From 2468b5a41508dfa4d8043dc2c2561572a8bfcd89 Mon Sep 17 00:00:00 2001
From: garywill
Date: Sun, 29 Aug 2021 10:27:17 +0800
Subject: [PATCH] Version 0.6.3. Tested nftables Stop judging xt_comment by lsmod, which wasn't reliable Users who want to disable iptables comment should set env var
---
 README.md | 2 +-
 lnxrouter | 38 ++++++++++++++++++++------------------
 2 files changed, 21 insertions(+), 19 deletions(-)
 mode change 100644 => 100755 lnxrouter
diff --git a/README.md b/README.md
index b26d0e1..67cd2e4 100644
--- a/README.md
+++ b/README.md
@@ -338,7 +338,7 @@ Options:
 - procps or procps-ng
 - iproute2
 - dnsmasq
-- iptables (legacy. nft not tested)
+- iptables (or nftables with `iptables-nft` translation linked)
 - WiFi hotspot dependencies
 - hostapd
 - iw
diff --git a/lnxrouter b/lnxrouter
old mode 100644
new mode 100755
index 27de201..32d2729
--- a/lnxrouter
+++ b/lnxrouter
@@ -1,6 +1,6 @@
 #!/bin/bash
-VERSION=0.6.2
+VERSION=0.6.3
 PROGNAME="$(basename $0)"
 export LC_ALL=C
@@ -205,7 +205,6 @@ define_global_variables(){
 CONFDIR=
 NM_RUNNING=0
 NM_UNM_LIST= # it's called "list" but for now one interface
- XT_COMMENT=1
 }
 parse_user_options(){
@@ -814,21 +813,34 @@ nm_restore_manage() {
 fi
 }
 #=========
+check_iptables()
+{
+ echo
+ iptables --version
+
+ if which firewall-cmd > /dev/null 2>&1; then
+ if [[ "$(firewall-cmd --state)" == "running" ]]; then
+ echo "firewalld is running ($(firewall-cmd --version))"
+ #echo "firewalld version "
+ fi
+ fi
+}
 iptables_()
 {
- if [[ $XT_COMMENT -eq 1 ]]; then
- iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
- else
+ # NETFILTER_XT_MATCH_COMMENT would be a env variable if user wants to disable '-m comment'
+ if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
 iptables -w $@
+ else
+ iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
 fi
 return $?
 }
 ip6tables_()
 {
- if [[ $XT_COMMENT -eq 1 ]]; then
- ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
- else
+ if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
 ip6tables -w $@
+ else
+ ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
 fi
 return $?
 }
@@ -2034,16 +2046,6 @@ if [[ $IPV6 -eq 1 ]] ; then
 ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
 fi
-function check_iptables() {
- if iptables --version | grep "nf_tables" >/dev/null 2>&1 ; then
- echo -e "\nWARN: Your system is using nftables. This script is tested with iptables legacy only. If you encounter problems, visit following URL for infomation:\n https://github.com/oblique/create_ap/issues/373\n https://github.com/oblique/create_ap/issues/433\n https://github.com/garywill/linux-router/issues/18\n" >&2
- fi
-
- if ! lsmod | grep -E "\bxt_comment\b" >/dev/null 2>&1 ; then
- XT_COMMENT=0
- fi
-}
-
 check_iptables
 # enable Internet sharing
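Review bot: check_iptables no longer probes whether the comment match is usable, while iptables_ and ip6tables_ still append `-m comment` unless `NETFILTER_XT_MATCH_COMMENT=0` is exported, so on a system without xt_comment every rule insertion now fails without any hint that the variable exists. The kernel side cannot be checked cheaply, but the userspace extension can, e.g. `iptables -m comment -h >/dev/null 2>&1 || echo "WARN: iptables comment match unavailable; export NETFILTER_XT_MATCH_COMMENT=0" >&2` in the new function, and the `# NETFILTER_XT_MATCH_COMMENT would be a env variable …` comment should state that only the exact value `0` disables the match. Separately, `which firewall-cmd` should be `command -v firewall-cmd`, the `#echo "firewalld version "` leftover should be dropped, and the re-added `iptables -w $@ -m comment --comment …` line and its ip6tables_ twin should quote `"$@"` so rule arguments are not re-split. The firewalld notice is informational only; if firewalld manages the same tables, a reload may remove rules this script inserts directly, which is worth saying in that message, though I cannot confirm it from the hunk.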