diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua index d766646af..488cd50ac 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua @@ -557,6 +557,10 @@ if api.is_finded("smartdns") then o:depends({dns_shunt = "smartdns", tcp_proxy_mode = "proxy", chn_list = "direct"}) end +o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices.")) +o.default = "1" +o.rmempty = false + if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect.")) else diff --git a/luci-app-passwall/luasrc/passwall/api.lua b/luci-app-passwall/luasrc/passwall/api.lua index 5d67e767c..f696a06a9 100644 --- a/luci-app-passwall/luasrc/passwall/api.lua +++ b/luci-app-passwall/luasrc/passwall/api.lua @@ -16,8 +16,9 @@ OPENWRT_ARCH = nil DISTRIB_ARCH = nil OPENWRT_BOARD = nil -LOG_FILE = "/tmp/log/" .. appname .. ".log" CACHE_PATH = "/tmp/etc/" .. appname .. "_tmp" +LOG_FILE = "/tmp/log/" .. appname .. ".log" +TMP_PATH = "/tmp/etc/" .. appname function log(...) local result = os.date("%Y-%m-%d %H:%M:%S: ") .. table.concat({...}, " ") diff --git a/luci-app-passwall/po/zh-cn/passwall.po b/luci-app-passwall/po/zh-cn/passwall.po index 28fbc6854..df66671e9 100644 --- a/luci-app-passwall/po/zh-cn/passwall.po +++ b/luci-app-passwall/po/zh-cn/passwall.po @@ -223,6 +223,12 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。" msgid "Redirect" msgstr "重定向" +msgid "DNS Redirect" +msgstr "DNS 重定向" + +msgid "Force special DNS server to need proxy devices." +msgstr "强制需要代理的设备使用专用 DNS 服务器。" + msgid "Clear IPSET" msgstr "清空 IPSET" 
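Review bot: The help text `Force special DNS server to need proxy devices.` on the new `dns_redirect` flag does not tell the user what changes between its two states, although the choice is security-relevant: in the firewall scripts of this same commit, enabled redirects every port-53 query from LAN clients to the local resolver regardless of the resolver the client configured, while disabled only catches queries addressed to the router's own IPs, so a device with a hard-coded public resolver bypasses the proxy's DNS handling entirely. Suggested replacement: `Redirect all client DNS (port 53) to the local resolver, even when the client uses its own DNS server. Disable to only handle DNS sent to this router; clients with a custom DNS may then bypass the proxy.` The same msgid is reused in the po file, so the translation needs the matching update.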
diff --git a/luci-app-passwall/root/usr/share/passwall/0_default_config b/luci-app-passwall/root/usr/share/passwall/0_default_config index 918aaa4a9..834821793 100644 --- a/luci-app-passwall/root/usr/share/passwall/0_default_config +++ b/luci-app-passwall/root/usr/share/passwall/0_default_config @@ -12,6 +12,7 @@ config global list smartdns_remote_dns 'https://1.1.1.1/dns-query' option use_default_dns 'direct' option chinadns_ng_default_tag 'none' + option dns_redirect '1' option use_direct_list '1' option use_proxy_list '1' option use_block_list '1' diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh index 06c9e3871..fba4aa08c 100755 --- a/luci-app-passwall/root/usr/share/passwall/iptables.sh +++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh @@ -324,6 +324,7 @@ load_acl() { } local dns_redirect + [ $(config_t_get global dns_redirect "1") = "1" ] && dns_redirect=53 if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then [ -n "${dns_redirect_port}" ] && dns_redirect=${dns_redirect_port} else 
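Review bot: The test `[ $(config_t_get global dns_redirect "1") = "1" ]` leaves the command substitution unquoted, so an empty or multi-word result turns into a `[: unary operator expected` error and the `&&` silently skips `dns_redirect=53`; write it as `[ "$(config_t_get global dns_redirect "1")" = "1" ] && dns_redirect=53`. The same lookup is repeated verbatim further down this script and in nftables.sh; reading it once near the top of load_acl (`local dns_redirect_all=$(config_t_get global dns_redirect "1")`) keeps the branches from drifting. `dns_redirect` here holds a port number while the uci option of the same name is a boolean, which is easy to misread — a comment such as `# dns_redirect: port to REDIRECT this ACL's port-53 traffic to; 53 = whatever listens locally` would help. load_acl continues outside the hunk.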
@@ -334,10 +335,10 @@ load_acl() { $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null - $ipt_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect} - $ip6t_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null - $ipt_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect} - $ip6t_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null + $ipt_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect} + $ip6t_n -A PSW_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null + $ipt_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect} + $ip6t_n -A PSW_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports ${dns_redirect} 2>/dev/null fi [ -n "$tcp_port" -o -n "$udp_port" ] && { 
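Review bot: The unchanged `PSW` mangle rules above the changed lines return every port-53 packet from this ACL's sources before tproxy regardless of destination, while the new PSW_DNS rules, once the jump is gated on the router's own addresses in `dns_redirect '0'` mode (see add_firewall_rule in this commit), only redirect DNS addressed to the router; a device in this ACL that points at an external resolver therefore sends its DNS out in the clear through WAN without passing through the proxy. If that mode is meant only to stop overriding client-chosen resolvers, the RETURN rules need the same destination match in that mode, e.g. `$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(dst $IPSET_LOCALLIST) --dport 53 -j RETURN`, so external DNS still follows the proxy path. The behaviour predates the commit, but the new flag is where a user would expect it to be decided. load_acl continues outside the hunk.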
@@ -499,19 +500,24 @@ load_acl() { echolog " - ${msg}不代理所有 UDP 端口" fi } - + + local DNS_REDIRECT + [ $(config_t_get global dns_redirect "1") = "1" ] && DNS_REDIRECT=53 if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then - [ -n "$DNS_REDIRECT_PORT" ] && { - $ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN - $ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null - $ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN - $ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null - #Only hijack when dest address is local IP - $ipt_n -A PSW_DNS $(comment "默认") -p udp $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT - $ip6t_n -A PSW_DNS $(comment "默认") -p udp $(dst $IPSET_LOCALLIST6) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null - $ipt_n -A PSW_DNS $(comment "默认") -p tcp $(dst $IPSET_LOCALLIST) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT - $ip6t_n -A PSW_DNS $(comment "默认") -p tcp $(dst $IPSET_LOCALLIST6) --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null - } + [ -n "${DNS_REDIRECT_PORT}" ] && DNS_REDIRECT=${DNS_REDIRECT_PORT} + else + [ -n "${DIRECT_DNSMASQ_PORT}" ] && DNS_REDIRECT=${DIRECT_DNSMASQ_PORT} + fi + + if [ -n "${DNS_REDIRECT}" ]; then + $ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN + $ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null + $ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN + $ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null + $ipt_n -A PSW_DNS $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT} + $ip6t_n -A PSW_DNS $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT} 2>/dev/null + $ipt_n -A PSW_DNS $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT} + $ip6t_n -A PSW_DNS $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports ${DNS_REDIRECT} 
2>/dev/null fi [ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && { @@ -956,7 +962,12 @@ add_firewall_rule() { $ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN $ipt_n -N PSW_DNS - $ipt_n -I PREROUTING 1 -j PSW_DNS + if [ $(config_t_get global dns_redirect "1") = "0" ]; then + #Only hijack when dest address is local IP + $ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW_DNS + else + $ipt_n -I PREROUTING 1 -j PSW_DNS + fi $ipt_m -N PSW_DIVERT $ipt_m -A PSW_DIVERT -j MARK --set-mark 1 @@ -1024,7 +1035,12 @@ add_firewall_rule() { } $ip6t_n -N PSW_DNS - $ip6t_n -I PREROUTING 1 -j PSW_DNS + if [ $(config_t_get global dns_redirect "1") = "0" ]; then + #Only hijack when dest address is local IP + $ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW_DNS + else + $ip6t_n -I PREROUTING 1 -j PSW_DNS + fi $ip6t_m -N PSW_DIVERT $ip6t_m -A PSW_DIVERT -j MARK --set-mark 1 @@ -1130,7 +1146,6 @@ add_firewall_rule() { if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then [ -n "$DNS_REDIRECT_PORT" ] && { - #Only hijack when dest address is local IP $ipt_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT $ip6t_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null $ipt_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh index 76703bcc8..e10bb4ccd 100755 --- a/luci-app-passwall/root/usr/share/passwall/nftables.sh +++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh 
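Review bot: `DNS_REDIRECT=53` is assigned from the `dns_redirect` flag before the node check, so when the flag is on but neither `TCP_NODE` nor `UDP_NODE` is active the `if [ -n "${DNS_REDIRECT}" ]` block still installs the RETURN and REDIRECT rules and every LAN client's port-53 traffic, to any destination, is forced to the router even though nothing is being proxied; if that is intended, say so with a comment such as `# dns_redirect=1 hijacks all client DNS even with no node running; falls back to local port 53` above the `local DNS_REDIRECT` line, otherwise move the default into the two branches. `local DNS_REDIRECT` also uses the upper-case spelling this file uses for script-wide variables like `DNS_REDIRECT_PORT`, which invites confusion between the flag, the port and the global; `local dns_redirect_to` would read better. load_acl continues beyond this hunk.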
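Review bot: The unconditional `$ipt_n -I PREROUTING 1 -j PSW_DNS` branch has no interface match, and since the default rules in load_acl now redirect port 53 for any destination, DNS packets arriving on the WAN side are also pulled into PSW_DNS and redirected to the local resolver port. Whether that port is then reachable from outside depends on the filter-table INPUT policy of the wan zone, which this script does not control, so the hook should be scoped to the LAN side — an interface match (`! -i <wan interface>`) on the jump, or a LAN-source match on the REDIRECT rules. The old line had no interface match either, so this predates the commit, but removing the destination restriction widens what it catches. add_firewall_rule continues outside the hunk.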
@@ -374,6 +374,7 @@ load_acl() { } local dns_redirect + [ $(config_t_get global dns_redirect "1") = "1" ] && dns_redirect=53 if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then [ -n "${dns_redirect_port}" ] && dns_redirect=${dns_redirect_port} else 
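Review bot: `[ $(config_t_get global dns_redirect "1") = "1" ]` is unquoted; if the helper ever prints nothing or several words the test errors out and `dns_redirect=53` is skipped without any log line, leaving this ACL's DNS unredirected. Quote it: `[ "$(config_t_get global dns_redirect "1")" = "1" ] && dns_redirect=53`. The identical line is added to iptables.sh in this commit; a shared helper in app.sh returning the effective value would keep the two backends in sync. load_acl continues outside the hunk.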
@@ -384,10 +385,10 @@ load_acl() { nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" - nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp ${_ipt_source} udp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :${dns_redirect} comment \"$remarks\"" - nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp ${_ipt_source} tcp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :${dns_redirect} comment \"$remarks\"" - nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp ${_ipt_source} udp dport 53 ip6 daddr @$NFTSET_LOCALLIST6 counter redirect to :${dns_redirect} comment \"$remarks\"" - nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp ${_ipt_source} tcp dport 53 ip6 daddr @$NFTSET_LOCALLIST6 counter redirect to :${dns_redirect} comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\"" fi [ -n "$tcp_port" -o -n "$udp_port" ] && { 
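Review bot: In an `inet` table `meta l4proto udp ${_ipt_source} udp dport 53` is family-agnostic, so the two rules that replaced the `ip6 daddr @$NFTSET_LOCALLIST6` variants now also match IPv4 and duplicate the `ip protocol` rules above them unless `${_ipt_source}` itself carries an `ip6 saddr` match, which is not visible here. Add `meta nfproto ipv6` to the two IPv6 rules so their intent stays explicit: `nft "add rule $NFTABLE_NAME PSW_DNS meta nfproto ipv6 meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :${dns_redirect} comment \"$remarks\""` and the tcp equivalent. The duplicate is functionally harmless because `redirect` is terminal, but it splits counters and hides which rule fired. load_acl continues outside the hunk.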
@@ -553,18 +554,23 @@ load_acl() { fi } + local DNS_REDIRECT + [ $(config_t_get global dns_redirect "1") = "1" ] && DNS_REDIRECT=53 if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then - [ -n "$DNS_REDIRECT_PORT" ] && { - #Only hijack when dest address is local IP - nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_DNS ip protocol udp udp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :$DNS_REDIRECT_PORT comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp tcp dport 53 ip daddr @$NFTSET_LOCALLIST counter redirect to :$DNS_REDIRECT_PORT comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp udp dport 53 ip daddr @$NFTSET_LOCALLIST6 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\"" - nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp tcp dport 53 ip daddr @$NFTSET_LOCALLIST6 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\"" - } + [ -n "${DNS_REDIRECT_PORT}" ] && DNS_REDIRECT=${DNS_REDIRECT_PORT} + else + [ -n "${DIRECT_DNSMASQ_PORT}" ] && DNS_REDIRECT=${DIRECT_DNSMASQ_PORT} + fi + + if [ -n "${DNS_REDIRECT}" ]; then + nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\"" + nft "add rule $NFTABLE_NAME 
PSW_DNS ip protocol udp udp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW_DNS ip protocol tcp tcp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto udp udp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW_DNS meta l4proto tcp tcp dport 53 counter redirect to :${DNS_REDIRECT} comment \"默认\"" fi [ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && { @@ -1008,7 +1014,13 @@ add_firewall_rule() { nft "add chain $NFTABLE_NAME PSW_DNS" nft "flush chain $NFTABLE_NAME PSW_DNS" - nft "insert rule $NFTABLE_NAME dstnat jump PSW_DNS" + if [ $(config_t_get global dns_redirect "1") = "0" ]; then + #Only hijack when dest address is local IP + nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW_DNS" + nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW_DNS" + else + nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS" + fi # for ipv4 ipv6 tproxy mark nft "add chain $NFTABLE_NAME PSW_RULE" @@ -1192,7 +1204,6 @@ add_firewall_rule() { if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then [ -n "$DNS_REDIRECT_PORT" ] && { - #Only hijack when dest address is local IP nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\"" nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\"" nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\"" diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua index 6e3ea5c9f..4eb095f6d 100644 
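Review bot: With `dns_redirect` set to 0 the four `PSW_MANGLE` return rules still exempt every port-53 packet from the tproxy path regardless of destination, while the jump into PSW_DNS is gated on the router's own addresses in add_firewall_rule below, so a client using an external resolver gets its DNS neither redirected nor proxied and the queries leave in the clear via WAN. If the option is meant only to stop overriding client-chosen resolvers, the return rules should carry the same destination match in that mode — `ip daddr @$NFTSET_LOCALLIST` on the `ip protocol` rules and `ip6 daddr @$NFTSET_LOCALLIST6` on the `meta l4proto` rules — so external DNS still travels through the proxy. This was also true before the change, but the new flag makes the mode explicit and worth a comment stating which it is. load_acl continues outside the hunk.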
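Review bot: The else branch jumps to `PSW2_DNS`, but the chain created two lines above in this passwall (not passwall2) table is `PSW_DNS`, so with the shipped default `dns_redirect '1'` the `nft insert rule` fails and nothing is hooked into dstnat — the nftables backend silently runs with DNS redirection disabled, a fail-open for every client's DNS. Change it to `nft "insert rule $NFTABLE_NAME dstnat jump PSW_DNS"`. Since the `nft` exit status is not checked anywhere here, consider also reporting a failed insert through echolog so a broken hook is visible in the log. add_firewall_rule continues outside the hunk.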
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua @@ -325,6 +325,10 @@ o.remove = function(self, section) end end +o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices.")) +o.default = "1" +o.rmempty = false + o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect.")) o.inputstyle = "remove" function o.write(e, e) diff --git a/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm b/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm index 80003a302..42d8ddb1c 100644 --- a/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm +++ b/luci-app-passwall2/luasrc/view/passwall2/node_list/link_share_man.htm @@ -1083,7 +1083,7 @@ local api = require "luci.passwall2.api" } } - opt.set(dom_prefix + 'encryption', queryParam.encryption); + opt.set(dom_prefix + 'encryption', queryParam.encryption || "none"); if (queryParam.security) { if (queryParam.security == "tls") { opt.set(dom_prefix + 'tls', true); diff --git a/luci-app-passwall2/po/zh-cn/passwall2.po b/luci-app-passwall2/po/zh-cn/passwall2.po index 6e79108d7..67f48a1a7 100644 --- a/luci-app-passwall2/po/zh-cn/passwall2.po +++ b/luci-app-passwall2/po/zh-cn/passwall2.po @@ -172,6 +172,12 @@ msgstr "直连 DNS 解析结果写入到 IPSet" msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances." msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet,然后直连(不进入内核)。可能和某些特殊情况冲突。" +msgid "DNS Redirect" +msgstr "DNS 重定向" + +msgid "Force special DNS server to need proxy devices." +msgstr "强制需要代理的设备使用专用 DNS 服务器。" + msgid "Clear IPSet" msgstr "清空 IPSet" 
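Review bot: `queryParam.encryption || "none"` fills a missing `encryption` parameter from an imported share link with `none` without any indication to the user; the link is untrusted input, and if this branch also handles VMess-type links, `none` disables payload encryption where the previous code left the field untouched (only the `security`/`tls` handling is visible here, so which protocols reach this line cannot be confirmed). If the fallback is meant only for VLESS, where `none` is the mandated value, guard it on the link's protocol rather than applying it unconditionally, or at minimum add `// missing encryption in the link is treated as "none"` so the default is deliberate and reviewable.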
diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index 95be20850..7f555fd9a 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -1079,8 +1079,7 @@ acl_app() { local ipt_tmp msg msg2 redir_port=11200 dns_port=11300 - dnsmasq_port=11400 - [ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT) + dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400} for item in $items; do index=$(expr $index + 1) local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index cfb55614e..6dd34b2e8 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh @@ -2,9 +2,11 @@ DIR="$(cd "$(dirname "$0")" && pwd)" MY_PATH=$DIR/iptables.sh +IPSET_LOCALLIST="passwall2_locallist" IPSET_LANLIST="passwall2_lanlist" IPSET_VPSLIST="passwall2_vpslist" +IPSET_LOCALLIST6="passwall2_locallist6" IPSET_LANLIST6="passwall2_lanlist6" IPSET_VPSLIST6="passwall2_vpslist6" 
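Review bot: `dnsmasq_port=${GLOBAL_DNSMASQ_PORT:-11400}` starts the per-ACL dnsmasq port at exactly the global dnsmasq's port, whereas the removed line allocated a fresh one with `get_new_port`; unless the loop body (outside this hunk) bumps `dnsmasq_port` before launching an instance, the first ACL's dnsmasq will try to bind the port the global instance already owns, fail, and the REDIRECT rules installed for that ACL will point at a port nobody listens on, breaking DNS for those devices. If the intent was to seed the allocator, `dnsmasq_port=$(get_new_port ${GLOBAL_DNSMASQ_PORT:-11400})` keeps the collision check; otherwise a comment explaining why a collision cannot happen would help the next reader. acl_app continues outside the hunk.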
@@ -386,12 +388,10 @@ load_acl() { } if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then - [ -n "$dns_redirect_port" ] && { - $ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port - $ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null - $ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port - $ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null - } + $ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port + $ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null + $ipt_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port + $ip6t_n -A PSW2_DNS $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null else $ipt_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN $ip6t_n -A PSW2_DNS $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null 
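Review bot: Dropping the `[ -n "$dns_redirect_port" ] && { … }` guard means that when `dns_redirect_port` is empty (its assignment is outside this hunk) the four rules become `-j REDIRECT --to-ports` with no argument, iptables rejects them, and this ACL's DNS falls through unredirected while the script keeps going — a silent fail-open. Either keep the guard or fall back explicitly, e.g. `dns_redirect_port=${dns_redirect_port:-53}` before these lines, mirroring the `dns_redirect=53` default the passwall variant adds in this same commit. load_acl continues outside the hunk.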
@@ -678,11 +678,20 @@ filter_node() { add_firewall_rule() { echolog "开始加载防火墙规则..." + ipset -! create $IPSET_LOCALLIST nethash maxelem 1048576 ipset -! create $IPSET_LANLIST nethash maxelem 1048576 ipset -! create $IPSET_VPSLIST nethash maxelem 1048576 + ipset -! create $IPSET_LOCALLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576 ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576 + + ipset -! -R <<-EOF + $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST /") + EOF + ipset -! -R <<-EOF + $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/^/add $IPSET_LOCALLIST6 /") + EOF ipset -! -R <<-EOF $(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /") @@ -764,7 +773,12 @@ add_firewall_rule() { $ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN $ipt_n -N PSW2_DNS - $ipt_n -I PREROUTING 1 -j PSW2_DNS + if [ $(config_t_get global dns_redirect "1") = "0" ]; then + #Only hijack when dest address is local IP + $ipt_n -I PREROUTING $(dst $IPSET_LOCALLIST) -j PSW2_DNS + else + $ipt_n -I PREROUTING -j PSW2_DNS + fi $ipt_m -N PSW2_DIVERT $ipt_m -A PSW2_DIVERT -j MARK --set-mark 1 @@ -816,7 +830,12 @@ add_firewall_rule() { } $ip6t_n -N PSW2_DNS - $ip6t_n -I PREROUTING 1 -j PSW2_DNS + if [ $(config_t_get global dns_redirect "1") = "0" ]; then + #Only hijack when dest address is local IP + $ip6t_n -I PREROUTING $(dst $IPSET_LOCALLIST6) -j PSW2_DNS + else + $ip6t_n -I PREROUTING -j PSW2_DNS + fi $ip6t_m -N PSW2_DIVERT $ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1 diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index 9b0e06545..5f7f3a80e 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh 
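Review bot: `IPSET_LOCALLIST`/`IPSET_LOCALLIST6` are filled from a one-off `ip address show` snapshot at rule-load time, so in `dns_redirect '0'` mode — the only mode that consults them as far as this diff shows — any address acquired later (a DHCP renewal, a new IPv6 prefix, a VPN or hotplug interface) is not in the set and DNS sent to that address is no longer redirected until the rules are reloaded. `ipset -! create` followed by `ipset -! -R` also never flushes the set, so addresses from earlier loads linger. At least flush before refilling (`ipset -! flush $IPSET_LOCALLIST` and `ipset -! flush $IPSET_LOCALLIST6`) and document the limitation with `# snapshot of local addresses; rules must be reloaded when interfaces change` above the heredocs. add_firewall_rule continues outside the hunk.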
@@ -3,9 +3,11 @@ DIR="$(cd "$(dirname "$0")" && pwd)" MY_PATH=$DIR/nftables.sh NFTABLE_NAME="inet passwall2" +NFTSET_LOCALLIST="passwall2_locallist" NFTSET_LANLIST="passwall2_lanlist" NFTSET_VPSLIST="passwall2_vpslist" +NFTSET_LOCALLIST6="passwall2_locallist6" NFTSET_LANLIST6="passwall2_lanlist6" NFTSET_VPSLIST6="passwall2_vpslist6" @@ -738,12 +740,17 @@ filter_node() { add_firewall_rule() { echolog "开始加载防火墙规则..." gen_nft_tables + gen_nftset $NFTSET_LOCALLIST ipv4_addr 0 "-1" gen_nftset $NFTSET_LANLIST ipv4_addr 0 "-1" $(gen_lanlist) gen_nftset $NFTSET_VPSLIST ipv4_addr 0 0 + gen_nftset $NFTSET_LOCALLIST6 ipv6_addr 0 "-1" gen_nftset $NFTSET_LANLIST6 ipv6_addr 0 "-1" $(gen_lanlist_6) gen_nftset $NFTSET_VPSLIST6 ipv6_addr 0 0 + insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g") + insert_nftset $NFTSET_LOCALLIST6 "-1" $(ip address show | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g") + # 忽略特殊IP段 local lan_ifname lan_ip lan_ifname=$(uci -q -p /tmp/state get network.lan.ifname) @@ -808,7 +815,13 @@ add_firewall_rule() { nft "add chain $NFTABLE_NAME PSW2_DNS" nft "flush chain $NFTABLE_NAME PSW2_DNS" - nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS" + if [ $(config_t_get global dns_redirect "1") = "0" ]; then + #Only hijack when dest address is local IP + nft "insert rule $NFTABLE_NAME dstnat ip daddr @${NFTSET_LOCALLIST} jump PSW2_DNS" + nft "insert rule $NFTABLE_NAME dstnat ip6 daddr @${NFTSET_LOCALLIST6} jump PSW2_DNS" + else + nft "insert rule $NFTABLE_NAME dstnat jump PSW2_DNS" + fi # for ipv4 ipv6 tproxy mark nft "add chain $NFTABLE_NAME PSW2_RULE" 
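Review bot: In `insert_nftset $NFTSET_LOCALLIST "-1" $(ip address show | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | sed -e "s/ /\n/g")` the awk stage already emits one address per line, so the trailing `sed` is a no-op, and this pipeline now appears four times across iptables.sh and nftables.sh in this commit; a shared helper such as `get_local_addrs() { ip address show | grep -w "$1" | awk '{print $2}' | awk -F '/' '{print $1}'; }` would remove the duplication. As with the ipset variant, these sets are a snapshot taken when the rules load, so addresses that appear later are not covered in `dns_redirect '0'` mode; a comment to that effect above the two `insert_nftset` lines would help. add_firewall_rule continues outside the hunk.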
@@ -1086,9 +1099,11 @@ del_firewall_rule() { ip -6 rule del fwmark 1 table 100 2>/dev/null ip -6 route del local ::/0 dev lo table 100 2>/dev/null + destroy_nftset $NFTSET_LOCALLIST destroy_nftset $NFTSET_LANLIST destroy_nftset $NFTSET_VPSLIST + destroy_nftset $NFTSET_LOCALLIST6 destroy_nftset $NFTSET_LANLIST6 destroy_nftset $NFTSET_VPSLIST6