zhao/openwrt_helloworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

luci: fix

Browse Source
This commit is contained in:
ShanStone 2023-06-07 01:00:40 +08:00 committed by sbwml
parent 5328affdc2
commit 0ef19aa2fe
3 changed files with 111 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
luci-app-passwall/Makefile
View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall PKG_NAME:=luci-app-passwall
PKG_VERSION:=4.66-6 PKG_VERSION:=4.66-7
PKG_RELEASE:= PKG_RELEASE:=
PKG_CONFIG_DEPENDS:= \ PKG_CONFIG_DEPENDS:= \

25
luci-app-passwall/luasrc/passwall/server_app.lua
View File

@ -8,6 +8,7 @@ local jsonc = api.jsonc
local CONFIG = "passwall_server" local CONFIG = "passwall_server"
local CONFIG_PATH = "/tmp/etc/" .. CONFIG local CONFIG_PATH = "/tmp/etc/" .. CONFIG
local NFT_INCLUDE_FILE = CONFIG_PATH .. "/" .. CONFIG .. ".nft"
local LOG_APP_FILE = "/tmp/log/" .. CONFIG .. ".log" local LOG_APP_FILE = "/tmp/log/" .. CONFIG .. ".log"
local TMP_BIN_PATH = CONFIG_PATH .. "/bin" local TMP_BIN_PATH = CONFIG_PATH .. "/bin"
local require_dir = "luci.passwall." local require_dir = "luci.passwall."
@ -49,11 +50,6 @@ end
local function gen_include() local function gen_include()
cmd(string.format("echo '#!/bin/sh' > /tmp/etc/%s.include", CONFIG)) cmd(string.format("echo '#!/bin/sh' > /tmp/etc/%s.include", CONFIG))
if nft_flag == "1" then
cmd("echo \"\" > " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft")
local nft_cmd = "for chain in $(nft -a list chains |grep -E \"chain PSW-SERVER\" |awk -F ' ' '{print$2}'); do\n nft list chain inet fw4 ${chain} >> " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n done"
cmd(nft_cmd)
end
local function extract_rules(n, a) local function extract_rules(n, a)
local _ipt = ipt_bin local _ipt = ipt_bin
if n == "6" then if n == "6" then
@ -77,8 +73,7 @@ local function gen_include()
f:write("EOT" .. "\n") f:write("EOT" .. "\n")
f:close() f:close()
else else
f:write("nft -f " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n") f:write("nft -f " .. NFT_INCLUDE_FILE .. "\n")
f:write("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER")
f:close() f:close()
end end
end end
@ -97,8 +92,11 @@ local function start()
ip6t("-N PSW-SERVER") ip6t("-N PSW-SERVER")
ip6t("-I INPUT -j PSW-SERVER") ip6t("-I INPUT -j PSW-SERVER")
else else
cmd("nft add chain inet fw4 PSW-SERVER\n") nft_file, err = io.open(NFT_INCLUDE_FILE, "w")
cmd("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER") nft_file:write('#!/usr/sbin/nft -f\n')
nft_file:write('add chain inet fw4 PSW-SERVER\n')
nft_file:write('flush chain inet fw4 PSW-SERVER\n')
nft_file:write('insert rule inet fw4 input position 0 jump PSW-SERVER comment "PSW-SERVER"\n')
end end
uci:foreach(CONFIG, "user", function(user) uci:foreach(CONFIG, "user", function(user)
local id = user[".name"] local id = user[".name"]
@ -194,14 +192,19 @@ local function start()
ip6t(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks)) ip6t(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
end end
else else
cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} accept', port)) nft_file:write(string.format('add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} counter accept comment "%s"\n', port, remarks))
if udp_forward == 1 then if udp_forward == 1 then
cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} accept', port)) nft_file:write(string.format('add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} counter accept comment "%s"\n', port, remarks))
end end
end end
end end
end end
end) end)
if nft_flag == "1" then
nft_file:write("add rule inet fw4 PSW-SERVER return\n")
nft_file:close()
cmd("nft -f " .. NFT_INCLUDE_FILE)
end
gen_include() gen_include()
end end

185
luci-app-passwall/root/usr/share/passwall/nftables.sh
View File

@ -20,7 +20,7 @@ NFTSET_BLACKLIST6="passwall_blacklist6"
NFTSET_WHITELIST6="passwall_whitelist6" NFTSET_WHITELIST6="passwall_whitelist6"
NFTSET_BLOCKLIST6="passwall_blocklist6" NFTSET_BLOCKLIST6="passwall_blocklist6"
FORCE_INDEX=2 FORCE_INDEX=0
. /lib/functions/network.sh . /lib/functions/network.sh
@ -377,10 +377,10 @@ load_acl() {
} }
if [ -z "${is_tproxy}" ]; then if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\"" nft "add rule inet fw4 PSW_NAT ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\""
nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\"" nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\""
nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\"" nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\"" [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\""
else else
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
@ -499,11 +499,11 @@ load_acl() {
} }
if [ -z "${is_tproxy}" ]; then if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" nft "add rule inet fw4 PSW_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\"" [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW ip protocol tcp counter return comment \"默认\"" nft "add rule inet fw4 PSW_NAT ip protocol tcp counter return comment \"默认\""
else else
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
@ -625,7 +625,7 @@ filter_node() {
local ADD_INDEX=$FORCE_INDEX local ADD_INDEX=$FORCE_INDEX
for _ipt in 4 6; do for _ipt in 4 6; do
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSLIST [ "$_ipt" == "4" ] && _ip_type=ip && _set_name=$NFTSET_VPSLIST
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6 [ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
nft "list chain inet fw4 $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}" nft "list chain inet fw4 $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@ -641,8 +641,7 @@ filter_node() {
dst_rule="return" dst_rule="return"
msg2="直连代理" msg2="直连代理"
} }
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address tcp dport $port $dst_rule" 2>/dev/null nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX meta l4proto $stream $_ip_type daddr $address $stream dport $port $dst_rule comment \"${address}:${port}\"" 2>/dev/null
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address udp dport $port $dst_rule" 2>/dev/null
else else
msg2="已配置过的节点," msg2="已配置过的节点,"
fi fi
@ -774,8 +773,8 @@ add_firewall_rule() {
local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect) local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
if [ "$tcp_proxy_way" = "redirect" ]; then if [ "$tcp_proxy_way" = "redirect" ]; then
unset is_tproxy unset is_tproxy
nft_prerouting_chain="PSW" nft_prerouting_chain="PSW_NAT"
nft_output_chain="PSW_OUTPUT" nft_output_chain="PSW_OUTPUT_NAT"
elif [ "$tcp_proxy_way" = "tproxy" ]; then elif [ "$tcp_proxy_way" = "tproxy" ]; then
is_tproxy="TPROXY" is_tproxy="TPROXY"
nft_prerouting_chain="PSW_MANGLE" nft_prerouting_chain="PSW_MANGLE"
@ -823,21 +822,21 @@ add_firewall_rule() {
#ipv4 tcp redirect mode #ipv4 tcp redirect mode
[ -z "${is_tproxy}" ] && { [ -z "${is_tproxy}" ] && {
nft "add chain inet fw4 PSW" nft "add chain inet fw4 PSW_NAT"
nft "flush chain inet fw4 PSW" nft "flush chain inet fw4 PSW_NAT"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANLIST counter return" nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSLIST counter return" nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return" nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop" nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW" nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT"
nft "add chain inet fw4 PSW_OUTPUT" nft "add chain inet fw4 PSW_OUTPUT_NAT"
nft "flush chain inet fw4 PSW_OUTPUT" nft "flush chain inet fw4 PSW_OUTPUT_NAT"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANLIST counter return" nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSLIST counter return" nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return" nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return" nft "add rule inet fw4 PSW_OUTPUT_NAT meta mark 0xff counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop" nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
} }
#icmp ipv6-icmp redirect #icmp ipv6-icmp redirect
@ -860,7 +859,7 @@ add_firewall_rule() {
WAN_IP=$(get_wan_ip) WAN_IP=$(get_wan_ip)
if [ -n "${WAN_IP}" ]; then if [ -n "${WAN_IP}" ]; then
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW_NAT ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
fi fi
unset WAN_IP unset WAN_IP
@ -886,7 +885,7 @@ add_firewall_rule() {
# jump chains # jump chains
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6" nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\"" nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"PSW_OUTPUT_MANGLE\""
WAN6_IP=$(get_wan6_ip) WAN6_IP=$(get_wan6_ip)
[ -n "${WAN6_IP}" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr ${WAN6_IP} counter return comment \"WAN6_IP_RETURN\"" [ -n "${WAN6_IP}" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr ${WAN6_IP} counter return comment \"WAN6_IP_RETURN\""
@ -962,7 +961,7 @@ add_firewall_rule() {
return 0 return 0
} }
if [ -z "${is_tproxy}" ]; then if [ -z "${is_tproxy}" ]; then
nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT) nft add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
else else
nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\" nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
@ -986,12 +985,12 @@ add_firewall_rule() {
if [ -z "${is_tproxy}" ]; then if [ -z "${is_tproxy}" ]; then
[ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && { [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)" nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)"
nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)" nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)"
nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)" nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)" [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)"
} }
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT" nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT"
else else
[ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && { [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE" nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE"
@ -1001,7 +1000,7 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\"" nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
} }
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\"" nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
fi fi
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && {
@ -1051,7 +1050,7 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\"" nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
} }
nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\"" nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && { [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
@ -1064,8 +1063,8 @@ add_firewall_rule() {
} }
fi fi
nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\"" nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\"" nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return" nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return" nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
@ -1093,14 +1092,14 @@ add_firewall_rule() {
} }
del_firewall_rule() { del_firewall_rule() {
for nft in "input" "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do for nft in "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do
local handles=$(nft -a list chain inet fw4 ${nft} 2>/dev/null | grep -E "PSW" | awk -F '# handle ' '{print$2}') local handles=$(nft -a list chain inet fw4 ${nft} 2>/dev/null | grep -E "PSW_" | awk -F '# handle ' '{print$2}')
for handle in $handles; do for handle in $handles; do
nft delete rule inet fw4 ${nft} handle ${handle} 2>/dev/null nft delete rule inet fw4 ${nft} handle ${handle} 2>/dev/null
done done
done done
for handle in $(nft -a list chains | grep -E "chain PSW" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do for handle in $(nft -a list chains | grep -E "chain PSW_" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do
nft delete chain inet fw4 handle ${handle} 2>/dev/null nft delete chain inet fw4 handle ${handle} 2>/dev/null
done done
@ -1147,62 +1146,70 @@ flush_include() {
} }
gen_include() { gen_include() {
local nft_chain_file=$TMP_PATH/PSW.nft local nft_chain_file=$TMP_PATH/PSW_RULE.nft
echo "" > $nft_chain_file local nft_set_file=$TMP_PATH/PSW_SETS.nft
for chain in $(nft -a list chains | grep -E "chain PSW" |awk -F ' ' '{print$2}'); do echo "#!/usr/sbin/nft -f" > $nft_chain_file
echo "#!/usr/sbin/nft -f" > $nft_set_file
for chain in $(nft -a list chains | grep -E "chain PSW_" | awk -F ' ' '{print$2}'); do
nft list chain inet fw4 ${chain} >> $nft_chain_file nft list chain inet fw4 ${chain} >> $nft_chain_file
done done
for set_name in $(nft -a list sets | grep -E "set passwall_" | awk -F ' ' '{print$2}'); do
nft list set inet fw4 ${set_name} >> $nft_set_file
done
local __nft=" " local __nft=" "
[ -z "${nft}" ] && { __nft=$(cat <<- EOF
__nft=$(cat <<- EOF
nft -f ${nft_chain_file}
nft "add rule inet fw4 dstnat jump PSW_REDIRECT" [ -z "\$(nft list sets 2>/dev/null | grep "passwall_")" ] && nft -f ${nft_set_file}
[ -z "\$(nft list chain inet fw4 nat_output 2>/dev/null)" ] && nft "add chain inet fw4 nat_output { type nat hook output priority -1; }"
nft -f ${nft_chain_file}
[ "$accept_icmp" == "1" ] && { nft "add rule inet fw4 dstnat jump PSW_REDIRECT"
nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
}
[ -z "${is_tproxy}" ] && { [ "$accept_icmp" == "1" ] && {
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW WAN_IP_RETURN -1) nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
if [ \$PR_INDEX -ge 0 ]; then nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
WAN_IP=\$(${MY_PATH} get_wan_ip) }
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
fi
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
}
[ -n "${is_tproxy}" ] && { [ -z "${is_tproxy}" ] && {
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE WAN_IP_RETURN -1) PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_NAT WAN_IP_RETURN -1)
if [ \$PR_INDEX -ge 0 ]; then if [ \$PR_INDEX -ge 0 ]; then
WAN_IP=\$(${MY_PATH} get_wan_ip) WAN_IP=\$(sh ${MY_PATH} get_wan_ip)
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\"" [ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_NAT handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
fi fi
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE" nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT"
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT"
} }
\$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" [ -n "${is_tproxy}" ] && {
PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE WAN_IP_RETURN -1)
if [ \$PR_INDEX -ge 0 ]; then
WAN_IP=\$(sh ${MY_PATH} get_wan_ip)
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE handle \$PR_INDEX ip daddr "\${WAN_IP}" counter return comment \"WAN_IP_RETURN\""
fi
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
}
\$(sh ${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
[ "$PROXY_IPV6" == "1" ] && { [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE_V6 WAN6_IP_RETURN -1)
if [ \$PR_INDEX -ge 0 ]; then [ "$PROXY_IPV6" == "1" ] && {
WAN6_IP=\$(${MY_PATH} get_wan6_ip) PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "inet fw4" PSW_MANGLE_V6 WAN6_IP_RETURN -1)
[ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" counter return comment \"WAN6_IP_RETURN\"" if [ \$PR_INDEX -ge 0 ]; then
fi WAN6_IP=\$(sh ${MY_PATH} get_wan6_ip)
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6" [ ! -z "\${WAN_IP}" ] && nft "replace rule inet fw4 PSW_MANGLE_V6 handle \$PR_INDEX ip6 daddr "\${WAN6_IP}" counter return comment \"WAN6_IP_RETURN\""
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\"" fi
} nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"PSW_OUTPUT_MANGLE\""
}
nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
EOF
)
nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
EOF
)
}
cat <<-EOF >> $FWI cat <<-EOF >> $FWI
${__nft} ${__nft}
EOF EOF