parent
a2b228f052
commit
0028bd59e1
@ -325,6 +325,10 @@ o.remove = function(self, section)
|
||||
end
|
||||
end
|
||||
|
||||
o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices."))
|
||||
o.default = "1"
|
||||
o.rmempty = false
|
||||
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect."))
|
||||
o.inputstyle = "remove"
|
||||
function o.write(e, e)
|
||||
|
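Review bot: The description given to the new `dns_redirect` Flag, "Force special DNS server to need proxy devices.", does not tell the user what the two values do; from the iptables and nftables hunks in this commit, `1` sends all traffic through PSW2_DNS so the per-ACL port-53 rules apply whatever the destination, while `0` only diverts queries whose destination is in the router's local-address set. A wording such as `translate("Redirect all DNS queries from proxied devices to the special DNS server, not only those sent to the router.")` would make clear that turning the flag off lets a client with a hard-coded upstream resolver bypass the proxy DNS; the msgid in the .po hunk has to change in step. The neighbouring `function o.write(e, e)` is pre-existing context, but since the hunk header shows this file's handlers written as `o.remove = function(self, section)`, naming it `function o.write(self, section)` would keep the two consistent; its body continues outside the hunk.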
@ -172,6 +172,12 @@ msgstr "直连 DNS 解析结果写入到 IPSet"
|
||||
msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances."
|
||||
msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet,然后直连(不进入内核)。可能和某些特殊情况冲突。"
|
||||
|
||||
msgid "DNS Redirect"
|
||||
msgstr "DNS 重定向"
|
||||
|
||||
msgid "Force special DNS server to need proxy devices."
|
||||
msgstr "强制需要代理的设备使用专用 DNS 服务器。"
|
||||
|
||||
msgid "Clear IPSet"
|
||||
msgstr "清空 IPSet"
|
||||
|
||||
|
@ -1079,8 +1079,7 @@ acl_app() {
|
||||
local ipt_tmp msg msg2
|
||||
redir_port=11200
|
||||
dns_port=11300
|
||||
dnsmasq_port=11400
|
||||
[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
|
||||
dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400}
|
||||
for item in $items; do
|
||||
index=$(expr $index + 1)
|
||||
local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface
|
||||
|
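Review bot: `dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400}` assigns the global dnsmasq port itself to the per-ACL dnsmasq_port, where the line it appears to replace, `[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)`, derived a free port from it, presumably so a per-ACL instance could not collide with the global one. The body of acl_app continues outside the hunk, so it is not visible here whether anything later still starts a listener on $dnsmasq_port; if it does, two processes now contend for one port and the ACL's redirect silently lands on whichever bound first. If the intent is that ACL entries now reuse the global dnsmasq, a comment at the assignment, e.g. `# no per-ACL dnsmasq is spawned any more; point the ACL at the global instance`, would stop the old get_new_port line from being reinstated.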
@ -2,9 +2,11 @@
|
||||
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/iptables.sh
|
||||
IPSET_LOCALLIST="passwall2_locallist"
|
||||
IPSET_LANLIST="passwall2_lanlist"
|
||||
IPSET_VPSLIST="passwall2_vpslist"
|
||||
|
||||
IPSET_LOCALLIST6="passwall2_locallist6"
|
||||
IPSET_LANLIST6="passwall2_lanlist6"
|
||||
IPSET_VPSLIST6="passwall2_vpslist6"
|
||||
|
||||
@ -386,12 +388,10 @@ load_acl() {
|
||||
}
|
||||
|
||||
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
|
||||
[ -n "$dns_redirect_port" ] && {
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
}
|
||||
else
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
@ -678,12 +678,21 @@ filter_node() {
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
ipset -! create $IPSET_LOCALLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
|
||||
|
||||
ipset -! create $IPSET_LOCALLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST /")
|
||||
EOF
|
||||
ipset -! -R <<-EOF
|
||||
$(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST6 /")
|
||||
EOF
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
|
||||
EOF
|
||||
@ -764,7 +773,12 @@ add_firewall_rule() {
|
||||
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
$ipt_n -N PSW2_DNS
|
||||
$ipt_n -I PREROUTING 1 -j PSW2_DNS
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
$ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW2_DNS
|
||||
else
|
||||
$ipt_n -I PREROUTING -j PSW2_DNS
|
||||
fi
|
||||
|
||||
$ipt_m -N PSW2_DIVERT
|
||||
$ipt_m -A PSW2_DIVERT -j MARK --set-mark 1
|
||||
@ -816,7 +830,12 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
$ip6t_n -N PSW2_DNS
|
||||
$ip6t_n -I PREROUTING 1 -j PSW2_DNS
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
$ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW2_DNS
|
||||
else
|
||||
$ip6t_n -I PREROUTING -j PSW2_DNS
|
||||
fi
|
||||
|
||||
$ip6t_m -N PSW2_DIVERT
|
||||
$ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1
|
||||
|
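Review bot: In the `add_firewall_rule` hunk at -764,7 the new test reads `$(config_t_get global dns_redirect "1")` unquoted inside `[ ... = "0" ]`, and the identical test is repeated for IPv6 in the next hunk (-816,7) and again in the nftables.sh hunk at -808,7; reading it once into `local dns_redirect=$(config_t_get global dns_redirect "1")` near the top of the function and testing `[ "$dns_redirect" = "0" ]` at each site keeps the branches from drifting apart and avoids a malformed `[` expression should the helper ever print nothing. The rendered page does not show whether `$ipt_n -I PREROUTING 1 -j PSW2_DNS` (and its ip6t twin) is the line the conditional replaces or a line that survives; if it survives, every packet still jumps to PSW2_DNS at position 1 and the daddr-restricted jump added for `dns_redirect=0` never narrows anything, so the patched file should contain only the conditional. Separately, $IPSET_LOCALLIST is filled once from `ip address show` when the rules load (hunk -678,12, and the matching insert_nftset lines in nftables.sh), so with `dns_redirect=0` a query sent to an address the router acquires later (DHCP renewal, an interface coming up) is not diverted until the rules are reloaded; a comment at the fill such as `# snapshot of current local addresses; reload rules after address changes` would make that visible. The `#Only hijack when dest address is local IP` comment explains the `0` branch; the `1` branch deserves one too, e.g. `# send all traffic through PSW2_DNS so the per-ACL port-53 rules apply regardless of destination`.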
@ -3,9 +3,11 @@
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/nftables.sh
|
||||
NFTABLE_NAME="inet passwall2"
|
||||
NFTSET_LOCALLIST="passwall2_locallist"
|
||||
NFTSET_LANLIST="passwall2_lanlist"
|
||||
NFTSET_VPSLIST="passwall2_vpslist"
|
||||
|
||||
NFTSET_LOCALLIST6="passwall2_locallist6"
|
||||
NFTSET_LANLIST6="passwall2_lanlist6"
|
||||
NFTSET_VPSLIST6="passwall2_vpslist6"
|
||||
|
||||
@ -738,12 +740,17 @@ filter_node() {
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
gen_nft_tables
|
||||
gen_nftset $NFTSET_LOCALLIST ipv4_addr 0 "-1"
|
||||
gen_nftset $NFTSET_LANLIST ipv4_addr 0 "-1" $(gen_lanlist)
|
||||
gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0
|
||||
|
||||
gen_nftset $NFTSET_LOCALLIST6 ipv6_addr 0 "-1"
|
||||
gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 "-1" $(gen_lanlist_6)
|
||||
gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0
|
||||
|
||||
insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")
|
||||
insert_nftset $NFTSET_LOCALLIST6 "-1" $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")
|
||||
|
||||
# 忽略特殊IP段
|
||||
local lan_ifname lan_ip
|
||||
lan_ifname=$(uci -q -p /tmp/state get network.lan.ifname)
|
||||
@ -808,7 +815,13 @@ add_firewall_rule() {
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW2_DNS"
|
||||
nft "flush chain $NFTABLE_NAME PSW2_DNS"
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW2_DNS"
|
||||
nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW2_DNS"
|
||||
else
|
||||
nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS"
|
||||
fi
|
||||
|
||||
# for ipv4 ipv6 tproxy mark
|
||||
nft "add chain $NFTABLE_NAME PSW2_RULE"
|
||||
@ -1086,9 +1099,11 @@ del_firewall_rule() {
|
||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||
|
||||
destroy_nftset $NFTSET_LOCALLIST
|
||||
destroy_nftset $NFTSET_LANLIST
|
||||
destroy_nftset $NFTSET_VPSLIST
|
||||
|
||||
destroy_nftset $NFTSET_LOCALLIST6
|
||||
destroy_nftset $NFTSET_LANLIST6
|
||||
destroy_nftset $NFTSET_VPSLIST6
|
||||
|
||||
|
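Review bot: In the `add_firewall_rule` hunk at -738,12 the two new local-address sets are built in a different shape from their neighbours: `gen_nftset $NFTSET_LOCALLIST ipv4_addr 0 "-1"` creates the set empty and a separate `insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show ...)` fills it, whereas the LANLIST sets on the adjacent lines pass their members straight to gen_nftset as `$(gen_lanlist)`. Unless insert_nftset does something gen_nftset's trailing arguments cannot (both helpers are defined outside the hunk), passing the address list as the trailing argument of gen_nftset would keep the three pairs parallel and drop two lines. The trailing `sed -e "s/ /\n/g"` on output that `awk '{print $1}'` already emits one address per line looks like a no-op; if it is needed, a short comment saying why would stop the next reader from removing it.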