From 904e9c152f17e58c31899eb885b338ec920c5f87 Mon Sep 17 00:00:00 2001
From: ccbkkb <9201575@gmail.com>
Date: Thu, 30 Apr 2026 18:25:12 +0800
Subject: [PATCH] Refactor comments and improve script clarity

---
 entrypoint.sh | 45 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 65c3855..dd62e82 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -73,49 +73,72 @@ fi # 1. 智能提取出纯 IPv4 地址 (防止 wgcf v2.2.30 将双栈 IP 写在同一行导致误杀) IPV4_ADDR=$(grep '^Address' "$WG_CONF" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | head -n 1) -# 2. 物理删除所有原始的 Address, AllowedIPs, DNS,防止 RTNETLINK 崩溃或 DNS 死锁 +# 2. 物理删除所有原始的 Address, AllowedIPs, DNS sed -i '/^Address/d' "$WG_CONF" sed -i '/^AllowedIPs/d' "$WG_CONF" sed -i '/^DNS.*/d' "$WG_CONF" +# 清除可能存在的旧 MTU (兼容 Alpine Busybox 的正则写法) +sed -i '/^[Mm][Tt][Uu].*/d' "$WG_CONF" # 3. 重建最纯净的 IPv4 路由规则 if [ -n "$IPV4_ADDR" ]; then sed -i "/\[Interface\]/a Address = $IPV4_ADDR" "$WG_CONF" fi + +# 4. 动态注入 MTU 变量 (默认 1280) +WG_MTU=${MTU:-1280} +sed -i "/\[Interface\]/a MTU = $WG_MTU" "$WG_CONF" +echo "==> [MicroWARP] 🛜 MTU 值已设置为: $WG_MTU" + sed -i "/\[Peer\]/a AllowedIPs = 0.0.0.0\/0" "$WG_CONF" # 删除 Alpine 系统自带 wg-quick 中不兼容的路由标记 sed -i '/src_valid_mark/d' /usr/bin/wg-quick -# 【新增:抗断流绝杀】强制注入 15 秒 UDP 心跳保活,对抗运营商 QoS 丢包 +# 【核心功能】强制注入 15 秒 UDP 心跳保活,对抗运营商 QoS 丢包 if ! grep -q "PersistentKeepalive" "$WG_CONF"; then sed -i '/\[Peer\]/a PersistentKeepalive = 15' "$WG_CONF" else sed -i 's/PersistentKeepalive.*/PersistentKeepalive = 15/g' "$WG_CONF" fi -# 【新增:防阻断绝杀】针对 HK/US 强校验机房,注入自定义优选 Endpoint IP +# 【核心功能】针对 HK/US 强校验机房,注入自定义优选 Endpoint IP if [ -n "$ENDPOINT_IP" ]; then - echo "==> [MicroWARP] 🔀 检测到自定义 Endpoint IP,正在覆盖默认节点: $ENDPOINT_IP" + echo "==>[MicroWARP] 🔀 检测到自定义 Endpoint IP,正在覆盖默认节点: $ENDPOINT_IP" sed -i "s/^Endpoint.*/Endpoint = $ENDPOINT_IP/g" "$WG_CONF" fi # ========================================== -# 3. 拉起内核网卡 +# 3. 
拉起内核网卡 & 修复非对称路由 # ========================================== -# 在启用 WARP 前记录 100.64.0.0/10 的原始回程路径,避免发布端口后 Tailscale 客户端握手卡死 +# 3.1 记录 100.64.0.0/10 的原始回程路径,避免发布端口后 Tailscale 客户端握手卡死 PRE_WARP_ROUTE=$(ip route get 100.64.0.1 2>/dev/null | head -n 1 || true) PRE_WARP_GW=$(printf '%s\n' "$PRE_WARP_ROUTE" | awk '{for (i = 1; i <= NF; i++) if ($i == "via") print $(i + 1)}') PRE_WARP_DEV=$(printf '%s\n' "$PRE_WARP_ROUTE" | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)}') +# 3.2 记录当前容器主网卡 IP 和网关,用于修复外部入站流量的非对称路由 +ORIG_GW=$(ip -4 route show default | awk '{print $3}' | head -n 1) +ORIG_DEV=$(ip -4 route show default | awk '{print $5}' | head -n 1) +if [ -n "$ORIG_DEV" ]; then + ORIG_IP=$(ip -4 addr show dev "$ORIG_DEV" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n 1) +fi + echo "==> [MicroWARP] 正在启动 Linux 内核级 wg0 网卡..." wg-quick up wg0 > /dev/null 2>&1 -# 仅在 WARP 启动前确实存在原始回程路径时恢复 100.64.0.0/10,减少对非 Tailscale 场景的影响 +# 3.3 注入源地址策略路由 (Policy-Based Routing) 修复入站非对称路由劫持 +if [ -n "$ORIG_IP" ] && [ -n "$ORIG_GW" ] $$ [ -n "$ORIG_DEV" ]; then + echo "==> [MicroWARP] 正在注入策略路由修复非对称路由死锁 (源IP: $ORIG_IP)..." + # 添加容错 || true,防止部分精简版内核不支持多路由表导致启动崩溃 + ip rule add from "$ORIG_IP" table 128 priority 100 2>/dev/null || true + ip route add table 128 default via "$ORIG_GW" dev "$ORIG_DEV" 2>/dev/null || true +fi + +# 3.4 恢复 Tailscale 等指定内网网段的回程路由 TAILSCALE_CIDR=${TAILSCALE_CIDR:-"100.64.0.0/10"} if [ -n "$PRE_WARP_GW" ] && [ -n "$PRE_WARP_DEV" ]; then if ip route replace "$TAILSCALE_CIDR" via "$PRE_WARP_GW" dev "$PRE_WARP_DEV" > /dev/null 2>&1; then - echo "==> [MicroWARP] 已为 ${TAILSCALE_CIDR} 恢复 WARP 启动前的回程路由: via ${PRE_WARP_GW} dev ${PRE_WARP_DEV}" + echo "==>[MicroWARP] 已为 ${TAILSCALE_CIDR} 恢复 WARP 启动前的回程路由: via ${PRE_WARP_GW} dev ${PRE_WARP_DEV}" fi fi 
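Review bot: The new policy-routing guard `if [ -n "$ORIG_IP" ] && [ -n "$ORIG_GW" ] $$ [ -n "$ORIG_DEV" ]; then` uses `$$` (the shell's own PID) where `&&` was intended, so the second `[` receives the PID and the third test as extra arguments, fails with an argument error, and the `ip rule add` / `ip route add table 128` lines that this hunk introduces to fix the inbound asymmetric route never execute; the line should read `if [ -n "$ORIG_IP" ] && [ -n "$ORIG_GW" ] && [ -n "$ORIG_DEV" ]; then`. `ORIG_IP` is only assigned inside the `if [ -n "$ORIG_DEV" ]` block above it, so if the script runs under `set -u` (not visible in this hunk) the guard itself would abort on an unset variable; an `ORIG_IP=` initialisation before that block avoids it. The MTU injection `sed -i "/\[Interface\]/a MTU = $WG_MTU"` splices an environment variable straight into a sed script: a value containing a newline ends the `a` text early and the remainder is parsed as further sed commands, and a non-numeric value yields an interface that `wg-quick up` will most likely reject — silently, because its output is sent to /dev/null on the context line below; a check such as `case "$WG_MTU" in ''|*[!0-9]*) echo "==> [MicroWARP] invalid MTU: $WG_MTU" >&2; exit 1;; esac` before the sed keeps that path to digits. The `$3`/`$5` extraction of `ORIG_GW`/`ORIG_DEV` presumes the default route prints as `default via GW dev DEV`; a route without `via` would fill both variables with the wrong fields, which the `-n` tests would not catch.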
@@ -131,12 +154,12 @@
 LISTEN_ADDR=${BIND_ADDR:-"0.0.0.0"}
 LISTEN_PORT=${BIND_PORT:-"1080"}
 if [ -n "$SOCKS_USER" ] && [ -n "$SOCKS_PASS" ]; then
- echo "==> [MicroWARP] 🔒 身份认证已开启 (User: $SOCKS_USER)"
- echo "==> [MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
+ echo "==>[MicroWARP] 🔒 身份认证已开启 (User: $SOCKS_USER)"
+ echo "==>[MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
 # 使用 exec 接管进程,实现 Zero-Overhead 的底层进程控制
 exec microsocks -i "$LISTEN_ADDR" -p "$LISTEN_PORT" -u "$SOCKS_USER" -P "$SOCKS_PASS"
 else
 echo "==> [MicroWARP] ⚠️ 未设置密码,当前为公开访问模式"
- echo "==>[MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
+ echo "==> [MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
 exec microsocks -i "$LISTEN_ADDR" -p "$LISTEN_PORT"
 fi
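Review bot: The two rewritten `echo` lines in the authenticated branch drop the space after `==>` (`==>[MicroWARP]`) while the rewritten line in the `else` branch gains it (`==> [MicroWARP]`), so after this commit the log prefix differs within the same `if`/`else`; the untouched lines in both hunks use `==> [MicroWARP]`, so the authenticated-branch lines should keep that form, e.g. `echo "==> [MicroWARP] 🔒 身份认证已开启 (User: $SOCKS_USER)"`. The same dropped space appears in two added lines of the first hunk (`echo "==>[MicroWARP] 🔀 ...` and `echo "==>[MicroWARP] 已为 ...`). Operators filter container logs on this prefix, so a single spelling keeps those filters reliable.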