init.d: dns intercept scheme

common/nft.sh

@@ -18,6 +18,18 @@ nft_list_table()
 	nft -t list table inet $ZAPRET_NFT_TABLE
 }
 
+nft_add_chain()
+{
+	# $1 - chain
+	# $2 - params
+	nft add chain inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
+}
+nft_delete_chain()
+{
+	# $1 - chain
+	nft delete chain inet $ZAPRET_NFT_TABLE $1
+}
+
 nft_create_set()
 {
 	# $1 - set name

docs/changes.txt

@@ -157,3 +157,6 @@ v0.8.1
 * nfqws2: do not start if NFQWS2_COMPAT_VER unexpected
 * nfqws2: cache dns response IP addresses if --ipcache-hostname enabled
 * winws2: remove hardcoded filter for loopback
+* init.d: ressurect @lanif in nft scheme
+* init.d: fix broken @wanif/@wanif6 fill in sysv nft scheme
+* init.d: 80-dns-intercept

init.d/custom.d.examples.linux/80-dns-intercept

@@ -0,0 +1,47 @@
+# this custom script feeds dns response data to main nfqws2 instance
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+	local filt="-p udp --sport 53"
+	local jump="-j NFQUEUE --queue-num $QNUM --queue-bypass"
+	local chain lan lanifs
+
+	get_lanif lanifs
+
+	# router
+	for lan in $lanifs; do
+		[ "$DISABLE_IPV4" = 1 ] || ipt_add_del $1 FORWARD -o $lan $filt $jump
+		[ "$DISABLE_IPV6" = 1 ] || ipt6_add_del $1 FORWARD -o $lan $filt $jump
+	done
+	# dns client server
+	for chain in INPUT OUTPUT ; do
+		[ "$DISABLE_IPV4" = 1 ] || ipt_add_del $1 $chain $filt $jump
+		[ "$DISABLE_IPV6" = 1 ] || ipt6_add_del $1 $chain $filt $jump
+	done
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	# dns client
+	nft_add_chain forward_dns_feed "type filter hook forward priority mangle;"
+	nft_add_rule forward_dns_feed oifname @lanif udp sport 53 queue num $QNUM bypass
+
+	# router
+	nft_add_chain input_dns_feed "type filter hook input priority mangle;"
+	nft_add_rule input_dns_feed udp sport 53 queue num $QNUM bypass
+
+	# dns server
+	nft_add_chain output_dns_feed "type filter hook output priority mangle;"
+	nft_add_rule output_dns_feed udp sport 53 queue num $QNUM bypass
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	local chain
+	for chain in forward_dns_feed input_dns_feed output_dns_feed; do
+		nft_delete_chain $chain 2>/dev/null
+	done
+}

init.d/openwrt/functions

@@ -62,6 +62,20 @@ network_find_wanX_devices()
 	call_for_multiple_items network_get_device $2 "$ifaces"
 }
 
+get_wanif46()
+{
+	# $1 - 4/6
+	# $2 - var to receive interface list
+	local ifaces
+	network_find_wan${1}_all ifaces
+	call_for_multiple_items network_get_device $2 "$ifaces"
+}
+get_lanif()
+{
+	# $1 - var to receive interface list
+	call_for_multiple_items network_get_device $1 "$OPENWRT_LAN"
+}
+
 
 fw_nfqws_prepost_x()
 {
@@ -71,10 +85,8 @@ fw_nfqws_prepost_x()
 	# $4 - 4/6
 	# $5 - post/pre
 
-	local ifaces DWAN
+	local DWAN
-	network_find_wan${4}_all ifaces
+	get_wanif46 $4 DWAN
-	call_for_multiple_items network_get_device DWAN "$ifaces"
-
 	[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
 }
 fw_nfqws_post4()

init.d/sysv/functions

@@ -75,6 +75,26 @@ NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
 LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
 NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
 
+get_wanif46()
+{
+	# $1 - 4/6
+	# $2 - var to receive interface list
+	case $1 in
+		6)
+			eval $2="\${IFACE_WAN6:-$IFACE_WAN}"
+			;;
+		4)
+			eval $2="\$IFACE_WAN"
+			;;
+		*)
+			eval $2=
+	esac
+}
+get_lanif()
+{
+	# $1 - var to receive interface list
+	eval $1="\$IFACE_LAN"
+}
 
 fw_nfqws_post4()
 {