parent
646c691392
commit
92f3696ec8
@ -1,7 +1,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=mihomo
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
|
||||
@ -53,6 +53,7 @@ define Package/mihomo/install
|
||||
$(INSTALL_DIR) $(1)/etc/mihomo/scripts
|
||||
$(INSTALL_DIR) $(1)/etc/mihomo/nftables
|
||||
$(INSTALL_DIR) $(1)/etc/mihomo/profiles
|
||||
$(INSTALL_DIR) $(1)/etc/mihomo/subscriptions
|
||||
$(INSTALL_DIR) $(1)/etc/mihomo/run
|
||||
$(INSTALL_DIR) $(1)/etc/mihomo/run/ui
|
||||
|
||||
|
@ -7,6 +7,8 @@ USE_PROCD=1
|
||||
. "$IPKG_INSTROOT/lib/functions/network.sh"
|
||||
. "$IPKG_INSTROOT/etc/mihomo/scripts/constants.sh"
|
||||
|
||||
extra_command 'update_subscription' 'Update subscription by section id'
|
||||
|
||||
boot() {
|
||||
# prepare log
|
||||
prepare_log
|
||||
@ -141,21 +143,38 @@ start_service() {
|
||||
# get profile
|
||||
if [[ "$profile" == "file:"* ]]; then
|
||||
local profile_name; profile_name=$(basename "${profile/file:/}")
|
||||
cp -f "$PROFILES_DIR/$profile_name" "$RUN_PROFILE_PATH"
|
||||
log "Use Profile: $profile_name"
|
||||
elif [[ "$profile" == "subscription:"* ]]; then
|
||||
local subscription_section; subscription_section="${profile/subscription:/}"
|
||||
local subscription_name subscription_url subscription_user_agent
|
||||
config_get subscription_name "$subscription_section" "name"
|
||||
config_get subscription_url "$subscription_section" "url"
|
||||
config_get subscription_user_agent "$subscription_section" "user_agent"
|
||||
curl -s --connect-timeout 15 --retry 3 -o "$RUN_PROFILE_PATH" -L -H "User-Agent: $subscription_user_agent" "$subscription_url"
|
||||
if [ "$?" != 0 ]; then
|
||||
log "Subscription download failed."
|
||||
local profile_file; profile_file="$PROFILES_DIR/$profile_name"
|
||||
log "Use Profile: $profile_name."
|
||||
if [ ! -f "$profile_file" ]; then
|
||||
log "File not found."
|
||||
log "Exiting..."
|
||||
return
|
||||
fi
|
||||
log "Use Subscription: $subscription_name"
|
||||
cp -f "$profile_file" "$RUN_PROFILE_PATH"
|
||||
elif [[ "$profile" == "subscription:"* ]]; then
|
||||
local subscription_section; subscription_section="${profile/subscription:/}"
|
||||
local subscription_name subscription_url subscription_user_agent subscription_prefer
|
||||
config_get subscription_name "$subscription_section" "name"
|
||||
config_get subscription_url "$subscription_section" "url"
|
||||
config_get subscription_user_agent "$subscription_section" "user_agent"
|
||||
config_get subscription_prefer "$subscription_section" "prefer" "remote"
|
||||
log "Use Subscription: $subscription_name."
|
||||
local subscription_tmpfile; subscription_tmpfile="/tmp/$subscription_section.yaml"
|
||||
local subscription_file; subscription_file="$SUBSCRIPTIONS_DIR/$subscription_section.yaml"
|
||||
if [ "$subscription_prefer" == "remote" ] || [[ "$subscription_prefer" == "local" && ! -f "$subscription_file" ]]; then
|
||||
if (curl -s -f --connect-timeout 15 --retry 3 -o "$subscription_tmpfile" -L -H "User-Agent: $subscription_user_agent" "$subscription_url"); then
|
||||
log "Subscription download succeed."
|
||||
cp -f "$subscription_tmpfile" "$subscription_file"
|
||||
else
|
||||
log "Subscription download failed, fallback to subscription file."
|
||||
fi
|
||||
fi
|
||||
if [ ! -f "$subscription_file" ]; then
|
||||
log "Subscription file not found."
|
||||
log "Exiting..."
|
||||
return
|
||||
fi
|
||||
cp -f "$subscription_file" "$RUN_PROFILE_PATH"
|
||||
else
|
||||
log "No profile/subscription selected."
|
||||
log "Exiting..."
|
||||
@ -320,10 +339,6 @@ start_service() {
|
||||
nft -f "$HIJACK_NFT" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$TUN_DEVICE" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
|
||||
nft -f "$RESERVED_IP_NFT"
|
||||
nft -f "$RESERVED_IP6_NFT"
|
||||
if [ "$tcp_transparent_proxy_mode" != "redirect" ]; then
|
||||
nft flush chain inet "$FW_TABLE" nat_output
|
||||
nft flush chain inet "$FW_TABLE" dstnat
|
||||
fi
|
||||
nft add element inet "$FW_TABLE" bypass_group \{ "$MIHOMO_GROUP" \}
|
||||
nft add element inet "$FW_TABLE" fake_ip \{ "$fake_ip_range" \}
|
||||
# dns hijack
|
||||
@ -367,10 +382,12 @@ start_service() {
|
||||
# router proxy
|
||||
if [ "$router_proxy" == 1 ]; then
|
||||
log "Transparent Proxy: Router Proxy is enabled, set proxy for router."
|
||||
nft insert rule inet "$FW_TABLE" nat_output jump router_dns_hijack
|
||||
if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
|
||||
nft add rule inet "$FW_TABLE" nat_output meta l4proto tcp jump router_redirect
|
||||
nft insert rule inet "$FW_TABLE" nat_output jump router_dns_hijack
|
||||
nft add rule inet "$FW_TABLE" nat_output meta l4proto tcp jump router_${tcp_transparent_proxy_mode}
|
||||
else
|
||||
nft flush chain inet "$FW_TABLE" nat_output
|
||||
nft add rule inet "$FW_TABLE" nat_output jump router_dns_hijack
|
||||
nft add rule inet "$FW_TABLE" mangle_output meta l4proto tcp jump router_reroute
|
||||
fi
|
||||
nft add rule inet "$FW_TABLE" mangle_output meta l4proto udp jump router_reroute
|
||||
@ -389,10 +406,12 @@ start_service() {
|
||||
config_list_foreach "proxy" "acl_ip" add_acl_ip
|
||||
config_list_foreach "proxy" "acl_ip6" add_acl_ip6
|
||||
config_list_foreach "proxy" "acl_mac" add_acl_mac
|
||||
nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
|
||||
if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
|
||||
nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_redirect"
|
||||
nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
|
||||
nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
|
||||
else
|
||||
nft flush chain inet "$FW_TABLE" dstnat
|
||||
nft add rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
|
||||
nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
|
||||
fi
|
||||
nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto udp jump "${access_control_mode}_${udp_transparent_proxy_mode}"
|
||||
@ -476,7 +495,7 @@ cleanup() {
|
||||
sysctl -q -w net.bridge.bridge-nf-call-ip6tables=1
|
||||
fi
|
||||
# delete cron
|
||||
sed -i '/#mihomo/d' "/etc/crontabs/root" > /dev/null 2>&1
|
||||
sed -i "/#mihomo/d" "/etc/crontabs/root" > /dev/null 2>&1
|
||||
/etc/init.d/cron restart
|
||||
}
|
||||
|
||||
@ -497,7 +516,7 @@ prepare_log() {
|
||||
}
|
||||
|
||||
log() {
|
||||
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$APP_LOG_PATH"
|
||||
echo "[$(date "+%Y-%m-%d %H:%M:%S")] $1" >> "$APP_LOG_PATH"
|
||||
}
|
||||
|
||||
mixin_authentications() {
|
||||
@ -584,3 +603,17 @@ add_acl_ip6() {
|
||||
add_acl_mac() {
|
||||
nft add element inet "$FW_TABLE" acl_mac \{ "$1" \}
|
||||
}
|
||||
|
||||
update_subscription() {
|
||||
local subscription_section; subscription_section="$1"
|
||||
if [ -n "$subscription_section" ]; then
|
||||
config_load mihomo
|
||||
local profile subscription_name subscription_url subscription_user_agent
|
||||
config_get profile "config" "profile"
|
||||
config_get subscription_name "$subscription_section" "name"
|
||||
config_get subscription_url "$subscription_section" "url"
|
||||
config_get subscription_user_agent "$subscription_section" "user_agent"
|
||||
local subscription_file; subscription_file="$SUBSCRIPTIONS_DIR/$subscription_section.yaml"
|
||||
curl -s -f --connect-timeout 15 --retry 3 -o "$subscription_file" -L -H "User-Agent: $subscription_user_agent" "$subscription_url"
|
||||
fi
|
||||
}
|
||||
|
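Review bot: update_subscription downloads straight into `$subscription_file` with `curl -o`, so an interrupted transfer can replace a good saved copy with a truncated one (and, depending on the curl version, a failed one with an empty file), after which start_service's `[ ! -f "$subscription_file" ]` check passes and mihomo is started on the damaged file; the start_service hunk earlier in this section already downloads to a temporary file and copies only on success, and update_subscription should follow the same pattern. That temporary file, `/tmp/$subscription_section.yaml`, is a fixed and predictable name in a shared directory and is never removed after the `cp -f`, so creating it with mktemp under `$RUN_DIR` and deleting it afterwards would address both points in one go (busybox mktemp supports the XXXXXX template, but that is assumed rather than shown here). For update_subscription the rewrite is `local subscription_tmpfile; subscription_tmpfile=$(mktemp "$RUN_DIR/subscription.XXXXXX")`, then `curl -s -f --connect-timeout 15 --retry 3 -o "$subscription_tmpfile" -L -H "User-Agent: $subscription_user_agent" "$subscription_url" && cp -f "$subscription_tmpfile" "$subscription_file"`, then `rm -f "$subscription_tmpfile"`. The log text `Subscription download succeed.` in the start_service hunk should also read `succeeded`.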
@ -1,4 +1,5 @@
|
||||
/etc/mihomo/profiles/
|
||||
/etc/mihomo/subscriptions/
|
||||
/etc/mihomo/mixin.yaml
|
||||
/etc/mihomo/nftables/reserved_ip.nft
|
||||
/etc/mihomo/nftables/reserved_ip6.nft
|
||||
|
@ -75,24 +75,24 @@ table inet mihomo {
|
||||
|
||||
chain router_dns_hijack {
|
||||
meta skgid @bypass_group counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 oifname lo counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 counter redirect to :$DNS_PORT
|
||||
}
|
||||
|
||||
chain all_dns_hijack {
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 counter redirect to :$DNS_PORT
|
||||
}
|
||||
|
||||
chain allow_dns_hijack {
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip saddr @acl_ip counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip6 saddr @acl_ip6 counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ether saddr @acl_mac counter redirect to :$DNS_PORT
|
||||
}
|
||||
|
||||
chain block_dns_hijack {
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip saddr @acl_ip counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ip6 saddr @acl_ip6 counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 ether saddr @acl_mac counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip saddr @acl_ip counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip6 saddr @acl_ip6 counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ether saddr @acl_mac counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 counter redirect to :$DNS_PORT
|
||||
}
|
||||
|
||||
chain all_redirect {
|
||||
@ -182,7 +182,7 @@ table inet mihomo {
|
||||
chain mangle_prerouting {
|
||||
type filter hook prerouting priority mangle; policy accept;
|
||||
meta l4proto { tcp, udp } iifname lo meta mark & $FW_MARK_MASK == $FW_MARK tproxy to :$TPROXY_PORT counter accept
|
||||
meta l4proto { tcp, udp } iifname $TUN_DEVICE counter return
|
||||
meta l4proto { tcp, udp } iifname $TUN_DEVICE counter accept
|
||||
fib daddr type local counter return
|
||||
ct direction reply counter return
|
||||
ip daddr @reserved_ip counter return
|
||||
|
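Review bot: Reading each pair of dns hijack rules as old then new, the four chains router_dns_hijack, all_dns_hijack, allow_dns_hijack and block_dns_hijack now match only `meta l4proto udp th dport 53` where they previously matched `{ tcp, udp }`, so TCP DNS (used by resolvers that retry truncated UDP answers) is no longer redirected to `$DNS_PORT`, and nothing in the file records why. If this is intentional, a comment such as `# only UDP/53 is hijacked here; TCP/53 falls through to the redirect/tproxy chains` above router_dns_hijack would stop the next reader from treating it as an omission; if it is not, the `{ tcp, udp }` set should be restored. The enclosing `table inet mihomo` block starts and ends outside the hunk.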
@ -18,6 +18,7 @@ TUN_DEVICE="mihomo"
|
||||
PROG="/usr/bin/mihomo"
|
||||
HOME_DIR="/etc/mihomo"
|
||||
PROFILES_DIR="$HOME_DIR/profiles"
|
||||
SUBSCRIPTIONS_DIR="$HOME_DIR/subscriptions"
|
||||
MIXIN_FILE_PATH="$HOME_DIR/mixin.yaml"
|
||||
RUN_DIR="$HOME_DIR/run"
|
||||
RUN_PROFILE_PATH="$RUN_DIR/config.yaml"
|
||||
|