feat(init): handle firewall rules (#25)

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-01-09 03:37:35 +00:00 · 2021-07-04 17:20:47 +08:00 · 2021-07-04 17:20:47 +08:00 · 665a1cdd39
commit 665a1cdd39
parent d82e7543e7
5 changed files with 110 additions and 19 deletions
--- a/21
+++ b/21
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=UA2F
 PKG_VERSION:=3.7
-PKG_RELEASE:=13
+PKG_RELEASE:=14

 PKG_LICENSE:=GPL-3.0-only
 PKG_LICENSE_FILE:=LICENSE
@ -15,7 +15,7 @@ define Package/ua2f
  SUBMENU:=Routing and Redirection
  TITLE:=Change User-Agent to Fwords
  URL:=https://github.com/Zxilly/UA2F
-  DEPENDS:=+iptables-mod-nfqueue +libipset +libnetfilter-conntrack +libnetfilter-queue
+  DEPENDS:=+ipset +iptables-mod-nfqueue +libnetfilter-conntrack +libnetfilter-queue
 endef

 define Package/ua2f/description
@ -32,8 +32,21 @@ endef
 define Package/ua2f/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ua2f $(1)/usr/bin/
-	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./init/ua2f $(1)/etc/init.d/ua2f
+
+	$(INSTALL_DIR) $(1)/etc/config $(1)/etc/init.d $(1)/etc/uci-defaults
+	$(INSTALL_BIN) ./files/ua2f.config $(1)/etc/config/ua2f
+	$(INSTALL_BIN) ./files/ua2f.init $(1)/etc/init.d/ua2f
+	$(INSTALL_BIN) ./files/ua2f.uci $(1)/etc/uci-defaults/80-ua2f
+endef
+
+define Package/ua2f/postinst
+#!/bin/sh
+
+# check if we are on real system
+[ -n "$${IPKG_INSTROOT}" ] || {
+	(. /etc/uci-defaults/80-ua2f) && rm -f /etc/uci-defaults/80-ua2f
+	exit 0
+}
 endef

 $(eval $(call BuildPackage,ua2f))
--- a/files/ua2f.config
+++ b/files/ua2f.config
@ -0,0 +1,8 @@
+
+config ua2f 'enabled'
+	option enabled '0'
+
+config ua2f 'firewall'
+	option handle_fw '0'
+	option handle_tls '0'
+
--- a/files/ua2f.init
+++ b/files/ua2f.init
@ -0,0 +1,75 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2020 Zxilly <zhouxinyu1001@gmail.com>
+# Copyright (C) 2021 Tianling Shen <cnsztl@immortalwrt.org>
+
+USE_PROCD=1
+
+START=99
+STOP=10
+
+NAME="ua2f"
+FW_DIR="/var/etc"
+FW_CONF="$FW_DIR/ua2f.include"
+
+start_service() {
+	config_load "$NAME"
+	local enabled
+	config_get enabled "enabled" "enabled" "0"
+	[ "$enabled" -eq "1" ] || exit 1
+
+	local handle_fw
+	local handle_tls
+	config_get handle_fw "firewall" "handle_fw"
+	config_get handle_tls "firewall" "handle_tls"
+
+	procd_open_instance "$NAME"
+	procd_set_param command "$NAME"
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn
+	procd_close_instance
+
+	[ "$handle_fw" -eq "1" ] && {
+		ipset create nohttp hash:ip,port hashsize 16384 timeout 300
+		iptables -t mangle -N ua2f
+		iptables -t mangle -A ua2f -d 0.0.0.0/8 -j RETURN
+		iptables -t mangle -A ua2f -d 10.0.0.0/8 -j RETURN
+		iptables -t mangle -A ua2f -d 127.0.0.0/8 -j RETURN
+		iptables -t mangle -A ua2f -d 169.254.0.0/16 -j RETURN
+		iptables -t mangle -A ua2f -d 172.16.0.0/12 -j RETURN
+		iptables -t mangle -A ua2f -d 192.168.0.0/16 -j RETURN
+		iptables -t mangle -A ua2f -d 224.0.0.0/4 -j RETURN
+		iptables -t mangle -A ua2f -d 240.0.0.0/4 -j RETURN # 不处理流向保留地址的包
+		iptables -t mangle -A ua2f -p tcp --dport 443 -j RETURN
+		iptables -t mangle -A ua2f -p tcp --dport 22 -j RETURN # 不处理 SSH
+		[ "$handle_tls" -eq "1" ] || iptables -t mangle -A ua2f -p tcp --dport 443 -j RETURN # 不处理 HTTPS
+		iptables -t mangle -A ua2f -p tcp --dport 80 -j CONNMARK --set-mark 44
+		iptables -t mangle -A ua2f -m connmark --mark 43 -j RETURN # 不处理标记为非 http 的流 (实验性)
+		iptables -t mangle -A ua2f -m set --set nohttp dst,dst -j RETURN
+		iptables -t mangle -A ua2f -j NFQUEUE --queue-num 10010
+		iptables -t mangle -A FORWARD -p tcp -m conntrack --ctdir ORIGINAL -j ua2f
+		iptables -t mangle -A FORWARD -p tcp -m conntrack --ctdir REPLY
+	}
+
+	mkdir -p "$FW_DIR"
+	echo -e "/etc/init.d/$NAME restart" > "$FW_CONF"
+}
+
+stop_service() {
+	iptables -t mangle -D FORWARD -p tcp -m conntrack --ctdir ORIGINAL -j ua2f
+	iptables -t mangle -D FORWARD -p tcp -m conntrack --ctdir REPLY
+	iptables -t mangle -F ua2f
+	iptables -t mangle -X ua2f
+	ipset destroy nohttp
+	rm -f "$FW_CONF"
+}
+
+reload_service() {
+	stop
+	sleep 2s
+	start
+}
+
+service_triggers() {
+	procd_add_reload_trigger "$NAME"
+}
--- a/files/ua2f.uci
+++ b/files/ua2f.uci
@ -0,0 +1,10 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete firewall.ua2f
+	set firewall.ua2f=include
+	set firewall.ua2f.type=script
+	set firewall.ua2f.path=/var/etc/ua2f.include
+	set firewall.ua2f.reload=1
+	commit firewall
+EOF
--- a/init/ua2f
+++ b/init/ua2f
@ -1,15 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2020 Zxilly
-
-START=50
-APP=ua2f
-SERVICE_WRITE_PID=1
-SERVICE_DAEMONIZE=1
-
-start() {
-        service_start /usr/bin/$APP
-}
-
-stop() {
-        service_stop /usr/bin/$APP
-}