nft_user_set_counter=
procd_boot_delay=
procd_reload_delay=
+procd_lan_interface=
procd_wan_ignore_status=
procd_wan_interface=
procd_wan6_interface=
uci_get_protocol() { uci_get 'network' "$1" 'proto'; }
is_default_dev() { [ "$1" = "$(ip -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; }
is_disabled_interface() { [ "$(uci_get 'network' "$1" 'disabled')" = '1' ]; }
-is_domain() { ! is_ipv6 "$1" && str_contains "$1" '[a-zA-Z]'; }
+is_domain() { ! is_ipv6 "$1" && ! is_mac_address "$1" && ! is_phys_dev "$1" && str_contains "$1" '[a-zA-Z]'; }
is_dslite() { local p; network_get_protocol p "$1"; [ "${p:0:6}" = "dslite" ]; }
is_family_mismatch() { ( is_ipv4_netmask "${1//!}" && is_ipv6 "${2//!}" ) || ( is_ipv6 "${1//!}" && is_ipv4_netmask "${2//!}" ); }
is_greater() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; }
is_ipv6_unique_local() { [ "${1:0:2}" = 'fc' ] || [ "${1:0:2}" = 'fd' ]; }
is_list() { str_contains "$1" ',' || str_contains "$1" ' '; }
is_ipv4_netmask() { local ip="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4 "$ip"; }
-is_lan() { local d; network_get_device d "$1"; str_contains "$d" 'br-lan'; }
+is_lan() { local d; network_get_device d "$1"; str_contains "$procd_lan_interface" "$d"; }
is_l2tp() { local p; network_get_protocol p "$1"; [ "${p:0:4}" = "l2tp" ]; }
is_mac_address() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev/null; }
is_negation() { [ "${1:0:1}" = '!' ]; }
config_get verbosity 'config' 'verbosity' '2'
config_get procd_boot_delay 'config' 'procd_boot_delay' '0'
config_get procd_boot_timeout 'config' 'procd_boot_timeout' '30'
+ config_get procd_lan_interface 'config' 'procd_lan_interface' 'br-lan'
config_get procd_wan_ignore_status 'config' 'procd_wan_ignore_status' '0'
config_get procd_wan_interface 'config' 'procd_wan_interface' 'wan'
config_get procd_wan6_interface 'config' 'procd_wan6_interface' 'wan6'
state add 'errorSummary' 'errorDefaultFw4TableMissing' 'fw4'
return 1
fi
- if is_config_enabled 'dns_policy'; then
- if ! nft_call list chain inet fw4 dstnat_lan; then
- state add 'errorSummary' 'errorDefaultFw4ChainMissing' 'dstnat_lan'
+ if is_config_enabled 'dns_policy' || is_tor_running; then
+ if ! nft_call list chain inet fw4 dstnat; then
+ state add 'errorSummary' 'errorDefaultFw4ChainMissing' 'dstnat'
return 1
fi
fi
cleanup_main_chains() {
local i j
- for i in $chainsList dstnat_lan; do
+ for i in $chainsList dstnat; do
i="$(str_to_lower "$i")"
nft_call flush chain inet "$nftTable" "${nftPrefix}_${i}"
done
local negation value dest4 dest6 first_value
local inline_set_ipv4_empty_flag inline_set_ipv6_empty_flag
local name="$1" src_addr="$2" dest_dns="$3" uid="$4"
- local chain='dstnat_lan' iface='dns'
+ local chain='dstnat' iface='dns'
if [ -z "${dest_dns_ipv4}${dest_dns_ipv6}" ]; then
processPolicyError='true'
unset param4
unset param6
- dest4="dport 53 counter dnat ip to ${dest_dns_ipv4}:53"
- dest6="dport 53 counter dnat ip6 to ${dest_dns_ipv6}:53"
+ dest4="dport 53 dnat ip to ${dest_dns_ipv4}:53"
+ dest6="dport 53 dnat ip6 to ${dest_dns_ipv6}:53"
if [ -n "$src_addr" ]; then
if [ "${src_addr:0:1}" = "!" ]; then
fi
fi
- param4="$nftInsertOption rule inet ${nftTable} ${nftPrefix}_${chain} ${param4} ${proto_i} ${nft_rule_params} ${dest4} comment \"$name\""
- param6="$nftInsertOption rule inet ${nftTable} ${nftPrefix}_${chain} ${param6} ${proto_i} ${nft_rule_params} ${dest6} comment \"$name\""
+ param4="$nftInsertOption rule inet ${nftTable} ${nftPrefix}_${chain} ${param4} ${nft_rule_params} meta nfproto ipv4 ${proto_i} ${dest4} comment \"$name\""
+ param6="$nftInsertOption rule inet ${nftTable} ${nftPrefix}_${chain} ${param6} ${nft_rule_params} meta nfproto ipv6 ${proto_i} ${dest6} comment \"$name\""
local ipv4_error='0' ipv6_error='0'
if [ "$policy_routing_nft_prev_param4" != "$param4" ] && \
local dest_udp_53 dest_tcp_80 dest_udp_80 dest_tcp_443 dest_udp_443
local ipv4_error='0' ipv6_error='0'
local dest_i dest4 dest6
- param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} dstnat meta nfproto ipv4 $param4"
- param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} dstnat meta nfproto ipv6 $param6"
- dest_udp_53="udp dport 53 counter redirect to :${torDnsPort} comment 'Tor-DNS-UDP'"
- dest_tcp_80="tcp dport 80 counter redirect to :${torTrafficPort} comment 'Tor-HTTP-TCP'"
- dest_udp_80="udp dport 80 counter redirect to :${torTrafficPort} comment 'Tor-HTTP-UDP'"
- dest_tcp_443="tcp dport 443 counter redirect to :${torTrafficPort} comment 'Tor-HTTPS-TCP'"
- dest_udp_443="udp dport 443 counter redirect to :${torTrafficPort} comment 'Tor-HTTPS-UDP'"
+ chain='dstnat'
+ param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} ${nft_rule_params} meta nfproto ipv4 $param4"
+ param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} ${nft_rule_params} meta nfproto ipv6 $param6"
+ dest_udp_53="udp dport 53 redirect to :${torDnsPort} comment 'Tor-DNS-UDP'"
+ dest_tcp_80="tcp dport 80 redirect to :${torTrafficPort} comment 'Tor-HTTP-TCP'"
+ dest_udp_80="udp dport 80 redirect to :${torTrafficPort} comment 'Tor-HTTP-UDP'"
+ dest_tcp_443="tcp dport 443 redirect to :${torTrafficPort} comment 'Tor-HTTPS-TCP'"
+ dest_udp_443="udp dport 443 redirect to :${torTrafficPort} comment 'Tor-HTTPS-UDP'"
for dest_i in dest_udp_53 dest_tcp_80 dest_udp_80 dest_tcp_443 dest_udp_443; do
eval "dest4=\$$dest_i"
eval "dest6=\$$dest_i"
nft6 "$param6" || ipv6_error='1'
policy_routing_nft_prev_param6="$param6"
fi
-
if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
processPolicyError='true'
state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
json_close_object
}
-interface_process() {
+process_interface() {
local gw4 gw6 dev dev6 s=0 dscp iface="$1" action="$2" reloadedIface="$3"
local displayText dispDev dispGw4 dispGw6 dispStatus
load_environment "${param:-on_start}" "$(load_validate_config)" || return 1
is_wan_up "$param" || return 1
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'pre_init'
+ process_interface 'all' 'prepare'
+ config_foreach process_interface 'interface' 'pre_init'
case "$param" in
on_boot)
on_interface_reload)
output 1 "Reloading Interface: $reloadedIface "
json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'reload_interface' "$reloadedIface"
+ process_interface 'all' 'prepare'
+ config_foreach process_interface 'interface' 'reload_interface' "$reloadedIface"
json_close_array
output 1 '\n'
;;
nft_file 'create'
output 1 'Processing interfaces '
json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create'
- interface_process 'tor' 'destroy'
- is_tor_running && interface_process 'tor' 'create'
+ process_interface 'all' 'prepare'
+ config_foreach process_interface 'interface' 'create'
+ process_interface 'tor' 'destroy'
+ is_tor_running && process_interface 'tor' 'create'
json_close_array
ip route flush cache
output 1 '\n'
output 1 '\n'
fi
if is_config_enabled 'include' || [ -d "/etc/${packageName}.d/" ]; then
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create_user_set'
+ process_interface 'all' 'prepare'
+ config_foreach process_interface 'interface' 'create_user_set'
output 1 'Processing user file(s) '
config_load "$packageName"
config_foreach load_validate_include 'include' user_file_process
cleanup_marking_chains
output 1 'Resetting interfaces '
config_load 'network'
- config_foreach interface_process 'interface' 'destroy'
- interface_process 'tor' 'destroy'
+ config_foreach process_interface 'interface' 'destroy'
+ process_interface 'tor' 'destroy'
cleanup_rt_tables
output 1 "\\n"
ip route flush cache
fi
echo "$_SEPARATOR_"
echo "$packageName chains - policies"
- for i in $chainsList dstnat_lan; do
+ for i in $chainsList dstnat; do
"$nft" -a list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p"
done
echo "$_SEPARATOR_"
'procd_boot_delay:integer:0' \
'procd_boot_timeout:integer:30' \
'procd_reload_delay:integer:0' \
+ 'procd_lan_interface:list(or(network)):br-lan' \
'procd_wan_ignore_status:bool:0' \
'procd_wan_interface:network:wan' \
'procd_wan6_interface:network:wan6' \
#!/bin/sh
-# This file is heavily based on code from https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh
-
-TARGET_INTERFACE='wan'
-TARGET_NFTSET_4="pbr_${TARGET_INTERFACE}_4_dst_ip_user"
-TARGET_NFTSET_6="pbr_${TARGET_INTERFACE}_6_dst_ip_user"
+# shellcheck disable=SC2015,SC3003,SC3060
+TARGET_URL='https://ip-ranges.amazonaws.com/ip-ranges.json'
+TARGET_DL_FILE='/var/pbr_tmp_aws_ip_ranges.gz'
TARGET_TABLE='inet fw4'
-TARGET_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"
-TARGET_DL_FILE_4="/var/pbr_tmp_aws_ip_ranges.ipv4"
-# Uncomment the following line if you enabled ipv6 for pbr and want IPv6 entries added to the IPv6 set
-# TARGET_DL_FILE_6="/var/pbr_tmp_aws_ip_ranges.ipv6"
-_ret=0
+TARGET_INTERFACE='wan'
+
+_ret=1
-if [ ! -s "$TARGET_DL_FILE_4" ]; then
- uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ip_prefix" | sed 's/^.*\"ip_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_4"
-fi
+mkdir -p "${TARGET_DL_FILE%/*}"
-if [ -s "$TARGET_DL_FILE_4" ]; then
- params=
- while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_4"
- [ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_4 { $params }" || _ret=1
-fi
+[ -s "$TARGET_DL_FILE" ] || \
+ uclient-fetch --no-check-certificate -qO- "$TARGET_URL" | \
+ gzip > "$TARGET_DL_FILE"
-if [ -n "$TARGET_DL_FILE_6" ] && [ ! -s "$TARGET_DL_FILE_6" ]; then
- uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | grep "ipv6_prefix" | sed 's/^.*\"ipv6_prefix\": \"//; s/\",//' > "$TARGET_DL_FILE_6"
-fi
+[ "$(uci get pbr.config.ipv6_enabled)" = "1" ] && vers="4 6" || vers="4"
-if [ -s "$TARGET_DL_FILE_6" ]; then
- params=
- while read -r p; do params="${params:+$params, }${p}"; done < "$TARGET_DL_FILE_6"
- [ -n "$params" ] && nft "add element $TARGET_TABLE $TARGET_NFTSET_6 { $params }" || _ret=1
-fi
+for ver in $vers;do
+ case "$ver" in
+ 4) search='@.prefixes[*].ip_prefix';;
+ 6) search='@.ipv6_prefixes[*].ipv6_prefix';;
+ esac
+ params="$(zcat "$TARGET_DL_FILE" | jsonfilter -e "$search")"
+ [ -n "$params" ] && _ret=0 || continue
+ nftset="pbr_${TARGET_INTERFACE}_${ver}_dst_ip_user"
+ nft "add element $TARGET_TABLE $nftset { ${params//$'\n'/, } }" || _ret=1
+done
return $_ret
projects / feed / packages.git / commitdiff