luci-app-passwall2: sync upstream

last commit: 23aea927d1
This commit is contained in:
gitea-action 2024-12-16 00:30:23 +08:00
parent a2b228f052
commit 0028bd59e1
5 changed files with 54 additions and 11 deletions


@ -325,6 +325,10 @@ o.remove = function(self, section)
end end
end end
o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices."))
o.default = "1"
o.rmempty = false
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect.")) o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect."))
o.inputstyle = "remove" o.inputstyle = "remove"
function o.write(e, e) function o.write(e, e)
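Review bot: The help text on the new dns_redirect flag (third line of the hunk) describes only the enabled state, while the firewall change in this same commit makes the disabled state the security-relevant one: with the flag off, only DNS queries addressed to one of the router's own IPs are diverted into PSW2_DNS, so a LAN device pointed at an external resolver bypasses the proxied DNS entirely. That trade-off belongs in the UI string, e.g. `translate("Force special DNS server to need proxy devices. When disabled, only DNS queries sent to this router's own addresses are redirected; devices using an external DNS server are not.")`, with the matching msgstr added to the .po file. The enclosing section definition and the o.write body continue outside the hunk.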


@ -172,6 +172,12 @@ msgstr "直连 DNS 解析结果写入到 IPSet"
msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances." msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances."
msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet然后直连不进入内核。可能和某些特殊情况冲突。" msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet然后直连不进入内核。可能和某些特殊情况冲突。"
msgid "DNS Redirect"
msgstr "DNS 重定向"
msgid "Force special DNS server to need proxy devices."
msgstr "强制需要代理的设备使用专用 DNS 服务器。"
msgid "Clear IPSet" msgid "Clear IPSet"
msgstr "清空 IPSet" msgstr "清空 IPSet"


@ -1079,8 +1079,7 @@ acl_app() {
local ipt_tmp msg msg2 local ipt_tmp msg msg2
redir_port=11200 redir_port=11200
dns_port=11300 dns_port=11300
dnsmasq_port=11400 dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400}
[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
for item in $items; do for item in $items; do
index=$(expr $index + 1) index=$(expr $index + 1)
local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface
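Review bot: `dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400}` on the fourth line of the hunk drops the `get_new_port` call the old code made when GLOBAL_DNSMASQ_PORT was set, so the per-ACL starting value is now the global dnsmasq port itself rather than a port known to be free. If the loop body still allocates the real port with `get_new_port $dnsmasq_port` before use this is harmless; if it uses the value directly, the first ACL instance would try to bind the same port as the global dnsmasq — the loop body is outside the hunk, so this is inferred. A one-line comment such as `# starting point only; the loop allocates the next free port from here` (or reinstating the `$(get_new_port ...)` wrapper) would make the intent explicit. acl_app begins and ends outside the hunk.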


@ -2,9 +2,11 @@
DIR="$(cd "$(dirname "$0")" && pwd)" DIR="$(cd "$(dirname "$0")" && pwd)"
MY_PATH=$DIR/iptables.sh MY_PATH=$DIR/iptables.sh
IPSET_LOCALLIST="passwall2_locallist"
IPSET_LANLIST="passwall2_lanlist" IPSET_LANLIST="passwall2_lanlist"
IPSET_VPSLIST="passwall2_vpslist" IPSET_VPSLIST="passwall2_vpslist"
IPSET_LOCALLIST6="passwall2_locallist6"
IPSET_LANLIST6="passwall2_lanlist6" IPSET_LANLIST6="passwall2_lanlist6"
IPSET_VPSLIST6="passwall2_vpslist6" IPSET_VPSLIST6="passwall2_vpslist6"
@ -386,12 +388,10 @@ load_acl() {
} }
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
[ -n "$dns_redirect_port" ] && {
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port $ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null $ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
$ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port $ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null $ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
}
else else
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN $ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null $ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
@ -678,12 +678,21 @@ filter_node() {
add_firewall_rule() { add_firewall_rule() {
echolog "开始加载防火墙规则..." echolog "开始加载防火墙规则..."
ipset -! create $IPSET_LOCALLIST nethash maxelem 1048576
ipset -! create $IPSET_LANLIST nethash maxelem 1048576 ipset -! create $IPSET_LANLIST nethash maxelem 1048576
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576 ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
ipset -! create $IPSET_LOCALLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
ipset -! -R <<-EOF
$(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST /")
EOF
ipset -! -R <<-EOF
$(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST6 /")
EOF
ipset -! -R <<-EOF ipset -! -R <<-EOF
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /") $(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
EOF EOF
@ -764,7 +773,12 @@ add_firewall_rule() {
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN $ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
$ipt_n -N PSW2_DNS $ipt_n -N PSW2_DNS
$ipt_n -I PREROUTING 1 -j PSW2_DNS if [ $(config_t_get global dns_redirect "1") = "0" ]; then
#Only hijack when dest address is local IP
$ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW2_DNS
else
$ipt_n -I PREROUTING -j PSW2_DNS
fi
$ipt_m -N PSW2_DIVERT $ipt_m -N PSW2_DIVERT
$ipt_m -A PSW2_DIVERT -j MARK --set-mark 1 $ipt_m -A PSW2_DIVERT -j MARK --set-mark 1
@ -816,7 +830,12 @@ add_firewall_rule() {
} }
$ip6t_n -N PSW2_DNS $ip6t_n -N PSW2_DNS
$ip6t_n -I PREROUTING 1 -j PSW2_DNS if [ $(config_t_get global dns_redirect "1") = "0" ]; then
#Only hijack when dest address is local IP
$ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW2_DNS
else
$ip6t_n -I PREROUTING -j PSW2_DNS
fi
$ip6t_m -N PSW2_DIVERT $ip6t_m -N PSW2_DIVERT
$ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1 $ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1
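Review bot: IPSET_LOCALLIST and IPSET_LOCALLIST6 are filled once in add_firewall_rule from the addresses present at rule-load time (the two `ipset -! -R` heredocs in the third hunk), yet the new dns_redirect=0 branch in the fourth and fifth hunks makes DNS hijacking depend entirely on that snapshot. Any address the router acquires later — a renewed WAN lease, a newly delegated IPv6 prefix, an interface brought up after the rules load — is not in the set, so queries sent to such an address silently skip PSW2_DNS until the rules are rebuilt; the same applies to the nftables variant (NFTSET_LOCALLIST/NFTSET_LOCALLIST6 in nftables.sh). Unless a hotplug handler already reloads the rules (not visible here), either refresh the sets on interface events or document the limitation above the heredocs with `# snapshot of local addresses at load time; addresses added later are NOT covered until the rules reload`. load_acl and add_firewall_rule both continue outside their hunks.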


@ -3,9 +3,11 @@
DIR="$(cd "$(dirname "$0")" && pwd)" DIR="$(cd "$(dirname "$0")" && pwd)"
MY_PATH=$DIR/nftables.sh MY_PATH=$DIR/nftables.sh
NFTABLE_NAME="inet passwall2" NFTABLE_NAME="inet passwall2"
NFTSET_LOCALLIST="passwall2_locallist"
NFTSET_LANLIST="passwall2_lanlist" NFTSET_LANLIST="passwall2_lanlist"
NFTSET_VPSLIST="passwall2_vpslist" NFTSET_VPSLIST="passwall2_vpslist"
NFTSET_LOCALLIST6="passwall2_locallist6"
NFTSET_LANLIST6="passwall2_lanlist6" NFTSET_LANLIST6="passwall2_lanlist6"
NFTSET_VPSLIST6="passwall2_vpslist6" NFTSET_VPSLIST6="passwall2_vpslist6"
@ -738,12 +740,17 @@ filter_node() {
add_firewall_rule() { add_firewall_rule() {
echolog "开始加载防火墙规则..." echolog "开始加载防火墙规则..."
gen_nft_tables gen_nft_tables
gen_nftset $NFTSET_LOCALLIST ipv4_addr 0 "-1"
gen_nftset $NFTSET_LANLIST ipv4_addr 0 "-1" $(gen_lanlist) gen_nftset $NFTSET_LANLIST ipv4_addr 0 "-1" $(gen_lanlist)
gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0 gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0
gen_nftset $NFTSET_LOCALLIST6 ipv6_addr 0 "-1"
gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 "-1" $(gen_lanlist_6) gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 "-1" $(gen_lanlist_6)
gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0 gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0
insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")
insert_nftset $NFTSET_LOCALLIST6 "-1" $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")
# 忽略特殊IP段 # 忽略特殊IP段
local lan_ifname lan_ip local lan_ifname lan_ip
lan_ifname=$(uci -q -p /tmp/state get network.lan.ifname) lan_ifname=$(uci -q -p /tmp/state get network.lan.ifname)
@ -808,7 +815,13 @@ add_firewall_rule() {
nft "add chain $NFTABLE_NAME PSW2_DNS" nft "add chain $NFTABLE_NAME PSW2_DNS"
nft "flush chain $NFTABLE_NAME PSW2_DNS" nft "flush chain $NFTABLE_NAME PSW2_DNS"
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
#Only hijack when dest address is local IP
nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW2_DNS"
nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW2_DNS"
else
nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS" nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS"
fi
# for ipv4 ipv6 tproxy mark # for ipv4 ipv6 tproxy mark
nft "add chain $NFTABLE_NAME PSW2_RULE" nft "add chain $NFTABLE_NAME PSW2_RULE"
@ -1086,9 +1099,11 @@ del_firewall_rule() {
ip -6 rule del fwmark 1 table 100 2>/dev/null ip -6 rule del fwmark 1 table 100 2>/dev/null
ip -6 route del local ::/0 dev lo table 100 2>/dev/null ip -6 route del local ::/0 dev lo table 100 2>/dev/null
destroy_nftset $NFTSET_LOCALLIST
destroy_nftset $NFTSET_LANLIST destroy_nftset $NFTSET_LANLIST
destroy_nftset $NFTSET_VPSLIST destroy_nftset $NFTSET_VPSLIST
destroy_nftset $NFTSET_LOCALLIST6
destroy_nftset $NFTSET_LANLIST6 destroy_nftset $NFTSET_LANLIST6
destroy_nftset $NFTSET_VPSLIST6 destroy_nftset $NFTSET_VPSLIST6
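Review bot: The address-harvest pipeline `ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}'` in the two insert_nftset lines of the second hunk is the third and fourth copy of the same command in this commit (iptables.sh carries it twice), and the trailing `sed -e "s/ /\n/g"` appears to be a no-op because awk already prints one address per line. A small shared helper, e.g. `get_local_ipv4() { ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}'; }` with an inet6 counterpart, would keep the ipset and nftset variants from drifting apart. The dns_redirect=0 branch in the third hunk also deserves a line stating that queries not addressed to @NFTSET_LOCALLIST/@NFTSET_LOCALLIST6 never enter PSW2_DNS, since that is the behavior a reader of the per-ACL rules will otherwise not expect. add_firewall_rule and del_firewall_rule continue outside their hunks.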