diff --git a/mihomo/Makefile b/mihomo/Makefile
index 61c0ccf30..0764dd6ca 100644
--- a/mihomo/Makefile
+++ b/mihomo/Makefile
@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=mihomo
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
-PKG_SOURCE_DATE:=2024-12-19
-PKG_SOURCE_VERSION:=89dfabe9b36b22df896dcd1ab03c67c667ec20f3
-PKG_MIRROR_HASH:=5d2e9fe03dffa573af6bc300e39e21d95e7cde964f54d531e040e104780abd08
+PKG_SOURCE_DATE:=2024-12-28
+PKG_SOURCE_VERSION:=a9ce5da09d38f6057bd248cd146cbd8c05dc9fd6
+PKG_MIRROR_HASH:=b893642d6bb24d64d6c36c722d44f821340027c5aa0a56e2f62d3c70bf2ea059
 PKG_LICENSE:=MIT
 PKG_MAINTAINER:=Joseph Mory
@@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_FLAGS:=no-mips16
-PKG_BUILD_VERSION:=alpha-89dfabe
+PKG_BUILD_VERSION:=alpha-a9ce5da
 PKG_BUILD_TIME:=$(shell date -u -Iseconds)
 GO_PKG:=github.com/metacubex/mihomo
diff --git a/mihomo/files/mihomo.conf b/mihomo/files/mihomo.conf
index 570955b49..1b6011e8a 100644
--- a/mihomo/files/mihomo.conf
+++ b/mihomo/files/mihomo.conf
@@ -68,6 +68,7 @@ config mixin 'mixin'
 option 'redir_port' '7891'
 option 'tproxy_port' '7892'
 option 'authentication' '1'
+ option 'tun_device' 'mihomo'
 option 'tun_stack' 'system'
 option 'tun_mtu' '9000'
 option 'tun_gso' '1'
diff --git a/mihomo/files/mihomo.init b/mihomo/files/mihomo.init
index ba113d7a0..a088bbd13 100644
--- a/mihomo/files/mihomo.init
+++ b/mihomo/files/mihomo.init
@@ -10,8 +10,8 @@ USE_PROCD=1
 extra_command 'update_subscription' 'Update subscription by section id'
 boot() {
- # prepare log
- prepare_log
+ # prepare files
+ prepare_files
 # load config
 config_load mihomo
 # start delay
@@ -27,8 +27,8 @@ boot() {
 }
 start_service() {
- # prepare log
- prepare_log
+ # prepare files
+ prepare_files
 # load config
 config_load mihomo
 # check if enabled
@@ -53,22 +53,10 @@ start_service() {
 config_get_bool fast_reload "config" "fast_reload" 0
 ## proxy config
 ### transparent proxy
- local transparent_proxy tcp_transparent_proxy_mode udp_transparent_proxy_mode ipv4_dns_hijack ipv6_dns_hijack ipv4_proxy ipv6_proxy router_proxy lan_proxy
+ local tcp_transparent_proxy_mode udp_transparent_proxy_mode
 config_get_bool transparent_proxy "proxy" "transparent_proxy" 0
 config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode" "tproxy"
 config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" "tproxy"
- config_get_bool ipv4_dns_hijack "proxy" "ipv4_dns_hijack" 0
- config_get_bool ipv6_dns_hijack "proxy" "ipv6_dns_hijack" 0
- config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0
- config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0
- config_get_bool router_proxy "proxy" "router_proxy" 0
- config_get_bool lan_proxy "proxy" "lan_proxy" 0
- ### access control
- local access_control_mode bypass_china_mainland_ip proxy_tcp_dport proxy_udp_dport
- config_get access_control_mode "proxy" "access_control_mode"
- config_get_bool bypass_china_mainland_ip "proxy" "bypass_china_mainland_ip" 0
- config_get proxy_tcp_dport "proxy" "proxy_tcp_dport" "0-65535"
- config_get proxy_udp_dport "proxy" "proxy_udp_dport" "0-65535"
 ## mixin config
 ### general
 local mode match_process outbound_interface ipv6 tcp_keep_alive_idle tcp_keep_alive_interval log_level
@@ -96,7 +84,8 @@ start_service() {
 config_get tproxy_port "mixin" "tproxy_port" "7892"
 config_get_bool authentication "mixin" "authentication" 0
 ### tun
- local tun_stack tun_mtu tun_gso tun_gso_max_size tun_endpoint_independent_nat
+ local tun_device tun_stack tun_mtu tun_gso tun_gso_max_size tun_endpoint_independent_nat
+ config_get tun_device "mixin" "tun_device" "mihomo"
 config_get tun_stack "mixin" "tun_stack" "system"
 config_get tun_mtu "mixin" "tun_mtu" "9000"
 config_get_bool tun_gso "mixin" "tun_gso" 0
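Review bot: `transparent_proxy` is dropped from the `local` list on the new side of the first hunk, but `config_get_bool transparent_proxy "proxy" "transparent_proxy" 0` two lines below still assigns it, so it now escapes start_service() as a global. If start_service() still reads it further down (the function continues outside the hunk), keep it scoped with `local transparent_proxy tcp_transparent_proxy_mode udp_transparent_proxy_mode`; if nothing reads it any more, drop the config_get_bool line together with the other reads this hunk removes.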
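Review bot: The new `tun_device` read in the second hunk takes the UCI value as-is, and the value is later used as an interface name: in the mixin yaml, as the `dev` argument of ip commands, and as `-D TUN_DEVICE=` for the nft script where hijack.nft matches it unquoted in `iifname $TUN_DEVICE` (see the service_started() hunk). A value that is empty, longer than the kernel's 15-character limit, or containing whitespace or nft syntax makes the route add or the `nft -f` load fail, after which, as far as I can see, no traffic is hijacked and clients reach the network directly while the service reports itself as started. I would normalise once, right after the config_get: `case "$tun_device" in ''|*[!A-Za-z0-9_.-]*) tun_device="mihomo" ;; esac` and `[ ${#tun_device} -le 15 ] || tun_device="mihomo"`, and apply the same two lines where service_started() and firewall_include.sh read the option.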
@@ -186,7 +175,7 @@ start_service() {
 log_level="$log_level" ipv6="$ipv6" \
 ui_path="ui" ui_name="$ui_name" ui_url="$ui_url" api_listen="0.0.0.0:$api_port" api_secret="$api_secret" \
 allow_lan="$allow_lan" http_port="$http_port" socks_port="$socks_port" mixed_port="$mixed_port" redir_port="$redir_port" tproxy_port="$tproxy_port" \
- tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$TUN_DEVICE" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
+ tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$tun_device" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
 dns_enable="true" dns_listen="0.0.0.0:$dns_port" dns_mode="$dns_mode" fake_ip_range="$fake_ip_range" \
 yq -M -i ' .log-level = strenv(log_level) | .ipv6 = env(ipv6) == 1 |
@@ -202,7 +191,7 @@ start_service() {
 log_level="$log_level" mode="$mode" match_process="$match_process" tcp_keep_alive_idle="$tcp_keep_alive_idle" tcp_keep_alive_interval="$tcp_keep_alive_interval" ipv6="$ipv6" \
 ui_path="ui" ui_name="$ui_name" ui_url="$ui_url" api_listen="0.0.0.0:$api_port" api_secret="$api_secret" selection_cache="$selection_cache" \
 allow_lan="$allow_lan" http_port="$http_port" socks_port="$socks_port" mixed_port="$mixed_port" redir_port="$redir_port" tproxy_port="$tproxy_port" \
- tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$TUN_DEVICE" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
+ tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$tun_device" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
 dns_enable="true" dns_listen="0.0.0.0:$dns_port" dns_mode="$dns_mode" fake_ip_range="$fake_ip_range" fake_ip_cache="$fake_ip_cache" \
 dns_respect_rules="$dns_respect_rules" dns_doh_prefer_http3="$dns_doh_prefer_http3" dns_ipv6="$dns_ipv6" dns_system_hosts="$dns_system_hosts" dns_hosts="$dns_hosts" \
 geoip_format="$geoip_format" geodata_loader="$geodata_loader" geosite_url="$geosite_url" geoip_mmdb_url="$geoip_mmdb_url" geoip_dat_url="$geoip_dat_url" geoip_asn_url="$geoip_asn_url" \
@@ -285,164 +274,239 @@ start_service() {
 procd_set_param limits nofile="1048576 1048576"
 procd_close_instance
- # transparent proxy
- if [ "$transparent_proxy" == 1 ]; then
- log "Transparent Proxy" "Enabled."
- log "Transparent Proxy" "TCP Mode: $tcp_transparent_proxy_mode."
- log "Transparent Proxy" "UDP Mode: $udp_transparent_proxy_mode."
- # prepare
- if [ "$tproxy_enable" == 1 ]; then
- if [ "$ipv4_proxy" == 1 ]; then
- ip route add local default dev lo table "$TPROXY_ROUTE_TABLE"
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- ip -6 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
- fi
- fi
- if [ "$tun_enable" == 1 ]; then
- ip tuntap add dev "$TUN_DEVICE" mode tun vnet_hdr
- ip link set "$TUN_DEVICE" up
- if [ "$ipv4_proxy" == 1 ]; then
- ip route add unicast default dev "$TUN_DEVICE" table "$TUN_ROUTE_TABLE"
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- ip -6 route add unicast default dev "$TUN_DEVICE" table "$TUN_ROUTE_TABLE"
- fi
- $FIREWALL_INCLUDE_SH
- fi
- local tcp_route_table
- if [ "$tcp_transparent_proxy_mode" == "tproxy" ]; then
- tcp_route_table="$TPROXY_ROUTE_TABLE"
- elif [ "$tcp_transparent_proxy_mode" == "tun" ]; then
- tcp_route_table="$TUN_ROUTE_TABLE"
- fi
- if [ -n "$tcp_route_table" ]; then
- if [ "$ipv4_proxy" == 1 ]; then
- ip rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- ip -6 rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
- fi
- fi
- local udp_route_table
- if [ "$udp_transparent_proxy_mode" == "tproxy" ]; then
- udp_route_table="$TPROXY_ROUTE_TABLE"
- elif [ "$udp_transparent_proxy_mode" == "tun" ]; then
- udp_route_table="$TUN_ROUTE_TABLE"
- fi
- if [ -n "$udp_route_table" ]; then
- if [ "$ipv4_proxy" == 1 ]; then
- ip rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- ip -6 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
- fi
- fi
- nft -f "$HIJACK_NFT" -D MIHOMO_GROUP="$MIHOMO_GROUP" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$TUN_DEVICE" -D FAKE_IP="$fake_ip_range" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
- nft -f "$RESERVED_IP_NFT"
- nft -f "$RESERVED_IP6_NFT"
- # dns hijack
- if [ "$ipv4_dns_hijack" == 1 ]; then
- log "Transparent Proxy" "Hijack IPv4 dns request."
- nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv4 \}
- fi
- if [ "$ipv6_dns_hijack" == 1 ]; then
- log "Transparent Proxy" "Hijack IPv6 dns request."
- nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv6 \}
- fi
- # proxy
- if [ "$ipv4_proxy" == 1 ]; then
- log "Transparent Proxy" "Proxy IPv4 traffic."
- nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv4 \}
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- log "Transparent Proxy" "Proxy IPv6 traffic."
- nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv6 \}
- fi
- # bypass
- config_list_foreach "proxy" "bypass_user" add_bypass_user
- config_list_foreach "proxy" "bypass_group" add_bypass_group
- if [ "$bypass_china_mainland_ip" == 1 ]; then
- log "Transparent Proxy" "Bypass china mainland ip."
- if [ "$ipv4_proxy" == 1 ]; then
- nft -f "$GEOIP_CN_NFT"
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- nft -f "$GEOIP6_CN_NFT"
- fi
- fi
- log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport."
- log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport."
- local proxy_dport
- for proxy_dport in $proxy_tcp_dport; do
- nft add element inet "$FW_TABLE" proxy_dport \{ "tcp" . "$proxy_dport" \}
- done
- for proxy_dport in $proxy_udp_dport; do
- nft add element inet "$FW_TABLE" proxy_dport \{ "udp" . "$proxy_dport" \}
- done
- # router proxy
- if [ "$router_proxy" == 1 ]; then
- log "Transparent Proxy" "Set proxy for router."
- if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
- nft insert rule inet "$FW_TABLE" nat_output jump router_dns_hijack
- nft add rule inet "$FW_TABLE" nat_output meta l4proto tcp jump router_${tcp_transparent_proxy_mode}
- else
- nft flush chain inet "$FW_TABLE" nat_output
- nft add rule inet "$FW_TABLE" nat_output jump router_dns_hijack
- nft add rule inet "$FW_TABLE" mangle_output meta l4proto tcp jump router_reroute
- fi
- nft add rule inet "$FW_TABLE" mangle_output meta l4proto udp jump router_reroute
- fi
- # lan proxy
- if [ "$lan_proxy" == 1 ]; then
- log "Transparent Proxy" "Set proxy for lan."
- # access control
- if [ "$access_control_mode" == "all" ]; then
- log "Transparent Proxy" "Access Control is using all mode, set proxy for all client."
- elif [ "$access_control_mode" == "allow" ]; then
- log "Transparent Proxy" "Access Control is using allow mode, set proxy for client which is in acl."
- elif [ "$access_control_mode" == "block" ]; then
- log "Transparent Proxy" "Access Control is using block mode, set proxy for client which is not in acl."
- fi
- config_list_foreach "proxy" "acl_ip" add_acl_ip
- config_list_foreach "proxy" "acl_ip6" add_acl_ip6
- config_list_foreach "proxy" "acl_mac" add_acl_mac
- config_list_foreach "proxy" "acl_interface" add_acl_interface
- if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
- nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
- nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
- else
- nft flush chain inet "$FW_TABLE" dstnat
- nft add rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
- nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
- fi
- nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto udp jump "${access_control_mode}_${udp_transparent_proxy_mode}"
- fi
- # fix compatible between tproxy and dockerd (kmod-br-netfilter)
- if [ "$tproxy_enable" == 1 ] && (lsmod | grep -q br_netfilter); then
- if [ "$ipv4_proxy" == 1 ]; then
- local bridge_nf_call_iptables; bridge_nf_call_iptables=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
- if [ "$bridge_nf_call_iptables" == 1 ]; then
- touch /tmp/bridge_nf_call_iptables.flag
- sysctl -q -w net.bridge.bridge-nf-call-iptables=0
- fi
- fi
- if [ "$ipv6_proxy" == 1 ]; then
- local bridge_nf_call_ip6tables; bridge_nf_call_ip6tables=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
- if [ "$bridge_nf_call_ip6tables" == 1 ]; then
- touch /tmp/bridge_nf_call_ip6tables.flag
- sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0
- fi
- fi
- fi
- fi
 # cron
 if [[ "$scheduled_restart" == 1 && -n "$cron_expression" ]]; then
 log "App" "Set scheduled restart."
 echo "$cron_expression /etc/init.d/mihomo restart #mihomo" >> "/etc/crontabs/root"
 /etc/init.d/cron restart
 fi
- log "App" "Start Successful."
+ # set started flag
+ touch "$STARTED_FLAG"
+}
+
+service_started() {
+ # check if started
+ if [ ! -f "$STARTED_FLAG" ]; then
+ return
+ fi
+ # load config
+ config_load mihomo
+ # check if transparent proxy enabled
+ local transparent_proxy
+ config_get_bool transparent_proxy "proxy" "transparent_proxy" 0
+ if [ "$transparent_proxy" == 0 ]; then
+ log "Transparent Proxy" "Disabled."
+ return
+ fi
+ # get config
+ ### inbound
+ local http_port socks_port mixed_port redir_port tproxy_port
+ config_get http_port "mixin" "http_port" "8080"
+ config_get socks_port "mixin" "socks_port" "1080"
+ config_get mixed_port "mixin" "mixed_port" "7890"
+ config_get redir_port "mixin" "redir_port" "7891"
+ config_get tproxy_port "mixin" "tproxy_port" "7892"
+ ### dns
+ local dns_port fake_ip_range
+ config_get dns_port "mixin" "dns_port" "1053"
+ config_get fake_ip_range "mixin" "fake_ip_range" "198.18.0.1/16"
+ ### tun
+ local tun_device
+ config_get tun_device "mixin" "tun_device" "mihomo"
+ ## proxy config
+ ### transparent proxy
+ local tcp_transparent_proxy_mode udp_transparent_proxy_mode ipv4_dns_hijack ipv6_dns_hijack ipv4_proxy ipv6_proxy router_proxy lan_proxy
+ config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode" "redirect"
+ config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" "tun"
+ config_get_bool ipv4_dns_hijack "proxy" "ipv4_dns_hijack" 0
+ config_get_bool ipv6_dns_hijack "proxy" "ipv6_dns_hijack" 0
+ config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0
+ config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0
+ config_get_bool router_proxy "proxy" "router_proxy" 0
+ config_get_bool lan_proxy "proxy" "lan_proxy" 0
+ ### access control
+ local access_control_mode bypass_china_mainland_ip proxy_tcp_dport proxy_udp_dport
+ config_get access_control_mode "proxy" "access_control_mode"
+ config_get_bool bypass_china_mainland_ip "proxy" "bypass_china_mainland_ip" 0
+ config_get proxy_tcp_dport "proxy" "proxy_tcp_dport" "0-65535"
+ config_get proxy_udp_dport "proxy" "proxy_udp_dport" "0-65535"
+ # prepare
+ local tproxy_enable; tproxy_enable=0
+ if [[ "$tcp_transparent_proxy_mode" == "tproxy" || "$udp_transparent_proxy_mode" == "tproxy" ]]; then
+ tproxy_enable=1
+ fi
+ local tun_enable; tun_enable=0
+ if [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then
+ tun_enable=1
+ fi
+ # transparent proxy
+ log "Transparent Proxy" "Enabled."
+ log "Transparent Proxy" "TCP Mode: $tcp_transparent_proxy_mode."
+ log "Transparent Proxy" "UDP Mode: $udp_transparent_proxy_mode."
+ # wait for tun device online
+ if [ "$tun_enable" == 1 ]; then
+ log "Transparent Proxy" "Waiting for tun device online..."
+ local tun_timeout; tun_timeout=60
+ local tun_interval; tun_interval=1
+ while [ "$tun_timeout" -gt 0 ]; do
+ if (ip link show dev "$tun_device" > /dev/null 2>&1); then
+ if [ $(ip -json addr show dev mihomo | yq '.[] | select(.ifname = "mihomo") | .addr_info | length') -gt 0 ]; then
+ log "Transparent Proxy" "Tun device is online."
+ break
+ fi
+ fi
+ tun_timeout=$((tun_timeout - tun_interval))
+ sleep "$tun_interval"
+ done
+ if [ "$tun_timeout" -le 0 ]; then
+ log "Transparent Proxy" "Waiting timeout, tun device is not online."
+ log "App" "Exit."
+ return
+ fi
+ fi
+ # prepare
+ if [ "$tproxy_enable" == 1 ]; then
+ if [ "$ipv4_proxy" == 1 ]; then
+ ip -4 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ ip -6 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
+ fi
+ fi
+ if [ "$tun_enable" == 1 ]; then
+ if [ "$ipv4_proxy" == 1 ]; then
+ ip -4 route add unicast default dev "$tun_device" table "$TUN_ROUTE_TABLE"
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ ip -6 route add unicast default dev "$tun_device" table "$TUN_ROUTE_TABLE"
+ fi
+ $FIREWALL_INCLUDE_SH
+ fi
+ local tcp_route_table
+ if [ "$tcp_transparent_proxy_mode" == "tproxy" ]; then
+ tcp_route_table="$TPROXY_ROUTE_TABLE"
+ elif [ "$tcp_transparent_proxy_mode" == "tun" ]; then
+ tcp_route_table="$TUN_ROUTE_TABLE"
+ fi
+ if [ -n "$tcp_route_table" ]; then
+ if [ "$ipv4_proxy" == 1 ]; then
+ ip -4 rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ ip -6 rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
+ fi
+ fi
+ local udp_route_table
+ if [ "$udp_transparent_proxy_mode" == "tproxy" ]; then
+ udp_route_table="$TPROXY_ROUTE_TABLE"
+ elif [ "$udp_transparent_proxy_mode" == "tun" ]; then
+ udp_route_table="$TUN_ROUTE_TABLE"
+ fi
+ if [ -n "$udp_route_table" ]; then
+ if [ "$ipv4_proxy" == 1 ]; then
+ ip -4 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ ip -6 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
+ fi
+ fi
+ nft -f "$HIJACK_NFT" -D MIHOMO_GROUP="$MIHOMO_GROUP" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$tun_device" -D FAKE_IP="$fake_ip_range" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
+ nft -f "$RESERVED_IP_NFT"
+ nft -f "$RESERVED_IP6_NFT"
+ # dns hijack
+ if [ "$ipv4_dns_hijack" == 1 ]; then
+ log "Transparent Proxy" "Hijack IPv4 dns request."
+ nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv4 \}
+ fi
+ if [ "$ipv6_dns_hijack" == 1 ]; then
+ log "Transparent Proxy" "Hijack IPv6 dns request."
+ nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv6 \}
+ fi
+ # proxy
+ if [ "$ipv4_proxy" == 1 ]; then
+ log "Transparent Proxy" "Proxy IPv4 traffic."
+ nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv4 \}
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ log "Transparent Proxy" "Proxy IPv6 traffic."
+ nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv6 \}
+ fi
+ # bypass
+ config_list_foreach "proxy" "bypass_user" add_bypass_user
+ config_list_foreach "proxy" "bypass_group" add_bypass_group
+ if [ "$bypass_china_mainland_ip" == 1 ]; then
+ log "Transparent Proxy" "Bypass china mainland ip."
+ if [ "$ipv4_proxy" == 1 ]; then
+ nft -f "$GEOIP_CN_NFT"
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ nft -f "$GEOIP6_CN_NFT"
+ fi
+ fi
+ log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport."
+ log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport."
+ local proxy_dport
+ for proxy_dport in $proxy_tcp_dport; do
+ nft add element inet "$FW_TABLE" proxy_dport \{ "tcp" . "$proxy_dport" \}
+ done
+ for proxy_dport in $proxy_udp_dport; do
+ nft add element inet "$FW_TABLE" proxy_dport \{ "udp" . "$proxy_dport" \}
+ done
+ # router proxy
+ if [ "$router_proxy" == 1 ]; then
+ log "Transparent Proxy" "Set proxy for router."
+ if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
+ nft insert rule inet "$FW_TABLE" nat_output jump router_dns_hijack
+ nft add rule inet "$FW_TABLE" nat_output meta l4proto tcp jump router_${tcp_transparent_proxy_mode}
+ else
+ nft flush chain inet "$FW_TABLE" nat_output
+ nft add rule inet "$FW_TABLE" nat_output jump router_dns_hijack
+ nft add rule inet "$FW_TABLE" mangle_output meta l4proto tcp jump router_reroute
+ fi
+ nft add rule inet "$FW_TABLE" mangle_output meta l4proto udp jump router_reroute
+ fi
+ # lan proxy
+ if [ "$lan_proxy" == 1 ]; then
+ log "Transparent Proxy" "Set proxy for lan."
+ # access control
+ if [ "$access_control_mode" == "all" ]; then
+ log "Transparent Proxy" "Access Control is using all mode, set proxy for all client."
+ elif [ "$access_control_mode" == "allow" ]; then
+ log "Transparent Proxy" "Access Control is using allow mode, set proxy for client which is in acl."
+ elif [ "$access_control_mode" == "block" ]; then
+ log "Transparent Proxy" "Access Control is using block mode, set proxy for client which is not in acl."
+ fi
+ config_list_foreach "proxy" "acl_ip" add_acl_ip
+ config_list_foreach "proxy" "acl_ip6" add_acl_ip6
+ config_list_foreach "proxy" "acl_mac" add_acl_mac
+ config_list_foreach "proxy" "acl_interface" add_acl_interface
+ if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
+ nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
+ nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
+ else
+ nft flush chain inet "$FW_TABLE" dstnat
+ nft add rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
+ nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
+ fi
+ nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto udp jump "${access_control_mode}_${udp_transparent_proxy_mode}"
+ fi
+ # fix compatible between tproxy and dockerd (kmod-br-netfilter)
+ if [ "$tproxy_enable" == 1 ] && (lsmod | grep -q br_netfilter); then
+ if [ "$ipv4_proxy" == 1 ]; then
+ local bridge_nf_call_iptables; bridge_nf_call_iptables=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
+ if [ "$bridge_nf_call_iptables" == 1 ]; then
+ touch "$BRIDGE_NF_CALL_IPTABLES_FLAG"
+ sysctl -q -w net.bridge.bridge-nf-call-iptables=0
+ fi
+ fi
+ if [ "$ipv6_proxy" == 1 ]; then
+ local bridge_nf_call_ip6tables; bridge_nf_call_ip6tables=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
+ if [ "$bridge_nf_call_ip6tables" == 1 ]; then
+ touch "$BRIDGE_NF_CALL_IP6TABLES_FLAG"
+ sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0
+ fi
+ fi
+ fi
 }
 service_stopped() {
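Review bot: The readiness probe in the new service_started() wait loop still hardcodes the interface name, `ip -json addr show dev mihomo | yq '.[] | select(.ifname = "mihomo") | .addr_info | length'`, while the guard one line above (`ip link show dev "$tun_device"`), the route adds and the `-D TUN_DEVICE="$tun_device"` define all honour the `tun_device` option this commit introduces. With any non-default name the probe never succeeds, the loop burns the full 60 s timeout and the function returns before any route, rule or nft table is installed, so transparent proxying is silently skipped although the core is running and the started flag is set. The `$(...)` inside `[ ... -gt 0 ]` is also unquoted, so an empty result (device absent, `yq` failing) becomes `[ -gt 0 ]`, a test error that only the retry masks, and `=` inside `select()` appears to be yq's assignment operator rather than a comparison, so the filter does not actually filter. I would replace the inner test with `local addr_count; addr_count=$(ip -json addr show dev "$tun_device" | yq '.[0].addr_info | length')` followed by `if [ "${addr_count:-0}" -gt 0 ]; then`, letting `dev` do the selection; `ip -json` also needs the full iproute2 `ip` rather than the busybox applet, which I cannot confirm from this diff.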
@@ -462,22 +526,19 @@ cleanup() {
 # clear log
 clear_log
 # delete routing policy
- ip rule del ipproto tcp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
- ip rule del ipproto udp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
- ip rule del ipproto tcp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
- ip rule del ipproto udp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
+ ip -4 rule del ipproto tcp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
+ ip -4 rule del ipproto udp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
+ ip -4 rule del ipproto tcp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
+ ip -4 rule del ipproto udp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 ip -6 rule del ipproto tcp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
 ip -6 rule del ipproto udp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
 ip -6 rule del ipproto tcp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 ip -6 rule del ipproto udp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 # delete routing table
- ip route flush table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
- ip route flush table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
+ ip -4 route flush table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
+ ip -4 route flush table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 ip -6 route flush table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
 ip -6 route flush table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
- # delete tun
- ip link set "$TUN_DEVICE" down > /dev/null 2>&1
- ip tuntap del dev "$TUN_DEVICE" mode tun > /dev/null 2>&1
 # delete hijack
 nft delete table inet "$FW_TABLE" > /dev/null 2>&1
 local handles handle
@@ -489,13 +550,15 @@ cleanup() {
 for handle in $handles; do
 nft delete rule inet fw4 forward handle "$handle"
 done
+ # delete started flag
+ rm -f "$STARTED_FLAG"
 # revert fix compatible between tproxy and dockerd (kmod-br-netfilter)
- if [ -f "/tmp/bridge_nf_call_iptables.flag" ]; then
- rm -f /tmp/bridge_nf_call_iptables.flag
+ if [ -f "$BRIDGE_NF_CALL_IPTABLES_FLAG" ]; then
+ rm -f "$BRIDGE_NF_CALL_IPTABLES_FLAG"
 sysctl -q -w net.bridge.bridge-nf-call-iptables=1
 fi
- if [ -f "/tmp/bridge_nf_call_ip6tables.flag" ]; then
- rm -f /tmp/bridge_nf_call_ip6tables.flag
+ if [ -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG" ]; then
+ rm -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG"
 sysctl -q -w net.bridge.bridge-nf-call-ip6tables=1
 fi
 # delete cron
@@ -503,27 +566,6 @@ cleanup() {
 /etc/init.d/cron restart
 }
-prepare_log() {
- if [ ! -d "$LOG_DIR" ]; then
- mkdir -p "$LOG_DIR"
- fi
- if [ ! -f "$APP_LOG_PATH" ]; then
- touch "$APP_LOG_PATH"
- fi
- if [ ! -f "$CORE_LOG_PATH" ]; then
- touch "$CORE_LOG_PATH"
- fi
-}
-
-clear_log() {
- echo -n > "$APP_LOG_PATH"
- echo -n > "$CORE_LOG_PATH"
-}
-
-log() {
- echo "[$(date "+%Y-%m-%d %H:%M:%S")] [$1] $2" >> "$APP_LOG_PATH"
-}
-
 mixin_authentications() {
 local section="$1"
diff --git a/mihomo/files/nftables/hijack.nft b/mihomo/files/nftables/hijack.nft
index a2940151a..2cd85091e 100644
--- a/mihomo/files/nftables/hijack.nft
+++ b/mihomo/files/nftables/hijack.nft
@@ -170,7 +170,7 @@ table inet mihomo {
 chain dstnat {
 type nat hook prerouting priority dstnat + 1; policy accept;
- fib daddr type local counter return
+ fib daddr type { local, multicast, broadcast, anycast } counter return
 ct direction reply counter return
 ip daddr @reserved_ip counter return
 ip6 daddr @reserved_ip6 counter return
@@ -184,7 +184,7 @@ table inet mihomo {
 type nat hook output priority filter; policy accept;
 meta skuid @bypass_user counter return
 meta skgid @bypass_group counter return
- fib daddr type local counter return
+ fib daddr type { local, multicast, broadcast, anycast } counter return
 ct direction reply counter return
 ip daddr @reserved_ip counter return
 ip6 daddr @reserved_ip6 counter return
@@ -198,7 +198,7 @@ table inet mihomo {
 type filter hook prerouting priority mangle; policy accept;
 meta l4proto { tcp, udp } iifname lo meta mark & $FW_MARK_MASK == $FW_MARK tproxy to :$TPROXY_PORT counter accept
 meta l4proto { tcp, udp } iifname $TUN_DEVICE counter accept
- fib daddr type local counter return
+ fib daddr type { local, multicast, broadcast, anycast } counter return
 ct direction reply counter return
 ip daddr @reserved_ip counter return
 ip6 daddr @reserved_ip6 counter return
@@ -213,7 +213,7 @@ table in
et mihomo {
 type route hook output priority mangle; policy accept;
 meta skuid @bypass_user counter return
 meta skgid @bypass_group counter return
- fib daddr type local counter return
+ fib daddr type { local, multicast, broadcast, anycast } counter return
 ct direction reply counter return
 ip daddr @reserved_ip counter return
 ip6 daddr @reserved_ip6 counter return
diff --git a/mihomo/files/scripts/firewall_include.sh b/mihomo/files/scripts/firewall_include.sh
index 9c8ae9605..b1ce87bb4 100644
--- a/mihomo/files/scripts/firewall_include.sh
+++ b/mihomo/files/scripts/firewall_include.sh
@@ -7,11 +7,12 @@ config_load mihomo
 config_get enabled "config" "enabled" 0
 config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode"
 config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode"
+config_get tun_device "mixin" "tun_device"
 if [ "$enabled" == 1 ] && [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then
- nft insert rule inet fw4 input iifname "$TUN_DEVICE" counter accept comment "mihomo"
- nft insert rule inet fw4 forward oifname "$TUN_DEVICE" counter accept comment "mihomo"
- nft insert rule inet fw4 forward iifname "$TUN_DEVICE" counter accept comment "mihomo"
+ nft insert rule inet fw4 input iifname "$tun_device" counter accept comment "mihomo"
+ nft insert rule inet fw4 forward oifname "$tun_device" counter accept comment "mihomo"
+ nft insert rule inet fw4 forward iifname "$tun_device" counter accept comment "mihomo"
 fi
 exit 0
diff --git a/mihomo/files/scripts/include.sh b/mihomo/files/scripts/include.sh
index 3b12c7bc6..413b90172 100644
--- a/mihomo/files/scripts/include.sh
+++ b/mihomo/files/scripts/include.sh
@@ -12,7 +12,6 @@ TCP_RULE_PREF="1024"
 UDP_RULE_PREF="1025"
 TPROXY_ROUTE_TABLE="80"
 TUN_ROUTE_TABLE="81"
-TUN_DEVICE="mihomo"
 # paths
 PROG="/usr/bin/mihomo"
@@ -23,10 +22,18 @@ MIXIN_FILE_PATH="$HOME_DIR/mixin.yaml"
 RUN_DIR="$HOME_DIR/run"
 RUN_PROFILE_PATH="$RUN_DIR/config.yaml"
 RUN_UI_DIR="$RUN_DIR/ui"
+
+# log
 LOG_DIR="/var/log/mihomo"
 APP_LOG_PATH="$LOG_DIR/app.log"
 CORE_LOG_PATH="$LOG_DIR/core.log"
+# flag
+FLAG_DIR="/var/run/mihomo"
+STARTED_FLAG="$FLAG_DIR/started.flag"
+BRIDGE_NF_CALL_IPTABLES_FLAG="$FLAG_DIR/bridge_nf_call_iptables.flag"
+BRIDGE_NF_CALL_IP6TABLES_FLAG="$FLAG_DIR/bridge_nf_call_ip6tables.flag"
+
 # scripts
 SH_DIR="$HOME_DIR/scripts"
 INCLUDE_SH="$SH_DIR/include.sh"
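Review bot: `config_get tun_device "mixin" "tun_device"` on the new side of the firewall_include.sh hunk has no default, unlike the two init-script reads of the same option which fall back to `"mihomo"`, so on a config where the option is absent (one that predates the migrate.sh entry, or a hand-edited one) `$tun_device` is empty and the three `nft insert rule ... "$tun_device"` lines get an empty iifname/oifname, which either fails to parse or never matches, leaving the tun interface without its fw4 accept rules. Use `config_get tun_device "mixin" "tun_device" "mihomo"` so the three readers agree. Because the value becomes an nft interface-name argument here too, the same character-set and length check that service_started() needs belongs in this script as well.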
@@ -64,3 +71,27 @@ format_filesize() {
 echo "$(awk "BEGIN {print $size / $pb}") PB"
 fi
 }
+
+prepare_files() {
+ if [ ! -d "$LOG_DIR" ]; then
+ mkdir -p "$LOG_DIR"
+ fi
+ if [ ! -f "$APP_LOG_PATH" ]; then
+ touch "$APP_LOG_PATH"
+ fi
+ if [ ! -f "$CORE_LOG_PATH" ]; then
+ touch "$CORE_LOG_PATH"
+ fi
+ if [ ! -d "$FLAG_DIR" ]; then
+ mkdir -p "$FLAG_DIR"
+ fi
+}
+
+clear_log() {
+ echo -n > "$APP_LOG_PATH"
+ echo -n > "$CORE_LOG_PATH"
+}
+
+log() {
+ echo "[$(date "+%Y-%m-%d %H:%M:%S")] [$1] $2" >> "$APP_LOG_PATH"
+}
diff --git a/mihomo/files/uci-defaults/migrate.sh b/mihomo/files/uci-defaults/migrate.sh
index ddfb78335..312dfe25e 100644
--- a/mihomo/files/uci-defaults/migrate.sh
+++ b/mihomo/files/uci-defaults/migrate.sh
@@ -50,6 +50,9 @@ env=$(uci -q get mihomo.env); [ -z "$env" ] && {
 uci set mihomo.env.disable_quic_go_ecn=0
 }
+# since v1.15.0
+tun_device=$(uci -q get mihomo.mixin.tun_device); [ -z "$tun_device" ] && uci set mihomo.mixin.tun_device=mihomo
+
 # commit
 uci commit mihomo
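Review bot: prepare_files() in the include.sh hunk guards both `mkdir -p` calls with `[ ! -d ... ]`, but `mkdir -p` is already a no-op for an existing directory, so the two directory blocks collapse to `mkdir -p "$LOG_DIR" "$FLAG_DIR"`; the two `touch` guards can stay as written, since a bare `touch` would bump the mtime of an existing log on every start. The function is now the only place that creates `$FLAG_DIR`, which service_started() and cleanup() depend on through `$STARTED_FLAG`, and nothing says so; a header comment such as `# Create the log files and the flag directory used by log(), clear_log() and the init script; must run before any of them.` would make that ordering requirement visible to the next editor.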