From 2d2c13e1ee52a4fcdb1cda1f01a4e922387127e1 Mon Sep 17 00:00:00 2001 From: gitea-action Date: Sat, 15 Mar 2025 01:00:27 +0800 Subject: [PATCH] nikki: sync upstream last commit: https://github.com/nikkinikki-org/OpenWrt-nikki/commit/a73c3678e8ec5419de69f55ba3a4f5134b55781f --- nikki/Makefile | 9 ++++----- nikki/files/nikki.init | 2 -- nikki/files/scripts/include.sh | 4 ---- nikki/files/ucode/hijack.ut | 30 +++++++++++++++++++++++------- nikki/files/ucode/include.uc | 14 ++++++++++++++ 5 files changed, 41 insertions(+), 18 deletions(-) diff --git a/nikki/Makefile b/nikki/Makefile index aca6ae041..389317ccb 100644 --- a/nikki/Makefile +++ b/nikki/Makefile @@ -5,9 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git -PKG_SOURCE_DATE:=2025-03-10 -PKG_SOURCE_VERSION:=c0de3c0e42dcbd7f6176143b00741f7774b70a08 -PKG_MIRROR_HASH:=1131cc9abde1cfbc0c5f5c228e835e2d5ce630565db661b7297f286c019da950 +PKG_SOURCE_DATE:=2025-03-14 +PKG_SOURCE_VERSION:=1e22f4daa964c54abea4c8b0f09f8171398a2821 +PKG_MIRROR_HASH:=0b65cd12cb6927b118d3802303b97dbc3299db1b3e6d8a849dedb32a276c30ff PKG_LICENSE:=GPL3.0+ PKG_MAINTAINER:=Joseph Mory @@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host PKG_BUILD_PARALLEL:=1 PKG_BUILD_FLAGS:=no-mips16 -PKG_BUILD_VERSION:=alpha-c0de3c0 +PKG_BUILD_VERSION:=alpha-1e22f4d PKG_BUILD_TIME:=$(shell date -u -Iseconds) GO_PKG:=github.com/metacubex/mihomo @@ -33,7 +33,6 @@ define Package/nikki URL:=https://wiki.metacubex.one DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +curl +yq firewall4 +ip-full +kmod-inet-diag +kmod-nft-tproxy +kmod-tun PROVIDES:=nikki mihomo - USERID:=root:nikki=1206 endef define Package/nikki/description diff --git a/nikki/files/nikki.init b/nikki/files/nikki.init index fbb91171d..a5c1d4d65 100644 --- a/nikki/files/nikki.init +++ b/nikki/files/nikki.init 
@@ -122,8 +122,6 @@ start_service() { procd_set_param reload_signal HUP fi procd_set_param respawn - procd_set_param user "$NIKKI_USER" - procd_set_param group "$NIKKI_GROUP" procd_set_param limits core="unlimited" nofile="1048576 1048576" diff --git a/nikki/files/scripts/include.sh b/nikki/files/scripts/include.sh index 94de99539..6a0b09105 100644 --- a/nikki/files/scripts/include.sh +++ b/nikki/files/scripts/include.sh @@ -1,9 +1,5 @@ #!/bin/sh -# permission -NIKKI_USER="root" -NIKKI_GROUP="nikki" - # routing TPROXY_FW_MARK="0x80" TUN_FW_MARK="0x81" diff --git a/nikki/files/ucode/hijack.ut b/nikki/files/ucode/hijack.ut index afdec5e29..9f0abfb0d 100644 --- a/nikki/files/ucode/hijack.ut +++ b/nikki/files/ucode/hijack.ut @@ -3,13 +3,13 @@ {%- 'use strict'; - import { readfile } from 'fs'; import { cursor } from 'uci'; import { connect } from 'ubus'; - import { uci_bool, uci_array } from '/etc/nikki/ucode/include.uc'; + import { uci_bool, uci_array, get_users, get_groups, get_cgroups } from '/etc/nikki/ucode/include.uc'; - const users = map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]); - const groups = map(split(readfile('/etc/group'), '\n'), (x) => split(x, ':')[0]); + const users = get_users(); + const groups = get_groups(); + const cgroups = get_cgroups(); const uci = cursor(); const ubus = connect(); 
@@ -41,8 +41,9 @@ const acl_mac = uci_array(uci.get('nikki', 'proxy', 'acl_mac')); const acl_interface = uci_array(uci.get('nikki', 'proxy', 'acl_interface')); - const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != "root" && index(users, x) >= 0); - const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != "root" && index(groups, x) >= 0); + const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != 'root' && index(users, x) >= 0); + const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != 'root' && index(groups, x) >= 0); + const bypass_cgroup = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_cgroup')), (x) => x != 'nikki' && index(cgroups, x) >= 0); const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp')); const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip')); const proxy_tcp_dport = split((uci.get('nikki', 'proxy', 'proxy_tcp_dport') ?? '0-65535'), ' '); @@ -80,7 +81,7 @@ push(proxy_dport, `udp . ${port}`); } - push(bypass_group, nikki_group); + push(bypass_cgroup, 'nikki'); -%} table inet nikki { @@ -134,6 +135,19 @@ table inet nikki { {% endif %} } + set bypass_cgroup { + type cgroupsv2 + flags interval + auto-merge + {% if (length(bypass_cgroup) > 0): %} + elements = { + {% for (let x in bypass_cgroup): %} + services/{{ x }}, + {% endfor %} + } + {% endif %} + } + set reserved_ip { type ipv4_addr flags interval @@ -305,6 +319,7 @@ table inet nikki { {% if (router_proxy): %} chain nat_output { type nat hook output priority filter; policy accept; + socket cgroupv2 level 2 @bypass_cgroup counter return meta skuid @bypass_user counter return meta skgid @bypass_group counter return meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} 
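Review bot: `push(bypass_cgroup, 'nikki');` in the `@@ -80,7 +81,7 @@` hunk adds the service's own cgroup unconditionally, while configured entries are kept only if they appear in `get_cgroups()`, so the rendered set always contains `services/nikki` whether or not that cgroup exists at render time. With the `procd_set_param group` line and the `push(bypass_group, nikki_group)` exemption removed in this same commit, the cgroup match appears to be the only thing keeping the proxy's own outbound traffic out of the output chains. If the path is missing (no cgroup v2, or the template is rendered before procd has created the service cgroup), nft will probably reject the element and the table will not load, leaving traffic unproxied. I would document the dependency next to the push, e.g. `// self-exemption is cgroup-only: needs cgroup v2 and services/nikki to exist before this template is rendered`, and have the caller check for the directory and log a clear error. The template block around the push starts and ends outside the hunk.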
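Review bot: The new rule `socket cgroupv2 level 2 @bypass_cgroup counter return` in `nat_output` hard-codes depth 2, which only matches because the set elements are written as `services/{{ x }}` and `get_cgroups()` lists `/sys/fs/cgroup/services`; nothing in the template says so. A comment above the rule such as `# level 2 == services/<name>; keep in sync with the bypass_cgroup set and get_cgroups()` would stop the three places drifting apart. Because the rule sits before the port-53 redirect, processes in a bypassed cgroup also skip DNS hijacking, which matches the existing skuid/skgid rules but is worth stating where the `bypass_cgroup` option is described. The same rule and the same comment apply to the `mangle_output` hunk (`@@ -328,6 +343,7 @@`); both chains continue outside their hunks.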
@@ -328,6 +343,7 @@ table inet nikki { chain mangle_output { type route hook output priority mangle; policy accept; + socket cgroupv2 level 2 @bypass_cgroup counter return meta skuid @bypass_user counter return meta skgid @bypass_group counter return fib daddr type { local, multicast, broadcast, anycast } counter return diff --git a/nikki/files/ucode/include.uc b/nikki/files/ucode/include.uc index 7282a457c..a9985bb7b 100644 --- a/nikki/files/ucode/include.uc +++ b/nikki/files/ucode/include.uc @@ -1,3 +1,5 @@ +import { readfile, lsdir, lstat } from 'fs'; + export function uci_bool(obj) { return obj == null ? null : obj == '1'; }; @@ -46,4 +48,16 @@ export function trim_all(obj) { return obj; } return obj; +}; + +export function get_users() { + return map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]); +}; + +export function get_groups() { + return map(split(readfile('/etc/group'), '\n'), (x) => split(x, ':')[0]); +}; + +export function get_cgroups() { + return filter(lsdir('/sys/fs/cgroup/services'), (x) => lstat(`/sys/fs/cgroup/services/${x}`).type == 'directory'); }; \ No newline at end of file
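Review bot: `get_cgroups()` in the `@@ -46,4 +48,16 @@` hunk assumes both filesystem calls succeed: `lsdir()` yields null when `/sys/fs/cgroup/services` is missing, and `lstat()` yields null if an entry disappears between the listing and the stat, in which case `.type` is read from null. I would make both tolerant by passing `lsdir('/sys/fs/cgroup/services') ?? []` to `filter` and testing `lstat(path)?.type == 'directory'`. Without that, the `index(cgroups, x) >= 0` check in hijack.ut is not comparing against a list on systems without the services hierarchy, so whether configured names are still validated before being written into the nft set depends on ucode's null-comparison rules. `get_users()` and `get_groups()` are moved here unchanged and have the same null case if `readfile()` fails.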