
refactor: rewrite nft rules and code lint

Signed-off-by: Tianling Shen <[email protected]>
Tianling Shen 2 år sedan
förälder
incheckning
d6e8aa3823

+ 1 - 1
htdocs/luci-static/resources/view/unblockneteasemusic/status.js

@@ -180,7 +180,7 @@ return view.extend({
 			);
 
 			poll.add(L.bind(function() {
-				return fs.read('/tmp/unblockneteasemusic.log', 'text')
+				return fs.read('/var/run/unblockneteasemusic/run.log', 'text')
 				.then(function(res) {
 					var log = E('pre', { 'wrap': 'pre' }, [
 						res.trim() || _('当前无日志。')

+ 87 - 64
root/etc/init.d/unblockneteasemusic

@@ -10,12 +10,12 @@ STOP=10
 
 NAME="unblockneteasemusic"
 UPGRADE_CONF="/lib/upgrade/keep.d/$NAME"
+UNM_DIR="/usr/share/$NAME"
+RUN_DIR="/var/run/$NAME"
 
 IPT_N="iptables -t nat"
-
+IPT_INPUT_RULE="unblockneteasemusic_input_rule"
 FW4="$(command -v fw4)"
-RULES_UC="/usr/share/$NAME/rules/default.uc"
-RULES_NFT="/etc/nftables.d/90-$NAME-rules.nft"
 
 is_enabled() {
 	local enabled
@@ -91,15 +91,15 @@ start_service() {
 	local update_time
 	config_get update_time "config" "update_time" "3"
 	sed -i "/$NAME/d" /etc/crontabs/root
-	is_enabled "config" "auto_update" && echo "0 ${update_time} * * * /usr/share/$NAME/update.sh update_core" >> "/etc/crontabs/root"
-	echo "*/5 * * * * /usr/share/$NAME/log_check.sh" >> "/etc/crontabs/root"
+	is_enabled "config" "auto_update" && echo "0 ${update_time} * * * $UNM_DIR/update.sh update_core" >> "/etc/crontabs/root"
 	/etc/init.d/cron restart
 
-	[ ! -s "/usr/share/$NAME/core/app.js" ] && { rm -f "/usr/share/$NAME/local_ver"; sh "/usr/share/$NAME/update.sh" "update_core_non_restart"; }
-	[ ! -s "/usr/share/$NAME/core/app.js" ] && { echo "Core Not Found, please download it before starting." >> "/tmp/$NAME.log"; exit 1; }
+	mkdir -p "$RUN_DIR"
+	[ ! -s "$UNM_DIR/core/app.js" ] && { rm -f "$UNM_DIR/local_ver"; sh "$UNM_DIR/update.sh" "update_core_non_restart"; }
+	[ ! -s "$UNM_DIR/core/app.js" ] && { echo "Core Not Found, please download it before starting." >> "$RUN_DIR/run.log"; return 1; }
 
 	procd_open_instance "$NAME"
-	procd_set_param command node "/usr/share/$NAME/core/app.js"
+	procd_set_param command node "$UNM_DIR/core/app.js"
 	append_param "-a" "0.0.0.0"
 
 	local http_port https_port hijack_ways
@@ -111,22 +111,17 @@ start_service() {
 
 	if [ -n "$FW4" ]; then
 		json_init
-		if is_enabled "config" "pub_access"; then
-			json_add_int o_pub_access "1"
-		else
-			json_add_int o_pub_access "0"
-		fi
-		json_add_int o_http_port "${http_port}"
-		json_add_int o_https_port "${https_port}"
-		json_add_string o_hijack_ways "${hijack_ways}"
+		json_add_int http_port "${http_port}"
+		json_add_int https_port "${https_port}"
+		json_add_string hijack_ways "${hijack_ways}"
 	else
 		if is_enabled "config" "pub_access"; then
-			iptables -I "INPUT" -p "tcp" --dport "${http_port}" -j "ACCEPT"
-			iptables -I "INPUT" -p "tcp" --dport "${https_port}" -j "ACCEPT"
-			echo "${http_port}:${https_port}" > "/tmp/$NAME.ports"
+			iptables -N "$IPT_RULE_NAME"
+			iptables -t filter -I INPUT -j "$IPT_RULE_NAME"
+			iptables -t filter -A "$IPT_RULE_NAME" -p tcp --dport "${http_port}" -j ACCEPT
+			iptables -t filter -A "$IPT_RULE_NAME" -p tcp --dport "${https_port}" -j ACCEPT
 
-			mkdir -p "/var/etc/"
-			echo "/etc/init.d/$NAME restart" > "/var/etc/$NAME.include"
+			echo "/etc/init.d/$NAME restart" > "$RUN_DIR/fw3.include"
 		fi
 	fi
 
@@ -139,15 +134,15 @@ start_service() {
 
 	local log_level
 	config_get log_level "config" "log_level" "info"
-	procd_set_param env LOG_FILE="/tmp/$NAME.log"
+	procd_set_param env LOG_FILE="$RUN_DIR/run.log"
 	procd_append_param env LOG_LEVEL="$log_level"
 
 	append_param_env "config" "joox_cookie" "JOOX_COOKIE"
 	append_param_env "config" "migu_cookie" "MIGU_COOKIE"
 	append_param_env "config" "qq_cookie" "QQ_COOKIE"
 	append_param_env "config" "youtube_key" "YOUTUBE_KEY"
-	append_param_env "config" "self_issue_cert_crt" "SIGN_CERT" "/usr/share/$NAME/core/server.crt"
-	append_param_env "config" "self_issue_cert_key" "SIGN_KEY" "/usr/share/$NAME/core/server.key"
+	append_param_env "config" "self_issue_cert_crt" "SIGN_CERT" "$UNM_DIR/core/server.crt"
+	append_param_env "config" "self_issue_cert_key" "SIGN_KEY" "$UNM_DIR/core/server.key"
 
 	append_param_boolenv "config" "follow_source_order" "FOLLOW_SOURCE_ORDER"
 	append_param_boolenv "config" "search_album" "SEARCH_ALBUM"
@@ -188,23 +183,48 @@ start_service() {
 			${settype}=/clientlog.music.163.com/${nftflag}neteasemusic
 			${settype}=/clientlog3.music.163.com/${nftflag}neteasemusic
 		EOF
-		/etc/init.d/dnsmasq reload
+		/etc/init.d/dnsmasq reload 2>"/dev/null"
 
-		[ -n "$FW4" ] || {
+		if [ -z "$FW4" ]; then
 			ipset create "acl_neteasemusic_http" hash:ip
 			ipset create "acl_neteasemusic_https" hash:ip
 			ipset create "neteasemusic" hash:ip
-		}
+		fi
 		config_foreach append_filter_client "acl_rule"
 
 		local netease_music_ips="$(uclient-fetch -qO- "http://httpdns.n.netease.com/httpdns/v2/d?domain=music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.data.*.ip.*')"
 		local netease_music_ips2="$(uclient-fetch -qO- "https://music.httpdns.c.163.com/d" --post-data="music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.dns.*["ips"].*')"
 		if [ -n "$FW4" ]; then
-			local neteasemusic_addr="$(echo -e "${netease_music_ips}\n${netease_music_ips2}" | sort -u | awk '{print $1}')"
-
-			json_add_string o_acl_http_addr "$(echo -e "${acl_http_addr}" | sort -u | awk '{print $1}')"
-			json_add_string o_acl_https_addr "$(echo -e "${acl_https_addr}" | sort -u | awk '{print $1}')"
-			json_add_string o_neteasemusic_addr "$neteasemusic_addr"
+			json_add_string acl_http_addr "$(echo -e "${acl_http_addr}" | sort -u)"
+			json_add_string acl_https_addr "$(echo -e "${acl_https_addr}" | sort -u)"
+			json_add_string neteasemusic_addr "$(echo -e "${netease_music_ips}\n${netease_music_ips2}" | sort -u)"
+
+			json_dump > "$RUN_DIR/fw4.info"
+			utpl -F "$RUN_DIR/fw4.info" -S "$UNM_DIR/nftables.ut" > "$RUN_DIR/fw4.nft"
+
+			if is_enabled "config" "pub_access"; then
+				procd_open_data
+				json_add_array firewall
+					json_add_object ""
+					json_add_string type rule
+					json_add_string name "Allow-access-UNM-http-$http_port"
+					json_add_string src "*"
+					json_add_string dest_port "$http_port"
+					json_add_string proto tcp
+					json_add_string target ACCEPT
+					json_close_object
+
+					json_add_object ""
+					json_add_string type rule
+					json_add_string name "Allow-access-UNM-https-$https_port"
+					json_add_string src "*"
+					json_add_string dest_port "$https_port"
+					json_add_string proto tcp
+					json_add_string target ACCEPT
+					json_close_object
+				json_close_array
+				procd_close_data
+			fi
 		else
 			echo -e "${netease_music_ips}\n${netease_music_ips2}" | sort -u | awk '{print "ipset add neteasemusic "$1}' | sh
 
@@ -217,8 +237,7 @@ start_service() {
 			$IPT_N -A "netease_cloud_music" -p "tcp" -m "set" ! --match-set "acl_neteasemusic_https" "src" --dport "443" -j "REDIRECT" --to-ports "${https_port}"
 			$IPT_N -I "PREROUTING" -p "tcp" -m "set" --match-set "neteasemusic" "dst" -j "netease_cloud_music"
 
-			mkdir -p "/var/etc/"
-			echo "/etc/init.d/$NAME restart" > "/var/etc/$NAME.include"
+			echo "/etc/init.d/$NAME restart" > "$RUN_DIR/fw3.include"
 		fi
 	elif [ "${hijack_ways}" = "use_hosts" ]; then
 		mkdir -p "/tmp/dnsmasq.d"
@@ -234,24 +253,23 @@ start_service() {
 			address=/clientlog3.music.163.com/${lan_addr}
 			address=/music.httpdns.c.163.com/0.0.0.0
 		EOF
-		/etc/init.d/dnsmasq reload
+		/etc/init.d/dnsmasq reload 2>"/dev/null"
 
 		ip route add "223.252.199.10" dev lo
 	fi
 
-	if [ -n "$FW4" ]; then
-		local nft_tmp="/tmp/$NAME"
-		json_dump -i > "$nft_tmp.json"
-		if utpl -F "$nft_tmp.json" -S "$RULES_UC" > "$nft_tmp.nft" && ! cmp -s "$nft_tmp.nft" "$RULES_NFT"; then
-			echo "table inet chk {include \"$nft_tmp.nft\";}" > "$nft_tmp.nft.chk"
-			! nft -f "$nft_tmp.nft.chk" -c || { mv -f "$nft_tmp.nft" "$RULES_NFT"; fw4 reload; }
-		fi
-		rm -f "$nft_tmp.json" "$nft_tmp.nft" "$nft_tmp.nft.chk"
-	fi
+	procd_close_instance
 
+	procd_open_instance "log-check"
+	procd_set_param command "$UNM_DIR/log_check.sh"
+	procd_set_param respawn
 	procd_close_instance
 }
 
+service_started() {
+	[ -z "$FW4" ] || procd_set_config_changed firewall
+}
+
 stop_service() {
 	config_load "$NAME"
 
@@ -260,52 +278,57 @@ stop_service() {
 
 	rm -f "${UPGRADE_CONF}"
 	is_enabled "config" "keep_core_when_upgrade" && {
-		echo "/usr/share/$NAME/core/" >> "${UPGRADE_CONF}"
-		echo "/usr/share/$NAME/local_ver" >> "${UPGRADE_CONF}"
+		echo "$UNM_DIR/core/" >> "${UPGRADE_CONF}"
+		echo "$UNM_DIR/local_ver" >> "${UPGRADE_CONF}"
 	}
 
 	local self_issue_cert_crt self_issue_cert_key
 	config_get "self_issue_cert_crt" "config" "self_issue_cert_crt"
 	config_get "self_issue_cert_key" "config" "self_issue_cert_key"
-	{ [ -f "${self_issue_cert_crt}" ] && [ -f "${self_issue_cert_key}" ]; } && {
+	if [ -f "${self_issue_cert_crt}" ] && [ -f "${self_issue_cert_key}" ]; then
 		echo "${self_issue_cert_crt}" >> "${UPGRADE_CONF}"
 		echo "${self_issue_cert_key}" >> "${UPGRADE_CONF}"
-	}
+	fi
 
 	local chain settable
 	if [ -n "$FW4" ]; then
 		for chain in "netease_cloud_music_redir" "netease_cloud_music"; do
 			nft flush chain inet fw4 "$chain" 2>"/dev/null"
+			nft delete chain inet fw4 "$chain" 2>"/dev/null"
 		done
-		for settable in "acl_neteasemusic_http" "acl_neteasemusic_https" "local_addr" "neteasemusic"; do
+		for settable in "acl_neteasemusic_http" "acl_neteasemusic_https" "neteasemusic"; do
 			nft flush set inet fw4 "$settable" 2>"/dev/null"
+			nft delete set inet fw4 "$settable" 2>"/dev/null"
 		done
 
-		rm -f "$RULES_NFT"
-		fw4 reload
+		rm -f "$RUN_DIR/fw4.info"
+		echo > "$RUN_DIR/fw4.nft"
 	else
-		[ ! -e "/tmp/$NAME.ports" ] || {
-			iptables -D "INPUT" -p "tcp" --dport "$(awk -F ':' '{print $1}' "/tmp/$NAME.ports")" -j "ACCEPT"
-			iptables -D "INPUT" -p "tcp" --dport "$(awk -F ':' '{print $2}' "/tmp/$NAME.ports")" -j "ACCEPT"
-			rm -f "/tmp/$NAME.ports"
-		}
-		$IPT_N -D "PREROUTING" -p "tcp" -m set --match-set "neteasemusic" "dst" -j "netease_cloud_music"
-		$IPT_N -F "netease_cloud_music"
-		$IPT_N -X "netease_cloud_music"
-
-		for settable in "acl_neteasemusic_http" "acl_neteasemusic_https" "local_addr" "neteasemusic"; do
+		iptables -t filter -D INPUT -j "$IPT_RULE_NAME" 2>"/dev/null"
+		iptables -F "$IPT_RULE_NAME" 2>"/dev/null"
+		iptables -X "$IPT_RULE_NAME" 2>"/dev/null"
+
+		$IPT_N -D "PREROUTING" -p "tcp" -m set --match-set "neteasemusic" "dst" -j "netease_cloud_music" 2>"/dev/null"
+		$IPT_N -F "netease_cloud_music" 2>"/dev/null"
+		$IPT_N -X "netease_cloud_music" 2>"/dev/null"
+
+		for settable in "acl_neteasemusic_http" "acl_neteasemusic_https" "neteasemusic"; do
 			ipset destroy "$settable" 2>"/dev/null"
 		done
 
-		echo "" > "/var/etc/$NAME.include"
+		echo > "$RUN_DIR/fw3.include"
 	fi
 
 	rm -f "/tmp/dnsmasq.d/dnsmasq-$NAME.conf"
-	/etc/init.d/dnsmasq reload
+	/etc/init.d/dnsmasq reload 2>"/dev/null"
 
 	ip route del "223.252.199.10" 2>"/dev/null"
 
-	rm -f "/tmp/$NAME.log"
+	rm -f "$RUN_DIR/run.log"
+}
+
+service_stopped() {
+	[ -z "$FW4" ] || procd_set_config_changed firewall
 }
 
 reload_service() {
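Review bot: `IPT_RULE_NAME` is never defined anywhere in this file — the header hunk adds `IPT_INPUT_RULE="unblockneteasemusic_input_rule"`, but the fw3 `pub_access` branch of start_service and the teardown in stop_service reference `$IPT_RULE_NAME`, so on iptables systems `iptables -N ""` fails, the INPUT accept rules for the two ports are never installed, and the `2>/dev/null` on the stop side hides the matching failure. Either rename the variable to `IPT_RULE_NAME="unblockneteasemusic_input_rule"` or use `$IPT_INPUT_RULE` at the six call sites. Separately, the removed block that ran `nft -f … -c` on the generated rules before installing them has no replacement: `fw4.nft` is now rendered straight from the template and handed to fw4 as an include, so one malformed token in the ACL config or in the httpdns responses breaks the next firewall reload instead of being rejected here — consider keeping the scratch-table `nft -c` pre-check and writing an empty include when it fails. start_service and stop_service both extend beyond the hunks shown.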

+ 13 - 3
root/etc/uci-defaults/luci-unblockneteasemusic

@@ -9,16 +9,26 @@ uci -q batch <<-EOF >"/dev/null"
 	delete ucitrack.@unblockneteasemusic[-1]
 	commit ucitrack
 EOF
-[ -e "$(command -v fw4)" ] || {
+
+if [ -e "$(command -v fw4)" ]; then
+	uci -q batch <<-EOF >"/dev/null"
+		delete firewall.unblockneteasemusic
+		set firewall.unblockneteasemusic=include
+		set firewall.unblockneteasemusic.type=nftables
+		set firewall.unblockneteasemusic.path=/var/run/unblockneteasemusic/fw4.nft
+		set firewall.unblockneteasemusic.position=table-post
+		commit firewall
+	EOF
+else
 	uci -q batch <<-EOF >"/dev/null"
 		delete firewall.unblockneteasemusic
 		set firewall.unblockneteasemusic=include
 		set firewall.unblockneteasemusic.type=script
-		set firewall.unblockneteasemusic.path=/var/etc/unblockneteasemusic.include
+		set firewall.unblockneteasemusic.path=/var/run/unblockneteasemusic/fw3.include
 		set firewall.unblockneteasemusic.reload=1
 		commit firewall
 	EOF
-}
+fi
 
 rm -f /tmp/luci-indexcache
 exit 0
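Review bot: The nftables include now points at `/var/run/unblockneteasemusic/fw4.nft`, but nothing guarantees that file exists when fw4 first loads: `/var/run` is volatile, the init script writes `fw4.nft` only inside its `use_ipset` branch on start and writes an empty one on stop, so after a reboot with `use_hosts` configured (or before the service has started at all) the include path is dangling. Unless fw4 silently skips a missing nftables include — I have not verified that it does — the whole ruleset load fails on that boot. The init script should `mkdir -p "$RUN_DIR"` and `touch "$RUN_DIR/fw4.nft"` unconditionally so the include is always a valid, possibly empty, file.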

+ 6 - 5
root/usr/bin/unm-debug

@@ -3,14 +3,15 @@
 
 command -v "curl" >"/dev/null" || { echo -e "curl is not found."; exit 1; }
 
-mkdir -p "/tmp"
-/usr/share/unblockneteasemusic/debugging.sh 2>&1 | tee "/tmp/unm-debugging-output.txt"
+RUN_DIR="/var/run/unblockneteasemusic"
+mkdir -p "$RUN_DIR"
+/usr/share/unblockneteasemusic/debugging.sh 2>&1 | tee "$RUN_DIR/unm-debugging-output.txt"
 
-catbox_link="$(curl -fsS -F "reqtype=fileupload" -F "time=72h" -F "fileToUpload=@/tmp/unm-debugging-output.txt" "https://litterbox.catbox.moe/resources/internals/api.php")"
-transfer_link="$(curl -fsS --upload-file "/tmp/unm-debugging-output.txt" "https://transfer.sh/unm-debugging-output.txt")"
+catbox_link="$(curl -fsS -F "reqtype=fileupload" -F "time=72h" -F "fileToUpload=@$RUN_DIR/unm-debugging-output.txt" "https://litterbox.catbox.moe/resources/internals/api.php")"
+transfer_link="$(curl -fsS --upload-file "$RUN_DIR/unm-debugging-output.txt" "https://transfer.sh/unm-debugging-output.txt")"
 echo -e "\n"
 echo -e "Log is available at:"
 echo -e "$catbox_link"
 echo -e "$transfer_link"
 
-rm -f "/tmp/unm-debugging-output.txt"
+rm -f "$RUN_DIR/unm-debugging-output.txt"

+ 2 - 2
root/usr/share/rpcd/acl.d/luci-app-unblockneteasemusic.json

@@ -4,10 +4,10 @@
 		"read": {
 			"file": {
 				"/etc/init.d/unblockneteasemusic": [ "exec" ],
-				"/tmp/unblockneteasemusic.log": [ "read" ],
 				"/usr/bin/unm-debug": [ "exec" ],
 				"/usr/share/unblockneteasemusic/update.sh": [ "exec" ],
-				"/usr/share/unblockneteasemusic/core/ca.crt": [ "read" ]
+				"/usr/share/unblockneteasemusic/core/ca.crt": [ "read" ],
+				"/var/run/unblockneteasemusic/run.log": [ "read" ]
 			},
 			"ubus": {
 				"service": [ "list" ]

+ 1 - 1
root/usr/share/unblockneteasemusic/debugging.sh

@@ -111,4 +111,4 @@ echo -e "\n"
 	echo -e ""
 }
 
-cat "/tmp/$NAME.log" 2>"/dev/null" || echo -e "Log is not avaiable."
+cat "/var/run/$NAME/run.log" 2>"/dev/null" || echo -e "Log is not avaiable."

+ 8 - 5
root/usr/share/unblockneteasemusic/log_check.sh

@@ -1,11 +1,14 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-3.0-only
-# Copyright (C) 2019-2022 Tianling Shen <[email protected]>
+# Copyright (C) 2019-2023 Tianling Shen <[email protected]>
 
 NAME="unblockneteasemusic"
 
-log_max_size="4" #使用KB计算
-log_file="/tmp/$NAME.log"
+log_max_size="10" #使用KB计算
+log_file="/var/run/$NAME/run.log"
 
-log_size="$(expr $(ls -l "${log_file}" | awk -F ' ' '{print $5}') / "1024")"
-[ "${log_size}" -lt "${log_max_size}" ] || echo "" > "${log_file}"
+while true; do
+	[ -s "$log_file" ] || continue
+	[ "$(( $(ls -l "$log_file" | awk -F ' ' '{print $5}') / 1024 >= log_max_size))" -eq "0" ] || echo "" > "$log_file"
+	sleep 300
+done
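Review bot: The `continue` in the empty-log guard skips the `sleep 300`, so while `run.log` is missing or empty — the normal state right after `stop_service` removes it and before the core has logged anything — this loop spins at full CPU under procd's respawn. Make the guard `[ -s "$log_file" ] || { sleep 300; continue; }`, or move the sleep to the top of the loop body. The size probe could also be `$(wc -c < "$log_file")` instead of parsing `ls -l` columns, which is simpler and not dependent on `ls` output format.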

+ 67 - 0
root/usr/share/unblockneteasemusic/nftables.ut

@@ -0,0 +1,67 @@
+#!/usr/bin/utpl -S
+
+{% if (acl_http_addr): -%}
+set acl_neteasemusic_http {
+	type ipv4_addr;
+	flags interval;
+	auto-merge;
+
+	elements = {
+		{% for (let addr in split(trim(acl_http_addr), '\n')): %}
+		{{ addr }},
+		{% endfor %}
+	};
+}
+{% endif -%}
+
+{% if (acl_https_addr): %}
+set acl_neteasemusic_https {
+	type ipv4_addr;
+	flags interval;
+	auto-merge;
+
+	elements = {
+		{% for (let addr in split(trim(acl_https_addr), '\n')): %}
+		{{ addr }},
+		{% endfor %}
+	};
+}
+{% endif -%}
+
+{% if (hijack_ways === 'use_ipset'): %}
+set neteasemusic {
+	type ipv4_addr;
+	flags interval;
+	auto-merge;
+
+	elements = {
+		{% for (let addr in split(trim(neteasemusic_addr), '\n')): %}
+		{{ addr }},
+		{% endfor %}
+	}
+}
+
+chain netease_cloud_music {
+	type nat hook prerouting priority -1; policy accept;
+	meta l4proto tcp ip daddr @neteasemusic jump netease_cloud_music_redir;
+}
+
+chain netease_cloud_music_redir {
+	ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
+		169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24,
+		192.0.2.0/24, 192.31.196.0/24, 192.52.193.0/24,
+		192.88.99.0/24, 192.168.0.0/16, 192.175.48.0/24,
+		198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24,
+		224.0.0.0/4, 240.0.0.0/4 } counter return;
+
+	{% if (acl_http_addr): %}
+	ip saddr @acl_neteasemusic_http tcp dport 80 counter return;
+	{% endif %}
+	{% if (acl_https_addr): %}
+	ip saddr @acl_neteasemusic_https tcp dport 443 counter return;
+	{% endif %}
+
+	tcp dport 80 counter redirect to :{{ http_port }};
+	tcp dport 443 counter redirect to :{{ https_port }};
+}
+{% endif %}
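Review bot: Every `{{ addr }}` in the three `elements = { … }` blocks is spliced into the ruleset unescaped and unvalidated, and `neteasemusic_addr` is built from the httpdns responses fetched in the init script (one of them over plain http), so a non-address token there — or simply an empty response, which `split(trim(''), '\n')` turns into a lone `,` — yields a broken `fw4.nft` that fails the whole fw4 include. The removed `rules/set.uc` at least skipped blank tokens; this template should filter each list through an IPv4/prefix match before rendering, and emit a set only when it has elements. The `{% if (acl_http_addr): %}` guards around the `ip saddr @acl_… return` rules, and the `use_ipset` guard around the NAT chain, need to test the same filtered lists so a rule never references a set that was not emitted. Something like the helper below, applied to all three sets.

```ucode
{%
// Keep only plain IPv4 addresses or prefixes: these values come from UCI
// and from remote httpdns replies, and any other token breaks the include.
function addr_list(str) {
	let res = [];
	for (let addr in split(trim(str ?? ''), '\n')) {
		addr = trim(addr);
		if (match(addr, /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?$/))
			push(res, addr);
	}
	return res;
}
let http_addrs = addr_list(acl_http_addr);
let https_addrs = addr_list(acl_https_addr);
let netease_addrs = addr_list(neteasemusic_addr);
%}

{% if (length(http_addrs)): -%}
set acl_neteasemusic_http {
	type ipv4_addr;
	flags interval;
	auto-merge;

	elements = {
		{% for (let addr in http_addrs): %}
		{{ addr }},
		{% endfor %}
	};
}
{% endif -%}
{# … unchanged: acl_neteasemusic_https set, guarded by length(https_addrs) … #}
{# … unchanged: neteasemusic set and NAT chains, guarded by hijack_ways === 'use_ipset' && length(netease_addrs), with the saddr return rules guarded by length(http_addrs) / length(https_addrs) … #}
```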

+ 0 - 30
root/usr/share/unblockneteasemusic/rules/chain.uc

@@ -1,30 +0,0 @@
-{%
-
-let http_port = o_http_port;
-let https_port = o_https_port;
-let pub_access = o_pub_access;
-let hijack_ways = o_hijack_ways;
-
-%}
-
-{% if (pub_access == 1): %}
-chain input_wan {
-	tcp dport {{ http_port }} counter accept comment "!fw4: unblockneteasemusic-http-pub-access"
-	tcp dport {{ https_port }} counter accept comment "!fw4: unblockneteasemusic-https-pub-access"
-}
-{% endif %}
-
-{% if (hijack_ways == "use_ipset"): %}
-chain netease_cloud_music {
-	type nat hook prerouting priority -1; policy accept;
-	meta l4proto tcp ip daddr @neteasemusic jump netease_cloud_music_redir;
-}
-
-chain netease_cloud_music_redir {
-	ip daddr @local_addr return;
-	ip saddr @acl_neteasemusic_http accept;
-	ip saddr @acl_neteasemusic_https accept;
-	tcp dport 80 counter redirect to :{{ http_port }};
-	tcp dport 443 counter redirect to :{{ https_port }};
-}
-{% endif %}

+ 0 - 9
root/usr/share/unblockneteasemusic/rules/default.uc

@@ -1,9 +0,0 @@
-{%
-
-let hijack_ways = o_hijack_ways;
-if (hijack_ways == "use_ipset") {
-    include("set.uc");
-}
-include("chain.uc");
-
-%}

+ 0 - 73
root/usr/share/unblockneteasemusic/rules/set.uc

@@ -1,73 +0,0 @@
-{%
-
-let o_local_bypass = "
-	0.0.0.0/8
-	10.0.0.0/8
-	100.64.0.0/10
-	127.0.0.0/8
-	169.254.0.0/16
-	172.16.0.0/12
-	192.0.0.0/24
-	192.0.2.0/24
-	192.31.196.0/24
-	192.52.193.0/24
-	192.88.99.0/24
-	192.168.0.0/16
-	192.175.48.0/24
-	198.18.0.0/15
-	198.51.100.0/24
-	203.0.113.0/24
-	224.0.0.0/4
-	240.0.0.0/4
-";
-
-let set_suffix = {
-	"acl_neteasemusic_http": {
-		str: o_acl_http_addr,
-	},
-	"acl_neteasemusic_https": {
-		str: o_acl_https_addr,
-	},
-	"local_addr": {
-		str: o_local_bypass,
-	},
-	"neteasemusic": {
-		str: o_neteasemusic_addr,
-	},
-};
-
-function set_elements_parse(res, str) {
-	for (let addr in split(str, /[ \t\n]/)) {
-		addr = trim(addr);
-		if (!addr) continue;
-		push(res, addr);
-	}
-}
-
-function set_elements(suf) {
-	let obj = set_suffix[suf];
-	let res = [];
-	let addr;
-
-	let str = obj["str"];
-	if (str) {
-		set_elements_parse(res, str);
-	}
-
-	return res;
-}
-%}
-
-{% for (let suf in set_suffix): %}
-set {{ suf }} {
-	type ipv4_addr;
-	flags interval;
-{%   let elems = set_elements(suf); if (length(elems)): %}
-	elements = {
-{%     for (let i = 0; i < length(elems); i++): %}
-		{{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %}
-{%     endfor %}
-	}
-{%   endif %}
-}
-{% endfor %}

+ 32 - 27
root/usr/share/unblockneteasemusic/update.sh

@@ -3,11 +3,16 @@
 # Copyright (C) 2019-2023 Tianling Shen <[email protected]>
 
 NAME="unblockneteasemusic"
-LOCK="/tmp/$NAME.update_core.lock"
+UNM_DIR="/usr/share/$NAME"
+RUN_DIR="/var/run/$NAME"
+mkdir -p "$RUN_DIR"
+
+LOCK="$RUN_DIR/update_core.lock"
+LOG="$RUN_DIR/run.log"
 
 check_core_if_already_running() {
 	if [ -e "$LOCK" ]; then
-		echo -e "\nA task is already running." >> "/tmp/$NAME.log"
+		echo -e "\nA task is already running." >> "$LOG"
 		exit 2
 	else
 		touch "$LOCK"
@@ -15,24 +20,24 @@ check_core_if_already_running() {
 }
 
 clean_log(){
-	echo "" > "/tmp/$NAME.log"
+	echo "" > "$LOG"
 }
 
 check_core_latest_version() {
 	core_latest_ver="$(uclient-fetch -qO- 'https://api.github.com/repos/UnblockNeteaseMusic/server/commits?sha=enhanced&path=precompiled' | jsonfilter -e '@[0].sha')"
-	[ -n "${core_latest_ver}" ] || { echo -e "\nFailed to check latest core version, please try again later." >> "/tmp/$NAME.log"; rm -f "$LOCK"; exit 1; }
-	if [ ! -e "/usr/share/$NAME/core_local_ver" ]; then
+	[ -n "${core_latest_ver}" ] || { echo -e "\nFailed to check latest core version, please try again later." >> "$LOG"; rm -f "$LOCK"; exit 1; }
+	if [ ! -e "$$UNM_DIR/core_local_ver" ]; then
 		clean_log
-		echo -e "Local version: NOT FOUND, latest version: ${core_latest_ver}." >> "/tmp/$NAME.log"
+		echo -e "Local version: NOT FOUND, latest version: ${core_latest_ver}." >> "$LOG"
 		update_core
 	else
-		if [ "$(cat /usr/share/$NAME/core_local_ver)" != "${core_latest_ver}" ]; then
+		if [ "$(cat $UNM_DIR/core_local_ver)" != "${core_latest_ver}" ]; then
 			clean_log
-			echo -e "Local version: $(cat /usr/share/$NAME/core_local_ver 2>"/dev/null"), latest version: ${core_latest_ver}." >> "/tmp/$NAME.log"
+			echo -e "Local version: $(cat $UNM_DIR/core_local_ver 2>"/dev/null"), latest version: ${core_latest_ver}." >> "$LOG"
 			update_core
 		else
-			echo -e "\nLocal version: $(cat /usr/share/$NAME/core_local_ver 2>"/dev/null"), latest version: ${core_latest_ver}." >> "/tmp/$NAME.log"
-			echo -e "You're already using the latest version." >> "/tmp/$NAME.log"
+			echo -e "\nLocal version: $(cat $UNM_DIR/core_local_ver 2>"/dev/null"), latest version: ${core_latest_ver}." >> "$LOG"
+			echo -e "You're already using the latest version." >> "$LOG"
 			rm -f "$LOCK"
 			exit 3
 		fi
@@ -40,16 +45,16 @@ check_core_latest_version() {
 }
 
 update_core() {
-	echo -e "Updating core..." >> "/tmp/$NAME.log"
+	echo -e "Updating core..." >> "$LOG"
 
-	mkdir -p "/usr/share/$NAME/core"
-	rm -rf "/usr/share/$NAME/core"/*
+	mkdir -p "$UNM_DIR/core"
+	rm -rf "$UNM_DIR/core"/*
 
 	for file in $(uclient-fetch -qO- "https://api.github.com/repos/UnblockNeteaseMusic/server/contents/precompiled" | jsonfilter -e '@[*].path')
 	do
-		uclient-fetch "https://fastly.jsdelivr.net/gh/UnblockNeteaseMusic/server@$core_latest_ver/$file" -qO "/usr/share/$NAME/core/${file##*/}"
-		[ -s "/usr/share/$NAME/core/${file##*/}" ] || {
-			echo -e "Failed to download ${file##*/}." >> "/tmp/$NAME.log"
+		uclient-fetch "https://fastly.jsdelivr.net/gh/UnblockNeteaseMusic/server@$core_latest_ver/$file" -qO "$UNM_DIR/core/${file##*/}"
+		[ -s "$UNM_DIR/core/${file##*/}" ] || {
+			echo -e "Failed to download ${file##*/}." >> "$LOG"
 			rm -f "$LOCK"
 			exit 1
 		}
@@ -57,30 +62,30 @@ update_core() {
 
 	for cert in "ca.crt" "server.crt" "server.key"
 	do
-		uclient-fetch "https://fastly.jsdelivr.net/gh/UnblockNeteaseMusic/server@enhanced/${cert}" -qO "/usr/share/$NAME/core/${cert}"
-		[ -s "/usr/share/$NAME/core/${cert}" ] || {
-			echo -e "Failed to download ${cert}." >> "/tmp/$NAME.log"
+		uclient-fetch "https://fastly.jsdelivr.net/gh/UnblockNeteaseMusic/server@enhanced/${cert}" -qO "$UNM_DIR/core/${cert}"
+		[ -s "$UNM_DIR/core/${cert}" ] || {
+			echo -e "Failed to download ${cert}." >> "$LOG"
 			rm -f "$LOCK"
 			exit 1
 		}
 	done
 
-	echo -e "${core_latest_ver}" > "/usr/share/$NAME/core_local_ver"
+	echo -e "${core_latest_ver}" > "$UNM_DIR/core_local_ver"
 	[ -n "${non_restart}" ] || /etc/init.d/"$NAME" restart
 
-	echo -e "Succeeded in updating core." > "/tmp/$NAME.log"
-	echo -e "Current core version: ${core_latest_ver}.\n" >> "/tmp/$NAME.log"
+	echo -e "Succeeded in updating core." > "$LOG"
+	echo -e "Current core version: ${core_latest_ver}.\n" >> "$LOG"
 	rm -f "$LOCK"
 }
 
 case "$1" in
 	"check_version")
-		if [ ! -e "/usr/share/$NAME/core_local_ver" ] || [ ! -e "/usr/share/$NAME/core/app.js" ]; then
+		if [ ! -e "$UNM_DIR/core_local_ver" ] || [ ! -e "$UNM_DIR/core/app.js" ]; then
 			echo -e "Not installed."
 			exit 2
 		else
-			version="$(node "/usr/share/$NAME/core/app.js" -v)"
-			commit="$(cat "/usr/share/$NAME/core_local_ver" | head -c7)"
+			version="$(node "$UNM_DIR/core/app.js" -v)"
+			commit="$(cat "$UNM_DIR/core_local_ver" | head -c7)"
 			echo "$version ($commit)"
 			exit 0
 		fi
@@ -95,8 +100,8 @@ case "$1" in
 		check_core_latest_version
 		;;
 	"remove_core")
-		/etc/init.d/"$NAME" stop
-		rm -rf "/usr/share/$NAME/core" "/usr/share/$NAME/core_local_ver" "$LOCK"
+		"/etc/init.d/$NAME" stop
+		rm -rf "$UNM_DIR/core" "$UNM_DIR/core_local_ver" "$LOCK"
 		;;
 	*)
 		echo -e "Usage: $0/update.sh check_version | update_core | remove_core"
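Review bot: `"$$UNM_DIR/core_local_ver"` in check_core_latest_version expands `$$` to the shell's PID, so the existence test runs against a path like `12345/usr/share/unblockneteasemusic/core_local_ver` that never exists; every scheduled `update_core` run therefore takes the "Local version: NOT FOUND" branch, wipes `core/`, re-downloads everything and restarts the service even when the installed version already matches. The line should read `if [ ! -e "$UNM_DIR/core_local_ver" ]; then`. check_core_latest_version continues past the end of that hunk.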