luci-app-passwall: sync upstream

last commit: afff9eec8e
gitea-action 2024-11-07 21:30:45 +08:00
parent 8bb10dd89a
commit 2f44521929
2 changed files with 11 additions and 14 deletions


@ -726,7 +726,7 @@ add_firewall_rule() {
echolog "开始加载防火墙规则..." echolog "开始加载防火墙规则..."
ipset -! create $IPSET_LANLIST nethash maxelem 1048576 ipset -! create $IPSET_LANLIST nethash maxelem 1048576
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576 ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
ipset -! create $IPSET_SHUNTLIST nethash maxelem 1048576 ipset -! create $IPSET_SHUNTLIST nethash maxelem 1048576 timeout 172800
ipset -! create $IPSET_GFW nethash maxelem 1048576 timeout 172800 ipset -! create $IPSET_GFW nethash maxelem 1048576 timeout 172800
ipset -! create $IPSET_CHN nethash maxelem 1048576 timeout 172800 ipset -! create $IPSET_CHN nethash maxelem 1048576 timeout 172800
ipset -! create $IPSET_BLACKLIST nethash maxelem 1048576 timeout 172800 ipset -! create $IPSET_BLACKLIST nethash maxelem 1048576 timeout 172800
@ -735,7 +735,7 @@ add_firewall_rule() {
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_SHUNTLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_SHUNTLIST6 nethash family inet6 maxelem 1048576 timeout 172800
ipset -! create $IPSET_GFW6 nethash family inet6 maxelem 1048576 timeout 172800 ipset -! create $IPSET_GFW6 nethash family inet6 maxelem 1048576 timeout 172800
ipset -! create $IPSET_CHN6 nethash family inet6 maxelem 1048576 timeout 172800 ipset -! create $IPSET_CHN6 nethash family inet6 maxelem 1048576 timeout 172800
ipset -! create $IPSET_BLACKLIST6 nethash family inet6 maxelem 1048576 timeout 172800 ipset -! create $IPSET_BLACKLIST6 nethash family inet6 maxelem 1048576 timeout 172800
@ -745,8 +745,6 @@ add_firewall_rule() {
#分流规则的IP列表 #分流规则的IP列表
local node_protocol=$(config_n_get $TCP_NODE protocol) local node_protocol=$(config_n_get $TCP_NODE protocol)
if [ "$node_protocol" = "_shunt" ]; then if [ "$node_protocol" = "_shunt" ]; then
USE_DIRECT_LIST = "1"
USE_BLOCK_LIST = "1"
local default_node_id=$(config_n_get $TCP_NODE default_node "_direct") local default_node_id=$(config_n_get $TCP_NODE default_node "_direct")
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}') local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
for shunt_id in $shunt_ids; do for shunt_id in $shunt_ids; do
@ -761,7 +759,7 @@ add_firewall_rule() {
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_WHITELIST6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_WHITELIST6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
else else
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNTLIST &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNTLIST &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
[ "$PROXY_IPV6" != "1" ] && { [ "$PROXY_IPV6" = "1" ] && {
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
} }
fi fi
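Review bot: The `timeout 172800` added to the `$IPSET_SHUNTLIST` and `$IPSET_SHUNTLIST6` create lines (hunks at -726 and -735) does not reach the entries loaded in the last hunk, because those are restored with an explicit `timeout 0` and therefore stay permanent; if the set-level value is only meant as a default for entries added elsewhere, say so next to the create lines, e.g. `# set-level timeout is a default only; shunt entries below are added with timeout 0 (permanent)`. Since `ipset -! create` silently keeps a set that already exists, a set left over from an earlier run that was created without the timeout extension would presumably be reused unchanged and the later `add … timeout 0` lines rejected; whether that can happen depends on the teardown path destroying these sets, which is outside these hunks. The `[ "$PROXY_IPV6" = "1" ]` correction on the IPv6 branch is consistent with the IPv4 branch directly above it. add_firewall_rule starts and ends outside these hunks.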


@ -166,8 +166,9 @@ insert_nftset() {
fi fi
mkdir -p $TMP_PATH2/nftset mkdir -p $TMP_PATH2/nftset
cat > "$TMP_PATH2/nftset/$nftset_name" <<-EOF cat > "$TMP_PATH2/nftset/$nftset_name" <<-EOF
define $nftset_name = {$nftset_elements} #define $nftset_name = {$nftset_elements}
add element $NFTABLE_NAME $nftset_name \$$nftset_name #add element $NFTABLE_NAME $nftset_name \$$nftset_name
add element $NFTABLE_NAME $nftset_name {$nftset_elements}
EOF EOF
nft -f "$TMP_PATH2/nftset/$nftset_name" nft -f "$TMP_PATH2/nftset/$nftset_name"
rm -rf "$TMP_PATH2/nftset" rm -rf "$TMP_PATH2/nftset"
@ -811,7 +812,7 @@ add_firewall_rule() {
gen_nftset $NFTSET_BLACKLIST ipv4_addr "2d" 0 $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") gen_nftset $NFTSET_BLACKLIST ipv4_addr "2d" 0 $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
gen_nftset $NFTSET_WHITELIST ipv4_addr "2d" 0 $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") gen_nftset $NFTSET_WHITELIST ipv4_addr "2d" 0 $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
gen_nftset $NFTSET_BLOCKLIST ipv4_addr "2d" 0 $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") gen_nftset $NFTSET_BLOCKLIST ipv4_addr "2d" 0 $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
gen_nftset $NFTSET_SHUNTLIST ipv4_addr 0 0 gen_nftset $NFTSET_SHUNTLIST ipv4_addr "2d" 0
gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0 gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0
gen_nftset $NFTSET_GFW6 ipv6_addr "2d" 0 gen_nftset $NFTSET_GFW6 ipv6_addr "2d" 0
@ -825,13 +826,11 @@ add_firewall_rule() {
gen_nftset $NFTSET_BLACKLIST6 ipv6_addr "2d" 0 $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") gen_nftset $NFTSET_BLACKLIST6 ipv6_addr "2d" 0 $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
gen_nftset $NFTSET_WHITELIST6 ipv6_addr "2d" 0 $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") gen_nftset $NFTSET_WHITELIST6 ipv6_addr "2d" 0 $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
gen_nftset $NFTSET_BLOCKLIST6 ipv6_addr "2d" 0 $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") gen_nftset $NFTSET_BLOCKLIST6 ipv6_addr "2d" 0 $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
gen_nftset $NFTSET_SHUNTLIST6 ipv6_addr 0 0 gen_nftset $NFTSET_SHUNTLIST6 ipv6_addr "2d" 0
#分流规则的IP列表 #分流规则的IP列表
local node_protocol=$(config_n_get $TCP_NODE protocol) local node_protocol=$(config_n_get $TCP_NODE protocol)
if [ "$node_protocol" = "_shunt" ]; then if [ "$node_protocol" = "_shunt" ]; then
USE_DIRECT_LIST = "1"
USE_BLOCK_LIST = "1"
local default_node_id=$(config_n_get $TCP_NODE default_node "_direct") local default_node_id=$(config_n_get $TCP_NODE default_node "_direct")
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}') local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
for shunt_id in $shunt_ids; do for shunt_id in $shunt_ids; do
@ -845,9 +844,9 @@ add_firewall_rule() {
insert_nftset $NFTSET_WHITELIST "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") insert_nftset $NFTSET_WHITELIST "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
insert_nftset $NFTSET_WHITELIST6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") insert_nftset $NFTSET_WHITELIST6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
else else
insert_nftset $NFTSET_SHUNTLIST "-1" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") insert_nftset $NFTSET_SHUNTLIST "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
[ "$PROXY_IPV6" != "1" ] && { [ "$PROXY_IPV6" = "1" ] && {
insert_nftset $NFTSET_SHUNTLIST6 "-1" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") insert_nftset $NFTSET_SHUNTLIST6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
} }
fi fi
} }
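Review bot: It cannot be confirmed from here whether elements inserted with `insert_nftset … "0"` in the last hunk stay permanent now that the shunt sets carry a `"2d"` set-level timeout (hunks at -811 and -825), because insert_nftset's timeout handling lies above the visible part of that function; if `"0"` means "no explicit timeout", the elements inherit the set's two-day default and shunt rule IPs silently expire unless the rules are reloaded, whereas the iptables counterpart in this same commit makes them explicitly permanent with `timeout 0`. Please confirm and document the intent at the gen_nftset calls, e.g. `# shunt entries are permanent; the 2d set timeout only applies to elements added without one`. In the insert_nftset hunk, the two old lines kept as `#` comments inside the heredoc are written into the nft script on every call; drop them rather than comment them out. The `[ "$PROXY_IPV6" = "1" ]` change matches the fix in the iptables file. add_firewall_rule starts and ends outside these hunks.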