#!/bin/sh

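# Make sure the "nonevpn" group (gid 65533) exists. The firewall rules
# installed below (iptables "-m owner --gid-owner 65533" / nftables
# "skgid 65533") key on this gid, so it must be present before they apply.
# Anchor the match on the group name: a plain substring match would also hit
# a group that merely lists "nonevpn" somewhere else on the line and skip
# creating the group.
grep -q '^nonevpn:' /etc/group || echo nonevpn:x:65533:root >>/etc/group

# When service_policy is on, run the listed services under the nonevpn group
# by injecting "procd_set_param group nonevpn" after each procd_open_instance.
if [ "$(uci -q get vpnpolicy.global.service_policy)" = 1 ]; then
	services="gl_mqtt sysntpd"
	for item in $services; do
		init="/etc/init.d/$item"
		# A service that is not installed has no init script; grep would
		# complain and sed -i would fail on the missing file.
		[ -f "$init" ] || continue
		# Patch once only: the injected line itself is the marker.
		if ! grep -q 'group nonevpn' "$init"; then
			sed -i "/procd_open_instance/a procd_set_param group nonevpn" "$init"
		fi
	done
fi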

# Create the fw3 (iptables) "process_mark" rule: packets from sockets owned
# by gid 65533 (the nonevpn group) get mark bit 0x80000 set.
# Globals: none. Outputs: staged uci changes in the firewall config (not
# committed here). Returns: status of "uci batch".
fix_process_mark() {
	local rule=firewall.process_mark
	uci -q batch <<-EOF
		set ${rule}=rule
		set ${rule}.name='process_mark'
		set ${rule}.dest='*'
		set ${rule}.proto='all'
		set ${rule}.extra='-m owner --gid-owner 65533'
		set ${rule}.target='MARK'
		set ${rule}.set_xmark='0x80000/0x80000'
	EOF
}

# Install the three fw3 rules that carry the 0x80000 mark across a
# connection: wan_in_conn_mark stamps the connmark on connections arriving
# from wan, the two *_restore rules copy that connmark back onto packets
# entering from lan and onto locally generated (no src zone) packets.
# All three are created enabled='1'; fix_fix_port_foward later adjusts them.
# Returns: status of the last "uci batch".
fix_port_foward() {
	local mark='0x80000/0x80000'
	local restore="-m connmark --mark ${mark} -j CONNMARK --restore-mark"

	uci -q batch <<-EOF
		set firewall.wan_in_conn_mark=rule
		set firewall.wan_in_conn_mark.name='wan_in_conn_mark'
		set firewall.wan_in_conn_mark.src='wan'
		set firewall.wan_in_conn_mark.dest='*'
		set firewall.wan_in_conn_mark.set_xmark='${mark}'
		set firewall.wan_in_conn_mark.target='MARK'
		set firewall.wan_in_conn_mark.extra='-j CONNMARK --set-xmark ${mark}'
		set firewall.wan_in_conn_mark.enabled='1'
	EOF

	uci -q batch <<-EOF
		set firewall.lan_in_conn_mark_restore=rule
		set firewall.lan_in_conn_mark_restore.name='lan_in_conn_mark_restore'
		set firewall.lan_in_conn_mark_restore.src='lan'
		set firewall.lan_in_conn_mark_restore.dest='*'
		set firewall.lan_in_conn_mark_restore.set_xmark='${mark}'
		set firewall.lan_in_conn_mark_restore.target='MARK'
		set firewall.lan_in_conn_mark_restore.extra='${restore}'
		set firewall.lan_in_conn_mark_restore.enabled='1'
		set firewall.out_conn_mark_restore=rule
		set firewall.out_conn_mark_restore.name='out_conn_mark_restore'
		set firewall.out_conn_mark_restore.dest='*'
		set firewall.out_conn_mark_restore.set_xmark='${mark}'
		set firewall.out_conn_mark_restore.target='MARK'
		set firewall.out_conn_mark_restore.extra='${restore}'
		set firewall.out_conn_mark_restore.enabled='1'
	EOF
}

# Follow-up to fix_port_foward: narrow wan_in_conn_mark so it only stamps
# packets whose mark is clear in the 0x3f00 field, register an include
# script entry for /etc/firewall.swap_wan_in_conn_mark.sh (created with
# enabled='0'), and disable the three rules from fix_port_foward.
# Runs unconditionally on every invocation of this script, so it must stay
# idempotent (it only uses "set"). Returns: status of "uci batch".
fix_fix_port_foward() {
	local inc=firewall.swap_wan_in_conn_mark
	uci -q batch <<-EOF
		set firewall.wan_in_conn_mark.extra='-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x80000/0x80000'
		set ${inc}=include
		set ${inc}.type='script'
		set ${inc}.reload='1'
		set ${inc}.enabled='0'
		set ${inc}.path='/etc/firewall.swap_wan_in_conn_mark.sh'
		set firewall.wan_in_conn_mark.enabled='0'
		set firewall.lan_in_conn_mark_restore.enabled='0'
		set firewall.out_conn_mark_restore.enabled='0'
	EOF
}

# Add a REJECT rule for destination port 53 on every bridge device (br-+),
# i.e. a guard against clients sending DNS past the VPN. It is created with
# enabled='0'; nothing in this script switches it on.
# Returns: status of "uci batch".
fix_dns_leak() {
	local r=firewall.block_dns
	uci -q batch <<-EOF
		set ${r}=rule
		set ${r}.name='block_dns'
		set ${r}.src='*'
		set ${r}.device='br-+'
		set ${r}.dest_port='53'
		set ${r}.target='REJECT'
		set ${r}.enabled='0'
	EOF
}

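# The process mark is applied differently under fw4 (nftables) and fw3
# (iptables): install the matching flavour and clean up the other one.
if command -v fw4 >/dev/null 2>&1; then
	# fw4: drop the uci rule that relies on the iptables "-m owner" extra and
	# install an nftables snippet matching the socket gid instead. The file
	# is rewritten on every run, which keeps this branch idempotent.
	if [ -n "$(uci -q get firewall.process_mark.name)" ]; then
		uci delete firewall.process_mark
		uci commit firewall
	fi
	mkdir -p /usr/share/nftables.d/chain-pre/mangle_output
	echo "skgid 65533 counter meta mark set mark or 0x80000" >/usr/share/nftables.d/chain-pre/mangle_output/01-process_mark.nft
else
	if [ -z "$(uci -q get firewall.process_mark.name)" ]; then
		fix_process_mark
	fi
	# Look the rule up in the firewall config. The previous check queried a
	# bare "wan_in_conn_mark.name" (no config name), which never resolves,
	# so fix_port_foward re-ran and reset the rules on every invocation.
	if [ -z "$(uci -q get firewall.wan_in_conn_mark.name)" ]; then
		fix_port_foward
	fi
	fix_fix_port_foward
fi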

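# Migrate old "list domain" entries of vpnpolicy.domain into a single option
# value: the "list domain " prefix, single quotes and leading whitespace are
# stripped and the entries are kept one per line. The transform is done in a
# pipeline straight from the config file; the previous version staged the
# lines in a fixed-name file under /tmp (a predictable path writable by other
# local users) for no benefit.
if grep -q 'list domain ' /etc/config/vpnpolicy; then
	domains=$(grep 'list domain ' /etc/config/vpnpolicy | sed 's/list domain //' | tr -d "'" | sed 's/^[ \t]*//g')
	uci delete vpnpolicy.domain.domain
	uci set vpnpolicy.domain.domain="$domains"
	uci commit vpnpolicy
fi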

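# Create the block_dns rule once (fix_dns_leak creates it with enabled='0').
if [ -z "$(uci -q get firewall.block_dns.name)" ]; then
	fix_dns_leak
fi

# Commit the firewall changes staged above before the early exit below.
# Previously the commit only happened on the first run (when
# vpn_server_policy was still unset), so on a re-run the process_mark /
# port-forward / block_dns fixes were left uncommitted.
uci commit firewall

# vpn_server_policy doubles as the "already migrated" marker.
[ -n "$(uci -q get vpnpolicy.global.vpn_server_policy)" ] && exit 0

uci set vpnpolicy.global.vpn_server_policy="1"
uci commit vpnpolicy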

