|
|
@@ -7,7 +7,7 @@ Usage: start-transparent.sh [-v|--verbose] [--enable-udp] [--capture-uid UID] [c
|
|
|
|
|
|
Options:
|
|
|
-v, --verbose 启动后实时输出 mynetspeeder 日志
|
|
|
- --capture-uid UID 只接管该 UID 发起的 TCP 出站
|
|
|
+ --capture-uid UID 指定时只接管该 UID;不指定时接管所有用户流量
|
|
|
--enable-udp 额外启用 UDP 透明接管(实验性,默认关闭)
|
|
|
-h, --help 显示帮助
|
|
|
EOF
|
|
|
@@ -47,8 +47,7 @@ CHAIN6="MYNETSPEEDER6"
|
|
|
|
|
|
if [[ $EUID -ne 0 ]]; then echo "need root"; exit 1; fi
|
|
|
if [[ ! -f "$CONFIG_PATH" ]]; then echo "config not found: $CONFIG_PATH"; exit 1; fi
|
|
|
-if [[ -z "$CAPTURE_UID" ]]; then echo "refusing unsafe global capture"; exit 1; fi
|
|
|
-if ! [[ "$CAPTURE_UID" =~ ^[0-9]+$ ]]; then echo "capture uid must be numeric"; exit 1; fi
|
|
|
+if [[ -n "$CAPTURE_UID" ]] && ! [[ "$CAPTURE_UID" =~ ^[0-9]+$ ]]; then echo "capture uid must be numeric"; exit 1; fi
|
|
|
|
|
|
id -u "$RUNTIME_USER" >/dev/null 2>&1 || useradd --system --no-create-home --shell /usr/sbin/nologin "$RUNTIME_USER"
|
|
|
mkdir -p /var/log
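Review bot: Omitting --capture-uid now silently selects the all-users mode that the removed check on line 53 used to reject as unsafe, so a forgotten flag REDIRECTs the TCP egress of every local process, root included. Consider keeping the empty-UID rejection and making global capture an explicit opt-in, e.g. `if [[ -z "$CAPTURE_UID" && "$CAPTURE_ALL" != "1" ]]; then echo "refusing global capture without --capture-all"; exit 1; fi`, with a matching option parsed next to the existing flags (the option parsing is outside this hunk, so the variable name is a suggestion). The numeric check that survives on line 61 is fine for the UID-given case.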
|
|
|
@@ -81,10 +80,18 @@ for relay in cfg.get('relays', []):
|
|
|
print(relay['host'])
|
|
|
PY
|
|
|
)
|
|
|
-iptables -t nat -A "$CHAIN4" -p tcp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
+ iptables -t nat -A "$CHAIN4" -p tcp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+else
|
|
|
+ iptables -t nat -A "$CHAIN4" -p tcp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+fi
|
|
|
iptables -t nat -C OUTPUT -p tcp -j "$CHAIN4" 2>/dev/null || iptables -t nat -A OUTPUT -p tcp -j "$CHAIN4"
|
|
|
if [[ "$ENABLE_UDP" == "1" ]]; then
|
|
|
- iptables -t nat -A "$CHAIN4" -p udp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
+ iptables -t nat -A "$CHAIN4" -p udp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ else
|
|
|
+ iptables -t nat -A "$CHAIN4" -p udp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ fi
|
|
|
iptables -t nat -C OUTPUT -p udp -j "$CHAIN4" 2>/dev/null || iptables -t nat -A OUTPUT -p udp -j "$CHAIN4"
|
|
|
fi
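Review bot: The all-users branch on line 108 has no exemption for the proxy's own connections, whereas the --uid-owner form never matched RUNTIME_USER's traffic; if the rules above this hunk only RETURN the relay hosts printed by the Python snippet, any other outbound TCP the proxy opens as RUNTIME_USER is redirected back into its own listener. Add `iptables -t nat -A "$CHAIN4" -p tcp -m owner --uid-owner "$RUNTIME_USER" -j RETURN` before the unconditional REDIRECT on line 108, and the `-p udp` equivalent before line 140; the same applies to the two ip6tables branches in the next hunk. Whether loopback traffic is already excluded earlier in $CHAIN4 is not visible here; if it is not, an `-o lo -j RETURN` rule is needed too. The four identical if/else blocks would also read better as one helper, e.g. `add_redirect() { local ipt=$1 chain=$2 proto=$3; ... }` called once per tool and protocol.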
|
|
|
|
|
|
@@ -102,16 +109,28 @@ for relay in cfg.get('relays', []):
|
|
|
print(relay['host'])
|
|
|
PY
|
|
|
)
|
|
|
- ip6tables -t nat -A "$CHAIN6" -p tcp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
+ ip6tables -t nat -A "$CHAIN6" -p tcp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ else
|
|
|
+ ip6tables -t nat -A "$CHAIN6" -p tcp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ fi
|
|
|
ip6tables -t nat -C OUTPUT -p tcp -j "$CHAIN6" 2>/dev/null || ip6tables -t nat -A OUTPUT -p tcp -j "$CHAIN6"
|
|
|
if [[ "$ENABLE_UDP" == "1" ]]; then
|
|
|
- ip6tables -t nat -A "$CHAIN6" -p udp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
+ ip6tables -t nat -A "$CHAIN6" -p udp -m owner --uid-owner "$CAPTURE_UID" -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ else
|
|
|
+ ip6tables -t nat -A "$CHAIN6" -p udp -j REDIRECT --to-ports "$LISTEN_PORT"
|
|
|
+ fi
|
|
|
ip6tables -t nat -C OUTPUT -p udp -j "$CHAIN6" 2>/dev/null || ip6tables -t nat -A OUTPUT -p udp -j "$CHAIN6"
|
|
|
fi
|
|
|
fi
|
|
|
|
|
|
echo "mynetspeeder transparent mode started on ${LISTEN_HOST}:${LISTEN_PORT}"
|
|
|
-echo "capture uid: $CAPTURE_UID"
|
|
|
+if [[ -n "$CAPTURE_UID" ]]; then
|
|
|
+ echo "capture uid: $CAPTURE_UID"
|
|
|
+else
|
|
|
+ echo "capture uid: all users"
|
|
|
+fi
|
|
|
echo "udp capture: $ENABLE_UDP"
|
|
|
echo "log file: $LOG_FILE"
|
|
|
echo "log max: ${LOG_MAX_MB}MB x ${LOG_BACKUPS}"
|