zhao/openwrt_helloworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nikki: sync upstream

Browse Source 
last commit: 277a7d97d9
This commit is contained in:
gitea-action 2025-03-23 17:30:27 +08:00
parent ef1cf031f5
commit 6032ccb861
5 changed files with 110 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nikki/Makefile
View File

@ -5,9 +5,9 @@ PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
PKG_SOURCE_DATE:=2025-03-17 PKG_SOURCE_DATE:=2025-03-20
PKG_SOURCE_VERSION:=e3d4ec247670dc88f8a3410e9bca2c69ca053f32 PKG_SOURCE_VERSION:=0f32c054f47641a2ee9c9362fc65652e772924b2
PKG_MIRROR_HASH:=ab8e39fec0675a77d575acf5ed705bb327a5f9f2b8d72792896e884e491b25e6 PKG_MIRROR_HASH:=276f1dcc81b3cece5c7de5b16ddac8d596bf20e7c3bb8993d963042acf845a14
PKG_LICENSE:=GPL3.0+ PKG_LICENSE:=GPL3.0+
PKG_MAINTAINER:=Joseph Mory <morytyann@gmail.com> PKG_MAINTAINER:=Joseph Mory <morytyann@gmail.com>
@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16 PKG_BUILD_FLAGS:=no-mips16
PKG_BUILD_VERSION:=alpha-e3d4ec2 PKG_BUILD_VERSION:=alpha-0f32c05
PKG_BUILD_TIME:=$(shell date -u -Iseconds) PKG_BUILD_TIME:=$(shell date -u -Iseconds)
GO_PKG:=github.com/metacubex/mihomo GO_PKG:=github.com/metacubex/mihomo

79
nikki/files/nikki.init
View File

@ -69,7 +69,7 @@ start_service() {
config_get_bool disable_quic_go_ecn "env" "disable_quic_go_ecn" 0 config_get_bool disable_quic_go_ecn "env" "disable_quic_go_ecn" 0
# get profile # get profile
if [[ "$profile" == "file:"* ]]; then if [[ "$profile" == "file:"* ]]; then
local profile_name; profile_name=$(basename "${profile/file:/}") local profile_name; profile_name="${profile/file:/}"
local profile_file; profile_file="$PROFILES_DIR/$profile_name" local profile_file; profile_file="$PROFILES_DIR/$profile_name"
log "Profile" "Use file: $profile_name." log "Profile" "Use file: $profile_name."
if [ ! -f "$profile_file" ]; then if [ ! -f "$profile_file" ]; then
@ -128,8 +128,8 @@ start_service() {
if [ "$fast_reload" == 1 ]; then if [ "$fast_reload" == 1 ]; then
procd_set_param reload_signal HUP procd_set_param reload_signal HUP
fi fi
procd_set_param pidfile "$PID_FILE_PATH"
procd_set_param respawn procd_set_param respawn
procd_set_param limits core="unlimited" nofile="1048576 1048576" procd_set_param limits core="unlimited" nofile="1048576 1048576"
procd_close_instance procd_close_instance
@ -140,12 +140,12 @@ start_service() {
/etc/init.d/cron restart /etc/init.d/cron restart
fi fi
# set started flag # set started flag
touch "$STARTED_FLAG" touch "$STARTED_FLAG_PATH"
} }
service_started() { service_started() {
# check if started # check if started
if [ ! -f "$STARTED_FLAG" ]; then if [ ! -f "$STARTED_FLAG_PATH" ]; then
return return
fi fi
# load config # load config
@ -169,7 +169,7 @@ service_started() {
config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode"
config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0 config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0
config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0 config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0
# prepare # prepare config
local tproxy_enable; tproxy_enable=0 local tproxy_enable; tproxy_enable=0
if [[ "$tcp_transparent_proxy_mode" == "tproxy" || "$udp_transparent_proxy_mode" == "tproxy" ]]; then if [[ "$tcp_transparent_proxy_mode" == "tproxy" || "$udp_transparent_proxy_mode" == "tproxy" ]]; then
tproxy_enable=1 tproxy_enable=1
@ -178,6 +178,40 @@ service_started() {
if [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then if [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then
tun_enable=1 tun_enable=1
fi fi
# fix compatible with dockerd
## cgroupfs-mount
### when cgroupfs-mount is installed, cgroupv1 will mounted instead of cgroupv2, we need to create cgroup manually
if (mount | grep -q -w "^cgroup"); then
local cgroup_v1_path; cgroup_v1_path="/sys/fs/cgroup/net_cls/$CGROUP_NAME"
mkdir -p "$cgroup_v1_path"
echo "$CGROUP_ID" > "$cgroup_v1_path/net_cls.classid"
cat "$PID_FILE_PATH" > "$cgroup_v1_path/cgroup.procs"
# local bypass_cgroup; config_get bypass_cgroup "proxy" "bypass_cgroup"
# if [ -n "$bypass_cgroup" ]; then
# local cgroup
# for cgroup in $bypass_cgroup; do
# ubus call service list "{\"name\": \"$cgroup\"}" | jsonfilter -e "$.$cgroup.instances.*.pid" >> "$cgroup_v1_path/cgroup.procs"
# done
# fi
fi
## kmod-br-netfilter
### when kmod-br-netfilter is loaded, bridge-nf-call-iptables and bridge-nf-call-ip6tables are set to 1, we need to set them to 0 if tproxy is enabled
if [ "$tproxy_enable" == 1 ] && (lsmod | grep -q br_netfilter); then
if [ "$ipv4_proxy" == 1 ]; then
local bridge_nf_call_iptables; bridge_nf_call_iptables=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
if [ "$bridge_nf_call_iptables" == 1 ]; then
touch "$BRIDGE_NF_CALL_IPTABLES_FLAG_PATH"
sysctl -q -w net.bridge.bridge-nf-call-iptables=0
fi
fi
if [ "$ipv6_proxy" == 1 ]; then
local bridge_nf_call_ip6tables; bridge_nf_call_ip6tables=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
if [ "$bridge_nf_call_ip6tables" == 1 ]; then
touch "$BRIDGE_NF_CALL_IP6TABLES_FLAG_PATH"
sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0
fi
fi
fi
# transparent proxy # transparent proxy
log "Transparent Proxy" "Enabled." log "Transparent Proxy" "Enabled."
# wait for tun device online # wait for tun device online
@ -201,7 +235,7 @@ service_started() {
return return
fi fi
fi fi
# prepare # ip route and rule
if [ "$tproxy_enable" == 1 ]; then if [ "$tproxy_enable" == 1 ]; then
if [ "$ipv4_proxy" == 1 ]; then if [ "$ipv4_proxy" == 1 ]; then
ip -4 route add local default dev lo table "$TPROXY_ROUTE_TABLE" ip -4 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
@ -224,7 +258,7 @@ service_started() {
$FIREWALL_INCLUDE_SH $FIREWALL_INCLUDE_SH
fi fi
# hijack # hijack
utpl -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f - utpl -D cgroup_name="$CGROUP_NAME" -D cgroup_id="$CGROUP_ID" -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f -
# check hijack # check hijack
if (nft list tables | grep -q nikki); then if (nft list tables | grep -q nikki); then
log "Transparent Proxy" "Hijack successful." log "Transparent Proxy" "Hijack successful."
@ -232,23 +266,6 @@ service_started() {
log "Transparent Proxy" "Hijack failed." log "Transparent Proxy" "Hijack failed."
log "App" "Exit." log "App" "Exit."
fi fi
# fix compatible between tproxy and dockerd (kmod-br-netfilter)
if [ "$tproxy_enable" == 1 ] && (lsmod | grep -q br_netfilter); then
if [ "$ipv4_proxy" == 1 ]; then
local bridge_nf_call_iptables; bridge_nf_call_iptables=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
if [ "$bridge_nf_call_iptables" == 1 ]; then
touch "$BRIDGE_NF_CALL_IPTABLES_FLAG"
sysctl -q -w net.bridge.bridge-nf-call-iptables=0
fi
fi
if [ "$ipv6_proxy" == 1 ]; then
local bridge_nf_call_ip6tables; bridge_nf_call_ip6tables=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
if [ "$bridge_nf_call_ip6tables" == 1 ]; then
touch "$BRIDGE_NF_CALL_IP6TABLES_FLAG"
sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0
fi
fi
fi
} }
service_stopped() { service_stopped() {
@ -289,14 +306,14 @@ cleanup() {
nft delete rule inet fw4 forward handle "$handle" nft delete rule inet fw4 forward handle "$handle"
done done
# delete started flag # delete started flag
rm -f "$STARTED_FLAG" rm -f "$STARTED_FLAG_PATH"
# revert fix compatible between tproxy and dockerd (kmod-br-netfilter) # revert fix compatible between tproxy and dockerd (kmod-br-netfilter)
if [ -f "$BRIDGE_NF_CALL_IPTABLES_FLAG" ]; then if [ -f "$BRIDGE_NF_CALL_IPTABLES_FLAG_PATH" ]; then
rm -f "$BRIDGE_NF_CALL_IPTABLES_FLAG" rm -f "$BRIDGE_NF_CALL_IPTABLES_FLAG_PATH"
sysctl -q -w net.bridge.bridge-nf-call-iptables=1 sysctl -q -w net.bridge.bridge-nf-call-iptables=1
fi fi
if [ -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG" ]; then if [ -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG_PATH" ]; then
rm -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG" rm -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG_PATH"
sysctl -q -w net.bridge.bridge-nf-call-ip6tables=1 sysctl -q -w net.bridge.bridge-nf-call-ip6tables=1
fi fi
# delete cron # delete cron
@ -327,8 +344,8 @@ update_subscription() {
uci_remove "nikki" "$subscription_section" "success" uci_remove "nikki" "$subscription_section" "success"
# update subscription # update subscription
log "Profile" "Update subscription: $subscription_name." log "Profile" "Update subscription: $subscription_name."
local subscription_header_tmpfile; subscription_header_tmpfile="/tmp/$subscription_section.header" local subscription_header_tmpfile; subscription_header_tmpfile="$TEMP_DIR/$subscription_section.header"
local subscription_tmpfile; subscription_tmpfile="/tmp/$subscription_section.yaml" local subscription_tmpfile; subscription_tmpfile="$TEMP_DIR/$subscription_section.yaml"
local subscription_file; subscription_file="$SUBSCRIPTIONS_DIR/$subscription_section.yaml" local subscription_file; subscription_file="$SUBSCRIPTIONS_DIR/$subscription_section.yaml"
if (curl -s -f --connect-timeout 15 --retry 3 -L -X GET -A "$subscription_user_agent" -D "$subscription_header_tmpfile" -o "$subscription_tmpfile" "$subscription_url"); then if (curl -s -f --connect-timeout 15 --retry 3 -L -X GET -A "$subscription_user_agent" -D "$subscription_header_tmpfile" -o "$subscription_tmpfile" "$subscription_url"); then
log "Profile" "Subscription update successful." log "Profile" "Subscription update successful."

15
nikki/files/scripts/include.sh
View File

@ -7,6 +7,8 @@ TPROXY_RULE_PREF="1024"
TUN_RULE_PREF="1025" TUN_RULE_PREF="1025"
TPROXY_ROUTE_TABLE="80" TPROXY_ROUTE_TABLE="80"
TUN_ROUTE_TABLE="81" TUN_ROUTE_TABLE="81"
CGROUP_ID="0x12061206"
CGROUP_NAME="nikki"
# paths # paths
PROG="/usr/bin/mihomo" PROG="/usr/bin/mihomo"
@ -26,10 +28,11 @@ APP_LOG_PATH="$LOG_DIR/app.log"
CORE_LOG_PATH="$LOG_DIR/core.log" CORE_LOG_PATH="$LOG_DIR/core.log"
# flag # flag
FLAG_DIR="/var/run/nikki" TEMP_DIR="/var/run/nikki"
STARTED_FLAG="$FLAG_DIR/started.flag" PID_FILE_PATH="$TEMP_DIR/nikki.pid"
BRIDGE_NF_CALL_IPTABLES_FLAG="$FLAG_DIR/bridge_nf_call_iptables.flag" STARTED_FLAG_PATH="$TEMP_DIR/started.flag"
BRIDGE_NF_CALL_IP6TABLES_FLAG="$FLAG_DIR/bridge_nf_call_ip6tables.flag" BRIDGE_NF_CALL_IPTABLES_FLAG_PATH="$TEMP_DIR/bridge_nf_call_iptables.flag"
BRIDGE_NF_CALL_IP6TABLES_FLAG_PATH="$TEMP_DIR/bridge_nf_call_ip6tables.flag"
# ucode # ucode
UCODE_DIR="$HOME_DIR/ucode" UCODE_DIR="$HOME_DIR/ucode"
@ -84,8 +87,8 @@ prepare_files() {
if [ ! -f "$CORE_LOG_PATH" ]; then if [ ! -f "$CORE_LOG_PATH" ]; then
touch "$CORE_LOG_PATH" touch "$CORE_LOG_PATH"
fi fi
if [ ! -d "$FLAG_DIR" ]; then if [ ! -d "$TEMP_DIR" ]; then
mkdir -p "$FLAG_DIR" mkdir -p "$TEMP_DIR"
fi fi
} }

39
nikki/files/ucode/hijack.ut
View File

@ -5,7 +5,9 @@
import { cursor } from 'uci'; import { cursor } from 'uci';
import { connect } from 'ubus'; import { connect } from 'ubus';
import { uci_bool, uci_array, get_users, get_groups, get_cgroups } from '/etc/nikki/ucode/include.uc'; import { uci_bool, uci_array, get_cgroups_version, get_users, get_groups, get_cgroups } from '/etc/nikki/ucode/include.uc';
const cgroups_version = get_cgroups_version();
const users = get_users(); const users = get_users();
const groups = get_groups(); const groups = get_groups();
@ -43,7 +45,15 @@
const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != 'root' && index(users, x) >= 0); const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != 'root' && index(users, x) >= 0);
const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != 'root' && index(groups, x) >= 0); const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != 'root' && index(groups, x) >= 0);
const bypass_cgroup = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_cgroup')), (x) => x != 'nikki' && index(cgroups, x) >= 0);
let bypass_cgroup = [];
if (cgroups_version == 1) {
push(bypass_cgroup, cgroup_id);
} else if (cgroups_version == 2) {
bypass_cgroup = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_cgroup')), (x) => x != 'nikki' && index(cgroups, x) >= 0);
push(bypass_cgroup, cgroup_name);
}
const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp')); const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp'));
const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip')); const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip'));
const proxy_tcp_dport = split((uci.get('nikki', 'proxy', 'proxy_tcp_dport') ?? '0-65535'), ' '); const proxy_tcp_dport = split((uci.get('nikki', 'proxy', 'proxy_tcp_dport') ?? '0-65535'), ' ');
@ -80,8 +90,6 @@
for (let port in proxy_udp_dport) { for (let port in proxy_udp_dport) {
push(proxy_dport, `udp . ${port}`); push(proxy_dport, `udp . ${port}`);
} }
push(bypass_cgroup, 'nikki');
-%} -%}
table inet nikki { table inet nikki {
@ -135,6 +143,20 @@ table inet nikki {
{% endif %} {% endif %}
} }
{% if (cgroups_version == 1): %}
set bypass_cgroup {
typeof meta cgroup
flags interval
auto-merge
{% if (length(bypass_cgroup) > 0): %}
elements = {
{% for (let x in bypass_cgroup): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
{% elif (cgroups_version == 2): %}
set bypass_cgroup { set bypass_cgroup {
type cgroupsv2 type cgroupsv2
flags interval flags interval
@ -147,6 +169,7 @@ table inet nikki {
} }
{% endif %} {% endif %}
} }
{% endif %}
set reserved_ip { set reserved_ip {
type ipv4_addr type ipv4_addr
@ -319,7 +342,11 @@ table inet nikki {
{% if (router_proxy): %} {% if (router_proxy): %}
chain nat_output { chain nat_output {
type nat hook output priority filter; policy accept; type nat hook output priority filter; policy accept;
{% if (cgroups_version == 1): %}
meta cgroup @bypass_cgroup counter return
{% elif (cgroups_version == 2): %}
socket cgroupv2 level 2 @bypass_cgroup counter return socket cgroupv2 level 2 @bypass_cgroup counter return
{% endif %}
meta skuid @bypass_user counter return meta skuid @bypass_user counter return
meta skgid @bypass_group counter return meta skgid @bypass_group counter return
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }}
@ -343,7 +370,11 @@ table inet nikki {
chain mangle_output { chain mangle_output {
type route hook output priority mangle; policy accept; type route hook output priority mangle; policy accept;
{% if (cgroups_version == 1): %}
meta cgroup @bypass_cgroup counter return
{% elif (cgroups_version == 2): %}
socket cgroupv2 level 2 @bypass_cgroup counter return socket cgroupv2 level 2 @bypass_cgroup counter return
{% endif %}
meta skuid @bypass_user counter return meta skuid @bypass_user counter return
meta skgid @bypass_group counter return meta skgid @bypass_group counter return
fib daddr type { local, multicast, broadcast, anycast } counter return fib daddr type { local, multicast, broadcast, anycast } counter return

15
nikki/files/ucode/include.uc
View File

@ -1,4 +1,5 @@
import { readfile, lsdir, lstat } from 'fs'; import { readfile, lsdir, lstat } from 'fs';
import { connect } from 'ubus';
export function uci_bool(obj) { export function uci_bool(obj) {
return obj == null ? null : obj == '1'; return obj == null ? null : obj == '1';
@ -50,6 +51,10 @@ export function trim_all(obj) {
return obj; return obj;
}; };
export function get_cgroups_version() {
return system('mount | grep -q -w -e "^cgroup"') == 0 ? 1 : 2;
};
export function get_users() { export function get_users() {
return map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]); return map(split(readfile('/etc/passwd'), '\n'), (x) => split(x, ':')[0]);
}; };
@ -59,5 +64,13 @@ export function get_groups() {
}; };
export function get_cgroups() { export function get_cgroups() {
return filter(lsdir('/sys/fs/cgroup/services'), (x) => lstat(`/sys/fs/cgroup/services/${x}`).type == 'directory'); const ubus = connect();
const services = ubus.call('service', 'list');
const result = [];
for (let name in services) {
if (length(services[name]['instances']) > 0) {
push(result, name);
}
}
return result;
}; };