luci-app-passwall2: sync upstream

2023-09-13 12:57:55 +08:00 · 2023-09-13 12:57:55 +08:00 · 2728e7b0db
commit 2728e7b0db
parent a9e22bbdc5
9 changed files with 206 additions and 85 deletions
--- a/luci-app-passwall2/Makefile
+++ b/luci-app-passwall2/Makefile
@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-passwall2
-PKG_VERSION:=1.20-8
+PKG_VERSION:=1.20-10
 PKG_RELEASE:=

 PKG_CONFIG_DEPENDS:= \
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/sing-box.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/sing-box.lua
@ -252,6 +252,19 @@ o:depends({ [option_name("protocol")] = "vmess" })
 o:depends({ [option_name("protocol")] = "vless" })
 o:depends({ [option_name("protocol")] = "tuic" })

+o = s:option(Value, option_name("alter_id"), "Alter ID")
+o.datatype = "uinteger"
+o.default = "0"
+o:depends({ [option_name("protocol")] = "vmess" })
+
+o = s:option(Flag, option_name("global_padding"), "global_padding", translate("Protocol parameter. Will waste traffic randomly if enabled."))
+o.default = "0"
+o:depends({ [option_name("protocol")] = "vmess" })
+
+o = s:option(Flag, option_name("authenticated_length"), "authenticated_length", translate("Protocol parameter. Enable length block encryption."))
+o.default = "0"
+o:depends({ [option_name("protocol")] = "vmess" })
+
 o = s:option(ListValue, option_name("flow"), translate("flow"))
 o.default = ""
 o:value("", translate("Disable"))
@ -355,19 +368,6 @@ o:depends({ [option_name("protocol")] = "trojan" })
 o:depends({ [option_name("protocol")] = "shadowsocks" })
 o:depends({ [option_name("protocol")] = "shadowtls" })

-if singbox_tags:find("with_reality") then
-	o = s:option(Flag, option_name("reality"), translate("REALITY"))
-	o.default = 0
-	o:depends({ [option_name("protocol")] = "vless", [option_name("tls")] = true })
-
-	-- [[ REALITY部分 ]] --
-	o = s:option(Value, option_name("reality_publicKey"), translate("Public Key"))
-	o:depends({ [option_name("tls")] = true, [option_name("reality")] = true })
-
-	o = s:option(Value, option_name("reality_shortId"), translate("Short Id"))
-	o:depends({ [option_name("tls")] = true, [option_name("reality")] = true })
-end
-
 o = s:option(ListValue, option_name("alpn"), translate("alpn"))
 o.default = "default"
 o:value("default", translate("Default"))
@ -392,22 +392,36 @@ o:depends({ [option_name("protocol")] = "hysteria2" })
 if singbox_tags:find("with_utls") then
 	o = s:option(Flag, option_name("utls"), translate("uTLS"))
 	o.default = "0"
-	o:depends({ [option_name("tls")] = true, [option_name("reality")] = false })
+	o:depends({ [option_name("tls")] = true })

 	o = s:option(ListValue, option_name("fingerprint"), translate("Finger Print"))
 	o:value("chrome")
 	o:value("firefox")
 	o:value("edge")
 	o:value("safari")
-	o:value("360")
+	-- o:value("360")
 	o:value("qq")
 	o:value("ios")
-	o:value("android")
+	-- o:value("android")
 	o:value("random")
-	o:value("randomized")
+	-- o:value("randomized")
 	o.default = "chrome"
 	o:depends({ [option_name("tls")] = true, [option_name("utls")] = true })
-	o:depends({ [option_name("tls")] = true, [option_name("reality")] = true })
+
+	-- [[ REALITY部分 ]] --
+	o = s:option(Flag, option_name("reality"), translate("REALITY"))
+	o.default = 0
+	o:depends({ [option_name("protocol")] = "vless", [option_name("utls")] = true })
+	o:depends({ [option_name("protocol")] = "vmess", [option_name("utls")] = true })
+	o:depends({ [option_name("protocol")] = "shadowsocks", [option_name("utls")] = true })
+	o:depends({ [option_name("protocol")] = "socks", [option_name("utls")] = true })
+	o:depends({ [option_name("protocol")] = "trojan", [option_name("utls")] = true })
+	
+	o = s:option(Value, option_name("reality_publicKey"), translate("Public Key"))
+	o:depends({ [option_name("utls")] = true, [option_name("reality")] = true })
+	
+	o = s:option(Value, option_name("reality_shortId"), translate("Short Id"))
+	o:depends({ [option_name("utls")] = true, [option_name("reality")] = true })
 end

 o = s:option(ListValue, option_name("transport"), translate("Transport"))
@ -512,7 +526,7 @@ o:depends({ [option_name("protocol")] = "vmess" })
 o:depends({ [option_name("protocol")] = "vless", [option_name("flow")] = "" })
 o:depends({ [option_name("protocol")] = "http" })
 o:depends({ [option_name("protocol")] = "socks" })
-o:depends({ [option_name("protocol")] = "shadowsocks" })
+o:depends({ [option_name("protocol")] = "shadowsocks", [option_name("uot")] = "" })
 o:depends({ [option_name("protocol")] = "trojan" })

 o = s:option(ListValue, option_name("mux_type"), translate("Mux"))
@ -525,4 +539,8 @@ o = s:option(Value, option_name("mux_concurrency"), translate("Mux concurrency")
 o.default = 8
 o:depends({ [option_name("mux")] = true })

+o = s:option(Flag, option_name("mux_padding"), translate("Padding"))
+o.default = 0
+o:depends({ [option_name("mux")] = true })
+
 api.luci_types(arg[1], m, s, type_name, option_prefix)
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/ray.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/ray.lua
@ -115,6 +115,8 @@ o = s:option(Flag, option_name("tls"), translate("TLS"))
 o.default = 0
 o.validate = function(self, value, t)
 	if value then
+		local reality = s.fields[option_name("reality")]:formvalue(t)
+		if reality and reality == "1" then return value end
 		if value == "1" then
 			local ca = s.fields[option_name("tls_certificateFile")]:formvalue(t) or ""
 			local key = s.fields[option_name("tls_keyFile")]:formvalue(t) or ""
@ -131,6 +133,24 @@ o:depends({ [option_name("protocol")] = "socks" })
 o:depends({ [option_name("protocol")] = "shadowsocks" })
 o:depends({ [option_name("protocol")] = "trojan" })

+-- [[ REALITY部分 ]] --
+o = s:option(Flag, option_name("reality"), translate("REALITY"))
+o.default = 0
+o:depends({ [option_name("tls")] = true })
+
+o = s:option(Value, option_name("reality_private_key"), translate("Private Key"))
+o:depends({ [option_name("reality")] = true })
+
+o = s:option(Value, option_name("reality_shortId"), translate("Short Id"))
+o:depends({ [option_name("reality")] = true })
+
+o = s:option(Value, option_name("reality_dest"), translate("Dest"))
+o.default = "google.com:443"
+o:depends({ [option_name("reality")] = true })
+
+o = s:option(Value, option_name("reality_serverNames"), translate("serverNames"))
+o:depends({ [option_name("reality")] = true })
+
 o = s:option(ListValue, option_name("alpn"), translate("alpn"))
 o.default = "h2,http/1.1"
 o:value("h2,http/1.1")
@ -147,7 +167,7 @@ o:depends({ [option_name("tls")] = true })

 o = s:option(FileUpload, option_name("tls_certificateFile"), translate("Public key absolute path"), translate("as:") .. "/etc/ssl/fullchain.pem")
 o.default = m:get(s.section, "tls_certificateFile") or "/etc/config/ssl/" .. arg[1] .. ".pem"
-o:depends({ [option_name("tls")] = true })
+o:depends({ [option_name("tls")] = true, [option_name("reality")] = false })
 o.validate = function(self, value, t)
 	if value and value ~= "" then
 		if not nixio.fs.access(value) then
@ -161,7 +181,7 @@ end

 o = s:option(FileUpload, option_name("tls_keyFile"), translate("Private key absolute path"), translate("as:") .. "/etc/ssl/private.key")
 o.default = m:get(s.section, "tls_keyFile") or "/etc/config/ssl/" .. arg[1] .. ".key"
-o:depends({ [option_name("tls")] = true })
+o:depends({ [option_name("tls")] = true, [option_name("reality")] = false })
 o.validate = function(self, value, t)
 	if value and value ~= "" then
 		if not nixio.fs.access(value) then
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/sing-box.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/server/type/sing-box.lua
@ -202,6 +202,8 @@ o = s:option(Flag, option_name("tls"), translate("TLS"))
 o.default = 0
 o.validate = function(self, value, t)
 	if value then
+		local reality = s.fields[option_name("reality")]:formvalue(t)
+		if reality and reality == "1" then return value end
 		if value == "1" then
 			local ca = s.fields[option_name("tls_certificateFile")]:formvalue(t) or ""
 			local key = s.fields[option_name("tls_keyFile")]:formvalue(t) or ""
@ -218,11 +220,38 @@ o:depends({ [option_name("protocol")] = "vmess" })
 o:depends({ [option_name("protocol")] = "vless" })
 o:depends({ [option_name("protocol")] = "trojan" })

+if singbox_tags:find("with_reality_server") then
+	-- [[ REALITY部分 ]] --
+	o = s:option(Flag, option_name("reality"), translate("REALITY"))
+	o.default = 0
+	o:depends({ [option_name("protocol")] = "vless", [option_name("tls")] = true })
+	o:depends({ [option_name("protocol")] = "vmess", [option_name("tls")] = true })
+	o:depends({ [option_name("protocol")] = "shadowsocks", [option_name("tls")] = true })
+	o:depends({ [option_name("protocol")] = "http", [option_name("tls")] = true })
+	o:depends({ [option_name("protocol")] = "trojan", [option_name("tls")] = true })
+	
+	o = s:option(Value, option_name("reality_private_key"), translate("Private Key"))
+	o:depends({ [option_name("reality")] = true })
+	
+	o = s:option(Value, option_name("reality_shortId"), translate("Short Id"))
+	o:depends({ [option_name("reality")] = true })
+
+	o = s:option(Value, option_name("reality_handshake_server"), translate("Handshake Server"))
+	o.default = "google.com"
+	o:depends({ [option_name("reality")] = true })
+
+	o = s:option(Value, option_name("reality_handshake_server_port"), translate("Handshake Server Port"))
+	o.datatype = "port"
+	o.default = "443"
+	o:depends({ [option_name("reality")] = true })
+end
+
 -- [[ TLS部分 ]] --

 o = s:option(FileUpload, option_name("tls_certificateFile"), translate("Public key absolute path"), translate("as:") .. "/etc/ssl/fullchain.pem")
 o.default = m:get(s.section, "tls_certificateFile") or "/etc/config/ssl/" .. arg[1] .. ".pem"
-o:depends({ [option_name("tls")] = true })
+o:depends({ [option_name("tls")] = true, [option_name("reality")] = false })
+o:depends({ [option_name("protocol")] = "naive" })
 o:depends({ [option_name("protocol")] = "hysteria" })
 o:depends({ [option_name("protocol")] = "tuic" })
 o:depends({ [option_name("protocol")] = "hysteria2" })
@ -239,7 +268,8 @@ end

 o = s:option(FileUpload, option_name("tls_keyFile"), translate("Private key absolute path"), translate("as:") .. "/etc/ssl/private.key")
 o.default = m:get(s.section, "tls_keyFile") or "/etc/config/ssl/" .. arg[1] .. ".key"
-o:depends({ [option_name("tls")] = true })
+o:depends({ [option_name("tls")] = true, [option_name("reality")] = false })
+o:depends({ [option_name("protocol")] = "naive" })
 o:depends({ [option_name("protocol")] = "hysteria" })
 o:depends({ [option_name("protocol")] = "tuic" })
 o:depends({ [option_name("protocol")] = "hysteria2" })
--- a/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua
+++ b/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua
@ -111,6 +111,7 @@ function gen_outbound(flag, node, tag, proxy_table)
 				enabled = true,
 				protocol = node.mux_type or "h2mux",
 				max_connections = tonumber(node.mux_concurrency) or 4,
+				padding = (node.mux_padding == "1") and true or false
 				--min_streams = 4,
 				--max_streams = 0,
 			}
@ -215,9 +216,9 @@ function gen_outbound(flag, node, tag, proxy_table)
 			protocol_table = {
 				uuid = node.uuid,
 				security = node.security,
-				alter_id = 0,
-				global_padding = false,
-				authenticated_length = true,
+				alter_id = (node.alter_id) and tonumber(node.alter_id) or 0,
+				global_padding = (node.global_padding == "1") and true or false,
+				authenticated_length = (node.authenticated_length == "1") and true or false,
 				tls = tls,
 				packet_encoding = "", --UDP 包编码。(空)：禁用	packetaddr：由 v2ray 5+ 支持	xudp：由 xray 支持
 				multiplex = mux,
@ -231,6 +232,7 @@ function gen_outbound(flag, node, tag, proxy_table)
 				flow = (node.tls == '1' and node.flow) and node.flow or nil,
 				tls = tls,
 				packet_encoding = "xudp", --UDP 包编码。(空)：禁用	packetaddr：由 v2ray 5+ 支持	xudp：由 xray 支持
+				multiplex = mux,
 				transport = v2ray_transport,
 			}
 		end
@ -345,14 +347,26 @@ function gen_config_server(node)
 		{ type = "block", tag = "block" }
 	}

-	local tls = nil
-
-	if node.tls == "1" then
-		tls = {
+	local tls = {
 		enabled = true,
 		certificate_path = node.tls_certificateFile,
 		key_path = node.tls_keyFile,
 	}
+
+	if node.tls == "1" and node.reality == "1" then
+		tls.certificate_path = nil
+		tls.key_path = nil
+		tls.reality = {
+			enabled = true,
+			private_key = node.reality_private_key,
+			short_id = {
+				node.reality_shortId
+			},
+			handshake = {
+				server = node.reality_handshake_server,
+				server_port = tonumber(node.reality_handshake_server_port)
+			}
+		}
 	end

 	local v2ray_transport = nil
@ -428,7 +442,7 @@ function gen_config_server(node)
 					password = node.password
 				}
 			} or nil,
-			tls = tls,
+			tls = (node.tls == "1") and tls or nil,
 		}
 	end

@ -451,7 +465,7 @@ function gen_config_server(node)
 			end
 			protocol_table = {
 				users = users,
-				tls = tls,
+				tls = (node.tls == "1") and tls or nil,
 				transport = v2ray_transport,
 			}
 		end
@ -469,7 +483,7 @@ function gen_config_server(node)
 			end
 			protocol_table = {
 				users = users,
-				tls = tls,
+				tls = (node.tls == "1") and tls or nil,
 				transport = v2ray_transport,
 			}
 		end
@ -481,12 +495,12 @@ function gen_config_server(node)
 			for i = 1, #node.uuid do
 				users[i] = {
 					name = node.uuid[i],
-					uuid = node.uuid[i],
+					password = node.uuid[i],
 				}
 			end
 			protocol_table = {
 				users = users,
-				tls = tls,
+				tls = (node.tls == "1") and tls or nil,
 				fallback = nil,
 				fallback_for_alpn = nil,
 				transport = v2ray_transport,
@ -502,11 +516,14 @@ function gen_config_server(node)
 					password = node.password
 				}
 			},
-			tls = tls,
+			tls = tls
 		}
 	end

 	if node.protocol == "hysteria" then
+		tls.alpn = (node.hysteria_alpn and node.hysteria_alpn ~= "") and {
+			node.hysteria_alpn
+		} or nil
 		protocol_table = {
 			up = node.hysteria_up_mbps .. " Mbps",
 			down = node.hysteria_down_mbps .. " Mbps",
@ -524,18 +541,14 @@ function gen_config_server(node)
 			recv_window_client = node.hysteria_recv_window_client and tonumber(node.hysteria_recv_window_client) or nil,
 			max_conn_client = node.hysteria_max_conn_client and tonumber(node.hysteria_max_conn_client) or nil,
 			disable_mtu_discovery = (node.hysteria_disable_mtu_discovery == "1") and true or false,
-			tls = {
-				enabled = true,
-				certificate_path = node.tls_certificateFile,
-				key_path = node.tls_keyFile,
-				alpn = (node.hysteria_alpn and node.hysteria_alpn ~= "") and {
-					node.hysteria_alpn
-				} or nil
-			}
+			tls = tls
 		}
 	end

 	if node.protocol == "tuic" then
+		tls.alpn = (node.tuic_alpn and node.tuic_alpn ~= "") and {
+			node.tuic_alpn
+		} or nil
 		protocol_table = {
 			users = {
 				{
@ -547,14 +560,7 @@ function gen_config_server(node)
 			congestion_control = node.tuic_congestion_control or "cubic",
 			zero_rtt_handshake = (node.tuic_zero_rtt_handshake == "1") and true or false,
 			heartbeat = node.tuic_heartbeat .. "s",
-			tls = {
-				enabled = true,
-				certificate_path = node.tls_certificateFile,
-				key_path = node.tls_keyFile,
-				alpn = (node.tuic_alpn and node.tuic_alpn ~= "") and {
-					node.tuic_alpn
-				} or nil,
-			}
+			tls = tls
 		}
 	end

@ -573,11 +579,7 @@ function gen_config_server(node)
 				}
 			},
 			ignore_client_bandwidth = (node.hysteria2_ignore_client_bandwidth == "1") and true or false,
-			tls = {
-				enabled = true,
-				certificate_path = node.tls_certificateFile,
-				key_path = node.tls_keyFile,
-			}
+			tls = tls
 		}
 	end

@ -1278,6 +1280,7 @@ function gen_config(var)
 					default_dns_flag = "direct"
 				end
 			end
+		else default_dns_flag = "direct"
 		end
 		dns.final = default_dns_flag
 	end
--- a/luci-app-passwall2/luasrc/passwall2/util_xray.lua
+++ b/luci-app-passwall2/luasrc/passwall2/util_xray.lua
@ -482,6 +482,21 @@ function gen_config_server(node)

 	if "1" == node.tls then
 		config.inbounds[1].streamSettings.security = "tls"
+		if "1" == node.reality then
+			config.inbounds[1].streamSettings.tlsSettings = nil
+			config.inbounds[1].streamSettings.security = "reality"
+			config.inbounds[1].streamSettings.realitySettings = {
+				show = false,
+				dest = node.reality_dest,
+				serverNames = {
+					node.reality_serverNames
+				},
+				privateKey = node.reality_private_key,
+				shortIds = {
+					node.reality_shortId
+				}
+			} or nil
+		end
 	end

 	return config
--- a/luci-app-passwall2/po/zh-cn/passwall2.po
+++ b/luci-app-passwall2/po/zh-cn/passwall2.po
@ -1303,6 +1303,9 @@ msgstr "XUDP 最大并发连接数"
 msgid "Mux idle timeout"
 msgstr "最大闲置时间"

+msgid "Padding"
+msgstr "填充"
+
 msgid "Enable early data"
 msgstr "启用前置数据"

@ -1371,3 +1374,15 @@ msgstr "覆盖连接目标地址"

 msgid "Override the connection destination address with the sniffed domain."
 msgstr "用探测出的域名覆盖连接目标地址。"
+
+msgid "Handshake Server"
+msgstr "握手服务器"
+
+msgid "Handshake Server Port"
+msgstr "握手服务器端口"
+
+msgid "Protocol parameter. Will waste traffic randomly if enabled."
+msgstr "协议参数。 如果启用会随机浪费流量。"
+
+msgid "Protocol parameter. Enable length block encryption."
+msgstr "协议参数。启用长度块加密。"
--- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
@ -114,12 +114,17 @@ destroy_nftset() {

 insert_nftset() {
 	local nftset_name="${1}"; shift
+	local timeout_argument="${1}"; shift
+	local defalut_timeout_argument="3650d"
 	local nftset_elements

-	nftset_elements=$(echo -e $@ | sed 's/\s/, /g')
-	[ -n "${nftset_elements}" ] && {
+	[ -n "${1}" ] && {
+		if [ "$timeout_argument" == "0" ]; then
+			nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $defalut_timeout_argument, /g" | sed "s/$/ timeout $defalut_timeout_argument/")
+		else
+			nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $timeout_argument, /g" | sed "s/$/ timeout $timeout_argument/")
+		fi
 		mkdir -p $TMP_PATH2/nftset
-
 		cat > "$TMP_PATH2/nftset/$nftset_name" <<-EOF
 			define $nftset_name = {$nftset_elements}	
 			add element inet fw4 $nftset_name \$$nftset_name
@ -132,12 +137,20 @@ insert_nftset() {
 gen_nftset() {
 	local nftset_name="${1}"; shift
 	local ip_type="${1}"; shift
+	#  0 - don't set defalut timeout
+	local timeout_argument_set="${1}"; shift
+	#  0 - don't let element timeout(3650 days)
+	local timeout_argument_element="${1}"; shift

 	nft "list set inet fw4 $nftset_name" &>/dev/null
 	if [ $? -ne 0 ]; then
-		nft "add set inet fw4 $nftset_name { type $ip_type; flags interval; auto-merge; }"
+		if [ "$timeout_argument_set" == "0" ]; then
+			nft "add set inet fw4 $nftset_name { type $ip_type; flags interval, timeout; auto-merge; }"
+		else
+			nft "add set inet fw4 $nftset_name { type $ip_type; flags interval, timeout; timeout $timeout_argument_set; gc-interval $timeout_argument_set; auto-merge; }"
 		fi
-	[ -n "${1}" ] && insert_nftset $nftset_name $@
+	fi
+	[ -n "${1}" ] && insert_nftset $nftset_name $timeout_argument_element $@
 }

 get_action_chain_name() {
@ -245,8 +258,8 @@ load_acl() {
 				
 				local nftset_whitelist="passwall2_${sid}_whitelist"
 				local nftset_whitelist6="passwall2_${sid}_whitelist6"
-				gen_nftset $nftset_whitelist ipv4_addr
-				gen_nftset $nftset_whitelist6 ipv6_addr
+				gen_nftset $nftset_whitelist 0 0 ipv4_addr
+				gen_nftset $nftset_whitelist6 0 0 ipv6_addr

 				[ -n "$redir_port" ] && {
 					if [ "$tcp_proxy_mode" != "disable" ]; then
@ -264,11 +277,13 @@ load_acl() {
 						[ "$accept_icmp" = "1" ] && {
 							nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
 							nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
+							nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
 						}

 						[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
 							nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
 							nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
 						}

 						[ "$tcp_no_redir_ports" != "disable" ] && {
@ -362,11 +377,13 @@ load_acl() {
 				[ "$accept_icmp" = "1" ] && {
 					nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
 					nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
 				}

 				[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
 					nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
 					nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
 				}

 				if [ -z "${is_tproxy}" ]; then
@ -424,7 +441,7 @@ load_acl() {
 filter_haproxy() {
 	for item in $(uci show $CONFIG | grep ".lbss=" | cut -d "'" -f 2); do
 		local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
-		[ -n "$ip" ] && insert_nftset $NFTSET_VPSLIST $ip
+		[ -n "$ip" ] && insert_nftset $NFTSET_VPSLIST 0 $ip
 	done
 	echolog "加入负载均衡的节点到nftset[$NFTSET_VPSLIST]直连完成"
 }
@ -433,14 +450,14 @@ filter_vps_addr() {
 	for server_host in $@; do
 		local vps_ip4=$(get_host_ip "ipv4" ${server_host})
 		local vps_ip6=$(get_host_ip "ipv6" ${server_host})
-		[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST $vps_ip4
-		[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 $vps_ip6
+		[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST 0 $vps_ip4
+		[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 0 $vps_ip6
 	done
 }

 filter_vpsip() {
-	insert_nftset $NFTSET_VPSLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
-	insert_nftset $NFTSET_VPSLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
+	insert_nftset $NFTSET_VPSLIST 0 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
+	insert_nftset $NFTSET_VPSLIST6 0 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
 	echolog "加入所有节点到nftset[$NFTSET_VPSLIST]直连完成"
 }

@ -553,11 +570,11 @@ dns_hijack() {

 add_firewall_rule() {
 	echolog "开始加载防火墙规则..."
-	gen_nftset $NFTSET_LANLIST ipv4_addr $(gen_lanlist)
-	gen_nftset $NFTSET_VPSLIST ipv4_addr
+	gen_nftset $NFTSET_LANLIST ipv4_addr 0 0 $(gen_lanlist)
+	gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0

-	gen_nftset $NFTSET_LANLIST6 ipv6_addr $(gen_lanlist_6)
-	gen_nftset $NFTSET_VPSLIST6 ipv6_addr
+	gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 0 $(gen_lanlist_6)
+	gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0

 	# 忽略特殊IP段
 	local lan_ifname lan_ip
@ -568,14 +585,14 @@ add_firewall_rule() {
 		#echolog "本机IPv4网段互访直连：${lan_ip}"
 		#echolog "本机IPv6网段互访直连：${lan_ip6}"

-		[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST $(echo $lan_ip | sed -e "s/ /\n/g")
-		[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
+		[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST 0 $(echo $lan_ip | sed -e "s/ /\n/g")
+		[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 0 $(echo $lan_ip6 | sed -e "s/ /\n/g")
 	}

 	[ -n "$ISP_DNS" ] && {
 		#echolog "处理 ISP DNS 例外..."
 		for ispip in $ISP_DNS; do
-			insert_nftset $NFTSET_LANLIST $ispip >/dev/null 2>&1 &
+			insert_nftset $NFTSET_LANLIST 0 $ispip >/dev/null 2>&1 &
 			#echolog "  - 追加到白名单：${ispip}"
 		done
 	}
@ -583,15 +600,15 @@ add_firewall_rule() {
 	[ -n "$ISP_DNS6" ] && {
 		#echolog "处理 ISP IPv6 DNS 例外..."
 		for ispip6 in $ISP_DNS6; do
-			insert_nftset $NFTSET_LANLIST6 $ispip6 >/dev/null 2>&1 &
+			insert_nftset $NFTSET_LANLIST6 0 $ispip6 >/dev/null 2>&1 &
 			#echolog "  - 追加到白名单：${ispip6}"
 		done
 	}
 	
 	local nftset_global_whitelist="passwall2_global_whitelist"
 	local nftset_global_whitelist6="passwall2_global_whitelist6"
-	gen_nftset $nftset_global_whitelist ipv4_addr
-	gen_nftset $nftset_global_whitelist6 ipv6_addr
+	gen_nftset $nftset_global_whitelist 0 0 ipv4_addr
+	gen_nftset $nftset_global_whitelist6 0 0 ipv6_addr

 	#  过滤所有节点IP
 	filter_vpsip > /dev/null 2>&1 &
@ -744,13 +761,15 @@ add_firewall_rule() {
 			echolog "加载路由器自身 TCP 代理..."

 			[ "$accept_icmp" = "1" ] && {
-				nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmp ip daddr $FAKE_IP counter redirect"
-				nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmp counter redirect"
+				nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
+				nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
+				nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter return"
 			}

 			[ "$accept_icmpv6" = "1" ] && {
-				nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 counter redirect"
-				nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 counter redirect"
+				nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 counter redirect"
+				nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto counter redirect"
+				nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
 			}

 			[ -n "${is_tproxy}" ] && {
--- a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
+++ b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
@ -396,6 +396,7 @@ local function processData(szType, content, add_mode, add_from)
 		result.address = info.add
 		result.port = info.port
 		result.protocol = 'vmess'
+		result.alter_id = info.aid
 		result.uuid = info.id
 		result.remarks = info.ps
 		-- result.mux = 1