From 98732c1d3066319eb47a5fb00992ed439cac1f23 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:00:39 +0800 Subject: [PATCH] =?UTF-8?q?=F0=9F=8D=89=20Sync=202024-12-12=2010:00?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../luasrc/passwall/util_xray.lua | 5 +- luci-app-passwall2/Makefile | 4 +- .../root/usr/share/passwall2/app.sh | 154 ++++++++++++------ .../usr/share/passwall2/helper_dnsmasq.sh | 146 ----------------- .../root/usr/share/passwall2/iptables.sh | 47 +++++- .../root/usr/share/passwall2/nftables.sh | 73 +++++---- 6 files changed, 193 insertions(+), 236 deletions(-) delete mode 100755 luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh diff --git a/luci-app-passwall/luasrc/passwall/util_xray.lua b/luci-app-passwall/luasrc/passwall/util_xray.lua index 05a9f1dd..67e47332 100644 --- a/luci-app-passwall/luasrc/passwall/util_xray.lua +++ b/luci-app-passwall/luasrc/passwall/util_xray.lua @@ -186,8 +186,7 @@ function gen_outbound(flag, node, tag, proxy_table) } or nil, wsSettings = (node.transport == "ws") and { path = node.ws_path or "/", - headers = (node.ws_host ~= nil) and - {Host = node.ws_host} or nil, + host = node.ws_host or nil, maxEarlyData = tonumber(node.ws_maxEarlyData) or nil, earlyDataHeaderName = (node.ws_earlyDataHeaderName) and node.ws_earlyDataHeaderName or nil, heartbeatPeriod = tonumber(node.ws_heartbeatPeriod) or nil @@ -486,7 +485,7 @@ function gen_config_server(node) header = {type = node.mkcp_guise} } or nil, wsSettings = (node.transport == "ws") and { - headers = (node.ws_host) and {Host = node.ws_host} or nil, + host = node.ws_host or nil, path = node.ws_path } or nil, httpSettings = (node.transport == "h2") and { diff --git a/luci-app-passwall2/Makefile b/luci-app-passwall2/Makefile index a1a23df0..08f79b5f 100644 --- a/luci-app-passwall2/Makefile +++ b/luci-app-passwall2/Makefile 
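Review bot: The new `host = node.ws_host or nil` key in the gen_outbound wsSettings (and its twin in gen_config_server) is only honoured by Xray cores that added the top-level `host` field; a core that ignores the unknown key sends no Host header at all, so a CDN-fronted WebSocket node presents the wrong Host for its SNI and silently fails or lands on a different backend. Unless the package now pins a minimum Xray version, keep emitting the legacy form next to the new one, `host = node.ws_host or nil,` followed by `headers = (node.ws_host ~= nil) and {Host = node.ws_host} or nil,`, and drop the legacy line once the minimum core is raised. Whether the current core accepts both keys at once is not visible here and should be checked against the core's config parser. Both tables continue outside the hunks.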
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall2 PKG_VERSION:=24.12.11 -PKG_RELEASE:=1 +PKG_RELEASE:=3 PKG_CONFIG_DEPENDS:= \ CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \ @@ -47,6 +47,7 @@ if PACKAGE_$(PKG_NAME) config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy bool "Iptables Transparent Proxy" + select PACKAGE_chinadns-ng select PACKAGE_dnsmasq-full select PACKAGE_dnsmasq_full_ipset select PACKAGE_ipset @@ -62,6 +63,7 @@ config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy config PACKAGE_$(PKG_NAME)_Nftables_Transparent_Proxy bool "Nftables Transparent Proxy" + select PACKAGE_chinadns-ng select PACKAGE_dnsmasq-full select PACKAGE_dnsmasq_full_nftset select PACKAGE_nftables diff --git a/luci-app-passwall2/root/usr/share/passwall2/app.sh b/luci-app-passwall2/root/usr/share/passwall2/app.sh index 9e0bf5c2..991ee546 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -13,9 +13,6 @@ TMP_ROUTE_PATH=$TMP_PATH/route TMP_ACL_PATH=$TMP_PATH/acl TMP_IFACE_PATH=$TMP_PATH/iface TMP_PATH2=/tmp/etc/${CONFIG}_tmp -DNSMASQ_PATH=/etc/dnsmasq.d -DNSMASQ_CONF_DIR=/tmp/dnsmasq.d -TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} LOG_FILE=/tmp/log/$CONFIG.log APP_PATH=/usr/share/$CONFIG RULES_PATH=/usr/share/${CONFIG}/rules @@ -288,17 +285,6 @@ lua_api() { echo $(lua -e "local api = require 'luci.passwall2.api' print(api.${func})") } -get_dnsmasq_conf_dir() { - local dnsmasq_conf_path=$(grep -l "^conf-dir=" /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}) - [ -n "$dnsmasq_conf_path" ] && { - local dnsmasq_conf_dir=$(grep '^conf-dir=' "$dnsmasq_conf_path" | cut -d'=' -f2 | head -n 1) - [ -n "$dnsmasq_conf_dir" ] && { - DNSMASQ_CONF_DIR=${dnsmasq_conf_dir%*/} - TMP_DNSMASQ_PATH=${DNSMASQ_CONF_DIR}/${CONFIG} - } - } -} - get_geoip() { local geoip_code="$1" local geoip_type_flag="" 
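Review bot: `select PACKAGE_chinadns-ng` in both transparent-proxy variants makes chinadns-ng a hard build dependency, yet app.sh's new `run_ipset_dns_server` still branches on `first_type chinadns-ng` and falls back to dnsmasq, so on a rebuilt image the direct (whitelist) resolver silently changes engine from the previous release while the dnsmasq path stays reachable only for users who later remove the package. Record that intent next to the selects, e.g. `# chinadns-ng serves the direct (whitelist) DNS resolver; app.sh falls back to dnsmasq when the binary is absent`, so the next person does not drop the fallback or the select without knowing why both exist. The PKG_RELEASE bump alone does not signal the engine change to users.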
@@ -353,9 +339,9 @@ run_xray() { [ "${write_ipset_direct}" = "1" ] && { direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) local set_flag="${flag}" - local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf + local direct_ipset_conf=${TMP_ACL_PATH}/default/dns_${flag}_direct.conf [ -n "$(echo ${flag} | grep '^acl')" ] && { - direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf + direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dns_${flag}_direct.conf set_flag=$(echo ${flag} | awk -F '_' '{print $2}') } if [ "${nftflag}" = "1" ]; then @@ -363,7 +349,7 @@ run_xray() { else local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" fi - run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} + run_ipset_dns_server listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port} DIRECT_DNS_UDP_SERVER="127.0.0.1" [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" @@ -465,9 +451,9 @@ run_singbox() { [ "${write_ipset_direct}" = "1" ] && { direct_dnsmasq_listen_port=$(get_new_port $(expr $dns_listen_port + 1) udp) local set_flag="${flag}" - local direct_ipset_conf=$TMP_PATH/dnsmasq_${flag}_direct.conf + local direct_ipset_conf=${TMP_ACL_PATH}/default/dns_${flag}_direct.conf [ -n "$(echo ${flag} | grep '^acl')" ] && { - direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dnsmasq_${flag}_direct.conf + direct_ipset_conf=${TMP_ACL_PATH}/${sid}/dns_${flag}_direct.conf set_flag=$(echo ${flag} | awk -F '_' '{print $2}') } if [ "${nftflag}" = "1" ]; then 
@@ -475,7 +461,7 @@ run_singbox() { else local direct_ipset="passwall2_${set_flag}_whitelist,passwall2_${set_flag}_whitelist6" fi - run_ipset_dnsmasq listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} + run_ipset_dns_server listen_port=${direct_dnsmasq_listen_port} server_dns=${AUTO_DNS} ipset="${direct_ipset}" nftset="${direct_nftset}" config_file=${direct_ipset_conf} DIRECT_DNS_UDP_PORT=${direct_dnsmasq_listen_port} DIRECT_DNS_UDP_SERVER="127.0.0.1" [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" @@ -719,9 +705,6 @@ run_global() { msg="${msg})" echolog ${msg} - source $APP_PATH/helper_dnsmasq.sh stretch - source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE=${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf DEFAULT_DNS=$AUTO_DNS LOCAL_DNS=$LOCAL_DNS TUN_DNS=$TUN_DNS NFTFLAG=${nftflag:-0} - V2RAY_CONFIG=$TMP_ACL_PATH/default/global.json V2RAY_LOG=$TMP_ACL_PATH/default/global.log [ "$(config_t_get global log_node 1)" != "1" ] && V2RAY_LOG="/dev/null" @@ -749,6 +732,9 @@ run_global() { fi ${run_func} $V2RAY_ARGS + + GLOBAL_DNSMASQ_PORT=$(get_new_port 11400) + run_copy_dnsmasq flag="default" listen_port=$GLOBAL_DNSMASQ_PORT tun_dns="${TUN_DNS}" } start_socks() { 
@@ -944,6 +930,101 @@ start_haproxy() { ln_run "$(first_type haproxy)" haproxy "/dev/null" -f "${haproxy_path}/${haproxy_conf}" } +run_ipset_dns_server() { + if [ -n "$(first_type chinadns-ng)" ]; then + run_ipset_chinadns_ng $@ + else + run_ipset_dnsmasq $@ + fi +} + +gen_dnsmasq_items() { + local dnss settype setnames outf ipsetoutf + eval_set_val $@ + + awk -v dnss="${dnss}" -v settype="${settype}" -v setnames="${setnames}" -v outf="${outf}" -v ipsetoutf="${ipsetoutf}" ' + BEGIN { + if(outf == "") outf="/dev/stdout"; + if(ipsetoutf == "") ipsetoutf=outf; + split(dnss, dns, ","); setdns=length(dns)>0; setlist=length(setnames)>0; + if(setdns) for(i in dns) if(length(dns[i])==0) delete dns[i]; + fail=1; + } + ! /^$/&&!/^#/ { + fail=0 + if(setdns) for(i in dns) printf("server=/.%s/%s\n", $0, dns[i]) >>outf; + if(setlist) printf("%s=/.%s/%s\n", settype, $0, setnames) >>ipsetoutf; + } + END {fflush(outf); close(outf); fflush(ipsetoutf); close(ipsetoutf); exit(fail);} + ' +} + +run_copy_dnsmasq() { + local flag listen_port tun_dns + eval_set_val $@ + local dnsmasq_conf=$TMP_ACL_PATH/$flag/dnsmasq.conf + local dnsmasq_conf_path=$TMP_ACL_PATH/$flag/dnsmasq.d + mkdir -p $dnsmasq_conf_path + [ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && { + cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $dnsmasq_conf + sed -i "/ubus/d" $dnsmasq_conf + sed -i "/dhcp/d" $dnsmasq_conf + sed -i "/port=/d" $dnsmasq_conf + sed -i "/conf-dir/d" $dnsmasq_conf + sed -i "/no-poll/d" $dnsmasq_conf + sed -i "/no-resolv/d" $dnsmasq_conf + } + local set_type="ipset" + [ "${nftflag}" = "1" ] && { + set_type="nftset" + local setflag_4="4#inet#passwall2#" + local setflag_6="6#inet#passwall2#" + } + cat <<-EOF >> $dnsmasq_conf + port=${listen_port} + conf-dir=${dnsmasq_conf_path} + server=${tun_dns} + no-poll + no-resolv + EOF + node_servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2) + hosts_foreach "node_servers" host_from_url | grep '[a-zA-Z]$' 
| sort -u | grep -v "engage.cloudflareclient.com" | gen_dnsmasq_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${AUTO_DNS}}" outf="${dnsmasq_conf_path}/10-vpslist_host.conf" ipsetoutf="${dnsmasq_conf_path}/ipset.conf" + ln_run "$(first_type dnsmasq)" "dnsmasq_${flag}" "/dev/null" -C $dnsmasq_conf -x $TMP_ACL_PATH/$flag/dnsmasq.pid + echo "${listen_port}" > $TMP_ACL_PATH/$flag/var_redirect_dns_port +} + +run_ipset_chinadns_ng() { + local listen_port server_dns ipset nftset config_file + eval_set_val $@ + [ ! -s "$TMP_ACL_PATH/vpslist" ] && { + node_servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2) + hosts_foreach "node_servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" > $TMP_ACL_PATH/vpslist + } + + [ -n "${ipset}" ] && { + set_names=$ipset + vps_set_names="passwall2_vpslist,passwall2_vpslist6" + } + [ -n "${nftset}" ] && { + set_names=$(echo ${nftset} | awk -F, '{printf "%s,%s", substr($1,3), substr($2,3)}' | sed 's/#/@/g') + vps_set_names="inet@passwall2@passwall2_vpslist,inet@passwall2@passwall2_vpslist6" + } + cat <<-EOF > $config_file + bind-addr 127.0.0.1 + bind-port ${listen_port} + china-dns ${server_dns} + trust-dns ${server_dns} + filter-qtype 65 + add-tagchn-ip ${set_names} + default-tag chn + group vpslist + group-dnl $TMP_ACL_PATH/vpslist + group-upstream ${server_dns} + group-ipset ${vps_set_names} + EOF + ln_run "$(first_type chinadns-ng)" "chinadns-ng" "/dev/null" -C $config_file -v +} + run_ipset_dnsmasq() { local listen_port server_dns ipset nftset cache_size dns_forward_max config_file eval_set_val $@ 
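Review bot: `run_copy_dnsmasq` copies the system dnsmasq config verbatim and only strips `ubus`, `dhcp`, `port=`, `conf-dir`, `no-poll` and `no-resolv` lines, so any plain `server=` upstreams in the user's base config (OpenWrt writes its `list server` entries into that file) survive next to the appended `server=${tun_dns}`; with `no-resolv` dnsmasq then spreads queries across all of them and part of the clients' lookups go to the unproxied resolver in the clear. The removed helper_dnsmasq.sh `logic_restart` explicitly deleted the non-domain `server=` entries before restarting, so this is a regression in leak protection rather than a design choice. Add `sed -i '/^server=[^\/]/d' $dnsmasq_conf` (keeping `/domain/`-scoped entries) before the heredoc, and consider also deleting `all-servers`/`strict-order` lines so the single tunnel upstream is authoritative. Separately, every chinadns-ng instance is started under the fixed name `"chinadns-ng"` whereas each dnsmasq gets `dnsmasq_${flag}`; if `ln_run` keys its symlink or pid file on that name, a second ACL instance collides, so use `"chinadns-ng_${listen_port}"`. The `sed -i "/port=/d"` pattern is also a substring match and removes `min-port=`/`max-port=`/`query-port=` lines, which may not be intended.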
@@ -976,6 +1057,7 @@ acl_app() {
 redir_port=11200
 dns_port=11300
 dnsmasq_port=11400
+ [ -n "${GLOBAL_DNSMASQ_PORT}" ] && dnsmasq_port=$(get_new_port $GLOBAL_DNSMASQ_PORT)
 for item in $items; do
 index=$(expr $index + 1)
 local enabled sid remarks sources node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy interface use_interface
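Review bot: The re-seeding of `dnsmasq_port` from `GLOBAL_DNSMASQ_PORT` is undocumented, and its purpose (keeping every ACL resolver above the global dnsmasq's port, which may itself have moved past the shared 11400 base) is not obvious since the loop below still advances with `get_new_port $(expr $dnsmasq_port + 1)` before each use. A one-line comment would prevent someone "simplifying" it away: `# start ACL resolvers above the global dnsmasq port (run_global) so get_new_port never hands the same port to both`. It is only effective when run_global ran in this same shell invocation, which is worth stating too. acl_app continues outside the hunk.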
@@ -1048,24 +1130,7 @@ acl_app() { ${run_func} flag=acl_$sid node=$node redir_port=$redir_port socks_address=127.0.0.1 socks_port=$acl_socks_port dns_listen_port=${dns_port} direct_dns_query_strategy=${direct_dns_query_strategy} remote_dns_protocol=${remote_dns_protocol} remote_dns_tcp_server=${remote_dns} remote_dns_udp_server=${remote_dns} remote_dns_doh="${remote_dns}" remote_dns_client_ip=${remote_dns_client_ip} remote_dns_detour=${remote_dns_detour} remote_fakedns=${remote_fakedns} remote_dns_query_strategy=${remote_dns_query_strategy} write_ipset_direct=${write_ipset_direct} config_file=${config_file} fi dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) - redirect_dns_port=$dnsmasq_port - mkdir -p $TMP_ACL_PATH/$sid/dnsmasq.d - [ -s "/tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID}" ] && { - cp -r /tmp/etc/dnsmasq.conf.${DEFAULT_DNSMASQ_CFGID} $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/ubus/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf - } - echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "conf-dir=${TMP_ACL_PATH}/${sid}/dnsmasq.d" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "server=127.0.0.1#${dns_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf - #source $APP_PATH/helper_dnsmasq.sh add TMP_DNSMASQ_PATH=$TMP_ACL_PATH/$sid/dnsmasq.d DNSMASQ_CONF_FILE=/dev/null DEFAULT_DNS=$AUTO_DNS TUN_DNS=127.0.0.1#${dns_port} NFTFLAG=${nftflag:-0} NO_LOGIC_LOG=1 - ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid + run_copy_dnsmasq flag="$sid" listen_port=$dnsmasq_port tun_dns="127.0.0.1#${dns_port}" eval node_${node}_$(echo 
-n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} filter_node $node TCP > /dev/null 2>&1 & filter_node $node UDP > /dev/null 2>&1 & @@ -1075,10 +1140,8 @@ acl_app() { fi echo "${redir_port}" > $TMP_ACL_PATH/$sid/var_port } - [ -n "$redirect_dns_port" ] && echo "${redirect_dns_port}" > $TMP_ACL_PATH/$sid/var_redirect_dns_port unset enabled sid remarks sources interface node direct_dns_query_strategy remote_dns_protocol remote_dns remote_dns_doh remote_dns_client_ip remote_dns_detour remote_fakedns remote_dns_query_strategy unset _ip _mac _iprange _ipset _ip_or_mac source_list config_file - unset redirect_dns_port done unset redir_port dns_port dnsmasq_port } @@ -1127,7 +1190,6 @@ start() { [ "$ENABLED_DEFAULT_ACL" == 1 ] && run_global [ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh start - [ "$ENABLED_DEFAULT_ACL" == 1 ] && source $APP_PATH/helper_dnsmasq.sh logic_restart if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then bridge_nf_ipt=$(sysctl -e -n net.bridge.bridge-nf-call-iptables) echo -n $bridge_nf_ipt > $TMP_PATH/bridge_nf_ipt @@ -1153,8 +1215,6 @@ stop() { unset V2RAY_LOCATION_ASSET unset XRAY_LOCATION_ASSET stop_crontab - source $APP_PATH/helper_dnsmasq.sh del - source $APP_PATH/helper_dnsmasq.sh restart no_log=1 [ -s "$TMP_PATH/bridge_nf_ipt" ] && sysctl -w net.bridge.bridge-nf-call-iptables=$(cat $TMP_PATH/bridge_nf_ipt) >/dev/null 2>&1 [ -s "$TMP_PATH/bridge_nf_ip6t" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=$(cat $TMP_PATH/bridge_nf_ip6t) >/dev/null 2>&1 rm -rf ${TMP_PATH} 
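Review bot: Dropping `helper_dnsmasq.sh del` and the dnsmasq restart from stop() means the files the previous release wrote into the system dnsmasq's conf-dir (`dnsmasq-passwall2.conf` with `server=127.0.0.1#<port>` and `no-resolv`, plus the `passwall2/` directory) are never removed on upgrade, and since the system dnsmasq is no longer restarted either, the first stop/start after installing this release can leave it forwarding every query to a port nothing listens on. A one-time cleanup in stop() keeps the upgrade safe: `rm -f /tmp/dnsmasq.d/dnsmasq-${CONFIG}.conf /etc/dnsmasq.d/dnsmasq-${CONFIG}.conf; rm -rf /tmp/dnsmasq.d/${CONFIG}` followed by `/etc/init.d/dnsmasq restart` when any of them existed; a custom conf-dir like the one the removed `get_dnsmasq_conf_dir` resolved would need the same treatment. Whether a postinst or uci-defaults script already does this is not visible here. stop() continues outside the hunk.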
@@ -1208,8 +1268,6 @@ PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0) XRAY_BIN=$(first_type $(config_t_get global_app xray_file) xray) SINGBOX_BIN=$(first_type $(config_t_get global_app singbox_file) sing-box) -get_dnsmasq_conf_dir - export V2RAY_LOCATION_ASSET=$(config_t_get global_rules v2ray_location_asset "/usr/share/v2ray/") export XRAY_LOCATION_ASSET=$V2RAY_LOCATION_ASSET mkdir -p /tmp/etc $TMP_PATH $TMP_BIN_PATH $TMP_SCRIPT_FUNC_PATH $TMP_ID_PATH $TMP_ROUTE_PATH $TMP_ACL_PATH $TMP_IFACE_PATH $TMP_PATH2 diff --git a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh b/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh deleted file mode 100755 index 470ab1e6..00000000 --- a/luci-app-passwall2/root/usr/share/passwall2/helper_dnsmasq.sh +++ /dev/null 
@@ -1,146 +0,0 @@ -#!/bin/sh - -stretch() { - #zhenduiluanshezhiDNSderen - local dnsmasq_server=$(uci -q get dhcp.@dnsmasq[0].server) - local dnsmasq_noresolv=$(uci -q get dhcp.@dnsmasq[0].noresolv) - local _flag - for server in $dnsmasq_server; do - [ -z "$(echo $server | grep '\/')" ] && _flag=1 - done - [ -z "$_flag" ] && [ "$dnsmasq_noresolv" = "1" ] && { - uci -q delete dhcp.@dnsmasq[0].noresolv - uci -q set dhcp.@dnsmasq[0].resolvfile="$RESOLVFILE" - uci commit dhcp - } -} - -backup_servers() { - DNSMASQ_DNS=$(uci show dhcp.@dnsmasq[0] | grep ".server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' ',') - if [ -n "${DNSMASQ_DNS}" ]; then - uci -q set $CONFIG.@global[0].dnsmasq_servers="${DNSMASQ_DNS}" - uci commit $CONFIG - fi -} - -restore_servers() { - OLD_SERVER=$(uci -q get $CONFIG.@global[0].dnsmasq_servers | tr "," " ") - for server in $OLD_SERVER; do - uci -q del_list dhcp.@dnsmasq[0].server=$server - uci -q add_list dhcp.@dnsmasq[0].server=$server - done - uci commit dhcp - uci -q delete $CONFIG.@global[0].dnsmasq_servers - uci commit $CONFIG -} - -logic_restart() { - local no_log - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$no_log" ] && LOG_FILE="/dev/null" - if [ -f "$TMP_PATH/default_DNS" ]; then - backup_servers - #sed -i "/list server/d" /etc/config/dhcp >/dev/null 2>&1 - for server in $(uci -q get dhcp.@dnsmasq[0].server); do - [ -n "$(echo $server | grep '\/')" ] || uci -q del_list dhcp.@dnsmasq[0].server="$server" - done - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - restore_servers - else - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - fi - echolog "重启 dnsmasq 服务" - LOG_FILE=${_LOG_FILE} -} - -restart() { - local no_log - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$no_log" ] && LOG_FILE="/dev/null" - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - echolog "重启 dnsmasq 服务" - LOG_FILE=${_LOG_FILE} -} - -gen_items() { - local dnss settype setnames outf ipsetoutf - eval_set_val $@ - - awk -v dnss="${dnss}" -v settype="${settype}" -v 
setnames="${setnames}" -v outf="${outf}" -v ipsetoutf="${ipsetoutf}" ' - BEGIN { - if(outf == "") outf="/dev/stdout"; - if(ipsetoutf == "") ipsetoutf=outf; - split(dnss, dns, ","); setdns=length(dns)>0; setlist=length(setnames)>0; - if(setdns) for(i in dns) if(length(dns[i])==0) delete dns[i]; - fail=1; - } - ! /^$/&&!/^#/ { - fail=0 - if(setdns) for(i in dns) printf("server=/.%s/%s\n", $0, dns[i]) >>outf; - if(setlist) printf("%s=/.%s/%s\n", settype, $0, setnames) >>ipsetoutf; - } - END {fflush(outf); close(outf); fflush(ipsetoutf); close(ipsetoutf); exit(fail);} - ' -} - -add() { - local TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS NFTFLAG NO_LOGIC_LOG - eval_set_val $@ - _LOG_FILE=$LOG_FILE - [ -n "$NO_LOGIC_LOG" ] && LOG_FILE="/dev/null" - mkdir -p "${TMP_DNSMASQ_PATH}" "${DNSMASQ_PATH}" "${DNSMASQ_CONF_DIR}" - - local set_type="ipset" - [ "${NFTFLAG}" = "1" ] && { - set_type="nftset" - local setflag_4="4#inet#passwall2#" - local setflag_6="6#inet#passwall2#" - } - - #始终用国内DNS解析节点域名 - servers=$(uci show "${CONFIG}" | grep -E "(.address=|.download_address=)" | cut -d "'" -f 2) - hosts_foreach "servers" host_from_url | grep '[a-zA-Z]$' | sort -u | grep -v "engage.cloudflareclient.com" | gen_items settype="${set_type}" setnames="${setflag_4}passwall2_vpslist,${setflag_6}passwall2_vpslist6" dnss="${LOCAL_DNS:-${DEFAULT_DNS}}" outf="${TMP_DNSMASQ_PATH}/10-vpslist_host.conf" ipsetoutf="${TMP_DNSMASQ_PATH}/ipset.conf" - echolog " - [$?]节点列表中的域名(vpslist):${DEFAULT_DNS:-默认}" - - echo "conf-dir=${TMP_DNSMASQ_PATH}" > $DNSMASQ_CONF_FILE - [ -n "${TUN_DNS}" ] && { - echo "${DEFAULT_DNS}" > $TMP_PATH/default_DNS - cat <<-EOF >> $DNSMASQ_CONF_FILE - server=${TUN_DNS} - all-servers - no-poll - no-resolv - EOF - echolog " - [$?]默认:${TUN_DNS}" - } - LOG_FILE=${_LOG_FILE} -} - -del() { - rm -rf $DNSMASQ_CONF_DIR/dnsmasq-$CONFIG.conf - rm -rf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf - rm -rf $TMP_DNSMASQ_PATH -} - -arg1=$1 -shift -case $arg1 in -stretch) - stretch 
$@ - ;; -add) - add $@ - ;; -del) - del $@ - ;; -restart) - restart $@ - ;; -logic_restart) - logic_restart $@ - ;; -*) ;; -esac diff --git a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh index af9679bd..ae79608f 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/iptables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/iptables.sh 
@@ -322,9 +322,22 @@ load_acl() { echolog " - ${msg}不代理所有 UDP" fi } + + if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && { + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) 2>/dev/null + } + else + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN + $ip6t_n -A PSW2_REDIRECT $(comment "$remarks") -p tcp ${_ipt_source} --dport 53 -j RETURN 2>/dev/null + fi [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW2_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) msg2="${msg}使用 TCP 节点[$node_remark]" if [ -n "${is_tproxy}" ]; then msg2="${msg2}(TPROXY:${redir_port})" 
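Review bot: In the proxied branch the DNS redirect is added only when `var_redirect_dns_port` exists, so an ACL whose dnsmasq failed to start (or whose port file was never written) gets neither a REDIRECT nor a RETURN and its port-53 traffic falls through to the default node's rule appended later in this function, i.e. the client is proxied through one node but resolved through another; either log that case or add an `else` that mirrors the RETURN rules so the mismatch is explicit. The port is also read with `$(cat …)` four times per ACL — read it once, `local acl_dns_port=$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)`, and reuse it, which also removes the window in which the file could change between the reads. load_acl continues outside the hunk.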
@@ -342,7 +355,7 @@ load_acl() { [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} -d $FAKE_IP_6 $(REDIRECT) 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null $ip6t_n -A PSW2 $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null } @@ -353,7 +366,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && { $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null } @@ -372,7 +385,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP_6 -j PSW2_RULE 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN + [ "${write_ipset_direct}" = "1" ] && $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(dst $ipset_whitelist6) -j RETURN 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW2_RULE 2>/dev/null $ip6t_m -A PSW2 $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) 2>/dev/null } 
@@ -415,6 +428,15 @@ load_acl() { fi } + if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + $ipt_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "默认") -p udp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + $ipt_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A PSW2_REDIRECT $(comment "默认") -p tcp --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + } + fi + if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]" if [ -n "${is_tproxy}" ]; then @@ -592,11 +614,6 @@ filter_node() { fi } -dns_hijack() { - $ipt_n -I PSW2 -p udp --dport 53 -j REDIRECT --to-ports 53 - echolog "强制转发本机DNS端口 UDP/53 的请求[$?]" -} - add_firewall_rule() { echolog "开始加载防火墙规则..." ipset -! create $IPSET_LANLIST nethash maxelem 1048576 @@ -760,6 +777,9 @@ add_firewall_rule() { $ip6t_n -A PSW2_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN $ip6t_n -A PSW2_OUTPUT -m mark --mark 0xff -j RETURN } + + $ip6t_n -N PSW2_REDIRECT + $ip6t_n -I PREROUTING 1 -j PSW2_REDIRECT $ip6t_m -N PSW2_DIVERT $ip6t_m -A PSW2_DIVERT -j MARK --set-mark 1 
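Review bot: `$ip6t_n -N PSW2_REDIRECT` and `$ip6t_n -I PREROUTING 1 -j PSW2_REDIRECT` create an IPv6 nat chain that did not exist before, but the hunk shows no matching teardown; unless del_firewall_rule (outside this hunk) already does `$ip6t_n -D PREROUTING -j PSW2_REDIRECT; $ip6t_n -F PSW2_REDIRECT; $ip6t_n -X PSW2_REDIRECT`, every restart leaves an extra PREROUTING jump behind and the later `-N` fails. Position 1 also puts the jump ahead of every firewall/fw4 nat rule, so port-53 packets from any zone, not only LAN, are evaluated here, and neither the ACL nor the default rules restrict by interface; that reliance deserves a comment: `# inserted before fw4 rules; redirected packets from non-LAN zones rely on the filter INPUT policy to drop them`. add_firewall_rule continues outside the hunk.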
@@ -845,6 +865,15 @@ add_firewall_rule() { echolog " - ${msg}不代理所有 UDP" fi } + + if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + $ipt_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + $ipt_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) + $ip6t_n -A OUTPUT $(comment "PSW2") -p tcp -o lo --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) 2>/dev/null + } + fi # 加载路由器自身代理 TCP if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then diff --git a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh index fe39cc9f..fb0112ec 100755 --- a/luci-app-passwall2/root/usr/share/passwall2/nftables.sh +++ b/luci-app-passwall2/root/usr/share/passwall2/nftables.sh 
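Review bot: The new OUTPUT rules redirect everything leaving via `lo` for port 53 without the `-m mark --mark 0xff -j RETURN` exemption that PSW2_OUTPUT carries (visible in the preceding hunk), so any resolver this package itself runs that is pointed at a loopback upstream — `run_ipset_dns_server` with an `AUTO_DNS`/`LOCAL_DNS` of 127.0.0.1, for example — has its own upstream queries bounced back into the passwall dnsmasq and loops. Add the same exemption to the four rules, e.g. `$ipt_n -A OUTPUT $(comment "PSW2") -p udp -o lo --dport 53 -m mark ! --mark 0xff -j REDIRECT --to-ports ${dns_port}` with `dns_port` read once from the file, and note in a comment that `-o lo` only catches processes querying a local address, so a router process that queries an external resolver directly still bypasses the redirect. Whether AUTO_DNS can ever be a loopback address is not visible here. add_firewall_rule continues outside the hunk.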
@@ -286,8 +286,8 @@ load_acl() { local _SHUNT_RULE_NODE=$(config_n_get $NODE ${_shunt_id} nil) [ "${_SHUNT_RULE_NODE}" == "_default" ] && _SHUNT_RULE_NODE=${_SHUNT_DEFAULT_NODE} [ "${_SHUNT_RULE_NODE}" == "_direct" ] && { - insert_nftset $ipset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") - insert_nftset $ipset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") + insert_nftset $nftset_whitelist "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") + insert_nftset $nftset_whitelist6 "0" $(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") [ "$(config_t_get global_rules enable_geoview)" = "1" ] && { local _geoip_code=$(config_n_get $_shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g') [ -n "$_geoip_code" ] && _GEOIP_CODE="${_GEOIP_CODE:+$_GEOIP_CODE,}$_geoip_code" @@ -297,8 +297,8 @@ load_acl() { } if [ -n "$_GEOIP_CODE" ] && type geoview &> /dev/null; then - insert_nftset $ipset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") - insert_nftset $ipset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") + insert_nftset $nftset_whitelist "0" $(get_geoip $_GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}") + insert_nftset $nftset_whitelist6 "0" $(get_geoip $_GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}") echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成" fi fi 
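Review bot: The switch to `$nftset_whitelist`/`$nftset_whitelist6` in the `_direct` shunt branch only works if those names are assigned earlier in load_acl (outside this hunk); `$nftset_whitelist6` is the one the later `ip6 daddr @$nftset_whitelist6` rules use, so if either is unset the `insert_nftset "" "0" …` call silently adds nothing and the `_direct` shunt IPs are proxied instead of bypassed. A guard such as `[ -n "$nftset_whitelist" ] || echolog " - nftset_whitelist is empty, _direct shunt IPs will not be bypassed"` before the inserts would make that failure visible instead of silent. load_acl continues outside the hunk.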
@@ -367,8 +367,21 @@ load_acl() { fi } + if ([ "$tcp_proxy_mode" != "disable" ] || [ "$udp_proxy_mode" != "disable" ]) && [ -n "$redir_port" ]; then + [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && { + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" + } + else + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp ${_ipt_source} udp dport 53 counter return comment \"$remarks\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp ${_ipt_source} tcp dport 53 counter return comment \"$remarks\"" + fi + [ "$tcp_proxy_mode" != "disable" ] && [ -n "$redir_port" ] && { - [ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\"" msg2="${msg}使用 TCP 节点[$node_remark]" if [ -n "${is_tproxy}" ]; then msg2="${msg2}(TPROXY:${redir_port})" 
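Review bot: Each ACL now emits both an `ip protocol udp … udp dport 53` and a `meta l4proto udp … udp dport 53` rule into PSW2_REDIRECT (and the same pair for tcp); if `$NFTABLE_NAME` is an `inet` table, `meta l4proto udp` already matches IPv4 and IPv6, so the `ip protocol` rule can never match anything the `meta l4proto` rule would not, and the chain grows by four entries per ACL for no gain. Keep only the `meta l4proto` rules, or, if `${_ipt_source}` can be an `ip6 saddr` expression that must not be combined with an `ip` match, say so in a comment such as `# ip-protocol and l4proto variants kept because _ipt_source may be family-specific`. The same duplication appears in the default rules later in this function. load_acl continues outside the hunk.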
@@ -389,7 +402,7 @@ load_acl() { [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr $FAKE_IP_6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null - [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null } @@ -401,7 +414,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && { nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" - [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null } 
@@ -420,7 +433,7 @@ load_acl() { [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr $FAKE_IP_6 counter jump PSW2_RULE comment \"$remarks\"" - [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" + [ "${write_ipset_direct}" = "1" ] && nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} ip6 daddr @$nftset_whitelist6 counter return comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW2_RULE comment \"$remarks\"" 2>/dev/null nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $redir_port TPROXY) comment \"$remarks\"" 2>/dev/null } @@ -461,6 +474,15 @@ load_acl() { fi } + if ([ "$TCP_PROXY_MODE" != "disable" ] || [ "$UDP_PROXY_MODE" != "disable" ]) && [ "$NODE" != "nil" ]; then + [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && { + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT ip protocol tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto udp udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + nft "add rule $NFTABLE_NAME PSW2_REDIRECT meta l4proto tcp tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"默认\"" + } + fi + if [ "$TCP_PROXY_MODE" != "disable" ] && [ "$NODE" != "nil" ]; then msg2="${msg}使用 TCP 节点[$(config_n_get $NODE remarks)]" if [ -n "${is_tproxy}" ]; then 
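Review bot: The default PSW2_REDIRECT rules now do the interception the removed nftables `dns_hijack` used to do, but that function also set `dhcp.@dnsmasq[0].dns_redirect='0'` and nothing in the new code does; if a user has fw4's DNS hijack enabled, its own `dstnat … redirect to :53` rule and this one both claim port-53 flows, and which wins depends on chain priority, so clients may end up at the system dnsmasq — which no longer receives the tunnel upstream now that helper_dnsmasq.sh is gone — and resolve in the clear. Either keep clearing `dns_redirect` on start, or detect the conflict and log it: `[ "$(uci -q get dhcp.@dnsmasq[0].dns_redirect)" = "1" ] && echolog " - dhcp.dns_redirect is enabled and competes with PSW2_REDIRECT"`. How the two tables are prioritised is not visible here. load_acl continues outside the hunk.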
@@ -650,22 +672,6 @@ filter_node() {
 fi
 }
-dns_hijack() {
- [ $(config_t_get global dns_redirect "0") = "1" ] && {
- nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol udp udp dport 53 counter return"
- nft "add rule $NFTABLE_NAME PSW2_MANGLE ip protocol tcp tcp dport 53 counter return"
- nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto udp udp dport 53 counter return"
- nft "add rule $NFTABLE_NAME PSW2_MANGLE_V6 meta l4proto tcp tcp dport 53 counter return"
- nft insert rule $NFTABLE_NAME dstnat position 0 tcp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
- nft insert rule $NFTABLE_NAME dstnat position 0 udp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
- nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} tcp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
- nft insert rule $NFTABLE_NAME dstnat position 0 meta nfproto {ipv6} udp dport 53 counter redirect to :53 comment \"PSW2_DNS_Hijack\" 2>/dev/null
- uci -q set dhcp.@dnsmasq[0].dns_redirect='0' 2>/dev/null
- uci commit dhcp 2>/dev/null
- echolog " - 开启 DNS 重定向"
- }
-}
-
 add_firewall_rule() {
 echolog "开始加载防火墙规则..."
 gen_nft_tables
@@ -721,8 +727,8 @@ add_firewall_rule() {
 local SHUNT_RULE_NODE=$(config_n_get $NODE ${shunt_id} nil)
 [ "${SHUNT_RULE_NODE}" == "_default" ] && SHUNT_RULE_NODE=${SHUNT_DEFAULT_NODE}
 [ "${SHUNT_RULE_NODE}" == "_direct" ] && {
- insert_nftset $ipset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
- insert_nftset $ipset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
+ insert_nftset $nftset_global_whitelist "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
+ insert_nftset $nftset_global_whitelist6 "0" $(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
 [ "$(config_t_get global_rules enable_geoview)" = "1" ] && {
 local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
 [ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
@@ -732,8 +738,8 @@ add_firewall_rule() {
 }
 if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
- insert_nftset $ipset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
- insert_nftset $ipset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
+ insert_nftset $nftset_global_whitelist "0" $(get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}")
+ insert_nftset $nftset_global_whitelist6 "0" $(get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
 echolog " - [$?]解析并加入分流节点 GeoIP 到 IPSET 完成"
 fi
@@ -917,7 +923,16 @@ add_firewall_rule() {
 echolog " - ${msg}不代理所有 UDP"
 fi
 }
-
+
+ if [ "$NODE" != "nil" ] && ([ "$TCP_LOCALHOST_PROXY" = "1" ] || [ "$UDP_LOCALHOST_PROXY" = "1" ]); then
+ [ -s "${TMP_ACL_PATH}/default/var_redirect_dns_port" ] && {
+ nft "add rule $NFTABLE_NAME nat_output ip protocol udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
+ nft "add rule $NFTABLE_NAME nat_output ip protocol tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
+ nft "add rule $NFTABLE_NAME nat_output meta l4proto udp oif lo udp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
+ nft "add rule $NFTABLE_NAME nat_output meta l4proto tcp oif lo tcp dport 53 counter redirect to :$(cat ${TMP_ACL_PATH}/default/var_redirect_dns_port) comment \"PSW2\""
+ }
+ fi
+
 # 加载路由器自身代理 TCP
 if [ "$NODE" != "nil" ] && [ "$TCP_LOCALHOST_PROXY" = "1" ]; then
 [ "$accept_icmp" = "1" ] && {