luci-app-passwall2: sync upstream

This commit is contained in:
actions 2024-03-14 18:30:11 +08:00
parent fe4cfe53ca
commit 9546a23f04
13 changed files with 493 additions and 431 deletions


@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall2 PKG_NAME:=luci-app-passwall2
PKG_VERSION:=1.27-5 PKG_VERSION:=1.28-1
PKG_RELEASE:= PKG_RELEASE:=
PKG_CONFIG_DEPENDS:= \ PKG_CONFIG_DEPENDS:= \


@ -176,13 +176,13 @@ end
function status() function status()
local e = {} local e = {}
e["global_status"] = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0 e["global_status"] = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0
luci.http.prepare_content("application/json") luci.http.prepare_content("application/json")
luci.http.write_json(e) luci.http.write_json(e)
end end
function haproxy_status() function haproxy_status()
local e = luci.sys.call(string.format("top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0 local e = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0
luci.http.prepare_content("application/json") luci.http.prepare_content("application/json")
luci.http.write_json(e) luci.http.write_json(e)
end end
@ -192,12 +192,12 @@ function socks_status()
local index = luci.http.formvalue("index") local index = luci.http.formvalue("index")
local id = luci.http.formvalue("id") local id = luci.http.formvalue("id")
e.index = index e.index = index
e.socks_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0 e.socks_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0
local use_http = ucic:get(appname, id, "http_port") or 0 local use_http = ucic:get(appname, id, "http_port") or 0
e.use_http = 0 e.use_http = 0
if tonumber(use_http) > 0 then if tonumber(use_http) > 0 then
e.use_http = 1 e.use_http = 1
e.http_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0 e.http_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0
end end
luci.http.prepare_content("application/json") luci.http.prepare_content("application/json")
luci.http.write_json(e) luci.http.write_json(e)
@ -355,7 +355,7 @@ end
function server_user_status() function server_user_status()
local e = {} local e = {}
e.index = luci.http.formvalue("index") e.index = luci.http.formvalue("index")
e.status = luci.sys.call(string.format("top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0 e.status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0
http_write_json(e) http_write_json(e)
end end
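Review bot: The rewritten `e.socks_status` and `e.http_status` lines in socks_status, and the `e.status` line in server_user_status, still splice the request parameter `id` (from `luci.http.formvalue("id")`) into a shell pipeline through string.format; a value containing a single quote leaves the `grep '%s'` quoting and is interpreted by the shell, and the switch to `/bin/busybox top` does not change that. The value only needs to match a config section name, so it should be validated before use, e.g. `if not id or not id:match("^[%w_%-]+$") then luci.http.status(400, "bad id") return end`, or at least wrapped with `luci.util.shellquote(id)`. The same applies to the inline `luci.http.formvalue("id")` argument in server_user_status. socks_status begins above the hunk, so the validation should go where `id` is first read.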


@ -1,5 +1,6 @@
local api = require "luci.passwall2.api" local api = require "luci.passwall2.api"
local appname = api.appname local appname = api.appname
local uci = api.uci
local sys = api.sys local sys = api.sys
local port_validate = function(self, value, t) local port_validate = function(self, value, t)
@ -156,48 +157,51 @@ end
sources.write = dynamicList_write sources.write = dynamicList_write
---- TCP No Redir Ports ---- TCP No Redir Ports
local TCP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_no_redir_ports")
o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports")) o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports"))
o.default = "default" o.default = "default"
o:value("disable", translate("No patterns are used")) o:value("disable", translate("No patterns are used"))
o:value("default", translate("Default")) o:value("default", translate("Use global config") .. "(" .. TCP_NO_REDIR_PORTS .. ")")
o:value("1:65535", translate("All")) o:value("1:65535", translate("All"))
o.validate = port_validate o.validate = port_validate
---- UDP No Redir Ports ---- UDP No Redir Ports
local UDP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_no_redir_ports")
o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"), o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"),
"<font color='red'>" .. "<font color='red'>" ..
translate("If you don't want to let the device in the list to go proxy, please choose all.") .. translate("If you don't want to let the device in the list to go proxy, please choose all.") ..
"</font>") "</font>")
o.default = "default" o.default = "default"
o:value("disable", translate("No patterns are used")) o:value("disable", translate("No patterns are used"))
o:value("default", translate("Default")) o:value("default", translate("Use global config") .. "(" .. UDP_NO_REDIR_PORTS .. ")")
o:value("1:65535", translate("All")) o:value("1:65535", translate("All"))
o.validate = port_validate o.validate = port_validate
node = s:option(ListValue, "node", "<a style='color: red'>" .. translate("Node") .. "</a>")
node.default = "default"
node:value("default", translate("Use global config"))
for k, v in pairs(nodes_table) do
node:value(v.id, v["remark"])
end
---- TCP Redir Ports ---- TCP Redir Ports
local TCP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_redir_ports")
o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports")) o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports"))
o.default = "default" o.default = "default"
o:value("default", translate("Default")) o:value("default", translate("Use global config") .. "(" .. TCP_REDIR_PORTS .. ")")
o:value("1:65535", translate("All")) o:value("1:65535", translate("All"))
o:value("22,25,53,143,465,587,853,993,995,80,443", translate("Common Use")) o:value("22,25,53,143,465,587,853,993,995,80,443", translate("Common Use"))
o:value("80,443", "80,443") o:value("80,443", "80,443")
o.validate = port_validate o.validate = port_validate
---- UDP Redir Ports ---- UDP Redir Ports
local UDP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_redir_ports")
o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports")) o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports"))
o.default = "default" o.default = "default"
o:value("default", translate("Default")) o:value("default", translate("Use global config") .. "(" .. UDP_REDIR_PORTS .. ")")
o:value("1:65535", translate("All")) o:value("1:65535", translate("All"))
o.validate = port_validate o.validate = port_validate
node = s:option(ListValue, "node", "<a style='color: red'>" .. translate("Node") .. "</a>")
node.default = "default"
node:value("default", translate("Default"))
for k, v in pairs(nodes_table) do
node:value(v.id, v["remark"])
end
o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol")) o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol"))
o:value("tcp", "TCP") o:value("tcp", "TCP")
o:value("doh", "DoH") o:value("doh", "DoH")


@ -211,6 +211,10 @@ o = s:taboption("Main", Flag, "localhost_proxy", translate("Localhost Proxy"), t
o.default = "1" o.default = "1"
o.rmempty = false o.rmempty = false
o = s:taboption("Main", Flag, "client_proxy", translate("Client Proxy"), translate("When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy."))
o.default = "1"
o.rmempty = false
node_socks_port = s:taboption("Main", Value, "node_socks_port", translate("Node") .. " Socks " .. translate("Listen Port")) node_socks_port = s:taboption("Main", Value, "node_socks_port", translate("Node") .. " Socks " .. translate("Listen Port"))
node_socks_port.default = 1070 node_socks_port.default = 1070
node_socks_port.datatype = "port" node_socks_port.datatype = "port"


@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal")
local has_singbox = api.finded_com("singbox") local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray") local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria") local has_hysteria2 = api.finded_com("hysteria")
local ss_aead_type = {} local ss_type = {}
local trojan_type = {} local trojan_type = {}
local vmess_type = {} local vmess_type = {}
local vless_type = {} local vless_type = {}
local hysteria2_type = {} local hysteria2_type = {}
if has_ss then if has_ss then
local s = "shadowsocks-libev" local s = "shadowsocks-libev"
table.insert(ss_aead_type, s) table.insert(ss_type, s)
end end
if has_ss_rust then if has_ss_rust then
local s = "shadowsocks-rust" local s = "shadowsocks-rust"
table.insert(ss_aead_type, s) table.insert(ss_type, s)
end end
if has_singbox then if has_singbox then
local s = "sing-box" local s = "sing-box"
table.insert(trojan_type, s) table.insert(trojan_type, s)
table.insert(ss_aead_type, s) table.insert(ss_type, s)
table.insert(vmess_type, s) table.insert(vmess_type, s)
table.insert(vless_type, s) table.insert(vless_type, s)
table.insert(hysteria2_type, s) table.insert(hysteria2_type, s)
@ -29,7 +29,7 @@ end
if has_xray then if has_xray then
local s = "xray" local s = "xray"
table.insert(trojan_type, s) table.insert(trojan_type, s)
table.insert(ss_aead_type, s) table.insert(ss_type, s)
table.insert(vmess_type, s) table.insert(vmess_type, s)
table.insert(vless_type, s) table.insert(vless_type, s)
end end
@ -56,9 +56,9 @@ o = s:option(DynamicList, "filter_discard_list", translate("Discard List"))
o = s:option(DynamicList, "filter_keep_list", translate("Keep List")) o = s:option(DynamicList, "filter_keep_list", translate("Keep List"))
if #ss_aead_type > 0 then if #ss_type > 0 then
o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD")) o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks"))
for key, value in pairs(ss_aead_type) do for key, value in pairs(ss_type) do
o:value(value) o:value(value)
end end
end end
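Review bot: The option key passed to `s:option(ListValue, "ss_type", ...)` changes from `ss_aead_type` to `ss_type`, so any value users already saved under the old key is no longer read and this list has no `o.default`, leaving the selection unset after the upgrade; the second config page (the hunk ending at the later `end end` with `o.default = "global"`) silently falls back to "global" for the same reason. Unless one of the files not shown here migrates the key, add a fallback that reads the old key when the new one is empty, or a one-off uci rename in the package's upgrade step. The surrounding form definition continues outside the hunk.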


@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal")
local has_singbox = api.finded_com("singbox") local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray") local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria") local has_hysteria2 = api.finded_com("hysteria")
local ss_aead_type = {} local ss_type = {}
local trojan_type = {} local trojan_type = {}
local vmess_type = {} local vmess_type = {}
local vless_type = {} local vless_type = {}
local hysteria2_type = {} local hysteria2_type = {}
if has_ss then if has_ss then
local s = "shadowsocks-libev" local s = "shadowsocks-libev"
table.insert(ss_aead_type, s) table.insert(ss_type, s)
end end
if has_ss_rust then if has_ss_rust then
local s = "shadowsocks-rust" local s = "shadowsocks-rust"
table.insert(ss_aead_type, s) table.insert(ss_type, s)
end end
if has_singbox then if has_singbox then
local s = "sing-box" local s = "sing-box"
table.insert(trojan_type, s) table.insert(trojan_type, s)
table.insert(ss_aead_type, s) table.insert(ss_type, s)
table.insert(vmess_type, s) table.insert(vmess_type, s)
table.insert(vless_type, s) table.insert(vless_type, s)
table.insert(hysteria2_type, s) table.insert(hysteria2_type, s)
@ -29,7 +29,7 @@ end
if has_xray then if has_xray then
local s = "xray" local s = "xray"
table.insert(trojan_type, s) table.insert(trojan_type, s)
table.insert(ss_aead_type, s) table.insert(ss_type, s)
table.insert(vmess_type, s) table.insert(vmess_type, s)
table.insert(vless_type, s) table.insert(vless_type, s)
end end
@ -76,11 +76,11 @@ o:depends("filter_keyword_mode", "2")
o:depends("filter_keyword_mode", "3") o:depends("filter_keyword_mode", "3")
o:depends("filter_keyword_mode", "4") o:depends("filter_keyword_mode", "4")
if #ss_aead_type > 0 then if #ss_type > 0 then
o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD")) o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks"))
o.default = "global" o.default = "global"
o:value("global", translate("Use global config")) o:value("global", translate("Use global config"))
for key, value in pairs(ss_aead_type) do for key, value in pairs(ss_type) do
o:value(value) o:value(value)
end end
end end


@ -204,7 +204,7 @@ local function start()
end end
local function stop() local function stop()
cmd(string.format("top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH)) cmd(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH))
if nft_flag == "0" then if nft_flag == "0" then
ipt("-D INPUT -j PSW2-SERVER 2>/dev/null") ipt("-D INPUT -j PSW2-SERVER 2>/dev/null")
ipt("-F PSW2-SERVER 2>/dev/null") ipt("-F PSW2-SERVER 2>/dev/null")
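Review bot: The new `cmd(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 ...", CONFIG_PATH))` line still stops the server by pattern-matching the whole process list and SIGKILLing every match, so any unrelated process whose command line happens to contain `CONFIG_PATH/` is killed too, and the servers get no chance to clean up; pinning busybox only changes which `top` is used. If the server processes record their PIDs this should use those, otherwise at least a `kill` with TERM first and a tighter match on the executable path. stop() continues past the hunk.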


@ -91,6 +91,12 @@ msgstr "路由器本机代理"
msgid "When selected, localhost can transparent proxy." msgid "When selected, localhost can transparent proxy."
msgstr "当勾选时,路由器本机可以透明代理。" msgstr "当勾选时,路由器本机可以透明代理。"
msgid "Client Proxy"
msgstr "客户端代理"
msgid "When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy."
msgstr "当勾选时,局域网内的设备可以透明代理。否则,将不代理。但您仍然可以使用访问控制允许指定的设备代理。"
msgid "Socks Config" msgid "Socks Config"
msgstr "Socks配置" msgstr "Socks配置"


@ -3,6 +3,7 @@ config global
option enabled '0' option enabled '0'
option node_socks_port '1070' option node_socks_port '1070'
option localhost_proxy '1' option localhost_proxy '1'
option client_proxy '1'
option socks_enabled '0' option socks_enabled '0'
option acl_enable '0' option acl_enable '0'
option node 'myshunt' option node 'myshunt'


@ -1122,6 +1122,7 @@ UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
TCP_PROXY_MODE="global" TCP_PROXY_MODE="global"
UDP_PROXY_MODE="global" UDP_PROXY_MODE="global"
LOCALHOST_PROXY=$(config_t_get global localhost_proxy '1') LOCALHOST_PROXY=$(config_t_get global localhost_proxy '1')
CLIENT_PROXY=$(config_t_get global client_proxy '1')
REMOTE_DNS_PROTOCOL=$(config_t_get global remote_dns_protocol tcp) REMOTE_DNS_PROTOCOL=$(config_t_get global remote_dns_protocol tcp)
REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote) REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote)
REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g') REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')


@ -210,45 +210,73 @@ load_acl() {
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks) [ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
write_ipset_direct=${write_ipset_direct:-1} write_ipset_direct=${write_ipset_direct:-1}
[ "${write_ipset_direct}" = "1" ] && {
if [ "$node" = "default" ]; then
local ipset_whitelist=${ipset_global_whitelist}
local ipset_whitelist6=${ipset_global_whitelist6}
else
local ipset_whitelist="passwall2_${sid}_whitelist"
local ipset_whitelist6="passwall2_${sid}_whitelist6"
ipset -! create $ipset_whitelist nethash maxelem 1048576
ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
fi
}
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
_iprange=$(echo ${i} | sed 's#iprange:##g') _iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "-m iprange --src-range") _ipt_source=$(factor ${_iprange} "-m iprange --src-range")
msg="备注【$remarksIP range【${_iprange}】," msg="$remarksIP range【${_iprange}】,"
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g') _ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="-m set --match-set ${_ipset} src" _ipt_source="-m set --match-set ${_ipset} src"
msg="备注【$remarksIPset【${_ipset}】," msg="$remarksIPset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g') _ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "-s") _ipt_source=$(factor ${_ip} "-s")
msg="备注$remarksIP【${_ip}】," msg="$remarksIP【${_ip}】,"
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g') _mac=$(echo ${i} | sed 's#mac:##g')
_ipt_source=$(factor ${_mac} "-m mac --mac-source") _ipt_source=$(factor ${_mac} "-m mac --mac-source")
msg="备注$remarksMAC【${_mac}】," msg="$remarksMAC【${_mac}】,"
else else
continue continue
fi fi
local ipset_whitelist="passwall2_${sid}_whitelist"
local ipset_whitelist6="passwall2_${sid}_whitelist6"
ipset -! create $ipset_whitelist nethash maxelem 1048576
ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
ipt_tmp=$ipt_n ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ -n "$redir_port" ] && { [ "$tcp_no_redir_ports" != "disable" ] && {
if [ "$tcp_proxy_mode" != "disable" ]; then if [ "$tcp_no_redir_ports" != "1:65535" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
if [ -n "${is_tproxy}" ]; then echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
msg2="${msg2}(TPROXY:${redir_port})代理"
ipt_tmp=$ipt_m
else else
msg2="${msg2}(REDIRECT:${redir_port})代理" #结束时会return无需加多余的规则。
tcp_proxy_mode="disable"
echolog " - ${msg}不代理所有 TCP"
fi
}
[ "$udp_no_redir_ports" != "disable" ] && {
if [ "$udp_no_redir_ports" != "1:65535" ]; then
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
else
#结束时会return无需加多余的规则。
udp_proxy_mode="disable"
echolog " - ${msg}不代理所有 UDP"
fi
}
[ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
msg2="${msg}使用 TCP 节点[$node_remark]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})"
else
msg2="${msg2}(REDIRECT:${redir_port})"
fi fi
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN [ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
@ -263,13 +291,6 @@ load_acl() {
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
} }
[ "$tcp_no_redir_ports" != "disable" ] && {
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
if [ "${ipt_tmp}" = "${ipt_n}" ]; then if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port) $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port)
$ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port) $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port)
@ -284,25 +305,13 @@ load_acl() {
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
} }
else
msg2="${msg}不代理TCP"
fi
echolog " - ${msg2}" echolog " - ${msg2}"
} }
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null
[ -n "$redir_port" ] && { [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
if [ "$udp_proxy_mode" != "disable" ]; then msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
msg2="${msg2}(TPROXY:${redir_port})代理"
[ "$udp_no_redir_ports" != "disable" ] && {
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN [ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
@ -315,9 +324,6 @@ load_acl() {
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
} }
else
msg2="${msg}不代理UDP"
fi
echolog " - ${msg2}" echolog " - ${msg2}"
} }
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
@ -329,26 +335,41 @@ load_acl() {
done done
} }
[ "$ENABLED_DEFAULT_ACL" == 1 ] && { [ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && {
# 加载默认代理模式 # 加载默认代理模式
if [ "$TCP_PROXY_MODE" != "disable" ]; then msg="【默认】,"
local ipt_tmp=$ipt_n local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
msg="${msg}${TCP_NO_REDIR_PORTS}外的"
}
[ "$NODE" != "nil" ] && {
msg="TCP默认代理使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
if [ -n "${is_tproxy}" ]; then
msg="${msg}(TPROXY:${REDIR_PORT})代理"
else
msg="${msg}(REDIRECT:${REDIR_PORT})代理"
fi
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${TCP_NO_REDIR_PORTS}外的" [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
msg="${msg}所有端口" $ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
TCP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 TCP 端口"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
UDP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 UDP 端口"
fi
}
if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${REDIR_PORT})"
else
msg2="${msg2}(REDIRECT:${REDIR_PORT})"
fi
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
@ -362,7 +383,7 @@ load_acl() {
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT) $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
} }
if [ "${ipt_tmp}" = "${ipt_n}" ]; then if [ -z "${is_tproxy}" ]; then
$ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT) $ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
$ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT) $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
else else
@ -378,25 +399,11 @@ load_acl() {
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY) $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
} }
echolog "${msg}" echolog "${msg2}"
}
fi fi
$ipt_n -A PSW2 $(comment "默认") -p tcp -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p tcp -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p tcp -j RETURN
# 加载UDP默认代理模式 if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
if [ "$UDP_PROXY_MODE" != "disable" ]; then msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
}
[ -n "1" ] && {
msg="UDP默认代理使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${UDP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE $ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
@ -410,11 +417,8 @@ load_acl() {
$ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
fi fi
echolog "${msg}" echolog "${msg2}"
}
fi fi
$ipt_m -A PSW2 $(comment "默认") -p udp -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p udp -j RETURN
} }
} }
@ -733,10 +737,41 @@ add_firewall_rule() {
} }
[ "$ENABLED_DEFAULT_ACL" == 1 ] && { [ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 加载路由器自身代理 TCP local ipt_tmp=$ipt_n
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
echolog "加载路由器自身 TCP 代理..."
# 过滤节点
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY
UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY
msg="【路由器本机】,"
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
unset TCP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 TCP"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
unset UDP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 UDP"
fi
}
# 加载路由器自身代理 TCP
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
[ "$accept_icmp" = "1" ] && { [ "$accept_icmp" = "1" ] && {
$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT $ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT) $ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
@ -749,19 +784,7 @@ add_firewall_rule() {
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT) $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
} }
local ipt_tmp=$ipt_n if [ -z "${is_tproxy}" ]; then
[ -n "${is_tproxy}" ] && {
echolog " - 启用 TPROXY 模式"
ipt_tmp=$ipt_m
}
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT) $ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
$ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT) $ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
$ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT $ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
@ -787,20 +810,8 @@ add_firewall_rule() {
done done
fi fi
# 处理轮换节点的分流或套娃
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
# 加载路由器自身代理 UDP # 加载路由器自身代理 UDP
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
echolog "加载路由器自身 UDP 代理..."
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
}
$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE $ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE $ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY) $ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
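Review bot: In the add_firewall_rule hunk, the `TCP_NO_REDIR_PORTS` / `UDP_NO_REDIR_PORTS` RETURN rules and their `echolog " - ${msg}不代理 ... 端口..."` lines (the block from `msg="【路由器本机】,"` through the two `}`) now run whenever `ENABLED_DEFAULT_ACL` is 1, including when `NODE` is `nil` or `LOCALHOST_PROXY` is 0, whereas the removed lines kept them inside the `[ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]` branches. On the visible lines PSW2_OUTPUT is only jumped to from inside those branches (`$ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT`), so the likely effect is stray rules plus a log that reports port exclusions for a localhost proxy that is not enabled, but it should be guarded: wrap that block in `[ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ] && { ... }`. A smaller asymmetry in load_acl: the default-ACL branch appends the `--dport $TCP_NO_REDIR_PORTS -j RETURN` rules even for `1:65535` before setting `TCP_PROXY_MODE="disable"`, while the per-ACL branch skips the rule in that case; making both behave the same avoids a redundant rule. add_firewall_rule and load_acl both start and end outside these hunks.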


@ -230,8 +230,6 @@ load_acl() {
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
[ "$tcp_no_redir_ports" = "1:65535" ] && tcp_proxy_mode="disable"
[ "$udp_no_redir_ports" = "1:65535" ] && udp_proxy_mode="disable"
node_remark=$(config_n_get $NODE remarks) node_remark=$(config_n_get $NODE remarks)
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node) [ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
@ -239,41 +237,70 @@ load_acl() {
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks) [ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
write_ipset_direct=${write_ipset_direct:-1} write_ipset_direct=${write_ipset_direct:-1}
[ "${write_ipset_direct}" = "1" ] && {
if [ "$node" = "default" ]; then
local nftset_whitelist=${nftset_global_whitelist}
local nftset_whitelist6=${nftset_global_whitelist6}
else
local nftset_whitelist="passwall2_${sid}_whitelist"
local nftset_whitelist6="passwall2_${sid}_whitelist6"
gen_nftset $nftset_whitelist ipv4_addr 0 0
gen_nftset $nftset_whitelist6 ipv6_addr 0 0
fi
}
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
_iprange=$(echo ${i} | sed 's#iprange:##g') _iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "ip saddr") _ipt_source=$(factor ${_iprange} "ip saddr")
msg="备注【$remarksIP range【${_iprange}】," msg="$remarksIP range【${_iprange}】,"
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g') _ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="ip daddr @${_ipset}" _ipt_source="ip daddr @${_ipset}"
msg="备注【$remarksNFTset【${_ipset}】," msg="$remarksNFTset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g') _ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "ip saddr") _ipt_source=$(factor ${_ip} "ip saddr")
msg="备注$remarksIP【${_ip}】," msg="$remarksIP【${_ip}】,"
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g') _mac=$(echo ${i} | sed 's#mac:##g')
_ipt_source=$(factor ${_mac} "ether saddr") _ipt_source=$(factor ${_mac} "ether saddr")
msg="备注$remarksMAC【${_mac}】," msg="$remarksMAC【${_mac}】,"
else else
continue continue
fi fi
local nftset_whitelist="passwall2_${sid}_whitelist" [ "$tcp_no_redir_ports" != "disable" ] && {
local nftset_whitelist6="passwall2_${sid}_whitelist6" if [ "$tcp_no_redir_ports" != "1:65535" ]; then
gen_nftset $nftset_whitelist ipv4_addr 0 0 nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
gen_nftset $nftset_whitelist6 ipv6_addr 0 0 nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
[ -n "$redir_port" ] && {
if [ "$tcp_proxy_mode" != "disable" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})代理"
else else
msg2="${msg2}(REDIRECT:${redir_port})代理" #结束时会return无需加多余的规则。
tcp_proxy_mode="disable"
echolog " - ${msg}不代理所有 TCP"
fi
}
[ "$udp_no_redir_ports" != "disable" ] && {
if [ "$udp_no_redir_ports" != "1:65535" ]; then
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
else
#结束时会return无需加多余的规则。
udp_proxy_mode="disable"
echolog " - ${msg}不代理所有 UDP"
fi
}
[ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
msg2="${msg}使用 TCP 节点[$node_remark]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})"
else
msg2="${msg2}(REDIRECT:${redir_port})"
fi fi
[ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" [ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
@ -291,13 +318,6 @@ load_acl() {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
} }
[ "$tcp_no_redir_ports" != "disable" ] && {
nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
if [ -z "${is_tproxy}" ]; then if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\"" nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\""
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\"" nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\""
@ -313,25 +333,13 @@ load_acl() {
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
} }
else
msg2="${msg}不代理TCP"
fi
echolog " - ${msg2}" echolog " - ${msg2}"
} }
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\"" nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
[ -n "$redir_port" ] && { [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
if [ "$udp_proxy_mode" != "disable" ]; then msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
msg2="${msg2}(TPROXY:${redir_port})代理"
[ "$udp_no_redir_ports" != "disable" ] && {
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
@ -344,9 +352,6 @@ load_acl() {
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
} }
else
msg2="${msg}不代理UDP"
fi
echolog " - ${msg2}" echolog " - ${msg2}"
} }
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
@ -358,23 +363,39 @@ load_acl() {
done done
} }
[ "$ENABLED_DEFAULT_ACL" == 1 ] && { [ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && {
# 加载默认代理模式 # 加载默认代理模式
if [ "$TCP_PROXY_MODE" != "disable" ]; then msg="【默认】,"
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
} if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
[ "$NODE" != "nil" ] && { echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
msg="TCP默认代理使用TCP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
if [ -n "${is_tproxy}" ]; then
msg="${msg}(TPROXY:${REDIR_PORT})代理"
else else
msg="${msg}(REDIRECT:${REDIR_PORT})代理" TCP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 TCP 端口"
fi fi
}
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${TCP_NO_REDIR_PORTS}外的" [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
msg="${msg}所有端口" nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
UDP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 UDP 端口"
fi
}
if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${REDIR_PORT})"
else
msg2="${msg2}(REDIRECT:${REDIR_PORT})"
fi
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
@ -407,22 +428,11 @@ load_acl() {
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
} }
echolog "${msg}" echolog "${msg2}"
}
fi fi
# 加载UDP默认代理模式 if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
if [ "$UDP_PROXY_MODE" != "disable" ]; then msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
}
[ -n "1" ] && {
msg="UDP默认代理使用UDP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${UDP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
@ -436,9 +446,8 @@ load_acl() {
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
} }
echolog "${msg}" echolog "${msg2}"
udp_flag=1 udp_flag=1
}
fi fi
} }
} }
@ -769,10 +778,38 @@ add_firewall_rule() {
} }
[ "$ENABLED_DEFAULT_ACL" == 1 ] && { [ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 加载路由器自身代理 TCP # 过滤节点
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then filter_node $NODE TCP > /dev/null 2>&1 &
echolog "加载路由器自身 TCP 代理..." filter_node $NODE UDP > /dev/null 2>&1 &
TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY
UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY
msg="【路由器本机】,"
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
unset TCP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 TCP"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
unset UDP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 UDP"
fi
}
# 加载路由器自身代理 TCP
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
[ "$accept_icmp" = "1" ] && { [ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect" nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect" nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
@ -785,16 +822,6 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return" nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
} }
[ -n "${is_tproxy}" ] && {
echolog " - 启用 TPROXY 模式"
}
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
}
if [ -z "${is_tproxy}" ]; then if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT)" nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT)"
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT)" nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT)"
@ -820,20 +847,8 @@ add_firewall_rule() {
done done
fi fi
# 处理轮换节点的分流或套娃
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
# 加载路由器自身代理 UDP # 加载路由器自身代理 UDP
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
echolog "加载路由器自身 UDP 代理..."
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
}
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE"
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\""
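Review bot: The four `counter return` rules that exempt TCP_NO_REDIR_PORTS / UDP_NO_REDIR_PORTS from the router's own proxying now log "不代理 … 端口[…]" unconditionally, whereas the lines they replace reported `[$?]`; if one of those `nft add rule` calls fails (a port list that `factor` turns into an expression nft rejects is enough), the excluded ports are still REDIRECTed/TPROXYed to the proxy while the log claims they are exempt, i.e. the bypass fails open and silently. Keep the status visible, e.g. `nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return" || echolog " - ${msg}[失败] 不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"`, with the same `|| echolog` on the v6 rule and both UDP rules. Separately, the default-ACL branch of load_acl earlier in this file now overwrites the script-wide TCP_PROXY_MODE / UDP_PROXY_MODE with "disable"; if anything that runs after load_acl branches on those names (not visible here), that is a new side effect worth a local copy or at least a comment. The enclosing add_firewall_rule body continues outside this hunk.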


@ -28,7 +28,7 @@ local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray") local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria") local has_hysteria2 = api.finded_com("hysteria")
local allowInsecure_default = true local allowInsecure_default = true
local ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev" local ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
local trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box" local trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
local vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray" local vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
local vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray" local vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"
@ -531,30 +531,48 @@ local function processData(szType, content, add_mode, add_from)
result.method = method result.method = method
result.password = password result.password = password
local aead = false if ss_type_default == "shadowsocks-rust" and has_ss_rust then
for k, v in ipairs({"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "chacha20-ietf-poly1305"}) do
if method:lower() == v:lower() then
aead = true
end
end
if aead then
if ss_aead_type_default == "shadowsocks-libev" and has_ss then
result.type = "SS"
elseif ss_aead_type_default == "shadowsocks-rust" and has_ss_rust then
result.type = 'SS-Rust' result.type = 'SS-Rust'
if method:lower() == "chacha20-poly1305" then
result.method = "chacha20-ietf-poly1305"
end end
elseif ss_aead_type_default == "sing-box" and has_singbox and not result.plugin then if ss_type_default == "xray" and has_xray then
result.type = 'sing-box'
result.protocol = 'shadowsocks'
elseif ss_aead_type_default == "xray" and has_xray and not result.plugin then
result.type = 'Xray' result.type = 'Xray'
result.protocol = 'shadowsocks' result.protocol = 'shadowsocks'
result.transport = 'tcp' result.transport = 'tcp'
if method:lower() == "chacha20-ietf-poly1305" then end
if ss_type_default == "sing-box" and has_singbox then
result.type = 'sing-box'
result.protocol = 'shadowsocks'
end
if result.type == "SS-Rust" and method:lower() == "chacha20-poly1305" then
result.method = "chacha20-ietf-poly1305"
end
if result.type == "Xray" and method:lower() == "chacha20-ietf-poly1305" then
result.method = "chacha20-poly1305" result.method = "chacha20-poly1305"
end end
if result.plugin then
if result.type == 'Xray' then
--不支持插件
result.error_msg = "Xray不支持插件."
end
if result.type == "sing-box" then
result.plugin_enabled = "1"
end
end
if result.type == "SS" then
local aead2022_methods = { "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm", "2022-blake3-chacha20-poly1305" }
local aead2022 = false
for k, v in ipairs(aead2022_methods) do
if method:lower() == v:lower() then
aead2022 = true
end
end
if aead2022 then
-- shadowsocks-libev 不支持2022加密
result.error_msg = "shadowsocks-libev 不支持2022加密."
end end
end end
end end
@ -1159,7 +1177,9 @@ local function parse_link(raw, add_mode, add_from)
end end
-- log(result) -- log(result)
if result then if result then
if not result.type then if result.error_msg then
log('丢弃节点: ' .. result.remarks .. ", 原因:" .. result.error_msg)
elseif not result.type then
log('丢弃节点: ' .. result.remarks .. ", 找不到可使用二进制.") log('丢弃节点: ' .. result.remarks .. ", 找不到可使用二进制.")
elseif (add_mode == "2" and is_filter_keyword(result.remarks)) or not result.address or result.remarks == "NULL" or result.address == "127.0.0.1" or elseif (add_mode == "2" and is_filter_keyword(result.remarks)) or not result.address or result.remarks == "NULL" or result.address == "127.0.0.1" or
(not datatypes.hostname(result.address) and not (api.is_ip(result.address))) then (not datatypes.hostname(result.address) and not (api.is_ip(result.address))) then
@ -1227,9 +1247,9 @@ local execute = function()
filter_keyword_keep_list_default = value.filter_keep_list or {} filter_keyword_keep_list_default = value.filter_keep_list or {}
filter_keyword_discard_list_default = value.filter_discard_list or {} filter_keyword_discard_list_default = value.filter_discard_list or {}
end end
local ss_aead_type = value.ss_aead_type or "global" local ss_type = value.ss_type or "global"
if ss_aead_type ~= "global" then if ss_type ~= "global" then
ss_aead_type_default = ss_aead_type ss_type_default = ss_type
end end
local trojan_type = value.trojan_type or "global" local trojan_type = value.trojan_type or "global"
if trojan_type ~= "global" then if trojan_type ~= "global" then
@ -1264,7 +1284,7 @@ local execute = function()
filter_keyword_mode_default = uci:get(appname, "@global_subscribe[0]", "filter_keyword_mode") or "0" filter_keyword_mode_default = uci:get(appname, "@global_subscribe[0]", "filter_keyword_mode") or "0"
filter_keyword_discard_list_default = uci:get(appname, "@global_subscribe[0]", "filter_discard_list") or {} filter_keyword_discard_list_default = uci:get(appname, "@global_subscribe[0]", "filter_discard_list") or {}
filter_keyword_keep_list_default = uci:get(appname, "@global_subscribe[0]", "filter_keep_list") or {} filter_keyword_keep_list_default = uci:get(appname, "@global_subscribe[0]", "filter_keep_list") or {}
ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev" ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box" trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray" vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray" vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"
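Review bot: The backend selection in the shadowsocks branch of processData (the three `if ss_type_default == ... and has_... then` blocks) reads as three independent tests although ss_type_default can match at most one of them, and nothing records what happens when the configured backend binary is absent: result.type is left as whatever was set before the hunk (presumably the libev "SS" value that the later 2022-cipher check keys on), so a subscription can silently land on a different engine than the one the user configured. Make the exclusivity explicit by chaining the second and third tests with `elseif`, and add a comment such as `-- if the configured backend is not installed, result.type keeps its earlier value and may be rejected by the checks below` so the fallback is documented rather than implicit. The enclosing processData function starts and ends outside this hunk.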