🎁 Sync 2022-10-12 13:49

luci-app-passwall/Makefile

@@ -35,131 +35,131 @@ LUCI_TITLE:=LuCI support for PassWall
 LUCI_PKGARCH:=all
 LUCI_DEPENDS:=+coreutils +coreutils-base64 +coreutils-nohup +curl \
 	+dns2socks +dns2tcp +ip-full +libuci-lua +lua +luci-compat +luci-lib-jsonc \
-	+microsocks +resolveip +tcping +unzip \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Brook:brook \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG:chinadns-ng \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Haproxy:haproxy \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Hysteria:hysteria \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_NaiveProxy:naiveproxy \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client:shadowsocks-libev-ss-local \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client:shadowsocks-libev-ss-redir \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Server:shadowsocks-libev-ss-server \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Rust_Client:shadowsocks-rust-sslocal \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Rust_Server:shadowsocks-rust-ssserver \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client:shadowsocksr-libev-ssr-local \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client:shadowsocksr-libev-ssr-redir \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Server:shadowsocksr-libev-ssr-server \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Simple_Obfs:simple-obfs \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_GO:trojan-go \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus:trojan-plus \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_V2ray:v2ray-core \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin:v2ray-plugin \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Xray:xray-core \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_Xray_Plugin:xray-plugin
+	+microsocks +resolveip +tcping +unzip
 
 define Package/$(PKG_NAME)/config
-menu "Configuration"
+	if PACKAGE_$(PKG_NAME)
+		menu "PassWall Configuration"
+			config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy
+				bool "Iptables Transparent Proxy"
+				select PACKAGE_dnsmasq-full
+				select PACKAGE_ipset
+				select PACKAGE_ipt2socks
+				select PACKAGE_iptables
+				select PACKAGE_iptables-legacy
+				select PACKAGE_iptables-mod-conntrack-extra
+				select PACKAGE_iptables-mod-iprange
+				select PACKAGE_iptables-mod-socket
+				select PACKAGE_iptables-mod-tproxy
+				select PACKAGE_kmod-ipt-nat
+				default y if ! PACKAGE_firewall4
 
-config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy
-	bool "Iptables Transparent Proxy"
-	select PACKAGE_dnsmasq-full
-	select PACKAGE_ipset
-	select PACKAGE_ipt2socks
-	select PACKAGE_iptables
-	select PACKAGE_iptables-legacy
-	select PACKAGE_iptables-mod-conntrack-extra
-	select PACKAGE_iptables-mod-iprange
-	select PACKAGE_iptables-mod-socket
-	select PACKAGE_iptables-mod-tproxy
-	select PACKAGE_kmod-ipt-nat
-	default y if ! PACKAGE_firewall4
+			config PACKAGE_$(PKG_NAME)_Nftables_Transparent_Proxy
+				bool "Nftables Transparent Proxy"
+				select PACKAGE_dnsmasq-full
+				select PACKAGE_nftables
+				select PACKAGE_kmod-nft-socket
+				select PACKAGE_kmod-nft-tproxy
+				select PACKAGE_kmod-nft-nat
+				default y if PACKAGE_firewall4
 
-config PACKAGE_$(PKG_NAME)_Nftables_Transparent_Proxy
-	bool "Nftables Transparent Proxy"
-	select PACKAGE_dnsmasq-full
-	select PACKAGE_nftables
-	select PACKAGE_kmod-nft-socket
-	select PACKAGE_kmod-nft-tproxy
-	select PACKAGE_kmod-nft-nat
-	default y if PACKAGE_firewall4
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Brook
+				bool "Include Brook"
+				select PACKAGE_brook
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Brook
-	bool "Include Brook"
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG
+				bool "Include ChinaDNS-NG"
+				select PACKAGE_ipset
+				select PACKAGE_chinadns-ng
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG
-	bool "Include ChinaDNS-NG"
-	select PACKAGE_ipset
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Haproxy
+				bool "Include Haproxy"
+				select PACKAGE_haproxy
+				default y if aarch64||arm||i386||x86_64
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Haproxy
-	bool "Include Haproxy"
-	default y if aarch64||arm||i386||x86_64
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Hysteria
+				bool "Include Hysteria"
+				select PACKAGE_hysteria
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Hysteria
-	bool "Include Hysteria"
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_NaiveProxy
+				bool "Include NaiveProxy"
+				depends on !(arc||(arm&&TARGET_gemini)||armeb||mips||mips64||powerpc)
+				select PACKAGE_naiveproxy
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_NaiveProxy
-	bool "Include NaiveProxy"
-	depends on !(arc||(arm&&TARGET_gemini)||armeb||mips||mips64||powerpc)
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client
+				bool "Include Shadowsocks Libev Client"
+				select PACKAGE_shadowsocks-libev-ss-local
+				select PACKAGE_shadowsocks-libev-ss-redir
+				default y
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client
-	bool "Include Shadowsocks Libev Client"
-	default y
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Server
+				bool "Include Shadowsocks Libev Server"
+				select PACKAGE_shadowsocks-libev-ss-server
+				default y if aarch64||arm||i386||x86_64
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Server
-	bool "Include Shadowsocks Libev Server"
-	default y if aarch64||arm||i386||x86_64
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Rust_Client
+				bool "Include Shadowsocks Rust Client"
+				depends on aarch64||arm||i386||mips||mipsel||x86_64
+				select PACKAGE_shadowsocks-rust-sslocal
+				default y if aarch64
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Rust_Client
-	bool "Include Shadowsocks Rust Client"
-	depends on aarch64||arm||i386||mips||mipsel||x86_64
-	default y if aarch64
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Rust_Server
+				bool "Include Shadowsocks Rust Server"
+				depends on aarch64||arm||i386||mips||mipsel||x86_64
+				select PACKAGE_shadowsocks-rust-ssserver
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Rust_Server
-	bool "Include Shadowsocks Rust Server"
-	depends on aarch64||arm||i386||mips||mipsel||x86_64
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client
+				bool "Include ShadowsocksR Libev Client"
+				select PACKAGE_shadowsocksr-libev-ssr-local
+				select PACKAGE_shadowsocksr-libev-ssr-redir
+				default y
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client
-	bool "Include ShadowsocksR Libev Client"
-	default y
+			config PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Server
+				bool "Include ShadowsocksR Libev Server"
+				select PACKAGE_shadowsocksr-libev-ssr-server
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Server
-	bool "Include ShadowsocksR Libev Server"
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Simple_Obfs
+				bool "Include Simple-Obfs (Shadowsocks Plugin)"
+				select PACKAGE_simple-obfs
+				default y
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Simple_Obfs
-	bool "Include Simple-Obfs (Shadowsocks Plugin)"
-	default y
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_GO
+				bool "Include Trojan-GO"
+				select PACKAGE_trojan-go
+				default n
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_GO
-	bool "Include Trojan-GO"
-	default n
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus
+				bool "Include Trojan-Plus"
+				select PACKAGE_trojan-plus
+				default y
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus
-	bool "Include Trojan-Plus"
-	default y
+			config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray
+				bool "Include V2ray"
+				select PACKAGE_v2ray-core
+				default y if aarch64||arm||i386||x86_64
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray
-	bool "Include V2ray"
-	default y if aarch64||arm||i386||x86_64
+			config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin
+				bool "Include V2ray-Plugin (Shadowsocks Plugin)"
+				select PACKAGE_v2ray-plugin
+				default y if aarch64||arm||i386||x86_64
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray_Plugin
-	bool "Include V2ray-Plugin (Shadowsocks Plugin)"
-	default y if aarch64||arm||i386||x86_64
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Xray
+				bool "Include Xray"
+				select PACKAGE_xray-core
+				default y if aarch64||arm||i386||x86_64
 
-config PACKAGE_$(PKG_NAME)_INCLUDE_Xray
-	bool "Include Xray"
-	default y if aarch64||arm||i386||x86_64
-
-config PACKAGE_$(PKG_NAME)_INCLUDE_Xray_Plugin
-	bool "Include Xray-Plugin (Shadowsocks Plugin)"
-	default n
-
-endmenu
+			config PACKAGE_$(PKG_NAME)_INCLUDE_Xray_Plugin
+				bool "Include Xray-Plugin (Shadowsocks Plugin)"
+				select PACKAGE_xray-plugin
+				default n
+		endmenu
+	endif
 endef
 
 define Package/$(PKG_NAME)/conffiles

luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua

@@ -303,7 +303,7 @@ end
 o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
 o.inputstyle = "remove"
 function o.write(e, e)
-    luci.sys.call("/usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
+    luci.sys.call("[ -n \"$(nft list sets 2>/dev/null | grep \"gfwlist\")\" ] && /usr/share/" .. appname .. "/nftables.sh flush_nftset || /usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
     luci.http.redirect(api.url("log"))
 end
 

luci-app-passwall/luasrc/model/cbi/passwall/client/node_config.lua

@@ -15,7 +15,8 @@ local ss_encrypt_method_list = {
 
 local ss_rust_encrypt_method_list = {
     "plain", "none",
-    "aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"
+    "aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305",
+    "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm", "2022-blake3-chacha8-poly1305", "2022-blake3-chacha20-poly1305"
 }
 
 local ssr_encrypt_method_list = {

luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua

@@ -3,6 +3,8 @@ local appname = api.appname
 local fs = api.fs
 local has_v2ray = api.is_finded("v2ray")
 local has_xray = api.is_finded("xray")
+local has_fw3 = api.is_finded("fw3")
+local has_fw4 = api.is_finded("fw4")
 
 m = Map(appname)
 
@@ -95,6 +97,16 @@ o.default = "1:65535"
 o:value("1:65535", translate("All"))
 o:value("53", "DNS")
 
+---- Use nftables
+o = s:option(ListValue, "use_nft", translate("Firewall tools"))
+o.default = "0"
+if has_fw3 then
+    o:value("0", "IPtables")
+end
+if has_fw4 then
+    o:value("1", "NFtables")
+end
+
 if (os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod | grep -i TPROXY >/dev/null") == 0) or (os.execute("lsmod | grep -i nft_redir >/dev/null") == 0 and os.execute("lsmod | grep -i nft_tproxy >/dev/null") == 0) then
     o = s:option(ListValue, "tcp_proxy_way", translate("TCP Proxy Way"))
     o.default = "redirect"

luci-app-passwall/luasrc/model/cbi/passwall/server/api/app.lua

@@ -15,6 +15,8 @@ local require_dir = "luci.model.cbi.passwall.server.api."
 local ipt_bin = sys.exec("echo -n $(/usr/share/passwall/iptables.sh get_ipt_bin)")
 local ip6t_bin = sys.exec("echo -n $(/usr/share/passwall/iptables.sh get_ip6t_bin)")
 
+local nft_flag = sys.exec("command -v fw4") and "1" or "0"
+
 local function log(...)
 	local f, err = io.open(LOG_APP_FILE, "a")
     if f and err == nil then
@@ -47,6 +49,11 @@ end
 
 local function gen_include()
     cmd(string.format("echo '#!/bin/sh' > /tmp/etc/%s.include", CONFIG))
+    if nft_flag == "1" then
+        cmd("echo \"\" > " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft")
+        local nft_cmd="for chain in $(nft -a list chains |grep -E \"chain PSW-SERVER\" |awk -F ' ' '{print$2}'); do\n nft list chain inet fw4 ${chain} >> " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n done"
+        cmd(nft_cmd)
+    end
     local function extract_rules(n, a)
         local _ipt = ipt_bin
         if n == "6" then
@@ -59,15 +66,21 @@ local function gen_include()
     end
     local f, err = io.open("/tmp/etc/" .. CONFIG .. ".include", "a")
     if f and err == nil then
-        f:write(ipt_bin .. '-save -c | grep -v "PSW-SERVER" | ' .. ipt_bin .. '-restore -c' .. "\n")
-        f:write(ipt_bin .. '-restore -n <<-EOT' .. "\n")
-        f:write(extract_rules("4", "filter") .. "\n")
-        f:write("EOT" .. "\n")
-        f:write(ip6t_bin .. '-save -c | grep -v "PSW-SERVER" | ' .. ip6t_bin .. '-restore -c' .. "\n")
-        f:write(ip6t_bin .. '-restore -n <<-EOT' .. "\n")
-        f:write(extract_rules("6", "filter") .. "\n")
-        f:write("EOT" .. "\n")
-        f:close()
+        if nft_flag == "0" then
+            f:write(ipt_bin .. '-save -c | grep -v "PSW-SERVER" | ' .. ipt_bin .. '-restore -c' .. "\n")
+            f:write(ipt_bin .. '-restore -n <<-EOT' .. "\n")
+            f:write(extract_rules("4", "filter") .. "\n")
+            f:write("EOT" .. "\n")
+            f:write(ip6t_bin .. '-save -c | grep -v "PSW-SERVER" | ' .. ip6t_bin .. '-restore -c' .. "\n")
+            f:write(ip6t_bin .. '-restore -n <<-EOT' .. "\n")
+            f:write(extract_rules("6", "filter") .. "\n")
+            f:write("EOT" .. "\n")
+            f:close()
+        else
+            f:write("nft -f " .. CONFIG_PATH .. "/" .. CONFIG .. ".nft\n")
+            f:write("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER")
+            f:close()
+        end
     end
 end
 
@@ -78,10 +91,15 @@ local function start()
     end
     cmd(string.format("mkdir -p %s %s", CONFIG_PATH, TMP_BIN_PATH))
     cmd(string.format("touch %s", LOG_APP_FILE))
-    ipt("-N PSW-SERVER")
-    ipt("-I INPUT -j PSW-SERVER")
-    ip6t("-N PSW-SERVER")
-    ip6t("-I INPUT -j PSW-SERVER")
+	if nft_flag == "0" then
+        ipt("-N PSW-SERVER")
+        ipt("-I INPUT -j PSW-SERVER")
+        ip6t("-N PSW-SERVER")
+        ip6t("-I INPUT -j PSW-SERVER")
+	else
+        cmd("nft add chain inet fw4 PSW-SERVER\n")
+        cmd("nft insert rule inet fw4 input position 0 counter jump PSW-SERVER")
+    end
     uci:foreach(CONFIG, "user", function(user)
         local id = user[".name"]
         local enable = user.enable
@@ -168,12 +186,19 @@ local function start()
 
             local bind_local = user.bind_local or 0
             if bind_local and tonumber(bind_local) ~= 1 then
-                ipt(string.format('-A PSW-SERVER -p tcp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
-                ip6t(string.format('-A PSW-SERVER -p tcp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
-                if udp_forward == 1 then
-                    ipt(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
-                    ip6t(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
-                end 
+                if nft_flag == "0" then
+                    ipt(string.format('-A PSW-SERVER -p tcp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
+                    ip6t(string.format('-A PSW-SERVER -p tcp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
+                    if udp_forward == 1 then
+                        ipt(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
+                        ip6t(string.format('-A PSW-SERVER -p udp --dport %s -m comment --comment "%s" -j ACCEPT', port, remarks))
+                    end
+                else	
+                    cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto tcp tcp dport {%s} accept', port))
+                    if udp_forward == 1 then
+                        cmd(string.format('nft add rule inet fw4 PSW-SERVER meta l4proto udp udp dport {%s} accept', port))
+                    end
+                end
             end
         end
     end)
@@ -182,12 +207,19 @@ end
 
 local function stop()
     cmd(string.format("top -bn1 | grep -v 'grep' | grep '%s/' | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1", CONFIG_PATH))
-    ipt("-D INPUT -j PSW-SERVER 2>/dev/null")
-    ipt("-F PSW-SERVER 2>/dev/null")
-    ipt("-X PSW-SERVER 2>/dev/null")
-    ip6t("-D INPUT -j PSW-SERVER 2>/dev/null")
-    ip6t("-F PSW-SERVER 2>/dev/null")
-    ip6t("-X PSW-SERVER 2>/dev/null")
+    if nft_flag == "0" then
+        ipt("-D INPUT -j PSW-SERVER 2>/dev/null")
+        ipt("-F PSW-SERVER 2>/dev/null")
+        ipt("-X PSW-SERVER 2>/dev/null")
+        ip6t("-D INPUT -j PSW-SERVER 2>/dev/null")
+        ip6t("-F PSW-SERVER 2>/dev/null")
+        ip6t("-X PSW-SERVER 2>/dev/null")
+	else
+        nft_cmd="handles=$(nft -a list chain inet fw4 input | grep -E \"PSW-SERVER\" | awk -F '# handle ' '{print$2}')\n for handle in $handles; do\n nft delete rule inet fw4 input handle ${handle} 2>/dev/null\n done"
+        cmd(nft_cmd)
+        cmd("nft flush chain inet fw4 PSW-SERVER 2>/dev/null")
+        cmd("nft delete chain inet fw4 PSW-SERVER 2>/dev/null")
+    end
     cmd(string.format("rm -rf %s %s /tmp/etc/%s.include", CONFIG_PATH, LOG_APP_FILE, CONFIG))
 end
 

luci-app-passwall/po/zh-cn/passwall.po

@@ -1114,6 +1114,9 @@ msgstr "节点数量"
 msgid "You can only set up a maximum of %s nodes for the time being, Used for access control."
 msgstr "目前最多只能设置%s个节点，用于给访问控制使用。"
 
+msgid "Firewall tools"
+msgstr "防火墙工具"
+
 msgid "IPv6 TProxy"
 msgstr "IPv6透明代理(TProxy)"
 

luci-app-passwall/root/usr/share/passwall/0_default_config

@@ -32,6 +32,7 @@ config global_forwarding
 	option tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443'
 	option udp_redir_ports '1:65535'
 	option accept_icmp '0'
+	option use_nft '0'
 	option tcp_proxy_way 'redirect'
 	option ipv6_tproxy '0'
 	option sniffing '1'

luci-app-passwall/root/usr/share/passwall/app.sh

@@ -1349,14 +1349,13 @@ start() {
 	start_haproxy
 	start_socks
 	nftflag=0
+	local use_nft=$(config_t_get global_forwarding use_nft 0)
 
 	[ "$NO_PROXY" == 1 ] || {
-		if [ -n "$(command -v fw4)" ] && [ -z "$(dnsmasq --version | grep 'nftset')" ]; then
-			echolog "检测到fw4防火墙，但Dnsmasq软件包不满足nftables透明代理要求，如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
-		fi
-
-		if [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ]; then
-			echolog "检测fw4防火墙，使用nftables进行透明代理，一些不支持nftables的组件如smartdns分流等将不可用。"
+		if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
+			echolog "Dnsmasq软件包不满足nftables透明代理要求，如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
+		elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
+			echolog "使用nftables进行透明代理，一些不支持nftables的组件如smartdns分流等将不可用。"
 			nftflag=1
 			start_redir TCP
 			start_redir UDP
@@ -1379,7 +1378,8 @@ start() {
 
 stop() {
 	clean_log
-	[ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ] && source $APP_PATH/nftables.sh stop || source $APP_PATH/iptables.sh stop
+	[ -n "$($(source $APP_PATH/iptables.sh get_ipt_bin) -t mangle -t nat -L -nv 2>/dev/null | grep "PSW")" ] && source $APP_PATH/iptables.sh stop
+	[ -n "$(nft list chains 2>/dev/null | grep "PSW")" ] && source $APP_PATH/nftables.sh stop
 	delete_ip2route
 	kill_all v2ray-plugin obfs-local
 	pgrep -f "sleep.*(6s|9s|58s)" | xargs kill -9 >/dev/null 2>&1

luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua

@@ -168,7 +168,7 @@ local dnsmasq_default_dns
 local cache_text = ""
 local subscribe_proxy=uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0"
 local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)")
-local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules
+local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules .. NFTFLAG
 if fs.access(CACHE_TEXT_FILE) then
     for line in io.lines(CACHE_TEXT_FILE) do
         cache_text = line
@@ -211,7 +211,7 @@ if not fs.access(CACHE_DNS_PATH) then
         local address = t.address
         if datatypes.hostname(address) then
             set_domain_dns(address, LOCAL_DNS)
-            set_domain_ipset(address, "vpsiplist,vpsiplist6")
+            set_domain_ipset(address, setflag .. "vpsiplist," .. setflag .. "vpsiplist6")
         end
     end)
     log(string.format("  - 节点列表中的域名(vpsiplist)：%s", LOCAL_DNS or "默认"))
@@ -221,19 +221,19 @@ if not fs.access(CACHE_DNS_PATH) then
         if line ~= "" and not line:find("#") then
             add_excluded_domain(line)
             set_domain_dns(line, LOCAL_DNS)
-            set_domain_ipset(line, "whitelist,whitelist6")
+            set_domain_ipset(line, setflag .. "whitelist," .. setflag .. "whitelist6")
         end
     end
     log(string.format("  - 域名白名单(whitelist)：%s", LOCAL_DNS or "默认"))
 
     local fwd_dns = LOCAL_DNS
-    local ipset_flag = setflag.."whitelist,"..setflag.."whitelist6"
+    local ipset_flag = setflag .. "whitelist," .. setflag .. "whitelist6"
     local no_ipv6
     if subscribe_proxy == "1" then
         fwd_dns = TUN_DNS
-        ipset_flag = setflag.."blacklist,"..setflag.."blacklist6"
+        ipset_flag = setflag .. "blacklist," .. setflag .. "blacklist6"
         if NO_PROXY_IPV6 == "1" then
-            ipset_flag = setflag.."blacklist"
+            ipset_flag = setflag .. "blacklist"
             no_ipv6 = true
         end
         if not only_global then
@@ -258,10 +258,10 @@ if not fs.access(CACHE_DNS_PATH) then
     for line in io.lines("/usr/share/passwall/rules/proxy_host") do
         if line ~= "" and not line:find("#") then
             add_excluded_domain(line)
-            local ipset_flag = setflag.."blacklist,"..setflag.."blacklist6"
+            local ipset_flag = setflag .. "blacklist," .. setflag .. "blacklist6"
             if NO_PROXY_IPV6 == "1" then
                 set_domain_address(line, "::")
-                ipset_flag = setflag.."blacklist"
+                ipset_flag = setflag .. "blacklist"
             end
             if REMOTE_FAKEDNS == "1" then
                 ipset_flag = nil
@@ -289,12 +289,12 @@ if not fs.access(CACHE_DNS_PATH) then
 
                 if _node_id == "_direct" then
                     fwd_dns = LOCAL_DNS
-                    ipset_flag = setflag.."whitelist,"..setflag.."whitelist6"
+                    ipset_flag = setflag .. "whitelist," .. setflag .. "whitelist6"
                 else
                     fwd_dns = TUN_DNS
-                    ipset_flag = setflag.."shuntlist,"..setflag.."shuntlist6"
+                    ipset_flag = setflag .. "shuntlist," .. setflag .. "shuntlist6"
                     if NO_PROXY_IPV6 == "1" then
-                        ipset_flag = setflag.."shuntlist"
+                        ipset_flag = setflag .. "shuntlist"
                         no_ipv6 = true
                     end
                     if not only_global then
@@ -332,9 +332,9 @@ if not fs.access(CACHE_DNS_PATH) then
             local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
             for line in string.gmatch(gfwlist_str, "[^\r\n]+") do
                 if line ~= "" then
-                    local ipset_flag = setflag.."gfwlist,"..setflag.."gfwlist6"
+                    local ipset_flag = setflag .. "gfwlist," .. setflag .. "gfwlist6"
                     if NO_PROXY_IPV6 == "1" then
-                        ipset_flag = setflag.."gfwlist"
+                        ipset_flag = setflag .. "gfwlist"
                         set_domain_address(line, "::")
                     end
                     if not only_global then
@@ -360,7 +360,7 @@ if not fs.access(CACHE_DNS_PATH) then
                 for line in string.gmatch(chnlist_str, "[^\r\n]+") do
                     if line ~= "" then
                         set_domain_dns(line, fwd_dns)
-                        set_domain_ipset(line, "chnroute,chnroute6")
+                        set_domain_ipset(line, setflag .. "chnroute," .. setflag .. "chnroute6")
                     end
                 end
             end
@@ -371,9 +371,9 @@ if not fs.access(CACHE_DNS_PATH) then
             local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
             for line in string.gmatch(chnlist_str, "[^\r\n]+") do
                 if line ~= "" then
-                    local ipset_flag = setflag.."chnroute,"..setflag.."chnroute6"
+                    local ipset_flag = setflag .. "chnroute," .. setflag .. "chnroute6"
                     if NO_PROXY_IPV6 == "1" then
-                        ipset_flag = setflag.."chnroute"
+                        ipset_flag = setflag .. "chnroute"
                         set_domain_address(line, "::")
                     end
                     if not only_global then

luci-app-passwall/root/usr/share/passwall/nftables.sh

@@ -10,7 +10,7 @@ NFTSET_CHN="chnroute"
 NFTSET_BLACKLIST="blacklist"
 NFTSET_WHITELIST="whitelist"
 NFTSET_BLOCKLIST="blocklist"
- 
+
 NFTSET_LANIPLIST6="laniplist6"
 NFTSET_VPSIPLIST6="vpsiplist6"
 NFTSET_SHUNTLIST6="shuntlist6"
@@ -19,11 +19,11 @@ NFTSET_CHN6="chnroute6"
 NFTSET_BLACKLIST6="blacklist6"
 NFTSET_WHITELIST6="whitelist6"
 NFTSET_BLOCKLIST6="blocklist6"
- 
+
 FORCE_INDEX=2
- 
+
 . /lib/functions/network.sh
- 
+
 FWI=$(uci -q get firewall.passwall.path 2>/dev/null)
 FAKE_IP="198.18.0.0/16"
 
@@ -461,7 +461,7 @@ load_acl() {
 				elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
 					_ipset=$(echo ${i} | sed 's#ipset:##g')
 					_ipt_source="ip daddr @${_ipset}"
-					msg="备注【$remarks】，IPset【${_ipset}】，"
+					msg="备注【$remarks】，NFTset【${_ipset}】，"
 				elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
 					_ip=$(echo ${i} | sed 's#ip:##g')
 					_ipt_source=$(factor ${_ip} "ip saddr")
@@ -717,13 +717,13 @@ filter_haproxy() {
 		local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1)
 		insert_nftset $NFTSET_VPSIPLIST $ip
 	done
-	echolog "加入负载均衡的节点到ipset[$NFTSET_VPSIPLIST]直连完成"
+	echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成"
 }
 
 filter_vpsip() {
 	insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e 's/$/,/' )
 	insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e 's/$/,/' )
-	echolog "加入所有节点到ipset[$NFTSET_VPSIPLIST]直连完成"
+	echolog "加入所有节点到nftset[$NFTSET_VPSIPLIST]直连完成"
 }
 
 filter_node() {
@@ -950,7 +950,7 @@ add_firewall_rule() {
 	nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
 
 	# jump chains
-	nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
+	nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
 	insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT"
 
 	#ipv4 tcp redirect mode
@@ -990,7 +990,9 @@ add_firewall_rule() {
 	fi
 
 	WAN_IP=$(get_wan_ip)
-	[ -n "${WAN_IP}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
+	if [ -n "${WAN_IP}" ]; then
+		[ -n "${is_tproxy}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\""
+	fi
 	unset WAN_IP
 
 	ip rule add fwmark 1 lookup 100
@@ -1057,7 +1059,7 @@ add_firewall_rule() {
 				nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
 			else
 				nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
-				nft add rule inet fw4 PSW_MANGLE iifname lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
+				nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
 			fi
 			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
 		}
@@ -1087,8 +1089,8 @@ add_firewall_rule() {
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp iifname lo counter return comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
 			nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
 		fi
 
@@ -1096,8 +1098,8 @@ add_firewall_rule() {
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo counter return comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
 		}
 	fi
 
@@ -1159,7 +1161,7 @@ add_firewall_rule() {
 				return 0
 			}
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${2} udp dport ${3} counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE iifname lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE iif lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
 			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
 		}
 		[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
@@ -1173,24 +1175,24 @@ add_firewall_rule() {
 		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
-		nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
-		nft "add rule inet fw4 PSW_MANGLE ip protocol udp iifname lo counter return comment \"本机\""
+		nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+		nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
 		nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
 
 		[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
 			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo counter return comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
 		}
 	fi
 
-	nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
+	nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
 	nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
 
-	nft "add rule inet fw4 PSW_MANGLE counter ip protocol udp udp dport 53 counter return"
-	nft "add rule inet fw4 PSW_MANGLE_V6 counter meta l4proto udp udp dport 53 counter return"
+	nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
+	nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
 	#  加载ACLS
 	load_acl
 
@@ -1207,10 +1209,13 @@ del_firewall_rule() {
 		done
 	done
 
-	for handle in $(nft -a list chains |grep -E "chain PSW" |awk -F '# handle ' '{print$2}'); do
+	for handle in $(nft -a list chains | grep -E "chain PSW" | grep -v "PSW_RULE" | awk -F '# handle ' '{print$2}'); do
 		nft delete chain inet fw4 handle ${handle} 2>/dev/null
 	done
 
+	# Need to be removed at the end, otherwise it will show "Resource busy"
+	nft delete chain inet fw4 handle $(nft -a list chains | grep -E "PSW_RULE" | awk -F '# handle ' '{print$2}') 2>/dev/null
+
 	ip rule del fwmark 1 lookup 100 2>/dev/null
 	ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
 
@@ -1274,7 +1279,7 @@ gen_include() {
 				nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
 			}
 
-			nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
+			nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
 			[ -n "${is_tproxy}" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
 			nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
 			\$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
@@ -1284,7 +1289,7 @@ gen_include() {
 				nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
 			}
 
-			nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
+			nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
 			nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
 		EOF
 		)
@@ -1295,14 +1300,6 @@ gen_include() {
 	return 0
 }
 
-get_ipt_bin() {
-	echo $ipt
-}
-
-get_ip6t_bin() {
-	echo $ip6t
-}
-
 start() {
 	add_firewall_rule
 	gen_include
@@ -1325,7 +1322,7 @@ insert_rule_before)
 insert_rule_after)
 	insert_rule_after "$@"
 	;;
-flush_ipset)
+flush_nftset)
 	flush_nftset
 	;;
 get_wan_ip)

luci-app-passwall/root/usr/share/passwall/rule_update.lua

@@ -56,11 +56,14 @@ local function trim(text)
 end
 
 -- curl
-local function curl(url, file)
+local function curl(url, file, valifile)
 	local cmd = "curl -skL -w %{http_code} --retry 3 --connect-timeout 3 '" .. url .. "'"
 	if file then
 		cmd = cmd .. " -o " .. file
 	end
+	if valifile then
+		cmd = cmd .. " --dump-header " .. valifile
+	end
 	local stdout = luci.sys.exec(cmd)
 
 	if file then
@@ -87,10 +90,22 @@ local function line_count(file_path)
 	return num;
 end
 
-local function non_file_check(file_path)
-	if nixio.fs.readfile(file_path, 1000) then
-		return nil;
+local function non_file_check(file_path, vali_file)
+	if nixio.fs.readfile(file_path, 10) then
+		local remote_file_size = tonumber(luci.sys.exec("cat " .. vali_file .. " | grep -i 'Content-Length' | awk '{print $2}'"))
+		local local_file_size = tonumber(nixio.fs.stat(file_path, "size"))
+		if remote_file_size and local_file_size then
+			if remote_file_size == local_file_size then
+				return nil;
+			else
+				log("下载文件大小校验出错，原始文件大小" .. remote_file_size .. "B，下载文件大小：" .. local_file_size .. "B。")
+				return true;
+			end
+		else
+			return nil;
+		end
 	else
+		log("下载文件读取出错。")
 		return true;
 	end
 end
@@ -101,16 +116,26 @@ local function fetch_rule(rule_name,rule_type,url,exclude_domain)
 	local sret_tmp = 0
 	local domains = {}
 	local file_tmp = "/tmp/" ..rule_name.. "_tmp"
+	local vali_file = "/tmp/" ..rule_name.. "_vali"
 	local download_file_tmp = "/tmp/" ..rule_name.. "_dl"
 	local unsort_file_tmp = "/tmp/" ..rule_name.. "_unsort"
 
 	log(rule_name.. " 开始更新...")
 	for k,v in ipairs(url) do
-		sret_tmp = curl(v, download_file_tmp..k)
-		if sret_tmp == 200 and non_file_check(download_file_tmp..k) then
-			sret = 0
-			log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件读取出错，请检查网络或下载链接后重试！")
-		elseif sret_tmp == 200 then
+		sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
+		if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
+			log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件过程出错，尝试重新下载。")
+			os.remove(download_file_tmp..k)
+			os.remove(vali_file..k)
+			sret_tmp = curl(v, download_file_tmp..k, vali_file..k)
+			if sret_tmp == 200 and non_file_check(download_file_tmp..k, vali_file..k) then
+				sret = 0
+				sret_tmp = 0
+				log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载文件过程出错，请检查网络或下载链接后重试！")
+			end
+		end
+
+		if sret_tmp == 200 then
 			if rule_name == "gfwlist" then
 				local domains = {}
 				local gfwlist = io.open(download_file_tmp..k, "r")
@@ -168,6 +193,7 @@ local function fetch_rule(rule_name,rule_type,url,exclude_domain)
 			log(rule_name.. " 第" ..k.. "条规则:" ..v.. "下载失败，请检查网络或下载链接后重试！")
 		end
 		os.remove(download_file_tmp..k)
+		os.remove(vali_file..k)
 	end
 
 	if sret == 200 then

luci-app-unblockneteasemusic/Makefile

@@ -12,7 +12,7 @@ LUCI_PKGARCH:=all
 
 PKG_NAME:=luci-app-unblockneteasemusic
 PKG_VERSION:=2.13
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
 

naiveproxy/Makefile

@@ -5,12 +5,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=naiveproxy
-PKG_VERSION:=105.0.5195.52-1
+PKG_VERSION:=106.0.5249.91-2
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/klzgrad/naiveproxy/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=1091aee2042ea26bb295456f264bb2f8ed69590e67b3271c1a40d97d99fa2be7
+PKG_HASH:=beecb60b13b30e6e9fedba33604ae1e578fd56ba792f30c61179f0f02a3a9b44
 
 PKG_LICENSE:=BSD 3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -76,31 +76,31 @@ ifneq ($(CONFIG_CCACHE),)
   export naive_ccache_flags=cc_wrapper="$(CCACHE)"
 endif
 
-CLANG_VER:=15-init-15652-g89a99ec9-1
+CLANG_VER:=16-init-907-g8b740747-1
 CLANG_FILE:=clang-llvmorg-$(CLANG_VER).tgz
 define Download/CLANG
 	URL:=https://commondatastorage.googleapis.com/chromium-browser-clang/Linux_x64
 	URL_FILE:=$(CLANG_FILE)
 	FILE:=$(CLANG_FILE)
-	HASH:=79e8d47cbc6897b395742d9d0680f85bd4c278107d4da64b01991d3f0e58323a
+	HASH:=fc874a199fcb217e246c70a8280f959ad1bfed5de27ab25877421e8588237194
 endef
 
-GN_VER:=9ef321772ecc161937db69acb346397e0ccc484d
+GN_VER:=0bcd37bd2b83f1a9ee17088037ebdfe6eab6d31a
 GN_FILE:=gn-git_revision-$(GN_VER).zip
 define Download/GN_TOOL
 	URL:=https://chrome-infra-packages.appspot.com/dl/gn/gn/linux-amd64/+
 	URL_FILE:=git_revision:$(GN_VER)
 	FILE:=$(GN_FILE)
-	HASH:=cc1a18f0624cbda2d370e790eab97805a1f9533f603371c302e016e2f3a42ff8
+	HASH:=b8bd7e136e3fefe8be27b60f8492a0c7648337a7796b538d310c0dbd0b36a82f
 endef
 
-PGO_VER:=5195-1661252531-bbb1032abc1f63f4076f207ffc254ca9175d93d6
+PGO_VER:=5249-1664382991-4c3563c0a634429d8d381274051e58611ae6cfe3
 PGO_FILE:=chrome-linux-$(PGO_VER).profdata
 define Download/PGO_PROF
 	URL:=https://storage.googleapis.com/chromium-optimization-profiles/pgo_profiles
 	URL_FILE:=$(PGO_FILE)
 	FILE:=$(PGO_FILE)
-	HASH:=b953ceaa2635e151fbab47d1f667e8a043d8410a6577813892552f5a51d5fa09
+	HASH:=91cca2a7922040625c4fdb18db6035a2ffbf59b737bd1706966f1e4da06b468d
 endef
 
 define Build/Prepare

shadowsocks-rust/Makefile

@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=shadowsocks-rust
-PKG_VERSION:=1.15.0-alpha.8
+PKG_VERSION:=1.15.0-alpha.9
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE_HEADER:=shadowsocks-v$(PKG_VERSION)
@@ -16,29 +16,29 @@ PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-rust/releases/downloa
 
 ifeq ($(ARCH),aarch64)
   PKG_SOURCE:=$(PKG_SOURCE_HEADER).aarch64-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
-  PKG_HASH:=52a1da389148767e1d105232ccd3f3ab64e38169ef4c5cb2281fff388004856d
+  PKG_HASH:=bb5a88f8732f1e804ff8533e50ad5b7e4cc72bb780240886df64c3d709413002
 else ifeq ($(ARCH),arm)
   # Referred to golang/golang-values.mk
   ARM_CPU_FEATURES:=$(word 2,$(subst +,$(space),$(call qstrip,$(CONFIG_CPU_TYPE))))
   ifeq ($(ARM_CPU_FEATURES),)
     PKG_SOURCE:=$(PKG_SOURCE_HEADER).arm-$(PKG_SOURCE_BODY)eabi.$(PKG_SOURCE_FOOTER)
-    PKG_HASH:=78dd75be5417fe5980ceb4a3df0107bf326ff67d52b9b992ae5c1fa53fcd1ff0
+    PKG_HASH:=493577b1193c980b1471231f9e5b3d124700fc7845edfec39660719cc62d2828
   else
     PKG_SOURCE:=$(PKG_SOURCE_HEADER).arm-$(PKG_SOURCE_BODY)eabihf.$(PKG_SOURCE_FOOTER)
-    PKG_HASH:=45159e87d18f6d831625a32aae4db1dc3e711c37a00da35f4110d0377391bd05
+    PKG_HASH:=076b8987dcd9ec9e3d5386469d7efc8eefd0dd1c5267d6f5694ec5f191969e47
   endif
 else ifeq ($(ARCH),i386)
   PKG_SOURCE:=$(PKG_SOURCE_HEADER).i686-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
-  PKG_HASH:=fe8aa1f8cde55f4e98b1990ed9988bcc1170129fbb7dae7abd293735975f9069
+  PKG_HASH:=72b96c5c0ab4eaad12f14970c3882e311f5f0e75df1bf8c8e9bb8e7825a3bb89
 else ifeq ($(ARCH),mips)
   PKG_SOURCE:=$(PKG_SOURCE_HEADER).mips-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
-  PKG_HASH:=48f9a3cad7081ccc2dd2aa6af5e5861672d5b49e7f5d9f049cfac572668a37f8
+  PKG_HASH:=f3ae1d678a0e5d1566542a3be30c97b8412fb07e569691c7642498333db1b1ec
 else ifeq ($(ARCH),mipsel)
   PKG_SOURCE:=$(PKG_SOURCE_HEADER).mipsel-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
-  PKG_HASH:=d7a0d688098e86bfaefab2c0eabcbe65792ab9cdb4447b5101781df61b13f091
+  PKG_HASH:=86bb6943a1f4bd3b61c9f43ddd7977065461915e963ee872de9edb57b2517225
 else ifeq ($(ARCH),x86_64)
   PKG_SOURCE:=$(PKG_SOURCE_HEADER).x86_64-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
-  PKG_HASH:=9d2c62e8e047596139ee5f54bac74bb8bf2d6bc7af43a34ba884e0193dcabf08
+  PKG_HASH:=b29f9e623bb3d74717159f5d999eed41d7f89317ca3adaed84cef5012e0f4308
 # Set the default value to make OpenWrt Package Checker happy
 else
   PKG_SOURCE:=dummy

sing-box/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sing-box
-PKG_VERSION:=1.1-beta8
+PKG_VERSION:=1.1-beta9
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=074e7e63d7e408ce634d6aa0a8434fc56370421be37553efa04fe71bbc0611a9
+PKG_HASH:=de8400e50dd73d67f4c699a9ecaffb83fc0735431967680946424249b6d5d958
 
 PKG_LICENSE:=GPL-3.0
 PKG_LICENSE_FILE:=LICENSE
@@ -66,7 +66,7 @@ define Package/$(PKG_NAME)/config
 
     config TAG_$(PKG_NAME)_GRPC
       bool "Build with standard gRPC support"
-      default y
+      default n
 
     config TAG_$(PKG_NAME)_GVISOR
       bool "Build with gVisor support"