Add nftables support to xray

xray-core/Makefile

@@ -1,6 +1,6 @@
 include $(TOPDIR)/rules.mk
 
-PKG_NAME:=xray-core
+PKG_NAME:=xray
 PKG_VERSION:=1.8.6
 PKG_RELEASE:=1
 
@@ -19,7 +19,7 @@ GO_PKG:=github.com/XTLS/Xray-core
 include $(INCLUDE_DIR)/package.mk
 include $(TOPDIR)/feeds/openmptcprouter/golang/golang-package.mk
 
-define Package/$(PKG_NAME)
+define Package/$(PKG_NAME)/template
 	SECTION:=Custom
 	CATEGORY:=Extra packages
 	TITLE:=Xray-core
@@ -27,13 +27,35 @@ define Package/$(PKG_NAME)
 	PROVIDES:=xray-core
 endef
 
+define Package/$(PKG_NAME)-core
+	$(call Package/$(PKG_NAME)/template)
+endef
+
+define Package/$(PKG_NAME)-config
+	$(call Package/$(PKG_NAME)/template)
+	TITLE+= (init script)
+endef
+
+define Package/$(PKG_NAME)-config-nft
+	$(call Package/$(PKG_NAME)/template)
+	TITLE+= (init script with nft)
+endef
+
 define Package/$(PKG_NAME)/description
 	Xray-core bare bones binary (compiled without cgo)
 endef
 
+define Package/$(PKG_NAME)-config/description
+	Xray-core init script
+endef
+
+define Package/$(PKG_NAME)-config-nft/description
+	Xray-core init script with nft support
+endef
+
 define Package/$(PKG_NAME)/config
 menu "Xray Configuration"
-	depends on PACKAGE_$(PKG_NAME)
+	depends on PACKAGE_$(PKG_NAME)-core
 
 config PACKAGE_XRAY_ENABLE_GOPROXY_IO
 	bool "Use goproxy.io to speed up module fetching (recommended for some network situations)"
@@ -50,19 +72,25 @@ endif
 MAKE_PATH:=$(GO_PKG_WORK_DIR_NAME)/build/src/$(GO_PKG)
 MAKE_VARS += $(GO_PKG_VARS)
 
-#define Build/Patch
-#	$(CP) $(PKG_BUILD_DIR)/../Xray-core-$(PKG_VERSION)/* $(PKG_BUILD_DIR)
-#	$(Build/Patch/Default)
-#endef
-
 define Build/Compile
 	cd $(PKG_BUILD_DIR); $(GO_PKG_VARS) $(USE_GOPROXY) CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o $(PKG_INSTALL_DIR)/bin/xray ./main; 
 endef
 
-define Package/$(PKG_NAME)/install
+define Package/$(PKG_NAME)-core/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/xray $(1)/usr/bin/xray
-	$(CP) ./files/* $(1)/
 endef
 
-$(eval $(call BuildPackage,$(PKG_NAME)))
+define Package/$(PKG_NAME)-config/install
+	$(CP) ./files/* $(1)/
+	rm -f $(1)/etc/init.d/xray-nft
+endef
+
+define Package/$(PKG_NAME)-config-nft/install
+	$(CP) ./files/* $(1)/
+	mv $(1)/etc/init.d/xray-nft $(1)/etc/init.d/xray
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)-core))
+$(eval $(call BuildPackage,$(PKG_NAME)-config))
+$(eval $(call BuildPackage,$(PKG_NAME)-config-nft))

xray-core/files/usr/share/xray-rules/chain.uc

@@ -0,0 +1,126 @@
+{%
+function get_local_verdict() {
+	let v = o_local_default;
+	if (v == "checkdst") {
+		return "goto xr_rules_dst_" + proto;
+	} else if (v == "forward") {
+		return "goto xr_rules_forward_" + proto;
+	} else {
+		return null;
+	}
+}
+
+function get_src_default_verdict() {
+	let v = o_src_default;
+	if (v == "checkdst") {
+		return "goto xr_rules_dst_" + proto;
+	} else if (v == "forward") {
+		return "goto xr_rules_forward_" + proto;
+	} else {
+		return "accept";
+	}
+}
+
+function get_dst_default_verdict() {
+	let v = o_dst_default;
+	if (v == "forward") {
+		return "goto xr_rules_forward_" + proto;
+	} else {
+		return "accept";
+	}
+}
+
+function get_ifnames() {
+	let res = [];
+	for (let ifname in split(o_ifnames, /[ \t\n]/)) {
+		ifname = trim(ifname);
+		if (ifname) push(res, ifname);
+	}
+	return res;
+}
+
+let type, hook, priority, redir_port;
+if (proto == "tcp") {
+	type = "nat";
+	hook = "prerouting";
+	priority = -1;
+	redir_port = o_redir_tcp_port;
+} else if (proto == "udp") {
+	type = "filter";
+	hook = "prerouting";
+	priority = "mangle";
+	redir_port = o_redir_udp_port;
+	if (system("
+		set -o errexit
+		iprr() {
+			while ip $1 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+			      ip $1 rule add fwmark 1 lookup 100
+			ip $1 route flush table 100 2>/dev/null || true
+			ip $1 route add local default dev lo table 100
+		}
+		iprr -4
+		iprr -6
+	") != 0) {
+		return ;
+	}
+} else {
+	return;
+}
+
+%}
+{% if (redir_port): %}
+
+chain xr_rules_pre_{{ proto }} {
+	type {{ type }} hook {{ hook }} priority {{ priority }};
+	meta l4proto {{ proto }}{%- let ifnames=get_ifnames(); if (length(ifnames)): %} iifname { {{join(", ", ifnames)}} }{% endif %} goto xr_rules_pre_src_{{ proto }};
+}
+
+chain xr_rules_pre_src_{{ proto }} {
+	ip daddr @xr_rules_dst_bypass_ accept;
+	ip6 daddr @xr_rules6_dst_bypass_ accept;
+	goto xr_rules_src_{{ proto }};
+}
+
+chain xr_rules_src_{{ proto }} {
+	ip saddr @xr_rules_src_bypass accept;
+	ip saddr @xr_rules_src_forward goto xr_rules_forward_{{ proto }};
+	ip saddr @xr_rules_src_checkdst goto xr_rules_dst_{{ proto }};
+	ip6 saddr @xr_rules6_src_bypass accept;
+	ip6 saddr @xr_rules6_src_forward goto xr_rules_forward_{{ proto }};
+	ip6 saddr @xr_rules6_src_checkdst goto xr_rules_dst_{{ proto }};
+	{{ get_src_default_verdict() }};
+}
+
+chain xr_rules_dst_{{ proto }} {
+	ip daddr @xr_rules_dst_bypass accept;
+	ip daddr @xr_rules_remote_servers accept;
+	ip daddr @xr_rules_dst_forward goto xr_rules_forward_{{ proto }};
+	ip6 daddr @xr_rules6_dst_bypass accept;
+	ip6 daddr @xr_rules6_remote_servers accept;
+	ip6 daddr @xr_rules6_dst_forward goto xr_rules_forward_{{ proto }};
+	{{ get_dst_default_verdict() }};
+}
+
+{%   if (proto == "tcp"): %}
+chain xr_rules_forward_{{ proto }} {
+	meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
+}
+{%   let local_verdict = get_local_verdict(); if (local_verdict): %}
+chain xr_rules_local_out {
+	type {{ type }} hook output priority -1;
+	meta l4proto != tcp accept;
+	ip daddr @xr_rules_remote_servers accept;
+	ip daddr @xr_rules_dst_bypass_ accept;
+	ip daddr @xr_rules_dst_bypass accept;
+	ip6 daddr @xr_rules6_remote_servers accept;
+	ip6 daddr @xr_rules6_dst_bypass_ accept;
+	ip6 daddr @xr_rules6_dst_bypass accept;
+	{{ local_verdict }};
+}
+{%     endif %}
+{%   elif (proto == "udp"): %}
+chain xr_rules_forward_{{ proto }} {
+	meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
+}
+{%   endif %}
+{% endif %}

xray-core/files/usr/share/xray-rules/set.uc

@@ -0,0 +1,117 @@
+{%
+let fs = require("fs");
+
+let o_dst_bypass4_ = "
+	0.0.0.0/8
+	10.0.0.0/8
+	100.64.0.0/10
+	127.0.0.0/8
+	169.254.0.0/16
+	172.16.0.0/12
+	192.0.0.0/24
+	192.0.2.0/24
+	192.168.0.0/16
+	192.31.196.0/24
+	192.52.193.0/24
+	192.88.99.0/24
+	192.175.48.0/24
+	198.18.0.0/15
+	198.51.100.0/24
+	203.0.113.0/24
+	224.0.0.0/4
+	240.0.0.0/4
+";
+let o_dst_bypass6_ = "
+	::1/128
+	::/128
+	::ffff:0:0/96
+	64:ff9b:1::/48
+	100::/64
+	fe80::/10
+	2001::/23
+	fc00::/7
+";
+let o_dst_bypass_ = o_dst_bypass4_ + " " + o_dst_bypass6_;
+
+let set_suffix = {
+	"src_bypass": {
+		str: o_src_bypass,
+	},
+	"src_forward": {
+		str: o_src_forward,
+	},
+	"src_checkdst": {
+		str: o_src_checkdst,
+	},
+	"remote_servers": {
+		str: o_remote_servers
+	},
+	"dst_bypass": {
+		str: o_dst_bypass,
+		file: o_dst_bypass_file,
+	},
+	"dst_bypass_": {
+		str: o_dst_bypass_,
+	},
+	"dst_forward": {
+		str: o_dst_forward,
+		file: o_dst_forward_file,
+	},
+	"dst_forward_rrst_": {},
+};
+
+function set_name(suf, af) {
+	if (af == 4) {
+		return "xr_rules_"+suf;
+	} else {
+		return "xr_rules6_"+suf;
+	}
+}
+
+function set_elements_parse(res, str, af) {
+	for (let addr in split(str, /[ \t\n]/)) {
+		addr = trim(addr);
+		if (!addr) continue;
+		if (af == 4 && index(addr, ":") != -1) continue;
+		if (af == 6 && index(addr, ":") == -1) continue;
+		push(res, addr);
+	}
+}
+
+function set_elements(suf, af) {
+	let obj = set_suffix[suf];
+	let res = [];
+	let addr;
+
+	let str = obj["str"];
+	if (str) {
+		set_elements_parse(res, str, af);
+	}
+
+	let file = obj["file"];
+	if (file) {
+		let fd = fs.open(file);
+		if (fd) {
+			str = fd.read("all");
+			set_elements_parse(res, str, af);
+		}
+	}
+
+	return res;
+}
+%}
+
+{% for (let suf in set_suffix): for (let af in [4, 6]): %}
+set {{ set_name(suf, af) }} {
+	type ipv{{af}}_addr;
+	flags interval;
+	auto-merge;
+{%   let elems = set_elements(suf, af); if (length(elems)): %}
+	elements = {
+{%     for (let i = 0; i < length(elems); i++): %}
+		{{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %}
+{%     endfor %}
+	}
+{%   endif %}
+}
+{% endfor; endfor %}

xray-core/files/usr/share/xray-rules/xr-rules.uc

@@ -0,0 +1,8 @@
+{%
+
+include("set.uc");
+include("chain.uc", {proto: "tcp"});
+include("chain.uc", {proto: "udp"});
+
+%}
+