From aa56a56191bb044b59278bf4b34acbc4cb6b44fb Mon Sep 17 00:00:00 2001 From: CN_SZTL Date: Tue, 18 Feb 2020 16:49:28 +0800 Subject: [PATCH] passwall: sync with upstream source --- package/lienol/luci-app-passwall/Makefile | 4 +- .../root/usr/share/passwall/app.sh | 23 +-- .../root/usr/share/passwall/iptables.sh | 153 ++++++++++-------- .../root/usr/share/passwall/subscribe.lua | 41 ++++- 4 files changed, 145 insertions(+), 76 deletions(-) diff --git a/package/lienol/luci-app-passwall/Makefile b/package/lienol/luci-app-passwall/Makefile index 5104be1b1a..102a03a05c 100644 --- a/package/lienol/luci-app-passwall/Makefile +++ b/package/lienol/luci-app-passwall/Makefile @@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall PKG_VERSION:=3.5 -PKG_RELEASE:=12 -PKG_DATA:=20200217 +PKG_RELEASE:=14 +PKG_DATA:=20200218 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh index 2e7e99c7be..79dadf0e1d 100755 --- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh 
@@ -691,27 +691,29 @@ start_crontab() { weekupdatesubscribe=$(config_t_get global_subscribe week_update_subscribe) dayupdatesubscribe=$(config_t_get global_subscribe time_update_subscribe) if [ "$autoupdate" = "1" ]; then + local t if [ "$weekupdate" = "7" ]; then - echo "0 $dayupdate * * * $APP_PATH/rule_update.sh" >>/etc/crontabs/root - echolog "设置自动更新规则在每天 $dayupdate 点。" + t="0 $dayupdate * * *" else - echo "0 $dayupdate * * $weekupdate $APP_PATH/rule_update.sh" >>/etc/crontabs/root - echolog "设置自动更新规则在星期 $weekupdate 的 $dayupdate 点。" + t="0 $dayupdate * * $weekupdate" fi + echo "$t $APP_PATH/rule_update.sh" >>/etc/crontabs/root + echolog "配置定时任务:自动更新规则。" else sed -i '/rule_update.sh/d' /etc/crontabs/root >/dev/null 2>&1 & fi if [ "$autoupdatesubscribe" = "1" ]; then + local t if [ "$weekupdatesubscribe" = "7" ]; then - echo "0 $dayupdatesubscribe * * * lua $APP_PATH/subscribe.lua >> /var/log/passwall.log" >>/etc/crontabs/root - echolog "设置节点订阅自动更新规则在每天 $dayupdatesubscribe 点。" + t="0 $dayupdatesubscribe * * *" else - echo "0 $dayupdatesubscribe * * $weekupdate lua $APP_PATH/subscribe.lua >> /var/log/passwall.log" >>/etc/crontabs/root - echolog "设置节点订阅自动更新规则在星期 $weekupdate 的 $dayupdatesubscribe 点。" + t="0 $dayupdatesubscribe * * $weekupdate" fi + echo "$t lua $APP_PATH/subscribe.lua start log > /dev/null 2>&1 &" >>/etc/crontabs/root + echolog "配置定时任务:自动更新节点订阅。" else - sed -i '/subscription.sh/d' /etc/crontabs/root >/dev/null 2>&1 & + sed -i '/subscribe.lua/d' /etc/crontabs/root >/dev/null 2>&1 & fi /etc/init.d/cron restart @@ -940,6 +942,9 @@ gen_pdnsd_config() { interval = 60; uptest = none; purge_cache = off; + reject=::/0; + reject_policy=negate; + reject_recursively=on; } EOF diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh index f7afc1e2ca..58e3ac098a 100755 --- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh 
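Review bot: The subscription cron expression is still built from the wrong weekday variable: the branch tests `"$weekupdatesubscribe" = "7"` but the else arm writes `t="0 $dayupdatesubscribe * * $weekupdate"`, so the weekday configured for subscription updates is never honored and the rule-update weekday is used instead (this was already wrong in the removed lines and the rewrite keeps it). Change that line to `t="0 $dayupdatesubscribe * * $weekupdatesubscribe"`. Because `$dayupdate`/`$dayupdatesubscribe` and the weekday values are interpolated unquoted into root's crontab, rejecting anything that is not all digits before the `echo` would keep a malformed setting from producing an unparseable or unintended cron entry. The trailing `&` in the subscribe job line is redundant, since cron already runs each job detached, and can be dropped. start_crontab begins and ends outside the hunk.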
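Review bot: The three new `reject=::/0; reject_policy=negate; reject_recursively=on;` lines carry no comment, and as I read pdnsd's server options they turn every answer containing an IPv6 address into a negative reply, i.e. AAAA resolution through this pdnsd instance is disabled for all clients behind the router, not only proxied ones. Since that interacts with the PROXY_IPV6 path elsewhere in the package, a comment stating the intent would help, e.g. `# drop IPv6 (AAAA) answers so clients cannot bypass the proxy over v6 -- confirm this is wanted when PROXY_IPV6=1`. The new lines are also written `key=value;` while the surrounding block uses `key = value;`; match the existing spacing. gen_pdnsd_config starts before the hunk.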
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh 
@@ -150,10 +150,18 @@ load_acl() {
 $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m comment --comment "$remarks" -j RETURN
 else
 [ "$TCP_NODE" != "nil" ] && {
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
- eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
- $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports $tcp_redir_port
- $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
+ eval TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
+ if [ "$TCP_NODE_TYPE" == "brook" ]; then
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
+ $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j TPROXY --tproxy-mark 0x1/0x1 --on-port $tcp_redir_port
+ $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
+ else
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
+ $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "$remarks" -j REDIRECT --to-ports 
$tcp_redir_port + $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") -m comment --comment "$remarks" -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node + fi } [ "$UDP_NODE" != "nil" ] && { [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN @@ -289,10 +297,6 @@ add_firewall_rule() { local TCP_NODE_PORT=$(config_get $node port) local TCP_NODE_IP=$(get_node_host_ip $node) local TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z') - [ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && { - $ipt_n -A PSW -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN - $ipt_n -A PSW_OUTPUT -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN - } if [ "$TCP_NODE_TYPE" == "brook" ]; then $ipt_m -A PSW_ACL -p tcp -m socket -j MARK --set-mark 1 @@ -312,11 +316,6 @@ add_firewall_rule() { # 游戏模式 $ipt_m -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN - - # 用于本机流量转发 - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1 - $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1 else # 全局模式 $ipt_n -A PSW_GLO$k -p tcp -j REDIRECT --to-ports $local_port 
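Review bot: `eval TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')` on the first added line of the load_acl hunk passes the node's `type` field from the configuration through a second round of shell evaluation, which is not needed (the same lookup in add_firewall_rule, visible as context in the -289 hunk, is a plain `local TCP_NODE_TYPE=...`) and means any shell metacharacters in that field are executed rather than compared. Drop the `eval` and make it local so the caller's variable is not clobbered: `local TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')`. The lookup keys on `$node` while the port lookup two lines below keys on `$tcp_node`; if those are distinct variables inside load_acl the type check may read a different node than the one being configured, worth confirming. load_acl's body continues outside the hunk on both sides.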
@@ -335,58 +334,78 @@ add_firewall_rule() { # 游戏模式 $ipt_n -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN - - [ "$k" == 1 ] && { - [ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && { - for dns in $DNS_FORWARD - do - local dns_ip=$(echo $dns | awk -F "#" '{print $1}') - local dns_port=$(echo $dns | awk -F "#" '{print $2}') - [ -z "$dns_port" ] && dns_port=53 - $ipt_n -I PSW 2 -p tcp -d $dns_ip --dport $dns_port -j REDIRECT --to-ports $local_port - done - } - - PRE_INDEX=1 - KP_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "KOOLPROXY" | sed -n '$p' | awk '{print $1}') - ADBYBY_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "ADBYBY" | sed -n '$p' | awk '{print $1}') - if [ -n "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then - PRE_INDEX=$(expr $KP_INDEX + 1) - elif [ -z "$KP_INDEX" -a -n "$ADBYBY_INDEX" ]; then - PRE_INDEX=$(expr $ADBYBY_INDEX + 1) - elif [ -z "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then - PR_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "prerouting_rule" | sed -n '$p' | awk '{print $1}') - [ -n "$PR_INDEX" ] && { - PRE_INDEX=$(expr $PR_INDEX + 1) - } - fi - $ipt_n -I PREROUTING $PRE_INDEX -j PSW - - # 用于本机流量转发 - $ipt_n -A OUTPUT -j PSW_OUTPUT - $ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN - [ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && { - for dns in $DNS_FORWARD - do - local dns_ip=$(echo $dns | awk -F "#" '{print $1}') - local dns_port=$(echo $dns | awk -F "#" '{print $2}') - [ -z "$dns_port" ] && dns_port=53 - $ipt_n -A PSW_OUTPUT -p tcp -d $dns_ip --dport $dns_port -j REDIRECT --to-ports $TCP_REDIR_PORT1 - done - } - $ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN - $ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN - - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - - $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1 - $ipt_n -A PSW_OUTPUT -p 
tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1 - $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j $(get_action_chain $LOCALHOST_PROXY_MODE)1 - } - # 重定所有流量到透明代理端口 - # $ipt_n -A PSW -p tcp -m ttl --ttl-eq $ttl -j REDIRECT --to $local_port - echolog "IPv4 防火墙TCP转发规则加载完成!" fi + + [ "$k" == 1 ] && { + if [ "$TCP_NODE_TYPE" == "brook" ]; then + [ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && { + $ipt_m -A PSW -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN + $ipt_m -A PSW_OUTPUT -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN + } + + $ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_LANIPLIST) -j RETURN + [ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && { + for dns in $DNS_FORWARD + do + local dns_ip=$(echo $dns | awk -F "#" '{print $1}') + local dns_port=$(echo $dns | awk -F "#" '{print $2}') + [ -z "$dns_port" ] && dns_port=53 + $ipt_m -I PSW 2 -p tcp -d $dns_ip --dport $dns_port -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port + done + } + $ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_VPSIPLIST) -j RETURN + $ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_WHITELIST) -j RETURN + # 用于本机流量转发 + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1 + $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1 + fi + + [ -n "$TCP_NODE_IP" -a -n "$TCP_NODE_PORT" ] && { + $ipt_n -A PSW -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN + $ipt_n -A PSW_OUTPUT -p tcp -d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN + } + PRE_INDEX=1 + KP_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "KOOLPROXY" | sed -n '$p' | awk '{print $1}') + ADBYBY_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "ADBYBY" | sed -n '$p' | awk '{print $1}') + if [ -n "$KP_INDEX" -a -z 
"$ADBYBY_INDEX" ]; then + PRE_INDEX=$(expr $KP_INDEX + 1) + elif [ -z "$KP_INDEX" -a -n "$ADBYBY_INDEX" ]; then + PRE_INDEX=$(expr $ADBYBY_INDEX + 1) + elif [ -z "$KP_INDEX" -a -z "$ADBYBY_INDEX" ]; then + PR_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "prerouting_rule" | sed -n '$p' | awk '{print $1}') + [ -n "$PR_INDEX" ] && { + PRE_INDEX=$(expr $PR_INDEX + 1) + } + fi + $ipt_n -I PREROUTING $PRE_INDEX -j PSW + + # 用于本机流量转发 + $ipt_n -A OUTPUT -j PSW_OUTPUT + $ipt_n -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN + [ "$use_tcp_node_resolve_dns" == 1 -a -n "$DNS_FORWARD" ] && { + for dns in $DNS_FORWARD + do + local dns_ip=$(echo $dns | awk -F "#" '{print $1}') + local dns_port=$(echo $dns | awk -F "#" '{print $2}') + [ -z "$dns_port" ] && dns_port=53 + $ipt_n -A PSW_OUTPUT -p tcp -d $dns_ip --dport $dns_port -j REDIRECT --to-ports $TCP_REDIR_PORT1 + done + } + $ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN + $ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN + + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + + $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $TCP_REDIR_PORT1 + $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) -j REDIRECT --to-ports $TCP_REDIR_PORT1 + $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS -j $(get_action_chain $LOCALHOST_PROXY_MODE)1 + } + + # 重定所有流量到透明代理端口 + # $ipt_n -A PSW -p tcp -m ttl --ttl-eq $ttl -j REDIRECT --to $local_port + echolog "IPv4 防火墙TCP转发规则加载完成!" + if [ "$PROXY_IPV6" == "1" ]; then lan_ipv6=$(ip address show br-lan | grep -w "inet6" | awk '{print $2}') #当前LAN IPv6段 $ip6t_n -N PSW 
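Review bot: The `-d $TCP_NODE_IP --dport $TCP_NODE_PORT -j RETURN` exemptions (both the `$ipt_m` and the `$ipt_n` pair) now sit inside `[ "$k" == 1 ] && {`, whereas the lines removed in the -289 hunk added them at per-node scope, so for nodes with k greater than 1 the proxy client's own connection to its server is spared only by the `$(dst $IPSET_VPSIPLIST) -j RETURN` rules. If that ipset is not guaranteed to hold every configured node's address before these chains are traversed, traffic to those servers can be redirected back into the local proxy; either keep the exemption per node or document in a comment that IPSET_VPSIPLIST is what prevents the loop. Separately, for a brook node the mangle `MARK --set-mark 1` rules and the unconditional nat `REDIRECT --to-ports $TCP_REDIR_PORT1` rules are both installed for the same localhost traffic, which looks unintended; confirm whether the nat block should be skipped when `TCP_NODE_TYPE` is brook, as load_acl does with its if/else. add_firewall_rule starts and ends outside the hunk.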
@@ -505,6 +524,12 @@ add_firewall_rule() {
 [ "$UDP_NODE1" != "nil" ] && $ipt_m -A PSW_ACL -p udp -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)
 else
 [ "$TCP_NODE1" != "nil" ] && {
+ local TCP_NODE_TYPE1=$(echo $(config_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
+ if [ "$TCP_NODE_TYPE1" == "brook" ]; then
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
+ $ipt_m -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
+ $ipt_m -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
+ fi
 [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -m comment --comment "Default" -j RETURN
 $ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) -m comment --comment "Default" -j REDIRECT --to-ports $TCP_REDIR_PORT1
 $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_REDIR_PORTS -m comment --comment "Default" -j $(get_action_chain $PROXY_MODE)1
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/subscribe.lua b/package/lienol/luci-app-passwall/root/usr/share/passwall/subscribe.lua
index b4ed91523c..3fb6d729fc 100644
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/subscribe.lua
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/subscribe.lua
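Review bot: In the brook branch the new `$ipt_m -A PSW_ACL ... TPROXY` default rules are added and then, because the `if` has no `else`, the three pre-existing `$ipt_n -A PSW_ACL ... REDIRECT --to-ports $TCP_REDIR_PORT1` rules are appended as well, so a brook default node gets both mangle TPROXY and nat REDIRECT rules for the same traffic; the equivalent code in load_acl (the -150 hunk) uses if/else to install exactly one set. Wrap the nat rules in an `else ... fi` arm of the same `if` to match. The brook rule also targets `--on-port $local_port` while the nat rules use `$TCP_REDIR_PORT1`; if those can differ at this point the brook default would tproxy to the wrong port, worth confirming. add_firewall_rule's body continues outside the hunk.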
@@ -222,6 +222,45 @@ local function processData(szType, content, add_mode)
 end
 result.ss_encrypt_method = method
 result.password = password
+ elseif szType == "trojan" then
+ local alias = ""
+ if content:find("#") then
+ local idx_sp = content:find("#")
+ alias = content:sub(idx_sp + 1, -1)
+ content = content:sub(0, idx_sp - 1)
+ end
+ local Info = split(content, "@")
+ if Info then
+ local address, port, peer
+ local password = Info[1]
+ local allowInsecure = 1
+ local params = {}
+ local hostInfo = split(Info[2], ":")
+ if hostInfo then
+ address = hostInfo[1]
+ hostInfo = split(hostInfo[2], "?")
+ if hostInfo then
+ port = hostInfo[1]
+ for _, v in pairs(split(hostInfo[2], '&')) do
+ local t = split(v, '=')
+ params[t[1]] = t[2]
+ end
+ if params.allowInsecure then
+ allowInsecure = params.allowInsecure
+ end
+ if params.peer then
+ peer = params.peer
+ end
+ end
+ end
+ result.type = "Trojan"
+ result.address = address
+ result.port = port
+ result.password = password
+ result.tls_allowInsecure = allowInsecure
+ result.tls_serverName = peer
+ result.remarks = UrlDecode(alias)
+ end
 elseif szType == "ssd" then
 result.type = "SS"
 result.address = content.server
@@ -395,7 +434,7 @@ local function parse_link(raw, remark, md5_str, manual)
 local node = trim(v)
 local dat = split(node, "://")
 if dat and dat[1] and dat[2] then
- if dat[1] == 'ss' then
+ if dat[1] == 'ss' or dat[1] == 'trojan' then
 result = processData(dat[1], dat[2], add_mode)
 else
 result = processData(dat[1], base64Decode(dat[2]), add_mode)
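Review bot: `local allowInsecure = 1` makes TLS certificate verification opt-out for every trojan link imported from a subscription feed: a link that omits `allowInsecure` ends up with `tls_allowInsecure = 1`, and one that includes it has the raw query-string text stored (so `allowInsecure=0` or `allowInsecure=false` is kept as a string rather than a 0/1 flag). If the field name means what it suggests, default to verifying and normalize the parameter: `local allowInsecure = 0` followed by `if params.allowInsecure == "1" or params.allowInsecure == "true" then allowInsecure = 1 end`. The parser also assumes a well-formed link: `split(Info[2], ":")` and `split(hostInfo[2], '&')` are reached with `nil` when the link has no `@` or no `?`, and `port` is stored without a `tonumber` check, so a guard that skips the node when `Info[2]` is missing or `tonumber(port)` is nil would keep one malformed feed entry from aborting the whole import (how split handles nil is not visible here). `content:sub(0, idx_sp - 1)` should start at 1, since Lua string indices are 1-based. processData begins and ends outside the hunk.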