mirror of
https://github.com/Ysurac/openmptcprouter-feeds.git
synced 2025-02-13 11:01:50 +00:00
836 lines
28 KiB
Bash
Executable file
836 lines
28 KiB
Bash
Executable file
#!/bin/sh /etc/rc.common
|
||
# Copyright (C) 2018-2020 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
|
||
|
||
START=98
|
||
STOP=10
|
||
USE_PROCD=1
|
||
EXTRA_COMMANDS="reload_rules bypass_asn"
|
||
|
||
. /usr/lib/unbound/iptools.sh
|
||
|
||
_add_proto() {
|
||
protoname=$1
|
||
[ -z "$protoname" ] && return
|
||
if [ "$(dd if=/proc/net/xt_ndpi/proto bs=4096 2> /dev/null | grep $protoname)" = "" ]; then
|
||
echo "add_custom $protoname" >/proc/net/xt_ndpi/proto
|
||
fi
|
||
hosts="$( uci -q get omr-bypass.$protoname.url )"
|
||
for url in $hosts; do
|
||
echo "$protoname:$url" >/proc/net/xt_ndpi/host_proto
|
||
done
|
||
ip="$( uci -q get omr-bypass.$protoname.ip )"
|
||
for ip in $ips; do
|
||
echo "$protoname:$ip" >/proc/net/xt_ndpi/ip_proto
|
||
done
|
||
}
|
||
|
||
_bypass_ip() {
|
||
local ip=$1
|
||
local type=$2
|
||
[ -z "$type" ] && type="all"
|
||
valid_ip4=$( valid_subnet4 $ip)
|
||
valid_ip6=$( valid_subnet6 $ip)
|
||
if [ "$valid_ip4" = "ok" ]; then
|
||
ipset -q add omr_dst_bypass_$type $ip
|
||
elif [ "$valid_ip6" = "ok" ]; then
|
||
ipset -q add omr6_dst_bypass_$type $ip
|
||
fi
|
||
}
|
||
|
||
_bypass_domains() {
|
||
local domain
|
||
local intf
|
||
local enabled
|
||
config_get domain $1 name
|
||
config_get intf $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
[ -z "$domain" ] && return
|
||
if [ "$(echo $domain | grep '\.$')" != "" ] || [ "$(echo $domain | grep '\.\*$')" != "" ]; then
|
||
tlds=`curl --max-time 4 -s -k https://data.iana.org/TLD/tlds-alpha-by-domain.txt`
|
||
domain="$(echo '"$domain"' | sed 's:*::')"
|
||
domainlist=""
|
||
# construct list of domains to query
|
||
i=0
|
||
for tld in $tlds; do
|
||
i=$((i+1))
|
||
# trim off header
|
||
if [ "$i" -lt "12" ] || [ "$i" -gt "50" ]; then
|
||
continue
|
||
fi
|
||
# add to command
|
||
domainlist="${domainlist} ${domain}${tld}"
|
||
done
|
||
domainlist="$(echo $domainlist `# Get the list of valid domains, pass it to awk` \
|
||
| awk '{print tolower($0)}' `# awk lowercases the whole string and passes it to ` \
|
||
| xargs -n8 -P12 `# xargs sends 8 arguments at a time to` \
|
||
dig a +timeout=1 +tries=1 +retry=1 +nocmd +noall +answer `# dig, which passes results (if any) to` \
|
||
| awk '{print $1}' `# awk, which outputs queried domain to` \
|
||
| sed -e 's/.$//' `# sed, which trims off the trailing dot (google.com. -> google.com)` to \
|
||
| grep $domain `# grep, only keep wanted domain` \
|
||
| awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')" # deduplicate
|
||
for validdomain in $domainlist; do
|
||
_bypass_domain $validdomain $intf
|
||
done
|
||
else
|
||
_bypass_domain $domain $intf
|
||
fi
|
||
}
|
||
|
||
_bypass_domain() {
|
||
local domain=$1
|
||
local intf=$2
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ -n "$intf" ] && [ -z "$(ipset --list | grep omr_dst_bypass_$intf)" ] && return
|
||
[ -z "$intf" ] && intf="all"
|
||
if [ -n "$domain" ]; then
|
||
domain=$(echo $domain | sed 's:^\.::')
|
||
#logger -t "omr-bypass" "Get IPs of $domain..."
|
||
if [ -z $RELOAD ]; then
|
||
resolve=$(dig a +timeout=1 +tries=1 +nocmd +noall +answer $domain | grep -v CNAME | awk '{print $5}')
|
||
for ip in $resolve; do
|
||
_bypass_ip $ip $intf
|
||
done
|
||
if [ "$disableipv6" = "0" ]; then
|
||
resolve=$(dig aaaa +timeout=1 +tries=1 +nocmd +noall +answer $domain | grep AAAA | awk '{print $5}')
|
||
for ip in $resolve; do
|
||
_bypass_ip $ip $intf
|
||
done
|
||
fi
|
||
fi
|
||
if [ "$(uci -q get dhcp.@dnsmasq[0].ipset | grep /$domain/)" = "" ]; then
|
||
uci -q add_list dhcp.@dnsmasq[0].ipset="/$domain/omr_dst_bypass_$intf,omr6_dst_bypass_$intf"
|
||
add_domains="true"
|
||
else
|
||
dnsmasqipset=$(uci -q get dhcp.@dnsmasq[0].ipset | sed 's/ /\n/g')
|
||
for dnsipset in $dnsmasqipset; do
|
||
if [ "$(echo $dnsipset | cut -d/ -f2)" = "$domain" ]; then
|
||
uci -q del_list dhcp.@dnsmasq[0].ipset=$dnsipset
|
||
uci -q add_list dhcp.@dnsmasq[0].ipset="$dnsipset,omr_dst_bypass_$intf,omr6_dst_bypass_$intf"
|
||
add_domains="true"
|
||
fi
|
||
done
|
||
fi
|
||
#logger -t "omr-bypass" "Get IPs of $domain... Done"
|
||
fi
|
||
}
|
||
|
||
_bypass_mac() {
|
||
local mac
|
||
local intf
|
||
local enabled
|
||
config_get mac $1 mac
|
||
config_get intf $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ -n "$intf" ] && [ -z "$(ipset --list | grep omr_dst_bypass_$intf)" ] && return
|
||
local intfid="$(uci -q get omr-bypass.$intf.id)"
|
||
|
||
[ -z "$intf" ] && intf="all"
|
||
[ -z "$mac" ] && return
|
||
if [ "$intf" = "all" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 -m mac --mac-source $mac -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
else
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass -m mac --mac-source $mac -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 -m mac --mac-source $mac -j MARK --set-mark 0x6539$intfid
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_bypass_lan_ip() {
|
||
local ip
|
||
local intf
|
||
local enabled
|
||
config_get ip $1 ip
|
||
config_get intf $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ -n "$intf" ] && [ -z "$(ipset --list | grep omr_dst_bypass_$intf)" ] && return
|
||
local intfid="$(uci -q get omr-bypass.$intf.id)"
|
||
|
||
[ -z "$intf" ] && intf="all"
|
||
[ -z "$ip" ] && return
|
||
valid_ip4=$(valid_subnet4 $ip)
|
||
valid_ip6=$(valid_subnet6 $ip)
|
||
if [ "$intf" = "all" ]; then
|
||
if [ "$valid_ip4" = "ok" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass -s $ip -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local -s $ip -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
elif [ "$valid_ip6" = "ok" ] && [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 -s $ip -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
else
|
||
if [ "$valid_ip4" = "ok" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass -s $ip -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local -s $ip -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
elif [ "$valid_ip6" = "ok" ] && [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 -s $ip -j MARK --set-mark 0x6539$intfid
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_bypass_dest_port() {
|
||
local intf
|
||
local enabled
|
||
local dport
|
||
local proto
|
||
config_get dport $1 dport
|
||
config_get proto $1 proto
|
||
config_get intf $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ -n "$intf" ] && [ -z "$(ipset --list | grep omr_dst_bypass_$intf)" ] && return
|
||
local intfid="$(uci -q get omr-bypass.$intf.id)"
|
||
|
||
[ -z "$intf" ] && intf="all"
|
||
[ -z "$dport" ] && return
|
||
dport="$(echo $dport | sed 's/-/:/')"
|
||
[ -z "$proto" ] && return
|
||
if [ "$intf" = "all" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 --protocol $proto --destination-port $dport -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
else
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 --protocol $proto --destination-port $dport -j MARK --set-mark 0x6539$intfid
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_bypass_src_port() {
|
||
local intf
|
||
local enabled
|
||
local sport
|
||
local proto
|
||
config_get sport $1 sport
|
||
config_get proto $1 proto
|
||
config_get intf $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ -n "$intf" ] && [ -z "$(ipset --list | grep omr_dst_bypass_$intf)" ] && return
|
||
local intfid="$(uci -q get omr-bypass.$intf.id)"
|
||
|
||
[ -z "$intf" ] && intf="all"
|
||
[ -z "$sport" ] && return
|
||
sport="$(echo $sport | sed 's/-/:/')"
|
||
[ -z "$proto" ] && return
|
||
if [ "$intf" = "all" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 --protocol $proto --source-port $sport -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
else
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 --protocol $proto --source-port $sport -j MARK --set-mark 0x6539$intfid
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_bypass_proto() {
|
||
local proto
|
||
local intf
|
||
local enabled
|
||
config_get proto $1 proto
|
||
config_get intf $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ -n "$intf" ] && [ -z "$(ipset --list | grep omr_dst_bypass_$intf)" ] && return
|
||
local intfid="$(uci -q get omr-bypass.$intf.id)"
|
||
|
||
[ -z "$intf" ] && intf="all"
|
||
[ -z "$proto" ] && return
|
||
if [ "$(uci -q get openmptcprouter.settings.ndpi)" != "0" ]; then
|
||
if [ "$intf" = "all" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-dpi -m ndpi --proto $proto -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6-dpi -m ndpi --proto $proto -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
else
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-dpi -m ndpi --proto $proto -j MARK --set-mark 0x539$intfid
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6-dpi -m ndpi --proto $proto -j MARK --set-mark 0x6539$intfid
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
fi
|
||
# Use dnsmasq ipset to bypass domains of the proto
|
||
local domains
|
||
domains="$(cat /proc/net/xt_ndpi/host_proto | grep -i $proto: | sed -e "s/$proto://i" -e 's/*//' -e 's/,/ /g')"
|
||
if [ -n "$domains" ]; then
|
||
tlds=`curl --max-time 4 -s -k https://data.iana.org/TLD/tlds-alpha-by-domain.txt`
|
||
for domain in $domains; do
|
||
if [ -n "$domain" ]; then
|
||
domain="$(echo $domain | sed 's/^\.//')"
|
||
if [ "$(echo $domain | grep '\.$')" != "" ]; then
|
||
domainlist=""
|
||
# construct list of domains to query
|
||
i=0
|
||
for tld in $tlds; do
|
||
i=$((i+1))
|
||
# trim off header
|
||
if [ "$i" -lt "12" ] || [ "$i" -gt "50" ]; then
|
||
continue
|
||
fi
|
||
# add to command
|
||
domainlist="${domainlist} ${domain}${tld}"
|
||
done
|
||
domainlist="$(echo $domainlist `# Get the list of valid domains, pass it to awk` \
|
||
| awk '{print tolower($0)}' `# awk lowercases the whole string and passes it to ` \
|
||
| xargs -n8 -P12 `# xargs sends 8 arguments at a time to` \
|
||
dig a +timeout=1 +tries=1 +retry=1 +nocmd +noall +answer `# dig, which passes results (if any) to` \
|
||
| awk '{print $1}' `# awk, which outputs queried domain to` \
|
||
| sed -e 's/.$//' `# sed, which trims off the trailing dot (google.com. -> google.com)` to \
|
||
| grep $domain `# grep, only keep wanted domain` \
|
||
| awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')" # deduplicate
|
||
for validdomain in $domainlist; do
|
||
_bypass_domain $validdomain $intf
|
||
done
|
||
else
|
||
_bypass_domain $domain $intf
|
||
fi
|
||
fi
|
||
done
|
||
fi
|
||
}
|
||
|
||
_intf_rule_ss_rules() {
|
||
rule_name=$1
|
||
[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
||
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_dst)" != "" ] && [ "$(iptables-save | grep ssr_${rule_name}_dst | grep omr_dst_bypass_$intf)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I ssr_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_local_out)" != "" ] && [ "$(iptables-save | grep ssr_${rule_name}_local_out | grep omr_dst_bypass_$intf)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I ssr_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I ssr_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables-save | grep ssr_${rule_name}_pre_src | grep omr_dst_bypass_$intf)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I ssr_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I ssr_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$disableipv6" = "0" ]; then
|
||
if [ "$(ip6tables --wait=40 -t mangle -L -n | grep omr6_dst_bypass_$intf)" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$(ip6tables --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables-save | grep ssr6 | grep omr6_dst_bypass_$intf)" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
-I ssr6_${rule_name}_dst 2 -m mark --mark 0x6539$count -j RETURN
|
||
-I ssr6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
-I ssr6_${rule_name}_local_out 2 -m mark --mark 0x6539$count -j RETURN
|
||
-I ssr6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
-I ssr6_${rule_name}_pre_src 2 -m mark --mark 0x6539$count -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_intf_rule_v2ray_rules() {
|
||
#rule_name=$1
|
||
#[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
||
rule_name="def"
|
||
if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$(iptables-save | grep v2r | grep omr_dst_bypass_$intf)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I v2r_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I v2r_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN
|
||
-I v2r_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I v2r_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
|
||
-I v2r_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I v2r_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$disableipv6" = "0" ]; then
|
||
if [ "$(ip6tables-save | grep omr-bypass6 | grep omr6_dst_bypass_$intf)" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$(ip6tables --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables-save | grep v2r6 | grep omr6_dst_bypass_$intf)" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I v2r6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
-I v2r6_${rule_name}_dst 2 -m mark --mark 0x6539$count -j RETURN
|
||
-I v2r6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
-I v2r6_${rule_name}_local_out 2 -m mark --mark 0x6539$count -j RETURN
|
||
-I v2r6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||
-I v2r6_${rule_name}_pre_src 2 -m mark --mark 0x6539$count -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_intf_rule() {
|
||
local intf
|
||
intf=$(ifstatus "$1" | jsonfilter -q -e '@["l3_device"]')
|
||
[ -n "$(echo $intf | grep '@')" ] && intf=$(ifstatus "$1" | jsonfilter -q -e '@["device"]')
|
||
[ -z "$intf" ] && config_get intf $1 device
|
||
#count=$((count+1))
|
||
config_get count $1 metric
|
||
local mode
|
||
#config_get mode $1 multipath "off"
|
||
#[ "$mode" = "off" ] && return
|
||
[ -z "$count" ] && return
|
||
[ -z "$intf" ] && return
|
||
intf=$(echo $intf | sed -e 's/\./_/')
|
||
[ "$(echo $1 | grep _dev)" != "" ] && return
|
||
[ -z "$RELOAD" ] || [ "$(ipset --list | grep omr_dst_bypass_$intf)" = "" ] && {
|
||
unset RELOAD
|
||
ipset -q flush omr_dst_bypass_$intf > /dev/null 2>&1
|
||
ipset -q flush omr6_dst_bypass_$intf > /dev/null 2>&1
|
||
ipset -q --exist restore <<-EOF
|
||
create omr_dst_bypass_$intf hash:net hashsize 64
|
||
create omr6_dst_bypass_$intf hash:net family inet6 hashsize 64
|
||
EOF
|
||
if [ "$(uci -q get openmptcprouter.settings.uci_rules)" = "1" ]; then
|
||
uci -q batch <<-EOF >/dev/null
|
||
delete network.${1}_fw_rule=rule
|
||
set network.${1}_fw_rule=rule
|
||
set network.${1}_fw_rule.priority=1
|
||
set network.${1}_fw_rule.mark=0x539${count}
|
||
set network.${1}_fw_rule.lookup=${count}
|
||
delete network.${1}_fw_rule6=rule6
|
||
set network.${1}_fw_rule6=rule6
|
||
set network.${1}_fw_rule6.priority=1
|
||
set network.${1}_fw_rule6.mark=0x6539${count}
|
||
set network.${1}_fw_rule6.lookup=${count}
|
||
commit network
|
||
EOF
|
||
else
|
||
ip rule add prio 1 fwmark 0x539$count lookup $count pref 1 > /dev/null 2>&1
|
||
ip -6 rule add prio 1 fwmark 0x6539$count lookup 6$count > /dev/null 2>&1
|
||
fi
|
||
}
|
||
if [ "$(iptables-save | grep omr-bypass | grep omr_dst_bypass_$intf)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-I omr-bypass 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
-I omr-bypass-local 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
config_load shadowsocks-libev
|
||
config_foreach _intf_rule_ss_rules ss_rules
|
||
_intf_rule_v2ray_rules
|
||
|
||
uci -q set omr-bypass.$intf=interface
|
||
uci -q set omr-bypass.$intf.id=$count
|
||
}
|
||
|
||
_bypass_ip_set() {
|
||
local ip
|
||
local interface
|
||
local enabled
|
||
config_get ip $1 ip
|
||
config_get interface $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
_bypass_ip $ip $interface
|
||
}
|
||
|
||
_bypass_asn() {
|
||
local asn
|
||
local interface
|
||
local enabled
|
||
config_get asn $1 asn
|
||
config_get interface $1 interface
|
||
config_get enabled $1 enabled
|
||
[ "$enabled" = "0" ] && return
|
||
local asnips
|
||
asnips=`curl --max-time 4 -s -k https://stat.ripe.net/data/announced-prefixes/data.json?resource=${asn} | jsonfilter -q -e '@.data.prefixes.*.prefix'`
|
||
for ip in $asnips; do
|
||
_bypass_ip $ip $interface
|
||
done
|
||
|
||
}
|
||
|
||
bypass_asn() {
|
||
config_load omr-bypass
|
||
config_foreach _bypass_asn asns
|
||
}
|
||
|
||
_bypass_omr_server() {
|
||
local ip
|
||
config_get ip $1 ip
|
||
_bypass_ip $ip
|
||
}
|
||
|
||
|
||
_ss_rules_config() {
|
||
rule_name=$1
|
||
[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
||
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
-I ssr_${rule_name}_dst 1 -m mark --mark 0x539 -j RETURN
|
||
-I ssr_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
-I ssr_${rule_name}_local_out 2 -m mark --mark 0x539 -j RETURN
|
||
-I ssr_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
-I ssr_${rule_name}_pre_src 2 -m mark --mark 0x539 -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$disableipv6" = "0" ]; then
|
||
if [ "$(ip6tables --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$(ip6tables --wait=40 -t nat -L -n | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
-I ssr6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN
|
||
-I ssr6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
-I ssr6_${rule_name}_local_out 2 -m mark --mark 0x6539 -j RETURN
|
||
-I ssr6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
-I ssr6_${rule_name}_pre_src 2 -m mark --mark 0x6539 -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
_v2ray_rules_config() {
|
||
#rule_name=$1
|
||
#[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
||
rule_name="def"
|
||
if [ "$(iptables --wait=40 -t nat -L -n | grep v2r_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I v2r_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
-I v2r_${rule_name}_dst 1 -m mark --mark 0x539 -j RETURN
|
||
-I v2r_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
-I v2r_${rule_name}_local_out 2 -m mark --mark 0x539 -j RETURN
|
||
-I v2r_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
-I v2r_${rule_name}_pre_src 2 -m mark --mark 0x539 -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$disableipv6" = "0" ]; then
|
||
if [ "$(ip6tables --wait=40 -t mangle -L -n | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
if [ "$(ip6tables --wait=40 -t nat -L -n | grep v2r6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L -n | grep omr6_dst_bypass_all)" = "" ]; then
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*nat
|
||
-I v2r6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
-I v2r6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN
|
||
-I v2r6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
-I v2r6_${rule_name}_local_out 2 -m mark --mark 0x6539 -j RETURN
|
||
-I v2r6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||
-I v2r6_${rule_name}_pre_src 2 -m mark --mark 0x6539 -j RETURN
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
fi
|
||
}
|
||
|
||
boot() {
|
||
BOOT=1
|
||
start "$@"
|
||
}
|
||
|
||
start_service() {
|
||
#local count
|
||
logger -t "omr-bypass" "Starting OMR-ByPass..."
|
||
add_domains="false"
|
||
config_load omr-bypass
|
||
config_foreach _add_proto proto
|
||
disableipv6="$(uci -q get openmptcprouter.settings.disable_ipv6)"
|
||
|
||
[ -n "$RELOAD" ] && [ "$(ipset --list | grep omr_dst_bypass_all)" = "" ] && {
|
||
unset RELOAD
|
||
}
|
||
[ -z "$RELOAD" ] && {
|
||
ipset -q flush omr_dst_bypass_all > /dev/null 2>&1
|
||
ipset -q flush omr6_dst_bypass_all > /dev/null 2>&1
|
||
ipset -q --exist restore <<-EOF
|
||
create omr_dst_bypass_all hash:net hashsize 64
|
||
create omr6_dst_bypass_all hash:net family inet6 hashsize 64
|
||
EOF
|
||
}
|
||
iptables-save --counters | grep -v omr-bypass | iptables-restore -w --counters
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
:omr-bypass -
|
||
-I PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
:omr-bypass-local -
|
||
-I OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-save --counters | grep -v omr-bypass6 | ip6tables-restore -w --counters
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
:omr-bypass6 -
|
||
-I PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass6
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
|
||
config_load network
|
||
config_foreach _intf_rule interface
|
||
local ndpi_rules=""
|
||
if [ "$(uci -q get openmptcprouter.settings.bypass_servers)" = "1" ]; then
|
||
config_load openmptcprouter
|
||
config_foreach _bypass_omr_server server
|
||
fi
|
||
config_load omr-bypass
|
||
config_foreach _bypass_ip_set ips
|
||
config_foreach _bypass_mac macs
|
||
config_foreach _bypass_lan_ip lan_ip
|
||
config_foreach _bypass_dest_port dest_port
|
||
config_foreach _bypass_src_port src_port
|
||
config_foreach _bypass_asn asns
|
||
dnsmasqipset=$(uci -q get dhcp.@dnsmasq[0].ipset | sed 's/ /\n/g' | grep -v dst_bypass)
|
||
uci -q delete dhcp.@dnsmasq[0].ipset
|
||
if [ -n "$dnsmasqipset" ]; then
|
||
for dnsipset in $dnsmasqipset; do
|
||
ipsets=""
|
||
allipsets=$(echo $dnsipset | cut -d/ -f3 | sed 's/,/\n/g')
|
||
for ipset in $allipsets; do
|
||
[ "$(echo $ipset | grep -v dst_bypass)" != "" ] && {
|
||
[ "$ipsets" != "" ] && ipsets="$ipsets,$ipset"
|
||
[ "$ipsets" = "" ] && ipsets="$ipset"
|
||
}
|
||
done
|
||
if [ "$ipsets" != "" ]; then
|
||
resultipset="/$(echo $dnsipset | cut -d/ -f2)/$ipsets"
|
||
[ -n "$resultipset" ] && uci -q add_list dhcp.@dnsmasq[0].ipset=$resultipset
|
||
fi
|
||
done
|
||
fi
|
||
config_foreach _bypass_domains domains
|
||
uci -q commit dhcp
|
||
|
||
ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
|
||
ip -6 rule add prio 1 fwmark 0x6539 lookup 6991337 > /dev/null 2>&1
|
||
|
||
if [ "$(iptables --wait=40 -t mangle -L -n | grep 'match-set omr_dst_bypass_all dst MARK set')" = "" ]; then
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
-A omr-bypass-local -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
|
||
config_load shadowsocks-libev
|
||
config_foreach _ss_rules_config
|
||
_v2ray_rules_config
|
||
|
||
iptables-save --counters | grep -v omr-bypass-dpi | iptables-restore -w --counters
|
||
iptables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
:omr-bypass-dpi -
|
||
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass-dpi
|
||
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-dpi
|
||
-A POSTROUTING -m addrtype --dst-type LOCAL -j omr-bypass-dpi
|
||
COMMIT
|
||
EOF
|
||
if [ "$disableipv6" = "0" ]; then
|
||
ip6tables-save --counters | grep -v omr-bypass6-dpi | ip6tables-restore -w --counters
|
||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||
*mangle
|
||
:omr-bypass6-dpi -
|
||
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass6-dpi
|
||
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass6-dpi
|
||
-A POSTROUTING -m addrtype --dst-type LOCAL -j omr-bypass6-dpi
|
||
COMMIT
|
||
EOF
|
||
fi
|
||
config_load omr-bypass
|
||
config_foreach _bypass_proto dpis
|
||
uci -q commit omr-bypass
|
||
|
||
[ -z "$RELOAD" ] && [ "$add_domains" = "true" ] && {
|
||
logger -t "omr-bypass" "Restart dnsmasq..."
|
||
/etc/init.d/dnsmasq restart
|
||
}
|
||
[ -n "$RELOAD" ] && [ "$add_domains" = "true" ] && {
|
||
logger -t "omr-bypass" "Reload dnsmasq..."
|
||
/etc/init.d/dnsmasq reload
|
||
}
|
||
logger -t "omr-bypass" "OMR-ByPass is running"
|
||
}
|
||
|
||
stop_service() {
|
||
iptables-save --counters | grep -v omr-bypass | iptables-restore -w --counters
|
||
iptables-save --counters | grep -v omr_dst | iptables-restore -w --counters
|
||
ip6tables-save --counters | grep -v omr-bypass6 | ip6tables-restore -w --counters
|
||
ip6tables-save --counters | grep -v omr6_dst | ip6tables-restore -w --counters
|
||
for setname in $(ipset -n list | grep "omr_"); do
|
||
ipset -q destroy "$setname" 2>/dev/null || true
|
||
done
|
||
}
|
||
|
||
service_triggers() {
|
||
procd_add_reload_trigger omr-bypass network firewall
|
||
}
|
||
|
||
reload_service() {
|
||
start
|
||
}
|
||
|
||
reload_rules() {
|
||
[ "$( ipset -n list | grep omr_ )" = "" ] && return 0
|
||
RELOAD=1
|
||
start
|
||
}
|