Diagnostics: add check_nft_rules

2025-12-06 11:36:50 +03:00 · 2025-10-11 14:36:04 +03:00
parent 63d56e736d
commit 791cc1c945
1 changed files with 75 additions and 0 deletions
--- a/podkop/files/usr/bin/podkop
+++ b/podkop/files/usr/bin/podkop
@@ -1868,6 +1868,77 @@ check_dhcp_has_podkop_dns() {
    fi
 }

+check_nft_rules() {
+    local table_exist=0
+    local rules_mangle_exist=0
+    local rules_mangle_counters=0
+    local rules_mangle_output_exist=0
+    local rules_mangle_output_counters=0
+    local rules_proxy_exist=0
+    local rules_proxy_counters=0
+    local rules_other_mark_exist=0
+    
+    # Check if PodkopTable exists
+    if nft list table inet "$NFT_TABLE_NAME" > /dev/null 2>&1; then
+        table_exist=1
+        
+        # Check mangle chain rules
+        if nft list chain inet "$NFT_TABLE_NAME" mangle > /dev/null 2>&1; then
+            local mangle_output=$(nft list chain inet "$NFT_TABLE_NAME" mangle)
+            if echo "$mangle_output" | grep -q "counter"; then
+                rules_mangle_exist=1
+                
+                if echo "$mangle_output" | grep "counter" | grep -qv "packets 0 bytes 0"; then
+                    rules_mangle_counters=1
+                fi
+            fi
+        fi
+        
+        # Check mangle_output chain rules
+        if nft list chain inet "$NFT_TABLE_NAME" mangle_output > /dev/null 2>&1; then
+            local mangle_output_output=$(nft list chain inet "$NFT_TABLE_NAME" mangle_output)
+            if echo "$mangle_output_output" | grep -q "counter"; then
+                rules_mangle_output_exist=1
+                
+                if echo "$mangle_output_output" | grep "counter" | grep -qv "packets 0 bytes 0"; then
+                    rules_mangle_output_counters=1
+                fi
+            fi
+        fi
+        
+        # Check proxy chain rules
+        if nft list chain inet "$NFT_TABLE_NAME" proxy > /dev/null 2>&1; then
+            local proxy_output=$(nft list chain inet "$NFT_TABLE_NAME" proxy)
+            if echo "$proxy_output" | grep -q "counter"; then
+                rules_proxy_exist=1
+                
+                if echo "$proxy_output" | grep "counter" | grep -qv "packets 0 bytes 0"; then
+                    rules_proxy_counters=1
+                fi
+            fi
+        fi
+    fi
+    
+    # Check for other mark rules outside PodkopTable
+    nft list tables 2>/dev/null | while read -r keyword family table_name; do
+        [ -z "$table_name" ] && continue
+        
+        [ "$table_name" = "$NFT_TABLE_NAME" ] && continue
+        
+        if nft list table "$family" "$table_name" 2>/dev/null | grep -q "meta mark set"; then
+            touch /tmp/podkop/mark_check.$$
+            break
+        fi
+    done
+
+    if [ -f /tmp/podkop/mark_check.$$ ]; then
+        rules_other_mark_exist=1
+        rm -f /tmp/podkop/mark_check.$$
+    fi
+    
+    echo "{\"table_exist\":$table_exist,\"rules_mangle_exist\":$rules_mangle_exist,\"rules_mangle_counters\":$rules_mangle_counters,\"rules_mangle_output_exist\":$rules_mangle_output_exist,\"rules_mangle_output_counters\":$rules_mangle_output_counters,\"rules_proxy_exist\":$rules_proxy_exist,\"rules_proxy_counters\":$rules_proxy_counters,\"rules_other_mark_exist\":$rules_other_mark_exist}" | jq .
+}
+
 print_global() {
    local message="$1"
    echo "$message"
@@ -2026,6 +2097,7 @@ Available commands:
    list_update             Update domain lists
    check_proxy             Check proxy connectivity
    check_nft               Check NFT rules
+    check_nft_rules         Check NFT rules status
    check_github            Check GitHub connectivity
    check_logs              Show podkop logs from system journal
    check_sing_box_connections  Show active sing-box connections
@@ -2068,6 +2140,9 @@ check_proxy)
 check_nft)
    check_nft
    ;;
+check_nft_rules)
+    check_nft_rules
+    ;;
 check_github)
    check_github
    ;;