Commit b63e5980 authored by bol-van's avatar bol-van

FILTER_MARK support

parent c60f9c90
+8 −4
@@ -112,6 +112,10 @@ unprepare_tpws_fw()
	unprepare_tpws_fw4
}

ipt_mark_filter()
{
	[ -n "$FILTER_MARK" ] && echo "-m mark --mark $FILTER_MARK/$FILTER_MARK"
}

ipt_print_op()
{
@@ -136,7 +140,7 @@ _fw_tpws4()

		ipt_print_op $1 "$2" "tpws (port $3)"

		rule="$2 $IPSET_EXCLUDE dst $IPBAN_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
		rule="$(ipt_mark_filter) $2 $IPSET_EXCLUDE dst $IPBAN_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
		for i in $4 ; do
			ipt_add_del $1 PREROUTING -t nat -i $i $rule
	 	done
@@ -164,7 +168,7 @@ _fw_tpws6()

		ipt_print_op $1 "$2" "tpws (port $3)" 6

		rule="$2 $IPSET_EXCLUDE6 dst $IPBAN_EXCLUDE6 dst"
		rule="$(ipt_mark_filter) $2 $IPSET_EXCLUDE6 dst $IPBAN_EXCLUDE6 dst"
		for i in $4 ; do
			_dnat6_target $i DNAT6
			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
@@ -202,7 +206,7 @@ _fw_nfqws_post4()

		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"

		rule="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
		rule="$(ipt_mark_filter) -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
		if [ -n "$4" ] ; then
			for i in $4; do
				ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
@@ -223,7 +227,7 @@ _fw_nfqws_post6()

		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6

		rule="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
		rule="$(ipt_mark_filter) -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
		if [ -n "$4" ] ; then
			for i in $4; do
				ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
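Review bot: ipt_mark_filter() exits with status 1 whenever FILTER_MARK is empty, because the `[ -n … ] &&` short-circuit is its last command, and in the four rule hunks below that status becomes the status of the `rule="$(ipt_mark_filter) …"` assignment. If these functions are ever run under `set -e` (not visible here), the tpws/nfqws rules would be skipped in the default, unfiltered configuration the config comments describe. Writing the body as `[ -z "$FILTER_MARK" ] || echo "-m mark --mark $FILTER_MARK/$FILTER_MARK"` produces identical output and returns 0 in both cases; nft_mark_filter() in the second file has the same shape and the same fix applies. The enclosing functions _fw_tpws4/6 and _fw_nfqws_post4/6 start and end outside their hunks.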
+14 −8
@@ -312,6 +312,10 @@ nft_filter_apply_ipset_target()
	nft_filter_apply_ipset_target6 $2
}

nft_mark_filter()
{
	[ -n "$FILTER_MARK" ] && echo "mark and $FILTER_MARK != 0"
}

nft_script_add_ifset_element()
{
@@ -403,9 +407,10 @@ _nft_fw_tpws4()

	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
		local filter="$1" port="$2"
		local mark_filter=$(nft_mark_filter)
		nft_print_op "$filter" "tpws (port $2)" 4
		nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif} $mark_filter $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		nft_insert_rule dnat_pre iifname @lanif $mark_filter $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		prepare_route_localnet
	}
}
@@ -418,10 +423,11 @@ _nft_fw_tpws6()

	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
		local filter="$1" port="$2" DNAT6 i
		local mark_filter=$(nft_mark_filter)
		nft_print_op "$filter" "tpws (port $port)" 6
		nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
		nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6} $mark_filter $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
		[ -n "$3" ] && {
			nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
			nft_insert_rule dnat_pre $mark_filter $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
			for i in $3; do
				_dnat6_target $i DNAT6
				# can be multiple tpws processes on different ports
@@ -468,7 +474,7 @@ _nft_fw_nfqws_post4()
	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
		local filter="$1" port="$2" rule chain=$(get_postchain) setmark
		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
		rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
		rule="${3:+oifname @wanif} $(nft_mark_filter) $filter ip daddr != @nozapret"
		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
		nft_insert_rule $chain $rule $setmark $CONNMARKER $FW_EXTRA_POST queue num $port bypass
		nft_add_nfqws_flow_exempt_rule "$rule"
@@ -483,7 +489,7 @@ _nft_fw_nfqws_post6()
	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
		local filter="$1" port="$2" rule chain=$(get_postchain) setmark
		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
		rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
		rule="${3:+oifname @wanif6} $(nft_mark_filter) $filter ip6 daddr != @nozapret6"
		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
		nft_insert_rule $chain $rule $setmark $CONNMARKER $FW_EXTRA_POST queue num $port bypass
		nft_add_nfqws_flow_exempt_rule "$rule"
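Review bot: nft_mark_filter() and ipt_mark_filter() in the first file test the mark differently: `mark and $FILTER_MARK != 0` matches a packet with any bit of FILTER_MARK set, whereas iptables `--mark $FILTER_MARK/$FILTER_MARK` requires all of them. For the single-bit value suggested in the config they agree, but with a multi-bit value the nft backend would redirect traffic the iptables backend leaves alone. `[ -n "$FILTER_MARK" ] && echo "mark and $FILTER_MARK == $FILTER_MARK"` would make the nft condition equivalent to the iptables one. Separately, in _nft_fw_nfqws_post4/6 the rule string now begins with a space when $3 is empty and is passed quoted to nft_add_nfqws_flow_exempt_rule; whether that helper tolerates leading whitespace cannot be seen here, and both enclosing functions continue past their hunks.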
+6 −0
@@ -47,6 +47,12 @@ GZIP_LISTS=1
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# do not pass outgoing traffic to tpws/nfqws not marked with this bit
# this setting allows to write your own rules to limit traffic that should be fooled
# for example based on source IP or incoming interface name
# no filter if not defined
#FILTER_MARK=0x10000000

TPWS_SOCKS_ENABLE=0
# tpws socks listens on this port on localhost and LAN interfaces
TPPORT_SOCKS=987
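Review bot: The new FILTER_MARK comment does not say that the value must not share bits with DESYNC_MARK or DESYNC_MARK_POSTNAT defined just above it. The nfqws postrouting rules combine the mark filter with `-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK` (first file), so an overlapping value would make that rule unmatchable, and the postnat path ORs DESYNC_MARK_POSTNAT into the same mark. Suggest adding `# must not overlap DESYNC_MARK or DESYNC_MARK_POSTNAT bits` next to the commented-out example.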