From 0d9831adc1f7d117a47e1da629ffb01efbc742eb Mon Sep 17 00:00:00 2001 From: CN_SZTL Date: Fri, 14 Feb 2020 01:23:50 +0800 Subject: [PATCH] luci-app-passwall: sync with upstream source --- package/lienol/luci-app-passwall/Makefile | 4 +- .../luasrc/model/cbi/passwall/acl.lua | 18 +- .../luasrc/model/cbi/passwall/global.lua | 11 +- .../luasrc/model/cbi/passwall/other.lua | 18 +- .../luci-app-passwall/po/zh-cn/passwall.po | 17 +- .../root/etc/config/passwall | 2 + .../etc/config/passwall_rule/blacklist_host | 7 +- .../etc/config/passwall_rule/blacklist_ip | 4 +- .../root/etc/config/passwall_rule/router | 10 - .../root/usr/share/passwall/app.sh | 199 +++++++++--------- .../root/usr/share/passwall/config.default | 2 + .../root/usr/share/passwall/iptables.sh | 146 ++++++------- 12 files changed, 226 insertions(+), 212 deletions(-) diff --git a/package/lienol/luci-app-passwall/Makefile b/package/lienol/luci-app-passwall/Makefile index 75713d6219..3fe1d9daee 100644 --- a/package/lienol/luci-app-passwall/Makefile +++ b/package/lienol/luci-app-passwall/Makefile @@ -6,8 +6,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall -PKG_VERSION:=3.5.4 -PKG_RELEASE:=20200212 +PKG_VERSION:=3.5.6 +PKG_RELEASE:=20200213 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua index 71d9534629..c31284cadb 100644 --- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua +++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/acl.lua 
@@ -81,14 +81,27 @@ o:value("disable", translate("No Proxy")) o:value("global", translate("Global Proxy")) o:value("gfwlist", translate("GFW List")) o:value("chnroute", translate("China WhiteList")) ---o:value("gamemode", translate("Game Mode")) +-- o:value("gamemode", translate("Game Mode")) o:value("returnhome", translate("Return Home")) +---- TCP No Redir Ports +o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports")) +o.default = "default" +o:value("disable", translate("No patterns are used")) +o:value("default", translate("Default")) +o:value("1:65535", translate("All")) + +---- UDP No Redir Ports +o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports")) +o.default = "default" +o:value("disable", translate("No patterns are used")) +o:value("default", translate("Default")) +o:value("1:65535", translate("All")) + ---- TCP Redir Ports o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports")) o.default = "default" o:value("default", translate("Default")) -o:value("disable", translate("No Proxy")) o:value("1:65535", translate("All")) o:value("80,443", "80,443") o:value("80:", "80 " .. translate("or more")) @@ -98,7 +111,6 @@ o:value(":443", "443 " .. translate("or less")) o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports")) o.default = "default" o:value("default", translate("Default")) -o:value("disable", translate("No Proxy")) o:value("1:65535", translate("All")) o:value("53", "53") diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua index 37cb3b83c3..d062f12e8d 100644 --- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua +++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua 
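Review bot: The new `tcp_no_redir_ports` and `udp_no_redir_ports` fields are free-form `Value` options with no `datatype` or `validate` hook, yet the iptables.sh hunks on this page splice the stored string unquoted into `-m multiport --dport $TCP_NO_REDIR_PORTS`, so a value that is not a port list is not rejected at save time and instead surfaces as a failed or mis-parsed iptables rule when the service starts. The predefined choices only cover `disable`, `default` and `1:65535`; a validator accepting those keywords plus comma-separated ports or ranges would catch mistakes where the user can see them. The same applies to the two identical options added in the other.lua hunk. A possible validator, attached to each of the two options right after its `o:value` lines:
```lua
-- reject anything that is not a keyword or a comma-separated list of ports / port ranges
function o.validate(self, value, section)
    if value == "disable" or value == "default" then
        return value
    end
    for item in value:gmatch("[^,]+") do
        if item == ":" or not item:match("^%d*:?%d*$") then
            return nil, translate("Invalid port list")
        end
    end
    return value
end
```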
@@ -186,26 +186,25 @@ o.rmempty = false ---- Default Proxy Mode o = s:option(ListValue, "proxy_mode", - translate("Default") .. translate("Proxy Mode"), translate( - "If using GFW mode is not available, try clearing the native cache.")) + translate("Default") .. translate("Proxy Mode"), + translate("If not available, try clearing the cache.")) o.default = "chnroute" o.rmempty = false o:value("disable", translate("No Proxy")) o:value("global", translate("Global Proxy")) o:value("gfwlist", translate("GFW List")) o:value("chnroute", translate("China WhiteList")) ---o:value("gamemode", translate("Game Mode")) +-- o:value("gamemode", translate("Game Mode")) o:value("returnhome", translate("Return Home")) ---- Localhost Proxy Mode o = s:option(ListValue, "localhost_proxy_mode", translate("Localhost") .. translate("Proxy Mode"), translate( - "The server client can also use this rule to scientifically surf the Internet.
Global and continental whitelist are not recommended for non-special cases!")) + "The server client can also use this rule to scientifically surf the Internet.")) o:value("default", translate("Default")) -o:value("global", - translate("Global Proxy") .. "(" .. translate("Danger") .. ")") o:value("gfwlist", translate("GFW List")) o:value("chnroute", translate("China WhiteList")) +o:value("global", translate("Global Proxy")) o.default = "default" o.rmempty = false diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua index 8dd494c2b7..867849ae45 100644 --- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua +++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/other.lua @@ -54,10 +54,25 @@ s = m:section(TypedSection, "global_forwarding", s.anonymous = true s.addremove = false +---- TCP No Redir Ports +o = s:option(Value, "tcp_no_redir_ports", translate("TCP No Redir Ports"), + translate( + "Fill in the ports you don't want to be forwarded by the agent, with the highest priority.")) +o.default = "disable" +o:value("disable", translate("No patterns are used")) +o:value("1:65535", translate("All")) + +---- UDP No Redir Ports +o = s:option(Value, "udp_no_redir_ports", translate("UDP No Redir Ports"), + translate( + "Fill in the ports you don't want to be forwarded by the agent, with the highest priority.")) +o.default = "disable" +o:value("disable", translate("No patterns are used")) +o:value("1:65535", translate("All")) + ---- TCP Redir Ports o = s:option(Value, "tcp_redir_ports", translate("TCP Redir Ports")) o.default = "80,443" -o:value("disable", translate("No Proxy")) o:value("1:65535", translate("All")) o:value("80,443", "80,443") o:value("80:", "80 " .. translate("or more")) 
@@ -66,7 +81,6 @@ o:value(":443", "443 " .. translate("or less")) ---- UDP Redir Ports o = s:option(Value, "udp_redir_ports", translate("UDP Redir Ports")) o.default = "1:65535" -o:value("disable", translate("No Proxy")) o:value("1:65535", translate("All")) o:value("53", "53") diff --git a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po index 714f98d234..b852a35f4c 100644 --- a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po +++ b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po @@ -166,8 +166,8 @@ msgstr "ChinaDNS-NG可信DNS" msgid "You can use other resolving DNS services as trusted DNS, Example: dns2socks, dns-forwarder... 127.0.0.1#5353
Only use two at most, english comma separation, If you do not fill in the # and the following port, you are using port 53." msgstr "你可以使用其他解决污染DNS服务作为可信DNS,例:dns2socks,dns-forwarder等等。127.0.0.1#5353
最多使用2个DNS服务器,英文逗号分隔,如果没有填#和后面的端口,则使用53端口。" -msgid "The server client can also use this rule to scientifically surf the Internet.
Global and continental whitelist are not recommended for non-special cases!" -msgstr "本机服务器的客户端也可以使用这个代理模式上网。
非特殊情况不推荐使用全局和大陆白名单!" +msgid "The server client can also use this rule to scientifically surf the Internet." +msgstr "本机服务器的客户端也可以使用这个代理模式上网。" msgid "Tips" msgstr "小提示" @@ -226,8 +226,8 @@ msgstr "单进程" msgid "Proxy Mode" msgstr "代理模式" -msgid "If using GFW mode is not available, try clearing the native cache." -msgstr "如果使用GFW模式无法使用,请尝试清除本机缓存。" +msgid "If not available, try clearing the cache." +msgstr "如果无法使用,请尝试清除缓存。" msgid "No Proxy" msgstr "不代理" @@ -382,6 +382,15 @@ msgstr "自动重启时间" msgid "Forwarding Settings" msgstr "转发配置" +msgid "TCP No Redir Ports" +msgstr "TCP不转发端口" + +msgid "UDP No Redir Ports" +msgstr "UDP不转发端口" + +msgid "Fill in the ports you don't want to be forwarded by the agent, with the highest priority." +msgstr "填写你不希望被代理转发的端口,优先级最高。" + msgid "TCP Redir Ports" msgstr "TCP转发端口" diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall b/package/lienol/luci-app-passwall/root/etc/config/passwall index a86a5ccca9..31805a86d7 100644 --- a/package/lienol/luci-app-passwall/root/etc/config/passwall +++ b/package/lienol/luci-app-passwall/root/etc/config/passwall @@ -22,6 +22,8 @@ config global_delay config global_forwarding option process '1' + option tcp_no_redir_ports 'disable' + option udp_no_redir_ports 'disable' option tcp_redir_ports '1:65535' option udp_redir_ports '1:65535' option socks5_proxy_port '1081' diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host index f40e9d7c67..50c4253470 100644 --- a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host +++ b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_host 
@@ -2,4 +2,9 @@ formyip.com msi.com github.com github.io -githubusercontent.com \ No newline at end of file +githubusercontent.com +github-production-release-asset-2e65be.s3.amazonaws.com +openwrt.proxy.ustclug.org +easylist-downloads.adblockplus.org +adblockplus.org +caddyserver.com \ No newline at end of file diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip index 78e3fcfde8..0938095ef5 100644 --- a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip +++ b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/blacklist_ip @@ -2,4 +2,6 @@ 91.108.4.0/22 91.108.56.0/24 109.239.140.0/24 -67.198.55.0/24 \ No newline at end of file +67.198.55.0/24 +8.8.4.4 +8.8.8.8 \ No newline at end of file diff --git a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router index 75d07845c0..e69de29bb2 100644 --- a/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router +++ b/package/lienol/luci-app-passwall/root/etc/config/passwall_rule/router @@ -1,10 +0,0 @@ -google.com -youtube.com -github.com -github.io -githubusercontent.com -github-production-release-asset-2e65be.s3.amazonaws.com -openwrt.proxy.ustclug.org -easylist-downloads.adblockplus.org -adblockplus.org -caddyserver.com \ No newline at end of file diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh index 2039162524..2e696da29f 100755 --- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh 
@@ -89,6 +89,18 @@ get_host_ip() { echo $ip } +get_node_host_ip() { + local ip + local address=$(config_n_get $1 address) + [ -n "$address" ] && { + local use_ipv6=$(config_n_get $1 use_ipv6) + local network_type="ipv4" + [ "$use_ipv6" == "1" ] && network_type="ipv6" + ip=$(get_host_ip $network_type $address) + } + echo $ip +} + check_port_exists() { port=$1 protocol=$2 @@ -178,6 +190,8 @@ BROOK_TCP_CMD="" BROOK_UDP_CMD="" TCP_REDIR_PORTS=$(config_t_get global_forwarding tcp_redir_ports '80,443') UDP_REDIR_PORTS=$(config_t_get global_forwarding udp_redir_ports '1:65535') +TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable') +UDP_NO_REDIR_PORTS=$(config_t_get global_forwarding udp_no_redir_ports 'disable') KCPTUN_REDIR_PORT=$(config_t_get global_forwarding kcptun_port 12948) PROXY_MODE=$(config_t_get global proxy_mode chnroute) @@ -198,6 +212,7 @@ load_config() { process=$(config_t_get global_forwarding process) fi LOCALHOST_PROXY_MODE=$(config_t_get global localhost_proxy_mode default) + [ "$LOCALHOST_PROXY_MODE" == "default" ] && LOCALHOST_PROXY_MODE=$PROXY_MODE UP_CHINA_DNS=$(config_t_get global up_china_dns dnsbyisp) [ "$UP_CHINA_DNS" == "default" ] && IS_DEFAULT_CHINA_DNS=1 [ ! -f "$RESOLVFILE" -o ! -s "$RESOLVFILE" ] && RESOLVFILE=/tmp/resolv.conf.auto 
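Review bot: `get_node_host_ip` has no header comment, and its contract (empty output when the node section has no `address`, IPv6 lookup only when `use_ipv6` is `1`) is what every call site in the iptables.sh hunks on this page now relies on; a line such as `# Resolve node section $1 to an IP via get_host_ip, honouring its use_ipv6 flag; prints nothing when address is unset` above the function would make that explicit. `echo $ip` is left unquoted exactly as in `get_host_ip`, which is consistent, though it means a multi-line resolver result would be flattened onto one line by word splitting. The other two hunks in this file section only add variable reads.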
@@ -621,38 +636,6 @@ clean_log() { fi } -set_cru() { - autoupdate=$(config_t_get global_rules auto_update) - weekupdate=$(config_t_get global_rules week_update) - dayupdate=$(config_t_get global_rules time_update) - autoupdatesubscribe=$(config_t_get global_subscribe auto_update_subscribe) - weekupdatesubscribe=$(config_t_get global_subscribe week_update_subscribe) - dayupdatesubscribe=$(config_t_get global_subscribe time_update_subscribe) - if [ "$autoupdate" = "1" ]; then - if [ "$weekupdate" = "7" ]; then - echo "0 $dayupdate * * * $APP_PATH/rule_update.sh" >>/etc/crontabs/root - echolog "设置自动更新规则在每天 $dayupdate 点。" - else - echo "0 $dayupdate * * $weekupdate $APP_PATH/rule_update.sh" >>/etc/crontabs/root - echolog "设置自动更新规则在星期 $weekupdate 的 $dayupdate 点。" - fi - else - sed -i '/rule_update.sh/d' /etc/crontabs/root >/dev/null 2>&1 & - fi - - if [ "$autoupdatesubscribe" = "1" ]; then - if [ "$weekupdatesubscribe" = "7" ]; then - echo "0 $dayupdatesubscribe * * * $APP_PATH/subscription.sh" >>/etc/crontabs/root - echolog "设置节点订阅自动更新规则在每天 $dayupdatesubscribe 点。" - else - echo "0 $dayupdatesubscribe * * $weekupdate $APP_PATH/subscription.sh" >>/etc/crontabs/root - echolog "设置节点订阅自动更新规则在星期 $weekupdate 的 $dayupdatesubscribe 点。" - fi - else - sed -i '/subscription.sh/d' /etc/crontabs/root >/dev/null 2>&1 & - fi -} - start_crontab() { sed -i '/$CONFIG/d' /etc/crontabs/root >/dev/null 2>&1 & start_daemon=$(config_t_get global_delay start_daemon) 
@@ -688,6 +671,37 @@ start_crontab() { echolog "设置每$testing_time分钟执行检测脚本。" } } + + autoupdate=$(config_t_get global_rules auto_update) + weekupdate=$(config_t_get global_rules week_update) + dayupdate=$(config_t_get global_rules time_update) + autoupdatesubscribe=$(config_t_get global_subscribe auto_update_subscribe) + weekupdatesubscribe=$(config_t_get global_subscribe week_update_subscribe) + dayupdatesubscribe=$(config_t_get global_subscribe time_update_subscribe) + if [ "$autoupdate" = "1" ]; then + if [ "$weekupdate" = "7" ]; then + echo "0 $dayupdate * * * $APP_PATH/rule_update.sh" >>/etc/crontabs/root + echolog "设置自动更新规则在每天 $dayupdate 点。" + else + echo "0 $dayupdate * * $weekupdate $APP_PATH/rule_update.sh" >>/etc/crontabs/root + echolog "设置自动更新规则在星期 $weekupdate 的 $dayupdate 点。" + fi + else + sed -i '/rule_update.sh/d' /etc/crontabs/root >/dev/null 2>&1 & + fi + + if [ "$autoupdatesubscribe" = "1" ]; then + if [ "$weekupdatesubscribe" = "7" ]; then + echo "0 $dayupdatesubscribe * * * $APP_PATH/subscription.sh" >>/etc/crontabs/root + echolog "设置节点订阅自动更新规则在每天 $dayupdatesubscribe 点。" + else + echo "0 $dayupdatesubscribe * * $weekupdate $APP_PATH/subscription.sh" >>/etc/crontabs/root + echolog "设置节点订阅自动更新规则在星期 $weekupdate 的 $dayupdatesubscribe 点。" + fi + else + sed -i '/subscription.sh/d' /etc/crontabs/root >/dev/null 2>&1 & + fi + /etc/init.d/cron restart } @@ -724,7 +738,7 @@ start_dns() { pdnsd_bin=$(find_bin pdnsd) [ -n "$pdnsd_bin" ] && { use_tcp_node_resolve_dns=1 - gen_pdnsd_config $DNS_PORT "cache" + gen_pdnsd_config $DNS_PORT 10240 DNS_FORWARD=$(echo $DNS_FORWARD | sed 's/,/ /g') nohup $pdnsd_bin --daemon -c $pdnsd_dir/pdnsd.conf -d >/dev/null 2>&1 & echolog "DNS:pdnsd..." 
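Review bot: The subscription cron entry still uses `$weekupdate` (the rule-update weekday) instead of `$weekupdatesubscribe`, in both the `echo ... subscription.sh` line and the `echolog` after it; the block was moved verbatim from `set_cru`, so the commit carries the mix-up into `start_crontab`. The two lines should read `echo "0 $dayupdatesubscribe * * $weekupdatesubscribe $APP_PATH/subscription.sh" >>/etc/crontabs/root` and `echolog "设置节点订阅自动更新规则在星期 $weekupdatesubscribe 的 $dayupdatesubscribe 点。"`. Separately, the `sed -i '/rule_update.sh/d' ... &` and `sed -i '/subscription.sh/d' ... &` removals are backgrounded while `/etc/init.d/cron restart` runs immediately afterwards, so cron may be restarted before the stale entries are gone; dropping the trailing `&` makes the ordering deterministic. `start_crontab` begins outside the hunk.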
@@ -734,8 +748,8 @@ start_dns() { chinadns_ng_bin=$(find_bin chinadns-ng) [ -n "$chinadns_ng_bin" ] && { other_port=$(expr $DNS_PORT + 1) - cat $RULE_PATH/gfwlist.conf | sort | uniq | sed -e '/127.0.0.1/d' | sed 's/ipset=\/.//g' | sed 's/\/gfwlist//g' > $CONFIG_PATH/gfwlist_chinadns_ng.txt - [ -f "$CONFIG_PATH/gfwlist_chinadns_ng.txt" ] && local gfwlist_param="-g $CONFIG_PATH/gfwlist_chinadns_ng.txt" + cat $RULE_PATH/gfwlist.conf | sort | uniq | sed -e '/127.0.0.1/d' | sed 's/ipset=\/.//g' | sed 's/\/gfwlist//g' > $CONFIG_PATH/gfwlist.txt + [ -f "$CONFIG_PATH/gfwlist.txt" ] && local gfwlist_param="-g $CONFIG_PATH/gfwlist.txt" [ -f "$RULE_PATH/chnlist" ] && local chnlist_param="-m $RULE_PATH/chnlist" up_trust_chinadns_ng_dns=$(config_t_get global up_trust_chinadns_ng_dns "pdnsd") @@ -745,7 +759,7 @@ start_dns() { force_stop else use_tcp_node_resolve_dns=1 - gen_pdnsd_config $other_port + gen_pdnsd_config $other_port 0 pdnsd_bin=$(find_bin pdnsd) [ -n "$pdnsd_bin" ] && { DNS_FORWARD=$(echo $DNS_FORWARD | sed 's/,/ /g') 
@@ -780,51 +794,34 @@ start_dns() { add_dnsmasq() { mkdir -p $TMP_DNSMASQ_PATH $DNSMASQ_PATH /var/dnsmasq.d - - # if [ -n "cat /var/state/network |grep pppoe|awk -F '.' '{print $2}'" ]; then - # sed -i '/except-interface/d' /etc/dnsmasq.conf >/dev/null 2>&1 & - # for wanname in $(cat /var/state/network |grep pppoe|awk -F '.' '{print $2}') - # do - # echo "except-interface=$(uci -q get network.$wanname.ifname)" >>/etc/dnsmasq.conf - # done - # fi + cat $RULE_PATH/whitelist_host | sed "s/^/ipset=&\/./g" | sed "s/$/\/&whitelist/g" | sort | awk '{if ($0!=line) print;line=$0}' > $TMP_DNSMASQ_PATH/whitelist_host.conf - subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0) - [ "$subscribe_proxy" -eq 1 ] && { - config_foreach set_subscribe_proxy "subscribe_list" + [ "$DNS_MODE" != "nonuse" ] && { + [ -f "$RULE_PATH/blacklist_host" -a -s "$RULE_PATH/blacklist_host" ] && cat $RULE_PATH/blacklist_host | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/blacklist"}' > $TMP_DNSMASQ_PATH/blacklist_host.conf + [ -f "$RULE_PATH/router" -a -s "$RULE_PATH/router" ] && cat $RULE_PATH/router | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/router"}' > $TMP_DNSMASQ_PATH/router.conf + [ -f "$RULE_PATH/gfwlist.conf" -a -s "$RULE_PATH/gfwlist.conf" ] && ln -s $RULE_PATH/gfwlist.conf $TMP_DNSMASQ_PATH/gfwlist.conf + + subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0) + [ "$subscribe_proxy" -eq 1 ] && { + config_foreach set_subscribe_proxy "subscribe_list" + } } - - if [ ! -f "$TMP_DNSMASQ_PATH/gfwlist.conf" -a "$DNS_MODE" != "nonuse" ]; then - ln -s $RULE_PATH/gfwlist.conf $TMP_DNSMASQ_PATH/gfwlist.conf - fi - - if [ ! -f "$TMP_DNSMASQ_PATH/blacklist_host.conf" -a "$DNS_MODE" != "nonuse" ]; then - cat $RULE_PATH/blacklist_host | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/blacklist"}' >>$TMP_DNSMASQ_PATH/blacklist_host.conf - fi - - if [ ! 
-f "$TMP_DNSMASQ_PATH/whitelist_host.conf" ]; then - cat $RULE_PATH/whitelist_host | sed "s/^/ipset=&\/./g" | sed "s/$/\/&whitelist/g" | sort | awk '{if ($0!=line) print;line=$0}' >$TMP_DNSMASQ_PATH/whitelist_host.conf - fi - - if [ ! -f "$TMP_DNSMASQ_PATH/router.conf" -a "$DNS_MODE" != "nonuse" ]; then - cat $RULE_PATH/router | awk '{print "server=/."$1"/127.0.0.1#'$DNS_PORT'\nipset=/."$1"/router"}' >>$TMP_DNSMASQ_PATH/router.conf - fi - - if [ -z "$IS_DEFAULT_CHINA_DNS" -o "$IS_DEFAULT_CHINA_DNS" == 0 ]; then + + [ -z "$IS_DEFAULT_CHINA_DNS" -o "$IS_DEFAULT_CHINA_DNS" == 0 ] && { server="server=127.0.0.1#$DNS_PORT" [ "$DNS_MODE" != "chinadns-ng" ] && { local china_dns1=$(echo $UP_CHINA_DNS | awk -F "," '{print $1}') local china_dns2=$(echo $UP_CHINA_DNS | awk -F "," '{print $2}') [ -n "$china_dns1" ] && server="server=$china_dns1" [ -n "$china_dns2" ] && server="${server}\n${server_2}" + server="${server}\nno-resolv" } cat <<-EOF > /var/dnsmasq.d/dnsmasq-$CONFIG.conf $(echo -e $server) all-servers no-poll - no-resolv EOF - fi + } cat <<-EOF >> /var/dnsmasq.d/dnsmasq-$CONFIG.conf conf-dir=$TMP_DNSMASQ_PATH @@ -902,11 +899,12 @@ gen_redsocks_config() { gen_pdnsd_config() { pdnsd_dir=$CONFIG_PATH/pdnsd mkdir -p $pdnsd_dir + touch $pdnsd_dir/pdnsd.cache chown -R root.nogroup $pdnsd_dir - [ "$2" == "cache" ] && cache_param="perm_cache = 1024;\ncache_dir = \"$pdnsd_dir\";" cat > $pdnsd_dir/pdnsd.conf <<-EOF global { - $(echo -e $cache_param) + perm_cache = $2; + cache_dir = "$pdnsd_dir"; pid_file = "$RUN_PID_PATH/pdnsd.pid"; run_as = "root"; server_ip = 127.0.0.1; 
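Review bot: `no-resolv` is now emitted only inside the `[ "$DNS_MODE" != "chinadns-ng" ]` branch, whereas the removed heredoc wrote it unconditionally; in chinadns-ng mode dnsmasq therefore also keeps whatever upstreams its resolv file provides, and together with `all-servers` the quickest answer wins, so queries can be answered by those resolvers rather than by `server=127.0.0.1#$DNS_PORT`. If that is intended, a comment stating why chinadns-ng mode must keep the system resolvers would stop the next reader from "fixing" it; otherwise `no-resolv` belongs back in the heredoc. Also, `ln -s $RULE_PATH/gfwlist.conf $TMP_DNSMASQ_PATH/gfwlist.conf` lost the previous `! -f` guard and has no `-f`, so a link left by an earlier run makes it fail (harmlessly, but noisily) unless the directory is cleared on stop, which this diff does not show; `ln -sf` keeps the intent either way. `add_dnsmasq` continues outside the hunk.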
@@ -940,36 +938,34 @@ gen_pdnsd_config() { EOF } - [ "$DNS_MODE" != "chinadns-ng" ] && { - cat >> $pdnsd_dir/pdnsd.conf <<-EOF - server { - label = "opendns"; - ip = 208.67.222.222, 208.67.220.220; - edns_query = on; - port = 443; - timeout = 4; - interval = 60; - uptest = none; - purge_cache = off; - } - server { - label = "opendns"; - ip = 208.67.222.222, 208.67.220.220; - edns_query = on; - port = 5353; - timeout = 4; - interval = 60; - uptest = none; - purge_cache = off; - } - source { - ttl = 86400; - owner = "localhost."; - serve_aliases = on; - file = "/etc/hosts"; - } - EOF - } + cat >> $pdnsd_dir/pdnsd.conf <<-EOF + server { + label = "opendns"; + ip = 208.67.222.222, 208.67.220.220; + edns_query = on; + port = 443; + timeout = 4; + interval = 60; + uptest = none; + purge_cache = off; + } + server { + label = "opendns"; + ip = 208.67.222.222, 208.67.220.220; + edns_query = on; + port = 5353; + timeout = 4; + interval = 60; + uptest = none; + purge_cache = off; + } + source { + ttl = 86400; + owner = "localhost."; + serve_aliases = on; + file = "/etc/hosts"; + } + EOF } stop_dnsmasq() { @@ -1111,15 +1107,14 @@ start() { ! load_config && return 1 [ -f "$LOCK_FILE" ] && return 3 touch "$LOCK_FILE" - start_dns - add_dnsmasq start_haproxy start_redir SOCKS5 PROXY tcp start_redir TCP REDIR tcp start_redir UDP REDIR udp + start_dns source $APP_PATH/iptables.sh start + add_dnsmasq start_crontab - set_cru rm -f "$LOCK_FILE" echolog "运行完成!\n" return 0 diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default b/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default index a86a5ccca9..31805a86d7 100644 --- a/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default +++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/config.default 
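Review bot: `perm_cache = $2;` makes the second argument of `gen_pdnsd_config` mandatory, and a caller that omits it (the old signature treated it as an optional `cache` flag) now writes `perm_cache = ;`, which pdnsd will reject when parsing the config; `perm_cache = ${2:-0};` keeps a no-cache default for such callers. Both call sites on this page pass a value (`10240` and `0`), so this is a robustness point rather than a live failure. `gen_pdnsd_config` continues past this hunk into the next one.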
@@ -22,6 +22,8 @@ config global_delay config global_forwarding option process '1' + option tcp_no_redir_ports 'disable' + option udp_no_redir_ports 'disable' option tcp_redir_ports '1:65535' option udp_redir_ports '1:65535' option socks5_proxy_port '1081'
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
index 1cd50ba867..b81ba285e6 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -122,9 +122,13 @@ load_acl() {
 config_get proxy_mode $1 proxy_mode
 config_get tcp_node $1 tcp_node
 config_get udp_node $1 udp_node
+ config_get tcp_no_redir_ports $1 tcp_no_redir_ports
+ config_get udp_no_redir_ports $1 udp_no_redir_ports
 config_get tcp_redir_ports $1 tcp_redir_ports
 config_get udp_redir_ports $1 udp_redir_ports
 [ -z "$proxy_mode" -o "$proxy_mode" = "default" ] && proxy_mode=$PROXY_MODE
+ [ -z "$tcp_no_redir_ports" -o "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
+ [ -z "$udp_no_redir_ports" -o "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
 [ -z "$tcp_redir_ports" -o "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
 [ -z "$udp_redir_ports" -o "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
 [ -z "$tcp_node" -o "$TCP_NODE_NUM" == "1" ] && tcp_node=1
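Review bot: The per-ACL `tcp_no_redir_ports` and `udp_no_redir_ports` read here (and resolved from `default` to the globals) are never used: the rule hunk that follows in `load_acl` tests and inserts `$TCP_NO_REDIR_PORTS` / `$UDP_NO_REDIR_PORTS`, the global values, so the ACL-level setting added to acl.lua in this same commit has no effect. In that hunk the guard and the `--dport` argument should refer to `$tcp_no_redir_ports` and `$udp_no_redir_ports` respectively, mirroring how `$tcp_redir_ports` / `$udp_redir_ports` are already used there. `load_acl` begins outside the hunk.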
@@ -146,24 +150,16 @@ load_acl() { $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m comment --comment "$remarks" -j RETURN else [ "$TCP_NODE" != "nil" ] && { - #local TCP_NODE_TYPE=$(echo $(config_get $TCP_NODE type) | tr 'A-Z' 'a-z') - if [ "$tcp_redir_ports" != "disable" ]; then - eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node - $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port - $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node - else - $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m comment --comment "$remarks" -j RETURN - fi + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node + $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port + $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node } [ "$UDP_NODE" != "nil" ] && { - #local UDP_NODE_TYPE=$(echo $(config_get $UDP_NODE type) | tr 'A-Z' 'a-z') - if [ "$udp_redir_ports" != "disable" ]; then - eval udp_redir_port=\$UDP_REDIR_PORT$udp_node - $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j TPROXY --on-port $udp_redir_port --tproxy-mark 0x1/0x1 - $ipt_m -A PSW_ACL $(factor $ip "-s") 
$(factor $mac "-m mac --mac-source") -p udp $(factor $udp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$udp_node - else - $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m comment --comment "$remarks" -j RETURN - fi + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + eval udp_redir_port=\$UDP_REDIR_PORT$udp_node + $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j TPROXY --on-port $udp_redir_port --tproxy-mark 0x1/0x1 + $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(factor $udp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$udp_node } fi [ -z "$ip" ] && { @@ -180,15 +176,13 @@ load_acl() { } filter_vpsip() { - local address server_ip use_ipv6 network_type - address=$(config_get $1 address) + local server_ip use_ipv6 network_type use_ipv6=$(config_get $1 use_ipv6) network_type="ipv4" [ "$use_ipv6" == "1" ] && network_type="ipv6" - server_ip=$(get_host_ip $network_type $address) - - [ -n "$server_ip" -a "$server_ip" != "$TCP_NODE_IP" ] && { - [ "$network_type" == "ipv4" ] && ipset add $IPSET_VPSIPLIST $server_ip >/dev/null 2>&1 & + server_ip=$(get_node_host_ip $1) + [ -n "$server_ip" ] && { + [ "$network_type" == "ipv4" ] && ipset -! add $IPSET_VPSIPLIST $server_ip >/dev/null 2>&1 & } } 
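Review bot: The UDP bypass rule tests `$UDP_NO_REDIR_PORTS` but passes `$TCP_NO_REDIR_PORTS` to `--dport`, so UDP ports configured for exclusion are ignored and the TCP list is applied to UDP instead; the line should end `-p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN`. The two new RETURN rules are also the only rules in this block without `-m comment --comment "$remarks"`, which makes them hard to attribute to an ACL entry when listing the chain. With the `disable` branches gone here, and the matching `TCP_REDIR_PORTS != "disable"` guards dropped in the two later `add_firewall_rule` hunks of this file, a configuration that still stores the previously offered `disable` value now reaches `-m multiport --dport disable` (or `factor`, whose handling of it is not visible); a one-time mapping where app.sh reads the setting, e.g. `[ "$TCP_REDIR_PORTS" = "disable" ] && { TCP_NO_REDIR_PORTS="1:65535"; TCP_REDIR_PORTS="1:65535"; }` and the same for UDP, would preserve the old meaning for existing installs. `load_acl` begins and ends outside the hunk.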
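Review bot: `filter_vpsip` still computes `use_ipv6` / `network_type` itself although `get_node_host_ip` now repeats that lookup internally, so the only remaining purpose of the local copy is the `[ "$network_type" == "ipv4" ]` gate, under which an IPv6 node is resolved and then silently dropped; a comment such as `# IPv6 node addresses are resolved but not added: the set is created as a plain nethash in add_firewall_rule` would make that intent visible. The previous `"$server_ip" != "$TCP_NODE_IP"` exclusion is removed without explanation; if that was deliberate, a note in the commit description or a comment here would help the next reader.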
@@ -204,18 +198,17 @@ dns_hijack() { add_firewall_rule() { echolog "开始加载防火墙规则..." echolog "默认代理模式:$(get_action_chain_name $PROXY_MODE)" - ipset -! create $IPSET_LANIPLIST nethash && ipset flush $IPSET_LANIPLIST - ipset -! create $IPSET_VPSIPLIST nethash && ipset flush $IPSET_VPSIPLIST - ipset -! create $IPSET_ROUTER nethash && ipset flush $IPSET_ROUTER - #ipset -! create $IPSET_GFW nethash && ipset flush $IPSET_GFW + ipset -! create $IPSET_LANIPLIST nethash + ipset -! create $IPSET_VPSIPLIST nethash + ipset -! create $IPSET_ROUTER nethash ipset -! create $IPSET_GFW nethash - ipset -! create $IPSET_CHN nethash && ipset flush $IPSET_CHN + ipset -! create $IPSET_CHN nethash ipset -! create $IPSET_BLACKLIST nethash && ipset flush $IPSET_BLACKLIST ipset -! create $IPSET_WHITELIST nethash && ipset flush $IPSET_WHITELIST - sed -e "s/^/add $IPSET_CHN &/g" $RULE_PATH/chnroute | awk '{print $0} END{print "COMMIT"}' | ipset -R - sed -e "s/^/add $IPSET_BLACKLIST &/g" $RULE_PATH/blacklist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -R - sed -e "s/^/add $IPSET_WHITELIST &/g" $RULE_PATH/whitelist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -R + sed -e "s/^/add $IPSET_CHN &/g" $RULE_PATH/chnroute | awk '{print $0} END{print "COMMIT"}' | ipset -! -R + sed -e "s/^/add $IPSET_BLACKLIST &/g" $RULE_PATH/blacklist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -! -R + sed -e "s/^/add $IPSET_WHITELIST &/g" $RULE_PATH/whitelist_ip | awk '{print $0} END{print "COMMIT"}' | ipset -! -R ipset -! -R <<-EOF || return 1 $(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /") 
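Review bot: Dropping `ipset flush` for `$IPSET_LANIPLIST`, `$IPSET_VPSIPLIST`, `$IPSET_ROUTER` and `$IPSET_CHN` means entries from the previous run survive a restart whenever the sets still exist (the `-!` on `create` makes that case silent): a node address that was changed or removed stays in `$IPSET_VPSIPLIST`, so `PSW_OUTPUT ... $(dst $IPSET_VPSIPLIST) -j RETURN` keeps exempting that destination from redirection, and a replaced LAN range lingers in `$IPSET_LANIPLIST` the same way. Whether the stop path destroys these sets is not shown in this diff; if it does not, keeping `&& ipset flush ...` on the two dynamically filled sets (`LANIPLIST`, `VPSIPLIST`) preserves the intent, while the `ipset -! -R` bulk loads of `CHN` / `BLACKLIST` / `WHITELIST` are unaffected either way. `add_firewall_rule` continues outside the hunk.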
@@ -231,7 +224,7 @@ add_firewall_rule() { # 忽略特殊IP段 lan_ip=$(ifconfig br-lan | grep "inet addr" | awk '{print $2}' | awk -F : '{print $2}') #路由器lan IP lan_ipv4=$(ip address show br-lan | grep -w "inet" | awk '{print $2}') #当前LAN IPv4段 - [ -n "$lan_ipv4" ] && ipset add $IPSET_LANIPLIST $lan_ipv4 >/dev/null 2>&1 & + [ -n "$lan_ipv4" ] && ipset -! add $IPSET_LANIPLIST $lan_ipv4 >/dev/null 2>&1 & # 过滤所有节点IP config_foreach filter_vpsip "nodes" @@ -278,9 +271,8 @@ add_firewall_rule() { local k=$i eval node=\$SOCKS5_NODE$k if [ "$node" != "nil" ]; then - local address=$(config_get $node address) local SOCKS5_NODE_PORT=$(config_get $node port) - local SOCKS5_NODE_IP=$(get_host_ip "ipv4" $address) + local SOCKS5_NODE_IP=$(get_node_host_ip $node) [ -n "$SOCKS5_NODE_IP" -a -n "$SOCKS5_NODE_PORT" ] && $ipt_n -A PSW -p tcp -d $SOCKS5_NODE_IP -m multiport --dports $SOCKS5_NODE_PORT -j RETURN fi done @@ -294,9 +286,8 @@ add_firewall_rule() { eval local_port=\$TCP_REDIR_PORT$k # 生成TCP转发规则 if [ "$node" != "nil" ]; then - local address=$(config_get $node address) local TCP_NODE_PORT=$(config_get $node port) - local TCP_NODE_IP=$(get_host_ip "ipv4" $address) + local TCP_NODE_IP=$(get_node_host_ip $node) local TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z') [ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && $ipt_n -A PSW -p tcp -d $TCP_NODE_IP -m multiport --dports $TCP_NODE_PORT -j RETURN if [ "$TCP_NODE_TYPE" == "brook" ]; then 
@@ -319,17 +310,15 @@ add_firewall_rule() { # 游戏模式 $ipt_m -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN - # 用于本机流量转发,默认只走router - $ipt_m -A PSW -s $lan_ip -p tcp $(dst $IPSET_ROUTER) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port - if [ "$TCP_REDIR_PORTS" != "disable" ]; then - $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1 - fi + # 用于本机流量转发 + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1 + $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1 else # 全局模式 $ipt_n -A PSW_GLO$k -p tcp -j REDIRECT --to-ports $local_port # GFWLIST模式 - $ipt_n -A PSW_GFW$k -p tcp $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $local_port $ipt_n -A PSW_GFW$k -p tcp $(dst $IPSET_GFW) -j REDIRECT --to-ports $local_port # 大陆白名单模式 
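Review bot: The removed `$ipt_m -A PSW -s $lan_ip ...` rule was, within the lines visible on this page, the only consumer of `lan_ip`, yet the `lan_ip=$(ifconfig br-lan ...)` lookup in the previous hunk is kept; if no other use exists in the file, that line is now dead and should go, otherwise a short comment naming its remaining consumer would help. The new `$(dst $IPSET_GFW) -j MARK --set-mark 1` line for router-originated traffic in game mode is undocumented; the `# 用于本机流量转发` comment above could say that both the router list and the GFW list are marked here. `add_firewall_rule` continues outside the hunk.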
@@ -385,19 +374,13 @@ add_firewall_rule() {
 $ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
 $ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
- if [ "$TCP_REDIR_PORTS" != "disable" ]; then
- $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1
- $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1
-
- [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j REDIRECT --to-ports $TCP_REDIR_PORT1
- [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j REDIRECT --to-ports $TCP_REDIR_PORT1
- [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && {
- $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j REDIRECT --to-ports $TCP_REDIR_PORT1
- }
- else
- $ipt_n -A PSW_OUTPUT -p tcp $(dst $IPSET_ROUTER) -j RETURN
- $ipt_n -A PSW_OUTPUT -p tcp $(dst $IPSET_BLACKLIST) -j RETURN
- fi
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+
+ $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j REDIRECT --to-ports $TCP_REDIR_PORT1
 }
 # 重定所有流量到透明代理端口
 # $ipt_n -A PSW -p tcp -m ttl --ttl-eq $ttl -j REDIRECT --to $local_port
@@ -437,9 +420,8 @@ add_firewall_rule() {
 eval local_port=\$UDP_REDIR_PORT$k
 # 生成UDP转发规则
 if [ "$node" != "nil" ]; then
- local address=$(config_get $node address)
 local UDP_NODE_PORT=$(config_get $node port)
- local UDP_NODE_IP=$(get_host_ip "ipv4" $address)
+ local UDP_NODE_IP=$(get_node_host_ip $node)
 local UDP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
 [ -n "$UDP_NODE_IP" -a -n "$UDP_NODE_PORT" ] && $ipt_m -A PSW -p udp -d $UDP_NODE_IP -m multiport --dports $UDP_NODE_PORT -j RETURN
 [ "$UDP_NODE_TYPE" == "brook" ] && $ipt_m -A PSW_ACL -p udp -m socket -j MARK --set-mark 1
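Review bot: The added rules pass `$TCP_REDIR_PORTS` straight to `--dport` without the `!= "disable"` guard the removed block had, yet that guard shows `disable` was a legal value of the variable until now, so a configuration saved before this change may still carry it; iptables then rejects every one of these rules and, with nothing checking their exit status, the localhost redirection silently vanishes. Normalise the legacy value where the variables are resolved (outside this hunk), e.g. map a `disable` in `$TCP_REDIR_PORTS` onto `TCP_NO_REDIR_PORTS="1:65535"` plus a syntactically valid port list, or refuse it with an `echolog` message. The same applies to `$UDP_REDIR_PORTS` in hunks @@ -478 and @@ -524. add_firewall_rule continues outside the hunk.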
@@ -478,18 +460,13 @@ add_firewall_rule() {
 $ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_VPSIPLIST) -j RETURN
 $ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_WHITELIST) -j RETURN
- if [ "$UDP_REDIR_PORTS" != "disable" ]; then
- $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
- $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j MARK --set-mark 1
- [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -j MARK --set-mark 1
- [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
- [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && {
- $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j MARK --set-mark 1
- }
- else
- $ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_ROUTER) -j RETURN
- $ipt_m -A PSW_OUTPUT -p udp $(dst $IPSET_BLACKLIST) -j RETURN
- fi
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+
+ $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j MARK --set-mark 1
+ $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
+ [ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -j MARK --set-mark 1
+ [ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
+ [ "$LOCALHOST_PROXY_MODE" == "chnroute" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -m set ! --match-set $IPSET_CHN dst -j MARK --set-mark 1
 }
 echolog "IPv4 防火墙UDP转发规则加载完成!"
@@ -524,20 +501,14 @@ add_firewall_rule() {
 [ "$UDP_NODE1" != "nil" ] && $ipt_m -A PSW_ACL -p udp -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)
 else
 [ "$TCP_NODE1" != "nil" ] && {
- if [ "$UDP_REDIR_PORTS" != "disable" ]; then
- $ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j REDIRECT --to-ports $TCP_REDIR_PORT1
- $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
- else
- $ipt_n -A PSW_ACL -p tcp -m comment --comment "$remarks" -j RETURN
- fi
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
+ $ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j REDIRECT --to-ports $TCP_REDIR_PORT1
+ $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
 }
 [ "$UDP_NODE1" != "nil" ] && {
- if [ "$UDP_REDIR_PORTS" != "disable" ]; then
- $ipt_m -A PSW_ACL -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j TPROXY --on-port $UDP_REDIR_PORT1 --tproxy-mark 0x1/0x1
- $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
- else
- $ipt_m -A PSW_ACL -p udp -m comment --comment "$remarks" -j RETURN
- fi
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
+ $ipt_m -A PSW_ACL -p udp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j TPROXY --on-port $UDP_REDIR_PORT1 --tproxy-mark 0x1/0x1
+ $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
 }
 fi
 }
@@ -606,13 +577,23 @@ del_firewall_rule() {
 done
 fi
+ ipset -F $IPSET_LANIPLIST >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
 ipset -F $IPSET_ROUTER >/dev/null 2>&1 && ipset -X $IPSET_ROUTER >/dev/null 2>&1 &
 #ipset -F $IPSET_GFW >/dev/null 2>&1 && ipset -X $IPSET_GFW >/dev/null 2>&1 &
 #ipset -F $IPSET_CHN >/dev/null 2>&1 && ipset -X $IPSET_CHN >/dev/null 2>&1 &
 ipset -F $IPSET_BLACKLIST >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST >/dev/null 2>&1 &
 ipset -F $IPSET_WHITELIST >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST >/dev/null 2>&1 &
- ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
+}
+
+flush_ipset() {
 ipset -F $IPSET_LANIPLIST >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_ROUTER >/dev/null 2>&1 && ipset -X $IPSET_ROUTER >/dev/null 2>&1 &
+ ipset -F $IPSET_GFW >/dev/null 2>&1 && ipset -X $IPSET_GFW >/dev/null 2>&1 &
+ ipset -F $IPSET_CHN >/dev/null 2>&1 && ipset -X $IPSET_CHN >/dev/null 2>&1 &
+ ipset -F $IPSET_BLACKLIST >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST >/dev/null 2>&1 &
+ ipset -F $IPSET_WHITELIST >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST >/dev/null 2>&1 &
 }
 start() {
@@ -625,6 +606,9 @@ stop() {
 }
 case $1 in
+flush_ipset)
+ flush_ipset
+ ;;
 stop)
 stop
 ;;
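Review bot: `flush_ipset` destroys `$IPSET_GFW` and `$IPSET_CHN`, the sets `add_firewall_rule` matches on through `$(dst ...)`, and `ipset -X` refuses to destroy a set that an iptables rule still references; since every line discards stderr and the exit status and backgrounds itself with `&`, a `flush_ipset` invoked while the rules are loaded leaves those sets behind and the caller cannot tell. Make the function call `del_firewall_rule` first (or check that the PSW chains are gone), and drop the trailing `&` so it returns only once the sets have really been removed. The seven `ipset -F ... && ipset -X ...` lines in `del_firewall_rule` are now a subset of `flush_ipset`; a small helper taking the set names would remove the duplication. del_firewall_rule begins outside the hunk.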