From 864167235072d011a109a656a3e268a98576b7f9 Mon Sep 17 00:00:00 2001 From: ShanStone <31815718+ShanStone@users.noreply.github.com> Date: Sun, 2 Oct 2022 18:50:59 +0800 Subject: [PATCH] luci-app-passwall: optimize --- .../model/cbi/passwall/client/global.lua | 2 +- .../model/cbi/passwall/client/other.lua | 12 +++++++++++ luci-app-passwall/po/zh-cn/passwall.po | 3 +++ .../root/usr/share/passwall/0_default_config | 1 + .../root/usr/share/passwall/app.sh | 14 ++++++------- .../usr/share/passwall/helper_dnsmasq_add.lua | 2 +- .../root/usr/share/passwall/nftables.sh | 21 +++++++------------ 7 files changed, 33 insertions(+), 22 deletions(-) diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua index a40ddf18e..6d27ebbea 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua @@ -304,7 +304,7 @@ end o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect.")) o.inputstyle = "remove" function o.write(e, e) - luci.sys.call("/usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &") + luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"gfwlist\")\" ] && /usr/share/" .. appname .. "/nftables.sh flush_nftset || /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &") luci.http.redirect(api.url("log")) end diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua index d9e231c4f..32edee5a9 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua 
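Review bot: The replaced `luci.sys.call` line picks the backend by probing for any set whose name contains `gfwlist`, while the rest of this commit introduces an explicit `use_nft` option in `global_forwarding`; the button should read that option so the flush always targets the backend the user configured, and the substring probe can also match sets that are not passwall's. The `A && B || C` chain additionally falls through to `iptables.sh flush_ipset` whenever `nftables.sh flush_nftset` exits non-zero, and `> /dev/null 2>&1` applies only to that last command while `&` backgrounds the whole list. I would select the script from the option value instead, e.g. `local script = (use_nft == "1") and "nftables.sh flush_nftset" or "iptables.sh flush_ipset"` followed by `luci.sys.call("/usr/share/" .. appname .. "/" .. script .. " > /dev/null 2>&1 &")`, with `use_nft` read via uci from `@global_forwarding[0]` (the uci handle this file uses is outside the hunk). The duplicated parameter in `function o.write(e, e)` is pre-existing but worth fixing while here.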
@@ -3,6 +3,8 @@ local appname = api.appname local fs = api.fs local has_v2ray = api.is_finded("v2ray") local has_xray = api.is_finded("xray") +local has_fw3 = api.is_finded("fw3") +local has_fw4 = api.is_finded("fw4") m = Map(appname) @@ -95,6 +97,16 @@ o.default = "1:65535" o:value("1:65535", translate("All")) o:value("53", "DNS") +---- Use nftables +o = s:option(ListValue, "use_nft", translate("Firewall tools")) +o.default = "0" +if has_fw3 then + o:value("0", "IPtables") +end +if has_fw4 then + o:value("1", "NFtables") +end + if (os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod | grep -i TPROXY >/dev/null") == 0) or (os.execute("lsmod | grep -i nft_redir >/dev/null") == 0 and os.execute("lsmod | grep -i nft_tproxy >/dev/null") == 0) then o = s:option(ListValue, "tcp_proxy_way", translate("TCP Proxy Way")) o.default = "tproxy" diff --git a/luci-app-passwall/po/zh-cn/passwall.po b/luci-app-passwall/po/zh-cn/passwall.po index 3cc91228c..e0a858478 100644 --- a/luci-app-passwall/po/zh-cn/passwall.po +++ b/luci-app-passwall/po/zh-cn/passwall.po @@ -1114,6 +1114,9 @@ msgstr "节点数量" msgid "You can only set up a maximum of %s nodes for the time being, Used for access control." msgstr "目前最多只能设置%s个节点,用于给访问控制使用。" +msgid "Firewall tools" +msgstr "防火墙工具" + msgid "IPv6 TProxy" msgstr "IPv6透明代理(TProxy)" diff --git a/luci-app-passwall/root/usr/share/passwall/0_default_config b/luci-app-passwall/root/usr/share/passwall/0_default_config index 4e8d49917..426502042 100644 --- a/luci-app-passwall/root/usr/share/passwall/0_default_config +++ b/luci-app-passwall/root/usr/share/passwall/0_default_config @@ -32,6 +32,7 @@ config global_forwarding option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443' option udp_redir_ports '1:65535' option accept_icmp '0' + option use_nft '0' option tcp_proxy_way 'redirect' option ipv6_tproxy '0' option sniffing '1' 
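Review bot: The `use_nft` ListValue defaults to `"0"` even when only `fw4` is found, so the `IPtables` entry that default refers to is not offered and the stored value points at a backend with no firewall tool; the removed lines in app.sh show the previous code detected `fw4` automatically, so fw4-only routers now come up in iptables mode unless the user changes the setting. Derive the default from the detection instead, e.g. `o.default = (has_fw4 and not has_fw3) and "1" or "0"` (the `and/or` form is safe here because `"1"` is never falsy). When neither `fw3` nor `fw4` is found the list has no entries at all; either skip creating the option in that case or keep one value so the form still renders. A short comment that `api.is_finded("fw4")` only proves the binary is installed, not that the running firewall is nftables-based, would help the next reader of the first hunk.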
diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index ab611dd7f..28c196ef4 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh @@ -1349,14 +1349,13 @@ start() { start_haproxy start_socks nftflag=0 + local use_nft=$(config_t_get global_forwarding use_nft 0) [ "$NO_PROXY" == 1 ] || { - if [ -n "$(command -v fw4)" ] && [ -z "$(dnsmasq --version | grep 'nftset')" ]; then - echolog "检测到fw4防火墙,但Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。" - fi - - if [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ]; then - echolog "检测fw4防火墙,使用nftables进行透明代理,一些不支持nftables的组件如smartdns分流等将不可用。" + if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then + echolog "Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。" + elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then + echolog "使用nftables进行透明代理,一些不支持nftables的组件如smartdns分流等将不可用。" nftflag=1 start_redir TCP start_redir UDP @@ -1379,7 +1378,8 @@ start() { stop() { clean_log - [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ] && source $APP_PATH/nftables.sh stop || source $APP_PATH/iptables.sh stop + [ -n "$($(source $APP_PATH/iptables.sh get_ipt_bin) -t mangle -t nat -L -nv 2>/dev/null | grep "PSW")" ] && source $APP_PATH/iptables.sh stop + [ -n "$(nft list chains 2>/dev/null | grep "PSW")" ] && source $APP_PATH/nftables.sh stop delete_ip2route kill_all v2ray-plugin obfs-local pgrep -f "sleep.*(6s|9s|58s)" | xargs kill -9 >/dev/null 2>&1 diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua index e412fe5f7..62d42041a 100644 --- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua 
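Review bot: Merging the two independent checks into one `if`/`elif` changes what happens when `use_nft` is 1 but dnsmasq lacks `nftset` support: the first branch only logs, so the nftables path is skipped and, if the chain continues with an `else` that starts the iptables path (it lies outside this hunk), that branch is no longer reached either, leaving the router with no transparent proxy at all, whereas the old code logged and then fell through to the iptables setup. Keep the warning as a separate statement that also corrects the selection, e.g. `if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then echolog "Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"; use_nft=0; fi` placed before the existing `if`, so the later branch sees the corrected value. The `dnsmasq --version` pipeline is also evaluated twice; capture it once in a local. `start()` continues past the end of this hunk.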
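Review bot: The new detection in `stop()` passes `-t` twice to the iptables binary (`-t mangle -t nat -L -nv`); as far as I know the last `-t` given wins, so only one table is actually inspected (and if the binary rejects the duplicate, `2>/dev/null` hides that), leaving PSW chains in the other table uncleaned. Run the listing once per table, e.g. `for t in mangle nat; do [ -n "$($ipt_bin -t $t -L -n 2>/dev/null | grep "PSW")" ] && source $APP_PATH/iptables.sh stop && break; done`, with `ipt_bin` captured once from `iptables.sh get_ipt_bin`; `-v` is not needed for a chain-name grep. This also depends on `iptables.sh` still exporting `get_ipt_bin`, which the `-1295` hunk of this commit removes from `nftables.sh`, so a comment stating that dependency would save the next person a search. When `nft` is absent the second check is silently skipped; a one-line comment that this is intended would help.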
+++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
@@ -168,7 +168,7 @@ local dnsmasq_default_dns
 local cache_text = ""
 local subscribe_proxy=uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0"
 local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)")
-local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules
+local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules .. NFTFLAG
 if fs.access(CACHE_TEXT_FILE) then
 for line in io.lines(CACHE_TEXT_FILE) do
 cache_text = line
diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh
index 887842381..4ed637ae1 100755
--- a/luci-app-passwall/root/usr/share/passwall/nftables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh
@@ -461,7 +461,7 @@ load_acl() {
 elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
 _ipset=$(echo ${i} | sed 's#ipset:##g')
 _ipt_source="ip daddr @${_ipset}"
- msg="备注【$remarks】,IPset【${_ipset}】,"
+ msg="备注【$remarks】,NFTset【${_ipset}】,"
 elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
 _ip=$(echo ${i} | sed 's#ip:##g')
 _ipt_source=$(factor ${_ip} "ip saddr")
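Review bot: `.. NFTFLAG` appends a bare global to the cache key; if the caller does not set it (its definition is outside this hunk), the line raises "attempt to concatenate a nil value" and the whole dnsmasq rule generation aborts, unlike `subscribe_proxy` on the line above, which gets an `or "0"` default. Give it the same treatment, `.. (NFTFLAG or "0")`, or fail early with `assert(NFTFLAG, "NFTFLAG not set")` if it is meant to be mandatory. A one-line comment explaining why the flag belongs in the key — so that switching firewall backend invalidates the cached dnsmasq config — would make the intent of this change clear to the next maintainer.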
@@ -717,13 +717,13 @@ filter_haproxy() { local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1) insert_nftset $NFTSET_VPSIPLIST $ip done - echolog "加入负载均衡的节点到ipset[$NFTSET_VPSIPLIST]直连完成" + echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成" } filter_vpsip() { insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e 's/$/,/' ) insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e 's/$/,/' ) - echolog "加入所有节点到ipset[$NFTSET_VPSIPLIST]直连完成" + echolog "加入所有节点到nftset[$NFTSET_VPSIPLIST]直连完成" } filter_node() { @@ -1207,10 +1207,13 @@ del_firewall_rule() { done done - for handle in $(nft -a list chains |grep -E "chain PSW" |awk -F '# handle ' '{print$2}'); do + for handle in $(nft -a list chains | grep -E "chain PSW" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do nft delete chain inet fw4 handle ${handle} 2>/dev/null done + # Need to be removed at the end, otherwise it will show "Resource busy" + nft delete chain inet fw4 handle $(nft -a list chains | grep -E "PSW_RULE" | awk -F '# handle ' '{print$2}') 2>/dev/null + ip rule del fwmark 1 lookup 100 2>/dev/null ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null @@ -1295,14 +1298,6 @@ gen_include() { return 0 } -get_ipt_bin() { - echo $ipt -} - -get_ip6t_bin() { - echo $ip6t -} - start() { add_firewall_rule gen_include @@ -1325,7 +1320,7 @@ insert_rule_before) insert_rule_after) insert_rule_after "$@" ;; -flush_ipset) +flush_nftset) flush_nftset ;; get_wan_ip)
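Review bot: The added `nft delete chain inet fw4 handle $(nft -a list chains | grep -E "PSW_RULE" | awk ...)` in `del_firewall_rule()` assumes exactly one matching line, but `grep -E "PSW_RULE"` is not anchored on `chain ` and the listing covers every table, so a second chain whose name contains `PSW_RULE` makes the substitution expand to several handles, `nft` rejects the command, `2>/dev/null` hides that and the chain survives; an empty match likewise produces a malformed command that is silently swallowed. Reuse the loop shape of the preceding block: `for handle in $(nft -a list chains | grep -E "chain PSW_RULE" | awk -F '# handle ' '{print$2}'); do nft delete chain inet fw4 handle ${handle} 2>/dev/null; done`. The ordering comment is welcome; I would state the cause rather than the symptom, e.g. `# PSW_RULE must go last: deleting a chain that other PSW chains still jump to fails with "Resource busy"` — that dependency is inferred from the comment, not visible in the hunk. The rest of `del_firewall_rule()` lies outside the hunk.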