diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index 6fac8b384..b1e68741f 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 -PKG_VERSION:=24.12.21 +PKG_VERSION:=24.12.22 PKG_RELEASE:=1 PKG_CONFIG_DEPENDS:= \ diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index 3d73de5cf..f2531161a 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -12,6 +12,7 @@ TMP_ROUTE_PATH=$TMP_PATH/route TMP_ACL_PATH=$TMP_PATH/acl TMP_IFACE_PATH=$TMP_PATH/iface TMP_PATH2=/tmp/etc/${CONFIG}_tmp +GLOBAL_ACL_PATH=${TMP_ACL_PATH}/default LOG_FILE=/tmp/log/$CONFIG.log APP_PATH=/usr/share/$CONFIG RULES_PATH=/usr/share/${CONFIG}/rules 
@@ -373,15 +374,15 @@ run_xray() { [ "${write_ipset_direct}" = "1" ] && { direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) local set_flag="${flag}" - local direct_ipset_conf=${TMP_ACL_PATH}/default/dns_${flag}_direct.conf + local direct_ipset_conf=${GLOBAL_ACL_PATH}/dns_${flag}_direct.conf [ -n "$(echo ${flag} | grep '^acl')" ] && { direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dns_${flag}_direct.conf set_flag=$(echo ${flag} | awk -F '_' '{print $2}') } if [ "${nftflag}" = "1" ]; then - local direct_nftset="4#inet#passwall2#passwall2_${set_flag}_whitelist,6#inet#passwall2#passwall2_${set_flag}_whitelist6" + local direct_nftset="4#inet#passwall2#passwall2_${set_flag}_white,6#inet#passwall2#passwall2_${set_flag}_white6" else - local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" + local direct_ipset="passwall2_${set_flag}_white,passwall2_${set_flag}_white6" fi run_ipset_dns_server listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port} 
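Review bot: The direct-ipset block changed here in run_xray is the same text as the block changed in run_singbox (the next hunk), which is why this rename had to be applied twice; the set-name construction (`passwall2_${set_flag}_white[6]` and the `4#inet#passwall2#…` nftset form) would be better in one helper both callers invoke, so a future rename or a change to the ACL-vs-global branching cannot drift between them. The names built here must also match those created in iptables.sh/nftables.sh (`passwall2_${sid}_white`, `passwall2_global_white`), and nothing at this site says so; a comment such as `# set names must match those created by load_acl/add_firewall_rule in iptables.sh and nftables.sh` would record the coupling. Both functions start and end outside their hunks.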
@@ -487,15 +488,15 @@ run_singbox() { [ "${write_ipset_direct}" = "1" ] && { direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) local set_flag="${flag}" - local direct_ipset_conf=${TMP_ACL_PATH}/default/dns_${flag}_direct.conf + local direct_ipset_conf=${GLOBAL_ACL_PATH}/dns_${flag}_direct.conf [ -n "$(echo ${flag} | grep '^acl')" ] && { direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dns_${flag}_direct.conf set_flag=$(echo ${flag} | awk -F '_' '{print $2}') } if [ "${nftflag}" = "1" ]; then - local direct_nftset="4#inet#passwall2#passwall2_${set_flag}_whitelist,6#inet#passwall2#passwall2_${set_flag}_whitelist6" + local direct_nftset="4#inet#passwall2#passwall2_${set_flag}_white,6#inet#passwall2#passwall2_${set_flag}_white6" else - local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" + local direct_ipset="passwall2_${set_flag}_white,passwall2_${set_flag}_white6" fi run_ipset_dns_server listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port} @@ -708,7 +709,7 @@ run_global() { [ -z "$NODE" ] && return 1 TYPE=$(echo $(config_n_get $NODE type) | tr 'A-Z' 'a-z') [ -z "$TYPE" ] && return 1 - mkdir -p $TMP_ACL_PATH/default + mkdir -p ${GLOBAL_ACL_PATH} if [ $PROXY_IPV6 == "1" ]; then echolog "开启实验性IPv6透明代理(TProxy),请确认您的节点及类型支持IPv6!" @@ -746,8 +747,8 @@ run_global() { msg="${msg})" echolog ${msg} - V2RAY_CONFIG=$TMP_ACL_PATH/default/global.json - V2RAY_LOG=$TMP_ACL_PATH/default/global.log + V2RAY_CONFIG=${GLOBAL_ACL_PATH}/global.json + V2RAY_LOG=${GLOBAL_ACL_PATH}/global.log [ "$(config_t_get global log_node 1)" != "1" ] && V2RAY_LOG="/dev/null" V2RAY_ARGS="${V2RAY_ARGS} log_file=${V2RAY_LOG} config_file=${V2RAY_CONFIG}" 
@@ -782,7 +783,9 @@ run_global() { [ "1" = "0" ] && { DIRECT_DNSMASQ_PORT=$(get_new_port 11400) DIRECT_DNSMASQ_CONF=${GLOBAL_ACL_PATH}/direct_dnsmasq.conf - lua $APP_PATH/helper_dnsmasq.lua copy_instance -LISTEN_PORT ${DIRECT_DNSMASQ_PORT} -DNSMASQ_CONF ${DIRECT_DNSMASQ_CONF} + DIRECT_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/direct_dnsmasq.d + mkdir -p ${DIRECT_DNSMASQ_CONF_PATH} + lua $APP_PATH/helper_dnsmasq.lua copy_instance -LISTEN_PORT ${DIRECT_DNSMASQ_PORT} -DNSMASQ_CONF ${DIRECT_DNSMASQ_CONF} -TMP_DNSMASQ_PATH ${DIRECT_DNSMASQ_CONF_PATH} ln_run "$(first_type dnsmasq)" "dnsmasq_direct" "/dev/null" -C ${DIRECT_DNSMASQ_CONF} -x ${GLOBAL_ACL_PATH}/direct_dnsmasq.pid set_cache_var "DIRECT_DNSMASQ_PORT" "${DIRECT_DNSMASQ_PORT}" } @@ -1052,11 +1055,11 @@ run_ipset_chinadns_ng() { [ -n "${ipset}" ] && { set_names=$ipset - vps_set_names="passwall2_vpslist,passwall2_vpslist6" + vps_set_names="passwall2_vps,passwall2_vps6" } [ -n "${nftset}" ] && { set_names=$(echo ${nftset} | awk -F, '{printf "%s,%s", substr($1,3), substr($2,3)}' | sed 's/#/@/g') - vps_set_names="inet@passwall2@passwall2_vpslist,inet@passwall2@passwall2_vpslist6" + vps_set_names="inet@passwall2@passwall2_vps,inet@passwall2@passwall2_vps6" } cat <<-EOF > $config_file bind-addr 127.0.0.1 
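Review bot: The three added lines in run_global (`DIRECT_DNSMASQ_CONF_PATH`, its `mkdir -p` and the extended `copy_instance` call) sit inside the `[ "1" = "0" ] && {` block visible as hunk context, so they are never executed. If the direct dnsmasq instance is intentionally disabled, a short comment above the guard saying why, e.g. `# direct dnsmasq instance disabled: the guard is a constant false; replace with the real condition to re-enable`, would stop the next reader from wiring more code into a dead path; otherwise the constant should become the real condition. run_global starts and ends outside this hunk.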
@@ -1354,19 +1357,17 @@ DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print AUTO_DNS=${DEFAULT_DNS:-119.29.29.29} DNSMASQ_CONF_DIR=/tmp/dnsmasq.d -TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')" if [ -f "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID" ]; then DNSMASQ_CONF_DIR="$(awk -F '=' '/^conf-dir=/ {print $2}' "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID")" if [ -n "$DNSMASQ_CONF_DIR" ]; then DNSMASQ_CONF_DIR=${DNSMASQ_CONF_DIR%*/} - TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} else DNSMASQ_CONF_DIR="/tmp/dnsmasq.d" fi fi GLOBAL_DNSMASQ_CONF=${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf -GLOBAL_DNSMASQ_CONF_PATH=${TMP_DNSMASQ_PATH} +GLOBAL_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/dnsmasq.d PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0) diff --git a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.lua b/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.lua index 3f74227bb..95ccebdc9 100644 --- a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.lua +++ b/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.lua @@ -117,6 +117,7 @@ end function copy_instance(var) local LISTEN_PORT = var["-LISTEN_PORT"] + local TMP_DNSMASQ_PATH = var["-TMP_DNSMASQ_PATH"] local conf_lines = {} local DEFAULT_DNSMASQ_CFGID = sys.exec("echo -n $(uci -q show dhcp.@dnsmasq[0] | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')") for line in io.lines("/tmp/etc/dnsmasq.conf." .. DEFAULT_DNSMASQ_CFGID) do 
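Review bot: Moving the global dnsmasq drop-in directory from `${DNSMASQ_CONF_DIR}/${CONFIG}` (inside dnsmasq's own conf-dir, where it was read automatically) to `${GLOBAL_ACL_PATH}/dnsmasq.d` means dnsmasq will only see it if the file written at `GLOBAL_DNSMASQ_CONF` references the new directory explicitly; that writer is outside this hunk, so please confirm it does. Please also confirm that the stop/cleanup path removes the old `${DNSMASQ_CONF_DIR}/${CONFIG}` directory left behind by a previous version, since anything still in there is loaded on every dnsmasq restart until reboot, and that no remaining code still reads the dropped `TMP_DNSMASQ_PATH` global. A comment next to the new assignment, `# drop-ins for the global instance live under the ACL dir; GLOBAL_DNSMASQ_CONF must reference this path`, would record the dependency.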
@@ -126,13 +127,23 @@ function copy_instance(var) if line:find("dhcp") then filter = true end if line:find("server=") == 1 then filter = true end if line:find("port=") == 1 then filter = true end + if line:find("conf%-dir=") == 1 then + filter = true + if TMP_DNSMASQ_PATH then + local tmp_path = line:sub(1 + #"conf-dir=") + sys.call(string.format("cp -r %s/* %s/ 2>/dev/null", tmp_path, TMP_DNSMASQ_PATH)) + end + end if line:find("address=") == 1 or (line:find("server=") == 1 and line:find("/")) then filter = nil end if not filter then tinsert(conf_lines, line) end end tinsert(conf_lines, "port=" .. LISTEN_PORT) - if var["-return_table"] == "1" then + if TMP_DNSMASQ_PATH then + sys.call("rm -rf " .. TMP_DNSMASQ_PATH .. "/*passwall*") + end + if var["-return"] == "1" then return conf_lines end if #conf_lines > 0 then @@ -264,7 +275,7 @@ function add_rule(var) if address == "engage.cloudflareclient.com" then return end if datatypes.hostname(address) then set_domain_dns(address, fwd_dns) - set_domain_ipset(address, setflag_4 .. "passwall2_vpslist," .. setflag_6 .. "passwall2_vpslist6") + set_domain_ipset(address, setflag_4 .. "passwall2_vps," .. setflag_6 .. "passwall2_vps6") end end process_address(t.address) @@ -314,7 +325,7 @@ function add_rule(var) local conf_lines = {} if LISTEN_PORT then --Copy dnsmasq instance - conf_lines = copy_instance({["-LISTEN_PORT"] = LISTEN_PORT, ["-return_table"] = "1"}) + conf_lines = copy_instance({["-LISTEN_PORT"] = LISTEN_PORT, ["-TMP_DNSMASQ_PATH"] = TMP_DNSMASQ_PATH, ["-return"] = "1"}) else --Modify the default dnsmasq service end @@ -334,6 +345,7 @@ function add_rule(var) if #conf_lines > 0 then local conf_out = io.open(DNSMASQ_CONF_FILE, "a") conf_out:write(table.concat(conf_lines, "\n")) + conf_out:write("\n") conf_out:close() end end diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index 2da502a18..9f352ee57 100755 
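Review bot: The new `conf-dir=` handling in copy_instance interpolates the raw option value and `TMP_DNSMASQ_PATH` into shell commands unquoted, and the `if TMP_DNSMASQ_PATH then` guard does not reject an empty string (which is truthy in Lua), so an empty path would turn the later cleanup into `rm -rf /*passwall*`. dnsmasq also accepts `conf-dir=<dir>[,<suffix>...]`, so the text after `conf-dir=` should be cut at the first comma before it is used as a directory; as written the `cp` for such a line fails silently behind `2>/dev/null`. Whether an empty value can actually reach here depends on how the `-TMP_DNSMASQ_PATH` argument is parsed into `var`, which is outside this hunk. The rewrite below tightens the guard, quotes the paths and strips a suffix filter. Note also that `-return_table` was renamed to `-return`; any caller outside this diff still passing the old key would now fall through to the file-writing branch.
```lua
			if line:find("conf%-dir=") == 1 then
				filter = true
				-- dnsmasq allows "conf-dir=<dir>[,<suffix>...]"; keep only the directory part
				if TMP_DNSMASQ_PATH and TMP_DNSMASQ_PATH ~= "" then
					local tmp_path = line:sub(1 + #"conf-dir="):match("^[^,]+")
					if tmp_path then
						sys.call(string.format("cp -r '%s'/* '%s'/ 2>/dev/null", tmp_path, TMP_DNSMASQ_PATH))
					end
				end
			end
		-- … unchanged: address=/server= filter, tinsert of conf_lines, port= line …
		if TMP_DNSMASQ_PATH and TMP_DNSMASQ_PATH ~= "" then
			sys.call("rm -rf '" .. TMP_DNSMASQ_PATH .. "'/*passwall*")
		end
```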
--- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh @@ -2,13 +2,13 @@ DIR="$(cd "$(dirname "$0")" && pwd)" MY_PATH=$DIR/iptables.sh -IPSET_LOCALLIST="passwall2_locallist" -IPSET_LANLIST="passwall2_lanlist" -IPSET_VPSLIST="passwall2_vpslist" +IPSET_LOCAL="passwall2_local" +IPSET_LAN="passwall2_lan" +IPSET_VPS="passwall2_vps" -IPSET_LOCALLIST6="passwall2_locallist6" -IPSET_LANLIST6="passwall2_lanlist6" -IPSET_VPSLIST6="passwall2_vpslist6" +IPSET_LOCAL6="passwall2_local6" +IPSET_LAN6="passwall2_lan6" +IPSET_VPS6="passwall2_vps6" FORCE_INDEX=2 @@ -301,18 +301,18 @@ load_acl() { write_ipset_direct=${write_ipset_direct:-1} [ "${write_ipset_direct}" = "1" ] && { if [ -n "$(get_cache_var "ACL_${sid}_default")" ]; then - local ipset_whitelist=${ipset_global_whitelist} - local ipset_whitelist6=${ipset_global_whitelist6} + local ipset_white=${ipset_global_white} + local ipset_white6=${ipset_global_white6} shunt_list4=${SHUNT_LIST4} shunt_list6=${SHUNT_LIST6} else - local ipset_whitelist="passwall2_${sid}_whitelist" - local ipset_whitelist6="passwall2_${sid}_whitelist6" - ipset -! create $ipset_whitelist nethash maxelem 1048576 - ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576 + local ipset_white="passwall2_${sid}_white" + local ipset_white6="passwall2_${sid}_white6" + ipset -! create $ipset_white nethash maxelem 1048576 + ipset -! create $ipset_white6 nethash family inet6 maxelem 1048576 #分流规则的IP列表(使用分流节点时导入) - gen_shunt_list ${node} shunt_list4 shunt_list6 ${write_ipset_direct} ${ipset_whitelist} ${ipset_whitelist6} + gen_shunt_list ${node} shunt_list4 shunt_list6 ${write_ipset_direct} ${ipset_white} ${ipset_white6} fi } 
@@ -562,16 +562,16 @@ load_acl() { filter_haproxy() { for item in $(uci show $CONFIG | grep ".lbss=" | cut -d "'" -f 2); do local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1) - [ -n "$ip" ] && ipset -q add $IPSET_VPSLIST $ip + [ -n "$ip" ] && ipset -q add $IPSET_VPS $ip done - echolog "加入负载均衡的节点到ipset[$IPSET_VPSLIST]直连完成" + echolog "加入负载均衡的节点到ipset[$IPSET_VPS]直连完成" } filter_vpsip() { - uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R - echolog " - [$?]加入所有IPv4节点到ipset[$IPSET_VPSLIST]直连完成" - uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R - echolog " - [$?]加入所有IPv6节点到ipset[$IPSET_VPSLIST6]直连完成" + uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPS &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R + echolog " - [$?]加入所有IPv4节点到ipset[$IPSET_VPS]直连完成" + uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPS6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R + echolog " - [$?]加入所有IPv6节点到ipset[$IPSET_VPS6]直连完成" } filter_server_port() { 
@@ -620,27 +620,27 @@ filter_direct_node_list() { add_firewall_rule() { echolog "开始加载防火墙规则..." - ipset -! create $IPSET_LOCALLIST nethash maxelem 1048576 - ipset -! create $IPSET_LANLIST nethash maxelem 1048576 - ipset -! create $IPSET_VPSLIST nethash maxelem 1048576 + ipset -! create $IPSET_LOCAL nethash maxelem 1048576 + ipset -! create $IPSET_LAN nethash maxelem 1048576 + ipset -! create $IPSET_VPS nethash maxelem 1048576 - ipset -! create $IPSET_LOCALLIST6 nethash family inet6 maxelem 1048576 - ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576 - ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576 + ipset -! create $IPSET_LOCAL6 nethash family inet6 maxelem 1048576 + ipset -! create $IPSET_LAN6 nethash family inet6 maxelem 1048576 + ipset -! create $IPSET_VPS6 nethash family inet6 maxelem 1048576 ipset -! -R <<-EOF - $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST /") + $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCAL /") EOF ipset -! -R <<-EOF - $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST6 /") + $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCAL6 /") EOF ipset -! -R <<-EOF - $(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /") + $(gen_lanlist | sed -e "s/^/add $IPSET_LAN /") EOF ipset -! -R <<-EOF - $(gen_lanlist_6 | sed -e "s/^/add $IPSET_LANLIST6 /") + $(gen_lanlist_6 | sed -e "s/^/add $IPSET_LAN6 /") EOF # 忽略特殊IP段 
@@ -653,18 +653,18 @@ add_firewall_rule() { #echolog "本机IPv6网段互访直连:${lan_ip6}" [ -n "$lan_ip" ] && ipset -! -R <<-EOF - $(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST /") + $(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LAN /") EOF [ -n "$lan_ip6" ] && ipset -! -R <<-EOF - $(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST6 /") + $(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LAN6 /") EOF } [ -n "$ISP_DNS" ] && { #echolog "处理 ISP DNS 例外..." for ispip in $ISP_DNS; do - ipset -! add $IPSET_LANLIST $ispip + ipset -! add $IPSET_LAN $ispip echolog " - [$?]追加ISP IPv4 DNS到白名单:${ispip}" done } @@ -672,18 +672,18 @@ add_firewall_rule() { [ -n "$ISP_DNS6" ] && { #echolog "处理 ISP IPv6 DNS 例外..." for ispip6 in $ISP_DNS6; do - ipset -! add $IPSET_LANLIST6 $ispip6 + ipset -! add $IPSET_LAN6 $ispip6 echolog " - [$?]追加ISP IPv6 DNS到白名单:${ispip6}" done } - local ipset_global_whitelist="passwall2_global_whitelist" - local ipset_global_whitelist6="passwall2_global_whitelist6" - ipset -! create $ipset_global_whitelist nethash maxelem 1048576 timeout 259200 - ipset -! create $ipset_global_whitelist6 nethash family inet6 maxelem 1048576 timeout 259200 + local ipset_global_white="passwall2_global_white" + local ipset_global_white6="passwall2_global_white6" + ipset -! create $ipset_global_white nethash maxelem 1048576 timeout 259200 + ipset -! create $ipset_global_white6 nethash family inet6 maxelem 1048576 timeout 259200 #分流规则的IP列表(使用分流节点时导入) - gen_shunt_list ${NODE} SHUNT_LIST4 SHUNT_LIST6 ${WRITE_IPSET_DIRECT} ${ipset_global_whitelist} ${ipset_global_whitelist6} + gen_shunt_list ${NODE} SHUNT_LIST4 SHUNT_LIST6 ${WRITE_IPSET_DIRECT} ${ipset_global_white} ${ipset_global_white6} # 过滤所有节点IP filter_vpsip > /dev/null 2>&1 & 
@@ -700,8 +700,8 @@ add_firewall_rule() { fi $ipt_n -N PSW2 - $ipt_n -A PSW2 $(dst $IPSET_LANLIST) -j RETURN - $ipt_n -A PSW2 $(dst $IPSET_VPSLIST) -j RETURN + $ipt_n -A PSW2 $(dst $IPSET_LAN) -j RETURN + $ipt_n -A PSW2 $(dst $IPSET_VPS) -j RETURN WAN_IP=$(get_wan_ip) [ ! -z "${WAN_IP}" ] && $ipt_n -A PSW2 $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN @@ -710,14 +710,14 @@ add_firewall_rule() { [ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW2" $ipt_n -N PSW2_OUTPUT - $ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN - $ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN + $ipt_n -A PSW2_OUTPUT $(dst $IPSET_LAN) -j RETURN + $ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPS) -j RETURN $ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN $ipt_n -N PSW2_DNS if [ $(config_t_get global dns_redirect "1") = "0" ]; then #Only hijack when dest address is local IP - $ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW2_DNS + $ipt_n -I PREROUTING $(dst $IPSET_LOCAL) -j PSW2_DNS else $ipt_n -I PREROUTING -j PSW2_DNS fi @@ -734,8 +734,8 @@ add_firewall_rule() { $ipt_m -A PSW2_RULE -j CONNMARK --save-mark $ipt_m -N PSW2 - $ipt_m -A PSW2 $(dst $IPSET_LANLIST) -j RETURN - $ipt_m -A PSW2 $(dst $IPSET_VPSLIST) -j RETURN + $ipt_m -A PSW2 $(dst $IPSET_LAN) -j RETURN + $ipt_m -A PSW2 $(dst $IPSET_VPS) -j RETURN [ ! -z "${WAN_IP}" ] && $ipt_m -A PSW2 $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN unset WAN_IP @@ -744,8 +744,8 @@ add_firewall_rule() { insert_rule_before "$ipt_m" "PREROUTING" "PSW2" "-p tcp -m socket -j PSW2_DIVERT" $ipt_m -N PSW2_OUTPUT - $ipt_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN - $ipt_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN + $ipt_m -A PSW2_OUTPUT $(dst $IPSET_LAN) -j RETURN + $ipt_m -A PSW2_OUTPUT $(dst $IPSET_VPS) -j RETURN [ -n "$AUTO_DNS" ] && { for auto_dns in $(echo $AUTO_DNS | tr ',' ' '); do local dns_address=$(echo $auto_dns | awk -F '#' '{print $1}') 
@@ -761,20 +761,20 @@ add_firewall_rule() { [ "$accept_icmpv6" = "1" ] && { $ip6t_n -N PSW2 - $ip6t_n -A PSW2 $(dst $IPSET_LANLIST6) -j RETURN - $ip6t_n -A PSW2 $(dst $IPSET_VPSLIST6) -j RETURN + $ip6t_n -A PSW2 $(dst $IPSET_LAN6) -j RETURN + $ip6t_n -A PSW2 $(dst $IPSET_VPS6) -j RETURN $ip6t_n -A PREROUTING -p ipv6-icmp -j PSW2 $ip6t_n -N PSW2_OUTPUT - $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN - $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN + $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LAN6) -j RETURN + $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPS6) -j RETURN $ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN } $ip6t_n -N PSW2_DNS if [ $(config_t_get global dns_redirect "1") = "0" ]; then #Only hijack when dest address is local IP - $ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW2_DNS + $ip6t_n -I PREROUTING $(dst $IPSET_LOCAL6) -j PSW2_DNS else $ip6t_n -I PREROUTING -j PSW2_DNS fi @@ -791,8 +791,8 @@ add_firewall_rule() { $ip6t_m -A PSW2_RULE -j CONNMARK --save-mark $ip6t_m -N PSW2 - $ip6t_m -A PSW2 $(dst $IPSET_LANLIST6) -j RETURN - $ip6t_m -A PSW2 $(dst $IPSET_VPSLIST6) -j RETURN + $ip6t_m -A PSW2 $(dst $IPSET_LAN6) -j RETURN + $ip6t_m -A PSW2 $(dst $IPSET_VPS6) -j RETURN WAN6_IP=$(get_wan6_ip) [ ! -z "${WAN6_IP}" ] && $ip6t_m -A PSW2 $(comment "WAN6_IP_RETURN") -d ${WAN6_IP} -j RETURN @@ -803,8 +803,8 @@ add_firewall_rule() { $ip6t_m -N PSW2_OUTPUT $ip6t_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN - $ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN - $ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN + $ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LAN6) -j RETURN + $ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPS6) -j RETURN ip -6 rule add fwmark 1 table 100 ip -6 route add local ::/0 dev lo table 100 diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index a7fb3f578..3711b56cf 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh 
+++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh @@ -3,13 +3,13 @@ DIR="$(cd "$(dirname "$0")" && pwd)" MY_PATH=$DIR/nftables.sh NFTABLE_NAME="inet passwall2" -NFTSET_LOCALLIST="passwall2_locallist" -NFTSET_LANLIST="passwall2_lanlist" -NFTSET_VPSLIST="passwall2_vpslist" +NFTSET_LOCAL="passwall2_local" +NFTSET_LAN="passwall2_lan" +NFTSET_VPS="passwall2_vps" -NFTSET_LOCALLIST6="passwall2_locallist6" -NFTSET_LANLIST6="passwall2_lanlist6" -NFTSET_VPSLIST6="passwall2_vpslist6" +NFTSET_LOCAL6="passwall2_local6" +NFTSET_LAN6="passwall2_lan6" +NFTSET_VPS6="passwall2_vps6" FORCE_INDEX=0 @@ -356,18 +356,18 @@ load_acl() { write_ipset_direct=${write_ipset_direct:-1} [ "${write_ipset_direct}" = "1" ] && { if [ -n "$(get_cache_var "ACL_${sid}_default")" ]; then - local nftset_whitelist=${nftset_global_whitelist} - local nftset_whitelist6=${nftset_global_whitelist6} + local nftset_white=${nftset_global_white} + local nftset_white6=${nftset_global_white6} shunt_list4=${SHUNT_LIST4} shunt_list6=${SHUNT_LIST6} else - local nftset_whitelist="passwall2_${sid}_whitelist" - local nftset_whitelist6="passwall2_${sid}_whitelist6" - gen_nftset $nftset_whitelist ipv4_addr 3d 3d - gen_nftset $nftset_whitelist6 ipv6_addr 3d 3d + local nftset_white="passwall2_${sid}_white" + local nftset_white6="passwall2_${sid}_white6" + gen_nftset $nftset_white ipv4_addr 3d 3d + gen_nftset $nftset_white6 ipv6_addr 3d 3d #分流规则的IP列表(使用分流节点时导入) - gen_shunt_list ${node} shunt_list4 shunt_list6 ${write_ipset_direct} ${nftset_whitelist} ${nftset_whitelist6} + gen_shunt_list ${node} shunt_list4 shunt_list6 ${write_ipset_direct} ${nftset_white} ${nftset_white6} fi } 
@@ -616,25 +616,25 @@ load_acl() { filter_haproxy() { for item in $(uci show $CONFIG | grep ".lbss=" | cut -d "'" -f 2); do local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1) - [ -n "$ip" ] && insert_nftset $NFTSET_VPSLIST "-1" $ip + [ -n "$ip" ] && insert_nftset $NFTSET_VPS "-1" $ip done - echolog "加入负载均衡的节点到nftset[$NFTSET_VPSLIST]直连完成" + echolog "加入负载均衡的节点到nftset[$NFTSET_VPS]直连完成" } filter_vps_addr() { for server_host in $@; do local vps_ip4=$(get_host_ip "ipv4" ${server_host}) local vps_ip6=$(get_host_ip "ipv6" ${server_host}) - [ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST "-1" $vps_ip4 - [ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 "-1" $vps_ip6 + [ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPS "-1" $vps_ip4 + [ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPS6 "-1" $vps_ip6 done } filter_vpsip() { - insert_nftset $NFTSET_VPSLIST "-1" $(uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d") - echolog " - [$?]加入所有IPv4节点到nftset[$NFTSET_VPSLIST]直连完成" - insert_nftset $NFTSET_VPSLIST6 "-1" $(uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d") - echolog " - [$?]加入所有IPv6节点到nftset[$NFTSET_VPSLIST6]直连完成" + insert_nftset $NFTSET_VPS "-1" $(uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d") + echolog " - [$?]加入所有IPv4节点到nftset[$NFTSET_VPS]直连完成" + insert_nftset $NFTSET_VPS6 "-1" $(uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d") + echolog " - [$?]加入所有IPv6节点到nftset[$NFTSET_VPS6]直连完成" } filter_server_port() { 
@@ -682,16 +682,16 @@ filter_direct_node_list() { add_firewall_rule() { echolog "开始加载防火墙规则..." gen_nft_tables - gen_nftset $NFTSET_LOCALLIST ipv4_addr 0 "-1" - gen_nftset $NFTSET_LANLIST ipv4_addr 0 "-1" $(gen_lanlist) - gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0 + gen_nftset $NFTSET_LOCAL ipv4_addr 0 "-1" + gen_nftset $NFTSET_LAN ipv4_addr 0 "-1" $(gen_lanlist) + gen_nftset $NFTSET_VPS ipv4_addr 0 0 - gen_nftset $NFTSET_LOCALLIST6 ipv6_addr 0 "-1" - gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 "-1" $(gen_lanlist_6) - gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0 + gen_nftset $NFTSET_LOCAL6 ipv6_addr 0 "-1" + gen_nftset $NFTSET_LAN6 ipv6_addr 0 "-1" $(gen_lanlist_6) + gen_nftset $NFTSET_VPS6 ipv6_addr 0 0 - insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g") - insert_nftset $NFTSET_LOCALLIST6 "-1" $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g") + insert_nftset $NFTSET_LOCAL "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g") + insert_nftset $NFTSET_LOCAL6 "-1" $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g") # 忽略特殊IP段 local lan_ifname lan_ip @@ -702,14 +702,14 @@ add_firewall_rule() { #echolog "本机IPv4网段互访直连:${lan_ip}" #echolog "本机IPv6网段互访直连:${lan_ip6}" - [ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST "-1" $(echo $lan_ip | sed -e "s/ /\n/g") - [ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 "-1" $(echo $lan_ip6 | sed -e "s/ /\n/g") + [ -n "$lan_ip" ] && insert_nftset $NFTSET_LAN "-1" $(echo $lan_ip | sed -e "s/ /\n/g") + [ -n "$lan_ip6" ] && insert_nftset $NFTSET_LAN6 "-1" $(echo $lan_ip6 | sed -e "s/ /\n/g") } [ -n "$ISP_DNS" ] && { #echolog "处理 ISP DNS 例外..." for ispip in $ISP_DNS; do - insert_nftset $NFTSET_LANLIST "-1" $ispip + insert_nftset $NFTSET_LAN "-1" $ispip echolog " - [$?]追加ISP IPv4 DNS到白名单:${ispip}" done } 
@@ -717,18 +717,18 @@ add_firewall_rule() { [ -n "$ISP_DNS6" ] && { #echolog "处理 ISP IPv6 DNS 例外..." for ispip6 in $ISP_DNS6; do - insert_nftset $NFTSET_LANLIST6 "-1" $ispip6 + insert_nftset $NFTSET_LAN6 "-1" $ispip6 echolog " - [$?]追加ISP IPv6 DNS到白名单:${ispip6}" done } - local nftset_global_whitelist="passwall2_global_whitelist" - local nftset_global_whitelist6="passwall2_global_whitelist6" - gen_nftset $nftset_global_whitelist ipv4_addr 0 0 - gen_nftset $nftset_global_whitelist6 ipv6_addr 0 0 + local nftset_global_white="passwall2_global_white" + local nftset_global_white6="passwall2_global_white6" + gen_nftset $nftset_global_white ipv4_addr 0 0 + gen_nftset $nftset_global_white6 ipv6_addr 0 0 #分流规则的IP列表(使用分流节点时导入) - gen_shunt_list ${NODE} SHUNT_LIST4 SHUNT_LIST6 ${WRITE_IPSET_DIRECT} ${nftset_global_whitelist} ${nftset_global_whitelist6} + gen_shunt_list ${NODE} SHUNT_LIST4 SHUNT_LIST6 ${WRITE_IPSET_DIRECT} ${nftset_global_white} ${nftset_global_white6} # 过滤所有节点IP filter_vpsip > /dev/null 2>&1 & @@ -759,8 +759,8 @@ add_firewall_rule() { nft "flush chain $NFTABLE_NAME PSW2_DNS" if [ $(config_t_get global dns_redirect "1") = "0" ]; then #Only hijack when dest address is local IP - nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW2_DNS" - nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW2_DNS" + nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCAL} jump PSW2_DNS" + nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCAL6} jump PSW2_DNS" else nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS" fi 
@@ -777,13 +777,13 @@ add_firewall_rule() { #ipv4 tproxy mode and udp nft "add chain $NFTABLE_NAME PSW2_MANGLE" nft "flush chain $NFTABLE_NAME PSW2_MANGLE" - nft "add rule $NFTABLE_NAME PSW2_MANGLE ip daddr @$NFTSET_LANLIST counter return" - nft "add rule $NFTABLE_NAME PSW2_MANGLE ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule $NFTABLE_NAME PSW2_MANGLE ip daddr @$NFTSET_LAN counter return" + nft "add rule $NFTABLE_NAME PSW2_MANGLE ip daddr @$NFTSET_VPS counter return" nft "add chain $NFTABLE_NAME PSW2_OUTPUT_MANGLE" nft "flush chain $NFTABLE_NAME PSW2_OUTPUT_MANGLE" - nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip daddr @$NFTSET_LANLIST counter return" - nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip daddr @$NFTSET_LAN counter return" + nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip daddr @$NFTSET_VPS counter return" [ -n "$AUTO_DNS" ] && { for auto_dns in $(echo $AUTO_DNS | tr ',' ' '); do local dns_address=$(echo $auto_dns | awk -F '#' '{print $1}') 
@@ -803,14 +803,14 @@ add_firewall_rule() { [ -z "${is_tproxy}" ] && { nft "add chain $NFTABLE_NAME PSW2_NAT" nft "flush chain $NFTABLE_NAME PSW2_NAT" - nft "add rule $NFTABLE_NAME PSW2_NAT ip daddr @$NFTSET_LANLIST counter return" - nft "add rule $NFTABLE_NAME PSW2_NAT ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule $NFTABLE_NAME PSW2_NAT ip daddr @$NFTSET_LAN counter return" + nft "add rule $NFTABLE_NAME PSW2_NAT ip daddr @$NFTSET_VPS counter return" nft "add rule $NFTABLE_NAME dstnat ip protocol tcp counter jump PSW2_NAT" nft "add chain $NFTABLE_NAME PSW2_OUTPUT_NAT" nft "flush chain $NFTABLE_NAME PSW2_OUTPUT_NAT" - nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return" - nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$NFTSET_LAN counter return" + nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$NFTSET_VPS counter return" nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT meta mark 0xff counter return" } 
@@ -818,12 +818,12 @@ add_firewall_rule() { if [ "$accept_icmp" = "1" ]; then nft "add chain $NFTABLE_NAME PSW2_ICMP_REDIRECT" nft "flush chain $NFTABLE_NAME PSW2_ICMP_REDIRECT" - nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$NFTSET_LANLIST counter return" - nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$NFTSET_VPSLIST counter return" + nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$NFTSET_LAN counter return" + nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$NFTSET_VPS counter return" [ "$accept_icmpv6" = "1" ] && { - nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$NFTSET_LANLIST6 counter return" - nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSLIST6 counter return" + nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$NFTSET_LAN6 counter return" + nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$NFTSET_VPS6 counter return" } nft "add rule $NFTABLE_NAME dstnat meta l4proto {icmp,icmpv6} counter jump PSW2_ICMP_REDIRECT" 
@@ -843,13 +843,13 @@ add_firewall_rule() { #ipv6 tproxy mode and udp nft "add chain $NFTABLE_NAME PSW2_MANGLE_V6" nft "flush chain $NFTABLE_NAME PSW2_MANGLE_V6" - nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return" - nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return" + nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$NFTSET_LAN6 counter return" + nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$NFTSET_VPS6 counter return" nft "add chain $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6" nft "flush chain $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6" - nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return" - nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return" + nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LAN6 counter return" + nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPS6 counter return" nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta mark 0xff counter return" # jump chains @@ -1012,13 +1012,13 @@ del_firewall_rule() { ip -6 rule del fwmark 1 table 100 2>/dev/null ip -6 route del local ::/0 dev lo table 100 2>/dev/null - destroy_nftset $NFTSET_LOCALLIST - destroy_nftset $NFTSET_LANLIST - destroy_nftset $NFTSET_VPSLIST + destroy_nftset $NFTSET_LOCAL + destroy_nftset $NFTSET_LAN + destroy_nftset $NFTSET_VPS - destroy_nftset $NFTSET_LOCALLIST6 - destroy_nftset $NFTSET_LANLIST6 - destroy_nftset $NFTSET_VPSLIST6 + destroy_nftset $NFTSET_LOCAL6 + destroy_nftset $NFTSET_LAN6 + destroy_nftset $NFTSET_VPS6 $DIR/app.sh echolog "删除nftables防火墙规则完成。" }
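Review bot: del_firewall_rule now destroys only the renamed sets, so after an in-place package upgrade the sets created by the previous version under the old names (`passwall2_locallist`, `passwall2_lanlist`, `passwall2_vpslist`, their `6` variants, and the `*_whitelist` sets from load_acl) stay in the `inet passwall2` table until reboot unless something outside this hunk deletes the whole table; the same concern applies to the ipset side renamed in iptables.sh, whose cleanup is not in this diff. Since the old names are known, a one-time `destroy_nftset` of each old name here (or a delete of the whole table, if that is already what the stop path does) would make the upgrade clean, and a comment such as `# also drop pre-rename set names left by older versions` would explain the extra lines. The function starts outside this hunk.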