luci-app-passwall: sync upstream

2024-04-19 03:00:05 +08:00 · 2024-04-19 03:00:05 +08:00 · adc9715e59
commit adc9715e59
parent 102cb34409
10 changed files with 399 additions and 72 deletions
--- a/luci-app-passwall/Makefile
+++ b/luci-app-passwall/Makefile
@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-passwall
-PKG_VERSION:=4.76-5
+PKG_VERSION:=4.77-1
 PKG_RELEASE:=

 PKG_CONFIG_DEPENDS:= \
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/shunt_rules.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/shunt_rules.lua
@ -118,6 +118,8 @@ domain_list.validate = function(self, value)
 			flag = 0
 		elseif host:find("ext:") and host:find("ext:") == 1 then
 			flag = 0
+		elseif host:find("#") and host:find("#") == 1 then
+			flag = 0
 		end
 		if flag == 1 then
 			if not datatypes.hostname(tmp_host) then
@ -132,7 +134,7 @@ domain_list.description = "<br /><ul><li>" .. translate("Plaintext: If this stri
 .. "</li><li>" .. translate("Subdomain (recommended): Begining with 'domain:' and the rest is a domain. When the targeting domain is exactly the value, or is a subdomain of the value, this rule takes effect. Example: rule 'domain:v2ray.com' matches 'www.v2ray.com', 'v2ray.com', but not 'xv2ray.com'.")
 .. "</li><li>" .. translate("Full domain: Begining with 'full:' and the rest is a domain. When the targeting domain is exactly the value, the rule takes effect. Example: rule 'domain:v2ray.com' matches 'v2ray.com', but not 'www.v2ray.com'.")
 .. "</li><li>" .. translate("Pre-defined domain list: Begining with 'geosite:' and the rest is a name, such as geosite:google or geosite:cn.")
-.. "</li><li>" .. translate("Domains from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geosite.dat. The tag must exist in the file.")
+.. "</li><li>" .. translate("Annotation: Begining with #")
 .. "</li></ul>"
 ip_list = s:option(TextValue, "ip_list", "IP")
 ip_list.rows = 10
@ -143,6 +145,7 @@ ip_list.validate = function(self, value)
 	for index, ipmask in ipairs(ipmasks) do
 		if ipmask:find("geoip:") and ipmask:find("geoip:") == 1 then
 		elseif ipmask:find("ext:") and ipmask:find("ext:") == 1 then
+		elseif ipmask:find("#") and ipmask:find("#") == 1 then
 		else
 			if not (datatypes.ipmask4(ipmask) or datatypes.ipmask6(ipmask)) then
 				return nil, ipmask .. " " .. translate("Not valid IP format, please re-enter!")
@ -154,7 +157,7 @@ end
 ip_list.description = "<br /><ul><li>" .. translate("IP: such as '127.0.0.1'.")
 .. "</li><li>" .. translate("CIDR: such as '127.0.0.0/8'.")
 .. "</li><li>" .. translate("GeoIP: such as 'geoip:cn'. It begins with geoip: (lower case) and followed by two letter of country code.")
-.. "</li><li>" .. translate("IPs from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geoip.dat. The tag must exist in the file.")
+.. "</li><li>" .. translate("Annotation: Begining with #")
 .. "</li></ul>"

 return m
--- a/luci-app-passwall/luasrc/passwall/util_sing-box.lua
+++ b/luci-app-passwall/luasrc/passwall/util_sing-box.lua
@ -1159,6 +1159,7 @@ function gen_config(var)
 							geosite = {},
 						}
 						string.gsub(e.domain_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							if w:find("geosite:") == 1 then
 								table.insert(domain_table.geosite, w:sub(1 + #"geosite:"))
 							elseif w:find("regexp:") == 1 then
@ -1187,6 +1188,7 @@ function gen_config(var)
 						local ip_cidr = {}
 						local geoip = {}
 						string.gsub(e.ip_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							if w:find("geoip:") == 1 then
 								table.insert(geoip, w:sub(1 + #"geoip:"))
 							else
--- a/luci-app-passwall/luasrc/passwall/util_xray.lua
+++ b/luci-app-passwall/luasrc/passwall/util_xray.lua
@ -944,6 +944,7 @@ function gen_config(var)
 					if e.domain_list then
 						domains = {}
 						string.gsub(e.domain_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							table.insert(domains, w)
 						end)
 					end
@ -951,6 +952,7 @@ function gen_config(var)
 					if e.ip_list then
 						ip = {}
 						string.gsub(e.ip_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							table.insert(ip, w)
 						end)
 					end
--- a/luci-app-passwall/po/zh-cn/passwall.po
+++ b/luci-app-passwall/po/zh-cn/passwall.po
@ -1075,8 +1075,8 @@ msgstr "完整匹配: 由'full:'开始，余下部分是一个域名。当此域
 msgid "Pre-defined domain list: Begining with 'geosite:' and the rest is a name, such as geosite:google or geosite:cn."
 msgstr "预定义域名列表：由'geosite:'开头，余下部分是一个名称，如geosite:google或者geosite:cn。"

-msgid "Domains from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geosite.dat. The tag must exist in the file."
-msgstr "从文件中加载域名: 形如'ext:file:tag'，必须以ext:（小写）开头，后面跟文件名和标签，文件存放在资源目录中，文件格式与geosite.dat相同，标签必须在文件中存在。"
+msgid "Annotation: Begining with #"
+msgstr "注释: 由 # 开头"

 msgid "IP: such as '127.0.0.1'."
 msgstr "IP: 形如'127.0.0.1'。"
@ -1087,9 +1087,6 @@ msgstr "CIDR: 形如'10.0.0.0/8'."
 msgid "GeoIP: such as 'geoip:cn'. It begins with geoip: (lower case) and followed by two letter of country code."
 msgstr "GeoIP: 形如'geoip:cn'，必须以geoip:（小写）开头，后面跟双字符国家代码，支持几乎所有可以上网的国家。"

-msgid "IPs from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geoip.dat. The tag must exist in the file."
-msgstr "从文件中加载 IP: 形如'ext:file:tag'，必须以ext:（小写）开头，后面跟文件名和标签，文件存放在资源目录中，文件格式与geoip.dat相同标签必须在文件中存在。"
-
 msgid "Clear logs"
 msgstr "清空日志"

--- a/luci-app-passwall/root/usr/share/passwall/0_default_config
+++ b/luci-app-passwall/root/usr/share/passwall/0_default_config
@ -5,10 +5,12 @@ config global
 	option tcp_node 'nil'
 	option udp_node 'nil'
 	option tcp_node_socks_port '1070'
-	option filter_proxy_ipv6 '0'
+	option filter_proxy_ipv6 '1'
 	option dns_mode 'dns2tcp'
 	option remote_dns '1.1.1.1'
 	option use_default_dns 'direct'
+	option chinadns_ng '1'
+	option chinadns_ng_default_tag 'smart'
 	option use_direct_list '1'
 	option use_proxy_list '1'
 	option use_block_list '1'
--- a/luci-app-passwall/root/usr/share/passwall/0_default_config.orig
+++ b/luci-app-passwall/root/usr/share/passwall/0_default_config.orig
@ -0,0 +1,212 @@
+
+config global
+	option enabled '0'
+	option socks_enabled '0'
+	option tcp_node 'nil'
+	option udp_node 'nil'
+	option tcp_node_socks_port '1070'
+	option filter_proxy_ipv6 '1'
+	option dns_mode 'dns2tcp'
+	option remote_dns '1.1.1.1'
+	option use_default_dns 'direct'
+	option chinadns_ng '1'
+	option chinadns_ng_default_tag 'smart'
+	option use_direct_list '1'
+	option use_proxy_list '1'
+	option use_block_list '1'
+	option use_gfw_list '1'
+	option chn_list 'direct'
+	option tcp_proxy_mode 'proxy'
+	option udp_proxy_mode 'proxy'
+	option localhost_proxy '1'
+	option client_proxy '1'
+	option acl_enable '0'
+	option close_log_tcp '0'
+	option close_log_udp '0'
+	option loglevel 'error'
+	option trojan_loglevel '4'
+
+config global_haproxy
+	option balancing_enable '0'
+
+config global_delay
+	option auto_on '0'
+	option start_daemon '1'
+	option start_delay '60'
+
+config global_forwarding
+	option tcp_no_redir_ports 'disable'
+	option udp_no_redir_ports 'disable'
+	option tcp_proxy_drop_ports 'disable'
+	option udp_proxy_drop_ports '443'
+	option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443'
+	option udp_redir_ports '1:65535'
+	option accept_icmp '0'
+	option use_nft '0'
+	option tcp_proxy_way 'redirect'
+	option ipv6_tproxy '0'
+
+config global_xray
+	option sniffing '1'
+	option route_only '0'
+
+config global_singbox
+	option sniff_override_destination '0'
+	option geoip_path '/usr/share/singbox/geoip.db'
+	option geoip_url 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.db'
+	option geosite_path '/usr/share/singbox/geosite.db'
+	option geosite_url 'https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.db'
+
+config global_other
+	option auto_detection_time 'tcping'
+	option show_node_info '0'
+
+config global_rules
+	option auto_update '0'
+	option chnlist_update '1'
+	option chnroute_update '1'
+	option chnroute6_update '1'
+	option gfwlist_update '1'
+	option geosite_update '0'
+	option geoip_update '0'
+	list gfwlist_url 'https://fastly.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/gfw.txt'
+	list chnroute_url 'https://ispip.clang.cn/all_cn.txt'
+	list chnroute_url 'https://fastly.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china.txt'
+	list chnroute6_url 'https://ispip.clang.cn/all_cn_ipv6.txt'
+	list chnroute6_url 'https://fastly.jsdelivr.net/gh/gaoyifan/china-operator-ip@ip-lists/china6.txt'
+	list chnlist_url 'https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/accelerated-domains.china.conf'
+	list chnlist_url 'https://fastly.jsdelivr.net/gh/felixonmars/dnsmasq-china-list/apple.china.conf'
+	option v2ray_location_asset '/usr/share/v2ray/'
+
+config global_app
+	option singbox_file '/usr/bin/sing-box'
+	option xray_file '/usr/bin/xray'
+	option hysteria_file '/usr/bin/hysteria'
+	option chinadns_ng '/usr/bin/chinadns-ng'
+
+config global_subscribe
+	option filter_keyword_mode '1'
+	list filter_discard_list '过期时间'
+	list filter_discard_list '剩余流量'
+	list filter_discard_list 'QQ群'
+	list filter_discard_list '官网'
+
+config nodes 'myshunt'
+	option remarks '分流总节点'
+	option type 'Xray'
+	option protocol '_shunt'
+	option DirectGame '_direct'
+	option ProxyGame '_default'
+	option Proxy '_default'
+	option Netflix '_default'
+	option OpenAI '_default'
+	option Direct '_direct'
+	option default_node 'nil'
+	option domainStrategy 'IPOnDemand'
+
+config shunt_rules 'DirectGame'
+	option remarks 'DirectGame'
+	option domain_list 'api.steampowered.com
+regexp:\.cm.steampowered.com$
+regexp:\.steamserver.net$
+geosite:category-games@cn'
+	option ip_list '103.10.124.0/24
+103.10.125.0/24
+103.28.54.0/24
+146.66.152.0/24
+146.66.155.0/24
+153.254.86.0/24
+155.133.224.0/23
+155.133.226.0/24
+155.133.227.0/24
+155.133.230.0/24
+155.133.232.0/24
+155.133.233.0/24
+155.133.234.0/24
+155.133.236.0/23
+155.133.238.0/24
+155.133.239.0/24
+155.133.240.0/23
+155.133.245.0/24
+155.133.246.0/24
+155.133.248.0/24
+155.133.249.0/24
+155.133.250.0/24
+155.133.251.0/24
+155.133.252.0/24
+155.133.253.0/24
+155.133.254.0/24
+155.133.255.0/24
+162.254.192.0/24
+162.254.193.0/24
+162.254.194.0/23
+162.254.195.0/24
+162.254.196.0/24
+162.254.197.0/24
+162.254.198.0/24
+162.254.199.0/24
+185.25.182.0/24
+185.25.183.0/24
+190.217.33.0/24
+192.69.96.0/22
+205.185.194.0/24
+205.196.6.0/24
+208.64.200.0/24
+208.64.201.0/24
+208.64.202.0/24
+208.64.203.0/24
+208.78.164.0/22'
+
+config shunt_rules 'ProxyGame'
+	option remarks 'ProxyGame'
+	option domain_list 'geosite:category-games
+domain:store.steampowered.com'
+
+config shunt_rules 'OpenAI'
+	option remarks 'OpenAI'
+	option domain_list 'geosite:openai'
+
+config shunt_rules 'Proxy'
+	option remarks 'Proxy'
+	option domain_list 'geosite:geolocation-!cn'
+	option ip_list '149.154.160.0/20
+91.108.4.0/22
+91.108.56.0/24
+109.239.140.0/24
+67.198.55.0/24
+8.8.4.4
+8.8.8.8
+208.67.222.222
+208.67.220.220
+1.1.1.1
+1.1.1.2
+1.0.0.1
+9.9.9.9
+149.112.112.112
+2001:67c:4e8::/48
+2001:b28:f23c::/48
+2001:b28:f23d::/48
+2001:b28:f23f::/48
+2001:b28:f242::/48
+2001:4860:4860::8888
+2001:4860:4860::8844
+2606:4700:4700::1111
+2606:4700:4700::1001'
+
+config shunt_rules 'Netflix'
+	option remarks 'Netflix'
+	option domain_list 'geosite:netflix'
+
+config shunt_rules 'Direct'
+	option remarks 'Direct'
+	option domain_list 'geosite:cn'
+	option ip_list '223.5.5.5/32
+223.6.6.6/32
+119.29.29.29/32
+180.76.76.76/32
+114.114.114.114/32
+114.114.115.115/32
+1.12.12.12/32
+120.53.53.53/32
+geoip:cn
+geoip:private'
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@ -480,47 +480,103 @@ run_dns2socks() {
 }

 run_chinadns_ng() {
-	local _listen_port _dns_china _dns_trust _chnlist _gfwlist _no_ipv6_rules _log_path _no_logic_log
+	local _flag _listen_port _dns_china _dns_trust _use_direct_list _use_proxy_list _chnlist _gfwlist _no_ipv6_dns _no_logic_log
 	eval_set_val $@

-	local _LOG_FILE=$LOG_FILE
-	[ -n "$_no_logic_log" ] && LOG_FILE="/dev/null"
+	[ -n "$_no_logic_log" ] && {
+		local ORIGIN_LOG_FILE=$LOG_FILE
+		LOG_FILE="/dev/null"
+	}
 	
-	echolog "  | - (chinadns-ng) 最高支持4级域名过滤..."
+	local _CONF_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.conf
+	local _LOG_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.log
+	_LOG_FILE="/dev/null"
+
+	cat <<-EOF > ${_CONF_FILE}
+		verbose
+		bind-addr 127.0.0.1
+		bind-port ${_listen_port}@udp
+		china-dns ${_dns_china}
+		trust-dns ${_dns_trust}
+		filter-qtype 65
+
+	EOF
+
+	[ "${_use_direct_list}" = "1" ] && [ -s "${RULES_PATH}/direct_host" ] && {
+		local whitelist4_set="passwall_whitelist"
+		local whitelist6_set="passwall_whitelist6"
+		[ "$nftflag" = "1" ] && {
+			whitelist4_set="inet@fw4@${whitelist4_set}"
+			whitelist6_set="inet@fw4@${whitelist6_set}"
+		}
+		cat <<-EOF >> ${_CONF_FILE}
+			group directlist
+			group-dnl ${RULES_PATH}/direct_host
+			group-upstream ${_dns_china}
+			group-ipset ${whitelist4_set},${whitelist6_set}
+		EOF
+		[ "${_no_ipv6_dns}" = "china" ] && echo "no-ipv6 tag:directlist" >> ${_CONF_FILE}
+	}
+	
+	[ "${_use_proxy_list}" = "1" ] && [ -s "${RULES_PATH}/proxy_host" ] && {
+		local blacklist4_set="passwall_blacklist"
+		local blacklist6_set="passwall_blacklist6"
+		[ "$nftflag" = "1" ] && {
+			blacklist4_set="inet@fw4@${blacklist4_set}"
+			blacklist6_set="inet@fw4@${blacklist6_set}"
+		}
+		cat <<-EOF >> ${_CONF_FILE}
+			group proxylist
+			group-dnl ${RULES_PATH}/proxy_host
+			group-upstream ${_dns_trust}
+			group-ipset ${blacklist4_set},${blacklist6_set}
+		EOF
+		[ "${_no_ipv6_dns}" = "trust" ] && echo "no-ipv6 tag:proxylist" >> ${_CONF_FILE}
+	}

 	local _default_tag=$(config_t_get global chinadns_ng_default_tag smart)
-	local _extra_param=""
 	[ "${_chnlist}" = "direct" ] && {
 		[ -s "${RULES_PATH}/chnlist" ] && {
-			local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
-			cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
 			local chnroute4_set="passwall_chnroute"
 			local chnroute6_set="passwall_chnroute6"
 			[ "$nftflag" = "1" ] && {
-				chnroute4_set="inet@fw4@passwall_chnroute"
-				chnroute6_set="inet@fw4@passwall_chnroute6"
+				chnroute4_set="inet@fw4@${chnroute4_set}"
+				chnroute6_set="inet@fw4@${chnroute6_set}"
 			}
-			_extra_param="${_extra_param} -4 ${chnroute4_set} -6 ${chnroute6_set} -m ${_chnlist_file} -M -a"
+			cat <<-EOF >> ${_CONF_FILE}
+				chnlist-file ${RULES_PATH}/chnlist
+				ipset-name4 ${chnroute4_set}
+				ipset-name6 ${chnroute6_set}
+				add-tagchn-ip
+				chnlist-first
+			EOF
+			[ "${_no_ipv6_dns}" = "china" ] && echo "no-ipv6 tag:chn" >> ${_CONF_FILE}
 		}
 	}
 	[ "${_gfwlist}" = "1" ] && {
 		[ -s "${RULES_PATH}/gfwlist" ] && {
-			local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
-			cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
-			local gfwlist_set="passwall_gfwlist,passwall_gfwlist6"
-			[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@passwall_gfwlist,inet@fw4@passwall_gfwlist6"
-			_extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
+			local gfwlist4_set="passwall_gfwlist"
+			local gfwlist6_set="passwall_gfwlist6"
+			[ "$nftflag" = "1" ] && {
+				gfwlist4_set="inet@fw4@${gfwlist4_set}"
+				gfwlist6_set="inet@fw4@${gfwlist6_set}"
+			}
+			cat <<-EOF >> ${_CONF_FILE}
+				gfwlist-file ${RULES_PATH}/gfwlist
+				add-taggfw-ip ${gfwlist4_set},${gfwlist6_set}
+			EOF
+			[ "${_no_ipv6_dns}" = "trust" ] && echo "no-ipv6 tag:gfw" >> ${_CONF_FILE}
 			#当只有使用gfwlist模式时设置默认DNS为本地直连
-			[ "${_gfwlist}" = "1" ] && [ "${_chnlist}" = "0" ] && _default_tag="chn"
+			[ "${_chnlist}" = "0" ] && _default_tag="chn"
 		}
 	}

-	[ -n "$_default_tag" ] && [ "$_default_tag" != "smart" ] && _extra_param="${_extra_param} -d ${_default_tag}"
+	[ -n "$_default_tag" ] && [ "$_default_tag" != "smart" ] && echo "default-tag ${_default_tag}" >> ${_CONF_FILE}

-	_log_path="/dev/null"
-	ln_run "$(first_type chinadns-ng)" chinadns-ng "$_log_path" -v -b 127.0.0.1 -l "${_listen_port}" ${_dns_china:+-c "${_dns_china}"} ${_dns_trust:+-t "${_dns_trust}"} ${_extra_param} -f ${_no_ipv6_rules:+-N=${_no_ipv6_rules}}
-	echolog "  + 过滤服务：ChinaDNS-NG(:${_listen_port})：国内DNS：${_dns_china}，可信DNS：${_dns_trust}"
-	LOG_FILE=${_LOG_FILE}
+	ln_run "$(first_type chinadns-ng)" chinadns-ng "${_LOG_FILE}" -C ${_CONF_FILE}
+	echolog "  | - 过滤服务：ChinaDNS-NG(127.0.0.1#${_listen_port})：国内DNS：${_dns_china}，可信DNS：${_dns_trust}"
+
+	[ -n "${ORIGIN_LOG_FILE}" ] && LOG_FILE=${ORIGIN_LOG_FILE}
 }

 run_socks() {
@ -1256,19 +1312,21 @@ start_dns() {

 	[ "$CHINADNS_NG" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ "${CHN_LIST}" = "direct" ] || [ "${USE_GFW_LIST}" = "1" ]) && {
 		[ "$FILTER_PROXY_IPV6" = "1" ] && {
-			local _no_ipv6_rules="tag:gfw"
+			local _no_ipv6_dns="trust"
 			FILTER_PROXY_IPV6=0
 		}
 		local china_ng_listen_port=$(expr $dns_listen_port + 1)
 		local china_ng_listen="127.0.0.1#${china_ng_listen_port}"
 		run_chinadns_ng \
+			_flag="default" \
 			_listen_port=${china_ng_listen_port} \
 			_dns_china=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") \
 			_dns_trust="${TUN_DNS}" \
+			_use_direct_list="${USE_DIRECT_LIST}" \
+			_use_proxy_list="${USE_PROXY_LIST}" \
 			_chnlist="${CHN_LIST}" \
 			_gfwlist="${USE_GFW_LIST}" \
-			_no_ipv6_rules="${_no_ipv6_rules}" \
-			_log_path="${TMP_PATH}/chinadns-ng.log"
+			_no_ipv6_dns="${_no_ipv6_dns}"

 		USE_DEFAULT_DNS="chinadns_ng"
 	}
@ -1419,20 +1477,22 @@ acl_app() {

 							[ "$chinadns_ng" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ "${chn_list}" = "direct" ] || [ "${use_gfw_list}" = "1" ]) && {
 								[ "$filter_proxy_ipv6" = "1" ] && {
-									local _no_ipv6_rules="tag:gfw"
+									local _no_ipv6_dns="trust"
 									filter_proxy_ipv6=0
 								}
 								chinadns_port=$(expr $chinadns_port + 1)
 								_china_ng_listen="127.0.0.1#${chinadns_port}"

 								run_chinadns_ng \
+									_flag="$sid" \
 									_listen_port=${chinadns_port} \
 									_dns_china=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") \
 									_dns_trust="127.0.0.1#${_dns_port}" \
+									_use_direct_list="${use_direct_list}" \
+									_use_proxy_list="${use_proxy_list}" \
 									_chnlist=${chn_list} \
 									_gfwlist=${use_gfw_list} \
-									_no_ipv6_rules="${_no_ipv6_rules}" \
-									_log_path="${TMP_ACL_PATH}/${sid}/chinadns-ng.log" \
+									_no_ipv6_dns="${_no_ipv6_dns}" \
 									_no_logic_log=1

 								use_default_dns="chinadns_ng"
@ -1573,7 +1633,7 @@ acl_app() {
 			[ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port
 			unset enabled sid remarks sources use_global_config tcp_node udp_node use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip
 			unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port config_file _extra_param
-			unset _china_ng_listen _china_ng_chn _china_ng_gfw _gfwlist_file _chnlist_file _china_ng_log_file _no_ipv6_rules _china_ng_extra_param
+			unset _china_ng_listen _china_ng_chn _china_ng_gfw _gfwlist_file _chnlist_file _china_ng_log_file _no_ipv6_dns _china_ng_extra_param
 			unset redirect_dns_port
 		done
 		unset socks_port redir_port dns_port dnsmasq_port chinadns_port
--- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
@ -213,8 +213,18 @@ if not fs.access(CACHE_DNS_PATH) then
 	end)
 	log(string.format("  - 节点列表中的域名(vpslist)：%s", LOCAL_DNS or "默认"))

+	local fwd_dns
+	local ipset_flag
+	local no_ipv6
+
 	--直连（白名单）列表
 	if USE_DIRECT_LIST == "1" then
+		if fs.access("/usr/share/passwall/rules/direct_host") then
+			fwd_dns = TUN_DNS
+			if USE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
+				fwd_dns = nil
+			end
+			if fwd_dns then
 				--始终用国内DNS解析直连（白名单）列表
 				for line in io.lines("/usr/share/passwall/rules/direct_host") do
 					if line ~= "" and not line:find("#") then
@ -223,15 +233,19 @@ if not fs.access(CACHE_DNS_PATH) then
 						set_domain_ipset(line, setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6")
 					end
 				end
-		log(string.format("  - 域名白名单(whitelist)：%s", LOCAL_DNS or "默认"))
 			end
-
-	local fwd_dns
-	local ipset_flag
-	local no_ipv6
+			log(string.format("  - 域名白名单(whitelist)：%s", fwd_dns or "默认"))
+		end
+	end

 	--代理（黑名单）列表
 	if USE_PROXY_LIST == "1" then
+		if fs.access("/usr/share/passwall/rules/proxy_host") then
+			fwd_dns = TUN_DNS
+			if USE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
+				fwd_dns = nil
+			end
+			if fwd_dns then
 				--始终使用远程DNS解析代理（黑名单）列表
 				for line in io.lines("/usr/share/passwall/rules/proxy_host") do
 					if line ~= "" and not line:find("#") then
@ -248,7 +262,9 @@ if not fs.access(CACHE_DNS_PATH) then
 						set_domain_ipset(line, ipset_flag)
 					end
 				end
-		log(string.format("  - 代理域名表(blacklist)：%s", TUN_DNS or "默认"))
+			end
+			log(string.format("  - 代理域名表(blacklist)：%s", fwd_dns or "默认"))
+		end
 	end

 	--GFW列表
--- a/luci-app-passwall/root/usr/share/passwall/subscribe.lua
+++ b/luci-app-passwall/root/usr/share/passwall/subscribe.lua
@ -227,9 +227,8 @@ do
 	end)

 	uci:foreach(appname, "nodes", function(node)
-		if node.protocol and node.protocol == '_shunt' then
 		local node_id = node[".name"]
-
+		if node.protocol and node.protocol == '_shunt' then
 			local rules = {}
 			uci:foreach(appname, "shunt_rules", function(e)
 				if e[".name"] and e.remarks then
@ -262,7 +261,6 @@ do
 				end
 			end
 		elseif node.protocol and node.protocol == '_balancing' then
-			local node_id = node[".name"]
 			local nodes = {}
 			local new_nodes = {}
 			if node.balancing_node then
@ -274,7 +272,7 @@ do
 						remarks = node,
 						set = function(o, server)
 							for kk, vv in pairs(CONFIG) do
-								if (vv.remarks == "负载均衡节点列表" .. node_id) then
+								if (vv.remarks == "Xray负载均衡节点[" .. node_id .. "]列表") then
 									table.insert(vv.new_nodes, server)
 								end
 							end
@ -283,13 +281,12 @@ do
 				end
 			end
 			CONFIG[#CONFIG + 1] = {
-				remarks = "负载均衡节点列表" .. node_id,
+				remarks = "Xray负载均衡节点[" .. node_id .. "]列表",
 				nodes = nodes,
 				new_nodes = new_nodes,
 				set = function(o)
 					for kk, vv in pairs(CONFIG) do
-						if (vv.remarks == "负载均衡节点列表" .. node_id) then
-							--log("刷新负载均衡节点列表")
+						if (vv.remarks == "Xray负载均衡节点[" .. node_id .. "]列表") then
 							uci:foreach(appname, "nodes", function(node2)
 								if node2[".name"] == node[".name"] then
 									local section = uci:section(appname, "nodes", node_id)
@ -300,6 +297,42 @@ do
 					end
 				end
 			}
+
+			--后备节点
+			local currentNode = uci:get_all(appname, node_id) or nil
+			if currentNode and currentNode.fallback_node then
+				CONFIG[#CONFIG + 1] = {
+					log = true,
+					id = node_id,
+					remarks = "Xray负载均衡节点[" .. node_id .. "]后备节点",
+					currentNode = uci:get_all(appname, currentNode.fallback_node) or nil,
+					set = function(o, server)
+						uci:set(appname, node_id, "fallback_node", server)
+						o.newNodeId = server
+					end,
+					delete = function(o)
+						uci:delete(appname, node_id, "fallback_node")
+					end
+				}
+			end
+		else
+			--落地节点
+			local currentNode = uci:get_all(appname, node_id) or nil
+			if currentNode and currentNode.to_node then
+				CONFIG[#CONFIG + 1] = {
+					log = true,
+					id = node_id,
+					remarks = "节点[" .. node_id .. "]落地节点",
+					currentNode = uci:get_all(appname, currentNode.to_node) or nil,
+					set = function(o, server)
+						uci:set(appname, node_id, "to_node", server)
+						o.newNodeId = server
+					end,
+					delete = function(o)
+						uci:delete(appname, node_id, "to_node")
+					end
+				}
+			end
 		end
 	end)