mirror of
https://github.com/roacn/openwrt-packages.git
synced 2025-01-07 03:16:45 +08:00
🍉 Sync 2024-12-12 10:00
This commit is contained in:
github-actions[bot]
parent
5368e34d3d
commit
98732c1d30
@ -186,8 +186,7 @@ function gen_outbound(flag, node, tag, proxy_table)
|
||||
} or nil,
|
||||
wsSettings = (node.transport == "ws") and {
|
||||
path = node.ws_path or "/",
|
||||
headers = (node.ws_host ~= nil) and
|
||||
{Host = node.ws_host} or nil,
|
||||
host = node.ws_host or nil,
|
||||
maxEarlyData = tonumber(node.ws_maxEarlyData) or nil,
|
||||
earlyDataHeaderName = (node.ws_earlyDataHeaderName) and node.ws_earlyDataHeaderName or nil,
|
||||
heartbeatPeriod = tonumber(node.ws_heartbeatPeriod) or nil
|
||||
@ -486,7 +485,7 @@ function gen_config_server(node)
|
||||
header = {type = node.mkcp_guise}
|
||||
} or nil,
|
||||
wsSettings = (node.transport == "ws") and {
|
||||
headers = (node.ws_host) and {Host = node.ws_host} or nil,
|
||||
host = node.ws_host or nil,
|
||||
path = node.ws_path
|
||||
} or nil,
|
||||
httpSettings = (node.transport == "h2") and {
|
||||
|
||||
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall2
|
||||
PKG_VERSION:=24.12.11
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \
|
||||
@ -47,6 +47,7 @@ if PACKAGE_$(PKG_NAME)
|
||||
|
||||
config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy
|
||||
bool "Iptables Transparent Proxy"
|
||||
select PACKAGE_chinadns-ng
|
||||
select PACKAGE_dnsmasq-full
|
||||
select PACKAGE_dnsmasq_full_ipset
|
||||
select PACKAGE_ipset
|
||||
@ -62,6 +63,7 @@ config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy
|
||||
|
||||
config PACKAGE_$(PKG_NAME)_Nftables_Transparent_Proxy
|
||||
bool "Nftables Transparent Proxy"
|
||||
select PACKAGE_chinadns-ng
|
||||
select PACKAGE_dnsmasq-full
|
||||
select PACKAGE_dnsmasq_full_nftset
|
||||
select PACKAGE_nftables
|
||||
|
||||
@ -13,9 +13,6 @@ TMP_ROUTE_PATH=$TMP_PATH/route
|
||||
TMP_ACL_PATH=$TMP_PATH/acl
|
||||
TMP_IFACE_PATH=$TMP_PATH/iface
|
||||
TMP_PATH2=/tmp/etc/${CONFIG}_tmp
|
||||
DNSMASQ_PATH=/etc/dnsmasq.d
|
||||
DNSMASQ_CONF_DIR=/tmp/dnsmasq.d
|
||||
TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG}
|
||||
LOG_FILE=/tmp/log/$CONFIG.log
|
||||
APP_PATH=/usr/share/$CONFIG
|
||||
RULES_PATH=/usr/share/${CONFIG}/rules
|
||||
@ -288,17 +285,6 @@ lua_api() {
|
||||
echo $(lua -e "local api = require 'luci.passwall2.api' print(api.${func})")
|
||||
}
|
||||
|
||||
get_dnsmasq_conf_dir() {
|
||||
local dnsmasq_conf_path=$(grep -l "^conf-dir=" /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID})
|
||||
[ -n "$dnsmasq_conf_path" ] && {
|
||||
local dnsmasq_conf_dir=$(grep '^conf-dir=' "$dnsmasq_conf_path" | cut -d'=' -f2 | head -n 1)
|
||||
[ -n "$dnsmasq_conf_dir" ] && {
|
||||
DNSMASQ_CONF_DIR=${dnsmasq_conf_dir%*/}
|
||||
TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
get_geoip() {
|
||||
local geoip_code="$1"
|
||||
local geoip_type_flag=""
|
||||
@ -353,9 +339,9 @@ run_xray() {
|
||||
[ "${write_ipset_direct}" = "1" ] && {
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp)
|
||||
local set_flag="${flag}"
|
||||
local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
local direct_ipset_conf=${TMP_ACL_PATH}/default/dns_${flag}_direct.conf
|
||||
[ -n "$(echo ${flag} | grep '^acl')" ] && {
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dns_${flag}_direct.conf
|
||||
set_flag=$(echo ${flag} | awk -F '_' '{print $2}')
|
||||
}
|
||||
if [ "${nftflag}" = "1" ]; then
|
||||
@ -363,7 +349,7 @@ run_xray() {
|
||||
else
|
||||
local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6"
|
||||
fi
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
run_ipset_dns_server listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port}
|
||||
DIRECT_DNS_UDP_SERVER="127.0.0.1"
|
||||
[ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}"
|
||||
@ -465,9 +451,9 @@ run_singbox() {
|
||||
[ "${write_ipset_direct}" = "1" ] && {
|
||||
direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp)
|
||||
local set_flag="${flag}"
|
||||
local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf
|
||||
local direct_ipset_conf=${TMP_ACL_PATH}/default/dns_${flag}_direct.conf
|
||||
[ -n "$(echo ${flag} | grep '^acl')" ] && {
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf
|
||||
direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dns_${flag}_direct.conf
|
||||
set_flag=$(echo ${flag} | awk -F '_' '{print $2}')
|
||||
}
|
||||
if [ "${nftflag}" = "1" ]; then
|
||||
@ -475,7 +461,7 @@ run_singbox() {
|
||||
else
|
||||
local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6"
|
||||
fi
|
||||
run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
run_ipset_dns_server listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf}
|
||||
DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port}
|
||||
DIRECT_DNS_UDP_SERVER="127.0.0.1"
|
||||
[ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}"
|
||||
@ -719,9 +705,6 @@ run_global() {
|
||||
msg="${msg})"
|
||||
echolog ${msg}
|
||||
|
||||
source $APP_PATH/helper_dnsmasq.sh stretch
|
||||
source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE=${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf DEFAULT_DNS=$AUTO_DNS LOCAL_DNS=$LOCAL_DNS TUN_DNS=$TUN_DNS NFTFLAG=${nftflag:-0}
|
||||
|
||||
V2RAY_CONFIG=$TMP_ACL_PATH/default/global.json
|
||||
V2RAY_LOG=$TMP_ACL_PATH/default/global.log
|
||||
[ "$(config_t_get global log_node 1)" != "1" ] && V2RAY_LOG="/dev/null"
|
||||
@ -749,6 +732,9 @@ run_global() {
|
||||
fi
|
||||
|
||||
${run_func} $V2RAY_ARGS
|
||||
|
||||
GLOBAL_DNSMASQ_PORT=$(get_new_port 11400)
|
||||
run_copy_dnsmasq flag="default" listen_port=$GLOBAL_DNSMASQ_PORT tun_dns="${TUN_DNS}"
|
||||
}
|
||||
|
||||
start_socks() {
|
||||
@ -944,6 +930,101 @@ start_haproxy() {
|
||||
ln_run "$(first_type haproxy)" haproxy "/dev/null" -f "${haproxy_path}/${haproxy_conf}"
|
||||
}
|
||||
|
||||
run_ipset_dns_server() {
|
||||
if [ -n "$(first_type chinadns-ng)" ]; then
|
||||
run_ipset_chinadns_ng $@
|
||||
else
|
||||
run_ipset_dnsmasq $@
|
||||
fi
|
||||
}
|
||||
|
||||
gen_dnsmasq_items() {
|
||||
local dnss settype setnames outf ipsetoutf
|
||||
eval_set_val $@
|
||||
|
||||
awk -v dnss="${dnss}" -v settype="${settype}" -v setnames="${setnames}" -v outf="${outf}" -v ipsetoutf="${ipsetoutf}" '
|
||||
BEGIN {
|
||||
if(outf == "") outf="/dev/stdout";
|
||||
if(ipsetoutf == "") ipsetoutf=outf;
|
||||
split(dnss, dns, ","); setdns=length(dns)>0; setlist=length(setnames)>0;
|
||||
if(setdns) for(i in dns) if(length(dns[i])==0) delete dns[i];
|
||||
fail=1;
|
||||
}
|
||||
! /^$/&&!/^#/ {
|
||||
fail=0
|
||||
if(setdns) for(i in dns) printf("server=/.%s/%s\n", $0, dns[i]) >>outf;
|
||||
if(setlist) printf("%s=/.%s/%s\n", settype, $0, setnames) >>ipsetoutf;
|
||||
}
|
||||
END {fflush(outf); close(outf); fflush(ipsetoutf); close(ipsetoutf); exit(fail);}
|
||||
'
|
||||
}
|
||||
|
||||
run_copy_dnsmasq() {
|
||||
local flag listen_port tun_dns
|
||||
eval_set_val $@
|
||||
local dnsmasq_conf=$TMP_ACL_PATH/$flag/dnsmasq.conf
|
||||
local dnsmasq_conf_path=$TMP_ACL_PATH/$flag/dnsmasq.d
|
||||
mkdir -p $dnsmasq_conf_path
|
||||
[ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && {
|
||||
cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $dnsmasq_conf
|
||||
sed -i "/ubus/d" $dnsmasq_conf
|
||||
sed -i "/dhcp/d" $dnsmasq_conf
|
||||
sed -i "/port=/d" $dnsmasq_conf
|
||||
sed -i "/conf-dir/d" $dnsmasq_conf
|
||||
sed -i "/no-poll/d" $dnsmasq_conf
|
||||
sed -i "/no-resolv/d" $dnsmasq_conf
|
||||
}
|
||||
local set_type="ipset"
|
||||
[ "${nftflag}" = "1" ] && {
|
||||
set_type="nftset"
|
||||
local setflag_4="4#inet#passwall2#"
|
||||
local setflag_6="6#inet#passwall2#"
|
||||
}
|
||||
cat <<-EOF >> $dnsmasq_conf
|
||||
port=${listen_port}
|
||||
conf-dir=${dnsmasq_conf_path}
|
||||
server=${tun_dns}
|
||||
no-poll
|
||||
no-resolv
|
||||
EOF
|
||||
node_servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2)
|
||||
hosts_foreach "node_servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" | gen_dnsmasq_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${AUTO_DNS}}" outf="${dnsmasq_conf_path}/10-vpslist_host.conf" ipsetoutf="${dnsmasq_conf_path}/ipset.conf"
|
||||
ln_run "$(first_type dnsmasq)" "dnsmasq_${flag}" "/dev/null" -C $dnsmasq_conf -x $TMP_ACL_PATH/$flag/dnsmasq.pid
|
||||
echo "${listen_port}" > $TMP_ACL_PATH/$flag/var_redirect_dns_port
|
||||
}
|
||||
|
||||
run_ipset_chinadns_ng() {
|
||||
local listen_port server_dns ipset nftset config_file
|
||||
eval_set_val $@
|
||||
[ ! -s "$TMP_ACL_PATH/vpslist" ] && {
|
||||
node_servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2)
|
||||
hosts_foreach "node_servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" > $TMP_ACL_PATH/vpslist
|
||||
}
|
||||
|
||||
[ -n "${ipset}" ] && {
|
||||
set_names=$ipset
|
||||
vps_set_names="passwall2_vpslist,passwall2_vpslist6"
|
||||
}
|
||||
[ -n "${nftset}" ] && {
|
||||
set_names=$(echo ${nftset} | awk -F, '{printf "%s,%s", substr($1,3), substr($2,3)}' | sed 's/#/@/g')
|
||||
vps_set_names="inet@passwall2@passwall2_vpslist,inet@passwall2@passwall2_vpslist6"
|
||||
}
|
||||
cat <<-EOF > $config_file
|
||||
bind-addr 127.0.0.1
|
||||
bind-port ${listen_port}
|
||||
china-dns ${server_dns}
|
||||
trust-dns ${server_dns}
|
||||
filter-qtype 65
|
||||
add-tagchn-ip ${set_names}
|
||||
default-tag chn
|
||||
group vpslist
|
||||
group-dnl $TMP_ACL_PATH/vpslist
|
||||
group-upstream ${server_dns}
|
||||
group-ipset ${vps_set_names}
|
||||
EOF
|
||||
ln_run "$(first_type chinadns-ng)" "chinadns-ng" "/dev/null" -C $config_file -v
|
||||
}
|
||||
|
||||
run_ipset_dnsmasq() {
|
||||
local listen_port server_dns ipset nftset cache_size dns_forward_max config_file
|
||||
eval_set_val $@
|
||||
@ -976,6 +1057,7 @@ acl_app() {
|
||||
redir_port=11200
|
||||
dns_port=11300
|
||||
dnsmasq_port=11400
|
||||
[ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
|
||||
for item in $items; do
|
||||
index=$(expr $index + 1)
|
||||
local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface
|
||||
@ -1048,24 +1130,7 @@ acl_app() {
|
||||
${run_func} flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_query_strategy=${direct_dns_query_strategy} remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_detour=${remote_dns_detour} remote_fakedns=${remote_fakedns} remote_dns_query_strategy=${remote_dns_query_strategy} write_ipset_direct=${write_ipset_direct} config_file=${config_file}
|
||||
fi
|
||||
dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
|
||||
redirect_dns_port=$dnsmasq_port
|
||||
mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d
|
||||
[ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && {
|
||||
cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
}
|
||||
echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
echo "conf-dir=${TMP_ACL_PATH}/${sid}/dnsmasq.d" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
echo "server=127.0.0.1#${dns_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
|
||||
#source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_ACL_PATH/$sid/dnsmasq.d DNSMASQ_CONF_FILE=/dev/null DEFAULT_DNS=$AUTO_DNS TUN_DNS=127.0.0.1#${dns_port} NFTFLAG=${nftflag:-0} NO_LOGIC_LOG=1
|
||||
ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid
|
||||
run_copy_dnsmasq flag="$sid" listen_port=$dnsmasq_port tun_dns="127.0.0.1#${dns_port}"
|
||||
eval node_${node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port}
|
||||
filter_node $node TCP > /dev/null 2>&1 &
|
||||
filter_node $node UDP > /dev/null 2>&1 &
|
||||
@ -1075,10 +1140,8 @@ acl_app() {
|
||||
fi
|
||||
echo "${redir_port}" > $TMP_ACL_PATH/$sid/var_port
|
||||
}
|
||||
[ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port
|
||||
unset enabled sid remarks sources interface node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy
|
||||
unset _ip _mac _iprange _ipset _ip_or_mac source_list config_file
|
||||
unset redirect_dns_port
|
||||
done
|
||||
unset redir_port dns_port dnsmasq_port
|
||||
}
|
||||
@ -1127,7 +1190,6 @@ start() {
|
||||
|
||||
[ "$ENABLED_DEFAULT_ACL" == 1 ] && run_global
|
||||
[ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start
|
||||
[ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_dnsmasq.sh logic_restart
|
||||
if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then
|
||||
bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables)
|
||||
echo -n $bridge_nf_ipt > $TMP_PATH/bridge_nf_ipt
|
||||
@ -1153,8 +1215,6 @@ stop() {
|
||||
unset V2RAY_LOCATION_ASSET
|
||||
unset XRAY_LOCATION_ASSET
|
||||
stop_crontab
|
||||
source $APP_PATH/helper_dnsmasq.sh del
|
||||
source $APP_PATH/helper_dnsmasq.sh restart no_log=1
|
||||
[ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1
|
||||
[ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1
|
||||
rm -rf ${TMP_PATH}
|
||||
@ -1208,8 +1268,6 @@ PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0)
|
||||
XRAY_BIN=$(first_type $(config_t_get global_app xray_file) xray)
|
||||
SINGBOX_BIN=$(first_type $(config_t_get global_app singbox_file) sing-box)
|
||||
|
||||
get_dnsmasq_conf_dir
|
||||
|
||||
export V2RAY_LOCATION_ASSET=$(config_t_get global_rules v2ray_location_asset "/usr/share/v2ray/")
|
||||
export XRAY_LOCATION_ASSET=$V2RAY_LOCATION_ASSET
|
||||
mkdir -p /tmp/etc $TMP_PATH $TMP_BIN_PATH $TMP_SCRIPT_FUNC_PATH $TMP_ID_PATH $TMP_ROUTE_PATH $TMP_ACL_PATH $TMP_IFACE_PATH $TMP_PATH2
|
||||
|
||||
@ -1,146 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
stretch() {
|
||||
#zhenduiluanshezhiDNSderen
|
||||
local dnsmasq_server=$(uci -q get dhcp.@dnsmasq[0].server)
|
||||
local dnsmasq_noresolv=$(uci -q get dhcp.@dnsmasq[0].noresolv)
|
||||
local _flag
|
||||
for server in $dnsmasq_server; do
|
||||
[ -z "$(echo $server | grep '\/')" ] && _flag=1
|
||||
done
|
||||
[ -z "$_flag" ] && [ "$dnsmasq_noresolv" = "1" ] && {
|
||||
uci -q delete dhcp.@dnsmasq[0].noresolv
|
||||
uci -q set dhcp.@dnsmasq[0].resolvfile="$RESOLVFILE"
|
||||
uci commit dhcp
|
||||
}
|
||||
}
|
||||
|
||||
backup_servers() {
|
||||
DNSMASQ_DNS=$(uci show dhcp.@dnsmasq[0] | grep ".server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' ',')
|
||||
if [ -n "${DNSMASQ_DNS}" ]; then
|
||||
uci -q set $CONFIG.@global[0].dnsmasq_servers="${DNSMASQ_DNS}"
|
||||
uci commit $CONFIG
|
||||
fi
|
||||
}
|
||||
|
||||
restore_servers() {
|
||||
OLD_SERVER=$(uci -q get $CONFIG.@global[0].dnsmasq_servers | tr "," " ")
|
||||
for server in $OLD_SERVER; do
|
||||
uci -q del_list dhcp.@dnsmasq[0].server=$server
|
||||
uci -q add_list dhcp.@dnsmasq[0].server=$server
|
||||
done
|
||||
uci commit dhcp
|
||||
uci -q delete $CONFIG.@global[0].dnsmasq_servers
|
||||
uci commit $CONFIG
|
||||
}
|
||||
|
||||
logic_restart() {
|
||||
local no_log
|
||||
eval_set_val $@
|
||||
_LOG_FILE=$LOG_FILE
|
||||
[ -n "$no_log" ] && LOG_FILE="/dev/null"
|
||||
if [ -f "$TMP_PATH/default_DNS" ]; then
|
||||
backup_servers
|
||||
#sed -i "/list server/d" /etc/config/dhcp >/dev/null 2>&1
|
||||
for server in $(uci -q get dhcp.@dnsmasq[0].server); do
|
||||
[ -n "$(echo $server | grep '\/')" ] || uci -q del_list dhcp.@dnsmasq[0].server="$server"
|
||||
done
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
restore_servers
|
||||
else
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
fi
|
||||
echolog "重启 dnsmasq 服务"
|
||||
LOG_FILE=${_LOG_FILE}
|
||||
}
|
||||
|
||||
restart() {
|
||||
local no_log
|
||||
eval_set_val $@
|
||||
_LOG_FILE=$LOG_FILE
|
||||
[ -n "$no_log" ] && LOG_FILE="/dev/null"
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
echolog "重启 dnsmasq 服务"
|
||||
LOG_FILE=${_LOG_FILE}
|
||||
}
|
||||
|
||||
gen_items() {
|
||||
local dnss settype setnames outf ipsetoutf
|
||||
eval_set_val $@
|
||||
|
||||
awk -v dnss="${dnss}" -v settype="${settype}" -v setnames="${setnames}" -v outf="${outf}" -v ipsetoutf="${ipsetoutf}" '
|
||||
BEGIN {
|
||||
if(outf == "") outf="/dev/stdout";
|
||||
if(ipsetoutf == "") ipsetoutf=outf;
|
||||
split(dnss, dns, ","); setdns=length(dns)>0; setlist=length(setnames)>0;
|
||||
if(setdns) for(i in dns) if(length(dns[i])==0) delete dns[i];
|
||||
fail=1;
|
||||
}
|
||||
! /^$/&&!/^#/ {
|
||||
fail=0
|
||||
if(setdns) for(i in dns) printf("server=/.%s/%s\n", $0, dns[i]) >>outf;
|
||||
if(setlist) printf("%s=/.%s/%s\n", settype, $0, setnames) >>ipsetoutf;
|
||||
}
|
||||
END {fflush(outf); close(outf); fflush(ipsetoutf); close(ipsetoutf); exit(fail);}
|
||||
'
|
||||
}
|
||||
|
||||
add() {
|
||||
local TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS NFTFLAG NO_LOGIC_LOG
|
||||
eval_set_val $@
|
||||
_LOG_FILE=$LOG_FILE
|
||||
[ -n "$NO_LOGIC_LOG" ] && LOG_FILE="/dev/null"
|
||||
mkdir -p "${TMP_DNSMASQ_PATH}" "${DNSMASQ_PATH}" "${DNSMASQ_CONF_DIR}"
|
||||
|
||||
local set_type="ipset"
|
||||
[ "${NFTFLAG}" = "1" ] && {
|
||||
set_type="nftset"
|
||||
local setflag_4="4#inet#passwall2#"
|
||||
local setflag_6="6#inet#passwall2#"
|
||||
}
|
||||
|
||||
#始终用国内DNS解析节点域名
|
||||
servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2)
|
||||
hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" | gen_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpslist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf"
|
||||
echolog " - [$?]节点列表中的域名(vpslist):${DEFAULT_DNS:-默认}"
|
||||
|
||||
echo "conf-dir=${TMP_DNSMASQ_PATH}" > $DNSMASQ_CONF_FILE
|
||||
[ -n "${TUN_DNS}" ] && {
|
||||
echo "${DEFAULT_DNS}" > $TMP_PATH/default_DNS
|
||||
cat <<-EOF >> $DNSMASQ_CONF_FILE
|
||||
server=${TUN_DNS}
|
||||
all-servers
|
||||
no-poll
|
||||
no-resolv
|
||||
EOF
|
||||
echolog " - [$?]默认:${TUN_DNS}"
|
||||
}
|
||||
LOG_FILE=${_LOG_FILE}
|
||||
}
|
||||
|
||||
del() {
|
||||
rm -rf $DNSMASQ_CONF_DIR/dnsmasq-$CONFIG.conf
|
||||
rm -rf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf
|
||||
rm -rf $TMP_DNSMASQ_PATH
|
||||
}
|
||||
|
||||
arg1=$1
|
||||
shift
|
||||
case $arg1 in
|
||||
stretch)
|
||||
stretch $@
|
||||
;;
|
||||
add)
|
||||
add $@
|
||||
;;
|
||||
del)
|
||||
del $@
|
||||
;;
|
||||
restart)
|
||||
restart $@
|
||||
;;
|
||||
logic_restart)
|
||||
logic_restart $@
|
||||
;;
|
||||
*) ;;
|
||||
esac
|
||||
@ -322,9 +322,22 @@ load_acl() {
|
||||
echolog " - ${msg}不代理所有 UDP"
|
||||
fi
|
||||
}
|
||||
|
||||
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && {
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null
|
||||
}
|
||||
else
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null
|
||||
fi
|
||||
|
||||
[ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
|
||||
msg2="${msg}使用 TCP 节点[$node_remark]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
msg2="${msg2}(TPROXY:${redir_port})"
|
||||
@ -342,7 +355,7 @@ load_acl() {
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null
|
||||
$ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
|
||||
}
|
||||
|
||||
@ -353,7 +366,7 @@ load_acl() {
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
}
|
||||
@ -372,7 +385,7 @@ load_acl() {
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN
|
||||
[ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null
|
||||
$ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null
|
||||
}
|
||||
@ -415,6 +428,15 @@ load_acl() {
|
||||
fi
|
||||
}
|
||||
|
||||
if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
$ipt_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
}
|
||||
fi
|
||||
|
||||
if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
|
||||
msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
@ -592,11 +614,6 @@ filter_node() {
|
||||
fi
|
||||
}
|
||||
|
||||
dns_hijack() {
|
||||
$ipt_n -I PSW2 -p udp --dport 53 -j REDIRECT --to-ports 53
|
||||
echolog "强制转发本机DNS端口 UDP/53 的请求[$?]"
|
||||
}
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
ipset -! create $IPSET_LANLIST nethash maxelem 1048576
|
||||
@ -760,6 +777,9 @@ add_firewall_rule() {
|
||||
$ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
|
||||
$ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
}
|
||||
|
||||
$ip6t_n -N PSW2_REDIRECT
|
||||
$ip6t_n -I PREROUTING 1 -j PSW2_REDIRECT
|
||||
|
||||
$ip6t_m -N PSW2_DIVERT
|
||||
$ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1
|
||||
@ -845,6 +865,15 @@ add_firewall_rule() {
|
||||
echolog " - ${msg}不代理所有 UDP"
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
$ipt_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
$ipt_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port)
|
||||
$ip6t_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null
|
||||
}
|
||||
fi
|
||||
|
||||
# 加载路由器自身代理 TCP
|
||||
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
|
||||
|
||||
@ -286,8 +286,8 @@ load_acl() {
|
||||
local _SHUNT_RULE_NODE=$(config_n_get $NODE ${_shunt_id} nil)
|
||||
[ "${_SHUNT_RULE_NODE}" == "_default" ] && _SHUNT_RULE_NODE=${_SHUNT_DEFAULT_NODE}
|
||||
[ "${_SHUNT_RULE_NODE}" == "_direct" ] && {
|
||||
insert_nftset $ipset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $ipset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
insert_nftset $nftset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local _geoip_code=$(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$_geoip_code" ] && _GEOIP_CODE="${_GEOIP_CODE:+$_GEOIP_CODE,}$_geoip_code"
|
||||
@ -297,8 +297,8 @@ load_acl() {
|
||||
}
|
||||
|
||||
if [ -n "$_GEOIP_CODE" ] && type geoview &> /dev/null; then
|
||||
insert_nftset $ipset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $ipset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
insert_nftset $nftset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
|
||||
fi
|
||||
fi
|
||||
@ -367,8 +367,21 @@ load_acl() {
|
||||
fi
|
||||
}
|
||||
|
||||
if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
}
|
||||
else
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\""
|
||||
fi
|
||||
|
||||
[ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && {
|
||||
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
|
||||
msg2="${msg}使用 TCP 节点[$node_remark]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
msg2="${msg2}(TPROXY:${redir_port})"
|
||||
@ -389,7 +402,7 @@ load_acl() {
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
@ -401,7 +414,7 @@ load_acl() {
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
@ -420,7 +433,7 @@ load_acl() {
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\""
|
||||
[ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
@ -461,6 +474,15 @@ load_acl() {
|
||||
fi
|
||||
}
|
||||
|
||||
if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\""
|
||||
}
|
||||
fi
|
||||
|
||||
if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then
|
||||
msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
@ -650,22 +672,6 @@ filter_node() {
|
||||
fi
|
||||
}
|
||||
|
||||
dns_hijack() {
|
||||
[ $(config_t_get global dns_redirect "0") = "1" ] && {
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp udp dport 53 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp tcp dport 53 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return"
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 tcp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
|
||||
nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
|
||||
uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null
|
||||
uci commit dhcp 2>/dev/null
|
||||
echolog " - 开启 DNS 重定向"
|
||||
}
|
||||
}
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
gen_nft_tables
|
||||
@ -721,8 +727,8 @@ add_firewall_rule() {
|
||||
local SHUNT_RULE_NODE=$(config_n_get $NODE ${shunt_id} nil)
|
||||
[ "${SHUNT_RULE_NODE}" == "_default" ] && SHUNT_RULE_NODE=${SHUNT_DEFAULT_NODE}
|
||||
[ "${SHUNT_RULE_NODE}" == "_direct" ] && {
|
||||
insert_nftset $ipset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $ipset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
insert_nftset $nftset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
[ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
|
||||
local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
|
||||
[ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
|
||||
@ -732,8 +738,8 @@ add_firewall_rule() {
|
||||
}
|
||||
|
||||
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
|
||||
insert_nftset $ipset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $ipset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
insert_nftset $nftset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
|
||||
insert_nftset $nftset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
|
||||
fi
|
||||
|
||||
@ -917,7 +923,16 @@ add_firewall_rule() {
|
||||
echolog " - ${msg}不代理所有 UDP"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then
|
||||
[ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
|
||||
}
|
||||
fi
|
||||
|
||||
# 加载路由器自身代理 TCP
|
||||
if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
|
||||
[ "$accept_icmp" = "1" ] && {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user