diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh
index 08ea6e3b2..0188e32a1 100755
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -24,7 +24,7 @@ DNS_PORT=15353
 TUN_DNS="127.0.0.1#${DNS_PORT}"
 LOCAL_DNS=119.29.29.29,223.5.5.5
 DEFAULT_DNS=
-FW_APPEND_DNS=
+IPT_APPEND_DNS=
 ENABLED_DEFAULT_ACL=0
 PROXY_IPV6=0
 PROXY_IPV6_UDP=0
@@ -1357,7 +1357,7 @@ stop_crontab() {
 start_dns() {
 echolog "DNS域名解析:"
- local china_ng_local_dns=${LOCAL_DNS}
+ local china_ng_local_dns=$(IFS=','; set -- $LOCAL_DNS; [ "${1%%[#:]*}" = "127.0.0.1" ] && echo "$1" || ([ -n "$2" ] && echo "$1,$2" || echo "$1"))
 local sing_box_local_dns=
 local direct_dns_mode=$(config_t_get global direct_dns_mode "auto")
 case "$direct_dns_mode" in
@@ -1365,7 +1365,7 @@ start_dns() {
 LOCAL_DNS=$(config_t_get global direct_dns_udp 223.5.5.5 | sed 's/:/#/g')
 china_ng_local_dns=${LOCAL_DNS}
 sing_box_local_dns="direct_dns_udp_server=${LOCAL_DNS}"
- FW_APPEND_DNS=${LOCAL_DNS}
+ IPT_APPEND_DNS=${LOCAL_DNS}
 ;;
 tcp)
 LOCAL_DNS="127.0.0.1#${dns_listen_port}"
@@ -1373,7 +1373,7 @@ start_dns() {
 local DIRECT_DNS=$(config_t_get global direct_dns_tcp 223.5.5.5 | sed 's/:/#/g')
 china_ng_local_dns="tcp://${DIRECT_DNS}"
 sing_box_local_dns="direct_dns_tcp_server=${DIRECT_DNS}"
- FW_APPEND_DNS="${LOCAL_DNS},${DIRECT_DNS}"
+ IPT_APPEND_DNS="${LOCAL_DNS},${DIRECT_DNS}"
 ln_run "$(first_type dns2tcp)" dns2tcp "/dev/null" -L "${LOCAL_DNS}" -R "$(get_first_dns DIRECT_DNS 53)" -v
 echolog " - dns2tcp(${LOCAL_DNS}) -> tcp://$(get_first_dns DIRECT_DNS 53 | sed 's/#/:/g')"
 echolog " * 请确保上游直连 DNS 支持 TCP 查询。"
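Review bot: The new `$(IFS=','; set -- $LOCAL_DNS; …)` one-liner in start_dns (hunk @@ -1357) is repeated verbatim in acl_app (hunk @@ -1692 of this commit), and the `&& … || (… && … || …)` chain is hard to read inline; a small named helper called from both places would make the rule — the loopback entry alone when it comes first, otherwise at most the first two entries — visible and keep the two call sites from drifting apart. Because `$LOCAL_DNS` is expanded unquoted there, pathname expansion also runs on the split fields; harmless for an address list, but a `read -r` split avoids it. With the helper below the two lines become `local china_ng_local_dns=$(get_china_ng_local_dns "$LOCAL_DNS")` and `_chinadns_local_dns=$(get_china_ng_local_dns "$LOCAL_DNS")`. start_dns continues past this hunk.
```shell
# Pick the local DNS entries ChinaDNS-NG should use from a comma-separated
# list (ip[#port],...): the loopback entry alone when it is first, otherwise
# at most the first two entries. Prints the result on stdout.
get_china_ng_local_dns() {
	local first second
	IFS=',' read -r first second _ <<EOF
$1
EOF
	case "${first%%[#:]*}" in
		127.0.0.1) echo "$first" ;;
		*)
			if [ -n "$second" ]; then
				echo "$first,$second"
			else
				echo "$first"
			fi
			;;
	esac
}
```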
@@ -1392,7 +1392,7 @@ start_dns() {
 local tmp_dot_ip=$(echo "$DIRECT_DNS" | sed -n 's/.*:\/\/\([^@#]*@\)*\([^@#]*\).*/\2/p')
 local tmp_dot_port=$(echo "$DIRECT_DNS" | sed -n 's/.*#\([0-9]\+\).*/\1/p')
 sing_box_local_dns="direct_dns_dot_server=$tmp_dot_ip#${tmp_dot_port:-853}"
- FW_APPEND_DNS="${LOCAL_DNS},$tmp_dot_ip#${tmp_dot_port:-853}"
+ IPT_APPEND_DNS="${LOCAL_DNS},$tmp_dot_ip#${tmp_dot_port:-853}"
 else
 echolog " - 你的ChinaDNS-NG版本不支持DoT,直连DNS将使用默认地址。"
 fi
@@ -1692,7 +1692,7 @@ acl_app() {
 chinadns_port=$(expr $chinadns_port + 1)
 _china_ng_listen="127.0.0.1#${chinadns_port}"
- _chinadns_local_dns=${LOCAL_DNS}
+ _chinadns_local_dns=$(IFS=','; set -- $LOCAL_DNS; [ "${1%%[#:]*}" = "127.0.0.1" ] && echo "$1" || ([ -n "$2" ] && echo "$1,$2" || echo "$1"))
 _direct_dns_mode=$(config_t_get global direct_dns_mode "auto")
 case "${_direct_dns_mode}" in
 udp)
@@ -1999,7 +1999,7 @@ DEFAULT_DNSMASQ_CFGID=$(uci show dhcp.@dnsmasq[0] | awk -F '.' '{print $2}' | a
 DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
 [ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
 LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}"
-FW_APPEND_DNS=${LOCAL_DNS}
+IPT_APPEND_DNS=${LOCAL_DNS}
 DNS_QUERY_STRATEGY="UseIP"
 [ "$FILTER_PROXY_IPV6" = "1" ] && DNS_QUERY_STRATEGY="UseIPv4"
 
diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh
index 1b69f2122..3cb7bbfb2 100755
--- a/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -841,21 +841,24 @@ add_firewall_rule() {
 $ipt_m -N PSW_OUTPUT
 $ipt_m -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
 $ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
- [ -n "$FW_APPEND_DNS" ] && {
- for local_dns in $(echo $FW_APPEND_DNS | tr ',' ' '); do
- local dns_address=$(echo "$local_dns" | sed -E 's/(@|\[)?([0-9a-fA-F:.]+)(@|#|$).*/\2/')
- local dns_port=$(echo "$local_dns" | sed -nE 's/.*#([0-9]+)$/\1/p')
- if echo "$dns_address" | grep -q ':'; then
- $ip6t_m -A PSW_OUTPUT -p udp -d ${dns_address} --dport ${dns_port:-53} -j RETURN
- $ip6t_m -A PSW_OUTPUT -p tcp -d ${dns_address} --dport ${dns_port:-53} -j RETURN
- echolog " - [$?]追加直连DNS到iptables:[${dns_address}]:${dns_port:-53}"
- else
+
+ [ -n "$IPT_APPEND_DNS" ] && {
+ local local_dns dns_address dns_port
+ for local_dns in $(echo $IPT_APPEND_DNS | tr ',' ' '); do
+ dns_address=$(echo "$local_dns" | sed -E 's/(@|\[)?([0-9a-fA-F:.]+)(@|#|$).*/\2/')
+ dns_port=$(echo "$local_dns" | sed -nE 's/.*#([0-9]+)$/\1/p')
+ if echo "$dns_address" | grep -q -v ':'; then
 $ipt_m -A PSW_OUTPUT -p udp -d ${dns_address} --dport ${dns_port:-53} -j RETURN
 $ipt_m -A PSW_OUTPUT -p tcp -d ${dns_address} --dport ${dns_port:-53} -j RETURN
 echolog " - [$?]追加直连DNS到iptables:${dns_address}:${dns_port:-53}"
+ else
+ $ip6t_m -A PSW_OUTPUT -p udp -d ${dns_address} --dport ${dns_port:-53} -j RETURN
+ $ip6t_m -A PSW_OUTPUT -p tcp -d ${dns_address} --dport ${dns_port:-53} -j RETURN
+ echolog " - [$?]追加直连DNS到iptables:[${dns_address}]:${dns_port:-53}"
 fi
 done
 }
+
 [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
 $ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
 [ "${USE_BLOCK_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh
index 0a7135adb..84b60880a 100755
--- a/luci-app-passwall/root/usr/share/passwall/nftables.sh
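Review bot: The `echolog "  - [$?]…"` line that closes each branch, both in the retained IPv4 branch and in the added IPv6 branch, reports only the exit status of the preceding tcp rule, so a udp rule that iptables rejects is logged as success; record each status (`$ipt_m … -p udp … || rv=$?`) or log after each command. Nothing checks that the sed extraction produced an address: sed leaves the line unchanged when its pattern does not match, so `dns_address` then holds the raw entry and the loop still runs `-d ${dns_address}`, with only that same `[$?]` revealing the failure — a guard such as `[ -n "$dns_address" ] || continue` placed before the if, or a check that the value differs from `$local_dns`, would skip such entries explicitly. The `echo "$dns_address" | grep -q -v ':'` test is also easy to misread and forks twice per entry; `case "$dns_address" in *:*) … ;; *) … ;; esac` expresses the v6/v4 split in-shell. The same points apply to the nftables.sh block added at @@ -946; add_firewall_rule starts and ends outside this hunk.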
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh
@@ -865,21 +865,7 @@ add_firewall_rule() {
 nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
 nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANLIST counter return"
 nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
- [ -n "$FW_APPEND_DNS" ] && {
- for local_dns in $(echo $FW_APPEND_DNS | tr ',' ' '); do
- local dns_address=$(echo "$local_dns" | sed -E 's/(@|\[)?([0-9a-fA-F:.]+)(@|#|$).*/\2/')
- local dns_port=$(echo "$local_dns" | sed -nE 's/.*#([0-9]+)$/\1/p')
- if echo "$dns_address" | grep -q ':'; then
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr ${dns_address} $(factor ${dns_port:-53} "udp dport") counter return"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr ${dns_address} $(factor ${dns_port:-53} "tcp dport") counter return"
- echolog " - [$?]追加直连DNS到nftables:[${dns_address}]:${dns_port:-53}"
- else
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${dns_address} $(factor ${dns_port:-53} "udp dport") counter return"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${dns_address} $(factor ${dns_port:-53} "tcp dport") counter return"
- echolog " - [$?]追加直连DNS到nftables:${dns_address}:${dns_port:-53}"
- fi
- done
- }
+
 [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
 nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
 [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
@@ -946,6 +932,23 @@ add_firewall_rule() {
 nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
 [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
 
+ [ -n "$IPT_APPEND_DNS" ] && {
+ local local_dns dns_address dns_port
+ for local_dns in $(echo $IPT_APPEND_DNS | tr ',' ' '); do
+ dns_address=$(echo "$local_dns" | sed -E 's/(@|\[)?([0-9a-fA-F:.]+)(@|#|$).*/\2/')
+ dns_port=$(echo "$local_dns" | sed -nE 's/.*#([0-9]+)$/\1/p')
+ if echo "$dns_address" | grep -q -v ':'; then
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${dns_address} $(factor ${dns_port:-53} "udp dport") counter return"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${dns_address} $(factor ${dns_port:-53} "tcp dport") counter return"
+ echolog " - [$?]追加直连DNS到nftables:${dns_address}:${dns_port:-53}"
+ else
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr ${dns_address} $(factor ${dns_port:-53} "udp dport") counter return"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr ${dns_address} $(factor ${dns_port:-53} "tcp dport") counter return"
+ echolog " - [$?]追加直连DNS到nftables:[${dns_address}]:${dns_port:-53}"
+ fi
+ done
+ }
+
 # jump chains
 [ "$PROXY_IPV6" == "1" ] && {
 nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
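Review bot: Moving this block from the PSW_OUTPUT_MANGLE setup (hunk @@ -865) to here changes rule order in the IPv4 chain: `nft "add rule …"` appends, so the direct-DNS `counter return` for IPv4 now lands after the `@$NFTSET_WHITELIST`/`mark 0xff`/`@$NFTSET_BLOCKLIST counter drop` rules that stay at the old position, and after whatever the lines between the two hunks (which I cannot see) add to PSW_OUTPUT_MANGLE, whereas iptables.sh keeps its DNS exemption ahead of those rules. If the move was only needed so that PSW_OUTPUT_MANGLE_V6 exists before the IPv6 branch adds to it, consider leaving the IPv4 rules at the old position, or using `nft "insert rule …"` for them, so the two backends keep the same precedence. Either way the placement deserves a comment, e.g. `# kept after the V6 chain setup: the IPv6 branch adds to PSW_OUTPUT_MANGLE_V6, which must already exist`. add_firewall_rule starts and ends outside this hunk.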