mirror of
https://github.com/roacn/openwrt-packages.git
synced 2025-01-05 10:27:05 +08:00
🎈 Sync 2024-12-13 00:33
This commit is contained in:
github-actions[bot]
parent
98732c1d30
commit
0b82a480c3
@ -7,13 +7,13 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=alist
|
||||
PKG_VERSION:=3.40.0
|
||||
PKG_WEB_VERSION:=3.39.2
|
||||
PKG_VERSION:=3.41.0
|
||||
PKG_WEB_VERSION:=3.41.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/AlistGo/alist/tar.gz/v$(PKG_VERSION)?
|
||||
PKG_HASH:=350f6d0610cebb70c645e52a87aaf0e8cb5bb275593ee22778ed8348da48b005
|
||||
PKG_HASH:=0336a1c0089d558e7e3efd0337e51e9c45bc80f22ee8a71103e12417a7d647a2
|
||||
|
||||
PKG_LICENSE:=GPL-3.0
|
||||
PKG_LICENSE_FILE:=LICENSE
|
||||
@ -23,7 +23,7 @@ define Download/$(PKG_NAME)-web
|
||||
FILE:=$(PKG_NAME)-web-$(PKG_WEB_VERSION).tar.gz
|
||||
URL_FILE:=dist.tar.gz
|
||||
URL:=https://github.com/AlistGo/alist-web/releases/download/$(PKG_WEB_VERSION)/
|
||||
HASH:=d998315aff5544e7d7248214d02a3b04a92366bf0ac50fb4791b23833e8b543a
|
||||
HASH:=7fbc3e83874fca15eb6590aad2c09cd6eb4f15aa7febe2b25a961ea56ba5265b
|
||||
endef
|
||||
|
||||
PKG_BUILD_DEPENDS:=golang/host
|
||||
|
||||
@ -557,9 +557,6 @@ if api.is_finded("smartdns") then
|
||||
o:depends({dns_shunt = "smartdns", tcp_proxy_mode = "proxy", chn_list = "direct"})
|
||||
end
|
||||
|
||||
o = s:taboption("DNS", Flag, "dns_redirect", "DNS " .. translate("Redirect"), translate("Force Router DNS server to all local devices."))
|
||||
o.default = "0"
|
||||
|
||||
if (uci:get(appname, "@global_forwarding[0]", "use_nft") or "0") == "1" then
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect."))
|
||||
else
|
||||
|
||||
@ -223,9 +223,6 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。"
|
||||
msgid "Redirect"
|
||||
msgstr "重定向"
|
||||
|
||||
msgid "Force Router DNS server to all local devices."
|
||||
msgstr "强制所有本地设备使用路由器 DNS。"
|
||||
|
||||
msgid "Clear IPSET"
|
||||
msgstr "清空 IPSET"
|
||||
|
||||
|
||||
@ -14,13 +14,10 @@ TMP_ROUTE_PATH=$TMP_PATH/route
|
||||
TMP_ACL_PATH=$TMP_PATH/acl
|
||||
TMP_IFACE_PATH=$TMP_PATH/iface
|
||||
TMP_PATH2=/tmp/etc/${CONFIG}_tmp
|
||||
DNSMASQ_PATH=/etc/dnsmasq.d
|
||||
DNSMASQ_CONF_DIR=/tmp/dnsmasq.d
|
||||
TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG}
|
||||
GLOBAL_ACL_PATH=${TMP_ACL_PATH}/default
|
||||
LOG_FILE=/tmp/log/$CONFIG.log
|
||||
APP_PATH=/usr/share/$CONFIG
|
||||
RULES_PATH=/usr/share/${CONFIG}/rules
|
||||
DNS_N=dnsmasq
|
||||
DNS_PORT=15353
|
||||
TUN_DNS="127.0.0.1#${DNS_PORT}"
|
||||
LOCAL_DNS=119.29.29.29,223.5.5.5
|
||||
@ -359,6 +356,23 @@ parse_doh() {
|
||||
eval "${__url_var}='${__url}' ${__host_var}='${__host}' ${__port_var}='${__port}' ${__bootstrap_var}='${__bootstrap}'"
|
||||
}
|
||||
|
||||
get_geoip() {
|
||||
local geoip_code="$1"
|
||||
local geoip_type_flag=""
|
||||
local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
|
||||
geoip_path="${geoip_path%*/}/geoip.dat"
|
||||
[ -e "$geoip_path" ] || { echo ""; return; }
|
||||
case "$2" in
|
||||
"ipv4") geoip_type_flag="-ipv6=false" ;;
|
||||
"ipv6") geoip_type_flag="-ipv4=false" ;;
|
||||
esac
|
||||
if type geoview &> /dev/null; then
|
||||
geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
run_ipt2socks() {
|
||||
local flag proto tcp_tproxy local_port socks_address socks_port socks_username socks_password log_file
|
||||
local _extra_param=""
|
||||
@ -704,9 +718,9 @@ run_redir() {
|
||||
local node proto bind local_port config_file log_file
|
||||
eval_set_val $@
|
||||
local tcp_node_socks_flag tcp_node_http_flag
|
||||
[ -n "$config_file" ] && [ -z "$(echo ${config_file} | grep $TMP_PATH)" ] && config_file=${TMP_ACL_PATH}/default/${config_file}
|
||||
[ -n "$config_file" ] && [ -z "$(echo ${config_file} | grep $TMP_PATH)" ] && config_file=${GLOBAL_ACL_PATH}/${config_file}
|
||||
if [ -n "$log_file" ] && [ -z "$(echo ${log_file} | grep $TMP_PATH)" ]; then
|
||||
log_file=${TMP_ACL_PATH}/default/${log_file}
|
||||
log_file=${GLOBAL_ACL_PATH}/${log_file}
|
||||
else
|
||||
log_file="/dev/null"
|
||||
fi
|
||||
@ -1050,7 +1064,7 @@ run_redir() {
|
||||
|
||||
[ "$tcp_node_socks" = "1" ] && {
|
||||
TCP_SOCKS_server="127.0.0.1:$tcp_node_socks_port"
|
||||
echo "${TCP_SOCKS_server}" > $TMP_ACL_PATH/default/TCP_SOCKS_server
|
||||
echo "${TCP_SOCKS_server}" > ${GLOBAL_ACL_PATH}/TCP_SOCKS_server
|
||||
}
|
||||
;;
|
||||
esac
|
||||
@ -1069,7 +1083,7 @@ start_redir() {
|
||||
local port=$(echo $(get_new_port $current_port $proto))
|
||||
eval ${proto}_REDIR=$port
|
||||
run_redir node=$node proto=${proto} bind=0.0.0.0 local_port=$port config_file=$config_file log_file=$log_file
|
||||
echo $node > $TMP_ACL_PATH/default/${proto}.id
|
||||
echo $node > ${GLOBAL_ACL_PATH}/${proto}.id
|
||||
else
|
||||
[ "${proto}" = "UDP" ] && [ "$TCP_UDP" = "1" ] && return
|
||||
echolog "${proto}节点没有选择或为空,不代理${proto}。"
|
||||
@ -1533,13 +1547,20 @@ start_dns() {
|
||||
dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}')
|
||||
[ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!"
|
||||
}
|
||||
source $APP_PATH/helper_dnsmasq.sh stretch
|
||||
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${TMP_DNSMASQ_PATH} -DNSMASQ_CONF_DIR ${DNSMASQ_CONF_DIR} \
|
||||
-DNSMASQ_CONF_FILE "${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf" -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \
|
||||
|
||||
GLOBAL_DNSMASQ_PORT=$(get_new_port 11400)
|
||||
local GLOBAL_DNSMASQ_CONF=${GLOBAL_ACL_PATH}/dnsmasq.conf
|
||||
local GLOBAL_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/dnsmasq.d
|
||||
source $APP_PATH/helper_dnsmasq.sh copy_instance listen_port=$GLOBAL_DNSMASQ_PORT dnsmasq_conf="${GLOBAL_DNSMASQ_CONF}" dnsmasq_conf_path="${GLOBAL_DNSMASQ_CONF_PATH}"
|
||||
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${GLOBAL_DNSMASQ_CONF_PATH} \
|
||||
-DNSMASQ_CONF_FILE ${GLOBAL_DNSMASQ_CONF} -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \
|
||||
-TUN_DNS ${TUN_DNS} -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \
|
||||
-USE_DIRECT_LIST "${USE_DIRECT_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \
|
||||
-TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE ${TCP_PROXY_MODE} -NO_PROXY_IPV6 ${DNSMASQ_FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \
|
||||
-NO_LOGIC_LOG ${NO_LOGIC_LOG:-0}
|
||||
ln_run "$(first_type dnsmasq)" "dnsmasq_default" "/dev/null" -C ${GLOBAL_DNSMASQ_CONF} -x ${GLOBAL_ACL_PATH}/dnsmasq.pid
|
||||
echo "${GLOBAL_DNSMASQ_PORT}" > ${GLOBAL_ACL_PATH}/var_redirect_dns_port
|
||||
DNS_REDIRECT_PORT=${GLOBAL_DNSMASQ_PORT}
|
||||
}
|
||||
|
||||
add_ip2route() {
|
||||
@ -1599,6 +1620,7 @@ acl_app() {
|
||||
redir_port=11200
|
||||
dns_port=11300
|
||||
dnsmasq_port=11400
|
||||
[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
|
||||
chinadns_port=11500
|
||||
for item in $items; do
|
||||
sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}')
|
||||
@ -1625,9 +1647,10 @@ acl_app() {
|
||||
unset s2
|
||||
done
|
||||
|
||||
mkdir -p $TMP_ACL_PATH/$sid
|
||||
local acl_path=${TMP_ACL_PATH}/$sid
|
||||
mkdir -p ${acl_path}
|
||||
|
||||
[ ! -z "${source_list}" ] && echo -e "${source_list}" | sed '/^$/d' > $TMP_ACL_PATH/$sid/source_list
|
||||
[ ! -z "${source_list}" ] && echo -e "${source_list}" | sed '/^$/d' > ${acl_path}/source_list
|
||||
|
||||
use_global_config=${use_global_config:-0}
|
||||
tcp_node=${tcp_node:-nil}
|
||||
@ -1726,28 +1749,17 @@ acl_app() {
|
||||
}
|
||||
|
||||
dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
|
||||
redirect_dns_port=$dnsmasq_port
|
||||
mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d
|
||||
[ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && {
|
||||
cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/server/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
}
|
||||
echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
[ "$use_default_dns" = "remote" ] && {
|
||||
dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}')
|
||||
[ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!"
|
||||
}
|
||||
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d -DNSMASQ_CONF_DIR ${DNSMASQ_CONF_DIR} \
|
||||
-DNSMASQ_CONF_FILE $TMP_ACL_PATH/$sid/dnsmasq.conf -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \
|
||||
local dnsmasq_conf=${acl_path}/dnsmasq.conf
|
||||
local dnsmasq_conf_path=${acl_path}/dnsmasq.d
|
||||
source $APP_PATH/helper_dnsmasq.sh copy_instance listen_port=$dnsmasq_port dnsmasq_conf="${dnsmasq_conf}" dnsmasq_conf_path="${dnsmasq_conf_path}"
|
||||
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH ${dnsmasq_conf_path} \
|
||||
-DNSMASQ_CONF_FILE ${dnsmasq_conf} -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \
|
||||
-USE_DIRECT_LIST "${use_direct_list}" -USE_PROXY_LIST "${use_proxy_list}" -USE_BLOCK_LIST "${use_block_list}" -USE_GFW_LIST "${use_gfw_list}" -CHN_LIST "${chn_list}" \
|
||||
-TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -USE_DEFAULT_DNS "${use_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \
|
||||
-TCP_NODE $tcp_node -DEFAULT_PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${dnsmasq_filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \
|
||||
-NO_LOGIC_LOG 1
|
||||
ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid
|
||||
ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C ${dnsmasq_conf} -x ${acl_path}/dnsmasq.pid
|
||||
echo "${dnsmasq_port}" > ${acl_path}/var_redirect_dns_port
|
||||
eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port}
|
||||
}
|
||||
_redir_port=$(eval echo \${node_${tcp_node}_redir_port})
|
||||
@ -1760,7 +1772,7 @@ acl_app() {
|
||||
_dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)})
|
||||
run_dns ${_dns_port}
|
||||
else
|
||||
redirect_dns_port=${_dnsmasq_port}
|
||||
[ -n "${_dnsmasq_port}" ] && echo "${_dnsmasq_port}" > ${acl_path}/var_redirect_dns_port
|
||||
fi
|
||||
else
|
||||
socks_port=$(get_new_port $(expr $socks_port + 1))
|
||||
@ -1798,10 +1810,10 @@ acl_app() {
|
||||
fi
|
||||
run_dns ${_dns_port}
|
||||
fi
|
||||
echo "${tcp_node}" > $TMP_ACL_PATH/$sid/var_tcp_node
|
||||
echo "${tcp_node}" > ${acl_path}/var_tcp_node
|
||||
}
|
||||
fi
|
||||
echo "${tcp_port}" > $TMP_ACL_PATH/$sid/var_tcp_port
|
||||
echo "${tcp_port}" > ${acl_path}/var_tcp_port
|
||||
}
|
||||
[ "$udp_node" != "nil" ] && {
|
||||
[ "$udp_node" = "tcp" ] && udp_node=$tcp_node
|
||||
@ -1850,18 +1862,16 @@ acl_app() {
|
||||
run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file
|
||||
fi
|
||||
fi
|
||||
echo "${udp_node}" > $TMP_ACL_PATH/$sid/var_udp_node
|
||||
echo "${udp_node}" > ${acl_path}/var_udp_node
|
||||
fi
|
||||
}
|
||||
fi
|
||||
echo "${udp_port}" > $TMP_ACL_PATH/$sid/var_udp_port
|
||||
echo "${udp_port}" > ${acl_path}/var_udp_port
|
||||
udp_flag=1
|
||||
}
|
||||
[ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port
|
||||
unset enabled sid remarks sources interface use_global_config tcp_node udp_node use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode filter_proxy_ipv6 dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip
|
||||
unset _ip _mac _iprange _ipset _ip_or_mac source_list tcp_port udp_port config_file _extra_param
|
||||
unset _china_ng_listen _chinadns_local_dns _direct_dns_mode chinadns_ng_default_tag dnsmasq_filter_proxy_ipv6
|
||||
unset redirect_dns_port
|
||||
done
|
||||
unset socks_port redir_port dns_port dnsmasq_port chinadns_port
|
||||
}
|
||||
@ -1904,13 +1914,12 @@ start() {
|
||||
}
|
||||
|
||||
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
|
||||
mkdir -p $TMP_ACL_PATH/default
|
||||
mkdir -p ${GLOBAL_ACL_PATH}
|
||||
start_redir TCP
|
||||
start_redir UDP
|
||||
start_dns
|
||||
}
|
||||
[ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start
|
||||
[ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_${DNS_N}.sh logic_restart
|
||||
start_crontab
|
||||
echolog "运行完成!\n"
|
||||
}
|
||||
@ -1927,8 +1936,6 @@ stop() {
|
||||
unset XRAY_LOCATION_ASSET
|
||||
stop_crontab
|
||||
source $APP_PATH/helper_smartdns.sh del
|
||||
source $APP_PATH/helper_dnsmasq.sh del
|
||||
source $APP_PATH/helper_dnsmasq.sh restart no_log=1
|
||||
[ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1
|
||||
[ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1
|
||||
rm -rf ${TMP_PATH}
|
||||
@ -1999,17 +2006,6 @@ RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
|
||||
ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
|
||||
ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
|
||||
|
||||
DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')"
|
||||
if [ -f "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID" ]; then
|
||||
DNSMASQ_CONF_DIR="$(awk -F '=' '/^conf-dir=/ {print $2}' "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID")"
|
||||
if [ -n "$DNSMASQ_CONF_DIR" ]; then
|
||||
DNSMASQ_CONF_DIR=${DNSMASQ_CONF_DIR%*/}
|
||||
TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG}
|
||||
else
|
||||
DNSMASQ_CONF_DIR="/tmp/dnsmasq.d"
|
||||
fi
|
||||
fi
|
||||
|
||||
DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
|
||||
[ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
|
||||
LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}"
|
||||
|
||||
@ -1,89 +1,27 @@
|
||||
#!/bin/sh
|
||||
|
||||
stretch() {
|
||||
#zhenduiluanshezhiDNSderen
|
||||
local dnsmasq_server=$(uci -q get dhcp.@dnsmasq[0].server)
|
||||
local dnsmasq_noresolv=$(uci -q get dhcp.@dnsmasq[0].noresolv)
|
||||
local _flag
|
||||
for server in $dnsmasq_server; do
|
||||
[ -z "$(echo $server | grep '\/')" ] && _flag=1
|
||||
done
|
||||
[ -z "$_flag" ] && [ "$dnsmasq_noresolv" = "1" ] && {
|
||||
uci -q delete dhcp.@dnsmasq[0].noresolv
|
||||
uci -q set dhcp.@dnsmasq[0].resolvfile="$RESOLVFILE"
|
||||
uci commit dhcp
|
||||
copy_instance() {
|
||||
local listen_port dnsmasq_conf
|
||||
eval_set_val $@
|
||||
[ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && {
|
||||
cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $dnsmasq_conf
|
||||
sed -i "/ubus/d" $dnsmasq_conf
|
||||
sed -i "/dhcp/d" $dnsmasq_conf
|
||||
sed -i "/port=/d" $dnsmasq_conf
|
||||
sed -i "/conf-dir/d" $dnsmasq_conf
|
||||
sed -i "/no-poll/d" $dnsmasq_conf
|
||||
sed -i "/no-resolv/d" $dnsmasq_conf
|
||||
}
|
||||
echo "port=${listen_port}" >> $dnsmasq_conf
|
||||
}
|
||||
|
||||
backup_servers() {
|
||||
DNSMASQ_DNS=$(uci show dhcp.@dnsmasq[0] | grep ".server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' ',')
|
||||
if [ -n "${DNSMASQ_DNS}" ]; then
|
||||
uci -q set $CONFIG.@global[0].dnsmasq_servers="${DNSMASQ_DNS}"
|
||||
uci commit $CONFIG
|
||||
fi
|
||||
}
|
||||
|
||||
restore_servers() {
|
||||
OLD_SERVER=$(uci -q get $CONFIG.@global[0].dnsmasq_servers | tr "," " ")
|
||||
for server in $OLD_SERVER; do
|
||||
uci -q del_list dhcp.@dnsmasq[0].server=$server
|
||||
uci -q add_list dhcp.@dnsmasq[0].server=$server
|
||||
done
|
||||
uci commit dhcp
|
||||
uci -q delete $CONFIG.@global[0].dnsmasq_servers
|
||||
uci commit $CONFIG
|
||||
}
|
||||
|
||||
logic_restart() {
|
||||
local no_log
|
||||
eval_set_val $@
|
||||
_LOG_FILE=$LOG_FILE
|
||||
[ -n "$no_log" ] && LOG_FILE="/dev/null"
|
||||
if [ -f "$TMP_PATH/default_DNS" ]; then
|
||||
backup_servers
|
||||
#sed -i "/list server/d" /etc/config/dhcp >/dev/null 2>&1
|
||||
for server in $(uci -q get dhcp.@dnsmasq[0].server); do
|
||||
[ -n "$(echo $server | grep '\/')" ] || uci -q del_list dhcp.@dnsmasq[0].server="$server"
|
||||
done
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
restore_servers
|
||||
else
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
fi
|
||||
echolog "重启 dnsmasq 服务"
|
||||
LOG_FILE=${_LOG_FILE}
|
||||
}
|
||||
|
||||
restart() {
|
||||
local no_log
|
||||
eval_set_val $@
|
||||
_LOG_FILE=$LOG_FILE
|
||||
[ -n "$no_log" ] && LOG_FILE="/dev/null"
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
echolog "重启 dnsmasq 服务"
|
||||
LOG_FILE=${_LOG_FILE}
|
||||
}
|
||||
|
||||
del() {
|
||||
rm -rf $DNSMASQ_CONF_DIR/dnsmasq-$CONFIG.conf
|
||||
rm -rf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf
|
||||
rm -rf $TMP_DNSMASQ_PATH
|
||||
}
|
||||
DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')"
|
||||
|
||||
arg1=$1
|
||||
shift
|
||||
case $arg1 in
|
||||
stretch)
|
||||
stretch $@
|
||||
;;
|
||||
del)
|
||||
del $@
|
||||
;;
|
||||
restart)
|
||||
restart $@
|
||||
;;
|
||||
logic_restart)
|
||||
logic_restart $@
|
||||
copy_instance)
|
||||
copy_instance $@
|
||||
;;
|
||||
*) ;;
|
||||
esac
|
||||
|
||||
@ -4,7 +4,6 @@ local appname = "passwall"
|
||||
|
||||
local var = api.get_args(arg)
|
||||
local FLAG = var["-FLAG"]
|
||||
local DNSMASQ_CONF_DIR = var["-DNSMASQ_CONF_DIR"]
|
||||
local TMP_DNSMASQ_PATH = var["-TMP_DNSMASQ_PATH"]
|
||||
local DNSMASQ_CONF_FILE = var["-DNSMASQ_CONF_FILE"]
|
||||
local DEFAULT_DNS = var["-DEFAULT_DNS"]
|
||||
@ -192,7 +191,6 @@ local setflag_4= (NFTFLAG == "1") and "4#inet#passwall#" or ""
|
||||
local setflag_6= (NFTFLAG == "1") and "6#inet#passwall#" or ""
|
||||
|
||||
if not fs.access(CACHE_DNS_PATH) then
|
||||
fs.mkdir(DNSMASQ_CONF_DIR)
|
||||
fs.mkdir(CACHE_DNS_PATH)
|
||||
|
||||
--屏蔽列表
|
||||
|
||||
@ -182,23 +182,6 @@ get_wan6_ip() {
|
||||
echo $NET_ADDR
|
||||
}
|
||||
|
||||
get_geoip() {
|
||||
local geoip_code="$1"
|
||||
local geoip_type_flag=""
|
||||
local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
|
||||
geoip_path="${geoip_path%*/}/geoip.dat"
|
||||
[ -e "$geoip_path" ] || { echo ""; return; }
|
||||
case "$2" in
|
||||
"ipv4") geoip_type_flag="-ipv6=false" ;;
|
||||
"ipv6") geoip_type_flag="-ipv4=false" ;;
|
||||
esac
|
||||
if type geoview &> /dev/null; then
|
||||
geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
load_acl() {
|
||||
([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:"
|
||||
[ "$ENABLED_ACLS" == 1 ] && {
|
||||
@ -233,6 +216,7 @@ load_acl() {
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
|
||||
use_shunt_tcp=0
|
||||
use_shunt_udp=0
|
||||
@ -259,6 +243,9 @@ load_acl() {
|
||||
chn_list=${CHN_LIST}
|
||||
tcp_proxy_mode=${TCP_PROXY_MODE}
|
||||
udp_proxy_mode=${UDP_PROXY_MODE}
|
||||
use_shunt_tcp=${USE_SHUNT_TCP}
|
||||
use_shunt_udp=${USE_SHUNT_UDP}
|
||||
dns_redirect_port=${DNS_REDIRECT_PORT}
|
||||
}
|
||||
|
||||
_acl_list=${TMP_ACL_PATH}/${sid}/source_list
|
||||
@ -333,7 +320,25 @@ load_acl() {
|
||||
echolog " - ${msg}不代理所有 UDP 端口"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then
|
||||
[ -n "$dns_redirect_port" ] && {
|
||||
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
}
|
||||
else
|
||||
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_n -A PSW_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
fi
|
||||
|
||||
[ -n "$tcp_port" -o -n "$udp_port" ] && {
|
||||
[ "${use_direct_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN
|
||||
[ "${use_direct_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN
|
||||
@ -380,7 +385,6 @@ load_acl() {
|
||||
|
||||
[ -n "$tcp_port" ] && {
|
||||
if [ -n "${tcp_proxy_mode}" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
msg2="${msg}使用 TCP 节点[$tcp_node_remark]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
msg2="${msg2}(TPROXY:${tcp_port})"
|
||||
@ -463,7 +467,7 @@ load_acl() {
|
||||
$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
|
||||
unset ipt_tmp ipt_j _ipt_source msg msg2
|
||||
done
|
||||
unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface
|
||||
unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode dns_redirect_port tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface
|
||||
unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp
|
||||
done
|
||||
}
|
||||
@ -495,6 +499,19 @@ load_acl() {
|
||||
fi
|
||||
}
|
||||
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
$ipt_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "默认") -p udp --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW $(comment "默认") -p tcp --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_n -A PSW_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A PSW_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
$ipt_n -A PSW_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A PSW_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
}
|
||||
fi
|
||||
|
||||
[ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN
|
||||
@ -654,6 +671,10 @@ filter_node() {
|
||||
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
|
||||
local address=$(config_n_get $node address)
|
||||
local port=$(config_n_get $node port)
|
||||
[ -z "$address" ] && [ -z "$port" ] && {
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 1
|
||||
}
|
||||
ipt_tmp=$ipt_n
|
||||
_is_tproxy=${is_tproxy}
|
||||
[ "$stream" == "udp" ] && _is_tproxy="TPROXY"
|
||||
@ -665,7 +686,7 @@ filter_node() {
|
||||
fi
|
||||
else
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 0
|
||||
return 1
|
||||
fi
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
@ -674,7 +695,6 @@ filter_node() {
|
||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSLIST6
|
||||
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
local dst_rule="-j PSW_RULE"
|
||||
msg2="按规则路由(${msg})"
|
||||
[ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || {
|
||||
@ -697,7 +717,7 @@ filter_node() {
|
||||
|
||||
local proxy_protocol=$(config_n_get $proxy_node protocol)
|
||||
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
|
||||
if [ "$proxy_protocol" == "_balancing" ]; then
|
||||
#echolog " - 多节点负载均衡(${proxy_type})..."
|
||||
proxy_node=$(config_n_get $proxy_node balancing_node)
|
||||
@ -706,56 +726,40 @@ filter_node() {
|
||||
done
|
||||
elif [ "$proxy_protocol" == "_shunt" ]; then
|
||||
#echolog " - 按请求目的地址分流(${proxy_type})..."
|
||||
local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0)
|
||||
[ "$preproxy_enabled" == "1" ] && {
|
||||
local preproxy_node=$(config_n_get $proxy_node main_node nil)
|
||||
[ "$preproxy_node" != "nil" ] && {
|
||||
local preproxy_node_address=$(config_n_get $preproxy_node address)
|
||||
if [ -n "$preproxy_node_address" ]; then
|
||||
filter_rules $preproxy_node $stream
|
||||
else
|
||||
preproxy_enabled=0
|
||||
fi
|
||||
}
|
||||
}
|
||||
local default_node=$(config_n_get $proxy_node default_node _direct)
|
||||
local main_node=$(config_n_get $proxy_node main_node nil)
|
||||
if [ "$main_node" != "nil" ]; then
|
||||
filter_rules $main_node $stream
|
||||
else
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
filter_rules $default_node $stream
|
||||
fi
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil)
|
||||
[ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil"
|
||||
[ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream
|
||||
fi
|
||||
:<<!
|
||||
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
|
||||
local default_node_port=$(config_n_get $default_node port)
|
||||
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
#local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
|
||||
local shunt_proxy=0
|
||||
local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
|
||||
[ "$shunt_node" != "nil" ] && {
|
||||
[ "$shunt_proxy" == 1 ] && {
|
||||
local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1)
|
||||
local shunt_node_port=$(config_n_get $shunt_node port)
|
||||
[ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && {
|
||||
shunt_proxy=0
|
||||
}
|
||||
}
|
||||
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
|
||||
}
|
||||
[ "$shunt_node" == "nil" -o "$shunt_node" == "_default" -o "$shunt_node" == "_direct" -o "$shunt_node" == "_blackhole" ] && continue
|
||||
local shunt_node_address=$(config_n_get $shunt_node address)
|
||||
[ -z "$shunt_node_address" ] && continue
|
||||
local shunt_proxy_tag=$(config_n_get $proxy_node "${shunt_id}_proxy_tag" nil)
|
||||
[ "$shunt_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && shunt_proxy_tag="nil"
|
||||
[ "$shunt_proxy_tag" == "nil" ] && filter_rules $shunt_node $stream
|
||||
done
|
||||
!
|
||||
else
|
||||
#echolog " - 普通节点(${proxy_type})..."
|
||||
filter_rules "$proxy_node" "$stream"
|
||||
fi
|
||||
}
|
||||
|
||||
dns_hijack() {
|
||||
[ $(config_t_get global dns_redirect "0") = "1" ] && {
|
||||
$ipt_m -A PSW -p udp --dport 53 -j RETURN
|
||||
$ipt_m -A PSW -p tcp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW -p udp --dport 53 -j RETURN
|
||||
$ip6t_m -A PSW -p tcp --dport 53 -j RETURN
|
||||
$ipt_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
|
||||
$ipt_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
|
||||
$ip6t_n -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
|
||||
$ip6t_n -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "PSW_DNS_Hijack" 2>/dev/null
|
||||
echolog " - 开启 DNS 重定向"
|
||||
}
|
||||
}
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||
@ -1007,6 +1011,9 @@ add_firewall_rule() {
|
||||
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
}
|
||||
|
||||
$ip6t_n -N PSW_REDIRECT
|
||||
$ip6t_n -I PREROUTING 1 -j PSW_REDIRECT
|
||||
|
||||
$ip6t_m -N PSW_DIVERT
|
||||
$ip6t_m -A PSW_DIVERT -j MARK --set-mark 1
|
||||
$ip6t_m -A PSW_DIVERT -j ACCEPT
|
||||
@ -1108,7 +1115,16 @@ add_firewall_rule() {
|
||||
echolog " - ${msg}不代理所有 UDP 端口"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
$ipt_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A OUTPUT $(comment "PSW") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
$ipt_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A OUTPUT $(comment "PSW") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
}
|
||||
fi
|
||||
|
||||
[ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
|
||||
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
|
||||
$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
|
||||
@ -1266,9 +1282,6 @@ add_firewall_rule() {
|
||||
|
||||
$ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN
|
||||
insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN"
|
||||
|
||||
dns_hijack
|
||||
|
||||
}
|
||||
|
||||
# 加载ACLS
|
||||
|
||||
@ -242,23 +242,6 @@ get_wan6_ip() {
|
||||
echo $NET_ADDR
|
||||
}
|
||||
|
||||
get_geoip() {
|
||||
local geoip_code="$1"
|
||||
local geoip_type_flag=""
|
||||
local geoip_path="$(config_t_get global_rules v2ray_location_asset)"
|
||||
geoip_path="${geoip_path%*/}/geoip.dat"
|
||||
[ -e "$geoip_path" ] || { echo ""; return; }
|
||||
case "$2" in
|
||||
"ipv4") geoip_type_flag="-ipv6=false" ;;
|
||||
"ipv6") geoip_type_flag="-ipv4=false" ;;
|
||||
esac
|
||||
if type geoview &> /dev/null; then
|
||||
geoview -input "$geoip_path" -list "$geoip_code" $geoip_type_flag -lowmem=true
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
load_acl() {
|
||||
([ "$ENABLED_ACLS" == 1 ] || ([ "$ENABLED_DEFAULT_ACL" == 1 ] && [ "$CLIENT_PROXY" == 1 ])) && echolog " - 访问控制:"
|
||||
[ "$ENABLED_ACLS" == 1 ] && {
|
||||
@ -293,6 +276,7 @@ load_acl() {
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
|
||||
use_shunt_tcp=0
|
||||
use_shunt_udp=0
|
||||
@ -321,6 +305,7 @@ load_acl() {
|
||||
udp_proxy_mode=${UDP_PROXY_MODE}
|
||||
use_shunt_tcp=${USE_SHUNT_TCP}
|
||||
use_shunt_udp=${USE_SHUNT_UDP}
|
||||
dns_redirect_port=${DNS_REDIRECT_PORT}
|
||||
}
|
||||
|
||||
_acl_list=${TMP_ACL_PATH}/${sid}/source_list
|
||||
@ -385,7 +370,25 @@ load_acl() {
|
||||
echolog " - ${msg}不代理所有 UDP 端口"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if ([ -n "$tcp_port" ] && [ -n "${tcp_proxy_mode}" ]) || ([ -n "$udp_port" ] && [ -n "${udp_proxy_mode}" ]); then
|
||||
[ -n "$dns_redirect_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
}
|
||||
else
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
fi
|
||||
|
||||
[ -n "$tcp_port" -o -n "$udp_port" ] && {
|
||||
[ "${use_direct_list}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
|
||||
[ "${use_direct_list}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
|
||||
@ -433,7 +436,6 @@ load_acl() {
|
||||
|
||||
[ -n "$tcp_port" ] && {
|
||||
if [ -n "${tcp_proxy_mode}" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
msg2="${msg}使用 TCP 节点[$tcp_node_remark]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
msg2="${msg2}(TPROXY:${tcp_port})"
|
||||
@ -521,7 +523,7 @@ load_acl() {
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
|
||||
unset nft_chain nft_j _ipt_source msg msg2
|
||||
done
|
||||
unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface
|
||||
unset enabled sid remarks sources use_global_config use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode dns_redirect_port tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node interface
|
||||
unset tcp_port udp_port tcp_node_remark udp_node_remark _acl_list use_shunt_tcp use_shunt_udp
|
||||
done
|
||||
}
|
||||
@ -550,6 +552,19 @@ load_acl() {
|
||||
fi
|
||||
}
|
||||
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
}
|
||||
fi
|
||||
|
||||
[ -n "${TCP_PROXY_MODE}" -o -n "${UDP_PROXY_MODE}" ] && {
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW_NAT ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
|
||||
@ -725,6 +740,10 @@ filter_node() {
|
||||
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
|
||||
local address=$(config_n_get $node address)
|
||||
local port=$(config_n_get $node port)
|
||||
[ -z "$address" ] && [ -z "$port" ] && {
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 1
|
||||
}
|
||||
_is_tproxy=${is_tproxy}
|
||||
[ "$stream" == "udp" ] && _is_tproxy="TPROXY"
|
||||
if [ -n "${_is_tproxy}" ]; then
|
||||
@ -734,7 +753,7 @@ filter_node() {
|
||||
fi
|
||||
else
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 0
|
||||
return 1
|
||||
fi
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
@ -743,7 +762,6 @@ filter_node() {
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
|
||||
nft "list chain $NFTABLE_NAME $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
local dst_rule="jump PSW_RULE"
|
||||
msg2="按规则路由(${msg})"
|
||||
[ -n "${is_tproxy}" ] || {
|
||||
@ -766,7 +784,7 @@ filter_node() {
|
||||
|
||||
local proxy_protocol=$(config_n_get $proxy_node protocol)
|
||||
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
|
||||
if [ "$proxy_protocol" == "_balancing" ]; then
|
||||
#echolog " - 多节点负载均衡(${proxy_type})..."
|
||||
proxy_node=$(config_n_get $proxy_node balancing_node)
|
||||
@ -775,58 +793,40 @@ filter_node() {
|
||||
done
|
||||
elif [ "$proxy_protocol" == "_shunt" ]; then
|
||||
#echolog " - 按请求目的地址分流(${proxy_type})..."
|
||||
local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0)
|
||||
[ "$preproxy_enabled" == "1" ] && {
|
||||
local preproxy_node=$(config_n_get $proxy_node main_node nil)
|
||||
[ "$preproxy_node" != "nil" ] && {
|
||||
local preproxy_node_address=$(config_n_get $preproxy_node address)
|
||||
if [ -n "$preproxy_node_address" ]; then
|
||||
filter_rules $preproxy_node $stream
|
||||
else
|
||||
preproxy_enabled=0
|
||||
fi
|
||||
}
|
||||
}
|
||||
local default_node=$(config_n_get $proxy_node default_node _direct)
|
||||
local main_node=$(config_n_get $proxy_node main_node nil)
|
||||
if [ "$main_node" != "nil" ]; then
|
||||
filter_rules $main_node $stream
|
||||
else
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
filter_rules $default_node $stream
|
||||
fi
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil)
|
||||
[ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil"
|
||||
[ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream
|
||||
fi
|
||||
:<<!
|
||||
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
|
||||
local default_node_port=$(config_n_get $default_node port)
|
||||
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
#local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
|
||||
local shunt_proxy=0
|
||||
local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
|
||||
[ "$shunt_node" != "nil" ] && {
|
||||
[ "$shunt_proxy" == 1 ] && {
|
||||
local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1)
|
||||
local shunt_node_port=$(config_n_get $shunt_node port)
|
||||
[ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && {
|
||||
shunt_proxy=0
|
||||
}
|
||||
}
|
||||
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
|
||||
}
|
||||
[ "$shunt_node" == "nil" -o "$shunt_node" == "_default" -o "$shunt_node" == "_direct" -o "$shunt_node" == "_blackhole" ] && continue
|
||||
local shunt_node_address=$(config_n_get $shunt_node address)
|
||||
[ -z "$shunt_node_address" ] && continue
|
||||
local shunt_proxy_tag=$(config_n_get $proxy_node "${shunt_id}_proxy_tag" nil)
|
||||
[ "$shunt_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && shunt_proxy_tag="nil"
|
||||
[ "$shunt_proxy_tag" == "nil" ] && filter_rules $shunt_node $stream
|
||||
done
|
||||
!
|
||||
else
|
||||
#echolog " - 普通节点(${proxy_type})..."
|
||||
filter_rules "$proxy_node" "$stream"
|
||||
fi
|
||||
}
|
||||
|
||||
dns_hijack() {
|
||||
[ $(config_t_get global dns_redirect "0") = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp udp dport 53 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol tcp tcp dport 53 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return"
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW_DNS_Hijack\" 2>/dev/null
|
||||
uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null
|
||||
uci commit dhcp 2>/dev/null
|
||||
echolog " - 开启 DNS 重定向"
|
||||
}
|
||||
}
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
gen_nft_tables
|
||||
@ -1182,7 +1182,16 @@ add_firewall_rule() {
|
||||
echolog " - ${msg}不代理所有 UDP 端口"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if ([ "$TCP_NODE" != "nil" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ]) || ([ "$UDP_NODE" != "nil" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ]); then
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW\""
|
||||
}
|
||||
fi
|
||||
|
||||
[ -n "${LOCALHOST_TCP_PROXY_MODE}" -o -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
|
||||
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
|
||||
nft add rule $NFTABLE_NAME $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
|
||||
@ -1340,8 +1349,6 @@ add_firewall_rule() {
|
||||
|
||||
nft "add rule $NFTABLE_NAME mangle_output oif lo counter return comment \"PSW_OUTPUT_MANGLE\""
|
||||
nft "add rule $NFTABLE_NAME mangle_output meta mark 1 counter return comment \"PSW_OUTPUT_MANGLE\""
|
||||
|
||||
dns_hijack
|
||||
}
|
||||
|
||||
# 加载ACLS
|
||||
|
||||
@ -5,8 +5,8 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall2
|
||||
PKG_VERSION:=24.12.11
|
||||
PKG_RELEASE:=3
|
||||
PKG_VERSION:=24.12.12
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \
|
||||
@ -24,14 +24,13 @@ PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Simple_Obfs \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_SingBox \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_tuic_client \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Geoview \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin
|
||||
|
||||
LUCI_TITLE:=LuCI support for PassWall 2
|
||||
LUCI_PKGARCH:=all
|
||||
LUCI_DEPENDS:=+coreutils +coreutils-base64 +coreutils-nohup +curl \
|
||||
+ip-full +libuci-lua +lua +luci-compat +luci-lib-jsonc +resolveip +tcping \
|
||||
+xray-core +v2ray-geoip +v2ray-geosite \
|
||||
+xray-core +geoview +v2ray-geoip +v2ray-geosite \
|
||||
+unzip \
|
||||
+PACKAGE_$(PKG_NAME)_INCLUDE_IPv6_Nat:ip6tables-mod-nat
|
||||
|
||||
@ -138,11 +137,6 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_tuic_client
|
||||
select PACKAGE_tuic-client
|
||||
default n
|
||||
|
||||
config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Geoview
|
||||
bool "Include V2ray_Geoview"
|
||||
select PACKAGE_geoview
|
||||
default y if aarch64||arm||i386||x86_64
|
||||
|
||||
config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin
|
||||
bool "Include V2ray-Plugin (Shadowsocks Plugin)"
|
||||
select PACKAGE_v2ray-plugin
|
||||
|
||||
@ -259,6 +259,7 @@ if has_singbox then
|
||||
local geoip_path = s.fields["geoip_path"] and s.fields["geoip_path"]:formvalue(section) or nil
|
||||
if geoip_path then
|
||||
os.remove(geoip_path)
|
||||
luci.sys.call("rm -f /tmp/etc/passwall2_tmp/geoip-*.json")
|
||||
end
|
||||
local geosite_path = s.fields["geosite_path"] and s.fields["geosite_path"]:formvalue(section) or nil
|
||||
if geosite_path then
|
||||
|
||||
@ -1386,6 +1386,11 @@ function gen_config(var)
|
||||
string.gsub(direct_ipset, '[^' .. "," .. ']+', function(w)
|
||||
sys.call("ipset -q -F " .. w)
|
||||
end)
|
||||
local ipset_prefix_name = "passwall2_" .. node_id .. "_"
|
||||
local ipset_list = sys.exec("ipset list | grep 'Name: ' | grep '" .. ipset_prefix_name .. "' | awk '{print $2}'")
|
||||
string.gsub(ipset_list, '[^' .. "\r\n" .. ']+', function(w)
|
||||
sys.call("ipset -q -F " .. w)
|
||||
end)
|
||||
end
|
||||
if direct_nftset then
|
||||
string.gsub(direct_nftset, '[^' .. "," .. ']+', function(w)
|
||||
@ -1398,6 +1403,13 @@ function gen_config(var)
|
||||
sys.call(string.format("nft flush set %s %s %s 2>/dev/null", family, table_name, set_name))
|
||||
end
|
||||
end)
|
||||
local family = "inet"
|
||||
local table_name = "passwall2"
|
||||
local nftset_prefix_name = "passwall2_" .. node_id .. "_"
|
||||
local nftset_list = sys.exec("nft -a list sets | grep -E '" .. nftset_prefix_name .. "' | awk -F 'set ' '{print $2}' | awk '{print $1}'")
|
||||
string.gsub(nftset_list, '[^' .. "\r\n" .. ']+', function(w)
|
||||
sys.call(string.format("nft flush set %s %s %s 2>/dev/null", family, table_name, w))
|
||||
end)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@ -1405,6 +1405,11 @@ function gen_config(var)
|
||||
string.gsub(direct_ipset, '[^' .. "," .. ']+', function(w)
|
||||
sys.call("ipset -q -F " .. w)
|
||||
end)
|
||||
local ipset_prefix_name = "passwall2_" .. node_id .. "_"
|
||||
local ipset_list = sys.exec("ipset list | grep 'Name: ' | grep '" .. ipset_prefix_name .. "' | awk '{print $2}'")
|
||||
string.gsub(ipset_list, '[^' .. "\r\n" .. ']+', function(w)
|
||||
sys.call("ipset -q -F " .. w)
|
||||
end)
|
||||
end
|
||||
if direct_nftset then
|
||||
string.gsub(direct_nftset, '[^' .. "," .. ']+', function(w)
|
||||
@ -1417,6 +1422,13 @@ function gen_config(var)
|
||||
sys.call(string.format("nft flush set %s %s %s 2>/dev/null", family, table_name, set_name))
|
||||
end
|
||||
end)
|
||||
local family = "inet"
|
||||
local table_name = "passwall2"
|
||||
local nftset_prefix_name = "passwall2_" .. node_id .. "_"
|
||||
local nftset_list = sys.exec("nft -a list sets | grep -E '" .. nftset_prefix_name .. "' | awk -F 'set ' '{print $2}' | awk '{print $1}'")
|
||||
string.gsub(nftset_list, '[^' .. "\r\n" .. ']+', function(w)
|
||||
sys.call(string.format("nft flush set %s %s %s 2>/dev/null", family, table_name, w))
|
||||
end)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@ -47,6 +47,7 @@ config global_rules
|
||||
option geosite_update '1'
|
||||
option geoip_update '1'
|
||||
option v2ray_location_asset '/usr/share/v2ray/'
|
||||
option enable_geoview '1'
|
||||
|
||||
config global_app
|
||||
option xray_file '/usr/bin/xray'
|
||||
|
||||
@ -302,6 +302,28 @@ get_geoip() {
|
||||
fi
|
||||
}
|
||||
|
||||
get_singbox_geoip() {
|
||||
local geoip_code="$1"
|
||||
local geoip_path=$(config_t_get global_singbox geoip_path)
|
||||
[ -e "$geoip_path" ] || { echo ""; return; }
|
||||
local has_geoip_tools=$($(first_type $(config_t_get global_app singbox_file) sing-box) geoip | grep "GeoIP tools")
|
||||
if [ -n "${has_geoip_tools}" ]; then
|
||||
[ -f "${geoip_path}" ] && local geoip_md5=$(md5sum ${geoip_path} | awk '{print $1}')
|
||||
local output_file="${TMP_PATH2}/geoip-${geoip_md5}-${geoip_code}.json"
|
||||
[ ! -f ${output_file} ] && $(first_type $(config_t_get global_app singbox_file) sing-box) geoip -f "${geoip_path}" export "${geoip_code}" -o "${output_file}"
|
||||
case "$2" in
|
||||
ipv4)
|
||||
cat ${output_file} | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | awk -F '"' '{print $2}' | sed -e "/^$/d"
|
||||
;;
|
||||
ipv6)
|
||||
cat ${output_file} | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F '"' '{print $2}' | sed -e "/^$/d"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
echo ""
|
||||
fi
|
||||
}
|
||||
|
||||
run_xray() {
|
||||
local flag node redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
|
||||
local dns_listen_port direct_dns_query_strategy remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache write_ipset_direct
|
||||
@ -735,6 +757,7 @@ run_global() {
|
||||
|
||||
GLOBAL_DNSMASQ_PORT=$(get_new_port 11400)
|
||||
run_copy_dnsmasq flag="default" listen_port=$GLOBAL_DNSMASQ_PORT tun_dns="${TUN_DNS}"
|
||||
DNS_REDIRECT_PORT=${GLOBAL_DNSMASQ_PORT}
|
||||
}
|
||||
|
||||
start_socks() {
|
||||
|
||||
@ -187,6 +187,91 @@ get_wan6_ip() {
|
||||
echo $NET_ADDR
|
||||
}
|
||||
|
||||
gen_shunt_list() {
|
||||
local node=${1}
|
||||
local shunt_list4_var_name=${2}
|
||||
local shunt_list6_var_name=${3}
|
||||
local _write_ipset_direct=${4}
|
||||
local _set_name4=${5}
|
||||
local _set_name6=${6}
|
||||
[ -z "$node" ] && continue
|
||||
unset ${shunt_list4_var_name}
|
||||
unset ${shunt_list6_var_name}
|
||||
local _SHUNT_LIST4 _SHUNT_LIST6
|
||||
local USE_SHUNT_NODE=0
|
||||
NODE_PROTOCOL=$(config_n_get $node protocol)
|
||||
[ "$NODE_PROTOCOL" = "_shunt" ] && USE_SHUNT_NODE=1
|
||||
[ "$USE_SHUNT_NODE" = "1" ] && {
|
||||
local default_node=$(config_n_get ${node} default_node _direct)
|
||||
local default_outbound="redirect"
|
||||
[ "$default_node" = "_direct" ] && default_outbound="direct"
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
local shunt_node=$(config_n_get ${node} "${shunt_id}" nil)
|
||||
[ "$shunt_node" != "nil" ] && {
|
||||
local ipset_v4="passwall2_${node}_${shunt_id}"
|
||||
local ipset_v6="passwall2_${node}_${shunt_id}6"
|
||||
ipset -! create $ipset_v4 nethash maxelem 1048576
|
||||
ipset -! create $ipset_v6 nethash family inet6 maxelem 1048576
|
||||
local outbound="redirect"
|
||||
[ "$shunt_node" = "_direct" ] && outbound="direct"
|
||||
[ "$shunt_node" = "_default" ] && outbound="${default_outbound}"
|
||||
_SHUNT_LIST4="${_SHUNT_LIST4} ${ipset_v4}:${outbound}"
|
||||
_SHUNT_LIST6="${_SHUNT_LIST6} ${ipset_v6}:${outbound}"
|
||||
|
||||
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_v4 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_v6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local _geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$_geoip_code" ] && {
|
||||
if [ "$(config_n_get $node type)" = "sing-box" ]; then
|
||||
get_singbox_geoip $_geoip_code ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_v4 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
get_singbox_geoip $_geoip_code ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_v6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
else
|
||||
if type geoview &> /dev/null; then
|
||||
get_geoip $_geoip_code ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_v4 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
get_geoip $_geoip_code ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_v6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
fi
|
||||
fi
|
||||
echolog " - [$?]解析分流规则[$shunt_id]-[geoip:${_geoip_code}]加入到 IPSET 完成"
|
||||
}
|
||||
}
|
||||
}
|
||||
done
|
||||
[ "${_write_ipset_direct}" = "1" ] && {
|
||||
_SHUNT_LIST4="${_SHUNT_LIST4} ${_set_name4}:direct"
|
||||
_SHUNT_LIST6="${_SHUNT_LIST6} ${_set_name6}:direct"
|
||||
}
|
||||
[ "$default_node" != "nil" ] && {
|
||||
local ipset_v4="passwall2_${node}_default"
|
||||
local ipset_v6="passwall2_${node}_default6"
|
||||
ipset -! create $ipset_v4 nethash maxelem 1048576
|
||||
ipset -! create $ipset_v6 nethash family inet6 maxelem 1048576
|
||||
_SHUNT_LIST4="${_SHUNT_LIST4} ${ipset_v4}:${default_outbound}"
|
||||
_SHUNT_LIST6="${_SHUNT_LIST6} ${ipset_v6}:${default_outbound}"
|
||||
}
|
||||
}
|
||||
[ -n "${_SHUNT_LIST4}" ] && eval ${shunt_list4_var_name}=\"${_SHUNT_LIST4}\"
|
||||
[ -n "${_SHUNT_LIST6}" ] && eval ${shunt_list6_var_name}=\"${_SHUNT_LIST6}\"
|
||||
}
|
||||
|
||||
add_shunt_t_rule() {
|
||||
local shunt_args=${1}
|
||||
local t_args=${2}
|
||||
local t_jump_args=${3}
|
||||
[ -n "${shunt_args}" ] && {
|
||||
for j in ${shunt_args}; do
|
||||
local _set_name=$(echo ${j} | awk -F ':' '{print $1}')
|
||||
local _outbound=$(echo ${j} | awk -F ':' '{print $2}')
|
||||
[ -n "${_set_name}" ] && [ -n "${_outbound}" ] && {
|
||||
local _t_arg="${t_jump_args}"
|
||||
[ "${_outbound}" = "direct" ] && _t_arg="-j RETURN"
|
||||
${t_args} $(dst ${_set_name}) ${_t_arg}
|
||||
}
|
||||
done
|
||||
}
|
||||
}
|
||||
|
||||
load_acl() {
|
||||
[ "$ENABLED_ACLS" == 1 ] && {
|
||||
acl_app
|
||||
@ -207,6 +292,8 @@ load_acl() {
|
||||
node_remark=$(config_n_get $NODE remarks)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
[ "$node" = "default" ] && dns_redirect_port=${DNS_REDIRECT_PORT}
|
||||
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
|
||||
|
||||
write_ipset_direct=${write_ipset_direct:-1}
|
||||
@ -221,32 +308,7 @@ load_acl() {
|
||||
ipset -! create $ipset_whitelist6 nethash family inet6 maxelem 1048576
|
||||
|
||||
#分流规则的IP列表(使用分流节点时导入)
|
||||
local _USE_SHUNT_NODE=0
|
||||
_NODE_PROTOCOL=$(config_n_get $node protocol)
|
||||
[ "$_NODE_PROTOCOL" = "_shunt" ] && _USE_SHUNT_NODE=1
|
||||
[ "$_USE_SHUNT_NODE" = "1" ] && {
|
||||
local _SHUNT_DEFAULT_NODE=$(config_n_get $NODE default_node _direct)
|
||||
local _GEOIP_CODE=""
|
||||
local _shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for _shunt_id in $_shunt_ids; do
|
||||
local _SHUNT_RULE_NODE=$(config_n_get $NODE ${_shunt_id} nil)
|
||||
[ "${_SHUNT_RULE_NODE}" == "_default" ] && _SHUNT_RULE_NODE=${_SHUNT_DEFAULT_NODE}
|
||||
[ "${_SHUNT_RULE_NODE}" == "_direct" ] && {
|
||||
config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_whitelist &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_whitelist6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local _geoip_code=$(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$_geoip_code" ] && _GEOIP_CODE="${_GEOIP_CODE:+$_GEOIP_CODE,}$_geoip_code"
|
||||
}
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
if [ -n "$_GEOIP_CODE" ] && type geoview &> /dev/null; then
|
||||
get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_whitelist &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_whitelist6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
|
||||
fi
|
||||
gen_shunt_list ${node} shunt_list4 shunt_list6 ${write_ipset_direct} ${ipset_whitelist} ${ipset_whitelist6}
|
||||
fi
|
||||
}
|
||||
|
||||
@ -324,11 +386,11 @@ load_acl() {
|
||||
}
|
||||
|
||||
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && {
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null
|
||||
[ -n "$dns_redirect_port" ] && {
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $dns_redirect_port 2>/dev/null
|
||||
}
|
||||
else
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
|
||||
@ -349,24 +411,24 @@ load_acl() {
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(dst $ipset_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${shunt_list4}" "$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source}" "$(REDIRECT)"
|
||||
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null
|
||||
add_shunt_t_rule "${shunt_list6}" "$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source}" "$(REDIRECT)" 2>/dev/null
|
||||
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
|
||||
}
|
||||
|
||||
$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP ${ipt_j}
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${shunt_list4}" "$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport")" "${ipt_j}"
|
||||
$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") ${ipt_j}
|
||||
[ -n "${is_tproxy}" ] && $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null
|
||||
add_shunt_t_rule "${shunt_list6}" "$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport")" "${ipt_j}" 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
}
|
||||
@ -379,13 +441,13 @@ load_acl() {
|
||||
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
|
||||
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${shunt_list4}" "$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null
|
||||
add_shunt_t_rule "${shunt_list6}" "$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport")" "-j PSW2_RULE" 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
}
|
||||
@ -429,11 +491,11 @@ load_acl() {
|
||||
}
|
||||
|
||||
if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
}
|
||||
fi
|
||||
|
||||
@ -449,24 +511,24 @@ load_acl() {
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2 $(comment "默认") -p icmp $(dst $ipset_global_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "$ipt_n -A PSW2 $(comment "默认") -p icmp" "$(REDIRECT)"
|
||||
$ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp" "$(REDIRECT)"
|
||||
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
$ipt_tmp -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP ${ipt_j}
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "$ipt_tmp -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport")" "${ipt_j}"
|
||||
$ipt_tmp -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") ${ipt_j}
|
||||
[ -n "${is_tproxy}" ] && $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "$ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
}
|
||||
@ -478,13 +540,13 @@ load_acl() {
|
||||
msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
|
||||
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "$ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "$ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
fi
|
||||
@ -670,32 +732,7 @@ add_firewall_rule() {
|
||||
ipset -! create $ipset_global_whitelist6 nethash family inet6 maxelem 1048576 timeout 259200
|
||||
|
||||
#分流规则的IP列表(使用分流节点时导入)
|
||||
local USE_SHUNT_NODE=0
|
||||
NODE_PROTOCOL=$(config_n_get $NODE protocol)
|
||||
[ "$NODE_PROTOCOL" = "_shunt" ] && USE_SHUNT_NODE=1
|
||||
[ "$USE_SHUNT_NODE" = "1" ] && {
|
||||
local SHUNT_DEFAULT_NODE=$(config_n_get $NODE default_node _direct)
|
||||
local GEOIP_CODE=""
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
local SHUNT_RULE_NODE=$(config_n_get $NODE ${shunt_id} nil)
|
||||
[ "${SHUNT_RULE_NODE}" == "_default" ] && SHUNT_RULE_NODE=${SHUNT_DEFAULT_NODE}
|
||||
[ "${SHUNT_RULE_NODE}" == "_direct" ] && {
|
||||
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_global_whitelist &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_global_whitelist6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
|
||||
}
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
|
||||
get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $ipset_global_whitelist &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $ipset_global_whitelist6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
|
||||
fi
|
||||
gen_shunt_list ${NODE} SHUNT_LIST4 SHUNT_LIST6 ${WRITE_IPSET_DIRECT} ${ipset_global_whitelist} ${ipset_global_whitelist6}
|
||||
|
||||
# 过滤所有节点IP
|
||||
filter_vpsip > /dev/null 2>&1 &
|
||||
@ -867,11 +904,11 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
$ipt_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
$ipt_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
$ipt_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
$ipt_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT
|
||||
$ip6t_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $DNS_REDIRECT_PORT 2>/dev/null
|
||||
}
|
||||
fi
|
||||
|
||||
@ -880,14 +917,14 @@ add_firewall_rule() {
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
|
||||
$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2_OUTPUT -p icmp $(dst $ipset_global_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "$ipt_n -A PSW2_OUTPUT -p icmp" "$(REDIRECT)"
|
||||
$ipt_n -A PSW2_OUTPUT -p icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW2_OUTPUT
|
||||
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp" "$(REDIRECT)"
|
||||
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
@ -898,7 +935,7 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
$ipt_tmp -A PSW2_OUTPUT -p tcp -d $FAKE_IP ${ipt_j}
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2_OUTPUT -p tcp $(dst $ipset_global_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "$ipt_tmp -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport")" "${ipt_j}"
|
||||
$ipt_tmp -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") ${ipt_j}
|
||||
[ -z "${is_tproxy}" ] && $ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
@ -909,7 +946,7 @@ add_firewall_rule() {
|
||||
|
||||
if [ "$PROXY_IPV6" == "1" ]; then
|
||||
$ip6t_m -A PSW2_OUTPUT -p tcp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT -p tcp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "$ip6t_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ip6t_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo $(REDIRECT $REDIR_PORT TPROXY)
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo -j RETURN
|
||||
@ -925,7 +962,7 @@ add_firewall_rule() {
|
||||
# 加载路由器自身代理 UDP
|
||||
if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
|
||||
$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2_OUTPUT -p udp $(dst $ipset_global_whitelist) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "$ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
|
||||
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
|
||||
@ -933,7 +970,7 @@ add_firewall_rule() {
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
$ip6t_m -A PSW2_OUTPUT -p udp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT -p udp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "$ip6t_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport")" "-j PSW2_RULE"
|
||||
$ip6t_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
|
||||
@ -996,6 +1033,7 @@ flush_ipset_reload() {
|
||||
del_firewall_rule
|
||||
flush_ipset
|
||||
rm -rf /tmp/singbox_passwall2_*
|
||||
rm -f /tmp/etc/passwall2_tmp/geoip-*.json
|
||||
/etc/init.d/passwall2 reload
|
||||
}
|
||||
|
||||
|
||||
@ -241,6 +241,92 @@ get_wan6_ip() {
|
||||
echo $NET_ADDR
|
||||
}
|
||||
|
||||
gen_shunt_list() {
|
||||
local node=${1}
|
||||
local shunt_list4_var_name=${2}
|
||||
local shunt_list6_var_name=${3}
|
||||
local _write_ipset_direct=${4}
|
||||
local _set_name4=${5}
|
||||
local _set_name6=${6}
|
||||
[ -z "$node" ] && continue
|
||||
unset ${shunt_list4_var_name}
|
||||
unset ${shunt_list6_var_name}
|
||||
local _SHUNT_LIST4 _SHUNT_LIST6
|
||||
local USE_SHUNT_NODE=0
|
||||
NODE_PROTOCOL=$(config_n_get $node protocol)
|
||||
[ "$NODE_PROTOCOL" = "_shunt" ] && USE_SHUNT_NODE=1
|
||||
[ "$USE_SHUNT_NODE" = "1" ] && {
|
||||
local default_node=$(config_n_get ${node} default_node _direct)
|
||||
local default_outbound="redirect"
|
||||
[ "$default_node" = "_direct" ] && default_outbound="direct"
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
local shunt_node=$(config_n_get ${node} "${shunt_id}" nil)
|
||||
[ "$shunt_node" != "nil" ] && {
|
||||
local nftset_v4="passwall2_${node}_${shunt_id}"
|
||||
local nftset_v6="passwall2_${node}_${shunt_id}6"
|
||||
gen_nftset $nftset_v4 ipv4_addr 0 0
|
||||
gen_nftset $nftset_v6 ipv6_addr 0 0
|
||||
local outbound="redirect"
|
||||
[ "$shunt_node" = "_direct" ] && outbound="direct"
|
||||
[ "$shunt_node" = "_default" ] && outbound="${default_outbound}"
|
||||
_SHUNT_LIST4="${_SHUNT_LIST4} ${nftset_v4}:${outbound}"
|
||||
_SHUNT_LIST6="${_SHUNT_LIST6} ${nftset_v6}:${outbound}"
|
||||
insert_nftset $nftset_v4 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_v6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local _geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$_geoip_code" ] && {
|
||||
if [ "$(config_n_get $node type)" = "sing-box" ]; then
|
||||
insert_nftset $nftset_v4 "0" $(get_singbox_geoip $_geoip_code ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_v6 "0" $(get_singbox_geoip $_geoip_code ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
else
|
||||
if type geoview &> /dev/null; then
|
||||
insert_nftset $nftset_v4 "0" $(get_geoip $_geoip_code ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_v6 "0" $(get_geoip $_geoip_code ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
fi
|
||||
fi
|
||||
echolog " - [$?]解析分流规则[$shunt_id]-[geoip:${_geoip_code}]加入到 NFTSET 完成"
|
||||
}
|
||||
}
|
||||
}
|
||||
done
|
||||
[ "${_write_ipset_direct}" = "1" ] && {
|
||||
_SHUNT_LIST4="${_SHUNT_LIST4} ${_set_name4}:direct"
|
||||
_SHUNT_LIST6="${_SHUNT_LIST6} ${_set_name6}:direct"
|
||||
}
|
||||
[ "$default_node" != "nil" ] && {
|
||||
local nftset_v4="passwall2_${node}_default"
|
||||
local nftset_v6="passwall2_${node}_default6"
|
||||
gen_nftset $nftset_v4 ipv4_addr 0 0
|
||||
gen_nftset $nftset_v6 ipv6_addr 0 0
|
||||
_SHUNT_LIST4="${_SHUNT_LIST4} ${nftset_v4}:${default_outbound}"
|
||||
_SHUNT_LIST6="${_SHUNT_LIST6} ${nftset_v6}:${default_outbound}"
|
||||
}
|
||||
}
|
||||
[ -n "${_SHUNT_LIST4}" ] && eval ${shunt_list4_var_name}=\"${_SHUNT_LIST4}\"
|
||||
[ -n "${_SHUNT_LIST6}" ] && eval ${shunt_list6_var_name}=\"${_SHUNT_LIST6}\"
|
||||
}
|
||||
|
||||
add_shunt_t_rule() {
|
||||
local shunt_args=${1}
|
||||
local t_args=${2}
|
||||
local t_jump_args=${3}
|
||||
local t_comment=${4}
|
||||
[ -n "${shunt_args}" ] && {
|
||||
[ -n "${t_comment}" ] && t_comment="comment \"$t_comment\""
|
||||
for j in ${shunt_args}; do
|
||||
local _set_name=$(echo ${j} | awk -F ':' '{print $1}')
|
||||
local _outbound=$(echo ${j} | awk -F ':' '{print $2}')
|
||||
[ -n "${_set_name}" ] && [ -n "${_outbound}" ] && {
|
||||
local _t_arg="${t_jump_args}"
|
||||
[ "${_outbound}" = "direct" ] && _t_arg="counter return"
|
||||
${t_args} @${_set_name} ${_t_arg} ${t_comment}
|
||||
}
|
||||
done
|
||||
}
|
||||
}
|
||||
|
||||
load_acl() {
|
||||
[ "$ENABLED_ACLS" == 1 ] && {
|
||||
acl_app
|
||||
@ -261,6 +347,8 @@ load_acl() {
|
||||
node_remark=$(config_n_get $NODE remarks)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && dns_redirect_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
[ "$node" = "default" ] && dns_redirect_port=${DNS_REDIRECT_PORT}
|
||||
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
|
||||
|
||||
write_ipset_direct=${write_ipset_direct:-1}
|
||||
@ -275,32 +363,7 @@ load_acl() {
|
||||
gen_nftset $nftset_whitelist6 ipv6_addr 3d 3d
|
||||
|
||||
#分流规则的IP列表(使用分流节点时导入)
|
||||
local _USE_SHUNT_NODE=0
|
||||
_NODE_PROTOCOL=$(config_n_get $node protocol)
|
||||
[ "$_NODE_PROTOCOL" = "_shunt" ] && _USE_SHUNT_NODE=1
|
||||
[ "$_USE_SHUNT_NODE" = "1" ] && {
|
||||
local _SHUNT_DEFAULT_NODE=$(config_n_get $NODE default_node _direct)
|
||||
local _GEOIP_CODE=""
|
||||
local _shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for _shunt_id in $_shunt_ids; do
|
||||
local _SHUNT_RULE_NODE=$(config_n_get $NODE ${_shunt_id} nil)
|
||||
[ "${_SHUNT_RULE_NODE}" == "_default" ] && _SHUNT_RULE_NODE=${_SHUNT_DEFAULT_NODE}
|
||||
[ "${_SHUNT_RULE_NODE}" == "_direct" ] && {
|
||||
insert_nftset $nftset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local _geoip_code=$(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$_geoip_code" ] && _GEOIP_CODE="${_GEOIP_CODE:+$_GEOIP_CODE,}$_geoip_code"
|
||||
}
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
if [ -n "$_GEOIP_CODE" ] && type geoview &> /dev/null; then
|
||||
insert_nftset $nftset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
|
||||
fi
|
||||
gen_shunt_list ${node} shunt_list4 shunt_list6 ${write_ipset_direct} ${nftset_whitelist} ${nftset_whitelist6}
|
||||
fi
|
||||
}
|
||||
|
||||
@ -368,11 +431,11 @@ load_acl() {
|
||||
}
|
||||
|
||||
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
[ -n "$dns_redirect_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$dns_redirect_port comment \"$remarks\""
|
||||
}
|
||||
else
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
@ -395,26 +458,26 @@ load_acl() {
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
add_shunt_t_rule "${shunt_list4}" "nft add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr" "$(REDIRECT)" "$remarks"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null
|
||||
add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr" "$(REDIRECT)" "$remarks" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP ${nft_j} comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
add_shunt_t_rule "${shunt_list4}" "nft add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr" "${nft_j}" "$remarks"
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ${nft_j} comment \"$remarks\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null
|
||||
add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr" "counter jump PSW2_RULE" "$remarks" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
@ -427,13 +490,13 @@ load_acl() {
|
||||
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
|
||||
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
add_shunt_t_rule "${shunt_list4}" "nft add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr" "counter jump PSW2_RULE" "$remarks"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null
|
||||
add_shunt_t_rule "${shunt_list6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr" "counter jump PSW2_RULE" "$remarks"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
@ -475,11 +538,11 @@ load_acl() {
|
||||
}
|
||||
|
||||
if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"默认\""
|
||||
}
|
||||
fi
|
||||
|
||||
@ -497,26 +560,26 @@ load_acl() {
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "nft add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ip daddr" "$(REDIRECT)" "默认"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "nft add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr" "$(REDIRECT)" "默认"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
|
||||
}
|
||||
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr $FAKE_IP ${nft_j} comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "nft add rule $NFTABLE_NAME $nft_chain ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr" "${nft_j}" "默认"
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ${nft_j} comment \"默认\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr" "${nft_j}" "默认"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
|
||||
}
|
||||
@ -528,13 +591,13 @@ load_acl() {
|
||||
msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
|
||||
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "nft add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr" "counter jump PSW2_RULE" "默认"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "nft add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr" "counter jump PSW2_RULE" "默认"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
|
||||
}
|
||||
@ -716,32 +779,7 @@ add_firewall_rule() {
|
||||
gen_nftset $nftset_global_whitelist6 ipv6_addr 0 0
|
||||
|
||||
#分流规则的IP列表(使用分流节点时导入)
|
||||
local USE_SHUNT_NODE=0
|
||||
NODE_PROTOCOL=$(config_n_get $NODE protocol)
|
||||
[ "$NODE_PROTOCOL" = "_shunt" ] && USE_SHUNT_NODE=1
|
||||
[ "$USE_SHUNT_NODE" = "1" ] && {
|
||||
local SHUNT_DEFAULT_NODE=$(config_n_get $NODE default_node _direct)
|
||||
local GEOIP_CODE=""
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
local SHUNT_RULE_NODE=$(config_n_get $NODE ${shunt_id} nil)
|
||||
[ "${SHUNT_RULE_NODE}" == "_default" ] && SHUNT_RULE_NODE=${SHUNT_DEFAULT_NODE}
|
||||
[ "${SHUNT_RULE_NODE}" == "_direct" ] && {
|
||||
insert_nftset $nftset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
|
||||
}
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
|
||||
insert_nftset $nftset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
|
||||
fi
|
||||
gen_shunt_list ${NODE} SHUNT_LIST4 SHUNT_LIST6 ${WRITE_IPSET_DIRECT} ${nftset_global_whitelist} ${nftset_global_whitelist6}
|
||||
|
||||
# 过滤所有节点IP
|
||||
filter_vpsip > /dev/null 2>&1 &
|
||||
@ -925,11 +963,11 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
[ -n "$DNS_REDIRECT_PORT" ] && {
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$DNS_REDIRECT_PORT comment \"PSW2\""
|
||||
}
|
||||
fi
|
||||
|
||||
@ -937,14 +975,14 @@ add_firewall_rule() {
|
||||
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$nftset_global_whitelist counter return"
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "nft add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr" "counter redirect"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter return"
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 counter redirect"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "nft add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr" "counter redirect"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter redirect"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
|
||||
}
|
||||
@ -958,7 +996,7 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr $FAKE_IP ${nft_j}"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr @$nftset_global_whitelist counter return"
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "nft add rule $NFTABLE_NAME $nft_chain ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr" "${nft_j}"
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ${nft_j}"
|
||||
[ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME nat_output ip protocol tcp counter jump PSW2_OUTPUT_NAT"
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
@ -969,7 +1007,7 @@ add_firewall_rule() {
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "nft add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr" "counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
|
||||
@ -984,7 +1022,7 @@ add_firewall_rule() {
|
||||
# 加载路由器自身代理 UDP
|
||||
if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return"
|
||||
add_shunt_t_rule "${SHUNT_LIST4}" "nft add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr" "counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp iif lo counter return comment \"本机\""
|
||||
@ -992,7 +1030,7 @@ add_firewall_rule() {
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
add_shunt_t_rule "${SHUNT_LIST6}" "nft add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr" "counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
|
||||
@ -1073,6 +1111,7 @@ flush_nftset_reload() {
|
||||
del_firewall_rule
|
||||
flush_table
|
||||
rm -rf /tmp/singbox_passwall2_*
|
||||
rm -f /tmp/etc/passwall2_tmp/geoip-*.json
|
||||
/etc/init.d/passwall2 reload
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user