From 9eb7df489b06a57a543b1eade35179da912c4b1f Mon Sep 17 00:00:00 2001
From: xiaorouji <60100640+xiaorouji@users.noreply.github.com>
Date: Sat, 8 Apr 2023 13:14:14 +0800
Subject: [PATCH] luci: chinadns-ng logic update and optimization
chinadns-ng 2023-04-01 version
* start support nftset.
* support adding chnlist to ipset now, and now there is no need to generate dnsmasq conf.
---
.../model/cbi/passwall/client/acl_config.lua | 12 +-
.../model/cbi/passwall/client/global.lua | 3 +
.../root/usr/share/passwall/app.sh | 125 +++++++++---------
.../usr/share/passwall/helper_dnsmasq_add.lua | 15 ++-
4 files changed, 83 insertions(+), 72 deletions(-)
diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua
index d557d12f7..93d7c73b0 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua
@@ -313,7 +313,17 @@ if has_chnlist then
.. "" .. translate("Remote DNS can avoid more DNS leaks, but some domestic domain names maybe to proxy!") .. ""
.. "" .. translate("Direct DNS Internet experience may be better, but DNS will be leaked!") .. ""
.. ""
- when_chnroute_default_dns:depends("tcp_proxy_mode", "chnroute")
+ local _depends = {
+ { dns_mode = "dns2socks" },
+ { dns_mode = "xray" }
+ }
+ for i, d in ipairs(_depends) do
+ d["tcp_proxy_mode"] = "chnroute"
+ if api.is_finded("chinadns-ng") then
+ d["chinadns_ng"] = false
+ end
+ when_chnroute_default_dns:depends(d)
+ end
end
return m
diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
index 9d93c4000..6a7b9c3e5 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
@@ -390,6 +390,9 @@ if has_chnlist then
.. "" .. translate("Remote DNS can avoid more DNS leaks, but some domestic domain names maybe to proxy!") .. ""
.. "" .. translate("Direct DNS Internet experience may be better, but DNS will be leaked!") .. ""
.. ""
+ if api.is_finded("chinadns-ng") then
+ when_chnroute_default_dns:depends("chinadns_ng", false)
+ end
end
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh
index ef83342d1..2697ffa89 100755
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -401,6 +401,40 @@ run_dns2socks() {
ln_run "$(first_type dns2socks)" "dns2socks${flag}" $log_file ${_extra_param} "${socks_address}:${socks_port}" "${dns}" "${listen_address}:${listen_port}"
}
+run_chinadns_ng() {
+ local _listen_port _dns_china _dns_trust _chnlist _gfwlist _no_ipv6_rules _log_path _no_logic_log
+ eval_set_val $@
+
+ local _LOG_FILE=$LOG_FILE
+ [ -n "$_no_logic_log" ] && LOG_FILE="/dev/null"
+
+ echolog " | - (chinadns-ng) 最高支持4级域名过滤..."
+
+ local _default_tag
+ local _extra_param=""
+ [ -n "$_chnlist" ] && {
+ [ -s "${RULES_PATH}/chnlist" ] && {
+ local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
+ cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
+ _extra_param="${_extra_param} -m ${_chnlist_file} -M -a"
+ }
+ }
+
+ ([ -n "$_chnlist" ] || [ -n "$_gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
+ local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
+ cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
+ _extra_param="${_extra_param} -g ${_gfwlist_file}"
+ #当只有使用gfwlist模式时设置默认DNS为本地直连
+ [ -n "$_gfwlist" ] && [ -z "$_chnlist" ] && _default_tag="chn"
+ }
+ [ -n "$_default_tag" ] && _extra_param="${_extra_param} -d ${_default_tag}"
+
+ _log_path="/dev/null"
+ ln_run "$(first_type chinadns-ng)" chinadns-ng "$_log_path" -v -b 127.0.0.1 -l "${_listen_port}" ${_dns_china:+-c "${_dns_china}"} ${_dns_trust:+-t "${_dns_trust}"} ${_extra_param} -f ${_no_ipv6_rules:+-N=${_no_ipv6_rules}}
+ echolog " + 过滤服务:ChinaDNS-NG(:${_listen_port}):国内DNS:${_dns_china},可信DNS:${_dns_trust}"
+ LOG_FILE=${_LOG_FILE}
+}
+
run_socks() {
local flag node bind socks_port config_file http_port http_config_file relay_port log_file
eval_set_val $@
@@ -1153,41 +1187,21 @@ start_dns() {
[ "${use_udp_node_resolve_dns}" = "1" ] && echolog " * 要求代理 DNS 请求,如上游 DNS 非直连地址,确保 UDP 代理打开,并且已经正确转发!"
[ "$CHINADNS_NG" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ -n "$chnlist" ] || [ -n "$gfwlist" ]) && {
- china_ng_listen_port=$(expr $dns_listen_port + 1)
- china_ng_listen="127.0.0.1#${china_ng_listen_port}"
- china_ng_chn=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",")
- china_ng_gfw="${TUN_DNS}"
- echolog " | - (chinadns-ng) 最高支持4级域名过滤..."
-
- local china_ng_extra_param=""
- [ -n "$chnlist" ] && {
- [ -s "${RULES_PATH}/chnlist" ] && {
- local chnlist_file="${TMP_PATH}/chinadns_chnlist"
- cp -a "${RULES_PATH}/chnlist" "${chnlist_file}"
- china_ng_extra_param="${china_ng_extra_param} -m ${chnlist_file} -M"
- }
- #当使用中国列表外时的默认DNS
- [ "$WHEN_CHNROUTE_DEFAULT_DNS" = "remote" ] && china_ng_default_tag="gfw"
- [ "$WHEN_CHNROUTE_DEFAULT_DNS" = "direct" ] && china_ng_default_tag="chn"
- }
-
- ([ -n "$chnlist" ] || [ -n "$gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
- local gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
- cp -a "${RULES_PATH}/gfwlist" "${gfwlist_file}"
- china_ng_extra_param="${china_ng_extra_param} -g ${gfwlist_file}"
- #当只有使用gfwlist模式时设置默认DNS为本地直连
- [ -n "$gfwlist" ] && [ -z "$chnlist" ] && china_ng_default_tag="chn"
- }
- [ -n "$china_ng_default_tag" ] && china_ng_extra_param="${china_ng_extra_param} -d ${china_ng_default_tag}"
-
- local log_path="${TMP_PATH}/chinadns-ng.log"
- log_path="/dev/null"
[ "$FILTER_PROXY_IPV6" = "1" ] && {
- noipv6="-N=gt"
+ local _no_ipv6_rules="gt"
DNSMASQ_FILTER_IPV6=0
}
- ln_run "$(first_type chinadns-ng)" chinadns-ng "$log_path" -v -b 0.0.0.0 -l "${china_ng_listen_port}" ${china_ng_chn:+-c "${china_ng_chn}"} ${china_ng_gfw:+-t "${china_ng_gfw}"} ${china_ng_extra_param} -f ${noipv6}
- echolog " + 过滤服务:ChinaDNS-NG(:${china_ng_listen_port}):国内DNS:${china_ng_chn},可信DNS:${china_ng_gfw}"
+ local china_ng_listen_port=$(expr $dns_listen_port + 1)
+ local china_ng_listen="127.0.0.1#${china_ng_listen_port}"
+ run_chinadns_ng \
+ _listen_port=${china_ng_listen_port} \
+ _dns_china=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") \
+ _dns_trust="${TUN_DNS}" \
+ _chnlist="${chnlist}" \
+ _gfwlist="${gfwlist}" \
+ _no_ipv6_rules="${_no_ipv6_rules}" \
+ _log_path="${TMP_PATH}/chinadns-ng.log"
+
WHEN_CHNROUTE_DEFAULT_DNS="chinadns_ng"
}
@@ -1327,39 +1341,23 @@ acl_app() {
local _dnsmasq_filter_ipv6=$filter_proxy_ipv6
[ "$chinadns_ng" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ "$tcp_proxy_mode" = "chnroute" ] || [ "$tcp_proxy_mode" = "gfwlist" ]) && {
- chinadns_port=$(expr $chinadns_port + 1)
- _china_ng_listen="127.0.0.1#${chinadns_port}"
- local _china_ng_chn=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",")
- local _china_ng_gfw="127.0.0.1#${_dns_port}"
-
- local _china_ng_extra_param=""
- [ "$tcp_proxy_mode" = "chnroute" ] && {
- [ -s "${RULES_PATH}/chnlist" ] && {
- local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
- cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
- _china_ng_extra_param="${_china_ng_extra_param} -m ${_chnlist_file} -M"
- }
- #当使用中国列表外时的默认DNS
- [ "$when_chnroute_default_dns" = "remote" ] && _china_ng_default_tag="gfw"
- [ "$when_chnroute_default_dns" = "direct" ] && _china_ng_default_tag="chn"
- }
-
- ([ "$tcp_proxy_mode" = "chnroute" ] || [ "$tcp_proxy_mode" = "gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
- local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
- cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
- _china_ng_extra_param="${_china_ng_extra_param} -g ${_gfwlist_file}"
- #当使用gfwlist模式时设置默认DNS为本地直连
- [ "$tcp_proxy_mode" = "gfwlist" ] && _china_ng_default_tag="chn"
- }
- [ -n "$_china_ng_default_tag" ] && _china_ng_extra_param="${_china_ng_extra_param} -d ${_china_ng_default_tag}"
-
- #local _china_ng_log_file="${TMP_ACL_PATH}/${sid}/chinadns-ng.log"
- local _china_ng_log_file="/dev/null"
[ "$filter_proxy_ipv6" = "1" ] && {
- local _china_ng_noipv6="-N=gt"
+ local _no_ipv6_rules="gt"
_dnsmasq_filter_ipv6=0
}
- ln_run "$(first_type chinadns-ng)" chinadns-ng "$_china_ng_log_file" -v -b 0.0.0.0 -l "${chinadns_port}" ${_china_ng_chn:+-c "${_china_ng_chn}"} ${_china_ng_gfw:+-t "${_china_ng_gfw}"} ${_china_ng_extra_param} -f ${_china_ng_noipv6}
+ chinadns_port=$(expr $chinadns_port + 1)
+ _china_ng_listen="127.0.0.1#${chinadns_port}"
+
+ run_chinadns_ng \
+ _listen_port=${chinadns_port} \
+ _dns_china=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") \
+ _dns_trust="127.0.0.1#${_dns_port}" \
+ _chnlist=$(echo "${tcp_proxy_mode}" | grep "chnroute") \
+ _gfwlist=$(echo "${tcp_proxy_mode}" | grep "gfwlist") \
+ _no_ipv6_rules="${_no_ipv6_rules}" \
+ _log_path="${TMP_ACL_PATH}/${sid}/chinadns-ng.log" \
+ _no_logic_log=1
+
when_chnroute_default_dns="chinadns_ng"
}
@@ -1502,7 +1500,7 @@ acl_app() {
[ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port
unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_node udp_node filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip
unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port config_file _extra_param
- unset _china_ng_listen _china_ng_chn _china_ng_gfw _gfwlist_file _chnlist_file _china_ng_log_file _china_ng_noipv6 _china_ng_extra_param _dnsmasq_filter_ipv6
+ unset _china_ng_listen _china_ng_chn _china_ng_gfw _gfwlist_file _chnlist_file _china_ng_log_file _no_ipv6_rules _china_ng_extra_param _dnsmasq_filter_ipv6
unset redirect_dns_port
done
unset socks_port redir_port dns_port dnsmasq_port chinadns_port
@@ -1529,7 +1527,6 @@ start() {
if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
echolog "Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
- echolog "使用nftables进行透明代理,一些不支持nftables的组件如chinadns-ng等可能不会正常工作。"
USE_TABLES="nftables"
nftflag=1
elif [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then
diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
index 22359b94f..667d6ca80 100644
--- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
@@ -317,14 +317,15 @@ if not fs.access(CACHE_DNS_PATH) then
if chnlist and fs.access("/usr/share/passwall/rules/chnlist") and (CHNROUTE_MODE_DEFAULT_DNS == "remote" or (CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0")) then
fwd_dns = LOCAL_DNS
- local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
- for line in string.gmatch(chnlist_str, "[^\r\n]+") do
- if line ~= "" then
- if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
- fwd_dns = nil
+ if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
+ fwd_dns = nil
+ else
+ local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
+ for line in string.gmatch(chnlist_str, "[^\r\n]+") do
+ if line ~= "" then
+ set_domain_dns(line, fwd_dns)
+ set_domain_ipset(line, setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6")
end
- set_domain_dns(line, fwd_dns)
- set_domain_ipset(line, setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6")
end
end
log(string.format(" - 中国域名表(chnroute):%s", fwd_dns or "默认"))