update 2023-05-07 23:35:16

This commit is contained in:
github-actions[bot] 2023-05-07 23:35:16 +08:00
parent 3cab2f5c28
commit fefd44fafd
27 changed files with 302 additions and 251 deletions

View File

@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ipt2socks
PKG_VERSION:=1.1.3
PKG_VERSION:=1.1.3
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/zfl9/ipt2socks/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=5279eb1cb7555cf9292423cc9f672dc43e6e214b3411a6df26a6a1cfa59d88b7
PKG_HASH:=5279eb1cb7555cf9292423cc9f672dc43e6e214b3411a6df26a6a1cfa59d88b7
PKG_BUILD_PARALLEL:=1
PKG_USE_MIPS16:=0

View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall
PKG_VERSION:=4.65-2
PKG_VERSION:=4.66-1
PKG_RELEASE:=
PKG_CONFIG_DEPENDS:= \

View File

@ -290,7 +290,7 @@ end
function copy_node()
local section = luci.http.formvalue("section")
local uuid = api.gen_uuid()
local uuid = api.gen_short_uuid()
ucic:section(appname, "nodes", uuid)
for k, v in pairs(ucic:get_all(appname, section)) do
local filter = k:find("%.")

View File

@ -155,7 +155,7 @@ if (has_v2ray or has_xray) and #nodes_table > 0 then
end
if #normal_list > 0 then
for k, v in pairs(shunt_list) do
local vid = v.id:sub(1, 8)
local vid = v.id
-- shunt node type, V2ray or Xray
local type = s:taboption("Main", ListValue, vid .. "-type", translate("Type"))
if has_v2ray then
@ -400,7 +400,7 @@ end
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
o.inputstyle = "remove"
function o.write(e, e)
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"gfwlist\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"passwall_\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
luci.http.redirect(api.url("log"))
end
@ -512,7 +512,7 @@ s.anonymous = true
s.addremove = true
s.template = "cbi/tblsection"
function s.create(e, t)
TypedSection.create(e, api.gen_uuid())
TypedSection.create(e, api.gen_short_uuid())
end
o = s:option(DummyValue, "status", translate("Status"))

View File

@ -76,7 +76,7 @@ s.anonymous = true
s.addremove = true
s.create = function(e, t)
TypedSection.create(e, api.gen_uuid())
TypedSection.create(e, api.gen_short_uuid())
end
s.remove = function(self, section)

View File

@ -26,7 +26,7 @@ s.addremove = true
s.template = "cbi/tblsection"
s.extedit = api.url("node_config", "%s")
function s.create(e, t)
local uuid = api.gen_uuid()
local uuid = api.gen_short_uuid()
t = uuid
TypedSection.create(e, t)
luci.http.redirect(e.extedit:format(t))

View File

@ -365,6 +365,10 @@ function gen_uuid(format)
return uuid
end
function gen_short_uuid()
return sys.exec("echo -n $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)")
end
function uci_get_type(type, config, default)
local value = uci:get_first(appname, type, config, default) or sys.exec("echo -n $(uci -q get " .. appname .. ".@" .. type .."[0]." .. config .. ")")
if (value == nil or value == "") and (default and default ~= "") then

View File

@ -602,7 +602,7 @@ function gen_config(var)
end
local function get_balancer_tag(_node_id)
return "balancer-" .. _node_id:sub(1, 8)
return "balancer-" .. _node_id
end
local function gen_balancer(_node, loopbackTag)
@ -611,7 +611,7 @@ function gen_config(var)
local valid_nodes = {}
for i = 1, length do
local blc_node_id = blc_nodes[i]
local blc_node_tag = "blc-" .. blc_node_id:sub(1, 8)
local blc_node_tag = "blc-" .. blc_node_id
local is_new_blc_node = true
for _, outbound in ipairs(outbounds) do
if outbound.tag == blc_node_tag then

View File

@ -50,10 +50,11 @@ local auto_switch = api.uci_get_type("auto_switch", "enable", 0)
if (dom.id) {
var s = dom.id.match(reg1);
if (s) {
dom_id = dom.id.split("cbi-").join("cbid-").split("-").join(".");
var cbi_id = global_id + "-"
var dom_id = dom.id.split(cbi_id).join(cbi_id.split("-").join(".")).split("cbi.").join("cbid.")
var node_select = document.getElementsByName(dom_id)[0];
var node_select_value = node_select.value;
if (node_select_value && node_select_value != "nil" && node_select_value.indexOf("_default") != 0 && node_select_value.indexOf("_direct") != 0 && node_select_value.indexOf("_blackhole") != 0) {
if (node_select_value && node_select_value != "nil" && node_select_value.indexOf("socks://") != 0 && node_select_value.indexOf("_default") != 0 && node_select_value.indexOf("_direct") != 0 && node_select_value.indexOf("_blackhole") != 0) {
if (global_id != null && node_select_value.indexOf("tcp") == 0) {
var d = global_id + "-tcp_node";
d = d.replace("cbi-", "cbid-").replace(new RegExp("-", 'g'), ".");
@ -63,20 +64,16 @@ local auto_switch = api.uci_get_type("auto_switch", "enable", 0)
node_select_value = _node_select_value;
}
}
var v = document.getElementById(dom_id + "-" + node_select_value);
if (v) {
node_select.title = v.text;
} else {
node_select.title = node_select.options[node_select.options.selectedIndex].text;
if (node_select.tagName == "INPUT") {
node_select = document.getElementById("cbi.combobox." + dom_id);
}
var new_html = "";
var new_a = document.createElement("a");
new_a.innerHTML = "<%:Edit%>";
new_a.href = "#";
new_a.setAttribute("onclick", "location.href='" + '<%=api.url("node_config")%>' + "/" + node_select_value + "'");
new_html = new_a.outerHTML;
var new_html = new_a.outerHTML;
if (s[0] == "tcp" || s[0] == "udp") {
var log_a = document.createElement("a");

View File

@ -416,11 +416,11 @@ run_chinadns_ng() {
[ -s "${RULES_PATH}/chnlist" ] && {
local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
local chnroute4_set="chnroute"
local chnroute6_set="chnroute6"
local chnroute4_set="passwall_chnroute"
local chnroute6_set="passwall_chnroute6"
[ "$nftflag" = "1" ] && {
chnroute4_set="inet@fw4@chnroute"
chnroute6_set="inet@fw4@chnroute6"
chnroute4_set="inet@fw4@passwall_chnroute"
chnroute6_set="inet@fw4@passwall_chnroute6"
}
_extra_param="${_extra_param} -4 ${chnroute4_set} -6 ${chnroute6_set} -m ${_chnlist_file} -M -a"
}
@ -429,8 +429,8 @@ run_chinadns_ng() {
([ -n "$_chnlist" ] || [ -n "$_gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
local gfwlist_set="gfwlist,gfwlist6"
[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@gfwlist,inet@fw4@gfwlist6"
local gfwlist_set="passwall_gfwlist,passwall_gfwlist6"
[ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@passwall_gfwlist,inet@fw4@passwall_gfwlist6"
_extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
#当只有使用gfwlist模式时设置默认DNS为本地直连
[ -n "$_gfwlist" ] && [ -z "$_chnlist" ] && _default_tag="chn"

View File

@ -197,7 +197,7 @@ if not fs.access(CACHE_DNS_PATH) then
local address = t.address
if datatypes.hostname(address) then
set_domain_dns(address, LOCAL_DNS)
set_domain_ipset(address, setflag_4 .. "vpsiplist," .. setflag_6 .. "vpsiplist6")
set_domain_ipset(address, setflag_4 .. "passwall_vpsiplist," .. setflag_6 .. "passwall_vpsiplist6")
end
end)
log(string.format(" - 节点列表中的域名(vpsiplist)%s", LOCAL_DNS or "默认"))
@ -207,7 +207,7 @@ if not fs.access(CACHE_DNS_PATH) then
if line ~= "" and not line:find("#") then
add_excluded_domain(line)
set_domain_dns(line, LOCAL_DNS)
set_domain_ipset(line, setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6")
set_domain_ipset(line, setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6")
end
end
log(string.format(" - 域名白名单(whitelist)%s", LOCAL_DNS or "默认"))
@ -220,10 +220,10 @@ if not fs.access(CACHE_DNS_PATH) then
for line in io.lines("/usr/share/passwall/rules/proxy_host") do
if line ~= "" and not line:find("#") then
add_excluded_domain(line)
local ipset_flag = setflag_4 .. "blacklist," .. setflag_6 .. "blacklist6"
local ipset_flag = setflag_4 .. "passwall_blacklist," .. setflag_6 .. "passwall_blacklist6"
if NO_PROXY_IPV6 == "1" then
set_domain_address(line, "::")
ipset_flag = setflag_4 .. "blacklist"
ipset_flag = setflag_4 .. "passwall_blacklist"
end
if REMOTE_FAKEDNS == "1" then
ipset_flag = nil
@ -251,12 +251,12 @@ if not fs.access(CACHE_DNS_PATH) then
if _node_id == "_direct" then
fwd_dns = LOCAL_DNS
ipset_flag = setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6"
ipset_flag = setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6"
else
fwd_dns = TUN_DNS
ipset_flag = setflag_4 .. "shuntlist," .. setflag_6 .. "shuntlist6"
ipset_flag = setflag_4 .. "passwall_shuntlist," .. setflag_6 .. "passwall_shuntlist6"
if NO_PROXY_IPV6 == "1" then
ipset_flag = setflag_4 .. "shuntlist"
ipset_flag = setflag_4 .. "passwall_shuntlist"
no_ipv6 = true
end
if not only_global then
@ -295,9 +295,9 @@ if not fs.access(CACHE_DNS_PATH) then
if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
fwd_dns = nil
else
local ipset_flag = setflag_4 .. "gfwlist," .. setflag_6 .. "gfwlist6"
local ipset_flag = setflag_4 .. "passwall_gfwlist," .. setflag_6 .. "passwall_gfwlist6"
if NO_PROXY_IPV6 == "1" then
ipset_flag = setflag_4 .. "gfwlist"
ipset_flag = setflag_4 .. "passwall_gfwlist"
end
if not only_global then
if REMOTE_FAKEDNS == "1" then
@ -329,7 +329,7 @@ if not fs.access(CACHE_DNS_PATH) then
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
if line ~= "" then
set_domain_dns(line, fwd_dns)
set_domain_ipset(line, setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6")
set_domain_ipset(line, setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6")
end
end
end
@ -340,9 +340,9 @@ if not fs.access(CACHE_DNS_PATH) then
local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
if line ~= "" then
local ipset_flag = setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6"
local ipset_flag = setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6"
if NO_PROXY_IPV6 == "1" then
ipset_flag = setflag_4 .. "chnroute"
ipset_flag = setflag_4 .. "passwall_chnroute"
set_domain_address(line, "::")
end
if not only_global then

View File

@ -2,23 +2,23 @@
DIR="$(cd "$(dirname "$0")" && pwd)"
MY_PATH=$DIR/iptables.sh
IPSET_LANIPLIST="laniplist"
IPSET_VPSIPLIST="vpsiplist"
IPSET_SHUNTLIST="shuntlist"
IPSET_GFW="gfwlist"
IPSET_CHN="chnroute"
IPSET_BLACKLIST="blacklist"
IPSET_WHITELIST="whitelist"
IPSET_BLOCKLIST="blocklist"
IPSET_LANLIST="passwall_lanlist"
IPSET_VPSLIST="passwall_vpslist"
IPSET_SHUNTLIST="passwall_shuntlist"
IPSET_GFW="passwall_gfwlist"
IPSET_CHN="passwall_chnroute"
IPSET_BLACKLIST="passwall_blacklist"
IPSET_WHITELIST="passwall_whitelist"
IPSET_BLOCKLIST="passwall_blocklist"
IPSET_LANIPLIST6="laniplist6"
IPSET_VPSIPLIST6="vpsiplist6"
IPSET_SHUNTLIST6="shuntlist6"
IPSET_GFW6="gfwlist6"
IPSET_CHN6="chnroute6"
IPSET_BLACKLIST6="blacklist6"
IPSET_WHITELIST6="whitelist6"
IPSET_BLOCKLIST6="blocklist6"
IPSET_LANLIST6="passwall_lanlist6"
IPSET_VPSLIST6="passwall_vpslist6"
IPSET_SHUNTLIST6="passwall_shuntlist6"
IPSET_GFW6="passwall_gfwlist6"
IPSET_CHN6="passwall_chnroute6"
IPSET_BLACKLIST6="passwall_blacklist6"
IPSET_WHITELIST6="passwall_whitelist6"
IPSET_BLOCKLIST6="passwall_blocklist6"
FORCE_INDEX=2
@ -223,11 +223,11 @@ get_action_chain_name() {
esac
}
gen_laniplist() {
gen_lanlist() {
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
}
gen_laniplist_6() {
gen_lanlist_6() {
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
}
@ -557,15 +557,15 @@ load_acl() {
filter_haproxy() {
for item in ${haproxy_items}; do
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
ipset -q add $IPSET_VPSIPLIST $ip
ipset -q add $IPSET_VPSLIST $ip
done
echolog "加入负载均衡的节点到ipset[$IPSET_VPSIPLIST]直连完成"
echolog "加入负载均衡的节点到ipset[$IPSET_VPSLIST]直连完成"
}
filter_vpsip() {
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
echolog "加入所有节点到ipset[$IPSET_VPSIPLIST]直连完成"
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
echolog "加入所有节点到ipset[$IPSET_VPSLIST]直连完成"
}
filter_node() {
@ -600,8 +600,8 @@ filter_node() {
local ADD_INDEX=$FORCE_INDEX
for _ipt in 4 6; do
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSIPLIST
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSIPLIST6
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSLIST
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
if [ $? -ne 0 ]; then
unset dst_rule
@ -679,8 +679,8 @@ dns_hijack() {
add_firewall_rule() {
echolog "开始加载防火墙规则..."
ipset -! create $IPSET_LANIPLIST nethash maxelem 1048576
ipset -! create $IPSET_VPSIPLIST nethash maxelem 1048576
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
ipset -! create $IPSET_SHUNTLIST nethash maxelem 1048576
ipset -! create $IPSET_GFW nethash maxelem 1048576
ipset -! create $IPSET_CHN nethash maxelem 1048576
@ -688,8 +688,8 @@ add_firewall_rule() {
ipset -! create $IPSET_WHITELIST nethash maxelem 1048576
ipset -! create $IPSET_BLOCKLIST nethash maxelem 1048576
ipset -! create $IPSET_LANIPLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_VPSIPLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_SHUNTLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_GFW6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_CHN6 nethash family inet6 maxelem 1048576
@ -718,11 +718,11 @@ add_firewall_rule() {
cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLOCKLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
ipset -! -R <<-EOF
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
EOF
ipset -! -R <<-EOF
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST6 /")
$(gen_lanlist_6 | sed -e "s/^/add $IPSET_LANLIST6 /")
EOF
# 忽略特殊IP段
@ -735,11 +735,11 @@ add_firewall_rule() {
#echolog "本机IPv6网段互访直连${lan_ip6}"
[ -n "$lan_ip" ] && ipset -! -R <<-EOF
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST /")
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST /")
EOF
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST6 /")
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST6 /")
EOF
}
@ -774,8 +774,8 @@ add_firewall_rule() {
fi
$ipt_n -N PSW
$ipt_n -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_LANLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_VPSLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN
WAN_IP=$(get_wan_ip)
@ -785,8 +785,8 @@ add_firewall_rule() {
[ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW"
$ipt_n -N PSW_OUTPUT
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
$ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
@ -805,8 +805,8 @@ add_firewall_rule() {
$ipt_m -A PSW_RULE -j CONNMARK --save-mark
$ipt_m -N PSW
$ipt_m -A PSW $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_LANLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_VPSLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
@ -817,8 +817,8 @@ add_firewall_rule() {
insert_rule_before "$ipt_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT"
$ipt_m -N PSW_OUTPUT
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
@ -828,14 +828,14 @@ add_firewall_rule() {
[ "$accept_icmpv6" = "1" ] && {
$ip6t_n -N PSW
$ip6t_n -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
$ip6t_n -N PSW_OUTPUT
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
}
@ -852,8 +852,8 @@ add_firewall_rule() {
$ip6t_m -A PSW_RULE -j CONNMARK --save-mark
$ip6t_m -N PSW
$ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
@ -866,8 +866,8 @@ add_firewall_rule() {
$ip6t_m -N PSW_OUTPUT
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
@ -938,7 +938,7 @@ add_firewall_rule() {
_proxy_tcp_access() {
[ -n "${2}" ] || return 0
ipset -q test $IPSET_LANIPLIST ${2}
ipset -q test $IPSET_LANLIST ${2}
[ $? -eq 0 ] && {
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
return 0
@ -1010,7 +1010,7 @@ add_firewall_rule() {
echolog "加载路由器自身 UDP 代理..."
_proxy_udp_access() {
[ -n "${2}" ] || return 0
ipset -q test $IPSET_LANIPLIST ${2}
ipset -q test $IPSET_LANLIST ${2}
[ $? == 0 ] && {
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
return 0
@ -1099,8 +1099,8 @@ del_firewall_rule() {
ip -6 rule del fwmark 1 table 100 2>/dev/null
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
destroy_ipset $IPSET_LANIPLIST
destroy_ipset $IPSET_VPSIPLIST
destroy_ipset $IPSET_LANLIST
destroy_ipset $IPSET_VPSLIST
#destroy_ipset $IPSET_SHUNTLIST
#destroy_ipset $IPSET_GFW
#destroy_ipset $IPSET_CHN
@ -1108,8 +1108,8 @@ del_firewall_rule() {
destroy_ipset $IPSET_BLOCKLIST
destroy_ipset $IPSET_WHITELIST
destroy_ipset $IPSET_LANIPLIST6
destroy_ipset $IPSET_VPSIPLIST6
destroy_ipset $IPSET_LANLIST6
destroy_ipset $IPSET_VPSLIST6
#destroy_ipset $IPSET_SHUNTLIST6
#destroy_ipset $IPSET_GFW6
#destroy_ipset $IPSET_CHN6
@ -1122,8 +1122,9 @@ del_firewall_rule() {
flush_ipset() {
del_firewall_rule
destroy_ipset $IPSET_VPSIPLIST $IPSET_SHUNTLIST $IPSET_GFW $IPSET_CHN $IPSET_BLACKLIST $IPSET_BLOCKLIST $IPSET_WHITELIST $IPSET_LANIPLIST
destroy_ipset $IPSET_VPSIPLIST6 $IPSET_SHUNTLIST6 $IPSET_GFW6 $IPSET_CHN6 $IPSET_BLACKLIST6 $IPSET_BLOCKLIST6 $IPSET_WHITELIST6 $IPSET_LANIPLIST6
for _name in $(ipset list | grep "Name: " | grep "passwall_" | awk '{print $2}'); do
destroy_ipset ${_name}
done
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
/etc/init.d/passwall reload
}

View File

@ -2,23 +2,23 @@
DIR="$(cd "$(dirname "$0")" && pwd)"
MY_PATH=$DIR/nftables.sh
NFTSET_LANIPLIST="laniplist"
NFTSET_VPSIPLIST="vpsiplist"
NFTSET_SHUNTLIST="shuntlist"
NFTSET_GFW="gfwlist"
NFTSET_CHN="chnroute"
NFTSET_BLACKLIST="blacklist"
NFTSET_WHITELIST="whitelist"
NFTSET_BLOCKLIST="blocklist"
NFTSET_LANLIST="passwall_lanlist"
NFTSET_VPSLIST="passwall_vpslist"
NFTSET_SHUNTLIST="passwall_shuntlist"
NFTSET_GFW="passwall_gfwlist"
NFTSET_CHN="passwall_chnroute"
NFTSET_BLACKLIST="passwall_blacklist"
NFTSET_WHITELIST="passwall_whitelist"
NFTSET_BLOCKLIST="passwall_blocklist"
NFTSET_LANIPLIST6="laniplist6"
NFTSET_VPSIPLIST6="vpsiplist6"
NFTSET_SHUNTLIST6="shuntlist6"
NFTSET_GFW6="gfwlist6"
NFTSET_CHN6="chnroute6"
NFTSET_BLACKLIST6="blacklist6"
NFTSET_WHITELIST6="whitelist6"
NFTSET_BLOCKLIST6="blocklist6"
NFTSET_LANLIST6="passwall_lanlist6"
NFTSET_VPSLIST6="passwall_vpslist6"
NFTSET_SHUNTLIST6="passwall_shuntlist6"
NFTSET_GFW6="passwall_gfwlist6"
NFTSET_CHN6="passwall_chnroute6"
NFTSET_BLACKLIST6="passwall_blacklist6"
NFTSET_WHITELIST6="passwall_whitelist6"
NFTSET_BLOCKLIST6="passwall_blocklist6"
FORCE_INDEX=2
@ -233,11 +233,11 @@ get_action_chain_name() {
esac
}
gen_laniplist() {
gen_lanlist() {
cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#"
}
gen_laniplist_6() {
gen_lanlist_6() {
cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#"
}
@ -563,24 +563,24 @@ load_acl() {
filter_haproxy() {
for item in ${haproxy_items}; do
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
insert_nftset $NFTSET_VPSIPLIST $ip
insert_nftset $NFTSET_VPSLIST $ip
done
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成"
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSLIST]直连完成"
}
filter_vps_addr() {
for server_host in $@; do
local vps_ip4=$(get_host_ip "ipv4" ${server_host})
local vps_ip6=$(get_host_ip "ipv6" ${server_host})
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSIPLIST $vps_ip4
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSIPLIST6 $vps_ip6
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSLIST $vps_ip4
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSLIST6 $vps_ip6
done
}
filter_vpsip() {
insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
echolog "加入所有节点到nftset[$NFTSET_VPSIPLIST]直连完成"
insert_nftset $NFTSET_VPSLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d")
insert_nftset $NFTSET_VPSLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d")
echolog "加入所有节点到nftset[$NFTSET_VPSLIST]直连完成"
}
filter_node() {
@ -613,8 +613,8 @@ filter_node() {
local ADD_INDEX=$FORCE_INDEX
for _ipt in 4 6; do
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSIPLIST
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSIPLIST6
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSLIST
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
nft "list chain inet fw4 $nft_output_chain" | grep -q "${address}:${port}"
if [ $? -ne 0 ]; then
unset dst_rule
@ -693,18 +693,18 @@ dns_hijack() {
add_firewall_rule() {
echolog "开始加载防火墙规则..."
gen_nftset $NFTSET_VPSIPLIST ipv4_addr
gen_nftset $NFTSET_VPSLIST ipv4_addr
gen_nftset $NFTSET_GFW ipv4_addr
gen_nftset $NFTSET_LANIPLIST ipv4_addr $(gen_laniplist)
gen_nftset $NFTSET_LANLIST ipv4_addr $(gen_lanlist)
gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#")
gen_nftset $NFTSET_BLACKLIST ipv4_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
gen_nftset $NFTSET_WHITELIST ipv4_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
gen_nftset $NFTSET_BLOCKLIST ipv4_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
gen_nftset $NFTSET_SHUNTLIST ipv4_addr
gen_nftset $NFTSET_VPSIPLIST6 ipv6_addr
gen_nftset $NFTSET_VPSLIST6 ipv6_addr
gen_nftset $NFTSET_GFW6 ipv6_addr
gen_nftset $NFTSET_LANIPLIST6 ipv6_addr $(gen_laniplist_6)
gen_nftset $NFTSET_LANLIST6 ipv6_addr $(gen_lanlist_6)
gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#")
gen_nftset $NFTSET_BLACKLIST6 ipv6_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
gen_nftset $NFTSET_WHITELIST6 ipv6_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
@ -730,8 +730,8 @@ add_firewall_rule() {
#echolog "本机IPv4网段互访直连${lan_ip}"
#echolog "本机IPv6网段互访直连${lan_ip6}"
[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANIPLIST $(echo $lan_ip | sed -e "s/ /\n/g")
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANIPLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
[ -n "$lan_ip" ] && insert_nftset $NFTSET_LANLIST $(echo $lan_ip | sed -e "s/ /\n/g")
[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g")
}
[ -n "$ISP_DNS" ] && {
@ -792,15 +792,15 @@ add_firewall_rule() {
#ipv4 tproxy mode and udp
nft "add chain inet fw4 PSW_MANGLE"
nft "flush chain inet fw4 PSW_MANGLE"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
nft "add chain inet fw4 PSW_OUTPUT_MANGLE"
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
@ -813,16 +813,16 @@ add_firewall_rule() {
[ -z "${is_tproxy}" ] && {
nft "add chain inet fw4 PSW"
nft "flush chain inet fw4 PSW"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANIPLIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSIPLIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop"
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
nft "add chain inet fw4 PSW_OUTPUT"
nft "flush chain inet fw4 PSW_OUTPUT"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANIPLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSIPLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return"
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop"
@ -832,13 +832,13 @@ add_firewall_rule() {
if [ "$accept_icmp" = "1" ]; then
nft "add chain inet fw4 PSW_ICMP_REDIRECT"
nft "flush chain inet fw4 PSW_ICMP_REDIRECT"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANIPLIST counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSIPLIST counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSLIST counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return"
[ "$accept_icmpv6" = "1" ] && {
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANIPLIST6 counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANLIST6 counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSLIST6 counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return"
}
@ -858,15 +858,15 @@ add_firewall_rule() {
#ipv6 tproxy mode and udp
nft "add chain inet fw4 PSW_MANGLE_V6"
nft "flush chain inet fw4 PSW_MANGLE_V6"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6"
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
@ -944,7 +944,7 @@ add_firewall_rule() {
_proxy_tcp_access() {
[ -n "${2}" ] || return 0
nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
nft "get element inet fw4 $NFTSET_LANLIST {${2}}" &>/dev/null
[ $? -eq 0 ] && {
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
return 0
@ -1015,7 +1015,7 @@ add_firewall_rule() {
echolog "加载路由器自身 UDP 代理..."
_proxy_udp_access() {
[ -n "${2}" ] || return 0
nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
nft "get element inet fw4 $NFTSET_LANLIST {${2}}" &>/dev/null
[ $? == 0 ] && {
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
return 0
@ -1101,8 +1101,8 @@ del_firewall_rule() {
ip -6 rule del fwmark 1 table 100 2>/dev/null
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
destroy_nftset $NFTSET_LANIPLIST
destroy_nftset $NFTSET_VPSIPLIST
destroy_nftset $NFTSET_LANLIST
destroy_nftset $NFTSET_VPSLIST
#destroy_nftset $NFTSET_SHUNTLIST
#destroy_nftset $NFTSET_GFW
#destroy_nftset $NFTSET_CHN
@ -1110,8 +1110,8 @@ del_firewall_rule() {
destroy_nftset $NFTSET_BLOCKLIST
destroy_nftset $NFTSET_WHITELIST
destroy_nftset $NFTSET_LANIPLIST6
destroy_nftset $NFTSET_VPSIPLIST6
destroy_nftset $NFTSET_LANLIST6
destroy_nftset $NFTSET_VPSLIST6
#destroy_nftset $NFTSET_SHUNTLIST6
#destroy_nftset $NFTSET_GFW6
#destroy_nftset $NFTSET_CHN6
@ -1124,8 +1124,8 @@ del_firewall_rule() {
flush_nftset() {
del_firewall_rule
destroy_nftset $NFTSET_VPSIPLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANIPLIST
destroy_nftset $NFTSET_VPSIPLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANIPLIST6
destroy_nftset $NFTSET_VPSLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANLIST
destroy_nftset $NFTSET_VPSLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANLIST6
rm -rf /tmp/etc/passwall_tmp/dnsmasq*
/etc/init.d/passwall reload
}

View File

@ -1059,7 +1059,7 @@ local function update_node(manual)
local remark = v["remark"]
local list = v["list"]
for _, vv in ipairs(list) do
local cfgid = uci:section(appname, "nodes", api.gen_uuid())
local cfgid = uci:section(appname, "nodes", api.gen_short_uuid())
for kkk, vvv in pairs(vv) do
uci:set(appname, cfgid, kkk, vvv)
end

View File

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall2
PKG_VERSION:=1.14-3
PKG_VERSION:=1.15-1
PKG_RELEASE:=
PKG_CONFIG_DEPENDS:= \

View File

@ -275,7 +275,7 @@ end
function copy_node()
local section = luci.http.formvalue("section")
local uuid = api.gen_uuid()
local uuid = api.gen_short_uuid()
ucic:section(appname, "nodes", uuid)
for k, v in pairs(ucic:get_all(appname, section)) do
local filter = k:find("%.")

View File

@ -298,7 +298,7 @@ s.anonymous = true
s.addremove = true
s.template = "cbi/tblsection"
function s.create(e, t)
TypedSection.create(e, api.gen_uuid())
TypedSection.create(e, api.gen_short_uuid())
end
o = s:option(DummyValue, "status", translate("Status"))

View File

@ -76,7 +76,7 @@ s.anonymous = true
s.addremove = true
s.create = function(e, t)
TypedSection.create(e, api.gen_uuid())
TypedSection.create(e, api.gen_short_uuid())
end
s.remove = function(self, section)

View File

@ -26,7 +26,7 @@ s.addremove = true
s.template = "cbi/tblsection"
s.extedit = api.url("node_config", "%s")
function s.create(e, t)
local uuid = api.gen_uuid()
local uuid = api.gen_short_uuid()
t = uuid
TypedSection.create(e, t)
luci.http.redirect(e.extedit:format(t))

View File

@ -348,6 +348,10 @@ function gen_uuid(format)
return uuid
end
function gen_short_uuid()
return sys.exec("echo -n $(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8)")
end
function uci_get_type(type, config, default)
local value = uci:get_first(appname, type, config, default) or sys.exec("echo -n $(uci -q get " .. appname .. ".@" .. type .."[0]." .. config .. ")")
if (value == nil or value == "") and (default and default ~= "") then

View File

@ -350,7 +350,7 @@ run_v2ray() {
ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $V2RAY_DNS_DIRECT_LOG run -c "$V2RAY_DNS_DIRECT_CONFIG"
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_direct_listen_port + 1) udp)
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=127.0.0.1#${dns_direct_listen_port} ipset=whitelist,whitelist6 config_file=$TMP_PATH/dnsmasq_${flag}_direct.conf
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=127.0.0.1#${dns_direct_listen_port} ipset=passwall2_whitelist,passwall2_whitelist6 config_file=$TMP_PATH/dnsmasq_${flag}_direct.conf
V2RAY_DNS_REMOTE_CONFIG="${TMP_PATH}/${flag}_dns_remote.json"
V2RAY_DNS_REMOTE_LOG="${TMP_PATH}/${flag}_dns_remote.log"

View File

@ -94,7 +94,7 @@ add() {
#始终用国内DNS解析节点域名
servers=$(uci show "${CONFIG}" | grep ".address=" | cut -d "'" -f 2)
hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | gen_items ipsets="vpsiplist,vpsiplist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpsiplist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | gen_items ipsets="passwall2_vpsiplist,passwall2_vpsiplist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpsiplist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
echolog " - [$?]节点列表中的域名(vpsiplist)${DEFAULT_DNS:-默认}"
echo "conf-dir=${TMP_DNSMASQ_PATH}" > $DNSMASQ_CONF_FILE

View File

@ -2,13 +2,13 @@
DIR="$(cd "$(dirname "$0")" && pwd)"
MY_PATH=$DIR/iptables.sh
IPSET_LANIPLIST="laniplist"
IPSET_VPSIPLIST="vpsiplist"
IPSET_WHITELIST="whitelist"
IPSET_LANLIST="passwall2_lanlist"
IPSET_VPSLIST="passwall2_vpslist"
IPSET_WHITELIST="passwall2_whitelist"
IPSET_LANIPLIST6="laniplist6"
IPSET_VPSIPLIST6="vpsiplist6"
IPSET_WHITELIST6="whitelist6"
IPSET_LANLIST6="passwall2_lanlist6"
IPSET_VPSLIST6="passwall2_vpslist6"
IPSET_WHITELIST6="passwall2_whitelist6"
FORCE_INDEX=2
@ -117,7 +117,7 @@ get_action_chain_name() {
echo "全局代理"
}
gen_laniplist() {
gen_lanlist() {
cat <<-EOF
0.0.0.0/8
10.0.0.0/8
@ -131,7 +131,7 @@ gen_laniplist() {
EOF
}
gen_laniplist_6() {
gen_lanlist_6() {
cat <<-EOF
::/128
::1/128
@ -388,15 +388,15 @@ load_acl() {
filter_haproxy() {
for item in $(uci show $CONFIG | grep ".lbss=" | cut -d "'" -f 2); do
local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
[ -n "$ip" ] && ipset -q add $IPSET_VPSIPLIST $ip
[ -n "$ip" ] && ipset -q add $IPSET_VPSLIST $ip
done
echolog "加入负载均衡的节点到ipset[$IPSET_VPSIPLIST]直连完成"
echolog "加入负载均衡的节点到ipset[$IPSET_VPSLIST]直连完成"
}
filter_vpsip() {
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
echolog "加入所有节点到ipset[$IPSET_VPSIPLIST]直连完成"
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
echolog "加入所有节点到ipset[$IPSET_VPSLIST]直连完成"
}
filter_node() {
@ -443,7 +443,7 @@ filter_node() {
msg2="套娃使用(${msg}:${port} -> ${_port})"
}
[ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW2_OUTPUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW2_OUTPUT "$IPSET_VPSLIST" $FORCE_INDEX)
dst_rule=" -j RETURN"
msg2="直连代理"
}
@ -510,20 +510,20 @@ dns_hijack() {
add_firewall_rule() {
echolog "开始加载防火墙规则..."
ipset -! create $IPSET_LANIPLIST nethash maxelem 1048576
ipset -! create $IPSET_VPSIPLIST nethash maxelem 1048576
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
ipset -! create $IPSET_VPSLIST nethash maxelem 1048576
ipset -! create $IPSET_WHITELIST nethash maxelem 1048576
ipset -! create $IPSET_LANIPLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_VPSIPLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_LANLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_VPSLIST6 nethash family inet6 maxelem 1048576
ipset -! create $IPSET_WHITELIST6 nethash family inet6 maxelem 1048576
ipset -! -R <<-EOF
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
$(gen_lanlist | sed -e "s/^/add $IPSET_LANLIST /")
EOF
ipset -! -R <<-EOF
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST6 /")
$(gen_lanlist_6 | sed -e "s/^/add $IPSET_LANLIST6 /")
EOF
# 忽略特殊IP段
@ -536,18 +536,18 @@ add_firewall_rule() {
#echolog "本机IPv6网段互访直连${lan_ip6}"
[ -n "$lan_ip" ] && ipset -! -R <<-EOF
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST /")
$(echo $lan_ip | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST /")
EOF
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST6 /")
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANLIST6 /")
EOF
}
[ -n "$ISP_DNS" ] && {
#echolog "处理 ISP DNS 例外..."
for ispip in $ISP_DNS; do
ipset -! add $IPSET_LANIPLIST $ispip >/dev/null 2>&1 &
ipset -! add $IPSET_LANLIST $ispip >/dev/null 2>&1 &
#echolog " - 追加到白名单:${ispip}"
done
}
@ -555,7 +555,7 @@ add_firewall_rule() {
[ -n "$ISP_DNS6" ] && {
#echolog "处理 ISP IPv6 DNS 例外..."
for ispip6 in $ISP_DNS6; do
ipset -! add $IPSET_LANIPLIST6 $ispip6 >/dev/null 2>&1 &
ipset -! add $IPSET_LANLIST6 $ispip6 >/dev/null 2>&1 &
#echolog " - 追加到白名单:${ispip6}"
done
}
@ -575,8 +575,8 @@ add_firewall_rule() {
fi
$ipt_n -N PSW2
$ipt_n -A PSW2 $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_n -A PSW2 $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_n -A PSW2 $(dst $IPSET_LANLIST) -j RETURN
$ipt_n -A PSW2 $(dst $IPSET_VPSLIST) -j RETURN
$ipt_n -A PSW2 $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
WAN_IP=$(get_wan_ip)
@ -586,8 +586,8 @@ add_firewall_rule() {
[ -z "${is_tproxy}" ] && insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW2"
$ipt_n -N PSW2_OUTPUT
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
@ -606,8 +606,8 @@ add_firewall_rule() {
$ipt_m -A PSW2_RULE -j CONNMARK --save-mark
$ipt_m -N PSW2
$ipt_m -A PSW2 $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_m -A PSW2 $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_m -A PSW2 $(dst $IPSET_LANLIST) -j RETURN
$ipt_m -A PSW2 $(dst $IPSET_VPSLIST) -j RETURN
$ipt_m -A PSW2 $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
[ ! -z "${WAN_IP}" ] && $ipt_m -A PSW2 $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
@ -618,8 +618,8 @@ add_firewall_rule() {
$ipt_m -N PSW2_OUTPUT
$ipt_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
$ipt_m -A PSW2_OUTPUT $(dst $IPSET_WHITELIST) ! -d $FAKE_IP -j RETURN
ip rule add fwmark 1 lookup 100
@ -627,14 +627,14 @@ add_firewall_rule() {
[ "$accept_icmpv6" = "1" ] && {
$ip6t_n -N PSW2
$ip6t_n -A PSW2 $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_n -A PSW2 $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_n -A PSW2 $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_n -A PSW2 $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_n -A PSW2 $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW2
$ip6t_n -N PSW2_OUTPUT
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
$ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
}
@ -651,8 +651,8 @@ add_firewall_rule() {
$ip6t_m -A PSW2_RULE -j CONNMARK --save-mark
$ip6t_m -N PSW2
$ip6t_m -A PSW2 $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_m -A PSW2 $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_m -A PSW2 $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_m -A PSW2 $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_m -A PSW2 $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
WAN6_IP=$(get_wan6_ip)
@ -664,8 +664,8 @@ add_firewall_rule() {
$ip6t_m -N PSW2_OUTPUT
$ip6t_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_WHITELIST6) ! -d $FAKE_IP_6 -j RETURN
ip -6 rule add fwmark 1 table 100
@ -816,8 +816,9 @@ del_firewall_rule() {
flush_ipset() {
del_firewall_rule
destroy_ipset $IPSET_WHITELIST $IPSET_VPSIPLIST $IPSET_LANIPLIST
destroy_ipset $IPSET_WHITELIST6 $IPSET_VPSIPLIST6 $IPSET_LANIPLIST6
for _name in $(ipset list | grep "Name: " | grep "passwall2_" | awk '{print $2}'); do
destroy_ipset ${_name}
done
/etc/init.d/passwall2 reload
}

View File

@ -954,7 +954,7 @@ local function update_node(manual)
local remark = v["remark"]
local list = v["list"]
for _, vv in ipairs(list) do
local cfgid = uci:section(appname, "nodes", api.gen_uuid())
local cfgid = uci:section(appname, "nodes", api.gen_short_uuid())
for kkk, vvv in pairs(vv) do
uci:set(appname, cfgid, kkk, vvv)
end

View File

@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-serverchan
PKG_VERSION:=2.06.2
PKG_VERSION:=2.07.0
PKG_RELEASE:=10
PKG_MAINTAINER:=tty228 <tty228@yeah.net>

View File

@ -335,6 +335,7 @@ a = s:taboption("ipset", Flag, "port_knocking", translate("端口敲门"))
a.default = 0
a.rmempty = true
a.description = translate("登录成功后开放端口")
a.description = translate("如在 防火墙 - 区域设置 中禁用了 LAN 口入站和转发,将不起作用<br/>写起来太鸡儿麻烦了,告辞")
a = s:taboption("ipset", Value, "ip_port_white", "端口")
a.default = ""

View File

@ -59,14 +59,14 @@ function read_config(){
# 初始化
function serverchan_init(){
enable_detection
echo "---------------------------------------------------------------------------------------" >> ${logfile}
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】start running..." >> ${logfile}
if [ -f "/usr/share/serverchan/errlog" ]; then
cat /usr/share/serverchan/errlog > ${logfile}
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】载入上次重启前日志" >> ${logfile}
echo "--------------------------------------------------------" >> ${logfile}
fi
down_oui &
get_syslog
set_ip_black
rm -f ${dir}fd1 ${dir}sheep_usage ${dir}old_sheep_usage ${dir}client_usage_aliases ${dir}old_client_usage_aliases /usr/share/serverchan/errlog >/dev/null 2>&1
[ ! -f "/usr/sbin/wrtbwmon" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【info】未安装 wrtbwmon ,流量统计不可用" >> ${logfile}
@ -74,6 +74,14 @@ function serverchan_init(){
[ -z "$cu_version" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法获取依赖项 curl 版本号,请确认插件是否正常运行" >> ${logfile}
[ -z "${sckey}${tg_token}${pushplus_token}${corpid}${wxpusher_apptoken}${wxpusher_uids}${wxpusher_topicIds}" -a "${jsonpath}" != "/usr/share/serverchan/api/diy.json" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】请填写正确的 key " >> ${logfile} && return 1
local interfacelist=`getinterfacelist` && [ -z "$interfacelist" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法获取接口在线时间等信息,可能存在多个接口或配置错误,请确认插件是否正常运行" >> ${logfile}
[ ! -z "$temperature_enable" ] && [ "$temperature_enable" -eq "1" ] && [ ! -z "$temperature" ] && local cpu_wendu=`soc_temp` || local cpu_wendu="null"
[ -z "$cpu_wendu" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备温度,请检查命令" >> ${logfile}
[ ! -z "$cpuload_enable" ] && [ "$cpuload_enable" -eq "1" ] && [ ! -z "$cpuload" ] && local cpu_fuzai=`cat /proc/loadavg|awk '{print $1}'` 2>/dev/null || local cpu_fuzai="null"
[ -z "$cpu_fuzai" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备负载,请检查命令" >> ${logfile}
set_ip_black
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] && init_ip_white "ipv4"
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] && init_ip_white "ipv6"
return 0
}
@ -194,7 +202,7 @@ function getip(){
# 获取接口信息
function getinterfacelist(){
[ `ubus list|grep -w -i "network.interface.wan"|wc -l` -ge "1" ] && ubus call network.interface.wan status && return
local ubuslist=`ubus list|grep -i "network.interface."|grep -v "loopback"|grep -v -i "wan6"|grep -v -i "lan6"|grep -v -i "ipsec_server*"|grep -v -i "VPN*"|grep -v -i "DOCKER*"`
local ubuslist=`ubus list|grep -i "network.interface."|grep -v "loopback"|grep -v -i "wan6"|grep -v -i "lan6"|grep -v -i "ipsec.*"|grep -v -i "VPN.*"|grep -v -i "DOCKER.*"`
[ `echo "${ubuslist}" |wc -l` -eq "1" ] && ubus call ${ubuslist} status && return
}
@ -327,7 +335,7 @@ function soc_temp(){
[ "$soc_code" == "pve" ] && [ ! -z "$server_host" ] && [ -z "$soctemp" ] || [ "$soctemp" == "null" ] && local soctemp=`ssh -i /root/.ssh/id_rsa root@${server_host} -p ${server_port} sensors -j 2>/dev/null|jq '."zenpower-pci-00c3"."Tctl"."temp1_input"'`
# PVE 应该没啥特殊设备了,懒得写了
[ ! -z "$soctemp" ] && echo "$soctemp" && return
[ ! -z "$soctemp" ] && echo "$soctemp" && return 0
[ ! -z "$soc_code" ] && eval `echo "$soc_code"` 2>/dev/null
}
@ -984,15 +992,14 @@ function cpu_load(){
if [ ! -z "$temperature_enable" ] && [ "$temperature_enable" -eq "1" ] && [ ! -z "$temperature" ]; then
[ -z "$temperature_time" ] && temperature_time=`date +%s`
local cpu_wendu=`soc_temp`;
[ -z "$cpu_wendu" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备温度,请检查命令" >> ${logfile}
if [ `expr $cpu_wendu \> $temperature` -eq "1" ]; then
if [ ! -z "$cpu_wendu" ] && [ `expr $cpu_wendu \> $temperature` -eq "1" ]; then
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!警报!!】 CPU 温度过高: ${cpu_wendu}" >> ${logfile}
else
temperature_time=`date +%s`
fi
if [ "$((`date +%s`-$temperature_time))" -ge "300" ] && [ -z "$temperaturecd_time" ]; then
if [ ! -z "$cpu_wendu" ] && [ "$((`date +%s`-$temperature_time))" -ge "300" ] && [ -z "$temperaturecd_time" ]; then
title="CPU 温度过高!"
temperaturecd_time=`date +%s`
echo "`date "+%Y-%m-%d %H:%M:%S"` ${disturb_text} CPU 温 度过高: ${cpu_wendu}" >> ${logfile}
@ -1005,16 +1012,15 @@ function cpu_load(){
if [ ! -z "$cpuload_enable" ] && [ "$cpuload_enable" -eq "1" ] && [ ! -z "$cpuload" ]; then
[ -z "$cpuload_time" ] && cpuload_time=`date +%s`
local cpu_fuzai=`cat /proc/loadavg|awk '{print $1}'` 2>/dev/null
[ -z "$cpu_fuzai" ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】无法读取设备负载,请检查命令" >> ${logfile}
if [ `expr $cpu_fuzai \> $cpuload` -eq "1" ]; then
if [ ! -z "$cpu_fuzai" ] && [ `expr $cpu_fuzai \> $cpuload` -eq "1" ]; then
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!警报!!】 CPU 负载过高: ${cpu_fuzai}" >> ${logfile}
cputop log
else
elif [ ! -z "$cpu_fuzai" ]; then
cpuload_time=`date +%s`
fi
if [ "$((`date +%s`-$cpuload_time))" -ge "300" ] && [ -z "$cpucd_time" ]; then
if [ ! -z "$cpu_fuzai" ] && [ "$((`date +%s`-$cpuload_time))" -ge "300" ] && [ -z "$cpucd_time" ]; then
unset getlogtop
if [ ! -z "$title" ] && ( echo "$title"|grep -q "过高" ); then
title="设备报警!"
@ -1175,43 +1181,80 @@ function login_send(){
unset login_ip login_sum
}
# 添加白名单,懒得写删除项和信息显示了,感觉没啥必要
# 添加白名单,懒得写删除项和信息显示了,纯粹就是懒
function add_ip_white() {
local ip=$1
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] || return
# 检查 IP 版本
if ( echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ); then
local ipset_name="ip_whitelist"
local iptables_cmd="iptables"
local nat_table_cmd=""
elif ( echo "$ip" | grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$' ); then
local ipset_name="ip_whitelistv6"
local iptables_cmd="ip6tables"
local nat_table_cmd="family inet6"
else
echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】白名单添加失败IP 格式错误" >> ${logfile} && return
fi
ipset list $ipset_name >/dev/null 2>&1 || ipset create $ipset_name hash:ip timeout ${ip_white_timeout} >/dev/null 2>&1
# 端口放行
if [ ! -z $ip_port_white ]; then
$iptables_cmd -C INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1 || $iptables_cmd -I INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1
fi
# 端口转发
for port_forward in "$port_forward_list"; do
port_forward=`echo "$port_forward"|sed 's/,/ /g'` 2>/dev/null
[ `echo $port_forward| awk -F" " '{print NF}'` -ne "4" ] && continue
local src_ip=`echo ${port_forward}|awk '{print $1}'`
local src_port=`echo ${port_forward}|awk '{print $2}'`
local dst_ip=`echo ${port_forward}|awk '{print $3}'`
local dst_port=`echo ${port_forward}|awk '{print $4}'`
$iptables_cmd -t nat -C PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1 || $iptables_cmd -t nat -I PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1
$iptables_cmd -t nat -C POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1 || $iptables_cmd -t nat -I POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1
done
unset port_forward
ipset -exist add $ipset_name $ip timeout $ip_white_timeout
[ -n "$port_knocking" ] && [ "$port_knocking" -eq "1" ] || return
# 检查 IP 版本
( echo "$1"|grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ) && local ipset_name="ip_whitelist"
( echo "$1"|grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$' ) && local ipset_name="ip_whitelistv6"
[ -z $ipset_name ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】白名单添加失败IP 格式错误" >> ${logfile} && return
( opkg list-installed|grep -w -q ^firewall4 ) && nft list set inet fw4 $ipset_name >/dev/null 2>&1|grep $1 >/dev/null 2>&1 && nft delete element inet fw4 $ipset_name { $1 } >/dev/null 2>&1
( opkg list-installed|grep -w -q ^firewall4 ) && nft add element inet fw4 $ipset_name { $1 } && return #没找到刷新时间的命令,删除再添加
ipset -exist add $ipset_name $1 timeout $ip_white_timeout
}
# 初始化白名单
function init_ip_white() {
[ -z $web_login_black ] && [ -z $port_knocking ] && return
# 设置 IP 版本变量
if [ $1=="ipv4" ]; then
local ipset_name="ip_whitelist"
local ip_version="ip"
elif [ $1=="ipv6" ]; then
local ipset_name="ip_whitelistv6"
local ip_version="ip6"
local nat_table_cmd="family inet6"
fi
if ( opkg list-installed|grep -w -q ^firewall4 ); then
! nft list set inet fw4 $ipset_name >/dev/null 2>&1 && nft add set inet fw4 $ipset_name { type ${1}_addr\; flags timeout\; timeout ${ip_white_timeout}s\; }
nft add chain inet fw4 serverchan_dstnat { type nat hook prerouting priority -100 \; }
nft add chain inet fw4 serverchan_srcnat { type nat hook postrouting priority 100 \; }
else
! ipset list $ipset_name >/dev/null 2>&1 && ipset create $ipset_name hash:ip timeout $ip_white_timeout $nat_table_cmd >/dev/null 2>&1
fi
# 端口放行
if [ ! -z $ip_port_white ]; then
local ip_port_white=`echo "$ip_port_white"|sed 's/ //g'|sed 's/,/, /g'` 2>/dev/null
if ( opkg list-installed|grep -w -q ^firewall4 ); then
local count_accept_rules=`nft list ruleset | grep -c "tcp dport.* ${ip_port_white}.* $ip_version saddr @${ipset_name} counter packets .* accept comment \"!serverchan Accept rule\""`
if [ $count_accept_rules -eq 0 ]; then
nft insert rule inet fw4 input tcp dport { $ip_port_white } $ip_version saddr @$ipset_name counter accept comment "!serverchan Accept rule" >/dev/null 2>&1
elif [ $count_accept_rules -ne 1 ]; then
local i=0
local handles=`nft --handle list ruleset | grep "!serverchan Accept rule" | grep -v "tcp dport.* ${ip_port_white}.* $ip_version saddr @${ipset_name} counter packets .* accept comment \"!serverchan Accept rule\"" | awk '{print $NF}'`
for handle in $handles; do
[ $i -eq 0 ] && i=1 && continue
nft delete rule $handle
done
fi
else
${ip_version}tables -C INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1 || ${ip_version}tables -I INPUT -m set --match-set $ipset_name src -p tcp -m multiport --dport $ip_port_white -j ACCEPT >/dev/null 2>&1
fi
fi
unset handle
# 端口转发
for port_forward in `echo "$port_forward_list"`; do
port_forward=`echo "$port_forward"|sed 's/,/ /g'` 2>/dev/null
[ `echo $port_forward| awk -F" " '{print NF}'` -ne "4" ] && continue
local src_ip=`echo ${port_forward}|awk '{print $1}'`
local src_port=`echo ${port_forward}|awk '{print $2}'`
local dst_ip=`echo ${port_forward}|awk '{print $3}'`
local dst_port=`echo ${port_forward}|awk '{print $4}'`
if ( opkg list-installed|grep -w -q ^firewall4 ); then
! nft list ruleset|grep "$ip_version saddr @${ipset_name} tcp dport $src_port counter .* dnat $ip_version to $dst_ip:$dst_port comment \"!serverchan DNAT rule\"" >/dev/null 2>&1 && nft insert rule inet fw4 serverchan_dstnat meta nfproto $1 $ip_version saddr @${ipset_name} tcp dport $src_port counter dnat to "$dst_ip:$dst_port" comment \"!serverchan DNAT rule\" >/dev/null 2>&1
! nft list ruleset|grep "$ip_version saddr $dst_ip tcp dport $dst_port counter .* snat $ip_version to $src_ip comment \"!serverchan SNAT rule\"" >/dev/null 2>&1 && nft insert rule inet fw4 serverchan_srcnat $ip_version saddr $dst_ip tcp dport $dst_port counter snat to $src_ip comment \"!serverchan SNAT rule\" >/dev/null 2>&1
else
${ip_version}tables -t nat -C PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1 || ${ip_version}tables -t nat -I PREROUTING -m set --match-set $ipset_name src -p tcp --dport $src_port -j DNAT --to-destination "$dst_ip:$dst_port" >/dev/null 2>&1
${ip_version}tables -t nat -C POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1 || ${ip_version}tables -t nat -I POSTROUTING -m set --match-set $ipset_name src -p tcp -d $dst_ip --dport $dst_port -j SNAT --to-source $src_ip >/dev/null 2>&1
fi
done
unset port_forward
}
# 封禁 iptables 暂时还可以使用,以后再说吧
# 添加黑名单
function add_ip_black(){
[ ! "$1" ] && return
@ -1372,7 +1415,7 @@ fi
# 载入在线设备
serverchan_init;[ $? -eq 1 ] && echo "`date "+%Y-%m-%d %H:%M:%S"` 【!!!】读取设置出错,请检查设置项 " >> ${logfile} && exit
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】载入在线设备" >> ${logfile}
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】载入在线设备..." >> ${logfile}
> ${dir}send_enable.lock && serverchan_first && deltemp
echo "`date "+%Y-%m-%d %H:%M:%S"` 【初始化】初始化完成" >> ${logfile}