diff --git a/autoinstall/2.x/autoinstall.sh b/autoinstall/2.x/autoinstall.sh index 78812df..f9cb56e 100755 --- a/autoinstall/2.x/autoinstall.sh +++ b/autoinstall/2.x/autoinstall.sh @@ -10,9 +10,9 @@ LUCI_APP=1 HTTPS_DNS_PROXY=1 OWRT_VERSION="current" -RUAB_VERSION="2.0.0-r1" -RUAB_MOD_LUA_VERSION="2.0.0-r1" -RUAB_LUCI_APP_VERSION="2.0.0-1" +RUAB_VERSION="2.1.0-r1" +RUAB_MOD_LUA_VERSION="2.1.0-r1" +RUAB_LUCI_APP_VERSION="2.1.0-1" BASE_URL="https://raw.githubusercontent.com/gSpotx2f/packages-openwrt/master" PKG_DIR="/tmp" diff --git a/luci-app-ruantiblock/Makefile b/luci-app-ruantiblock/Makefile index cad0f56..9a42bad 100644 --- a/luci-app-ruantiblock/Makefile +++ b/luci-app-ruantiblock/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-ruantiblock -PKG_VERSION:=2.0.0 +PKG_VERSION:=2.1.0 PKG_RELEASE:=1 LUCI_TITLE:=LuCI support for ruantiblock LUCI_DEPENDS:=+ruantiblock diff --git a/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/info.js b/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/info.js index c3ab9e7..d898a7f 100644 --- a/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/info.js +++ b/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/info.js 
@@ -43,97 +43,61 @@ return view.extend({ }, formatNftJson(data) { - let output = { 'sink': [] }; - if(data.sink.nftables && data.sink.nftables.length > 1) { - let rules = []; - - for(let i of data.sink.nftables) { - if(i.rule) { - let instance = (i.rule.comment === ' ') ? '-main-' : i.rule.comment; - let proto, bytes; - i.rule.expr.forEach(e => { - if(e.match && e.match.left && e.match.left.meta && e.match.left.meta.key && e.match.left.meta.key == "l4proto") { - proto = e.match.right; - } - else if(e.counter) { - bytes = e.counter.bytes; - }; - }); - rules.push([ instance, proto, bytes ]); - } else { - continue; - }; - }; - - if(rules.length > 0) { - output.sink = rules; - }; - }; - - if(data.sink_local && data.sink_local.nftables && data.sink_local.nftables.length > 1) { - output.sink_local = []; - let rules = []; - - for(let i of data.sink_local.nftables) { - if(i.rule) { - let instance = (i.rule.comment === ' ') ? '-main-' : i.rule.comment; - let proto, bytes; - i.rule.expr.forEach(e => { - if(e.match && e.match.left && e.match.left.meta && e.match.left.meta.key && e.match.left.meta.key == "l4proto") { - proto = e.match.right; - } - else if(e.counter) { - bytes = e.counter.bytes; - }; - }); - rules.push([ instance, proto, bytes ]); - } else { - continue; - }; - }; - - if(rules.length > 0) { - output.sink_local = rules; - }; - }; - - function parseDnsmasqData(set) { - let sArray = []; - if(set.nftables && set.nftables.length > 1) { - set.nftables.forEach(e => { - if(e.set && e.set.elem) { - e.set.elem.forEach(i => { - if(i.elem) { - sArray.push([ i.elem.val, i.elem.expires ]); - }; - }); + let output = { 'rules': [] }; + if(data.rules.nftables && data.rules.nftables.length > 1) { + for(let i of data.rules.nftables) { + if(!i.rule) continue; + let set, bytes; + i.rule.expr.forEach(e => { + if(e.match && e.match.left && e.match.left.payload) { + set = e.match.right.replace('@', ''); + } + else if(e.counter) { + bytes = e.counter.bytes; }; }); + output.rules.push([ 
set, bytes ]); }; - return sArray; - }; - if(data.dnsmasq) { - output.dnsmasq = parseDnsmasqData(data.dnsmasq); - }; - if(data.dnsmasq_bypass) { - output.dnsmasq_bypass = parseDnsmasqData(data.dnsmasq_bypass); - }; - if(data.dnsmasq_user_instances) { - output.dnsmasq_user_instances = []; - if(data.dnsmasq_user_instances && data.dnsmasq_user_instances.length > 1) { - for(let i of data.dnsmasq_user_instances) { - if(i.nftables) { - let name; - i.nftables.forEach(e => { - if(e.set) { - name = e.set.name; - }; - }); - output.dnsmasq_user_instances.push([ name, parseDnsmasqData(i) ]); + function parseDnsmasqData(set) { + let sArray = []; + if(set.nftables && set.nftables.length > 1) { + set.nftables.forEach(e => { + if(e.set && e.set.elem) { + e.set.elem.forEach(i => { + if(i.elem) { + sArray.push([ i.elem.val, i.elem.expires ]); + }; + }); + }; + }); + }; + return sArray; + }; + + if(data.dnsmasq) { + output.dnsmasq = parseDnsmasqData(data.dnsmasq); + }; + if(data.dnsmasq_bypass) { + output.dnsmasq_bypass = parseDnsmasqData(data.dnsmasq_bypass); + }; + if(data.dnsmasq_user_instances) { + output.dnsmasq_user_instances = []; + if(data.dnsmasq_user_instances && data.dnsmasq_user_instances.length > 1) { + for(let i of data.dnsmasq_user_instances) { + if(i.nftables) { + let name; + i.nftables.forEach(e => { + if(e.set) { + name = e.set.name; + }; + }); + output.dnsmasq_user_instances.push([ name, parseDnsmasqData(i) ]); + }; }; }; }; + }; return output; }, 
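Review bot: `set = e.match.right.replace('@', '')` assumes `match.right` is a string, but nft's JSON output also puts numbers and objects there (a port literal, an anonymous set, a prefix), so any payload match in the listed chain that is not a named-set reference would make formatNftJson throw a TypeError and stop the whole info view from updating. Narrow the condition to `if(e.match && e.match.left && e.match.left.payload && typeof(e.match.right) === 'string' && e.match.right.charAt(0) === '@') {` so only `@set` references are taken. `data.rules.nftables` is also read without first checking `data.rules`, unlike the `data.dnsmasq*` keys further down; `if(data.rules && data.rules.nftables && data.rules.nftables.length > 1) {` keeps a partial backend response from aborting the parse.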
@@ -228,20 +192,11 @@ return view.extend({ let nft_data = this.formatNftJson(data); - if(nft_data.sink.length > 0) { - for(let i of nft_data.sink) { - let elem = document.getElementById('sink.' + i[0] + '.' + (i[1] || 'all')); + if(nft_data.rules.length > 0) { + for(let [set, bytes] of nft_data.rules) { + let elem = document.getElementById('rules.' + set); if(elem) { - elem.textContent = i[2]; - }; - }; - }; - - if(nft_data.sink_local && nft_data.sink_local.length > 0) { - for(let i of nft_data.sink_local) { - let elem = document.getElementById('sink_local.' + i[0] + '.' + (i[1] || 'all')); - if(elem) { - elem.textContent = i[2]; + elem.textContent = bytes; }; }; }; @@ -267,6 +222,14 @@ return view.extend({ }); }, + formatRuleDescription(s) { + return (s.length >= 1) ? ( + s.replace(/^c\.?(.*)/, '$1 CIDR').replace(/^i\.?(.*)/, '$1 IP') + .replace(/^d\.?(.*)/, '$1 dnsmasq').replace(/^onion\.?(.*)/, '$1 onion') + .replace(/^bi/, 'bypass IP').replace(/^bd/, 'bypass dnsmasq') + ) : ''; + }, + load() { return fs.exec_direct(tools.execPath, [ 'html-info' ], 'json').catch(e => { ui.addNotification(null, E('p', _('Unable to execute or read contents') @@ -286,10 +249,10 @@ return view.extend({ let update_status = null, user_entries = null, - sink = null, - sink_local = null, + rules = null, dnsmasq = null, - dnsmasqUserInstances = null; + dnsmasqUserInstances = null, + dnsmasqBypass = null; if(data) { if(data.status === 'enabled') { 
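Review bot: In formatRuleDescription the six chained `replace` calls each see the output of the previous one, so an instance name that itself starts with `i`, `d`, `c` or `onion` is rewritten twice: `c.i1` becomes `i1 CIDR` and then `1 CIDR IP`, and `i.dlist` becomes `list IP dnsmasq`. Since the set name carries the user-configured instance name after the dot (the shell side builds `${NFTSET_CIDR}${_name}` with `_name=".${U_NAME}"`), this is reachable with ordinary names. Match the prefix once against a table and return immediately instead; this also drops the leading space the current code yields for the bare `c`/`i`/`d` sets (`' CIDR'`). The table mirrors the NFTSET_* names assumed by the current regexes, which I cannot see defined in this diff, so confirm it against /usr/bin/ruantiblock.
```javascript
formatRuleDescription(s) {
	if(!s) return '';
	// prefix -> label; longer prefixes first so 'bi'/'bd' are not read as a bare 'b…' set
	// NOTE(review): keep in sync with the NFTSET_* names in /usr/bin/ruantiblock
	const prefixes = [
		[ 'onion', 'onion' ],
		[ 'bi', 'bypass IP' ],
		[ 'bd', 'bypass dnsmasq' ],
		[ 'c', 'CIDR' ],
		[ 'i', 'IP' ],
		[ 'd', 'dnsmasq' ],
	];
	for(const [ prefix, label ] of prefixes) {
		if(s === prefix) return label;
		if(s.startsWith(prefix + '.')) return s.slice(prefix.length + 1) + ' ' + label;
	};
	return s;
},
```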
@@ -350,87 +313,42 @@ return view.extend({ let nft_data = this.formatNftJson(data); - if(nft_data.sink) { - let table = E('table', { 'class': 'table' }, [ + if(nft_data.rules) { + let table_rules = E('table', { 'class': 'table' }, [ E('tr', { 'class': 'tr table-titles' }, [ E('th', { 'class': 'th left', 'style': 'min-width:33%' }, - _('Instance')), - E('th', { 'class': 'th left' }, _('Protocol')), + _('Match-set')), + E('th', { 'class': 'th left' }, _('Description')), E('th', { 'class': 'th left' }, _('Bytes')), ]), ]); - for(let i of nft_data.sink) { - let instance = i[0]; - let proto = (i[1] === undefined) ? _('all') : i[1]; - let bytes = i[2]; - if(!instance) { + for(let [set, bytes] of nft_data.rules) { + if(!set) { continue; }; - table.append( + table_rules.append( E('tr', { 'class': 'tr' }, [ + E('td',{ + 'class' : 'td left', + 'data-title': _('Match-set'), + }, set), E('td', { 'class' : 'td left', - 'data-title': _('Instance'), - }, instance), + 'data-title': _('Description'), + }, this.formatRuleDescription(set)), E('td', { 'class' : 'td left', - 'data-title': _('Protocol'), - }, proto), - E('td', { - 'class' : 'td left', - 'id' : 'sink.' + instance + '.' + (i[1] || 'all'), + 'id' : 'rules.' + set, 'data-title': _('Bytes'), }, bytes), ]) ); - }; - sink = E([ - E('h3', {}, _('Transit traffic')), - table, - ]); - }; - if(nft_data.sink_local) { - let table = E('table', { 'class': 'table' }, [ - E('tr', { 'class': 'tr table-titles' }, [ - E('th', { 'class': 'th left', 'style': 'min-width:33%' }, - _('Instance')), - E('th', { 'class': 'th left' }, _('Protocol')), - E('th', { 'class': 'th left' }, _('Bytes')), - ]), - ]); - for(let i of nft_data.sink_local) { - let instance = i[0]; - let proto = (i[1] === undefined) ? 
_('all') : i[1]; - let bytes = i[2]; - - if(!instance) { - continue; - }; - table.append( - E('tr', { 'class': 'tr' }, [ - E('td', { - 'class' : 'td left', - 'data-title': _('Instance'), - }, instance), - E('td', { - 'class' : 'td left', - 'data-title': _('Protocol'), - }, proto), - E('td', { - 'class' : 'td left', - 'id' : 'sink_local.' + instance + '.' + (i[1] || 'all'), - 'data-title': _('Bytes'), - }, bytes), - ]) - ); - - }; - sink_local = E([ - E('h3', {}, _('Local traffic')), - table, + rules = E([ + E('h3', {}, _('Nftables rules')), + table_rules, ]); }; @@ -462,6 +380,17 @@ return view.extend({ }; }; + if(nft_data.dnsmasq_bypass) { + let rdbTableWrapper = E('div', { + 'id' : 'rdbTableWrapper', + 'style': 'width:100%' + }, this.makeDnsmasqTable(nft_data.dnsmasq_bypass, _('Dnsmasq bypass'))); + + dnsmasqBypass = E([ + rdbTableWrapper, + ]); + }; + poll.add(L.bind(this.pollInfo, this), this.pollInterval); } else { update_status = E('em', {}, _('Status') + ' : ' + _('disabled')); @@ -477,7 +406,7 @@ return view.extend({ E('div', { 'class': 'cbi-section-node' }, update_status) ), E('div', { 'class': 'cbi-section fade-in' }, - E('div', { 'class': 'cbi-section-node' }, sink) + E('div', { 'class': 'cbi-section-node' }, rules) ), ]; @@ -490,10 +419,10 @@ return view.extend({ ); } - if(sink_local) { + if(dnsmasqBypass) { layout.splice(5, 0, E('div', { 'class': 'cbi-section fade-in' }, - E('div', { 'class': 'cbi-section-node' }, sink_local) + E('div', { 'class': 'cbi-section-node' }, dnsmasqBypass) ) ); }; diff --git a/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/settings.js b/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/settings.js index 1f0147c..ae6a893 100644 --- a/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/settings.js +++ b/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/settings.js 
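Review bot: The new Match-set and Description cells pass `set` and `this.formatRuleDescription(set)` to `E()` as bare string children; as far as I recall LuCI's `dom.append` assigns a bare string via `innerHTML`, whereas an array child becomes a text node. The set name ends up carrying the admin-configured instance name, so the exposure is to the same admin, but a name containing `<` or `&` would still break the table rather than render literally. Use `}, [ set ]),` and `}, [ this.formatRuleDescription(set) ]),` so the values are inserted as text; the `'id' : 'rules.' + set` attribute is fine as is.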
@@ -248,12 +248,14 @@ return view.extend({ o = s.taboption('tor_tab', form.Value, 'tor_trans_port', _('Transparent proxy port')); o.rmempty = false; + o.default = tools.defaultConfig.tor_trans_port; o.datatype = 'port'; // ONION_DNS_ADDR o = s.taboption('tor_tab', form.Value, 'onion_dns_addr', _("Optional DNS resolver for '.onion' zone"), 'ipaddress#port'); o.rmempty = false; + o.default = tools.defaultConfig.onion_dns_addr; o.validate = this.validateIpPort; // Torrc edit dialog @@ -274,7 +276,7 @@ return view.extend({ o.multiple = false; o.noaliases = true; o.rmempty = false; - o.default = 'tun0'; + o.default = tools.defaultConfig.if_vpn; // VPN_GW_IP o = s.taboption('vpn_tab', form.Value, 'vpn_gw_ip', @@ -307,17 +309,20 @@ return view.extend({ o = s.taboption('tproxy_tab', form.Value, 't_proxy_port_tcp', _('Transparent proxy TCP port')); o.rmempty = false; + o.default = tools.defaultConfig.t_proxy_port_tcp; o.datatype = 'port'; // T_PROXY_ALLOW_UDP o = s.taboption('tproxy_tab', form.Flag, 't_proxy_allow_udp', _('Send UDP traffic to transparent proxy')); o.rmempty = false; + o.default = 0; // T_PROXY_PORT_UDP o = s.taboption('tproxy_tab', form.Value, 't_proxy_port_udp', _('Transparent proxy UDP port')); o.rmempty = false; + o.default = tools.defaultConfig.t_proxy_port_udp; o.datatype = 'port'; @@ -331,6 +336,7 @@ return view.extend({ o.value('1', 'Tor'); o.value('2', 'VPN'); o.value('3', _('Transparent proxy')); + o.default = tools.defaultConfig.proxy_mode; // BLLIST_PRESET let bllist_preset = s.taboption('blacklist_tab', form.ListValue, @@ -375,6 +381,7 @@ return view.extend({ _('Enable full proxy mode')); o.description = _('All traffic of the specified hosts passes through the proxy, without a blacklist'); o.rmempty = false; + o.default = 0; // FPROXY_LIST o = s.taboption('blacklist_tab', form.DynamicList, 'fproxy_list', 
@@ -531,7 +538,7 @@ return view.extend({ _('Enabled'), ); o.rmempty = false; - o.default = '1'; + o.default = 1; o.editable = true; o.modalonly = false; @@ -547,14 +554,7 @@ return view.extend({ o.value('1', 'Tor'); o.value('2', 'VPN'); o.value('3', _('Transparent proxy')); - o.default = '2'; - o.modalonly = true; - - // U_SKIP_MARKED_PACKETS - o = ss.taboption('u_main_tab', form.Flag, 'u_skip_marked_packets', - _('Lowest priority')); - o.description = _('This proxy will receive traffic last, even after the main blacklist'); - o.rmempty = false; + o.default = tools.defaultConfig.proxy_mode; o.modalonly = true; // U_ENABLE_FPROXY @@ -562,6 +562,7 @@ return view.extend({ _('Enable full proxy mode')); o.description = _('All traffic of the specified hosts passes through the proxy, without a blacklist'); o.rmempty = false; + o.default = 0; o.modalonly = true; // U_FPROXY_LIST @@ -579,6 +580,7 @@ return view.extend({ o = ss.taboption('u_tor_tab', form.Value, 'u_tor_trans_port', _('Transparent proxy port')); o.rmempty = false; + o.default = tools.defaultConfig.tor_trans_port; o.datatype = 'port'; o.modalonly = true; @@ -586,6 +588,7 @@ return view.extend({ o = ss.taboption('u_tor_tab', form.Value, 'u_onion_dns_addr', _("Optional DNS resolver for '.onion' zone"), 'ipaddress#port'); o.rmempty = false; + o.default = tools.defaultConfig.onion_dns_addr; o.validate = this.validateIpPort; o.modalonly = true; @@ -599,7 +602,7 @@ return view.extend({ o.multiple = false; o.noaliases = true; o.rmempty = false; - o.default = 'tun0'; + o.default = tools.defaultConfig.if_vpn; o.modalonly = true; // U_VPN_GW_IP 
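Review bot: `o.default = 1` changes a `form.Flag` default from the string `'1'` to a number, and the `o.default = 0` lines added in the other settings.js hunks follow the same numeric style, while every value in `tools.defaultConfig` and the remaining defaults in this file are strings. As far as I recall `form.Flag` compares the stored value with its `enabled`/`disabled` strings, so the numeric form only works through loose equality. Keeping `o.default = '1';` (and `o.default = '0';` elsewhere) matches the rest of the file and avoids depending on that coercion.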
@@ -625,19 +628,22 @@ return view.extend({ o = ss.taboption('u_tproxy_tab', form.Value, 'u_t_proxy_port_tcp', _('Transparent proxy TCP port')); o.rmempty = false; + o.default = tools.defaultConfig.t_proxy_port_tcp; o.datatype = 'port'; o.modalonly = true; // U_T_PROXY_ALLOW_UDP o = ss.taboption('u_tproxy_tab', form.Flag, 'u_t_proxy_allow_udp', _('Send UDP traffic to transparent proxy')); - o.rmempty = false; + o.rmempty = false; + o.default = 0; o.modalonly = true; // U_T_PROXY_PORT_UDP o = ss.taboption('u_tproxy_tab', form.Value, 'u_t_proxy_port_udp', _('Transparent proxy UDP port')); o.rmempty = false; + o.default = tools.defaultConfig.t_proxy_port_udp; o.datatype = 'port'; o.modalonly = true; diff --git a/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/tools.js b/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/tools.js index 8bd97a8..499b43e 100644 --- a/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/tools.js +++ b/luci-app-ruantiblock/htdocs/luci-static/resources/view/ruantiblock/tools.js 
@@ -34,25 +34,25 @@ document.head.append(E('style', {'type': 'text/css'}, `)); return baseclass.extend({ - appName : 'ruantiblock', - execPath : '/usr/bin/ruantiblock', - tokenFile : '/var/run/ruantiblock.token', - parsersDir : '/usr/libexec/ruantiblock', - dnsmasqCfgDirsRoot: '/tmp', - torrcFile : '/etc/tor/torrc', - userEntriesFile : '/etc/ruantiblock/user_entries', - userListsDir : '/etc/ruantiblock/user_lists', - bypassEntriesFile : '/etc/ruantiblock/bypass_entries', - fqdnFilterFile : '/etc/ruantiblock/fqdn_filter', - ipFilterFile : '/etc/ruantiblock/ip_filter', - grExcludedNetsFile: '/etc/ruantiblock/gr_excluded_nets', - grExcludedSldFile : '/etc/ruantiblock/gr_excluded_sld', - crontabFile : '/etc/crontabs/root', - infoLabelStarting : '' + _('Starting') + '', - infoLabelRunning : '' + _('Enabled') + '', - infoLabelUpdating : '' + _('Updating') + '', - infoLabelStopped : '' + _('Disabled') + '', - infoLabelError : '' + _('Error') + '', + appName : 'ruantiblock', + execPath : '/usr/bin/ruantiblock', + tokenFile : '/var/run/ruantiblock.token', + parsersDir : '/usr/libexec/ruantiblock', + dnsmasqCfgDirsRoot : '/tmp', + torrcFile : '/etc/tor/torrc', + userEntriesFile : '/etc/ruantiblock/user_entries', + userListsDir : '/etc/ruantiblock/user_lists', + bypassEntriesFile : '/etc/ruantiblock/bypass_entries', + fqdnFilterFile : '/etc/ruantiblock/fqdn_filter', + ipFilterFile : '/etc/ruantiblock/ip_filter', + grExcludedNetsFile : '/etc/ruantiblock/gr_excluded_nets', + grExcludedSldFile : '/etc/ruantiblock/gr_excluded_sld', + crontabFile : '/etc/crontabs/root', + infoLabelStarting : '' + _('Starting') + '', + infoLabelRunning : '' + _('Enabled') + '', + infoLabelUpdating : '' + _('Updating') + '', + infoLabelStopped : '' + _('Disabled') + '', + infoLabelError : '' + _('Error') + '', blacklistPresets: { 'ruantiblock-fqdn': [ 'ruantiblock', 'fqdn', 'https://github.com/gSpotx2f/ruantiblock_blacklist' ], 
@@ -64,6 +64,15 @@ return baseclass.extend({ 'antifilter-ip' : [ '*antifilter', 'ip', 'https://antifilter.download' ], }, + defaultConfig: { + 'proxy_mode' : '2', + 'tor_trans_port' : '9040', + 'onion_dns_addr' : '127.0.0.1#9053', + 'if_vpn' : 'tun0', + 't_proxy_port_tcp': '1100', + 't_proxy_port_udp': '1100', + }, + callInitStatus: rpc.declare({ object: 'luci', method: 'getInitList', @@ -107,11 +116,11 @@ return baseclass.extend({ return (v && typeof(v) === 'string') ? v.trim().replace(/\r?\n/g, '') : v; }, - makeStatusString: function( - app_status_code, - bllist_preset, - bllist_module, - vpn_route_status_code) { + makeStatusString( + app_status_code, + bllist_preset, + bllist_module, + vpn_route_status_code) { let app_status_label; let spinning = ''; @@ -226,7 +235,7 @@ return baseclass.extend({ let textarea = document.getElementById('widget.modal_content'); let value = textarea.value.trim().replace(/\r\n/g, '\n') + '\n'; - return fs.write(this.file, value).then(async rc => { + return fs.write(this.file, value).then(rc => { textarea.value = value; ui.addNotification(null, E('p', _('Contents have been saved.')), 'info'); diff --git a/luci-app-ruantiblock/po/ru/ruantiblock.po b/luci-app-ruantiblock/po/ru/ruantiblock.po index 13097f9..49f969c 100644 --- a/luci-app-ruantiblock/po/ru/ruantiblock.po +++ b/luci-app-ruantiblock/po/ru/ruantiblock.po @@ -272,9 +272,6 @@ msgstr "Список хостов, которые исключаются из о msgid "Loading" msgstr "Загрузка" -msgid "Local traffic" -msgstr "Локальный трафик" - msgid "Log" msgstr "Лог" @@ -287,14 +284,11 @@ msgstr "Уровни логирования" msgid "Logread not found" msgstr "Logread не найден" -msgid "Lowest priority" -msgstr "Самый низкий приоритет" - msgid "Main settings" msgstr "Основные настройки" msgid "Match-set" -msgstr "Правило" +msgstr "Сет" msgid "Message" msgstr "Сообщение" 
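Review bot: `defaultConfig` is a plain mutable object on the shared baseclass and its values duplicate defaults that presumably also live in the daemon's own config (I cannot see them in this diff), so nothing ties the two together when one changes. Freeze it, `defaultConfig: Object.freeze({ … }),`, and add a one-line comment above it such as `// UI defaults for unset options; keep in sync with the defaults shipped in ruantiblock.conf`. Both `t_proxy_port_tcp` and `t_proxy_port_udp` default to `'1100'`; if that is intentional a short comment saying so would stop a reader from treating it as a copy-paste slip.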
@@ -314,6 +308,9 @@ msgstr "Настройки модуля" msgid "Name" msgstr "Имя" +msgid "Nftables rules" +msgstr "Правила Nftables" + msgid "No Sсhedule" msgstr "Нет расписания" @@ -502,9 +499,6 @@ msgid "" msgstr "" "Служба будет выключена и все данные блэклиста будут удалены. Продолжить?" -msgid "This proxy will receive traffic last, even after the main blacklist" -msgstr "В этот прокси трафик будет попадать в последнюю очередь, даже после основного блэклиста" - msgid "Time" msgstr "Время" @@ -523,9 +517,6 @@ msgstr "Конфигурационный файл Tor" msgid "Tor mode" msgstr "Режим Tor" -msgid "Transit traffic" -msgstr "Транзитный трафик" - msgid "Transparent proxy" msgstr "Прозрачный прокси" diff --git a/luci-app-ruantiblock/po/templates/ruantiblock.pot b/luci-app-ruantiblock/po/templates/ruantiblock.pot index 89473c7..bf117fd 100644 --- a/luci-app-ruantiblock/po/templates/ruantiblock.pot +++ b/luci-app-ruantiblock/po/templates/ruantiblock.pot @@ -253,9 +253,6 @@ msgstr "" msgid "Loading" msgstr "" -msgid "Local traffic" -msgstr "" - msgid "Log" msgstr "" @@ -268,9 +265,6 @@ msgstr "" msgid "Logread not found" msgstr "" -msgid "Lowest priority" -msgstr "" - msgid "Main settings" msgstr "" @@ -295,6 +289,9 @@ msgstr "" msgid "Name" msgstr "" +msgid "Nftables rules" +msgstr "" + msgid "No Sсhedule" msgstr "" @@ -457,9 +454,6 @@ msgid "" "Continue?" msgstr "" -msgid "This proxy will receive traffic last, even after the main blacklist" -msgstr "" - msgid "Time" msgstr "" @@ -478,9 +472,6 @@ msgstr "" msgid "Tor mode" msgstr "" -msgid "Transit traffic" -msgstr "" - msgid "Transparent proxy" msgstr "" diff --git a/ruantiblock-mod-lua/Makefile b/ruantiblock-mod-lua/Makefile index 366ecd7..c1115fd 100644 --- a/ruantiblock-mod-lua/Makefile +++ b/ruantiblock-mod-lua/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ruantiblock-mod-lua -PKG_VERSION:=2.0.0 +PKG_VERSION:=2.1.0 PKG_RELEASE:=1 PKG_MAINTAINER:=gSpot 
diff --git a/ruantiblock-mod-py/Makefile b/ruantiblock-mod-py/Makefile index 74af266..d5cb4c4 100644 --- a/ruantiblock-mod-py/Makefile +++ b/ruantiblock-mod-py/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ruantiblock-mod-py -PKG_VERSION:=2.0.0 +PKG_VERSION:=2.1.0 PKG_RELEASE:=1 PKG_MAINTAINER:=gSpot diff --git a/ruantiblock/Makefile b/ruantiblock/Makefile index db35aa1..249dd19 100644 --- a/ruantiblock/Makefile +++ b/ruantiblock/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ruantiblock -PKG_VERSION:=2.0.0 +PKG_VERSION:=2.1.0 PKG_RELEASE:=1 PKG_MAINTAINER:=gSpot diff --git a/ruantiblock/files/etc/config/ruantiblock b/ruantiblock/files/etc/config/ruantiblock index 412ffaf..4cb8b19 100644 --- a/ruantiblock/files/etc/config/ruantiblock +++ b/ruantiblock/files/etc/config/ruantiblock @@ -44,7 +44,6 @@ config user_instance 'list1' option u_enable_entries_remote_proxy '0' option u_entries_dns '' option u_enable_fproxy '0' - option u_skip_marked_packets '0' config user_instance 'list2' option u_enabled '0' @@ -59,7 +58,6 @@ config user_instance 'list2' option u_enable_entries_remote_proxy '0' option u_entries_dns '' option u_enable_fproxy '0' - option u_skip_marked_packets '0' config user_instance 'list3' option u_enabled '0' @@ -74,7 +72,6 @@ config user_instance 'list3' option u_enable_entries_remote_proxy '0' option u_entries_dns '' option u_enable_fproxy '0' - option u_skip_marked_packets '0' config user_instance 'list4' option u_enabled '0' @@ -89,7 +86,6 @@ config user_instance 'list4' option u_enable_entries_remote_proxy '0' option u_entries_dns '' option u_enable_fproxy '0' - option u_skip_marked_packets '0' config user_instance 'list5' option u_enabled '0' @@ -104,4 +100,3 @@ config user_instance 'list5' option u_enable_entries_remote_proxy '0' option u_entries_dns '' option u_enable_fproxy '0' - option u_skip_marked_packets '0' 
diff --git a/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock b/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock index f354656..28c431d 100755 --- a/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock +++ b/ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock @@ -7,7 +7,7 @@ if [ "$ACTION" = "ifup" ]; then USER_INSTANCES_COMMON="/usr/share/ruantiblock/user_instances_common" CONFIG_SCRIPT_USER_INSTANCES="/usr/share/ruantiblock/config_script_user_instances" USER_INSTANCES_DIR="/etc/ruantiblock/user_instances" - USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS" + USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST" USER_INSTANCES_MAX=10 DEBUG=0 IF_VPN_CURRENT="" diff --git a/ruantiblock/files/etc/ruantiblock/ruantiblock.conf b/ruantiblock/files/etc/ruantiblock/ruantiblock.conf index 4eacf1b..6006743 100644 --- a/ruantiblock/files/etc/ruantiblock/ruantiblock.conf +++ b/ruantiblock/files/etc/ruantiblock/ruantiblock.conf 
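Review bot: `USER_INSTANCE_VARS` is maintained by hand in two places, this hotplug script and /usr/bin/ruantiblock (the `@@ -105,11 +101,9` hunk in this same diff), and this commit had to edit both to drop `U_SKIP_MARKED_PACKETS`; the next change to the list is likely to miss one copy. If the hotplug script cannot source a shared definition, at least mark the coupling on both lines with `# keep in sync with USER_INSTANCE_VARS in /usr/bin/ruantiblock`. Existing UCI configs will still carry `u_skip_marked_packets`; that is harmless because the list no longer names it, but it may deserve a mention in the changelog.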
@@ -2,13 +2,13 @@ ### Настройки ruantiblock ### ### Директория данных (генерируемые конфиги dnsmasq, nftset и пр.) -DATA_DIR="/tmp/ruantiblock" +DATA_DIR="/var/ruantiblock" ### Директория модулей MODULES_DIR="/usr/libexec/ruantiblock" ### Директория PID-файлов и файлов статуса -RUN_FILES_DIR="/tmp/run" +RUN_FILES_DIR="/var/run" ### Директория доп. конфигов dnsmasq -DNSMASQ_CFG_DIR="/tmp/dnsmasq.d" +DNSMASQ_CFG_DIR="/var/dnsmasq.d" ### Команда для перезапуска dnsmasq DNSMASQ_RESTART_CMD="/etc/init.d/dnsmasq restart" ### Директория для html-страницы статуса (не используется в OpenWrt) @@ -70,8 +70,6 @@ USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3 USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT=60 ### Кол-во экземпляров записей пользователя (не более 50!) USER_INSTANCES_MAX=5 -### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл) -SKIP_MARKED_PACKETS=0 ### Режим списка записей, исключаемых из обхода блокировок (0 - выкл, 1 - вкл) BYPASS_MODE=0 ### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет diff --git a/ruantiblock/files/usr/bin/ruantiblock b/ruantiblock/files/usr/bin/ruantiblock index e9dc6be..e01dad9 100755 --- a/ruantiblock/files/usr/bin/ruantiblock +++ b/ruantiblock/files/usr/bin/ruantiblock 
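Review bot: `DATA_DIR`, `RUN_FILES_DIR` and `DNSMASQ_CFG_DIR` move from `/tmp/...` to `/var/...`, but tools.js in this same commit still ships `dnsmasqCfgDirsRoot : '/tmp'` (its `@@ -34,25` hunk), so the UI and the daemon now spell the dnsmasq config root differently. On OpenWrt `/var` is a symlink to `/tmp`, so both resolve to the same tmpfs directory and nothing breaks there; on any other system the generated data would become persistent and the UI would look in the wrong place. Either change the tools.js constant to `'/var'` alongside this, or add a comment above `DATA_DIR` such as `### On OpenWrt /var resolves to /tmp (tmpfs); these paths are not persistent there` so the dependence is explicit.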
@@ -88,14 +88,10 @@ export NFTSET_POLICY_DNSMASQ="performance" export NFTSET_DNSMASQ_TIMEOUT="150m" ### Динамическое обновление таймаута записей в сете $NFTSET_DNSMASQ (0 - выкл, 1 - вкл) export NFTSET_DNSMASQ_TIMEOUT_UPDATE=1 -### Приоритет правила отбора пакетов nftables для конфигупации Tor или прозрачного прокси -export NFT_PRIO_NAT=-140 # dstnat - 10 (-110) -### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в конфигупации Tor или прозрачного прокси -export NFT_PRIO_NAT_LOCAL=-140 # dstnat - 10 (-110) -### Приоритет правила отбора пакетов nftables для VPN-конфигурации -export NFT_PRIO_ROUTE=-140 # mangle + 10 -### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в VPN-конфигурации -export NFT_PRIO_ROUTE_LOCAL=-140 # mangle + 10 +### Приоритет правил отбора пакетов nftables +export NFT_PRIO=-140 +### Приоритет правил отбора пакетов nftables для трафика локальных клиентов +export NFT_PRIO_LOCAL=-140 ### Кол-во попыток скачивания удаленного файла записей пользователя (в случае неудачи) export USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3 ### Таймаут между попытками скачивания 
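Review bot: The new `NFT_PRIO` / `NFT_PRIO_LOCAL` lines drop the only explanation of how `-140` relates to the firewall's own chains (the removed `# dstnat - 10 (-110)` and `# mangle + 10` remarks), and the single value is now used for both the nat- and route-hooked chains, with `AddNftRules` deriving `NFT_PRIO + 1` for the fproxy chain and `NFT_PRIO + 2` for the action chain. Carry the rationale over so the next person who tunes the value knows what it must sort before; for example `### NFT_PRIO, NFT_PRIO+1 (fproxy) and NFT_PRIO+2 (action) are the base-chain priorities used by AddNftRules; they must sort before the fw4 nat/mangle chains they precede` (the file's comments are in Russian, so phrase it accordingly).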
@@ -105,11 +101,9 @@ export USER_INSTANCES_DIR="${CONFIG_DIR}/user_instances" ### Директория списков записей пользователя export USER_LISTS_DIR="${CONFIG_DIR}/user_lists" ### Переменные экземпляров записей пользователя -export USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS" +export USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST" ### Кол-во экземпляров записей пользователя (не более 50!) export USER_INSTANCES_MAX=5 -### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл) -export SKIP_MARKED_PACKETS=0 ### Режим списка IP адресов исключаемых из обхода блокировок (0 - выкл, 1 - вкл) export BYPASS_MODE=0 ### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет @@ -250,7 +244,6 @@ export NFTSET_ONION="onion" export NFTSET_CIDR="c" export NFTSET_IP="i" export NFTSET_DNSMASQ="d" -export NFTSET_MARK_SET="mark_set" export NFTSET_ALLOWED_HOSTS_TYPE="ipv4_addr" export NFTSET_BYPASS_IP_TYPE="ipv4_addr" export NFTSET_BYPASS_FQDN_TYPE="ipv4_addr" 
@@ -260,7 +253,6 @@ export NFTSET_BLLIST_PROXY_TYPE="ipv4_addr" export NFTSET_CIDR_TYPE="ipv4_addr" export NFTSET_IP_TYPE="ipv4_addr" export NFTSET_DNSMASQ_TYPE="ipv4_addr" -export NFTSET_MARK_SET_TYPE="mark" export NFTSET_CIDR_PATTERN="set %s {type ${NFTSET_CIDR_TYPE};size ${NFTSET_MAXELEM_CIDR};policy ${NFTSET_POLICY_CIDR};flags interval;auto-merge;" export NFTSET_IP_PATTERN="set %s {type ${NFTSET_IP_TYPE};size ${NFTSET_MAXELEM_IP};policy ${NFTSET_POLICY_IP};flags dynamic;" export NFTSET_CIDR_STRING_MAIN=`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}"` @@ -318,7 +310,7 @@ cat << EOF reload : Renew nftables configuration update : Update blacklist force-update : Force update blacklist - blacklist-files : Create ${IP_DATA_FILE}, ${DNSMASQ_DATA_FILE}, ${DNSMASQ_DATA_FILE_BYPASS} (without network functions) + blacklist-files : Create ${IP_DATA_FILE}, ${IP_DATA_FILE_USER_INSTANCES}, ${DNSMASQ_DATA_FILE}, ${DNSMASQ_DATA_FILE_USER_INSTANCES}, ${IP_DATA_FILE_BYPASS}, ${DNSMASQ_DATA_FILE_BYPASS} (without network functions) status : Status & some info raw-status : Return code: 0 - enabled, 1 - error, 2 - disabled, 3 - starting, 4 - updating html-info : Return the html-info output @@ -422,7 +414,7 @@ FlushInstancesNftSets() { if [ "$_name" = " " ]; then _name="" else - _name="-${_name}" + _name=".${_name}" fi case "$_arg" in fqdn) @@ -456,7 +448,6 @@ AddBaseNftSets() { if [ -n "$_fproxy_private" ]; then $NFT_CMD add element $NFT_TABLE "$NFTSET_FPROXY_PRIVATE" { "$_fproxy_private" } fi - $NFT_CMD add set $NFT_TABLE "$NFTSET_MARK_SET" { type "$NFTSET_MARK_SET_TYPE"\; } } MakeInstanceNftSets() { 
@@ -464,7 +455,7 @@ MakeInstanceNftSets() { if [ "$_name" = " " ]; then _name="" else - _name="-${_name}" + _name=".${_name}" fi $NFT_CMD add set $NFT_TABLE "${NFTSET_CIDR}${_name}" { type "$NFTSET_CIDR_TYPE"\; size $NFTSET_MAXELEM_CIDR\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; } $NFT_CMD add set $NFT_TABLE "${NFTSET_IP}${_name}" { type "$NFTSET_IP_TYPE"\; size $NFTSET_MAXELEM_IP\; policy "$NFTSET_POLICY_IP"\; flags dynamic\; } @@ -494,7 +485,7 @@ UpdateBllistProxySet() { if [ "$_name" = " " ]; then _name="" else - _name="-${_name}" + _name=".${_name}" fi FlushNftSets "${NFTSET_BLLIST_PROXY}${_name}" for _host in `echo "$_urls" | $AWK_CMD ' 
@@ -564,21 +555,16 @@ AddUserInstancesNftRules() { do IncludeUserInstanceVars "$_inst" if [ "$U_PROXY_MODE" = "2" ]; then - _chain_prio_first=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + $_prio_offset)) - _chain_prio_local=$(($NFT_PRIO_ROUTE_LOCAL + $USER_INSTANCES_MAX + $_prio_offset)) _vpn_route_table_id=$(($_vpn_route_table_id + 1)) _route_table_id=$_vpn_route_table_id else - _chain_prio_first=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + $_prio_offset)) - _chain_prio_local=$(($NFT_PRIO_NAT_LOCAL + $USER_INSTANCES_MAX + $_prio_offset)) if [ "$U_PROXY_MODE" = "3" -a "$U_T_PROXY_TYPE" = "1" ]; then _tproxy_route_table_id=$(($_tproxy_route_table_id + 1)) fi _route_table_id=$_tproxy_route_table_id fi _pkts_mark=$(($_pkts_mark + 1)) - NftInstanceAdd "\"$U_NAME\"" $_pkts_mark $_chain_prio_first $_chain_prio_local $U_PROXY_MODE $U_TOR_TRANS_PORT $_route_table_id "\"$U_IF_VPN\"" $U_T_PROXY_TYPE $U_T_PROXY_PORT_TCP $U_T_PROXY_PORT_UDP $U_T_PROXY_ALLOW_UDP $U_ENABLE_ENTRIES_REMOTE_PROXY $U_ENABLE_FPROXY $U_SKIP_MARKED_PACKETS "\"$U_VPN_GW_IP\"" - $NFT_CMD add element $NFT_TABLE "$NFTSET_MARK_SET" { $_pkts_mark } + NftInstanceAdd "\"$U_NAME\"" $_pkts_mark $U_PROXY_MODE $U_TOR_TRANS_PORT $_route_table_id "\"$U_IF_VPN\"" $U_T_PROXY_TYPE $U_T_PROXY_PORT_TCP $U_T_PROXY_PORT_UDP $U_T_PROXY_ALLOW_UDP $U_ENABLE_ENTRIES_REMOTE_PROXY $U_ENABLE_FPROXY "\"$U_VPN_GW_IP\"" ClearUserInstanceVars _prio_offset=$(($_prio_offset - 1)) done 
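Review bot: `_prio_offset=$(($_prio_offset - 1))` is still executed at the end of every iteration, but the only consumers of `_prio_offset` in this loop were the `_chain_prio_first` / `_chain_prio_local` lines this commit removes, so the variable is now dead here unless it is read elsewhere in AddUserInstancesNftRules (the function starts before this hunk). If nothing else uses it, drop that line and its initialisation above the loop. The loop also no longer passes any priority to `NftInstanceAdd`, so the ordering of per-instance rules must now be guaranteed inside the base chains; a one-line comment stating that would help.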
@@ -602,32 +588,26 @@ DeleteUserInstancesNftRules() { } AddNftRules() { - local _chain_prio_first _chain_prio_local _route_table_id - if [ "$PROXY_MODE" = "2" ]; then - _chain_prio_first=$NFT_PRIO_ROUTE - _chain_prio_local=$NFT_PRIO_ROUTE_LOCAL - _chain_prio_sink=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + 1)) - _chain_prio_action=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + 2)) - _route_table_id=$VPN_ROUTE_TABLE_ID_START - else - _chain_prio_first=$NFT_PRIO_NAT - _chain_prio_local=$NFT_PRIO_NAT_LOCAL - _chain_prio_sink=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + 1)) - _chain_prio_action=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + 2)) - _route_table_id=$TPROXY_ROUTE_TABLE_ID_START - fi + local _chain_prio_first _chain_prio_local _chain_prio_fproxy _chain_prio_action _route_table_id + _chain_prio_first=$NFT_PRIO + _chain_prio_local=$NFT_PRIO_LOCAL + _chain_prio_fproxy=$(($NFT_PRIO + 1)) + _chain_prio_action=$(($NFT_PRIO + 2)) + _route_table_id=$VPN_ROUTE_TABLE_ID_START + NftAddBaseChains $_chain_prio_first $_chain_prio_local $_chain_prio_fproxy NftAddActionChains $_chain_prio_action - NftAddSinkChains $_chain_prio_sink AddUserInstancesNftRules - NftInstanceAdd "\" \"" $PKTS_MARK_START $_chain_prio_first $_chain_prio_local $PROXY_MODE $TOR_TRANS_PORT $_route_table_id "\"$IF_VPN\"" $T_PROXY_TYPE $T_PROXY_PORT_TCP $T_PROXY_PORT_UDP $T_PROXY_ALLOW_UDP $ENABLE_BLLIST_PROXY $ENABLE_FPROXY $SKIP_MARKED_PACKETS "\"$VPN_GW_IP\"" - $NFT_CMD add element $NFT_TABLE "$NFTSET_MARK_SET" { $PKTS_MARK_START } + NftInstanceAdd "\" \"" $PKTS_MARK_START $PROXY_MODE $TOR_TRANS_PORT $_route_table_id "\"$IF_VPN\"" $T_PROXY_TYPE $T_PROXY_PORT_TCP $T_PROXY_PORT_UDP $T_PROXY_ALLOW_UDP $ENABLE_BLLIST_PROXY $ENABLE_FPROXY "\"$VPN_GW_IP\"" + if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then + NftAddLocalClientsRule + fi } DeleteNftRules() { NftInstanceDelete " " DeleteUserInstancesNftRules - NftDeleteSinkChains NftDeleteActionChains + NftDeleteBaseChains if [ "$PROXY_MODE" = "2" ]; then NftRouteDelete 
$VPN_ROUTE_TABLE_ID_START 2> /dev/null elif [ "$PROXY_MODE" = "3" -a "$T_PROXY_TYPE" = "1" ]; then @@ -645,7 +625,7 @@ SetNetConfig() { DropNetConfig() { DeleteNftRules FlushInstancesNftSets - FlushNftSets "$NFTSET_ALLOWED_HOSTS" "$NFTSET_FPROXY_PRIVATE" "$NFTSET_BLLIST_PROXY" "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" "$NFTSET_MARK_SET" + FlushNftSets "$NFTSET_ALLOWED_HOSTS" "$NFTSET_FPROXY_PRIVATE" "$NFTSET_BLLIST_PROXY" "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" } DestroyNetConfig() { @@ -654,7 +634,7 @@ DestroyNetConfig() { } CheckStatus() { - NftReturnInstanceStatus " " + NftReturnStatus return $? } @@ -675,22 +655,6 @@ GetVpnRouteStatus() { return $_ret_val } -GetBllistChains() { - local _inst - for _inst in $USER_INSTANCES_ALL " " - do - NftListBllistChain "$_inst" - done -} - -GetBllistChainsJson() { - local _inst - for _inst in $USER_INSTANCES_ALL " " - do - NftListBllistChainJson "$_inst" - done -} - ClearDataFiles() { local _arg="$1" if [ -d "$DATA_DIR" ]; then @@ -781,8 +745,8 @@ AddBypassEntries() { ParseUserEntries() { $AWK_CMD -v NFTSET_IP_STRING="$1" -v NFTSET_CIDR_STRING="$2" -v NFTSET_DNSMASQ="$3" \ - -v IP_DATA_FILE="$4" -v DNSMASQ_DATA_FILE="$5" -v USER_ENTRIES_STATUS_FILE="$6" \ - -v ID="$7" -v USER_ENTRIES_DNS="$8" ' + -v IP_DATA_FILE="$4" -v DNSMASQ_DATA_FILE="$5" -v USER_ENTRIES_STATUS_FILE="$6" \ + -v ID="$7" -v USER_ENTRIES_DNS="$8" ' BEGIN { null = ""; ip_array[0] = null; 
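Review bot: DeleteNftRules now removes the per-instance chains before the shared base chains, but `blacklist`, `fproxy_chain` and `local_clients` still hold `goto ${NFT_MARK_CHAIN}${_name}` / `goto ${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}` references into them, and nft refuses to delete a chain that is still a jump/goto target, so `NftInstanceDelete " "` and `DeleteUserInstancesNftRules` should fail with EBUSY and leave the mark chains behind on the DropNetConfig path (DestroyNetConfig may mask this if it drops the whole table, but it is outside the hunk). Moving `NftDeleteBaseChains` to the top of `DeleteNftRules`, ahead of `NftInstanceDelete " "`, removes the referencing chains first and keeps the order inside NftDeleteBaseChains (allowed_hosts and local_clients before blacklist) valid. Separately, `_route_table_id=$VPN_ROUTE_TABLE_ID_START` is now unconditional in AddNftRules, so in PROXY_MODE=3 with T_PROXY_TYPE=1 the main instance presumably gets its route under the VPN table id while the mode-3 branch of DeleteNftRules, cut off at the hunk edge, looks like it still deletes by the TPROXY id; confirm the add and delete paths agree.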
@@ -880,14 +844,14 @@ AddUserEntries() { MakeLogRecord "debug" "ruantiblock.AddUserEntries._instance_entries_file=${_instance_entries_file}" fi - printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "${NFTSET_CIDR}-${_inst}" "$NFT_TABLE" "${NFTSET_IP}-${_inst}" >> "$_ip_data_file_user_instances" + printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "${NFTSET_CIDR}.${_inst}" "$NFT_TABLE" "${NFTSET_IP}.${_inst}" >> "$_ip_data_file_user_instances" if [ "$U_PROXY_MODE" != "2" -a "$U_PROXY_MODE" != "3" ]; then ### Запись для .onion - printf "server=/onion/%s\nnftset=/onion/%s#%s\n" "$U_ONION_DNS_ADDR" "$NFT_TABLE_DNSMASQ" "${NFTSET_ONION}-${_inst}" >> "$_dnsmasq_data_file_user_instances" + printf "server=/onion/%s\nnftset=/onion/%s#%s\n" "$U_ONION_DNS_ADDR" "$NFT_TABLE_DNSMASQ" "${NFTSET_ONION}.${_inst}" >> "$_dnsmasq_data_file_user_instances" fi if [ -f "$_instance_entries_file" ]; then - { cat "$_instance_entries_file"; printf "\n0\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}-${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}-${_inst}"`" "${NFTSET_DNSMASQ}-${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:local" "$U_ENTRIES_DNS" + { cat "$_instance_entries_file"; printf "\n0\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}.${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}.${_inst}"`" "${NFTSET_DNSMASQ}.${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:local" "$U_ENTRIES_DNS" fi if [ -n "$U_ENTRIES_REMOTE" ]; then for _url in $U_ENTRIES_REMOTE 
@@ -899,7 +863,7 @@ AddUserEntries() { if [ "$U_ENABLE_ENTRIES_REMOTE_PROXY" = "1" ]; then UpdateBllistProxySet "$_inst" "$_url" fi - { Download - "$_url"; printf "\n$?\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}-${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}-${_inst}"`" "${NFTSET_DNSMASQ}-${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:${_url}" "$U_ENTRIES_DNS" + { Download - "$_url"; printf "\n$?\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}.${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}.${_inst}"`" "${NFTSET_DNSMASQ}.${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:${_url}" "$U_ENTRIES_DNS" if [ $? -eq 0 ]; then _instance_return_code=0 break @@ -921,7 +885,7 @@ AddUserEntries() { fi done if [ "$U_ENABLE_ENTRIES_REMOTE_PROXY" = "1" ]; then - FlushNftSets "${NFTSET_BLLIST_PROXY}-${_inst}" + FlushNftSets "${NFTSET_BLLIST_PROXY}.${_inst}" fi fi ClearUserInstanceVars @@ -1193,7 +1157,7 @@ Reload() { } Status() { - local _inst _update_status _user_entries_status _vpn_error + local _update_status _user_entries_status _vpn_error if [ -f "$UPDATE_STATUS_FILE" ]; then _update_status=`$AWK_CMD '{ update_string=(NF < 4) ? "No data" : $4" (CIDR: "$1" | IP: "$2" | FQDN: "$3")"; 
@@ -1214,29 +1178,27 @@ Status() { if ! GetVpnRouteStatus; then _vpn_error="\033[1;31mVPN ROUTING ERROR! (NEED THE RESTART)\033[m" fi - NftListSinkChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" -v VPN_ERROR="$_vpn_error" ' + NftListBllistChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" -v VPN_ERROR="$_vpn_error" ' BEGIN { - rules_str = ""; + rules_str = ""; + nftset = ""; + bytes = ""; } - { - if($0 ~ /(table|chain|type|return|\{|\})/) { - next; + /@/ { + if(match($0, /@[^ ]+/) != 0) { + nftset = substr($0, RSTART+1, RLENGTH-1); + if(match($0, /bytes [^ ]+/) != 0) { + bytes = substr($0, RSTART+6, RLENGTH-6); + }; + rules_str = rules_str " Match-set: " nftset "\n Bytes: " bytes "\n\n"; }; - instance = $NF; - if(instance == "\"") { - instance = "-main-"; - }; - gsub("\"", "", instance); - proto = ($3 ~ /(tcp|udp)/) ? $3 : "all"; - bytes = (match($0, /bytes [^ ]+/) != 0) ? substr($0, RSTART+6, RLENGTH-6) : ""; - rules_str = rules_str " Instance:\t" instance "\n Protocol:\t" proto "\n Bytes:\t" bytes "\n\n"; } END { if(NR == 0) { printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1mDisabled\033[m\n\n"; exit 2; }; - printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1;32mEnabled\033[m\n\n DNSMASQ_CFG_DIR: " ENVIRON["DNSMASQ_CFG_DIR"] "\n\n PROXY_LOCAL_CLIENTS: " ENVIRON["PROXY_LOCAL_CLIENTS"] "\n\n Main Instance: \n PROXY_MODE: " ENVIRON["PROXY_MODE"] "\n BLLIST_PRESET: " ENVIRON["BLLIST_PRESET"] "\n BLLIST_MODULE: " ENVIRON["BLLIST_MODULE"] "\n"; + printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1;32mEnabled\033[m\n\n PROXY_MODE: " ENVIRON["PROXY_MODE"] "\n PROXY_LOCAL_CLIENTS: " ENVIRON["PROXY_LOCAL_CLIENTS"] "\n BLLIST_PRESET: " ENVIRON["BLLIST_PRESET"] "\n BLLIST_MODULE: " ENVIRON["BLLIST_MODULE"] "\n"; printf "\n "UPDATE_STATUS"\n"; if(length(USER_ENTRIES_STATUS) > 0) { printf "\n"USER_ENTRIES_STATUS"\n"; 
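Review bot: In the rewritten awk block `bytes` is initialised once in BEGIN and only overwritten when a `bytes` token is found, so a rule line that contains an `@set` but no counter would be printed with the previous rule's byte count. Every rule currently appended to the blacklist chain carries `counter`, so this is latent, but resetting per line is one statement: put `bytes = "";` at the top of the `/@/` action, before the `match($0, /bytes [^ ]+/)` call.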
@@ -1244,37 +1206,9 @@ Status() { if(length(VPN_ERROR) > 0) { printf "\n "VPN_ERROR"\n"; }; - printf "\n Transit traffic:\n\n"; + printf "\n \033[4mNftables rules\033[m:\n\n"; printf rules_str; }' - if [ $? -eq 0 -a "$PROXY_LOCAL_CLIENTS" = "1" ]; then - NftListSinkLocalChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" ' - BEGIN { - rules_str = ""; - } - { - if($0 ~ /(table|chain|type|return|\{|\})/) { - next; - }; - instance = $NF; - if(instance == "\"") { - instance = "-main-"; - }; - gsub("\"", "", instance); - proto = ($3 ~ /(tcp|udp)/) ? $3 : "all"; - bytes = (match($0, /bytes [^ ]+/) != 0) ? substr($0, RSTART+6, RLENGTH-6) : ""; - rules_str = rules_str " Instance:\t" instance "\n Protocol:\t" proto "\n Bytes:\t" bytes "\n\n"; - } - END { - if(NR == 0) { - exit 2; - }; - printf " Local traffic:\n\n"; - printf rules_str; - }' - else - return 2 - fi } StatusOutput() { diff --git a/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances b/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances index 6f8ed91..6e92d2f 100644 --- a/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances +++ b/ruantiblock/files/usr/share/ruantiblock/config_script_user_instances @@ -1,4 +1,4 @@ -UCI_VARS="u_enabled u_proxy_mode u_tor_trans_port u_onion_dns_addr u_if_vpn u_vpn_gw_ip u_t_proxy_type u_t_proxy_port_tcp u_t_proxy_port_udp u_t_proxy_allow_udp u_entries_dns u_entries_remote u_enable_entries_remote_proxy u_enable_fproxy u_fproxy_list u_skip_marked_packets" +UCI_VARS="u_enabled u_proxy_mode u_tor_trans_port u_onion_dns_addr u_if_vpn u_vpn_gw_ip u_t_proxy_type u_t_proxy_port_tcp u_t_proxy_port_udp u_t_proxy_allow_udp u_entries_dns u_entries_remote u_enable_entries_remote_proxy u_enable_fproxy u_fproxy_list" UCI_CMD=`which uci` if [ $? -ne 0 ]; then echo " Error! UCI doesn't exists" >&2 
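Review bot: `printf rules_str;` (kept as context right after the new heading line) uses the accumulated text as the awk format string, and with this commit `rules_str` is built from nftables set names that embed UCI instance names (`${NFTSET_CIDR}.${_inst}` and friends), so a `%` in an instance name would be treated as a conversion and garble or abort the status output. The names come from the router's own configuration, so this is a robustness rather than a privilege issue, but the fix is one token: `printf "%s", rules_str;`. Dropping the `else return 2` branch also looks like it changes Status()'s exit code for an enabled setup with local-client proxying off from 2 to awk's 0; if anything scripted around `Status` relied on the old value, note it in the changelog.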
@@ -7,7 +7,7 @@ fi AWK_CMD="awk" ListUserInstances() { - $UCI_CMD export "$NAME" | $AWK_CMD -v TYPE="user_instance" ' + $UCI_CMD -n export "$NAME" | $AWK_CMD -v TYPE="user_instance" ' BEGIN { instances=""; } diff --git a/ruantiblock/files/usr/share/ruantiblock/info_output b/ruantiblock/files/usr/share/ruantiblock/info_output index 50c77d9..f673c98 100644 --- a/ruantiblock/files/usr/share/ruantiblock/info_output +++ b/ruantiblock/files/usr/share/ruantiblock/info_output @@ -33,30 +33,36 @@ Info() { else _user_entries_status="[]" fi - NftListSinkChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" ' + NftListBllistChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" ' + BEGIN { + rules_str = ""; + } + { + rules_str = rules_str $0; + } END { if(NR == 0) { printf "{\"status\": \"disabled\"}"; exit 1; } else { - printf "{\"status\": \"enabled\",\"last_blacklist_update\": %s,\"user_entries\" :%s,\"sink\": %s", UPDATE_STATUS, USER_ENTRIES_STATUS, $0; + printf "{\"status\":\"enabled\",\"last_blacklist_update\":%s,\"user_entries\":%s,\"rules\":%s", UPDATE_STATUS, USER_ENTRIES_STATUS, rules_str; exit 0; }; }' if [ $? -eq 0 ]; then - if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then - printf ",\"sink_local\":" - NftListSinkLocalChainJson 2> /dev/null - fi printf ",\"dnsmasq\":" $NFT_CMD -j list set $NFT_TABLE "$NFTSET_DNSMASQ" 2> /dev/null printf ",\"dnsmasq_user_instances\":[" for _inst in $USER_INSTANCES_ALL do - $NFT_CMD -j list set $NFT_TABLE "${NFTSET_DNSMASQ}-${_inst}" 2> /dev/null + $NFT_CMD -j list set $NFT_TABLE "${NFTSET_DNSMASQ}.${_inst}" 2> /dev/null printf "," done printf "{\"dummy\": {}}]" + if [ "$BYPASS_MODE" = "1" ]; then + printf ",\"dnsmasq_bypass\":" + $NFT_CMD -j list set $NFT_TABLE "$NFTSET_BYPASS_FQDN" 2> /dev/null + fi printf "}" fi } 
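Review bot: The new `dnsmasq_bypass` member is emitted as `,\"dnsmasq_bypass\":` followed by whatever `nft -j list set` prints, so if the set cannot be listed (stderr is discarded and nft prints nothing on error) the document ends in `"dnsmasq_bypass":}` and the whole JSON consumed by the LuCI view is invalid. The existing `dnsmasq` member has the same weakness, and `dnsmasq_user_instances` works around it with the trailing `{"dummy": {}}` element; for the new member capture first and fall back to an empty object: `_bypass_json=$($NFT_CMD -j list set $NFT_TABLE "$NFTSET_BYPASS_FQDN" 2> /dev/null)` (or backticks per the file's style), `[ -n "$_bypass_json" ] || _bypass_json="{}"`, `printf ",\"dnsmasq_bypass\":%s" "$_bypass_json"`, declaring `_bypass_json` with the function's other locals, which sit above the hunk.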
diff --git a/ruantiblock/files/usr/share/ruantiblock/nft_functions b/ruantiblock/files/usr/share/ruantiblock/nft_functions index 8c48b7c..7ac7e15 100644 --- a/ruantiblock/files/usr/share/ruantiblock/nft_functions +++ b/ruantiblock/files/usr/share/ruantiblock/nft_functions @@ -1,24 +1,22 @@ NFT_ALLOWED_HOSTS_CHAIN="allowed_hosts" NFT_BLLIST_CHAIN="blacklist" -NFT_FPROXY_FILTER="fproxy_filter" NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN="dnsmasq_timeout_update" NFT_MARK_CHAIN="mark_chain" NFT_LOCAL_CLIENTS_CHAIN="local_clients" -NFT_SINK_CHAIN="sink" -NFT_SINK_LOCAL_CHAIN="sink_local" +NFT_FPROXY_CHAIN="fproxy_chain" NFT_ACTION_FILTER_CHAIN="action_filter" NFT_ACTION_NAT_CHAIN="action_nat" NFT_ACTION_NAT_LOCAL_CHAIN="action_nat_local" case "$ALLOWED_HOSTS_MODE" in "1") - NFT_ALLOWED_HOSTS_PATTERN="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s" + NFT_ALLOWED_HOSTS_PATTERN="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}" ;; "2") - NFT_ALLOWED_HOSTS_PATTERN="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s" + NFT_ALLOWED_HOSTS_PATTERN="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}" ;; *) - NFT_ALLOWED_HOSTS_PATTERN="jump ${NFT_BLLIST_CHAIN}%s" + NFT_ALLOWED_HOSTS_PATTERN="jump ${NFT_BLLIST_CHAIN}" ;; esac 
@@ -86,35 +84,52 @@ NftRouteStatus() { return 1 } -NftAddSinkChains() { - local _chain_prio_sink=$1 - $NFT_CMD add chain $NFT_TABLE "${NFT_SINK_CHAIN}" { type filter hook prerouting priority ${_chain_prio_sink}\; policy accept\; } - $NFT_CMD add chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" { type route hook output priority ${_chain_prio_sink}\; policy accept\; } - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta iif lo return +NftAddBaseChains() { + local _chain_prio_first=$1 _chain_prio_local=$2 _chain_prio_fproxy=$3 + $NFT_CMD add chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" { type route hook output priority ${_chain_prio_local}\; policy accept\; } + $NFT_CMD add chain $NFT_TABLE "$NFT_BLLIST_CHAIN" + $NFT_CMD add chain $NFT_TABLE "$NFT_FPROXY_CHAIN" { type filter hook prerouting priority ${_chain_prio_fproxy}\; policy accept\; } + $NFT_CMD add chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" { type filter hook prerouting priority ${_chain_prio_first}\; policy accept\; } + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_CHAIN" meta iif lo return + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_CHAIN" ip daddr "@${NFTSET_FPROXY_PRIVATE}" return + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" meta iif lo return + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" "$NFT_ALLOWED_HOSTS_PATTERN" + if [ "$BYPASS_MODE" = "1" ]; then + for _set in "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" + do + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter accept + done + fi } -NftDeleteSinkChains() { - $NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_CHAIN}" - $NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" +NftAddLocalClientsRule() { + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" jump "$NFT_BLLIST_CHAIN" +} + +NftDeleteBaseChains() { + $NFT_CMD delete chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" + $NFT_CMD delete chain $NFT_TABLE 
"$NFT_LOCAL_CLIENTS_CHAIN" + $NFT_CMD delete chain $NFT_TABLE "$NFT_BLLIST_CHAIN" + $NFT_CMD delete chain $NFT_TABLE "$NFT_FPROXY_CHAIN" } NftAddActionChains() { local _chain_prio_action=$1 - $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" { type filter hook prerouting priority ${_chain_prio_action}\; policy accept\; } - $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" { type nat hook prerouting priority ${_chain_prio_action}\; policy accept\; } - $NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" { type nat hook output priority ${_chain_prio_action}\; policy accept\; } + $NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" { type filter hook prerouting priority ${_chain_prio_action}\; policy accept\; } + $NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" { type nat hook prerouting priority ${_chain_prio_action}\; policy accept\; } + $NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" { type nat hook output priority ${_chain_prio_action}\; policy accept\; } } NftDeleteActionChains() { - $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" - $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" - $NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" + $NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" + $NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" + $NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" } NftInstanceAdd() { local _i _inst _first_chain_type _t_proxy_statement _chain_action_type _set - for _i in "_name" "_pkts_mark" "_chain_prio_first" "_chain_prio_local" "_proxy_mode" "_tor_trans_port" "_route_table_id" "_if_vpn" "_t_proxy_type" "_t_proxy_port_tcp" "_t_proxy_port_udp" "_t_proxy_allow_udp" "_enable_bllist_proxy" "_enable_fproxy" "_skip_marked_packets" "_vpn_gw_ip" + for _i in "_name" "_pkts_mark" "_proxy_mode" "_tor_trans_port" "_route_table_id" "_if_vpn" "_t_proxy_type" "_t_proxy_port_tcp" "_t_proxy_port_udp" "_t_proxy_allow_udp" "_enable_bllist_proxy" 
"_enable_fproxy" "_vpn_gw_ip" do eval "local $_i=$1" shift 
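Review bot: The argument-binding loop rewritten here still does `eval "local $_i=$1"`, which re-parses each caller value as shell code; the unquoted ports, modes and flags are presumably read from the UCI section (UCI_VARS lists u_tor_trans_port, u_t_proxy_port_tcp and so on), so a value such as `$(...)` or `; ...` in the config would execute as root whenever rules are (re)built. Configuration is root-owned on the router, so this is a config-injection footgun rather than a privilege boundary, but it is cheap to close: bind with `eval "local $_i=\"\$1\""`, which assigns the raw string without evaluating it, and then pass the name, interface and gateway as plain `"$U_NAME"`, `" "`, `"$U_IF_VPN"` at the call sites in AddNftRules/AddUserInstancesNftRules instead of the `\"...\"` wrapping that only exists to survive the current eval. The `for _set in` loop added to NftAddBaseChains also uses `_set` without declaring it in the `local` line, so it leaks into the caller's scope.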
@@ -124,12 +139,12 @@ NftInstanceAdd() { if [ "$_name" = " " ]; then _name="" else - _name="-${_name}" + _name=".${_name}" fi if [ $DEBUG -ge 1 ]; then - echo " nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}" >&2 - MakeLogRecord "debug" "nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}" + echo " nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _vpn_gw_ip=${_vpn_gw_ip}" >&2 + MakeLogRecord "debug" "nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} 
_t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _vpn_gw_ip=${_vpn_gw_ip}" fi if [ "$NFTSET_DNSMASQ_TIMEOUT_UPDATE" = "1" ]; then 
@@ -138,71 +153,43 @@ NftInstanceAdd() { _nft_dnsmasq_rule_target="${NFT_MARK_CHAIN}${_name}" fi - $NFT_CMD add chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" { type route hook output priority ${_chain_prio_local}\; policy accept\; } $NFT_CMD add chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}" - $NFT_CMD add chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" $NFT_CMD add chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" - $NFT_CMD add chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" - $NFT_CMD add chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" { type filter hook prerouting priority ${_chain_prio_first}\; policy accept\; } - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" ip daddr "@${NFTSET_FPROXY_PRIVATE}" return - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" jump "${NFT_MARK_CHAIN}${_name}" NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" ct state new set update ip daddr "@${NFTSET_DNSMASQ}${_name}" NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" jump "${NFT_MARK_CHAIN}${_name}" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" "`printf "$NFT_ALLOWED_HOSTS_PATTERN" "$_name"`" - if [ "$_proxy_mode" = "2" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\" - elif [ "$_proxy_mode" = "3" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\" + if [ "$_proxy_mode" = "3" ]; then if [ "$_t_proxy_type" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE 
"${NFT_ACTION_FILTER_CHAIN}" meta l4proto tcp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_tcp}" comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" meta l4proto tcp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_tcp}" comment \""$_inst"\" if [ "$_t_proxy_allow_udp" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto udp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_udp}" comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" meta l4proto udp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_udp}" comment \""$_inst"\" fi else - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\" if [ "$_t_proxy_allow_udp" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment 
\""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\" fi fi elif [ "$_proxy_mode" != "2" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\" - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\" fi NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_MARK_CHAIN}${_name}" mark set $_pkts_mark if [ "$_proxy_mode" != "2" -a "$_proxy_mode" != "3" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_ONION}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}" - fi - if [ "$_skip_marked_packets" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule 
$NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" meta mark "@${NFTSET_MARK_SET}" return + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_ONION}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\" fi if [ "$_enable_fproxy" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip saddr "@${NFTSET_FPROXY}${_name}" goto "${NFT_FPROXY_FILTER}${_name}" - fi - - if [ "$BYPASS_MODE" = "1" ]; then - for _set in "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" - do - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" accept - done + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_CHAIN" ip saddr "@${NFTSET_FPROXY}${_name}" goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\" fi for _set in "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}" do - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" counter goto "${NFT_MARK_CHAIN}${_name}" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\" done - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_DNSMASQ}${_name}" counter goto "$_nft_dnsmasq_rule_target" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_DNSMASQ}${_name}" counter goto "$_nft_dnsmasq_rule_target" comment \""$_inst"\" if [ "$_proxy_mode" = "2" ]; then NftRouteAdd vpn $_route_table_id $_pkts_mark "$_if_vpn" "$_vpn_gw_ip" 
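Review bot: With every instance now appending its `goto` rules to the single `$NFT_BLLIST_CHAIN`, which instance claims a destination present in several instances' sets is decided purely by insertion order (AddNftRules calls AddUserInstancesNftRules first and the main instance last) and nothing in NftInstanceAdd says so, whereas the old per-instance chains were ordered by explicit priorities. Add a comment above the `for _set in "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}"` loop such as `# Appended to the shared blacklist chain: the first matching instance wins (goto), so overlapping sets are resolved by the order AddNftRules adds instances (user instances before main).` The fproxy rule now goes into the shared `$NFT_FPROXY_CHAIN`, a separate prerouting base chain at `NFT_PRIO + 1` that runs after the allowed_hosts/blacklist decision and re-marks the packet for the fproxy instance regardless of what the blacklist chain chose; if that override is intended, say so next to that line.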
@@ -211,10 +198,7 @@ NftInstanceAdd() { fi if [ "$_enable_bllist_proxy" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" ip daddr "@${NFTSET_BLLIST_PROXY}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}" - fi - if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then - NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" jump "${NFT_BLLIST_CHAIN}${_name}" + NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" ip daddr "@${NFTSET_BLLIST_PROXY}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\" fi } 
@@ -223,59 +207,21 @@ NftInstanceDelete() { if [ -z "$_name" -o "$_name" = " " ]; then _name="" else - _name="-${_name}" + _name=".${_name}" fi - $NFT_CMD delete chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" - $NFT_CMD delete chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" - $NFT_CMD delete chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" $NFT_CMD delete chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" - $NFT_CMD delete chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" $NFT_CMD delete chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}" } NftListBllistChain() { - local _name="$1" - if [ -z "$_name" -o "$_name" = " " ]; then - _name="" - else - _name="-${_name}" - fi - $NFT_CMD -t list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" + $NFT_CMD -t list chain $NFT_TABLE "$NFT_BLLIST_CHAIN" } NftListBllistChainJson() { - local _name="$1" - if [ -z "$_name" -o "$_name" = " " ]; then - _name="" - else - _name="-${_name}" - fi - $NFT_CMD -t -j list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" + $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_BLLIST_CHAIN" } -NftListSinkChain() { - $NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_CHAIN" -} - -NftListSinkChainJson() { - $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_CHAIN" -} - -NftListSinkLocalChain() { - $NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN" -} - -NftListSinkLocalChainJson() { - $NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN" -} - -NftReturnInstanceStatus() { - local _name="$1" - if [ -z "$_name" -o "$_name" = " " ]; then - _name="" - else - _name="-${_name}" - fi - $NFT_CMD -c add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" continue &> /dev/null +NftReturnStatus() { + $NFT_CMD -c add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" continue &> /dev/null return $? } diff --git a/screenshots/07.jpg b/screenshots/07.jpg index 385008e..33693c6 100644 Binary files a/screenshots/07.jpg and b/screenshots/07.jpg differ