@@ -131,4 +130,3 @@
<%:Restore Backup File%>
}
}
-<%+cbi/valuefooter%>
diff --git a/applications/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm b/applications/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
index 777afab83be..08d54e499a6 100644
--- a/applications/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
+++ b/applications/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
@@ -1,12 +1,24 @@
<%+cbi/valueheader%>
<%
local api = require "luci.passwall.api"
+local appname = 'passwall'
+local map = self.map
+local ss_type = map:get("@global_subscribe[0]", "ss_type") or "xray"
+local trojan_type = map:get("@global_subscribe[0]", "trojan_type") or "xray"
+local vmess_type = map:get("@global_subscribe[0]", "vmess_type") or "xray"
+local vless_type = map:get("@global_subscribe[0]", "vless_type") or "xray"
+local hysteria2_type = map:get("@global_subscribe[0]", "hysteria2_type") or "sing-box"
-%>
-
-
+
diff --git a/applications/luci-app-passwall/po/zh_Hans/passwall.po b/applications/luci-app-passwall/po/zh_Hans/passwall.po
index 42884cf4191..92144fb2219 100644
--- a/applications/luci-app-passwall/po/zh_Hans/passwall.po
+++ b/applications/luci-app-passwall/po/zh_Hans/passwall.po
@@ -1510,6 +1510,9 @@ msgstr "要执行的 Shell 命令,用 %s 代替日志内容。"
msgid "Not enabled log"
msgstr "未启用日志"
+msgid "It is recommended to disable logging during regular use to reduce system overhead."
+msgstr "正常使用时建议关闭日志,以减少系统开销。"
+
msgid "UDP Forward"
msgstr "UDP 转发"
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/0_default_config b/applications/luci-app-passwall/root/usr/share/passwall/0_default_config
index 551c824f960..acacfedbd5b 100644
--- a/applications/luci-app-passwall/root/usr/share/passwall/0_default_config
+++ b/applications/luci-app-passwall/root/usr/share/passwall/0_default_config
@@ -21,10 +21,11 @@ config global
option localhost_proxy '1'
option client_proxy '1'
option acl_enable '0'
- option log_tcp '1'
- option log_udp '1'
+ option log_tcp '0'
+ option log_udp '0'
option loglevel 'error'
option trojan_loglevel '4'
+ option log_chinadns_ng '0'
config global_haproxy
option balancing_enable '0'
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/app.sh b/applications/luci-app-passwall/root/usr/share/passwall/app.sh
index 8dff1270ba6..1d2dc45f585 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/applications/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (C) 2018-2020 L-WRT Team
-# Copyright (C) 2021-2023 xiaorouji
+# Copyright (C) 2021-2025 xiaorouji
. $IPKG_INSTROOT/lib/functions.sh
. $IPKG_INSTROOT/lib/functions/service.sh
@@ -17,17 +17,6 @@ GLOBAL_ACL_PATH=${TMP_ACL_PATH}/default
LOG_FILE=/tmp/log/$CONFIG.log
APP_PATH=/usr/share/$CONFIG
RULES_PATH=/usr/share/${CONFIG}/rules
-DNS_PORT=15353
-TUN_DNS="127.0.0.1#${DNS_PORT}"
-LOCAL_DNS=119.29.29.29,223.5.5.5
-DEFAULT_DNS=
-IPT_APPEND_DNS=
-ENABLED_DEFAULT_ACL=0
-PROXY_IPV6=0
-PROXY_IPV6_UDP=0
-resolve_dns=0
-use_tcp_node_resolve_dns=0
-use_udp_node_resolve_dns=0
LUA_UTIL_PATH=/usr/lib/lua/luci/passwall
UTIL_SINGBOX=$LUA_UTIL_PATH/util_sing-box.lua
UTIL_SS=$LUA_UTIL_PATH/util_shadowsocks.lua
@@ -296,7 +285,10 @@ ln_run() {
fi
#echo "${file_func} $*" >&2
[ -n "${file_func}" ] || echolog " - 找不到 ${ln_name},无法启动..."
- [ "${output}" != "/dev/null" ] && local persist_log_path=$(config_t_get global persist_log_path) && local sys_log=$(config_t_get global sys_log "0")
+ [ "${output}" != "/dev/null" ] && [ "${ln_name}" != "chinadns-ng" ] && {
+ local persist_log_path=$(config_t_get global persist_log_path)
+ local sys_log=$(config_t_get global sys_log "0")
+ }
if [ -z "$persist_log_path" ] && [ "$sys_log" != "1" ]; then
${file_func:-echolog " - ${ln_name}"} "$@" >${output} 2>&1 &
else
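Review bot: The `local persist_log_path` and `local sys_log` declarations at L89–L90 only execute when the new compound condition holds, so on the `/dev/null` and `chinadns-ng` paths the `if` at L92 reads whatever same-named variables exist in the caller's scope rather than guaranteed-empty locals; a stale value can then send the process's output down the persistent-log branch. Declaring them unconditionally before the test, `local persist_log_path sys_log`, makes the fall-through case deterministic. This was already the shape of the old one-liner, but the rewrite is the natural place to fix it. ln_run's body starts outside the hunk.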
@@ -376,7 +368,11 @@ set_cache_var() {
local key="${1}"
shift 1
local val="$@"
- [ -n "${key}" ] && [ -n "${val}" ] && echo "${key}=\"${val}\"" >> $TMP_PATH/var
+ [ -n "${key}" ] && [ -n "${val}" ] && {
+ sed -i "/${key}=/d" $TMP_PATH/var >/dev/null 2>&1
+ echo "${key}=\"${val}\"" >> $TMP_PATH/var
+ eval ${key}=\"${val}\"
+ }
}
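Review bot: The dedup pattern `sed -i "/${key}=/d"` at L101 is unanchored, so it removes every line that merely contains `key=` as a substring, and a key that is a suffix of another (the file already stores names such as `ACL_default_dns_port`) would silently wipe the longer entry as well; anchoring it, `sed -i "/^${key}=/d" $TMP_PATH/var >/dev/null 2>&1`, limits the deletion to the exact key. The value is also written unescaped and then executed twice as shell — by the `eval` on L103 and later by `eval_cache_var` — so any `"`, `$` or backtick in `val` is interpreted rather than stored, and the `$TMP_PATH/var` file effectively becomes executable configuration whose integrity stop() depends on. A short comment above the function stating that callers must pass plain tokens (ports, table names, paths without quotes) would document that contract.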
get_cache_var() {
@@ -386,6 +382,10 @@ get_cache_var() {
}
}
+eval_cache_var() {
+ [ -s "$TMP_PATH/var" ] && eval $(cat "$TMP_PATH/var")
+}
+
run_ipt2socks() {
local flag proto tcp_tproxy local_port socks_address socks_port socks_username socks_password log_file
local _extra_param=""
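Review bot: `eval $(cat "$TMP_PATH/var")` at L111 runs the file's contents through word splitting and pathname expansion before evaluating them, collapsing newlines into spaces and exposing quoted values to glob matching, whereas the file is already written as one `key="val"` line per entry by set_cache_var. Sourcing it directly, `[ -s "$TMP_PATH/var" ] && . "$TMP_PATH/var"`, executes the same assignments without the extra expansion pass and reads more plainly. Either form executes the cache file as shell, so it is worth a one-line comment that this file is trusted state written only by set_cache_var.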
@@ -412,8 +412,8 @@ run_ipt2socks() {
}
run_singbox() {
- local flag type node tcp_redir_port udp_redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
- local dns_listen_port direct_dns_port direct_dns_udp_server direct_dns_tcp_server direct_dns_dot_server remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_fakedns remote_dns_query_strategy dns_cache dns_socks_address dns_socks_port
+ local flag type node tcp_redir_port tcp_proxy_way udp_redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
+ local dns_listen_port direct_dns_query_strategy direct_dns_port direct_dns_udp_server direct_dns_tcp_server direct_dns_dot_server remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_fakedns remote_dns_query_strategy dns_cache dns_socks_address dns_socks_port
local loglevel log_file config_file server_host server_port
local _extra_param=""
eval_set_val $@
@@ -443,6 +443,7 @@ run_singbox() {
[ -n "$server_host" ] && _extra_param="${_extra_param} -server_host $server_host"
[ -n "$server_port" ] && _extra_param="${_extra_param} -server_port $server_port"
[ -n "$tcp_redir_port" ] && _extra_param="${_extra_param} -tcp_redir_port $tcp_redir_port"
+ [ -n "$tcp_proxy_way" ] && _extra_param="${_extra_param} -tcp_proxy_way $tcp_proxy_way"
[ -n "$udp_redir_port" ] && _extra_param="${_extra_param} -udp_redir_port $udp_redir_port"
[ -n "$socks_address" ] && _extra_param="${_extra_param} -local_socks_address $socks_address"
[ -n "$socks_port" ] && _extra_param="${_extra_param} -local_socks_port $socks_port"
@@ -469,7 +470,8 @@ run_singbox() {
direct_dns_port=$(echo ${local_dns} | awk -F '#' '{print $2}')
fi
_extra_param="${_extra_param} -direct_dns_port ${direct_dns_port:-53}"
- _extra_param="${_extra_param} -direct_dns_query_strategy ${DIRECT_DNS_QUERY_STRATEGY}"
+ direct_dns_query_strategy=${direct_dns_query_strategy:-UseIP}
+ _extra_param="${_extra_param} -direct_dns_query_strategy ${direct_dns_query_strategy}"
[ -n "$remote_dns_query_strategy" ] && _extra_param="${_extra_param} -remote_dns_query_strategy ${remote_dns_query_strategy}"
case "$remote_dns_protocol" in
@@ -488,14 +490,13 @@ run_singbox() {
esac
[ -n "$remote_dns_client_ip" ] && _extra_param="${_extra_param} -remote_dns_client_ip ${remote_dns_client_ip}"
[ "$remote_fakedns" = "1" ] && _extra_param="${_extra_param} -remote_dns_fake 1"
- _extra_param="${_extra_param} -tcp_proxy_way $tcp_proxy_way"
lua $UTIL_SINGBOX gen_config ${_extra_param} > $config_file
ln_run "$(first_type $(config_t_get global_app singbox_file) sing-box)" "sing-box" $log_file run -c "$config_file"
}
run_xray() {
- local flag type node tcp_redir_port udp_redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
- local dns_listen_port remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_fakedns remote_dns_query_strategy dns_cache dns_socks_address dns_socks_port
+ local flag type node tcp_redir_port tcp_proxy_way udp_redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
+ local dns_listen_port direct_dns_query_strategy remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_fakedns remote_dns_query_strategy dns_cache dns_socks_address dns_socks_port
local loglevel log_file config_file server_host server_port
local _extra_param=""
eval_set_val $@
@@ -514,6 +515,7 @@ run_xray() {
[ -n "$server_host" ] && _extra_param="${_extra_param} -server_host $server_host"
[ -n "$server_port" ] && _extra_param="${_extra_param} -server_port $server_port"
[ -n "$tcp_redir_port" ] && _extra_param="${_extra_param} -tcp_redir_port $tcp_redir_port"
+ [ -n "$tcp_proxy_way" ] && _extra_param="${_extra_param} -tcp_proxy_way $tcp_proxy_way"
[ -n "$udp_redir_port" ] && _extra_param="${_extra_param} -udp_redir_port $udp_redir_port"
[ -n "$socks_address" ] && _extra_param="${_extra_param} -local_socks_address $socks_address"
[ -n "$socks_port" ] && _extra_param="${_extra_param} -local_socks_port $socks_port"
@@ -523,7 +525,8 @@ run_xray() {
[ -n "$http_username" ] && [ -n "$http_password" ] && _extra_param="${_extra_param} -local_http_username $http_username -local_http_password $http_password"
[ -n "$dns_socks_address" ] && [ -n "$dns_socks_port" ] && _extra_param="${_extra_param} -dns_socks_address ${dns_socks_address} -dns_socks_port ${dns_socks_port}"
[ -n "$dns_listen_port" ] && _extra_param="${_extra_param} -dns_listen_port ${dns_listen_port}"
- _extra_param="${_extra_param} -direct_dns_query_strategy ${DIRECT_DNS_QUERY_STRATEGY}"
+ direct_dns_query_strategy=${direct_dns_query_strategy:-UseIP}
+ _extra_param="${_extra_param} -direct_dns_query_strategy ${direct_dns_query_strategy}"
[ -n "$remote_dns_query_strategy" ] && _extra_param="${_extra_param} -remote_dns_query_strategy ${remote_dns_query_strategy}"
[ -n "$remote_dns_client_ip" ] && _extra_param="${_extra_param} -remote_dns_client_ip ${remote_dns_client_ip}"
[ "$remote_fakedns" = "1" ] && _extra_param="${_extra_param} -remote_dns_fake 1"
@@ -540,7 +543,6 @@ run_xray() {
[ -n "$_doh_bootstrap" ] && _extra_param="${_extra_param} -remote_dns_doh_ip ${_doh_bootstrap}"
_extra_param="${_extra_param} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}"
}
- _extra_param="${_extra_param} -tcp_proxy_way $tcp_proxy_way"
_extra_param="${_extra_param} -loglevel $loglevel"
lua $UTIL_XRAY gen_config ${_extra_param} > $config_file
ln_run "$(first_type $(config_t_get global_app ${type}_file) ${type})" ${type} $log_file run -c "$config_file"
@@ -570,13 +572,14 @@ run_chinadns_ng() {
eval_set_val $@
local _CONF_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.conf
- local _LOG_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.log
- _LOG_FILE="/dev/null"
+ local _LOG_FILE="/dev/null"
+ [ "$(config_t_get global log_chinadns_ng "0")" == "1" ] && _LOG_FILE=$TMP_ACL_PATH/$_flag/chinadns_ng.log
_extra_param="-FLAG ${_flag} -TCP_NODE ${_tcp_node} -LISTEN_PORT ${_listen_port} -DNS_LOCAL ${_dns_local} -DNS_TRUST ${_dns_trust}"
_extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -USE_BLOCK_LIST ${_use_block_list}"
_extra_param="${_extra_param} -GFWLIST ${_gfwlist} -CHNLIST ${_chnlist} -NO_IPV6_TRUST ${_no_ipv6_trust} -DEFAULT_MODE ${_default_mode}"
_extra_param="${_extra_param} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag} -NO_LOGIC_LOG ${_no_logic_log} -REMOTE_FAKEDNS ${_remote_fakedns}"
+ _extra_param="${_extra_param} -LOG_FILE ${_LOG_FILE}"
lua $APP_PATH/helper_chinadns_add.lua ${_extra_param} > ${_CONF_FILE}
ln_run "$(first_type chinadns-ng)" chinadns-ng "${_LOG_FILE}" -C ${_CONF_FILE}
@@ -758,7 +761,6 @@ run_redir() {
}
}
[ "$bind" != "127.0.0.1" ] && echolog "${PROTO}节点:[$remarks],监听端口:$local_port"
- set_cache_var "${PROTO}_NODE_PORT" "${port}"
case "$PROTO" in
UDP)
@@ -816,12 +818,11 @@ run_redir() {
[ "$tcp_node_http_port" != "0" ] && tcp_node_http=1
if [ $PROXY_IPV6 == "1" ]; then
echolog "开启实验性IPv6透明代理(TProxy),请确认您的节点及类型支持IPv6!"
- PROXY_IPV6_UDP=1
fi
- if [ "$tcp_proxy_way" = "redirect" ]; then
+ if [ "${TCP_PROXY_WAY}" = "redirect" ]; then
can_ipt=$(echo "$REDIRECT_LIST" | grep "$type")
- elif [ "$tcp_proxy_way" = "tproxy" ]; then
+ elif [ "${TCP_PROXY_WAY}" = "tproxy" ]; then
can_ipt=$(echo "$TPROXY_LIST" | grep "$type")
fi
[ -z "$can_ipt" ] && type="socks"
@@ -875,14 +876,14 @@ run_redir() {
}
[ "${DNS_MODE}" = "sing-box" ] && {
- resolve_dns=1
+ NO_PLUGIN_DNS=1
config_file=$(echo $config_file | sed "s/.json/_DNS.json/g")
_args="${_args} remote_dns_query_strategy=${REMOTE_DNS_QUERY_STRATEGY}"
DNSMASQ_FILTER_PROXY_IPV6=0
local _remote_dns_client_ip=$(config_t_get global remote_dns_client_ip)
[ -n "${_remote_dns_client_ip}" ] && _args="${_args} remote_dns_client_ip=${_remote_dns_client_ip}"
[ "${DNS_CACHE}" == "0" ] && _args="${_args} dns_cache=0"
- resolve_dns_port=${dns_listen_port}
+ resolve_dns_port=${NEXT_DNS_LISTEN_PORT}
_args="${_args} dns_listen_port=${resolve_dns_port}"
case "$(config_t_get global direct_dns_mode "auto")" in
@@ -918,9 +919,9 @@ run_redir() {
_args="${_args} remote_fakedns=1"
resolve_dns_log="${resolve_dns_log} + FakeDNS"
}
- dns_listen_port=$(expr $dns_listen_port + 1)
+ NEXT_DNS_LISTEN_PORT=$(expr $NEXT_DNS_LISTEN_PORT + 1)
}
- run_singbox flag=$_flag node=$node tcp_redir_port=$local_port config_file=$config_file log_file=$log_file ${_args}
+ run_singbox flag=$_flag node=$node tcp_redir_port=$local_port tcp_proxy_way=$TCP_PROXY_WAY config_file=$config_file log_file=$log_file ${_args}
;;
xray)
local _flag="TCP"
@@ -953,14 +954,14 @@ run_redir() {
}
[ "${DNS_MODE}" = "xray" ] && {
- resolve_dns=1
+ NO_PLUGIN_DNS=1
config_file=$(echo $config_file | sed "s/.json/_DNS.json/g")
_args="${_args} remote_dns_query_strategy=${REMOTE_DNS_QUERY_STRATEGY}"
DNSMASQ_FILTER_PROXY_IPV6=0
local _remote_dns_client_ip=$(config_t_get global remote_dns_client_ip)
[ -n "${_remote_dns_client_ip}" ] && _args="${_args} remote_dns_client_ip=${_remote_dns_client_ip}"
[ "${DNS_CACHE}" == "0" ] && _args="${_args} dns_cache=0"
- resolve_dns_port=${dns_listen_port}
+ resolve_dns_port=${NEXT_DNS_LISTEN_PORT}
_args="${_args} dns_listen_port=${resolve_dns_port}"
_args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
if [ "$v2ray_dns_mode" = "tcp+doh" ]; then
@@ -976,12 +977,12 @@ run_redir() {
_args="${_args} remote_fakedns=1"
resolve_dns_log="${resolve_dns_log} + FakeDNS"
}
- dns_listen_port=$(expr $dns_listen_port + 1)
+ NEXT_DNS_LISTEN_PORT=$(expr $NEXT_DNS_LISTEN_PORT + 1)
}
- run_xray flag=$_flag node=$node tcp_redir_port=$local_port config_file=$config_file log_file=$log_file ${_args}
+ run_xray flag=$_flag node=$node tcp_redir_port=$local_port tcp_proxy_way=$TCP_PROXY_WAY config_file=$config_file log_file=$log_file ${_args}
;;
trojan*)
- [ "$tcp_proxy_way" = "tproxy" ] && lua_tproxy_arg="-use_tproxy true"
+ [ "${TCP_PROXY_WAY}" = "tproxy" ] && lua_tproxy_arg="-use_tproxy true"
[ "$TCP_UDP" = "1" ] && {
config_file=$(echo $config_file | sed "s/TCP/TCP_UDP/g")
UDP_REDIR_PORT=$TCP_REDIR_PORT
@@ -996,7 +997,7 @@ run_redir() {
ln_run "$(first_type naive)" naive $log_file "$config_file"
;;
ssr)
- [ "$tcp_proxy_way" = "tproxy" ] && lua_tproxy_arg="-tcp_tproxy true"
+ [ "${TCP_PROXY_WAY}" = "tproxy" ] && lua_tproxy_arg="-tcp_tproxy true"
[ "$TCP_UDP" = "1" ] && {
config_file=$(echo $config_file | sed "s/TCP/TCP_UDP/g")
UDP_REDIR_PORT=$TCP_REDIR_PORT
@@ -1007,7 +1008,7 @@ run_redir() {
ln_run "$(first_type ssr-redir)" "ssr-redir" $log_file -c "$config_file" -v ${_extra_param}
;;
ss)
- [ "$tcp_proxy_way" = "tproxy" ] && lua_tproxy_arg="-tcp_tproxy true"
+ [ "${TCP_PROXY_WAY}" = "tproxy" ] && lua_tproxy_arg="-tcp_tproxy true"
lua_mode_arg="-mode tcp_only"
[ "$TCP_UDP" = "1" ] && {
config_file=$(echo $config_file | sed "s/TCP/TCP_UDP/g")
@@ -1020,7 +1021,7 @@ run_redir() {
;;
ss-rust)
local _extra_param="-local_tcp_redir_port $local_port"
- [ "$tcp_proxy_way" = "tproxy" ] && _extra_param="${_extra_param} -tcp_tproxy true"
+ [ "${TCP_PROXY_WAY}" = "tproxy" ] && _extra_param="${_extra_param} -tcp_tproxy true"
[ "$tcp_node_socks" = "1" ] && {
tcp_node_socks_flag=1
config_file=$(echo $config_file | sed "s/TCP/TCP_SOCKS/g")
@@ -1058,7 +1059,7 @@ run_redir() {
unset UDP_NODE
_extra_param="${_extra_param} -local_udp_redir_port $local_port"
}
- _extra_param="${_extra_param} -tcp_proxy_way $tcp_proxy_way"
+ _extra_param="${_extra_param} -tcp_proxy_way ${TCP_PROXY_WAY}"
lua $UTIL_HYSTERIA2 gen_config -node $node ${_extra_param} > $config_file
ln_run "$(first_type $(config_t_get global_app hysteria_file))" "hysteria" $log_file -c "$config_file" client
;;
@@ -1071,7 +1072,7 @@ run_redir() {
unset UDP_NODE
}
local _socks_tproxy=""
- [ "$tcp_proxy_way" = "tproxy" ] && _socks_tproxy="1"
+ [ "${TCP_PROXY_WAY}" = "tproxy" ] && _socks_tproxy="1"
run_ipt2socks flag=default proto=${_flag} tcp_tproxy=${_socks_tproxy} local_port=${local_port} socks_address=${_socks_address} socks_port=${_socks_port} socks_username=${_socks_username} socks_password=${_socks_password} log_file=${log_file}
fi
@@ -1352,12 +1353,12 @@ start_dns() {
#当全局(包括访问控制节点)开启chinadns-ng时,不启动新进程。
[ "$DNS_SHUNT" != "chinadns-ng" ] || [ "$ACL_RULE_DNSMASQ" = "1" ] && {
- LOCAL_DNS="127.0.0.1#${dns_listen_port}"
+ LOCAL_DNS="127.0.0.1#${NEXT_DNS_LISTEN_PORT}"
local china_ng_c_dns="tcp://$(get_first_dns DIRECT_DNS 53 | sed 's/:/#/g')"
- ln_run "$(first_type chinadns-ng)" chinadns-ng "/dev/null" -b 127.0.0.1 -l ${dns_listen_port} -c ${china_ng_c_dns} -d chn
+ ln_run "$(first_type chinadns-ng)" chinadns-ng "/dev/null" -b 127.0.0.1 -l ${NEXT_DNS_LISTEN_PORT} -c ${china_ng_c_dns} -d chn
echolog " - ChinaDNS-NG(${LOCAL_DNS}) -> ${china_ng_c_dns}"
echolog " * 请确保上游直连 DNS 支持 TCP 查询。"
- dns_listen_port=$(expr $dns_listen_port + 1)
+ NEXT_DNS_LISTEN_PORT=$(expr $NEXT_DNS_LISTEN_PORT + 1)
}
;;
dot)
@@ -1367,11 +1368,11 @@ start_dns() {
#当全局(包括访问控制节点)开启chinadns-ng时,不启动新进程。
[ "$DNS_SHUNT" != "chinadns-ng" ] || [ "$ACL_RULE_DNSMASQ" = "1" ] && {
- LOCAL_DNS="127.0.0.1#${dns_listen_port}"
- ln_run "$(first_type chinadns-ng)" chinadns-ng "/dev/null" -b 127.0.0.1 -l ${dns_listen_port} -c ${DIRECT_DNS} -d chn
+ LOCAL_DNS="127.0.0.1#${NEXT_DNS_LISTEN_PORT}"
+ ln_run "$(first_type chinadns-ng)" chinadns-ng "/dev/null" -b 127.0.0.1 -l ${NEXT_DNS_LISTEN_PORT} -c ${DIRECT_DNS} -d chn
echolog " - ChinaDNS-NG(${LOCAL_DNS}) -> ${DIRECT_DNS}"
echolog " * 请确保上游直连 DNS 支持 DoT 查询。"
- dns_listen_port=$(expr $dns_listen_port + 1)
+ NEXT_DNS_LISTEN_PORT=$(expr $NEXT_DNS_LISTEN_PORT + 1)
}
local tmp_dot_ip=$(echo "$DIRECT_DNS" | sed -n 's/.*:\/\/\([^@#]*@\)*\([^@#]*\).*/\2/p')
@@ -1403,30 +1404,31 @@ start_dns() {
# 排除127.0.0.1的条目
IPT_APPEND_DNS=$(echo "$IPT_APPEND_DNS" | awk -F',' '{for(i=1;i<=NF;i++) if($i !~ /^127\.0\.0\.1/) printf (i>1?",":"") $i; print ""}' | sed 's/^,\|,$//g')
- TUN_DNS="127.0.0.1#${dns_listen_port}"
- [ "${resolve_dns}" == "1" ] && TUN_DNS="127.0.0.1#${resolve_dns_port}"
+ TUN_DNS="127.0.0.1#${NEXT_DNS_LISTEN_PORT}"
+ [ -n "${NO_PLUGIN_DNS}" ] && TUN_DNS="127.0.0.1#${resolve_dns_port}"
case "$DNS_MODE" in
dns2socks)
local dns2socks_socks_server=$(echo $(config_t_get global socks_server 127.0.0.1:1080) | sed "s/#/:/g")
local dns2socks_forward=$(get_first_dns REMOTE_DNS 53 | sed 's/#/:/g')
- run_dns2socks socks=$dns2socks_socks_server listen_address=127.0.0.1 listen_port=${dns_listen_port} dns=$dns2socks_forward cache=$DNS_CACHE
+ run_dns2socks socks=$dns2socks_socks_server listen_address=127.0.0.1 listen_port=${NEXT_DNS_LISTEN_PORT} dns=$dns2socks_forward cache=$DNS_CACHE
echolog " - dns2socks(${TUN_DNS}),${dns2socks_socks_server} -> tcp://${dns2socks_forward}"
;;
sing-box)
- [ "${resolve_dns}" == "0" ] && {
+ [ -z "${NO_PLUGIN_DNS}" ] && {
local config_file=$TMP_PATH/DNS.json
local log_file=$TMP_PATH/DNS.log
local log_file=/dev/null
local _args="type=$DNS_MODE config_file=$config_file log_file=$log_file"
[ "${DNS_CACHE}" == "0" ] && _args="${_args} dns_cache=0"
+ _args="${_args} direct_dns_query_strategy=${DIRECT_DNS_QUERY_STRATEGY}"
_args="${_args} remote_dns_query_strategy=${REMOTE_DNS_QUERY_STRATEGY}"
DNSMASQ_FILTER_PROXY_IPV6=0
local _remote_dns_client_ip=$(config_t_get global remote_dns_client_ip)
[ -n "${_remote_dns_client_ip}" ] && _args="${_args} remote_dns_client_ip=${_remote_dns_client_ip}"
- use_tcp_node_resolve_dns=1
+ TCP_PROXY_DNS=1
local v2ray_dns_mode=$(config_t_get global v2ray_dns_mode tcp)
- _args="${_args} dns_listen_port=${dns_listen_port}"
+ _args="${_args} dns_listen_port=${NEXT_DNS_LISTEN_PORT}"
_args="${_args} remote_dns_protocol=${v2ray_dns_mode}"
case "$v2ray_dns_mode" in
tcp)
@@ -1449,18 +1451,19 @@ start_dns() {
}
;;
xray)
- [ "${resolve_dns}" == "0" ] && {
+ [ -z "${NO_PLUGIN_DNS}" ] && {
local config_file=$TMP_PATH/DNS.json
local log_file=$TMP_PATH/DNS.log
local log_file=/dev/null
local _args="type=$DNS_MODE config_file=$config_file log_file=$log_file"
[ "${DNS_CACHE}" == "0" ] && _args="${_args} dns_cache=0"
+ _args="${_args} direct_dns_query_strategy=${DIRECT_DNS_QUERY_STRATEGY}"
_args="${_args} remote_dns_query_strategy=${REMOTE_DNS_QUERY_STRATEGY}"
DNSMASQ_FILTER_PROXY_IPV6=0
local _remote_dns_client_ip=$(config_t_get global remote_dns_client_ip)
[ -n "${_remote_dns_client_ip}" ] && _args="${_args} remote_dns_client_ip=${_remote_dns_client_ip}"
- use_tcp_node_resolve_dns=1
- _args="${_args} dns_listen_port=${dns_listen_port}"
+ TCP_PROXY_DNS=1
+ _args="${_args} dns_listen_port=${NEXT_DNS_LISTEN_PORT}"
_args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
local v2ray_dns_mode=$(config_t_get global v2ray_dns_mode tcp)
if [ "$v2ray_dns_mode" = "tcp+doh" ]; then
@@ -1479,9 +1482,9 @@ start_dns() {
}
;;
dot)
- use_tcp_node_resolve_dns=1
+ TCP_PROXY_DNS=1
if [ "$chinadns_tls" != "nil" ]; then
- local china_ng_listen_port=${dns_listen_port}
+ local china_ng_listen_port=${NEXT_DNS_LISTEN_PORT}
local china_ng_trust_dns=$(config_t_get global remote_dns_dot "tls://dns.google@8.8.4.4")
local tmp_dot_ip=$(echo "$china_ng_trust_dns" | sed -n 's/.*:\/\/\([^@#]*@\)*\([^@#]*\).*/\2/p')
local tmp_dot_port=$(echo "$china_ng_trust_dns" | sed -n 's/.*#\([0-9]\+\).*/\1/p')
@@ -1494,7 +1497,7 @@ start_dns() {
else
echolog " - 你的ChinaDNS-NG版本不支持DoT,远程DNS将默认使用tcp://1.1.1.1"
REMOTE_DNS="1.1.1.1"
- local china_ng_listen_port=${dns_listen_port}
+ local china_ng_listen_port=${NEXT_DNS_LISTEN_PORT}
local china_ng_trust_dns="tcp://${REMOTE_DNS}"
[ "$DNS_SHUNT" != "chinadns-ng" ] && {
[ "$FILTER_PROXY_IPV6" = "1" ] && DNSMASQ_FILTER_PROXY_IPV6=0 && local no_ipv6_trust="-N"
@@ -1504,8 +1507,8 @@ start_dns() {
fi
;;
udp)
- use_udp_node_resolve_dns=1
- local china_ng_listen_port=${dns_listen_port}
+ UDP_PROXY_DNS=1
+ local china_ng_listen_port=${NEXT_DNS_LISTEN_PORT}
local china_ng_trust_dns="udp://$(get_first_dns REMOTE_DNS 53 | sed 's/:/#/g')"
if [ "$DNS_SHUNT" != "chinadns-ng" ] && [ "$FILTER_PROXY_IPV6" = "1" ]; then
DNSMASQ_FILTER_PROXY_IPV6=0
@@ -1518,8 +1521,8 @@ start_dns() {
fi
;;
tcp)
- use_tcp_node_resolve_dns=1
- local china_ng_listen_port=${dns_listen_port}
+ TCP_PROXY_DNS=1
+ local china_ng_listen_port=${NEXT_DNS_LISTEN_PORT}
local china_ng_trust_dns="tcp://$(get_first_dns REMOTE_DNS 53 | sed 's/:/#/g')"
[ "$DNS_SHUNT" != "chinadns-ng" ] && {
[ "$FILTER_PROXY_IPV6" = "1" ] && DNSMASQ_FILTER_PROXY_IPV6=0 && local no_ipv6_trust="-N"
@@ -1531,8 +1534,8 @@ start_dns() {
[ -n "${resolve_dns_log}" ] && echolog " - ${resolve_dns_log}"
- [ "${use_tcp_node_resolve_dns}" = "1" ] && echolog " * 请确认上游 DNS 支持 TCP/DoT/DoH 查询,如非直连地址,确保 TCP 代理打开,并且已经正确转发!"
- [ "${use_udp_node_resolve_dns}" = "1" ] && echolog " * 请确认上游 DNS 支持 UDP 查询并已使用 UDP 节点,如上游 DNS 非直连地址,确保 UDP 代理打开,并且已经正确转发!"
+ [ -n "${TCP_PROXY_DNS}" ] && echolog " * 请确认上游 DNS 支持 TCP/DoT/DoH 查询,如非直连地址,确保 TCP 代理打开,并且已经正确转发!"
+ [ -n "${UDP_PROXY_DNS}" ] && echolog " * 请确认上游 DNS 支持 UDP 查询并已使用 UDP 节点,如上游 DNS 非直连地址,确保 UDP 代理打开,并且已经正确转发!"
[ "${DNS_SHUNT}" = "smartdns" ] && {
if command -v smartdns > /dev/null 2>&1; then
@@ -1558,7 +1561,6 @@ start_dns() {
echolog " * 未安装SmartDNS,默认使用Dnsmasq进行域名解析!"
fi
}
- rm -rf $TMP_PATH2/smartdns_default*
[ "$DNS_SHUNT" = "chinadns-ng" ] && [ -n "$(first_type chinadns-ng)" ] && {
chinadns_ng_min=2024.04.13
@@ -1568,7 +1570,7 @@ start_dns() {
fi
[ "$FILTER_PROXY_IPV6" = "1" ] && DNSMASQ_FILTER_PROXY_IPV6=0
- [ -z "${china_ng_listen_port}" ] && local china_ng_listen_port=$(expr $dns_listen_port + 1)
+ [ -z "${china_ng_listen_port}" ] && local china_ng_listen_port=$(expr $NEXT_DNS_LISTEN_PORT + 1)
local china_ng_listen="127.0.0.1#${china_ng_listen_port}"
[ -z "${china_ng_trust_dns}" ] && local china_ng_trust_dns=${TUN_DNS}
@@ -1857,7 +1859,7 @@ acl_app() {
local dnsmasq_conf=${acl_path}/dnsmasq.conf
local dnsmasq_conf_path=${acl_path}/dnsmasq.d
lua $APP_PATH/helper_dnsmasq.lua add_rule -FLAG ${sid} -TMP_DNSMASQ_PATH ${dnsmasq_conf_path} -DNSMASQ_CONF_FILE ${dnsmasq_conf} \
- -LISTEN_PORT ${dnsmasq_port} -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \
+ -LISTEN_PORT ${dnsmasq_port} -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS $LOCAL_DNS \
-USE_DIRECT_LIST "${use_direct_list}" -USE_PROXY_LIST "${use_proxy_list}" -USE_BLOCK_LIST "${use_block_list}" -USE_GFW_LIST "${use_gfw_list}" -CHN_LIST "${chn_list}" \
-TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -USE_DEFAULT_DNS "${use_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \
-TCP_NODE $tcp_node -DEFAULT_PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${dnsmasq_filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \
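Review bot: `-DEFAULT_DNS ${DEFAULT_DNS}` at L481 is still unquoted while the neighbouring list flags are quoted, and the top-level `DEFAULT_DNS=` initialisation is removed in an earlier hunk of this file; if DEFAULT_DNS is empty at this call the token disappears and `-LOCAL_DNS` is read as its value, shifting the rest of the argument list. If helper_dnsmasq.lua accepts an empty value, quoting it as `-DEFAULT_DNS "${DEFAULT_DNS}"` keeps the positions stable; otherwise the caller should establish a default before building the command. The enclosing acl_app invocation continues outside the hunk.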
@@ -1986,6 +1988,10 @@ acl_app() {
}
start() {
+ mkdir -p /tmp/etc $TMP_PATH $TMP_BIN_PATH $TMP_SCRIPT_FUNC_PATH $TMP_ROUTE_PATH $TMP_ACL_PATH $TMP_PATH2
+ get_config
+ export V2RAY_LOCATION_ASSET=$(config_t_get global_rules v2ray_location_asset "/usr/share/v2ray/")
+ export XRAY_LOCATION_ASSET=$V2RAY_LOCATION_ASSET
ulimit -n 65535
start_haproxy
start_socks
@@ -2056,14 +2062,12 @@ start() {
stop() {
clean_log
- [ -n "$($(source $APP_PATH/iptables.sh get_ipt_bin) -t mangle -t nat -L -nv 2>/dev/null | grep "PSW")" ] && source $APP_PATH/iptables.sh stop
- [ -n "$(nft list chains 2>/dev/null | grep "PSW")" ] && source $APP_PATH/nftables.sh stop
+ eval_cache_var
+ [ -n "$USE_TABLES" ] && source $APP_PATH/${USE_TABLES}.sh stop
delete_ip2route
kill_all v2ray-plugin obfs-local
pgrep -f "sleep.*(6s|9s|58s)" | xargs kill -9 >/dev/null 2>&1
pgrep -af "${CONFIG}/" | awk '! /app\.sh|subscribe\.lua|rule_update\.lua|tasks\.sh|ujail/{print $1}' | xargs kill -9 >/dev/null 2>&1
- unset V2RAY_LOCATION_ASSET
- unset XRAY_LOCATION_ASSET
stop_crontab
source $APP_PATH/helper_smartdns.sh del
rm -rf $GLOBAL_DNSMASQ_CONF
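Review bot: stop() now restores only the cache variables via `eval_cache_var` (L500) and never calls `get_config`, yet the final hunk removes the top-level definitions of `GLOBAL_DNSMASQ_CONF`, `GLOBAL_DNSMASQ_CONF_PATH` and the other globals, and only start() (hunk at L485) calls get_config; if those two paths moved into get_config, `rm -rf $GLOBAL_DNSMASQ_CONF` at L510 and the `uci -q del_list dhcp.@dnsmasq[0].addnmount="${GLOBAL_DNSMASQ_CONF_PATH}"` in the next hunk expand to empty and the dnsmasq include is left behind after stop. Either call `get_config` at the top of stop() as well, or persist the two paths with set_cache_var in start() so eval_cache_var brings them back. Independently, the unquoted `rm -rf` deserves a guard, `[ -n "$GLOBAL_DNSMASQ_CONF" ] && rm -rf "$GLOBAL_DNSMASQ_CONF"`. The `source $APP_PATH/${USE_TABLES}.sh stop` on L501 likewise assumes start() records USE_TABLES in the cache, which is not visible here.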
@@ -2077,14 +2081,12 @@ stop() {
uci -q delete ${CONFIG}.@global[0].dnsmasq_dns_redirect
uci -q commit ${CONFIG}
}
- if [ -z "$(get_cache_var "ACL_default_dns_port")" ] || [ -n "${bak_dnsmasq_dns_redirect}" ]; then
+ if [ -z "${ACL_default_dns_port}" ] || [ -n "${bak_dnsmasq_dns_redirect}" ]; then
uci -q del_list dhcp.@dnsmasq[0].addnmount="${GLOBAL_DNSMASQ_CONF_PATH}"
uci -q commit dhcp
lua $APP_PATH/helper_dnsmasq.lua restart -LOG 0
fi
- bak_bridge_nf_ipt=$(get_cache_var "bak_bridge_nf_ipt")
[ -n "${bak_bridge_nf_ipt}" ] && sysctl -w net.bridge.bridge-nf-call-iptables=${bak_bridge_nf_ipt} >/dev/null 2>&1
- bak_bridge_nf_ip6t=$(get_cache_var "bak_bridge_nf_ip6t")
[ -n "${bak_bridge_nf_ip6t}" ] && sysctl -w net.bridge.bridge-nf-call-ip6tables=${bak_bridge_nf_ip6t} >/dev/null 2>&1
}
rm -rf $TMP_PATH
@@ -2093,97 +2095,97 @@ stop() {
exit 0
}
-ENABLED=$(config_t_get global enabled 0)
-SOCKS_ENABLED=$(config_t_get global socks_enabled 0)
-TCP_REDIR_PORT=1041
-TCP_NODE=$(config_t_get global tcp_node)
-UDP_REDIR_PORT=1051
-UDP_NODE=$(config_t_get global udp_node)
-TCP_UDP=0
-if [ "$UDP_NODE" == "tcp" ]; then
- UDP_NODE=$TCP_NODE
- TCP_UDP=1
-elif [ "$UDP_NODE" == "$TCP_NODE" ]; then
- TCP_UDP=1
-fi
-[ "$ENABLED" == 1 ] && {
- [ -n "$TCP_NODE" ] && [ "$(config_get_type $TCP_NODE)" == "nodes" ] && ENABLED_DEFAULT_ACL=1
- [ -n "$UDP_NODE" ] && [ "$(config_get_type $UDP_NODE)" == "nodes" ] && ENABLED_DEFAULT_ACL=1
-}
-ENABLED_ACLS=$(config_t_get global acl_enable 0)
-[ "$ENABLED_ACLS" == 1 ] && {
- [ "$(uci show ${CONFIG} | grep "@acl_rule" | grep "enabled='1'" | wc -l)" == 0 ] && ENABLED_ACLS=0
-}
-
-tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
-PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0)
-TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443')
-UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
-TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable')
-UDP_NO_REDIR_PORTS=$(config_t_get global_forwarding udp_no_redir_ports 'disable')
-TCP_PROXY_DROP_PORTS=$(config_t_get global_forwarding tcp_proxy_drop_ports 'disable')
-UDP_PROXY_DROP_PORTS=$(config_t_get global_forwarding udp_proxy_drop_ports '80,443')
-USE_DIRECT_LIST=$(config_t_get global use_direct_list 1)
-USE_PROXY_LIST=$(config_t_get global use_proxy_list 1)
-USE_BLOCK_LIST=$(config_t_get global use_block_list 1)
-USE_GFW_LIST=$(config_t_get global use_gfw_list 1)
-CHN_LIST=$(config_t_get global chn_list direct)
-TCP_PROXY_MODE=$(config_t_get global tcp_proxy_mode proxy)
-UDP_PROXY_MODE=$(config_t_get global udp_proxy_mode proxy)
-[ "${TCP_PROXY_MODE}" != "disable" ] && TCP_PROXY_MODE="proxy"
-[ "${UDP_PROXY_MODE}" != "disable" ] && UDP_PROXY_MODE="proxy"
-LOCALHOST_PROXY=$(config_t_get global localhost_proxy 1)
-[ "${LOCALHOST_PROXY}" == 1 ] && {
- LOCALHOST_TCP_PROXY_MODE=$TCP_PROXY_MODE
- LOCALHOST_UDP_PROXY_MODE=$UDP_PROXY_MODE
-}
-CLIENT_PROXY=$(config_t_get global client_proxy 1)
-DNS_SHUNT=$(config_t_get global dns_shunt dnsmasq)
-[ -z "$(first_type $DNS_SHUNT)" ] && DNS_SHUNT="dnsmasq"
-DNS_MODE=$(config_t_get global dns_mode tcp)
-SMARTDNS_DNS_MODE=$(config_t_get global smartdns_dns_mode socks)
-[ "$DNS_SHUNT" = "smartdns" ] && DNS_MODE=$SMARTDNS_DNS_MODE
-DNS_CACHE=0
-REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')
-USE_DEFAULT_DNS=$(config_t_get global use_default_dns direct)
-FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0)
-DNS_REDIRECT=$(config_t_get global dns_redirect 1)
-dns_listen_port=${DNS_PORT}
-
-REDIRECT_LIST="socks ss ss-rust ssr sing-box xray trojan-plus naiveproxy hysteria2"
-TPROXY_LIST="socks ss ss-rust ssr sing-box xray trojan-plus hysteria2"
-RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
-[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
-
-ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
-ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
-
-DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
-[ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',')
-LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}"
-IPT_APPEND_DNS=${LOCAL_DNS}
-
-DNSMASQ_CONF_DIR=/tmp/dnsmasq.d
-DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')"
-if [ -f "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID" ]; then
- DNSMASQ_CONF_DIR="$(awk -F '=' '/^conf-dir=/ {print $2}' "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID")"
- if [ -n "$DNSMASQ_CONF_DIR" ]; then
- DNSMASQ_CONF_DIR=${DNSMASQ_CONF_DIR%*/}
- else
- DNSMASQ_CONF_DIR="/tmp/dnsmasq.d"
+get_config() {
+ ENABLED_DEFAULT_ACL=0
+ TCP_REDIR_PORT=1041
+ UDP_REDIR_PORT=1051
+ ENABLED=$(config_t_get global enabled 0)
+ SOCKS_ENABLED=$(config_t_get global socks_enabled 0)
+ TCP_NODE=$(config_t_get global tcp_node)
+ UDP_NODE=$(config_t_get global udp_node)
+ TCP_UDP=0
+ if [ "$UDP_NODE" == "tcp" ]; then
+ UDP_NODE=$TCP_NODE
+ TCP_UDP=1
+ elif [ "$UDP_NODE" == "$TCP_NODE" ]; then
+ TCP_UDP=1
fi
-fi
-GLOBAL_DNSMASQ_CONF=${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf
-GLOBAL_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/dnsmasq.d
-
-DIRECT_DNS_QUERY_STRATEGY="UseIP"
-REMOTE_DNS_QUERY_STRATEGY="UseIP"
-[ "$FILTER_PROXY_IPV6" = "1" ] && REMOTE_DNS_QUERY_STRATEGY="UseIPv4"
-DNSMASQ_FILTER_PROXY_IPV6=${FILTER_PROXY_IPV6}
+ [ "$ENABLED" == 1 ] && {
+ [ -n "$TCP_NODE" ] && [ "$(config_get_type $TCP_NODE)" == "nodes" ] && ENABLED_DEFAULT_ACL=1
+ [ -n "$UDP_NODE" ] && [ "$(config_get_type $UDP_NODE)" == "nodes" ] && ENABLED_DEFAULT_ACL=1
+ }
+ ENABLED_ACLS=$(config_t_get global acl_enable 0)
+ [ "$ENABLED_ACLS" == 1 ] && {
+ [ "$(uci show ${CONFIG} | grep "@acl_rule" | grep "enabled='1'" | wc -l)" == 0 ] && ENABLED_ACLS=0
+ }
-export V2RAY_LOCATION_ASSET=$(config_t_get global_rules v2ray_location_asset "/usr/share/v2ray/")
-export XRAY_LOCATION_ASSET=$V2RAY_LOCATION_ASSET
-mkdir -p /tmp/etc $TMP_PATH $TMP_BIN_PATH $TMP_SCRIPT_FUNC_PATH $TMP_ROUTE_PATH $TMP_ACL_PATH $TMP_PATH2
+ TCP_PROXY_WAY=$(config_t_get global_forwarding tcp_proxy_way redirect)
+ PROXY_IPV6=$(config_t_get global_forwarding ipv6_tproxy 0)
+ TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443')
+ UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
+ TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable')
+ UDP_NO_REDIR_PORTS=$(config_t_get global_forwarding udp_no_redir_ports 'disable')
+ TCP_PROXY_DROP_PORTS=$(config_t_get global_forwarding tcp_proxy_drop_ports 'disable')
+ UDP_PROXY_DROP_PORTS=$(config_t_get global_forwarding udp_proxy_drop_ports '80,443')
+ USE_DIRECT_LIST=$(config_t_get global use_direct_list 1)
+ USE_PROXY_LIST=$(config_t_get global use_proxy_list 1)
+ USE_BLOCK_LIST=$(config_t_get global use_block_list 1)
+ USE_GFW_LIST=$(config_t_get global use_gfw_list 1)
+ CHN_LIST=$(config_t_get global chn_list direct)
+ TCP_PROXY_MODE=$(config_t_get global tcp_proxy_mode proxy)
+ UDP_PROXY_MODE=$(config_t_get global udp_proxy_mode proxy)
+ [ "${TCP_PROXY_MODE}" != "disable" ] && TCP_PROXY_MODE="proxy"
+ [ "${UDP_PROXY_MODE}" != "disable" ] && UDP_PROXY_MODE="proxy"
+ LOCALHOST_PROXY=$(config_t_get global localhost_proxy 1)
+ [ "${LOCALHOST_PROXY}" == 1 ] && {
+ LOCALHOST_TCP_PROXY_MODE=$TCP_PROXY_MODE
+ LOCALHOST_UDP_PROXY_MODE=$UDP_PROXY_MODE
+ }
+ CLIENT_PROXY=$(config_t_get global client_proxy 1)
+ DNS_SHUNT=$(config_t_get global dns_shunt dnsmasq)
+ [ -z "$(first_type $DNS_SHUNT)" ] && DNS_SHUNT="dnsmasq"
+ DNS_MODE=$(config_t_get global dns_mode tcp)
+ [ "$DNS_SHUNT" = "smartdns" ] && DNS_MODE=$(config_t_get global smartdns_dns_mode socks)
+ REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')
+ USE_DEFAULT_DNS=$(config_t_get global use_default_dns direct)
+ FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0)
+ DNS_REDIRECT=$(config_t_get global dns_redirect 1)
+
+ REDIRECT_LIST="socks ss ss-rust ssr sing-box xray trojan-plus naiveproxy hysteria2"
+ TPROXY_LIST="socks ss ss-rust ssr sing-box xray trojan-plus hysteria2"
+
+ NEXT_DNS_LISTEN_PORT=15353
+ TUN_DNS="127.0.0.1#${NEXT_DNS_LISTEN_PORT}"
+ DNS_CACHE=0
+ DIRECT_DNS_QUERY_STRATEGY="UseIP"
+ REMOTE_DNS_QUERY_STRATEGY="UseIP"
+ [ "$FILTER_PROXY_IPV6" = "1" ] && REMOTE_DNS_QUERY_STRATEGY="UseIPv4"
+ DNSMASQ_FILTER_PROXY_IPV6=${FILTER_PROXY_IPV6}
+
+ RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
+ [ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
+
+ ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
+ ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::)
+
+ DEFAULT_DNS=$(uci show dhcp.@dnsmasq[0] | grep "\.server=" | awk -F '=' '{print $2}' | sed "s/'//g" | tr ' ' '\n' | grep -v "\/" | head -2 | sed ':label;N;s/\n/,/;b label')
+ [ -z "${DEFAULT_DNS}" ] && [ "$(echo $ISP_DNS | tr ' ' '\n' | wc -l)" -le 2 ] && DEFAULT_DNS=$(echo -n $ISP_DNS | tr ' ' '\n' | head -2 | tr '\n' ',' | sed 's/,$//')
+ LOCAL_DNS="${DEFAULT_DNS:-119.29.29.29,223.5.5.5}"
+ IPT_APPEND_DNS=${LOCAL_DNS}
+
+ DNSMASQ_CONF_DIR=/tmp/dnsmasq.d
+ DEFAULT_DNSMASQ_CFGID="$(uci -q show "dhcp.@dnsmasq[0]" | awk 'NR==1 {split($0, conf, /[.=]/); print conf[2]}')"
+ if [ -f "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID" ]; then
+ DNSMASQ_CONF_DIR="$(awk -F '=' '/^conf-dir=/ {print $2}' "/tmp/etc/dnsmasq.conf.$DEFAULT_DNSMASQ_CFGID")"
+ if [ -n "$DNSMASQ_CONF_DIR" ]; then
+ DNSMASQ_CONF_DIR=${DNSMASQ_CONF_DIR%*/}
+ else
+ DNSMASQ_CONF_DIR="/tmp/dnsmasq.d"
+ fi
+ fi
+ set_cache_var GLOBAL_DNSMASQ_CONF ${DNSMASQ_CONF_DIR}/dnsmasq-${CONFIG}.conf
+ set_cache_var GLOBAL_DNSMASQ_CONF_PATH ${GLOBAL_ACL_PATH}/dnsmasq.d
+}
arg1=$1
shift
@@ -2191,31 +2193,28 @@ case $arg1 in
add_ip2route)
add_ip2route $@
;;
-get_new_port)
- get_new_port $@
- ;;
-run_socks)
- run_socks $@
- ;;
-run_redir)
- run_redir $@
- ;;
-socks_node_switch)
- socks_node_switch $@
- ;;
echolog)
echolog $@
;;
+get_new_port)
+ get_new_port $@
+ ;;
get_cache_var)
get_cache_var $@
;;
set_cache_var)
set_cache_var $@
;;
-stop)
- stop
+run_socks)
+ run_socks $@
+ ;;
+socks_node_switch)
+ socks_node_switch $@
;;
start)
start
;;
+stop)
+ stop
+ ;;
esac
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/haproxy.lua b/applications/luci-app-passwall/root/usr/share/passwall/haproxy.lua
index 46da40d4bff..50a3c4f39df 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/haproxy.lua
+++ b/applications/luci-app-passwall/root/usr/share/passwall/haproxy.lua
@@ -4,7 +4,7 @@ local api = require ("luci.passwall.api")
local appname = "passwall"
local fs = api.fs
local jsonc = api.jsonc
-local uci = api.libuci
+local uci = api.uci
local sys = api.sys
local log = function(...)
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua b/applications/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
index 94d3869495e..72b3c7e0417 100644
--- a/applications/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
+++ b/applications/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
@@ -19,8 +19,9 @@ local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"]
local TCP_NODE = var["-TCP_NODE"]
local NFTFLAG = var["-NFTFLAG"]
local REMOTE_FAKEDNS = var["-REMOTE_FAKEDNS"]
+local LOG_FILE = var["-LOG_FILE"]
-local uci = api.libuci
+local uci = api.uci
local sys = api.sys
local fs = api.fs
local datatypes = api.datatypes
@@ -104,7 +105,7 @@ local setflag = (NFTFLAG == "1") and "inet@passwall@" or ""
local only_global = (DEFAULT_MODE == "proxy" and CHNLIST == "0" and GFWLIST == "0") and 1
config_lines = {
- --"verbose",
+ LOG_FILE ~= "/dev/null" and "verbose" or "",
"bind-addr 127.0.0.1",
"bind-port " .. LISTEN_PORT,
"china-dns " .. DNS_LOCAL,
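Review bot: `LOG_FILE ~= "/dev/null" and "verbose" or ""` on the first changed line switches verbose logging on whenever `-LOG_FILE` is not passed at all, because `nil ~= "/dev/null"` is true, whereas the line it replaces had verbose commented out. If the intent is verbose only when a real log file is configured, guard the nil case: `(LOG_FILE and LOG_FILE ~= "/dev/null") and "verbose" or "",`. Whether every caller of this helper passes `-LOG_FILE` is not visible in this diff; the config_lines table continues past the hunk.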
@@ -270,7 +271,7 @@ if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then
"group proxylist",
"group-dnl " .. file_proxy_host,
"group-upstream " .. DNS_TRUST,
- REMOTE_FAKEDNS ~= "1" and "group-ipset " .. table.concat(sets, ",") or nil
+ REMOTE_FAKEDNS ~= "1" and "group-ipset " .. table.concat(sets, ",") or ""
}
if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:proxylist") end
insert_array_after(config_lines, tmp_lines, "#--3")
@@ -292,7 +293,7 @@ if GFWLIST == "1" and is_file_nonzero(RULES_PATH .. "/gfwlist") then
end
tmp_lines = {
"gfwlist-file " .. RULES_PATH .. "/gfwlist",
- REMOTE_FAKEDNS ~= "1" and "add-taggfw-ip " .. table.concat(sets, ",") or nil
+ REMOTE_FAKEDNS ~= "1" and "add-taggfw-ip " .. table.concat(sets, ",") or ""
}
if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:gfw") end
merge_array(config_lines, tmp_lines)
@@ -323,7 +324,7 @@ if CHNLIST ~= "0" and is_file_nonzero(RULES_PATH .. "/chnlist") then
"group chn_proxy",
"group-dnl " .. RULES_PATH .. "/chnlist",
"group-upstream " .. DNS_TRUST,
- REMOTE_FAKEDNS ~= "1" and "group-ipset " .. table.concat(sets, ",") or nil
+ REMOTE_FAKEDNS ~= "1" and "group-ipset " .. table.concat(sets, ",") or ""
}
if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:chn_proxy") end
insert_array_after(config_lines, tmp_lines, "#--1")
@@ -448,7 +449,7 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
"group shuntlist",
"group-dnl " .. file_shunt_host,
"group-upstream " .. DNS_TRUST,
- (not only_global and REMOTE_FAKEDNS == "1") and nil or ("group-ipset " .. table.concat(sets, ","))
+ (not only_global and REMOTE_FAKEDNS == "1") and "" or ("group-ipset " .. table.concat(sets, ","))
}
if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:shuntlist") end
insert_array_after(config_lines, tmp_lines, "#--2")
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.lua b/applications/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.lua
index 6744e903af9..df0c9fe5091 100644
--- a/applications/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.lua
+++ b/applications/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.lua
@@ -1,6 +1,6 @@
local api = require "luci.passwall.api"
local appname = "passwall"
-local uci = api.libuci
+local uci = api.uci
local sys = api.sys
local fs = api.fs
local datatypes = api.datatypes
@@ -25,7 +25,7 @@ local function backup_servers()
local DNSMASQ_DNS = uci:get("dhcp", "@dnsmasq[0]", "server")
if DNSMASQ_DNS and #DNSMASQ_DNS > 0 then
uci:set(appname, "@global[0]", "dnsmasq_servers", DNSMASQ_DNS)
- uci:commit(appname)
+ api.uci_save(uci, appname, true)
end
end
@@ -43,11 +43,11 @@ local function restore_servers()
tinsert(dns_table, v)
end
uci:delete(appname, "@global[0]", "dnsmasq_servers")
- uci:commit(appname)
+ api.uci_save(uci, appname, true)
end
if dns_table and #dns_table > 0 then
- api.uci_set_list(uci, "dhcp", "@dnsmasq[0]", "server", dns_table)
- uci:commit("dhcp")
+ uci:set_list("dhcp", "@dnsmasq[0]", "server", dns_table)
+ api.uci_save(uci, "dhcp", true)
end
end
@@ -76,7 +76,7 @@ function stretch()
end
end
uci:set("dhcp", "@dnsmasq[0]", "resolvfile", RESOLVFILE)
- uci:commit("dhcp")
+ api.uci_save(uci, "dhcp", true)
end
end
@@ -102,8 +102,8 @@ function logic_restart(var)
tinsert(dns_table, v)
end
end
- api.uci_set_list(uci, "dhcp", "@dnsmasq[0]", "server", dns_table)
- uci:commit("dhcp")
+ uci:set_list("dhcp", "@dnsmasq[0]", "server", dns_table)
+ api.uci_save(uci, "dhcp", true)
end
sys.call("/etc/init.d/dnsmasq restart >/dev/null 2>&1")
restore_servers()
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua b/applications/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua
index 38caf5508cb..ef87747608b 100644
--- a/applications/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua
+++ b/applications/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua
@@ -23,12 +23,8 @@ local DEFAULT_PROXY_MODE = var["-DEFAULT_PROXY_MODE"]
local NO_PROXY_IPV6 = var["-NO_PROXY_IPV6"]
local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"]
local NFTFLAG = var["-NFTFLAG"]
-local CACHE_PATH = api.CACHE_PATH
-local CACHE_FLAG = "smartdns_" .. FLAG
-local CACHE_DNS_PATH = CACHE_PATH .. "/" .. CACHE_FLAG
-local CACHE_DNS_FILE = CACHE_DNS_PATH .. ".conf"
-local uci = api.libuci
+local uci = api.uci
local sys = api.sys
local fs = api.fs
local datatypes = api.datatypes
@@ -37,6 +33,7 @@ local TMP_PATH = "/tmp/etc/" .. appname
local TMP_ACL_PATH = TMP_PATH .. "/acl"
local RULES_PATH = "/usr/share/" .. appname .. "/rules"
local FLAG_PATH = TMP_ACL_PATH .. "/" .. FLAG
+local TMP_CONF_FILE = FLAG_PATH .. "/smartdns.conf"
local config_lines = {}
local tmp_lines = {}
local USE_GEOVIEW = uci:get(appname, "@global_rules[0]", "enable_geoview")
@@ -107,10 +104,6 @@ if not fs.access(FLAG_PATH) then
fs.mkdir(FLAG_PATH)
end
-if not fs.access(CACHE_PATH) then
- fs.mkdir(CACHE_PATH)
-end
-
local LOCAL_EXTEND_ARG = ""
if LOCAL_GROUP == "nil" then
LOCAL_GROUP = nil
@@ -603,7 +596,7 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
end
if #config_lines > 0 then
- local f_out = io.open(CACHE_DNS_FILE, "w")
+ local f_out = io.open(TMP_CONF_FILE, "w")
for i = 1, #config_lines do
line = config_lines[i]
if line ~= "" and not line:find("^#--") then
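Review bot: `io.open(TMP_CONF_FILE, "w")` on the changed line is still not checked, so if FLAG_PATH is missing or not writable `f_out` is nil and the loop below dies with an "attempt to index a nil value" error instead of saying which file could not be created. Either `local f_out = assert(io.open(TMP_CONF_FILE, "w"))` or an explicit `if not f_out then log(" - cannot write " .. TMP_CONF_FILE) return end` would make the failure diagnosable. The `mkdir(FLAG_PATH)` earlier in the file is likewise unchecked, so this is the first place the error would surface; the enclosing `if #config_lines > 0` block ends outside the hunk.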
@@ -617,6 +610,6 @@ if DEFAULT_DNS_GROUP then
log(string.format(" - 默认 DNS 分组:%s", DEFAULT_DNS_GROUP))
end
-fs.symlink(CACHE_DNS_FILE, SMARTDNS_CONF)
+fs.symlink(TMP_CONF_FILE, SMARTDNS_CONF)
sys.call(string.format('echo "conf-file %s" >> /etc/smartdns/custom.conf', string.gsub(SMARTDNS_CONF, appname, appname .. "*")))
log(" - 请让SmartDNS作为Dnsmasq的上游或重定向!")
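Review bot: The return value of `fs.symlink(TMP_CONF_FILE, SMARTDNS_CONF)` on the changed line is ignored; if SMARTDNS_CONF already exists, for instance a link left by a previous run that still points at the old CACHE_DNS_FILE location this commit removes, the symlink call fails and smartdns keeps a dangling `conf-file` while the script reports success. Unlink before linking and log on failure, e.g. `fs.remove(SMARTDNS_CONF)` followed by `if not fs.symlink(TMP_CONF_FILE, SMARTDNS_CONF) then log(" - symlink failed: " .. SMARTDNS_CONF) end` (assuming api.fs is nixio.fs, which returns nil on error). Whether a stale link can survive depends on the stop/flush paths, which are not in this hunk.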
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/iptables.sh b/applications/luci-app-passwall/root/usr/share/passwall/iptables.sh
index dd1aee966e7..d51a2260912 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/applications/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -476,7 +476,7 @@ load_acl() {
[ "${udp_proxy_mode}" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY)
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "$PROXY_IPV6" == "1" ] && {
[ "${use_proxy_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $black6_set_name) -j PSW_RULE 2>/dev/null
[ "${use_gfw_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $gfw6_set_name) -j PSW_RULE 2>/dev/null
[ "${chn_list}" != "0" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${chn_list} "-j PSW_RULE") 2>/dev/null
@@ -653,7 +653,7 @@ load_acl() {
[ "${UDP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "$PROXY_IPV6" == "1" ] && {
[ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACK6) -j PSW_RULE
[ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE
[ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
@@ -751,8 +751,8 @@ add_firewall_rule() {
ipset -! create $IPSET_WHITE6 nethash family inet6 maxelem 1048576 timeout 172800
ipset -! create $IPSET_BLOCK6 nethash family inet6 maxelem 1048576 timeout 172800
- cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ cat $RULES_PATH/chnroute | tr -s '\n' | grep -v "^#" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ cat $RULES_PATH/chnroute6 | tr -s '\n' | grep -v "^#" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
#导入规则列表、分流规则中的IP列表
local USE_SHUNT_NODE=0
@@ -782,13 +782,13 @@ add_firewall_rule() {
#直连列表
[ "$USE_DIRECT_LIST_ALL" = "1" ] && {
- cat $RULES_PATH/direct_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_WHITE &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- cat $RULES_PATH/direct_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_WHITE6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ cat $RULES_PATH/direct_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_WHITE &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ cat $RULES_PATH/direct_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_WHITE6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
[ "$USE_GEOVIEW" = "1" ] && {
local GEOIP_CODE=$(cat $RULES_PATH/direct_ip | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
- get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_WHITE &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_WHITE6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_WHITE &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_WHITE6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
echolog " - [$?]解析并加入[直连列表] GeoIP 到 IPSET 完成"
fi
}
@@ -796,13 +796,13 @@ add_firewall_rule() {
#代理列表
[ "$USE_PROXY_LIST_ALL" = "1" ] && {
- cat $RULES_PATH/proxy_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLACK &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- cat $RULES_PATH/proxy_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLACK6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ cat $RULES_PATH/proxy_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLACK &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ cat $RULES_PATH/proxy_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLACK6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
[ "$USE_GEOVIEW" = "1" ] && {
local GEOIP_CODE=$(cat $RULES_PATH/proxy_ip | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
- get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLACK &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLACK6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLACK &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLACK6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
echolog " - [$?]解析并加入[代理列表] GeoIP 到 IPSET 完成"
fi
}
@@ -810,13 +810,13 @@ add_firewall_rule() {
#屏蔽列表
[ "$USE_BLOCK_LIST_ALL" = "1" ] && {
- cat $RULES_PATH/block_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLOCK &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- cat $RULES_PATH/block_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLOCK6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ cat $RULES_PATH/block_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLOCK &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ cat $RULES_PATH/block_ip | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLOCK6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
[ "$USE_GEOVIEW" = "1" ] && {
local GEOIP_CODE=$(cat $RULES_PATH/block_ip | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
- get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLOCK &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLOCK6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_BLOCK &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_BLOCK6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
echolog " - [$?]解析并加入[屏蔽列表] GeoIP 到 IPSET 完成"
fi
}
@@ -827,16 +827,16 @@ add_firewall_rule() {
local GEOIP_CODE=""
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
for shunt_id in $shunt_ids; do
- config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNT &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNT6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNT &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | grep -v "^#" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNT6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
[ "$USE_GEOVIEW" = "1" ] && {
local geoip_code=$(config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "^geoip:" | grep -v "^geoip:private" | sed -E 's/^geoip:(.*)/\1/' | sed ':a;N;$!ba;s/\n/,/g')
[ -n "$geoip_code" ] && GEOIP_CODE="${GEOIP_CODE:+$GEOIP_CODE,}$geoip_code"
}
done
if [ -n "$GEOIP_CODE" ] && type geoview &> /dev/null; then
- get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNT &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNT6 &/g" -e "s/$/ timeout 0/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ get_geoip $GEOIP_CODE ipv4 | grep -E "(\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}" | sed -e "s/^/add $IPSET_SHUNT &/g" -e "s/$/ timeout 0/g" | ipset -! -R
+ get_geoip $GEOIP_CODE ipv6 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNT6 &/g" -e "s/$/ timeout 0/g" | ipset -! -R
echolog " - [$?]解析并加入[分流节点] GeoIP 到 IPSET 完成"
fi
}
@@ -899,10 +899,9 @@ add_firewall_rule() {
accept_icmp=$(config_t_get global_forwarding accept_icmp 0)
accept_icmpv6=$(config_t_get global_forwarding accept_icmpv6 0)
- local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
- if [ "$tcp_proxy_way" = "redirect" ]; then
+ if [ "${TCP_PROXY_WAY}" = "redirect" ]; then
unset is_tproxy
- elif [ "$tcp_proxy_way" = "tproxy" ]; then
+ elif [ "${TCP_PROXY_WAY}" = "tproxy" ]; then
is_tproxy="TPROXY"
fi
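Review bot: The changed branches now read `${TCP_PROXY_WAY}` from the caller instead of calling `config_t_get` locally, and the variable is assigned without `export` in app.sh's `get_config` earlier in this diff, so if iptables.sh is run as a child process rather than sourced the value is empty, neither branch matches, and `is_tproxy` keeps whatever it already held. A one-line fallback keeps the old default: `[ -z "${TCP_PROXY_WAY}" ] && TCP_PROXY_WAY=$(config_t_get global_forwarding tcp_proxy_way redirect)`. How app.sh invokes this script is not visible here; add_firewall_rule starts and ends outside the hunk.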
@@ -1128,7 +1127,7 @@ add_firewall_rule() {
echolog " - [$?]将上游 DNS 服务器 [${2}]:${3} 加入到路由器自身代理的 TCP 转发链,请确保您的节点支持IPv6,并开启IPv6透明代理!"
fi
}
- [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
+ [ -n "${TCP_PROXY_DNS}" ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
[ "$accept_icmp" = "1" ] && {
$ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT
@@ -1202,8 +1201,7 @@ add_firewall_rule() {
echolog " - [$?]将上游 DNS 服务器 [${2}]:${3} 加入到路由器自身代理的 UDP 转发链,请确保您的节点支持IPv6,并开启IPv6透明代理!"
fi
}
- [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
-
+ [ -n "${UDP_PROXY_DNS}" ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
[ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
$ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP -j PSW_RULE
[ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACK) -j PSW_RULE
@@ -1216,7 +1214,7 @@ add_firewall_rule() {
$ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p udp -j PSW_OUTPUT"
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "$PROXY_IPV6" == "1" ] && {
[ -n "$LOCALHOST_UDP_PROXY_MODE" ] && {
[ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACK6) -j PSW_RULE
[ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE
@@ -1295,25 +1293,16 @@ del_firewall_rule() {
destroy_ipset $IPSET_BLOCK6
destroy_ipset $IPSET_WHITE6
- $DIR/app.sh echolog "删除iptables防火墙规则完成。"
+ $DIR/app.sh echolog "删除 iptables 规则完成。"
}
flush_ipset() {
- $DIR/app.sh echolog "清空 IPSET。"
+ $DIR/app.sh echolog "清空 IPSet。"
for _name in $(ipset list | grep "Name: " | grep "passwall_" | awk '{print $2}'); do
destroy_ipset ${_name}
done
}
-flush_ipset_reload() {
- del_firewall_rule
- flush_ipset
- rm -rf /tmp/etc/passwall_tmp/singbox*
- rm -rf /tmp/etc/passwall_tmp/smartdns*
- rm -rf /tmp/etc/passwall_tmp/dnsmasq*
- /etc/init.d/passwall reload
-}
-
flush_include() {
echo '#!/bin/sh' >$FWI
}
@@ -1414,6 +1403,13 @@ start() {
stop() {
del_firewall_rule
+ [ $(config_t_get global flush_set "0") = "1" ] && {
+ uci -q delete ${CONFIG}.@global[0].flush_set
+ uci -q commit ${CONFIG}
+ flush_ipset
+ rm -rf /tmp/etc/passwall_tmp/singbox*
+ rm -rf /tmp/etc/passwall_tmp/dnsmasq*
+ }
flush_include
}
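Review bot: The new guard `[ $(config_t_get global flush_set "0") = "1" ]` leaves the command substitution unquoted, so an empty or multi-word result turns it into `[ = "1" ]`, `[` reports a syntax error, and because the block is chained with `&&` the flush is silently skipped. Quote it: `[ "$(config_t_get global flush_set "0")" = "1" ] && {`. Note also that `uci -q commit ${CONFIG}` commits every staged change in the passwall config, not only this delete, and that the `smartdns*` cleanup the removed `flush_ipset_reload` performed is not carried over — presumably intentional since the smartdns conf now lives under FLAG_PATH, but worth a comment.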
@@ -1429,12 +1425,6 @@ insert_rule_before)
insert_rule_after)
insert_rule_after "$@"
;;
-flush_ipset)
- flush_ipset
- ;;
-flush_ipset_reload)
- flush_ipset_reload
- ;;
get_ipt_bin)
get_ipt_bin
;;
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/nftables.sh b/applications/luci-app-passwall/root/usr/share/passwall/nftables.sh
index 7676457ae8b..45a00f51895 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/nftables.sh
+++ b/applications/luci-app-passwall/root/usr/share/passwall/nftables.sh
@@ -130,10 +130,8 @@ destroy_nftset() {
}
gen_nft_tables() {
- if [ -z "$(nft list tables | grep 'inet passwall')" ]; then
- local nft_table_file="$TMP_PATH/PSW_TABLE.nft"
- # Set the correct priority to fit fw4
- cat > "$nft_table_file" <<-EOF
+ if ! nft list tables | grep -q "^table inet passwall$"; then
+ nft -f - <<-EOF
table $NFTABLE_NAME {
chain dstnat {
type nat hook prerouting priority dstnat - 1; policy accept;
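Review bot: The existence check `grep -q "^table inet passwall$"` hardcodes the table name while the table itself is created as `$NFTABLE_NAME` on the next line; if the two ever diverge the table is either recreated on every start or never found. Use the variable in both places: `if ! nft list tables | grep -q "^table ${NFTABLE_NAME}$"; then`. Feeding the script via `nft -f -` instead of a temp file in TMP_PATH is a good change since it removes the world-readable intermediate file; gen_nft_tables continues past the hunk.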
@@ -149,33 +147,23 @@ gen_nft_tables() {
}
}
EOF
-
- nft -f "$nft_table_file"
- rm -rf "$nft_table_file"
fi
}
insert_nftset() {
local nftset_name="${1}"; shift
local timeout_argument="${1}"; shift
- local defalut_timeout_argument="3650d"
- local nftset_elements
-
+ local default_timeout_argument="3650d"
[ -n "${1}" ] && {
- if [ "$timeout_argument" == "-1" ]; then
- nftset_elements=$(echo -e $@ | sed 's/\s/, /g')
- elif [ "$timeout_argument" == "0" ]; then
- nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $defalut_timeout_argument, /g" | sed "s/$/ timeout $defalut_timeout_argument/")
- else
- nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $timeout_argument, /g" | sed "s/$/ timeout $timeout_argument/")
- fi
- mkdir -p $TMP_PATH2/nftset
- cat > "$TMP_PATH2/nftset/$nftset_name" <<-EOF
- define $nftset_name = {$nftset_elements}
- add element $NFTABLE_NAME $nftset_name \$$nftset_name
+ local nftset_elements
+ case "$timeout_argument" in
+ "-1") nftset_elements=$(echo -e $@ | sed 's/\s/, /g') ;;
+ "0") nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $default_timeout_argument, /g" | sed "s/$/ timeout $default_timeout_argument/") ;;
+ *) nftset_elements=$(echo -e $@ | sed "s/\s/ timeout $timeout_argument, /g" | sed "s/$/ timeout $timeout_argument/") ;;
+ esac
+ nft -f - <<-EOF
+ add element $NFTABLE_NAME $nftset_name {$nftset_elements}
EOF
- nft -f "$TMP_PATH2/nftset/$nftset_name"
- rm -rf "$TMP_PATH2/nftset"
}
}
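Review bot: The `nft -f -` call at the end of insert_nftset does not check its exit status, and since an nft script is applied atomically a single element that nft rejects discards the whole batch for that set with nothing in the log. Put the check on the heredoc line, `nft -f - <<-EOF || echolog " - [$?]add element to $nftset_name failed"`, so a bad line in a rule list is visible. The elements also pass through `echo -e $@`, which expands backslash escapes; what the callers feed in is not visible in this hunk, so whether that matters depends on how the lists are filtered upstream.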
@@ -533,7 +521,7 @@ load_acl() {
[ "${udp_proxy_mode}" != "disable" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW_RULE comment \"$remarks\""
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\""
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "$PROXY_IPV6" == "1" ] && {
[ "${use_proxy_list}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$black6_set_name counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
[ "${use_gfw_list}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$gfw6_set_name counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
[ "${chn_list}" != "0" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${chn_list} "counter jump PSW_RULE") comment \"$remarks\"" 2>/dev/null
@@ -716,7 +704,7 @@ load_acl() {
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"默认\""
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp counter return comment \"默认\""
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "$PROXY_IPV6" == "1" ] && {
[ "${USE_PROXY_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_BLACK6 counter jump PSW_RULE comment \"默认\""
[ "${USE_GFW_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_GFW6 counter jump PSW_RULE comment \"默认\""
[ "${CHN_LIST}" != "0" ] && nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE") comment \"默认\""
@@ -960,12 +948,11 @@ add_firewall_rule() {
accept_icmp=$(config_t_get global_forwarding accept_icmp 0)
accept_icmpv6=$(config_t_get global_forwarding accept_icmpv6 0)
- local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect)
- if [ "$tcp_proxy_way" = "redirect" ]; then
+ if [ "${TCP_PROXY_WAY}" = "redirect" ]; then
unset is_tproxy
nft_prerouting_chain="PSW_NAT"
nft_output_chain="PSW_OUTPUT_NAT"
- elif [ "$tcp_proxy_way" = "tproxy" ]; then
+ elif [ "${TCP_PROXY_WAY}" = "tproxy" ]; then
is_tproxy="TPROXY"
nft_prerouting_chain="PSW_MANGLE"
nft_output_chain="PSW_OUTPUT_MANGLE"
@@ -1188,7 +1175,7 @@ add_firewall_rule() {
echolog " - [$?]将上游 DNS 服务器 [${2}]:${3} 加入到路由器自身代理的 TCP 转发链,请确保您的节点支持IPv6,并开启IPv6透明代理!"
fi
}
- [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
+ [ "$TCP_PROXY_DNS" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53
[ "$accept_icmp" = "1" ] && {
nft "add rule $NFTABLE_NAME PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
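Review bot: `[ "$TCP_PROXY_DNS" == 1 ]` on the changed line tests the variable differently from the iptables.sh counterpart in this same diff, which uses `[ -n "${TCP_PROXY_DNS}" ]`, and from the UDP line in the next hunk here, `[ -n "${UDP_PROXY_DNS}" ]`; the two firewall backends will behave differently if the value is ever something other than exactly `1`. Where TCP_PROXY_DNS is assigned is not in this diff, so pick one form and use it in both files, e.g. `[ -n "${TCP_PROXY_DNS}" ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53`. add_firewall_rule starts and ends outside the hunk.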
@@ -1267,7 +1254,7 @@ add_firewall_rule() {
echolog " - [$?]将上游 DNS 服务器 [${2}]:${3} 加入到路由器自身代理的 UDP 转发链,请确保您的节点支持IPv6,并开启IPv6透明代理!"
fi
}
- [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
+ [ -n "${UDP_PROXY_DNS}" ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
[ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE"
[ "${USE_PROXY_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACK $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
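Review bot: The new UDP gate `[ -n "${UDP_PROXY_DNS}" ]` treats any non-empty value, including "0", as enabled, while the matching TCP line in the previous hunk tests `[ "$TCP_PROXY_DNS" == 1 ]`. Unless UDP_PROXY_DNS is guaranteed to be empty when disabled (its assignment is outside this diff), the two should use the same test, e.g. `[ "${UDP_PROXY_DNS}" = "1" ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53`. This rule routes the router's own DNS traffic into the proxy, so a silently-on condition here is worth pinning down. add_firewall_rule continues outside the hunk.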
@@ -1280,7 +1267,7 @@ add_firewall_rule() {
nft "add rule $NFTABLE_NAME PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
nft "add rule $NFTABLE_NAME mangle_output ip protocol udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
- [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ [ "$PROXY_IPV6" == "1" ] && {
[ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
[ "${USE_PROXY_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACK6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
[ "${USE_GFW_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_GFW6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
@@ -1353,11 +1340,11 @@ del_firewall_rule() {
destroy_nftset $NFTSET_BLOCK6
destroy_nftset $NFTSET_WHITE6
- $DIR/app.sh echolog "删除nftables防火墙规则完成。"
+ $DIR/app.sh echolog "删除 nftables 规则完成。"
}
flush_nftset() {
- $DIR/app.sh echolog "清空 NFTSET。"
+ $DIR/app.sh echolog "清空 NFTSet。"
for _name in $(nft -a list sets | grep -E "passwall" | awk -F 'set ' '{print $2}' | awk '{print $1}'); do
destroy_nftset ${_name}
done
@@ -1368,15 +1355,6 @@ flush_table() {
nft delete table $NFTABLE_NAME
}
-flush_nftset_reload() {
- del_firewall_rule
- flush_table
- rm -rf /tmp/etc/passwall_tmp/singbox*
- rm -rf /tmp/etc/passwall_tmp/smartdns*
- rm -rf /tmp/etc/passwall_tmp/dnsmasq*
- /etc/init.d/passwall reload
-}
-
flush_include() {
echo '#!/bin/sh' >$FWI
}
@@ -1428,6 +1406,14 @@ start() {
stop() {
del_firewall_rule
+ [ $(config_t_get global flush_set "0") = "1" ] && {
+ uci -q delete ${CONFIG}.@global[0].flush_set
+ uci -q commit ${CONFIG}
+ #flush_table
+ flush_nftset
+ rm -rf /tmp/etc/passwall_tmp/singbox*
+ rm -rf /tmp/etc/passwall_tmp/dnsmasq*
+ }
flush_include
}
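Review bot: The new flush branch in stop() no longer removes `/tmp/etc/passwall_tmp/smartdns*`, which the deleted flush_nftset_reload did, so stale smartdns state survives a flush unless it is cleaned elsewhere. The test `[ $(config_t_get global flush_set "0") = "1" ]` leaves the substitution unquoted; `[ "$(config_t_get global flush_set "0")" = "1" ] && {` keeps the test well-formed should the helper ever return an empty or multi-word string. The commented-out `#flush_table` line should either go or carry a reason for being kept. Note also that the flag is deleted and committed before flush_nftset runs, so a failure in the flush is not retried on the next stop.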
@@ -1443,12 +1429,6 @@ insert_rule_before)
insert_rule_after)
insert_rule_after "$@"
;;
-flush_nftset)
- flush_nftset
- ;;
-flush_nftset_reload)
- flush_nftset_reload
- ;;
get_wan_ip)
get_wan_ip
;;
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/rule_update.lua b/applications/luci-app-passwall/root/usr/share/passwall/rule_update.lua
index e399a70e8c8..f6c11a1fdd4 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/rule_update.lua
+++ b/applications/luci-app-passwall/root/usr/share/passwall/rule_update.lua
@@ -2,7 +2,7 @@
local api = require ("luci.passwall.api")
local name = api.appname
-local uci = api.libuci
+local uci = api.uci
local sys = api.sys
local jsonc = api.jsonc
local fs = api.fs
@@ -469,7 +469,7 @@ uci:set(name, "@global_rules[0]", "chnroute6_update", chnroute6_update)
uci:set(name, "@global_rules[0]", "chnlist_update", chnlist_update)
uci:set(name, "@global_rules[0]", "geoip_update", geoip_update)
uci:set(name, "@global_rules[0]", "geosite_update", geosite_update)
-uci:commit(name)
+api.uci_save(uci, name, true)
if reboot == 1 then
if arg3 == "cron" then
@@ -479,10 +479,7 @@ if reboot == 1 then
end
log("重启服务,应用新的规则。")
- if use_nft == "1" then
- sys.call("sh /usr/share/" .. name .. "/nftables.sh flush_nftset_reload > /dev/null 2>&1 &")
- else
- sys.call("sh /usr/share/" .. name .. "/iptables.sh flush_ipset_reload > /dev/null 2>&1 &")
- end
+ uci:set(name, "@global[0]", "flush_set", "1")
+ api.uci_save(uci, name, true, true)
end
log("规则更新完毕...")
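Review bot: The restart path now only sets `flush_set` and calls `api.uci_save(uci, name, true, true)`, deferring the actual flush to nftables.sh stop(); whether that fourth argument triggers the restart that makes the flush happen now is not visible here and deserves a one-line comment at the call site saying what the third and fourth arguments request. Without it a reader cannot tell whether the flag is consumed immediately or sits in the config until some later stop. The positional booleans in `api.uci_save(uci, name, true)` above and in the subscribe.lua hunks (truncate_nodes, update_node) have the same readability problem; named locals such as `local commit = true` passed by name would make the intent explicit. The surrounding `if reboot == 1` block starts outside the hunk.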
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/subscribe.lua b/applications/luci-app-passwall/root/usr/share/passwall/subscribe.lua
index a672c3ed984..67b88a81691 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/subscribe.lua
+++ b/applications/luci-app-passwall/root/usr/share/passwall/subscribe.lua
@@ -17,7 +17,7 @@ local ssub, slen, schar, sbyte, sformat, sgsub = string.sub, string.len, string.
local split = api.split
local jsonParse, jsonStringify = luci.jsonc.parse, luci.jsonc.stringify
local base64Decode = api.base64Decode
-local uci = api.libuci
+local uci = api.uci
local fs = api.fs
uci:revert(appname)
@@ -228,7 +228,7 @@ do
set = function(o)
for kk, vv in pairs(CONFIG) do
if (vv.remarks == id .. "备用节点的列表") then
- api.uci_set_list(uci, appname, id, "autoswitch_backup_node", vv.new_nodes)
+ uci:set_list(appname, id, "autoswitch_backup_node", vv.new_nodes)
end
end
end
@@ -299,8 +299,8 @@ do
if (vv.remarks == "Xray负载均衡节点[" .. node_id .. "]列表") then
uci:foreach(appname, "nodes", function(node2)
if node2[".name"] == node[".name"] then
- local section = api.uci_section(uci, appname, "nodes", node_id)
- api.uci_set_list(uci, appname, section, "balancing_node", vv.new_nodes)
+ local section = uci:section(appname, "nodes", node_id)
+ uci:set_list(appname, section, "balancing_node", vv.new_nodes)
end
end)
end
@@ -465,6 +465,7 @@ local function processData(szType, content, add_mode, add_from)
elseif result.type == "Xray" and info.net == "tcp" then
info.net = "raw"
end
+ if info.net == "splithttp" then info.net = "xhttp" end
if info.net == 'h2' or info.net == 'http' then
info.net = "http"
result.transport = (result.type == "Xray") and "xhttp" or "http"
@@ -527,7 +528,7 @@ local function processData(szType, content, add_mode, add_from)
if info.net == 'grpc' then
result.grpc_serviceName = info.path
end
- if info.net == 'xhttp' or info.net == 'splithttp' then
+ if info.net == 'xhttp' then
result.xhttp_host = info.host
result.xhttp_path = info.path
end
@@ -593,7 +594,7 @@ local function processData(szType, content, add_mode, add_from)
info = info:sub(1, find_index - 1)
end
- local hostInfo = split(base64Decode(info), "@")
+ local hostInfo = split(base64Decode(UrlDecode(info)), "@")
if hostInfo and #hostInfo > 0 then
local host_port = hostInfo[#hostInfo]
-- [2001:4860:4860::8888]:443
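Review bot: Wrapping the payload in `UrlDecode` before `base64Decode` changes how a standard-alphabet base64 body is read: if UrlDecode follows form-encoding rules and maps `+` to a space, every `+` in a non-URL-safe base64 string is corrupted before decoding, and a stray `%` sequence in the raw body is now interpreted rather than passed through. UrlDecode's definition is not in this diff, so confirm it only rewrites `%xx` escapes, or apply it only when the string actually contains `%`. `hostInfo` is still built from untrusted subscription content, so the existing `#hostInfo > 0` check remains the only guard on the result. processData continues outside the hunk.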
@@ -639,12 +640,9 @@ local function processData(szType, content, add_mode, add_from)
result.protocol = 'shadowsocks'
end
- if result.type == "SS-Rust" and method:lower() == "chacha20-poly1305" then
- result.method = "chacha20-ietf-poly1305"
- end
-
- if result.type == "Xray" and method:lower() == "chacha20-ietf-poly1305" then
- result.method = "chacha20-poly1305"
+ if result.type ~= "Xray" then
+ result.method = (method:lower() == "chacha20-poly1305" and "chacha20-ietf-poly1305") or
+ (method:lower() == "xchacha20-poly1305" and "xchacha20-ietf-poly1305") or method
end
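Review bot: The rewrite drops the reverse mapping the removed lines did for Xray (`chacha20-ietf-poly1305` to `chacha20-poly1305`), so an Xray node whose link carries the ietf spelling now keeps it; if Xray does not accept that alias, those nodes regress. The new expression also evaluates `method:lower()` twice and widens the mapping from SS-Rust to every non-Xray type, which should be intentional and stated. A lookup table reads more clearly: `local m = method:lower()` followed by `result.method = ({["chacha20-poly1305"] = "chacha20-ietf-poly1305", ["xchacha20-poly1305"] = "xchacha20-ietf-poly1305"})[m] or method`. processData continues outside the hunk.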
if result.plugin then
@@ -977,6 +975,7 @@ local function processData(szType, content, add_mode, add_from)
elseif result.type == "Xray" and params.type == "tcp" then
params.type = "raw"
end
+ if params.type == "splithttp" then params.type = "xhttp" end
if params.type == "h2" or params.type == "http" then
params.type = "http"
result.transport = (result.type == "Xray") and "xhttp" or "http"
@@ -1040,7 +1039,7 @@ local function processData(szType, content, add_mode, add_from)
if params.serviceName then result.grpc_serviceName = params.serviceName end
result.grpc_mode = params.mode or "gun"
end
- if params.type == 'xhttp' or params.type == 'splithttp' then
+ if params.type == 'xhttp' then
result.xhttp_host = params.host
result.xhttp_path = params.path
result.xhttp_mode = params.mode or "auto"
@@ -1313,7 +1312,7 @@ local function truncate_nodes(add_from)
end
end
end)
- uci:commit(appname)
+ api.uci_save(uci, appname, true)
end
local function select_node(nodes, config)
@@ -1434,7 +1433,7 @@ end
local function update_node(manual)
if next(nodeResult) == nil then
- log("更新失败,没有可用的节点信息")
+ log("没有可用的节点信息更新。")
return
end
@@ -1455,7 +1454,7 @@ local function update_node(manual)
local remark = v["remark"]
local list = v["list"]
for _, vv in ipairs(list) do
- local cfgid = api.uci_section(uci, appname, "nodes", api.gen_short_uuid())
+ local cfgid = uci:section(appname, "nodes", api.gen_short_uuid())
for kkk, vvv in pairs(vv) do
uci:set(appname, cfgid, kkk, vvv)
-- sing-box 域名解析策略
@@ -1465,7 +1464,7 @@ local function update_node(manual)
end
end
end
- uci:commit(appname)
+ api.uci_save(uci, appname, true)
if next(CONFIG) then
local nodes = {}
@@ -1500,7 +1499,7 @@ local function update_node(manual)
end
]]--
- uci:commit(appname)
+ api.uci_save(uci, appname, true)
end
if arg[3] == "cron" then
@@ -1671,8 +1670,15 @@ local execute = function()
local stdout = f:read("*all")
f:close()
raw = trim(stdout)
- os.remove("/tmp/" .. cfgid)
- parse_link(raw, "2", remark)
+ local old_md5 = value.md5 or ""
+ local new_md5 = luci.sys.exec(string.format("echo -n $(echo '%s' | md5sum | awk '{print $1}')", raw))
+ if old_md5 == new_md5 then
+ log('订阅:【' .. remark .. '】没有变化,无需更新。')
+ else
+ os.remove("/tmp/" .. cfgid)
+ parse_link(raw, "2", remark)
+ uci:set(appname, cfgid, "md5", new_md5)
+ end
else
fail_list[#fail_list + 1] = value
end
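Review bot: `luci.sys.exec(string.format("echo -n $(echo '%s' | md5sum | awk '{print $1}')", raw))` splices the downloaded subscription body into a single-quoted shell command, so a subscription server — or anyone able to tamper with the response — that returns a `'` followed by shell text gets it executed by the LuCI process; `raw` is remote content and must never be interpolated into a command string. Hash the file rather than the string — assuming `f` is the handle on `/tmp/<cfgid>` that the `os.remove` below deletes — with `local new_md5 = trim(luci.sys.exec("md5sum /tmp/" .. cfgid .. " | awk '{print $1}'"))` computed before the remove, or use a Lua-side digest so no shell is involved at all. Changing the hashing method makes existing stored `md5` values mismatch once, which is harmless. `uci:set(appname, cfgid, "md5", new_md5)` is only reached on the changed path and its commit is outside the hunk, so confirm the value is persisted. The enclosing execute function begins and ends outside the hunk.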
diff --git a/applications/luci-app-passwall/root/usr/share/passwall/test.sh b/applications/luci-app-passwall/root/usr/share/passwall/test.sh
index 1f596e92923..015f4f35804 100755
--- a/applications/luci-app-passwall/root/usr/share/passwall/test.sh
+++ b/applications/luci-app-passwall/root/usr/share/passwall/test.sh
@@ -14,6 +14,15 @@ config_n_get() {
echo "${ret:=$3}"
}
+lua_api() {
+ local func=${1}
+ [ -z "${func}" ] && {
+ echo "nil"
+ return
+ }
+ echo $(lua -e "local api = require 'luci.passwall.api' print(api.${func})")
+}
+
test_url() {
local url=$1
local try=1
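Review bot: `lua_api` evaluates its argument as Lua source (`print(api.${func})`), so it is an eval helper: any caller that passes a value derived from configuration or a node field would run it as code inside the LuCI API, and nothing in the function says so. Add a header such as `# Evaluate a trusted, literal expression against luci.passwall.api; never pass user- or config-derived strings`. The capture `echo $(...)` also word-splits and glob-expands whatever Lua printed; if flattening whitespace is not the intent, `printf '%s\n' "$(lua -e "...")"` preserves the output. The only caller in this diff (url_test_node) passes a developer-written literal, so this is a documentation and hardening point rather than a live issue.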
@@ -73,10 +82,18 @@ url_test_node() {
local curlx="socks5h://127.0.0.1:${_tmp_port}"
fi
sleep 1s
+ # 兼容 curl 8.6 time_starttransfer 错误
+ local _cmd="-V 2>/dev/null | head -n 1 | awk '{print \$2}' | cut -d. -f1,2 | tr -d ' \\n'"
+ local _curl="/usr/bin/curl"
+ local curl_ver=$(lua_api "get_bin_version_cache(\"${_curl}\", \"${_cmd}\")")
+
+ local curl_arg="-w %{http_code}:%{time_starttransfer} http://"
+ [ "${curl_ver}" = "8.6" ] && curl_arg="-w %{http_code}:%{time_appconnect} https://"
+
local chn_list=$(config_n_get @global[0] chn_list direct)
- local probeUrl="https://www.google.com/generate_204"
- [ "${chn_list}" = "proxy" ] && probeUrl="https://www.baidu.com"
- result=$(curl --connect-timeout 3 -o /dev/null -I -skL -w "%{http_code}:%{time_appconnect}" -x $curlx "${probeUrl}")
+ local probeUrl="www.google.com/generate_204"
+ [ "${chn_list}" = "proxy" ] && probeUrl="www.baidu.com"
+ result=$(${_curl} --connect-timeout 3 -o /dev/null -I -skL -x ${curlx} ${curl_arg}${probeUrl})
pgrep -af "url_test_${node_id}" | awk '! /test\.sh/{print $1}' | xargs kill -9 >/dev/null 2>&1
rm -rf "/tmp/etc/${CONFIG}/url_test_${node_id}.json"
}
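Review bot: The default probe now goes out as plain HTTP — `curl_arg` ends with `http://` and `probeUrl` lost its scheme — where the removed lines used `https://`; only the curl 8.6 branch keeps TLS. A cleartext probe through the proxy can be answered by any intercepting middlebox (captive portals routinely return 200 for generate_204), so the availability and latency result is easier to spoof and the probe exposes the target hostname along the path. If `http://` was chosen only to get a meaningful `time_starttransfer`, keep TLS and change just the timing field: `local curl_arg="-w %{http_code}:%{time_starttransfer} https://"`. The `-k` (skip certificate verification) already on the curl line weakens the https case as well and deserves a comment explaining why it is required. url_test_node's body begins outside the hunk.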