diff --git a/common/nft.sh b/common/nft.sh index b1071e7..8cf92ed 100644 --- a/common/nft.sh +++ b/common/nft.sh @@ -18,6 +18,18 @@ nft_list_table() nft -t list table inet $ZAPRET_NFT_TABLE } +nft_add_chain() +{ + # $1 - chain + # $2 - params + nft add chain inet $ZAPRET_NFT_TABLE $1 "{ $2 }" +} +nft_delete_chain() +{ + # $1 - chain + nft delete chain inet $ZAPRET_NFT_TABLE $1 +} + nft_create_set() { # $1 - set name diff --git a/docs/changes.txt b/docs/changes.txt index 26f18c6..9128bbc 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -157,3 +157,6 @@ v0.8.1 * nfqws2: do not start if NFQWS2_COMPAT_VER unexpected * nfqws2: cache dns response IP addresses if --ipcache-hostname enabled * winws2: remove hardcoded filter for loopback +* init.d: ressurect @lanif in nft scheme +* init.d: fix broken @wanif/@wanif6 fill in sysv nft scheme +* init.d: 80-dns-intercept diff --git a/init.d/custom.d.examples.linux/80-dns-intercept b/init.d/custom.d.examples.linux/80-dns-intercept new file mode 100644 index 0000000..6699fe1 --- /dev/null +++ b/init.d/custom.d.examples.linux/80-dns-intercept 
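Review bot: `nft_add_chain` splices `$2` verbatim between the braces, so a caller has to pass a complete base-chain spec terminated by `;` (the only caller in this commit does), and `# $2 - params` does not say so; I would change it to `# $2 - chain spec inserted verbatim inside { }, e.g. "type filter hook input priority mangle;" (must end with ';')`. It is also worth a comment on each helper that `nft add chain` succeeds when the chain already exists whereas `nft delete chain` fails when it does not, which is why the caller in this commit needs `2>/dev/null` on delete but not on add. The sibling `nft_create_set` is cut off at the end of the hunk, so I cannot tell whether it swallows errors the same way.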
@@ -0,0 +1,47 @@
+# this custom script feeds dns response data to main nfqws2 instance
+
+zapret_custom_firewall()
+{
+ # $1 - 1 - run, 0 - stop
+ local filt="-p udp --sport 53"
+ local jump="-j NFQUEUE --queue-num $QNUM --queue-bypass"
+ local chain lan lanifs
+
+ get_lanif lanifs
+
+ # router
+ for lan in $lanifs; do
+ [ "$DISABLE_IPV4" = 1 ] || ipt_add_del $1 FORWARD -o $lan $filt $jump
+ [ "$DISABLE_IPV6" = 1 ] || ipt6_add_del $1 FORWARD -o $lan $filt $jump
+ done
+ # dns client server
+ for chain in INPUT OUTPUT ; do
+ [ "$DISABLE_IPV4" = 1 ] || ipt_add_del $1 $chain $filt $jump
+ [ "$DISABLE_IPV6" = 1 ] || ipt6_add_del $1 $chain $filt $jump
+ done
+}
+
+zapret_custom_firewall_nft()
+{
+ # stop logic is not required
+
+ # dns client
+ nft_add_chain forward_dns_feed "type filter hook forward priority mangle;"
+ nft_add_rule forward_dns_feed oifname @lanif udp sport 53 queue num $QNUM bypass
+
+ # router
+ nft_add_chain input_dns_feed "type filter hook input priority mangle;"
+ nft_add_rule input_dns_feed udp sport 53 queue num $QNUM bypass
+
+ # dns server
+ nft_add_chain output_dns_feed "type filter hook output priority mangle;"
+ nft_add_rule output_dns_feed udp sport 53 queue num $QNUM bypass
+}
+
+zapret_custom_firewall_nft_flush()
+{
+ local chain
+ for chain in forward_dns_feed input_dns_feed output_dns_feed; do
+ nft_delete_chain $chain 2>/dev/null
+ done
+}
diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions
index f3bc19c..603e84c 100644
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@@ -62,6 +62,20 @@ network_find_wanX_devices()
 call_for_multiple_items network_get_device $2 "$ifaces"
 }
+get_wanif46()
+{
+ # $1 - 4/6
+ # $2 - var to receive interface list
+ local ifaces
+ network_find_wan${1}_all ifaces
+ call_for_multiple_items network_get_device $2 "$ifaces"
+}
+get_lanif()
+{
+ # $1 - var to receive interface list
+ call_for_multiple_items network_get_device $1 "$OPENWRT_LAN"
+}
+
 fw_nfqws_prepost_x()
 {
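Review bot: The comments in `zapret_custom_firewall_nft` are mislabeled relative to the iptables variant right above it: the forward-hook chain matching `oifname @lanif` is the router case and the input-hook chain is the DNS client case, so the two lines should read `# router` above `forward_dns_feed` and `# dns client` above `input_dns_feed`. On the security side, `udp sport 53 queue num $QNUM bypass` on the input hook hands every UDP packet with source port 53 from any remote host to nfqws2, not only replies to queries this host sent, and the changelog in this same commit says nfqws2 caches DNS response addresses when `--ipcache-hostname` is enabled, so an unsolicited spoofed packet could presumably reach that cache. Where conntrack is acceptable, `udp sport 53 ct state established queue num $QNUM bypass` (and `-m conntrack --ctstate ESTABLISHED` in `$filt` for the iptables path) limits the feed to reply-direction packets of flows the kernel has already seen. `bypass` / `--queue-bypass` also means packets are accepted rather than dropped when nothing is bound to `$QNUM`, a deliberate fail-open that deserves a one-line comment next to `local jump=`.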
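Review bot: `get_wanif46` has no guard on `$1`: any value other than `4` or `6` makes `network_find_wan${1}_all` expand to a non-existent function name and print a command-not-found error, whereas the sysv counterpart added in this same commit explicitly yields an empty list for anything else. A `case $1 in 4|6) ;; *) eval $2=; return;; esac` before the lookup would make the two implementations behave alike. The header comments could also state what each helper produces, e.g. `# $2 - var to receive the WAN device list for IPv4 (4) or IPv6 (6), resolved via network_get_device` and, for `get_lanif`, `# $1 - var to receive the devices of the logical interfaces listed in $OPENWRT_LAN`. `fw_nfqws_prepost_x` continues past the end of the hunk.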
@@ -71,10 +85,8 @@ fw_nfqws_prepost_x()
 # $4 - 4/6
 # $5 - post/pre
- local ifaces DWAN
- network_find_wan${4}_all ifaces
- call_for_multiple_items network_get_device DWAN "$ifaces"
-
+ local DWAN
+ get_wanif46 $4 DWAN
 [ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
 }
 fw_nfqws_post4()
diff --git a/init.d/sysv/functions b/init.d/sysv/functions
index 571461e..8cc0c4b 100644
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@@ -75,6 +75,26 @@ NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
 LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
 NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
+get_wanif46()
+{
+ # $1 - 4/6
+ # $2 - var to receive interface list
+ case $1 in
+ 6)
+ eval $2="\${IFACE_WAN6:-$IFACE_WAN}"
+ ;;
+ 4)
+ eval $2="\$IFACE_WAN"
+ ;;
+ *)
+ eval $2=
+ esac
+}
+get_lanif()
+{
+ # $1 - var to receive interface list
+ eval $1="\$IFACE_LAN"
+}
 fw_nfqws_post4()
 {
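Review bot: In the `6)` arm of `get_wanif46`, `eval $2="\${IFACE_WAN6:-$IFACE_WAN}"` escapes `IFACE_WAN6` but not `IFACE_WAN`, so the value of `IFACE_WAN` is expanded into the string first and then parsed a second time by `eval`, unlike every other `eval` in this hunk; `eval $2="\${IFACE_WAN6:-\$IFACE_WAN}"` keeps both expansions inside the eval and matches the neighbouring `4)` arm. The IPv6 fallback to `IFACE_WAN` is a contract callers will rely on and deserves a comment, e.g. `# 6: IFACE_WAN6, falling back to IFACE_WAN when it is unset or empty`. It would also help to say that any other `$1` yields an empty list, e.g. `# anything else -> empty list`, since the OpenWrt counterpart in this commit does not do that.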