luci: optimization acl logic

This commit is contained in:
xiaorouji 2023-03-06 17:34:47 +08:00 committed by sbwml
parent df434fb899
commit 364731602e
5 changed files with 898 additions and 869 deletions


@ -5,10 +5,17 @@ local has_chnlist = api.fs.access("/usr/share/passwall/rules/chnlist")
m = Map(appname) m = Map(appname)
s = m:section(TypedSection, "global", translate("ACLs"), "<font color='red'>" .. translate("ACLs is a tools which used to designate specific IP proxy mode.") .. "</font>")
s.anonymous = true
o = s:option(Flag, "acl_enable", translate("Main switch"))
o.rmempty = false
o.default = false
local global_proxy_mode = (m:get("@global[0]", "tcp_proxy_mode") or "") .. (m:get("@global[0]", "udp_proxy_mode") or "") local global_proxy_mode = (m:get("@global[0]", "tcp_proxy_mode") or "") .. (m:get("@global[0]", "udp_proxy_mode") or "")
-- [[ ACLs Settings ]]-- -- [[ ACLs Settings ]]--
s = m:section(TypedSection, "acl_rule", translate("ACLs"), "<font color='red'>" .. translate("ACLs is a tools which used to designate specific IP proxy mode.") .. "</font>") s = m:section(TypedSection, "acl_rule")
s.template = "cbi/tblsection" s.template = "cbi/tblsection"
s.sortable = true s.sortable = true
s.anonymous = true s.anonymous = true
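Review bot: The new main switch `o = s:option(Flag, "acl_enable", translate("Main switch"))` carries no description, so the form does not tell the user what the flag gates; judging from app.sh in this commit (`ENABLED_ACLS`), it decides whether the acl_rule entries below are applied at all. A fourth argument such as `translate("When disabled, the ACL rules below are not applied.")` would state that next to the checkbox. The red "ACLs" caption was moved from the acl_rule section to the new global section, so the rule table itself now renders with no heading; if that is unintended, `s = m:section(TypedSection, "acl_rule", translate("ACLs"))` keeps the heading on the table.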


@ -12,6 +12,7 @@ config global
option udp_proxy_mode 'chnroute' option udp_proxy_mode 'chnroute'
option localhost_tcp_proxy_mode 'default' option localhost_tcp_proxy_mode 'default'
option localhost_udp_proxy_mode 'default' option localhost_udp_proxy_mode 'default'
option acl_enable '0'
option close_log_tcp '0' option close_log_tcp '0'
option close_log_udp '0' option close_log_udp '0'
option loglevel 'error' option loglevel 'error'


@ -25,7 +25,7 @@ TUN_DNS="127.0.0.1#${DNS_PORT}"
LOCAL_DNS=119.29.29.29 LOCAL_DNS=119.29.29.29
DEFAULT_DNS= DEFAULT_DNS=
IFACES= IFACES=
NO_PROXY=0 ENABLED_DEFAULT_ACL=0
PROXY_IPV6=0 PROXY_IPV6=0
PROXY_IPV6_UDP=0 PROXY_IPV6_UDP=0
resolve_dns=0 resolve_dns=0
@ -1023,7 +1023,7 @@ start_crontab() {
rm -rf $TMP_SUB_PATH rm -rf $TMP_SUB_PATH
} }
if [ "$NO_PROXY" == 0 ]; then if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then
start_daemon=$(config_t_get global_delay start_daemon 0) start_daemon=$(config_t_get global_delay start_daemon 0)
[ "$start_daemon" = "1" ] && $APP_PATH/monitor.sh > /dev/null 2>&1 & [ "$start_daemon" = "1" ] && $APP_PATH/monitor.sh > /dev/null 2>&1 &
@ -1563,28 +1563,26 @@ start() {
start_socks start_socks
nftflag=0 nftflag=0
local use_nft=$(config_t_get global_forwarding use_nft 0) local use_nft=$(config_t_get global_forwarding use_nft 0)
local USE_TABLES
[ "$NO_PROXY" == 1 ] || {
if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
echolog "Dnsmasq软件包不满足nftables透明代理要求如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。" echolog "Dnsmasq软件包不满足nftables透明代理要求如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
echolog "使用nftables进行透明代理一些不支持nftables的组件如chinadns-ng等可能不会正常工作。" echolog "使用nftables进行透明代理一些不支持nftables的组件如chinadns-ng等可能不会正常工作。"
USE_TABLES="nftables"
nftflag=1 nftflag=1
start_redir TCP
start_redir UDP
start_dns
source $APP_PATH/nftables.sh start
source $APP_PATH/helper_${DNS_N}.sh logic_restart
elif [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then elif [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then
echolog "系统未安装iptables或ipset无法透明代理" echolog "系统未安装iptables或ipset无法透明代理"
else else
USE_TABLES="iptables"
fi
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
start_redir TCP start_redir TCP
start_redir UDP start_redir UDP
start_dns start_dns
source $APP_PATH/iptables.sh start
source $APP_PATH/helper_${DNS_N}.sh logic_restart
fi
} }
[ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start
[ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_${DNS_N}.sh logic_restart
start_crontab start_crontab
echolog "运行完成!\n" echolog "运行完成!\n"
} }
@ -1621,14 +1619,16 @@ TCP_UDP=0
UDP_NODE=$TCP_NODE UDP_NODE=$TCP_NODE
TCP_UDP=1 TCP_UDP=1
} }
[ "$ENABLED" != 1 ] && NO_PROXY=1 [ "$ENABLED" == 1 ] && {
[ "$TCP_NODE" == "nil" -a "$UDP_NODE" == "nil" ] && NO_PROXY=1 [ "$TCP_NODE" != "nil" ] && [ "$(config_get_type $TCP_NODE nil)" != "nil" ] && ENABLED_DEFAULT_ACL=1
[ "$(config_get_type $TCP_NODE nil)" == "nil" -a "$(config_get_type $UDP_NODE nil)" == "nil" ] && NO_PROXY=1 [ "$UDP_NODE" != "nil" ] && [ "$(config_get_type $UDP_NODE nil)" != "nil" ] && ENABLED_DEFAULT_ACL=1
}
ENABLED_ACLS=$(config_t_get global acl_enable 0)
[ "$ENABLED_ACLS" == 1 ] && {
[ "$(uci show ${CONFIG} | grep "@acl_rule" | grep "enabled='1'" | wc -l)" == 0 ] && ENABLED_ACLS=0
}
tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect) tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
REDIRECT_LIST="socks ss ss-rust ssr v2ray xray trojan-go trojan-plus naiveproxy hysteria"
TPROXY_LIST="brook socks ss ss-rust ssr v2ray xray trojan-go trojan-plus hysteria"
RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443') TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443')
UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535') UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable') TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable')
@ -1653,8 +1653,16 @@ CHINADNS_NG=$(config_t_get global chinadns_ng 0)
FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0) FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0)
dns_listen_port=${DNS_PORT} dns_listen_port=${DNS_PORT}
REDIRECT_LIST="socks ss ss-rust ssr v2ray xray trojan-go trojan-plus naiveproxy hysteria"
TPROXY_LIST="brook socks ss ss-rust ssr v2ray xray trojan-go trojan-plus hysteria"
RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
DEFAULT_DNS=$(uci show dhcp | grep "@dnsmasq" | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label') DEFAULT_DNS=$(uci show dhcp | grep "@dnsmasq" | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
[ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $(sed -n 's/^nameserver[ \t]*\([^ ]*\)$/\1/p' "${RESOLVFILE}" | grep -v -E "0.0.0.0|127.0.0.1|::" | head -2) | tr ' ' ',') [ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29}" LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29}"
PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0) PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0)
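Review bot: The rewritten DEFAULT_DNS fallback in the last hunk, `echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ','`, leaves a trailing comma whenever ISP_DNS holds three or more addresses, because head then emits a newline after the second entry and the final tr turns it into `,`, whereas with exactly two entries no trailing comma appears; the removed line avoided this by word-splitting before joining. Restoring that wrapping keeps the value shape stable regardless of count: `[ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $(echo $ISP_DNS | tr ' ' '\n' | head -2) | tr ' ' ',')`. Separately, in the ENABLED_ACLS hunk, `grep "enabled='1'"` also matches any acl_rule option whose name merely ends in `enabled`; anchoring on the option separator that `uci show` prints, `grep "\.enabled='1'"`, makes the count specific to the `enabled` option.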


@ -260,6 +260,7 @@ get_wan6_ip() {
} }
load_acl() { load_acl() {
[ "$ENABLED_ACLS" == 1 ] && {
acl_app acl_app
echolog "访问控制:" echolog "访问控制:"
for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
@ -436,7 +437,9 @@ load_acl() {
unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
unset ipt_tmp msg msg2 unset ipt_tmp msg msg2
done done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 加载TCP默认代理模式 # 加载TCP默认代理模式
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && {
@ -553,6 +556,7 @@ load_acl() {
$ipt_m -A PSW $(comment "默认") -p udp -j RETURN $ipt_m -A PSW $(comment "默认") -p udp -j RETURN
$ip6t_m -A PSW $(comment "默认") -p udp -j RETURN $ip6t_m -A PSW $(comment "默认") -p udp -j RETURN
} }
}
filter_haproxy() { filter_haproxy() {
for item in ${haproxy_items}; do for item in ${haproxy_items}; do
@ -743,7 +747,6 @@ add_firewall_rule() {
EOF EOF
} }
local ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
[ -n "$ISP_DNS" ] && { [ -n "$ISP_DNS" ] && {
#echolog "处理 ISP DNS 例外..." #echolog "处理 ISP DNS 例外..."
for ispip in $ISP_DNS; do for ispip in $ISP_DNS; do
@ -752,10 +755,9 @@ add_firewall_rule() {
done done
} }
local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::) [ -n "$ISP_DNS6" ] && {
[ -n "$ISP_DNS" ] && {
#echolog "处理 ISP IPv6 DNS 例外..." #echolog "处理 ISP IPv6 DNS 例外..."
for ispip6 in $ISP_DNS; do for ispip6 in $ISP_DNS6; do
ipset -! add $IPSET_WHITELIST6 $ispip6 >/dev/null 2>&1 & ipset -! add $IPSET_WHITELIST6 $ispip6 >/dev/null 2>&1 &
#echolog " - 追加到白名单:${ispip6}" #echolog " - 追加到白名单:${ispip6}"
done done
@ -876,6 +878,43 @@ add_firewall_rule() {
ip -6 rule add fwmark 1 table 100 ip -6 rule add fwmark 1 table 100
ip -6 route add local ::/0 dev lo table 100 ip -6 route add local ::/0 dev lo table 100
# 过滤Socks节点
[ "$SOCKS_ENABLED" = "1" ] && {
local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
#echolog "分析 Socks 服务所使用节点..."
local id enabled node port msg num
for id in $ids; do
enabled=$(config_n_get $id enabled 0)
[ "$enabled" == "1" ] || continue
node=$(config_n_get $id node nil)
port=$(config_n_get $id port 0)
msg="Socks 服务 [:${port}]"
if [ "$node" == "nil" ] || [ "$port" == "0" ]; then
msg="${msg} 未配置完全,略过"
else
filter_node $node TCP > /dev/null 2>&1 &
filter_node $node UDP > /dev/null 2>&1 &
fi
#echolog " - ${msg}"
done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 处理轮换节点的分流或套娃
local node port stream switch
for stream in TCP UDP; do
eval "node=\${${stream}_NODE}"
eval "port=\${${stream}_REDIR_PORT}"
#echolog "分析 $stream 代理自动切换..."
[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
eval "node=\${TCP_NODE}"
eval "port=\${TCP_REDIR_PORT}"
}
if [ "$node" != "nil" ] && [ "$(config_get_type $node nil)" != "nil" ]; then
filter_node $node $stream $port > /dev/null 2>&1 &
fi
done
# 加载路由器自身代理 TCP # 加载路由器自身代理 TCP
if [ "$TCP_NODE" != "nil" ]; then if [ "$TCP_NODE" != "nil" ]; then
echolog "加载路由器自身 TCP 代理..." echolog "加载路由器自身 TCP 代理..."
@ -957,42 +996,6 @@ add_firewall_rule() {
} }
fi fi
# 过滤Socks节点
[ "$SOCKS_ENABLED" = "1" ] && {
local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
#echolog "分析 Socks 服务所使用节点..."
local id enabled node port msg num
for id in $ids; do
enabled=$(config_n_get $id enabled 0)
[ "$enabled" == "1" ] || continue
node=$(config_n_get $id node nil)
port=$(config_n_get $id port 0)
msg="Socks 服务 [:${port}]"
if [ "$node" == "nil" ] || [ "$port" == "0" ]; then
msg="${msg} 未配置完全,略过"
else
filter_node $node TCP > /dev/null 2>&1 &
filter_node $node UDP > /dev/null 2>&1 &
fi
#echolog " - ${msg}"
done
}
# 处理轮换节点的分流或套娃
local node port stream switch
for stream in TCP UDP; do
eval "node=\${${stream}_NODE}"
eval "port=\${${stream}_REDIR_PORT}"
#echolog "分析 $stream 代理自动切换..."
[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
eval "node=\${TCP_NODE}"
eval "port=\${TCP_REDIR_PORT}"
}
if [ "$node" != "nil" ]; then
filter_node $node $stream $port > /dev/null 2>&1 &
fi
done
# 加载路由器自身代理 UDP # 加载路由器自身代理 UDP
[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && { [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
@ -1047,11 +1050,11 @@ add_firewall_rule() {
$ipt_m -A PSW -p udp --dport 53 -j RETURN $ipt_m -A PSW -p udp --dport 53 -j RETURN
$ip6t_m -A PSW -p udp --dport 53 -j RETURN $ip6t_m -A PSW -p udp --dport 53 -j RETURN
}
# 加载ACLS # 加载ACLS
load_acl load_acl
# dns_hijack "force"
for iface in $IFACES; do for iface in $IFACES; do
$ipt_n -I PSW_OUTPUT -o $iface -j RETURN $ipt_n -I PSW_OUTPUT -o $iface -j RETURN
$ipt_m -I PSW_OUTPUT -o $iface -j RETURN $ipt_m -I PSW_OUTPUT -o $iface -j RETURN
@ -1212,6 +1215,7 @@ get_ip6t_bin() {
} }
start() { start() {
[ "$ENABLED_DEFAULT_ACL" == 0 -a "$ENABLED_ACLS" == 0 ] && return
add_firewall_rule add_firewall_rule
gen_include gen_include
} }
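Review bot: The new guard in start(), `[ "$ENABLED_DEFAULT_ACL" == 0 -a "$ENABLED_ACLS" == 0 ] && return`, only returns when both variables are exactly `0`; if either is unset or empty — for instance if this script is ever sourced from a path where app.sh has not computed them — the test is false and add_firewall_rule installs rules with nothing enabled. A fail-closed form in the `[ ] && [ ]` style this commit already uses at `if [ "$node" != "nil" ] && [ "$(config_get_type $node nil)" != "nil" ]` is `[ "${ENABLED_DEFAULT_ACL:-0}" == 0 ] && [ "${ENABLED_ACLS:-0}" == 0 ] && return`, which also avoids the obsolescent `-a` operator inside `[`. The identical line is added to start() in nftables.sh in this commit and would take the same change.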


@ -271,6 +271,7 @@ get_wan6_ip() {
} }
load_acl() { load_acl() {
[ "$ENABLED_ACLS" == 1 ] && {
acl_app acl_app
echolog "访问控制:" echolog "访问控制:"
for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
@ -444,7 +445,9 @@ load_acl() {
unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
unset ipt_tmp msg msg2 unset ipt_tmp msg msg2
done done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 加载TCP默认代理模式 # 加载TCP默认代理模式
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && { [ "$PROXY_IPV6" == "1" ] && {
@ -560,6 +563,7 @@ load_acl() {
} }
fi fi
} }
}
filter_haproxy() { filter_haproxy() {
for item in ${haproxy_items}; do for item in ${haproxy_items}; do
@ -735,7 +739,6 @@ add_firewall_rule() {
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANIPLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e 's/$/,/' ) [ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANIPLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e 's/$/,/' )
} }
local ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
[ -n "$ISP_DNS" ] && { [ -n "$ISP_DNS" ] && {
#echolog "处理 ISP DNS 例外..." #echolog "处理 ISP DNS 例外..."
for ispip in $ISP_DNS; do for ispip in $ISP_DNS; do
@ -744,10 +747,9 @@ add_firewall_rule() {
done done
} }
local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::) [ -n "$ISP_DNS6" ] && {
[ -n "$ISP_DNS" ] && {
#echolog "处理 ISP IPv6 DNS 例外..." #echolog "处理 ISP IPv6 DNS 例外..."
for ispip6 in $ISP_DNS; do for ispip6 in $ISP_DNS6; do
insert_nftset $NFTSET_WHITELIST6 $ispip6 >/dev/null 2>&1 & insert_nftset $NFTSET_WHITELIST6 $ispip6 >/dev/null 2>&1 &
#echolog " - 追加到白名单:${ispip6}" #echolog " - 追加到白名单:${ispip6}"
done done
@ -887,6 +889,43 @@ add_firewall_rule() {
ip -6 route add local ::/0 dev lo table 100 ip -6 route add local ::/0 dev lo table 100
} }
# 过滤Socks节点
[ "$SOCKS_ENABLED" = "1" ] && {
local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
#echolog "分析 Socks 服务所使用节点..."
local id enabled node port msg num
for id in $ids; do
enabled=$(config_n_get $id enabled 0)
[ "$enabled" == "1" ] || continue
node=$(config_n_get $id node nil)
port=$(config_n_get $id port 0)
msg="Socks 服务 [:${port}]"
if [ "$node" == "nil" ] || [ "$port" == "0" ]; then
msg="${msg} 未配置完全,略过"
else
filter_node $node TCP > /dev/null 2>&1 &
filter_node $node UDP > /dev/null 2>&1 &
fi
#echolog " - ${msg}"
done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 处理轮换节点的分流或套娃
local node port stream switch
for stream in TCP UDP; do
eval "node=\${${stream}_NODE}"
eval "port=\${${stream}_REDIR_PORT}"
#echolog "分析 $stream 代理自动切换..."
[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
eval "node=\${TCP_NODE}"
eval "port=\${TCP_REDIR_PORT}"
}
if [ "$node" != "nil" ] && [ "$(config_get_type $node nil)" != "nil" ]; then
filter_node $node $stream $port > /dev/null 2>&1 &
fi
done
# 加载路由器自身代理 TCP # 加载路由器自身代理 TCP
if [ "$TCP_NODE" != "nil" ]; then if [ "$TCP_NODE" != "nil" ]; then
echolog "加载路由器自身 TCP 代理..." echolog "加载路由器自身 TCP 代理..."
@ -963,42 +1002,6 @@ add_firewall_rule() {
} }
fi fi
# 过滤Socks节点
[ "$SOCKS_ENABLED" = "1" ] && {
local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
#echolog "分析 Socks 服务所使用节点..."
local id enabled node port msg num
for id in $ids; do
enabled=$(config_n_get $id enabled 0)
[ "$enabled" == "1" ] || continue
node=$(config_n_get $id node nil)
port=$(config_n_get $id port 0)
msg="Socks 服务 [:${port}]"
if [ "$node" == "nil" ] || [ "$port" == "0" ]; then
msg="${msg} 未配置完全,略过"
else
filter_node $node TCP > /dev/null 2>&1 &
filter_node $node UDP > /dev/null 2>&1 &
fi
#echolog " - ${msg}"
done
}
# 处理轮换节点的分流或套娃
local node port stream switch
for stream in TCP UDP; do
eval "node=\${${stream}_NODE}"
eval "port=\${${stream}_REDIR_PORT}"
#echolog "分析 $stream 代理自动切换..."
[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
eval "node=\${TCP_NODE}"
eval "port=\${TCP_REDIR_PORT}"
}
if [ "$node" != "nil" ]; then
filter_node $node $stream $port > /dev/null 2>&1 &
fi
done
# 加载路由器自身代理 UDP # 加载路由器自身代理 UDP
[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && { [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
@ -1049,10 +1052,15 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return" nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return" nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
}
# 加载ACLS # 加载ACLS
load_acl load_acl
# dns_hijack "force" for iface in $IFACES; do
nft "insert rule inet fw4 $nft_output_chain oif $iface counter return"
nft "insert rule inet fw4 PSW_OUTPUT_MANGLE_V6 oif $iface counter return"
done
[ -n "${is_tproxy}" -o -n "${udp_flag}" ] && { [ -n "${is_tproxy}" -o -n "${udp_flag}" ] && {
bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables) bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
@ -1170,6 +1178,7 @@ gen_include() {
} }
start() { start() {
[ "$ENABLED_DEFAULT_ACL" == 0 -a "$ENABLED_ACLS" == 0 ] && return
add_firewall_rule add_firewall_rule
gen_include gen_include
} }
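Review bot: In the new IFACES loop of add_firewall_rule, `nft "insert rule inet fw4 $nft_output_chain oif $iface counter return"` relies on `$nft_output_chain`, which is not assigned in any visible hunk, while the IPv6 line next to it names `PSW_OUTPUT_MANGLE_V6` literally; presumably it is set earlier in add_firewall_rule, but a reader of the loop cannot tell which chain the IPv4 rule lands in. A one-line comment above the loop, e.g. `# $nft_output_chain is chosen earlier in add_firewall_rule; skip PSW processing for traffic leaving these interfaces`, would make the pair self-explanatory. add_firewall_rule starts and ends outside this hunk.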