luci: ipset/nftset name change
parent
b663c9bd7c
commit
c9ceb1feaf
@ -401,7 +401,7 @@ end
|
|||||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
|
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
|
||||||
o.inputstyle = "remove"
|
o.inputstyle = "remove"
|
||||||
function o.write(e, e)
|
function o.write(e, e)
|
||||||
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"gfwlist\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
|
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"passwall_\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
|
||||||
luci.http.redirect(api.url("log"))
|
luci.http.redirect(api.url("log"))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
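Review bot: The new `luci.sys.call` string still uses the `[ … ] && sh …/nftables.sh flush_nftset || sh …/iptables.sh flush_ipset` form, so when nft sets are present but `flush_nftset` exits non-zero the iptables `flush_ipset` path runs as well; if that fallback is not intended, an explicit `if nft list sets 2>/dev/null | grep -q \"set passwall_\"; then sh …/nftables.sh flush_nftset; else sh …/iptables.sh flush_ipset; fi > /dev/null 2>&1 &` makes the two branches exclusive. The unanchored `grep \"passwall_\"` also matches any set whose name merely contains the prefix; matching the `set passwall_` token that `nft list sets` prints is tighter now that every passwall set carries it. Separately, `function o.write(e, e)` declares the same parameter name twice, the second shadowing the first; since neither is used, `function o.write(self, section)` or `_` placeholders would read better.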
@ -416,11 +416,11 @@ run_chinadns_ng() {
|
|||||||
[ -s "${RULES_PATH}/chnlist" ] && {
|
[ -s "${RULES_PATH}/chnlist" ] && {
|
||||||
local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
|
local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
|
||||||
cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
|
cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
|
||||||
local chnroute4_set="chnroute"
|
local chnroute4_set="passwall_chnroute"
|
||||||
local chnroute6_set="chnroute6"
|
local chnroute6_set="passwall_chnroute6"
|
||||||
[ "$nftflag" = "1" ] && {
|
[ "$nftflag" = "1" ] && {
|
||||||
chnroute4_set="inet@fw4@chnroute"
|
chnroute4_set="inet@fw4@passwall_chnroute"
|
||||||
chnroute6_set="inet@fw4@chnroute6"
|
chnroute6_set="inet@fw4@passwall_chnroute6"
|
||||||
}
|
}
|
||||||
_extra_param="${_extra_param} -4 ${chnroute4_set} -6 ${chnroute6_set} -m ${_chnlist_file} -M -a"
|
_extra_param="${_extra_param} -4 ${chnroute4_set} -6 ${chnroute6_set} -m ${_chnlist_file} -M -a"
|
||||||
}
|
}
|
||||||
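Review bot: The set names `passwall_chnroute`/`passwall_chnroute6` (and `passwall_gfwlist`/`passwall_gfwlist6` in the next hunk) are now string literals inside run_chinadns_ng, duplicating the values that iptables.sh and nftables.sh define as `IPSET_CHN`/`NFTSET_CHN` and `IPSET_GFW`/`NFTSET_GFW`, and the dnsmasq Lua hunks below spell them out a third time. A future rename therefore has to land in at least three places, and a miss yields a set that chinadns-ng or dnsmasq populates but the firewall never matches, which appears to be exactly what happened to the vps set in this commit (`passwall_vpsiplist` in the Lua versus `passwall_vpslist` in the shell). Defining the prefix once, e.g. `local _set_prefix="passwall_"` consumed by both scripts and the Lua generator, would keep the consumers in step. run_chinadns_ng starts outside this hunk.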
@ -429,8 +429,8 @@ run_chinadns_ng() {
|
|||||||
([ -n "$_chnlist" ] || [ -n "$_gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
|
([ -n "$_chnlist" ] || [ -n "$_gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
|
||||||
local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
|
local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
|
||||||
cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
|
cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
|
||||||
local gfwlist_set="gfwlist,gfwlist6"
|
local gfwlist_set="passwall_gfwlist,passwall_gfwlist6"
|
||||||
[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@gfwlist,inet@fw4@gfwlist6"
|
[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@passwall_gfwlist,inet@fw4@passwall_gfwlist6"
|
||||||
_extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
|
_extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
|
||||||
#当只有使用gfwlist模式时设置默认DNS为本地直连
|
#当只有使用gfwlist模式时设置默认DNS为本地直连
|
||||||
[ -n "$_gfwlist" ] && [ -z "$_chnlist" ] && _default_tag="chn"
|
[ -n "$_gfwlist" ] && [ -z "$_chnlist" ] && _default_tag="chn"
|
||||||
|
@ -197,7 +197,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
local address = t.address
|
local address = t.address
|
||||||
if datatypes.hostname(address) then
|
if datatypes.hostname(address) then
|
||||||
set_domain_dns(address, LOCAL_DNS)
|
set_domain_dns(address, LOCAL_DNS)
|
||||||
set_domain_ipset(address, setflag_4 .. "vpsiplist," .. setflag_6 .. "vpsiplist6")
|
set_domain_ipset(address, setflag_4 .. "passwall_vpsiplist," .. setflag_6 .. "passwall_vpsiplist6")
|
||||||
end
|
end
|
||||||
end)
|
end)
|
||||||
log(string.format(" - 节点列表中的域名(vpsiplist):%s", LOCAL_DNS or "默认"))
|
log(string.format(" - 节点列表中的域名(vpsiplist):%s", LOCAL_DNS or "默认"))
|
||||||
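Review bot: `set_domain_ipset(address, setflag_4 .. "passwall_vpsiplist," .. setflag_6 .. "passwall_vpsiplist6")` targets sets named `passwall_vpsiplist`/`passwall_vpsiplist6`, but the same commit renames the firewall-side set to `passwall_vpslist`/`passwall_vpslist6` (`IPSET_VPSLIST=` in iptables.sh, `NFTSET_VPSLIST=` in nftables.sh). Unless a `passwall_vpsiplist` set is created somewhere outside this diff, dnsmasq will write resolved node addresses into a set that does not exist, and the `$(dst $IPSET_VPSLIST) -j RETURN` / `ip daddr @$NFTSET_VPSLIST counter return` bypass rules will never see them. The line should read `set_domain_ipset(address, setflag_4 .. "passwall_vpslist," .. setflag_6 .. "passwall_vpslist6")`; the `(vpsiplist)` label in the log line below can stay as a human-readable name. The enclosing `if not fs.access(CACHE_DNS_PATH)` block and the iterator callback both start outside this hunk.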
@ -207,7 +207,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
if line ~= "" and not line:find("#") then
|
if line ~= "" and not line:find("#") then
|
||||||
add_excluded_domain(line)
|
add_excluded_domain(line)
|
||||||
set_domain_dns(line, LOCAL_DNS)
|
set_domain_dns(line, LOCAL_DNS)
|
||||||
set_domain_ipset(line, setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6")
|
set_domain_ipset(line, setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认"))
|
log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认"))
|
||||||
@ -220,10 +220,10 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
for line in io.lines("/usr/share/passwall/rules/proxy_host") do
|
for line in io.lines("/usr/share/passwall/rules/proxy_host") do
|
||||||
if line ~= "" and not line:find("#") then
|
if line ~= "" and not line:find("#") then
|
||||||
add_excluded_domain(line)
|
add_excluded_domain(line)
|
||||||
local ipset_flag = setflag_4 .. "blacklist," .. setflag_6 .. "blacklist6"
|
local ipset_flag = setflag_4 .. "passwall_blacklist," .. setflag_6 .. "passwall_blacklist6"
|
||||||
if NO_PROXY_IPV6 == "1" then
|
if NO_PROXY_IPV6 == "1" then
|
||||||
set_domain_address(line, "::")
|
set_domain_address(line, "::")
|
||||||
ipset_flag = setflag_4 .. "blacklist"
|
ipset_flag = setflag_4 .. "passwall_blacklist"
|
||||||
end
|
end
|
||||||
if REMOTE_FAKEDNS == "1" then
|
if REMOTE_FAKEDNS == "1" then
|
||||||
ipset_flag = nil
|
ipset_flag = nil
|
||||||
@ -251,12 +251,12 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
|
|
||||||
if _node_id == "_direct" then
|
if _node_id == "_direct" then
|
||||||
fwd_dns = LOCAL_DNS
|
fwd_dns = LOCAL_DNS
|
||||||
ipset_flag = setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6"
|
ipset_flag = setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6"
|
||||||
else
|
else
|
||||||
fwd_dns = TUN_DNS
|
fwd_dns = TUN_DNS
|
||||||
ipset_flag = setflag_4 .. "shuntlist," .. setflag_6 .. "shuntlist6"
|
ipset_flag = setflag_4 .. "passwall_shuntlist," .. setflag_6 .. "passwall_shuntlist6"
|
||||||
if NO_PROXY_IPV6 == "1" then
|
if NO_PROXY_IPV6 == "1" then
|
||||||
ipset_flag = setflag_4 .. "shuntlist"
|
ipset_flag = setflag_4 .. "passwall_shuntlist"
|
||||||
no_ipv6 = true
|
no_ipv6 = true
|
||||||
end
|
end
|
||||||
if not only_global then
|
if not only_global then
|
||||||
@ -295,9 +295,9 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
|
if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
|
||||||
fwd_dns = nil
|
fwd_dns = nil
|
||||||
else
|
else
|
||||||
local ipset_flag = setflag_4 .. "gfwlist," .. setflag_6 .. "gfwlist6"
|
local ipset_flag = setflag_4 .. "passwall_gfwlist," .. setflag_6 .. "passwall_gfwlist6"
|
||||||
if NO_PROXY_IPV6 == "1" then
|
if NO_PROXY_IPV6 == "1" then
|
||||||
ipset_flag = setflag_4 .. "gfwlist"
|
ipset_flag = setflag_4 .. "passwall_gfwlist"
|
||||||
end
|
end
|
||||||
if not only_global then
|
if not only_global then
|
||||||
if REMOTE_FAKEDNS == "1" then
|
if REMOTE_FAKEDNS == "1" then
|
||||||
@ -329,7 +329,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||||
if line ~= "" then
|
if line ~= "" then
|
||||||
set_domain_dns(line, fwd_dns)
|
set_domain_dns(line, fwd_dns)
|
||||||
set_domain_ipset(line, setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6")
|
set_domain_ipset(line, setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@ -340,9 +340,9 @@ if not fs.access(CACHE_DNS_PATH) then
|
|||||||
local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
||||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||||
if line ~= "" then
|
if line ~= "" then
|
||||||
local ipset_flag = setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6"
|
local ipset_flag = setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6"
|
||||||
if NO_PROXY_IPV6 == "1" then
|
if NO_PROXY_IPV6 == "1" then
|
||||||
ipset_flag = setflag_4 .. "chnroute"
|
ipset_flag = setflag_4 .. "passwall_chnroute"
|
||||||
set_domain_address(line, "::")
|
set_domain_address(line, "::")
|
||||||
end
|
end
|
||||||
if not only_global then
|
if not only_global then
|
||||||
|
@ -2,23 +2,23 @@
|
|||||||
|
|
||||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||||
MY_PATH=$DIR/iptables.sh
|
MY_PATH=$DIR/iptables.sh
|
||||||
IPSET_LANIPLIST="laniplist"
|
IPSET_LANLIST="passwall_lanlist"
|
||||||
IPSET_VPSIPLIST="vpsiplist"
|
IPSET_VPSLIST="passwall_vpslist"
|
||||||
IPSET_SHUNTLIST="shuntlist"
|
IPSET_SHUNTLIST="passwall_shuntlist"
|
||||||
IPSET_GFW="gfwlist"
|
IPSET_GFW="passwall_gfwlist"
|
||||||
IPSET_CHN="chnroute"
|
IPSET_CHN="passwall_chnroute"
|
||||||
IPSET_BLACKLIST="blacklist"
|
IPSET_BLACKLIST="passwall_blacklist"
|
||||||
IPSET_WHITELIST="whitelist"
|
IPSET_WHITELIST="passwall_whitelist"
|
||||||
IPSET_BLOCKLIST="blocklist"
|
IPSET_BLOCKLIST="passwall_blocklist"
|
||||||
|
|
||||||
IPSET_LANIPLIST6="laniplist6"
|
IPSET_LANLIST6="passwall_lanlist6"
|
||||||
IPSET_VPSIPLIST6="vpsiplist6"
|
IPSET_VPSLIST6="passwall_vpslist6"
|
||||||
IPSET_SHUNTLIST6="shuntlist6"
|
IPSET_SHUNTLIST6="passwall_shuntlist6"
|
||||||
IPSET_GFW6="gfwlist6"
|
IPSET_GFW6="passwall_gfwlist6"
|
||||||
IPSET_CHN6="chnroute6"
|
IPSET_CHN6="passwall_chnroute6"
|
||||||
IPSET_BLACKLIST6="blacklist6"
|
IPSET_BLACKLIST6="passwall_blacklist6"
|
||||||
IPSET_WHITELIST6="whitelist6"
|
IPSET_WHITELIST6="passwall_whitelist6"
|
||||||
IPSET_BLOCKLIST6="blocklist6"
|
IPSET_BLOCKLIST6="passwall_blocklist6"
|
||||||
|
|
||||||
FORCE_INDEX=2
|
FORCE_INDEX=2
|
||||||
|
|
||||||
@ -223,11 +223,11 @@ get_action_chain_name() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_laniplist() {
|
gen_lanlist() {
|
||||||
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
|
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_laniplist_6() {
|
gen_lanlist_6() {
|
||||||
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
|
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -557,15 +557,15 @@ load_acl() {
|
|||||||
filter_haproxy() {
|
filter_haproxy() {
|
||||||
for item in ${haproxy_items}; do
|
for item in ${haproxy_items}; do
|
||||||
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
||||||
ipset -q add $IPSET_VPSIPLIST $ip
|
ipset -q add $IPSET_VPSLIST $ip
|
||||||
done
|
done
|
||||||
echolog "加入负载均衡的节点到ipset[$IPSET_VPSIPLIST]直连完成"
|
echolog "加入负载均衡的节点到ipset[$IPSET_VPSLIST]直连完成"
|
||||||
}
|
}
|
||||||
|
|
||||||
filter_vpsip() {
|
filter_vpsip() {
|
||||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||||
echolog "加入所有节点到ipset[$IPSET_VPSIPLIST]直连完成"
|
echolog "加入所有节点到ipset[$IPSET_VPSLIST]直连完成"
|
||||||
}
|
}
|
||||||
|
|
||||||
filter_node() {
|
filter_node() {
|
||||||
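Review bot: `ipset -q add $IPSET_VPSLIST $ip` in filter_haproxy runs without checking that `get_host_ip` returned anything; with `-q`, an empty `$ip` becomes a silently failing `ipset add passwall_vpslist` and that haproxy node is not added to the direct list. The nftables side of this commit already guards the same lookup in filter_vps_addr (`[ -n "$vps_ip4" ] && insert_nftset …`), so `[ -n "$ip" ] && ipset -q add $IPSET_VPSLIST $ip` would match that style; the same applies to `insert_nftset $NFTSET_VPSLIST $ip` in nftables.sh's filter_haproxy further down, unless insert_nftset itself rejects an empty argument.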
@ -600,8 +600,8 @@ filter_node() {
|
|||||||
|
|
||||||
local ADD_INDEX=$FORCE_INDEX
|
local ADD_INDEX=$FORCE_INDEX
|
||||||
for _ipt in 4 6; do
|
for _ipt in 4 6; do
|
||||||
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSIPLIST
|
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSLIST
|
||||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSIPLIST6
|
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6
|
||||||
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
|
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
unset dst_rule
|
unset dst_rule
|
||||||
@ -679,8 +679,8 @@ dns_hijack() {
|
|||||||
|
|
||||||
add_firewall_rule() {
|
add_firewall_rule() {
|
||||||
echolog "开始加载防火墙规则..."
|
echolog "开始加载防火墙规则..."
|
||||||
ipset -! create $IPSET_LANIPLIST nethash maxelem 1048576
|
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||||
ipset -! create $IPSET_VPSIPLIST nethash maxelem 1048576
|
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
|
||||||
ipset -! create $IPSET_SHUNTLIST nethash maxelem 1048576
|
ipset -! create $IPSET_SHUNTLIST nethash maxelem 1048576
|
||||||
ipset -! create $IPSET_GFW nethash maxelem 1048576
|
ipset -! create $IPSET_GFW nethash maxelem 1048576
|
||||||
ipset -! create $IPSET_CHN nethash maxelem 1048576
|
ipset -! create $IPSET_CHN nethash maxelem 1048576
|
||||||
@ -688,8 +688,8 @@ add_firewall_rule() {
|
|||||||
ipset -! create $IPSET_WHITELIST nethash maxelem 1048576
|
ipset -! create $IPSET_WHITELIST nethash maxelem 1048576
|
||||||
ipset -! create $IPSET_BLOCKLIST nethash maxelem 1048576
|
ipset -! create $IPSET_BLOCKLIST nethash maxelem 1048576
|
||||||
|
|
||||||
ipset -! create $IPSET_LANIPLIST6 nethash family inet6 maxelem 1048576
|
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
|
||||||
ipset -! create $IPSET_VPSIPLIST6 nethash family inet6 maxelem 1048576
|
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
|
||||||
ipset -! create $IPSET_SHUNTLIST6 nethash family inet6 maxelem 1048576
|
ipset -! create $IPSET_SHUNTLIST6 nethash family inet6 maxelem 1048576
|
||||||
ipset -! create $IPSET_GFW6 nethash family inet6 maxelem 1048576
|
ipset -! create $IPSET_GFW6 nethash family inet6 maxelem 1048576
|
||||||
ipset -! create $IPSET_CHN6 nethash family inet6 maxelem 1048576
|
ipset -! create $IPSET_CHN6 nethash family inet6 maxelem 1048576
|
||||||
@ -718,11 +718,11 @@ add_firewall_rule() {
|
|||||||
cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLOCKLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLOCKLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||||
|
|
||||||
ipset -! -R <<-EOF
|
ipset -! -R <<-EOF
|
||||||
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
|
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
ipset -! -R <<-EOF
|
ipset -! -R <<-EOF
|
||||||
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST6 /")
|
$(gen_lanlist_6 | sed -e "s/^/add $IPSET_LANLIST6 /")
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# 忽略特殊IP段
|
# 忽略特殊IP段
|
||||||
@ -735,11 +735,11 @@ add_firewall_rule() {
|
|||||||
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
||||||
|
|
||||||
[ -n "$lan_ip" ] && ipset -! -R <<-EOF
|
[ -n "$lan_ip" ] && ipset -! -R <<-EOF
|
||||||
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST /")
|
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST /")
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
|
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
|
||||||
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST6 /")
|
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST6 /")
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -774,8 +774,8 @@ add_firewall_rule() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
$ipt_n -N PSW
|
$ipt_n -N PSW
|
||||||
$ipt_n -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
|
$ipt_n -A PSW $(dst $IPSET_LANLIST) -j RETURN
|
||||||
$ipt_n -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
|
$ipt_n -A PSW $(dst $IPSET_VPSLIST) -j RETURN
|
||||||
$ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
$ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
||||||
|
|
||||||
WAN_IP=$(get_wan_ip)
|
WAN_IP=$(get_wan_ip)
|
||||||
@ -785,8 +785,8 @@ add_firewall_rule() {
|
|||||||
[ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW"
|
[ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW"
|
||||||
|
|
||||||
$ipt_n -N PSW_OUTPUT
|
$ipt_n -N PSW_OUTPUT
|
||||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||||
$ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
$ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||||
|
|
||||||
@ -805,8 +805,8 @@ add_firewall_rule() {
|
|||||||
$ipt_m -A PSW_RULE -j CONNMARK --save-mark
|
$ipt_m -A PSW_RULE -j CONNMARK --save-mark
|
||||||
|
|
||||||
$ipt_m -N PSW
|
$ipt_m -N PSW
|
||||||
$ipt_m -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
|
$ipt_m -A PSW $(dst $IPSET_LANLIST) -j RETURN
|
||||||
$ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
|
$ipt_m -A PSW $(dst $IPSET_VPSLIST) -j RETURN
|
||||||
$ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
$ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
||||||
$ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
|
$ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
|
||||||
|
|
||||||
@ -817,8 +817,8 @@ add_firewall_rule() {
|
|||||||
insert_rule_before "$ipt_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT"
|
insert_rule_before "$ipt_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT"
|
||||||
|
|
||||||
$ipt_m -N PSW_OUTPUT
|
$ipt_m -N PSW_OUTPUT
|
||||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
$ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||||
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
|
$ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
|
||||||
@ -828,14 +828,14 @@ add_firewall_rule() {
|
|||||||
|
|
||||||
[ "$accept_icmpv6" = "1" ] && {
|
[ "$accept_icmpv6" = "1" ] && {
|
||||||
$ip6t_n -N PSW
|
$ip6t_n -N PSW
|
||||||
$ip6t_n -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
|
$ip6t_n -A PSW $(dst $IPSET_LANLIST6) -j RETURN
|
||||||
$ip6t_n -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
|
$ip6t_n -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
|
||||||
$ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
$ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
||||||
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
|
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
|
||||||
|
|
||||||
$ip6t_n -N PSW_OUTPUT
|
$ip6t_n -N PSW_OUTPUT
|
||||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
||||||
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||||
}
|
}
|
||||||
@ -852,8 +852,8 @@ add_firewall_rule() {
|
|||||||
$ip6t_m -A PSW_RULE -j CONNMARK --save-mark
|
$ip6t_m -A PSW_RULE -j CONNMARK --save-mark
|
||||||
|
|
||||||
$ip6t_m -N PSW
|
$ip6t_m -N PSW
|
||||||
$ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
|
$ip6t_m -A PSW $(dst $IPSET_LANLIST6) -j RETURN
|
||||||
$ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
|
$ip6t_m -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
|
||||||
$ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
$ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
||||||
$ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
|
$ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
|
||||||
|
|
||||||
@ -866,8 +866,8 @@ add_firewall_rule() {
|
|||||||
|
|
||||||
$ip6t_m -N PSW_OUTPUT
|
$ip6t_m -N PSW_OUTPUT
|
||||||
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
||||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
|
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
|
||||||
|
|
||||||
@ -938,7 +938,7 @@ add_firewall_rule() {
|
|||||||
|
|
||||||
_proxy_tcp_access() {
|
_proxy_tcp_access() {
|
||||||
[ -n "${2}" ] || return 0
|
[ -n "${2}" ] || return 0
|
||||||
ipset -q test $IPSET_LANIPLIST ${2}
|
ipset -q test $IPSET_LANLIST ${2}
|
||||||
[ $? -eq 0 ] && {
|
[ $? -eq 0 ] && {
|
||||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
||||||
return 0
|
return 0
|
||||||
@ -1010,7 +1010,7 @@ add_firewall_rule() {
|
|||||||
echolog "加载路由器自身 UDP 代理..."
|
echolog "加载路由器自身 UDP 代理..."
|
||||||
_proxy_udp_access() {
|
_proxy_udp_access() {
|
||||||
[ -n "${2}" ] || return 0
|
[ -n "${2}" ] || return 0
|
||||||
ipset -q test $IPSET_LANIPLIST ${2}
|
ipset -q test $IPSET_LANLIST ${2}
|
||||||
[ $? == 0 ] && {
|
[ $? == 0 ] && {
|
||||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
||||||
return 0
|
return 0
|
||||||
@ -1099,8 +1099,8 @@ del_firewall_rule() {
|
|||||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||||
|
|
||||||
destroy_ipset $IPSET_LANIPLIST
|
destroy_ipset $IPSET_LANLIST
|
||||||
destroy_ipset $IPSET_VPSIPLIST
|
destroy_ipset $IPSET_VPSLIST
|
||||||
#destroy_ipset $IPSET_SHUNTLIST
|
#destroy_ipset $IPSET_SHUNTLIST
|
||||||
#destroy_ipset $IPSET_GFW
|
#destroy_ipset $IPSET_GFW
|
||||||
#destroy_ipset $IPSET_CHN
|
#destroy_ipset $IPSET_CHN
|
||||||
@ -1108,8 +1108,8 @@ del_firewall_rule() {
|
|||||||
destroy_ipset $IPSET_BLOCKLIST
|
destroy_ipset $IPSET_BLOCKLIST
|
||||||
destroy_ipset $IPSET_WHITELIST
|
destroy_ipset $IPSET_WHITELIST
|
||||||
|
|
||||||
destroy_ipset $IPSET_LANIPLIST6
|
destroy_ipset $IPSET_LANLIST6
|
||||||
destroy_ipset $IPSET_VPSIPLIST6
|
destroy_ipset $IPSET_VPSLIST6
|
||||||
#destroy_ipset $IPSET_SHUNTLIST6
|
#destroy_ipset $IPSET_SHUNTLIST6
|
||||||
#destroy_ipset $IPSET_GFW6
|
#destroy_ipset $IPSET_GFW6
|
||||||
#destroy_ipset $IPSET_CHN6
|
#destroy_ipset $IPSET_CHN6
|
||||||
@ -1122,8 +1122,9 @@ del_firewall_rule() {
|
|||||||
|
|
||||||
flush_ipset() {
|
flush_ipset() {
|
||||||
del_firewall_rule
|
del_firewall_rule
|
||||||
destroy_ipset $IPSET_VPSIPLIST $IPSET_SHUNTLIST $IPSET_GFW $IPSET_CHN $IPSET_BLACKLIST $IPSET_BLOCKLIST $IPSET_WHITELIST $IPSET_LANIPLIST
|
for _name in $(ipset list | grep "Name: " | grep "passwall_" | awk '{print $2}'); do
|
||||||
destroy_ipset $IPSET_VPSIPLIST6 $IPSET_SHUNTLIST6 $IPSET_GFW6 $IPSET_CHN6 $IPSET_BLACKLIST6 $IPSET_BLOCKLIST6 $IPSET_WHITELIST6 $IPSET_LANIPLIST6
|
destroy_ipset ${_name}
|
||||||
|
done
|
||||||
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
|
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
|
||||||
/etc/init.d/passwall reload
|
/etc/init.d/passwall reload
|
||||||
}
|
}
|
||||||
|
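Review bot: `for _name in $(ipset list | grep "Name: " | grep "passwall_" | awk '{print $2}')` dumps every member of every set just to read the names, which for `maxelem 1048576` sets such as chnroute can be megabytes of output on each flush, and the unanchored `grep "passwall_"` also matches a set whose name merely contains the prefix. `ipset -n list` prints only the names, so the loop can become `for _name in $(ipset -n list | grep "^passwall_"); do`. The old explicit list is gone, so any set created with the prefix by another component is now destroyed too; that looks intentional but deserves a one-line comment above the loop saying so.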
@ -2,23 +2,23 @@
|
|||||||
|
|
||||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||||
MY_PATH=$DIR/nftables.sh
|
MY_PATH=$DIR/nftables.sh
|
||||||
NFTSET_LANIPLIST="laniplist"
|
NFTSET_LANLIST="passwall_lanlist"
|
||||||
NFTSET_VPSIPLIST="vpsiplist"
|
NFTSET_VPSLIST="passwall_vpslist"
|
||||||
NFTSET_SHUNTLIST="shuntlist"
|
NFTSET_SHUNTLIST="passwall_shuntlist"
|
||||||
NFTSET_GFW="gfwlist"
|
NFTSET_GFW="passwall_gfwlist"
|
||||||
NFTSET_CHN="chnroute"
|
NFTSET_CHN="passwall_chnroute"
|
||||||
NFTSET_BLACKLIST="blacklist"
|
NFTSET_BLACKLIST="passwall_blacklist"
|
||||||
NFTSET_WHITELIST="whitelist"
|
NFTSET_WHITELIST="passwall_whitelist"
|
||||||
NFTSET_BLOCKLIST="blocklist"
|
NFTSET_BLOCKLIST="passwall_blocklist"
|
||||||
|
|
||||||
NFTSET_LANIPLIST6="laniplist6"
|
NFTSET_LANLIST6="passwall_lanlist6"
|
||||||
NFTSET_VPSIPLIST6="vpsiplist6"
|
NFTSET_VPSLIST6="passwall_vpslist6"
|
||||||
NFTSET_SHUNTLIST6="shuntlist6"
|
NFTSET_SHUNTLIST6="passwall_shuntlist6"
|
||||||
NFTSET_GFW6="gfwlist6"
|
NFTSET_GFW6="passwall_gfwlist6"
|
||||||
NFTSET_CHN6="chnroute6"
|
NFTSET_CHN6="passwall_chnroute6"
|
||||||
NFTSET_BLACKLIST6="blacklist6"
|
NFTSET_BLACKLIST6="passwall_blacklist6"
|
||||||
NFTSET_WHITELIST6="whitelist6"
|
NFTSET_WHITELIST6="passwall_whitelist6"
|
||||||
NFTSET_BLOCKLIST6="blocklist6"
|
NFTSET_BLOCKLIST6="passwall_blocklist6"
|
||||||
|
|
||||||
FORCE_INDEX=2
|
FORCE_INDEX=2
|
||||||
|
|
||||||
@ -233,11 +233,11 @@ get_action_chain_name() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_laniplist() {
|
gen_lanlist() {
|
||||||
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
|
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_laniplist_6() {
|
gen_lanlist_6() {
|
||||||
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
|
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -563,24 +563,24 @@ load_acl() {
|
|||||||
filter_haproxy() {
|
filter_haproxy() {
|
||||||
for item in ${haproxy_items}; do
|
for item in ${haproxy_items}; do
|
||||||
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
||||||
insert_nftset $NFTSET_VPSIPLIST $ip
|
insert_nftset $NFTSET_VPSLIST $ip
|
||||||
done
|
done
|
||||||
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成"
|
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSLIST]直连完成"
|
||||||
}
|
}
|
||||||
|
|
||||||
filter_vps_addr() {
|
filter_vps_addr() {
|
||||||
for server_host in $@; do
|
for server_host in $@; do
|
||||||
local vps_ip4=$(get_host_ip "ipv4" ${server_host})
|
local vps_ip4=$(get_host_ip "ipv4" ${server_host})
|
||||||
local vps_ip6=$(get_host_ip "ipv6" ${server_host})
|
local vps_ip6=$(get_host_ip "ipv6" ${server_host})
|
||||||
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSIPLIST $vps_ip4
|
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST $vps_ip4
|
||||||
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSIPLIST6 $vps_ip6
|
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 $vps_ip6
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
filter_vpsip() {
|
filter_vpsip() {
|
||||||
insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
|
insert_nftset $NFTSET_VPSLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
|
||||||
insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
|
insert_nftset $NFTSET_VPSLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
|
||||||
echolog "加入所有节点到nftset[$NFTSET_VPSIPLIST]直连完成"
|
echolog "加入所有节点到nftset[$NFTSET_VPSLIST]直连完成"
|
||||||
}
|
}
|
||||||
|
|
||||||
filter_node() {
|
filter_node() {
|
||||||
@ -613,8 +613,8 @@ filter_node() {
|
|||||||
|
|
||||||
local ADD_INDEX=$FORCE_INDEX
|
local ADD_INDEX=$FORCE_INDEX
|
||||||
for _ipt in 4 6; do
|
for _ipt in 4 6; do
|
||||||
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSIPLIST
|
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSLIST
|
||||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSIPLIST6
|
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
|
||||||
nft "list chain inet fw4 $nft_output_chain" | grep -q "${address}:${port}"
|
nft "list chain inet fw4 $nft_output_chain" | grep -q "${address}:${port}"
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
unset dst_rule
|
unset dst_rule
|
||||||
@ -693,18 +693,18 @@ dns_hijack() {
|
|||||||
|
|
||||||
add_firewall_rule() {
|
add_firewall_rule() {
|
||||||
echolog "开始加载防火墙规则..."
|
echolog "开始加载防火墙规则..."
|
||||||
gen_nftset $NFTSET_VPSIPLIST ipv4_addr
|
gen_nftset $NFTSET_VPSLIST ipv4_addr
|
||||||
gen_nftset $NFTSET_GFW ipv4_addr
|
gen_nftset $NFTSET_GFW ipv4_addr
|
||||||
gen_nftset $NFTSET_LANIPLIST ipv4_addr $(gen_laniplist)
|
gen_nftset $NFTSET_LANLIST ipv4_addr $(gen_lanlist)
|
||||||
gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#")
|
gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#")
|
||||||
gen_nftset $NFTSET_BLACKLIST ipv4_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
gen_nftset $NFTSET_BLACKLIST ipv4_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||||
gen_nftset $NFTSET_WHITELIST ipv4_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
gen_nftset $NFTSET_WHITELIST ipv4_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||||
gen_nftset $NFTSET_BLOCKLIST ipv4_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
gen_nftset $NFTSET_BLOCKLIST ipv4_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||||
gen_nftset $NFTSET_SHUNTLIST ipv4_addr
|
gen_nftset $NFTSET_SHUNTLIST ipv4_addr
|
||||||
|
|
||||||
gen_nftset $NFTSET_VPSIPLIST6 ipv6_addr
|
gen_nftset $NFTSET_VPSLIST6 ipv6_addr
|
||||||
gen_nftset $NFTSET_GFW6 ipv6_addr
|
gen_nftset $NFTSET_GFW6 ipv6_addr
|
||||||
gen_nftset $NFTSET_LANIPLIST6 ipv6_addr $(gen_laniplist_6)
|
gen_nftset $NFTSET_LANLIST6 ipv6_addr $(gen_lanlist_6)
|
||||||
gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#")
|
gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#")
|
||||||
gen_nftset $NFTSET_BLACKLIST6 ipv6_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
gen_nftset $NFTSET_BLACKLIST6 ipv6_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||||
gen_nftset $NFTSET_WHITELIST6 ipv6_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
gen_nftset $NFTSET_WHITELIST6 ipv6_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||||
@ -730,8 +730,8 @@ add_firewall_rule() {
|
|||||||
#echolog "本机IPv4网段互访直连:${lan_ip}"
|
#echolog "本机IPv4网段互访直连:${lan_ip}"
|
||||||
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
||||||
|
|
||||||
[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANIPLIST $(echo $lan_ip | sed -e "s/ /\n/g")
|
[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST $(echo $lan_ip | sed -e "s/ /\n/g")
|
||||||
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANIPLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
|
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
|
||||||
}
|
}
|
||||||
|
|
||||||
[ -n "$ISP_DNS" ] && {
|
[ -n "$ISP_DNS" ] && {
|
||||||
@ -792,15 +792,15 @@ add_firewall_rule() {
|
|||||||
#ipv4 tproxy mode and udp
|
#ipv4 tproxy mode and udp
|
||||||
nft "add chain inet fw4 PSW_MANGLE"
|
nft "add chain inet fw4 PSW_MANGLE"
|
||||||
nft "flush chain inet fw4 PSW_MANGLE"
|
nft "flush chain inet fw4 PSW_MANGLE"
|
||||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
|
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
|
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
||||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||||
|
|
||||||
nft "add chain inet fw4 PSW_OUTPUT_MANGLE"
|
nft "add chain inet fw4 PSW_OUTPUT_MANGLE"
|
||||||
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
|
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||||
@ -813,16 +813,16 @@ add_firewall_rule() {
|
|||||||
[ -z "${is_tproxy}" ] && {
|
[ -z "${is_tproxy}" ] && {
|
||||||
nft "add chain inet fw4 PSW"
|
nft "add chain inet fw4 PSW"
|
||||||
nft "flush chain inet fw4 PSW"
|
nft "flush chain inet fw4 PSW"
|
||||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANIPLIST counter return"
|
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANLIST counter return"
|
||||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSIPLIST counter return"
|
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSLIST counter return"
|
||||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return"
|
nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return"
|
||||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop"
|
nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||||
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
|
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
|
||||||
|
|
||||||
nft "add chain inet fw4 PSW_OUTPUT"
|
nft "add chain inet fw4 PSW_OUTPUT"
|
||||||
nft "flush chain inet fw4 PSW_OUTPUT"
|
nft "flush chain inet fw4 PSW_OUTPUT"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANIPLIST counter return"
|
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSIPLIST counter return"
|
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return"
|
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return"
|
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||||
@ -832,13 +832,13 @@ add_firewall_rule() {
|
|||||||
if [ "$accept_icmp" = "1" ]; then
|
if [ "$accept_icmp" = "1" ]; then
|
||||||
nft "add chain inet fw4 PSW_ICMP_REDIRECT"
|
nft "add chain inet fw4 PSW_ICMP_REDIRECT"
|
||||||
nft "flush chain inet fw4 PSW_ICMP_REDIRECT"
|
nft "flush chain inet fw4 PSW_ICMP_REDIRECT"
|
||||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANIPLIST counter return"
|
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSIPLIST counter return"
|
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSLIST counter return"
|
||||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return"
|
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return"
|
||||||
|
|
||||||
[ "$accept_icmpv6" = "1" ] && {
|
[ "$accept_icmpv6" = "1" ] && {
|
||||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -858,15 +858,15 @@ add_firewall_rule() {
|
|||||||
#ipv6 tproxy mode and udp
|
#ipv6 tproxy mode and udp
|
||||||
nft "add chain inet fw4 PSW_MANGLE_V6"
|
nft "add chain inet fw4 PSW_MANGLE_V6"
|
||||||
nft "flush chain inet fw4 PSW_MANGLE_V6"
|
nft "flush chain inet fw4 PSW_MANGLE_V6"
|
||||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
||||||
|
|
||||||
nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
||||||
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
||||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
||||||
@ -944,7 +944,7 @@ add_firewall_rule() {
|
|||||||
|
|
||||||
_proxy_tcp_access() {
|
_proxy_tcp_access() {
|
||||||
[ -n "${2}" ] || return 0
|
[ -n "${2}" ] || return 0
|
||||||
nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
|
nft "get element inet fw4 $NFTSET_LANLIST {${2}}" &>/dev/null
|
||||||
[ $? -eq 0 ] && {
|
[ $? -eq 0 ] && {
|
||||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
||||||
return 0
|
return 0
|
||||||
@ -1015,7 +1015,7 @@ add_firewall_rule() {
|
|||||||
echolog "加载路由器自身 UDP 代理..."
|
echolog "加载路由器自身 UDP 代理..."
|
||||||
_proxy_udp_access() {
|
_proxy_udp_access() {
|
||||||
[ -n "${2}" ] || return 0
|
[ -n "${2}" ] || return 0
|
||||||
nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
|
nft "get element inet fw4 $NFTSET_LANLIST {${2}}" &>/dev/null
|
||||||
[ $? == 0 ] && {
|
[ $? == 0 ] && {
|
||||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
||||||
return 0
|
return 0
|
||||||
@ -1101,8 +1101,8 @@ del_firewall_rule() {
|
|||||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||||
|
|
||||||
destroy_nftset $NFTSET_LANIPLIST
|
destroy_nftset $NFTSET_LANLIST
|
||||||
destroy_nftset $NFTSET_VPSIPLIST
|
destroy_nftset $NFTSET_VPSLIST
|
||||||
#destroy_nftset $NFTSET_SHUNTLIST
|
#destroy_nftset $NFTSET_SHUNTLIST
|
||||||
#destroy_nftset $NFTSET_GFW
|
#destroy_nftset $NFTSET_GFW
|
||||||
#destroy_nftset $NFTSET_CHN
|
#destroy_nftset $NFTSET_CHN
|
||||||
@ -1110,8 +1110,8 @@ del_firewall_rule() {
|
|||||||
destroy_nftset $NFTSET_BLOCKLIST
|
destroy_nftset $NFTSET_BLOCKLIST
|
||||||
destroy_nftset $NFTSET_WHITELIST
|
destroy_nftset $NFTSET_WHITELIST
|
||||||
|
|
||||||
destroy_nftset $NFTSET_LANIPLIST6
|
destroy_nftset $NFTSET_LANLIST6
|
||||||
destroy_nftset $NFTSET_VPSIPLIST6
|
destroy_nftset $NFTSET_VPSLIST6
|
||||||
#destroy_nftset $NFTSET_SHUNTLIST6
|
#destroy_nftset $NFTSET_SHUNTLIST6
|
||||||
#destroy_nftset $NFTSET_GFW6
|
#destroy_nftset $NFTSET_GFW6
|
||||||
#destroy_nftset $NFTSET_CHN6
|
#destroy_nftset $NFTSET_CHN6
|
||||||
@ -1124,8 +1124,8 @@ del_firewall_rule() {
|
|||||||
|
|
||||||
flush_nftset() {
|
flush_nftset() {
|
||||||
del_firewall_rule
|
del_firewall_rule
|
||||||
destroy_nftset $NFTSET_VPSIPLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANIPLIST
|
destroy_nftset $NFTSET_VPSLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANLIST
|
||||||
destroy_nftset $NFTSET_VPSIPLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANIPLIST6
|
destroy_nftset $NFTSET_VPSLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANLIST6
|
||||||
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
|
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
|
||||||
/etc/init.d/passwall reload
|
/etc/init.d/passwall reload
|
||||||
}
|
}
|
||||||
|