diff --git a/luci-app-passwall/Makefile b/luci-app-passwall/Makefile index cd8e5c41c..3313de061 100644 --- a/luci-app-passwall/Makefile +++ b/luci-app-passwall/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall PKG_VERSION:=4.59 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_CONFIG_DEPENDS:= \ CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \ diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index 152e526d1..e52bcf5e9 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh @@ -1312,6 +1312,241 @@ kill_all() { kill -9 $(pidof "$@") >/dev/null 2>&1 } +acl_app() { + local items=$(uci show ${CONFIG} | grep "=acl_rule" | cut -d '.' -sf 2 | cut -d '=' -sf 1) + [ -n "$items" ] && { + local item + local socks_port redir_port dns_port dnsmasq_port chinadns_port + local msg msg2 + socks_port=11100 + redir_port=11200 + dns_port=11300 + dnsmasq_port=11400 + chinadns_port=11500 + for item in $items; do + local enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip + local _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port config_file _extra_param + sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') + eval $(uci -q show "${CONFIG}.${item}" | cut -d'.' -sf 3-) + [ "$enabled" = "1" ] || continue + + [ -z "${sources}" ] && continue + for s in $sources; do + is_iprange=$(lua_api "iprange(\"${s}\")") + if [ "${is_iprange}" = "true" ]; then + rule_list="${rule_list}\niprange:${s}" + elif [ -n "$(echo ${s} | grep '^ipset:')" ]; then + rule_list="${rule_list}\nipset:${s}" + else + _ip_or_mac=$(lua_api "ip_or_mac(\"${s}\")") + if [ "${_ip_or_mac}" = "ip" ]; then + rule_list="${rule_list}\nip:${s}" + elif [ "${_ip_or_mac}" = "mac" ]; then + rule_list="${rule_list}\nmac:${s}" + fi + fi + done + [ -z "${rule_list}" ] && continue + mkdir -p $TMP_ACL_PATH/$sid + echo -e "${rule_list}" > $TMP_ACL_PATH/$sid/rule_list + + tcp_proxy_mode=${tcp_proxy_mode:-default} + udp_proxy_mode=${udp_proxy_mode:-default} + tcp_node=${tcp_node:-default} + udp_node=${udp_node:-default} + filter_proxy_ipv6=${filter_proxy_ipv6:-0} + dns_mode=${dns_mode:-dns2socks} + remote_dns=${remote_dns:-1.1.1.1} + chinadns_ng=${chinadns_ng:-0} + [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ] && { + [ "$v2ray_dns_mode" = "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query} + } + [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE + [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE + + [ "$tcp_node" != "nil" ] && { + if [ "$tcp_node" = "default" ]; then + tcp_node=$TCP_NODE + tcp_port=$TCP_REDIR_PORT + else + [ "$(config_get_type $tcp_node nil)" = "nodes" ] && { + run_dns() { + local _dns_port + [ -n $1 ] && _dns_port=$1 + [ -z ${_dns_port} ] && { + dns_port=$(get_new_port $(expr $dns_port + 1)) + _dns_port=$dns_port + if [ "$dns_mode" = "dns2socks" ]; then + run_dns2socks flag=acl_${sid} socks_address=127.0.0.1 socks_port=$socks_port listen_address=0.0.0.0 listen_port=${_dns_port} dns=$remote_dns cache=1 + elif [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then + config_file=$TMP_ACL_PATH/${tcp_node}_SOCKS_${socks_port}_DNS.json + run_v2ray flag=acl_${sid} type=$dns_mode dns_socks_address=127.0.0.1 dns_socks_port=$socks_port dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh="${remote_dns}" dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY} config_file=$config_file + fi + eval node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)=${_dns_port} + } + + local _dnsmasq_filter_ipv6=$filter_proxy_ipv6 + [ "$tcp_proxy_mode" = "chnroute" ] && [ "$chinadns_ng" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && [ -s "${RULES_PATH}/chnlist" ] && { + chinadns_port=$(expr $chinadns_port + 1) + _china_ng_listen="127.0.0.1#${chinadns_port}" + local _china_ng_chn=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") + local _china_ng_gfw="127.0.0.1#${_dns_port}" + + local _gfwlist_param="${TMP_PATH}/chinadns_gfwlist" + [ ! -s "${_gfwlist_param}" ] && { + [ -s "${RULES_PATH}/gfwlist" ] && cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_param}" + [ -s "${RULES_PATH}/proxy_host" ] && { + cat "${RULES_PATH}/proxy_host" | tr -s '\n' | grep -v "^#" | sort -u >> "${_gfwlist_param}" + } + } + local _chnlist_param="${TMP_PATH}/chinadns_chnlist" + [ ! -s "${_chnlist_param}" ] && { + [ -s "${RULES_PATH}/chnlist" ] && cp -a "${RULES_PATH}/chnlist" "${_chnlist_param}" + [ -s "${RULES_PATH}/direct_host" ] && { + cat "${RULES_PATH}/direct_host" | tr -s '\n' | grep -v "^#" | sort -u >> "${_chnlist_param}" + } + } + _chnlist_param=${_chnlist_param:+-m "${_chnlist_param}" -M} + #local _china_ng_log_file="${TMP_ACL_PATH}/${sid}/chinadns-ng.log" + local _china_ng_log_file="/dev/null" + [ "$filter_proxy_ipv6" = "1" ] && { + local _china_ng_noipv6="-N=gt" + _dnsmasq_filter_ipv6=0 + } + ln_run "$(first_type chinadns-ng)" chinadns-ng "$_china_ng_log_file" -v -b 0.0.0.0 -l "${chinadns_port}" ${_china_ng_chn:+-c "${_china_ng_chn}"} ${_chnlist_param} ${_china_ng_gfw:+-t "${_china_ng_gfw}"} ${_gfwlist_param:+-g "${_gfwlist_param}"} -f ${_china_ng_noipv6} + } + + dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) + redirect_dns_port=$dnsmasq_port + mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d + default_dnsmasq_cfgid=$(uci show dhcp.@dnsmasq[0] | awk -F '.' '{print $2}' | awk -F '=' '{print $1}'| head -1) + [ -s "/tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid}" ] && { + cp -r /tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid} $TMP_ACL_PATH/$sid/dnsmasq.conf + sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf + sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf + sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf + sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf + } + echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + d_server=127.0.0.1 + [ "$tcp_proxy_mode" = "global" ] && { + d_server=${d_server}#${_dns_port} + sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf + sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf + echo "server=${d_server}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + } + lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d \ + -DNSMASQ_CONF_FILE $TMP_ACL_PATH/$sid/dnsmasq.conf -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \ + -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -CHINADNS_DNS ${_china_ng_listen:-0} \ + -TCP_NODE $tcp_node -PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${_dnsmasq_filter_ipv6:-0} -NFTFLAG 0 \ + -NO_LOGIC_LOG 1 + ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid + eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} + } + if [ "$tcp_node" = "$TCP_NODE" ]; then + tcp_port=$TCP_REDIR_PORT + else + _redir_port=$(eval echo \${node_${tcp_node}_redir_port}) + _socks_port=$(eval echo \${node_${tcp_node}_socks_port}) + if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then + socks_port=${_socks_port} + tcp_port=${_redir_port} + _dnsmasq_port=$(eval echo \${node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)}) + if [ -z "${_dnsmasq_port}" ]; then + _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)}) + run_dns ${_dns_port} + else + redirect_dns_port=${_dnsmasq_port} + fi + else + socks_port=$(get_new_port $(expr $socks_port + 1)) + eval node_${tcp_node}_socks_port=$socks_port + redir_port=$(get_new_port $(expr $redir_port + 1)) + eval node_${tcp_node}_redir_port=$redir_port + tcp_port=$redir_port + config_file="acl/${tcp_node}_SOCKS_${socks_port}.json" + + local type=$(echo $(config_n_get $tcp_node type) | tr 'A-Z' 'a-z') + if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then + config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") + _extra_param="socks_address=127.0.0.1 socks_port=$socks_port" + if [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then + config_file=$(echo $config_file | sed "s/SOCKS_${socks_port}/DNS/g") + dns_port=$(get_new_port $(expr $dns_port + 1)) + _dns_port=$dns_port + _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns} dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY}" + fi + config_file="$TMP_PATH/$config_file" + run_v2ray flag=$tcp_node node=$tcp_node tcp_redir_port=$redir_port ${_extra_param} config_file=$config_file + else + run_socks flag=$tcp_node node=$tcp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file + local log_file=$TMP_ACL_PATH/ipt2socks_${tcp_node}_${redir_port}.log + log_file="/dev/null" + run_ipt2socks flag=acl_${tcp_node} tcp_tproxy=${is_tproxy} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file + fi + run_dns ${_dns_port} + fi + echo "${tcp_node}" > $TMP_ACL_PATH/$sid/var_tcp_node + fi + } + fi + echo "${tcp_port}" > $TMP_ACL_PATH/$sid/var_tcp_port + } + [ "$udp_node" != "nil" ] && { + [ "$udp_node" = "tcp" ] && udp_node=$tcp_node + if [ "$udp_node" = "default" ]; then + udp_node=$UDP_NODE + [ "$TCP_UDP" = "1" ] && [ "$udp_node" = "nil" ] && udp_node=$TCP_NODE + udp_port=$UDP_REDIR_PORT + else + [ "$(config_get_type $udp_node nil)" = "nodes" ] && { + if [ "$udp_node" = "$UDP_NODE" ]; then + udp_port=$UDP_REDIR_PORT + else + _redir_port=$(eval echo \${node_${udp_node}_redir_port}) + _socks_port=$(eval echo \${node_${udp_node}_socks_port}) + if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then + socks_port=${_socks_port} + udp_port=${_redir_port} + else + socks_port=$(get_new_port $(expr $socks_port + 1)) + eval node_${udp_node}_socks_port=$socks_port + redir_port=$(get_new_port $(expr $redir_port + 1)) + eval node_${udp_node}_redir_port=$redir_port + udp_port=$redir_port + config_file="acl/${udp_node}_SOCKS_${socks_port}.json" + + local type=$(echo $(config_n_get $udp_node type) | tr 'A-Z' 'a-z') + if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then + config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") + config_file="$TMP_PATH/$config_file" + run_v2ray flag=$udp_node node=$udp_node udp_redir_port=$redir_port config_file=$config_file + else + run_socks flag=$udp_node node=$udp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file + local log_file=$TMP_ACL_PATH/ipt2socks_${udp_node}_${redir_port}.log + log_file="/dev/null" + run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file + fi + fi + echo "${udp_node}" > $TMP_ACL_PATH/$sid/var_udp_node + fi + } + fi + echo "${udp_port}" > $TMP_ACL_PATH/$sid/var_udp_port + udp_flag=1 + } + [ -n $redirect_dns_port ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port + unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip + unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port config_file _extra_param + unset _china_ng_listen _china_ng_chn _china_ng_gfw _gfwlist_param _chnlist_param _china_ng_log_file _china_ng_noipv6 _dnsmasq_filter_ipv6 + unset redirect_dns_port + done + unset socks_port redir_port dns_port dnsmasq_port chinadns_port + } +} + boot() { local delay=$(config_t_get global_delay start_delay 1) if [ "$delay" -gt 0 ]; then diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh index 7385a66c1..fa807a2ac 100755 --- a/luci-app-passwall/root/usr/share/passwall/iptables.sh +++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh @@ -260,391 +260,181 @@ get_wan6_ip() { } load_acl() { - local items=$(uci show ${CONFIG} | grep "=acl_rule" | cut -d '.' -sf 2 | cut -d '=' -sf 1) - [ -n "$items" ] && { - local item - local socks_port redir_port dns_port dnsmasq_port chinadns_port - local ipt_tmp msg msg2 - socks_port=11100 - redir_port=11200 - dns_port=11300 - dnsmasq_port=11400 - chinadns_port=11500 - echolog "访问控制:" - for item in $items; do - local enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip - local _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark config_file _extra_param - sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') - eval $(uci -q show "${CONFIG}.${item}" | cut -d'.' -sf 3-) - [ "$enabled" = "1" ] || continue + acl_app + echolog "访问控制:" + for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do + eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-) + + tcp_proxy_mode=${tcp_proxy_mode:-default} + udp_proxy_mode=${udp_proxy_mode:-default} + tcp_no_redir_ports=${tcp_no_redir_ports:-default} + udp_no_redir_ports=${udp_no_redir_ports:-default} + tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default} + udp_proxy_drop_ports=${udp_proxy_drop_ports:-default} + tcp_redir_ports=${tcp_redir_ports:-default} + udp_redir_ports=${udp_redir_ports:-default} + tcp_node=${tcp_node:-default} + udp_node=${udp_node:-default} + [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE + [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE + [ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS + [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS + [ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS + [ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS + [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS + [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS + + [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_node" ] && tcp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_node) + [ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node) + [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port) + [ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port) + [ -n $tcp_node ] && tcp_node_remark=$(config_n_get $tcp_node remarks) + [ -n $udp_node ] && udp_node_remark=$(config_n_get $udp_node remarks) + + for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do + if [ -n "$(echo ${i} | grep '^iprange:')" ]; then + _iprange=$(echo ${i} | sed 's#iprange:##g') + _ipt_source=$(factor ${_iprange} "-m iprange --src-range") + msg="备注【$remarks】,IP range【${_iprange}】," + elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then + _ipset=$(echo ${i} | sed 's#ipset:##g') + _ipt_source="-m set --match-set ${_ipset} src" + msg="备注【$remarks】,IPset【${_ipset}】," + elif [ -n "$(echo ${i} | grep '^ip:')" ]; then + _ip=$(echo ${i} | sed 's#ip:##g') + _ipt_source=$(factor ${_ip} "-s") + msg="备注【$remarks】,IP【${_ip}】," + elif [ -n "$(echo ${i} | grep '^mac:')" ]; then + _mac=$(echo ${i} | sed 's#mac:##g') + _ipt_source=$(factor ${_mac} "-m mac --mac-source") + msg="备注【$remarks】,MAC【${_mac}】," + else + continue + fi - [ -z "${sources}" ] && continue - for s in $sources; do - is_iprange=$(lua_api "iprange(\"${s}\")") - if [ "${is_iprange}" = "true" ]; then - rule_list="${rule_list}\niprange:${s}" - elif [ -n "$(echo ${s} | grep '^ipset:')" ]; then - rule_list="${rule_list}\nipset:${s}" - else - _ip_or_mac=$(lua_api "ip_or_mac(\"${s}\")") - if [ "${_ip_or_mac}" = "ip" ]; then - rule_list="${rule_list}\nip:${s}" - elif [ "${_ip_or_mac}" = "mac" ]; then - rule_list="${rule_list}\nmac:${s}" + ipt_tmp=$ipt_n + [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m + + [ -n "$tcp_port" ] && { + if [ "$tcp_proxy_mode" != "disable" ]; then + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) + msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${tcp_port})代理" + ipt_tmp=$ipt_m + else + msg2="${msg2}(REDIRECT:${tcp_port})代理" fi - fi - done - [ -z "${rule_list}" ] && continue - - tcp_proxy_mode=${tcp_proxy_mode:-default} - udp_proxy_mode=${udp_proxy_mode:-default} - tcp_no_redir_ports=${tcp_no_redir_ports:-default} - udp_no_redir_ports=${udp_no_redir_ports:-default} - tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default} - udp_proxy_drop_ports=${udp_proxy_drop_ports:-default} - tcp_redir_ports=${tcp_redir_ports:-default} - udp_redir_ports=${udp_redir_ports:-default} - tcp_node=${tcp_node:-default} - udp_node=${udp_node:-default} - filter_proxy_ipv6=${filter_proxy_ipv6:-0} - dns_mode=${dns_mode:-dns2socks} - remote_dns=${remote_dns:-1.1.1.1} - chinadns_ng=${chinadns_ng:-0} - [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ] && { - [ "$v2ray_dns_mode" = "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query} - } - [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE - [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE - [ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS - [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS - [ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS - [ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS - [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS - [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS - [ "$tcp_node" != "nil" ] && { - if [ "$tcp_node" = "default" ]; then - tcp_node=$TCP_NODE - tcp_port=$TCP_REDIR_PORT - else - [ "$(config_get_type $tcp_node nil)" = "nodes" ] && { - run_dns() { - local _dns_port - [ -n $1 ] && _dns_port=$1 - [ -z ${_dns_port} ] && { - dns_port=$(get_new_port $(expr $dns_port + 1)) - _dns_port=$dns_port - if [ "$dns_mode" = "dns2socks" ]; then - run_dns2socks flag=acl_${sid} socks_address=127.0.0.1 socks_port=$socks_port listen_address=0.0.0.0 listen_port=${_dns_port} dns=$remote_dns cache=1 - elif [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then - config_file=$TMP_ACL_PATH/${tcp_node}_SOCKS_${socks_port}_DNS.json - run_v2ray flag=acl_${sid} type=$dns_mode dns_socks_address=127.0.0.1 dns_socks_port=$socks_port dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh="${remote_dns}" dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY} config_file=$config_file - fi - eval node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)=${_dns_port} - } - - local _dnsmasq_filter_ipv6=$filter_proxy_ipv6 - [ "$tcp_proxy_mode" = "chnroute" ] && [ "$chinadns_ng" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && [ -s "${RULES_PATH}/chnlist" ] && { - chinadns_port=$(expr $chinadns_port + 1) - _china_ng_listen="127.0.0.1#${chinadns_port}" - local _china_ng_chn=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") - local _china_ng_gfw="127.0.0.1#${_dns_port}" - - local gfwlist_param="${TMP_PATH}/chinadns_gfwlist" - [ ! -s "${gfwlist_param}" ] && { - [ -s "${RULES_PATH}/gfwlist" ] && cp -a "${RULES_PATH}/gfwlist" "${gfwlist_param}" - [ -s "${RULES_PATH}/proxy_host" ] && { - cat "${RULES_PATH}/proxy_host" | tr -s '\n' | grep -v "^#" | sort -u >> "${gfwlist_param}" - } - } - local chnlist_param="${TMP_PATH}/chinadns_chnlist" - [ ! -s "${chnlist_param}" ] && { - [ -s "${RULES_PATH}/chnlist" ] && cp -a "${RULES_PATH}/chnlist" "${chnlist_param}" - [ -s "${RULES_PATH}/direct_host" ] && { - cat "${RULES_PATH}/direct_host" | tr -s '\n' | grep -v "^#" | sort -u >> "${chnlist_param}" - } - } - chnlist_param=${chnlist_param:+-m "${chnlist_param}" -M} - local log_path="${TMP_ACL_PATH}/${sid}/chinadns-ng.log" - log_path="/dev/null" - [ "$filter_proxy_ipv6" = "1" ] && { - local noipv6="-N=gt" - _dnsmasq_filter_ipv6=0 - } - ln_run "$(first_type chinadns-ng)" chinadns-ng "$log_path" -v -b 0.0.0.0 -l "${chinadns_port}" ${_china_ng_chn:+-c "${_china_ng_chn}"} ${chnlist_param} ${_china_ng_gfw:+-t "${_china_ng_gfw}"} ${gfwlist_param:+-g "${gfwlist_param}"} -f ${noipv6} - } - - dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) - redirect_dns_port=$dnsmasq_port - mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d - default_dnsmasq_cfgid=$(uci show dhcp.@dnsmasq[0] | awk -F '.' '{print $2}' | awk -F '=' '{print $1}'| head -1) - [ -s "/tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid}" ] && { - cp -r /tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid} $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - } - echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - d_server=127.0.0.1 - [ "$tcp_proxy_mode" = "global" ] && { - d_server=${d_server}#${_dns_port} - sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "server=${d_server}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - } - lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d \ - -DNSMASQ_CONF_FILE $TMP_ACL_PATH/$sid/dnsmasq.conf -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \ - -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -CHINADNS_DNS ${_china_ng_listen:-0} \ - -TCP_NODE $tcp_node -PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${_dnsmasq_filter_ipv6:-0} -NFTFLAG 0 \ - -NO_LOGIC_LOG 1 - ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid - eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} - } - if [ "$tcp_node" = "$TCP_NODE" ]; then - tcp_port=$TCP_REDIR_PORT - else - _redir_port=$(eval echo \${node_${tcp_node}_redir_port}) - _socks_port=$(eval echo \${node_${tcp_node}_socks_port}) - if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then - socks_port=${_socks_port} - tcp_port=${_redir_port} - _dnsmasq_port=$(eval echo \${node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)}) - if [ -z "${_dnsmasq_port}" ]; then - _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)}) - run_dns ${_dns_port} - else - redirect_dns_port=${_dnsmasq_port} - fi - else - socks_port=$(get_new_port $(expr $socks_port + 1)) - eval node_${tcp_node}_socks_port=$socks_port - redir_port=$(get_new_port $(expr $redir_port + 1)) - eval node_${tcp_node}_redir_port=$redir_port - tcp_port=$redir_port - config_file="acl/${tcp_node}_SOCKS_${socks_port}.json" - - local type=$(echo $(config_n_get $tcp_node type) | tr 'A-Z' 'a-z') - if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then - config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") - _extra_param="socks_address=127.0.0.1 socks_port=$socks_port" - if [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then - config_file=$(echo $config_file | sed "s/SOCKS_${socks_port}/DNS/g") - dns_port=$(get_new_port $(expr $dns_port + 1)) - _dns_port=$dns_port - _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns} dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY}" - fi - config_file="$TMP_PATH/$config_file" - run_v2ray flag=$tcp_node node=$tcp_node tcp_redir_port=$redir_port ${_extra_param} config_file=$config_file - else - run_socks flag=$tcp_node node=$tcp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file - local log_file=$TMP_ACL_PATH/ipt2socks_${tcp_node}_${redir_port}.log - log_file="/dev/null" - run_ipt2socks flag=acl_${tcp_node} tcp_tproxy=${is_tproxy} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file - fi - run_dns ${_dns_port} - fi - filter_node $tcp_node TCP > /dev/null 2>&1 & - filter_node $tcp_node UDP > /dev/null 2>&1 & - fi + + [ "$accept_icmp" = "1" ] && { + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT) + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT) + $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode) } - fi - tcp_node_remark=$(config_n_get $tcp_node remarks) - } - [ "$udp_node" != "nil" ] && { - [ "$udp_node" = "tcp" ] && udp_node=$tcp_node - if [ "$udp_node" = "default" ]; then - udp_node=$UDP_NODE - [ "$TCP_UDP" = "1" ] && [ "$udp_node" = "nil" ] && udp_node=$TCP_NODE - udp_port=$UDP_REDIR_PORT - else - [ "$(config_get_type $udp_node nil)" = "nodes" ] && { - if [ "$udp_node" = "$UDP_NODE" ]; then - udp_port=$UDP_REDIR_PORT - else - _redir_port=$(eval echo \${node_${udp_node}_redir_port}) - _socks_port=$(eval echo \${node_${udp_node}_socks_port}) - if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then - socks_port=${_socks_port} - udp_port=${_redir_port} - else - socks_port=$(get_new_port $(expr $socks_port + 1)) - eval node_${udp_node}_socks_port=$socks_port - redir_port=$(get_new_port $(expr $redir_port + 1)) - eval node_${udp_node}_redir_port=$redir_port - udp_port=$redir_port - config_file="acl/${udp_node}_SOCKS_${socks_port}.json" - - local type=$(echo $(config_n_get $udp_node type) | tr 'A-Z' 'a-z') - if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then - config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") - config_file="$TMP_PATH/$config_file" - run_v2ray flag=$udp_node node=$udp_node udp_redir_port=$redir_port config_file=$config_file - else - run_socks flag=$udp_node node=$udp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file - local log_file=$TMP_ACL_PATH/ipt2socks_${udp_node}_${redir_port}.log - log_file="/dev/null" - run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file - fi - fi - filter_node $udp_node TCP > /dev/null 2>&1 & - filter_node $udp_node UDP > /dev/null 2>&1 & - fi + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null + $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null + $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null } - fi - udp_node_remark=$(config_n_get $udp_node remarks) - udp_flag=1 - } - - for i in $(echo -e ${rule_list}); do - if [ -n "$(echo ${i} | grep '^iprange:')" ]; then - _iprange=$(echo ${i} | sed 's#iprange:##g') - _ipt_source=$(factor ${_iprange} "-m iprange --src-range") - msg="备注【$remarks】,IP range【${_iprange}】," - elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then - _ipset=$(echo ${i} | sed 's#ipset:##g') - _ipt_source="-m set --match-set ${_ipset} src" - msg="备注【$remarks】,IPset【${_ipset}】," - elif [ -n "$(echo ${i} | grep '^ip:')" ]; then - _ip=$(echo ${i} | sed 's#ip:##g') - _ipt_source=$(factor ${_ip} "-s") - msg="备注【$remarks】,IP【${_ip}】," - elif [ -n "$(echo ${i} | grep '^mac:')" ]; then - _mac=$(echo ${i} | sed 's#mac:##g') - _ipt_source=$(factor ${_mac} "-m mac --mac-source") - msg="备注【$remarks】,MAC【${_mac}】," - else - continue - fi - - ipt_tmp=$ipt_n - [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m - - [ -n "$tcp_port" ] && { - if [ "$tcp_proxy_mode" != "disable" ]; then - [ -n "$redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $redirect_dns_port - msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" - if [ -n "${is_tproxy}" ]; then - msg2="${msg2}(TPROXY:${tcp_port})代理" - ipt_tmp=$ipt_m - else - msg2="${msg2}(REDIRECT:${tcp_port})代理" - fi - - [ "$accept_icmp" = "1" ] && { - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT) - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT) - $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode) - } - - [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { - $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null - $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null - $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null - } - - [ "$tcp_no_redir_ports" != "disable" ] && { - $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null - $ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN - msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" - - [ "$tcp_proxy_drop_ports" != "disable" ] && { - [ "$PROXY_IPV6" == "1" ] && { - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null - [ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j DROP 2>/dev/null - } - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP - [ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j DROP - msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" - } - - if [ "${ipt_tmp}" = "${ipt_n}" ]; then - $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port) - $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port) - $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port) - $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port) - else - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) - fi + + [ "$tcp_no_redir_ports" != "disable" ] && { + $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null + $ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN + msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" + + [ "$tcp_proxy_drop_ports" != "disable" ] && { [ "$PROXY_IPV6" == "1" ] && { - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null + [ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j DROP 2>/dev/null } - else - msg2="${msg}不代理TCP" - fi - echolog " - ${msg2}" - } - - $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null - $ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN - - [ "$udp_proxy_drop_ports" != "disable" ] && { - [ "$PROXY_IPV6" == "1" ] && { - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null - [ "$udp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j DROP 2>/dev/null + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP + [ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j DROP + msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" } - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP - [ "$udp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j DROP - msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}" - } - - [ -n "$udp_port" ] && { - if [ "$udp_proxy_mode" != "disable" ]; then - msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]" - msg2="${msg2}(TPROXY:${udp_port})代理" - [ "$udp_no_redir_ports" != "disable" ] && { - $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null - $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN - msg2="${msg2}[$?]除${udp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" - - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE - $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) - - [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null - $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null - } + + if [ "${ipt_tmp}" = "${ipt_n}" ]; then + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port) + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port) + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port) + $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port) else - msg2="${msg}不代理UDP" + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) fi - echolog " - ${msg2}" - } - $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null - $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN - done - unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip - unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark config_file _extra_param - unset ipt_tmp msg msg2 - unset redirect_dns_port - done - unset socks_port redir_port dns_port dnsmasq_port chinadns_port - unset ipt_tmp msg msg2 - } + [ "$PROXY_IPV6" == "1" ] && { + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null + } + else + msg2="${msg}不代理TCP" + fi + echolog " - ${msg2}" + } + $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null + $ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN + + [ "$udp_proxy_drop_ports" != "disable" ] && { + [ "$PROXY_IPV6" == "1" ] && { + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null + [ "$udp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j DROP 2>/dev/null + } + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP + [ "$udp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j DROP + msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}" + } + + [ -n "$udp_port" ] && { + if [ "$udp_proxy_mode" != "disable" ]; then + msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]" + msg2="${msg2}(TPROXY:${udp_port})代理" + [ "$udp_no_redir_ports" != "disable" ] && { + $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null + $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN + msg2="${msg2}[$?]除${udp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" + + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null + } + else + msg2="${msg}不代理UDP" + fi + echolog " - ${msg2}" + } + $ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null + $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN + done + unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node + unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark + unset ipt_tmp msg msg2 + done + # 加载TCP默认代理模式 [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { [ "$PROXY_IPV6" == "1" ] && { diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh index 6fd4e0abf..5aeb3a074 100755 --- a/luci-app-passwall/root/usr/share/passwall/nftables.sh +++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh @@ -271,355 +271,177 @@ get_wan6_ip() { } load_acl() { - local items=$(uci show ${CONFIG} | grep "=acl_rule" | cut -d '.' -sf 2 | cut -d '=' -sf 1) - [ -n "$items" ] && { - local item - local socks_port redir_port dns_port dnsmasq_port - local ipt_tmp msg msg2 - socks_port=11100 - redir_port=11200 - dns_port=11300 - dnsmasq_port=11400 - echolog "访问控制:" - for item in $items; do - local enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip - local _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark config_file _extra_param - sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') - eval $(uci -q show "${CONFIG}.${item}" | cut -d'.' -sf 3-) - [ "$enabled" = "1" ] || continue - - [ -z "${sources}" ] && continue - for s in $sources; do - is_iprange=$(lua_api "iprange(\"${s}\")") - if [ "${is_iprange}" = "true" ]; then - rule_list="${rule_list}\niprange:${s}" - elif [ -n "$(echo ${s} | grep '^ipset:')" ]; then - rule_list="${rule_list}\nipset:${s}" - else - _ip_or_mac=$(lua_api "ip_or_mac(\"${s}\")") - if [ "${_ip_or_mac}" = "ip" ]; then - rule_list="${rule_list}\nip:${s}" - elif [ "${_ip_or_mac}" = "mac" ]; then - rule_list="${rule_list}\nmac:${s}" + acl_app + echolog "访问控制:" + for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do + eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-) + + tcp_proxy_mode=${tcp_proxy_mode:-default} + udp_proxy_mode=${udp_proxy_mode:-default} + tcp_no_redir_ports=${tcp_no_redir_ports:-default} + udp_no_redir_ports=${udp_no_redir_ports:-default} + tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default} + udp_proxy_drop_ports=${udp_proxy_drop_ports:-default} + tcp_redir_ports=${tcp_redir_ports:-default} + udp_redir_ports=${udp_redir_ports:-default} + tcp_node=${tcp_node:-default} + udp_node=${udp_node:-default} + [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE + [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE + [ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS + [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS + [ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS + [ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS + [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS + [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS + + [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_node" ] && tcp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_node) + [ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node) + [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port) + [ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port) + [ -n $tcp_node ] && tcp_node_remark=$(config_n_get $tcp_node remarks) + [ -n $udp_node ] && udp_node_remark=$(config_n_get $udp_node remarks) + + for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do + if [ -n "$(echo ${i} | grep '^iprange:')" ]; then + _iprange=$(echo ${i} | sed 's#iprange:##g') + _ipt_source=$(factor ${_iprange} "-m iprange --src-range") + msg="备注【$remarks】,IP range【${_iprange}】," + elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then + _ipset=$(echo ${i} | sed 's#ipset:##g') + _ipt_source="-m set --match-set ${_ipset} src" + msg="备注【$remarks】,IPset【${_ipset}】," + elif [ -n "$(echo ${i} | grep '^ip:')" ]; then + _ip=$(echo ${i} | sed 's#ip:##g') + _ipt_source=$(factor ${_ip} "-s") + msg="备注【$remarks】,IP【${_ip}】," + elif [ -n "$(echo ${i} | grep '^mac:')" ]; then + _mac=$(echo ${i} | sed 's#mac:##g') + _ipt_source=$(factor ${_mac} "-m mac --mac-source") + msg="备注【$remarks】,MAC【${_mac}】," + else + continue + fi + + [ -n "$tcp_port" ] && { + if [ "$tcp_proxy_mode" != "disable" ]; then + [ -n "$redirect_dns_port" ] && nft "add rule inet fw4 PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $redirect_dns_port comment \"$remarks\"" + msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${tcp_port})代理" + else + msg2="${msg2}(REDIRECT:${tcp_port})代理" fi - fi - done - [ -z "${rule_list}" ] && continue - - tcp_proxy_mode=${tcp_proxy_mode:-default} - udp_proxy_mode=${udp_proxy_mode:-default} - tcp_no_redir_ports=${tcp_no_redir_ports:-default} - udp_no_redir_ports=${udp_no_redir_ports:-default} - tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default} - udp_proxy_drop_ports=${udp_proxy_drop_ports:-default} - tcp_redir_ports=${tcp_redir_ports:-default} - udp_redir_ports=${udp_redir_ports:-default} - tcp_node=${tcp_node:-default} - udp_node=${udp_node:-default} - filter_proxy_ipv6=${filter_proxy_ipv6:-0} - dns_mode=${dns_mode:-dns2socks} - remote_dns=${remote_dns:-1.1.1.1} - [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ] && { - [ "$v2ray_dns_mode" = "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query} - } - [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE - [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE - [ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS - [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS - [ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS - [ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS - [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS - [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS - [ "$tcp_node" != "nil" ] && { - if [ "$tcp_node" = "default" ]; then - tcp_node=$TCP_NODE - tcp_port=$TCP_REDIR_PORT - else - [ "$(config_get_type $tcp_node nil)" = "nodes" ] && { - run_dns() { - local _dns_port - [ -n $1 ] && _dns_port=$1 - [ -z ${_dns_port} ] && { - dns_port=$(get_new_port $(expr $dns_port + 1)) - _dns_port=$dns_port - if [ "$dns_mode" = "dns2socks" ]; then - run_dns2socks flag=acl_${sid} socks_address=127.0.0.1 socks_port=$socks_port listen_address=0.0.0.0 listen_port=${_dns_port} dns=$remote_dns cache=1 - elif [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then - config_file=$TMP_ACL_PATH/${tcp_node}_SOCKS_${socks_port}_DNS.json - run_v2ray flag=acl_${sid} type=$dns_mode dns_socks_address=127.0.0.1 dns_socks_port=$socks_port dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh="${remote_dns}" dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY} config_file=$config_file - fi - eval node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)=${_dns_port} - } - - dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) - redirect_dns_port=$dnsmasq_port - mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d - default_dnsmasq_cfgid=$(uci show dhcp.@dnsmasq[0] | awk -F '.' '{print $2}' | awk -F '=' '{print $1}'| head -1) - [ -s "/tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid}" ] && { - cp -r /tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid} $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - } - echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "conf-dir=${TMP_ACL_PATH}/${sid}/dnsmasq.d" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - d_server=127.0.0.1 - [ "$tcp_proxy_mode" = "global" ] && { - d_server=${d_server}#${_dns_port} - sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "server=${d_server}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - } - lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d \ - -DNSMASQ_CONF_FILE "nil" -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \ - -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -CHINADNS_DNS 0 \ - -TCP_NODE $tcp_node -PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${filter_proxy_ipv6:-0} -NFTFLAG 1 \ - -NO_LOGIC_LOG 1 - ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid - eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} - } - if [ "$tcp_node" = "$TCP_NODE" ]; then - tcp_port=$TCP_REDIR_PORT - else - _redir_port=$(eval echo \${node_${tcp_node}_redir_port}) - _socks_port=$(eval echo \${node_${tcp_node}_socks_port}) - if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then - socks_port=${_socks_port} - tcp_port=${_redir_port} - _dnsmasq_port=$(eval echo \${node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)}) - if [ -z "${_dnsmasq_port}" ]; then - _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)}) - run_dns ${_dns_port} - else - redirect_dns_port=${_dnsmasq_port} - fi - else - socks_port=$(get_new_port $(expr $socks_port + 1)) - eval node_${tcp_node}_socks_port=$socks_port - redir_port=$(get_new_port $(expr $redir_port + 1)) - eval node_${tcp_node}_redir_port=$redir_port - tcp_port=$redir_port - config_file="acl/${tcp_node}_SOCKS_${socks_port}.json" - - local type=$(echo $(config_n_get $tcp_node type) | tr 'A-Z' 'a-z') - if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then - config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") - _extra_param="socks_address=127.0.0.1 socks_port=$socks_port" - if [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then - config_file=$(echo $config_file | sed "s/SOCKS_${socks_port}/DNS/g") - dns_port=$(get_new_port $(expr $dns_port + 1)) - _dns_port=$dns_port - _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns} dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY}" - fi - config_file="$TMP_PATH/$config_file" - run_v2ray flag=$tcp_node node=$tcp_node tcp_redir_port=$redir_port ${_extra_param} config_file=$config_file - else - run_socks flag=$tcp_node node=$tcp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file - local log_file=$TMP_ACL_PATH/ipt2socks_${tcp_node}_${redir_port}.log - log_file="/dev/null" - run_ipt2socks flag=acl_${tcp_node} tcp_tproxy=${is_tproxy} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file - fi - run_dns ${_dns_port} - fi - filter_node $tcp_node TCP > /dev/null 2>&1 & - filter_node $tcp_node UDP > /dev/null 2>&1 & - fi + + [ "$accept_icmp" = "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(get_redirect_ipv4 $tcp_proxy_mode) comment \"$remarks\"" } - fi - tcp_node_remark=$(config_n_get $tcp_node remarks) - } - [ "$udp_node" != "nil" ] && { - [ "$udp_node" = "tcp" ] && udp_node=$tcp_node - if [ "$udp_node" = "default" ]; then - udp_node=$UDP_NODE - [ "$TCP_UDP" = "1" ] && [ "$udp_node" = "nil" ] && udp_node=$TCP_NODE - udp_port=$UDP_REDIR_PORT - else - [ "$(config_get_type $udp_node nil)" = "nodes" ] && { - if [ "$udp_node" = "$UDP_NODE" ]; then - udp_port=$UDP_REDIR_PORT - else - _redir_port=$(eval echo \${node_${udp_node}_redir_port}) - _socks_port=$(eval echo \${node_${udp_node}_socks_port}) - if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then - socks_port=${_socks_port} - udp_port=${_redir_port} - else - socks_port=$(get_new_port $(expr $socks_port + 1)) - eval node_${udp_node}_socks_port=$socks_port - redir_port=$(get_new_port $(expr $redir_port + 1)) - eval node_${udp_node}_redir_port=$redir_port - udp_port=$redir_port - config_file="acl/${udp_node}_SOCKS_${socks_port}.json" - local type=$(echo $(config_n_get $udp_node type) | tr 'A-Z' 'a-z') - if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then - config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") - config_file="$TMP_PATH/$config_file" - run_v2ray flag=$udp_node node=$udp_node udp_redir_port=$redir_port config_file=$config_file - else - run_socks flag=$udp_node node=$udp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file - local log_file=$TMP_ACL_PATH/ipt2socks_${udp_node}_${redir_port}.log - log_file="/dev/null" - run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file - fi - fi - filter_node $udp_node TCP > /dev/null 2>&1 & - filter_node $udp_node UDP > /dev/null 2>&1 & - fi + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" 2>/dev/null } - fi - udp_node_remark=$(config_n_get $udp_node remarks) - udp_flag=1 - } - - for i in $(echo -e ${rule_list}); do - if [ -n "$(echo ${i} | grep '^iprange:')" ]; then - _iprange=$(echo ${i} | sed 's#iprange:##g') - _ipt_source=$(factor ${_iprange} "ip saddr") - msg="备注【$remarks】,IP range【${_iprange}】," - elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then - _ipset=$(echo ${i} | sed 's#ipset:##g') - _ipt_source="ip daddr @${_ipset}" - msg="备注【$remarks】,NFTset【${_ipset}】," - elif [ -n "$(echo ${i} | grep '^ip:')" ]; then - _ip=$(echo ${i} | sed 's#ip:##g') - _ipt_source=$(factor ${_ip} "ip saddr") - msg="备注【$remarks】,IP【${_ip}】," - elif [ -n "$(echo ${i} | grep '^mac:')" ]; then - _mac=$(echo ${i} | sed 's#mac:##g') - _ipt_source=$(factor ${_mac} "ether saddr") - msg="备注【$remarks】,MAC【${_mac}】," - else - continue - fi - [ -n "$tcp_port" ] && { - if [ "$tcp_proxy_mode" != "disable" ]; then - [ -n "$redirect_dns_port" ] && nft "add rule inet fw4 PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $redirect_dns_port comment \"$remarks\"" - msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" - if [ -n "${is_tproxy}" ]; then - msg2="${msg2}(TPROXY:${tcp_port})代理" - else - msg2="${msg2}(REDIRECT:${tcp_port})代理" - fi - - [ "$accept_icmp" = "1" ] && { - nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" - nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"$remarks\"" - nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\"" - nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(get_redirect_ipv4 $tcp_proxy_mode) comment \"$remarks\"" - } - - [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" 2>/dev/null - } - - [ "$tcp_no_redir_ports" != "disable" ] && { - nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE_V6 comment ${_ipt_source} meta l4proto tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\"" - msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" - - [ "$tcp_proxy_drop_ports" != "disable" ] && { - [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null - [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null - } - nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" - nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" - nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" - [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter drop comment \"$remarks\"" - msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" - } - - if [ -z "${is_tproxy}" ]; then - nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\"" - nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\"" - nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\"" - nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\"" - else - nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" " - nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE meta nfproto {ipv4} meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY4) comment \"$remarks\"" - fi + [ "$tcp_no_redir_ports" != "disable" ] && { + nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 comment ${_ipt_source} meta l4proto tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\"" + msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" + [ "$tcp_proxy_drop_ports" != "disable" ] && { [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null + [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null } - else - msg2="${msg}不代理TCP" - fi - echolog " - ${msg2}" - } - - nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null - - [ "$udp_proxy_drop_ports" != "disable" ] && { - [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null - [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" + [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter drop comment \"$remarks\"" + msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" } - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null - [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null - msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}" - } - [ -n "$udp_port" ] && { - if [ "$udp_proxy_mode" != "disable" ]; then - msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]" - msg2="${msg2}(TPROXY:${udp_port})代理" - [ "$udp_no_redir_ports" != "disable" ] && { - nft add rule inet fw4 PSW_MANGLE meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return - nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return 2>/dev/null - msg2="${msg2}[$?]除${udp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" - - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) jump PSW_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\"" - - [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" 2>/dev/null - } + if [ -z "${is_tproxy}" ]; then + nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\"" else - msg2="${msg}不代理UDP" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" " + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE meta nfproto {ipv4} meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY4) comment \"$remarks\"" fi - echolog " - ${msg2}" + + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" 2>/dev/null + } + else + msg2="${msg}不代理TCP" + fi + echolog " - ${msg2}" + } + + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null + + [ "$udp_proxy_drop_ports" != "disable" ] && { + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null + [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null } - nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null - done - unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip - unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark config_file _extra_param - unset ipt_tmp msg msg2 - unset redirect_dns_port + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null + [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null + msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}" + } + + [ -n "$udp_port" ] && { + if [ "$udp_proxy_mode" != "disable" ]; then + msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]" + msg2="${msg2}(TPROXY:${udp_port})代理" + [ "$udp_no_redir_ports" != "disable" ] && { + nft add rule inet fw4 PSW_MANGLE meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return + nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return 2>/dev/null + msg2="${msg2}[$?]除${udp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" + + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\"" + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" 2>/dev/null + } + else + msg2="${msg}不代理UDP" + fi + echolog " - ${msg2}" + } + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null done - unset socks_port redir_port dns_port dnsmasq_port + unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node + unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark unset ipt_tmp msg msg2 - } + done # 加载TCP默认代理模式 [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {