From a82c568408552cb1c337d4be84b7e5d69661d7ab Mon Sep 17 00:00:00 2001 From: SunBK201 Date: Mon, 3 Nov 2025 04:45:59 +0800 Subject: [PATCH] feat: clash sidecar --- ipkg/CONTROL/control | 2 +- ipkg/CONTROL/control-e | 2 +- openwrt/files/ua3f.init | 252 ++++++++++++++++++++++------------------ 3 files changed, 143 insertions(+), 113 deletions(-) diff --git a/ipkg/CONTROL/control b/ipkg/CONTROL/control index 1293313..97f3e5c 100644 --- a/ipkg/CONTROL/control +++ b/ipkg/CONTROL/control @@ -7,5 +7,5 @@ License: GPL-3.0-only Section: net SourceDateEpoch: 1711267200 Architecture: all -Installed-Size: 4372480 +Installed-Size: 4495360 Description: Advanced HTTP User-Agent Rewriting Tool. diff --git a/ipkg/CONTROL/control-e b/ipkg/CONTROL/control-e index 1293313..97f3e5c 100644 --- a/ipkg/CONTROL/control-e +++ b/ipkg/CONTROL/control-e @@ -7,5 +7,5 @@ License: GPL-3.0-only Section: net SourceDateEpoch: 1711267200 Architecture: all -Installed-Size: 4372480 +Installed-Size: 4495360 Description: Advanced HTTP User-Agent Rewriting Tool. diff --git a/openwrt/files/ua3f.init b/openwrt/files/ua3f.init index 713d3f0..5411228 100755 --- a/openwrt/files/ua3f.init +++ b/openwrt/files/ua3f.init @@ -1,4 +1,5 @@ #!/bin/sh /etc/rc.common +# shellcheck disable=SC2034,SC1083,SC3043,SC2086 USE_PROCD=1 
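Review bot: The file-wide `# shellcheck disable=SC2034,SC1083,SC3043,SC2086` silences every unquoted-expansion warning in the script, including for `$SERVER_PORT` (presumably derived from the `port` UCI option) which is spliced unquoted into nft and iptables command lines further down, while the deliberate word-splitting seems confined to `$FAKEIP_RANGE` and `$SKIP_GIDS` inside nft set literals. Scoping the directive keeps the linter useful for the rest of the file: drop SC2086 from the header and put `# shellcheck disable=SC2086` on the line above each firewall setup function that relies on the splitting. The control-file hunks above are size bumps and need no review.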
@@ -14,23 +15,23 @@ FW_BACKEND="" NFT_TABLE="UA3F" UA3F_CHAIN="UA3F" UA3F_OUT_CHAIN="UA3F_OUTPUT" -UA3F_LOCAL="ua3f_localnetwork" -UA3FMARK="0xc9" -FWMARK="0x1c9" +UA3F_LANSET="ua3f_localnetwork" +UA3F_SOMARK="0xc9" +UA3F_FWMARK="0x1c9" ROUTE_TABLE="0x1c9" UA3F_GID="65534" UA3F_GROUP="nogroup" SKIP_GIDS="" +SIDECAR="OC" +FAKEIP_RANGE="198.18.0.0/16, 198.18.0.1/15, 28.0.0.1/8" RUNDIR="/var/run/${NAME}" [ -d "$RUNDIR" ] || mkdir -p "$RUNDIR" -ROUTE_CREATED_FLAG="$RUNDIR/route_created" -IPSET_CREATED_FLAG="$RUNDIR/ipset_created" LOG_FILE="/var/log/ua3f/ua3f.log" LOG() { if [ -n "${1}" ]; then - echo -e "[$(date "+%Y-%m-%d %H:%M:%S")] ${1}" >>$LOG_FILE + printf '[%s] %s\n' "$(date "+%Y-%m-%d %H:%M:%S")" "$1" >>"$LOG_FILE" fi } @@ -78,41 +79,44 @@ set_ua3f_group() { if openclash_running; then UA3F_GID="65534" UA3F_GROUP="nogroup" + SIDECAR="OCSC" add_skip_gids "7890" elif shellclash_running; then UA3F_GID="7890" UA3F_GROUP="shellcrash" - FWMARK="0x1ed6" add_skip_gids "65534" + SIDECAR="SC" elif openclash_exists; then UA3F_GID="65534" UA3F_GROUP="nogroup" add_skip_gids "7890" + SIDECAR="OC" elif shellclash_exists; then UA3F_GID="7890" UA3F_GROUP="shellcrash" - FWMARK="0x1ed6" add_skip_gids "65534" + SIDECAR="SC" else UA3F_GID="65534" UA3F_GROUP="nogroup" add_skip_gids "7890" + SIDECAR="OC" fi - LOG "Run as GID: $UA3F_GID, Group: $UA3F_GROUP" - LOG "Skip GIDs: $SKIP_GIDS" - LOG "FWMARK: $FWMARK" } add_skip_gids() { for gid in "$@"; do - [[ -z "$gid" ]] && continue - if [[ ! ",$SKIP_GIDS," =~ ,$gid, ]]; then - if [[ -z "$SKIP_GIDS" ]]; then - SKIP_GIDS="$gid" + [ -z "$gid" ] && continue + case ",$SKIP_GIDS," in + *,"$gid",*) ;; + *) + if [ -z "$SKIP_GIDS" ]; then + SKIP_GIDS=$gid else - SKIP_GIDS="$SKIP_GIDS,$gid" + SKIP_GIDS=$SKIP_GIDS,$gid fi - fi + ;; + esac done } 
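Review bot: `SIDECAR="OC"` and `FAKEIP_RANGE="..."` are new tunables with no comment saying what the values mean, and the only place SIDECAR is decoded is set_ua3f_group later in this diff, which assigns OC, OCSC or SC. I would document both where they are defined: `# Clash flavour detected by set_ua3f_group: OC (OpenClash), SC (ShellCrash); OCSC when OpenClash is running` and `# Destinations never captured (clash fake-ip pools); the iptables chains repeat these as -d literals, keep them in step`. The `198.18.0.0/16` entry lies inside `198.18.0.1/15`, so a short note on whether both are intentional or one is a leftover would help the next reader.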
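Review bot: set_ua3f_group distinguishes `SIDECAR="OCSC"` (OpenClash running) from `"OC"` (OpenClash merely installed, or nothing found at all), but every consumer visible in this diff tests only `"$SIDECAR" = "SC"`, so OCSC and OC behave identically and labelling a system with no clash installed as `OC` is misleading; either comment the intended future distinction or collapse it to one value. The three LOG lines that used to print GID, skip list and mark were moved into start_service, yet the new `SIDECAR` choice, which decides whether the sidecar chain is installed, is never logged; add `LOG "Sidecar: $SIDECAR"` beside `LOG "UA3F_FWMARK: $UA3F_FWMARK"`. Dropping the ShellCrash-specific `FWMARK="0x1ed6"` means ShellCrash-mode traffic now always carries 0x1c9; a one-line comment in the shellclash branches saying the sidecar chain performs the 7894 re-mark instead would save a trip through the nft rules.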
@@ -138,17 +142,25 @@ detect_backend() { return 1 } -ensure_tproxy_route() { - ip rule add fwmark "$FWMARK" table "$ROUTE_TABLE" 2>/dev/null - ip route add local 0.0.0.0/0 dev lo table "$ROUTE_TABLE" 2>/dev/null - echo 1 >"$ROUTE_CREATED_FLAG" +add_tproxy_route() { sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1 + + if ! output=$(ip rule add fwmark "$UA3F_FWMARK" table "$ROUTE_TABLE" 2>&1); then + LOG "Failed to add ip rule fwmark: $output" + return 1 + fi + + if ! output=$(ip route add local 0.0.0.0/0 dev lo table "$ROUTE_TABLE" 2>&1); then + LOG "Failed to add ip route local lo: $output" + return 1 + fi } + cleanup_tproxy_route() { - ip route del local 0.0.0.0/0 dev lo table "$ROUTE_TABLE" 2>/dev/null - ip rule del fwmark "$FWMARK" table "$ROUTE_TABLE" 2>/dev/null - rm -f "$ROUTE_CREATED_FLAG" + ip route flush table "$ROUTE_TABLE" >/dev/null 2>&1 + ip rule del fwmark "$UA3F_FWMARK" table "$ROUTE_TABLE" >/dev/null 2>&1 + ip rule del fwmark 0x1c9 table "$ROUTE_TABLE" >/dev/null 2>&1 } nft_drop_table() { nft delete table ip "$NFT_TABLE" 2>/dev/null; } 
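Review bot: add_tproxy_route now aborts on any `ip rule add`/`ip route add` failure, but both commands also fail with `RTNETLINK answers: File exists` when the rule or route is still present from a previous run (unclean stop, crash, or a reload where the old rule was never removed), so a leftover route becomes a hard start failure where the old code silently continued. Unless start_service (outside the hunk) always reverts first, make the function idempotent by calling `cleanup_tproxy_route` as its first statement, ahead of the sysctl lines. In cleanup_tproxy_route the extra `ip rule del fwmark 0x1c9 table "$ROUTE_TABLE"` duplicates the `$UA3F_FWMARK` line just above it (both are 0x1c9); if it is meant to clear the rule installed by the previous release's ShellCrash mode, the value wanted is `0x1ed6`. `output` is also assigned without `local`, so it leaks into the caller's scope.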
@@ -158,34 +170,46 @@ nft_reinit_table() { nft add table ip "$NFT_TABLE" || return 1 # set: localnetwork - nft "add set ip $NFT_TABLE $UA3F_LOCAL { type ipv4_addr; flags interval; auto-merge; }" || return 1 - nft "add element ip $NFT_TABLE $UA3F_LOCAL { 0.0.0.0/8, 127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4, 100.64.0.0/10 }" >/dev/null 2>&1 + nft "add set ip $NFT_TABLE $UA3F_LANSET { type ipv4_addr; flags interval; auto-merge; }" || return 1 + nft "add element ip $NFT_TABLE $UA3F_LANSET { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }" >/dev/null 2>&1 } fw_setup_nft_tproxy_tcp() { - nft_reinit_table || return 1 - ensure_tproxy_route + nft_reinit_table || { + LOG "Failed to reinitialize nft table" + return 1 + } + add_tproxy_route || { + LOG "Failed to add tproxy route" + return 1 + } + + if [ "$SIDECAR" = "SC" ]; then + nft add chain ip $NFT_TABLE sidecar '{ type filter hook prerouting priority mangle - 20; }' + nft add rule ip $NFT_TABLE sidecar meta l4proto tcp mark $UA3F_FWMARK mark set 7894 tproxy to 127.0.0.1:$SERVER_PORT counter accept comment '"cap sc"' + fi # PREROUTING -> UA3F nft add chain ip $NFT_TABLE prerouting '{ type filter hook prerouting priority filter + 20; }' - nft add rule ip $NFT_TABLE prerouting mark {$UA3FMARK, 0x162, 0x1ed4} counter return - nft add rule ip $NFT_TABLE prerouting ip daddr {198.18.0.0/16, 198.18.0.1/15, 28.0.0.1/8} counter return - nft add rule ip $NFT_TABLE prerouting meta l4proto {tcp, udp} th dport {53, 1053} counter return - nft add rule ip $NFT_TABLE prerouting ip daddr @$UA3F_LOCAL counter return + nft add rule ip $NFT_TABLE prerouting meta l4proto != tcp counter return nft add rule ip $NFT_TABLE prerouting ct direction reply counter return - nft add rule ip $NFT_TABLE prerouting meta l4proto tcp mark $FWMARK tproxy to 127.0.0.1:$SERVER_PORT counter accept - nft add rule ip $NFT_TABLE 
prerouting meta l4proto tcp mark set $FWMARK tproxy to 127.0.0.1:$SERVER_PORT counter accept + nft add rule ip $NFT_TABLE prerouting mark {$UA3F_SOMARK} counter return comment '"UA3F somark, never hit"' + nft add rule ip $NFT_TABLE prerouting mark {0x162} counter return comment '"354"' + nft add rule ip $NFT_TABLE prerouting mark {0x1ed4} counter return comment '"sc tproxy mark 7892"' + nft add rule ip $NFT_TABLE prerouting ip daddr {$FAKEIP_RANGE} counter return comment '"fakeip range"' + nft add rule ip $NFT_TABLE prerouting ip daddr @$UA3F_LANSET counter return + nft add rule ip $NFT_TABLE prerouting meta l4proto tcp mark $UA3F_FWMARK tproxy to 127.0.0.1:$SERVER_PORT counter accept comment '"cap oc"' + nft add rule ip $NFT_TABLE prerouting meta l4proto tcp mark set $UA3F_FWMARK tproxy to 127.0.0.1:$SERVER_PORT counter accept comment '"default less hit. sc"' # OUTPUT -> UA3F_OUTPUT nft add chain ip $NFT_TABLE output '{ type route hook output priority filter + 20; }' - nft add rule ip $NFT_TABLE output mark $UA3FMARK counter return - nft add rule ip $NFT_TABLE output ip daddr {198.18.0.0/16, 198.18.0.1/15, 28.0.0.1/8} counter return - nft add rule ip $NFT_TABLE output meta l4proto {tcp, udp} th dport {53, 1053} counter return + nft add rule ip $NFT_TABLE output meta l4proto != tcp counter return + nft add rule ip $NFT_TABLE output mark $UA3F_SOMARK counter return comment '"UA3F somark"' + nft add rule ip $NFT_TABLE output ip daddr {$FAKEIP_RANGE} counter return nft add rule ip $NFT_TABLE output meta skgid {$SKIP_GIDS} counter return - nft add rule ip $NFT_TABLE output ip daddr @$UA3F_LOCAL counter return - nft add rule ip $NFT_TABLE output meta l4proto tcp mark {0x1ed6} mark set $FWMARK counter accept - nft add rule ip $NFT_TABLE output meta l4proto tcp meta skgid $UA3F_GID mark set $FWMARK counter accept - nft add rule ip $NFT_TABLE output meta l4proto tcp mark set $FWMARK counter accept + nft add rule ip $NFT_TABLE output ip daddr @$UA3F_LANSET counter return + 
nft add rule ip $NFT_TABLE output meta l4proto tcp meta skgid $UA3F_GID mark set $UA3F_FWMARK counter accept comment '"ghost oc"' + nft add rule ip $NFT_TABLE output meta l4proto tcp mark set $UA3F_FWMARK counter accept comment '"default tproxy mark. bypass sc pre pollution"' } fw_setup_nft_redirect_tcp() { 
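Review bot: None of the `nft add chain`/`nft add rule` calls in fw_setup_nft_tproxy_tcp check their exit status, so a single rejected rule (a typo, an expression unsupported by an older nft) leaves the UA3F table half-populated while the function still returns 0; because the final prerouting and output rules are catch-alls (`mark set $UA3F_FWMARK tproxy ... accept`), a missing bypass rule means LAN or fake-ip traffic gets captured rather than skipped. This contrasts with nft_reinit_table and add_tproxy_route in the same commit, which now log and return 1. A small wrapper keeps the fix local to the call sites: `nft_rule() { nft add rule ip "$NFT_TABLE" "$@" || { LOG "nft add rule failed: $*"; return 1; }; }`, then `nft_rule prerouting ... || return 1` for each rule. When add_tproxy_route fails, the table created by nft_reinit_table is also left behind; calling `nft_drop_table` before the `return 1` would avoid the residue unless the caller already reverts.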
@@ -193,49 +217,58 @@ fw_setup_nft_redirect_tcp() { # PREROUTING -> UA3F nft add chain ip $NFT_TABLE prerouting '{ type nat hook prerouting priority filter + 20; }' - nft add rule ip $NFT_TABLE prerouting mark {$UA3FMARK, 0x162, 0x1ed4} counter return - nft add rule ip $NFT_TABLE prerouting ip daddr {198.18.0.0/16, 198.18.0.1/15, 28.0.0.1/8} counter return - nft add rule ip $NFT_TABLE prerouting meta l4proto {tcp, udp} th dport {53, 1053} counter return - nft add rule ip $NFT_TABLE prerouting ip daddr @$UA3F_LOCAL counter return + nft add rule ip $NFT_TABLE prerouting meta l4proto != tcp counter return nft add rule ip $NFT_TABLE prerouting ct direction reply counter return + nft add rule ip $NFT_TABLE prerouting mark {$UA3F_SOMARK} counter return comment '"UA3F somark, never hit"' + nft add rule ip $NFT_TABLE prerouting mark {0x162} counter return comment '"354"' + nft add rule ip $NFT_TABLE prerouting mark {0x1ed4} counter return comment '"sc tproxy mark 7892"' + nft add rule ip $NFT_TABLE prerouting ip daddr {$FAKEIP_RANGE} counter return comment '"fakeip range"' + nft add rule ip $NFT_TABLE prerouting ip daddr @$UA3F_LANSET counter return nft add rule ip $NFT_TABLE prerouting tcp dport != {22} counter redirect to :$SERVER_PORT # OUTPUT -> UA3F_OUTPUT nft add chain ip $NFT_TABLE output '{ type nat hook output priority filter + 20; }' - nft add rule ip $NFT_TABLE output mark $UA3FMARK counter return - nft add rule ip $NFT_TABLE output ip daddr {198.18.0.0/16, 198.18.0.1/15, 28.0.0.1/8} counter return - nft add rule ip $NFT_TABLE output meta l4proto {tcp, udp} th dport {53, 1053} counter return + nft add rule ip $NFT_TABLE output meta l4proto != tcp counter return + nft add rule ip $NFT_TABLE output mark $UA3F_SOMARK counter return comment '"UA3F somark"' + nft add rule ip $NFT_TABLE output ip daddr {$FAKEIP_RANGE} counter return + nft add rule ip $NFT_TABLE output ip daddr @$UA3F_LANSET counter return nft add rule ip $NFT_TABLE output meta skgid {$SKIP_GIDS} 
counter return - nft add rule ip $NFT_TABLE output ip daddr @$UA3F_LOCAL counter return - nft add rule ip $NFT_TABLE output meta l4proto tcp mark {0x1ed6} counter redirect to :$SERVER_PORT - nft add rule ip $NFT_TABLE output meta skgid $UA3F_GID tcp dport != {22} counter redirect to :$SERVER_PORT - nft add rule ip $NFT_TABLE output tcp dport != {22} counter redirect to :$SERVER_PORT + nft add rule ip $NFT_TABLE output meta l4proto tcp mark {0x1ed6} counter redirect to :$SERVER_PORT comment '"cap sc meta"' + nft add rule ip $NFT_TABLE output meta skgid $UA3F_GID tcp dport != {22} counter redirect to :$SERVER_PORT comment '"cap oc"' + nft add rule ip $NFT_TABLE output tcp dport != {22} counter redirect to :$SERVER_PORT comment '"cap scc"' } fw_revert_nft() { nft_drop_table - [ -f "$ROUTE_CREATED_FLAG" ] && cleanup_tproxy_route + cleanup_tproxy_route } -ensure_local_set_ipt() { - if ! ipset list "$UA3F_LOCAL" >/dev/null 2>&1; then - ipset create "$UA3F_LOCAL" hash:net maxelem 1048576 || return 1 - echo 1 >"$IPSET_CREATED_FLAG" - ipset add "$UA3F_LOCAL" 0.0.0.0/8 - ipset add "$UA3F_LOCAL" 127.0.0.0/8 - ipset add "$UA3F_LOCAL" 10.0.0.0/8 - ipset add "$UA3F_LOCAL" 169.254.0.0/16 - ipset add "$UA3F_LOCAL" 172.16.0.0/12 - ipset add "$UA3F_LOCAL" 192.168.0.0/16 - ipset add "$UA3F_LOCAL" 224.0.0.0/4 - ipset add "$UA3F_LOCAL" 240.0.0.0/4 - ipset add "$UA3F_LOCAL" 100.64.0.0/10 - fi +setup_ipset_ipt() { + cleanup_ipset_ipt + ipset create $UA3F_LANSET hash:net || return 1 + ipset add $UA3F_LANSET 0.0.0.0/8 + ipset add $UA3F_LANSET 10.0.0.0/8 + ipset add $UA3F_LANSET 100.64.0.0/10 + ipset add $UA3F_LANSET 127.0.0.0/8 + ipset add $UA3F_LANSET 169.254.0.0/16 + ipset add $UA3F_LANSET 172.16.0.0/12 + ipset add $UA3F_LANSET 192.168.0.0/16 + ipset add $UA3F_LANSET 224.0.0.0/4 + ipset add $UA3F_LANSET 240.0.0.0/4 } fw_setup_ipt_tproxy_tcp() { - ensure_local_set_ipt || return 1 - ensure_tproxy_route + setup_ipset_ipt || return 1 + add_tproxy_route || return 1 + + if [ "$SIDECAR" = "SC" 
]; then + iptables -t mangle -F SIDECAR 2>/dev/null + iptables -t mangle -D PREROUTING -p tcp -j SIDECAR 2>/dev/null + iptables -t mangle -X SIDECAR 2>/dev/null + iptables -t mangle -N SIDECAR + iptables -t mangle -I PREROUTING -p tcp -j SIDECAR + iptables -t mangle -A SIDECAR -m mark --mark $UA3F_FWMARK -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $SERVER_PORT --tproxy-mark 7894 + fi # PREROUTING iptables -t mangle -F $UA3F_CHAIN 2>/dev/null 
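Review bot: setup_ipset_ipt destroys and recreates `$UA3F_LANSET` before the chains that reference it are flushed: in fw_setup_ipt_tproxy_tcp the `-F $UA3F_CHAIN`/`-X` calls come after `setup_ipset_ipt`, and the function body continues past the end of this hunk. If a previous run's rules are still installed, `ipset destroy` fails silently (a set referenced by a rule cannot be destroyed), `ipset create` then fails because the set already exists, and the whole setup returns 1; the old ensure_local_set_ipt reused an existing set and had no such failure mode. Either move the chain teardown ahead of the set setup or tolerate the existing set: `ipset create $UA3F_LANSET hash:net 2>/dev/null || ipset flush $UA3F_LANSET || return 1`. The `ipset add` calls are also unchecked, and an entry that silently fails to add widens what gets captured.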
@@ -243,18 +276,16 @@ fw_setup_ipt_tproxy_tcp() {
 iptables -t mangle -X $UA3F_CHAIN 2>/dev/null
 iptables -t mangle -N $UA3F_CHAIN
 iptables -t mangle -A PREROUTING -p tcp -j $UA3F_CHAIN
- iptables -t mangle -A $UA3F_CHAIN -m mark --mark $UA3FMARK -j RETURN
+ iptables -t mangle -A $UA3F_CHAIN -m conntrack --ctdir REPLY -j RETURN
+ iptables -t mangle -A $UA3F_CHAIN -m mark --mark $UA3F_SOMARK -j RETURN
 iptables -t mangle -A $UA3F_CHAIN -m mark --mark 0x162 -j RETURN
 iptables -t mangle -A $UA3F_CHAIN -m mark --mark 0x1ed4 -j RETURN
 iptables -t mangle -A $UA3F_CHAIN -d 198.18.0.0/16 -j RETURN
 iptables -t mangle -A $UA3F_CHAIN -d 28.0.0.1/8 -j RETURN
 iptables -t mangle -A $UA3F_CHAIN -d 198.18.0.1/15 -j RETURN
- iptables -t mangle -A $UA3F_CHAIN -p tcp --dport 53 -j RETURN
- iptables -t mangle -A $UA3F_CHAIN -p tcp --dport 1053 -j RETURN
- iptables -t mangle -A $UA3F_CHAIN -m set --match-set $UA3F_LOCAL dst -j RETURN
- iptables -t mangle -A $UA3F_CHAIN -m conntrack --ctdir REPLY -j RETURN
- iptables -t mangle -A $UA3F_CHAIN -p tcp -m mark --mark $FWMARK -j TPROXY --on-ip 127.0.0.1 --on-port $SERVER_PORT
- iptables -t mangle -A $UA3F_CHAIN -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $SERVER_PORT --tproxy-mark $FWMARK
+ iptables -t mangle -A $UA3F_CHAIN -m set --match-set $UA3F_LANSET dst -j RETURN
+ iptables -t mangle -A $UA3F_CHAIN -p tcp -m mark --mark $UA3F_FWMARK -j TPROXY --on-ip 127.0.0.1 --on-port $SERVER_PORT
+ iptables -t mangle -A $UA3F_CHAIN -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $SERVER_PORT --tproxy-mark $UA3F_FWMARK
 
 # OUTPUT
 iptables -t mangle -F $UA3F_OUT_CHAIN 2>/dev/null
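Review bot: The fake-ip destinations are still written as literals in this chain (`-d 198.18.0.0/16`, `-d 28.0.0.1/8`, `-d 198.18.0.1/15`) while the nft chains in the same commit read them from `$FAKEIP_RANGE`; the same three literals recur in the other iptables chains, so a future edit to the variable will silently leave the iptables backend capturing fake-ip traffic. fw_setup_ipt_tproxy_tcp starts before and ends after this hunk. Deriving the rules from the variable keeps the two backends in step: `for net in $(printf '%s' "$FAKEIP_RANGE" | tr ',' ' '); do iptables -t mangle -A $UA3F_CHAIN -d "$net" -j RETURN; done` in place of the three lines.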
@@ -262,21 +293,18 @@ fw_setup_ipt_tproxy_tcp() {
 iptables -t mangle -X $UA3F_OUT_CHAIN 2>/dev/null
 iptables -t mangle -N $UA3F_OUT_CHAIN
 iptables -t mangle -I OUTPUT -p tcp -j $UA3F_OUT_CHAIN
- iptables -t mangle -A $UA3F_OUT_CHAIN -m mark --mark $UA3FMARK -j RETURN
+ iptables -t mangle -A $UA3F_OUT_CHAIN -m mark --mark $UA3F_SOMARK -j RETURN
 iptables -t mangle -A $UA3F_OUT_CHAIN -d 198.18.0.0/16 -j RETURN
 iptables -t mangle -A $UA3F_OUT_CHAIN -d 28.0.0.1/8 -j RETURN
 iptables -t mangle -A $UA3F_OUT_CHAIN -d 198.18.0.1/15 -j RETURN
- iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp --dport 53 -j RETURN
- iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp --dport 1053 -j RETURN
 iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp -m owner --gid-owner 453 -j RETURN
- iptables -t mangle -A $UA3F_OUT_CHAIN -m set --match-set $UA3F_LOCAL dst -j RETURN
- iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp -m mark --mark 0x1ed6 -j MARK --set-mark $FWMARK
- iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp -m owner --gid-owner $UA3F_GID -j MARK --set-mark $FWMARK
- iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp -j MARK --set-mark $FWMARK
+ iptables -t mangle -A $UA3F_OUT_CHAIN -m set --match-set $UA3F_LANSET dst -j RETURN
+ iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp -m owner --gid-owner $UA3F_GID -j MARK --set-mark $UA3F_FWMARK
+ iptables -t mangle -A $UA3F_OUT_CHAIN -p tcp -j MARK --set-mark $UA3F_FWMARK
 }
 
 fw_setup_ipt_redirect_tcp() {
- ensure_local_set_ipt || return 1
+ setup_ipset_ipt || return 1
 
 # PREROUTING
 iptables -t nat -F $UA3F_CHAIN 2>/dev/null
@@ -284,16 +312,14 @@ fw_setup_ipt_redirect_tcp() {
 iptables -t nat -X $UA3F_CHAIN 2>/dev/null
 iptables -t nat -N $UA3F_CHAIN
 iptables -t nat -A PREROUTING -p tcp -j $UA3F_CHAIN
- iptables -t nat -A $UA3F_CHAIN -m mark --mark $UA3FMARK -j RETURN
+ iptables -t nat -A $UA3F_CHAIN -m conntrack --ctdir REPLY -j RETURN
+ iptables -t nat -A $UA3F_CHAIN -m mark --mark $UA3F_SOMARK -j RETURN
 iptables -t nat -A $UA3F_CHAIN -m mark --mark 0x162 -j RETURN
 iptables -t nat -A $UA3F_CHAIN -m mark --mark 0x1ed4 -j RETURN
 iptables -t nat -A $UA3F_CHAIN -d 198.18.0.0/16 -j RETURN
 iptables -t nat -A $UA3F_CHAIN -d 28.0.0.1/8 -j RETURN
 iptables -t nat -A $UA3F_CHAIN -d 198.18.0.1/15 -j RETURN
- iptables -t nat -A $UA3F_CHAIN -p tcp --dport 53 -j RETURN
- iptables -t nat -A $UA3F_CHAIN -p tcp --dport 1053 -j RETURN
- iptables -t nat -A $UA3F_CHAIN -m set --match-set $UA3F_LOCAL dst -j RETURN
- iptables -t nat -A $UA3F_CHAIN -m conntrack --ctdir REPLY -j RETURN
+ iptables -t nat -A $UA3F_CHAIN -m set --match-set $UA3F_LANSET dst -j RETURN
 iptables -t nat -A $UA3F_CHAIN -p tcp -j REDIRECT --to-ports $SERVER_PORT
 
 # OUTPUT
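Review bot: The PREROUTING redirect here, `-A $UA3F_CHAIN -p tcp -j REDIRECT --to-ports $SERVER_PORT`, captures every non-bypassed TCP flow including port 22, whereas the nft redirect chain written in the same commit excludes it with `tcp dport != {22}` in both its prerouting and output rules, so SSH to hosts beyond the router behaves differently depending on which backend detect_backend picked. Matching the nft behaviour is a one-token change: `iptables -t nat -A $UA3F_CHAIN -p tcp ! --dport 22 -j REDIRECT --to-ports $SERVER_PORT`, and the same applies to the unconditional REDIRECT rules in the nat OUTPUT chain that follows. fw_setup_ipt_redirect_tcp starts before and ends after this hunk.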
@@ -301,21 +327,27 @@ fw_setup_ipt_redirect_tcp() {
 iptables -t nat -D OUTPUT -p tcp -j $UA3F_OUT_CHAIN 2>/dev/null
 iptables -t nat -X $UA3F_OUT_CHAIN 2>/dev/null
 iptables -t nat -N $UA3F_OUT_CHAIN
- iptables -t nat -A OUTPUT -p tcp -j $UA3F_OUT_CHAIN
- iptables -t nat -A $UA3F_OUT_CHAIN -m mark --mark $UA3FMARK -j RETURN
+ iptables -t nat -I OUTPUT -p tcp -j $UA3F_OUT_CHAIN
+ iptables -t nat -A $UA3F_OUT_CHAIN -m mark --mark $UA3F_SOMARK -j RETURN
 iptables -t nat -A $UA3F_OUT_CHAIN -d 198.18.0.0/16 -j RETURN
 iptables -t nat -A $UA3F_OUT_CHAIN -d 28.0.0.1/8 -j RETURN
 iptables -t nat -A $UA3F_OUT_CHAIN -d 198.18.0.1/15 -j RETURN
- iptables -t nat -A $UA3F_OUT_CHAIN -p tcp --dport 53 -j RETURN
- iptables -t nat -A $UA3F_OUT_CHAIN -p tcp --dport 1053 -j RETURN
- iptables -t nat -A $UA3F_OUT_CHAIN -p tcp -m owner --gid-owner 453 -j RETURN
- iptables -t nat -A $UA3F_OUT_CHAIN -m set --match-set $UA3F_LOCAL dst -j RETURN
+ iptables -t nat -A $UA3F_OUT_CHAIN -m set --match-set $UA3F_LANSET dst -j RETURN
+ iptables -t nat -A $UA3F_OUT_CHAIN -m owner --gid-owner 453 -j RETURN
 iptables -t nat -A $UA3F_OUT_CHAIN -p tcp -m mark --mark 0x1ed6 -j REDIRECT --to-ports $SERVER_PORT
 iptables -t nat -A $UA3F_OUT_CHAIN -p tcp -m owner --gid-owner $UA3F_GID -j REDIRECT --to-ports $SERVER_PORT
 iptables -t nat -A $UA3F_OUT_CHAIN -p tcp -j REDIRECT --to-ports $SERVER_PORT
 }
 
+cleanup_ipset_ipt() {
+ ipset destroy $UA3F_LANSET 2>/dev/null
+}
+
 fw_revert_ipt() {
+ # sidecar
+ iptables -t mangle -F SIDECAR 2>/dev/null
+ iptables -t mangle -D PREROUTING -p tcp -j SIDECAR 2>/dev/null
+ iptables -t mangle -X SIDECAR 2>/dev/null
 # mangle
 iptables -t mangle -D PREROUTING -p tcp -j $UA3F_CHAIN 2>/dev/null
 iptables -t mangle -F $UA3F_CHAIN 2>/dev/null
@@ -331,11 +363,8 @@ fw_revert_ipt() { iptables -t nat -F $UA3F_OUT_CHAIN 2>/dev/null iptables -t nat -X $UA3F_OUT_CHAIN 2>/dev/null # ipset - if [ -f "$IPSET_CREATED_FLAG" ]; then - ipset destroy "$UA3F_LOCAL" 2>/dev/null - rm -f "$IPSET_CREATED_FLAG" - fi - [ -f "$ROUTE_CREATED_FLAG" ] && cleanup_tproxy_route + cleanup_ipset_ipt + cleanup_tproxy_route } start_service() { @@ -366,14 +395,17 @@ start_service() { SERVER_MODE="$server_mode" LOG "Server Mode: $SERVER_MODE" - LOG "Port: $(echo $port)" - LOG "Bind: $(echo $bind)" - LOG "User-Agent: $(echo $ua)" - LOG "User-Agent Regex: $(echo $ua_regex)" - LOG "Log level: $(echo $log_level)" - LOG "Partial Replace: $(echo $partial_replace)" + LOG "Port: $port" + LOG "Bind: $bind" + LOG "User-Agent: $ua" + LOG "User-Agent Regex: $ua_regex" + LOG "Log level: $log_level" + LOG "Partial Replace: $partial_replace" set_ua3f_group + LOG "Run as GID: $UA3F_GID, Group: $UA3F_GROUP" + LOG "Skip GIDs: $SKIP_GIDS" + LOG "UA3F_FWMARK: $UA3F_FWMARK" detect_backend || { LOG "No supported firewall backend found (nftables or iptables)" @@ -429,11 +461,11 @@ start_service() { procd_open_instance "$NAME" procd_set_param command "$PROG" procd_append_param command -m "$server_mode" - procd_append_param command -p $port + procd_append_param command -p "$port" procd_append_param command -b "$bind" procd_append_param command -f "$ua" procd_append_param command -r "$ua_regex" - procd_append_param command -l $log_level + procd_append_param command -l "$log_level" [ "$partial_replace" = "1" ] && procd_append_param command -s procd_set_param respawn @@ -448,15 +480,13 @@ start_service() { stop_service() { LOG "Stopping $NAME service..." - fw_revert_ipt >/dev/null 2>&1 fw_revert_nft >/dev/null 2>&1 - rm -f "$IPSET_CREATED_FLAG" "$ROUTE_CREATED_FLAG" - LOG "$NAME service stopped" } reload_service() { + set_ua3f_group stop start }
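Review bot: stop_service now calls only `fw_revert_nft`, with the `fw_revert_ipt` line removed, so on a router where detect_backend chose iptables a plain `stop` leaves the mangle/nat UA3F chains, the new SIDECAR chain, the ipset and the `fwmark 0x1c9` policy route in place while nothing listens on `$SERVER_PORT`, turning every captured TCP flow into a connection refused; nothing else in the visible hunks invokes fw_revert_ipt. Selecting the revert by `$FW_BACKEND` is not an option here, since that variable is initialised to `""` and only set by detect_backend inside start_service, so a fresh `stop` process never knows the backend. Unless a dispatcher outside the diff handles it, restore `fw_revert_ipt >/dev/null 2>&1` alongside the nft call; both functions already tolerate absent chains. The `set_ua3f_group` added to reload_service duplicates the call start_service makes and can be dropped.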