From d42b45b72b7cfccd2cb9b8b24bd59eaa741721c8 Mon Sep 17 00:00:00 2001 From: gitea-action Date: Thu, 12 Dec 2024 04:00:23 +0800 Subject: [PATCH] luci-app-passwall2: sync upstream last commit: https://github.com/xiaorouji/openwrt-passwall2/commit/dababefbd25fa57b4c54b8715ccaf0bade1456f0 --- luci-app-passwall2/Makefile | 2 +- .../root/usr/share/passwall2/app.sh | 48 +++--- .../usr/share/passwall2/helper_dnsmasq.sh | 146 ------------------ .../root/usr/share/passwall2/iptables.sh | 47 ++++-- .../root/usr/share/passwall2/nftables.sh | 73 +++++---- 5 files changed, 107 insertions(+), 209 deletions(-) delete mode 100755 luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index 19aacfb96..08f79b5f3 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 PKG_VERSION:=24.12.11 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_CONFIG_DEPENDS:= \ CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \ diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index bc3bb6e85..b2834441a 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -13,9 +13,6 @@ TMP_ROUTE_PATH=$TMP_PATH/route TMP_ACL_PATH=$TMP_PATH/acl TMP_IFACE_PATH=$TMP_PATH/iface TMP_PATH2=/tmp/etc/${CONFIG}_tmp -DNSMASQ_PATH=/etc/dnsmasq.d -DNSMASQ_CONF_DIR=/tmp/dnsmasq.d -TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} LOG_FILE=/tmp/log/$CONFIG.log APP_PATH=/usr/share/$CONFIG RULES_PATH=/usr/share/${CONFIG}/rules @@ -288,17 +285,6 @@ lua_api() { echo $(lua -e "local api = require 'luci.passwall2.api' print(api.${func})") } -get_dnsmasq_conf_dir() { - local dnsmasq_conf_path=$(grep -l "^conf-dir=" /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}) - [ -n "$dnsmasq_conf_path" ] && { - local dnsmasq_conf_dir=$(grep '^conf-dir=' "$dnsmasq_conf_path" | cut -d'=' -f2 | head -n 1) - [ -n "$dnsmasq_conf_dir" ] && { - DNSMASQ_CONF_DIR=${dnsmasq_conf_dir%*/} - TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} - } - } -} - get_geoip() { local geoip_code="$1" local geoip_type_flag="" @@ -719,9 +705,6 @@ run_global() { msg="${msg})" echolog ${msg} - source $APP_PATH/helper_dnsmasq.sh stretch - source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE=${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf DEFAULT_DNS=$AUTO_DNS LOCAL_DNS=$LOCAL_DNS TUN_DNS=$TUN_DNS NFTFLAG=${nftflag:-0} - V2RAY_CONFIG=$TMP_ACL_PATH/default/global.json V2RAY_LOG=$TMP_ACL_PATH/default/global.log [ "$(config_t_get global log_node 1)" != "1" ] && V2RAY_LOG="/dev/null" @@ -747,8 +730,30 @@ run_global() { elif [ "${TYPE}" = "sing-box" ] && [ -n "${SINGBOX_BIN}" ]; then run_func="run_singbox" fi - + ${run_func} $V2RAY_ARGS + + GLOBAL_DNSMASQ_PORT=$(get_new_port 11400) + mkdir -p $TMP_ACL_PATH/default/dnsmasq.d + local GLOBAL_DNSMASQ_CONF=$TMP_ACL_PATH/default/dnsmasq.conf + [ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && { + cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $GLOBAL_DNSMASQ_CONF + sed -i "/ubus/d" $GLOBAL_DNSMASQ_CONF + sed -i "/dhcp/d" $GLOBAL_DNSMASQ_CONF + sed -i "/port=/d" $GLOBAL_DNSMASQ_CONF + sed -i "/conf-dir/d" $GLOBAL_DNSMASQ_CONF + sed -i "/no-poll/d" $GLOBAL_DNSMASQ_CONF + sed -i "/no-resolv/d" $GLOBAL_DNSMASQ_CONF + } + cat <<-EOF >> $GLOBAL_DNSMASQ_CONF + port=${GLOBAL_DNSMASQ_PORT} + conf-dir=${TMP_ACL_PATH}/default/dnsmasq.d + server=${TUN_DNS} + no-poll + no-resolv + EOF + ln_run "$(first_type dnsmasq)" "dnsmasq_default" "/dev/null" -C $GLOBAL_DNSMASQ_CONF -x $TMP_ACL_PATH/default/dnsmasq.pid + echo "${GLOBAL_DNSMASQ_PORT}" > $TMP_ACL_PATH/default/var_redirect_dns_port } start_socks() { @@ -1011,6 +1016,7 @@ acl_app() { redir_port=11200 dns_port=11300 dnsmasq_port=11400 + [ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT) for item in $items; do index=$(expr $index + 1) local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface @@ -1099,7 +1105,6 @@ acl_app() { echo "server=127.0.0.1#${dns_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - #source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_ACL_PATH/$sid/dnsmasq.d DNSMASQ_CONF_FILE=/dev/null DEFAULT_DNS=$AUTO_DNS TUN_DNS=127.0.0.1#${dns_port} NFTFLAG=${nftflag:-0} NO_LOGIC_LOG=1 ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid eval node_${node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} filter_node $node TCP > /dev/null 2>&1 & @@ -1162,7 +1167,6 @@ start() { [ "$ENABLED_DEFAULT_ACL" == 1 ] && run_global [ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start - [ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_dnsmasq.sh logic_restart if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then [ -n "$(first_type chinadns-ng)" ] && { node_servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2) @@ -1192,8 +1196,6 @@ stop() { unset V2RAY_LOCATION_ASSET unset XRAY_LOCATION_ASSET stop_crontab - source $APP_PATH/helper_dnsmasq.sh del - source $APP_PATH/helper_dnsmasq.sh restart no_log=1 [ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1 [ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1 rm -rf ${TMP_PATH} @@ -1247,8 +1249,6 @@ PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0) XRAY_BIN=$(first_type $(config_t_get global_app xray_file) xray) SINGBOX_BIN=$(first_type $(config_t_get global_app singbox_file) sing-box) -get_dnsmasq_conf_dir - export V2RAY_LOCATION_ASSET=$(config_t_get global_rules v2ray_location_asset "/usr/share/v2ray/") export XRAY_LOCATION_ASSET=$V2RAY_LOCATION_ASSET mkdir -p /tmp/etc $TMP_PATH $TMP_BIN_PATH $TMP_SCRIPT_FUNC_PATH $TMP_ID_PATH $TMP_ROUTE_PATH $TMP_ACL_PATH $TMP_IFACE_PATH $TMP_PATH2 diff --git a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh b/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh deleted file mode 100755 index 470ab1e6c..000000000 --- a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh +++ /dev/null @@ -1,146 +0,0 @@ -#!/bin/sh - -stretch() { - #zhenduiluanshezhiDNSderen - local dnsmasq_server=$(uci -q get dhcp.@dnsmasq[0].server) - local dnsmasq_noresolv=$(uci -q get dhcp.@dnsmasq[0].noresolv) - local _flag - for server in $dnsmasq_server; do - [ -z "$(echo $server | grep '\/')" ] && _flag=1 - done - [ -z "$_flag" ] && [ "$dnsmasq_noresolv" = "1" ] && { - uci -q delete dhcp.@dnsmasq[0].noresolv - uci -q set dhcp.@dnsmasq[0].resolvfile="$RESOLVFILE" - uci commit dhcp - } -} - -backup_servers() { - DNSMASQ_DNS=$(uci show dhcp.@dnsmasq[0] | grep ".server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' ',') - if [ -n "${DNSMASQ_DNS}" ]; then - uci -q set $CONFIG.@global[0].dnsmasq_servers="${DNSMASQ_DNS}" - uci commit $CONFIG - fi -} - -restore_servers() { - OLD_SERVER=$(uci -q get $CONFIG.@global[0].dnsmasq_servers | tr "," " ") - for server in $OLD_SERVER; do - uci -q del_list dhcp.@dnsmasq[0].server=$server - uci -q add_list dhcp.@dnsmasq[0].server=$server - done - uci commit dhcp - uci -q delete $CONFIG.@global[0].dnsmasq_servers - uci commit $CONFIG -} - -logic_restart() { - local no_log - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$no_log" ] && LOG_FILE="/dev/null" - if [ -f "$TMP_PATH/default_DNS" ]; then - backup_servers - #sed -i "/list server/d" /etc/config/dhcp >/dev/null 2>&1 - for server in $(uci -q get dhcp.@dnsmasq[0].server); do - [ -n "$(echo $server | grep '\/')" ] || uci -q del_list dhcp.@dnsmasq[0].server="$server" - done - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - restore_servers - else - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - fi - echolog "重启 dnsmasq 服务" - LOG_FILE=${_LOG_FILE} -} - -restart() { - local no_log - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$no_log" ] && LOG_FILE="/dev/null" - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - echolog "重启 dnsmasq 服务" - LOG_FILE=${_LOG_FILE} -} - -gen_items() { - local dnss settype setnames outf ipsetoutf - eval_set_val $@ - - awk -v dnss="${dnss}" -v settype="${settype}" -v setnames="${setnames}" -v outf="${outf}" -v ipsetoutf="${ipsetoutf}" ' - BEGIN { - if(outf == "") outf="/dev/stdout"; - if(ipsetoutf == "") ipsetoutf=outf; - split(dnss, dns, ","); setdns=length(dns)>0; setlist=length(setnames)>0; - if(setdns) for(i in dns) if(length(dns[i])==0) delete dns[i]; - fail=1; - } - ! /^$/&&!/^#/ { - fail=0 - if(setdns) for(i in dns) printf("server=/.%s/%s\n", $0, dns[i]) >>outf; - if(setlist) printf("%s=/.%s/%s\n", settype, $0, setnames) >>ipsetoutf; - } - END {fflush(outf); close(outf); fflush(ipsetoutf); close(ipsetoutf); exit(fail);} - ' -} - -add() { - local TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS NFTFLAG NO_LOGIC_LOG - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$NO_LOGIC_LOG" ] && LOG_FILE="/dev/null" - mkdir -p "${TMP_DNSMASQ_PATH}" "${DNSMASQ_PATH}" "${DNSMASQ_CONF_DIR}" - - local set_type="ipset" - [ "${NFTFLAG}" = "1" ] && { - set_type="nftset" - local setflag_4="4#inet#passwall2#" - local setflag_6="6#inet#passwall2#" - } - - #始终用国内DNS解析节点域名 - servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2) - hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" | gen_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpslist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf" - echolog " - [$?]节点列表中的域名(vpslist):${DEFAULT_DNS:-默认}" - - echo "conf-dir=${TMP_DNSMASQ_PATH}" > $DNSMASQ_CONF_FILE - [ -n "${TUN_DNS}" ] && { - echo "${DEFAULT_DNS}" > $TMP_PATH/default_DNS - cat <<-EOF >> $DNSMASQ_CONF_FILE - server=${TUN_DNS} - all-servers - no-poll - no-resolv - EOF - echolog " - [$?]默认:${TUN_DNS}" - } - LOG_FILE=${_LOG_FILE} -} - -del() { - rm -rf $DNSMASQ_CONF_DIR/dnsmasq-$CONFIG.conf - rm -rf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf - rm -rf $TMP_DNSMASQ_PATH -} - -arg1=$1 -shift -case $arg1 in -stretch) - stretch $@ - ;; -add) - add $@ - ;; -del) - del $@ - ;; -restart) - restart $@ - ;; -logic_restart) - logic_restart $@ - ;; -*) ;; -esac diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index af9679bd4..ae79608f8 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh @@ -322,9 +322,22 @@ load_acl() { echolog " - ${msg}不代理所有 UDP" fi } + + if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && { + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null + } + else + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + fi [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) msg2="${msg}使用 TCP 节点[$node_remark]" if [ -n "${is_tproxy}" ]; then msg2="${msg2}(TPROXY:${redir_port})" @@ -342,7 +355,7 @@ load_acl() { [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null } @@ -353,7 +366,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && { $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null } @@ -372,7 +385,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null } @@ -415,6 +428,15 @@ load_acl() { fi } + if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + $ipt_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + $ipt_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + } + fi + if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]" if [ -n "${is_tproxy}" ]; then @@ -592,11 +614,6 @@ filter_node() { fi } -dns_hijack() { - $ipt_n -I PSW2 -p udp --dport 53 -j REDIRECT --to-ports 53 - echolog "强制转发本机DNS端口 UDP/53 的请求[$?]" -} - add_firewall_rule() { echolog "开始加载防火墙规则..." ipset -! create $IPSET_LANLIST nethash maxelem 1048576 @@ -760,6 +777,9 @@ add_firewall_rule() { $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN $ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN } + + $ip6t_n -N PSW2_REDIRECT + $ip6t_n -I PREROUTING 1 -j PSW2_REDIRECT $ip6t_m -N PSW2_DIVERT $ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1 @@ -845,6 +865,15 @@ add_firewall_rule() { echolog " - ${msg}不代理所有 UDP" fi } + + if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + $ipt_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + $ipt_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + } + fi # 加载路由器自身代理 TCP if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index fe39cc9f6..fb0112ec2 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh @@ -286,8 +286,8 @@ load_acl() { local _SHUNT_RULE_NODE=$(config_n_get $NODE ${_shunt_id} nil) [ "${_SHUNT_RULE_NODE}" == "_default" ] && _SHUNT_RULE_NODE=${_SHUNT_DEFAULT_NODE} [ "${_SHUNT_RULE_NODE}" == "_direct" ] && { - insert_nftset $ipset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") - insert_nftset $ipset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") + insert_nftset $nftset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") + insert_nftset $nftset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") [ "$(config_t_get global_rules enable_geoview)" = "1" ] && { local _geoip_code=$(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g') [ -n "$_geoip_code" ] && _GEOIP_CODE="${_GEOIP_CODE:+$_GEOIP_CODE,}$_geoip_code" @@ -297,8 +297,8 @@ load_acl() { } if [ -n "$_GEOIP_CODE" ] && type geoview &> /dev/null; then - insert_nftset $ipset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") - insert_nftset $ipset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") + insert_nftset $nftset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") + insert_nftset $nftset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成" fi fi @@ -367,8 +367,21 @@ load_acl() { fi } + if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && { + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + } + else + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + fi + [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" msg2="${msg}使用 TCP 节点[$node_remark]" if [ -n "${is_tproxy}" ]; then msg2="${msg2}(TPROXY:${redir_port})" @@ -389,7 +402,7 @@ load_acl() { [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null } @@ -401,7 +414,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && { nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" - [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null } @@ -420,7 +433,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" - [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null } @@ -461,6 +474,15 @@ load_acl() { fi } + if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + } + fi + if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]" if [ -n "${is_tproxy}" ]; then @@ -650,22 +672,6 @@ filter_node() { fi } -dns_hijack() { - [ $(config_t_get global dns_redirect "0") = "1" ] && { - nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp udp dport 53 counter return" - nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp tcp dport 53 counter return" - nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp udp dport 53 counter return" - nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return" - nft insert rule $NFTABLE_NAME dstnat position 0 tcp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null - nft insert rule $NFTABLE_NAME dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null - nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null - nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null - uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null - uci commit dhcp 2>/dev/null - echolog " - 开启 DNS 重定向" - } -} - add_firewall_rule() { echolog "开始加载防火墙规则..." gen_nft_tables @@ -721,8 +727,8 @@ add_firewall_rule() { local SHUNT_RULE_NODE=$(config_n_get $NODE ${shunt_id} nil) [ "${SHUNT_RULE_NODE}" == "_default" ] && SHUNT_RULE_NODE=${SHUNT_DEFAULT_NODE} [ "${SHUNT_RULE_NODE}" == "_direct" ] && { - insert_nftset $ipset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") - insert_nftset $ipset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") + insert_nftset $nftset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") + insert_nftset $nftset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") [ "$(config_t_get global_rules enable_geoview)" = "1" ] && { local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g') [ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code" @@ -732,8 +738,8 @@ add_firewall_rule() { } if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then - insert_nftset $ipset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") - insert_nftset $ipset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") + insert_nftset $nftset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") + insert_nftset $nftset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成" fi @@ -917,7 +923,16 @@ add_firewall_rule() { echolog " - ${msg}不代理所有 UDP" fi } - + + if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\"" + nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\"" + nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\"" + nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\"" + } + fi + # 加载路由器自身代理 TCP if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then [ "$accept_icmp" = "1" ] && {