mptcp/openmptcprouter-feeds
1
0
Fork 0
mirror of https://github.com/Ysurac/openmptcprouter-feeds.git synced 2025-02-14 19:41:51 +00:00
Code Issues Releases Wiki Activity

Use iptables-legacy instead of iptables

Browse source
This commit is contained in:
Ycarus (Yannick Chabanois) 2022-09-25 19:02:32 +02:00
parent ca45d952c2
commit 827a93c478
10 changed files with 233 additions and 132 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

168
luci-app-omr-bypass/root/etc/init.d/omr-bypass
View file

@ -8,6 +8,22 @@ EXTRA_COMMANDS="reload_rules bypass_asn"
. /usr/lib/unbound/iptools.sh
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLES="/usr/sbin/iptables-legacy"
IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore"
IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
IP6TABLES="/usr/sbin/ip6tables-legacy"
IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore"
IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save"
else
IPTABLES="/usr/sbin/iptables"
IPTABLESRESTORE="/usr/sbin/iptables-restore"
IPTABLESSAVE="/usr/sbin/iptables-save"
IP6TABLES="/usr/sbin/ip6tables"
IP6TABLESRESTORE="/usr/sbin/ip6tables-restore"
IP6TABLESSAVE="/usr/sbin/ip6tables-save"
fi
_add_proto() {
protoname=$1
[ -z "$protoname" ] && return
@ -135,26 +151,26 @@ _bypass_mac() {
[ -z "$intf" ] && intf="all"
[ -z "$mac" ] && return
if [ "$intf" = "all" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -m mac --mac-source $mac -j MARK --set-mark 0x6539
COMMIT
EOF
fi
else
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539$intfid
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -m mac --mac-source $mac -j MARK --set-mark 0x6539$intfid
COMMIT
@ -181,18 +197,18 @@ _bypass_lan_ip() {
valid_ip6=$(valid_subnet6 $ip)
if [ "$intf" = "all" ]; then
if [ "$valid_ip4" = "ok" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass -s $ip -j MARK --set-mark 0x539
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local -s $ip -j MARK --set-mark 0x539
COMMIT
EOF
elif [ "$valid_ip6" = "ok" ] && [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -s $ip -j MARK --set-mark 0x6539
COMMIT
@ -200,18 +216,18 @@ _bypass_lan_ip() {
fi
else
if [ "$valid_ip4" = "ok" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass -s $ip -j MARK --set-mark 0x539$intfid
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local -s $ip -j MARK --set-mark 0x539$intfid
COMMIT
EOF
elif [ "$valid_ip6" = "ok" ] && [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -s $ip -j MARK --set-mark 0x6539$intfid
COMMIT
@ -239,36 +255,36 @@ _bypass_dest_port() {
dport="$(echo $dport | sed 's/-/:/')"
[ -z "$proto" ] && return
if [ "$intf" = "all" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 --protocol $proto --destination-port $dport -j MARK --set-mark 0x6539
COMMIT
EOF
fi
else
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 --protocol $proto --destination-port $dport -j MARK --set-mark 0x6539$intfid
COMMIT
@ -296,36 +312,36 @@ _bypass_src_port() {
sport="$(echo $sport | sed 's/-/:/')"
[ -z "$proto" ] && return
if [ "$intf" = "all" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 --protocol $proto --source-port $sport -j MARK --set-mark 0x6539
COMMIT
EOF
fi
else
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 --protocol $proto --source-port $sport -j MARK --set-mark 0x6539$intfid
COMMIT
@ -351,14 +367,14 @@ _bypass_proto() {
[ -z "$proto" ] && return
if [ "$(uci -q get openmptcprouter.settings.ndpi)" != "0" ] && [ "$ndpi" != "0" ]; then
if [ "$intf" = "all" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-dpi -m ndpi --proto $proto -j MARK --set-mark 0x539
-A omr-bypass-dpi -m mark --mark 0x539 -j RETURN
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6-dpi -m ndpi --proto $proto -j MARK --set-mark 0x6539
-A omr-bypass6-dpi -m mark --mark 0x6539 -j RETURN
@ -366,14 +382,14 @@ _bypass_proto() {
EOF
fi
else
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-dpi -m ndpi --proto $proto -j MARK --set-mark 0x539$intfid
-A omr-bypass-dpi -m mark --mark 0x539$intfid -j RETURN
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6-dpi -m ndpi --proto $proto -j MARK --set-mark 0x6539$intfid
-A omr-bypass6-dpi -m mark --mark 0x6539$intfid -j RETURN
@ -425,24 +441,24 @@ _bypass_proto() {
_intf_rule_ss_rules() {
rule_name=$1
[ "$rule_name" = "ss_rules" ] && rule_name="def"
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_dst)" != "" ] && [ "$(iptables-save 2>/dev/null | grep ssr_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_dst)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I ssr_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN
COMMIT
EOF
fi
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_local_out)" != "" ] && [ "$(iptables-save 2>/dev/null | grep ssr_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_local_out)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I ssr_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I ssr_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
COMMIT
EOF
fi
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables-save 2>/dev/null | grep ssr_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I ssr_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I ssr_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
@ -450,15 +466,15 @@ _intf_rule_ss_rules() {
EOF
fi
if [ "$disableipv6" = "0" ]; then
if [ "$(ip6tables --wait=40 -t mangle -L -n | grep omr6_dst_bypass_$intf)" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep omr6_dst_bypass_$intf)" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
COMMIT
EOF
fi
if [ "$(ip6tables --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables-save 2>/dev/null | grep ssr6 | grep omr6_dst_bypass_$intf)" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLESSAVE 2>/dev/null | grep ssr6 | grep omr6_dst_bypass_$intf)" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
-I ssr6_${rule_name}_dst 2 -m mark --mark 0x6539$count -j RETURN
@ -476,24 +492,24 @@ _intf_rule_v2ray_rules() {
#rule_name=$1
#[ "$rule_name" = "ss_rules" ] && rule_name="def"
rule_name="def"
if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_dst)" != "" ] && [ "$(iptables-save 2>/dev/null | grep v2r_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_dst)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep v2r_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I v2r_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I v2r_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN
COMMIT
EOF
fi
if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_local_out)" != "" ] && [ "$(iptables-save 2>/dev/null | grep v2r_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_local_out)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep v2r_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I v2r_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I v2r_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
COMMIT
EOF
fi
if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$(iptables-save 2</dev/null | grep v2r_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLESSAVE 2</dev/null | grep v2r_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I v2r_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I v2r_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
@ -503,15 +519,15 @@ _intf_rule_v2ray_rules() {
if [ "$disableipv6" = "0" ]; then
if [ "$(ip6tables-save | grep omr-bypass6 | grep omr6_dst_bypass_$intf)" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLESSAVE | grep omr-bypass6 | grep omr6_dst_bypass_$intf)" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
COMMIT
EOF
fi
if [ "$(ip6tables --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables-save 2>/dev/null | grep v2r6 | grep omr6_dst_bypass_$intf)" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLESSAVE 2>/dev/null | grep v2r6 | grep omr6_dst_bypass_$intf)" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I v2r6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
-I v2r6_${rule_name}_dst 2 -m mark --mark 0x6539$count -j RETURN
@ -567,8 +583,8 @@ _intf_rule() {
ip -6 rule add prio 1 fwmark 0x6539$count lookup 6$count pref 1 > /dev/null 2>&1
fi
}
if [ "$(iptables-save 2>/dev/null | grep omr-bypass | grep omr_dst_bypass_$intf)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLESSAVE 2>/dev/null | grep omr-bypass | grep omr_dst_bypass_$intf)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-I omr-bypass 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
-I omr-bypass 2 -m mark --mark 0x539$count -j RETURN
@ -627,8 +643,8 @@ _bypass_omr_server() {
_ss_rules_config() {
rule_name=$1
[ "$rule_name" = "ss_rules" ] && rule_name="def"
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLES --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
-I ssr_${rule_name}_dst 2 -m mark --mark 0x539 -j RETURN
@ -640,15 +656,15 @@ _ss_rules_config() {
EOF
fi
if [ "$disableipv6" = "0" ]; then
if [ "$(ip6tables --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
COMMIT
EOF
fi
if [ "$(ip6tables --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLES --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
-I ssr6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN
@ -666,8 +682,8 @@ _v2ray_rules_config() {
#rule_name=$1
#[ "$rule_name" = "ss_rules" ] && rule_name="def"
rule_name="def"
if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLES --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I v2r_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
-I v2r_${rule_name}_dst 2 -m mark --mark 0x539 -j RETURN
@ -679,15 +695,15 @@ _v2ray_rules_config() {
EOF
fi
if [ "$disableipv6" = "0" ]; then
if [ "$(ip6tables --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
COMMIT
EOF
fi
if [ "$(ip6tables --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then
ip6tables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLES --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*nat
-I v2r6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
-I v2r6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN
@ -725,22 +741,22 @@ start_service() {
create omr6_dst_bypass_all hash:net family inet6 hashsize 64
EOF
}
iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass | $IPTABLESRESTORE -w --counters 2>/dev/null
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-bypass -
-A PREROUTING -j omr-bypass
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-bypass-local -
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-save --counters 2>/dev/null | grep -v omr-bypass6 | ip6tables-restore -w --counters 2>/dev/null
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESSAVE --counters 2>/dev/null | grep -v omr-bypass6 | $IP6TABLESRESTORE -w --counters 2>/dev/null
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-bypass6 -
-A PREROUTING -j omr-bypass6
@ -786,14 +802,14 @@ start_service() {
ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
ip -6 rule add prio 1 fwmark 0x6539 lookup 6991337 > /dev/null 2>&1
if [ "$(iptables --wait=40 -t mangle -L -n | grep 'match-set omr_dst_bypass_all dst MARK set')" = "" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ "$($IPTABLES --wait=40 -t mangle -L -n | grep 'match-set omr_dst_bypass_all dst MARK set')" = "" ]; then
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
-A omr-bypass -m mark --mark 0x539 -j RETURN
COMMIT
EOF
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-bypass-local -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
-A omr-bypass-local -m mark --mark 0x539 -j RETURN
@ -805,8 +821,8 @@ start_service() {
config_foreach _ss_rules_config
_v2ray_rules_config
iptables-save --counters 2>/dev/null | grep -v omr-bypass-dpi | iptables-restore -w --counters 2>/dev/null
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass-dpi | $IPTABLESRESTORE -w --counters 2>/dev/null
$IPTABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-bypass-dpi -
-A INPUT -j omr-bypass-dpi
@ -814,8 +830,8 @@ start_service() {
COMMIT
EOF
if [ "$disableipv6" = "0" ]; then
ip6tables-save --counters | grep -v omr-bypass6-dpi | ip6tables-restore -w --counters 2>/dev/null
ip6tables-restore -w --wait=60 --noflush <<-EOF
$IP6TABLESSAVE --counters | grep -v omr-bypass6-dpi | $IP6TABLESRESTORE -w --counters 2>/dev/null
$IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-bypass6-dpi -
-A INPUT -j omr-bypass6-dpi
@ -839,10 +855,10 @@ start_service() {
}
stop_service() {
iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null
iptables-save --counters 2>/dev/null | grep -v omr_dst | iptables-restore -w --counters 2>/dev/null
ip6tables-save --counters 2>/dev/null | grep -v omr-bypass6 | ip6tables-restore -w --counters 2>/dev/null
ip6tables-save --counters 2>/dev/null | grep -v omr6_dst | ip6tables-restore -w --counters 2>/dev/null
$IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass | $IPTABLESRESTORE -w --counters 2>/dev/null
$IPTABLESSAVE --counters 2>/dev/null | grep -v omr_dst | $IPTABLESRESTORE -w --counters 2>/dev/null
$IP6TABLESSAVE --counters 2>/dev/null | grep -v omr-bypass6 | $IP6TABLESRESTORE -w --counters 2>/dev/null
$IP6TABLESSAVE --counters 2>/dev/null | grep -v omr6_dst | $IP6TABLESRESTORE -w --counters 2>/dev/null
for setname in $(ipset -n list | grep "omr_"); do
ipset -q destroy "$setname" 2>/dev/null || true
done

14
omr-tracker/files/bin/omr-tracker-ss
View file

@ -4,6 +4,16 @@
name=$0
basename="$(basename $0)"
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLES="/usr/sbin/iptables-legacy"
IPTABLESAVE="/usr/sbin/iptables-legacy-save"
else
IPTABLES="/usr/sbin/iptables"
IPTABLESAVE="/usr/sbin/iptables-save"
fi
_log() {
logger -p daemon.info -t "${basename}" "$@"
}
@ -76,7 +86,7 @@ while true; do
uci -q set openmptcprouter.omr.ss_${server}="up"
uci -q commit openmptcprouter.omr
}
if [ -z "$(iptables-save 2>/dev/null | grep :ssr)" ] && [ "$(uci -q get shadowsocks-libev.ss_rules.disabled)" != "1" ]; then
if [ -z "$($IPTABLESSAVE 2>/dev/null | grep :ssr)" ] && [ "$(uci -q get shadowsocks-libev.ss_rules.disabled)" != "1" ]; then
_log "Reload Shadowsocks rules"
/etc/init.d/shadowsocks-libev rules_up 2> /dev/null
_get_ip
@ -87,7 +97,7 @@ while true; do
last=$((last + 1 ))
[ -z "$nocontact" ] && nocontact="$host" || nocontact="$nocontact, $host"
[ "${last}" -ge "${retry}" ] && {
if [ -n "$(iptables -w -t nat -L -n | grep ssr)" ]; then
if [ -n "$($IPTABLES -w -t nat -L -n 2>/dev/null | grep ssr)" ]; then
_log "Shadowsocks ${server} is down (can't contact via http ${nocontact})"
uci -q set openmptcprouter.omr.ss_${server}="down"
uci -q commit openmptcprouter.omr

11
omr-tracker/files/bin/omr-tracker-v2ray
View file

@ -4,6 +4,13 @@
name=$0
basename="$(basename $0)"
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLES="/usr/sbin/iptables-legacy"
else
IPTABLES="/usr/sbin/iptables"
fi
_log() {
logger -p daemon.info -t "${basename}" "$@"
}
@ -75,7 +82,7 @@ while true; do
uci -q set openmptcprouter.omr.v2ray="up"
uci -q commit openmptcprouter.omr
}
if [ -z "$(iptables -w -t nat -L -n | grep v2r)" ]; then
if [ -z "$($IPTABLES -w -t nat -L -n 2>/dev/null | grep v2r)" ]; then
_log "Reload V2Ray rules"
/etc/init.d/v2ray rules_up 2> /dev/null
_get_ip
@ -86,7 +93,7 @@ while true; do
last=$((last + 1 ))
[ -z "$nocontact" ] && nocontact="$host" || nocontact="$nocontact, $host"
[ "${last}" -ge "${retry}" ] && {
if [ -n "$(iptables -w -t nat -L -n | grep v2r)" ]; then
if [ -n "$($IPTABLES -w -t nat -L -n 2>/dev/null | grep v2r)" ]; then
_log "V2Ray is down (can't contact via http ${nocontact})"
uci -q set openmptcprouter.omr.v2ray="down"
uci -q commit openmptcprouter.omr

47
openmptcprouter/files/bin/blocklanfw
View file

@ -1,18 +1,31 @@
#!/bin/sh
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLES="/usr/sbin/iptables-legacy"
IP6TABLES="/usr/sbin/ip6tables-legacy"
IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save"
else
IPTABLES="/usr/sbin/iptables"
IP6TABLES="/usr/sbin/ip6tables"
IPTABLESSAVE="/usr/sbin/iptables-save"
IP6TABLESSAVE="/usr/sbin/ip6tables-save"
fi
ss_rules_fw_drop() {
timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IPTABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fw=$((fw+1))
fi
done
timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IPTABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fw=$((fw+1))
fi
done
@ -22,16 +35,16 @@ ss_rules6_fw_drop() {
timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IP6TABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fw=$((fw+1))
fi
done
timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IP6TABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fw=$((fw+1))
fi
done
@ -41,16 +54,16 @@ v2r_rules_fw_drop() {
timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "iptables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IPTABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
fw=$((fw+1))
fi
done
timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "iptables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IPTABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
fw=$((fw+1))
fi
done
@ -60,21 +73,21 @@ v2ray_rules6_fw_drop() {
timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "ip6tables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IP6TABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
fi
done
timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "ip6tables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IP6TABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"
fi
done
}
[ -n "$(pgrep blocklanfw)" ] && exit 0
[ -z "$(iptables-save 2>/dev/null | grep zone_lan)" ] && exit 0
[ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan)" ] && exit 0
fw=0
if [ "$(uci -q get openmptcprouter.settings.proxy)" = "shadowsocks" ]; then
ss_rules6_fw_drop

16
openmptcprouter/files/etc/firewall.gre-tunnel
View file

@ -1,6 +1,14 @@
#!/bin/sh
. /lib/functions.sh
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore"
else
IPTABLESSAVE="/usr/sbin/iptables-save"
IPTABLESRESTORE="/usr/sbin/iptables-restore"
fi
_setup_rules() {
config_get lookup $1 lookup
[ -n "$lookup" ] && [ -z "$(ip rule list fwmark 0x${lookup})" ] && {
@ -30,8 +38,8 @@ _setup_fw() {
[ -n "$src_ips_forward" ] && rule="$rule -s $(echo "${src_ips_forward}" | sed 's/ /,/g')"
[ -n "$ifnames" ] && rule="$rule -i $(echo "${ifnames}" | sed 's/ /-i /g')"
if [ -n "$rule" ] && [ -n "$lookup" ]; then
iptables-save --counters | grep -v "0x${lookup}" | iptables-restore -w --counters
iptables-restore -w --wait=60 --noflush <<-EOF
$IPTABLESAVE --counters | grep -v "0x${lookup}" | $IPTABLERESTORE -w --counters
$IPTABLERESTORE -w --wait=60 --noflush <<-EOF
*mangle
-A omr-gre-tunnel ${rule} -j MARK --set-mark 0x${lookup}
COMMIT
@ -39,8 +47,8 @@ _setup_fw() {
fi
}
if [ -z "$(iptables-save | grep omr-gre-tunnel)" ]; then
iptables-restore -w --wait=60 --noflush <<-EOF
if [ -z "$($IPTABLESAVE | grep omr-gre-tunnel)" ]; then
$IPTABLERESTORE -w --wait=60 --noflush <<-EOF
*mangle
:omr-gre-tunnel -
-I PREROUTING 1 -m addrtype ! --dst-type LOCAL -j omr-gre-tunnel

25
shadowsocks-libev/files/ss-rules
View file

@ -9,6 +9,17 @@
# See /LICENSE for more information.
#
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLES="/usr/sbin/iptables-legacy"
IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore"
IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
else
IPTABLES="/usr/sbin/iptables"
IPTABLESRESTORE="/usr/sbin/iptables-restore"
IPTABLESSAVE="/usr/sbin/iptables-save"
fi
ss_rules_usage() {
cat >&2 <<EOF
Usage: ss-rules [options]
@ -112,7 +123,7 @@ ss_rules_parse_args() {
__errmsg "Requires at least -l or -L option"
return 1
fi
if [ -n "$o_dst_forward_recentrst" ] && ! iptables -w -m recent -h >/dev/null; then
if [ -n "$o_dst_forward_recentrst" ] && ! $IPTABLES -w -m recent -h >/dev/null; then
__errmsg "Please install iptables-mod-conntrack-extra with opkg"
return 1
fi
@ -122,7 +133,7 @@ ss_rules_parse_args() {
ss_rules_flush() {
local setname
iptables-save --counters 2>/dev/null | grep -v ssr_ | iptables-restore -w --counters
$IPTABLESSAVE --counters 2>/dev/null | grep -v ssr_ | $IPTABLESRESTORE -w --counters
while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
ip route flush table 100 || true
for setname in $(ipset -n list | grep "ssr_${rule}"); do
@ -166,8 +177,8 @@ ss_rules_iptchains_init() {
}
ss_rules_iptchains_init_mark() {
if [ "$(iptables -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then
iptables-restore -w --noflush <<-EOF
if [ "$($IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then
$IPTABLESRESTORE -w --noflush <<-EOF
*mangle
-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
COMMIT
@ -187,8 +198,8 @@ ss_rules_iptchains_init_tcp() {
forward) local_target=ssr_${rule}_forward ;;
bypass|*) return 0;;
esac
if [ "$(iptables-save 2>/dev/null | grep ssr_${rule}_local_out | grep ssr_${rule}_dst_bypass)" = "" ]; then
iptables-restore -w --noflush <<-EOF
if [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule}_local_out | grep ssr_${rule}_dst_bypass)" = "" ]; then
$IPTABLESRESTORE -w --noflush <<-EOF
*nat
:ssr_${rule}_local_out -
-I OUTPUT 1 -p tcp -j ssr_${rule}_local_out
@ -244,7 +255,7 @@ ss_rules_iptchains_init_() {
forward) dst_default_target=ssr_${rule}_forward ;;
bypass|*) dst_default_target=RETURN ;;
esac
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IPTABLESRESTORE -w --noflush
*$table
:ssr_${rule}_pre_src -
:ssr_${rule}_src -

24
shadowsocks-libev/files/ss-rules6
View file

@ -9,6 +9,18 @@
# See /LICENSE for more information.
#
if [ -f /usr/sbin/iptables-legacy ]; then
IP6TABLES="/usr/sbin/ip6tables-legacy"
IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore"
IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save"
else
IP6TABLES="/usr/sbin/ip6tables"
IP6TABLESRESTORE="/usr/sbin/ip6tables-restore"
IP6TABLESSAVE="/usr/sbin/ip6tables-save"
fi
ss_rules6_usage() {
cat >&2 <<EOF
Usage: ss-rules [options]
@ -95,7 +107,7 @@ ss_rules6_parse_args() {
__errmsg "Requires at least -l or -L option"
return 1
fi
if [ -n "$o_dst_forward_recentrst" ] && ! ip6tables -w -m recent -h >/dev/null; then
if [ -n "$o_dst_forward_recentrst" ] && ! $IP6TABLES -w -m recent -h >/dev/null; then
__errmsg "Please install ip6tables-mod-conntrack-extra with opkg"
return 1
fi
@ -105,7 +117,7 @@ ss_rules6_parse_args() {
ss_rules6_flush() {
local setname
ip6tables-save --counters 2>/dev/null | grep -v ssr6_ | ip6tables-restore -w --counters
$IP6TABLESSAVE --counters 2>/dev/null | grep -v ssr6_ | $IP6TABLESRESTORE -w --counters
while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
ip -f inet6 route flush table 100 || true
for setname in $(ipset -n list | grep "ssr6_${rule}"); do
@ -149,8 +161,8 @@ ss_rules6_iptchains_init() {
}
ss_rules6_iptchains_init_mark() {
if [ "$(ip6tables -w -t mangle -L PREROUTING | grep ss_rules6_dst_bypass_all)" = "" ]; then
ip6tables-restore -w --noflush <<-EOF
if [ "$($IP6TABLES -w -t mangle -L PREROUTING | grep ss_rules6_dst_bypass_all)" = "" ]; then
$IP6TABLESRESTORE -w --noflush <<-EOF
*mangle
-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
COMMIT
@ -172,7 +184,7 @@ ss_rules6_iptchains_init_tcp() {
bypass|*) return 0;;
esac
ip6tables-restore -w --noflush <<-EOF
$IP6TABLESRESTORE -w --noflush <<-EOF
*nat
:ssr6_${rule}_local_out -
-I OUTPUT 1 -p tcp -j ssr6_${rule}_local_out
@ -227,7 +239,7 @@ ss_rules6_iptchains_init_() {
forward) dst_default_target=ssr6_${rule}_forward ;;
bypass|*) dst_default_target=RETURN ;;
esac
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IP6TABLESRESTORE -w --noflush
*$table
:ssr6_${rule}_pre_src -
:ssr6_${rule}_src -

2
v2ray-core/files/etc/init.d/v2ray
View file

@ -2086,7 +2086,7 @@ start_instance() {
}
rules_exist() {
[ -n "$(iptables -w -t nat -L -n | grep v2r_)" ] && return 0
[ -n "$(iptables -w -t nat -L -n 2>/dev/null | grep v2r_)" ] && return 0
return 1
}

32
v2ray-core/files/usr/bin/v2ray-rules
View file

@ -9,6 +9,18 @@
# See /LICENSE for more information.
#
if [ -f /usr/sbin/iptables-legacy ]; then
IPTABLES="/usr/sbin/iptables-legacy"
IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore"
IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
else
IPTABLES="/usr/sbin/iptables"
IPTABLESRESTORE="/usr/sbin/iptables-restore"
IPTABLESSAVE="/usr/sbin/iptables-save"
fi
v2r_rules_usage() {
cat >&2 <<EOF
Usage: v2ray-rules [options]
@ -112,7 +124,7 @@ v2r_rules_parse_args() {
__errmsg "Requires at least -l or -L option"
return 1
fi
if [ -n "$o_dst_forward_recentrst" ] && ! iptables -w -m recent -h >/dev/null; then
if [ -n "$o_dst_forward_recentrst" ] && ! $IPTABLES -w -m recent -h >/dev/null; then
__errmsg "Please install iptables-mod-conntrack-extra with opkg"
return 1
fi
@ -122,7 +134,7 @@ v2r_rules_parse_args() {
v2r_rules_flush() {
local setname
iptables-save --counters 2>/dev/null | grep -v v2r_ | iptables-restore -w --counters
$IPTABLESSAVE --counters 2>/dev/null | grep -v v2r_ | $IPTABLESRESTORE -w --counters
while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
ip route flush table 100 || true
for setname in $(ipset -n list | grep "ssr_${rule}"); do
@ -166,8 +178,8 @@ v2r_rules_iptchains_init() {
}
v2r_rules_iptchains_init_mark() {
if [ "$(iptables -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then
iptables-restore -w --noflush <<-EOF
if [ "$($IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then
$IPTABLESRESTORE -w --noflush <<-EOF
*mangle
-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
COMMIT
@ -188,7 +200,7 @@ v2r_rules_iptchains_init_tcp() {
bypass|*) return 0;;
esac
iptables-restore -w --noflush <<-EOF
$IPTABLESRESTORE -w --noflush <<-EOF
*nat
:v2r_${rule}_local_out -
-I OUTPUT 1 -p tcp -j v2r_${rule}_local_out
@ -243,7 +255,7 @@ v2r_rules_iptchains_init_() {
forward) dst_default_target=v2r_${rule}_forward ;;
bypass|*) dst_default_target=RETURN ;;
esac
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IPTABLESRESTORE -w --noflush
*$table
:v2r_${rule}_pre_src -
:v2r_${rule}_src -
@ -287,15 +299,15 @@ v2r_rules_fw_drop() {
fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IPTABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fi
done
fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "iptables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "$IPTABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fi
done
}

26
v2ray-core/files/usr/bin/v2ray-rules6
View file

@ -9,6 +9,18 @@
# See /LICENSE for more information.
#
if [ -f /usr/sbin/iptables-legacy ]; then
IP6TABLES="/usr/sbin/ip6tables-legacy"
IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore"
IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save"
else
IP6TABLES="/usr/sbin/ip6tables"
IP6TABLESRESTORE="/usr/sbin/ip6tables-restore"
IP6TABLESSAVE="/usr/sbin/ip6tables-save"
fi
v2ray_rules6_usage() {
cat >&2 <<EOF
Usage: v2ray-rules6 [options]
@ -95,7 +107,7 @@ v2ray_rules6_parse_args() {
__errmsg "Requires at least -l or -L option"
return 1
fi
if [ -n "$o_dst_forward_recentrst" ] && ! ip6tables -w -m recent -h >/dev/null; then
if [ -n "$o_dst_forward_recentrst" ] && ! $IP6TABLES -w -m recent -h >/dev/null; then
__errmsg "Please install ip6tables-mod-conntrack-extra with opkg"
return 1
fi
@ -105,7 +117,7 @@ v2ray_rules6_parse_args() {
v2ray_rules6_flush() {
local setname
ip6tables-save --counters 2>/dev/null | grep -v v2r6_ | ip6tables-restore -w --counters
$IP6TABLESSAVE --counters 2>/dev/null | grep -v v2r6_ | $IP6TABLESRESTORE -w --counters
while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
ip -f inet6 route flush table 100 || true
for setname in $(ipset -n list | grep "ssr6_${rule}"); do
@ -149,7 +161,7 @@ v2ray_rules6_iptchains_init() {
}
v2ray_rules6_iptchains_init_mark() {
ip6tables-restore -w --noflush <<-EOF
$IP6TABLESRESTORE -w --noflush <<-EOF
*mangle
-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
COMMIT
@ -172,7 +184,7 @@ v2ray_rules6_iptchains_init_tcp() {
esac
# echo "tcp mangle"
# ip6tables-restore -w --noflush <<-EOF
# $IP6TABLESRESTORE -w --noflush <<-EOF
# *mangle
# :v2r6_${rule}_local_out -
# -I OUTPUT 1 -p tcp -j v2r6_${rule}_local_out
@ -232,7 +244,7 @@ v2ray_rules6_iptchains_init_() {
forward) dst_default_target=v2r6_${rule}_forward ;;
bypass|*) dst_default_target=RETURN ;;
esac
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IP6TABLESRESTORE -w --noflush
*$table
:v2r6_${rule}_pre_src -
:v2r6_${rule}_src -
@ -279,14 +291,14 @@ v2ray_rules6_fw_drop() {
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
eval "$IP6TABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fi
done
fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
while IFS=$"\n" read -r c; do
fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
eval "ip6tables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
eval "$IP6TABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
fi
done
}