chore: code cleanup

taamarin · Oct 24, 2023 · 643ef7e · 643ef7e
1 parent 6b51b55
commit 643ef7e
Showing 1 changed file with 114 additions and 122 deletions.
diff --git a/box/scripts/box.iptables b/box/scripts/box.iptables
@@ -109,7 +109,7 @@ probe_user_group() {
 
 disable_ipv6() {
   sysctl -w net.ipv4.ip_forward=1
-  sysctl -w net.ipv6.conf.all.forwarding=0
+  sysctl -w net.ipv6.conf.all.forwarding=1
 
   sysctl -w net.ipv6.conf.all.accept_ra=0
   sysctl -w net.ipv6.conf.wlan0.accept_ra=0
@@ -174,134 +174,133 @@ forward() {
 
 # box redirect
 start_redirect() {
-  if [ "${iptables}" = "iptables -w 64" ]; then
-    ${iptables} -t nat -N BOX_EXTERNAL
-    ${iptables} -t nat -F BOX_EXTERNAL
-    ${iptables} -t nat -N BOX_LOCAL
-    ${iptables} -t nat -F BOX_LOCAL
-  fi
+  ${iptables} -t nat -N BOX_EXTERNAL
+  ${iptables} -t nat -F BOX_EXTERNAL
+  ${iptables} -t nat -N BOX_LOCAL
+  ${iptables} -t nat -F BOX_LOCAL
 
-  if [ "${iptables}" = "iptables -w 64" ]; then
-    if [ "${bin_name}" = "clash" ]; then
-      ${iptables} -t nat -A BOX_EXTERNAL -p udp --dport 53 -j REDIRECT --to-ports "${clash_dns_port}"
-      ${iptables} -t nat -A BOX_LOCAL -p udp --dport 53 -j REDIRECT --to-ports "${clash_dns_port}"
+  if [ "${bin_name}" = "clash" ]; then
+    ${iptables} -t nat -A BOX_EXTERNAL -p udp --dport 53 -j REDIRECT --to-ports "${clash_dns_port}"
+    ${iptables} -t nat -A BOX_LOCAL -p udp --dport 53 -j REDIRECT --to-ports "${clash_dns_port}"
 
-      #  Other types of inbound should be added here to receive DNS traffic instead of sniffing
-      #  ${iptables} -t nat -A BOX_EXTERNAL -p udp --dport 53 -j REDIRECT --to-ports "${redir_port}"
-      #  ${iptables} -t nat -A BOX_LOCAL -p udp --dport 53 -j REDIRECT --to-ports "${redir_port}"
-    fi
+    #  Other types of inbound should be added here to receive DNS traffic instead of sniffing
+    #  ${iptables} -t nat -A BOX_EXTERNAL -p udp --dport 53 -j REDIRECT --to-ports "${redir_port}"
+    #  ${iptables} -t nat -A BOX_LOCAL -p udp --dport 53 -j REDIRECT --to-ports "${redir_port}"
+  fi
 
     # Fix ICMP (ping)
     # This does not guarantee that the ping result is valid
     # Just that it returns a result
     # "--to-destination" can be set to a reachable address.
 
-    if [ -n "${fake_ip_range}" ]; then
+  if [ -n "${fake_ip_range}" ]; then
+    if [ "${iptables}" = "iptables -w 64" ]; then
       ${iptables} -t nat -A BOX_EXTERNAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination 127.0.0.1
       ${iptables} -t nat -A BOX_LOCAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination 127.0.0.1
+    else
+      true
+      # ${iptables} -t nat -A BOX_EXTERNAL -d "${fake_ipv6_range}" -p icmp -j DNAT --to-destination ::1
+      # ${iptables} -t nat -A BOX_LOCAL -d "${fake_ipv6_range}" -p icmp -j DNAT --to-destination :1
     fi
+  fi
 
-# Allow access to intranet subnets
+  # Allow access to intranet subnets
+  if [ "${iptables}" = "iptables -w 64" ]; then
     for subnet in "${intranet[@]}"; do
-        ${iptables} -t nat -A BOX_EXTERNAL -d "${subnet}" -m comment --comment "Allow access to intranet subnet ${subnet}" -j RETURN
-        ${iptables} -t nat -A BOX_LOCAL -d "${subnet}" -m comment --comment "Allow access to intranet subnet ${subnet}" -j RETURN
+      ${iptables} -t nat -A BOX_EXTERNAL -d "${subnet}" -m comment --comment "Allow access to intranet subnet ${subnet}" -j RETURN
+      ${iptables} -t nat -A BOX_LOCAL -d "${subnet}" -m comment --comment "Allow access to intranet subnet ${subnet}" -j RETURN
+    done
+  else
+    for subnet6 in "${intranet6[@]}"; do
+      ${iptables} -t nat -A BOX_EXTERNAL -d "${subnet6}" -m comment --comment "Allow access to intranet subnet ${subnet6}" -j RETURN
+      ${iptables} -t nat -A BOX_LOCAL -d "${subnet6}" -m comment --comment "Allow access to intranet subnet ${subnet6}" -j RETURN
     done
+  fi
 
-    # [ "${iptables}" = "iptables -w 64" ] && log Info "intranet=(${intranet[*]})" || log Info "intranet6=(${intranet6[*]})"
+  # [ "${iptables}" = "iptables -w 64" ] && log Info "intranet=(${intranet[*]})" || log Info "intranet6=(${intranet6[*]})"
 
-    ${iptables} -t nat -A BOX_EXTERNAL -p tcp -i lo -j REDIRECT --to-ports "${redir_port}"
+  ${iptables} -t nat -A BOX_EXTERNAL -p tcp -i lo -j REDIRECT --to-ports "${redir_port}"
 
-    if [ "${ap_list}" != "" ]; then
-      for ap in "${ap_list[@]}"; do
-        ${iptables} -t nat -A BOX_EXTERNAL -p tcp -i "${ap}" -j REDIRECT --to-ports "${redir_port}"
-      done
-      log Info "${ap_list[*]} transparent proxy."
-    fi
+  if [ "${ap_list}" != "" ]; then
+    for ap in "${ap_list[@]}"; do
+      ${iptables} -t nat -A BOX_EXTERNAL -p tcp -i "${ap}" -j REDIRECT --to-ports "${redir_port}"
+    done
+    [ "${iptables}" = "iptables -w 64" ] && log Info "${ap_list[*]} transparent proxy."
+  fi
 
-    ${iptables} -t nat -I PREROUTING -j BOX_EXTERNAL  
+  ${iptables} -t nat -I PREROUTING -j BOX_EXTERNAL
 
-    ${iptables} -t nat -I BOX_LOCAL -m owner --uid-owner "${box_user}" --gid-owner "${box_group}" -j RETURN
+  ${iptables} -t nat -I BOX_LOCAL -m owner --uid-owner "${box_user}" --gid-owner "${box_group}" -j RETURN
 
-    if [ "${ignore_out_list}" != "" ]; then
-      for ignore in "${ignore_out_list[@]}"; do
-        ${iptables} -t nat -I BOX_LOCAL -o "${ignore}" -j RETURN
-      done
-      log Info "${ignore_out_list[*]} ignore transparent proxy."
-    fi
+  if [ "${ignore_out_list}" != "" ]; then
+    for ignore in "${ignore_out_list[@]}"; do
+      ${iptables} -t nat -I BOX_LOCAL -o "${ignore}" -j RETURN
+    done
+    [ "${iptables}" = "iptables -w 64" ] && log Info "${ignore_out_list[*]} ignore transparent proxy."
   fi
 
   # check if iptables is not ip6tables
-  if [ "${iptables}" = "iptables -w 64" ]; then
-    # check proxy mode
-    case "${proxy_mode}" in
-      blacklist)
-        # check if uid list is empty
-        if [ -z "$(cat "${uid_list[@]}")" ] ; then
-          # Route Everything
-          ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
-          log Info "Transparent proxy for all apps."
-        else
-          # Bypass apps
-          # loop through the UID list
-          while read -r appid; do
-            # add iptables rules for returning packets
-            ${iptables} -t nat -I BOX_LOCAL -m owner --uid-owner "${appid}" -j RETURN
-          done < "${uid_list[@]}"
-
-          # close the file handle for the UID list
-          # exec <&-
-
-          # Allow !app
-          ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
-          log Info "proxy-mode: ${proxy_mode}, package ${packages_list[*]} no transparent proxy."
-        fi
-        if [ "${gid_list}" != "" ] ; then
-          # Bypass gids
-          for gid in ${gid_list[@]} ; do
-            ${iptables} -t nat -I BOX_LOCAL -m owner --gid-owner ${gid} -j RETURN
-          done
-          [ "${iptables}" = "iptables -w 64" ] && log Info "proxy mode: ${proxy_mode}, GID ${gid_list[*]} no transparent proxy."
-        fi
-        ;;
-      whitelist)
-        if [ -z "$(cat "${uid_list[@]}")" ] ; then
-          # Route Everything
-          ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
-          log Info "Transparent proxy for all apps."
-        else
-          # Route apps to Box
-          # loop through the UID list
-          while read -r appid; do
-            # add iptables rules for TCP traffic
-            ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --uid-owner "${appid}" -j REDIRECT --to-ports "${redir_port}"
-          done < "${uid_list[@]}"
-
-          # close the file handle for the UID list
-          # exec <&-
-
-          ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --uid-owner 0 -j REDIRECT --to-ports "${redir_port}"
-          ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --uid-owner 1052 -j REDIRECT --to-ports "${redir_port}"
-          log Info "proxy-mode: ${proxy_mode}, package ${packages_list[*]} transparent proxy."
-        fi
-        if [ "${gid_list}" != "" ] ; then
-          # Route gids to Box
-          for gid in ${gid_list[@]} ; do
-            ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --gid-owner ${gid} -j REDIRECT --to-ports ${redir_port}
-          done
-          [ "${iptables}" = "iptables -w 64" ] && log Info "proxy mode: ${proxy_mode}, GID ${gid_list[*]} transparent proxy."
-        fi
-        ;;
-      *)
-        log Warning "proxy-mode: ${proxy_mode} < error."
+  # check proxy mode
+  case "${proxy_mode}" in
+    blacklist)
+      # check if uid list is empty
+      if [ -z "$(cat "${uid_list[@]}")" ] ; then
+        # Route Everything
         ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
         log Info "Transparent proxy for all apps."
-        ;;
-    esac
-  fi
+      else
+        # Bypass apps
+        # loop through the UID list
+        while read -r appid; do
+          # add iptables rules for returning packets
+          ${iptables} -t nat -I BOX_LOCAL -m owner --uid-owner "${appid}" -j RETURN
+        done < "${uid_list[@]}"
 
-  if [ "${iptables}" = "iptables -w 64" ]; then
-    ${iptables} -t nat -I OUTPUT -j BOX_LOCAL
-  fi
+        # Allow !app
+        ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
+        log Info "proxy-mode: ${proxy_mode}, package ${packages_list[*]} no transparent proxy."
+      fi
+      if [ "${gid_list}" != "" ] ; then
+        # Bypass gids
+        for gid in ${gid_list[@]} ; do
+          ${iptables} -t nat -I BOX_LOCAL -m owner --gid-owner ${gid} -j RETURN
+        done
+        [ "${iptables}" = "iptables -w 64" ] && log Info "proxy mode: ${proxy_mode}, GID ${gid_list[*]} no transparent proxy."
+      fi
+      ;;
+    whitelist)
+      if [ -z "$(cat "${uid_list[@]}")" ] ; then
+        # Route Everything
+        ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
+        log Info "Transparent proxy for all apps."
+      else
+        # Route apps to Box
+        # loop through the UID list
+        while read -r appid; do
+          # add iptables rules for TCP traffic
+          ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --uid-owner "${appid}" -j REDIRECT --to-ports "${redir_port}"
+        done < "${uid_list[@]}"
+
+        ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --uid-owner 0 -j REDIRECT --to-ports "${redir_port}"
+        ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --uid-owner 1052 -j REDIRECT --to-ports "${redir_port}"
+        log Info "proxy-mode: ${proxy_mode}, package ${packages_list[*]} transparent proxy."
+      fi
+      if [ "${gid_list}" != "" ] ; then
+        # Route gids to Box
+        for gid in ${gid_list[@]} ; do
+          ${iptables} -t nat -A BOX_LOCAL -p tcp -m owner --gid-owner ${gid} -j REDIRECT --to-ports ${redir_port}
+        done
+        [ "${iptables}" = "iptables -w 64" ] && log Info "proxy mode: ${proxy_mode}, GID ${gid_list[*]} transparent proxy."
+      fi
+      ;;
+    *)
+      log Warning "proxy-mode: ${proxy_mode} < error."
+      ${iptables} -t nat -A BOX_LOCAL -p tcp -j REDIRECT --to-ports "${redir_port}"
+      log Info "Transparent proxy for all apps."
+      ;;
+  esac
+
+  ${iptables} -t nat -I OUTPUT -j BOX_LOCAL
 
   if [ "${iptables}" = "iptables -w 64" ]; then
     ${iptables} -A OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner "${box_user}" --gid-owner "${box_group}" -m tcp --dport "${redir_port}" -j REJECT
@@ -311,10 +310,8 @@ start_redirect() {
 }
 
 stop_redirect() {
-  if [ "${iptables}" = "iptables -w 64" ]; then
     ${iptables} -t nat -D PREROUTING -j BOX_EXTERNAL
     ${iptables} -t nat -D OUTPUT -j BOX_LOCAL
-  fi
 
   if [ "${iptables}" = "iptables -w 64" ]; then
     ${iptables} -D OUTPUT -d 127.0.0.1 -p tcp -m owner --uid-owner "${box_user}" --gid-owner "${box_group}" -m tcp --dport "${redir_port}" -j REJECT
@@ -325,24 +322,25 @@ stop_redirect() {
   fi
 
   if [ "${iptables}" = "iptables -w 64" ]; then
-    if [ -n "${fake_ip_range}" ]; then
-      ${iptables} -t nat -D BOX_EXTERNAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination 127.0.0.1
-      ${iptables} -t nat -D BOX_LOCAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination 127.0.0.1
-    fi
-
-    ${iptables} -t nat -F BOX_EXTERNAL
-    ${iptables} -t nat -X BOX_EXTERNAL
-    ${iptables} -t nat -F BOX_LOCAL
-    ${iptables} -t nat -X BOX_LOCAL
+    ${iptables} -t nat -D BOX_EXTERNAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination 127.0.0.1
+    ${iptables} -t nat -D BOX_LOCAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination 127.0.0.1
+  else
+    true
+    # ${iptables} -t nat -D BOX_EXTERNAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination ::1
+    # ${iptables} -t nat -D BOX_LOCAL -d "${fake_ip_range}" -p icmp -j DNAT --to-destination ::1
   fi
+
+  ${iptables} -t nat -F BOX_EXTERNAL
+  ${iptables} -t nat -X BOX_EXTERNAL
+  ${iptables} -t nat -F BOX_LOCAL
+  ${iptables} -t nat -X BOX_LOCAL
 }
 
 # box tproxy
 start_tproxy() {
   if [ "${iptables}" = "iptables -w 64" ]; then
     ip rule add fwmark "${fwmark}" table "${table}" pref "${pref}"
     ip route add local default dev lo table "${table}"
-    # ip -6 rule add unreachable pref "${pref}"
   else
     ip -6 rule add fwmark "${fwmark}" table "${table}" pref "${pref}"
     ip -6 route add local default dev lo table "${table}"
@@ -465,9 +463,6 @@ start_tproxy() {
           ${iptables} -t mangle -I BOX_LOCAL -m owner --uid-owner "${appid}" -j RETURN
         done < "${uid_list[@]}"
 
-        # close the file handle for the UID list
-        # exec <&-
-
         # Allow !app
         ${iptables} -t mangle -A BOX_LOCAL -p tcp -j MARK --set-mark "${fwmark}"
         ${iptables} -t mangle -A BOX_LOCAL -p udp -j MARK --set-mark "${fwmark}"
@@ -495,9 +490,6 @@ start_tproxy() {
           ${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner "${appid}" -j MARK --set-mark "${fwmark}"
         done < "${uid_list[@]}"
 
-        # close the file handle for the UID list
-        # exec <&-
-
         ${iptables} -t mangle -A BOX_LOCAL -p tcp -m owner --uid-owner 0 -j MARK --set-mark "${fwmark}"
         ${iptables} -t mangle -A BOX_LOCAL -p udp -m owner --uid-owner 0 -j MARK --set-mark "${fwmark}"
         # Route dnsmasq to Box
@@ -642,7 +634,7 @@ cleanup_iptables() {
       stop_redirect
       stop_tproxy
       forward -D
-    } >> /dev/null 2>&1
+    } > /dev/null 2>&1
   done
 }