~统一缩进
This commit is contained in:
juewuy
@@ -5,24 +5,24 @@ RESERVED_IP=$(echo $reserve_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
RESERVED_IP6=$(echo "$reserve_ipv6 $host_ipv6" | sed 's/[[:space:]]\+/, /g')
|
||||
|
||||
add_ip6_route(){
|
||||
#过滤保留地址及本机地址
|
||||
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
|
||||
#仅代理本机局域网网段流量
|
||||
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
|
||||
#绕过CN_IPV6
|
||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "ON" -a -f "$BINDIR"/cn_ipv6.txt ] && {
|
||||
CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
|
||||
[ -n "$CN_IP6" ] && {
|
||||
nft add set inet shellcrash cn_ip6 { type ipv6_addr \; flags interval \; }
|
||||
nft add element inet shellcrash cn_ip6 { $CN_IP6 }
|
||||
nft add rule inet shellcrash $1 ip6 daddr @cn_ip6 return
|
||||
}
|
||||
}
|
||||
#过滤保留地址及本机地址
|
||||
nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return
|
||||
#仅代理本机局域网网段流量
|
||||
nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return
|
||||
#绕过CN_IPV6
|
||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "ON" -a -f "$BINDIR"/cn_ipv6.txt ] && {
|
||||
CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt)
|
||||
[ -n "$CN_IP6" ] && {
|
||||
nft add set inet shellcrash cn_ip6 { type ipv6_addr \; flags interval \; }
|
||||
nft add element inet shellcrash cn_ip6 { $CN_IP6 }
|
||||
nft add rule inet shellcrash $1 ip6 daddr @cn_ip6 return
|
||||
}
|
||||
}
|
||||
}
|
||||
start_nft_route() { #nftables-route通用工具
|
||||
#$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150)
|
||||
[ "$common_ports" = "ON" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
|
||||
[ "$1" = 'prerouting' ] && HOST_IP=$(echo $host_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
[ "$1" = 'prerouting' ] && HOST_IP=$(echo $host_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/[[:space:]]\+/, /g')"
|
||||
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/[[:space:]]\+/, /g')"
|
||||
#添加新链
|
||||
@@ -39,9 +39,9 @@ start_nft_route() { #nftables-route通用工具
|
||||
#过滤常用端口
|
||||
[ -n "$PORTS" ] && {
|
||||
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} tcp dport != {$PORTS} return
|
||||
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return
|
||||
nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return
|
||||
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return
|
||||
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return
|
||||
nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return
|
||||
}
|
||||
#nft add rule inet shellcrash $1 ip saddr 28.0.0.0/8 return
|
||||
nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
|
||||
@@ -76,23 +76,23 @@ start_nft_route() { #nftables-route通用工具
|
||||
[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "ON" -a -f "$BINDIR"/cn_ip.txt ] && {
|
||||
CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
|
||||
[ -n "$CN_IP" ] && {
|
||||
nft add set inet shellcrash cn_ip { type ipv4_addr \; flags interval \; }
|
||||
nft add element inet shellcrash cn_ip { $CN_IP }
|
||||
nft add rule inet shellcrash $1 ip daddr @cn_ip return
|
||||
}
|
||||
}
|
||||
nft add set inet shellcrash cn_ip { type ipv4_addr \; flags interval \; }
|
||||
nft add element inet shellcrash cn_ip { $CN_IP }
|
||||
nft add rule inet shellcrash $1 ip daddr @cn_ip return
|
||||
}
|
||||
}
|
||||
#局域网ipv6支持
|
||||
if [ "$ipv6_redir" = "ON" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then
|
||||
HOST_IP6=$(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')
|
||||
HOST_IP6=$(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')
|
||||
add_ip6_route "$1"
|
||||
elif [ "$ipv6_redir" = "ON" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then
|
||||
HOST_IP6="::1, $(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')"
|
||||
add_ip6_route "$1"
|
||||
add_ip6_route "$1"
|
||||
else
|
||||
nft add rule inet shellcrash $1 meta nfproto ipv6 return
|
||||
fi
|
||||
#屏蔽quic
|
||||
[ "$quic_rj" = 'ON' -a "$lan_proxy" = true ] && nft add rule inet shellcrash $1 udp dport {443, 8443} return
|
||||
#屏蔽quic
|
||||
[ "$quic_rj" = 'ON' -a "$lan_proxy" = true ] && nft add rule inet shellcrash $1 udp dport {443, 8443} return
|
||||
#添加通用路由
|
||||
nft add rule inet shellcrash "$1" "$JUMP"
|
||||
#处理特殊路由
|
||||
@@ -104,10 +104,10 @@ start_nft_route() { #nftables-route通用工具
|
||||
#nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
|
||||
}
|
||||
start_nft_dns() { #nftables-dns
|
||||
[ "$1" = 'prerouting' ] && {
|
||||
HOST_IP=$(echo $host_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
HOST_IP6=$(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')
|
||||
}
|
||||
[ "$1" = 'prerouting' ] && {
|
||||
HOST_IP=$(echo $host_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
HOST_IP6=$(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')
|
||||
}
|
||||
[ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/[[:space:]]\+/, /g')"
|
||||
[ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/[[:space:]]\+/, /g')"
|
||||
nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; }
|
||||
@@ -133,26 +133,26 @@ start_nft_dns() { #nftables-dns
|
||||
nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to "$dns_redir_port"
|
||||
}
|
||||
start_nft_wan() { #nftables公网防火墙
|
||||
HOST_IP=$(echo $host_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
HOST_IP6=$(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')
|
||||
HOST_IP=$(echo $host_ipv4 | sed 's/[[:space:]]\+/, /g')
|
||||
HOST_IP6=$(echo $host_ipv6 | sed 's/[[:space:]]\+/, /g')
|
||||
nft add chain inet shellcrash input { type filter hook input priority -100 \; }
|
||||
nft add rule inet shellcrash input iif lo accept #本机请求全放行
|
||||
#端口放行
|
||||
[ -f "$CRASHDIR"/configs/gateway.cfg ] && . "$CRASHDIR"/configs/gateway.cfg
|
||||
accept_ports=$(echo "$fw_wan_ports,$vms_port,$sss_port" | sed "s/,,/,/g ;s/^,// ;s/,$// ;s/,/, /")
|
||||
#端口放行
|
||||
[ -f "$CRASHDIR"/configs/gateway.cfg ] && . "$CRASHDIR"/configs/gateway.cfg
|
||||
accept_ports=$(echo "$fw_wan_ports,$vms_port,$sss_port" | sed "s/,,/,/g ;s/^,// ;s/,$// ;s/,/, /")
|
||||
[ -n "$accept_ports" ] && {
|
||||
fw_wan_nfports="{ $(echo "$accept_ports" | sed 's/,/, /g') }"
|
||||
nft add rule inet shellcrash input tcp dport $fw_wan_nfports meta mark set 0x67890 accept
|
||||
nft add rule inet shellcrash input udp dport $fw_wan_nfports meta mark set 0x67890 accept
|
||||
}
|
||||
#端口拦截
|
||||
reject_ports="{ $mix_port, $db_port }"
|
||||
nft add rule inet shellcrash input ip saddr {$HOST_IP} accept
|
||||
nft add rule inet shellcrash input ip6 saddr {$HOST_IP6} accept
|
||||
nft add rule inet shellcrash input tcp dport $reject_ports reject
|
||||
nft add rule inet shellcrash input udp dport $reject_ports reject
|
||||
#fw4特殊处理
|
||||
nft list chain inet fw4 input >/dev/null 2>&1 && \
|
||||
fw_wan_nfports="{ $(echo "$accept_ports" | sed 's/,/, /g') }"
|
||||
nft add rule inet shellcrash input tcp dport $fw_wan_nfports meta mark set 0x67890 accept
|
||||
nft add rule inet shellcrash input udp dport $fw_wan_nfports meta mark set 0x67890 accept
|
||||
}
|
||||
#端口拦截
|
||||
reject_ports="{ $mix_port, $db_port }"
|
||||
nft add rule inet shellcrash input ip saddr {$HOST_IP} accept
|
||||
nft add rule inet shellcrash input ip6 saddr {$HOST_IP6} accept
|
||||
nft add rule inet shellcrash input tcp dport $reject_ports reject
|
||||
nft add rule inet shellcrash input udp dport $reject_ports reject
|
||||
#fw4特殊处理
|
||||
nft list chain inet fw4 input >/dev/null 2>&1 && \
|
||||
nft list chain inet fw4 input | grep -q '67890' || \
|
||||
nft insert rule inet fw4 input meta mark 0x67890 accept 2>/dev/null
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user