fix: dnsmasq jail adaptation; firewall improvements

ffgan · Nov 22, 2024 · 06df32d · 06df32d
1 parent fd3e3ac
commit 06df32d
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 8 deletions.
diff --git a/core/root/etc/init.d/xray_core b/core/root/etc/init.d/xray_core
@@ -100,14 +100,25 @@ gen_config_file() {
     [ ! "${#custom_config}" == "0" ] && echo ${custom_config} > /var/etc/xray/config_custom.json
 }
 
+setup_dnsmasq_instance() {
+    mkdir -p $1
+    utpl /usr/share/xray/dnsmasq_include.ut > $1/xray.conf
+    logger -st xray[$$] -p4 $(cat $1/xray.conf)
+}
+
 setup_dnsmasq() {
-    utpl /usr/share/xray/dnsmasq_include.ut > /tmp/dnsmasq.d/xray.conf
-    logger -st xray[$$] -p4 $(cat /tmp/dnsmasq.d/xray.conf)
+    if [ "$(uci_get_by_type general dnsmasq_integration_mode)" == "per_instance" ]; then
+        for instance in $(uci_get_by_type general dnsmasq_instances); do
+            setup_dnsmasq_instance /tmp/dnsmasq.${instance}.d
+        done
+    else
+        setup_dnsmasq_instance /tmp/dnsmasq.d
+    fi
     /etc/init.d/dnsmasq restart > /dev/null 2>&1
 }
 
 flush_dnsmasq() {
-    rm -f /tmp/dnsmasq.d/xray.conf
+    rm -f /tmp/dnsmasq.d/xray.conf /tmp/dnsmasq.*.d/xray.conf
     /etc/init.d/dnsmasq restart > /dev/null 2>&1
 }
 

diff --git a/core/root/usr/share/xray/firewall_include.ut b/core/root/usr/share/xray/firewall_include.ut
@@ -105,25 +105,25 @@
     const ttl_hop_limit_match = int(general.ttl_hop_limit_match);
     const dynamic_direct_tcp4 = function () {
         if (general.dynamic_direct_tcp4 == "1") {
-            return `add @tp_spec_dv4_dt { ip daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
+            return `update @tp_spec_dv4_dt { ip daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
         }
         return "";
     }();
     const dynamic_direct_tcp6 = function () {
         if (general.dynamic_direct_tcp6 == "1") {
-            return `add @tp_spec_dv6_dt { ip6 daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
+            return `update @tp_spec_dv6_dt { ip6 daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
         }
         return "";
     }();
     const dynamic_direct_udp4 = function () {
         if (general.dynamic_direct_udp4 == "1") {
-            return `add @tp_spec_dv4_du { ip daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
+            return `update @tp_spec_dv4_du { ip daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
         }
         return "";
     }();
     const dynamic_direct_udp6 = function () {
         if (general.dynamic_direct_udp6 == "1") {
-            return `add @tp_spec_dv6_du { ip6 daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
+            return `update @tp_spec_dv6_du { ip6 daddr timeout ${general.dynamic_direct_timeout || 300}s }`;
         }
         return "";
     }();
@@ -371,6 +371,10 @@
 
     chain xray_prerouting {
         type filter hook prerouting priority mangle {{ firewall_priority }}; policy accept;
+{% if (length(general.ttl_override_bypass_ports) > 0): %}
+        tcp dport { {{ join(', ', general.ttl_override_bypass_ports) }} } {{ counter }} accept
+        udp dport { {{ join(', ', general.ttl_override_bypass_ports) }} } {{ counter }} accept
+{% endif %}
 {% if (ttl_override > 0): %}
         ip ttl {{ ttl_hop_limit_match }} {{ counter }} ip ttl set {{ ttl_override }}
 {% endif %}

diff --git a/core/root/www/luci-static/resources/view/xray/preview.js b/core/root/www/luci-static/resources/view/xray/preview.js
@@ -1,10 +1,15 @@
 'use strict';
 'require form';
+'require uci';
 'require view';
 'require view.xray.shared as shared';
 
 return view.extend({
-    render: function () {
+    load: function () {
+        return uci.load("dhcp");
+    },
+
+    render: function (result) {
         const m = new form.Map(shared.variant, _('Xray (preview)'), _("WARNING: These features are experimental, may cause a lot of problems and are not guaranteed to be compatible across minor versions."));
 
         let s = m.section(form.TypedSection, 'general');
@@ -13,6 +18,22 @@ return view.extend({
 
         s.tab("dns_hijack", _("DNS Hijacking"));
 
+        let dnsmasq_integration_mode = s.taboption('dns_hijack', form.ListValue, 'dnsmasq_integration_mode', _('Dnsmasq Integration Mode'), _('Global mode may not work on OpenWrt 24.10 or later; per instance mode is NOT supported on OpenWrt 23.05 or earlier.'));
+        dnsmasq_integration_mode.value("global", _("Global"));
+        dnsmasq_integration_mode.value("per_instance", _("Per Instance"));
+        dnsmasq_integration_mode.default = "global";
+
+        let dnsmasq_instances = s.taboption('dns_hijack', form.MultiValue, 'dnsmasq_instances', _('Integrated Instances'), _('Select none to disable dnsmasq integration. This could also be used to avoid conflicts with other DNS services, for example<br/>AdGuard Home. Some features like manual transparent proxy with associated domain names still need dnsmasq integration.'));
+        dnsmasq_instances.depends("dnsmasq_integration_mode", "per_instance");
+        for (let i of uci.sections("dhcp", "dnsmasq")) {
+            dnsmasq_instances.value(i[".name"], function () {
+                if (i[".anonymous"]) {
+                    return _("Default instance");
+                }
+                return `${_("Instance")} "${i[".name"]}"`;
+            }());
+        }
+
         let dns_tcp_hijack = s.taboption('dns_hijack', form.Value, 'dns_tcp_hijack', _('Hijack TCP DNS Requests'), _("Redirect all outgoing TCP requests with destination port 53 to the address specified. In most cases not necessary."));
         dns_tcp_hijack.datatype = 'ip4addrport';
 
@@ -38,6 +59,9 @@ return view.extend({
         let ttl_hop_limit_match = s.taboption('firewall', form.Value, 'ttl_hop_limit_match', _('TTL / Hop Limit Match'), _("Only override TTL / hop limit for packets with specific TTL / hop limit."));
         ttl_hop_limit_match.datatype = 'uinteger';
 
+        let ttl_override_bypass_ports = s.taboption('firewall', form.DynamicList, 'ttl_override_bypass_ports', _('Ports to bypass TTL override'), _("Do not override TTL for packets with these destination TCP / UDP ports."));
+        ttl_override_bypass_ports.datatype = 'port';
+
         s.tab("sniffing", _("Sniffing"));
 
         s.taboption('sniffing', form.Flag, 'tproxy_sniffing', _('Enable Sniffing'), _('Route requests according to domain settings in "DNS Settings" tab in core settings. Deprecated; use FakeDNS instead.'));