update 2023-05-07 23:35:16
This commit is contained in:
parent
3cab2f5c28
commit
fefd44fafd
@ -5,12 +5,12 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=ipt2socks
|
||||
PKG_VERSION:=1.1.3
|
||||
PKG_VERSION:=1.1.3
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/zfl9/ipt2socks/tar.gz/v$(PKG_VERSION)?
|
||||
PKG_HASH:=5279eb1cb7555cf9292423cc9f672dc43e6e214b3411a6df26a6a1cfa59d88b7
|
||||
PKG_HASH:=5279eb1cb7555cf9292423cc9f672dc43e6e214b3411a6df26a6a1cfa59d88b7
|
||||
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
PKG_USE_MIPS16:=0
|
||||
|
@ -6,7 +6,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall
|
||||
PKG_VERSION:=4.65-2
|
||||
PKG_VERSION:=4.66-1
|
||||
PKG_RELEASE:=
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
|
@ -290,7 +290,7 @@ end
|
||||
|
||||
function copy_node()
|
||||
local section = luci.http.formvalue("section")
|
||||
local uuid = api.gen_uuid()
|
||||
local uuid = api.gen_short_uuid()
|
||||
ucic:section(appname, "nodes", uuid)
|
||||
for k, v in pairs(ucic:get_all(appname, section)) do
|
||||
local filter = k:find("%.")
|
||||
|
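Review bot: The new `nodes` section is written by `ucic:section(appname, "nodes", uuid)` before the source section is looked up, so a request whose `section` parameter names a missing section makes `pairs(ucic:get_all(appname, section))` raise on nil after an empty section has already been created. Fetch the source first and stop when it is absent: `local src = ucic:get_all(appname, section)` / `if not src then luci.http.status(404, "Not found") return end`, then iterate `src` in the loop. The value returned by `api.gen_short_uuid()` is likewise used as a section name without any check that it is non-empty or not already in use. copy_node continues outside the hunk.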
@ -155,7 +155,7 @@ if (has_v2ray or has_xray) and #nodes_table > 0 then
|
||||
end
|
||||
if #normal_list > 0 then
|
||||
for k, v in pairs(shunt_list) do
|
||||
local vid = v.id:sub(1, 8)
|
||||
local vid = v.id
|
||||
-- shunt node type, V2ray or Xray
|
||||
local type = s:taboption("Main", ListValue, vid .. "-type", translate("Type"))
|
||||
if has_v2ray then
|
||||
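Review bot: Dropping the `:sub(1, 8)` truncation changes the UCI option names that existing shunt settings are stored under (`vid .. "-type"` and the options that follow it), so a node created before this commit with a 36-character id will have its stored `<first8>-type` values silently ignored unless a migration that is not visible here renames them. The same truncation is removed for the `balancer-` and `blc-` tags in the gen_config hunks at `-602,7` and `-611,7`, so any compatibility handling for legacy ids has to be applied there as well. If old ids are expected to survive an upgrade, keep a fallback read, e.g. `local legacy_vid = v.id:sub(1, 8)` and consult it when the full-id option is unset; the enclosing loop starts outside the hunk.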
@ -400,7 +400,7 @@ end
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
|
||||
o.inputstyle = "remove"
|
||||
function o.write(e, e)
|
||||
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"gfwlist\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
|
||||
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"passwall_\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
|
||||
luci.http.redirect(api.url("log"))
|
||||
end
|
||||
|
||||
@ -512,7 +512,7 @@ s.anonymous = true
|
||||
s.addremove = true
|
||||
s.template = "cbi/tblsection"
|
||||
function s.create(e, t)
|
||||
TypedSection.create(e, api.gen_uuid())
|
||||
TypedSection.create(e, api.gen_short_uuid())
|
||||
end
|
||||
|
||||
o = s:option(DummyValue, "status", translate("Status"))
|
||||
|
@ -76,7 +76,7 @@ s.anonymous = true
|
||||
s.addremove = true
|
||||
|
||||
s.create = function(e, t)
|
||||
TypedSection.create(e, api.gen_uuid())
|
||||
TypedSection.create(e, api.gen_short_uuid())
|
||||
end
|
||||
|
||||
s.remove = function(self, section)
|
||||
|
@ -26,7 +26,7 @@ s.addremove = true
|
||||
s.template = "cbi/tblsection"
|
||||
s.extedit = api.url("node_config", "%s")
|
||||
function s.create(e, t)
|
||||
local uuid = api.gen_uuid()
|
||||
local uuid = api.gen_short_uuid()
|
||||
t = uuid
|
||||
TypedSection.create(e, t)
|
||||
luci.http.redirect(e.extedit:format(t))
|
||||
|
@ -365,6 +365,10 @@ function gen_uuid(format)
|
||||
return uuid
|
||||
end
|
||||
|
||||
function gen_short_uuid()
|
||||
return sys.exec("echo -n $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)")
|
||||
end
|
||||
|
||||
function uci_get_type(type, config, default)
|
||||
local value = uci:get_first(appname, type, config, default) or sys.exec("echo -n $(uci -q get " .. appname .. ".@" .. type .."[0]." .. config .. ")")
|
||||
if (value == nil or value == "") and (default and default ~= "") then
|
||||
|
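Review bot: `gen_short_uuid` returns whatever the shell pipeline prints without validating it, and every caller (`ucic:section` in copy_node, `TypedSection.create` in the cbi hunks at `-512,7`, `-76,7` and `-26,7`) uses the value directly as a UCI section name, so if `head`/`tr` fail or `/dev/urandom` is unreadable an empty string ends up as the section id. Eight alphanumeric characters are also not a UUID, and a collision with an existing section is neither prevented nor detected. Validate the string and retry on collision before returning; the `uci` cursor and `appname` used by `uci_get_type` just below are already in scope.
```lua
function gen_short_uuid()
	local id
	repeat
		id = sys.exec("echo -n $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)")
		-- Never hand a partial or empty pipeline result to callers that use
		-- it as a UCI section name.
		if #id ~= 8 or not id:match("^[A-Za-z0-9]+$") then
			error("gen_short_uuid: unexpected output from the urandom pipeline")
		end
	until uci:get(appname, id) == nil -- retry on collision with an existing section
	return id
end
```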
@ -602,7 +602,7 @@ function gen_config(var)
|
||||
end
|
||||
|
||||
local function get_balancer_tag(_node_id)
|
||||
return "balancer-" .. _node_id:sub(1, 8)
|
||||
return "balancer-" .. _node_id
|
||||
end
|
||||
|
||||
local function gen_balancer(_node, loopbackTag)
|
||||
@ -611,7 +611,7 @@ function gen_config(var)
|
||||
local valid_nodes = {}
|
||||
for i = 1, length do
|
||||
local blc_node_id = blc_nodes[i]
|
||||
local blc_node_tag = "blc-" .. blc_node_id:sub(1, 8)
|
||||
local blc_node_tag = "blc-" .. blc_node_id
|
||||
local is_new_blc_node = true
|
||||
for _, outbound in ipairs(outbounds) do
|
||||
if outbound.tag == blc_node_tag then
|
||||
|
@ -50,10 +50,11 @@ local auto_switch = api.uci_get_type("auto_switch", "enable", 0)
|
||||
if (dom.id) {
|
||||
var s = dom.id.match(reg1);
|
||||
if (s) {
|
||||
dom_id = dom.id.split("cbi-").join("cbid-").split("-").join(".");
|
||||
var cbi_id = global_id + "-"
|
||||
var dom_id = dom.id.split(cbi_id).join(cbi_id.split("-").join(".")).split("cbi.").join("cbid.")
|
||||
var node_select = document.getElementsByName(dom_id)[0];
|
||||
var node_select_value = node_select.value;
|
||||
if (node_select_value && node_select_value != "nil" && node_select_value.indexOf("_default") != 0 && node_select_value.indexOf("_direct") != 0 && node_select_value.indexOf("_blackhole") != 0) {
|
||||
if (node_select_value && node_select_value != "nil" && node_select_value.indexOf("socks://") != 0 && node_select_value.indexOf("_default") != 0 && node_select_value.indexOf("_direct") != 0 && node_select_value.indexOf("_blackhole") != 0) {
|
||||
if (global_id != null && node_select_value.indexOf("tcp") == 0) {
|
||||
var d = global_id + "-tcp_node";
|
||||
d = d.replace("cbi-", "cbid-").replace(new RegExp("-", 'g'), ".");
|
||||
@ -63,20 +64,16 @@ local auto_switch = api.uci_get_type("auto_switch", "enable", 0)
|
||||
node_select_value = _node_select_value;
|
||||
}
|
||||
}
|
||||
var v = document.getElementById(dom_id + "-" + node_select_value);
|
||||
if (v) {
|
||||
node_select.title = v.text;
|
||||
} else {
|
||||
node_select.title = node_select.options[node_select.options.selectedIndex].text;
|
||||
|
||||
if (node_select.tagName == "INPUT") {
|
||||
node_select = document.getElementById("cbi.combobox." + dom_id);
|
||||
}
|
||||
|
||||
var new_html = "";
|
||||
|
||||
var new_a = document.createElement("a");
|
||||
new_a.innerHTML = "<%:Edit%>";
|
||||
new_a.href = "#";
|
||||
new_a.setAttribute("onclick", "location.href='" + '<%=api.url("node_config")%>' + "/" + node_select_value + "'");
|
||||
new_html = new_a.outerHTML;
|
||||
var new_html = new_a.outerHTML;
|
||||
|
||||
if (s[0] == "tcp" || s[0] == "udp") {
|
||||
var log_a = document.createElement("a");
|
||||
|
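Review bot: `new_a.setAttribute("onclick", "location.href='" + ... + node_select_value + "'")` builds an inline event handler by string concatenation, so a `'` in the selected value terminates the quoted URL inside the handler; the new `socks://` guard filters one prefix but does not escape the value. Since the element is already an anchor, drop the `href = "#"`/onclick pair and set the destination directly: `new_a.href = '<%=api.url("node_config")%>' + "/" + encodeURIComponent(node_select_value);`. The option values come from the server-rendered select, so this is defence in depth rather than an immediate hole, but `var new_html = new_a.outerHTML` re-serializes the markup for insertion later, outside the hunk, which makes the handler string the only thing that survives.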
@ -416,11 +416,11 @@ run_chinadns_ng() {
|
||||
[ -s "${RULES_PATH}/chnlist" ] && {
|
||||
local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
|
||||
cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
|
||||
local chnroute4_set="chnroute"
|
||||
local chnroute6_set="chnroute6"
|
||||
local chnroute4_set="passwall_chnroute"
|
||||
local chnroute6_set="passwall_chnroute6"
|
||||
[ "$nftflag" = "1" ] && {
|
||||
chnroute4_set="inet@fw4@chnroute"
|
||||
chnroute6_set="inet@fw4@chnroute6"
|
||||
chnroute4_set="inet@fw4@passwall_chnroute"
|
||||
chnroute6_set="inet@fw4@passwall_chnroute6"
|
||||
}
|
||||
_extra_param="${_extra_param} -4 ${chnroute4_set} -6 ${chnroute6_set} -m ${_chnlist_file} -M -a"
|
||||
}
|
||||
@ -429,8 +429,8 @@ run_chinadns_ng() {
|
||||
([ -n "$_chnlist" ] || [ -n "$_gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
|
||||
local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
|
||||
cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
|
||||
local gfwlist_set="gfwlist,gfwlist6"
|
||||
[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@gfwlist,inet@fw4@gfwlist6"
|
||||
local gfwlist_set="passwall_gfwlist,passwall_gfwlist6"
|
||||
[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@passwall_gfwlist,inet@fw4@passwall_gfwlist6"
|
||||
_extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
|
||||
#当只有使用gfwlist模式时设置默认DNS为本地直连
|
||||
[ -n "$_gfwlist" ] && [ -z "$_chnlist" ] && _default_tag="chn"
|
||||
|
@ -197,7 +197,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
local address = t.address
|
||||
if datatypes.hostname(address) then
|
||||
set_domain_dns(address, LOCAL_DNS)
|
||||
set_domain_ipset(address, setflag_4 .. "vpsiplist," .. setflag_6 .. "vpsiplist6")
|
||||
set_domain_ipset(address, setflag_4 .. "passwall_vpsiplist," .. setflag_6 .. "passwall_vpsiplist6")
|
||||
end
|
||||
end)
|
||||
log(string.format(" - 节点列表中的域名(vpsiplist):%s", LOCAL_DNS or "默认"))
|
||||
@ -207,7 +207,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
if line ~= "" and not line:find("#") then
|
||||
add_excluded_domain(line)
|
||||
set_domain_dns(line, LOCAL_DNS)
|
||||
set_domain_ipset(line, setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6")
|
||||
set_domain_ipset(line, setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6")
|
||||
end
|
||||
end
|
||||
log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认"))
|
||||
@ -220,10 +220,10 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
for line in io.lines("/usr/share/passwall/rules/proxy_host") do
|
||||
if line ~= "" and not line:find("#") then
|
||||
add_excluded_domain(line)
|
||||
local ipset_flag = setflag_4 .. "blacklist," .. setflag_6 .. "blacklist6"
|
||||
local ipset_flag = setflag_4 .. "passwall_blacklist," .. setflag_6 .. "passwall_blacklist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
set_domain_address(line, "::")
|
||||
ipset_flag = setflag_4 .. "blacklist"
|
||||
ipset_flag = setflag_4 .. "passwall_blacklist"
|
||||
end
|
||||
if REMOTE_FAKEDNS == "1" then
|
||||
ipset_flag = nil
|
||||
@ -251,12 +251,12 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
|
||||
if _node_id == "_direct" then
|
||||
fwd_dns = LOCAL_DNS
|
||||
ipset_flag = setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6"
|
||||
ipset_flag = setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6"
|
||||
else
|
||||
fwd_dns = TUN_DNS
|
||||
ipset_flag = setflag_4 .. "shuntlist," .. setflag_6 .. "shuntlist6"
|
||||
ipset_flag = setflag_4 .. "passwall_shuntlist," .. setflag_6 .. "passwall_shuntlist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag_4 .. "shuntlist"
|
||||
ipset_flag = setflag_4 .. "passwall_shuntlist"
|
||||
no_ipv6 = true
|
||||
end
|
||||
if not only_global then
|
||||
@ -295,9 +295,9 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
|
||||
fwd_dns = nil
|
||||
else
|
||||
local ipset_flag = setflag_4 .. "gfwlist," .. setflag_6 .. "gfwlist6"
|
||||
local ipset_flag = setflag_4 .. "passwall_gfwlist," .. setflag_6 .. "passwall_gfwlist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag_4 .. "gfwlist"
|
||||
ipset_flag = setflag_4 .. "passwall_gfwlist"
|
||||
end
|
||||
if not only_global then
|
||||
if REMOTE_FAKEDNS == "1" then
|
||||
@ -329,7 +329,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
set_domain_dns(line, fwd_dns)
|
||||
set_domain_ipset(line, setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6")
|
||||
set_domain_ipset(line, setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6")
|
||||
end
|
||||
end
|
||||
end
|
||||
@ -340,9 +340,9 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
local ipset_flag = setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6"
|
||||
local ipset_flag = setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag_4 .. "chnroute"
|
||||
ipset_flag = setflag_4 .. "passwall_chnroute"
|
||||
set_domain_address(line, "::")
|
||||
end
|
||||
if not only_global then
|
||||
|
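Review bot: The `chnlist_str` command at the top of this hunk splices `excluded_domain_str` into a double-quoted `grep -E` argument of a `sys.exec` call, so a rule-file entry containing `"`, `$` or a backtick alters the command instead of being treated as a pattern. `excluded_domain_str` is assembled outside the hunk (via `add_excluded_domain`), so whether it is already escaped cannot be confirmed from here. Filtering in Lua avoids the shell entirely: read `/usr/share/passwall/rules/chnlist` with `io.lines`, skip lines starting with `#`, and drop those matching the excluded set with `line:find(pattern)` inside the existing loop.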
@ -2,23 +2,23 @@
|
||||
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/iptables.sh
|
||||
IPSET_LANIPLIST="laniplist"
|
||||
IPSET_VPSIPLIST="vpsiplist"
|
||||
IPSET_SHUNTLIST="shuntlist"
|
||||
IPSET_GFW="gfwlist"
|
||||
IPSET_CHN="chnroute"
|
||||
IPSET_BLACKLIST="blacklist"
|
||||
IPSET_WHITELIST="whitelist"
|
||||
IPSET_BLOCKLIST="blocklist"
|
||||
IPSET_LANLIST="passwall_lanlist"
|
||||
IPSET_VPSLIST="passwall_vpslist"
|
||||
IPSET_SHUNTLIST="passwall_shuntlist"
|
||||
IPSET_GFW="passwall_gfwlist"
|
||||
IPSET_CHN="passwall_chnroute"
|
||||
IPSET_BLACKLIST="passwall_blacklist"
|
||||
IPSET_WHITELIST="passwall_whitelist"
|
||||
IPSET_BLOCKLIST="passwall_blocklist"
|
||||
|
||||
IPSET_LANIPLIST6="laniplist6"
|
||||
IPSET_VPSIPLIST6="vpsiplist6"
|
||||
IPSET_SHUNTLIST6="shuntlist6"
|
||||
IPSET_GFW6="gfwlist6"
|
||||
IPSET_CHN6="chnroute6"
|
||||
IPSET_BLACKLIST6="blacklist6"
|
||||
IPSET_WHITELIST6="whitelist6"
|
||||
IPSET_BLOCKLIST6="blocklist6"
|
||||
IPSET_LANLIST6="passwall_lanlist6"
|
||||
IPSET_VPSLIST6="passwall_vpslist6"
|
||||
IPSET_SHUNTLIST6="passwall_shuntlist6"
|
||||
IPSET_GFW6="passwall_gfwlist6"
|
||||
IPSET_CHN6="passwall_chnroute6"
|
||||
IPSET_BLACKLIST6="passwall_blacklist6"
|
||||
IPSET_WHITELIST6="passwall_whitelist6"
|
||||
IPSET_BLOCKLIST6="passwall_blocklist6"
|
||||
|
||||
FORCE_INDEX=2
|
||||
|
||||
@ -223,11 +223,11 @@ get_action_chain_name() {
|
||||
esac
|
||||
}
|
||||
|
||||
gen_laniplist() {
|
||||
gen_lanlist() {
|
||||
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
|
||||
}
|
||||
|
||||
gen_laniplist_6() {
|
||||
gen_lanlist_6() {
|
||||
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
|
||||
}
|
||||
|
||||
@ -557,15 +557,15 @@ load_acl() {
|
||||
filter_haproxy() {
|
||||
for item in ${haproxy_items}; do
|
||||
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
||||
ipset -q add $IPSET_VPSIPLIST $ip
|
||||
ipset -q add $IPSET_VPSLIST $ip
|
||||
done
|
||||
echolog "加入负载均衡的节点到ipset[$IPSET_VPSIPLIST]直连完成"
|
||||
echolog "加入负载均衡的节点到ipset[$IPSET_VPSLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_vpsip() {
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog "加入所有节点到ipset[$IPSET_VPSIPLIST]直连完成"
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog "加入所有节点到ipset[$IPSET_VPSLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_node() {
|
||||
@ -600,8 +600,8 @@ filter_node() {
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
for _ipt in 4 6; do
|
||||
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSIPLIST
|
||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSIPLIST6
|
||||
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSLIST
|
||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6
|
||||
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
@ -679,8 +679,8 @@ dns_hijack() {
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
ipset -! create $IPSET_LANIPLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPSIPLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_SHUNTLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_GFW nethash maxelem 1048576
|
||||
ipset -! create $IPSET_CHN nethash maxelem 1048576
|
||||
@ -688,8 +688,8 @@ add_firewall_rule() {
|
||||
ipset -! create $IPSET_WHITELIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_BLOCKLIST nethash maxelem 1048576
|
||||
|
||||
ipset -! create $IPSET_LANIPLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_VPSIPLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_SHUNTLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_GFW6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_CHN6 nethash family inet6 maxelem 1048576
|
||||
@ -718,11 +718,11 @@ add_firewall_rule() {
|
||||
cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLOCKLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
|
||||
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
|
||||
EOF
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST6 /")
|
||||
$(gen_lanlist_6 | sed -e "s/^/add $IPSET_LANLIST6 /")
|
||||
EOF
|
||||
|
||||
# 忽略特殊IP段
|
||||
@ -735,11 +735,11 @@ add_firewall_rule() {
|
||||
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
||||
|
||||
[ -n "$lan_ip" ] && ipset -! -R <<-EOF
|
||||
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST /")
|
||||
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST /")
|
||||
EOF
|
||||
|
||||
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
|
||||
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST6 /")
|
||||
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST6 /")
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -774,8 +774,8 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
$ipt_n -N PSW
|
||||
$ipt_n -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_n -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_n -A PSW $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_n -A PSW $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
||||
|
||||
WAN_IP=$(get_wan_ip)
|
||||
@ -785,8 +785,8 @@ add_firewall_rule() {
|
||||
[ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW"
|
||||
|
||||
$ipt_n -N PSW_OUTPUT
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
@ -805,8 +805,8 @@ add_firewall_rule() {
|
||||
$ipt_m -A PSW_RULE -j CONNMARK --save-mark
|
||||
|
||||
$ipt_m -N PSW
|
||||
$ipt_m -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
|
||||
|
||||
@ -817,8 +817,8 @@ add_firewall_rule() {
|
||||
insert_rule_before "$ipt_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT"
|
||||
|
||||
$ipt_m -N PSW_OUTPUT
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
|
||||
@ -828,14 +828,14 @@ add_firewall_rule() {
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
$ip6t_n -N PSW
|
||||
$ip6t_n -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_n -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
||||
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
|
||||
|
||||
$ip6t_n -N PSW_OUTPUT
|
||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
||||
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
}
|
||||
@ -852,8 +852,8 @@ add_firewall_rule() {
|
||||
$ip6t_m -A PSW_RULE -j CONNMARK --save-mark
|
||||
|
||||
$ip6t_m -N PSW
|
||||
$ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
|
||||
|
||||
@ -866,8 +866,8 @@ add_firewall_rule() {
|
||||
|
||||
$ip6t_m -N PSW_OUTPUT
|
||||
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
|
||||
|
||||
@ -938,7 +938,7 @@ add_firewall_rule() {
|
||||
|
||||
_proxy_tcp_access() {
|
||||
[ -n "${2}" ] || return 0
|
||||
ipset -q test $IPSET_LANIPLIST ${2}
|
||||
ipset -q test $IPSET_LANLIST ${2}
|
||||
[ $? -eq 0 ] && {
|
||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
||||
return 0
|
||||
@ -1010,7 +1010,7 @@ add_firewall_rule() {
|
||||
echolog "加载路由器自身 UDP 代理..."
|
||||
_proxy_udp_access() {
|
||||
[ -n "${2}" ] || return 0
|
||||
ipset -q test $IPSET_LANIPLIST ${2}
|
||||
ipset -q test $IPSET_LANLIST ${2}
|
||||
[ $? == 0 ] && {
|
||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
||||
return 0
|
||||
@ -1099,8 +1099,8 @@ del_firewall_rule() {
|
||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||
|
||||
destroy_ipset $IPSET_LANIPLIST
|
||||
destroy_ipset $IPSET_VPSIPLIST
|
||||
destroy_ipset $IPSET_LANLIST
|
||||
destroy_ipset $IPSET_VPSLIST
|
||||
#destroy_ipset $IPSET_SHUNTLIST
|
||||
#destroy_ipset $IPSET_GFW
|
||||
#destroy_ipset $IPSET_CHN
|
||||
@ -1108,8 +1108,8 @@ del_firewall_rule() {
|
||||
destroy_ipset $IPSET_BLOCKLIST
|
||||
destroy_ipset $IPSET_WHITELIST
|
||||
|
||||
destroy_ipset $IPSET_LANIPLIST6
|
||||
destroy_ipset $IPSET_VPSIPLIST6
|
||||
destroy_ipset $IPSET_LANLIST6
|
||||
destroy_ipset $IPSET_VPSLIST6
|
||||
#destroy_ipset $IPSET_SHUNTLIST6
|
||||
#destroy_ipset $IPSET_GFW6
|
||||
#destroy_ipset $IPSET_CHN6
|
||||
@ -1122,8 +1122,9 @@ del_firewall_rule() {
|
||||
|
||||
flush_ipset() {
|
||||
del_firewall_rule
|
||||
destroy_ipset $IPSET_VPSIPLIST $IPSET_SHUNTLIST $IPSET_GFW $IPSET_CHN $IPSET_BLACKLIST $IPSET_BLOCKLIST $IPSET_WHITELIST $IPSET_LANIPLIST
|
||||
destroy_ipset $IPSET_VPSIPLIST6 $IPSET_SHUNTLIST6 $IPSET_GFW6 $IPSET_CHN6 $IPSET_BLACKLIST6 $IPSET_BLOCKLIST6 $IPSET_WHITELIST6 $IPSET_LANIPLIST6
|
||||
for _name in $(ipset list | grep "Name: " | grep "passwall_" | awk '{print $2}'); do
|
||||
destroy_ipset ${_name}
|
||||
done
|
||||
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
|
||||
/etc/init.d/passwall reload
|
||||
}
|
||||
|
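Review bot: `ipset list | grep "Name: " | grep "passwall_"` matches the prefix anywhere in the line and dumps the full member list of every set just to read their names; with sets created at `maxelem 1048576` that is a lot of output to push through two greps. Use the name-only listing and anchor the prefix: `for _name in $(ipset -n list | grep "^passwall_"); do`. Note also that after an upgrade, sets created under the old unprefixed names (`gfwlist`, `chnroute`, `vpsiplist`, ...) are no longer matched by this loop or by `del_firewall_rule`, so they persist in the kernel until reboot. A one-time cleanup of the old names on first start would avoid stale sets lingering next to the renamed ones.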
@ -2,23 +2,23 @@
|
||||
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/nftables.sh
|
||||
NFTSET_LANIPLIST="laniplist"
|
||||
NFTSET_VPSIPLIST="vpsiplist"
|
||||
NFTSET_SHUNTLIST="shuntlist"
|
||||
NFTSET_GFW="gfwlist"
|
||||
NFTSET_CHN="chnroute"
|
||||
NFTSET_BLACKLIST="blacklist"
|
||||
NFTSET_WHITELIST="whitelist"
|
||||
NFTSET_BLOCKLIST="blocklist"
|
||||
NFTSET_LANLIST="passwall_lanlist"
|
||||
NFTSET_VPSLIST="passwall_vpslist"
|
||||
NFTSET_SHUNTLIST="passwall_shuntlist"
|
||||
NFTSET_GFW="passwall_gfwlist"
|
||||
NFTSET_CHN="passwall_chnroute"
|
||||
NFTSET_BLACKLIST="passwall_blacklist"
|
||||
NFTSET_WHITELIST="passwall_whitelist"
|
||||
NFTSET_BLOCKLIST="passwall_blocklist"
|
||||
|
||||
NFTSET_LANIPLIST6="laniplist6"
|
||||
NFTSET_VPSIPLIST6="vpsiplist6"
|
||||
NFTSET_SHUNTLIST6="shuntlist6"
|
||||
NFTSET_GFW6="gfwlist6"
|
||||
NFTSET_CHN6="chnroute6"
|
||||
NFTSET_BLACKLIST6="blacklist6"
|
||||
NFTSET_WHITELIST6="whitelist6"
|
||||
NFTSET_BLOCKLIST6="blocklist6"
|
||||
NFTSET_LANLIST6="passwall_lanlist6"
|
||||
NFTSET_VPSLIST6="passwall_vpslist6"
|
||||
NFTSET_SHUNTLIST6="passwall_shuntlist6"
|
||||
NFTSET_GFW6="passwall_gfwlist6"
|
||||
NFTSET_CHN6="passwall_chnroute6"
|
||||
NFTSET_BLACKLIST6="passwall_blacklist6"
|
||||
NFTSET_WHITELIST6="passwall_whitelist6"
|
||||
NFTSET_BLOCKLIST6="passwall_blocklist6"
|
||||
|
||||
FORCE_INDEX=2
|
||||
|
||||
@ -233,11 +233,11 @@ get_action_chain_name() {
|
||||
esac
|
||||
}
|
||||
|
||||
gen_laniplist() {
|
||||
gen_lanlist() {
|
||||
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
|
||||
}
|
||||
|
||||
gen_laniplist_6() {
|
||||
gen_lanlist_6() {
|
||||
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
|
||||
}
|
||||
|
||||
@ -563,24 +563,24 @@ load_acl() {
|
||||
filter_haproxy() {
|
||||
for item in ${haproxy_items}; do
|
||||
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
||||
insert_nftset $NFTSET_VPSIPLIST $ip
|
||||
insert_nftset $NFTSET_VPSLIST $ip
|
||||
done
|
||||
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成"
|
||||
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_vps_addr() {
|
||||
for server_host in $@; do
|
||||
local vps_ip4=$(get_host_ip "ipv4" ${server_host})
|
||||
local vps_ip6=$(get_host_ip "ipv6" ${server_host})
|
||||
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSIPLIST $vps_ip4
|
||||
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSIPLIST6 $vps_ip6
|
||||
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST $vps_ip4
|
||||
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 $vps_ip6
|
||||
done
|
||||
}
|
||||
|
||||
filter_vpsip() {
|
||||
insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
|
||||
insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
|
||||
echolog "加入所有节点到nftset[$NFTSET_VPSIPLIST]直连完成"
|
||||
insert_nftset $NFTSET_VPSLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
|
||||
insert_nftset $NFTSET_VPSLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
|
||||
echolog "加入所有节点到nftset[$NFTSET_VPSLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_node() {
|
||||
@ -613,8 +613,8 @@ filter_node() {
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
for _ipt in 4 6; do
|
||||
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSIPLIST
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSIPLIST6
|
||||
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSLIST
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
|
||||
nft "list chain inet fw4 $nft_output_chain" | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
@ -693,18 +693,18 @@ dns_hijack() {
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
gen_nftset $NFTSET_VPSIPLIST ipv4_addr
|
||||
gen_nftset $NFTSET_VPSLIST ipv4_addr
|
||||
gen_nftset $NFTSET_GFW ipv4_addr
|
||||
gen_nftset $NFTSET_LANIPLIST ipv4_addr $(gen_laniplist)
|
||||
gen_nftset $NFTSET_LANLIST ipv4_addr $(gen_lanlist)
|
||||
gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#")
|
||||
gen_nftset $NFTSET_BLACKLIST ipv4_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
gen_nftset $NFTSET_WHITELIST ipv4_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
gen_nftset $NFTSET_BLOCKLIST ipv4_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
gen_nftset $NFTSET_SHUNTLIST ipv4_addr
|
||||
|
||||
gen_nftset $NFTSET_VPSIPLIST6 ipv6_addr
|
||||
gen_nftset $NFTSET_VPSLIST6 ipv6_addr
|
||||
gen_nftset $NFTSET_GFW6 ipv6_addr
|
||||
gen_nftset $NFTSET_LANIPLIST6 ipv6_addr $(gen_laniplist_6)
|
||||
gen_nftset $NFTSET_LANLIST6 ipv6_addr $(gen_lanlist_6)
|
||||
gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#")
|
||||
gen_nftset $NFTSET_BLACKLIST6 ipv6_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
gen_nftset $NFTSET_WHITELIST6 ipv6_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
@ -730,8 +730,8 @@ add_firewall_rule() {
|
||||
#echolog "本机IPv4网段互访直连:${lan_ip}"
|
||||
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
||||
|
||||
[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANIPLIST $(echo $lan_ip | sed -e "s/ /\n/g")
|
||||
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANIPLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
|
||||
[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST $(echo $lan_ip | sed -e "s/ /\n/g")
|
||||
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
|
||||
}
|
||||
|
||||
[ -n "$ISP_DNS" ] && {
|
||||
@ -792,15 +792,15 @@ add_firewall_rule() {
|
||||
#ipv4 tproxy mode and udp
|
||||
nft "add chain inet fw4 PSW_MANGLE"
|
||||
nft "flush chain inet fw4 PSW_MANGLE"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
|
||||
nft "add chain inet fw4 PSW_OUTPUT_MANGLE"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
@ -813,16 +813,16 @@ add_firewall_rule() {
|
||||
[ -z "${is_tproxy}" ] && {
|
||||
nft "add chain inet fw4 PSW"
|
||||
nft "flush chain inet fw4 PSW"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
|
||||
|
||||
nft "add chain inet fw4 PSW_OUTPUT"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
@ -832,13 +832,13 @@ add_firewall_rule() {
|
||||
if [ "$accept_icmp" = "1" ]; then
|
||||
nft "add chain inet fw4 PSW_ICMP_REDIRECT"
|
||||
nft "flush chain inet fw4 PSW_ICMP_REDIRECT"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return"
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||
}
|
||||
|
||||
@ -858,15 +858,15 @@ add_firewall_rule() {
|
||||
#ipv6 tproxy mode and udp
|
||||
nft "add chain inet fw4 PSW_MANGLE_V6"
|
||||
nft "flush chain inet fw4 PSW_MANGLE_V6"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
||||
|
||||
nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
||||
@ -944,7 +944,7 @@ add_firewall_rule() {
|
||||
|
||||
_proxy_tcp_access() {
|
||||
[ -n "${2}" ] || return 0
|
||||
nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
|
||||
nft "get element inet fw4 $NFTSET_LANLIST {${2}}" &>/dev/null
|
||||
[ $? -eq 0 ] && {
|
||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
||||
return 0
|
||||
@ -1015,7 +1015,7 @@ add_firewall_rule() {
|
||||
echolog "加载路由器自身 UDP 代理..."
|
||||
_proxy_udp_access() {
|
||||
[ -n "${2}" ] || return 0
|
||||
nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
|
||||
nft "get element inet fw4 $NFTSET_LANLIST {${2}}" &>/dev/null
|
||||
[ $? == 0 ] && {
|
||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
||||
return 0
|
||||
@ -1101,8 +1101,8 @@ del_firewall_rule() {
|
||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||
|
||||
destroy_nftset $NFTSET_LANIPLIST
|
||||
destroy_nftset $NFTSET_VPSIPLIST
|
||||
destroy_nftset $NFTSET_LANLIST
|
||||
destroy_nftset $NFTSET_VPSLIST
|
||||
#destroy_nftset $NFTSET_SHUNTLIST
|
||||
#destroy_nftset $NFTSET_GFW
|
||||
#destroy_nftset $NFTSET_CHN
|
||||
@ -1110,8 +1110,8 @@ del_firewall_rule() {
|
||||
destroy_nftset $NFTSET_BLOCKLIST
|
||||
destroy_nftset $NFTSET_WHITELIST
|
||||
|
||||
destroy_nftset $NFTSET_LANIPLIST6
|
||||
destroy_nftset $NFTSET_VPSIPLIST6
|
||||
destroy_nftset $NFTSET_LANLIST6
|
||||
destroy_nftset $NFTSET_VPSLIST6
|
||||
#destroy_nftset $NFTSET_SHUNTLIST6
|
||||
#destroy_nftset $NFTSET_GFW6
|
||||
#destroy_nftset $NFTSET_CHN6
|
||||
@ -1124,8 +1124,8 @@ del_firewall_rule() {
|
||||
|
||||
flush_nftset() {
|
||||
del_firewall_rule
|
||||
destroy_nftset $NFTSET_VPSIPLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANIPLIST
|
||||
destroy_nftset $NFTSET_VPSIPLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANIPLIST6
|
||||
destroy_nftset $NFTSET_VPSLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANLIST
|
||||
destroy_nftset $NFTSET_VPSLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANLIST6
|
||||
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
|
||||
/etc/init.d/passwall reload
|
||||
}
|
||||
|
@ -1059,7 +1059,7 @@ local function update_node(manual)
|
||||
local remark = v["remark"]
|
||||
local list = v["list"]
|
||||
for _, vv in ipairs(list) do
|
||||
local cfgid = uci:section(appname, "nodes", api.gen_uuid())
|
||||
local cfgid = uci:section(appname, "nodes", api.gen_short_uuid())
|
||||
for kkk, vvv in pairs(vv) do
|
||||
uci:set(appname, cfgid, kkk, vvv)
|
||||
end
|
||||
|
@ -5,7 +5,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall2
|
||||
PKG_VERSION:=1.14-3
|
||||
PKG_VERSION:=1.15-1
|
||||
PKG_RELEASE:=
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
|
@ -275,7 +275,7 @@ end
|
||||
|
||||
function copy_node()
|
||||
local section = luci.http.formvalue("section")
|
||||
local uuid = api.gen_uuid()
|
||||
local uuid = api.gen_short_uuid()
|
||||
ucic:section(appname, "nodes", uuid)
|
||||
for k, v in pairs(ucic:get_all(appname, section)) do
|
||||
local filter = k:find("%.")
|
||||
|
@ -298,7 +298,7 @@ s.anonymous = true
|
||||
s.addremove = true
|
||||
s.template = "cbi/tblsection"
|
||||
function s.create(e, t)
|
||||
TypedSection.create(e, api.gen_uuid())
|
||||
TypedSection.create(e, api.gen_short_uuid())
|
||||
end
|
||||
|
||||
o = s:option(DummyValue, "status", translate("Status"))
|
||||
|
@ -76,7 +76,7 @@ s.anonymous = true
|
||||
s.addremove = true
|
||||
|
||||
s.create = function(e, t)
|
||||
TypedSection.create(e, api.gen_uuid())
|
||||
TypedSection.create(e, api.gen_short_uuid())
|
||||
end
|
||||
|
||||
s.remove = function(self, section)
|
||||
|
@ -26,7 +26,7 @@ s.addremove = true
|
||||
s.template = "cbi/tblsection"
|
||||
s.extedit = api.url("node_config", "%s")
|
||||
function s.create(e, t)
|
||||
local uuid = api.gen_uuid()
|
||||
local uuid = api.gen_short_uuid()
|
||||
t = uuid
|
||||
TypedSection.create(e, t)
|
||||
luci.http.redirect(e.extedit:format(t))
|
||||
|
@ -348,6 +348,10 @@ function gen_uuid(format)
|
||||
return uuid
|
||||
end
|
||||
|
||||
function gen_short_uuid()
|
||||
return sys.exec("echo -n $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)")
|
||||
end
|
||||
|
||||
function uci_get_type(type, config, default)
|
||||
local value = uci:get_first(appname, type, config, default) or sys.exec("echo -n $(uci -q get " .. appname .. ".@" .. type .."[0]." .. config .. ")")
|
||||
if (value == nil or value == "") and (default and default ~= "") then
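Review bot: gen_short_uuid returns an 8-character id that callers hand straight to `uci:section(appname, "nodes", ...)` / `TypedSection.create`, but nothing checks that the name is not already taken; with only 62^8 values a clash is far less remote than with the full uuid it replaces, and `uci:section` on an existing name appears to reuse that section, so a clash would silently write the new node's options over another node's. The shell pipeline is also more than is needed here: `/dev/urandom` can be read directly from Lua, which avoids a fork per id and lets the function verify it really got 8 characters (a `head` of ten "lines" of raw random bytes is not guaranteed to contain eight alphanumerics, though it almost always will). `uci` and `appname` are already in scope in this file (see uci_get_type below), so the function can retry until `uci:get(appname, id)` is nil. Suggested replacement below; the original pipeline is kept only as a fallback when `/dev/urandom` cannot be opened.
```lua
function gen_short_uuid()
	-- 8 chars from [A-Za-z0-9], retried until the name is unused in this config
	local alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	local f = io.open("/dev/urandom", "rb")
	if not f then
		return sys.exec("echo -n $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)")
	end
	local id
	repeat
		id = ""
		while #id < 8 do
			local b = f:read(1):byte()
			-- 248 = 4 * 62: reject the top 8 byte values so b % 62 is uniform
			if b < 248 then
				local i = b % 62 + 1
				id = id .. alphabet:sub(i, i)
			end
		end
	until not uci:get(appname, id)
	f:close()
	return id
end
```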
|
||||
|
@ -350,7 +350,7 @@ run_v2ray() {
|
||||
ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $V2RAY_DNS_DIRECT_LOG run -c "$V2RAY_DNS_DIRECT_CONFIG"
|
||||
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_direct_listen_port + 1) udp)
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=127.0.0.1#${dns_direct_listen_port} ipset=whitelist,whitelist6 config_file=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=127.0.0.1#${dns_direct_listen_port} ipset=passwall2_whitelist,passwall2_whitelist6 config_file=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
|
||||
V2RAY_DNS_REMOTE_CONFIG="${TMP_PATH}/${flag}_dns_remote.json"
|
||||
V2RAY_DNS_REMOTE_LOG="${TMP_PATH}/${flag}_dns_remote.log"
|
||||
|
@ -94,7 +94,7 @@ add() {
|
||||
|
||||
#始终用国内DNS解析节点域名
|
||||
servers=$(uci show "${CONFIG}" | grep ".address=" | cut -d "'" -f 2)
|
||||
hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | gen_items ipsets="vpsiplist,vpsiplist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpsiplist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
|
||||
hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | gen_items ipsets="passwall2_vpsiplist,passwall2_vpsiplist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpsiplist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
|
||||
echolog " - [$?]节点列表中的域名(vpsiplist):${DEFAULT_DNS:-默认}"
|
||||
|
||||
echo "conf-dir=${TMP_DNSMASQ_PATH}" > $DNSMASQ_CONF_FILE
|
||||
|
@ -2,13 +2,13 @@
|
||||
|
||||
DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
MY_PATH=$DIR/iptables.sh
|
||||
IPSET_LANIPLIST="laniplist"
|
||||
IPSET_VPSIPLIST="vpsiplist"
|
||||
IPSET_WHITELIST="whitelist"
|
||||
IPSET_LANLIST="passwall2_lanlist"
|
||||
IPSET_VPSLIST="passwall2_vpslist"
|
||||
IPSET_WHITELIST="passwall2_whitelist"
|
||||
|
||||
IPSET_LANIPLIST6="laniplist6"
|
||||
IPSET_VPSIPLIST6="vpsiplist6"
|
||||
IPSET_WHITELIST6="whitelist6"
|
||||
IPSET_LANLIST6="passwall2_lanlist6"
|
||||
IPSET_VPSLIST6="passwall2_vpslist6"
|
||||
IPSET_WHITELIST6="passwall2_whitelist6"
|
||||
|
||||
FORCE_INDEX=2
|
||||
|
||||
@ -117,7 +117,7 @@ get_action_chain_name() {
|
||||
echo "全局代理"
|
||||
}
|
||||
|
||||
gen_laniplist() {
|
||||
gen_lanlist() {
|
||||
cat <<-EOF
|
||||
0.0.0.0/8
|
||||
10.0.0.0/8
|
||||
@ -131,7 +131,7 @@ gen_laniplist() {
|
||||
EOF
|
||||
}
|
||||
|
||||
gen_laniplist_6() {
|
||||
gen_lanlist_6() {
|
||||
cat <<-EOF
|
||||
::/128
|
||||
::1/128
|
||||
@ -388,15 +388,15 @@ load_acl() {
|
||||
filter_haproxy() {
|
||||
for item in $(uci show $CONFIG | grep ".lbss=" | cut -d "'" -f 2); do
|
||||
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
|
||||
[ -n "$ip" ] && ipset -q add $IPSET_VPSIPLIST $ip
|
||||
[ -n "$ip" ] && ipset -q add $IPSET_VPSLIST $ip
|
||||
done
|
||||
echolog "加入负载均衡的节点到ipset[$IPSET_VPSIPLIST]直连完成"
|
||||
echolog "加入负载均衡的节点到ipset[$IPSET_VPSLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_vpsip() {
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog "加入所有节点到ipset[$IPSET_VPSIPLIST]直连完成"
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog "加入所有节点到ipset[$IPSET_VPSLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_node() {
|
||||
@ -443,7 +443,7 @@ filter_node() {
|
||||
msg2="套娃使用(${msg}:${port} -> ${_port})"
|
||||
}
|
||||
[ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW2_OUTPUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW2_OUTPUT "$IPSET_VPSLIST" $FORCE_INDEX)
|
||||
dst_rule=" -j RETURN"
|
||||
msg2="直连代理"
|
||||
}
|
||||
@ -510,20 +510,20 @@ dns_hijack() {
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
ipset -! create $IPSET_LANIPLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPSIPLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
|
||||
ipset -! create $IPSET_WHITELIST nethash maxelem 1048576
|
||||
|
||||
ipset -! create $IPSET_LANIPLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_VPSIPLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
|
||||
ipset -! create $IPSET_WHITELIST6 nethash family inet6 maxelem 1048576
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
|
||||
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
|
||||
EOF
|
||||
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST6 /")
|
||||
$(gen_lanlist_6 | sed -e "s/^/add $IPSET_LANLIST6 /")
|
||||
EOF
|
||||
|
||||
# 忽略特殊IP段
|
||||
@ -536,18 +536,18 @@ add_firewall_rule() {
|
||||
#echolog "本机IPv6网段互访直连:${lan_ip6}"
|
||||
|
||||
[ -n "$lan_ip" ] && ipset -! -R <<-EOF
|
||||
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST /")
|
||||
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST /")
|
||||
EOF
|
||||
|
||||
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
|
||||
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST6 /")
|
||||
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST6 /")
|
||||
EOF
|
||||
}
|
||||
|
||||
[ -n "$ISP_DNS" ] && {
|
||||
#echolog "处理 ISP DNS 例外..."
|
||||
for ispip in $ISP_DNS; do
|
||||
ipset -! add $IPSET_LANIPLIST $ispip >/dev/null 2>&1 &
|
||||
ipset -! add $IPSET_LANLIST $ispip >/dev/null 2>&1 &
|
||||
#echolog " - 追加到白名单:${ispip}"
|
||||
done
|
||||
}
|
||||
@ -555,7 +555,7 @@ add_firewall_rule() {
|
||||
[ -n "$ISP_DNS6" ] && {
|
||||
#echolog "处理 ISP IPv6 DNS 例外..."
|
||||
for ispip6 in $ISP_DNS6; do
|
||||
ipset -! add $IPSET_LANIPLIST6 $ispip6 >/dev/null 2>&1 &
|
||||
ipset -! add $IPSET_LANLIST6 $ispip6 >/dev/null 2>&1 &
|
||||
#echolog " - 追加到白名单:${ispip6}"
|
||||
done
|
||||
}
|
||||
@ -575,8 +575,8 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
$ipt_n -N PSW2
|
||||
$ipt_n -A PSW2 $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_n -A PSW2 $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_n -A PSW2 $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_n -A PSW2 $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_n -A PSW2 $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
WAN_IP=$(get_wan_ip)
|
||||
@ -586,8 +586,8 @@ add_firewall_rule() {
|
||||
[ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW2"
|
||||
|
||||
$ipt_n -N PSW2_OUTPUT
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
@ -606,8 +606,8 @@ add_firewall_rule() {
|
||||
$ipt_m -A PSW2_RULE -j CONNMARK --save-mark
|
||||
|
||||
$ipt_m -N PSW2
|
||||
$ipt_m -A PSW2 $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_m -A PSW2 $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW2 $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_m -A PSW2 $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_m -A PSW2 $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
[ ! -z "${WAN_IP}" ] && $ipt_m -A PSW2 $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
|
||||
@ -618,8 +618,8 @@ add_firewall_rule() {
|
||||
|
||||
$ipt_m -N PSW2_OUTPUT
|
||||
$ipt_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
ip rule add fwmark 1 lookup 100
|
||||
@ -627,14 +627,14 @@ add_firewall_rule() {
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
$ip6t_n -N PSW2
|
||||
$ip6t_n -A PSW2 $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2 $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2 $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2 $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2 $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW2
|
||||
|
||||
$ip6t_n -N PSW2_OUTPUT
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
}
|
||||
@ -651,8 +651,8 @@ add_firewall_rule() {
|
||||
$ip6t_m -A PSW2_RULE -j CONNMARK --save-mark
|
||||
|
||||
$ip6t_m -N PSW2
|
||||
$ip6t_m -A PSW2 $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
|
||||
|
||||
WAN6_IP=$(get_wan6_ip)
|
||||
@ -664,8 +664,8 @@ add_firewall_rule() {
|
||||
|
||||
$ip6t_m -N PSW2_OUTPUT
|
||||
$ip6t_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
|
||||
|
||||
ip -6 rule add fwmark 1 table 100
|
||||
@ -816,8 +816,9 @@ del_firewall_rule() {
|
||||
|
||||
flush_ipset() {
|
||||
del_firewall_rule
|
||||
destroy_ipset $IPSET_WHITELIST $IPSET_VPSIPLIST $IPSET_LANIPLIST
|
||||
destroy_ipset $IPSET_WHITELIST6 $IPSET_VPSIPLIST6 $IPSET_LANIPLIST6
|
||||
for _name in $(ipset list | grep "Name: " | grep "passwall2_" | awk '{print $2}'); do
|
||||
destroy_ipset ${_name}
|
||||
done
|
||||
/etc/init.d/passwall2 reload
|
||||
}
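Review bot: `ipset list | grep "Name: " | grep "passwall2_"` in flush_ipset dumps every member of every set on the box (the gfwlist/chnroute sets can run to tens of thousands of entries) just to recover set names, and the unanchored `grep "passwall2_"` also matches any set whose name merely contains that string. `ipset -n list` prints names only, so the loop can be `for _name in $(ipset -n list | grep "^passwall2_"); do`. The loop does cover both the IPv4 and IPv6 sets, since both carry the prefix per the IPSET_* definitions in the first hunk, so dropping the two explicit `destroy_ipset` lines is fine; it is only the lookup that is worth tightening. flush_ipset is complete within the hunk.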
|
||||
|
||||
|
@ -954,7 +954,7 @@ local function update_node(manual)
|
||||
local remark = v["remark"]
|
||||
local list = v["list"]
|
||||
for _, vv in ipairs(list) do
|
||||
local cfgid = uci:section(appname, "nodes", api.gen_uuid())
|
||||
local cfgid = uci:section(appname, "nodes", api.gen_short_uuid())
|
||||
for kkk, vvv in pairs(vv) do
|
||||
uci:set(appname, cfgid, kkk, vvv)
|
||||
end
|
||||
|
@ -1,7 +1,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-serverchan
|
||||
PKG_VERSION:=2.06.2
|
||||
PKG_VERSION:=2.07.0
|
||||
PKG_RELEASE:=10
|
||||
|
||||
PKG_MAINTAINER:=tty228 <tty228@yeah.net>
|
||||
|
@ -335,6 +335,7 @@ a = s:taboption("ipset", Flag, "port_knocking", translate("端口敲门"))
|
||||
a.default = 0
|
||||
a.rmempty = true
|
||||
a.description = translate("登录成功后开放端口")
|
||||
a.description = translate("如在 防火墙 - 区域设置 中禁用了 LAN 口入站和转发,将不起作用<br/>写起来太鸡儿麻烦了,告辞")
|
||||
|
||||
a = s:taboption("ipset", Value, "ip_port_white", "端口")
|
||||
a.default = ""
|
||||
|
@ -59,14 +59,14 @@ function read_config(){
|
||||
# 初始化
|
||||
function serverchan_init(){
|
||||
enable_detection
|
||||
echo "---------------------------------------------------------------------------------------" >> ${logfile}
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】start running..." >> ${logfile}
|
||||
if [ -f "/usr/share/serverchan/errlog" ]; then
|
||||
cat /usr/share/serverchan/errlog > ${logfile}
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】载入上次重启前日志" >> ${logfile}
|
||||
echo "--------------------------------------------------------" >> ${logfile}
|
||||
fi
|
||||
down_oui &
|
||||
get_syslog
|
||||
set_ip_black
|
||||
|
||||
rm -f ${dir}fd1 ${dir}sheep_usage ${dir}old_sheep_usage ${dir}client_usage_aliases ${dir}old_client_usage_aliases /usr/share/serverchan/errlog >/dev/null 2>&1
|
||||
[ ! -f "/usr/sbin/wrtbwmon" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【info】未安装 wrtbwmon ,流量统计不可用" >> ${logfile}
|
||||
@ -74,6 +74,14 @@ function serverchan_init(){
|
||||
[ -z "$cu_version" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法获取依赖项 curl 版本号,请确认插件是否正常运行" >> ${logfile}
|
||||
[ -z "${sckey}${tg_token}${pushplus_token}${corpid}${wxpusher_apptoken}${wxpusher_uids}${wxpusher_topicIds}" -a "${jsonpath}" != "/usr/share/serverchan/api/diy.json" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】请填写正确的 key " >> ${logfile} && return 1
|
||||
local interfacelist=`getinterfacelist` && [ -z "$interfacelist" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法获取接口在线时间等信息,可能存在多个接口或配置错误,请确认插件是否正常运行" >> ${logfile}
|
||||
[ ! -z "$temperature_enable" ] && [ "$temperature_enable" -eq "1" ] && [ ! -z "$temperature" ] && local cpu_wendu=`soc_temp` || local cpu_wendu="null"
|
||||
[ -z "$cpu_wendu" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备温度,请检查命令" >> ${logfile}
|
||||
[ ! -z "$cpuload_enable" ] && [ "$cpuload_enable" -eq "1" ] && [ ! -z "$cpuload" ] && local cpu_fuzai=`cat /proc/loadavg|awk '{print $1}'` 2>/dev/null || local cpu_fuzai="null"
|
||||
[ -z "$cpu_fuzai" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备负载,请检查命令" >> ${logfile}
|
||||
|
||||
set_ip_black
|
||||
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] && init_ip_white "ipv4"
|
||||
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] && init_ip_white "ipv6"
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -194,7 +202,7 @@ function getip(){
|
||||
# 获取接口信息
|
||||
function getinterfacelist(){
|
||||
[ `ubus list|grep -w -i "network.interface.wan"|wc -l` -ge "1" ] && ubus call network.interface.wan status && return
|
||||
local ubuslist=`ubus list|grep -i "network.interface."|grep -v "loopback"|grep -v -i "wan6"|grep -v -i "lan6"|grep -v -i "ipsec_server*"|grep -v -i "VPN*"|grep -v -i "DOCKER*"`
|
||||
local ubuslist=`ubus list|grep -i "network.interface."|grep -v "loopback"|grep -v -i "wan6"|grep -v -i "lan6"|grep -v -i "ipsec.*"|grep -v -i "VPN.*"|grep -v -i "DOCKER.*"`
|
||||
[ `echo "${ubuslist}" |wc -l` -eq "1" ] && ubus call ${ubuslist} status && return
|
||||
}
|
||||
|
||||
@ -327,7 +335,7 @@ function soc_temp(){
|
||||
[ "$soc_code" == "pve" ] && [ ! -z "$server_host" ] && [ -z "$soctemp" ] || [ "$soctemp" == "null" ] && local soctemp=`ssh -i /root/.ssh/id_rsa root@${server_host} -p ${server_port} sensors -j 2>/dev/null|jq '."zenpower-pci-00c3"."Tctl"."temp1_input"'`
|
||||
# PVE 应该没啥特殊设备了,懒得写了
|
||||
|
||||
[ ! -z "$soctemp" ] && echo "$soctemp" && return
|
||||
[ ! -z "$soctemp" ] && echo "$soctemp" && return 0
|
||||
[ ! -z "$soc_code" ] && eval `echo "$soc_code"` 2>/dev/null
|
||||
}
|
||||
|
||||
@ -984,15 +992,14 @@ function cpu_load(){
|
||||
if [ ! -z "$temperature_enable" ] && [ "$temperature_enable" -eq "1" ] && [ ! -z "$temperature" ]; then
|
||||
[ -z "$temperature_time" ] && temperature_time=`date +%s`
|
||||
local cpu_wendu=`soc_temp`;
|
||||
[ -z "$cpu_wendu" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备温度,请检查命令" >> ${logfile}
|
||||
|
||||
if [ `expr $cpu_wendu \> $temperature` -eq "1" ]; then
|
||||
if [ ! -z "$cpu_wendu" ] && [ `expr $cpu_wendu \> $temperature` -eq "1" ]; then
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!警报!!】 CPU 温度过高: ${cpu_wendu}" >> ${logfile}
|
||||
else
|
||||
temperature_time=`date +%s`
|
||||
fi
|
||||
|
||||
if [ "$((`date +%s`-$temperature_time))" -ge "300" ] && [ -z "$temperaturecd_time" ]; then
|
||||
if [ ! -z "$cpu_wendu" ] && [ "$((`date +%s`-$temperature_time))" -ge "300" ] && [ -z "$temperaturecd_time" ]; then
|
||||
title="CPU 温度过高!"
|
||||
temperaturecd_time=`date +%s`
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` ${disturb_text} CPU 温 度过高: ${cpu_wendu}" >> ${logfile}
|
||||
@ -1005,16 +1012,15 @@ function cpu_load(){
|
||||
if [ ! -z "$cpuload_enable" ] && [ "$cpuload_enable" -eq "1" ] && [ ! -z "$cpuload" ]; then
|
||||
[ -z "$cpuload_time" ] && cpuload_time=`date +%s`
|
||||
local cpu_fuzai=`cat /proc/loadavg|awk '{print $1}'` 2>/dev/null
|
||||
[ -z "$cpu_fuzai" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备负载,请检查命令" >> ${logfile}
|
||||
|
||||
if [ `expr $cpu_fuzai \> $cpuload` -eq "1" ]; then
|
||||
if [ ! -z "$cpu_fuzai" ] && [ `expr $cpu_fuzai \> $cpuload` -eq "1" ]; then
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!警报!!】 CPU 负载过高: ${cpu_fuzai}" >> ${logfile}
|
||||
cputop log
|
||||
else
|
||||
elif [ ! -z "$cpu_fuzai" ]; then
|
||||
cpuload_time=`date +%s`
|
||||
fi
|
||||
|
||||
if [ "$((`date +%s`-$cpuload_time))" -ge "300" ] && [ -z "$cpucd_time" ]; then
|
||||
if [ ! -z "$cpu_fuzai" ] && [ "$((`date +%s`-$cpuload_time))" -ge "300" ] && [ -z "$cpucd_time" ]; then
|
||||
unset getlogtop
|
||||
if [ ! -z "$title" ] && ( echo "$title"|grep -q "过高" ); then
|
||||
title="设备报警!"
|
||||
@ -1175,43 +1181,80 @@ function login_send(){
|
||||
unset login_ip login_sum
|
||||
}
|
||||
|
||||
# 添加白名单,懒得写删除项和信息显示了,感觉没啥必要
|
||||
# 添加白名单,懒得写删除项和信息显示了,纯粹就是懒
|
||||
function add_ip_white() {
|
||||
local ip=$1
|
||||
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] || return
|
||||
# 检查 IP 版本
|
||||
if ( echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ); then
|
||||
local ipset_name="ip_whitelist"
|
||||
local iptables_cmd="iptables"
|
||||
local nat_table_cmd=""
|
||||
elif ( echo "$ip" | grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$' ); then
|
||||
local ipset_name="ip_whitelistv6"
|
||||
local iptables_cmd="ip6tables"
|
||||
local nat_table_cmd="family inet6"
|
||||
else
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】白名单添加失败,IP 格式错误" >> ${logfile} && return
|
||||
fi
|
||||
|
||||
ipset list $ipset_name >/dev/null 2>&1 || ipset create $ipset_name hash:ip timeout ${ip_white_timeout} >/dev/null 2>&1
|
||||
# 端口放行
|
||||
if [ ! -z $ip_port_white ]; then
|
||||
$iptables_cmd -C INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1 || $iptables_cmd -I INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1
|
||||
fi
|
||||
# 端口转发
|
||||
for port_forward in "$port_forward_list"; do
|
||||
port_forward=`echo "$port_forward"|sed 's/,/ /g'` 2>/dev/null
|
||||
[ `echo $port_forward| awk -F" " '{print NF}'` -ne "4" ] && continue
|
||||
local src_ip=`echo ${port_forward}|awk '{print $1}'`
|
||||
local src_port=`echo ${port_forward}|awk '{print $2}'`
|
||||
local dst_ip=`echo ${port_forward}|awk '{print $3}'`
|
||||
local dst_port=`echo ${port_forward}|awk '{print $4}'`
|
||||
$iptables_cmd -t nat -C PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1 || $iptables_cmd -t nat -I PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1
|
||||
$iptables_cmd -t nat -C POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1 || $iptables_cmd -t nat -I POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1
|
||||
done
|
||||
unset port_forward
|
||||
ipset -exist add $ipset_name $ip timeout $ip_white_timeout
|
||||
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] || return
|
||||
# 检查 IP 版本
|
||||
( echo "$1"|grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ) && local ipset_name="ip_whitelist"
|
||||
( echo "$1"|grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$' ) && local ipset_name="ip_whitelistv6"
|
||||
[ -z $ipset_name ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】白名单添加失败,IP 格式错误" >> ${logfile} && return
|
||||
|
||||
( opkg list-installed|grep -w -q ^firewall4 ) && nft list set inet fw4 $ipset_name >/dev/null 2>&1|grep $1 >/dev/null 2>&1 && nft delete element inet fw4 $ipset_name { $1 } >/dev/null 2>&1
|
||||
( opkg list-installed|grep -w -q ^firewall4 ) && nft add element inet fw4 $ipset_name { $1 } && return #没找到刷新时间的命令,删除再添加
|
||||
ipset -exist add $ipset_name $1 timeout $ip_white_timeout
|
||||
}
|
||||
|
||||
# 初始化白名单
|
||||
function init_ip_white() {
|
||||
[ -z $web_login_black ] && [ -z $port_knocking ] && return
|
||||
# 设置 IP 版本变量
|
||||
if [ $1=="ipv4" ]; then
|
||||
local ipset_name="ip_whitelist"
|
||||
local ip_version="ip"
|
||||
elif [ $1=="ipv6" ]; then
|
||||
local ipset_name="ip_whitelistv6"
|
||||
local ip_version="ip6"
|
||||
local nat_table_cmd="family inet6"
|
||||
fi
|
||||
|
||||
if ( opkg list-installed|grep -w -q ^firewall4 ); then
|
||||
! nft list set inet fw4 $ipset_name >/dev/null 2>&1 && nft add set inet fw4 $ipset_name { type ${1}_addr\; flags timeout\; timeout ${ip_white_timeout}s\; }
|
||||
nft add chain inet fw4 serverchan_dstnat { type nat hook prerouting priority -100 \; }
|
||||
nft add chain inet fw4 serverchan_srcnat { type nat hook postrouting priority 100 \; }
|
||||
else
|
||||
! ipset list $ipset_name >/dev/null 2>&1 && ipset create $ipset_name hash:ip timeout $ip_white_timeout $nat_table_cmd >/dev/null 2>&1
|
||||
fi
|
||||
|
||||
# 端口放行
|
||||
if [ ! -z $ip_port_white ]; then
|
||||
local ip_port_white=`echo "$ip_port_white"|sed 's/ //g'|sed 's/,/, /g'` 2>/dev/null
|
||||
if ( opkg list-installed|grep -w -q ^firewall4 ); then
|
||||
local count_accept_rules=`nft list ruleset | grep -c "tcp dport.* ${ip_port_white}.* $ip_version saddr @${ipset_name} counter packets .* accept comment \"!serverchan Accept rule\""`
|
||||
if [ $count_accept_rules -eq 0 ]; then
|
||||
nft insert rule inet fw4 input tcp dport { $ip_port_white } $ip_version saddr @$ipset_name counter accept comment "!serverchan Accept rule" >/dev/null 2>&1
|
||||
elif [ $count_accept_rules -ne 1 ]; then
|
||||
local i=0
|
||||
local handles=`nft --handle list ruleset | grep "!serverchan Accept rule" | grep -v "tcp dport.* ${ip_port_white}.* $ip_version saddr @${ipset_name} counter packets .* accept comment \"!serverchan Accept rule\"" | awk '{print $NF}'`
|
||||
for handle in $handles; do
|
||||
[ $i -eq 0 ] && i=1 && continue
|
||||
nft delete rule $handle
|
||||
done
|
||||
fi
|
||||
else
|
||||
${ip_version}tables -C INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1 || ${ip_version}tables -I INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
unset handle
|
||||
# 端口转发
|
||||
for port_forward in `echo "$port_forward_list"`; do
|
||||
port_forward=`echo "$port_forward"|sed 's/,/ /g'` 2>/dev/null
|
||||
[ `echo $port_forward| awk -F" " '{print NF}'` -ne "4" ] && continue
|
||||
local src_ip=`echo ${port_forward}|awk '{print $1}'`
|
||||
local src_port=`echo ${port_forward}|awk '{print $2}'`
|
||||
local dst_ip=`echo ${port_forward}|awk '{print $3}'`
|
||||
local dst_port=`echo ${port_forward}|awk '{print $4}'`
|
||||
if ( opkg list-installed|grep -w -q ^firewall4 ); then
|
||||
! nft list ruleset|grep "$ip_version saddr @${ipset_name} tcp dport $src_port counter .* dnat $ip_version to $dst_ip:$dst_port comment \"!serverchan DNAT rule\"" >/dev/null 2>&1 && nft insert rule inet fw4 serverchan_dstnat meta nfproto $1 $ip_version saddr @${ipset_name} tcp dport $src_port counter dnat to "$dst_ip:$dst_port" comment \"!serverchan DNAT rule\" >/dev/null 2>&1
|
||||
! nft list ruleset|grep "$ip_version saddr $dst_ip tcp dport $dst_port counter .* snat $ip_version to $src_ip comment \"!serverchan SNAT rule\"" >/dev/null 2>&1 && nft insert rule inet fw4 serverchan_srcnat $ip_version saddr $dst_ip tcp dport $dst_port counter snat to $src_ip comment \"!serverchan SNAT rule\" >/dev/null 2>&1
|
||||
else
|
||||
${ip_version}tables -t nat -C PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1 || ${ip_version}tables -t nat -I PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1
|
||||
${ip_version}tables -t nat -C POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1 || ${ip_version}tables -t nat -I POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1
|
||||
fi
|
||||
done
|
||||
unset port_forward
|
||||
}
|
||||
|
||||
# 封禁 iptables 暂时还可以使用,以后再说吧
|
||||
# 添加黑名单
|
||||
function add_ip_black(){
|
||||
[ ! "$1" ] && return
|
||||
@ -1372,7 +1415,7 @@ fi
|
||||
|
||||
# 载入在线设备
|
||||
serverchan_init;[ $? -eq 1 ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】读取设置出错,请检查设置项 " >> ${logfile} && exit
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】载入在线设备" >> ${logfile}
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】载入在线设备..." >> ${logfile}
|
||||
> ${dir}send_enable.lock && serverchan_first && deltemp
|
||||
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】初始化完成" >> ${logfile}
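Review bot: `if [ $1=="ipv4" ]` in init_ip_white (and the `elif` below it) is a single-word test that is always true, so the `init_ip_white "ipv6"` call from serverchan_init takes the IPv4 branch as well and `ip_whitelistv6` (with its `family inet6` / `ipv6_addr` set) is never created; write `if [ "$1" = "ipv4" ]` and `elif [ "$1" = "ipv6" ]`. In add_ip_white the fw4 refresh can never fire because `nft list set inet fw4 $ipset_name >/dev/null 2>&1|grep $1` sends the listing to /dev/null before grep sees it — use `nft list set inet fw4 $ipset_name 2>/dev/null | grep -qw "$1" && nft delete element inet fw4 $ipset_name { $1 }`. `nft delete rule $handle` in the duplicate-accept-rule cleanup is not a complete nft command and will fail; it needs the family, table and chain: `nft delete rule inet fw4 input handle $handle`. Since the sets, the `serverchan_dstnat`/`serverchan_srcnat` base chains and the inserted rules all live in fw4's own table, an `fw4 reload` presumably rebuilds that table and drops them until the script re-runs init — worth a comment above init_ip_white so operators know the whitelist does not survive a firewall reload. Both function bodies are complete within the hunk.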
|
||||
|
||||
|