passwall: sync with upstream source
This commit is contained in:
parent
04406ac505
commit
aa56a56191
@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall
|
||||
PKG_VERSION:=3.5
|
||||
PKG_RELEASE:=12
|
||||
PKG_DATA:=20200217
|
||||
PKG_RELEASE:=14
|
||||
PKG_DATA:=20200218
|
||||
|
||||
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
|
||||
|
||||
|
||||
@ -691,27 +691,29 @@ start_crontab() {
|
||||
weekupdatesubscribe=$(config_t_get global_subscribe week_update_subscribe)
|
||||
dayupdatesubscribe=$(config_t_get global_subscribe time_update_subscribe)
|
||||
if [ "$autoupdate" = "1" ]; then
|
||||
local t
|
||||
if [ "$weekupdate" = "7" ]; then
|
||||
echo "0 $dayupdate * * * $APP_PATH/rule_update.sh" >>/etc/crontabs/root
|
||||
echolog "设置自动更新规则在每天 $dayupdate 点。"
|
||||
t="0 $dayupdate * * *"
|
||||
else
|
||||
echo "0 $dayupdate * * $weekupdate $APP_PATH/rule_update.sh" >>/etc/crontabs/root
|
||||
echolog "设置自动更新规则在星期 $weekupdate 的 $dayupdate 点。"
|
||||
t="0 $dayupdate * * $weekupdate"
|
||||
fi
|
||||
echo "$t $APP_PATH/rule_update.sh" >>/etc/crontabs/root
|
||||
echolog "配置定时任务:自动更新规则。"
|
||||
else
|
||||
sed -i '/rule_update.sh/d' /etc/crontabs/root >/dev/null 2>&1 &
|
||||
fi
|
||||
|
||||
if [ "$autoupdatesubscribe" = "1" ]; then
|
||||
local t
|
||||
if [ "$weekupdatesubscribe" = "7" ]; then
|
||||
echo "0 $dayupdatesubscribe * * * lua $APP_PATH/subscribe.lua >> /var/log/passwall.log" >>/etc/crontabs/root
|
||||
echolog "设置节点订阅自动更新规则在每天 $dayupdatesubscribe 点。"
|
||||
t="0 $dayupdatesubscribe * * *"
|
||||
else
|
||||
echo "0 $dayupdatesubscribe * * $weekupdate lua $APP_PATH/subscribe.lua >> /var/log/passwall.log" >>/etc/crontabs/root
|
||||
echolog "设置节点订阅自动更新规则在星期 $weekupdate 的 $dayupdatesubscribe 点。"
|
||||
t="0 $dayupdatesubscribe * * $weekupdate"
|
||||
fi
|
||||
echo "$t lua $APP_PATH/subscribe.lua start log > /dev/null 2>&1 &" >>/etc/crontabs/root
|
||||
echolog "配置定时任务:自动更新节点订阅。"
|
||||
else
|
||||
sed -i '/subscription.sh/d' /etc/crontabs/root >/dev/null 2>&1 &
|
||||
sed -i '/subscribe.lua/d' /etc/crontabs/root >/dev/null 2>&1 &
|
||||
fi
|
||||
|
||||
/etc/init.d/cron restart
|
||||
@ -940,6 +942,9 @@ gen_pdnsd_config() {
|
||||
interval = 60;
|
||||
uptest = none;
|
||||
purge_cache = off;
|
||||
reject=::/0;
|
||||
reject_policy=negate;
|
||||
reject_recursively=on;
|
||||
}
|
||||
|
||||
EOF
|
||||
|
||||
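Review bot: In the start_crontab hunk, the non-daily subscription schedule `t="0 $dayupdatesubscribe * * $weekupdate"` uses the rule-update weekday instead of the subscription weekday read into `weekupdatesubscribe` a few lines above, so the test `[ "$weekupdatesubscribe" = "7" ]` and the cron line it produces disagree; it should read `t="0 $dayupdatesubscribe * * $weekupdatesubscribe"`. The cron entries are appended with `>>` while the `sed -i '/subscribe.lua/d'` cleanup runs only in the else branch, so unless an earlier part of start_crontab (outside the hunk) clears the old lines, every restart with auto-update enabled adds a duplicate entry — worth confirming. Because the hour and weekday values are interpolated unquoted into /etc/crontabs/root, a guard such as `case "$dayupdatesubscribe" in ''|*[!0-9]*) dayupdatesubscribe=0 ;; esac` before the echo would keep a malformed config value from producing a broken or unintended crontab line. start_crontab begins before the hunk.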
@ -150,10 +150,18 @@ load_acl() {
|
||||
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m comment --comment "$remarks" -j RETURN
|
||||
else
|
||||
[ "$TCP_NODE" != "nil" ] && {
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
|
||||
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port
|
||||
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
|
||||
eval TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
|
||||
if [ "$TCP_NODE_TYPE" == "brook" ]; then
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
|
||||
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j TPROXY --tproxy-mark 0x1/0x1 --on-port $tcp_redir_port
|
||||
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
|
||||
else
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
|
||||
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port
|
||||
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
|
||||
fi
|
||||
}
|
||||
[ "$UDP_NODE" != "nil" ] && {
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
@ -289,10 +297,6 @@ add_firewall_rule() {
|
||||
local TCP_NODE_PORT=$(config_get $node port)
|
||||
local TCP_NODE_IP=$(get_node_host_ip $node)
|
||||
local TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
|
||||
[ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && {
|
||||
$ipt_n -A PSW -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN
|
||||
}
|
||||
if [ "$TCP_NODE_TYPE" == "brook" ]; then
|
||||
$ipt_m -A PSW_ACL -p tcp -m socket -j MARK --set-mark 1
|
||||
|
||||
@ -312,11 +316,6 @@ add_firewall_rule() {
|
||||
|
||||
# 游戏模式
|
||||
$ipt_m -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
|
||||
|
||||
# 用于本机流量转发
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
|
||||
$ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
|
||||
else
|
||||
# 全局模式
|
||||
$ipt_n -A PSW_GLO$k -p tcp -j REDIRECT --to-ports $local_port
|
||||
@ -335,58 +334,78 @@ add_firewall_rule() {
|
||||
|
||||
# 游戏模式
|
||||
$ipt_n -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
|
||||
|
||||
[ "$k" == 1 ] && {
|
||||
[ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && {
|
||||
for dns in $DNS_FORWARD
|
||||
do
|
||||
local dns_ip=$(echo $dns | awk -F "#" '{print $1}')
|
||||
local dns_port=$(echo $dns | awk -F "#" '{print $2}')
|
||||
[ -z "$dns_port" ] && dns_port=53
|
||||
$ipt_n -I PSW 2 -p tcp -d $dns_ip --dport $dns_port -j REDIRECT --to-ports $local_port
|
||||
done
|
||||
}
|
||||
|
||||
PRE_INDEX=1
|
||||
KP_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "KOOLPROXY" | sed -n '$p' | awk '{print $1}')
|
||||
ADBYBY_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "ADBYBY" | sed -n '$p' | awk '{print $1}')
|
||||
if [ -n "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then
|
||||
PRE_INDEX=$(expr $KP_INDEX + 1)
|
||||
elif [ -z "$KP_INDEX" -a -n "$ADBYBY_INDEX" ]; then
|
||||
PRE_INDEX=$(expr $ADBYBY_INDEX + 1)
|
||||
elif [ -z "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then
|
||||
PR_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "prerouting_rule" | sed -n '$p' | awk '{print $1}')
|
||||
[ -n "$PR_INDEX" ] && {
|
||||
PRE_INDEX=$(expr $PR_INDEX + 1)
|
||||
}
|
||||
fi
|
||||
$ipt_n -I PREROUTING $PRE_INDEX -j PSW
|
||||
|
||||
# 用于本机流量转发
|
||||
$ipt_n -A OUTPUT -j PSW_OUTPUT
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
[ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && {
|
||||
for dns in $DNS_FORWARD
|
||||
do
|
||||
local dns_ip=$(echo $dns | awk -F "#" '{print $1}')
|
||||
local dns_port=$(echo $dns | awk -F "#" '{print $2}')
|
||||
[ -z "$dns_port" ] && dns_port=53
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -d $dns_ip --dport $dns_port -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
done
|
||||
}
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j $(get_action_chain $LOCALHOST_PROXY_MODE)1
|
||||
}
|
||||
# 重定所有流量到透明代理端口
|
||||
# $ipt_n -A PSW -p tcp -m ttl --ttl-eq $ttl -j REDIRECT --to $local_port
|
||||
echolog "IPv4 防火墙TCP转发规则加载完成!"
|
||||
fi
|
||||
|
||||
[ "$k" == 1 ] && {
|
||||
if [ "$TCP_NODE_TYPE" == "brook" ]; then
|
||||
[ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && {
|
||||
$ipt_m -A PSW -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN
|
||||
}
|
||||
|
||||
$ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
[ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && {
|
||||
for dns in $DNS_FORWARD
|
||||
do
|
||||
local dns_ip=$(echo $dns | awk -F "#" '{print $1}')
|
||||
local dns_port=$(echo $dns | awk -F "#" '{print $2}')
|
||||
[ -z "$dns_port" ] && dns_port=53
|
||||
$ipt_m -I PSW 2 -p tcp -d $dns_ip --dport $dns_port -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
|
||||
done
|
||||
}
|
||||
$ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_WHITELIST) -j RETURN
|
||||
# 用于本机流量转发
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
|
||||
$ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
|
||||
fi
|
||||
|
||||
[ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && {
|
||||
$ipt_n -A PSW -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN
|
||||
}
|
||||
PRE_INDEX=1
|
||||
KP_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "KOOLPROXY" | sed -n '$p' | awk '{print $1}')
|
||||
ADBYBY_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "ADBYBY" | sed -n '$p' | awk '{print $1}')
|
||||
if [ -n "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then
|
||||
PRE_INDEX=$(expr $KP_INDEX + 1)
|
||||
elif [ -z "$KP_INDEX" -a -n "$ADBYBY_INDEX" ]; then
|
||||
PRE_INDEX=$(expr $ADBYBY_INDEX + 1)
|
||||
elif [ -z "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then
|
||||
PR_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "prerouting_rule" | sed -n '$p' | awk '{print $1}')
|
||||
[ -n "$PR_INDEX" ] && {
|
||||
PRE_INDEX=$(expr $PR_INDEX + 1)
|
||||
}
|
||||
fi
|
||||
$ipt_n -I PREROUTING $PRE_INDEX -j PSW
|
||||
|
||||
# 用于本机流量转发
|
||||
$ipt_n -A OUTPUT -j PSW_OUTPUT
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
[ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && {
|
||||
for dns in $DNS_FORWARD
|
||||
do
|
||||
local dns_ip=$(echo $dns | awk -F "#" '{print $1}')
|
||||
local dns_port=$(echo $dns | awk -F "#" '{print $2}')
|
||||
[ -z "$dns_port" ] && dns_port=53
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -d $dns_ip --dport $dns_port -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
done
|
||||
}
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
$ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j $(get_action_chain $LOCALHOST_PROXY_MODE)1
|
||||
}
|
||||
|
||||
# 重定所有流量到透明代理端口
|
||||
# $ipt_n -A PSW -p tcp -m ttl --ttl-eq $ttl -j REDIRECT --to $local_port
|
||||
echolog "IPv4 防火墙TCP转发规则加载完成!"
|
||||
|
||||
if [ "$PROXY_IPV6" == "1" ]; then
|
||||
lan_ipv6=$(ip address show br-lan | grep -w "inet6" | awk '{print $2}') #当前LAN IPv6段
|
||||
$ip6t_n -N PSW
|
||||
@ -505,6 +524,12 @@ add_firewall_rule() {
|
||||
[ "$UDP_NODE1" != "nil" ] && $ipt_m -A PSW_ACL -p udp -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)
|
||||
else
|
||||
[ "$TCP_NODE1" != "nil" ] && {
|
||||
local TCP_NODE_TYPE1=$(echo $(config_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
|
||||
if [ "$TCP_NODE_TYPE1" == "brook" ]; then
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
|
||||
$ipt_m -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
|
||||
$ipt_m -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
|
||||
fi
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
|
||||
$ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j REDIRECT --to-ports $TCP_REDIR_PORT1
|
||||
$ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
|
||||
|
||||
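Review bot: In the add_firewall_rule hunk at `@ -505,6 +524,12 @@`, the new branch `if [ "$TCP_NODE_TYPE1" == "brook" ]; then … fi` has no else, so after the three mangle TPROXY rules the unchanged nat rules below it (`$ipt_n -A PSW_ACL … -j REDIRECT --to-ports $TCP_REDIR_PORT1` and the following `-j $(get_action_chain $PROXY_MODE)1`) are still appended for a brook node, whereas the load_acl hunk earlier in this file makes the two rule sets mutually exclusive with an if/else; this block should probably do the same by turning that `fi` into `else` and closing with `fi` after the last nat rule. The TPROXY rule there uses `--on-port $local_port`, which elsewhere in this file is the per-iteration port of the `$k` loop, while the sibling nat rule uses `$TCP_REDIR_PORT1`; if this block sits outside that loop, `$local_port` holds whatever the last iteration left and `--on-port $TCP_REDIR_PORT1` is the consistent choice — please confirm. As a smaller point in the load_acl hunk, `eval TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')` needs no eval and would execute the config value as shell if it ever contained metacharacters; `TCP_NODE_TYPE=$(config_get $node type | tr 'A-Z' 'a-z')` yields the same lowercase string, and since node fields can now be populated from subscription content, the unquoted expansions of node port and address into iptables arguments deserve a numeric/address check. add_firewall_rule and load_acl both start and end outside their hunks.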
@ -222,6 +222,45 @@ local function processData(szType, content, add_mode)
|
||||
end
|
||||
result.ss_encrypt_method = method
|
||||
result.password = password
|
||||
elseif szType == "trojan" then
|
||||
local alias = ""
|
||||
if content:find("#") then
|
||||
local idx_sp = content:find("#")
|
||||
alias = content:sub(idx_sp + 1, -1)
|
||||
content = content:sub(0, idx_sp - 1)
|
||||
end
|
||||
local Info = split(content, "@")
|
||||
if Info then
|
||||
local address, port, peer
|
||||
local password = Info[1]
|
||||
local allowInsecure = 1
|
||||
local params = {}
|
||||
local hostInfo = split(Info[2], ":")
|
||||
if hostInfo then
|
||||
address = hostInfo[1]
|
||||
hostInfo = split(hostInfo[2], "?")
|
||||
if hostInfo then
|
||||
port = hostInfo[1]
|
||||
for _, v in pairs(split(hostInfo[2], '&')) do
|
||||
local t = split(v, '=')
|
||||
params[t[1]] = t[2]
|
||||
end
|
||||
if params.allowInsecure then
|
||||
allowInsecure = params.allowInsecure
|
||||
end
|
||||
if params.peer then
|
||||
peer = params.peer
|
||||
end
|
||||
end
|
||||
end
|
||||
result.type = "Trojan"
|
||||
result.address = address
|
||||
result.port = port
|
||||
result.password = password
|
||||
result.tls_allowInsecure = allowInsecure
|
||||
result.tls_serverName = peer
|
||||
result.remarks = UrlDecode(alias)
|
||||
end
|
||||
elseif szType == "ssd" then
|
||||
result.type = "SS"
|
||||
result.address = content.server
|
||||
@ -395,7 +434,7 @@ local function parse_link(raw, remark, md5_str, manual)
|
||||
local node = trim(v)
|
||||
local dat = split(node, "://")
|
||||
if dat and dat[1] and dat[2] then
|
||||
if dat[1] == 'ss' then
|
||||
if dat[1] == 'ss' or dat[1] == 'trojan' then
|
||||
result = processData(dat[1], dat[2], add_mode)
|
||||
else
|
||||
result = processData(dat[1], base64Decode(dat[2]), add_mode)
|
||||
|
||||
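Review bot: In the new trojan branch of processData, the query loop `for _, v in pairs(split(hostInfo[2], '&')) do … params[t[1]] = t[2]` raises a Lua error for a link whose host part has no `?` (hostInfo[2] is nil) or whose query has an empty segment such as a trailing `&` (t[1] is nil and indexing a table with nil raises), and since subscription content typically comes from a remote URL a single malformed entry would abort the whole update; wrapping the loop in `if hostInfo[2] then` and using `if t[1] and t[1] ~= "" then params[t[1]] = t[2] end` inside it avoids that (assuming split returns a table, which the surrounding code already relies on). The default `local allowInsecure = 1` means every trojan link that omits `allowInsecure` ends up with `tls_allowInsecure = 1`; if that field disables certificate verification, as its name suggests, `local allowInsecure = 0` is the safer default so the parameter can only turn it on explicitly. `peer` is stored into `result.tls_serverName` without `UrlDecode`, unlike `alias`, and `port` is stored without a numeric check; `port = tonumber(hostInfo[1])` would reject garbage early. processData starts and ends outside the hunk.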