nikki: sync upstream

last commit: 0df3fc2941
This commit is contained in:
gitea-action 2025-04-12 13:30:27 +08:00
parent 30cf173156
commit 73586f1afa
7 changed files with 382 additions and 267 deletions


@ -5,9 +5,9 @@ PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
PKG_SOURCE_DATE:=2025-04-06 PKG_SOURCE_DATE:=2025-04-12
PKG_SOURCE_VERSION:=9e8f4ada4754ae95b002535acbeb457e40b06731 PKG_SOURCE_VERSION:=cedb36df5fe58d5d972b1507c1ab656aca5f046d
PKG_MIRROR_HASH:=1c8a7d70de0cb903b58eca1937b6561003cae7e76f9f021fd3eb9007b6a1f65f PKG_MIRROR_HASH:=b2f9fe4e2ebd38036eac0f2c5af79362cb2afbb780c36c236259ecace9db11da
PKG_LICENSE:=GPL3.0+ PKG_LICENSE:=GPL3.0+
PKG_MAINTAINER:=Joseph Mory <morytyann@gmail.com> PKG_MAINTAINER:=Joseph Mory <morytyann@gmail.com>
@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16 PKG_BUILD_FLAGS:=no-mips16
PKG_BUILD_VERSION:=alpha-9e8f4ad PKG_BUILD_VERSION:=alpha-cedb36d
PKG_BUILD_TIME:=$(shell date -u -Iseconds) PKG_BUILD_TIME:=$(shell date -u -Iseconds)
GO_PKG:=github.com/metacubex/mihomo GO_PKG:=github.com/metacubex/mihomo


@ -10,9 +10,9 @@ config config 'config'
option 'test_profile' '1' option 'test_profile' '1'
config proxy 'proxy' config proxy 'proxy'
option 'transparent_proxy' '1' option 'enabled' '1'
option 'tcp_transparent_proxy_mode' 'redirect' option 'tcp_mode' 'redirect'
option 'udp_transparent_proxy_mode' 'tun' option 'udp_mode' 'tun'
option 'ipv4_dns_hijack' '1' option 'ipv4_dns_hijack' '1'
option 'ipv6_dns_hijack' '1' option 'ipv6_dns_hijack' '1'
option 'ipv4_proxy' '1' option 'ipv4_proxy' '1'
@ -20,30 +20,7 @@ config proxy 'proxy'
option 'fake_ip_ping_hijack' '1' option 'fake_ip_ping_hijack' '1'
option 'router_proxy' '1' option 'router_proxy' '1'
option 'lan_proxy' '1' option 'lan_proxy' '1'
option 'access_control_mode' 'all' list 'lan_inbound_interface' 'lan'
option 'acl_ip' ''
option 'acl_ip6' ''
option 'acl_mac' ''
option 'acl_interface' ''
list 'bypass_user' 'dnsmasq'
list 'bypass_user' 'ftp'
list 'bypass_user' 'logd'
list 'bypass_user' 'nobody'
list 'bypass_user' 'ntp'
list 'bypass_user' 'ubus'
list 'bypass_group' 'dnsmasq'
list 'bypass_group' 'ftp'
list 'bypass_group' 'logd'
list 'bypass_group' 'nogroup'
list 'bypass_group' 'ntp'
list 'bypass_group' 'ubus'
list 'bypass_cgroup' 'adguardhome'
list 'bypass_cgroup' 'aria2'
list 'bypass_cgroup' 'dnsmasq'
list 'bypass_cgroup' 'netbird'
list 'bypass_cgroup' 'qbittorrent'
list 'bypass_cgroup' 'tailscale'
list 'bypass_cgroup' 'zerotier'
list 'bypass_dscp' '4' list 'bypass_dscp' '4'
option 'bypass_china_mainland_ip' '0' option 'bypass_china_mainland_ip' '0'
option 'proxy_tcp_dport' '0-65535' option 'proxy_tcp_dport' '0-65535'
@ -100,6 +77,38 @@ config env 'env'
option 'disable_quic_go_gso' '0' option 'disable_quic_go_gso' '0'
option 'disable_quic_go_ecn' '0' option 'disable_quic_go_ecn' '0'
config router_access_control
option 'enabled' '1'
list 'user' 'dnsmasq'
list 'user' 'ftp'
list 'user' 'logd'
list 'user' 'nobody'
list 'user' 'ntp'
list 'user' 'ubus'
list 'group' 'dnsmasq'
list 'group' 'ftp'
list 'group' 'logd'
list 'group' 'nogroup'
list 'group' 'ntp'
list 'group' 'ubus'
list 'cgroup' 'adguardhome'
list 'cgroup' 'aria2'
list 'cgroup' 'dnsmasq'
list 'cgroup' 'netbird'
list 'cgroup' 'qbittorrent'
list 'cgroup' 'sysntpd'
list 'cgroup' 'tailscale'
list 'cgroup' 'zerotier'
option 'proxy' '0'
config router_access_control
option 'enabled' '1'
option 'proxy' '1'
config lan_access_control
option 'enabled' '1'
option 'proxy' '1'
config authentication config authentication
option 'enabled' '1' option 'enabled' '1'
option 'username' 'nikki' option 'username' 'nikki'


@ -143,11 +143,11 @@ service_started() {
fi fi
# load config # load config
config_load nikki config_load nikki
# check if transparent proxy enabled # check if proxy enabled
local transparent_proxy local enabled
config_get_bool transparent_proxy "proxy" "transparent_proxy" 0 config_get_bool enabled "proxy" "enabled" 0
if [ "$transparent_proxy" == 0 ]; then if [ "$enabled" == 0 ]; then
log "Transparent Proxy" "Disabled." log "Proxy" "Disabled."
return return
fi fi
# get config # get config
@ -156,19 +156,19 @@ service_started() {
local tun_device local tun_device
config_get tun_device "mixin" "tun_device" "nikki" config_get tun_device "mixin" "tun_device" "nikki"
## proxy config ## proxy config
### transparent proxy ### general
local tcp_transparent_proxy_mode udp_transparent_proxy_mode ipv4_proxy ipv6_proxy local tcp_mode udp_mode ipv4_proxy ipv6_proxy
config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode" config_get tcp_mode "proxy" "tcp_mode"
config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" config_get udp_mode "proxy" "udp_mode"
config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0 config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0
config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0 config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0
# prepare config # prepare config
local tproxy_enable; tproxy_enable=0 local tproxy_enable; tproxy_enable=0
if [[ "$tcp_transparent_proxy_mode" == "tproxy" || "$udp_transparent_proxy_mode" == "tproxy" ]]; then if [[ "$tcp_mode" == "tproxy" || "$udp_mode" == "tproxy" ]]; then
tproxy_enable=1 tproxy_enable=1
fi fi
local tun_enable; tun_enable=0 local tun_enable; tun_enable=0
if [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then if [[ "$tcp_mode" == "tun" || "$udp_mode" == "tun" ]]; then
tun_enable=1 tun_enable=1
fi fi
# fix compatible with dockerd # fix compatible with dockerd
@ -197,17 +197,17 @@ service_started() {
fi fi
fi fi
fi fi
# transparent proxy # proxy
log "Transparent Proxy" "Enabled." log "Proxy" "Enabled."
# wait for tun device online # wait for tun device online
if [ "$tun_enable" == 1 ]; then if [ "$tun_enable" == 1 ]; then
log "Transparent Proxy" "Waiting for tun device online..." log "Proxy" "Waiting for tun device online..."
local tun_timeout; tun_timeout=15 local tun_timeout; tun_timeout=15
local tun_interval; tun_interval=1 local tun_interval; tun_interval=1
while [ "$tun_timeout" -gt 0 ]; do while [ "$tun_timeout" -gt 0 ]; do
if (ip link show dev "$tun_device" > /dev/null 2>&1); then if (ip link show dev "$tun_device" > /dev/null 2>&1); then
if [ $(ip -json addr show dev "$tun_device" | tun_device="$tun_device" yq -M '.[] | select(.ifname = strenv(tun_device)) | .addr_info | length') -gt 0 ]; then if [ $(ip -json addr show dev "$tun_device" | tun_device="$tun_device" yq -M '.[] | select(.ifname = strenv(tun_device)) | .addr_info | length') -gt 0 ]; then
log "Transparent Proxy" "Tun device is online." log "Proxy" "Tun device is online."
break break
fi fi
fi fi
@ -215,7 +215,7 @@ service_started() {
sleep "$tun_interval" sleep "$tun_interval"
done done
if [ "$tun_timeout" -le 0 ]; then if [ "$tun_timeout" -le 0 ]; then
log "Transparent Proxy" "Waiting timeout, tun device is not online." log "Proxy" "Waiting timeout, tun device is not online."
log "App" "Exit." log "App" "Exit."
return return
fi fi
@ -246,9 +246,9 @@ service_started() {
utpl -D cgroup_name="$CGROUP_NAME" -D cgroup_id="$CGROUP_ID" -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f - utpl -D cgroup_name="$CGROUP_NAME" -D cgroup_id="$CGROUP_ID" -D tproxy_fw_mark="$TPROXY_FW_MARK" -D tun_fw_mark="$TUN_FW_MARK" -S "$HIJACK_UT" | nft -f -
# check hijack # check hijack
if (nft list tables | grep -q nikki); then if (nft list tables | grep -q nikki); then
log "Transparent Proxy" "Hijack successful." log "Proxy" "Hijack successful."
else else
log "Transparent Proxy" "Hijack failed." log "Proxy" "Hijack failed."
log "App" "Exit." log "App" "Exit."
fi fi
} }
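Review bot: The "Hijack failed." branch at the end of service_started logs `log "App" "Exit."` but then falls out of the function normally, so on the new side the proxy process is left running with no redirection rules in place while the log claims it exited; if stopping is the intent, the branch should actually stop the service (or at least the log text should say the hijack was skipped). The success check itself, `nft list tables | grep -q nikki`, is a substring match on the whole table listing and would be satisfied by any table whose name merely contains "nikki"; `nft list table inet nikki > /dev/null 2>&1` checks the specific table. Both lines are context in this hunk rather than lines the commit changes, so this is a follow-up rather than a blocker for the rename. service_started begins before the first hunk of this file.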


@ -5,11 +5,11 @@
config_load nikki config_load nikki
config_get enabled "config" "enabled" 0 config_get enabled "config" "enabled" 0
config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode" config_get tcp_mode "proxy" "tcp_mode"
config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" config_get udp_mode "proxy" "udp_mode"
config_get tun_device "mixin" "tun_device" config_get tun_device "mixin" "tun_device"
if [ "$enabled" == 1 ] && [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then if [ "$enabled" == 1 ] && [[ "$tcp_mode" == "tun" || "$udp_mode" == "tun" ]]; then
nft insert rule inet fw4 input iifname "$tun_device" counter accept comment "nikki" nft insert rule inet fw4 input iifname "$tun_device" counter accept comment "nikki"
nft insert rule inet fw4 forward oifname "$tun_device" counter accept comment "nikki" nft insert rule inet fw4 forward oifname "$tun_device" counter accept comment "nikki"
nft insert rule inet fw4 forward iifname "$tun_device" counter accept comment "nikki" nft insert rule inet fw4 forward iifname "$tun_device" counter accept comment "nikki"


@ -30,6 +30,82 @@ mixin_dns_port=$(uci -q get nikki.mixin.dns_port); [ -n "$mixin_dns_port" ] && {
uci set nikki.mixin.dns_listen=[::]:$mixin_dns_port uci set nikki.mixin.dns_listen=[::]:$mixin_dns_port
} }
# since v1.22.0
proxy_transparent_proxy=$(uci -q get nikki.proxy.transparent_proxy); [ -n "$proxy_transparent_proxy" ] && {
uci rename nikki.proxy.transparent_proxy=enabled
uci rename nikki.proxy.tcp_transparent_proxy_mode=tcp_mode
uci rename nikki.proxy.udp_transparent_proxy_mode=udp_mode
uci add nikki router_access_control
uci set nikki.@router_access_control[-1].enabled=1
proxy_bypass_user=$(uci -q get nikki.proxy.bypass_user); [ -n "$proxy_bypass_user" ] && {
for user in $proxy_bypass_user; do
uci add_list nikki.@router_access_control[-1].user="$user"
done
}
proxy_bypass_group=$(uci -q get nikki.proxy.bypass_group); [ -n "$proxy_bypass_group" ] && {
for group in $proxy_bypass_group; do
uci add_list nikki.@router_access_control[-1].group="$group"
done
}
proxy_bypass_cgroup=$(uci -q get nikki.proxy.bypass_cgroup); [ -n "$proxy_bypass_cgroup" ] && {
for cgroup in $proxy_bypass_cgroup; do
uci add_list nikki.@router_access_control[-1].cgroup="$cgroup"
done
}
uci set nikki.@router_access_control[-1].proxy=0
uci add nikki router_access_control
uci set nikki.@router_access_control[-1].enabled=1
uci set nikki.@router_access_control[-1].proxy=1
uci add_list nikki.proxy.lan_inbound_interface=lan
proxy_access_control_mode=$(uci -q get nikki.proxy.access_control_mode); [ "$proxy_access_control_mode" != "all" ] && {
proxy_acl_ip=$(uci -q get nikki.proxy.acl_ip); [ -n "$proxy_acl_ip" ] && {
for ip in $proxy_acl_ip; do
uci add nikki lan_access_control
uci set nikki.@lan_access_control[-1].enabled=1
uci add_list nikki.@lan_access_control[-1].ip="$ip"
[ "$proxy_access_control_mode" == "allow" ] && uci set nikki.@lan_access_control[-1].proxy=1
[ "$proxy_access_control_mode" == "block" ] && uci set nikki.@lan_access_control[-1].proxy=0
done
}
proxy_acl_ip6=$(uci -q get nikki.proxy.acl_ip6); [ -n "$proxy_acl_ip6" ] && {
for ip6 in $proxy_acl_ip6; do
uci add nikki lan_access_control
uci set nikki.@lan_access_control[-1].enabled=1
uci add_list nikki.@lan_access_control[-1].ip6="$ip6"
[ "$proxy_access_control_mode" == "allow" ] && uci set nikki.@lan_access_control[-1].proxy=1
[ "$proxy_access_control_mode" == "block" ] && uci set nikki.@lan_access_control[-1].proxy=0
done
}
proxy_acl_mac=$(uci -q get nikki.proxy.acl_mac); [ -n "$proxy_acl_mac" ] && {
for mac in $proxy_acl_mac; do
uci add nikki lan_access_control
uci set nikki.@lan_access_control[-1].enabled=1
uci add_list nikki.@lan_access_control[-1].mac="$mac"
[ "$proxy_access_control_mode" == "allow" ] && uci set nikki.@lan_access_control[-1].proxy=1
[ "$proxy_access_control_mode" == "block" ] && uci set nikki.@lan_access_control[-1].proxy=0
done
}
[ "$proxy_access_control_mode" == "block" ] && {
uci add nikki lan_access_control
uci set nikki.@lan_access_control[-1].enabled=1
uci set nikki.@lan_access_control[-1].proxy=1
}
}
uci del nikki.proxy.access_control_mode
uci del nikki.proxy.acl_ip
uci del nikki.proxy.acl_ip6
uci del nikki.proxy.acl_mac
uci del nikki.proxy.acl_interface
uci del nikki.proxy.bypass_user
uci del nikki.proxy.bypass_group
uci del nikki.proxy.bypass_cgroup
}
# commit # commit
uci commit nikki uci commit nikki
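Review bot: The migration creates no catch-all `lan_access_control` section when the legacy `access_control_mode` is `all`: the block guarded by `[ "$proxy_access_control_mode" != "all" ] && { … }` is skipped for that value, there is no else branch, and `uci del nikki.proxy.access_control_mode` then discards the information. Since `all` was the previous shipped default (see the removed `option 'access_control_mode' 'all'` in the config hunk) and the new defaults add an `enabled=1`/`proxy=1` section for exactly this case, an upgraded router would be left with an empty `lan_access_control` list; if the lan chains in the nftables template are driven only by that list, LAN clients silently stop being proxied after the upgrade. The old `acl_interface` list is likewise deleted without being mapped to anything (only `lan` is added to `lan_inbound_interface`), so interface-based allow/block entries are lost; that should at least be logged. The enclosing `# since v1.22.0` block lies entirely within this hunk.
```shell
# … unchanged: option renames and router_access_control migration …
proxy_access_control_mode=$(uci -q get nikki.proxy.access_control_mode)
[ "$proxy_access_control_mode" == "all" ] && {
	uci add nikki lan_access_control
	uci set nikki.@lan_access_control[-1].enabled=1
	uci set nikki.@lan_access_control[-1].proxy=1
}
[ "$proxy_access_control_mode" != "all" ] && {
	# … unchanged: per-ip / ip6 / mac lan_access_control entries …
}
# … unchanged: uci del of the legacy proxy options …
```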


@ -27,32 +27,43 @@
const tun_device = uci.get('nikki', 'mixin', 'tun_device'); const tun_device = uci.get('nikki', 'mixin', 'tun_device');
const tcp_transparent_proxy_mode = uci.get('nikki', 'proxy', 'tcp_transparent_proxy_mode'); const tcp_mode = uci.get('nikki', 'proxy', 'tcp_mode');
const udp_transparent_proxy_mode = uci.get('nikki', 'proxy', 'udp_transparent_proxy_mode'); const udp_mode = uci.get('nikki', 'proxy', 'udp_mode');
const ipv4_dns_hijack = uci_bool(uci.get('nikki', 'proxy', 'ipv4_dns_hijack')); const ipv4_dns_hijack = uci_bool(uci.get('nikki', 'proxy', 'ipv4_dns_hijack'));
const ipv6_dns_hijack = uci_bool(uci.get('nikki', 'proxy', 'ipv6_dns_hijack')); const ipv6_dns_hijack = uci_bool(uci.get('nikki', 'proxy', 'ipv6_dns_hijack'));
const ipv4_proxy = uci_bool(uci.get('nikki', 'proxy', 'ipv4_proxy')); const ipv4_proxy = uci_bool(uci.get('nikki', 'proxy', 'ipv4_proxy'));
const ipv6_proxy = uci_bool(uci.get('nikki', 'proxy', 'ipv6_proxy')); const ipv6_proxy = uci_bool(uci.get('nikki', 'proxy', 'ipv6_proxy'));
const fake_ip_ping_hijack = uci_bool(uci.get('nikki', 'proxy', 'fake_ip_ping_hijack')); const fake_ip_ping_hijack = uci_bool(uci.get('nikki', 'proxy', 'fake_ip_ping_hijack'));
const router_proxy = uci_bool(uci.get('nikki', 'proxy', 'router_proxy')); const router_proxy = uci_bool(uci.get('nikki', 'proxy', 'router_proxy'));
const router_access_control = [];
uci.foreach('nikki', 'router_access_control', (access_control) => {
access_control['enabled'] = uci_bool(access_control['enabled']);
access_control['user'] = filter(uci_array(access_control['user']), (x) => index(users, x) >= 0);
access_control['group'] = filter(uci_array(access_control['group']), (x) => index(groups, x) >= 0);
access_control['cgroup'] = filter(uci_array(access_control['cgroup']), (x) => index(cgroups, x) >= 0);
access_control['proxy'] = uci_bool(access_control['proxy']);
push(router_access_control, access_control);
});
const lan_proxy = uci_bool(uci.get('nikki', 'proxy', 'lan_proxy')); const lan_proxy = uci_bool(uci.get('nikki', 'proxy', 'lan_proxy'));
const lan_inbound_interface = uci_array(uci.get('nikki', 'proxy', 'lan_inbound_interface'));
const access_control_mode = uci.get('nikki', 'proxy', 'access_control_mode'); const lan_inbound_device = [];
const acl_ip = uci_array(uci.get('nikki', 'proxy', 'acl_ip')); for (let interface in lan_inbound_interface) {
const acl_ip6 = uci_array(uci.get('nikki', 'proxy', 'acl_ip6')); const device = ubus.call('network.interface', 'status', {'interface': interface})?.l3_device ?? '';
const acl_mac = uci_array(uci.get('nikki', 'proxy', 'acl_mac')); if (device != '') {
const acl_interface = uci_array(uci.get('nikki', 'proxy', 'acl_interface')); push(lan_inbound_device, device);
const bypass_user = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_user')), (x) => x != 'root' && index(users, x) >= 0);
const bypass_group = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_group')), (x) => x != 'root' && index(groups, x) >= 0);
let bypass_cgroup = [];
if (cgroups_version == 1) {
push(bypass_cgroup, cgroup_id);
} else if (cgroups_version == 2) {
bypass_cgroup = filter(uci_array(uci.get('nikki', 'proxy', 'bypass_cgroup')), (x) => x != 'nikki' && index(cgroups, x) >= 0);
push(bypass_cgroup, cgroup_name);
} }
}
const lan_access_control = [];
uci.foreach('nikki', 'lan_access_control', (access_control) => {
access_control['enabled'] = uci_bool(access_control['enabled']);
access_control['ip'] = uci_array(access_control['ip']);
access_control['ip6'] = uci_array(access_control['ip6']);
access_control['mac'] = uci_array(access_control['mac']);
access_control['proxy'] = uci_bool(access_control['proxy']);
push(lan_access_control, access_control);
});
const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp')); const bypass_dscp = uci_array(uci.get('nikki', 'proxy', 'bypass_dscp'));
const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip')); const bypass_china_mainland_ip = uci_bool(uci.get('nikki', 'proxy', 'bypass_china_mainland_ip'));
@ -67,14 +78,6 @@
push(dns_hijack_nfproto, 'ipv6'); push(dns_hijack_nfproto, 'ipv6');
} }
const acl_device = [];
for (let i = 0; i < length(acl_interface); i++) {
const device = ubus.call('network.interface', 'status', {'interface': acl_interface[i]})?.l3_device ?? '';
if (device != '') {
push(acl_device, device);
}
}
const proxy_nfproto = []; const proxy_nfproto = [];
if (ipv4_proxy) { if (ipv4_proxy) {
push(proxy_nfproto, 'ipv4'); push(proxy_nfproto, 'ipv4');
@ -98,8 +101,8 @@ table inet nikki {
flags interval flags interval
{% if (length(dns_hijack_nfproto) > 0): %} {% if (length(dns_hijack_nfproto) > 0): %}
elements = { elements = {
{% for (let x in dns_hijack_nfproto): %} {% for (let nfproto in dns_hijack_nfproto): %}
{{ x }}, {{ nfproto }},
{% endfor %} {% endfor %}
} }
{% endif %} {% endif %}
@ -110,67 +113,13 @@ table inet nikki {
flags interval flags interval
{% if (length(proxy_nfproto) > 0): %} {% if (length(proxy_nfproto) > 0): %}
elements = { elements = {
{% for (let x in proxy_nfproto): %} {% for (let nfproto in proxy_nfproto): %}
{{ x }}, {{ nfproto }},
{% endfor %} {% endfor %}
} }
{% endif %} {% endif %}
} }
set bypass_user {
type uid
flags interval
auto-merge
{% if (length(bypass_user) > 0): %}
elements = {
{% for (let x in bypass_user): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
set bypass_group {
type gid
flags interval
auto-merge
{% if (length(bypass_group) > 0): %}
elements = {
{% for (let x in bypass_group): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
{% if (cgroups_version == 1): %}
set bypass_cgroup {
typeof meta cgroup
flags interval
auto-merge
{% if (length(bypass_cgroup) > 0): %}
elements = {
{% for (let x in bypass_cgroup): %}
{{ x }},
{% endfor %}
}
{% endif %}
}
{% elif (cgroups_version == 2): %}
set bypass_cgroup {
type cgroupsv2
flags interval
auto-merge
{% if (length(bypass_cgroup) > 0): %}
elements = {
{% for (let x in bypass_cgroup): %}
services/{{ x }},
{% endfor %}
}
{% endif %}
}
{% endif %}
set reserved_ip { set reserved_ip {
type ipv4_addr type ipv4_addr
flags interval flags interval
@ -183,6 +132,19 @@ table inet nikki {
auto-merge auto-merge
} }
set lan_inbound_device {
type ifname
flags interval
auto-merge
{% if (length(lan_inbound_device) > 0): %}
elements = {
{% for (let device in lan_inbound_device): %}
{{ device }},
{% endfor %}
}
{% endif %}
}
set china_ip { set china_ip {
type ipv4_addr type ipv4_addr
flags interval flags interval
@ -199,8 +161,8 @@ table inet nikki {
auto-merge auto-merge
{% if (length(proxy_dport) > 0): %} {% if (length(proxy_dport) > 0): %}
elements = { elements = {
{% for (let x in proxy_dport): %} {% for (let dport in proxy_dport): %}
{{ x }}, {{ dport }},
{% endfor %} {% endfor %}
} }
{% endif %} {% endif %}
@ -212,145 +174,215 @@ table inet nikki {
auto-merge auto-merge
{% if (length(bypass_dscp) > 0): %} {% if (length(bypass_dscp) > 0): %}
elements = { elements = {
{% for (let x in bypass_dscp): %} {% for (let dscp in bypass_dscp): %}
{{ x }}, {{ dscp }},
{% endfor %} {% endfor %}
} }
{% endif %} {% endif %}
} }
set acl_ip { chain router_dns_hijack {
type ipv4_addr {% for (let access_control in router_access_control): %}
flags interval {% if (access_control['enabled']): %}
auto-merge {% if (length(access_control['user']) == 0 && length(access_control['group']) == 0 && length(access_control['cgroup']) == 0): %}
{% if (length(acl_ip) > 0): %} meta l4proto { tcp, udp } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
elements = {
{% for (let x in acl_ip): %} {% else %}
{{ x }}, {% if (length(access_control['user']) > 0): %}
{% endfor %} meta l4proto { tcp, udp } meta skuid { {% for (let user in access_control['user']): %} {{ user }}, {% endfor %} } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
}
{% endif %} {% endif %}
{% if (length(access_control['group']) > 0): %}
meta l4proto { tcp, udp } meta skgid { {% for (let group in access_control['group']): %} {{ group }}, {% endfor %} } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
{% endif %}
{% if (cgroups_version == 2 && length(access_control['cgroup']) > 0): %}
meta l4proto { tcp, udp } socket cgroupv2 level 2 { {% for (let cgroup in access_control['cgroup']): %} services/{{ cgroup }}, {% endfor %} } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
set acl_ip6 { chain router_redirect {
type ipv6_addr {% for (let access_control in router_access_control): %}
flags interval {% if (access_control['enabled']): %}
auto-merge {% if (length(access_control['user']) == 0 && length(access_control['group']) == 0 && length(access_control['cgroup']) == 0): %}
{% if (length(acl_ip6) > 0): %} meta l4proto tcp counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
elements = {
{% for (let x in acl_ip6): %} {% else %}
{{ x }}, {% if (length(access_control['user']) > 0): %}
{% endfor %} meta l4proto tcp meta skuid { {% for (let user in access_control['user']): %} {{ user }}, {% endfor %} } counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
}
{% endif %} {% endif %}
{% if (length(access_control['group']) > 0): %}
meta l4proto tcp meta skgid { {% for (let group in access_control['group']): %} {{ group }}, {% endfor %} } counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
{% endif %}
{% if (cgroups_version == 2 && length(access_control['cgroup']) > 0): %}
meta l4proto tcp socket cgroupv2 level 2 { {% for (let cgroup in access_control['cgroup']): %} services/{{ cgroup }}, {% endfor %} } counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
set acl_mac { chain router_tproxy {
type ether_addr {% for (let access_control in router_access_control): %}
flags interval {% if (access_control['enabled']): %}
auto-merge {% if (length(access_control['user']) == 0 && length(access_control['group']) == 0 && length(access_control['cgroup']) == 0): %}
{% if (length(acl_mac) > 0): %} meta l4proto { tcp, udp } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
elements = {
{% for (let x in acl_mac): %} {% else %}
{{ x }}, {% if (length(access_control['user']) > 0): %}
{% endfor %} meta l4proto { tcp, udp } meta skuid { {% for (let user in access_control['user']): %} {{ user }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
}
{% endif %} {% endif %}
{% if (length(access_control['group']) > 0): %}
meta l4proto { tcp, udp } meta skgid { {% for (let group in access_control['group']): %} {{ group }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
{% endif %}
{% if (cgroups_version == 2 && length(access_control['cgroup']) > 0): %}
meta l4proto { tcp, udp } socket cgroupv2 level 2 { {% for (let cgroup in access_control['cgroup']): %} services/{{ cgroup }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
set acl_device { chain router_tun {
type ifname {% for (let access_control in router_access_control): %}
flags interval {% if (access_control['enabled']): %}
auto-merge {% if (length(access_control['user']) == 0 && length(access_control['group']) == 0 && length(access_control['cgroup']) == 0): %}
{% if (length(acl_device) > 0): %} meta l4proto { tcp, udp } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %} counter return {% endif %}
elements = {
{% for (let x in acl_device): %} {% else %}
{{ x }}, {% if (length(access_control['user']) > 0): %}
{% endfor %} meta l4proto { tcp, udp } meta skuid { {% for (let user in access_control['user']): %} {{ user }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %} counter return {% endif %}
}
{% endif %} {% endif %}
{% if (length(access_control['group']) > 0): %}
meta l4proto { tcp, udp } meta skgid { {% for (let group in access_control['group']): %} {{ group }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %} counter return {% endif %}
{% endif %}
{% if (cgroups_version == 2 && length(access_control['cgroup']) > 0): %}
meta l4proto { tcp, udp } socket cgroupv2 level 2 { {% for (let cgroup in access_control['cgroup']): %} services/{{ cgroup }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %} counter return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
chain lan_dns_hijack { chain lan_dns_hijack {
{% if (access_control_mode == 'all'): %} {% for (let access_control in lan_access_control): %}
meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }} {% if (access_control['enabled']): %}
{% elif (access_control_mode == 'allow'): %} {% if (length(access_control['ip']) == 0 && length(access_control['ip6']) == 0 && length(access_control['mac']) == 0): %}
meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter redirect to :{{ dns_port }} meta l4proto { tcp, udp } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter redirect to :{{ dns_port }}
meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter redirect to :{{ dns_port }} {% else %}
meta l4proto { tcp, udp } th dport 53 iifname @acl_device counter redirect to :{{ dns_port }} {% if (length(access_control['ip']) > 0): %}
{% elif (access_control_mode == 'block'): %} meta l4proto { tcp, udp } ip saddr { {% for (let ip in access_control['ip']): %} {{ ip }}, {% endfor %} } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter return
meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter return
meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter return
meta l4proto { tcp, udp } th dport 53 iifname @acl_device counter return
meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }}
{% endif %} {% endif %}
{% if (length(access_control['ip6']) > 0): %}
meta l4proto { tcp, udp } ip6 saddr { {% for (let ip6 in access_control['ip6']): %} {{ ip6 }}, {% endfor %} } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
{% endif %}
{% if (length(access_control['mac']) > 0): %}
meta l4proto { tcp, udp } ether saddr { {% for (let mac in access_control['mac']): %} {{ mac }}, {% endfor %} } th dport 53 counter {% if (access_control.proxy == '1'): %} redirect to :{{ dns_port }} {% else %} return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
chain lan_redirect { chain lan_redirect {
{% if (access_control_mode == 'all'): %} {% for (let access_control in lan_access_control): %}
meta l4proto tcp counter redirect to :{{ redir_port }} {% if (access_control['enabled']): %}
{% elif (access_control_mode == 'allow'): %} {% if (length(access_control['ip']) == 0 && length(access_control['ip6']) == 0 && length(access_control['mac']) == 0): %}
meta l4proto tcp ip saddr @acl_ip counter redirect to :{{ redir_port }} meta l4proto tcp tcp counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} counter return {% endif %}
meta l4proto tcp ip6 saddr @acl_ip6 counter redirect to :{{ redir_port }}
meta l4proto tcp ether saddr @acl_mac counter redirect to :{{ redir_port }} {% else %}
meta l4proto tcp iifname @acl_device counter redirect to :{{ redir_port }} {% if (length(access_control['ip']) > 0): %}
{% elif (access_control_mode == 'block'): %} meta l4proto tcp ip saddr { {% for (let ip in access_control['ip']): %} {{ ip }}, {% endfor %} } counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
meta l4proto tcp ip saddr @acl_ip counter return
meta l4proto tcp ip6 saddr @acl_ip6 counter return
meta l4proto tcp ether saddr @acl_mac counter return
meta l4proto tcp iifname @acl_device counter return
meta l4proto tcp counter redirect to :{{ redir_port }}
{% endif %} {% endif %}
{% if (length(access_control['ip6']) > 0): %}
meta l4proto tcp ip6 saddr { {% for (let ip6 in access_control['ip6']): %} {{ ip6 }}, {% endfor %} } counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
{% endif %}
{% if (length(access_control['mac']) > 0): %}
meta l4proto tcp ether saddr { {% for (let mac in access_control['mac']): %} {{ mac }}, {% endfor %} } counter {% if (access_control.proxy == '1'): %} redirect to :{{ redir_port }} {% else %} return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
chain lan_tproxy { chain lan_tproxy {
{% if (access_control_mode == 'all'): %} {% for (let access_control in lan_access_control): %}
meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% if (access_control['enabled']): %}
{% elif (access_control_mode == 'allow'): %} {% if (length(access_control['ip']) == 0 && length(access_control['ip6']) == 0 && length(access_control['mac']) == 0): %}
meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tproxy_fw_mark }} tproxy ip to :{{ tproxy_port }} counter accept meta l4proto { tcp, udp } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tproxy_fw_mark }} tproxy ip6 to :{{ tproxy_port }} counter accept
meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %}
meta l4proto { tcp, udp } iifname @acl_device meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% if (length(access_control['ip']) > 0): %}
{% elif (access_control_mode == 'block'): %} meta l4proto { tcp, udp } ip saddr { {% for (let ip in access_control['ip']): %} {{ ip }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy ip to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
meta l4proto { tcp, udp } ip saddr @acl_ip counter return
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
meta l4proto { tcp, udp } ether saddr @acl_mac counter return
meta l4proto { tcp, udp } iifname @acl_device counter return
meta l4proto { tcp, udp } meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept
{% endif %} {% endif %}
{% if (length(access_control['ip6']) > 0): %}
meta l4proto { tcp, udp } ip6 saddr { {% for (let ip6 in access_control['ip6']): %} {{ ip6 }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy ip6 to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
{% endif %}
{% if (length(access_control['mac']) > 0): %}
meta l4proto { tcp, udp } ether saddr { {% for (let mac in access_control['mac']): %} {{ mac }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept {% else %} counter return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
chain lan_tun { chain lan_tun {
{% if (access_control_mode == 'all'): %} {% for (let access_control in lan_access_control): %}
meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter {% if (access_control['enabled']): %}
{% elif (access_control_mode == 'allow'): %} {% if (length(access_control['ip']) == 0 && length(access_control['ip6']) == 0 && length(access_control['mac']) == 0): %}
meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set {{ tun_fw_mark }} counter meta l4proto { tcp, udp } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %}counter return {% endif %}
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set {{ tun_fw_mark }} counter
meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set {{ tun_fw_mark }} counter {% else %}
meta l4proto { tcp, udp } iifname @acl_device meta mark set {{ tun_fw_mark }} counter {% if (length(access_control['ip']) > 0): %}
{% elif (access_control_mode == 'block'): %} meta l4proto { tcp, udp } ip saddr { {% for (let ip in access_control['ip']): %} {{ ip }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %}counter return {% endif %}
meta l4proto { tcp, udp } ip saddr @acl_ip counter return
meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
meta l4proto { tcp, udp } ether saddr @acl_mac counter return
meta l4proto { tcp, udp } iifname @acl_device counter return
meta l4proto { tcp, udp } meta mark set {{ tun_fw_mark }} counter
{% endif %} {% endif %}
{% if (length(access_control['ip6']) > 0): %}
meta l4proto { tcp, udp } ip6 saddr { {% for (let ip6 in access_control['ip6']): %} {{ ip6 }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %}counter return {% endif %}
{% endif %}
{% if (length(access_control['mac']) > 0): %}
meta l4proto { tcp, udp } ether saddr { {% for (let mac in access_control['mac']): %} {{ mac }}, {% endfor %} } {% if (access_control.proxy == '1'): %} meta mark set {{ tun_fw_mark }} counter accept {% else %}counter return {% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
} }
{% if (router_proxy): %} {% if (router_proxy): %}
chain nat_output { chain nat_output {
type nat hook output priority filter; policy accept; type nat hook output priority filter; policy accept;
{% if (cgroups_version == 1): %} {% if (cgroups_version == 1): %}
meta cgroup @bypass_cgroup counter return meta cgroup {{ cgroup_id }} counter return
{% elif (cgroups_version == 2): %} {% elif (cgroups_version == 2): %}
socket cgroupv2 level 2 @bypass_cgroup counter return socket cgroupv2 level 2 services/{{ cgroup_name }} counter return
{% endif %} {% endif %}
meta skuid @bypass_user counter return meta nfproto @dns_hijack_nfproto jump router_dns_hijack
meta skgid @bypass_group counter return {% if (tcp_mode == 'redirect'): %}
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter redirect to :{{ dns_port }}
{% if (tcp_transparent_proxy_mode == 'redirect'): %}
fib daddr type { local, multicast, broadcast, anycast } counter return fib daddr type { local, multicast, broadcast, anycast } counter return
ct direction reply counter return ct direction reply counter return
ip daddr @reserved_ip counter return ip daddr @reserved_ip counter return
@ -361,7 +393,7 @@ table inet nikki {
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @proxy_nfproto meta l4proto tcp counter redirect to :{{ redir_port }} meta nfproto @proxy_nfproto jump router_redirect
{% endif %} {% endif %}
{% if (fake_ip_ping_hijack): %} {% if (fake_ip_ping_hijack): %}
ip protocol icmp icmp type echo-request ip daddr {{ fake_ip_range }} counter redirect ip protocol icmp icmp type echo-request ip daddr {{ fake_ip_range }} counter redirect
@ -371,12 +403,10 @@ table inet nikki {
chain mangle_output { chain mangle_output {
type route hook output priority mangle; policy accept; type route hook output priority mangle; policy accept;
{% if (cgroups_version == 1): %} {% if (cgroups_version == 1): %}
meta cgroup @bypass_cgroup counter return meta cgroup {{ cgroup_id }} counter return
{% elif (cgroups_version == 2): %} {% elif (cgroups_version == 2): %}
socket cgroupv2 level 2 @bypass_cgroup counter return socket cgroupv2 level 2 services/{{ cgroup_name }} counter return
{% endif %} {% endif %}
meta skuid @bypass_user counter return
meta skgid @bypass_group counter return
fib daddr type { local, multicast, broadcast, anycast } counter return fib daddr type { local, multicast, broadcast, anycast } counter return
ct direction reply counter return ct direction reply counter return
ip daddr @reserved_ip counter return ip daddr @reserved_ip counter return
@ -388,25 +418,25 @@ table inet nikki {
meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return
{% if (tcp_transparent_proxy_mode == 'tproxy'): %} {% if (tcp_mode == 'tproxy'): %}
meta nfproto @proxy_nfproto meta l4proto tcp meta mark set {{ tproxy_fw_mark }} counter meta nfproto @proxy_nfproto meta l4proto tcp jump router_tproxy
{% elif (tcp_transparent_proxy_mode == 'tun'): %} {% elif (tcp_mode == 'tun'): %}
meta nfproto @proxy_nfproto meta l4proto tcp meta mark set {{ tun_fw_mark }} counter meta nfproto @proxy_nfproto meta l4proto tcp jump router_tun
{% endif %} {% endif %}
{% if (udp_transparent_proxy_mode == 'tproxy'): %} {% if (udp_mode == 'tproxy'): %}
meta nfproto @proxy_nfproto meta l4proto udp meta mark set {{ tproxy_fw_mark }} counter meta nfproto @proxy_nfproto meta l4proto udp jump router_tproxy
{% elif (udp_transparent_proxy_mode == 'tun'): %} {% elif (udp_mode == 'tun'): %}
meta nfproto @proxy_nfproto meta l4proto udp meta mark set {{ tun_fw_mark }} counter meta nfproto @proxy_nfproto meta l4proto udp jump router_tun
{% endif %} {% endif %}
} }
chain mangle_prerouting_router { chain mangle_prerouting_router {
type filter hook prerouting priority mangle - 1; policy accept; type filter hook prerouting priority mangle - 1; policy accept;
{% if (tcp_transparent_proxy_mode == 'tproxy' || udp_transparent_proxy_mode == 'tproxy'): %} {% if (tcp_mode == 'tproxy' || udp_mode == 'tproxy'): %}
meta l4proto { tcp, udp } iifname lo meta mark {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept iifname lo meta l4proto { tcp, udp } meta mark {{ tproxy_fw_mark }} tproxy to :{{ tproxy_port }} counter accept
{% endif %} {% endif %}
{% if (tcp_transparent_proxy_mode == 'tun' || udp_transparent_proxy_mode == 'tun'): %} {% if (tcp_mode == 'tun' || udp_mode == 'tun'): %}
meta l4proto { tcp, udp } iifname {{ tun_device }} counter accept iifname {{ tun_device }} meta l4proto { icmp, tcp, udp } counter accept
{% endif %} {% endif %}
} }
{% endif %} {% endif %}
@ -414,8 +444,8 @@ table inet nikki {
{% if (lan_proxy): %} {% if (lan_proxy): %}
chain dstnat { chain dstnat {
type nat hook prerouting priority dstnat + 1; policy accept; type nat hook prerouting priority dstnat + 1; policy accept;
meta nfproto @dns_hijack_nfproto jump lan_dns_hijack iifname @lan_inbound_device meta nfproto @dns_hijack_nfproto jump lan_dns_hijack
{% if (tcp_transparent_proxy_mode == 'redirect'): %} {% if (tcp_mode == 'redirect'): %}
fib daddr type { local, multicast, broadcast, anycast } counter return fib daddr type { local, multicast, broadcast, anycast } counter return
ct direction reply counter return ct direction reply counter return
ip daddr @reserved_ip counter return ip daddr @reserved_ip counter return
@ -426,7 +456,7 @@ table inet nikki {
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @proxy_nfproto jump lan_redirect iifname @lan_inbound_device meta nfproto @proxy_nfproto jump lan_redirect
{% endif %} {% endif %}
{% if (fake_ip_ping_hijack): %} {% if (fake_ip_ping_hijack): %}
ip protocol icmp icmp type echo-request ip daddr {{ fake_ip_range }} counter redirect ip protocol icmp icmp type echo-request ip daddr {{ fake_ip_range }} counter redirect
@ -446,15 +476,15 @@ table inet nikki {
meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return meta l4proto { tcp, udp } ip dscp @bypass_dscp ip daddr != {{ fake_ip_range }} counter return
meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return
{% if (tcp_transparent_proxy_mode == 'tproxy'): %} {% if (tcp_mode == 'tproxy'): %}
meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tproxy iifname @lan_inbound_device meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tproxy
{% elif (tcp_transparent_proxy_mode == 'tun'): %} {% elif (tcp_mode == 'tun'): %}
meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tun iifname @lan_inbound_device meta nfproto @proxy_nfproto meta l4proto tcp jump lan_tun
{% endif %} {% endif %}
{% if (udp_transparent_proxy_mode == 'tproxy'): %} {% if (udp_mode == 'tproxy'): %}
meta nfproto @proxy_nfproto meta l4proto udp jump lan_tproxy iifname @lan_inbound_device meta nfproto @proxy_nfproto meta l4proto udp jump lan_tproxy
{% elif (udp_transparent_proxy_mode == 'tun'): %} {% elif (udp_mode == 'tun'): %}
meta nfproto @proxy_nfproto meta l4proto udp jump lan_tun iifname @lan_inbound_device meta nfproto @proxy_nfproto meta l4proto udp jump lan_tun
{% endif %} {% endif %}
} }
{% endif %} {% endif %}


@ -47,7 +47,7 @@ if (uci_bool(uci.get('nikki', 'mixin', 'authentication'))) {
} }
config['tun'] = {}; config['tun'] = {};
if (uci.get('nikki', 'proxy', 'tcp_transparent_proxy_mode') == 'tun' || uci.get('nikki', 'proxy', 'udp_transparent_proxy_mode') == 'tun') { if (uci.get('nikki', 'proxy', 'tcp_mode') == 'tun' || uci.get('nikki', 'proxy', 'udp_mode') == 'tun') {
config['tun']['enable'] = true; config['tun']['enable'] = true;
config['tun']['auto-route'] = false; config['tun']['auto-route'] = false;
config['tun']['auto-redirect'] = false; config['tun']['auto-redirect'] = false;