luci-app-passwall: optimize

This commit is contained in:
ShanStone 2022-10-02 18:50:59 +08:00 committed by sbwml
parent 52737683b0
commit 8641672350
7 changed files with 33 additions and 22 deletions


@ -304,7 +304,7 @@ end
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect.")) o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
o.inputstyle = "remove" o.inputstyle = "remove"
function o.write(e, e) function o.write(e, e)
luci.sys.call("/usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &") luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"gfwlist\")\" ] && /usr/share/" .. appname .. "/nftables.sh flush_nftset || /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
luci.http.redirect(api.url("log")) luci.http.redirect(api.url("log"))
end end
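Review bot: The shell string built on the changed line uses the `A && B || C` form, so iptables.sh flush_ipset also runs whenever nftables.sh flush_nftset exits non-zero, and the `> /dev/null 2>&1` binds only to the iptables command while any output of the nftables script is not discarded. An explicit if/else inside the command string avoids both: `luci.sys.call("if [ -n \"$(nft list sets 2>/dev/null | grep gfwlist)\" ]; then /usr/share/" .. appname .. "/nftables.sh flush_nftset; else /usr/share/" .. appname .. "/iptables.sh flush_ipset; fi > /dev/null 2>&1 &")`. Probing nft sets for a name containing gfwlist is an indirect way to learn which backend is active; since this commit introduces the use_nft option, reading that setting would be the more direct signal, though whether the uci context is reachable from this handler is not visible here.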


@ -3,6 +3,8 @@ local appname = api.appname
local fs = api.fs local fs = api.fs
local has_v2ray = api.is_finded("v2ray") local has_v2ray = api.is_finded("v2ray")
local has_xray = api.is_finded("xray") local has_xray = api.is_finded("xray")
local has_fw3 = api.is_finded("fw3")
local has_fw4 = api.is_finded("fw4")
m = Map(appname) m = Map(appname)
@ -95,6 +97,16 @@ o.default = "1:65535"
o:value("1:65535", translate("All")) o:value("1:65535", translate("All"))
o:value("53", "DNS") o:value("53", "DNS")
---- Use nftables
o = s:option(ListValue, "use_nft", translate("Firewall tools"))
o.default = "0"
if has_fw3 then
o:value("0", "IPtables")
end
if has_fw4 then
o:value("1", "NFtables")
end
if (os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod | grep -i TPROXY >/dev/null") == 0) or (os.execute("lsmod | grep -i nft_redir >/dev/null") == 0 and os.execute("lsmod | grep -i nft_tproxy >/dev/null") == 0) then if (os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod | grep -i TPROXY >/dev/null") == 0) or (os.execute("lsmod | grep -i nft_redir >/dev/null") == 0 and os.execute("lsmod | grep -i nft_tproxy >/dev/null") == 0) then
o = s:option(ListValue, "tcp_proxy_way", translate("TCP Proxy Way")) o = s:option(ListValue, "tcp_proxy_way", translate("TCP Proxy Way"))
o.default = "tproxy" o.default = "tproxy"
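Review bot: `o.default = "0"` for use_nft is not among the offered values on a system where only fw4 is found, because the `"0"`/IPtables entry is only added when has_fw3 is true; the form would then show NFtables as the sole choice while the stored default presumably still steers the init script to the iptables path. Deriving the default from what was detected keeps the two consistent: `o.default = has_fw3 and "0" or "1"` (both operands are non-nil strings, so the and/or idiom is safe here). The shipped default `option use_nft '0'` in this commit's config section carries the same bias toward iptables. If neither fw3 nor fw4 is found the list has no entries at all; a fallback value or a guard would make that state visible instead of rendering an empty selector.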


@ -1114,6 +1114,9 @@ msgstr "节点数量"
msgid "You can only set up a maximum of %s nodes for the time being, Used for access control." msgid "You can only set up a maximum of %s nodes for the time being, Used for access control."
msgstr "目前最多只能设置%s个节点用于给访问控制使用。" msgstr "目前最多只能设置%s个节点用于给访问控制使用。"
msgid "Firewall tools"
msgstr "防火墙工具"
msgid "IPv6 TProxy" msgid "IPv6 TProxy"
msgstr "IPv6透明代理(TProxy)" msgstr "IPv6透明代理(TProxy)"


@ -32,6 +32,7 @@ config global_forwarding
option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443' option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443'
option udp_redir_ports '1:65535' option udp_redir_ports '1:65535'
option accept_icmp '0' option accept_icmp '0'
option use_nft '0'
option tcp_proxy_way 'redirect' option tcp_proxy_way 'redirect'
option ipv6_tproxy '0' option ipv6_tproxy '0'
option sniffing '1' option sniffing '1'


@ -1349,14 +1349,13 @@ start() {
start_haproxy start_haproxy
start_socks start_socks
nftflag=0 nftflag=0
local use_nft=$(config_t_get global_forwarding use_nft 0)
[ "$NO_PROXY" == 1 ] || { [ "$NO_PROXY" == 1 ] || {
if [ -n "$(command -v fw4)" ] && [ -z "$(dnsmasq --version | grep 'nftset')" ]; then if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
echolog "检测到fw4防火墙但Dnsmasq软件包不满足nftables透明代理要求如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。" echolog "Dnsmasq软件包不满足nftables透明代理要求如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
fi elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
echolog "使用nftables进行透明代理一些不支持nftables的组件如smartdns分流等将不可用。"
if [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ]; then
echolog "检测fw4防火墙使用nftables进行透明代理一些不支持nftables的组件如smartdns分流等将不可用。"
nftflag=1 nftflag=1
start_redir TCP start_redir TCP
start_redir UDP start_redir UDP
@ -1379,7 +1378,8 @@ start() {
stop() { stop() {
clean_log clean_log
[ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ] && source $APP_PATH/nftables.sh stop || source $APP_PATH/iptables.sh stop [ -n "$($(source $APP_PATH/iptables.sh get_ipt_bin) -t mangle -t nat -L -nv 2>/dev/null | grep "PSW")" ] && source $APP_PATH/iptables.sh stop
[ -n "$(nft list chains 2>/dev/null | grep "PSW")" ] && source $APP_PATH/nftables.sh stop
delete_ip2route delete_ip2route
kill_all v2ray-plugin obfs-local kill_all v2ray-plugin obfs-local
pgrep -f "sleep.*(6s|9s|58s)" | xargs kill -9 >/dev/null 2>&1 pgrep -f "sleep.*(6s|9s|58s)" | xargs kill -9 >/dev/null 2>&1
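Review bot: In start() the `dnsmasq --version | grep 'Compile time options:.* nftset'` probe is run twice with only the sign of the test differing, so it can be evaluated once: `local dnsmasq_nftset=$(dnsmasq --version | grep 'Compile time options:.* nftset')` followed by `if [ "$use_nft" == 1 ] && [ -z "$dnsmasq_nftset" ]; then` and `elif [ "$use_nft" == 1 ]; then`. When use_nft is 1 but dnsmasq lacks nftset the new code only logs; whether it then falls back to iptables is decided outside this hunk (start() continues past it), and the log line should state which path is actually taken so an operator knows whether transparent proxying is active. In stop(), the nested `$(source $APP_PATH/iptables.sh get_ipt_bin)` relies on iptables.sh still providing get_ipt_bin; this commit removes that helper from the nftables script, so it is worth confirming the iptables script keeps its own copy, otherwise the test is always empty and the iptables rules are never cleaned up.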


@ -168,7 +168,7 @@ local dnsmasq_default_dns
local cache_text = "" local cache_text = ""
local subscribe_proxy=uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0" local subscribe_proxy=uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0"
local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)") local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)")
local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules .. NFTFLAG
if fs.access(CACHE_TEXT_FILE) then if fs.access(CACHE_TEXT_FILE) then
for line in io.lines(CACHE_TEXT_FILE) do for line in io.lines(CACHE_TEXT_FILE) do
cache_text = line cache_text = line
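Review bot: `NFTFLAG`, appended to new_text on the changed line, is not defined anywhere in this hunk; if it is a global that is unset in some invocation, `..` raises "attempt to concatenate a nil value" and the dnsmasq configuration step aborts rather than merely missing one cache-key component. Wrapping it makes the key total regardless: `.. subscribe_proxy .. new_rules .. tostring(NFTFLAG)`. Folding the nft flag into the cache key is the right call, since the generated dnsmasq config presumably differs between ipset and nftset modes and a stale cache would otherwise survive a backend switch.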


@ -461,7 +461,7 @@ load_acl() {
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g') _ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="ip daddr @${_ipset}" _ipt_source="ip daddr @${_ipset}"
msg="备注【$remarks】,IPset【${_ipset}】," msg="备注【$remarks】,NFTset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g') _ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "ip saddr") _ipt_source=$(factor ${_ip} "ip saddr")
@ -717,13 +717,13 @@ filter_haproxy() {
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1) local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
insert_nftset $NFTSET_VPSIPLIST $ip insert_nftset $NFTSET_VPSIPLIST $ip
done done
echolog "加入负载均衡的节点到ipset[$NFTSET_VPSIPLIST]直连完成" echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成"
} }
filter_vpsip() { filter_vpsip() {
insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e 's/$/,/' ) insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e 's/$/,/' )
insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e 's/$/,/' ) insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e 's/$/,/' )
echolog "加入所有节点到ipset[$NFTSET_VPSIPLIST]直连完成" echolog "加入所有节点到nftset[$NFTSET_VPSIPLIST]直连完成"
} }
filter_node() { filter_node() {
@ -1207,10 +1207,13 @@ del_firewall_rule() {
done done
done done
for handle in $(nft -a list chains |grep -E "chain PSW" |awk -F '# handle ' '{print$2}'); do for handle in $(nft -a list chains | grep -E "chain PSW" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do
nft delete chain inet fw4 handle ${handle} 2>/dev/null nft delete chain inet fw4 handle ${handle} 2>/dev/null
done done
# Need to be removed at the end, otherwise it will show "Resource busy"
nft delete chain inet fw4 handle $(nft -a list chains | grep -E "PSW_RULE" | awk -F '# handle ' '{print$2}') 2>/dev/null
ip rule del fwmark 1 lookup 100 2>/dev/null ip rule del fwmark 1 lookup 100 2>/dev/null
ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
@ -1295,14 +1298,6 @@ gen_include() {
return 0 return 0
} }
get_ipt_bin() {
echo $ipt
}
get_ip6t_bin() {
echo $ip6t
}
start() { start() {
add_firewall_rule add_firewall_rule
gen_include gen_include
@ -1325,7 +1320,7 @@ insert_rule_before)
insert_rule_after) insert_rule_after)
insert_rule_after "$@" insert_rule_after "$@"
;; ;;
flush_ipset) flush_nftset)
flush_nftset flush_nftset
;; ;;
get_wan_ip) get_wan_ip)
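Review bot: The new single `nft delete chain inet fw4 handle $(…)` line in del_firewall_rule passes whatever the grep yields as the argument list: with no matching chain the command is presumably malformed, and with more than one match (the pattern `PSW_RULE` is not anchored to `chain ` like the loop just above it) several handles follow one `handle` keyword; either way the `2>/dev/null` hides the failure and the chain survives a stop. Iterating like the preceding loop covers both cases: `for handle in $(nft -a list chains | grep -E "chain PSW_RULE" | awk -F '# handle ' '{print$2}'); do` / `nft delete chain inet fw4 handle ${handle} 2>/dev/null` / `done`. The added "Resource busy" comment explains the ordering well; if the reason is that the other PSW chains reference PSW_RULE, saying so would make the constraint clear to the next editor. del_firewall_rule's body continues outside the hunk.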