
chore(init): rewrite func to add pub_access rule with nft

ZiMing Mo пре 3 година

+ 26 - 25
root/etc/init.d/unblockneteasemusic

@@ -73,19 +73,18 @@ start_service()
 	[ "${hijack_ways}" = "use_hosts" ] && { http_port="80"; https_port="443"; }
 	append_param "-p" "${http_port}":"${https_port}"
 
-	if is_enabled "config" "pub_access"; then
-		if [ -e "$(command -v fw4)" ]; then
-			uci -q batch <<-EOF
-				add firewall rule
-				set firewall.@rule[-1].name='unblockneteasemusic_pub_access'
-				set firewall.@rule[-1].proto='tcp'
-				set firewall.@rule[-1].src='wan'
-				set firewall.@rule[-1].dest_port='${http_port}-${https_port}'
-				set firewall.@rule[-1].target='ACCEPT'
-				commit firewall
-			EOF
-			fw4 reload
+	if [ -e "$(command -v fw4)" ]; then
+		json_init
+		if is_enabled "config" "pub_access"; then
+			json_add_int o_pub_access "1"
 		else
+			json_add_int o_pub_access "0"
+		fi
+		json_add_int o_http_port "${http_port}"
+		json_add_int o_https_port "${https_port}"
+		json_add_string o_hijack_ways "${hijack_ways}"
+	else
+		if is_enabled "config" "pub_access"; then
 			iptables -I "INPUT" -p "tcp" --dport "${http_port}" -j "ACCEPT"
 			iptables -I "INPUT" -p "tcp" --dport "${https_port}" -j "ACCEPT"
 			echo "${http_port}:${https_port}" > "/tmp/$NAME.ports"
@@ -129,6 +128,7 @@ start_service()
 	procd_set_param respawn
 
 	local lan_addr="$(uci -q get network.lan.ipaddr)"
+	local tmp="/tmp/$NAME"
 	if [ "${hijack_ways}" = "use_ipset" ]; then
 		# TODO: wating for dnsmasq support nftset
 		mkdir -p "/tmp/dnsmasq.d"
@@ -189,11 +189,8 @@ start_service()
 		local netease_music_ips="$(uclient-fetch -qO- "http://httpdns.n.netease.com/httpdns/v2/d?domain=music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.data.*.ip.*')"
 		local netease_music_ips2="$(uclient-fetch -qO- "https://music.httpdns.c.163.com/d" --post-data="music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.dns.*["ips"].*')"
 		if [ -e "$(command -v fw4)" ]; then
-			local tmp="/tmp/$NAME"
 			local neteasemusic_addr="$(echo -e "${netease_music_ips}\n${netease_music_ips2}" |sort -u |awk '{print $1}')"
-			json_init
-			json_add_int o_http_port "${http_port}"
-			json_add_int o_https_port "${https_port}"
+
 			json_add_string o_acl_http_addr "$acl_http_addr"
 			json_add_string o_acl_https_addr "$acl_https_addr"
 			json_add_string o_neteasemusic_addr "$neteasemusic_addr"
@@ -241,6 +238,19 @@ start_service()
 		/etc/init.d/dnsmasq reload
 
 		ip route add "223.252.199.10" dev lo
+		if [ -e "$(command -v fw4)" ]; then
+			json_dump -i >"$tmp.json"
+			if ucode -S -i "$RULES_UC" -E "$tmp.json" >"$tmp.nft" \
+				&& ! cmp -s "$tmp.nft" "$RULES_NFT"; then
+				echo "table inet chk {include \"$tmp.nft\";}" >"$tmp.nft.chk"
+				if nft -f "$tmp.nft.chk" -c; then
+					mv -f "$tmp.nft" "$RULES_NFT"
+					fw4 reload
+				fi
+				rm -f "$tmp.nft.chk"
+			fi
+			rm -f "$tmp.json" "$tmp.nft"
+		fi
 	fi
 
 	procd_close_instance
@@ -268,16 +278,7 @@ stop_service()
 	}
 
 	if [ -e "$(command -v fw4)" ]; then
-		local rule="$(uci show firewall | grep "name='unblockneteasemusic_pub_access'" | awk -F '.' '{ print $2}')"
-		[ -n "${rule}" ] && {
-			uci -q batch <<-EOF
-				delete firewall.${rule}
-				commit firewall
-			EOF
-		}
-
 		[ ! -e "$RULES_NFT" ] || rm -f "$RULES_NFT"
-
 		fw4 reload
 	else
 		[ ! -e "/tmp/$NAME.ports" ] || {
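Review bot: stop_service drops the lookup-and-delete of the persistent `unblockneteasemusic_pub_access` UCI rule, but nothing in this commit removes that rule where an earlier version committed it to /etc/config/firewall (the removed `add firewall rule ... commit firewall` batch in the first hunk), so a router upgrading with pub_access previously enabled keeps a committed WAN ACCEPT for the http/https ports alongside the new nft rules, even after pub_access is later turned off. I would keep the removed block in the fw4 branch of stop_service as a one-time cleanup guarded by `[ -n "${rule}" ]`, or run the same `uci -q delete firewall.${rule}` / `uci -q commit firewall` once from the uci-defaults script. Separately, in the fourth hunk a failed `ucode` render or a failed `nft -c` check silently leaves the previous `$RULES_NFT` active; a `logger -t "$NAME" "nft rule generation failed"` in those paths would make a stale ruleset visible. Both start_service and stop_service begin and end outside the hunks shown.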

+ 4 - 0
root/etc/uci-defaults/luci-unblockneteasemusic

@@ -5,6 +5,9 @@ uci -q batch <<-EOF >/dev/null
 	add ucitrack unblockneteasemusic
 	set ucitrack.@unblockneteasemusic[-1].init=unblockneteasemusic
 	commit ucitrack
+EOF
+[ -e "$(command -v fw4)" ] || {
+uci -q batch <<-EOF >/dev/null
 	delete firewall.unblockneteasemusic
 	set firewall.unblockneteasemusic=include
 	set firewall.unblockneteasemusic.type=script
@@ -12,6 +15,7 @@ uci -q batch <<-EOF >/dev/null
 	set firewall.unblockneteasemusic.reload=1
 	commit firewall
 EOF
+}
 
 rm -f /tmp/luci-indexcache
 exit 0
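Review bot: `delete firewall.unblockneteasemusic` now runs only when fw4 is absent, so a router that already carries the legacy `type=script` include section (the removed lines show earlier versions created it unconditionally, and a move from fw3 to fw4 keeps /etc/config/firewall) is left with a stale include on fw4 that nothing removes. I would hoist the delete above the guard, `uci -q delete firewall.unblockneteasemusic` before `[ -e "$(command -v fw4)" ] || {`, and follow the block with `uci -q commit firewall` so the removal is also committed on fw4 systems. Whether fw4 ignores or honours a `type=script` include I have not verified, but the committed config should not depend on it.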

+ 11 - 7
root/usr/share/unblockneteasemusic/debugging.sh

@@ -64,13 +64,17 @@ echo -e "\n"
 
 [ "$procd_running_status" != "running" ] || {
 	echo -e "Firewall info:"
-	iptables -t "nat" -L "netease_cloud_music" 2>"/dev/null" || echo -e 'Chain "netease_cloud_music" not found.'
-	echo -e ""
-	ipset list "neteasemusic" 2>"/dev/null" || echo -e 'Table "neteasemusic" not found.'
-	echo -e ""
-	ipset list "acl_neteasemusic_http" 2>"/dev/null" || echo -e 'Table "acl_neteasemusic_http" not found.'
-	echo -e ""
-	ipset list "acl_neteasemusic_https" 2>"/dev/null" || echo -e 'Table "acl_neteasemusic_https" not found.'
+	[ -e "$(command -v fw4)" ] && {
+		[ -e "/etc/nftables.d/90-unblockneteasemusic-rules.nft" ] && cat "/etc/nftables.d/90-unblockneteasemusic-rules.nft" || echo -e 'netease_cloud_music nft rule file not found.'
+	} || {
+		iptables -t "nat" -L "netease_cloud_music" 2>"/dev/null" || echo -e 'Chain "netease_cloud_music" not found.'
+		echo -e ""
+		ipset list "neteasemusic" 2>"/dev/null" || echo -e 'Table "neteasemusic" not found.'
+		echo -e ""
+		ipset list "acl_neteasemusic_http" 2>"/dev/null" || echo -e 'Table "acl_neteasemusic_http" not found.'
+		echo -e ""
+		ipset list "acl_neteasemusic_https" 2>"/dev/null" || echo -e 'Table "acl_neteasemusic_https" not found.'
+	}
 	echo -e ""
 	cat "/tmp/dnsmasq.d/dnsmasq-unblockneteasemusic.conf"
 	echo -e "\n"
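Review bot: The new `[ -e "$(command -v fw4)" ] && { ... } || { ... }` in the hunk is not an if/else: the iptables/ipset block also runs whenever the first block's last command exits non-zero, and that only works today because the block ends in an `|| echo` that always returns 0. Replacing the three bracketing lines with `if [ -e "$(command -v fw4)" ]; then`, `else` and `fi` makes the intent explicit and removes the dependency on the inner exit statuses. The nft path `/etc/nftables.d/90-unblockneteasemusic-rules.nft` is also hard-coded here while the init script uses `$RULES_NFT`; a comment such as `# keep in sync with RULES_NFT in /etc/init.d/unblockneteasemusic` would at least flag the coupling.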

+ 12 - 3
root/usr/share/unblockneteasemusic/rules/chain.uc

@@ -2,11 +2,21 @@
 
 let http_port = o_http_port;
 let https_port = o_https_port;
+let pub_access = o_pub_access;
+let hijack_ways = o_hijack_ways;
 
 %}
 
+{% if (pub_access == 1): %}
+chain input_wan {
+	tcp dport {{ http_port }} counter accept comment "!fw4: unblockneteasemusic-http-pub-access"
+	tcp dport {{ https_port }} counter accept comment "!fw4: unblockneteasemusic-https-pub-access"
+}
+{% endif %}
+
+{% if (hijack_ways == "use_ipset"): %}
 chain netease_cloud_music {
-	type nat hook prerouting priority -1;
+	type nat hook prerouting priority -1; policy accept;
 	meta l4proto tcp ip daddr @neteasemusic_ipv4 jump netease_cloud_music_redir;
 	meta l4proto tcp ip6 daddr @neteasemusic_ipv6 jump netease_cloud_music_redir;
 }
@@ -21,5 +31,4 @@ chain netease_cloud_music_redir {
 	tcp dport 80 counter redirect to :{{ http_port }};
 	tcp dport 443 counter redirect to :{{ https_port }};
 }
-
-
+{% endif %}
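Review bot: The pub-access `chain input_wan` block appends its two accept rules to fw4's own `input_wan` chain from an nftables.d include; if fw4 places that include after its generated rules and `input_wan` already ends in a `jump reject_from_wan` (the default wan input policy), the appended accepts sit behind the reject and never match, which would silently undo the pub_access option this commit migrates. I have not verified fw4's include position here, so check with `nft list chain inet fw4 input_wan` after `fw4 reload`; if the accepts come after the jump, register the file as a `firewall.include` with `option position chain-pre` and `option chain input_wan`, or keep the UCI `firewall.rule` the first file section removed. The chain name also hard-codes a zone named `wan`, as the old `src='wan'` did; a comment such as `# fw4 derives this chain name from the zone; a renamed WAN zone gets no rule` would warn the next reader.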

+ 4 - 1
root/usr/share/unblockneteasemusic/rules/default.uc

@@ -1,6 +1,9 @@
 {%
 
-include("set.uc");
+let hijack_ways = o_hijack_ways;
+if (hijack_ways == "use_ipset") {
+    include("set.uc");
+}
 include("chain.uc");
 
 %}
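Review bot: The new `if` block uses four-space indentation while chain.uc in this commit and the rest of the template use tabs; `	include("set.uc");` keeps the files consistent. A one-line comment above the guard would also help, since the reason is only visible in chain.uc: `// the ipsets are only referenced by the use_ipset hijack chain (chain.uc)`. Note that for any `hijack_ways` value other than `use_ipset` the rendered file contains no nat chain at all, which appears to be intended here but is worth stating.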