luci: try to optimise nftset load

luci-app-passwall/Makefile

@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-passwall
-PKG_VERSION:=4.66-7
+PKG_VERSION:=4.66-8
 PKG_RELEASE:=
 
 PKG_CONFIG_DEPENDS:= \

luci-app-passwall/root/usr/share/passwall/nftables.sh

@@ -127,10 +127,7 @@ insert_nftset() {
 	local nftset_name="${1}"; shift
 	local nftset_elements
 
-	for element in $@
-	do
-		nftset_elements="$element,$nftset_elements"
-	done
+	nftset_elements=$(echo -e $@ | sed 's/\s/, /g')
 	[ -n "${nftset_elements}" ] && {
 		mkdir -p $TMP_PATH2/nftset
 
@@ -707,7 +704,12 @@ add_firewall_rule() {
 	gen_nftset $NFTSET_VPSLIST ipv4_addr
 	gen_nftset $NFTSET_GFW ipv4_addr
 	gen_nftset $NFTSET_LANLIST ipv4_addr $(gen_lanlist)
-	gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#")
+	if [ -f $RULES_PATH/chnroute.nft ] && [ -s $RULES_PATH/chnroute.nft ] && [ $(awk 'END{print NR}' $RULES_PATH/chnroute.nft) -ge 8 ]; then
+		echolog "使用缓存加载chnroute..."
+		nft -f $RULES_PATH/chnroute.nft
+	else
+		gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#")
+	fi
 	gen_nftset $NFTSET_BLACKLIST ipv4_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
 	gen_nftset $NFTSET_WHITELIST ipv4_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
 	gen_nftset $NFTSET_BLOCKLIST ipv4_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
@@ -716,7 +718,12 @@ add_firewall_rule() {
 	gen_nftset $NFTSET_VPSLIST6 ipv6_addr
 	gen_nftset $NFTSET_GFW6 ipv6_addr
 	gen_nftset $NFTSET_LANLIST6 ipv6_addr $(gen_lanlist_6)
-	gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#")
+	if [ -f $RULES_PATH/chnroute6.nft ] && [ -s $RULES_PATH/chnroute6.nft ] && [ $(awk 'END{print NR}' $RULES_PATH/chnroute6.nft) -ge 8 ]; then
+		echolog "使用缓存加载chnroute6..."
+		nft -f $RULES_PATH/chnroute6.nft
+	else
+		gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#")
+	fi
 	gen_nftset $NFTSET_BLACKLIST6 ipv6_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
 	gen_nftset $NFTSET_WHITELIST6 ipv6_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
 	gen_nftset $NFTSET_BLOCKLIST6 ipv6_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")

luci-app-passwall/root/usr/share/passwall/rule_update.lua

@@ -33,6 +33,7 @@ local chnlist_url = ucic:get(name, "@global_rules[0]", "chnlist_url") or {"https
 local geoip_api =  "https://api.github.com/repos/Loyalsoldier/v2ray-rules-dat/releases/latest"
 local geosite_api =  "https://api.github.com/repos/Loyalsoldier/v2ray-rules-dat/releases/latest"
 local v2ray_asset_location = ucic:get_first(name, 'global_rules', "v2ray_location_asset", "/usr/share/v2ray/")
+local use_nft = ucic:get(name, "@global_forwarding[0]", "use_nft") or "0"
 
 local log = function(...)
 	if arg1 then
@@ -45,6 +46,33 @@ local log = function(...)
 	end
 end
 
+local function gen_nftset(set_name, ip_type, tmp_file, input_file)
+	f = io.open(input_file, "r")
+	local element = f:read("*all")
+	f:close()
+
+	nft_file, err = io.open(tmp_file, "w")
+	nft_file:write('#!/usr/sbin/nft -f\n')
+	nft_file:write(string.format('define %s = {%s}\n', set_name, string.gsub(element, "%s*%c+", ", ")))
+	if luci.sys.call(string.format('nft "list set inet fw4 %s" >/dev/null 2>&1', set_name)) ~= 0 then
+		nft_file:write(string.format('add set inet fw4 %s { type %s; flags interval; auto-merge; }\n', set_name, ip_type))
+	end
+	nft_file:write(string.format('add element inet fw4 %s $%s\n', set_name, set_name))
+	nft_file:close()
+	luci.sys.call(string.format('nft -f %s &>/dev/null',tmp_file))
+	os.remove(tmp_file)
+end
+
+--gen cache for nftset from file
+local function gen_cache(set_name, ip_type, input_file, output_file)
+	local tmp_dir = "/tmp/"
+	local tmp_file = output_file .. "_tmp"
+	gen_nftset(set_name, ip_type, tmp_file, input_file)
+	luci.sys.call("nft list set inet fw4 " ..set_name.. " > " ..output_file)
+	luci.sys.call("nft flush set inet fw4 " ..set_name)
+	luci.sys.call("nft delete set inet fw4 " ..set_name)
+end
+
 -- curl
 local function curl(url, file, valifile)
 	local args = {
@@ -198,6 +226,17 @@ local function fetch_rule(rule_name,rule_type,url,exclude_domain)
 		local new_md5 = luci.sys.exec("echo -n $([ -f '" ..file_tmp.. "' ] && md5sum " ..file_tmp.." | awk '{print $1}')")
 		if old_md5 ~= new_md5 then
 			local count = line_count(file_tmp)
+			if use_nft == "1" and (rule_type == "ip6" or rule_type == "ip4") then
+				local set_name = "passwall_" ..rule_name
+				local output_file = file_tmp.. ".nft"
+				if rule_type == "ip4" then
+					gen_cache(set_name, "ipv4_addr", file_tmp, output_file)
+				elseif rule_type == "ip6" then
+					gen_cache(set_name, "ipv6_addr", file_tmp, output_file)
+				end
+				luci.sys.exec(string.format('mv -f %s %s', output_file, rule_path .. "/" ..rule_name.. ".nft"))
+				os.remove(output_file)
+			end
 			luci.sys.exec("mv -f "..file_tmp .. " " ..rule_path .. "/" ..rule_name)
 			reboot = 1
 			log(rule_name.. " 更新成功，总规则数 " ..count.. " 条。")