🍕 Sync 2025-11-10 00:09:51

nikki/files/uci-defaults/migrate.sh

@@ -140,12 +140,6 @@ uci show nikki | grep -o -E 'nikki\.@router_access_control\[[[:digit:]]+\]=route
 	done
 done
 
-# since v1.23.2
-
-env_disable_safe_path_check=$(uci -q get nikki.env.disable_safe_path_check); [ -n "$env_disable_safe_path_check" ] && uci del nikki.env.disable_safe_path_check
-
-env_skip_system_ipv6_check=$(uci -q get nikki.env.skip_system_ipv6_check); [ -z "$env_skip_system_ipv6_check" ] && uci set nikki.env.skip_system_ipv6_check=0
-
 # since v1.23.3
 
 uci show nikki | grep -o -E 'nikki\.@router_access_control\[[[:digit:]]+\]=router_access_control' | cut -d '=' -f 1 | while read -r router_access_control; do

nikki/files/ucode/hijack.ut

@@ -26,6 +26,7 @@
 	let dns_listen;
 	let dns_port;
 	let fake_ip_range;
+	let fake_ip6_range;
 	if (profile['dns']) {
 		dns_listen = profile['dns']['listen'];
 		const dns_listen_rindex = rindex(dns_listen, ':');
@@ -33,6 +34,7 @@
 			dns_port = substr(dns_listen, dns_listen_rindex + 1);
 		}
 		fake_ip_range = profile['dns']['fake-ip-range'];
+		fake_ip6_range = profile['dns']['fake-ip-range6'];
 	}
 
 	let tun_device;
@@ -445,20 +447,23 @@ table inet nikki {
 		{% if (tcp_mode == 'redirect'): %}
 		fib daddr type { local, broadcast, anycast, multicast } counter return
 		ct direction reply counter return
-		ip daddr @reserved_ip counter return
-		ip6 daddr @reserved_ip6 counter return
+		ip daddr @reserved_ip {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
+		ip6 daddr @reserved_ip6 {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		ip daddr @china_ip counter return
 		ip6 daddr @china_ip6 counter return
 		meta nfproto ipv4 meta l4proto . th dport != @proxy_dport {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
+		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		meta l4proto { tcp, udp } ip dscp @bypass_dscp {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
+		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		meta nfproto @proxy_nfproto jump router_redirect
 		{% endif %}
 		{% if (fake_ip_ping_hijack): %}
 		{% if (fake_ip_range ): %}
 		icmp type echo-request ip daddr {{ fake_ip_range }} counter redirect
 		{% endif %}
+		{% if (fake_ip6_range ): %}
+		icmpv6 type echo-request ip6 daddr {{ fake_ip6_range }} counter redirect
+		{% endif %}
 		{% endif %}
 	}
 
@@ -471,14 +476,14 @@ table inet nikki {
 		{% endif %}
 		fib daddr type { local, broadcast, anycast, multicast } counter return
 		ct direction reply counter return
-		ip daddr @reserved_ip counter return
-		ip6 daddr @reserved_ip6 counter return
+		ip daddr @reserved_ip {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
+		ip6 daddr @reserved_ip6 {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		ip daddr @china_ip counter return
 		ip6 daddr @china_ip6 counter return
 		meta nfproto ipv4 meta l4proto . th dport != @proxy_dport {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
+		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		meta l4proto { tcp, udp } ip dscp @bypass_dscp {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
+		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		{% if (length(dns_hijack_nfproto) > 0): %}
 		meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return
 		{% endif %}
@@ -514,20 +519,23 @@ table inet nikki {
 		{% if (tcp_mode == 'redirect'): %}
 		fib daddr type { local, broadcast, anycast, multicast } counter return
 		ct direction reply counter return
-		ip daddr @reserved_ip counter return
-		ip6 daddr @reserved_ip6 counter return
+		ip daddr @reserved_ip {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
+		ip6 daddr @reserved_ip6 {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		ip daddr @china_ip counter return
 		ip6 daddr @china_ip6 counter return
 		meta nfproto ipv4 meta l4proto . th dport != @proxy_dport {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
+		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		meta l4proto { tcp, udp } ip dscp @bypass_dscp {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
+		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		iifname @lan_inbound_device meta nfproto @proxy_nfproto jump lan_redirect
 		{% endif %}
 		{% if (fake_ip_ping_hijack): %}
 		{% if (fake_ip_range): %}
 		icmp type echo-request ip daddr {{ fake_ip_range }} counter redirect
 		{% endif %}
+		{% if (fake_ip6_range ): %}
+		icmpv6 type echo-request ip6 daddr {{ fake_ip6_range }} counter redirect
+		{% endif %}
 		{% endif %}
 	}
 
@@ -535,14 +543,14 @@ table inet nikki {
 		type filter hook prerouting priority mangle; policy accept;
 		fib daddr type { local, broadcast, anycast, multicast } counter return
 		ct direction reply counter return
-		ip daddr @reserved_ip counter return
-		ip6 daddr @reserved_ip6 counter return
+		ip daddr @reserved_ip {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
+		ip6 daddr @reserved_ip6 {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		ip daddr @china_ip counter return
 		ip6 daddr @china_ip6 counter return
 		meta nfproto ipv4 meta l4proto . th dport != @proxy_dport {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport counter return
+		meta nfproto ipv6 meta l4proto . th dport != @proxy_dport {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		meta l4proto { tcp, udp } ip dscp @bypass_dscp {% if (fake_ip_range): %} ip daddr != {{ fake_ip_range }} {% endif %} counter return
-		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp counter return
+		meta l4proto { tcp, udp } ip6 dscp @bypass_dscp {% if (fake_ip6_range): %} ip6 daddr != {{ fake_ip6_range }} {% endif %} counter return
 		{% if (length(dns_hijack_nfproto) > 0): %}
 		meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 counter return
 		{% endif %}

nikki/files/ucode/mixin.uc

@@ -72,6 +72,7 @@ config['dns']['listen'] = uci.get('nikki', 'mixin', 'dns_listen');
 config['dns']['ipv6'] = uci_bool(uci.get('nikki', 'mixin', 'dns_ipv6'));
 config['dns']['enhanced-mode'] = uci.get('nikki', 'mixin', 'dns_mode');
 config['dns']['fake-ip-range'] = uci.get('nikki', 'mixin', 'fake_ip_range');
+config['dns']['fake-ip-range6'] = uci.get('nikki', 'mixin', 'fake_ip6_range');
 if (uci_bool(uci.get('nikki', 'mixin', 'fake_ip_filter'))) {
 	config['dns']['fake-ip-filter'] = uci_array(uci.get('nikki', 'mixin', 'fake_ip_filters'));
 }