github-mirror/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2026-03-12 08:11:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

autohostlist mode

Browse Source
This commit is contained in:
bol-van
2023-10-26 15:12:32 +03:00
parent 6f3a814f73
commit ac574ce2ce
63 changed files with 1584 additions and 573 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
common/linux_fw.sh
View File

@@ -1,3 +1,7 @@
set_conntrack_liberal_mode()
{
[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=$1
}
zapret_do_firewall()
{
linux_fwtype
@@ -14,6 +18,13 @@ zapret_do_firewall()
;;
esac
# russian DPI sends RST,ACK with wrong ACK.
# this is sometimes treated by conntrack as invalid and connbytes fw rules do not pass RST packet to nfqws.
# swith on liberal mode on zapret firewall start and switch off on zapret firewall stop
# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode $1
[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK