|
|
@@ -47,6 +47,7 @@ LISTEN_PORT="${MYNETSPEEDER_LISTEN_PORT:-19080}"
|
|
|
RUNTIME_USER="${MYNETSPEEDER_USER:-mynetspeeder}"
|
|
|
PID_FILE="/var/run/mynetspeeder-edge.pid"
|
|
|
SOCKS_PID_FILE="/var/run/mynetspeeder-socks.pid"
|
|
|
+IPTABLES_WATCHDOG_PID_FILE="/var/run/mynetspeeder-iptables-watchdog.pid"
|
|
|
LOG_FILE="/var/log/mynetspeeder-edge.log"
|
|
|
SOCKS_LOG_FILE="/var/log/mynetspeeder-socks.log"
|
|
|
LOG_MAX_MB="${MYNETSPEEDER_LOG_MAX_MB:-50}"
|
|
|
@@ -111,6 +112,35 @@ ensure_rule() {
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
+ensure_first_rule() {
|
|
|
+ local cmd="$1"
|
|
|
+ local table="$2"
|
|
|
+ local chain="$3"
|
|
|
+ shift 3
|
|
|
+ if ! "$cmd" -t "$table" -C "$chain" "$@" >/dev/null 2>&1; then
|
|
|
+ "$cmd" -t "$table" -I "$chain" 1 "$@"
|
|
|
+ fi
|
|
|
+}
|
|
|
+
|
|
|
+start_iptables_watchdog() {
|
|
|
+ (
|
|
|
+ while true; do
|
|
|
+ sleep 5
|
|
|
+ ensure_first_rule iptables nat OUTPUT -p tcp -j "$CHAIN4" || true
|
|
|
+ if [[ "$UDP_CAPTURE_EFFECTIVE" == "1" ]]; then
|
|
|
+ ensure_first_rule iptables nat OUTPUT -p udp -j "$CHAIN4" || true
|
|
|
+ fi
|
|
|
+ if [[ "${IP6_ENABLED:-0}" == "1" && "${IP6_NAT_SUPPORTED:-0}" == "1" ]]; then
|
|
|
+ ensure_first_rule ip6tables nat OUTPUT -p tcp -j "$CHAIN6" || true
|
|
|
+ if [[ "$UDP_CAPTURE_EFFECTIVE" == "1" ]]; then
|
|
|
+ ensure_first_rule ip6tables nat OUTPUT -p udp -j "$CHAIN6" || true
|
|
|
+ fi
|
|
|
+ fi
|
|
|
+ done
|
|
|
+ ) >/dev/null 2>&1 &
|
|
|
+ echo $! > "$IPTABLES_WATCHDOG_PID_FILE"
|
|
|
+}
|
|
|
+
|
|
|
add_exclusions_v4() {
|
|
|
iptables -t nat -A "$CHAIN4" -m addrtype --dst-type LOCAL -j RETURN
|
|
|
for cidr in $SELF_EXCLUDE_V4; do
|
|
|
@@ -207,7 +237,7 @@ if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
else
|
|
|
iptables -t nat -A "$CHAIN4" -p tcp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
fi
|
|
|
-ensure_rule iptables nat OUTPUT -p tcp -j "$CHAIN4"
|
|
|
+ensure_first_rule iptables nat OUTPUT -p tcp -j "$CHAIN4"
|
|
|
if [[ "$UDP_CAPTURE_EFFECTIVE" == "1" ]]; then
|
|
|
add_udp_exclusions_v4
|
|
|
if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
@@ -215,7 +245,7 @@ if [[ "$UDP_CAPTURE_EFFECTIVE" == "1" ]]; then
|
|
|
else
|
|
|
iptables -t nat -A "$CHAIN4" -p udp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
fi
|
|
|
- ensure_rule iptables nat OUTPUT -p udp -j "$CHAIN4"
|
|
|
+ ensure_first_rule iptables nat OUTPUT -p udp -j "$CHAIN4"
|
|
|
fi
|
|
|
|
|
|
IP6_ENABLED=0
|
|
|
@@ -226,21 +256,21 @@ if command -v ip6tables >/dev/null 2>&1; then
|
|
|
IP6_NAT_SUPPORTED=1
|
|
|
ip6tables -t nat -N "$CHAIN6" 2>/dev/null || true
|
|
|
ip6tables -t nat -F "$CHAIN6"
|
|
|
+ ensure_first_rule ip6tables nat OUTPUT -p tcp -j "$CHAIN6"
|
|
|
add_exclusions_v6
|
|
|
if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
ip6tables -t nat -A "$CHAIN6" -p tcp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
else
|
|
|
ip6tables -t nat -A "$CHAIN6" -p tcp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
fi
|
|
|
- ensure_rule ip6tables nat OUTPUT -p tcp -j "$CHAIN6"
|
|
|
if [[ "$UDP_CAPTURE_EFFECTIVE" == "1" ]]; then
|
|
|
+ ensure_first_rule ip6tables nat OUTPUT -p udp -j "$CHAIN6"
|
|
|
add_udp_exclusions_v6
|
|
|
if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
ip6tables -t nat -A "$CHAIN6" -p udp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
else
|
|
|
ip6tables -t nat -A "$CHAIN6" -p udp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
fi
|
|
|
- ensure_rule ip6tables nat OUTPUT -p udp -j "$CHAIN6"
|
|
|
fi
|
|
|
else
|
|
|
echo "ipv6 nat unavailable: ip6tables nat table not supported, skip ipv6 transparent rules"
|
|
|
@@ -263,6 +293,8 @@ if [[ "$IP6_ENABLED" == "1" && "$IP6_NAT_SUPPORTED" == "1" ]]; then
|
|
|
fi
|
|
|
fi
|
|
|
|
|
|
+start_iptables_watchdog
|
|
|
+
|
|
|
echo "mynetspeeder transparent mode started on ${LISTEN_HOST}:${LISTEN_PORT}"
|
|
|
echo "kernel mode: $KERNEL_MODE"
|
|
|
echo "iptables backend: $IPTABLES_BACKEND"
|
Gogs