gitea-action
parent
98924da3b7
commit
ca4eb9606b
@ -1,7 +1,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=mihomo
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
|
||||
|
||||
@ -24,9 +24,24 @@ config proxy 'proxy'
|
||||
option 'acl_ip' ''
|
||||
option 'acl_ip6' ''
|
||||
option 'acl_mac' ''
|
||||
option 'acl_interface' ''
|
||||
list 'bypass_user' 'aria2'
|
||||
list 'bypass_user' 'dnsmasq'
|
||||
list 'bypass_user' 'ftp'
|
||||
list 'bypass_user' 'logd'
|
||||
list 'bypass_user' 'nobody'
|
||||
list 'bypass_user' 'ntp'
|
||||
list 'bypass_user' 'ubus'
|
||||
list 'bypass_group' 'aria2'
|
||||
list 'bypass_group' 'dnsmasq'
|
||||
list 'bypass_group' 'ftp'
|
||||
list 'bypass_group' 'logd'
|
||||
list 'bypass_group' 'nogroup'
|
||||
list 'bypass_group' 'ntp'
|
||||
list 'bypass_group' 'ubus'
|
||||
option 'bypass_china_mainland_ip' '0'
|
||||
option 'acl_tcp_dport' '0-65535'
|
||||
option 'acl_udp_dport' '0-65535'
|
||||
option 'proxy_tcp_dport' '0-65535'
|
||||
option 'proxy_udp_dport' '0-65535'
|
||||
|
||||
config subscription 'subscription'
|
||||
option 'name' 'default'
|
||||
|
||||
@ -64,11 +64,11 @@ start_service() {
|
||||
config_get_bool router_proxy "proxy" "router_proxy" 0
|
||||
config_get_bool lan_proxy "proxy" "lan_proxy" 0
|
||||
### access control
|
||||
local access_control_mode bypass_china_mainland_ip acl_tcp_dport acl_udp_dport
|
||||
local access_control_mode bypass_china_mainland_ip proxy_tcp_dport proxy_udp_dport
|
||||
config_get access_control_mode "proxy" "access_control_mode"
|
||||
config_get_bool bypass_china_mainland_ip "proxy" "bypass_china_mainland_ip" 0
|
||||
config_get acl_tcp_dport "proxy" "acl_tcp_dport" "0-65535"
|
||||
config_get acl_udp_dport "proxy" "acl_udp_dport" "0-65535"
|
||||
config_get proxy_tcp_dport "proxy" "proxy_tcp_dport" "0-65535"
|
||||
config_get proxy_udp_dport "proxy" "proxy_udp_dport" "0-65535"
|
||||
## mixin config
|
||||
### general
|
||||
local mode match_process outbound_interface ipv6 tcp_keep_alive_idle tcp_keep_alive_interval log_level
|
||||
@ -336,11 +336,9 @@ start_service() {
|
||||
ip -6 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
|
||||
fi
|
||||
fi
|
||||
nft -f "$HIJACK_NFT" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$TUN_DEVICE" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
|
||||
nft -f "$HIJACK_NFT" -D MIHOMO_GROUP="$MIHOMO_GROUP" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$TUN_DEVICE" -D FAKE_IP="$fake_ip_range" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
|
||||
nft -f "$RESERVED_IP_NFT"
|
||||
nft -f "$RESERVED_IP6_NFT"
|
||||
nft add element inet "$FW_TABLE" bypass_group \{ "$MIHOMO_GROUP" \}
|
||||
nft add element inet "$FW_TABLE" fake_ip \{ "$fake_ip_range" \}
|
||||
# dns hijack
|
||||
if [ "$ipv4_dns_hijack" == 1 ]; then
|
||||
log "Transparent Proxy: IPv4 DNS Hijack is enabled, IPv4 dns request will redirect to the core."
|
||||
@ -359,7 +357,9 @@ start_service() {
|
||||
log "Transparent Proxy: IPv6 Proxy is enabled, set proxy for IPv6 traffic."
|
||||
nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv6 \}
|
||||
fi
|
||||
# bypass china mainland ip
|
||||
# bypass
|
||||
config_list_foreach "proxy" "bypass_user" add_bypass_user
|
||||
config_list_foreach "proxy" "bypass_group" add_bypass_group
|
||||
if [ "$bypass_china_mainland_ip" == 1 ]; then
|
||||
log "Transparent Proxy: Bypass china mainland ip is enabled."
|
||||
if [ "$ipv4_proxy" == 1 ]; then
|
||||
@ -369,15 +369,14 @@ start_service() {
|
||||
nft -f "$GEOIP6_CN_NFT"
|
||||
fi
|
||||
fi
|
||||
# destination port to proxy
|
||||
log "Transparent Proxy: Destination TCP Port to Proxy: $acl_tcp_dport."
|
||||
log "Transparent Proxy: Destination UDP Port to Proxy: $acl_udp_dport."
|
||||
local acl_dport
|
||||
for acl_dport in $acl_tcp_dport; do
|
||||
nft add element inet "$FW_TABLE" acl_dport \{ "tcp" . "$acl_dport" \}
|
||||
log "Transparent Proxy: Destination TCP Port to Proxy: $proxy_tcp_dport."
|
||||
log "Transparent Proxy: Destination UDP Port to Proxy: $proxy_udp_dport."
|
||||
local proxy_dport
|
||||
for proxy_dport in $proxy_tcp_dport; do
|
||||
nft add element inet "$FW_TABLE" proxy_dport \{ "tcp" . "$proxy_dport" \}
|
||||
done
|
||||
for acl_dport in $acl_udp_dport; do
|
||||
nft add element inet "$FW_TABLE" acl_dport \{ "udp" . "$acl_dport" \}
|
||||
for proxy_dport in $proxy_udp_dport; do
|
||||
nft add element inet "$FW_TABLE" proxy_dport \{ "udp" . "$proxy_dport" \}
|
||||
done
|
||||
# router proxy
|
||||
if [ "$router_proxy" == 1 ]; then
|
||||
@ -406,6 +405,7 @@ start_service() {
|
||||
config_list_foreach "proxy" "acl_ip" add_acl_ip
|
||||
config_list_foreach "proxy" "acl_ip6" add_acl_ip6
|
||||
config_list_foreach "proxy" "acl_mac" add_acl_mac
|
||||
config_list_foreach "proxy" "acl_interface" add_acl_interface
|
||||
if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
|
||||
nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
|
||||
nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
|
||||
@ -592,6 +592,20 @@ mixin_nameserver_policy() {
|
||||
nameserver="$1" matcher="$2" yq -M -i '.dns.nameserver-policy.[env(matcher)] += [env(nameserver)]' "$RUN_PROFILE_PATH"
|
||||
}
|
||||
|
||||
add_bypass_user() {
|
||||
local user; user="$1"
|
||||
if [ "$user" != "root" ] && (cut -d ':' -f 1 < /etc/passwd | grep -q "$user"); then
|
||||
nft add element inet "$FW_TABLE" bypass_user \{ "$user" \}
|
||||
fi
|
||||
}
|
||||
|
||||
add_bypass_group() {
|
||||
local group; group="$1"
|
||||
if [ "$group" != "root" ] && (cut -d ':' -f 1 < /etc/group | grep -q "$group"); then
|
||||
nft add element inet "$FW_TABLE" bypass_group \{ "$group" \}
|
||||
fi
|
||||
}
|
||||
|
||||
add_acl_ip() {
|
||||
nft add element inet "$FW_TABLE" acl_ip \{ "$1" \}
|
||||
}
|
||||
@ -604,6 +618,14 @@ add_acl_mac() {
|
||||
nft add element inet "$FW_TABLE" acl_mac \{ "$1" \}
|
||||
}
|
||||
|
||||
add_acl_interface() {
|
||||
local interface; interface="$1"
|
||||
local device; network_get_device device "$interface"
|
||||
if [ -n "$device" ]; then
|
||||
nft add element inet "$FW_TABLE" acl_interface \{ "$device" \}
|
||||
fi
|
||||
}
|
||||
|
||||
update_subscription() {
|
||||
local subscription_section; subscription_section="$1"
|
||||
if [ -n "$subscription_section" ]; then
|
||||
|
||||
@ -1,14 +1,18 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
table inet mihomo {
|
||||
set bypass_user {
|
||||
type uid
|
||||
flags interval
|
||||
auto-merge
|
||||
}
|
||||
|
||||
set bypass_group {
|
||||
type gid
|
||||
flags interval
|
||||
auto-merge
|
||||
elements = {
|
||||
ntp,
|
||||
dnsmasq,
|
||||
logd
|
||||
$MIHOMO_GROUP
|
||||
}
|
||||
}
|
||||
|
||||
@ -44,12 +48,7 @@ table inet mihomo {
|
||||
auto-merge
|
||||
}
|
||||
|
||||
set fake_ip {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
}
|
||||
|
||||
set acl_dport {
|
||||
set proxy_dport {
|
||||
type inet_proto . inet_service
|
||||
flags interval
|
||||
auto-merge
|
||||
@ -73,7 +72,14 @@ table inet mihomo {
|
||||
auto-merge
|
||||
}
|
||||
|
||||
set acl_interface {
|
||||
type ifname
|
||||
flags interval
|
||||
auto-merge
|
||||
}
|
||||
|
||||
chain router_dns_hijack {
|
||||
meta skuid @bypass_user counter return
|
||||
meta skgid @bypass_group counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 counter redirect to :$DNS_PORT
|
||||
}
|
||||
@ -86,12 +92,14 @@ table inet mihomo {
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip saddr @acl_ip counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip6 saddr @acl_ip6 counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ether saddr @acl_mac counter redirect to :$DNS_PORT
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 iifname @acl_interface counter redirect to :$DNS_PORT
|
||||
}
|
||||
|
||||
chain block_dns_hijack {
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip saddr @acl_ip counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ip6 saddr @acl_ip6 counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 ether saddr @acl_mac counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 iifname @acl_interface counter return
|
||||
meta nfproto @dns_hijack_nfproto meta l4proto udp th dport 53 counter redirect to :$DNS_PORT
|
||||
}
|
||||
|
||||
@ -103,12 +111,14 @@ table inet mihomo {
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip counter redirect to :$REDIR_PORT
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter redirect to :$REDIR_PORT
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac counter redirect to :$REDIR_PORT
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname @acl_interface counter redirect to :$REDIR_PORT
|
||||
}
|
||||
|
||||
chain block_redirect {
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname @acl_interface counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } counter redirect to :$REDIR_PORT
|
||||
}
|
||||
|
||||
@ -120,12 +130,14 @@ table inet mihomo {
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set mark ^ $FW_MARK tproxy ip to :$TPROXY_PORT counter accept
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set mark ^ $FW_MARK tproxy ip6 to :$TPROXY_PORT counter accept
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set mark ^ $FW_MARK tproxy to :$TPROXY_PORT counter accept
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname @acl_interface meta mark set mark ^ $FW_MARK tproxy to :$TPROXY_PORT counter accept
|
||||
}
|
||||
|
||||
chain block_tproxy {
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname @acl_interface counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set mark ^ $FW_MARK tproxy to :$TPROXY_PORT counter accept
|
||||
}
|
||||
|
||||
@ -137,12 +149,14 @@ table inet mihomo {
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip meta mark set mark ^ $FW_MARK counter
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 meta mark set mark ^ $FW_MARK counter
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac meta mark set mark ^ $FW_MARK counter
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname @acl_interface meta mark set mark ^ $FW_MARK counter
|
||||
}
|
||||
|
||||
chain block_tun {
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip saddr @acl_ip counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ip6 saddr @acl_ip6 counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } ether saddr @acl_mac counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } iifname @acl_interface counter return
|
||||
meta nfproto @proxy_nfproto meta l4proto { tcp, udp } meta mark set mark ^ $FW_MARK counter
|
||||
}
|
||||
|
||||
@ -162,12 +176,13 @@ table inet mihomo {
|
||||
ip6 daddr @reserved_ip6 counter return
|
||||
ip daddr @china_ip counter return
|
||||
ip6 daddr @china_ip6 counter return
|
||||
meta l4proto . th dport != @acl_dport ip daddr != @fake_ip counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @acl_dport counter return
|
||||
meta nfproto ipv4 meta l4proto . th dport != @proxy_dport ip daddr != $FAKE_IP counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
|
||||
}
|
||||
|
||||
chain nat_output {
|
||||
type nat hook output priority filter; policy accept;
|
||||
meta skuid @bypass_user counter return
|
||||
meta skgid @bypass_group counter return
|
||||
fib daddr type local counter return
|
||||
ct direction reply counter return
|
||||
@ -175,8 +190,8 @@ table inet mihomo {
|
||||
ip6 daddr @reserved_ip6 counter return
|
||||
ip daddr @china_ip counter return
|
||||
ip6 daddr @china_ip6 counter return
|
||||
meta l4proto . th dport != @acl_dport ip daddr != @fake_ip counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @acl_dport counter return
|
||||
meta nfproto ipv4 meta l4proto . th dport != @proxy_dport ip daddr != $FAKE_IP counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
|
||||
}
|
||||
|
||||
chain mangle_prerouting {
|
||||
@ -189,13 +204,14 @@ table inet mihomo {
|
||||
ip6 daddr @reserved_ip6 counter return
|
||||
ip daddr @china_ip counter return
|
||||
ip6 daddr @china_ip6 counter return
|
||||
meta l4proto . th dport != @acl_dport ip daddr != @fake_ip counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @acl_dport counter return
|
||||
meta nfproto ipv4 meta l4proto . th dport != @proxy_dport ip daddr != $FAKE_IP counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
|
||||
meta l4proto udp th dport 53 counter return
|
||||
}
|
||||
|
||||
chain mangle_output {
|
||||
type route hook output priority mangle; policy accept;
|
||||
meta skuid @bypass_user counter return
|
||||
meta skgid @bypass_group counter return
|
||||
fib daddr type local counter return
|
||||
ct direction reply counter return
|
||||
@ -203,8 +219,8 @@ table inet mihomo {
|
||||
ip6 daddr @reserved_ip6 counter return
|
||||
ip daddr @china_ip counter return
|
||||
ip6 daddr @china_ip6 counter return
|
||||
meta l4proto . th dport != @acl_dport ip daddr != @fake_ip counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @acl_dport counter return
|
||||
meta nfproto ipv4 meta l4proto . th dport != @proxy_dport ip daddr != $FAKE_IP counter return
|
||||
meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
|
||||
meta l4proto udp th dport 53 counter return
|
||||
}
|
||||
}
|
||||
|
||||
@ -14,6 +14,32 @@ mixin_file_content=$(uci -q get mihomo.mixin.mixin_file_content); [ -z "$mixin_f
|
||||
|
||||
start_delay=$(uci -q get mihomo.config.start_delay); [ -z "$start_delay" ] && uci set mihomo.config.start_delay=0
|
||||
|
||||
# since v1.11.0
|
||||
|
||||
acl_tcp_dport=$(uci -q get mihomo.proxy.acl_tcp_dport); [ -n "$acl_tcp_dport" ] && uci rename mihomo.proxy.acl_tcp_dport=proxy_tcp_dport
|
||||
|
||||
acl_udp_dport=$(uci -q get mihomo.proxy.acl_udp_dport); [ -n "$acl_udp_dport" ] && uci rename mihomo.proxy.acl_udp_dport=proxy_udp_dport
|
||||
|
||||
bypass_user=$(uci -q get mihomo.proxy.bypass_user); [ -z "$bypass_user" ] && {
|
||||
uci add_list mihomo.proxy.bypass_user="aria2"
|
||||
uci add_list mihomo.proxy.bypass_user="dnsmasq"
|
||||
uci add_list mihomo.proxy.bypass_user="ftp"
|
||||
uci add_list mihomo.proxy.bypass_user="logd"
|
||||
uci add_list mihomo.proxy.bypass_user="nobody"
|
||||
uci add_list mihomo.proxy.bypass_user="ntp"
|
||||
uci add_list mihomo.proxy.bypass_user="ubus"
|
||||
}
|
||||
|
||||
bypass_group=$(uci -q get mihomo.proxy.bypass_group); [ -z "$bypass_group" ] && {
|
||||
uci add_list mihomo.proxy.bypass_group="aria2"
|
||||
uci add_list mihomo.proxy.bypass_group="dnsmasq"
|
||||
uci add_list mihomo.proxy.bypass_group="ftp"
|
||||
uci add_list mihomo.proxy.bypass_group="logd"
|
||||
uci add_list mihomo.proxy.bypass_group="nogroup"
|
||||
uci add_list mihomo.proxy.bypass_group="ntp"
|
||||
uci add_list mihomo.proxy.bypass_group="ubus"
|
||||
}
|
||||
|
||||
# commit
|
||||
uci commit mihomo
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user