luci-app-passwall: fix
This commit is contained in:
ShanStone
sbwml
parent
4d93b86d8f
commit
d35f5f19f3
@ -10,7 +10,7 @@ NFTSET_CHN="chnroute"
|
||||
NFTSET_BLACKLIST="blacklist"
|
||||
NFTSET_WHITELIST="whitelist"
|
||||
NFTSET_BLOCKLIST="blocklist"
|
||||
|
||||
|
||||
NFTSET_LANIPLIST6="laniplist6"
|
||||
NFTSET_VPSIPLIST6="vpsiplist6"
|
||||
NFTSET_SHUNTLIST6="shuntlist6"
|
||||
@ -19,11 +19,11 @@ NFTSET_CHN6="chnroute6"
|
||||
NFTSET_BLACKLIST6="blacklist6"
|
||||
NFTSET_WHITELIST6="whitelist6"
|
||||
NFTSET_BLOCKLIST6="blocklist6"
|
||||
|
||||
|
||||
FORCE_INDEX=2
|
||||
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
|
||||
FWI=$(uci -q get firewall.passwall.path 2>/dev/null)
|
||||
FAKE_IP="198.18.0.0/16"
|
||||
|
||||
@ -950,7 +950,7 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
|
||||
# jump chains
|
||||
nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
|
||||
insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT"
|
||||
|
||||
#ipv4 tcp redirect mode
|
||||
@ -990,7 +990,9 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
WAN_IP=$(get_wan_ip)
|
||||
[ -n "${WAN_IP}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
|
||||
if [ -n "${WAN_IP}" ]; then
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
|
||||
fi
|
||||
unset WAN_IP
|
||||
|
||||
ip rule add fwmark 1 lookup 100
|
||||
@ -1057,7 +1059,7 @@ add_firewall_rule() {
|
||||
nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
|
||||
else
|
||||
nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
|
||||
nft add rule inet fw4 PSW_MANGLE iifname lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
|
||||
nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
|
||||
fi
|
||||
echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
|
||||
}
|
||||
@ -1087,8 +1089,8 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp iifname lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
fi
|
||||
|
||||
@ -1096,8 +1098,8 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
|
||||
}
|
||||
fi
|
||||
|
||||
@ -1159,7 +1161,7 @@ add_firewall_rule() {
|
||||
return 0
|
||||
}
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${2} udp dport ${3} counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_MANGLE iifname lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE iif lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
|
||||
echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
|
||||
}
|
||||
[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
|
||||
@ -1173,24 +1175,24 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp iifname lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_PROXY_MODE) jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
|
||||
}
|
||||
fi
|
||||
|
||||
nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
|
||||
|
||||
nft "add rule inet fw4 PSW_MANGLE counter ip protocol udp udp dport 53 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 counter meta l4proto udp udp dport 53 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
|
||||
# 加载ACLS
|
||||
load_acl
|
||||
|
||||
@ -1277,7 +1279,7 @@ gen_include() {
|
||||
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
|
||||
}
|
||||
|
||||
nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
|
||||
\$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
|
||||
@ -1287,7 +1289,7 @@ gen_include() {
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
|
||||
}
|
||||
|
||||
nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
|
||||
EOF
|
||||
)
|
||||
|
||||
@ -91,19 +91,21 @@ local function line_count(file_path)
|
||||
end
|
||||
|
||||
local function non_file_check(file_path, vali_file)
|
||||
if nixio.fs.readfile(file_path, 1000) then
|
||||
local remote_file_size = luci.sys.exec("cat " .. vali_file .. " | grep -i Content-Length | awk '{print $2}'")
|
||||
local local_file_size = luci.sys.exec("ls -l " .. file_path .. "| awk '{print $5}'")
|
||||
if remote_file_size then
|
||||
if nixio.fs.readfile(file_path, 10) then
|
||||
local remote_file_size = luci.sys.exec("cat " .. vali_file .. " | grep -i 'Content-Length' | awk '{print $2}'")
|
||||
local local_file_size = nixio.fs.stat(file_path, "size")
|
||||
if remote_file_size and local_file_size then
|
||||
if tonumber(remote_file_size) == tonumber(local_file_size) then
|
||||
return nil;
|
||||
else
|
||||
log("下载文件大小校验出错,原始文件大小" .. remote_file_size .. "B,下载文件大小:" .. local_file_size .. "B。")
|
||||
return true;
|
||||
end
|
||||
else
|
||||
return nil;
|
||||
end
|
||||
else
|
||||
log("下载文件读取出错。")
|
||||
return true;
|
||||
end
|
||||
end
|
||||
@ -122,14 +124,14 @@ local function fetch_rule(rule_name,rule_type,url,exclude_domain)
|
||||
for k,v in ipairs(url) do
|
||||
sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
|
||||
if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
|
||||
log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件读取出错,尝试重新下载。")
|
||||
log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件过程出错,尝试重新下载。")
|
||||
os.remove(download_file_tmp..k)
|
||||
os.remove(vali_file..k)
|
||||
sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
|
||||
if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
|
||||
sret = 0
|
||||
sret_tmp = 0
|
||||
log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件读取出错,请检查网络或下载链接后重试!")
|
||||
log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件过程出错,请检查网络或下载链接后重试!")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user