//go:build linux
package tun
import (
	"os"
	"os/exec"
	"strconv"
	"strings"

	"github.com/sagernet/nftables"
	E "github.com/sagernet/sing/common/exceptions"
	"github.com/sagernet/sing/common/shell"
)
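// configureOpenWRTFirewall4 installs (or, when cleanup is true, removes) an
// fw4 include file under /etc/nftables.d that accepts traffic entering or
// leaving the tun interface in fw4's input and forward chains, then runs
// `fw4 reload` so the change takes effect.
//
// It is a deliberate no-op (returns nil) when there is no inet "fw4" table
// or no fw4 binary on PATH, so callers may invoke it unconditionally on any
// Linux host; only OpenWrt-style systems are touched.
//
// Parameters:
//   - nft: an open nftables connection, used only to probe for the fw4 table.
//   - cleanup: false installs the include file, true removes it if present.
//
// Returns nil on success or when there is nothing to do. Otherwise the error
// describes the rejected name, the file write/remove, or the fw4 reload (the
// reload error carries fw4's output).
func (r *autoRedirect) configureOpenWRTFirewall4(nft *nftables.Conn, cleanup bool) error {
	// No fw4 table: this is not an fw4-managed firewall, nothing to integrate.
	if _, err := nft.ListTableOfFamily("fw4", nftables.TableFamilyINet); err != nil {
		return nil
	}
	// Table exists but the reloader is missing: treated the same as "not fw4".
	fw4Path, err := exec.LookPath("fw4")
	if err != nil {
		return nil
	}

	// Both names are spliced verbatim into nft syntax, and tableName also
	// into a file name. Refuse characters that would end the quoted string,
	// start another nft statement, or escape the include directory. nft string
	// literals have no escape syntax, so such names could not be written
	// correctly anyway; failing here yields a clear error instead of a
	// cryptic "fw4 reload" failure. (The names come from configuration, so
	// this is defence in depth rather than a trust boundary.)
	if err := checkFW4RuleName("tun interface name", r.tunOptions.Name); err != nil {
		return err
	}
	if err := checkFW4RuleName("table name", r.tableName); err != nil {
		return err
	}

	// "0-" sorts the include ahead of other user includes; the "!<table>:"
	// comment tag marks the rules as ours for later identification.
	rulePath := "/etc/nftables.d/0-" + r.tableName + "-auto-redirect.nft"

	if cleanup {
		err = os.Remove(rulePath)
		if os.IsNotExist(err) {
			// Never installed (or already cleaned up): nothing to reload.
			return nil
		}
		if err != nil {
			return E.Cause(err, "clean fw4 rules")
		}
	} else {
		// NOTE(review): these declarations reuse fw4's own base-chain names
		// (input/forward) inside table inet fw4 with "policy accept". Whether
		// that policy overrides the one fw4 configures depends on where fw4
		// places the /etc/nftables.d include relative to its own chain
		// definitions - confirm with `nft list chain inet fw4 input` after a
		// reload. The oifname rule in the input hook has no output interface
		// to match against and is presumably inert; it is kept as upstream
		// wrote it.
		rules := `chain input {
	type filter hook input priority filter; policy accept;
	iifname "` + r.tunOptions.Name + `" counter accept comment "!` + r.tableName + `: Accept traffic from tun"
	oifname "` + r.tunOptions.Name + `" counter accept comment "!` + r.tableName + `: Accept traffic from tun"
}
chain forward {
	type filter hook forward priority filter; policy accept;
	iifname "` + r.tunOptions.Name + `" counter accept comment "!` + r.tableName + `: Accept traffic from tun"
	oifname "` + r.tunOptions.Name + `" counter accept comment "!` + r.tableName + `: Accept traffic from tun"
}
`
		// Write to a sibling temp file (outside fw4's *.nft glob) and rename it
		// into place, so a reload triggered independently of us (e.g. by an
		// OpenWrt hotplug event) never parses a half-written include. 0o644 is
		// fine: the rules are not secret, and the directory is root-owned.
		tmpPath := rulePath + ".tmp"
		if err = os.WriteFile(tmpPath, []byte(rules), 0o644); err != nil {
			return E.Cause(err, "write fw4 rules")
		}
		if err = os.Rename(tmpPath, rulePath); err != nil {
			_ = os.Remove(tmpPath) // best effort: do not leave a stray file behind
			return E.Cause(err, "write fw4 rules")
		}
	}

	// Apply the change; on failure surface fw4's own output, which is where
	// nft syntax errors in the include are reported.
	output, err := shell.Exec(fw4Path, "reload").Read()
	if err != nil {
		return E.Extend(E.Cause(err, "reload fw4 rules"), output)
	}
	return nil
}

// checkFW4RuleName rejects a value that cannot be embedded safely in the
// generated fw4 include: a double quote would terminate the nft string
// literal (nft has no escape for it), a line break would begin a new nft
// statement, and a slash would turn the include's file name into a path.
// what names the value in the returned error.
func checkFW4RuleName(what, value string) error {
	if strings.ContainsAny(value, "\"\n\r/") {
		return E.New("invalid " + what + " for fw4 rules: " + strconv.Quote(value))
	}
	return nil
}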