common/ipt.sh +15 −5
@@ -349,27 +349,37 @@ ipt_do_nfqws_in_out() } } zapret_do_firewall_standard_rules_ipt() zapret_do_firewall_standard_tpws_rules_ipt() { # $1 - 1 - add, 0 - del local f4 f6 [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT" f6=$f4 filter_apply_ipset_target f4 f6 fw_tpws $1 "$f4" "$f6" $TPPORT } [ "$NFQWS_ENABLE" = 1 ] && } zapret_do_firewall_standard_nfqws_rules_ipt() { # $1 - 1 - add, 0 - del [ "$NFQWS_ENABLE" = 1 ] && { ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN" ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN" ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN" ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN" } } zapret_do_firewall_standard_rules_ipt() { # $1 - 1 - add, 0 - del zapret_do_firewall_standard_tpws_rules_ipt $1 zapret_do_firewall_standard_nfqws_rules_ipt $1 } zapret_do_firewall_rules_ipt() { Loading common/linux_daemons.sh 0 → 100644 +55 −0 Original line number Diff line number Diff line standard_mode_tpws_socks() { # $1 - 1 - run, 0 - stop local opt [ "$TPWS_SOCKS_ENABLE" = 1 ] && { opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT" filter_apply_hostlist_target opt do_tpws_socks $1 2 "$opt" } } standard_mode_tpws() { # $1 - 1 - run, 0 - stop local opt [ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && { opt="--port=$TPPORT $TPWS_OPT" filter_apply_hostlist_target opt do_tpws $1 1 "$opt" } } standard_mode_nfqws() { # $1 - 1 - run, 0 - stop local opt [ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && { opt="--qnum=$QNUM $NFQWS_OPT" filter_apply_hostlist_target opt do_nfqws $1 3 "$opt" } } standard_mode_daemons() { # $1 - 1 - run, 0 - stop standard_mode_tpws_socks $1 standard_mode_tpws $1 standard_mode_nfqws $1 } zapret_do_daemons() { # $1 - 1 - run, 0 - stop 
standard_mode_daemons $1 custom_runner zapret_custom_daemons $1 return 0 } zapret_run_daemons() { zapret_do_daemons 1 "$@" } zapret_stop_daemons() { zapret_do_daemons 0 "$@" } common/nft.sh +11 −5 Original line number Diff line number Diff line Loading 
@@ -640,25 +640,31 @@ nft_apply_nfqws_in_out() } } zapret_apply_firewall_standard_rules_nft() zapret_apply_firewall_standard_tpws_rules_nft() { local f4 f6 [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { f4="tcp dport {$TPWS_PORTS}" f6=$f4 nft_filter_apply_ipset_target f4 f6 nft_fw_tpws "$f4" "$f6" $TPPORT } [ "$NFQWS_ENABLE" = 1 ] && } zapret_apply_firewall_standard_nfqws_rules_nft() { [ "$NFQWS_ENABLE" = 1 ] && { nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN" nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN" nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN" nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN" } } zapret_apply_firewall_standard_rules_nft() { zapret_apply_firewall_standard_tpws_rules_nft zapret_apply_firewall_standard_nfqws_rules_nft } zapret_apply_firewall_rules_nft() { Loading init.d/custom.d.examples.linux/20-fw-extra 0 → 100644 +66 −0 Original line number Diff line number Diff line # this custom script runs standard mode with extra firewall rules # config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons # standard and override switches cannot be enabled simultaneously ! TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0} NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0} # config: some if these values must be set in config. not setting any of these makes this script meaningless. # pre vars put ipt/nft code to the rule beginning #FW_EXTRA_PRE_TPWS_IPT= #FW_EXTRA_PRE_TPWS_NFT= #FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000" #FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0" # post vars put ipt/nft code to the rule end #FW_EXTRA_POST_TPWS_IPT= #FW_EXTRA_POST_TPWS_NFT= #FW_EXTRA_POST_NFQWS_IPT= #FW_EXTRA_POST_NFQWS_NFT= check_std_intersect() { [ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && { echo "ERROR ! 
both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled" return 1 } [ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && { echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled" return 1 } return 0 } zapret_custom_daemons() { # $1 - 1 - add, 0 - stop check_std_intersect || return local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE standard_mode_daemons "$1" } zapret_custom_firewall() { # $1 - 1 - run, 0 - stop check_std_intersect || return local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT" zapret_do_firewall_standard_tpws_rules_ipt $1 FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT" zapret_do_firewall_standard_nfqws_rules_ipt $1 } zapret_custom_firewall_nft() { # stop logic is not required check_std_intersect || return local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT" zapret_apply_firewall_standard_tpws_rules_nft FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT" zapret_apply_firewall_standard_nfqws_rules_nft } init.d/openwrt/functions +1 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/ipt.sh" . "$ZAPRET_BASE/common/nft.sh" . "$ZAPRET_BASE/common/linux_fw.sh" . "$ZAPRET_BASE/common/linux_daemons.sh" . "$ZAPRET_BASE/common/list.sh" . "$ZAPRET_BASE/common/custom.sh" CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt" Loading Loading
common/ipt.sh +15 −5 Original line number Diff line number Diff line Loading @@ -349,27 +349,37 @@ ipt_do_nfqws_in_out() } } zapret_do_firewall_standard_rules_ipt() zapret_do_firewall_standard_tpws_rules_ipt() { # $1 - 1 - add, 0 - del local f4 f6 [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT" f6=$f4 filter_apply_ipset_target f4 f6 fw_tpws $1 "$f4" "$f6" $TPPORT } [ "$NFQWS_ENABLE" = 1 ] && } zapret_do_firewall_standard_nfqws_rules_ipt() { # $1 - 1 - add, 0 - del [ "$NFQWS_ENABLE" = 1 ] && { ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN" ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN" ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN" ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN" } } zapret_do_firewall_standard_rules_ipt() { # $1 - 1 - add, 0 - del zapret_do_firewall_standard_tpws_rules_ipt $1 zapret_do_firewall_standard_nfqws_rules_ipt $1 } zapret_do_firewall_rules_ipt() { Loading
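Review bot: Both new entry points, zapret_do_firewall_standard_tpws_rules_ipt and zapret_do_firewall_standard_nfqws_rules_ipt, end on a `[ … ] && { … }` list, so each returns non-zero whenever its feature is switched off. The split lets custom scripts call the halves directly (20-fw-extra ends zapret_custom_firewall with the nfqws call), so a caller that checks the status would read "disabled" as "rule install failed"; whether custom_runner checks it is not visible on this page. Opening each function with a guard such as `[ "$NFQWS_ENABLE" = 1 ] || return 0` keeps a disabled feature at status 0 while still propagating real failures from the rule helpers. The same applies to the two split functions in common/nft.sh. Separately, the tpws guard tests `$TPWS_PORTS` while the rule is built from `$TPWS_PORTS_IPT`, which is presumably derived elsewhere, so a one-line comment naming where would help.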
common/linux_daemons.sh 0 → 100644 +55 −0 Original line number Diff line number Diff line standard_mode_tpws_socks() { # $1 - 1 - run, 0 - stop local opt [ "$TPWS_SOCKS_ENABLE" = 1 ] && { opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT" filter_apply_hostlist_target opt do_tpws_socks $1 2 "$opt" } } standard_mode_tpws() { # $1 - 1 - run, 0 - stop local opt [ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && { opt="--port=$TPPORT $TPWS_OPT" filter_apply_hostlist_target opt do_tpws $1 1 "$opt" } } standard_mode_nfqws() { # $1 - 1 - run, 0 - stop local opt [ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && { opt="--qnum=$QNUM $NFQWS_OPT" filter_apply_hostlist_target opt do_nfqws $1 3 "$opt" } } standard_mode_daemons() { # $1 - 1 - run, 0 - stop standard_mode_tpws_socks $1 standard_mode_tpws $1 standard_mode_nfqws $1 } zapret_do_daemons() { # $1 - 1 - run, 0 - stop standard_mode_daemons $1 custom_runner zapret_custom_daemons $1 return 0 } zapret_run_daemons() { zapret_do_daemons 1 "$@" } zapret_stop_daemons() { zapret_do_daemons 0 "$@" }
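Review bot: standard_mode_tpws_socks builds its command line from `$TPWS_SOCKS_OPT` without the `check_bad_ws_options $1 …` gate that standard_mode_tpws and standard_mode_nfqws apply to their option strings. If socks mode is exempt on purpose, a comment such as `# socks mode: option check intentionally skipped` should say so; otherwise add `check_bad_ws_options $1 "$TPWS_SOCKS_OPT" &&` to the condition. zapret_run_daemons and zapret_stop_daemons forward `"$@"`, but zapret_do_daemons passes only `$1` on, so any further arguments are silently dropped. A short file header listing the config variables these functions read (TPPORT, TPPORT_SOCKS, QNUM, the *_ENABLE and *_OPT switches) would make the new file easier to audit.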
common/nft.sh +11 −5 Original line number Diff line number Diff line Loading @@ -640,25 +640,31 @@ nft_apply_nfqws_in_out() } } zapret_apply_firewall_standard_rules_nft() zapret_apply_firewall_standard_tpws_rules_nft() { local f4 f6 [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { [ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && { f4="tcp dport {$TPWS_PORTS}" f6=$f4 nft_filter_apply_ipset_target f4 f6 nft_fw_tpws "$f4" "$f6" $TPPORT } [ "$NFQWS_ENABLE" = 1 ] && } zapret_apply_firewall_standard_nfqws_rules_nft() { [ "$NFQWS_ENABLE" = 1 ] && { nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN" nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN" nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN" nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN" } } zapret_apply_firewall_standard_rules_nft() { zapret_apply_firewall_standard_tpws_rules_nft zapret_apply_firewall_standard_nfqws_rules_nft } zapret_apply_firewall_rules_nft() { Loading
init.d/custom.d.examples.linux/20-fw-extra 0 → 100644 +66 −0 Original line number Diff line number Diff line # this custom script runs standard mode with extra firewall rules # config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons # standard and override switches cannot be enabled simultaneously ! TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0} NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0} # config: some if these values must be set in config. not setting any of these makes this script meaningless. # pre vars put ipt/nft code to the rule beginning #FW_EXTRA_PRE_TPWS_IPT= #FW_EXTRA_PRE_TPWS_NFT= #FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000" #FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0" # post vars put ipt/nft code to the rule end #FW_EXTRA_POST_TPWS_IPT= #FW_EXTRA_POST_TPWS_NFT= #FW_EXTRA_POST_NFQWS_IPT= #FW_EXTRA_POST_NFQWS_NFT= check_std_intersect() { [ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && { echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled" return 1 } [ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && { echo "ERROR ! 
both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled" return 1 } return 0 } zapret_custom_daemons() { # $1 - 1 - add, 0 - stop check_std_intersect || return local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE standard_mode_daemons "$1" } zapret_custom_firewall() { # $1 - 1 - run, 0 - stop check_std_intersect || return local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT" zapret_do_firewall_standard_tpws_rules_ipt $1 FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT" zapret_do_firewall_standard_nfqws_rules_ipt $1 } zapret_custom_firewall_nft() { # stop logic is not required check_std_intersect || return local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT" zapret_apply_firewall_standard_tpws_rules_nft FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT" zapret_apply_firewall_standard_nfqws_rules_nft }
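Review bot: The `local` lines in zapret_custom_daemons, zapret_custom_firewall and zapret_custom_firewall_nft assign `TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE` and `NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE` unquoted. In shells that treat `local` as an ordinary builtin the expansion is field-split, so a config value containing whitespace becomes an assignment plus stray local names; `TPWS_ENABLE="$TPWS_ENABLE_OVERRIDE" NFQWS_ENABLE="$NFQWS_ENABLE_OVERRIDE"` avoids that. The FW_EXTRA_PRE_*/FW_EXTRA_POST_* strings reach the rule builders only through the dynamically scoped locals FW_EXTRA_PRE/FW_EXTRA_POST and are presumably spliced into iptables/nft commands as-is (the consuming code is not on this page). The header comment should therefore say that they are trusted rule text and that the config file must be writable by root only. The `$1` comments are also swapped (`add`/`stop` on the daemons function, `run`/`stop` on the firewall one), and check_std_intersect prints its error to stdout, where `>&2` would keep it out of captured output.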
init.d/openwrt/functions +1 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/ipt.sh" . "$ZAPRET_BASE/common/nft.sh" . "$ZAPRET_BASE/common/linux_fw.sh" . "$ZAPRET_BASE/common/linux_daemons.sh" . "$ZAPRET_BASE/common/list.sh" . "$ZAPRET_BASE/common/custom.sh" CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt" Loading