From 98daf13a87daea9c7cbff8d922df680be0bda494 Mon Sep 17 00:00:00 2001
From: actions
Date: Sun, 9 Jun 2024 02:00:07 +0800
Subject: [PATCH] luci-app-passwall: sync upstream last commit: https://github.com/xiaorouji/openwrt-passwall/commit/a7f56b4070fe86af011e56397efb26ccebc4e867
---
.../luasrc/model/cbi/passwall/client/global.lua | 9 ++++++++-
luci-app-passwall/po/zh-cn/passwall.po | 9 +++++++++
luci-app-passwall/root/usr/share/passwall/app.sh | 5 +++--
luci-app-passwall/root/usr/share/passwall/iptables.sh | 10 ++++++++++
luci-app-passwall/root/usr/share/passwall/nftables.sh | 11 +++++++++++
patch-luci-app-passwall.patch | 2 +-
6 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
index 5590dd9cb..dcd414b01 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
@@ -408,7 +408,14 @@ o.description = "" o:depends({dns_shunt = "dnsmasq", tcp_proxy_mode = "proxy", chn_list = "direct"}) -o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect.")) +o = s:taboption("DNS", Flag, "dns_redirect", "DNS " .. translate("Redirect"), translate("Force Router DNS server to all local devices.")) +o.default = "0" + +if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then + o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect.")) +else + o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect.")) +end o.inputstyle = "remove" function o.write(e, e) luci.sys.call('[ -n "$(nft list sets 2>/dev/null | grep \"passwall_\")" ] && sh /usr/share/passwall/nftables.sh flush_nftset_reload || sh /usr/share/passwall/iptables.sh flush_ipset_reload > /dev/null 2>&1 &') diff --git a/luci-app-passwall/po/zh-cn/passwall.po b/luci-app-passwall/po/zh-cn/passwall.po index 4cd5cdfe5..f3d5894c4 100644 --- a/luci-app-passwall/po/zh-cn/passwall.po +++ b/luci-app-passwall/po/zh-cn/passwall.po @@ -187,9 +187,18 @@ msgstr "实验性功能。" msgid "Use FakeDNS work in the shunt domain that proxy." msgstr "需要代理的分流规则域名使用 FakeDNS。" +msgid "Redirect" +msgstr "重定向" + +msgid "Force Router DNS server to all local devices." +msgstr "强制所有本地设备使用路由器 DNS。" + msgid "Clear IPSET" msgstr "清空 IPSET" +msgid "Clear NFTSET" +msgstr "清空 NFTSET" + msgid "Try this feature if the rule modification does not take effect." msgstr "如果修改规则后没有生效,请尝试此功能。" diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index 9b6319de5..1d7f5e2c0 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh 
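Review bot: In the global.lua hunk the button label is now chosen from the uci option `use_nft`, while the unchanged `o.write` handler below it still picks the script by probing `nft list sets` for `passwall_` sets, so the label and the action taken can disagree (for example after `use_nft` is changed but before the sets are rebuilt). Computing the label once and keeping a single `taboption` call removes the duplicated branch and makes the single source of truth explicit: `local clear_label = (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" and translate("Clear NFTSET") or translate("Clear IPSET")`, then pass `clear_label` as the title. The description of the new `dns_redirect` flag should also state that only port 53 is redirected, so clients using encrypted DNS on other ports are not covered. The `o.write` body continues outside the hunk.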
@@ -204,14 +204,15 @@ check_port_exists() { } check_depends() { + local depends local tables=${1} if [ "$tables" == "iptables" ]; then for depends in "iptables-mod-tproxy" "iptables-mod-socket" "iptables-mod-iprange" "iptables-mod-conntrack-extra" "kmod-ipt-nat"; do - [ -z "$(opkg status ${depends} 2>/dev/null | grep 'Status' | awk -F ': ' '{print $2}' 2>/dev/null)" ] && echolog "$tables透明代理基础依赖 $depends 未安装..." + [ -s "/usr/lib/opkg/info/${depends}.control" ] || echolog "$tables透明代理基础依赖 $depends 未安装..." done else for depends in "kmod-nft-socket" "kmod-nft-tproxy" "kmod-nft-nat"; do - [ -z "$(opkg status ${depends} 2>/dev/null | grep 'Status' | awk -F ': ' '{print $2}' 2>/dev/null)" ] && echolog "$tables透明代理基础依赖 $depends 未安装..." + [ -s "/usr/lib/opkg/info/${depends}.control" ] || echolog "$tables透明代理基础依赖 $depends 未安装..." done fi } diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh index 2a7e94d89..07dcc3079 100755 --- a/luci-app-passwall/root/usr/share/passwall/iptables.sh +++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh @@ -1108,6 +1108,16 @@ add_firewall_rule() { $ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN" + + [ $(config_t_get global dns_redirect) == "1" ] && { + $ipt_m -A PSW -p udp --dport 53 -j RETURN + $ip6t_m -A PSW -p udp --dport 53 -j RETURN + $ipt_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null + $ipt_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null + $ip6t_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null + $ip6t_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null + } + } # 加载ACLS 
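Review bot: The new `[ -s "/usr/lib/opkg/info/${depends}.control" ]` test in check_depends (app.sh) hard-codes opkg's default info directory, so where the package database lives elsewhere (another package manager, or packages installed to a non-root opkg destination) every dependency would be logged as missing although it is installed. The result only feeds `echolog`, so this produces misleading log lines rather than a functional failure, but a misleading "not installed" message is what an operator will read first when transparent proxying breaks. A comment above the loops should record the assumption, e.g. `# a non-empty opkg control file is used as a cheap "installed" check; assumes the default /usr/lib/opkg/info layout`. The two loops now differ only in their package list and could share one test line.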
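Review bot: In the iptables.sh hunk the guard `[ $(config_t_get global dns_redirect) == "1" ]` leaves the command substitution unquoted, so when the option has never been saved (presumably the case on an upgraded install until the form is submitted) the test collapses to `[ == "1" ]` and prints a shell error instead of evaluating cleanly. `[ "$(config_t_get global dns_redirect)" = "1" ] && {` avoids that, and the nftables.sh hunk uses the same guard. The four REDIRECT rules go into nat PREROUTING with no inbound-interface or source match, so they apply to port-53 packets arriving on every interface rather than only from local devices as the option text says; restricting them to the LAN side is worth considering. Each insert also discards stderr, so if the IPv6 nat table is unavailable the IPv6 redirect is skipped silently while the option still appears enabled; logging that failure would make the gap visible. add_firewall_rule begins outside the hunk.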
diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh index 0bff3d45f..f8f340142 100755 --- a/luci-app-passwall/root/usr/share/passwall/nftables.sh +++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh @@ -1149,6 +1149,17 @@ add_firewall_rule() { nft "add rule inet fw4 mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\"" nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\"" + + [ $(config_t_get global dns_redirect) == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return" + nft insert rule inet fw4 dstnat position 0 tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null + nft insert rule inet fw4 dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null + nft insert rule inet fw4 dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null + nft insert rule inet fw4 dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null + uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null + uci commit dhcp 2>/dev/null + } } # 加载ACLS diff --git a/patch-luci-app-passwall.patch b/patch-luci-app-passwall.patch index 49c6a2719..83aa128de 100644 --- a/patch-luci-app-passwall.patch +++ b/patch-luci-app-passwall.patch @@ -24,7 +24,7 @@ index e52338c..7c71fff 100644 if code ~= 0 then local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'") diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua -index ef406ad..5590dd9 100644 +index 13bd889..dcd414b 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua 
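Review bot: Inside the `dns_redirect` block of nftables.sh, `uci -q set dhcp.@dnsmasq[0].dns_redirect='0'` followed by `uci commit dhcp` rewrites and persists dnsmasq's configuration from the firewall-rule path on every run, and nothing visible in the hunk restores the previous value when the passwall option is turned off. `uci commit dhcp` also commits any other staged changes to the dhcp config as a side effect, and the iptables.sh counterpart makes no such change, so the two back ends diverge. If the intent is to stop dnsmasq from installing its own redirect next to these rules, say so in a comment such as `# disable dnsmasq's own dns_redirect while the PSW_DNS_Hijack rules are active` and save and restore the old value on teardown. The four `nft insert rule inet fw4 dstnat` lines carry no interface match and discard stderr, so they cover port-53 traffic from every zone and fail silently if the chain is missing. add_firewall_rule begins outside the hunk.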
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua @@ -332,6 +332,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9-Recommended)")