update 2024-11-29 00:25:38

2025-01-07 07:06:58 +08:00 · 2024-11-29 00:25:38 +08:00 · 2024-11-29 00:25:38 +08:00 · 742888f8de
commit 742888f8de
parent 73f598dcab
10 changed files with 220 additions and 75 deletions
--- a/luci-app-mosdns/htdocs/luci-static/resources/view/mosdns/update.js
+++ b/luci-app-mosdns/htdocs/luci-static/resources/view/mosdns/update.js
@ -60,7 +60,7 @@ return view.extend({
 		o = s.option(form.Value, 'github_proxy', _('GitHub Proxy'),
 			_('Update data files with GitHub Proxy, leave blank to disable proxy downloads.'));
 		o.value('https://hub.gitmirror.com', _('https://hub.gitmirror.com'));
-		o.value('https://mirror.ghproxy.com', _('https://mirror.ghproxy.com'));
+		o.value('https://ghp.ci', _('https://ghp.ci'));
 		o.rmempty = true;
 		o.default = '';

--- a/luci-app-mosdns/root/usr/share/luci/menu.d/luci-app-mosdns.json
+++ b/luci-app-mosdns/root/usr/share/luci/menu.d/luci-app-mosdns.json
@ -1,38 +1,38 @@
-{
-	"admin/services/mosdns": {
-		"title": "MosDNS",
-		"order": 30,
-		"action": {
-			"type": "firstchild"
-		},
-		"depends": {
-			"acl": [ "luci-app-mosdns" ],
-			"uci": { "mosdns": true }
-		}
-	},
-	"admin/services/mosdns/basic": {
-		"title": "Basic Setting",
-		"order": 10,
-		"action": {
-			"type": "view",
-			"path": "mosdns/basic"
-		}
-	},
-	"admin/services/mosdns/rules": {
-		"title": "Rules",
-		"order": 15,
-		"action": {
-			"type": "view",
-			"path": "mosdns/rules"
-		}
-	},
-	"admin/services/mosdns/update": {
-		"title": "Geodata Update",
-		"order": 20,
-		"action": {
-			"type": "view",
-			"path": "mosdns/update"
-		}
+{
+	"admin/services/mosdns": {
+		"title": "MosDNS",
+		"order": 30,
+		"action": {
+			"type": "firstchild"
+		},
+		"depends": {
+			"acl": [ "luci-app-mosdns" ],
+			"uci": { "mosdns": true }
+		}
+	},
+	"admin/services/mosdns/basic": {
+		"title": "Basic Setting",
+		"order": 10,
+		"action": {
+			"type": "view",
+			"path": "mosdns/basic"
+		}
+	},
+	"admin/services/mosdns/rules": {
+		"title": "Rules",
+		"order": 15,
+		"action": {
+			"type": "view",
+			"path": "mosdns/rules"
+		}
+	},
+	"admin/services/mosdns/update": {
+		"title": "Geodata Update",
+		"order": 20,
+		"action": {
+			"type": "view",
+			"path": "mosdns/update"
+		}
 	},
 	"admin/services/mosdns/logs": {
 		"title": "Logs",
@ -41,5 +41,5 @@
 			"type": "view",
 			"path": "mosdns/logs"
 		}
-	}
-}
+	}
+}
--- a/luci-app-passwall/Makefile
+++ b/luci-app-passwall/Makefile
@ -26,6 +26,7 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_tuic_client \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Geodata \
+	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Geoview \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Xray \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Xray_Plugin
@ -140,6 +141,11 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Geodata
 	select PACKAGE_v2ray-geosite
 	default n

+config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Geoview
+	bool "Include V2ray_Geoview"
+	select PACKAGE_geoview
+	default y if aarch64||arm||i386||x86_64
+
 config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin
 	bool "Include V2ray-Plugin (Shadowsocks Plugin)"
 	select PACKAGE_v2ray-plugin
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/rule.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/rule.lua
@ -88,6 +88,17 @@ if has_xray or has_singbox then
 	o.default = "/usr/share/v2ray/"
 	o.rmempty = false

+	if api.is_finded("geoview") then
+		o = s:option(Flag, "enable_geoview", translate("Enable Geo Data Parsing"))
+		o.default = 0
+		o.rmempty = false
+		o.description = "<ul>"
+			.. "<li>" .. translate("Experimental feature.") .. "</li>"
+			.. "<li>" .. translate("Analyzes and preloads GeoIP/Geosite data to enhance the shunt performance of Sing-box/Xray.") .. "</li>"
+			.. "<li>" .. translate("Note: Increases resource usage; Geosite analysis is only supported in ChinaDNS-NG and SmartDNS modes.") .. "</li>"
+			.. "</ul>"
+	end
+
 	s = m:section(TypedSection, "shunt_rules", "Sing-Box/Xray " .. translate("Shunt Rule"), "<a style='color: red'>" .. translate("Please note attention to the priority, the higher the order, the higher the priority.") .. "</a>")
 	s.template = "cbi/tblsection"
 	s.anonymous = false
--- a/luci-app-passwall/po/zh-cn/passwall.po
+++ b/luci-app-passwall/po/zh-cn/passwall.po
@ -928,6 +928,15 @@ msgstr "V2ray/Xray 资源文件目录"
 msgid "This variable specifies a directory where geoip.dat and geosite.dat files are."
 msgstr "此变量指定 geoip.dat 和 geosite.dat 文件所在的目录。"

+msgid "Enable Geo Data Parsing"
+msgstr "开启 Geo 数据解析"
+
+msgid "Analyzes and preloads GeoIP/Geosite data to enhance the shunt performance of Sing-box/Xray."
+msgstr "分析和预加载 GeoIP/Geosite 数据，以增强 Sing-box/Xray 的分流效果。"
+
+msgid "Note: Increases resource usage; Geosite analysis is only supported in ChinaDNS-NG and SmartDNS modes."
+msgstr "注：会增加一些系统资源的开销，仅在 ChinaDNS-NG 和 SmartDNS 模式下支持分析 Geosite 。"
+
 msgid "Shunt Rule"
 msgstr "分流规则"

--- a/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
@ -84,6 +84,15 @@ local function insert_array_after(array1, array2, target) --将array2插入到ar
 	merge_array(array1, array2)
 end

+local function get_geosite(list_arg, out_path)
+	local geosite_path = uci:get(appname, "@global_rules[0]", "v2ray_location_asset")
+	geosite_path = geosite_path:match("^(.*)/") .. "/geosite.dat"
+	if not is_file_nonzero(geosite_path) then return end
+	if api.is_finded("geoview") and list_arg and out_path then
+		sys.exec("geoview -type geosite -append=true -input " .. geosite_path .. " -list '" .. list_arg .. "' -output " .. out_path)
+	end
+end
+
 if not fs.access(FLAG_PATH) then
 	fs.mkdir(FLAG_PATH)
 end
@ -262,6 +271,7 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 	local shunt_domain, lookup_shunt_domain = {}, {}
 	local file_white_host = FLAG_PATH .. "/shunt_direct_host"
 	local file_shunt_host = FLAG_PATH .. "/shunt_proxy_host"
+	local geosite_white_arg, geosite_shunt_arg = "", ""

 	local t = uci:get_all(appname, TCP_NODE)
 	local default_node_id = t["default_node"] or "_direct"
@ -274,19 +284,25 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then

 			local domain_list = s.domain_list or ""
 			for line in string.gmatch(domain_list, "[^\r\n]+") do
-				if line ~= "" and not line:find("#") and not line:find("regexp:") and not line:find("geosite:") and not line:find("ext:") then
-					if line:find("domain:") or line:find("full:") then
+				if line ~= "" and not line:find("#") and not line:find("regexp:") and not line:find("ext:") then
+					if line:find("geosite:") then
 						line = string.match(line, ":([^:]+)$")
-					end
-					line = api.get_std_domain(line)
-
-					if _node_id == "_direct" then
-						if line ~= "" and not line:find("#") then
-							insert_unique(white_domain, line, lookup_white_domain)
+						if _node_id == "_direct" then
+							geosite_white_arg = geosite_white_arg .. (geosite_white_arg ~= "" and "," or "") .. line
+						else
+							geosite_shunt_arg = geosite_shunt_arg .. (geosite_shunt_arg ~= "" and "," or "") .. line
 						end
 					else
+						if line:find("domain:") or line:find("full:") then
+							line = string.match(line, ":([^:]+)$")
+						end
+						line = api.get_std_domain(line)
 						if line ~= "" and not line:find("#") then
-							insert_unique(shunt_domain, line, lookup_shunt_domain)
+							if _node_id == "_direct" then
+								insert_unique(white_domain, line, lookup_white_domain)
+							else
+								insert_unique(shunt_domain, line, lookup_shunt_domain)
+							end
 						end
 					end
 				end
@ -318,13 +334,36 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 		end
 	end

-	if is_file_nonzero(file_white_host) then
-		for i, v in ipairs(config_lines) do   --添加到白名单组一同处理
-			if v == "group-dnl " .. file_direct_host then
-				config_lines[i] = "group-dnl " .. file_direct_host .. "," .. file_white_host
-				break
-			end
+	local use_geoview = uci:get(appname, "@global_rules[0]", "enable_geoview")
+	if GFWLIST == "1" and CHNLIST == "0" and use_geoview == "1" then  --仅GFW模式解析geosite
+		if geosite_white_arg ~= "" then
+			get_geosite(geosite_white_arg, file_white_host)
 		end
+		if geosite_shunt_arg ~= "" then
+			get_geosite(geosite_shunt_arg, file_shunt_host)
+		end
+	end
+
+	if is_file_nonzero(file_white_host) then
+		if USE_DIRECT_LIST == "1" then
+			--当白名单启用时，添加到白名单组一同处理
+			for i, v in ipairs(config_lines) do
+				if v == "group-dnl " .. file_direct_host then
+					config_lines[i] = "group-dnl " .. file_direct_host .. "," .. file_white_host
+					break
+				end
+			end
+		else
+			--当白名单不启用时，创建新组，ipset到shuntlist
+			tmp_lines = {
+				"group whitelist",
+				"group-dnl " .. file_white_host,
+				"group-upstream " .. DNS_LOCAL,
+				"group-ipset " .. setflag .. "passwall_shuntlist," .. setflag .. "passwall_shuntlist6"
+			}
+			insert_array_after(config_lines, tmp_lines, "#--4")
+		end
+		
 	end

 	if is_file_nonzero(file_shunt_host) then
--- a/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua
@ -90,6 +90,15 @@ local function insert_array_after(array1, array2, target) --将array2插入到ar
 	merge_array(array1, array2)
 end

+local function get_geosite(list_arg, out_path)
+	local geosite_path = uci:get(appname, "@global_rules[0]", "v2ray_location_asset")
+	geosite_path = geosite_path:match("^(.*)/") .. "/geosite.dat"
+	if not is_file_nonzero(geosite_path) then return end
+	if api.is_finded("geoview") and list_arg and out_path then
+		sys.exec("geoview -type geosite -append=true -input " .. geosite_path .. " -list '" .. list_arg .. "' -output " .. out_path)
+	end
+end
+
 if not fs.access(FLAG_PATH) then
 	fs.mkdir(FLAG_PATH)
 end
@ -405,6 +414,7 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 	local shunt_domain, lookup_shunt_domain = {}, {}
 	local file_white_host = FLAG_PATH .. "/shunt_direct_host"
 	local file_shunt_host = FLAG_PATH .. "/shunt_proxy_host"
+	local geosite_white_arg, geosite_shunt_arg = "", ""

 	local t = uci:get_all(appname, TCP_NODE)
 	local default_node_id = t["default_node"] or "_direct"
@ -417,19 +427,25 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then

 			local domain_list = s.domain_list or ""
 			for line in string.gmatch(domain_list, "[^\r\n]+") do
-				if line ~= "" and not line:find("#") and not line:find("regexp:") and not line:find("geosite:") and not line:find("ext:") then
-					if line:find("domain:") or line:find("full:") then
+				if line ~= "" and not line:find("#") and not line:find("regexp:") and not line:find("ext:") then
+					if line:find("geosite:") then
 						line = string.match(line, ":([^:]+)$")
-					end
-					line = api.get_std_domain(line)
-
-					if _node_id == "_direct" then
-						if line ~= "" and not line:find("#") then
-							insert_unique(white_domain, line, lookup_white_domain)
+						if _node_id == "_direct" then
+							geosite_white_arg = geosite_white_arg .. (geosite_white_arg ~= "" and "," or "") .. line
+						else
+							geosite_shunt_arg = geosite_shunt_arg .. (geosite_shunt_arg ~= "" and "," or "") .. line
 						end
 					else
+						if line:find("domain:") or line:find("full:") then
+							line = string.match(line, ":([^:]+)$")
+						end
+						line = api.get_std_domain(line)
 						if line ~= "" and not line:find("#") then
-							insert_unique(shunt_domain, line, lookup_shunt_domain)
+							if _node_id == "_direct" then
+								insert_unique(white_domain, line, lookup_white_domain)
+							else
+								insert_unique(shunt_domain, line, lookup_shunt_domain)
+							end
 						end
 					end
 				end
@ -461,16 +477,30 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 		end
 	end

+	local use_geoview = uci:get(appname, "@global_rules[0]", "enable_geoview")
+	if USE_GFW_LIST == "1" and CHN_LIST == "0" and use_geoview == "1" then  --仅GFW模式解析geosite
+		if geosite_white_arg ~= "" then
+			get_geosite(geosite_white_arg, file_white_host)
+		end
+		if geosite_shunt_arg ~= "" then
+			get_geosite(geosite_shunt_arg, file_shunt_host)
+		end
+	end
+
 	if is_file_nonzero(file_white_host) then
 		local domain_set_name = "passwall-whitehost"
 		tmp_lines = {
 			string.format("domain-set -name %s -file %s", domain_set_name, file_white_host)
 		}
 		local domain_rules_str = string.format('domain-rules /domain-set:%s/ %s', domain_set_name, LOCAL_GROUP and "-nameserver " .. LOCAL_GROUP or "")
-		domain_rules_str = domain_rules_str .. " " .. set_type .. " #4:" .. setflag .. "passwall_whitelist,#6:" .. setflag .. "passwall_whitelist6"
+		if USE_DIRECT_LIST == "1" then
+			domain_rules_str = domain_rules_str .. " " .. set_type .. " #4:" .. setflag .. "passwall_whitelist,#6:" .. setflag .. "passwall_whitelist6"
+		else
+			domain_rules_str = domain_rules_str .. " " .. set_type .. " #4:" .. setflag .. "passwall_shuntlist,#6:" .. setflag .. "passwall_shuntlist6"
+		end
 		domain_rules_str = domain_rules_str .. (LOCAL_EXTEND_ARG ~= "" and " " .. LOCAL_EXTEND_ARG or "")
 		table.insert(tmp_lines, domain_rules_str)
-		insert_array_after(config_lines, tmp_lines, "#--3")
+		insert_array_after(config_lines, tmp_lines, "#--4")
 	end

 	if is_file_nonzero(file_shunt_host) then
@ -488,7 +518,7 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
 			domain_rules_str = domain_rules_str .. " -d no " .. set_type .. " #4:" .. setflag .. "passwall_shuntlist" .. ",#6:" .. setflag .. "passwall_shuntlist6"
 		end
 		table.insert(tmp_lines, domain_rules_str)
-		insert_array_after(config_lines, tmp_lines, "#--4")
+		insert_array_after(config_lines, tmp_lines, "#--3")
 	end

 end
--- a/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh
@ -179,6 +179,23 @@ get_wan6_ip() {
 	echo $NET_ADDR
 }

+get_geoip() {
+	local geoip_code="$1"
+	local geoip_type_flag=""
+	local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
+	geoip_path="${geoip_path%*/}/geoip.dat"
+	[ -e "$geoip_path" ] || { echo ""; return; }
+	case "$2" in
+		"ipv4") geoip_type_flag="-ipv6=false" ;;
+		"ipv6") geoip_type_flag="-ipv4=false" ;;
+	esac
+	if type geoview &> /dev/null; then
+		geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag
+	else
+		echo ""
+	fi
+}
+
 load_acl() {
 	([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog "  - 访问控制："
 	[ "$ENABLED_ACLS" == 1 ] && {
@ -613,11 +630,9 @@ filter_haproxy() {
 }

 filter_vpsip() {
-	uci show $CONFIG | grep ".download_address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
-	uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+	uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 	echolog "  - [$?]加入所有IPv4节点到ipset[$IPSET_VPSLIST]直连完成"
-	uci show $CONFIG | grep ".download_address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
-	uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+	uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 	echolog "  - [$?]加入所有IPv6节点到ipset[$IPSET_VPSLIST6]直连完成"
 }

@ -775,12 +790,22 @@ add_firewall_rule() {
 		done
 	}
 	[ "$USE_SHUNT_NODE" = "1" ] && {
+		local GEOIP_CODE=""
 		local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
 		for shunt_id in $shunt_ids; do
 			config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNTLIST &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 			config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+			[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
+				local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
+				[ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
+			}
 		done
 	}
+	if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
+		get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNTLIST &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+		get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+		echolog "  - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
+	fi

 	cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 	cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLACKLIST &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
--- a/luci-app-passwall/root/usr/share/passwall/nftables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh
@ -239,6 +239,23 @@ get_wan6_ip() {
 	echo $NET_ADDR
 }

+get_geoip() {
+	local geoip_code="$1"
+	local geoip_type_flag=""
+	local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
+	geoip_path="${geoip_path%*/}/geoip.dat"
+	[ -e "$geoip_path" ] || { echo ""; return; }
+	case "$2" in
+		"ipv4") geoip_type_flag="-ipv6=false" ;;
+		"ipv6") geoip_type_flag="-ipv4=false" ;;
+	esac
+	if type geoview &> /dev/null; then
+		geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag
+	else
+		echo ""
+	fi
+}
+
 load_acl() {
 	([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog "  - 访问控制："
 	[ "$ENABLED_ACLS" == 1 ] && {
@ -680,11 +697,9 @@ filter_vps_addr() {
 }

 filter_vpsip() {
-	insert_nftset $NFTSET_VPSLIST "-1" $(uci show $CONFIG | grep ".download_address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d")
-	insert_nftset $NFTSET_VPSLIST "-1" $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d")
+	insert_nftset $NFTSET_VPSLIST "-1" $(uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep -v "^127\.0\.0\.1$" | sed -e "/^$/d")
 	echolog "  - [$?]加入所有IPv4节点到nftset[$NFTSET_VPSLIST]直连完成"
-	insert_nftset $NFTSET_VPSLIST6 "-1" $(uci show $CONFIG | grep ".download_address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
-	insert_nftset $NFTSET_VPSLIST6 "-1" $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
+	insert_nftset $NFTSET_VPSLIST6 "-1" $(uci show $CONFIG | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
 	echolog "  - [$?]加入所有IPv6节点到nftset[$NFTSET_VPSLIST6]直连完成"
 }

@ -853,12 +868,22 @@ add_firewall_rule() {
 		done
 	}
 	[ "$USE_SHUNT_NODE" = "1" ] && {
+		local GEOIP_CODE=""
 		local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
 		for shunt_id in $shunt_ids; do
 			insert_nftset $NFTSET_SHUNTLIST "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
 			insert_nftset $NFTSET_SHUNTLIST6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
+			[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
+				local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
+				[ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
+			}
 		done
 	}
+	if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
+		insert_nftset $NFTSET_SHUNTLIST "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
+		insert_nftset $NFTSET_SHUNTLIST6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
+		echolog "  - [$?]解析并加入分流节点 GeoIP 到 NFTSET 完成"
+	fi

 	# 忽略特殊IP段
 	local lan_ifname lan_ip
--- a/natflow/Makefile
+++ b/natflow/Makefile
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk

 PKG_NAME:=natflow
-PKG_VERSION:=20241125
+PKG_VERSION:=20241128

 PKG_SOURCE_URL:=https://codeload.github.com/ptpt52/natflow/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=604d78af4292db4793bb2c86b279f8a0d362bb0a050ddd510d1c1178d1bf3eb8
+PKG_HASH:=5048d3ec5d588bd4788e64969c3ada3ddf0b3f180545ec66b42ca9baee960992
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz

 PKG_MAINTAINER:=Chen Minqiang <ptpt52@gmail.com>