update 04-22 18:55:32

luci-app-xray/root/usr/share/luci/menu.d/luci-app-xray.json

@@ -0,0 +1,17 @@
+{
+    "admin/services/xray": {
+        "title": "Xray",
+        "action": {
+            "type": "view",
+            "path": "xray"
+        },
+        "depends": {
+            "acl": [
+                "luci-app-xray"
+            ],
+            "uci": {
+                "xray": true
+            }
+        }
+    }
+}

luci-app-xray/root/usr/share/rpcd/acl.d/luci-app-xray.json

@@ -0,0 +1,15 @@
+{
+    "luci-app-xray": {
+        "description": "Grant access to xray configurations",
+        "read": {
+            "uci": [
+                "xray"
+            ]
+        },
+        "write": {
+            "uci": [
+                "xray"
+            ]
+        }
+    }
+}

luci-app-xray/root/usr/share/xray/firewall_include.lua

@@ -0,0 +1,65 @@
+#!/usr/bin/lua
+local ucursor = require "luci.model.uci"
+
+local flush = [[# firewall include file to stop transparent proxy
+ip rule del fwmark 251 lookup 251
+ip rule del fwmark 252 lookup 252
+ip route del local default dev lo table 251
+ip route del local default dev lo table 252
+iptables-save -c | grep -v "TP_SPEC" | iptables-restore -c]]
+local header = [[# firewall include file to start transparent proxy
+ip rule add fwmark 251 lookup 251
+ip rule add fwmark 252 lookup 252
+ip route add local default dev lo table 251
+ip route add local default dev lo table 252
+iptables-restore -n <<-EOF
+*nat
+COMMIT
+*mangle
+:TP_SPEC_LAN_AC - [0:0]
+:TP_SPEC_LAN_DG - [0:0]
+:TP_SPEC_WAN_AC - [0:0]
+:TP_SPEC_WAN_DG - [0:0]
+:TP_SPEC_WAN_FW - [0:0]
+-I PREROUTING 1 -m mark --mark 0xfc -j TP_SPEC_WAN_AC]]
+local lan = "-I PREROUTING 1 -i %s -j TP_SPEC_LAN_DG"
+local rules = [[-A OUTPUT -j TP_SPEC_WAN_DG
+-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_bp src -j RETURN
+-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_fw src -j TP_SPEC_WAN_FW
+-A TP_SPEC_LAN_AC -m set --match-set tp_spec_src_ac src -j TP_SPEC_WAN_AC
+-A TP_SPEC_LAN_AC -j TP_SPEC_WAN_AC
+-A TP_SPEC_LAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
+-A TP_SPEC_LAN_DG -p tcp -j TP_SPEC_LAN_AC
+-A TP_SPEC_LAN_DG -p udp -j TP_SPEC_LAN_AC
+-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_fw dst -j TP_SPEC_WAN_FW
+-A TP_SPEC_WAN_AC -m set --match-set tp_spec_dst_bp dst -j RETURN
+-A TP_SPEC_WAN_AC -j TP_SPEC_WAN_FW
+-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_sp dst -j RETURN
+-A TP_SPEC_WAN_DG -m set --match-set tp_spec_dst_bp dst -j RETURN
+-A TP_SPEC_WAN_DG -m set --match-set tp_spec_def_gw dst -j RETURN
+-A TP_SPEC_WAN_DG -m mark --mark 0x%x -j RETURN
+-A TP_SPEC_WAN_DG -p tcp -j MARK --set-xmark 0xfc/0xffffffff
+-A TP_SPEC_WAN_DG -p udp -j MARK --set-xmark 0xfc/0xffffffff
+-A TP_SPEC_WAN_FW -p tcp -j TPROXY --on-port %d --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
+-A TP_SPEC_WAN_FW -p udp -j TPROXY --on-port %d --on-ip 0.0.0.0 --tproxy-mark 0xfb/0xffffffff
+COMMIT
+*filter
+COMMIT
+EOF]]
+
+local proxy_section = ucursor:get_first("xray", "general")
+local proxy = ucursor:get_all("xray", proxy_section)
+
+print(flush)
+if proxy.transparent_proxy_enable ~= "1" then
+    do
+        return
+    end
+end
+if arg[1] == "enable" then
+    print(header)
+    print(string.format(lan, proxy.lan_ifaces))
+    print(string.format(rules, tonumber(proxy.mark), proxy.tproxy_port_tcp, proxy.tproxy_port_udp))
+else
+    print("# arg[1] == " .. arg[1] .. ", not enable")
+end

luci-app-xray/root/usr/share/xray/gen_ipset_rules.lua

@@ -0,0 +1,80 @@
+#!/usr/bin/lua
+
+local io = require("io")
+local ucursor = require "luci.model.uci"
+local proxy_section = ucursor:get_first("xray", "general")
+local proxy = ucursor:get_all("xray", proxy_section)
+local gen_ipset_rules_extra = dofile("/usr/share/xray/gen_ipset_rules_extra.lua")
+
+local create_ipset_rules = [[create tp_spec_src_ac hash:mac hashsize 64
+create tp_spec_src_bp hash:mac hashsize 64
+create tp_spec_src_fw hash:mac hashsize 64
+create tp_spec_dst_sp hash:net hashsize 64
+create tp_spec_dst_bp hash:net hashsize 64
+create tp_spec_dst_fw hash:net hashsize 64
+create tp_spec_def_gw hash:net hashsize 64]]
+
+local function create_ipset()
+    print(create_ipset_rules)
+end
+
+local function split_ipv4_host_port(val, port_default)
+    local found, _, ip, port = val:find("([%d.]+):(%d+)")
+    if found == nil then
+        return val, tonumber(port_default)
+    else
+        return ip, tonumber(port)
+    end
+end
+
+local function lan_access_control()
+    ucursor:foreach("xray", "lan_hosts", function(v)
+        if v.bypassed == '0' then
+            print(string.format("add tp_spec_src_fw %s", v.macaddr))
+        else
+            print(string.format("add tp_spec_src_bp %s", v.macaddr))
+        end
+    end)
+end
+
+local function iterate_list(ln, set_name)
+    local ip_list = proxy[ln]
+    if ip_list == nil then
+        return
+    end
+    for _, line in ipairs(ip_list) do
+        print(string.format("add %s %s", set_name, line))
+    end
+end
+
+local function iterate_file(fn, set_name)
+    if fn == nil then
+        return
+    end
+    local f = io.open(fn)
+    if f == nil then
+        return
+    end
+    for line in io.lines(fn) do
+        if line ~= "" then
+            print(string.format("add %s %s", set_name, line))
+        end
+    end
+    f:close()
+end
+
+local function dns_ips()
+    local fast_dns_ip, fast_dns_port = split_ipv4_host_port(proxy.fast_dns, 53)
+    local secure_dns_ip, secure_dns_port = split_ipv4_host_port(proxy.secure_dns, 53)
+    print(string.format("add tp_spec_dst_bp %s", fast_dns_ip))
+    print(string.format("add tp_spec_dst_fw %s", secure_dns_ip))
+end
+
+create_ipset()
+dns_ips()
+lan_access_control()
+iterate_list("wan_bp_ips", "tp_spec_dst_bp")
+iterate_file(proxy.wan_bp_list or "/dev/null", "tp_spec_dst_bp")
+iterate_list("wan_fw_ips", "tp_spec_dst_fw")
+iterate_file(proxy.wan_fw_list or "/dev/null", "tp_spec_dst_fw")
+gen_ipset_rules_extra(proxy)

luci-app-xray/root/usr/share/xray/gen_ipset_rules_extra_normal.lua

@@ -0,0 +1,20 @@
+#!/usr/bin/lua
+
+local special_purpose_rules = [[add tp_spec_dst_sp 255.255.255.255
+add tp_spec_dst_sp 0.0.0.0/8
+add tp_spec_dst_sp 10.0.0.0/8
+add tp_spec_dst_sp 100.64.0.0/10
+add tp_spec_dst_sp 127.0.0.0/8
+add tp_spec_dst_sp 169.254.0.0/16
+add tp_spec_dst_sp 172.16.0.0/12
+add tp_spec_dst_sp 192.0.0.0/24
+add tp_spec_dst_sp 192.31.196.0/24
+add tp_spec_dst_sp 192.52.193.0/24
+add tp_spec_dst_sp 192.88.99.0/24
+add tp_spec_dst_sp 192.168.0.0/16
+add tp_spec_dst_sp 192.175.48.0/24
+add tp_spec_dst_sp 224.0.0.0/3]]
+
+return function(proxy)
+    print(special_purpose_rules)
+end

luci-app-xray/root/usr/share/xray/infinite_retry

@@ -0,0 +1 @@
+Remove this file to disable infinite retry on Xray startup.

luci-app-xray/root/usr/share/xray/optional_feature_1000

@@ -0,0 +1 @@
+See https://github.com/XTLS/Xray-core/pull/1000 for details.

luci-app-xray/root/usr/share/xray/rlimit_data_large

@@ -0,0 +1 @@
+200000000 222222222

luci-app-xray/root/usr/share/xray/rlimit_data_small

@@ -0,0 +1 @@
+44444444 55555555

luci-app-xray/root/usr/share/xray/rlimit_nofile_large

@@ -0,0 +1 @@
+8192 16384