chore: refine
vernesong committed Jan 24, 2025
1 parent 7496422 commit d7a59be
Showing 5 changed files with 124 additions and 34 deletions.
10 changes: 6 additions & 4 deletions luci-app-openclash/luasrc/model/cbi/openclash/settings.lua
Expand Up @@ -216,9 +216,10 @@ o.cfgvalue = function(...)
end

ip_ac = s2:option(Value, "src_ip", translate("Internal addresses"))
ip_ac.datatype = "ipmask"
ip_ac.datatype = "or(ipmask, string)"
ip_ac.placeholder = "0.0.0.0/0"
ip_ac.rmempty = false
ip_ac.rmempty = true
ip_ac:value("localnetwork", translate("Local Network"))

o = s2:option(Value, "src_port", translate("Internal ports"))
o.datatype = "or(port, portrange)"
Expand All @@ -240,8 +241,9 @@ o.default = "tcp"
o.rmempty = false

o = s2:option(ListValue, "target", translate("Target"))
o:value("return", translate("Return"))
o:value("accept", translate("Accept"))
o:value("return", translate("RETURN"))
o:value("accept", translate("ACCEPT"))
o:value("drop", translate("DROP"))
o.rmempty = false

luci.ip.neighbors({ family = 4 }, function(n)
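Review bot: The new `ip_ac.datatype = "or(ipmask, string)"` (the second line of the datatype pair) switches validation off, because `string` admits any text, and this is the value the init script later splices into nft and iptables command lines as the source match. If the installed LuCI's `or()` accepts quoted literals, `ip_ac.datatype = 'or(ipmask, "localnetwork")'` keeps the ipmask check while still admitting the new list entry; otherwise a small custom validator that accepts ipmask or that one keyword would do. With `ip_ac.rmempty = true` and the init script now substituting `localnetwork` for an empty `src_ip`, the placeholder `0.0.0.0/0` no longer describes the effective default, so consider `ip_ac.placeholder = "localnetwork"` or `ip_ac.default = "localnetwork"`.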
5 changes: 4 additions & 1 deletion luci-app-openclash/po/zh-cn/openclash.zh-cn.po
Expand Up @@ -3463,4 +3463,7 @@ msgid "(Not Support mrs Format)"
msgstr "(不支持 mrs 格式)"

msgid "UpDate"
msgstr "更新"
msgstr "更新"

msgid "Local Network"
msgstr "常用内部网络地址"
89 changes: 60 additions & 29 deletions luci-app-openclash/root/etc/init.d/openclash
Expand Up @@ -819,7 +819,7 @@ firewall_lan_ac_traffic()
{
local src_port src_ip proto target enabled family comment
config_get "src_port" "$section" "src_port" ""
config_get "src_ip" "$section" "src_ip" ""
config_get "src_ip" "$section" "src_ip" "localnetwork"
config_get "proto" "$section" "proto" "both"
config_get "target" "$section" "target" "return"
config_get "enabled" "$section" "enabled" "0"
Expand All @@ -837,80 +837,111 @@ firewall_lan_ac_traffic()
if [ $proto == "both" ]; then e_tcp=true; e_udp=true; fi

if [ -n "$FW4" ]; then
if [ "$src_ip" == "localnetwork" ]; then
src_ip="@localnetwork"
src_ip_v6="@localnetwork6"
else
src_ip="{ $src_ip }"
src_ip_v6="{ $src_ip }"
fi

if [ "$family" == "both" ] || [ "$family" == "ipv4" ]; then
if [ -z "$en_mode_tun" ] || [ "$en_mode_tun" -eq 2 ]; then
if $e_tcp ; then
nft insert rule inet fw4 openclash_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash position 0 ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr "$src_ip" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash position 0 ip daddr != { "$fakeip_range" } ip saddr "$src_ip" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
if $e_udp ; then
nft insert rule inet fw4 openclash_mangle_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle position 0 ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr "$src_ip" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle position 0 ip daddr != { "$fakeip_range" } ip saddr "$src_ip" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
elif [ "$en_mode_tun" -eq 1 ]; then
if $e_tcp ; then
nft insert rule inet fw4 openclash_mangle_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle position 0 ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr "$src_ip" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle position 0 ip daddr != { "$fakeip_range" } ip saddr "$src_ip" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
if $e_udp ; then
nft insert rule inet fw4 openclash_mangle_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle position 0 ip daddr != { "$fakeip_range" } ip saddr { "$src_ip" } udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output position 0 meta nfproto {ipv4} ip daddr != { "$fakeip_range" } ip saddr "$src_ip" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle position 0 ip daddr != { "$fakeip_range" } ip saddr "$src_ip" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
fi
if $e_tcp ; then
nft insert rule inet fw4 openclash_post position 0 ip daddr != { "$fakeip_range" } ip saddr "$src_ip" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
if $e_udp ; then
nft insert rule inet fw4 openclash_post position 0 ip daddr != { "$fakeip_range" } ip saddr "$src_ip" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
fi

if [ "$ipv6_enable" -eq 1 ]; then
if [ "$family" == "both" ] || [ "$family" == "ipv6" ]; then
if $e_tcp ; then
nft insert rule inet fw4 openclash_v6 position 0 ip6 saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_output_v6 position 0 ip6 saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 meta nfproto {ipv6} ip6 saddr { "$src_ip" } tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_v6 position 0 ip6 saddr "$src_ip_v6" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_output_v6 position 0 ip6 saddr "$src_ip_v6" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr "$src_ip_v6" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 meta nfproto {ipv6} ip6 saddr "$src_ip_v6" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_post_v6 position 0 ip6 saddr "$src_ip_v6" tcp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
if $e_udp ; then
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr { "$src_ip" } udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 meta nfproto {ipv6} ip6 saddr { "$src_ip" } udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_v6 position 0 ip6 saddr "$src_ip_v6" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_mangle_output_v6 position 0 meta nfproto {ipv6} ip6 saddr "$src_ip_v6" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
nft insert rule inet fw4 openclash_post_v6 position 0 ip6 saddr "$src_ip_v6" udp sport "$src_port" counter $target comment "\"$comment\"" >/dev/null 2>&1
fi
fi
fi
else
if [ "$src_ip" == "localnetwork" ]; then
src_ip="-m set --match-set localnetwork src"
src_ip_v6="-m set --match-set localnetwork6 src"
else
src_ip="-s ${src_ip}"
src_ip_v6="-s ${src_ip}"
fi
src_port=$(echo $src_port |sed "s/-/:/g" 2>/dev/null)
if [ $target == "accept" ]; then target="ACCEPT"; fi
if [ $target == "return" ]; then target="RETURN"; fi

if [ "$family" == "both" ] || [ "$family" == "ipv4" ]; then
if [ -z "$en_mode_tun" ] || [ "$en_mode_tun" -eq 2 ]; then
if $e_tcp ; then
iptables -t nat -I openclash_output -p tcp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t nat -I openclash -p tcp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t nat -I openclash_output -p tcp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t nat -I openclash -p tcp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
if $e_udp ; then
iptables -t mangle -I openclash_output -p udp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash -p udp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash_output -p udp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash -p udp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
elif [ "$en_mode_tun" -eq 1 ]; then
if $e_tcp ; then
iptables -t mangle -I openclash_output -p tcp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash -p tcp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash_output -p tcp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash -p tcp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
if $e_udp ; then
iptables -t mangle -I openclash_output -p udp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash -p udp ! -d "$fakeip_range" -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash_output -p udp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
iptables -t mangle -I openclash -p udp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
fi
if $e_tcp ; then
iptables -t nat -I openclash_post -p tcp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
if $e_udp ; then
iptables -t nat -I openclash_post -p udp ! -d "$fakeip_range" "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
fi

if [ "$ipv6_enable" -eq 1 ]; then
if [ "$family" == "both" ] || [ "$family" == "ipv6" ]; then
if $e_tcp ; then
ip6tables -t nat -I openclash -s "$src_ip" -p tcp --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t nat -A openclash_output -s "$src_ip" -p tcp --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash -s "$src_ip" -p tcp --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash_output -p tcp -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t nat -I openclash "$src_ip_v6" -p tcp --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t nat -A openclash_output "$src_ip_v6" -p tcp --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash "$src_ip_v6" -p tcp --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash_output -p tcp "$src_ip_v6" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t nat -I openclash_post -p tcp "$src_ip_v6" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
if $e_udp ; then
ip6tables -t mangle -I openclash -p udp -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash_output -p udp -s "$src_ip" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash -p udp "$src_ip_v6" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t mangle -I openclash_output -p udp "$src_ip_v6" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
ip6tables -t nat -I openclash_post -p udp "$src_ip_v6" --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1
fi
fi
fi
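Review bot: Quoting `"$src_ip"` and `"$src_ip_v6"` on every iptables/ip6tables line of the new else-branch (from `iptables -t nat -I openclash_output ...` onward) hands the whole string `-m set --match-set localnetwork src`, or `-s <addr>`, to the command as one argument, so the option is never split from its value (getopt sees `-m` with the rest of the string as its argument) and each insertion fails; because every call ends in `>/dev/null 2>&1`, the LAN access-control rule is then silently absent rather than reported. The variables are built precisely so that they word-split, so expand them unquoted on those lines, e.g. `iptables -t nat -I openclash_output -p tcp ! -d "$fakeip_range" $src_ip --sport "$src_port" -j $target -m comment --comment "$comment" >/dev/null 2>&1`; the nft branch is unaffected since nft joins its arguments before parsing. The same branch maps only `accept` and `return` to upper-case targets, so the `drop` choice the settings page now offers reaches iptables as `-j drop`, which it does not recognise—add `if [ $target == "drop" ]; then target="DROP"; fi` beside the two existing lines unless that mapping is done elsewhere outside the hunk. `src_ip_v6` is also missing from the function's `local` list, so it leaks into the caller's scope; append it to the `local src_port src_ip proto target enabled family comment` line. The function's closing brace lies outside the hunk.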
Expand Up @@ -4,6 +4,8 @@ require "nixio"
require "luci.util"
require "luci.sys"
local ntm = require "luci.model.network".init()
local cidr = require "luci.ip"
local fs = require "luci.openclash"
local type = arg[1]
local rv = {}
local wan, wan6
Expand All @@ -30,6 +32,7 @@ if wan then
for i = 1, #wan do
rv.wan[i] = {
ipaddr = wan[i]:ipaddr(),
ip6addr = wan[i]:ip6addr(),
gwaddr = wan[i]:gwaddr(),
netmask = wan[i]:netmask(),
dns = wan[i]:dnsaddrs(),
Expand Down Expand Up @@ -150,4 +153,33 @@ if type == "wanip6" then
end
end

if type == "lan_cidr" then
if wan then
for o = 1, #(rv.wan) do
if rv.wan[o].proto ~= "pppoe" then
if rv.wan[o].ipaddr and rv.wan[o].netmask then
local network = cidr.IPv4(rv.wan[o].ipaddr, rv.wan[o].netmask):network():string()
local prefix = cidr.IPv4(rv.wan[o].ipaddr, rv.wan[o].netmask):prefix()
print(network.."/"..prefix)
end
end
end
end
end

if type == "lan_cidr6" then
if wan then
for o = 1, #(rv.wan) do
if rv.wan[o].proto ~= "pppoe" then
if rv.wan[o].ip6addr then
local ip6, prefix = rv.wan[o].ip6addr:match("([^/]+)/(%d+)")
local network = cidr.IPv6(ip6, tonumber(prefix)):network():string()
local prefix = cidr.IPv6(ip6, tonumber(prefix)):prefix()
print(network.."/"..prefix)
end
end
end
end
end

os.exit(0)
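Review bot: In the new `lan_cidr6` block, `rv.wan[o].ip6addr:match("([^/]+)/(%d+)")` yields nil captures when the address carries no `/prefix`, after which `cidr.IPv6(nil, nil)` is reached and the script aborts; since the watchdog runs this script with stderr discarded, the caller sees an empty list and the `localnetwork6` set is left without the LAN prefixes. Guard the captures before use, build the `luci.ip` object once instead of twice, and drop the second `local prefix` that shadows the captured string; the `lan_cidr` block has the same double construction and, if `luci.ip` returns nil for an address it cannot parse (I cannot confirm that from this hunk), the same unguarded method call. `local fs = require "luci.openclash"` is added but not referenced in the visible hunks; if the rest of the file does not use it either, it should go. The enclosing `if type == ... end` blocks are complete within the hunk.
```lua
if type == "lan_cidr6" then
  -- … unchanged: `if wan then` / loop / pppoe check …
        if rv.wan[o].ip6addr then
          local ip6, plen = rv.wan[o].ip6addr:match("([^/]+)/(%d+)")
          -- skip entries without a prefix length or that luci.ip cannot parse
          local addr = ip6 and plen and cidr.IPv6(ip6, tonumber(plen))
          if addr then
            print(addr:network():string().."/"..addr:prefix())
          end
        end
```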
22 changes: 22 additions & 0 deletions luci-app-openclash/root/usr/share/openclash/openclash_watchdog.sh
Expand Up @@ -234,32 +234,54 @@ fi
## Localnetwork 刷新
wan_ip4s=$(/usr/share/openclash/openclash_get_network.lua "wanip" 2>/dev/null)
wan_ip6s=$(ifconfig | grep 'inet6 addr' | awk '{print $3}' 2>/dev/null)
lan_ip4s=$(/usr/share/openclash/openclash_get_network.lua "lan_cidr" 2>/dev/null)
lan_ip6s=$(/usr/share/openclash/openclash_get_network.lua "lan_cidr6" 2>/dev/null)
if [ -n "$FW4" ]; then
if [ -n "$wan_ip4s" ]; then
for wan_ip4 in $wan_ip4s; do
nft add element inet fw4 localnetwork { "$wan_ip4" } 2>/dev/null
done
fi
if [ -n "$lan_ip4s" ]; then
for lan_ip4 in $lan_ip4s; do
nft add element inet fw4 localnetwork { "$lan_ip4" } 2>/dev/null
done
fi

if [ "$ipv6_enable" -eq 1 ]; then
if [ -n "$wan_ip6s" ]; then
for wan_ip6 in $wan_ip6s; do
nft add element inet fw4 localnetwork6 { "$wan_ip6" } 2>/dev/null
done
fi
if [ -n "$lan_ip6s" ]; then
for lan_ip6 in $lan_ip6s; do
nft add element inet fw4 localnetwork6 { "$lan_ip6" } 2>/dev/null
done
fi
fi
else
if [ -n "$wan_ip4s" ]; then
for wan_ip4 in $wan_ip4s; do
ipset add localnetwork "$wan_ip4" 2>/dev/null
done
fi
if [ -n "$lan_ip4s" ]; then
for lan_ip4 in $lan_ip4s; do
ipset add localnetwork "$lan_ip4" 2>/dev/null
done
fi
if [ "$ipv6_enable" -eq 1 ]; then
if [ -n "$wan_ip6s" ]; then
for wan_ip6 in $wan_ip6s; do
ipset add localnetwork6 "$wan_ip6" 2>/dev/null
done
fi
if [ -n "$lan_ip6s" ]; then
for lan_ip6 in $lan_ip6s; do
ipset add localnetwork6 "$lan_ip6" 2>/dev/null
done
fi
fi
fi
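Review bot: The four new `lan_ip*` loops repeat the `wan_ip*` loops verbatim, and all of the `nft add element` / `ipset add` calls discard errors with `2>/dev/null`, as do the two `openclash_get_network.lua` invocations that feed them; if that script aborts or emits a malformed CIDR, the `localnetwork` sets silently lack the LAN prefixes, and because the init script now defaults the LAN access-control source to `localnetwork`, those rules then match nothing. Folding the eight loops into one helper makes the intent clearer and gives a single place to report a failed insert through whatever logging helper the script already uses (not visible in this hunk). The `ipset add` calls also assume `localnetwork`/`localnetwork6` were created as a net-capable set type, since the new entries are `network/prefix`; the set definition is outside the hunk, so that is worth confirming.
```sh
# Add each whitespace-separated address or CIDR in $2 to the set named $1.
add_localnetwork_elements() {
	local set_name="$1" entry
	for entry in $2; do
		if [ -n "$FW4" ]; then
			nft add element inet fw4 "$set_name" { "$entry" } 2>/dev/null
		else
			ipset add "$set_name" "$entry" 2>/dev/null
		fi
	done
}

# … unchanged: wan_ip4s / wan_ip6s / lan_ip4s / lan_ip6s collection …
add_localnetwork_elements localnetwork "$wan_ip4s $lan_ip4s"
if [ "$ipv6_enable" -eq 1 ]; then
	add_localnetwork_elements localnetwork6 "$wan_ip6s $lan_ip6s"
fi
```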

