From 9d5e4d0910037586d95ac18f0b7e1b004f909541 Mon Sep 17 00:00:00 2001
From: vernesong <42875168+vernesong@users.noreply.github.com>
Date: Sun, 16 Jun 2024 21:54:16 +0800
Subject: [PATCH] fix ipv6 rules #3919

---
 luci-app-openclash/root/etc/init.d/openclash | 74 +++++++++++---------
 1 file changed, 41 insertions(+), 33 deletions(-)

diff --git a/luci-app-openclash/root/etc/init.d/openclash b/luci-app-openclash/root/etc/init.d/openclash
index e0f6b45d7f..6d8d7e60e8 100644
--- a/luci-app-openclash/root/etc/init.d/openclash
+++ b/luci-app-openclash/root/etc/init.d/openclash
@@ -1231,15 +1231,20 @@ firewall_redirect_exclude()
  if [ "$ipv6_enable" -eq 1 ]; then
  if $e_tcp ; then
  if [ -n "$dest_ip" ]; then
- nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
+ if [ "$ipv6_mode" -eq 1 ]; then
+ nft insert rule inet fw4 openclash_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
+ nft insert rule inet fw4 openclash_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
+ else
+ nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
+ nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
+ fi
  fi
- nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1
  fi
  if $e_udp ; then
  if [ -n "$dest_ip" ]; then
  nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$dest_ip" } udp sport "$dest_port" counter return >/dev/null 2>&1
+ nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } udp sport "$dest_port" counter return >/dev/null 2>&1
  fi
- nft insert rule inet fw4 openclash_mangle_output_v6 position 0 ip6 saddr { "$dest_ip" } udp sport "$dest_port" counter return >/dev/null 2>&1
  fi
  fi
  else
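Review bot: The `else` arm sends the mode-0 TCP exclusion to `openclash_mangle_v6` and `openclash_mangle_output_v6`, but judging by the later hunks of this same patch, mode 0 router-self TCP is now redirected from the nat chain `openclash_output_v6` (new lines around 2060–2090) while `openclash_mangle_output_v6` is only built for mode 2 (new lines around 2127), so in tproxy mode the return rule never reaches the chain that actually redirects the router's own traffic, and the failed insert is hidden by `>/dev/null 2>&1`. Add a dedicated arm, `elif [ "$ipv6_mode" -eq 0 ]; then`, that inserts into `openclash_mangle_v6` and `nft insert rule inet fw4 openclash_output_v6 position 0 ip6 saddr { "$dest_ip" } tcp sport "$dest_port" counter return >/dev/null 2>&1`, leaving the existing `else` for mode 2. Consider also dropping the stderr redirect on these inserts so a missing chain is at least logged. The enclosing function `firewall_redirect_exclude` begins and ends outside this hunk.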
@@ -1275,15 +1280,21 @@ firewall_redirect_exclude()
  if [ "$ipv6_enable" -eq 1 ] && [ -n "$(ip6tables -t mangle -L 2>&1 | grep -o 'Chain')" ]; then
  if $e_tcp ; then
  if [ -n "$dest_ip" ]; then
- ip6tables -t mangle -I openclash -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ if [ "$ipv6_mode" -eq 1 ]; then
+ ip6tables -t nat -I openclash -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ ip6tables -t nat -I openclash_output -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ else
+ ip6tables -t mangle -I openclash -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ ip6tables -t mangle -I openclash_output -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ fi
  fi
- ip6tables -t mangle -I openclash_output -p tcp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ fi
  if $e_udp ; then
  if [ -n "$dest_ip" ]; then
  ip6tables -t mangle -I openclash -p udp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
+ ip6tables -t mangle -I openclash_output -p udp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
  fi
- ip6tables -t mangle -I openclash_output -p udp "$dest_ip" --sport "$dest_port" -j RETURN >/dev/null 2>&1
  fi
  fi
  fi
@@ -2049,7 +2060,10 @@ if [ -n "$FW4" ]; then
  fi
  nft add rule inet fw4 openclash_v6 meta nfproto {ipv6} tcp dport { 0-65535 } counter redirect to "$proxy_port"
  nft 'add rule inet fw4 dstnat meta nfproto {ipv6} tcp dport { 0-65535 } counter jump openclash_v6'
+ fi
+ #tproxy not support output chain
+ if [ "$ipv6_mode" -eq 0 ] || [ "$ipv6_mode" -eq 1 ]; then
  if [ "$router_self_proxy" = "1" ]; then
  nft 'add chain inet fw4 openclash_output_v6'
  nft 'flush chain inet fw4 openclash_output_v6'
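Review bot: The new mode-1 branch inserts into `ip6tables -t nat`, but the guard on the hunk's first line only verifies that the mangle table has chains, and every insert still ends in `>/dev/null 2>&1`, so on a system without an IPv6 nat table (or without the `openclash`/`openclash_output` nat chains) the exclusion is dropped silently and the traffic it was meant to bypass is proxied anyway. Consider widening the guard, e.g. `[ "$ipv6_mode" -ne 1 ] || ip6tables -t nat -L openclash >/dev/null 2>&1`, or logging the failure instead of discarding stderr. As in the nft hunk above, only mode 1 gets the nat-table exclusion; whether mode 0 router-self TCP is handled by a nat chain in the ip6tables path is not visible here, so check that its exclusion lands in the same table as its redirect rule. The enclosing function `firewall_redirect_exclude` begins and ends outside this hunk.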
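Review bot: The new condition routes mode 0 through the nat-redirect output chain as well, but the comment `#tproxy not support output chain` only states the limitation, not the decision it leads to. Suggest `# tproxy cannot be used in the output hook, so router-self TCP in modes 0 and 1 falls back to nat redirect via openclash_output_v6`. That fallback presumes `$proxy_port` is listening when the IPv6 mode is tproxy (0), which this hunk cannot confirm — worth checking where the core config is generated. The surrounding `if [ -n "$FW4" ]` block starts and ends outside this hunk.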
@@ -2067,16 +2081,12 @@ if [ -n "$FW4" ]; then
  nft 'add rule inet fw4 openclash_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return'
  fi
  fi
- if [ "$ipv6_mode" -eq 2 ]; then
- nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" counter
- elif [ "$ipv6_mode" -eq 0 ]; then
- nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" tproxy ip6 to :"$tproxy_port" counter accept comment \"OpenClash TCP Tproxy\"
- fi
+ nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} tcp dport { 0-65535 } counter redirect to "$proxy_port"
  nft 'add chain inet fw4 nat_output { type nat hook output priority -1; }'
- nft 'add rule inet fw4 nat_output meta nfproto {ipv6} ip protocol tcp counter jump openclash_output_v6'
+ nft 'add rule inet fw4 nat_output meta nfproto {ipv6} counter jump openclash_output_v6'
  fi
  fi
-
+
  if [ "$enable_v6_udp_proxy" -eq 1 ] || [ "$ipv6_mode" -eq 0 ] || [ "$ipv6_mode" -eq 2 ]; then
  nft 'add chain inet fw4 openclash_mangle_v6'
  nft 'flush chain inet fw4 openclash_mangle_v6'
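Review bot: The replacement redirect rule in `openclash_output_v6` drops the `skuid != 65534` match that both removed rules carried, so locally originated IPv6 TCP from uid 65534 is now redirected to `$proxy_port` as well. Every other rule in this chain still exempts that uid, which suggests it is the uid the proxy core runs under; if so, the core's own upstream connections would be redirected back into its own listener and loop. Keep the qualifier: `nft add rule inet fw4 openclash_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } counter redirect to "$proxy_port"`. The enclosing `if [ -n "$FW4" ]` block begins and ends outside this hunk.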
@@ -2117,28 +2127,26 @@ if [ -n "$FW4" ]; then
  fi
  if [ "$router_self_proxy" = "1" ]; then
- nft 'add chain inet fw4 openclash_mangle_output_v6'
- nft 'flush chain inet fw4 openclash_mangle_output_v6'
- nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 daddr @localnetwork6 counter return'
- nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 saddr @localnetwork6 meta nfproto {ipv6} sport @lan_ac_black_ports counter return'
- nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @wan_ac_black_ipv6s counter return'
- if [ "$en_mode" = "redir-host" ]; then
- nft 'add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} th dport != @common_ports skuid != 65534 counter return'
- fi
+ if [ "$ipv6_mode" -eq 2 ]; then
+ nft 'add chain inet fw4 openclash_mangle_output_v6'
+ nft 'flush chain inet fw4 openclash_mangle_output_v6'
+ nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 daddr @localnetwork6 counter return'
+ nft 'add rule inet fw4 openclash_mangle_output_v6 ip6 saddr @localnetwork6 meta nfproto {ipv6} sport @lan_ac_black_ports counter return'
+ nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @wan_ac_black_ipv6s counter return'
+ if [ "$en_mode" = "redir-host" ]; then
+ nft 'add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} th dport != @common_ports skuid != 65534 counter return'
+ fi
- if [ "$china_ip6_route" = "1" ]; then
- if [ "$enable_redirect_dns" != "2" ]; then
- nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route ip6 daddr != @china_ip6_route_pass counter return'
- else
- nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return'
+ if [ "$china_ip6_route" = "1" ]; then
+ if [ "$enable_redirect_dns" != "2" ]; then
+ nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route ip6 daddr != @china_ip6_route_pass counter return'
+ else
+ nft 'add rule inet fw4 openclash_mangle_output_v6 skuid != 65534 ip6 daddr @china_ip6_route counter return'
+ fi
  fi
- fi
- if [ "$ipv6_mode" -eq 2 ]; then
  nft add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" counter
- elif [ "$ipv6_mode" -eq 0 ]; then
- nft add rule inet fw4 openclash_mangle_output_v6 meta nfproto {ipv6} skuid != 65534 tcp dport { 0-65535 } mark set "$PROXY_FWMARK" tproxy ip6 to :"$tproxy_port" counter accept comment \"OpenClash TCP Tproxy\"
+ nft 'add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump openclash_mangle_output_v6'
  fi
- nft 'add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump openclash_mangle_output_v6'
  fi
  fi
@@ -2904,8 +2912,8 @@ if [ -z "$FW4" ]; then
  ip6tables -t mangle -A openclash -p tcp -j MARK --set-mark "$PROXY_FWMARK"
  fi
- if [ "$ipv6_mode" -eq 2 ]; then
- if [ "$router_self_proxy" = "1" ]; then
+ if [ "$router_self_proxy" = "1" ]; then
+ if [ "$ipv6_mode" -eq 2 ]; then
  ip6tables -t mangle -N openclash_output
  ip6tables -t mangle -F openclash_output
  ip6tables -t mangle -A openclash_output -m set --match-set localnetwork6 dst -j RETURN
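Review bot: `openclash_mangle_output_v6` is now created only when `$ipv6_mode` is 2, yet the UDP exclusion in `firewall_redirect_exclude` (first hunk of this patch) still inserts into that chain for every mode, and any router-self UDP rule that lives outside this hunk may do the same; with the chain absent in modes 0 and 1 those `nft insert` calls fail and their `>/dev/null 2>&1` hides it. Either guard those callers with the same `[ "$ipv6_mode" -eq 2 ]` check or stop discarding stderr on the inserts so a missing chain is logged rather than silently skipping an exclusion. The `if [ -n "$FW4" ]` block and the parent of the `router_self_proxy` test both begin outside this hunk.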