Commit b878c313 authored by bol-van's avatar bol-van

init.d: exclude ipban from tpws redirection

parent 869e2cd8
+6 −2
std_ports
ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
IPSET_EXCLUDE="-m set ! --match-set nozapret"
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
IPBAN_EXCLUDE="-m set ! --match-set ipban"
IPBAN_EXCLUDE6="-m set ! --match-set ipban6"

ipt()
{
@@ -132,7 +136,7 @@ _fw_tpws4()

		ipt_print_op $1 "$2" "tpws (port $3)"

		rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
		rule="$2 $IPSET_EXCLUDE dst $IPBAN_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
		for i in $4 ; do
			ipt_add_del $1 PREROUTING -t nat -i $i $rule
	 	done
@@ -160,7 +164,7 @@ _fw_tpws6()

		ipt_print_op $1 "$2" "tpws (port $3)" 6

		rule="$2 $IPSET_EXCLUDE6 dst"
		rule="$2 $IPSET_EXCLUDE6 dst $IPBAN_EXCLUDE6 dst"
		for i in $4 ; do
			_dnat6_target $i DNAT6
			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
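Review bot: Both tpws DNAT rules now depend on the `ipban`/`ipban6` ipsets existing at the moment `ipt_add_del` runs (the `$IPBAN_EXCLUDE dst` line in _fw_tpws4 and the `$IPBAN_EXCLUDE6 dst` line in _fw_tpws6); iptables rejects a rule that names a missing set, so the redirect would not be installed at all, and whether that is reported depends on ipt_add_del, which is outside the hunk. It is worth confirming that the ipset creation step (presumably `$IPSET_CR`) creates both sets even when the ban list is empty. The new IPBAN_EXCLUDE/IPBAN_EXCLUDE6 definitions next to IPSET_EXCLUDE carry no comment; a line such as `# ipban/ipban6: destinations excluded from tpws DNAT in _fw_tpws4/_fw_tpws6` would explain why a second exclusion set exists. _fw_tpws4 starts before the hunk and _fw_tpws6 continues past it.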
+4 −4
@@ -387,8 +387,8 @@ _nft_fw_tpws4()
	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
		local filter="$1" port="$2"
		nft_print_op "$filter" "tpws (port $2)" 4
		nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
		prepare_route_localnet
	}
}
@@ -402,9 +402,9 @@ _nft_fw_tpws6()
	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
		local filter="$1" port="$2" DNAT6 i
		nft_print_op "$filter" "tpws (port $port)" 6
		nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
		nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
		[ -n "$3" ] && {
			nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
			nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
			for i in $3; do
				_dnat6_target $i DNAT6
				# can be multiple tpws processes on different ports
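Review bot: The new `ip daddr != @ipban` and `ip6 daddr != @ipban6` matches in _nft_fw_tpws4 and _nft_fw_tpws6 assume the `ipban`/`ipban6` sets are already declared in the table when `nft_insert_rule` runs; nft refuses a rule that references an undeclared set, so the ordering against the set-creation code (outside this hunk) should be checked, including the case where the ban list is empty. The exclusion clause is now repeated verbatim in four rules; mirroring the iptables side, a local such as `local excl="ip daddr != @nozapret ip daddr != @ipban"` (and the ip6 equivalent) would keep the paired dnat_output/dnat_pre rules in each function from drifting apart. _nft_fw_tpws6 continues past the end of the hunk.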
+0 −4
@@ -30,10 +30,6 @@ LINKLOCAL_WAIT_SEC=5

IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"

IPSET_EXCLUDE="-m set ! --match-set nozapret"
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"


# can be multiple ipv6 outgoing interfaces
# uplink from isp, tunnelbroker, vpn, ...
# want them all. who knows what's the real one that blocks sites
+0 −4
@@ -93,10 +93,6 @@ TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=
# max wait time for the link local ipv6 on the LAN interface
LINKLOCAL_WAIT_SEC=5

IPSET_EXCLUDE="-m set ! --match-set nozapret"
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"


dnat6_target()
{
	_dnat6_target "$@"