/set_policy.sh

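make_ipset()
{
	# Create the IPv4 network set that the mangle rules match destinations
	# against. ipset's sizing option is the single token "hashsize"; the
	# two-token spelling "hash size" is not one of its create options.
	# -exist turns "set already exists" into a no-op so the script can be
	# re-run (e.g. from rc.local after a partial earlier run).
	ipset -exist create chinaips hash:net family inet hashsize 1024 maxelem 1000000
}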

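set_ipset()
{
	# Replace the contents of the chinaips set with the networks listed one
	# per line in the list file. Optional $1 overrides the list path
	# (default /etc/chinaips); existing callers pass nothing.
	local list="${1:-/etc/chinaips}"
	local line
	ipset flush chinaips 2>/dev/null
	# Stream "add" lines into one "ipset restore" instead of forking an
	# ipset process per entry. Blank lines and '#' comment lines are
	# skipped (they would otherwise produce an invalid "add" with no
	# element), leading/trailing whitespace is trimmed by read, and the
	# final line is loaded even when the file has no trailing newline.
	while read -r line || [ -n "$line" ]; do
		case "$line" in
			''|'#'*) continue ;;
		esac
		printf 'add chinaips %s\n' "$line"
	done < "$list" | ipset -exist restore
}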

destroy_ipset()
{
	# Tear the set down. ipset's complaint about a set that is already
	# gone is not interesting, so stderr is discarded.
	local set_name=chinaips
	ipset destroy "$set_name" 2>/dev/null
}

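set_route()
{
	# Rebuild routing table 20 as a copy of every main-table route that
	# mentions eth1 or br-lan (grep -w, so eth10 does not match eth1).
	# Packets carrying fwmark 0x200000 are looked up in this table by the
	# rule that set_route_rule installs. Filtering with grep and reading
	# line by line replaces the IFS juggling that the for-loop needed.
	ip route flush table 20
	ip route | grep -w -e eth1 -e br-lan | while read -r line; do
		# $line is deliberately unquoted: the route text must be split
		# into separate arguments for ip.
		# shellcheck disable=SC2086
		ip route add $line table 20
	done
}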

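set_route_rule()
{
	# Install (idempotently) the policy rule that sends packets marked
	# 0x200000 to table 20: delete any previous copy first, then add.
	# The delete fails harmlessly when no rule exists yet (first run), so
	# its error text is dropped rather than logged at every boot.
	ip rule del from all fwmark 0x200000/0x200000 lookup 20 pref 20 2>/dev/null
	ip rule add from all fwmark 0x200000/0x200000 lookup 20 pref 20
}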

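set_firewall()
{
	# Install the mangle rules that mark traffic for policy routing.
	# The path is the one fw3 uses for its lock; we wait until it is gone
	# so a firewall reload does not run in the middle of our changes, then
	# hold it ourselves while the rules are rewritten.
	# NOTE(review): check-then-touch is not atomic, and whether fw3 honours
	# a plain file at this path (rather than an flock on it) should be
	# confirmed against the fw3 version in use.
	while [ -f /var/run/fw3.lock ]; do
		sleep 1
	done
	touch /var/run/fw3.lock

	# LAN traffic arriving on br-lan whose destination is NOT in the
	# chinaips set gets fwmark 0x200000, which the fwmark rule sends to
	# table 20. CONNMARK --save-mark copies the mark into conntrack so
	# later packets of the same flow keep it. -N fails when the chain
	# already exists (re-run), which is expected; -F then empties it
	# before the rules are re-added, and -D/-I keeps the jump unique.
	iptables -t mangle -N ROUTE_CHINAIPS 2>/dev/null
	iptables -t mangle -F ROUTE_CHINAIPS
	iptables -t mangle -D PREROUTING -j ROUTE_CHINAIPS 2>/dev/null
	iptables -t mangle -I PREROUTING -j ROUTE_CHINAIPS
	iptables -t mangle -I ROUTE_CHINAIPS -i br-lan -m set ! --match-set chinaips dst -j MARK --set-mark 0x200000/0x200000
	iptables -t mangle -A ROUTE_CHINAIPS -j CONNMARK --save-mark --nfmask 0x200000 --ctmask 0x200000

	# Same treatment for traffic generated by the router itself (OUTPUT).
	iptables -t mangle -N ROUTE_CHINAIPS_OUT 2>/dev/null
	iptables -t mangle -F ROUTE_CHINAIPS_OUT
	iptables -t mangle -D OUTPUT -j ROUTE_CHINAIPS_OUT 2>/dev/null
	iptables -t mangle -I OUTPUT -j ROUTE_CHINAIPS_OUT
	iptables -t mangle -I ROUTE_CHINAIPS_OUT -m set ! --match-set chinaips dst -j MARK --set-mark 0x200000/0x200000
	iptables -t mangle -A ROUTE_CHINAIPS_OUT -j CONNMARK --save-mark --nfmask 0x200000 --ctmask 0x200000
	# Release the lock; -f so a failed touch above does not add noise here.
	rm -f /var/run/fw3.lock
}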

# Entry point: create the set, fill it, copy the eth1/br-lan routes into
# table 20, install the fwmark rule, then the mangle marking rules.
# destroy_ipset is defined above but is not part of this sequence.
main()
{
	make_ipset
	set_ipset
	set_route
	set_route_rule
	set_firewall
}

main "$@"

/etc/rc.local

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

# Build the chinaips set, routing table 20, its fwmark rule and the mangle
# marking rules (see /set_policy.sh). This runs synchronously, and
# set_policy.sh waits while /var/run/fw3.lock exists, so init is held up
# until that lock clears.
/set_policy.sh

# Unconditional success regardless of what set_policy.sh returned.
exit 0

/etc/chinaips

chinaips

/etc/hotplug.d/iface/22-cnpolicy

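#!/bin/sh
# Hotplug hook (/etc/hotplug.d/iface): rebuild routing table 20 whenever an
# interface comes up, goes down or is updated. ACTION is set by the caller.
# Quoting ACTION inside case avoids the test syntax error the unquoted
# "[ $ACTION = ... -o ... ]" form hits when ACTION is empty.
case "$ACTION" in
        ifup|ifdown|ifupdate) ;;
        *) exit 0 ;;
esac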

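set_route()
{
        # Rebuild routing table 20 as a copy of every main-table route that
        # mentions eth1 or br-lan (grep -w, so eth10 does not match eth1).
        # Table 20 is the one packets with fwmark 0x200000 are routed by.
        # Filtering with grep and reading line by line replaces the IFS
        # juggling that the for-loop needed.
        ip route flush table 20
        ip route | grep -w -e eth1 -e br-lan | while read -r line; do
                # $line is deliberately unquoted: the route text must be
                # split into separate arguments for ip.
                # shellcheck disable=SC2086
                ip route add $line table 20
        done
}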
                                                                                                
# Rebuild table 20 from the current main-table routes for this event.
set_route