douglarek · August 20, 2024 15:12
diff --git a/a-dae-init.sh b/a-dae-init.sh
 #!/bin/sh /etc/rc.common
 # Copyright (C) 2023 Tianling Shen <[email protected]>

 USE_PROCD=1
 START=99

 CONF="dae"
 PROG="/usr/bin/dae"
 LOG_DIR="/var/log/dae"

 start_service() {
        config_load "$CONF"

        local enabled
        config_get_bool enabled "config" "enabled" "0"
        [ "$enabled" -eq "1" ] || return 1

        local config_file
        config_get config_file "config" "config_file" "/etc/dae/config.dae"

        "$PROG" validate -c "$config_file" || return 1

        local log_maxbackups log_maxsize
        config_get log_maxbackups "config" "log_maxbackups" "1"
        config_get log_maxsize "config" "log_maxsize" "1"

        procd_open_instance "$CONF"
        procd_set_param command "$PROG" run
        procd_append_param command --config "$config_file"
        procd_append_param command --disable-timestamp
        procd_append_param command --logfile "$LOG_DIR/dae.log"
        procd_append_param command --logfile-maxbackups "$log_maxbackups"
        procd_append_param command --logfile-maxsize "$log_maxsize"

        procd_set_param limits core="unlimited"
        procd_set_param limits nofile="1000000 1000000"
        procd_set_param respawn
        # procd_set_param stdout 1
        procd_set_param stderr 1

        procd_close_instance

        # see https://github.com/daeuniverse/dae/issues/79
        uci -q del dhcp.@dnsmasq[0].server
        uci add_list dhcp.@dnsmasq[0].server='223.5.5.5' # set dnsmasq dns
        uci set dhcp.@dnsmasq[0].rebind_protection='0'   # disable rebind_protection
        uci set dhcp.@dnsmasq[0].noresolv='1'            # disable dnsmasq hijack
        uci del dhcp.@dnsmasq[0].dns_redirect            # disable dns redirect
        uci -q del dhcp.@dnsmasq[0].domain               # prevent the random appending of '.lan' to the DAE DNS _qname
        uci set dhcp.@dnsmasq[0].cachesize='0'           # disable dnsmasq cache
        uci commit dhcp
        /etc/init.d/dnsmasq reload
 }

 stop_service() {
        uci -q del dhcp.@dnsmasq[0].server
        uci set dhcp.@dnsmasq[0].noresolv='0'            # enable dnsmasq hijack
        uci set dhcp.@dnsmasq[0].dns_redirect='1'        # enable dns redirect
        uci set dhcp.@dnsmasq[0].cachesize='8000'        # recovery dnsmasq cache
        uci commit dhcp
        /etc/init.d/dnsmasq reload

        rm -rf "$LOG_DIR"
 }

 service_triggers() {
        procd_add_reload_trigger "$CONF"
 }

 reload_service() {
        "$PROG" reload "$(cat /var/run/dae.pid)"
 }
diff --git a/config.dae b/config.dae
 global {
    ##### Software options.

    # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
    # In normal case, you do not need to use it.
    tproxy_port: 12345

    # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
    # iptables tproxy rules.
    tproxy_port_protect: true

    # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
    # rules.
    so_mark_from_dae: 0

    # Log level: error, warn, info, debug, trace.
    log_level: info

    # Disable waiting for network before pulling subscriptions.
    disable_waiting_network: false


    ##### Interface and kernel options.

    # The LAN interface to bind. Use it if you want to proxy LAN.
    # Multiple interfaces split by ",".
    lan_interface: br-lan

    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",". Use "auto" to auto detect.
    wan_interface: auto

    # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
    auto_config_kernel_parameter: true

    # Automatically configure firewall rules like firewalld and fw4.
    # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
    # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
    auto_config_firewall_rule: true

    ##### Node connectivity check.

    # Host of URL should have both IPv4 and IPv6 if you have double stack in local.
    # First is URL, others are IP addresses if given.
    # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
    #tcp_check_url: 'http://cp.cloudflare.com'
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'

    # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
    # accounting for this kind of traffic.
    tcp_check_http_method: HEAD

    # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
    # TCP DNS connectivity of nodes.
    # First is URL, others are IP addresses if given.
    # This DNS should have both IPv4 and IPv6 if you have double stack in local.
    #udp_check_dns: 'dns.google.com:53'
    udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'

    check_interval: 30s

    # Group will switch node only when new_latency <= old_latency - tolerance.
    check_tolerance: 50ms


    ##### Connecting options.

    # Optional values of dial_mode are:
    # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
    #       respectively, and makes the IP version requested by the application meet expectations. For example, if you
    #       use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
    #       This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
    #       in this mode.
    # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
    #       if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
    #       re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
    #       That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
    # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
    #       DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
    #       go through dae, dae cannot split traffic by domain.
    # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
    #       domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
    dial_mode: domain

    # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
    allow_insecure: false

    # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
    # in high latency LAN network.
    sniffing_timeout: 100ms

    # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
    tls_implementation: tls

    # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
    # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
    utls_imitate: chrome_auto
 }

 # Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
 # Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
 subscription {
    # Add your subscription links here.
 }

 # Nodes defined here will be merged as a part of the global node pool.
 node {
    # Add your node links here.
    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
    # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
 }

 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
    # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
    # respond to type A queries and response empty answer to type AAAA queries.
    #ipversion_prefer: 4

    # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
    # for these domains.
    #fixed_domain_ttl {
    #    ddns.example.org: 10
    #    test.example.org: 3600
    #}

    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.

        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google.com:53'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            qname(suffix: api.miwifi.com) -> reject
            qname(geosite:category-ads-all) -> reject
            qname(geosite:cn) -> alidns
            qname(geosite:microsoft@cn) -> alidns
            # fallback is also called default.
            fallback: googledns
        }
        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
        # Match rules from top to bottom.
        #response {
        #    # Trusted upstream. Always accept its result.
        #    upstream(googledns) -> accept
        #    # Possibly polluted, re-lookup using googledns.
        #    ip(geoip:private) && !qname(geosite:cn) -> googledns
        #    # fallback is also called default.
        #    fallback: accept
        #}
    }
 }

 # Node group (outbound).
 group {
    kr {
        filter: name(keyword: 'kr')
        policy: fixed(0)
    }

    sg {
        filter: subtag(bigme) && name(keyword: '新加坡')
        policy: min_moving_avg
    }
    us {
        filter: subtag(bigme) && name(keyword: '美国')
        policy: min_moving_avg
    }
 }

 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
 routing {
    ### Preset rules.

    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct

    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct

    ### Write your rules below.
    !mac('your mac address') -> direct(must)
    # skip BT
    !dport(22, 53, 80, 143, 443, 465, 853, 993, 995, 8080, 8443, 9418) -> direct
    dscp(0x4) -> direct
    domain(suffix:meta.com) -> us
    # Disable h3 because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    domain(geosite:microsoft@cn) -> direct

    fallback: sg
 }
	#!/bin/sh /etc/rc.common
	# Copyright (C) 2023 Tianling Shen <[email protected]>

	USE_PROCD=1
	START=99

	CONF="dae"
	PROG="/usr/bin/dae"
	LOG_DIR="/var/log/dae"

	start_service() {
	config_load "$CONF"

	local enabled
	config_get_bool enabled "config" "enabled" "0"
	[ "$enabled" -eq "1" ] \|\| return 1

	local config_file
	config_get config_file "config" "config_file" "/etc/dae/config.dae"

	"$PROG" validate -c "$config_file" \|\| return 1

	local log_maxbackups log_maxsize
	config_get log_maxbackups "config" "log_maxbackups" "1"
	config_get log_maxsize "config" "log_maxsize" "1"

	procd_open_instance "$CONF"
	procd_set_param command "$PROG" run
	procd_append_param command --config "$config_file"
	procd_append_param command --disable-timestamp
	procd_append_param command --logfile "$LOG_DIR/dae.log"
	procd_append_param command --logfile-maxbackups "$log_maxbackups"
	procd_append_param command --logfile-maxsize "$log_maxsize"

	procd_set_param limits core="unlimited"
	procd_set_param limits nofile="1000000 1000000"
	procd_set_param respawn
	# procd_set_param stdout 1
	procd_set_param stderr 1

	procd_close_instance

	# see https://github.com/daeuniverse/dae/issues/79
	uci -q del dhcp.@dnsmasq[0].server
	uci add_list dhcp.@dnsmasq[0].server='223.5.5.5' # set dnsmasq dns
	uci set dhcp.@dnsmasq[0].rebind_protection='0' # disable rebind_protection
	uci set dhcp.@dnsmasq[0].noresolv='1' # disable dnsmasq hijack
	uci del dhcp.@dnsmasq[0].dns_redirect # disable dns redirect
	uci -q del dhcp.@dnsmasq[0].domain # prevent the random appending of '.lan' to the DAE DNS _qname
	uci set dhcp.@dnsmasq[0].cachesize='0' # disable dnsmasq cache
	uci commit dhcp
	/etc/init.d/dnsmasq reload
	}

	stop_service() {
	uci -q del dhcp.@dnsmasq[0].server
	uci set dhcp.@dnsmasq[0].noresolv='0' # enable dnsmasq hijack
	uci set dhcp.@dnsmasq[0].dns_redirect='1' # enable dns redirect
	uci set dhcp.@dnsmasq[0].cachesize='8000' # recovery dnsmasq cache
	uci commit dhcp
	/etc/init.d/dnsmasq reload

	rm -rf "$LOG_DIR"
	}

	service_triggers() {
	procd_add_reload_trigger "$CONF"
	}

	reload_service() {
	"$PROG" reload "$(cat /var/run/dae.pid)"
	}
	global {
	##### Software options.

	# tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
	# In normal case, you do not need to use it.
	tproxy_port: 12345

	# Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
	# iptables tproxy rules.
	tproxy_port_protect: true

	# If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
	# rules.
	so_mark_from_dae: 0

	# Log level: error, warn, info, debug, trace.
	log_level: info

	# Disable waiting for network before pulling subscriptions.
	disable_waiting_network: false


	##### Interface and kernel options.

	# The LAN interface to bind. Use it if you want to proxy LAN.
	# Multiple interfaces split by ",".
	lan_interface: br-lan

	# The WAN interface to bind. Use it if you want to proxy localhost.
	# Multiple interfaces split by ",". Use "auto" to auto detect.
	wan_interface: auto

	# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
	# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
	auto_config_kernel_parameter: true

	# Automatically configure firewall rules like firewalld and fw4.
	# firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
	# fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
	auto_config_firewall_rule: true

	##### Node connectivity check.

	# Host of URL should have both IPv4 and IPv6 if you have double stack in local.
	# First is URL, others are IP addresses if given.
	# Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
	#tcp_check_url: 'http://cp.cloudflare.com'
	tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'

	# The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
	# accounting for this kind of traffic.
	tcp_check_http_method: HEAD

	# This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
	# TCP DNS connectivity of nodes.
	# First is URL, others are IP addresses if given.
	# This DNS should have both IPv4 and IPv6 if you have double stack in local.
	#udp_check_dns: 'dns.google.com:53'
	udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'

	check_interval: 30s

	# Group will switch node only when new_latency <= old_latency - tolerance.
	check_tolerance: 50ms


	##### Connecting options.

	# Optional values of dial_mode are:
	# 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
	# respectively, and makes the IP version requested by the application meet expectations. For example, if you
	# use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
	# This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
	# in this mode.
	# 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
	# if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
	# re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
	# That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
	# 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
	# DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
	# go through dae, dae cannot split traffic by domain.
	# 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
	# domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
	dial_mode: domain

	# Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
	allow_insecure: false

	# Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
	# in high latency LAN network.
	sniffing_timeout: 100ms

	# TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
	tls_implementation: tls

	# The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
	# See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
	utls_imitate: chrome_auto
	}

	# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
	# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
	subscription {
	# Add your subscription links here.
	}

	# Nodes defined here will be merged as a part of the global node pool.
	node {
	# Add your node links here.
	# Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
	# Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
	}

	# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
	dns {
	# For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
	# respond to type A queries and response empty answer to type AAAA queries.
	#ipversion_prefer: 4

	# Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
	# for these domains.
	#fixed_domain_ttl {
	# ddns.example.org: 10
	# test.example.org: 3600
	#}

	upstream {
	# Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
	# If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
	# IPv4 or IPv6 to use according to group policy (such as min latency policy).
	# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
	# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.

	alidns: 'udp://dns.alidns.com:53'
	googledns: 'tcp+udp://dns.google.com:53'
	}
	routing {
	# According to the request of dns query, decide to use which DNS upstream.
	# Match rules from top to bottom.
	request {
	qname(suffix: api.miwifi.com) -> reject
	qname(geosite:category-ads-all) -> reject
	qname(geosite:cn) -> alidns
	qname(geosite:microsoft@cn) -> alidns
	# fallback is also called default.
	fallback: googledns
	}
	# According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
	# Match rules from top to bottom.
	#response {
	# # Trusted upstream. Always accept its result.
	# upstream(googledns) -> accept
	# # Possibly polluted, re-lookup using googledns.
	# ip(geoip:private) && !qname(geosite:cn) -> googledns
	# # fallback is also called default.
	# fallback: accept
	#}
	}
	}

	# Node group (outbound).
	group {
	kr {
	filter: name(keyword: 'kr')
	policy: fixed(0)
	}

	sg {
	filter: subtag(bigme) && name(keyword: '新加坡')
	policy: min_moving_avg
	}
	us {
	filter: subtag(bigme) && name(keyword: '美国')
	policy: min_moving_avg
	}
	}

	# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
	routing {
	### Preset rules.

	# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
	# forwarded by the proxy.
	# "dip" means destination IP.
	dip(224.0.0.0/3, 'ff00::/8') -> direct

	# This line allows you to access private addresses directly instead of via your proxy. If you really want to access
	# private addresses in your proxy host network, modify the below line.
	dip(geoip:private) -> direct

	### Write your rules below.
	!mac('your mac address') -> direct(must)
	# skip BT
	!dport(22, 53, 80, 143, 443, 465, 853, 993, 995, 8080, 8443, 9418) -> direct
	dscp(0x4) -> direct
	domain(suffix:meta.com) -> us
	# Disable h3 because it usually consumes too much cpu/mem resources.
	l4proto(udp) && dport(443) -> block
	dip(geoip:cn) -> direct
	domain(geosite:cn) -> direct
	domain(geosite:microsoft@cn) -> direct

	fallback: sg
	}