mihomo: sync upstream

last commit: 1cca1d841c

mihomo/Makefile

@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mihomo
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
-PKG_SOURCE_DATE:=2024-12-19
-PKG_SOURCE_VERSION:=89dfabe9b36b22df896dcd1ab03c67c667ec20f3
-PKG_MIRROR_HASH:=5d2e9fe03dffa573af6bc300e39e21d95e7cde964f54d531e040e104780abd08
+PKG_SOURCE_DATE:=2024-12-28
+PKG_SOURCE_VERSION:=a9ce5da09d38f6057bd248cd146cbd8c05dc9fd6
+PKG_MIRROR_HASH:=b893642d6bb24d64d6c36c722d44f821340027c5aa0a56e2f62d3c70bf2ea059
 
 PKG_LICENSE:=MIT
 PKG_MAINTAINER:=Joseph Mory <morytyann@gmail.com>
@@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_FLAGS:=no-mips16
 
-PKG_BUILD_VERSION:=alpha-89dfabe
+PKG_BUILD_VERSION:=alpha-a9ce5da
 PKG_BUILD_TIME:=$(shell date -u -Iseconds)
 
 GO_PKG:=github.com/metacubex/mihomo

mihomo/files/mihomo.conf

@@ -68,6 +68,7 @@ config mixin 'mixin'
 	option 'redir_port' '7891'
 	option 'tproxy_port' '7892'
 	option 'authentication' '1'
+	option 'tun_device' 'mihomo'
 	option 'tun_stack' 'system'
 	option 'tun_mtu' '9000'
 	option 'tun_gso' '1'

mihomo/files/mihomo.init

@@ -10,8 +10,8 @@ USE_PROCD=1
 extra_command 'update_subscription' 'Update subscription by section id'
 
 boot() {
-	# prepare log
-	prepare_log
+	# prepare files
+	prepare_files
 	# load config
 	config_load mihomo
 	# start delay
@@ -27,8 +27,8 @@ boot() {
 }
 
 start_service() {
-	# prepare log
-	prepare_log
+	# prepare files
+	prepare_files
 	# load config
 	config_load mihomo
 	# check if enabled
@@ -53,22 +53,10 @@ start_service() {
 	config_get_bool fast_reload "config" "fast_reload" 0
 	## proxy config
 	### transparent proxy
-	local transparent_proxy tcp_transparent_proxy_mode udp_transparent_proxy_mode ipv4_dns_hijack ipv6_dns_hijack ipv4_proxy ipv6_proxy router_proxy lan_proxy
+	local tcp_transparent_proxy_mode udp_transparent_proxy_mode
 	config_get_bool transparent_proxy "proxy" "transparent_proxy" 0
 	config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode" "tproxy"
 	config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" "tproxy"
-	config_get_bool ipv4_dns_hijack "proxy" "ipv4_dns_hijack" 0
-	config_get_bool ipv6_dns_hijack "proxy" "ipv6_dns_hijack" 0
-	config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0
-	config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0
-	config_get_bool router_proxy "proxy" "router_proxy" 0
-	config_get_bool lan_proxy "proxy" "lan_proxy" 0
-	### access control
-	local access_control_mode bypass_china_mainland_ip proxy_tcp_dport proxy_udp_dport
-	config_get access_control_mode "proxy" "access_control_mode"
-	config_get_bool bypass_china_mainland_ip "proxy" "bypass_china_mainland_ip" 0
-	config_get proxy_tcp_dport "proxy" "proxy_tcp_dport" "0-65535"
-	config_get proxy_udp_dport "proxy" "proxy_udp_dport" "0-65535"
 	## mixin config
 	### general
 	local mode match_process outbound_interface ipv6 tcp_keep_alive_idle tcp_keep_alive_interval log_level
@@ -96,7 +84,8 @@ start_service() {
 	config_get tproxy_port "mixin" "tproxy_port" "7892"
 	config_get_bool authentication "mixin" "authentication" 0
 	### tun
-	local tun_stack tun_mtu tun_gso tun_gso_max_size tun_endpoint_independent_nat
+	local tun_device tun_stack tun_mtu tun_gso tun_gso_max_size tun_endpoint_independent_nat
+	config_get tun_device "mixin" "tun_device" "mihomo"
 	config_get tun_stack "mixin" "tun_stack" "system"
 	config_get tun_mtu "mixin" "tun_mtu" "9000"
 	config_get_bool tun_gso "mixin" "tun_gso" 0
@@ -186,7 +175,7 @@ start_service() {
 		log_level="$log_level" ipv6="$ipv6" \
 		ui_path="ui" ui_name="$ui_name" ui_url="$ui_url" api_listen="0.0.0.0:$api_port" api_secret="$api_secret" \
 		allow_lan="$allow_lan" http_port="$http_port" socks_port="$socks_port" mixed_port="$mixed_port" redir_port="$redir_port" tproxy_port="$tproxy_port" \
-		tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$TUN_DEVICE" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
+		tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$tun_device" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
 		dns_enable="true" dns_listen="0.0.0.0:$dns_port" dns_mode="$dns_mode" fake_ip_range="$fake_ip_range" \
 		yq -M -i '
 		.log-level = strenv(log_level) | .ipv6 = env(ipv6) == 1 |
@@ -202,7 +191,7 @@ start_service() {
 		log_level="$log_level" mode="$mode" match_process="$match_process" tcp_keep_alive_idle="$tcp_keep_alive_idle" tcp_keep_alive_interval="$tcp_keep_alive_interval" ipv6="$ipv6" \
 		ui_path="ui" ui_name="$ui_name" ui_url="$ui_url" api_listen="0.0.0.0:$api_port" api_secret="$api_secret" selection_cache="$selection_cache" \
 		allow_lan="$allow_lan" http_port="$http_port" socks_port="$socks_port" mixed_port="$mixed_port" redir_port="$redir_port" tproxy_port="$tproxy_port" \
-		tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$TUN_DEVICE" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
+		tun_enable="$tun_enable" tun_stack="$tun_stack" tun_device="$tun_device" tun_mtu="$tun_mtu" tun_gso="$tun_gso" tun_gso_max_size="$tun_gso_max_size" tun_endpoint_independent_nat="$tun_endpoint_independent_nat" \
 		dns_enable="true" dns_listen="0.0.0.0:$dns_port" dns_mode="$dns_mode" fake_ip_range="$fake_ip_range" fake_ip_cache="$fake_ip_cache" \
 		dns_respect_rules="$dns_respect_rules" dns_doh_prefer_http3="$dns_doh_prefer_http3" dns_ipv6="$dns_ipv6" dns_system_hosts="$dns_system_hosts" dns_hosts="$dns_hosts" \
 		geoip_format="$geoip_format" geodata_loader="$geodata_loader" geosite_url="$geosite_url" geoip_mmdb_url="$geoip_mmdb_url" geoip_dat_url="$geoip_dat_url" geoip_asn_url="$geoip_asn_url" \
@@ -285,164 +274,239 @@ start_service() {
 	procd_set_param limits nofile="1048576 1048576"
 
 	procd_close_instance
-	# transparent proxy
-	if [ "$transparent_proxy" == 1 ]; then
-		log "Transparent Proxy" "Enabled."
-		log "Transparent Proxy" "TCP Mode: $tcp_transparent_proxy_mode."
-		log "Transparent Proxy" "UDP Mode: $udp_transparent_proxy_mode."
-		# prepare
-		if [ "$tproxy_enable" == 1 ]; then
-			if [ "$ipv4_proxy" == 1 ]; then
-				ip route add local default dev lo table "$TPROXY_ROUTE_TABLE"
-			fi
-			if [ "$ipv6_proxy" == 1 ]; then
-				ip -6 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
-			fi
-		fi
-		if [ "$tun_enable" == 1 ]; then
-			ip tuntap add dev "$TUN_DEVICE" mode tun vnet_hdr
-			ip link set "$TUN_DEVICE" up
-			if [ "$ipv4_proxy" == 1 ]; then
-				ip route add unicast default dev "$TUN_DEVICE" table "$TUN_ROUTE_TABLE"
-			fi
-			if [ "$ipv6_proxy" == 1 ]; then
-				ip -6 route add unicast default dev "$TUN_DEVICE" table "$TUN_ROUTE_TABLE"
-			fi
-			$FIREWALL_INCLUDE_SH
-		fi
-		local tcp_route_table
-		if [ "$tcp_transparent_proxy_mode" == "tproxy" ]; then
-			tcp_route_table="$TPROXY_ROUTE_TABLE"
-		elif [ "$tcp_transparent_proxy_mode" == "tun" ]; then
-			tcp_route_table="$TUN_ROUTE_TABLE"
-		fi
-		if [ -n "$tcp_route_table" ]; then
-			if [ "$ipv4_proxy" == 1 ]; then
-				ip rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
-			fi
-			if [ "$ipv6_proxy" == 1 ]; then
-				ip -6 rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
-			fi
-		fi
-		local udp_route_table
-		if [ "$udp_transparent_proxy_mode" == "tproxy" ]; then
-			udp_route_table="$TPROXY_ROUTE_TABLE"
-		elif [ "$udp_transparent_proxy_mode" == "tun" ]; then
-			udp_route_table="$TUN_ROUTE_TABLE"
-		fi
-		if [ -n "$udp_route_table" ]; then
-			if [ "$ipv4_proxy" == 1 ]; then
-				ip rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
-			fi
-			if [ "$ipv6_proxy" == 1 ]; then
-				ip -6 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
-			fi
-		fi
-		nft -f "$HIJACK_NFT" -D MIHOMO_GROUP="$MIHOMO_GROUP" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$TUN_DEVICE" -D FAKE_IP="$fake_ip_range" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
-		nft -f "$RESERVED_IP_NFT"
-		nft -f "$RESERVED_IP6_NFT"
-		# dns hijack
-		if [ "$ipv4_dns_hijack" == 1 ]; then
-			log "Transparent Proxy" "Hijack IPv4 dns request."
-			nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv4 \}
-		fi
-		if [ "$ipv6_dns_hijack" == 1 ]; then
-			log "Transparent Proxy" "Hijack IPv6 dns request."
-			nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv6 \}
-		fi
-		# proxy
-		if [ "$ipv4_proxy" == 1 ]; then
-			log "Transparent Proxy" "Proxy IPv4 traffic."
-			nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv4 \}
-		fi
-		if [ "$ipv6_proxy" == 1 ]; then
-			log "Transparent Proxy" "Proxy IPv6 traffic."
-			nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv6 \}
-		fi
-		# bypass
-		config_list_foreach "proxy" "bypass_user" add_bypass_user
-		config_list_foreach "proxy" "bypass_group" add_bypass_group
-		if [ "$bypass_china_mainland_ip" == 1 ]; then
-			log "Transparent Proxy" "Bypass china mainland ip."
-			if [ "$ipv4_proxy" == 1 ]; then
-				nft -f "$GEOIP_CN_NFT"
-			fi
-			if [ "$ipv6_proxy" == 1 ]; then
-				nft -f "$GEOIP6_CN_NFT"
-			fi
-		fi
-		log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport."
-		log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport."
-		local proxy_dport
-		for proxy_dport in $proxy_tcp_dport; do
-			nft add element inet "$FW_TABLE" proxy_dport \{ "tcp" . "$proxy_dport" \}
-		done
-		for proxy_dport in $proxy_udp_dport; do
-			nft add element inet "$FW_TABLE" proxy_dport \{ "udp" . "$proxy_dport" \}
-		done
-		# router proxy
-		if [ "$router_proxy" == 1 ]; then
-			log "Transparent Proxy" "Set proxy for router."
-			if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
-				nft insert rule inet "$FW_TABLE" nat_output jump router_dns_hijack
-				nft add rule inet "$FW_TABLE" nat_output meta l4proto tcp jump router_${tcp_transparent_proxy_mode}
-			else
-				nft flush chain inet "$FW_TABLE" nat_output
-				nft add rule inet "$FW_TABLE" nat_output jump router_dns_hijack
-				nft add rule inet "$FW_TABLE" mangle_output meta l4proto tcp jump router_reroute
-			fi
-			nft add rule inet "$FW_TABLE" mangle_output meta l4proto udp jump router_reroute
-		fi
-		# lan proxy
-		if [ "$lan_proxy" == 1 ]; then
-			log "Transparent Proxy" "Set proxy for lan."
-			# access control
-			if [ "$access_control_mode" == "all" ]; then
-				log "Transparent Proxy" "Access Control is using all mode, set proxy for all client."
-			elif [ "$access_control_mode" == "allow" ]; then
-				log "Transparent Proxy" "Access Control is using allow mode, set proxy for client which is in acl."
-			elif [ "$access_control_mode" == "block" ]; then
-				log "Transparent Proxy" "Access Control is using block mode, set proxy for client which is not in acl."
-			fi
-			config_list_foreach "proxy" "acl_ip" add_acl_ip
-			config_list_foreach "proxy" "acl_ip6" add_acl_ip6
-			config_list_foreach "proxy" "acl_mac" add_acl_mac
-			config_list_foreach "proxy" "acl_interface" add_acl_interface
-			if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
-				nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
-				nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
-			else
-				nft flush chain inet "$FW_TABLE" dstnat
-				nft add rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
-				nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
-			fi
-			nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto udp jump "${access_control_mode}_${udp_transparent_proxy_mode}"
-		fi
-		# fix compatible between tproxy and dockerd (kmod-br-netfilter)
-		if [ "$tproxy_enable" == 1 ] && (lsmod | grep -q br_netfilter); then
-			if [ "$ipv4_proxy" == 1 ]; then
-				local bridge_nf_call_iptables; bridge_nf_call_iptables=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
-				if [ "$bridge_nf_call_iptables" == 1 ]; then
-					touch /tmp/bridge_nf_call_iptables.flag
-					sysctl -q -w net.bridge.bridge-nf-call-iptables=0
-				fi
-			fi
-			if [ "$ipv6_proxy" == 1 ]; then
-				local bridge_nf_call_ip6tables; bridge_nf_call_ip6tables=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
-				if [ "$bridge_nf_call_ip6tables" == 1 ]; then
-					touch /tmp/bridge_nf_call_ip6tables.flag
-					sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0
-				fi
-			fi
-		fi
-	fi
 	# cron
 	if [[ "$scheduled_restart" == 1 && -n "$cron_expression" ]]; then
 		log "App" "Set scheduled restart."
 		echo "$cron_expression /etc/init.d/mihomo restart #mihomo" >> "/etc/crontabs/root"
 		/etc/init.d/cron restart
 	fi
-	log "App" "Start Successful."
+	# set started flag
+	touch "$STARTED_FLAG"
+}
+
+service_started() {
+	# check if started
+	if [ ! -f "$STARTED_FLAG" ]; then
+		return
+	fi
+	# load config
+	config_load mihomo
+	# check if transparent proxy enabled
+	local transparent_proxy
+	config_get_bool transparent_proxy "proxy" "transparent_proxy" 0
+	if [ "$transparent_proxy" == 0 ]; then
+		log "Transparent Proxy" "Disabled."
+		return
+	fi
+	# get config
+	### inbound
+	local http_port socks_port mixed_port redir_port tproxy_port
+	config_get http_port "mixin" "http_port" "8080"
+	config_get socks_port "mixin" "socks_port" "1080"
+	config_get mixed_port "mixin" "mixed_port" "7890"
+	config_get redir_port "mixin" "redir_port" "7891"
+	config_get tproxy_port "mixin" "tproxy_port" "7892"
+	### dns
+	local dns_port fake_ip_range
+	config_get dns_port "mixin" "dns_port" "1053"
+	config_get fake_ip_range "mixin" "fake_ip_range" "198.18.0.1/16"
+	### tun
+	local tun_device
+	config_get tun_device "mixin" "tun_device" "mihomo"
+	## proxy config
+	### transparent proxy
+	local tcp_transparent_proxy_mode udp_transparent_proxy_mode ipv4_dns_hijack ipv6_dns_hijack ipv4_proxy ipv6_proxy router_proxy lan_proxy
+	config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode" "redirect"
+	config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode" "tun"
+	config_get_bool ipv4_dns_hijack "proxy" "ipv4_dns_hijack" 0
+	config_get_bool ipv6_dns_hijack "proxy" "ipv6_dns_hijack" 0
+	config_get_bool ipv4_proxy "proxy" "ipv4_proxy" 0
+	config_get_bool ipv6_proxy "proxy" "ipv6_proxy" 0
+	config_get_bool router_proxy "proxy" "router_proxy" 0
+	config_get_bool lan_proxy "proxy" "lan_proxy" 0
+	### access control
+	local access_control_mode bypass_china_mainland_ip proxy_tcp_dport proxy_udp_dport
+	config_get access_control_mode "proxy" "access_control_mode"
+	config_get_bool bypass_china_mainland_ip "proxy" "bypass_china_mainland_ip" 0
+	config_get proxy_tcp_dport "proxy" "proxy_tcp_dport" "0-65535"
+	config_get proxy_udp_dport "proxy" "proxy_udp_dport" "0-65535"
+	# prepare
+	local tproxy_enable; tproxy_enable=0
+	if [[ "$tcp_transparent_proxy_mode" == "tproxy" || "$udp_transparent_proxy_mode" == "tproxy" ]]; then
+		tproxy_enable=1
+	fi
+	local tun_enable; tun_enable=0
+	if [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then
+		tun_enable=1
+	fi
+	# transparent proxy
+	log "Transparent Proxy" "Enabled."
+	log "Transparent Proxy" "TCP Mode: $tcp_transparent_proxy_mode."
+	log "Transparent Proxy" "UDP Mode: $udp_transparent_proxy_mode."
+	# wait for tun device online
+	if [ "$tun_enable" == 1 ]; then
+		log "Transparent Proxy" "Waiting for tun device online..."
+		local tun_timeout; tun_timeout=60
+		local tun_interval; tun_interval=1
+		while [ "$tun_timeout" -gt 0 ]; do
+			if (ip link show dev "$tun_device" > /dev/null 2>&1); then
+				if [ $(ip -json addr show dev mihomo | yq '.[] | select(.ifname = "mihomo") | .addr_info | length') -gt 0 ]; then
+					log "Transparent Proxy" "Tun device is online."
+					break
+				fi
+			fi
+			tun_timeout=$((tun_timeout - tun_interval))
+			sleep "$tun_interval"
+		done
+		if [ "$tun_timeout" -le 0 ]; then
+			log "Transparent Proxy" "Waiting timeout, tun device is not online."
+			log "App" "Exit."
+			return
+		fi
+	fi
+	# prepare
+	if [ "$tproxy_enable" == 1 ]; then
+		if [ "$ipv4_proxy" == 1 ]; then
+			ip -4 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
+		fi
+		if [ "$ipv6_proxy" == 1 ]; then
+			ip -6 route add local default dev lo table "$TPROXY_ROUTE_TABLE"
+		fi
+	fi
+	if [ "$tun_enable" == 1 ]; then
+		if [ "$ipv4_proxy" == 1 ]; then
+			ip -4 route add unicast default dev "$tun_device" table "$TUN_ROUTE_TABLE"
+		fi
+		if [ "$ipv6_proxy" == 1 ]; then
+			ip -6 route add unicast default dev "$tun_device" table "$TUN_ROUTE_TABLE"
+		fi
+		$FIREWALL_INCLUDE_SH
+	fi
+	local tcp_route_table
+	if [ "$tcp_transparent_proxy_mode" == "tproxy" ]; then
+		tcp_route_table="$TPROXY_ROUTE_TABLE"
+	elif [ "$tcp_transparent_proxy_mode" == "tun" ]; then
+		tcp_route_table="$TUN_ROUTE_TABLE"
+	fi
+	if [ -n "$tcp_route_table" ]; then
+		if [ "$ipv4_proxy" == 1 ]; then
+			ip -4 rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
+		fi
+		if [ "$ipv6_proxy" == 1 ]; then
+			ip -6 rule add pref "$TCP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto tcp table "$tcp_route_table"
+		fi
+	fi
+	local udp_route_table
+	if [ "$udp_transparent_proxy_mode" == "tproxy" ]; then
+		udp_route_table="$TPROXY_ROUTE_TABLE"
+	elif [ "$udp_transparent_proxy_mode" == "tun" ]; then
+		udp_route_table="$TUN_ROUTE_TABLE"
+	fi
+	if [ -n "$udp_route_table" ]; then
+		if [ "$ipv4_proxy" == 1 ]; then
+			ip -4 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
+		fi
+		if [ "$ipv6_proxy" == 1 ]; then
+			ip -6 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
+		fi
+	fi
+	nft -f "$HIJACK_NFT" -D MIHOMO_GROUP="$MIHOMO_GROUP" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$tun_device" -D FAKE_IP="$fake_ip_range" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
+	nft -f "$RESERVED_IP_NFT"
+	nft -f "$RESERVED_IP6_NFT"
+	# dns hijack
+	if [ "$ipv4_dns_hijack" == 1 ]; then
+		log "Transparent Proxy" "Hijack IPv4 dns request."
+		nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv4 \}
+	fi
+	if [ "$ipv6_dns_hijack" == 1 ]; then
+		log "Transparent Proxy" "Hijack IPv6 dns request."
+		nft add element inet "$FW_TABLE" dns_hijack_nfproto \{ ipv6 \}
+	fi
+	# proxy
+	if [ "$ipv4_proxy" == 1 ]; then
+		log "Transparent Proxy" "Proxy IPv4 traffic."
+		nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv4 \}
+	fi
+	if [ "$ipv6_proxy" == 1 ]; then
+		log "Transparent Proxy" "Proxy IPv6 traffic."
+		nft add element inet "$FW_TABLE" proxy_nfproto \{ ipv6 \}
+	fi
+	# bypass
+	config_list_foreach "proxy" "bypass_user" add_bypass_user
+	config_list_foreach "proxy" "bypass_group" add_bypass_group
+	if [ "$bypass_china_mainland_ip" == 1 ]; then
+		log "Transparent Proxy" "Bypass china mainland ip."
+		if [ "$ipv4_proxy" == 1 ]; then
+			nft -f "$GEOIP_CN_NFT"
+		fi
+		if [ "$ipv6_proxy" == 1 ]; then
+			nft -f "$GEOIP6_CN_NFT"
+		fi
+	fi
+	log "Transparent Proxy" "Destination TCP Port to Proxy: $proxy_tcp_dport."
+	log "Transparent Proxy" "Destination UDP Port to Proxy: $proxy_udp_dport."
+	local proxy_dport
+	for proxy_dport in $proxy_tcp_dport; do
+		nft add element inet "$FW_TABLE" proxy_dport \{ "tcp" . "$proxy_dport" \}
+	done
+	for proxy_dport in $proxy_udp_dport; do
+		nft add element inet "$FW_TABLE" proxy_dport \{ "udp" . "$proxy_dport" \}
+	done
+	# router proxy
+	if [ "$router_proxy" == 1 ]; then
+		log "Transparent Proxy" "Set proxy for router."
+		if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
+			nft insert rule inet "$FW_TABLE" nat_output jump router_dns_hijack
+			nft add rule inet "$FW_TABLE" nat_output meta l4proto tcp jump router_${tcp_transparent_proxy_mode}
+		else
+			nft flush chain inet "$FW_TABLE" nat_output
+			nft add rule inet "$FW_TABLE" nat_output jump router_dns_hijack
+			nft add rule inet "$FW_TABLE" mangle_output meta l4proto tcp jump router_reroute
+		fi
+		nft add rule inet "$FW_TABLE" mangle_output meta l4proto udp jump router_reroute
+	fi
+	# lan proxy
+	if [ "$lan_proxy" == 1 ]; then
+		log "Transparent Proxy" "Set proxy for lan."
+		# access control
+		if [ "$access_control_mode" == "all" ]; then
+			log "Transparent Proxy" "Access Control is using all mode, set proxy for all client."
+		elif [ "$access_control_mode" == "allow" ]; then
+			log "Transparent Proxy" "Access Control is using allow mode, set proxy for client which is in acl."
+		elif [ "$access_control_mode" == "block" ]; then
+			log "Transparent Proxy" "Access Control is using block mode, set proxy for client which is not in acl."
+		fi
+		config_list_foreach "proxy" "acl_ip" add_acl_ip
+		config_list_foreach "proxy" "acl_ip6" add_acl_ip6
+		config_list_foreach "proxy" "acl_mac" add_acl_mac
+		config_list_foreach "proxy" "acl_interface" add_acl_interface
+		if [ "$tcp_transparent_proxy_mode" == "redirect" ]; then
+			nft insert rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
+			nft add rule inet "$FW_TABLE" dstnat meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
+		else
+			nft flush chain inet "$FW_TABLE" dstnat
+			nft add rule inet "$FW_TABLE" dstnat jump "${access_control_mode}_dns_hijack"
+			nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto tcp jump "${access_control_mode}_${tcp_transparent_proxy_mode}"
+		fi
+		nft add rule inet "$FW_TABLE" mangle_prerouting meta l4proto udp jump "${access_control_mode}_${udp_transparent_proxy_mode}"
+	fi
+	# fix compatible between tproxy and dockerd (kmod-br-netfilter)
+	if [ "$tproxy_enable" == 1 ] && (lsmod | grep -q br_netfilter); then
+		if [ "$ipv4_proxy" == 1 ]; then
+			local bridge_nf_call_iptables; bridge_nf_call_iptables=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
+			if [ "$bridge_nf_call_iptables" == 1 ]; then
+				touch "$BRIDGE_NF_CALL_IPTABLES_FLAG"
+				sysctl -q -w net.bridge.bridge-nf-call-iptables=0
+			fi
+		fi
+		if [ "$ipv6_proxy" == 1 ]; then
+			local bridge_nf_call_ip6tables; bridge_nf_call_ip6tables=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
+			if [ "$bridge_nf_call_ip6tables" == 1 ]; then
+				touch "$BRIDGE_NF_CALL_IP6TABLES_FLAG"
+				sysctl -q -w net.bridge.bridge-nf-call-ip6tables=0
+			fi
+		fi
+	fi
 }
 
 service_stopped() {
@@ -462,22 +526,19 @@ cleanup() {
 	# clear log
 	clear_log
 	# delete routing policy
-	ip rule del ipproto tcp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
-	ip rule del ipproto udp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
-	ip rule del ipproto tcp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
-	ip rule del ipproto udp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
+	ip -4 rule del ipproto tcp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
+	ip -4 rule del ipproto udp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
+	ip -4 rule del ipproto tcp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
+	ip -4 rule del ipproto udp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 	ip -6 rule del ipproto tcp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
 	ip -6 rule del ipproto udp table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
 	ip -6 rule del ipproto tcp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 	ip -6 rule del ipproto udp table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 	# delete routing table
-	ip route flush table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
-	ip route flush table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
+	ip -4 route flush table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
+	ip -4 route flush table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
 	ip -6 route flush table "$TPROXY_ROUTE_TABLE" > /dev/null 2>&1
 	ip -6 route flush table "$TUN_ROUTE_TABLE" > /dev/null 2>&1
-	# delete tun
-	ip link set "$TUN_DEVICE" down > /dev/null 2>&1
-	ip tuntap del dev "$TUN_DEVICE" mode tun > /dev/null 2>&1
 	# delete hijack
 	nft delete table inet "$FW_TABLE" > /dev/null 2>&1
 	local handles handle
@@ -489,13 +550,15 @@ cleanup() {
 	for handle in $handles; do
 		nft delete rule inet fw4 forward handle "$handle"
 	done
+	# delete started flag
+	rm -f "$STARTED_FLAG"
 	# revert fix compatible between tproxy and dockerd (kmod-br-netfilter)
-	if [ -f "/tmp/bridge_nf_call_iptables.flag" ]; then
-		rm -f /tmp/bridge_nf_call_iptables.flag
+	if [ -f "$BRIDGE_NF_CALL_IPTABLES_FLAG" ]; then
+		rm -f "$BRIDGE_NF_CALL_IPTABLES_FLAG"
 		sysctl -q -w net.bridge.bridge-nf-call-iptables=1
 	fi
-	if [ -f "/tmp/bridge_nf_call_ip6tables.flag" ]; then
-		rm -f /tmp/bridge_nf_call_ip6tables.flag
+	if [ -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG" ]; then
+		rm -f "$BRIDGE_NF_CALL_IP6TABLES_FLAG"
 		sysctl -q -w net.bridge.bridge-nf-call-ip6tables=1
 	fi
 	# delete cron
@@ -503,27 +566,6 @@ cleanup() {
 	/etc/init.d/cron restart
 }
 
-prepare_log() {
-	if [ ! -d "$LOG_DIR" ]; then
-		mkdir -p "$LOG_DIR"
-	fi
-	if [ ! -f "$APP_LOG_PATH" ]; then
-		touch "$APP_LOG_PATH"
-	fi
-	if [ ! -f "$CORE_LOG_PATH" ]; then
-		touch "$CORE_LOG_PATH"
-	fi
-}
-
-clear_log() {
-	echo -n > "$APP_LOG_PATH"
-	echo -n > "$CORE_LOG_PATH"
-}
-
-log() {
-	echo "[$(date "+%Y-%m-%d %H:%M:%S")] [$1] $2" >> "$APP_LOG_PATH"
-}
-
 mixin_authentications() {
 	local section="$1"
 

mihomo/files/nftables/hijack.nft

@@ -170,7 +170,7 @@ table inet mihomo {
 
 	chain dstnat {
 		type nat hook prerouting priority dstnat + 1; policy accept;
-		fib daddr type local counter return
+		fib daddr type { local, multicast, broadcast, anycast } counter return
 		ct direction reply counter return
 		ip daddr @reserved_ip counter return
 		ip6 daddr @reserved_ip6 counter return
@@ -184,7 +184,7 @@ table inet mihomo {
 		type nat hook output priority filter; policy accept;
 		meta skuid @bypass_user counter return
 		meta skgid @bypass_group counter return
-		fib daddr type local counter return
+		fib daddr type { local, multicast, broadcast, anycast } counter return
 		ct direction reply counter return
 		ip daddr @reserved_ip counter return
 		ip6 daddr @reserved_ip6 counter return
@@ -198,7 +198,7 @@ table inet mihomo {
 		type filter hook prerouting priority mangle; policy accept;
 		meta l4proto { tcp, udp } iifname lo meta mark & $FW_MARK_MASK == $FW_MARK tproxy to :$TPROXY_PORT counter accept
 		meta l4proto { tcp, udp } iifname $TUN_DEVICE counter accept
-		fib daddr type local counter return
+		fib daddr type { local, multicast, broadcast, anycast } counter return
 		ct direction reply counter return
 		ip daddr @reserved_ip counter return
 		ip6 daddr @reserved_ip6 counter return
@@ -213,7 +213,7 @@ table inet mihomo {
 		type route hook output priority mangle; policy accept;
 		meta skuid @bypass_user counter return
 		meta skgid @bypass_group counter return
-		fib daddr type local counter return
+		fib daddr type { local, multicast, broadcast, anycast } counter return
 		ct direction reply counter return
 		ip daddr @reserved_ip counter return
 		ip6 daddr @reserved_ip6 counter return

mihomo/files/scripts/firewall_include.sh

@@ -7,11 +7,12 @@ config_load mihomo
 config_get enabled "config" "enabled" 0
 config_get tcp_transparent_proxy_mode "proxy" "tcp_transparent_proxy_mode"
 config_get udp_transparent_proxy_mode "proxy" "udp_transparent_proxy_mode"
+config_get tun_device "mixin" "tun_device"
 
 if [ "$enabled" == 1 ] && [[ "$tcp_transparent_proxy_mode" == "tun" || "$udp_transparent_proxy_mode" == "tun" ]]; then
-	nft insert rule inet fw4 input iifname "$TUN_DEVICE" counter accept comment "mihomo"
-	nft insert rule inet fw4 forward oifname "$TUN_DEVICE" counter accept comment "mihomo"
-	nft insert rule inet fw4 forward iifname "$TUN_DEVICE" counter accept comment "mihomo"
+	nft insert rule inet fw4 input iifname "$tun_device" counter accept comment "mihomo"
+	nft insert rule inet fw4 forward oifname "$tun_device" counter accept comment "mihomo"
+	nft insert rule inet fw4 forward iifname "$tun_device" counter accept comment "mihomo"
 fi
 
 exit 0

mihomo/files/scripts/include.sh

@@ -12,7 +12,6 @@ TCP_RULE_PREF="1024"
 UDP_RULE_PREF="1025"
 TPROXY_ROUTE_TABLE="80"
 TUN_ROUTE_TABLE="81"
-TUN_DEVICE="mihomo"
 
 # paths
 PROG="/usr/bin/mihomo"
@@ -23,10 +22,18 @@ MIXIN_FILE_PATH="$HOME_DIR/mixin.yaml"
 RUN_DIR="$HOME_DIR/run"
 RUN_PROFILE_PATH="$RUN_DIR/config.yaml"
 RUN_UI_DIR="$RUN_DIR/ui"
+
+# log
 LOG_DIR="/var/log/mihomo"
 APP_LOG_PATH="$LOG_DIR/app.log"
 CORE_LOG_PATH="$LOG_DIR/core.log"
 
+# flag
+FLAG_DIR="/var/run/mihomo"
+STARTED_FLAG="$FLAG_DIR/started.flag"
+BRIDGE_NF_CALL_IPTABLES_FLAG="$FLAG_DIR/bridge_nf_call_iptables.flag"
+BRIDGE_NF_CALL_IP6TABLES_FLAG="$FLAG_DIR/bridge_nf_call_ip6tables.flag"
+
 # scripts
 SH_DIR="$HOME_DIR/scripts"
 INCLUDE_SH="$SH_DIR/include.sh"
@@ -64,3 +71,27 @@ format_filesize() {
 		echo "$(awk "BEGIN {print $size / $pb}") PB"
 	fi
 }
+
+prepare_files() {
+	if [ ! -d "$LOG_DIR" ]; then
+		mkdir -p "$LOG_DIR"
+	fi
+	if [ ! -f "$APP_LOG_PATH" ]; then
+		touch "$APP_LOG_PATH"
+	fi
+	if [ ! -f "$CORE_LOG_PATH" ]; then
+		touch "$CORE_LOG_PATH"
+	fi
+	if [ ! -d "$FLAG_DIR" ]; then
+		mkdir -p "$FLAG_DIR"
+	fi
+}
+
+clear_log() {
+	echo -n > "$APP_LOG_PATH"
+	echo -n > "$CORE_LOG_PATH"
+}
+
+log() {
+	echo "[$(date "+%Y-%m-%d %H:%M:%S")] [$1] $2" >> "$APP_LOG_PATH"
+}

mihomo/files/uci-defaults/migrate.sh

@@ -50,6 +50,9 @@ env=$(uci -q get mihomo.env); [ -z "$env" ] && {
     uci set mihomo.env.disable_quic_go_ecn=0
 }
 
+# since v1.15.0
+tun_device=$(uci -q get mihomo.mixin.tun_device); [ -z "$tun_device" ] && uci set mihomo.mixin.tun_device=mihomo
+
 # commit
 uci commit mihomo