v2.0. Multi proxy for user entries. TProxy support.

2026-05-13 22:20:59 +00:00 · 2024-11-03 02:20:45 +03:00
parent 8184a68fe8
commit 06219e9328
42 changed files with 2185 additions and 764 deletions
@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=ruantiblock
-PKG_VERSION:=1.6.0
+PKG_VERSION:=2.0.0
 PKG_RELEASE:=1
 PKG_MAINTAINER:=gSpot <https://github.com/gSpotx2f/ruantiblock_openwrt>

@@ -17,7 +17,7 @@ define Package/$(PKG_NAME)
  TITLE:=Ruantiblock
  URL:=https://github.com/gSpotx2f/ruantiblock_openwrt
  PKGARCH:=all
-  DEPENDS:=+dnsmasq-full
+  DEPENDS:=+dnsmasq-full +kmod-nft-tproxy
 endef

 define Package/$(PKG_NAME)/description
@@ -28,10 +28,14 @@ define Package/$(PKG_NAME)/conffiles
 /etc/ruantiblock/ruantiblock.conf
 /etc/ruantiblock/fqdn_filter
 /etc/ruantiblock/ip_filter
-/etc/ruantiblock/user_entries
 /etc/ruantiblock/bypass_entries
 /etc/ruantiblock/gr_excluded_nets
 /etc/ruantiblock/gr_excluded_sld
+/etc/ruantiblock/user_lists/list1
+/etc/ruantiblock/user_lists/list2
+/etc/ruantiblock/user_lists/list3
+/etc/ruantiblock/user_lists/list4
+/etc/ruantiblock/user_lists/list5
 endef

 define Build/Configure
@@ -51,15 +55,22 @@ define Package/$(PKG_NAME)/install
 	$(INSTALL_CONF) ./files/etc/ruantiblock/ruantiblock.conf $(1)/etc/ruantiblock/ruantiblock.conf
 	$(INSTALL_DATA) ./files/etc/ruantiblock/fqdn_filter $(1)/etc/ruantiblock/fqdn_filter
 	$(INSTALL_DATA) ./files/etc/ruantiblock/ip_filter $(1)/etc/ruantiblock/ip_filter
-	$(INSTALL_DATA) ./files/etc/ruantiblock/user_entries $(1)/etc/ruantiblock/user_entries
 	$(INSTALL_DATA) ./files/etc/ruantiblock/bypass_entries $(1)/etc/ruantiblock/bypass_entries
 	$(INSTALL_DATA) ./files/etc/ruantiblock/gr_excluded_nets $(1)/etc/ruantiblock/gr_excluded_nets
 	$(INSTALL_DATA) ./files/etc/ruantiblock/gr_excluded_sld $(1)/etc/ruantiblock/gr_excluded_sld
+	$(INSTALL_DIR) $(1)/etc/ruantiblock/user_lists
+	$(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list1 $(1)/etc/ruantiblock/user_lists/list1
+	$(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list2 $(1)/etc/ruantiblock/user_lists/list2
+	$(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list3 $(1)/etc/ruantiblock/user_lists/list3
+	$(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list4 $(1)/etc/ruantiblock/user_lists/list4
+	$(INSTALL_DATA) ./files/etc/ruantiblock/user_lists/list5 $(1)/etc/ruantiblock/user_lists/list5
 	$(INSTALL_DIR) $(1)/usr/share/ruantiblock
+	$(INSTALL_DATA) ./files/usr/share/ruantiblock/blacklist_sources $(1)/usr/share/ruantiblock/blacklist_sources
 	$(INSTALL_DATA) ./files/usr/share/ruantiblock/config_script $(1)/usr/share/ruantiblock/config_script
+	$(INSTALL_DATA) ./files/usr/share/ruantiblock/config_script_user_instances $(1)/usr/share/ruantiblock/config_script_user_instances
 	$(INSTALL_DATA) ./files/usr/share/ruantiblock/info_output $(1)/usr/share/ruantiblock/info_output
 	$(INSTALL_DATA) ./files/usr/share/ruantiblock/nft_functions $(1)/usr/share/ruantiblock/nft_functions
-	$(INSTALL_DATA) ./files/usr/share/ruantiblock/blacklist_sources $(1)/usr/share/ruantiblock/blacklist_sources
+	$(INSTALL_DATA) ./files/usr/share/ruantiblock/user_instances_common $(1)/usr/share/ruantiblock/user_instances_common
 	$(INSTALL_DIR) $(1)/usr/libexec/ruantiblock
 	$(INSTALL_BIN) ./files/usr/libexec/ruantiblock/ruab_route_check $(1)/usr/libexec/ruantiblock/ruab_route_check
 	$(INSTALL_DIR) $(1)/usr/bin
@@ -82,14 +93,16 @@ define Package/$(PKG_NAME)/prerm
 FILE_INIT_SCRIPT="/etc/init.d/ruantiblock"
 FILE_MAIN_SCRIPT="/usr/bin/ruantiblock"
 CRONTAB_FILE="/etc/crontabs/root"
-DNSMASQ_DATA_FILE="/tmp/dnsmasq.d/02-ruantiblock.dnsmasq"
+DNSMASQ_DATA_FILE_BYPASS="/tmp/dnsmasq*.d/00-ruantiblock_bypass.dnsmasq"
+DNSMASQ_DATA_FILE_USER_INSTANCES="/tmp/dnsmasq*.d/01-ruantiblock_user_instances.dnsmasq"
+DNSMASQ_DATA_FILE="/tmp/dnsmasq*.d/02-ruantiblock.dnsmasq"
+DNSMASQ_DATA_FILE_BYPASS_TMP="${DNSMASQ_DATA_FILE_BYPASS}.tmp"
+DNSMASQ_DATA_FILE_USER_INSTANCES_TMP="${DNSMASQ_DATA_FILE_USER_INSTANCES}.tmp"
 DNSMASQ_DATA_FILE_TMP="${DNSMASQ_DATA_FILE}.tmp"
-DNSMASQ_DATA_FILE_BYPASS="/tmp/dnsmasq.d/01-ruantiblock_bypass.dnsmasq"

-rm -f $$DNSMASQ_DATA_FILE $$DNSMASQ_DATA_FILE_TMP $$DNSMASQ_DATA_FILE_BYPASS
 test -e "$$FILE_MAIN_SCRIPT" && $$FILE_MAIN_SCRIPT destroy
-
 test -e "$$FILE_INIT_SCRIPT" && $$FILE_INIT_SCRIPT disable
+rm -f $$DNSMASQ_DATA_FILE $$DNSMASQ_DATA_FILE_TMP $$DNSMASQ_DATA_FILE_BYPASS $$DNSMASQ_DATA_FILE_BYPASS_TMP $$DNSMASQ_DATA_FILE_USER_INSTANCES $$DNSMASQ_DATA_FILE_USER_INSTANCES_TMP

 awk -v FILE_MAIN_SCRIPT="$$FILE_MAIN_SCRIPT" '$$0 !~ FILE_MAIN_SCRIPT {
 	print $$0;
@@ -11,13 +11,13 @@ config main 'config'
 	option vpn_route_check '0'
 	option tor_trans_port '9040'
 	option onion_dns_addr '127.0.0.1#9053'
+	option t_proxy_type '0'
 	option t_proxy_port_tcp '1100'
 	option t_proxy_port_udp '1100'
 	option t_proxy_allow_udp '0'
 	option bypass_mode '0'
 	option enable_bllist_proxy '0'
 	option enable_tmp_downloads '0'
-	option add_user_entries '0'
 	option bllist_min_entries '3000'
 	option bllist_ip_limit '0'
 	option bllist_summarize_ip '1'
@@ -30,3 +30,78 @@ config main 'config'
 	option bllist_enable_idn '0'
 	option bllist_alt_nslookup '0'
 	option bllist_alt_dns_addr '8.8.8.8'
+
+config user_instance 'list1'
+	option u_enabled '0'
+	option u_proxy_mode '2'
+	option u_tor_trans_port '9040'
+	option u_onion_dns_addr '127.0.0.1#9053'
+	option u_if_vpn 'tun0'
+	option u_t_proxy_type '0'
+	option u_t_proxy_port_tcp '1100'
+	option u_t_proxy_port_udp '1100'
+	option u_t_proxy_allow_udp '0'
+	option u_enable_entries_remote_proxy '0'
+	option u_entries_dns ''
+	option u_enable_fproxy '0'
+	option u_skip_marked_packets '0'
+
+config user_instance 'list2'
+	option u_enabled '0'
+	option u_proxy_mode '2'
+	option u_tor_trans_port '9040'
+	option u_onion_dns_addr '127.0.0.1#9053'
+	option u_if_vpn 'tun0'
+	option u_t_proxy_type '0'
+	option u_t_proxy_port_tcp '1100'
+	option u_t_proxy_port_udp '1100'
+	option u_t_proxy_allow_udp '0'
+	option u_enable_entries_remote_proxy '0'
+	option u_entries_dns ''
+	option u_enable_fproxy '0'
+	option u_skip_marked_packets '0'
+
+config user_instance 'list3'
+	option u_enabled '0'
+	option u_proxy_mode '2'
+	option u_tor_trans_port '9040'
+	option u_onion_dns_addr '127.0.0.1#9053'
+	option u_if_vpn 'tun0'
+	option u_t_proxy_type '0'
+	option u_t_proxy_port_tcp '1100'
+	option u_t_proxy_port_udp '1100'
+	option u_t_proxy_allow_udp '0'
+	option u_enable_entries_remote_proxy '0'
+	option u_entries_dns ''
+	option u_enable_fproxy '0'
+	option u_skip_marked_packets '0'
+
+config user_instance 'list4'
+	option u_enabled '0'
+	option u_proxy_mode '2'
+	option u_tor_trans_port '9040'
+	option u_onion_dns_addr '127.0.0.1#9053'
+	option u_if_vpn 'tun0'
+	option u_t_proxy_type '0'
+	option u_t_proxy_port_tcp '1100'
+	option u_t_proxy_port_udp '1100'
+	option u_t_proxy_allow_udp '0'
+	option u_enable_entries_remote_proxy '0'
+	option u_entries_dns ''
+	option u_enable_fproxy '0'
+	option u_skip_marked_packets '0'
+
+config user_instance 'list5'
+	option u_enabled '0'
+	option u_proxy_mode '2'
+	option u_tor_trans_port '9040'
+	option u_onion_dns_addr '127.0.0.1#9053'
+	option u_if_vpn 'tun0'
+	option u_t_proxy_type '0'
+	option u_t_proxy_port_tcp '1100'
+	option u_t_proxy_port_udp '1100'
+	option u_t_proxy_allow_udp '0'
+	option u_enable_entries_remote_proxy '0'
+	option u_entries_dns ''
+	option u_enable_fproxy '0'
+	option u_skip_marked_packets '0'
@@ -1,20 +1,64 @@
 #!/bin/sh

-UCI_CMD=`which uci`
-if [ $? -ne 0 ]; then
-    echo " Error! UCI doesn't exists" >&2
-    exit 1
-fi
-RUAB_CMD="/usr/bin/ruantiblock"
-PROXY_MODE=`$UCI_CMD get ruantiblock.config.proxy_mode`
-IF_VPN=`$UCI_CMD get ruantiblock.config.if_vpn`
-VPN_ROUTE_CHECK=`$UCI_CMD get ruantiblock.config.vpn_route_check`
+if [ "$ACTION" = "ifup" ]; then
+    NAME="ruantiblock"
+    RUAB_CMD="/usr/bin/ruantiblock"
+    CONFIG_FILE="/etc/ruantiblock/ruantiblock.conf"
+    USER_INSTANCES_COMMON="/usr/share/ruantiblock/user_instances_common"
+    CONFIG_SCRIPT_USER_INSTANCES="/usr/share/ruantiblock/config_script_user_instances"
+    USER_INSTANCES_DIR="/etc/ruantiblock/user_instances"
+    USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS"
+    USER_INSTANCES_MAX=10
+    DEBUG=0
+    IF_VPN_CURRENT=""

-[ "$VPN_ROUTE_CHECK" != "0" ] && exit 0
+    ruab_route_status=`$RUAB_CMD raw-status`
+    [ $ruab_route_status -eq 1 -o $ruab_route_status -eq 2 ] && exit 0

-if [ "$ACTION" = "ifup" ] && [ "$PROXY_MODE" = "2" ] && [ "$DEVICE" = "$IF_VPN" ]; then
-	if [ `$RUAB_CMD raw-status` -ne 2 ]; then
-		sleep 5
-		$RUAB_CMD reload
-	fi
+    UCI_CMD=`which uci`
+    if [ $? -ne 0 ]; then
+        echo " Error! UCI doesn't exists" >&2
+        exit 1
+    fi
+
+    [ -f "$CONFIG_FILE" ] && . "$CONFIG_FILE"
+
+    VPN_ROUTE_CHECK=`$UCI_CMD get ruantiblock.config.vpn_route_check`
+    [ "$VPN_ROUTE_CHECK" != "0" ] && exit 0
+
+    PROXY_MODE=`$UCI_CMD get ruantiblock.config.proxy_mode`
+    if [ "$PROXY_MODE" = "2" ]; then
+        IF_VPN_CURRENT=`$UCI_CMD get ruantiblock.config.if_vpn`
+    fi
+
+    if [ "$DEVICE" != "$IF_VPN_CURRENT" ]; then
+
+        . "$USER_INSTANCES_COMMON"
+
+        for inst in `GetUserInstances 2`
+        do
+            IncludeUserInstanceVars "$inst"
+            if [ "$DEVICE" = "$U_IF_VPN" ]; then
+                IF_VPN_CURRENT="$U_IF_VPN"
+
+                if [ $DEBUG -ge 1 ]; then
+                    echo "  ruantiblock-vpn-iface-script: U_NAME=${U_NAME} U_IF_VPN=${U_IF_VPN}" >&2
+                    logger -p "user.debug" -t "ruantiblock-hotplug-script" "U_NAME=${U_NAME} U_IF_VPN=${U_IF_VPN}"
+                fi
+
+                break
+            fi
+            ClearUserInstanceVars
+        done
+    fi
+
+    if [ "$DEVICE" = "$IF_VPN_CURRENT" ]; then
+        if [ $DEBUG -ge 1 ]; then
+            echo "  ruantiblock-vpn-iface-script: IF_VPN_CURRENT=${IF_VPN_CURRENT} ACTION=\"${ACTION}\" DEVICE=${DEVICE} INTERFACE=${INTERFACE}" >&2
+            logger -p "user.debug" -t "ruantiblock-hotplug-script" "IF_VPN_CURRENT=${IF_VPN_CURRENT} ACTION=\"${ACTION}\" DEVICE=${DEVICE} INTERFACE=${INTERFACE}"
+        fi
+
+        sleep 5
+        $RUAB_CMD reload
+    fi
 fi
@@ -5,14 +5,40 @@ STOP=01

 APP_NAME="ruantiblock"
 APP_EXEC="/usr/bin/${APP_NAME}"
+DNSMASQ_VAR_DIR="/tmp"

 config_load $APP_NAME

+get_dnsmasq_cfg_dir() {
+	local _first_instance
+	if [ -d "${DNSMASQ_VAR_DIR}/dnsmasq.d" ]; then
+		printf "${DNSMASQ_VAR_DIR}/dnsmasq.d"
+		return 0
+	else
+		_first_instance=`ls -1 "$DNSMASQ_VAR_DIR" | grep -e "^dnsmasq" | head -n 1`
+		if [ -n "$_first_instance" ]; then
+			printf "${DNSMASQ_VAR_DIR}/${_first_instance}"
+			return 0
+		fi
+	fi
+	return 1
+}
+
 start() {
-	local update_at_startup
-	config_get update_at_startup config update_at_startup
+	local _update_at_startup _dnsmasq_cfg_dir
+	config_get _update_at_startup config update_at_startup
+	config_get _dnsmasq_cfg_dir config dnsmasq_cfg_dir ""
+	if [ -z "$_dnsmasq_cfg_dir" ]; then
+		_dnsmasq_cfg_dir=`get_dnsmasq_cfg_dir`
+		if [ $? -eq 0 -a -n "$_dnsmasq_cfg_dir" ]; then
+			uci set "${APP_NAME}.config.dnsmasq_cfg_dir"="$_dnsmasq_cfg_dir"
+			uci commit ruantiblock
+		else
+			exit 1
+		fi
+	fi
 	$APP_EXEC start
-	if [ $? -eq 0 -a "$update_at_startup" = "1" ]; then
+	if [ $? -eq 0 -a "$_update_at_startup" = "1" ]; then
 		$APP_EXEC update
 	else
 		/etc/init.d/dnsmasq restart
@@ -82,4 +82,3 @@ birds
 forex
 kraken
 zerkalo
-#lord
@@ -5,9 +5,10 @@
 DATA_DIR="/tmp/ruantiblock"
 ### Директория модулей
 MODULES_DIR="/usr/libexec/ruantiblock"
-### Дополнительный конфиг dnsmasq с FQDN записями блэклиста
-DNSMASQ_DATA_FILE="/tmp/dnsmasq.d/02-ruantiblock.dnsmasq"
-DNSMASQ_DATA_FILE_BYPASS="/tmp/dnsmasq.d/01-ruantiblock_bypass.dnsmasq"
+### Директория PID-файлов и файлов статуса
+RUN_FILES_DIR="/tmp/run"
+### Директория доп. конфигов dnsmasq
+DNSMASQ_CFG_DIR="/tmp/dnsmasq.d"
 ### Команда для перезапуска dnsmasq
 DNSMASQ_RESTART_CMD="/etc/init.d/dnsmasq restart"
 ### Директория для html-страницы статуса (не используется в OpenWrt)
@@ -31,26 +32,26 @@ ONION_DNS_ADDR="127.0.0.1#9053"
 IF_VPN="tun0"
 ### IP адрес шлюза для VPN конфигурации. Если не задан, используется адрес VPN интерфейса (или адрес пира для протоколов PPP)
 VPN_GW_IP=""
-### Метка для отбора пакетов в VPN туннель
-VPN_PKTS_MARK=8
-### Таблица маршрутизации для отправки пакетов в VPN туннель
-VPN_ROUTE_TABLE_ID=99
-### Приоритет правила отбора пакетов при маршрутизации в VPN-интерфейс
-VPN_RULE_PRIO=1000
 ### Способ добавления в таблицу маршрутизации правила для отправки пакетов в VPN туннель (0 - hotplug.d, 1 - скрипт ruab_route_check)
 VPN_ROUTE_CHECK=0
+### Тип прозрачного прокси (0 - redirect, 1 - tproxy)
+T_PROXY_TYPE=0
 ### TCP порт прокси в режиме прозрачного прокси
 T_PROXY_PORT_TCP=1100
 ### UDP порт прокси в режиме прозрачного прокси
 T_PROXY_PORT_UDP=1100
 ### Отправлять в прозрачный прокси UDP-трафик (0 - выкл, 1 - вкл)
 T_PROXY_ALLOW_UDP=0
+### Начальное значение метки для отбора пакетов в фильтрах
+PKTS_MARK_START=8
 ### Запись событий в syslog (0 - выкл, 1 - вкл)
 ENABLE_LOGGING=1
+### Вывод дополнительных сообщений в лог (0 - выкл, 1, 2)
+DEBUG=0
 ### Html-страница с инфо о текущем статусе (0 - выкл, 1 - вкл) (не используется в OpenWrt)
 ENABLE_HTML_INFO=0
 ### Максимальное кол-во элементов списка nftables
-#NFTSET_MAXELEM_CIDR=65535
+NFTSET_MAXELEM_CIDR=65535
 NFTSET_MAXELEM_IP=1000000
 NFTSET_MAXELEM_DNSMASQ=65535
 NFTSET_MAXELEM_BYPASS_IP=65535
@@ -63,29 +64,14 @@ NFTSET_POLICY_DNSMASQ="performance"
 NFTSET_DNSMASQ_TIMEOUT="150m"
 ### Динамическое обновление таймаута записей в сете $NFTSET_DNSMASQ (0 - выкл, 1 - вкл)
 NFTSET_DNSMASQ_TIMEOUT_UPDATE=1
-### Приоритет правила отбора пакетов nftables для конфигупации Tor или прозрачного прокси
-NFT_PRIO_NAT="dstnat - 10"
-### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в конфигупации Tor или прозрачного прокси
-NFT_PRIO_NAT_LOCAL="filter - 10"
-### Приоритет правила отбора пакетов nftables для VPN-конфигурации
-NFT_PRIO_ROUTE="mangle + 10"
-### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в VPN-конфигурации
-NFT_PRIO_ROUTE_LOCAL="mangle + 10"
-### Добавление в список блокировок пользовательских записей из файла $USER_ENTRIES_FILE (0 - выкл, 1 - вкл)
-###  В $CONFIG_DIR можно создать текстовый файл user_entries с записями IP, CIDR или FQDN (одна на строку). Эти записи будут добавлены в список блокировок
-###  В записях FQDN можно задать DNS-сервер для разрешения данного домена, через пробел (прим.: domain.com 8.8.8.8)
-###  Можно комментировать строки (#)
-ADD_USER_ENTRIES=0
-### DNS-сервер для пользовательских записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
-USER_ENTRIES_DNS=""
-### Файл пользовательских записей
-USER_ENTRIES_FILE="/etc/ruantiblock/user_entries"
-### URL удаленных файлов записей пользователя, через пробел (прим.: http://server.lan/files/user_entries_1 http://server.lan/files/user_entries_2)
-USER_ENTRIES_REMOTE=""
 ### Кол-во попыток скачивания удаленного файла записей пользователя (в случае неудачи)
 USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3
 ### Таймаут между попытками скачивания
 USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT=60
+### Кол-во экземпляров записей пользователя (не более 50!)
+USER_INSTANCES_MAX=5
+### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл)
+SKIP_MARKED_PACKETS=0
 ### Режим списка записей, исключаемых из обхода блокировок (0 - выкл, 1 - вкл)
 BYPASS_MODE=0
 ### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
@@ -143,7 +129,7 @@ BLLIST_SD_LIMIT=16
 BLLIST_GR_EXCLUDED_SLD_FILE="/etc/ruantiblock/gr_excluded_sld"
 ### Файл с масками SLD не подлежащими группировке при оптимизации (одна запись на строку)
 BLLIST_GR_EXCLUDED_SLD_MASKS_FILE="/etc/ruantiblock/gr_excluded_sld_mask"
-### Фильтрация записей блэклиста по шаблонам из файла ENTRIES_FILTER_FILE. Записи (FQDN) попадающие под шаблоны исключаются из кофига dnsmasq (0 - выкл, 1 - вкл)
+### Фильтрация записей блэклиста по шаблонам из файла BLLIST_FQDN_FILTER_FILE. Записи (FQDN) попадающие под шаблоны исключаются из кофига dnsmasq (0 - выкл, 1 - вкл)
 BLLIST_FQDN_FILTER=0
 ### Тип фильтра FQDN (0 - все записи, кроме совпадающих с шаблонами; 1 - только записи, совпадающие с шаблонами)
 BLLIST_FQDN_FILTER_TYPE=0
@@ -1,17 +1,69 @@
 #!/bin/sh

 PID_FILE="/var/run/`basename $0`.pid"
+APP_EXEC="/usr/bin/ruantiblock"

-VpnRouteStatus() {
-    [ -n "`$IP_CMD route show table $VPN_ROUTE_TABLE_ID 2> /dev/null`" ] && return 0
+. "$USER_INSTANCES_COMMON"
+
+VPN_IFACES_STATUS=1
+
+CheckIfaceStatus() {
+    local _iface="$1" _ret_val=0
+    if [ -z "`$IP_CMD link show dev $_iface up 2> /dev/null`" ]; then
+        _ret_val=1
+
+        if [ $DEBUG -ge 1 ]; then
+            echo "  ruab_route_check.GetVpnRouteStatus: ${_iface} disabled" >&2
+            logger -p "user.debug" -t "ruantiblock" "ruab_route_check.GetVpnRouteStatus: iface ${_iface} disabled"
+        fi
+
+    fi
+    return $_ret_val
+}
+
+VpnRouteInstanceStatus() {
+    local _vpn_route_table_id=$1
+    [ -n "`$IP_CMD route show table $_vpn_route_table_id 2> /dev/null`" ] && return 0
    return 1
 }

+GetVpnRouteStatus() {
+    local _inst _i=1 _ret_val=0
+    for _inst in $USER_INSTANCES_VPN_FNAMES
+    do
+        IncludeUserInstanceVars "$_inst"
+        if ! CheckIfaceStatus $U_IF_VPN; then
+            VPN_IFACES_STATUS=0
+        fi
+        if ! VpnRouteInstanceStatus $(($VPN_ROUTE_TABLE_ID_START + $_i)); then
+            _ret_val=1
+            break
+        fi
+        _i=$(($_i + 1))
+        ClearUserInstanceVars
+    done
+    if [ $_ret_val -eq 0 -a "$PROXY_MODE" = "2" ]; then
+        if ! CheckIfaceStatus $IF_VPN; then
+            VPN_IFACES_STATUS=0
+        fi
+        if ! VpnRouteInstanceStatus $VPN_ROUTE_TABLE_ID_START; then
+            _ret_val=1
+        fi
+    fi
+    return $_ret_val
+}
+
 Main() {
    while [ -e "$PID_FILE" ]
    do
-        if ! VpnRouteStatus; then
-            if $IP_CMD link show $IF_VPN &> /dev/null; then
+        VPN_IFACES_STATUS=1
+        if ! GetVpnRouteStatus; then
+            if [ "$VPN_IFACES_STATUS" = "1" ]; then
+
+                if [ $DEBUG -ge 1 ]; then
+                    echo "  ruab_route_check.Main: ${APP_EXEC} reload" >&2
+                    logger -p "user.debug" -t "ruantiblock" "ruab_route_check.Main: ${APP_EXEC} reload"
+                fi
                $APP_EXEC reload
            fi
        fi
@@ -6,7 +6,6 @@ export RBL_DPI_URL="https://reestr.rublacklist.net/api/v3/dpi/"
 export RBL_ENCODING=""
 ## zapret-info
 export ZI_ALL_URL="https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv"
-#export ZI_ALL_URL="https://app.assembla.com/spaces/z-i/git/source/master/dump.csv?_format=raw"
 export ZI_ENCODING="CP1251"
 ## antifilter
 export AF_IP_URL="https://antifilter.download/list/allyouneed.lst"
@@ -52,7 +51,6 @@ case "$BLLIST_PRESET" in
        export BLLIST_SOURCE="ruantiblock"
        export BLLIST_MODE="ip"
        BLLIST_MODULE="DownloadNativeBlacklist"
-        # github
        DL_IPSET_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/ip/ruantiblock.ip"
        DL_DMASK_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/ip/ruantiblock.dnsmasq"
        DL_STAT_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/ip/update_status"
@@ -61,7 +59,6 @@ case "$BLLIST_PRESET" in
        export BLLIST_SOURCE="ruantiblock"
        export BLLIST_MODE="fqdn"
        BLLIST_MODULE="DownloadNativeBlacklist"
-        # github
        DL_IPSET_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/fqdn/ruantiblock.ip"
        DL_DMASK_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/fqdn/ruantiblock.dnsmasq"
        DL_STAT_URL="https://raw.githubusercontent.com/gSpotx2f/ruantiblock_blacklist/master/blacklist-1.1/fqdn/update_status"
@@ -1,5 +1,5 @@
 UCI_SECTION="ruantiblock.config"
-UCI_VARS="proxy_mode proxy_local_clients nftset_clear_sets allowed_hosts_mode allowed_hosts_list bypass_mode bypass_entries_dns enable_fproxy fproxy_list enable_bllist_proxy if_vpn vpn_gw_ip vpn_route_check tor_trans_port onion_dns_addr t_proxy_port_tcp t_proxy_port_udp t_proxy_allow_udp add_user_entries user_entries_dns user_entries_remote enable_logging bllist_min_entries bllist_module bllist_preset bllist_ip_limit bllist_summarize_ip bllist_summarize_cidr bllist_ip_filter bllist_ip_filter_type bllist_sd_limit bllist_fqdn_filter bllist_fqdn_filter_type bllist_enable_idn bllist_alt_nslookup bllist_alt_dns_addr update_at_startup enable_tmp_downloads"
+UCI_VARS="dnsmasq_cfg_dir proxy_mode proxy_local_clients nftset_clear_sets allowed_hosts_mode allowed_hosts_list bypass_mode bypass_entries_dns enable_fproxy fproxy_list enable_bllist_proxy if_vpn vpn_gw_ip vpn_route_check tor_trans_port onion_dns_addr t_proxy_type t_proxy_port_tcp t_proxy_port_udp t_proxy_allow_udp enable_logging bllist_min_entries bllist_module bllist_preset bllist_ip_limit bllist_summarize_ip bllist_summarize_cidr bllist_ip_filter bllist_ip_filter_type bllist_sd_limit bllist_fqdn_filter bllist_fqdn_filter_type bllist_enable_idn bllist_alt_nslookup bllist_alt_dns_addr update_at_startup enable_tmp_downloads"
 UCI_CMD=`which uci`
 if [ $? -ne 0 ]; then
    echo " Error! UCI doesn't exists" >&2
@@ -0,0 +1,54 @@
+UCI_VARS="u_enabled u_proxy_mode u_tor_trans_port u_onion_dns_addr u_if_vpn u_vpn_gw_ip u_t_proxy_type u_t_proxy_port_tcp u_t_proxy_port_udp u_t_proxy_allow_udp u_entries_dns u_entries_remote u_enable_entries_remote_proxy u_enable_fproxy u_fproxy_list u_skip_marked_packets"
+UCI_CMD=`which uci`
+if [ $? -ne 0 ]; then
+    echo " Error! UCI doesn't exists" >&2
+    exit 1
+fi
+AWK_CMD="awk"
+
+ListUserInstances() {
+    $UCI_CMD export "$NAME" | $AWK_CMD -v TYPE="user_instance" '
+    BEGIN {
+        instances="";
+    }
+    {
+        if($0 ~ "config "TYPE) {
+            gsub(/["\047]/, "", $3);
+            instances=instances (length(instances) > 0 ? "\n" : "") $3;
+        };
+    }
+    END {
+        print instances;
+    }'
+}
+
+IncludeUserInstanceVars() {
+    local _inst="$1"
+    local _uci_section="${NAME}.${_inst}"
+    U_NAME="$_inst"
+    eval `$UCI_CMD show "$_uci_section" | $AWK_CMD -F "=" -v UCI_VARS="$UCI_VARS" '
+    BEGIN {
+        split(UCI_VARS, split_array, " ");
+        for(i in split_array)
+            vars_array[split_array[i]]="";
+    }
+    {
+        sub(/^.*[.]/, "", $1);
+        gsub(/["\047]/, "", $2);
+        if($1 in vars_array) {
+            print toupper($1) "=\"" $2 "\"";
+            delete vars_array[$1];
+        };
+    }
+    END {
+        if(length(vars_array) > 0) {
+            for(i in vars_array)
+                print toupper(i) "=\"""\"";
+        };
+    }'`
+
+    if [ $DEBUG -ge 2 ]; then
+        echo "  user_instances_config_script.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}" >&2
+        MakeLogRecord "debug" "user_instances_config_script.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}"
+    fi
+}
@@ -1,5 +1,5 @@
 Info() {
-    local _update_status _user_entries_status
+    local _update_status _user_entries_status _inst
    if [ -f "$UPDATE_STATUS_FILE" ]; then
        _update_status=`$AWK_CMD '{
            if(NF < 4) {
@@ -33,29 +33,30 @@ Info() {
    else
        _user_entries_status="[]"
    fi
-    NftListBllistChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
-        BEGIN {
-            rules_str = "";
-        }
-        {
-            rules_str = rules_str $0;
-        }
+    NftListSinkChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
        END {
            if(NR == 0) {
                printf "{\"status\": \"disabled\"}";
                exit 1;
            } else {
-                printf "{\"status\":\"enabled\",\"last_blacklist_update\":%s,\"user_entries\":%s,\"rules\":%s", UPDATE_STATUS, USER_ENTRIES_STATUS, rules_str;
+                printf "{\"status\": \"enabled\",\"last_blacklist_update\": %s,\"user_entries\" :%s,\"sink\": %s", UPDATE_STATUS, USER_ENTRIES_STATUS, $0;
                exit 0;
            };
        }'
    if [ $? -eq 0 ]; then
+        if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
+            printf ",\"sink_local\":"
+            NftListSinkLocalChainJson 2> /dev/null
+        fi
        printf ",\"dnsmasq\":"
        $NFT_CMD -j list set $NFT_TABLE "$NFTSET_DNSMASQ" 2> /dev/null
-        if [ "$BYPASS_MODE" = "1" ]; then
-            printf ",\"dnsmasq_bypass\":"
-            $NFT_CMD -j list set $NFT_TABLE "$NFTSET_BYPASS_FQDN" 2> /dev/null
-        fi
+        printf ",\"dnsmasq_user_instances\":["
+        for _inst in $USER_INSTANCES_ALL
+        do
+            $NFT_CMD -j list set $NFT_TABLE "${NFTSET_DNSMASQ}-${_inst}" 2> /dev/null
+            printf ","
+        done
+        printf "{\"dummy\": {}}]"
        printf "}"
    fi
 }
@@ -2,35 +2,26 @@ NFT_ALLOWED_HOSTS_CHAIN="allowed_hosts"
 NFT_BLLIST_CHAIN="blacklist"
 NFT_FPROXY_FILTER="fproxy_filter"
 NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN="dnsmasq_timeout_update"
-NFT_ACTION_CHAIN="action"
+NFT_MARK_CHAIN="mark_chain"
 NFT_LOCAL_CLIENTS_CHAIN="local_clients"
-
-if [ "$PROXY_MODE" = "2" ]; then
-    MAIN_CHAIN_TYPE="type filter hook prerouting priority ${NFT_PRIO_ROUTE}; policy accept;"
-    LOCAL_CLIENTS_CHAIN_TYPE="type route hook output priority ${NFT_PRIO_ROUTE_LOCAL}; policy accept;"
-else
-    MAIN_CHAIN_TYPE="type nat hook prerouting priority ${NFT_PRIO_NAT}; policy accept;"
-    LOCAL_CLIENTS_CHAIN_TYPE="type nat hook output priority ${NFT_PRIO_NAT_LOCAL}; policy accept;"
-fi
+NFT_SINK_CHAIN="sink"
+NFT_SINK_LOCAL_CHAIN="sink_local"
+NFT_ACTION_FILTER_CHAIN="action_filter"
+NFT_ACTION_NAT_CHAIN="action_nat"
+NFT_ACTION_NAT_LOCAL_CHAIN="action_nat_local"

 case "$ALLOWED_HOSTS_MODE" in
    "1")
-        NFT_ALLOWED_HOSTS_EXPR="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}"
+        NFT_ALLOWED_HOSTS_PATTERN="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s"
    ;;
    "2")
-        NFT_ALLOWED_HOSTS_EXPR="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}"
+        NFT_ALLOWED_HOSTS_PATTERN="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s"
    ;;
    *)
-        NFT_ALLOWED_HOSTS_EXPR="jump ${NFT_BLLIST_CHAIN}"
+        NFT_ALLOWED_HOSTS_PATTERN="jump ${NFT_BLLIST_CHAIN}%s"
    ;;
 esac

-if [ "$NFTSET_DNSMASQ_TIMEOUT_UPDATE" = "1" ]; then
-    NFT_DNSMASQ_RULE_TARGET="$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
-else
-    NFT_DNSMASQ_RULE_TARGET="$NFT_ACTION_CHAIN"
-fi
-
 NftCmdWrapper() {
    local _i=0 _attempts=10 _return_code=1
    while [ $_i -lt $_attempts ]
@@ -44,105 +35,247 @@ NftCmdWrapper() {
    return $_return_code
 }

-NftVpnRouteDelete() {
-    $IP_CMD route flush table $VPN_ROUTE_TABLE_ID
-    $IP_CMD rule del table $VPN_ROUTE_TABLE_ID
+NftRouteDelete() {
+    local _route_table_id=$1
+    $IP_CMD route flush table $_route_table_id
+    $IP_CMD rule del table $_route_table_id
 }

-NftVpnRouteAdd() {
-    local _vpn_ip
-    if [ -n "$VPN_GW_IP" ]; then
-        _vpn_ip="$VPN_GW_IP"
+NftRouteAdd() {
+    local _vpn_ip _type="$1" _route_table_id=$2 _pkts_mark=$3 _if_vpn="$4" _vpn_gw_ip="$5"
+    if [ "$_type" = "lo" ]; then
+        echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
+        $IP_CMD rule add fwmark $_pkts_mark table $_route_table_id priority $LO_RULE_PRIO
+        $IP_CMD route add local default dev lo table $_route_table_id
+
+        if [ $DEBUG -ge 1 ]; then
+            echo "  nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${LO_RULE_PRIO}" >&2
+            MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${LO_RULE_PRIO}"
+            echo "  nft_functions.NftRouteAdd: ${IP_CMD} route add local default dev lo table ${_route_table_id}" >&2
+            MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} route add local default dev lo table ${_route_table_id}"
+        fi
    else
-        _vpn_ip=`$IP_CMD addr list dev $IF_VPN 2> /dev/null | $AWK_CMD '/inet/{f=($3 == "peer") ? 4 : 2; sub("/[0-9]{1,2}$", "", $f); print $f; exit}'`
-    fi
-    if [ -n "$_vpn_ip" ]; then
-        echo 0 > /proc/sys/net/ipv4/conf/$IF_VPN/rp_filter
-        NftVpnRouteDelete 2> /dev/null
-        $IP_CMD rule add fwmark $VPN_PKTS_MARK table $VPN_ROUTE_TABLE_ID priority $VPN_RULE_PRIO
-        $IP_CMD route add default via $_vpn_ip table $VPN_ROUTE_TABLE_ID
+        if [ -n "$_vpn_gw_ip" ]; then
+            _vpn_ip="$_vpn_gw_ip"
+        else
+            _vpn_ip=`$IP_CMD addr list dev $_if_vpn 2> /dev/null | $AWK_CMD '/inet/{f=($3 == "peer") ? 4 : 2; sub("/[0-9]{1,2}$", "", $f); print $f; exit}'`
+        fi
+        if [ -n "$_vpn_ip" -a "$_type" = "vpn" ]; then
+            echo 0 > /proc/sys/net/ipv4/conf/$_if_vpn/rp_filter
+            NftRouteDelete $_route_table_id 2> /dev/null
+            $IP_CMD rule add fwmark $_pkts_mark table $_route_table_id priority $VPN_RULE_PRIO
+            $IP_CMD route add default via $_vpn_ip table $_route_table_id
+            if [ $? -ne 0 ]; then
+                echo "  Error! An error occurred while adding the route. Routing table id=${_route_table_id}, VPN gateway IP=${_vpn_ip}" >&2
+                MakeLogRecord "err" "Error! An error occurred while adding the route. Routing table id=${_route_table_id}, VPN gateway IP=${_vpn_ip}"
+            fi
+
+            if [ $DEBUG -ge 1 ]; then
+                echo "  nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${VPN_RULE_PRIO}" >&2
+                MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} rule add fwmark ${_pkts_mark} table ${_route_table_id} priority ${VPN_RULE_PRIO}"
+                echo "  nft_functions.NftRouteAdd: ${IP_CMD} route add default via ${_vpn_ip} table ${_route_table_id}" >&2
+                MakeLogRecord "debug" "nft_functions.NftRouteAdd: ${IP_CMD} route add default via ${_vpn_ip} table ${_route_table_id}"
+            fi
+        fi
    fi
 }

-NftVpnRouteStatus() {
-    [ -n "`$IP_CMD route show table $VPN_ROUTE_TABLE_ID 2> /dev/null`" ] && return 0
+NftRouteStatus() {
+    local _route_table_id=$1
+    [ -n "`$IP_CMD route show table $_route_table_id 2> /dev/null`" ] && return 0
    return 1
 }

-NftMainAdd() {
-    local _set
-    $NFT_CMD add chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" { $LOCAL_CLIENTS_CHAIN_TYPE }
-    $NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_CHAIN"
-    $NFT_CMD add chain $NFT_TABLE "$NFT_FPROXY_FILTER"
-    $NFT_CMD add chain $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
-    $NFT_CMD add chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
-    $NFT_CMD add chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" { $MAIN_CHAIN_TYPE }
-    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE $NFT_FPROXY_FILTER ip daddr "@${NFTSET_FPROXY_PRIVATE}" return
-    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_FILTER" jump "$NFT_ACTION_CHAIN"
-    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN" ct state new set update ip daddr "@${NFTSET_DNSMASQ}"
-    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN" jump "$NFT_ACTION_CHAIN"
-    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" $NFT_ALLOWED_HOSTS_EXPR
-    if [ "$PROXY_MODE" = "2" ]; then
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" mark set $VPN_PKTS_MARK
-    elif [ "$PROXY_MODE" = "3" ]; then
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" tcp dport { 0-65535 } redirect to $T_PROXY_PORT_TCP
-        if [ "$T_PROXY_ALLOW_UDP" = "1" ]; then
-            NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" udp dport { 0-65535 } redirect to $T_PROXY_PORT_UDP
-        fi
+NftAddSinkChains() {
+    local _chain_prio_sink=$1
+    $NFT_CMD add chain $NFT_TABLE "${NFT_SINK_CHAIN}" { type filter hook prerouting priority ${_chain_prio_sink}\; policy accept\; }
+    $NFT_CMD add chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" { type route hook output priority ${_chain_prio_sink}\; policy accept\; }
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta iif lo return
+}
+
+NftDeleteSinkChains() {
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_CHAIN}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}"
+}
+
+NftAddActionChains() {
+    local _chain_prio_action=$1
+    $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" { type filter hook prerouting priority ${_chain_prio_action}\; policy accept\; }
+    $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" { type nat hook prerouting priority ${_chain_prio_action}\; policy accept\; }
+    $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" { type nat hook output priority ${_chain_prio_action}\; policy accept\; }
+}
+
+NftDeleteActionChains() {
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}"
+}
+
+NftInstanceAdd() {
+    local _i _inst _first_chain_type _t_proxy_statement _chain_action_type _set
+
+    for _i in "_name" "_pkts_mark" "_chain_prio_first" "_chain_prio_local" "_proxy_mode" "_tor_trans_port" "_route_table_id" "_if_vpn" "_t_proxy_type" "_t_proxy_port_tcp" "_t_proxy_port_udp" "_t_proxy_allow_udp" "_enable_bllist_proxy" "_enable_fproxy" "_skip_marked_packets" "_vpn_gw_ip"
+    do
+        eval "local $_i=$1"
+        shift
+    done
+
+    _inst="$_name"
+    if [ "$_name" = " " ]; then
+        _name=""
    else
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_CHAIN" tcp dport { 0-65535 } redirect to $TOR_TRANS_PORT
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_ONION}" counter goto "$NFT_ACTION_CHAIN"
+        _name="-${_name}"
    fi
-    if [ "$ENABLE_FPROXY" = "1" ]; then
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip saddr "@${NFTSET_FPROXY}" counter goto "$NFT_FPROXY_FILTER"
+
+    if [ $DEBUG -ge 1 ]; then
+        echo "  nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}" >&2
+        MakeLogRecord "debug" "nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}"
    fi
+
+    if [ "$NFTSET_DNSMASQ_TIMEOUT_UPDATE" = "1" ]; then
+        _nft_dnsmasq_rule_target="${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
+    else
+        _nft_dnsmasq_rule_target="${NFT_MARK_CHAIN}${_name}"
+    fi
+
+    $NFT_CMD add chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" { type route hook output priority ${_chain_prio_local}\; policy accept\; }
+    $NFT_CMD add chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}"
+    $NFT_CMD add chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}"
+    $NFT_CMD add chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
+    $NFT_CMD add chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
+    $NFT_CMD add chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" { type filter hook prerouting priority ${_chain_prio_first}\; policy accept\; }
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" ip daddr "@${NFTSET_FPROXY_PRIVATE}" return
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" jump "${NFT_MARK_CHAIN}${_name}"
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" ct state new set update ip daddr "@${NFTSET_DNSMASQ}${_name}"
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" jump "${NFT_MARK_CHAIN}${_name}"
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" "`printf "$NFT_ALLOWED_HOSTS_PATTERN" "$_name"`"
+
+    if [ "$_proxy_mode" = "2" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\"
+    elif [ "$_proxy_mode" = "3" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+        if [ "$_t_proxy_type" = "1" ]; then
+            NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto tcp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
+            if [ "$_t_proxy_allow_udp" = "1" ]; then
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto udp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_udp}" comment \""$_inst"\"
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+            fi
+        else
+            NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
+            NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
+            if [ "$_t_proxy_allow_udp" = "1" ]; then
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+                NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
+            fi
+        fi
+    elif [ "$_proxy_mode" != "2" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
+    fi
+
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_MARK_CHAIN}${_name}" mark set $_pkts_mark
+    if [ "$_proxy_mode" != "2" -a "$_proxy_mode" != "3" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_ONION}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}"
+    fi
+    if [ "$_skip_marked_packets" = "1" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" meta mark "@${NFTSET_MARK_SET}" return
+    fi
+    if [ "$_enable_fproxy" = "1" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip saddr "@${NFTSET_FPROXY}${_name}" goto "${NFT_FPROXY_FILTER}${_name}"
+    fi
+
    if [ "$BYPASS_MODE" = "1" ]; then
        for _set in "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN"
        do
-            NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter accept
+            NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" accept
        done
    fi
-    for _set in "$NFTSET_CIDR" "$NFTSET_IP"
+
+    for _set in "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}"
    do
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter goto "$NFT_ACTION_CHAIN"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" counter goto "${NFT_MARK_CHAIN}${_name}"
    done
-    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_DNSMASQ}" counter goto "$NFT_DNSMASQ_RULE_TARGET"
-    if [ "$PROXY_MODE" = "2" ]; then
-        NftVpnRouteAdd
+    NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_DNSMASQ}${_name}" counter goto "$_nft_dnsmasq_rule_target"
+
+    if [ "$_proxy_mode" = "2" ]; then
+        NftRouteAdd vpn $_route_table_id $_pkts_mark "$_if_vpn" "$_vpn_gw_ip"
+    elif  [ "$_proxy_mode" = "3" -a "$_t_proxy_type" = "1" ]; then
+        NftRouteAdd lo $_route_table_id $_pkts_mark
    fi
-    if [ "$ENABLE_BLLIST_PROXY" = "1" ]; then
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" ip daddr "@${NFTSET_BLLIST_PROXY}" counter goto "$NFT_ACTION_CHAIN"
+
+    if [ "$_enable_bllist_proxy" = "1" ]; then
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" ip daddr "@${NFTSET_BLLIST_PROXY}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}"
    fi
    if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
-        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" jump "$NFT_BLLIST_CHAIN"
+        NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" jump "${NFT_BLLIST_CHAIN}${_name}"
    fi
 }

-NftMainDelete() {
-    $NFT_CMD flush chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN"
-    $NFT_CMD delete chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN"
-    $NFT_CMD flush chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN"
-    $NFT_CMD delete chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN"
-    $NFT_CMD flush chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
-    $NFT_CMD delete chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
-    $NFT_CMD flush chain $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
-    $NFT_CMD delete chain $NFT_TABLE "$NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN"
-    $NFT_CMD flush chain $NFT_TABLE "$NFT_FPROXY_FILTER"
-    $NFT_CMD delete chain $NFT_TABLE "$NFT_FPROXY_FILTER"
-    $NFT_CMD flush chain $NFT_TABLE "$NFT_ACTION_CHAIN"
-    $NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_CHAIN"
-    NftVpnRouteDelete 2> /dev/null
+NftInstanceDelete() {
+    local _name="$1"
+    if [ -z "$_name" -o "$_name" = " " ]; then
+        _name=""
+    else
+        _name="-${_name}"
+    fi
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}"
+    $NFT_CMD delete chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}"
 }

 NftListBllistChain() {
-    $NFT_CMD -t list chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
+    local _name="$1"
+    if [ -z "$_name" -o "$_name" = " " ]; then
+        _name=""
+    else
+        _name="-${_name}"
+    fi
+    $NFT_CMD -t list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
 }

 NftListBllistChainJson() {
-    $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
+    local _name="$1"
+    if [ -z "$_name" -o "$_name" = " " ]; then
+        _name=""
+    else
+        _name="-${_name}"
+    fi
+    $NFT_CMD -t -j list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
 }

-NftReturnStatus() {
-    $NFT_CMD -c add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" continue &> /dev/null
+NftListSinkChain() {
+    $NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_CHAIN"
+}
+
+NftListSinkChainJson() {
+    $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_CHAIN"
+}
+
+NftListSinkLocalChain() {
+    $NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN"
+}
+
+NftListSinkLocalChainJson() {
+    $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN"
+}
+
+NftReturnInstanceStatus() {
+    local _name="$1"
+    if [ -z "$_name" -o "$_name" = " " ]; then
+        _name=""
+    else
+        _name="-${_name}"
+    fi
+    $NFT_CMD -c add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" continue &> /dev/null
    return $?
 }
@@ -0,0 +1,75 @@
+
+if [ $USER_INSTANCES_MAX -gt 50 ]; then
+    USER_INSTANCES_MAX=50
+fi
+
+IncludeUserInstanceVars() {
+    local _inst="$1"
+    . "${USER_INSTANCES_DIR}/${_inst}"
+
+    if [ $DEBUG -ge 2 ]; then
+        echo "  user_instances_common.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}" >&2
+        MakeLogRecord "debug" "user_instances_common.IncludeUserInstanceVars: _inst=${_inst} U_NAME=${U_NAME} U_PROXY_MODE=${U_PROXY_MODE}"
+    fi
+}
+
+ClearUserInstanceVars() {
+    unset $USER_INSTANCE_VARS
+}
+
+ListUserInstances() {
+    ls -1 "$USER_INSTANCES_DIR"
+}
+
+[ -f "$CONFIG_SCRIPT_USER_INSTANCES" ] && . "$CONFIG_SCRIPT_USER_INSTANCES"
+
+GetUserInstances() {
+    local _type="$1" _fnames="$2" _i=0 _inst _instances=""
+    for _inst in `ListUserInstances`
+    do
+        IncludeUserInstanceVars "$_inst"
+        if [ $_i -lt $USER_INSTANCES_MAX -a -n "$U_NAME" -a "$U_ENABLED" != "0" ]; then
+            if [ "$_type" = "0" -o "$U_PROXY_MODE" = "$_type" ]; then
+                if [ "$_fnames" = "fnames" ]; then
+                    _instances="${_instances}${_inst} "
+                else
+                    _instances="${_instances}${U_NAME} "
+                fi
+            fi
+            _i=$(($_i + 1))
+        fi
+        ClearUserInstanceVars
+    done
+    printf "$_instances"
+}
+
+SetUserInstancesItems() {
+    local _i=0 _inst _instances_all="" _instances_all_fnames="" _instances_vpn="" _instances_vpn_fnames="" _instances_cfg=""  _instances_cfg_fnames=""
+    for _inst in `ListUserInstances`
+    do
+        IncludeUserInstanceVars "$_inst"
+        if [ $_i -lt $USER_INSTANCES_MAX -a -n "$U_NAME" -a "$U_ENABLED" != "0" ]; then
+            _instances_all="${_instances_all}${U_NAME} "
+            _instances_all_fnames="${_instances_all_fnames}${_inst} "
+            if [ "$U_PROXY_MODE" = "2" ]; then
+                _instances_vpn="${_instances_vpn}${U_NAME} "
+                _instances_vpn_fnames="${_instances_vpn_fnames}${_inst} "
+            fi
+            _i=$(($_i + 1))
+        fi
+        _instances_cfg="${_instances_cfg}${U_NAME} "
+        _instances_cfg_fnames="${_instances_cfg_fnames}${_inst} "
+        ClearUserInstanceVars
+    done
+    USER_INSTANCES_ALL="$_instances_all"
+    USER_INSTANCES_ALL_FNAMES="$_instances_all_fnames"
+    USER_INSTANCES_VPN="$_instances_vpn"
+    USER_INSTANCES_VPN_FNAMES="$_instances_vpn_fnames"
+    USER_INSTANCES_CFG="$_instances_cfg"
+    USER_INSTANCES_CFG_FNAMES="$_instances_cfg_fnames"
+
+    if [ $DEBUG -ge 2 ]; then
+        echo "  user_instances_common.SetUserInstancesItems: USER_INSTANCES_ALL=\"${USER_INSTANCES_ALL}\"; USER_INSTANCES_ALL_FNAMES=\"${USER_INSTANCES_ALL_FNAMES}\"; USER_INSTANCES_VPN=\"${USER_INSTANCES_VPN}\"; USER_INSTANCES_VPN_FNAMES=\"${USER_INSTANCES_VPN_FNAMES}\"" >&2
+        MakeLogRecord "debug" "user_instances_common.SetUserInstancesItems: USER_INSTANCES_ALL=\"${USER_INSTANCES_ALL}\"; USER_INSTANCES_ALL_FNAMES=\"${USER_INSTANCES_ALL_FNAMES}\"; USER_INSTANCES_VPN=\"${USER_INSTANCES_VPN}\"; USER_INSTANCES_VPN_FNAMES=\"${USER_INSTANCES_VPN_FNAMES}\""
+    fi
+}