Rules to mark correctly bypassed traffic
parent
e914931b3e
commit
9f8e93bd21
3 changed files with 10 additions and 6 deletions
|
@ -296,7 +296,7 @@ start_service() {
|
||||||
ss_rules
|
ss_rules
|
||||||
ss_rules6
|
ss_rules6
|
||||||
# Add rule to match traffic marked by firewall for bypass
|
# Add rule to match traffic marked by firewall for bypass
|
||||||
ip rule add prio 1 fwmark 0x539 lookup 991337
|
ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
|
||||||
}
|
}
|
||||||
|
|
||||||
stop_service() {
|
stop_service() {
|
||||||
|
|
|
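Review bot: Redirecting `ip rule add prio 1 fwmark 0x539 lookup 991337` to `/dev/null` hides every failure, not only the duplicate-rule message it is presumably meant to silence; if the rule is not installed, packets marked 0x539 silently follow the normal routing tables instead of table 991337. Making the add idempotent keeps real errors visible, e.g. `ip rule del prio 1 fwmark 0x539 lookup 991337 2>/dev/null` followed by the unredirected `ip rule add`. Only an IPv4 rule is added here, while the IPv6 rules in this commit also set mark 0x539; unless an `ip -6 rule` exists elsewhere in the script, that IPv6 mark has no routing effect. start_service begins outside the hunk and stop_service's body is not shown, so whether the rule is removed on stop cannot be confirmed from here.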
@ -154,15 +154,15 @@ ss_rules_ipset_mkadd() {
|
||||||
}
|
}
|
||||||
|
|
||||||
ss_rules_iptchains_init() {
|
ss_rules_iptchains_init() {
|
||||||
|
ss_rules_iptchains_init_mark
|
||||||
ss_rules_iptchains_init_tcp
|
ss_rules_iptchains_init_tcp
|
||||||
ss_rules_iptchains_init_udp
|
ss_rules_iptchains_init_udp
|
||||||
ss_rules_iptchains_init_mark
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ss_rules_iptchains_init_mark() {
|
ss_rules_iptchains_init_mark() {
|
||||||
iptables-restore --noflush <<-EOF
|
iptables-restore --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
-A OUTPUT -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
|
-A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
@ -184,8 +184,8 @@ ss_rules_iptchains_init_tcp() {
|
||||||
*nat
|
*nat
|
||||||
:ss_rules_local_out -
|
:ss_rules_local_out -
|
||||||
-I OUTPUT 1 -p tcp -j ss_rules_local_out
|
-I OUTPUT 1 -p tcp -j ss_rules_local_out
|
||||||
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
|
||||||
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
|
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
-A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
@ -233,6 +233,7 @@ ss_rules_iptchains_init_() {
|
||||||
forward) dst_default_target=ss_rules_forward ;;
|
forward) dst_default_target=ss_rules_forward ;;
|
||||||
bypass|*) dst_default_target=RETURN ;;
|
bypass|*) dst_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
|
echo "titi"
|
||||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore --noflush
|
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore --noflush
|
||||||
*$table
|
*$table
|
||||||
:ss_rules_pre_src -
|
:ss_rules_pre_src -
|
||||||
|
@ -241,6 +242,7 @@ ss_rules_iptchains_init_() {
|
||||||
:ss_rules_forward -
|
:ss_rules_forward -
|
||||||
$(ss_rules_iptchains_mkprerules "$proto")
|
$(ss_rules_iptchains_mkprerules "$proto")
|
||||||
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
||||||
|
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
|
-A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
|
||||||
-A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
|
-A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
|
||||||
|
@ -254,6 +256,7 @@ ss_rules_iptchains_init_() {
|
||||||
COMMIT
|
COMMIT
|
||||||
$recentrst_mangle_rules
|
$recentrst_mangle_rules
|
||||||
EOF
|
EOF
|
||||||
|
echo "toto"
|
||||||
}
|
}
|
||||||
|
|
||||||
ss_rules_iptchains_mkprerules() {
|
ss_rules_iptchains_mkprerules() {
|
||||||
|
|
|
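Review bot: Replacing `-A OUTPUT` with `-A PREROUTING` in ss_rules_iptchains_init_mark means packets generated on the router itself towards ss_rules_dst_bypass destinations are no longer marked 0x539, because locally generated packets traverse mangle OUTPUT and never PREROUTING. If both forwarded and local traffic should take the bypass route, keep the old line `-A OUTPUT -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539` next to the new PREROUTING one. The IPv6 variant in this commit still marks in OUTPUT, so the two address families now behave differently. Separately, the `echo "titi"` and `echo "toto"` lines added to ss_rules_iptchains_init_ look like leftover debug output and should be dropped.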
@ -142,8 +142,8 @@ ss_rules6_iptchains_init() {
|
||||||
ss_rules6_iptchains_init_mark
|
ss_rules6_iptchains_init_mark
|
||||||
}
|
}
|
||||||
|
|
||||||
ss_rules_iptchains_init_mark() {
|
ss_rules6_iptchains_init_mark() {
|
||||||
iptables-restore --noflush <<-EOF
|
ip6tables-restore --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
-A OUTPUT -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
|
-A OUTPUT -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
|
||||||
COMMIT
|
COMMIT
|
||||||
|
@ -226,6 +226,7 @@ ss_rules6_iptchains_init_() {
|
||||||
:ss_rules6_forward -
|
:ss_rules6_forward -
|
||||||
$(ss_rules6_iptchains_mkprerules "$proto")
|
$(ss_rules6_iptchains_mkprerules "$proto")
|
||||||
-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
||||||
|
-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
|
||||||
-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
|
-A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
|
||||||
-A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN
|
-A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN
|
||||||
|
|
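Review bot: The added `-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539` has no IPv4 equivalent, since the matching IPv4 hunk adds a `-j RETURN` on ss_rules_pre_src instead, so it is unclear which behaviour is intended. MARK is documented as a mangle-table target, and the table this batch is loaded into is chosen outside the hunk. If it can be a table other than mangle, ip6tables-restore may reject the whole batch; confirm that, or keep the marking only in ss_rules6_iptchains_init_mark. That function also still marks in OUTPUT while the IPv4 one moved to PREROUTING. A one-line comment above the new rule saying why IPv6 marks inside ss_rules6_dst would make the difference reviewable.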