i11th/ruantiblock_openwrt
1
0
Fork 0
mirror of https://github.com/gSpotx2f/ruantiblock_openwrt.git synced 2026-05-14 06:30:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

v2.1. Refactoring, fixes & improvements.

Browse Source
This commit is contained in:
gSpot
2024-11-06 15:30:03 +03:00
parent 06219e9328
commit 0cc02a7ddd
18 changed files with 282 additions and 477 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ruantiblock/files/etc/config/ruantiblock
-5
View File
@@ -44,7 +44,6 @@ config user_instance 'list1'
option u_enable_entries_remote_proxy '0'
option u_entries_dns ''
option u_enable_fproxy '0'
option u_skip_marked_packets '0'
config user_instance 'list2'
option u_enabled '0'
@@ -59,7 +58,6 @@ config user_instance 'list2'
option u_enable_entries_remote_proxy '0'
option u_entries_dns ''
option u_enable_fproxy '0'
option u_skip_marked_packets '0'
config user_instance 'list3'
option u_enabled '0'
@@ -74,7 +72,6 @@ config user_instance 'list3'
option u_enable_entries_remote_proxy '0'
option u_entries_dns ''
option u_enable_fproxy '0'
option u_skip_marked_packets '0'
config user_instance 'list4'
option u_enabled '0'
@@ -89,7 +86,6 @@ config user_instance 'list4'
option u_enable_entries_remote_proxy '0'
option u_entries_dns ''
option u_enable_fproxy '0'
option u_skip_marked_packets '0'
config user_instance 'list5'
option u_enabled '0'
@@ -104,4 +100,3 @@ config user_instance 'list5'
option u_enable_entries_remote_proxy '0'
option u_entries_dns ''
option u_enable_fproxy '0'
option u_skip_marked_packets '0'
ruantiblock/files/etc/hotplug.d/iface/40-ruantiblock
+1 -1
View File
@@ -7,7 +7,7 @@ if [ "$ACTION" = "ifup" ]; then
USER_INSTANCES_COMMON="/usr/share/ruantiblock/user_instances_common"
CONFIG_SCRIPT_USER_INSTANCES="/usr/share/ruantiblock/config_script_user_instances"
USER_INSTANCES_DIR="/etc/ruantiblock/user_instances"
USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS"
USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST"
USER_INSTANCES_MAX=10
DEBUG=0
IF_VPN_CURRENT=""
ruantiblock/files/etc/ruantiblock/ruantiblock.conf
+3 -5
View File
@@ -2,13 +2,13 @@
### Настройки ruantiblock ###
### Директория данных (генерируемые конфиги dnsmasq, nftset и пр.)
DATA_DIR="/tmp/ruantiblock"
DATA_DIR="/var/ruantiblock"
### Директория модулей
MODULES_DIR="/usr/libexec/ruantiblock"
### Директория PID-файлов и файлов статуса
RUN_FILES_DIR="/tmp/run"
RUN_FILES_DIR="/var/run"
### Директория доп. конфигов dnsmasq
DNSMASQ_CFG_DIR="/tmp/dnsmasq.d"
DNSMASQ_CFG_DIR="/var/dnsmasq.d"
### Команда для перезапуска dnsmasq
DNSMASQ_RESTART_CMD="/etc/init.d/dnsmasq restart"
### Директория для html-страницы статуса (не используется в OpenWrt)
@@ -70,8 +70,6 @@ USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3
USER_ENTRIES_REMOTE_DOWNLOAD_TIMEOUT=60
### Кол-во экземпляров записей пользователя (не более 50!)
USER_INSTANCES_MAX=5
### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл)
SKIP_MARKED_PACKETS=0
### Режим списка записей, исключаемых из обхода блокировок (0 - выкл, 1 - вкл)
BYPASS_MODE=0
### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
ruantiblock/files/usr/bin/ruantiblock
+45 -111
View File
@@ -88,14 +88,10 @@ export NFTSET_POLICY_DNSMASQ="performance"
export NFTSET_DNSMASQ_TIMEOUT="150m"
### Динамическое обновление таймаута записей в сете $NFTSET_DNSMASQ (0 - выкл, 1 - вкл)
export NFTSET_DNSMASQ_TIMEOUT_UPDATE=1
### Приоритет правила отбора пакетов nftables для конфигупации Tor или прозрачного прокси
export NFT_PRIO_NAT=-140 # dstnat - 10 (-110)
### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в конфигупации Tor или прозрачного прокси
export NFT_PRIO_NAT_LOCAL=-140 # dstnat - 10 (-110)
### Приоритет правила отбора пакетов nftables для VPN-конфигурации
export NFT_PRIO_ROUTE=-140 # mangle + 10
### Приоритет правила отбора пакетов nftables для трафика локальных клиентов в VPN-конфигурации
export NFT_PRIO_ROUTE_LOCAL=-140 # mangle + 10
### Приоритет правил отбора пакетов nftables
export NFT_PRIO=-140
### Приоритет правил отбора пакетов nftables для трафика локальных клиентов
export NFT_PRIO_LOCAL=-140
### Кол-во попыток скачивания удаленного файла записей пользователя (в случае неудачи)
export USER_ENTRIES_REMOTE_DOWNLOAD_ATTEMPTS=3
### Таймаут между попытками скачивания
@@ -105,11 +101,9 @@ export USER_INSTANCES_DIR="${CONFIG_DIR}/user_instances"
### Директория списков записей пользователя
export USER_LISTS_DIR="${CONFIG_DIR}/user_lists"
### Переменные экземпляров записей пользователя
export USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST U_SKIP_MARKED_PACKETS"
export USER_INSTANCE_VARS="U_ENABLED U_NAME U_PROXY_MODE U_TOR_TRANS_PORT U_ONION_DNS_ADDR U_IF_VPN U_VPN_GW_IP U_T_PROXY_TYPE U_T_PROXY_PORT_TCP U_T_PROXY_PORT_UDP U_T_PROXY_ALLOW_UDP U_USER_ENTRIES_DNS U_USER_ENTRIES_REMOTE U_ENABLE_ENTRIES_REMOTE_PROXY U_ENABLE_FPROXY U_FPROXY_LIST"
### Кол-во экземпляров записей пользователя (не более 50!)
export USER_INSTANCES_MAX=5
### Пропускать мимо фильтра пакеты уже помеченные в записях пользователя (0 - выкл, 1 - вкл)
export SKIP_MARKED_PACKETS=0
### Режим списка IP адресов исключаемых из обхода блокировок (0 - выкл, 1 - вкл)
export BYPASS_MODE=0
### DNS-сервер для исключаемых записей (пустая строка - без DNS-сервера). Можно с портом: 8.8.8.8#53. Если в записи указан свой DNS-сервер - он имеет приоритет
@@ -250,7 +244,6 @@ export NFTSET_ONION="onion"
export NFTSET_CIDR="c"
export NFTSET_IP="i"
export NFTSET_DNSMASQ="d"
export NFTSET_MARK_SET="mark_set"
export NFTSET_ALLOWED_HOSTS_TYPE="ipv4_addr"
export NFTSET_BYPASS_IP_TYPE="ipv4_addr"
export NFTSET_BYPASS_FQDN_TYPE="ipv4_addr"
@@ -260,7 +253,6 @@ export NFTSET_BLLIST_PROXY_TYPE="ipv4_addr"
export NFTSET_CIDR_TYPE="ipv4_addr"
export NFTSET_IP_TYPE="ipv4_addr"
export NFTSET_DNSMASQ_TYPE="ipv4_addr"
export NFTSET_MARK_SET_TYPE="mark"
export NFTSET_CIDR_PATTERN="set %s {type ${NFTSET_CIDR_TYPE};size ${NFTSET_MAXELEM_CIDR};policy ${NFTSET_POLICY_CIDR};flags interval;auto-merge;"
export NFTSET_IP_PATTERN="set %s {type ${NFTSET_IP_TYPE};size ${NFTSET_MAXELEM_IP};policy ${NFTSET_POLICY_IP};flags dynamic;"
export NFTSET_CIDR_STRING_MAIN=`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}"`
@@ -318,7 +310,7 @@ cat << EOF
reload : Renew nftables configuration
update : Update blacklist
force-update : Force update blacklist
blacklist-files : Create ${IP_DATA_FILE}, ${DNSMASQ_DATA_FILE}, ${DNSMASQ_DATA_FILE_BYPASS} (without network functions)
blacklist-files : Create ${IP_DATA_FILE}, ${IP_DATA_FILE_USER_INSTANCES}, ${DNSMASQ_DATA_FILE}, ${DNSMASQ_DATA_FILE_USER_INSTANCES}, ${IP_DATA_FILE_BYPASS}, ${DNSMASQ_DATA_FILE_BYPASS} (without network functions)
status : Status & some info
raw-status : Return code: 0 - enabled, 1 - error, 2 - disabled, 3 - starting, 4 - updating
html-info : Return the html-info output
@@ -422,7 +414,7 @@ FlushInstancesNftSets() {
if [ "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
_name=".${_name}"
fi
case "$_arg" in
fqdn)
@@ -456,7 +448,6 @@ AddBaseNftSets() {
if [ -n "$_fproxy_private" ]; then
$NFT_CMD add element $NFT_TABLE "$NFTSET_FPROXY_PRIVATE" { "$_fproxy_private" }
fi
$NFT_CMD add set $NFT_TABLE "$NFTSET_MARK_SET" { type "$NFTSET_MARK_SET_TYPE"\; }
}
MakeInstanceNftSets() {
@@ -464,7 +455,7 @@ MakeInstanceNftSets() {
if [ "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
_name=".${_name}"
fi
$NFT_CMD add set $NFT_TABLE "${NFTSET_CIDR}${_name}" { type "$NFTSET_CIDR_TYPE"\; size $NFTSET_MAXELEM_CIDR\; policy "$NFTSET_POLICY_CIDR"\; flags interval\; auto-merge\; }
$NFT_CMD add set $NFT_TABLE "${NFTSET_IP}${_name}" { type "$NFTSET_IP_TYPE"\; size $NFTSET_MAXELEM_IP\; policy "$NFTSET_POLICY_IP"\; flags dynamic\; }
@@ -494,7 +485,7 @@ UpdateBllistProxySet() {
if [ "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
_name=".${_name}"
fi
FlushNftSets "${NFTSET_BLLIST_PROXY}${_name}"
for _host in `echo "$_urls" | $AWK_CMD '
@@ -564,21 +555,16 @@ AddUserInstancesNftRules() {
do
IncludeUserInstanceVars "$_inst"
if [ "$U_PROXY_MODE" = "2" ]; then
_chain_prio_first=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + $_prio_offset))
_chain_prio_local=$(($NFT_PRIO_ROUTE_LOCAL + $USER_INSTANCES_MAX + $_prio_offset))
_vpn_route_table_id=$(($_vpn_route_table_id + 1))
_route_table_id=$_vpn_route_table_id
else
_chain_prio_first=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + $_prio_offset))
_chain_prio_local=$(($NFT_PRIO_NAT_LOCAL + $USER_INSTANCES_MAX + $_prio_offset))
if [ "$U_PROXY_MODE" = "3" -a "$U_T_PROXY_TYPE" = "1" ]; then
_tproxy_route_table_id=$(($_tproxy_route_table_id + 1))
fi
_route_table_id=$_tproxy_route_table_id
fi
_pkts_mark=$(($_pkts_mark + 1))
NftInstanceAdd "\"$U_NAME\"" $_pkts_mark $_chain_prio_first $_chain_prio_local $U_PROXY_MODE $U_TOR_TRANS_PORT $_route_table_id "\"$U_IF_VPN\"" $U_T_PROXY_TYPE $U_T_PROXY_PORT_TCP $U_T_PROXY_PORT_UDP $U_T_PROXY_ALLOW_UDP $U_ENABLE_ENTRIES_REMOTE_PROXY $U_ENABLE_FPROXY $U_SKIP_MARKED_PACKETS "\"$U_VPN_GW_IP\""
$NFT_CMD add element $NFT_TABLE "$NFTSET_MARK_SET" { $_pkts_mark }
NftInstanceAdd "\"$U_NAME\"" $_pkts_mark $U_PROXY_MODE $U_TOR_TRANS_PORT $_route_table_id "\"$U_IF_VPN\"" $U_T_PROXY_TYPE $U_T_PROXY_PORT_TCP $U_T_PROXY_PORT_UDP $U_T_PROXY_ALLOW_UDP $U_ENABLE_ENTRIES_REMOTE_PROXY $U_ENABLE_FPROXY "\"$U_VPN_GW_IP\""
ClearUserInstanceVars
_prio_offset=$(($_prio_offset - 1))
done
@@ -602,32 +588,26 @@ DeleteUserInstancesNftRules() {
}
AddNftRules() {
local _chain_prio_first _chain_prio_local _route_table_id
if [ "$PROXY_MODE" = "2" ]; then
_chain_prio_first=$NFT_PRIO_ROUTE
_chain_prio_local=$NFT_PRIO_ROUTE_LOCAL
_chain_prio_sink=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + 1))
_chain_prio_action=$(($NFT_PRIO_ROUTE + $USER_INSTANCES_MAX + 2))
_route_table_id=$VPN_ROUTE_TABLE_ID_START
else
_chain_prio_first=$NFT_PRIO_NAT
_chain_prio_local=$NFT_PRIO_NAT_LOCAL
_chain_prio_sink=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + 1))
_chain_prio_action=$(($NFT_PRIO_NAT + $USER_INSTANCES_MAX + 2))
_route_table_id=$TPROXY_ROUTE_TABLE_ID_START
fi
local _chain_prio_first _chain_prio_local _chain_prio_fproxy _chain_prio_action _route_table_id
_chain_prio_first=$NFT_PRIO
_chain_prio_local=$NFT_PRIO_LOCAL
_chain_prio_fproxy=$(($NFT_PRIO + 1))
_chain_prio_action=$(($NFT_PRIO + 2))
_route_table_id=$VPN_ROUTE_TABLE_ID_START
NftAddBaseChains $_chain_prio_first $_chain_prio_local $_chain_prio_fproxy
NftAddActionChains $_chain_prio_action
NftAddSinkChains $_chain_prio_sink
AddUserInstancesNftRules
NftInstanceAdd "\" \"" $PKTS_MARK_START $_chain_prio_first $_chain_prio_local $PROXY_MODE $TOR_TRANS_PORT $_route_table_id "\"$IF_VPN\"" $T_PROXY_TYPE $T_PROXY_PORT_TCP $T_PROXY_PORT_UDP $T_PROXY_ALLOW_UDP $ENABLE_BLLIST_PROXY $ENABLE_FPROXY $SKIP_MARKED_PACKETS "\"$VPN_GW_IP\""
$NFT_CMD add element $NFT_TABLE "$NFTSET_MARK_SET" { $PKTS_MARK_START }
NftInstanceAdd "\" \"" $PKTS_MARK_START $PROXY_MODE $TOR_TRANS_PORT $_route_table_id "\"$IF_VPN\"" $T_PROXY_TYPE $T_PROXY_PORT_TCP $T_PROXY_PORT_UDP $T_PROXY_ALLOW_UDP $ENABLE_BLLIST_PROXY $ENABLE_FPROXY "\"$VPN_GW_IP\""
if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
NftAddLocalClientsRule
fi
}
DeleteNftRules() {
NftInstanceDelete " "
DeleteUserInstancesNftRules
NftDeleteSinkChains
NftDeleteActionChains
NftDeleteBaseChains
if [ "$PROXY_MODE" = "2" ]; then
NftRouteDelete $VPN_ROUTE_TABLE_ID_START 2> /dev/null
elif [ "$PROXY_MODE" = "3" -a "$T_PROXY_TYPE" = "1" ]; then
@@ -645,7 +625,7 @@ SetNetConfig() {
DropNetConfig() {
DeleteNftRules
FlushInstancesNftSets
FlushNftSets "$NFTSET_ALLOWED_HOSTS" "$NFTSET_FPROXY_PRIVATE" "$NFTSET_BLLIST_PROXY" "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN" "$NFTSET_MARK_SET"
FlushNftSets "$NFTSET_ALLOWED_HOSTS" "$NFTSET_FPROXY_PRIVATE" "$NFTSET_BLLIST_PROXY" "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN"
}
DestroyNetConfig() {
@@ -654,7 +634,7 @@ DestroyNetConfig() {
}
CheckStatus() {
NftReturnInstanceStatus " "
NftReturnStatus
return $?
}
@@ -675,22 +655,6 @@ GetVpnRouteStatus() {
return $_ret_val
}
GetBllistChains() {
local _inst
for _inst in $USER_INSTANCES_ALL " "
do
NftListBllistChain "$_inst"
done
}
GetBllistChainsJson() {
local _inst
for _inst in $USER_INSTANCES_ALL " "
do
NftListBllistChainJson "$_inst"
done
}
ClearDataFiles() {
local _arg="$1"
if [ -d "$DATA_DIR" ]; then
@@ -781,8 +745,8 @@ AddBypassEntries() {
ParseUserEntries() {
$AWK_CMD -v NFTSET_IP_STRING="$1" -v NFTSET_CIDR_STRING="$2" -v NFTSET_DNSMASQ="$3" \
-v IP_DATA_FILE="$4" -v DNSMASQ_DATA_FILE="$5" -v USER_ENTRIES_STATUS_FILE="$6" \
-v ID="$7" -v USER_ENTRIES_DNS="$8" '
-v IP_DATA_FILE="$4" -v DNSMASQ_DATA_FILE="$5" -v USER_ENTRIES_STATUS_FILE="$6" \
-v ID="$7" -v USER_ENTRIES_DNS="$8" '
BEGIN {
null = "";
ip_array[0] = null;
@@ -880,14 +844,14 @@ AddUserEntries() {
MakeLogRecord "debug" "ruantiblock.AddUserEntries._instance_entries_file=${_instance_entries_file}"
fi
printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "${NFTSET_CIDR}-${_inst}" "$NFT_TABLE" "${NFTSET_IP}-${_inst}" >> "$_ip_data_file_user_instances"
printf "flush set %s %s\nflush set %s %s\n" "$NFT_TABLE" "${NFTSET_CIDR}.${_inst}" "$NFT_TABLE" "${NFTSET_IP}.${_inst}" >> "$_ip_data_file_user_instances"
if [ "$U_PROXY_MODE" != "2" -a "$U_PROXY_MODE" != "3" ]; then
### Запись для .onion
printf "server=/onion/%s\nnftset=/onion/%s#%s\n" "$U_ONION_DNS_ADDR" "$NFT_TABLE_DNSMASQ" "${NFTSET_ONION}-${_inst}" >> "$_dnsmasq_data_file_user_instances"
printf "server=/onion/%s\nnftset=/onion/%s#%s\n" "$U_ONION_DNS_ADDR" "$NFT_TABLE_DNSMASQ" "${NFTSET_ONION}.${_inst}" >> "$_dnsmasq_data_file_user_instances"
fi
if [ -f "$_instance_entries_file" ]; then
{ cat "$_instance_entries_file"; printf "\n0\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}-${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}-${_inst}"`" "${NFTSET_DNSMASQ}-${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:local" "$U_ENTRIES_DNS"
{ cat "$_instance_entries_file"; printf "\n0\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}.${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}.${_inst}"`" "${NFTSET_DNSMASQ}.${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:local" "$U_ENTRIES_DNS"
fi
if [ -n "$U_ENTRIES_REMOTE" ]; then
for _url in $U_ENTRIES_REMOTE
@@ -899,7 +863,7 @@ AddUserEntries() {
if [ "$U_ENABLE_ENTRIES_REMOTE_PROXY" = "1" ]; then
UpdateBllistProxySet "$_inst" "$_url"
fi
{ Download - "$_url"; printf "\n$?\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}-${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}-${_inst}"`" "${NFTSET_DNSMASQ}-${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:${_url}" "$U_ENTRIES_DNS"
{ Download - "$_url"; printf "\n$?\n"; } | ParseUserEntries "`printf "$NFTSET_IP_PATTERN" "${NFTSET_IP}.${_inst}"`" "`printf "$NFTSET_CIDR_PATTERN" "${NFTSET_CIDR}.${_inst}"`" "${NFTSET_DNSMASQ}.${_inst}" "$_ip_data_file_user_instances" "$_dnsmasq_data_file_user_instances" "$_user_entries_status_file" "${_inst}:${_url}" "$U_ENTRIES_DNS"
if [ $? -eq 0 ]; then
_instance_return_code=0
break
@@ -921,7 +885,7 @@ AddUserEntries() {
fi
done
if [ "$U_ENABLE_ENTRIES_REMOTE_PROXY" = "1" ]; then
FlushNftSets "${NFTSET_BLLIST_PROXY}-${_inst}"
FlushNftSets "${NFTSET_BLLIST_PROXY}.${_inst}"
fi
fi
ClearUserInstanceVars
@@ -1193,7 +1157,7 @@ Reload() {
}
Status() {
local _inst _update_status _user_entries_status _vpn_error
local _update_status _user_entries_status _vpn_error
if [ -f "$UPDATE_STATUS_FILE" ]; then
_update_status=`$AWK_CMD '{
update_string=(NF < 4) ? "No data" : $4" (CIDR: "$1" | IP: "$2" | FQDN: "$3")";
@@ -1214,29 +1178,27 @@ Status() {
if ! GetVpnRouteStatus; then
_vpn_error="\033[1;31mVPN ROUTING ERROR! (NEED THE RESTART)\033[m"
fi
NftListSinkChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" -v VPN_ERROR="$_vpn_error" '
NftListBllistChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" -v VPN_ERROR="$_vpn_error" '
BEGIN {
rules_str = "";
rules_str = "";
nftset = "";
bytes = "";
}
{
if($0 ~ /(table|chain|type|return|\{|\})/) {
next;
/@/ {
if(match($0, /@[^ ]+/) != 0) {
nftset = substr($0, RSTART+1, RLENGTH-1);
if(match($0, /bytes [^ ]+/) != 0) {
bytes = substr($0, RSTART+6, RLENGTH-6);
};
rules_str = rules_str " Match-set: " nftset "\n Bytes: " bytes "\n\n";
};
instance = $NF;
if(instance == "\"") {
instance = "-main-";
};
gsub("\"", "", instance);
proto = ($3 ~ /(tcp|udp)/) ? $3 : "all";
bytes = (match($0, /bytes [^ ]+/) != 0) ? substr($0, RSTART+6, RLENGTH-6) : "";
rules_str = rules_str " Instance:\t" instance "\n Protocol:\t" proto "\n Bytes:\t" bytes "\n\n";
}
END {
if(NR == 0) {
printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1mDisabled\033[m\n\n";
exit 2;
};
printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1;32mEnabled\033[m\n\n DNSMASQ_CFG_DIR: " ENVIRON["DNSMASQ_CFG_DIR"] "\n\n PROXY_LOCAL_CLIENTS: " ENVIRON["PROXY_LOCAL_CLIENTS"] "\n\n Main Instance: \n PROXY_MODE: " ENVIRON["PROXY_MODE"] "\n BLLIST_PRESET: " ENVIRON["BLLIST_PRESET"] "\n BLLIST_MODULE: " ENVIRON["BLLIST_MODULE"] "\n";
printf "\n \033[1m" ENVIRON["NAME"] " status\033[m: \033[1;32mEnabled\033[m\n\n PROXY_MODE: " ENVIRON["PROXY_MODE"] "\n PROXY_LOCAL_CLIENTS: " ENVIRON["PROXY_LOCAL_CLIENTS"] "\n BLLIST_PRESET: " ENVIRON["BLLIST_PRESET"] "\n BLLIST_MODULE: " ENVIRON["BLLIST_MODULE"] "\n";
printf "\n "UPDATE_STATUS"\n";
if(length(USER_ENTRIES_STATUS) > 0) {
printf "\n"USER_ENTRIES_STATUS"\n";
@@ -1244,37 +1206,9 @@ Status() {
if(length(VPN_ERROR) > 0) {
printf "\n "VPN_ERROR"\n";
};
printf "\n Transit traffic:\n\n";
printf "\n \033[4mNftables rules\033[m:\n\n";
printf rules_str;
}'
if [ $? -eq 0 -a "$PROXY_LOCAL_CLIENTS" = "1" ]; then
NftListSinkLocalChain 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
BEGIN {
rules_str = "";
}
{
if($0 ~ /(table|chain|type|return|\{|\})/) {
next;
};
instance = $NF;
if(instance == "\"") {
instance = "-main-";
};
gsub("\"", "", instance);
proto = ($3 ~ /(tcp|udp)/) ? $3 : "all";
bytes = (match($0, /bytes [^ ]+/) != 0) ? substr($0, RSTART+6, RLENGTH-6) : "";
rules_str = rules_str " Instance:\t" instance "\n Protocol:\t" proto "\n Bytes:\t" bytes "\n\n";
}
END {
if(NR == 0) {
exit 2;
};
printf " Local traffic:\n\n";
printf rules_str;
}'
else
return 2
fi
}
StatusOutput() {
ruantiblock/files/usr/share/ruantiblock/config_script_user_instances
+2 -2
View File
@@ -1,4 +1,4 @@
UCI_VARS="u_enabled u_proxy_mode u_tor_trans_port u_onion_dns_addr u_if_vpn u_vpn_gw_ip u_t_proxy_type u_t_proxy_port_tcp u_t_proxy_port_udp u_t_proxy_allow_udp u_entries_dns u_entries_remote u_enable_entries_remote_proxy u_enable_fproxy u_fproxy_list u_skip_marked_packets"
UCI_VARS="u_enabled u_proxy_mode u_tor_trans_port u_onion_dns_addr u_if_vpn u_vpn_gw_ip u_t_proxy_type u_t_proxy_port_tcp u_t_proxy_port_udp u_t_proxy_allow_udp u_entries_dns u_entries_remote u_enable_entries_remote_proxy u_enable_fproxy u_fproxy_list"
UCI_CMD=`which uci`
if [ $? -ne 0 ]; then
echo " Error! UCI doesn't exists" >&2
@@ -7,7 +7,7 @@ fi
AWK_CMD="awk"
ListUserInstances() {
$UCI_CMD export "$NAME" | $AWK_CMD -v TYPE="user_instance" '
$UCI_CMD -n export "$NAME" | $AWK_CMD -v TYPE="user_instance" '
BEGIN {
instances="";
}
ruantiblock/files/usr/share/ruantiblock/info_output
+13 -7
View File
@@ -33,30 +33,36 @@ Info() {
else
_user_entries_status="[]"
fi
NftListSinkChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
NftListBllistChainJson 2> /dev/null | $AWK_CMD -v UPDATE_STATUS="$_update_status" -v USER_ENTRIES_STATUS="$_user_entries_status" '
BEGIN {
rules_str = "";
}
{
rules_str = rules_str $0;
}
END {
if(NR == 0) {
printf "{\"status\": \"disabled\"}";
exit 1;
} else {
printf "{\"status\": \"enabled\",\"last_blacklist_update\": %s,\"user_entries\" :%s,\"sink\": %s", UPDATE_STATUS, USER_ENTRIES_STATUS, $0;
printf "{\"status\":\"enabled\",\"last_blacklist_update\":%s,\"user_entries\":%s,\"rules\":%s", UPDATE_STATUS, USER_ENTRIES_STATUS, rules_str;
exit 0;
};
}'
if [ $? -eq 0 ]; then
if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
printf ",\"sink_local\":"
NftListSinkLocalChainJson 2> /dev/null
fi
printf ",\"dnsmasq\":"
$NFT_CMD -j list set $NFT_TABLE "$NFTSET_DNSMASQ" 2> /dev/null
printf ",\"dnsmasq_user_instances\":["
for _inst in $USER_INSTANCES_ALL
do
$NFT_CMD -j list set $NFT_TABLE "${NFTSET_DNSMASQ}-${_inst}" 2> /dev/null
$NFT_CMD -j list set $NFT_TABLE "${NFTSET_DNSMASQ}.${_inst}" 2> /dev/null
printf ","
done
printf "{\"dummy\": {}}]"
if [ "$BYPASS_MODE" = "1" ]; then
printf ",\"dnsmasq_bypass\":"
$NFT_CMD -j list set $NFT_TABLE "$NFTSET_BYPASS_FQDN" 2> /dev/null
fi
printf "}"
fi
}
ruantiblock/files/usr/share/ruantiblock/nft_functions
+58 -112
View File
@@ -1,24 +1,22 @@
NFT_ALLOWED_HOSTS_CHAIN="allowed_hosts"
NFT_BLLIST_CHAIN="blacklist"
NFT_FPROXY_FILTER="fproxy_filter"
NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN="dnsmasq_timeout_update"
NFT_MARK_CHAIN="mark_chain"
NFT_LOCAL_CLIENTS_CHAIN="local_clients"
NFT_SINK_CHAIN="sink"
NFT_SINK_LOCAL_CHAIN="sink_local"
NFT_FPROXY_CHAIN="fproxy_chain"
NFT_ACTION_FILTER_CHAIN="action_filter"
NFT_ACTION_NAT_CHAIN="action_nat"
NFT_ACTION_NAT_LOCAL_CHAIN="action_nat_local"
case "$ALLOWED_HOSTS_MODE" in
"1")
NFT_ALLOWED_HOSTS_PATTERN="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s"
NFT_ALLOWED_HOSTS_PATTERN="ip saddr @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}"
;;
"2")
NFT_ALLOWED_HOSTS_PATTERN="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}%s"
NFT_ALLOWED_HOSTS_PATTERN="ip saddr != @${NFTSET_ALLOWED_HOSTS} jump ${NFT_BLLIST_CHAIN}"
;;
*)
NFT_ALLOWED_HOSTS_PATTERN="jump ${NFT_BLLIST_CHAIN}%s"
NFT_ALLOWED_HOSTS_PATTERN="jump ${NFT_BLLIST_CHAIN}"
;;
esac
@@ -86,35 +84,52 @@ NftRouteStatus() {
return 1
}
NftAddSinkChains() {
local _chain_prio_sink=$1
$NFT_CMD add chain $NFT_TABLE "${NFT_SINK_CHAIN}" { type filter hook prerouting priority ${_chain_prio_sink}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" { type route hook output priority ${_chain_prio_sink}\; policy accept\; }
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta iif lo return
NftAddBaseChains() {
local _chain_prio_first=$1 _chain_prio_local=$2 _chain_prio_fproxy=$3
$NFT_CMD add chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" { type route hook output priority ${_chain_prio_local}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
$NFT_CMD add chain $NFT_TABLE "$NFT_FPROXY_CHAIN" { type filter hook prerouting priority ${_chain_prio_fproxy}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" { type filter hook prerouting priority ${_chain_prio_first}\; policy accept\; }
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_CHAIN" meta iif lo return
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_CHAIN" ip daddr "@${NFTSET_FPROXY_PRIVATE}" return
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" meta iif lo return
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" "$NFT_ALLOWED_HOSTS_PATTERN"
if [ "$BYPASS_MODE" = "1" ]; then
for _set in "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN"
do
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter accept
done
fi
}
NftDeleteSinkChains() {
$NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_CHAIN}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}"
NftAddLocalClientsRule() {
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" jump "$NFT_BLLIST_CHAIN"
}
NftDeleteBaseChains() {
$NFT_CMD delete chain $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN"
$NFT_CMD delete chain $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN"
$NFT_CMD delete chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
$NFT_CMD delete chain $NFT_TABLE "$NFT_FPROXY_CHAIN"
}
NftAddActionChains() {
local _chain_prio_action=$1
$NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" { type filter hook prerouting priority ${_chain_prio_action}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" { type nat hook prerouting priority ${_chain_prio_action}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" { type nat hook output priority ${_chain_prio_action}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" { type filter hook prerouting priority ${_chain_prio_action}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" { type nat hook prerouting priority ${_chain_prio_action}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" { type nat hook output priority ${_chain_prio_action}\; policy accept\; }
}
NftDeleteActionChains() {
$NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}"
$NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN"
$NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_NAT_CHAIN"
$NFT_CMD delete chain $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN"
}
NftInstanceAdd() {
local _i _inst _first_chain_type _t_proxy_statement _chain_action_type _set
for _i in "_name" "_pkts_mark" "_chain_prio_first" "_chain_prio_local" "_proxy_mode" "_tor_trans_port" "_route_table_id" "_if_vpn" "_t_proxy_type" "_t_proxy_port_tcp" "_t_proxy_port_udp" "_t_proxy_allow_udp" "_enable_bllist_proxy" "_enable_fproxy" "_skip_marked_packets" "_vpn_gw_ip"
for _i in "_name" "_pkts_mark" "_proxy_mode" "_tor_trans_port" "_route_table_id" "_if_vpn" "_t_proxy_type" "_t_proxy_port_tcp" "_t_proxy_port_udp" "_t_proxy_allow_udp" "_enable_bllist_proxy" "_enable_fproxy" "_vpn_gw_ip"
do
eval "local $_i=$1"
shift
@@ -124,12 +139,12 @@ NftInstanceAdd() {
if [ "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
_name=".${_name}"
fi
if [ $DEBUG -ge 1 ]; then
echo " nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}" >&2
MakeLogRecord "debug" "nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _chain_prio_first=${_chain_prio_first} _chain_prio_local=${_chain_prio_local} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _skip_marked_packets=${_skip_marked_packets} _vpn_gw_ip=${_vpn_gw_ip}"
echo " nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _vpn_gw_ip=${_vpn_gw_ip}" >&2
MakeLogRecord "debug" "nft_functions.NftInstanceAdd.args: _name=${_name} _pkts_mark=${_pkts_mark} _proxy_mode=${_proxy_mode} _tor_trans_port=${_tor_trans_port} _route_table_id=${_route_table_id} _if_vpn=${_if_vpn} _t_proxy_type=${_t_proxy_type} _t_proxy_port_tcp=${_t_proxy_port_tcp} _t_proxy_port_udp=${_t_proxy_port_udp} _t_proxy_allow_udp=${_t_proxy_allow_udp} _enable_bllist_proxy=${_enable_bllist_proxy} _enable_fproxy=${_enable_fproxy} _vpn_gw_ip=${_vpn_gw_ip}"
fi
if [ "$NFTSET_DNSMASQ_TIMEOUT_UPDATE" = "1" ]; then
@@ -138,71 +153,43 @@ NftInstanceAdd() {
_nft_dnsmasq_rule_target="${NFT_MARK_CHAIN}${_name}"
fi
$NFT_CMD add chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" { type route hook output priority ${_chain_prio_local}\; policy accept\; }
$NFT_CMD add chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}"
$NFT_CMD add chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}"
$NFT_CMD add chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
$NFT_CMD add chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
$NFT_CMD add chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" { type filter hook prerouting priority ${_chain_prio_first}\; policy accept\; }
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" ip daddr "@${NFTSET_FPROXY_PRIVATE}" return
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}" jump "${NFT_MARK_CHAIN}${_name}"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" ct state new set update ip daddr "@${NFTSET_DNSMASQ}${_name}"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}" jump "${NFT_MARK_CHAIN}${_name}"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" "`printf "$NFT_ALLOWED_HOSTS_PATTERN" "$_name"`"
if [ "$_proxy_mode" = "2" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta mark $_pkts_mark counter comment \""$_inst"\"
elif [ "$_proxy_mode" = "3" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
if [ "$_proxy_mode" = "3" ]; then
if [ "$_t_proxy_type" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto tcp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" meta l4proto tcp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
if [ "$_t_proxy_allow_udp" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_FILTER_CHAIN}" meta l4proto udp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_udp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_FILTER_CHAIN" meta l4proto udp meta mark $_pkts_mark tproxy to ":${_t_proxy_port_udp}" comment \""$_inst"\"
fi
else
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_t_proxy_port_tcp}" comment \""$_inst"\"
if [ "$_t_proxy_allow_udp" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto udp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" meta l4proto udp meta mark $_pkts_mark redirect to ":${_t_proxy_port_udp}" comment \""$_inst"\"
fi
fi
elif [ "$_proxy_mode" != "2" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_ACTION_NAT_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_SINK_LOCAL_CHAIN}" meta l4proto tcp meta mark $_pkts_mark counter comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_ACTION_NAT_LOCAL_CHAIN" meta l4proto tcp meta mark $_pkts_mark redirect to ":${_tor_trans_port}" comment \""$_inst"\"
fi
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_MARK_CHAIN}${_name}" mark set $_pkts_mark
if [ "$_proxy_mode" != "2" -a "$_proxy_mode" != "3" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_ONION}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}"
fi
if [ "$_skip_marked_packets" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" meta mark "@${NFTSET_MARK_SET}" return
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_ONION}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\"
fi
if [ "$_enable_fproxy" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip saddr "@${NFTSET_FPROXY}${_name}" goto "${NFT_FPROXY_FILTER}${_name}"
fi
if [ "$BYPASS_MODE" = "1" ]; then
for _set in "$NFTSET_BYPASS_IP" "$NFTSET_BYPASS_FQDN"
do
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" accept
done
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_FPROXY_CHAIN" ip saddr "@${NFTSET_FPROXY}${_name}" goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\"
fi
for _set in "${NFTSET_CIDR}${_name}" "${NFTSET_IP}${_name}"
do
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${_set}" counter goto "${NFT_MARK_CHAIN}${_name}"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${_set}" counter goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\"
done
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}" ip daddr "@${NFTSET_DNSMASQ}${_name}" counter goto "$_nft_dnsmasq_rule_target"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_BLLIST_CHAIN" ip daddr "@${NFTSET_DNSMASQ}${_name}" counter goto "$_nft_dnsmasq_rule_target" comment \""$_inst"\"
if [ "$_proxy_mode" = "2" ]; then
NftRouteAdd vpn $_route_table_id $_pkts_mark "$_if_vpn" "$_vpn_gw_ip"
@@ -211,10 +198,7 @@ NftInstanceAdd() {
fi
if [ "$_enable_bllist_proxy" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" ip daddr "@${NFTSET_BLLIST_PROXY}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}"
fi
if [ "$PROXY_LOCAL_CLIENTS" = "1" ]; then
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}" jump "${NFT_BLLIST_CHAIN}${_name}"
NftCmdWrapper $NFT_CMD add rule $NFT_TABLE "$NFT_LOCAL_CLIENTS_CHAIN" ip daddr "@${NFTSET_BLLIST_PROXY}${_name}" counter goto "${NFT_MARK_CHAIN}${_name}" comment \""$_inst"\"
fi
}
@@ -223,59 +207,21 @@ NftInstanceDelete() {
if [ -z "$_name" -o "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
_name=".${_name}"
fi
$NFT_CMD delete chain $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_LOCAL_CLIENTS_CHAIN}${_name}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_DNSMASQ_TIMEOUT_UPDATE_CHAIN}${_name}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_FPROXY_FILTER}${_name}"
$NFT_CMD delete chain $NFT_TABLE "${NFT_MARK_CHAIN}${_name}"
}
NftListBllistChain() {
local _name="$1"
if [ -z "$_name" -o "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
fi
$NFT_CMD -t list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
$NFT_CMD -t list chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
}
NftListBllistChainJson() {
local _name="$1"
if [ -z "$_name" -o "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
fi
$NFT_CMD -t -j list chain $NFT_TABLE "${NFT_BLLIST_CHAIN}${_name}"
$NFT_CMD -t -j list chain $NFT_TABLE "$NFT_BLLIST_CHAIN"
}
NftListSinkChain() {
$NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_CHAIN"
}
NftListSinkChainJson() {
$NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_CHAIN"
}
NftListSinkLocalChain() {
$NFT_CMD -t list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN"
}
NftListSinkLocalChainJson() {
$NFT_CMD -t -j list chain $NFT_TABLE "$NFT_SINK_LOCAL_CHAIN"
}
NftReturnInstanceStatus() {
local _name="$1"
if [ -z "$_name" -o "$_name" = " " ]; then
_name=""
else
_name="-${_name}"
fi
$NFT_CMD -c add rule $NFT_TABLE "${NFT_ALLOWED_HOSTS_CHAIN}${_name}" continue &> /dev/null
NftReturnStatus() {
$NFT_CMD -c add rule $NFT_TABLE "$NFT_ALLOWED_HOSTS_CHAIN" continue &> /dev/null
return $?
}