diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile
index 54de3b735..eb9954136 100644
--- a/luci-app-passwall2/Makefile
+++ b/luci-app-passwall2/Makefile
@@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall2
-PKG_VERSION:=1.27-5
+PKG_VERSION:=1.28-1
PKG_RELEASE:=
PKG_CONFIG_DEPENDS:= \
diff --git a/luci-app-passwall2/luasrc/controller/passwall2.lua b/luci-app-passwall2/luasrc/controller/passwall2.lua
index db7f4bfdb..7a7c7630f 100644
--- a/luci-app-passwall2/luasrc/controller/passwall2.lua
+++ b/luci-app-passwall2/luasrc/controller/passwall2.lua
@@ -176,13 +176,13 @@ end
function status()
local e = {}
- e["global_status"] = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0
+ e["global_status"] = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0
luci.http.prepare_content("application/json")
luci.http.write_json(e)
end
function haproxy_status()
- local e = luci.sys.call(string.format("top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0
+ local e = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0
luci.http.prepare_content("application/json")
luci.http.write_json(e)
end
@@ -192,12 +192,12 @@ function socks_status()
local index = luci.http.formvalue("index")
local id = luci.http.formvalue("id")
e.index = index
- e.socks_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0
+ e.socks_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0
local use_http = ucic:get(appname, id, "http_port") or 0
e.use_http = 0
if tonumber(use_http) > 0 then
e.use_http = 1
- e.http_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0
+ e.http_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0
end
luci.http.prepare_content("application/json")
luci.http.write_json(e)
@@ -355,7 +355,7 @@ end
function server_user_status()
local e = {}
e.index = luci.http.formvalue("index")
- e.status = luci.sys.call(string.format("top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0
+ e.status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0
http_write_json(e)
end
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua
index b48aabfd4..fc686b5cb 100644
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua
@@ -1,5 +1,6 @@
local api = require "luci.passwall2.api"
local appname = api.appname
+local uci = api.uci
local sys = api.sys
local port_validate = function(self, value, t)
@@ -156,48 +157,51 @@ end
sources.write = dynamicList_write
---- TCP No Redir Ports
+local TCP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_no_redir_ports")
o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports"))
o.default = "default"
o:value("disable", translate("No patterns are used"))
-o:value("default", translate("Default"))
+o:value("default", translate("Use global config") .. "(" .. TCP_NO_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o.validate = port_validate
---- UDP No Redir Ports
+local UDP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_no_redir_ports")
o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"),
"" ..
translate("If you don't want to let the device in the list to go proxy, please choose all.") ..
"")
o.default = "default"
o:value("disable", translate("No patterns are used"))
-o:value("default", translate("Default"))
+o:value("default", translate("Use global config") .. "(" .. UDP_NO_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o.validate = port_validate
+node = s:option(ListValue, "node", "" .. translate("Node") .. "")
+node.default = "default"
+node:value("default", translate("Use global config"))
+for k, v in pairs(nodes_table) do
+ node:value(v.id, v["remark"])
+end
+
---- TCP Redir Ports
+local TCP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_redir_ports")
o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports"))
o.default = "default"
-o:value("default", translate("Default"))
+o:value("default", translate("Use global config") .. "(" .. TCP_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o:value("22,25,53,143,465,587,853,993,995,80,443", translate("Common Use"))
o:value("80,443", "80,443")
o.validate = port_validate
---- UDP Redir Ports
+local UDP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_redir_ports")
o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports"))
o.default = "default"
-o:value("default", translate("Default"))
+o:value("default", translate("Use global config") .. "(" .. UDP_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o.validate = port_validate
-node = s:option(ListValue, "node", "" .. translate("Node") .. "")
-node.default = "default"
-node:value("default", translate("Default"))
-
-for k, v in pairs(nodes_table) do
- node:value(v.id, v["remark"])
-end
-
o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol"))
o:value("tcp", "TCP")
o:value("doh", "DoH")
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua
index a600670a4..6afb0b2ba 100644
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua
@@ -211,6 +211,10 @@ o = s:taboption("Main", Flag, "localhost_proxy", translate("Localhost Proxy"), t
o.default = "1"
o.rmempty = false
+o = s:taboption("Main", Flag, "client_proxy", translate("Client Proxy"), translate("When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy."))
+o.default = "1"
+o.rmempty = false
+
node_socks_port = s:taboption("Main", Value, "node_socks_port", translate("Node") .. " Socks " .. translate("Listen Port"))
node_socks_port.default = 1070
node_socks_port.datatype = "port"
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua
index 75ada90e1..222ff7d13 100644
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua
@@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal")
local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria")
-local ss_aead_type = {}
+local ss_type = {}
local trojan_type = {}
local vmess_type = {}
local vless_type = {}
local hysteria2_type = {}
if has_ss then
local s = "shadowsocks-libev"
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
end
if has_ss_rust then
local s = "shadowsocks-rust"
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
end
if has_singbox then
local s = "sing-box"
table.insert(trojan_type, s)
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
table.insert(hysteria2_type, s)
@@ -29,7 +29,7 @@ end
if has_xray then
local s = "xray"
table.insert(trojan_type, s)
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
end
@@ -56,9 +56,9 @@ o = s:option(DynamicList, "filter_discard_list", translate("Discard List"))
o = s:option(DynamicList, "filter_keep_list", translate("Keep List"))
-if #ss_aead_type > 0 then
- o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD"))
- for key, value in pairs(ss_aead_type) do
+if #ss_type > 0 then
+ o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks"))
+ for key, value in pairs(ss_type) do
o:value(value)
end
end
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua
index 7764dd6d1..0ca1e2e93 100644
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua
@@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal")
local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria")
-local ss_aead_type = {}
+local ss_type = {}
local trojan_type = {}
local vmess_type = {}
local vless_type = {}
local hysteria2_type = {}
if has_ss then
local s = "shadowsocks-libev"
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
end
if has_ss_rust then
local s = "shadowsocks-rust"
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
end
if has_singbox then
local s = "sing-box"
table.insert(trojan_type, s)
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
table.insert(hysteria2_type, s)
@@ -29,7 +29,7 @@ end
if has_xray then
local s = "xray"
table.insert(trojan_type, s)
- table.insert(ss_aead_type, s)
+ table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
end
@@ -76,11 +76,11 @@ o:depends("filter_keyword_mode", "2")
o:depends("filter_keyword_mode", "3")
o:depends("filter_keyword_mode", "4")
-if #ss_aead_type > 0 then
- o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD"))
+if #ss_type > 0 then
+ o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks"))
o.default = "global"
o:value("global", translate("Use global config"))
- for key, value in pairs(ss_aead_type) do
+ for key, value in pairs(ss_type) do
o:value(value)
end
end
diff --git a/luci-app-passwall2/luasrc/passwall2/server_app.lua b/luci-app-passwall2/luasrc/passwall2/server_app.lua
index d77a65d7a..eadef9270 100644
--- a/luci-app-passwall2/luasrc/passwall2/server_app.lua
+++ b/luci-app-passwall2/luasrc/passwall2/server_app.lua
@@ -204,7 +204,7 @@ local function start()
end
local function stop()
- cmd(string.format("top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH))
+ cmd(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH))
if nft_flag == "0" then
ipt("-D INPUT -j PSW2-SERVER 2>/dev/null")
ipt("-F PSW2-SERVER 2>/dev/null")
diff --git a/luci-app-passwall2/po/zh-cn/passwall2.po b/luci-app-passwall2/po/zh-cn/passwall2.po
index 205071c69..d1f82d163 100644
--- a/luci-app-passwall2/po/zh-cn/passwall2.po
+++ b/luci-app-passwall2/po/zh-cn/passwall2.po
@@ -91,6 +91,12 @@ msgstr "路由器本机代理"
msgid "When selected, localhost can transparent proxy."
msgstr "当勾选时,路由器本机可以透明代理。"
+msgid "Client Proxy"
+msgstr "客户端代理"
+
+msgid "When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy."
+msgstr "当勾选时,局域网内的设备可以透明代理。否则,将不代理。但您仍然可以使用访问控制允许指定的设备代理。"
+
msgid "Socks Config"
msgstr "Socks配置"
diff --git a/luci-app-passwall2/root/usr/share/passwall2/0_default_config b/luci-app-passwall2/root/usr/share/passwall2/0_default_config
index 9547718f8..5392092bc 100644
--- a/luci-app-passwall2/root/usr/share/passwall2/0_default_config
+++ b/luci-app-passwall2/root/usr/share/passwall2/0_default_config
@@ -3,6 +3,7 @@ config global
option enabled '0'
option node_socks_port '1070'
option localhost_proxy '1'
+ option client_proxy '1'
option socks_enabled '0'
option acl_enable '0'
option node 'myshunt'
diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh
index ea203b0ff..a9ee2150d 100644
--- a/luci-app-passwall2/root/usr/share/passwall2/app.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh
@@ -1122,6 +1122,7 @@ UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
TCP_PROXY_MODE="global"
UDP_PROXY_MODE="global"
LOCALHOST_PROXY=$(config_t_get global localhost_proxy '1')
+CLIENT_PROXY=$(config_t_get global client_proxy '1')
REMOTE_DNS_PROTOCOL=$(config_t_get global remote_dns_protocol tcp)
REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote)
REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')
diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
index 68abe4e14..e26198477 100755
--- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
@@ -203,121 +203,127 @@ load_acl() {
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
-
+
node_remark=$(config_n_get $NODE remarks)
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
[ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port)
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
write_ipset_direct=${write_ipset_direct:-1}
+ [ "${write_ipset_direct}" = "1" ] && {
+ if [ "$node" = "default" ]; then
+ local ipset_whitelist=${ipset_global_whitelist}
+ local ipset_whitelist6=${ipset_global_whitelist6}
+ else
+ local ipset_whitelist="passwall2_${sid}_whitelist"
+ local ipset_whitelist6="passwall2_${sid}_whitelist6"
+ ipset -! create $ipset_whitelist nethash maxelem 1048576
+ ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
+ fi
+ }
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
_iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "-m iprange --src-range")
- msg="备注【$remarks】,IP range【${_iprange}】,"
+ msg="【$remarks】,IP range【${_iprange}】,"
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="-m set --match-set ${_ipset} src"
- msg="备注【$remarks】,IPset【${_ipset}】,"
+ msg="【$remarks】,IPset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "-s")
- msg="备注【$remarks】,IP【${_ip}】,"
+ msg="【$remarks】,IP【${_ip}】,"
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g')
_ipt_source=$(factor ${_mac} "-m mac --mac-source")
- msg="备注【$remarks】,MAC【${_mac}】,"
+ msg="【$remarks】,MAC【${_mac}】,"
else
continue
fi
-
- local ipset_whitelist="passwall2_${sid}_whitelist"
- local ipset_whitelist6="passwall2_${sid}_whitelist6"
- ipset -! create $ipset_whitelist nethash maxelem 1048576
- ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
-
- [ -n "$redir_port" ] && {
- if [ "$tcp_proxy_mode" != "disable" ]; then
- [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
- msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
- if [ -n "${is_tproxy}" ]; then
- msg2="${msg2}(TPROXY:${redir_port})代理"
- ipt_tmp=$ipt_m
- else
- msg2="${msg2}(REDIRECT:${redir_port})代理"
- fi
-
- [ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
-
- [ "$accept_icmp" = "1" ] && {
- $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
- $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
- }
-
- [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
- $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
- $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
- }
-
- [ "$tcp_no_redir_ports" != "disable" ] && {
- $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
- $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
- msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
- }
- msg2="${msg2}所有端口"
-
- if [ "${ipt_tmp}" = "${ipt_n}" ]; then
- $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port)
- $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port)
- else
- $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
- fi
- [ "$PROXY_IPV6" == "1" ] && {
- [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
- $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
- $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
- $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
- }
+
+ [ "$tcp_no_redir_ports" != "disable" ] && {
+ if [ "$tcp_no_redir_ports" != "1:65535" ]; then
+ $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
+ $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
+ echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
else
- msg2="${msg}不代理TCP"
+ #结束时会return,无需加多余的规则。
+ tcp_proxy_mode="disable"
+ echolog " - ${msg}不代理所有 TCP"
+ fi
+ }
+
+ [ "$udp_no_redir_ports" != "disable" ] && {
+ if [ "$udp_no_redir_ports" != "1:65535" ]; then
+ $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
+ $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
+ echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
+ else
+ #结束时会return,无需加多余的规则。
+ udp_proxy_mode="disable"
+ echolog " - ${msg}不代理所有 UDP"
fi
- echolog " - ${msg2}"
}
+ [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
+ [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
+ msg2="${msg}使用 TCP 节点[$node_remark]"
+ if [ -n "${is_tproxy}" ]; then
+ msg2="${msg2}(TPROXY:${redir_port})"
+ else
+ msg2="${msg2}(REDIRECT:${redir_port})"
+ fi
+
+ [ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
+
+ [ "$accept_icmp" = "1" ] && {
+ $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
+ $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
+ }
+
+ [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+ $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
+ $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
+ }
+
+ if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+ $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port)
+ $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port)
+ else
+ $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
+ fi
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
+ $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
+ $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
+ $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
+ }
+ echolog " - ${msg2}"
+ }
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null
- [ -n "$redir_port" ] && {
- if [ "$udp_proxy_mode" != "disable" ]; then
- msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
- msg2="${msg2}(TPROXY:${redir_port})代理"
- [ "$udp_no_redir_ports" != "disable" ] && {
- $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
- $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
- msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
- }
- msg2="${msg2}所有端口"
+ [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
+ msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
- [ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
- $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
+ [ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
+ $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
- [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
- $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
- $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
- $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
- }
- else
- msg2="${msg}不代理UDP"
- fi
+ [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
+ $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
+ $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
+ $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
+ }
echolog " - ${msg2}"
}
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
@@ -329,92 +335,90 @@ load_acl() {
done
}
- [ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+ [ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && {
# 加载默认代理模式
- if [ "$TCP_PROXY_MODE" != "disable" ]; then
- local ipt_tmp=$ipt_n
- [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
- $ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
- $ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
- msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
+ msg="【默认】,"
+ local ipt_tmp=$ipt_n
+ [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+ $ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ $ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
+ else
+ TCP_PROXY_MODE="disable"
+ echolog " - ${msg}不代理所有 TCP 端口"
+ fi
+ }
+
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+ $ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+ $ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+ if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
+ else
+ UDP_PROXY_MODE="disable"
+ echolog " - ${msg}不代理所有 UDP 端口"
+ fi
+ }
+
+ if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
+ msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
+ if [ -n "${is_tproxy}" ]; then
+ msg2="${msg2}(TPROXY:${REDIR_PORT})"
+ else
+ msg2="${msg2}(REDIRECT:${REDIR_PORT})"
+ fi
+
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
+
+ [ "$accept_icmp" = "1" ] && {
+ $ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
+ $ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
}
- [ "$NODE" != "nil" ] && {
- msg="TCP默认代理:使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
- if [ -n "${is_tproxy}" ]; then
- msg="${msg}(TPROXY:${REDIR_PORT})代理"
- else
- msg="${msg}(REDIRECT:${REDIR_PORT})代理"
- fi
-
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
- msg="${msg}所有端口"
-
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
-
- [ "$accept_icmp" = "1" ] && {
- $ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
- $ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
- }
-
- [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
- $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
- $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
- }
-
- if [ "${ipt_tmp}" = "${ipt_n}" ]; then
- $ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
- $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
- else
- $ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
- fi
-
- [ "$PROXY_IPV6" == "1" ] && {
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
- $ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
- $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
- $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
- }
-
- echolog "${msg}"
+
+ [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+ $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
+ $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
}
+
+ if [ -z "${is_tproxy}" ]; then
+ $ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
+ $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
+ else
+ $ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
+ fi
+
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
+ $ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
+ $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+ $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
+ }
+
+ echolog "${msg2}"
fi
- $ipt_n -A PSW2 $(comment "默认") -p tcp -j RETURN
- $ipt_m -A PSW2 $(comment "默认") -p tcp -j RETURN
- $ip6t_m -A PSW2 $(comment "默认") -p tcp -j RETURN
- # 加载UDP默认代理模式
- if [ "$UDP_PROXY_MODE" != "disable" ]; then
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
- $ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
- $ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
- }
+ if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
+ msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
- [ -n "1" ] && {
- msg="UDP默认代理:使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
-
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
- msg="${msg}所有端口"
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
+ $ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+ $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
- $ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
- $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
+ if [ "$PROXY_IPV6_UDP" == "1" ]; then
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
+ $ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
+ $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+ $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
+ fi
- if [ "$PROXY_IPV6_UDP" == "1" ]; then
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
- $ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
- $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
- $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
- fi
-
- echolog "${msg}"
- }
+ echolog "${msg2}"
fi
- $ipt_m -A PSW2 $(comment "默认") -p udp -j RETURN
- $ip6t_m -A PSW2 $(comment "默认") -p udp -j RETURN
}
}
@@ -733,10 +737,41 @@ add_firewall_rule() {
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+ local ipt_tmp=$ipt_n
+ [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+
+ # 过滤节点
+ filter_node $NODE TCP > /dev/null 2>&1 &
+ filter_node $NODE UDP > /dev/null 2>&1 &
+
+ TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY
+ UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY
+
+ msg="【路由器本机】,"
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+ $ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ $ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
+ else
+ unset TCP_LOCALHOST_PROXY
+ echolog " - ${msg}不代理所有 TCP"
+ fi
+ }
+
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+ $ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+ $ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+ if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
+ else
+ unset UDP_LOCALHOST_PROXY
+ echolog " - ${msg}不代理所有 UDP"
+ fi
+ }
+
# 加载路由器自身代理 TCP
- if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
- echolog "加载路由器自身 TCP 代理..."
-
+ if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
[ "$accept_icmp" = "1" ] && {
$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
@@ -748,20 +783,8 @@ add_firewall_rule() {
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
}
-
- local ipt_tmp=$ipt_n
- [ -n "${is_tproxy}" ] && {
- echolog " - 启用 TPROXY 模式"
- ipt_tmp=$ipt_m
- }
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
- $ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
- $ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
- echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
- }
-
- if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+ if [ -z "${is_tproxy}" ]; then
$ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
$ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
$ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
@@ -787,20 +810,8 @@ add_firewall_rule() {
done
fi
- # 处理轮换节点的分流或套娃
- filter_node $NODE TCP > /dev/null 2>&1 &
- filter_node $NODE UDP > /dev/null 2>&1 &
-
# 加载路由器自身代理 UDP
- if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
- echolog "加载路由器自身 UDP 代理..."
-
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
- $ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
- $ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
- echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
- }
-
+ if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
index 83a13dc17..13301db9b 100755
--- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
@@ -230,8 +230,6 @@ load_acl() {
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
- [ "$tcp_no_redir_ports" = "1:65535" ] && tcp_proxy_mode="disable"
- [ "$udp_no_redir_ports" = "1:65535" ] && udp_proxy_mode="disable"
node_remark=$(config_n_get $NODE remarks)
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
@@ -239,114 +237,121 @@ load_acl() {
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
write_ipset_direct=${write_ipset_direct:-1}
+ [ "${write_ipset_direct}" = "1" ] && {
+ if [ "$node" = "default" ]; then
+ local nftset_whitelist=${nftset_global_whitelist}
+ local nftset_whitelist6=${nftset_global_whitelist6}
+ else
+ local nftset_whitelist="passwall2_${sid}_whitelist"
+ local nftset_whitelist6="passwall2_${sid}_whitelist6"
+ gen_nftset $nftset_whitelist ipv4_addr 0 0
+ gen_nftset $nftset_whitelist6 ipv6_addr 0 0
+ fi
+ }
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
_iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "ip saddr")
- msg="备注【$remarks】,IP range【${_iprange}】,"
+ msg="【$remarks】,IP range【${_iprange}】,"
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="ip daddr @${_ipset}"
- msg="备注【$remarks】,NFTset【${_ipset}】,"
+ msg="【$remarks】,NFTset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "ip saddr")
- msg="备注【$remarks】,IP【${_ip}】,"
+ msg="【$remarks】,IP【${_ip}】,"
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g')
_ipt_source=$(factor ${_mac} "ether saddr")
- msg="备注【$remarks】,MAC【${_mac}】,"
+ msg="【$remarks】,MAC【${_mac}】,"
else
continue
fi
- local nftset_whitelist="passwall2_${sid}_whitelist"
- local nftset_whitelist6="passwall2_${sid}_whitelist6"
- gen_nftset $nftset_whitelist ipv4_addr 0 0
- gen_nftset $nftset_whitelist6 ipv6_addr 0 0
-
- [ -n "$redir_port" ] && {
- if [ "$tcp_proxy_mode" != "disable" ]; then
- [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
- msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
- if [ -n "${is_tproxy}" ]; then
- msg2="${msg2}(TPROXY:${redir_port})代理"
- else
- msg2="${msg2}(REDIRECT:${redir_port})代理"
- fi
-
- [ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
- [ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
-
- [ "$accept_icmp" = "1" ] && {
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
- }
-
- [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
- }
-
- [ "$tcp_no_redir_ports" != "disable" ] && {
- nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
- msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
- }
- msg2="${msg2}所有端口"
-
- if [ -z "${is_tproxy}" ]; then
- nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\""
- nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\""
- else
- nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
- fi
-
- [ "$PROXY_IPV6" == "1" ] && {
- [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
- }
+ [ "$tcp_no_redir_ports" != "disable" ] && {
+ if [ "$tcp_no_redir_ports" != "1:65535" ]; then
+ nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
+ echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
else
- msg2="${msg}不代理TCP"
+ #结束时会return,无需加多余的规则。
+ tcp_proxy_mode="disable"
+ echolog " - ${msg}不代理所有 TCP"
+ fi
+ }
+
+ [ "$udp_no_redir_ports" != "disable" ] && {
+ if [ "$udp_no_redir_ports" != "1:65535" ]; then
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
+ echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
+ else
+ #结束时会return,无需加多余的规则。
+ udp_proxy_mode="disable"
+ echolog " - ${msg}不代理所有 UDP"
fi
- echolog " - ${msg2}"
}
+ [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
+ [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
+ msg2="${msg}使用 TCP 节点[$node_remark]"
+ if [ -n "${is_tproxy}" ]; then
+ msg2="${msg2}(TPROXY:${redir_port})"
+ else
+ msg2="${msg2}(REDIRECT:${redir_port})"
+ fi
+
+ [ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
+ [ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
+
+ [ "$accept_icmp" = "1" ] && {
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
+ }
+
+ [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
+ }
+
+ if [ -z "${is_tproxy}" ]; then
+ nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\""
+ else
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
+ fi
+
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
+ }
+ echolog " - ${msg2}"
+ }
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
- [ -n "$redir_port" ] && {
- if [ "$udp_proxy_mode" != "disable" ]; then
- msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
- msg2="${msg2}(TPROXY:${redir_port})代理"
- [ "$udp_no_redir_ports" != "disable" ] && {
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
- msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
- }
- msg2="${msg2}所有端口"
+ [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
+ msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
- [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
+ [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
- [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
- }
- else
- msg2="${msg}不代理UDP"
- fi
+ [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
+ }
echolog " - ${msg2}"
}
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
@@ -358,87 +363,91 @@ load_acl() {
done
}
- [ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+ [ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && {
# 加载默认代理模式
- if [ "$TCP_PROXY_MODE" != "disable" ]; then
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
- nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
- nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
+ msg="【默认】,"
+
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+ nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
+ nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
+ if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
+ else
+ TCP_PROXY_MODE="disable"
+ echolog " - ${msg}不代理所有 TCP 端口"
+ fi
+ }
+
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+ nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
+ nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
+ if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
+ else
+ UDP_PROXY_MODE="disable"
+ echolog " - ${msg}不代理所有 UDP 端口"
+ fi
+ }
+
+ if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
+ msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
+ if [ -n "${is_tproxy}" ]; then
+ msg2="${msg2}(TPROXY:${REDIR_PORT})"
+ else
+ msg2="${msg2}(REDIRECT:${REDIR_PORT})"
+ fi
+
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
+
+ [ "$accept_icmp" = "1" ] && {
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
}
- [ "$NODE" != "nil" ] && {
- msg="TCP默认代理:使用TCP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
- if [ -n "${is_tproxy}" ]; then
- msg="${msg}(TPROXY:${REDIR_PORT})代理"
- else
- msg="${msg}(REDIRECT:${REDIR_PORT})代理"
- fi
-
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
- msg="${msg}所有端口"
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
-
- [ "$accept_icmp" = "1" ] && {
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
- }
-
- [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
- nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
- }
-
- if [ -z "${is_tproxy}" ]; then
- nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT) comment \"默认\""
- nft "add rule inet fw4 PSW2_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT) comment \"默认\""
- else
- nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
- fi
-
- [ "$PROXY_IPV6" == "1" ] && {
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
- }
-
- echolog "${msg}"
+ [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
+ nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
}
+
+ if [ -z "${is_tproxy}" ]; then
+ nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT) comment \"默认\""
+ nft "add rule inet fw4 PSW2_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT) comment \"默认\""
+ else
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
+ fi
+
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
+ }
+
+ echolog "${msg2}"
fi
- # 加载UDP默认代理模式
- if [ "$UDP_PROXY_MODE" != "disable" ]; then
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
- nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
- nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
+ if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
+ msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
+
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
+
+ [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
+ nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
}
- [ -n "1" ] && {
- msg="UDP默认代理:使用UDP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
-
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
- msg="${msg}所有端口"
-
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
-
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
- [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
- nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
- }
-
- echolog "${msg}"
- udp_flag=1
- }
+ echolog "${msg2}"
+ udp_flag=1
fi
}
}
@@ -769,10 +778,38 @@ add_firewall_rule() {
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
- # 加载路由器自身代理 TCP
- if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
- echolog "加载路由器自身 TCP 代理..."
+ # 过滤节点
+ filter_node $NODE TCP > /dev/null 2>&1 &
+ filter_node $NODE UDP > /dev/null 2>&1 &
+ TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY
+ UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY
+
+ msg="【路由器本机】,"
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+ nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
+ nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
+ if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
+ else
+ unset TCP_LOCALHOST_PROXY
+ echolog " - ${msg}不代理所有 TCP"
+ fi
+ }
+
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+ nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
+ nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
+ if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
+ echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
+ else
+ unset UDP_LOCALHOST_PROXY
+ echolog " - ${msg}不代理所有 UDP"
+ fi
+ }
+
+ # 加载路由器自身代理 TCP
+ if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
@@ -785,16 +822,6 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
}
- [ -n "${is_tproxy}" ] && {
- echolog " - 启用 TPROXY 模式"
- }
-
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
- nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
- nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
- echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
- }
-
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT)"
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT)"
@@ -819,21 +846,9 @@ add_firewall_rule() {
nft "insert rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip protocol tcp oif $iface counter return"
done
fi
-
- # 处理轮换节点的分流或套娃
- filter_node $NODE TCP > /dev/null 2>&1 &
- filter_node $NODE UDP > /dev/null 2>&1 &
# 加载路由器自身代理 UDP
- if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
- echolog "加载路由器自身 UDP 代理..."
-
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
- nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
- nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
- echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
- }
-
+ if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE"
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\""
diff --git a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
index b3a1217d6..2fc190438 100755
--- a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
+++ b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
@@ -28,7 +28,7 @@ local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria")
local allowInsecure_default = true
-local ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
+local ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
local trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
local vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
local vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"
@@ -531,31 +531,49 @@ local function processData(szType, content, add_mode, add_from)
result.method = method
result.password = password
- local aead = false
- for k, v in ipairs({"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "chacha20-ietf-poly1305"}) do
- if method:lower() == v:lower() then
- aead = true
+ if ss_type_default == "shadowsocks-rust" and has_ss_rust then
+ result.type = 'SS-Rust'
+ end
+ if ss_type_default == "xray" and has_xray then
+ result.type = 'Xray'
+ result.protocol = 'shadowsocks'
+ result.transport = 'tcp'
+ end
+ if ss_type_default == "sing-box" and has_singbox then
+ result.type = 'sing-box'
+ result.protocol = 'shadowsocks'
+ end
+
+ if result.type == "SS-Rust" and method:lower() == "chacha20-poly1305" then
+ result.method = "chacha20-ietf-poly1305"
+ end
+
+ if result.type == "Xray" and method:lower() == "chacha20-ietf-poly1305" then
+ result.method = "chacha20-poly1305"
+ end
+
+ if result.plugin then
+ if result.type == 'Xray' then
+ --不支持插件
+ result.error_msg = "Xray不支持插件."
+ end
+ if result.type == "sing-box" then
+ result.plugin_enabled = "1"
end
end
- if aead then
- if ss_aead_type_default == "shadowsocks-libev" and has_ss then
- result.type = "SS"
- elseif ss_aead_type_default == "shadowsocks-rust" and has_ss_rust then
- result.type = 'SS-Rust'
- if method:lower() == "chacha20-poly1305" then
- result.method = "chacha20-ietf-poly1305"
- end
- elseif ss_aead_type_default == "sing-box" and has_singbox and not result.plugin then
- result.type = 'sing-box'
- result.protocol = 'shadowsocks'
- elseif ss_aead_type_default == "xray" and has_xray and not result.plugin then
- result.type = 'Xray'
- result.protocol = 'shadowsocks'
- result.transport = 'tcp'
- if method:lower() == "chacha20-ietf-poly1305" then
- result.method = "chacha20-poly1305"
+
+ if result.type == "SS" then
+ local aead2022_methods = { "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm", "2022-blake3-chacha20-poly1305" }
+ local aead2022 = false
+ for k, v in ipairs(aead2022_methods) do
+ if method:lower() == v:lower() then
+ aead2022 = true
end
end
+ if aead2022 then
+ -- shadowsocks-libev 不支持2022加密
+ result.error_msg = "shadowsocks-libev 不支持2022加密."
+ end
end
end
elseif szType == "trojan" then
@@ -1159,8 +1177,10 @@ local function parse_link(raw, add_mode, add_from)
end
-- log(result)
if result then
- if not result.type then
- log('丢弃节点:' .. result.remarks .. ",找不到可使用二进制.")
+ if result.error_msg then
+ log('丢弃节点: ' .. result.remarks .. ", 原因:" .. result.error_msg)
+ elseif not result.type then
+ log('丢弃节点: ' .. result.remarks .. ", 找不到可使用二进制.")
elseif (add_mode == "2" and is_filter_keyword(result.remarks)) or not result.address or result.remarks == "NULL" or result.address == "127.0.0.1" or
(not datatypes.hostname(result.address) and not (api.is_ip(result.address))) then
log('丢弃过滤节点: ' .. result.type .. ' 节点, ' .. result.remarks)
@@ -1227,9 +1247,9 @@ local execute = function()
filter_keyword_keep_list_default = value.filter_keep_list or {}
filter_keyword_discard_list_default = value.filter_discard_list or {}
end
- local ss_aead_type = value.ss_aead_type or "global"
- if ss_aead_type ~= "global" then
- ss_aead_type_default = ss_aead_type
+ local ss_type = value.ss_type or "global"
+ if ss_type ~= "global" then
+ ss_type_default = ss_type
end
local trojan_type = value.trojan_type or "global"
if trojan_type ~= "global" then
@@ -1264,7 +1284,7 @@ local execute = function()
filter_keyword_mode_default = uci:get(appname, "@global_subscribe[0]", "filter_keyword_mode") or "0"
filter_keyword_discard_list_default = uci:get(appname, "@global_subscribe[0]", "filter_discard_list") or {}
filter_keyword_keep_list_default = uci:get(appname, "@global_subscribe[0]", "filter_keep_list") or {}
- ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
+ ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"