From 1c8d49a636288fa924800a9505f4392ec7c6099a Mon Sep 17 00:00:00 2001 From: DaTekShaman Date: Sun, 12 Apr 2026 13:05:06 +0300 Subject: [PATCH] feat: Refactor Mihomo setup script to improve interface handling and add new rule logic --- config-clash/solar/solar.yaml | 71 ++++++++++++++----- .../iptables-mihomo-setup-alpine-mark2.sh | 16 ++++- 2 files changed, 69 insertions(+), 18 deletions(-) diff --git a/config-clash/solar/solar.yaml b/config-clash/solar/solar.yaml index 1f65048..bbcbb0c 100644 --- a/config-clash/solar/solar.yaml +++ b/config-clash/solar/solar.yaml @@ -193,17 +193,17 @@ dns: # - https://d.adguard-dns.com/dns-query/5ffb7de2 hosts: - 'solar.shamanlanding.org': 192.168.25.8 - - 'battlescribe.shamanlanding.org': 192.168.25.8 - 'kavanah.shamanlanding.org': 192.168.25.8 - 'loremaster.shamanlanding.org': 192.168.25.8 - 'omnissiah.shamanlanding.org': 192.168.25.8 - 'sanctum.shamanlanding.org': 192.168.25.8 - 'tesseract.shamanlanding.org': 192.168.25.8 - 'synaxis.shamanlanding.org': 192.168.25.8 - - '+.solar.shamanlanding.org': 192.168.25.8 +# 'solar.shamanlanding.org': 192.168.25.8 +# +# 'battlescribe.shamanlanding.org': 192.168.25.8 +# 'kavanah.shamanlanding.org': 192.168.25.8 +# 'loremaster.shamanlanding.org': 192.168.25.8 +# 'omnissiah.shamanlanding.org': 192.168.25.8 +# 'sanctum.shamanlanding.org': 192.168.25.8 +# 'tesseract.shamanlanding.org': 192.168.25.8 +# 'synaxis.shamanlanding.org': 192.168.25.8 +# +# '+.solar.shamanlanding.org': 192.168.25.8 proxy-providers: 🐦 fallback package: @@ -311,6 +311,7 @@ proxy-groups: exclude-filter: "" exclude-type: "" proxies: + - PASS - Заблокированные сайты - Личный список <<: [*health_check_groups, *use_all, *p_selector_udp] @@ -319,7 +320,7 @@ proxy-groups: exclude-filter: "" exclude-type: "" proxies: - - Testzone A + - PASS - Заблокированные сайты - Личный список <<: [*health_check_groups, *use_all, *p_selector_udp] 
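Review bot: Commenting out every entry under `hosts:` in the first hunk leaves a bare `hosts:` key, which parses as null rather than an empty map; write `hosts: {}` or drop the key, and delete the dead entries instead of keeping them as column-0 comments inside a nested block. With the static 192.168.25.8 overrides gone, lookups for these internal names presumably go to the resolvers configured elsewhere under `dns:` (outside the hunk). It is worth confirming that the names still resolve to the internal address and that sending those queries upstream is acceptable.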
@@ -352,18 +353,56 @@ rule-providers: path: "./rule_provider/consolidated-lists-private/adaptation-scarus-ip-proxy.yaml" <<: *default_rule_provider_config + 🛝 Testzone A: + url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-lists-private/testzone-a.yaml + path: "./rule_provider/services/consolidated-lists-private/testzone-a.yaml" + <<: *default_rule_provider_config + 🛝 Testzone B: + url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-lists-private/testzone-b.yaml + path: "./rule_provider/services/consolidated-lists-private/testzone-b.yaml" + <<: *default_rule_provider_config + 🛜 Webway Unprivileged: + url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-lists-private/webway-unprivileged.yaml + path: "./rule_provider/services/consolidated-lists-private/webway-unprivileged.yaml" + <<: *default_rule_provider_config + 🛜 VLAN10: + url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-lists-private/vlan10.yaml + path: "./rule_provider/services/consolidated-lists-private/vlan10.yaml" + <<: *default_rule_provider_config + 🛜 VLAN40: + url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-lists-private/vlan40.yaml + path: "./rule_provider/services/consolidated-lists-private/vlan40.yaml" + <<: *default_rule_provider_config + + 👥 Current Antifilter/Refilter: + url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-lists-public/current-public-set.yaml + path: "./rule_provider/consolidated-lists-public/current-public-set.yaml" + <<: *default_rule_provider_config + 📦 RU Services Manual: url: https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main/rule-provider/consolidated-services/ru-services.yaml path: "./rule_provider/consolidated-services/ru-services.yaml" <<: 
*default_rule_provider_config rules: - - OR,((RULE-SET,📦 RU Services Manual),(GEOIP,RU),(GEOSITE,category-ru)),RU-зона локально - + - SUB-RULE,(OR,((RULE-SET,📦 RU Services Manual),(GEOIP,RU),(GEOSITE,category-ru))),russian_internet + + - RULE-SET,🛝 Testzone A,Testzone A + - RULE-SET,🛝 Testzone B,Testzone B + - RULE-SET,📃 Solar Proxy Domain List,Личный список - RULE-SET,📃 Solar Proxy IP List,Личный список,no-resolve + - RULE-SET,📃 Shared Proxy Domain List,Заблокированные сайты - RULE-SET,📃 Shared Proxy IP List,Заблокированные сайты,no-resolve - + - RULE-SET,👥 Current Antifilter/Refilter,Заблокированные сайты + - MATCH,DIRECT - \ No newline at end of file + +sub-rules: + russian_internet: + - DOMAIN-SUFFIX,shamanlanding.org,DIRECT + - SRC-IP-CIDR,100.98.0.0/16,RU-зона через webway + - SRC-IP-CIDR,10.10.0.0/16,RU-зона локально + - SRC-IP-CIDR,10.40.0.0/16,RU-зона локально + - MATCH,REJECT \ No newline at end of file diff --git a/scripts/warpgates/iptables-mihomo-setup-alpine-mark2.sh b/scripts/warpgates/iptables-mihomo-setup-alpine-mark2.sh index cdd835e..6c47b8b 100644 --- a/scripts/warpgates/iptables-mihomo-setup-alpine-mark2.sh +++ b/scripts/warpgates/iptables-mihomo-setup-alpine-mark2.sh @@ -11,6 +11,7 @@ FW_MARK="0x1" ROUTE_TABLE="100" EXCLUDE_IFACES=("tun0") +INCLUDE_IFACES=("wt0" "eth1" "eth2") # ---------------------------- # Helpers 
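Review bot: The new `russian_internet` sub-rule ends in `MATCH,REJECT`, so RU-matched traffic from any source outside 100.98.0.0/16, 10.10.0.0/16 and 10.40.0.0/16 is now rejected where the old rule sent it to `RU-зона локально`. If that default-deny is intended, document it with a comment such as `# default-deny: RU destinations from unlisted sources are rejected`, and check that connections originated by the gateway itself are not caught by it. The first entry, `DOMAIN-SUFFIX,shamanlanding.org,DIRECT`, is only evaluated for traffic that already matched the outer OR, so it does not exempt the domain in general. In the rule-providers part of the same hunk, the five new private providers cache under `./rule_provider/services/consolidated-lists-private/` while the existing private provider uses `./rule_provider/consolidated-lists-private/`. Also, `🛜 Webway Unprivileged`, `🛜 VLAN10` and `🛜 VLAN40` are not referenced by any rule visible here.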
@@ -86,7 +87,15 @@ ipt -t nat -A OUTPUT -m owner --uid-owner "${MIHOMO_UID}" -m comment --comment " ipt -t nat -A OUTPUT -p tcp -m comment --comment "MIHOMO-JUMP" -j MIHOMO_REDIR # Apply to PREROUTING (wt0 Ingress) - Force Redir for NetBird (skips exclusions by design) -ipt -t nat -A PREROUTING -i wt0 -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}" +for IFACE in "${INCLUDE_IFACES[@]}"; do + if [ "$IFACE" = "wt0" ]; then + # wt0 (Netbird) пропускает исключения локальных подсетей по твоему дизайну + ipt -t nat -A PREROUTING -i "$IFACE" -p tcp -m comment --comment "MIHOMO-REDIRECT" -j REDIRECT --to-port "${REDIR_PORT}" + else + # LAN-трафик (eth1, eth2) должен прыгать в цепочку MIHOMO_REDIR для проверки исключений (192.168.x.x и т.д.) + ipt -t nat -A PREROUTING -i "$IFACE" -p tcp -m comment --comment "MIHOMO-JUMP-$IFACE" -j MIHOMO_REDIR + fi +done # ---------------------------- # MANGLE (TPROXY) - UDP @@ -116,6 +125,9 @@ ipt -t mangle -A OUTPUT -p udp -m comment --comment "MIHOMO-MARK" -j MARK --set- for IFACE in "${EXCLUDE_IFACES[@]}"; do ipt -t mangle -A PREROUTING -i "${IFACE}" -m comment --comment "MIHOMO-EXCLUDE" -j RETURN done -ipt -t mangle -A PREROUTING -i wt0 -m comment --comment "MIHOMO-JUMP" -j MIHOMO_TPROXY + +for IFACE in "${INCLUDE_IFACES[@]}"; do + ipt -t mangle -A PREROUTING -i "$IFACE" -m comment --comment "MIHOMO-JUMP-$IFACE" -j MIHOMO_TPROXY +done echo "Done. Suboptimal hypervisor constraints bypassed successfully." \ No newline at end of file
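Review bot: The nat PREROUTING loop special-cases the literal name `wt0` inside `INCLUDE_IFACES`, so the choice of which interface bypasses the MIHOMO_REDIR exclusions is buried in a string compare. A separate list declared next to the others, e.g. `FORCE_REDIR_IFACES=("wt0")`, would make that trust distinction explicit. The new rules are tagged `MIHOMO-JUMP-$IFACE`, here and in the mangle loop of the next hunk, and the cleanup code is outside the hunk; if it removes rules by exact comment, the per-interface tags would survive a re-run and accumulate duplicates. The two added comments are in Russian and address the reader directly, while the other comments visible in the file are in English. `# wt0 (NetBird): redirect unconditionally, exclusions are skipped by design` and `# LAN interfaces go through MIHOMO_REDIR so its exclusions apply` would match.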
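Review bot: The per-interface jump into MIHOMO_TPROXY in the mangle PREROUTING loop has no protocol match although this section is headed UDP, so every packet arriving on wt0, eth1 and eth2 is evaluated by that chain. The chain body is outside the hunk, so this may be harmless. Scoping the jump itself keeps TCP and other protocols out regardless of what the chain contains: `ipt -t mangle -A PREROUTING -i "$IFACE" -p udp -m comment --comment "MIHOMO-JUMP-$IFACE" -j MIHOMO_TPROXY`.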