update 2023-06-10 20:13:57
This commit is contained in:
parent
e8b0f6be8c
commit
0dd7b91f45
@ -6,7 +6,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall
|
||||
PKG_VERSION:=4.66-6
|
||||
PKG_VERSION:=4.66-7
|
||||
PKG_RELEASE:=
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
|
@ -8,6 +8,7 @@ local jsonc = api.jsonc
|
||||
|
||||
local CONFIG = "passwall_server"
|
||||
local CONFIG_PATH = "/tmp/etc/" .. CONFIG
|
||||
local NFT_INCLUDE_FILE = CONFIG_PATH .. "/" .. CONFIG .. ".nft"
|
||||
local LOG_APP_FILE = "/tmp/log/" .. CONFIG .. ".log"
|
||||
local TMP_BIN_PATH = CONFIG_PATH .. "/bin"
|
||||
local require_dir = "luci.passwall."
|
||||
@ -49,11 +50,6 @@ end
|
||||
|
||||
local function gen_include()
|
||||
cmd(string.format("echo '#!/bin/sh' > /tmp/etc/%s.include", CONFIG))
|
||||
if nft_flag == "1" then
|
||||
cmd("echo \"\" > " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft")
|
||||
local nft_cmd = "for chain in $(nft -a list chains |grep -E \"chain PSW-SERVER\" |awk -F ' ' '{print$2}'); do\n nft list chain inet fw4 ${chain} >> " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n done"
|
||||
cmd(nft_cmd)
|
||||
end
|
||||
local function extract_rules(n, a)
|
||||
local _ipt = ipt_bin
|
||||
if n == "6" then
|
||||
@ -77,8 +73,7 @@ local function gen_include()
|
||||
f:write("EOT" .. "\n")
|
||||
f:close()
|
||||
else
|
||||
f:write("nft -f " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n")
|
||||
f:write("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER")
|
||||
f:write("nft -f " .. NFT_INCLUDE_FILE .. "\n")
|
||||
f:close()
|
||||
end
|
||||
end
|
||||
@ -97,8 +92,11 @@ local function start()
|
||||
ip6t("-N PSW-SERVER")
|
||||
ip6t("-I INPUT -j PSW-SERVER")
|
||||
else
|
||||
cmd("nft add chain inet fw4 PSW-SERVER\n")
|
||||
cmd("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER")
|
||||
nft_file, err = io.open(NFT_INCLUDE_FILE, "w")
|
||||
nft_file:write('#!/usr/sbin/nft -f\n')
|
||||
nft_file:write('add chain inet fw4 PSW-SERVER\n')
|
||||
nft_file:write('flush chain inet fw4 PSW-SERVER\n')
|
||||
nft_file:write('insert rule inet fw4 input position 0 jump PSW-SERVER comment "PSW-SERVER"\n')
|
||||
end
|
||||
uci:foreach(CONFIG, "user", function(user)
|
||||
local id = user[".name"]
|
||||
@ -194,14 +192,19 @@ local function start()
|
||||
ip6t(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
|
||||
end
|
||||
else
|
||||
cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} accept', port))
|
||||
nft_file:write(string.format('add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} counter accept comment "%s"\n', port, remarks))
|
||||
if udp_forward == 1 then
|
||||
cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} accept', port))
|
||||
nft_file:write(string.format('add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} counter accept comment "%s"\n', port, remarks))
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end)
|
||||
if nft_flag == "1" then
|
||||
nft_file:write("add rule inet fw4 PSW-SERVER return\n")
|
||||
nft_file:close()
|
||||
cmd("nft -f " .. NFT_INCLUDE_FILE)
|
||||
end
|
||||
gen_include()
|
||||
end
|
||||
|
||||
|
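Review bot: In the `@ -97,8 +92,11 @@` hunk, `nft_file, err = io.open(NFT_INCLUDE_FILE, "w")` never checks its result, so if /tmp/etc/passwall_server cannot be written the very next line `nft_file:write('#!/usr/sbin/nft -f\n')` raises "attempt to index a nil value" instead of surfacing the open error, and `err` is never read. A one-line guard such as `nft_file = assert(io.open(NFT_INCLUDE_FILE, "w"))` keeps the failing path in the message; neither name carries `local` in the hunk, so unless both are declared before the `if nft_flag == "1"` branch (which, like the enclosing `start()`, begins outside the hunk) they are leaked as globals. Separately, `remarks` is interpolated unescaped into `comment "%s"` on the two `nft_file:write(string.format(...))` lines in the `@ -194,14 +192,19 @@` hunk; unless it is sanitised earlier, a double quote or newline in a user's remarks field makes `nft -f` reject the whole include file and no server port gets opened, so stripping `"` and line breaks from it before formatting would be worthwhile.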
@ -20,7 +20,7 @@ NFTSET_BLACKLIST6="passwall_blacklist6"
|
||||
NFTSET_WHITELIST6="passwall_whitelist6"
|
||||
NFTSET_BLOCKLIST6="passwall_blocklist6"
|
||||
|
||||
FORCE_INDEX=2
|
||||
FORCE_INDEX=0
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
@ -377,10 +377,10 @@ load_acl() {
|
||||
}
|
||||
|
||||
if [ -z "${is_tproxy}" ]; then
|
||||
nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
|
||||
[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_NAT ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
|
||||
[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\""
|
||||
else
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
|
||||
@ -499,11 +499,11 @@ load_acl() {
|
||||
}
|
||||
|
||||
if [ -z "${is_tproxy}" ]; then
|
||||
nft "add rule inet fw4 PSW ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
|
||||
nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
|
||||
nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
|
||||
[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\""
|
||||
nft "add rule inet fw4 PSW ip protocol tcp counter return comment \"默认\""
|
||||
nft "add rule inet fw4 PSW_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
|
||||
nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
|
||||
nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
|
||||
[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\""
|
||||
nft "add rule inet fw4 PSW_NAT ip protocol tcp counter return comment \"默认\""
|
||||
else
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
|
||||
@ -625,7 +625,7 @@ filter_node() {
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
for _ipt in 4 6; do
|
||||
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSLIST
|
||||
[ "$_ipt" == "4" ] && _ip_type=ip && _set_name=$NFTSET_VPSLIST
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
|
||||
nft "list chain inet fw4 $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
@ -641,8 +641,7 @@ filter_node() {
|
||||
dst_rule="return"
|
||||
msg2="直连代理"
|
||||
}
|
||||
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address tcp dport $port $dst_rule" 2>/dev/null
|
||||
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address udp dport $port $dst_rule" 2>/dev/null
|
||||
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX meta l4proto $stream $_ip_type daddr $address $stream dport $port $dst_rule comment \"${address}:${port}\"" 2>/dev/null
|
||||
else
|
||||
msg2="已配置过的节点,"
|
||||
fi
|
||||
@ -774,8 +773,8 @@ add_firewall_rule() {
|
||||
local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
|
||||
if [ "$tcp_proxy_way" = "redirect" ]; then
|
||||
unset is_tproxy
|
||||
nft_prerouting_chain="PSW"
|
||||
nft_output_chain="PSW_OUTPUT"
|
||||
nft_prerouting_chain="PSW_NAT"
|
||||
nft_output_chain="PSW_OUTPUT_NAT"
|
||||
elif [ "$tcp_proxy_way" = "tproxy" ]; then
|
||||
is_tproxy="TPROXY"
|
||||
nft_prerouting_chain="PSW_MANGLE"
|
||||
@ -823,21 +822,21 @@ add_firewall_rule() {
|
||||
|
||||
#ipv4 tcp redirect mode
|
||||
[ -z "${is_tproxy}" ] && {
|
||||
nft "add chain inet fw4 PSW"
|
||||
nft "flush chain inet fw4 PSW"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
|
||||
nft "add chain inet fw4 PSW_NAT"
|
||||
nft "flush chain inet fw4 PSW_NAT"
|
||||
nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT"
|
||||
|
||||
nft "add chain inet fw4 PSW_OUTPUT"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
nft "add chain inet fw4 PSW_OUTPUT_NAT"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT_NAT"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
}
|
||||
|
||||
#icmp ipv6-icmp redirect
|
||||
@ -860,7 +859,7 @@ add_firewall_rule() {
|
||||
|
||||
WAN_IP=$(get_wan_ip)
|
||||
if [ -n "${WAN_IP}" ]; then
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW_NAT ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
|
||||
fi
|
||||
unset WAN_IP
|
||||
|
||||
@ -886,7 +885,7 @@ add_firewall_rule() {
|
||||
# jump chains
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"PSW_OUTPUT_MANGLE\""
|
||||
|
||||
WAN6_IP=$(get_wan6_ip)
|
||||
[ -n "${WAN6_IP}" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr ${WAN6_IP} counter return comment \"WAN6_IP_RETURN\""
|
||||
@ -962,7 +961,7 @@ add_firewall_rule() {
|
||||
return 0
|
||||
}
|
||||
if [ -z "${is_tproxy}" ]; then
|
||||
nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
|
||||
nft add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
|
||||
else
|
||||
nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
|
||||
nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
|
||||
@ -986,12 +985,12 @@ add_firewall_rule() {
|
||||
|
||||
if [ -z "${is_tproxy}" ]; then
|
||||
[ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
|
||||
[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
|
||||
[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)"
|
||||
}
|
||||
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
|
||||
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT"
|
||||
else
|
||||
[ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE"
|
||||
@ -1001,7 +1000,7 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
}
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
|
||||
fi
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
@ -1051,7 +1050,7 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
}
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
[ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
|
||||
@ -1064,8 +1063,8 @@ add_firewall_rule() {
|
||||
}
|
||||
fi
|
||||
|
||||
nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
|
||||
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
|
||||
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
|
||||
@ -1093,14 +1092,14 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
del_firewall_rule() {
|
||||
for nft in "input" "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do
|
||||
local handles=$(nft -a list chain inet fw4 ${nft} 2>/dev/null | grep -E "PSW" | awk -F '# handle ' '{print$2}')
|
||||
for nft in "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do
|
||||
local handles=$(nft -a list chain inet fw4 ${nft} 2>/dev/null | grep -E "PSW_" | awk -F '# handle ' '{print$2}')
|
||||
for handle in $handles; do
|
||||
nft delete rule inet fw4 ${nft} handle ${handle} 2>/dev/null
|
||||
done
|
||||
done
|
||||
|
||||
for handle in $(nft -a list chains | grep -E "chain PSW" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do
|
||||
for handle in $(nft -a list chains | grep -E "chain PSW_" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do
|
||||
nft delete chain inet fw4 handle ${handle} 2>/dev/null
|
||||
done
|
||||
|
||||
@ -1147,62 +1146,70 @@ flush_include() {
|
||||
}
|
||||
|
||||
gen_include() {
|
||||
local nft_chain_file=$TMP_PATH/PSW.nft
|
||||
echo "" > $nft_chain_file
|
||||
for chain in $(nft -a list chains | grep -E "chain PSW" |awk -F ' ' '{print$2}'); do
|
||||
local nft_chain_file=$TMP_PATH/PSW_RULE.nft
|
||||
local nft_set_file=$TMP_PATH/PSW_SETS.nft
|
||||
echo "#!/usr/sbin/nft -f" > $nft_chain_file
|
||||
echo "#!/usr/sbin/nft -f" > $nft_set_file
|
||||
for chain in $(nft -a list chains | grep -E "chain PSW_" | awk -F ' ' '{print$2}'); do
|
||||
nft list chain inet fw4 ${chain} >> $nft_chain_file
|
||||
done
|
||||
|
||||
for set_name in $(nft -a list sets | grep -E "set passwall_" | awk -F ' ' '{print$2}'); do
|
||||
nft list set inet fw4 ${set_name} >> $nft_set_file
|
||||
done
|
||||
|
||||
local __nft=" "
|
||||
[ -z "${nft}" ] && {
|
||||
__nft=$(cat <<- EOF
|
||||
nft -f ${nft_chain_file}
|
||||
__nft=$(cat <<- EOF
|
||||
|
||||
nft "add rule inet fw4 dstnat jump PSW_REDIRECT"
|
||||
[ -z "\$(nft list sets 2>/dev/null | grep "passwall_")" ] && nft -f ${nft_set_file}
|
||||
[ -z "\$(nft list chain inet fw4 nat_output 2>/dev/null)" ] && nft "add chain inet fw4 nat_output { type nat hook output priority -1; }"
|
||||
nft -f ${nft_chain_file}
|
||||
|
||||
[ "$accept_icmp" == "1" ] && {
|
||||
nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
|
||||
nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
|
||||
}
|
||||
nft "add rule inet fw4 dstnat jump PSW_REDIRECT"
|
||||
|
||||
[ -z "${is_tproxy}" ] && {
|
||||
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW WAN_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
WAN_IP=\$(${MY_PATH} get_wan_ip)
|
||||
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
|
||||
fi
|
||||
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
|
||||
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
|
||||
}
|
||||
[ "$accept_icmp" == "1" ] && {
|
||||
nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
|
||||
nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
|
||||
}
|
||||
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE WAN_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
WAN_IP=\$(${MY_PATH} get_wan_ip)
|
||||
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
|
||||
fi
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
}
|
||||
\$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
|
||||
[ -z "${is_tproxy}" ] && {
|
||||
PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_NAT WAN_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
WAN_IP=\$(sh ${MY_PATH} get_wan_ip)
|
||||
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_NAT handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
|
||||
fi
|
||||
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT"
|
||||
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT"
|
||||
}
|
||||
|
||||
[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE WAN_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
WAN_IP=\$(sh ${MY_PATH} get_wan_ip)
|
||||
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
|
||||
fi
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
|
||||
}
|
||||
\$(sh ${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE_V6 WAN6_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
WAN6_IP=\$(${MY_PATH} get_wan6_ip)
|
||||
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" counter return comment \"WAN6_IP_RETURN\""
|
||||
fi
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
|
||||
}
|
||||
[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE_V6 WAN6_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
WAN6_IP=\$(sh ${MY_PATH} get_wan6_ip)
|
||||
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" counter return comment \"WAN6_IP_RETURN\""
|
||||
fi
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"PSW_OUTPUT_MANGLE\""
|
||||
}
|
||||
|
||||
nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
|
||||
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
|
||||
EOF
|
||||
)
|
||||
|
||||
nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
|
||||
EOF
|
||||
)
|
||||
}
|
||||
cat <<-EOF >> $FWI
|
||||
${__nft}
|
||||
EOF
|
||||
|
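Review bot: In gen_include's IPv6 block of the `@ -1147,62 +1146,70 @@` hunk the guard for the WAN6 replace still tests the IPv4 variable, `[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" ..."`, so whether the v6 return rule is refreshed depends on the v4 lookup: with a WAN6 address but no WAN_IP the rule is never updated, and with WAN_IP set but no WAN6 address the generated script runs a replace with an empty `ip6 daddr` that nft rejects; the test should read `[ ! -z "\${WAN6_IP}" ]`. The line appears on both sides of the hunk, so the commit carries the defect over into the new `sh ${MY_PATH}` include script. The print order also suggests that `nft "add rule inet fw4 dstnat jump PSW_REDIRECT"` now precedes `nft -f ${nft_chain_file}`, which is what recreates the PSW_ chains after an fw4 reload; if that is the new order, the jump fails with an unknown-chain error on a fresh reload and should move after the chain file is loaded — worth confirming against the patched file.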