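#!/bin/bash
# Sets up the iptables + policy-routing plumbing that hands TCP/UDP arriving on
# the client-facing interfaces to a local TPROXY listener (mihomo).
#
# Re-runnable: every existing reference to the MIHOMO_TPROXY chain is removed
# and the chain is rebuilt from scratch on each run.
#
# Scope: IPv4 only. Nothing below touches ip6tables, so IPv6 traffic from the
# clients is NOT redirected by this script.
#
# Requires root, iptables with the TPROXY target and the multiport/addrtype
# matches, and iproute2 (`ip`).

# Fail on any unchecked error and on unset variables; pipefail so a failing
# iptables-save in cleanup_references is not masked by the later stages.
set -euo pipefail

# ----------------------------
# Config
# ----------------------------
MIHOMO_UID="mihomo"      # not referenced by this script (no OUTPUT-chain rules here)
TPROXY_PORT="7893"       # port the TPROXY listener is bound to
FW_MARK="0x1"            # mark set by TPROXY and matched by the ip rule below
ROUTE_TABLE="100"        # routing table holding the "local default" route
# Client interfaces (where the requests come from)
LAN_IFACES=("eth1" "wt0")
# Ports of this host itself that must NOT be proxied (Web UI, SSH)
LOCAL_PORTS="9090,22"
# Destinations that bypass the proxy and are routed normally
BYPASS_NETS=(
  # reserved / loopback / link-local / RFC1918 private ranges
  0.0.0.0/8
  10.0.0.0/8
  127.0.0.0/8
  169.254.0.0/16
  172.16.0.0/12
  192.168.0.0/16
  # multicast and reserved class E
  224.0.0.0/4
  240.0.0.0/4
  # NETBIRD / CGNAT range (keeps VPN access working)
  100.64.0.0/10
)

# ----------------------------
# Helpers
# ----------------------------

#######################################
# Print a message to stderr and abort.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

ipt() { iptables "$@"; }

#######################################
# Delete every mangle-table rule that jumps to the given chain, so the chain
# can subsequently be flushed and removed.
# Arguments: $1 - chain name
# Returns:   0 (individual delete failures are ignored)
#######################################
cleanup_references() {
  local chain=$1
  local rule
  # iptables-save prints rules as "-A <parent> ... -j <chain>"; rewriting the
  # leading -A to -D yields the exact delete command. Restrict to the mangle
  # table (the only one this script touches) and anchor the chain name so a
  # chain such as "<chain>2" is not matched. grep exits 1 when there is
  # nothing to delete, which is not an error here.
  iptables-save -t mangle \
    | { grep -E -- "-j ${chain}( |$)" || true; } \
    | sed 's/^-A/-D/' \
    | while IFS= read -r rule; do
        # shellcheck disable=SC2086 — the saved rule must be word-split into arguments
        iptables -t mangle $rule 2>/dev/null || true
      done
}

#######################################
# Make sure marked packets are routed to the local TPROXY socket: an ip rule
# sending FW_MARK to ROUTE_TABLE, and a "local" default route in that table.
# Globals:  FW_MARK, ROUTE_TABLE (read)
# Returns:  0 on success; aborts via die otherwise
#######################################
ensure_ip_rule() {
  if ! ip rule list | grep -q "fwmark ${FW_MARK} lookup ${ROUTE_TABLE}"; then
    ip rule add fwmark "${FW_MARK}" lookup "${ROUTE_TABLE}" \
      || die "cannot add ip rule for fwmark ${FW_MARK}"
  fi
  if ! ip route show table "${ROUTE_TABLE}" | grep -q "local default"; then
    ip route add local 0.0.0.0/0 dev lo table "${ROUTE_TABLE}" \
      || die "cannot add local default route to table ${ROUTE_TABLE}"
  fi
}

# ----------------------------
# 1. CLEANUP
# ----------------------------
echo "--- Cleaning up rules ---"
cleanup_references "MIHOMO_TPROXY"
# Both may legitimately fail when the chain does not exist yet.
ipt -t mangle -F MIHOMO_TPROXY 2>/dev/null || true
ipt -t mangle -X MIHOMO_TPROXY 2>/dev/null || true

# ----------------------------
# 2. SETUP
# ----------------------------
ensure_ip_rule

# --- CHAIN: PREROUTING (for clients) ---
# If creation fails (e.g. a stale reference survived cleanup), every append
# below would fail too, so stop here.
ipt -t mangle -N MIHOMO_TPROXY || die "cannot create chain MIHOMO_TPROXY"

# === 1. Port exceptions ===
# Connections to this host's own Web UI or SSH are left alone.
# "-m addrtype --dst-type LOCAL" limits the bypass to addresses owned by this
# host; without it, TCP to port 22/9090 on ANY remote host would skip the
# proxy and leave the LAN unproxied, which is not what LOCAL_PORTS means.
ipt -t mangle -A MIHOMO_TPROXY -p tcp -m addrtype --dst-type LOCAL \
  -m multiport --dports "${LOCAL_PORTS}" -j RETURN

# === 2. IP exceptions (bypass) ===
for net in "${BYPASS_NETS[@]}"; do
  ipt -t mangle -A MIHOMO_TPROXY -d "$net" -j RETURN
done

# === 3. Hand everything else to TPROXY ===
for proto in tcp udp; do
  ipt -t mangle -A MIHOMO_TPROXY -p "$proto" -j TPROXY \
    --on-port "${TPROXY_PORT}" --tproxy-mark "${FW_MARK}"
done

# ----------------------------
# 3. APPLY
# ----------------------------
for IFACE in "${LAN_IFACES[@]}"; do
  echo "Adding TProxy rules for interface: $IFACE"
  ipt -t mangle -A PREROUTING -i "$IFACE" -j MIHOMO_TPROXY
done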