From 665a1cdd3987a45084b22754df6868559a8aefd7 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Sun, 4 Jul 2021 17:20:47 +0800 Subject: [PATCH] feat(init): handle firewall rules (#25) Signed-off-by: Tianling Shen --- Makefile | 21 ++++++++++--- files/ua2f.config | 8 +++++ files/ua2f.init | 75 +++++++++++++++++++++++++++++++++++++++++++++++ files/ua2f.uci | 10 +++++++ init/ua2f | 15 ---------- 5 files changed, 110 insertions(+), 19 deletions(-) create mode 100644 files/ua2f.config create mode 100755 files/ua2f.init create mode 100644 files/ua2f.uci delete mode 100644 init/ua2f diff --git a/Makefile b/Makefile index 7add192..31c2b4e 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=UA2F PKG_VERSION:=3.7 -PKG_RELEASE:=13 +PKG_RELEASE:=14 PKG_LICENSE:=GPL-3.0-only PKG_LICENSE_FILE:=LICENSE @@ -15,7 +15,7 @@ define Package/ua2f SUBMENU:=Routing and Redirection TITLE:=Change User-Agent to Fwords URL:=https://github.com/Zxilly/UA2F - DEPENDS:=+iptables-mod-nfqueue +libipset +libnetfilter-conntrack +libnetfilter-queue + DEPENDS:=+ipset +iptables-mod-nfqueue +libnetfilter-conntrack +libnetfilter-queue endef define Package/ua2f/description @@ -32,8 +32,21 @@ endef define Package/ua2f/install $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_BUILD_DIR)/ua2f $(1)/usr/bin/ - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./init/ua2f $(1)/etc/init.d/ua2f + + $(INSTALL_DIR) $(1)/etc/config $(1)/etc/init.d $(1)/etc/uci-defaults + $(INSTALL_BIN) ./files/ua2f.config $(1)/etc/config/ua2f + $(INSTALL_BIN) ./files/ua2f.init $(1)/etc/init.d/ua2f + $(INSTALL_BIN) ./files/ua2f.uci $(1)/etc/uci-defaults/80-ua2f +endef + +define Package/ua2f/postinst +#!/bin/sh + +# check if we are on real system +[ -n "$${IPKG_INSTROOT}" ] || { + (. /etc/uci-defaults/80-ua2f) && rm -f /etc/uci-defaults/80-ua2f + exit 0 +} endef $(eval $(call BuildPackage,ua2f)) diff --git a/files/ua2f.config b/files/ua2f.config new file mode 100644 index 0000000..1aa6ff0 
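Review bot: In the `Package/ua2f/install` hunk, `./files/ua2f.config` is copied to `/etc/config/ua2f` with `$(INSTALL_BIN)`, which gives a UCI configuration file the executable bit and world-readable mode; `$(INSTALL_CONF) ./files/ua2f.config $(1)/etc/config/ua2f` is the macro meant for it, while the init and uci-defaults scripts are correctly installed with `$(INSTALL_BIN)`. The package also never declares the new config file as a conffile, so a user's `enabled`/`handle_fw`/`handle_tls` settings are overwritten on every package upgrade; adding `define Package/ua2f/conffiles`, `/etc/config/ua2f`, `endef` next to the install section fixes that. The `postinst` block follows the usual uci-defaults idiom and looks fine; a one-line comment saying that the sourced script only registers the firewall include and is then removed would help the next reader.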
--- /dev/null +++ b/files/ua2f.config @@ -0,0 +1,8 @@ + +config ua2f 'enabled' + option enabled '0' + +config ua2f 'firewall' + option handle_fw '0' + option handle_tls '0' + diff --git a/files/ua2f.init b/files/ua2f.init new file mode 100755 index 0000000..e4769df --- /dev/null +++ b/files/ua2f.init 
@@ -0,0 +1,75 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2020 Zxilly +# Copyright (C) 2021 Tianling Shen + +USE_PROCD=1 + +START=99 +STOP=10 + +NAME="ua2f" +FW_DIR="/var/etc" +FW_CONF="$FW_DIR/ua2f.include" + +start_service() { + config_load "$NAME" + local enabled + config_get enabled "enabled" "enabled" "0" + [ "$enabled" -eq "1" ] || exit 1 + + local handle_fw + local handle_tls + config_get handle_fw "firewall" "handle_fw" + config_get handle_tls "firewall" "handle_tls" + + procd_open_instance "$NAME" + procd_set_param command "$NAME" + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_set_param respawn + procd_close_instance + + [ "$handle_fw" -eq "1" ] && { + ipset create nohttp hash:ip,port hashsize 16384 timeout 300 + iptables -t mangle -N ua2f + iptables -t mangle -A ua2f -d 0.0.0.0/8 -j RETURN + iptables -t mangle -A ua2f -d 10.0.0.0/8 -j RETURN + iptables -t mangle -A ua2f -d 127.0.0.0/8 -j RETURN + iptables -t mangle -A ua2f -d 169.254.0.0/16 -j RETURN + iptables -t mangle -A ua2f -d 172.16.0.0/12 -j RETURN + iptables -t mangle -A ua2f -d 192.168.0.0/16 -j RETURN + iptables -t mangle -A ua2f -d 224.0.0.0/4 -j RETURN + iptables -t mangle -A ua2f -d 240.0.0.0/4 -j RETURN # 不处理流向保留地址的包 + iptables -t mangle -A ua2f -p tcp --dport 443 -j RETURN + iptables -t mangle -A ua2f -p tcp --dport 22 -j RETURN # 不处理 SSH + [ "$handle_tls" -eq "1" ] || iptables -t mangle -A ua2f -p tcp --dport 443 -j RETURN # 不处理 HTTPS + iptables -t mangle -A ua2f -p tcp --dport 80 -j CONNMARK --set-mark 44 + iptables -t mangle -A ua2f -m connmark --mark 43 -j RETURN # 不处理标记为非 http 的流 (实验性) + iptables -t mangle -A ua2f -m set --set nohttp dst,dst -j RETURN + iptables -t mangle -A ua2f -j NFQUEUE --queue-num 10010 + iptables -t mangle -A FORWARD -p tcp -m conntrack --ctdir ORIGINAL -j ua2f + iptables -t mangle -A FORWARD -p tcp -m conntrack --ctdir REPLY + } + + mkdir -p "$FW_DIR" + echo -e "/etc/init.d/$NAME restart" > "$FW_CONF" +} + +stop_service() { + iptables -t mangle 
-D FORWARD -p tcp -m conntrack --ctdir ORIGINAL -j ua2f + iptables -t mangle -D FORWARD -p tcp -m conntrack --ctdir REPLY + iptables -t mangle -F ua2f + iptables -t mangle -X ua2f + ipset destroy nohttp + rm -f "$FW_CONF" +} + +reload_service() { + stop + sleep 2s + start +} + +service_triggers() { + procd_add_reload_trigger "$NAME" +} diff --git a/files/ua2f.uci b/files/ua2f.uci new file mode 100644 index 0000000..6aedec8 --- /dev/null +++ b/files/ua2f.uci @@ -0,0 +1,10 @@ +#!/bin/sh + +uci -q batch <<-EOF >/dev/null + delete firewall.ua2f + set firewall.ua2f=include + set firewall.ua2f.type=script + set firewall.ua2f.path=/var/etc/ua2f.include + set firewall.ua2f.reload=1 + commit firewall +EOF diff --git a/init/ua2f b/init/ua2f deleted file mode 100644 index 0626c60..0000000 --- a/init/ua2f +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2020 Zxilly - -START=50 -APP=ua2f -SERVICE_WRITE_PID=1 -SERVICE_DAEMONIZE=1 - -start() { - service_start /usr/bin/$APP -} - -stop() { - service_stop /usr/bin/$APP -} \ No newline at end of file
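Review bot: In `start_service` the `handle_tls` option has no effect, because the unconditional `iptables -t mangle -A ua2f -p tcp --dport 443 -j RETURN` two lines above the guarded `[ "$handle_tls" -eq "1" ] || …` line already returns every HTTPS packet before that check is reached; drop the unconditional line so the option actually decides. `handle_fw` and `handle_tls` are read with `config_get` without a default, unlike `enabled`, so when the section or option is absent the `-eq` tests compare an empty string and fail with a shell error instead of being treated as `0`; pass `"0"` as the fourth argument for both. The last rule, `iptables -t mangle -A FORWARD -p tcp -m conntrack --ctdir REPLY`, has no `-j` target and therefore only counts packets; if reply traffic was meant to reach the chain it needs `-j ua2f`, otherwise the line should be removed. `stop_service` deletes the chain and the ipset unconditionally, so it will log failures whenever `handle_fw` was `0`; guarding the teardown with the same option keeps the logs clean. Because the chain ends in `-j NFQUEUE --queue-num 10010` without `--queue-bypass`, all forwarded TCP traffic reaching the chain is dropped while the daemon is down or respawning; adding `--queue-bypass` lets that traffic pass unmodified in the meantime, if fail-open is the intended behaviour.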