diff --git a/package/lienol/luci-app-passwall/Makefile b/package/lienol/luci-app-passwall/Makefile
index 75713d6219..3fe1d9daee 100644
--- a/package/lienol/luci-app-passwall/Makefile
+++ b/package/lienol/luci-app-passwall/Makefile
@@ -6,8 +6,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall
-PKG_VERSION:=3.5.4
-PKG_RELEASE:=20200212
+PKG_VERSION:=3.5.6
+PKG_RELEASE:=20200213
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua
index 71d9534629..c31284cadb 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua
@@ -81,14 +81,27 @@ o:value("disable", translate("No Proxy"))
o:value("global", translate("Global Proxy"))
o:value("gfwlist", translate("GFW List"))
o:value("chnroute", translate("China WhiteList"))
---o:value("gamemode", translate("Game Mode"))
+-- o:value("gamemode", translate("Game Mode"))
o:value("returnhome", translate("Return Home"))
+---- TCP No Redir Ports
+o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports"))
+o.default = "default"
+o:value("disable", translate("No patterns are used"))
+o:value("default", translate("Default"))
+o:value("1:65535", translate("All"))
+
+---- UDP No Redir Ports
+o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"))
+o.default = "default"
+o:value("disable", translate("No patterns are used"))
+o:value("default", translate("Default"))
+o:value("1:65535", translate("All"))
+
---- TCP Redir Ports
o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports"))
o.default = "default"
o:value("default", translate("Default"))
-o:value("disable", translate("No Proxy"))
o:value("1:65535", translate("All"))
o:value("80,443", "80,443")
o:value("80:", "80 " .. translate("or more"))
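Review bot: The new `tcp_no_redir_ports`/`udp_no_redir_ports` fields are free-text `Value` options with no `validate` hook, and whatever is typed is later spliced unquoted into `-m multiport --dport ...` in iptables.sh, so a stray space or an out-of-range port makes the whole firewall rule set fail to load rather than just this one option. The same now applies to `tcp_redir_ports`/`udp_redir_ports`, whose `disable` escape hatch is removed here. A validator on each of the four fields keeps bad input out of the shell script, e.g. `o.validate = function(self, value) if value == "disable" or value == "default" or value:match("^[%d:,]+$") then return value end return nil, translate("Invalid port list") end`. The section `s` these options hang off is defined before this hunk.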
@@ -98,7 +111,6 @@ o:value(":443", "443 " .. translate("or less"))
o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports"))
o.default = "default"
o:value("default", translate("Default"))
-o:value("disable", translate("No Proxy"))
o:value("1:65535", translate("All"))
o:value("53", "53")
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua
index 37cb3b83c3..d062f12e8d 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua
@@ -186,26 +186,25 @@ o.rmempty = false
---- Default Proxy Mode
o = s:option(ListValue, "proxy_mode",
- translate("Default") .. translate("Proxy Mode"), translate(
- "If using GFW mode is not available, try clearing the native cache."))
+ translate("Default") .. translate("Proxy Mode"),
+ translate("If not available, try clearing the cache."))
o.default = "chnroute"
o.rmempty = false
o:value("disable", translate("No Proxy"))
o:value("global", translate("Global Proxy"))
o:value("gfwlist", translate("GFW List"))
o:value("chnroute", translate("China WhiteList"))
---o:value("gamemode", translate("Game Mode"))
+-- o:value("gamemode", translate("Game Mode"))
o:value("returnhome", translate("Return Home"))
---- Localhost Proxy Mode
o = s:option(ListValue, "localhost_proxy_mode",
translate("Localhost") .. translate("Proxy Mode"), translate(
- "The server client can also use this rule to scientifically surf the Internet.
Global and continental whitelist are not recommended for non-special cases!"))
+ "The server client can also use this rule to scientifically surf the Internet."))
o:value("default", translate("Default"))
-o:value("global",
- translate("Global Proxy") .. "(" .. translate("Danger") .. ")")
o:value("gfwlist", translate("GFW List"))
o:value("chnroute", translate("China WhiteList"))
+o:value("global", translate("Global Proxy"))
o.default = "default"
o.rmempty = false
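Review bot: The `(Danger)` marker on Global and the sentence warning against global/chnroute for the localhost proxy mode are removed (L76-L78, L80-L81) with nothing in their place, while app.sh in the same commit makes `default` inherit the LAN `proxy_mode`; together, a user whose default mode is Global Proxy now has all traffic originating on the router itself (subscription fetches, opkg, upstream DNS, presumably) sent through the node with no hint in the UI. If the warning was dropped because the inheritance makes it redundant, the description should still spell the behaviour out, e.g. `translate("The server client can also use this rule to scientifically surf the Internet. Default follows the global proxy mode; Global sends all traffic originating from the router itself through the proxy.")`, with the matching msgid/msgstr added to passwall.po.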
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua
index 8dd494c2b7..867849ae45 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua
@@ -54,10 +54,25 @@ s = m:section(TypedSection, "global_forwarding",
s.anonymous = true
s.addremove = false
+---- TCP No Redir Ports
+o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports"),
+ translate(
+ "Fill in the ports you don't want to be forwarded by the agent, with the highest priority."))
+o.default = "disable"
+o:value("disable", translate("No patterns are used"))
+o:value("1:65535", translate("All"))
+
+---- UDP No Redir Ports
+o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"),
+ translate(
+ "Fill in the ports you don't want to be forwarded by the agent, with the highest priority."))
+o.default = "disable"
+o:value("disable", translate("No patterns are used"))
+o:value("1:65535", translate("All"))
+
---- TCP Redir Ports
o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports"))
o.default = "80,443"
-o:value("disable", translate("No Proxy"))
o:value("1:65535", translate("All"))
o:value("80,443", "80,443")
o:value("80:", "80 " .. translate("or more"))
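Review bot: Removing the `disable` choice from `tcp_redir_ports` (L113) ships no migration, so an existing install that saved `tcp_redir_ports 'disable'` keeps that value and the new iptables.sh, whose special-case branch for it is deleted in this same commit, passes it straight to `-m multiport --dport disable`; either keep accepting `disable` or add a uci-defaults step that rewrites it to `tcp_redir_ports '1:65535'` plus `tcp_no_redir_ports '1:65535'`. The same applies to `udp_redir_ports` in the next hunk. Separately, the help text says `forwarded by the agent` where the po entry's `代理` means proxy; `Fill in the ports you do not want forwarded to the proxy; these take precedence over the redirect ports.` reads correctly (update the msgid in passwall.po to match).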
@@ -66,7 +81,6 @@ o:value(":443", "443 " .. translate("or less"))
---- UDP Redir Ports
o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports"))
o.default = "1:65535"
-o:value("disable", translate("No Proxy"))
o:value("1:65535", translate("All"))
o:value("53", "53")
diff --git a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po
index 714f98d234..b852a35f4c 100644
--- a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po
+++ b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po
@@ -166,8 +166,8 @@ msgstr "ChinaDNS-NG可信DNS"
msgid "You can use other resolving DNS services as trusted DNS, Example: dns2socks, dns-forwarder... 127.0.0.1#5353
Only use two at most, english comma separation, If you do not fill in the # and the following port, you are using port 53."
msgstr "你可以使用其他解决污染DNS服务作为可信DNS,例:dns2socks,dns-forwarder等等。127.0.0.1#5353
最多使用2个DNS服务器,英文逗号分隔,如果没有填#和后面的端口,则使用53端口。"
-msgid "The server client can also use this rule to scientifically surf the Internet.
Global and continental whitelist are not recommended for non-special cases!"
-msgstr "本机服务器的客户端也可以使用这个代理模式上网。
非特殊情况不推荐使用全局和大陆白名单!"
+msgid "The server client can also use this rule to scientifically surf the Internet."
+msgstr "本机服务器的客户端也可以使用这个代理模式上网。"
msgid "Tips"
msgstr "小提示"
@@ -226,8 +226,8 @@ msgstr "单进程"
msgid "Proxy Mode"
msgstr "代理模式"
-msgid "If using GFW mode is not available, try clearing the native cache."
-msgstr "如果使用GFW模式无法使用,请尝试清除本机缓存。"
+msgid "If not available, try clearing the cache."
+msgstr "如果无法使用,请尝试清除缓存。"
msgid "No Proxy"
msgstr "不代理"
@@ -382,6 +382,15 @@ msgstr "自动重启时间"
msgid "Forwarding Settings"
msgstr "转发配置"
+msgid "TCP No Redir Ports"
+msgstr "TCP不转发端口"
+
+msgid "UDP No Redir Ports"
+msgstr "UDP不转发端口"
+
+msgid "Fill in the ports you don't want to be forwarded by the agent, with the highest priority."
+msgstr "填写你不希望被代理转发的端口,优先级最高。"
+
msgid "TCP Redir Ports"
msgstr "TCP转发端口"
diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall b/package/lienol/luci-app-passwall/root/etc/config/passwall
index a86a5ccca9..31805a86d7 100644
--- a/package/lienol/luci-app-passwall/root/etc/config/passwall
+++ b/package/lienol/luci-app-passwall/root/etc/config/passwall
@@ -22,6 +22,8 @@ config global_delay
config global_forwarding
option process '1'
+ option tcp_no_redir_ports 'disable'
+ option udp_no_redir_ports 'disable'
option tcp_redir_ports '1:65535'
option udp_redir_ports '1:65535'
option socks5_proxy_port '1081'
diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host
index f40e9d7c67..50c4253470 100644
--- a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host
+++ b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host
@@ -2,4 +2,9 @@ formyip.com
msi.com
github.com
github.io
-githubusercontent.com
\ No newline at end of file
+githubusercontent.com
+github-production-release-asset-2e65be.s3.amazonaws.com
+openwrt.proxy.ustclug.org
+easylist-downloads.adblockplus.org
+adblockplus.org
+caddyserver.com
\ No newline at end of file
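Review bot: Moving these five hosts out of `router` into `blacklist_host` widens who is forced through the proxy: `blacklist_host` entries become `server=`/`ipset=/…/blacklist` rules for every client's DNS, and the blacklist ipset is matched ahead of the per-ACL mode chain in iptables.sh, whereas the `router` list applied only to traffic from the router itself. In particular `openwrt.proxy.ustclug.org`, which by its name looks like a domestic mirror, will now be tunnelled for all LAN clients even in `chnroute` mode, and these entries cannot be overridden per ACL. If the goal is only that the router's own opkg/adblock/caddy downloads use the proxy, leaving them in `router` (which app.sh still loads from) preserves that; otherwise the LuCI description for the host blacklist should state that listed hosts are proxied for every client regardless of mode. This file has no comment syntax (each line is fed to awk as a host), so the explanation has to live in the UI text, not here.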
diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip
index 78e3fcfde8..0938095ef5 100644
--- a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip
+++ b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip
@@ -2,4 +2,6 @@
91.108.4.0/22
91.108.56.0/24
109.239.140.0/24
-67.198.55.0/24
\ No newline at end of file
+67.198.55.0/24
+8.8.4.4
+8.8.8.8
\ No newline at end of file
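Review bot: Adding `8.8.8.8` and `8.8.4.4` makes every client packet to Google DNS match the blacklist ipset and be redirected to the node ahead of the mode chain, so a client with a hard-coded Google resolver has its plaintext DNS carried by the proxy in every mode, and because those queries never pass through dnsmasq none of the `ipset=` rules get populated for that client — its later connections are classified by IP only. That may well be the intent (keeping those queries off the ISP path), but it deserves a line in the UI help for the IP blacklist. Note the UDP half of this only exists in the ACL rules when a UDP node is configured; otherwise UDP/53 to these addresses still goes out directly. This list has no comment syntax, so the note belongs in the LuCI description rather than the file.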
diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router
index 75d07845c0..e69de29bb2 100644
--- a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router
+++ b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router
@@ -1,10 +0,0 @@
-google.com
-youtube.com
-github.com
-github.io
-githubusercontent.com
-github-production-release-asset-2e65be.s3.amazonaws.com
-openwrt.proxy.ustclug.org
-easylist-downloads.adblockplus.org
-adblockplus.org
-caddyserver.com
\ No newline at end of file
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
index 2039162524..2e696da29f 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -89,6 +89,18 @@ get_host_ip() {
echo $ip
}
+get_node_host_ip() {
+ local ip
+ local address=$(config_n_get $1 address)
+ [ -n "$address" ] && {
+ local use_ipv6=$(config_n_get $1 use_ipv6)
+ local network_type="ipv4"
+ [ "$use_ipv6" == "1" ] && network_type="ipv6"
+ ip=$(get_host_ip $network_type $address)
+ }
+ echo $ip
+}
+
check_port_exists() {
port=$1
protocol=$2
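Review bot: `get_node_host_ip` returns an IPv6 address when the node has `use_ipv6 = 1`, but the iptables.sh call sites that replaced `get_host_ip "ipv4" $address` feed the result to IPv4 rules such as `$ipt_n -A PSW -p tcp -d $TCP_NODE_IP ...` (and the SOCKS5/UDP equivalents); for a dual-stack node name the old code installed the A-record bypass, the new code resolves the AAAA record and the v4 rule will presumably be rejected, leaving no bypass for the node's own connections in the v4 tables. Either keep an explicit address-family parameter, `get_node_host_ip() { local family=${2:-auto}; ... }`, or have the callers check the result against a v4 pattern before using it. Also quote the expansions — `local address=$(config_n_get "$1" address)` and `echo "$ip"` — so an empty or odd value does not word-split. `config_n_get` is defined outside this hunk.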
@@ -178,6 +190,8 @@ BROOK_TCP_CMD=""
BROOK_UDP_CMD=""
TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443')
UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535')
+TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable')
+UDP_NO_REDIR_PORTS=$(config_t_get global_forwarding udp_no_redir_ports 'disable')
KCPTUN_REDIR_PORT=$(config_t_get global_forwarding kcptun_port 12948)
PROXY_MODE=$(config_t_get global proxy_mode chnroute)
@@ -198,6 +212,7 @@ load_config() {
process=$(config_t_get global_forwarding process)
fi
LOCALHOST_PROXY_MODE=$(config_t_get global localhost_proxy_mode default)
+ [ "$LOCALHOST_PROXY_MODE" == "default" ] && LOCALHOST_PROXY_MODE=$PROXY_MODE
UP_CHINA_DNS=$(config_t_get global up_china_dns dnsbyisp)
[ "$UP_CHINA_DNS" == "default" ] && IS_DEFAULT_CHINA_DNS=1
[ ! -f "$RESOLVFILE" -o ! -s "$RESOLVFILE" ] && RESOLVFILE=/tmp/resolv.conf.auto
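Review bot: Resolving `default` to `$PROXY_MODE` here means `LOCALHOST_PROXY_MODE` can now take the values `disable` and `returnhome`, which the PSW_OUTPUT rules in iptables.sh only handle for `global`, `gfwlist` and `chnroute`; with a `returnhome` default the router's own traffic silently gets only the blacklist/router rules. If that fall-through is intended, say so with a comment, e.g. `# 'default' follows the LAN proxy mode; only global/gfwlist/chnroute get localhost rules, other modes fall through to direct`, or map `returnhome`/`disable` explicitly. `load_config` begins before this hunk.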
@@ -621,38 +636,6 @@ clean_log() {
fi
}
-set_cru() {
- autoupdate=$(config_t_get global_rules auto_update)
- weekupdate=$(config_t_get global_rules week_update)
- dayupdate=$(config_t_get global_rules time_update)
- autoupdatesubscribe=$(config_t_get global_subscribe auto_update_subscribe)
- weekupdatesubscribe=$(config_t_get global_subscribe week_update_subscribe)
- dayupdatesubscribe=$(config_t_get global_subscribe time_update_subscribe)
- if [ "$autoupdate" = "1" ]; then
- if [ "$weekupdate" = "7" ]; then
- echo "0 $dayupdate * * * $APP_PATH/rule_update.sh" >>/etc/crontabs/root
- echolog "设置自动更新规则在每天 $dayupdate 点。"
- else
- echo "0 $dayupdate * * $weekupdate $APP_PATH/rule_update.sh" >>/etc/crontabs/root
- echolog "设置自动更新规则在星期 $weekupdate 的 $dayupdate 点。"
- fi
- else
- sed -i '/rule_update.sh/d' /etc/crontabs/root >/dev/null 2>&1 &
- fi
-
- if [ "$autoupdatesubscribe" = "1" ]; then
- if [ "$weekupdatesubscribe" = "7" ]; then
- echo "0 $dayupdatesubscribe * * * $APP_PATH/subscription.sh" >>/etc/crontabs/root
- echolog "设置节点订阅自动更新规则在每天 $dayupdatesubscribe 点。"
- else
- echo "0 $dayupdatesubscribe * * $weekupdate $APP_PATH/subscription.sh" >>/etc/crontabs/root
- echolog "设置节点订阅自动更新规则在星期 $weekupdate 的 $dayupdatesubscribe 点。"
- fi
- else
- sed -i '/subscription.sh/d' /etc/crontabs/root >/dev/null 2>&1 &
- fi
-}
-
start_crontab() {
sed -i '/$CONFIG/d' /etc/crontabs/root >/dev/null 2>&1 &
start_daemon=$(config_t_get global_delay start_daemon)
@@ -688,6 +671,37 @@ start_crontab() {
echolog "设置每$testing_time分钟执行检测脚本。"
}
}
+
+ autoupdate=$(config_t_get global_rules auto_update)
+ weekupdate=$(config_t_get global_rules week_update)
+ dayupdate=$(config_t_get global_rules time_update)
+ autoupdatesubscribe=$(config_t_get global_subscribe auto_update_subscribe)
+ weekupdatesubscribe=$(config_t_get global_subscribe week_update_subscribe)
+ dayupdatesubscribe=$(config_t_get global_subscribe time_update_subscribe)
+ if [ "$autoupdate" = "1" ]; then
+ if [ "$weekupdate" = "7" ]; then
+ echo "0 $dayupdate * * * $APP_PATH/rule_update.sh" >>/etc/crontabs/root
+ echolog "设置自动更新规则在每天 $dayupdate 点。"
+ else
+ echo "0 $dayupdate * * $weekupdate $APP_PATH/rule_update.sh" >>/etc/crontabs/root
+ echolog "设置自动更新规则在星期 $weekupdate 的 $dayupdate 点。"
+ fi
+ else
+ sed -i '/rule_update.sh/d' /etc/crontabs/root >/dev/null 2>&1 &
+ fi
+
+ if [ "$autoupdatesubscribe" = "1" ]; then
+ if [ "$weekupdatesubscribe" = "7" ]; then
+ echo "0 $dayupdatesubscribe * * * $APP_PATH/subscription.sh" >>/etc/crontabs/root
+ echolog "设置节点订阅自动更新规则在每天 $dayupdatesubscribe 点。"
+ else
+ echo "0 $dayupdatesubscribe * * $weekupdate $APP_PATH/subscription.sh" >>/etc/crontabs/root
+ echolog "设置节点订阅自动更新规则在星期 $weekupdate 的 $dayupdatesubscribe 点。"
+ fi
+ else
+ sed -i '/subscription.sh/d' /etc/crontabs/root >/dev/null 2>&1 &
+ fi
+
/etc/init.d/cron restart
}
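Review bot: The subscription branch still schedules with the rules' weekday — `echo "0 $dayupdatesubscribe * * $weekupdate $APP_PATH/subscription.sh"` on L327 should use `$weekupdatesubscribe` — so a user who picks different days for the two jobs gets the rules' day for both; this moved verbatim from `set_cru`, but it is the new code now. The appends also never remove a previous `rule_update.sh`/`subscription.sh` line when auto-update is on, so every `start` adds another duplicate crontab entry unless the pre-existing `sed -i '/$CONFIG/d'` at the top of the function catches them, which it cannot since single quotes keep `$CONFIG` from expanding. Deleting first, synchronously, then appending — `sed -i '/rule_update.sh/d;/subscription.sh/d' /etc/crontabs/root` before the `if` blocks — fixes both, and also removes the backgrounded `sed -i ... &` branches that currently race with the `/etc/init.d/cron restart` that follows. `start_crontab` starts before this hunk.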
@@ -724,7 +738,7 @@ start_dns() {
pdnsd_bin=$(find_bin pdnsd)
[ -n "$pdnsd_bin" ] && {
use_tcp_node_resolve_dns=1
- gen_pdnsd_config $DNS_PORT "cache"
+ gen_pdnsd_config $DNS_PORT 10240
DNS_FORWARD=$(echo $DNS_FORWARD | sed 's/,/ /g')
nohup $pdnsd_bin --daemon -c $pdnsd_dir/pdnsd.conf -d >/dev/null 2>&1 &
echolog "DNS:pdnsd..."
@@ -734,8 +748,8 @@ start_dns() {
chinadns_ng_bin=$(find_bin chinadns-ng)
[ -n "$chinadns_ng_bin" ] && {
other_port=$(expr $DNS_PORT + 1)
- cat $RULE_PATH/gfwlist.conf | sort | uniq | sed -e '/127.0.0.1/d' | sed 's/ipset=\/.//g' | sed 's/\/gfwlist//g' > $CONFIG_PATH/gfwlist_chinadns_ng.txt
- [ -f "$CONFIG_PATH/gfwlist_chinadns_ng.txt" ] && local gfwlist_param="-g $CONFIG_PATH/gfwlist_chinadns_ng.txt"
+ cat $RULE_PATH/gfwlist.conf | sort | uniq | sed -e '/127.0.0.1/d' | sed 's/ipset=\/.//g' | sed 's/\/gfwlist//g' > $CONFIG_PATH/gfwlist.txt
+ [ -f "$CONFIG_PATH/gfwlist.txt" ] && local gfwlist_param="-g $CONFIG_PATH/gfwlist.txt"
[ -f "$RULE_PATH/chnlist" ] && local chnlist_param="-m $RULE_PATH/chnlist"
up_trust_chinadns_ng_dns=$(config_t_get global up_trust_chinadns_ng_dns "pdnsd")
@@ -745,7 +759,7 @@ start_dns() {
force_stop
else
use_tcp_node_resolve_dns=1
- gen_pdnsd_config $other_port
+ gen_pdnsd_config $other_port 0
pdnsd_bin=$(find_bin pdnsd)
[ -n "$pdnsd_bin" ] && {
DNS_FORWARD=$(echo $DNS_FORWARD | sed 's/,/ /g')
@@ -780,51 +794,34 @@ start_dns() {
add_dnsmasq() {
mkdir -p $TMP_DNSMASQ_PATH $DNSMASQ_PATH /var/dnsmasq.d
-
- # if [ -n "cat /var/state/network |grep pppoe|awk -F '.' '{print $2}'" ]; then
- # sed -i '/except-interface/d' /etc/dnsmasq.conf >/dev/null 2>&1 &
- # for wanname in $(cat /var/state/network |grep pppoe|awk -F '.' '{print $2}')
- # do
- # echo "except-interface=$(uci -q get network.$wanname.ifname)" >>/etc/dnsmasq.conf
- # done
- # fi
+ cat $RULE_PATH/whitelist_host | sed "s/^/ipset=&\/./g" | sed "s/$/\/&whitelist/g" | sort | awk '{if ($0!=line) print;line=$0}' > $TMP_DNSMASQ_PATH/whitelist_host.conf
- subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0)
- [ "$subscribe_proxy" -eq 1 ] && {
- config_foreach set_subscribe_proxy "subscribe_list"
+ [ "$DNS_MODE" != "nonuse" ] && {
+ [ -f "$RULE_PATH/blacklist_host" -a -s "$RULE_PATH/blacklist_host" ] && cat $RULE_PATH/blacklist_host | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/blacklist"}' > $TMP_DNSMASQ_PATH/blacklist_host.conf
+ [ -f "$RULE_PATH/router" -a -s "$RULE_PATH/router" ] && cat $RULE_PATH/router | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/router"}' > $TMP_DNSMASQ_PATH/router.conf
+ [ -f "$RULE_PATH/gfwlist.conf" -a -s "$RULE_PATH/gfwlist.conf" ] && ln -s $RULE_PATH/gfwlist.conf $TMP_DNSMASQ_PATH/gfwlist.conf
+
+ subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0)
+ [ "$subscribe_proxy" -eq 1 ] && {
+ config_foreach set_subscribe_proxy "subscribe_list"
+ }
}
-
- if [ ! -f "$TMP_DNSMASQ_PATH/gfwlist.conf" -a "$DNS_MODE" != "nonuse" ]; then
- ln -s $RULE_PATH/gfwlist.conf $TMP_DNSMASQ_PATH/gfwlist.conf
- fi
-
- if [ ! -f "$TMP_DNSMASQ_PATH/blacklist_host.conf" -a "$DNS_MODE" != "nonuse" ]; then
- cat $RULE_PATH/blacklist_host | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/blacklist"}' >>$TMP_DNSMASQ_PATH/blacklist_host.conf
- fi
-
- if [ ! -f "$TMP_DNSMASQ_PATH/whitelist_host.conf" ]; then
- cat $RULE_PATH/whitelist_host | sed "s/^/ipset=&\/./g" | sed "s/$/\/&whitelist/g" | sort | awk '{if ($0!=line) print;line=$0}' >$TMP_DNSMASQ_PATH/whitelist_host.conf
- fi
-
- if [ ! -f "$TMP_DNSMASQ_PATH/router.conf" -a "$DNS_MODE" != "nonuse" ]; then
- cat $RULE_PATH/router | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/router"}' >>$TMP_DNSMASQ_PATH/router.conf
- fi
-
- if [ -z "$IS_DEFAULT_CHINA_DNS" -o "$IS_DEFAULT_CHINA_DNS" == 0 ]; then
+
+ [ -z "$IS_DEFAULT_CHINA_DNS" -o "$IS_DEFAULT_CHINA_DNS" == 0 ] && {
server="server=127.0.0.1#$DNS_PORT"
[ "$DNS_MODE" != "chinadns-ng" ] && {
local china_dns1=$(echo $UP_CHINA_DNS | awk -F "," '{print $1}')
local china_dns2=$(echo $UP_CHINA_DNS | awk -F "," '{print $2}')
[ -n "$china_dns1" ] && server="server=$china_dns1"
[ -n "$china_dns2" ] && server="${server}\n${server_2}"
+ server="${server}\nno-resolv"
}
cat <<-EOF > /var/dnsmasq.d/dnsmasq-$CONFIG.conf
$(echo -e $server)
all-servers
no-poll
- no-resolv
EOF
- fi
+ }
cat <<-EOF >> /var/dnsmasq.d/dnsmasq-$CONFIG.conf
conf-dir=$TMP_DNSMASQ_PATH
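Review bot: `no-resolv` is now only written inside the `[ "$DNS_MODE" != "chinadns-ng" ]` block (L415), whereas before it was emitted unconditionally (L421); in chinadns-ng mode dnsmasq therefore keeps its resolv.conf upstreams alongside `server=127.0.0.1#$DNS_PORT` and, with `all-servers`, races every query against the ISP resolvers — a DNS leak that also reintroduces the answers the mode exists to filter. Unless chinadns-ng genuinely needs the resolv.conf servers, put `no-resolv` back in the heredoc after `no-poll`. Note too that the pre-existing `server="${server}\n${server_2}"` references an unset `server_2` where `server=$china_dns2` looks intended, so the second China DNS is never written. `add_dnsmasq` continues past this hunk.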
@@ -902,11 +899,12 @@ gen_redsocks_config() {
gen_pdnsd_config() {
pdnsd_dir=$CONFIG_PATH/pdnsd
mkdir -p $pdnsd_dir
+ touch $pdnsd_dir/pdnsd.cache
chown -R root.nogroup $pdnsd_dir
- [ "$2" == "cache" ] && cache_param="perm_cache = 1024;\ncache_dir = \"$pdnsd_dir\";"
cat > $pdnsd_dir/pdnsd.conf <<-EOF
global {
- $(echo -e $cache_param)
+ perm_cache = $2;
+ cache_dir = "$pdnsd_dir";
pid_file = "$RUN_PID_PATH/pdnsd.pid";
run_as = "root";
server_ip = 127.0.0.1;
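Review bot: `perm_cache = $2;` is written verbatim, so a caller that omits the second argument produces `perm_cache = ;` and pdnsd refuses the config, whereas the old `"cache"` flag simply meant no cache when absent. Default it, `perm_cache = ${2:-0};`, and document the parameters above the function: `# $1 listen port, $2 perm_cache size (0 = no on-disk cache; pdnsd reads it in KiB — confirm)`. With a non-zero size the cache file under `$pdnsd_dir` survives restarts, so an answer cached once persists until the file is removed, which is worth a line in the same comment. The heredoc continues past this hunk.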
@@ -940,36 +938,34 @@ gen_pdnsd_config() {
EOF
}
- [ "$DNS_MODE" != "chinadns-ng" ] && {
- cat >> $pdnsd_dir/pdnsd.conf <<-EOF
- server {
- label = "opendns";
- ip = 208.67.222.222, 208.67.220.220;
- edns_query = on;
- port = 443;
- timeout = 4;
- interval = 60;
- uptest = none;
- purge_cache = off;
- }
- server {
- label = "opendns";
- ip = 208.67.222.222, 208.67.220.220;
- edns_query = on;
- port = 5353;
- timeout = 4;
- interval = 60;
- uptest = none;
- purge_cache = off;
- }
- source {
- ttl = 86400;
- owner = "localhost.";
- serve_aliases = on;
- file = "/etc/hosts";
- }
- EOF
- }
+ cat >> $pdnsd_dir/pdnsd.conf <<-EOF
+ server {
+ label = "opendns";
+ ip = 208.67.222.222, 208.67.220.220;
+ edns_query = on;
+ port = 443;
+ timeout = 4;
+ interval = 60;
+ uptest = none;
+ purge_cache = off;
+ }
+ server {
+ label = "opendns";
+ ip = 208.67.222.222, 208.67.220.220;
+ edns_query = on;
+ port = 5353;
+ timeout = 4;
+ interval = 60;
+ uptest = none;
+ purge_cache = off;
+ }
+ source {
+ ttl = 86400;
+ owner = "localhost.";
+ serve_aliases = on;
+ file = "/etc/hosts";
+ }
+ EOF
}
stop_dnsmasq() {
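Review bot: Dropping the `[ "$DNS_MODE" != "chinadns-ng" ]` guard means the OpenDNS server blocks and the `/etc/hosts` source are now appended in chinadns-ng mode too, i.e. to the pdnsd instance chinadns-ng uses as its trusted upstream; both blocks are plain DNS on 443/5353 to hard-coded public addresses with `uptest = none`, so they are only as trustworthy as the path those packets take, which this file does not show. If that is intended, a comment above the heredoc should say that OpenDNS is the unconditional fallback upstream and why it is acceptable here; if not, the guard should come back. The two server blocks also share `label = "opendns"`, which is harmless only if pdnsd does not require unique labels — worth confirming.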
@@ -1111,15 +1107,14 @@ start() {
! load_config && return 1
[ -f "$LOCK_FILE" ] && return 3
touch "$LOCK_FILE"
- start_dns
- add_dnsmasq
start_haproxy
start_redir SOCKS5 PROXY tcp
start_redir TCP REDIR tcp
start_redir UDP REDIR udp
+ start_dns
source $APP_PATH/iptables.sh start
+ add_dnsmasq
start_crontab
- set_cru
rm -f "$LOCK_FILE"
echolog "运行完成!\n"
return 0
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default b/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default
index a86a5ccca9..31805a86d7 100644
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default
@@ -22,6 +22,8 @@ config global_delay
config global_forwarding
option process '1'
+ option tcp_no_redir_ports 'disable'
+ option udp_no_redir_ports 'disable'
option tcp_redir_ports '1:65535'
option udp_redir_ports '1:65535'
option socks5_proxy_port '1081'
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
index 1cd50ba867..b81ba285e6 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -122,9 +122,13 @@ load_acl() {
config_get proxy_mode $1 proxy_mode
config_get tcp_node $1 tcp_node
config_get udp_node $1 udp_node
+ config_get tcp_no_redir_ports $1 tcp_no_redir_ports
+ config_get udp_no_redir_ports $1 udp_no_redir_ports
config_get tcp_redir_ports $1 tcp_redir_ports
config_get udp_redir_ports $1 udp_redir_ports
[ -z "$proxy_mode" -o "$proxy_mode" = "default" ] && proxy_mode=$PROXY_MODE
+ [ -z "$tcp_no_redir_ports" -o "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
+ [ -z "$udp_no_redir_ports" -o "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ -z "$tcp_redir_ports" -o "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ -z "$udp_redir_ports" -o "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
[ -z "$tcp_node" -o "$TCP_NODE_NUM" == "1" ] && tcp_node=1
@@ -146,24 +150,16 @@ load_acl() {
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m comment --comment "$remarks" -j RETURN
else
[ "$TCP_NODE" != "nil" ] && {
- #local TCP_NODE_TYPE=$(echo $(config_get $TCP_NODE type) | tr 'A-Z' 'a-z')
- if [ "$tcp_redir_ports" != "disable" ]; then
- eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
- $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port
- $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
- else
- $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m comment --comment "$remarks" -j RETURN
- fi
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
+ $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port
+ $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
}
[ "$UDP_NODE" != "nil" ] && {
- #local UDP_NODE_TYPE=$(echo $(config_get $UDP_NODE type) | tr 'A-Z' 'a-z')
- if [ "$udp_redir_ports" != "disable" ]; then
- eval udp_redir_port=\$UDP_REDIR_PORT$udp_node
- $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j TPROXY --on-port $udp_redir_port --tproxy-mark 0x1/0x1
- $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(factor $udp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$udp_node
- else
- $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m comment --comment "$remarks" -j RETURN
- fi
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ eval udp_redir_port=\$UDP_REDIR_PORT$udp_node
+ $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j TPROXY --on-port $udp_redir_port --tproxy-mark 0x1/0x1
+ $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(factor $udp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$udp_node
}
fi
[ -z "$ip" ] && {
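Review bot: The per-ACL values resolved in the previous hunk (`tcp_no_redir_ports`/`udp_no_redir_ports`, with `default` falling back to the globals) are never used — L565 and L579 both read the global `$TCP_NO_REDIR_PORTS`, so the new ACL fields in acl.lua have no effect, and L579 applies the TCP list to the UDP rule. The two RETURN rules also lack the `-m comment --comment "$remarks"` the neighbouring rules carry. Corrected: `[ "$tcp_no_redir_ports" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -m comment --comment "$remarks" -j RETURN` and `[ "$udp_no_redir_ports" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -m comment --comment "$remarks" -j RETURN`. Removing the `disable` branch also means a saved `tcp_redir_ports 'disable'` now reaches `factor` and becomes `--dport disable`. `load_acl` begins before this hunk.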
@@ -180,15 +176,13 @@ load_acl() {
}
filter_vpsip() {
- local address server_ip use_ipv6 network_type
- address=$(config_get $1 address)
+ local server_ip use_ipv6 network_type
use_ipv6=$(config_get $1 use_ipv6)
network_type="ipv4"
[ "$use_ipv6" == "1" ] && network_type="ipv6"
- server_ip=$(get_host_ip $network_type $address)
-
- [ -n "$server_ip" -a "$server_ip" != "$TCP_NODE_IP" ] && {
- [ "$network_type" == "ipv4" ] && ipset add $IPSET_VPSIPLIST $server_ip >/dev/null 2>&1 &
+ server_ip=$(get_node_host_ip $1)
+ [ -n "$server_ip" ] && {
+ [ "$network_type" == "ipv4" ] && ipset -! add $IPSET_VPSIPLIST $server_ip >/dev/null 2>&1 &
}
}
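Review bot: Dropping the `"$server_ip" != "$TCP_NODE_IP"` check means the active TCP node's address is now added to the VPS ipset, which PSW_OUTPUT returns on for all ports (L678), whereas before only `-d $TCP_NODE_IP --dports $TCP_NODE_PORT` was bypassed; if widening the exemption is deliberate, a comment should say so, e.g. `# every configured node address bypasses the proxy on all ports, including the active TCP node`. `use_ipv6` is also now read twice — here and inside `get_node_host_ip` — so the `network_type` guard could give way to a v4-shaped check on the result, `case $server_ip in *.*.*.*) ipset -! add $IPSET_VPSIPLIST $server_ip >/dev/null 2>&1 ;; esac`. The trailing `&` on the add remains, so the set may still be populated after the rules that reference it are installed.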
@@ -204,18 +198,17 @@ dns_hijack() {
add_firewall_rule() {
echolog "开始加载防火墙规则..."
echolog "默认代理模式:$(get_action_chain_name $PROXY_MODE)"
- ipset -! create $IPSET_LANIPLIST nethash && ipset flush $IPSET_LANIPLIST
- ipset -! create $IPSET_VPSIPLIST nethash && ipset flush $IPSET_VPSIPLIST
- ipset -! create $IPSET_ROUTER nethash && ipset flush $IPSET_ROUTER
- #ipset -! create $IPSET_GFW nethash && ipset flush $IPSET_GFW
+ ipset -! create $IPSET_LANIPLIST nethash
+ ipset -! create $IPSET_VPSIPLIST nethash
+ ipset -! create $IPSET_ROUTER nethash
ipset -! create $IPSET_GFW nethash
- ipset -! create $IPSET_CHN nethash && ipset flush $IPSET_CHN
+ ipset -! create $IPSET_CHN nethash
ipset -! create $IPSET_BLACKLIST nethash && ipset flush $IPSET_BLACKLIST
ipset -! create $IPSET_WHITELIST nethash && ipset flush $IPSET_WHITELIST
- sed -e "s/^/add $IPSET_CHN &/g" $RULE_PATH/chnroute | awk '{print $0} END{print "COMMIT"}' | ipset -R
- sed -e "s/^/add $IPSET_BLACKLIST &/g" $RULE_PATH/blacklist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -R
- sed -e "s/^/add $IPSET_WHITELIST &/g" $RULE_PATH/whitelist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -R
+ sed -e "s/^/add $IPSET_CHN &/g" $RULE_PATH/chnroute | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ sed -e "s/^/add $IPSET_BLACKLIST &/g" $RULE_PATH/blacklist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ sed -e "s/^/add $IPSET_WHITELIST &/g" $RULE_PATH/whitelist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
ipset -! -R <<-EOF || return 1
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
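Review bot: The `ipset flush` calls for `$IPSET_LANIPLIST`, `$IPSET_VPSIPLIST`, `$IPSET_ROUTER` and `$IPSET_CHN` are gone while `BLACKLIST`/`WHITELIST` keep theirs, so across restarts those four sets only ever grow: a node removed from the config keeps its address in the VPS set and stays exempt from the proxy, and an old LAN range stays in the LAN set, until the sets are destroyed elsewhere (the stop path is not in this diff). If the flush was dropped to avoid re-loading chnroute on every start, say so in a comment and keep it at least for the cheap sets, `ipset -! create $IPSET_VPSIPLIST nethash && ipset flush $IPSET_VPSIPLIST` (likewise LANIPLIST and ROUTER); `ipset -! -R` already tolerates duplicate adds, so the reload itself is unaffected. `add_firewall_rule` continues past this hunk.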
@@ -231,7 +224,7 @@ add_firewall_rule() {
# 忽略特殊IP段
lan_ip=$(ifconfig br-lan | grep "inet addr" | awk '{print $2}' | awk -F : '{print $2}') #路由器lan IP
lan_ipv4=$(ip address show br-lan | grep -w "inet" | awk '{print $2}') #当前LAN IPv4段
- [ -n "$lan_ipv4" ] && ipset add $IPSET_LANIPLIST $lan_ipv4 >/dev/null 2>&1 &
+ [ -n "$lan_ipv4" ] && ipset -! add $IPSET_LANIPLIST $lan_ipv4 >/dev/null 2>&1 &
# 过滤所有节点IP
config_foreach filter_vpsip "nodes"
@@ -278,9 +271,8 @@ add_firewall_rule() {
local k=$i
eval node=\$SOCKS5_NODE$k
if [ "$node" != "nil" ]; then
- local address=$(config_get $node address)
local SOCKS5_NODE_PORT=$(config_get $node port)
- local SOCKS5_NODE_IP=$(get_host_ip "ipv4" $address)
+ local SOCKS5_NODE_IP=$(get_node_host_ip $node)
[ -n "$SOCKS5_NODE_IP" -a -n "$SOCKS5_NODE_PORT" ] && $ipt_n -A PSW -p tcp -d $SOCKS5_NODE_IP -m multiport --dports $SOCKS5_NODE_PORT -j RETURN
fi
done
@@ -294,9 +286,8 @@ add_firewall_rule() {
eval local_port=\$TCP_REDIR_PORT$k
# 生成TCP转发规则
if [ "$node" != "nil" ]; then
- local address=$(config_get $node address)
local TCP_NODE_PORT=$(config_get $node port)
- local TCP_NODE_IP=$(get_host_ip "ipv4" $address)
+ local TCP_NODE_IP=$(get_node_host_ip $node)
local TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
[ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && $ipt_n -A PSW -p tcp -d $TCP_NODE_IP -m multiport --dports $TCP_NODE_PORT -j RETURN
if [ "$TCP_NODE_TYPE" == "brook" ]; then
@@ -319,17 +310,15 @@ add_firewall_rule() {
# 游戏模式
$ipt_m -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
- # 用于本机流量转发,默认只走router
- $ipt_m -A PSW -s $lan_ip -p tcp $(dst $IPSET_ROUTER) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
- if [ "$TCP_REDIR_PORTS" != "disable" ]; then
- $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
- fi
+ # 用于本机流量转发
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
+ $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
else
# 全局模式
$ipt_n -A PSW_GLO$k -p tcp -j REDIRECT --to-ports $local_port
# GFWLIST模式
- $ipt_n -A PSW_GFW$k -p tcp $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_GFW$k -p tcp $(dst $IPSET_GFW) -j REDIRECT --to-ports $local_port
# 大陆白名单模式
@@ -385,19 +374,13 @@ add_firewall_rule() {
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
- if [ "$TCP_REDIR_PORTS" != "disable" ]; then
- $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1
- $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1
-
- [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j REDIRECT --to-ports $TCP_REDIR_PORT1
- [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j REDIRECT --to-ports $TCP_REDIR_PORT1
- [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && {
- $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j REDIRECT --to-ports $TCP_REDIR_PORT1
- }
- else
- $ipt_n -A PSW_OUTPUT -p tcp $(dst $IPSET_ROUTER) -j RETURN
- $ipt_n -A PSW_OUTPUT -p tcp $(dst $IPSET_BLACKLIST) -j RETURN
- fi
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+
+ $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j REDIRECT --to-ports $TCP_REDIR_PORT1
}
# 重定所有流量到透明代理端口
# $ipt_n -A PSW -p tcp -m ttl --ttl-eq $ttl -j REDIRECT --to $local_port
@@ -437,9 +420,8 @@ add_firewall_rule() {
eval local_port=\$UDP_REDIR_PORT$k
# 生成UDP转发规则
if [ "$node" != "nil" ]; then
- local address=$(config_get $node address)
local UDP_NODE_PORT=$(config_get $node port)
- local UDP_NODE_IP=$(get_host_ip "ipv4" $address)
+ local UDP_NODE_IP=$(get_node_host_ip $node)
local UDP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
[ -n "$UDP_NODE_IP" -a -n "$UDP_NODE_PORT" ] && $ipt_m -A PSW -p udp -d $UDP_NODE_IP -m multiport --dports $UDP_NODE_PORT -j RETURN
[ "$UDP_NODE_TYPE" == "brook" ] && $ipt_m -A PSW_ACL -p udp -m socket -j MARK --set-mark 1
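Review bot: The result of the new `get_node_host_ip $node` call on the `+` line is consumed unquoted two lines later as `-d $UDP_NODE_IP`, so if the helper ever prints more than one token (several resolved addresses, or a diagnostic on stdout) the iptables invocation silently gets extra arguments, and if it prints nothing the `-n` guard silently skips the rule that keeps the node's own traffic out of the redirect path. I would quote both expansions, `local UDP_NODE_IP=$(get_node_host_ip "$node")` and `-d "$UDP_NODE_IP"`, and log the empty case with the file's existing `echolog` helper so a missing exemption is visible rather than silent. `get_node_host_ip` is not defined within this chunk, so whether it can return multiple addresses is inferred; the enclosing `add_firewall_rule` starts and ends outside the hunk.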
@@ -478,18 +460,13 @@ add_firewall_rule() {
$ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_VPSIPLIST) -j RETURN
$ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_WHITELIST) -j RETURN
- if [ "$UDP_REDIR_PORTS" != "disable" ]; then
- $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
- $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j MARK --set-mark 1
- [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -j MARK --set-mark 1
- [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
- [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && {
- $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j MARK --set-mark 1
- }
- else
- $ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_ROUTER) -j RETURN
- $ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_BLACKLIST) -j RETURN
- fi
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+
+ $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j MARK --set-mark 1
+ $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
+ [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -j MARK --set-mark 1
+ [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
+ [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j MARK --set-mark 1
}
echolog "IPv4 防火墙UDP转发规则加载完成!"
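Review bot: The new guard on the `UDP_NO_REDIR_PORTS` line only excludes the literal `disable`, so an empty value (a config saved before this option existed, unless it is defaulted somewhere not shown here) passes the test and `-m multiport --dport` is given no port list, which iptables rejects; since output is not checked the rule is simply missing. I would use `[ -n "$UDP_NO_REDIR_PORTS" ] && [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport "$UDP_NO_REDIR_PORTS" -j RETURN`, and the same for the TCP and PSW_ACL variants at L693, L748 and L759. Relatedly, the five MARK rules that follow now expand `$UDP_REDIR_PORTS` unconditionally where the removed branch tolerated `disable`; the acl.lua hunk drops that option from the UI but a stored `disable` in an existing config would still reach `--dport disable` here and at L695-L699, L750 and L761, so either the value should be mapped to a port range before this point or the old `disable` branch kept as a RETURN. The enclosing `add_firewall_rule` starts and ends outside the hunk.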
@@ -524,20 +501,14 @@ add_firewall_rule() {
[ "$UDP_NODE1" != "nil" ] && $ipt_m -A PSW_ACL -p udp -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)
else
[ "$TCP_NODE1" != "nil" ] && {
- if [ "$UDP_REDIR_PORTS" != "disable" ]; then
- $ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j REDIRECT --to-ports $TCP_REDIR_PORT1
- $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
- else
- $ipt_n -A PSW_ACL -p tcp -m comment --comment "$remarks" -j RETURN
- fi
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
+ $ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
}
[ "$UDP_NODE1" != "nil" ] && {
- if [ "$UDP_REDIR_PORTS" != "disable" ]; then
- $ipt_m -A PSW_ACL -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j TPROXY --on-port $UDP_REDIR_PORT1 --tproxy-mark 0x1/0x1
- $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
- else
- $ipt_m -A PSW_ACL -p udp -m comment --comment "$remarks" -j RETURN
- fi
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
+ $ipt_m -A PSW_ACL -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j TPROXY --on-port $UDP_REDIR_PORT1 --tproxy-mark 0x1/0x1
+ $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
}
fi
}
@@ -606,13 +577,23 @@ del_firewall_rule() {
done
fi
+ ipset -F $IPSET_LANIPLIST >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
ipset -F $IPSET_ROUTER >/dev/null 2>&1 && ipset -X $IPSET_ROUTER >/dev/null 2>&1 &
#ipset -F $IPSET_GFW >/dev/null 2>&1 && ipset -X $IPSET_GFW >/dev/null 2>&1 &
#ipset -F $IPSET_CHN >/dev/null 2>&1 && ipset -X $IPSET_CHN >/dev/null 2>&1 &
ipset -F $IPSET_BLACKLIST >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST >/dev/null 2>&1 &
ipset -F $IPSET_WHITELIST >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST >/dev/null 2>&1 &
- ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
+}
+
+flush_ipset() {
ipset -F $IPSET_LANIPLIST >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_ROUTER >/dev/null 2>&1 && ipset -X $IPSET_ROUTER >/dev/null 2>&1 &
+ ipset -F $IPSET_GFW >/dev/null 2>&1 && ipset -X $IPSET_GFW >/dev/null 2>&1 &
+ ipset -F $IPSET_CHN >/dev/null 2>&1 && ipset -X $IPSET_CHN >/dev/null 2>&1 &
+ ipset -F $IPSET_BLACKLIST >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_WHITELIST >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST >/dev/null 2>&1 &
}
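Review bot: Every flush/destroy in the new `flush_ipset` and in the two lines added to `del_firewall_rule` is backgrounded with `&` and has its output discarded, so the function returns before any set is actually gone and an `ipset -X` that fails because a rule still references the set is never reported; a `start` issued right after could then race against destroys still in flight, which is a guess since `start` is outside the hunk. The seven lines of `flush_ipset` are also a near-copy of the tail of `del_firewall_rule`, and the only intentional difference — that `flush_ipset` also drops the GFW and CHN sets which `del_firewall_rule` leaves commented out — is undocumented; a header comment such as `# Full teardown: unlike del_firewall_rule this also destroys the large GFW/CHN sets (presumably so they are rebuilt from scratch)` would make that explicit. I would factor the pair of commands into one helper and iterate over the set names, keeping a trailing `&` on the loop only if the backgrounding is deliberate for the large sets.

```shell
# Flush then destroy one ipset; silent when it does not exist or is still referenced by a rule.
destroy_ipset() {
	ipset -F "$1" >/dev/null 2>&1 && ipset -X "$1" >/dev/null 2>&1
}

# Full teardown: unlike del_firewall_rule this also destroys the GFW/CHN sets.
flush_ipset() {
	for s in $IPSET_LANIPLIST $IPSET_VPSIPLIST $IPSET_ROUTER $IPSET_GFW $IPSET_CHN $IPSET_BLACKLIST $IPSET_WHITELIST; do
		destroy_ipset "$s"
	done
}
```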
start() {
@@ -625,6 +606,9 @@ stop() {
}
case $1 in
+flush_ipset)
+ flush_ipset
+ ;;
stop)
stop
;;