luci-app-passwall: fix

luci-app-passwall/root/usr/share/passwall/nftables.sh

@@ -950,7 +950,7 @@ add_firewall_rule() {
 	nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
 
 	# jump chains
-	nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
+	nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
 	insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT"
 
 	#ipv4 tcp redirect mode
@@ -990,7 +990,9 @@ add_firewall_rule() {
 	fi
 
 	WAN_IP=$(get_wan_ip)
-	[ -n "${WAN_IP}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
+	if [ -n "${WAN_IP}" ]; then
+		[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
+	fi
 	unset WAN_IP
 
 	ip rule add fwmark 1 lookup 100
@@ -1057,7 +1059,7 @@ add_firewall_rule() {
 				nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
 			else
 				nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
-				nft add rule inet fw4 PSW_MANGLE iifname lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
+				nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
 			fi
 			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
 		}
@@ -1087,8 +1089,8 @@ add_firewall_rule() {
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp iifname lo counter return comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
 			nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
 		fi
 
@@ -1096,8 +1098,8 @@ add_firewall_rule() {
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo counter return comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
 		}
 	fi
 
@@ -1159,7 +1161,7 @@ add_firewall_rule() {
 				return 0
 			}
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${2} udp dport ${3} counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE iifname lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE iif lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
 			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
 		}
 		[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
@@ -1173,24 +1175,24 @@ add_firewall_rule() {
 		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
-		nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
-		nft "add rule inet fw4 PSW_MANGLE ip protocol udp iifname lo counter return comment \"本机\""
+		nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+		nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
 		nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
 
 		[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo counter return comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
 		}
 	fi
 
-	nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
+	nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
 	nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
 
-	nft "add rule inet fw4 PSW_MANGLE counter ip protocol udp udp dport 53 counter return"
-	nft "add rule inet fw4 PSW_MANGLE_V6 counter meta l4proto udp udp dport 53 counter return"
+	nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
+	nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
 	#  加载ACLS
 	load_acl
 
@@ -1277,7 +1279,7 @@ gen_include() {
 				nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
 			}
 
-			nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
+			nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
 			[ -n "${is_tproxy}" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
 			nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
 			\$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
@@ -1287,7 +1289,7 @@ gen_include() {
 				nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
 			}
 
-			nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
+			nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
 			nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
 		EOF
 		)

luci-app-passwall/root/usr/share/passwall/rule_update.lua

@@ -91,19 +91,21 @@ local function line_count(file_path)
 end
 
 local function non_file_check(file_path, vali_file)
-	if nixio.fs.readfile(file_path, 1000) then
-		local remote_file_size = luci.sys.exec("cat " .. vali_file .. " | grep -i Content-Length | awk '{print $2}'")
-		local local_file_size = luci.sys.exec("ls -l " .. file_path .. "| awk '{print $5}'")
-		if remote_file_size then
+	if nixio.fs.readfile(file_path, 10) then
+		local remote_file_size = luci.sys.exec("cat " .. vali_file .. " | grep -i 'Content-Length' | awk '{print $2}'")
+		local local_file_size = nixio.fs.stat(file_path, "size")
+		if remote_file_size and local_file_size then
 			if tonumber(remote_file_size) == tonumber(local_file_size) then
 				return nil;
 			else
+				log("下载文件大小校验出错，原始文件大小" .. remote_file_size .. "B，下载文件大小：" .. local_file_size .. "B。")
 				return true;
 			end
 		else
 			return nil;
 		end
 	else
+		log("下载文件读取出错。")
 		return true;
 	end
 end
@@ -122,14 +124,14 @@ local function fetch_rule(rule_name,rule_type,url,exclude_domain)
 	for k,v in ipairs(url) do
 		sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
 		if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
-			log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件读取出错，尝试重新下载。")
+			log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件过程出错，尝试重新下载。")
 			os.remove(download_file_tmp..k)
 			os.remove(vali_file..k)
 			sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
 			if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
 				sret = 0
 				sret_tmp = 0
-				log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件读取出错，请检查网络或下载链接后重试！")
+				log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件过程出错，请检查网络或下载链接后重试！")
 			end
 		end