "$_inst"
+ done
+}
+
+ClearDataFiles() {
+ local _arg="$1"
+ if [ -d "$DATA_DIR" ]; then
+ if [ -z "$_arg" -o "$_arg" = "main_instance" ]; then
+ printf "" > "$IP_DATA_FILE"
+ printf "" > "$DNSMASQ_DATA_FILE"
+ printf "0 0 0" > "$UPDATE_STATUS_FILE"
+ fi
+ if [ -z "$_arg" -o "$_arg" = "user_instances" ]; then
+ printf "" > "$IP_DATA_FILE_USER_INSTANCES"
+ printf "" > "$DNSMASQ_DATA_FILE_USER_INSTANCES"
+ printf "" > "$USER_ENTRIES_STATUS_FILE"
+ fi
+ if [ -z "$_arg" ]; then
+ printf "" > "$IP_DATA_FILE_BYPASS"
+ printf "" > "$DNSMASQ_DATA_FILE_BYPASS"
+ fi
+ fi
}
PreStartCheck() {
@@ -485,158 +717,15 @@ PreStartCheck() {
### Костыль для старта dnsmasq
[ -e "$DNSMASQ_DATA_FILE" ] || printf "" > "$DNSMASQ_DATA_FILE"
[ -e "$DNSMASQ_DATA_FILE_BYPASS" ] || printf "" > "$DNSMASQ_DATA_FILE_BYPASS"
-}
-
-ParseUserEntries() {
- $AWK_CMD -v IP_DATA_FILE="$1" -v DNSMASQ_DATA_FILE="$2" -v USER_ENTRIES_STATUS_FILE="$3" -v ID="$4" 'BEGIN {
- null = "";
- ip_array[0] = null;
- cidr_array[0] = null;
- fqdn_array[0] = null;
- }
- function writeIpList(array, _str) {
- _str = "";
- for(i in array) {
- _str = _str i ",";
- };
- return _str;
- };
- function writeDNSData(val, dns) {
- if(length(dns) == 0 && length(ENVIRON["USER_ENTRIES_DNS"]) > 0) {
- dns = ENVIRON["USER_ENTRIES_DNS"];
- };
- if(length(dns) > 0) {
- printf "server=/%s/%s\n", val, dns >> DNSMASQ_DATA_FILE;
- };
- printf "nftset=/%s/%s#%s\n", val, ENVIRON["NFT_TABLE_DNSMASQ"], ENVIRON["NFTSET_DNSMASQ"] >> DNSMASQ_DATA_FILE;
- };
- function writeFqdnEntries() {
- delete fqdn_array[0];
- for(i in fqdn_array) {
- split(fqdn_array[i], a, " ");
- writeDNSData(a[1], a[2]);
- };
- };
- ($0 !~ /^([\040\011]*$|#)/) {
- if($0 ~ /^[0-9]{1,3}([.][0-9]{1,3}){3}$/) {
- ip_array[$0] = null;
- }
- else if($0 ~ /^[0-9]{1,3}([.][0-9]{1,3}){3}[\057][0-9]{1,2}$/) {
- cidr_array[$0] = null;
- }
- else if($0 ~ /^[a-z0-9.\052-]+[.]([a-z]{2,}|xn--[a-z0-9]+)([ ][0-9]{1,3}([.][0-9]{1,3}){3}([#][0-9]{2,5})?)?$/) {
- fqdn_array[length(fqdn_array)] = $1 " " $2;
- };
- }
- END {
- ret_code = 0;
- if($0 ~ /[0-9]+/) {
- ret_code = $0;
- };
- delete cidr_array[0];
- delete ip_array[0];
- if(ret_code == 0 && (length(cidr_array) > 0 || length(ip_array) > 0)) {
- printf "table %s {\n%s", ENVIRON["NFT_TABLE"], ENVIRON["NFTSET_CIDR_CFG"] >> IP_DATA_FILE;
- if(length(cidr_array) > 0) {
- printf "elements={%s};", writeIpList(cidr_array) >> IP_DATA_FILE;
- };
- printf "}\n%s", ENVIRON["NFTSET_IP_CFG"] >> IP_DATA_FILE;
-
- if(length(ip_array) > 0) {
- printf "elements={%s};", writeIpList(ip_array) >> IP_DATA_FILE;
- };
- printf "}\n}\n" >> IP_DATA_FILE;
- };
- writeFqdnEntries();
- if(ret_code == 0) {
- printf "%s %s %s %s\n", length(cidr_array), length(ip_array), length(fqdn_array), ID >> USER_ENTRIES_STATUS_FILE;
- };
- exit ret_code;
- }' -
-}
-
-AddUserEntries() {
- local _url _return_code=0 _attempt=1 _ip_data_file _dnsmasq_data_file _user_entries_status_file _str _update_string
- if [ "$ADD_USER_ENTRIES" = "1" ]; then
- if [ "$ENABLE_TMP_DOWNLOADS" = "1" ]; then
- _ip_data_file="$IP_DATA_FILE_TMP"
- _dnsmasq_data_file="$DNSMASQ_DATA_FILE_TMP"
- _user_entries_status_file="$USER_ENTRIES_STATUS_FILE_TMP"
- rm -f "$_ip_data_file" "$_dnsmasq_data_file" "$_user_entries_status_file"
- else
- _ip_data_file="$IP_DATA_FILE"
- _dnsmasq_data_file="$DNSMASQ_DATA_FILE"
- _user_entries_status_file="$USER_ENTRIES_STATUS_FILE"
- fi
- if [ "$1" = "flush" ]; then
- if [ "$ENABLE_TMP_DOWNLOADS" != "1" ]; then
- ClearDataFiles
- fi
- printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "$NFTSET_CIDR" "$NFT_TABLE" "$NFTSET_IP" >> "$_ip_data_file"
- else
- printf "" > "$USER_ENTRIES_STATUS_FILE"
- fi
- if [ -f "$USER_ENTRIES_FILE" ]; then
- { cat "$USER_ENTRIES_FILE"; echo 0; } | ParseUserEntries "$_ip_data_file" "$_dnsmasq_data_file" "$_user_entries_status_file" "local"
- fi
- if [ -n "$USER_ENTRIES_REMOTE" ]; then
- for _url in $USER_ENTRIES_REMOTE
- do
- _attempt=1
- while :
- do
- if [ "$ENABLE_BLLIST_PROXY" = "1" ]; then
- UpdateBllistProxySet
- fi
- { Download - "$_url"; echo $?; } | ParseUserEntries "$_ip_data_file" "$_dnsmasq_data_file" "$_user_entries_status_file" "$_url"
- if [ $? -eq 0 ]; then
- break
- else
- _return_code=1
- ### STDOUT
- echo " User entries download attempt ${_attempt}: failed [${_url}]" >&2
- MakeLogRecord "err" "User entries download attempt ${_attempt}: failed [${_url}]"
- _attempt=$(($_attempt + 1))
- [ $_attempt -gt $USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS ] && break
- sleep $USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT
- fi
- done
- done
- if [ "$ENABLE_BLLIST_PROXY" = "1" ]; then
- FlushNftSets "$NFTSET_BLLIST_PROXY"
- fi
- fi
- if [ "$ENABLE_TMP_DOWNLOADS" = "1" ]; then
- if [ $_return_code -eq 0 ]; then
- if [ "$1" = "flush" ]; then
- ClearDataFiles
- fi
- cat "$_ip_data_file" >> "$IP_DATA_FILE"
- cat "$_dnsmasq_data_file" >> "$DNSMASQ_DATA_FILE"
- mv -f "$_user_entries_status_file" "$USER_ENTRIES_STATUS_FILE"
- fi
- rm -f "$_ip_data_file" "$_dnsmasq_data_file" "$_user_entries_status_file"
- fi
- while read _str
- do
- _update_string=`printf "$_str" | $AWK_CMD '{
- if(NF == 4) {
- printf "User entries (%s): CIDR: %s, IP: %s, FQDN: %s", $4, $1, $2, $3;
- };
- }'`
- if [ -n "$_update_string" ]; then
- ### STDOUT
- echo " ${_update_string}"
- MakeLogRecord "notice" "${_update_string}"
- fi
- done < "$USER_ENTRIES_STATUS_FILE"
- else
- printf "" > "$USER_ENTRIES_STATUS_FILE"
- fi
+ [ -e "$DNSMASQ_DATA_FILE_USER_INSTANCES" ] || printf "" > "$DNSMASQ_DATA_FILE_USER_INSTANCES"
}
AddBypassEntries() {
- [ -d "$DATA_DIR" ] && printf "" > "$DNSMASQ_DATA_FILE_BYPASS"
+ if [ -d "$DATA_DIR" ]; then
+ printf "" > "$DNSMASQ_DATA_FILE_BYPASS"
+ printf "" > "$IP_DATA_FILE_BYPASS"
+ printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "$NFTSET_BYPASS_IP" "$NFT_TABLE" "$NFTSET_BYPASS_FQDN" >> "$IP_DATA_FILE_BYPASS"
+ fi
FlushNftSets "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN"
if [ "$BYPASS_MODE" = "1" ]; then
if [ -f "$BYPASS_ENTRIES_FILE" ]; then
@@ -669,26 +758,209 @@ AddBypassEntries() {
};
};
($0 !~ /^([\040\011]*$|#)/) {
+ sub("\015", "", $0);
if($0 ~ /^[0-9]{1,3}([.][0-9]{1,3}){3}([\057][0-9]{1,2})?$/) {
ip_array[$0] = null;
}
- else if($0 ~ /^[a-z0-9.\052-]+[.]([a-z]{2,}|xn--[a-z0-9]+)([ ][0-9]{1,3}([.][0-9]{1,3}){3}([#][0-9]{2,5})?)?$/) {
+ else if($0 ~ /^([a-z0-9._-]+[.])*([a-z]{2,}|xn--[a-z0-9]+)([ ][0-9]{1,3}([.][0-9]{1,3}){3}([#][0-9]{2,5})?)?$/) {
fqdn_array[length(fqdn_array)] = $1 " " $2;
};
}
END {
- printf "table %s {\n%s", ENVIRON["NFT_TABLE"], ENVIRON["NFTSET_BYPASS_IP_CFG"] >> ENVIRON["IP_DATA_FILE"];
+ printf "table %s {\n%s", ENVIRON["NFT_TABLE"], ENVIRON["NFTSET_BYPASS_IP_STRING"] >> ENVIRON["IP_DATA_FILE_BYPASS"];
delete ip_array[0];
if(length(ip_array) > 0) {
- printf "elements={%s};", writeIpList(ip_array) >> ENVIRON["IP_DATA_FILE"];
+ printf "elements={%s};", writeIpList(ip_array) >> ENVIRON["IP_DATA_FILE_BYPASS"];
};
- printf "}\n}\n" >> ENVIRON["IP_DATA_FILE"];
+ printf "}\n}\n" >> ENVIRON["IP_DATA_FILE_BYPASS"];
writeFqdnEntries();
}' "$BYPASS_ENTRIES_FILE"
fi
fi
}
+ParseUserEntries() {
+ $AWK_CMD -v NFTSET_IP_STRING="$1" -v NFTSET_CIDR_STRING="$2" -v NFTSET_DNSMASQ="$3" \
+ -v IP_DATA_FILE="$4" -v DNSMASQ_DATA_FILE="$5" -v USER_ENTRIES_STATUS_FILE="$6" \
+ -v ID="$7" -v USER_ENTRIES_DNS="$8" '
+ BEGIN {
+ null = "";
+ ip_array[0] = null;
+ cidr_array[0] = null;
+ fqdn_array[0] = null;
+ }
+ function writeIpList(array, _str) {
+ _str = "";
+ for(i in array) {
+ _str = _str i ",";
+ };
+ return _str;
+ };
+ function writeDNSData(val, dns) {
+ if(length(dns) == 0 && length(USER_ENTRIES_DNS) > 0) {
+ dns = USER_ENTRIES_DNS;
+ };
+ if(length(dns) > 0) {
+ printf "server=/%s/%s\n", val, dns >> DNSMASQ_DATA_FILE;
+ };
+ printf "nftset=/%s/%s#%s\n", val, ENVIRON["NFT_TABLE_DNSMASQ"], NFTSET_DNSMASQ >> DNSMASQ_DATA_FILE;
+ };
+ function writeFqdnEntries() {
+ delete fqdn_array[0];
+ for(i in fqdn_array) {
+ split(fqdn_array[i], a, " ");
+ writeDNSData(a[1], a[2]);
+ };
+ };
+ ($0 !~ /^([\040\011]*$|#)/) {
+ sub("\015", "", $0);
+ if($0 ~ /^[0-9]{1,3}([.][0-9]{1,3}){3}$/) {
+ ip_array[$0] = null;
+ }
+ else if($0 ~ /^[0-9]{1,3}([.][0-9]{1,3}){3}[\057][0-9]{1,2}$/) {
+ cidr_array[$0] = null;
+ }
+ else if($0 ~ /^([a-z0-9._-]+[.])*([a-z]{2,}|xn--[a-z0-9]+)([ ][0-9]{1,3}([.][0-9]{1,3}){3}([#][0-9]{2,5})?)?$/) {
+ fqdn_array[length(fqdn_array)] = $1 " " $2;
+ };
+ }
+ END {
+ ret_code = 0;
+ if($0 ~ /[0-9]+/) {
+ ret_code = $0;
+ };
+ delete cidr_array[0];
+ delete ip_array[0];
+ if(ret_code == 0 && (length(cidr_array) > 0 || length(ip_array) > 0)) {
+ printf "table %s {\n%s", ENVIRON["NFT_TABLE"], NFTSET_CIDR_STRING >> IP_DATA_FILE;
+ if(length(cidr_array) > 0) {
+ printf "elements={%s};", writeIpList(cidr_array) >> IP_DATA_FILE;
+ };
+ printf "}\n%s", NFTSET_IP_STRING >> IP_DATA_FILE;
+
+ if(length(ip_array) > 0) {
+ printf "elements={%s};", writeIpList(ip_array) >> IP_DATA_FILE;
+ };
+ printf "}\n}\n" >> IP_DATA_FILE;
+ };
+ writeFqdnEntries();
+ if(ret_code == 0) {
+ printf "%s %s %s %s\n", length(cidr_array), length(ip_array), length(fqdn_array), ID >> USER_ENTRIES_STATUS_FILE;
+ };
+ exit ret_code;
+ }' -
+}
+
+AddUserEntries() {
+ local _inst _url _return_code=0 _instance_return_code=0 _attempt=1 _instance_entries_file _ip_data_file_user_instances _dnsmasq_data_file_user_instances _user_entries_status_file _str _update_string
+
+ if [ "$ENABLE_TMP_DOWNLOADS" = "1" ]; then
+ _ip_data_file_user_instances="$IP_DATA_FILE_USER_INSTANCES_TMP"
+ _dnsmasq_data_file="$DNSMASQ_DATA_FILE_TMP"
+ _dnsmasq_data_file_user_instances="$DNSMASQ_DATA_FILE_USER_INSTANCES_TMP"
+ _user_entries_status_file="$USER_ENTRIES_STATUS_FILE_TMP"
+ rm -f "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file"
+ else
+ _ip_data_file_user_instances="$IP_DATA_FILE_USER_INSTANCES"
+ _dnsmasq_data_file_user_instances="$DNSMASQ_DATA_FILE_USER_INSTANCES"
+ _user_entries_status_file="$USER_ENTRIES_STATUS_FILE"
+ fi
+
+ if [ "$ENABLE_TMP_DOWNLOADS" != "1" ]; then
+ ClearDataFiles user_instances
+ fi
+
+ for _inst in $USER_INSTANCES_ALL
+ do
+ IncludeUserInstanceVars "$_inst"
+ _instance_entries_file="${USER_LISTS_DIR}/${_inst}"
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock.AddUserEntries._instance_entries_file=${_instance_entries_file}" >&2
+ MakeLogRecord "debug" "ruantiblock.AddUserEntries._instance_entries_file=${_instance_entries_file}"
+ fi
+
+ printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "${NFTSET_CIDR}-${_inst}" "$NFT_TABLE" "${NFTSET_IP}-${_inst}" >> "$_ip_data_file_user_instances"
+
+ if [ "$U_PROXY_MODE" != "2" -a "$U_PROXY_MODE" != "3" ]; then
+ ### Запись для .onion
+ printf "server=/onion/%s\nnftset=/onion/%s#%s\n" "$U_ONION_DNS_ADDR" "$NFT_TABLE_DNSMASQ" "${NFTSET_ONION}-${_inst}" >> "$_dnsmasq_data_file_user_instances"
+ fi
+ if [ -f "$_instance_entries_file" ]; then
+ { cat "$_instance_entries_file"; printf "\n0\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}-${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}-${_inst}"`" "${NFTSET_DNSMASQ}-${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:local" "$U_ENTRIES_DNS"
+ fi
+ if [ -n "$U_ENTRIES_REMOTE" ]; then
+ for _url in $U_ENTRIES_REMOTE
+ do
+ _instance_return_code=0
+ _attempt=1
+ while :
+ do
+ if [ "$U_ENABLE_ENTRIES_REMOTE_PROXY" = "1" ]; then
+ UpdateBllistProxySet "$_inst" "$_url"
+ fi
+ { Download - "$_url"; printf "\n$?\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}-${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}-${_inst}"`" "${NFTSET_DNSMASQ}-${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:${_url}" "$U_ENTRIES_DNS"
+ if [ $? -eq 0 ]; then
+ _instance_return_code=0
+ break
+ else
+ _instance_return_code=1
+ ### STDOUT
+ echo " User entries download attempt ${_attempt}: failed [${_inst}:${_url}]" >&2
+ MakeLogRecord "err" "User entries download attempt ${_attempt}: failed [${_inst}:${_url}]"
+ _attempt=$(($_attempt + 1))
+ [ $_attempt -gt $USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS ] && break
+ sleep $USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT
+ fi
+ done
+ if [ $_instance_return_code -ne 0 ]; then
+ _return_code=$_instance_return_code
+ if [ "$ENABLE_TMP_DOWNLOADS" = "1" ]; then
+ break 2
+ fi
+ fi
+ done
+ if [ "$U_ENABLE_ENTRIES_REMOTE_PROXY" = "1" ]; then
+ FlushNftSets "${NFTSET_BLLIST_PROXY}-${_inst}"
+ fi
+ fi
+ ClearUserInstanceVars
+ done
+
+ if [ "$ENABLE_TMP_DOWNLOADS" = "1" ]; then
+ if [ $_return_code -eq 0 ]; then
+ ClearDataFiles user_instances
+ if [ -e "$_ip_data_file_user_instances" ]; then
+ cat "$_ip_data_file_user_instances" >> "$IP_DATA_FILE_USER_INSTANCES"
+ fi
+ if [ -e "$_dnsmasq_data_file_user_instances" ]; then
+ cat "$_dnsmasq_data_file_user_instances" >> "$DNSMASQ_DATA_FILE_USER_INSTANCES"
+ fi
+ if [ -e "$_user_entries_status_file" ]; then
+ mv -f "$_user_entries_status_file" "$USER_ENTRIES_STATUS_FILE"
+ fi
+ fi
+ rm -f "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file"
+ fi
+ if [ "$ENABLE_TMP_DOWNLOADS" != "1" ] || [ "$ENABLE_TMP_DOWNLOADS" = "1" -a $_return_code -eq 0 ]; then
+ while read _str
+ do
+ _update_string=`printf "$_str" | $AWK_CMD '{
+ if(NF == 4) {
+ printf "User entries (%s): CIDR: %s, IP: %s, FQDN: %s", $4, $1, $2, $3;
+ };
+ }'`
+ if [ -n "$_update_string" ]; then
+ ### STDOUT
+ echo " ${_update_string}"
+ MakeLogRecord "notice" "${_update_string}"
+ fi
+ done < "$USER_ENTRIES_STATUS_FILE"
+ fi
+
+ return $_return_code
+}
+
ToggleUPIDFile() {
if [ "$1" = "del" ]; then
rm -f "$U_PID_FILE"
@@ -697,14 +969,14 @@ ToggleUPIDFile() {
fi
}
-GetDataFiles() {
+GetMainInstanceEntries() {
local _return_code=1 _attempt=1 _update_string
PreStartCheck
if [ -n "$BLLIST_PRESET" -a -n "$BLLIST_MODULE" ]; then
while :
do
if [ "$ENABLE_BLLIST_PROXY" = "1" ]; then
- UpdateBllistProxySet
+ UpdateBllistProxySet " " "$BLLIST_HOSTS"
fi
$BLLIST_MODULE
_return_code=$?
@@ -728,14 +1000,10 @@ GetDataFiles() {
echo " ${_update_string}"
MakeLogRecord "notice" "${_update_string}"
printf " `date +%d.%m.%Y-%H:%M`\n" >> "$UPDATE_STATUS_FILE"
- AddUserEntries
- AddBypassEntries
fi
elif [ -z "$BLLIST_PRESET" -a -z "$BLLIST_MODULE" ]; then
- ADD_USER_ENTRIES=1
- AddUserEntries flush
- AddBypassEntries
- _return_code=0
+ ClearDataFiles main_instance
+ _return_code=3
else
_return_code=2
return $_return_code
@@ -751,48 +1019,87 @@ GetDataFiles() {
return $_return_code
}
+GetBlacklistFiles() {
+ local _return_code=1 _user_entries_ret_code=1
+ AddBypassEntries
+ GetMainInstanceEntries
+ case $? in
+ 0)
+ echo " Blacklist updated"
+ MakeLogRecord "notice" "Blacklist updated"
+ ;;
+ 2)
+ echo " Error! Blacklist update error" >&2
+ MakeLogRecord "err" "Error! Blacklist update error"
+ _return_code=1
+ ;;
+ 3)
+ :
+ ;;
+ *)
+ echo " Module error! [${BLLIST_MODULE}]" >&2
+ MakeLogRecord "err" "Module error! [${BLLIST_MODULE}]"
+ _return_code=1
+ ;;
+ esac
+ AddUserEntries
+ _user_entries_ret_code=$?
+ if [ $_return_code -eq 0 ]; then
+ _return_code=$_user_entries_ret_code
+ fi
+ return $_return_code
+}
+
+MakeInstancesCache() {
+ printf "USER_INSTANCES_ALL=\"${USER_INSTANCES_ALL}\"\nUSER_INSTANCES_ALL_FNAMES=\"${USER_INSTANCES_ALL_FNAMES}\"\nUSER_INSTANCES_VPN=\"${USER_INSTANCES_VPN}\"\nUSER_INSTANCES_VPN_FNAMES=\"${USER_INSTANCES_VPN_FNAMES}\"\nUSER_INSTANCES_CFG=\"${USER_INSTANCES_CFG}\"\nUSER_INSTANCES_CFG_FNAMES=\"${USER_INSTANCES_CFG_FNAMES}\"\n" > "$INSTANCES_CACHE"
+}
+
+DeleteInstancesCache() {
+ rm -f "$INSTANCES_CACHE"
+}
+
+Init() {
+ local _arg="$1"
+ . "$BLLIST_SOURCES_SCRIPT"
+ if [ -e "$INSTANCES_CACHE" ]; then
+ . "$INSTANCES_CACHE"
+
+ if [ $DEBUG -ge 2 ]; then
+ echo " ruantiblock.Init(): read from INSTANCES_CACHE" >&2
+ MakeLogRecord "debug" "ruantiblock.Init(): read from INSTANCES_CACHE"
+ fi
+
+ else
+ SetUserInstancesItems
+ fi
+}
+
MakeToken() {
date +%s > "$TOKEN_FILE"
}
Update() {
- local _return_code=0
+ local _arg="$1" _return_code=0
if CheckStatus; then
:
else
- echo " ${NAME} ${1} - Error! ${NAME} does not running or another error has occurred" >&2
+ echo " ${NAME} ${_arg} - Error! ${NAME} does not running or another error has occurred" >&2
return 1
fi
MakeToken
- if [ -e "$U_PID_FILE" ] && [ "$1" != "force-update" ]; then
- echo " ${NAME} ${1} - Error! Another instance of update is already running" >&2
- MakeLogRecord "err" "${1} - Error! Another instance of update is already running"
+ if [ -e "$U_PID_FILE" ] && [ "$_arg" != "force-update" ]; then
+ echo " ${NAME} ${_arg} - Error! Another instance of update is already running" >&2
+ MakeLogRecord "err" "${_arg} - Error! Another instance of update is already running"
_return_code=2
else
ToggleUPIDFile add
- echo " ${NAME} ${1}..."
- MakeLogRecord "notice" "${1}..."
+ echo " ${NAME} ${_arg}..."
+ MakeLogRecord "notice" "${_arg}..."
if [ "$NFTSET_CLEAR_SETS" = "1" ]; then
- FlushNftSets "$NFTSET_CIDR" "$NFTSET_IP" "$NFTSET_DNSMASQ"
+ FlushInstancesNftSets bllist
fi
- GetDataFiles
- case $? in
- 0)
- echo " Blacklist updated"
- MakeLogRecord "notice" "Blacklist updated"
- ;;
- 2)
- echo " Error! Blacklist update error" >&2
- MakeLogRecord "err" "Error! Blacklist update error"
- _return_code=1
- ;;
- *)
- echo " Module error! [${BLLIST_MODULE}]" >&2
- MakeLogRecord "err" "Module error! [${BLLIST_MODULE}]"
- _return_code=1
- ;;
- esac
- FlushNftSets "$NFTSET_DNSMASQ" "$NFTSET_ONION"
+ GetBlacklistFiles
+ FlushInstancesNftSets fqdn
UpdateBllistSets
_return_code=$?
RestartDnsmasq
@@ -803,7 +1110,7 @@ Update() {
}
Start() {
- local _return_code=1
+ local _arg="$1" _return_code=1
if [ -e "$START_PID_FILE" ]; then
echo " ${NAME} is currently starting..." >&2
return 1
@@ -811,20 +1118,22 @@ Start() {
echo "$$" > "$START_PID_FILE"
fi
MakeToken
+ Init
if CheckStatus; then
echo " ${NAME} is already running" >&2
_return_code=1
else
- echo " ${NAME} ${1}..."
- MakeLogRecord "info" "${1}..."
+ echo " ${NAME} ${_arg}..."
+ MakeLogRecord "info" "${_arg}..."
DropNetConfig &> /dev/null
SetNetConfig
PreStartCheck
UpdateBllistSets
_return_code=$?
- if [ "$PROXY_MODE" = "2" -a "$VPN_ROUTE_CHECK" = "1" -a -x "$ROUTE_CHECK_EXEC" ]; then
+ if [ "$VPN_ROUTE_CHECK" = "1" -a -x "$ROUTE_CHECK_EXEC" ] && [ "$PROXY_MODE" = "2" -o -n "$USER_INSTANCES_VPN" ]; then
$ROUTE_CHECK_EXEC start &> /dev/null &
fi
+ MakeInstancesCache
### Start-script
[ -x "$START_SCRIPT" ] && $START_SCRIPT > /dev/null 2>&1 &
fi
@@ -834,11 +1143,11 @@ Start() {
}
Stop() {
- local _return_code=1
+ local _arg="$1" _return_code=1
if CheckStatus; then
MakeToken
- echo " ${NAME} ${1}..."
- MakeLogRecord "info" "${1}..."
+ echo " ${NAME} ${_arg}..."
+ MakeLogRecord "info" "${_arg}..."
DropNetConfig &> /dev/null
_return_code=$?
if [ -x "$ROUTE_CHECK_EXEC" ]; then
@@ -850,6 +1159,7 @@ Stop() {
else
echo " ${NAME} does not running" >&2
fi
+ DeleteInstancesCache
return $_return_code
}
@@ -862,8 +1172,20 @@ Reload() {
return 1
fi
_i=$(($_i + 1))
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock.Reload._i=${_i}" >&2
+ MakeLogRecord "debug" "ruantiblock.Reload._i ${_i}"
+ fi
+
sleep 1
done
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruantiblock.Reload()" >&2
+ MakeLogRecord "debug" "ruantiblock.Reload()"
+ fi
+
echo " ${NAME} reload..."
DeleteNftRules &> /dev/null
AddNftRules &> /dev/null
@@ -871,7 +1193,7 @@ Reload() {
}
Status() {
- local _update_status _user_entries_status _vpn_error
+ local _inst _update_status _user_entries_status _vpn_error
if [ -f "$UPDATE_STATUS_FILE" ]; then
_update_status=`$AWK_CMD '{
update_string=(NF < 4) ? "No data" : $4" (CIDR: "$1" | IP: "$2" | FQDN: "$3")";
@@ -889,30 +1211,32 @@ Status() {
}' "$USER_ENTRIES_STATUS_FILE"`
fi
- if [ "$PROXY_MODE" = "2" ] && ! NftVpnRouteStatus; then
+ if ! GetVpnRouteStatus; then
_vpn_error="\033[1;31mVPN ROUTING ERROR! (NEED THE RESTART)\033[m"
fi
- NftListBllistChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" -v VPN_ERROR="$_vpn_error" '
+ NftListSinkChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" -v VPN_ERROR="$_vpn_error" '
BEGIN {
- rules_str = "";
- nftset = "";
- bytes = "";
+ rules_str = "";
}
- /@/ {
- if(match($0, /@[^ ]+/) != 0) {
- nftset = substr($0, RSTART+1, RLENGTH-1);
- if(match($0, /bytes [^ ]+/) != 0) {
- bytes = substr($0, RSTART+6, RLENGTH-6);
- };
- rules_str = rules_str " Match-set: " nftset "\n Bytes: " bytes "\n\n";
+ {
+ if($0 ~ /(table|chain|type|return|\{|\})/) {
+ next;
};
+ instance = $NF;
+ if(instance == "\"") {
+ instance = "-main-";
+ };
+ gsub("\"", "", instance);
+ proto = ($3 ~ /(tcp|udp)/) ? $3 : "all";
+ bytes = (match($0, /bytes [^ ]+/) != 0) ? substr($0, RSTART+6, RLENGTH-6) : "";
+ rules_str = rules_str " Instance:\t" instance "\n Protocol:\t" proto "\n Bytes:\t" bytes "\n\n";
}
END {
if(NR == 0) {
printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1mDisabled\033[m\n\n";
exit 2;
};
- printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1;32mEnabled\033[m\n\n PROXY_MODE: " ENVIRON["PROXY_MODE"] "\n PROXY_LOCAL_CLIENTS: " ENVIRON["PROXY_LOCAL_CLIENTS"] "\n BLLIST_PRESET: " ENVIRON["BLLIST_PRESET"] "\n BLLIST_MODULE: " ENVIRON["BLLIST_MODULE"] "\n";
+ printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1;32mEnabled\033[m\n\n DNSMASQ_CFG_DIR: " ENVIRON["DNSMASQ_CFG_DIR"] "\n\n PROXY_LOCAL_CLIENTS: " ENVIRON["PROXY_LOCAL_CLIENTS"] "\n\n Main Instance: \n PROXY_MODE: " ENVIRON["PROXY_MODE"] "\n BLLIST_PRESET: " ENVIRON["BLLIST_PRESET"] "\n BLLIST_MODULE: " ENVIRON["BLLIST_MODULE"] "\n";
printf "\n "UPDATE_STATUS"\n";
if(length(USER_ENTRIES_STATUS) > 0) {
printf "\n"USER_ENTRIES_STATUS"\n";
@@ -920,9 +1244,37 @@ Status() {
if(length(VPN_ERROR) > 0) {
printf "\n "VPN_ERROR"\n";
};
- printf "\n \033[4mNftables rules\033[m:\n\n";
+ printf "\n Transit traffic:\n\n";
printf rules_str;
}'
+ if [ $? -eq 0 -a "$PROXY_LOCAL_CLIENTS" = "1" ]; then
+ NftListSinkLocalChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
+ BEGIN {
+ rules_str = "";
+ }
+ {
+ if($0 ~ /(table|chain|type|return|\{|\})/) {
+ next;
+ };
+ instance = $NF;
+ if(instance == "\"") {
+ instance = "-main-";
+ };
+ gsub("\"", "", instance);
+ proto = ($3 ~ /(tcp|udp)/) ? $3 : "all";
+ bytes = (match($0, /bytes [^ ]+/) != 0) ? substr($0, RSTART+6, RLENGTH-6) : "";
+ rules_str = rules_str " Instance:\t" instance "\n Protocol:\t" proto "\n Bytes:\t" bytes "\n\n";
+ }
+ END {
+ if(NR == 0) {
+ exit 2;
+ };
+ printf " Local traffic:\n\n";
+ printf rules_str;
+ }'
+ else
+ return 2
+ fi
}
StatusOutput() {
@@ -933,9 +1285,6 @@ StatusOutput() {
############################ Main section ##############################
-### Blacklist sources
-. "$BLLIST_SOURCES_SCRIPT"
-
return_code=1
case "$1" in
start|force-start)
@@ -945,22 +1294,41 @@ case "$1" in
StatusOutput
;;
stop)
+ Init
Stop "$1"
return_code=$?
StatusOutput
;;
- restart)
- Stop "stop"
- Start "start"
- return_code=$?
- StatusOutput
+ restart|delayed-restart)
+ if [ "$1" == "delayed-restart" -a -n "$2" ]; then
+ {
+ echo "$$" > "$START_PID_FILE"
+ sleep $2 &> /dev/null
+ rm -f "$START_PID_FILE"
+ Init
+ Stop "stop"
+ Start "start"
+ return_code=$?
+ StatusOutput
+ exit $return_code;
+ } &> /dev/null &
+ return_code=0
+ else
+ Init
+ Stop "stop"
+ Start "start"
+ return_code=$?
+ StatusOutput
+ fi
;;
reload)
+ Init
Reload
return_code=$?
StatusOutput
;;
destroy)
+ Init
Stop "$1" &> /dev/null
DestroyNetConfig
ClearDataFiles
@@ -970,24 +1338,28 @@ case "$1" in
StatusOutput
;;
update|force-update)
+ Init
Update "$1"
return_code=$?
StatusOutput
;;
- data-files)
+ blacklist-files)
+ Init
if [ -e "$U_PID_FILE" ] && [ "$1" != "force-update" ]; then
echo " ${NAME} - Error! Another instance of update is already running" >&2
exit 2
else
- GetDataFiles
+ GetBlacklistFiles
return_code=$?
fi
;;
status)
+ Init
Status
return_code=$?
;;
raw-status)
+ Init
CheckStatus
return_code=$?
case $return_code in
@@ -1009,11 +1381,13 @@ case "$1" in
esac
;;
vpn-route-status)
- NftVpnRouteStatus
+ Init
+ GetVpnRouteStatus
return_code=$?
echo $return_code
;;
html-info)
+ Init
Info
return_code=$?
;;
diff --git a/ruantiblock/files/usr/libexec/ruantiblock/ruab_route_check b/ruantiblock/files/usr/libexec/ruantiblock/ruab_route_check
index 4920a26..76ae813 100755
--- a/ruantiblock/files/usr/libexec/ruantiblock/ruab_route_check
+++ b/ruantiblock/files/usr/libexec/ruantiblock/ruab_route_check
@@ -1,17 +1,69 @@
#!/bin/sh
PID_FILE="/var/run/`basename $0`.pid"
+APP_EXEC="/usr/bin/ruantiblock"
-VpnRouteStatus() {
- [ -n "`$IP_CMD route show table $VPN_ROUTE_TABLE_ID 2> /dev/null`" ] && return 0
+. "$USER_INSTANCES_COMMON"
+
+VPN_IFACES_STATUS=1
+
+CheckIfaceStatus() {
+ local _iface="$1" _ret_val=0
+ if [ -z "`$IP_CMD link show dev $_iface up 2> /dev/null`" ]; then
+ _ret_val=1
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruab_route_check.GetVpnRouteStatus: ${_iface} disabled" >&2
+ logger -p "user.debug" -t "ruantiblock" "ruab_route_check.GetVpnRouteStatus: iface ${_iface} disabled"
+ fi
+
+ fi
+ return $_ret_val
+}
+
+VpnRouteInstanceStatus() {
+ local _vpn_route_table_id=$1
+ [ -n "`$IP_CMD route show table $_vpn_route_table_id 2> /dev/null`" ] && return 0
return 1
}
+GetVpnRouteStatus() {
+ local _inst _i=1 _ret_val=0
+ for _inst in $USER_INSTANCES_VPN_FNAMES
+ do
+ IncludeUserInstanceVars "$_inst"
+ if ! CheckIfaceStatus $U_IF_VPN; then
+ VPN_IFACES_STATUS=0
+ fi
+ if ! VpnRouteInstanceStatus $(($VPN_ROUTE_TABLE_ID_START + $_i)); then
+ _ret_val=1
+ break
+ fi
+ _i=$(($_i + 1))
+ ClearUserInstanceVars
+ done
+ if [ $_ret_val -eq 0 -a "$PROXY_MODE" = "2" ]; then
+ if ! CheckIfaceStatus $IF_VPN; then
+ VPN_IFACES_STATUS=0
+ fi
+ if ! VpnRouteInstanceStatus $VPN_ROUTE_TABLE_ID_START; then
+ _ret_val=1
+ fi
+ fi
+ return $_ret_val
+}
+
Main() {
while [ -e "$PID_FILE" ]
do
- if ! VpnRouteStatus; then
- if $IP_CMD link show $IF_VPN &> /dev/null; then
+ VPN_IFACES_STATUS=1
+ if ! GetVpnRouteStatus; then
+ if [ "$VPN_IFACES_STATUS" = "1" ]; then
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " ruab_route_check.Main: ${APP_EXEC} reload" >&2
+ logger -p "user.debug" -t "ruantiblock" "ruab_route_check.Main: ${APP_EXEC} reload"
+ fi
$APP_EXEC reload
fi
fi
diff --git a/ruantiblock/files/usr/share/ruantiblock/blacklist_sources b/ruantiblock/files/usr/share/ruantiblock/blacklist_sources
index 603cf95..e9350bb 100644
--- a/ruantiblock/files/usr/share/ruantiblock/blacklist_sources
+++ b/ruantiblock/files/usr/share/ruantiblock/blacklist_sources
@@ -6,7 +6,6 @@ export RBL_DPI_URL="https://reestr.rublacklist.net/api/v3/dpi/"
export RBL_ENCODING=""
## zapret-info
export ZI_ALL_URL="https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv"
-#export ZI_ALL_URL="https://app.assembla.com/spaces/z-i/git/source/master/dump.csv?_format=raw"
export ZI_ENCODING="CP1251"
## antifilter
export AF_IP_URL="https://antifilter.download/list/allyouneed.lst"
@@ -52,7 +51,6 @@ case "$BLLIST_PRESET" in
export BLLIST_SOURCE="ruantiblock"
export BLLIST_MODE="ip"
BLLIST_MODULE="DownloadNativeBlacklist"
- # github
DL_IPSET_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/ip/ruantiblock.ip"
DL_DMASK_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/ip/ruantiblock.dnsmasq"
DL_STAT_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/ip/update_status"
@@ -61,7 +59,6 @@ case "$BLLIST_PRESET" in
export BLLIST_SOURCE="ruantiblock"
export BLLIST_MODE="fqdn"
BLLIST_MODULE="DownloadNativeBlacklist"
- # github
DL_IPSET_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/fqdn/ruantiblock.ip"
DL_DMASK_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/fqdn/ruantiblock.dnsmasq"
DL_STAT_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/fqdn/update_status"
diff --git a/ruantiblock/files/usr/share/ruantiblock/config_script b/ruantiblock/files/usr/share/ruantiblock/config_script
index 309d15c..a2a67bc 100644
--- a/ruantiblock/files/usr/share/ruantiblock/config_script
+++ b/ruantiblock/files/usr/share/ruantiblock/config_script
@@ -1,5 +1,5 @@
UCI_SECTION="ruantiblock.config"
-UCI_VARS="proxy_mode proxy_local_clients nftset_clear_sets allowed_hosts_mode allowed_hosts_list bypass_mode bypass_entries_dns enable_fproxy fproxy_list enable_bllist_proxy if_vpn vpn_gw_ip vpn_route_check tor_trans_port onion_dns_addr t_proxy_port_tcp t_proxy_port_udp t_proxy_allow_udp add_user_entries user_entries_dns user_entries_remote enable_logging bllist_min_entries bllist_module bllist_preset bllist_ip_limit bllist_summarize_ip bllist_summarize_cidr bllist_ip_filter bllist_ip_filter_type bllist_sd_limit bllist_fqdn_filter bllist_fqdn_filter_type bllist_enable_idn bllist_alt_nslookup bllist_alt_dns_addr update_at_startup enable_tmp_downloads"
+UCI_VARS="dnsmasq_cfg_dir proxy_mode proxy_local_clients nftset_clear_sets allowed_hosts_mode allowed_hosts_list bypass_mode bypass_entries_dns enable_fproxy fproxy_list enable_bllist_proxy if_vpn vpn_gw_ip vpn_route_check tor_trans_port onion_dns_addr t_proxy_type t_proxy_port_tcp t_proxy_port_udp t_proxy_allow_udp enable_logging bllist_min_entries bllist_module bllist_preset bllist_ip_limit bllist_summarize_ip bllist_summarize_cidr bllist_ip_filter bllist_ip_filter_type bllist_sd_limit bllist_fqdn_filter bllist_fqdn_filter_type bllist_enable_idn bllist_alt_nslookup bllist_alt_dns_addr update_at_startup enable_tmp_downloads"
UCI_CMD=`which uci`
if [ $? -ne 0 ]; then
echo " Error! UCI doesn't exists" >&2
diff --git a/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances b/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances
new file mode 100644
index 0000000..6f8ed91
--- /dev/null
+++ b/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances
@@ -0,0 +1,54 @@
+UCI_VARS="u_enabled u_proxy_mode u_tor_trans_port u_onion_dns_addr u_if_vpn u_vpn_gw_ip u_t_proxy_type u_t_proxy_port_tcp u_t_proxy_port_udp u_t_proxy_allow_udp u_entries_dns u_entries_remote u_enable_entries_remote_proxy u_enable_fproxy u_fproxy_list u_skip_marked_packets"
+UCI_CMD=`which uci`
+if [ $? -ne 0 ]; then
+ echo " Error! UCI doesn't exists" >&2
+ exit 1
+fi
+AWK_CMD="awk"
+
+ListUserInstances() {
+ $UCI_CMD export "$NAME" | $AWK_CMD -v TYPE="user_instance" '
+ BEGIN {
+ instances="";
+ }
+ {
+ if($0 ~ "config "TYPE) {
+ gsub(/["\047]/, "", $3);
+ instances=instances (length(instances) > 0 ? "\n" : "") $3;
+ };
+ }
+ END {
+ print instances;
+ }'
+}
+
+IncludeUserInstanceVars() {
+ local _inst="$1"
+ local _uci_section="${NAME}.${_inst}"
+ U_NAME="$_inst"
+ eval `$UCI_CMD show "$_uci_section" | $AWK_CMD -F "=" -v UCI_VARS="$UCI_VARS" '
+ BEGIN {
+ split(UCI_VARS, split_array, " ");
+ for(i in split_array)
+ vars_array[split_array[i]]="";
+ }
+ {
+ sub(/^.*[.]/, "", $1);
+ gsub(/["\047]/, "", $2);
+ if($1 in vars_array) {
+ print toupper($1) "=\"" $2 "\"";
+ delete vars_array[$1];
+ };
+ }
+ END {
+ if(length(vars_array) > 0) {
+ for(i in vars_array)
+ print toupper(i) "=\"""\"";
+ };
+ }'`
+
+ if [ $DEBUG -ge 2 ]; then
+ echo " user_instances_config_script.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}" >&2
+ MakeLogRecord "debug" "user_instances_config_script.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}"
+ fi
+}
diff --git a/ruantiblock/files/usr/share/ruantiblock/info_output b/ruantiblock/files/usr/share/ruantiblock/info_output
index 68aa49d..50c77d9 100644
--- a/ruantiblock/files/usr/share/ruantiblock/info_output
+++ b/ruantiblock/files/usr/share/ruantiblock/info_output
@@ -1,5 +1,5 @@
Info() {
- local _update_status _user_entries_status
+ local _update_status _user_entries_status _inst
if [ -f "$UPDATE_STATUS_FILE" ]; then
_update_status=`$AWK_CMD '{
if(NF < 4) {
@@ -33,29 +33,30 @@ Info() {
else
_user_entries_status="[]"
fi
- NftListBllistChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
- BEGIN {
- rules_str = "";
- }
- {
- rules_str = rules_str $0;
- }
+ NftListSinkChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
END {
if(NR == 0) {
printf "{\"status\": \"disabled\"}";
exit 1;
} else {
- printf "{\"status\":\"enabled\",\"last_blacklist_update\":%s,\"user_entries\":%s,\"rules\":%s", UPDATE_STATUS, USER_ENTRIES_STATUS, rules_str;
+ printf "{\"status\": \"enabled\",\"last_blacklist_update\": %s,\"user_entries\" :%s,\"sink\": %s", UPDATE_STATUS, USER_ENTRIES_STATUS, $0;
exit 0;
};
}'
if [ $? -eq 0 ]; then
+ if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
+ printf ",\"sink_local\":"
+ NftListSinkLocalChainJson 2> /dev/null
+ fi
printf ",\"dnsmasq\":"
$NFT_CMD -j list set $NFT_TABLE "$NFTSET_DNSMASQ" 2> /dev/null
- if [ "$BYPASS_MODE" = "1" ]; then
- printf ",\"dnsmasq_bypass\":"
- $NFT_CMD -j list set $NFT_TABLE "$NFTSET_BYPASS_FQDN" 2> /dev/null
- fi
+ printf ",\"dnsmasq_user_instances\":["
+ for _inst in $USER_INSTANCES_ALL
+ do
+ $NFT_CMD -j list set $NFT_TABLE "${NFTSET_DNSMASQ}-${_inst}" 2> /dev/null
+ printf ","
+ done
+ printf "{\"dummy\": {}}]"
printf "}"
fi
}
diff --git a/ruantiblock/files/usr/share/ruantiblock/nft_functions b/ruantiblock/files/usr/share/ruantiblock/nft_functions
index 2659820..8c48b7c 100644
--- a/ruantiblock/files/usr/share/ruantiblock/nft_functions
+++ b/ruantiblock/files/usr/share/ruantiblock/nft_functions
@@ -2,35 +2,26 @@ NFT_ALLOWED_HOSTS_CHAIN="allowed_hosts"
NFT_BLLIST_CHAIN="blacklist"
NFT_FPROXY_FILTER="fproxy_filter"
NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN="dnsmasq_timeout_update"
-NFT_ACTION_CHAIN="action"
+NFT_MARK_CHAIN="mark_chain"
NFT_LOCAL_CLIENTS_CHAIN="local_clients"
-
-if [ "$PROXY_MODE" = "2" ]; then
- MAIN_CHAIN_TYPE="type filter hook prerouting priority ${NFT_PRIO_ROUTE}; policy accept;"
- LOCAL_CLIENTS_CHAIN_TYPE="type route hook output priority ${NFT_PRIO_ROUTE_LOCAL}; policy accept;"
-else
- MAIN_CHAIN_TYPE="type nat hook prerouting priority ${NFT_PRIO_NAT}; policy accept;"
- LOCAL_CLIENTS_CHAIN_TYPE="type nat hook output priority ${NFT_PRIO_NAT_LOCAL}; policy accept;"
-fi
+NFT_SINK_CHAIN="sink"
+NFT_SINK_LOCAL_CHAIN="sink_local"
+NFT_ACTION_FILTER_CHAIN="action_filter"
+NFT_ACTION_NAT_CHAIN="action_nat"
+NFT_ACTION_NAT_LOCAL_CHAIN="action_nat_local"
case "$ALLOWED_HOSTS_MODE" in
"1")
- NFT_ALLOWED_HOSTS_EXPR="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}"
+ NFT_ALLOWED_HOSTS_PATTERN="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s"
;;
"2")
- NFT_ALLOWED_HOSTS_EXPR="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}"
+ NFT_ALLOWED_HOSTS_PATTERN="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s"
;;
*)
- NFT_ALLOWED_HOSTS_EXPR="jump ${NFT_BLLIST_CHAIN}"
+ NFT_ALLOWED_HOSTS_PATTERN="jump ${NFT_BLLIST_CHAIN}%s"
;;
esac
-if [ "$NFTSET_DNSMASQ_TIMEOUT_UPDATE" = "1" ]; then
- NFT_DNSMASQ_RULE_TARGET="$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
-else
- NFT_DNSMASQ_RULE_TARGET="$NFT_ACTION_CHAIN"
-fi
-
NftCmdWrapper() {
local _i=0 _attempts=10 _return_code=1
while [ $_i -lt $_attempts ]
@@ -44,105 +35,247 @@ NftCmdWrapper() {
return $_return_code
}
-NftVpnRouteDelete() {
- $IP_CMD route flush table $VPN_ROUTE_TABLE_ID
- $IP_CMD rule del table $VPN_ROUTE_TABLE_ID
+NftRouteDelete() {
+ local _route_table_id=$1
+ $IP_CMD route flush table $_route_table_id
+ $IP_CMD rule del table $_route_table_id
}
-NftVpnRouteAdd() {
- local _vpn_ip
- if [ -n "$VPN_GW_IP" ]; then
- _vpn_ip="$VPN_GW_IP"
+NftRouteAdd() {
+ local _vpn_ip _type="$1" _route_table_id=$2 _pkts_mark=$3 _if_vpn="$4" _vpn_gw_ip="$5"
+ if [ "$_type" = "lo" ]; then
+ echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
+ $IP_CMD rule add fwmark $_pkts_mark table $_route_table_id priority $LO_RULE_PRIO
+ $IP_CMD route add local default dev lo table $_route_table_id
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${LO_RULE_PRIO}" >&2
+ MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${LO_RULE_PRIO}"
+ echo " nft_functions.NftRouteAdd: ${IP_CMD} route add local default dev lo table ${_route_table_id}" >&2
+ MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} route add local default dev lo table ${_route_table_id}"
+ fi
else
- _vpn_ip=`$IP_CMD addr list dev $IF_VPN 2> /dev/null | $AWK_CMD '/inet/{f=($3 == "peer") ? 4 : 2; sub("/[0-9]{1,2}$", "", $f); print $f; exit}'`
- fi
- if [ -n "$_vpn_ip" ]; then
- echo 0 > /proc/sys/net/ipv4/conf/$IF_VPN/rp_filter
- NftVpnRouteDelete 2> /dev/null
- $IP_CMD rule add fwmark $VPN_PKTS_MARK table $VPN_ROUTE_TABLE_ID priority $VPN_RULE_PRIO
- $IP_CMD route add default via $_vpn_ip table $VPN_ROUTE_TABLE_ID
+ if [ -n "$_vpn_gw_ip" ]; then
+ _vpn_ip="$_vpn_gw_ip"
+ else
+ _vpn_ip=`$IP_CMD addr list dev $_if_vpn 2> /dev/null | $AWK_CMD '/inet/{f=($3 == "peer") ? 4 : 2; sub("/[0-9]{1,2}$", "", $f); print $f; exit}'`
+ fi
+ if [ -n "$_vpn_ip" -a "$_type" = "vpn" ]; then
+ echo 0 > /proc/sys/net/ipv4/conf/$_if_vpn/rp_filter
+ NftRouteDelete $_route_table_id 2> /dev/null
+ $IP_CMD rule add fwmark $_pkts_mark table $_route_table_id priority $VPN_RULE_PRIO
+ $IP_CMD route add default via $_vpn_ip table $_route_table_id
+ if [ $? -ne 0 ]; then
+ echo " Error! An error occurred while adding the route. Routing table id=${_route_table_id}, VPN gateway IP=${_vpn_ip}" >&2
+ MakeLogRecord "err" "Error! An error occurred while adding the route. Routing table id=${_route_table_id}, VPN gateway IP=${_vpn_ip}"
+ fi
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${VPN_RULE_PRIO}" >&2
+ MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${VPN_RULE_PRIO}"
+ echo " nft_functions.NftRouteAdd: ${IP_CMD} route add default via ${_vpn_ip} table ${_route_table_id}" >&2
+ MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} route add default via ${_vpn_ip} table ${_route_table_id}"
+ fi
+ fi
fi
}
-NftVpnRouteStatus() {
- [ -n "`$IP_CMD route show table $VPN_ROUTE_TABLE_ID 2> /dev/null`" ] && return 0
+NftRouteStatus() {
+ local _route_table_id=$1
+ [ -n "`$IP_CMD route show table $_route_table_id 2> /dev/null`" ] && return 0
return 1
}
-NftMainAdd() {
- local _set
- $NFT_CMD add chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" { $LOCAL_CLIENTS_CHAIN_TYPE }
- $NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_CHAIN"
- $NFT_CMD add chain $NFT_TABLE "$NFT_FPROXY_FILTER"
- $NFT_CMD add chain $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
- $NFT_CMD add chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
- $NFT_CMD add chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" { $MAIN_CHAIN_TYPE }
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE $NFT_FPROXY_FILTER ip daddr "@${NFTSET_FPROXY_PRIVATE}" return
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_FILTER" jump "$NFT_ACTION_CHAIN"
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN" ct state new set update ip daddr "@${NFTSET_DNSMASQ}"
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN" jump "$NFT_ACTION_CHAIN"
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" $NFT_ALLOWED_HOSTS_EXPR
- if [ "$PROXY_MODE" = "2" ]; then
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" mark set $VPN_PKTS_MARK
- elif [ "$PROXY_MODE" = "3" ]; then
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" tcp dport { 0-65535 } redirect to $T_PROXY_PORT_TCP
- if [ "$T_PROXY_ALLOW_UDP" = "1" ]; then
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" udp dport { 0-65535 } redirect to $T_PROXY_PORT_UDP
- fi
+NftAddSinkChains() {
+ local _chain_prio_sink=$1
+ $NFT_CMD add chain $NFT_TABLE "${NFT_SINK_CHAIN}" { type filter hook prerouting priority ${_chain_prio_sink}\; policy accept\; }
+ $NFT_CMD add chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" { type route hook output priority ${_chain_prio_sink}\; policy accept\; }
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta iif lo return
+}
+
+NftDeleteSinkChains() {
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_CHAIN}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}"
+}
+
+NftAddActionChains() {
+ local _chain_prio_action=$1
+ $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" { type filter hook prerouting priority ${_chain_prio_action}\; policy accept\; }
+ $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" { type nat hook prerouting priority ${_chain_prio_action}\; policy accept\; }
+ $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" { type nat hook output priority ${_chain_prio_action}\; policy accept\; }
+}
+
+NftDeleteActionChains() {
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}"
+}
+
+NftInstanceAdd() {
+ local _i _inst _first_chain_type _t_proxy_statement _chain_action_type _set
+
+ for _i in "_name" "_pkts_mark" "_chain_prio_first" "_chain_prio_local" "_proxy_mode" "_tor_trans_port" "_route_table_id" "_if_vpn" "_t_proxy_type" "_t_proxy_port_tcp" "_t_proxy_port_udp" "_t_proxy_allow_udp" "_enable_bllist_proxy" "_enable_fproxy" "_skip_marked_packets" "_vpn_gw_ip"
+ do
+ eval "local $_i=$1"
+ shift
+ done
+
+ _inst="$_name"
+ if [ "$_name" = " " ]; then
+ _name=""
else
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" tcp dport { 0-65535 } redirect to $TOR_TRANS_PORT
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_ONION}" counter goto "$NFT_ACTION_CHAIN"
+ _name="-${_name}"
fi
- if [ "$ENABLE_FPROXY" = "1" ]; then
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip saddr "@${NFTSET_FPROXY}" counter goto "$NFT_FPROXY_FILTER"
+
+ if [ $DEBUG -ge 1 ]; then
+ echo " nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}" >&2
+ MakeLogRecord "debug" "nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}"
fi
+
+ if [ "$NFTSET_DNSMASQ_TIMEOUT_UPDATE" = "1" ]; then
+ _nft_dnsmasq_rule_target="${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
+ else
+ _nft_dnsmasq_rule_target="${NFT_MARK_CHAIN}${_name}"
+ fi
+
+ $NFT_CMD add chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" { type route hook output priority ${_chain_prio_local}\; policy accept\; }
+ $NFT_CMD add chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}"
+ $NFT_CMD add chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}"
+ $NFT_CMD add chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
+ $NFT_CMD add chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
+ $NFT_CMD add chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" { type filter hook prerouting priority ${_chain_prio_first}\; policy accept\; }
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" ip daddr "@${NFTSET_FPROXY_PRIVATE}" return
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" jump "${NFT_MARK_CHAIN}${_name}"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" ct state new set update ip daddr "@${NFTSET_DNSMASQ}${_name}"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" jump "${NFT_MARK_CHAIN}${_name}"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" "`printf "$NFT_ALLOWED_HOSTS_PATTERN" "$_name"`"
+
+ if [ "$_proxy_mode" = "2" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\"
+ elif [ "$_proxy_mode" = "3" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+ if [ "$_t_proxy_type" = "1" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto tcp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
+ if [ "$_t_proxy_allow_udp" = "1" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto udp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_udp}" comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+ fi
+ else
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
+ if [ "$_t_proxy_allow_udp" = "1" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+ fi
+ fi
+ elif [ "$_proxy_mode" != "2" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+ fi
+
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_MARK_CHAIN}${_name}" mark set $_pkts_mark
+ if [ "$_proxy_mode" != "2" -a "$_proxy_mode" != "3" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_ONION}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}"
+ fi
+ if [ "$_skip_marked_packets" = "1" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" meta mark "@${NFTSET_MARK_SET}" return
+ fi
+ if [ "$_enable_fproxy" = "1" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip saddr "@${NFTSET_FPROXY}${_name}" goto "${NFT_FPROXY_FILTER}${_name}"
+ fi
+
if [ "$BYPASS_MODE" = "1" ]; then
for _set in "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN"
do
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter accept
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" accept
done
fi
- for _set in "$NFTSET_CIDR" "$NFTSET_IP"
+
+ for _set in "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}"
do
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter goto "$NFT_ACTION_CHAIN"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" counter goto "${NFT_MARK_CHAIN}${_name}"
done
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_DNSMASQ}" counter goto "$NFT_DNSMASQ_RULE_TARGET"
- if [ "$PROXY_MODE" = "2" ]; then
- NftVpnRouteAdd
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_DNSMASQ}${_name}" counter goto "$_nft_dnsmasq_rule_target"
+
+ if [ "$_proxy_mode" = "2" ]; then
+ NftRouteAdd vpn $_route_table_id $_pkts_mark "$_if_vpn" "$_vpn_gw_ip"
+ elif [ "$_proxy_mode" = "3" -a "$_t_proxy_type" = "1" ]; then
+ NftRouteAdd lo $_route_table_id $_pkts_mark
fi
- if [ "$ENABLE_BLLIST_PROXY" = "1" ]; then
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" ip daddr "@${NFTSET_BLLIST_PROXY}" counter goto "$NFT_ACTION_CHAIN"
+
+ if [ "$_enable_bllist_proxy" = "1" ]; then
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" ip daddr "@${NFTSET_BLLIST_PROXY}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}"
fi
if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
- NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" jump "$NFT_BLLIST_CHAIN"
+ NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" jump "${NFT_BLLIST_CHAIN}${_name}"
fi
}
-NftMainDelete() {
- $NFT_CMD flush chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN"
- $NFT_CMD delete chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN"
- $NFT_CMD flush chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN"
- $NFT_CMD delete chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN"
- $NFT_CMD flush chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
- $NFT_CMD delete chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
- $NFT_CMD flush chain $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
- $NFT_CMD delete chain $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
- $NFT_CMD flush chain $NFT_TABLE "$NFT_FPROXY_FILTER"
- $NFT_CMD delete chain $NFT_TABLE "$NFT_FPROXY_FILTER"
- $NFT_CMD flush chain $NFT_TABLE "$NFT_ACTION_CHAIN"
- $NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_CHAIN"
- NftVpnRouteDelete 2> /dev/null
+NftInstanceDelete() {
+ local _name="$1"
+ if [ -z "$_name" -o "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}"
+ $NFT_CMD delete chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}"
}
NftListBllistChain() {
- $NFT_CMD -t list chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
+ local _name="$1"
+ if [ -z "$_name" -o "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ $NFT_CMD -t list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
}
NftListBllistChainJson() {
- $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
+ local _name="$1"
+ if [ -z "$_name" -o "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ $NFT_CMD -t -j list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
}
-NftReturnStatus() {
- $NFT_CMD -c add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" continue &> /dev/null
+NftListSinkChain() {
+ $NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_CHAIN"
+}
+
+NftListSinkChainJson() {
+ $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_CHAIN"
+}
+
+NftListSinkLocalChain() {
+ $NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN"
+}
+
+NftListSinkLocalChainJson() {
+ $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN"
+}
+
+NftReturnInstanceStatus() {
+ local _name="$1"
+ if [ -z "$_name" -o "$_name" = " " ]; then
+ _name=""
+ else
+ _name="-${_name}"
+ fi
+ $NFT_CMD -c add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" continue &> /dev/null
return $?
}
diff --git a/ruantiblock/files/usr/share/ruantiblock/user_instances_common b/ruantiblock/files/usr/share/ruantiblock/user_instances_common
new file mode 100644
index 0000000..8882386
--- /dev/null
+++ b/ruantiblock/files/usr/share/ruantiblock/user_instances_common
@@ -0,0 +1,75 @@
+
+if [ $USER_INSTANCES_MAX -gt 50 ]; then
+ USER_INSTANCES_MAX=50
+fi
+
+IncludeUserInstanceVars() {
+ local _inst="$1"
+ . "${USER_INSTANCES_DIR}/${_inst}"
+
+ if [ $DEBUG -ge 2 ]; then
+ echo " user_instances_common.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}" >&2
+ MakeLogRecord "debug" "user_instances_common.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}"
+ fi
+}
+
+ClearUserInstanceVars() {
+ unset $USER_INSTANCE_VARS
+}
+
+ListUserInstances() {
+ ls -1 "$USER_INSTANCES_DIR"
+}
+
+[ -f "$CONFIG_SCRIPT_USER_INSTANCES" ] && . "$CONFIG_SCRIPT_USER_INSTANCES"
+
+GetUserInstances() {
+ local _type="$1" _fnames="$2" _i=0 _inst _instances=""
+ for _inst in `ListUserInstances`
+ do
+ IncludeUserInstanceVars "$_inst"
+ if [ $_i -lt $USER_INSTANCES_MAX -a -n "$U_NAME" -a "$U_ENABLED" != "0" ]; then
+ if [ "$_type" = "0" -o "$U_PROXY_MODE" = "$_type" ]; then
+ if [ "$_fnames" = "fnames" ]; then
+ _instances="${_instances}${_inst} "
+ else
+ _instances="${_instances}${U_NAME} "
+ fi
+ fi
+ _i=$(($_i + 1))
+ fi
+ ClearUserInstanceVars
+ done
+ printf "$_instances"
+}
+
+SetUserInstancesItems() {
+ local _i=0 _inst _instances_all="" _instances_all_fnames="" _instances_vpn="" _instances_vpn_fnames="" _instances_cfg="" _instances_cfg_fnames=""
+ for _inst in `ListUserInstances`
+ do
+ IncludeUserInstanceVars "$_inst"
+ if [ $_i -lt $USER_INSTANCES_MAX -a -n "$U_NAME" -a "$U_ENABLED" != "0" ]; then
+ _instances_all="${_instances_all}${U_NAME} "
+ _instances_all_fnames="${_instances_all_fnames}${_inst} "
+ if [ "$U_PROXY_MODE" = "2" ]; then
+ _instances_vpn="${_instances_vpn}${U_NAME} "
+ _instances_vpn_fnames="${_instances_vpn_fnames}${_inst} "
+ fi
+ _i=$(($_i + 1))
+ fi
+ _instances_cfg="${_instances_cfg}${U_NAME} "
+ _instances_cfg_fnames="${_instances_cfg_fnames}${_inst} "
+ ClearUserInstanceVars
+ done
+ USER_INSTANCES_ALL="$_instances_all"
+ USER_INSTANCES_ALL_FNAMES="$_instances_all_fnames"
+ USER_INSTANCES_VPN="$_instances_vpn"
+ USER_INSTANCES_VPN_FNAMES="$_instances_vpn_fnames"
+ USER_INSTANCES_CFG="$_instances_cfg"
+ USER_INSTANCES_CFG_FNAMES="$_instances_cfg_fnames"
+
+ if [ $DEBUG -ge 2 ]; then
+ echo " user_instances_common.SetUserInstancesItems: USER_INSTANCES_ALL=\"${USER_INSTANCES_ALL}\"; USER_INSTANCES_ALL_FNAMES=\"${USER_INSTANCES_ALL_FNAMES}\"; USER_INSTANCES_VPN=\"${USER_INSTANCES_VPN}\"; USER_INSTANCES_VPN_FNAMES=\"${USER_INSTANCES_VPN_FNAMES}\"" >&2
+ MakeLogRecord "debug" "user_instances_common.SetUserInstancesItems: USER_INSTANCES_ALL=\"${USER_INSTANCES_ALL}\"; USER_INSTANCES_ALL_FNAMES=\"${USER_INSTANCES_ALL_FNAMES}\"; USER_INSTANCES_VPN=\"${USER_INSTANCES_VPN}\"; USER_INSTANCES_VPN_FNAMES=\"${USER_INSTANCES_VPN_FNAMES}\""
+ fi
+}
diff --git a/screenshots/01.jpg b/screenshots/01.jpg
index 2db737d..ea26518 100644
Binary files a/screenshots/01.jpg and b/screenshots/01.jpg differ
diff --git a/screenshots/02.jpg b/screenshots/02.jpg
index f21638c..85c738e 100644
Binary files a/screenshots/02.jpg and b/screenshots/02.jpg differ
diff --git a/screenshots/03.jpg b/screenshots/03.jpg
index 9f3528a..d86bf08 100644
Binary files a/screenshots/03.jpg and b/screenshots/03.jpg differ
diff --git a/screenshots/04.jpg b/screenshots/04.jpg
index d7e2bc6..d00ed54 100644
Binary files a/screenshots/04.jpg and b/screenshots/04.jpg differ
diff --git a/screenshots/05.jpg b/screenshots/05.jpg
index 7ba9e8f..06bf40a 100644
Binary files a/screenshots/05.jpg and b/screenshots/05.jpg differ
diff --git a/screenshots/06.jpg b/screenshots/06.jpg
index dbba3e2..7ba9e8f 100644
Binary files a/screenshots/06.jpg and b/screenshots/06.jpg differ
diff --git a/screenshots/07.jpg b/screenshots/07.jpg
new file mode 100644
index 0000000..385008e
Binary files /dev/null and b/screenshots/07.jpg differ
|