luci-app-passwall: sync upstream

last commit: 4353cefac9
This commit is contained in:
gitea-action 2024-12-12 23:00:23 +08:00
parent 3d801163a7
commit b1bf3bdac9
8 changed files with 216 additions and 270 deletions


@ -563,9 +563,6 @@ if api.is_finded("smartdns") then
o:depends({dns_shunt = "smartdns", tcp_proxy_mode = "proxy", chn_list = "direct"}) o:depends({dns_shunt = "smartdns", tcp_proxy_mode = "proxy", chn_list = "direct"})
end end
o = s:taboption("DNS", Flag, "dns_redirect", "DNS " .. translate("Redirect"), translate("Force Router DNS server to all local devices."))
o.default = "0"
if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect.")) o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect."))
else else


@ -223,9 +223,6 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。"
msgid "Redirect" msgid "Redirect"
msgstr "重定向" msgstr "重定向"
msgid "Force Router DNS server to all local devices."
msgstr "强制所有本地设备使用路由器 DNS。"
msgid "Clear IPSET" msgid "Clear IPSET"
msgstr "清空 IPSET" msgstr "清空 IPSET"


@ -14,13 +14,10 @@ TMP_ROUTE_PATH=$TMP_PATH/route
TMP_ACL_PATH=$TMP_PATH/acl TMP_ACL_PATH=$TMP_PATH/acl
TMP_IFACE_PATH=$TMP_PATH/iface TMP_IFACE_PATH=$TMP_PATH/iface
TMP_PATH2=/tmp/etc/${CONFIG}_tmp TMP_PATH2=/tmp/etc/${CONFIG}_tmp
DNSMASQ_PATH=/etc/dnsmasq.d GLOBAL_ACL_PATH=${TMP_ACL_PATH}/default
DNSMASQ_CONF_DIR=/tmp/dnsmasq.d
TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG}
LOG_FILE=/tmp/log/$CONFIG.log LOG_FILE=/tmp/log/$CONFIG.log
APP_PATH=/usr/share/$CONFIG APP_PATH=/usr/share/$CONFIG
RULES_PATH=/usr/share/${CONFIG}/rules RULES_PATH=/usr/share/${CONFIG}/rules
DNS_N=dnsmasq
DNS_PORT=15353 DNS_PORT=15353
TUN_DNS="127.0.0.1#${DNS_PORT}" TUN_DNS="127.0.0.1#${DNS_PORT}"
LOCAL_DNS=119.29.29.29,223.5.5.5 LOCAL_DNS=119.29.29.29,223.5.5.5
@ -359,6 +356,23 @@ parse_doh() {
eval "${__url_var}='${__url}' ${__host_var}='${__host}' ${__port_var}='${__port}' ${__bootstrap_var}='${__bootstrap}'" eval "${__url_var}='${__url}' ${__host_var}='${__host}' ${__port_var}='${__port}' ${__bootstrap_var}='${__bootstrap}'"
} }
get_geoip() {
local geoip_code="$1"
local geoip_type_flag=""
local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
geoip_path="${geoip_path%*/}/geoip.dat"
[ -e "$geoip_path" ] || { echo ""; return; }
case "$2" in
"ipv4") geoip_type_flag="-ipv6=false" ;;
"ipv6") geoip_type_flag="-ipv4=false" ;;
esac
if type geoview &> /dev/null; then
geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true
else
echo ""
fi
}
run_ipt2socks() { run_ipt2socks() {
local flag proto tcp_tproxy local_port socks_address socks_port socks_username socks_password log_file local flag proto tcp_tproxy local_port socks_address socks_port socks_username socks_password log_file
local _extra_param="" local _extra_param=""
@ -704,9 +718,9 @@ run_redir() {
local node proto bind local_port config_file log_file local node proto bind local_port config_file log_file
eval_set_val $@ eval_set_val $@
local tcp_node_socks_flag tcp_node_http_flag local tcp_node_socks_flag tcp_node_http_flag
[ -n "$config_file" ] && [ -z "$(echo ${config_file} | grep $TMP_PATH)" ] && config_file=${TMP_ACL_PATH}/default/${config_file} [ -n "$config_file" ] && [ -z "$(echo ${config_file} | grep $TMP_PATH)" ] && config_file=${GLOBAL_ACL_PATH}/${config_file}
if [ -n "$log_file" ] && [ -z "$(echo ${log_file} | grep $TMP_PATH)" ]; then if [ -n "$log_file" ] && [ -z "$(echo ${log_file} | grep $TMP_PATH)" ]; then
log_file=${TMP_ACL_PATH}/default/${log_file} log_file=${GLOBAL_ACL_PATH}/${log_file}
else else
log_file="/dev/null" log_file="/dev/null"
fi fi
@ -1050,7 +1064,7 @@ run_redir() {
[ "$tcp_node_socks" = "1" ] && { [ "$tcp_node_socks" = "1" ] && {
TCP_SOCKS_server="127.0.0.1:$tcp_node_socks_port" TCP_SOCKS_server="127.0.0.1:$tcp_node_socks_port"
echo "${TCP_SOCKS_server}" > $TMP_ACL_PATH/default/TCP_SOCKS_server echo "${TCP_SOCKS_server}" > ${GLOBAL_ACL_PATH}/TCP_SOCKS_server
} }
;; ;;
esac esac
@ -1069,7 +1083,7 @@ start_redir() {
local port=$(echo $(get_new_port $current_port $proto)) local port=$(echo $(get_new_port $current_port $proto))
eval ${proto}_REDIR=$port eval ${proto}_REDIR=$port
run_redir node=$node proto=${proto} bind=0.0.0.0 local_port=$port config_file=$config_file log_file=$log_file run_redir node=$node proto=${proto} bind=0.0.0.0 local_port=$port config_file=$config_file log_file=$log_file
echo $node > $TMP_ACL_PATH/default/${proto}.id echo $node > ${GLOBAL_ACL_PATH}/${proto}.id
else else
[ "${proto}" = "UDP" ] && [ "$TCP_UDP" = "1" ] && return [ "${proto}" = "UDP" ] && [ "$TCP_UDP" = "1" ] && return
echolog "${proto}节点没有选择或为空,不代理${proto}" echolog "${proto}节点没有选择或为空,不代理${proto}"
@ -1533,13 +1547,20 @@ start_dns() {
dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}') dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}')
[ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!" [ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!"
} }
source $APP_PATH/helper_dnsmasq.sh stretch
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${TMP_DNSMASQ_PATH} -DNSMASQ_CONF_DIR ${DNSMASQ_CONF_DIR} \ GLOBAL_DNSMASQ_PORT=$(get_new_port 11400)
-DNSMASQ_CONF_FILE "${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf" -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \ local GLOBAL_DNSMASQ_CONF=${GLOBAL_ACL_PATH}/dnsmasq.conf
local GLOBAL_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/dnsmasq.d
source $APP_PATH/helper_dnsmasq.sh copy_instance listen_port=$GLOBAL_DNSMASQ_PORT dnsmasq_conf="${GLOBAL_DNSMASQ_CONF}" dnsmasq_conf_path="${GLOBAL_DNSMASQ_CONF_PATH}"
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${GLOBAL_DNSMASQ_CONF_PATH} \
-DNSMASQ_CONF_FILE ${GLOBAL_DNSMASQ_CONF} -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \
-TUN_DNS ${TUN_DNS} -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \ -TUN_DNS ${TUN_DNS} -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \
-USE_DIRECT_LIST "${USE_DIRECT_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \ -USE_DIRECT_LIST "${USE_DIRECT_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \
-TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE ${TCP_PROXY_MODE} -NO_PROXY_IPV6 ${DNSMASQ_FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \ -TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE ${TCP_PROXY_MODE} -NO_PROXY_IPV6 ${DNSMASQ_FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \
-NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0}
ln_run "$(first_type dnsmasq)" "dnsmasq_default" "/dev/null" -C ${GLOBAL_DNSMASQ_CONF} -x ${GLOBAL_ACL_PATH}/dnsmasq.pid
echo "${GLOBAL_DNSMASQ_PORT}" > ${GLOBAL_ACL_PATH}/var_redirect_dns_port
DNS_REDIRECT_PORT=${GLOBAL_DNSMASQ_PORT}
} }
add_ip2route() { add_ip2route() {
@ -1599,6 +1620,7 @@ acl_app() {
redir_port=11200 redir_port=11200
dns_port=11300 dns_port=11300
dnsmasq_port=11400 dnsmasq_port=11400
[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
chinadns_port=11500 chinadns_port=11500
for item in $items; do for item in $items; do
sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}')
@ -1625,9 +1647,10 @@ acl_app() {
unset s2 unset s2
done done
mkdir -p $TMP_ACL_PATH/$sid local acl_path=${TMP_ACL_PATH}/$sid
mkdir -p ${acl_path}
[ ! -z "${source_list}" ] && echo -e "${source_list}" | sed '/^$/d' > $TMP_ACL_PATH/$sid/source_list [ ! -z "${source_list}" ] && echo -e "${source_list}" | sed '/^$/d' > ${acl_path}/source_list
use_global_config=${use_global_config:-0} use_global_config=${use_global_config:-0}
tcp_node=${tcp_node:-nil} tcp_node=${tcp_node:-nil}
@ -1726,28 +1749,17 @@ acl_app() {
} }
dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
redirect_dns_port=$dnsmasq_port local dnsmasq_conf=${acl_path}/dnsmasq.conf
mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d local dnsmasq_conf_path=${acl_path}/dnsmasq.d
[ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && { source $APP_PATH/helper_dnsmasq.sh copy_instance listen_port=$dnsmasq_port dnsmasq_conf="${dnsmasq_conf}" dnsmasq_conf_path="${dnsmasq_conf_path}"
cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $TMP_ACL_PATH/$sid/dnsmasq.conf lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH ${dnsmasq_conf_path} \
sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf -DNSMASQ_CONF_FILE ${dnsmasq_conf} -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \
sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
sed -i "/server/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
}
echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
[ "$use_default_dns" = "remote" ] && {
dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}')
[ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!"
}
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d -DNSMASQ_CONF_DIR ${DNSMASQ_CONF_DIR} \
-DNSMASQ_CONF_FILE $TMP_ACL_PATH/$sid/dnsmasq.conf -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \
-USE_DIRECT_LIST "${use_direct_list}" -USE_PROXY_LIST "${use_proxy_list}" -USE_BLOCK_LIST "${use_block_list}" -USE_GFW_LIST "${use_gfw_list}" -CHN_LIST "${chn_list}" \ -USE_DIRECT_LIST "${use_direct_list}" -USE_PROXY_LIST "${use_proxy_list}" -USE_BLOCK_LIST "${use_block_list}" -USE_GFW_LIST "${use_gfw_list}" -CHN_LIST "${chn_list}" \
-TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -USE_DEFAULT_DNS "${use_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \ -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -USE_DEFAULT_DNS "${use_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \
-TCP_NODE $tcp_node -DEFAULT_PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${dnsmasq_filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \ -TCP_NODE $tcp_node -DEFAULT_PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${dnsmasq_filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \
-NO_LOGIC_LOG 1 -NO_LOGIC_LOG 1
ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C ${dnsmasq_conf} -x ${acl_path}/dnsmasq.pid
echo "${dnsmasq_port}" > ${acl_path}/var_redirect_dns_port
eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port}
} }
_redir_port=$(eval echo \${node_${tcp_node}_redir_port}) _redir_port=$(eval echo \${node_${tcp_node}_redir_port})
@ -1760,7 +1772,7 @@ acl_app() {
_dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)}) _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)})
run_dns ${_dns_port} run_dns ${_dns_port}
else else
redirect_dns_port=${_dnsmasq_port} [ -n "${_dnsmasq_port}" ] && echo "${_dnsmasq_port}" > ${acl_path}/var_redirect_dns_port
fi fi
else else
socks_port=$(get_new_port $(expr $socks_port + 1)) socks_port=$(get_new_port $(expr $socks_port + 1))
@ -1798,10 +1810,10 @@ acl_app() {
fi fi
run_dns ${_dns_port} run_dns ${_dns_port}
fi fi
echo "${tcp_node}" > $TMP_ACL_PATH/$sid/var_tcp_node echo "${tcp_node}" > ${acl_path}/var_tcp_node
} }
fi fi
echo "${tcp_port}" > $TMP_ACL_PATH/$sid/var_tcp_port echo "${tcp_port}" > ${acl_path}/var_tcp_port
} }
[ "$udp_node" != "nil" ] && { [ "$udp_node" != "nil" ] && {
[ "$udp_node" = "tcp" ] && udp_node=$tcp_node [ "$udp_node" = "tcp" ] && udp_node=$tcp_node
@ -1850,18 +1862,16 @@ acl_app() {
run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file
fi fi
fi fi
echo "${udp_node}" > $TMP_ACL_PATH/$sid/var_udp_node echo "${udp_node}" > ${acl_path}/var_udp_node
fi fi
} }
fi fi
echo "${udp_port}" > $TMP_ACL_PATH/$sid/var_udp_port echo "${udp_port}" > ${acl_path}/var_udp_port
udp_flag=1 udp_flag=1
} }
[ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port
unset enabled sid remarks sources interface use_global_config tcp_node udp_node use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip unset enabled sid remarks sources interface use_global_config tcp_node udp_node use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip
unset _ip _mac _iprange _ipset _ip_or_mac source_list tcp_port udp_port config_file _extra_param unset _ip _mac _iprange _ipset _ip_or_mac source_list tcp_port udp_port config_file _extra_param
unset _china_ng_listen _chinadns_local_dns _direct_dns_mode chinadns_ng_default_tag dnsmasq_filter_proxy_ipv6 unset _china_ng_listen _chinadns_local_dns _direct_dns_mode chinadns_ng_default_tag dnsmasq_filter_proxy_ipv6
unset redirect_dns_port
done done
unset socks_port redir_port dns_port dnsmasq_port chinadns_port unset socks_port redir_port dns_port dnsmasq_port chinadns_port
} }
@ -1904,13 +1914,12 @@ start() {
} }
[ "$ENABLED_DEFAULT_ACL" == 1 ] && { [ "$ENABLED_DEFAULT_ACL" == 1 ] && {
mkdir -p $TMP_ACL_PATH/default mkdir -p ${GLOBAL_ACL_PATH}
start_redir TCP start_redir TCP
start_redir UDP start_redir UDP
start_dns start_dns
} }
[ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start [ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start
[ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_${DNS_N}.sh logic_restart
start_crontab start_crontab
echolog "运行完成!\n" echolog "运行完成!\n"
} }
@ -1927,8 +1936,6 @@ stop() {
unset XRAY_LOCATION_ASSET unset XRAY_LOCATION_ASSET
stop_crontab stop_crontab
source $APP_PATH/helper_smartdns.sh del source $APP_PATH/helper_smartdns.sh del
source $APP_PATH/helper_dnsmasq.sh del
source $APP_PATH/helper_dnsmasq.sh restart no_log=1
[ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1 [ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1
[ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1 [ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1
rm -rf ${TMP_PATH} rm -rf ${TMP_PATH}
@ -1999,17 +2006,6 @@ RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1) ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::) ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')"
if [ -f "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID" ]; then
DNSMASQ_CONF_DIR="$(awk -F '=' '/^conf-dir=/ {print $2}' "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID")"
if [ -n "$DNSMASQ_CONF_DIR" ]; then
DNSMASQ_CONF_DIR=${DNSMASQ_CONF_DIR%*/}
TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG}
else
DNSMASQ_CONF_DIR="/tmp/dnsmasq.d"
fi
fi
DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label') DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
[ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',') [ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}" LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}"
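Review bot: In start_dns, `GLOBAL_DNSMASQ_PORT=$(get_new_port 11400)` is left non-local while `GLOBAL_DNSMASQ_CONF` and `GLOBAL_DNSMASQ_CONF_PATH` right below it are `local`, and nothing records that this is deliberate; acl_app reads it (`[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)`) and it is handed to the firewall rules as `DNS_REDIRECT_PORT`, so a comment such as `# not local: read by acl_app() and copied into DNS_REDIRECT_PORT for the port-53 redirect rules` would keep a later cleanup from silently breaking DNS redirection. The order in which start() calls start_dns and acl_app is not visible here; if acl_app can run first, the guard falls back to the bare `dnsmasq_port=11400` base and relies on get_new_port probing to avoid colliding with the global instance. The Dnsmasq ≥ 2.87 warning that the old per-ACL block emitted for `use_default_dns=remote` is dropped in the acl_app hunk and now only fires for the global instance in start_dns. Both `copy_instance` calls also pass `dnsmasq_conf_path=`, which copy_instance in helper_dnsmasq.sh neither declares local nor uses. The bodies of start_dns and acl_app begin outside their hunks.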


@ -1,89 +1,27 @@
#!/bin/sh #!/bin/sh
stretch() { copy_instance() {
#zhenduiluanshezhiDNSderen local listen_port dnsmasq_conf
local dnsmasq_server=$(uci -q get dhcp.@dnsmasq[0].server) eval_set_val $@
local dnsmasq_noresolv=$(uci -q get dhcp.@dnsmasq[0].noresolv) [ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && {
local _flag cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $dnsmasq_conf
for server in $dnsmasq_server; do sed -i "/ubus/d" $dnsmasq_conf
[ -z "$(echo $server | grep '\/')" ] && _flag=1 sed -i "/dhcp/d" $dnsmasq_conf
done sed -i "/port=/d" $dnsmasq_conf
[ -z "$_flag" ] && [ "$dnsmasq_noresolv" = "1" ] && { sed -i "/conf-dir/d" $dnsmasq_conf
uci -q delete dhcp.@dnsmasq[0].noresolv sed -i "/no-poll/d" $dnsmasq_conf
uci -q set dhcp.@dnsmasq[0].resolvfile="$RESOLVFILE" sed -i "/no-resolv/d" $dnsmasq_conf
uci commit dhcp
} }
echo "port=${listen_port}" >> $dnsmasq_conf
} }
backup_servers() { DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')"
DNSMASQ_DNS=$(uci show dhcp.@dnsmasq[0] | grep ".server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' ',')
if [ -n "${DNSMASQ_DNS}" ]; then
uci -q set $CONFIG.@global[0].dnsmasq_servers="${DNSMASQ_DNS}"
uci commit $CONFIG
fi
}
restore_servers() {
OLD_SERVER=$(uci -q get $CONFIG.@global[0].dnsmasq_servers | tr "," " ")
for server in $OLD_SERVER; do
uci -q del_list dhcp.@dnsmasq[0].server=$server
uci -q add_list dhcp.@dnsmasq[0].server=$server
done
uci commit dhcp
uci -q delete $CONFIG.@global[0].dnsmasq_servers
uci commit $CONFIG
}
logic_restart() {
local no_log
eval_set_val $@
_LOG_FILE=$LOG_FILE
[ -n "$no_log" ] && LOG_FILE="/dev/null"
if [ -f "$TMP_PATH/default_DNS" ]; then
backup_servers
#sed -i "/list server/d" /etc/config/dhcp >/dev/null 2>&1
for server in $(uci -q get dhcp.@dnsmasq[0].server); do
[ -n "$(echo $server | grep '\/')" ] || uci -q del_list dhcp.@dnsmasq[0].server="$server"
done
/etc/init.d/dnsmasq restart >/dev/null 2>&1
restore_servers
else
/etc/init.d/dnsmasq restart >/dev/null 2>&1
fi
echolog "重启 dnsmasq 服务"
LOG_FILE=${_LOG_FILE}
}
restart() {
local no_log
eval_set_val $@
_LOG_FILE=$LOG_FILE
[ -n "$no_log" ] && LOG_FILE="/dev/null"
/etc/init.d/dnsmasq restart >/dev/null 2>&1
echolog "重启 dnsmasq 服务"
LOG_FILE=${_LOG_FILE}
}
del() {
rm -rf $DNSMASQ_CONF_DIR/dnsmasq-$CONFIG.conf
rm -rf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf
rm -rf $TMP_DNSMASQ_PATH
}
arg1=$1 arg1=$1
shift shift
case $arg1 in case $arg1 in
stretch) copy_instance)
stretch $@ copy_instance $@
;;
del)
del $@
;;
restart)
restart $@
;;
logic_restart)
logic_restart $@
;; ;;
*) ;; *) ;;
esac esac
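Review bot: copy_instance scrubs the copied system dnsmasq config with unanchored substring patterns and, unlike the per-ACL block it replaces in app.sh, no longer deletes `server=` lines; any upstream servers configured in `dhcp.@dnsmasq[0]` are therefore inherited by the passwall instance next to the upstreams that helper_dnsmasq_add.lua writes, and dnsmasq may forward to any plain `server=` entry, so queries meant for the tunnelled resolver can be answered by the system upstream instead. Unless that is intended, add `sed -i "/^server=/d" $dnsmasq_conf` to the scrub list, and consider anchoring the others (`/^port=/d` rather than `/port=/d`, which also strips `min-port=`/`max-port=`). Deleting `no-resolv` likewise re-activates any copied `resolv-file=` line, so the resolvers in resolv.conf.auto would be consulted as well unless the add script writes `no-resolv` itself — worth confirming. The `dnsmasq_conf_path=` argument both callers pass is not in the `local listen_port dnsmasq_conf` list, so eval_set_val presumably leaves it as a global; either add it to the list or stop passing it.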


@ -4,7 +4,6 @@ local appname = "passwall"
local var = api.get_args(arg) local var = api.get_args(arg)
local FLAG = var["-FLAG"] local FLAG = var["-FLAG"]
local DNSMASQ_CONF_DIR = var["-DNSMASQ_CONF_DIR"]
local TMP_DNSMASQ_PATH = var["-TMP_DNSMASQ_PATH"] local TMP_DNSMASQ_PATH = var["-TMP_DNSMASQ_PATH"]
local DNSMASQ_CONF_FILE = var["-DNSMASQ_CONF_FILE"] local DNSMASQ_CONF_FILE = var["-DNSMASQ_CONF_FILE"]
local DEFAULT_DNS = var["-DEFAULT_DNS"] local DEFAULT_DNS = var["-DEFAULT_DNS"]
@ -192,7 +191,6 @@ local setflag_4= (NFTFLAG == "1") and "4#inet#passwall#" or ""
local setflag_6= (NFTFLAG == "1") and "6#inet#passwall#" or "" local setflag_6= (NFTFLAG == "1") and "6#inet#passwall#" or ""
if not fs.access(CACHE_DNS_PATH) then if not fs.access(CACHE_DNS_PATH) then
fs.mkdir(DNSMASQ_CONF_DIR)
fs.mkdir(CACHE_DNS_PATH) fs.mkdir(CACHE_DNS_PATH)
--屏蔽列表 --屏蔽列表


@ -182,23 +182,6 @@ get_wan6_ip() {
echo $NET_ADDR echo $NET_ADDR
} }
get_geoip() {
local geoip_code="$1"
local geoip_type_flag=""
local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
geoip_path="${geoip_path%*/}/geoip.dat"
[ -e "$geoip_path" ] || { echo ""; return; }
case "$2" in
"ipv4") geoip_type_flag="-ipv6=false" ;;
"ipv6") geoip_type_flag="-ipv4=false" ;;
esac
if type geoview &> /dev/null; then
geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true
else
echo ""
fi
}
load_acl() { load_acl() {
([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:" ([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:"
[ "$ENABLED_ACLS" == 1 ] && { [ "$ENABLED_ACLS" == 1 ] && {
@ -233,6 +216,7 @@ load_acl() {
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node) [ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port) [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port) [ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
use_shunt_tcp=0 use_shunt_tcp=0
use_shunt_udp=0 use_shunt_udp=0
@ -259,6 +243,9 @@ load_acl() {
chn_list=${CHN_LIST} chn_list=${CHN_LIST}
tcp_proxy_mode=${TCP_PROXY_MODE} tcp_proxy_mode=${TCP_PROXY_MODE}
udp_proxy_mode=${UDP_PROXY_MODE} udp_proxy_mode=${UDP_PROXY_MODE}
use_shunt_tcp=${USE_SHUNT_TCP}
use_shunt_udp=${USE_SHUNT_UDP}
dns_redirect_port=${DNS_REDIRECT_PORT}
} }
_acl_list=${TMP_ACL_PATH}/${sid}/source_list _acl_list=${TMP_ACL_PATH}/${sid}/source_list
@ -333,7 +320,25 @@ load_acl() {
echolog " - ${msg}不代理所有 UDP 端口" echolog " - ${msg}不代理所有 UDP 端口"
fi fi
} }
if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then
[ -n "$dns_redirect_port" ] && {
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
}
else
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
fi
[ -n "$tcp_port" -o -n "$udp_port" ] && { [ -n "$tcp_port" -o -n "$udp_port" ] && {
[ "${use_direct_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN [ "${use_direct_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN
[ "${use_direct_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN [ "${use_direct_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN
@ -380,7 +385,6 @@ load_acl() {
[ -n "$tcp_port" ] && { [ -n "$tcp_port" ] && {
if [ -n "${tcp_proxy_mode}" ]; then if [ -n "${tcp_proxy_mode}" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
msg2="${msg}使用 TCP 节点[$tcp_node_remark]" msg2="${msg}使用 TCP 节点[$tcp_node_remark]"
if [ -n "${is_tproxy}" ]; then if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${tcp_port})" msg2="${msg2}(TPROXY:${tcp_port})"
@ -463,7 +467,7 @@ load_acl() {
$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
unset ipt_tmp ipt_j _ipt_source msg msg2 unset ipt_tmp ipt_j _ipt_source msg msg2
done done
unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode dns_redirect_port tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface
unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp
done done
} }
@ -495,6 +499,19 @@ load_acl() {
fi fi
} }
if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
[ -n "$DNS_REDIRECT_PORT" ] && {
$ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN
$ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null
$ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN
$ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null
$ipt_n -A PSW_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
$ip6t_n -A PSW_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
$ipt_n -A PSW_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
$ip6t_n -A PSW_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
}
fi
[ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && { [ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
[ "${USE_DIRECT_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN
[ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN
@ -654,6 +671,10 @@ filter_node() {
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z') local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
local address=$(config_n_get $node address) local address=$(config_n_get $node address)
local port=$(config_n_get $node port) local port=$(config_n_get $node port)
[ -z "$address" ] && [ -z "$port" ] && {
echolog " - 节点配置不正常,略过"
return 1
}
ipt_tmp=$ipt_n ipt_tmp=$ipt_n
_is_tproxy=${is_tproxy} _is_tproxy=${is_tproxy}
[ "$stream" == "udp" ] && _is_tproxy="TPROXY" [ "$stream" == "udp" ] && _is_tproxy="TPROXY"
@ -665,7 +686,7 @@ filter_node() {
fi fi
else else
echolog " - 节点配置不正常,略过" echolog " - 节点配置不正常,略过"
return 0 return 1
fi fi
local ADD_INDEX=$FORCE_INDEX local ADD_INDEX=$FORCE_INDEX
@ -674,7 +695,6 @@ filter_node() {
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6 [ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}" $_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
unset dst_rule
local dst_rule="-j PSW_RULE" local dst_rule="-j PSW_RULE"
msg2="按规则路由(${msg})" msg2="按规则路由(${msg})"
[ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || { [ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || {
@ -697,7 +717,7 @@ filter_node() {
local proxy_protocol=$(config_n_get $proxy_node protocol) local proxy_protocol=$(config_n_get $proxy_node protocol)
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z') local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0 [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
if [ "$proxy_protocol" == "_balancing" ]; then if [ "$proxy_protocol" == "_balancing" ]; then
#echolog " - 多节点负载均衡(${proxy_type}..." #echolog " - 多节点负载均衡(${proxy_type}..."
proxy_node=$(config_n_get $proxy_node balancing_node) proxy_node=$(config_n_get $proxy_node balancing_node)
@ -706,56 +726,40 @@ filter_node() {
done done
elif [ "$proxy_protocol" == "_shunt" ]; then elif [ "$proxy_protocol" == "_shunt" ]; then
#echolog " - 按请求目的地址分流(${proxy_type}..." #echolog " - 按请求目的地址分流(${proxy_type}..."
local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0)
[ "$preproxy_enabled" == "1" ] && {
local preproxy_node=$(config_n_get $proxy_node main_node nil)
[ "$preproxy_node" != "nil" ] && {
local preproxy_node_address=$(config_n_get $preproxy_node address)
if [ -n "$preproxy_node_address" ]; then
filter_rules $preproxy_node $stream
else
preproxy_enabled=0
fi
}
}
local default_node=$(config_n_get $proxy_node default_node _direct) local default_node=$(config_n_get $proxy_node default_node _direct)
local main_node=$(config_n_get $proxy_node main_node nil) if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
if [ "$main_node" != "nil" ]; then local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil)
filter_rules $main_node $stream [ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil"
else [ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
filter_rules $default_node $stream
fi
fi fi
:<<!
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
local default_node_port=$(config_n_get $default_node port)
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}') local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
for shunt_id in $shunt_ids; do for shunt_id in $shunt_ids; do
#local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
local shunt_proxy=0
local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil) local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
[ "$shunt_node" != "nil" ] && { [ "$shunt_node" == "nil" -o "$shunt_node" == "_default" -o "$shunt_node" == "_direct" -o "$shunt_node" == "_blackhole" ] && continue
[ "$shunt_proxy" == 1 ] && { local shunt_node_address=$(config_n_get $shunt_node address)
local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1) [ -z "$shunt_node_address" ] && continue
local shunt_node_port=$(config_n_get $shunt_node port) local shunt_proxy_tag=$(config_n_get $proxy_node "${shunt_id}_proxy_tag" nil)
[ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && { [ "$shunt_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && shunt_proxy_tag="nil"
shunt_proxy=0 [ "$shunt_proxy_tag" == "nil" ] && filter_rules $shunt_node $stream
}
}
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
}
done done
!
else else
#echolog " - 普通节点(${proxy_type}..." #echolog " - 普通节点(${proxy_type}..."
filter_rules "$proxy_node" "$stream" filter_rules "$proxy_node" "$stream"
fi fi
} }
dns_hijack() {
[ $(config_t_get global dns_redirect "0") = "1" ] && {
$ipt_m -A PSW -p udp --dport 53 -j RETURN
$ipt_m -A PSW -p tcp --dport 53 -j RETURN
$ip6t_m -A PSW -p udp --dport 53 -j RETURN
$ip6t_m -A PSW -p tcp --dport 53 -j RETURN
$ipt_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
$ipt_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
$ip6t_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
$ip6t_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
echolog " - 开启 DNS 重定向"
}
}
add_firewall_rule() { add_firewall_rule() {
echolog "开始加载防火墙规则..." echolog "开始加载防火墙规则..."
ipset -! create $IPSET_LANLIST nethash maxelem 1048576 ipset -! create $IPSET_LANLIST nethash maxelem 1048576
@ -1007,6 +1011,9 @@ add_firewall_rule() {
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN $ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
} }
$ip6t_n -N PSW_REDIRECT
$ip6t_n -I PREROUTING 1 -j PSW_REDIRECT
$ip6t_m -N PSW_DIVERT $ip6t_m -N PSW_DIVERT
$ip6t_m -A PSW_DIVERT -j MARK --set-mark 1 $ip6t_m -A PSW_DIVERT -j MARK --set-mark 1
$ip6t_m -A PSW_DIVERT -j ACCEPT $ip6t_m -A PSW_DIVERT -j ACCEPT
@ -1108,7 +1115,16 @@ add_firewall_rule() {
echolog " - ${msg}不代理所有 UDP 端口" echolog " - ${msg}不代理所有 UDP 端口"
fi fi
} }
if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
[ -n "$DNS_REDIRECT_PORT" ] && {
$ipt_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
$ip6t_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
$ipt_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
$ip6t_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
}
fi
[ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && { [ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
@ -1266,9 +1282,6 @@ add_firewall_rule() {
$ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN $ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN
insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN" insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN"
dns_hijack
} }
# 加载ACLS # 加载ACLS


@ -242,23 +242,6 @@ get_wan6_ip() {
echo $NET_ADDR echo $NET_ADDR
} }
get_geoip() {
local geoip_code="$1"
local geoip_type_flag=""
local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
geoip_path="${geoip_path%*/}/geoip.dat"
[ -e "$geoip_path" ] || { echo ""; return; }
case "$2" in
"ipv4") geoip_type_flag="-ipv6=false" ;;
"ipv6") geoip_type_flag="-ipv4=false" ;;
esac
if type geoview &> /dev/null; then
geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true
else
echo ""
fi
}
load_acl() { load_acl() {
([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:" ([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:"
[ "$ENABLED_ACLS" == 1 ] && { [ "$ENABLED_ACLS" == 1 ] && {
@ -293,6 +276,7 @@ load_acl() {
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node) [ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port) [ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port) [ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
use_shunt_tcp=0 use_shunt_tcp=0
use_shunt_udp=0 use_shunt_udp=0
@ -321,6 +305,7 @@ load_acl() {
udp_proxy_mode=${UDP_PROXY_MODE} udp_proxy_mode=${UDP_PROXY_MODE}
use_shunt_tcp=${USE_SHUNT_TCP} use_shunt_tcp=${USE_SHUNT_TCP}
use_shunt_udp=${USE_SHUNT_UDP} use_shunt_udp=${USE_SHUNT_UDP}
dns_redirect_port=${DNS_REDIRECT_PORT}
} }
_acl_list=${TMP_ACL_PATH}/${sid}/source_list _acl_list=${TMP_ACL_PATH}/${sid}/source_list
@ -385,7 +370,25 @@ load_acl() {
echolog " - ${msg}不代理所有 UDP 端口" echolog " - ${msg}不代理所有 UDP 端口"
fi fi
} }
if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then
[ -n "$dns_redirect_port" ] && {
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
}
else
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
fi
[ -n "$tcp_port" -o -n "$udp_port" ] && { [ -n "$tcp_port" -o -n "$udp_port" ] && {
[ "${use_direct_list}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\"" [ "${use_direct_list}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
[ "${use_direct_list}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\"" [ "${use_direct_list}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
@ -433,7 +436,6 @@ load_acl() {
[ -n "$tcp_port" ] && { [ -n "$tcp_port" ] && {
if [ -n "${tcp_proxy_mode}" ]; then if [ -n "${tcp_proxy_mode}" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
msg2="${msg}使用 TCP 节点[$tcp_node_remark]" msg2="${msg}使用 TCP 节点[$tcp_node_remark]"
if [ -n "${is_tproxy}" ]; then if [ -n "${is_tproxy}" ]; then
msg2="${msg2}(TPROXY:${tcp_port})" msg2="${msg2}(TPROXY:${tcp_port})"
@ -521,7 +523,7 @@ load_acl() {
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
unset nft_chain nft_j _ipt_source msg msg2 unset nft_chain nft_j _ipt_source msg msg2
done done
unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode dns_redirect_port tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface
unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp
done done
} }
@ -550,6 +552,19 @@ load_acl() {
fi fi
} }
if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
[ -n "$DNS_REDIRECT_PORT" ] && {
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
}
fi
[ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && { [ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
[ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return comment \"默认\"" [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
[ "${USE_DIRECT_LIST}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ip daddr @$NFTSET_WHITELIST counter return comment \"默认\"" [ "${USE_DIRECT_LIST}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
@ -725,6 +740,10 @@ filter_node() {
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z') local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
local address=$(config_n_get $node address) local address=$(config_n_get $node address)
local port=$(config_n_get $node port) local port=$(config_n_get $node port)
[ -z "$address" ] && [ -z "$port" ] && {
echolog " - 节点配置不正常,略过"
return 1
}
_is_tproxy=${is_tproxy} _is_tproxy=${is_tproxy}
[ "$stream" == "udp" ] && _is_tproxy="TPROXY" [ "$stream" == "udp" ] && _is_tproxy="TPROXY"
if [ -n "${_is_tproxy}" ]; then if [ -n "${_is_tproxy}" ]; then
@ -734,7 +753,7 @@ filter_node() {
fi fi
else else
echolog " - 节点配置不正常,略过" echolog " - 节点配置不正常,略过"
return 0 return 1
fi fi
local ADD_INDEX=$FORCE_INDEX local ADD_INDEX=$FORCE_INDEX
@ -743,7 +762,6 @@ filter_node() {
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6 [ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
nft "list chain $NFTABLE_NAME $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}" nft "list chain $NFTABLE_NAME $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
unset dst_rule
local dst_rule="jump PSW_RULE" local dst_rule="jump PSW_RULE"
msg2="按规则路由(${msg})" msg2="按规则路由(${msg})"
[ -n "${is_tproxy}" ] || { [ -n "${is_tproxy}" ] || {
@ -766,7 +784,7 @@ filter_node() {
local proxy_protocol=$(config_n_get $proxy_node protocol) local proxy_protocol=$(config_n_get $proxy_node protocol)
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z') local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0 [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
if [ "$proxy_protocol" == "_balancing" ]; then if [ "$proxy_protocol" == "_balancing" ]; then
#echolog " - 多节点负载均衡(${proxy_type}..." #echolog " - 多节点负载均衡(${proxy_type}..."
proxy_node=$(config_n_get $proxy_node balancing_node) proxy_node=$(config_n_get $proxy_node balancing_node)
@ -775,58 +793,40 @@ filter_node() {
done done
elif [ "$proxy_protocol" == "_shunt" ]; then elif [ "$proxy_protocol" == "_shunt" ]; then
#echolog " - 按请求目的地址分流(${proxy_type}..." #echolog " - 按请求目的地址分流(${proxy_type}..."
local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0)
[ "$preproxy_enabled" == "1" ] && {
local preproxy_node=$(config_n_get $proxy_node main_node nil)
[ "$preproxy_node" != "nil" ] && {
local preproxy_node_address=$(config_n_get $preproxy_node address)
if [ -n "$preproxy_node_address" ]; then
filter_rules $preproxy_node $stream
else
preproxy_enabled=0
fi
}
}
local default_node=$(config_n_get $proxy_node default_node _direct) local default_node=$(config_n_get $proxy_node default_node _direct)
local main_node=$(config_n_get $proxy_node main_node nil) if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
if [ "$main_node" != "nil" ]; then local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil)
filter_rules $main_node $stream [ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil"
else [ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
filter_rules $default_node $stream
fi
fi fi
:<<!
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
local default_node_port=$(config_n_get $default_node port)
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}') local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
for shunt_id in $shunt_ids; do for shunt_id in $shunt_ids; do
#local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
local shunt_proxy=0
local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil) local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
[ "$shunt_node" != "nil" ] && { [ "$shunt_node" == "nil" -o "$shunt_node" == "_default" -o "$shunt_node" == "_direct" -o "$shunt_node" == "_blackhole" ] && continue
[ "$shunt_proxy" == 1 ] && { local shunt_node_address=$(config_n_get $shunt_node address)
local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1) [ -z "$shunt_node_address" ] && continue
local shunt_node_port=$(config_n_get $shunt_node port) local shunt_proxy_tag=$(config_n_get $proxy_node "${shunt_id}_proxy_tag" nil)
[ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && { [ "$shunt_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && shunt_proxy_tag="nil"
shunt_proxy=0 [ "$shunt_proxy_tag" == "nil" ] && filter_rules $shunt_node $stream
}
}
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
}
done done
!
else else
#echolog " - 普通节点(${proxy_type}..." #echolog " - 普通节点(${proxy_type}..."
filter_rules "$proxy_node" "$stream" filter_rules "$proxy_node" "$stream"
fi fi
} }
dns_hijack() {
[ $(config_t_get global dns_redirect "0") = "1" ] && {
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return"
nft insert rule $NFTABLE_NAME dstnat position 0 tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
nft insert rule $NFTABLE_NAME dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null
uci commit dhcp 2>/dev/null
echolog " - 开启 DNS 重定向"
}
}
add_firewall_rule() { add_firewall_rule() {
echolog "开始加载防火墙规则..." echolog "开始加载防火墙规则..."
gen_nft_tables gen_nft_tables
@ -1182,7 +1182,16 @@ add_firewall_rule() {
echolog " - ${msg}不代理所有 UDP 端口" echolog " - ${msg}不代理所有 UDP 端口"
fi fi
} }
if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
[ -n "$DNS_REDIRECT_PORT" ] && {
nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
}
fi
[ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && { [ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
nft add rule $NFTABLE_NAME $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop nft add rule $NFTABLE_NAME $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
@ -1340,8 +1349,6 @@ add_firewall_rule() {
nft "add rule $NFTABLE_NAME mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\"" nft "add rule $NFTABLE_NAME mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
nft "add rule $NFTABLE_NAME mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\"" nft "add rule $NFTABLE_NAME mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
dns_hijack
} }
# 加载ACLS # 加载ACLS
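Review bot: The new per-ACL and default DNS interception in load_acl (the `PSW_REDIRECT … udp dport 53 … redirect to :$dns_redirect_port` lines and the matching `PSW_MANGLE … dport 53 … return` rules) only captures plaintext DNS on port 53, so a client that resolves over DoT (853), DoH (443) or a resolver on a non-standard port is never steered to the router's resolver and can sidestep the shunt/fake-IP policy this redirect exists to enforce, and nothing in the code says so. I would add a comment above the first redirect block, e.g. `# Only plain DNS on udp/tcp 53 is captured; DoT/DoH and non-53 resolvers bypass this redirect`, so operators do not read `dns_redirect_port` as full DNS enforcement. The paired `ip protocol udp` / `meta l4proto udp` redirect rules in PSW_REDIRECT also look as if the second were IPv6-only, but if this table is inet-family the l4proto form matches both families, so either the second pair should carry `meta nfproto ipv6` or a short comment should note that it is the v6 catch-all. load_acl's body starts and ends outside the visible hunks.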


@ -33,7 +33,7 @@ index ce89a37..a3b132b 100644
if code ~= 0 then if code ~= 0 then
local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'") local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'")
diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
index a63c1af..b2a564b 100644 index d766646..e5d6a46 100644
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
@@ -467,6 +467,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9)") @@ -467,6 +467,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9)")