nftables support

blockcheck.sh

@@ -4,6 +4,12 @@ EXEDIR="$(dirname "$0")"
 EXEDIR="$(cd "$EXEDIR"; pwd)"
 ZAPRET_BASE="$EXEDIR"
 
+[ -f "$ZAPRET_BASE/config" ] && . "$ZAPRET_BASE/config"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/dialog.sh"
+. "$ZAPRET_BASE/common/elevate.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+
 [ -n "$QNUM" ] || QNUM=59780
 [ -n "$TPPORT" ] || TPPORT=993
 [ -n "$TPWS_UID" ] || TPWS_UID=1
@@ -32,14 +38,6 @@ DNSCHECK_DIG2=/tmp/dig2.txt
 DNSCHECK_DIGS=/tmp/digs.txt
 
 
-exists()
-{
-	which $1 >/dev/null 2>/dev/null
-}
-whichq()
-{
-	which $1 2>/dev/null
-}
 killwait()
 {
 	# $1 - signal (-9, -2, ...)
@@ -59,53 +57,6 @@ exitp()
 	exit $1
 }
 
-read_yes_no()
-{
-	# $1 - default (Y/N)
-	local A
-	read A
-	[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
-	[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
-}
-ask_yes_no()
-{
-	# $1 - default (Y/N or 0/1)
-	# $2 - text
-	local DEFAULT=$1
-	[ "$1" = "1" ] && DEFAULT=Y
-	[ "$1" = "0" ] && DEFAULT=N
-	[ -z "$DEFAULT" ] && DEFAULT=N
-	$ECHON "$2 (default : $DEFAULT) (Y/N) ? "
-	read_yes_no $DEFAULT
-}
-ask_yes_no_var()
-{
-	# $1 - variable name for answer : 0/1
-	# $2 - text
-	local DEFAULT
-	eval DEFAULT="\$$1"
-	if ask_yes_no "$DEFAULT" "$2"; then
-		eval $1=1
-	else
-		eval $1=0
-	fi
-}
-
-
-require_root()
-{
-	local exe
-	echo \* checking privileges
-	[ $(id -u) -ne "0" ] && {
-		echo root is required
-		exe="$EXEDIR/$(basename "$0")"
-		exists sudo && exec sudo "$exe"
-		exists su && exec su root -c "$exe"
-		echo su or sudo not found
-		exitp 2
-	}
-}
-
 IPT()
 {
 	$IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@"
@@ -165,29 +116,11 @@ check_system()
 		Linux)
 			PKTWS="$NFQWS"
 			PKTWSD=nfqws
-			local INIT=$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)
-			[ -L "$INIT" ] && INIT=$(readlink "$INIT")
-			INIT=$(basename "$INIT")
-			if [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then
-				SUBSYS=openwrt
-				# new openwrt version abandon iptables and use nftables instead
-				# no iptables/ip6tables/ipt-kmods are installed by default
-				# fw4 firewall is used, fw3 is symbolic link to fw4
-				# no more firewall includes
-				# make sure nft was not just installed by user but all the system is based on fw4
-				if [ -x /sbin/fw4 ] && exists nft && [ "$FWTYPE" != "iptables" ] ; then
-					FWTYPE=nftables
-				else
-					FWTYPE=iptables
-				fi
-			else
-				# generic linux
-				if exists nft && [ "$FWTYPE" != "iptables" ]; then
-					FWTYPE=nftables
-				else
-					FWTYPE=iptables
-				fi
-			fi
+			linux_fwtype
+			[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
+				echo firewall type $FWTYPE not supported in $UNAME
+				exitp 5
+			}
 			;;
 		FreeBSD)
 			PKTWS="$DVTWS"
@@ -403,10 +336,10 @@ pktws_ipt_prepare()
 		nftables)
 			nft add table inet $NFT_TABLE
 			[ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ] && {
-				nft "add chain inet $NFT_TABLE predefrag { type filter hook output priority -401; }"
+				nft "add chain inet $NFT_TABLE predefrag { type filter hook output priority -402; }"
 				nft "add rule inet $NFT_TABLE predefrag meta nfproto ipv${IPV} exthdr frag exists notrack"
 			}
-			nft "add chain inet $NFT_TABLE premangle { type filter hook output priority -151; }"
+			nft "add chain inet $NFT_TABLE premangle { type filter hook output priority -152; }"
 			nft "add rule inet $NFT_TABLE premangle meta nfproto ipv${IPV} tcp dport $1 mark and 0x40000000 != 0x40000000 queue num $QNUM bypass"
 			;;
 		ipfw)
@@ -447,7 +380,7 @@ tpws_ipt_prepare()
 		nftables)
 			nft add table inet $NFT_TABLE
 			# -101 = pre dstnat
-			nft "add chain inet $NFT_TABLE output { type nat hook output priority -101; }"
+			nft "add chain inet $NFT_TABLE output { type nat hook output priority -102; }"
 			nft "add rule inet $NFT_TABLE output tcp dport $1 skuid != $TPWS_UID dnat ip${IPVV} to $LOCALHOST_IPT:$TPPORT"
 			;;
 		ipfw)
@@ -801,9 +734,7 @@ configure_curl_opt()
 
 linux_ipv6_defrag_can_be_disabled()
 {
-	local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version)
-	local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version)
-	[ -n "$V1" -a -n "$V2" ] && [ "$V1" -gt 4 -o "$V1" = 4 -a "$V2" -ge 16 ]
+	linux_min_version 4 16
 }
 
 configure_defrag()
@@ -836,7 +767,7 @@ configure_defrag()
 			fi
 			[ -n "$IP6_DEFRAG_DISABLE" ] && {
 				local ipexe="$(readlink -f $(whichq ip6tables))"
-				if [ "${ipexe#*nft}" != "$ipexe" ]; then
+				if contains "$ipexe" nft; then
 					echo "WARNING ! ipv6 ipfrag tests may have no effect if ip6tables-nft is used. current ip6tables point to : $ipexe"
 				else
 					echo "WARNING ! ipv6 ipfrag tests may have no effect if ip6table_raw kernel module is not loaded with parameter : raw_before_defrag=1"

common/base.sh

@@ -0,0 +1,135 @@
+exists()
+{
+	which "$1" >/dev/null 2>/dev/null
+}
+existf()
+{
+	type "$1" >/dev/null 2>/dev/null
+}
+whichq()
+{
+	which $1 2>/dev/null
+}
+exist_all()
+{
+	while [ -n "$1" ]; do
+		exists "$1" || return 1
+		shift
+	done
+	return 0
+}
+on_off_function()
+{
+	# $1 : function name on
+	# $2 : function name off
+	# $3 : 0 - off, 1 - on
+	local F="$1"
+	[ "$3" = "1" ] || F="$2"
+	shift
+	shift
+	shift
+	"$F" "$@"
+}
+contains()
+{
+	# check if substring $2 contains in $1
+	[ "${1#*$2}" != "$1" ]
+}
+find_str_in_list()
+{
+	[ -n "$1" ] && {
+		for v in $2; do
+			[ "$v" = "$1" ] && return 0
+		done
+	}
+	return 1
+}
+end_with_newline()
+{
+	local c=$(tail -c 1)
+	[ "$c" = "" ]
+}
+make_separator_list()
+{
+	# $1 - var name to receive result
+	# $2 - separator
+	# $3,$4,... - elements
+	local var="$1" sep="$2" i
+
+	shift; shift
+	while [ -n "$1" ]; do
+		if [ -n "$i" ] ; then
+			i=$i$sep$1
+		else
+			i=$1
+		fi
+		shift
+	done
+	eval $var=$i
+}
+make_comma_list()
+{
+	# $1 - var name to receive result
+	# $2,$3,... - elements
+	local var="$1"
+	shift
+	make_separator_list $var , "$@"
+}
+
+is_linked_to_busybox()
+{
+	local IFS F P
+
+	IFS=:
+	for path in $PATH; do
+		F=$path/$1
+		P="$(readlink $F)"
+		if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi
+		[ "${P%busybox*}" != "$P" ] && return
+	done
+}
+get_dir_inode()
+{
+	local dir="$1"
+	[ -L "$dir" ] && dir=$(readlink "$dir")
+	ls -id "$dir" | awk '{print $1}'
+}
+
+linux_min_version()
+{
+	# $1 - major ver
+	# $2 - minor ver
+	local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version)
+	local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version)
+	[ -n "$V1" -a -n "$V2" ] && [ "$V1" -gt "$1" -o "$V1" -eq "$1" -a "$V2" -ge "$2" ]
+}
+linux_get_subsys()
+{
+	local INIT=$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)
+
+	[ -L "$INIT" ] && INIT=$(readlink "$INIT")
+	INIT=$(basename "$INIT")
+	if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ] ; then
+		SUBSYS=openwrt
+	else
+		# generic linux
+		SUBSYS=
+	fi
+}
+openwrt_fw3()
+{
+	[ ! -x /sbin/fw4 -a -x /sbin/fw3 ]
+}
+openwrt_fw4()
+{
+	[ -x /sbin/fw4 ]
+}
+openwrt_fw3_integration()
+{
+	[ "$FWTYPE" = iptables ] && openwrt_fw3
+}
+
+create_dev_stdin()
+{
+	[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
+}

common/dialog.sh

@@ -0,0 +1,58 @@
+read_yes_no()
+{
+	# $1 - default (Y/N)
+	local A
+	read A
+	[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
+	[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
+}
+ask_yes_no()
+{
+	# $1 - default (Y/N or 0/1)
+	# $2 - text
+	local DEFAULT=$1
+	[ "$1" = "1" ] && DEFAULT=Y
+	[ "$1" = "0" ] && DEFAULT=N
+	[ -z "$DEFAULT" ] && DEFAULT=N
+	printf "$2 (default : $DEFAULT) (Y/N) ? "
+	read_yes_no $DEFAULT
+}
+ask_yes_no_var()
+{
+	# $1 - variable name for answer : 0/1
+	# $2 - text
+	local DEFAULT
+	eval DEFAULT="\$$1"
+	if ask_yes_no "$DEFAULT" "$2"; then
+		eval $1=1
+	else
+		eval $1=0
+	fi
+}
+ask_list()
+{
+	# $1 - mode var
+	# $2 - space separated value list
+	# $3 - (optional) default value
+	local M_DEFAULT
+	eval M_DEFAULT="\$$1"
+	local M_ALL=$M_DEFAULT
+	local M=""
+	local m
+
+	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
+
+	n=1
+	for m in $2; do
+		echo $n : $m
+		n=$(($n+1))
+	done
+	printf "your choice (default : $M_DEFAULT) : "
+	read m
+	[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
+	[ -z "$M" ] && M="$M_DEFAULT"
+	echo selected : $M
+	eval $1="\"$M\""
+
+	[ "$M" != "$M_OLD" ]
+}

common/elevate.sh

@@ -0,0 +1,13 @@
+require_root()
+{
+	local exe
+	echo \* checking privileges
+	[ $(id -u) -ne "0" ] && {
+		echo root is required
+		exe="$EXEDIR/$(basename "$0")"
+		exists sudo && exec sudo "$exe"
+		exists su && exec su root -c "$exe"
+		echo su or sudo not found
+		exitp 2
+	}
+}