luci-app-passwall: sync upstream

last commit: 01f8914ed4

luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua

@@ -279,7 +279,7 @@ o:depends({ tcp_node = "",  ['!reverse'] = true })
 o = s:option(ListValue, "dns_shunt", "DNS " .. translate("Shunt"))
 o:depends({ tcp_node = "",  ['!reverse'] = true })
 o:value("dnsmasq", "Dnsmasq")
-o:value("chinadns-ng", "Dnsmasq + ChinaDNS-NG")
+o:value("chinadns-ng", translate("ChinaDNS-NG (recommended)"))
 
 o = s:option(Flag, "filter_proxy_ipv6", translate("Filter Proxy Host IPv6"), translate("Experimental feature."))
 o.default = "0"

luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua

@@ -292,7 +292,7 @@ s:tab("DNS", translate("DNS"))
 
 dns_shunt = s:taboption("DNS", ListValue, "dns_shunt", "DNS " .. translate("Shunt"))
 dns_shunt:value("dnsmasq", "Dnsmasq")
-dns_shunt:value("chinadns-ng", "Dnsmasq + ChinaDNS-NG")
+dns_shunt:value("chinadns-ng", translate("ChinaDNS-NG (recommended)"))
 
 o = s:taboption("DNS", ListValue, "direct_dns_mode", translate("Direct DNS") .. " " .. translate("Request protocol"))
 o.default = ""

luci-app-passwall/po/zh-cn/passwall.po

@@ -169,6 +169,9 @@ msgstr "此功能需要 DNS 服务器支持 EDNS Client Subnet（RFC7871）。"
 msgid "The effect is better, recommend."
 msgstr "效果更好，推荐使用。"
 
+msgid "ChinaDNS-NG (recommended)"
+msgstr "ChinaDNS-NG (推荐)"
+
 msgid "Default DNS"
 msgstr "默认 DNS"
 

luci-app-passwall/root/usr/share/passwall/app.sh

@@ -551,10 +551,10 @@ run_chinadns_ng() {
 	local _LOG_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.log
 	_LOG_FILE="/dev/null"
 
-	_extra_param="-FLAG ${_flag} -LISTEN_PORT ${_listen_port} -DNS_LOCAL ${_dns_local} -DNS_TRUST ${_dns_trust}"
+	_extra_param="-FLAG ${_flag} -TCP_NODE ${_tcp_node} -LISTEN_PORT ${_listen_port} -DNS_LOCAL ${_dns_local} -DNS_TRUST ${_dns_trust}"
-	_extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -GFWLIST ${_gfwlist} -CHNLIST ${_chnlist}"
+	_extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -USE_BLOCK_LIST ${_use_block_list}"
-	_extra_param="${_extra_param} -NO_IPV6_TRUST ${_no_ipv6_trust} -DEFAULT_MODE ${_default_mode} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag}"
+	_extra_param="${_extra_param} -GFWLIST ${_gfwlist} -CHNLIST ${_chnlist} -NO_IPV6_TRUST ${_no_ipv6_trust} -DEFAULT_MODE ${_default_mode}"
-	_extra_param="${_extra_param} -NO_LOGIC_LOG ${_no_logic_log} -TCP_NODE ${_tcp_node}"
+	_extra_param="${_extra_param} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag} -NO_LOGIC_LOG ${_no_logic_log}"
 
 	lua $APP_PATH/helper_chinadns_add.lua ${_extra_param} > ${_CONF_FILE}
 	ln_run "$(first_type chinadns-ng)" chinadns-ng "${_LOG_FILE}" -C ${_CONF_FILE}
@@ -1500,6 +1500,7 @@ start_dns() {
 			_no_ipv6_trust=${FILTER_PROXY_IPV6} \
 			_use_direct_list=${USE_DIRECT_LIST} \
 			_use_proxy_list=${USE_PROXY_LIST} \
+			_use_block_list=${USE_BLOCK_LIST} \
 			_gfwlist=${USE_GFW_LIST} \
 			_chnlist=${CHN_LIST} \
 			_default_mode=${TCP_PROXY_MODE} \
@@ -1696,6 +1697,7 @@ acl_app() {
 									_no_ipv6_trust=${filter_proxy_ipv6} \
 									_use_direct_list=${use_direct_list} \
 									_use_proxy_list=${use_proxy_list} \
+									_use_block_list=${use_block_list} \
 									_gfwlist=${use_gfw_list} \
 									_chnlist=${chn_list} \
 									_default_mode=${tcp_proxy_mode} \

luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua

@@ -9,6 +9,7 @@ local DNS_LOCAL = var["-DNS_LOCAL"]
 local DNS_TRUST = var["-DNS_TRUST"]
 local USE_DIRECT_LIST = var["-USE_DIRECT_LIST"]
 local USE_PROXY_LIST = var["-USE_PROXY_LIST"]
+local USE_BLOCK_LIST = var["-USE_BLOCK_LIST"]
 local GFWLIST = var["-GFWLIST"]
 local CHNLIST = var["-CHNLIST"]
 local NO_IPV6_TRUST = var["-NO_IPV6_TRUST"]
@@ -73,91 +74,6 @@ config_lines = {
 	"filter-qtype 65"
 }
 
---始终用国内DNS解析节点域名
-local file_vpslist = TMP_ACL_PATH .. "/vpslist"
-if not is_file_nonzero(file_vpslist) then
-	local f_out = io.open(file_vpslist, "w")
-	uci:foreach(appname, "nodes", function(t)
-		local address = t.address
-		if address == "engage.cloudflareclient.com" then return end
-		if datatypes.hostname(address) then
-			f_out:write(address .. "\n")
-		end
-	end)
-	f_out:close()
-end
-if is_file_nonzero(file_vpslist) then
-	tmp_lines = {
-		"group vpslist",
-		"group-dnl " .. file_vpslist,
-		"group-upstream " .. DNS_LOCAL,
-		"group-ipset " .. setflag .. "passwall_vpslist," .. setflag .. "passwall_vpslist6"
-	}
-	merge_array(config_lines, tmp_lines)
-	log(string.format("  - 节点列表中的域名(vpslist)：%s", DNS_LOCAL or "默认"))
-end
-
---直连（白名单）列表
-local file_direct_host = TMP_ACL_PATH .. "/direct_host"
-if USE_DIRECT_LIST == "1" and not fs.access(file_direct_host) then   --对自定义列表进行清洗
-	local direct_domain = {}
-	local lookup_direct_domain = {}
-	for line in io.lines(RULES_PATH .. "/direct_host") do
-		line = api.get_std_domain(line)
-		if line ~= "" and not line:find("#") then
-			insert_unique(direct_domain, line, lookup_direct_domain)
-		end
-	end
-	if #direct_domain > 0 then
-		local f_out = io.open(file_direct_host, "w")
-		for i = 1, #direct_domain do
-			f_out:write(direct_domain[i] .. "\n")
-		end
-		f_out:close()
-	end
-end
-if USE_DIRECT_LIST == "1" and is_file_nonzero(file_direct_host) then
-	tmp_lines = {
-		"group directlist",
-		"group-dnl " .. file_direct_host,
-		"group-upstream " .. DNS_LOCAL,
-		"group-ipset " .. setflag .. "passwall_whitelist," .. setflag .. "passwall_whitelist6"
-	}
-	merge_array(config_lines, tmp_lines)
-	log(string.format("  - 域名白名单(whitelist)：%s", DNS_LOCAL or "默认"))
-end
-
---代理（黑名单）列表
-local file_proxy_host = TMP_ACL_PATH .. "/proxy_host"
-if USE_PROXY_LIST == "1" and not fs.access(file_proxy_host) then   --对自定义列表进行清洗
-	local proxy_domain = {}
-	local lookup_proxy_domain = {}
-	for line in io.lines(RULES_PATH .. "/proxy_host") do
-		line = api.get_std_domain(line)
-		if line ~= "" and not line:find("#") then
-			insert_unique(proxy_domain, line, lookup_proxy_domain)
-		end
-	end
-	if #proxy_domain > 0 then
-		local f_out = io.open(file_proxy_host, "w")
-		for i = 1, #proxy_domain do
-			f_out:write(proxy_domain[i] .. "\n")
-		end
-		f_out:close()
-	end
-end
-if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then
-	tmp_lines = {
-		"group proxylist",
-		"group-dnl " .. file_proxy_host,
-		"group-upstream " .. DNS_TRUST,
-		"group-ipset " .. setflag .. "passwall_blacklist," .. setflag .. "passwall_blacklist6"
-	}
-	merge_array(config_lines, tmp_lines)
-	if NO_IPV6_TRUST == "1" then table.insert(config_lines, "no-ipv6 tag:proxylist") end
-	log(string.format("  - 代理域名表(blacklist)：%s", DNS_TRUST or "默认"))
-end
-
 --GFW列表
 if GFWLIST == "1" and is_file_nonzero(RULES_PATH .. "/gfwlist") then
 	tmp_lines = {
@@ -197,14 +113,121 @@ if CHNLIST ~= "0" and is_file_nonzero(RULES_PATH .. "/chnlist") then
 	end
 end
 
+--自定义规则组，后声明的组具有更高优先级
+--直连（白名单）列表
+local file_direct_host = TMP_ACL_PATH .. "/direct_host"
+if USE_DIRECT_LIST == "1" and not fs.access(file_direct_host) then   --对自定义列表进行清洗
+	local direct_domain, lookup_direct_domain = {}, {}
+	for line in io.lines(RULES_PATH .. "/direct_host") do
+		line = api.get_std_domain(line)
+		if line ~= "" and not line:find("#") then
+			insert_unique(direct_domain, line, lookup_direct_domain)
+		end
+	end
+	if #direct_domain > 0 then
+		local f_out = io.open(file_direct_host, "w")
+		for i = 1, #direct_domain do
+			f_out:write(direct_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+end
+if USE_DIRECT_LIST == "1" and is_file_nonzero(file_direct_host) then
+	tmp_lines = {
+		"group directlist",
+		"group-dnl " .. file_direct_host,
+		"group-upstream " .. DNS_LOCAL,
+		"group-ipset " .. setflag .. "passwall_whitelist," .. setflag .. "passwall_whitelist6"
+	}
+	merge_array(config_lines, tmp_lines)
+	log(string.format("  - 域名白名单(whitelist)：%s", DNS_LOCAL or "默认"))
+end
+
+--代理（黑名单）列表
+local file_proxy_host = TMP_ACL_PATH .. "/proxy_host"
+if USE_PROXY_LIST == "1" and not fs.access(file_proxy_host) then   --对自定义列表进行清洗
+	local proxy_domain, lookup_proxy_domain = {}, {}
+	for line in io.lines(RULES_PATH .. "/proxy_host") do
+		line = api.get_std_domain(line)
+		if line ~= "" and not line:find("#") then
+			insert_unique(proxy_domain, line, lookup_proxy_domain)
+		end
+	end
+	if #proxy_domain > 0 then
+		local f_out = io.open(file_proxy_host, "w")
+		for i = 1, #proxy_domain do
+			f_out:write(proxy_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+end
+if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then
+	tmp_lines = {
+		"group proxylist",
+		"group-dnl " .. file_proxy_host,
+		"group-upstream " .. DNS_TRUST,
+		"group-ipset " .. setflag .. "passwall_blacklist," .. setflag .. "passwall_blacklist6"
+	}
+	merge_array(config_lines, tmp_lines)
+	if NO_IPV6_TRUST == "1" then table.insert(config_lines, "no-ipv6 tag:proxylist") end
+	log(string.format("  - 代理域名表(blacklist)：%s", DNS_TRUST or "默认"))
+end
+
+--屏蔽列表
+local file_block_host = TMP_ACL_PATH .. "/block_host"
+if USE_BLOCK_LIST == "1" and not fs.access(file_block_host) then   --对自定义列表进行清洗
+	local block_domain, lookup_block_domain = {}, {}
+	for line in io.lines(RULES_PATH .. "/block_host") do
+		line = api.get_std_domain(line)
+		if line ~= "" and not line:find("#") then
+			insert_unique(block_domain, line, lookup_block_domain)
+		end
+	end
+	if #block_domain > 0 then
+		local f_out = io.open(file_block_host, "w")
+		for i = 1, #block_domain do
+			f_out:write(block_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+end
+if USE_BLOCK_LIST == "1" and is_file_nonzero(file_block_host) then
+	table.insert(config_lines, "group null")
+	table.insert(config_lines, "group-dnl " .. file_block_host)
+end
+
+--始终用国内DNS解析节点域名
+local file_vpslist = TMP_ACL_PATH .. "/vpslist"
+if not is_file_nonzero(file_vpslist) then
+	local f_out = io.open(file_vpslist, "w")
+	uci:foreach(appname, "nodes", function(t)
+		local address = t.address
+		if address == "engage.cloudflareclient.com" then return end
+		if datatypes.hostname(address) then
+			f_out:write(address .. "\n")
+		end
+	end)
+	f_out:close()
+end
+if is_file_nonzero(file_vpslist) then
+	tmp_lines = {
+		"group vpslist",
+		"group-dnl " .. file_vpslist,
+		"group-upstream " .. DNS_LOCAL,
+		"group-ipset " .. setflag .. "passwall_vpslist," .. setflag .. "passwall_vpslist6"
+	}
+	merge_array(config_lines, tmp_lines)
+	log(string.format("  - 节点列表中的域名(vpslist)：%s", DNS_LOCAL or "默认"))
+end
+
 --分流规则
 if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
-	local white_domain = {}
+	local white_domain, lookup_white_domain = {}, {}
-	local shunt_domain = {}
+	local shunt_domain, lookup_shunt_domain = {}, {}
-	local lookup_white_domain = {}
+	local blackhole_domain, lookup_blackhole_domain = {}, {}
-	local lookup_shunt_domain = {}
 	local file_white_host = TMP_ACL_PATH .. "/white_host"
 	local file_shunt_host = TMP_ACL_PATH .. "/shunt_host"
+	local file_blackhole_host = TMP_ACL_PATH .. "/blackhole_host"
 
 	local t = uci:get_all(appname, TCP_NODE)
 	local default_node_id = t["default_node"] or "_direct"
@@ -222,7 +245,12 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 						line = string.match(line, ":([^:]+)$")
 					end
 					line = api.get_std_domain(line)
-					if _node_id == "_direct" then
+
+					if _node_id == "_blackhole" then
+						if line ~= "" and not line:find("#") then
+							insert_unique(blackhole_domain, line, lookup_blackhole_domain)
+						end
+					elseif _node_id == "_direct" then
 						if line ~= "" and not line:find("#") then
 							insert_unique(white_domain, line, lookup_white_domain)
 						end
@@ -240,6 +268,16 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 		end
 	end)
 
+	if is_file_nonzero(file_blackhole_host) == nil then
+		if #blackhole_domain > 0 then
+			local f_out = io.open(file_blackhole_host, "w")
+			for i = 1, #blackhole_domain do
+				f_out:write(blackhole_domain[i] .. "\n")
+			end
+			f_out:close()
+		end
+	end
+
 	if is_file_nonzero(file_white_host) == nil then
 		if #white_domain > 0 then
 			local f_out = io.open(file_white_host, "w")
@@ -260,14 +298,22 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 		end
 	end
 
+	if is_file_nonzero(file_blackhole_host) then
+		for i, v in ipairs(config_lines) do   --添加到屏蔽组一同处理
+			if v == "group-dnl " .. file_block_host then
+				config_lines[i] = "group-dnl " .. file_block_host .. "," .. file_blackhole_host
+				break
+			end
+		end
+	end
+
 	if is_file_nonzero(file_white_host) then
-		tmp_lines = {
+		for i, v in ipairs(config_lines) do   --添加到白名单组一同处理
-			"group whitelist",
+			if v == "group-dnl " .. file_direct_host then
-			"group-dnl " .. file_white_host,
+				config_lines[i] = "group-dnl " .. file_direct_host .. "," .. file_white_host
-			"group-upstream " .. DNS_LOCAL,
+				break
-			"group-ipset " .. setflag .. "passwall_whitelist," .. setflag .. "passwall_whitelist6"
+			end
-		}
+		end
-		merge_array(config_lines, tmp_lines)
 	end
 
 	if is_file_nonzero(file_shunt_host) then
@@ -277,9 +323,18 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 			"group-upstream " .. DNS_TRUST,
 			"group-ipset " .. setflag .. "passwall_shuntlist," .. setflag .. "passwall_shuntlist6"
 		}
-		merge_array(config_lines, tmp_lines)
+		if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:shuntlist") end
-		if NO_IPV6_TRUST == "1" then table.insert(config_lines, "no-ipv6 tag:shuntlist") end
+		-- 在 "filter-qtype 65" 后插入 tmp_lines （shuntlist优先级最低）
+		for i, line in ipairs(config_lines) do
+			if line == "filter-qtype 65" then
+				for j, tmp_line in ipairs(tmp_lines) do
+					table.insert(config_lines, i + j, tmp_line)
+				end
+				break
+			end
+		end
 	end
+
 end
 
 --只使用gfwlist模式，GFW列表以外的域名及默认使用本地DNS
@@ -307,6 +362,8 @@ if DEFAULT_TAG == "none" then
 	table.insert(config_lines, "verdict-cache 5000")
 end
 
+table.insert(config_lines, "hosts")
+
 if DEFAULT_TAG == "chn" then
 	log(string.format("  - 默认：%s", DNS_LOCAL))
 elseif  DEFAULT_TAG == "gfw" then
@@ -321,3 +378,5 @@ if #config_lines > 0 then
 		print(config_lines[i])
 	end
 end
+
+log("  - ChinaDNS-NG已作为Dnsmasq上游，如果你自行配置了错误的DNS流程，将会导致域名(直连/代理域名)分流失效！！！")

luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua

@@ -194,11 +194,13 @@ if not fs.access(CACHE_DNS_PATH) then
 	fs.mkdir(CACHE_DNS_PATH)
 
 	--屏蔽列表
-	if USE_BLOCK_LIST == "1" then
+	if USE_DEFAULT_DNS ~= "chinadns_ng" or CHINADNS_DNS == "0" then
-		for line in io.lines("/usr/share/passwall/rules/block_host") do
+		if USE_BLOCK_LIST == "1" then
-			line = api.get_std_domain(line)
+			for line in io.lines("/usr/share/passwall/rules/block_host") do
-			if line ~= "" and not line:find("#") then
+				line = api.get_std_domain(line)
-				set_domain_address(line, "")
+				if line ~= "" and not line:find("#") then
+					set_domain_address(line, "")
+				end
 			end
 		end
 	end
@@ -488,4 +490,6 @@ if DNSMASQ_CONF_FILE ~= "nil" then
 	end
 end
 
-log("  - PassWall必须依赖于Dnsmasq，如果你自行配置了错误的DNS流程，将会导致域名(直连/代理域名)分流失效！！！")
+if USE_DEFAULT_DNS ~= "chinadns_ng" or CHINADNS_DNS == "0" then
+	log("  - PassWall必须依赖于Dnsmasq，如果你自行配置了错误的DNS流程，将会导致域名(直连/代理域名)分流失效！！！")
+end

patch-luci-app-passwall.patch

@@ -24,7 +24,7 @@ index 03006a6..f384bbc 100644
  	if code ~= 0 then
  		local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'")
 diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
-index cd9d8d4..0e5299b 100644
+index 474e7a7..9995c4c 100644
 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
 +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
 @@ -413,6 +413,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9)")