From 78c14a0e6265a9bf811de76fc5c22f81701d1da2 Mon Sep 17 00:00:00 2001
From: Arkadiusz Hiler <arek@hiler.eu>
Date: Mon, 19 Aug 2019 10:11:10 +0300
Subject: [PATCH 1/3] Remove unused dnsq_soa_root

Was introduced with dnsu2t module but is still unused.
---
 dnsu2t.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/dnsu2t.c b/dnsu2t.c
index a072bd46..bff68673 100644
--- a/dnsu2t.c
+++ b/dnsu2t.c
@@ -46,12 +46,6 @@ static void dnsu2t_pkt_from_relay(int fd, short what, void *_arg);
 static void dnsu2t_relay_writable(int fd, short what, void *_arg);
 static void dnsu2t_close_relay(dnsu2t_instance *self);
 
-// this DNS query (IN SOA for `.`) acts as in-band DNS ping
-static const uint8_t dnsq_soa_root[] = {
-	0x00, 0x00, 0x01, 0x20,
-	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x06, 0x00, 0x01};
-
 typedef struct inflight_req_t {
 	uint16_t id; // in network byte order
 	struct sockaddr_in clientaddr;

From 450848e39a2e810dff524791fbb4b7fc00023771 Mon Sep 17 00:00:00 2001
From: Arkadiusz Hiler <arek@hiler.eu>
Date: Mon, 19 Aug 2019 13:11:54 +0300
Subject: [PATCH 2/3] Rename Linux filtering method to netfilter

We are using SO_ORIGINAL_DST for getting the destination address on
Linux. Since it is defined by netfilter subsystem it is common to both
iptables and the newer nftables.

Let's rename define and the method name to denote we are using netfilter
API and then provide handy aliases for "redirector" backwards
compatibility.
---
 Makefile              |  2 +-
 base.c                | 11 ++++++-----
 redsocks.conf.example |  4 ++--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 5ab12cba..c7e27c37 100644
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,7 @@ tags: *.c *.h
 $(CONF):
 	@case `uname` in \
 	Linux*) \
-		echo "#define USE_IPTABLES" >$(CONF) \
+		echo "#define USE_NETFILTER" >$(CONF) \
 		;; \
 	OpenBSD) \
 		echo "#define USE_PF" >$(CONF) \
diff --git a/base.c b/base.c
index 1dfe98fc..0d4ea0b3 100644
--- a/base.c
+++ b/base.c
@@ -28,7 +28,7 @@
 #include <grp.h>
 #include <stdlib.h>
 #include "config.h"
-#if defined USE_IPTABLES
+#if defined USE_NETFILTER
 # include <limits.h>
 # include <linux/netfilter_ipv4.h>
 #endif
@@ -214,8 +214,8 @@ static int getdestaddr_pf(
 }
 #endif
 
-#ifdef USE_IPTABLES
-static int getdestaddr_iptables(int fd, const struct sockaddr_in *client, const struct sockaddr_in *bindaddr, struct sockaddr_in *destaddr)
+#ifdef USE_NETFILTER
+static int getdestaddr_netfilter(int fd, const struct sockaddr_in *client, const struct sockaddr_in *bindaddr, struct sockaddr_in *destaddr)
 {
 	socklen_t socklen = sizeof(*destaddr);
 	int error;
@@ -290,8 +290,9 @@ static redirector_subsys redirector_subsystems[] =
 #ifdef USE_PF
 	{ .name = "pf",  .init = redir_init_pf,  .fini = redir_close_private, .getdestaddr = getdestaddr_pf },
 #endif
-#ifdef USE_IPTABLES
-	{ .name = "iptables", .getdestaddr = getdestaddr_iptables },
+#ifdef USE_NETFILTER
+	{ .name = "netfilter", .getdestaddr = getdestaddr_netfilter },
+	{ .name = "iptables", .getdestaddr = getdestaddr_netfilter },
 #endif
 	{ .name = "generic",  .getdestaddr = getdestaddr_generic  },
 };
diff --git a/redsocks.conf.example b/redsocks.conf.example
index 67bdf965..5be73f73 100644
--- a/redsocks.conf.example
+++ b/redsocks.conf.example
@@ -30,12 +30,12 @@ base {
 	// chroot = "/var/chroot";
 
 	/* possible `redirector' values are:
-	 *   iptables   - for Linux
+	 *   netfilter  - for Linux
 	 *   ipf        - for FreeBSD
 	 *   pf         - for OpenBSD
 	 *   generic    - some generic redirector that MAY work
 	 */
-	redirector = iptables;
+	redirector = netfilter;
 
 	/* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
 	 * and TCP_KEEPINTVL. see man 7 tcp for details.

From a7a57320ebd036f6efbe201b0be73e3dac4e0336 Mon Sep 17 00:00:00 2001
From: Arkadiusz Hiler <arek@hiler.eu>
Date: Mon, 19 Aug 2019 13:39:49 +0300
Subject: [PATCH 3/3] Add nftables example to README

---
 README.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/README.md b/README.md
index aba93a78..4682814f 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,42 @@ luser$ sg socksified -c "firefox"
 root# iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS
 ```
 
+## nftables example
+
+https://wiki.nftables.org/ - more modern replacemnt for iptables
+
+```
+# required to do redirects
+modprobe nft_redir
+
+nft -f - <<EOF
+table ip nat {
+	chain REDSOCKS {
+		# hook to the output
+		type nat hook output priority 0; policy accept;
+
+		# skip if the user is not uid 1000
+		ip protocol tcp skuid != 1000 return
+
+		# skip for local ip ranges
+		ip daddr 0.0.0.0/8      return
+		ip daddr 10.0.0.0/8     return
+		ip daddr 100.64.0.0/10  return
+		ip daddr 127.0.0.0/8    return
+		ip daddr 169.254.0.0/16 return
+		ip daddr 172.16.0.0/12  return
+		ip daddr 192.168.0.0/16 return
+		ip daddr 198.18.0.0/15  return
+		ip daddr 224.0.0.0/4    return
+		ip daddr 240.0.0.0/4    return
+
+		# everything else tcp = redirect to redsocks
+		ip protocol tcp redirect to 12345
+	}
+}
+EOF
+```
+
 ### Note about GID-based redirection
 
 Keep in mind, that changed GID affects filesystem permissions, so if your