init.d: use bitmap:port ipset for standard dports
@@ -426,14 +426,6 @@ alloc_num()
|
|||||||
eval $1="$v"
|
eval $1="$v"
|
||||||
}
|
}
|
||||||
|
|
||||||
std_ports()
|
|
||||||
{
|
|
||||||
NFQWS2_PORTS_TCP_IPT=$(replace_char - : $NFQWS2_PORTS_TCP)
|
|
||||||
NFQWS2_PORTS_TCP_KEEPALIVE_IPT=$(replace_char - : $NFQWS2_PORTS_TCP_KEEPALIVE)
|
|
||||||
NFQWS2_PORTS_UDP_IPT=$(replace_char - : $NFQWS2_PORTS_UDP)
|
|
||||||
NFQWS2_PORTS_UDP_KEEPALIVE_IPT=$(replace_char - : $NFQWS2_PORTS_UDP_KEEPALIVE)
|
|
||||||
}
|
|
||||||
|
|
||||||
has_bad_ws_options()
|
has_bad_ws_options()
|
||||||
{
|
{
|
||||||
# $1 - nfqws2 opts
|
# $1 - nfqws2 opts
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
std_ports
|
|
||||||
ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
|
ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
|
||||||
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
IPSET_EXCLUDE="-m set ! --match-set nozapret"
|
||||||
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
|
||||||
|
IPSET_PORTS_NAME=zport
|
||||||
|
|
||||||
ipt()
|
ipt()
|
||||||
{
|
{
|
||||||
@@ -227,6 +227,16 @@ fw_reverse_nfqws_rule()
|
|||||||
fw_reverse_nfqws_rule6 $1 "$3" $4
|
fw_reverse_nfqws_rule6 $1 "$3" $4
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ipt_port_ipset()
|
||||||
|
{
|
||||||
|
# $1 - ipset name
|
||||||
|
# $2 - ports
|
||||||
|
ipset -q flush $1 || {
|
||||||
|
ipset create $1 bitmap:port range 0-65535 || return
|
||||||
|
}
|
||||||
|
echo "$2" | tr ',' '\n' | sed -nEe "s/^.+$/add $1 &/p" | ipset -! restore
|
||||||
|
}
|
||||||
|
|
||||||
ipt_first_packets()
|
ipt_first_packets()
|
||||||
{
|
{
|
||||||
# $1 - packet count
|
# $1 - packet count
|
||||||
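Review bot: ipt_port_ipset documents `$1` and `$2` but not the format of `$2`, which is exactly what this commit changes: the callers in zapret_do_firewall_standard_nfqws_rules_ipt now pass `$NFQWS2_PORTS_TCP` unconverted instead of the `:`-converted `_IPT` variant, so the list is comma separated and ranges must use the `a-b` form that bitmap:port accepts. Suggest `# $2 - comma separated ports and a-b ranges (bitmap:port syntax)` under the existing `# $2 - ports`. It is also worth a comment that the function's exit status is that of the pipeline, i.e. of `ipset -! restore`, and that the only other nonzero path is the `|| return` after a failed create, since `flush` itself runs with `-q` and its failure is taken to mean "set does not exist yet".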
@@ -239,12 +249,17 @@ ipt_do_nfqws_in_out()
|
|||||||
# $3 - ports
|
# $3 - ports
|
||||||
# $4 - PKT_OUT. special value : 'keepalive'
|
# $4 - PKT_OUT. special value : 'keepalive'
|
||||||
# $5 - PKT_IN
|
# $5 - PKT_IN
|
||||||
local f4 f6 first_packets_only
|
local f4 f6 first_packets_only ipset
|
||||||
[ -n "$3" ] || return
|
[ -n "$3" ] || return
|
||||||
|
ipset=${IPSET_PORTS_NAME}_$2
|
||||||
|
[ "$4" = keepalive ] && ipset="${ipset}_k"
|
||||||
|
[ "$1" = 1 ] && {
|
||||||
|
ipt_port_ipset $ipset "$3" || return
|
||||||
|
}
|
||||||
[ -n "$4" -a "$4" != 0 ] &&
|
[ -n "$4" -a "$4" != 0 ] &&
|
||||||
{
|
{
|
||||||
first_packets_only="$(ipt_first_packets $4)"
|
first_packets_only="$(ipt_first_packets $4)"
|
||||||
f4="-p $2 -m multiport --dports $3 $first_packets_only"
|
f4="-p $2 -m set --match-set $ipset dst $first_packets_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_nfqws_post $1 "$f4" "$f6" $QNUM
|
fw_nfqws_post $1 "$f4" "$f6" $QNUM
|
||||||
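Review bot: The set name built on `ipset=${IPSET_PORTS_NAME}_$2` depends only on the protocol and the keepalive flag, and ipt_port_ipset flushes that set on every add, so a second ipt_do_nfqws_in_out call for the same protocol/keepalive pair (from custom scripts, for instance — not visible here) makes the first call's `-m set --match-set $ipset dst` rules silently match the second call's port list; the replaced `-m multiport --dports $3` form carried its own port list per rule. If one call per pair is the intended contract, say so on the assignment, e.g. `# one set per proto/keepalive pair; a second add for the same pair replaces the first call's ports`; otherwise fold a caller-supplied tag into the set name. The function body continues past this hunk.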
@@ -252,11 +267,12 @@ ipt_do_nfqws_in_out()
|
|||||||
[ -n "$5" -a "$5" != 0 ] &&
|
[ -n "$5" -a "$5" != 0 ] &&
|
||||||
{
|
{
|
||||||
first_packets_only="$(ipt_first_packets $5)"
|
first_packets_only="$(ipt_first_packets $5)"
|
||||||
f4="-p $2 -m multiport --dports $3 $first_packets_only"
|
f4="-p $2 -m set --match-set $ipset dst $first_packets_only"
|
||||||
f6=$f4
|
f6=$f4
|
||||||
filter_apply_ipset_target f4 f6
|
filter_apply_ipset_target f4 f6
|
||||||
fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
|
fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
|
||||||
}
|
}
|
||||||
|
[ "$1" = 1 ] || ipset -q destroy $ipset
|
||||||
}
|
}
|
||||||
|
|
||||||
zapret_do_firewall_standard_nfqws_rules_ipt()
|
zapret_do_firewall_standard_nfqws_rules_ipt()
|
||||||
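Review bot: `[ "$1" = 1 ] || ipset -q destroy $ipset` runs after the rule removals, but `-q` also hides the case where a rule still references the set and destroy fails, so a `zport_*` set can linger until the next add flushes it through ipt_port_ipset. That is probably acceptable as best-effort cleanup; if it is not, report the failure instead of hiding it: `[ "$1" = 1 ] || ipset -q destroy $ipset || echo "ipset $ipset still referenced, not destroyed"`. The start of ipt_do_nfqws_in_out is outside this hunk.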
@@ -264,10 +280,10 @@ zapret_do_firewall_standard_nfqws_rules_ipt()
|
|||||||
# $1 - 1 - add, 0 - del
|
# $1 - 1 - add, 0 - del
|
||||||
|
|
||||||
[ "$NFQWS2_ENABLE" = 1 ] && {
|
[ "$NFQWS2_ENABLE" = 1 ] && {
|
||||||
ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_IPT" "$NFQWS2_TCP_PKT_OUT" "$NFQWS2_TCP_PKT_IN"
|
ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP" "$NFQWS2_TCP_PKT_OUT" "$NFQWS2_TCP_PKT_IN"
|
||||||
ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS2_TCP_PKT_IN"
|
ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS2_TCP_PKT_IN"
|
||||||
ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_IPT" "$NFQWS2_UDP_PKT_OUT" "$NFQWS2_UDP_PKT_IN"
|
ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP" "$NFQWS2_UDP_PKT_OUT" "$NFQWS2_UDP_PKT_IN"
|
||||||
ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS2_UDP_PKT_IN"
|
ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS2_UDP_PKT_IN"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
zapret_do_firewall_standard_rules_ipt()
|
zapret_do_firewall_standard_rules_ipt()
|
||||||
|
|||||||
@@ -3,7 +3,6 @@ nft_connbytes="ct original packets"
|
|||||||
|
|
||||||
# required for : nft -f -
|
# required for : nft -f -
|
||||||
create_dev_stdin
|
create_dev_stdin
|
||||||
std_ports
|
|
||||||
|
|
||||||
nft_create_table()
|
nft_create_table()
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -236,3 +236,4 @@ zapret-auto: per_instance_condition orchestrator
|
|||||||
zapret-auto: "instances" argument in condition orchestrator
|
zapret-auto: "instances" argument in condition orchestrator
|
||||||
zapret-auto: cond_tcp_has_ts, cond_lua iff functions
|
zapret-auto: cond_tcp_has_ts, cond_lua iff functions
|
||||||
zapret-lib: replay_execution_plan and plan_clear max parameter
|
zapret-lib: replay_execution_plan and plan_clear max parameter
|
||||||
|
init.d: use bitmap:port ipset for standard dports
|
||||||
|
|||||||
@@ -56,6 +56,7 @@ volatile sig_atomic_t bQuit = false;
|
|||||||
|
|
||||||
static void onhup(int sig)
|
static void onhup(int sig)
|
||||||
{
|
{
|
||||||
|
// async safe
|
||||||
if (bQuit) return;
|
if (bQuit) return;
|
||||||
|
|
||||||
const char *msg = "HUP received ! Lists will be reloaded.\n";
|
const char *msg = "HUP received ! Lists will be reloaded.\n";
|
||||||
@@ -84,6 +85,7 @@ static void ReloadCheck()
|
|||||||
|
|
||||||
static void onusr1(int sig)
|
static void onusr1(int sig)
|
||||||
{
|
{
|
||||||
|
// this is debug-only signal. no async safety
|
||||||
if (bQuit) return;
|
if (bQuit) return;
|
||||||
|
|
||||||
printf("\nCONNTRACK DUMP\n");
|
printf("\nCONNTRACK DUMP\n");
|
||||||
@@ -92,6 +94,7 @@ static void onusr1(int sig)
|
|||||||
}
|
}
|
||||||
static void onusr2(int sig)
|
static void onusr2(int sig)
|
||||||
{
|
{
|
||||||
|
// this is debug-only signal. no async safety
|
||||||
if (bQuit) return;
|
if (bQuit) return;
|
||||||
|
|
||||||
printf("\nHOSTFAIL POOL DUMP\n");
|
printf("\nHOSTFAIL POOL DUMP\n");
|
||||||
@@ -108,6 +111,7 @@ static void onusr2(int sig)
|
|||||||
}
|
}
|
||||||
static void onint(int sig)
|
static void onint(int sig)
|
||||||
{
|
{
|
||||||
|
// theoretically lua_sethook is not async-safe. but it's one-time signal
|
||||||
if (bQuit) return;
|
if (bQuit) return;
|
||||||
const char *msg = "INT received !\n";
|
const char *msg = "INT received !\n";
|
||||||
size_t wr = write(1, msg, strlen(msg));
|
size_t wr = write(1, msg, strlen(msg));
|
||||||
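Review bot: `size_t wr = write(1, msg, strlen(msg));` stores the ssize_t result of write() in an unsigned variable, so a -1 failure becomes SIZE_MAX; if `wr` exists only to silence the unused-result warning this is harmless, but `ssize_t wr = write(1, msg, strlen(msg));` is the matching type and keeps any later comparison meaningful. The same line appears in onterm in the next hunk. The new comment's claim about lua_sethook refers to code outside this hunk, as is the rest of the handler body.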
@@ -116,6 +120,7 @@ static void onint(int sig)
|
|||||||
}
|
}
|
||||||
static void onterm(int sig)
|
static void onterm(int sig)
|
||||||
{
|
{
|
||||||
|
// theoretically lua_sethook is not async-safe. but it's one-time signal
|
||||||
if (bQuit) return;
|
if (bQuit) return;
|
||||||
const char *msg = "TERM received !\n";
|
const char *msg = "TERM received !\n";
|
||||||
size_t wr = write(1, msg, strlen(msg));
|
size_t wr = write(1, msg, strlen(msg));
|
||||||
|
|||||||