diff --git a/luci-app-nginx-pingos/root/etc/pingos.template b/luci-app-nginx-pingos/root/etc/pingos.template index 9e94111f9..57fad96a0 100644 --- a/luci-app-nginx-pingos/root/etc/pingos.template +++ b/luci-app-nginx-pingos/root/etc/pingos.template @@ -1,29 +1,29 @@ -user root; +user root; daemon on; master_process on; -worker_processes 1; +worker_processes 1; #worker_rlimit 4g; #error_log |TMP_PATH|/error.log; #error_log |TMP_PATH|/error.log notice; -error_log |TMP_PATH|/error.log info; +error_log |TMP_PATH|/error.log info; worker_rlimit_nofile 102400; -worker_rlimit_core 2G; -working_directory |TMP_PATH|; +worker_rlimit_core 2G; +working_directory |TMP_PATH|; pid |TMP_PATH|/pingos.pid; events { - use epoll; - worker_connections 4096; - multi_listen unix:|TMP_PATH|/http |HTTP_PORT|; - multi_listen unix:|TMP_PATH|/rtmp |RTMP_PORT|; + use epoll; + worker_connections 4096; + multi_listen unix:|TMP_PATH|/http |HTTP_PORT|; + multi_listen unix:|TMP_PATH|/rtmp |RTMP_PORT|; - dynamic_refresh_interval 5s; - dynamic_domain_buckets 1001; - resolver 114.114.114.114 valid=1m; - resolver_timeout 30s; + dynamic_refresh_interval 5s; + dynamic_domain_buckets 1001; + resolver 114.114.114.114 valid=1m; + resolver_timeout 30s; } #stream_zone buckets=1024 streams=4096; 
@@ -32,178 +32,178 @@ events { #dynamic_log |TMP_PATH|/dynamic.log info; rtmp { - log_format log_bandwidth '{"app":"$app","name":"$name","bitrate":$bitrate,"args":"$args","timestamp":$ntp,"ts":"$time_local","type":"$command","remote_addr":"$remote_addr","domain":"$domain"}'; - access_log |TMP_PATH|/bandwidth.log log_bandwidth trunc=60s; + log_format log_bandwidth '{"app":"$app","name":"$name","bitrate":$bitrate,"args":"$args","timestamp":$ntp,"ts":"$time_local","type":"$command","remote_addr":"$remote_addr","domain":"$domain"}'; + access_log |TMP_PATH|/bandwidth.log log_bandwidth trunc=60s; - server { - listen |RTMP_PORT|; - listen [::]:|RTMP_PORT| ipv6only=on; - serverid 000; - out_queue 2048; - server_name localhost; - rtmp_auto_pull on; - rtmp_auto_pull_port unix:|TMP_PATH|/rtmp; - - application push { - live on; - push rtmp://127.0.0.1:|RTMP_PORT|/live app=live; - } + server { + listen |RTMP_PORT|; + listen [::]:|RTMP_PORT| ipv6only=on; + serverid 000; + out_queue 2048; + server_name localhost; + rtmp_auto_pull on; + rtmp_auto_pull_port unix:|TMP_PATH|/rtmp; - application live { - live_record |TS_RECORD|; - live_record_path |RECORD_PATH|; + application push { + live on; + push rtmp://127.0.0.1:|RTMP_PORT|/live app=live; + } - recorder r1{ - record |FLV_RECORD|; - record_path |RECORD_PATH|; - } + application live { + live_record |TS_RECORD|; + live_record_path |RECORD_PATH|; - live on; - hls |HLS|; - hls_path |TMP_PATH|/hls; - hls_fragment 4000ms; + recorder r1{ + record |FLV_RECORD|; + record_path |RECORD_PATH|; + } + + live on; + hls |HLS|; + hls_path |TMP_PATH|/hls; + hls_fragment 4000ms; #hls_max_fragment 10000ms; - hls_playlist_length 12000ms; - hls_type live; + hls_playlist_length 12000ms; + hls_type live; - hls2 |HLS2|; - mpegts_cache_time 20s; + hls2 |HLS2|; + mpegts_cache_time 20s; - hls2_fragment 2000ms; - hls2_max_fragment 3000ms; - hls2_playlist_length 6000ms; + hls2_fragment 2000ms; + hls2_max_fragment 3000ms; + hls2_playlist_length 6000ms; - 
wait_key on; - wait_video on; - cache_time 1s; - send_all on; - low_latency off; - fix_timestamp 2s; + wait_key on; + wait_video on; + cache_time 1s; + send_all on; + low_latency off; + fix_timestamp 2s; # h265 codecid, default 12 - hevc_codecid 12; - } - } + hevc_codecid 12; + } + } } http { - include /usr/share/pingos/conf/mime.types; - default_type application/octet-stream; + include /usr/share/pingos/conf/mime.types; + default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_X-Forwarded-For" "$http_X-Real-IP" "$host"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_X-Forwarded-For" "$http_X-Real-IP" "$host"'; - access_log |TMP_PATH|/access.log main; + access_log |TMP_PATH|/access.log main; - sendfile on; - #tcp_nopush on; + sendfile on; + #tcp_nopush on; - #keepalive_timeout 0; - keepalive_timeout 65; + #keepalive_timeout 0; + keepalive_timeout 65; - #reset_server_name www.test1.com www.test2.com; - #gzip on; + #reset_server_name www.test1.com www.test2.com; + #gzip on; - upstream hlsm { - #hash $remote_addr consistent; - hash $arg_session consistent; - # 这里需要注意,你要开几个进程,就要按这个规则写几条记录 - server unix:|TMP_PATH|/http.0; - #server unix:|TMP_PATH|/http.1; - } + upstream hlsm { + #hash $remote_addr consistent; + hash $arg_session consistent; + # 这里需要注意,你要开几个进程,就要按这个规则写几条记录 + server unix:|TMP_PATH|/http.0; + #server unix:|TMP_PATH|/http.1; + } - server { - listen |HTTP_PORT|; - listen [::]:|HTTP_PORT|; - |ssl_certificate| - |ssl_certificate_key| - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 5m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location /rtmp_stat { - rtmp_stat all; - rtmp_stat_stylesheet /stat.xsl; - } + server { + listen |HTTP_PORT|; + listen [::]:|HTTP_PORT|; + |ssl_certificate| + 
|ssl_certificate_key| + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; - location /xstat { - rtmp_stat all; - } + location /rtmp_stat { + rtmp_stat all; + rtmp_stat_stylesheet /stat.xsl; + } - location /sys_stat { - sys_stat; - } - location ~ .mp4$ { - root /usr/share/pingos/html; - #mp4; - } + location /xstat { + rtmp_stat all; + } - location /control { - rtmp_control all; - } - location /flv { - flv_live |RTMP_PORT| app=live; - add_header 'Access-Control-Allow-Origin' '*'; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } - location /ts { - ts_live |RTMP_PORT| app=live; - expires -1; - add_header 'Access-Control-Allow-Origin' '*'; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } - location /hls { - # Serve HLS fragments - types { - application/vnd.apple.mpegurl m3u8; - video/mp2t ts; - } - root |TMP_PATH|; - expires -1; - add_header Cache-Control no-cache; - add_header 'Access-Control-Allow-Origin' '*'; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } + location /sys_stat { + sys_stat; + } + location ~ .mp4$ { + root /usr/share/pingos/html; + #mp4; + } - location /hlsm { - hls2_live |RTMP_PORT| app=live; - add_header 'Access-Control-Allow-Origin' '*'; - add_header Cache-Control no-cache; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" 
"Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } + location /control { + rtmp_control all; + } + location /flv { + flv_live |RTMP_PORT| app=live; + add_header 'Access-Control-Allow-Origin' '*'; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } + location /ts { + ts_live |RTMP_PORT| app=live; + expires -1; + add_header 'Access-Control-Allow-Origin' '*'; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } + location /hls { + # Serve HLS fragments + types { + application/vnd.apple.mpegurl m3u8; + video/mp2t ts; + } + root |TMP_PATH|; + expires -1; + add_header Cache-Control no-cache; + add_header 'Access-Control-Allow-Origin' '*'; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } - location /hls2 { - proxy_buffering on; - proxy_buffer_size 4k; - proxy_buffers 8 1M; - proxy_busy_buffers_size 2M; - proxy_max_temp_file_size 0; - set $hls_args location=/hls2&scheme=$scheme; -# if ($args) { -# set $hls_args $args&location=/hls2&scheme=$scheme; -# } - proxy_set_header Host $host:$server_port; - rewrite ^/(.*)/(.*)\.(.*)$ /hlsm/$2.$3?$hls_args break; - proxy_pass http://hlsm; - } + location /hlsm { + hls2_live |RTMP_PORT| app=live; + add_header 'Access-Control-Allow-Origin' '*'; + add_header Cache-Control no-cache; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header 
"Access-Control-Expose-Headers" "*"; + } - location / { - chunked_transfer_encoding on; - root /usr/share/pingos/html/; - } - } + location /hls2 { + proxy_buffering on; + proxy_buffer_size 4k; + proxy_buffers 8 1M; + proxy_busy_buffers_size 2M; + proxy_max_temp_file_size 0; + set $hls_args location=/hls2&scheme=$scheme; + #if ($args) { + # set $hls_args $args&location=/hls2&scheme=$scheme; + #} + proxy_set_header Host $host:$server_port; + rewrite ^/(.*)/(.*)\.(.*)$ /hlsm/$2.$3?$hls_args break; + proxy_pass http://hlsm; + } + + location / { + chunked_transfer_encoding on; + root /usr/share/pingos/html/; + } + } } diff --git a/luci-app-nginx-pingos/root/resource/conf-template/nginx.conf b/luci-app-nginx-pingos/root/resource/conf-template/nginx.conf index 0d80be84b..ee463fc4b 100644 --- a/luci-app-nginx-pingos/root/resource/conf-template/nginx.conf +++ b/luci-app-nginx-pingos/root/resource/conf-template/nginx.conf @@ -1,29 +1,29 @@ -user root; +user root; daemon on; master_process on; -worker_processes 1; +worker_processes 1; #worker_rlimit 4g; #error_log logs/error.log; #error_log logs/error.log notice; -error_log logs/error.log info; +error_log logs/error.log info; worker_rlimit_nofile 102400; -worker_rlimit_core 2G; -working_directory /tmp; +worker_rlimit_core 2G; +working_directory /tmp; -pid logs/nginx.pid; +pid logs/nginx.pid; events { - use epoll; - worker_connections 4096; - multi_listen unix:/tmp/http 8080; - multi_listen unix:/tmp/rtmp 1935; + use epoll; + worker_connections 4096; + multi_listen unix:/tmp/http 8080; + multi_listen unix:/tmp/rtmp 1935; - dynamic_refresh_interval 5s; - dynamic_domain_buckets 1001; - resolver 114.114.114.114 valid=1m; - resolver_timeout 30s; + dynamic_refresh_interval 5s; + dynamic_domain_buckets 1001; + resolver 114.114.114.114 valid=1m; + resolver_timeout 30s; } #stream_zone buckets=1024 streams=4096; 
@@ -31,175 +31,176 @@ events { #dynamic_conf conf/nginx_dynamic.conf 10; #dynamic_log logs/dynamic.log info; + rtmp { - log_format log_bandwidth '{"app":"$app","name":"$name","bitrate":$bitrate,"args":"$args","timestamp":$ntp,"ts":"$time_local","type":"$command","remote_addr":"$remote_addr","domain":"$domain"}'; - access_log logs/bandwidth.log log_bandwidth trunc=60s; + log_format log_bandwidth '{"app":"$app","name":"$name","bitrate":$bitrate,"args":"$args","timestamp":$ntp,"ts":"$time_local","type":"$command","remote_addr":"$remote_addr","domain":"$domain"}'; + access_log logs/bandwidth.log log_bandwidth trunc=60s; - server { - listen 1935; - serverid 000; - out_queue 2048; - server_name live.pingos.io; - rtmp_auto_pull on; - rtmp_auto_pull_port unix:/tmp/rtmp; + server { + listen 1935; + serverid 000; + out_queue 2048; + server_name live.pingos.io; + rtmp_auto_pull on; + rtmp_auto_pull_port unix:/tmp/rtmp; - application push { - live on; - push rtmp://127.0.0.1/live app=live; - } + application push { + live on; + push rtmp://127.0.0.1/live app=live; + } - application live { - live_record on; - live_record_path /data/record; + application live { + live_record on; + live_record_path /data/record; - recorder r1{ - record all; - record_path /data/record; - } + recorder r1{ + record all; + record_path /data/record; + } - live on; - hls on; - hls_path /tmp/hls; - hls_fragment 4000ms; -# hls_max_fragment 10000ms; - hls_playlist_length 12000ms; - hls_type live; + live on; + hls on; + hls_path /tmp/hls; + hls_fragment 4000ms; + #hls_max_fragment 10000ms; + hls_playlist_length 12000ms; + hls_type live; - hls2 on; - mpegts_cache_time 20s; + hls2 on; + mpegts_cache_time 20s; - hls2_fragment 2000ms; - hls2_max_fragment 3000ms; - hls2_playlist_length 6000ms; + hls2_fragment 2000ms; + hls2_max_fragment 3000ms; + hls2_playlist_length 6000ms; - wait_key on; - wait_video on; - cache_time 1s; - send_all on; - low_latency off; - fix_timestamp 2s; -# h265 codecid, default 12 - 
hevc_codecid 12; - } - } + wait_key on; + wait_video on; + cache_time 1s; + send_all on; + low_latency off; + fix_timestamp 2s; + # h265 codecid, default 12 + hevc_codecid 12; + } + } } http { - include mime.types; - default_type application/octet-stream; + include mime.types; + default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_X-Forwarded-For" "$http_X-Real-IP" "$host"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_X-Forwarded-For" "$http_X-Real-IP" "$host"'; - access_log logs/access.log main; + access_log logs/access.log main; - sendfile on; - #tcp_nopush on; + sendfile on; + #tcp_nopush on; - #keepalive_timeout 0; - keepalive_timeout 65; + #keepalive_timeout 0; + keepalive_timeout 65; - #reset_server_name www.test1.com www.test2.com; - #gzip on; + #reset_server_name www.test1.com www.test2.com; + #gzip on; - upstream hlsm { -# hash $remote_addr consistent; - hash $arg_session consistent; - # 这里需要注意,你要开几个进程,就要按这个规则写几条记录 - server unix:/tmp/http.0; -# server unix:/tmp/http.1; -# server unix:/tmp/http.2; -# server unix:/tmp/http.3; - } + upstream hlsm { + # hash $remote_addr consistent; + hash $arg_session consistent; + # 这里需要注意,你要开几个进程,就要按这个规则写几条记录 + server unix:/tmp/http.0; + # server unix:/tmp/http.1; + # server unix:/tmp/http.2; + # server unix:/tmp/http.3; + } - server { - listen 8080; -# listen 443 ssl; -# ssl_certificate /usr/local/pingos/cert/full_chain.pem; -# ssl_certificate_key /usr/local/pingos/cert/privkey.pem; - location /rtmp_stat { - rtmp_stat all; - rtmp_stat_stylesheet /stat.xsl; - } + server { + listen 8080; + # listen 443 ssl; + # ssl_certificate /usr/local/pingos/cert/full_chain.pem; + # ssl_certificate_key /usr/local/pingos/cert/privkey.pem; + location /rtmp_stat { + rtmp_stat all; + rtmp_stat_stylesheet 
/stat.xsl; + } - location /xstat { - rtmp_stat all; - } + location /xstat { + rtmp_stat all; + } - location /sys_stat { - sys_stat; - } - location ~ .mp4$ { - root html; - #mp4; - } + location /sys_stat { + sys_stat; + } + location ~ .mp4$ { + root html; + #mp4; + } - location /control { - rtmp_control all; - } - location /flv { - flv_live 1935 app=live; - add_header 'Access-Control-Allow-Origin' '*'; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } - location /ts { - ts_live 1935 app=live; - expires -1; - add_header 'Access-Control-Allow-Origin' '*'; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } - location /hls { - # Serve HLS fragments - types { - application/vnd.apple.mpegurl m3u8; - video/mp2t ts; - } - root /tmp; - expires -1; - add_header Cache-Control no-cache; - add_header 'Access-Control-Allow-Origin' '*'; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } + location /control { + rtmp_control all; + } + location /flv { + flv_live 1935 app=live; + add_header 'Access-Control-Allow-Origin' '*'; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } + location /ts { + ts_live 1935 app=live; + expires -1; + add_header 'Access-Control-Allow-Origin' '*'; + add_header "Access-Control-Allow-Credentials" "true"; + add_header 
"Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } + location /hls { + # Serve HLS fragments + types { + application/vnd.apple.mpegurl m3u8; + video/mp2t ts; + } + root /tmp; + expires -1; + add_header Cache-Control no-cache; + add_header 'Access-Control-Allow-Origin' '*'; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } - location /hlsm { - hls2_live 1935 app=live; - add_header 'Access-Control-Allow-Origin' '*'; - add_header Cache-Control no-cache; - add_header "Access-Control-Allow-Credentials" "true"; - add_header "Access-Control-Allow-Methods" "*"; - add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; - add_header "Access-Control-Expose-Headers" "*"; - } + location /hlsm { + hls2_live 1935 app=live; + add_header 'Access-Control-Allow-Origin' '*'; + add_header Cache-Control no-cache; + add_header "Access-Control-Allow-Credentials" "true"; + add_header "Access-Control-Allow-Methods" "*"; + add_header "Access-Control-Allow-Headers" "Content-Type,Access-Token"; + add_header "Access-Control-Expose-Headers" "*"; + } - location /hls2 { - proxy_buffering on; - proxy_buffer_size 4k; - proxy_buffers 8 1M; - proxy_busy_buffers_size 2M; - proxy_max_temp_file_size 0; - set $hls_args location=/hls2&scheme=$scheme; -# if ($args) { -# set $hls_args $args&location=/hls2&scheme=$scheme; -# } - proxy_set_header Host $host:$server_port; - rewrite ^/(.*)/(.*)\.(.*)$ /hlsm/$2.$3?$hls_args break; - proxy_pass http://hlsm; - } + location /hls2 { + proxy_buffering on; + proxy_buffer_size 4k; + proxy_buffers 8 1M; + proxy_busy_buffers_size 2M; + proxy_max_temp_file_size 0; + set $hls_args location=/hls2&scheme=$scheme; + # if ($args) { + # set $hls_args 
$args&location=/hls2&scheme=$scheme; + # } + proxy_set_header Host $host:$server_port; + rewrite ^/(.*)/(.*)\.(.*)$ /hlsm/$2.$3?$hls_args break; + proxy_pass http://hlsm; + } - location / { - chunked_transfer_encoding on; - root html/; - } - } + location / { + chunked_transfer_encoding on; + root html/; + } + } } diff --git a/luci-app-xray/README.md b/luci-app-xray/README.md index 424e4c369..56d499e49 100644 --- a/luci-app-xray/README.md +++ b/luci-app-xray/README.md @@ -39,6 +39,8 @@ Fork this repository and: ## Changelog since 3.3.0 * 2024-01-19 chore: bump version +* 2024-01-24 feat: add alias to LAN Hosts Access Control +* 2024-02-04 fix: avoid firewall restart failure & some minor adjustments ## Changelog since 3.2.0 diff --git a/luci-app-xray/core/Makefile b/luci-app-xray/core/Makefile index d4b754079..fa5cfe9dd 100644 --- a/luci-app-xray/core/Makefile +++ b/luci-app-xray/core/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-xray -PKG_VERSION:=3.3.0 +PKG_VERSION:=3.3.1 PKG_RELEASE:=1 PKG_LICENSE:=MPLv2 diff --git a/luci-app-xray/core/root/etc/init.d/xray_core b/luci-app-xray/core/root/etc/init.d/xray_core index f33d6c2ad..49889fba9 100644 --- a/luci-app-xray/core/root/etc/init.d/xray_core +++ b/luci-app-xray/core/root/etc/init.d/xray_core @@ -5,8 +5,6 @@ STOP=15 USE_PROCD=1 NAME=xray_core -FIREWALL_INCLUDE="/usr/share/xray/firewall_include.ut" - setup_firewall() { ip rule add fwmark 251 lookup 251 ip route add local default dev lo table 251 @@ -14,7 +12,7 @@ setup_firewall() { ip -6 route add local default dev lo table 251 logger -st xray[$$] -p4 "Generating firewall4 rules..." - /usr/bin/utpl ${FIREWALL_INCLUDE} > /var/etc/xray/firewall_include.nft + /usr/bin/utpl /usr/share/xray/firewall_include.ut > /var/etc/xray/01_firewall_include.nft logger -st xray[$$] -p4 "Triggering firewall4 restart..." /etc/init.d/firewall restart 
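Review bot: In `setup_firewall` (init.d/xray_core), the `utpl` output is redirected straight into `/var/etc/xray/01_firewall_include.nft` and the firewall restart follows without looking at the exit status, so a template error leaves an empty or truncated include that fw4 is then asked to load. Rendering to a temporary name and moving it into place only on success would avoid that, e.g. `/usr/bin/utpl /usr/share/xray/firewall_include.ut > /var/etc/xray/01_firewall_include.nft.tmp && mv /var/etc/xray/01_firewall_include.nft.tmp /var/etc/xray/01_firewall_include.nft || return 1`. `setup_firewall` continues past the end of this hunk, so any handling after the restart is not visible here.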
@@ -27,7 +25,7 @@ flush_firewall() { ip -6 route del local default dev lo table 251 logger -st xray[$$] -p4 "Flushing firewall4 rules..." - rm -f /var/etc/xray/firewall_include.nft + rm -f /var/etc/xray/*.nft logger -st xray[$$] -p4 "Triggering firewall4 restart..." /etc/init.d/firewall restart diff --git a/luci-app-xray/core/root/usr/share/xray/default_gateway.uc b/luci-app-xray/core/root/usr/share/xray/default_gateway.uc index 10ebd0c83..f37fff56c 100644 --- a/luci-app-xray/core/root/usr/share/xray/default_gateway.uc +++ b/luci-app-xray/core/root/usr/share/xray/default_gateway.uc @@ -1,7 +1,7 @@ #!/usr/bin/ucode "use strict"; -import { popen, stat } from "fs"; +import { open, popen, stat } from "fs"; import { connect } from "ubus"; function network_dump() { 
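Review bot: The glob in `flush_firewall` (`rm -f /var/etc/xray/*.nft`) now deletes every include in the directory rather than the single file `setup_firewall` writes, and nothing in the script says that this is intended. A short comment would make the cross-file dependency explicit, for example `# removes 01_firewall_include.nft and the 02_default_gateway_include.nft written by default_gateway.uc`. `flush_firewall` starts and ends outside this hunk.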
@@ -48,24 +48,44 @@ function gen_tp_spec_dv4_dg(dg) { return ""; } if (length(dg) > 0) { - return `flush set inet fw4 tp_spec_dv4_dg\nadd element inet fw4 tp_spec_dv4_dg { ${join(", ", dg)} }\n`; + return `set tp_spec_dv4_dg { + type ipv4_addr + size 16 + flags interval + elements = { ${join(", ", dg)} } + }\n`; } return ""; } function gen_tp_spec_dv6_dg(pd) { if (length(pd) > 0) { - return `flush set inet fw4 tp_spec_dv6_dg\nadd element inet fw4 tp_spec_dv6_dg { ${join(", ", pd)} }\n`; + return `set tp_spec_dv6_dg { + type ipv6_addr + size 16 + flags interval + elements = { ${join(", ", pd)} } + }\n`; } return ""; } -function update_nft(dg, pd) { - const process = popen("nft -f -", "w"); - process.write(gen_tp_spec_dv4_dg(dg)); - process.write(gen_tp_spec_dv6_dg(pd)); - process.flush(); - process.close(); +function generate_include(rule_dg, rule_pd, file_path) { + const handle = open(file_path, "w"); + handle.write(rule_dg); + handle.write(rule_pd); + handle.flush(); + handle.close(); +} + +function update_nft(rule_dg, rule_pd) { + const handle = popen("nft -f -", "w"); + handle.write(`table inet fw4 { + ${rule_dg} + ${rule_pd} + }`); + handle.flush(); + handle.close(); } function restart_dnsmasq_if_necessary() { @@ -82,6 +102,9 @@ if (log == "") { print("default gateway not available, please wait for interface ready"); } else { print(`default gateway available at ${log}\n`); - update_nft(dg, pd); + const rule_dg = gen_tp_spec_dv4_dg(dg); + const rule_pd = gen_tp_spec_dv6_dg(pd); + update_nft(rule_dg, rule_pd); + generate_include(rule_dg, rule_pd, "/var/etc/xray/02_default_gateway_include.nft"); } restart_dnsmasq_if_necessary(); diff --git a/luci-app-xray/core/root/usr/share/xray/firewall_include.ut b/luci-app-xray/core/root/usr/share/xray/firewall_include.ut index 06cf12ed3..8361a540f 100644 --- a/luci-app-xray/core/root/usr/share/xray/firewall_include.ut +++ b/luci-app-xray/core/root/usr/share/xray/firewall_include.ut 
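Review bot: `update_nft` in default_gateway.uc no longer flushes `tp_spec_dv4_dg` / `tp_spec_dv6_dg` before loading, so, as far as I can tell from nft's additive handling of set declarations, addresses of a previous default gateway stay in the sets after the gateway changes. If the sets are meant to mirror the current gateway only, the nft input should still issue `flush set inet fw4 tp_spec_dv4_dg` (and the dv6 equivalent) once the set is declared and before the new elements are added. The fixed `size 16` in both generators also differs from the `length(...) * 2 + 1` sizing this commit uses in firewall_include.ut; a host with more addresses or delegated prefixes than that would presumably have the load rejected. The result of `popen` and of `handle.close()` is not checked, so a rejected ruleset goes unnoticed.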
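Review bot: In the final hunk of default_gateway.uc, the include at `/var/etc/xray/02_default_gateway_include.nft` is written whether or not `update_nft` succeeded, and `generate_include` (defined in the previous hunk) uses the result of `open()` without checking it. If the directory is missing, `open` returns null and the write presumably raises, which would stop the script before `restart_dnsmasq_if_necessary()` runs; if nft rejected the rules, the same rejected text is persisted for the next firewall restart. A guard such as `if (!handle) { print("cannot write " + file_path + "\n"); return; }` in `generate_include`, together with persisting only when the nft call reported success, would keep the include consistent with what is actually loaded.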
@@ -127,7 +127,8 @@ set tp_spec_dv4_sp { type ipv4_addr - flags constant,interval + size 32 + flags interval elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, @@ -137,7 +138,8 @@ set tp_spec_dv6_sp { type ipv6_addr - flags constant,interval + size 32 + flags interval elements = { ::, ::1, ::ffff:0.0.0.0/96, @@ -156,7 +158,7 @@ {% if (length(tp_spec_sm4_bp) > 0): %} set tp_spec_sm4_bp { type ether_addr - flags constant + size {{ length(tp_spec_sm4_bp) * 2 + 1 }} elements = { {{ join(", ", tp_spec_sm4_bp) }} } } {% endif %} @@ -164,7 +166,7 @@ {% if (length(tp_spec_sm6_bp) > 0): %} set tp_spec_sm6_bp { type ether_addr - flags constant + size {{ length(tp_spec_sm6_bp) * 2 + 1 }} elements = { {{ join(", ", tp_spec_sm6_bp) }} } } {% endif %} @@ -172,7 +174,7 @@ {% if (length(tp_spec_sm4_tp) > 0): %} set tp_spec_sm4_tp { type ether_addr - flags constant + size {{ length(tp_spec_sm4_tp) * 2 + 1 }} elements = { {{ join(", ", tp_spec_sm4_tp) }} } } {% endif %} @@ -180,7 +182,7 @@ {% if (length(tp_spec_sm6_tp) > 0): %} set tp_spec_sm6_tp { type ether_addr - flags constant + size {{ length(tp_spec_sm6_tp) * 2 + 1 }} elements = { {{ join(", ", tp_spec_sm6_tp) }} } } {% endif %} @@ -188,7 +190,7 @@ {% for (let i in extra_inbound_tcp_v4_map): %} set tp_spec_sm4_ft_{{ i }} { type ether_addr - flags constant + size {{ length(extra_inbound_tcp_v4_map) * 2 + 1 }} elements = { {{ join(", ", extra_inbound_tcp_v4_map[i]) }} } } {% endfor %} @@ -196,7 +198,7 @@ {% for (let i in extra_inbound_udp_v4_map): %} set tp_spec_sm4_fu_{{ i }} { type ether_addr - flags constant + size {{ length(extra_inbound_udp_v4_map) * 2 + 1 }} elements = { {{ join(", ", extra_inbound_udp_v4_map[i]) }} } } {% endfor %} 
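Review bot: In the `tp_spec_sm4_ft_{{ i }}` set of firewall_include.ut the new `size` is computed from `length(extra_inbound_tcp_v4_map)`, the number of entries in the outer map, while the elements come from `extra_inbound_tcp_v4_map[i]`. A single inbound with more MAC addresses than twice the number of inbounds plus one would exceed the declared size and presumably make nft reject the include, which is the failure this commit is trying to avoid. The size should follow the list that is joined: `size {{ length(extra_inbound_tcp_v4_map[i]) * 2 + 1 }}`. The same applies to the `tp_spec_sm4_fu_`, `tp_spec_sm6_ft_` and `tp_spec_sm6_fu_` hunks that follow.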
@@ -204,7 +206,7 @@ {% for (let i in extra_inbound_tcp_v6_map): %} set tp_spec_sm6_ft_{{ i }} { type ether_addr - flags constant + size {{ length(extra_inbound_tcp_v6_map) * 2 + 1 }} elements = { {{ join(", ", extra_inbound_tcp_v6_map[i]) }} } } {% endfor %} @@ -212,7 +214,7 @@ {% for (let i in extra_inbound_udp_v6_map): %} set tp_spec_sm6_fu_{{ i }} { type ether_addr - flags constant + size {{ length(extra_inbound_udp_v6_map) * 2 + 1 }} elements = { {{ join(", ", extra_inbound_udp_v6_map[i]) }} } } {% endfor %} @@ -220,7 +222,7 @@ {% if (length(manual_tproxy_source_ips) > 0): %} set tp_spec_dv4_mt { type ipv4_addr - flags constant, interval + size {{ length(manual_tproxy_source_ips) * 2 + 1 }} elements = { {{ join(", ", manual_tproxy_source_ips) }} } } {% endif %} @@ -228,8 +230,8 @@ {% if (length(wan_bp_ips_v4) > 0): %} set tp_spec_dv4_bp { type ipv4_addr - size {{ length(wan_bp_ips_v4) }} - flags constant, interval + size {{ length(wan_bp_ips_v4) * 2 + 1 }} + flags interval elements = { {{ join(", ", wan_bp_ips_v4)}} } } {% endif %} @@ -237,8 +239,8 @@ {% if (length(wan_bp_ips_v6) > 0): %} set tp_spec_dv6_bp { type ipv6_addr - size {{ length(wan_bp_ips_v6) }} - flags constant, interval + size {{ length(wan_bp_ips_v6) * 2 + 1 }} + flags interval elements = { {{ join(", ", wan_bp_ips_v6)}} } } {% endif %} @@ -246,8 +248,8 @@ {% if (length(wan_fw_ips_v4) > 0): %} set tp_spec_dv4_fw { type ipv4_addr - size {{ length(wan_fw_ips_v4) }} - flags constant, interval + size {{ length(wan_fw_ips_v4) * 2 + 1 }} + flags interval elements = { {{ join(", ", wan_fw_ips_v4)}} } } {% endif %} @@ -255,8 +257,8 @@ {% if (length(wan_fw_ips_v6) > 0): %} set tp_spec_dv6_fw { type ipv6_addr - size {{ length(wan_fw_ips_v6) }} - flags constant, interval + size {{ length(wan_fw_ips_v6) * 2 + 1 }} + flags interval elements = { {{ join(", ", wan_fw_ips_v6)}} } } {% endif %} diff --git a/luci-app-xray/status/Makefile b/luci-app-xray/status/Makefile index 99c541889..fba8ab4d5 100644 
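Review bot: `tp_spec_dv4_mt` loses its `interval` flag together with `constant`, whereas the other `ipv4_addr` / `ipv6_addr` sets changed in this file keep `flags interval`. If `manual_tproxy_source_ips` can contain CIDR ranges (not visible here), nft will refuse range elements in a set declared without that flag. Adding `flags interval` after the new `size` line would keep this set in line with `tp_spec_dv4_bp` and the others.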
--- a/luci-app-xray/status/Makefile +++ b/luci-app-xray/status/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-xray-status -PKG_VERSION:=3.3.0 +PKG_VERSION:=3.3.1 PKG_RELEASE:=1 PKG_LICENSE:=MPLv2