show distro and kernel

Stop judging xt_comment by lsmod, which wasn't reliable
Users who want to disable iptables comment should set env var

NOTICE

@@ -1,42 +0,0 @@
-Copyright (c) 2013, oblique
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-  this list of conditions and the following disclaimer in the documentation
-  and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-================================================================================
-
-linux-router
-Copyright (C) 2018  garywill
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

README.md

@@ -1,11 +1,10 @@
 # Linux-router
 
-Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
+Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
 
 It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
 
-[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
+[Linux-Router News & Developer Notes 📰](https://github.com/garywill/linux-router/issues/28) | [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
-
 
 ## Features
 
@@ -13,16 +12,19 @@ Basic features:
 
 - Create a NATed sub-network
 - Provide Internet
-- DHCP server and RA
+- DHCP server (and RA)
+  - Specify what DNS the DHCP server assigns to clients
 - DNS server
+  - Specify upstream DNS (kind of a plain DNS proxy)
 - IPv6 (behind NATed LAN, like IPv4)
-- Creating Wifi hotspot:
+- Creating WiFi hotspot:
   - Channel selecting
   - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
-  - Create AP on the same interface you are getting Internet (require same channel)
+  - Create AP on the same interface you are getting Internet (usually require same channel)
 - Transparent proxy (redsocks)
-- DNS proxy
+- Transparent DNS proxy (hijack port 53 packets)
-- Compatible with NetworkManager (automatically set interface as unmanaged)
+- Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)
+- You can run many instances, to create many different networks. Has instances managing feature.
 
 **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
 
@@ -36,7 +38,7 @@ Internet----(eth0/wlan0)-Linux-(wlanX)AP
 
 ```
                                     Internet
-Wifi AP(no DHCP)                        |
+WiFi AP(no DHCP)                        |
     |----(wlan1)-Linux-(eth0/wlan0)------
     |           (DHCP)
     |--client
@@ -67,21 +69,39 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
 sudo lnxrouter -i eth1
 ```
 
-### Provide an interface's Internet to another interface
+no matter which interface (other than `eth1`) you're getting Internet from.
 
-```
+### Create WiFi hotspot
-sudo lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
-```
-> Read _Notice 1_
-
-### Create Wifi hotspot
 
 ```
 sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
 ```
 
+no matter which interface you're getting Internet from (even from `wlan0`). Will create virtual Interface `x0wlan0` for hotspot.
+
+### Provide an interface's Internet to another interface
+
+Clients access Internet through only `isp5`
+
+<details>
+
+```
+sudo lnxrouter -i eth1 -o isp5  --no-dns  --dhcp-dns 1.1.1.1  -6 --dhcp-dns6 [2606:4700:4700::1111]
+```
+
+> In this case of usage, it's recommended to:
+> 
+> 1. Stop serving local DNS
+> 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
+
+> Also, read *Notice 1*
+
+</details>
+
 ### LAN without Internet
 
+<details>
+
 ```
 sudo lnxrouter -n -i eth1
 sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
@@ -89,9 +109,12 @@ sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
 
 > Read _Notice 1_
 
+</details>
 
 ### Internet for LXC
 
+<details>
+
 Create a bridge
 
 ```
@@ -111,12 +134,16 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
 sudo lnxrouter -i lxcbr5
 ```
 
+</details>
+
 ### Transparent proxy
 
-For example through Tor
+All clients' Internet traffic go through, for example, Tor
+
+<details>
 
 ```
-sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7::
+sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::
 ```
 
 In `torrc`
@@ -128,10 +155,14 @@ TransPort [fd00:5:6:7::1]:9040
 DNSPort [fd00:5:6:7::1]:9053
 ```
 
+</details>
+
 ### Clients-in-sandbox network
 
 To not give our infomation to clients. Clients can still access Internet.
 
+<details>
+
 ```
 sudo lnxrouter -i eth1 \
     --tp 9040 --dns 9053 \
@@ -140,11 +171,14 @@ sudo lnxrouter -i eth1 \
     --catch-dns --log-dns   # optional
 ```
 
-> This script comes with no warrenty, use on your own risk
+</details>
 
+> This script comes with no warrenty. Use on your own risk
 
 ### Use as transparent proxy for LXD
 
+<details>
+
 Create a bridge
 
 ```
@@ -195,16 +229,24 @@ To remove the customized `eth0` to restore default `eth0`
 lxc config device remove <container> eth0
 ```
 
+</details>
+
 ### Use as transparent proxy for VirtualBox
 
+<details>
+
 In VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled.
 
 ```
 sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053
 ```
 
+</details>
+
 ### Use as transparent proxy for firejail
 
+<details>
+
 Create a bridge
 
 ```
@@ -216,8 +258,16 @@ sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
 firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
 ```
 
+Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign.
+
+nscd is domain name cache service, which shouldn't be accessed from in jail here.
+
+</details>
+
 ### CLI usage and other features
 
+<details>
+
 ```
 Usage: lnxrouter <options>
 
@@ -227,8 +277,9 @@ Options:
 
     -i <interface>          Interface to make NATed sub-network,
                             and to provide Internet to
-                            (To create Wifi hotspot use '--ap' instead)
+                            (To create WiFi hotspot use '--ap' instead)
     -o <interface>          Specify an inteface to provide Internet from.
+                            (See Notice 1)
                             (Note using this with default DNS option may leak
                             queries to other interfaces)
     -n                      Do not provide Internet (See Notice 1)
@@ -253,13 +304,14 @@ Options:
     --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
     --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) 
                             whose destination port is 53 to this host
-    --log-dns               Show DNS query log
+    --log-dns               Show DNS query log (dnsmasq)
     --dhcp-dns <IP1[,IP2]>|no
-                            Set IPv4 DNS offered by DHCP (default: this host)
+                            Set IPv4 DNS offered by DHCP (default: this host).
     --dhcp-dns6 <IP1[,IP2]>|no
                             Set IPv6 DNS offered by DHCP (RA) 
                             (default: this host)
                             (Note IPv6 addresses need '[]' around)
+                            Using both above two will enable '--no-dns' 
     --hostname <name>       DNS server associate this name with this host.
                             Use '-' to read name from /etc/hostname
     -d                      DNS server will take into account /etc/hosts
@@ -273,12 +325,12 @@ Options:
                             redirect non-LAN TCP and UDP traffic to port.
                             (usually used with '--dns')
 
-  Wifi hotspot options:
+  WiFi hotspot options:
     --ap <wifi interface> <SSID>
-                            Create Wifi access point
+                            Create WiFi access point
     -p, --password <password>   
-                            Wifi password
+                            WiFi password
-    --qr                    Show Wifi QR code in terminal
+    --qr                    Show WiFi QR code in terminal
 
     --hidden                Hide access point (not broadcast SSID)
     --no-virt               Do not create virtual interface
@@ -293,8 +345,8 @@ Options:
                             (default: 2)
     --psk                   Use 64 hex digits pre-shared-key instead of
                             passphrase
-    --mac-filter            Enable Wifi hotspot MAC address filtering
+    --mac-filter            Enable WiFi hotspot MAC address filtering
-    --mac-filter-accept     Location of Wifi hotspot MAC address filter list
+    --mac-filter-accept     Location of WiFi hotspot MAC address filter list
                             (defaults to /etc/hostapd/hostapd.accept)
     --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
     --isolate-clients       Disable wifi communication between clients
@@ -316,21 +368,34 @@ Options:
     --stop <id>             Stop a running instance
         For <id> you can use PID or subnet interface name.
         You can get them with '--list-running'
-
-    Notice 1:   This script assume your host's default policy won't forward
-                packets, so the script won't explictly ban forwarding in any
-                mode. In some unexpected case may cause unwanted packets 
-                leakage between 2 networks, which you should be aware of if you
-                want isolated network
 ```
 
-> These changes to system will not be restored by script's cleanup:
+</details>
-> 1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
-> 1. dnsmasq in Apparmor complain mode
-> 1. Kernel module `nf_nat_pptp` loaded
-> 1. The wifi device which is used to create hotspot is `rfkill unblock`ed
-> 1. Wifi country code, if user specified
 
+## Notice
+
+<details>
+
+```
+    Notice 1:   This script assume your host's default policy won't forward
+                packets, so the script won't explictly ban forwarding in any
+                mode. In some unexpected case (eg. mistaken configurations) may
+                cause unwanted packets leakage between 2 networks, which you
+                should be aware of if you want isolated network
+```
+
+</details>
+
+## What changes are done to Linux system
+
+On exit of a linux-router instance, script **will do cleanup**, i.e. undo most changes to system. Though, **some** changes (if needed) will **not** be undone, which are:
+
+1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
+2. dnsmasq in Apparmor complain mode
+3. hostapd in Apparmor complain mode
+4. Kernel module `nf_nat_pptp` loaded
+5. The wifi device which is used to create hotspot is `rfkill unblock`ed
+6. WiFi country code, if user assigns
 
 ## Dependencies
 
@@ -338,7 +403,7 @@ Options:
 - procps or procps-ng
 - iproute2
 - dnsmasq
-- iptables (legacy. nft not tested)
+- iptables (or nftables with `iptables-nft` translation linked)
 - WiFi hotspot dependencies
   - hostapd
   - iw
@@ -348,27 +413,82 @@ Options:
 
 ## TODO
 
+Sooner is better:
+- Detect firewalld and make sure it won't interfere our interface
+
+Future:
 - WPA3
 - Global IPv6
 - Explictly ban forwarding if not needed
 - Bring bridging method back
 
-## Donate
+## License
 
-[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time!
+linux-router is LGPL licensed
 
+<details>
 
-[打赏一个](https://github.com/garywill/receiving/blob/master/receiving_methods.md) 
+```
+linux-router
+Copyright (C) 2018  garywill
 
-## For developers
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
 
-**Many thanks to project [create_ap](https://github.com/oblique/create_ap)**.
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Lesser General Public License for more details.
 
-This script was forked from create\_ap. Now it's quite different from it. (See `history` branch for how I modified create_ap)
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+```
 
-There're some TO-DOs listed, at both above and in the code file. We'll appreciate your help.
+</details>
 
-------------------
+Upstream create_ap was BSD licensed
 
-More of my projects: https://garywill.github.io
+<details>
 
+```
+Copyright (c) 2013, oblique
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+```
+
+</details>
+
+## Meet developer(s) and become one of them
+
+Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
+
+> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 扫码领红包并打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
+> 
+> 🥂 ( ^\_^) o自自o (^_^ ) 🍻
+
+🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
+
+👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both [above](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code). 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement). Your name can be here!

lnxrouter

@@ -1,7 +1,6 @@
 #!/bin/bash
 
-# TODO: showing version (or git commit) on running
+VERSION=0.6.6
-VERSION=0.6.2
 PROGNAME="$(basename $0)"
 
 export LC_ALL=C
@@ -9,10 +8,16 @@ export LC_ALL=C
 SCRIPT_UMASK=0122
 umask $SCRIPT_UMASK
 
+phead() {
+    echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
+}
+phead2() {
+    echo "Released under LGPL, with no warranty. Use on your own risk."
+}
 usage() {
+    phead
+    phead2
     cat << EOF
-linux-router $VERSION (https://github.com/garywill/linux-router)
-Released under LGPL, with no warranty. Use on your own risk.
 
 Usage: $PROGNAME <options>
 
@@ -22,8 +27,9 @@ Options:
 
     -i <interface>          Interface to make NATed sub-network,
                             and to provide Internet to
-                            (To create Wifi hotspot use '--ap' instead)
+                            (To create WiFi hotspot use '--ap' instead)
     -o <interface>          Specify an inteface to provide Internet from.
+                            (See Notice 1)
                             (Note using this with default DNS option may leak
                             queries to other interfaces)
     -n                      Do not provide Internet (See Notice 1)
@@ -48,13 +54,14 @@ Options:
     --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
     --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) 
                             whose destination port is 53 to this host
-    --log-dns               Show DNS query log
+    --log-dns               Show DNS query log (dnsmasq)
     --dhcp-dns <IP1[,IP2]>|no
-                            Set IPv4 DNS offered by DHCP (default: this host)
+                            Set IPv4 DNS offered by DHCP (default: this host).
     --dhcp-dns6 <IP1[,IP2]>|no
                             Set IPv6 DNS offered by DHCP (RA) 
                             (default: this host)
                             (Note IPv6 addresses need '[]' around)
+                            Using both above two will enable '--no-dns' 
     --hostname <name>       DNS server associate this name with this host.
                             Use '-' to read name from /etc/hostname
     -d                      DNS server will take into account /etc/hosts
@@ -68,12 +75,12 @@ Options:
                             redirect non-LAN TCP and UDP traffic to port.
                             (usually used with '--dns')
     
-  Wifi hotspot options:
+  WiFi hotspot options:
     --ap <wifi interface> <SSID>
-                            Create Wifi access point
+                            Create WiFi access point
     -p, --password <password>   
-                            Wifi password
+                            WiFi password
-    --qr                    Show Wifi QR code in terminal
+    --qr                    Show WiFi QR code in terminal
     
     --hidden                Hide access point (not broadcast SSID)
     --no-virt               Do not create virtual interface
@@ -88,8 +95,8 @@ Options:
                             (default: 2)
     --psk                   Use 64 hex digits pre-shared-key instead of
                             passphrase
-    --mac-filter            Enable Wifi hotspot MAC address filtering
+    --mac-filter            Enable WiFi hotspot MAC address filtering
-    --mac-filter-accept     Location of Wifi hotspot MAC address filter list
+    --mac-filter-accept     Location of WiFi hotspot MAC address filter list
                             (defaults to /etc/hostapd/hostapd.accept)
     --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
     --isolate-clients       Disable wifi communication between clients
@@ -114,13 +121,12 @@ Options:
 
     Notice 1:   This script assume your host's default policy won't forward
                 packets, so the script won't explictly ban forwarding in any
-                mode. In some unexpected case may cause unwanted packets 
+                mode. In some unexpected case (eg. mistaken configurations) may
-                leakage between 2 networks, which you should be aware of if you
+                cause unwanted packets leakage between 2 networks, which you
-                want isolated network
+                should be aware of if you want isolated network
                 
 Examples:
     $PROGNAME -i eth1
-    $PROGNAME --ap wlan0 MyAccessPoint
     $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
     $PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
 EOF
@@ -203,7 +209,6 @@ define_global_variables(){
     CONFDIR=
     NM_RUNNING=0
     NM_UNM_LIST=  # it's called "list" but for now one interface
-    XT_COMMENT=1
 }
 
 parse_user_options(){
@@ -226,16 +231,10 @@ parse_user_options(){
                 shift
                 INTERNET_IFACE="$1"
                 shift
-                echo ""
-                echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
-                echo ""
                 ;;
             -n)
                 shift
                 SHARE_METHOD=none
-                echo ""
-                echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
-                echo ""
                 ;;
             --ban-priv)
                 shift
@@ -261,9 +260,6 @@ parse_user_options(){
             --no4)
                 shift
                 NO4=1
-                echo ""
-                echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
-                echo ""
                 ;;
             --p6)
                 shift
@@ -630,6 +626,32 @@ get_interface_mac() {
     cat "/sys/class/net/${1}/address"
 }
 
+get_interface_pci_info() {  # pci id / model / virtual
+    is_interface "$1" || return
+    
+    local device_path
+    local pci_id
+    local pci_full
+    
+    device_path="$(readlink -f /sys/class/net/$1)"
+    
+    if [[ "$device_path" == "/sys/devices/pci"* ]]; then
+        pci_id="$(echo $device_path | sed 's/\//\n/g' | tail -n 3 |sed -n 1p)"
+        
+        if which lspci >/dev/null 2>&1 ; then
+            pci_full="$( lspci -D -nn | grep -E "^$pci_id " )"
+            echo "  PCI: $pci_full"
+        else
+            echo "  PCI: $pci_id"
+        fi
+    elif [[ "$device_path" == *"/virtual/"* ]]; then
+        echo "  virtual interface"
+    fi
+    # TODO usb
+    # TODO current driver
+}
+
+
 alloc_new_vface_name() { # only for wifi
     local i=0
     local v_iface_name=
@@ -812,22 +834,96 @@ nm_restore_manage() {
     fi
 }
 #=========
-iptables_()
+check_iptables()
 {
-    if [[ $XT_COMMENT -eq 1 ]]; then
+    echo
-        iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+    iptables --version
-    else
+    
-        iptables -w $@ 
+    if which firewall-cmd > /dev/null 2>&1; then
+        if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then
+            echo "firewalld is running ($(firewall-cmd --version))"
+            echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN:     1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN:     2) disable firewalld\n" >&2 
+            # TODO
+        fi
     fi
-    return $?
 }
-ip6tables_()
+
+CUSTOM_CHAINS_4_filter=
+CUSTOM_CHAINS_4_nat=
+CUSTOM_CHAINS_6_filter=
+CUSTOM_CHAINS_6_nat=
+iptb() 
 {
-    if [[ $XT_COMMENT -eq 1 ]]; then
+    local FoS=$1 # 4 | 6
-        ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+    shift
-    else
+    local Vis=$1 # 'v' | 'n'
-        ip6tables -w $@
+    shift
+    local T=$1 # table
+    shift
+    local ACT=$1 # action: I | A | N  .  On undo: I or A -> D , N -> F+X
+    shift
+    local CH=$1 # chain
+    shift
+    
+    [[ "$IPV6" -ne 1 && "$FoS" == "6" ]] && return
+    
+    local CMD_HEAD=""
+    local MOUTH=""
+    local NECK=""
+    local HAND_UN_NC=0
+    local TAIL=""
+    
+    local FULL=""
+    local ADD_TO_UNDO=1
+    
+    for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat
+    do
+        local arr_content
+        eval arr_content=\"\${$arr_name}\"
+        #echo $arr_content
+        
+        for w in  $arr_content
+        do
+            if [[ "$arr_name" =~ "$FoS" && "$arr_name" =~ "$T" && "$w" == "$CH" ]]; then
+                ADD_TO_UNDO=0
             fi
+        done
+    done
+    
+
+    [[ "$FoS" == "4" ]] && CMD_HEAD="iptables -w "
+    [[ "$FoS" == "6" ]] && CMD_HEAD="ip6tables -w "
+    
+    [[ "$Vis" == 'v' ]] && MOUTH="-v"
+    
+    NECK="-t ${T}"
+    
+    if [[ "$ACT" == "N" ]]; then
+        eval CUSTOM_CHAINS_${FoS}_${T}=\"\${CUSTOM_CHAINS_${FoS}_${T}} ${CH}\"
+        HAND_UN_NC=1
+    fi
+    
+    
+    
+    [[ ! "$NETFILTER_XT_MATCH_COMMENT" == "0" ]] && TAIL="-m comment --comment lrt${$}${SUBNET_IFACE}"
+    
+    if [[ "$ADD_TO_UNDO" -eq 1 ]]; then
+        if [[ "$ACT" == "I" || "$ACT" == "A" ]]; then
+            echo "$CMD_HEAD $NECK -D ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables.sh 
+        fi
+        
+        if [[ "$HAND_UN_NC" -eq 1 ]]; then
+            echo "$CMD_HEAD $NECK -F ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
+            echo "$CMD_HEAD $NECK -X ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
+        fi
+    fi
+    
+ 
+    
+
+    FULL="$CMD_HEAD $MOUTH $NECK -${ACT} ${CH} $@ $TAIL"
+    #echo $FULL
+    $FULL
     return $?
 }
 
@@ -842,151 +938,84 @@ start_nat() {
     echo
     echo "iptables: NAT "
     if [[ $NO4 -eq 0 ]]; then
-        iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE || die
+        iptb 4 v nat I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE || die
-        iptables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
+        iptb 4 v filter I FORWARD  -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
-        iptables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
+        iptb 4 v filter I FORWARD  -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
-    fi
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE || die
-        ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
-        ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN   -d ${PREFIX6}/64 -j ACCEPT || die
-    fi
-}
-stop_nat() {
-    echo "iptables: stop NAT"
-    if [[ $NO4 -eq 0 ]]; then
-        iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE
-        iptables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT
-        iptables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT
-    fi
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE
-        ip6tables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT
-        ip6tables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${PREFIX6}/64 -j ACCEPT
     fi
+
+        iptb 6 v nat I POSTROUTING  -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE || die
+        iptb 6 v filter I FORWARD   -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
+        iptb 6 v filter I FORWARD   -o ${SUBNET_IFACE} $IPTABLES_NAT_IN   -d ${PREFIX6}/64 -j ACCEPT || die
 }
 
 start_ban_lan() {
     echo
     echo "iptables: Disallow clients to access LAN"
-    iptables_ -N BANLAN-f-${SUBNET_IFACE}  || die
+    iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLF || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
+    # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 0.0.0.0/8 -j REJECT || die # TODO: use array
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 10.0.0.0/8 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 100.64.0.0/10 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 169.254.0.0/16 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 127.0.0.0/8 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 172.16.0.0/12 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 169.254.0.0/16 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 192.168.0.0/16 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 172.16.0.0/12 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 224.0.0.0/4 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 192.168.0.0/16 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 255.255.255.255 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 224.0.0.0/4 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 255.255.255.255 -j REJECT || die
     
-    iptables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
+    iptb 4 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
     
-    iptables_ -N BANLAN-i-${SUBNET_IFACE}
+    iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLI || die
-    #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
-    iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
-    # TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security
     
-    iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
+    iptb 4 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
     
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -N BANLAN-f-${SUBNET_IFACE}  || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fc00::/7 -j REJECT || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fe80::/10 -j REJECT || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ff00::/8 -j REJECT || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::1 -j REJECT || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::/128 -j REJECT || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0/96 -j REJECT || die
-        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0:0/96 -j REJECT || die
 
-        ip6tables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
+    iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLF  || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fc00::/7 -j REJECT || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fe80::/10 -j REJECT || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ff00::/8 -j REJECT || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::1 -j REJECT || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::/128 -j REJECT || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0/96 -j REJECT || die
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0:0/96 -j REJECT || die
 
-        ip6tables_ -N BANLAN-i-${SUBNET_IFACE}  || die
+    iptb 6 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
-        #ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
-        ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
     
-        ip6tables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
+    iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLI  || die
-    fi
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
-}
-stop_ban_lan() {
-    echo "iptables: Unban clients' LAN access"
 
-    iptables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} 
+    iptb 6 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
 
-    iptables_ -F BANLAN-f-${SUBNET_IFACE}
-    iptables_ -X BANLAN-f-${SUBNET_IFACE}
-    
-    iptables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
-    
-    iptables_ -F BANLAN-i-${SUBNET_IFACE}
-    iptables_ -X BANLAN-i-${SUBNET_IFACE}
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} 
-    
-        ip6tables_ -F BANLAN-f-${SUBNET_IFACE}
-        ip6tables_ -X BANLAN-f-${SUBNET_IFACE} 
-        
-        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
-        
-        ip6tables_ -F BANLAN-i-${SUBNET_IFACE}
-        ip6tables_ -X BANLAN-i-${SUBNET_IFACE} 
-    fi
 }
 
 allow_dns_port() {
     echo
     echo "iptables: allow DNS"
-    iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
+    iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
-    iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
+    iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
-    if [[ $IPV6 -eq 1 ]]; then
+    iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
+    iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
-    fi
-}
-unallow_dns_port() {
-    echo "iptables: unallow DNS"
-    iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
-    iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY}  -p udp -m udp --dport 53 -j ACCEPT
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT
-        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT
-    fi
 }
 
+
 start_catch_dns() {
     echo
-    echo "iptables: redirect all TCP/UDP packet that destination port is 53"
+    echo "iptables: redirect DNS queries to this host"
-    iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
-    iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
-    if [[ $IPV6 -eq 1 ]]; then
+
-        ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
-        ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
-    fi
-}
-stop_catch_dns() {
-    echo "iptables: stop redirecting DNS queries"
-    iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 
-    iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 
-        ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 
-    fi
 }
 
+
 allow_dhcp() {
     echo 
     echo "iptables: allow dhcp"
-    iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
+    
-    if [[ $IPV6 -eq 1 ]]; then
+    iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
+    iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
-    fi
-}
-unallow_dhcp() {
-    echo "iptables: unallow dhcp"
-    iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT
-    fi
 }
 
 # TODO: use 'DNAT' instead of '--to-ports' to support other IP
@@ -994,61 +1023,43 @@ start_redsocks() {
     echo
     echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
     if [[ $NO4 -eq 0 ]]; then
-        iptables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
+        iptb 4 n nat N lrt${$}${SUBNET_IFACE}-TP || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0.0.0.0/8 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 0.0.0.0/8 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 10.0.0.0/8 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 10.0.0.0/8 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 100.64.0.0/10  -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 100.64.0.0/10  -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 127.0.0.0/8 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 127.0.0.0/8 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 169.254.0.0/16 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 169.254.0.0/16 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 172.16.0.0/12 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 192.168.0.0/16 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 224.0.0.0/4 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 255.255.255.255 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 255.255.255.255 -j RETURN || die
         
-        iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
-        iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
 
-        iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} || die
+        iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j lrt${$}${SUBNET_IFACE}-TP || die
 
-        iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
+        iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
-        iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die
+        iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die
     fi
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
-        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die
-        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die
-        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die
-        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die
-        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die
 
-        ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 6 n nat N lrt${$}${SUBNET_IFACE}-TP || die
-        ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fc00::/7 -j RETURN || die
+        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fe80::/10 -j RETURN || die
+        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ff00::/8 -j RETURN || die
+        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ::1 -j RETURN || die
+        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d :: -j RETURN || die
 
-        ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die
+        iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
+
+        iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j lrt${$}${SUBNET_IFACE}-TP || die
+
+        iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
+        iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die   
 
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die   
-    fi
 }
-stop_redsocks() {
-    echo "iptables: stop transparent proxy"
-    if [[ $NO4 -eq 0 ]]; then
-        iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24  -j REDSOCKS-${SUBNET_IFACE}
-        iptables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
-        iptables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
 
-        iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
-        iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
-    fi
-    if [[ $IPV6 -eq 1 ]]; then
-        ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64  -j REDSOCKS-${SUBNET_IFACE}
-        ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
-        ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
-        
-        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
-        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
-    fi
-}
 #---------------------------------------
 backup_ipv6_bits() {
     mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status"
@@ -1103,7 +1114,7 @@ backup_interface_status() {
     
     backup_ipv6_bits
     
-    # TODO : backup ip and others
+    # TODO : ? backup ip and others???
     
     # nm managing status is saved when nm_set_unmanaged()
 }
@@ -1136,7 +1147,7 @@ kill_processes() { # for this instance
             pn=$( ps -p $pid -o comm= ) 
             #echo "Killing $pid $pn ... "
             pkill -P $pid
-            kill $pid 2>/dev/null && ( echo "Killed $pid $pn" && rm $x ) || echo "Failed to kill $pid $pn, it may have exited"
+            kill $pid 2>/dev/null && ( echo "Killed $(basename $x) $pid $pn" && rm $x ) || echo "Failed to kill $(basename $x) $pid $pn, it may have exited"
         fi
     done
 }
@@ -1173,25 +1184,9 @@ _cleanup() {
 }
 
 clean_iptables() {
+    [[ -f $CONFDIR/undo_iptables.sh ]] && bash $CONFDIR/undo_iptables.sh
     
-    if [[ "$SHARE_METHOD" == "nat" ]]; then
+    [[ -f $CONFDIR/undo_iptables_2.sh ]] && bash $CONFDIR/undo_iptables_2.sh
-        stop_nat
-    elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
-        stop_redsocks
-    fi
-    
-    if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
-        unallow_dns_port
-    fi
-    
-    [[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns
-    
-    
-    if [[ $NO_DNSMASQ -eq 0 ]]; then
-        unallow_dhcp
-    fi
-    
-    [[ "$BANLAN" -eq 1 ]] && stop_ban_lan
 }
 
 cleanup() {
@@ -1200,12 +1195,14 @@ cleanup() {
     echo
     echo "Doing cleanup.. "
     kill_processes
-    clean_iptables  2> /dev/null
+    echo "Undoing iptables changes .."
+    clean_iptables > /dev/null
     _cleanup 2> /dev/null
     
-    pgid=$(ps opgid= $$ |awk '{print $1}' )
+    #pgid=$(ps opgid= $$ |awk '{print $1}' )
-    kill -15 -$pgid
+    #echo "Killing PGID $pgid ..."
-    sleep 1 
+    #kill -15 -$pgid
+    #sleep 1 
     echo "Cleaning up done"
     #kill -9 -$pgid
 }
@@ -1467,7 +1464,7 @@ check_other_functions(){
 
     ##### root test ##### NOTE above don't require root ##########
     if [[ $(id -u) -ne 0 ]]; then
-        echo "You must run it as root." >&2
+        echo "ERROR: Need root to continue" >&2
         exit 1
     fi
     ###### NOTE below require root ##########
@@ -1617,6 +1614,10 @@ decide_ip_addresses() {
 }
 
 prepare_wifi_interface() {
+
+    sleep 1
+    echo; echo; echo;
+    echo "Trying to set power_save off ..."
     if [[ $USE_IWCONFIG -eq 0 ]]; then
         iw dev ${WIFI_IFACE} set power_save off
     fi
@@ -1640,6 +1641,8 @@ prepare_wifi_interface() {
             fi
         fi
         
+        sleep 6
+        echo; echo; echo;
         echo "Creating a virtual WiFi interface... "
         VWIFI_IFACE=$(alloc_new_vface_name)
         if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
@@ -1751,7 +1754,7 @@ write_hostapd_conf() {
 			rsn_pairwise=CCMP
 		EOF
     else
-        echo "WARN: Wifi is not protected by password" >&2
+        echo "WARN: WiFi is not protected by password" >&2
     fi
     chmod 600 "$CONFDIR/hostapd.conf"
 }
@@ -1848,6 +1851,7 @@ run_wifi_ap_processes() {
         haveged_watchdog &
         HAVEGED_WATCHDOG_PID=$!
         echo "$HAVEGED_WATCHDOG_PID" > "$CONFDIR/haveged_watchdog.pid"
+        echo
         echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID" 
     fi
 
@@ -1860,6 +1864,11 @@ run_wifi_ap_processes() {
     fi
     echo 
     echo "Starting hostapd"
+    
+    if which complain > /dev/null 2>&1; then
+        complain hostapd
+    fi
+    
     # hostapd '-P' works only when use '-B' (run in background)
     $STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P "$CONFDIR/hostapd.pid" "$CONFDIR/hostapd.conf"  &
     HOSTAPD_PID=$!
@@ -1874,14 +1883,15 @@ run_wifi_ap_processes() {
 }
 
 start_dnsmasq() {
+    echo 
+    echo "Starting dnsmasq"
+    
     if which complain > /dev/null 2>&1; then
         # openSUSE's apparmor does not allow dnsmasq to read files.
         # remove restriction.
         complain dnsmasq
     fi
     
-    echo 
-    echo "Starting dnsmasq"
     # Using '-d'(no daemon) dnsmasq will not turn into 'nobody'
     # '-x' works only when no '-d'
     dnsmasq  -k -C "$CONFDIR/dnsmasq.conf" -x "$CONFDIR/dnsmasq.pid" -l "$CONFDIR/dnsmasq.leases" & 
@@ -1943,11 +1953,16 @@ daemonizing_check
 
 ## ===== Above don't echo anything if no warning or error====================
 ## ========================================================
+phead
+phead2
+echo
+
+echo " ============ In dev branch for issue #12 ==========="
+
 echo "PID: $$"
 
 TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
-echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE))"
+echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE)) $(get_interface_pci_info $TARGET_IFACE)"
-# TODO: show interface type, device model and pci/usb id (hwdata  pci.ids), current driver
 
 if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then
     NEW_MACADDR="$(generate_random_mac)"
@@ -1967,10 +1982,33 @@ init_trap
 
 init_conf_dirs #   CONFDIR  , COMMON_CONFDIR  . make dir
 
+echo -e "\nDistro:"
+cat /etc/os-release 
+
+echo -e "\nKernel:"
+uname -a
+echo
+
+echo "setting NM log level: nmcli general logging level TRACE domains ALL"
+nmcli general logging level TRACE domains ALL
+
+echo "Logging journalctl -f"
+journalctl -f &
+echo $! > $CONFDIR/journalctl.pid 
+
+echo "Logging dmesg -W"
+dmesg -W &
+echo $! > $CONFDIR/dmesg.pid 
+
+echo "Logging wpa_supplicant.log"
+tail -f /var/log/wpa_supplicant.log &
+echo $! > $CONFDIR/wpa_supplicant_log.pid 
+
 [[ $WIFI_IFACE ]] && prepare_wifi_interface # this will create virtual ap interface (if needed) and set VWIFI_IFACE and AP_IFACE (if success)
 
 SUBNET_IFACE="$(decide_subnet_interface)"  # SUBNET_IFACE can be TARGET_IFACE (wired) or AP_IFACE (ap) .this is after prepare_wifi_interface()
 echo "$SUBNET_IFACE" > "$CONFDIR/subn_iface"
+ip addr show dev ${SUBNET_IFACE}
 
 # if virtual wifi interface, will be destroyed, so only need to save status when not
 [[ -z $VWIFI_IFACE ]] && backup_interface_status
@@ -1990,6 +2028,10 @@ fi
 #===================================================
 #===================================================
 
+sleep 1
+echo; echo; echo;
+ip addr show dev ${SUBNET_IFACE}
+echo "Trying to set NM unmanage ..."
 # set interface unmanaged by networkManager
 if [[ $NM_RUNNING -eq 1 ]] && nm_knows $TARGET_IFACE; then # if nm knows target iface, should know subnet iface too. but need to wait until nm finds subnet iface (waiting code is in nm_set_unmanaged()
     nm_set_unmanaged ${SUBNET_IFACE} # will write NM_UNM_LIST
@@ -1998,19 +2040,47 @@ fi
 [[ $NO_DNSMASQ -eq 0 ]] && write_dnsmasq_conf
 #===========================
 
+
+sleep 1
+echo; echo; echo;
+ip addr show dev ${SUBNET_IFACE}
+echo "Trying to set ${SUBNET_IFACE} down ..."
 # initialize subnet interface
 # take subnet interface down first
 ip link set down dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} down"
+
+sleep 1
+echo; echo; echo;
+ip addr show dev ${SUBNET_IFACE}
+echo "Trying to flush ${SUBNET_IFACE} ..."
 # flush old IPs of subnet interface
 ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP"
 
+sleep 1
+echo; echo; echo;
+ip addr show dev ${SUBNET_IFACE}
 dealwith_mac # setting MAC should be after setting NM unmanaged
 
+sleep 1
+echo; echo; echo;
+ip addr show dev ${SUBNET_IFACE}
+echo "Trying to check and do rfkill unblock ..."
 [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi
 
+sleep 1
+echo; echo; echo;
+ip addr show dev ${SUBNET_IFACE}
+echo "Trying to bring interface ${SUBNET_IFACE} up ..."
 # bring subnet interface up
 ip link set up dev ${SUBNET_IFACE} || die "Failed bringing ${SUBNET_IFACE} up"
 
+sleep 1
+echo; echo; echo;
+echo "Finished test. Exiting ..."
+clean_exit
+exit
+
+
 # hostapd , haveged
 [[ $WIFI_IFACE ]] && run_wifi_ap_processes
 
@@ -2024,37 +2094,35 @@ if [[ $IPV6 -eq 1 ]] ; then
     ip -6 addr add ${GATEWAY6}/64  dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
 fi
 
-function check_iptables() {
-    if iptables --version | grep "nf_tables" >/dev/null 2>&1 ; then
-        echo -e "\nWARN: Your system is using nftables. This script is tested with iptables legacy only. If you encounter problems, visit following URL for infomation:\n  https://github.com/oblique/create_ap/issues/373\n  https://github.com/oblique/create_ap/issues/433\n  https://github.com/garywill/linux-router/issues/18\n" >&2
-    fi
-    
-    if ! lsmod | grep -E "\bxt_comment\b" >/dev/null 2>&1 ; then
-        XT_COMMENT=0
-    fi
-}
-
 check_iptables
 
+echo "NOTICE: Not showing all operations done to iptables rules"
+
+[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
+
 # enable Internet sharing
 if [[ "$SHARE_METHOD" == "none" ]]; then
 
     echo "No Internet sharing"
     
+    echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
+    
     [[ "$BANLAN" -eq 1 ]] && start_ban_lan
     
 elif [[ "$SHARE_METHOD" == "nat" ]]; then
 
-    [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2
+    [[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
+
+    [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
     
     start_nat
     
     [[ "$BANLAN" -eq 1 ]] && start_ban_lan
     
-    echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding"
+    echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode
     
     if [[ $IPV6 -eq 1 ]]; then
-        echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding"
+        echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits
     fi
     
     # to enable clients to establish PPTP connections we must
@@ -2067,7 +2135,7 @@ elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
         echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit
     fi
     
-    [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] &&  echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS, this may cause privacy leak !!!\n" >&2
+    [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] &&  echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
 
     [[ "$BANLAN" -eq 1 ]] && start_ban_lan
     
@@ -2085,7 +2153,7 @@ fi
 [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq )
 
 echo 
-echo "== Setting up completed, now linux-router is working =="
+echo "== Setting up completed, now linux-router should be working =="
 
 #============================================================
 #============================================================