v1.0

rootfs/etc/init.d/clash

@@ -0,0 +1,36 @@
+#!/bin/sh /etc/rc.common
+
+START=21
+STOP=89
+
+USE_PROCD=1
+
+start_service() {
+        procd_open_instance
+        procd_set_param command /opt/clash/bin/clash -d /opt/clash
+        procd_set_param respawn
+        procd_close_instance
+
+        uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#7874'
+        uci set dhcp.@dnsmasq[0].cachesize='0'
+        uci set dhcp.@dnsmasq[0].noresolv='1'
+        uci commit
+
+        /opt/clash/bin/clash-rules start
+        /etc/init.d/dnsmasq restart
+}
+
+stop_service() {
+        uci del dhcp.@dnsmasq[0].server
+        uci del dhcp.@dnsmasq[0].cachesize
+        uci del dhcp.@dnsmasq[0].noresolv
+        uci commit
+
+        /opt/clash/bin/clash-rules stop
+        /etc/init.d/dnsmasq restart
+}
+
+boot() {
+        sleep 10
+        start
+}

rootfs/opt/clash/bin/clash-rules

@@ -0,0 +1,84 @@
+#!/bin/sh
+
+start(){
+    if hash nft; then
+        nft -f /opt/clash/nft.conf
+        ip route add local default dev lo table 100
+        ip rule add fwmark 1 table 100
+    elif hash iptables; then
+        iptables -t mangle -N CLASH
+        iptables -t mangle -I CLASH -p udp --dport 443 -j REJECT # Block QUIC first (for YouTube)
+        iptables -t mangle -A CLASH -d 0.0.0.0/8 -j RETURN
+        iptables -t mangle -A CLASH -d 10.0.0.0/8 -j RETURN
+        iptables -t mangle -A CLASH -d 100.64.0.0/10 -j RETURN
+        iptables -t mangle -A CLASH -d 127.0.0.0/8 -j RETURN
+        iptables -t mangle -A CLASH -d 169.254.0.0/16 -j RETURN
+        iptables -t mangle -A CLASH -d 172.16.0.0/12 -j RETURN
+        iptables -t mangle -A CLASH -d 192.168.0.0/16 -j RETURN
+        iptables -t mangle -A CLASH -d 224.0.0.0/4 -j RETURN
+        iptables -t mangle -A CLASH -d 240.0.0.0/4 -j RETURN
+        iptables -t mangle -A CLASH -i wg+ -j RETURN
+        iptables -t mangle -A CLASH -i ppp+ -j RETURN
+        iptables -t mangle -A CLASH -i veth+ -j RETURN
+        iptables -t mangle -A CLASH -i docker+ -j RETURN
+        iptables -t mangle -A CLASH -p tcp -j TPROXY --on-port 7894 --tproxy-mark 1
+        iptables -t mangle -A CLASH -p udp -j TPROXY --on-port 7894 --tproxy-mark 1
+        iptables -t mangle -A PREROUTING -m addrtype --dst-type LOCAL -j RETURN
+        iptables -t mangle -A PREROUTING -j CLASH
+
+        iptables -t mangle -N CLASH_SELF
+        iptables -t mangle -A CLASH_SELF -d 0.0.0.0/8 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 10.0.0.0/8 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 100.64.0.0/10 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 127.0.0.0/8 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 169.254.0.0/16 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 172.16.0.0/12 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 192.168.0.0/16 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 224.0.0.0/4 -j RETURN
+        iptables -t mangle -A CLASH_SELF -d 240.0.0.0/4 -j RETURN
+        iptables -t mangle -A CLASH_SELF -i wg+ -j RETURN
+        iptables -t mangle -A CLASH_SELF -i ppp+ -j RETURN
+        iptables -t mangle -A CLASH_SELF -i veth+ -j RETURN
+        iptables -t mangle -A CLASH_SELF -i docker+ -j RETURN
+        iptables -t mangle -A CLASH_SELF -m mark --mark 2 -j RETURN
+        iptables -t mangle -A CLASH_SELF -p tcp -j MARK --set-mark 1
+        iptables -t mangle -A CLASH_SELF -p udp -j MARK --set-mark 1
+        iptables -t mangle -A OUTPUT -j CLASH_SELF
+
+        ip route add local default dev lo table 100
+        ip rule add fwmark 1 table 100
+    else
+        echo "unknown firewall, ignore"
+    fi
+}
+
+stop(){
+    if hash nft; then
+        nft table ip clash
+        nft delete table ip clash
+        ip route del local default dev lo table 100
+        ip rule del table 100
+    elif hash iptables; then
+        iptables -t mangle -D PREROUTING -j CLASH
+        iptables -t mangle -F CLASH
+        iptables -t mangle -X CLASH
+
+        iptables -t mangle -D OUTPUT -j CLASH_SELF
+        iptables -t mangle -F CLASH_SELF
+        iptables -t mangle -X CLASH_SELF
+
+        ip route del local default dev lo table 100
+        ip rule del table 100
+    else
+        echo "unknown firewall, ignore"
+    fi
+}
+
+case $1 in
+start)
+    start
+    ;;
+stop)
+    stop
+    ;;
+esac

rootfs/opt/clash/config.yaml

@@ -0,0 +1,111 @@
+mode: rule
+ipv6: false
+log-level: error
+allow-lan: false
+mixed-port: 7890
+tproxy-port: 7894
+unified-delay: false
+tcp-concurrent: true
+external-controller: 0.0.0.0:9090
+external-ui: ./ui
+
+dns:
+  enable: true
+  listen: 0.0.0.0:7874
+  ipv6: false
+  # Bootstrap DNS
+  default-nameserver:
+    - 1.1.1.1
+    - 1.0.0.1
+    - 8.8.8.8
+    - 8.8.4.4
+  # Upstream DNS
+  nameserver:
+    - https://dns10.quad9.net/dns-query
+    - https://dns.aa.net.uk/dns-query
+
+profile:
+  store-selected: true
+  store-fake-ip: true
+
+routing-mark: 2
+
+find-process-mode: off
+
+sniffer:
+  enable: true
+  sniff:
+    TLS:
+      ports: [443, 8443]
+    HTTP:
+      ports: [80, 8080-8880]
+      override-destination: true
+  skip-domain:
+    - Mijia Cloud
+    - 'dlg.io.mi.com'
+
+proxies:
+  # vless
+  - name: "XX-reality"
+    type: vless
+    server: change-it
+    port: 443
+    uuid: change-it
+    network: tcp
+    tls: true
+    udp: true
+    flow: xtls-rprx-vision
+    servername: change-it
+    reality-opts:
+      public-key: change-it
+      short-id: change-it
+    client-fingerprint: chrome
+
+proxy-groups:
+  # select is used for selecting proxy or proxy group
+  # you can use RESTful API to switch proxy is recommended for use in GUI.
+  - name: PROXY
+    type: select
+    # disable-udp: true
+    proxies:
+      - SRV-reality
+
+rule-providers:
+  direct-domain:
+    behavior: classical
+    type: http
+    url: "https://YOUR_URL/direct-domain.yaml"
+    interval: 3600
+    path: ./ruleset/direct-domain.yaml
+  direct-ip:
+    behavior: classical
+    type: http
+    url: "https://YOUR_URL/direct-ip.yaml"
+    interval: 3600
+    path: ./ruleset/direct-ip.yaml
+  proxy-domain:
+    behavior: classical
+    type: http
+    url: "https://YOUR_URL/proxy-domain.yaml"
+    interval: 3600
+    path: ./ruleset/proxy-domain.yaml
+  proxy-ip:
+    behavior: classical
+    type: http
+    url: "https://YOUR_URL/proxy-ip.yaml"
+    interval: 3600
+    path: ./ruleset/proxy-ip.yaml
+  antifilter-ip:
+    behavior: classical
+    type: http
+    url: "https://YOUR_URL/antifilter-ip.yaml"
+    interval: 43200
+    path: ./ruleset/antifilter-ip.yaml
+
+rules:
+  - RULE-SET,direct-domain,DIRECT
+  - RULE-SET,proxy-domain,PROXY
+  - RULE-SET,direct-ip,DIRECT
+  - RULE-SET,proxy-ip,PROXY
+  - RULE-SET,antifilter-ip,PROXY
+  - MATCH,DIRECT

rootfs/opt/clash/nft.conf

@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+table ip clash
+delete table ip clash
+
+define RESERVED_IP = {
+    0.0.0.0/8,
+    10.0.0.0/8,
+    100.64.0.0/10,
+    127.0.0.0/8,
+    169.254.0.0/16,
+    172.16.0.0/12,
+    192.168.0.0/16,
+    224.0.0.0/4,
+    240.0.0.0/4
+}
+
+define RESERVED_IFACE = {
+    "wg*",
+    "ppp*",
+    "veth*",
+    "docker*"
+}
+
+table ip clash {
+    chain prerouting {
+        type filter hook prerouting priority mangle; policy accept;
+        udp dport 443 reject position 0 # Block QUIC first (for YouTube)
+        fib daddr type local return
+        ip daddr $RESERVED_IP return
+        iifname $RESERVED_IFACE return
+        ip protocol tcp tproxy to 127.0.0.1:7894 meta mark set 1
+        ip protocol udp tproxy to 127.0.0.1:7894 meta mark set 1
+    }
+    chain output {
+        type route hook output priority mangle; policy accept;
+        ip daddr $RESERVED_IP return
+        iifname $RESERVED_IFACE return
+        meta mark 2 return
+        ip protocol tcp meta mark set 1
+        ip protocol udp meta mark set 1
+    }
+}

rootfs/opt/clash/ui/_headers

@@ -0,0 +1,12 @@
+# for netlify hosting
+# https://docs.netlify.com/routing/headers/#syntax-for-the-headers-file
+
+/*
+  X-Frame-Options: DENY
+  X-XSS-Protection: 1; mode=block
+  X-Content-Type-Options: nosniff
+  Referrer-Policy: same-origin
+/*.css
+  Cache-Control: public, max-age=31536000, immutable
+/*.js
+  Cache-Control: public, max-age=31536000, immutable