From 0ef19aa2fe40344f21d6ce4bf1cfc4250e9e9f15 Mon Sep 17 00:00:00 2001 From: ShanStone <31815718+ShanStone@users.noreply.github.com> Date: Wed, 7 Jun 2023 01:00:40 +0800 Subject: [PATCH] luci: fix --- luci-app-passwall/Makefile | 2 +- .../luasrc/passwall/server_app.lua | 25 +-- .../root/usr/share/passwall/nftables.sh | 185 +++++++++--------- 3 files changed, 111 insertions(+), 101 deletions(-) diff --git a/luci-app-passwall/Makefile b/luci-app-passwall/Makefile index 8f8b4234f..f55c18cb3 100644 --- a/luci-app-passwall/Makefile +++ b/luci-app-passwall/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall -PKG_VERSION:=4.66-6 +PKG_VERSION:=4.66-7 PKG_RELEASE:= PKG_CONFIG_DEPENDS:= \ diff --git a/luci-app-passwall/luasrc/passwall/server_app.lua b/luci-app-passwall/luasrc/passwall/server_app.lua index 9d1382599..f574e9db9 100644 --- a/luci-app-passwall/luasrc/passwall/server_app.lua +++ b/luci-app-passwall/luasrc/passwall/server_app.lua @@ -8,6 +8,7 @@ local jsonc = api.jsonc local CONFIG = "passwall_server" local CONFIG_PATH = "/tmp/etc/" .. CONFIG +local NFT_INCLUDE_FILE = CONFIG_PATH .. "/" .. CONFIG .. ".nft" local LOG_APP_FILE = "/tmp/log/" .. CONFIG .. ".log" local TMP_BIN_PATH = CONFIG_PATH .. "/bin" local require_dir = "luci.passwall." @@ -49,11 +50,6 @@ end local function gen_include() cmd(string.format("echo '#!/bin/sh' > /tmp/etc/%s.include", CONFIG)) - if nft_flag == "1" then - cmd("echo \"\" > " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft") - local nft_cmd = "for chain in $(nft -a list chains |grep -E \"chain PSW-SERVER\" |awk -F ' ' '{print$2}'); do\n nft list chain inet fw4 ${chain} >> " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n done" - cmd(nft_cmd) - end local function extract_rules(n, a) local _ipt = ipt_bin if n == "6" then 
@@ -77,8 +73,7 @@ local function gen_include() f:write("EOT" .. "\n") f:close() else - f:write("nft -f " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n") - f:write("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER") + f:write("nft -f " .. NFT_INCLUDE_FILE .. "\n") f:close() end end @@ -97,8 +92,11 @@ local function start() ip6t("-N PSW-SERVER") ip6t("-I INPUT -j PSW-SERVER") else - cmd("nft add chain inet fw4 PSW-SERVER\n") - cmd("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER") + nft_file, err = io.open(NFT_INCLUDE_FILE, "w") + nft_file:write('#!/usr/sbin/nft -f\n') + nft_file:write('add chain inet fw4 PSW-SERVER\n') + nft_file:write('flush chain inet fw4 PSW-SERVER\n') + nft_file:write('insert rule inet fw4 input position 0 jump PSW-SERVER comment "PSW-SERVER"\n') end uci:foreach(CONFIG, "user", function(user) local id = user[".name"] @@ -194,14 +192,19 @@ local function start() ip6t(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks)) end else - cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} accept', port)) + nft_file:write(string.format('add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} counter accept comment "%s"\n', port, remarks)) if udp_forward == 1 then - cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} accept', port)) + nft_file:write(string.format('add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} counter accept comment "%s"\n', port, remarks)) end end end end end) + if nft_flag == "1" then + nft_file:write("add rule inet fw4 PSW-SERVER return\n") + nft_file:close() + cmd("nft -f " .. NFT_INCLUDE_FILE) + end gen_include() end diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh index 41eeafc43..bebcd9005 100755 --- a/luci-app-passwall/root/usr/share/passwall/nftables.sh 
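Review bot: `nft_file, err = io.open(NFT_INCLUDE_FILE, "w")` assigns two globals and the next line calls `nft_file:write` without checking the result, so a failed open (for instance if the `CONFIG_PATH` directory has not been created yet) surfaces as an "attempt to index a nil value" error rather than the `err` message. The same global handle is written in the later hunk at @@ -194 inside the `uci:foreach` callback and closed in the trailing `if nft_flag == "1"` block, so a `local` inside this `else` branch would not be visible there; declare `local nft_file` at the top of `start()` (which begins before this hunk) and open it with an explicit check, e.g. `nft_file = assert(io.open(NFT_INCLUDE_FILE, "w"))`, dropping the unused `err`. Also worth confirming that the condition of the `if` whose `else` this is matches `nft_flag == "1"` exactly, since the close/apply block at the end of `start()` is keyed on that flag and would call `nft_file:close()` on nil if the two ever diverged.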
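Review bot: `remarks` is formatted straight into the generated script's `comment "%s"` field in both new `nft_file:write` lines with no escaping, so a remark containing a double quote, a backslash or a newline yields a syntactically invalid `.nft` file; because `nft -f` applies the file as one transaction, a single bad remark means the PSW-SERVER chain is not populated and every server port stays closed. The value comes from the local UCI config rather than from the network, so this is a robustness issue more than an injection one, but stripping quotes and control characters before formatting avoids a hard-to-diagnose failure: `local safe_remarks = (tostring(remarks or ""):gsub('[%c"\\]', "")):sub(1, 128)`, then pass `safe_remarks` in both calls (the `:sub` guards against nftables' comment length limit, which I believe is 128 characters). `start()` and the `uci:foreach` callback both begin before this hunk.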
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh @@ -20,7 +20,7 @@ NFTSET_BLACKLIST6="passwall_blacklist6" NFTSET_WHITELIST6="passwall_whitelist6" NFTSET_BLOCKLIST6="passwall_blocklist6" -FORCE_INDEX=2 +FORCE_INDEX=0 . /lib/functions/network.sh @@ -377,10 +377,10 @@ load_acl() { } if [ -z "${is_tproxy}" ]; then - nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\"" - nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\"" - nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\"" - [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW_NAT ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\"" + [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\"" else nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" 
@@ -499,11 +499,11 @@ load_acl() { } if [ -z "${is_tproxy}" ]; then - nft "add rule inet fw4 PSW ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" - nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" - nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" - [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\"" - nft "add rule inet fw4 PSW ip protocol tcp counter return comment \"默认\"" + nft "add rule inet fw4 PSW_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" + [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW_NAT ip protocol tcp counter return comment \"默认\"" else nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\"" 
@@ -625,7 +625,7 @@ filter_node() { local ADD_INDEX=$FORCE_INDEX for _ipt in 4 6; do - [ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSLIST + [ "$_ipt" == "4" ] && _ip_type=ip && _set_name=$NFTSET_VPSLIST [ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6 nft "list chain inet fw4 $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}" if [ $? -ne 0 ]; then @@ -641,8 +641,7 @@ filter_node() { dst_rule="return" msg2="直连代理" } - nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address tcp dport $port $dst_rule" 2>/dev/null - nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address udp dport $port $dst_rule" 2>/dev/null + nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX meta l4proto $stream $_ip_type daddr $address $stream dport $port $dst_rule comment \"${address}:${port}\"" 2>/dev/null else msg2="已配置过的节点," fi @@ -774,8 +773,8 @@ add_firewall_rule() { local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect) if [ "$tcp_proxy_way" = "redirect" ]; then unset is_tproxy - nft_prerouting_chain="PSW" - nft_output_chain="PSW_OUTPUT" + nft_prerouting_chain="PSW_NAT" + nft_output_chain="PSW_OUTPUT_NAT" elif [ "$tcp_proxy_way" = "tproxy" ]; then is_tproxy="TPROXY" nft_prerouting_chain="PSW_MANGLE" 
@@ -823,21 +822,21 @@ add_firewall_rule() { #ipv4 tcp redirect mode [ -z "${is_tproxy}" ] && { - nft "add chain inet fw4 PSW" - nft "flush chain inet fw4 PSW" - nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANLIST counter return" - nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSLIST counter return" - nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return" - nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop" - nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW" + nft "add chain inet fw4 PSW_NAT" + nft "flush chain inet fw4 PSW_NAT" + nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_LANLIST counter return" + nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_WHITELIST counter return" + nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_BLOCKLIST counter drop" + nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT" - nft "add chain inet fw4 PSW_OUTPUT" - nft "flush chain inet fw4 PSW_OUTPUT" - nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANLIST counter return" - nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSLIST counter return" - nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return" - nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return" - nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop" + nft "add chain inet fw4 PSW_OUTPUT_NAT" + nft "flush chain inet fw4 PSW_OUTPUT_NAT" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_WHITELIST counter return" + nft "add rule inet fw4 PSW_OUTPUT_NAT meta mark 0xff counter return" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_BLOCKLIST counter drop" } #icmp ipv6-icmp redirect 
@@ -860,7 +859,7 @@ add_firewall_rule() { WAN_IP=$(get_wan_ip) if [ -n "${WAN_IP}" ]; then - [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" + [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW_NAT ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" fi unset WAN_IP @@ -886,7 +885,7 @@ add_firewall_rule() { # jump chains [ "$PROXY_IPV6" == "1" ] && { nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6" - nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\"" + nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"PSW_OUTPUT_MANGLE\"" WAN6_IP=$(get_wan6_ip) [ -n "${WAN6_IP}" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr ${WAN6_IP} counter return comment \"WAN6_IP_RETURN\"" @@ -962,7 +961,7 @@ add_firewall_rule() { return 0 } if [ -z "${is_tproxy}" ]; then - nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT) + nft add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT) else nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\" 
@@ -986,12 +985,12 @@ add_firewall_rule() { if [ -z "${is_tproxy}" ]; then [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && { - nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)" - nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)" - nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)" - [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)" + nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)" + [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)" } - nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT" + nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT" else [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && { nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE" 
@@ -1001,7 +1000,7 @@ add_firewall_rule() { nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\"" } nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\"" - nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" + nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\"" fi [ "$PROXY_IPV6" == "1" ] && { @@ -1051,7 +1050,7 @@ add_firewall_rule() { nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\"" } nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\"" - nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" + nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\"" [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && { @@ -1064,8 +1063,8 @@ add_firewall_rule() { } fi - nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\"" - nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\"" + nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\"" + nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\"" nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return" nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return" 
@@ -1093,14 +1092,14 @@ add_firewall_rule() { } del_firewall_rule() { - for nft in "input" "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do - local handles=$(nft -a list chain inet fw4 ${nft} 2>/dev/null | grep -E "PSW" | awk -F '# handle ' '{print$2}') + for nft in "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do + local handles=$(nft -a list chain inet fw4 ${nft} 2>/dev/null | grep -E "PSW_" | awk -F '# handle ' '{print$2}') for handle in $handles; do nft delete rule inet fw4 ${nft} handle ${handle} 2>/dev/null done done - for handle in $(nft -a list chains | grep -E "chain PSW" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do + for handle in $(nft -a list chains | grep -E "chain PSW_" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do nft delete chain inet fw4 handle ${handle} 2>/dev/null done 
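Review bot: The rewritten loop header `for nft in "forward" "dstnat" ...; do` names its variable after the `nft` command that the body invokes (`nft delete rule inet fw4 ${nft} handle ${handle}`), which reads as if the command itself were being parameterised; since the line is changed anyway, `for chain in "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do` with `${chain}` in the two `nft` calls makes the intent plain. Dropping `input` from the list means a leftover `jump PSW-SERVER` rule in the input chain is no longer removed here; that looks intentional now that server_app.lua writes its own `.nft` file, but a comment such as `# input chain (PSW-SERVER) is owned by server_app.lua` would record it. Note that `grep -E "PSW_"` also matches rules whose only PSW_ text is a comment, which is what the new `PSW_OUTPUT_MANGLE` comments on the `oif lo` and `meta mark 1` return rules rely on for cleanup.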
@@ -1147,62 +1146,70 @@ flush_include() { } gen_include() { - local nft_chain_file=$TMP_PATH/PSW.nft - echo "" > $nft_chain_file - for chain in $(nft -a list chains | grep -E "chain PSW" |awk -F ' ' '{print$2}'); do + local nft_chain_file=$TMP_PATH/PSW_RULE.nft + local nft_set_file=$TMP_PATH/PSW_SETS.nft + echo "#!/usr/sbin/nft -f" > $nft_chain_file + echo "#!/usr/sbin/nft -f" > $nft_set_file + for chain in $(nft -a list chains | grep -E "chain PSW_" | awk -F ' ' '{print$2}'); do nft list chain inet fw4 ${chain} >> $nft_chain_file done + for set_name in $(nft -a list sets | grep -E "set passwall_" | awk -F ' ' '{print$2}'); do + nft list set inet fw4 ${set_name} >> $nft_set_file + done + local __nft=" " - [ -z "${nft}" ] && { - __nft=$(cat <<- EOF - nft -f ${nft_chain_file} + __nft=$(cat <<- EOF - nft "add rule inet fw4 dstnat jump PSW_REDIRECT" + [ -z "\$(nft list sets 2>/dev/null | grep "passwall_")" ] && nft -f ${nft_set_file} + [ -z "\$(nft list chain inet fw4 nat_output 2>/dev/null)" ] && nft "add chain inet fw4 nat_output { type nat hook output priority -1; }" + nft -f ${nft_chain_file} - [ "$accept_icmp" == "1" ] && { - nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT" - nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT" - } + nft "add rule inet fw4 dstnat jump PSW_REDIRECT" - [ -z "${is_tproxy}" ] && { - PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW WAN_IP_RETURN -1) - if [ \$PR_INDEX -ge 0 ]; then - WAN_IP=\$(${MY_PATH} get_wan_ip) - [ ! 
-z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\"" - fi - nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW" - nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT" - } + [ "$accept_icmp" == "1" ] && { + nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT" + nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT" + } - [ -n "${is_tproxy}" ] && { - PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE WAN_IP_RETURN -1) - if [ \$PR_INDEX -ge 0 ]; then - WAN_IP=\$(${MY_PATH} get_wan_ip) - [ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\"" - fi - nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE" - nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" - } - \$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT") + [ -z "${is_tproxy}" ] && { + PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_NAT WAN_IP_RETURN -1) + if [ \$PR_INDEX -ge 0 ]; then + WAN_IP=\$(sh ${MY_PATH} get_wan_ip) + [ ! 
-z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_NAT handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\"" + fi + nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT" + nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT" + } - [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" + [ -n "${is_tproxy}" ] && { + PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE WAN_IP_RETURN -1) + if [ \$PR_INDEX -ge 0 ]; then + WAN_IP=\$(sh ${MY_PATH} get_wan_ip) + [ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\"" + fi + nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE" + nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\"" + } + \$(sh ${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT") - [ "$PROXY_IPV6" == "1" ] && { - PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE_V6 WAN6_IP_RETURN -1) - if [ \$PR_INDEX -ge 0 ]; then - WAN6_IP=\$(${MY_PATH} get_wan6_ip) - [ ! 
-z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" counter return comment \"WAN6_IP_RETURN\"" - fi - nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6" - nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\"" - } + [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\"" + + [ "$PROXY_IPV6" == "1" ] && { + PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE_V6 WAN6_IP_RETURN -1) + if [ \$PR_INDEX -ge 0 ]; then + WAN6_IP=\$(sh ${MY_PATH} get_wan6_ip) + [ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" counter return comment \"WAN6_IP_RETURN\"" + fi + nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6" + nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"PSW_OUTPUT_MANGLE\"" + } + + nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\"" + nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\"" + EOF + ) - nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\"" - nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\"" - EOF - ) - } cat <<-EOF >> $FWI ${__nft} EOF