diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua
index 3bce1c883..d1beff4f1 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua
@@ -279,7 +279,7 @@ o:depends({ tcp_node = "", ['!reverse'] = true })
 o = s:option(ListValue, "dns_shunt", "DNS " .. translate("Shunt"))
 o:depends({ tcp_node = "", ['!reverse'] = true })
 o:value("dnsmasq", "Dnsmasq")
-o:value("chinadns-ng", "Dnsmasq + ChinaDNS-NG")
+o:value("chinadns-ng", translate("ChinaDNS-NG (recommended)"))
 
 o = s:option(Flag, "filter_proxy_ipv6", translate("Filter Proxy Host IPv6"), translate("Experimental feature."))
 o.default = "0"
diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
index 0e5299b9a..9995c4c2b 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
@@ -292,7 +292,7 @@ s:tab("DNS", translate("DNS"))
 
 dns_shunt = s:taboption("DNS", ListValue, "dns_shunt", "DNS " .. translate("Shunt"))
 dns_shunt:value("dnsmasq", "Dnsmasq")
-dns_shunt:value("chinadns-ng", "Dnsmasq + ChinaDNS-NG")
+dns_shunt:value("chinadns-ng", translate("ChinaDNS-NG (recommended)"))
 
 o = s:taboption("DNS", ListValue, "direct_dns_mode", translate("Direct DNS") .. " " .. translate("Request protocol"))
 o.default = ""
diff --git a/luci-app-passwall/po/zh-cn/passwall.po b/luci-app-passwall/po/zh-cn/passwall.po
index 97e4d5b15..bdf380291 100644
--- a/luci-app-passwall/po/zh-cn/passwall.po
+++ b/luci-app-passwall/po/zh-cn/passwall.po
@@ -169,6 +169,9 @@ msgstr "此功能需要 DNS 服务器支持 EDNS Client Subnet(RFC7871)。"
 msgid "The effect is better, recommend."
 msgstr "效果更好,推荐使用。"
 
+msgid "ChinaDNS-NG (recommended)"
+msgstr "ChinaDNS-NG (推荐)"
+
 msgid "Default DNS"
 msgstr "默认 DNS"
 
diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh
index 8724d10bf..ce5c6494e 100755
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -551,10 +551,10 @@ run_chinadns_ng() {
 	local _LOG_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.log
 	_LOG_FILE="/dev/null"
 
-	_extra_param="-FLAG ${_flag} -LISTEN_PORT ${_listen_port} -DNS_LOCAL ${_dns_local} -DNS_TRUST ${_dns_trust}"
-	_extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -GFWLIST ${_gfwlist} -CHNLIST ${_chnlist}"
-	_extra_param="${_extra_param} -NO_IPV6_TRUST ${_no_ipv6_trust} -DEFAULT_MODE ${_default_mode} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag}"
-	_extra_param="${_extra_param} -NO_LOGIC_LOG ${_no_logic_log} -TCP_NODE ${_tcp_node}"
+	_extra_param="-FLAG ${_flag} -TCP_NODE ${_tcp_node} -LISTEN_PORT ${_listen_port} -DNS_LOCAL ${_dns_local} -DNS_TRUST ${_dns_trust}"
+	_extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -USE_BLOCK_LIST ${_use_block_list}"
+	_extra_param="${_extra_param} -GFWLIST ${_gfwlist} -CHNLIST ${_chnlist} -NO_IPV6_TRUST ${_no_ipv6_trust} -DEFAULT_MODE ${_default_mode}"
+	_extra_param="${_extra_param} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag} -NO_LOGIC_LOG ${_no_logic_log}"
 	lua $APP_PATH/helper_chinadns_add.lua ${_extra_param} > ${_CONF_FILE}
 	ln_run "$(first_type chinadns-ng)" chinadns-ng "${_LOG_FILE}" -C ${_CONF_FILE}
 
@@ -1500,6 +1500,7 @@ start_dns() {
 			_no_ipv6_trust=${FILTER_PROXY_IPV6} \
 			_use_direct_list=${USE_DIRECT_LIST} \
 			_use_proxy_list=${USE_PROXY_LIST} \
+			_use_block_list=${USE_BLOCK_LIST} \
 			_gfwlist=${USE_GFW_LIST} \
 			_chnlist=${CHN_LIST} \
 			_default_mode=${TCP_PROXY_MODE} \
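Review bot: `_extra_param` is expanded unquoted on the `lua $APP_PATH/helper_chinadns_add.lua ${_extra_param}` line, so if the caller leaves `_use_block_list` empty the new `-USE_BLOCK_LIST` flag is immediately followed by `-GFWLIST` and every flag/value pair after it shifts by one. That is an existing property of all the flags built here, but this commit introduces a new caller-supplied variable, so defaulting it at the point of use is cheap insurance: `_extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -USE_BLOCK_LIST ${_use_block_list:-0}"`. How the helper fills `var[...]` is not in this diff, so whether a shifted pair is rejected or silently mis-assigned cannot be confirmed from here. The body of `run_chinadns_ng` begins above the hunk.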
@@ -1696,6 +1697,7 @@ acl_app() {
 				_no_ipv6_trust=${filter_proxy_ipv6} \
 				_use_direct_list=${use_direct_list} \
 				_use_proxy_list=${use_proxy_list} \
+				_use_block_list=${use_block_list} \
 				_gfwlist=${use_gfw_list} \
 				_chnlist=${chn_list} \
 				_default_mode=${tcp_proxy_mode} \
diff --git a/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
index 127a170ec..2f430f843 100644
--- a/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
@@ -9,6 +9,7 @@ local DNS_LOCAL = var["-DNS_LOCAL"]
 local DNS_TRUST = var["-DNS_TRUST"]
 local USE_DIRECT_LIST = var["-USE_DIRECT_LIST"]
 local USE_PROXY_LIST = var["-USE_PROXY_LIST"]
+local USE_BLOCK_LIST = var["-USE_BLOCK_LIST"]
 local GFWLIST = var["-GFWLIST"]
 local CHNLIST = var["-CHNLIST"]
 local NO_IPV6_TRUST = var["-NO_IPV6_TRUST"]
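Review bot: `_use_block_list=${use_block_list}` reads a per-ACL `use_block_list` variable, but the `acl_config.lua` hunk in this commit adds no such ACL option and nothing visible in this hunk shows where it is populated; if it is unset for an ACL, the flag reaches `run_chinadns_ng` empty and that ACL silently gets no block list in its chinadns-ng config. If the per-ACL value is meant to inherit the global setting when absent, say so in the code: `_use_block_list=${use_block_list:-${USE_BLOCK_LIST}} \`. The origin of `use_block_list` may well be an `eval` of the ACL section further up in `acl_app`, which starts outside the hunk, so this is worth confirming rather than assuming.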
@@ -73,91 +74,6 @@ config_lines = {
 	"filter-qtype 65"
 }
 
---始终用国内DNS解析节点域名
-local file_vpslist = TMP_ACL_PATH .. "/vpslist"
-if not is_file_nonzero(file_vpslist) then
-	local f_out = io.open(file_vpslist, "w")
-	uci:foreach(appname, "nodes", function(t)
-		local address = t.address
-		if address == "engage.cloudflareclient.com" then return end
-		if datatypes.hostname(address) then
-			f_out:write(address .. "\n")
-		end
-	end)
-	f_out:close()
-end
-if is_file_nonzero(file_vpslist) then
-	tmp_lines = {
-		"group vpslist",
-		"group-dnl " .. file_vpslist,
-		"group-upstream " .. DNS_LOCAL,
-		"group-ipset " .. setflag .. "passwall_vpslist," .. setflag .. "passwall_vpslist6"
-	}
-	merge_array(config_lines, tmp_lines)
-	log(string.format(" - 节点列表中的域名(vpslist):%s", DNS_LOCAL or "默认"))
-end
-
---直连(白名单)列表
-local file_direct_host = TMP_ACL_PATH .. "/direct_host"
-if USE_DIRECT_LIST == "1" and not fs.access(file_direct_host) then --对自定义列表进行清洗
-	local direct_domain = {}
-	local lookup_direct_domain = {}
-	for line in io.lines(RULES_PATH .. "/direct_host") do
-		line = api.get_std_domain(line)
-		if line ~= "" and not line:find("#") then
-			insert_unique(direct_domain, line, lookup_direct_domain)
-		end
-	end
-	if #direct_domain > 0 then
-		local f_out = io.open(file_direct_host, "w")
-		for i = 1, #direct_domain do
-			f_out:write(direct_domain[i] .. "\n")
-		end
-		f_out:close()
-	end
-end
-if USE_DIRECT_LIST == "1" and is_file_nonzero(file_direct_host) then
-	tmp_lines = {
-		"group directlist",
-		"group-dnl " .. file_direct_host,
-		"group-upstream " .. DNS_LOCAL,
-		"group-ipset " .. setflag .. "passwall_whitelist," .. setflag .. "passwall_whitelist6"
-	}
-	merge_array(config_lines, tmp_lines)
-	log(string.format(" - 域名白名单(whitelist):%s", DNS_LOCAL or "默认"))
-end
-
---代理(黑名单)列表
-local file_proxy_host = TMP_ACL_PATH .. "/proxy_host"
-if USE_PROXY_LIST == "1" and not fs.access(file_proxy_host) then --对自定义列表进行清洗
-	local proxy_domain = {}
-	local lookup_proxy_domain = {}
-	for line in io.lines(RULES_PATH .. "/proxy_host") do
-		line = api.get_std_domain(line)
-		if line ~= "" and not line:find("#") then
-			insert_unique(proxy_domain, line, lookup_proxy_domain)
-		end
-	end
-	if #proxy_domain > 0 then
-		local f_out = io.open(file_proxy_host, "w")
-		for i = 1, #proxy_domain do
-			f_out:write(proxy_domain[i] .. "\n")
-		end
-		f_out:close()
-	end
-end
-if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then
-	tmp_lines = {
-		"group proxylist",
-		"group-dnl " .. file_proxy_host,
-		"group-upstream " .. DNS_TRUST,
-		"group-ipset " .. setflag .. "passwall_blacklist," .. setflag .. "passwall_blacklist6"
-	}
-	merge_array(config_lines, tmp_lines)
-	if NO_IPV6_TRUST == "1" then table.insert(config_lines, "no-ipv6 tag:proxylist") end
-	log(string.format(" - 代理域名表(blacklist):%s", DNS_TRUST or "默认"))
-end
-
 --GFW列表
 if GFWLIST == "1" and is_file_nonzero(RULES_PATH .. "/gfwlist") then
 	tmp_lines = {
@@ -197,14 +113,121 @@ if CHNLIST ~= "0" and is_file_nonzero(RULES_PATH .. "/chnlist") then
 	end
 end
 
+--自定义规则组,后声明的组具有更高优先级
+--直连(白名单)列表
+local file_direct_host = TMP_ACL_PATH .. "/direct_host"
+if USE_DIRECT_LIST == "1" and not fs.access(file_direct_host) then --对自定义列表进行清洗
+	local direct_domain, lookup_direct_domain = {}, {}
+	for line in io.lines(RULES_PATH .. "/direct_host") do
+		line = api.get_std_domain(line)
+		if line ~= "" and not line:find("#") then
+			insert_unique(direct_domain, line, lookup_direct_domain)
+		end
+	end
+	if #direct_domain > 0 then
+		local f_out = io.open(file_direct_host, "w")
+		for i = 1, #direct_domain do
+			f_out:write(direct_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+end
+if USE_DIRECT_LIST == "1" and is_file_nonzero(file_direct_host) then
+	tmp_lines = {
+		"group directlist",
+		"group-dnl " .. file_direct_host,
+		"group-upstream " .. DNS_LOCAL,
+		"group-ipset " .. setflag .. "passwall_whitelist," .. setflag .. "passwall_whitelist6"
+	}
+	merge_array(config_lines, tmp_lines)
+	log(string.format(" - 域名白名单(whitelist):%s", DNS_LOCAL or "默认"))
+end
+
+--代理(黑名单)列表
+local file_proxy_host = TMP_ACL_PATH .. "/proxy_host"
+if USE_PROXY_LIST == "1" and not fs.access(file_proxy_host) then --对自定义列表进行清洗
+	local proxy_domain, lookup_proxy_domain = {}, {}
+	for line in io.lines(RULES_PATH .. "/proxy_host") do
+		line = api.get_std_domain(line)
+		if line ~= "" and not line:find("#") then
+			insert_unique(proxy_domain, line, lookup_proxy_domain)
+		end
+	end
+	if #proxy_domain > 0 then
+		local f_out = io.open(file_proxy_host, "w")
+		for i = 1, #proxy_domain do
+			f_out:write(proxy_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+end
+if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then
+	tmp_lines = {
+		"group proxylist",
+		"group-dnl " .. file_proxy_host,
+		"group-upstream " .. DNS_TRUST,
+		"group-ipset " .. setflag .. "passwall_blacklist," .. setflag .. "passwall_blacklist6"
+	}
+	merge_array(config_lines, tmp_lines)
+	if NO_IPV6_TRUST == "1" then table.insert(config_lines, "no-ipv6 tag:proxylist") end
+	log(string.format(" - 代理域名表(blacklist):%s", DNS_TRUST or "默认"))
+end
+
+--屏蔽列表
+local file_block_host = TMP_ACL_PATH .. "/block_host"
+if USE_BLOCK_LIST == "1" and not fs.access(file_block_host) then --对自定义列表进行清洗
+	local block_domain, lookup_block_domain = {}, {}
+	for line in io.lines(RULES_PATH .. "/block_host") do
+		line = api.get_std_domain(line)
+		if line ~= "" and not line:find("#") then
+			insert_unique(block_domain, line, lookup_block_domain)
+		end
+	end
+	if #block_domain > 0 then
+		local f_out = io.open(file_block_host, "w")
+		for i = 1, #block_domain do
+			f_out:write(block_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+end
+if USE_BLOCK_LIST == "1" and is_file_nonzero(file_block_host) then
+	table.insert(config_lines, "group null")
+	table.insert(config_lines, "group-dnl " .. file_block_host)
+end
+
+--始终用国内DNS解析节点域名
+local file_vpslist = TMP_ACL_PATH .. "/vpslist"
+if not is_file_nonzero(file_vpslist) then
+	local f_out = io.open(file_vpslist, "w")
+	uci:foreach(appname, "nodes", function(t)
+		local address = t.address
+		if address == "engage.cloudflareclient.com" then return end
+		if datatypes.hostname(address) then
+			f_out:write(address .. "\n")
+		end
+	end)
+	f_out:close()
+end
+if is_file_nonzero(file_vpslist) then
+	tmp_lines = {
+		"group vpslist",
+		"group-dnl " .. file_vpslist,
+		"group-upstream " .. DNS_LOCAL,
+		"group-ipset " .. setflag .. "passwall_vpslist," .. setflag .. "passwall_vpslist6"
+	}
+	merge_array(config_lines, tmp_lines)
+	log(string.format(" - 节点列表中的域名(vpslist):%s", DNS_LOCAL or "默认"))
+end
+
 --分流规则
 if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
-	local white_domain = {}
-	local shunt_domain = {}
-	local lookup_white_domain = {}
-	local lookup_shunt_domain = {}
+	local white_domain, lookup_white_domain = {}, {}
+	local shunt_domain, lookup_shunt_domain = {}, {}
+	local blackhole_domain, lookup_blackhole_domain = {}, {}
 	local file_white_host = TMP_ACL_PATH .. "/white_host"
 	local file_shunt_host = TMP_ACL_PATH .. "/shunt_host"
+	local file_blackhole_host = TMP_ACL_PATH .. "/blackhole_host"
 	local t = uci:get_all(appname, TCP_NODE)
 	local default_node_id = t["default_node"] or "_direct"
 
@@ -222,7 +245,12 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 				line = string.match(line, ":([^:]+)$")
 			end
 			line = api.get_std_domain(line)
-			if _node_id == "_direct" then
+
+			if _node_id == "_blackhole" then
+				if line ~= "" and not line:find("#") then
+					insert_unique(blackhole_domain, line, lookup_blackhole_domain)
+				end
+			elseif _node_id == "_direct" then
 				if line ~= "" and not line:find("#") then
 					insert_unique(white_domain, line, lookup_white_domain)
 				end
@@ -240,6 +268,16 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 		end
 	end)
 
+	if is_file_nonzero(file_blackhole_host) == nil then
+		if #blackhole_domain > 0 then
+			local f_out = io.open(file_blackhole_host, "w")
+			for i = 1, #blackhole_domain do
+				f_out:write(blackhole_domain[i] .. "\n")
+			end
+			f_out:close()
+		end
+	end
+
 	if is_file_nonzero(file_white_host) == nil then
 		if #white_domain > 0 then
 			local f_out = io.open(file_white_host, "w")
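Review bot: The direct, proxy and block lists in this hunk are three copies of the same read-clean-write loop, differing only in the source path, the output path and the variable names, and the shunt lists in the following hunks add a fourth; a small local helper keeps the cleaning rule (`api.get_std_domain`, skip empty and `#` lines, dedupe via `insert_unique`, write only when something survived) in one place so the next list cannot drift from the others. The `group null` block is the only group here with no `group-upstream`, which I read as chinadns-ng answering those names locally rather than forwarding them; that deserves a one-line comment, and I would extend the priority comment to say why vpslist is declared last: `--自定义规则组,后声明的组具有更高优先级; vpslist is declared last on purpose so node hostnames always resolve via DNS_LOCAL even if they also appear in the block list`. Note that `io.open(..., "w")` is never nil-checked in any copy, so an unwritable `TMP_ACL_PATH` raises on `f_out:write` instead of producing a diagnostic.
```lua
--Read a rule file, normalise each entry with api.get_std_domain, drop blank and
--#-commented lines and duplicates, and write the result to dst only if non-empty.
local function write_clean_list(src, dst)
	local domains, lookup = {}, {}
	for line in io.lines(src) do
		line = api.get_std_domain(line)
		if line ~= "" and not line:find("#") then
			insert_unique(domains, line, lookup)
		end
	end
	if #domains > 0 then
		local f_out = assert(io.open(dst, "w"))
		for i = 1, #domains do
			f_out:write(domains[i] .. "\n")
		end
		f_out:close()
	end
end

local file_direct_host = TMP_ACL_PATH .. "/direct_host"
if USE_DIRECT_LIST == "1" and not fs.access(file_direct_host) then --对自定义列表进行清洗
	write_clean_list(RULES_PATH .. "/direct_host", file_direct_host)
end
-- … unchanged: directlist group lines; proxy_host and block_host get the same two-line replacement …
```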
@@ -260,14 +298,22 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 		end
 	end
 
+	if is_file_nonzero(file_blackhole_host) then
+		for i, v in ipairs(config_lines) do --添加到屏蔽组一同处理
+			if v == "group-dnl " .. file_block_host then
+				config_lines[i] = "group-dnl " .. file_block_host .. "," .. file_blackhole_host
+				break
+			end
+		end
+	end
+
 	if is_file_nonzero(file_white_host) then
-		tmp_lines = {
-			"group whitelist",
-			"group-dnl " .. file_white_host,
-			"group-upstream " .. DNS_LOCAL,
-			"group-ipset " .. setflag .. "passwall_whitelist," .. setflag .. "passwall_whitelist6"
-		}
-		merge_array(config_lines, tmp_lines)
+		for i, v in ipairs(config_lines) do --添加到白名单组一同处理
+			if v == "group-dnl " .. file_direct_host then
+				config_lines[i] = "group-dnl " .. file_direct_host .. "," .. file_white_host
+				break
+			end
+		end
 	end
 
 	if is_file_nonzero(file_shunt_host) then
@@ -277,9 +323,18 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 			"group-upstream " .. DNS_TRUST,
 			"group-ipset " .. setflag .. "passwall_shuntlist," .. setflag .. "passwall_shuntlist6"
 		}
-		merge_array(config_lines, tmp_lines)
-		if NO_IPV6_TRUST == "1" then table.insert(config_lines, "no-ipv6 tag:shuntlist") end
+		if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:shuntlist") end
+		-- 在 "filter-qtype 65" 后插入 tmp_lines (shuntlist优先级最低)
+		for i, line in ipairs(config_lines) do
+			if line == "filter-qtype 65" then
+				for j, tmp_line in ipairs(tmp_lines) do
+					table.insert(config_lines, i + j, tmp_line)
+				end
+				break
+			end
+		end
 	end
+
 end
 
 --只使用gfwlist模式,GFW列表以外的域名及默认使用本地DNS
@@ -307,6 +362,8 @@ if DEFAULT_TAG == "none" then
 	table.insert(config_lines, "verdict-cache 5000")
 end
 
+table.insert(config_lines, "hosts")
+
 if DEFAULT_TAG == "chn" then
 	log(string.format(" - 默认:%s", DNS_LOCAL))
 elseif DEFAULT_TAG == "gfw" then
@@ -321,3 +378,5 @@ if #config_lines > 0 then
 		print(config_lines[i])
 	end
 end
+
+log(" - ChinaDNS-NG已作为Dnsmasq上游,如果你自行配置了错误的DNS流程,将会导致域名(直连/代理域名)分流失效!!!")
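Review bot: Both merge loops in this hunk silently drop shunt rules when their target group line is absent: `_blackhole` domains are only appended to `group-dnl <block_host>`, which exists only when `USE_BLOCK_LIST == "1"` and the block list is non-empty, and `_direct` shunt domains are only appended to `group-dnl <direct_host>`, which is emitted only under `USE_DIRECT_LIST == "1"` with a non-empty direct list. The removed lines show the old code created its own `group whitelist` for the shunt direct domains, so with the direct list switched off this is a regression: those names fall through to the default tag and never reach `passwall_whitelist`, and `_blackhole` names resolve normally instead of being sunk, with no log line to say so. Track whether the scan matched and otherwise emit a group of the list's own; appending puts that fallback after `group vpslist`, i.e. at higher priority, so if the vpslist-wins order matters insert it before the `group vpslist` line instead. The enclosing `if ... == "_shunt"` block starts in an earlier hunk.
```lua
	if is_file_nonzero(file_blackhole_host) then
		local merged = false
		for i, v in ipairs(config_lines) do --添加到屏蔽组一同处理
			if v == "group-dnl " .. file_block_host then
				config_lines[i] = v .. "," .. file_blackhole_host
				merged = true
				break
			end
		end
		if not merged then --block list disabled or empty: the shunt blackhole rules still need a group
			table.insert(config_lines, "group null")
			table.insert(config_lines, "group-dnl " .. file_blackhole_host)
		end
	end
	-- … same merged/fallback shape for file_white_host, the fallback being the old
	-- "group whitelist" / "group-dnl" / "group-upstream DNS_LOCAL" / "group-ipset passwall_whitelist…" lines …
```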
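Review bot: In the `-277` hunk the shunt group is placed by scanning `config_lines` for the literal `"filter-qtype 65"` and is silently discarded if that sentinel is ever renamed or dropped from the table literal at the top of the file, so the same string now has to be kept in sync in two places. Recording the insertion point where `config_lines` is built, `local shunt_insert_at = #config_lines` right after the literal, and using `table.insert(config_lines, shunt_insert_at + j, tmp_line)` removes both the string match and the silent-drop case; at minimum `log` when the sentinel is not found. The `i + j` arithmetic itself is right, since `j` starts at 1 and each insert shifts the later lines by one. The `hosts` line added in the `-307` hunk has no path argument, so what file chinadns-ng reads for it cannot be confirmed from this diff; a comment naming the intended file (presumably the system hosts file) would help the next reader.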
diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
index 9962309ba..850c59e81 100644
--- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
@@ -194,11 +194,13 @@ if not fs.access(CACHE_DNS_PATH) then
 	fs.mkdir(CACHE_DNS_PATH)
 
 	--屏蔽列表
-	if USE_BLOCK_LIST == "1" then
-		for line in io.lines("/usr/share/passwall/rules/block_host") do
-			line = api.get_std_domain(line)
-			if line ~= "" and not line:find("#") then
-				set_domain_address(line, "")
+	if USE_DEFAULT_DNS ~= "chinadns_ng" or CHINADNS_DNS == "0" then
+		if USE_BLOCK_LIST == "1" then
+			for line in io.lines("/usr/share/passwall/rules/block_host") do
+				line = api.get_std_domain(line)
+				if line ~= "" and not line:find("#") then
+					set_domain_address(line, "")
+				end
 			end
 		end
 	end
@@ -488,4 +490,6 @@ if DNSMASQ_CONF_FILE ~= "nil" then
 	end
 end
 
-log(" - PassWall必须依赖于Dnsmasq,如果你自行配置了错误的DNS流程,将会导致域名(直连/代理域名)分流失效!!!")
+if USE_DEFAULT_DNS ~= "chinadns_ng" or CHINADNS_DNS == "0" then
+	log(" - PassWall必须依赖于Dnsmasq,如果你自行配置了错误的DNS流程,将会导致域名(直连/代理域名)分流失效!!!")
+end
diff --git a/patch-luci-app-passwall.patch b/patch-luci-app-passwall.patch
index 49cd743d6..ae5d5bdfe 100644
--- a/patch-luci-app-passwall.patch
+++ b/patch-luci-app-passwall.patch
@@ -24,7 +24,7 @@ index 03006a6..f384bbc 100644
  if code ~= 0 then
  local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'")
  diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
-index cd9d8d4..0e5299b 100644
+index 474e7a7..9995c4c 100644
  --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
  +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
  @@ -413,6 +413,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9)")
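Review bot: The gate `USE_DEFAULT_DNS ~= "chinadns_ng" or CHINADNS_DNS == "0"` is duplicated verbatim in the `-194` hunk and in the log hunk below it, and it encodes a security-relevant decision: when it is false, dnsmasq stops sinking the block list entirely and the blocking depends on chinadns-ng's `group null` group being generated. Hoist it once near the top of the file, `local BLOCK_LIST_IN_DNSMASQ = (USE_DEFAULT_DNS ~= "chinadns_ng" or CHINADNS_DNS == "0")`, with a comment that in the other case the block list is emitted by helper_chinadns_add.lua, so the two sites cannot drift apart. Whether every query path reaches chinadns-ng in that mode cannot be verified from this diff; if any domain class is still sent by a dnsmasq `server=` line to a different upstream, those names would bypass the block list, which is worth a test on the chinadns-ng configuration. Both hunks sit inside blocks that start above them, and the meaning of `CHINADNS_DNS == "0"` is not visible here.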