🎄 Sync 2024-12-12 00:34
This commit is contained in:
parent
f0bd208295
commit
5368e34d3d
@ -3,18 +3,18 @@
|
||||
# Copyright (C) 2021-2023 sirpdboy <herboy2008@gmail.com>
|
||||
#
|
||||
# This is free software, licensed under the Apache License, Version 2.0 .
|
||||
#
|
||||
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=ddns-go
|
||||
PKG_VERSION:=6.7.6
|
||||
PKG_VERSION:=6.7.7
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/jeessy2/ddns-go.git
|
||||
PKG_MIRROR_HASH:=34bd601fdc310b8b9f5cb4972708adf8a7e1eae09ac8e04bdb4079624ac4cf5a
|
||||
PKG_SOURCE_VERSION:=52f0e67a4e3391b7c02060492d07414ed62b881c
|
||||
PKG_MIRROR_HASH:=424ef8965c2fe26cfbe469be6e5cd8637ba36313862631caa764c33fd8337a21
|
||||
PKG_SOURCE_VERSION:=e0dc641faefa350af644381b5dd8bc43a211b0db
|
||||
|
||||
PKG_LICENSE:=AGPL-3.0-only
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
@ -1,8 +1,7 @@
|
||||
-- Copyright 2022-2023 sirpdboy <herboy2008@gmail.com>
|
||||
-- Licensed to the public under the Apache License 2.0.
|
||||
local sys = require "luci.sys"
|
||||
local ifaces = sys.net:devices()
|
||||
local WADM = require "luci.tools.webadmin"
|
||||
local interfaces = sys.exec("ls -l /sys/class/net/ 2>/dev/null |awk '{print $9}' 2>/dev/null")
|
||||
local ipc = require "luci.ip"
|
||||
local a, t, e
|
||||
|
||||
@ -22,11 +21,10 @@ ipi = t:option(ListValue, "ifname", translate("Interface"), translate("Set the i
|
||||
ipi.default = "1"
|
||||
ipi:value(1,translate("Automatic settings"))
|
||||
ipi.rmempty = false
|
||||
for _, v in pairs(ifaces) do
|
||||
net = WADM.iface_get_network(v)
|
||||
if net and net ~= "loopback" then
|
||||
ipi:value(v)
|
||||
end
|
||||
for interface in string.gmatch(interfaces, "%S+") do
|
||||
if interface and interface ~= "loopback" then
|
||||
ipi:value(interface)
|
||||
end
|
||||
end
|
||||
|
||||
t = a:section(TypedSection, "device")
|
||||
@ -41,18 +39,26 @@ e = t:option(Flag, "enable", translate("Enabled"))
|
||||
e.rmempty = false
|
||||
e.size = 4
|
||||
|
||||
ip = t:option(Value, "mac", translate("IP/MAC"))
|
||||
local lan_interfaces = {}
|
||||
for interface in string.gmatch(interfaces, "%S+") do
|
||||
if string.match(interface, "lan") then
|
||||
table.insert(lan_interfaces, interface)
|
||||
end
|
||||
end
|
||||
|
||||
ipc.neighbors({family = 4, dev = "br-lan"}, function(n)
|
||||
if n.mac and n.dest then
|
||||
ip:value(n.dest:string(), "%s (%s)" %{ n.dest:string(), n.mac })
|
||||
end
|
||||
end)
|
||||
ipc.neighbors({family = 4, dev = "br-lan"}, function(n)
|
||||
if n.mac and n.dest then
|
||||
ip:value(n.mac, "%s (%s)" %{n.mac, n.dest:string() })
|
||||
end
|
||||
end)
|
||||
ip = t:option(Value, "mac", translate("IP/MAC"))
|
||||
for _, lan_interface in ipairs(lan_interfaces) do
|
||||
ipc.neighbors({family = 4, dev = lan_interface}, function(n)
|
||||
if n.mac and n.dest then
|
||||
ip:value(n.dest:string(), "%s (%s)" %{ n.dest:string(), n.mac })
|
||||
end
|
||||
end)
|
||||
ipc.neighbors({family = 4, dev = lan_interface}, function(n)
|
||||
if n.mac and n.dest then
|
||||
ip:value(n.mac, "%s (%s)" %{n.mac, n.dest:string() })
|
||||
end
|
||||
end)
|
||||
end
|
||||
|
||||
e.size = 8
|
||||
dl = t:option(Value, "download", translate("Downloads"))
|
||||
|
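Review bot: `string.match(interface, "lan")` in the neighbour-enumeration hunk is an unanchored substring match, so any device whose name contains `lan` — `wlan0`, `vlan`-style names, DSA ports such as `lan1` — lands in `lan_interfaces`, and `ipc.neighbors` is then queried once per device, which can list the same neighbour several times under the IP/MAC option. If the intent is the bridge that `dev = "br-lan"` used to name, an anchored pattern such as `if interface:match("^br%-lan") then` keeps the list to the bridges. The same commit replaces the `WADM.iface_get_network(v)` filter in the Interface list with a raw parse of `ls -l /sys/class/net`, so devices not attached to any network (and non-device entries such as `bonding_masters`, when present) now appear there too; if the shell pipeline is kept on purpose, a short comment saying why the sysfs listing is preferred over `sys.net:devices()` would help the next reader. `ipi`, `ip`, `t` and `e` are defined outside these hunks.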
@ -180,7 +180,7 @@ if has_xray then
|
||||
|
||||
o = s_xray:option(Flag, "sniffing_override_dest", translate("Override the connection destination address"))
|
||||
o.default = 0
|
||||
o.description = translate("Override the connection destination address with the sniffed domain.<br />When enabled, traffic will match only by domain, ignoring IP rules.<br />If using shunt nodes, configure the domain shunt rules correctly.")
|
||||
o.description = translate("Override the connection destination address with the sniffed domain.<br />Otherwise use sniffed domain for routing only.<br />If using shunt nodes, configure the domain shunt rules correctly.")
|
||||
|
||||
local domains_excluded = string.format("/usr/share/%s/rules/domains_excluded", appname)
|
||||
o = s_xray:option(TextValue, "excluded_domains", translate("Excluded Domains"), translate("If the traffic sniffing result is in this list, the destination address will not be overridden."))
|
||||
|
@ -612,8 +612,15 @@ function gen_config(var)
|
||||
port = tonumber(local_socks_port),
|
||||
protocol = "socks",
|
||||
settings = {auth = "noauth", udp = true},
|
||||
sniffing = {enabled = true, destOverride = {"http", "tls", "quic"}}
|
||||
sniffing = {
|
||||
enabled = xray_settings.sniffing_override_dest == "1" or node.protocol == "_shunt"
|
||||
}
|
||||
}
|
||||
if inbound.sniffing.enabled == true then
|
||||
inbound.sniffing.destOverride = {"http", "tls", "quic"}
|
||||
inbound.sniffing.routeOnly = xray_settings.sniffing_override_dest ~= "1" or nil
|
||||
inbound.sniffing.domainsExcluded = xray_settings.sniffing_override_dest == "1" and get_domain_excluded() or nil
|
||||
end
|
||||
if local_socks_username and local_socks_password and local_socks_username ~= "" and local_socks_password ~= "" then
|
||||
inbound.settings.auth = "password"
|
||||
inbound.settings.accounts = {
|
||||
@ -649,13 +656,15 @@ function gen_config(var)
|
||||
settings = {network = "tcp,udp", followRedirect = true},
|
||||
streamSettings = {sockopt = {tproxy = "tproxy"}},
|
||||
sniffing = {
|
||||
enabled = xray_settings.sniffing_override_dest == "1" or node.protocol == "_shunt",
|
||||
destOverride = {"http", "tls", "quic"},
|
||||
metadataOnly = false,
|
||||
routeOnly = node.protocol == "_shunt" and xray_settings.sniffing_override_dest ~= "1" or nil,
|
||||
domainsExcluded = xray_settings.sniffing_override_dest == "1" and get_domain_excluded() or nil
|
||||
enabled = xray_settings.sniffing_override_dest == "1" or node.protocol == "_shunt"
|
||||
}
|
||||
}
|
||||
if inbound.sniffing.enabled == true then
|
||||
inbound.sniffing.destOverride = {"http", "tls", "quic", (remote_dns_fake) and "fakedns"}
|
||||
inbound.sniffing.metadataOnly = false
|
||||
inbound.sniffing.routeOnly = xray_settings.sniffing_override_dest ~= "1" or nil
|
||||
inbound.sniffing.domainsExcluded = xray_settings.sniffing_override_dest == "1" and get_domain_excluded() or nil
|
||||
end
|
||||
|
||||
if tcp_redir_port then
|
||||
local tcp_inbound = api.clone(inbound)
|
||||
|
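Review bot: `destOverride = {"http", "tls", "quic", (remote_dns_fake) and "fakedns"}` in the tproxy hunk yields `false` as the fourth list element whenever `remote_dns_fake` is `false` rather than `nil`, and that `false` would be serialized into the generated Xray config instead of being dropped — only a `nil` value ends the table. If `remote_dns_fake` can be `false` (not visible from the hunk), build the list and append conditionally, e.g. `local dest = {"http", "tls", "quic"}; if remote_dns_fake then dest[#dest + 1] = "fakedns" end`. The passwall2 copy of `gen_config` (the `@@ -651,13 +658,16 @@` hunk) carries the same construct and its socks inbound is rebuilt the same way, so the note applies there as well. `gen_config` begins and ends outside the hunk.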
@ -976,6 +976,18 @@ local api = require "luci.passwall.api"
|
||||
opt.set(dom_prefix + 'grpc_mode', queryParam.mode || "gun");
|
||||
}
|
||||
|
||||
opt.set(dom_prefix + 'tls', queryParam.security === "tls");
|
||||
if (queryParam.security === "tls") {
|
||||
var tls_serverName = queryParam.peer;
|
||||
if (queryParam.sni) {
|
||||
tls_serverName = queryParam.sni
|
||||
}
|
||||
opt.set(dom_prefix + 'tls_serverName', tls_serverName);
|
||||
}
|
||||
if (queryParam.allowinsecure === '1') {
|
||||
opt.set(dom_prefix + 'tls_allowInsecure', true);
|
||||
}
|
||||
|
||||
if (m.hash) {
|
||||
opt.set('remarks', decodeURIComponent(m.hash.substr(1)));
|
||||
}
|
||||
|
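Review bot: The new `allowinsecure === '1'` branch lets a share link switch off certificate verification for the imported node (`tls_allowInsecure` set to `true`) with nothing in this code telling the user; links and subscriptions are untrusted input, so whoever authors the link decides whether TLS is verified for that connection. Consider leaving `tls_allowInsecure` unset and only surfacing the parameter, or at minimum a comment above the branch: `// allowinsecure comes from the untrusted link; honouring it disables TLS verification for this node`. `tls_serverName = queryParam.sni` also lacks the terminating semicolon used on the surrounding lines. The same block is added in the passwall2 view (`@@ -957,6 +957,18 @@`), where both points apply.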
@ -1645,6 +1645,9 @@ msgstr "握手服务器"
|
||||
msgid "Handshake Server Port"
|
||||
msgstr "握手服务器端口"
|
||||
|
||||
msgid "Override the connection destination address with the sniffed domain.<br />Otherwise use sniffed domain for routing only.<br />If using shunt nodes, configure the domain shunt rules correctly."
|
||||
msgstr "用探测出的域名覆盖连接目标地址。<br />否则仅将探测得到的域名用于路由。<br />如使用分流节点,请正确设置域名分流规则。"
|
||||
|
||||
msgid "Override the connection destination address with the sniffed domain.<br />When enabled, traffic will match only by domain, ignoring IP rules.<br />If using shunt nodes, configure the domain shunt rules correctly."
|
||||
msgstr "用探测出的域名覆盖连接目标地址。<br />启用后仅使用域名进行流量匹配,将忽略IP规则。<br />如使用分流节点,请正确设置域名分流规则。"
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall2
|
||||
PKG_VERSION:=24.12.05
|
||||
PKG_VERSION:=24.12.11
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
|
@ -166,7 +166,7 @@ if has_xray then
|
||||
|
||||
o = s_xray:option(Flag, "sniffing_override_dest", translate("Override the connection destination address"))
|
||||
o.default = 0
|
||||
o.description = translate("Override the connection destination address with the sniffed domain.<br />When enabled, traffic will match only by domain, ignoring IP rules.<br />If using shunt nodes, configure the domain shunt rules correctly.")
|
||||
o.description = translate("Override the connection destination address with the sniffed domain.<br />Otherwise use sniffed domain for routing only.<br />If using shunt nodes, configure the domain shunt rules correctly.")
|
||||
|
||||
o = s_xray:option(Flag, "route_only", translate("Sniffing Route Only"))
|
||||
o.default = 0
|
||||
|
@ -612,8 +612,15 @@ function gen_config(var)
|
||||
port = tonumber(local_socks_port),
|
||||
protocol = "socks",
|
||||
settings = {auth = "noauth", udp = true},
|
||||
sniffing = {enabled = true, destOverride = {"http", "tls", "quic"}}
|
||||
sniffing = {
|
||||
enabled = xray_settings.sniffing_override_dest == "1" or node.protocol == "_shunt"
|
||||
}
|
||||
}
|
||||
if inbound.sniffing.enabled == true then
|
||||
inbound.sniffing.destOverride = {"http", "tls", "quic"}
|
||||
inbound.sniffing.routeOnly = xray_settings.sniffing_override_dest ~= "1" or nil
|
||||
inbound.sniffing.domainsExcluded = xray_settings.sniffing_override_dest == "1" and get_domain_excluded() or nil
|
||||
end
|
||||
if local_socks_username and local_socks_password and local_socks_username ~= "" and local_socks_password ~= "" then
|
||||
inbound.settings.auth = "password"
|
||||
inbound.settings.accounts = {
|
||||
@ -651,13 +658,16 @@ function gen_config(var)
|
||||
settings = {network = "tcp,udp", followRedirect = true},
|
||||
streamSettings = {sockopt = {tproxy = "tproxy"}},
|
||||
sniffing = {
|
||||
enabled = xray_settings.sniffing_override_dest == "1" or node.protocol == "_shunt",
|
||||
destOverride = {"http", "tls", "quic", (remote_dns_fake) and "fakedns"},
|
||||
metadataOnly = false,
|
||||
routeOnly = node.protocol == "_shunt" and xray_settings.sniffing_override_dest ~= "1" or nil,
|
||||
domainsExcluded = xray_settings.sniffing_override_dest == "1" and get_domain_excluded() or nil
|
||||
enabled = xray_settings.sniffing_override_dest == "1" or node.protocol == "_shunt"
|
||||
}
|
||||
}
|
||||
if inbound.sniffing.enabled == true then
|
||||
inbound.sniffing.destOverride = {"http", "tls", "quic", (remote_dns_fake) and "fakedns"}
|
||||
inbound.sniffing.metadataOnly = false
|
||||
inbound.sniffing.routeOnly = xray_settings.sniffing_override_dest ~= "1" or nil
|
||||
inbound.sniffing.domainsExcluded = xray_settings.sniffing_override_dest == "1" and get_domain_excluded() or nil
|
||||
end
|
||||
|
||||
local tcp_inbound = api.clone(inbound)
|
||||
tcp_inbound.tag = "tcp_redir"
|
||||
tcp_inbound.settings.network = "tcp"
|
||||
|
@ -957,6 +957,18 @@ local api = require "luci.passwall2.api"
|
||||
opt.set(dom_prefix + 'grpc_mode', queryParam.mode || "gun");
|
||||
}
|
||||
|
||||
opt.set(dom_prefix + 'tls', queryParam.security === "tls");
|
||||
if (queryParam.security === "tls") {
|
||||
var tls_serverName = queryParam.peer;
|
||||
if (queryParam.sni) {
|
||||
tls_serverName = queryParam.sni
|
||||
}
|
||||
opt.set(dom_prefix + 'tls_serverName', tls_serverName);
|
||||
}
|
||||
if (queryParam.allowinsecure === '1') {
|
||||
opt.set(dom_prefix + 'tls_allowInsecure', true);
|
||||
}
|
||||
|
||||
opt.set(dom_prefix + 'mux', queryParam.mux === '1');
|
||||
if (m.hash) {
|
||||
opt.set('remarks', decodeURIComponent(m.hash.substr(1)));
|
||||
|
@ -1486,6 +1486,9 @@ msgstr "Sing-Box 会在启动时自动下载资源文件,您可以使用此功
|
||||
msgid "Override the connection destination address"
|
||||
msgstr "覆盖连接目标地址"
|
||||
|
||||
msgid "Override the connection destination address with the sniffed domain.<br />Otherwise use sniffed domain for routing only.<br />If using shunt nodes, configure the domain shunt rules correctly."
|
||||
msgstr "用探测出的域名覆盖连接目标地址。<br />否则仅将探测得到的域名用于路由。<br />如使用分流节点,请正确设置域名分流规则。"
|
||||
|
||||
msgid "Override the connection destination address with the sniffed domain.<br />When enabled, traffic will match only by domain, ignoring IP rules.<br />If using shunt nodes, configure the domain shunt rules correctly."
|
||||
msgstr "用探测出的域名覆盖连接目标地址。<br />启用后仅使用域名进行流量匹配,将忽略IP规则。<br />如使用分流节点,请正确设置域名分流规则。"
|
||||
|
||||
|
@ -334,25 +334,26 @@ load_acl() {
|
||||
ipt_j="$(REDIRECT $redir_port)"
|
||||
fi
|
||||
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(dst $ipset_whitelist) -j RETURN
|
||||
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN
|
||||
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
|
||||
}
|
||||
|
||||
$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP ${ipt_j}
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) -j RETURN
|
||||
$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") ${ipt_j}
|
||||
[ -n "${is_tproxy}" ] && $ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
}
|
||||
@ -364,14 +365,14 @@ load_acl() {
|
||||
[ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
|
||||
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
|
||||
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) -j RETURN
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
}
|
||||
@ -424,25 +425,26 @@ load_acl() {
|
||||
ipt_j="$(REDIRECT $REDIR_PORT)"
|
||||
fi
|
||||
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2 $(comment "默认") -p icmp $(dst $ipset_global_whitelist) -j RETURN
|
||||
$ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
$ipt_tmp -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP ${ipt_j}
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) -j RETURN
|
||||
$ipt_tmp -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") ${ipt_j}
|
||||
[ -n "${is_tproxy}" ] && $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
}
|
||||
@ -453,14 +455,14 @@ load_acl() {
|
||||
if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
|
||||
msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
|
||||
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) -j RETURN
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
fi
|
||||
@ -501,6 +503,10 @@ filter_node() {
|
||||
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
|
||||
local address=$(config_n_get $node address)
|
||||
local port=$(config_n_get $node port)
|
||||
[ -z "$address" ] && [ -z "$port" ] && {
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 1
|
||||
}
|
||||
ipt_tmp=$ipt_n
|
||||
_is_tproxy=${is_tproxy}
|
||||
[ "$stream" == "udp" ] && _is_tproxy="TPROXY"
|
||||
@ -512,7 +518,7 @@ filter_node() {
|
||||
fi
|
||||
else
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 0
|
||||
return 1
|
||||
fi
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
@ -521,7 +527,6 @@ filter_node() {
|
||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m
|
||||
$_ipt -n -L PSW2_OUTPUT | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
local dst_rule="-j PSW2_RULE"
|
||||
msg2="按规则路由(${msg})"
|
||||
[ "$_ipt" == "$ipt_m" -o "$_ipt" == "$ip6t_m" ] || {
|
||||
@ -544,7 +549,7 @@ filter_node() {
|
||||
|
||||
local proxy_protocol=$(config_n_get $proxy_node protocol)
|
||||
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
|
||||
if [ "$proxy_protocol" == "_balancing" ]; then
|
||||
#echolog " - 多节点负载均衡(${proxy_type})..."
|
||||
proxy_node=$(config_n_get $proxy_node balancing_node)
|
||||
@ -553,36 +558,34 @@ filter_node() {
|
||||
done
|
||||
elif [ "$proxy_protocol" == "_shunt" ]; then
|
||||
#echolog " - 按请求目的地址分流(${proxy_type})..."
|
||||
local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0)
|
||||
[ "$preproxy_enabled" == "1" ] && {
|
||||
local preproxy_node=$(config_n_get $proxy_node main_node nil)
|
||||
[ "$preproxy_node" != "nil" ] && {
|
||||
local preproxy_node_address=$(config_n_get $preproxy_node address)
|
||||
if [ -n "$preproxy_node_address" ]; then
|
||||
filter_rules $preproxy_node $stream
|
||||
else
|
||||
preproxy_enabled=0
|
||||
fi
|
||||
}
|
||||
}
|
||||
local default_node=$(config_n_get $proxy_node default_node _direct)
|
||||
local main_node=$(config_n_get $proxy_node main_node nil)
|
||||
if [ "$main_node" != "nil" ]; then
|
||||
filter_rules $main_node $stream
|
||||
else
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
filter_rules $default_node $stream
|
||||
fi
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil)
|
||||
[ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil"
|
||||
[ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream
|
||||
fi
|
||||
:<<!
|
||||
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
|
||||
local default_node_port=$(config_n_get $default_node port)
|
||||
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
#local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
|
||||
local shunt_proxy=0
|
||||
local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
|
||||
[ "$shunt_node" != "nil" ] && {
|
||||
[ "$shunt_proxy" == 1 ] && {
|
||||
local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1)
|
||||
local shunt_node_port=$(config_n_get $shunt_node port)
|
||||
[ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && {
|
||||
shunt_proxy=0
|
||||
}
|
||||
}
|
||||
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
|
||||
}
|
||||
[ "$shunt_node" == "nil" -o "$shunt_node" == "_default" -o "$shunt_node" == "_direct" -o "$shunt_node" == "_blackhole" ] && continue
|
||||
local shunt_node_address=$(config_n_get $shunt_node address)
|
||||
[ -z "$shunt_node_address" ] && continue
|
||||
local shunt_proxy_tag=$(config_n_get $proxy_node "${shunt_id}_proxy_tag" nil)
|
||||
[ "$shunt_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && shunt_proxy_tag="nil"
|
||||
[ "$shunt_proxy_tag" == "nil" ] && filter_rules $shunt_node $stream
|
||||
done
|
||||
!
|
||||
else
|
||||
#echolog " - 普通节点(${proxy_type})..."
|
||||
filter_rules "$proxy_node" "$stream"
|
||||
@ -704,7 +707,6 @@ add_firewall_rule() {
|
||||
$ipt_n -N PSW2_OUTPUT
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
$ipt_n -N PSW2_REDIRECT
|
||||
@ -742,7 +744,6 @@ add_firewall_rule() {
|
||||
echolog " - [$?]追加直连DNS到iptables:${dns_address}:${dns_port:-53}"
|
||||
done
|
||||
}
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
ip rule add fwmark 1 lookup 100
|
||||
@ -757,7 +758,6 @@ add_firewall_rule() {
|
||||
$ip6t_n -N PSW2_OUTPUT
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
}
|
||||
|
||||
@ -787,7 +787,6 @@ add_firewall_rule() {
|
||||
$ip6t_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
|
||||
ip -6 rule add fwmark 1 table 100
|
||||
ip -6 route add local ::/0 dev lo table 100
|
||||
@ -852,12 +851,14 @@ add_firewall_rule() {
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
|
||||
$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2_OUTPUT -p icmp $(dst $ipset_global_whitelist) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT -p icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW2_OUTPUT
|
||||
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
|
||||
}
|
||||
|
||||
@ -868,6 +869,7 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
$ipt_tmp -A PSW2_OUTPUT -p tcp -d $FAKE_IP ${ipt_j}
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2_OUTPUT -p tcp $(dst $ipset_global_whitelist) -j RETURN
|
||||
$ipt_tmp -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") ${ipt_j}
|
||||
[ -z "${is_tproxy}" ] && $ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
@ -878,6 +880,7 @@ add_firewall_rule() {
|
||||
|
||||
if [ "$PROXY_IPV6" == "1" ]; then
|
||||
$ip6t_m -A PSW2_OUTPUT -p tcp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT -p tcp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo $(REDIRECT $REDIR_PORT TPROXY)
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo -j RETURN
|
||||
@ -893,6 +896,7 @@ add_firewall_rule() {
|
||||
# 加载路由器自身代理 UDP
|
||||
if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
|
||||
$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2_OUTPUT -p udp $(dst $ipset_global_whitelist) -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
|
||||
$ipt_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
|
||||
@ -900,6 +904,7 @@ add_firewall_rule() {
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
$ip6t_m -A PSW2_OUTPUT -p udp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT -p udp $(dst $ipset_global_whitelist6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
|
||||
$ip6t_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
|
||||
|
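Review bot: The new early exit in `filter_node` only fires when both values are empty (`[ -z "$address" ] && [ -z "$port" ]`), so a node with an address but no port still falls through to the `grep -q "${address}:${port}"` check and the rule generation below it; if the guard is meant to skip misconfigured nodes rather than only the address-less meta nodes, `[ -z "$address" ] || [ -z "$port" ] && {` (or an explicit `if`) is needed, and a comment stating which case is intended would settle it either way. The `return 1` that replaces `return 0` on the `proxy_type == nil` line is reached only through `&& echolog … && return 1`, so the exit depends on `echolog` succeeding; an `if` block makes it unconditional. `filter_node` starts and ends outside these hunks.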
@ -380,28 +380,28 @@ load_acl() {
|
||||
nft_j="$(REDIRECT $redir_port)"
|
||||
fi
|
||||
|
||||
[ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP ${nft_j} comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ${nft_j} comment \"$remarks\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
@ -413,14 +413,14 @@ load_acl() {
|
||||
[ "$udp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
|
||||
msg2="${msg}使用 UDP 节点[$node_remark](TPROXY:${redir_port})"
|
||||
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
}
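Review bot: The UDP whitelist `return` that now follows the `ip daddr $FAKE_IP` jump is added, like every rule in this block, without checking nft's exit status, while neighbouring rules mix `2>/dev/null` with unsuppressed stderr; if `@$nftset_whitelist` does not exist or the rule is rejected, the failure is invisible and whitelisted destinations fall through to the `jump PSW2_RULE` rules below it. Consider appending `|| echolog "  - [$?] failed to add whitelist return rule for ${remarks}"` to the whitelist rule, and doing the same at the @ -473 and @ -505 hunks, which make the identical reorder for the default TCP and UDP chains. A one-line comment stating why the FAKE_IP rule must precede the whitelist `return` would also keep the next reader from "fixing" the order back.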
|
||||
@ -473,28 +473,28 @@ load_acl() {
|
||||
nft_j="$(REDIRECT $REDIR_PORT)"
|
||||
fi
|
||||
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
|
||||
}
|
||||
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr $FAKE_IP ${nft_j} comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ${nft_j} comment \"默认\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
|
||||
}
|
||||
@ -505,14 +505,14 @@ load_acl() {
|
||||
if [ "$UDP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
|
||||
msg2="${msg}使用 UDP 节点[$(config_n_get $NODE remarks)](TPROXY:${REDIR_PORT})"
|
||||
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
|
||||
}
|
||||
@ -563,6 +563,10 @@ filter_node() {
|
||||
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
|
||||
local address=$(config_n_get $node address)
|
||||
local port=$(config_n_get $node port)
|
||||
[ -z "$address" ] && [ -z "$port" ] && {
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 1
|
||||
}
|
||||
_is_tproxy=${is_tproxy}
|
||||
[ "$stream" == "udp" ] && _is_tproxy="TPROXY"
|
||||
if [ -n "${_is_tproxy}" ]; then
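Review bot: The new guard `[ -z "$address" ] && [ -z "$port" ]` only skips a node when both fields are empty; a node with an address but no port (or the reverse) passes, and the later `grep -q "${address}:${port}"` check then operates on a half-formed key. Unless a node type that legitimately carries only one of the two is expected here, the test should be `{ [ -z "$address" ] || [ -z "$port" ]; } && {`. The enclosing function starts before this hunk, so the remaining uses of `$address` and `$port` could not be checked from here.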
|
||||
@ -572,7 +576,7 @@ filter_node() {
|
||||
fi
|
||||
else
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 0
|
||||
return 1
|
||||
fi
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
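Review bot: `return 1` replaces `return 0` on the misconfigured-node path here and again in the @ -604 hunk, so the function now signals failure where it used to signal success; its call sites are outside this hunk, so whether any of them sits in an `&&` chain that would now stop loading the remaining nodes' rules should be confirmed. If callers are meant to carry on, a comment above the function would pin the contract, e.g. `# returns 1 when the node has no usable address/port; callers continue with the remaining nodes`.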
|
||||
@ -581,7 +585,6 @@ filter_node() {
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSLIST6
|
||||
nft "list chain $NFTABLE_NAME $nft_output_chain" 2>/dev/null | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
local dst_rule="jump PSW2_RULE"
|
||||
msg2="按规则路由(${msg})"
|
||||
[ -n "${is_tproxy}" ] || {
|
||||
@ -604,7 +607,7 @@ filter_node() {
|
||||
|
||||
local proxy_protocol=$(config_n_get $proxy_node protocol)
|
||||
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 1
|
||||
if [ "$proxy_protocol" == "_balancing" ]; then
|
||||
#echolog " - 多节点负载均衡(${proxy_type})..."
|
||||
proxy_node=$(config_n_get $proxy_node balancing_node)
|
||||
@ -613,36 +616,34 @@ filter_node() {
|
||||
done
|
||||
elif [ "$proxy_protocol" == "_shunt" ]; then
|
||||
#echolog " - 按请求目的地址分流(${proxy_type})..."
|
||||
local preproxy_enabled=$(config_n_get $proxy_node preproxy_enabled 0)
|
||||
[ "$preproxy_enabled" == "1" ] && {
|
||||
local preproxy_node=$(config_n_get $proxy_node main_node nil)
|
||||
[ "$preproxy_node" != "nil" ] && {
|
||||
local preproxy_node_address=$(config_n_get $preproxy_node address)
|
||||
if [ -n "$preproxy_node_address" ]; then
|
||||
filter_rules $preproxy_node $stream
|
||||
else
|
||||
preproxy_enabled=0
|
||||
fi
|
||||
}
|
||||
}
|
||||
local default_node=$(config_n_get $proxy_node default_node _direct)
|
||||
local main_node=$(config_n_get $proxy_node main_node nil)
|
||||
if [ "$main_node" != "nil" ]; then
|
||||
filter_rules $main_node $stream
|
||||
else
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
filter_rules $default_node $stream
|
||||
fi
|
||||
if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then
|
||||
local default_proxy_tag=$(config_n_get $proxy_node default_proxy_tag nil)
|
||||
[ "$default_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && default_proxy_tag="nil"
|
||||
[ "$default_proxy_tag" == "nil" ] && filter_rules $default_node $stream
|
||||
fi
|
||||
:<<!
|
||||
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
|
||||
local default_node_port=$(config_n_get $default_node port)
|
||||
|
||||
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
for shunt_id in $shunt_ids; do
|
||||
#local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
|
||||
local shunt_proxy=0
|
||||
local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
|
||||
[ "$shunt_node" != "nil" ] && {
|
||||
[ "$shunt_proxy" == 1 ] && {
|
||||
local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1)
|
||||
local shunt_node_port=$(config_n_get $shunt_node port)
|
||||
[ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && {
|
||||
shunt_proxy=0
|
||||
}
|
||||
}
|
||||
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
|
||||
}
|
||||
[ "$shunt_node" == "nil" -o "$shunt_node" == "_default" -o "$shunt_node" == "_direct" -o "$shunt_node" == "_blackhole" ] && continue
|
||||
local shunt_node_address=$(config_n_get $shunt_node address)
|
||||
[ -z "$shunt_node_address" ] && continue
|
||||
local shunt_proxy_tag=$(config_n_get $proxy_node "${shunt_id}_proxy_tag" nil)
|
||||
[ "$shunt_proxy_tag" == "main" ] && [ "$preproxy_enabled" == "0" ] && shunt_proxy_tag="nil"
|
||||
[ "$shunt_proxy_tag" == "nil" ] && filter_rules $shunt_node $stream
|
||||
done
|
||||
!
|
||||
else
|
||||
#echolog " - 普通节点(${proxy_type})..."
|
||||
filter_rules "$proxy_node" "$stream"
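Review bot: The shunt loop's skip test chains four comparisons with `-o` inside one `[ ]`, a form POSIX marks obsolescent; a `case` is portable and easier to read: `case "$shunt_node" in nil|_default|_direct|_blackhole) continue ;; esac`. The `local` declarations inside the `for` body are re-executed on every iteration, which is harmless in ash but hoisting them above the loop would match the surrounding style. The `_proxy_tag` handling that downgrades `main` to `nil` once `preproxy_enabled` has been reset to 0 presumably exists because such nodes are then reached directly and need their own bypass rules; since it silently changes which server addresses are exempted from interception, a one-line comment saying so would help, e.g. `# pre-proxy unusable: main-tagged nodes are reached directly, so exempt their addresses too`.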
|
||||
@ -792,7 +793,6 @@ add_firewall_rule() {
|
||||
echolog " - [$?]追加直连DNS到nftables:${dns_address}:${dns_port:-53}"
|
||||
done
|
||||
}
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE meta mark 0xff counter return"
|
||||
|
||||
# jump chains
|
||||
@ -812,7 +812,6 @@ add_firewall_rule() {
|
||||
nft "flush chain $NFTABLE_NAME PSW2_OUTPUT_NAT"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_NAT meta mark 0xff counter return"
|
||||
}
|
||||
|
||||
@ -822,12 +821,10 @@ add_firewall_rule() {
|
||||
nft "flush chain $NFTABLE_NAME PSW2_ICMP_REDIRECT"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip daddr @$nftset_global_whitelist counter return"
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
}
|
||||
|
||||
nft "add rule $NFTABLE_NAME dstnat meta l4proto {icmp,icmpv6} counter jump PSW2_ICMP_REDIRECT"
|
||||
@ -849,13 +846,11 @@ add_firewall_rule() {
|
||||
nft "flush chain $NFTABLE_NAME PSW2_MANGLE_V6"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6"
|
||||
nft "flush chain $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
||||
|
||||
# jump chains
|
||||
@ -927,12 +922,14 @@ add_firewall_rule() {
|
||||
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo ip protocol icmp counter return"
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr $FAKE_IP_6 counter redirect"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter redirect"
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
|
||||
}
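Review bot: The global-whitelist `return` is now inserted after the `ip daddr $FAKE_IP` rule in each loopback block here and in the @ -946, @ -956, @ -970 and @ -977 hunks, matching the protocol-agnostic returns removed from the chain preambles in the @ -792, @ -812, @ -822 and @ -849 hunks; presumably the intent is that fake-IP destinations always reach the proxy even when the resolved address is whitelisted, but nothing in the file states it. The ordering is now hand-maintained in more than a dozen places, so a comment at the first occurrence, e.g. `# FAKE_IP first: fake-DNS destinations must reach the proxy even if the real address is whitelisted`, would guard against a later cleanup hoisting the return back to the top. The IPv6 loopback ICMP block in this hunk is gated only on `accept_icmpv6`, while the equivalent block in load_acl additionally requires `PROXY_IPV6`; worth confirming that asymmetry is deliberate.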
|
||||
@ -946,6 +943,7 @@ add_firewall_rule() {
|
||||
fi
|
||||
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr $FAKE_IP ${nft_j}"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule $NFTABLE_NAME $nft_chain ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ${nft_j}"
|
||||
[ -z "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME nat_output ip protocol tcp counter jump PSW2_OUTPUT_NAT"
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
@ -956,6 +954,7 @@ add_firewall_rule() {
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
|
||||
@ -970,6 +969,7 @@ add_firewall_rule() {
|
||||
# 加载路由器自身代理 UDP
|
||||
if [ "$NODE" != "nil" ] && [ "$UDP_LOCALHOST_PROXY" = "1" ]; then
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp iif lo $(REDIRECT $REDIR_PORT TPROXY4) comment \"本机\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp iif lo counter return comment \"本机\""
|
||||
@ -977,6 +977,7 @@ add_firewall_rule() {
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW2_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
|
||||
|