🔥 Sync 2022-10-26 21:01
This commit is contained in:
parent
46c4a58ae1
commit
c49ced5079
@ -1,83 +0,0 @@
|
||||
# SPDX-Identifier-License: GPL-3.0-only
|
||||
#
|
||||
# Copyright (C) 2021 ImmortalWrt.org
|
||||
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=UnblockNeteaseMusic-Go
|
||||
PKG_VERSION:=0.2.13
|
||||
PKG_RELEASE:=$(AUTORELEASE)
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/cnsilvan/UnblockNeteaseMusic/tar.gz/$(PKG_VERSION)?
|
||||
PKG_HASH:=92201b7f04ab1015c806c672b98a29b97d0f137d9b60e6d35d279c2064ed86a4
|
||||
|
||||
PKG_LICENSE:=GPL-3.0
|
||||
PKG_LICENSE_FILE:=LICENSE
|
||||
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
|
||||
|
||||
PKG_CONFIG_DEPENDS:= \
|
||||
CONFIG_UNBLOCKNETEASEMUSIC_GO_COMPRESS_GOPROXY \
|
||||
CONFIG_UNBLOCKNETEASEMUSIC_GO_COMPRESS_UPX
|
||||
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/$(firstword $(subst -, ,$(PKG_NAME)))-$(PKG_VERSION)
|
||||
PKG_BUILD_DEPENDS:=golang/host
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
PKG_USE_MIPS16:=0
|
||||
|
||||
GO_PKG:=github.com/cnsilvan/UnblockNeteaseMusic
|
||||
GO_PKG_BUILD_PKG:=$$(GO_PKG)
|
||||
GO_PKG_LDFLAGS:=-s -w
|
||||
COMPILE_TIME:= $(shell TZ=UTC-8 date '+%Y-%m-%d %H:%M:%S')
|
||||
GO_PKG_LDFLAGS+= \
|
||||
-X '$(GO_PKG)/version.Version=$(PKG_VERSION)' \
|
||||
-X '$(GO_PKG)/version.BuildTime=$(COMPILE_TIME)' \
|
||||
-X '$(GO_PKG)/version.ExGoVersionInfo=$(GO_ARM) $(GO_MIPS)$(GO_MIPS64)'
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include ../../lang/golang/golang-package.mk
|
||||
|
||||
define Package/UnblockNeteaseMusic-Go/config
|
||||
config UNBLOCKNETEASEMUSIC_GO_COMPRESS_GOPROXY
|
||||
bool "Compiling with GOPROXY proxy"
|
||||
default n
|
||||
|
||||
config UNBLOCKNETEASEMUSIC_GO_COMPRESS_UPX
|
||||
bool "Compress executable files with UPX"
|
||||
depends on !mips64
|
||||
default n
|
||||
endef
|
||||
|
||||
ifeq ($(CONFIG_UNBLOCKNETEASEMUSIC_GO_COMPRESS_GOPROXY),y)
|
||||
export GO111MODULE=on
|
||||
export GOPROXY=https://goproxy.io
|
||||
endif
|
||||
|
||||
define Package/UnblockNeteaseMusic-Go
|
||||
SECTION:=multimedia
|
||||
CATEGORY:=Multimedia
|
||||
TITLE:=Revive Netease Cloud Music (Golang)
|
||||
URL:=https://github.com/cnsilvan/UnblockNeteaseMusic
|
||||
DEPENDS:=$(GO_ARCH_DEPENDS)
|
||||
endef
|
||||
|
||||
define Build/Compile
|
||||
$(call GoPackage/Build/Compile)
|
||||
ifeq ($(CONFIG_UNBLOCKNETEASEMUSIC_GO_COMPRESS_UPX),y)
|
||||
$(STAGING_DIR_HOST)/bin/upx --lzma --best $(GO_PKG_BUILD_BIN_DIR)/UnblockNeteaseMusic
|
||||
endif
|
||||
endef
|
||||
|
||||
define Package/UnblockNeteaseMusic-Go/install
|
||||
$(call GoPackage/Package/Install/Bin,$(PKG_INSTALL_DIR))
|
||||
|
||||
$(INSTALL_DIR) $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/UnblockNeteaseMusic $(1)/usr/bin/UnblockNeteaseMusic
|
||||
|
||||
$(INSTALL_DIR) $(1)/usr/share/UnblockNeteaseMusicGo
|
||||
$(CP) ./files/* $(1)/usr/share/UnblockNeteaseMusicGo/
|
||||
|
||||
endef
|
||||
|
||||
$(eval $(call GoBinPackage,UnblockNeteaseMusic-Go))
|
||||
$(eval $(call BuildPackage,UnblockNeteaseMusic-Go))
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICIjCCAaigAwIBAgIUTc9HQDej5hLCQ74u436a5yE4MDcwCgYIKoZIzj0EAwMw
|
||||
SDELMAkGA1UEBhMCQ04xJDAiBgNVBAMMG1VuYmxvY2tOZXRlYXNlTXVzaWMgUm9v
|
||||
dCBDQTETMBEGA1UECgwKMTcxNTE3MzMyOTAeFw0yMTA0MzAwNzIzMDJaFw0yNjA0
|
||||
MjkwNzIzMDJaMEgxCzAJBgNVBAYTAkNOMSQwIgYDVQQDDBtVbmJsb2NrTmV0ZWFz
|
||||
ZU11c2ljIFJvb3QgQ0ExEzARBgNVBAoMCjE3MTUxNzMzMjkwdjAQBgcqhkjOPQIB
|
||||
BgUrgQQAIgNiAASIyI7lYgGlq49qWtY1O2/XNDeowYf7W/Z+l7C14bphxAJ9jSDo
|
||||
tLwbFPWy5VPENc0rB0/yeHA2z7LU67POL2gGgp+17y7scLkkBk3Q7wRMETrtP44Z
|
||||
ITBstZ0wzVyyQEKjUzBRMB0GA1UdDgQWBBQ2F7+t8cPHJaWuCD8RHTSdLugKYzAf
|
||||
BgNVHSMEGDAWgBQ2F7+t8cPHJaWuCD8RHTSdLugKYzAPBgNVHRMBAf8EBTADAQH/
|
||||
MAoGCCqGSM49BAMDA2gAMGUCMQDqaRX2e01e0U+f0As/KUKDhmG5ElkK5CjYK9jk
|
||||
kXLNGFXJLGta6CDvjtMLBPc20qkCMBvDs+JnJKVBEJNZVsRBBs+v2YxNU/u2aYJa
|
||||
dMwXuFveSDWOS7mBeRztX/geEggiSw==
|
||||
-----END CERTIFICATE-----
|
@ -1,15 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICRDCCAcqgAwIBAgIUeVqRrT2mHG5Mc8JD+ErphiAmlgkwCgYIKoZIzj0EAwMw
|
||||
SDELMAkGA1UEBhMCQ04xJDAiBgNVBAMMG1VuYmxvY2tOZXRlYXNlTXVzaWMgUm9v
|
||||
dCBDQTETMBEGA1UECgwKMTcxNTE3MzMyOTAeFw0yMTA0MzAwNzIzMDJaFw0yMjA0
|
||||
MzAwNzIzMDJaMHsxCzAJBgNVBAYTAkNOMREwDwYDVQQHDAhIYW5nemhvdTEsMCoG
|
||||
A1UECgwjTmV0RWFzZSAoSGFuZ3pob3UpIE5ldHdvcmsgQ28uLCBMdGQxETAPBgNV
|
||||
BAsMCElUIERlcHQuMRgwFgYDVQQDDA8qLm11c2ljLjE2My5jb20wdjAQBgcqhkjO
|
||||
PQIBBgUrgQQAIgNiAAQTPyU9RQ1pAFMLmozi+c4pEC1rrxAlPGwO9Em+qV+a5qLW
|
||||
gQjjsJeabMqJ/UQ7hDtdKVxWuXiAjMiDcXwL63I71MZKPTAEKXdCmNQwb4kXvRUn
|
||||
oOR4r7BMxEpGlf0CULWjQjBAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMCkGA1UdEQQi
|
||||
MCCCDW11c2ljLjE2My5jb22CDyoubXVzaWMuMTYzLmNvbTAKBggqhkjOPQQDAwNo
|
||||
ADBlAjEAs5bdgnNP/DiK919RiWscC0kyuY0ugG1C8m8F2Yod4MI3oTyrkVcag21o
|
||||
NSzm802uAjBoPuKEbjjFP4ics0BQdICiVd6WCVAsE69FnlmqRteAJqxvdKGpVLi+
|
||||
Qi3arfomrrc=
|
||||
-----END CERTIFICATE-----
|
@ -1,9 +0,0 @@
|
||||
-----BEGIN EC PARAMETERS-----
|
||||
BgUrgQQAIg==
|
||||
-----END EC PARAMETERS-----
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MIGkAgEBBDBfW3twxGaQmMzP9p0/UU5EvHFVCbBw4piVFJ+pm/uFY6CKZkC5LGMa
|
||||
Uc9vn/KiewGgBwYFK4EEACKhZANiAAQTPyU9RQ1pAFMLmozi+c4pEC1rrxAlPGwO
|
||||
9Em+qV+a5qLWgQjjsJeabMqJ/UQ7hDtdKVxWuXiAjMiDcXwL63I71MZKPTAEKXdC
|
||||
mNQwb4kXvRUnoOR4r7BMxEpGlf0CULU=
|
||||
-----END EC PRIVATE KEY-----
|
@ -1,144 +0,0 @@
|
||||
From f4f5d11b578a1ab2c3d089bbe5453052b43892bb Mon Sep 17 00:00:00 2001
|
||||
From: tofuliang <tofuliang@gmail.com>
|
||||
Date: Mon, 24 Jan 2022 18:53:11 +0800
|
||||
Subject: [PATCH] fix block ad,add web traffic logs
|
||||
|
||||
---
|
||||
app.go | 1 +
|
||||
config/config.go | 1 +
|
||||
processor/processor.go | 55 +++++++++++++++++++++++++++++++++---------
|
||||
3 files changed, 45 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/app.go b/app.go
|
||||
index 73a6070..1018d75 100644
|
||||
--- a/app.go
|
||||
+++ b/app.go
|
||||
@@ -45,6 +45,7 @@ func main() {
|
||||
log.Println("EnableLocalVip=", *config.EnableLocalVip)
|
||||
log.Println("UnlockSoundEffects=", *config.UnlockSoundEffects)
|
||||
log.Println("QQCookieFile=", *config.QQCookieFile)
|
||||
+ log.Println("LogWebTraffic=", *config.LogWebTraffic)
|
||||
if host.InitHosts() == nil {
|
||||
//go func() {
|
||||
// // // terminal: $ go tool pprof -http=:8081 http://localhost:6060/debug/pprof/heap
|
||||
diff --git a/config/config.go b/config/config.go
|
||||
index 6c07873..a653cdf 100644
|
||||
--- a/config/config.go
|
||||
+++ b/config/config.go
|
||||
@@ -31,6 +31,7 @@ var (
|
||||
EnableLocalVip = flag.Bool("lv", false, "enable local vip")
|
||||
UnlockSoundEffects = flag.Bool("sef", false, "unlock SoundEffects")
|
||||
QQCookieFile = flag.String("qc", "./qq.cookie", "specify cookies file ,such as : \"qq.cookie\"")
|
||||
+ LogWebTraffic = flag.Bool("wl", false, "log request url and response")
|
||||
)
|
||||
|
||||
func ValidParams() bool {
|
||||
diff --git a/processor/processor.go b/processor/processor.go
|
||||
index 8d09dbf..d07b9d3 100644
|
||||
--- a/processor/processor.go
|
||||
+++ b/processor/processor.go
|
||||
@@ -6,14 +6,6 @@ import (
|
||||
"crypto/md5"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/cache"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/common"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/config"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/network"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/processor/crypto"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/provider"
|
||||
- "github.com/cnsilvan/UnblockNeteaseMusic/utils"
|
||||
- "golang.org/x/text/width"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
@@ -22,6 +14,15 @@ import (
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
+
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/cache"
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/common"
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/config"
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/network"
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/processor/crypto"
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/provider"
|
||||
+ "github.com/cnsilvan/UnblockNeteaseMusic/utils"
|
||||
+ "golang.org/x/text/width"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -188,6 +189,9 @@ func RequestAfter(request *http.Request, response *http.Response, netease *Netea
|
||||
if ok {
|
||||
code = codeN.String()
|
||||
}
|
||||
+
|
||||
+ logResponse(netease)
|
||||
+
|
||||
if strings.EqualFold(netease.Path, "/api/osx/version") {
|
||||
modified = disableUpdate(netease)
|
||||
} else if strings.Contains(netease.Path, "/usertool/sound/") {
|
||||
@@ -197,9 +201,24 @@ func RequestAfter(request *http.Request, response *http.Response, netease *Netea
|
||||
for key, resp := range netease.JsonBody {
|
||||
if strings.Contains(key, "/usertool/sound/") {
|
||||
modified = unblockSoundEffects(resp.(map[string]interface{}))
|
||||
- } else if *config.BlockAds && strings.Contains(netease.Path, "api/ad/") {
|
||||
+ } else if *config.BlockAds && strings.Contains(key, "api/ad/") {
|
||||
+ log.Println("block Ad has been triggered(" + key + ").")
|
||||
resp = &common.MapType{}
|
||||
modified = true
|
||||
+ } else if *config.BlockAds && strings.EqualFold(key, "/api/v2/banner/get") {
|
||||
+ newInfo := make(common.SliceType, 0)
|
||||
+ info := netease.JsonBody[key]
|
||||
+ for _, data := range info.(common.MapType)["banners"].(common.SliceType) {
|
||||
+ if banner, ok := data.(common.MapType); ok {
|
||||
+ if banner["adid"] == nil {
|
||||
+ newInfo = append(newInfo, banner)
|
||||
+ } else {
|
||||
+ log.Println("block banner Ad has been triggered.")
|
||||
+ modified = true
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ info.(common.MapType)["banners"] = newInfo
|
||||
}
|
||||
}
|
||||
} else if !netease.Web && (code == "401" || code == "512") && strings.Contains(netease.Path, "manipulate") {
|
||||
@@ -220,7 +239,9 @@ func RequestAfter(request *http.Request, response *http.Response, netease *Netea
|
||||
// log.Println("NeedRepackage")
|
||||
modifiedJson, _ := json.Marshal(netease.JsonBody)
|
||||
// log.Println(netease)
|
||||
- // log.Println(string(modifiedJson))
|
||||
+ if *config.LogWebTraffic {
|
||||
+ log.Println("modified =>\n" + string(modifiedJson))
|
||||
+ }
|
||||
if netease.Encrypted {
|
||||
modifiedJson = crypto.AesEncryptECB(modifiedJson, []byte(aeskey))
|
||||
}
|
||||
@@ -258,14 +279,24 @@ func disableUpdate(netease *Netease) bool {
|
||||
if len(value.(common.SliceType)) > 0 {
|
||||
modified = true
|
||||
jsonBody["updateFiles"] = make(common.SliceType, 0)
|
||||
+ log.Println("disable update has been triggered.")
|
||||
}
|
||||
default:
|
||||
}
|
||||
}
|
||||
- // modifiedJson, _ := json.Marshal(jsonBody)
|
||||
- // log.Println(string(modifiedJson))
|
||||
return modified
|
||||
}
|
||||
+
|
||||
+func logResponse(netease *Netease) {
|
||||
+ if *config.LogWebTraffic {
|
||||
+ reqUrl := netease.Path
|
||||
+ jsonBody := netease.JsonBody
|
||||
+ modifiedJson, _ := json.Marshal(jsonBody)
|
||||
+ sep := "===================================\n"
|
||||
+ log.Println(sep + reqUrl + " => \n" + string(modifiedJson) + "\n")
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
func localVIP(netease *Netease) bool {
|
||||
if !*config.EnableLocalVip {
|
||||
return false
|
@ -1,29 +0,0 @@
|
||||
From 6c009953d357d1cc03478cf65fc05701fb1966d6 Mon Sep 17 00:00:00 2001
|
||||
From: ameansone <ameansone@outlook.com>
|
||||
Date: Sun, 5 Dec 2021 19:18:20 +0800
|
||||
Subject: [PATCH] fix(processor): avoid unnecessary decryption
|
||||
|
||||
---
|
||||
processor/processor.go | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/processor/processor.go b/processor/processor.go
|
||||
index 8d09dbf..011571b 100644
|
||||
--- a/processor/processor.go
|
||||
+++ b/processor/processor.go
|
||||
@@ -177,9 +177,13 @@ func RequestAfter(request *http.Request, response *http.Response, netease *Netea
|
||||
if netease.Forward {
|
||||
aeskey = linuxApiKey
|
||||
}
|
||||
- decryptECBBytes, encrypted := crypto.AesDecryptECB(decryptECBBytes, []byte(aeskey))
|
||||
- netease.Encrypted = encrypted
|
||||
result := utils.ParseJson(decryptECBBytes)
|
||||
+ netease.Encrypted = false;
|
||||
+ if result == nil {
|
||||
+ decryptECBBytes, encrypted := crypto.AesDecryptECB(decryptECBBytes, []byte(aeskey))
|
||||
+ netease.Encrypted = encrypted
|
||||
+ result = utils.ParseJson(decryptECBBytes)
|
||||
+ }
|
||||
netease.JsonBody = result
|
||||
|
||||
modified := false
|
@ -140,6 +140,9 @@ function gen_outbound(node, tag, proxy_table)
|
||||
} or nil,
|
||||
-- 底层传输配置
|
||||
streamSettings = (node.protocol == "vmess" or node.protocol == "vless" or node.protocol == "socks" or node.protocol == "shadowsocks" or node.protocol == "trojan") and {
|
||||
sockopt = {
|
||||
mark = 255
|
||||
},
|
||||
network = node.transport,
|
||||
security = node.stream_security,
|
||||
xtlsSettings = (node.stream_security == "xtls") and {
|
||||
@ -651,7 +654,10 @@ if remote_dns_server or remote_dns_doh_url or remote_dns_fake then
|
||||
protocol = "socks",
|
||||
streamSettings = {
|
||||
network = "tcp",
|
||||
security = "none"
|
||||
security = "none",
|
||||
sockopt = {
|
||||
mark = 255
|
||||
}
|
||||
},
|
||||
settings = {
|
||||
servers = {
|
||||
|
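Review bot: The fwmark `255` is written as a bare literal in both hunks (the `sockopt` table added to the protocol `streamSettings` and the one added to the DNS socks outbound), and the same value appears again in the freedom outbound of the next file. Since this mark has to agree exactly with whatever the firewall side matches on, a single named local near the top of the file, `local SOCK_MARK = 255`, referenced as `mark = SOCK_MARK` in each table, would make a future change a one-line edit instead of a hunt across files. The enclosing `gen_outbound` function starts and ends outside the hunk.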
@ -93,7 +93,7 @@ end
|
||||
|
||||
-- 额外传出连接
|
||||
table.insert(outbounds, {
|
||||
protocol = "freedom", tag = "direct", settings = {keep = ""}
|
||||
protocol = "freedom", tag = "direct", settings = {keep = ""}, sockopt = {mark = 255}
|
||||
})
|
||||
|
||||
local config = {
|
||||
|
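Review bot: The `sockopt = {mark = 255}` added to the freedom outbound sits at the outbound's top level, next to `protocol` and `tag`, whereas every other hunk in this commit nests it under `streamSettings`, which is where the core expects socket options; at the top level it is most likely ignored, so the direct outbound would stay unmarked. The line should probably read `protocol = "freedom", tag = "direct", settings = {keep = ""}, streamSettings = {sockopt = {mark = 255}}`. Worth verifying against the generated config before merging, since an unmarked direct outbound can loop back through the transparent-proxy rules.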
@ -15,7 +15,7 @@ local require_dir = "luci.model.cbi.passwall.server.api."
|
||||
local ipt_bin = sys.exec("echo -n $(/usr/share/passwall/iptables.sh get_ipt_bin)")
|
||||
local ip6t_bin = sys.exec("echo -n $(/usr/share/passwall/iptables.sh get_ip6t_bin)")
|
||||
|
||||
local nft_flag = sys.exec("command -v fw4") and "1" or "0"
|
||||
local nft_flag = api.is_finded("fw4") and "1" or "0"
|
||||
|
||||
local function log(...)
|
||||
local f, err = io.open(LOG_APP_FILE, "a")
|
||||
|
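Review bot: The replaced `sys.exec("command -v fw4") and "1" or "0"` always yielded `"1"`, because `sys.exec` returns a string and an empty string is truthy in Lua; the new `api.is_finded("fw4")` form only fixes that if `is_finded` returns a boolean or nil for a missing binary, which this hunk cannot show. A short comment on the new line, `-- is_finded must return false/nil when fw4 is absent; a string result would always be truthy`, would stop the next refactor from reintroducing the bug. The surrounding code runs outside the hunk.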
@ -73,8 +73,6 @@ get_host_ip() {
|
||||
isip=$(echo $host | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}")
|
||||
if [ -n "$isip" ]; then
|
||||
isip=$(echo $host | cut -d '[' -f2 | cut -d ']' -f1)
|
||||
else
|
||||
isip=$(echo $host | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
|
||||
fi
|
||||
else
|
||||
isip=$(echo $host | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
|
||||
@ -1355,7 +1353,7 @@ start() {
|
||||
if [ "$use_nft" == 1 ] && [ -z "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
|
||||
echolog "Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。"
|
||||
elif [ "$use_nft" == 1 ] && [ -n "$(dnsmasq --version | grep 'Compile time options:.* nftset')" ]; then
|
||||
echolog "使用nftables进行透明代理,一些不支持nftables的组件如smartdns分流等将不可用。"
|
||||
echolog "使用nftables进行透明代理,一些不支持nftables的组件如chinadns-ng等可能不会正常工作。"
|
||||
nftflag=1
|
||||
start_redir TCP
|
||||
start_redir UDP
|
||||
|
@ -67,7 +67,7 @@ restart() {
|
||||
add() {
|
||||
local FLAG TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS REMOTE_FAKEDNS CHINADNS_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG NFTFLAG
|
||||
eval_set_val $@
|
||||
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG $FLAG -TMP_DNSMASQ_PATH $TMP_DNSMASQ_PATH -DNSMASQ_CONF_FILE $DNSMASQ_CONF_FILE -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS -TUN_DNS $TUN_DNS -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -CHINADNS_DNS ${CHINADNS_DNS:-0} -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG}
|
||||
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG $FLAG -TMP_DNSMASQ_PATH $TMP_DNSMASQ_PATH -DNSMASQ_CONF_FILE $DNSMASQ_CONF_FILE -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS -TUN_DNS $TUN_DNS -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -CHINADNS_DNS ${CHINADNS_DNS:-0} -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG:-0}
|
||||
}
|
||||
|
||||
del() {
|
||||
|
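Review bot: The rewritten `lua $APP_PATH/helper_dnsmasq_add.lua ...` line still passes every value unquoted, so an empty `$TUN_DNS`, `$TCP_NODE` or `$TMP_DNSMASQ_PATH` drops its argument entirely and the `-NAME value` pairs the Lua side reads by name would most likely mis-pair; the `${NFTFLAG:-0}` default added here closes that hole for one variable only. Quoting each expansion, e.g. `-TUN_DNS "$TUN_DNS" -TCP_NODE "$TCP_NODE"`, or giving each the same `${VAR:-0}` style default keeps the argument count stable. The `add()` in helper_smartdns.sh further down has the identical shape and needs the same treatment; `eval_set_val $@` on the line above is unchanged by this commit but evaluates its unquoted input as well.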
@ -193,7 +193,8 @@ if global and (not returnhome and not chnlist and not gfwlist) then
|
||||
only_global = 1
|
||||
end
|
||||
|
||||
local setflag= (NFTFLAG == "1") and "inet#fw4#" or ""
|
||||
local setflag_4= (NFTFLAG == "1") and "4#inet#fw4#" or ""
|
||||
local setflag_6= (NFTFLAG == "1") and "6#inet#fw4#" or ""
|
||||
|
||||
if not fs.access(CACHE_DNS_PATH) then
|
||||
fs.mkdir("/tmp/dnsmasq.d")
|
||||
@ -211,7 +212,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
local address = t.address
|
||||
if datatypes.hostname(address) then
|
||||
set_domain_dns(address, LOCAL_DNS)
|
||||
set_domain_ipset(address, setflag .. "vpsiplist," .. setflag .. "vpsiplist6")
|
||||
set_domain_ipset(address, setflag_4 .. "vpsiplist," .. setflag_6 .. "vpsiplist6")
|
||||
end
|
||||
end)
|
||||
log(string.format(" - 节点列表中的域名(vpsiplist):%s", LOCAL_DNS or "默认"))
|
||||
@ -221,19 +222,19 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
if line ~= "" and not line:find("#") then
|
||||
add_excluded_domain(line)
|
||||
set_domain_dns(line, LOCAL_DNS)
|
||||
set_domain_ipset(line, setflag .. "whitelist," .. setflag .. "whitelist6")
|
||||
set_domain_ipset(line, setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6")
|
||||
end
|
||||
end
|
||||
log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认"))
|
||||
|
||||
local fwd_dns = LOCAL_DNS
|
||||
local ipset_flag = setflag .. "whitelist," .. setflag .. "whitelist6"
|
||||
local ipset_flag = setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6"
|
||||
local no_ipv6
|
||||
if subscribe_proxy == "1" then
|
||||
fwd_dns = TUN_DNS
|
||||
ipset_flag = setflag .. "blacklist," .. setflag .. "blacklist6"
|
||||
ipset_flag = setflag_4 .. "blacklist," .. setflag_6 .. "blacklist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag .. "blacklist"
|
||||
ipset_flag = setflag_4 .. "blacklist"
|
||||
no_ipv6 = true
|
||||
end
|
||||
if not only_global then
|
||||
@ -258,10 +259,10 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
for line in io.lines("/usr/share/passwall/rules/proxy_host") do
|
||||
if line ~= "" and not line:find("#") then
|
||||
add_excluded_domain(line)
|
||||
local ipset_flag = setflag .. "blacklist," .. setflag .. "blacklist6"
|
||||
local ipset_flag = setflag_4 .. "blacklist," .. setflag_6 .. "blacklist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
set_domain_address(line, "::")
|
||||
ipset_flag = setflag .. "blacklist"
|
||||
ipset_flag = setflag_4 .. "blacklist"
|
||||
end
|
||||
if REMOTE_FAKEDNS == "1" then
|
||||
ipset_flag = nil
|
||||
@ -289,12 +290,12 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
|
||||
if _node_id == "_direct" then
|
||||
fwd_dns = LOCAL_DNS
|
||||
ipset_flag = setflag .. "whitelist," .. setflag .. "whitelist6"
|
||||
ipset_flag = setflag_4 .. "whitelist," .. setflag_6 .. "whitelist6"
|
||||
else
|
||||
fwd_dns = TUN_DNS
|
||||
ipset_flag = setflag .. "shuntlist," .. setflag .. "shuntlist6"
|
||||
ipset_flag = setflag_4 .. "shuntlist," .. setflag_6 .. "shuntlist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag .. "shuntlist"
|
||||
ipset_flag = setflag_4 .. "shuntlist"
|
||||
no_ipv6 = true
|
||||
end
|
||||
if not only_global then
|
||||
@ -332,9 +333,9 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
||||
for line in string.gmatch(gfwlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
local ipset_flag = setflag .. "gfwlist," .. setflag .. "gfwlist6"
|
||||
local ipset_flag = setflag_4 .. "gfwlist," .. setflag_6 .. "gfwlist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag .. "gfwlist"
|
||||
ipset_flag = setflag_4 .. "gfwlist"
|
||||
set_domain_address(line, "::")
|
||||
end
|
||||
if not only_global then
|
||||
@ -360,7 +361,7 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
set_domain_dns(line, fwd_dns)
|
||||
set_domain_ipset(line, setflag .. "chnroute," .. setflag .. "chnroute6")
|
||||
set_domain_ipset(line, setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6")
|
||||
end
|
||||
end
|
||||
end
|
||||
@ -371,9 +372,9 @@ if not fs.access(CACHE_DNS_PATH) then
|
||||
local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
local ipset_flag = setflag .. "chnroute," .. setflag .. "chnroute6"
|
||||
local ipset_flag = setflag_4 .. "chnroute," .. setflag_6 .. "chnroute6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = setflag .. "chnroute"
|
||||
ipset_flag = setflag_4 .. "chnroute"
|
||||
set_domain_address(line, "::")
|
||||
end
|
||||
if not only_global then
|
||||
|
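Review bot: The `setflag_4 .. NAME .. "," .. setflag_6 .. NAME .. "6"` expression is now retyped by hand in every hunk of this file (whitelist, blacklist, shuntlist, gfwlist, chnroute, each with an IPv4-only variant), which is exactly the repetition that let the smartdns helper lose its `#4:` prefix on the `shuntlist` line this same commit repairs. A one-line helper beside the flag definitions, `local function ipsets(name) return setflag_4 .. name .. "," .. setflag_6 .. name .. "6" end`, plus `local function ipset4(name) return setflag_4 .. name end` for the `NO_PROXY_IPV6` branches, would reduce each site to `ipset_flag = ipsets("blacklist")`. The same applies to helper_smartdns_add.lua below, where the pattern is `"#4:" .. setflag .. NAME .. ",#6:" .. setflag .. NAME .. "6"`. All of these hunks are inside a block that starts and ends outside the diff.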
@ -11,9 +11,9 @@ restart() {
|
||||
}
|
||||
|
||||
add() {
|
||||
local FLAG SMARTDNS_CONF LOCAL_GROUP REMOTE_GROUP REMOTE_FAKEDNS TUN_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG
|
||||
local FLAG SMARTDNS_CONF LOCAL_GROUP REMOTE_GROUP REMOTE_FAKEDNS TUN_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG NFTFLAG
|
||||
eval_set_val $@
|
||||
lua $APP_PATH/helper_smartdns_add.lua -FLAG $FLAG -SMARTDNS_CONF $SMARTDNS_CONF -LOCAL_GROUP ${LOCAL_GROUP:-nil} -REMOTE_GROUP ${REMOTE_GROUP:-nil} -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -TUN_DNS $TUN_DNS -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0}
|
||||
lua $APP_PATH/helper_smartdns_add.lua -FLAG $FLAG -SMARTDNS_CONF $SMARTDNS_CONF -LOCAL_GROUP ${LOCAL_GROUP:-nil} -REMOTE_GROUP ${REMOTE_GROUP:-nil} -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -TUN_DNS $TUN_DNS -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG:-0}
|
||||
}
|
||||
|
||||
del() {
|
||||
|
@ -12,6 +12,7 @@ local TCP_NODE = var["-TCP_NODE"]
|
||||
local PROXY_MODE = var["-PROXY_MODE"]
|
||||
local NO_PROXY_IPV6 = var["-NO_PROXY_IPV6"]
|
||||
local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"]
|
||||
local NFTFLAG = var["-NFTFLAG"]
|
||||
local LOG_FILE = api.LOG_FILE
|
||||
local CACHE_PATH = api.CACHE_PATH
|
||||
local CACHE_FLAG = "dns_" .. FLAG
|
||||
@ -172,6 +173,8 @@ if not REMOTE_GROUP or REMOTE_GROUP == "nil" then
|
||||
sys.call('sed -i "/passwall/d" /etc/smartdns/custom.conf >/dev/null 2>&1')
|
||||
end
|
||||
|
||||
local setflag= (NFTFLAG == "1") and "inet#fw4#" or ""
|
||||
|
||||
if not fs.access(CACHE_DNS_FILE) then
|
||||
sys.call(string.format('echo "server %s -group %s -exclude-default-group" >> %s', TUN_DNS, REMOTE_GROUP, CACHE_DNS_FILE))
|
||||
--屏蔽列表
|
||||
@ -186,7 +189,7 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
local address = t.address
|
||||
if datatypes.hostname(address) then
|
||||
set_domain_group(address, LOCAL_GROUP)
|
||||
set_domain_ipset(address, "#4:vpsiplist,#6:vpsiplist6")
|
||||
set_domain_ipset(address, "#4:" .. setflag .. "vpsiplist,#6:" .. setflag .. "vpsiplist6")
|
||||
end
|
||||
end)
|
||||
log(string.format(" - 节点列表中的域名(vpsiplist)使用分组:%s", LOCAL_GROUP or "默认"))
|
||||
@ -196,19 +199,19 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
if line ~= "" and not line:find("#") then
|
||||
add_excluded_domain(line)
|
||||
set_domain_group(line, LOCAL_GROUP)
|
||||
set_domain_ipset(line, "#4:whitelist,#6:whitelist6")
|
||||
set_domain_ipset(line, "#4:" .. setflag .. "whitelist,#6:" .. setflag .. "whitelist6")
|
||||
end
|
||||
end
|
||||
log(string.format(" - 域名白名单(whitelist)使用分组:%s", LOCAL_GROUP or "默认"))
|
||||
|
||||
local fwd_group = LOCAL_GROUP
|
||||
local ipset_flag = "#4:whitelist,#6:whitelist6"
|
||||
local ipset_flag = "#4:" .. setflag .. "whitelist,#6:" .. setflag .. "whitelist6"
|
||||
local no_ipv6
|
||||
if subscribe_proxy == "1" then
|
||||
fwd_group = REMOTE_GROUP
|
||||
ipset_flag = "#4:blacklist,#6:blacklist6"
|
||||
ipset_flag = "#4:" .. setflag .. "blacklist,#6:" .. setflag .. "blacklist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = "#4:blacklist"
|
||||
ipset_flag = "#4:" .. setflag .. "blacklist"
|
||||
no_ipv6 = true
|
||||
end
|
||||
if REMOTE_FAKEDNS == "1" then
|
||||
@ -231,10 +234,10 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
for line in io.lines("/usr/share/passwall/rules/proxy_host") do
|
||||
if line ~= "" and not line:find("#") then
|
||||
add_excluded_domain(line)
|
||||
local ipset_flag = "#4:blacklist,#6:blacklist6"
|
||||
local ipset_flag = "#4:" .. setflag .. "blacklist,#6:" .. setflag .. "blacklist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
set_domain_address(line, "#6")
|
||||
ipset_flag = "#4:blacklist"
|
||||
ipset_flag = "#4:" .. setflag .. "blacklist"
|
||||
end
|
||||
if REMOTE_FAKEDNS == "1" then
|
||||
ipset_flag = nil
|
||||
@ -262,12 +265,12 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
|
||||
if _node_id == "_direct" then
|
||||
fwd_group = LOCAL_GROUP
|
||||
ipset_flag = "#4:whitelist,#6:whitelist6"
|
||||
ipset_flag = "#4:" .. setflag .. "whitelist,#6:" .. setflag .. "whitelist6"
|
||||
else
|
||||
fwd_group = REMOTE_GROUP
|
||||
ipset_flag = "#4:shuntlist,#6:shuntlist6"
|
||||
ipset_flag = "#4:" .. setflag .. "shuntlist,#6:" .. setflag .. "shuntlist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = "shuntlist"
|
||||
ipset_flag = "#4:" .. setflag .. "shuntlist"
|
||||
no_ipv6 = true
|
||||
end
|
||||
if REMOTE_FAKEDNS == "1" then
|
||||
@ -303,9 +306,9 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
||||
for line in string.gmatch(gfwlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
local ipset_flag = "#4:gfwlist,#6:gfwlist6"
|
||||
local ipset_flag = "#4:" .. setflag .. "gfwlist,#6:" .. setflag .. "gfwlist6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = "#4:gfwlist"
|
||||
ipset_flag = "#4:" .. setflag .. "gfwlist"
|
||||
set_domain_address(line, "#6")
|
||||
end
|
||||
fwd_group = REMOTE_GROUP
|
||||
@ -324,7 +327,7 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
set_domain_group(line, LOCAL_GROUP)
|
||||
set_domain_ipset(line, "#4:chnroute,#6:chnroute6")
|
||||
set_domain_ipset(line, "#4:" .. setflag .. "chnroute,#6:" .. setflag .. "chnroute6")
|
||||
end
|
||||
end
|
||||
end
|
||||
@ -334,9 +337,9 @@ if not fs.access(CACHE_DNS_FILE) then
|
||||
local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
|
||||
for line in string.gmatch(chnlist_str, "[^\r\n]+") do
|
||||
if line ~= "" then
|
||||
local ipset_flag = "#4:chnroute,#6:chnroute6"
|
||||
local ipset_flag = "#4:" .. setflag .. "chnroute,#6:" .. setflag .. "chnroute6"
|
||||
if NO_PROXY_IPV6 == "1" then
|
||||
ipset_flag = "#4:chnroute"
|
||||
ipset_flag = "#4:" .. setflag .. "chnroute"
|
||||
set_domain_address(line, "#6")
|
||||
end
|
||||
set_domain_group(line, REMOTE_GROUP)
|
||||
|
@ -757,8 +757,8 @@ filter_node() {
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
for _ipt in 4 6; do
|
||||
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp
|
||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m
|
||||
[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSIPLIST
|
||||
[ "$_ipt" == "6" ] && _ipt=$ip6t_m && _set_name=$IPSET_VPSIPLIST6
|
||||
$_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
@ -769,7 +769,7 @@ filter_node() {
|
||||
msg2="套娃使用(${msg}:${port} -> ${_port})"
|
||||
}
|
||||
[ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUTPUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUTPUT "$_set_name" $FORCE_INDEX)
|
||||
dst_rule=" -j RETURN"
|
||||
msg2="直连代理"
|
||||
}
|
||||
|
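Review bot: The new `_set_name` variable assigned in the `[ "$_ipt" == "4" ] && _ipt=$ipt_tmp && _set_name=$IPSET_VPSIPLIST` chain is never declared `local`, unlike `ADD_INDEX` a few lines above, so it leaks out of `filter_node` into the caller's scope and keeps the last family's value after the loop. Declaring it alongside the existing local, `local ADD_INDEX=$FORCE_INDEX _set_name`, keeps the function self-contained. `$FORCE_INDEX` on the `RULE_LAST_INDEX` call is also left unquoted while the other arguments are quoted. `filter_node` begins before the hunk.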
@ -32,8 +32,11 @@ factor() {
|
||||
echo ""
|
||||
elif [ "$1" == "1:65535" ]; then
|
||||
echo ""
|
||||
else
|
||||
# acl mac address
|
||||
elif [ -n "$(echo $1 | grep -E '([A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}')" ]; then
|
||||
echo "$2 {$1}"
|
||||
else
|
||||
echo "$2 {$(echo $1 | sed 's/:/-/g')}"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -451,6 +454,7 @@ load_acl() {
|
||||
}
|
||||
fi
|
||||
udp_node_remark=$(config_n_get $udp_node remarks)
|
||||
udp_flag=1
|
||||
}
|
||||
|
||||
for i in $(echo -e ${rule_list}); do
|
||||
@ -492,9 +496,9 @@ load_acl() {
|
||||
}
|
||||
|
||||
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
|
||||
[ "$tcp_no_redir_ports" != "disable" ] && {
|
||||
@ -506,9 +510,9 @@ load_acl() {
|
||||
|
||||
[ "$tcp_proxy_drop_ports" != "disable" ] && {
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\""
|
||||
[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
|
||||
[ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\""
|
||||
@ -532,11 +536,11 @@ load_acl() {
|
||||
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
else
|
||||
msg2="${msg}不代理TCP"
|
||||
@ -546,14 +550,14 @@ load_acl() {
|
||||
|
||||
[ "$udp_proxy_drop_ports" != "disable" ] && {
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\""
|
||||
[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
|
||||
[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\""
|
||||
[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null
|
||||
[ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
|
||||
msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}"
|
||||
}
|
||||
|
||||
@ -563,7 +567,7 @@ load_acl() {
|
||||
msg2="${msg2}(TPROXY:${udp_port})代理"
|
||||
[ "$udp_no_redir_ports" != "disable" ] && {
|
||||
nft add rule inet fw4 PSW_MANGLE meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return
|
||||
nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return
|
||||
nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return 2>/dev/null
|
||||
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
|
||||
}
|
||||
msg2="${msg2}所有端口"
|
||||
@ -576,11 +580,11 @@ load_acl() {
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} return comment \"$remarks\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\""
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" 2>/dev/null
|
||||
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
|
||||
}
|
||||
else
|
||||
msg2="${msg}不代理UDP"
|
||||
@ -708,6 +712,7 @@ load_acl() {
|
||||
}
|
||||
|
||||
echolog "${msg}"
|
||||
udp_flag=1
|
||||
}
|
||||
fi
|
||||
}
|
||||
@ -720,6 +725,15 @@ filter_haproxy() {
|
||||
echolog "加入负载均衡的节点到nftset[$NFTSET_VPSIPLIST]直连完成"
|
||||
}
|
||||
|
||||
filter_vps_addr() {
|
||||
for server_host in $@; do
|
||||
local vps_ip4=$(get_host_ip "ipv4" ${server_host})
|
||||
local vps_ip6=$(get_host_ip "ipv6" ${server_host})
|
||||
[ -n "$vps_ip4" ] && insert_nftset $NFTSET_VPSIPLIST $vps_ip4
|
||||
[ -n "$vps_ip6" ] && insert_nftset $NFTSET_VPSIPLIST6 $vps_ip6
|
||||
done
|
||||
}
|
||||
|
||||
filter_vpsip() {
|
||||
insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e 's/$/,/' )
|
||||
insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e 's/$/,/' )
|
||||
@ -756,9 +770,9 @@ filter_node() {
|
||||
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
for _ipt in 4 6; do
|
||||
[ "$_ipt" == "4" ] && _ip_type=ip6
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip
|
||||
nft "list chain inet fw4 PSW_OUTPUT" | grep -q "${address}:${port}"
|
||||
[ "$_ipt" == "4" ] && _ip_type=ip4 && _set_name=$NFTSET_VPSIPLIST
|
||||
[ "$_ipt" == "6" ] && _ip_type=ip6 && _set_name=$NFTSET_VPSIPLIST6
|
||||
nft "list chain inet fw4 $nft_output_chain" | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
unset dst_rule
|
||||
local dst_rule="jump PSW_RULE"
|
||||
@ -768,12 +782,12 @@ filter_node() {
|
||||
msg2="套娃使用(${msg}:${port} -> ${_port})"
|
||||
}
|
||||
[ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "inet fw4" PSW_OUTPUT "$NFTSET_VPSIPLIST" $FORCE_INDEX)
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "inet fw4" $nft_output_chain $_set_name $FORCE_INDEX)
|
||||
dst_rule="return"
|
||||
msg2="直连代理"
|
||||
}
|
||||
nft "insert rule inet fw4 PSW_OUTPUT position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address tcp dport $port $dst_rule" 2>/dev/null
|
||||
nft "insert rule inet fw4 PSW_OUTPUT position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address udp dport $port $dst_rule" 2>/dev/null
|
||||
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address tcp dport $port $dst_rule" 2>/dev/null
|
||||
nft "insert rule inet fw4 $nft_output_chain position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address udp dport $port $dst_rule" 2>/dev/null
|
||||
else
|
||||
msg2="已配置过的节点,"
|
||||
fi
|
||||
@ -836,18 +850,18 @@ dns_hijack() {
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
gen_nftset $NFTSET_LANIPLIST ipv4_addr $(gen_laniplist | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_VPSIPLIST ipv4_addr
|
||||
gen_nftset $NFTSET_GFW ipv4_addr
|
||||
gen_nftset $NFTSET_LANIPLIST ipv4_addr $(gen_laniplist | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_CHN ipv4_addr $(cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#" | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_BLACKLIST ipv4_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_WHITELIST ipv4_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_BLOCKLIST ipv4_addr $(cat $RULES_PATH/block_ip | tr -s '\n' | grep -v "^#" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_SHUNTLIST ipv4_addr
|
||||
|
||||
gen_nftset $NFTSET_LANIPLIST6 ipv6_addr $(gen_laniplist_6 | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_VPSIPLIST6 ipv6_addr
|
||||
gen_nftset $NFTSET_GFW6 ipv6_addr
|
||||
gen_nftset $NFTSET_LANIPLIST6 ipv6_addr $(gen_laniplist_6 | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_CHN6 ipv6_addr $(cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#" | sed -e 's/$/,/' )
|
||||
gen_nftset $NFTSET_BLACKLIST6 ipv6_addr $(cat $RULES_PATH/proxy_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e 's/$/,/')
|
||||
gen_nftset $NFTSET_WHITELIST6 ipv6_addr $(cat $RULES_PATH/direct_ip | tr -s '\n' | grep -v "^#" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e 's/$/,/')
|
||||
@ -898,6 +912,8 @@ add_firewall_rule() {
|
||||
# 过滤所有节点IP
|
||||
filter_vpsip > /dev/null 2>&1 &
|
||||
filter_haproxy > /dev/null 2>&1 &
|
||||
# Prevent some conditions
|
||||
filter_vps_addr $(config_n_get $TCP_NODE address) $(config_n_get $UDP_NODE address) > /dev/null 2>&1 &
|
||||
|
||||
accept_icmp=$(config_t_get global_forwarding accept_icmp 0)
|
||||
accept_icmpv6=$(config_t_get global_forwarding accept_icmpv6 0)
|
||||
@ -928,14 +944,13 @@ add_firewall_rule() {
|
||||
nft "flush chain inet fw4 PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_RULE meta mark set ct mark counter"
|
||||
nft "add rule inet fw4 PSW_RULE meta mark 1 counter return"
|
||||
nft "add rule inet fw4 PSW_RULE tcp flags &(fin|syn|rst|ack) == syn meta mark set 1 counter"
|
||||
nft "add rule inet fw4 PSW_RULE meta l4proto udp ct state new meta mark set 1 counter"
|
||||
nft "add rule inet fw4 PSW_RULE tcp flags &(fin|syn|rst|ack) == syn meta mark set mark and 0x0 xor 0x1 counter"
|
||||
nft "add rule inet fw4 PSW_RULE meta l4proto udp ct state new meta mark set mark and 0x0 xor 0x1 counter"
|
||||
nft "add rule inet fw4 PSW_RULE ct mark set mark counter"
|
||||
|
||||
#ipv4 tproxy mode and udp
|
||||
nft "add chain inet fw4 PSW_MANGLE"
|
||||
nft "flush chain inet fw4 PSW_MANGLE"
|
||||
nft "add rule inet fw4 PSW_MANGLE meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
||||
@ -943,10 +958,10 @@ add_firewall_rule() {
|
||||
|
||||
nft "add chain inet fw4 PSW_OUTPUT_MANGLE"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
|
||||
# jump chains
|
||||
@ -968,6 +983,7 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSIPLIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop"
|
||||
}
|
||||
|
||||
@ -1008,10 +1024,10 @@ add_firewall_rule() {
|
||||
|
||||
nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
||||
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
|
||||
|
||||
# jump chains
|
||||
@ -1177,7 +1193,7 @@ add_firewall_rule() {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
|
||||
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
|
||||
nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
|
||||
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
|
||||
@ -1198,6 +1214,10 @@ add_firewall_rule() {
|
||||
|
||||
# dns_hijack "force"
|
||||
|
||||
[ -n "${is_tproxy}" -o -n "${udp_flag}" ] && {
|
||||
sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1
|
||||
[ "$PROXY_IPV6" == "1" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1
|
||||
}
|
||||
echolog "防火墙规则加载完成!"
|
||||
}
|
||||
|
||||
@ -1257,15 +1277,16 @@ flush_include() {
|
||||
}
|
||||
|
||||
gen_include() {
|
||||
echo "" > $TMP_PATH2/passwall.nft
|
||||
local nft_chain_file=$TMP_PATH/PSW.nft
|
||||
echo "" > $nft_chain_file
|
||||
for chain in $(nft -a list chains |grep -E "chain PSW" |awk -F ' ' '{print$2}'); do
|
||||
nft list chain inet fw4 ${chain} >> $TMP_PATH2/passwall.nft
|
||||
nft list chain inet fw4 ${chain} >> $nft_chain_file
|
||||
done
|
||||
|
||||
local __nft=" "
|
||||
[ -z "${nft}" ] && {
|
||||
__nft=$(cat <<- EOF
|
||||
nft -f ${TMP_PATH2}/passwall.nft
|
||||
nft -f ${nft_chain_file}
|
||||
|
||||
nft "add rule inet fw4 dstnat jump PSW_REDIRECT"
|
||||
|
||||
@ -1279,11 +1300,14 @@ gen_include() {
|
||||
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
|
||||
}
|
||||
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
|
||||
[ -n "${is_tproxy}" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
|
||||
[ -n "${is_tproxy}" ] && {
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
}
|
||||
\$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
|
||||
|
||||
[ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
|
||||
|
||||
[ "$PROXY_IPV6" == "1" ] && {
|
||||
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
|
||||
nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
|
||||
|