1 #!/bin/sh /etc/rc.common
2 # Copyright 2020-2022 Stan Grishin (stangri@melmac.ca)
3 # shellcheck disable=SC1091,SC2018,SC2019,SC3043,SC3057,SC3060
5 # sysctl net.ipv4.conf.default.rp_filter=1
6 # sysctl net.ipv4.conf.all.rp_filter=1
8 # shellcheck disable=SC2034
10 # shellcheck disable=SC2034
13 if type extra_command
>/dev
/null
2>&1; then
14 extra_command
'status' "Generates output required to troubleshoot routing issues
15 Use '-d' option for more detailed output
16 Use '-p' option to automatically upload data under VPR paste.ee account
17 WARNING: while paste.ee uploads are unlisted, they are still publicly available
18 List domain names after options to include their lookup in report"
19 extra_command
'version' 'Show version information'
20 extra_command
'on_firewall_reload' ' Run service on firewall reload'
21 extra_command
'on_interface_reload' ' Run service on indicated interface reload'
23 # shellcheck disable=SC2034
24 EXTRA_COMMANDS
='on_firewall_reload on_interface_reload status version'
25 # shellcheck disable=SC2034
26 EXTRA_HELP
=" status Generates output required to troubleshoot routing issues
27 Use '-d' option for more detailed output
28 Use '-p' option to automatically upload data under VPR paste.ee account
29 WARNING: while paste.ee uploads are unlisted, they are still publicly available
30 List domain names after options to include their lookup in report"
33 readonly PKG_VERSION
='dev-test'
34 readonly packageName
='pbr'
35 readonly serviceName
="$packageName $PKG_VERSION"
36 readonly serviceTrapSignals
='exit SIGHUP SIGQUIT SIGKILL'
37 readonly packageConfigFile
="/etc/config/${packageName}"
38 readonly nftTempFile
="/var/run/${packageName}.nft"
39 #readonly nftPermFile="/etc/nftables.d/table-post/30-pbr.nft"
40 readonly dnsmasqFile
="/var/dnsmasq.d/${packageName}"
41 readonly sharedMemoryOutput
="/dev/shm/$packageName-output"
42 readonly _OK_
='\033[0;32m\xe2\x9c\x93\033[0m'
43 readonly _FAIL_
='\033[0;31m\xe2\x9c\x97\033[0m'
44 readonly __OK__
='\033[0;32m[\xe2\x9c\x93]\033[0m'
45 readonly __FAIL__
='\033[0;31m[\xe2\x9c\x97]\033[0m'
46 readonly _ERROR_
='\033[0;31mERROR\033[0m'
47 readonly _WARNING_
='\033[0;33mWARNING\033[0m'
48 readonly ip_full
='/usr/libexec/ip-full'
49 readonly ipTablePrefix
='pbr'
50 # shellcheck disable=SC2155
51 readonly iptables
="$(command -v iptables)"
52 # shellcheck disable=SC2155
53 readonly ip6tables
="$(command -v ip6tables)"
54 # shellcheck disable=SC2155
55 readonly ipset
="$(command -v ipset)"
56 readonly ipsPrefix
='pbr'
57 readonly iptPrefix
='PBR'
58 # shellcheck disable=SC2155
59 readonly agh
="$(command -v AdGuardHome)"
60 readonly aghConfigFile
='/etc/adguardhome.yaml'
61 readonly aghIpsetFile
="/var/run/${packageName}.adguardhome.ipsets"
62 # shellcheck disable=SC2155
63 readonly nft
="$(command -v nft)"
64 readonly nftTable
="fw4"
65 readonly nftPrefix
='pbr'
66 readonly chainsList
='forward input output postrouting prerouting'
68 # package config options
83 wan_ip_rules_priority
=
101 processPolicyWarning
=
102 resolver_set_supported
=
110 errorConfigValidation
) r
="Config ($packageConfigFile) validation failure!";;
111 errorNoIpFull
) r
="ip-full binary cannot be found!";;
112 errorNoIptables
) r
="iptables binary cannot be found!";;
113 errorNoIpset
) r
="Resolver set support (${resolver_set}) requires ipset, but ipset binary cannot be found!";;
114 errorNoNft
) r
="Resolver set support (${resolver_set}) requires nftables, but nft binary cannot be found!";;
115 errorResolverNotSupported
) r
="Resolver set (${resolver_set}) is not supported on this system!";;
116 errorServiceDisabled
) r
="The ${packageName} service is currently disabled!";;
117 errorNoWanGateway
) r
="The ${serviceName} service failed to discover WAN gateway!";;
118 errorIpsetNameTooLong
) r
="The ipset name '%s' is longer than allowed 31 characters!";;
119 errorNftsetNameTooLong
) r
="The nft set name '%s' is longer than allowed 31 characters!";;
120 errorUnexpectedExit
) r
="Unexpected exit or service termination: '%s'!";;
121 errorPolicyNoSrcDest
) r
="Policy '%s' has no source/destination parameters!";;
122 errorPolicyNoInterface
) r
="Policy '%s' has no assigned interface!";;
123 errorPolicyUnknownInterface
) r
="Policy '%s' has an unknown interface!";;
124 errorPolicyProcess
) r
="%s";;
125 errorFailedSetup
) r
="Failed to set up '%s'!";;
126 errorFailedReload
) r
="Failed to reload '%s'!";;
127 errorUserFileNotFound
) r
="Custom user file '%s' not found or empty!";;
128 ererrorUserFileSyntax
) r
="Syntax error in custom user file '%s'!";;
129 errorUserFileRunning
) r
="Error running custom user file '%s'!";;
130 errorUserFileNoCurl
) r
="Use of 'curl' is detected in custom user file '%s', but 'curl' isn't installed!";;
131 errorNoGateways
) r
="Failed to set up any gateway!";;
132 warningResolverNotSupported
) r
="Resolver set (${resolver_set}) is not supported on this system.";;
133 warningAGHVersionTooLow
) r
="Installed AdGuardHome (%s) doesn't support 'ipset_file' option.";;
134 warningPolicyProcess
) r
="%s";;
139 version
() { echo "$PKG_VERSION"; }
140 output_ok
() { output
1 "$_OK_"; output
2 "$__OK__\\n"; }
141 output_okn
() { output
1 "$_OK_\\n"; output
2 "$__OK__\\n"; }
142 output_fail
() { s
=1; output
1 "$_FAIL_"; output
2 "$__FAIL__\\n"; }
143 output_failn
() { output
1 "$_FAIL_\\n"; output
2 "$__FAIL__\\n"; }
144 str_replace
() { printf "%b" "$1" |
sed -e "s/$(printf "%b
" "$2")/$(printf "%b
" "$3")/g"; }
145 str_replace
() { echo "${1//$2/$3}"; }
146 str_contains
() { [ -n "$1" ] &&[ -n "$2" ] && [ "${1//$2}" != "$1" ]; }
147 is_greater
() { test "$(printf '%s\n' "$@
" | sort -V | head -n 1)" != "$1"; }
148 is_greater_or_equal
() { test "$(printf '%s\n' "$@
" | sort -V | head -n 1)" = "$2"; }
149 str_contains_word
() { echo "$1" |
grep -q -w "$2"; }
150 str_to_lower
() { echo "$1" |
tr 'A-Z' 'a-z'; }
151 str_to_upper
() { echo "$1" |
tr 'a-z' 'A-Z'; }
152 str_extras_to_underscore
() { echo "$1" |
tr '[\. ~`!@#$%^&*()\+/,<>?//;:]' '_'; }
153 str_extras_to_space
() { echo "$1" |
tr ';{}' ' '; }
154 debug
() { local i j
; for i
in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; }
156 # Can take a single parameter (text) to be output at any verbosity
157 # Or target verbosity level and text to be output at specifc verbosity
158 local msg memmsg logmsg
159 verbosity="${verbosity:-2}"
160 if [ "$#" -ne 1 ]; then
161 if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
163 [ -t 1 ] && printf "%b
" "$1"
164 msg="${1//$serviceName /service }";
165 if [ "$
(printf "%b" "$msg" |
wc -l)" -gt 0 ]; then
166 [ -s "$sharedMemoryOutput" ] && memmsg="$
(cat "$sharedMemoryOutput")"
167 logmsg="$
(printf "%b" "${memmsg}${msg}" |
sed 's/\x1b\[[0-9;]*m//g')"
168 logger -t "${packageName:-service}" "$
(printf "%b" "$logmsg")"
169 rm -f "$sharedMemoryOutput"
171 printf "%b
" "$msg" >> "$sharedMemoryOutput"
174 is_present() { command -v "$1" >/dev/null 2>&1; }
175 is_installed() { [ -s "/usr
/lib
/opkg
/info
/${1}.control
" ]; }
176 is_variant_installed() { [ "$
(echo /usr
/lib
/opkg
/info
/"${1}"*.control)" != "/usr/lib/opkg/info/${1}*.control" ]; }
177 is_nft() { [ -x "$nft" ] && ! str_contains "$resolver_set" 'ipset' && "$nft" list chains inet | grep -q "${nftPrefix}_prerouting
"; }
178 _build_ifaces_all() { ifacesAll="${ifacesAll}${1} "; }
179 _build_ifaces_supported
() { is_supported_interface
"$1" && ifacesSupported
="${ifacesSupported}${1} "; }
181 local iface i param="$2"
182 [ "$param" = 'wan6' ] || param='wan'
183 "network_find_
${param}" iface
184 is_tunnel "$iface" && unset iface
185 if [ -z "$iface" ]; then
186 for i in $ifacesAll; do
187 if "is_
${param}" "$i"; then break; else unset i; fi
190 eval "$1"='${iface:-$i}'
193 local iface="$2" dev="$3" gw
194 network_get_gateway gw "$iface" true
195 # if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then
196 # gw="$
(ubus call
"network.interface.${iface}" status | jsonfilter
-e "@.route[0].nexthop")"
198 if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then
199 gw="$
($ip_full -4 a list dev
"$dev" 2>/dev
/null |
grep inet |
awk '{print $2}' |
awk -F "/" '{print $1}')"
204 local iface="$2" dev="$3" gw
205 network_get_gateway6 gw "$iface" true
206 if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then
207 gw="$
($ip_full -6 a list dev
"$dev" 2>/dev
/null |
grep inet6 |
awk '{print $2}')"
211 is_dslite() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:6}" = "dslite
" ]; }
212 is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp
" ]; }
213 is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect
" ]; }
214 is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
215 is_pptp
() { local proto
; proto
=$
(uci
-q get network.
"$1".proto
); [ "${proto:0:4}" = "pptp" ]; }
216 is_softether
() { local dev
; network_get_device dev
"$1"; [ "${dev:0:4}" = "vpn_" ]; }
217 is_tor
() { [ "$(str_to_lower "$1")" = "tor" ]; }
220 if [ -s "/etc/tor/torrc" ]; then
221 json_load
"$(ubus call service list "{ 'name': 'tor' }")"
222 json_select
'tor'; json_select
'instances'; json_select
'instance1';
223 json_get_var ret
'running'; json_cleanup
225 if [ "$ret" = "0" ]; then return 1; else return 0; fi
227 is_wg
() { local proto
; proto
=$
(uci
-q get network.
"$1".proto
); [ "${proto:0:9}" = "wireguard" ]; }
228 is_tunnel
() { is_dslite
"$1" || is_l2tp
"$1" || is_oc
"$1" || is_ovpn
"$1" || is_pptp
"$1" || is_softether
"$1" || is_tor
"$1" || is_wg
"$1"; }
229 is_wan
() { [ "$1" = "$wanIface4" ] ||
{ [ "${1##wan}" != "$1" ] && [ "${1##wan6}" = "$1" ]; } || [ "${1%%wan}" != "$1" ]; }
230 is_wan6() { [ -n "$wanIface6" ] && [ "$1" = "$wanIface6" ] || [ "${1/#wan6}" != "$1" ] || [ "${1/%wan6}" != "$1" ]; }
231 is_ignored_interface
() { str_contains_word
"$ignored_interface" "$1"; }
232 is_supported_interface
() { str_contains_word
"$supported_interface" "$1" ||
{ ! is_ignored_interface
"$1" && { is_wan
"$1" || is_wan6
"$1" || is_tunnel
"$1"; }; } || is_ignore_target
"$1"; }
233 is_ignore_target
() { [ "$(str_to_lower "$1")" = 'ignore' ]; }
234 is_mac_address
() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev
/null
; }
235 is_ipv4
() { expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev
/null
; }
236 is_ipv6
() { ! is_mac_address
"$1" && str_contains
"$1" ":"; }
237 is_family_mismatch
() { ( is_netmask
"${1//!}" && is_ipv6 "${2//!}" ) || ( is_ipv6 "${1//!}" && is_netmask "${2//!}" ); }
238 is_ipv6_link_local() { [ "${1:0:4}" = "fe80
" ]; }
239 is_ipv6_unique_local() { [ "${1:0:2}" = "fc" ] || [ "${1:0:2}" = "fd" ]; }
240 is_ipv6_global
() { [ "${1:0:4}" = "2001" ]; }
241 # is_ipv6_global() { is_ipv6 "$1" && ! is_ipv6_link_local "$1" && ! is_ipv6_link_local "$1"; }
242 is_list
() { str_contains
"$1" "," || str_contains
"$1" " "; }
243 is_netmask
() { local ip
="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4
"$ip"; }
244 is_domain
() { str_contains
"$1" '[a-zA-Z]'; }
245 is_phys_dev
() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; }
246 dnsmasq_kill() { killall -q -s HUP dnsmasq; }
247 dnsmasq_restart() { output 3 'Restarting dnsmasq '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; }
248 is_default_dev() { [ "$1" = "$
($ip_full -4 r |
grep -m1 'dev' |
grep -Eso 'dev [^ ]*' |
awk '{print $2}')" ]; }
249 is_supported_iface_dev() { local n dev; for n in $ifacesSupported; do network_get_device dev "$n"; [ "$1" = "$dev" ] && return 0; done; return 1; }
250 is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; }
251 is_service_running_iptables() { [ -x "$iptables" ] && "$iptables" -t mangle -L | grep -q "${iptPrefix}_PREROUTING
" >/dev/null 2>&1; }
252 is_service_running_nft() { [ -x "$nft" ] && [ -n "$
(get_mark_nft_chains
)" ]; }
254 # is_service_running_nft() { [ -x "$nft" ] && [ -s "$nftPermFile" ]; }
255 is_service_running() { if is_nft; then is_service_running_nft; else is_service_running_iptables; fi; }
256 is_netifd_table() { local iface="$1"; [ "$
(uci
-q get
"network.${iface}.ip4table")" = "${packageName}_${iface%6}" ]; }
257 get_rt_tables_id() { grep "${packageName}_${iface}" /etc/iproute2/rt_tables | awk '{print $1;}'; }
258 get_rt_tables_next_id() { echo "$(($(sort -r -n /etc/iproute2/rt_tables | grep -o -E -m 1 "^[0-9]+")+1))"; }
259 _check_config() { local en; config_get_bool en "$1" 'enabled
' 1; [ "$en" -gt 0 ] && _cfg_enabled=0; }
260 is_config_enabled() {
261 local cfg="$1" _cfg_enabled=1
262 [ -n "$1" ] || return 1
263 config_load "$packageName"
264 config_foreach _check_config "$cfg"
265 return "$_cfg_enabled"
267 # shellcheck disable=SC2016
268 resolveip_to_ipt() { resolveip "$@" | sed -n 'H
;${x;s/\n/,/g;s/^,//;p;};d
'; }
269 # shellcheck disable=SC2016
270 resolveip_to_nftset() { resolveip "$@" | sed -n 'H
;${x;s/\n/,/g;s/^,//;p;};d
' | tr '\n' ' '; }
271 resolveip_to_nftset4() { resolveip_to_nftset -4 "$@"; }
272 resolveip_to_nftset6() { [ -n "$ipv6_enabled" ] && resolveip_to_nftset -6 "$@"; }
273 # shellcheck disable=SC2016
274 ipv4_leases_to_nftset() { [ -s '/tmp
/dhcp.leases
' ] || return 1; grep "$1" '/tmp
/dhcp.leases
' | awk '{print
$3}' | sed -n 'H
;${x;s/\n/,/g;s/^,//;p;};d
' | tr '\n' ' '; }
275 # shellcheck disable=SC2016
276 ipv6_leases_to_nftset() { [ -s '/tmp
/hosts
/odhcpd
' ] || return 1; grep -v '^\
#' '/tmp/hosts/odhcpd' | grep "$1" | awk '{print $1}' | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; }
277 # shellcheck disable=SC3037
278 ports_to_nftset
() { echo -ne "$value"; }
279 get_mark_ipt_chains
() { [ -n "$(command -v iptables-save)" ] && iptables-save |
grep ":${iptPrefix}_MARK_" |
awk '{ print $1 }' |
sed 's/://'; }
280 get_mark_nft_chains
() { [ -x "$nft" ] && "$nft" list table inet
"$nftTable" 2>/dev
/null |
grep chain |
grep "${nftPrefix}_mark_" |
awk '{ print $2 }'; }
281 get_ipsets
() { [ -x "$(command -v ipset)" ] && ipset list |
grep "${ipsPrefix}_" |
awk '{ print $2 }'; }
282 get_nft_sets
() { [ -x "$nft" ] && "$nft" list table inet
"$nftTable" 2>/dev
/null |
grep 'set' |
grep "${nftPrefix}_" |
awk '{ print $2 }'; }
283 is_ipset_type_supported
() { ipset
help hash:"$1" >/dev
/null
2>&1; }
284 ubus_get_status
() { ubus call service list
"{ 'name': '$packageName' }" | jsonfilter
-e "@.${packageName}.instances.main.data.status.${1}"; }
285 ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.
${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; }
287 load_package_config
() {
288 config_load
"$packageName"
289 config_get boot_timeout
'config' 'boot_timeout' '30'
290 config_get_bool enabled
'config' 'enabled' '0'
291 config_get fw_mask
'config' 'fw_mask' 'ff0000'
292 config_get icmp_interface
'config' 'icmp_interface'
293 config_get ignored_interface
'config' 'ignored_interface'
294 config_get_bool ipv6_enabled
'config' 'ipv6_enabled' '0'
295 config_get procd_boot_delay
'config' 'procd_boot_delay' '0'
296 config_get resolver_set
'config' 'resolver_set'
297 config_get rule_create_option
'config' 'rule_create_option' 'add'
298 config_get_bool secure_reload
'config' 'secure_reload' '1'
299 config_get_bool strict_enforcement
'config' 'strict_enforcement' '0'
300 config_get supported_interface
'config' 'supported_interface'
301 config_get verbosity
'config' 'verbosity' '2'
302 config_get wan_ip_rules_priority
'config' 'wan_ip_rules_priority' '30000'
303 config_get wan_mark
'config' 'wan_mark' '010000'
304 fw_mask
="0x${fw_mask}"
305 wan_mark
="0x${wan_mark}"
306 [ -n "$ipv6_enabled" ] && [ "$ipv6_enabled" -eq 0 ] && unset ipv6_enabled
307 .
/lib
/functions
/network.sh
308 .
/usr
/share
/libubox
/jshn.sh
309 mkdir
-p "${dnsmasqFile%/*}"
311 fw_maskXor
="$(printf '%#x' "$
((fw_mask ^
0xffffffff))")"
312 fw_maskXor
="${fw_maskXor:-0xff00ffff}"
314 case $rule_create_option in
315 insert|
-i|
-I) rule_create_option
='-I';;
316 add|
-a|
-A|
*) rule_create_option
='-A';;
322 local param
="$1" validation_result
="$2"
325 if [ "$param" = 'on_start' ]; then
326 if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then
327 output
"${_ERROR_}: The $packageName config validation failed!\\n"
328 output
"Please check if the '$packageConfigFile' contains correct values for config options.\\n"
329 state add
'errorSummary' 'errorConfigValidation'
332 if [ "$enabled" -eq 0 ]; then
333 state add
'errorSummary' 'errorServiceDisabled'
336 if [ ! -x "$ip_full" ]; then
337 state add
'errorSummary' 'errorNoIpFull'
341 if [ -z "$iptables" ] ||
[ ! -x "$iptables" ]; then
342 state add
'errorSummary' 'errorNoIptables'
346 resolver
'check_support'
349 load_network
"$param"
353 config_load
'network'
354 [ -z "$ifacesAll" ] && config_foreach _build_ifaces_all
'interface'
355 [ -z "$ifacesSupported" ] && config_foreach _build_ifaces_supported
'interface'
356 pbr_find_iface wanIface4
'wan'
357 [ -n "$ipv6_enabled" ] && pbr_find_iface wanIface6
'wan6'
358 [ -n "$wanIface4" ] && network_get_gateway wanGW4
"$wanIface4"
359 [ -n "$wanIface6" ] && network_get_gateway6 wanGW6
"$wanIface6"
360 wanGW
="${wanGW4:-$wanGW6}"
366 while [ -z "$wanGW" ] ; do
368 if [ $
((sleepCount
)) -gt $
((boot_timeout
)) ] ||
[ -n "$wanGW" ]; then break; fi
369 output
"$serviceName waiting for wan gateway...\\n"
372 sleepCount
=$
((sleepCount
+1))
374 if [ -n "$wanGW" ]; then
377 state add
'errorSummary' 'errorNoWanGateway'
382 # shellcheck disable=SC2086
385 [ -x "$iptables" ] ||
return 1
386 for d
in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
387 [ "$d" != "$*" ] && "$iptables" $d >/dev
/null
2>&1
389 d
="$*"; "$iptables" $d >/dev
/null
2>&1
392 # shellcheck disable=SC2086
395 [ -n "$ipv6_enabled" ] ||
return 0
396 [ -x "$ip6tables" ] ||
return 1
397 for d
in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
398 [ "$d" != "$*" ] && "$ip6tables" $d >/dev
/null
2>&1
401 "$ip6tables" $d >/dev
/null
2>&1
404 # shellcheck disable=SC2086
406 local d failFlagIpv4
=1 failFlagIpv6
=1
407 [ -x "$iptables" ] ||
return 1
408 for d
in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
409 if [ "$d" != "$*" ]; then
410 "$iptables" $d >/dev
/null
2>&1
411 [ -x "$ip6tables" ] && "$ip6tables" $d >/dev
/null
2>&1
414 d
="$*"; "$iptables" $d >/dev
/null
2>&1 && failFlagIpv4
=0;
415 if [ -n "$ipv6_enabled" ] && [ -x "$ip6tables" ]; then
416 "$ip6tables" $d >/dev
/null
2>&1 && failFlagIpv6
=0
418 [ "$failFlagIpv4" -eq 0 ] ||
[ "$failFlagIpv6" -eq 0 ]
421 # shellcheck disable=SC2086
422 ips4
() { [ -x "$ipset" ] && "$ipset" "$@" >/dev
/null
2>&1; }
423 ips6
() { [ -x "$ipset" ] && { if [ -n "$ipv6_enabled" ] && [ -n "$*" ]; then "$ipset" "$@" >/dev
/null
2>&1; else return 1; fi; }; }
425 local command="$1" iface
="$2" target
="${3:-dst}" type="${4:-ip}" uid
="$5" comment
="$6" param
="$7" mark
="$7"
426 local ipset4 ipset6 i
427 local ipv4_error
=1 ipv6_error
=1
428 ipset4
="${ipsPrefix}${iface:+_$iface}_4${target:+_$target}${type:+_$type}${uid:+_$uid}"
429 ipset6
="${ipsPrefix}${iface:+_$iface}_6${target:+_$target}${type:+_$type}${uid:+_$uid}"
431 [ -x "$ipset" ] ||
return 1
433 if [ "${#ipset4}" -gt 31 ]; then
434 state add
'errorSummary' 'errorIpsetNameTooLong' "$ipset4"
440 ips4
-q -! add
"$ipset4" comment
"$comment" && ipv4_error
=0
441 ips6
-q -! add
"$ipset6" comment
"$comment" && ipv6_error
=0
444 [ -n "$ipv6_enabled" ] ||
unset ipset6
445 echo "${param}/${ipset4}${ipset6:+,$ipset6}" >> "$aghIpsetFile" && ipv4_error
=0
448 [ -n "$ipv6_enabled" ] ||
unset ipset6
449 echo "ipset=/${param}/${ipset4}${ipset6:+,$ipset6} # $comment" >> "$dnsmasqFile" && ipv4_error
=0
452 ips4
-q -! create
"$ipset4" "hash:$type" comment
&& ipv4_error
=0
453 ips6
-q -! create
"$ipset6" "hash:$type" comment family inet6
&& ipv6_error
=0
456 ips4
-q -! create
"$ipset4" "hash:$type" comment
&& ipv4_error
=0
457 ips6
-q -! create
"$ipset6" "hash:$type" comment family inet6
&& ipv6_error
=0
460 ips4
-q -! create
"$ipset4" "hash:$type" comment
&& ipv4_error
=0
461 ips6
-q -! create
"$ipset6" "hash:$type" comment family inet6
&& ipv6_error
=0
466 ips4
-q -! create
"$ipset4" "hash:$type" comment
&& ipv4_error
=0
467 ips6
-q -! create
"$ipset6" "hash:$type" comment family inet6
&& ipv4_error
=0
470 ipt4
-t mangle
-A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" dst -g "${iptPrefix}_MARK_${mark}" && ipv4_error
=0
471 ipt6
-t mangle
-A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" dst -g "${iptPrefix}_MARK_${mark}" && ipv6_error
=0
474 ipt4
-t mangle
-A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error
=0
475 ipt6
-t mangle
-A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error
=0
480 ips4
-q -! create
"$ipset4" "hash:$type" comment
&& ipv4_error
=0
481 ips6
-q -! create
"$ipset6" "hash:$type" comment family inet6
&& ipv4_error
=0
482 ipt4
-t mangle
-A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error
=0
483 ipt6
-t mangle
-A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error
=0
488 ips4
-q -! destroy
"$ipset4" && ipv4_error
=0
489 ips6
-q -! destroy
"$ipset6" && ipv6_error
=0
492 ips4
-q -! destroy
"$ipset4" && ipv4_error
=0
493 ips6
-q -! destroy
"$ipset6" family inet6
&& ipv6_error
=0
498 ipt4
-t mangle
-D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" dst -g "${iptPrefix}_MARK_${mark}" && ipv4_error
=0
499 ipt6
-t mangle
-D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" dst -g "${iptPrefix}_MARK_${mark}" && ipv6_error
=0
502 ipt4
-t mangle
-D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error
=0
503 ipt6
-t mangle
-D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error
=0
508 ipt4
-t mangle
-D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error
=0
509 ipt6
-t mangle
-D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error
=0
513 flush|flush_user_set
)
514 ips4
-q -! flush
"$ipset4" && ipv4_error
=0
515 ips6
-q -! flush
"$ipset6" && ipv6_error
=0
518 return $ipv4_error ||
$ipv6_error
522 #nfta() { echo "$@" >> "$nftTempFile"; }
523 #nfta4() { echo "$@" >> "$nftTempFile"; }
524 #nfta6() { [ -z "$ipv6_enabled" ] || echo "$@" >> "$nftTempFile"; }
525 #nft() { nfta "$@"; [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
526 #nft4() { nfta "$@"; [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
527 #nft6() { nfta "$@"; [ -n "$ipv6_enabled" ] || return 0; [ -x "$nft" ] && [ -n "$*" ] && "$nft" "$@" >/dev/null 2>&1; }
528 nft
() { [ -x "$nft" ] && "$nft" "$@" >/dev
/null
2>&1; }
529 nft4
() { [ -x "$nft" ] && "$nft" "$@" >/dev
/null
2>&1; }
530 nft6
() { [ -n "$ipv6_enabled" ] ||
return 0; [ -x "$nft" ] && [ -n "$*" ] && "$nft" "$@" >/dev
/null
2>&1; }
532 local command="$1" iface
="$2" target
="${3:-dst}" type="${4:-ip}" uid
="$5" comment
="$6" param
="$7" mark
="$7"
533 local nftset4 nftset6 i param4 param6
534 local ipv4_error
=1 ipv6_error
=1
535 nftset4
="${nftPrefix}${iface:+_$iface}_4${target:+_$target}${type:+_$type}${uid:+_$uid}"
536 nftset6
="${nftPrefix}${iface:+_$iface}_6${target:+_$target}${type:+_$type}${uid:+_$uid}"
538 [ -x "$nft" ] ||
return 1
540 if [ "${#nftset4}" -gt 255 ]; then
541 state add
'errorSummary' 'errorNftsetNameTooLong' "$nftset4"
547 if is_netmask
"$param" || is_ipv4
"$param" || is_ipv6
"$param" \
548 || is_mac_address
"$param" || is_list
"$param"; then
549 nft4 add element inet
"$nftTable" "$nftset4" "{ $param }" && ipv4_error
=0
550 nft6 add element inet
"$nftTable" "$nftset6" "{ $param }" && ipv6_error
=0
552 # elif is_domain "$param"; then
553 if [ "$target" = 'src' ]; then
554 param4
="$(ipv4_leases_to_nftset "$param")"
555 param6
="$(ipv6_leases_to_nftset "$param")"
557 [ -z "$param4" ] && param4
="$(resolveip_to_nftset4 "$param")"
558 [ -z "$param6" ] && param6
="$(resolveip_to_nftset6 "$param")"
559 nft4 add element inet
"$nftTable" "$nftset4" "{ $param4 }" && ipv4_error
=0
560 nft6 add element inet
"$nftTable" "$nftset6" "{ $param6 }" && ipv6_error
=0
564 [ -n "$ipv6_enabled" ] ||
unset nftset6
565 echo "nftset=/${param}/4#inet#${nftTable}#${nftset4}${nftset6:+,6#inet#${nftTable}#$nftset6} # $comment" >> "$dnsmasqFile" && ipv4_error
=0
570 nft4 add
set inet
"$nftTable" "$nftset4" "{ type ipv4_addr; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error
=0
571 nft6 add
set inet
"$nftTable" "$nftset6" "{ type ipv6_addr; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error
=0
574 nft4 add
set inet
"$nftTable" "$nftset4" "{ type ether_addr; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error
=0
575 nft6 add
set inet
"$nftTable" "$nftset6" "{ type ether_addr; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error
=0
580 nft4 add
set inet
"$nftTable" "$nftset4" "{ type ipv4_addr; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error
=0
581 nft6 add
set inet
"$nftTable" "$nftset6" "{ type ipv6_addr; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error
=0
586 nft4 add
set inet
"$nftTable" "$nftset4" "{ type ipv4_addr; flags interval; auto-merge; policy memory; comment \"$comment\"; }" && ipv4_error
=0
587 nft6 add
set inet
"$nftTable" "$nftset6" "{ type ipv6_addr; flags interval; auto-merge; policy memory; comment \"$comment\"; }" && ipv6_error
=0
590 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error
=0
591 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error
=0
594 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error
=0
595 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error
=0
600 nft4 add
set inet
"$nftTable" "$nftset4" "{ type ether_addr; flags interval; auto-merge; policy memory; comment \"$comment\"; }" && ipv4_error
=0
601 nft6 add
set inet
"$nftTable" "$nftset6" "{ type ether_addr; flags interval; auto-merge; policy memory; comment \"$comment\"; }" && ipv6_error
=0
602 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error
=0
603 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error
=0
608 nft delete
set inet
"$nftTable" "$nftset4" && ipv4_error
=0
609 nft delete
set inet
"$nftTable" "$nftset6" && ipv6_error
=0
612 nft delete
set inet
"$nftTable" "$nftset4" && ipv4_error
=0
613 nft delete
set inet
"$nftTable" "$nftset6" && ipv6_error
=0
618 nft delete rule inet
"$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error
=0
619 nft delete rule inet
"$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error
=0
622 nft delete rule inet
"$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error
=0
623 nft delete rule inet
"$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error
=0
628 nft delete rule inet
"$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error
=0
629 nft delete rule inet
"$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error
=0
633 flush|flush_user_set
)
634 nft flush
set inet
"$nftTable" "$nftset4" && ipv4_error
=0
635 nft flush
set inet
"$nftTable" "$nftset6" && ipv6_error
=0
638 # nft6 returns true if IPv6 support is not enabled
639 [ -z "$ipv6_enabled" ] && ipv6_error
='1'
640 return $ipv4_error ||
$ipv6_error
643 cleanup_dnsmasq
() { [ -s "$dnsmasqFile" ] && resolverStoredHash
="$(md5sum $dnsmasqFile | awk '{ print $1; }')" && rm "$dnsmasqFile" >/dev
/null
2>&1; }
644 cleanup_main_chains
() {
646 for i
in $chainsList; do
647 i
="$(str_to_lower "$i")"
648 nft flush chain inet
"$nftTable" "${nftPrefix}_${i}"
650 for i
in $chainsList; do
651 i
="$(str_to_upper "$i")"
652 ipt
-t mangle
-D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
653 ipt
-t mangle
-F "${iptPrefix}_${i}"
654 ipt
-t mangle
-X "${iptPrefix}_${i}"
658 cleanup_marking_chains
() {
660 for i
in $
(get_mark_nft_chains
); do
661 nft flush chain inet
"$nftTable" "$i"
662 nft delete chain inet
"$nftTable" "$i"
664 for i
in $
(get_mark_ipt_chains
); do
665 ipt
-t mangle
-F "$i"
666 ipt
-t mangle
-X "$i"
672 for i
in $
(get_nft_sets
); do
673 nft flush
set inet
"$nftTable" "$i"
674 nft delete
set inet
"$nftTable" "$i"
676 for i
in $
(get_ipsets
); do
677 ipset
-q -! flush
"$i" >/dev
/null
2>&1
678 ipset
-q -! destroy
"$i" >/dev
/null
2>&1
683 local action
="$1" param
="$2" value
="${3//#/_}"
685 # shellcheck disable=SC2124
687 local line error_id error_extra label
690 line
="$(eval echo "\$
$param")"
691 eval "$param"='${line:+$line#}${value}${extras:+ $extras}'
696 json_add_array
'errors';;
698 json_add_array
'warnings';;
700 if [ -n "$(eval echo "\$
$param")" ]; then
701 while read -r line
; do
702 if str_contains
"$line" ' '; then
705 error_id
="${line% *}"
706 error_extra
="${line#* }"
711 json_add_string
'id' "$error_id"
712 json_add_string
'extra' "$error_extra"
715 $(eval echo "\$$param" | tr \# \\n)
721 [ -z "$(eval echo "\$
$param")" ] && return 0
724 label
="${_ERROR_}:";;
726 label
="${_WARNING_}:";;
728 while read -r line
; do
729 if str_contains
"$line" ' '; then
730 error_id
="${line% *}"
731 error_extra
="${line#* }"
732 printf "%b $(get_text "$error_id")\\n" "$label" "$error_extra"
735 printf "%b $(get_text "$error_id")\\n" "$label"
738 $(eval echo "\$$param" | tr \# \\n)
742 eval "$param"='${value}${extras:+ $extras}'
752 if [ "$param" = 'cleanup_all' ]; then
753 sed -i "/ipset_file: ${aghIpsetFile}/d" "$aghConfigFile" >/dev
/null
2>&1
754 rm -f "$aghIpsetFile"
759 case "$resolver_set" in
762 add_resolver_element
) return 1;;
763 create_resolver_set
) return 1;;
764 check_support
) return 0;;
766 configure
) return 0;;
772 compare_hash
) return 0;;
773 store_hash
) return 0;;
778 add_resolver_element
)
779 [ -n "$resolver_set_supported" ] && ips
'add_agh_element' "$@";;
781 [ -n "$resolver_set_supported" ] && ips
'create_agh_set' "$@";;
783 if [ ! -x "$ipset" ]; then
784 state add
'errorSummary' 'errorNoIpset'
787 if [ -n "$agh" ] && [ -s "$aghConfigFile" ]; then
788 agh_version
="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|')"
789 if is_greater_or_equal
"$agh_version" '0.107.13'; then
790 resolver_set_supported
='true'
793 state add
'warningSummary' 'warningAGHVersionTooLow' "$agh_version"
797 state add
'warningSummary' 'warningResolverNotSupported'
802 [ -z "$resolver_set_supported" ] && return 0
803 rm -f "$aghIpsetFile"
804 sed -i "/ipset_file: ${aghIpsetFile}/d" "$aghConfigFile" >/dev
/null
2>&1
807 [ -z "$resolver_set_supported" ] && return 1
808 mkdir
-p "${aghIpsetFile%/*}"
809 touch "$aghIpsetFile"
810 sed -i '/ipset_file/d' "$aghConfigFile" >/dev
/null
2>&1
811 sed -i "/ ipset:/a \ \ ipset_file: $aghIpsetFile" "$aghConfigFile"
816 [ -n "$resolver_set_supported" ] && [ -n "$agh" ] && killall
-q -s HUP
"$agh";;
818 [ -z "$resolver_set_supported" ] && return 1
819 output
3 'Reloading adguardhome '
820 if /etc
/init.d
/adguardhome reload
>/dev
/null
2>&1; then
829 [ -z "$resolver_set_supported" ] && return 1
830 output
3 'Restarting adguardhome '
831 if /etc
/init.d
/adguardhome restart
>/dev
/null
2>&1; then
840 [ -z "$resolver_set_supported" ] && return 1
841 local resolverNewHash
842 if [ -s "$aghIpsetFile" ]; then
843 resolverNewHash
="$(md5sum $aghIpsetFile | awk '{ print $1; }')"
845 [ "$resolverNewHash" != "$resolverStoredHash" ]
848 [ -s "$aghIpsetFile" ] && resolverStoredHash
="$(md5sum $aghIpsetFile | awk '{ print $1; }')";;
853 add_resolver_element
)
854 [ -n "$resolver_set_supported" ] && ips
'add_dnsmasq_element' "$@";;
856 [ -n "$resolver_set_supported" ] && ips
'create_dnsmasq_set' "$@";;
858 if [ ! -x "$ipset" ]; then
859 state add
'errorSummary' 'errorNoIpset'
862 if ! dnsmasq
-v 2>/dev
/null |
grep -q 'no-ipset' && dnsmasq
-v 2>/dev
/null |
grep -q 'ipset'; then
863 resolver_set_supported
='true'
866 state add
'warningSummary' 'warningResolverNotSupported'
871 [ -n "$resolver_set_supported" ] && rm -f "$dnsmasqFile";;
873 [ -n "$resolver_set_supported" ] && mkdir
-p "${dnsmasqFile%/*}";;
877 [ -n "$resolver_set_supported" ] && killall
-q -s HUP dnsmasq
;;
879 [ -z "$resolver_set_supported" ] && return 1
880 output
3 'Reloading dnsmasq '
881 if /etc
/init.d
/dnsmasq reload
>/dev
/null
2>&1; then
890 [ -z "$resolver_set_supported" ] && return 1
891 output
3 'Restarting dnsmasq '
892 if /etc
/init.d
/dnsmasq restart
>/dev
/null
2>&1; then
901 [ -z "$resolver_set_supported" ] && return 1
902 local resolverNewHash
903 if [ -s "$dnsmasqFile" ]; then
904 resolverNewHash
="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
906 [ "$resolverNewHash" != "$resolverStoredHash" ]
909 [ -s "$dnsmasqFile" ] && resolverStoredHash
="$(md5sum $dnsmasqFile | awk '{ print $1; }')";;
914 add_resolver_element
)
915 [ -n "$resolver_set_supported" ] && nftset
'add_dnsmasq_element' "$@";;
917 [ -n "$resolver_set_supported" ] && nftset
'create_dnsmasq_set' "$@";;
919 if [ ! -x "$nft" ]; then
920 state add
'errorSummary' 'errorNoNft'
923 if ! dnsmasq
-v 2>/dev
/null |
grep -q 'no-nftset' && dnsmasq
-v 2>/dev
/null |
grep -q 'nftset'; then
924 resolver_set_supported
='true'
927 state add
'warningSummary' 'warningResolverNotSupported'
932 [ -n "$resolver_set_supported" ] && rm -f "$dnsmasqFile";;
934 [ -n "$resolver_set_supported" ] && mkdir
-p "${dnsmasqFile%/*}";;
938 [ -n "$resolver_set_supported" ] && killall
-q -s HUP dnsmasq
;;
940 [ -z "$resolver_set_supported" ] && return 1
941 output
3 'Reloading dnsmasq '
942 if /etc
/init.d
/dnsmasq reload
>/dev
/null
2>&1; then
951 [ -z "$resolver_set_supported" ] && return 1
952 output
3 'Restarting dnsmasq '
953 if /etc
/init.d
/dnsmasq restart
>/dev
/null
2>&1; then
962 [ -z "$resolver_set_supported" ] && return 1
963 local resolverNewHash
964 if [ -s "$dnsmasqFile" ]; then
965 resolverNewHash
="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
967 [ "$resolverNewHash" != "$resolverStoredHash" ]
970 [ -s "$dnsmasqFile" ] && resolverStoredHash
="$(md5sum $dnsmasqFile | awk '{ print $1; }')";;
975 add_resolver_element
) :;;
976 create_resolver_set
) :;;
991 add_resolver_element
) :;;
992 create_resolver_set
) :;;
1011 output
"Unexpected exit or service termination: '${1}'!\\n"
1012 state add
'errorSummary' 'errorUnexpectedExit' "$1"
1013 traffic_killswitch
'remove'
1016 traffic_killswitch
() {
1020 local lan_subnet wan_device
1021 [ "$secure_reload" -ne 0 ] ||
return 0
1022 for i
in $serviceTrapSignals; do
1023 # shellcheck disable=SC2064
1024 trap "trap_process $i" "$i"
1026 output
3 'Activating traffic killswitch '
1027 network_get_subnet lan_subnet
'lan'
1028 network_get_physdev wan_device
'wan'
1030 nft add chain inet
"$nftTable" "${nftPrefix}_killswitch" '{ type filter hook forward priority 0; policy accept; }' || s
=1
1031 nft add rule inet
"$nftTable" "${nftPrefix}_killswitch" oifname
"$wan_device" ip saddr
"$lan_subnet" counter reject || s
=1
1032 # nft add rule inet "$nftTable" "${nftPrefix}_killswitch" oifname '$wan_devices' ip saddr '$lan_subnet' counter reject || s=1
1034 ipt
-N "${iptPrefix}_KILLSWITCH" || s
=1
1035 ipt
-A "${iptPrefix}_KILLSWITCH" -s "$lan_subnet" -o "$wan_device" -j REJECT || s
=1
1036 ipt
-I FORWARD
-j "${iptPrefix}_KILLSWITCH" || s
=1
1038 if [ "$s" -eq 0 ]; then
1045 if [ "$secure_reload" -ne 0 ]; then
1046 output
3 'Deactivating traffic killswitch '
1049 nft flush chain inet
"$nftTable" "${nftPrefix}_killswitch" || s
=1
1050 nft delete chain inet
"$nftTable" "${nftPrefix}_killswitch" || s
=1
1052 ipt
-D FORWARD
-j "${iptPrefix}_KILLSWITCH" || s
=1
1053 ipt
-F "${iptPrefix}_KILLSWITCH" || s
=1
1054 ipt
-X "${iptPrefix}_KILLSWITCH" || s
=1
1056 if [ "$secure_reload" -ne 0 ]; then
1057 if [ "$s" -eq 0 ]; then
1063 # shellcheck disable=SC2086
1064 trap - $serviceTrapSignals
1069 policy_routing_tor
() { if is_nft
; then policy_routing_tor_nft
"$@"; else policy_routing_tor_iptables
"$@"; fi; }
1070 policy_routing_tor_iptables
() {
1071 local comment
="$1" iface
="$2" src_addr
="$3" src_port
="$4" dest_addr
="$5" dest_port
="$6" proto chain uid
="$9"
1072 proto
="$(str_to_lower "$7")"
1073 chain
="$(str_to_upper "$8")"
1074 chain
="${chain:-PREROUTING}"
1075 if [ -n "${src_addr}${src_port}${dest_port}" ]; then
1076 processPolicyWarning
="${processPolicyWarning}${_WARNING_}: Please unset 'src_addr', 'src_port' and 'dest_port' for policy '$comment'\\n"
1078 if [ -n "$proto" ] && [ "$proto" != "all" ]; then
1079 processPolicyWarning
="${processPolicyWarning}${_WARNING_}: Please unset 'proto' or set 'proto' to 'all' for policy '$comment'\\n"
1081 if [ "$chain" != "PREROUTING" ]; then
1082 processPolicyWarning
="${processPolicyWarning}${_WARNING_}: Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '$comment'\\n"
1084 resolver
'add_resolver_element' "$iface" 'dst' 'ip' '' "${comment}: $dest_addr" "$dest_addr" || \
1085 processPolicyError
="${processPolicyError}${_ERROR_}: resolver 'add_resolver_element' '$iface' 'dst' 'ip' '${comment}: $dest_addr' '$dest_addr'\\n"
1088 policy_routing_tor_nft
() {
1089 local comment
="$1" iface
="$2" src_addr
="$3" src_port
="$4" dest_addr
="$5" dest_port
="$6" proto chain uid
="$9"
1090 proto
="$(str_to_lower "$7")"
1091 chain
="$(str_to_lower "$8")"
1092 chain
="${chain:-prerouting}"
1093 if [ -n "${src_addr}${src_port}${dest_port}" ]; then
1094 processPolicyWarning
="${processPolicyWarning}${_WARNING_}: Please unset 'src_addr', 'src_port' and 'dest_port' for policy '$comment'\\n"
1096 if [ -n "$proto" ] && [ "$proto" != "all" ]; then
1097 processPolicyWarning
="${processPolicyWarning}${_WARNING_}: Please unset 'proto' or set 'proto' to 'all' for policy '$comment'\\n"
1099 if [ "$chain" != "prerouting" ]; then
1100 processPolicyWarning
="${processPolicyWarning}${_WARNING_}: Please unset 'chain' or set 'chain' to 'prerouting' for policy '$comment'\\n"
1102 resolver
'add_resolver_element' "$iface" 'dst' 'ip' '' "${comment}: $dest_addr" "$dest_addr" || \
1103 processPolicyError
="${processPolicyError}${_ERROR_}: resolver 'add_resolver_element' '$iface' 'dst' 'ip' '${comment}: $dest_addr' '$dest_addr'\\n"
1107 policy_routing
() { if is_nft
; then policy_routing_nft
"$@"; else policy_routing_iptables
"$@"; fi; }
1108 policy_routing_iptables
() {
1109 local mark param4 param6 i negation value dest ipInsertOption
="-A"
1110 local ip4error
='1' ip6error
='1'
1111 local name
="$1" iface
="$2" laddr
="$3" lport
="$4" raddr
="$5" rport
="$6" proto chain uid
="$9"
1112 proto
="$(str_to_lower "$7")"
1113 chain
="$(str_to_upper "$8")"
1114 chain
="${chain:-PREROUTING}"
1115 mark
=$
(eval echo "\$mark_${iface//-/_}")
1117 if [ -n "$ipv6_enabled" ] && { is_ipv6
"$laddr" || is_ipv6
"$raddr"; }; then
1118 processPolicyError
="${processPolicyError}${_ERROR_}: Skipping IPv6 policy '$name' as IPv6 support is disabled\\n"
1122 if [ -n "$mark" ]; then
1123 dest
="-g ${iptPrefix}_MARK_${mark}"
1124 elif [ "$iface" = "ignore" ]; then
1127 processPolicyError
="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}\\n"
1131 if [ -z "$proto" ]; then
1132 if [ -n "$lport" ] ||
[ -n "$rport" ]; then
1139 if is_family_mismatch
"$laddr" "$raddr"; then
1140 processPolicyError
="${processPolicyError}${_ERROR_}: Mismatched IP family between '$laddr' and '$raddr' in policy '$name'\\n"
1145 if [ "$i" = 'all' ]; then
1146 param4
="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
1147 param6
="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
1148 elif ! is_supported_protocol
"$i"; then
1149 processPolicyError
="${processPolicyError}${_ERROR_}: Unknown protocol '$i' in policy '$name'\\n"
1152 param4
="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest -p $i"
1153 param6
="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest -p $i"
1156 if [ -n "$laddr" ]; then
1157 if [ "${laddr:0:1}" = "!" ]; then
1158 negation
='!'; value
="${laddr:1}"
1160 unset negation
; value
="$laddr";
1162 if is_phys_dev
"$value"; then
1163 param4
="$param4 $negation -m physdev --physdev-in ${value:1}"
1164 param6
="$param6 $negation -m physdev --physdev-in ${value:1}"
1165 elif is_netmask
"$value"; then
1166 local target
='src' type='net'
1167 if ips
'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
1168 ips
'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
1169 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1170 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1172 param4
="$param4 $negation -s $value"
1173 param6
="$param6 $negation -s $value"
1175 elif is_mac_address
"$value"; then
1176 local target
='src' type='mac'
1177 if ips
'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
1178 ips
'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
1179 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1180 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1182 param4
="$param4 -m mac $negation --mac-source $value"
1183 param6
="$param6 -m mac $negation --mac-source $value"
1186 local target
='src' type='ip'
1187 if ips
'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
1188 ips
'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
1189 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1190 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1192 param4
="$param4 $negation -s $(resolveip_to_ipt -4 "$value")"
1193 param6
="$param6 $negation -s $(resolveip_to_ipt -6 "$value")"
1198 if [ -n "$lport" ]; then
1199 if [ "${lport:0:1}" = "!" ]; then
1200 negation
='!'; value
="${lport:1}"
1202 unset negation
; value
="$lport";
1204 param4
="$param4 -m multiport $negation --sport ${value//-/:}"
1205 param6
="$param6 -m multiport $negation --sport ${value//-/:}"
1208 if [ -n "$raddr" ]; then
1209 if [ "${raddr:0:1}" = "!" ]; then
1210 negation
='!'; value
="${raddr:1}"
1212 unset negation
; value
="$raddr";
1214 if is_netmask
"$value"; then
1215 local target
='dst' type='net'
1216 if ips
'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
1217 ips
'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
1218 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1219 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1221 param4
="$param4 $negation -d $value"
1222 param6
="$param6 $negation -d $value"
1224 elif is_domain
"$value"; then
1225 local target
='dst' type='ip'
1226 if resolver
'create_resolver_set' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
1227 resolver
'add_resolver_element' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
1228 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1229 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1230 elif ips
'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
1231 ips
'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
1232 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1233 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1235 param4
="$param4 $negation -d $(resolveip_to_ipt -4 "$value")"
1236 param6
="$param6 $negation -d $(resolveip_to_ipt -6 "$value")"
1239 local target
='dst' type='ip'
1240 if ips
'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
1241 ips
'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
1242 param4
="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
1243 param6
="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
1245 param4
="$param4 $negation -d $value"
1246 param6
="$param6 $negation -d $value"
1251 if [ -n "$rport" ]; then
1252 if [ "${rport:0:1}" = "!" ]; then
1253 negation
='!'; value
="${rport:1}"
1255 unset negation
; value
="$rport";
1257 param4
="$param4 -m multiport $negation --dport ${value//-/:}"
1258 param6
="$param6 -m multiport $negation --dport ${value//-/:}"
1261 if [ -n "$name" ]; then
1262 param4
="$param4 -m comment --comment $(str_extras_to_underscore "$name")"
1263 param6
="$param6 -m comment --comment $(str_extras_to_underscore "$name")"
1266 local ipv4_error
='0' ipv6_error
='0'
1267 if [ "$param4" = "$param6" ]; then
1268 ipt4
"$param4" || ipv4_error
='1'
1270 ipt4
"$param4" || ipv4_error
='1'
1271 ipt6
"$param6" || ipv6_error
='1'
1274 # ipt6 returns true if IPv6 support is not enabled
1275 [ -z "$ipv6_enabled" ] && ipv6_error
='1'
1276 if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
1277 if [ -n "$ipv6_enabled" ]; then
1278 processPolicyError
="${processPolicyError}${_ERROR_}: Policy insertion failed for both IPv4 and IPv6!\\n"
1279 processPolicyError
="${processPolicyError}${_ERROR_}: iptables $param4\\n"
1280 processPolicyError
="${processPolicyError}${_ERROR_}: iptables $param6\\n"
1282 processPolicyError
="${processPolicyError}${_ERROR_}: iptables $param4\\n"
1288 policy_routing_nft
() {
1289 local mark param4 param6 i negation value dest nftInsertOption
='add'
1290 local ip4Flag
='ip' ip6Flag
='ip6'
1291 local name
="$1" iface
="$2" laddr
="$3" lport
="$4" raddr
="$5" rport
="$6" proto chain uid
="$9"
1292 proto
="$(str_to_lower "$7")"
1293 chain
="$(str_to_lower "$8")"
1294 chain
="${chain:-prerouting}"
1295 mark
=$
(eval echo "\$mark_${iface//-/_}")
1297 if [ -z "$ipv6_enabled" ] && { is_ipv6
"$src_addr" || is_ipv6
"$dest_addr"; }; then
1298 processPolicyError
="${processPolicyError}${_ERROR_}: Skipping IPv6 policy '$name' as IPv6 support is disabled\\n"
1302 if [ -n "$mark" ]; then
1303 dest
="goto ${nftPrefix}_mark_${mark}"
1304 elif [ "$iface" = "ignore" ]; then
1307 processPolicyError
="${processPolicyError}${_ERROR_}: Unknown packet mark for ${iface}\\n"
1311 if is_family_mismatch
"$src_addr" "$dest_addr"; then
1312 processPolicyError
="${processPolicyError}${_ERROR_}: Mismatched IP family between '$src_addr' and '$dest_addr' in policy '$name'\\n"
1316 if [ -n "$proto" ] && ! is_supported_protocol
"$proto"; then
1317 processPolicyError
="${processPolicyError}${_ERROR_}: Unknown protocol '$i' in policy '$name'\\n"
1321 if [ -n "$src_addr" ]; then
1322 if [ "${src_addr:0:1}" = "!" ]; then
1323 negation
='!='; value
="${src_addr:1}"
1325 unset negation
; value
="$src_addr";
1327 if is_phys_dev
"$value"; then
1328 param4
="$param4 iifname $negation ${value:1}"
1329 param6
="$param6 iifname $negation ${value:1}"
1330 elif is_mac_address
"$value"; then
1331 local target
='src' type='mac'
1332 if nftset
'create' "$iface" "$target" "$type" "$uid" "$name" && \
1333 nftset
'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
1334 param4
="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
1335 param6
="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
1337 param4
="$param4 ether saddr $negation $value"
1338 param6
="$param6 ether saddr $negation $value"
1341 local target
='src' type='ip'
1342 if nftset
'create' "$iface" "$target" "$type" "$uid" "$name" && \
1343 nftset
'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
1344 param4
="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
1345 param6
="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
1347 param4
="$param4 $ip4Flag saddr $negation $value"
1348 param6
="$param6 $ip6Flag saddr $negation $value"
1353 if [ -n "$dest_addr" ]; then
1354 if [ "${dest_addr:0:1}" = "!" ]; then
1355 negation
='!='; value
="${dest_addr:1}"
1357 unset negation
; value
="$dest_addr";
1359 if is_phys_dev
"$value"; then
1360 param4
="$param4 oifname $negation ${value:1}"
1361 param6
="$param6 oifname $negation ${value:1}"
1362 elif is_domain
"$value"; then
1363 local target
='dst' type='ip'
1364 if resolver
'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \
1365 resolver
'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
1366 param4
="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
1367 param6
="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
1368 elif nftset
'create' "$iface" "$target" "$type" "$uid" "$name" && \
1369 nftset
'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
1370 param4
="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
1371 param6
="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
1373 param4
="$param4 $ip4Flag daddr $negation {$(resolveip_to_nftset4 "$value")}"
1374 param6
="$param6 $ip6Flag daddr $negation {$(resolveip_to_nftset6 "$value")}"
1377 local target
='dst' type='ip'
1378 if nftset
'create' "$iface" "$target" "$type" "$uid" "$name" && \
1379 nftset
'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
1380 param4
="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
1381 param6
="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
1383 param4
="$param4 $ip4Flag daddr $negation $value"
1384 param6
="$param6 $ip6Flag daddr $negation $value"
1389 if [ -n "${src_port}${dest_port}" ]; then
1390 proto
="${proto:-tcp}"
1393 if [ -n "$src_port" ]; then
1394 if [ "${src_port:0:1}" = "!" ]; then
1395 negation
='!='; value
="${src_port:1}"
1397 unset negation
; value
="$src_port";
1399 param4
="$param4 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}"
1400 param6
="$param6 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}"
1403 if [ -n "$dest_port" ]; then
1404 if [ "${dest_port:0:1}" = "!" ]; then
1405 negation
='!='; value
="${dest_port:1}"
1407 unset negation
; value
="$dest_port";
1409 param4
="$param4 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}"
1410 param6
="$param6 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}"
1413 param4
="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\""
1414 param6
="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\""
1416 local ipv4_error
='0' ipv6_error
='0'
1417 if [ "$nftPrevParam4" != "$param4" ]; then
1418 nft4
"$param4" || ipv4_error
='1'
1419 nftPrevParam4
="$param4"
1421 if [ "$nftPrevParam6" != "$param6" ]; then
1422 nft6
"$param6" || ipv6_error
='1'
1423 nftPrevParam6
="$param6"
1426 # nft6 returns true if IPv6 support is not enabled
1427 [ -z "$ipv6_enabled" ] && ipv6_error
='1'
1428 if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
1429 if [ -n "$ipv6_enabled" ]; then
1430 processPolicyError
="${processPolicyError}${_ERROR_}: Policy insertion failed for both IPv4 and IPv6!\\n"
1431 processPolicyError
="${processPolicyError}${_ERROR_}: nft '$param4'\\n"
1432 processPolicyError
="${processPolicyError}${_ERROR_}: nft '$param6'\\n"
1434 processPolicyError
="${processPolicyError}${_ERROR_}: nft '$param4'\\n"
1441 if [ -z "$uid" ]; then # first non-recursive call
1442 [ "$enabled" -gt 0 ] ||
return 0
1443 unset processPolicyWarning
1444 unset processPolicyError
1447 chain
="$(str_to_lower "$chain")"
1449 chain
="$(str_to_upper "$chain")"
1451 proto
="$(str_to_lower "$proto")"
1452 [ "$proto" = 'auto' ] && unset proto
1453 [ "$proto" = 'all' ] && unset proto
1454 output
2 "Routing '$name' via $interface "
1455 if [ -z "${src_addr}${src_port}${dest_addr}${dest_port}" ]; then
1456 state add
'errorSummary' 'errorPolicyNoSrcDest' "$name"
1457 output_fail
; return 1;
1459 if [ -z "$interface" ]; then
1460 state add
'errorSummary' 'errorPolicyNoInterface' "$name"
1461 output_fail
; return 1;
1463 if ! is_supported_interface
"$interface"; then
1464 state add
'errorSummary' 'errorPolicyUnknownInterface' "$name"
1465 output_fail
; return 1;
1467 src_port
="${src_port// / }"; src_port="${src_port// /,}"; src_port="${src_port//,\!/ !}";
1468 dest_port
="${dest_port// / }"; dest_port="${dest_port// /,}"; dest_port="${dest_port//,\!/ !}";
1470 nftset
'flush' "$interface" "dst" "ip" "$uid"
1471 nftset
'flush' "$interface" "src" "ip" "$uid"
1472 nftset
'flush' "$interface" "src" "mac" "$uid"
1474 ips
'flush' "$interface" "dst" "ip" "$uid"
1475 ips
'flush' "$interface" "src" "ip" "$uid"
1476 ips
'flush' "$interface" "src" "mac" "$uid"
1478 policy_process
"$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
1479 if [ -n "$processPolicyWarning" ]; then
1480 state add
'warningSummary' 'warningPolicyProcess' "$processPolicyWarning"
1482 if [ -n "$processPolicyError" ]; then
1484 state add
'errorSummary' 'errorPolicyProcess' "$processPolicyError"
1488 else # recursive call, get options from passed variables
1489 local name
="$1" interface
="$2" src_addr
="$3" src_port
="$4" dest_addr
="$5" dest_port
="$6" proto
="$7" chain
="$8"
1490 if str_contains
"$src_addr" '[ ;\{\}]'; then
1491 for i
in $
(str_extras_to_space
"$src_addr"); do [ -n "$i" ] && policy_process
"$name" "$interface" "$i" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"; done
1492 elif str_contains
"$src_port" '[ ;\{\}]'; then
1493 for i
in $
(str_extras_to_space
"$src_port"); do [ -n "$i" ] && policy_process
"$name" "$interface" "$src_addr" "$i" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"; done
1494 elif str_contains
"$dest_addr" '[ ;\{\}]'; then
1495 for i
in $
(str_extras_to_space
"$dest_addr"); do [ -n "$i" ] && policy_process
"$name" "$interface" "$src_addr" "$src_port" "$i" "$dest_port" "$proto" "$chain" "$uid"; done
1496 elif str_contains
"$dest_port" '[ ;\{\}]'; then
1497 for i
in $
(str_extras_to_space
"$dest_port"); do [ -n "$i" ] && policy_process
"$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$i" "$proto" "$chain" "$uid"; done
1498 elif str_contains
"$proto" '[ ;\{\}]'; then
1499 for i
in $
(str_extras_to_space
"$proto"); do [ -n "$i" ] && policy_process
"$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$i" "$chain" "$uid"; done
1501 if is_tor
"$interface"; then
1502 policy_routing_tor
"$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
1504 policy_routing
"$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
1510 interface_process_tor
() { if is_nft
; then interface_process_tor_nft
"$@"; else interface_process_tor_iptables
"$@"; fi; }
1511 interface_process_tor_iptables
() {
1512 local s
=0 iface
="$1" action
="$2"
1513 local displayText set_name4 set_name6
1514 local dnsPort trafficPort
1517 displayText
="${iface}/53->${dnsPort}/80,443->${trafficPort}"
1518 gatewaySummary
="${gatewaySummary}${displayText}\\n"
1521 for i
in $chainsList; do
1522 i
="$(str_to_upper "$i")"
1523 ipt
-t nat
-D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}"
1524 ipt
-t nat
-F "${nftPrefix}_${i}"; ipt -t nat -X "${nftPrefix}_${i}";
1528 output
2 "Creating TOR redirects "
1529 dnsPort
="$(grep -m1 DNSPort /etc/tor/torrc | awk -F: '{print $2}')"
1530 trafficPort
="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
1531 dnsPort
="${dnsPort:-9053}"; trafficPort
="${trafficPort:-9040}";
1532 for i
in $chainsList; do
1533 ipt
-t nat
-N "${nftPrefix}_${i}"
1534 ipt
-t nat
-A "$i" -m mark
--mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}"
1536 if resolver
'create_resolver_set' "$iface" 'dst' 'ip' && ips
'flush' "$iface" 'dst' 'ip'; then
1537 set_name4
="${ipsPrefix}_${iface}_4_dst_ip"
1538 for i
in $chainsList; do
1539 i
="$(str_to_lower "$i")"
1540 ipt
-t nat
-I "${nftPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst
-j REDIRECT
--to-ports "$dnsPort" -m comment
--comment "TorDNS-UDP" || s
=1
1541 ipt
-t nat
-I "${nftPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst
-j REDIRECT
--to-ports "$trafficPort" -m comment
--comment "TorHTTP-TCP" || s
=1
1542 ipt
-t nat
-I "${nftPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst
-j REDIRECT
--to-ports "$trafficPort" -m comment
--comment "TorHTTP-UDP" || s
=1
1543 ipt
-t nat
-I "${nftPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst
-j REDIRECT
--to-ports "$trafficPort" -m comment
--comment "TorHTTPS-TCP" || s
=1
1544 ipt
-t nat
-I "${nftPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst
-j REDIRECT
--to-ports "$trafficPort" -m comment
--comment "TorHTTPS-UDP" || s
=1
1549 displayText
="${iface}/53->${dnsPort}/80,443->${trafficPort}"
1550 if [ "$s" -eq 0 ]; then
1551 gatewaySummary
="${gatewaySummary}${displayText}\\n"
1554 state add
'errorSummary' 'errorFailedSetup' "$displayText"
1561 interface_process_tor_nft
() {
1562 local s
=0 iface
="$1" action
="$2"
1563 local displayText set_name4 set_name6
1564 local dnsPort trafficPort
1567 displayText
="${iface}/53->${dnsPort}/80,443->${trafficPort}"
1568 gatewaySummary
="${gatewaySummary}${displayText}\\n"
1573 output
2 "Creating TOR redirects "
1574 dnsPort
="$(grep -m1 DNSPort /etc/tor/torrc | awk -F: '{print $2}')"
1575 trafficPort
="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
1576 dnsPort
="${dnsPort:-9053}"; trafficPort
="${trafficPort:-9040}";
1577 if resolver
'create_resolver_set' "$iface" 'dst' 'ip' && nftset
'flush' "$iface" 'dst' 'ip'; then
1578 set_name4
="${nftPrefix}_${iface}_4_dst_ip"
1579 set_name6
="${nftPrefix}_${iface}_6_dst_ip"
1580 nft meta nfproto ipv4 udp daddr
"@${set_name4}" dport
53 counter redirect to
:"$dnsPort" comment
"Tor-DNS-UDP-ipv4" || s
=1
1581 nft meta nfproto ipv4 tcp daddr
"@${set_name4}" dport
80 counter redirect to
:"$trafficPort" comment
"Tor-HTTP-TCP-ipv4" || s
=1
1582 nft meta nfproto ipv4 udp daddr
"@${set_name4}" dport
80 counter redirect to
:"$trafficPort" comment
"Tor-HTTP-UDP-ipv4" || s
=1
1583 nft meta nfproto ipv4 tcp daddr
"@${set_name4}" dport
443 counter redirect to
:"$trafficPort" comment
"Tor-HTTPS-TCP-ipv4" || s
=1
1584 nft meta nfproto ipv4 udp daddr
"@${set_name4}" dport
443 counter redirect to
:"$trafficPort" comment
"Tor-HTTPS-UDP-ipv4" || s
=1
1585 nft6 meta nfproto ipv6 udp daddr
"@${set_name6}" dport
53 counter redirect to
:"$dnsPort" comment
"Tor-DNS-UDP-ipv6" || s
=1
1586 nft6 meta nfproto ipv6 tcp daddr
"@${set_name6}" dport
80 counter redirect to
:"$trafficPort" comment
"Tor-HTTP-TCP-ipv6" || s
=1
1587 nft6 meta nfproto ipv6 udp daddr
"@${set_name6}" dport
80 counter redirect to
:"$trafficPort" comment
"Tor-HTTP-UDP-ipv6" || s
=1
1588 nft6 meta nfproto ipv6 tcp daddr
"@${set_name6}" dport
443 counter redirect to
:"$trafficPort" comment
"Tor-HTTPS-TCP-ipv6" || s
=1
1589 nft6 meta nfproto ipv6 udp daddr
"@${set_name6}" dport
443 counter redirect to
:"$trafficPort" comment
"Tor-HTTPS-UDP-ipv6" || s
=1
1593 displayText
="${iface}/53->${dnsPort}/80,443->${trafficPort}"
1594 if [ "$s" -eq 0 ]; then
1595 gatewaySummary
="${gatewaySummary}${displayText}\\n"
1598 state add
'errorSummary' 'errorFailedSetup' "$displayText"
1606 interface_routing
() {
1607 local action
="$1" tid
="$2" mark
="$3" iface
="$4" gw4
="$5" dev
="$6" gw6
="$7" dev6
="$8" priority
="$9"
1608 local dscp s
=0 i ipv4_error
=1 ipv6_error
=1
1609 if [ -z "$tid" ] ||
[ -z "$mark" ] ||
[ -z "$iface" ]; then
1614 if is_netifd_table
"$iface"; then
1616 $ip_full -4 rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1617 $ip_full -4 rule add fwmark
"${mark}/${fw_mask}" table
"$tid" priority
"$priority" || ipv4_error
=1
1619 nft add chain inet
"$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error
=1
1620 nft add rule inet
"$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error
=1
1621 nft add rule inet
"$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error
=1
1623 ipt
-t mangle
-N "${iptPrefix}_MARK_${mark}" || ipv4_error
=1
1624 ipt
-t mangle
-A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error
=1
1625 ipt
-t mangle
-A "${iptPrefix}_MARK_${mark}" -j RETURN || ipv4_error
=1
1627 if [ -n "$ipv6_enabled" ]; then
1629 $ip_full -6 rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1630 $ip_full -6 rule add fwmark
"${mark}/${fw_mask}" table
"$tid" priority
"$priority" || ipv6_error
=1
1633 sed -i "/${ipTablePrefix}_${iface}/d" /etc
/iproute
2/rt_tables
1634 $ip_full -4 rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1635 $ip_full -4 route flush table
"$tid" >/dev
/null
2>&1
1636 if [ -n "$gw4" ] ||
[ "$strict_enforcement" -ne 0 ]; then
1638 echo "$tid ${ipTablePrefix}_${iface}" >> /etc
/iproute
2/rt_tables
1639 if [ -z "$gw4" ]; then
1640 $ip_full -4 route add unreachable default table
"$tid" >/dev
/null
2>&1 || ipv4_error
=1
1642 $ip_full -4 route add default via
"$gw4" dev
"$dev" table
"$tid" >/dev
/null
2>&1 || ipv4_error
=1
1644 # shellcheck disable=SC2086
1646 i
="$(echo "$i" | sed 's/ linkdown$//')"
1647 i
="$(echo "$i" | sed 's/ onlink$//')"
1648 idev
="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')"
1649 if ! is_supported_iface_dev
"$idev"; then
1650 $ip_full -4 route add
$i table
"$tid" >/dev
/null
2>&1 || ipv4_error
=1
1653 $($ip_full -4 route list table main)
1655 $ip_full -4 rule add fwmark
"${mark}/${fw_mask}" table
"$tid" priority
"$priority" || ipv4_error
=1
1657 nft add chain inet
"$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error
=1
1658 nft add rule inet
"$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error
=1
1659 nft add rule inet
"$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error
=1
1661 ipt
-t mangle
-N "${iptPrefix}_MARK_${mark}" || ipv4_error
=1
1662 ipt
-t mangle
-A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error
=1
1663 ipt
-t mangle
-A "${iptPrefix}_MARK_${mark}" -j RETURN || ipv4_error
=1
1666 if [ -n "$ipv6_enabled" ]; then
1668 $ip_full -6 rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1669 $ip_full -6 route flush table
"$tid" >/dev
/null
2>&1
1670 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } ||
[ "$strict_enforcement" -ne 0 ]; then
1671 if [ -z "$gw6" ] ||
[ "$gw6" = "::/0" ]; then
1672 $ip_full -6 route add unreachable default table
"$tid" || ipv6_error
=1
1673 elif $ip_full -6 route list table main |
grep -q " dev $dev6 "; then
1675 i
="$(echo "$i" | sed 's/ linkdown$//')"
1676 i
="$(echo "$i" | sed 's/ onlink$//')"
1677 $ip_full -6 route add
"$i" table
"$tid" >/dev
/null
2>&1 || ipv6_error
=1
1679 $($ip_full -6 route list table main | grep " dev $dev6 ")
1682 $ip_full -6 route add
"$($ip_full -6 -o a show "$dev6" | awk '{print $4}')" dev
"$dev6" table
"$tid" >/dev
/null
2>&1 || ipv6_error
=1
1683 $ip_full -6 route add default dev
"$dev6" table
"$tid" >/dev
/null
2>&1 || ipv6_error
=1
1686 $ip_full -6 rule add fwmark
"${mark}/${fw_mask}" table
"$tid" priority
"$priority" || ipv6_error
=1
1689 if [ "$ipv4_error" -eq 0 ] ||
[ "$ipv6_error" -eq 0 ]; then
1690 dscp
="$(uci -q get "${packageName}".config."${iface}"_dscp)"
1692 if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
1693 nft add rule inet
"$nftTable" "${nftPrefix}_prerouting ip dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s
=1
1695 if [ "$iface" = "$icmp_interface" ]; then
1696 nft add rule inet
"$nftTable" "${nftPrefix}_output ip protocol icmp goto ${nftPrefix}_mark_${mark}" || s
=1
1699 if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
1700 ipt
-t mangle
-I "${iptPrefix}_PREROUTING" -m dscp --dscp "${dscp}" -g "${iptPrefix}_MARK_${mark}" || s
=1
1702 if [ "$iface" = "$icmp_interface" ]; then
1703 ipt
-t mangle
-I "${iptPrefix}_OUTPUT" -p icmp -g "${iptPrefix}_MARK_${mark}" || s
=1
1712 [ -z "$createUserSets" ] && return 0;
1714 nftset
'create_user_set' "$iface" 'dst' 'ip' 'user' '' "$mark" || s
=1
1715 nftset
'create_user_set' "$iface" 'src' 'ip' 'user' '' "$mark" || s
=1
1716 nftset
'create_user_set' "$iface" 'src' 'mac' 'user' '' "$mark" || s
=1
1718 ips
'create_user_set' "$iface" 'dst' 'ip' 'user' '' "$mark" || s
=1
1719 ips
'create_user_set' "$iface" 'src' 'ip' 'user' '' "$mark" || s
=1
1720 ips
'create_user_set' "$iface" 'dst' 'net' 'user' '' "$mark" || s
=1
1721 ips
'create_user_set' "$iface" 'src' 'net' 'user' '' "$mark" || s
=1
1722 ips
'create_user_set' "$iface" 'src' 'mac' 'user' '' "$mark" || s
=1
1727 $ip_full rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1728 if ! is_netifd_table
"$iface"; then
1729 $ip_full route flush table
"$tid" >/dev
/null
2>&1
1730 sed -i "/${ipTablePrefix}_${iface}/d" /etc
/iproute
2/rt_tables
1735 is_netifd_table
"$iface" && return 0;
1737 $ip_full -4 rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1738 $ip_full -4 route flush table
"$tid" >/dev
/null
2>&1
1739 if [ -n "$gw4" ] ||
[ "$strict_enforcement" -ne 0 ]; then
1740 if [ -z "$gw4" ]; then
1741 $ip_full -4 route add unreachable default table
"$tid" >/dev
/null
2>&1 || ipv4_error
=1
1743 $ip_full -4 route add default via
"$gw4" dev
"$dev" table
"$tid" >/dev
/null
2>&1 || ipv4_error
=1
1745 $ip_full rule add fwmark
"${mark}/${fw_mask}" table
"$tid" priority
"$priority" || ipv4_error
=1
1747 if [ -n "$ipv6_enabled" ]; then
1749 $ip_full -6 rule del fwmark
"${mark}/${fw_mask}" table
"$tid" >/dev
/null
2>&1
1750 $ip_full -6 route flush table
"$tid" >/dev
/null
2>&1
1751 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } ||
[ "$strict_enforcement" -ne 0 ]; then
1752 if [ -z "$gw6" ] ||
[ "$gw6" = "::/0" ]; then
1753 $ip_full -6 route add unreachable default table
"$tid" || ipv6_error
=1
1754 elif $ip_full -6 route list table main |
grep -q " dev $dev6 "; then
1756 $ip_full -6 route add
"$i" table
"$tid" >/dev
/null
2>&1 || ipv6_error
=1
1758 $($ip_full -6 route list table main | grep " dev $dev6 ")
1761 $ip_full -6 route add
"$($ip_full -6 -o a show "$dev6" | awk '{print $4}')" dev
"$dev6" table
"$tid" >/dev
/null
2>&1 || ipv6_error
=1
1762 $ip_full -6 route add default dev
"$dev6" table
"$tid" >/dev
/null
2>&1 || ipv6_error
=1
1765 $ip_full -6 rule add fwmark
"${mark}/${fw_mask}" table
"$tid" priority
"$priority" || ipv6_error
=1
1767 if [ "$ipv4_error" -eq 0 ] ||
[ "$ipv6_error" -eq 0 ]; then
1777 json_add_gateway
() {
1778 local action
="$1" tid
="$2" mark
="$3" iface
="$4" gw4
="$5" dev4
="$6" gw6
="$7" dev6
="$8" priority
="$9" default
="${10}"
1780 json_add_string name
"$iface"
1781 json_add_string device_ipv4
"$dev4"
1782 json_add_string gateway_ipv4
"$gw4"
1783 json_add_string device_ipv6
"$dev6"
1784 json_add_string gateway_ipv6
"$gw6"
1785 if [ -n "$default" ]; then
1786 json_add_boolean default true
1788 json_add_boolean default false
1790 json_add_string action
"$action"
1791 json_add_string table_id
"$tid"
1792 json_add_string mark
"$mark"
1793 json_add_string priority
"$priority"
1797 interface_process
() {
1798 local gw4 gw6 dev dev6 s
=0 dscp iface
="$1" action
="$2" reloadedIface
="$3"
1799 local displayText dispDev dispGw4 dispGw6 dispStatus
1801 if [ "$iface" = 'all' ] && [ "$action" = 'prepare' ]; then
1802 config_load
'network'
1803 ifaceMark
="$(printf '0x%06x' "$wan_mark")"
1804 ifacePriority
="$wan_ip_rules_priority"
1808 is_supported_interface
"$iface" ||
return 0
1809 is_wan6
"$iface" && return 0
1810 [ $
((ifaceMark
)) -gt $
((fw_mask
)) ] && return 1
1812 network_get_device dev
"$iface"
1813 if is_wan
"$iface" && [ -n "$wanIface6" ] && str_contains
"$wanIface6" "$iface"; then
1814 network_get_device dev6
"$wanIface6"
1817 [ -z "$dev6" ] && dev6
="$dev"
1818 [ -z "$ifaceMark" ] && ifaceMark
="$(printf '0x%06x' "$wan_mark")"
1819 [ -z "$ifacePriority" ] && ifacePriority
="$wan_ip_rules_priority"
1821 ifaceTableID
="$(get_rt_tables_id "$iface")"
1822 [ -z "$ifaceTableID" ] && ifaceTableID
="$(get_rt_tables_next_id)"
1823 eval "mark_${iface//-/_}"='$ifaceMark'
1824 eval "tid_${iface//-/_}"='$ifaceTableID'
1825 pbr_get_gateway gw4
"$iface" "$dev"
1826 pbr_get_gateway6 gw6
"$iface" "$dev6"
1827 dispGw4
="${gw4:-0.0.0.0}"
1828 dispGw6
="${gw6:-::/0}"
1829 [ "$iface" != "$dev" ] && dispDev
="$dev"
1830 is_default_dev
"$dev" && dispStatus
="${__OK__}"
1831 displayText
="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
1835 output
2 "Setting up routing for '$displayText' "
1836 if interface_routing
'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" && \
1837 interface_routing
'create_user_set' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
1838 json_add_gateway
'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
1839 gatewaySummary
="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
1842 state add
'errorSummary' 'errorFailedSetup' "$displayText"
1847 # interface_routing 'create_user_set' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"
1850 displayText
="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
1851 output
2 "Removing routing for '$displayText' "
1852 interface_routing
'destroy' "${ifaceTableID}" "${ifaceMark}" "${iface}"
1856 gatewaySummary
="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
1859 if [ "$iface" = "$reloadedIface" ]; then
1860 output
2 "Reloading routing for '$displayText' "
1861 if interface_routing
'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
1862 json_add_gateway
'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
1863 gatewaySummary
="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
1866 state add
'errorSummary' 'errorFailedReload' "$displayText"
1870 gatewaySummary
="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
1874 # ifaceTableID="$((ifaceTableID + 1))"
1875 ifaceMark
="$(printf '0x%06x' $((ifaceMark + wan_mark)))"
1876 ifacePriority
="$((ifacePriority + 1))"
1880 user_file_process
() {
1881 local shellBin
="${SHELL:-/bin/ash}"
1882 [ "$enabled" -gt 0 ] ||
return 0
1883 if [ ! -s "$path" ]; then
1884 state add
'errorSummary' 'errorUserFileNotFound' "$path"
1888 if ! $shellBin -n "$path"; then
1889 state add
'errorSummary' 'ererrorUserFileSyntax' "$path"
1893 output
2 "Running $path "
1894 # shellcheck disable=SC1090
1895 if ! .
"$path"; then
1896 state add
'errorSummary' 'errorUserFileRunning' "$path"
1897 if grep -q -w 'curl' "$path" && ! is_present
'curl'; then
1898 state add
'errorSummary' 'errorUserFileNoCurl' "$path"
1908 on_firewall_reload
() {
1909 if [ -z "$(ubus_get_status 'gateways')" ]; then # service is not running, do not start it on firewall reload
1910 logger
-t "$packageName" "Reload on firewall action aborted: service not running."
1913 rc_procd start_service
'on_firewall_reload' "$1"
1916 on_interface_reload
() { rc_procd start_service
'on_interface_reload' "$1"; }
1919 local resolverStoredHash resolverNewHash i reloadedIface param
="$1"
1920 local createUserSets
1922 load_environment
'on_start' "$(load_validate_config)" ||
return 1
1923 is_wan_up ||
return 1
1924 rm -f "$nftTempFile"
1928 serviceStartTrigger
='on_start'
1931 serviceStartTrigger
='on_start'
1933 on_interface_reload
)
1934 serviceStartTrigger
='on_interface_reload'
1938 serviceStartTrigger
='on_reload'
1941 serviceStartTrigger
='on_start'
1945 if [ -n "$reloadedIface" ] && ! is_supported_interface
"$reloadedIface"; then
1949 if [ -n "$(ubus_get_status error)" ] ||
[ -n "$(ubus_get_status warning)" ]; then
1950 serviceStartTrigger
='on_start'
1952 elif ! is_service_running
; then
1953 serviceStartTrigger
='on_start'
1955 elif [ -z "$(ubus_get_status gateway)" ]; then
1956 serviceStartTrigger
='on_start'
1958 elif [ "$serviceStartTrigger" = 'on_interface_reload' ] && \
1959 [ -z "$(ubus_get_interface "$reloadedIface" 'gateway_4')" ] && \
1960 [ -z "$(ubus_get_interface "$reloadedIface" 'gateway_6')" ]; then
1961 serviceStartTrigger
='on_start'
1964 serviceStartTrigger
="${serviceStartTrigger:-on_start}"
1967 if is_config_enabled
'include'; then
1968 createUserSets
='true'
1971 procd_open_instance
"main"
1972 procd_set_param
command /bin
/true
1973 procd_set_param stdout
1
1974 procd_set_param stderr
1
1977 case $serviceStartTrigger in
1978 on_interface_reload
)
1979 output
1 "Reloading Interface: $reloadedIface "
1980 json_add_array
'gateways'
1981 interface_process
'all' 'prepare'
1982 config_foreach interface_process
'interface' 'reload_interface' "$reloadedIface"
1987 traffic_killswitch
'insert'
1988 resolver
'store_hash'
1989 resolver
'cleanup_all'
1990 resolver
'configure'
1995 for i
in $chainsList; do
1996 i
="$(str_to_upper "$i")"
1997 ipt
-t mangle
-N "${iptPrefix}_${i}"
1998 ipt
-t mangle
"$rule_create_option" "$i" -m mark
--mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
2001 json_add_array
'gateways'
2002 interface_process
'all' 'prepare'
2003 config_foreach interface_process
'interface' 'reload'
2004 interface_process_tor
'tor' 'destroy'
2005 is_tor_running
&& interface_process_tor
'tor' 'reload'
2007 if is_config_enabled
'policy'; then
2008 output
1 'Processing policies '
2009 config_load
"$packageName"
2010 config_foreach load_validate_policy
'policy' policy_process
2013 if is_config_enabled
'include'; then
2014 traffic_killswitch
'remove'
2015 output
1 'Processing user file(s) '
2016 config_load
"$packageName"
2017 config_foreach load_validate_include
'include' user_file_process
2020 resolver
'compare_hash' && resolver
'restart'
2023 resolver
'compare_hash' && resolver
'restart'
2024 traffic_killswitch
'remove'
2028 traffic_killswitch
'insert'
2029 resolver
'store_hash'
2030 resolver
'cleanup_all'
2031 resolver
'configure'
2035 cleanup_marking_chains
2037 for i
in $chainsList; do
2038 i
="$(str_to_upper "$i")"
2039 ipt
-t mangle
-N "${iptPrefix}_${i}"
2040 ipt
-t mangle
"$rule_create_option" "$i" -m mark
--mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
2043 output
1 'Processing interfaces '
2044 json_add_array
'gateways'
2045 interface_process
'all' 'prepare'
2046 config_foreach interface_process
'interface' 'create'
2047 interface_process_tor
'tor' 'destroy'
2048 is_tor_running
&& interface_process_tor
'tor' 'create'
2050 ip route flush cache
2052 if is_config_enabled
'policy'; then
2053 output
1 'Processing policies '
2054 config_load
"$packageName"
2055 config_foreach load_validate_policy
'policy' policy_process
2058 if is_config_enabled
'include'; then
2059 traffic_killswitch
'remove'
2060 output
1 'Processing user file(s) '
2061 config_load
"$packageName"
2062 config_foreach load_validate_include
'include' user_file_process
2065 resolver
'compare_hash' && resolver
'restart'
2068 resolver
'compare_hash' && resolver
'restart'
2069 traffic_killswitch
'remove'
2074 if [ -z "$gatewaySummary" ]; then
2075 state add
'errorSummary' 'errorNoGateways'
2077 json_add_object
'status'
2078 [ -n "$gatewaySummary" ] && json_add_string
'gateways' "$gatewaySummary"
2079 [ -n "$errorSummary" ] && json_add_string
'errors' "$errorSummary"
2080 [ -n "$warningSummary" ] && json_add_string
'warnings' "$warningSummary"
2081 if [ "$strict_enforcement" -ne 0 ] && str_contains
"$gatewaySummary" '0.0.0.0'; then
2082 json_add_string
'mode' "strict"
2086 procd_close_instance
2091 [ -n "$gatewaySummary" ] && output
"$serviceName (nft) started with gateways:\\n${gatewaySummary}"
2093 [ -n "$gatewaySummary" ] && output
"$serviceName (iptables) started with gateways:\\n${gatewaySummary}"
2095 state print
'errorSummary'
2096 state print
'warningSummary'
2097 if [ -n "$errorSummary" ]; then
2099 elif [ -n "$warningSummary" ]; then
2106 service_triggers
() {
2108 load_environment
'on_triggers'
2109 # shellcheck disable=SC2034
2110 PROCD_RELOAD_DELAY
=$
(( procd_reload_delay
* 1000 ))
2112 load_validate_config
2113 load_validate_policy
2114 load_validate_include
2115 procd_close_validate
2117 procd_add_reload_trigger
'openvpn'
2118 procd_add_config_trigger
"config.change" "${packageName}" /etc
/init.d
/${packageName} reload
2119 for n
in $ifacesSupported; do
2120 procd_add_interface_trigger
"interface.*" "$n" /etc
/init.d
/${packageName} on_interface_reload
"$n"
2123 if [ "$serviceStartTrigger" = 'on_start' ]; then
2124 output
3 "$serviceName monitoring interfaces: ${ifacesSupported}\\n"
2130 load_environment
'on_stop'
2131 is_service_running ||
return 0
2132 traffic_killswitch
'insert'
2135 cleanup_marking_chains
2136 output
1 'Resetting interfaces '
2137 config_load
'network'
2138 config_foreach interface_process
'interface' 'destroy'
2139 interface_process_tor
'tor' 'destroy'
2141 ip route flush cache
2144 resolver
'store_hash'
2145 resolver
'cleanup_all'
2146 resolver
'compare_hash' && resolver
'restart'
2147 traffic_killswitch
'remove'
2148 if [ "$enabled" -ne 0 ]; then
2150 output
"$serviceName (nft) stopped "; output_okn
;
2152 output
"$serviceName (iptables) stopped "; output_okn
;
2158 local _SEPARATOR_
='============================================================'
2159 load_environment
'on_status'
2161 status_service_nft
"$@"
2163 status_service_iptables
"$@"
2167 status_service_nft
() {
2168 local i dev dev6 wan_tid
2170 json_load
"$(ubus call system board)"; json_select release
; json_get_var dist distribution
; json_get_var vers version
2171 if [ -n "$wanIface4" ]; then
2172 network_get_gateway wanGW4
"$wanIface4"
2173 network_get_device dev
"$wanIface4"
2175 if [ -n "$wanIface6" ]; then
2176 network_get_device dev6
"$wanIface6"
2177 wanGW6
=$
($ip_full -6 route show |
grep -m1 " dev $dev6 " |
awk '{print $1}')
2178 [ "$wanGW6" = "default" ] && wanGW6
=$
($ip_full -6 route show |
grep -m1 " dev $dev6 " |
awk '{print $3}')
2180 while [ "${1:0:1}" = "-" ]; do param
="${1//-/}"; eval "set_$param=1"; shift; done
2181 [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
2182 status
="$serviceName running on $dist $vers."
2183 [ -n "$wanIface4" ] && status
="$status WAN (IPv4): ${wanIface4}/${dev}/${wanGW4:-0.0.0.0}."
2184 [ -n "$wanIface6" ] && status
="$status WAN (IPv6): ${wanIface6}/${dev6}/${wanGW6:-::/0}."
2187 echo "$packageName - environment"
2190 dnsmasq
--version 2>/dev
/null |
sed '/^$/,$d'
2192 echo "$packageName chains - policies"
2193 for i
in forward input output prerouting postrouting
; do
2194 "$nft" list table inet
"$nftTable" |
sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p"
2197 echo "$packageName chains - marking"
2198 for i
in $
(get_mark_nft_chains
); do
2199 "$nft" list table inet
"$nftTable" |
sed -n "/chain ${i} {/,/\t}/p"
2202 echo "$packageName nft sets"
2203 for i
in $
(get_nft_sets
); do
2204 "$nft" list table inet
"$nftTable" |
sed -n "/set ${i} {/,/\t}/p"
2206 if [ -s "$dnsmasqFile" ]; then
2211 # echo "$_SEPARATOR_"
2212 # ip rule list | grep "${packageName}_"
2214 tableCount
="$(grep -c "${packageName}_
" /etc/iproute2/rt_tables)" || tableCount
=0
2215 wan_tid
=$
(($
(get_rt_tables_next_id
)-tableCount))
2216 i
=0; while [ $i -lt $tableCount ]; do
2217 echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)"
2218 echo "IPv4 table $((wan_tid + i)) rule(s):"
2219 $ip_full -4 rule list table
"$((wan_tid + i))"
2224 status_service_iptables
() {
2225 local dist vers out id s param status set_d set_p tableCount i
=0 dev dev6 j wan_tid
2227 json_load
"$(ubus call system board)"; json_select release
; json_get_var dist distribution
; json_get_var vers version
2228 if [ -n "$wanIface4" ]; then
2229 network_get_gateway wanGW4
"$wanIface4"
2230 network_get_device dev
"$wanIface4"
2232 if [ -n "$wanIface6" ]; then
2233 network_get_device dev6
"$wanIface6"
2234 wanGW6
=$
($ip_full -6 route show |
grep -m1 " dev $dev6 " |
awk '{print $1}')
2235 [ "$wanGW6" = "default" ] && wanGW6
=$
($ip_full -6 route show |
grep -m1 " dev $dev6 " |
awk '{print $3}')
2237 while [ "${1:0:1}" = "-" ]; do param
="${1//-/}"; eval "set_$param=1"; shift; done
2238 [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
2239 status
="$serviceName running on $dist $vers."
2240 [ -n "$wanIface4" ] && status
="$status WAN (IPv4): ${wanIface4}/${dev}/${wanGW4:-0.0.0.0}."
2241 [ -n "$wanIface6" ] && status
="$status WAN (IPv6): ${wanIface6}/${dev6}/${wanGW6:-::/0}."
2245 dnsmasq
--version 2>/dev
/null |
sed '/^$/,$d'
2246 if [ -n "$1" ]; then
2248 echo "Resolving domains"
2250 echo "$i: $(resolveip "$i" | tr '\n' ' ')"
2255 echo "Routes/IP Rules"
2256 tableCount
="$(grep -c "${packageName}_
" /etc/iproute2/rt_tables)" || tableCount
=0
2257 if [ -n "$set_d" ]; then route
; else route |
grep '^default'; fi
2258 if [ -n "$set_d" ]; then ip rule list
; fi
2259 wan_tid
=$
(($
(get_rt_tables_next_id
)-tableCount))
2260 i
=0; while [ $i -lt $tableCount ]; do
2261 echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)"
2262 echo "IPv4 table $((wan_tid + i)) rule(s):"
2263 $ip_full -4 rule list table
"$((wan_tid + i))"
2267 if [ -n "$ipv6_enabled" ]; then
2268 i
=0; while [ $i -lt $tableCount ]; do
2269 $ip_full -6 route show table $
((wan_tid
+ i
)) |
while read -r param
; do
2270 echo "IPv6 Table $((wan_tid + i)): $param"
2276 for j
in Mangle NAT
; do
2277 if [ -z "$set_d" ]; then
2278 for i
in $chainsList; do
2279 i
="$(str_to_upper "$i")"
2280 if iptables
-v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}" >/dev
/null
2>&1; then
2282 echo "$j IP Table: $i"
2283 iptables
-v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}"
2284 if [ -n "$ipv6_enabled" ]; then
2286 echo "$j IPv6 Table: $i"
2287 iptables
-v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}"
2294 iptables
-L -t "$(str_to_lower $j)"
2295 if [ -n "$ipv6_enabled" ]; then
2297 echo "$j IPv6 Table"
2298 iptables
-L -t "$(str_to_lower $j)"
2301 i
=0; ifaceMark
="$wan_mark";
2302 while [ $i -lt $tableCount ]; do
2303 if iptables
-v -t "$(str_to_lower $j)" -S "${iptPrefix}_MARK_${ifaceMark}" >/dev
/null
2>&1; then
2305 echo "$j IP Table MARK Chain: ${iptPrefix}_MARK_${ifaceMark}"
2306 iptables
-v -t "$(str_to_lower $j)" -S "${iptPrefix}_MARK_${ifaceMark}"
2307 ifaceMark
="$(printf '0x%06x' $((ifaceMark + wan_mark)))";
2314 echo "Current ipsets"
2316 if [ -s "$dnsmasqFile" ]; then
2321 if [ -s "$aghIpsetFile" ]; then
2323 echo "AdGuardHome sets"
2327 } |
tee -a /var
/${packageName}-support
2328 if [ -n "$set_p" ]; then
2329 printf "%b" "Pasting to paste.ee... "
2330 if is_present
'curl' && is_variant_installed
'libopenssl' && is_installed
'ca-bundle'; then
2331 json_init
; json_add_string
"description" "${packageName}-support"
2332 json_add_array
"sections"; json_add_object
'0'
2333 json_add_string
"name" "$(uci -q get system.@system[0].hostname)"
2334 json_add_string
"contents" "$(cat /var/${packageName}-support)"
2335 json_close_object
; json_close_array
; payload
=$
(json_dump
)
2336 out
=$
(curl
-s -k "https://api.paste.ee/v1/pastes" -X "POST" -H "Content-Type: application/json" -H "X-Auth-Token:uVOJt6pNqjcEWu7qiuUuuxWQafpHhwMvNEBviRV2B" -d "$payload")
2337 json_load
"$out"; json_get_var id id
; json_get_var s success
2338 [ "$s" = "1" ] && printf "%b" "https://paste.ee/p/$id $__OK__\\n" ||
printf "%b" "$__FAIL__\\n"
2339 [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
2341 printf "%b" "${__FAIL__}\\n"
2342 printf "%b" "${_ERROR_}: The curl, libopenssl or ca-bundle packages were not found!\\nRun 'opkg update; opkg install curl libopenssl ca-bundle' to install them.\\n"
2345 printf "%b" "Your support details have been logged to '/var/${packageName}-support'. $__OK__\\n"
2349 # shellcheck disable=SC2120
2350 load_validate_config
() {
2351 uci_load_validate
"$packageName" "$packageName" "$1" "${2}${3:+ $3}" \
2353 'procd_boot_delay:integer:0' \
2354 'strict_enforcement:bool:1' \
2355 'secure_reload:bool:0' \
2356 'ipv6_enabled:bool:0' \
2357 'resolver_set:or("", "none", "dnsmasq.ipset", "dnsmasq.nftset")' \
2358 'verbosity:range(0,2):1' \
2359 "wan_mark:regex('0x[A-Fa-f0-9]{8}'):0x010000" \
2360 "fw_mask:regex('0x[A-Fa-f0-9]{8}'):0xff0000" \
2361 'icmp_interface:or("","ignore", uci("network", "@interface"))' \
2362 'ignored_interface:list(uci("network", "@interface"))' \
2363 'supported_interface:list(uci("network", "@interface"))' \
2364 'boot_timeout:integer:30' \
2365 'wan_ip_rules_priority:uinteger:30000' \
2366 'rule_create_option:or("", "add", "insert"):add' \
2367 'procd_reload_delay:integer:0' \
2368 'webui_supported_protocol:list(string)'
2371 # shellcheck disable=SC2120
2372 load_validate_policy
() {
2382 uci_load_validate
"$packageName" 'policy' "$1" "${2}${3:+ $3}" \
2383 'name:string:Untitled' \
2385 'interface:or(uci("network", "@interface"),"ignore"):wan' \
2386 'proto:or(string)' \
2387 'chain:or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING"):prerouting' \
2388 'src_addr:list(neg(or(host,network,macaddr,string)))' \
2389 'src_port:list(neg(or(portrange,string)))' \
2390 'dest_addr:list(neg(or(host,network,string)))' \
2391 'dest_port:list(neg(or(portrange,string)))'
2394 # shellcheck disable=SC2120
2395 load_validate_include
() {
2398 uci_load_validate
"$packageName" 'include' "$1" "${2}${3:+ $3}" \