mirror of
https://github.com/roacn/openwrt-packages.git
synced 2025-01-05 10:27:05 +08:00
🚀 Sync 2024-03-09 09:15
This commit is contained in:
github-actions[bot]
parent
2f2e5d46d4
commit
5d4f97cd8c
@ -7,5 +7,5 @@
|
||||
[ -f /usr/share/netdata/webcn/index.html ] && mv -f /usr/share/netdata/webcn/index.html /usr/share/netdata/web/index.html
|
||||
[ -f /usr/share/netdata/webcn/netdata.init ] && mv -f /usr/share/netdata/webcn/netdata.init /etc/init.d/netdata
|
||||
rm -rf /tmp/luci-modulecache /tmp/luci-indexcache*
|
||||
chmod +x chmod +x /etc/init.d/netdata
|
||||
chmod +x /etc/init.d/netdata
|
||||
exit 0
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall2
|
||||
PKG_VERSION:=1.27-4
|
||||
PKG_VERSION:=1.27-5
|
||||
PKG_RELEASE:=
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
|
||||
@ -285,4 +285,8 @@ for k, v in pairs(nodes_table) do
|
||||
end
|
||||
end
|
||||
|
||||
o = s:option(Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances."))
|
||||
o.default = "1"
|
||||
o:depends({ node = "default", ['!reverse'] = true })
|
||||
|
||||
return m
|
||||
|
||||
@ -286,7 +286,11 @@ o.remove = function(self, section)
|
||||
end
|
||||
end
|
||||
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
|
||||
o = s:taboption("DNS", Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances."))
|
||||
o.default = "1"
|
||||
o.rmempty = false
|
||||
|
||||
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSet"), translate("Try this feature if the rule modification does not take effect."))
|
||||
o.inputstyle = "remove"
|
||||
function o.write(e, e)
|
||||
luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"passwall2_\")\" ] && sh /usr/share/" .. appname .. "/nftables.sh flush_nftset || sh /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
|
||||
|
||||
@ -536,8 +536,15 @@ function gen_config(var)
|
||||
local direct_nftset = var["-direct_nftset"]
|
||||
local remote_dns_udp_server = var["-remote_dns_udp_server"]
|
||||
local remote_dns_udp_port = var["-remote_dns_udp_port"]
|
||||
local remote_dns_tcp_server = var["-remote_dns_tcp_server"]
|
||||
local remote_dns_tcp_port = var["-remote_dns_tcp_port"]
|
||||
local remote_dns_doh_url = var["-remote_dns_doh_url"]
|
||||
local remote_dns_doh_host = var["-remote_dns_doh_host"]
|
||||
local remote_dns_doh_ip = var["-remote_dns_doh_ip"]
|
||||
local remote_dns_doh_port = var["-remote_dns_doh_port"]
|
||||
local remote_dns_fake = var["-remote_dns_fake"]
|
||||
local remote_dns_query_strategy = var["-remote_dns_query_strategy"]
|
||||
local remote_dns_detour = var["-remote_dns_detour"]
|
||||
local dns_cache = var["-dns_cache"]
|
||||
|
||||
local dns_domain_rules = {}
|
||||
@ -1060,9 +1067,9 @@ function gen_config(var)
|
||||
end
|
||||
end
|
||||
|
||||
if remote_dns_udp_server then
|
||||
if dns_listen_port then
|
||||
local rules = {}
|
||||
local _remote_dns_proto
|
||||
local _remote_dns_proto = "tcp"
|
||||
|
||||
if not routing then
|
||||
routing = {
|
||||
@ -1105,27 +1112,46 @@ function gen_config(var)
|
||||
end)
|
||||
end
|
||||
|
||||
local _remote_dns = nil
|
||||
if remote_dns_udp_server then
|
||||
_remote_dns = {
|
||||
_flag = "remote",
|
||||
address = remote_dns_udp_server,
|
||||
port = tonumber(remote_dns_udp_port) or 53,
|
||||
queryStrategy = (remote_dns_query_strategy and remote_dns_query_strategy ~= "") and remote_dns_query_strategy or "UseIPv4"
|
||||
}
|
||||
_remote_dns_proto = "udp"
|
||||
table.insert(dns.servers, _remote_dns)
|
||||
local _remote_dns = {
|
||||
_flag = "remote",
|
||||
queryStrategy = (remote_dns_query_strategy and remote_dns_query_strategy ~= "") and remote_dns_query_strategy or "UseIPv4"
|
||||
}
|
||||
|
||||
table.insert(routing.rules, 1, {
|
||||
type = "field",
|
||||
ip = {
|
||||
remote_dns_udp_server
|
||||
},
|
||||
port = tonumber(remote_dns_udp_port) or 53,
|
||||
network = _remote_dns_proto,
|
||||
outboundTag = "direct"
|
||||
})
|
||||
if remote_dns_udp_server then
|
||||
_remote_dns.address = remote_dns_udp_server
|
||||
_remote_dns.port = tonumber(remote_dns_udp_port) or 53
|
||||
_remote_dns_proto = "udp"
|
||||
end
|
||||
|
||||
if remote_dns_tcp_server then
|
||||
_remote_dns.address = "tcp://" .. remote_dns_tcp_server
|
||||
_remote_dns.port = tonumber(remote_dns_tcp_port) or 53
|
||||
_remote_dns_proto = "tcp"
|
||||
end
|
||||
|
||||
if remote_dns_doh_url and remote_dns_doh_host then
|
||||
if remote_dns_doh_ip and remote_dns_doh_host ~= remote_dns_doh_ip and not api.is_ip(remote_dns_doh_host) then
|
||||
dns.hosts[remote_dns_doh_host] = remote_dns_doh_ip
|
||||
end
|
||||
_remote_dns.address = remote_dns_doh_url
|
||||
_remote_dns.port = tonumber(remote_dns_doh_port) or 443
|
||||
end
|
||||
|
||||
if _remote_dns.address then
|
||||
table.insert(dns.servers, _remote_dns)
|
||||
if remote_dns_detour == "direct" then
|
||||
table.insert(routing.rules, 1, {
|
||||
type = "field",
|
||||
ip = {
|
||||
_remote_dns.address
|
||||
},
|
||||
port = _remote_dns.port,
|
||||
network = _remote_dns_proto,
|
||||
outboundTag = "direct"
|
||||
})
|
||||
end
|
||||
end
|
||||
|
||||
local _remote_fakedns = nil
|
||||
if remote_dns_fake then
|
||||
fakedns = {}
|
||||
@ -1192,8 +1218,7 @@ function gen_config(var)
|
||||
protocol = "dokodemo-door",
|
||||
tag = "dns-in",
|
||||
settings = {
|
||||
address = "1.1.1.1",
|
||||
port = 53,
|
||||
address = "0.0.0.0",
|
||||
network = "tcp,udp"
|
||||
}
|
||||
})
|
||||
@ -1214,12 +1239,9 @@ function gen_config(var)
|
||||
port = tonumber(remote_dns_udp_port) or 53,
|
||||
network = _remote_dns_proto or "tcp",
|
||||
nonIPQuery = "drop"
|
||||
},
|
||||
proxySettings = {
|
||||
tag = "direct"
|
||||
}
|
||||
}
|
||||
local type_dns = remote_type_dns
|
||||
local type_dns = direct_type_dns
|
||||
table.insert(outbounds, {
|
||||
tag = "dns-out",
|
||||
protocol = "dns",
|
||||
|
||||
@ -160,8 +160,14 @@ msgstr "需要代理的分流规则域名使用 FakeDNS。"
|
||||
msgid "Domain Override"
|
||||
msgstr "域名重写"
|
||||
|
||||
msgid "Clear IPSET"
|
||||
msgstr "清空 IPSET"
|
||||
msgid "Direct DNS result write to IPSet"
|
||||
msgstr "直连 DNS 解析结果写入到 IPSet"
|
||||
|
||||
msgid "Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances."
|
||||
msgstr "将匹配到的直连规则的域名解析IP写入到 IPSet/NFTSet,然后直连(不进入内核)。可能和某些特殊情况冲突。"
|
||||
|
||||
msgid "Clear IPSet"
|
||||
msgstr "清空 IPSet"
|
||||
|
||||
msgid "Try this feature if the rule modification does not take effect."
|
||||
msgstr "如果修改规则后没有生效,请尝试此功能。"
|
||||
|
||||
@ -286,7 +286,7 @@ lua_api() {
|
||||
|
||||
run_xray() {
|
||||
local flag node redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
|
||||
local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache
|
||||
local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache write_ipset_direct
|
||||
local loglevel log_file config_file
|
||||
local _extra_param=""
|
||||
eval_set_val $@
|
||||
@ -308,38 +308,50 @@ run_xray() {
|
||||
[ -n "$http_username" ] && [ -n "$http_password" ] && _extra_param="${_extra_param} -local_http_username $http_username -local_http_password $http_password"
|
||||
|
||||
[ -n "$dns_listen_port" ] && {
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp)
|
||||
local set_flag="${flag}"
|
||||
local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
[ -n "$(echo ${flag} | grep '^acl')" ] && {
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf
|
||||
set_flag=$(echo ${flag} | awk -F '_' '{print $2}')
|
||||
}
|
||||
if [ "${nftflag}" = "1" ]; then
|
||||
local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6"
|
||||
else
|
||||
local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6"
|
||||
fi
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
_extra_param="${_extra_param} -dns_listen_port ${dns_listen_port}"
|
||||
[ -n "$dns_cache" ] && _extra_param="${_extra_param} -dns_cache ${dns_cache}"
|
||||
|
||||
V2RAY_DNS_REMOTE_CONFIG="${TMP_PATH}/${flag}_dns_remote.json"
|
||||
V2RAY_DNS_REMOTE_LOG="${TMP_PATH}/${flag}_dns_remote.log"
|
||||
V2RAY_DNS_REMOTE_LOG="/dev/null"
|
||||
V2RAY_DNS_REMOTE_ARGS="-dns_out_tag remote"
|
||||
dns_remote_listen_port=$(get_new_port $(expr $direct_dnsmasq_listen_port + 1) udp)
|
||||
V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -dns_listen_port ${dns_remote_listen_port}"
|
||||
local _dns=$(get_first_dns AUTO_DNS 53 | sed 's/#/:/g')
|
||||
local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
|
||||
local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
|
||||
|
||||
DIRECT_DNS_UDP_SERVER=${_dns_address}
|
||||
DIRECT_DNS_UDP_PORT=${_dns_port}
|
||||
|
||||
[ "${write_ipset_direct}" = "1" ] && {
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp)
|
||||
local set_flag="${flag}"
|
||||
local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
[ -n "$(echo ${flag} | grep '^acl')" ] && {
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf
|
||||
set_flag=$(echo ${flag} | awk -F '_' '{print $2}')
|
||||
}
|
||||
if [ "${nftflag}" = "1" ]; then
|
||||
local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6"
|
||||
else
|
||||
local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6"
|
||||
fi
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port}
|
||||
DIRECT_DNS_UDP_SERVER="127.0.0.1"
|
||||
[ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}"
|
||||
[ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}"
|
||||
}
|
||||
_extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy UseIP"
|
||||
|
||||
DNS_REMOTE_ARGS=""
|
||||
case "$remote_dns_protocol" in
|
||||
udp)
|
||||
local _dns=$(get_first_dns remote_dns_udp_server 53 | sed 's/#/:/g')
|
||||
local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
|
||||
local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
|
||||
V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_udp_port ${_dns_port} -remote_dns_udp_server ${_dns_address}"
|
||||
DNS_REMOTE_ARGS="-remote_dns_udp_port ${_dns_port} -remote_dns_udp_server ${_dns_address}"
|
||||
;;
|
||||
tcp)
|
||||
local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g')
|
||||
local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
|
||||
local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
|
||||
V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_tcp_port ${_dns_port} -remote_dns_tcp_server ${_dns_address}"
|
||||
DNS_REMOTE_ARGS="-remote_dns_tcp_port ${_dns_port} -remote_dns_tcp_server ${_dns_address}"
|
||||
;;
|
||||
doh)
|
||||
local _doh_url=$(echo $remote_dns_doh | awk -F ',' '{print $1}')
|
||||
@ -351,26 +363,29 @@ run_xray() {
|
||||
[ -z "${_doh_port}" ] && _doh_port=443
|
||||
local _doh_bootstrap=$(echo $remote_dns_doh | cut -d ',' -sf 2-)
|
||||
[ "${is_ip}" = "true" ] && _doh_bootstrap=${_doh_host}
|
||||
[ -n "$_doh_bootstrap" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_doh_ip ${_doh_bootstrap}"
|
||||
V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}"
|
||||
DNS_REMOTE_ARGS="-remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}"
|
||||
[ -n "$_doh_bootstrap" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -remote_dns_doh_ip ${_doh_bootstrap}"
|
||||
;;
|
||||
esac
|
||||
[ -n "$remote_dns_detour" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_detour ${remote_dns_detour}"
|
||||
|
||||
[ -n "$remote_dns_query_strategy" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_query_strategy ${remote_dns_query_strategy}"
|
||||
[ -n "$remote_dns_client_ip" ] && V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -dns_client_ip ${remote_dns_client_ip}"
|
||||
|
||||
V2RAY_DNS_REMOTE_ARGS="${V2RAY_DNS_REMOTE_ARGS} -remote_dns_outbound_socks_address 127.0.0.1 -remote_dns_outbound_socks_port ${socks_port}"
|
||||
lua $UTIL_XRAY gen_dns_config ${V2RAY_DNS_REMOTE_ARGS} > $V2RAY_DNS_REMOTE_CONFIG
|
||||
ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $V2RAY_DNS_REMOTE_LOG run -c "$V2RAY_DNS_REMOTE_CONFIG"
|
||||
|
||||
[ -n "$dns_listen_port" ] && _extra_param="${_extra_param} -dns_listen_port ${dns_listen_port}"
|
||||
[ -n "$dns_cache" ] && _extra_param="${_extra_param} -dns_cache ${dns_cache}"
|
||||
_extra_param="${_extra_param} -direct_dns_udp_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1 -direct_dns_query_strategy UseIP"
|
||||
[ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}"
|
||||
[ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}"
|
||||
_extra_param="${_extra_param} -remote_dns_udp_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1 -remote_dns_query_strategy ${remote_dns_query_strategy}"
|
||||
[ -n "$remote_dns_detour" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -remote_dns_detour ${remote_dns_detour}"
|
||||
[ -n "$remote_dns_query_strategy" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -remote_dns_query_strategy ${remote_dns_query_strategy}"
|
||||
[ -n "$remote_dns_client_ip" ] && DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -dns_client_ip ${remote_dns_client_ip}"
|
||||
[ "$remote_fakedns" = "1" ] && _extra_param="${_extra_param} -remote_dns_fake 1 -remote_dns_fake_strategy ${remote_dns_query_strategy}"
|
||||
|
||||
local independent_dns
|
||||
if [ -z "${independent_dns}" ]; then
|
||||
_extra_param="${_extra_param} ${DNS_REMOTE_ARGS}"
|
||||
else
|
||||
dns_remote_listen_port=$(get_new_port $(expr ${direct_dnsmasq_listen_port:-${dns_listen_port}} + 1) udp)
|
||||
V2RAY_DNS_REMOTE_CONFIG="${TMP_PATH}/${flag}_dns_remote.json"
|
||||
V2RAY_DNS_REMOTE_LOG="${TMP_PATH}/${flag}_dns_remote.log"
|
||||
V2RAY_DNS_REMOTE_LOG="/dev/null"
|
||||
DNS_REMOTE_ARGS="${DNS_REMOTE_ARGS} -dns_out_tag remote -dns_listen_port ${dns_remote_listen_port} -remote_dns_outbound_socks_address 127.0.0.1 -remote_dns_outbound_socks_port ${socks_port}"
|
||||
|
||||
lua $UTIL_XRAY gen_dns_config ${DNS_REMOTE_ARGS} > $V2RAY_DNS_REMOTE_CONFIG
|
||||
ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $V2RAY_DNS_REMOTE_LOG run -c "$V2RAY_DNS_REMOTE_CONFIG"
|
||||
_extra_param="${_extra_param} -remote_dns_udp_port ${dns_remote_listen_port} -remote_dns_udp_server 127.0.0.1 -remote_dns_query_strategy ${remote_dns_query_strategy}"
|
||||
fi
|
||||
}
|
||||
|
||||
lua $UTIL_XRAY gen_config -node $node -redir_port $redir_port -tcp_proxy_way $tcp_proxy_way -loglevel $loglevel ${_extra_param} > $config_file
|
||||
@ -379,7 +394,7 @@ run_xray() {
|
||||
|
||||
run_singbox() {
|
||||
local flag node redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
|
||||
local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache
|
||||
local dns_listen_port remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_detour remote_fakedns remote_dns_query_strategy dns_cache write_ipset_direct
|
||||
local loglevel log_file config_file
|
||||
local _extra_param=""
|
||||
eval_set_val $@
|
||||
@ -408,23 +423,33 @@ run_singbox() {
|
||||
[ -n "$http_username" ] && [ -n "$http_password" ] && _extra_param="${_extra_param} -local_http_username $http_username -local_http_password $http_password"
|
||||
|
||||
[ -n "$dns_listen_port" ] && {
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp)
|
||||
local set_flag="${flag}"
|
||||
local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
[ -n "$(echo ${flag} | grep '^acl')" ] && {
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf
|
||||
set_flag=$(echo ${flag} | awk -F '_' '{print $2}')
|
||||
local _dns=$(get_first_dns AUTO_DNS 53 | sed 's/#/:/g')
|
||||
local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
|
||||
local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
|
||||
|
||||
DIRECT_DNS_UDP_SERVER=${_dns_address}
|
||||
DIRECT_DNS_UDP_PORT=${_dns_port}
|
||||
|
||||
[ "${write_ipset_direct}" = "1" ] && {
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp)
|
||||
local set_flag="${flag}"
|
||||
local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
[ -n "$(echo ${flag} | grep '^acl')" ] && {
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf
|
||||
set_flag=$(echo ${flag} | awk -F '_' '{print $2}')
|
||||
}
|
||||
if [ "${nftflag}" = "1" ]; then
|
||||
local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6"
|
||||
else
|
||||
local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6"
|
||||
fi
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port}
|
||||
DIRECT_DNS_UDP_SERVER="127.0.0.1"
|
||||
[ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}"
|
||||
[ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}"
|
||||
}
|
||||
if [ "${nftflag}" = "1" ]; then
|
||||
local direct_nftset="4#inet#fw4#passwall2_${set_flag}_whitelist,6#inet#fw4#passwall2_${set_flag}_whitelist6"
|
||||
else
|
||||
local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6"
|
||||
fi
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
|
||||
_extra_param="${_extra_param} -direct_dns_udp_port ${direct_dnsmasq_listen_port} -direct_dns_udp_server 127.0.0.1 -direct_dns_query_strategy UseIP"
|
||||
[ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}"
|
||||
[ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}"
|
||||
_extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy UseIP"
|
||||
|
||||
case "$remote_dns_protocol" in
|
||||
udp)
|
||||
@ -688,6 +713,8 @@ run_global() {
|
||||
node_http_port=$(config_t_get global node_http_port 0)
|
||||
[ "$node_http_port" != "0" ] && V2RAY_ARGS="${V2RAY_ARGS} http_port=${node_http_port}"
|
||||
|
||||
V2RAY_ARGS="${V2RAY_ARGS} write_ipset_direct=${WRITE_IPSET_DIRECT}"
|
||||
|
||||
local run_func
|
||||
[ -n "${XRAY_BIN}" ] && run_func="run_xray"
|
||||
[ -n "${SINGBOX_BIN}" ] && run_func="run_singbox"
|
||||
@ -930,6 +957,8 @@ acl_app() {
|
||||
remote_fakedns=${remote_fakedns:-0}
|
||||
remote_dns_query_strategy=${remote_dns_query_strategy:-UseIPv4}
|
||||
|
||||
write_ipset_direct=${write_ipset_direct:-1}
|
||||
|
||||
[ "$node" != "nil" ] && {
|
||||
if [ "$node" = "default" ]; then
|
||||
node=$NODE
|
||||
@ -955,7 +984,7 @@ acl_app() {
|
||||
elif [ "${type}" = "sing-box" ] && [ -n "${SINGBOX_BIN}" ]; then
|
||||
run_func="run_singbox"
|
||||
fi
|
||||
${run_func} flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_query_strategy=UseIP remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_detour=${remote_dns_detour} remote_fakedns=${remote_fakedns} remote_dns_query_strategy=${remote_dns_query_strategy} config_file=${config_file}
|
||||
${run_func} flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_query_strategy=UseIP remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_detour=${remote_dns_detour} remote_fakedns=${remote_fakedns} remote_dns_query_strategy=${remote_dns_query_strategy} write_ipset_direct=${write_ipset_direct} config_file=${config_file}
|
||||
fi
|
||||
dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
|
||||
redirect_dns_port=$dnsmasq_port
|
||||
@ -1098,6 +1127,7 @@ REMOTE_DNS_DETOUR=$(config_t_get global remote_dns_detour remote)
|
||||
REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')
|
||||
REMOTE_FAKEDNS=$(config_t_get global remote_fakedns '0')
|
||||
REMOTE_DNS_QUERY_STRATEGY=$(config_t_get global remote_dns_query_strategy UseIPv4)
|
||||
WRITE_IPSET_DIRECT=$(config_t_get global write_ipset_direct 1)
|
||||
DNS_CACHE=$(config_t_get global dns_cache 1)
|
||||
|
||||
RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
|
||||
|
||||
@ -208,6 +208,8 @@ load_acl() {
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port)
|
||||
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
|
||||
|
||||
write_ipset_direct=${write_ipset_direct:-1}
|
||||
|
||||
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
|
||||
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
|
||||
@ -249,7 +251,7 @@ load_acl() {
|
||||
msg2="${msg2}(REDIRECT:${redir_port})代理"
|
||||
fi
|
||||
|
||||
$ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_tmp -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A PSW2 $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
|
||||
@ -277,7 +279,7 @@ load_acl() {
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
|
||||
fi
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
@ -302,13 +304,13 @@ load_acl() {
|
||||
}
|
||||
msg2="${msg2}所有端口"
|
||||
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY)
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
@ -348,7 +350,7 @@ load_acl() {
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
|
||||
msg="${msg}所有端口"
|
||||
|
||||
$ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_tmp -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
|
||||
@ -370,7 +372,7 @@ load_acl() {
|
||||
fi
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
@ -396,13 +398,13 @@ load_acl() {
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
|
||||
msg="${msg}所有端口"
|
||||
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
|
||||
if [ "$PROXY_IPV6_UDP" == "1" ]; then
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
|
||||
$ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
|
||||
@ -621,7 +623,7 @@ add_firewall_rule() {
|
||||
$ipt_n -N PSW2_OUTPUT
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
$ipt_n -N PSW2_REDIRECT
|
||||
@ -659,7 +661,7 @@ add_firewall_rule() {
|
||||
echolog " - [$?]追加直连DNS到iptables:${dns_address}:${dns_port:-53}"
|
||||
done
|
||||
}
|
||||
$ipt_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ipt_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist) ! -d $FAKE_IP -j RETURN
|
||||
$ipt_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
|
||||
ip rule add fwmark 1 lookup 100
|
||||
@ -674,7 +676,7 @@ add_firewall_rule() {
|
||||
$ip6t_n -N PSW2_OUTPUT
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_n -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
}
|
||||
|
||||
@ -704,7 +706,7 @@ add_firewall_rule() {
|
||||
$ip6t_m -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && $ip6t_m -A PSW2_OUTPUT $(dst $ipset_global_whitelist6) ! -d $FAKE_IP_6 -j RETURN
|
||||
|
||||
ip -6 rule add fwmark 1 table 100
|
||||
ip -6 route add local ::/0 dev lo table 100
|
||||
|
||||
@ -237,6 +237,8 @@ load_acl() {
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port)
|
||||
[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
|
||||
|
||||
write_ipset_direct=${write_ipset_direct:-1}
|
||||
|
||||
for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
|
||||
if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
|
||||
@ -274,8 +276,8 @@ load_acl() {
|
||||
msg2="${msg2}(REDIRECT:${redir_port})代理"
|
||||
fi
|
||||
|
||||
[ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
|
||||
@ -306,7 +308,7 @@ load_acl() {
|
||||
fi
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
@ -331,13 +333,13 @@ load_acl() {
|
||||
}
|
||||
msg2="${msg2}所有端口"
|
||||
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr @$nftset_whitelist counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW2_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") jump PSW2_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $redir_port TPROXY4) comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
@ -374,8 +376,8 @@ load_acl() {
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
|
||||
msg="${msg}所有端口"
|
||||
|
||||
[ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_NAT ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && [ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol tcp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
|
||||
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
nft "add rule inet fw4 PSW2_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
|
||||
@ -399,7 +401,7 @@ load_acl() {
|
||||
fi
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto tcp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
|
||||
@ -422,13 +424,13 @@ load_acl() {
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
|
||||
msg="${msg}所有端口"
|
||||
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr @$nftset_global_whitelist counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE ip protocol udp $(REDIRECT $REDIR_PORT TPROXY4) comment \"默认\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr @$nftset_global_whitelist6 counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp ip6 daddr $FAKE_IP_6 jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") jump PSW2_RULE comment \"默认\""
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 meta l4proto udp $(REDIRECT $REDIR_PORT TPROXY) comment \"默认\""
|
||||
@ -670,7 +672,7 @@ add_firewall_rule() {
|
||||
echolog " - [$?]追加直连DNS到nftables:${dns_address}:${dns_port:-53}"
|
||||
done
|
||||
}
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip daddr @$nftset_global_whitelist counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_OUTPUT_MANGLE ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE meta mark 0xff counter return"
|
||||
|
||||
# jump chains
|
||||
@ -689,7 +691,7 @@ add_firewall_rule() {
|
||||
nft "flush chain inet fw4 PSW2_OUTPUT_NAT"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$nftset_global_whitelist counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_OUTPUT_NAT ip daddr @$nftset_global_whitelist counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_NAT meta mark 0xff counter return"
|
||||
}
|
||||
|
||||
@ -723,13 +725,13 @@ add_firewall_rule() {
|
||||
nft "flush chain inet fw4 PSW2_MANGLE_V6"
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
|
||||
nft "add chain inet fw4 PSW2_OUTPUT_MANGLE_V6"
|
||||
nft "flush chain inet fw4 PSW2_OUTPUT_MANGLE_V6"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
[ "${WRITE_IPSET_DIRECT}" = "1" ] && nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 ip6 daddr @$nftset_global_whitelist6 counter return"
|
||||
nft "add rule inet fw4 PSW2_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
||||
|
||||
# jump chains
|
||||
|
||||
Loading…
Reference in New Issue
Block a user