From ab61277ea98f4760265eea3c30a4cc699c2bb45a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 13 Mar 2022 13:54:42 +0800 Subject: [PATCH] update 03-13 13:54 --- luci-app-unblockneteasemusic/Makefile | 3 +- .../root/etc/init.d/unblockneteasemusic | 154 +++++++++++++----- .../share/unblockneteasemusic/rules/chain.uc | 25 +++ .../unblockneteasemusic/rules/default.uc | 6 + .../share/unblockneteasemusic/rules/set.uc | 94 +++++++++++ 5 files changed, 242 insertions(+), 40 deletions(-) create mode 100644 luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/chain.uc create mode 100644 luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/default.uc create mode 100644 luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/set.uc diff --git a/luci-app-unblockneteasemusic/Makefile b/luci-app-unblockneteasemusic/Makefile index 8a8e7d021..eae83423c 100644 --- a/luci-app-unblockneteasemusic/Makefile +++ b/luci-app-unblockneteasemusic/Makefile @@ -6,12 +6,13 @@ include $(TOPDIR)/rules.mk LUCI_TITLE:=LuCI support for UnblockNeteaseMusic LUCI_DEPENDS:=+busybox +dnsmasq-full +ipset +jsonfilter +node +uclient-fetch \ + +PACKAGE_firewall4:ucode \ @(PACKAGE_libustream-mbedtls||PACKAGE_libustream-openssl||PACKAGE_libustream-wolfssl) LUCI_PKGARCH:=all PKG_NAME:=luci-app-unblockneteasemusic PKG_VERSION:=2.12 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_MAINTAINER:=Tianling Shen diff --git a/luci-app-unblockneteasemusic/root/etc/init.d/unblockneteasemusic b/luci-app-unblockneteasemusic/root/etc/init.d/unblockneteasemusic index dcbec0e81..34f27ee2a 100755 --- a/luci-app-unblockneteasemusic/root/etc/init.d/unblockneteasemusic +++ b/luci-app-unblockneteasemusic/root/etc/init.d/unblockneteasemusic 
@@ -12,6 +12,8 @@ NAME="unblockneteasemusic" UPGRADE_CONF="/lib/upgrade/keep.d/$NAME" IPT_N="iptables -t nat" +RULES_UC="/usr/share/$NAME/rules/default.uc" +RULES_NFT="/etc/nftables.d/90-$NAME-rules.nft" is_enabled() { local enabled @@ -72,12 +74,25 @@ start_service() append_param "-p" "${http_port}":"${https_port}" if is_enabled "config" "pub_access"; then - iptables -I "INPUT" -p "tcp" --dport "${http_port}" -j "ACCEPT" - iptables -I "INPUT" -p "tcp" --dport "${https_port}" -j "ACCEPT" - echo "${http_port}:${https_port}" > "/tmp/$NAME.ports" + if [ -e "$(command -v fw4)" ]; then + uci -q batch <<-EOF + add firewall rule + set firewall.@rule[-1].name='unblockneteasemusic_pub_access' + set firewall.@rule[-1].proto='tcp' + set firewall.@rule[-1].src='wan' + set firewall.@rule[-1].dest_port='${http_port}-${https_port}' + set firewall.@rule[-1].target='ACCEPT' + commit firewall + EOF + fw4 reload + else + iptables -I "INPUT" -p "tcp" --dport "${http_port}" -j "ACCEPT" + iptables -I "INPUT" -p "tcp" --dport "${https_port}" -j "ACCEPT" + echo "${http_port}:${https_port}" > "/tmp/$NAME.ports" - mkdir -p "/var/etc/" - echo "/etc/init.d/$NAME restart" > "/var/etc/$NAME.include" + mkdir -p "/var/etc/" + echo "/etc/init.d/$NAME restart" > "/var/etc/$NAME.include" + fi fi local music_source @@ -113,9 +128,9 @@ start_service() procd_set_param stderr 1 procd_set_param respawn - local lan_addr - lan_addr="$(uci -q get network.lan.ipaddr)" + local lan_addr="$(uci -q get network.lan.ipaddr)" if [ "${hijack_ways}" = "use_ipset" ]; then + # TODO: wating for dnsmasq support nftset mkdir -p "/tmp/dnsmasq.d" rm -f "/tmp/dnsmasq.d/dnsmasq-$NAME.conf" cat <<-EOF > "/tmp/dnsmasq.d/dnsmasq-$NAME.conf" 
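Review bot: `set firewall.@rule[-1].dest_port='${http_port}-${https_port}'` in the pub_access hunk opens every port between the two values, not just the two listen ports, so whenever they are not adjacent a whole range is accepted from wan, whereas the iptables branch right below accepts the two ports individually. fw4's dest_port takes a space-separated list, so `set firewall.@rule[-1].dest_port='${http_port} ${https_port}'` keeps the old scope. Because the batch ends in `commit firewall`, the rule is persisted to /etc/config/firewall and survives reboots and crashes until stop_service removes it by name, unlike the runtime-only iptables rules; that deserves a comment, and a check that no rule of that name already exists before another is added. start_service starts outside the hunk.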
@@ -130,42 +145,85 @@ start_service() EOF /etc/init.d/dnsmasq reload - ipset create "acl_neteasemusic_http" hash:ip - ipset create "acl_neteasemusic_https" hash:ip - ip_addr_num="$(uci show "$NAME" | grep -c "filter_mode")" + [ -e "$(command -v fw4)" ] || { + ipset create "acl_neteasemusic_http" hash:ip + ipset create "acl_neteasemusic_https" hash:ip + ipset create "neteasemusic" hash:ip + } + + local ip_addr_num="$(uci show "$NAME" | grep -c "filter_mode")" let ip_addr_num="ip_addr_num-1" + local acl_http_addr acl_https_addr [ "${ip_addr_num}" -ge "0" ] && for i in $(seq 0 "${ip_addr_num}") do ip_addr="$(uci_get_by_name "acl_rule" "ip_addr" "" "$i")" filter_mode="$(uci_get_by_name "acl_rule" "filter_mode" "" "$i")" + case "${filter_mode}" in "disable_http") - ipset -! add "acl_neteasemusic_http" "${ip_addr}" + if [ -e "$(command -v fw4)" ];then + acl_http_addr="${acl_http_addr}${ip_addr}\n" + else + ipset -! add "acl_neteasemusic_http" "${ip_addr}" + fi ;; "disable_https") - ipset -! add "acl_neteasemusic_https" "${ip_addr}" + if [ -e "$(command -v fw4)" ]; then + acl_https_addr="${acl_https_addr}${ip_addr}\n" + else + ipset -! add "acl_neteasemusic_https" "${ip_addr}" + fi ;; "disable_all") - ipset -! add "acl_neteasemusic_http" "${ip_addr}" - ipset -! add "acl_neteasemusic_https" "${ip_addr}" + if [ -e "$(command -v fw4)" ]; then + acl_http_addr="${acl_http_addr}${ip_addr}\n" + acl_https_addr="${acl_https_addr}${ip_addr}\n" + else + ipset -! add "acl_neteasemusic_http" "${ip_addr}" + ipset -! 
add "acl_neteasemusic_https" "${ip_addr}" + fi ;; esac done - ipset create "neteasemusic" hash:ip - netease_music_ips="$(uclient-fetch -qO- "http://httpdns.n.netease.com/httpdns/v2/d?domain=music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.data.*.ip.*')" - netease_music_ips2="$(uclient-fetch -qO- "https://music.httpdns.c.163.com/d" --post-data="music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.dns.*["ips"].*')" - echo -e "${netease_music_ips}\n${netease_music_ips2}" |sort -u |awk '{print "ipset add neteasemusic "$1}' |sh - $IPT_N -N "netease_cloud_music" - for local_addr in "0.0.0.0/8" "10.0.0.0/8" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.168.0.0/16" "224.0.0.0/4" "240.0.0.0/4"; do - $IPT_N -A "netease_cloud_music" -d "${local_addr}" -j "RETURN" - done - $IPT_N -A "netease_cloud_music" -p "tcp" -m "set" ! --match-set "acl_neteasemusic_http" "src" --dport "80" -j "REDIRECT" --to-ports "${http_port}" - $IPT_N -A "netease_cloud_music" -p "tcp" -m "set" ! 
--match-set "acl_neteasemusic_https" "src" --dport "443" -j "REDIRECT" --to-ports "${https_port}" - $IPT_N -I "PREROUTING" -p "tcp" -m "set" --match-set "neteasemusic" "dst" -j "netease_cloud_music" + local netease_music_ips="$(uclient-fetch -qO- "http://httpdns.n.netease.com/httpdns/v2/d?domain=music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.data.*.ip.*')" + local netease_music_ips2="$(uclient-fetch -qO- "https://music.httpdns.c.163.com/d" --post-data="music.163.com,interface.music.163.com,interface3.music.163.com,apm.music.163.com,apm3.music.163.com,clientlog.music.163.com,clientlog3.music.163.com" |jsonfilter -e '@.dns.*["ips"].*')" + if [ -e "$(command -v fw4)" ]; then + local tmp="/tmp/$NAME" + local neteasemusic_addr="$(echo -e "${netease_music_ips}\n${netease_music_ips2}" |sort -u |awk '{print $1}')" + json_init + json_add_int o_http_port "${http_port}" + json_add_int o_https_port "${https_port}" + json_add_string o_acl_http_addr "$acl_http_addr" + json_add_string o_acl_https_addr "$acl_https_addr" + json_add_string o_neteasemusic_addr "$neteasemusic_addr" + json_dump -i >"$tmp.json" - mkdir -p "/var/etc/" - echo "/etc/init.d/$NAME restart" > "/var/etc/$NAME.include" + if ucode -S -i "$RULES_UC" -E "$tmp.json" >"$tmp.nft" \ + && ! 
cmp -s "$tmp.nft" "$RULES_NFT"; then + echo "table inet chk {include \"$tmp.nft\";}" >"$tmp.nft.chk" + if nft -f "$tmp.nft.chk" -c; then + mv -f "$tmp.nft" "$RULES_NFT" + fw4 reload + fi + rm -f "$tmp.nft.chk" + fi + rm -f "$tmp.json" "$tmp.nft" + else + echo -e "${netease_music_ips}\n${netease_music_ips2}" |sort -u |awk '{print "ipset add neteasemusic "$1}' |sh + + $IPT_N -N "netease_cloud_music" + for local_addr in "0.0.0.0/8" "10.0.0.0/8" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.168.0.0/16" "224.0.0.0/4" "240.0.0.0/4"; do + $IPT_N -A "netease_cloud_music" -d "${local_addr}" -j "RETURN" + done + + $IPT_N -A "netease_cloud_music" -p "tcp" -m "set" ! --match-set "acl_neteasemusic_http" "src" --dport "80" -j "REDIRECT" --to-ports "${http_port}" + $IPT_N -A "netease_cloud_music" -p "tcp" -m "set" ! --match-set "acl_neteasemusic_https" "src" --dport "443" -j "REDIRECT" --to-ports "${https_port}" + $IPT_N -I "PREROUTING" -p "tcp" -m "set" --match-set "neteasemusic" "dst" -j "netease_cloud_music" + + mkdir -p "/var/etc/" + echo "/etc/init.d/$NAME restart" > "/var/etc/$NAME.include" + fi elif [ "${hijack_ways}" = "use_hosts" ]; then mkdir -p "/tmp/dnsmasq.d" rm -f "/tmp/dnsmasq.d/dnsmasq-$NAME.conf" @@ -200,6 +258,7 @@ stop_service() echo "/usr/share/$NAME/core/" >> "${UPGRADE_CONF}" echo "/usr/share/$NAME/local_ver" >> "${UPGRADE_CONF}" } + local self_issue_cert_crt self_issue_cert_key config_get "self_issue_cert_crt" "config" "self_issue_cert_crt" config_get "self_issue_cert_key" "config" "self_issue_cert_key" 
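Review bot: `acl_http_addr="${acl_http_addr}${ip_addr}\n"` (and the three sibling lines under disable_https and disable_all) appends a literal backslash and n rather than a newline, since double quotes do not interpret `\n` in ash; json_add_string escapes it as `\\n`, and set.uc's `split(str, /[ \t\n]/)` then never splits, so a configured ACL address reaches the set as `192.0.2.1\n` (constructed example) instead of as an element. The `nft -f "$tmp.nft.chk" -c` check consequently fails and the redirect rules are silently not installed for any user with at least one acl_rule. Separating with a space, `acl_http_addr="${acl_http_addr}${ip_addr} "`, on all four lines fixes it and set.uc's parser needs no change. The failed check leaves no trace; a `logger -t "$NAME"` line in an else branch of that `if` would make the failure visible. start_service starts and ends outside the hunk.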
@@ -208,22 +267,39 @@ stop_service() echo "${self_issue_cert_key}" >> "${UPGRADE_CONF}" } - [ -f "/tmp/$NAME.ports" ] && { - iptables -D "INPUT" -p "tcp" --dport "$(awk -F ':' 'print $1' "/tmp/$NAME.ports")" -j "ACCEPT" - iptables -D "INPUT" -p "tcp" --dport "$(awk -F ':' 'print $2' "/tmp/$NAME.ports")" -j "ACCEPT" - rm -f "/tmp/$NAME.ports" - } + if [ -e "$(command -v fw4)" ]; then + local rule="$(uci show firewall | grep "name='unblockneteasemusic_pub_access'" | awk -F '.' '{ print $2}')" + [ -n "${rule}" ] && { + uci -q batch <<-EOF + delete firewall.${rule} + commit firewall + EOF + } - $IPT_N -D "PREROUTING" -p "tcp" -m set --match-set "neteasemusic" "dst" -j "netease_cloud_music" - $IPT_N -F "netease_cloud_music" - $IPT_N -X "netease_cloud_music" - ipset destroy "neteasemusic" - ipset destroy "acl_neteasemusic_http" - ipset destroy "acl_neteasemusic_https" - echo "" > "/var/etc/$NAME.include" + [ ! -e "$RULES_NFT" ] || rm -f "$RULES_NFT" + + fw4 reload + else + [ ! -e "/tmp/$NAME.ports" ] || { + iptables -D "INPUT" -p "tcp" --dport "$(awk -F ':' 'print $1' "/tmp/$NAME.ports")" -j "ACCEPT" + iptables -D "INPUT" -p "tcp" --dport "$(awk -F ':' 'print $2' "/tmp/$NAME.ports")" -j "ACCEPT" + } + rm -f "/tmp/$NAME.ports" + + $IPT_N -D "PREROUTING" -p "tcp" -m set --match-set "neteasemusic" "dst" -j "netease_cloud_music" + $IPT_N -F "netease_cloud_music" + $IPT_N -X "netease_cloud_music" + + ipset destroy "neteasemusic" + ipset destroy "acl_neteasemusic_http" + ipset destroy "acl_neteasemusic_https" + + echo "" > "/var/etc/$NAME.include" + fi rm -f "/tmp/dnsmasq.d/dnsmasq-$NAME.conf" /etc/init.d/dnsmasq reload + ip route del "223.252.199.10" rm -f "/tmp/$NAME.log" diff --git a/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/chain.uc b/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/chain.uc new file mode 100644 index 000000000..8e513f7ef --- /dev/null 
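Review bot: The port-cleanup lines kept on the new side of the iptables branch call `awk -F ':' 'print $1'` and `'print $2'`, which is not a valid awk program (the action needs braces), so the substitution is empty, `iptables -D "INPUT" ... --dport ""` fails, and the two INPUT ACCEPT rules added by start_service remain after the service is stopped. The new code then unconditionally `rm -f`s the ports file, so a later stop cannot recover them either. `--dport "$(awk -F ':' '{ print $1 }' "/tmp/$NAME.ports")"` (and `$2` on the next line) is the fix. In the fw4 branch `rule` is taken from a grep over `uci show firewall`; if start_service has run more than once without a stop, several sections carry that name and `delete firewall.${rule}` receives a multi-line value, so iterating over the matches would be safer. stop_service starts outside the hunk.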
+++ b/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/chain.uc @@ -0,0 +1,25 @@ +{% + +let http_port = o_http_port; +let https_port = o_https_port; + +%} + +chain netease_cloud_music { + type nat hook prerouting priority -1; + meta l4proto tcp ip daddr @neteasemusic_ipv4 jump netease_cloud_music_redir; + meta l4proto tcp ip6 daddr @neteasemusic_ipv6 jump netease_cloud_music_redir; +} + +chain netease_cloud_music_redir { + ip daddr @local_addr_ipv4 return; + ip saddr @acl_neteasemusic_http_ipv4 accept; + ip saddr @acl_neteasemusic_https_ipv4 accept; + ip6 daddr @local_addr_ipv6 return; + ip6 saddr @acl_neteasemusic_http_ipv6 accept; + ip6 saddr @acl_neteasemusic_https_ipv6 accept; + tcp dport 80 counter redirect to :{{ http_port }}; + tcp dport 443 counter redirect to :{{ https_port }}; +} + + diff --git a/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/default.uc b/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/default.uc new file mode 100644 index 000000000..9b9388a99 --- /dev/null +++ b/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/default.uc @@ -0,0 +1,6 @@ +{% + +include("set.uc"); +include("chain.uc"); + +%} diff --git a/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/set.uc b/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/set.uc new file mode 100644 index 000000000..0bcf372ac --- /dev/null +++ b/luci-app-unblockneteasemusic/root/usr/share/unblockneteasemusic/rules/set.uc 
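Review bot: `ip saddr @acl_neteasemusic_http_ipv4 accept;` (and its https and ip6 counterparts) ends processing for every packet from that source, so a host placed in the disable_http ACL now also escapes the port-443 redirect and vice versa, whereas the iptables rules this replaces only excluded each set from its own port. Scoping each exclusion to its port restores the old behaviour, and `return` keeps it consistent with the local_addr lines above it.
```ucode
chain netease_cloud_music_redir {
	# … unchanged: local_addr_ipv4 return …
	ip saddr @acl_neteasemusic_http_ipv4 tcp dport 80 return;
	ip saddr @acl_neteasemusic_https_ipv4 tcp dport 443 return;
	# … unchanged: local_addr_ipv6 return …
	ip6 saddr @acl_neteasemusic_http_ipv6 tcp dport 80 return;
	ip6 saddr @acl_neteasemusic_https_ipv6 tcp dport 443 return;
	# … unchanged: redirect rules …
```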
@@ -0,0 +1,94 @@ +{% + +let local_addr4 = " + 0.0.0.0/8 + 10.0.0.0/8 + 100.64.0.0/10 + 127.0.0.0/8 + 169.254.0.0/16 + 172.16.0.0/12 + 192.0.0.0/24 + 192.0.2.0/24 + 192.31.196.0/24 + 192.52.193.0/24 + 192.88.99.0/24 + 192.168.0.0/16 + 192.175.48.0/24 + 198.18.0.0/15 + 198.51.100.0/24 + 203.0.113.0/24 + 224.0.0.0/4 + 240.0.0.0/4 +"; +let local_addr6 = " + ::1/128 + ::/128 + ::ffff:0:0/96 + 64:ff9b:1::/48 + 100::/64 + fe80::/10 + 2001::/23 + fc00::/7 +"; +let o_local_bypass = local_addr4 + " " + local_addr6; + +let set_suffix = { + "acl_neteasemusic_http": { + str: o_acl_http_addr, + }, + "acl_neteasemusic_https": { + str: o_acl_https_addr, + }, + "local_addr": { + str: o_local_bypass, + }, + "neteasemusic": { + str: o_neteasemusic_addr, + }, +}; + +function set_name(suf, af) { + if (af == 4) { + return suf+"_ipv4"; + } else { + return suf+"_ipv6"; + } +} + +function set_elements_parse(res, str, af) { + for (let addr in split(str, /[ \t\n]/)) { + addr = trim(addr); + if (!addr) continue; + if (af == 4 && index(addr, ":") != -1) continue; + if (af == 6 && index(addr, ":") == -1) continue; + push(res, addr); + } +} + +function set_elements(suf, af) { + let obj = set_suffix[suf]; + let res = []; + let addr; + + let str = obj["str"]; + if (str) { + set_elements_parse(res, str, af); + } + + return res; +} +%} + +{% for (let suf in set_suffix): for (let af in [4, 6]): %} +set {{ set_name(suf, af) }} { + type ipv{{af}}_addr; + flags interval; +{% let elems = set_elements(suf, af); if (length(elems)): %} + elements = { +{% for (let i = 0; i < length(elems); i++): %} + {{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %} +{% endfor %} + } +{% endif %} +} +{% endfor; endfor %}
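Review bot: `set_elements` declares `let addr;` and never uses it, and goes through `obj` only to read one key; the body reduces to `let str = set_suffix[suf].str;` followed by the existing `if (str)` call, which drops the unused local. Since every `set_suffix` entry is an object holding a single `str`, mapping suffix names directly to strings would also remove the indirection. A one-line comment on `set_elements_parse` stating that the input is whitespace-separated and that entries are sorted into the v4 or v6 set by the presence of a colon would help the reader of the template below.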