From 4cda0fac83ecccfc7ac3b808495dca7cd5a8b4cc Mon Sep 17 00:00:00 2001 From: gitea-action Date: Tue, 25 Feb 2025 21:30:26 +0800 Subject: [PATCH] nikki: sync upstream last commit: https://github.com/nikkinikki-org/OpenWrt-nikki/commit/d3b6f8ce561fff9fd8aa846cdf0c36aebb8353a4 --- nikki/Makefile | 2 +- nikki/files/nikki.conf | 1 + nikki/files/nikki.init | 8 -- nikki/files/ucode/hijack.ut | 219 +++++++++++++++++++----------------- 4 files changed, 117 insertions(+), 113 deletions(-) diff --git a/nikki/Makefile b/nikki/Makefile index 017771f2c..18d886051 100644 --- a/nikki/Makefile +++ b/nikki/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nikki -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git diff --git a/nikki/files/nikki.conf b/nikki/files/nikki.conf index cc1c4603f..253569e8c 100644 --- a/nikki/files/nikki.conf +++ b/nikki/files/nikki.conf @@ -40,6 +40,7 @@ config proxy 'proxy' list 'bypass_group' 'nogroup' list 'bypass_group' 'ntp' list 'bypass_group' 'ubus' + list 'bypass_dscp' '4' option 'bypass_china_mainland_ip' '0' option 'proxy_tcp_dport' '0-65535' option 'proxy_udp_dport' '0-65535' diff --git a/nikki/files/nikki.init b/nikki/files/nikki.init index 58a7e536e..073764fc3 100644 --- a/nikki/files/nikki.init +++ b/nikki/files/nikki.init @@ -244,8 +244,6 @@ service_started() { $FIREWALL_INCLUDE_SH fi utpl -D nikki_group="$NIKKI_GROUP" -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f - - nft -f "$RESERVED_IP_NFT" - nft -f "$RESERVED_IP6_NFT" # dns hijack if [ "$ipv4_dns_hijack" == 1 ]; then log "Transparent Proxy" "Hijack IPv4 dns request." 
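Review bot: The new default `list 'bypass_dscp' '4'` is not explained, and DSCP is a field the sending host chooses, so with this default any LAN client whose packets carry DSCP 4 is exempted from the transparent proxy by the `ip dscp @bypass_dscp counter return` rules in the `dstnat` chain of hijack.ut, not only the router's own traffic in `nat_output`. Whether that is meant as an opt-out knob for local clients or was chosen to match something mihomo itself marks is not visible from the diff. A one-line comment above the entry, e.g. `# DSCP value that traffic may carry to skip the transparent proxy; sender-controlled`, would record the intent for operators who tune the default.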
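Review bot: Removing `nft -f "$RESERVED_IP_NFT"` and `nft -f "$RESERVED_IP6_NFT"` moves the reserved-IP loading into hijack.ut as literal `include "/etc/nikki/nftables/reserved_ip.nft"` paths, so the path is now spelled in two places: the init script's variables (defined outside this hunk, presumably still present) and the template. If the variable definitions remain, either drop them or pass them into the template next to the existing `-D nikki_group=...`, e.g. `-D reserved_ip_nft="$RESERVED_IP_NFT"`, so there is a single source of truth. The pipeline `utpl ... | nft -f -` also still has no failure handling: the exit status of `nft` is not checked, and because the included files are now part of the same atomic load, any error in them leaves the nikki table absent without the service noticing. service_started() continues outside the hunk.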
@@ -269,12 +267,6 @@ service_started() { fi if [ "$bypass_china_mainland_ip" == 1 ]; then log "Transparent Proxy" "Bypass china mainland ip." - if [ "$ipv4_proxy" == 1 ]; then - nft -f "$GEOIP_CN_NFT" - fi - if [ "$ipv6_proxy" == 1 ]; then - nft -f "$GEOIP6_CN_NFT" - fi fi log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport." log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport." diff --git a/nikki/files/ucode/hijack.ut b/nikki/files/ucode/hijack.ut index 8f9287d56..c33a32be6 100644 --- a/nikki/files/ucode/hijack.ut +++ b/nikki/files/ucode/hijack.ut @@ -5,12 +5,14 @@ import { readfile } from 'fs'; import { cursor } from 'uci'; + import { connect } from 'ubus'; import { uci_bool, uci_array } from '/etc/nikki/ucode/include.uc'; let users = map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]); let groups = map(split(readfile('/etc/group'), '\n'), (x) => split(x, ':')[0]); const uci = cursor(); + const ubus = connect(); uci.load('nikki'); 
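Review bot: `const ubus = connect();` is never checked; ucode's ubus binding appears to return a null value when the connection fails, and the later `ubus.call(...)` in the acl_device loop would then raise, which aborts template rendering and hands `nft -f -` truncated input rather than a ruleset. Failing explicitly at this site, e.g. `const ubus = connect(); if (!ubus) die('nikki: ubus connect failed');`, gives the init script a clear error instead of a half-rendered table. The file's header statements continue past the end of this hunk.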
@@ -40,38 +42,71 @@ const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != "root" && index(users, x) >= 0); const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != "root" && index(groups, x) >= 0); + const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp')); + const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip')); const proxy_tcp_dport = split((uci.get('nikki', 'proxy', 'proxy_tcp_dport') ?? '0-65535'), ' '); const proxy_udp_dport = split((uci.get('nikki', 'proxy', 'proxy_udp_dport') ?? '0-65535'), ' '); - const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp')); const dns_hijack_nfproto = []; if (ipv4_dns_hijack) { - push(dns_hijack_nfproto, 'ipv4') + push(dns_hijack_nfproto, 'ipv4'); } if (ipv6_dns_hijack) { - push(dns_hijack_nfproto, 'ipv6') + push(dns_hijack_nfproto, 'ipv6'); + } + + const acl_device = []; + for (let i = 0; i < length(acl_interface); i++) { + const device = ubus.call('network.interface', 'status', {'interface': acl_interface[i]})?.l3_device ?? ''; + if (device != '') { + push(acl_device, device); + } } const proxy_nfproto = []; if (ipv4_proxy) { - push(proxy_nfproto, 'ipv4') + push(proxy_nfproto, 'ipv4'); } if (ipv6_proxy) { - push(proxy_nfproto, 'ipv6') + push(proxy_nfproto, 'ipv6'); } const proxy_dport = []; for (let port in proxy_tcp_dport) { - push(proxy_dport, `tcp . ${port}`) + push(proxy_dport, `tcp . ${port}`); } for (let port in proxy_udp_dport) { - push(proxy_dport, `udp . ${port}`) + push(proxy_dport, `udp . 
${port}`); } push(bypass_group, nikki_group); -%} table inet nikki { + set dns_hijack_nfproto { + type nf_proto + flags interval + {% if (length(dns_hijack_nfproto) > 0): %} + elements = { + {% for (let x in dns_hijack_nfproto): %} + {{ x }}, + {% endfor %} + } + {% endif %} + } + + set proxy_nfproto { + type nf_proto + flags interval + {% if (length(proxy_nfproto) > 0): %} + elements = { + {% for (let x in proxy_nfproto): %} + {{ x }}, + {% endfor %} + } + {% endif %} + } + set bypass_user { type uid flags interval @@ -98,53 +133,6 @@ table inet nikki { {% endif %} } - set bypass_dscp { - type dscp - flags interval - auto-merge - {% if (length(bypass_dscp) > 0): %} - elements = { - {% for (let x in bypass_dscp): %} - {{ x }}, - {% endfor %} - } - {% endif %} - } - - set dns_hijack_nfproto { - type nf_proto - flags interval - {% if (length(dns_hijack_nfproto) > 0): %} - elements = { - {% for (let x in dns_hijack_nfproto): %} - {{ x }}, - {% endfor %} - } - {% endif %} - } - - set proxy_nfproto { - type nf_proto - flags interval - {% if (length(proxy_nfproto) > 0): %} - elements = { - {% for (let x in proxy_nfproto): %} - {{ x }}, - {% endfor %} - } - {% endif %} - } - - set china_ip { - type ipv4_addr - flags interval - } - - set china_ip6 { - type ipv6_addr - flags interval - } - set reserved_ip { type ipv4_addr flags interval @@ -157,6 +145,16 @@ table inet nikki { auto-merge } + set china_ip { + type ipv4_addr + flags interval + } + + set china_ip6 { + type ipv6_addr + flags interval + } + set proxy_dport { type inet_proto . inet_service flags interval @@ -170,6 +168,19 @@ table inet nikki { {% endif %} } + set bypass_dscp { + type dscp + flags interval + auto-merge + {% if (length(bypass_dscp) > 0): %} + elements = { + {% for (let x in bypass_dscp): %} + {{ x }}, + {% endfor %} + } + {% endif %} + } + set acl_ip { type ipv4_addr flags interval 
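Review bot: The acl_device loop silently drops any entry of `acl_interface` whose `network.interface status` call fails or has no `l3_device`, and in 'block' mode that drop inverts the operator's intent: an interface listed to be excluded from the proxy is instead proxied, because its device never reaches `@acl_device` and the `iifname @acl_device counter return` rules never match. In 'allow' mode the same drop only leaves the interface unproxied, which is at least fail-closed. Emit a diagnostic instead of skipping silently, e.g. `} else { warn('nikki: no l3_device for interface ' + acl_interface[i] + ', not added to acl_device\n'); }`, and note in a comment that the resolution is a snapshot at render time, so an interface that comes up or changes its device afterwards is not reflected until the ruleset is regenerated. The file-scope statements this loop belongs to start before the hunk.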
@@ -209,96 +220,88 @@ table inet nikki { {% endif %} } - set acl_interface { + set acl_device { type ifname flags interval auto-merge - {% if (length(acl_interface) > 0): %} + {% if (length(acl_device) > 0): %} elements = { - {% for (let x in acl_interface): %} + {% for (let x in acl_device): %} {{ x }}, {% endfor %} } {% endif %} } - chain all_dns_hijack { + chain lan_dns_hijack { + {% if (access_control_mode == 'all'): %} meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} - } - - chain allow_dns_hijack { + {% elif (access_control_mode == 'allow'): %} meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter redirect to :{{ dns_port }} - meta l4proto { tcp, udp } th dport 53 iifname @acl_interface counter redirect to :{{ dns_port }} - } - - chain block_dns_hijack { + meta l4proto { tcp, udp } th dport 53 iifname @acl_device counter redirect to :{{ dns_port }} + {% elif (access_control_mode == 'block'): %} meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter return meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter return meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter return - meta l4proto { tcp, udp } th dport 53 iifname @acl_interface counter return + meta l4proto { tcp, udp } th dport 53 iifname @acl_device counter return meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} + {% endif %} } - chain all_redirect { + chain lan_redirect { + {% if (access_control_mode == 'all'): %} meta l4proto tcp counter redirect to :{{ redir_port }} - } - - chain allow_redirect { + {% elif (access_control_mode == 'allow'): %} meta l4proto tcp ip saddr @acl_ip counter redirect to :{{ redir_port }} meta l4proto tcp ip6 saddr @acl_ip6 counter redirect to :{{ redir_port }} meta l4proto tcp ether saddr 
@acl_mac counter redirect to :{{ redir_port }} - meta l4proto tcp iifname @acl_interface counter redirect to :{{ redir_port }} - } - - chain block_redirect { + meta l4proto tcp iifname @acl_device counter redirect to :{{ redir_port }} + {% elif (access_control_mode == 'block'): %} meta l4proto tcp ip saddr @acl_ip counter return meta l4proto tcp ip6 saddr @acl_ip6 counter return meta l4proto tcp ether saddr @acl_mac counter return - meta l4proto tcp iifname @acl_interface counter return + meta l4proto tcp iifname @acl_device counter return meta l4proto tcp counter redirect to :{{ redir_port }} + {% endif %} } - chain all_tproxy { + chain lan_tproxy { + {% if (access_control_mode == 'all'): %} meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept - } - - chain allow_tproxy { + {% elif (access_control_mode == 'allow'): %} meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tproxy_fw_mark }} tproxy ip to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tproxy_fw_mark }} tproxy ip6 to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept - meta l4proto { tcp, udp } iifname @acl_interface meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept - } - - chain block_tproxy { + meta l4proto { tcp, udp } iifname @acl_device meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept + {% elif (access_control_mode == 'block'): %} meta l4proto { tcp, udp } ip saddr @acl_ip counter return meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return meta l4proto { tcp, udp } ether saddr @acl_mac counter return - meta l4proto { tcp, udp } iifname @acl_interface counter return + meta l4proto { tcp, udp } iifname @acl_device counter return meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} 
counter accept + {% endif %} } - chain all_tun { + chain lan_tun { + {% if (access_control_mode == 'all'): %} meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter - } - - chain allow_tun { + {% elif (access_control_mode == 'allow'): %} meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tun_fw_mark }} counter - meta l4proto { tcp, udp } iifname @acl_interface meta mark set {{ tun_fw_mark }} counter - } - - chain block_tun { + meta l4proto { tcp, udp } iifname @acl_device meta mark set {{ tun_fw_mark }} counter + {% elif (access_control_mode == 'block'): %} meta l4proto { tcp, udp } ip saddr @acl_ip counter return meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return meta l4proto { tcp, udp } ether saddr @acl_mac counter return - meta l4proto { tcp, udp } iifname @acl_interface counter return + meta l4proto { tcp, udp } iifname @acl_device counter return meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter + {% endif %} } - {% if (router_proxy == '1'): %} + {% if (router_proxy): %} chain nat_output { type nat hook output priority filter; policy accept; meta skuid @bypass_user counter return @@ -317,7 +320,7 @@ table inet nikki { meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta nfproto @proxy_nfproto meta l4proto tcp counter redirect to :{{ redir_port }} {% endif %} - {% if (fake_ip_ping_hijack == '1'): %} + {% if (fake_ip_ping_hijack): %} ip protocol icmp ip daddr {{ fake_ip_range }} counter redirect {% endif %} } 
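Review bot: Collapsing the `all_`/`allow_`/`block_` chains into `lan_*` chains selected by `{% if (access_control_mode == 'all'): %} ... {% elif ... %}` means any other value of `access_control_mode` (a typo, an empty option, a future mode) renders four empty chains, and the `jump lan_redirect`/`lan_tproxy`/`lan_tun` rules then return without redirecting, so LAN traffic leaves unproxied with no error anywhere; the old `jump {{ access_control_mode }}_redirect` would have made `nft -f` reject the ruleset for an unknown chain, which at least was loud. Validate the value once where it is read from uci (outside this hunk), e.g. `if (!(access_control_mode in ['all', 'allow', 'block'])) die('nikki: invalid access_control_mode');`, or add an `{% else %}` branch that makes the misconfiguration explicit. The `{% if (router_proxy): %}` change here, and the matching `fake_ip_ping_hijack` and `lan_proxy` changes in the following hunks, are only correct if those variables are now produced by `uci_bool()` rather than being the raw uci string, since as far as I can tell a non-empty string such as '0' is truthy in ucode; their definitions are not in the diff, so please confirm. The access-control chains begin before this hunk's first line.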
@@ -360,10 +363,10 @@ table inet nikki { } {% endif %} - {% if (lan_proxy == '1'): %} + {% if (lan_proxy): %} chain dstnat { type nat hook prerouting priority dstnat + 1; policy accept; - meta nfproto @dns_hijack_nfproto jump {{ access_control_mode }}_dns_hijack + meta nfproto @dns_hijack_nfproto jump lan_dns_hijack {% if (tcp_transparent_proxy_mode == 'redirect'): %} fib daddr type { local, multicast, broadcast, anycast } counter return ct direction reply counter return @@ -375,9 +378,9 @@ table inet nikki { meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return - meta nfproto @proxy_nfproto jump {{ access_control_mode }}_redirect + meta nfproto @proxy_nfproto jump lan_redirect {% endif %} - {% if (fake_ip_ping_hijack == '1'): %} + {% if (fake_ip_ping_hijack): %} ip protocol icmp ip daddr {{ fake_ip_range }} counter redirect {% endif %} } 
@@ -396,15 +399,23 @@ table inet nikki { meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return {% if (tcp_transparent_proxy_mode == 'tproxy'): %} - meta nfproto @proxy_nfproto meta l4proto tcp jump {{ access_control_mode }}_tproxy + meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tproxy {% elif (tcp_transparent_proxy_mode == 'tun'): %} - meta nfproto @proxy_nfproto meta l4proto tcp jump {{ access_control_mode }}_tun + meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tun {% endif %} {% if (udp_transparent_proxy_mode == 'tproxy'): %} - meta nfproto @proxy_nfproto meta l4proto udp jump {{ access_control_mode }}_tproxy + meta nfproto @proxy_nfproto meta l4proto udp jump lan_tproxy {% elif (udp_transparent_proxy_mode == 'tun'): %} - meta nfproto @proxy_nfproto meta l4proto udp jump {{ access_control_mode }}_tun + meta nfproto @proxy_nfproto meta l4proto udp jump lan_tun {% endif %} } {% endif %} -} \ No newline at end of file +} + +include "/etc/nikki/nftables/reserved_ip.nft" +include "/etc/nikki/nftables/reserved_ip6.nft" + +{% if (bypass_china_mainland_ip): %} +include "/etc/nikki/nftables/geoip_cn.nft" +include "/etc/nikki/nftables/geoip6_cn.nft" +{% endif %} \ No newline at end of file
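Review bot: The new `include` lines make the reserved-IP and GeoIP files part of the single `nft -f -` load, so a missing or unreadable `/etc/nikki/nftables/geoip_cn.nft` (for instance if it has not been downloaded yet) now aborts the whole nikki table instead of only leaving `@china_ip` empty as the separate `nft -f "$GEOIP_CN_NFT"` calls in nikki.init did; the outcome is that nothing is hijacked at all rather than that China-bound traffic is proxied too. Guarding the include on the file's presence keeps the old degrade-gracefully behaviour, e.g. `{% if (bypass_china_mainland_ip && access('/etc/nikki/nftables/geoip_cn.nft')): %}` with `access` imported from 'fs' alongside `readfile`, and the same for the IPv6 file. The GeoIP includes are also no longer gated on `ipv4_proxy`/`ipv6_proxy` as the removed init-script block was, so the IPv6 set is loaded even when IPv6 proxying is off; probably harmless, but it is a behaviour change worth a sentence in the commit message. The table body and the template header lie outside this hunk.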