- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach

Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
18 lines
464 B
Bash
#!/bin/bash
#
# PostDown script for WireGuard wg0 interface
# Pure nftables solution - no iptables/ipset dependencies
#
# Every step tolerates an already-absent object (2>/dev/null || true), so a
# repeated or partial teardown does not abort WireGuard's PostDown hook.

# Remove policy routing rule (inverse of the "ip rule add" done in PostUp)
ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true

# Flush routing table
ip route flush table proxy 2>/dev/null || true

# Flush nftables vpn-routing table (keeps filter and nat rules intact).
# "flush table" empties the table's rules but leaves the table and its
# chains in place; "nft delete table ip vpn-routing" would remove it entirely.
nft flush table ip vpn-routing 2>/dev/null || true

echo "PostDown script completed"
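The commit message claims atomic rule loading and a native set for the direct-route prefixes, and postdown.sh above tears down a table called `ip vpn-routing`. The script below is an added example, not code from this repository, showing how that table can be generated and replaced in a single `nft -f` transaction. Everything beyond what the page states is an assumption: the set name `direct_routes`, marking in a prerouting chain at mangle priority, the rule "client traffic to a destination outside the set gets the mark", and the sample prefix list, which is constructed here in place of the RIPE download. The client subnet 10.10.0.0/24 and fwmark 0x1 are taken from postdown.sh.

```bash
#!/bin/bash
# Added example (not the project's own code): build and atomically load the
# "ip vpn-routing" table that postdown.sh flushes.
# Assumptions not stated on the page: set name direct_routes, a prerouting
# chain at mangle priority, and the mark rule below. Client subnet and
# fwmark come from postdown.sh.
set -u

CLIENT_NET="10.10.0.0/24"
FWMARK="0x1"

# Constructed sample standing in for the RIPE-derived prefix list
# (comments and blank lines included on purpose to exercise the filter).
SAMPLE_PREFIXES=$'# constructed sample\n192.0.2.0/24\n198.51.100.0/24\n\n203.0.113.0/24'

# Keep only lines that look like IPv4 CIDRs; drop comments and blanks.
filter_prefixes() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
}

# Emit a complete nft ruleset on stdout. The empty "table {}" line creates
# the table if it is missing, the "flush table" line empties it, and the
# full definition repopulates it. Because all three are in one file,
# "nft -f" applies them as a single transaction: if any line is rejected,
# the previous contents stay in place. An empty prefix list (e.g. a failed
# RIPE fetch) is refused rather than silently routing everything via proxy.
build_ruleset() {
    local prefixes
    prefixes=$(printf '%s\n' "$1" | filter_prefixes)
    if [ -z "$prefixes" ]; then
        echo "refusing to build an empty direct_routes set" >&2
        return 1
    fi
    cat <<EOF
table ip vpn-routing {}
flush table ip vpn-routing
table ip vpn-routing {
    set direct_routes {
        type ipv4_addr
        flags interval
        elements = { $(printf '%s\n' "$prefixes" | paste -sd, - | sed 's/,/, /g') }
    }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip saddr $CLIENT_NET ip daddr != @direct_routes meta mark set $FWMARK
    }
}
EOF
}

# Validate with "nft -c" (parse/check only) before applying; needs root.
load_ruleset() {
    local file rc
    file=$(mktemp) || return 1
    if ! build_ruleset "$1" > "$file"; then
        rm -f "$file"
        return 1
    fi
    nft -c -f "$file" && nft -f "$file"
    rc=$?
    rm -f "$file"
    return $rc
}

# Stand-alone run: print the ruleset that would be loaded for the sample.
build_ruleset "$SAMPLE_PREFIXES"
```

Marked flows are then steered by the `ip rule add from 10.10.0.0/24 fwmark 0x1 table proxy priority 100` that PostUp adds and PostDown removes; destinations inside `direct_routes` stay unmarked and follow the main table. Replace `SAMPLE_PREFIXES` with the file written by the RIPE update script and call `load_ruleset` from it.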