diff --git a/chinadns-ng/Makefile b/chinadns-ng/Makefile index dcb8d06b8..e6bb2a1a1 100644 --- a/chinadns-ng/Makefile +++ b/chinadns-ng/Makefile @@ -63,4 +63,4 @@ define Package/chinadns-ng/install $(INSTALL_BIN) $(PKG_BUILD_DIR)/chinadns-ng $(1)/usr/bin endef -$(eval $(call BuildPackage,chinadns-ng)) \ No newline at end of file +$(eval $(call BuildPackage,chinadns-ng)) diff --git a/luci-app-lucky/root/usr/bin/luckyarch b/luci-app-lucky/root/usr/bin/luckyarch new file mode 100644 index 000000000..cb7a8e0cf --- /dev/null +++ b/luci-app-lucky/root/usr/bin/luckyarch @@ -0,0 +1,14 @@ +#!/bin/sh + + cputype=$(uname -ms | tr ' ' '_' | tr '[A-Z]' '[a-z]') + [ -n "$(echo $cputype | grep -E "linux.*armv.*")" ] && cpucore="armv5" + [ -n "$(echo $cputype | grep -E "linux.*armv7.*")" ] && [ -n "$(cat /proc/cpuinfo | grep vfp)" ] && [ ! -d /jffs/clash ] && cpucore="armv7" + [ -n "$(echo $cputype | grep -E "linux.*aarch64.*|linux.*armv8.*")" ] && cpucore="arm64" + [ -n "$(echo $cputype | grep -E "linux.*86.*")" ] && cpucore="i386" + [ -n "$(echo $cputype | grep -E "linux.*86_64.*")" ] && cpucore="x86_64" + if [ -n "$(echo $cputype | grep -E "linux.*mips.*")" ];then + mipstype=$(echo -n I | hexdump -o 2>/dev/null | awk '{ print substr($2,6,1); exit}') #通过判断大小端判断mips或mipsle + [ "$mipstype" = "0" ] && cpucore="mips_softfloat" || cpucore="mipsle_softfloat" + fi + +echo $cpucore diff --git a/luci-app-netdata/root/etc/uci-defaults/40_luci-app-netdata b/luci-app-netdata/root/etc/uci-defaults/40_luci-app-netdata index aa554f8cb..6c86c538a 100644 --- a/luci-app-netdata/root/etc/uci-defaults/40_luci-app-netdata +++ b/luci-app-netdata/root/etc/uci-defaults/40_luci-app-netdata @@ -7,5 +7,5 @@ [ -f /usr/share/netdata/webcn/index.html ] && mv -f /usr/share/netdata/webcn/index.html /usr/share/netdata/web/index.html [ -f /usr/share/netdata/webcn/netdata.init ] && mv -f /usr/share/netdata/webcn/netdata.init /etc/init.d/netdata rm -rf /tmp/luci-modulecache /tmp/luci-indexcache* -chmod +x chmod +x /etc/init.d/netdata +chmod +x /etc/init.d/netdata exit 0 diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index 1881ae2a8..54de3b735 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 -PKG_VERSION:=1.27-4 +PKG_VERSION:=1.27-5 PKG_RELEASE:= PKG_CONFIG_DEPENDS:= \ diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua index 11c4b4a1e..b48aabfd4 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua @@ -285,4 +285,8 @@ for k, v in pairs(nodes_table) do end end +o = s:option(Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances.")) +o.default = "1" +o:depends({ node = "default", ['!reverse'] = true }) + return m diff --git a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua index b88476ee1..a600670a4 100644 --- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua +++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/global.lua @@ -286,7 +286,11 @@ o.remove = function(self, section) end end -o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect.")) +o = s:taboption("DNS", Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances.")) +o.default = "1" +o.rmempty = false + +o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect.")) o.inputstyle = "remove" function o.write(e, e) luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"passwall2_\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &") diff --git a/luci-app-passwall2/luasrc/passwall2/util_xray.lua b/luci-app-passwall2/luasrc/passwall2/util_xray.lua index 57935b9ae..3d26ed0be 100644 --- a/luci-app-passwall2/luasrc/passwall2/util_xray.lua +++ b/luci-app-passwall2/luasrc/passwall2/util_xray.lua @@ -536,8 +536,15 @@ function gen_config(var) local direct_nftset = var["-direct_nftset"] local remote_dns_udp_server = var["-remote_dns_udp_server"] local remote_dns_udp_port = var["-remote_dns_udp_port"] + local remote_dns_tcp_server = var["-remote_dns_tcp_server"] + local remote_dns_tcp_port = var["-remote_dns_tcp_port"] + local remote_dns_doh_url = var["-remote_dns_doh_url"] + local remote_dns_doh_host = var["-remote_dns_doh_host"] + local remote_dns_doh_ip = var["-remote_dns_doh_ip"] + local remote_dns_doh_port = var["-remote_dns_doh_port"] local remote_dns_fake = var["-remote_dns_fake"] local remote_dns_query_strategy = var["-remote_dns_query_strategy"] + local remote_dns_detour = var["-remote_dns_detour"] local dns_cache = var["-dns_cache"] local dns_domain_rules = {} @@ -1060,9 +1067,9 @@ function gen_config(var) end end - if remote_dns_udp_server then + if dns_listen_port then local rules = {} - local _remote_dns_proto + local _remote_dns_proto = "tcp" if not routing then routing = { @@ -1105,27 +1112,46 @@ function gen_config(var) end) end - local _remote_dns = nil - if remote_dns_udp_server then - _remote_dns = { - _flag = "remote", - address = remote_dns_udp_server, - port = tonumber(remote_dns_udp_port) or 53, - queryStrategy = (remote_dns_query_strategy and remote_dns_query_strategy ~= "") and remote_dns_query_strategy or "UseIPv4" - } - _remote_dns_proto = "udp" - table.insert(dns.servers, _remote_dns) + local _remote_dns = { + _flag = "remote", + queryStrategy = (remote_dns_query_strategy and remote_dns_query_strategy ~= "") and remote_dns_query_strategy or "UseIPv4" + } - table.insert(routing.rules, 1, { - type = "field", - ip = { - remote_dns_udp_server - }, - port = tonumber(remote_dns_udp_port) or 53, - network = _remote_dns_proto, - outboundTag = "direct" - }) + if remote_dns_udp_server then + _remote_dns.address = remote_dns_udp_server + _remote_dns.port = tonumber(remote_dns_udp_port) or 53 + _remote_dns_proto = "udp" end + + if remote_dns_tcp_server then + _remote_dns.address = "tcp://" .. remote_dns_tcp_server + _remote_dns.port = tonumber(remote_dns_tcp_port) or 53 + _remote_dns_proto = "tcp" + end + + if remote_dns_doh_url and remote_dns_doh_host then + if remote_dns_doh_ip and remote_dns_doh_host ~= remote_dns_doh_ip and not api.is_ip(remote_dns_doh_host) then + dns.hosts[remote_dns_doh_host] = remote_dns_doh_ip + end + _remote_dns.address = remote_dns_doh_url + _remote_dns.port = tonumber(remote_dns_doh_port) or 443 + end + + if _remote_dns.address then + table.insert(dns.servers, _remote_dns) + if remote_dns_detour == "direct" then + table.insert(routing.rules, 1, { + type = "field", + ip = { + _remote_dns.address + }, + port = _remote_dns.port, + network = _remote_dns_proto, + outboundTag = "direct" + }) + end + end + local _remote_fakedns = nil if remote_dns_fake then fakedns = {} @@ -1192,8 +1218,7 @@ function gen_config(var) protocol = "dokodemo-door", tag = "dns-in", settings = { - address = "1.1.1.1", - port = 53, + address = "0.0.0.0", network = "tcp,udp" } }) @@ -1214,12 +1239,9 @@ function gen_config(var) port = tonumber(remote_dns_udp_port) or 53, network = _remote_dns_proto or "tcp", nonIPQuery = "drop" - }, - proxySettings = { - tag = "direct" } } - local type_dns = remote_type_dns + local type_dns = direct_type_dns table.insert(outbounds, { tag = "dns-out", protocol = "dns", diff --git a/luci-app-passwall2/po/zh-cn/passwall2.po b/luci-app-passwall2/po/zh-cn/passwall2.po index 7b6d6f0f6..205071c69 100644 --- a/luci-app-passwall2/po/zh-cn/passwall2.po +++ b/luci-app-passwall2/po/zh-cn/passwall2.po @@ -160,8 +160,14 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。" msgid "Domain Override" msgstr "域名重写" -msgid "Clear IPSET" -msgstr "清空 IPSET" +msgid "Direct DNS result write to IPSet" +msgstr "直连 DNS 解析结果写入到 IPSet" + +msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances." +msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet,然后直连(不进入内核)。可能和某些特殊情况冲突。" + +msgid "Clear IPSet" +msgstr "清空 IPSet" msgid "Try this feature if the rule modification does not take effect." msgstr "如果修改规则后没有生效,请尝试此功能。" diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index 22731d74e..ea203b0ff 100644 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -286,7 +286,7 @@ lua_api() { run_xray() { local flag node redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password - local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache + local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache write_ipset_direct local loglevel log_file config_file local _extra_param="" eval_set_val $@ @@ -308,38 +308,50 @@ run_xray() { [ -n "$http_username" ] && [ -n "$http_password" ] && _extra_param="${_extra_param} -local_http_username $http_username -local_http_password $http_password" [ -n "$dns_listen_port" ] && { - direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) - local set_flag="${flag}" - local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf - [ -n "$(echo ${flag} | grep '^acl')" ] && { - direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf - set_flag=$(echo ${flag} | awk -F '_' '{print $2}') - } - if [ "${nftflag}" = "1" ]; then - local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6" - else - local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" - fi - run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} + _extra_param="${_extra_param} -dns_listen_port ${dns_listen_port}" + [ -n "$dns_cache" ] && _extra_param="${_extra_param} -dns_cache ${dns_cache}" - V2RAY_DNS_REMOTE_CONFIG="${TMP_PATH}/${flag}_dns_remote.json" - V2RAY_DNS_REMOTE_LOG="${TMP_PATH}/${flag}_dns_remote.log" - V2RAY_DNS_REMOTE_LOG="/dev/null" - V2RAY_DNS_REMOTE_ARGS="-dns_out_tag remote" - dns_remote_listen_port=$(get_new_port $(expr $direct_dnsmasq_listen_port + 1) udp) - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -dns_listen_port ${dns_remote_listen_port}" + local _dns=$(get_first_dns AUTO_DNS 53 | sed 's/#/:/g') + local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') + local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') + + DIRECT_DNS_UDP_SERVER=${_dns_address} + DIRECT_DNS_UDP_PORT=${_dns_port} + + [ "${write_ipset_direct}" = "1" ] && { + direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) + local set_flag="${flag}" + local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf + [ -n "$(echo ${flag} | grep '^acl')" ] && { + direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf + set_flag=$(echo ${flag} | awk -F '_' '{print $2}') + } + if [ "${nftflag}" = "1" ]; then + local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6" + else + local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" + fi + run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} + DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port} + DIRECT_DNS_UDP_SERVER="127.0.0.1" + [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" + [ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}" + } + _extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy UseIP" + + DNS_REMOTE_ARGS="" case "$remote_dns_protocol" in udp) local _dns=$(get_first_dns remote_dns_udp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_udp_port ${_dns_port} -remote_dns_udp_server ${_dns_address}" + DNS_REMOTE_ARGS="-remote_dns_udp_port ${_dns_port} -remote_dns_udp_server ${_dns_address}" ;; tcp) local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g') local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_tcp_port ${_dns_port} -remote_dns_tcp_server ${_dns_address}" + DNS_REMOTE_ARGS="-remote_dns_tcp_port ${_dns_port} -remote_dns_tcp_server ${_dns_address}" ;; doh) local _doh_url=$(echo $remote_dns_doh | awk -F ',' '{print $1}') @@ -351,26 +363,29 @@ run_xray() { [ -z "${_doh_port}" ] && _doh_port=443 local _doh_bootstrap=$(echo $remote_dns_doh | cut -d ',' -sf 2-) [ "${is_ip}" = "true" ] && _doh_bootstrap=${_doh_host} - [ -n "$_doh_bootstrap" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_doh_ip ${_doh_bootstrap}" - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}" + DNS_REMOTE_ARGS="-remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}" + [ -n "$_doh_bootstrap" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -remote_dns_doh_ip ${_doh_bootstrap}" ;; esac - [ -n "$remote_dns_detour" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_detour ${remote_dns_detour}" - - [ -n "$remote_dns_query_strategy" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_query_strategy ${remote_dns_query_strategy}" - [ -n "$remote_dns_client_ip" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -dns_client_ip ${remote_dns_client_ip}" - - V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_outbound_socks_address 127.0.0.1 -remote_dns_outbound_socks_port ${socks_port}" - lua $UTIL_XRAY gen_dns_config ${V2RAY_DNS_REMOTE_ARGS} > $V2RAY_DNS_REMOTE_CONFIG - ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $V2RAY_DNS_REMOTE_LOG run -c "$V2RAY_DNS_REMOTE_CONFIG" - - [ -n "$dns_listen_port" ] && _extra_param="${_extra_param} -dns_listen_port ${dns_listen_port}" - [ -n "$dns_cache" ] && _extra_param="${_extra_param} -dns_cache ${dns_cache}" - _extra_param="${_extra_param} -direct_dns_udp_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1 -direct_dns_query_strategy UseIP" - [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" - [ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}" - _extra_param="${_extra_param} -remote_dns_udp_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1 -remote_dns_query_strategy ${remote_dns_query_strategy}" + [ -n "$remote_dns_detour" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -remote_dns_detour ${remote_dns_detour}" + [ -n "$remote_dns_query_strategy" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -remote_dns_query_strategy ${remote_dns_query_strategy}" + [ -n "$remote_dns_client_ip" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -dns_client_ip ${remote_dns_client_ip}" [ "$remote_fakedns" = "1" ] && _extra_param="${_extra_param} -remote_dns_fake 1 -remote_dns_fake_strategy ${remote_dns_query_strategy}" + + local independent_dns + if [ -z "${independent_dns}" ]; then + _extra_param="${_extra_param} ${DNS_REMOTE_ARGS}" + else + dns_remote_listen_port=$(get_new_port $(expr ${direct_dnsmasq_listen_port:-${dns_listen_port}} + 1) udp) + V2RAY_DNS_REMOTE_CONFIG="${TMP_PATH}/${flag}_dns_remote.json" + V2RAY_DNS_REMOTE_LOG="${TMP_PATH}/${flag}_dns_remote.log" + V2RAY_DNS_REMOTE_LOG="/dev/null" + DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -dns_out_tag remote -dns_listen_port ${dns_remote_listen_port} -remote_dns_outbound_socks_address 127.0.0.1 -remote_dns_outbound_socks_port ${socks_port}" + + lua $UTIL_XRAY gen_dns_config ${DNS_REMOTE_ARGS} > $V2RAY_DNS_REMOTE_CONFIG + ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $V2RAY_DNS_REMOTE_LOG run -c "$V2RAY_DNS_REMOTE_CONFIG" + _extra_param="${_extra_param} -remote_dns_udp_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1 -remote_dns_query_strategy ${remote_dns_query_strategy}" + fi } lua $UTIL_XRAY gen_config -node $node -redir_port $redir_port -tcp_proxy_way $tcp_proxy_way -loglevel $loglevel ${_extra_param} > $config_file @@ -379,7 +394,7 @@ run_xray() { run_singbox() { local flag node redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password - local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache + local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache write_ipset_direct local loglevel log_file config_file local _extra_param="" eval_set_val $@ @@ -408,23 +423,33 @@ run_singbox() { [ -n "$http_username" ] && [ -n "$http_password" ] && _extra_param="${_extra_param} -local_http_username $http_username -local_http_password $http_password" [ -n "$dns_listen_port" ] && { - direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) - local set_flag="${flag}" - local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf - [ -n "$(echo ${flag} | grep '^acl')" ] && { - direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf - set_flag=$(echo ${flag} | awk -F '_' '{print $2}') + local _dns=$(get_first_dns AUTO_DNS 53 | sed 's/#/:/g') + local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}') + local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}') + + DIRECT_DNS_UDP_SERVER=${_dns_address} + DIRECT_DNS_UDP_PORT=${_dns_port} + + [ "${write_ipset_direct}" = "1" ] && { + direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) + local set_flag="${flag}" + local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf + [ -n "$(echo ${flag} | grep '^acl')" ] && { + direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf + set_flag=$(echo ${flag} | awk -F '_' '{print $2}') + } + if [ "${nftflag}" = "1" ]; then + local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6" + else + local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" + fi + run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} + DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port} + DIRECT_DNS_UDP_SERVER="127.0.0.1" + [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" + [ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}" } - if [ "${nftflag}" = "1" ]; then - local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6" - else - local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" - fi - run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} - - _extra_param="${_extra_param} -direct_dns_udp_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1 -direct_dns_query_strategy UseIP" - [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" - [ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}" + _extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy UseIP" case "$remote_dns_protocol" in udp) @@ -688,6 +713,8 @@ run_global() { node_http_port=$(config_t_get global node_http_port 0) [ "$node_http_port" != "0" ] && V2RAY_ARGS="${V2RAY_ARGS} http_port=${node_http_port}" + V2RAY_ARGS="${V2RAY_ARGS} write_ipset_direct=${WRITE_IPSET_DIRECT}" + local run_func [ -n "${XRAY_BIN}" ] && run_func="run_xray" [ -n "${SINGBOX_BIN}" ] && run_func="run_singbox" @@ -930,6 +957,8 @@ acl_app() { remote_fakedns=${remote_fakedns:-0} remote_dns_query_strategy=${remote_dns_query_strategy:-UseIPv4} + write_ipset_direct=${write_ipset_direct:-1} + [ "$node" != "nil" ] && { if [ "$node" = "default" ]; then node=$NODE @@ -955,7 +984,7 @@ acl_app() { elif [ "${type}" = "sing-box" ] && [ -n "${SINGBOX_BIN}" ]; then run_func="run_singbox" fi - ${run_func} flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_query_strategy=UseIP remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_detour=${remote_dns_detour} remote_fakedns=${remote_fakedns} remote_dns_query_strategy=${remote_dns_query_strategy} config_file=${config_file} + ${run_func} flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_query_strategy=UseIP remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_detour=${remote_dns_detour} remote_fakedns=${remote_fakedns} remote_dns_query_strategy=${remote_dns_query_strategy} write_ipset_direct=${write_ipset_direct} config_file=${config_file} fi dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) redirect_dns_port=$dnsmasq_port @@ -1098,6 +1127,7 @@ REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote) REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g') REMOTE_FAKEDNS=$(config_t_get global remote_fakedns '0') REMOTE_DNS_QUERY_STRATEGY=$(config_t_get global remote_dns_query_strategy UseIPv4) +WRITE_IPSET_DIRECT=$(config_t_get global write_ipset_direct 1) DNS_CACHE=$(config_t_get global dns_cache 1) RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index d118c120a..68abe4e14 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh @@ -208,6 +208,8 @@ load_acl() { [ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node) [ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port) [ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks) + + write_ipset_direct=${write_ipset_direct:-1} for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do if [ -n "$(echo ${i} | grep '^iprange:')" ]; then @@ -249,7 +251,7 @@ load_acl() { msg2="${msg2}(REDIRECT:${redir_port})代理" fi - $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN [ "$accept_icmp" = "1" ] && { $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT) @@ -277,7 +279,7 @@ load_acl() { $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) fi [ "$PROXY_IPV6" == "1" ] && { - $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null @@ -302,13 +304,13 @@ load_acl() { } msg2="${msg2}所有端口" - $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null @@ -348,7 +350,7 @@ load_acl() { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN [ "$accept_icmp" = "1" ] && { $ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT) @@ -370,7 +372,7 @@ load_acl() { fi [ "$PROXY_IPV6" == "1" ] && { - $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY) @@ -396,13 +398,13 @@ load_acl() { [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN $ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) if [ "$PROXY_IPV6_UDP" == "1" ]; then - $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY) @@ -621,7 +623,7 @@ add_firewall_rule() { $ipt_n -N PSW2_OUTPUT $ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN $ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN - $ipt_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN $ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN $ipt_n -N PSW2_REDIRECT @@ -659,7 +661,7 @@ add_firewall_rule() { echolog " - [$?]追加直连DNS到iptables:${dns_address}:${dns_port:-53}" done } - $ipt_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN $ipt_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN ip rule add fwmark 1 lookup 100 @@ -674,7 +676,7 @@ add_firewall_rule() { $ip6t_n -N PSW2_OUTPUT $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN - $ip6t_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN $ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN } @@ -704,7 +706,7 @@ add_firewall_rule() { $ip6t_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN $ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN $ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN - $ip6t_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN + [ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN ip -6 rule add fwmark 1 table 100 ip -6 route add local ::/0 dev lo table 100 diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index 8f305e34e..83a13dc17 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh @@ -237,6 +237,8 @@ load_acl() { [ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node) [ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port) [ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks) + + write_ipset_direct=${write_ipset_direct:-1} for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do if [ -n "$(echo ${i} | grep '^iprange:')" ]; then @@ -274,8 +276,8 @@ load_acl() { msg2="${msg2}(REDIRECT:${redir_port})代理" fi - [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" - [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" @@ -306,7 +308,7 @@ load_acl() { fi [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null @@ -331,13 +333,13 @@ load_acl() { } msg2="${msg2}所有端口" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\"" [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null @@ -374,8 +376,8 @@ load_acl() { [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" - [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" [ "$accept_icmp" = "1" ] && { nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\"" @@ -399,7 +401,7 @@ load_acl() { fi [ "$PROXY_IPV6" == "1" ] && { - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" @@ -422,13 +424,13 @@ load_acl() { [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的" msg="${msg}所有端口" - nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\"" [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { - nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\"" nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\"" @@ -670,7 +672,7 @@ add_firewall_rule() { echolog " - [$?]追加直连DNS到nftables:${dns_address}:${dns_port:-53}" done } - nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip daddr @$nftset_global_whitelist counter return" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip daddr @$nftset_global_whitelist counter return" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE meta mark 0xff counter return" # jump chains @@ -689,7 +691,7 @@ add_firewall_rule() { nft "flush chain inet fw4 PSW2_OUTPUT_NAT" nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return" nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return" - nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$nftset_global_whitelist counter return" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$nftset_global_whitelist counter return" nft "add rule inet fw4 PSW2_OUTPUT_NAT meta mark 0xff counter return" } @@ -723,13 +725,13 @@ add_firewall_rule() { nft "flush chain inet fw4 PSW2_MANGLE_V6" nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return" nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return" - nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return" nft "add chain inet fw4 PSW2_OUTPUT_MANGLE_V6" nft "flush chain inet fw4 PSW2_OUTPUT_MANGLE_V6" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return" - nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return" + [ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return" nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta mark 0xff counter return" # jump chains