💋 Sync 2023-03-07 20:45

2025-04-04 23:53:33 +08:00 · 2023-03-07 20:45:13 +08:00 · 2023-03-07 20:45:13 +08:00 · 840b20b064
commit 840b20b064
parent a9b2517a59
70 changed files with 4226 additions and 1201 deletions
--- a/aliyundrive-fuse/Makefile
+++ b/aliyundrive-fuse/Makefile
@ -0,0 +1,77 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=aliyundrive-fuse
+PKG_VERSION:=0.1.14
+PKG_RELEASE:=1
+
+PKG_LICENSE:=MIT
+PKG_MAINTAINER:=messense <messense@icloud.com>
+
+PKG_LIBC:=musl
+ifeq ($(ARCH),arm)
+  PKG_LIBC:=musleabi
+
+  ARM_CPU_FEATURES:=$(word 2,$(subst +,$(space),$(call qstrip,$(CONFIG_CPU_TYPE))))
+  ifneq ($(filter $(ARM_CPU_FEATURES),vfp vfpv2),)
+    PKG_LIBC:=musleabihf
+  endif
+endif
+
+PKG_ARCH=$(ARCH)
+ifeq ($(ARCH),i386)
+  PKG_ARCH:=i686
+endif
+
+PKG_SOURCE:=aliyundrive-fuse-v$(PKG_VERSION).$(PKG_ARCH)-unknown-linux-$(PKG_LIBC).tar.gz
+PKG_SOURCE_URL:=https://github.com/messense/aliyundrive-fuse/releases/download/v$(PKG_VERSION)/
+PKG_HASH:=skip
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/aliyundrive-fuse
+  SECTION:=multimedia
+  CATEGORY:=Multimedia
+  DEPENDS:=+fuse-utils
+  TITLE:=FUSE for AliyunDrive
+  URL:=https://github.com/messense/aliyundrive-fuse
+endef
+
+define Package/aliyundrive-fuse/description
+  FUSE for AliyunDrive.
+endef
+
+define Package/aliyundrive-fuse/conffiles
+/etc/config/aliyundrive-fuse
+endef
+
+define Download/sha256sum
+  FILE:=$(PKG_SOURCE).sha256
+  URL_FILE:=$(FILE)
+  URL:=$(PKG_SOURCE_URL)
+  HASH:=skip
+endef
+$(eval $(call Download,sha256sum))
+
+define Build/Prepare
+	mv $(DL_DIR)/$(PKG_SOURCE).sha256 .
+	cp $(DL_DIR)/$(PKG_SOURCE) .
+	shasum -a 256 -c $(PKG_SOURCE).sha256
+	rm $(PKG_SOURCE).sha256 $(PKG_SOURCE)
+
+	tar -C $(PKG_BUILD_DIR)/ -zxf $(DL_DIR)/$(PKG_SOURCE)
+endef
+
+define Build/Compile
+	echo "aliyundrive-fuse using precompiled binary."
+endef
+
+define Package/aliyundrive-fuse/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/aliyundrive-fuse $(1)/usr/bin/aliyundrive-fuse
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/aliyundrive-fuse.init $(1)/etc/init.d/aliyundrive-fuse
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/aliyundrive-fuse.config $(1)/etc/config/aliyundrive-fuse
+endef
+
+$(eval $(call BuildPackage,aliyundrive-fuse))
--- a/aliyundrive-fuse/files/aliyundrive-fuse.config
+++ b/aliyundrive-fuse/files/aliyundrive-fuse.config
@ -0,0 +1,7 @@
+config default
+    option enable '0'
+    option debug '0'
+    option refresh_token ''
+    option mount_point '/mnt/aliyundrive'
+    option read_buffer_size '10485760'
+    option allow_other '1'
--- a/aliyundrive-fuse/files/aliyundrive-fuse.init
+++ b/aliyundrive-fuse/files/aliyundrive-fuse.init
@ -0,0 +1,48 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+
+START=99
+STOP=15
+
+NAME=aliyundrive-fuse
+
+uci_get_by_type() {
+	local ret=$(uci get $NAME.@$1[0].$2 2>/dev/null)
+	echo ${ret:=$3}
+}
+
+start_service() {
+  local enable=$(uci_get_by_type default enable)
+  case "$enable" in
+    1|on|true|yes|enabled)
+      local refresh_token=$(uci_get_by_type default refresh_token)
+      local mount_point=$(uci_get_by_type default mount_point)
+      local read_buf_size=$(uci_get_by_type default read_buffer_size 10485760)
+      local allow_other=$(uci_get_by_type default allow_other 0)
+
+      local extra_options=""
+
+      if [ "$allow_other" = "1" ]; then
+        extra_options="$extra_options --allow-other"
+      fi
+
+      mkdir -p "$mount_point"
+      procd_open_instance
+      procd_set_param command /bin/sh -c "/usr/bin/$NAME $extra_options -S $read_buf_size --workdir /var/run/$NAME $mount_point >>/var/log/$NAME.log 2>&1"
+      procd_set_param pidfile /var/run/$NAME.pid
+      procd_set_param env REFRESH_TOKEN="$refresh_token"
+      case $(uci_get_by_type default debug) in
+        1|on|true|yes|enabled)
+          procd_append_param env RUST_LOG="aliyundrive_fuse=debug" ;;
+        *) ;;
+      esac
+      procd_close_instance ;;
+    *)
+      stop_service ;;
+  esac
+}
+
+service_triggers() {
+	procd_add_reload_trigger "aliyundrive-fuse"
+}
--- a/luci-app-aliyundrive-fuse/Makefile
+++ b/luci-app-aliyundrive-fuse/Makefile
@ -0,0 +1,17 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-app-aliyundrive-fuse
+PKG_VERSION:=0.1.14
+PKG_RELEASE:=1
+PKG_PO_VERSION:=$(PKG_VERSION)-$(PKG_RELEASE)
+
+PKG_LICENSE:=MIT
+PKG_MAINTAINER:=messense <messense@icloud.com>
+
+LUCI_TITLE:=LuCI Support for aliyundrive-fuse
+LUCI_PKGARCH:=all
+LUCI_DEPENDS:=+aliyundrive-fuse
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
--- a/luci-app-aliyundrive-fuse/luasrc/controller/aliyundrive-fuse.lua
+++ b/luci-app-aliyundrive-fuse/luasrc/controller/aliyundrive-fuse.lua
@ -0,0 +1,40 @@
+module("luci.controller.aliyundrive-fuse", package.seeall)
+
+function index()
+	if not nixio.fs.access("/etc/config/aliyundrive-fuse") then
+		return
+	end
+
+	local page
+	page = entry({"admin", "services", "aliyundrive-fuse"}, alias("admin", "services", "aliyundrive-fuse", "client"), _("AliyunDrive FUSE"), 10) -- 首页
+	page.dependent = true
+	page.acl_depends = { "luci-app-aliyundrive-fuse" }
+
+	entry({"admin", "services", "aliyundrive-fuse", "client"}, cbi("aliyundrive-fuse/client"), _("Settings"), 10).leaf = true -- 客户端配置
+	entry({"admin", "services", "aliyundrive-fuse", "log"}, form("aliyundrive-fuse/log"), _("Log"), 30).leaf = true -- 日志页面
+
+	entry({"admin", "services", "aliyundrive-fuse", "status"}, call("action_status")).leaf = true
+	entry({"admin", "services", "aliyundrive-fuse", "logtail"}, call("action_logtail")).leaf = true
+end
+
+function action_status()
+	local e = {}
+	e.running = luci.sys.call("pidof aliyundrive-fuse >/dev/null") == 0
+	e.application = luci.sys.exec("aliyundrive-fuse --version")
+	luci.http.prepare_content("application/json")
+	luci.http.write_json(e)
+end
+
+function action_logtail()
+	local fs = require "nixio.fs"
+	local log_path = "/var/log/aliyundrive-fuse.log"
+	local e = {}
+	e.running = luci.sys.call("pidof aliyundrive-fuse >/dev/null") == 0
+	if fs.access(log_path) then
+		e.log = luci.sys.exec("tail -n 100 %s | sed 's/\\x1b\\[[0-9;]*m//g'" % log_path)
+	else
+		e.log = ""
+	end
+	luci.http.prepare_content("application/json")
+	luci.http.write_json(e)
+end
--- a/luci-app-aliyundrive-fuse/luasrc/model/cbi/aliyundrive-fuse/client.lua
+++ b/luci-app-aliyundrive-fuse/luasrc/model/cbi/aliyundrive-fuse/client.lua
@ -0,0 +1,30 @@
+m = Map("aliyundrive-fuse")
+m.title = translate("AliyunDrive FUSE")
+m.description = translate("<a href=\"https://github.com/messense/aliyundrive-fuse\" target=\"_blank\">Project GitHub URL</a>")
+
+m:section(SimpleSection).template = "aliyundrive-fuse/aliyundrive-fuse_status"
+
+e = m:section(TypedSection, "default")
+e.anonymous = true
+
+enable = e:option(Flag, "enable", translate("Enable"))
+enable.rmempty = false
+
+refresh_token = e:option(Value, "refresh_token", translate("Refresh Token"))
+refresh_token.description = translate("<a href=\"https://github.com/messense/aliyundrive-webdav#%E8%8E%B7%E5%8F%96-refresh_token\" target=\"_blank\">How to get refresh token</a>")
+
+mount_point = e:option(Value, "mount_point", translate("Mount Point"))
+mount_point.default = "/mnt/aliyundrive"
+
+read_buffer_size = e:option(Value, "read_buffer_size", translate("Read Buffer Size"))
+read_buffer_size.default = "10485760"
+read_buffer_size.datatype = "uinteger"
+
+allow_other = e:option(Flag, "allow_other", translate("Allow Other users Access"))
+allow_other.description = translate("Allow other users to access the drive, enable this if you share with samba")
+allow_other.rmempty = false
+
+debug = e:option(Flag, "debug", translate("Debug Mode"))
+debug.rmempty = false
+
+return m
--- a/luci-app-aliyundrive-fuse/luasrc/model/cbi/aliyundrive-fuse/log.lua
+++ b/luci-app-aliyundrive-fuse/luasrc/model/cbi/aliyundrive-fuse/log.lua
@ -0,0 +1,9 @@
+log = SimpleForm("logview")
+log.submit = false
+log.reset = false
+
+t = log:field(DummyValue, '', '')
+t.rawhtml = true
+t.template = 'aliyundrive-fuse/aliyundrive-fuse_log'
+
+return log
--- a/luci-app-aliyundrive-fuse/luasrc/view/aliyundrive-fuse/aliyundrive-fuse_log.htm
+++ b/luci-app-aliyundrive-fuse/luasrc/view/aliyundrive-fuse/aliyundrive-fuse_log.htm
@ -0,0 +1,15 @@
+<%+cbi/valueheader%>
+<textarea id="logview" class="cbi-input-textarea" style="width: 100%" rows="30" readonly="readonly"></textarea>
+
+<script type="text/javascript">
+	const LOG_URL = '<%=luci.dispatcher.build_url("admin", "services", "aliyundrive-fuse", "logtail")%>';
+	XHR.poll(1, LOG_URL, null, (x, d) => {
+		let logview = document.getElementById("logview");
+		if (!d.running) {
+			XHR.halt();
+		}
+		logview.value = d.log;
+		logview.scrollTop = logview.scrollHeight;
+	});
+</script>
+<%+cbi/valuefooter%>
--- a/luci-app-aliyundrive-fuse/luasrc/view/aliyundrive-fuse/aliyundrive-fuse_status.htm
+++ b/luci-app-aliyundrive-fuse/luasrc/view/aliyundrive-fuse/aliyundrive-fuse_status.htm
@ -0,0 +1,21 @@
+<script type="text/javascript">//<![CDATA[
+XHR.poll(3, '<%=url([[admin]], [[services]], [[aliyundrive-fuse]], [[status]])%>', null,
+	function(x, data) {
+		var tb = document.getElementById('aliyundrive-fuse_status');
+		if (data && tb) {
+			if (data.running) {
+				tb.innerHTML = '<em><b style=color:green>' + data.application + '<%:RUNNING%></b></em>';
+			} else {
+				tb.innerHTML = '<em><b style=color:red>' + data.application + '<%:NOT RUNNING%></b></em>';
+			}
+		}
+	}
+);
+//]]>
+</script>
+<style>.mar-10 {margin-left: 50px; margin-right: 10px;}</style>
+<fieldset class="cbi-section">
+	<p id="aliyundrive-fuse_status">
+		<em><%:Collecting data...%></em>
+	</p>
+</fieldset>
--- a/luci-app-aliyundrive-fuse/po/zh-cn/aliyundrive-fuse.po
+++ b/luci-app-aliyundrive-fuse/po/zh-cn/aliyundrive-fuse.po
@ -0,0 +1,50 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8\n"
+
+msgid "AliyunDrive"
+msgstr "阿里云盘"
+
+msgid "AliyunDrive FUSE"
+msgstr "阿里云盘 FUSE"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Refresh Token"
+msgstr "Refresh Token"
+
+msgid "Mount Point"
+msgstr "挂载点"
+
+msgid "Read Buffer Size"
+msgstr "下载缓冲大小(bytes)"
+
+msgid "Collecting data..."
+msgstr "获取数据中..."
+
+msgid "RUNNING"
+msgstr "运行中"
+
+msgid "NOT RUNNING"
+msgstr "未运行"
+
+msgid "Settings"
+msgstr "设置"
+
+msgid "Log"
+msgstr "日志"
+
+msgid "Debug Mode"
+msgstr "调试模式"
+
+msgid "<a href=\"https://github.com/messense/aliyundrive-fuse\" target=\"_blank\">Project GitHub URL</a>"
+msgstr "<a href=\"https://github.com/messense/aliyundrive-fuse\" target=\"_blank\">GitHub 项目地址</a>"
+
+msgid "<a href=\"https://github.com/messense/aliyundrive-webdav#%E8%8E%B7%E5%8F%96-refresh_token\" target=\"_blank\">How to get refresh token</a>"
+msgstr "<a href=\"https://github.com/messense/aliyundrive-webdav#%E8%8E%B7%E5%8F%96-refresh_token\" target=\"_blank\">查看获取 refresh token 的方法</a>"
+
+msgid "Allow Other users Access"
+msgstr "允许其他用户访问"
+
+msgid "Allow other users to access the drive, enable this if you share with samba"
+msgstr "允许其他用户访问此驱动，如果你想用Samba分享请开启此开关"
--- a/luci-app-aliyundrive-fuse/po/zh_Hans
+++ b/luci-app-aliyundrive-fuse/po/zh_Hans
@ -0,0 +1 @@
+zh-cn
--- a/luci-app-aliyundrive-fuse/root/etc/uci-defaults/luci-aliyundrive-fuse
+++ b/luci-app-aliyundrive-fuse/root/etc/uci-defaults/luci-aliyundrive-fuse
@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@aliyundrive-fuse[-1]
+	add ucitrack aliyundrive-fuse
+	set ucitrack.@aliyundrive-fuse[-1].init=aliyundrive-fuse
+	commit ucitrack
+EOF
+
+rm -f /tmp/luci-indexcache
+exit 0
--- a/luci-app-aliyundrive-fuse/root/usr/share/rpcd/acl.d/luci-app-aliyundrive-fuse.json
+++ b/luci-app-aliyundrive-fuse/root/usr/share/rpcd/acl.d/luci-app-aliyundrive-fuse.json
@ -0,0 +1,11 @@
+{
+	"luci-app-aliyundrive-fuse": {
+		"description": "Grant UCI access for luci-app-aliyundrive-fuse",
+		"read": {
+			"uci": [ "aliyundrive-fuse" ]
+		},
+		"write": {
+			"uci": [ "aliyundrive-fuse" ]
+		}
+	}
+}
--- a/luci-app-cloudflarespeedtest/Makefile
+++ b/luci-app-cloudflarespeedtest/Makefile
@ -0,0 +1,21 @@
+# Author: mingxiaoyu (fengying0347@163.com)
+#
+# Licensed to the public under the GNU General Public License v3.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-app-cloudflarespeedtest
+
+LUCI_TITLE:=LuCI support for Cloudflares Speed Test
+LUCI_DEPENDS:=+cdnspeedtest +openssl-util +curl
+LUCI_PKGARCH:=all
+PKG_VERSION:=1.5.0
+PKG_RELEASE:=0
+PKG_LICENSE:=AGPL-3.0
+PKG_MAINTAINER:=mingxiaoyu <fengying0347@163.com>
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+
--- a/luci-app-cloudflarespeedtest/luasrc/controller/cloudflarespeedtest.lua
+++ b/luci-app-cloudflarespeedtest/luasrc/controller/cloudflarespeedtest.lua
@ -0,0 +1,50 @@
+-- Copyright (C) 2020 mingxiaoyu <fengying0347@163.com>
+-- Licensed to the public under the GNU General Public License v3.
+module("luci.controller.cloudflarespeedtest",package.seeall)
+
+function index()
+
+	if not nixio.fs.access('/etc/config/cloudflarespeedtest') then
+		return
+	end
+
+	local page
+	page = entry({"admin", "services", "cloudflarespeedtest"}, firstchild(), _("Cloudflare Speed Test"), 99)
+	page.dependent = false
+	page.acl_depends = { "luci-app-cloudflarespeedtest" }
+
+	entry({"admin", "services", "cloudflarespeedtest", "general"}, cbi("cloudflarespeedtest/cloudflarespeedtest"), _("Base Setting"), 1)
+	entry({"admin", "services", "cloudflarespeedtest", "logread"}, form("cloudflarespeedtest/logread"), _("Logs"), 2)
+
+	entry({"admin", "services", "cloudflarespeedtest", "status"}, call("act_status")).leaf = true
+	entry({"admin", "services", "cloudflarespeedtest", "stop"}, call("act_stop"))
+	entry({"admin", "services", "cloudflarespeedtest", "start"}, call("act_start"))
+	entry({"admin", "services", "cloudflarespeedtest", "getlog"}, call("get_log"))
+end
+
+function act_status()
+	local e = {}
+	e.running = luci.sys.call("busybox ps -w | grep cdnspeedtest | grep -v grep >/dev/null") == 0
+	luci.http.prepare_content("application/json")
+	luci.http.write_json(e)
+end
+
+function act_stop()
+ 	luci.sys.call("busybox ps -w | grep cdnspeedtest | grep -v grep | xargs kill -9 >/dev/null")
+	luci.http.write('')
+end
+
+function act_start()
+	act_stop()
+	luci.sys.call("/usr/bin/cloudflarespeedtest/cloudflarespeedtest.sh start")
+	luci.http.write('')
+end
+
+function get_log()
+	local fs = require "nixio.fs"
+	local e = {}
+	e.running = luci.sys.call("busybox ps -w | grep cdnspeedtest | grep -v grep >/dev/null") == 0
+	e.log= fs.readfile("/var/log/cloudflarespeedtest.log") or ""	 
+	luci.http.prepare_content("application/json")
+	luci.http.write_json(e)
+end
--- a/luci-app-cloudflarespeedtest/luasrc/model/cbi/cloudflarespeedtest/cloudflarespeedtest.lua
+++ b/luci-app-cloudflarespeedtest/luasrc/model/cbi/cloudflarespeedtest/cloudflarespeedtest.lua
@ -0,0 +1,335 @@
+require("luci.sys")
+
+local uci = luci.model.uci.cursor()
+
+m = Map('cloudflarespeedtest')
+m.title = translate('Cloudflare Speed Test')
+m.description = '<a href=\"https://github.com/mingxiaoyu/luci-app-cloudflarespeedtest\" target=\"_blank\">GitHub</a>'
+
+-- [[ 基本设置 ]]--
+
+s = m:section(NamedSection, 'global')
+s.addremove = false
+s.anonymous = true
+
+o=s:option(Flag,"enabled",translate("Enabled"))
+o.description = translate("Enabled scheduled task test Cloudflare IP")
+o.rmempty=false
+o.default = 0
+
+o=s:option(Flag,"ipv6_enabled",translate("IPv6 Enabled"))
+o.description = translate("Provides only one method, if IPv6 is enabled, IPv4 will not be tested")
+o.default = 0
+o.rmempty=false
+
+o=s:option(Value,"speed",translate("Broadband speed"))
+o.description =translate("100M broadband download speed is about 12M/s. It is not recommended to fill in an excessively large value, and it may run all the time.");
+o.datatype ="uinteger" 
+o.rmempty=false
+
+o=s:option(Value,"custome_url",translate("Custome Url"))
+o.description = translate("<a href=\"https://github.com/XIU2/CloudflareSpeedTest/issues/168\" target=\"_blank\">How to create</a>")
+o.rmempty=false
+
+o=s:option(Flag,"custome_cors_enabled",translate("Custome Cron Enabled"))
+o.default = 0
+o.rmempty=false
+
+o = s:option(Value, "custome_cron", translate("Custome Cron"))
+o:depends("custome_cors_enabled", 1)
+
+hour = s:option(Value, "hour", translate("Hour"))
+hour.datatype = "range(0,23)"
+hour:depends("custome_cors_enabled", 0)
+
+minute = s:option(Value, "minute", translate("Minute"))
+minute.datatype = "range(0,59)"
+minute:depends("custome_cors_enabled", 0)
+
+o = s:option(ListValue, "proxy_mode", translate("Proxy Mode"))
+o:value("nil", translate("HOLD"))
+o.description = translate("during the speed testing, swith to which mode")
+o:value("gfw", translate("GFW List"))
+o:value("close", translate("CLOSE"))
+o.default = "gfw"
+
+o=s:option(Flag,"advanced",translate("Advanced"))
+o.description = translate("Not recommended")
+o.default = 0
+o.rmempty=false
+
+o = s:option(Value, "threads", translate("Thread"))
+o.datatype ="uinteger" 
+o.default = 200
+o.rmempty=true
+o:depends("advanced", 1)
+
+o = s:option(Value, "tl", translate("Average Latency Cap"))
+o.datatype ="uinteger" 
+o.default = 200
+o.rmempty=true
+o:depends("advanced", 1)
+
+o = s:option(Value, "tll", translate("Average Latency Lower Bound"))
+o.datatype ="uinteger" 
+o.default = 40
+o.rmempty=true
+o:depends("advanced", 1)
+
+o = s:option(Value, "t", translate("Delayed speed measurement time"))
+o.datatype ="uinteger" 
+o.default = 4
+o.rmempty=true
+o:depends("advanced", 1)
+ 
+o = s:option(Value, "dt", translate("Download speed test time"))
+o.datatype ="uinteger" 
+o.default = 10
+o.rmempty=true
+o:depends("advanced", 1)
+ 
+o = s:option(Value, "dn", translate("Number of download speed tests"))
+o.datatype ="uinteger" 
+o.default = 1
+o.rmempty=true
+o:depends("advanced", 1)  
+
+o = s:option(Flag, "dd", translate("Disable download speed test"))
+o.default = 0
+o.rmempty=true
+o:depends("advanced", 1)  
+ 
+o = s:option(Value, "tp", translate("Port"))
+o.rmempty=true
+o.default = 443
+o.datatype ="port"
+o:depends("advanced", 1)
+
+o = s:option(DummyValue, '', '')
+o.rawhtml = true
+o.template = "cloudflarespeedtest/actions"
+
+s = m:section(NamedSection, "servers", "section", translate("Third party applications settings"))
+
+if nixio.fs.access("/etc/config/shadowsocksr") then
+	s:tab("ssr", translate("Shadowsocksr Plus+"))	
+
+	o=s:taboption("ssr", Flag, "ssr_enabled",translate("Shadowsocksr Plus+ Enabled"))
+	o.rmempty=true	
+
+	local ssr_server_table = {}
+	uci:foreach("shadowsocksr", "servers", function(s)
+		if s.alias then
+			ssr_server_table[s[".name"]] = "[%s]:%s" % {string.upper(s.v2ray_protocol or s.type), s.alias}
+		elseif s.server and s.server_port then
+			ssr_server_table[s[".name"]] = "[%s]:%s:%s" % {string.upper(s.v2ray_protocol or s.type), s.server, s.server_port}
+		end
+	end)
+
+	local ssr_key_table = {}
+	for key, _ in pairs(ssr_server_table) do
+		table.insert(ssr_key_table, key)
+	end
+
+	table.sort(ssr_key_table)
+
+	o = s:taboption("ssr", DynamicList, "ssr_services",
+			translate("Shadowsocksr Servers"),
+			translate("Please select a service"))
+			
+	for _, key in pairs(ssr_key_table) do
+		o:value(key, ssr_server_table[key])
+	end
+	o:depends("ssr_enabled", 1)
+	o.forcewrite = true
+
+end
+
+
+if nixio.fs.access("/etc/config/passwall") then
+	s:tab("passwalltab", translate("passwall"))
+
+	o=s:taboption("passwalltab", Flag, "passwall_enabled",translate("Passwall Enabled"))
+	o.rmempty=true	
+
+	local passwall_server_table = {}
+	uci:foreach("passwall", "nodes", function(s)
+		if s.remarks then
+			passwall_server_table[s[".name"]] = "[%s]:%s" % {string.upper(s.protocol or s.type), s.remarks}
+		end
+	end)
+
+	local passwall_key_table = {}
+	for key, _ in pairs(passwall_server_table) do
+		table.insert(passwall_key_table, key)
+	end
+
+	table.sort(passwall_key_table)
+
+	o = s:taboption("passwalltab", DynamicList, "passwall_services",
+			translate("Passwall Servers"),
+			translate("Please select a service"))
+			
+	for _, key in pairs(passwall_key_table) do
+		o:value(key, passwall_server_table[key])
+	end
+	o:depends("passwall_enabled", 1)
+	o.forcewrite = true
+
+end
+
+if nixio.fs.access("/etc/config/passwall2") then
+	s:tab("passwall2tab", translate("passwall2"))
+
+	o=s:taboption("passwall2tab", Flag, "passwall2_enabled",translate("PassWall2 Enabled"))
+	o.rmempty=true	
+
+	local passwall2_server_table = {}
+	uci:foreach("passwall2", "nodes", function(s)
+		if s.remarks then
+			passwall2_server_table[s[".name"]] = "[%s]:%s" % {string.upper(s.protocol or s.type), s.remarks}
+		end
+	end)
+
+	local passwall2_key_table = {}
+	for key, _ in pairs(passwall2_server_table) do
+		table.insert(passwall2_key_table, key)
+	end
+
+	table.sort(passwall2_key_table)
+
+	o = s:taboption("passwall2tab", DynamicList, "passwall2_services",
+			translate("Passwall2 Servers"),
+			translate("Please select a service"))
+			
+	for _, key in pairs(passwall2_key_table) do
+		o:value(key, passwall2_server_table[key])
+	end
+	o:depends("passwall2_enabled", 1)
+	o.forcewrite = true
+
+end
+
+s:tab("bypasstab", translate("Bypass"))
+if nixio.fs.access("/etc/config/bypass") then
+	
+	o=s:taboption("bypasstab", Flag, "bypass_enabled",translate("Bypass Enabled"))
+	o.rmempty=true	
+
+	local bypass_server_table = {}
+	uci:foreach("bypass", "servers", function(s)
+		if s.alias then
+			bypass_server_table[s[".name"]] = "[%s]:%s" % {string.upper(s.protocol or s.type), s.alias}
+		elseif s.server and s.server_port then
+			bypass_server_table[s[".name"]] = "[%s]:%s:%s" % {string.upper(s.protocol or s.type), s.server, s.server_port}
+		end
+	end)
+
+	local bypass_key_table = {}
+	for key, _ in pairs(bypass_server_table) do
+		table.insert(bypass_key_table, key)
+	end
+
+	table.sort(bypass_key_table)
+
+	o = s:taboption("bypasstab", DynamicList, "bypass_services",
+			translate("Bypass Servers"),
+			translate("Please select a service"))
+			
+	for _, key in pairs(bypass_key_table) do
+		o:value(key, bypass_server_table[key])
+	end
+	o:depends("bypass_enabled", 1)
+	o.forcewrite = true
+
+end
+
+s:tab("vssrtab", translate("Vssr"))
+if nixio.fs.access("/etc/config/vssr") then
+	
+	o=s:taboption("vssrtab", Flag, "vssr_enabled",translate("Vssr Enabled"))
+	o.rmempty=true	
+
+	local vssr_server_table = {}
+	uci:foreach("vssr", "servers", function(s)
+		if s.alias then
+			vssr_server_table[s[".name"]] = "[%s]:%s" % {string.upper(s.protocol or s.type), s.alias}
+		elseif s.server and s.server_port then
+			vssr_server_table[s[".name"]] = "[%s]:%s:%s" % {string.upper(s.protocol or s.type), s.server, s.server_port}
+		end
+	end)
+
+	local vssr_key_table = {}
+	for key, _ in pairs(vssr_server_table) do
+		table.insert(vssr_key_table, key)
+	end
+
+	table.sort(vssr_key_table)
+
+	o = s:taboption("vssrtab", DynamicList, "vssr_services",
+			translate("Vssr Servers"),
+			translate("Please select a service"))
+			
+	for _, key in pairs(vssr_key_table) do
+		o:value(key, vssr_server_table[key])
+	end
+	o:depends("vssr_enabled", 1)
+	o.forcewrite = true
+
+end
+
+s:tab("dnstab", translate("DNS"))
+
+o=s:taboption("dnstab", Flag, "DNS_enabled",translate("DNS Enabled"))
+
+o=s:taboption("dnstab", ListValue, "DNS_type", translate("DNS Type"))
+o:value("aliyu", translate("AliyuDNS"))
+o:depends("DNS_enabled", 1)
+
+o=s:taboption("dnstab", Value,"app_key",translate("Access Key ID"))
+o.rmempty=true
+o:depends("DNS_enabled", 1)
+o=s:taboption("dnstab", Value,"app_secret",translate("Access Key Secret"))
+o.rmempty=true
+o:depends("DNS_enabled", 1)
+
+o=s:taboption("dnstab", Value,"main_domain",translate("Main Domain"),translate("For example: test.github.com -> github.com"))
+o.rmempty=true
+o:depends("DNS_enabled", 1)
+o=s:taboption("dnstab", DynamicList,"sub_domain",translate("Sub Domain"),translate("For example: test.github.com -> test"))
+o.rmempty=true
+o:depends("DNS_enabled", 1)
+
+o=s:taboption("dnstab", ListValue, "line", translate("Lines"))
+o:value("default", translate("default"))
+o:value("telecom", translate("telecom"))
+o:value("unicom", translate("unicom"))
+o:value("mobile", translate("mobile"))
+o:depends("DNS_enabled", 1)
+o.default ="telecom"
+
+s:tab("dnshost", translate("HOST"))
+o=s:taboption("dnshost", Flag, "HOST_enabled",translate("HOST Enabled"))
+o=s:taboption("dnshost", Value,"host_domain",translate("Domain"))
+o.rmempty=true
+o:depends("HOST_enabled", 1)
+
+e=m:section(TypedSection,"global",translate("Best IP"))
+e.anonymous=true
+local a="/usr/share/cloudflarespeedtestresult.txt"
+tvIPs=e:option(TextValue,"syipstext")
+tvIPs.rows=8
+tvIPs.readonly="readonly"
+tvIPs.wrap="off"
+
+function tvIPs.cfgvalue(e,e)
+	sylogtext=""
+	if a and nixio.fs.access(a) then
+		sylogtext=luci.sys.exec("tail -n 100 %s"%a)
+	end
+	return sylogtext
+end
+tvIPs.write=function(e,e,e)
+end
+
+return m
--- a/luci-app-cloudflarespeedtest/luasrc/model/cbi/cloudflarespeedtest/logread.lua
+++ b/luci-app-cloudflarespeedtest/luasrc/model/cbi/cloudflarespeedtest/logread.lua
@ -0,0 +1,9 @@
+log = SimpleForm("logview")
+log.submit = false
+log.reset = false
+
+t = log:field(DummyValue, '', '')
+t.rawhtml = true
+t.template = 'cloudflarespeedtest/logread'
+
+return log
--- a/luci-app-cloudflarespeedtest/luasrc/view/cloudflarespeedtest/actions.htm
+++ b/luci-app-cloudflarespeedtest/luasrc/view/cloudflarespeedtest/actions.htm
@ -0,0 +1,56 @@
+<%+cbi/valueheader%>
+<script type="text/javascript">//<![CDATA[
+    const STATUS_URL = '<%=luci.dispatcher.build_url("admin", "services", "cloudflarespeedtest","status")%>';
+    const RUN_URL = '<%=luci.dispatcher.build_url("admin", "services", "cloudflarespeedtest","start")%>';
+    const STOP_URL = '<%=luci.dispatcher.build_url("admin", "services", "cloudflarespeedtest","stop")%>';
+    const LOG_URL = '<%=luci.dispatcher.build_url("admin", "services", "cloudflarespeedtest","logread")%>';
+  
+    XHR.poll(3, STATUS_URL, null,
+        function(x, data) {
+            var tb = document.getElementById('cloudflarespeedtest_status');        
+          
+            if (data && tb) {
+                if (data.running) {
+                    buttonStatus(true)          
+                    tb.innerHTML = '<em><b><font color=green><%:RUNNING %></font></b></em>';
+                } else {
+                    buttonStatus(false)  
+                    tb.innerHTML = '<em><b><font color=red> <%:NOT RUNNING %></font></b></em>';
+                }
+            }
+        }
+    );
+
+	function cloudflarespeedtest_act_start() {
+        buttonStatus(true)
+		XHR.get(RUN_URL, null, () => {          
+        });
+        setTimeout(() => { window.location = LOG_URL }, 500);
+        return false;	
+	}
+
+    function cloudflarespeedtest_act_stop(){
+        XHR.get(STOP_URL, null, () => {    
+            buttonStatus(false)      
+        });
+        return false;	
+    }
+
+    function buttonStatus(running){
+        document.getElementById('cloudflarespeedtest_start').style.display  =  running ? "none" : "block"
+        document.getElementById('cloudflarespeedtest_stop').style.display   =  running ? "block" : "none"
+    }
+    
+//]]></script>
+<label class="cbi-value-title"><%= translate("Status") %></label>
+<div class="cbi-value-field">
+    <p id="cloudflarespeedtest_status"><em><%:Collecting data...%></em></p>
+</div>
+
+<label class="cbi-value-title"><%= translate("Speed Test") %></label>
+<div class="cbi-value-field">
+    <input id="cloudflarespeedtest_start" type="button" style="display:block;" class="btn cbi-button cbi-button-apply" value="<%= translate('TEST AND APPLY') %>" onclick="cloudflarespeedtest_act_start()" />
+	<input id="cloudflarespeedtest_stop" type="button" style="display:none;" class="btn cbi-button cbi-button-apply" value="<%= translate('STOP') %>" onclick="cloudflarespeedtest_act_stop()" />
+</div>
+
+<%+cbi/valuefooter%>
--- a/luci-app-cloudflarespeedtest/luasrc/view/cloudflarespeedtest/logread.htm
+++ b/luci-app-cloudflarespeedtest/luasrc/view/cloudflarespeedtest/logread.htm
@ -0,0 +1,23 @@
+<%+cbi/valueheader%>
+<input type="checkbox" id="checkbox1" checked><%:Auto refresh%></input>
+<textarea id="logview" class="cbi-input-textarea" style="width: 100%" rows="30" readonly="readonly"></textarea>
+
+<script type="text/javascript">
+    const LOG_URL = '<%=luci.dispatcher.build_url("admin", "services", "cloudflarespeedtest","getlog")%>';
+    
+    function getlog(){
+        XHR.get(LOG_URL, null, function(x, data) {            
+             logview.value = data.log;   
+             if(document.getElementById("checkbox1").checked == true){
+                logview.scrollTop = logview.scrollHeight;
+             }     
+        });
+    }
+    getlog()
+    setInterval(() => { 
+        if(document.getElementById("checkbox1").checked == true){
+            getlog()
+        }
+    }, 2000);
+</script>
+<%+cbi/valuefooter%>
--- a/luci-app-cloudflarespeedtest/po/zh-cn
+++ b/luci-app-cloudflarespeedtest/po/zh-cn
@ -0,0 +1 @@
+zh_Hans
--- a/luci-app-cloudflarespeedtest/po/zh_Hans/cloudflarespeedtest.po
+++ b/luci-app-cloudflarespeedtest/po/zh_Hans/cloudflarespeedtest.po
@ -0,0 +1,221 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"POT-Creation-Date: \n"
+"PO-Revision-Date: 2022-02-10 20:44+0000\n"
+"Last-Translator: mingxiaoyu <fengying0347@163.com>\n"
+"Language: zh_Hans\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Weblate 4.8-dev\n"
+
+msgid "<a href=\"https://github.com/mingxiaoyu/luci-app-cloudflarespeedtest\" target=\"_blank\">GitHub</a>"
+msgstr "<a href=\"https://github.com/mingxiaoyu/luci-app-cloudflarespeedtest\" target=\"_blank\">GitHub项目地址</a>"
+
+msgid "Cloudflare Speed Test"
+msgstr "Cloudflare速度测试"
+
+msgid "Base Setting"
+msgstr "基本设置"
+
+msgid "Logs"
+msgstr "日志"
+
+msgid "Enabled"
+msgstr "启用"
+
+msgid "Enabled scheduled task test Cloudflare IP"
+msgstr "启用计划任务测试 Cloudflare IP"
+
+msgid "Broadband speed"
+msgstr "宽带速度"
+
+msgid "Custome Url Enabled"
+msgstr "启用自定义地址"
+
+msgid "Custome Url"
+msgstr "自定义地址"
+
+msgid "Custome Cron Enabled"
+msgstr "启用自定义Cron"
+
+msgid "Custome Cron"
+msgstr "自定义Cron"
+
+msgid "Hour"
+msgstr "小时"
+
+msgid "Minute"
+msgstr "分钟"
+
+msgid "100M broadband download speed is about 12M/s. It is not recommended to fill in an excessively large value, and it may run all the time."
+msgstr "100M的宽带下载大概为速度12M/s。不推荐填过大的值，可能出现一直运行。"
+
+msgid "Shadowsocksr Plus+ Enabled"
+msgstr "启用ShadowSocksR Plus+"
+
+msgid "Passwall Enabled"
+msgstr "启用Passwall"
+
+msgid "PassWall2 Enabled"
+msgstr "启用PassWall2"
+
+msgid "Bypass Enabled"
+msgstr "启用Bypass"
+
+msgid "Vssr Enabled"
+msgstr "启用Vssr"
+msgid "Shadowsocksr Servers"
+msgstr "ShadowSocksR Plus+服务"
+
+msgid "Passwall Servers"
+msgstr "Passwall服务"
+
+msgid "Passwall2 Servers"
+msgstr "Passwall2服务"
+
+msgid "Bypass Servers"
+msgstr "Bypass服务"
+
+msgid "Vssr Servers"
+msgstr "Vssr服务"
+
+msgid "Please select a service"
+msgstr "请选择一项服务"
+
+msgid "Speed Test"
+msgstr "速度测试"
+
+msgid "Best IP"
+msgstr "最佳IP"
+
+msgid "TEST AND APPLY"
+msgstr "测试并应用"
+
+msgid "STOP"
+msgstr "停止"
+
+msgid "Advanced"
+msgstr "高级模式"
+
+msgid "Thread"
+msgid "线程数"
+
+msgid "Average Latency Cap"
+msgstr "平均延迟上限"
+
+msgid "Average Latency Lower Bound"
+msgstr "平均延迟下限"
+
+msgid "IPv6 Enabled"
+msgstr "启用IPv6"
+
+msgid "Delayed speed measurement time"
+msgstr "延迟测速次数"
+ 
+msgid "Download speed test time"
+msgstr "下载测速时间"
+
+msgid "Number of download speed tests"
+msgstr "下载测速数量"
+
+msgid "Disable download speed test"
+msgstr "禁用下载测速"
+
+msgid "Port"
+msgstr "端口"
+
+msgid "Not recommended"
+msgstr "不推荐"
+
+msgid "Provides only one method, if IPv6 is enabled, IPv4 will not be tested"
+msgstr "IPv4和IPv6只能选一个！！！！！！"
+
+msgid "<a href=\"https://github.com/XIU2/CloudflareSpeedTest/issues/168\" target=\"_blank\">How to create</a>"
+msgstr "<a href=\"https://github.com/XIU2/CloudflareSpeedTest/issues/168\" target=\"_blank\">如何创建</a>"
+
+msgid "RUNNING" 
+msgstr "运行中"
+
+msgid "NOT RUNNING"
+msgstr "未运行"
+
+msgid "Collecting data..."
+msgstr "收集数据中..."
+
+msgid "Third party applications settings"
+msgstr "第三方应用设置"
+
+msgid "Auto refresh"
+msgstr "自动刷新"
+
+msgid "Status"
+msgstr "状态"
+
+msgid "Proxy Mode"
+msgstr "代理模式"
+
+msgid "HOLD"
+msgstr "保持"
+
+msgid "GFW List"
+msgid "GFW列表"
+
+msgid "CLOSE"
+msgstr "关闭"
+
+msgid "during the speed testing, swith to which mode"
+msgstr "在速度测试期间，切换到哪种模式"
+
+msgid "DNS"
+msgstr "DNS"
+
+msgid "DNS Enabled"
+msgstr "启用DNS"
+
+msgid "DNS Type"
+msgstr "DNS类型"
+
+msgid "AliyuDNS"
+msgstr "阿里云DNS"
+
+msgid "Access Key ID"
+msgstr "Access Key ID"
+
+msgid "Access Key Secret"
+msgstr "Access Key Secret"
+
+msgid "Main Domain"
+msgstr "主域名"
+
+msgid "Sub Domain"
+msgstr "子域名"
+
+msgid "For example: test.github.com -> github.com"
+msgstr "例如: test.github.com 则填: github.com"
+
+msgid "For example: test.github.com -> test"
+msgstr "例如: test.github.com, 则填: test"
+
+msgid "Lines"
+msgstr "解析线路"
+
+msgid "default"
+msgstr "默认"
+
+msgid "telecom"
+msgstr "电信"
+
+msgid "unicom"
+msgstr "联通"
+
+msgid "mobile"
+msgstr "移动"
+
+msgid "HOST Enabled"
+msgstr "启用HOST"
+
+msgid "Domain"
+msgstr "域名"
--- a/luci-app-cloudflarespeedtest/root/etc/config/cloudflarespeedtest
+++ b/luci-app-cloudflarespeedtest/root/etc/config/cloudflarespeedtest
@ -0,0 +1,21 @@
+
+config global 'global'
+	option hour '5'
+	option minute '0'
+	option enabled '0'
+	option ipv6_enabled '0'
+	option advanced '0'
+	option tl '200'
+	option tll '40'
+	option custome_url 'https://speed.cloudflare.com/__down?bytes=300000000'
+	option threads '200'
+	option speed '100'
+
+config servers 'servers'
+	option ssr_enabled '0'
+	option passwall_enabled '0'
+	option passwall2_enabled '0'
+	option bypass_enabled '0'
+	option vssr_enabled '0'
+	option DNS_enabled '0'
+
--- a/luci-app-cloudflarespeedtest/root/etc/init.d/cloudflarespeedtest
+++ b/luci-app-cloudflarespeedtest/root/etc/init.d/cloudflarespeedtest
@ -0,0 +1,59 @@
+#!/bin/sh /etc/rc.common
+
+START=99
+
+USE_PROCD=1
+
+CRON_FILE=/etc/crontabs/root
+
+service_triggers() {
+	procd_add_reload_trigger "cloudflarespeedtest"
+}
+
+add_cron(){
+	local enabled
+	config_get_bool enabled $1 enabled
+	
+	del_cron
+	
+	if	[ $enabled = 1 ] ; then 
+		local minute
+		local hour
+		local custome_cors_enabled
+		local custome_cron
+
+		config_get minute $1 minute
+		config_get hour $1 hour
+		config_get_bool custome_cors_enabled $1 custome_cors_enabled
+		config_get custome_cron $1 custome_cron
+
+		if [ $custome_cors_enabled = 1 ] ; then 
+ 			echo "$custome_cron /usr/bin/cloudflarespeedtest/cloudflarespeedtest.sh start" >> $CRON_FILE
+		else
+			echo "$minute $hour * * * /usr/bin/cloudflarespeedtest/cloudflarespeedtest.sh start" >> $CRON_FILE
+		fi
+		crontab $CRON_FILE	 
+	fi
+}
+
+del_cron(){	
+	sed -i '/cloudflarespeedtest/d' $CRON_FILE
+	/etc/init.d/cron restart
+}
+
+stop_instance(){
+	del_cron
+}
+
+stop_service() {
+	config_load cloudflarespeedtest
+	config_foreach stop_instance global
+}
+start_service() {
+	config_load cloudflarespeedtest
+	config_foreach add_cron global	 
+}
+reload_service() {
+	stop
+	start
+}
--- a/luci-app-cloudflarespeedtest/root/usr/bin/cloudflarespeedtest/aliddns.sh
+++ b/luci-app-cloudflarespeedtest/root/usr/bin/cloudflarespeedtest/aliddns.sh
@ -0,0 +1,81 @@
+#!/bin/sh
+LOG_FILE='/var/log/cloudflarespeedtest.log'
+
+echolog() {
+	local d="$(date "+%Y-%m-%d %H:%M:%S")"
+	echo -e "$d: $*" >>$LOG_FILE
+}
+
+urlencode() {
+	# urlencode url<string>
+	out=''
+	for c in $(echo -n $1 | sed 's/[^\n]/&\n/g'); do
+		case $c in
+			[a-zA-Z0-9._-]) out="$out$c" ;;
+			*) out="$out$(printf '%%%02X' "'$c")" ;;
+		esac
+	done
+	echo -n $out
+}
+
+send_request() {
+	# send_request action<string> args<string>
+	local args="AccessKeyId=$ak_id&Action=$1&Format=json&$2&Version=2015-01-09"
+	local hash=$(urlencode $(echo -n "GET&%2F&$(urlencode $args)" | openssl dgst -sha1 -hmac "$ak_sec&" -binary | openssl base64))
+	curl -sSL --connect-timeout 5 "http://alidns.aliyuncs.com/?$args&Signature=$hash"
+}
+
+get_recordid() {
+	sed 's/RR/\n/g' | sed -n 's/.*RecordId[^0-9]*\([0-9]*\).*/\1\n/p' | sort -ru | sed /^$/d
+}
+
+query_recordid() {
+	send_request "DescribeSubDomainRecords" "SignatureMethod=HMAC-SHA1&SignatureNonce=$timestamp&SignatureVersion=1.0&SubDomain=$sub_dm.$main_dm&Timestamp=$timestamp&Type=A"
+}
+
+update_record() {
+	send_request "UpdateDomainRecord" "Line=$line&RR=$sub_dm&RecordId=$1&SignatureMethod=HMAC-SHA1&SignatureNonce=$timestamp&SignatureVersion=1.0&Timestamp=$timestamp&Type=$type&Value=$ip"
+}
+
+add_record() {
+	send_request "AddDomainRecord&DomainName=$main_dm" "Line=$line&RR=$sub_dm&SignatureMethod=HMAC-SHA1&SignatureNonce=$timestamp&SignatureVersion=1.0&Timestamp=$timestamp&Type=$type&Value=$ip"
+}
+
+del_record() {
+	send_request "DeleteDomainRecord" "RecordId=$1&SignatureMethod=HMAC-SHA1&SignatureNonce=$timestamp&SignatureVersion=1.0&Timestamp=$timestamp"
+}
+
+aliddns() {
+	ak_id=$1
+	ak_sec=$2
+	main_dm=$3
+	sub_dm=$4
+	line=$5
+	isIpv6=$6
+	ip=$7
+	type=A
+	
+	if [ $isIpv6 -eq "1" ] ;then
+		type=AAAA
+	fi
+echo  $ip
+echo  $type
+	rrid=`query_recordid | get_recordid`
+	
+	if [ -z "$rrid" ]; then
+		rrid=`add_record | get_recordid`
+		echolog "ADD record $rrid"
+	else
+		update_record $rrid
+		echolog "UPDATE record $rrid"
+	fi
+	if [ -z "$rrid" ]; then
+		# failed
+		echolog "# ERROR, Please Check Config/Time"
+	fi
+}
+
+
+timestamp=$(date -u "+%Y-%m-%dT%H%%3A%M%%3A%SZ")
+
+aliddns "$@"
--- a/luci-app-cloudflarespeedtest/root/usr/bin/cloudflarespeedtest/cloudflarespeedtest.sh
+++ b/luci-app-cloudflarespeedtest/root/usr/bin/cloudflarespeedtest/cloudflarespeedtest.sh
@ -0,0 +1,314 @@
+#!/bin/sh
+
+LOG_FILE='/var/log/cloudflarespeedtest.log'
+IP_FILE='/usr/share/cloudflarespeedtestresult.txt'
+IPV4_TXT='/usr/share/CloudflareSpeedTest/ip.txt'
+IPV6_TXT='/usr/share/CloudflareSpeedTest/ipv6.txt'
+
+function get_global_config(){
+	while [[ "$*" != "" ]]; do
+		eval ${1}='`uci get cloudflarespeedtest.global.$1`' 2>/dev/null
+		shift
+	done
+}
+
+function get_servers_config(){
+	while [[ "$*" != "" ]]; do
+		eval ${1}='`uci get cloudflarespeedtest.servers.$1`' 2>/dev/null
+		shift
+	done
+}
+
+echolog() {
+	local d="$(date "+%Y-%m-%d %H:%M:%S")"
+	echo -e "$d: $*" 
+	echo -e "$d: $*" >>$LOG_FILE
+}
+
+function read_config(){
+	get_global_config "enabled" "speed" "custome_url" "threads" "custome_cors_enabled" "custome_cron" "t" "tp" "dt" "dn" "dd" "tl" "tll" "ipv6_enabled" "advanced" "proxy_mode"
+	get_servers_config "ssr_services" "ssr_enabled" "passwall_enabled" "passwall_services" "passwall2_enabled" "passwall2_services" "bypass_enabled" "bypass_services" "vssr_enabled" "vssr_services" "DNS_enabled" "HOST_enabled"
+}
+
+function appinit(){
+	ssr_started='';
+	passwall_started='';
+	passwall2_started='';
+	bypass_started='';
+	vssr_started='';
+}
+
+function speed_test(){
+
+	rm -rf $LOG_FILE
+
+	command="/usr/bin/cdnspeedtest -sl $((speed*125/1000)) -url ${custome_url} -o ${IP_FILE}"
+
+	if [ $ipv6_enabled -eq "1" ] ;then
+		command="${command} -f ${IPV6_TXT}"
+	else
+		command="${command} -f ${IPV4_TXT}"
+	fi
+
+	if [ $advanced -eq "1" ] ; then
+		command="${command} -tl ${tl} -tll ${tll} -n ${threads} -t ${t} -dt ${dt} -dn ${dn}"
+		if [ $dd -eq "1" ] ; then
+			command="${command} -dd"
+		fi
+		if [ $tp -ne "443" ] ; then
+		 	command="${command} -tp ${tp}"
+		fi
+	else
+		command="${command} -tl 200 -tll 40 -n 200 -t 4 -dt 10 -dn 1"
+	fi
+
+	appinit
+
+	ssr_original_server=$(uci get shadowsocksr.@global[0].global_server 2>/dev/null)
+	ssr_original_run_mode=$(uci get shadowsocksr.@global[0].run_mode 2>/dev/null)
+	if [ "x${ssr_original_server}" != "xnil" ] && [ "x${ssr_original_server}"  !=  "x" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+			uci set shadowsocksr.@global[0].global_server="nil"			
+		elif  [ $proxy_mode  == "gfw" ] ;then
+			uci set shadowsocksr.@global[0].run_mode="gfw"
+		fi
+		ssr_started='1';
+		uci commit shadowsocksr
+		/etc/init.d/shadowsocksr restart
+	fi
+
+	passwall_server_enabled=$(uci get passwall.@global[0].enabled 2>/dev/null)
+	passwall_original_run_mode=$(uci get passwall.@global[0].tcp_proxy_mode 2>/dev/null)
+	if [ "x${passwall_server_enabled}" == "x1" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+			uci set passwall.@global[0].enabled="0"			
+		elif  [ $proxy_mode  == "gfw" ] ;then
+			uci set passwall.@global[0].tcp_proxy_mode="gfwlist"
+		fi	 
+		passwall_started='1'; 
+		uci commit passwall
+		/etc/init.d/passwall  restart 2>/dev/null
+	fi
+
+	passwall2_server_enabled=$(uci get passwall2.@global[0].enabled 2>/dev/null)
+	passwall2_original_run_mode=$(uci get passwall2.@global[0].tcp_proxy_mode 2>/dev/null)
+	if [ "x${passwall2_server_enabled}" == "x1" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+			uci set passwall2.@global[0].enabled="0"			
+		elif  [ $proxy_mode  == "gfw" ] ;then
+			uci set passwall2.@global[0].tcp_proxy_mode="gfwlist"
+		fi 
+		passwall2_started='1'; 
+		uci commit passwall2
+		/etc/init.d/passwall2 restart 2>/dev/null
+	fi
+	
+	vssr_original_server=$(uci get vssr.@global[0].global_server 2>/dev/null)
+	vssr_original_run_mode=$(uci get vssr.@global[0].run_mode 2>/dev/null)
+	if [ "x${vssr_original_server}" != "xnil" ] && [ "x${vssr_original_server}"  !=  "x" ] ;then
+
+		if [ $proxy_mode  == "close" ] ;then
+			uci set vssr.@global[0].global_server="nil"		
+		elif  [ $proxy_mode  == "gfw" ] ;then
+			uci set vssr.@global[0].run_mode="gfw"
+		fi
+		vssr_started='1';
+		uci commit vssr
+		/etc/init.d/vssr restart
+	fi
+
+	bypass_original_server=$(uci get bypass.@global[0].global_server 2>/dev/null)
+	bypass_original_run_mode=$(uci get bypass.@global[0].run_mode 2>/dev/null)
+	if [ "x${bypass_original_server}" != "x" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+			uci set bypass.@global[0].global_server=""			
+		elif  [ $proxy_mode  == "gfw" ] ;then
+			uci set bypass.@global[0].run_mode="gfw"
+		fi
+		bypass_started='1';
+		uci commit bypass
+		/etc/init.d/bypass restart
+	fi
+
+	echo $command  >> $LOG_FILE 2>&1 
+	echolog "-----------start----------" 
+	$command >> $LOG_FILE 2>&1
+	echolog "-----------end------------"
+}
+
+function ip_replace(){
+
+	# 获取最快 IP（从 result.csv 结果文件中获取第一个 IP）
+	bestip=$(sed -n "2,1p" $IP_FILE | awk -F, '{print $1}')
+	if [[ -z "${bestip}" ]]; then
+		echolog "CloudflareST 测速结果 IP 数量为 0,跳过下面步骤..."
+	else
+		alidns_ip
+		ssr_best_ip
+		vssr_best_ip
+		bypass_best_ip
+		passwall_best_ip
+		passwall2_best_ip
+		restart_app
+		host_ip	
+	fi
+}
+
+function passwall_best_ip(){
+	if [ "x${passwall_enabled}" == "x1" ] ;then
+		echolog "设置passwall IP"
+		for ssrname in $passwall_services
+		do
+			echo $ssrname
+			uci set passwall.$ssrname.address="${bestip}"
+		done
+		uci commit passwall
+	fi
+}
+
+function passwall2_best_ip(){
+	if [ "x${passwall2_enabled}" == "x1" ] ;then
+		echolog "设置passwall2 IP"
+		for ssrname in $passwall2_services
+		do
+			echo $ssrname
+			uci set passwall2.$ssrname.address="${bestip}"
+		done
+		uci commit passwall2
+	fi
+}
+
+function ssr_best_ip(){
+	if [ "x${ssr_enabled}" == "x1" ] ;then
+		echolog "设置ssr IP"
+		for ssrname in $ssr_services
+		do
+			echo $ssrname
+			uci set shadowsocksr.$ssrname.server="${bestip}"
+			uci set shadowsocksr.$ssrname.ip="${bestip}"
+		done	
+    	uci commit shadowsocksr
+	fi
+}
+
+function vssr_best_ip(){
+	if [ "x${vssr_enabled}" == "x1" ] ;then
+		echolog "设置Vssr IP"
+		for ssrname in $vssr_services
+		do
+			echo $ssrname
+			uci set vssr.$ssrname.server="${bestip}"
+		done    
+    	uci commit vssr
+	fi
+}
+
+function bypass_best_ip(){
+	if [ "x${bypass_enabled}" == "x1" ] ;then
+		echolog "设置Bypass IP"
+		for ssrname in $bypass_services
+		do
+			echo $ssrname
+			uci set bypass.$ssrname.server="${bestip}"
+		done    
+    	uci commit bypass   
+	fi
+}
+
+function restart_app(){
+	if [ "x${ssr_started}" == "x1" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+			uci set shadowsocksr.@global[0].global_server="${ssr_original_server}"		
+		elif [ $proxy_mode  == "gfw" ] ;then
+			uci set  shadowsocksr.@global[0].run_mode="${ssr_original_run_mode}"
+		fi
+		uci commit shadowsocksr
+		/etc/init.d/shadowsocksr restart &>/dev/null
+    	echolog "ssr重启完成"
+    fi
+
+	if [ "x${passwall_started}" == "x1" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+				uci set passwall.@global[0].enabled="${passwall_server_enabled}"		
+		elif [ $proxy_mode  == "gfw" ] ;then
+				uci set passwall.@global[0].tcp_proxy_mode="${passwall_original_run_mode}"
+		fi	
+		uci commit passwall
+		/etc/init.d/passwall restart 2>/dev/null
+		echolog "passwall重启完成"
+	fi	 
+
+	if [ "x${passwall2_started}" == "x1" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+				uci set passwall2.@global[0].enabled="${passwall2_server_enabled}"		
+		elif [ $proxy_mode  == "gfw" ] ;then
+		 		uci set passwall2.@global[0].tcp_proxy_mode="${passwall2_original_run_mode}"
+		fi
+		uci commit passwall2
+		/etc/init.d/passwall2 restart 2>/dev/null
+		echolog "passwall2重启完成"		 
+	fi
+
+	if [ "x${vssr_started}" == "x1" ] ;then
+      	if [ $proxy_mode  == "close" ] ;then
+        	uci set vssr.@global[0].global_server="${vssr_original_server}"		
+      	elif [ $proxy_mode  == "gfw" ] ;then
+        	uci set vssr.@global[0].run_mode="${vssr_original_run_mode}"
+      	fi	
+		uci commit vssr
+		/etc/init.d/vssr restart &>/dev/null
+    	echolog "Vssr重启完成"
+	fi
+
+	if [ "x${bypass_started}" == "x1" ] ;then
+		if [ $proxy_mode  == "close" ] ;then
+        	uci set bypass.@global[0].global_server="${bypass_original_server}"		
+      	elif [ $proxy_mode  == "gfw" ] ;then
+        	uci set  bypass.@global[0].run_mode="${bypass_original_run_mode}"
+      	fi	
+     	uci commit bypass 
+	 	/etc/init.d/bypass restart &>/dev/null
+    	echolog "Bypass重启完成"
+	fi
+}
+
+function alidns_ip(){
+	if [ "x${DNS_enabled}" == "x1" ] ;then
+		get_servers_config "DNS_type" "app_key" "app_secret" "main_domain" "sub_domain" "line"
+		if [ $DNS_type == "aliyu" ] ;then
+		for sub in $sub_domain
+		do
+			/usr/bin/cloudflarespeedtest/aliddns.sh $app_key $app_secret $main_domain $sub $line $ipv6_enabled $bestip 
+			echolog "更新域名${sub}阿里云DNS完成"
+			sleep 1s
+		done
+		fi
+		echo "aliyun done"
+	fi
+}
+
+function host_ip() {
+	if [ "x${HOST_enabled}" == "x1" ] ;then
+    get_servers_config "host_domain"
+    HOSTS_LINE="$bestip $host_domain"
+    if [ -n "$(grep $host_domain /etc/hosts)" ]
+        then
+          sed -i".bak" "/$host_domain/d" /etc/hosts
+          echo $HOSTS_LINE >> /etc/hosts;
+        else                             
+          echo $HOSTS_LINE >> /etc/hosts;
+    fi                                
+    /etc/init.d/dnsmasq reload &>/dev/null
+    echolog "HOST 完成"
+  fi
+}
+
+read_config
+
+# 启动参数
+if [ "$1" ] ;then
+	[ $1 == "start" ] && speed_test && ip_replace
+	[ $1 == "test" ] && speed_test
+	[ $1 == "replace" ] && ip_replace
+	exit
+fi
--- a/luci-app-cloudflarespeedtest/root/usr/share/rpcd/acl.d/luci-app-cloudflarespeedtest.json
+++ b/luci-app-cloudflarespeedtest/root/usr/share/rpcd/acl.d/luci-app-cloudflarespeedtest.json
@ -0,0 +1,11 @@
+{
+	"luci-app-cloudflarespeedtest": {
+		"description": "Grant UCI access for luci-app-cloudflarespeedtest",
+		"read": {
+			"uci": [ "cloudflarespeedtest" ]
+		},
+		"write": {
+			"uci": [ "cloudflarespeedtest" ]
+		}
+	}
+}
--- a/luci-app-mosdns/Makefile
+++ b/luci-app-mosdns/Makefile
@ -0,0 +1,19 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-app-mosdns
+PKG_VERSION:=1.4.4
+PKG_RELEASE:=2
+
+LUCI_TITLE:=LuCI Support for mosdns
+LUCI_PKGARCH:=all
+LUCI_DEPENDS:=+mosdns +jsonfilter +luci-compat +curl +v2ray-geoip +v2ray-geosite
+
+define Package/$(PKG_NAME)/conffiles
+/etc/config/mosdns
+/etc/mosdns/config_custom.yaml
+/etc/mosdns/rule
+endef
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
--- a/luci-app-mosdns/luasrc/controller/mosdns.lua
+++ b/luci-app-mosdns/luasrc/controller/mosdns.lua
@ -0,0 +1,42 @@
+module("luci.controller.mosdns", package.seeall)
+
+function index()
+	if not nixio.fs.access("/etc/config/mosdns") then
+		return
+	end
+
+	local page = entry({"admin", "services", "mosdns"}, alias("admin", "services", "mosdns", "basic"), _("MosDNS"), 30)
+	page.dependent = true
+	page.acl_depends = { "luci-app-mosdns" }
+
+	entry({"admin", "services", "mosdns", "basic"}, cbi("mosdns/basic"), _("Basic Setting"), 1).leaf = true
+	entry({"admin", "services", "mosdns", "rule_list"}, cbi("mosdns/rule_list"), _("Rule List"), 2).leaf = true
+	entry({"admin", "services", "mosdns", "update"}, cbi("mosdns/update"), _("Geodata Update"), 3).leaf = true
+	entry({"admin", "services", "mosdns", "log"}, cbi("mosdns/log"), _("Logs"), 4).leaf = true
+	entry({"admin", "services", "mosdns", "status"}, call("act_status")).leaf = true
+	entry({"admin", "services", "mosdns", "get_log"}, call("get_log")).leaf = true
+	entry({"admin", "services", "mosdns", "clear_log"}, call("clear_log")).leaf = true
+	entry({"admin", "services", "mosdns", "geo_update"}, call("geo_update")).leaf = true
+end
+
+function act_status()
+	local e = {}
+	e.running = luci.sys.call("pgrep -f mosdns >/dev/null") == 0
+	luci.http.prepare_content("application/json")
+	luci.http.write_json(e)
+end
+
+function get_log()
+	luci.http.write(luci.sys.exec("cat $(/usr/share/mosdns/mosdns.sh logfile)"))
+end
+
+function clear_log()
+	luci.sys.call("cat /dev/null > $(/usr/share/mosdns/mosdns.sh logfile)")
+end
+
+function geo_update()
+	local e = {}
+	e.updating = luci.sys.call("/usr/share/mosdns/mosdns.sh geodata >/dev/null") == 0
+	luci.http.prepare_content("application/json")
+	luci.http.write_json(e)
+end
--- a/luci-app-mosdns/luasrc/model/cbi/mosdns/basic.lua
+++ b/luci-app-mosdns/luasrc/model/cbi/mosdns/basic.lua
@ -0,0 +1,136 @@
+m = Map("mosdns")
+m.title = translate("MosDNS")
+m.description = translate("MosDNS is a 'programmable' DNS forwarder.")
+
+m:section(SimpleSection).template = "mosdns/mosdns_status"
+
+s = m:section(TypedSection, "mosdns")
+s.addremove = false
+s.anonymous = true
+
+enable = s:option(Flag, "enabled", translate("Enable"))
+enable.rmempty = false
+
+configfile = s:option(ListValue, "configfile", translate("Config File"))
+configfile:value("/etc/mosdns/config.yaml", translate("Default Config"))
+configfile:value("/etc/mosdns/config_custom.yaml", translate("Custom Config"))
+configfile.default = "/etc/mosdns/config.yaml"
+
+listenport = s:option(Value, "listen_port", translate("Listen port"))
+listenport.datatype = "and(port,min(1))"
+listenport.default = 5335
+listenport:depends( "configfile", "/etc/mosdns/config.yaml")
+
+loglevel = s:option(ListValue, "log_level", translate("Log Level"))
+loglevel:value("debug", translate("Debug"))
+loglevel:value("info", translate("Info"))
+loglevel:value("warn", translate("Warning"))
+loglevel:value("error", translate("Error"))
+loglevel.default = "info"
+loglevel:depends( "configfile", "/etc/mosdns/config.yaml")
+
+logfile = s:option(Value, "logfile", translate("Log File"))
+logfile.placeholder = "/tmp/mosdns.log"
+logfile.default = "/tmp/mosdns.log"
+logfile:depends( "configfile", "/etc/mosdns/config.yaml")
+
+redirect = s:option(Flag, "redirect", translate("DNS Forward"), translate("Forward Dnsmasq Domain Name resolution requests to MosDNS"))
+redirect.default = true
+
+custom_local_dns = s:option(Flag, "custom_local_dns", translate("Local DNS"), translate("Follow WAN interface DNS if not enabled"))
+custom_local_dns:depends( "configfile", "/etc/mosdns/config.yaml")
+custom_local_dns.default = false
+
+custom_local_dns = s:option(DynamicList, "local_dns", translate("Upstream DNS servers"))
+custom_local_dns:value("119.29.29.29", "119.29.29.29 (DNSPod Primary)")
+custom_local_dns:value("119.28.28.28", "119.28.28.28 (DNSPod Secondary)")
+custom_local_dns:value("223.5.5.5", "223.5.5.5 (AliDNS Primary)")
+custom_local_dns:value("223.6.6.6", "223.6.6.6 (AliDNS Secondary)")
+custom_local_dns:value("114.114.114.114", "114.114.114.114 (114DNS Primary)")
+custom_local_dns:value("114.114.115.115", "114.114.115.115 (114DNS Secondary)")
+custom_local_dns:value("180.76.76.76", "180.76.76.76 (Baidu DNS)")
+custom_local_dns:depends("custom_local_dns", "1")
+
+custom_local_dns = s:option(ListValue, "bootstrap_dns", translate("Bootstrap DNS servers"), translate("Bootstrap DNS servers are used to resolve IP addresses of the DoH/DoT resolvers you specify as upstreams"))
+custom_local_dns:value("119.29.29.29", "119.29.29.29 (DNSPod Primary)")
+custom_local_dns:value("119.28.28.28", "119.28.28.28 (DNSPod Secondary)")
+custom_local_dns:value("223.5.5.5", "223.5.5.5 (AliDNS Primary)")
+custom_local_dns:value("223.6.6.6", "223.6.6.6 (AliDNS Secondary)")
+custom_local_dns:value("114.114.114.114", "114.114.114.114 (114DNS Primary)")
+custom_local_dns:value("114.114.115.115", "114.114.115.115 (114DNS Secondary)")
+custom_local_dns:value("180.76.76.76", "180.76.76.76 (Baidu DNS)")
+custom_local_dns.default = "119.29.29.29"
+custom_local_dns:depends("custom_local_dns", "1")
+
+remote_dns = s:option(DynamicList, "remote_dns", translate("Remote DNS"))
+remote_dns:value("tls://1.1.1.1", "1.1.1.1 (CloudFlare DNS)")
+remote_dns:value("tls://1.0.0.1", "1.0.0.1 (CloudFlare DNS)")
+remote_dns:value("tls://8.8.8.8", "8.8.8.8 (Google DNS)")
+remote_dns:value("tls://8.8.4.4", "8.8.4.4 (Google DNS)")
+remote_dns:value("tls://9.9.9.9", "9.9.9.9 (Quad9 DNS)")
+remote_dns:value("tls://149.112.112.112", "149.112.112.112 (Quad9 DNS)")
+remote_dns:value("tls://45.11.45.11", "45.11.45.11 (DNS.SB)")
+remote_dns:value("tls://208.67.222.222", "208.67.222.222 (Open DNS)")
+remote_dns:value("tls://208.67.220.220", "208.67.220.220 (Open DNS)")
+remote_dns:depends( "configfile", "/etc/mosdns/config.yaml")
+
+remote_dns_pipeline = s:option(Flag, "enable_pipeline", translate("Remote DNS Connection Multiplexing"), translate("Enable TCP/DoT RFC 7766 new Query Pipelining connection multiplexing mode"))
+remote_dns_pipeline.rmempty = false
+remote_dns_pipeline.default = false
+remote_dns_pipeline:depends( "configfile", "/etc/mosdns/config.yaml")
+
+cache_size = s:option(Value, "cache_size", translate("DNS Cache Size"))
+cache_size.datatype = "and(uinteger,min(0))"
+cache_size.default = "200000"
+cache_size:depends( "configfile", "/etc/mosdns/config.yaml")
+
+cache_size = s:option(Value, "cache_survival_time", translate("Cache Survival Time"))
+cache_size.datatype = "and(uinteger,min(0))"
+cache_size.default = "259200"
+cache_size:depends( "configfile", "/etc/mosdns/config.yaml")
+
+minimal_ttl = s:option(Value, "minimal_ttl", translate("Minimum TTL"))
+minimal_ttl.datatype = "and(uinteger,min(0))"
+minimal_ttl.datatype = "and(uinteger,max(3600))"
+minimal_ttl.default = "0"
+minimal_ttl:depends( "configfile", "/etc/mosdns/config.yaml")
+
+maximum_ttl = s:option(Value, "maximum_ttl", translate("Maximum TTL"))
+maximum_ttl.datatype = "and(uinteger,min(0))"
+maximum_ttl.default = "0"
+maximum_ttl:depends( "configfile", "/etc/mosdns/config.yaml")
+
+adblock = s:option(Flag, "adblock", translate("Enable DNS ADblock"))
+adblock:depends( "configfile", "/etc/mosdns/config.yaml")
+adblock.default = false
+
+adblock = s:option(Value, "ad_source", translate("ADblock Source"))
+adblock:depends("adblock", "1")
+adblock.default = "https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-domains.txt"
+adblock:value("geosite.dat", "v2ray-geosite")
+adblock:value("https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-domains.txt", "anti-AD")
+adblock:value("https://raw.githubusercontent.com/sjhgvr/oisd/main/dbl_basic.txt", "oisd (basic)")
+adblock:value("https://raw.githubusercontent.com/QiuSimons/openwrt-mos/master/dat/serverlist.txt", "QiuSimons/openwrt-mos")
+
+reload_service = s:option( Button, "_reload", translate("Reload Service"), translate("Reload service to take effect of new configuration"))
+reload_service.write = function()
+  luci.sys.exec("/etc/init.d/mosdns reload")
+end
+reload_service:depends( "configfile", "/etc/mosdns/config_custom.yaml")
+
+config = s:option(TextValue, "manual-config")
+config.description = translate("<font color=\"ff0000\"><strong>View the Custom YAML Configuration file used by this MosDNS. You can edit it as you own need.</strong></font>")
+config.template = "cbi/tvalue"
+config.rows = 25
+config:depends( "configfile", "/etc/mosdns/config_custom.yaml")
+
+function config.cfgvalue(self, section)
+  return nixio.fs.readfile("/etc/mosdns/config_custom.yaml")
+end
+
+function config.write(self, section, value)
+  value = value:gsub("\r\n?", "\n")
+  nixio.fs.writefile("/etc/mosdns/config_custom.yaml", value)
+end
+
+return m
--- a/luci-app-mosdns/luasrc/model/cbi/mosdns/log.lua
+++ b/luci-app-mosdns/luasrc/model/cbi/mosdns/log.lua
@ -0,0 +1,5 @@
+m = Map("mosdns")
+
+m:append(Template("mosdns/mosdns_log"))
+
+return m
--- a/luci-app-mosdns/luasrc/model/cbi/mosdns/rule_list.lua
+++ b/luci-app-mosdns/luasrc/model/cbi/mosdns/rule_list.lua
@ -0,0 +1,87 @@
+local datatypes = require "luci.cbi.datatypes"
+
+local white_list_file = "/etc/mosdns/rule/whitelist.txt"
+local block_list_file = "/etc/mosdns/rule/blocklist.txt"
+local grey_list_file = "/etc/mosdns/rule/greylist.txt"
+local hosts_list_file = "/etc/mosdns/rule/hosts.txt"
+local redirect_list_file = "/etc/mosdns/rule/redirect.txt"
+local local_ptr_file = "/etc/mosdns/rule/local-ptr.txt"
+
+m = Map("mosdns")
+
+s = m:section(TypedSection, "mosdns", translate("Rule Settings"))
+s.anonymous = true
+
+s:tab("white_list", translate("White Lists"))
+s:tab("block_list", translate("Block Lists"))
+s:tab("grey_list", translate("Grey Lists"))
+s:tab("hosts_list", translate("Hosts"))
+s:tab("redirect_list", translate("Redirect"))
+s:tab("local_ptr_list", translate("Block PTR"))
+
+o = s:taboption("white_list", TextValue, "whitelist", "", "<font color='red'>" .. translate("These domain names allow DNS resolution with the highest priority. Please input the domain names of websites, every line can input only one website domain. For example: hm.baidu.com.") .. "</font>" .. "<font color='#00bd3e'>" .. translate("<br>The list of rules only apply to 'Default Config' profiles.") .. "</font>")
+o.rows = 15
+o.wrap = "off"
+o.cfgvalue = function(self, section) return nixio.fs.readfile(white_list_file) or "" end
+o.write = function(self, section, value) nixio.fs.writefile(white_list_file , value:gsub("\r\n", "\n")) end
+o.remove = function(self, section, value) nixio.fs.writefile(white_list_file , "") end
+o.validate = function(self, value)
+    return value
+end
+
+o = s:taboption("block_list", TextValue, "blocklist", "", "<font color='red'>" .. translate("These domains are blocked from DNS resolution. Please input the domain names of websites, every line can input only one website domain. For example: baidu.com.") .. "</font>" .. "<font color='#00bd3e'>" .. translate("<br>The list of rules only apply to 'Default Config' profiles.") .. "</font>")
+o.rows = 15
+o.wrap = "off"
+o.cfgvalue = function(self, section) return nixio.fs.readfile(block_list_file) or "" end
+o.write = function(self, section, value) nixio.fs.writefile(block_list_file, value:gsub("\r\n", "\n")) end
+o.remove = function(self, section, value) nixio.fs.writefile(block_list_file, "") end
+o.validate = function(self, value)
+    return value
+end
+
+o = s:taboption("grey_list", TextValue, "greylist", "", "<font color='red'>" .. translate("These domains are always resolved using remote DNS. Please input the domain names of websites, every line can input only one website domain. For example: google.com.") .. "</font>" .. "<font color='#00bd3e'>" .. translate("<br>The list of rules only apply to 'Default Config' profiles.") .. "</font>")
+o.rows = 15
+o.wrap = "off"
+o.cfgvalue = function(self, section) return nixio.fs.readfile(grey_list_file) or "" end
+o.write = function(self, section, value) nixio.fs.writefile(grey_list_file, value:gsub("\r\n", "\n")) end
+o.remove = function(self, section, value) nixio.fs.writefile(grey_list_file, "") end
+o.validate = function(self, value)
+    return value
+end
+
+o = s:taboption("hosts_list", TextValue, "hosts", "", "<font color='red'>" .. translate("Hosts For example: baidu.com 10.0.0.1") .. "</font>" .. "<font color='#00bd3e'>" .. translate("<br>The list of rules only apply to 'Default Config' profiles.") .. "</font>")
+o.rows = 15
+o.wrap = "off"
+o.cfgvalue = function(self, section) return nixio.fs.readfile(hosts_list_file) or "" end
+o.write = function(self, section, value) nixio.fs.writefile(hosts_list_file, value:gsub("\r\n", "\n")) end
+o.remove = function(self, section, value) nixio.fs.writefile(hosts_list_file, "") end
+o.validate = function(self, value)
+    return value
+end
+
+o = s:taboption("redirect_list", TextValue, "redirect", "", "<font color='red'>" .. translate("The domain name to redirect the request to. Requests domain A, but returns records for domain B. example: a.com b.com") .. "</font>" .. "<font color='#00bd3e'>" .. translate("<br>The list of rules only apply to 'Default Config' profiles.") .. "</font>")
+o.rows = 15
+o.wrap = "off"
+o.cfgvalue = function(self, section) return nixio.fs.readfile(redirect_list_file) or "" end
+o.write = function(self, section, value) nixio.fs.writefile(redirect_list_file, value:gsub("\r\n", "\n")) end
+o.remove = function(self, section, value) nixio.fs.writefile(redirect_list_file, "") end
+o.validate = function(self, value)
+    return value
+end
+
+o = s:taboption("local_ptr_list", TextValue, "local_ptr", "", "<font color='red'>" .. translate("These domains are blocked from PTR requests") .. "</font>" .. "<font color='#00bd3e'>" .. translate("<br>The list of rules only apply to 'Default Config' profiles.") .. "</font>")
+o.rows = 15
+o.wrap = "off"
+o.cfgvalue = function(self, section) return nixio.fs.readfile(local_ptr_file) or "" end
+o.write = function(self, section, value) nixio.fs.writefile(local_ptr_file, value:gsub("\r\n", "\n")) end
+o.remove = function(self, section, value) nixio.fs.writefile(local_ptr_file, "") end
+o.validate = function(self, value)
+    return value
+end
+
+local apply = luci.http.formvalue("cbi.apply")
+if apply then
+    luci.sys.exec("/etc/init.d/mosdns reload")
+end
+
+return m
--- a/luci-app-mosdns/luasrc/model/cbi/mosdns/update.lua
+++ b/luci-app-mosdns/luasrc/model/cbi/mosdns/update.lua
@ -0,0 +1,31 @@
+m = Map("mosdns")
+
+s = m:section(TypedSection, "mosdns", translate("Update GeoIP & GeoSite dat"))
+s.addremove = false
+s.anonymous = true
+
+enable = s:option(Flag, "geo_auto_update", translate("Enable Auto Database Update"))
+enable.rmempty = false
+
+o = s:option(ListValue, "geo_update_week_time", translate("Update Cycle"))
+o:value("*", translate("Every Day"))
+o:value("1", translate("Every Monday"))
+o:value("2", translate("Every Tuesday"))
+o:value("3", translate("Every Wednesday"))
+o:value("4", translate("Every Thursday"))
+o:value("5", translate("Every Friday"))
+o:value("6", translate("Every Saturday"))
+o:value("7", translate("Every Sunday"))
+o.default = "*"
+
+update_time = s:option(ListValue, "geo_update_day_time", translate("Update Time"))
+for t = 0, 23 do
+  update_time:value(t, t..":00")
+end
+update_time.default = 0
+
+data_update = s:option(Button, "geo_update_database", translate("Database Update"))
+data_update.rawhtml = true
+data_update.template = "mosdns/geo_update"
+
+return m
--- a/luci-app-mosdns/luasrc/view/mosdns/geo_update.htm
+++ b/luci-app-mosdns/luasrc/view/mosdns/geo_update.htm
@ -0,0 +1,34 @@
+<%+cbi/valueheader%>
+<script type="text/javascript">//<![CDATA[
+	function update_data(btn, dataname)
+	{
+		btn.disabled = true;
+		btn.value = '<%:Updating...%> ';
+		st=dataname;
+		XHR.get('<%=luci.dispatcher.build_url("admin", "services", "mosdns", "geo_update")%>',
+			{ set:st },
+			function(x,data)
+			{
+			var tb = document.getElementById(dataname+'-status');
+			if (tb)
+			{
+				switch (data.updating)
+				{
+					case true:
+						tb.innerHTML = "<font color='green'>" + "<%:Update success%>" + "</font>";
+						break;
+					case false:
+						tb.innerHTML = "<font color='red'>" + "<%:Update failed, Please check the network status%>" + "</font>";
+						break;
+				}
+			}
+				btn.disabled = false;
+				btn.value    = '<%:Check And Update%>';
+			}
+		);
+		return false;
+	}
+//]]></script>
+<input type="button" class="btn cbi-button cbi-button-reload" value="<%:Check And Update%>" onclick="return update_data(this,'<%=self.option%>')" />
+<span id="<%=self.option%>-status"><em><%=self.value%></em></span>
+<%+cbi/valuefooter%>
--- a/luci-app-mosdns/luasrc/view/mosdns/mosdns_log.htm
+++ b/luci-app-mosdns/luasrc/view/mosdns/mosdns_log.htm
@ -0,0 +1,29 @@
+<script type="text/javascript">
+	//<![CDATA[
+	function clear_log(btn) {
+		XHR.get('<%=url([[admin]], [[services]], [[mosdns]], [[clear_log]])%>', null,
+			function(x, data) {
+				if(x && x.status == 200) {
+					var log_textarea = document.getElementById('log_textarea');
+					log_textarea.innerHTML = "";
+					log_textarea.scrollTop = log_textarea.scrollHeight;
+				}
+				location.reload();
+			}
+		);
+	}
+	XHR.poll(1, '<%=url([[admin]], [[services]], [[mosdns]], [[get_log]])%>', null,
+		function(x, data) {
+			if(x && x.status == 200) {
+				var log_textarea = document.getElementById('log_textarea');
+				log_textarea.innerHTML = x.responseText;
+				log_textarea.scrollTop = log_textarea.scrollHeight;
+			}
+		}
+	);
+	//]]>
+</script>
+<fieldset class="cbi-section" id="_log_fieldset">
+	<input class="cbi-button cbi-input-remove" type="button" onclick="clear_log()" value="<%:Clear logs%>" style="margin-left: 10px; margin-top: 10px;">
+	<textarea id="log_textarea" class="cbi-input-textarea" style="width: calc(100% - 20px); height: 600px; margin: 10px;" data-update="change" rows="5" wrap="off" readonly="readonly"></textarea>
+</fieldset>
--- a/luci-app-mosdns/luasrc/view/mosdns/mosdns_status.htm
+++ b/luci-app-mosdns/luasrc/view/mosdns/mosdns_status.htm
@ -0,0 +1,28 @@
+<script type="text/javascript">
+	//<![CDATA[
+	XHR.poll(3, '<%=url([[admin]], [[services]], [[mosdns]], [[status]])%>', null,
+		function(x, data) {
+			var tb = document.getElementById('mosdns_status');
+			if (data && tb) {
+				if (data.running) {
+					var links = '<em><b style=color:green>MosDNS <%:RUNNING%></b></em>';
+					tb.innerHTML = links;
+				} else {
+					tb.innerHTML = '<em><b style=color:red>MosDNS <%:NOT RUNNING%></b></em>';
+				}
+			}
+		}
+	);
+	//]]>
+</script>
+<style>
+	.mar-10 {
+		margin-left: 50px;
+		margin-right: 10px;
+	}
+</style>
+<fieldset class="cbi-section">
+	<p id="mosdns_status">
+		<em><%:Collecting data...%></em>
+	</p>
+</fieldset>
--- a/luci-app-mosdns/po/zh-cn/mosdns.po
+++ b/luci-app-mosdns/po/zh-cn/mosdns.po
@ -0,0 +1,194 @@
+msgid "Basic Setting"
+msgstr "基本设置"
+
+msgid "MosDNS is a 'programmable' DNS forwarder."
+msgstr "MosDNS 是一个插件化的 DNS 转发/分流器。"
+
+msgid "RUNNING"
+msgstr "运行中"
+
+msgid "NOT RUNNING"
+msgstr "未运行"
+
+msgid "Collecting data..."
+msgstr "获取数据中..."
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Listen port"
+msgstr "监听端口"
+
+msgid "Log Level"
+msgstr "日志等级"
+
+msgid "DNS Forward"
+msgstr "DNS 转发"
+
+msgid "Forward Dnsmasq Domain Name resolution requests to MosDNS"
+msgstr "将 Dnsmasq 域名解析请求转发到 MosDNS 服务器"
+
+msgid "Enable DNS ADblock"
+msgstr "启用 DNS 广告过滤"
+
+msgid "ADblock Source"
+msgstr "广告过滤来源"
+
+msgid "Reload Service"
+msgstr "重载服务"
+
+msgid "Reload service to take effect of new configuration"
+msgstr "重载 MosDNS 服务生效配置文件"
+
+msgid "<font color=\"ff0000\"><strong>View the Custom YAML Configuration file used by this MosDNS. You can edit it as you own need.</strong></font>"
+msgstr "<font color=\"ff0000\"><strong>注意！此页的更改仅当配置文件为 “自定义” 时才会生效</strong></font>"
+
+msgid "Geodata Update"
+msgstr "更新数据库"
+
+msgid "Update GeoIP & GeoSite dat"
+msgstr "更新 GeoIP & GeoSite 数据库"
+
+msgid "Update Time"
+msgstr "更新时间"
+
+msgid "Update Cycle"
+msgstr "更新周期"
+
+msgid "Every Day"
+msgstr "每天"
+
+msgid "Every Monday"
+msgstr "每周一"
+
+msgid "Every Tuesday"
+msgstr "每周二"
+
+msgid "Every Wednesday"
+msgstr "每周三"
+
+msgid "Every Thursday"
+msgstr "每周四"
+
+msgid "Every Friday"
+msgstr "每周五"
+
+msgid "Every Saturday"
+msgstr "每周六"
+
+msgid "Every Sunday"
+msgstr "每周日"
+
+msgid "Database Update"
+msgstr "数据库更新"
+
+msgid "Check And Update"
+msgstr "检查并更新"
+
+msgid "Enable Auto Database Update"
+msgstr "启用自动更新"
+
+msgid "Updating..."
+msgstr "正在更新..."
+
+msgid "Update success"
+msgstr "更新成功"
+
+msgid "Update failed, Please check the network status"
+msgstr "更新失败，请检查网络状态"
+
+msgid "Config File"
+msgstr "配置文件"
+
+msgid "Default Config"
+msgstr "内置预设"
+
+msgid "Custom Config"
+msgstr "自定义"
+
+msgid "Log File"
+msgstr "日志文件"
+
+msgid "Local DNS"
+msgstr "本地 DNS"
+
+msgid "Follow WAN interface DNS if not enabled"
+msgstr "不启用则遵循 WAN 接口 DNS"
+
+msgid "Upstream DNS servers"
+msgstr "上游 DNS 服务器"
+
+msgid "Bootstrap DNS servers"
+msgstr "Bootstrap DNS 服务器"
+
+msgid "Bootstrap DNS servers are used to resolve IP addresses of the DoH/DoT resolvers you specify as upstreams"
+msgstr "Bootstrap DNS 服务器用于解析所指定为上游的 DoH / DoT 解析器的 IP 地址"
+
+msgid "Remote DNS"
+msgstr "远程 DNS"
+
+msgid "Remote DNS Connection Multiplexing"
+msgstr "远程 DNS 连接复用"
+
+msgid "Enable TCP/DoT RFC 7766 new Query Pipelining connection multiplexing mode"
+msgstr "启用 TCP/DoT RFC 7766 新型 Query Pipelining 连接复用模式"
+
+msgid "DNS Cache Size"
+msgstr "DNS 缓存大小（条）"
+
+msgid "Cache Survival Time"
+msgstr "缓存生存时间（秒）"
+
+msgid "Minimum TTL"
+msgstr "覆盖最小 TTL 值（默认 0）"
+
+msgid "Maximum TTL"
+msgstr "覆盖最大 TTL 值（默认 0）"
+
+msgid "Logs"
+msgstr "日志"
+
+msgid "Clear logs"
+msgstr "清空日志"
+
+msgid "Rule List"
+msgstr "规则列表"
+
+msgid "Rule Settings"
+msgstr "自定义规则列表"
+
+msgid "<br>The list of rules only apply to 'Default Config' profiles."
+msgstr "<br>规则列表仅适用于 “内置预设” 配置文件"
+
+msgid "White Lists"
+msgstr "白名单"
+
+msgid "These domain names allow DNS resolution with the highest priority. Please input the domain names of websites, every line can input only one website domain. For example: hm.baidu.com."
+msgstr "加入的域名始终允许使用 “本地 DNS” 进行解析，且优先级最高（每个域名一行，支持域名匹配规则）"
+
+msgid "Block Lists"
+msgstr "黑名单"
+
+msgid "These domains are blocked from DNS resolution. Please input the domain names of websites, every line can input only one website domain. For example: baidu.com."
+msgstr "加入的域名将屏蔽 DNS 解析（每个域名一行，支持域名匹配规则）"
+
+msgid "Grey Lists"
+msgstr "灰名单"
+
+msgid "These domains are always resolved using remote DNS. Please input the domain names of websites, every line can input only one website domain. For example: google.com."
+msgstr "加入的域名始终使用 “远程 DNS” 进行解析（每个域名一行，支持域名匹配规则）"
+
+msgid "Hosts For example: baidu.com 10.0.0.1"
+msgstr "自定义 Hosts 重写，如：baidu.com 10.0.0.1（每个规则一行）"
+
+msgid "Redirect"
+msgstr "重定向"
+
+msgid "The domain name to redirect the request to. Requests domain A, but returns records for domain B. example: a.com b.com"
+msgstr "重定向请求的域名。请求域名 A，但返回域名 B 的记录，如：baidu.com qq.com（每个规则一行）"
+
+msgid "Block PTR"
+msgstr "PTR 黑名单"
+
+msgid "These domains are blocked from PTR requests"
+msgstr "加入的域名将阻止 PTR 请求（每个域名一行，支持域名匹配规则）"
--- a/luci-app-mosdns/po/zh_Hans
+++ b/luci-app-mosdns/po/zh_Hans
@ -0,0 +1 @@
+zh-cn
--- a/luci-app-mosdns/root/etc/config/mosdns
+++ b/luci-app-mosdns/root/etc/config/mosdns
@ -0,0 +1,21 @@
+
+config mosdns 'config'
+	option enabled '0'
+	option listen_port '5335'
+	option geo_auto_update '0'
+	option geo_update_week_time '*'
+	option geo_update_day_time '2'
+	option redirect '1'
+	option adblock '0'
+	option configfile '/etc/mosdns/config.yaml'
+	option log_level 'info'
+	option logfile '/tmp/mosdns.log'
+	option cache_size '200000'
+	option cache_survival_time '259200'
+	option minimal_ttl '0'
+	option maximum_ttl '0'
+	option custom_local_dns '0'
+	option enable_pipeline '0'
+	list remote_dns 'tls://8.8.8.8'
+	list remote_dns 'tls://1.1.1.1'
+
--- a/luci-app-mosdns/root/etc/hotplug.d/iface/99-mosdns
+++ b/luci-app-mosdns/root/etc/hotplug.d/iface/99-mosdns
@ -0,0 +1,2 @@
+#!/bin/sh
+[ "$ACTION" = ifup ] && /etc/init.d/mosdns restart
--- a/luci-app-mosdns/root/etc/init.d/mosdns
+++ b/luci-app-mosdns/root/etc/init.d/mosdns
@ -0,0 +1,157 @@
+#!/bin/sh /etc/rc.common
+#
+# Copyright (C) 2020-2022, IrineSistiana
+#
+# This file is part of mosdns.
+#
+# mosdns is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# mosdns is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+START=99
+USE_PROCD=1
+
+PROG=/usr/bin/mosdns
+CONF=$(uci -q get mosdns.config.configfile)
+CRON_FILE=/etc/crontabs/root
+
+get_config() {
+	config_get enabled $1 enabled 0
+	config_get adblock $1 adblock 0
+	config_get ad_source $1 ad_source ""
+	config_get cache_size $1 cache_size 200000
+	config_get cache_survival_time $1 cache_survival_time 259200
+	config_get enable_pipeline $1 enable_pipeline 0
+	config_get geo_auto_update $1 geo_auto_update 0
+	config_get geo_update_day_time $1 geo_update_day_time 2
+	config_get geo_update_week_time $1 geo_update_week_time "*"
+	config_get listen_port $1 listen_port 5335
+	config_get log_file $1 logfile "/tmp/mosdns.log"
+	config_get log_level $1 log_level "info"
+	config_get maximum_ttl_custom $1 maximum_ttl 0
+	config_get minimal_ttl_custom $1 minimal_ttl 0
+	config_get redirect $1 redirect 0
+	config_get remote_dns $1 remote_dns "tls://8.8.8.8 tls://1.1.1.1"
+	config_get custom_local_dns $1 custom_local_dns 0
+	config_get bootstrap_dns $1 bootstrap_dns "119.29.29.29"
+}
+
+init_yaml() {
+	tmpdir=$(mktemp -d) || exit 1
+	adlist=$(/usr/share/mosdns/mosdns.sh ad)
+	[ $enable_pipeline = 1 ] && enable_pipeline=true || enable_pipeline=false
+	local_dns=$(/usr/share/mosdns/mosdns.sh dns | xargs -n1 echo "        - addr:")
+	remote_dns=$(echo $remote_dns | awk '{for(i=1;i<=NF;i++)printf "%s- addr: %s\n%s  enable_pipeline: '${enable_pipeline}'\n",s,$i,s}' s='        ')
+	sed "s,log_level,$log_level,g;s,log_file,$log_file,g; \
+	s,listen_port,$listen_port,g;s,cache_size,$cache_size,g; \
+	s,cache_survival_time,$cache_survival_time,g; \
+	s,minimal_ttl_custom,$minimal_ttl_custom,g; \
+	s,maximum_ttl_custom,$maximum_ttl_custom,g; \
+	s,adblock,$adlist,g;s,remote_dns_pipeline,$enable_pipeline,g" \
+	/usr/share/mosdns/default.yaml > $CONF
+	[ "$custom_local_dns" -eq 0 ] && sed -i "/bootstrap/d" $CONF || \
+	sed -i "s,bootstrap_dns,$bootstrap_dns,g" $CONF
+	echo "${local_dns}" > $tmpdir/local_dns.txt
+	echo "${remote_dns}" > $tmpdir/remote_dns.txt
+	sed -i -e '/- addr: local_dns/{r '$tmpdir/local_dns.txt -e';d};/- addr: remote_dns/{r '$tmpdir/remote_dns.txt -e';d}' \
+	$CONF
+	rm -rf $tmpdir
+}
+
+service_triggers() {
+	procd_add_reload_trigger "mosdns"
+}
+
+restore_setting() {
+	rm -f /etc/mosdns/redirect.lock
+	sed -i "/list server/d" /etc/config/dhcp
+	uci set dhcp.@dnsmasq[0].noresolv='0'
+	uci del dhcp.@dnsmasq[0].cachesize
+	uci commit dhcp
+}
+
+redirect_setting() {
+	if [ "${CONF}" = "/etc/mosdns/config.yaml" ]; then
+		sed -i "/list server/d" /etc/config/dhcp
+		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#$listen_port"
+		uci set dhcp.@dnsmasq[0].rebind_protection='0'
+		uci set dhcp.@dnsmasq[0].noresolv="1"
+		uci set dhcp.@dnsmasq[0].cachesize='0'
+		uci commit dhcp
+	else
+		sed -i "/list server/d" /etc/config/dhcp
+		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#$(cat /etc/mosdns/config_custom.yaml | awk -F'[:" ]+' '/^\s+addr:/{for(i=1;i<=NF;i++){if($i~/^[0-9]+$/){print $i;exit}}}')"
+		uci set dhcp.@dnsmasq[0].rebind_protection='0'
+		uci set dhcp.@dnsmasq[0].noresolv="1"
+		uci set dhcp.@dnsmasq[0].cachesize='0'
+		uci commit dhcp
+	fi
+	touch /etc/mosdns/redirect.lock
+}
+
+reload_others() {
+	/etc/init.d/network reload
+	/etc/init.d/dnsmasq reload
+}
+
+reload_service() {
+	stop
+	sleep 1
+	start
+}
+
+setcron() {
+	sed -i '/mosdns.sh/d' $CRON_FILE 2>/dev/null
+	[ "$geo_auto_update" -eq 1 ] && echo "0 $geo_update_day_time * * $geo_update_week_time /usr/share/mosdns/mosdns.sh geodata" >>$CRON_FILE
+	crontab $CRON_FILE
+}
+
+delcron() {
+	sed -i '/mosdns.sh/d' $CRON_FILE 2>/dev/null
+	crontab $CRON_FILE
+}
+
+start_service() {
+	config_load "mosdns"
+	config_foreach get_config "mosdns"
+	[ $enabled != 1 ] && return 1
+	delcron
+	setcron
+	[ "${CONF}" = "/etc/mosdns/config.yaml" ] && init_yaml
+	:> $(/usr/share/mosdns/mosdns.sh logfile)
+	procd_open_instance mosdns
+	procd_set_param command $PROG start -c "$CONF"
+	procd_set_param user root
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn "${respawn_threshold:-3600}" "${respawn_timeout:-5}" "${respawn_retry:-5}"
+	procd_close_instance mosdns
+	[ "$redirect" -ne 1 ] && [ -f "/etc/mosdns/redirect.lock" ] && restore_setting
+	[ "$redirect" -eq 1 ] && redirect_setting
+	reload_others
+	update_list=0
+	[ "$adblock" -eq 1 ] && [ "$ad_source" != "geosite.dat" ] && {
+		[ -s "/etc/mosdns/rule/adlist.txt" ] && [ -f "/etc/mosdns/rule/.ad_source" ] && url_adlist=$(cat /etc/mosdns/rule/.ad_source) || update_list=1
+		[ "$ad_source" != "$url_adlist" ] && update_list=1
+	}
+	[ "$update_list" -eq 1 ] && /usr/share/mosdns/mosdns.sh adlist_update &> /dev/null &
+}
+
+stop_service() {
+	pgrep -f /usr/bin/mosdns | xargs kill -9 >/dev/null 2>&1
+	config_load "mosdns"
+	config_foreach get_config "mosdns"
+	[ "$enabled" = "0" ] && [ -f "/etc/mosdns/redirect.lock" ] && restore_setting
+	reload_others
+	delcron
+}
--- a/luci-app-mosdns/root/etc/mosdns/config_custom.yaml
+++ b/luci-app-mosdns/root/etc/mosdns/config_custom.yaml
@ -0,0 +1,162 @@
+log:
+  level: info
+  file: "/tmp/mosdns.log"
+
+include: []
+
+data_providers:
+  - tag: geoip
+    file: "/usr/share/v2ray/geoip.dat"
+    auto_reload: true
+
+  - tag: geosite
+    file: "/usr/share/v2ray/geosite.dat"
+    auto_reload: true
+
+  - tag: whitelist
+    file: "/etc/mosdns/rule/whitelist.txt"
+    auto_reload: true
+
+  - tag: blocklist
+    file: "/etc/mosdns/rule/blocklist.txt"
+    auto_reload: true
+
+  - tag: hosts
+    file: "/etc/mosdns/rule/hosts.txt"
+    auto_reload: true
+
+  - tag: redirect
+    file: "/etc/mosdns/rule/redirect.txt"
+    auto_reload: true
+
+plugins:
+  - tag: lazy_cache
+    type: cache
+    args:
+      size: 200000
+      lazy_cache_ttl: 259200
+
+  - tag: modify_ttl
+    type: ttl
+    args:
+      minimal_ttl: 0
+      maximum_ttl: 0
+
+  - tag: "forward_local"
+    type: fast_forward
+    args:
+      upstream:
+        - addr: 119.29.29.29
+        - addr: 114.114.114.114
+
+  - tag: "forward_remote"
+    type: fast_forward
+    args:
+      upstream:
+        - addr: tls://8.8.8.8
+        - addr: tls://1.1.1.1
+
+  - tag: query_is_whitelist_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:whitelist"
+
+  - tag: query_is_blocklist_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:blocklist"
+
+  - tag: query_is_hosts_domain
+    type: hosts
+    args:
+      hosts:
+        - "provider:hosts"
+
+  - tag: query_is_redirect_domain
+    type: redirect
+    args:
+      rule:
+        - "provider:redirect"
+
+  - tag: query_is_local_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:geosite:cn"
+
+  - tag: query_is_non_local_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:geosite:geolocation-!cn"
+
+  - tag: response_has_local_ip
+    type: response_matcher
+    args:
+      ip:
+        - "provider:geoip:cn"
+
+  - tag: query_is_ad_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:geosite:category-ads-all"
+
+  - tag: match_qtype65
+    type: query_matcher
+    args:
+      qtype: [65]
+
+  - tag: "main_sequence"
+    type: "sequence"
+    args:
+      exec:
+        - _misc_optm
+        - query_is_hosts_domain
+        - query_is_redirect_domain
+
+        - if: query_is_whitelist_domain
+          exec:
+            - forward_local
+            - modify_ttl
+            - _return
+
+        - if: "query_is_blocklist_domain || query_is_ad_domain || match_qtype65"
+          exec:
+            - _new_nxdomain_response
+            - _return
+
+        - lazy_cache
+
+        - if: query_is_local_domain
+          exec:
+            - forward_local
+            - modify_ttl
+            - _return
+
+        - if: query_is_non_local_domain
+          exec:
+            - _prefer_ipv4
+            - forward_remote
+            - modify_ttl
+            - _return
+        - primary:
+            - forward_local
+            - if: "(! response_has_local_ip) && [_response_valid_answer]"
+              exec:
+                - _drop_response
+          secondary:
+            - _prefer_ipv4
+            - forward_remote
+            - modify_ttl
+          fast_fallback: 200
+
+servers:
+  - exec: main_sequence
+    listeners:
+      - protocol: udp
+        addr: ":5335"
+      - protocol: tcp
+        addr: ":5335"
--- a/luci-app-mosdns/root/etc/mosdns/rule/adlist.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/adlist.txt
--- a/luci-app-mosdns/root/etc/mosdns/rule/blocklist.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/blocklist.txt
--- a/luci-app-mosdns/root/etc/mosdns/rule/greylist.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/greylist.txt
@ -0,0 +1,3 @@
+domain:gstatic.com
+domain:kernel.org
+keyword:github
--- a/luci-app-mosdns/root/etc/mosdns/rule/hosts.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/hosts.txt
--- a/luci-app-mosdns/root/etc/mosdns/rule/local-ptr.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/local-ptr.txt
@ -0,0 +1,87 @@
+0.in-addr.arpa
+10.in-addr.arpa
+127.in-addr.arpa
+16.172.in-addr.arpa
+17.172.in-addr.arpa
+18.172.in-addr.arpa
+19.172.in-addr.arpa
+20.172.in-addr.arpa
+21.172.in-addr.arpa
+22.172.in-addr.arpa
+23.172.in-addr.arpa
+24.172.in-addr.arpa
+25.172.in-addr.arpa
+26.172.in-addr.arpa
+27.172.in-addr.arpa
+28.172.in-addr.arpa
+29.172.in-addr.arpa
+30.172.in-addr.arpa
+31.172.in-addr.arpa
+64.100.in-addr.arpa
+65.100.in-addr.arpa
+66.100.in-addr.arpa
+67.100.in-addr.arpa
+68.100.in-addr.arpa
+69.100.in-addr.arpa
+70.100.in-addr.arpa
+71.100.in-addr.arpa
+72.100.in-addr.arpa
+73.100.in-addr.arpa
+74.100.in-addr.arpa
+75.100.in-addr.arpa
+76.100.in-addr.arpa
+77.100.in-addr.arpa
+78.100.in-addr.arpa
+79.100.in-addr.arpa
+80.100.in-addr.arpa
+81.100.in-addr.arpa
+82.100.in-addr.arpa
+83.100.in-addr.arpa
+84.100.in-addr.arpa
+85.100.in-addr.arpa
+86.100.in-addr.arpa
+87.100.in-addr.arpa
+88.100.in-addr.arpa
+89.100.in-addr.arpa
+90.100.in-addr.arpa
+91.100.in-addr.arpa
+92.100.in-addr.arpa
+93.100.in-addr.arpa
+94.100.in-addr.arpa
+95.100.in-addr.arpa
+96.100.in-addr.arpa
+97.100.in-addr.arpa
+98.100.in-addr.arpa
+99.100.in-addr.arpa
+100.100.in-addr.arpa
+101.100.in-addr.arpa
+102.100.in-addr.arpa
+103.100.in-addr.arpa
+104.100.in-addr.arpa
+105.100.in-addr.arpa
+106.100.in-addr.arpa
+107.100.in-addr.arpa
+108.100.in-addr.arpa
+109.100.in-addr.arpa
+110.100.in-addr.arpa
+111.100.in-addr.arpa
+112.100.in-addr.arpa
+113.100.in-addr.arpa
+114.100.in-addr.arpa
+115.100.in-addr.arpa
+116.100.in-addr.arpa
+117.100.in-addr.arpa
+118.100.in-addr.arpa
+119.100.in-addr.arpa
+120.100.in-addr.arpa
+121.100.in-addr.arpa
+122.100.in-addr.arpa
+123.100.in-addr.arpa
+124.100.in-addr.arpa
+125.100.in-addr.arpa
+126.100.in-addr.arpa
+127.100.in-addr.arpa
+2.0.192.in-addr.arpa
+168.192.in-addr.arpa
+255.255.255.255.in-addr.arpa
+domain:ip6.arpa
--- a/luci-app-mosdns/root/etc/mosdns/rule/redirect.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/redirect.txt
--- a/luci-app-mosdns/root/etc/mosdns/rule/whitelist.txt
+++ b/luci-app-mosdns/root/etc/mosdns/rule/whitelist.txt
@ -0,0 +1,24 @@
+domain:bing.com
+domain:live.com
+domain:msn.com
+domain:ntp.org
+domain:office.com
+domain:qlogo.cn
+domain:qq.com
+domain:redhat.com
+keyword:aaplimg
+keyword:aicdn
+keyword:akadns
+keyword:akamai
+keyword:apple
+keyword:douyin
+keyword:fclouddns
+keyword:icloud
+keyword:itunes
+keyword:microsoft
+keyword:mzstatic
+keyword:ssrcdn
+keyword:windows
+keyword:xxpkg
+keyword:yximgs
+keyword:yxygslb
--- a/luci-app-mosdns/root/etc/uci-defaults/luci-mosdns
+++ b/luci-app-mosdns/root/etc/uci-defaults/luci-mosdns
@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@mosdns[-1]
+	add ucitrack mosdns
+	set ucitrack.@mosdns[-1].init=mosdns
+	commit ucitrack
+EOF
+
+rm -rf /tmp/luci-*
+exit 0
--- a/luci-app-mosdns/root/usr/share/mosdns/default.yaml
+++ b/luci-app-mosdns/root/usr/share/mosdns/default.yaml
@ -0,0 +1,193 @@
+log:
+  level: log_level
+  file: "log_file"
+
+include: []
+
+data_providers:
+  - tag: geoip
+    file: "/usr/share/v2ray/geoip.dat"
+    auto_reload: true
+
+  - tag: geosite
+    file: "/usr/share/v2ray/geosite.dat"
+    auto_reload: true
+
+  - tag: whitelist
+    file: "/etc/mosdns/rule/whitelist.txt"
+    auto_reload: true
+
+  - tag: blocklist
+    file: "/etc/mosdns/rule/blocklist.txt"
+    auto_reload: true
+
+  - tag: greylist
+    file: "/etc/mosdns/rule/greylist.txt"
+    auto_reload: true
+
+  - tag: hosts
+    file: "/etc/mosdns/rule/hosts.txt"
+    auto_reload: true
+
+  - tag: redirect
+    file: "/etc/mosdns/rule/redirect.txt"
+    auto_reload: true
+
+  - tag: local_ptr
+    file: "/etc/mosdns/rule/local-ptr.txt"
+    auto_reload: true
+
+  - tag: adlist
+    file: "/etc/mosdns/rule/adlist.txt"
+    auto_reload: true
+
+plugins:
+  - tag: lazy_cache
+    type: cache
+    args:
+      size: cache_size
+      lazy_cache_ttl: cache_survival_time
+
+  - tag: modify_ttl
+    type: ttl
+    args:
+      minimal_ttl: minimal_ttl_custom
+      maximum_ttl: maximum_ttl_custom
+
+  - tag: "forward_local"
+    type: forward
+    args:
+      upstream:
+        - addr: local_dns
+      bootstrap:
+        - "bootstrap_dns"
+
+  - tag: "forward_remote"
+    type: fast_forward
+    args:
+      upstream:
+        - addr: remote_dns
+
+  - tag: query_is_whitelist_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:whitelist"
+
+  - tag: query_is_blocklist_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:blocklist"
+
+  - tag: query_is_greylist_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:greylist"
+
+  - tag: query_is_hosts_domain
+    type: hosts
+    args:
+      hosts:
+        - "provider:hosts"
+
+  - tag: query_is_redirect_domain
+    type: redirect
+    args:
+      rule:
+        - "provider:redirect"
+
+  - tag: query_is_local_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:geosite:cn"
+
+  - tag: query_is_non_local_domain
+    type: query_matcher
+    args:
+      domain:
+        - "provider:geosite:geolocation-!cn"
+
+  - tag: response_has_local_ip
+    type: response_matcher
+    args:
+      ip:
+        - "provider:geoip:cn"
+
+  - tag: query_is_ad_domain
+    type: query_matcher
+    args:
+      domain:
+        - "adblock"
+
+  - tag: match_local_ptr
+    type: query_matcher
+    args:
+      qtype: [12]
+      domain:
+        - "provider:local_ptr"
+
+  - tag: match_qtype65
+    type: query_matcher
+    args:
+      qtype: [65]
+
+  - tag: "main_sequence"
+    type: "sequence"
+    args:
+      exec:
+        - _misc_optm
+        - query_is_hosts_domain
+        - query_is_redirect_domain
+
+        - if: query_is_whitelist_domain
+          exec:
+            - forward_local
+            - modify_ttl
+            - _return
+
+        - if: "query_is_blocklist_domain || query_is_ad_domain || match_local_ptr || match_qtype65"
+          exec:
+            - _new_nxdomain_response
+            - _return
+
+        - lazy_cache
+
+        - if: query_is_greylist_domain
+          exec:
+            - forward_remote
+            - modify_ttl
+            - _return
+
+        - if: query_is_local_domain
+          exec:
+            - forward_local
+            - modify_ttl
+            - _return
+
+        - if: query_is_non_local_domain
+          exec:
+            - _prefer_ipv4
+            - forward_remote
+            - modify_ttl
+            - _return
+        - primary:
+            - forward_local
+            - if: "(! response_has_local_ip) && [_response_valid_answer]"
+              exec:
+                - _drop_response
+          secondary:
+            - _prefer_ipv4
+            - forward_remote
+            - modify_ttl
+          fast_fallback: 200
+
+servers:
+  - exec: main_sequence
+    listeners:
+      - protocol: udp
+        addr: ":listen_port"
+      - protocol: tcp
+        addr: ":listen_port"
--- a/luci-app-mosdns/root/usr/share/mosdns/mosdns.sh
+++ b/luci-app-mosdns/root/usr/share/mosdns/mosdns.sh
@ -0,0 +1,102 @@
+#!/bin/sh
+
+script_action=${1}
+
+logfile_path() (
+	configfile=$(uci -q get mosdns.config.configfile)
+	if [ "$configfile" = "/etc/mosdns/config.yaml" ]; then
+		uci -q get mosdns.config.logfile
+	else
+		[ ! -f /etc/mosdns/config_custom.yaml ] && exit 1
+		awk '/^log:/{f=1;next}f==1{if($0~/file:/){print;exit}if($0~/^[^ ]/)exit}' /etc/mosdns/config_custom.yaml | grep -Eo "/[^'\"]+"
+	fi
+)
+
+interface_dns() (
+	if [ "$(uci -q get mosdns.config.custom_local_dns)" -eq 1 ]; then
+		uci -q get mosdns.config.local_dns
+	else
+		peerdns=$(uci -q get network.wan.peerdns)
+		proto=$(uci -q get network.wan.proto)
+		if [ "$peerdns" = 0 ] || [ "$proto" = "static" ]; then
+			uci -q get network.wan.dns
+		else
+			interface_status=$(ubus call network.interface.wan status)
+			echo $interface_status | jsonfilter -e "@['dns-server'][0]"
+			echo $interface_status | jsonfilter -e "@['dns-server'][1]"
+		fi
+		[ $? -ne 0 ] && echo "119.29.29.29"
+	fi
+)
+
+ad_block() (
+	adblock=$(uci -q get mosdns.config.adblock)
+	if [ "$adblock" -eq 1 ]; then
+		ad_source=$(uci -q get mosdns.config.ad_source)
+		if [ "$ad_source" = "geosite.dat" ]; then
+			echo "provider:geosite:category-ads-all"
+		else
+			echo "provider:adlist"
+		fi
+	else
+		echo "full:disable-category-ads-all.null"
+	fi
+)
+
+adlist_update() (
+	ad_source=$(uci -q get mosdns.config.ad_source)
+	[ "$ad_source" = "geosite.dat" ] || [ -z "$ad_source" ] && exit 0
+	AD_TMPDIR=$(mktemp -d) || exit 1
+	if echo "$ad_source" | grep -Eq "^https://raw.githubusercontent.com" ; then
+		google_status=$(curl -I -4 -m 3 -o /dev/null -s -w %{http_code} http://www.google.com/generate_204)
+		[ "$google_status" -ne "204" ] && mirror="https://ghproxy.com/"
+	fi
+	echo -e "\e[1;32mDownloading $mirror$ad_source\e[0m"
+	curl --connect-timeout 60 -m 90 --ipv4 -fSLo "$AD_TMPDIR/adlist.txt" "$mirror$ad_source"
+	if [ $? -ne 0 ]; then
+		rm -rf "$AD_TMPDIR"
+		exit 1
+	else
+		\cp "$AD_TMPDIR/adlist.txt" /etc/mosdns/rule/adlist.txt
+		echo "$ad_source" > /etc/mosdns/rule/.ad_source
+		rm -rf "$AD_TMPDIR"
+	fi
+)
+
+geodat_update() (
+	geodat_download() (
+		google_status=$(curl -I -4 -m 3 -o /dev/null -s -w %{http_code} http://www.google.com/generate_204)
+		[ "$google_status" -ne "204" ] && mirror="https://ghproxy.com/"
+		echo -e "\e[1;32mDownloading "$mirror"https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/$1\e[0m"
+		curl --connect-timeout 60 -m 900 --ipv4 -fSLo "$TMPDIR/$1" ""$mirror"https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/$1"
+	)
+	TMPDIR=$(mktemp -d) || exit 1
+	geodat_download geoip.dat && geodat_download geosite.dat
+	if [ $? -ne 0 ]; then
+		rm -rf "$TMPDIR"
+		exit 1
+	fi
+	cp -f "$TMPDIR"/* /usr/share/v2ray
+	rm -rf "$TMPDIR"
+)
+
+case $script_action in
+	"dns")
+		interface_dns
+	;;
+	"ad")
+		ad_block
+	;;
+	"geodata")
+		geodat_update && adlist_update
+	;;
+	"logfile")
+		logfile_path
+	;;
+	"adlist_update")
+		adlist_update
+	;;
+	*)
+		exit 0
+	;;
+esac
--- a/luci-app-mosdns/root/usr/share/rpcd/acl.d/luci-app-mosdns.json
+++ b/luci-app-mosdns/root/usr/share/rpcd/acl.d/luci-app-mosdns.json
@ -0,0 +1,11 @@
+{
+	"luci-app-mosdns": {
+		"description": "Grant UCI access for luci-app-mosdns",
+		"read": {
+			"uci": [ "mosdns" ]
+		},
+		"write": {
+			"uci": [ "mosdns" ]
+		}
+	}
+}
--- a/luci-app-passwall/Makefile
+++ b/luci-app-passwall/Makefile
@ -6,8 +6,8 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-passwall
-PKG_VERSION:=4.59
-PKG_RELEASE:=8
+PKG_VERSION:=4.60
+PKG_RELEASE:=1

 PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \
--- a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl.lua
+++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl.lua
@ -5,10 +5,17 @@ local has_chnlist = api.fs.access("/usr/share/passwall/rules/chnlist")

 m = Map(appname)

+s = m:section(TypedSection, "global", translate("ACLs"), "<font color='red'>" .. translate("ACLs is a tools which used to designate specific IP proxy mode.") .. "</font>")
+s.anonymous = true
+
+o = s:option(Flag, "acl_enable", translate("Main switch"))
+o.rmempty = false
+o.default = false
+
 local global_proxy_mode = (m:get("@global[0]", "tcp_proxy_mode") or "") .. (m:get("@global[0]", "udp_proxy_mode") or "")

 -- [[ ACLs Settings ]]--
-s = m:section(TypedSection, "acl_rule", translate("ACLs"), "<font color='red'>" .. translate("ACLs is a tools which used to designate specific IP proxy mode.") .. "</font>")
+s = m:section(TypedSection, "acl_rule")
 s.template = "cbi/tblsection"
 s.sortable = true
 s.anonymous = true
--- a/luci-app-passwall/root/usr/share/passwall/0_default_config
+++ b/luci-app-passwall/root/usr/share/passwall/0_default_config
@ -12,6 +12,7 @@ config global
 	option udp_proxy_mode 'chnroute'
 	option localhost_tcp_proxy_mode 'default'
 	option localhost_udp_proxy_mode 'default'
+	option acl_enable '0'
 	option close_log_tcp '0'
 	option close_log_udp '0'
 	option loglevel 'error'
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@ -25,7 +25,7 @@ TUN_DNS="127.0.0.1#${DNS_PORT}"
 LOCAL_DNS=119.29.29.29
 DEFAULT_DNS=
 IFACES=
-NO_PROXY=0
+ENABLED_DEFAULT_ACL=0
 PROXY_IPV6=0
 PROXY_IPV6_UDP=0
 resolve_dns=0
@ -1023,7 +1023,7 @@ start_crontab() {
 		rm -rf $TMP_SUB_PATH
 	}

-	if [ "$NO_PROXY" == 0 ]; then
+	if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then
 		start_daemon=$(config_t_get global_delay start_daemon 0)
 		[ "$start_daemon" = "1" ] && $APP_PATH/monitor.sh > /dev/null 2>&1 &

@ -1563,28 +1563,26 @@ start() {
 	start_socks
 	nftflag=0
 	local use_nft=$(config_t_get global_forwarding use_nft 0)
-
-	[ "$NO_PROXY" == 1 ] || {
-		if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
-			echolog "Dnsmasq软件包不满足nftables透明代理要求，如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
-		elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
-			echolog "使用nftables进行透明代理，一些不支持nftables的组件如chinadns-ng等可能不会正常工作。"
-			nftflag=1
-			start_redir TCP
-			start_redir UDP
-			start_dns
-			source $APP_PATH/nftables.sh start
-			source $APP_PATH/helper_${DNS_N}.sh logic_restart
-		elif [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then
-			echolog "系统未安装iptables或ipset，无法透明代理！"
-		else
-			start_redir TCP
-			start_redir UDP
-			start_dns
-			source $APP_PATH/iptables.sh start
-			source $APP_PATH/helper_${DNS_N}.sh logic_restart
-		fi
+	local USE_TABLES
+	if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
+		echolog "Dnsmasq软件包不满足nftables透明代理要求，如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
+	elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
+		echolog "使用nftables进行透明代理，一些不支持nftables的组件如chinadns-ng等可能不会正常工作。"
+		USE_TABLES="nftables"
+		nftflag=1
+	elif [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then
+		echolog "系统未安装iptables或ipset，无法透明代理！"
+	else
+		USE_TABLES="iptables"
+	fi
+	
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		start_redir TCP
+		start_redir UDP
+		start_dns
 	}
+	[ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_${DNS_N}.sh logic_restart
 	start_crontab
 	echolog "运行完成！\n"
 }
@ -1621,14 +1619,16 @@ TCP_UDP=0
 	UDP_NODE=$TCP_NODE
 	TCP_UDP=1
 }
-[ "$ENABLED" != 1 ] && NO_PROXY=1
-[ "$TCP_NODE" == "nil" -a "$UDP_NODE" == "nil" ] && NO_PROXY=1
-[ "$(config_get_type $TCP_NODE nil)" == "nil" -a "$(config_get_type $UDP_NODE nil)" == "nil" ] && NO_PROXY=1
+[ "$ENABLED" == 1 ] && {
+	[ "$TCP_NODE" != "nil" ] && [ "$(config_get_type $TCP_NODE nil)" != "nil" ] && ENABLED_DEFAULT_ACL=1
+	[ "$UDP_NODE" != "nil" ] && [ "$(config_get_type $UDP_NODE nil)" != "nil" ] && ENABLED_DEFAULT_ACL=1
+}
+ENABLED_ACLS=$(config_t_get global acl_enable 0)
+[ "$ENABLED_ACLS" == 1 ] && {
+	[ "$(uci show ${CONFIG} | grep "@acl_rule" | grep "enabled='1'" | wc -l)" == 0 ] && ENABLED_ACLS=0
+}
+
 tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
-REDIRECT_LIST="socks ss ss-rust ssr v2ray xray trojan-go trojan-plus naiveproxy hysteria"
-TPROXY_LIST="brook socks ss ss-rust ssr v2ray xray trojan-go trojan-plus hysteria"
-RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
-[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
 TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443')
 UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
 TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable')
@ -1653,8 +1653,16 @@ CHINADNS_NG=$(config_t_get global chinadns_ng 0)
 FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0)
 dns_listen_port=${DNS_PORT}

+REDIRECT_LIST="socks ss ss-rust ssr v2ray xray trojan-go trojan-plus naiveproxy hysteria"
+TPROXY_LIST="brook socks ss ss-rust ssr v2ray xray trojan-go trojan-plus hysteria"
+RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
+[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
+
+ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
+ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
+
 DEFAULT_DNS=$(uci show dhcp | grep "@dnsmasq" | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
-[ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $(sed -n 's/^nameserver[ \t]*\([^ ]*\)$/\1/p' "${RESOLVFILE}" | grep -v -E "0.0.0.0|127.0.0.1|::" | head -2) | tr ' ' ',')
+[ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
 LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29}"

 PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0)
--- a/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh
@ -260,298 +260,302 @@ get_wan6_ip() {
 }

 load_acl() {
-	acl_app
-	echolog "访问控制："
-	for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
-		eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)
-		
-		tcp_proxy_mode=${tcp_proxy_mode:-default}
-		udp_proxy_mode=${udp_proxy_mode:-default}
-		tcp_no_redir_ports=${tcp_no_redir_ports:-default}
-		udp_no_redir_ports=${udp_no_redir_ports:-default}
-		tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default}
-		udp_proxy_drop_ports=${udp_proxy_drop_ports:-default}
-		tcp_redir_ports=${tcp_redir_ports:-default}
-		udp_redir_ports=${udp_redir_ports:-default}
-		tcp_node=${tcp_node:-default}
-		udp_node=${udp_node:-default}
-		[ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
-		[ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
-		[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
-		[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
-		[ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS
-		[ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS
-		[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
-		[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
-		
-		tcp_node_remark=$(config_n_get $TCP_NODE remarks)
-		udp_node_remark=$(config_n_get $UDP_NODE remarks)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_node" ] && tcp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_node)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
-		[ -n "$tcp_node" ] && [ "$tcp_node" != "default" ] && tcp_node_remark=$(config_n_get $tcp_node remarks)
-		[ -n "$udp_node" ] && [ "$udp_node" != "default" ] && udp_node_remark=$(config_n_get $udp_node remarks)
-		
-		for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
-			if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
-				_iprange=$(echo ${i} | sed 's#iprange:##g')
-				_ipt_source=$(factor ${_iprange} "-m iprange --src-range")
-				msg="备注【$remarks】，IP range【${_iprange}】，"
-			elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
-				_ipset=$(echo ${i} | sed 's#ipset:##g')
-				_ipt_source="-m set --match-set ${_ipset} src"
-				msg="备注【$remarks】，IPset【${_ipset}】，"
-			elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
-				_ip=$(echo ${i} | sed 's#ip:##g')
-				_ipt_source=$(factor ${_ip} "-s")
-				msg="备注【$remarks】，IP【${_ip}】，"
-			elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
-				_mac=$(echo ${i} | sed 's#mac:##g')
-				_ipt_source=$(factor ${_mac} "-m mac --mac-source")
-				msg="备注【$remarks】，MAC【${_mac}】，"
-			else
-				continue
-			fi
+	[ "$ENABLED_ACLS" == 1 ] && {
+		acl_app
+		echolog "访问控制："
+		for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
+			eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)
 			
-			ipt_tmp=$ipt_n
-			[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+			tcp_proxy_mode=${tcp_proxy_mode:-default}
+			udp_proxy_mode=${udp_proxy_mode:-default}
+			tcp_no_redir_ports=${tcp_no_redir_ports:-default}
+			udp_no_redir_ports=${udp_no_redir_ports:-default}
+			tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default}
+			udp_proxy_drop_ports=${udp_proxy_drop_ports:-default}
+			tcp_redir_ports=${tcp_redir_ports:-default}
+			udp_redir_ports=${udp_redir_ports:-default}
+			tcp_node=${tcp_node:-default}
+			udp_node=${udp_node:-default}
+			[ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
+			[ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
+			[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
+			[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
+			[ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS
+			[ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS
+			[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
+			[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
 			
-			[ -n "$tcp_port" ] && {
-				if [ "$tcp_proxy_mode" != "disable" ]; then
-					[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
-					msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
-					if [ -n "${is_tproxy}" ]; then
-						msg2="${msg2}(TPROXY:${tcp_port})代理"
-						ipt_tmp=$ipt_m
-					else
-						msg2="${msg2}(REDIRECT:${tcp_port})代理"
-					fi
-					
-					[ "$accept_icmp" = "1" ] && {
-						$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
-						$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT)
-						$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT)
-						$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode)
-					}
-					
-					[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
-						$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null
-						$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null
-						$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null
-					}
-					
-					[ "$tcp_no_redir_ports" != "disable" ] && {
-						$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
-						$ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
-						msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
-					}
-					msg2="${msg2}所有端口"
-					
-					[ "$tcp_proxy_drop_ports" != "disable" ] && {
-						[ "$PROXY_IPV6" == "1" ] && {
-							$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null
-							$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
-							[ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j DROP 2>/dev/null
+			tcp_node_remark=$(config_n_get $TCP_NODE remarks)
+			udp_node_remark=$(config_n_get $UDP_NODE remarks)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_node" ] && tcp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_node)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
+			[ -n "$tcp_node" ] && [ "$tcp_node" != "default" ] && tcp_node_remark=$(config_n_get $tcp_node remarks)
+			[ -n "$udp_node" ] && [ "$udp_node" != "default" ] && udp_node_remark=$(config_n_get $udp_node remarks)
+			
+			for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
+				if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
+					_iprange=$(echo ${i} | sed 's#iprange:##g')
+					_ipt_source=$(factor ${_iprange} "-m iprange --src-range")
+					msg="备注【$remarks】，IP range【${_iprange}】，"
+				elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
+					_ipset=$(echo ${i} | sed 's#ipset:##g')
+					_ipt_source="-m set --match-set ${_ipset} src"
+					msg="备注【$remarks】，IPset【${_ipset}】，"
+				elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
+					_ip=$(echo ${i} | sed 's#ip:##g')
+					_ipt_source=$(factor ${_ip} "-s")
+					msg="备注【$remarks】，IP【${_ip}】，"
+				elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
+					_mac=$(echo ${i} | sed 's#mac:##g')
+					_ipt_source=$(factor ${_mac} "-m mac --mac-source")
+					msg="备注【$remarks】，MAC【${_mac}】，"
+				else
+					continue
+				fi
+				
+				ipt_tmp=$ipt_n
+				[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+				
+				[ -n "$tcp_port" ] && {
+					if [ "$tcp_proxy_mode" != "disable" ]; then
+						[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
+						msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
+						if [ -n "${is_tproxy}" ]; then
+							msg2="${msg2}(TPROXY:${tcp_port})代理"
+							ipt_tmp=$ipt_m
+						else
+							msg2="${msg2}(REDIRECT:${tcp_port})代理"
+						fi
+						
+						[ "$accept_icmp" = "1" ] && {
+							$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
+							$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT)
+							$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT)
+							$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode)
+						}
+						
+						[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+							$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null
+							$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null
+							$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null
+						}
+						
+						[ "$tcp_no_redir_ports" != "disable" ] && {
+							$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN 2>/dev/null
+							$ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
+							msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
+						}
+						msg2="${msg2}所有端口"
+						
+						[ "$tcp_proxy_drop_ports" != "disable" ] && {
+							[ "$PROXY_IPV6" == "1" ] && {
+								$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null
+								$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
+								[ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j DROP 2>/dev/null
+							}
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+							[ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j DROP
+							msg2="${msg2}[$?]，屏蔽代理TCP 端口：${tcp_proxy_drop_ports}"
+						}
+						
+						if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+							$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port)
+							$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port)
+							$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port)
+							$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port)
+						else
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE
+							$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY)
+						fi
+						[ "$PROXY_IPV6" == "1" ] && {
+							$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
+							$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
+							$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null
+							$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null
 						}
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
-						[ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j DROP
-						msg2="${msg2}[$?]，屏蔽代理TCP 端口：${tcp_proxy_drop_ports}"
-					}
-					
-					if [ "${ipt_tmp}" = "${ipt_n}" ]; then
-						$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port)
-						$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port)
-						$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port)
-						$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port)
 					else
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE
-						$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY)
+						msg2="${msg}不代理TCP"
 					fi
-					[ "$PROXY_IPV6" == "1" ] && {
-						$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
-						$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
-						$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null
-						$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null
-					}
-				else
-					msg2="${msg}不代理TCP"
-				fi
-				echolog "  - ${msg2}"
-			}
-
-			$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null
-			$ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN
-			
-			[ "$udp_proxy_drop_ports" != "disable" ] && {
-				[ "$PROXY_IPV6" == "1" ] && {
-					$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null
-					$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
-					[ "$udp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j DROP 2>/dev/null
+					echolog "  - ${msg2}"
 				}
-				$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP
-				$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
-				$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
-				[ "$udp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j DROP
-				msg2="${msg2}[$?]，屏蔽代理UDP 端口：${udp_proxy_drop_ports}"
-			}

-			[ -n "$udp_port" ] && {
-				if [ "$udp_proxy_mode" != "disable" ]; then
-					msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
-					msg2="${msg2}(TPROXY:${udp_port})代理"
-					[ "$udp_no_redir_ports" != "disable" ] && {
-						$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
-						$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
-						msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
+				$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN 2>/dev/null
+				$ipt_tmp -A PSW $(comment "$remarks") ${_ipt_source} -p tcp -j RETURN
+				
+				[ "$udp_proxy_drop_ports" != "disable" ] && {
+					[ "$PROXY_IPV6" == "1" ] && {
+						$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null
+						$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
+						[ "$udp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j DROP 2>/dev/null
 					}
-					msg2="${msg2}所有端口"
+					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP
+					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
+					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+					[ "$udp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j DROP
+					msg2="${msg2}[$?]，屏蔽代理UDP 端口：${udp_proxy_drop_ports}"
+				}

-					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
-					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
-					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
-					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE
-					$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY)
+				[ -n "$udp_port" ] && {
+					if [ "$udp_proxy_mode" != "disable" ]; then
+						msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
+						msg2="${msg2}(TPROXY:${udp_port})代理"
+						[ "$udp_no_redir_ports" != "disable" ] && {
+							$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN 2>/dev/null
+							$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
+							msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
+						}
+						msg2="${msg2}所有端口"

-					[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
-						$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
-						$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
-						$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null
-						$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null
-					}
-				else
-					msg2="${msg}不代理UDP"
-				fi
-				echolog "  - ${msg2}"
-			}
-			$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null
-			$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
+						$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
+						$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
+						$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+						$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE
+						$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY)
+
+						[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+							$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
+							$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
+							$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null
+							$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null
+						}
+					else
+						msg2="${msg}不代理UDP"
+					fi
+					echolog "  - ${msg2}"
+				}
+				$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null
+				$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
+			done
+			unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
+			unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
+			unset ipt_tmp msg msg2
 		done
-		unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
-		unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
-		unset ipt_tmp msg msg2
-	done
+	}
 	
-	#  加载TCP默认代理模式
-	[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
-		[ "$PROXY_IPV6" == "1" ] && {
-			$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP
-			$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
-			[ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j DROP
-		}
-		$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
-		$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
-		$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
-		[ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j DROP
-	}
-
-	if [ "$TCP_PROXY_MODE" != "disable" ]; then
-		local ipt_tmp=$ipt_n
-		[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
-		[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
-			$ip6t_m -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			$ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-		}
-		[ "$TCP_NODE" != "nil" ] && {
-			msg="TCP默认代理：使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
-			if [ -n "${is_tproxy}" ]; then
-				msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理"
-			else
-				msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理"
-			fi
-			
-			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
-			msg="${msg}所有端口"
-			
-			[ "$accept_icmp" = "1" ] && {
-				$ipt_n -A PSW $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
-				$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
-				$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
-				$ipt_n -A PSW $(comment "默认") -p icmp $(get_redirect_ipt $TCP_PROXY_MODE)
-			}
-			
-			[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
-				$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
-				$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
-				$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
-			}
-			
-			if [ "${ipt_tmp}" = "${ipt_n}" ]; then
-				$ipt_n -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
-				$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
-				$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
-				$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT)
-			else
-				$ipt_m -A PSW $(comment "默认") -p tcp -d $FAKE_IP -j PSW_RULE
-				$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
-				$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
-				$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j PSW_RULE
-				$ipt_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
-			fi
-
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		#  加载TCP默认代理模式
+		[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
 			[ "$PROXY_IPV6" == "1" ] && {
-				$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
-				$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
-				$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j PSW_RULE
-				$ip6t_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
+				$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP
+				$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
+				[ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j DROP
+			}
+			$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
+			$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
+			$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+			[ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j DROP
+		}
+
+		if [ "$TCP_PROXY_MODE" != "disable" ]; then
+			local ipt_tmp=$ipt_n
+			[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+				$ip6t_m -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				$ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+			}
+			[ "$TCP_NODE" != "nil" ] && {
+				msg="TCP默认代理：使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
+				if [ -n "${is_tproxy}" ]; then
+					msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理"
+				else
+					msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理"
+				fi
+				
+				[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
+				msg="${msg}所有端口"
+				
+				[ "$accept_icmp" = "1" ] && {
+					$ipt_n -A PSW $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
+					$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
+					$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
+					$ipt_n -A PSW $(comment "默认") -p icmp $(get_redirect_ipt $TCP_PROXY_MODE)
+				}
+				
+				[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+					$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
+					$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
+					$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
+				}
+				
+				if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+					$ipt_n -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
+					$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
+					$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
+					$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT)
+				else
+					$ipt_m -A PSW $(comment "默认") -p tcp -d $FAKE_IP -j PSW_RULE
+					$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
+					$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+					$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j PSW_RULE
+					$ipt_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
+				fi
+
+				[ "$PROXY_IPV6" == "1" ] && {
+					$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
+					$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+					$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j PSW_RULE
+					$ip6t_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
+				}
+
+				echolog "${msg}"
+			}
+		fi
+		$ipt_n -A PSW $(comment "默认") -p tcp -j RETURN
+		$ipt_m -A PSW $(comment "默认") -p tcp -j RETURN
+		$ip6t_m -A PSW $(comment "默认") -p tcp -j RETURN
+
+		#  加载UDP默认代理模式
+		[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
+			[ "$PROXY_IPV6" == "1" ] && {
+				$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP
+				$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
+				[ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j DROP
+			}
+			$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
+			$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
+			$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+			[ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j DROP
+		}
+		if [ "$UDP_PROXY_MODE" != "disable" ]; then
+			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+				$ip6t_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+				$ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
 			}

-			echolog "${msg}"
-		}
-	fi
-	$ipt_n -A PSW $(comment "默认") -p tcp -j RETURN
-	$ipt_m -A PSW $(comment "默认") -p tcp -j RETURN
-	$ip6t_m -A PSW $(comment "默认") -p tcp -j RETURN
+			[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && {
+				[ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE
+				msg="UDP默认代理：使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理"

-	#  加载UDP默认代理模式
-	[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
-		[ "$PROXY_IPV6" == "1" ] && {
-			$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP
-			$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
-			[ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j DROP
-		}
-		$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
-		$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
-		$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
-		[ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j DROP
+				[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
+				msg="${msg}所有端口"
+
+				$ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP -j PSW_RULE
+				$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
+				$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+				$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j PSW_RULE
+				$ipt_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
+
+				[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+					$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
+					$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+					$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j PSW_RULE
+					$ip6t_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
+				}
+
+				echolog "${msg}"
+				udp_flag=1
+			}
+		fi
+		$ipt_m -A PSW $(comment "默认") -p udp -j RETURN
+		$ip6t_m -A PSW $(comment "默认") -p udp -j RETURN
 	}
-	if [ "$UDP_PROXY_MODE" != "disable" ]; then
-		[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
-			$ip6t_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-			$ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-		}
-
-		[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && {
-			[ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE
-			msg="UDP默认代理：使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理"
-
-			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
-			msg="${msg}所有端口"
-
-			$ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP -j PSW_RULE
-			$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
-			$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
-			$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j PSW_RULE
-			$ipt_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
-
-			[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
-				$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
-				$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
-				$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j PSW_RULE
-				$ip6t_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
-			}
-
-			echolog "${msg}"
-			udp_flag=1
-		}
-	fi
-	$ipt_m -A PSW $(comment "默认") -p udp -j RETURN
-	$ip6t_m -A PSW $(comment "默认") -p udp -j RETURN
 }

 filter_haproxy() {
@ -743,7 +747,6 @@ add_firewall_rule() {
 		EOF
 	}

-	local ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
 	[ -n "$ISP_DNS" ] && {
 		#echolog "处理 ISP DNS 例外..."
 		for ispip in $ISP_DNS; do
@ -752,10 +755,9 @@ add_firewall_rule() {
 		done
 	}

-	local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
-	[ -n "$ISP_DNS" ] && {
+	[ -n "$ISP_DNS6" ] && {
 		#echolog "处理 ISP IPv6 DNS 例外..."
-		for ispip6 in $ISP_DNS; do
+		for ispip6 in $ISP_DNS6; do
 			ipset -! add $IPSET_WHITELIST6 $ispip6 >/dev/null 2>&1 &
 			#echolog "  - 追加到白名单：${ispip6}"
 		done
@ -875,88 +877,7 @@ add_firewall_rule() {

 	ip -6 rule add fwmark 1 table 100
 	ip -6 route add local ::/0 dev lo table 100
-
-	# 加载路由器自身代理 TCP
-	if [ "$TCP_NODE" != "nil" ]; then
-		echolog "加载路由器自身 TCP 代理..."
-
-		[ "$accept_icmp" = "1" ] && {
-			$ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT
-			$ipt_n -A PSW_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
-			$ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
-			$ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
-			$ipt_n -A PSW_OUTPUT -p icmp $(get_redirect_ipt $TCP_PROXY_MODE )
-		}
-
-		[ "$accept_icmpv6" = "1" ] && {
-			$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW_OUTPUT
-			$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
-			$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
-			$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
-		}
-
-		local ipt_tmp=$ipt_n
-		[ -n "${is_tproxy}" ] && {
-			echolog "  - 启用 TPROXY 模式"
-			ipt_tmp=$ipt_m
-		}
-
-		_proxy_tcp_access() {
-			[ -n "${2}" ] || return 0
-			ipset -q test $IPSET_LANIPLIST ${2}
-			[ $? -eq 0 ] && {
-				echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
-				return 0
-			}
-			if [ "${ipt_tmp}" = "${ipt_n}" ]; then
-				$ipt_n -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT)
-			else
-				$ipt_m -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} -j PSW_RULE
-				$ipt_m -I PSW $(comment "本机") -p tcp -i lo -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT TPROXY)
-			fi
-			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
-		}
-
-		[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
-		[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
-			$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			echolog "  - [$?]不代理TCP 端口：$TCP_NO_REDIR_PORTS"
-		}
-		[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
-			$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
-			$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
-			$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
-			[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j DROP
-			echolog "  - [$?]，屏蔽代理TCP 端口：$TCP_PROXY_DROP_PORTS"
-		}
-
-		if [ "${ipt_tmp}" = "${ipt_n}" ]; then
-			$ipt_n -A PSW_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
-			$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
-			$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
-			$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)
-			$ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT
-		else
-			$ipt_m -A PSW_OUTPUT -p tcp -d $FAKE_IP -j PSW_RULE
-			$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
-			$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
-			$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
-			$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
-			$ipt_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
-			insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p tcp -j PSW_OUTPUT"
-		fi
-
-		[ "$PROXY_IPV6" == "1" ] && {
-			$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
-			$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
-			$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
-			$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
-			$ip6t_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
-			insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p tcp -j PSW_OUTPUT"
-		}
-	fi
-
+	
 	# 过滤Socks节点
 	[ "$SOCKS_ENABLED" = "1" ] && {
 		local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
@ -978,80 +899,162 @@ add_firewall_rule() {
 		done
 	}

-	# 处理轮换节点的分流或套娃
-	local node port stream switch
-	for stream in TCP UDP; do
-		eval "node=\${${stream}_NODE}"
-		eval "port=\${${stream}_REDIR_PORT}"
-		#echolog "分析 $stream 代理自动切换..."
-		[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
-			eval "node=\${TCP_NODE}"
-			eval "port=\${TCP_REDIR_PORT}"
-		}
-		if [ "$node" != "nil" ]; then
-			filter_node $node $stream $port > /dev/null 2>&1 &
-		fi
-	done
-
-	# 加载路由器自身代理 UDP
-	[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
-		$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
-		$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
-		$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
-		[ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j DROP
-		echolog "  - [$?]，屏蔽代理UDP 端口：$UDP_PROXY_DROP_PORTS"
-	}
-	if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
-		echolog "加载路由器自身 UDP 代理..."
-		_proxy_udp_access() {
-			[ -n "${2}" ] || return 0
-			ipset -q test $IPSET_LANIPLIST ${2}
-			[ $? == 0 ] && {
-				echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
-				return 0
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		# 处理轮换节点的分流或套娃
+		local node port stream switch
+		for stream in TCP UDP; do
+			eval "node=\${${stream}_NODE}"
+			eval "port=\${${stream}_REDIR_PORT}"
+			#echolog "分析 $stream 代理自动切换..."
+			[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
+				eval "node=\${TCP_NODE}"
+				eval "port=\${TCP_REDIR_PORT}"
 			}
-			$ipt_m -I PSW_OUTPUT -p udp -d ${2} --dport ${3} -j PSW_RULE
-			$ipt_m -I PSW $(comment "本机") -p udp -i lo -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT TPROXY)
-			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
-		}
-		[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
-		[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
-			$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-			$ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-			echolog "  - [$?]不代理 UDP 端口：$UDP_NO_REDIR_PORTS"
+			if [ "$node" != "nil" ] && [ "$(config_get_type $node nil)" != "nil" ]; then
+				filter_node $node $stream $port > /dev/null 2>&1 &
+			fi
+		done
+
+		# 加载路由器自身代理 TCP
+		if [ "$TCP_NODE" != "nil" ]; then
+			echolog "加载路由器自身 TCP 代理..."
+
+			[ "$accept_icmp" = "1" ] && {
+				$ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT
+				$ipt_n -A PSW_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
+				$ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
+				$ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
+				$ipt_n -A PSW_OUTPUT -p icmp $(get_redirect_ipt $TCP_PROXY_MODE )
+			}
+
+			[ "$accept_icmpv6" = "1" ] && {
+				$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW_OUTPUT
+				$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
+				$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
+				$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
+			}
+
+			local ipt_tmp=$ipt_n
+			[ -n "${is_tproxy}" ] && {
+				echolog "  - 启用 TPROXY 模式"
+				ipt_tmp=$ipt_m
+			}
+
+			_proxy_tcp_access() {
+				[ -n "${2}" ] || return 0
+				ipset -q test $IPSET_LANIPLIST ${2}
+				[ $? -eq 0 ] && {
+					echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
+					return 0
+				}
+				if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+					$ipt_n -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT)
+				else
+					$ipt_m -I PSW_OUTPUT -p tcp -d ${2} --dport ${3} -j PSW_RULE
+					$ipt_m -I PSW $(comment "本机") -p tcp -i lo -d ${2} --dport ${3} $(REDIRECT $TCP_REDIR_PORT TPROXY)
+				fi
+				echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
+			}
+
+			[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
+			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+				$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				echolog "  - [$?]不代理TCP 端口：$TCP_NO_REDIR_PORTS"
+			}
+			[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
+				$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
+				$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
+				$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+				[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j DROP
+				echolog "  - [$?]，屏蔽代理TCP 端口：$TCP_PROXY_DROP_PORTS"
+			}
+
+			if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+				$ipt_n -A PSW_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
+				$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
+				$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
+				$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)
+				$ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT
+			else
+				$ipt_m -A PSW_OUTPUT -p tcp -d $FAKE_IP -j PSW_RULE
+				$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
+				$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+				$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
+				$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
+				$ipt_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
+				insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p tcp -j PSW_OUTPUT"
+			fi
+
+			[ "$PROXY_IPV6" == "1" ] && {
+				$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
+				$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+				$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
+				$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
+				$ip6t_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
+				insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p tcp -j PSW_OUTPUT"
+			}
+		fi
+
+		# 加载路由器自身代理 UDP
+		[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
+			$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
+			$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
+			$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+			[ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j DROP
+			echolog "  - [$?]，屏蔽代理UDP 端口：$UDP_PROXY_DROP_PORTS"
 		}
+		if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
+			echolog "加载路由器自身 UDP 代理..."
+			_proxy_udp_access() {
+				[ -n "${2}" ] || return 0
+				ipset -q test $IPSET_LANIPLIST ${2}
+				[ $? == 0 ] && {
+					echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
+					return 0
+				}
+				$ipt_m -I PSW_OUTPUT -p udp -d ${2} --dport ${3} -j PSW_RULE
+				$ipt_m -I PSW $(comment "本机") -p udp -i lo -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT TPROXY)
+				echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
+			}
+			[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
+			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+				$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+				$ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+				echolog "  - [$?]不代理 UDP 端口：$UDP_NO_REDIR_PORTS"
+			}

-		$ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP -j PSW_RULE
-		$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
-		$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
-		$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
-		$ipt_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
-		$ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
-		insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p udp -j PSW_OUTPUT"
+			$ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP -j PSW_RULE
+			$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
+			$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+			$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
+			$ipt_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
+			$ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
+			insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p udp -j PSW_OUTPUT"

-		[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
-			$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
-			$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
-			$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
-			$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
-			$ip6t_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
-			insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p udp -j PSW_OUTPUT"
-		}
-	fi
+			[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+				$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
+				$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+				$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
+				$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
+				$ip6t_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
+				insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p udp -j PSW_OUTPUT"
+			}
+		fi

-	$ipt_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN
-	insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN"
-	
-	$ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN
-	insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN"
+		$ipt_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN
+		insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN"
+		
+		$ip6t_m -I OUTPUT $(comment "mangle-OUTPUT-PSW") -o lo -j RETURN
+		insert_rule_before "$ip6t_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -m mark --mark 1 -j RETURN"
+
+		$ipt_m -A PSW -p udp --dport 53 -j RETURN
+		$ip6t_m -A PSW -p udp --dport 53 -j RETURN
+	}

-	$ipt_m -A PSW -p udp --dport 53 -j RETURN
-	$ip6t_m -A PSW -p udp --dport 53 -j RETURN
 	#  加载ACLS
 	load_acl
-
-	# dns_hijack "force"
-	
+		
 	for iface in $IFACES; do
 		$ipt_n -I PSW_OUTPUT -o $iface -j RETURN
 		$ipt_m -I PSW_OUTPUT -o $iface -j RETURN
@ -1212,6 +1215,7 @@ get_ip6t_bin() {
 }

 start() {
+	[ "$ENABLED_DEFAULT_ACL" == 0 -a "$ENABLED_ACLS" == 0 ] && return
 	add_firewall_rule
 	gen_include
 }
--- a/luci-app-passwall/root/usr/share/passwall/nftables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh
@ -271,294 +271,298 @@ get_wan6_ip() {
 }

 load_acl() {
-	acl_app
-	echolog "访问控制："
-	for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
-		eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)
-		
-		tcp_proxy_mode=${tcp_proxy_mode:-default}
-		udp_proxy_mode=${udp_proxy_mode:-default}
-		tcp_no_redir_ports=${tcp_no_redir_ports:-default}
-		udp_no_redir_ports=${udp_no_redir_ports:-default}
-		tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default}
-		udp_proxy_drop_ports=${udp_proxy_drop_ports:-default}
-		tcp_redir_ports=${tcp_redir_ports:-default}
-		udp_redir_ports=${udp_redir_ports:-default}
-		tcp_node=${tcp_node:-default}
-		udp_node=${udp_node:-default}
-		[ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
-		[ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
-		[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
-		[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
-		[ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS
-		[ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS
-		[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
-		[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
-		
-		tcp_node_remark=$(config_n_get $TCP_NODE remarks)
-		udp_node_remark=$(config_n_get $UDP_NODE remarks)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_node" ] && tcp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_node)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
-		[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
-		[ -n "$tcp_node" ] && [ "$tcp_node" != "default" ] && tcp_node_remark=$(config_n_get $tcp_node remarks)
-		[ -n "$udp_node" ] && [ "$udp_node" != "default" ] && udp_node_remark=$(config_n_get $udp_node remarks)
-		
-		for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
-			if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
-				_iprange=$(echo ${i} | sed 's#iprange:##g')
-				_ipt_source=$(factor ${_iprange} "ip saddr")
-				msg="备注【$remarks】，IP range【${_iprange}】，"
-			elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
-				_ipset=$(echo ${i} | sed 's#ipset:##g')
-				_ipt_source="ip daddr @${_ipset}"
-				msg="备注【$remarks】，NFTset【${_ipset}】，"
-			elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
-				_ip=$(echo ${i} | sed 's#ip:##g')
-				_ipt_source=$(factor ${_ip} "ip saddr")
-				msg="备注【$remarks】，IP【${_ip}】，"
-			elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
-				_mac=$(echo ${i} | sed 's#mac:##g')
-				_ipt_source=$(factor ${_mac} "ether saddr")
-				msg="备注【$remarks】，MAC【${_mac}】，"
-			else
-				continue
-			fi
+	[ "$ENABLED_ACLS" == 1 ] && {
+		acl_app
+		echolog "访问控制："
+		for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
+			eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)
+			
+			tcp_proxy_mode=${tcp_proxy_mode:-default}
+			udp_proxy_mode=${udp_proxy_mode:-default}
+			tcp_no_redir_ports=${tcp_no_redir_ports:-default}
+			udp_no_redir_ports=${udp_no_redir_ports:-default}
+			tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default}
+			udp_proxy_drop_ports=${udp_proxy_drop_ports:-default}
+			tcp_redir_ports=${tcp_redir_ports:-default}
+			udp_redir_ports=${udp_redir_ports:-default}
+			tcp_node=${tcp_node:-default}
+			udp_node=${udp_node:-default}
+			[ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
+			[ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
+			[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
+			[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
+			[ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS
+			[ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS
+			[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
+			[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
+			
+			tcp_node_remark=$(config_n_get $TCP_NODE remarks)
+			udp_node_remark=$(config_n_get $UDP_NODE remarks)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_node" ] && tcp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_node)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_udp_node" ] && udp_node=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_node)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_tcp_port" ] && tcp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_tcp_port)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_udp_port" ] && udp_port=$(cat ${TMP_ACL_PATH}/${sid}/var_udp_port)
+			[ -n "$tcp_node" ] && [ "$tcp_node" != "default" ] && tcp_node_remark=$(config_n_get $tcp_node remarks)
+			[ -n "$udp_node" ] && [ "$udp_node" != "default" ] && udp_node_remark=$(config_n_get $udp_node remarks)
+			
+			for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
+				if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
+					_iprange=$(echo ${i} | sed 's#iprange:##g')
+					_ipt_source=$(factor ${_iprange} "ip saddr")
+					msg="备注【$remarks】，IP range【${_iprange}】，"
+				elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then
+					_ipset=$(echo ${i} | sed 's#ipset:##g')
+					_ipt_source="ip daddr @${_ipset}"
+					msg="备注【$remarks】，NFTset【${_ipset}】，"
+				elif [ -n "$(echo ${i} | grep '^ip:')" ]; then
+					_ip=$(echo ${i} | sed 's#ip:##g')
+					_ipt_source=$(factor ${_ip} "ip saddr")
+					msg="备注【$remarks】，IP【${_ip}】，"
+				elif [ -n "$(echo ${i} | grep '^mac:')" ]; then
+					_mac=$(echo ${i} | sed 's#mac:##g')
+					_ipt_source=$(factor ${_mac} "ether saddr")
+					msg="备注【$remarks】，MAC【${_mac}】，"
+				else
+					continue
+				fi

-			[ -n "$tcp_port" ] && {
-				if [ "$tcp_proxy_mode" != "disable" ]; then
-					[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
-					msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
-					if [ -n "${is_tproxy}" ]; then
-						msg2="${msg2}(TPROXY:${tcp_port})代理"
-					else
-						msg2="${msg2}(REDIRECT:${tcp_port})代理"
-					fi
-					
-					[ "$accept_icmp" = "1" ] && {
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"$remarks\""
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\""
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(get_redirect_ipv4 $tcp_proxy_mode) comment \"$remarks\""
-					}
-
-					[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" 2>/dev/null
-					}
-
-					[ "$tcp_no_redir_ports" != "disable" ] && {
-						nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\""
-						nft "add rule inet fw4 PSW_MANGLE_V6 comment ${_ipt_source} meta l4proto tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\""
-						msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
-					}
-					msg2="${msg2}所有端口"
-
-					[ "$tcp_proxy_drop_ports" != "disable" ] && {
-						[ "$PROXY_IPV6" == "1" ] && {
-							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
-							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
-							[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+				[ -n "$tcp_port" ] && {
+					if [ "$tcp_proxy_mode" != "disable" ]; then
+						[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
+						msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
+						if [ -n "${is_tproxy}" ]; then
+							msg2="${msg2}(TPROXY:${tcp_port})代理"
+						else
+							msg2="${msg2}(REDIRECT:${tcp_port})代理"
+						fi
+						
+						[ "$accept_icmp" = "1" ] && {
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"$remarks\""
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\""
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(get_redirect_ipv4 $tcp_proxy_mode) comment \"$remarks\""
 						}
-						nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\""
-						nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\""
-						nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\""
-						[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter drop comment \"$remarks\""
-						msg2="${msg2}[$?]，屏蔽代理TCP 端口：${tcp_proxy_drop_ports}"
-					}

-					if [ -z "${is_tproxy}" ]; then
-						nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\""
-						nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\""
-						nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
-						nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\""
+						[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" 2>/dev/null
+						}
+
+						[ "$tcp_no_redir_ports" != "disable" ] && {
+							nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\""
+							nft "add rule inet fw4 PSW_MANGLE_V6 comment ${_ipt_source} meta l4proto tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\""
+							msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
+						}
+						msg2="${msg2}所有端口"
+
+						[ "$tcp_proxy_drop_ports" != "disable" ] && {
+							[ "$PROXY_IPV6" == "1" ] && {
+								nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
+								nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
+								[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+							}
+							nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\""
+							nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\""
+							nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\""
+							[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter drop comment \"$remarks\""
+							msg2="${msg2}[$?]，屏蔽代理TCP 端口：${tcp_proxy_drop_ports}"
+						}
+
+						if [ -z "${is_tproxy}" ]; then
+							nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\""
+							nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\""
+							nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
+							nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\""
+						else
+							nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
+							nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
+							nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" "
+							nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter jump PSW_RULE comment \"$remarks\""
+							nft "add rule inet fw4 PSW_MANGLE meta nfproto {ipv4} meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY4) comment \"$remarks\""
+						fi
+
+						[ "$PROXY_IPV6" == "1" ] && {
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" 2>/dev/null
+						}
 					else
-						nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
-						nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
-						nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" "
-						nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter jump PSW_RULE comment \"$remarks\""
-						nft "add rule inet fw4 PSW_MANGLE meta nfproto {ipv4} meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY4) comment \"$remarks\""
+						msg2="${msg}不代理TCP"
 					fi
-
-					[ "$PROXY_IPV6" == "1" ] && {
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" 2>/dev/null
-					}
-				else
-					msg2="${msg}不代理TCP"
-				fi
-				echolog "  - ${msg2}"
-			}
-
-			nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
-
-			[ "$udp_proxy_drop_ports" != "disable" ] && {
-				[ "$PROXY_IPV6" == "1" ] && {
-					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
-					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
-					[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+					echolog "  - ${msg2}"
 				}
-				nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" 2>/dev/null
-				nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" 2>/dev/null
-				nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null
-				[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
-				msg2="${msg2}[$?]，屏蔽代理UDP 端口：${udp_proxy_drop_ports}"
-			}

-			[ -n "$udp_port" ] && {
-				if [ "$udp_proxy_mode" != "disable" ]; then
-					msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
-					msg2="${msg2}(TPROXY:${udp_port})代理"
-					[ "$udp_no_redir_ports" != "disable" ] && {
-						nft add rule inet fw4 PSW_MANGLE meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return
-						nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return 2>/dev/null
-						msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
+				nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
+
+				[ "$udp_proxy_drop_ports" != "disable" ] && {
+					[ "$PROXY_IPV6" == "1" ] && {
+						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
+						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
+						[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
 					}
-					msg2="${msg2}所有端口"
+					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" 2>/dev/null
+					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" 2>/dev/null
+					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null
+					[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+					msg2="${msg2}[$?]，屏蔽代理UDP 端口：${udp_proxy_drop_ports}"
+				}

-					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
-					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
-					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\""
-					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) jump PSW_RULE comment \"$remarks\""
-					nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\""
+				[ -n "$udp_port" ] && {
+					if [ "$udp_proxy_mode" != "disable" ]; then
+						msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
+						msg2="${msg2}(TPROXY:${udp_port})代理"
+						[ "$udp_no_redir_ports" != "disable" ] && {
+							nft add rule inet fw4 PSW_MANGLE meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return
+							nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return 2>/dev/null
+							msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
+						}
+						msg2="${msg2}所有端口"

-					[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
-						nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" 2>/dev/null
-					}
-				else
-					msg2="${msg}不代理UDP"
-				fi
-				echolog "  - ${msg2}"
-			}
-			nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
+						nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
+						nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
+						nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\""
+						nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) jump PSW_RULE comment \"$remarks\""
+						nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\""
+
+						[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+							nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" 2>/dev/null
+						}
+					else
+						msg2="${msg}不代理UDP"
+					fi
+					echolog "  - ${msg2}"
+				}
+				nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
+			done
+			unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
+			unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
+			unset ipt_tmp msg msg2
 		done
-		unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
-		unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
-		unset ipt_tmp msg msg2
-	done
-
-	#  加载TCP默认代理模式
-	[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
-		[ "$PROXY_IPV6" == "1" ] && {
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
-			[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) counter drop comment \"默认\""
-		}
-
-		nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr $FAKE_IP counter drop comment \"默认\""
-		nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\""
-		nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
-		[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) counter drop comment \"默认\""
 	}

-	if [ "$TCP_PROXY_MODE" != "disable" ]; then
-		[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
-			nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
-			nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
-		}
-		[ "$TCP_NODE" != "nil" ] && {
-			msg="TCP默认代理：使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
-			if [ -n "${is_tproxy}" ]; then
-				msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理"
-			else
-				msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理"
-			fi
-			
-			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
-			msg="${msg}所有端口"
-			
-			[ "$accept_icmp" = "1" ] && {
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"默认\""
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"默认\""
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp $(get_redirect_ipv4 $TCP_PROXY_MODE) comment \"默认\""
-			}
-
-			[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"默认\""
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"默认\""
-				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_redirect_ipv6 $TCP_PROXY_MODE) comment \"默认\""
-			}
-
-			if [ -z "${is_tproxy}" ]; then
-				nft "add rule inet fw4 PSW ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
-				nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
-				nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
-				nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\""
-				nft "add rule inet fw4 PSW ip protocol tcp counter return comment \"默认\""
-			else
-				nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE ip protocol tcp counter return comment \"默认\""
-			fi
-
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		#  加载TCP默认代理模式
+		[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
 			[ "$PROXY_IPV6" == "1" ] && {
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp counter return comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
+				[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) counter drop comment \"默认\""
 			}

-			echolog "${msg}"
+			nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr $FAKE_IP counter drop comment \"默认\""
+			nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\""
+			nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
+			[ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) counter drop comment \"默认\""
 		}
-	fi

-	#  加载UDP默认代理模式
-	[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
-		[ "$PROXY_IPV6" == "1" ] && {
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
-			[ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) counter drop comment \"默认\""
+		if [ "$TCP_PROXY_MODE" != "disable" ]; then
+			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+				nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
+				nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
+			}
+			[ "$TCP_NODE" != "nil" ] && {
+				msg="TCP默认代理：使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
+				if [ -n "${is_tproxy}" ]; then
+					msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理"
+				else
+					msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理"
+				fi
+				
+				[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
+				msg="${msg}所有端口"
+				
+				[ "$accept_icmp" = "1" ] && {
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp $(get_redirect_ipv4 $TCP_PROXY_MODE) comment \"默认\""
+				}
+
+				[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"默认\""
+					nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_redirect_ipv6 $TCP_PROXY_MODE) comment \"默认\""
+				}
+
+				if [ -z "${is_tproxy}" ]; then
+					nft "add rule inet fw4 PSW ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
+					nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
+					nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
+					nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\""
+					nft "add rule inet fw4 PSW ip protocol tcp counter return comment \"默认\""
+				else
+					nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE ip protocol tcp counter return comment \"默认\""
+				fi
+
+				[ "$PROXY_IPV6" == "1" ] && {
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp counter return comment \"默认\""
+				}
+
+				echolog "${msg}"
+			}
+		fi
+
+		#  加载UDP默认代理模式
+		[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
+			[ "$PROXY_IPV6" == "1" ] && {
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
+				[ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) counter drop comment \"默认\""
+			}
+			nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr $FAKE_IP counter drop comment \"默认\""
+			nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\""
+			nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
+			[ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $UDP_PROXY_MODE) counter drop comment \"默认\""
 		}
-		nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr $FAKE_IP counter drop comment \"默认\""
-		nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\""
-		nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
-		[ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $UDP_PROXY_MODE) counter drop comment \"默认\""
+		if [ "$UDP_PROXY_MODE" != "disable" ]; then
+			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+				nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
+				nft "add inet fw4 PSW_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
+			}
+
+			[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && {
+				[ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE
+				msg="UDP默认代理：使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理"
+
+				[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
+				msg="${msg}所有端口"
+
+				nft "add rule inet fw4 PSW_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\""
+				nft "add rule inet fw4 PSW_MANGLE ip protocol udp counter return comment \"默认\""
+
+				[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\""
+					nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp counter return comment \"默认\""
+				}
+
+				echolog "${msg}"
+				udp_flag=1
+			}
+		fi
 	}
-	if [ "$UDP_PROXY_MODE" != "disable" ]; then
-		[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
-			nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
-			nft "add inet fw4 PSW_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
-		}
-
-		[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && {
-			[ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE
-			msg="UDP默认代理：使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理"
-
-			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
-			msg="${msg}所有端口"
-
-			nft "add rule inet fw4 PSW_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\""
-			nft "add rule inet fw4 PSW_MANGLE ip protocol udp counter return comment \"默认\""
-
-			[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) jump PSW_RULE comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\""
-				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp counter return comment \"默认\""
-			}
-
-			echolog "${msg}"
-			udp_flag=1
-		}
-	fi
 }

 filter_haproxy() {
@ -735,7 +739,6 @@ add_firewall_rule() {
 		[ -n "$lan_ip6" ] && insert_nftset $NFTSET_LANIPLIST6 $(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e 's/$/,/' )
 	}

-	local ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
 	[ -n "$ISP_DNS" ] && {
 		#echolog "处理 ISP DNS 例外..."
 		for ispip in $ISP_DNS; do
@ -744,10 +747,9 @@ add_firewall_rule() {
 		done
 	}

-	local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
-	[ -n "$ISP_DNS" ] && {
+	[ -n "$ISP_DNS6" ] && {
 		#echolog "处理 ISP IPv6 DNS 例外..."
-		for ispip6 in $ISP_DNS; do
+		for ispip6 in $ISP_DNS6; do
 			insert_nftset $NFTSET_WHITELIST6 $ispip6 >/dev/null 2>&1 &
 			#echolog "  - 追加到白名单：${ispip6}"
 		done
@ -886,83 +888,7 @@ add_firewall_rule() {
 		ip -6 rule add fwmark 1 table 100
 		ip -6 route add local ::/0 dev lo table 100
 	}
-
-	# 加载路由器自身代理 TCP
-	if [ "$TCP_NODE" != "nil" ]; then
-		echolog "加载路由器自身 TCP 代理..."
-
-		[ "$accept_icmp" = "1" ] && {
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr 198.18.0.0/16 counter redirect"
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr @$NFTSET_SHUNTLIST counter redirect"
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr @$NFTSET_BLACKLIST counter redirect"
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter redirect"
-		}
-
-		[ "$accept_icmpv6" = "1" ] && {
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 counter redirect"
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 counter redirect"
-			nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) counter redirect"
-		}
-
-		[ -n "${is_tproxy}" ] && {
-			echolog "  - 启用 TPROXY 模式"
-		}
-
-		_proxy_tcp_access() {
-			[ -n "${2}" ] || return 0
-			nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
-			[ $? -eq 0 ] && {
-				echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
-				return 0
-			}
-			if [ -z "${is_tproxy}" ]; then
-				nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
-			else
-				nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
-				nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
-			fi
-			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
-		}
-
-		[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
-		[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
-			nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter return"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter return"
-			echolog "  - [$?]不代理TCP 端口：$TCP_NO_REDIR_PORTS"
-		}
-		[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
-			nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
-			nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
-			nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
-			[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter drop
-			echolog "  - [$?]，屏蔽代理TCP 端口：$TCP_PROXY_DROP_PORTS"
-		}
-
-		if [ -z "${is_tproxy}" ]; then
-			nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)"
-			nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)"
-			nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
-			nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)"
-			nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
-		else
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
-			nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
-		fi
-
-		[ "$PROXY_IPV6" == "1" ] && {
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
-		}
-	fi
-
+	
 	# 过滤Socks节点
 	[ "$SOCKS_ENABLED" = "1" ] && {
 		local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
@ -984,75 +910,157 @@ add_firewall_rule() {
 		done
 	}

-	# 处理轮换节点的分流或套娃
-	local node port stream switch
-	for stream in TCP UDP; do
-		eval "node=\${${stream}_NODE}"
-		eval "port=\${${stream}_REDIR_PORT}"
-		#echolog "分析 $stream 代理自动切换..."
-		[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
-			eval "node=\${TCP_NODE}"
-			eval "port=\${TCP_REDIR_PORT}"
-		}
-		if [ "$node" != "nil" ]; then
-			filter_node $node $stream $port > /dev/null 2>&1 &
-		fi
-	done
-
-	# 加载路由器自身代理 UDP
-	[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
-		nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
-		nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
-		nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
-		[ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE counter ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) counter drop
-		echolog "  - [$?]，屏蔽代理UDP 端口：$UDP_PROXY_DROP_PORTS"
-	}
-	if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
-		echolog "加载路由器自身 UDP 代理..."
-		_proxy_udp_access() {
-			[ -n "${2}" ] || return 0
-			nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
-			[ $? == 0 ] && {
-				echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
-				return 0
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		# 处理轮换节点的分流或套娃
+		local node port stream switch
+		for stream in TCP UDP; do
+			eval "node=\${${stream}_NODE}"
+			eval "port=\${${stream}_REDIR_PORT}"
+			#echolog "分析 $stream 代理自动切换..."
+			[ "$stream" == "UDP" ] && [ "$node" == "tcp" ] && {
+				eval "node=\${TCP_NODE}"
+				eval "port=\${TCP_REDIR_PORT}"
 			}
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${2} udp dport ${3} counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE iif lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
-			echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
-		}
-		[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
-		[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
-			nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
-			nft add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
-			echolog "  - [$?]不代理 UDP 端口：$UDP_NO_REDIR_PORTS"
+			if [ "$node" != "nil" ] && [ "$(config_get_type $node nil)" != "nil" ]; then
+				filter_node $node $stream $port > /dev/null 2>&1 &
+			fi
+		done
+
+		# 加载路由器自身代理 TCP
+		if [ "$TCP_NODE" != "nil" ]; then
+			echolog "加载路由器自身 TCP 代理..."
+
+			[ "$accept_icmp" = "1" ] && {
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr 198.18.0.0/16 counter redirect"
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr @$NFTSET_SHUNTLIST counter redirect"
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr @$NFTSET_BLACKLIST counter redirect"
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter redirect"
+			}
+
+			[ "$accept_icmpv6" = "1" ] && {
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 counter redirect"
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 counter redirect"
+				nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) counter redirect"
+			}
+
+			[ -n "${is_tproxy}" ] && {
+				echolog "  - 启用 TPROXY 模式"
+			}
+
+			_proxy_tcp_access() {
+				[ -n "${2}" ] || return 0
+				nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
+				[ $? -eq 0 ] && {
+					echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
+					return 0
+				}
+				if [ -z "${is_tproxy}" ]; then
+					nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT)
+				else
+					nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE
+					nft add rule inet fw4 PSW_MANGLE iif lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\"
+				fi
+				echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链"
+			}
+
+			[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
+			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+				nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter return"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter return"
+				echolog "  - [$?]不代理TCP 端口：$TCP_NO_REDIR_PORTS"
+			}
+			[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
+				nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
+				nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
+				nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
+				[ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter drop
+				echolog "  - [$?]，屏蔽代理TCP 端口：$TCP_PROXY_DROP_PORTS"
+			}
+
+			if [ -z "${is_tproxy}" ]; then
+				nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)"
+				nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)"
+				nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
+				nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)"
+				nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
+			else
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
+				nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
+				nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
+				nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
+			fi
+
+			[ "$PROXY_IPV6" == "1" ] && {
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
+			}
+		fi
+
+		# 加载路由器自身代理 UDP
+		[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
+			nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+			nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+			nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+			[ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE counter ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) counter drop
+			echolog "  - [$?]，屏蔽代理UDP 端口：$UDP_PROXY_DROP_PORTS"
 		}
+		if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
+			echolog "加载路由器自身 UDP 代理..."
+			_proxy_udp_access() {
+				[ -n "${2}" ] || return 0
+				nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
+				[ $? == 0 ] && {
+					echolog "  - 上游 DNS 服务器 ${2} 已在直接访问的列表中，不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
+					return 0
+				}
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${2} udp dport ${3} counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_MANGLE iif lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
+				echolog "  - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
+			}
+			[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
+			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+				nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
+				nft add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
+				echolog "  - [$?]不代理 UDP 端口：$UDP_NO_REDIR_PORTS"
+			}

-		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE"
-		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
-		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
-		nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
-		nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
-		nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
-		nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
+			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE"
+			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+			nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
+			nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+			nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
+			nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""

-		[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
-			nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_PROXY_MODE) jump PSW_RULE"
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
-			nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
-		}
-	fi
+			[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+				nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_PROXY_MODE) jump PSW_RULE"
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+				nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
+			}
+		fi

-	nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
-	nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
+		nft "add rule inet fw4 mangle_output oif lo counter return comment \"mangle-OUTPUT-PSW\""
+		nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
+
+		nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
+		nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
+	}

-	nft "add rule inet fw4 PSW_MANGLE ip protocol udp udp dport 53 counter return"
-	nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
 	#  加载ACLS
 	load_acl
-
-	# dns_hijack "force"
+	
+	for iface in $IFACES; do
+		nft "insert rule inet fw4 $nft_output_chain oif $iface counter return"
+		nft "insert rule inet fw4 PSW_OUTPUT_MANGLE_V6 oif $iface counter return"
+	done

 	[ -n "${is_tproxy}" -o -n "${udp_flag}" ] && {
 		bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
@ -1170,6 +1178,7 @@ gen_include() {
 }

 start() {
+	[ "$ENABLED_DEFAULT_ACL" == 0 -a "$ENABLED_ACLS" == 0 ] && return
 	add_firewall_rule
 	gen_include
 }
--- a/luci-app-passwall2/Makefile
+++ b/luci-app-passwall2/Makefile
@ -5,8 +5,8 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-passwall2
-PKG_VERSION:=1.9
-PKG_RELEASE:=3
+PKG_VERSION:=1.10
+PKG_RELEASE:=1

 PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_$(PKG_NAME)_Transparent_Proxy \
--- a/luci-app-passwall2/luasrc/controller/passwall2.lua
+++ b/luci-app-passwall2/luasrc/controller/passwall2.lua
@ -110,11 +110,19 @@ end
 function autoswitch_add_node()
 	local key = luci.http.formvalue("key")
 	if key and key ~= "" then
-		for k, e in ipairs(api.get_valid_nodes()) do
-			if e.node_type == "normal" and e["remark"]:find(key) then
-				luci.sys.call(string.format("uci -q del_list passwall2.@auto_switch[0].node='%s' && uci -q add_list passwall2.@auto_switch[0].node='%s'", e.id, e.id))
+		local new_list = ucic:get(appname, "@auto_switch[0]", "node") or {}
+		for i = #new_list, 1, -1 do
+			if (ucic:get(appname, new_list[i], "remarks") or ""):find(key) then
+				table.remove(new_list, i)
 			end
 		end
+		for k, e in ipairs(api.get_valid_nodes()) do
+			if e.node_type == "normal" and e["remark"]:find(key) then
+				table.insert(new_list, e.id)
+			end
+		end
+		ucic:set_list(appname, "@auto_switch[0]", "node", new_list)
+		ucic:commit(appname)
 	end
 	luci.http.redirect(api.url("auto_switch"))
 end
@ -122,11 +130,14 @@ end
 function autoswitch_remove_node()
 	local key = luci.http.formvalue("key")
 	if key and key ~= "" then
-		for k, e in ipairs(ucic:get(appname, "@auto_switch[0]", "node") or {}) do
-			if e and (ucic:get(appname, e, "remarks") or ""):find(key) then
-				luci.sys.call(string.format("uci -q del_list passwall2.@auto_switch[0].node='%s'", e))
+		local new_list = ucic:get(appname, "@auto_switch[0]", "node") or {}
+		for i = #new_list, 1, -1 do
+			if (ucic:get(appname, new_list[i], "remarks") or ""):find(key) then
+				table.remove(new_list, i)
 			end
 		end
+		ucic:set_list(appname, "@auto_switch[0]", "node", new_list)
+		ucic:commit(appname)
 	end
 	luci.http.redirect(api.url("auto_switch"))
 end
@ -188,7 +199,7 @@ function connect_status()
 	local e = {}
 	e.use_time = ""
 	local url = luci.http.formvalue("url")
-	local result = luci.sys.exec('curl --connect-timeout 3 -o /dev/null -I -skL -w "%{http_code}:%{time_starttransfer}" ' .. url)
+	local result = luci.sys.exec('curl --connect-timeout 3 -o /dev/null -I -sk -w "%{http_code}:%{time_starttransfer}" ' .. url)
 	local code = tonumber(luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $1}'") or "0")
 	if code ~= 0 then
 		local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'")
@ -294,11 +305,12 @@ function delete_select_nodes()
 	local ids = luci.http.formvalue("ids")
 	local auto_switch_node_list = ucic:get(appname, "@auto_switch[0]", "node") or {}
 	string.gsub(ids, '[^' .. "," .. ']+', function(w)
-		for k, v in ipairs(auto_switch_node_list) do
-			if v == w then
-				luci.sys.call(string.format("uci -q del_list passwall2.@auto_switch[0].node='%s'", w))
+		for i = #auto_switch_node_list, 1, -1 do
+			if w == auto_switch_node_list[i] then
+				table.remove(auto_switch_node_list, i)
 			end
 		end
+		ucic:set_list(appname, "@auto_switch[0]", "node", auto_switch_node_list)
 		if (ucic:get(appname, "@global[0]", "node") or "nil") == w then
 			ucic:set(appname, '@global[0]', "node", "nil")
 		end
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl.lua
@ -5,8 +5,15 @@ local has_chnlist = api.fs.access("/usr/share/passwall2/rules/chnlist")

 m = Map(appname)

+s = m:section(TypedSection, "global", translate("ACLs"), "<font color='red'>" .. translate("ACLs is a tools which used to designate specific IP proxy mode.") .. "</font>")
+s.anonymous = true
+
+o = s:option(Flag, "acl_enable", translate("Main switch"))
+o.rmempty = false
+o.default = false
+
 -- [[ ACLs Settings ]]--
-s = m:section(TypedSection, "acl_rule", translate("ACLs"), "<font color='red'>" .. translate("ACLs is a tools which used to designate specific IP proxy mode.") .. "</font>")
+s = m:section(TypedSection, "acl_rule")
 s.template = "cbi/tblsection"
 s.sortable = true
 s.anonymous = true
--- a/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_config.lua
+++ b/luci-app-passwall2/luasrc/model/cbi/passwall2/client/node_config.lua
@ -412,12 +412,17 @@ function x_ss_encrypt_method.write(self, section, value)
 	m:set(section, "method", value)
 end

-uot = s:option(Flag, "uot", translate("UDP over TCP"), translate("Need Xray server side with Shadowsocks-2022 protocol"))
-uot:depends({ type = "Xray", protocol = "shadowsocks" })
-
 iv_check = s:option(Flag, "iv_check", translate("IV Check"))
 iv_check:depends({ type = "V2ray", protocol = "shadowsocks" })
-iv_check:depends({ type = "Xray", protocol = "shadowsocks" })
+iv_check:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "aes-128-gcm" })
+iv_check:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "aes-256-gcm" })
+iv_check:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "chacha20-poly1305" })
+iv_check:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "xchacha20-poly1305" })
+
+uot = s:option(Flag, "uot", translate("UDP over TCP"), translate("Need Xray-core or sing-box as server side."))
+uot:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "2022-blake3-aes-128-gcm" })
+uot:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "2022-blake3-aes-256-gcm" })
+uot:depends({ type = "Xray", protocol = "shadowsocks", x_ss_encrypt_method = "2022-blake3-chacha20-poly1305" })

 ssr_protocol = s:option(Value, "ssr_protocol", translate("Protocol"))
 for a, t in ipairs(ssr_protocol_list) do ssr_protocol:value(t) end
--- a/luci-app-passwall2/luasrc/passwall2/util_xray.lua
+++ b/luci-app-passwall2/luasrc/passwall2/util_xray.lua
@ -966,7 +966,7 @@ function gen_config(var)
                port = tonumber(remote_dns_port) or 53,
                network = _remote_dns_proto or "tcp",
            }
-            local type_dns = remote_type_dns
+            local type_dns = direct_type_dns
            table.insert(outbounds, {
                tag = "dns-out",
                protocol = "dns",
--- a/luci-app-passwall2/luasrc/view/passwall2/global/faq.htm
+++ b/luci-app-passwall2/luasrc/view/passwall2/global/faq.htm
@ -5,7 +5,7 @@ local api = require "luci.passwall2.api"
 	<div id="dns_div">
 		<ul><b style="color:red"><%:About DNS issues:%></b>
 			<li style="color:red">1. <span><%:Some browsers may have built-in DNS, be sure to close. Example: Chrome. Settings - Security and Privacy - Security - Use secure DNS disabled.%></span></li>
-			<li style="color:red">2. <span><%:Sometimes after restart, you can not internet. At this time, close all browsers (important), Windows Client, please `ipconfig / flushdns`. Please close the WiFi on the phone, cut the flight mode and then cut back.%></span></li>
+			<li style="color:red">2. <span><%:Sometimes after restart, you can not internet. At this time, close all browsers (important), Windows Client, please `ipconfig /flushdns`. Please close the WiFi on the phone, cut the flight mode and then cut back.%></span></li>
 			<li style="color:red">3. <span><%:The client DNS and the default gateway must point to this router.%></span></li>
 		</ul>
 	</div>
--- a/luci-app-passwall2/luasrc/view/passwall2/global/status.htm
+++ b/luci-app-passwall2/luasrc/view/passwall2/global/status.htm
@ -101,7 +101,7 @@ https://github.com/pure-css/pure/blob/master/LICENSE.md
 				</div>
 			</div>
 		</div>
-		<div class="pure-u-1-4 check" onclick="check_connect('baidu', 'https://www.baidu.com')">
+		<div class="pure-u-1-4 check" onclick="check_connect('baidu', 'http://www.baidu.com')">
 			<div class="block pure-g">
 				<div class="pure-u-1-3">
 					<div class="img-con">
@ -113,7 +113,7 @@ https://github.com/pure-css/pure/blob/master/LICENSE.md
 				</div>
 			</div>
 		</div>
-		<div class="pure-u-1-4 check" onclick="check_connect('google', 'https://www.google.com/generate_204')">
+		<div class="pure-u-1-4 check" onclick="check_connect('google', 'http://www.google.com/generate_204')">
 			<div class="block pure-g">
 				<div class="pure-u-1-3">
 					<div class="img-con">
@ -125,7 +125,7 @@ https://github.com/pure-css/pure/blob/master/LICENSE.md
 				</div>
 			</div>
 		</div>
-		<div class="pure-u-1-4 check" onclick="check_connect('github', 'https://github.com')">
+		<div class="pure-u-1-4 check" onclick="check_connect('github', 'http://github.com')">
 			<div class="block pure-g">
 				<div class="pure-u-1-3">
 					<div class="img-con">
--- a/luci-app-passwall2/po/zh-cn/passwall2.po
+++ b/luci-app-passwall2/po/zh-cn/passwall2.po
@ -154,8 +154,8 @@ msgstr "关于DNS问题："
 msgid "Some browsers may have built-in DNS, be sure to close. Example: Chrome. Settings - Security and Privacy - Security - Use secure DNS disabled."
 msgstr "部分浏览器可能有内置的DNS，请务必关闭。如：chrome。 设置 - 安全和隐私设置 - 使用安全 DNS 关闭。"

-msgid "Sometimes after restart, you can not internet. At this time, close all browsers (important), Windows Client, please `ipconfig / flushdns`. Please close the WiFi on the phone, cut the flight mode and then cut back."
-msgstr "有时候重启后，上不了。这时请先关闭所有浏览器（重要），Windows客户端请`ipconfig/flushdns`。手机端请关闭WIFI，切一下飞行模式再切回来。"
+msgid "Sometimes after restart, you can not internet. At this time, close all browsers (important), Windows Client, please `ipconfig /flushdns`. Please close the WiFi on the phone, cut the flight mode and then cut back."
+msgstr "有时候重启后，上不了。这时请先关闭所有浏览器（重要），Windows客户端请`ipconfig /flushdns`。手机端请关闭WIFI，切一下飞行模式再切回来。"

 msgid "The client DNS and the default gateway must point to this router."
 msgstr "客户端DNS和默认网关必须指向本路由器。"
@ -862,8 +862,8 @@ msgstr "IV 检查"
 msgid "UDP over TCP"
 msgstr "TCP 封装 UDP"

-msgid "Need Xray server side with Shadowsocks-2022 protocol"
-msgstr "需要 Xray 作服务器端的 Shadowsocks-2022 协议"
+msgid "Need Xray-core or sing-box as server side."
+msgstr "需要 Xray-core 或者 sing-box 作为服务器端。"

 msgid "Connection Timeout"
 msgstr "连接超时时间"
--- a/luci-app-passwall2/root/usr/share/passwall2/0_default_config
+++ b/luci-app-passwall2/root/usr/share/passwall2/0_default_config
@ -4,6 +4,7 @@ config global
 	option node_socks_port '1070'
 	option localhost_proxy '1'
 	option socks_enabled '0'
+	option acl_enable '0'
 	option node 'myshunt'
 	option direct_dns_protocol 'auto'
 	option direct_dns_query_strategy 'UseIP'
--- a/luci-app-passwall2/root/usr/share/passwall2/app.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh
@ -22,7 +22,8 @@ TUN_DNS_PORT=15353
 TUN_DNS="127.0.0.1#${TUN_DNS_PORT}"
 DEFAULT_DNS=
 IFACES=
-NO_PROXY=0
+ENABLED_DEFAULT_ACL=0
+ENABLED_ACLS=0
 PROXY_IPV6=0
 PROXY_IPV6_UDP=0
 LUA_UTIL_PATH=/usr/lib/lua/luci/passwall2
@ -757,7 +758,7 @@ start_crontab() {
 		rm -rf $TMP_SUB_PATH
 	}

-	if [ "$NO_PROXY" == 0 ]; then
+	if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then
 		start_daemon=$(config_t_get global_delay start_daemon 0)
 		[ "$start_daemon" = "1" ] && $APP_PATH/monitor.sh > /dev/null 2>&1 &

@ -790,6 +791,114 @@ boot() {
 	fi
 }

+acl_app() {
+	local items=$(uci show ${CONFIG} | grep "=acl_rule" | cut -d '.' -sf 2 | cut -d '=' -sf 1)
+	[ -n "$items" ] && {
+		local index=0
+		local item
+		local redir_port dns_port dnsmasq_port
+		local ipt_tmp msg msg2
+		redir_port=11200
+		dns_port=11300
+		dnsmasq_port=11400
+		echolog "访问控制："
+		for item in $items; do
+			index=$(expr $index + 1)
+			local enabled sid remarks sources node direct_dns_protocol direct_dns direct_dns_doh direct_dns_client_ip direct_dns_query_strategy remote_dns_protocol only_proxy_fakedns remote_dns remote_dns_doh remote_dns_client_ip remote_dns_query_strategy
+			local _ip _mac _iprange _ipset _ip_or_mac rule_list config_file
+			sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}')
+			eval $(uci -q show "${CONFIG}.${item}" | cut -d'.' -sf 3-)
+			[ "$enabled" = "1" ] || continue
+			
+			[ -z "${sources}" ] && continue
+			for s in $sources; do
+				is_iprange=$(lua_api "iprange(\"${s}\")")
+				if [ "${is_iprange}" = "true" ]; then
+					rule_list="${rule_list}\niprange:${s}"
+				elif [ -n "$(echo ${s} | grep '^ipset:')" ]; then
+					rule_list="${rule_list}\nipset:${s}"
+				else
+					_ip_or_mac=$(lua_api "ip_or_mac(\"${s}\")")
+					if [ "${_ip_or_mac}" = "ip" ]; then
+						rule_list="${rule_list}\nip:${s}"
+					elif [ "${_ip_or_mac}" = "mac" ]; then
+						rule_list="${rule_list}\nmac:${s}"
+					fi
+				fi
+			done
+			[ -z "${rule_list}" ] && continue
+			mkdir -p $TMP_ACL_PATH/$sid
+			echo -e "${rule_list}" | sed '/^$/d' > $TMP_ACL_PATH/$sid/rule_list
+			
+			tcp_proxy_mode="global"
+			udp_proxy_mode="global"
+			node=${node:-default}
+			direct_dns_protocol=${direct_dns_protocol:-auto}
+			direct_dns=${direct_dns:-119.29.29.29}
+			[ "$direct_dns_protocol" = "doh" ] && direct_dns=${direct_dns_doh:-https://223.5.5.5/dns-query}
+			direct_dns_query_strategy=${direct_dns_query_strategy:-UseIP}
+			remote_dns_protocol=${remote_dns_protocol:-tcp}
+			remote_dns=${remote_dns:-1.1.1.1}
+			[ "$remote_dns_protocol" = "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query}
+			remote_dns_query_strategy=${remote_dns_query_strategy:-UseIPv4}
+			
+			[ "$node" != "nil" ] && {
+				if [ "$node" = "default" ]; then
+					node=$NODE
+					redir_port=$REDIR_PORT
+				else
+					[ "$(config_get_type $node nil)" = "nodes" ] && {
+						if [ "$node" = "$NODE" ]; then
+							redir_port=$REDIR_PORT
+						else
+							redir_port=$(get_new_port $(expr $redir_port + 1))
+							eval node_${node}_redir_port=$redir_port
+
+							local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
+							if [ -n "${type}" ]; then
+								config_file=$TMP_ACL_PATH/${node}_TCP_UDP_DNS_${redir_port}.json
+								dns_port=$(get_new_port $(expr $dns_port + 1))
+								local acl_socks_port=$(get_new_port $(expr $redir_port + $index))
+								run_v2ray flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_protocol=${direct_dns_protocol} direct_dns_udp_server=${direct_dns} direct_dns_tcp_server=${direct_dns} direct_dns_doh="${direct_dns}" direct_dns_client_ip=${direct_dns_client_ip} direct_dns_query_strategy=${direct_dns_query_strategy} remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_query_strategy=${remote_dns_query_strategy} config_file=${config_file}
+							fi
+							dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
+							redirect_dns_port=$dnsmasq_port
+							mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d
+							default_dnsmasq_cfgid=$(uci show dhcp.@dnsmasq[0] |  awk -F '.' '{print $2}' | awk -F '=' '{print $1}'| head -1)
+							[ -s "/tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid}" ] && {
+								cp -r /tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid} $TMP_ACL_PATH/$sid/dnsmasq.conf
+								sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+								sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+								sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+								sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+								sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+								sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+							}
+							echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
+							echo "conf-dir=${TMP_ACL_PATH}/${sid}/dnsmasq.d" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
+							echo "server=127.0.0.1#${dns_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
+							echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
+							echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
+							#source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_ACL_PATH/$sid/dnsmasq.d DNSMASQ_CONF_FILE=/dev/null DEFAULT_DNS=$AUTO_DNS TUN_DNS=127.0.0.1#${dns_port} NO_LOGIC_LOG=1
+							ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid
+							eval node_${node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port}
+							filter_node $node TCP > /dev/null 2>&1 &
+							filter_node $node UDP > /dev/null 2>&1 &
+						fi
+						echo "${node}" > $TMP_ACL_PATH/$sid/var_node
+					}
+				fi
+				echo "${redir_port}" > $TMP_ACL_PATH/$sid/var_port
+			}
+			[ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port
+			unset enabled sid remarks sources node direct_dns_protocol direct_dns direct_dns_doh direct_dns_client_ip direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_query_strategy
+			unset _ip _mac _iprange _ipset _ip_or_mac rule_list config_file
+			unset redirect_dns_port
+		done
+		unset redir_port dns_port dnsmasq_port
+	}
+}
+
 start() {
 	pgrep -f /tmp/etc/passwall2/bin > /dev/null 2>&1 && {
 		echolog "程序已启动，无需重复启动!"
@ -798,24 +907,25 @@ start() {

 	ulimit -n 65535
 	start_socks
-
-	[ "$NO_PROXY" == 1 ] || {
-		if [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then
-			echolog "系统未安装iptables或ipset，无法透明代理！"
-		else
-			run_global
-			source $APP_PATH/iptables.sh start
-			source $APP_PATH/helper_dnsmasq.sh logic_restart
-			bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
-			echo -n $bridge_nf_ipt > $TMP_PATH/bridge_nf_ipt
-			sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1
-			[ "$PROXY_IPV6" == "1" ] && {
-				bridge_nf_ip6t=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
-				echo -n $bridge_nf_ip6t > $TMP_PATH/bridge_nf_ip6t
-				sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1
-			}
-		fi
-	}
+	
+	local USE_TABLES="iptables"
+	if [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then
+		echolog "系统未安装iptables或ipset，无法透明代理！"
+	fi
+	
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && run_global
+	source $APP_PATH/${USE_TABLES}.sh start
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_dnsmasq.sh logic_restart
+	if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then
+		bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
+		echo -n $bridge_nf_ipt > $TMP_PATH/bridge_nf_ipt
+		sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1
+		[ "$PROXY_IPV6" == "1" ] && {
+			bridge_nf_ip6t=$(sysctl -e -n net.bridge.bridge-nf-call-ip6tables)
+			echo -n $bridge_nf_ip6t > $TMP_PATH/bridge_nf_ip6t
+			sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1
+		}
+	fi
 	start_crontab
 	echolog "运行完成！\n"
 }
@ -840,15 +950,17 @@ stop() {
 }

 ENABLED=$(config_t_get global enabled 0)
+NODE=$(config_t_get global node nil)
+[ "$ENABLED" == 1 ] && {
+	[ "$NODE" != "nil" ] && [ "$(config_get_type $NODE nil)" != "nil" ] && ENABLED_DEFAULT_ACL=1
+}
+ENABLED_ACLS=$(config_t_get global acl_enable 0)
+[ "$ENABLED_ACLS" == 1 ] && {
+	[ "$(uci show ${CONFIG} | grep "@acl_rule" | grep "enabled='1'" | wc -l)" == 0 ] && ENABLED_ACLS=0
+}
 SOCKS_ENABLED=$(config_t_get global socks_enabled 0)
 REDIR_PORT=$(echo $(get_new_port 1041 tcp,udp))
-[ "$ENABLED" != 1 ] && NO_PROXY=1
-NODE=$(config_t_get global node nil)
-[ "$NODE" == "nil" ] && NO_PROXY=1
-[ "$(config_get_type $NODE nil)" == "nil" ] && NO_PROXY=1
 tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
-RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
-[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
 TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable')
 UDP_NO_REDIR_PORTS=$(config_t_get global_forwarding udp_no_redir_ports 'disable')
 TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '22,25,53,143,465,587,853,993,995,80,443')
@ -864,8 +976,14 @@ REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E
 REMOTE_DNS_QUERY_STRATEGY=$(config_t_get global remote_dns_query_strategy UseIPv4)
 DNS_CACHE=$(config_t_get global dns_cache 1)

+RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
+[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
+
+ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
+ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
+
 DEFAULT_DNS=$(uci show dhcp | grep "@dnsmasq" | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
-[ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $(sed -n 's/^nameserver[ \t]*\([^ ]*\)$/\1/p' "${RESOLVFILE}" | grep -v -E "0.0.0.0|127.0.0.1|::" | head -2) | tr ' ' ',')
+[ -z "${DEFAULT_DNS}" ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
 AUTO_DNS=${DEFAULT_DNS:-119.29.29.29}

 PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0)
--- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
+++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh
@ -170,108 +170,28 @@ get_wan6_ip() {
 }

 load_acl() {
-	local items=$(uci show ${CONFIG} | grep "=acl_rule" | cut -d '.' -sf 2 | cut -d '=' -sf 1)
-	[ -n "$items" ] && {
-		local index=0
-		local item
-		local redir_port dns_port dnsmasq_port
-		local ipt_tmp msg msg2
-		redir_port=11200
-		dns_port=11300
-		dnsmasq_port=11400
+	[ "$ENABLED_ACLS" == 1 ] && {
+		acl_app
 		echolog "访问控制："
-		for item in $items; do
-			index=$(expr $index + 1)
-			local enabled sid remarks sources tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node direct_dns_protocol direct_dns direct_dns_doh direct_dns_client_ip direct_dns_query_strategy remote_dns_protocol only_proxy_fakedns remote_dns remote_dns_doh remote_dns_client_ip remote_dns_query_strategy
-			local _ip _mac _iprange _ipset _ip_or_mac rule_list node_remark config_file
-			sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}')
-			eval $(uci -q show "${CONFIG}.${item}" | cut -d'.' -sf 3-)
-			[ "$enabled" = "1" ] || continue
-			
-			[ -z "${sources}" ] && continue
-			for s in $sources; do
-				is_iprange=$(lua_api "iprange(\"${s}\")")
-				if [ "${is_iprange}" = "true" ]; then
-					rule_list="${rule_list}\niprange:${s}"
-				elif [ -n "$(echo ${s} | grep '^ipset:')" ]; then
-					rule_list="${rule_list}\nipset:${s}"
-				else
-					_ip_or_mac=$(lua_api "ip_or_mac(\"${s}\")")
-					if [ "${_ip_or_mac}" = "ip" ]; then
-						rule_list="${rule_list}\nip:${s}"
-					elif [ "${_ip_or_mac}" = "mac" ]; then
-						rule_list="${rule_list}\nmac:${s}"
-					fi
-				fi
-			done
-			[ -z "${rule_list}" ] && continue
+		for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
+			eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)

 			tcp_no_redir_ports=${tcp_no_redir_ports:-default}
 			udp_no_redir_ports=${udp_no_redir_ports:-default}
 			tcp_proxy_mode="global"
 			udp_proxy_mode="global"
 			node=${node:-default}
-			direct_dns_protocol=${direct_dns_protocol:-auto}
-			direct_dns=${direct_dns:-119.29.29.29}
-			[ "$direct_dns_protocol" = "doh" ] && direct_dns=${direct_dns_doh:-https://223.5.5.5/dns-query}
-			direct_dns_query_strategy=${direct_dns_query_strategy:-UseIP}
-			remote_dns_protocol=${remote_dns_protocol:-tcp}
-			remote_dns=${remote_dns:-1.1.1.1}
-			[ "$remote_dns_protocol" = "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query}
-			remote_dns_query_strategy=${remote_dns_query_strategy:-UseIPv4}
 			[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
 			[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
 			[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
 			[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
-			[ "$node" != "nil" ] && {
-				if [ "$node" = "default" ]; then
-					node=$NODE
-					redir_port=$REDIR_PORT
-				else
-					[ "$(config_get_type $node nil)" = "nodes" ] && {
-						if [ "$node" = "$NODE" ]; then
-							redir_port=$REDIR_PORT
-						else
-							redir_port=$(get_new_port $(expr $redir_port + 1))
-							eval node_${node}_redir_port=$redir_port
-
-							local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
-							if [ -n "${type}" ]; then
-								config_file=$TMP_ACL_PATH/${node}_TCP_UDP_DNS_${redir_port}.json
-								dns_port=$(get_new_port $(expr $dns_port + 1))
-								local acl_socks_port=$(get_new_port $(expr $redir_port + $index))
-								run_v2ray flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_protocol=${direct_dns_protocol} direct_dns_udp_server=${direct_dns} direct_dns_tcp_server=${direct_dns} direct_dns_doh="${direct_dns}" direct_dns_client_ip=${direct_dns_client_ip} direct_dns_query_strategy=${direct_dns_query_strategy} remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_query_strategy=${remote_dns_query_strategy} config_file=${config_file}
-							fi
-							dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
-							redirect_dns_port=$dnsmasq_port
-							mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d
-							default_dnsmasq_cfgid=$(uci show dhcp.@dnsmasq[0] |  awk -F '.' '{print $2}' | awk -F '=' '{print $1}'| head -1)
-							[ -s "/tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid}" ] && {
-								cp -r /tmp/etc/dnsmasq.conf.${default_dnsmasq_cfgid} $TMP_ACL_PATH/$sid/dnsmasq.conf
-								sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
-								sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
-								sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
-								sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
-								sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
-								sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
-							}
-							echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
-							echo "conf-dir=${TMP_ACL_PATH}/${sid}/dnsmasq.d" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
-							echo "server=127.0.0.1#${dns_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
-							echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
-							echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
-							#source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_ACL_PATH/$sid/dnsmasq.d DNSMASQ_CONF_FILE=/dev/null DEFAULT_DNS=$AUTO_DNS TUN_DNS=127.0.0.1#${dns_port} NO_LOGIC_LOG=1
-							ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid
-							eval node_${node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port}
-							filter_node $node TCP > /dev/null 2>&1 &
-							filter_node $node UDP > /dev/null 2>&1 &
-						fi
-					}
-				fi
-				node_remark=$(config_n_get $node remarks)
-			}
 			
-			for i in $(echo -e ${rule_list}); do
+			node_remark=$(config_n_get $NODE remarks)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_node" ] && node=$(cat ${TMP_ACL_PATH}/${sid}/var_node)
+			[ -s "${TMP_ACL_PATH}/${sid}/var_port" ] && redir_port=$(cat ${TMP_ACL_PATH}/${sid}/var_port)
+			[ -n "$node" ] && [ "$node" != "default" ] && node_remark=$(config_n_get $node remarks)
+			
+			for i in $(cat ${TMP_ACL_PATH}/${sid}/rule_list); do
 				if [ -n "$(echo ${i} | grep '^iprange:')" ]; then
 					_iprange=$(echo ${i} | sed 's#iprange:##g')
 					_ipt_source=$(factor ${_iprange} "-m iprange --src-range")
@ -291,13 +211,13 @@ load_acl() {
 				else
 					continue
 				fi
-				
+
 				ipt_tmp=$ipt_n
 				[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m

 				[ -n "$redir_port" ] && {
 					if [ "$tcp_proxy_mode" != "disable" ]; then
-						[ -n "$redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $redirect_dns_port
+						[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
 						msg2="${msg}使用TCP节点[$node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
 						if [ -n "${is_tproxy}" ]; then
 							msg2="${msg2}(TPROXY:${redir_port})代理"
@ -373,95 +293,94 @@ load_acl() {
 				$ipt_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
 				$ip6t_m -A PSW2 $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null
 			done
-			unset enabled sid remarks sources tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node direct_dns_protocol direct_dns direct_dns_doh direct_dns_client_ip direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_query_strategy
-			unset _ip _mac _iprange _ipset _ip_or_mac rule_list node_remark config_file
+			unset enabled sid remarks sources tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports node
+			unset _ip _mac _iprange _ipset _ip_or_mac rule_list node_remark
 			unset ipt_tmp msg msg2
-			unset redirect_dns_port
 		done
-		unset redir_port dns_port dnsmasq_port
-		unset ipt_tmp msg msg2
 	}
-
-	#  加载默认代理模式
-	if [ "$TCP_PROXY_MODE" != "disable" ]; then
-		local ipt_tmp=$ipt_n
-		[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
-		[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
-			$ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			$ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
-		}
-		[ "$NODE" != "nil" ] && {
-			msg="TCP默认代理：使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
-			if [ -n "${is_tproxy}" ]; then
-				msg="${msg}(TPROXY:${REDIR_PORT})代理"
-			else
-				msg="${msg}(REDIRECT:${REDIR_PORT})代理"
-			fi
-
-			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
-			msg="${msg}所有端口"
-
-			[ "$accept_icmp" = "1" ] && {
-				$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
+	
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		#  加载默认代理模式
+		if [ "$TCP_PROXY_MODE" != "disable" ]; then
+			local ipt_tmp=$ipt_n
+			[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+				$ipt_tmp -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				$ip6t_m -A PSW2 $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
 			}
-			
-			[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
-				$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
-			}
-			
-			if [ "${ipt_tmp}" = "${ipt_n}" ]; then
-				$ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
-			else
-				$ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
-			fi
+			[ "$NODE" != "nil" ] && {
+				msg="TCP默认代理：使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]"
+				if [ -n "${is_tproxy}" ]; then
+					msg="${msg}(TPROXY:${REDIR_PORT})代理"
+				else
+					msg="${msg}(REDIRECT:${REDIR_PORT})代理"
+				fi

-			[ "$PROXY_IPV6" == "1" ] && {
-				$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
+				[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
+				msg="${msg}所有端口"
+
+				[ "$accept_icmp" = "1" ] && {
+					$ipt_n -A PSW2 $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2 $(comment "默认") -p icmp $(REDIRECT)
+				}
+				
+				[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+					$ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_n -A PSW2 $(comment "默认") -p ipv6-icmp $(REDIRECT)
+				}
+				
+				if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+					$ipt_n -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
+				else
+					$ipt_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP -j PSW2_RULE
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
+				fi
+
+				[ "$PROXY_IPV6" == "1" ] && {
+					$ip6t_m -A PSW2 $(comment "默认") -p tcp -d $FAKE_IP_6 -j PSW2_RULE
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p tcp $(REDIRECT $REDIR_PORT TPROXY)
+				}
+
+				echolog "${msg}"
+			}
+		fi
+		$ipt_n -A PSW2 $(comment "默认") -p tcp -j RETURN
+		$ipt_m -A PSW2 $(comment "默认") -p tcp -j RETURN
+		$ip6t_m -A PSW2 $(comment "默认") -p tcp -j RETURN
+
+		#  加载UDP默认代理模式
+		if [ "$UDP_PROXY_MODE" != "disable" ]; then
+			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+				$ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+				$ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
 			}

-			echolog "${msg}"
-		}
-	fi
-	$ipt_n -A PSW2 $(comment "默认") -p tcp -j RETURN
-	$ipt_m -A PSW2 $(comment "默认") -p tcp -j RETURN
-	$ip6t_m -A PSW2 $(comment "默认") -p tcp -j RETURN
+			[ -n "1" ] && {
+				msg="UDP默认代理：使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
+				
+				[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
+				msg="${msg}所有端口"
+				
+				$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)

-	#  加载UDP默认代理模式
-	if [ "$UDP_PROXY_MODE" != "disable" ]; then
-		[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
-			$ipt_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-			$ip6t_m -A PSW2 $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-		}
+				if [ "$PROXY_IPV6_UDP" == "1" ]; then
+					$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+					[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
+				fi

-		[ -n "1" ] && {
-			msg="UDP默认代理：使用节点[$(config_n_get $NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${REDIR_PORT})代理"
-			
-			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
-			msg="${msg}所有端口"
-			
-			$ipt_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
-
-			if [ "$PROXY_IPV6_UDP" == "1" ]; then
-				$ip6t_m -A PSW2 $(comment "默认") -p udp -d $FAKE_IP_6 -j PSW2_RULE
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "默认") -p udp $(REDIRECT $REDIR_PORT TPROXY)
-			fi
-
-			echolog "${msg}"
-		}
-	fi
-	$ipt_m -A PSW2 $(comment "默认") -p udp -j RETURN
-	$ip6t_m -A PSW2 $(comment "默认") -p udp -j RETURN
+				echolog "${msg}"
+			}
+		fi
+		$ipt_m -A PSW2 $(comment "默认") -p udp -j RETURN
+		$ip6t_m -A PSW2 $(comment "默认") -p udp -j RETURN
+	}
 }

 filter_vpsip() {
@ -613,7 +532,6 @@ add_firewall_rule() {
 		EOF
 	}

-	local ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
 	[ -n "$ISP_DNS" ] && {
 		#echolog "处理 ISP DNS 例外..."
 		for ispip in $ISP_DNS; do
@ -622,10 +540,9 @@ add_firewall_rule() {
 		done
 	}

-	local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
-	[ -n "$ISP_DNS" ] && {
+	[ -n "$ISP_DNS6" ] && {
 		#echolog "处理 ISP IPv6 DNS 例外..."
-		for ispip6 in $ISP_DNS; do
+		for ispip6 in $ISP_DNS6; do
 			ipset -! add $IPSET_LANIPLIST6 $ispip6 >/dev/null 2>&1 &
 			#echolog "  - 追加到白名单：${ispip6}"
 		done
@ -734,61 +651,7 @@ add_firewall_rule() {

 	ip -6 rule add fwmark 1 table 100
 	ip -6 route add local ::/0 dev lo table 100
-
-	# 加载路由器自身代理 TCP
-	if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
-		echolog "加载路由器自身 TCP 代理..."
-
-		[ "$accept_icmp" = "1" ] && {
-			$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
-			$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2_OUTPUT -p icmp $(REDIRECT)
-		}
-
-		[ "$accept_icmpv6" = "1" ] && {
-			$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW2_OUTPUT
-			$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
-		}
-		
-		local ipt_tmp=$ipt_n
-		[ -n "${is_tproxy}" ] && {
-			echolog "  - 启用 TPROXY 模式"
-			ipt_tmp=$ipt_m
-		}
-
-		[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
-			$ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			$ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
-			echolog "  - [$?]不代理TCP 端口：$TCP_NO_REDIR_PORTS"
-		}
-
-		if [ "${ipt_tmp}" = "${ipt_n}" ]; then
-			$ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
-			$ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
-		else
-			$ipt_m -A PSW2_OUTPUT -p tcp -d $FAKE_IP -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "本机") -p tcp -i lo $(REDIRECT $REDIR_PORT TPROXY)
-			$ipt_m -A PSW2 $(comment "本机") -p tcp -i lo -j RETURN
-			$ipt_m -A OUTPUT -p tcp -j PSW2_OUTPUT
-		fi
-
-		if [ "$PROXY_IPV6" == "1" ]; then
-			$ip6t_m -A PSW2_OUTPUT -p tcp -d $FAKE_IP_6 -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo $(REDIRECT $REDIR_PORT TPROXY)
-			$ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo -j RETURN
-			$ip6t_m -A OUTPUT -p tcp -j PSW2_OUTPUT
-		fi
-		
-		for iface in $IFACES; do
-			$ipt_n -I PSW2_OUTPUT -o $iface -p tcp -j RETURN
-			$ipt_m -I PSW2_OUTPUT -o $iface -p tcp -j RETURN
-		done
-	fi
-
+	
 	# 过滤Socks节点
 	[ "$SOCKS_ENABLED" = "1" ] && {
 		local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
@ -810,47 +673,102 @@ add_firewall_rule() {
 		done
 	}

-	# 处理轮换节点的分流或套娃
-	filter_node $NODE TCP > /dev/null 2>&1 &
-	filter_node $NODE UDP > /dev/null 2>&1 &
+	[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+		# 加载路由器自身代理 TCP
+		if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
+			echolog "加载路由器自身 TCP 代理..."

-	# 加载路由器自身代理 UDP
-	if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
-		echolog "加载路由器自身 UDP 代理..."
+			[ "$accept_icmp" = "1" ] && {
+				$ipt_n -A OUTPUT -p icmp -j PSW2_OUTPUT
+				$ipt_n -A PSW2_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2_OUTPUT -p icmp $(REDIRECT)
+			}

-		[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
-			$ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-			$ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
-			echolog "  - [$?]不代理 UDP 端口：$UDP_NO_REDIR_PORTS"
-		}
+			[ "$accept_icmpv6" = "1" ] && {
+				$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW2_OUTPUT
+				$ip6t_n -A PSW2_OUTPUT -p ipv6-icmp -d $FAKE_IP_6 $(REDIRECT)
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_n -A PSW2_OUTPUT -p ipv6-icmp $(REDIRECT)
+			}
+			
+			local ipt_tmp=$ipt_n
+			[ -n "${is_tproxy}" ] && {
+				echolog "  - 启用 TPROXY 模式"
+				ipt_tmp=$ipt_m
+			}

-		$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
-		[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-		[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
-		$ipt_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
-		$ipt_m -A OUTPUT -p udp -j PSW2_OUTPUT
+			[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+				$ipt_tmp -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				$ip6t_m -A PSW2_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+				echolog "  - [$?]不代理TCP 端口：$TCP_NO_REDIR_PORTS"
+			}

-		if [ "$PROXY_IPV6_UDP" == "1" ]; then
-			$ip6t_m -A PSW2_OUTPUT -p udp -d $FAKE_IP_6 -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
-			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
-			$ip6t_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
-			$ip6t_m -A OUTPUT -p udp -j PSW2_OUTPUT
+			if [ "${ipt_tmp}" = "${ipt_n}" ]; then
+				$ipt_n -A PSW2_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $REDIR_PORT)
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_n -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $REDIR_PORT)
+				$ipt_n -A OUTPUT -p tcp -j PSW2_OUTPUT
+			else
+				$ipt_m -A PSW2_OUTPUT -p tcp -d $FAKE_IP -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "本机") -p tcp -i lo $(REDIRECT $REDIR_PORT TPROXY)
+				$ipt_m -A PSW2 $(comment "本机") -p tcp -i lo -j RETURN
+				$ipt_m -A OUTPUT -p tcp -j PSW2_OUTPUT
+			fi
+
+			if [ "$PROXY_IPV6" == "1" ]; then
+				$ip6t_m -A PSW2_OUTPUT -p tcp -d $FAKE_IP_6 -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo $(REDIRECT $REDIR_PORT TPROXY)
+				$ip6t_m -A PSW2 $(comment "本机") -p tcp -i lo -j RETURN
+				$ip6t_m -A OUTPUT -p tcp -j PSW2_OUTPUT
+			fi
+			
+			for iface in $IFACES; do
+				$ipt_n -I PSW2_OUTPUT -o $iface -p tcp -j RETURN
+				$ipt_m -I PSW2_OUTPUT -o $iface -p tcp -j RETURN
+			done
 		fi
-		
-		for iface in $IFACES; do
-			$ipt_n -I PSW2_OUTPUT -o $iface -p udp -j RETURN
-			$ipt_m -I PSW2_OUTPUT -o $iface -p udp -j RETURN
-		done
-	fi

-	$ipt_m -A PSW2 -p udp --dport 53 -j RETURN
-	$ip6t_m -A PSW2 -p udp --dport 53 -j RETURN
+		# 处理轮换节点的分流或套娃
+		filter_node $NODE TCP > /dev/null 2>&1 &
+		filter_node $NODE UDP > /dev/null 2>&1 &
+
+		# 加载路由器自身代理 UDP
+		if [ "$NODE" != "nil" ] && [ "$LOCALHOST_PROXY" = "1" ]; then
+			echolog "加载路由器自身 UDP 代理..."
+
+			[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+				$ipt_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+				$ip6t_m -A PSW2_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+				echolog "  - [$?]不代理 UDP 端口：$UDP_NO_REDIR_PORTS"
+			}
+
+			$ipt_m -A PSW2_OUTPUT -p udp -d $FAKE_IP -j PSW2_RULE
+			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+			[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ipt_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
+			$ipt_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
+			$ipt_m -A OUTPUT -p udp -j PSW2_OUTPUT
+
+			if [ "$PROXY_IPV6_UDP" == "1" ]; then
+				$ip6t_m -A PSW2_OUTPUT -p udp -d $FAKE_IP_6 -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW2_RULE
+				[ "$ONLY_PROXY_FAKEDNS" != "1" ] && $ip6t_m -A PSW2 $(comment "本机") -p udp -i lo $(REDIRECT $REDIR_PORT TPROXY)
+				$ip6t_m -A PSW2 $(comment "本机") -p udp -i lo -j RETURN
+				$ip6t_m -A OUTPUT -p udp -j PSW2_OUTPUT
+			fi
+			
+			for iface in $IFACES; do
+				$ipt_n -I PSW2_OUTPUT -o $iface -p udp -j RETURN
+				$ipt_m -I PSW2_OUTPUT -o $iface -p udp -j RETURN
+			done
+		fi
+
+		$ipt_m -A PSW2 -p udp --dport 53 -j RETURN
+		$ip6t_m -A PSW2 -p udp --dport 53 -j RETURN
+	}
+
 	#  加载ACLS
 	load_acl

-	# dns_hijack "force"
-
 	echolog "防火墙规则加载完成！"
 }

@ -965,6 +883,7 @@ get_ip6t_bin() {
 }

 start() {
+	[ "$ENABLED_DEFAULT_ACL" == 0 -a "$ENABLED_ACLS" == 0 ] && return
 	add_firewall_rule
 	gen_include
 }
--- a/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
+++ b/luci-app-passwall2/root/usr/share/passwall2/subscribe.lua
@ -772,12 +772,12 @@ local function select_node(nodes, config)
 				end
 			end
 		end
-		-- 第一优先级 类型 + IP + 端口
+		-- 第一优先级 类型 + 备注 + IP + 端口
 		if not server then
 			for index, node in pairs(nodes) do
-				if config.currentNode.type and config.currentNode.address and config.currentNode.port then
-					if node.type and node.address and node.port then
-						if node.type == config.currentNode.type and (node.address .. ':' .. node.port == config.currentNode.address .. ':' .. config.currentNode.port) then
+				if config.currentNode.type and config.currentNode.remarks and config.currentNode.address and config.currentNode.port then
+					if node.type and node.remarks and node.address and node.port then
+						if node.type == config.currentNode.type and node.remarks == config.currentNode.remarks and (node.address .. ':' .. node.port == config.currentNode.address .. ':' .. config.currentNode.port) then
 							if config.log == nil or config.log == true then
 								log('更新【' .. config.remarks .. '】第一匹配节点：' .. node.remarks)
 							end
@ -788,12 +788,12 @@ local function select_node(nodes, config)
 				end
 			end
 		end
-		-- 第二优先级 IP + 端口
+		-- 第二优先级 类型 + IP + 端口
 		if not server then
 			for index, node in pairs(nodes) do
-				if config.currentNode.address and config.currentNode.port then
-					if node.address and node.port then
-						if node.address .. ':' .. node.port == config.currentNode.address .. ':' .. config.currentNode.port then
+				if config.currentNode.type and config.currentNode.address and config.currentNode.port then
+					if node.type and node.address and node.port then
+						if node.type == config.currentNode.type and (node.address .. ':' .. node.port == config.currentNode.address .. ':' .. config.currentNode.port) then
 							if config.log == nil or config.log == true then
 								log('更新【' .. config.remarks .. '】第二匹配节点：' .. node.remarks)
 							end
@ -804,12 +804,12 @@ local function select_node(nodes, config)
 				end
 			end
 		end
-		-- 第三优先级 IP
+		-- 第三优先级 IP + 端口
 		if not server then
 			for index, node in pairs(nodes) do
-				if config.currentNode.address then
-					if node.address then
-						if node.address == config.currentNode.address then
+				if config.currentNode.address and config.currentNode.port then
+					if node.address and node.port then
+						if node.address .. ':' .. node.port == config.currentNode.address .. ':' .. config.currentNode.port then
 							if config.log == nil or config.log == true then
 								log('更新【' .. config.remarks .. '】第三匹配节点：' .. node.remarks)
 							end
@ -820,14 +820,30 @@ local function select_node(nodes, config)
 				end
 			end
 		end
-		-- 第四优先级备注
+		-- 第四优先级 IP
+		if not server then
+			for index, node in pairs(nodes) do
+				if config.currentNode.address then
+					if node.address then
+						if node.address == config.currentNode.address then
+							if config.log == nil or config.log == true then
+								log('更新【' .. config.remarks .. '】第四匹配节点：' .. node.remarks)
+							end
+							server = node[".name"]
+							break
+						end
+					end
+				end
+			end
+		end
+		-- 第五优先级备注
 		if not server then
 			for index, node in pairs(nodes) do
 				if config.currentNode.remarks then
 					if node.remarks then
 						if node.remarks == config.currentNode.remarks then
 							if config.log == nil or config.log == true then
-								log('更新【' .. config.remarks .. '】第四匹配节点：' .. node.remarks)
+								log('更新【' .. config.remarks .. '】第五匹配节点：' .. node.remarks)
 							end
 							server = node[".name"]
 							break