

set iptables mark with xor mask to avoid change OEM mark
CHIZI-0618 committed May 17, 2024
1 parent 0ce0440 commit f900e66
Showing 1 changed file with 51 additions and 47 deletions.
98 changes: 51 additions & 47 deletions box/scripts/box.tproxy
Expand Up @@ -6,7 +6,8 @@ scripts=$(realpath $0)
scripts_dir=$(dirname ${scripts})

source ${scripts_dir}/box.config
id="222"
mark_id="16777216/16777216"
table_id="2024"
# routing_mark="233"

log() {
Expand Down Expand Up @@ -162,11 +163,11 @@ stop_redirect() {

start_tproxy() {
if [ "${iptables}" = "ip6tables -w 100" ] ; then
ip -6 rule add fwmark ${id} table ${id} pref ${id}
ip -6 route add local default dev lo table ${id}
ip -6 rule add fwmark ${mark_id} table ${table_id} pref ${table_id}
ip -6 route add local default dev lo table ${table_id}
else
ip rule add fwmark ${id} table ${id} pref ${id}
ip route add local default dev lo table ${id}
ip rule add fwmark ${mark_id} table ${table_id} pref ${table_id}
ip route add local default dev lo table ${table_id}
fi

${iptables} -t mangle -N BOX_EXTERNAL
Expand All @@ -178,13 +179,13 @@ start_tproxy() {
# Bypass other if
# Notice: Some interface is named with r_ / oem / nm_ / qcom_
# It might need more complicated solution.
# ${iptables} -t mangle -I BOX_EXTERNAL -i rmnet_data+ -j RETURN
# ${iptables} -t mangle -I BOX_EXTERNAL -i ccmni+ -j RETURN
# ${iptables} -t mangle -A BOX_EXTERNAL -i rmnet_data+ -j RETURN
# ${iptables} -t mangle -A BOX_EXTERNAL -i ccmni+ -j RETURN

# Skip traffic already handled by TProxy
# If the interface of the default route has a public IPv4 or IPv6 address assigned by the ISP, omitting these rules will result in abnormal proxy behavior for local traffic, which may cause the entire network to run slower
${iptables} -t mangle -A BOX_EXTERNAL -p tcp -m socket --transparent -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_EXTERNAL -p udp -m socket --transparent -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_EXTERNAL -p tcp -m socket --transparent -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_EXTERNAL -p udp -m socket --transparent -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_EXTERNAL -m socket -j RETURN

if [ "${bin_name}" = "clash" ] ; then
Expand All @@ -198,23 +199,26 @@ start_tproxy() {
# Bypass intranet
# Run `su -c 'zcat /proc/config.gz | grep -i addrtype'` to check compatibility
# ${iptables} -t mangle -A BOX_EXTERNAL -m addrtype --dst-type LOCAL -j RETURN
for subnet6 in ${intranet6[@]} ; do
ip6tables -w 100 -t mangle -A BOX_EXTERNAL -d ${subnet6} -j RETURN
done
for subnet in ${intranet[@]} ; do
iptables -w 100 -t mangle -A BOX_EXTERNAL -d ${subnet} -j RETURN
done
if [ "${iptables}" = "ip6tables -w 100" ] ; then
for subnet6 in ${intranet6[@]} ; do
${iptables} -t mangle -A BOX_EXTERNAL -d ${subnet6} -j RETURN
done
else
for subnet in ${intranet[@]} ; do
${iptables} -t mangle -A BOX_EXTERNAL -d ${subnet} -j RETURN
done
fi

${iptables} -t mangle -A BOX_EXTERNAL -p tcp -i lo -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${id}
${iptables} -t mangle -A BOX_EXTERNAL -p udp -i lo -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${id}
${iptables} -t mangle -A BOX_EXTERNAL -p tcp -m mark --mark ${mark_id} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${mark_id}
${iptables} -t mangle -A BOX_EXTERNAL -p udp -m mark --mark ${mark_id} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${mark_id}

# Allow ap interface
# Notice: Old android device may only have one wlan interface.
# Some new android device have multiple wlan interface like wlan0(for internet), wlan1(for AP).
if [ "${ap_list}" != "" ] ; then
for ap in ${ap_list[@]} ; do
${iptables} -t mangle -A BOX_EXTERNAL -p tcp -i ${ap} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${id}
${iptables} -t mangle -A BOX_EXTERNAL -p udp -i ${ap} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${id}
${iptables} -t mangle -A BOX_EXTERNAL -p tcp -i ${ap} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${mark_id}
${iptables} -t mangle -A BOX_EXTERNAL -p udp -i ${ap} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${mark_id}
done
log Info "${ap_list[*]} transparent proxy."
fi
Expand Down Expand Up @@ -247,30 +251,33 @@ start_tproxy() {
fi
# Bypass intranet
# ${iptables} -t mangle -A BOX_LOCAL -m addrtype --dst-type LOCAL -j RETURN
for subnet6 in ${intranet6[@]} ; do
ip6tables -w 100 -t mangle -A BOX_LOCAL -d ${subnet6} -j RETURN
done
for subnet in ${intranet[@]} ; do
iptables -w 100 -t mangle -A BOX_LOCAL -d ${subnet} -j RETURN
done
if [ "${iptables}" = "ip6tables -w 100" ] ; then
for subnet6 in ${intranet6[@]} ; do
${iptables} -t mangle -A BOX_LOCAL -d ${subnet6} -j RETURN
done
else
for subnet in ${intranet[@]} ; do
${iptables} -t mangle -A BOX_LOCAL -d ${subnet} -j RETURN
done
fi

# Disable kernel
# ${iptables} -t mangle -A BOX_LOCAL -m owner ! --uid 0-99999999 -j DROP

if [ "${proxy_mode}" = "blacklist" ] ; then
if [ "${uid_list}" = "" ] ; then
# Route Everything
${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-xmark ${mark_id}
log Info "transparent proxy for all apps."
else
# Bypass apps
for appid in ${uid_list[@]} ; do
${iptables} -t mangle -A BOX_LOCAL -m owner --uid-owner ${appid} -j RETURN
done
# Allow !app
${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-xmark ${mark_id}
log Info "proxy mode: ${proxy_mode}, ${user_packages_list[*]} no transparent proxy."
fi
if [ "${gid_list}" != "" ] ; then
Expand All @@ -284,29 +291,29 @@ start_tproxy() {
if [ "${uid_list}" != "" ] ; then
# Route apps to Box
for appid in ${uid_list[@]} ; do
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner ${appid} -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner ${appid} -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner ${appid} -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner ${appid} -j MARK --set-xmark ${mark_id}
done
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner 0 -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner 0 -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner 0 -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner 0 -j MARK --set-xmark ${mark_id}
# Route dnsmasq to Box
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner 1052 -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner 1052 -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner 1052 -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner 1052 -j MARK --set-xmark ${mark_id}
log Info "proxy mode: ${proxy_mode}, ${user_packages_list[*]} transparent proxy."
fi
if [ "${gid_list}" != "" ] ; then
# Route gids to Box
for gid in ${gid_list[@]} ; do
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --gid-owner ${gid} -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --gid-owner ${gid} -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --gid-owner ${gid} -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --gid-owner ${gid} -j MARK --set-xmark ${mark_id}
done
log Info "proxy mode: ${proxy_mode}, GID ${gid_list[*]} transparent proxy."
fi
else
log Warn "proxy mode: ${proxy_mode} error."
# Route Everything
${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-mark ${id}
${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-xmark ${mark_id}
${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-xmark ${mark_id}
log Info "transparent proxy for all apps."
fi

Expand All @@ -316,7 +323,7 @@ start_tproxy() {
# ${iptables} -t mangle -N DIVERT
# ${iptables} -t mangle -F DIVERT

# ${iptables} -t mangle -A DIVERT -j MARK --set-mark ${id}
# ${iptables} -t mangle -A DIVERT -j MARK --set-xmark ${mark_id}
# ${iptables} -t mangle -A DIVERT -j ACCEPT

# ${iptables} -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
Expand Down Expand Up @@ -359,13 +366,10 @@ start_tproxy() {
}

stop_tproxy() {
if [ "${iptables}" = "ip6tables -w 100" ] ; then
ip -6 rule del fwmark ${id} table ${id}
ip -6 route flush table ${id}
else
ip rule del fwmark ${id} table ${id}
ip route flush table ${id}
fi
ip -6 rule del fwmark ${mark_id} table ${table_id} pref ${table_id}
ip -6 route flush table ${table_id}
ip rule del fwmark ${mark_id} table ${table_id} pref ${table_id}
ip route flush table ${table_id}

${iptables} -t mangle -D PREROUTING -j BOX_EXTERNAL

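Review bot: Dropping `-i lo` from the two TPROXY rules in BOX_EXTERNAL (`-p tcp -m mark --mark ${mark_id} -j TPROXY ...` and its udp twin) makes the ingress interface irrelevant, so any packet that reaches this chain with bit 24 already set — e.g. from a vendor mangle rule earlier in PREROUTING, the same bit space this commit is trying to stay clear of — would be diverted to the proxy port; the intended path is OUTPUT mark → table 2024 local route → re-entry on lo, so keeping both qualifiers is strictly narrower and costs nothing: `${iptables} -t mangle -A BOX_EXTERNAL -p tcp -i lo -m mark --mark ${mark_id} -j TPROXY --on-port ${tproxy_port} --tproxy-mark ${mark_id}` (same for `-p udp`). The literal `mark_id="16777216/16777216"` is read by four different consumers and deserves a comment such as `# bit 24 (0x1000000) as value/mask: --set-xmark, -m mark, --tproxy-mark and ip rule fwmark all set/test only this bit, leaving the OS's own fwmark bits intact`; writing it as `0x1000000/0x1000000` would make that readable at a glance. In stop_tproxy the IPv4 and IPv6 `ip rule del`/`ip route flush` lines now run unconditionally while start_tproxy still installs them per family under the `${iptables}` guard, so if stop_tproxy is invoked once per family (as the variable suggests) the second pass reports a missing rule every time; mirroring the guard, or adding `2>/dev/null` with a comment that the miss is expected, keeps the log clean. stop_tproxy continues below the hunk.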

