update 2025-08-03 09:48:05

This commit is contained in:
actions-user 2025-08-03 09:48:05 +08:00
parent 513b60ffa8
commit c91bc6a992
5 changed files with 146 additions and 69 deletions


@ -15,6 +15,7 @@ o.rmempty = false
---- gfwlist URL ---- gfwlist URL
o = s:option(DynamicList, "gfwlist_url", translate("GFW domains(gfwlist) Update URL")) o = s:option(DynamicList, "gfwlist_url", translate("GFW domains(gfwlist) Update URL"))
o:depends("geo2rule", false)
o:value("https://fastly.jsdelivr.net/gh/YW5vbnltb3Vz/domain-list-community@release/gfwlist.txt", translate("v2fly/domain-list-community")) o:value("https://fastly.jsdelivr.net/gh/YW5vbnltb3Vz/domain-list-community@release/gfwlist.txt", translate("v2fly/domain-list-community"))
o:value("https://fastly.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/gfw.txt", translate("Loyalsoldier/v2ray-rules-dat")) o:value("https://fastly.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/gfw.txt", translate("Loyalsoldier/v2ray-rules-dat"))
o:value("https://fastly.jsdelivr.net/gh/Loukky/gfwlist-by-loukky/gfwlist.txt", translate("Loukky/gfwlist-by-loukky")) o:value("https://fastly.jsdelivr.net/gh/Loukky/gfwlist-by-loukky/gfwlist.txt", translate("Loukky/gfwlist-by-loukky"))
@ -23,6 +24,7 @@ o.default = "https://fastly.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release
----chnroute URL ----chnroute URL
o = s:option(DynamicList, "chnroute_url", translate("China IPs(chnroute) Update URL")) o = s:option(DynamicList, "chnroute_url", translate("China IPs(chnroute) Update URL"))
o:depends("geo2rule", false)
o:value("https://fastly.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china.txt", translate("gaoyifan/china-operator-ip/china")) o:value("https://fastly.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china.txt", translate("gaoyifan/china-operator-ip/china"))
o:value("https://ispip.clang.cn/all_cn.txt", translate("Clang.CN")) o:value("https://ispip.clang.cn/all_cn.txt", translate("Clang.CN"))
o:value("https://ispip.clang.cn/all_cn_cidr.txt", translate("Clang.CN.CIDR")) o:value("https://ispip.clang.cn/all_cn_cidr.txt", translate("Clang.CN.CIDR"))
@ -32,12 +34,14 @@ o:value("https://fastly.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule
----chnroute6 URL ----chnroute6 URL
o = s:option(DynamicList, "chnroute6_url", translate("China IPv6s(chnroute6) Update URL")) o = s:option(DynamicList, "chnroute6_url", translate("China IPv6s(chnroute6) Update URL"))
o:depends("geo2rule", false)
o:value("https://fastly.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china6.txt", translate("gaoyifan/china-operator-ip/china6")) o:value("https://fastly.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china6.txt", translate("gaoyifan/china-operator-ip/china6"))
o:value("https://ispip.clang.cn/all_cn_ipv6.txt", translate("Clang.CN.IPv6")) o:value("https://ispip.clang.cn/all_cn_ipv6.txt", translate("Clang.CN.IPv6"))
o:value("https://fastly.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/ChinaMax/ChinaMax_IP.txt", translate("ios_rule_script/ChinaMax_IP")) o:value("https://fastly.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/ChinaMax/ChinaMax_IP.txt", translate("ios_rule_script/ChinaMax_IP"))
----chnlist URL ----chnlist URL
o = s:option(DynamicList, "chnlist_url", translate("China List(Chnlist) Update URL")) o = s:option(DynamicList, "chnlist_url", translate("China List(Chnlist) Update URL"))
o:depends("geo2rule", false)
o:value("https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/accelerated-domains.china.conf", translate("felixonmars/domains.china")) o:value("https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/accelerated-domains.china.conf", translate("felixonmars/domains.china"))
o:value("https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/apple.china.conf", translate("felixonmars/apple.china")) o:value("https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/apple.china.conf", translate("felixonmars/apple.china"))
o:value("https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/google.china.conf", translate("felixonmars/google.china")) o:value("https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/google.china.conf", translate("felixonmars/google.china"))
@ -67,6 +71,10 @@ if has_xray or has_singbox then
o.rmempty = false o.rmempty = false
if api.is_finded("geoview") then if api.is_finded("geoview") then
o = s:option(Flag, "geo2rule", translate("Generate Rule List from Geo"), translate("Generate rule lists such as GFW, China domains, and China IP ranges based on Geo files."))
o.default = 0
o.rmempty = false
o = s:option(Flag, "enable_geoview", translate("Enable Geo Data Parsing")) o = s:option(Flag, "enable_geoview", translate("Enable Geo Data Parsing"))
o.default = 0 o.default = 0
o.rmempty = false o.rmempty = false
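Review bot: The four `o:depends("geo2rule", false)` lines on the URL lists reference a field that is only created inside the `if api.is_finded("geoview") then` block (hunk `@ -67,6 +71,10`), so on a build without geoview the dependency points at an option that is not on the form. I believe LuCI's dependency check treats a missing field as empty and therefore satisfies a `false` dependency, but please confirm the URL lists still render without geoview; if they do not, wrap the `depends` calls in the same `api.is_finded("geoview")` test. A short comment at the first `depends`, e.g. `-- hidden when rules are generated from geo files (geo2rule); field only exists when geoview is installed`, would make the coupling visible to the next editor.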


@ -982,6 +982,12 @@ msgstr "Geo 规则文件目录"
msgid "This variable specifies a directory where geoip.dat and geosite.dat files are." msgid "This variable specifies a directory where geoip.dat and geosite.dat files are."
msgstr "此变量指定 geoip.dat 和 geosite.dat 文件所在的目录。" msgstr "此变量指定 geoip.dat 和 geosite.dat 文件所在的目录。"
msgid "Generate Rule List from Geo"
msgstr "从 Geo 文件生成规则"
msgid "Generate rule lists such as GFW, China domains, and China IP ranges based on Geo files."
msgstr "根据 Geo 文件生成规则列表,包括 GFW、中国域名和中国 IP 段等。"
msgid "Enable Geo Data Parsing" msgid "Enable Geo Data Parsing"
msgstr "开启 Geo 数据解析" msgstr "开启 Geo 数据解析"


@ -37,6 +37,9 @@ local geoip_url = uci:get(name, "@global_rules[0]", "geoip_url") or "https://gi
local geosite_url = uci:get(name, "@global_rules[0]", "geosite_url") or "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat" local geosite_url = uci:get(name, "@global_rules[0]", "geosite_url") or "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat"
local asset_location = uci:get(name, "@global_rules[0]", "v2ray_location_asset") or "/usr/share/v2ray/" local asset_location = uci:get(name, "@global_rules[0]", "v2ray_location_asset") or "/usr/share/v2ray/"
local use_nft = uci:get(name, "@global_forwarding[0]", "use_nft") or "0" local use_nft = uci:get(name, "@global_forwarding[0]", "use_nft") or "0"
local geo2rule = uci:get(name, "@global_rules[0]", "geo2rule") or "0"
local geoip_update_ok, geosite_update_ok = false, false
asset_location = asset_location:match("/$") and asset_location or (asset_location .. "/")
--兼容旧版本geo下载方式的配置择机删除。 --兼容旧版本geo下载方式的配置择机删除。
if geoip_url:match(".*/([^/]+)$") == "latest" then if geoip_url:match(".*/([^/]+)$") == "latest" then
@ -141,6 +144,31 @@ local function non_file_check(file_path, vali_file)
end end
end end
local function GeoToRule(rule_name, rule_type, out_path)
if not api.is_finded("geoview") then
log(rule_name .. "生成失败,缺少 geoview 组件。")
return false;
end
local geosite_path = asset_location .. "geosite.dat"
local geoip_path = asset_location .. "geoip.dat"
local file_path = (rule_type == "domain") and geosite_path or geoip_path
local arg
if rule_type == "domain" then
if rule_name == "gfwlist" then
arg = "-type geosite -list gfw"
else
arg = "-type geosite -list cn"
end
elseif rule_type == "ip4" then
arg = "-type geoip -list cn -ipv6=false"
elseif rule_type == "ip6" then
arg = "-type geoip -list cn -ipv4=false"
end
cmd = string.format("geoview -input '%s' %s -lowmem=true -output '%s'", file_path, arg, out_path)
sys.exec(cmd)
return true;
end
--fetch rule --fetch rule
local function fetch_rule(rule_name,rule_type,url,exclude_domain) local function fetch_rule(rule_name,rule_type,url,exclude_domain)
local sret = 200 local sret = 200
@ -151,23 +179,33 @@ local function fetch_rule(rule_name,rule_type,url,exclude_domain)
local download_file_tmp = "/tmp/" ..rule_name.. "_dl" local download_file_tmp = "/tmp/" ..rule_name.. "_dl"
local unsort_file_tmp = "/tmp/" ..rule_name.. "_unsort" local unsort_file_tmp = "/tmp/" ..rule_name.. "_unsort"
log(rule_name.. " 开始更新...") if geo2rule == "1" then
url = {"geo2rule"}
log(rule_name.. " 开始生成...")
else
log(rule_name.. " 开始更新...")
end
for k,v in ipairs(url) do for k,v in ipairs(url) do
sret_tmp = curl(v, download_file_tmp..k, vali_file..k) if v ~= "geo2rule" then
if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
log(rule_name.. "" ..k.. "条规则:" ..v.. "下载文件过程出错,尝试重新下载。")
os.remove(download_file_tmp..k)
os.remove(vali_file..k)
sret_tmp = curl(v, download_file_tmp..k, vali_file..k) sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
sret = 0 log(rule_name.. "" ..k.. "条规则:" ..v.. "下载文件过程出错,尝试重新下载。")
sret_tmp = 0 os.remove(download_file_tmp..k)
log(rule_name.. "" ..k.. "条规则:" ..v.. "下载文件过程出错,请检查网络或下载链接后重试!") os.remove(vali_file..k)
sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
sret = 0
sret_tmp = 0
log(rule_name.. "" ..k.. "条规则:" ..v.. "下载文件过程出错,请检查网络或下载链接后重试!")
end
end end
else
if not GeoToRule(rule_name, rule_type, download_file_tmp..k) then return 1 end
sret_tmp = 200
end end
if sret_tmp == 200 then if sret_tmp == 200 then
if rule_name == "gfwlist" then if rule_name == "gfwlist" and geo2rule == "0" then
local domains = {} local domains = {}
local gfwlist = io.open(download_file_tmp..k, "r") local gfwlist = io.open(download_file_tmp..k, "r")
local decode = api.base64Decode(gfwlist:read("*all")) local decode = api.base64Decode(gfwlist:read("*all"))
@ -314,6 +352,11 @@ local function fetch_geofile(geo_name, geo_type, url)
sys.call(string.format("mkdir -p %s && cp -f %s %s", asset_location, tmp_path, asset_path)) sys.call(string.format("mkdir -p %s && cp -f %s %s", asset_location, tmp_path, asset_path))
reboot = 1 reboot = 1
log(geo_type .. " 更新成功。") log(geo_type .. " 更新成功。")
if geo_type == "geoip" then
geoip_update_ok = true
else
geosite_update_ok = true
end
else else
log(geo_type .. " 更新失败请稍后重试或更换更新URL。") log(geo_type .. " 更新失败请稍后重试或更换更新URL。")
return 1 return 1
@ -326,6 +369,11 @@ local function fetch_geofile(geo_name, geo_type, url)
sys.call(string.format("mkdir -p %s && cp -f %s %s", asset_location, tmp_path, asset_path)) sys.call(string.format("mkdir -p %s && cp -f %s %s", asset_location, tmp_path, asset_path))
reboot = 1 reboot = 1
log(geo_type .. " 更新成功。") log(geo_type .. " 更新成功。")
if geo_type == "geoip" then
geoip_update_ok = true
else
geosite_update_ok = true
end
end end
else else
log(geo_type .. " 更新失败请稍后重试或更换更新URL。") log(geo_type .. " 更新失败请稍后重试或更换更新URL。")
@ -392,58 +440,69 @@ if gfwlist_update == "0" and chnroute_update == "0" and chnroute6_update == "0"
end end
log("开始更新规则...") log("开始更新规则...")
if gfwlist_update == "1" then local function safe_call(func, err_msg)
xpcall(fetch_gfwlist,function(e) xpcall(func, function(e)
log(e) log(e)
log(debug.traceback()) log(debug.traceback())
log('更新gfwlist发生错误...') log(err_msg)
end) end)
end end
if chnroute_update == "1" then local function remove_tmp_geofile(name)
xpcall(fetch_chnroute,function(e) os.remove("/tmp/" .. name .. ".dat")
log(e) os.remove("/tmp/" .. name .. ".dat.sha256sum")
log(debug.traceback())
log('更新chnroute发生错误...')
end)
end end
if chnroute6_update == "1" then if geo2rule == "1" then
xpcall(fetch_chnroute6,function(e) if geoip_update == "1" then
log(e) log("geoip 开始更新...")
log(debug.traceback()) safe_call(fetch_geoip, "更新geoip发生错误...")
log('更新chnroute6发生错误...') remove_tmp_geofile("geoip")
end) end
end
if chnlist_update == "1" then if geosite_update == "1" then
xpcall(fetch_chnlist,function(e) log("geosite 开始更新...")
log(e) safe_call(fetch_geosite, "更新geosite发生错误...")
log(debug.traceback()) remove_tmp_geofile("geosite")
log('更新chnlist发生错误...') end
end)
end
if geoip_update == "1" then if geoip_update_ok then
log("geoip 开始更新...") safe_call(fetch_chnroute, "生成chnroute发生错误...")
xpcall(fetch_geoip,function(e) safe_call(fetch_chnroute6, "生成chnroute6发生错误...")
log(e) end
log(debug.traceback())
log('更新geoip发生错误...')
end)
os.remove("/tmp/geoip.dat")
os.remove("/tmp/geoip.dat.sha256sum")
end
if geosite_update == "1" then if geosite_update_ok then
log("geosite 开始更新...") safe_call(fetch_gfwlist, "生成gfwlist发生错误...")
xpcall(fetch_geosite,function(e) safe_call(fetch_chnlist, "生成chnlist发生错误...")
log(e) end
log(debug.traceback()) else
log('更新geosite发生错误...') if gfwlist_update == "1" then
end) safe_call(fetch_gfwlist, "更新gfwlist发生错误...")
os.remove("/tmp/geosite.dat") end
os.remove("/tmp/geosite.dat.sha256sum")
if chnroute_update == "1" then
safe_call(fetch_chnroute, "更新chnroute发生错误...")
end
if chnroute6_update == "1" then
safe_call(fetch_chnroute6, "更新chnroute6发生错误...")
end
if chnlist_update == "1" then
safe_call(fetch_chnlist, "更新chnlist发生错误...")
end
if geoip_update == "1" then
log("geoip 开始更新...")
safe_call(fetch_geoip, "更新geoip发生错误...")
remove_tmp_geofile("geoip")
end
if geosite_update == "1" then
log("geosite 开始更新...")
safe_call(fetch_geosite, "更新geosite发生错误...")
remove_tmp_geofile("geosite")
end
end end
uci:set(name, "@global_rules[0]", "gfwlist_update", gfwlist_update) uci:set(name, "@global_rules[0]", "gfwlist_update", gfwlist_update)
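Review bot: In `GeoToRule` (hunk `@ -141,6 +144,31`) `cmd = string.format(...)` is assigned without `local`, leaking an accidental global, and the function returns `true` regardless of what `geoview` did because `sys.exec` yields the command's stdout rather than its exit status; `fetch_rule` then sets `sret_tmp = 200` and consumes the output without the `non_file_check` it applies to downloads, so a failed or empty generation can replace the existing rule list. Make it `local cmd = string.format(...)`, return the real status with `if sys.call(cmd) ~= 0 then log(rule_name .. "生成失败。") return false end` followed by `return true`, and consider running the same output check on `download_file_tmp..k` before treating the result as 200. `arg` also stays nil for any `rule_type` other than "domain"/"ip4"/"ip6", which would make `string.format` raise inside the xpcall; an explicit `else return false end` branch keeps that from surfacing only as a traceback. Separately, in the `geo2rule == "1"` branch of the last hunk `fetch_chnroute`/`fetch_chnroute6` and `fetch_gfwlist`/`fetch_chnlist` run whenever the geo file updated, without consulting the per-list `*_update` flags the else branch honours — if that is intended, a comment saying so would help.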


@ -365,7 +365,7 @@ load_acl() {
_acl_list=${TMP_ACL_PATH}/${sid}/source_list _acl_list=${TMP_ACL_PATH}/${sid}/source_list
for i in $(cat $_acl_list); do for i in $(cat $_acl_list); do
local _ipt_source local _ipt_source _ipv4
local msg local msg
if [ -n "${interface}" ]; then if [ -n "${interface}" ]; then
. /lib/functions/network.sh . /lib/functions/network.sh
@ -382,6 +382,7 @@ load_acl() {
_iprange=$(echo ${i} | sed 's#iprange:##g') _iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "${_ipt_source}-m iprange --src-range") _ipt_source=$(factor ${_iprange} "${_ipt_source}-m iprange --src-range")
msg="${msg}IP range【${_iprange}】," msg="${msg}IP range【${_iprange}】,"
_ipv4="1"
unset _iprange unset _iprange
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g') _ipset=$(echo ${i} | sed 's#ipset:##g')
@ -399,6 +400,7 @@ load_acl() {
_ip=$(echo ${i} | sed 's#ip:##g') _ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "${_ipt_source}-s") _ipt_source=$(factor ${_ip} "${_ipt_source}-s")
msg="${msg}IP【${_ip}】," msg="${msg}IP【${_ip}】,"
_ipv4="1"
unset _ip unset _ip
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g') _mac=$(echo ${i} | sed 's#mac:##g')
@ -417,7 +419,7 @@ load_acl() {
[ "$tcp_no_redir_ports" != "disable" ] && { [ "$tcp_no_redir_ports" != "disable" ] && {
if [ "$tcp_no_redir_ports" != "1:65535" ]; then if [ "$tcp_no_redir_ports" != "1:65535" ]; then
add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp" $tcp_no_redir_ports "-j RETURN" 2>/dev/null [ "$_ipv4" != "1" ] && add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp" $tcp_no_redir_ports "-j RETURN" 2>/dev/null
add_port_rules "$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp" $tcp_no_redir_ports "-j RETURN" add_port_rules "$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp" $tcp_no_redir_ports "-j RETURN"
echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]" echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
else else
@ -429,7 +431,7 @@ load_acl() {
[ "$udp_no_redir_ports" != "disable" ] && { [ "$udp_no_redir_ports" != "disable" ] && {
if [ "$udp_no_redir_ports" != "1:65535" ]; then if [ "$udp_no_redir_ports" != "1:65535" ]; then
add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp" $udp_no_redir_ports "-j RETURN" 2>/dev/null [ "$_ipv4" != "1" ] && add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp" $udp_no_redir_ports "-j RETURN" 2>/dev/null
add_port_rules "$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp" $udp_no_redir_ports "-j RETURN" add_port_rules "$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp" $udp_no_redir_ports "-j RETURN"
echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]" echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
else else
@ -479,7 +481,7 @@ load_acl() {
add_port_rules "$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source}" $tcp_redir_ports "${ipt_j}" add_port_rules "$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source}" $tcp_redir_ports "${ipt_j}"
[ -n "${is_tproxy}" ] && $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) [ -n "${is_tproxy}" ] && $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && [ "$_ipv4" != "1" ] && {
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
add_shunt_t_rule "${shunt_list6}" "$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source}" "${ipt_j}" $tcp_redir_ports 2>/dev/null add_shunt_t_rule "${shunt_list6}" "$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source}" "${ipt_j}" $tcp_redir_ports 2>/dev/null
add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source}" $tcp_redir_ports "-j PSW2_RULE" 2>/dev/null add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source}" $tcp_redir_ports "-j PSW2_RULE" 2>/dev/null
@ -488,7 +490,7 @@ load_acl() {
echolog " - ${msg2}" echolog " - ${msg2}"
} }
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null [ "$_ipv4" != "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null
[ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})" msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
@ -498,7 +500,7 @@ load_acl() {
add_port_rules "$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source}" $udp_redir_ports "-j PSW2_RULE" add_port_rules "$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source}" $udp_redir_ports "-j PSW2_RULE"
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && [ "$_ipv4" != "1" ] && {
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
add_shunt_t_rule "${shunt_list6}" "$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source}" "-j PSW2_RULE" $udp_redir_ports 2>/dev/null add_shunt_t_rule "${shunt_list6}" "$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source}" "-j PSW2_RULE" $udp_redir_ports 2>/dev/null
add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source}" $udp_redir_ports "-j PSW2_RULE" 2>/dev/null add_port_rules "$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source}" $udp_redir_ports "-j PSW2_RULE" 2>/dev/null
@ -507,8 +509,8 @@ load_acl() {
echolog " - ${msg2}" echolog " - ${msg2}"
} }
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null [ "$_ipv4" != "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null
unset ipt_tmp ipt_j _ipt_source msg msg2 unset ipt_tmp ipt_j _ipt_source msg msg2 _ipv4
done done
unset enabled sid remarks sources tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node interface write_ipset_direct unset enabled sid remarks sources tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node interface write_ipset_direct
unset node_remark _acl_list unset node_remark _acl_list
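Review bot: `_ipv4="1"` in the `ip:` and `iprange:` branches (hunks `@ -382,6 +382,7` and `@ -399,6 +400,7`) marks every literal address source as IPv4 without looking at the address, so if the source list can hold an IPv6 literal in an `ip:` entry it now gets neither the v4 rule (iptables rejects it) nor the v6 rules the new `[ "$_ipv4" != "1" ]` guards skip, and the ACL silently stops applying to that host. If the UI only admits IPv4 in those fields, say so where the flag is set, e.g. `_ipv4="1" # ip:/iprange: sources are IPv4 literals; skip the ip6tables rules`; otherwise derive it from the address form (for instance only when `${_ip}` contains no `:`). The same assumption is made in the nftables script in the next file section. `load_acl()` starts and ends outside these hunks.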


@ -389,7 +389,7 @@ load_acl() {
_acl_list=${TMP_ACL_PATH}/${sid}/source_list _acl_list=${TMP_ACL_PATH}/${sid}/source_list
for i in $(cat $_acl_list); do for i in $(cat $_acl_list); do
local _ipt_source local _ipt_source _ipv4
local msg local msg
if [ -n "${interface}" ]; then if [ -n "${interface}" ]; then
. /lib/functions/network.sh . /lib/functions/network.sh
@ -406,6 +406,7 @@ load_acl() {
_iprange=$(echo ${i} | sed 's#iprange:##g') _iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "${_ipt_source}ip saddr") _ipt_source=$(factor ${_iprange} "${_ipt_source}ip saddr")
msg="${msg}IP range【${_iprange}】," msg="${msg}IP range【${_iprange}】,"
_ipv4="1"
unset _iprange unset _iprange
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g') _ipset=$(echo ${i} | sed 's#ipset:##g')
@ -416,6 +417,7 @@ load_acl() {
_ip=$(echo ${i} | sed 's#ip:##g') _ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "${_ipt_source}ip saddr") _ipt_source=$(factor ${_ip} "${_ipt_source}ip saddr")
msg="${msg}IP【${_ip}】," msg="${msg}IP【${_ip}】,"
_ipv4="1"
unset _ip unset _ip
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g') _mac=$(echo ${i} | sed 's#mac:##g')
@ -432,7 +434,7 @@ load_acl() {
[ "$tcp_no_redir_ports" != "disable" ] && { [ "$tcp_no_redir_ports" != "disable" ] && {
if [ "$tcp_no_redir_ports" != "1:65535" ]; then if [ "$tcp_no_redir_ports" != "1:65535" ]; then
nft "add rule $NFTABLE_NAME $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\"" nft "add rule $NFTABLE_NAME $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\"" [ "$_ipv4" != "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]" echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
else else
#结束时会return无需加多余的规则。 #结束时会return无需加多余的规则。
@ -444,7 +446,7 @@ load_acl() {
[ "$udp_no_redir_ports" != "disable" ] && { [ "$udp_no_redir_ports" != "disable" ] && {
if [ "$udp_no_redir_ports" != "1:65535" ]; then if [ "$udp_no_redir_ports" != "1:65535" ]; then
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null [ "$_ipv4" != "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]" echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
else else
#结束时会return无需加多余的规则。 #结束时会return无需加多余的规则。
@ -499,7 +501,7 @@ load_acl() {
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ${nft_j} comment \"$remarks\"" nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ${nft_j} comment \"$remarks\""
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" [ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && [ "$_ipv4" != "1" ] && {
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr" "counter jump PSW2_RULE" "$remarks" 2>/dev/null add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr" "counter jump PSW2_RULE" "$remarks" 2>/dev/null
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
@ -508,7 +510,7 @@ load_acl() {
echolog " - ${msg2}" echolog " - ${msg2}"
} }
nft "add rule $NFTABLE_NAME $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\"" nft "add rule $NFTABLE_NAME $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null [ "$_ipv4" != "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
[ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})" msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
@ -518,17 +520,17 @@ load_acl() {
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && [ "$_ipv4" != "1" ] && {
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr" "counter jump PSW2_RULE" "$remarks" add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr" "counter jump PSW2_RULE" "$remarks" 2>/dev/null
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
} }
echolog " - ${msg2}" echolog " - ${msg2}"
} }
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null [ "$_ipv4" != "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
unset nft_chain nft_j _ipt_source msg msg2 unset nft_chain nft_j _ipt_source msg msg2 _ipv4
done done
unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node interface write_ipset_direct unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node interface write_ipset_direct
unset redir_port node_remark _acl_list unset redir_port node_remark _acl_list