From 856f09dd47548a16ddd4ea47f38c1a50a735e64a Mon Sep 17 00:00:00 2001
From: Tianling Shen
Date: Sat, 14 Dec 2024 23:46:59 +0800
Subject: [PATCH] feat(fw4/post): improve dns hihack

only hijack dns traffic from specified interfaces if listen_interfaces is set.

Signed-off-by: Tianling Shen
---
 root/etc/homeproxy/scripts/firewall_post.ut | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/root/etc/homeproxy/scripts/firewall_post.ut b/root/etc/homeproxy/scripts/firewall_post.ut
index 0f72d755..ef711656 100755
--- a/root/etc/homeproxy/scripts/firewall_post.ut
+++ b/root/etc/homeproxy/scripts/firewall_post.ut
@@ -254,6 +254,9 @@ set homeproxy_routing_port {
 {# DNS hijack & TCP redirect #}
 chain dstnat {
 {% if (dns_hijacked !== '1'): %}
+ {% if (control_info.listen_interfaces): %}
+ meta iifname {{ array_to_nftarr(control_info.listen_interfaces) }}
+ {%- endif /* listen_interfaces */ %}
 meta nfproto { ipv4, ipv6 } udp dport 53 counter redirect to :{{ dns_port }} comment "!{{ cfgname }}: DNS hijack"
 {% endif /* dns_hijacked */ %}
 {% if (match(proxy_mode, /redirect/)): %}
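Review bot: The new `meta iifname` match only restricts the DNS hijack because the `{%-` on the added `endif` strips the newline so the match is emitted on the same nft rule line as `meta nfproto ... redirect`; if a later edit drops that `-`, the match becomes a standalone no-op rule and DNS from every interface is redirected again with no error. That is worth stating in the tag, e.g. `{%- endif /* listen_interfaces; '-' keeps iifname on the redirect rule's line */ %}`. `meta iifname` compares kernel device names such as `br-lan`, so the restriction only works if `control_info.listen_interfaces` already holds device names rather than netifd logical interface names; where it is populated is outside this hunk, so please confirm. If an empty array is truthy in ucode, an empty `listen_interfaces` would also take this branch and hand `array_to_nftarr` an empty list, so `{% if (length(control_info.listen_interfaces)): %}` would be the safer guard. The `chain dstnat` block continues beyond the hunk.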