From 5c581db85893580b9ecad86f539d84ef871a2e50 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 20:28:56 +0800 Subject: [PATCH] update 2024-03-14 20:28:56 --- luci-app-mtphotos/Makefile | 18 + .../luasrc/controller/mtphotos.lua | 7 + .../luasrc/model/cbi/mtphotos.lua | 73 ++++ luci-app-mtphotos/luasrc/model/mtphotos.lua | 55 +++ .../luasrc/view/mtphotos/status.htm | 31 ++ luci-app-mtphotos/po/zh-cn/mtphotos.po | 47 +++ luci-app-mtphotos/po/zh_Hans | 1 + luci-app-mtphotos/root/etc/config/mtphotos | 5 + .../root/usr/libexec/istorec/mtphotos.sh | 77 ++++ .../share/rpcd/acl.d/luci-app-mtphotos.json | 11 + luci-app-passwall2/Makefile | 2 +- .../luasrc/controller/passwall2.lua | 10 +- .../model/cbi/passwall2/client/acl_config.lua | 28 +- .../model/cbi/passwall2/client/global.lua | 4 + .../cbi/passwall2/client/node_subscribe.lua | 16 +- .../client/node_subscribe_config.lua | 16 +- .../luasrc/passwall2/server_app.lua | 2 +- luci-app-passwall2/po/zh-cn/passwall2.po | 6 + .../root/usr/share/passwall2/0_default_config | 1 + .../root/usr/share/passwall2/app.sh | 1 + .../root/usr/share/passwall2/iptables.sh | 383 +++++++++--------- .../root/usr/share/passwall2/nftables.sh | 379 ++++++++--------- .../root/usr/share/passwall2/subscribe.lua | 76 ++-- 23 files changed, 818 insertions(+), 431 deletions(-) create mode 100644 luci-app-mtphotos/Makefile create mode 100755 luci-app-mtphotos/luasrc/controller/mtphotos.lua create mode 100644 luci-app-mtphotos/luasrc/model/cbi/mtphotos.lua create mode 100644 luci-app-mtphotos/luasrc/model/mtphotos.lua create mode 100644 luci-app-mtphotos/luasrc/view/mtphotos/status.htm create mode 100644 luci-app-mtphotos/po/zh-cn/mtphotos.po create mode 120000 luci-app-mtphotos/po/zh_Hans create mode 100644 luci-app-mtphotos/root/etc/config/mtphotos create mode 100755 luci-app-mtphotos/root/usr/libexec/istorec/mtphotos.sh create mode 100644 luci-app-mtphotos/root/usr/share/rpcd/acl.d/luci-app-mtphotos.json 
diff --git a/luci-app-mtphotos/Makefile b/luci-app-mtphotos/Makefile new file mode 100644 index 000000000..c8cff5921 --- /dev/null +++ b/luci-app-mtphotos/Makefile @@ -0,0 +1,18 @@ + + +include $(TOPDIR)/rules.mk + +PKG_VERSION:=1.0.2-20231208 +PKG_RELEASE:= + +LUCI_TITLE:=LuCI support for MTPhotos +LUCI_PKGARCH:=all +LUCI_DEPENDS:=+lsblk +docker +dockerd +luci-lib-taskd +luci-lib-docker + +define Package/luci-app-mtphotos/conffiles +/etc/config/mtphotos +endef + +include $(TOPDIR)/feeds/luci/luci.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/luci-app-mtphotos/luasrc/controller/mtphotos.lua b/luci-app-mtphotos/luasrc/controller/mtphotos.lua new file mode 100755 index 000000000..53b15c19e --- /dev/null +++ b/luci-app-mtphotos/luasrc/controller/mtphotos.lua @@ -0,0 +1,7 @@ + +module("luci.controller.mtphotos", package.seeall) + +function index() + entry({"admin", "services", "mtphotos"}, alias("admin", "services", "mtphotos", "config"), _("MTPhotos"), 30).dependent = true + entry({"admin", "services", "mtphotos", "config"}, cbi("mtphotos")) +end diff --git a/luci-app-mtphotos/luasrc/model/cbi/mtphotos.lua b/luci-app-mtphotos/luasrc/model/cbi/mtphotos.lua new file mode 100644 index 000000000..601501816 --- /dev/null +++ b/luci-app-mtphotos/luasrc/model/cbi/mtphotos.lua 
@@ -0,0 +1,73 @@ +--[[ +LuCI - Lua Configuration Interface +]]-- + +local taskd = require "luci.model.tasks" +local docker = require "luci.docker" +local mtphotos_model = require "luci.model.mtphotos" +local m, s, o + +m = taskd.docker_map("mtphotos", "mtphotos", "/usr/libexec/istorec/mtphotos.sh", + translate("MTPhotos"), + translate("MTPhotos is a photo manager, made by MTPhotos, Inc.") + .. translate("Official website:") .. ' https://mtmt.tech/') + +local dk = docker.new({socket_path="/var/run/docker.sock"}) +local dockerd_running = dk:_ping().code == 200 +local docker_info = dockerd_running and dk:info().body or {} +local docker_aspace = 0 +if docker_info.DockerRootDir then + local statvfs = nixio.fs.statvfs(docker_info.DockerRootDir) + docker_aspace = statvfs and (statvfs.bavail * statvfs.bsize) or 0 +end + +s = m:section(SimpleSection, translate("Service Status"), translate("MTPhotos status:")) +s:append(Template("mtphotos/status")) + +s = m:section(TypedSection, "main", translate("Setup"), + (docker_aspace < 2147483648 and + (translate("The free space of Docker is less than 2GB, which may cause the installation to fail.") + .. "
") or "") .. translate("The following parameters will only take effect during installation or upgrade:")) +s.addremove=false +s.anonymous=true + +o = s:option(Value, "port", translate("Port").."*") +o.default = "8063" +o.datatype = "port" +o:depends("hostnet", 0) + +o = s:option(Value, "image_name", translate("Image").."*") +o.rmempty = false +o.datatype = "string" +o:value("mtphotos/mt-photos:nodb-latest", "mtphotos/mt-photos:nodb-latest") +o:value("mtphotos/mt-photos:latest", "mtphotos/mt-photos:latest") +if "x86_64" == docker_info.Architecture then + o.default = "mtphotos/mt-photos:latest" +else + o:value("mtphotos/mt-photos:arm-latest", "mtphotos/mt-photos:arm-latest") + o.default = "mtphotos/mt-photos:arm-latest" +end + +local blocks = mtphotos_model.blocks() +local home = mtphotos_model.home() + +o = s:option(Value, "config_path", translate("Config path").."*") +o.rmempty = false +o.datatype = "string" + +local paths, default_path = mtphotos_model.find_paths(blocks, home, "Configs") +for _, val in pairs(paths) do + o:value(val.."/Config", val.."/Config") +end +o.default = default_path.."/Config" + +o = s:option(Value, "upload_path", translate("Upload path").."*") +o.rmempty = false +o.datatype = "string" + +for _, val in pairs(paths) do + o:value(val.."/Upload", val.."/Upload") +end +o.default = default_path.."/Upload" + +return m diff --git a/luci-app-mtphotos/luasrc/model/mtphotos.lua b/luci-app-mtphotos/luasrc/model/mtphotos.lua new file mode 100644 index 000000000..3aad421b5 --- /dev/null +++ b/luci-app-mtphotos/luasrc/model/mtphotos.lua 
@@ -0,0 +1,55 @@
+local util = require "luci.util"
+local jsonc = require "luci.jsonc"
+
+local mtphotos = {}
+
+mtphotos.blocks = function()
+ local f = io.popen("lsblk -s -f -b -o NAME,FSSIZE,MOUNTPOINT --json", "r")
+ local vals = {}
+ if f then
+ local ret = f:read("*all")
+ f:close()
+ local obj = jsonc.parse(ret)
+ for _, val in pairs(obj["blockdevices"]) do
+ local fsize = val["fssize"]
+ if fsize ~= nil and string.len(fsize) > 10 and val["mountpoint"] then
+ -- fsize > 1G
+ vals[#vals+1] = val["mountpoint"]
+ end
+ end
+ end
+ return vals
+end
+
+mtphotos.home = function()
+ local uci = require "luci.model.uci".cursor()
+ local home_dirs = {}
+ home_dirs["main_dir"] = uci:get_first("quickstart", "main", "main_dir", "/root")
+ home_dirs["Configs"] = uci:get_first("quickstart", "main", "conf_dir", home_dirs["main_dir"].."/Configs")
+ home_dirs["Public"] = uci:get_first("quickstart", "main", "pub_dir", home_dirs["main_dir"].."/Public")
+ home_dirs["Downloads"] = uci:get_first("quickstart", "main", "dl_dir", home_dirs["Public"].."/Downloads")
+ home_dirs["Caches"] = uci:get_first("quickstart", "main", "tmp_dir", home_dirs["main_dir"].."/Caches")
+ return home_dirs
+end
+
+mtphotos.find_paths = function(blocks, home_dirs, path_name)
+ local default_path = ''
+ local configs = {}
+
+ default_path = home_dirs[path_name] .. "/MTPhotos"
+ if #blocks == 0 then
+ table.insert(configs, default_path)
+ else
+ for _, val in pairs(blocks) do
+ table.insert(configs, val .. "/" .. path_name .. "/MTPhotos")
+ end
+ local without_conf_dir = "/root/" .. path_name .. "/MTPhotos"
+ if default_path == without_conf_dir then
+ default_path = configs[1]
+ end
+ end
+
+ return configs, default_path
+end
+
+return mtphotos
diff --git a/luci-app-mtphotos/luasrc/view/mtphotos/status.htm b/luci-app-mtphotos/luasrc/view/mtphotos/status.htm
new file mode 100644
index 000000000..df8fc6653
--- /dev/null
+++ b/luci-app-mtphotos/luasrc/view/mtphotos/status.htm
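Review bot: `mtphotos.blocks` indexes `obj["blockdevices"]` without checking that `jsonc.parse` returned a table; if `lsblk` is absent, fails, or prints something the parser rejects, `obj` is nil and the whole MTPhotos config page aborts with a Lua error instead of falling back to the home directories. A one-line guard covers it: `for _, val in pairs((type(obj) == "table" and obj.blockdevices) or {}) do`. The size test `string.len(fsize) > 10` also does not match its comment `-- fsize > 1G`: it passes only values of eleven or more decimal digits, i.e. roughly 10 GB and up, and it relies on Lua coercing a JSON number to a string when newer lsblk builds emit `fssize` numerically under `-b`; `tonumber(fsize) and tonumber(fsize) > 1073741824` would say what is meant and survive both output forms.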
@@ -0,0 +1,31 @@ +<% +local util = require "luci.util" +local container_status = util.trim(util.exec("/usr/libexec/istorec/mtphotos.sh status")) +local container_install = (string.len(container_status) > 0) +local container_running = container_status == "running" +-%> +
+ +
+ <% if container_running then %> + + <% else %> + + <% end %> +
+
+<% +if container_running then + local port=util.trim(util.exec("/usr/libexec/istorec/mtphotos.sh port")) + if port == "" then + port="8063" + end +-%> +
+ +
+ + +
+
+<% end %> diff --git a/luci-app-mtphotos/po/zh-cn/mtphotos.po b/luci-app-mtphotos/po/zh-cn/mtphotos.po new file mode 100644 index 000000000..21e90deb9 --- /dev/null +++ b/luci-app-mtphotos/po/zh-cn/mtphotos.po @@ -0,0 +1,47 @@ +msgid "" +msgstr "Content-Type: text/plain; charset=UTF-8" + +msgid "Official website:" +msgstr "官方网站:" + +msgid "MTPhotos is a photo manager, made by MTPhotos, Inc." +msgstr "MTPhotos 是一个相册管理软件。" + +msgid "Config path" +msgstr "配置文件路径" + +msgid "Upload path" +msgstr "上传文件路径" + +msgid "Port" +msgstr "端口" + +msgid "Service Status" +msgstr "服务状态" + +msgid "MTPhotos status:" +msgstr "MTPhotos 的状态信息如下:" + +msgid "Setup" +msgstr "安装配置" + +msgid "The following parameters will only take effect during installation or upgrade:" +msgstr "以下参数只在安装或者升级时才会生效:" + +msgid "Status" +msgstr "状态" + +msgid "MTPhotos is running" +msgstr "MTPhotos 运行中" + +msgid "MTPhotos is not running" +msgstr "MTPhotos 未运行" + +msgid "Open MTPhotos" +msgstr "打开 MTPhotos" + +msgid "The free space of Docker is less than 2GB, which may cause the installation to fail." +msgstr "Docker 可用空间已不足2GB,可能导致安装失败。" + +msgid "Please make sure there has enough space" +msgstr "请确保有足够空间" diff --git a/luci-app-mtphotos/po/zh_Hans b/luci-app-mtphotos/po/zh_Hans new file mode 120000 index 000000000..41451e4a1 --- /dev/null +++ b/luci-app-mtphotos/po/zh_Hans @@ -0,0 +1 @@ +zh-cn \ No newline at end of file diff --git a/luci-app-mtphotos/root/etc/config/mtphotos b/luci-app-mtphotos/root/etc/config/mtphotos new file mode 100644 index 000000000..69abbb987 --- /dev/null +++ b/luci-app-mtphotos/root/etc/config/mtphotos @@ -0,0 +1,5 @@ +config main + option 'port' '8063' +# option 'config_path' '' +# option 'upload_path' '' + diff --git a/luci-app-mtphotos/root/usr/libexec/istorec/mtphotos.sh b/luci-app-mtphotos/root/usr/libexec/istorec/mtphotos.sh new file mode 100755 index 000000000..ce6a99a8c --- /dev/null +++ b/luci-app-mtphotos/root/usr/libexec/istorec/mtphotos.sh 
@@ -0,0 +1,77 @@
+#!/bin/sh
+# Author Xiaobao(xiaobao@linkease.com)
+
+ACTION=${1}
+shift 1
+
+do_install() {
+ local port=`uci get mtphotos.@main[0].port 2>/dev/null`
+ local image_name=`uci get mtphotos.@main[0].image_name 2>/dev/null`
+ local config=`uci get mtphotos.@main[0].config_path 2>/dev/null`
+ local upload=`uci get mtphotos.@main[0].upload_path 2>/dev/null`
+
+ if [ -z "$config" ]; then
+ echo "config path is empty!"
+ exit 1
+ fi
+
+ [ -z "$image_name" ] && image_name="mtphotos/mt-photos:latest"
+ echo "docker pull ${image_name}"
+ docker pull ${image_name}
+ docker rm -f mtphotos
+
+ [ -z "$port" ] && port=8063
+
+ local cmd="docker run --restart=unless-stopped -d -h MTPhotosServer \
+ -v \"$upload:/upload\" \
+ -v \"$config:/config\" "
+
+ cmd="$cmd\
+ --dns=172.17.0.1 \
+ -p $port:8063 "
+
+ local tz="`uci get system.@system[0].zonename | sed 's/ /_/g'`"
+ [ -z "$tz" ] || cmd="$cmd -e TZ=$tz"
+
+ cmd="$cmd -v /mnt:/mnt"
+ mountpoint -q /mnt && cmd="$cmd:rslave"
+ cmd="$cmd --name mtphotos \"$image_name\""
+
+ echo "$cmd"
+ eval "$cmd"
+}
+
+usage() {
+ echo "usage: $0 sub-command"
+ echo "where sub-command is one of:"
+ echo " install Install the mtphotos"
+ echo " upgrade Upgrade the mtphotos"
+ echo " rm/start/stop/restart Remove/Start/Stop/Restart the mtphotos"
+ echo " status MTPhotos status"
+ echo " port MTPhotos port"
+}
+
+case ${ACTION} in
+ "install")
+ do_install
+ ;;
+ "upgrade")
+ do_install
+ ;;
+ "rm")
+ docker rm -f mtphotos
+ ;;
+ "start" | "stop" | "restart")
+ docker ${ACTION} mtphotos
+ ;;
+ "status")
+ docker ps --all -f 'name=mtphotos' --format '{{.State}}'
+ ;;
+ "port")
+ docker ps --all -f 'name=mtphotos' --format '{{.Ports}}' | grep -om1 '0.0.0.0:[0-9]*->8063/tcp' | sed 's/0.0.0.0:\([0-9]*\)->.*/\1/'
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+esac
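Review bot: `do_install` assembles `docker run` as a string and runs it through `eval "$cmd"`, so every UCI value it interpolates (`config_path`, `upload_path`, `image_name`, the system `zonename`) is re-parsed by the shell; a value containing a double quote, whitespace or `$(…)` breaks the command or executes as root, and because LuCI writes these values from a web form the quoting inside `cmd` is the only barrier. Only `config` is checked for emptiness, so an unset `upload_path` produces `-v ":/upload"`, and `docker rm -f mtphotos` runs before anyone knows whether `docker pull` succeeded, which discards a working container on a transient network failure. Build the argument list with `set --` instead, check both paths and the pull result, and anchor the name filters in `status`/`port` (`-f 'name=^mtphotos$'`, the filter is a regex/substring match) so a container such as `mtphotos-old` does not satisfy them. The hard-coded `--dns=172.17.0.1`, the whole-`/mnt` bind mount and the `-p $port:8063` wildcard publish (reachable on every interface the daemon binds, WAN-side ones included, unless the firewall constrains docker's chains) are design choices I would at least state in the script header.
```sh
do_install() {
	local port=$(uci -q get mtphotos.@main[0].port)
	local image_name=$(uci -q get mtphotos.@main[0].image_name)
	local config=$(uci -q get mtphotos.@main[0].config_path)
	local upload=$(uci -q get mtphotos.@main[0].upload_path)
	local p

	# Both host paths are bind-mounted into the container: require plain
	# absolute paths so a blank or relative value never reaches docker.
	for p in "$config" "$upload"; do
		case "$p" in
			/*) ;;
			*) echo "config path and upload path must be absolute paths!"; exit 1 ;;
		esac
	done

	[ -z "$image_name" ] && image_name="mtphotos/mt-photos:latest"
	[ -z "$port" ] && port=8063

	# Pull first; keep the existing container if the pull fails.
	echo "docker pull ${image_name}"
	docker pull "${image_name}" || { echo "docker pull ${image_name} failed!"; exit 1; }
	docker rm -f mtphotos

	# Build argv positionally instead of eval'ing a string: values are handed
	# to docker verbatim and are never re-parsed by the shell.
	set -- docker run --restart=unless-stopped -d -h MTPhotosServer \
		-v "$upload:/upload" \
		-v "$config:/config" \
		--dns=172.17.0.1 \
		-p "$port:8063"

	local tz="$(uci -q get system.@system[0].zonename | sed 's/ /_/g')"
	[ -z "$tz" ] || set -- "$@" -e "TZ=$tz"

	if mountpoint -q /mnt; then
		set -- "$@" -v /mnt:/mnt:rslave
	else
		set -- "$@" -v /mnt:/mnt
	fi
	set -- "$@" --name mtphotos "$image_name"

	echo "$@"
	"$@"
}

# … unchanged: usage() …

# … unchanged: case dispatch, apart from the two anchored name filters …
	"status")
		docker ps --all -f 'name=^mtphotos$' --format '{{.State}}'
		;;
	"port")
		docker ps --all -f 'name=^mtphotos$' --format '{{.Ports}}' | grep -om1 '0.0.0.0:[0-9]*->8063/tcp' | sed 's/0.0.0.0:\([0-9]*\)->.*/\1/'
		;;
```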
diff --git a/luci-app-mtphotos/root/usr/share/rpcd/acl.d/luci-app-mtphotos.json b/luci-app-mtphotos/root/usr/share/rpcd/acl.d/luci-app-mtphotos.json new file mode 100644 index 000000000..a548b4506 --- /dev/null +++ b/luci-app-mtphotos/root/usr/share/rpcd/acl.d/luci-app-mtphotos.json @@ -0,0 +1,11 @@ +{ + "luci-app-mtphotos": { + "description": "Grant UCI access for luci-app-mtphotos", + "read": { + "uci": [ "mtphotos" ] + }, + "write": { + "uci": [ "mtphotos" ] + } + } +} diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index 54de3b735..eb9954136 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 -PKG_VERSION:=1.27-5 +PKG_VERSION:=1.28-1 PKG_RELEASE:= PKG_CONFIG_DEPENDS:= \ diff --git a/luci-app-passwall2/luasrc/controller/passwall2.lua b/luci-app-passwall2/luasrc/controller/passwall2.lua index db7f4bfdb..7a7c7630f 100644 --- a/luci-app-passwall2/luasrc/controller/passwall2.lua +++ b/luci-app-passwall2/luasrc/controller/passwall2.lua @@ -176,13 +176,13 @@ end function status() local e = {} - e["global_status"] = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0 + e["global_status"] = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep -i 'global\\.json' >/dev/null", appname)) == 0 luci.http.prepare_content("application/json") luci.http.write_json(e) end function haproxy_status() - local e = luci.sys.call(string.format("top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0 + local e = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0 luci.http.prepare_content("application/json") luci.http.write_json(e) end 
@@ -192,12 +192,12 @@ function socks_status() local index = luci.http.formvalue("index") local id = luci.http.formvalue("id") e.index = index - e.socks_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0 + e.socks_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep 'SOCKS_' > /dev/null", appname, id)) == 0 local use_http = ucic:get(appname, id, "http_port") or 0 e.use_http = 0 if tonumber(use_http) > 0 then e.use_http = 1 - e.http_status = luci.sys.call(string.format("top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0 + e.http_status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v -E 'grep|acl/|acl_' | grep '%s/bin/' | grep '%s' | grep -E 'HTTP_|HTTP2SOCKS' > /dev/null", appname, id)) == 0 end luci.http.prepare_content("application/json") luci.http.write_json(e) @@ -355,7 +355,7 @@ end function server_user_status() local e = {} e.index = luci.http.formvalue("index") - e.status = luci.sys.call(string.format("top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0 + e.status = luci.sys.call(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/bin/' | grep -i '%s' >/dev/null", appname .. "_server", luci.http.formvalue("id"))) == 0 http_write_json(e) end diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua index b48aabfd4..fc686b5cb 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua 
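Review bot: `socks_status` and `server_user_status` still interpolate the request parameter `id` (from `luci.http.formvalue("id")`) straight into a shell pipeline via `string.format("... grep '%s' ...")`; a value containing a single quote escapes the grep quoting and the remainder runs with the privileges of the LuCI process, and switching to `/bin/busybox top` does nothing about that. Since `id` names a UCI section it can be validated before use: `local id = luci.http.formvalue("id") or ""` followed by `if not id:match("^[%w_]+$") then luci.http.status(400, "Bad Request") return end`, with the same two lines ahead of the `string.format` in `server_user_status`. Both functions open outside this hunk (their signatures appear only as hunk context), so the guard belongs at the top of each body rather than on the lines shown here.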
@@ -1,5 +1,6 @@ local api = require "luci.passwall2.api" local appname = api.appname +local uci = api.uci local sys = api.sys local port_validate = function(self, value, t) 
@@ -156,48 +157,51 @@ end sources.write = dynamicList_write ---- TCP No Redir Ports +local TCP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_no_redir_ports") o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports")) o.default = "default" o:value("disable", translate("No patterns are used")) -o:value("default", translate("Default")) +o:value("default", translate("Use global config") .. "(" .. TCP_NO_REDIR_PORTS .. ")") o:value("1:65535", translate("All")) o.validate = port_validate ---- UDP No Redir Ports +local UDP_NO_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_no_redir_ports") o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"), "" .. translate("If you don't want to let the device in the list to go proxy, please choose all.") .. "") o.default = "default" o:value("disable", translate("No patterns are used")) -o:value("default", translate("Default")) +o:value("default", translate("Use global config") .. "(" .. UDP_NO_REDIR_PORTS .. ")") o:value("1:65535", translate("All")) o.validate = port_validate +node = s:option(ListValue, "node", "" .. translate("Node") .. "") +node.default = "default" +node:value("default", translate("Use global config")) +for k, v in pairs(nodes_table) do + node:value(v.id, v["remark"]) +end + ---- TCP Redir Ports +local TCP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "tcp_redir_ports") o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports")) o.default = "default" -o:value("default", translate("Default")) +o:value("default", translate("Use global config") .. "(" .. TCP_REDIR_PORTS .. 
")") o:value("1:65535", translate("All")) o:value("22,25,53,143,465,587,853,993,995,80,443", translate("Common Use")) o:value("80,443", "80,443") o.validate = port_validate ---- UDP Redir Ports +local UDP_REDIR_PORTS = uci:get(appname, "@global_forwarding[0]", "udp_redir_ports") o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports")) o.default = "default" -o:value("default", translate("Default")) +o:value("default", translate("Use global config") .. "(" .. UDP_REDIR_PORTS .. ")") o:value("1:65535", translate("All")) o.validate = port_validate -node = s:option(ListValue, "node", "" .. translate("Node") .. "") -node.default = "default" -node:value("default", translate("Default")) - -for k, v in pairs(nodes_table) do - node:value(v.id, v["remark"]) -end - o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol")) o:value("tcp", "TCP") o:value("doh", "DoH") diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua index a600670a4..6afb0b2ba 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua @@ -211,6 +211,10 @@ o = s:taboption("Main", Flag, "localhost_proxy", translate("Localhost Proxy"), t o.default = "1" o.rmempty = false +o = s:taboption("Main", Flag, "client_proxy", translate("Client Proxy"), translate("When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy.")) +o.default = "1" +o.rmempty = false + node_socks_port = s:taboption("Main", Value, "node_socks_port", translate("Node") .. " Socks " .. translate("Listen Port")) node_socks_port.default = 1070 node_socks_port.datatype = "port" 
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua index 75ada90e1..222ff7d13 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe.lua @@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal") local has_singbox = api.finded_com("singbox") local has_xray = api.finded_com("xray") local has_hysteria2 = api.finded_com("hysteria") -local ss_aead_type = {} +local ss_type = {} local trojan_type = {} local vmess_type = {} local vless_type = {} local hysteria2_type = {} if has_ss then local s = "shadowsocks-libev" - table.insert(ss_aead_type, s) + table.insert(ss_type, s) end if has_ss_rust then local s = "shadowsocks-rust" - table.insert(ss_aead_type, s) + table.insert(ss_type, s) end if has_singbox then local s = "sing-box" table.insert(trojan_type, s) - table.insert(ss_aead_type, s) + table.insert(ss_type, s) table.insert(vmess_type, s) table.insert(vless_type, s) table.insert(hysteria2_type, s) @@ -29,7 +29,7 @@ end if has_xray then local s = "xray" table.insert(trojan_type, s) - table.insert(ss_aead_type, s) + table.insert(ss_type, s) table.insert(vmess_type, s) table.insert(vless_type, s) end @@ -56,9 +56,9 @@ o = s:option(DynamicList, "filter_discard_list", translate("Discard List")) o = s:option(DynamicList, "filter_keep_list", translate("Keep List")) -if #ss_aead_type > 0 then - o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD")) - for key, value in pairs(ss_aead_type) do +if #ss_type > 0 then + o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks")) + for key, value in pairs(ss_type) do o:value(value) end end 
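Review bot: renaming the stored option from `ss_aead_type` to `ss_type` changes the UCI key existing subscriptions were saved under, so an install upgrading to 1.28-1 silently falls back to the first list entry for Shadowsocks nodes until the user re-saves the form, and any `ss_aead_type` left in `/etc/config/passwall2` becomes dead weight with no warning. Unless `subscribe.lua` (in the diffstat, not visible here) still honours the old key, I would add a one-off migration in the package's post-install script that copies `ss_aead_type` to `ss_type` for the sections that carry it and deletes the old key, or at least read the old key as the default for the new option.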
diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua index 7764dd6d1..0ca1e2e93 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_subscribe_config.lua @@ -5,23 +5,23 @@ local has_ss_rust = api.is_finded("sslocal") local has_singbox = api.finded_com("singbox") local has_xray = api.finded_com("xray") local has_hysteria2 = api.finded_com("hysteria") -local ss_aead_type = {} +local ss_type = {} local trojan_type = {} local vmess_type = {} local vless_type = {} local hysteria2_type = {} if has_ss then local s = "shadowsocks-libev" - table.insert(ss_aead_type, s) + table.insert(ss_type, s) end if has_ss_rust then local s = "shadowsocks-rust" - table.insert(ss_aead_type, s) + table.insert(ss_type, s) end if has_singbox then local s = "sing-box" table.insert(trojan_type, s) - table.insert(ss_aead_type, s) + table.insert(ss_type, s) table.insert(vmess_type, s) table.insert(vless_type, s) table.insert(hysteria2_type, s) @@ -29,7 +29,7 @@ end if has_xray then local s = "xray" table.insert(trojan_type, s) - table.insert(ss_aead_type, s) + table.insert(ss_type, s) table.insert(vmess_type, s) table.insert(vless_type, s) end @@ -76,11 +76,11 @@ o:depends("filter_keyword_mode", "2") o:depends("filter_keyword_mode", "3") o:depends("filter_keyword_mode", "4") -if #ss_aead_type > 0 then - o = s:option(ListValue, "ss_aead_type", translatef("%s Node Use Type", "SS AEAD")) +if #ss_type > 0 then + o = s:option(ListValue, "ss_type", translatef("%s Node Use Type", "Shadowsocks")) o.default = "global" o:value("global", translate("Use global config")) - for key, value in pairs(ss_aead_type) do + for key, value in pairs(ss_type) do o:value(value) end end 
diff --git a/luci-app-passwall2/luasrc/passwall2/server_app.lua b/luci-app-passwall2/luasrc/passwall2/server_app.lua index d77a65d7a..eadef9270 100644 --- a/luci-app-passwall2/luasrc/passwall2/server_app.lua +++ b/luci-app-passwall2/luasrc/passwall2/server_app.lua @@ -204,7 +204,7 @@ local function start() end local function stop() - cmd(string.format("top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH)) + cmd(string.format("/bin/busybox top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH)) if nft_flag == "0" then ipt("-D INPUT -j PSW2-SERVER 2>/dev/null") ipt("-F PSW2-SERVER 2>/dev/null") diff --git a/luci-app-passwall2/po/zh-cn/passwall2.po b/luci-app-passwall2/po/zh-cn/passwall2.po index 205071c69..d1f82d163 100644 --- a/luci-app-passwall2/po/zh-cn/passwall2.po +++ b/luci-app-passwall2/po/zh-cn/passwall2.po @@ -91,6 +91,12 @@ msgstr "路由器本机代理" msgid "When selected, localhost can transparent proxy." msgstr "当勾选时,路由器本机可以透明代理。" +msgid "Client Proxy" +msgstr "客户端代理" + +msgid "When selected, devices in LAN can transparent proxy. Otherwise, it will not be proxy. But you can still use access control to allow the designated device to proxy." +msgstr "当勾选时,局域网内的设备可以透明代理。否则,将不代理。但您仍然可以使用访问控制允许指定的设备代理。" + msgid "Socks Config" msgstr "Socks配置" diff --git a/luci-app-passwall2/root/usr/share/passwall2/0_default_config b/luci-app-passwall2/root/usr/share/passwall2/0_default_config index 9547718f8..5392092bc 100644 --- a/luci-app-passwall2/root/usr/share/passwall2/0_default_config +++ b/luci-app-passwall2/root/usr/share/passwall2/0_default_config @@ -3,6 +3,7 @@ config global option enabled '0' option node_socks_port '1070' option localhost_proxy '1' + option client_proxy '1' option socks_enabled '0' option acl_enable '0' option node 'myshunt' 
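Review bot: `stop()` still kills by pattern — every process whose `top` line contains `CONFIG_PATH/` receives `kill -9`, including an unrelated process that merely has that path on its command line, and `-9` gives the proxy servers no chance to close their listening sockets cleanly; pinning `/bin/busybox top` only makes the PID column predictable. Since `start()` launches these processes itself, record their PIDs (a pidfile per server under `CONFIG_PATH`) and send TERM before KILL, rather than grepping `top` output for a path. `stop()` continues past this hunk (the `nft_flag` branch that follows is outside what is visible here).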
diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index ea203b0ff..a9ee2150d 100644 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -1122,6 +1122,7 @@ UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535') TCP_PROXY_MODE="global" UDP_PROXY_MODE="global" LOCALHOST_PROXY=$(config_t_get global localhost_proxy '1') +CLIENT_PROXY=$(config_t_get global client_proxy '1') REMOTE_DNS_PROTOCOL=$(config_t_get global remote_dns_protocol tcp) REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote) REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g') diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index 68abe4e14..e26198477 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh 
@@ -203,121 +203,127 @@ load_acl() { [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS - + node_remark=$(config_n_get $NODE remarks) [ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node) [ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port) [ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks) write_ipset_direct=${write_ipset_direct:-1} + [ "${write_ipset_direct}" = "1" ] && { + if [ "$node" = "default" ]; then + local ipset_whitelist=${ipset_global_whitelist} + local ipset_whitelist6=${ipset_global_whitelist6} + else + local ipset_whitelist="passwall2_${sid}_whitelist" + local ipset_whitelist6="passwall2_${sid}_whitelist6" + ipset -! create $ipset_whitelist nethash maxelem 1048576 + ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576 + fi + } for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do if [ -n "$(echo ${i} | grep '^iprange:')" ]; then _iprange=$(echo ${i} | sed 's#iprange:##g') _ipt_source=$(factor ${_iprange} "-m iprange --src-range") - msg="备注【$remarks】,IP range【${_iprange}】," + msg="【$remarks】,IP range【${_iprange}】," elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then _ipset=$(echo ${i} | sed 's#ipset:##g') _ipt_source="-m set --match-set ${_ipset} src" - msg="备注【$remarks】,IPset【${_ipset}】," + msg="【$remarks】,IPset【${_ipset}】," elif [ -n "$(echo ${i} | grep '^ip:')" ]; then _ip=$(echo ${i} | sed 's#ip:##g') _ipt_source=$(factor ${_ip} "-s") - msg="备注【$remarks】,IP【${_ip}】," + msg="【$remarks】,IP【${_ip}】," elif [ -n "$(echo ${i} | grep '^mac:')" ]; then _mac=$(echo ${i} | sed 's#mac:##g') _ipt_source=$(factor ${_mac} "-m mac --mac-source") - msg="备注【$remarks】,MAC【${_mac}】," + msg="【$remarks】,MAC【${_mac}】," else continue fi - - local 
ipset_whitelist="passwall2_${sid}_whitelist" - local ipset_whitelist6="passwall2_${sid}_whitelist6" - ipset -! create $ipset_whitelist nethash maxelem 1048576 - ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576 ipt_tmp=$ipt_n [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m - - [ -n "$redir_port" ] && { - if [ "$tcp_proxy_mode" != "disable" ]; then - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) - msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" - if [ -n "${is_tproxy}" ]; then - msg2="${msg2}(TPROXY:${redir_port})代理" - ipt_tmp=$ipt_m - else - msg2="${msg2}(REDIRECT:${redir_port})代理" - fi - - [ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN - - [ "$accept_icmp" = "1" ] && { - $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) - $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT) - } - - [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { - $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null - $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null - } - - [ "$tcp_no_redir_ports" != "disable" ] && { - $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN - $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null - msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" - - if [ "${ipt_tmp}" = "${ipt_n}" ]; then - $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port) - $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports 
"-m multiport --dport") $(REDIRECT $redir_port) - else - $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE - $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE - $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) - fi - [ "$PROXY_IPV6" == "1" ] && { - [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN - $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null - $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null - $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null - } + + [ "$tcp_no_redir_ports" != "disable" ] && { + if [ "$tcp_no_redir_ports" != "1:65535" ]; then + $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null + $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN + echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]" else - msg2="${msg}不代理TCP" + #结束时会return,无需加多余的规则。 + tcp_proxy_mode="disable" + echolog " - ${msg}不代理所有 TCP" + fi + } + + [ "$udp_no_redir_ports" != "disable" ] && { + if [ "$udp_no_redir_ports" != "1:65535" ]; then + $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null + $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN + echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]" + else + #结束时会return,无需加多余的规则。 + udp_proxy_mode="disable" + echolog " - ${msg}不代理所有 UDP" fi - echolog " - ${msg2}" } + [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { + [ -s 
"${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) + msg2="${msg}使用 TCP 节点[$node_remark]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${redir_port})" + else + msg2="${msg2}(REDIRECT:${redir_port})" + fi + + [ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN + + [ "$accept_icmp" = "1" ] && { + $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) + $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT) + } + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null + $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null + } + + if [ "${ipt_tmp}" = "${ipt_n}" ]; then + $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $redir_port) + $ipt_n -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $redir_port) + else + $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE + $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE + $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) + fi + [ "$PROXY_IPV6" == "1" ] && { + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! 
-d $FAKE_IP_6 -j RETURN + $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null + $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null + $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null + } + echolog " - ${msg2}" + } $ipt_tmp -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null - [ -n "$redir_port" ] && { - if [ "$udp_proxy_mode" != "disable" ]; then - msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]" - msg2="${msg2}(TPROXY:${redir_port})代理" - [ "$udp_no_redir_ports" != "disable" ] && { - $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN - $ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null - msg2="${msg2}[$?]除${udp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" + [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { + msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})" - [ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN - $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE - $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE - $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) + [ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! 
-d $FAKE_IP -j RETURN + $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE + $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE + $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) - [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN - $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null - $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null - $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null - } - else - msg2="${msg}不代理UDP" - fi + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN + $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null + $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null + $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null + } echolog " - ${msg2}" } $ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 
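Review bot: The `1:65535` branch of the new no-redir handling reassigns `tcp_proxy_mode="disable"` (and likewise `udp_proxy_mode`) instead of adding a rule, which also suppresses the per-ACL DNS hijack rule (`-p udp ... --dport 53 -j REDIRECT` in PSW2_REDIRECT), because that line now sits inside the `[ "$tcp_proxy_mode" != "disable" ]` block — a side effect the Chinese comment does not mention. If that coupling is intended, state it where the mode is overwritten: `# "1:65535" = proxy nothing for this ACL: no rule needed (the trailing '-p tcp -j RETURN' catches it); the ACL's DNS redirect is skipped as well`. Note also that the sentinel is a plain string compare, so only a value spelled exactly `1:65535` takes this path; whether the UI normalises the port list I cannot tell from here. load_acl begins before this hunk.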
@@ -329,92 +335,90 @@ load_acl() { done } - [ "$ENABLED_DEFAULT_ACL" == 1 ] && { + [ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && { # 加载默认代理模式 - if [ "$TCP_PROXY_MODE" != "disable" ]; then - local ipt_tmp=$ipt_n - [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { - $ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - $ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - msg="${msg}除${TCP_NO_REDIR_PORTS}外的" + msg="【默认】," + local ipt_tmp=$ipt_n + [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m + + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { + $ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + $ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]" + else + TCP_PROXY_MODE="disable" + echolog " - ${msg}不代理所有 TCP 端口" + fi + } + + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { + $ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN + $ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN + if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]" + else + UDP_PROXY_MODE="disable" + echolog " - ${msg}不代理所有 UDP 端口" + fi + } + + if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then + msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${REDIR_PORT})" + else + msg2="${msg2}(REDIRECT:${REDIR_PORT})" + fi + + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! 
-d $FAKE_IP -j RETURN + + [ "$accept_icmp" = "1" ] && { + $ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT) + $ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT) } - [ "$NODE" != "nil" ] && { - msg="TCP默认代理:使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]" - if [ -n "${is_tproxy}" ]; then - msg="${msg}(TPROXY:${REDIR_PORT})代理" - else - msg="${msg}(REDIRECT:${REDIR_PORT})代理" - fi - - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" - msg="${msg}所有端口" - - [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN - - [ "$accept_icmp" = "1" ] && { - $ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT) - $ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT) - } - - [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { - $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT) - $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT) - } - - if [ "${ipt_tmp}" = "${ipt_n}" ]; then - $ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT) - $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT) - else - $ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE - $ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE - $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY) - fi - - [ "$PROXY_IPV6" == "1" ] && { - [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! 
-d $FAKE_IP_6 -j RETURN - $ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE - $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE - $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY) - } - - echolog "${msg}" + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT) + $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT) } + + if [ -z "${is_tproxy}" ]; then + $ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT) + $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT) + else + $ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE + $ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE + $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY) + fi + + [ "$PROXY_IPV6" == "1" ] && { + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! 
-d $FAKE_IP_6 -j RETURN + $ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE + $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE + $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY) + } + + echolog "${msg2}" fi - $ipt_n -A PSW2 $(comment "默认") -p tcp -j RETURN - $ipt_m -A PSW2 $(comment "默认") -p tcp -j RETURN - $ip6t_m -A PSW2 $(comment "默认") -p tcp -j RETURN - # 加载UDP默认代理模式 - if [ "$UDP_PROXY_MODE" != "disable" ]; then - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { - $ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - $ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - } + if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then + msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})" - [ -n "1" ] && { - msg="UDP默认代理:使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理" - - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的" - msg="${msg}所有端口" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN + $ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE + $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE + $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) - [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! 
-d $FAKE_IP -j RETURN - $ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE - $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE - $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) + if [ "$PROXY_IPV6_UDP" == "1" ]; then + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN + $ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE + $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE + $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) + fi - if [ "$PROXY_IPV6_UDP" == "1" ]; then - [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN - $ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE - $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE - $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) - fi - - echolog "${msg}" - } + echolog "${msg2}" fi - $ipt_m -A PSW2 $(comment "默认") -p udp -j RETURN - $ip6t_m -A PSW2 $(comment "默认") -p udp -j RETURN } } 
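Review bot: When the default no-redir list is `1:65535`, this block now overwrites the script-wide `TCP_PROXY_MODE`/`UDP_PROXY_MODE` (initialised to `global` in app.sh) from inside load_acl, so anything that runs after load_acl and reads those variables will see `disable`; a local copy keeps the change contained, e.g. `local tcp_mode=$TCP_PROXY_MODE`, then `tcp_mode="disable"` and `[ "$tcp_mode" != "disable" ]`. Also, unlike the per-ACL path above, the `-m multiport --dport 1:65535 -j RETURN` rules are still installed here before the mode is switched off — harmless, but the two paths should agree. The new `[ "$CLIENT_PROXY" == 1 ]` gate skips the whole default block, which only yields "not proxied" because a user chain with no matching rule returns to its caller; worth a comment so nobody later appends a catch-all to PSW2 after load_acl. load_acl starts before this hunk.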
@@ -733,10 +737,41 @@ add_firewall_rule() { } [ "$ENABLED_DEFAULT_ACL" == 1 ] && { + local ipt_tmp=$ipt_n + [ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m + + # 过滤节点 + filter_node $NODE TCP > /dev/null 2>&1 & + filter_node $NODE UDP > /dev/null 2>&1 & + + TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY + UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY + + msg="【路由器本机】," + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { + $ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + $ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]" + else + unset TCP_LOCALHOST_PROXY + echolog " - ${msg}不代理所有 TCP" + fi + } + + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { + $ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN + $ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN + if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]" + else + unset UDP_LOCALHOST_PROXY + echolog " - ${msg}不代理所有 UDP" + fi + } + # 加载路由器自身代理 TCP - if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then - echolog "加载路由器自身 TCP 代理..." - + if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then [ "$accept_icmp" = "1" ] && { $ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT $ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT) 
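Review bot: `filter_node $NODE TCP`/`UDP` are now forked (`&`) before the PSW2_OUTPUT RETURN rules are appended, rather than after the localhost TCP rules as before, and nothing waits for them; if filter_node itself appends to PSW2_OUTPUT or PSW2 (its body is not visible here), the relative order of its rules and the ones added below now depends on scheduling. Either `wait` before the first `-A PSW2_OUTPUT`, or document the invariant: `# filter_node runs asynchronously; it must only touch its own chains/sets, never PSW2_OUTPUT`. Note too that the no-redir RETURN rules are now installed even when NODE is nil or LOCALHOST_PROXY is 0 — inert as long as OUTPUT is only hooked to PSW2_OUTPUT inside the proxy branches, which appears to be the case below. add_firewall_rule begins and ends outside this hunk.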
@@ -748,20 +783,8 @@ add_firewall_rule() { $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT) $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT) } - - local ipt_tmp=$ipt_n - [ -n "${is_tproxy}" ] && { - echolog " - 启用 TPROXY 模式" - ipt_tmp=$ipt_m - } - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { - $ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - $ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS" - } - - if [ "${ipt_tmp}" = "${ipt_n}" ]; then + if [ -z "${is_tproxy}" ]; then $ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT) $ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT) $ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT @@ -787,20 +810,8 @@ add_firewall_rule() { done fi - # 处理轮换节点的分流或套娃 - filter_node $NODE TCP > /dev/null 2>&1 & - filter_node $NODE UDP > /dev/null 2>&1 & - # 加载路由器自身代理 UDP - if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then - echolog "加载路由器自身 UDP 代理..." - - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { - $ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - $ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS" - } - + if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then $ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE $ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE $ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY) diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index 83a13dc17..13301db9b 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh 
@@ -230,8 +230,6 @@ load_acl() { [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS - [ "$tcp_no_redir_ports" = "1:65535" ] && tcp_proxy_mode="disable" - [ "$udp_no_redir_ports" = "1:65535" ] && udp_proxy_mode="disable" node_remark=$(config_n_get $NODE remarks) [ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node) 
@@ -239,114 +237,121 @@ load_acl() { [ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks) write_ipset_direct=${write_ipset_direct:-1} + [ "${write_ipset_direct}" = "1" ] && { + if [ "$node" = "default" ]; then + local nftset_whitelist=${nftset_global_whitelist} + local nftset_whitelist6=${nftset_global_whitelist6} + else + local nftset_whitelist="passwall2_${sid}_whitelist" + local nftset_whitelist6="passwall2_${sid}_whitelist6" + gen_nftset $nftset_whitelist ipv4_addr 0 0 + gen_nftset $nftset_whitelist6 ipv6_addr 0 0 + fi + } for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do if [ -n "$(echo ${i} | grep '^iprange:')" ]; then _iprange=$(echo ${i} | sed 's#iprange:##g') _ipt_source=$(factor ${_iprange} "ip saddr") - msg="备注【$remarks】,IP range【${_iprange}】," + msg="【$remarks】,IP range【${_iprange}】," elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then _ipset=$(echo ${i} | sed 's#ipset:##g') _ipt_source="ip daddr @${_ipset}" - msg="备注【$remarks】,NFTset【${_ipset}】," + msg="【$remarks】,NFTset【${_ipset}】," elif [ -n "$(echo ${i} | grep '^ip:')" ]; then _ip=$(echo ${i} | sed 's#ip:##g') _ipt_source=$(factor ${_ip} "ip saddr") - msg="备注【$remarks】,IP【${_ip}】," + msg="【$remarks】,IP【${_ip}】," elif [ -n "$(echo ${i} | grep '^mac:')" ]; then _mac=$(echo ${i} | sed 's#mac:##g') _ipt_source=$(factor ${_mac} "ether saddr") - msg="备注【$remarks】,MAC【${_mac}】," + msg="【$remarks】,MAC【${_mac}】," else continue fi - local nftset_whitelist="passwall2_${sid}_whitelist" - local nftset_whitelist6="passwall2_${sid}_whitelist6" - gen_nftset $nftset_whitelist ipv4_addr 0 0 - gen_nftset $nftset_whitelist6 ipv6_addr 0 0 - - [ -n "$redir_port" ] && { - if [ "$tcp_proxy_mode" != "disable" ]; then - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" - msg2="${msg}使用TCP节点[$node_remark] 
[$(get_action_chain_name $tcp_proxy_mode)]" - if [ -n "${is_tproxy}" ]; then - msg2="${msg2}(TPROXY:${redir_port})代理" - else - msg2="${msg2}(REDIRECT:${redir_port})代理" - fi - - [ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" - [ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" - - [ "$accept_icmp" = "1" ] && { - nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\"" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\"" - } - - [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null - } - - [ "$tcp_no_redir_ports" != "disable" ] && { - nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\"" - msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" - - if [ -z "${is_tproxy}" ]; then - nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\"" - nft 
"add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\"" - else - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" - fi - - [ "$PROXY_IPV6" == "1" ] && { - [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null - } + [ "$tcp_no_redir_ports" != "disable" ] && { + if [ "$tcp_no_redir_ports" != "1:65535" ]; then + nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 ${_ipt_source} meta l4proto tcp $(factor $tcp_no_redir_ports "tcp dport") counter return comment \"$remarks\"" + echolog " - ${msg}不代理 TCP 端口[${tcp_no_redir_ports}]" else - msg2="${msg}不代理TCP" + #结束时会return,无需加多余的规则。 + tcp_proxy_mode="disable" + echolog " - ${msg}不代理所有 TCP" + fi + } + + [ "$udp_no_redir_ports" != "disable" ] && { + if [ "$udp_no_redir_ports" != "1:65535" ]; then + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") 
counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null + echolog " - ${msg}不代理 UDP 端口[${udp_no_redir_ports}]" + else + #结束时会return,无需加多余的规则。 + udp_proxy_mode="disable" + echolog " - ${msg}不代理所有 UDP" fi - echolog " - ${msg2}" } + [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + msg2="${msg}使用 TCP 节点[$node_remark]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${redir_port})" + else + msg2="${msg2}(REDIRECT:${redir_port})" + fi + + [ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + + [ "$accept_icmp" = "1" ] && { + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\"" + } + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto 
icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null + } + + if [ -z "${is_tproxy}" ]; then + nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $redir_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $redir_port) comment \"$remarks\"" + else + nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" + fi + + [ "$PROXY_IPV6" == "1" ] && { + [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null + } + echolog " - ${msg2}" + } nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null - [ -n "$redir_port" ] && { - if [ "$udp_proxy_mode" != "disable" ]; then - msg2="${msg}使用UDP节点[$node_remark] [$(get_action_chain_name $udp_proxy_mode)]" - msg2="${msg2}(TPROXY:${redir_port})代理" - [ "$udp_no_redir_ports" != "disable" ] && { - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp 
${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return comment \"$remarks\"" 2>/dev/null - msg2="${msg2}[$?]除${udp_no_redir_ports}外的" - } - msg2="${msg2}所有端口" + [ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { + msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})" - [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" - [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" - nft "add rule inet fw4 
PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null - } - else - msg2="${msg}不代理UDP" - fi + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null + } echolog " - ${msg2}" } nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\"" 
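Review bot: Every new rule in this hunk is built on `${_ipt_source}`, and for an `ipset:` entry that is `ip daddr @${_ipset}` — a destination match, while the iprange/ip/mac branches use `ip saddr`/`ether saddr` and the iptables backend uses `--match-set ${_ipset} src`; an ACL keyed on an nftset would therefore apply to traffic going to those addresses rather than coming from the listed devices, unless the asymmetry is deliberate, which nothing here indicates. The one-word fix is `_ipt_source="ip saddr @${_ipset}"`, and whichever is intended deserves a comment on that line. A smaller, presumably pre-existing point: the same variable carries `ip saddr` into the `PSW2_MANGLE_V6` rules, which in an `inet` table restricts them to IPv4 packets, so the IPv6 TCP/UDP rules for `ip:`/`iprange:` entries never match — the `2>/dev/null` hides whatever nft says about it. load_acl begins before this hunk.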
@@ -358,87 +363,91 @@ load_acl() { done } - [ "$ENABLED_DEFAULT_ACL" == 1 ] && { + [ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ] && { # 加载默认代理模式 - if [ "$TCP_PROXY_MODE" != "disable" ]; then - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { - nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" - nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" + msg="【默认】," + + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { + nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" + nft add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" + if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]" + else + TCP_PROXY_MODE="disable" + echolog " - ${msg}不代理所有 TCP 端口" + fi + } + + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { + nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\"" + nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\"" + if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]" + else + UDP_PROXY_MODE="disable" + echolog " - ${msg}不代理所有 UDP 端口" + fi + } + + if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then + msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${REDIR_PORT})" + else + msg2="${msg2}(REDIRECT:${REDIR_PORT})" + fi + + [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n 
"${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + + [ "$accept_icmp" = "1" ] && { + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\"" } - [ "$NODE" != "nil" ] && { - msg="TCP默认代理:使用TCP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]" - if [ -n "${is_tproxy}" ]; then - msg="${msg}(TPROXY:${REDIR_PORT})代理" - else - msg="${msg}(REDIRECT:${REDIR_PORT})代理" - fi - - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" - msg="${msg}所有端口" - [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" - [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" - - [ "$accept_icmp" = "1" ] && { - nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\"" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\"" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\"" - } - - [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\"" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\"" - nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\"" - } - - if [ -z "${is_tproxy}" ]; then - nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT) comment 
\"默认\"" - nft "add rule inet fw4 PSW2_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT) comment \"默认\"" - else - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\"" - fi - - [ "$PROXY_IPV6" == "1" ] && { - [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" - } - - echolog "${msg}" + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\"" } + + if [ -z "${is_tproxy}" ]; then + nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW2_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT) comment \"默认\"" + else + nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT 
TPROXY4) comment \"默认\"" + fi + + [ "$PROXY_IPV6" == "1" ] && { + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" + } + + echolog "${msg2}" fi - # 加载UDP默认代理模式 - if [ "$UDP_PROXY_MODE" != "disable" ]; then - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { - nft "add inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\"" - nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\"" + if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then + msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})" + + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\"" + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta 
l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\"" + nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" } - [ -n "1" ] && { - msg="UDP默认代理:使用UDP节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理" - - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的" - msg="${msg}所有端口" - - [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\"" - - [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\"" - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" - } - - echolog "${msg}" - udp_flag=1 - } + echolog "${msg2}" + udp_flag=1 fi } } 
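Review bot: The two default-ACL UDP bypass rules at the top of the new `UDP_NO_REDIR_PORTS` block appear to be missing the `rule` keyword — `nft "add inet fw4 PSW2_MANGLE ip protocol udp …"` and `nft "add inet fw4 PSW2_MANGLE_V6 counter meta l4proto udp …"` — while the TCP lines directly above use `nft add rule inet fw4 …`; nft rejects `add inet` as a syntax error, so neither return rule is installed. Because the following `echolog " - ${msg}不代理 UDP 端口[…]"` does not look at nft's exit status, the log claims the ports are excluded while UDP on them still reaches the TPROXY rules added further down (only the `1:65535` case is safe, since it flips `UDP_PROXY_MODE` to disable and skips them). I would change them to `nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""` and `nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""`. The whitelist rules in this same block still tag their comment with `\"$remarks\"`, which in the default branch is whatever the last ACL iteration left behind rather than `默认`. load_acl starts before this hunk.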
@@ -769,10 +778,38 @@ add_firewall_rule() { } [ "$ENABLED_DEFAULT_ACL" == 1 ] && { - # 加载路由器自身代理 TCP - if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then - echolog "加载路由器自身 TCP 代理..." + # 过滤节点 + filter_node $NODE TCP > /dev/null 2>&1 & + filter_node $NODE UDP > /dev/null 2>&1 & + TCP_LOCALHOST_PROXY=$LOCALHOST_PROXY + UDP_LOCALHOST_PROXY=$LOCALHOST_PROXY + + msg="【路由器本机】," + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { + nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return" + nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return" + if [ "$TCP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 TCP 端口[${TCP_NO_REDIR_PORTS}]" + else + unset TCP_LOCALHOST_PROXY + echolog " - ${msg}不代理所有 TCP" + fi + } + + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { + nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return + nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return + if [ "$UDP_NO_REDIR_PORTS" != "1:65535" ]; then + echolog " - ${msg}不代理 UDP 端口[${UDP_NO_REDIR_PORTS}]" + else + unset UDP_LOCALHOST_PROXY + echolog " - ${msg}不代理所有 UDP" + fi + } + + # 加载路由器自身代理 TCP + if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect" nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect" 
@@ -785,16 +822,6 @@ add_firewall_rule() { nft "add rule inet fw4 PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return" } - [ -n "${is_tproxy}" ] && { - echolog " - 启用 TPROXY 模式" - } - - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { - nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return" - nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return" - echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS" - } - if [ -z "${is_tproxy}" ]; then nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $REDIR_PORT)" nft "add rule inet fw4 PSW2_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $REDIR_PORT)" @@ -819,21 +846,9 @@ add_firewall_rule() { nft "insert rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip protocol tcp oif $iface counter return" done fi - - # 处理轮换节点的分流或套娃 - filter_node $NODE TCP > /dev/null 2>&1 & - filter_node $NODE UDP > /dev/null 2>&1 & # 加载路由器自身代理 UDP - if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then - echolog "加载路由器自身 UDP 代理..." - - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { - nft add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return - nft add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return - echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS" - } - + if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\"" 
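Review bot: `filter_node $NODE TCP > /dev/null 2>&1 &` and its UDP twin are now launched in the background before any of the localhost rules in this hunk are added, so whatever rules they insert (if they touch the same output chains, as the old comment `# 处理轮换节点的分流或套娃` suggests) race against the `counter return` and redirect rules that follow, and any nft error they hit is discarded with their output. If filter_node is meant to exempt the node's own server address from the OUTPUT redirect, losing that race leaves a window in which the proxy's own upstream traffic is redirected into itself; I would run them in the foreground here, `filter_node $NODE TCP > /dev/null 2>&1` / `filter_node $NODE UDP > /dev/null 2>&1`, or `wait` before the first `nft add rule` if they genuinely need to run concurrently. A short comment above them stating what they insert and why they must precede the localhost rules would also help, since the informative old comment was replaced by the bare `# 过滤节点`. add_firewall_rule starts before and continues after this hunk.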
diff --git a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
index b3a1217d6..2fc190438 100755
--- a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
+++ b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
@@ -28,7 +28,7 @@ local has_singbox = api.finded_com("singbox")
 local has_xray = api.finded_com("xray")
 local has_hysteria2 = api.finded_com("hysteria")
 local allowInsecure_default = true
-local ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
+local ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
 local trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
 local vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
 local vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"
@@ -531,31 +531,49 @@ local function processData(szType, content, add_mode, add_from) result.method = method result.password = password - local aead = false - for k, v in ipairs({"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "chacha20-ietf-poly1305"}) do - if method:lower() == v:lower() then - aead = true + if ss_type_default == "shadowsocks-rust" and has_ss_rust then + result.type = 'SS-Rust' + end + if ss_type_default == "xray" and has_xray then + result.type = 'Xray' + result.protocol = 'shadowsocks' + result.transport = 'tcp' + end + if ss_type_default == "sing-box" and has_singbox then + result.type = 'sing-box' + result.protocol = 'shadowsocks' + end + + if result.type == "SS-Rust" and method:lower() == "chacha20-poly1305" then + result.method = "chacha20-ietf-poly1305" + end + + if result.type == "Xray" and method:lower() == "chacha20-ietf-poly1305" then + result.method = "chacha20-poly1305" + end + + if result.plugin then + if result.type == 'Xray' then + --不支持插件 + result.error_msg = "Xray不支持插件." 
+ end + if result.type == "sing-box" then + result.plugin_enabled = "1" end end - if aead then - if ss_aead_type_default == "shadowsocks-libev" and has_ss then - result.type = "SS" - elseif ss_aead_type_default == "shadowsocks-rust" and has_ss_rust then - result.type = 'SS-Rust' - if method:lower() == "chacha20-poly1305" then - result.method = "chacha20-ietf-poly1305" - end - elseif ss_aead_type_default == "sing-box" and has_singbox and not result.plugin then - result.type = 'sing-box' - result.protocol = 'shadowsocks' - elseif ss_aead_type_default == "xray" and has_xray and not result.plugin then - result.type = 'Xray' - result.protocol = 'shadowsocks' - result.transport = 'tcp' - if method:lower() == "chacha20-ietf-poly1305" then - result.method = "chacha20-poly1305" + + if result.type == "SS" then + local aead2022_methods = { "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm", "2022-blake3-chacha20-poly1305" } + local aead2022 = false + for k, v in ipairs(aead2022_methods) do + if method:lower() == v:lower() then + aead2022 = true end end + if aead2022 then + -- shadowsocks-libev 不支持2022加密 + result.error_msg = "shadowsocks-libev 不支持2022加密." + end end end elseif szType == "trojan" then @@ -1159,8 +1177,10 @@ local function parse_link(raw, add_mode, add_from) end -- log(result) if result then - if not result.type then - log('丢弃节点:' .. result.remarks .. ",找不到可使用二进制.") + if result.error_msg then + log('丢弃节点: ' .. result.remarks .. ", 原因:" .. result.error_msg) + elseif not result.type then + log('丢弃节点: ' .. result.remarks .. ", 找不到可使用二进制.") elseif (add_mode == "2" and is_filter_keyword(result.remarks)) or not result.address or result.remarks == "NULL" or result.address == "127.0.0.1" or (not datatypes.hostname(result.address) and not (api.is_ip(result.address))) then log('丢弃过滤节点: ' .. result.type .. ' 节点, ' .. result.remarks) 
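Review bot: With the AEAD allow-list removed, the `method` taken from the subscription entry (`result.method = method` at the top of the hunk) is now handed to every backend unchecked; the only cipher check left is the `2022-blake3-*` rejection, and it applies only when `result.type == "SS"`. A subscription is remote, untrusted input, so an unsupported or stream cipher for SS-Rust, Xray or sing-box is presumably only noticed when that node fails to start, whereas the new `error_msg` path already gives a way to discard it at import time with a logged reason; a per-backend table of accepted ciphers checked here, setting `result.error_msg = "不支持的加密方式: " .. method` on a miss, would close that gap. Separately, each `if ss_type_default == … and has_… then` branch silently falls through when the configured binary is absent, leaving `result.type` at whatever was set before this hunk (presumably `SS`), so the node is imported under a backend the user did not pick — a log line or `error_msg` in that case would make the substitution visible. processData starts before and continues after this hunk.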
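Review bot: The new `if result.error_msg then log('丢弃节点: ' .. result.remarks .. ", 原因:" .. result.error_msg)` branch concatenates `result.remarks` directly, and the later `elseif` only guards `result.remarks == "NULL"`, not nil; if a malformed subscription entry reaches here without remarks, the concatenation raises instead of logging the discard (the same pattern pre-exists in the `not result.type` branch the commit reshuffles). Using `tostring(result.remarks)` in both new log calls keeps a bad entry from aborting the rest of the import, assuming the caller does not already wrap this in pcall. parse_link starts before and continues after this hunk.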
@@ -1227,9 +1247,9 @@ local execute = function()
 filter_keyword_keep_list_default = value.filter_keep_list or {}
 filter_keyword_discard_list_default = value.filter_discard_list or {}
 end
- local ss_aead_type = value.ss_aead_type or "global"
- if ss_aead_type ~= "global" then
- ss_aead_type_default = ss_aead_type
+ local ss_type = value.ss_type or "global"
+ if ss_type ~= "global" then
+ ss_type_default = ss_type
 end
 local trojan_type = value.trojan_type or "global"
 if trojan_type ~= "global" then
@@ -1264,7 +1284,7 @@ local execute = function()
 filter_keyword_mode_default = uci:get(appname, "@global_subscribe[0]", "filter_keyword_mode") or "0"
 filter_keyword_discard_list_default = uci:get(appname, "@global_subscribe[0]", "filter_discard_list") or {}
 filter_keyword_keep_list_default = uci:get(appname, "@global_subscribe[0]", "filter_keep_list") or {}
- ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
+ ss_type_default = uci:get(appname, "@global_subscribe[0]", "ss_type") or "shadowsocks-libev"
 trojan_type_default = uci:get(appname, "@global_subscribe[0]", "trojan_type") or "sing-box"
 vmess_type_default = uci:get(appname, "@global_subscribe[0]", "vmess_type") or "xray"
 vless_type_default = uci:get(appname, "@global_subscribe[0]", "vless_type") or "xray"