diff --git a/box/scripts/box.config b/box/scripts/box.config index 14cf1e3..2a23565 100755 --- a/box/scripts/box.config +++ b/box/scripts/box.config @@ -9,6 +9,7 @@ clash_dns_listen="0.0.0.0:${clash_dns_port}" fake_ip_range_v4="198.18.0.0/15" fake_ip_range_v6="fc00::/18" tun_device="tun0" +tun_forward="enable" box_user_group="root:net_admin" # If you want to change the user or group, you must make the Box core in the /system/bin directory, otherwise the changes will not take effect. diff --git a/box/scripts/box.service b/box/scripts/box.service index 71e8f26..4a1a346 100755 --- a/box/scripts/box.service +++ b/box/scripts/box.service @@ -37,24 +37,6 @@ log() { esac } -create_tun_link() { - mkdir -p /dev/net - [ ! -L /dev/net/tun ] && ln -s /dev/tun /dev/net/tun -} - -probe_tun_device() { - ifconfig | grep -q ${tun_device} || return 1 -} - -forward() { - iptables -w 100 $1 FORWARD -o ${tun_device} -j ACCEPT - iptables -w 100 $1 FORWARD -i ${tun_device} -j ACCEPT - ip6tables -w 100 $1 FORWARD -o ${tun_device} -j ACCEPT - ip6tables -w 100 $1 FORWARD -i ${tun_device} -j ACCEPT - echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter=2 - echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter=2 -} - check_permission() { if which ${bin_name} | grep -q "/system/bin/" ; then box_user=$(echo ${box_user_group} | awk -F ':' '{print $1}') @@ -186,15 +168,12 @@ display_bin_status() { start_service() { if check_permission ; then log Info "${bin_name} will be started with the ${box_user_group} user group." - [ "${proxy_method}" != "TPROXY" ] && create_tun_link if start_bin && wait_bin_listen ; then log Info "${bin_name} service is running. ( PID: $(cat ${pid_file}) )" - probe_tun_device && forward -I return 0 else if bin_pid=$(pidof ${bin_name}) ; then log Warn "${bin_name} service is running but may not listening. ( PID: ${bin_pid} )" - probe_tun_device && forward -I return 0 else log Error "start ${bin_name} service failed, please check the ${run_path}/error_${bin_name}.log file." 
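Review bot: The new `tun_forward="enable"` setting is added without a comment, unlike the `box_user_group` line right below it, so a reader of box.config cannot tell what it switches on or which values are accepted; in box.tproxy only the exact string `enable` selects `tun_forward_enable` and every other value runs `tun_forward_disable`. Suggested comment above the line: `# tun_forward: "enable" lets hotspot clients route through ${tun_device} (adds FORWARD/DNAT iptables rules, ip rules and turns on ip_forward); any other value removes those rules on start.` Consider as well whether `enable` should be the shipped default, since with it every start of box.tproxy turns on IPv4 forwarding and redirects UDP/53 from all non-tun interfaces.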
@@ -212,7 +191,6 @@ stop_service() {
 if display_bin_status ; then
 log Warn "stopping ${bin_name} service."
 kill $(cat ${pid_file}) || killall ${bin_name}
- forward -D >> /dev/null 2>&1
 sleep 1
 display_bin_status
 fi
diff --git a/box/scripts/box.tproxy b/box/scripts/box.tproxy
index e6cc44a..a7cd448 100755
--- a/box/scripts/box.tproxy
+++ b/box/scripts/box.tproxy 
@@ -429,6 +429,88 @@ enable_ipv6() { echo 0 > /proc/sys/net/ipv6/conf/wlan0/disable_ipv6 } +# create_tun_link() { +# mkdir -p /dev/net +# [ ! -L /dev/net/tun ] && ln -s /dev/tun /dev/net/tun +# } + +probe_tun_device() { + ifconfig | grep -q ${tun_device} || return 1 +} + +probe_tun_index() { + while [ ! -f "/data/misc/net/rt_tables" ] ; do + sleep 3 + done + cat /data/misc/net/rt_tables | while read -r index name ; do + if [ ${name} = ${tun_device} ] ; then + tun_table_index=${index} + return 0 + fi + done + return 1 +} + +tun_forward_ip_rules() { + ip rule $1 iif lo goto 6000 pref 5000 + ip rule $1 iif ${tun_device} lookup main suppress_prefixlength 0 pref 5010 + ip rule $1 iif ${tun_device} goto 6000 pref 5020 + ip rule $1 from 10.0.0.0/8 lookup ${tun_table_index} pref 5030 + ip rule $1 from 172.16.0.0/12 lookup ${tun_table_index} pref 5040 + ip rule $1 from 192.168.0.0/16 lookup ${tun_table_index} pref 5050 + ip rule $1 nop pref 6000 +} + +tun_forward_ip_rules_del() { + ip rule del pref 5000 + ip rule del pref 5010 + ip rule del pref 5020 + ip rule del pref 5030 + ip rule del pref 5040 + ip rule del pref 5050 + ip rule del pref 6000 +} + +tun_forward_iptables_rules() { + # iptables $1 FORWARD -s 10.0.0.0/8 -o ${tun_device} -j ACCEPT + # iptables $1 FORWARD -s 172.16.0.0/12 -o ${tun_device} -j ACCEPT + # iptables $1 FORWARD -s 192.168.0.0/16 -o ${tun_device} -j ACCEPT + iptables $1 FORWARD -i ${tun_device} -j ACCEPT + iptables $1 FORWARD -o ${tun_device} -j ACCEPT + # iptables $1 PREROUTING -t nat ! -i ${tun_device} -s 10.0.0.0/8 -p udp --dport 53 -j DNAT --to 1.1.1.1 + # iptables $1 PREROUTING -t nat ! -i ${tun_device} -s 172.16.0.0/12 -p udp --dport 53 -j DNAT --to 1.1.1.1 + # iptables $1 PREROUTING -t nat ! -i ${tun_device} -s 192.168.0.0/16 -p udp --dport 53 -j DNAT --to 1.1.1.1 + iptables $1 PREROUTING -t nat ! 
-i ${tun_device} -p udp --dport 53 -j DNAT --to 1.1.1.1 + ip6tables $1 FORWARD -j REJECT --reject-with icmp6-no-route +} + +tun_forward_enable() { + # create_tun_link + probe_tun_device && tun_forward_iptables_rules "-I" + probe_tun_index && tun_forward_ip_rules "add" + + echo 1 > /proc/sys/net/ipv4/ip_forward + echo 0 > /dev/ip_forward_stub + chown $(stat -c '%u:%g' /data/misc/net/rt_tables) /dev/ip_forward_stub + chcon $(stat -Z -c '%C' /data/misc/net/rt_tables) /dev/ip_forward_stub + mount -o bind /dev/ip_forward_stub /proc/sys/net/ipv4/ip_forward + + log Info "tun hotspot support is enabled." +} + +tun_forward_disable() { + # tun_forward_ip_rules "del" >> /dev/null 2>&1 + tun_forward_ip_rules_del >> /dev/null 2>&1 + tun_forward_iptables_rules "-D" >> /dev/null 2>&1 + log Warn "tun hotspot support is disabled." +} + +if [ "${tun_forward}" = "enable" ] ; then + tun_forward_enable +else + tun_forward_disable +fi + if [ "${proxy_mode}" = "core" ] ; then iptables="iptables -w 100" && stop_tproxy >> /dev/null 2>&1 iptables="ip6tables -w 100" && stop_tproxy >> /dev/null 2>&1 @@ -545,6 +627,12 @@ case "$1" in disable_ipv6 log Warn "disable IPv6." ;; + tun_forward_enable) + tun_forward_enable + ;; + tun_forward_disable) + tun_forward_disable + ;; *) log Error "$0 $1 usage: $0 {enable|disable|renew|enable_ipv6|disable_ipv6}" ;;
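Review bot: `tun_forward_disable` does not undo what `tun_forward_enable` did: enable writes 1 to `/proc/sys/net/ipv4/ip_forward` and bind-mounts `/dev/ip_forward_stub` (containing 0) over it, but disable only deletes the ip rules and iptables rules, never unmounts the stub or writes 0 back, so after "disable" the kernel keeps forwarding while anything reading the sysctl sees the stub's 0 rather than the real state. `probe_tun_index` has a second problem: the `cat … | while read` loop is a pipeline, so in shells that run pipeline elements in a subshell the `tun_table_index=${index}` assignment and the `return 0` never reach the function, leaving `tun_forward_ip_rules "add"` to run with an empty table index or not at all, and the `sleep 3` wait for rt_tables has no upper bound. The new iptables calls also drop the `-w 100` lock wait that the removed `forward()` in box.service used and that this file's `iptables="iptables -w 100"` convention keeps, and because `-I` runs on every invocation with no prior `-D`, repeated starts stack duplicate ACCEPT/DNAT rules while disable removes only one copy of each. Finally, `! -i ${tun_device} -p udp --dport 53 -j DNAT --to 1.1.1.1` redirects DNS from every non-tun interface, not just hotspot clients, to a hard-coded external resolver; the commented-out RFC1918-scoped variants directly above it are the narrower form, and whichever is kept should say why in a comment.
```shell
probe_tun_index() {
    # Bounded wait for netd to publish its routing-table names (20 x 3 s).
    tun_index_tries=0
    while [ ! -f "/data/misc/net/rt_tables" ] ; do
        [ "${tun_index_tries}" -ge 20 ] && return 1
        tun_index_tries=$((tun_index_tries + 1))
        sleep 3
    done
    # Assign in the current shell, not inside a pipeline, so the value survives.
    tun_table_index=$(awk -v dev="${tun_device}" '$2 == dev { print $1; exit }' /data/misc/net/rt_tables)
    [ -n "${tun_table_index}" ]
}

# … unchanged: tun_forward_ip_rules, tun_forward_ip_rules_del, tun_forward_iptables_rules …

tun_forward_enable() {
    # Drop any copies left by a previous run so -I does not stack duplicates.
    tun_forward_ip_rules_del >> /dev/null 2>&1
    tun_forward_iptables_rules "-D" >> /dev/null 2>&1
    # … unchanged: probes, rule insertion, ip_forward stub bind mount, log …
}

tun_forward_disable() {
    tun_forward_ip_rules_del >> /dev/null 2>&1
    tun_forward_iptables_rules "-D" >> /dev/null 2>&1
    # Undo the stub mount so the sysctl is real again, then actually turn forwarding off.
    if grep -q " /proc/sys/net/ipv4/ip_forward " /proc/mounts ; then
        umount /proc/sys/net/ipv4/ip_forward
    fi
    echo 0 > /proc/sys/net/ipv4/ip_forward
    log Warn "tun hotspot support is disabled."
}
```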
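Review bot: The two new `case` branches are not reflected in the usage message of the `*)` fallback, which still lists only `{enable|disable|renew|enable_ipv6|disable_ipv6}`; change it to `log Error "$0 $1 usage: $0 {enable|disable|renew|enable_ipv6|disable_ipv6|tun_forward_enable|tun_forward_disable}"`. Note also that the top-level `if [ "${tun_forward}" = "enable" ]` block added earlier in this same commit runs on every invocation before the `case "$1"` is reached, so `$0 tun_forward_disable` first re-enables forwarding when the config says `enable`, and `$0 tun_forward_enable` first disables it for any other value; the explicit commands only behave as named if that block is removed or guarded on `$1` (for example run only from the `enable`/`disable` branches). The rest of the `case` statement lies outside the hunk.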