

fix ipv6 rules #3919
vernesong committed Jun 16, 2024
1 parent d2cae1b commit 9d5e4d0
Showing 1 changed file with 41 additions and 33 deletions.
74 changes: 41 additions & 33 deletions luci-app-openclash/root/etc/init.d/openclash
Expand Up @@ -1231,15 +1231,20 @@ firewall_redirect_exclude()
if [ "$ipv6_enable" -eq 1 ]; then
if $e_tcp ; then
if [ -n "$dest_ip" ]; then
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
if [ "$ipv6_mode" -eq 1 ]; then
nft insert rule inet fw4 openclash_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
nft insert rule inet fw4 openclash_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
else
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
fi
fi
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
fi
if $e_udp ; then
if [ -n "$dest_ip" ]; then
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$dest_ip" } udp sport "$dest_port" counter return >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } udp sport "$dest_port" counter return >/dev/null 2>&1
fi
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } udp sport "$dest_port" counter return >/dev/null 2>&1
fi
fi
else
Expand Down Expand Up @@ -1275,15 +1280,21 @@ firewall_redirect_exclude()
if [ "$ipv6_enable" -eq 1 ] && [ -n "$(ip6tables -t mangle -L 2>&1 | grep -o 'Chain')" ]; then
if $e_tcp ; then
if [ -n "$dest_ip" ]; then
ip6tables -t mangle -I openclash -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
if [ "$ipv6_mode" -eq 1 ]; then
ip6tables -t nat -I openclash -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
ip6tables -t nat -I openclash_output -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
else
ip6tables -t mangle -I openclash -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
ip6tables -t mangle -I openclash_output -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
fi
fi
ip6tables -t mangle -I openclash_output -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1

fi
if $e_udp ; then
if [ -n "$dest_ip" ]; then
ip6tables -t mangle -I openclash -p udp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
ip6tables -t mangle -I openclash_output -p udp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
fi
ip6tables -t mangle -I openclash_output -p udp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
fi
fi
fi
Expand Down Expand Up @@ -2049,7 +2060,10 @@ if [ -n "$FW4" ]; then
fi
nft add rule inet fw4 openclash_v6 meta nfproto {ipv6} tcp dport { 0-65535 } counter redirect to "$proxy_port"
nft 'add rule inet fw4 dstnat meta nfproto {ipv6} tcp dport { 0-65535 } counter jump openclash_v6'
fi

#tproxy not support output chain
if [ "$ipv6_mode" -eq 0 ] || [ "$ipv6_mode" -eq 1 ]; then
if [ "$router_self_proxy" = "1" ]; then
nft 'add chain inet fw4 openclash_output_v6'
nft 'flush chain inet fw4 openclash_output_v6'
Expand All @@ -2067,16 +2081,12 @@ if [ -n "$FW4" ]; then
nft 'add rule inet fw4 openclash_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return'
fi
fi
if [ "$ipv6_mode" -eq 2 ]; then
nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" counter
elif [ "$ipv6_mode" -eq 0 ]; then
nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" tproxy ip6 to :"$tproxy_port" counter accept comment \"OpenClash TCP Tproxy\"
fi
nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} tcp dport { 0-65535 } counter redirect to "$proxy_port"
nft 'add chain inet fw4 nat_output { type nat hook output priority -1; }'
nft 'add rule inet fw4 nat_output meta nfproto {ipv6} ip protocol tcp counter jump openclash_output_v6'
nft 'add rule inet fw4 nat_output meta nfproto {ipv6} counter jump openclash_output_v6'
fi
fi

if [ "$enable_v6_udp_proxy" -eq 1 ] || [ "$ipv6_mode" -eq 0 ] || [ "$ipv6_mode" -eq 2 ]; then
nft 'add chain inet fw4 openclash_mangle_v6'
nft 'flush chain inet fw4 openclash_mangle_v6'
Expand Down Expand Up @@ -2117,28 +2127,26 @@ if [ -n "$FW4" ]; then
fi

if [ "$router_self_proxy" = "1" ]; then
nft 'add chain inet fw4 openclash_mangle_output_v6'
nft 'flush chain inet fw4 openclash_mangle_output_v6'
nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 daddr @localnetwork6 counter return'
nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 saddr @localnetwork6 meta nfproto {ipv6} sport @lan_ac_black_ports counter return'
nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @wan_ac_black_ipv6s counter return'
if [ "$en_mode" = "redir-host" ]; then
nft 'add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} th dport != @common_ports skuid != 65534 counter return'
fi
if [ "$ipv6_mode" -eq 2 ]; then
nft 'add chain inet fw4 openclash_mangle_output_v6'
nft 'flush chain inet fw4 openclash_mangle_output_v6'
nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 daddr @localnetwork6 counter return'
nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 saddr @localnetwork6 meta nfproto {ipv6} sport @lan_ac_black_ports counter return'
nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @wan_ac_black_ipv6s counter return'
if [ "$en_mode" = "redir-host" ]; then
nft 'add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} th dport != @common_ports skuid != 65534 counter return'
fi

if [ "$china_ip6_route" = "1" ]; then
if [ "$enable_redirect_dns" != "2" ]; then
nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route ip6 daddr != @china_ip6_route_pass counter return'
else
nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return'
if [ "$china_ip6_route" = "1" ]; then
if [ "$enable_redirect_dns" != "2" ]; then
nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route ip6 daddr != @china_ip6_route_pass counter return'
else
nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return'
fi
fi
fi
if [ "$ipv6_mode" -eq 2 ]; then
nft add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" counter
elif [ "$ipv6_mode" -eq 0 ]; then
nft add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" tproxy ip6 to :"$tproxy_port" counter accept comment \"OpenClash TCP Tproxy\"
nft 'add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump openclash_mangle_output_v6'
fi
nft 'add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump openclash_mangle_output_v6'
fi
fi

Expand Down Expand Up @@ -2904,8 +2912,8 @@ if [ -z "$FW4" ]; then
ip6tables -t mangle -A openclash -p tcp -j MARK --set-mark "$PROXY_FWMARK"
fi

if [ "$ipv6_mode" -eq 2 ]; then
if [ "$router_self_proxy" = "1" ]; then
if [ "$router_self_proxy" = "1" ]; then
if [ "$ipv6_mode" -eq 2 ]; then
ip6tables -t mangle -N openclash_output
ip6tables -t mangle -F openclash_output
ip6tables -t mangle -A openclash_output -m set --match-set localnetwork6 dst -j RETURN
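Review bot: In the first hunk (-1231) the new `if [ "$ipv6_mode" -eq 1 ]` branch inserts the exclusion into `openclash_v6`/`openclash_output_v6`, and every branch relies on `>/dev/null 2>&1` to hide the case where the target chain does not exist; within this diff `openclash_output_v6` is only created under `router_self_proxy = "1"`, so with self-proxy off the output insert silently does nothing, which looks intended but is undocumented. A comment above the mode test would make that explicit: `# output chains exist only when router_self_proxy=1; a missing chain makes the insert a silent no-op`. The `[ "$ipv6_mode" -eq 1 ]` test falls through to the mangle branch (printing an "integer expression expected" error on stderr, which is not redirected) if `ipv6_mode` is ever empty, so if that can happen `[ "${ipv6_mode:-0}" -eq 1 ]` keeps it quiet — confirm against where ipv6_mode is read. The mirrored restructuring in the ip6tables hunk (-1275) has the same behaviour and additionally leaves a stray blank line inside the `if $e_tcp` block. firewall_redirect_exclude begins and ends outside both hunks.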
