diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua index b2a564b0c..e5d6a46a6 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua @@ -563,9 +563,6 @@ if api.is_finded("smartdns") then o:depends({dns_shunt = "smartdns", tcp_proxy_mode = "proxy", chn_list = "direct"}) end -o = s:taboption("DNS", Flag, "dns_redirect", "DNS " .. translate("Redirect"), translate("Force Router DNS server to all local devices.")) -o.default = "0" - if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect.")) else diff --git a/luci-app-passwall/po/zh-cn/passwall.po b/luci-app-passwall/po/zh-cn/passwall.po index 610fe9bca..fa15bafc9 100644 --- a/luci-app-passwall/po/zh-cn/passwall.po +++ b/luci-app-passwall/po/zh-cn/passwall.po @@ -223,9 +223,6 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。" msgid "Redirect" msgstr "重定向" -msgid "Force Router DNS server to all local devices." -msgstr "强制所有本地设备使用路由器 DNS。" - msgid "Clear IPSET" msgstr "清空 IPSET" diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index 4e1968a1f..56a46c00a 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh 
@@ -14,13 +14,10 @@ TMP_ROUTE_PATH=$TMP_PATH/route TMP_ACL_PATH=$TMP_PATH/acl TMP_IFACE_PATH=$TMP_PATH/iface TMP_PATH2=/tmp/etc/${CONFIG}_tmp -DNSMASQ_PATH=/etc/dnsmasq.d -DNSMASQ_CONF_DIR=/tmp/dnsmasq.d -TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} +GLOBAL_ACL_PATH=${TMP_ACL_PATH}/default LOG_FILE=/tmp/log/$CONFIG.log APP_PATH=/usr/share/$CONFIG RULES_PATH=/usr/share/${CONFIG}/rules -DNS_N=dnsmasq DNS_PORT=15353 TUN_DNS="127.0.0.1#${DNS_PORT}" LOCAL_DNS=119.29.29.29,223.5.5.5 @@ -359,6 +356,23 @@ parse_doh() { eval "${__url_var}='${__url}' ${__host_var}='${__host}' ${__port_var}='${__port}' ${__bootstrap_var}='${__bootstrap}'" } +get_geoip() { + local geoip_code="$1" + local geoip_type_flag="" + local geoip_path="$(config_t_get global_rules v2ray_location_asset)" + geoip_path="${geoip_path%*/}/geoip.dat" + [ -e "$geoip_path" ] || { echo ""; return; } + case "$2" in + "ipv4") geoip_type_flag="-ipv6=false" ;; + "ipv6") geoip_type_flag="-ipv4=false" ;; + esac + if type geoview &> /dev/null; then + geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true + else + echo "" + fi +} + run_ipt2socks() { local flag proto tcp_tproxy local_port socks_address socks_port socks_username socks_password log_file local _extra_param="" @@ -704,9 +718,9 @@ run_redir() { local node proto bind local_port config_file log_file eval_set_val $@ local tcp_node_socks_flag tcp_node_http_flag - [ -n "$config_file" ] && [ -z "$(echo ${config_file} | grep $TMP_PATH)" ] && config_file=${TMP_ACL_PATH}/default/${config_file} + [ -n "$config_file" ] && [ -z "$(echo ${config_file} | grep $TMP_PATH)" ] && config_file=${GLOBAL_ACL_PATH}/${config_file} if [ -n "$log_file" ] && [ -z "$(echo ${log_file} | grep $TMP_PATH)" ]; then - log_file=${TMP_ACL_PATH}/default/${log_file} + log_file=${GLOBAL_ACL_PATH}/${log_file} else log_file="/dev/null" fi 
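Review bot: `type geoview &> /dev/null` in the get_geoip added to app.sh relies on the bash-only `&>` redirection, while app.sh is a `/bin/sh` script; a strict POSIX shell parses that as `type geoview &` (backgrounded) followed by `> /dev/null`, so the `if` would take the true branch regardless and then fail on the `geoview` call. Busybox ash only accepts `&>` when built with bash compatibility, so the portable spelling `if type geoview >/dev/null 2>&1; then` is safer. The body is moved from iptables.sh and nftables.sh (both deleted later in this patch), so there is now a single copy to fix.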
@@ -1050,7 +1064,7 @@ run_redir() { [ "$tcp_node_socks" = "1" ] && { TCP_SOCKS_server="127.0.0.1:$tcp_node_socks_port" - echo "${TCP_SOCKS_server}" > $TMP_ACL_PATH/default/TCP_SOCKS_server + echo "${TCP_SOCKS_server}" > ${GLOBAL_ACL_PATH}/TCP_SOCKS_server } ;; esac @@ -1069,7 +1083,7 @@ start_redir() { local port=$(echo $(get_new_port $current_port $proto)) eval ${proto}_REDIR=$port run_redir node=$node proto=${proto} bind=0.0.0.0 local_port=$port config_file=$config_file log_file=$log_file - echo $node > $TMP_ACL_PATH/default/${proto}.id + echo $node > ${GLOBAL_ACL_PATH}/${proto}.id else [ "${proto}" = "UDP" ] && [ "$TCP_UDP" = "1" ] && return echolog "${proto}节点没有选择或为空,不代理${proto}。" 
@@ -1533,13 +1547,20 @@ start_dns() { dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}') [ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!" } - source $APP_PATH/helper_dnsmasq.sh stretch - lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${TMP_DNSMASQ_PATH} -DNSMASQ_CONF_DIR ${DNSMASQ_CONF_DIR} \ - -DNSMASQ_CONF_FILE "${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf" -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \ + + GLOBAL_DNSMASQ_PORT=$(get_new_port 11400) + local GLOBAL_DNSMASQ_CONF=${GLOBAL_ACL_PATH}/dnsmasq.conf + local GLOBAL_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/dnsmasq.d + source $APP_PATH/helper_dnsmasq.sh copy_instance listen_port=$GLOBAL_DNSMASQ_PORT dnsmasq_conf="${GLOBAL_DNSMASQ_CONF}" dnsmasq_conf_path="${GLOBAL_DNSMASQ_CONF_PATH}" + lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${GLOBAL_DNSMASQ_CONF_PATH} \ + -DNSMASQ_CONF_FILE ${GLOBAL_DNSMASQ_CONF} -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \ -TUN_DNS ${TUN_DNS} -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \ -USE_DIRECT_LIST "${USE_DIRECT_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \ -TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE ${TCP_PROXY_MODE} -NO_PROXY_IPV6 ${DNSMASQ_FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \ -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} + ln_run "$(first_type dnsmasq)" "dnsmasq_default" "/dev/null" -C ${GLOBAL_DNSMASQ_CONF} -x ${GLOBAL_ACL_PATH}/dnsmasq.pid + echo "${GLOBAL_DNSMASQ_PORT}" > ${GLOBAL_ACL_PATH}/var_redirect_dns_port + DNS_REDIRECT_PORT=${GLOBAL_DNSMASQ_PORT} } add_ip2route() { 
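Review bot: `DNS_REDIRECT_PORT=${GLOBAL_DNSMASQ_PORT}` at the end of start_dns is assigned unconditionally, so if `ln_run` could not start the dedicated instance (for instance `first_type dnsmasq` returning nothing) the firewall rules later built from DNS_REDIRECT_PORT still redirect every LAN port-53 packet to a port nobody listens on, which takes down LAN name resolution instead of falling through to the system dnsmasq. A cheap guard before the `source ... copy_instance` line is `[ -n "$(first_type dnsmasq)" ] || { echolog "dnsmasq not found, DNS redirect disabled"; return; }`. GLOBAL_DNSMASQ_PORT is deliberately not `local` (acl_app reads it later) while its neighbours are; a one-line comment saying so would keep someone from "fixing" it. start_dns begins outside this hunk.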
@@ -1599,6 +1620,7 @@ acl_app() { redir_port=11200 dns_port=11300 dnsmasq_port=11400 + [ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT) chinadns_port=11500 for item in $items; do sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') @@ -1625,9 +1647,10 @@ acl_app() { unset s2 done - mkdir -p $TMP_ACL_PATH/$sid + local acl_path=${TMP_ACL_PATH}/$sid + mkdir -p ${acl_path} - [ ! -z "${source_list}" ] && echo -e "${source_list}" | sed '/^$/d' > $TMP_ACL_PATH/$sid/source_list + [ ! -z "${source_list}" ] && echo -e "${source_list}" | sed '/^$/d' > ${acl_path}/source_list use_global_config=${use_global_config:-0} tcp_node=${tcp_node:-nil} 
@@ -1726,28 +1749,17 @@ acl_app() { } dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) - redirect_dns_port=$dnsmasq_port - mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d - [ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && { - cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/server/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - } - echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - [ "$use_default_dns" = "remote" ] && { - dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}') - [ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!" - } - lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d -DNSMASQ_CONF_DIR ${DNSMASQ_CONF_DIR} \ - -DNSMASQ_CONF_FILE $TMP_ACL_PATH/$sid/dnsmasq.conf -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \ + local dnsmasq_conf=${acl_path}/dnsmasq.conf + local dnsmasq_conf_path=${acl_path}/dnsmasq.d + source $APP_PATH/helper_dnsmasq.sh copy_instance listen_port=$dnsmasq_port dnsmasq_conf="${dnsmasq_conf}" dnsmasq_conf_path="${dnsmasq_conf_path}" + lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH ${dnsmasq_conf_path} \ + -DNSMASQ_CONF_FILE ${dnsmasq_conf} -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \ -USE_DIRECT_LIST "${use_direct_list}" -USE_PROXY_LIST "${use_proxy_list}" -USE_BLOCK_LIST "${use_block_list}" -USE_GFW_LIST "${use_gfw_list}" -CHN_LIST "${chn_list}" \ -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -USE_DEFAULT_DNS "${use_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \ -TCP_NODE $tcp_node -DEFAULT_PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${dnsmasq_filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \ -NO_LOGIC_LOG 1 - ln_run 
"$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid + ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C ${dnsmasq_conf} -x ${acl_path}/dnsmasq.pid + echo "${dnsmasq_port}" > ${acl_path}/var_redirect_dns_port eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} } _redir_port=$(eval echo \${node_${tcp_node}_redir_port}) @@ -1760,7 +1772,7 @@ acl_app() { _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)}) run_dns ${_dns_port} else - redirect_dns_port=${_dnsmasq_port} + [ -n "${_dnsmasq_port}" ] && echo "${_dnsmasq_port}" > ${acl_path}/var_redirect_dns_port fi else socks_port=$(get_new_port $(expr $socks_port + 1)) @@ -1798,10 +1810,10 @@ acl_app() { fi run_dns ${_dns_port} fi - echo "${tcp_node}" > $TMP_ACL_PATH/$sid/var_tcp_node + echo "${tcp_node}" > ${acl_path}/var_tcp_node } fi - echo "${tcp_port}" > $TMP_ACL_PATH/$sid/var_tcp_port + echo "${tcp_port}" > ${acl_path}/var_tcp_port } [ "$udp_node" != "nil" ] && { [ "$udp_node" = "tcp" ] && udp_node=$tcp_node 
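Review bot: The per-ACL `use_default_dns = remote` dnsmasq version warning (the `expr $dnsmasq_version \>= 2.87` check) is dropped from acl_app in this hunk while start_dns keeps its copy, so an old dnsmasq now only warns for the global instance and silently proceeds for ACL instances using the same remote mode. If the check still matters it belongs in copy_instance in helper_dnsmasq.sh, which both callers now go through, rather than being duplicated in one place and lost in the other. The new `echo "${dnsmasq_port}" > ${acl_path}/var_redirect_dns_port` right after `ln_run` also records the port before anything confirms the instance came up, the same concern as in start_dns. acl_app begins and ends outside this hunk.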
@@ -1850,18 +1862,16 @@ acl_app() { run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file fi fi - echo "${udp_node}" > $TMP_ACL_PATH/$sid/var_udp_node + echo "${udp_node}" > ${acl_path}/var_udp_node fi } fi - echo "${udp_port}" > $TMP_ACL_PATH/$sid/var_udp_port + echo "${udp_port}" > ${acl_path}/var_udp_port udp_flag=1 } - [ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port unset enabled sid remarks sources interface use_global_config tcp_node udp_node use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip unset _ip _mac _iprange _ipset _ip_or_mac source_list tcp_port udp_port config_file _extra_param unset _china_ng_listen _chinadns_local_dns _direct_dns_mode chinadns_ng_default_tag dnsmasq_filter_proxy_ipv6 - unset redirect_dns_port done unset socks_port redir_port dns_port dnsmasq_port chinadns_port } @@ -1904,13 +1914,12 @@ start() { } [ "$ENABLED_DEFAULT_ACL" == 1 ] && { - mkdir -p $TMP_ACL_PATH/default + mkdir -p ${GLOBAL_ACL_PATH} start_redir TCP start_redir UDP start_dns } [ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start - [ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_${DNS_N}.sh logic_restart start_crontab echolog "运行完成!\n" } @@ -1927,8 +1936,6 @@ stop() { unset XRAY_LOCATION_ASSET stop_crontab source $APP_PATH/helper_smartdns.sh del - source $APP_PATH/helper_dnsmasq.sh del - source $APP_PATH/helper_dnsmasq.sh restart no_log=1 [ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1 [ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1 rm -rf ${TMP_PATH} 
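Review bot: stop() no longer runs `helper_dnsmasq.sh del`, but an installation upgrading from the previous scheme can still have `/etc/dnsmasq.d/dnsmasq-${CONFIG}.conf` and `/tmp/dnsmasq.d/dnsmasq-${CONFIG}.conf` (the files the deleted `del` removed) on disk, and nothing in this patch cleans them, so the system dnsmasq keeps loading a stale passwall config that points at a conf-dir which no longer exists. A one-time cleanup in start() or stop(), e.g. `rm -f /etc/dnsmasq.d/dnsmasq-${CONFIG}.conf /tmp/dnsmasq.d/dnsmasq-${CONFIG}.conf` followed by a dnsmasq restart only when either file existed, covers the migration. The dropped `logic_restart` in start() means passwall now intentionally leaves `dhcp.@dnsmasq[0]` alone; a short comment at that spot stating the new contract would help the next reader.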
@@ -1999,17 +2006,6 @@ RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1) ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::) -DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')" -if [ -f "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID" ]; then - DNSMASQ_CONF_DIR="$(awk -F '=' '/^conf-dir=/ {print $2}' "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID")" - if [ -n "$DNSMASQ_CONF_DIR" ]; then - DNSMASQ_CONF_DIR=${DNSMASQ_CONF_DIR%*/} - TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} - else - DNSMASQ_CONF_DIR="/tmp/dnsmasq.d" - fi -fi - DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label') [ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',') LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}" diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh index d3d4bbd05..746726084 100755 --- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh +++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh 
@@ -1,89 +1,27 @@ #!/bin/sh -stretch() { - #zhenduiluanshezhiDNSderen - local dnsmasq_server=$(uci -q get dhcp.@dnsmasq[0].server) - local dnsmasq_noresolv=$(uci -q get dhcp.@dnsmasq[0].noresolv) - local _flag - for server in $dnsmasq_server; do - [ -z "$(echo $server | grep '\/')" ] && _flag=1 - done - [ -z "$_flag" ] && [ "$dnsmasq_noresolv" = "1" ] && { - uci -q delete dhcp.@dnsmasq[0].noresolv - uci -q set dhcp.@dnsmasq[0].resolvfile="$RESOLVFILE" - uci commit dhcp +copy_instance() { + local listen_port dnsmasq_conf + eval_set_val $@ + [ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && { + cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $dnsmasq_conf + sed -i "/ubus/d" $dnsmasq_conf + sed -i "/dhcp/d" $dnsmasq_conf + sed -i "/port=/d" $dnsmasq_conf + sed -i "/conf-dir/d" $dnsmasq_conf + sed -i "/no-poll/d" $dnsmasq_conf + sed -i "/no-resolv/d" $dnsmasq_conf } + echo "port=${listen_port}" >> $dnsmasq_conf } -backup_servers() { - DNSMASQ_DNS=$(uci show dhcp.@dnsmasq[0] | grep ".server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' ',') - if [ -n "${DNSMASQ_DNS}" ]; then - uci -q set $CONFIG.@global[0].dnsmasq_servers="${DNSMASQ_DNS}" - uci commit $CONFIG - fi -} - -restore_servers() { - OLD_SERVER=$(uci -q get $CONFIG.@global[0].dnsmasq_servers | tr "," " ") - for server in $OLD_SERVER; do - uci -q del_list dhcp.@dnsmasq[0].server=$server - uci -q add_list dhcp.@dnsmasq[0].server=$server - done - uci commit dhcp - uci -q delete $CONFIG.@global[0].dnsmasq_servers - uci commit $CONFIG -} - -logic_restart() { - local no_log - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$no_log" ] && LOG_FILE="/dev/null" - if [ -f "$TMP_PATH/default_DNS" ]; then - backup_servers - #sed -i "/list server/d" /etc/config/dhcp >/dev/null 2>&1 - for server in $(uci -q get dhcp.@dnsmasq[0].server); do - [ -n "$(echo $server | grep '\/')" ] || uci -q del_list dhcp.@dnsmasq[0].server="$server" - done - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - restore_servers - else - 
/etc/init.d/dnsmasq restart >/dev/null 2>&1 - fi - echolog "重启 dnsmasq 服务" - LOG_FILE=${_LOG_FILE} -} - -restart() { - local no_log - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$no_log" ] && LOG_FILE="/dev/null" - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - echolog "重启 dnsmasq 服务" - LOG_FILE=${_LOG_FILE} -} - -del() { - rm -rf $DNSMASQ_CONF_DIR/dnsmasq-$CONFIG.conf - rm -rf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf - rm -rf $TMP_DNSMASQ_PATH -} +DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')" arg1=$1 shift case $arg1 in -stretch) - stretch $@ - ;; -del) - del $@ - ;; -restart) - restart $@ - ;; -logic_restart) - logic_restart $@ +copy_instance) + copy_instance $@ ;; *) ;; esac diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua index fbb3e2978..6c0176607 100644 --- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua +++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua @@ -4,7 +4,6 @@ local appname = "passwall" local var = api.get_args(arg) local FLAG = var["-FLAG"] -local DNSMASQ_CONF_DIR = var["-DNSMASQ_CONF_DIR"] local TMP_DNSMASQ_PATH = var["-TMP_DNSMASQ_PATH"] local DNSMASQ_CONF_FILE = var["-DNSMASQ_CONF_FILE"] local DEFAULT_DNS = var["-DEFAULT_DNS"] @@ -192,7 +191,6 @@ local setflag_4= (NFTFLAG == "1") and "4#inet#passwall#" or "" local setflag_6= (NFTFLAG == "1") and "6#inet#passwall#" or "" if not fs.access(CACHE_DNS_PATH) then - fs.mkdir(DNSMASQ_CONF_DIR) fs.mkdir(CACHE_DNS_PATH) --屏蔽列表 diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh index 601567261..ac2895566 100755 --- a/luci-app-passwall/root/usr/share/passwall/iptables.sh +++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh 
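Review bot: When `/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}` is missing or empty, copy_instance silently produces a config holding only `port=${listen_port}`, so the spawned dnsmasq runs with built-in defaults (no interface restriction, upstreams taken from /etc/resolv.conf) and the caller then redirects all LAN port-53 traffic to it. Make that case fatal instead, `[ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] || { echolog "system dnsmasq config not found"; return 1; }`, and have the callers act on the status. The old per-ACL code also ran `sed -i "/server/d"` on the copy and this version does not, so every instance inherits the system's plaintext `server=` upstreams; if helper_dnsmasq_add.lua is meant to be the only source of `server=` lines, particularly under `-USE_DEFAULT_DNS remote`, that deletion should be restored. The unanchored `/port=/d` also strips other options containing `port=` such as `min-port=`; `/^port=/d` is the intended match, and `dnsmasq_conf_path` is set by `eval_set_val` but neither declared `local` nor used here.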
@@ -182,23 +182,6 @@ get_wan6_ip() { echo $NET_ADDR } -get_geoip() { - local geoip_code="$1" - local geoip_type_flag="" - local geoip_path="$(config_t_get global_rules v2ray_location_asset)" - geoip_path="${geoip_path%*/}/geoip.dat" - [ -e "$geoip_path" ] || { echo ""; return; } - case "$2" in - "ipv4") geoip_type_flag="-ipv6=false" ;; - "ipv6") geoip_type_flag="-ipv4=false" ;; - esac - if type geoview &> /dev/null; then - geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true - else - echo "" - fi -} - load_acl() { ([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:" [ "$ENABLED_ACLS" == 1 ] && { @@ -233,6 +216,7 @@ load_acl() { [ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node) [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port) [ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port) + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) use_shunt_tcp=0 use_shunt_udp=0 @@ -259,6 +243,9 @@ load_acl() { chn_list=${CHN_LIST} tcp_proxy_mode=${TCP_PROXY_MODE} udp_proxy_mode=${UDP_PROXY_MODE} + use_shunt_tcp=${USE_SHUNT_TCP} + use_shunt_udp=${USE_SHUNT_UDP} + dns_redirect_port=${DNS_REDIRECT_PORT} } _acl_list=${TMP_ACL_PATH}/${sid}/source_list 
@@ -333,7 +320,25 @@ load_acl() { echolog " - ${msg}不代理所有 UDP 端口" fi } - + + if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then + [ -n "$dns_redirect_port" ] && { + $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN + $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN + $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port + $ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null + $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port + $ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null + } + else + $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN + $ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN + $ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + fi + [ -n "$tcp_port" -o -n "$udp_port" ] && { [ "${use_direct_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN [ "${use_direct_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN 
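Review bot: The eight-rule DNS block added here is repeated almost verbatim in the default section of load_acl, in the localhost part of add_firewall_rule, and in the two matching hunks of nftables.sh, differing only in comment, source match and port; a helper such as `add_dns_redirect_rules "$remarks" "$dns_redirect_port" "${_ipt_source}"` would keep the v4/v6 and udp/tcp variants from drifting apart. The `else` branch's RETURN rules only exempt an ACL's hosts from DNS redirection because load_acl appends them to PSW_REDIRECT before the default-section REDIRECT rules land in the same chain; a comment like `# per-ACL RETURN must precede the default REDIRECT appended later` would make that ordering explicit. load_acl begins and ends outside this hunk.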
@@ -380,7 +385,6 @@ load_acl() { [ -n "$tcp_port" ] && { if [ -n "${tcp_proxy_mode}" ]; then - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) msg2="${msg}使用 TCP 节点[$tcp_node_remark]" if [ -n "${is_tproxy}" ]; then msg2="${msg2}(TPROXY:${tcp_port})" @@ -463,7 +467,7 @@ load_acl() { $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN unset ipt_tmp ipt_j _ipt_source msg msg2 done - unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface + unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode dns_redirect_port tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp done } 
@@ -495,6 +499,19 @@ load_acl() { fi } + if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then + [ -n "$DNS_REDIRECT_PORT" ] && { + $ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN + $ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null + $ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN + $ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null + $ipt_n -A PSW_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT + $ip6t_n -A PSW_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null + $ipt_n -A PSW_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT + $ip6t_n -A PSW_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null + } + fi + [ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && { [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN @@ -654,6 +671,10 @@ filter_node() { local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z') local address=$(config_n_get $node address) local port=$(config_n_get $node port) + [ -z "$address" ] && [ -z "$port" ] && { + echolog " - 节点配置不正常,略过" + return 1 + } ipt_tmp=$ipt_n _is_tproxy=${is_tproxy} [ "$stream" == "udp" ] && _is_tproxy="TPROXY" @@ -665,7 +686,7 @@ filter_node() { fi else echolog " - 节点配置不正常,略过" - return 0 + return 1 fi local ADD_INDEX=$FORCE_INDEX @@ -674,7 +695,6 @@ filter_node() { [ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6 $_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}" if [ $? -ne 0 ]; then - unset dst_rule local dst_rule="-j PSW_RULE" msg2="按规则路由(${msg})" [ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || { 
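Review bot: The default-section `-A PSW_REDIRECT -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT` rules carry no source or input-interface match, and PSW_REDIRECT is jumped to from PREROUTING position 1, so a port-53 packet arriving on the WAN side is rewritten to the passwall dnsmasq instance as well; whether that instance then answers depends on the interface/local-service lines that survived copy_instance and on the WAN zone's INPUT policy, neither of which this patch controls. The removed PSW_DNS_Hijack rules had the same shape but targeted the system dnsmasq, which normally carries OpenWrt's local-service restrictions. Restricting the default rules to LAN sources (a `-s <lan-subnet>` or ipset match, or `! -i <wan-iface>`, using whatever the script already knows about the LAN) keeps the new instance from being reachable as an open resolver. The same applies to the nftables.sh default rules (`redirect to :$DNS_REDIRECT_PORT comment \"默认\"`).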
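Review bot: The new early exit in filter_node, `[ -z "$address" ] && [ -z "$port" ]`, only fires when both fields are empty, so a node with an address but no port (or the reverse) still reaches `grep -q "${address}:${port}"` and the rule building below with a half-formed endpoint. If a node needs both values the guard should read `{ [ -z "$address" ] || [ -z "$port" ]; } && { echolog " - 节点配置不正常,略过"; return 1; }`; if a missing port is legitimately handled later, a comment saying so would settle the question. The identical guard is added to filter_node in nftables.sh. filter_node begins and ends outside this hunk.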
@@ -697,7 +717,7 @@ filter_node() { local proxy_protocol=$(config_n_get $proxy_node protocol) local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z') - [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0 + [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1 if [ "$proxy_protocol" == "_balancing" ]; then #echolog " - 多节点负载均衡(${proxy_type})..." proxy_node=$(config_n_get $proxy_node balancing_node) 
@@ -706,56 +726,40 @@ filter_node() { done elif [ "$proxy_protocol" == "_shunt" ]; then #echolog " - 按请求目的地址分流(${proxy_type})..." + local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0) + [ "$preproxy_enabled" == "1" ] && { + local preproxy_node=$(config_n_get $proxy_node main_node nil) + [ "$preproxy_node" != "nil" ] && { + local preproxy_node_address=$(config_n_get $preproxy_node address) + if [ -n "$preproxy_node_address" ]; then + filter_rules $preproxy_node $stream + else + preproxy_enabled=0 + fi + } + } local default_node=$(config_n_get $proxy_node default_node _direct) - local main_node=$(config_n_get $proxy_node main_node nil) - if [ "$main_node" != "nil" ]; then - filter_rules $main_node $stream - else - if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then - filter_rules $default_node $stream - fi + if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then + local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil) + [ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil" + [ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream fi -:</dev/null - $ipt_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null - $ip6t_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null - $ip6t_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null - echolog " - 开启 DNS 重定向" - } -} - add_firewall_rule() { echolog "开始加载防火墙规则..." ipset -! create $IPSET_LANLIST nethash maxelem 1048576 @@ -1007,6 +1011,9 @@ add_firewall_rule() { $ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN } + $ip6t_n -N PSW_REDIRECT + $ip6t_n -I PREROUTING 1 -j PSW_REDIRECT + $ip6t_m -N PSW_DIVERT $ip6t_m -A PSW_DIVERT -j MARK --set-mark 1 $ip6t_m -A PSW_DIVERT -j ACCEPT 
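Review bot: `$ip6t_n -N PSW_REDIRECT` and `$ip6t_n -I PREROUTING 1 -j PSW_REDIRECT` are the only ip6tables nat calls in this change without `2>/dev/null`, so on a kernel or image without IPv6 NAT they print errors where every other `$ip6t_n` rule in the patch fails quietly; either add the same redirection for consistency or, better, probe once and skip the whole IPv6 DNS redirect block. Inserting at position 1 also places the DNS redirect ahead of any nat PREROUTING rule another package installed, presumably to win over a competing DNS hijack; a comment like `# first in PREROUTING so DNS reaches our instance before any other redirect` would record that intent. add_firewall_rule begins and ends outside this hunk.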
@@ -1108,7 +1115,16 @@ add_firewall_rule() { echolog " - ${msg}不代理所有 UDP 端口" fi } - + + if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then + [ -n "$DNS_REDIRECT_PORT" ] && { + $ipt_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT + $ip6t_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null + $ipt_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT + $ip6t_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null + } + fi + [ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && { [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP @@ -1266,9 +1282,6 @@ add_firewall_rule() { $ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN" - - dns_hijack - } # 加载ACLS diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh index 53affc84e..eca8b922d 100755 --- a/luci-app-passwall/root/usr/share/passwall/nftables.sh +++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh 
@@ -242,23 +242,6 @@ get_wan6_ip() { echo $NET_ADDR } -get_geoip() { - local geoip_code="$1" - local geoip_type_flag="" - local geoip_path="$(config_t_get global_rules v2ray_location_asset)" - geoip_path="${geoip_path%*/}/geoip.dat" - [ -e "$geoip_path" ] || { echo ""; return; } - case "$2" in - "ipv4") geoip_type_flag="-ipv6=false" ;; - "ipv6") geoip_type_flag="-ipv4=false" ;; - esac - if type geoview &> /dev/null; then - geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true - else - echo "" - fi -} - load_acl() { ([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:" [ "$ENABLED_ACLS" == 1 ] && { @@ -293,6 +276,7 @@ load_acl() { [ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node) [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port) [ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port) + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) use_shunt_tcp=0 use_shunt_udp=0 @@ -321,6 +305,7 @@ load_acl() { udp_proxy_mode=${UDP_PROXY_MODE} use_shunt_tcp=${USE_SHUNT_TCP} use_shunt_udp=${USE_SHUNT_UDP} + dns_redirect_port=${DNS_REDIRECT_PORT} } _acl_list=${TMP_ACL_PATH}/${sid}/source_list 
@@ -385,7 +370,25 @@ load_acl() { echolog " - ${msg}不代理所有 UDP 端口" fi } - + + if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then + [ -n "$dns_redirect_port" ] && { + nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\"" + } + else + nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + fi + [ -n "$tcp_port" -o -n "$udp_port" ] && { [ "${use_direct_list}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ${_ipt_source} ip daddr @$NFTSET_WHITELIST 
counter return comment \"$remarks\"" [ "${use_direct_list}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\"" @@ -433,7 +436,6 @@ load_acl() { [ -n "$tcp_port" ] && { if [ -n "${tcp_proxy_mode}" ]; then - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" msg2="${msg}使用 TCP 节点[$tcp_node_remark]" if [ -n "${is_tproxy}" ]; then msg2="${msg2}(TPROXY:${tcp_port})" @@ -521,7 +523,7 @@ load_acl() { nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null unset nft_chain nft_j _ipt_source msg msg2 done - unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface + unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode dns_redirect_port tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp done } 
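Review bot: In the PSW_REDIRECT rules added here, `meta l4proto udp ${_ipt_source} udp dport 53` already matches IPv4 as well as IPv6 if `$NFTABLE_NAME` is an inet table (the mixed `ip protocol`/`meta l4proto` rules in one chain suggest it is), so the preceding `ip protocol udp ... udp dport 53` rule and its tcp twin are duplicates that only add rules to evaluate; one `meta l4proto` rule per protocol suffices for both the `redirect to :$dns_redirect_port` and the `return` branch. That differs from the mangle side, where PSW_MANGLE and PSW_MANGLE_V6 are separate chains and both rules are needed. load_acl begins and ends outside this hunk.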
@@ -550,6 +552,19 @@ load_acl() {
 fi
 }
+
+ if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
+ [ -n "$DNS_REDIRECT_PORT" ] && {
+ nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
+ nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
+ }
+ fi
+
 [ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
 [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
 [ "${USE_DIRECT_LIST}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
@@ -725,6 +740,10 @@ filter_node() {
 local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
 local address=$(config_n_get $node address)
 local port=$(config_n_get $node port)
+ [ -z "$address" ] && [ -z "$port" ] && {
+ echolog " - 节点配置不正常,略过"
+ return 1
+ }
 _is_tproxy=${is_tproxy}
 [ "$stream" == "udp" ] && _is_tproxy="TPROXY"
 if [ -n "${_is_tproxy}" ]; then
@@ -734,7 +753,7 @@ filter_node() {
 fi
 else
 echolog " - 节点配置不正常,略过"
- return 0
+ return 1
 fi
 local ADD_INDEX=$FORCE_INDEX
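Review bot: The default block puts the port-53 `return` rules for PSW_MANGLE/PSW_MANGLE_V6 and the `redirect` rules for PSW_REDIRECT inside the same `[ -n "$DNS_REDIRECT_PORT" ]` guard, so with the variable unset client DNS is neither hijacked nor excluded from the TPROXY mangle path; if "no local DNS port means port 53 follows the ordinary proxy rules" is intended, a comment to that effect above the `if` would make it explicit. As in the per-ACL block, `$DNS_REDIRECT_PORT` is interpolated unchecked, so a non-numeric value fails all eight `nft` calls without any log line; `case "$DNS_REDIRECT_PORT" in ''|*[!0-9]*) DNS_REDIRECT_PORT="" ;; esac` before the `if` keeps the guard honest. The pairing of the two chains also deserves a why-comment — presumably the mangle `return` has to keep port 53 out of TPROXY so the dstnat `redirect` in PSW_REDIRECT ever sees the packet. `load_acl` continues outside this hunk.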
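Review bot: The new early exit skips a node only when `address` and `port` are both empty (`&&`), so a node missing just one of them still reaches the `nft list chain ... | grep -q "${address}:${port}"` match in the next hunk and whatever rules are built from those values after it, where an empty `$port` or `$address` at best matches nothing. Unless some node type legitimately carries only one of the two, the condition should be `[ -z "$address" ] || [ -z "$port" ] && {` (POSIX `&&`/`||` are left-associative, so this reads as `(a || b) && c`). The `return 0` → `return 1` change is consistent with the new exit, but none of the callers visible in this diff test the status, so it is informational for now. The enclosing function (`filter_rules`, nested inside `filter_node` judging by the hunk header) starts before this hunk.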
@@ -743,7 +762,6 @@ filter_node() {
 [ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
 nft "list chain $NFTABLE_NAME $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}"
 if [ $? -ne 0 ]; then
- unset dst_rule
 local dst_rule="jump PSW_RULE"
 msg2="按规则路由(${msg})"
 [ -n "${is_tproxy}" ] || {
@@ -766,7 +784,7 @@ filter_node() {
 local proxy_protocol=$(config_n_get $proxy_node protocol)
 local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
- [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
+ [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
 if [ "$proxy_protocol" == "_balancing" ]; then
 #echolog " - 多节点负载均衡(${proxy_type})..."
 proxy_node=$(config_n_get $proxy_node balancing_node)
@@ -775,58 +793,40 @@ filter_node() { done elif [ "$proxy_protocol" == "_shunt" ]; then #echolog " - 按请求目的地址分流(${proxy_type})..." + local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0) + [ "$preproxy_enabled" == "1" ] && { + local preproxy_node=$(config_n_get $proxy_node main_node nil) + [ "$preproxy_node" != "nil" ] && { + local preproxy_node_address=$(config_n_get $preproxy_node address) + if [ -n "$preproxy_node_address" ]; then + filter_rules $preproxy_node $stream + else + preproxy_enabled=0 + fi + } + } local default_node=$(config_n_get $proxy_node default_node _direct) - local main_node=$(config_n_get $proxy_node main_node nil) - if [ "$main_node" != "nil" ]; then - filter_rules $main_node $stream - else - if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then - filter_rules $default_node $stream - fi + if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then + local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil) + [ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil" + [ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream fi -:</dev/null - nft insert rule $NFTABLE_NAME dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null - nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null - nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null - uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null - uci commit dhcp 2>/dev/null - echolog " - 开启 DNS 重定向" - } -} - add_firewall_rule() { echolog "开始加载防火墙规则..." gen_nft_tables 
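Review bot: In the new `_shunt` branch `preproxy_enabled` is cleared only when `main_node` resolves to a node without an address; when `main_node` is `nil` it stays `1`, so with `default_proxy_tag=main` the later `[ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream` is skipped and the default node's server address is never exempted from the redirect rules even though no pre-proxy exists. Add `[ "$preproxy_node" == "nil" ] && preproxy_enabled=0` directly after the `local preproxy_node=...` line (or fold the nil case into the same else branch that handles the missing address). Separately, this hunk deletes `dns_hijack`, which besides inserting its own rules at `dstnat position 0` set `dhcp.@dnsmasq[0].dns_redirect='0'`, presumably so fw4's own dnsmasq redirect could not shadow passwall's; nothing visible here replaces that, so whether PSW_REDIRECT is evaluated before fw4's rule needs confirming, or the assumption written down next to the new redirect rules. The middle of this hunk is garbled in this rendering, so the deleted body could only be partly read.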
@@ -1182,7 +1182,16 @@ add_firewall_rule() {
 echolog " - ${msg}不代理所有 UDP 端口"
 fi
 }
-
+
+ if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
+ [ -n "$DNS_REDIRECT_PORT" ] && {
+ nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
+ nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
+ nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
+ nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
+ }
+ fi
+
 [ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
 [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
 nft add rule $NFTABLE_NAME $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
@@ -1340,8 +1349,6 @@ add_firewall_rule() {
 nft "add rule $NFTABLE_NAME mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
 nft "add rule $NFTABLE_NAME mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
-
- dns_hijack
 }
 # 加载ACLS
diff --git a/patch-luci-app-passwall.patch b/patch-luci-app-passwall.patch
index e58975834..0f213ef21 100644
--- a/patch-luci-app-passwall.patch
+++ b/patch-luci-app-passwall.patch
@@ -33,7 +33,7 @@ index ce89a37..a3b132b 100644
 if code ~= 0 then
 local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'")
 diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
-index a63c1af..b2a564b 100644
+index d766646..e5d6a46 100644
 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
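Review bot: The `nat_output` rules redirect every locally generated query to a loopback destination on port 53 (`oif lo`) to `$DNS_REDIRECT_PORT`, with no exemption by owner, mark or source port; if the service on `$DNS_REDIRECT_PORT` itself forwards to `127.0.0.1#53` (the dnsmasq it fronts), its upstream queries would be caught by the same rule and bounced back to itself. Either add a `skuid`/`meta mark` exemption for passwall's own resolver processes or confirm the resolver never uses loopback:53 as upstream, and record the assumption above the block: `# router-local queries to 127.0.0.1:53 go to the passwall resolver; it must not forward back to loopback:53`. If `$NFTABLE_NAME` is an inet-family table the `ip protocol udp` and `meta l4proto udp` pairs are redundant (the latter already matches IPv4), which is harmless but doubles the rule count, and `$DNS_REDIRECT_PORT` is again interpolated with no numeric check. `add_firewall_rule` continues outside this hunk.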
 +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
 @@ -467,6 +467,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9)")