From b3123a3adce7ef5c7451dcce8f4b01b83429fb2c Mon Sep 17 00:00:00 2001
From: Dimariqe
Date: Sun, 22 Dec 2024 20:04:05 +0700
Subject: [PATCH] fix firewall error https://github.com/immortalwrt/homeproxy/issues/216#issuecomment-2558443614
---
 .../homeproxy/scripts/firewall_pre_forward.ut | 35 +++++++++++++++++++
 ...{firewall_pre.ut => firewall_pre_input.ut} | 31 +++++++---------
 root/etc/init.d/homeproxy | 6 ++--
 root/etc/uci-defaults/luci-homeproxy | 18 +++++++---
 4 files changed, 65 insertions(+), 25 deletions(-)
 create mode 100644 root/etc/homeproxy/scripts/firewall_pre_forward.ut
 rename root/etc/homeproxy/scripts/{firewall_pre.ut => firewall_pre_input.ut} (70%)
 mode change 100755 => 100644
diff --git a/root/etc/homeproxy/scripts/firewall_pre_forward.ut b/root/etc/homeproxy/scripts/firewall_pre_forward.ut
new file mode 100644
index 00000000..36551701
--- /dev/null
+++ b/root/etc/homeproxy/scripts/firewall_pre_forward.ut
@@ -0,0 +1,35 @@
+#!/usr/bin/utpl -S
+
+{%-
+ import { cursor } from 'uci';
+
+ const cfgname = 'homeproxy';
+ const uci = cursor();
+ uci.load(cfgname);
+
+ const routing_mode = uci.get(cfgname, 'config', 'routing_mode') || 'bypass_mainland_china', proxy_mode = uci.get(cfgname, 'config', 'proxy_mode') || 'redirect_tproxy';
+
+ let outbound_node, tun_name;
+ if (match(proxy_mode, /tun/)) {
+ if (routing_mode === 'custom')
+ outbound_node = uci.get(cfgname, 'routing', 'default_outbound') || 'nil';
+ else
+ outbound_node = uci.get(cfgname, 'config', 'main_node') || 'nil';
+
+ if (outbound_node !== 'nil')
+ tun_name = uci.get(cfgname, 'infra', 'tun_name') || 'singtun0';
+ }
+
+ const server_enabled = uci.get(cfgname, 'server', 'enabled');
+ let auto_firewall = '0';
+ if (server_enabled === '1')
+ auto_firewall = uci.get(cfgname, 'server', 'auto_firewall') || '0';
+
+-%}
+
+{% if (tun_name): %}
+chain forward {
+ oifname {{ tun_name }} counter accept comment "!{{ cfgname }}: accept tun forward"
+}
+{% endif %}
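Review bot: The new template still wraps its rule in `chain forward {` … `}` (the last five lines of the hunk), while the renamed input template in this same patch drops its `chain input {` wrapper and the uci-defaults hunk appears to register both files as `chain-pre` includes; fw4 places a chain-level include inside the chain body, so a nested `chain forward {` there would be rejected when the ruleset loads, and the two templates should at least agree on one placement. Separately, `server_enabled` and `auto_firewall` are computed in the header block but never used in this file; dropping those four lines keeps the forward template to what it actually needs. As far as the cut-off uci-defaults hunk shows, each include sets `.position` twice rather than `.position` and `.chain`, so the second `set` would overwrite the first and the intended chain placement may never take effect — worth checking against fw4's include options before relying on it.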
diff --git a/root/etc/homeproxy/scripts/firewall_pre.ut b/root/etc/homeproxy/scripts/firewall_pre_input.ut
old mode 100755
new mode 100644
similarity index 70%
rename from root/etc/homeproxy/scripts/firewall_pre.ut
rename to root/etc/homeproxy/scripts/firewall_pre_input.ut
index f53addd3..81ac3b5f
--- a/root/etc/homeproxy/scripts/firewall_pre.ut
+++ b/root/etc/homeproxy/scripts/firewall_pre_input.ut
@@ -28,27 +28,20 @@
 -%}
-{% if (tun_name): %}
-chain forward {
- oifname {{ tun_name }} counter accept comment "!{{ cfgname }}: accept tun forward"
-}
-{% endif %}
-
 {% if (tun_name || auto_firewall === '1'): %}
-chain input {
- {% if (tun_name): %}
+
+{% if (tun_name): %}
 iifname {{ tun_name }} counter accept comment "!{{ cfgname }}: accept tun input"
- {% endif %}
+{% endif %}
 {%
- if (auto_firewall === '1')
- uci.foreach(cfgname, 'server', (s) => {
- if (s.enabled !== '1')
- return;
-
- let proto = s.network || '{ tcp, udp }';
- printf(' meta l4proto %s th dport %s counter accept comment "!%s: accept server %s"\n',
- proto, s.port, cfgname, s['.name']);
- });
+if (auto_firewall === '1')
+ uci.foreach(cfgname, 'server', (s) => {
+ if (s.enabled !== '1')
+ return;
+
+ let proto = s.network || '{ tcp, udp }';
+ printf(' meta l4proto %s th dport %s counter accept comment "!%s: accept server %s"\n',
+ proto, s.port, cfgname, s['.name']);
+ });
 %}
-}
 {% endif %}
diff --git a/root/etc/init.d/homeproxy b/root/etc/init.d/homeproxy
index d25a12e2..e4a0c812 100755
--- a/root/etc/init.d/homeproxy
+++ b/root/etc/init.d/homeproxy
@@ -300,7 +300,8 @@ start_service() {
 fi
 # Setup firewall
- utpl -S "$HP_DIR/scripts/firewall_pre.ut" > "$RUN_DIR/fw4_pre.nft"
+ utpl -S "$HP_DIR/scripts/firewall_pre_forward.ut" > "$RUN_DIR/fw4_pre_forward.nft"
+ utpl -S "$HP_DIR/scripts/firewall_pre_input.ut" > "$RUN_DIR/fw4_pre_input.nft"
 [ "$outbound_node" = "nil" ] || utpl -S "$HP_DIR/scripts/firewall_post.ut" > "$RUN_DIR/fw4_post.nft"
 fw4 reload >"/dev/null" 2>&1
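Review bot: The re-added server loop still prints `s.port` into `th dport %s` unchecked, so a server section that is enabled but has no port renders an incomplete rule, and because the output is consumed as an nftables include that one bad line makes the whole fw4 reload fail instead of just skipping that server. Widening the guard to `if (s.enabled !== '1' || !s.port)` before the `return;` keeps a single misconfigured section from taking the firewall down. The header block that defines `cfgname`, `tun_name` and `auto_firewall` lies above this hunk; with the `chain input {` wrapper gone the rendered file is only valid as a chain-level include, which deserves a comment at the top of the file such as `{# rendered into fw4's input chain (chain-pre include): bare rules only, no chain wrapper #}`.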
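Review bot: The two new `utpl -S … > "$RUN_DIR/fw4_pre_*.nft"` lines, and their mirror `echo > …` lines in the stop_service hunk that follows, spell each include path out by hand, so the paths now live in three places (here, stop_service, and the uci-defaults include entries) with nothing tying them together. Defining them once near the top of the script, e.g. `FW4_PRE_FORWARD="$RUN_DIR/fw4_pre_forward.nft"` and `FW4_PRE_INPUT="$RUN_DIR/fw4_pre_input.nft"`, and using those names in both hunks keeps a future rename from silently leaving fw4 pointed at a stale file. A template that fails to render also leaves an empty or partial include, and `fw4 reload >"/dev/null" 2>&1` discards the resulting error; appending `|| logger -t homeproxy "fw4 reload failed"` to that line would at least surface the failure in syslog. start_service's body begins above this hunk.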
@@ -353,7 +354,8 @@ stop_service() {
 nft flush set inet fw4 "$i"
 nft delete set inet fw4 "$i"
 done 2>"/dev/null"
- echo > "$RUN_DIR/fw4_pre.nft" 2>"/dev/null"
+ echo > "$RUN_DIR/fw4_pre_forward.nft" 2>"/dev/null"
+ echo > "$RUN_DIR/fw4_pre_input.nft" 2>"/dev/null"
 echo > "$RUN_DIR/fw4_post.nft" 2>"/dev/null"
 fw4 reload >"/dev/null" 2>&1
diff --git a/root/etc/uci-defaults/luci-homeproxy b/root/etc/uci-defaults/luci-homeproxy
index 35abcd98..1cf0970b 100644
--- a/root/etc/uci-defaults/luci-homeproxy
+++ b/root/etc/uci-defaults/luci-homeproxy
@@ -2,10 +2,20 @@
 uci -q batch <<-EOF >"/dev/null"
 delete firewall.homeproxy_pre
- set firewall.homeproxy_pre=include
- set firewall.homeproxy_pre.type=nftables
- set firewall.homeproxy_pre.path="/var/run/homeproxy/fw4_pre.nft"
- set firewall.homeproxy_pre.position="table-pre"
+
+ delete firewall.homeproxy_pre_input
+ set firewall.homeproxy_pre_input=include
+ set firewall.homeproxy_pre_input.type=nftables
+ set firewall.homeproxy_pre_input.path="/var/run/homeproxy/fw4_pre_input.nft"
+ set firewall.homeproxy_pre_input.position="chain-pre"
+ set firewall.homeproxy_pre_input.position="input"
+
+ delete firewall.homeproxy_pre_forward
+ set firewall.homeproxy_pre_forward=include
+ set firewall.homeproxy_pre_forward.type=nftables
+ set firewall.homeproxy_pre_forward.path="/var/run/homeproxy/fw4_pre_forward.nft"
+ set firewall.homeproxy_pre_forward.position="chain-pre"
+ set firewall.homeproxy_pre_forward.position="forward"
 delete firewall.homeproxy_post
 set firewall.homeproxy_post=include