update 2024-04-12 00:17:43

2025-01-09 04:37:59 +08:00 · 2024-04-12 00:17:43 +08:00 · 2024-04-12 00:17:43 +08:00 · 4b986f3da7
commit 4b986f3da7
parent b0c864f1ab
14 changed files with 200 additions and 187 deletions
--- a/luci-app-passwall2/Makefile
+++ b/luci-app-passwall2/Makefile
@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-passwall2
-PKG_VERSION:=1.28-5
+PKG_VERSION:=1.28-6
 PKG_RELEASE:=

 PKG_CONFIG_DEPENDS:= \
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua
@ -316,7 +316,7 @@ o.rmempty = false
 o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect."))
 o.inputstyle = "remove"
 function o.write(e, e)
-	luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"passwall2_\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
+	luci.sys.call('[ -n "$(nft list sets 2>/dev/null | grep \"passwall2_\")" ] && sh /usr/share/passwall2/nftables.sh flush_nftset_reload || sh /usr/share/passwall2/iptables.sh flush_ipset_reload > /dev/null 2>&1 &')
 	luci.http.redirect(api.url("log"))
 end

--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/shunt_rules.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/shunt_rules.lua
@ -121,6 +121,8 @@ domain_list.validate = function(self, value)
 			flag = 0
 		elseif host:find("ext:") and host:find("ext:") == 1 then
 			flag = 0
+		elseif host:find("#") and host:find("#") == 1 then
+			flag = 0
 		end
 		if flag == 1 then
 			if not datatypes.hostname(tmp_host) then
@ -135,7 +137,7 @@ domain_list.description = "<br /><ul><li>" .. translate("Plaintext: If this stri
 .. "</li><li>" .. translate("Subdomain (recommended): Begining with 'domain:' and the rest is a domain. When the targeting domain is exactly the value, or is a subdomain of the value, this rule takes effect. Example: rule 'domain:v2ray.com' matches 'www.v2ray.com', 'v2ray.com', but not 'xv2ray.com'.")
 .. "</li><li>" .. translate("Full domain: Begining with 'full:' and the rest is a domain. When the targeting domain is exactly the value, the rule takes effect. Example: rule 'domain:v2ray.com' matches 'v2ray.com', but not 'www.v2ray.com'.")
 .. "</li><li>" .. translate("Pre-defined domain list: Begining with 'geosite:' and the rest is a name, such as geosite:google or geosite:cn.")
-.. "</li><li>" .. translate("Domains from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geosite.dat. The tag must exist in the file.")
+.. "</li><li>" .. translate("Annotation: Begining with #")
 .. "</li></ul>"
 ip_list = s:option(TextValue, "ip_list", "IP")
 ip_list.rows = 10
@ -146,6 +148,7 @@ ip_list.validate = function(self, value)
 	for index, ipmask in ipairs(ipmasks) do
 		if ipmask:find("geoip:") and ipmask:find("geoip:") == 1 then
 		elseif ipmask:find("ext:") and ipmask:find("ext:") == 1 then
+		elseif ipmask:find("#") and ipmask:find("#") == 1 then
 		else
 			if not (datatypes.ipmask4(ipmask) or datatypes.ipmask6(ipmask)) then
 				return nil, ipmask .. " " .. translate("Not valid IP format, please re-enter!")
@ -157,7 +160,7 @@ end
 ip_list.description = "<br /><ul><li>" .. translate("IP: such as '127.0.0.1'.")
 .. "</li><li>" .. translate("CIDR: such as '127.0.0.0/8'.")
 .. "</li><li>" .. translate("GeoIP: such as 'geoip:cn'. It begins with geoip: (lower case) and followed by two letter of country code.")
-.. "</li><li>" .. translate("IPs from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geoip.dat. The tag must exist in the file.")
+.. "</li><li>" .. translate("Annotation: Begining with #")
 .. "</li></ul>"

 return m
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/ray.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/type/ray.lua
@ -49,7 +49,9 @@ o:depends({ [option_name("protocol")] = "_iface" })

 local nodes_table = {}
 local balancers_table = {}
+local fallback_table = {}
 local iface_table = {}
+local is_balancer = nil
 for k, e in ipairs(api.get_valid_nodes()) do
 	if e.node_type == "normal" then
 		nodes_table[#nodes_table + 1] = {
@ -63,6 +65,15 @@ for k, e in ipairs(api.get_valid_nodes()) do
 			id = e[".name"],
 			remark = e["remark"]
 		}
+		if e[".name"] ~= arg[1] then
+			fallback_table[#fallback_table + 1] = {
+				id = e[".name"],
+				remark = e["remark"],
+				fallback = e["fallback_node"]
+			}
+		else
+			is_balancer = true
+		end
 	end
 	if e.protocol == "_iface" then
 		iface_table[#iface_table + 1] = {
@ -90,14 +101,35 @@ for k, v in pairs(nodes_table) do o:value(v.id, v.remark) end
 local o = s:option(ListValue, option_name("balancingStrategy"), translate("Balancing Strategy"))
 o:depends({ [option_name("protocol")] = "_balancing" })
 o:value("random")
+o:value("roundRobin")
 o:value("leastPing")
-o:value("leastLoad")
-o.default = "leastLoad"
+o.default = "leastPing"
+
+-- Fallback Node
+if api.compare_versions(api.get_app_version("xray"), ">=", "1.8.10") then
+	local o = s:option(ListValue, option_name("fallback_node"), translate("Fallback Node"))
+	o:depends({ [option_name("balancingStrategy")] = "leastPing" })
+	o:value("",translate("Null"))
+	o.default = ""
+	local function check_fallback_chain(fb)
+		for k, v in pairs(fallback_table) do
+			if v.fallback == fb then
+				fallback_table[k] = nil
+				check_fallback_chain(v.id)
+			end
+		end
+	end
+	-- 检查fallback链，去掉会形成闭环的balancer节点
+	if is_balancer then
+		check_fallback_chain(arg[1])
+	end
+	for k, v in pairs(fallback_table) do o:value(v.id, v.remark) end
+	for k, v in pairs(nodes_table) do o:value(v.id, v.remark) end
+end

 -- 探测地址
 local o = s:option(Flag, option_name("useCustomProbeUrl"), translate("Use Custome Probe URL"), translate("By default the built-in probe URL will be used, enable this option to use a custom probe URL."))
 o:depends({ [option_name("balancingStrategy")] = "leastPing" })
-o:depends({ [option_name("balancingStrategy")] = "leastLoad" })

 local o = s:option(Value, option_name("probeUrl"), translate("Probe URL"))
 o:depends({ [option_name("useCustomProbeUrl")] = true })
@ -107,7 +139,6 @@ o.description = translate("The URL used to detect the connection status.")
 -- 探测间隔
 local o = s:option(Value, option_name("probeInterval"), translate("Probe Interval"))
 o:depends({ [option_name("balancingStrategy")] = "leastPing" })
-o:depends({ [option_name("balancingStrategy")] = "leastLoad" })
 o.default = "1m"
 o.description = translate("The interval between initiating probes. Every time this time elapses, a server status check is performed on a server. The time format is numbers + units, such as '10s', '2h45m', and the supported time units are <code>ns</code>, <code>us</code>, <code>ms</code>, <code>s</code>, <code>m</code>, <code>h</code>, which correspond to nanoseconds, microseconds, milliseconds, seconds, minutes, and hours, respectively.")

--- a/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua
+++ b/luci-app-passwall2/luasrc/passwall2/util_sing-box.lua
@ -1155,6 +1155,7 @@ function gen_config(var)
 							geosite = {},
 						}
 						string.gsub(e.domain_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							if w:find("geosite:") == 1 then
 								table.insert(domain_table.geosite, w:sub(1 + #"geosite:"))
 							elseif w:find("regexp:") == 1 then
@ -1183,6 +1184,7 @@ function gen_config(var)
 						local ip_cidr = {}
 						local geoip = {}
 						string.gsub(e.ip_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							if w:find("geoip:") == 1 then
 								table.insert(geoip, w:sub(1 + #"geoip:"))
 							else
--- a/luci-app-passwall2/luasrc/passwall2/util_xray.lua
+++ b/luci-app-passwall2/luasrc/passwall2/util_xray.lua
@ -574,6 +574,8 @@ function gen_config(var)
 			nodes[node_id] = node
 		end
 	end
+	local balancers = {}
+	local rules = {}

 	if local_socks_port then
 		local inbound = {
@ -644,8 +646,20 @@ function gen_config(var)
 		return "balancer-" .. _node_id
 	end

+	local function gen_loopback(outboundTag, dst_node_id)
+		if not outboundTag then return nil end
+		local inboundTag = dst_node_id and "loop-in-" .. dst_node_id or outboundTag .. "-lo"
+		table.insert(outbounds, {
+			protocol = "loopback",
+			tag = outboundTag,
+			settings = { inboundTag = inboundTag }
+		})
+		return inboundTag
+	end
+
 	local function gen_balancer(_node, loopbackTag)
 		local blc_nodes = _node.balancing_node
+		local fallback_node_id = _node.fallback_node
 		local length = #blc_nodes
 		local valid_nodes = {}
 		for i = 1, length do
@ -668,40 +682,60 @@ function gen_config(var)
 				end
 			end
 		end
+		if fallback_node_id == "" then
+			fallback_node_id = nil
+		end
+		if fallback_node_id then
+			local is_new_node = true
+			for _, outbound in ipairs(outbounds) do
+				if outbound.tag == fallback_node_id then
+					is_new_node = false
+					break
+				end
+			end
+			if is_new_node then
+				local fallback_node = uci:get_all(appname, fallback_node_id)
+				if fallback_node.protocol ~= "_balancing" then
+					local outbound = gen_outbound(flag, fallback_node, fallback_node_id, { fragment = xray_settings.fragment == "1" or nil })
+					if outbound then
+						table.insert(outbounds, outbound)
+					else
+						fallback_node_id = nil
+					end
+				else
+					local valid = gen_balancer(fallback_node)
+					if not valid then
+						fallback_node_id = nil
+					end
+				end
+			end
+		end

-		local balancer, rule
+		local valid = nil
 		if #valid_nodes > 0 then
 			local balancerTag = get_balancer_tag(_node[".name"])
-			balancer = {
+			table.insert(balancers, {
 				tag = balancerTag,
 				selector = valid_nodes,
+				fallbackTag = fallback_node_id,
 				strategy = { type = _node.balancingStrategy or "random" }
-			}
-			if _node.balancingStrategy == "leastPing" or _node.balancingStrategy == "leastLoad" then
+			})
+			if _node.balancingStrategy == "leastPing" then
 				if not observatory then
 					observatory = {
 						subjectSelector = { "blc-" },
 						probeUrl = _node.useCustomProbeUrl and _node.probeUrl or nil,
 						probeInterval = _node.probeInterval or "1m",
-						enableConcurrency = (nodes[node_id] and nodes[node_id].type == "Xray") and true or nil --这里只判断顶层节点(分流总节点/单独的负载均衡节点)类型为Xray，就可以启用并发
+						enableConcurrency = true
 					}
 				end
 			end
-			if loopbackTag and loopbackTag ~= "" then
-				local inboundTag = loopbackTag .. "-in"
-				table.insert(outbounds, {
-					protocol = "loopback",
-					tag = loopbackTag,
-					settings = { inboundTag = inboundTag }
-				})
-				rule = {
-					type = "field",
-					inboundTag = { inboundTag },
-					balancerTag = balancerTag
-				}
-			end
+			if loopbackTag == nil or loopbackTag =="" then loopbackTag = _node[".name"] end
+			local inboundTag = gen_loopback(loopbackTag, _node[".name"])
+			table.insert(rules, { type = "field", inboundTag = { inboundTag }, balancerTag = balancerTag })
+			valid = true
 		end
-		return balancer, rule
+		return valid
 	end

 	local function set_outbound_detour(node, outbound, outbounds_table, shunt_rule_name)
@ -739,52 +773,10 @@ function gen_config(var)
 		end
 		local node = v
 		if node.protocol == "_shunt" then
-			local rules = {}
-			local balancers = {}
-
-			local preproxy_enabled = node.preproxy_enabled == "1"
-			local preproxy_tag = "main"
-			local preproxy_node_id = node["main_node"]
-			local preproxy_node = preproxy_enabled and preproxy_node_id and uci:get_all(appname, preproxy_node_id) or nil
-			local preproxy_is_balancer
-
-			if preproxy_node_id and preproxy_node_id:find("Socks_") then
-				local socks_id = preproxy_node_id:sub(1 + #"Socks_")
-				local socks_node = uci:get_all(appname, socks_id) or nil
-				if socks_node then
-					local _node = {
-						type = "Xray",
-						protocol = "socks",
-						address = "127.0.0.1",
-						port = socks_node.port,
-						transport = "tcp",
-						stream_security = "none"
-					}
-					local preproxy_outbound = gen_outbound(flag, _node, preproxy_tag)
-					if preproxy_outbound then
-						table.insert(outbounds, preproxy_outbound)
-					else
-						preproxy_enabled = false
-					end
-				end
-			elseif preproxy_node and api.is_normal_node(preproxy_node) then
-				local preproxy_outbound = gen_outbound(flag, preproxy_node, preproxy_tag, { fragment = xray_settings.fragment == "1" or nil })
-				if preproxy_outbound then
-					set_outbound_detour(preproxy_node, preproxy_outbound, outbounds, preproxy_tag)
-					table.insert(outbounds, preproxy_outbound)
-				else
-					preproxy_enabled = false
-				end
-			elseif preproxy_node and preproxy_node.protocol == "_balancing" then
-				preproxy_is_balancer = true
-				local preproxy_balancer, preproxy_rule = gen_balancer(preproxy_node, preproxy_tag)
-				if preproxy_balancer and preproxy_rule then
-					table.insert(balancers, preproxy_balancer)
-					table.insert(rules, preproxy_rule)
-				else
-					preproxy_enabled = false
-				end
-			end
+			local proxy_tag = "main"
+			local proxy_node_id = node["main_node"]
+			local proxy_node = node.preproxy_enabled == "1" and proxy_node_id or nil
+			local proxy_outboundTag, proxy_balancerTag

 			local function gen_shunt_node(rule_name, _node_id)
 				if not rule_name then return nil, nil end
@ -795,7 +787,7 @@ function gen_config(var)
 					rule_outboundTag = "direct"
 				elseif _node_id == "_blackhole" then
 					rule_outboundTag = "blackhole"
-				elseif _node_id == "_default" and rule_name ~= "default" then
+				elseif _node_id == "_default" then
 					rule_outboundTag = "default"
 				elseif _node_id:find("Socks_") then
 					local socks_id = _node_id:sub(1 + #"Socks_")
@ -809,9 +801,9 @@ function gen_config(var)
 							transport = "tcp",
 							stream_security = "none"
 						}
-						local _outbound = gen_outbound(flag, _node, rule_name)
-						if _outbound then
-							table.insert(outbounds, _outbound)
+						local outbound = gen_outbound(flag, _node, rule_name)
+						if outbound then
+							table.insert(outbounds, outbound)
 							rule_outboundTag = rule_name
 						end
 					end
@ -820,19 +812,19 @@ function gen_config(var)
 					if not _node then return nil, nil end

 					if api.is_normal_node(_node) then
-						local proxy = preproxy_enabled and node[rule_name .. "_proxy_tag"] == preproxy_tag and _node_id ~= preproxy_node_id
-						if proxy and preproxy_is_balancer then
-							local blc_nodes = preproxy_node.balancing_node
-							for _, blc_node_id in ipairs(blc_nodes) do
+						local _proxy_node = (proxy_node and proxy_node_id) and uci:get_all(appname, proxy_node_id) or nil
+						local use_proxy = _proxy_node and node[rule_name .. "_proxy_tag"] == proxy_tag and _node_id ~= proxy_node_id
+						if use_proxy and proxy_balancerTag then
+							for _, blc_node_id in ipairs(_proxy_node.balancing_node) do
 								if _node_id == blc_node_id then
-									proxy = false
+									use_proxy = false
 									break
 								end
 							end
 						end
 						local copied_outbound
 						for index, value in ipairs(outbounds) do
-							if value["_flag_tag"] == _node_id and value["_flag_proxy_tag"] == preproxy_tag then
+							if value["_flag_tag"] == _node_id and value["_flag_proxy_tag"] == proxy_tag then
 								copied_outbound = api.clone(value)
 								break
 							end
@ -842,70 +834,60 @@ function gen_config(var)
 							table.insert(outbounds, copied_outbound)
 							rule_outboundTag = rule_name
 						else
-							if proxy then
-								local pre_proxy = nil
-								if _node.type ~= "Xray" then
-									pre_proxy = true
-								end
-								if _node.type == "Xray" and _node.flow == "xtls-rprx-vision" then
-									pre_proxy = true
-								end
-								if pre_proxy then
-									new_port = get_new_port()
-									table.insert(inbounds, {
-										tag = "proxy_" .. rule_name,
-										listen = "127.0.0.1",
-										port = new_port,
-										protocol = "dokodemo-door",
-										settings = {network = "tcp,udp", address = _node.address, port = tonumber(_node.port)}
-									})
-									if _node.tls_serverName == nil then
-										_node.tls_serverName = _node.address
-									end
-									_node.address = "127.0.0.1"
-									_node.port = new_port
-									table.insert(rules, 1, {
-										type = "field",
-										inboundTag = {"proxy_" .. rule_name},
-										outboundTag = is_balancing_proxy and nil or preproxy_tag,
-										balancerTag = is_balancing_proxy and get_balancer_tag(proxy_node_id) or nil
-									})
+							if use_proxy and (_node.type ~= "Xray" or _node.flow == "xtls-rprx-vision") then
+								new_port = get_new_port()
+								table.insert(inbounds, {
+									tag = "proxy_" .. rule_name,
+									listen = "127.0.0.1",
+									port = new_port,
+									protocol = "dokodemo-door",
+									settings = {network = "tcp,udp", address = _node.address, port = tonumber(_node.port)}
+								})
+								if _node.tls_serverName == nil then
+									_node.tls_serverName = _node.address
 								end
+								_node.address = "127.0.0.1"
+								_node.port = new_port
+								table.insert(rules, 1, {
+									type = "field",
+									inboundTag = {"proxy_" .. rule_name},
+									outboundTag = proxy_outboundTag,
+									balancerTag = proxy_balancerTag
+								})
 							end
 							local proxy_table = {
-								proxy = proxy and 1 or 0,
-								tag = proxy and preproxy_tag or nil
+								proxy = use_proxy and 1 or 0,
+								tag = use_proxy and proxy_tag or nil
 							}
 							if xray_settings.fragment == "1" and not proxy_table.tag then
 								proxy_table.fragment = true
 							end
-							local _outbound = gen_outbound(flag, _node, rule_name, proxy_table)
-							if _outbound then
-								set_outbound_detour(_node, _outbound, outbounds, rule_name)
-								table.insert(outbounds, _outbound)
-								if proxy then preproxy_used = true end
+							local outbound = gen_outbound(flag, _node, rule_name, proxy_table)
+							if outbound then
+								set_outbound_detour(_node, outbound, outbounds, rule_name)
+								table.insert(outbounds, outbound)
 								rule_outboundTag = rule_name
 							end
 						end
 					elseif _node.protocol == "_balancing" then
 						local is_new_balancer = true
+						rule_balancerTag = get_balancer_tag(_node_id)
 						for _, v in ipairs(balancers) do
-							if v["_flag_tag"] == _node_id then
+							if v.tag == rule_balancerTag then
 								is_new_balancer = false
-								rule_balancerTag = v.tag
+								gen_loopback(rule_name, _node_id)
 								break
 							end
 						end
 						if is_new_balancer then
-							local balancer = gen_balancer(_node)
-							if balancer then
-								table.insert(balancers, balancer)
-								rule_balancerTag = balancer.tag
+							local valid = gen_balancer(_node, rule_name)
+							if not valid then
+								rule_balancerTag = nil
 							end
 						end
 					elseif _node.protocol == "_iface" then
 						if _node.iface then
-							local _outbound = {
+							local outbound = {
 								protocol = "freedom",
 								tag = rule_name,
 								streamSettings = {
@ -915,7 +897,7 @@ function gen_config(var)
 									}
 								}
 							}
-							table.insert(outbounds, _outbound)
+							table.insert(outbounds, outbound)
 							rule_outboundTag = rule_name
 							sys.call("touch /tmp/etc/passwall2/iface/" .. _node.iface)
 						end
@ -923,6 +905,14 @@ function gen_config(var)
 				end
 				return rule_outboundTag, rule_balancerTag
 			end
+
+			--proxy_node
+			if proxy_node then
+				proxy_outboundTag, proxy_balancerTag = gen_shunt_node(proxy_tag, proxy_node_id)
+				if not proxy_outboundTag  and not proxy_balancerTag then
+					proxy_node = nil
+				end
+			end
 			--default_node
 			local default_node_id = node.default_node or "_direct"
 			local default_outboundTag, default_balancerTag = gen_shunt_node("default", default_node_id)
@ -965,6 +955,7 @@ function gen_config(var)
 						}
 						domains = {}
 						string.gsub(e.domain_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							table.insert(domains, w)
 							table.insert(domain_table.domain, w)
 						end)
@ -976,6 +967,7 @@ function gen_config(var)
 					if e.ip_list then
 						ip = {}
 						string.gsub(e.ip_list, '[^' .. "\r\n" .. ']+', function(w)
+							if w:find("#") == 1 then return end
 							table.insert(ip, w)
 						end)
 					end
@ -1034,12 +1026,13 @@ function gen_config(var)
 			}
 		elseif node.protocol == "_balancing" then
 			if node.balancing_node then
-				local balancer = gen_balancer(node)
+				local valid = gen_balancer(node)
+				if valid then
+					table.insert(rules, { type = "field", network = "tcp,udp", balancerTag = get_balancer_tag(node_id) })
+				end
 				routing = {
-					balancers = { balancer },
-					rules = {
-						{ type = "field", network = "tcp,udp", balancerTag = balancer.tag }
-					}
+					balancers = balancers,
+					rules = rules
 				}
 			end
 		elseif node.protocol == "_iface" then
@ -1121,6 +1114,8 @@ function gen_config(var)
 				end
 			end)
 		end
+
+		local _remote_dns_ip = nil
 	
 		local _remote_dns = {
 			_flag = "remote",
@ -1131,12 +1126,14 @@ function gen_config(var)
 			_remote_dns.address = remote_dns_udp_server
 			_remote_dns.port = tonumber(remote_dns_udp_port) or 53
 			_remote_dns_proto = "udp"
+			_remote_dns_ip = remote_dns_udp_server
 		end

 		if remote_dns_tcp_server then
 			_remote_dns.address = "tcp://" .. remote_dns_tcp_server
 			_remote_dns.port = tonumber(remote_dns_tcp_port) or 53
 			_remote_dns_proto = "tcp"
+			_remote_dns_ip = remote_dns_tcp_server
 		end

 		if remote_dns_doh_url and remote_dns_doh_host then
@ -1145,6 +1142,7 @@ function gen_config(var)
 			end
 			_remote_dns.address = remote_dns_doh_url
 			_remote_dns.port = tonumber(remote_dns_doh_port) or 443
+			_remote_dns_ip = remote_dns_doh_ip
 		end

 		if _remote_dns.address then
@ -1153,7 +1151,7 @@ function gen_config(var)
 				table.insert(routing.rules, 1, {
 					type = "field",
 					ip = {
-						_remote_dns.address
+						_remote_dns_ip
 					},
 					port = _remote_dns.port,
 					network = _remote_dns_proto,
@ -1416,7 +1414,7 @@ function gen_config(var)
 				-- }
 			}
 		}
-		
+
 		if xray_settings.fragment == "1" then
 			table.insert(outbounds, {
 				protocol = "freedom",
@ -1435,9 +1433,9 @@ function gen_config(var)
 						tcpNoDelay = true
 					}
 				}
-			})		
+			})
 		end
-		
+
 		table.insert(outbounds, {
 			protocol = "freedom",
 			tag = "direct",
--- a/luci-app-passwall2/po/zh-cn/passwall2.po
+++ b/luci-app-passwall2/po/zh-cn/passwall2.po
@ -343,6 +343,9 @@ msgstr "负载均衡"
 msgid "Balancing Strategy"
 msgstr "负载均衡策略"

+msgid "Fallback Node"
+msgstr "后备节点"
+
 msgid "Use Custome Probe URL"
 msgstr "使用自定义探测网址"

@ -1003,8 +1006,8 @@ msgstr "完整匹配: 由'full:'开始，余下部分是一个域名。当此域
 msgid "Pre-defined domain list: Begining with 'geosite:' and the rest is a name, such as geosite:google or geosite:cn."
 msgstr "预定义域名列表：由'geosite:'开头，余下部分是一个名称，如geosite:google或者geosite:cn。"

-msgid "Domains from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geosite.dat. The tag must exist in the file."
-msgstr "从文件中加载域名: 形如'ext:file:tag'，必须以ext:（小写）开头，后面跟文件名和标签，文件存放在资源目录中，文件格式与geosite.dat相同，标签必须在文件中存在。"
+msgid "Annotation: Begining with #"
+msgstr "注释: 由 # 开头"

 msgid "IP: such as '127.0.0.1'."
 msgstr "IP: 形如'127.0.0.1'。"
@ -1015,9 +1018,6 @@ msgstr "CIDR: 形如'10.0.0.0/8'."
 msgid "GeoIP: such as 'geoip:cn'. It begins with geoip: (lower case) and followed by two letter of country code."
 msgstr "GeoIP: 形如'geoip:cn'，必须以geoip:（小写）开头，后面跟双字符国家代码，支持几乎所有可以上网的国家。"

-msgid "IPs from file: Such as 'ext:file:tag'. The value must begin with ext: (lowercase), and followed by filename and tag. The file is placed in resource directory, and has the same format of geoip.dat. The tag must exist in the file."
-msgstr "从文件中加载 IP: 形如'ext:file:tag'，必须以ext:（小写）开头，后面跟文件名和标签，文件存放在资源目录中，文件格式与geoip.dat相同标签必须在文件中存在。"
-
 msgid "Clear logs"
 msgstr "清空日志"

--- a/luci-app-passwall2/root/etc/hotplug.d/iface/98-passwall2
+++ b/luci-app-passwall2/root/etc/hotplug.d/iface/98-passwall2
@ -16,7 +16,7 @@
 		echo $$ > ${LOCK_FILE}
 		
 		/etc/init.d/passwall2 restart >/dev/null 2>&1 &
-		echo "passwall2: restart when $INTERFACE ifup" > /dev/kmsg
+		logger -p notice -t network -s "passwall2: restart when $INTERFACE ifup"
 		
 		rm -rf ${LOCK_FILE}
 	}
--- a/luci-app-passwall2/root/etc/uci-defaults/luci-passwall2
+++ b/luci-app-passwall2/root/etc/uci-defaults/luci-passwall2
@ -30,46 +30,10 @@ EOF
 touch /etc/config/passwall2_show >/dev/null 2>&1
 [ ! -s "/etc/config/passwall2" ] && cp -f /usr/share/passwall2/0_default_config /etc/config/passwall2

-use_nft=$(uci -q get passwall2.@global_forwarding[0].use_nft || echo "0")
-[ "${use_nft}" = "0" ] && {
-	if [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ] || [ -z "$(dnsmasq --version | grep 'Compile time options:.* ipset')" ]; then
-		[ "$(opkg list-installed | grep "firewall4")" ] && [ "$(opkg list-installed | grep "nftables")" ] && {
-			[ "$(opkg list-installed | grep "kmod\-nft\-socket")" ] && [ "$(opkg list-installed | grep "kmod\-nft\-tproxy")" ] && [ "$(opkg list-installed | grep "kmod\-nft\-nat")" ] && {
-				uci -q set passwall2.@global_forwarding[0].use_nft=1
-				uci -q commit passwall2
-				sed -i "s#use_nft '0'#use_nft '1'#g" /usr/share/passwall2/0_default_config
-			}
-		}
-	fi
-}
-
-global_xray=$(uci -q get passwall2.@global_xray[0])
-[ -z "${global_xray}" ] && {
-	cfgid=$(uci add passwall2 global_xray)
-	uci -q set passwall2.${cfgid}.sniffing=$(uci -q get passwall2.@global_forwarding[0].sniffing || echo "1")
-	uci -q set passwall2.${cfgid}.route_only=$(uci -q get passwall2.@global_forwarding[0].route_only || echo "0")
-	uci -q set passwall2.${cfgid}.buffer_size=$(uci -q get passwall2.@global_forwarding[0].buffer_size || echo "")
-	
-	uci -q delete passwall2.@global_forwarding[0].sniffing
-	uci -q delete passwall2.@global_forwarding[0].route_only
-	uci -q delete passwall2.@global_forwarding[0].buffer_size
-	uci -q commit passwall2
-}
-
-global_singbox=$(uci -q get passwall2.@global_singbox[0])
-[ -z "${global_singbox}" ] && {
-	cfgid=$(uci add passwall2 global_singbox)
-	uci -q set passwall2.${cfgid}.sniff_override_destination=0
-	uci -q set passwall2.${cfgid}.geoip_path="/tmp/singbox/geoip.db"
-	uci -q set passwall2.${cfgid}.geoip_url="https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db"
-	uci -q set passwall2.${cfgid}.geosite_path="/tmp/singbox/geosite.db"
-	uci -q set passwall2.${cfgid}.geosite_url="https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db"
-	uci -q commit passwall2
-}
-
 chmod +x /usr/share/passwall2/*.sh

 rm -f /tmp/luci-indexcache
 rm -rf /tmp/luci-modulecache/
 killall -HUP rpcd 2>/dev/null
+
 exit 0
--- a/luci-app-passwall2/root/usr/share/passwall2/app.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh
@ -1026,14 +1026,13 @@ start() {
 		if [ -n "$(command -v iptables-legacy || command -v iptables)" ] && [ -n "$(command -v ipset)" ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* ipset')" ]; then
 			USE_TABLES="iptables"
 		else
+			echolog "系统未安装iptables或ipset或Dnsmasq没有开启ipset支持，无法使用iptables+ipset透明代理！"
 			if [ -n "$(command -v fw4)" ] && [ -n "$(command -v nft)" ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
 				echolog "检测到fw4，使用nftables进行透明代理。"
 				USE_TABLES="nftables"
 				nftflag=1
 				config_t_set global_forwarding use_nft 1
 				uci commit ${CONFIG}
-			else
-				echolog "系统未安装iptables或ipset或Dnsmasq没有开启ipset支持，无法透明代理！"
 			fi
 		fi
 	else
--- a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh
@ -101,7 +101,7 @@ add() {
 	
 	#始终用国内DNS解析节点域名
 	servers=$(uci show "${CONFIG}" | grep ".address=" | cut -d "'" -f 2)
-	hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | gen_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpslist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
+	hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" | gen_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpslist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
 	echolog "  - [$?]节点列表中的域名(vpslist)：${DEFAULT_DNS:-默认}"
 	
 	echo "conf-dir=${TMP_DNSMASQ_PATH}" > $DNSMASQ_CONF_FILE
--- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
@ -868,14 +868,19 @@ del_firewall_rule() {
 	ip -6 rule del fwmark 1 table 100 2>/dev/null
 	ip -6 route del local ::/0 dev lo table 100 2>/dev/null

-	$DIR/app.sh echolog "删除相关防火墙规则完成。"
+	$DIR/app.sh echolog "删除iptables防火墙规则完成。"
 }

 flush_ipset() {
-	del_firewall_rule
+	$DIR/app.sh echolog "清空 IPSET。"
 	for _name in $(ipset list | grep "Name: " | grep "passwall2_" | awk '{print $2}'); do
 		destroy_ipset ${_name}
 	done
+}
+
+flush_ipset_reload() {
+	del_firewall_rule
+	flush_ipset
 	rm -rf /tmp/singbox_passwall2_*
 	/etc/init.d/passwall2 reload
 }
@ -988,6 +993,9 @@ insert_rule_after)
 flush_ipset)
 	flush_ipset
 	;;
+flush_ipset_reload)
+	flush_ipset_reload
+	;;
 get_ipt_bin)
 	get_ipt_bin
 	;;
--- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh
@ -918,14 +918,19 @@ del_firewall_rule() {
 	destroy_nftset $NFTSET_LANLIST6
 	destroy_nftset $NFTSET_VPSLIST6

-	$DIR/app.sh echolog "删除相关防火墙规则完成。"
+	$DIR/app.sh echolog "删除nftables防火墙规则完成。"
 }

 flush_nftset() {
-	del_firewall_rule
+	$DIR/app.sh echolog "清空 NFTSET。"
 	for _name in $(nft -a list sets | grep -E "passwall2" | awk -F 'set ' '{print $2}' | awk '{print $1}'); do
 		destroy_nftset ${_name}
 	done
+}
+
+flush_nftset_reload() {
+	del_firewall_rule
+	flush_nftset
 	rm -rf /tmp/singbox_passwall2_*
 	/etc/init.d/passwall2 reload
 }
@ -1031,6 +1036,9 @@ insert_rule_after)
 flush_nftset)
 	flush_nftset
 	;;
+flush_nftset_reload)
+	flush_nftset_reload
+	;;
 get_wan_ip)
 	get_wan_ip
 	;;
--- a/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua
+++ b/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua
@ -186,9 +186,9 @@ luci.sys.call("uci commit " .. name)
 if reboot == 1 then
 	log("重启服务，应用新的规则。")
 	if use_nft == "1" then
-		luci.sys.call("sh /usr/share/" .. name .. "/nftables.sh flush_nftset > /dev/null 2>&1 &")
+		luci.sys.call("sh /usr/share/" .. name .. "/nftables.sh flush_nftset_reload > /dev/null 2>&1 &")
 	else
-		luci.sys.call("sh /usr/share/" .. name .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
+		luci.sys.call("sh /usr/share/" .. name .. "/iptables.sh flush_ipset_reload > /dev/null 2>&1 &")
 	end
 end
 log("规则更新完毕...")