nikki: sync upstream

last commit: d3b6f8ce56
This commit is contained in:
gitea-action 2025-02-25 21:30:26 +08:00
parent 2c881ac066
commit 4cda0fac83
4 changed files with 117 additions and 113 deletions


@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=nikki PKG_NAME:=nikki
PKG_RELEASE:=5 PKG_RELEASE:=6
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git


@ -40,6 +40,7 @@ config proxy 'proxy'
list 'bypass_group' 'nogroup' list 'bypass_group' 'nogroup'
list 'bypass_group' 'ntp' list 'bypass_group' 'ntp'
list 'bypass_group' 'ubus' list 'bypass_group' 'ubus'
list 'bypass_dscp' '4'
option 'bypass_china_mainland_ip' '0' option 'bypass_china_mainland_ip' '0'
option 'proxy_tcp_dport' '0-65535' option 'proxy_tcp_dport' '0-65535'
option 'proxy_udp_dport' '0-65535' option 'proxy_udp_dport' '0-65535'
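Review bot: The new default `list 'bypass_dscp' '4'` exempts from transparent proxying every packet whose sender marks it with DSCP 4, and DSCP is a header field chosen by the client, so any LAN host can opt itself out of the proxy — including in `block` access-control mode, which otherwise forces it through — simply by tagging its traffic. The template consumes this list in the `dstnat` and mangle chains as a plain `ip dscp @bypass_dscp … return`, with no source restriction. If 4 is reserved for a particular upstream or local use, the config should say so; I would add above the line `# DSCP values exempted from the proxy. DSCP is set by the sender, so any host can bypass the proxy by marking its own packets.` and consider shipping the list empty unless 4 is required for a documented reason (not visible in this diff).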


@ -244,8 +244,6 @@ service_started() {
$FIREWALL_INCLUDE_SH $FIREWALL_INCLUDE_SH
fi fi
utpl -D nikki_group="$NIKKI_GROUP" -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f - utpl -D nikki_group="$NIKKI_GROUP" -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f -
nft -f "$RESERVED_IP_NFT"
nft -f "$RESERVED_IP6_NFT"
# dns hijack # dns hijack
if [ "$ipv4_dns_hijack" == 1 ]; then if [ "$ipv4_dns_hijack" == 1 ]; then
log "Transparent Proxy" "Hijack IPv4 dns request." log "Transparent Proxy" "Hijack IPv4 dns request."
@ -269,12 +267,6 @@ service_started() {
fi fi
if [ "$bypass_china_mainland_ip" == 1 ]; then if [ "$bypass_china_mainland_ip" == 1 ]; then
log "Transparent Proxy" "Bypass china mainland ip." log "Transparent Proxy" "Bypass china mainland ip."
if [ "$ipv4_proxy" == 1 ]; then
nft -f "$GEOIP_CN_NFT"
fi
if [ "$ipv6_proxy" == 1 ]; then
nft -f "$GEOIP6_CN_NFT"
fi
fi fi
log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport." log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport."
log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport." log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport."


@ -5,12 +5,14 @@
import { readfile } from 'fs'; import { readfile } from 'fs';
import { cursor } from 'uci'; import { cursor } from 'uci';
import { connect } from 'ubus';
import { uci_bool, uci_array } from '/etc/nikki/ucode/include.uc'; import { uci_bool, uci_array } from '/etc/nikki/ucode/include.uc';
let users = map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]); let users = map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]);
let groups = map(split(readfile('/etc/group'), '\n'), (x) => split(x, ':')[0]); let groups = map(split(readfile('/etc/group'), '\n'), (x) => split(x, ':')[0]);
const uci = cursor(); const uci = cursor();
const ubus = connect();
uci.load('nikki'); uci.load('nikki');
@ -40,38 +42,71 @@
const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != "root" && index(users, x) >= 0); const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != "root" && index(users, x) >= 0);
const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != "root" && index(groups, x) >= 0); const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != "root" && index(groups, x) >= 0);
const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp'));
const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip'));
const proxy_tcp_dport = split((uci.get('nikki', 'proxy', 'proxy_tcp_dport') ?? '0-65535'), ' '); const proxy_tcp_dport = split((uci.get('nikki', 'proxy', 'proxy_tcp_dport') ?? '0-65535'), ' ');
const proxy_udp_dport = split((uci.get('nikki', 'proxy', 'proxy_udp_dport') ?? '0-65535'), ' '); const proxy_udp_dport = split((uci.get('nikki', 'proxy', 'proxy_udp_dport') ?? '0-65535'), ' ');
const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp'));
const dns_hijack_nfproto = []; const dns_hijack_nfproto = [];
if (ipv4_dns_hijack) { if (ipv4_dns_hijack) {
push(dns_hijack_nfproto, 'ipv4') push(dns_hijack_nfproto, 'ipv4');
} }
if (ipv6_dns_hijack) { if (ipv6_dns_hijack) {
push(dns_hijack_nfproto, 'ipv6') push(dns_hijack_nfproto, 'ipv6');
}
const acl_device = [];
for (let i = 0; i < length(acl_interface); i++) {
const device = ubus.call('network.interface', 'status', {'interface': acl_interface[i]})?.l3_device ?? '';
if (device != '') {
push(acl_device, device);
}
} }
const proxy_nfproto = []; const proxy_nfproto = [];
if (ipv4_proxy) { if (ipv4_proxy) {
push(proxy_nfproto, 'ipv4') push(proxy_nfproto, 'ipv4');
} }
if (ipv6_proxy) { if (ipv6_proxy) {
push(proxy_nfproto, 'ipv6') push(proxy_nfproto, 'ipv6');
} }
const proxy_dport = []; const proxy_dport = [];
for (let port in proxy_tcp_dport) { for (let port in proxy_tcp_dport) {
push(proxy_dport, `tcp . ${port}`) push(proxy_dport, `tcp . ${port}`);
} }
for (let port in proxy_udp_dport) { for (let port in proxy_udp_dport) {
push(proxy_dport, `udp . ${port}`) push(proxy_dport, `udp . ${port}`);
} }
push(bypass_group, nikki_group); push(bypass_group, nikki_group);
-%} -%}
table inet nikki { table inet nikki {
set dns_hijack_nfproto {
type nf_proto
flags interval
{% if (length(dns_hijack_nfproto) > 0): %}
elements = {
{% for (let x in dns_hijack_nfproto): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set proxy_nfproto {
type nf_proto
flags interval
{% if (length(proxy_nfproto) > 0): %}
elements = {
{% for (let x in proxy_nfproto): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set bypass_user { set bypass_user {
type uid type uid
flags interval flags interval
@ -98,53 +133,6 @@ table inet nikki {
{% endif %} {% endif %}
} }
set bypass_dscp {
type dscp
flags interval
auto-merge
{% if (length(bypass_dscp) > 0): %}
elements = {
{% for (let x in bypass_dscp): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set dns_hijack_nfproto {
type nf_proto
flags interval
{% if (length(dns_hijack_nfproto) > 0): %}
elements = {
{% for (let x in dns_hijack_nfproto): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set proxy_nfproto {
type nf_proto
flags interval
{% if (length(proxy_nfproto) > 0): %}
elements = {
{% for (let x in proxy_nfproto): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set china_ip {
type ipv4_addr
flags interval
}
set china_ip6 {
type ipv6_addr
flags interval
}
set reserved_ip { set reserved_ip {
type ipv4_addr type ipv4_addr
flags interval flags interval
@ -157,6 +145,16 @@ table inet nikki {
auto-merge auto-merge
} }
set china_ip {
type ipv4_addr
flags interval
}
set china_ip6 {
type ipv6_addr
flags interval
}
set proxy_dport { set proxy_dport {
type inet_proto . inet_service type inet_proto . inet_service
flags interval flags interval
@ -170,6 +168,19 @@ table inet nikki {
{% endif %} {% endif %}
} }
set bypass_dscp {
type dscp
flags interval
auto-merge
{% if (length(bypass_dscp) > 0): %}
elements = {
{% for (let x in bypass_dscp): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set acl_ip { set acl_ip {
type ipv4_addr type ipv4_addr
flags interval flags interval
@ -209,96 +220,88 @@ table inet nikki {
{% endif %} {% endif %}
} }
set acl_interface { set acl_device {
type ifname type ifname
flags interval flags interval
auto-merge auto-merge
{% if (length(acl_interface) > 0): %} {% if (length(acl_device) > 0): %}
elements = { elements = {
{% for (let x in acl_interface): %} {% for (let x in acl_device): %}
{{ x }}, {{ x }},
{% endfor %} {% endfor %}
} }
{% endif %} {% endif %}
} }
chain all_dns_hijack { chain lan_dns_hijack {
{% if (access_control_mode == 'all'): %}
meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }}
} {% elif (access_control_mode == 'allow'): %}
chain allow_dns_hijack {
meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter redirect to :{{ dns_port }}
meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter redirect to :{{ dns_port }}
meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter redirect to :{{ dns_port }}
meta l4proto { tcp, udp } th dport 53 iifname @acl_interface counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 iifname @acl_device counter redirect to :{{ dns_port }}
} {% elif (access_control_mode == 'block'): %}
chain block_dns_hijack {
meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter return meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter return
meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter return meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter return
meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter return meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter return
meta l4proto { tcp, udp } th dport 53 iifname @acl_interface counter return meta l4proto { tcp, udp } th dport 53 iifname @acl_device counter return
meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }}
{% endif %}
} }
chain all_redirect { chain lan_redirect {
{% if (access_control_mode == 'all'): %}
meta l4proto tcp counter redirect to :{{ redir_port }} meta l4proto tcp counter redirect to :{{ redir_port }}
} {% elif (access_control_mode == 'allow'): %}
chain allow_redirect {
meta l4proto tcp ip saddr @acl_ip counter redirect to :{{ redir_port }} meta l4proto tcp ip saddr @acl_ip counter redirect to :{{ redir_port }}
meta l4proto tcp ip6 saddr @acl_ip6 counter redirect to :{{ redir_port }} meta l4proto tcp ip6 saddr @acl_ip6 counter redirect to :{{ redir_port }}
meta l4proto tcp ether saddr @acl_mac counter redirect to :{{ redir_port }} meta l4proto tcp ether saddr @acl_mac counter redirect to :{{ redir_port }}
meta l4proto tcp iifname @acl_interface counter redirect to :{{ redir_port }} meta l4proto tcp iifname @acl_device counter redirect to :{{ redir_port }}
} {% elif (access_control_mode == 'block'): %}
chain block_redirect {
meta l4proto tcp ip saddr @acl_ip counter return meta l4proto tcp ip saddr @acl_ip counter return
meta l4proto tcp ip6 saddr @acl_ip6 counter return meta l4proto tcp ip6 saddr @acl_ip6 counter return
meta l4proto tcp ether saddr @acl_mac counter return meta l4proto tcp ether saddr @acl_mac counter return
meta l4proto tcp iifname @acl_interface counter return meta l4proto tcp iifname @acl_device counter return
meta l4proto tcp counter redirect to :{{ redir_port }} meta l4proto tcp counter redirect to :{{ redir_port }}
{% endif %}
} }
chain all_tproxy { chain lan_tproxy {
{% if (access_control_mode == 'all'): %}
meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept
} {% elif (access_control_mode == 'allow'): %}
chain allow_tproxy {
meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tproxy_fw_mark }} tproxy ip to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tproxy_fw_mark }} tproxy ip to :{{ tproxy_port }} counter accept
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tproxy_fw_mark }} tproxy ip6 to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tproxy_fw_mark }} tproxy ip6 to :{{ tproxy_port }} counter accept
meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept
meta l4proto { tcp, udp } iifname @acl_interface meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } iifname @acl_device meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept
} {% elif (access_control_mode == 'block'): %}
chain block_tproxy {
meta l4proto { tcp, udp } ip saddr @acl_ip counter return meta l4proto { tcp, udp } ip saddr @acl_ip counter return
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
meta l4proto { tcp, udp } ether saddr @acl_mac counter return meta l4proto { tcp, udp } ether saddr @acl_mac counter return
meta l4proto { tcp, udp } iifname @acl_interface counter return meta l4proto { tcp, udp } iifname @acl_device counter return
meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept
{% endif %}
} }
chain all_tun { chain lan_tun {
{% if (access_control_mode == 'all'): %}
meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter
} {% elif (access_control_mode == 'allow'): %}
chain allow_tun {
meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tun_fw_mark }} counter
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tun_fw_mark }} counter
meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tun_fw_mark }} counter
meta l4proto { tcp, udp } iifname @acl_interface meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } iifname @acl_device meta mark set {{ tun_fw_mark }} counter
} {% elif (access_control_mode == 'block'): %}
chain block_tun {
meta l4proto { tcp, udp } ip saddr @acl_ip counter return meta l4proto { tcp, udp } ip saddr @acl_ip counter return
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
meta l4proto { tcp, udp } ether saddr @acl_mac counter return meta l4proto { tcp, udp } ether saddr @acl_mac counter return
meta l4proto { tcp, udp } iifname @acl_interface counter return meta l4proto { tcp, udp } iifname @acl_device counter return
meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter
{% endif %}
} }
{% if (router_proxy == '1'): %} {% if (router_proxy): %}
chain nat_output { chain nat_output {
type nat hook output priority filter; policy accept; type nat hook output priority filter; policy accept;
meta skuid @bypass_user counter return meta skuid @bypass_user counter return
@ -317,7 +320,7 @@ table inet nikki {
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @proxy_nfproto meta l4proto tcp counter redirect to :{{ redir_port }} meta nfproto @proxy_nfproto meta l4proto tcp counter redirect to :{{ redir_port }}
{% endif %} {% endif %}
{% if (fake_ip_ping_hijack == '1'): %} {% if (fake_ip_ping_hijack): %}
ip protocol icmp ip daddr {{ fake_ip_range }} counter redirect ip protocol icmp ip daddr {{ fake_ip_range }} counter redirect
{% endif %} {% endif %}
} }
@ -360,10 +363,10 @@ table inet nikki {
} }
{% endif %} {% endif %}
{% if (lan_proxy == '1'): %} {% if (lan_proxy): %}
chain dstnat { chain dstnat {
type nat hook prerouting priority dstnat + 1; policy accept; type nat hook prerouting priority dstnat + 1; policy accept;
meta nfproto @dns_hijack_nfproto jump {{ access_control_mode }}_dns_hijack meta nfproto @dns_hijack_nfproto jump lan_dns_hijack
{% if (tcp_transparent_proxy_mode == 'redirect'): %} {% if (tcp_transparent_proxy_mode == 'redirect'): %}
fib daddr type { local, multicast, broadcast, anycast } counter return fib daddr type { local, multicast, broadcast, anycast } counter return
ct direction reply counter return ct direction reply counter return
@ -375,9 +378,9 @@ table inet nikki {
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @proxy_nfproto jump {{ access_control_mode }}_redirect meta nfproto @proxy_nfproto jump lan_redirect
{% endif %} {% endif %}
{% if (fake_ip_ping_hijack == '1'): %} {% if (fake_ip_ping_hijack): %}
ip protocol icmp ip daddr {{ fake_ip_range }} counter redirect ip protocol icmp ip daddr {{ fake_ip_range }} counter redirect
{% endif %} {% endif %}
} }
@ -396,15 +399,23 @@ table inet nikki {
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return
{% if (tcp_transparent_proxy_mode == 'tproxy'): %} {% if (tcp_transparent_proxy_mode == 'tproxy'): %}
meta nfproto @proxy_nfproto meta l4proto tcp jump {{ access_control_mode }}_tproxy meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tproxy
{% elif (tcp_transparent_proxy_mode == 'tun'): %} {% elif (tcp_transparent_proxy_mode == 'tun'): %}
meta nfproto @proxy_nfproto meta l4proto tcp jump {{ access_control_mode }}_tun meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tun
{% endif %} {% endif %}
{% if (udp_transparent_proxy_mode == 'tproxy'): %} {% if (udp_transparent_proxy_mode == 'tproxy'): %}
meta nfproto @proxy_nfproto meta l4proto udp jump {{ access_control_mode }}_tproxy meta nfproto @proxy_nfproto meta l4proto udp jump lan_tproxy
{% elif (udp_transparent_proxy_mode == 'tun'): %} {% elif (udp_transparent_proxy_mode == 'tun'): %}
meta nfproto @proxy_nfproto meta l4proto udp jump {{ access_control_mode }}_tun meta nfproto @proxy_nfproto meta l4proto udp jump lan_tun
{% endif %} {% endif %}
} }
{% endif %} {% endif %}
} }
include "/etc/nikki/nftables/reserved_ip.nft"
include "/etc/nikki/nftables/reserved_ip6.nft"
{% if (bypass_china_mainland_ip): %}
include "/etc/nikki/nftables/geoip_cn.nft"
include "/etc/nikki/nftables/geoip6_cn.nft"
{% endif %}
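Review bot: The new `acl_device` loop around `ubus.call('network.interface', 'status', …)` silently drops any interface whose `l3_device` is absent at render time (interface down or misnamed), so in `allow` mode that interface is simply not proxied and in `block` mode it is no longer exempted, with nothing in the log explaining why; whether the ruleset is re-rendered when the interface later comes up cannot be seen from here. `connect()` at the top of the template is also used unchecked, so a failed ubus connection aborts the render and hands `nft -f -` a truncated ruleset. I would keep the status object in a named variable, guard the null connection, and emit a warning whenever a configured interface resolves to no device, as below (assumes `connect()` returns null on failure, per ucode's ubus module — confirm).
```ucode
const acl_device = [];
for (let name in acl_interface) {
	const status = ubus ? ubus.call('network.interface', 'status', { interface: name }) : null;
	const device = status?.l3_device ?? '';
	if (device == '') {
		warn(`nikki: no l3_device for interface ${name}; it is left out of acl_device\n`);
		continue;
	}
	push(acl_device, device);
}
// … unchanged: proxy_nfproto / proxy_dport construction …
```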