fix firewall error

#216 (comment)

root/etc/homeproxy/scripts/firewall_pre_forward.ut

@@ -0,0 +1,35 @@
+#!/usr/bin/utpl -S
+
+{%-
+	import { cursor } from 'uci';
+
+	const cfgname = 'homeproxy';
+	const uci = cursor();
+	uci.load(cfgname);
+
+	const routing_mode = uci.get(cfgname, 'config', 'routing_mode') || 'bypass_mainland_china',
+	      proxy_mode = uci.get(cfgname, 'config', 'proxy_mode') || 'redirect_tproxy';
+
+	let outbound_node, tun_name;
+	if (match(proxy_mode, /tun/)) {
+		if (routing_mode === 'custom')
+			outbound_node = uci.get(cfgname, 'routing', 'default_outbound') || 'nil';
+		else
+			outbound_node = uci.get(cfgname, 'config', 'main_node') || 'nil';
+
+		if (outbound_node !== 'nil')
+			tun_name = uci.get(cfgname, 'infra', 'tun_name') || 'singtun0';
+	}
+
+	const server_enabled = uci.get(cfgname, 'server', 'enabled');
+	let auto_firewall = '0';
+	if (server_enabled === '1')
+		auto_firewall = uci.get(cfgname, 'server', 'auto_firewall') || '0';
+
+-%}
+
+{% if (tun_name): %}
+chain forward {
+	oifname {{ tun_name }} counter accept comment "!{{ cfgname }}: accept tun forward"
+}
+{% endif %}

root/etc/homeproxy/scripts/firewall_pre.ut → root/etc/homeproxy/scripts/firewall_pre_input.ut

@@ -28,27 +28,20 @@
 
 -%}
 
-{% if (tun_name): %}
-chain forward {
-	oifname {{ tun_name }} counter accept comment "!{{ cfgname }}: accept tun forward"
-}
-{% endif %}
-
 {% if (tun_name || auto_firewall === '1'): %}
-chain input {
-	{% if (tun_name): %}
+
+{% if (tun_name): %}
 	iifname {{ tun_name }} counter accept comment "!{{ cfgname }}: accept tun input"
-	{% endif %}
+{% endif %}
 {%
-	if (auto_firewall === '1')
-		uci.foreach(cfgname, 'server', (s) => {
-			if (s.enabled !== '1')
-				return;
-
-			let proto = s.network || '{ tcp, udp }';
-			printf('	meta l4proto %s th dport %s counter accept comment "!%s: accept server %s"\n',
-				proto, s.port, cfgname, s['.name']);
-		});
+if (auto_firewall === '1')
+	uci.foreach(cfgname, 'server', (s) => {
+		if (s.enabled !== '1')
+			return;
+
+		let proto = s.network || '{ tcp, udp }';
+		printf('	meta l4proto %s th dport %s counter accept comment "!%s: accept server %s"\n',
+			proto, s.port, cfgname, s['.name']);
+	});
 %}
-}
 {% endif %}

root/etc/init.d/homeproxy

@@ -300,7 +300,8 @@ start_service() {
 	fi
 
 	# Setup firewall
-	utpl -S "$HP_DIR/scripts/firewall_pre.ut" > "$RUN_DIR/fw4_pre.nft"
+	utpl -S "$HP_DIR/scripts/firewall_pre_forward.ut" > "$RUN_DIR/fw4_pre_forward.nft"
+	utpl -S "$HP_DIR/scripts/firewall_pre_input.ut" > "$RUN_DIR/fw4_pre_input.nft"
 	[ "$outbound_node" = "nil" ] || utpl -S "$HP_DIR/scripts/firewall_post.ut" > "$RUN_DIR/fw4_post.nft"
 	fw4 reload >"/dev/null" 2>&1
 
@@ -353,7 +354,8 @@ stop_service() {
 		nft flush set inet fw4 "$i"
 		nft delete set inet fw4 "$i"
 	done 2>"/dev/null"
-	echo > "$RUN_DIR/fw4_pre.nft" 2>"/dev/null"
+	echo > "$RUN_DIR/fw4_pre_forward.nft" 2>"/dev/null"
+	echo > "$RUN_DIR/fw4_pre_input.nft" 2>"/dev/null"
 	echo > "$RUN_DIR/fw4_post.nft" 2>"/dev/null"
 	fw4 reload >"/dev/null" 2>&1
 

root/etc/uci-defaults/luci-homeproxy

@@ -2,10 +2,20 @@
 
 uci -q batch <<-EOF >"/dev/null"
 	delete firewall.homeproxy_pre
-	set firewall.homeproxy_pre=include
-	set firewall.homeproxy_pre.type=nftables
-	set firewall.homeproxy_pre.path="/var/run/homeproxy/fw4_pre.nft"
-	set firewall.homeproxy_pre.position="table-pre"
+
+	delete firewall.homeproxy_pre_input
+	set firewall.homeproxy_pre_input=include
+	set firewall.homeproxy_pre_input.type=nftables
+	set firewall.homeproxy_pre_input.path="/var/run/homeproxy/fw4_pre_input.nft"
+	set firewall.homeproxy_pre_input.position="chain-pre"
+	set firewall.homeproxy_pre_input.position="input"
+
+	delete firewall.homeproxy_pre_forward
+	set firewall.homeproxy_pre_forward=include
+	set firewall.homeproxy_pre_forward.type=nftables
+	set firewall.homeproxy_pre_forward.path="/var/run/homeproxy/fw4_pre_forward.nft"
+	set firewall.homeproxy_pre_forward.position="chain-pre"
+	set firewall.homeproxy_pre_forward.position="forward"
 
 	delete firewall.homeproxy_post
 	set firewall.homeproxy_post=include