mirror of
https://github.com/kenzok8/small-package
synced 2025-01-08 13:27:36 +08:00
update 2024-12-16 04:22:23
This commit is contained in:
kenzok8
parent
35a7d2bf4a
commit
69c64c1c17
@ -557,6 +557,10 @@ if api.is_finded("smartdns") then
|
||||
o:depends({dns_shunt = "smartdns", tcp_proxy_mode = "proxy", chn_list = "direct"})
|
||||
end
|
||||
|
||||
o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices."))
|
||||
o.default = "1"
|
||||
o.rmempty = false
|
||||
|
||||
if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect."))
|
||||
else
|
||||
|
||||
@ -16,8 +16,9 @@ OPENWRT_ARCH = nil
|
||||
DISTRIB_ARCH = nil
|
||||
OPENWRT_BOARD = nil
|
||||
|
||||
LOG_FILE = "/tmp/log/" .. appname .. ".log"
|
||||
CACHE_PATH = "/tmp/etc/" .. appname .. "_tmp"
|
||||
LOG_FILE = "/tmp/log/" .. appname .. ".log"
|
||||
TMP_PATH = "/tmp/etc/" .. appname
|
||||
|
||||
function log(...)
|
||||
local result = os.date("%Y-%m-%d %H:%M:%S: ") .. table.concat({...}, " ")
|
||||
|
||||
@ -223,6 +223,12 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。"
|
||||
msgid "Redirect"
|
||||
msgstr "重定向"
|
||||
|
||||
msgid "DNS Redirect"
|
||||
msgstr "DNS 重定向"
|
||||
|
||||
msgid "Force special DNS server to need proxy devices."
|
||||
msgstr "强制需要代理的设备使用专用 DNS 服务器。"
|
||||
|
||||
msgid "Clear IPSET"
|
||||
msgstr "清空 IPSET"
|
||||
|
||||
|
||||
@ -12,6 +12,7 @@ config global
|
||||
list smartdns_remote_dns 'https://1.1.1.1/dns-query'
|
||||
option use_default_dns 'direct'
|
||||
option chinadns_ng_default_tag 'none'
|
||||
option dns_redirect '1'
|
||||
option use_direct_list '1'
|
||||
option use_proxy_list '1'
|
||||
option use_block_list '1'
|
||||
|
||||
@ -324,6 +324,7 @@ load_acl() {
|
||||
}
|
||||
|
||||
local dns_redirect
|
||||
[ $(config_t_get global dns_redirect "1") = "1" ] && dns_redirect=53
|
||||
if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then
|
||||
[ -n "${dns_redirect_port}" ] && dns_redirect=${dns_redirect_port}
|
||||
else
|
||||
@ -334,10 +335,10 @@ load_acl() {
|
||||
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect}
|
||||
$ip6t_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect}
|
||||
$ip6t_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect}
|
||||
$ip6t_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect}
|
||||
$ip6t_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null
|
||||
fi
|
||||
|
||||
[ -n "$tcp_port" -o -n "$udp_port" ] && {
|
||||
@ -499,19 +500,24 @@ load_acl() {
|
||||
echolog " - ${msg}不代理所有 UDP 端口"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
local DNS_REDIRECT
|
||||
[ $(config_t_get global dns_redirect "1") = "1" ] && DNS_REDIRECT=53
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
$ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null
|
||||
#Only hijack when dest address is local IP
|
||||
$ipt_n -A PSW_DNS $(comment "默认") -p udp $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A PSW_DNS $(comment "默认") -p udp $(dst $IPSET_LOCALLIST6) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "默认") -p tcp $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A PSW_DNS $(comment "默认") -p tcp $(dst $IPSET_LOCALLIST6) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
}
|
||||
[ -n "${DNS_REDIRECT_PORT}" ] && DNS_REDIRECT=${DNS_REDIRECT_PORT}
|
||||
else
|
||||
[ -n "${DIRECT_DNSMASQ_PORT}" ] && DNS_REDIRECT=${DIRECT_DNSMASQ_PORT}
|
||||
fi
|
||||
|
||||
if [ -n "${DNS_REDIRECT}" ]; then
|
||||
$ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT}
|
||||
$ip6t_n -A PSW_DNS $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT} 2>/dev/null
|
||||
$ipt_n -A PSW_DNS $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT}
|
||||
$ip6t_n -A PSW_DNS $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT} 2>/dev/null
|
||||
fi
|
||||
|
||||
[ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
|
||||
@ -956,7 +962,12 @@ add_firewall_rule() {
|
||||
$ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
$ipt_n -N PSW_DNS
|
||||
$ipt_n -I PREROUTING 1 -j PSW_DNS
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
$ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW_DNS
|
||||
else
|
||||
$ipt_n -I PREROUTING 1 -j PSW_DNS
|
||||
fi
|
||||
|
||||
$ipt_m -N PSW_DIVERT
|
||||
$ipt_m -A PSW_DIVERT -j MARK --set-mark 1
|
||||
@ -1024,7 +1035,12 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
$ip6t_n -N PSW_DNS
|
||||
$ip6t_n -I PREROUTING 1 -j PSW_DNS
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
$ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW_DNS
|
||||
else
|
||||
$ip6t_n -I PREROUTING 1 -j PSW_DNS
|
||||
fi
|
||||
|
||||
$ip6t_m -N PSW_DIVERT
|
||||
$ip6t_m -A PSW_DIVERT -j MARK --set-mark 1
|
||||
@ -1130,7 +1146,6 @@ add_firewall_rule() {
|
||||
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
#Only hijack when dest address is local IP
|
||||
$ipt_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
$ipt_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
|
||||
@ -374,6 +374,7 @@ load_acl() {
|
||||
}
|
||||
|
||||
local dns_redirect
|
||||
[ $(config_t_get global dns_redirect "1") = "1" ] && dns_redirect=53
|
||||
if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then
|
||||
[ -n "${dns_redirect_port}" ] && dns_redirect=${dns_redirect_port}
|
||||
else
|
||||
@ -384,10 +385,10 @@ load_acl() {
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp ${_ipt_source} udp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp ${_ipt_source} tcp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp ${_ipt_source} udp dport 53 ip6 daddr @$NFTSET_LOCALLIST6 counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp ${_ipt_source} tcp dport 53 ip6 daddr @$NFTSET_LOCALLIST6 counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\""
|
||||
fi
|
||||
|
||||
[ -n "$tcp_port" -o -n "$udp_port" ] && {
|
||||
@ -553,18 +554,23 @@ load_acl() {
|
||||
fi
|
||||
}
|
||||
|
||||
local DNS_REDIRECT
|
||||
[ $(config_t_get global dns_redirect "1") = "1" ] && DNS_REDIRECT=53
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
#Only hijack when dest address is local IP
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp udp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp tcp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp udp dport 53 ip daddr @$NFTSET_LOCALLIST6 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp tcp dport 53 ip daddr @$NFTSET_LOCALLIST6 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
}
|
||||
[ -n "${DNS_REDIRECT_PORT}" ] && DNS_REDIRECT=${DNS_REDIRECT_PORT}
|
||||
else
|
||||
[ -n "${DIRECT_DNSMASQ_PORT}" ] && DNS_REDIRECT=${DIRECT_DNSMASQ_PORT}
|
||||
fi
|
||||
|
||||
if [ -n "${DNS_REDIRECT}" ]; then
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp udp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp tcp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp udp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp tcp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\""
|
||||
fi
|
||||
|
||||
[ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
|
||||
@ -1008,7 +1014,13 @@ add_firewall_rule() {
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW_DNS"
|
||||
nft "flush chain $NFTABLE_NAME PSW_DNS"
|
||||
nft "insert rule $NFTABLE_NAME dstnat jump PSW_DNS"
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW_DNS"
|
||||
nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW_DNS"
|
||||
else
|
||||
nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS"
|
||||
fi
|
||||
|
||||
# for ipv4 ipv6 tproxy mark
|
||||
nft "add chain $NFTABLE_NAME PSW_RULE"
|
||||
@ -1192,7 +1204,6 @@ add_firewall_rule() {
|
||||
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
#Only hijack when dest address is local IP
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
|
||||
@ -325,6 +325,10 @@ o.remove = function(self, section)
|
||||
end
|
||||
end
|
||||
|
||||
o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices."))
|
||||
o.default = "1"
|
||||
o.rmempty = false
|
||||
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect."))
|
||||
o.inputstyle = "remove"
|
||||
function o.write(e, e)
|
||||
|
||||
@ -1083,7 +1083,7 @@ local api = require "luci.passwall2.api"
|
||||
}
|
||||
}
|
||||
|
||||
opt.set(dom_prefix + 'encryption', queryParam.encryption);
|
||||
opt.set(dom_prefix + 'encryption', queryParam.encryption || "none");
|
||||
if (queryParam.security) {
|
||||
if (queryParam.security == "tls") {
|
||||
opt.set(dom_prefix + 'tls', true);
|
||||
|
||||
@ -172,6 +172,12 @@ msgstr "直连 DNS 解析结果写入到 IPSet"
|
||||
msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances."
|
||||
msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet,然后直连(不进入内核)。可能和某些特殊情况冲突。"
|
||||
|
||||
msgid "DNS Redirect"
|
||||
msgstr "DNS 重定向"
|
||||
|
||||
msgid "Force special DNS server to need proxy devices."
|
||||
msgstr "强制需要代理的设备使用专用 DNS 服务器。"
|
||||
|
||||
msgid "Clear IPSet"
|
||||
msgstr "清空 IPSet"
|
||||
|
||||
|
||||
@ -1079,8 +1079,7 @@ acl_app() {
|
||||
local ipt_tmp msg msg2
|
||||
redir_port=11200
|
||||
dns_port=11300
|
||||
dnsmasq_port=11400
|
||||
[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
|
||||
dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400}
|
||||
for item in $items; do
|
||||
index=$(expr $index + 1)
|
||||
local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface
|
||||
|
||||
@ -2,9 +2,11 @@
|
||||
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/iptables.sh
|
||||
IPSET_LOCALLIST="passwall2_locallist"
|
||||
IPSET_LANLIST="passwall2_lanlist"
|
||||
IPSET_VPSLIST="passwall2_vpslist"
|
||||
|
||||
IPSET_LOCALLIST6="passwall2_locallist6"
|
||||
IPSET_LANLIST6="passwall2_lanlist6"
|
||||
IPSET_VPSLIST6="passwall2_vpslist6"
|
||||
|
||||
@ -386,12 +388,10 @@ load_acl() {
|
||||
}
|
||||
|
||||
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
|
||||
[ -n "$dns_redirect_port" ] && {
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
}
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
else
|
||||
$ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
@ -678,11 +678,20 @@ filter_node() {
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
ipset -! create $IPSET_LOCALLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
|
||||
|
||||
ipset -! create $IPSET_LOCALLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST /")
|
||||
EOF
|
||||
ipset -! -R <<-EOF
|
||||
$(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST6 /")
|
||||
EOF
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
|
||||
@ -764,7 +773,12 @@ add_firewall_rule() {
|
||||
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
$ipt_n -N PSW2_DNS
|
||||
$ipt_n -I PREROUTING 1 -j PSW2_DNS
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
$ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW2_DNS
|
||||
else
|
||||
$ipt_n -I PREROUTING -j PSW2_DNS
|
||||
fi
|
||||
|
||||
$ipt_m -N PSW2_DIVERT
|
||||
$ipt_m -A PSW2_DIVERT -j MARK --set-mark 1
|
||||
@ -816,7 +830,12 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
$ip6t_n -N PSW2_DNS
|
||||
$ip6t_n -I PREROUTING 1 -j PSW2_DNS
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
$ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW2_DNS
|
||||
else
|
||||
$ip6t_n -I PREROUTING -j PSW2_DNS
|
||||
fi
|
||||
|
||||
$ip6t_m -N PSW2_DIVERT
|
||||
$ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1
|
||||
|
||||
@ -3,9 +3,11 @@
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/nftables.sh
|
||||
NFTABLE_NAME="inet passwall2"
|
||||
NFTSET_LOCALLIST="passwall2_locallist"
|
||||
NFTSET_LANLIST="passwall2_lanlist"
|
||||
NFTSET_VPSLIST="passwall2_vpslist"
|
||||
|
||||
NFTSET_LOCALLIST6="passwall2_locallist6"
|
||||
NFTSET_LANLIST6="passwall2_lanlist6"
|
||||
NFTSET_VPSLIST6="passwall2_vpslist6"
|
||||
|
||||
@ -738,12 +740,17 @@ filter_node() {
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
gen_nft_tables
|
||||
gen_nftset $NFTSET_LOCALLIST ipv4_addr 0 "-1"
|
||||
gen_nftset $NFTSET_LANLIST ipv4_addr 0 "-1" $(gen_lanlist)
|
||||
gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0
|
||||
|
||||
gen_nftset $NFTSET_LOCALLIST6 ipv6_addr 0 "-1"
|
||||
gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 "-1" $(gen_lanlist_6)
|
||||
gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0
|
||||
|
||||
insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")
|
||||
insert_nftset $NFTSET_LOCALLIST6 "-1" $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")
|
||||
|
||||
# 忽略特殊IP段
|
||||
local lan_ifname lan_ip
|
||||
lan_ifname=$(uci -q -p /tmp/state get network.lan.ifname)
|
||||
@ -808,7 +815,13 @@ add_firewall_rule() {
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW2_DNS"
|
||||
nft "flush chain $NFTABLE_NAME PSW2_DNS"
|
||||
nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS"
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
#Only hijack when dest address is local IP
|
||||
nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW2_DNS"
|
||||
nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW2_DNS"
|
||||
else
|
||||
nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS"
|
||||
fi
|
||||
|
||||
# for ipv4 ipv6 tproxy mark
|
||||
nft "add chain $NFTABLE_NAME PSW2_RULE"
|
||||
@ -1086,9 +1099,11 @@ del_firewall_rule() {
|
||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||
|
||||
destroy_nftset $NFTSET_LOCALLIST
|
||||
destroy_nftset $NFTSET_LANLIST
|
||||
destroy_nftset $NFTSET_VPSLIST
|
||||
|
||||
destroy_nftset $NFTSET_LOCALLIST6
|
||||
destroy_nftset $NFTSET_LANLIST6
|
||||
destroy_nftset $NFTSET_VPSLIST6
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user