mirror of
				https://github.com/Ysurac/openmptcprouter-feeds.git
				synced 2025-03-09 15:40:03 +00:00 
			
		
		
		
	Add nftables support to xray
		
							parent
							
								
									3f890976ed
								
							
						
					
					
						commit
						d4eb02e586
					
				
					 5 changed files with 2650 additions and 11 deletions
				
			
		
							
								
								
									
										2360
									
								
								xray-core/files/etc/init.d/xray-nft
									
										
									
									
									
										Executable file
									
								
							
							
						
						
									
										2360
									
								
								xray-core/files/etc/init.d/xray-nft
									
										
									
									
									
										Executable file
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										126
									
								
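--- a/xray-core/files/usr/share/xray-rules/chain.uc
+++ b/xray-core/files/usr/share/xray-rules/chain.uc
@@ -0,0 +1,126 @@
+{%
+function get_local_verdict() {
+	let v = o_local_default;
+	if (v == "checkdst") {
+		return "goto xr_rules_dst_" + proto;
+	} else if (v == "forward") {
+		return "goto xr_rules_forward_" + proto;
+	} else {
+		return null;
+	}
+}
+
+function get_src_default_verdict() {
+	let v = o_src_default;
+	if (v == "checkdst") {
+		return "goto xr_rules_dst_" + proto;
+	} else if (v == "forward") {
+		return "goto xr_rules_forward_" + proto;
+	} else {
+		return "accept";
+	}
+}
+
+function get_dst_default_verdict() {
+	let v = o_dst_default;
+	if (v == "forward") {
+		return "goto xr_rules_forward_" + proto;
+	} else {
+		return "accept";
+	}
+}
+
+function get_ifnames() {
+	let res = [];
+	for (let ifname in split(o_ifnames, /[ \t\n]/)) {
+		ifname = trim(ifname);
+		if (ifname) push(res, ifname);
+	}
+	return res;
+}
+
+let type, hook, priority, redir_port;
+if (proto == "tcp") {
+	type = "nat";
+	hook = "prerouting";
+	priority = -1;
+	redir_port = o_redir_tcp_port;
+} else if (proto == "udp") {
+	type = "filter";
+	hook = "prerouting";
+	priority = "mangle";
+	redir_port = o_redir_udp_port;
+	if (system("
+		set -o errexit
+		iprr() {
+			while ip $1 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+			      ip $1 rule add fwmark 1 lookup 100
+			ip $1 route flush table 100 2>/dev/null || true
+			ip $1 route add local default dev lo table 100
+		}
+		iprr -4
+		iprr -6
+	") != 0) {
+		return ;
+	}
+} else {
+	return;
+}
+
+%}
+{% if (redir_port): %}
+
+chain xr_rules_pre_{{ proto }} {
+	type {{ type }} hook {{ hook }} priority {{ priority }};
+	meta l4proto {{ proto }}{%- let ifnames=get_ifnames(); if (length(ifnames)): %} iifname { {{join(", ", ifnames)}} }{% endif %} goto xr_rules_pre_src_{{ proto }};
+}
+
+chain xr_rules_pre_src_{{ proto }} {
+	ip daddr @xr_rules_dst_bypass_ accept;
+	ip6 daddr @xr_rules6_dst_bypass_ accept;
+	goto xr_rules_src_{{ proto }};
+}
+
+chain xr_rules_src_{{ proto }} {
+	ip saddr @xr_rules_src_bypass accept;
+	ip saddr @xr_rules_src_forward goto xr_rules_forward_{{ proto }};
+	ip saddr @xr_rules_src_checkdst goto xr_rules_dst_{{ proto }};
+	ip6 saddr @xr_rules6_src_bypass accept;
+	ip6 saddr @xr_rules6_src_forward goto xr_rules_forward_{{ proto }};
+	ip6 saddr @xr_rules6_src_checkdst goto xr_rules_dst_{{ proto }};
+	{{ get_src_default_verdict() }};
+}
+
+chain xr_rules_dst_{{ proto }} {
+	ip daddr @xr_rules_dst_bypass accept;
+	ip daddr @xr_rules_remote_servers accept;
+	ip daddr @xr_rules_dst_forward goto xr_rules_forward_{{ proto }};
+	ip6 daddr @xr_rules6_dst_bypass accept;
+	ip6 daddr @xr_rules6_remote_servers accept;
+	ip6 daddr @xr_rules6_dst_forward goto xr_rules_forward_{{ proto }};
+	{{ get_dst_default_verdict() }};
+}
+
+{%   if (proto == "tcp"): %}
+chain xr_rules_forward_{{ proto }} {
+	meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
+}
+{%   let local_verdict = get_local_verdict(); if (local_verdict): %}
+chain xr_rules_local_out {
+	type {{ type }} hook output priority -1;
+	meta l4proto != tcp accept;
+	ip daddr @xr_rules_remote_servers accept;
+	ip daddr @xr_rules_dst_bypass_ accept;
+	ip daddr @xr_rules_dst_bypass accept;
+	ip6 daddr @xr_rules6_remote_servers accept;
+	ip6 daddr @xr_rules6_dst_bypass_ accept;
+	ip6 daddr @xr_rules6_dst_bypass accept;
+	{{ local_verdict }};
+}
+{%     endif %}
+{%   elif (proto == "udp"): %}
+chain xr_rules_forward_{{ proto }} {
+	meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
+}
+{%   endif %}
+{% endif %}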
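Review bot: The values of `o_ifnames`, `o_nft_tcp_extra`, `o_nft_udp_extra` and the redirect ports are written into the ruleset verbatim (the `iifname { … }` list in `xr_rules_pre_{{ proto }}` and both `xr_rules_forward_{{ proto }}` chains), so a `;`, `}` or newline in a configured value becomes extra nft syntax in a ruleset that is presumably loaded as root by the init script, whose diff is suppressed on this page. `get_ifnames()` only splits and trims; I would reject tokens that are not plain interface names, e.g. `if (ifname && match(ifname, /^[A-Za-z0-9_.-]+$/)) push(res, ifname);`, and check that `redir_port` is numeric before rendering. Separately, the two bare `return` paths (unknown `proto`, or the `ip rule`/`ip route` helper exiting non-zero) render no chain and print nothing, so UDP would silently go un-proxied if, for example, the `iprr -6` call fails on a host without IPv6. A `warn()` before `return ;` would make that failure visible.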
							
								
								
									
										117
									
								
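--- a/xray-core/files/usr/share/xray-rules/set.uc
+++ b/xray-core/files/usr/share/xray-rules/set.uc
@@ -0,0 +1,117 @@
+{%
+let fs = require("fs");
+
+let o_dst_bypass4_ = "
+	0.0.0.0/8
+	10.0.0.0/8
+	100.64.0.0/10
+	127.0.0.0/8
+	169.254.0.0/16
+	172.16.0.0/12
+	192.0.0.0/24
+	192.0.2.0/24
+	192.168.0.0/16
+	192.31.196.0/24
+	192.52.193.0/24
+	192.88.99.0/24
+	192.175.48.0/24
+	198.18.0.0/15
+	198.51.100.0/24
+	203.0.113.0/24
+	224.0.0.0/4
+	240.0.0.0/4
+";
+let o_dst_bypass6_ = "
+	::1/128
+	::/128
+	::ffff:0:0/96
+	64:ff9b:1::/48
+	100::/64
+	fe80::/10
+	2001::/23
+	fc00::/7
+";
+let o_dst_bypass_ = o_dst_bypass4_ + " " + o_dst_bypass6_;
+
+let set_suffix = {
+	"src_bypass": {
+		str: o_src_bypass,
+	},
+	"src_forward": {
+		str: o_src_forward,
+	},
+	"src_checkdst": {
+		str: o_src_checkdst,
+	},
+	"remote_servers": {
+		str: o_remote_servers
+	},
+	"dst_bypass": {
+		str: o_dst_bypass,
+		file: o_dst_bypass_file,
+	},
+	"dst_bypass_": {
+		str: o_dst_bypass_,
+	},
+	"dst_forward": {
+		str: o_dst_forward,
+		file: o_dst_forward_file,
+	},
+	"dst_forward_rrst_": {},
+};
+
+function set_name(suf, af) {
+	if (af == 4) {
+		return "xr_rules_"+suf;
+	} else {
+		return "xr_rules6_"+suf;
+	}
+}
+
+function set_elements_parse(res, str, af) {
+	for (let addr in split(str, /[ \t\n]/)) {
+		addr = trim(addr);
+		if (!addr) continue;
+		if (af == 4 && index(addr, ":") != -1) continue;
+		if (af == 6 && index(addr, ":") == -1) continue;
+		push(res, addr);
+	}
+}
+
+function set_elements(suf, af) {
+	let obj = set_suffix[suf];
+	let res = [];
+	let addr;
+
+	let str = obj["str"];
+	if (str) {
+		set_elements_parse(res, str, af);
+	}
+
+	let file = obj["file"];
+	if (file) {
+		let fd = fs.open(file);
+		if (fd) {
+			str = fd.read("all");
+			set_elements_parse(res, str, af);
+		}
+	}
+
+	return res;
+}
+%}
+
+{% for (let suf in set_suffix): for (let af in [4, 6]): %}
+set {{ set_name(suf, af) }} {
+	type ipv{{af}}_addr;
+	flags interval;
+	auto-merge;
+{%   let elems = set_elements(suf, af); if (length(elems)): %}
+	elements = {
+{%     for (let i = 0; i < length(elems); i++): %}
+		{{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %}
+{%     endfor %}
+	}
+{%   endif %}
+}
+{% endfor; endfor %}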
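Review bot: `set_elements_parse()` accepts every whitespace-separated token and uses only the presence of `:` to pick the address family, so text read from `o_dst_bypass_file` / `o_dst_forward_file` reaches `elements = { … }` unchecked. A comment line, hostname or stray `}` in such a list would either make the generated ruleset fail to load, which may leave the bypass/forward policy unapplied, or change its structure. I would add a shape check before `push`, e.g. `if (!match(addr, /^[0-9A-Fa-f:.]+(\/[0-9]+)?$/)) continue;` (widen it if `a-b` ranges are meant to be accepted). In `set_elements()` the handle returned by `fs.open(file)` is never closed, so add `fd.close();` after the read. The unused `let addr;` there can be dropped.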
							
								
								
									
										8
									
								
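--- a/xray-core/files/usr/share/xray-rules/xr-rules.uc
+++ b/xray-core/files/usr/share/xray-rules/xr-rules.uc
@@ -0,0 +1,8 @@
+{%
+
+include("set.uc");
+include("chain.uc", {proto: "tcp"});
+include("chain.uc", {proto: "udp"});
+
+%}
+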