zhao/openwrt_helloworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

luci-app-passwall2: sync upstream

Browse Source
This commit is contained in:
actions 2024-03-14 18:30:11 +08:00
parent fe4cfe53ca
commit 9546a23f04
13 changed files with 493 additions and 431 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
luci-app-passwall2/Makefile
View File

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall2
PKG_VERSION:=1.27-5
PKG_VERSION:=1.28-1
PKG_RELEASE:=
PKG_CONFIG_DEPENDS:= \

10
luci-app-passwall2/luasrc/controller/passwall2.lua
View File

@ -176,13 +176,13 @@ end
function status()
local e = {}
e["global_status"] = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0
e["global_status"] = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0
luci.http.prepare_content("application/json")
luci.http.write_json(e)
end
function haproxy_status()
local e = luci.sys.call(string.format("top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0
local e = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0
luci.http.prepare_content("application/json")
luci.http.write_json(e)
end
@ -192,12 +192,12 @@ function socks_status()
local index = luci.http.formvalue("index")
local id = luci.http.formvalue("id")
e.index = index
e.socks_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0
e.socks_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0
local use_http = ucic:get(appname, id, "http_port") or 0
e.use_http = 0
if tonumber(use_http) > 0 then
e.use_http = 1
e.http_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0
e.http_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0
end
luci.http.prepare_content("application/json")
luci.http.write_json(e)
@ -355,7 +355,7 @@ end
function server_user_status()
local e = {}
e.index = luci.http.formvalue("index")
e.status = luci.sys.call(string.format("top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0
e.status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0
http_write_json(e)
end

28
luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua
View File

@ -1,5 +1,6 @@
local api = require "luci.passwall2.api"
local appname = api.appname
local uci = api.uci
local sys = api.sys
local port_validate = function(self, value, t)
@ -156,48 +157,51 @@ end
sources.write = dynamicList_write
---- TCP No Redir Ports
local TCP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_no_redir_ports")
o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports"))
o.default = "default"
o:value("disable", translate("No patterns are used"))
o:value("default", translate("Default"))
o:value("default", translate("Use global config") .. "(" .. TCP_NO_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o.validate = port_validate
---- UDP No Redir Ports
local UDP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_no_redir_ports")
o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"),
"<font color='red'>" ..
translate("If you don't want to let the device in the list to go proxy, please choose all.") ..
"</font>")
o.default = "default"
o:value("disable", translate("No patterns are used"))
o:value("default", translate("Default"))
o:value("default", translate("Use global config") .. "(" .. UDP_NO_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o.validate = port_validate
node = s:option(ListValue, "node", "<a style='color: red'>" .. translate("Node") .. "</a>")
node.default = "default"
node:value("default", translate("Use global config"))
for k, v in pairs(nodes_table) do
node:value(v.id, v["remark"])
end
---- TCP Redir Ports
local TCP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_redir_ports")
o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports"))
o.default = "default"
o:value("default", translate("Default"))
o:value("default", translate("Use global config") .. "(" .. TCP_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o:value("22,25,53,143,465,587,853,993,995,80,443", translate("Common Use"))
o:value("80,443", "80,443")
o.validate = port_validate
---- UDP Redir Ports
local UDP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_redir_ports")
o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports"))
o.default = "default"
o:value("default", translate("Default"))
o:value("default", translate("Use global config") .. "(" .. UDP_REDIR_PORTS .. ")")
o:value("1:65535", translate("All"))
o.validate = port_validate
node = s:option(ListValue, "node", "<a style='color: red'>" .. translate("Node") .. "</a>")
node.default = "default"
node:value("default", translate("Default"))
for k, v in pairs(nodes_table) do
node:value(v.id, v["remark"])
end
o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol"))
o:value("tcp", "TCP")
o:value("doh", "DoH")

4
luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua
View File

@ -211,6 +211,10 @@ o = s:taboption("Main", Flag, "localhost_proxy", translate("Localhost Proxy"), t
o.default = "1"
o.rmempty = false
o = s:taboption("Main", Flag, "client_proxy", translate("Client Proxy"), translate("When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy."))
o.default = "1"
o.rmempty = false
node_socks_port = s:taboption("Main", Value, "node_socks_port", translate("Node") .. " Socks " .. translate("Listen Port"))
node_socks_port.default = 1070
node_socks_port.datatype = "port"

16
luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua
View File

@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal")
local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria")
local ss_aead_type = {}
local ss_type = {}
local trojan_type = {}
local vmess_type = {}
local vless_type = {}
local hysteria2_type = {}
if has_ss then
local s = "shadowsocks-libev"
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
end
if has_ss_rust then
local s = "shadowsocks-rust"
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
end
if has_singbox then
local s = "sing-box"
table.insert(trojan_type, s)
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
table.insert(hysteria2_type, s)
@ -29,7 +29,7 @@ end
if has_xray then
local s = "xray"
table.insert(trojan_type, s)
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
end
@ -56,9 +56,9 @@ o = s:option(DynamicList, "filter_discard_list", translate("Discard List"))
o = s:option(DynamicList, "filter_keep_list", translate("Keep List"))
if #ss_aead_type > 0 then
o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD"))
for key, value in pairs(ss_aead_type) do
if #ss_type > 0 then
o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks"))
for key, value in pairs(ss_type) do
o:value(value)
end
end

16
luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua
View File

@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal")
local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria")
local ss_aead_type = {}
local ss_type = {}
local trojan_type = {}
local vmess_type = {}
local vless_type = {}
local hysteria2_type = {}
if has_ss then
local s = "shadowsocks-libev"
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
end
if has_ss_rust then
local s = "shadowsocks-rust"
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
end
if has_singbox then
local s = "sing-box"
table.insert(trojan_type, s)
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
table.insert(hysteria2_type, s)
@ -29,7 +29,7 @@ end
if has_xray then
local s = "xray"
table.insert(trojan_type, s)
table.insert(ss_aead_type, s)
table.insert(ss_type, s)
table.insert(vmess_type, s)
table.insert(vless_type, s)
end
@ -76,11 +76,11 @@ o:depends("filter_keyword_mode", "2")
o:depends("filter_keyword_mode", "3")
o:depends("filter_keyword_mode", "4")
if #ss_aead_type > 0 then
o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD"))
if #ss_type > 0 then
o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks"))
o.default = "global"
o:value("global", translate("Use global config"))
for key, value in pairs(ss_aead_type) do
for key, value in pairs(ss_type) do
o:value(value)
end
end

2
luci-app-passwall2/luasrc/passwall2/server_app.lua
View File

@ -204,7 +204,7 @@ local function start()
end
local function stop()
cmd(string.format("top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH))
cmd(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH))
if nft_flag == "0" then
ipt("-D INPUT -j PSW2-SERVER 2>/dev/null")
ipt("-F PSW2-SERVER 2>/dev/null")

6
luci-app-passwall2/po/zh-cn/passwall2.po
View File

@ -91,6 +91,12 @@ msgstr "路由器本机代理"
msgid "When selected, localhost can transparent proxy."
msgstr "当勾选时,路由器本机可以透明代理。"
msgid "Client Proxy"
msgstr "客户端代理"
msgid "When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy."
msgstr "当勾选时,局域网内的设备可以透明代理。否则,将不代理。但您仍然可以使用访问控制允许指定的设备代理。"
msgid "Socks Config"
msgstr "Socks配置"

1
luci-app-passwall2/root/usr/share/passwall2/0_default_config
View File

@ -3,6 +3,7 @@ config global
option enabled '0'
option node_socks_port '1070'
option localhost_proxy '1'
option client_proxy '1'
option socks_enabled '0'
option acl_enable '0'
option node 'myshunt'

1
luci-app-passwall2/root/usr/share/passwall2/app.sh
View File

@ -1122,6 +1122,7 @@ UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
TCP_PROXY_MODE="global"
UDP_PROXY_MODE="global"
LOCALHOST_PROXY=$(config_t_get global localhost_proxy '1')
CLIENT_PROXY=$(config_t_get global client_proxy '1')
REMOTE_DNS_PROTOCOL=$(config_t_get global remote_dns_protocol tcp)
REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote)
REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')

377
luci-app-passwall2/root/usr/share/passwall2/iptables.sh
View File

@ -210,114 +210,120 @@ load_acl() {
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
write_ipset_direct=${write_ipset_direct:-1}
[ "${write_ipset_direct}" = "1" ] && {
if [ "$node" = "default" ]; then
local ipset_whitelist=${ipset_global_whitelist}
local ipset_whitelist6=${ipset_global_whitelist6}
else
local ipset_whitelist="passwall2_${sid}_whitelist"
local ipset_whitelist6="passwall2_${sid}_whitelist6"
ipset -! create $ipset_whitelist nethash maxelem 1048576
ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
fi
}
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
_iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "-m iprange --src-range")
msg="备注【$remarksIP range【${_iprange}】,"
msg="$remarksIP range【${_iprange}】,"
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="-m set --match-set ${_ipset} src"
msg="备注【$remarksIPset【${_ipset}】,"
msg="$remarksIPset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "-s")
msg="备注$remarksIP【${_ip}】,"
msg="$remarksIP【${_ip}】,"
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g')
_ipt_source=$(factor ${_mac} "-m mac --mac-source")
msg="备注$remarksMAC【${_mac}】,"
msg="$remarksMAC【${_mac}】,"
else
continue
fi
local ipset_whitelist="passwall2_${sid}_whitelist"
local ipset_whitelist6="passwall2_${sid}_whitelist6"
ipset -! create $ipset_whitelist nethash maxelem 1048576
ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ -n "$redir_port" ] && {
if [ "$tcp_proxy_mode" != "disable" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})代理"
ipt_tmp=$ipt_m
else
msg2="${msg2}(REDIRECT:${redir_port})代理"
fi
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
}
[ "$tcp_no_redir_ports" != "disable" ] && {
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port)
$ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port)
else
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
}
[ "$tcp_no_redir_ports" != "disable" ] && {
if [ "$tcp_no_redir_ports" != "1:65535" ]; then
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
else
msg2="${msg}不代理TCP"
#结束时会return无需加多余的规则。
tcp_proxy_mode="disable"
echolog " - ${msg}不代理所有 TCP"
fi
echolog " - ${msg2}"
}
[ "$udp_no_redir_ports" != "disable" ] && {
if [ "$udp_no_redir_ports" != "1:65535" ]; then
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
else
#结束时会return无需加多余的规则。
udp_proxy_mode="disable"
echolog " - ${msg}不代理所有 UDP"
fi
}
[ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
msg2="${msg}使用 TCP 节点[$node_remark]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})"
else
msg2="${msg2}(REDIRECT:${redir_port})"
fi
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port)
$ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port)
else
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
}
echolog " - ${msg2}"
}
$ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null
[ -n "$redir_port" ] && {
if [ "$udp_proxy_mode" != "disable" ]; then
msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
msg2="${msg2}(TPROXY:${redir_port})代理"
[ "$udp_no_redir_ports" != "disable" ] && {
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
[ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
}
else
msg2="${msg}不代理UDP"
fi
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
}
echolog " - ${msg2}"
}
$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
@ -329,92 +335,90 @@ load_acl() {
done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
[ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && {
# 加载默认代理模式
if [ "$TCP_PROXY_MODE" != "disable" ]; then
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
msg="${msg}${TCP_NO_REDIR_PORTS}外的"
msg="【默认】,"
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
TCP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 TCP 端口"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
UDP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 UDP 端口"
fi
}
if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${REDIR_PORT})"
else
msg2="${msg2}(REDIRECT:${REDIR_PORT})"
fi
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
}
[ "$NODE" != "nil" ] && {
msg="TCP默认代理使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
if [ -n "${is_tproxy}" ]; then
msg="${msg}(TPROXY:${REDIR_PORT})代理"
else
msg="${msg}(REDIRECT:${REDIR_PORT})代理"
fi
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${TCP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
$ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
else
$ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
}
echolog "${msg}"
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
}
if [ -z "${is_tproxy}" ]; then
$ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
$ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
else
$ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
}
echolog "${msg2}"
fi
$ipt_n -A PSW2 $(comment "默认") -p tcp -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p tcp -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p tcp -j RETURN
# 加载UDP默认代理模式
if [ "$UDP_PROXY_MODE" != "disable" ]; then
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
}
if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
[ -n "1" ] && {
msg="UDP默认代理使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${UDP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
if [ "$PROXY_IPV6_UDP" == "1" ]; then
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
fi
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
if [ "$PROXY_IPV6_UDP" == "1" ]; then
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
fi
echolog "${msg}"
}
echolog "${msg2}"
fi
$ipt_m -A PSW2 $(comment "默认") -p udp -j RETURN
$ip6t_m -A PSW2 $(comment "默认") -p udp -j RETURN
}
}
@ -733,10 +737,41 @@ add_firewall_rule() {
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 加载路由器自身代理 TCP
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
echolog "加载路由器自身 TCP 代理..."
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
# 过滤节点
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY
UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY
msg="【路由器本机】,"
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
unset TCP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 TCP"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
unset UDP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 UDP"
fi
}
# 加载路由器自身代理 TCP
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
[ "$accept_icmp" = "1" ] && {
$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
@ -749,19 +784,7 @@ add_firewall_rule() {
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
}
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && {
echolog " - 启用 TPROXY 模式"
ipt_tmp=$ipt_m
}
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
if [ -z "${is_tproxy}" ]; then
$ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
$ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
$ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
@ -787,20 +810,8 @@ add_firewall_rule() {
done
fi
# 处理轮换节点的分流或套娃
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
# 加载路由器自身代理 UDP
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
echolog "加载路由器自身 UDP 代理..."
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
}
if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
$ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)

379
luci-app-passwall2/root/usr/share/passwall2/nftables.sh
View File

@ -230,8 +230,6 @@ load_acl() {
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
[ "$tcp_no_redir_ports" = "1:65535" ] && tcp_proxy_mode="disable"
[ "$udp_no_redir_ports" = "1:65535" ] && udp_proxy_mode="disable"
node_remark=$(config_n_get $NODE remarks)
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
@ -239,114 +237,121 @@ load_acl() {
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
write_ipset_direct=${write_ipset_direct:-1}
[ "${write_ipset_direct}" = "1" ] && {
if [ "$node" = "default" ]; then
local nftset_whitelist=${nftset_global_whitelist}
local nftset_whitelist6=${nftset_global_whitelist6}
else
local nftset_whitelist="passwall2_${sid}_whitelist"
local nftset_whitelist6="passwall2_${sid}_whitelist6"
gen_nftset $nftset_whitelist ipv4_addr 0 0
gen_nftset $nftset_whitelist6 ipv6_addr 0 0
fi
}
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
_iprange=$(echo ${i} | sed 's#iprange:##g')
_ipt_source=$(factor ${_iprange} "ip saddr")
msg="备注【$remarksIP range【${_iprange}】,"
msg="$remarksIP range【${_iprange}】,"
elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
_ipset=$(echo ${i} | sed 's#ipset:##g')
_ipt_source="ip daddr @${_ipset}"
msg="备注【$remarksNFTset【${_ipset}】,"
msg="$remarksNFTset【${_ipset}】,"
elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
_ip=$(echo ${i} | sed 's#ip:##g')
_ipt_source=$(factor ${_ip} "ip saddr")
msg="备注$remarksIP【${_ip}】,"
msg="$remarksIP【${_ip}】,"
elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
_mac=$(echo ${i} | sed 's#mac:##g')
_ipt_source=$(factor ${_mac} "ether saddr")
msg="备注$remarksMAC【${_mac}】,"
msg="$remarksMAC【${_mac}】,"
else
continue
fi
local nftset_whitelist="passwall2_${sid}_whitelist"
local nftset_whitelist6="passwall2_${sid}_whitelist6"
gen_nftset $nftset_whitelist ipv4_addr 0 0
gen_nftset $nftset_whitelist6 ipv6_addr 0 0
[ -n "$redir_port" ] && {
if [ "$tcp_proxy_mode" != "disable" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})代理"
else
msg2="${msg2}(REDIRECT:${redir_port})代理"
fi
[ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
[ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
}
[ "$tcp_no_redir_ports" != "disable" ] && {
nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\""
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\""
else
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
}
[ "$tcp_no_redir_ports" != "disable" ] && {
if [ "$tcp_no_redir_ports" != "1:65535" ]; then
nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\""
echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]"
else
msg2="${msg}不代理TCP"
#结束时会return无需加多余的规则。
tcp_proxy_mode="disable"
echolog " - ${msg}不代理所有 TCP"
fi
echolog " - ${msg2}"
}
[ "$udp_no_redir_ports" != "disable" ] && {
if [ "$udp_no_redir_ports" != "1:65535" ]; then
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]"
else
#结束时会return无需加多余的规则。
udp_proxy_mode="disable"
echolog " - ${msg}不代理所有 UDP"
fi
}
[ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
msg2="${msg}使用 TCP 节点[$node_remark]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${redir_port})"
else
msg2="${msg2}(REDIRECT:${redir_port})"
fi
[ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
[ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
}
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\""
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\""
else
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
}
echolog " - ${msg2}"
}
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
[ -n "$redir_port" ] && {
if [ "$udp_proxy_mode" != "disable" ]; then
msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
msg2="${msg2}(TPROXY:${redir_port})代理"
[ "$udp_no_redir_ports" != "disable" ] && {
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
[ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
}
else
msg2="${msg}不代理UDP"
fi
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
}
echolog " - ${msg2}"
}
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
@ -358,87 +363,91 @@ load_acl() {
done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
[ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && {
# 加载默认代理模式
if [ "$TCP_PROXY_MODE" != "disable" ]; then
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
msg="【默认】,"
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
TCP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 TCP 端口"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
UDP_PROXY_MODE="disable"
echolog " - ${msg}不代理所有 UDP 端口"
fi
}
if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${REDIR_PORT})"
else
msg2="${msg2}(REDIRECT:${REDIR_PORT})"
fi
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
}
[ "$NODE" != "nil" ] && {
msg="TCP默认代理使用TCP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
if [ -n "${is_tproxy}" ]; then
msg="${msg}(TPROXY:${REDIR_PORT})代理"
else
msg="${msg}(REDIRECT:${REDIR_PORT})代理"
fi
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${TCP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
}
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW2_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT) comment \"默认\""
else
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
}
echolog "${msg}"
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
}
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW2_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT) comment \"默认\""
else
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
fi
[ "$PROXY_IPV6" == "1" ] && {
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
}
echolog "${msg2}"
fi
# 加载UDP默认代理模式
if [ "$UDP_PROXY_MODE" != "disable" ]; then
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
}
[ -n "1" ] && {
msg="UDP默认代理使用UDP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}${UDP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
}
echolog "${msg}"
udp_flag=1
}
echolog "${msg2}"
udp_flag=1
fi
}
}
@ -769,10 +778,38 @@ add_firewall_rule() {
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
# 加载路由器自身代理 TCP
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
echolog "加载路由器自身 TCP 代理..."
# 过滤节点
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY
UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY
msg="【路由器本机】,"
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]"
else
unset TCP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 TCP"
fi
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then
echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]"
else
unset UDP_LOCALHOST_PROXY
echolog " - ${msg}不代理所有 UDP"
fi
}
# 加载路由器自身代理 TCP
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
@ -785,16 +822,6 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
}
[ -n "${is_tproxy}" ] && {
echolog " - 启用 TPROXY 模式"
}
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
}
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT)"
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT)"
@ -820,20 +847,8 @@ add_firewall_rule() {
done
fi
# 处理轮换节点的分流或套娃
filter_node $NODE TCP > /dev/null 2>&1 &
filter_node $NODE UDP > /dev/null 2>&1 &
# 加载路由器自身代理 UDP
if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
echolog "加载路由器自身 UDP 代理..."
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
}
if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE"
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE"
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\""

76
luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
View File

@ -28,7 +28,7 @@ local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
local has_hysteria2 = api.finded_com("hysteria")
local allowInsecure_default = true
local ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
local ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
local trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
local vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
local vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"
@ -531,31 +531,49 @@ local function processData(szType, content, add_mode, add_from)
result.method = method
result.password = password
local aead = false
for k, v in ipairs({"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "chacha20-ietf-poly1305"}) do
if method:lower() == v:lower() then
aead = true
if ss_type_default == "shadowsocks-rust" and has_ss_rust then
result.type = 'SS-Rust'
end
if ss_type_default == "xray" and has_xray then
result.type = 'Xray'
result.protocol = 'shadowsocks'
result.transport = 'tcp'
end
if ss_type_default == "sing-box" and has_singbox then
result.type = 'sing-box'
result.protocol = 'shadowsocks'
end
if result.type == "SS-Rust" and method:lower() == "chacha20-poly1305" then
result.method = "chacha20-ietf-poly1305"
end
if result.type == "Xray" and method:lower() == "chacha20-ietf-poly1305" then
result.method = "chacha20-poly1305"
end
if result.plugin then
if result.type == 'Xray' then
--不支持插件
result.error_msg = "Xray不支持插件."
end
if result.type == "sing-box" then
result.plugin_enabled = "1"
end
end
if aead then
if ss_aead_type_default == "shadowsocks-libev" and has_ss then
result.type = "SS"
elseif ss_aead_type_default == "shadowsocks-rust" and has_ss_rust then
result.type = 'SS-Rust'
if method:lower() == "chacha20-poly1305" then
result.method = "chacha20-ietf-poly1305"
end
elseif ss_aead_type_default == "sing-box" and has_singbox and not result.plugin then
result.type = 'sing-box'
result.protocol = 'shadowsocks'
elseif ss_aead_type_default == "xray" and has_xray and not result.plugin then
result.type = 'Xray'
result.protocol = 'shadowsocks'
result.transport = 'tcp'
if method:lower() == "chacha20-ietf-poly1305" then
result.method = "chacha20-poly1305"
if result.type == "SS" then
local aead2022_methods = { "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm", "2022-blake3-chacha20-poly1305" }
local aead2022 = false
for k, v in ipairs(aead2022_methods) do
if method:lower() == v:lower() then
aead2022 = true
end
end
if aead2022 then
-- shadowsocks-libev 不支持2022加密
result.error_msg = "shadowsocks-libev 不支持2022加密."
end
end
end
elseif szType == "trojan" then
@ -1159,8 +1177,10 @@ local function parse_link(raw, add_mode, add_from)
end
-- log(result)
if result then
if not result.type then
log('丢弃节点:' .. result.remarks .. ",找不到可使用二进制.")
if result.error_msg then
log('丢弃节点: ' .. result.remarks .. ", 原因:" .. result.error_msg)
elseif not result.type then
log('丢弃节点: ' .. result.remarks .. ", 找不到可使用二进制.")
elseif (add_mode == "2" and is_filter_keyword(result.remarks)) or not result.address or result.remarks == "NULL" or result.address == "127.0.0.1" or
(not datatypes.hostname(result.address) and not (api.is_ip(result.address))) then
log('丢弃过滤节点: ' .. result.type .. ' 节点, ' .. result.remarks)
@ -1227,9 +1247,9 @@ local execute = function()
filter_keyword_keep_list_default = value.filter_keep_list or {}
filter_keyword_discard_list_default = value.filter_discard_list or {}
end
local ss_aead_type = value.ss_aead_type or "global"
if ss_aead_type ~= "global" then
ss_aead_type_default = ss_aead_type
local ss_type = value.ss_type or "global"
if ss_type ~= "global" then
ss_type_default = ss_type
end
local trojan_type = value.trojan_type or "global"
if trojan_type ~= "global" then
@ -1264,7 +1284,7 @@ local execute = function()
filter_keyword_mode_default = uci:get(appname, "@global_subscribe[0]", "filter_keyword_mode") or "0"
filter_keyword_discard_list_default = uci:get(appname, "@global_subscribe[0]", "filter_discard_list") or {}
filter_keyword_keep_list_default = uci:get(appname, "@global_subscribe[0]", "filter_keep_list") or {}
ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"