diff --git a/https-dns-proxy/files/https-dns-proxy.init b/https-dns-proxy/files/https-dns-proxy.init index 0b9a620a5..709999b13 100755 --- a/https-dns-proxy/files/https-dns-proxy.init +++ b/https-dns-proxy/files/https-dns-proxy.init @@ -1,6 +1,6 @@ #!/bin/sh /etc/rc.common -# Copyright 2019-2022 Stan Grishin (stangri@melmac.ca) -# shellcheck disable=SC1091,SC2039,SC3043,SC3060 +# Copyright 2019-2020 Stan Grishin (stangri@melmac.net) +# shellcheck disable=SC2039,SC3043,SC3060 PKG_VERSION='dev-test' # shellcheck disable=SC2034 
@@ -15,52 +15,9 @@ else EXTRA_COMMANDS='version' fi -readonly packageName='https-dns-proxy' -readonly serviceName="$packageName $PKG_VERSION" -readonly sharedMemoryOutput="/dev/shm/$packageName-output" -readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' -readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly PROG=/usr/sbin/https-dns-proxy -readonly DEFAULT_BOOTSTRAP='1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001,8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844' -readonly canaryDomains='use-application-dns.net' dnsmasqConfig=''; forceDNS=''; forceDNSPorts=''; -str_contains() { [ -n "$1" ] &&[ -n "$2" ] && [ "${1//$2}" != "$1" ]; } -is_mac_address() { expr "$1" : '[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]$' >/dev/null; } -is_ipv4() { expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; } -is_ipv6() { ! is_mac_address "$1" && str_contains "$1" ":"; } -output() { - local msg memmsg logmsg - [ -t 1 ] && printf "%b" "$@" - msg="${1//$serviceName /service }"; - if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then - [ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")" - logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')" - logger -t "$packageName" "$(printf "%b" "$logmsg")" - rm -f "$sharedMemoryOutput" - else - printf "%b" "$msg" >> "$sharedMemoryOutput" - fi -} -output_ok() { output "$_OK_"; } -output_okn() { output "${_OK_}\\n"; } -output_fail() { output "$_FAIL_"; } -output_failn() { output "${_FAIL_}\\n"; } -uci_add_list_if_new() { - local key="$1" value="$2" i - if [ -z "$value" ]; then - value="${key#*=}" - key="${key%=*}" - fi - [ -n "$key" ] && [ -n "$value" ] || return 1 - for i in $(uci -q get "$key"); do - [ "$i" = "$value" ] && return 0 - done - uci -q add_list "${key}=${value}" -} - -dnsmasq_restart() { [ -x /etc/init.d/dnsmasq ] || return 0; /etc/init.d/dnsmasq restart >/dev/null 2>&1; } - version() { echo "$PKG_VERSION"; } 
xappend() { param="$param $1"; } @@ -69,10 +26,11 @@ append_bool() { local section="$1" local option="$2" local value="$3" - local default="${4:-0}" + local default="$4" local _loctmp + [ -z "$default" ] && default="0" config_get_bool _loctmp "$section" "$option" "$default" - [ "$_loctmp" -ne 0 ] && xappend "$value" + [ "$_loctmp" != "0" ] && xappend "$value" } append_parm() { 
@@ -82,191 +40,137 @@ append_parm() { local default="$4" local _loctmp config_get _loctmp "$section" "$option" "$default" - [ -n "$_loctmp" ] && xappend "$switch $_loctmp" -} - -append_counter() { - local section="$1" - local option="$2" - local switch="$3" - local default="${4:-0}" - local _loctmp i - config_get _loctmp "$section" "$option" "$default" -# shellcheck disable=SC2086,SC2154 - for i in $(seq 1 $_loctmp); do - xappend '-v' - done -} - -append_bootstrap() { - local section="$1" - local option="$2" - local switch="$3" - local default="$4" - local _old_ifs="$IFS" - local _loctmp _newtmp i - config_get _loctmp "$section" "$option" "$default" [ -z "$_loctmp" ] && return 0 - IFS=" ," - for i in $_loctmp; do - if { [ "$ipv6_resolvers_only" -eq 0 ] && is_ipv4 "$i"; } || \ - { [ "$ipv6_resolvers_only" -ne 0 ] && is_ipv6 "$i"; }; then - [ -z "$_newtmp" ] && _newtmp="$i" || _newtmp="${_newtmp},${i}" - fi - done - IFS="$_old_ifs" - [ -n "$_newtmp" ] && xappend "$switch $_newtmp" - [ "$ipv6_resolvers_only" -eq 0 ] && xappend '-4' + xappend "$switch $_loctmp" } start_instance() { - local cfg="$1" param listen_addr listen_port ipv6_resolvers_only p - config_get_bool ipv6_resolvers_only "$cfg" 'use_ipv6_resolvers_only' '0' + local cfg="$1" param listen_addr listen_port i append_parm "$cfg" 'resolver_url' '-r' append_parm "$cfg" 'polling_interval' '-i' append_parm "$cfg" 'listen_addr' '-a' '127.0.0.1' - append_parm "$cfg" 'listen_port' '-p' "$port" + append_parm "$cfg" 'listen_port' '-p' "$p" append_parm "$cfg" 'dscp_codepoint' '-c' - append_bootstrap "$cfg" 'bootstrap_dns' '-b' "$DEFAULT_BOOTSTRAP" + append_parm "$cfg" 'bootstrap_dns' '-b' append_parm "$cfg" 'user' '-u' 'nobody' append_parm "$cfg" 'group' '-g' 'nogroup' append_parm "$cfg" 'proxy_server' '-t' append_parm "$cfg" 'logfile' '-l' append_bool "$cfg" 'use_http1' '-x' - append_counter "$cfg" 'verbosity' '-v' '0' + config_get_bool ipv6_resolvers_only "$cfg" 'use_ipv6_resolvers_only' '0' + config_get verbosity 
"$cfg" 'verbosity' '0' + +# shellcheck disable=SC2086,SC2154 + for i in $(seq 1 $verbosity); do + xappend '-v' + done +# shellcheck disable=SC2154 + if [ "$ipv6_resolvers_only" = 0 ]; then + xappend '-4' + fi procd_open_instance # shellcheck disable=SC2086 - procd_set_param command $PROG $param + procd_set_param command ${PROG} ${param} procd_set_param stderr 1 procd_set_param stdout 1 procd_set_param respawn + procd_close_instance + + config_get listen_addr "$cfg" 'listen_addr' '127.0.0.1' + config_get listen_port "$cfg" 'listen_port' "$p" + + if [ "$dnsmasqConfig" = "*" ]; then + config_load 'dhcp' + config_foreach dnsmasq_add_doh_server 'dnsmasq' "${listen_addr}" "${listen_port}" + elif [ -n "$dnsmasqConfig" ]; then + for i in $dnsmasqConfig; do + dnsmasq_add_doh_server "@dnsmasq[${i}]" "${listen_addr}" "${listen_port}" + done + fi + p="$((p+1))" +} + +is_force_dns_active() { iptables-save 2>/dev/null | grep -q -w -- '--dport 53'; } + +start_service() { + local p=5053 c + config_load 'https-dns-proxy' + config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*' + config_get_bool forceDNS 'config' 'force_dns' '1' + config_get forceDNSPorts 'config' 'force_dns_port' '53 853' + dhcp_backup 'create' + config_load 'https-dns-proxy' + config_foreach start_instance 'https-dns-proxy' if [ "$forceDNS" -ne 0 ]; then + procd_open_instance 'main' + procd_set_param command /bin/true + procd_set_param stdout 1 + procd_set_param stderr 1 procd_open_data json_add_array firewall - for p in $forceDNSPorts; do - if netstat -tuln | grep 'LISTEN' | grep ":${p}" >/dev/null 2>&1 || [ "$p" = '53' ]; then - json_add_object '' + for c in $forceDNSPorts; do + if netstat -tuln | grep 'LISTEN' | grep ":${c}" >/dev/null 2>&1 || [ "$c" = "53" ]; then + json_add_object "" json_add_string type redirect json_add_string target DNAT json_add_string src lan - json_add_string proto 'tcp udp' - json_add_string src_dport "$p" - json_add_string dest_port "$p" + json_add_string proto "tcp udp" + 
json_add_string src_dport "$c" + json_add_string dest_port "$c" json_add_boolean reflection 0 json_close_object else - json_add_object '' + json_add_object "" json_add_string type rule json_add_string src lan - json_add_string dest '*' - json_add_string proto 'tcp udp' - json_add_string dest_port "$p" + json_add_string dest "*" + json_add_string proto "tcp udp" + json_add_string dest_port "$c" json_add_string target REJECT json_close_object fi done json_close_array procd_close_data + procd_close_instance fi - procd_close_instance - - if [ "$?" ]; then - config_get listen_addr "$cfg" 'listen_addr' '127.0.0.1' - config_get listen_port "$cfg" 'listen_port' "$port" - if [ "$dnsmasqConfig" = '*' ]; then - config_load 'dhcp' - config_foreach dnsmasq_doh_server 'dnsmasq' 'add' "${listen_addr}" "${listen_port}" - elif [ -n "$dnsmasqConfig" ]; then - for i in $dnsmasqConfig; do - if [ -n "$(uci -q get "dhcp.@dnsmasq[$i]")" ]; then - dnsmasq_doh_server "@dnsmasq[$i]" 'add' "${listen_addr}" "${listen_port}" - elif [ -n "$(uci -q get "dhcp.${i}")" ]; then - dnsmasq_doh_server "${i}" 'add' "${listen_addr}" "${listen_port}" - fi - done - fi - output_ok - port="$((port+1))" - forceDNS=0 - else - output_fail - fi -} - -start_service() { - local port=5053 - output "Starting $serviceName " - config_load "$packageName" - config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*' - config_get_bool forceDNS 'config' 'force_dns' '1' - config_get forceDNSPorts 'config' 'force_dns_port' '53 853' - dhcp_backup 'create' - config_load "$packageName" - config_foreach start_instance "$packageName" if [ -n "$(uci -q changes dhcp)" ]; then uci -q commit dhcp - dnsmasq_restart + [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1 fi - output "\\n" } stop_service() { - local s=0 - output "Stopping $serviceName " - config_load "$packageName" + config_load 'https-dns-proxy' config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*' dhcp_backup 'restore' if [ -n "$(uci -q 
changes dhcp)" ]; then uci -q commit dhcp - dnsmasq_restart || s=1 + [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1 fi -# shellcheck disable=SC2015 - [ "$s" -eq 0 ] && output_okn || output_failn } -# shellcheck disable=SC1091 -service_triggers() { - local iface - . /lib/functions/network.sh - network_flush_cache - network_find_wan iface - iface="${iface:-wan}" - if [ -n "$iface" ]; then - procd_add_interface_trigger "interface.*" "$iface" "/etc/init.d/${packageName}" restart - fi - procd_add_config_trigger "config.change" "$packageName" "/etc/init.d/${packageName}" restart +service_triggers() { + procd_add_config_trigger "config.change" "https-dns-proxy" /etc/init.d/https-dns-proxy reload } service_started() { procd_set_config_changed firewall; } service_stopped() { procd_set_config_changed firewall; } -dnsmasq_doh_server() { - local cfg="$1" param="$2" address="${3:-127.0.0.1}" port="$4" i - case "$param" in - add) - if [ "$forceDNS" -ne 0 ]; then - for i in $canaryDomains; do - uci_add_list_if_new "dhcp.${cfg}.server" "/${i}/" - done - fi - case $address in - 0.0.0.0|::ffff:0.0.0.0) address='127.0.0.1';; - ::) address='::1';; - esac - uci_add_list_if_new "dhcp.${cfg}.server" "${address}#${port}" - ;; - remove) - eval "$(ubus call service list "{ 'verbose': true, 'name': '$packageName' }" | jsonfilter -F '# ' -e 'TUPLES=@[*].instances[*].command[4,6]')" - for i in $TUPLES; do - uci -q del_list "dhcp.${cfg}.server=${i}" - done - ;; +dnsmasq_add_doh_server() { + local cfg="$1" address="$2" port="$3" + case $address in + 0.0.0.0|::ffff:0.0.0.0) address='127.0.0.1';; + ::) address='::1';; esac + uci -q del_list "dhcp.${cfg}.server=${address}#${port}" + uci -q add_list "dhcp.${cfg}.server=${address}#${port}" } dnsmasq_create_server_backup() { - local cfg="$1" i + local cfg="$1" + local i uci -q get "dhcp.${cfg}" >/dev/null || return 1 if ! 
uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then if [ -z "$(uci -q get "dhcp.${cfg}.noresolv")" ]; then @@ -292,22 +196,23 @@ dnsmasq_create_server_backup() { } dnsmasq_restore_server_backup() { - local cfg="$1" i + local cfg="$1" + local i uci -q get "dhcp.${cfg}" >/dev/null || return 0 if uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then if [ "$(uci -q get "dhcp.${cfg}.doh_backup_noresolv")" = "0" ]; then uci -q set "dhcp.${cfg}.noresolv=0" - else + else uci -q del "dhcp.${cfg}.noresolv" fi uci -q del "dhcp.${cfg}.doh_backup_noresolv" fi if uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then - dnsmasq_doh_server "$cfg" 'remove' + uci -q del "dhcp.${cfg}.server" for i in $(uci -q get "dhcp.${cfg}.doh_backup_server"); do - uci_add_list_if_new "dhcp.${cfg}.server" "$i" + uci -q add_list "dhcp.${cfg}.server=$i" done - uci -q del "dhcp.${cfg}.doh_backup_server" + uci -q del "dhcp.${cfg}.doh_backup_server" fi } @@ -320,11 +225,8 @@ dhcp_backup() { config_foreach dnsmasq_create_server_backup 'dnsmasq' elif [ -n "$dnsmasqConfig" ]; then for i in $dnsmasqConfig; do - if [ -n "$(uci -q get "dhcp.@dnsmasq[$i]")" ]; then - dnsmasq_create_server_backup "@dnsmasq[$i]" - elif [ -n "$(uci -q get "dhcp.${i}")" ]; then + dnsmasq_create_server_backup "@dnsmasq[${i}]" || \ dnsmasq_create_server_backup "$i" - fi done fi ;; diff --git a/luci-app-omr-bypass/root/etc/firewall.omr-bypass b/luci-app-omr-bypass/root/etc/firewall.omr-bypass index 7efffb894..5c482a198 100755 --- a/luci-app-omr-bypass/root/etc/firewall.omr-bypass +++ b/luci-app-omr-bypass/root/etc/firewall.omr-bypass @@ -1,2 +1,2 @@ #!/bin/sh -[ -z "$(pgrep -f omr-bypass)" ] && /etc/init.d/omr-bypass reload_rules +[ -z "$(pgrep -f omr-bypass)" ] && logger -t "firewall.omr-bypass" "reloal omr-bypass rules" && /etc/init.d/omr-bypass reload_rules diff --git a/luci-app-omr-bypass/root/etc/init.d/omr-bypass b/luci-app-omr-bypass/root/etc/init.d/omr-bypass index 6c349317d..0c3ba4932 100755 
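Review bot: start_instance's `update_dnsmasq_config` loop only ever passes `@dnsmasq[${i}]` to dnsmasq_add_doh_server, while dhcp_backup in the same file falls back to a named section (`dnsmasq_create_server_backup "$i"`), so a named dnsmasq section gets its backup/noresolv treatment but never receives the `${address}#${port}` server entry — presumably leaving that instance with no upstream once the backup step has taken its servers away. Mirror the fallback: make dnsmasq_add_doh_server begin with `uci -q get "dhcp.${cfg}" >/dev/null || return 1` and call it as `dnsmasq_add_doh_server "@dnsmasq[${i}]" "${listen_addr}" "${listen_port}" || dnsmasq_add_doh_server "$i" "${listen_addr}" "${listen_port}"`. Separately, the new side no longer adds the `use-application-dns.net` canary to dnsmasq when force_dns is on, so clients that honour that canary will keep using their own DoH instead of the forced router resolver; if that is intended, a comment on the force_dns block should say so. dnsmasq_create_server_backup's body runs past the end of this hunk.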
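Review bot: The log text added to the guard line has a typo, `reloal`, and since this is the string an operator will grep for it should read `logger -t "firewall.omr-bypass" "reload omr-bypass rules"`. The guard itself, `[ -z "$(pgrep -f omr-bypass)" ]`, matches any command line containing that substring, which presumably includes the shell executing this very hook (`/etc/firewall.omr-bypass`) when fw3 runs it by path; if so the test is never true and reload_rules never fires. Check with `pgrep -af omr-bypass` from inside the hook and, if confirmed, match on the init script's full path (`pgrep -f /etc/init.d/omr-bypass`) instead.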
--- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass +++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass @@ -8,6 +8,22 @@ EXTRA_COMMANDS="reload_rules bypass_asn" . /usr/lib/unbound/iptools.sh +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" + IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore" + IPTABLESSAVE="/usr/sbin/iptables-legacy-save" + IP6TABLES="/usr/sbin/ip6tables-legacy" + IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save" +else + IPTABLES="/usr/sbin/iptables" + IPTABLESRESTORE="/usr/sbin/iptables-restore" + IPTABLESSAVE="/usr/sbin/iptables-save" + IP6TABLES="/usr/sbin/ip6tables" + IP6TABLESRESTORE="/usr/sbin/ip6tables-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-save" +fi + _add_proto() { protoname=$1 [ -z "$protoname" ] && return @@ -135,26 +151,26 @@ _bypass_mac() { [ -z "$intf" ] && intf="all" [ -z "$mac" ] && return if [ "$intf" = "all" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539 COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 -m mac --mac-source $mac -j MARK --set-mark 0x6539 COMMIT EOF fi else - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539$intfid COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 -m mac --mac-source $mac -j MARK --set-mark 0x6539$intfid COMMIT 
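Review bot: The backend switch keys all six tool paths off a single `[ -f /usr/sbin/iptables-legacy ]`, so an install where only part of the legacy set is present — or where the file exists but is not executable — assigns paths to commands that will fail, and because the `$IPTABLESSAVE` call sites later in this diff send stderr to /dev/null that failure is invisible (and, since the idempotency tests treat empty save output as "rule absent", turns into rules being re-added on every reload). Test the tools you actually execute: `if [ -x /usr/sbin/iptables-legacy-restore ] && [ -x /usr/sbin/iptables-legacy-save ] && [ -x /usr/sbin/ip6tables-legacy-restore ]; then`, or resolve each with `command -v` and log which backend was selected. A one-line comment explaining why legacy is preferred when present (presumably so this package's rules land in the same xtables backend as the rest of the firewall) would help the next reader.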
@@ -181,18 +197,18 @@ _bypass_lan_ip() { valid_ip6=$(valid_subnet6 $ip) if [ "$intf" = "all" ]; then if [ "$valid_ip4" = "ok" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass -s $ip -j MARK --set-mark 0x539 COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local -s $ip -j MARK --set-mark 0x539 COMMIT EOF elif [ "$valid_ip6" = "ok" ] && [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 -s $ip -j MARK --set-mark 0x6539 COMMIT @@ -200,18 +216,18 @@ _bypass_lan_ip() { fi else if [ "$valid_ip4" = "ok" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass -s $ip -j MARK --set-mark 0x539$intfid COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local -s $ip -j MARK --set-mark 0x539$intfid COMMIT EOF elif [ "$valid_ip6" = "ok" ] && [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 -s $ip -j MARK --set-mark 0x6539$intfid COMMIT 
@@ -239,36 +255,36 @@ _bypass_dest_port() { dport="$(echo $dport | sed 's/-/:/')" [ -z "$proto" ] && return if [ "$intf" = "all" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539 COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539 COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 --protocol $proto --destination-port $dport -j MARK --set-mark 0x6539 COMMIT EOF fi else - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 --protocol $proto --destination-port $dport -j MARK --set-mark 0x6539$intfid COMMIT 
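Review bot: `$dport` and `$proto` are expanded into unquoted heredocs fed to `$IPTABLESRESTORE` throughout this hunk with no shape check — the only guard visible is `[ -z "$proto" ] && return`, and `sed 's/-/:/'` merely rewrites a dash — so a uci value containing whitespace or a newline becomes extra rule text in the restore stream instead of a rule that fails to match. The values come from the package's own config, so this is hardening against a malformed or tampered entry rather than a remote hole, but it is cheap: `case "$dport" in ''|*[!0-9:]*) return;; esac` after the sed line, and something similar for `$proto` (e.g. `case "$proto" in tcp|udp) ;; *) return;; esac` if those are the only values the LuCI form emits — confirm before restricting). The function's first and last lines fall outside this hunk.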
@@ -296,36 +312,36 @@ _bypass_src_port() { sport="$(echo $sport | sed 's/-/:/')" [ -z "$proto" ] && return if [ "$intf" = "all" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539 COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539 COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 --protocol $proto --source-port $sport -j MARK --set-mark 0x6539 COMMIT EOF fi else - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 --protocol $proto --source-port $sport -j MARK --set-mark 0x6539$intfid COMMIT 
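Review bot: `$sport` goes into the `--source-port $sport` heredocs of this hunk straight from config after only `sed 's/-/:/'`, so a value with embedded whitespace or a newline is spliced into the restore stream as additional rule text instead of being rejected. Add `case "$sport" in ''|*[!0-9:]*) return;; esac` immediately after the sed line so only a port or a `lo:hi` range reaches iptables-restore. The function's opening and closing lines are outside the hunk.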
@@ -351,14 +367,14 @@ _bypass_proto() { [ -z "$proto" ] && return if [ "$(uci -q get openmptcprouter.settings.ndpi)" != "0" ] && [ "$ndpi" != "0" ]; then if [ "$intf" = "all" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-dpi -m ndpi --proto $proto -j MARK --set-mark 0x539 -A omr-bypass-dpi -m mark --mark 0x539 -j RETURN COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6-dpi -m ndpi --proto $proto -j MARK --set-mark 0x6539 -A omr-bypass6-dpi -m mark --mark 0x6539 -j RETURN @@ -366,14 +382,14 @@ _bypass_proto() { EOF fi else - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-dpi -m ndpi --proto $proto -j MARK --set-mark 0x539$intfid -A omr-bypass-dpi -m mark --mark 0x539$intfid -j RETURN COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6-dpi -m ndpi --proto $proto -j MARK --set-mark 0x6539$intfid -A omr-bypass6-dpi -m mark --mark 0x6539$intfid -j RETURN 
@@ -425,24 +441,24 @@ _bypass_proto() { _intf_rule_ss_rules() { rule_name=$1 [ "$rule_name" = "ss_rules" ] && rule_name="def" - if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_dst)" != "" ] && [ "$(iptables-save | grep ssr_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_dst)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count -I ssr_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN COMMIT EOF fi - if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_local_out)" != "" ] && [ "$(iptables-save | grep ssr_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_local_out)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I ssr_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count -I ssr_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN COMMIT EOF fi - if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables-save | grep ssr_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I ssr_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j 
MARK --set-mark 0x539$count -I ssr_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN @@ -450,15 +466,15 @@ _intf_rule_ss_rules() { EOF fi if [ "$disableipv6" = "0" ]; then - if [ "$(ip6tables --wait=40 -t mangle -L -n | grep omr6_dst_bypass_$intf)" = "" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep omr6_dst_bypass_$intf)" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count COMMIT EOF fi - if [ "$(ip6tables --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables-save | grep ssr6 | grep omr6_dst_bypass_$intf)" = "" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLESSAVE 2>/dev/null | grep ssr6 | grep omr6_dst_bypass_$intf)" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count -I ssr6_${rule_name}_dst 2 -m mark --mark 0x6539$count -j RETURN 
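Review bot: Each idempotency test in this hunk now reads `$IPTABLESSAVE 2>/dev/null | grep ssr_${rule_name}_… | grep omr_dst_bypass_$intf` and treats empty output as "not yet inserted", so when the save itself fails (wrong backend path, xtables lock timeout) the `= ""` test passes and the `-I … 1` / `-I … 2` pair is pushed onto the head of the ssr_* chains again on every reload, accumulating duplicates with the error hidden. Take the snapshot once and give up if it fails — `rules="$($IPTABLESSAVE 2>/dev/null)" || return 1` at the top of the function, then `printf '%s\n' "$rules" | grep …` in each condition — which also replaces three full dumps with one. The `$IPTABLES -t nat -L -n | grep ssr_${rule_name}_dst` half of each test is a substring match and would also be satisfied by any chain name merely containing that text. The function continues beyond the hunk.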
@@ -476,24 +492,24 @@ _intf_rule_v2ray_rules() { #rule_name=$1 #[ "$rule_name" = "ss_rules" ] && rule_name="def" rule_name="def" - if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_dst)" != "" ] && [ "$(iptables-save | grep v2r_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_dst)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep v2r_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I v2r_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count -I v2r_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN COMMIT EOF fi - if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_local_out)" != "" ] && [ "$(iptables-save | grep v2r_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_local_out)" != "" ] && [ "$($IPTABLESSAVE 2>/dev/null | grep v2r_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I v2r_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count -I v2r_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN COMMIT EOF fi - if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$(iptables-save | grep v2r_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLESSAVE 2/dev/null | grep v2r6 | grep omr6_dst_bypass_$intf)" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I v2r6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 
0x6539$count -I v2r6_${rule_name}_dst 2 -m mark --mark 0x6539$count -j RETURN @@ -567,8 +583,8 @@ _intf_rule() { ip -6 rule add prio 1 fwmark 0x6539$count lookup 6$count pref 1 > /dev/null 2>&1 fi } - if [ "$(iptables-save | grep omr-bypass | grep omr_dst_bypass_$intf)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLESSAVE 2>/dev/null | grep omr-bypass | grep omr_dst_bypass_$intf)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -I omr-bypass 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count -I omr-bypass 2 -m mark --mark 0x539$count -j RETURN @@ -627,8 +643,8 @@ _bypass_omr_server() { _ss_rules_config() { rule_name=$1 [ "$rule_name" = "ss_rules" ] && rule_name="def" - if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLES --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539 -I ssr_${rule_name}_dst 2 -m mark --mark 0x539 -j RETURN 
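Review bot: The `+` line for the third condition in _intf_rule_v2ray_rules has `$IPTABLESSAVE 2/dev/null` — the `>` is missing — so `2/dev/null` is handed to iptables-save as an argument, the dump is rejected and prints nothing, the `= ""` test always passes, and the `-I … 1` / `-I … 2` pair is inserted again on every reload; it must be `$IPTABLESSAVE 2>/dev/null`. That same line also combines an IPv4 test (`v2r_${rule_name}_pre_src`) with an IPv6 grep (`v2r6`, `omr6_dst_bypass_$intf`) and an `$IP6TABLESRESTORE` into `v2r6_${rule_name}_dst`; if that is not an artifact of how this diff was rendered, the condition and the restore target disagree and should be brought in line with the ssr6 block above. The function's tail lies outside this hunk.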
@@ -640,15 +656,15 @@ _ss_rules_config() { EOF fi if [ "$disableipv6" = "0" ]; then - if [ "$(ip6tables --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539 COMMIT EOF fi - if [ "$(ip6tables --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLES --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539 -I ssr6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN @@ -666,8 +682,8 @@ _v2ray_rules_config() { #rule_name=$1 #[ "$rule_name" = "ss_rules" ] && rule_name="def" rule_name="def" - if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$($IPTABLES --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I v2r_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539 -I v2r_${rule_name}_dst 2 -m mark --mark 0x539 -j RETURN 
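Review bot: The IPv6 nat block at the end of this hunk inserts both rules at position 1 — `-I ssr6_${rule_name}_dst 1 … -j MARK --set-mark 0x6539` followed by `-I ssr6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN` — so the RETURN ends up above the MARK and is evaluated before the mark is set; an IPv6 bypass destination is marked but then presumably continues down the ss-rules chain it was meant to leave. The IPv4 block in the same function uses `1` then `2`; the RETURN line should be `-I ssr6_${rule_name}_dst 2 -m mark --mark 0x6539 -j RETURN`. These are context lines, so the ordering predates this commit, but this hunk already touches the surrounding restore call. _ss_rules_config continues past the hunk.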
@@ -679,15 +695,15 @@ _v2ray_rules_config() { EOF fi if [ "$disableipv6" = "0" ]; then - if [ "$(ip6tables --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IP6TABLES --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539 COMMIT EOF fi - if [ "$(ip6tables --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then - ip6tables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IP6TABLES --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$($IP6TABLES --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *nat -I v2r6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539 -I v2r6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN 
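Review bot: The IPv6 nat insert at the end of this hunk puts the RETURN ahead of the MARK by using `-I v2r6_${rule_name}_dst 1` for both rules, so the `-m mark --mark 0x6539 -j RETURN` test runs before the mark exists and the bypass never short-circuits the chain. Change the second insert to `-I v2r6_${rule_name}_dst 2 -m mark --mark 0x6539 -j RETURN`, matching the `1` / `2` used by the IPv4 block of _v2ray_rules_config. The enclosing function runs past the end of this hunk.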
@@ -725,22 +741,22 @@ start_service() { create omr6_dst_bypass_all hash:net family inet6 hashsize 64 EOF } - iptables-save --counters | grep -v omr-bypass | iptables-restore -w --counters - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass | $IPTABLESRESTORE -w --counters 2>/dev/null + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle :omr-bypass - -A PREROUTING -j omr-bypass COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle :omr-bypass-local - -A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-save --counters | grep -v omr-bypass6 | ip6tables-restore -w --counters - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESSAVE --counters 2>/dev/null | grep -v omr-bypass6 | $IP6TABLESRESTORE -w --counters 2>/dev/null + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle :omr-bypass6 - -A PREROUTING -j omr-bypass6 @@ -786,14 +802,14 @@ start_service() { ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1 ip -6 rule add prio 1 fwmark 0x6539 lookup 6991337 > /dev/null 2>&1 - if [ "$(iptables --wait=40 -t mangle -L -n | grep 'match-set omr_dst_bypass_all dst MARK set')" = "" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF + if [ "$($IPTABLES --wait=40 -t mangle -L -n | grep 'match-set omr_dst_bypass_all dst MARK set')" = "" ]; then + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539 -A omr-bypass -m mark --mark 0x539 -j RETURN COMMIT EOF - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-bypass-local -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539 -A omr-bypass-local -m mark --mark 0x539 -j RETURN 
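Review bot: `$IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass | $IPTABLESRESTORE -w --counters 2>/dev/null` rewrites every table from a snapshot (iptables-restore without `--noflush` replaces each table at its COMMIT), so any rule another process adds between the save and the restore — an fw3 reload, ss-rules, another package's DNS redirect — is silently dropped, and with both ends now sending stderr to /dev/null a failed dump or a rejected restore leaves nothing in the log. A targeted `-D`/`-F`/`-X` of the package's own mangle chains would avoid touching unrelated tables at all, but the `-D` of the OUTPUT jump needs the exact `-m addrtype ! --dst-type LOCAL` spec, so at minimum wrap the pattern in a helper that checks the save's exit status and logs failures instead of hiding them, and use it for the IPv6 pair below and in stop_service. The enclosing start_service continues well beyond this hunk.
```sh
# Rebuild the live ruleset without lines matching $1, refusing to restore
# from a failed dump and logging instead of discarding errors.
# $1 = grep pattern to drop, $2 = save binary, $3 = restore binary
_rules_without() {
	dump="$("$2" --counters 2>/dev/null)" || { logger -t omr-bypass "$2 failed, rules left untouched"; return 1; }
	printf '%s\n' "$dump" | grep -v -- "$1" | "$3" -w --wait=60 --counters \
		|| logger -t omr-bypass "$3 failed while removing $1 rules"
}
# … unchanged: ipset creation …
_rules_without omr-bypass "$IPTABLESSAVE" "$IPTABLESRESTORE"
# … unchanged: chain creation heredocs …
```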
@@ -805,8 +821,8 @@ start_service() { config_foreach _ss_rules_config _v2ray_rules_config - iptables-save --counters | grep -v omr-bypass-dpi | iptables-restore -w --counters - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass-dpi | $IPTABLESRESTORE -w --counters 2>/dev/null + $IPTABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle :omr-bypass-dpi - -A INPUT -j omr-bypass-dpi @@ -814,8 +830,8 @@ start_service() { COMMIT EOF if [ "$disableipv6" = "0" ]; then - ip6tables-save --counters | grep -v omr-bypass6-dpi | ip6tables-restore -w --counters - ip6tables-restore -w --wait=60 --noflush <<-EOF + $IP6TABLESSAVE --counters | grep -v omr-bypass6-dpi | $IP6TABLESRESTORE -w --counters 2>/dev/null + $IP6TABLESRESTORE -w --wait=60 --noflush <<-EOF *mangle :omr-bypass6-dpi - -A INPUT -j omr-bypass6-dpi @@ -839,10 +855,10 @@ start_service() { } stop_service() { - iptables-save --counters | grep -v omr-bypass | iptables-restore -w --counters - iptables-save --counters | grep -v omr_dst | iptables-restore -w --counters - ip6tables-save --counters | grep -v omr-bypass6 | ip6tables-restore -w --counters - ip6tables-save --counters | grep -v omr6_dst | ip6tables-restore -w --counters + $IPTABLESSAVE --counters 2>/dev/null | grep -v omr-bypass | $IPTABLESRESTORE -w --counters 2>/dev/null + $IPTABLESSAVE --counters 2>/dev/null | grep -v omr_dst | $IPTABLESRESTORE -w --counters 2>/dev/null + $IP6TABLESSAVE --counters 2>/dev/null | grep -v omr-bypass6 | $IP6TABLESRESTORE -w --counters 2>/dev/null + $IP6TABLESSAVE --counters 2>/dev/null | grep -v omr6_dst | $IP6TABLESRESTORE -w --counters 2>/dev/null for setname in $(ipset -n list | grep "omr_"); do ipset -q destroy "$setname" 2>/dev/null || true done @@ -853,6 +869,7 @@ service_triggers() { } reload_service() { + RELOAD=1 start } 
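Review bot: In the `omr-bypass6-dpi` hunk the save side is the only one in this file left without the redirect, `$IP6TABLESSAVE --counters | grep -v omr-bypass6-dpi | $IP6TABLESRESTORE -w --counters 2>/dev/null`, while the IPv4 line just above and every other pair in the commit use `$IP6TABLESSAVE --counters 2>/dev/null`; whichever policy is intended for save errors, apply it uniformly so a reader does not have to guess why this one differs. start_service starts and ends outside the hunk.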
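Review bot: stop_service does four consecutive save-filter-restore rewrites of the full ruleset, each a window in which unrelated rules are flushed and re-created, and each now with its failure silenced, so leftover omr chains after a failed restore go unnoticed. Two passes are enough, one per family, by giving grep both patterns: `$IPTABLESSAVE --counters 2>/dev/null | grep -v -e omr-bypass -e omr_dst | $IPTABLESRESTORE -w --counters` and the ip6 equivalent with `-e omr-bypass6 -e omr6_dst`. Consider logging a restore failure instead of discarding it, since a stop that leaves rules behind is the case an operator needs to see.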
diff --git a/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter b/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter index e551ed8c3..771e4f98c 100755 --- a/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter +++ b/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter @@ -895,7 +895,7 @@ function interfaces_status() mArray.openmptcprouter["vps_status"] = "UP" mArray.openmptcprouter["vps_admin_error_msg"] = "" else - uci:set("openmptcprouter",s[".name"],"admin_error","1") + uci:set("openmptcprouter",s[".name"],"token_error","1") mArray.openmptcprouter["vps_admin_error"] = true uci:delete("openmptcprouter",s[".name"],"token") uci:save("openmptcprouter",s[".name"]) @@ -931,7 +931,7 @@ function interfaces_status() else mArray.openmptcprouter["vps_admin"] = false mArray.openmptcprouter["vps_admin_error_msg"] = "No result" - uci:set("openmptcprouter",s[".name"],"admin_error","1") + uci:set("openmptcprouter",s[".name"],"token_error","1") mArray.openmptcprouter["vps_admin_error"] = true uci:delete("openmptcprouter",s[".name"],"token") uci:save("openmptcprouter",s[".name"]) diff --git a/mptcp/files/usr/share/omr/post-tracking.d/post-tracking b/mptcp/files/usr/share/omr/post-tracking.d/post-tracking index e6560ec05..2d31acd3f 100755 --- a/mptcp/files/usr/share/omr/post-tracking.d/post-tracking +++ b/mptcp/files/usr/share/omr/post-tracking.d/post-tracking 
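Review bot: Both hunks set `token_error` to "1" and delete the stored token, but nothing visible here clears `token_error` once a token is obtained again; if the flag is only ever set, the new `token_error='1'` check in post-tracking will keep invoking the `token` command on every tracker pass. Confirm the reset exists in the init script, or clear it on the success path where `vps_status` is set to "UP", e.g. `uci:delete("openmptcprouter", s[".name"], "token_error")`. Note also that `vps_admin_error` is still reported to the UI while `admin_error` is no longer persisted, so the two views of the same failure can now disagree after a reload. The enclosing `interfaces_status` starts and ends outside both hunks.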
@@ -1692,7 +1692,7 @@ if [ -n "$(logread | tail -n 2 | grep 'Ring expansion failed')" ]; then echo 1 > /sys/bus/pci/rescan fi -if [ -f /etc/init.d/omr-bypass ] && [ "$(iptables-save | grep omr-bypass)" = "" ] && [ "$(pgrep -f omr-bypass)" = "" ]; then +if [ -f /etc/init.d/omr-bypass ] && (([ -f /usr/sbin/iptables-legacy-save ] && [ "$(iptables-legacy-save 2>/dev/null | grep omr-bypass)" = "" ]) || [ "$(iptables-save 2>/dev/null | grep omr-bypass)" = "" ]) && [ "$(pgrep -f omr-bypass)" = "" ]; then _log "Can't find omr-bypass rules, restart omr-bypass..." /etc/init.d/omr-bypass 2>&1 >/dev/null sleep 5 @@ -1703,6 +1703,10 @@ if [ -f /etc/backup/installed_packages.txt ] && [ -n "$(grep overlay /etc/backup /etc/init.d/sysupgrade restart 2>&1 >/dev/null fi +if [ "$(pgrep openmptcprouter-vps)" = "" ] && [ "$(uci -q show openmptcprouter | grep token_error=\'1\')" != "" ]; then + /etc/init.d/openmptcprouter-vps token >/dev/null 2>&1 + sleep 5 +fi if [ "$(pgrep openmptcprouter-vps)" = "" ] && ([ "$(uci -q show openmptcprouter | grep get_config=\'1\')" != "" ] || [ "$(uci -q show openmptcprouter | grep admin_error=\'1\')" != "" ]); then /etc/init.d/openmptcprouter-vps restart >/dev/null 2>&1 sleep 5 
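Review bot: The rewritten condition does not select a backend, it checks both: when `iptables-legacy-save` exists and already contains the omr-bypass rules, the left clause is false and evaluation falls through to `iptables-save`, which on a system where that binary is the nft-backed wrapper will not contain them, so omr-bypass is restarted on every tracker pass. Pick the save command once and test its output, which also makes the line readable.
```shell
# … unchanged: PCI rescan block above …
if [ -f /usr/sbin/iptables-legacy-save ]; then
	omr_bypass_rules="$(iptables-legacy-save 2>/dev/null | grep omr-bypass)"
else
	omr_bypass_rules="$(iptables-save 2>/dev/null | grep omr-bypass)"
fi
if [ -f /etc/init.d/omr-bypass ] && [ -z "$omr_bypass_rules" ] && [ -z "$(pgrep -f omr-bypass)" ]; then
	_log "Can't find omr-bypass rules, restart omr-bypass..."
	# … unchanged: restart and sleep …
```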
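Review bot: The new `token_error='1'` block calls `/etc/init.d/openmptcprouter-vps token` on every pass of this script while the flag is set, and nothing in the diff shows the flag being cleared on success, so a VPS that keeps rejecting the login is hit with a fresh authentication attempt every few seconds, which is exactly the pattern that trips rate limiting or account lockout on the API side. Either confirm `_get_token` resets `token_error`, or add a back-off here, e.g. only retry when `uci -q get openmptcprouter.settings.token_retry` is older than a minute, mirroring the `sleep 5` that the `get_config`/`admin_error` branch below already relies on.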
@@ -1713,7 +1717,7 @@ if [ "$(uci -q get sqm.${OMR_TRACKER_INTERFACE}.enabled)" = "1" ] && [ "$(uci -q sleep 5 fi -#if [ "$(uci -q show openmptcprouter | grep server)" != "" ] && [ "$(uci -q show openmptcprouter | grep password)" != "" ] && [ "$(pgrep openmptcprouter-vps)" = "" ] && [ "$(uci -q show openmptcprouter | grep admin_error=\'1\')" = "" ] && ([ "$(uci -q show openmptcprouter | grep set_firewall=\'1\')" != "" ] || [ -z "$(iptables-save | grep omr_dst_bypass_${OMR_TRACKER_DEVICE})" ]); then +#if [ "$(uci -q show openmptcprouter | grep server)" != "" ] && [ "$(uci -q show openmptcprouter | grep password)" != "" ] && [ "$(pgrep openmptcprouter-vps)" = "" ] && [ "$(uci -q show openmptcprouter | grep admin_error=\'1\')" = "" ] && ([ "$(uci -q show openmptcprouter | grep set_firewall=\'1\')" != "" ] || (([ -f /usr/sbin/iptables-legacy-save ] && [ -z "$(iptables-save 2>/dev/null | grep omr_dst_bypass_${OMR_TRACKER_DEVICE})" ]) || [ -z "$(iptables-save 2>/dev/null | grep omr_dst_bypass_${OMR_TRACKER_DEVICE})" ])); then if [ "$(pgrep -f set_vps_firewall)" = "" ] && [ "$(uci -q show openmptcprouter | grep server)" != "" ] && [ "$(uci -q show openmptcprouter | grep password)" != "" ] && [ "$(pgrep openmptcprouter-vps)" = "" ] && [ "$(uci -q show openmptcprouter | grep admin_error=\'1\')" = "" ] && [ "$(uci -q show openmptcprouter | grep set_firewall=\'1\')" != "" ]; then check_server_fw() { [ "$(uci -q get openmptcprouter.$1.set_firewall)" = "1" ] && { diff --git a/omr-tracker/files/bin/omr-tracker-ss b/omr-tracker/files/bin/omr-tracker-ss index 28f54b41a..50337a094 100755 --- a/omr-tracker/files/bin/omr-tracker-ss +++ b/omr-tracker/files/bin/omr-tracker-ss 
@@ -4,6 +4,16 @@ name=$0 basename="$(basename $0)" +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" + IPTABLESAVE="/usr/sbin/iptables-legacy-save" +else + IPTABLES="/usr/sbin/iptables" + IPTABLESAVE="/usr/sbin/iptables-save" +fi + + + _log() { logger -p daemon.info -t "${basename}" "$@" } @@ -76,7 +86,7 @@ while true; do uci -q set openmptcprouter.omr.ss_${server}="up" uci -q commit openmptcprouter.omr } - if [ -z "$(iptables-save | grep :ssr)" ] && [ "$(uci -q get shadowsocks-libev.ss_rules.disabled)" != "1" ]; then + if [ -z "$($IPTABLESSAVE 2>/dev/null | grep :ssr)" ] && [ "$(uci -q get shadowsocks-libev.ss_rules.disabled)" != "1" ]; then _log "Reload Shadowsocks rules" /etc/init.d/shadowsocks-libev rules_up 2> /dev/null _get_ip @@ -87,7 +97,7 @@ while true; do last=$((last + 1 )) [ -z "$nocontact" ] && nocontact="$host" || nocontact="$nocontact, $host" [ "${last}" -ge "${retry}" ] && { - if [ -n "$(iptables -w -t nat -L -n | grep ssr)" ]; then + if [ -n "$($IPTABLES -w -t nat -L -n 2>/dev/null | grep ssr)" ]; then _log "Shadowsocks ${server} is down (can't contact via http ${nocontact})" uci -q set openmptcprouter.omr.ss_${server}="down" uci -q commit openmptcprouter.omr diff --git a/omr-tracker/files/bin/omr-tracker-v2ray b/omr-tracker/files/bin/omr-tracker-v2ray index 2530ca63f..9201d54b0 100755 --- a/omr-tracker/files/bin/omr-tracker-v2ray +++ b/omr-tracker/files/bin/omr-tracker-v2ray @@ -4,6 +4,13 @@ name=$0 basename="$(basename $0)" +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" +else + IPTABLES="/usr/sbin/iptables" +fi + + _log() { logger -p daemon.info -t "${basename}" "$@" } @@ -75,7 +82,7 @@ while true; do uci -q set openmptcprouter.omr.v2ray="up" uci -q commit openmptcprouter.omr } - if [ -z "$(iptables -w -t nat -L -n | grep v2r)" ]; then + if [ -z "$($IPTABLES -w -t nat -L -n 2>/dev/null | grep v2r)" ]; then _log "Reload V2Ray rules" /etc/init.d/v2ray rules_up 2> /dev/null _get_ip 
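Review bot: The first hunk assigns `IPTABLESAVE` (one S) in both branches, but the check in the second hunk reads `$IPTABLESSAVE`, which is therefore always empty; `$( 2>/dev/null | grep :ssr)` then runs grep on empty input, `-z` is true, and "Reload Shadowsocks rules" plus `rules_up` fire on every iteration of the loop even while everything is healthy. Rename the assignments to `IPTABLESSAVE="/usr/sbin/iptables-legacy-save"` and `IPTABLESSAVE="/usr/sbin/iptables-save"`. The same missing-S slip appears in firewall.gre-tunnel in this commit, so a grep for `IPTABLESAVE\b` across the tree is worthwhile.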
@@ -86,7 +93,7 @@ while true; do last=$((last + 1 )) [ -z "$nocontact" ] && nocontact="$host" || nocontact="$nocontact, $host" [ "${last}" -ge "${retry}" ] && { - if [ -n "$(iptables -w -t nat -L -n | grep v2r)" ]; then + if [ -n "$($IPTABLES -w -t nat -L -n 2>/dev/null | grep v2r)" ]; then _log "V2Ray is down (can't contact via http ${nocontact})" uci -q set openmptcprouter.omr.v2ray="down" uci -q commit openmptcprouter.omr diff --git a/openmptcprouter/files/bin/blocklanfw b/openmptcprouter/files/bin/blocklanfw index a35694dac..56f176c81 100755 --- a/openmptcprouter/files/bin/blocklanfw +++ b/openmptcprouter/files/bin/blocklanfw 
@@ -1,18 +1,31 @@ #!/bin/sh + +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" + IP6TABLES="/usr/sbin/ip6tables-legacy" + IPTABLESSAVE="/usr/sbin/iptables-legacy-save" + IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save" +else + IPTABLES="/usr/sbin/iptables" + IP6TABLES="/usr/sbin/ip6tables" + IPTABLESSAVE="/usr/sbin/iptables-save" + IP6TABLESSAVE="/usr/sbin/ip6tables-save" +fi + ss_rules_fw_drop() { timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IPTABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fw=$((fw+1)) fi done timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IPTABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fw=$((fw+1)) fi done 
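Review bot: `eval "$IPTABLES-w -t nat -A zone_lan_prerouting ${fwrule} ..."` has no space before `-w`, so the command becomes `/usr/sbin/iptables-legacy-w` (or `/usr/sbin/iptables-w`) and is never found; none of the reject/DROP-to-REDIRECT rules this script exists to install are added, which presumably leaves the LAN block rules bypassed for proxied traffic. Both loops need `eval "$IPTABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"`. While touching these lines: the dedup check `grep '${fwrule}'` is single-quoted inside the command substitution, so it searches for the literal text `${fwrule}` and never matches, meaning the rule is appended again on each run; `grep -F -- "${fwrule}"` is what was intended. ss_rules_fw_drop continues past the end of the hunk.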
@@ -22,16 +35,16 @@ ss_rules6_fw_drop() { timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IP6TABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fw=$((fw+1)) fi done timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IP6TABLES-w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fw=$((fw+1)) fi done 
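Review bot: Same missing space as the IPv4 function: `$IP6TABLES-w` expands to a non-existent `ip6tables-legacy-w` binary, so no IPv6 redirect rule is ever installed; use `eval "$IP6TABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"` in both loops. The existence check on the preceding line still inspects the IPv4 table (`$IPTABLESSAVE`) even though `IP6TABLESSAVE` was added at the top of the file for exactly this purpose; it should read `$IP6TABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep -F -- "${fwrule}"`. ss_rules6_fw_drop starts and ends outside the hunk.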
@@ -41,16 +54,16 @@ v2r_rules_fw_drop() { timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "iptables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IPTABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" fw=$((fw+1)) fi done timeout 1 fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "iptables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IPTABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" fw=$((fw+1)) fi done 
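Review bot: `$IPTABLES-w` again lacks the separating space, so the `-I zone_lan_prerouting 1` inserts for the V2Ray case resolve to a missing `iptables-legacy-w` binary and silently do nothing; change both evals to `eval "$IPTABLES -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"`. As in the other loops, the `grep '${fwrule}'` guard compares against the literal string `${fwrule}` and never suppresses a duplicate. v2r_rules_fw_drop continues outside the hunk.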
@@ -60,21 +73,21 @@ v2ray_rules6_fw_drop() { timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "ip6tables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IP6TABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" fi done timeout 1 fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j DROP/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/DROP/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "ip6tables -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IP6TABLES-w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null" fi done } [ -n "$(pgrep blocklanfw)" ] && exit 0 -[ -z "$(iptables-save | grep zone_lan)" ] && exit 0 +[ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan)" ] && exit 0 fw=0 if [ "$(uci -q get openmptcprouter.settings.proxy)" = "shadowsocks" ]; then ss_rules6_fw_drop diff --git a/openmptcprouter/files/etc/firewall.gre-tunnel b/openmptcprouter/files/etc/firewall.gre-tunnel index 4d8d450e1..f287a096b 100755 --- a/openmptcprouter/files/etc/firewall.gre-tunnel +++ b/openmptcprouter/files/etc/firewall.gre-tunnel 
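Review bot: `$IP6TABLES-w` has the same missing space as the other three functions and the dedup check still reads the IPv4 dump via `$IPTABLESSAVE`; both evals should be `eval "$IP6TABLES -w -t nat -I zone_lan_prerouting 1 ${fwrule} 2>&1 >/dev/null"` and the check should use `$IP6TABLESSAVE`. Separately, the top-level guard `[ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan)" ] && exit 0` now exits quietly when the save binary itself fails, which is indistinguishable from "no LAN zone yet" and leaves the block rules uninstalled with no trace; consider `$IPTABLESSAVE >/dev/null 2>&1 || { logger -t blocklanfw "iptables-save failed"; exit 1; }` before that test.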
@@ -1,6 +1,14 @@ #!/bin/sh . /lib/functions.sh +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLESSAVE="/usr/sbin/iptables-legacy-save" + IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore" +else + IPTABLESSAVE="/usr/sbin/iptables-save" + IPTABLESRESTORE="/usr/sbin/iptables-restore" +fi + _setup_rules() { config_get lookup $1 lookup [ -n "$lookup" ] && [ -z "$(ip rule list fwmark 0x${lookup})" ] && { @@ -30,8 +38,8 @@ _setup_fw() { [ -n "$src_ips_forward" ] && rule="$rule -s $(echo "${src_ips_forward}" | sed 's/ /,/g')" [ -n "$ifnames" ] && rule="$rule -i $(echo "${ifnames}" | sed 's/ /-i /g')" if [ -n "$rule" ] && [ -n "$lookup" ]; then - iptables-save --counters | grep -v "0x${lookup}" | iptables-restore -w --counters - iptables-restore -w --wait=60 --noflush <<-EOF + $IPTABLESAVE --counters | grep -v "0x${lookup}" | $IPTABLERESTORE -w --counters + $IPTABLERESTORE -w --wait=60 --noflush <<-EOF *mangle -A omr-gre-tunnel ${rule} -j MARK --set-mark 0x${lookup} COMMIT @@ -39,8 +47,8 @@ _setup_fw() { fi } -if [ -z "$(iptables-save | grep omr-gre-tunnel)" ]; then - iptables-restore -w --wait=60 --noflush <<-EOF +if [ -z "$($IPTABLESAVE | grep omr-gre-tunnel)" ]; then + $IPTABLERESTORE -w --wait=60 --noflush <<-EOF *mangle :omr-gre-tunnel - -I PREROUTING 1 -m addrtype ! --dst-type LOCAL -j omr-gre-tunnel diff --git a/openmptcprouter/files/etc/firewall.ttl b/openmptcprouter/files/etc/firewall.ttl index e241dbfca..0c48ee873 100755 --- a/openmptcprouter/files/etc/firewall.ttl +++ b/openmptcprouter/files/etc/firewall.ttl @@ -5,7 +5,7 @@ _set_ttl() { device=$(uci -q get network.$1.name) ttl=$(uci -q get network.$1.ttl) - if [ -n "$ttl" ] && [ -z "$(iptables-save | grep TTL | grep $device)" ]; then + if [ -n "$ttl" ] && [ -z "$(iptables-save 2>/dev/null | grep TTL | grep $device)" ]; then iptables -w -t mangle -I POSTROUTING -o $device -j TTL --ttl-set $ttl 2>&1 >/dev/null fi } 
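Review bot: The first hunk defines `IPTABLESSAVE` and `IPTABLESRESTORE`, but the two later hunks expand `$IPTABLESAVE` and `$IPTABLERESTORE`, which are unset; the save/restore line degrades to running `--counters` and `-w --counters` as commands, the `<<-EOF` restore becomes `-w: not found`, and the `omr-gre-tunnel` mark rule is never installed, while `[ -z "$($IPTABLESAVE | grep omr-gre-tunnel)" ]` is always true so chain creation is re-attempted on every run. Replace the three uses with `$IPTABLESSAVE` / `$IPTABLESRESTORE`. _setup_fw starts outside the hunk.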
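Review bot: firewall.ttl is the one script in this commit that keeps calling `iptables-save` and `iptables` directly rather than the legacy-aware variables, so on a host where `/usr/sbin/iptables-legacy` exists the TTL rule is checked for and inserted through a different backend than the omr-bypass and proxy rules; it works because the kernel runs both hook sets, but the existence check is then looking at the wrong table. Add the same `if [ -f /usr/sbin/iptables-legacy ]` selection block at the top and use `$IPTABLESSAVE` / `$IPTABLES` here, and quote the device in the filter, `grep -- "$device"`. _set_ttl starts outside the hunk.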
diff --git a/openmptcprouter/files/etc/init.d/openmptcprouter-vps b/openmptcprouter/files/etc/init.d/openmptcprouter-vps index d49d3aed9..6fcf197d5 100755 --- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps +++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps @@ -6,10 +6,27 @@ START=99 USE_PROCD=1 -EXTRA_COMMANDS="set_pihole backup_send backup_get backup_list set_vps_firewall get_openvpn_key set_gre_tunnel" +EXTRA_COMMANDS="set_pihole backup_send backup_get backup_list set_vps_firewall get_openvpn_key set_gre_tunnel token" . /usr/lib/unbound/iptools.sh +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" + IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore" + IPTABLESSAVE="/usr/sbin/iptables-legacy-save" + IP6TABLES="/usr/sbin/ip6tables-legacy" + IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save" +else + IPTABLES="/usr/sbin/iptables" + IPTABLESRESTORE="/usr/sbin/iptables-restore" + IPTABLESSAVE="/usr/sbin/iptables-save" + IP6TABLES="/usr/sbin/ip6tables" + IP6TABLESRESTORE="/usr/sbin/ip6tables-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-save" +fi + + _parse_result() { result=$("echo $1 | jsonfilter -q -e '@.result'") echo $result @@ -937,7 +954,7 @@ _vps_firewall_redirect_port() { comment="" [ -n "$src_dip" ] && { comment=" to $src_dip" - iptables-save --counters | sed "s:-d $src_dip/32::g" | iptables-restore -w + $IPTABLESSAVE --counters | sed "s:-d $src_dip/32::g" | $IPTABLESRESTORE -w } [ -n "$src_ip" ] && comment=" from $src_ip" if [ "$target" = "ACCEPT" ]; then 
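Review bot: `$IPTABLESSAVE --counters | sed "s:-d $src_dip/32::g" | $IPTABLESRESTORE -w` rewrites every table and strips the `-d <ip>/32` qualifier from any rule that carries it, not just the one this function manages, which widens unrelated rules; and `$src_dip` is interpolated into the sed pattern unescaped, so its dots match any character and a `:` in the value would break the delimiter. If the intent is only to drop the destination match from this function's own redirect rule, match on the rule's `# OMR ... --- ` comment as well, and escape the address, e.g. `sed "s:-d $(printf '%s' "$src_dip" | sed 's/\./\\./g')/32::g"`. _vps_firewall_redirect_port starts and ends outside the hunk.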
@@ -1019,7 +1036,7 @@ _vps_firewall_redirect_port() { comment="" [ -n "$src_dip" ] && { comment=" to $src_dip" - iptables-save --counters | sed "s:-d $src_dip/32::g" | iptables-restore -w + $IPTABLESSAVE --counters | sed "s:-d $src_dip/32::g" | $IPTABLESRESTORE -w } [ -n "$src_ip" ] && comment=" from $src_ip" checkfw=$(echo "$vpsfwlist" | grep "# OMR $username open router $src_dport port ${protoi}${comment} --- V2Ray to ${dest_ip}:${dest_port}") @@ -1791,7 +1808,7 @@ _count_server() { serversnb=$((serversnb+1)) } -_config_service() { +_get_token() { servername=$1 [ -z "$(uci -q get openmptcprouter.${servername}.username)" ] && return [ -z "$(uci -q get openmptcprouter.${servername}.password)" ] && return @@ -1799,7 +1816,6 @@ _config_service() { [ -z "$(uci -q get openmptcprouter.${servername}.ip)" ] && return [ "$(uci -q get openmptcprouter.${servername}.disabled)" = "1" ] && return token="" - vps_config="" _login [ -z "$token" ] && { reason="" @@ -1840,8 +1856,15 @@ _config_service() { uci -q batch <<-EOF >/dev/null set openmptcprouter.${servername}.admin_error=1 EOF - return } + echo $token +} + +_config_service() { + servername=$1 + vps_config="" + token=$(_get_token $servername) + [ -z "$token" ] && return error=0 if [ -n "$serial" ]; then [ -z "$vps_config" ] && vps_config=$(_get_json "config?serial=${serial}") @@ -1958,6 +1981,11 @@ set_pihole() { config_foreach _set_pihole_server server } +token() { + config_load openmptcprouter + config_foreach _get_token server +} + start_service() { serversnb=0 wanips="" diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init index c93f03a3e..094e1fdbd 100755 --- a/shadowsocks-libev/files/shadowsocks-libev.init +++ b/shadowsocks-libev/files/shadowsocks-libev.init @@ -326,7 +326,7 @@ reload_service() { } rules_exist() { - [ -n "$(iptables-save | grep 'A ssr')" ] && return 0 + [ -n "$(iptables-save 2>/dev/null | grep 'A ssr')" ] && return 0 return 1 } 
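Review bot: `token=$(_get_token $servername)` now runs `_login` inside a command substitution, so any variable the old inline code relied on being set by `_login` for the remainder of `_config_service` (the `serial` tested three lines later, for instance) no longer reaches the caller unless it is set elsewhere, and anything `_login` writes to stdout becomes part of the captured token; both are worth confirming before merge. The uci `admin_error=1` side effect survives because staging is on disk, but the result should be emitted as `printf '%s\n' "$token"` and the argument quoted, `token=$(_get_token "$servername")`. _config_service continues outside the hunk.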
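Review bot: The new `token` init-script verb prints every server's API token to stdout, since `_get_token` ends with `echo $token`; run by hand that puts bearer credentials in the terminal scrollback and in the log of any wrapper that captures output. post-tracking only wants the side effects and already redirects, so make the verb itself quiet: `config_foreach _get_token server >/dev/null`. A short comment on `token()` saying it exists to re-acquire a token after `token_error` is set would also help, since nothing in the diff states that, and nothing visible clears `token_error` on success.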
@@ -356,7 +356,7 @@ rules_up() { config_foreach ss_rules_restart "$cfgtype" "$cfgtype" done config_foreach ss_rules ss_rules - [ -z "$(iptables-save | grep :ssr)" ] && logger -t "Shadowsocks" "Rules not applied" + [ -z "$(iptables-save 2>/dev/null | grep :ssr)" ] && logger -t "Shadowsocks" "Rules not applied" [ -f /etc/init.d/omr-bypass ] && [ -z "$(pgrep -f omr-bypass)" ] && { logger -t "Shadowsocks" "Reload omr-bypass rules" /etc/init.d/omr-bypass reload_rules diff --git a/shadowsocks-libev/files/ss-rules b/shadowsocks-libev/files/ss-rules index 9364afb31..9e6907fab 100755 --- a/shadowsocks-libev/files/ss-rules +++ b/shadowsocks-libev/files/ss-rules @@ -9,6 +9,17 @@ # See /LICENSE for more information. # +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" + IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore" + IPTABLESSAVE="/usr/sbin/iptables-legacy-save" +else + IPTABLES="/usr/sbin/iptables" + IPTABLESRESTORE="/usr/sbin/iptables-restore" + IPTABLESSAVE="/usr/sbin/iptables-save" +fi + + ss_rules_usage() { cat >&2 </dev/null; then + if [ -n "$o_dst_forward_recentrst" ] && ! $IPTABLES -w -m recent -h >/dev/null; then __errmsg "Please install iptables-mod-conntrack-extra with opkg" return 1 fi @@ -122,7 +133,7 @@ ss_rules_parse_args() { ss_rules_flush() { local setname - iptables-save --counters | grep -v ssr_ | iptables-restore -w --counters + $IPTABLESSAVE --counters 2>/dev/null | grep -v ssr_ | $IPTABLESRESTORE -w --counters while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done ip route flush table 100 || true for setname in $(ipset -n list | grep "ssr_${rule}"); do 
@@ -166,8 +177,8 @@ ss_rules_iptchains_init() { } ss_rules_iptchains_init_mark() { - if [ "$(iptables -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then - iptables-restore -w --noflush <<-EOF + if [ "$($IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then + $IPTABLESRESTORE -w --noflush <<-EOF *mangle -A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539 COMMIT @@ -187,8 +198,8 @@ ss_rules_iptchains_init_tcp() { forward) local_target=ssr_${rule}_forward ;; bypass|*) return 0;; esac - if [ "$(iptables-save | grep ssr_${rule}_local_out | grep ssr_${rule}_dst_bypass)" = "" ]; then - iptables-restore -w --noflush <<-EOF + if [ "$($IPTABLESSAVE 2>/dev/null | grep ssr_${rule}_local_out | grep ssr_${rule}_dst_bypass)" = "" ]; then + $IPTABLESRESTORE -w --noflush <<-EOF *nat :ssr_${rule}_local_out - -I OUTPUT 1 -p tcp -j ssr_${rule}_local_out @@ -244,7 +255,7 @@ ss_rules_iptchains_init_() { forward) dst_default_target=ssr_${rule}_forward ;; bypass|*) dst_default_target=RETURN ;; esac - sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush + sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IPTABLESRESTORE -w --noflush *$table :ssr_${rule}_pre_src - :ssr_${rule}_src - diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6 index 0b1973523..b0e2704d8 100755 --- a/shadowsocks-libev/files/ss-rules6 +++ b/shadowsocks-libev/files/ss-rules6 
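Review bot: `$IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all` lists the chain without `-n`, so iptables reverse-resolves every address and port in PREROUTING before grep sees a line; with DNS itself routed through the proxy this script configures, that lookup can stall or time out on each reload. Add `-n` (`$IPTABLES -w -t mangle -L PREROUTING -n | grep -q ss_rules_dst_bypass_all`), or test the `$IPTABLESSAVE -t mangle` output the file already uses elsewhere. ss_rules_iptchains_init_mark continues outside the hunk.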
@@ -9,6 +9,18 @@ # See /LICENSE for more information. # +if [ -f /usr/sbin/iptables-legacy ]; then + IP6TABLES="/usr/sbin/ip6tables-legacy" + IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save" +else + IP6TABLES="/usr/sbin/ip6tables" + IP6TABLESRESTORE="/usr/sbin/ip6tables-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-save" +fi + + + ss_rules6_usage() { cat >&2 </dev/null; then + if [ -n "$o_dst_forward_recentrst" ] && ! $IP6TABLES -w -m recent -h >/dev/null; then __errmsg "Please install ip6tables-mod-conntrack-extra with opkg" return 1 fi @@ -105,7 +117,7 @@ ss_rules6_parse_args() { ss_rules6_flush() { local setname - ip6tables-save --counters | grep -v ssr6_ | ip6tables-restore -w --counters + $IP6TABLESSAVE --counters 2>/dev/null | grep -v ssr6_ | $IP6TABLESRESTORE -w --counters while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done ip -f inet6 route flush table 100 || true for setname in $(ipset -n list | grep "ssr6_${rule}"); do @@ -149,8 +161,8 @@ ss_rules6_iptchains_init() { } ss_rules6_iptchains_init_mark() { - if [ "$(ip6tables -w -t mangle -L PREROUTING | grep ss_rules6_dst_bypass_all)" = "" ]; then - ip6tables-restore -w --noflush <<-EOF + if [ "$($IP6TABLES -w -t mangle -L PREROUTING | grep ss_rules6_dst_bypass_all)" = "" ]; then + $IP6TABLESRESTORE -w --noflush <<-EOF *mangle -A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 COMMIT @@ -172,7 +184,7 @@ ss_rules6_iptchains_init_tcp() { bypass|*) return 0;; esac - ip6tables-restore -w --noflush <<-EOF + $IP6TABLESRESTORE -w --noflush <<-EOF *nat :ssr6_${rule}_local_out - -I OUTPUT 1 -p tcp -j ssr6_${rule}_local_out 
@@ -227,7 +239,7 @@ ss_rules6_iptchains_init_() { forward) dst_default_target=ssr6_${rule}_forward ;; bypass|*) dst_default_target=RETURN ;; esac - sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush + sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IP6TABLESRESTORE -w --noflush *$table :ssr6_${rule}_pre_src - :ssr6_${rule}_src - diff --git a/v2ray-core/files/etc/init.d/v2ray b/v2ray-core/files/etc/init.d/v2ray index ffe8d1db4..3cd9e8740 100755 --- a/v2ray-core/files/etc/init.d/v2ray +++ b/v2ray-core/files/etc/init.d/v2ray @@ -2086,7 +2086,7 @@ start_instance() { } rules_exist() { - [ -n "$(iptables -w -t nat -L -n | grep v2r_)" ] && return 0 + [ -n "$(iptables -w -t nat -L -n 2>/dev/null | grep v2r_)" ] && return 0 return 1 } diff --git a/v2ray-core/files/usr/bin/v2ray-rules b/v2ray-core/files/usr/bin/v2ray-rules index 45150d743..1424e52e1 100755 --- a/v2ray-core/files/usr/bin/v2ray-rules +++ b/v2ray-core/files/usr/bin/v2ray-rules @@ -9,6 +9,18 @@ # See /LICENSE for more information. # +if [ -f /usr/sbin/iptables-legacy ]; then + IPTABLES="/usr/sbin/iptables-legacy" + IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore" + IPTABLESSAVE="/usr/sbin/iptables-legacy-save" +else + IPTABLES="/usr/sbin/iptables" + IPTABLESRESTORE="/usr/sbin/iptables-restore" + IPTABLESSAVE="/usr/sbin/iptables-save" +fi + + + v2r_rules_usage() { cat >&2 </dev/null; then + if [ -n "$o_dst_forward_recentrst" ] && ! $IPTABLES -w -m recent -h >/dev/null; then __errmsg "Please install iptables-mod-conntrack-extra with opkg" return 1 fi @@ -122,7 +134,7 @@ v2r_rules_parse_args() { v2r_rules_flush() { local setname - iptables-save --counters | grep -v v2r_ | iptables-restore -w --counters + $IPTABLESSAVE --counters 2>/dev/null | grep -v v2r_ | $IPTABLESRESTORE -w --counters while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done ip route flush table 100 || true for setname in $(ipset -n list | grep "ssr_${rule}"); do 
@@ -166,8 +178,8 @@ v2r_rules_iptchains_init() { } v2r_rules_iptchains_init_mark() { - if [ "$(iptables -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then - iptables-restore -w --noflush <<-EOF + if [ "$($IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then + $IPTABLESRESTORE -w --noflush <<-EOF *mangle -A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539 COMMIT @@ -188,7 +200,7 @@ v2r_rules_iptchains_init_tcp() { bypass|*) return 0;; esac - iptables-restore -w --noflush <<-EOF + $IPTABLESRESTORE -w --noflush <<-EOF *nat :v2r_${rule}_local_out - -I OUTPUT 1 -p tcp -j v2r_${rule}_local_out @@ -243,7 +255,7 @@ v2r_rules_iptchains_init_() { forward) dst_default_target=v2r_${rule}_forward ;; bypass|*) dst_default_target=RETURN ;; esac - sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush + sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IPTABLESRESTORE -w --noflush *$table :v2r_${rule}_pre_src - :v2r_${rule}_src - 
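Review bot: As in ss-rules, the guard `$IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all` omits `-n` and therefore triggers reverse DNS for every entry in PREROUTING on each call; use `$IPTABLES -w -t mangle -L PREROUTING -n | grep -q ss_rules_dst_bypass_all`. The chain name it looks for is the Shadowsocks one rather than a v2r one, which may be intentional sharing of the bypass set but deserves a one-line comment. v2r_rules_iptchains_init_mark continues outside the hunk.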
@@ -287,15 +299,15 @@ v2r_rules_fw_drop() { fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "iptables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IPTABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fi done fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/') - if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "iptables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then + eval "$IPTABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fi done } diff --git a/v2ray-core/files/usr/bin/v2ray-rules6 b/v2ray-core/files/usr/bin/v2ray-rules6 index 3d0e6d79f..ed9ad2e1a 100755 --- a/v2ray-core/files/usr/bin/v2ray-rules6 +++ b/v2ray-core/files/usr/bin/v2ray-rules6 
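Review bot: The second loop's `eval "$IPTABLES -t nat -A zone_lan_prerouting ${fwrule} ..."` lacks the `-w` the first loop has, so under xtables lock contention (this runs alongside fw3 and the other rules scripts) the append fails with "another app is currently holding the xtables lock" and the rule is lost with no retry; make it `eval "$IPTABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"`. The preceding `grep '${fwrule}'` is single-quoted inside the substitution and matches the literal text `${fwrule}`, so the duplicate check never fires; `grep -F -- "${fwrule}"` is intended. v2r_rules_fw_drop starts outside the hunk.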
@@ -9,6 +9,18 @@ # See /LICENSE for more information. # +if [ -f /usr/sbin/iptables-legacy ]; then + IP6TABLES="/usr/sbin/ip6tables-legacy" + IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save" +else + IP6TABLES="/usr/sbin/ip6tables" + IP6TABLESRESTORE="/usr/sbin/ip6tables-restore" + IP6TABLESSAVE="/usr/sbin/ip6tables-save" +fi + + + v2ray_rules6_usage() { cat >&2 </dev/null; then + if [ -n "$o_dst_forward_recentrst" ] && ! $IP6TABLES -w -m recent -h >/dev/null; then __errmsg "Please install ip6tables-mod-conntrack-extra with opkg" return 1 fi @@ -105,7 +117,7 @@ v2ray_rules6_parse_args() { v2ray_rules6_flush() { local setname - ip6tables-save --counters | grep -v v2r6_ | ip6tables-restore -w --counters + $IP6TABLESSAVE --counters 2>/dev/null | grep -v v2r6_ | $IP6TABLESRESTORE -w --counters while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done ip -f inet6 route flush table 100 || true for setname in $(ipset -n list | grep "ssr6_${rule}"); do @@ -149,7 +161,7 @@ v2ray_rules6_iptchains_init() { } v2ray_rules6_iptchains_init_mark() { - ip6tables-restore -w --noflush <<-EOF + $IP6TABLESRESTORE -w --noflush <<-EOF *mangle -A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539 COMMIT @@ -172,7 +184,7 @@ v2ray_rules6_iptchains_init_tcp() { esac # echo "tcp mangle" -# ip6tables-restore -w --noflush <<-EOF +# $IP6TABLESRESTORE -w --noflush <<-EOF # *mangle # :v2r6_${rule}_local_out - # -I OUTPUT 1 -p tcp -j v2r6_${rule}_local_out @@ -232,7 +244,7 @@ v2ray_rules6_iptchains_init_() { forward) dst_default_target=v2r6_${rule}_forward ;; bypass|*) dst_default_target=RETURN ;; esac - sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush + sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IP6TABLESRESTORE -w --noflush *$table :v2r6_${rule}_pre_src - :v2r6_${rule}_src - 
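Review bot: `v2ray_rules6_iptchains_init_mark` appends the `ss_rules6_dst_bypass_all` MARK rule to mangle PREROUTING unconditionally under `--noflush`, whereas its IPv4 counterpart in this same commit, `v2r_rules_iptchains_init_mark`, first checks whether the rule exists; every reload therefore adds another identical rule to PREROUTING. Mirror the guard: `if [ -z "$($IP6TABLES -w -t mangle -L PREROUTING -n | grep ss_rules6_dst_bypass_all)" ]; then` around the restore, closed with `fi`. The function's closing brace is outside the hunk.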
@@ -279,14 +291,14 @@ v2ray_rules6_fw_drop() { while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/') if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "ip6tables -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + eval "$IP6TABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fi done fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' | while IFS=$"\n" read -r c; do fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/') if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then - eval "ip6tables -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" + eval "$IP6TABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null" fi done }
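Review bot: Only the evals were switched to `$IP6TABLES`; the existence checks on the lines just above them still run the bare `iptables-save`, which is both the wrong family (IPv4 dump for rules being added with ip6tables) and, on a host with the legacy binaries, the wrong backend, so the guard never sees the rule it is meant to dedup. Change both to `$IP6TABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep -F -- "${fwrule}"` (the single-quoted `'${fwrule}'` is a literal and never matches). The second eval also lacks `-w` and can fail silently when the xtables lock is held. v2ray_rules6_fw_drop starts outside the hunk.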