From 2728e7b0db6fee9c63eaf0cb96183e5e1f9d45a7 Mon Sep 17 00:00:00 2001 From: sbwml Date: Wed, 13 Sep 2023 12:57:55 +0800 Subject: [PATCH] luci-app-passwall2: sync upstream --- luci-app-passwall2/Makefile | 2 +- .../cbi/passwall2/client/type/sing-box.lua | 56 +++++++++----- .../model/cbi/passwall2/server/type/ray.lua | 24 +++++- .../cbi/passwall2/server/type/sing-box.lua | 34 ++++++++- .../luasrc/passwall2/util_sing-box.lua | 73 ++++++++++--------- .../luasrc/passwall2/util_xray.lua | 15 ++++ luci-app-passwall2/po/zh-cn/passwall2.po | 15 ++++ .../root/usr/share/passwall2/nftables.sh | 71 +++++++++++------- .../root/usr/share/passwall2/subscribe.lua | 1 + 9 files changed, 206 insertions(+), 85 deletions(-) diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index 8416528ca..32c5404da 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 -PKG_VERSION:=1.20-8 +PKG_VERSION:=1.20-10 PKG_RELEASE:= PKG_CONFIG_DEPENDS:= \ diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/sing-box.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/sing-box.lua index 799455d73..f67d7090b 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/sing-box.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/sing-box.lua 
@@ -252,6 +252,19 @@ o:depends({ [option_name("protocol")] = "vmess" }) o:depends({ [option_name("protocol")] = "vless" }) o:depends({ [option_name("protocol")] = "tuic" }) +o = s:option(Value, option_name("alter_id"), "Alter ID") +o.datatype = "uinteger" +o.default = "0" +o:depends({ [option_name("protocol")] = "vmess" }) + +o = s:option(Flag, option_name("global_padding"), "global_padding", translate("Protocol parameter. Will waste traffic randomly if enabled.")) +o.default = "0" +o:depends({ [option_name("protocol")] = "vmess" }) + +o = s:option(Flag, option_name("authenticated_length"), "authenticated_length", translate("Protocol parameter. Enable length block encryption.")) +o.default = "0" +o:depends({ [option_name("protocol")] = "vmess" }) + o = s:option(ListValue, option_name("flow"), translate("flow")) o.default = "" o:value("", translate("Disable")) @@ -355,19 +368,6 @@ o:depends({ [option_name("protocol")] = "trojan" }) o:depends({ [option_name("protocol")] = "shadowsocks" }) o:depends({ [option_name("protocol")] = "shadowtls" }) -if singbox_tags:find("with_reality") then - o = s:option(Flag, option_name("reality"), translate("REALITY")) - o.default = 0 - o:depends({ [option_name("protocol")] = "vless", [option_name("tls")] = true }) - - -- [[ REALITY部分 ]] -- - o = s:option(Value, option_name("reality_publicKey"), translate("Public Key")) - o:depends({ [option_name("tls")] = true, [option_name("reality")] = true }) - - o = s:option(Value, option_name("reality_shortId"), translate("Short Id")) - o:depends({ [option_name("tls")] = true, [option_name("reality")] = true }) -end - o = s:option(ListValue, option_name("alpn"), translate("alpn")) o.default = "default" o:value("default", translate("Default")) 
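Review bot: The titles of the three new options (`"Alter ID"`, `"global_padding"`, `"authenticated_length"`) are passed as raw strings while every neighbouring option wraps its title in `translate(...)`, so they stay untranslatable even though their descriptions are translated; e.g. `o = s:option(Value, option_name("alter_id"), translate("Alter ID"))`. The two new Flags use `o.default = "0"` whereas the REALITY flag added later in this file uses the numeric `o.default = 0`; pick one form for the same widget type. The removed `if singbox_tags:find("with_reality")` block in the second hunk is re-added under the uTLS block further down, so the move looks intentional.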
@@ -392,22 +392,36 @@ o:depends({ [option_name("protocol")] = "hysteria2" }) if singbox_tags:find("with_utls") then o = s:option(Flag, option_name("utls"), translate("uTLS")) o.default = "0" - o:depends({ [option_name("tls")] = true, [option_name("reality")] = false }) + o:depends({ [option_name("tls")] = true }) o = s:option(ListValue, option_name("fingerprint"), translate("Finger Print")) o:value("chrome") o:value("firefox") o:value("edge") o:value("safari") - o:value("360") + -- o:value("360") o:value("qq") o:value("ios") - o:value("android") + -- o:value("android") o:value("random") - o:value("randomized") + -- o:value("randomized") o.default = "chrome" o:depends({ [option_name("tls")] = true, [option_name("utls")] = true }) - o:depends({ [option_name("tls")] = true, [option_name("reality")] = true }) + + -- [[ REALITY部分 ]] -- + o = s:option(Flag, option_name("reality"), translate("REALITY")) + o.default = 0 + o:depends({ [option_name("protocol")] = "vless", [option_name("utls")] = true }) + o:depends({ [option_name("protocol")] = "vmess", [option_name("utls")] = true }) + o:depends({ [option_name("protocol")] = "shadowsocks", [option_name("utls")] = true }) + o:depends({ [option_name("protocol")] = "socks", [option_name("utls")] = true }) + o:depends({ [option_name("protocol")] = "trojan", [option_name("utls")] = true }) + + o = s:option(Value, option_name("reality_publicKey"), translate("Public Key")) + o:depends({ [option_name("utls")] = true, [option_name("reality")] = true }) + + o = s:option(Value, option_name("reality_shortId"), translate("Short Id")) + o:depends({ [option_name("utls")] = true, [option_name("reality")] = true }) end o = s:option(ListValue, option_name("transport"), translate("Transport")) 
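Review bot: The `reality` flag is now gated per protocol on `utls == true` only, with the former `tls == true` condition dropped; that is correct only because `utls` itself depends on `tls` a few lines up, a non-local dependency that deserves a comment at the flag, e.g. `-- REALITY requires uTLS, and uTLS already requires TLS`. The three `-- o:value("360")`-style lines should be deleted rather than left commented out; history lives in version control. `reality_publicKey` and `reality_shortId` take free text with no `datatype`, so a malformed key or a non-hex short id is only discovered when the client fails to connect; if a LuCI datatype fits, add it, otherwise a one-line `o.description` stating the expected format would help.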
@@ -512,7 +526,7 @@ o:depends({ [option_name("protocol")] = "vmess" }) o:depends({ [option_name("protocol")] = "vless", [option_name("flow")] = "" }) o:depends({ [option_name("protocol")] = "http" }) o:depends({ [option_name("protocol")] = "socks" }) -o:depends({ [option_name("protocol")] = "shadowsocks" }) +o:depends({ [option_name("protocol")] = "shadowsocks", [option_name("uot")] = "" }) o:depends({ [option_name("protocol")] = "trojan" }) o = s:option(ListValue, option_name("mux_type"), translate("Mux")) @@ -525,4 +539,8 @@ o = s:option(Value, option_name("mux_concurrency"), translate("Mux concurrency") o.default = 8 o:depends({ [option_name("mux")] = true }) +o = s:option(Flag, option_name("mux_padding"), translate("Padding")) +o.default = 0 +o:depends({ [option_name("mux")] = true }) + api.luci_types(arg[1], m, s, type_name, option_prefix) diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/ray.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/ray.lua index caa8bd601..a13d961a8 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/ray.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/ray.lua @@ -115,6 +115,8 @@ o = s:option(Flag, option_name("tls"), translate("TLS")) o.default = 0 o.validate = function(self, value, t) if value then + local reality = s.fields[option_name("reality")]:formvalue(t) + if reality and reality == "1" then return value end if value == "1" then local ca = s.fields[option_name("tls_certificateFile")]:formvalue(t) or "" local key = s.fields[option_name("tls_keyFile")]:formvalue(t) or "" 
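Review bot: In the ray.lua validate hunk, `if reality and reality == "1" then` is redundant — the `== "1"` comparison already handles a nil form value — and reads more clearly as `if reality == "1" then return value end`. The early return deliberately bypasses the certificate/key existence checks whenever REALITY is on, which matches the cert/key fields being hidden for REALITY in the next hunk, but a comment should say so: `-- REALITY needs no certificate; skip the file checks`. The validate function continues past the end of the hunk.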
@@ -131,6 +133,24 @@ o:depends({ [option_name("protocol")] = "socks" }) o:depends({ [option_name("protocol")] = "shadowsocks" }) o:depends({ [option_name("protocol")] = "trojan" }) +-- [[ REALITY部分 ]] -- +o = s:option(Flag, option_name("reality"), translate("REALITY")) +o.default = 0 +o:depends({ [option_name("tls")] = true }) + +o = s:option(Value, option_name("reality_private_key"), translate("Private Key")) +o:depends({ [option_name("reality")] = true }) + +o = s:option(Value, option_name("reality_shortId"), translate("Short Id")) +o:depends({ [option_name("reality")] = true }) + +o = s:option(Value, option_name("reality_dest"), translate("Dest")) +o.default = "google.com:443" +o:depends({ [option_name("reality")] = true }) + +o = s:option(Value, option_name("reality_serverNames"), translate("serverNames")) +o:depends({ [option_name("reality")] = true }) + o = s:option(ListValue, option_name("alpn"), translate("alpn")) o.default = "h2,http/1.1" o:value("h2,http/1.1") @@ -147,7 +167,7 @@ o:depends({ [option_name("tls")] = true }) o = s:option(FileUpload, option_name("tls_certificateFile"), translate("Public key absolute path"), translate("as:") .. "/etc/ssl/fullchain.pem") o.default = m:get(s.section, "tls_certificateFile") or "/etc/config/ssl/" .. arg[1] .. ".pem" -o:depends({ [option_name("tls")] = true }) +o:depends({ [option_name("tls")] = true, [option_name("reality")] = false }) o.validate = function(self, value, t) if value and value ~= "" then if not nixio.fs.access(value) then @@ -161,7 +181,7 @@ end o = s:option(FileUpload, option_name("tls_keyFile"), translate("Private key absolute path"), translate("as:") .. "/etc/ssl/private.key") o.default = m:get(s.section, "tls_keyFile") or "/etc/config/ssl/" .. arg[1] .. ".key" -o:depends({ [option_name("tls")] = true }) +o:depends({ [option_name("tls")] = true, [option_name("reality")] = false }) o.validate = function(self, value, t) if value and value ~= "" then if not nixio.fs.access(value) then 
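Review bot: `reality_private_key` is a plain `Value`, so the REALITY private key is echoed back in cleartext every time the server page renders and is visible to anyone looking over the shoulder or in a screenshot; LuCI's `o.password = true` renders it as a password input, as is usual for secrets in CBI forms. The same applies to `reality_private_key` in the sing-box server type hunk of this patch. `reality_serverNames` is a single `Value` although its name is plural and util_xray wraps it as a one-element `serverNames` list; either document the single-name limitation in the title or make it a `DynamicList` with a matching change in util_xray. The hard-coded `google.com:443` default for `reality_dest` is the handshake target every client of this server will be steered to, which is worth a comment so operators know to change it.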
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/sing-box.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/sing-box.lua
index 4ff5e0e5f..310e0e79f 100644
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/sing-box.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/sing-box.lua
@@ -202,6 +202,8 @@ o = s:option(Flag, option_name("tls"), translate("TLS"))
 o.default = 0
 o.validate = function(self, value, t)
 if value then
+ local reality = s.fields[option_name("reality")]:formvalue(t)
+ if reality and reality == "1" then return value end
 if value == "1" then
 local ca = s.fields[option_name("tls_certificateFile")]:formvalue(t) or ""
 local key = s.fields[option_name("tls_keyFile")]:formvalue(t) or ""
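Review bot: `s.fields[option_name("reality")]:formvalue(t)` in the added validate lines indexes the field unconditionally, but this file only creates the `reality` option inside `if singbox_tags:find("with_reality_server")` (next hunk), so on a sing-box build without that tag enabling TLS raises "attempt to index a nil value" and the TLS option can never validate. Guard the lookup: `local reality_field = s.fields[option_name("reality")]` and `if reality_field and reality_field:formvalue(t) == "1" then return value end`. The validate function continues outside the hunk.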
@@ -218,11 +220,38 @@ o:depends({ [option_name("protocol")] = "vmess" }) o:depends({ [option_name("protocol")] = "vless" }) o:depends({ [option_name("protocol")] = "trojan" }) +if singbox_tags:find("with_reality_server") then + -- [[ REALITY部分 ]] -- + o = s:option(Flag, option_name("reality"), translate("REALITY")) + o.default = 0 + o:depends({ [option_name("protocol")] = "vless", [option_name("tls")] = true }) + o:depends({ [option_name("protocol")] = "vmess", [option_name("tls")] = true }) + o:depends({ [option_name("protocol")] = "shadowsocks", [option_name("tls")] = true }) + o:depends({ [option_name("protocol")] = "http", [option_name("tls")] = true }) + o:depends({ [option_name("protocol")] = "trojan", [option_name("tls")] = true }) + + o = s:option(Value, option_name("reality_private_key"), translate("Private Key")) + o:depends({ [option_name("reality")] = true }) + + o = s:option(Value, option_name("reality_shortId"), translate("Short Id")) + o:depends({ [option_name("reality")] = true }) + + o = s:option(Value, option_name("reality_handshake_server"), translate("Handshake Server")) + o.default = "google.com" + o:depends({ [option_name("reality")] = true }) + + o = s:option(Value, option_name("reality_handshake_server_port"), translate("Handshake Server Port")) + o.datatype = "port" + o.default = "443" + o:depends({ [option_name("reality")] = true }) +end + -- [[ TLS部分 ]] -- o = s:option(FileUpload, option_name("tls_certificateFile"), translate("Public key absolute path"), translate("as:") .. "/etc/ssl/fullchain.pem") o.default = m:get(s.section, "tls_certificateFile") or "/etc/config/ssl/" .. arg[1] .. ".pem" -o:depends({ [option_name("tls")] = true }) +o:depends({ [option_name("tls")] = true, [option_name("reality")] = false }) +o:depends({ [option_name("protocol")] = "naive" }) o:depends({ [option_name("protocol")] = "hysteria" }) o:depends({ [option_name("protocol")] = "tuic" }) o:depends({ [option_name("protocol")] = "hysteria2" }) 
@@ -239,7 +268,8 @@ end o = s:option(FileUpload, option_name("tls_keyFile"), translate("Private key absolute path"), translate("as:") .. "/etc/ssl/private.key") o.default = m:get(s.section, "tls_keyFile") or "/etc/config/ssl/" .. arg[1] .. ".key" -o:depends({ [option_name("tls")] = true }) +o:depends({ [option_name("tls")] = true, [option_name("reality")] = false }) +o:depends({ [option_name("protocol")] = "naive" }) o:depends({ [option_name("protocol")] = "hysteria" }) o:depends({ [option_name("protocol")] = "tuic" }) o:depends({ [option_name("protocol")] = "hysteria2" }) diff --git a/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua b/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua index 7b80750e8..808b0e0b0 100644 --- a/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua +++ b/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua @@ -111,6 +111,7 @@ function gen_outbound(flag, node, tag, proxy_table) enabled = true, protocol = node.mux_type or "h2mux", max_connections = tonumber(node.mux_concurrency) or 4, + padding = (node.mux_padding == "1") and true or false --min_streams = 4, --max_streams = 0, } @@ -215,9 +216,9 @@ function gen_outbound(flag, node, tag, proxy_table) protocol_table = { uuid = node.uuid, security = node.security, - alter_id = 0, - global_padding = false, - authenticated_length = true, + alter_id = (node.alter_id) and tonumber(node.alter_id) or 0, + global_padding = (node.global_padding == "1") and true or false, + authenticated_length = (node.authenticated_length == "1") and true or false, tls = tls, packet_encoding = "", --UDP 包编码。(空):禁用 packetaddr:由 v2ray 5+ 支持 xudp:由 xray 支持 multiplex = mux, @@ -231,6 +232,7 @@ function gen_outbound(flag, node, tag, proxy_table) flow = (node.tls == '1' and node.flow) and node.flow or nil, tls = tls, packet_encoding = "xudp", --UDP 包编码。(空):禁用 packetaddr:由 v2ray 5+ 支持 xudp:由 xray 支持 + multiplex = mux, transport = v2ray_transport, } end 
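Review bot: The new `(node.global_padding == "1") and true or false` and `authenticated_length` expressions in the vmess hunk (and `padding` in the mux hunk) wrap a value that is already a boolean; `global_padding = node.global_padding == "1"` says the same. Likewise `alter_id = (node.alter_id) and tonumber(node.alter_id) or 0` is `alter_id = tonumber(node.alter_id) or 0`, since `tonumber(nil)` is nil. Note that `tonumber` accepts floats and negatives, so a subscription-supplied `aid` such as `"1.5"` reaches the generated config unchanged — the `uinteger` datatype only validates the web form; a `math.floor`/`>= 0` clamp here would close that gap. gen_outbound starts and ends outside these hunks.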
@@ -345,13 +347,25 @@ function gen_config_server(node) { type = "block", tag = "block" } } - local tls = nil + local tls = { + enabled = true, + certificate_path = node.tls_certificateFile, + key_path = node.tls_keyFile, + } - if node.tls == "1" then - tls = { + if node.tls == "1" and node.reality == "1" then + tls.certificate_path = nil + tls.key_path = nil + tls.reality = { enabled = true, - certificate_path = node.tls_certificateFile, - key_path = node.tls_keyFile, + private_key = node.reality_private_key, + short_id = { + node.reality_shortId + }, + handshake = { + server = node.reality_handshake_server, + server_port = tonumber(node.reality_handshake_server_port) + } } end @@ -428,7 +442,7 @@ function gen_config_server(node) password = node.password } } or nil, - tls = tls, + tls = (node.tls == "1") and tls or nil, } end @@ -451,7 +465,7 @@ function gen_config_server(node) end protocol_table = { users = users, - tls = tls, + tls = (node.tls == "1") and tls or nil, transport = v2ray_transport, } end @@ -469,7 +483,7 @@ function gen_config_server(node) end protocol_table = { users = users, - tls = tls, + tls = (node.tls == "1") and tls or nil, transport = v2ray_transport, } end @@ -481,12 +495,12 @@ function gen_config_server(node) for i = 1, #node.uuid do users[i] = { name = node.uuid[i], - uuid = node.uuid[i], + password = node.uuid[i], } end protocol_table = { users = users, - tls = tls, + tls = (node.tls == "1") and tls or nil, fallback = nil, fallback_for_alpn = nil, transport = v2ray_transport, @@ -502,11 +516,14 @@ function gen_config_server(node) password = node.password } }, - tls = tls, + tls = tls } end if node.protocol == "hysteria" then + tls.alpn = (node.hysteria_alpn and node.hysteria_alpn ~= "") and { + node.hysteria_alpn + } or nil protocol_table = { up = node.hysteria_up_mbps .. " Mbps", down = node.hysteria_down_mbps .. " Mbps", 
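Review bot: The `tls` table is now built unconditionally and passed as-is (`tls = tls`) to the naive, hysteria, tuic and hysteria2 inbounds, while vmess/vless/trojan/shadowsocks keep the `(node.tls == "1") and tls or nil` gate; for naive that is a behaviour change from the removed code, where `tls` was nil unless `node.tls == "1"`. It is presumably intended, since the cert/key form fields now also depend on `protocol = naive`, but it deserves a comment at the `local tls = {` line, e.g. `-- always populated: naive/hysteria/tuic/hysteria2 require TLS; other protocols gate on node.tls`. The REALITY branch drops `certificate_path`/`key_path` only when `node.tls == "1"`, which matches the form. gen_config_server starts before the first hunk and continues after the last.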
@@ -524,18 +541,14 @@ function gen_config_server(node) recv_window_client = node.hysteria_recv_window_client and tonumber(node.hysteria_recv_window_client) or nil, max_conn_client = node.hysteria_max_conn_client and tonumber(node.hysteria_max_conn_client) or nil, disable_mtu_discovery = (node.hysteria_disable_mtu_discovery == "1") and true or false, - tls = { - enabled = true, - certificate_path = node.tls_certificateFile, - key_path = node.tls_keyFile, - alpn = (node.hysteria_alpn and node.hysteria_alpn ~= "") and { - node.hysteria_alpn - } or nil - } + tls = tls } end if node.protocol == "tuic" then + tls.alpn = (node.tuic_alpn and node.tuic_alpn ~= "") and { + node.tuic_alpn + } or nil protocol_table = { users = { { @@ -547,14 +560,7 @@ function gen_config_server(node) congestion_control = node.tuic_congestion_control or "cubic", zero_rtt_handshake = (node.tuic_zero_rtt_handshake == "1") and true or false, heartbeat = node.tuic_heartbeat .. "s", - tls = { - enabled = true, - certificate_path = node.tls_certificateFile, - key_path = node.tls_keyFile, - alpn = (node.tuic_alpn and node.tuic_alpn ~= "") and { - node.tuic_alpn - } or nil, - } + tls = tls } end @@ -573,11 +579,7 @@ function gen_config_server(node) } }, ignore_client_bandwidth = (node.hysteria2_ignore_client_bandwidth == "1") and true or false, - tls = { - enabled = true, - certificate_path = node.tls_certificateFile, - key_path = node.tls_keyFile, - } + tls = tls } end @@ -1278,6 +1280,7 @@ function gen_config(var) default_dns_flag = "direct" end end + else default_dns_flag = "direct" end dns.final = default_dns_flag end diff --git a/luci-app-passwall2/luasrc/passwall2/util_xray.lua b/luci-app-passwall2/luasrc/passwall2/util_xray.lua index 6c7bd04e7..e8e8e6a51 100644 --- a/luci-app-passwall2/luasrc/passwall2/util_xray.lua +++ b/luci-app-passwall2/luasrc/passwall2/util_xray.lua 
@@ -482,6 +482,21 @@ function gen_config_server(node) if "1" == node.tls then config.inbounds[1].streamSettings.security = "tls" + if "1" == node.reality then + config.inbounds[1].streamSettings.tlsSettings = nil + config.inbounds[1].streamSettings.security = "reality" + config.inbounds[1].streamSettings.realitySettings = { + show = false, + dest = node.reality_dest, + serverNames = { + node.reality_serverNames + }, + privateKey = node.reality_private_key, + shortIds = { + node.reality_shortId + } + } or nil + end end return config diff --git a/luci-app-passwall2/po/zh-cn/passwall2.po b/luci-app-passwall2/po/zh-cn/passwall2.po index 06c869743..4c21e2000 100644 --- a/luci-app-passwall2/po/zh-cn/passwall2.po +++ b/luci-app-passwall2/po/zh-cn/passwall2.po @@ -1303,6 +1303,9 @@ msgstr "XUDP 最大并发连接数" msgid "Mux idle timeout" msgstr "最大闲置时间" +msgid "Padding" +msgstr "填充" + msgid "Enable early data" msgstr "启用前置数据" @@ -1371,3 +1374,15 @@ msgstr "覆盖连接目标地址" msgid "Override the connection destination address with the sniffed domain." msgstr "用探测出的域名覆盖连接目标地址。" + +msgid "Handshake Server" +msgstr "握手服务器" + +msgid "Handshake Server Port" +msgstr "握手服务器端口" + +msgid "Protocol parameter. Will waste traffic randomly if enabled." +msgstr "协议参数。 如果启用会随机浪费流量。" + +msgid "Protocol parameter. Enable length block encryption." +msgstr "协议参数。启用长度块加密。" diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index 3e44d804d..c33091a2b 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh 
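Review bot: The `or nil` after the `realitySettings = { ... }` constructor is dead code — a table constructor is always truthy — and should be removed, because it reads as if the whole block were optional. `serverNames = { node.reality_serverNames }` and `shortIds = { node.reality_shortId }` each wrap a single form value, so only one SNI and one short id can ever be configured despite the plural keys; if that is the intended limit, say so in a comment, otherwise split the stored string. An empty `serverNames` list (unset form value) means xray accepts no SNI, which is worth rejecting at generation time rather than discovering from client failures. gen_config_server continues outside the hunk.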
@@ -114,12 +114,17 @@ destroy_nftset() { insert_nftset() { local nftset_name="${1}"; shift + local timeout_argument="${1}"; shift + local defalut_timeout_argument="3650d" local nftset_elements - nftset_elements=$(echo -e $@ | sed 's/\s/, /g') - [ -n "${nftset_elements}" ] && { + [ -n "${1}" ] && { + if [ "$timeout_argument" == "0" ]; then + nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $defalut_timeout_argument, /g" | sed "s/$/ timeout $defalut_timeout_argument/") + else + nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $timeout_argument, /g" | sed "s/$/ timeout $timeout_argument/") + fi mkdir -p $TMP_PATH2/nftset - cat > "$TMP_PATH2/nftset/$nftset_name" <<-EOF define $nftset_name = {$nftset_elements} add element inet fw4 $nftset_name \$$nftset_name @@ -132,12 +137,20 @@ insert_nftset() { gen_nftset() { local nftset_name="${1}"; shift local ip_type="${1}"; shift + # 0 - don't set defalut timeout + local timeout_argument_set="${1}"; shift + # 0 - don't let element timeout(3650 days) + local timeout_argument_element="${1}"; shift nft "list set inet fw4 $nftset_name" &>/dev/null if [ $? -ne 0 ]; then - nft "add set inet fw4 $nftset_name { type $ip_type; flags interval; auto-merge; }" + if [ "$timeout_argument_set" == "0" ]; then + nft "add set inet fw4 $nftset_name { type $ip_type; flags interval, timeout; auto-merge; }" + else + nft "add set inet fw4 $nftset_name { type $ip_type; flags interval, timeout; timeout $timeout_argument_set; gc-interval $timeout_argument_set; auto-merge; }" + fi fi - [ -n "${1}" ] && insert_nftset $nftset_name $@ + [ -n "${1}" ] && insert_nftset $nftset_name $timeout_argument_element $@ } get_action_chain_name() { 
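Review bot: `defalut_timeout_argument` is misspelled (also in the two `gen_nftset` comments), and the two `sed` pipelines differ only in which timeout they interpolate; resolving the timeout first removes the duplication: `local t="$timeout_argument"; [ "$t" = "0" ] && t="3650d"` followed by a single `nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $t, /g" | sed "s/$/ timeout $t/")`. `$@` is still expanded unquoted through `echo -e`, which backslash-interprets the elements; the callers feed it addresses taken from node config and subscriptions (`filter_vpsip`), so the grep filters there appear to be what keeps the nft heredoc well-formed, and that assumption belongs in a comment on the function. `[ "$timeout_argument" == "0" ]` is a bash-ism that busybox `test` tolerates and the file already uses elsewhere.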
@@ -245,8 +258,8 @@ load_acl() { local nftset_whitelist="passwall2_${sid}_whitelist" local nftset_whitelist6="passwall2_${sid}_whitelist6" - gen_nftset $nftset_whitelist ipv4_addr - gen_nftset $nftset_whitelist6 ipv6_addr + gen_nftset $nftset_whitelist 0 0 ipv4_addr + gen_nftset $nftset_whitelist6 0 0 ipv6_addr [ -n "$redir_port" ] && { if [ "$tcp_proxy_mode" != "disable" ]; then @@ -264,11 +277,13 @@ load_acl() { [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\"" } [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null } [ "$tcp_no_redir_ports" != "disable" ] && { 
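Review bot: `gen_nftset $nftset_whitelist 0 0 ipv4_addr` passes the arguments in the wrong order for the new `gen_nftset` signature (`name ip_type timeout_set timeout_element`, nftables.sh hunk above): `ip_type` becomes `0` and `ipv4_addr` becomes the element timeout, so `nft add set ... { type 0; ... }` is rejected and the per-ACL whitelist sets are never created, leaving any later rule that references `@$nftset_whitelist` to fail to load. The `add_firewall_rule` call sites use the correct order (`gen_nftset $NFTSET_LANLIST ipv4_addr 0 0 ...`); fix here with `gen_nftset $nftset_whitelist ipv4_addr 0 0` and `gen_nftset $nftset_whitelist6 ipv6_addr 0 0`, and the same in the `passwall2_global_whitelist`/`passwall2_global_whitelist6` hunk. load_acl starts and ends outside this hunk.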
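Review bot: The new `${_ipt_source} return` rules sit after an unconditional `${_ipt_source} $(REDIRECT)` rule for the same source; if `REDIRECT` expands to a terminal verdict (`redirect`), the `return` can never match and is dead. The intent — stop later, broader rules in PSW2_ICMP_REDIRECT from touching this source — would only be served if `REDIRECT` is non-terminal, which depends on a definition outside this hunk, so a comment stating which case is expected would keep the next reader from deleting the rule. The same pattern is repeated in the default-rules and router-self hunks of this file.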
@@ -362,11 +377,13 @@ load_acl() { [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\"" nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\"" } [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\"" nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\"" } if [ -z "${is_tproxy}" ]; then @@ -424,7 +441,7 @@ load_acl() { filter_haproxy() { for item in $(uci show $CONFIG | grep ".lbss=" | cut -d "'" -f 2); do local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1) - [ -n "$ip" ] && insert_nftset $NFTSET_VPSLIST $ip + [ -n "$ip" ] && insert_nftset $NFTSET_VPSLIST 0 $ip done echolog "加入负载均衡的节点到nftset[$NFTSET_VPSLIST]直连完成" } 
@@ -433,14 +450,14 @@ filter_vps_addr() { for server_host in $@; do local vps_ip4=$(get_host_ip "ipv4" ${server_host}) local vps_ip6=$(get_host_ip "ipv6" ${server_host}) - [ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST $vps_ip4 - [ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 $vps_ip6 + [ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST 0 $vps_ip4 + [ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 0 $vps_ip6 done } filter_vpsip() { - insert_nftset $NFTSET_VPSLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d") - insert_nftset $NFTSET_VPSLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d") + insert_nftset $NFTSET_VPSLIST 0 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d") + insert_nftset $NFTSET_VPSLIST6 0 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d") echolog "加入所有节点到nftset[$NFTSET_VPSLIST]直连完成" } @@ -553,11 +570,11 @@ dns_hijack() { add_firewall_rule() { echolog "开始加载防火墙规则..." - gen_nftset $NFTSET_LANLIST ipv4_addr $(gen_lanlist) - gen_nftset $NFTSET_VPSLIST ipv4_addr + gen_nftset $NFTSET_LANLIST ipv4_addr 0 0 $(gen_lanlist) + gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0 - gen_nftset $NFTSET_LANLIST6 ipv6_addr $(gen_lanlist_6) - gen_nftset $NFTSET_VPSLIST6 ipv6_addr + gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 0 $(gen_lanlist_6) + gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0 # 忽略特殊IP段 local lan_ifname lan_ip 
@@ -568,14 +585,14 @@ add_firewall_rule() { #echolog "本机IPv4网段互访直连:${lan_ip}" #echolog "本机IPv6网段互访直连:${lan_ip6}" - [ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST $(echo $lan_ip | sed -e "s/ /\n/g") - [ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g") + [ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST 0 $(echo $lan_ip | sed -e "s/ /\n/g") + [ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 0 $(echo $lan_ip6 | sed -e "s/ /\n/g") } [ -n "$ISP_DNS" ] && { #echolog "处理 ISP DNS 例外..." for ispip in $ISP_DNS; do - insert_nftset $NFTSET_LANLIST $ispip >/dev/null 2>&1 & + insert_nftset $NFTSET_LANLIST 0 $ispip >/dev/null 2>&1 & #echolog " - 追加到白名单:${ispip}" done } @@ -583,15 +600,15 @@ add_firewall_rule() { [ -n "$ISP_DNS6" ] && { #echolog "处理 ISP IPv6 DNS 例外..." for ispip6 in $ISP_DNS6; do - insert_nftset $NFTSET_LANLIST6 $ispip6 >/dev/null 2>&1 & + insert_nftset $NFTSET_LANLIST6 0 $ispip6 >/dev/null 2>&1 & #echolog " - 追加到白名单:${ispip6}" done } local nftset_global_whitelist="passwall2_global_whitelist" local nftset_global_whitelist6="passwall2_global_whitelist6" - gen_nftset $nftset_global_whitelist ipv4_addr - gen_nftset $nftset_global_whitelist6 ipv6_addr + gen_nftset $nftset_global_whitelist 0 0 ipv4_addr + gen_nftset $nftset_global_whitelist6 0 0 ipv6_addr # 过滤所有节点IP filter_vpsip > /dev/null 2>&1 & 
@@ -744,13 +761,15 @@ add_firewall_rule() { echolog "加载路由器自身 TCP 代理..." [ "$accept_icmp" = "1" ] && { - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmp ip daddr $FAKE_IP counter redirect" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmp counter redirect" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter return" } [ "$accept_icmpv6" = "1" ] && { - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 counter redirect" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 counter redirect" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 counter redirect" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto counter redirect" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return" } [ -n "${is_tproxy}" ] && { diff --git a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua index 1f87bb904..1ff6325f2 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua +++ b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua @@ -396,6 +396,7 @@ local function processData(szType, content, add_mode, add_from) result.address = info.add result.port = info.port result.protocol = 'vmess' + result.alter_id = info.aid result.uuid = info.id result.remarks = info.ps -- result.mux = 1
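Review bot: `nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto counter redirect"` is missing the protocol after `meta l4proto`, so nft rejects the rule and the unconditional ICMPv6 redirect for the router's own traffic is silently not installed; it should read `nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter redirect"`, matching the `ip protocol icmp` line in the IPv4 block. The `counter return` lines added after `counter redirect` cannot match here: `redirect` is a terminal verdict and the preceding rule restricts nothing beyond the protocol, so either drop them or comment why they are kept. add_firewall_rule continues outside this hunk.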