Policy-Based-Routing (pbr) package discussion

Used to have the same issue with regards to interfaces not appearing, but with version 1.1.0-21 now I am able to see them.

Thing is, trying to start the service now ends with a segmentation fault. I'll attach the log here:

❯ service pbr start
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Activating traffic killswitch [✓]
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
Setting up routing for 'wan/pppoe-wan/REDACTED/REDACTED/64
REDACTED/64
fe80::1' RTNETLINK answers: File exists
[✓]
Setting up routing for 'wg0/10.0.5.1/ddf8:f929:5f71:3::1/64
fe80::e097:46ff:fef0:2d8e/64' RTNETLINK answers: File exists
[✓]
Setting up routing for 'ZeroTier/ztrta4adry/192.168.2.1/REDACTED/88
REDACTED/40
REDACTED/64
REDACTED/64' RTNETLINK answers: File exists
[✓]
Setting up routing for 'wg_usa/10.2.0.2/::/0' RTNETLINK answers: File exists
RTNETLINK answers: File exists
[✓]
Setting up routing for 'wg_uk/10.2.0.2/::/0' RTNETLINK answers: File exists
RTNETLINK answers: File exists
[✓]
Setting up routing for 'wg_spa/10.2.0.2/::/0' RTNETLINK answers: File exists
RTNETLINK answers: File exists
[✓]
Deactivating traffic killswitch [✓]
Segmentation fault

Thanks for the help!

Now ok. Thanks

Hi all,

I disabled my wireguard clients "zone" in openwrts firewall settings to make my setup compatible with pbr. (Old Rule: Zone ⇒ Forwardings lan --> wireguard, wan). Now the rule is only: zone > forwardings lan -> wan. And wginterface is assigned to the wan via Interface -> wginterface -> firewall settings -> assign interface.

I previously blocked all access to the internet from one ip on my lan to the wan network via traffic rule so it could only connect via the wireguard interface.

Now this rule stopped working. How can I implement a sort of kill-switch while using pbr. Something like if interface wireguard down, reject traffic from ip x.

Sorry about interfaces missing in WebUI, that should have been fixed in last build, just upgrade from my repo.

Hi @stangri

Is it possible to setup pbr with wireguard client and server but with a separated firewall zone each? using the old vpn-policy-routing package used to work fine but with pbr it doesn't. I see that the documentation only takes into consideration if the interfaces are added to the already existing wan and lan zones.

Thanks

@Smim0 if each tunnel has their own firewall zone it should still work. Documentation covers the easiest/least changes to the stock config as a recommended/preferred method, but if you create firewall zones and configure them correctly, pbr should work.

@stangri I can confirm it works amazing.

I have the ovpn tunnel setup not as a default gateway, so pbr is need to forward the traffic of a specific network to the tunnel.

Is there a possiblity to redirect the router's traffic also via the tunnel?

Thanks

Use OUTGOING chain for router traffic.

Hello. I've got a lot errors

Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:46 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg206ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:48 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg126ff5 netlink: Error: cache initialization failed: Protocol error
Wed Mar 29 16:03:48 2023 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg0_4_dst_ip_cfg126ff5 netlink: Error: cache initialization failed: Protocol error

Am i did something wrong?

I have no idea, tried looking up the error message and didn't find anything useful. If I were you I'd start with checking out Getting Help section in the README.

I tried find any information too. But no clues
Yeah, already tried this section from README too. But no help.
Thank you for trying to help

I'm getting errors on WAN + all Wireguard interfaces, but it seems to still work. (But I have to restart the service manually after rebooting the router). Any ideas?

Failed to set up any gateway!

Status:

Running (version: 1.0.1-16 using nft)

Yes, check Getting Help section of the README.

I just updated to OpenWRT 21.02.6, set up my dhcp and openvpn. Then I did dnsmasq-full, configured your repo and installed pbr-iptables and luci-app-pbr (after accidentally installing the "normal" pbr and then removing it). I then enabled pbr and set up a single policy for ipchicken.com so I could test it.

Unfortunately the service did not appear to work. It kept telling me:
user.notice pbr: Reload on interface status aborted: service not running.

On the Luci page it states:
Invalid OpenVPN config for nordvpn interface.

The VPN works fine, I'm connected just fine. The exact same configuration also worked on a test-router I did yesterday, where I installed OpenWRT 22.03. Exact same labels, names, tunnel configuration.

I did notice there's no IP listed:
Failed to set up 'nordvpn/tun0/0.0.0.0'!

In the log it stated:
daemon.notice procd: /etc/rc.d/S94pbr: Object "-full" is unknown, try "ip help".

So I tried starting it manually through /etc/rc.d/pbr (changed the IPs):

Activating traffic killswitch [✓]
Object "-full" is unknown, try "ip help".
Setting up routing for 'wan/111.222.333.444' Object "-full" is unknown, try "ip help".
Object "-full" is unknown, try "ip help".
[✗]
Object "-full" is unknown, try "ip help".
Setting up routing for 'nordvpn/tun0/0.0.0.0' Object "-full" is unknown, try "ip help".
Object "-full" is unknown, try "ip help".
[✗]
Routing 'IP Chicken' via wan [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.0-21 monitoring interfaces: wan nordvpn
ERROR: Failed to set up 'wan/111.222.333.444'!
ERROR: Failed to set up 'nordvpn/tun0/0.0.0.0'!
ERROR: Failed to set up any gateway!
WARNING: Invalid OpenVPN config for 'nordvpn' interface.

This annoyed the heck out of me.

I noticed this line:
cat /etc/init.d/pbr | grep '\-full'
readonly ip_full='/usr/libexec/ip-full'

Which did exist:
ls -l /usr/libexec/
-rwxr-xr-x 1 root root 426308 Oct 27 2021 ip-full

But gave me the same error as in the logs:
/usr/libexec/ip-full
Object "-full" is unknown, try "ip help".

So on a whim I changed the line to /sbin/ip and tried starting pbr again:

Activating traffic killswitch [✓]
Setting up routing for 'wan/111.222.333.444' [✓]
Setting up routing for 'nordvpn/tun0/222.333.444.555' [✓]
Routing 'IP Chicken' via wan [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.0-21 monitoring interfaces: wan nordvpn
pbr 1.1.0-21 (iptables) started with gateways:
wan/111.222.333.444
nordvpn/tun0/222.333.444.555 [✓]
WARNING: Invalid OpenVPN config for 'nordvpn' interface.

Apart from that odd error about the OpenVPN config (which comes straight from them) the service reports no further errors.

IPChicken still thinks I'm NordVPN though.

I'm just about out of ideas. Here's hoping somebody can help me over the weekend, otherwise connecting to work on Monday will be a challenge without a bypass.

EDIT: Yay, my browser forgot a few things and ipchicken now reports my ISP. So I guess it's working - sort of?

I installed 2 other routers with 22 and both were fine. I guess it must be a bugged ip-full package.

PS I know a better workaround would have been to create a symlink rather than edit the init file. What can I say, I was frustrated.

There is one thing I don't quite get. The nft set support. The interface keeps telling me it does not support it, as does the instruction page on several locations. And yet...

image765×259 6.56 KB

By the way, those instructions didn't work on either of the 3 routers I upgraded to 21 & 22. Each ended up without any dnsmasq because dependencies were not installed.

These from the simple-adblock page do work:

opkg update; cd /tmp/ && opkg download dnsmasq-full; opkg install ipset libnettle8 libnetfilter-conntrack3;
opkg remove dnsmasq; opkg install dnsmasq-full --cache /tmp/; rm -f /tmp/dnsmasq-full*.ipk;

Although I did an opkg download of all of them and their dependencies so I didn't have to explicitly install anything except dnsmasq-full.

1.1.0-23 should have this addressed.

Elaborate please.

If installed dnsmasq-full has nft support it will be enabled.

Did you receive any errors? What were they?

Thank you, I will reverse my duct tape and update the -21 version I have now.

So, there is a version right now in OpenWRT which supports it? Or is it simply not yet supported in any version of OpenWRT because neither dnsmasq nor dnsmasq-full in the OpenWRT repos support it? It's confusing to me because it reads as if the support can be enabled right now simply by installing dnsmasq-full.

Basically it tried to pull in dependencies. Since the removal of dnsmasq disabled name resolution the repo (downloads.openwrt.org) could no longer be found.

On the vanilla OpenWRT 22 I had to download:

• libgmp10
• libnettle8
• kmod-nf-ipt
• kmod-ipt-core
• kmod-ipt-ipset
• libnfnetlink0
• kmod-nf-conntrack-netlink
• libnetfilter-conntrack3

It was not kind to me either, it only gave me one at a time.

The code-block I posted previously has opkg install ipset libnettle8 libnetfilter-conntrack3 in it, which is likely why that works. It pulls all these things in.

I guess these packages are (in)directory required by dnsmasq-full but not installed by default on vanilla OWRT.

master snapshots version supports it. there were binaries floating around for 22.03 which support it. if you install dnsmasq 2.88 or higher on OpenWrt, it only supports nft sets, not ipsets.

Hello.
When trying to install the latest version of the package on the openwrt-21.02 branch (git-23.093.57360-e98243e), I encountered a number of problems.
There was a package conflict when trying to install pbr over vpn-policy-routing, even though the instructions say that pbr will remove the old package automatically.
After manually deleting vpn-policy-routing, the config from vpn-policy-routing to pbr was successfully migrated
After that, I had exactly the same problem as here. So on a when I changed the line to /sbin/ip and tried starting pbr again.
Now with partial success. Some routings have error was like "ERROR: The ipset name 'pbr_CloudFlare_4_src_net_cfg0e6ff5' is longer than allowed 31 characters!"
OK. After changing interface names it's finaly started without any problems, except.

• I don't see my interfaces except "wan" in luci-pbr even after adding them in list "supported_interface" parameter, but they are routing fine if manualy added in parameter "option interface" of pbr config.
• Seems like pbr ignoring "list ignored_interface" parameter also.
  Is it all cause incompatible versions of pbr and my openwrt or what? thank you.

ubus call system board

{
        "kernel": "5.4.154",
        "hostname": "Owlishka",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C59 v1",
        "board_name": "tplink,archer-c59-v1",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.1",
                "revision": "r16325-88151b8303",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.1 r16325-88151b8303"
        }
}

uci export dhcp

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option rebind_protection '0'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5055'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '/use-application-dns.net/'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

uci export firewall

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan6'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config ipset
        option name 'rublack-dns'
        option storage 'hash'
        option match 'dest_ip'
        option timeout '86400'

config ipset
        option name 'rublack-ip'
        option storage 'hash'
        option match 'dest_ip'

config ipset
        option name 'rublack-ip-tmp'
        option storage 'hash'
        option match 'dest_ip'

config ipset
        option name 'onion'
        option storage 'hash'
        option match 'dest_ip'
        option timeout '86400'

config redirect
        option name 'torify-blocked-dns'
        option src 'lan'
        option proto 'tcp'
        option ipset 'rublack-dns'
        option dest_port '9040'
        option dest 'lan'
        option enabled '0'

config redirect
        option name 'torify-blocked-ip'
        option src 'lan'
        option proto 'tcp'
        option ipset 'rublack-ip'
        option dest_port '9040'
        option dest 'lan'
        option enabled '0'

config redirect
        option name 'torify-onion'
        option src 'lan'
        option proto 'tcp'
        option ipset 'onion'
        option dest_port '9040'
        option dest 'lan'
        option enabled '0'

config redirect
        option name 'torify-blocked-dns-zerotier'
        option src 'vpn'
        option proto 'tcp'
        option ipset 'rublack-dns'
        option dest_port '9040'
        option dest 'lan'
        option enabled '0'

config redirect
        option name 'torify-blocked-ip-zerotier'
        option src 'vpn'
        option proto 'tcp'
        option ipset 'rublack-ip'
        option dest_port '9040'
        option dest 'lan'
        option enabled '0'

config redirect
        option name 'torify-onion-zerotier'
        option src 'vpn'
        option proto 'tcp'
        option ipset 'onion'
        option dest_port '9040'
        option dest 'lan'
        option enabled '0'

config rule
        option dest_port '9993'
        option src '*'
        option name 'Allow-ZeroTier-Inbound'
        option target 'ACCEPT'
        list proto 'udp'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        list network 'ZeroTier'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        option name 'wgzone'
        list network 'CF'
        list network 'j_hongkong'
        list network 'CF_USA'

config forwarding
        option dest 'lan'
        option src 'wgzone'

config forwarding
        option src 'wan'
        option dest 'wgzone'

config forwarding
        option src 'wgzone'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wgzone'

config redirect
        option target 'DNAT'
        option name 'zerotier-wan'
        option dest_ip '192.168.1.1'
        option src 'lan'
        list proto 'all'
        option src_ip '192.168.0.182'
        option dest 'wgzone'

config forwarding
        option src 'wan'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config redirect
        option target 'DNAT'
        option src 'lan'
        option name 'Intercept-DNS'
        option dest 'wan'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '53'

config forwarding
        option src 'vpn'
        option dest 'wgzone'

config forwarding
        option src 'wan'
        option dest 'vpn'

config forwarding
        option src 'wgzone'
        option dest 'vpn'

config nat
        option src_ip '192.168.1.144'
        option target 'MASQUERADE'
        option device 'CloudFlare'
        option src 'wan'
        list proto 'all'
        option enabled '0'

config rule
        option name 'tv'
        option src 'lan'
        list src_ip '192.168.1.108'
        option target 'REJECT'
        list proto 'all'
        option dest '*'
        option enabled '0'

config rule
        option name 'beeline box'
        list proto 'all'
        option src 'lan'
        list src_ip '192.168.1.161'
        option dest '*'
        option target 'REJECT'
        option enabled '0'

uci export network

package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd15:8c5f:7f43::/48'

config interface 'wan'
        option proto 'dhcp'
        option force_link '1'
        option device 'eth1'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option force_link '1'
        option device 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 4 3 2'

config interface 'ZeroTier'
        option proto 'none'
        option device 'zt2lr2oxhx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'CF'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '172.16.0.2/32'
        list addresses 'fd01:5ca1:ab1e:8942:ef0d:607f:30c2:e9ec/128'

config wireguard_CF
        option public_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_port '2408'
        option persistent_keepalive '25'
        option endpoint_host '162.159.193.5'

config interface 'CF_USA'
        option proto 'wireguard'
        option peerdns '0'
        list dns '162.159.36.1'
        list dns '2606:4700:4700::1111'
        option private_key 'xxx'
        list addresses '172.16.0.2/32'
        list addresses 'fd01:5ca1:ab1e:8a2d:a4ea:9215:7908:5d53/128'
        option force_link '1'

config wireguard_CF_USA
        option public_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_port '2408'
        option endpoint_host '162.159.192.1'

config interface 'j_hongkong'
        option proto 'wireguard'
        option peerdns '0'
        list dns '8.8.8.8'
        option auto '0'
        option private_key 'xxx'
        list addresses '192.168.6.131/32'

config wireguard_j_hongkong
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_port '1024'
        option public_key 'xxx'
        option endpoint_host 'premiuk.vpnjantit.com'

uci export pbr

package pbr

config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_set 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver zerotier tor'
        option boot_timeout '30'
        option procd_reload_delay '1'
        option webui_protocol_column '0'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_sorting '0'
        option webui_chain_column '1'
        option secure_reload '0'
        option enabled '1'
        list supported_interface 'wan CF CF_USA'
        option rule_create_option 'add'

config include
        option path '/etc/pbr.netflix.user'
        option enabled '0'

config include
        option path '/etc/pbr.aws.user'
        option enabled '0'

config include
        option path '/etc/pbr.rkn.user'
        option enabled '0'

config policy
        option name 'zerotier'
        option src_addr '192.168.0.80'
        option interface 'CF'
        option chain 'output'
        option enabled '0'
        option dest_addr '2ip.ru'

config policy
        option name 'zerotier2'
        option src_addr '192.168.0.80'
        option interface 'CF'
        option chain 'forward'
        option enabled '0'
        option dest_addr '2ip.ru'

config policy
        option name 'WARP_all'
        option enabled '0'
        option src_addr '192.168.1.144'
        option chain 'forward'
        option interface 'CF'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'jamonshop.es'
        option dest_addr 'jamonshop.es'

config policy
        option name '2ip.ru'
        option dest_addr '2ip.ru'
        option src_addr '192.168.0.0/23'
        option interface 'CF'

config policy
        option name 'whatismyipaddress.com'
        option dest_addr 'whatismyipaddress.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF_USA'

config policy
        option name 'whatismyip.com'
        option dest_addr 'www.whatismyip.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF'

config policy
        option name 'rutracker.org'
        option dest_addr 'rutracker.org rutracker.net rutracker.nl'
        option interface 'CF'
        option src_addr '192.168.0.0/23'

config policy
        option src_addr '192.168.0.0/23'
        option dest_addr 'speedtest.net'
        option name 'speedtest.net'
        option interface 'CF'

config policy
        option name 'nnmclub.to'
        option src_addr '192.168.0.0/23'
        option dest_addr 'nnmclub.to 172.67.144.20'
        option interface 'CF'

config policy
        option name 'flibusta.is'
        option src_addr '192.168.0.0/23'
        option dest_addr 'flibusta.is'
        option interface 'CF'

config policy
        option name 'lib.rus.ec'
        option src_addr '192.168.0.0/23'
        option dest_addr 'lib.rus.ec'
        option interface 'CF'

config policy
        option name 'rustorka.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'rustorka.com'
        option interface 'CF'

config policy
        option name 'bt.t-ru.org'
        option src_addr '192.168.0.0/23'
        option dest_addr 'bt.t-ru.org bt2.t-ru.org bt3.t-ru.org bt4.t-ru.org'
        option interface 'CF'

config policy
        option name 'rutor.org'
        option src_addr '192.168.0.0/23'
        option dest_addr 'rutor.info new-rutor.org rutor.is'
        option interface 'CF'

config policy
        option name 'underver.se'
        option src_addr '192.168.0.0/23'
        option dest_addr 'underver.se'
        option interface 'CF'

config policy
        option name '4pda.ru'
        option src_addr '192.168.0.0/23'
        option dest_addr '4pda.ru'
        option interface 'CF'

config policy
        option name 'navalny.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'navalny.com fbk.info'
        option interface 'CF'

config policy
        option name 'hdrezka.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option dest_addr 'hdrezka.com hdrezka.bet'

config policy
        option name 'hdkinoteatr.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'hdkinoteatr.com'
        option interface 'CF'

config policy
        option name 'rarbgmirror.org'
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option dest_addr 'rarbgmirror.org rarbg.to'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'lurklurk.com'
        option dest_addr 'lurklurk.com'

config policy
        option name 'linkedin.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'linkedin.com static-exp1.licdn.com'
        option interface 'CF'

config policy
        option name 'ookla.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'ookla.com'
        option interface 'CF'

config policy
        option name 'trakt.tv'
        option src_addr '192.168.0.0/23'
        option dest_addr 'trakt.tv'
        option interface 'CF'

config policy
        option name 'thepiratebay'
        option src_addr '192.168.0.0/23'
        option dest_addr 'thepiratebay.party'
        option interface 'CF'

config policy
        option name 'torproject.org'
        option src_addr '192.168.0.0/23'
        option dest_addr 'torproject.org'
        option interface 'CF'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'tvrain.ru'
        option dest_addr 'tvrain.ru'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'echo'
        option dest_addr 'echo.msk.ru echofm.online'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'wisdomjobs.com'
        option dest_addr 'wisdomjobs.com'

config policy
        option name 'facebook.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option dest_addr 'facebook.com connect.facebook.net fbcdn.net fb.com ru-ru.facebook.com'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'svoboda.org'
        option dest_addr 'svoboda.org www.svoboda.org vp.www.svoboda.org.edgekey.net gdb.rferl.org e4887.dscb.akamaiedge.net 95.100.107.1/23 80.239.254.1/23'

config policy
        option name 'twitter.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option dest_addr 'twitter.com api.twitter.com mobile.twitter.com abs.twimg.com pbs.twimg.com'

config policy
        option name 'anonfiles.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'anonfiles.com'
        option interface 'CF'

config policy
        option name 'cloudflare.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'CF.com'
        option interface 'CF'

config policy
        option name 'instagram.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option dest_addr 'i.instagram.com www.instagram.com instagram.com graph.instagram.com scontent.cdninstagram.com scontent-arn2-1.cdninstagram.com static.cdninstagram.com'

config policy
        option name 'zona.media'
        option src_addr '192.168.0.0/23'
        option dest_addr 'zona.media'
        option interface 'CF'

config policy
        option name 'meduza.io'
        option src_addr '192.168.0.0/23'
        option dest_addr 'meduza.io'
        option interface 'CF'

config policy
        option name 'theins.ru'
        option src_addr '192.168.0.0/23'
        option dest_addr 'theins.ru'
        option interface 'CF'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'google.com'
        option enabled '0'
        option dest_addr 'news.google.com play.google.com safebrosing.googleapis.com signaler-pa.clients6.google.com'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'mrakopedia.net'
        option dest_addr 'mrakopedia.net'

config policy
        option name 'fantasy-worlds.org'
        option src_addr '192.168.0.0/23'
        option dest_addr 'fantasy-worlds.org'
        option interface 'CF'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'youtube'
        option dest_addr 'yt3.ggpht.com'

config policy
        option name 'istories.media'
        option src_addr '192.168.0.0/23'
        option dest_addr 'istories.media'
        option interface 'CF'

config policy
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option name 'db'
        option dest_addr 'saverudata.info saverudata.net saverudata.online'

config policy
        option name 'bbc.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'bbc.com'
        option interface 'CF'

config policy
        option name 'igg-games.com'
        option src_addr '192.168.0.0/23'
        option interface 'CF'
        option dest_addr 'igg-games.com pcgamestorrents.com'

config policy
        option name 'hackernoon.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'hackernoon.com'
        option interface 'CF'

config policy
        option name 'wikiwand.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'www.wikiwand.com'
        option interface 'CF'

config policy
        option name 'quora.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'quora.com www.quora.com'
        option interface 'CF'

config policy
        option name 'dailymotion.com'
        option src_addr '192.168.0.0/23'
        option dest_addr 'dailymotion.com'
        option interface 'CF'

config policy
        option name 'torrentgalaxy.to'
        option src_addr '192.168.0.0/23'
        option dest_addr 'torrentgalaxy.to'
        option interface 'CF'

Sorry, characters limit 1.
/etc/init.d/pbr status

pbr 1.1.0-21 running on OpenWrt 21.02.1. WAN (IPv4): wan/eth1/100.116.0.1.
============================================================
Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         100.116.0.1     0.0.0.0         UG    0      0        0 eth1
IPv4 table 256 route: default via 100.116.0.1 dev eth1
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 192.168.0.111 dev zt2lr2oxhx
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_ZeroTier
IPv4 table 258 route: default via 172.16.0.2 dev CF
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_CF
IPv4 table 259 route: default via 172.16.0.2 dev CF_USA
IPv4 table 259 rule(s):
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_CF_USA
IPv4 table 260 route: unreachable default
IPv4 table 260 rule(s):
30004:  from all fwmark 0x50000/0xff0000 lookup pbr_j_hongkong
============================================================
Mangle IP Table: FORWARD
-N PBR_FORWARD
============================================================
Mangle IP Table: INPUT
-N PBR_INPUT
============================================================
Mangle IP Table: OUTPUT
-N PBR_OUTPUT
============================================================
Mangle IP Table: POSTROUTING
-N PBR_POSTROUTING
============================================================
Mangle IP Table: PREROUTING
-N PBR_PREROUTING
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg086ff5 dst -m comment --comment jamonshop_es -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg096ff5 dst -m comment --comment 2ip_ru -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_USA_4_dst_ip_cfg0a6ff5 dst -m comment --comment whatismyipaddress_com -c 0 0 -g PBR_MARK_0x040000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg0b6ff5 dst -m comment --comment whatismyip_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg0c6ff5 dst -m comment --comment rutracker_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg0d6ff5 dst -m comment --comment speedtest_net -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg0e6ff5 dst -m comment --comment nnmclub_to -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg0f6ff5 dst -m comment --comment flibusta_is -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg106ff5 dst -m comment --comment lib_rus_ec -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg116ff5 dst -m comment --comment rustorka_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg126ff5 dst -m comment --comment bt_t-ru_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg136ff5 dst -m comment --comment rutor_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg146ff5 dst -m comment --comment underver_se -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg156ff5 dst -m comment --comment 4pda_ru -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg166ff5 dst -m comment --comment navalny_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg176ff5 dst -m comment --comment hdrezka_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg186ff5 dst -m comment --comment hdkinoteatr_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg196ff5 dst -m comment --comment rarbgmirror_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg1a6ff5 dst -m comment --comment lurklurk_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg1b6ff5 dst -m comment --comment linkedin_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg1c6ff5 dst -m comment --comment ookla_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg1d6ff5 dst -m comment --comment trakt_tv -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg1e6ff5 dst -m comment --comment thepiratebay -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg1f6ff5 dst -m comment --comment torproject_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg206ff5 dst -m comment --comment tvrain_ru -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg216ff5 dst -m comment --comment echo -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg226ff5 dst -m comment --comment wisdomjobs_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg236ff5 dst -m comment --comment facebook_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg246ff5 dst -m comment --comment svoboda_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -d 95.100.106.0/23 -m comment --comment svoboda_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -d 80.239.254.0/23 -m comment --comment svoboda_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg256ff5 dst -m comment --comment twitter_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg266ff5 dst -m comment --comment anonfiles_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg276ff5 dst -m comment --comment cloudflare_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg286ff5 dst -m comment --comment instagram_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg296ff5 dst -m comment --comment zona_media -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg2a6ff5 dst -m comment --comment meduza_io -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg2b6ff5 dst -m comment --comment theins_ru -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg2d6ff5 dst -m comment --comment mrakopedia_net -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg2e6ff5 dst -m comment --comment fantasy-worlds_org -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg2f6ff5 dst -m comment --comment youtube -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg306ff5 dst -m comment --comment istories_media -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg316ff5 dst -m comment --comment db -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg326ff5 dst -m comment --comment bbc_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg336ff5 dst -m comment --comment igg-games_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg346ff5 dst -m comment --comment hackernoon_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg356ff5 dst -m comment --comment wikiwand_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg366ff5 dst -m comment --comment quora_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg376ff5 dst -m comment --comment dailymotion_com -c 0 0 -g PBR_MARK_0x030000
-A PBR_PREROUTING -s 192.168.0.0/23 -m set --match-set pbr_CF_4_dst_ip_cfg386ff5 dst -m comment --comment torrentgalaxy_to -c 0 0 -g PBR_MARK_0x030000
============================================================
Mangle IP Table MARK Chain: PBR_MARK_0x010000
-N PBR_MARK_0x010000
-A PBR_MARK_0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A PBR_MARK_0x010000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: PBR_MARK_0x020000
-N PBR_MARK_0x020000
-A PBR_MARK_0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A PBR_MARK_0x020000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: PBR_MARK_0x030000
-N PBR_MARK_0x030000
-A PBR_MARK_0x030000 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A PBR_MARK_0x030000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: PBR_MARK_0x040000
-N PBR_MARK_0x040000
-A PBR_MARK_0x040000 -c 0 0 -j MARK --set-xmark 0x40000/0xff0000
-A PBR_MARK_0x040000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: PBR_MARK_0x050000
-N PBR_MARK_0x050000
-A PBR_MARK_0x050000 -c 0 0 -j MARK --set-xmark 0x50000/0xff0000
-A PBR_MARK_0x050000 -c 0 0 -j RETURN
============================================================
NAT IP Table: FORWARD
-N PBR_FORWARD
-A PBR_FORWARD -p udp -m udp --dport 443 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTPS-UDP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_FORWARD -p tcp -m tcp --dport 443 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTPS-TCP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_FORWARD -p udp -m udp --dport 80 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTP-UDP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_FORWARD -p tcp -m tcp --dport 80 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTP-TCP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_FORWARD -p udp -m udp --dport 53 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorDNS-UDP -c 0 0 -j REDIRECT --to-ports 9053
============================================================
NAT IP Table: INPUT
-N PBR_INPUT
============================================================
NAT IP Table: OUTPUT
-N PBR_OUTPUT
-A PBR_OUTPUT -p udp -m udp --dport 443 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTPS-UDP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_OUTPUT -p tcp -m tcp --dport 443 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTPS-TCP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_OUTPUT -p udp -m udp --dport 80 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTP-UDP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_OUTPUT -p tcp -m tcp --dport 80 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTP-TCP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_OUTPUT -p udp -m udp --dport 53 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorDNS-UDP -c 0 0 -j REDIRECT --to-ports 9053
============================================================
NAT IP Table: POSTROUTING
-N PBR_POSTROUTING
============================================================
NAT IP Table: PREROUTING
-N PBR_PREROUTING
-A PBR_PREROUTING -p udp -m udp --dport 443 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTPS-UDP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_PREROUTING -p tcp -m tcp --dport 443 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTPS-TCP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_PREROUTING -p udp -m udp --dport 80 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTP-UDP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_PREROUTING -p tcp -m tcp --dport 80 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorHTTP-TCP -c 0 0 -j REDIRECT --to-ports 9040
-A PBR_PREROUTING -p udp -m udp --dport 53 -m set --match-set pbr_tor_4_dst_ip dst -m comment --comment TorDNS-UDP -c 0 0 -j REDIRECT --to-ports 9053
============================================================
Current ipsets
create rublack-dns hash:ip family inet hashsize 1024 maxelem 65536 timeout 86400
create rublack-ip hash:ip family inet hashsize 1024 maxelem 65536
create rublack-ip-tmp hash:ip family inet hashsize 1024 maxelem 65536
create onion hash:ip family inet hashsize 1024 maxelem 65536 timeout 86400
create pbr_tor_4_dst_ip hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg086ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg086ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg096ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg096ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_USA_4_src_net_cfg0a6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_USA_4_dst_ip_cfg0a6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg0b6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg0b6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg0c6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg0c6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg0d6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg0d6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg0e6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg0e6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
add pbr_CF_4_dst_ip_cfg0e6ff5 172.67.144.20 comment "nnmclub.to: 172.67.144.20"
create pbr_CF_4_src_net_cfg0f6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg0f6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg106ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg106ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg116ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg116ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg126ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg126ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg136ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg136ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg146ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg146ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg156ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg156ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg166ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg166ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg176ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg176ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg186ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg186ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg196ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg196ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg1a6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg1a6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg1b6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg1b6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg1c6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg1c6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg1d6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg1d6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg1e6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg1e6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg1f6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg1f6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg206ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg206ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg216ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg216ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg226ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg226ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg236ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg236ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg246ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg246ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_net_cfg246ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg256ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg256ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg266ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg266ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg276ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg276ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg286ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg286ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg296ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg296ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg2a6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg2a6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg2b6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg2b6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg2d6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg2d6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg2e6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg2e6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg2f6ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg2f6ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg306ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg306ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg316ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg316ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg326ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg326ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg336ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg336ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg346ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg346ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg356ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg356ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg366ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg366ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg376ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg376ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_src_net_cfg386ff5 hash:net family inet hashsize 1024 maxelem 65536 comment
create pbr_CF_4_dst_ip_cfg386ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
============================================================
DNSMASQ sets
ipset=/jamonshop.es/pbr_CF_4_dst_ip_cfg086ff5 # jamonshop.es: jamonshop.es
ipset=/2ip.ru/pbr_CF_4_dst_ip_cfg096ff5 # 2ip.ru: 2ip.ru
ipset=/whatismyipaddress.com/pbr_CF_USA_4_dst_ip_cfg0a6ff5 # whatismyipaddress.com: whatismyipaddress.com
ipset=/www.whatismyip.com/pbr_CF_4_dst_ip_cfg0b6ff5 # whatismyip.com: www.whatismyip.com
ipset=/rutracker.org/pbr_CF_4_dst_ip_cfg0c6ff5 # rutracker.org: rutracker.org
ipset=/rutracker.net/pbr_CF_4_dst_ip_cfg0c6ff5 # rutracker.org: rutracker.net
ipset=/rutracker.nl/pbr_CF_4_dst_ip_cfg0c6ff5 # rutracker.org: rutracker.nl
ipset=/speedtest.net/pbr_CF_4_dst_ip_cfg0d6ff5 # speedtest.net: speedtest.net
ipset=/nnmclub.to/pbr_CF_4_dst_ip_cfg0e6ff5 # nnmclub.to: nnmclub.to
ipset=/flibusta.is/pbr_CF_4_dst_ip_cfg0f6ff5 # flibusta.is: flibusta.is
ipset=/lib.rus.ec/pbr_CF_4_dst_ip_cfg106ff5 # lib.rus.ec: lib.rus.ec
ipset=/rustorka.com/pbr_CF_4_dst_ip_cfg116ff5 # rustorka.com: rustorka.com
ipset=/bt.t-ru.org/pbr_CF_4_dst_ip_cfg126ff5 # bt.t-ru.org: bt.t-ru.org
ipset=/bt2.t-ru.org/pbr_CF_4_dst_ip_cfg126ff5 # bt.t-ru.org: bt2.t-ru.org
ipset=/bt3.t-ru.org/pbr_CF_4_dst_ip_cfg126ff5 # bt.t-ru.org: bt3.t-ru.org
ipset=/bt4.t-ru.org/pbr_CF_4_dst_ip_cfg126ff5 # bt.t-ru.org: bt4.t-ru.org
ipset=/rutor.info/pbr_CF_4_dst_ip_cfg136ff5 # rutor.org: rutor.info
ipset=/new-rutor.org/pbr_CF_4_dst_ip_cfg136ff5 # rutor.org: new-rutor.org
ipset=/rutor.is/pbr_CF_4_dst_ip_cfg136ff5 # rutor.org: rutor.is
ipset=/underver.se/pbr_CF_4_dst_ip_cfg146ff5 # underver.se: underver.se
ipset=/4pda.ru/pbr_CF_4_dst_ip_cfg156ff5 # 4pda.ru: 4pda.ru
ipset=/navalny.com/pbr_CF_4_dst_ip_cfg166ff5 # navalny.com: navalny.com
ipset=/fbk.info/pbr_CF_4_dst_ip_cfg166ff5 # navalny.com: fbk.info
ipset=/hdrezka.com/pbr_CF_4_dst_ip_cfg176ff5 # hdrezka.com: hdrezka.com
ipset=/hdrezka.bet/pbr_CF_4_dst_ip_cfg176ff5 # hdrezka.com: hdrezka.bet
ipset=/hdkinoteatr.com/pbr_CF_4_dst_ip_cfg186ff5 # hdkinoteatr.com: hdkinoteatr.com
ipset=/rarbgmirror.org/pbr_CF_4_dst_ip_cfg196ff5 # rarbgmirror.org: rarbgmirror.org
ipset=/rarbg.to/pbr_CF_4_dst_ip_cfg196ff5 # rarbgmirror.org: rarbg.to
ipset=/lurklurk.com/pbr_CF_4_dst_ip_cfg1a6ff5 # lurklurk.com: lurklurk.com
ipset=/linkedin.com/pbr_CF_4_dst_ip_cfg1b6ff5 # linkedin.com: linkedin.com
ipset=/static-exp1.licdn.com/pbr_CF_4_dst_ip_cfg1b6ff5 # linkedin.com: static-exp1.licdn.com
ipset=/ookla.com/pbr_CF_4_dst_ip_cfg1c6ff5 # ookla.com: ookla.com
ipset=/trakt.tv/pbr_CF_4_dst_ip_cfg1d6ff5 # trakt.tv: trakt.tv
ipset=/thepiratebay.party/pbr_CF_4_dst_ip_cfg1e6ff5 # thepiratebay: thepiratebay.party
ipset=/torproject.org/pbr_CF_4_dst_ip_cfg1f6ff5 # torproject.org: torproject.org
ipset=/tvrain.ru/pbr_CF_4_dst_ip_cfg206ff5 # tvrain.ru: tvrain.ru
ipset=/echo.msk.ru/pbr_CF_4_dst_ip_cfg216ff5 # echo: echo.msk.ru
ipset=/echofm.online/pbr_CF_4_dst_ip_cfg216ff5 # echo: echofm.online
ipset=/wisdomjobs.com/pbr_CF_4_dst_ip_cfg226ff5 # wisdomjobs.com: wisdomjobs.com
ipset=/facebook.com/pbr_CF_4_dst_ip_cfg236ff5 # facebook.com: facebook.com
ipset=/connect.facebook.net/pbr_CF_4_dst_ip_cfg236ff5 # facebook.com: connect.facebook.net
ipset=/fbcdn.net/pbr_CF_4_dst_ip_cfg236ff5 # facebook.com: fbcdn.net
ipset=/fb.com/pbr_CF_4_dst_ip_cfg236ff5 # facebook.com: fb.com
ipset=/ru-ru.facebook.com/pbr_CF_4_dst_ip_cfg236ff5 # facebook.com: ru-ru.facebook.com
ipset=/svoboda.org/pbr_CF_4_dst_ip_cfg246ff5 # svoboda.org: svoboda.org
ipset=/www.svoboda.org/pbr_CF_4_dst_ip_cfg246ff5 # svoboda.org: www.svoboda.org
ipset=/vp.www.svoboda.org.edgekey.net/pbr_CF_4_dst_ip_cfg246ff5 # svoboda.org: vp.www.svoboda.org.edgekey.net
ipset=/gdb.rferl.org/pbr_CF_4_dst_ip_cfg246ff5 # svoboda.org: gdb.rferl.org
ipset=/e4887.dscb.akamaiedge.net/pbr_CF_4_dst_ip_cfg246ff5 # svoboda.org: e4887.dscb.akamaiedge.net
ipset=/twitter.com/pbr_CF_4_dst_ip_cfg256ff5 # twitter.com: twitter.com
ipset=/api.twitter.com/pbr_CF_4_dst_ip_cfg256ff5 # twitter.com: api.twitter.com
ipset=/mobile.twitter.com/pbr_CF_4_dst_ip_cfg256ff5 # twitter.com: mobile.twitter.com
ipset=/abs.twimg.com/pbr_CF_4_dst_ip_cfg256ff5 # twitter.com: abs.twimg.com
ipset=/pbs.twimg.com/pbr_CF_4_dst_ip_cfg256ff5 # twitter.com: pbs.twimg.com
ipset=/anonfiles.com/pbr_CF_4_dst_ip_cfg266ff5 # anonfiles.com: anonfiles.com
ipset=/CF.com/pbr_CF_4_dst_ip_cfg276ff5 # cloudflare.com: CF.com
ipset=/i.instagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: i.instagram.com
ipset=/www.instagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: www.instagram.com
ipset=/instagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: instagram.com
ipset=/graph.instagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: graph.instagram.com
ipset=/scontent.cdninstagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: scontent.cdninstagram.com
ipset=/scontent-arn2-1.cdninstagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: scontent-arn2-1.cdninstagram.com
ipset=/static.cdninstagram.com/pbr_CF_4_dst_ip_cfg286ff5 # instagram.com: static.cdninstagram.com
ipset=/zona.media/pbr_CF_4_dst_ip_cfg296ff5 # zona.media: zona.media
ipset=/meduza.io/pbr_CF_4_dst_ip_cfg2a6ff5 # meduza.io: meduza.io
ipset=/theins.ru/pbr_CF_4_dst_ip_cfg2b6ff5 # theins.ru: theins.ru
ipset=/mrakopedia.net/pbr_CF_4_dst_ip_cfg2d6ff5 # mrakopedia.net: mrakopedia.net
ipset=/fantasy-worlds.org/pbr_CF_4_dst_ip_cfg2e6ff5 # fantasy-worlds.org: fantasy-worlds.org
ipset=/yt3.ggpht.com/pbr_CF_4_dst_ip_cfg2f6ff5 # youtube: yt3.ggpht.com
ipset=/istories.media/pbr_CF_4_dst_ip_cfg306ff5 # istories.media: istories.media
ipset=/saverudata.info/pbr_CF_4_dst_ip_cfg316ff5 # db: saverudata.info
ipset=/saverudata.net/pbr_CF_4_dst_ip_cfg316ff5 # db: saverudata.net
ipset=/saverudata.online/pbr_CF_4_dst_ip_cfg316ff5 # db: saverudata.online
ipset=/bbc.com/pbr_CF_4_dst_ip_cfg326ff5 # bbc.com: bbc.com
ipset=/igg-games.com/pbr_CF_4_dst_ip_cfg336ff5 # igg-games.com: igg-games.com
ipset=/pcgamestorrents.com/pbr_CF_4_dst_ip_cfg336ff5 # igg-games.com: pcgamestorrents.com
ipset=/hackernoon.com/pbr_CF_4_dst_ip_cfg346ff5 # hackernoon.com: hackernoon.com
ipset=/www.wikiwand.com/pbr_CF_4_dst_ip_cfg356ff5 # wikiwand.com: www.wikiwand.com
ipset=/quora.com/pbr_CF_4_dst_ip_cfg366ff5 # quora.com: quora.com
ipset=/www.quora.com/pbr_CF_4_dst_ip_cfg366ff5 # quora.com: www.quora.com
ipset=/dailymotion.com/pbr_CF_4_dst_ip_cfg376ff5 # dailymotion.com: dailymotion.com
ipset=/torrentgalaxy.to/pbr_CF_4_dst_ip_cfg386ff5 # torrentgalaxy.to: torrentgalaxy.to
============================================================
Your support details have been logged to '/var/pbr-support'. [✓]

/etc/init.d/pbr reload

Setting up routing for 'wan/eth1/100.116.0.1' [✓]
Setting up routing for 'ZeroTier/zt2lr2oxhx/192.168.0.111' [✓]
Setting up routing for 'CF/172.16.0.2' [✓]
Setting up routing for 'CF_USA/172.16.0.2' [✓]
Setting up routing for 'j_hongkong/0.0.0.0' [✓]
WARNING: Variable 'tor' does not exist or is not an array/object
WARNING: Variable 'instances' does not exist or is not an array/object
WARNING: Variable 'instance1' does not exist or is not an array/object
Creating TOR redirects [✗]
Routing 'jamonshop.es' via CF [✓]
Routing '2ip.ru' via CF [✓]
Routing 'whatismyipaddress.com' via CF_USA [✓]
Routing 'whatismyip.com' via CF [✓]
Routing 'rutracker.org' via CF [✓]
Routing 'speedtest.net' via CF [✓]
Routing 'nnmclub.to' via CF [✓]
Routing 'flibusta.is' via CF [✓]
Routing 'lib.rus.ec' via CF [✓]
Routing 'rustorka.com' via CF [✓]
Routing 'bt.t-ru.org' via CF [✓]
Routing 'rutor.org' via CF [✓]
Routing 'underver.se' via CF [✓]
Routing '4pda.ru' via CF [✓]
Routing 'navalny.com' via CF [✓]
Routing 'hdrezka.com' via CF [✓]
Routing 'hdkinoteatr.com' via CF [✓]
Routing 'rarbgmirror.org' via CF [✓]
Routing 'lurklurk.com' via CF [✓]
Routing 'linkedin.com' via CF [✓]
Routing 'ookla.com' via CF [✓]
Routing 'trakt.tv' via CF [✓]
Routing 'thepiratebay' via CF [✓]
Routing 'torproject.org' via CF [✓]
Routing 'tvrain.ru' via CF [✓]
Routing 'echo' via CF [✓]
Routing 'wisdomjobs.com' via CF [✓]
Routing 'facebook.com' via CF [✓]
Routing 'svoboda.org' via CF [✓]
Routing 'twitter.com' via CF [✓]
Routing 'anonfiles.com' via CF [✓]
Routing 'cloudflare.com' via CF [✓]
Routing 'instagram.com' via CF [✓]
Routing 'zona.media' via CF [✓]
Routing 'meduza.io' via CF [✓]
Routing 'theins.ru' via CF [✓]
Routing 'mrakopedia.net' via CF [✓]
Routing 'fantasy-worlds.org' via CF [✓]
Routing 'youtube' via CF [✓]
Routing 'istories.media' via CF [✓]
Routing 'db' via CF [✓]
Routing 'bbc.com' via CF [✓]
Routing 'igg-games.com' via CF [✓]
Routing 'hackernoon.com' via CF [✓]
Routing 'wikiwand.com' via CF [✓]
Routing 'quora.com' via CF [✓]
Routing 'dailymotion.com' via CF [✓]
Routing 'torrentgalaxy.to' via CF [✓]
pbr 1.1.0-21 monitoring interfaces: wan ZeroTier CF CF_USA j_hongkong
Command failed: Invalid argument
pbr 1.1.0-21 (iptables) started with gateways:
wan/eth1/100.116.0.1 [✓]
ZeroTier/zt2lr2oxhx/192.168.0.111
CF/172.16.0.2
CF_USA/172.16.0.2
j_hongkong/0.0.0.0
ERROR: Failed to set up 'tor/53->9053/80,443->9040'!
WARNING: Invalid OpenVPN config for 'ZeroTier' interface.