#!/bin/sh /etc/rc.common
# Example script
# Copyright (C) 2007 OpenWrt.org

USE_PROCD=1
START=92

getconfig(){
#开机加载环境变量保证找到文件路径
source /etc/profile > /dev/null 2>&1
ccfg=$clashdir/mark
if [ ! -f "$ccfg" ]; then
	echo mark文件不存在，默认以Redir模式运行！
cat >$ccfg<<EOF
#标识clash运行状态的文件，不明勿动！
EOF
	#指定一些默认状态
	redir_mod=redir模式
	modify_yaml=未开启
fi
source $ccfg #加载配置文件
#是否代理常用端口
if [ "$common_ports" = "已开启" ];then
	ports='-m multiport --dports 22,53,587,465,995,993,143,80,443 '
fi
#检测系统端口占用
for portx in 1053 7890 7892 9999 ;do
	[ -n "$(netstat -ntulp |grep :$portx|grep -v clash)" ] && echo -e "检测到端口：\033[30;47m $portx \033[0m被以下进程占用！clash无法启动！" && echo $(netstat -ntulp |grep :$portx) && exit;
done
}
modify_yaml(){
##########需要变更的配置###########
mix='mixed-port: 7890'
redir='redir-port: 7892'
lan='allow-lan: true'
mode='mode: Rule'
log='log-level: info'
if [ "$ipv6_support" = "已开启" ];then
ipv6='ipv6: true'
else
ipv6='ipv6: false'
fi
external='external-controller: 0.0.0.0:9999'
if [ "$dns_mod" = "fake-ip" ];then
dns='dns: {enable: true, listen: 0.0.0.0:1053, fake-ip-range: 198.18.0.1/16, enhanced-mode: fake-ip, nameserver: [114.114.114.114, 127.0.0.1:53], fallback: [tcp://1.0.0.1, 8.8.4.4]}'
elif [ "$dns_over" = "已开启" ];then
dns='dns: {enable: true, ipv6: true, listen: 0.0.0.0:1053, enhanced-mode: redir-host, nameserver: [114.114.114.114, 223.5.5.5], fallback: [1.0.0.1, 8.8.4.4]}'
else
dns='dns: {enable: true, ipv6: true, listen: 0.0.0.0:1053, enhanced-mode: redir-host, nameserver: [114.114.114.114, 223.5.5.5, 127.0.0.1:53], fallback: [1.0.0.1, 8.8.4.4]}'
fi
if [ "$redir_mod" != "Redir模式" ];then
tun='tun: {enable: true, stack: system}'
else
tun='tun: {enable: false}'
fi 
exper='experimental: {ignore-resolve-fail: true, interface-name: en0}'
###################################
	#预删除需要添加的项目
	i=$(grep  -n  "^proxies:" $clashdir/config.yaml | head -1 | cut -d ":" -f 1)
	i=$(($i-1))
	sed -i '1,'$i'd' $clashdir/config.yaml
	#添加配置
	sed -i "1i$mix" $clashdir/config.yaml
	sed -i "1a$redir" $clashdir/config.yaml
	sed -i "2a$lan" $clashdir/config.yaml
	sed -i "3a$mode" $clashdir/config.yaml
	sed -i "4a$log" $clashdir/config.yaml
	sed -i "5a$ipv6" $clashdir/config.yaml
	sed -i "6a$external" $clashdir/config.yaml
	sed -i "7a$dns" $clashdir/config.yaml
	sed -i "8a$tun" $clashdir/config.yaml
	sed -i "9a$exper" $clashdir/config.yaml
	#跳过本地tls证书验证
	if [ "$skip_cert" != "未开启" ];then
	sed -i "10,99s/sni: \S*/\1skip-cert-verify: true}/" $clashdir/config.yaml  #跳过trojan本地证书验证
	sed -i '10,99s/}}/}, skip-cert-verify: true}/' $clashdir/config.yaml  #跳过v2+ssl本地证书验证
	fi
}
mark_time(){
	start_time=`date +%s`
	sed -i '/start_time*/'d $ccfg
	sed -i "3i\start_time=$start_time" $ccfg
}
start_redir(){
	#修改iptables规则使流量进入clash
	iptables -t nat -N clash
	iptables -t nat -A clash -d 0.0.0.0/8 -j RETURN
	iptables -t nat -A clash -d 10.0.0.0/8 -j RETURN
	iptables -t nat -A clash -d 127.0.0.0/8 -j RETURN
	iptables -t nat -A clash -d 169.254.0.0/16 -j RETURN
	iptables -t nat -A clash -d 172.16.0.0/12 -j RETURN
	iptables -t nat -A clash -d 192.168.0.0/16 -j RETURN
	iptables -t nat -A clash -d 224.0.0.0/4 -j RETURN
	iptables -t nat -A clash -d 240.0.0.0/4 -j RETURN
	for mac in $(cat $clashdir/mac); do
		iptables -t nat -A clash -m mac --mac-source $mac -j RETURN
	done
	
	iptables -t nat -A clash -p tcp $ports-j REDIRECT --to-ports 7892
	iptables -t nat -A PREROUTING -p tcp -j clash
	if [ "$ipv6_support" = "已开启" ];then
		ip6tables -t nat -N clash
		for mac in $(cat $clashdir/mac); do
			ip6tables -t nat -A clash -m mac --mac-source $mac -j RETURN
		done
		ip6tables -t nat -A clash -p tcp $ports-j REDIRECT --to-ports 7892
		ip6tables -t nat -A PREROUTING -p tcp -j clash
	fi
}
stop_iptables(){
    #重置iptables规则
	iptables -t nat -D PREROUTING -p tcp -j clash > /dev/null 2>&1
	iptables -t nat -D PREROUTING -p udp -j clash_dns > /dev/null 2>&1
	iptables -t nat -F clash > /dev/null 2>&1
	iptables -t nat -X clash > /dev/null 2>&1
	iptables -t nat -F clash_dns > /dev/null 2>&1
	iptables -t nat -X clash_dns > /dev/null 2>&1
	#重置ipv6规则
	ip6tables -t nat -D PREROUTING -p tcp -j clash > /dev/null 2>&1
	ip6tables -t nat -D PREROUTING -p udp -j clash_dns > /dev/null 2>&1
	ip6tables -t nat -F clash > /dev/null 2>&1
	ip6tables -t nat -X clash > /dev/null 2>&1
	ip6tables -t nat -F clash_dns > /dev/null 2>&1
	ip6tables -t nat -X clash_dns > /dev/null 2>&1
}
start_dns(){
	#允许tun网卡接受流量
	iptables -I FORWARD -o utun -j ACCEPT
	ip6tables -I FORWARD -o utun -j ACCEPT
	#设置dns转发
	iptables -t nat -N clash_dns
	for mac in $(cat $clashdir/mac); do
		iptables -t nat -A clash_dns -m mac --mac-source $mac -j RETURN
	done
	iptables -t nat -A clash_dns -p udp --dport 53 -j REDIRECT --to 1053
	iptables -t nat -A PREROUTING -p udp -j clash_dns
	#ipv6DNS
	ip6tables -t nat -N clash_dns
	for mac in $(cat $clashdir/mac); do
		ip6tables -t nat -A clash_dns -m mac --mac-source $mac -j RETURN
	done
	ip6tables -t nat -A clash_dns -p udp --dport 53 -j REDIRECT --to 1053
	ip6tables -t nat -A PREROUTING -p udp -j clash_dns
}
start_service() {
	getconfig
	#使用内置规则强行覆盖config配置文件
	if [ "$modify_yaml" != "已开启" ];then
	modify_yaml
	fi
    #创建clash后台进程
	procd_open_instance
	procd_set_param respawn
	procd_set_param stderr 1
	procd_set_param stdout 1
	procd_set_param command $clashdir/clash -d $clashdir
	procd_close_instance
	#修改iptables规则使流量进入clash
	stop_iptables
	start_dns
	if [ "$redir_mod" != "Tun模式" ];then
	start_redir
	fi
	mark_time
}
stop_service() {
	stop_iptables
}