From ccf007d41f5e5dc59fdb69a9e80ff88b58f0efd8 Mon Sep 17 00:00:00 2001
From: CN_SZTL
Date: Mon, 3 Aug 2020 00:53:12 +0800
Subject: [PATCH] luci-app-passwall: sync with upstream source

---
 package/lienol/luci-app-passwall/Makefile | 12 +-
 .../model/cbi/passwall/api/gen_v2ray.lua | 3 +-
 .../model/cbi/passwall/server/api/v2ray.lua | 20 ++--
 .../root/usr/share/passwall/iptables.sh | 110 +++++++++++-------
 4 files changed, 87 insertions(+), 58 deletions(-)

diff --git a/package/lienol/luci-app-passwall/Makefile b/package/lienol/luci-app-passwall/Makefile
index daa176f1dd..ca040073f8 100644
--- a/package/lienol/luci-app-passwall/Makefile
+++ b/package/lienol/luci-app-passwall/Makefile
@@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=luci-app-passwall
 PKG_VERSION:=3.9
-PKG_RELEASE:=28
-PKG_DATE:=20200801
+PKG_RELEASE:=29
+PKG_DATE:=20200802
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@@ -37,9 +37,9 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray
 bool "Include V2ray"
 default y
-config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan
- bool "Include Trojan"
- default n
+config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus
+ bool "Include Trojan_Plus"
+ default y
 config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_GO
 bool "Include Trojan_GO"
@@ -94,7 +94,7 @@ define Package/$(PKG_NAME)
 +PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR:shadowsocksr-libev-ssr-local \
 +PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Server:shadowsocksr-libev-server \
 +PACKAGE_$(PKG_NAME)_INCLUDE_V2ray:v2ray \
- +PACKAGE_$(PKG_NAME)_INCLUDE_Trojan:trojan-plus \
+ +PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus:trojan-plus \
 +PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_GO:trojan-go \
 +PACKAGE_$(PKG_NAME)_INCLUDE_Brook:brook \
 +PACKAGE_$(PKG_NAME)_INCLUDE_kcptun:kcptun-client \
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua
index 4af3ee8621..90c2f8d3a4 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua
@@ -39,6 +39,7 @@ local function gen_outbound(node, tag)
 node.transport = "tcp"
 node.address = "127.0.0.1"
 end
+ node.stream_security = "none"
 end
 result = {
 tag = tag,
@@ -248,7 +249,7 @@ table.insert(outbounds, {protocol = "freedom", tag = "direct", settings = {keep
 local v2ray = {
 log = {
- -- error = "/var/log/v2ray.log",
+ -- error = string.format("/var/etc/passwall/%s.log", node[".name"]),
 loglevel = "warning"
 },
 -- 传入连接
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua
index 1b9dbc77be..73bad155a7 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua
@@ -5,7 +5,7 @@ function gen_config(user)
 local settings = nil
 local routing = nil
 local outbounds = {
- {protocol = "freedom"}, {protocol = "blackhole", tag = "blocked"}
+ {protocol = "freedom", tag = "direct"}, {protocol = "blackhole", tag = "blocked"}
 }
 if user.protocol == "vmess" then
@@ -59,18 +59,16 @@ function gen_config(user)
 }
 end
- if user.accept_lan == nil or user.accept_lan == "0" then
- routing = {
- domainStrategy = "IPOnDemand",
- rules = {
- {
- type = "field",
- ip = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"},
- outboundTag = "blocked"
- }
+ routing = {
+ domainStrategy = "IPOnDemand",
+ rules = {
+ {
+ type = "field",
+ ip = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"},
+ outboundTag = (user.accept_lan == nil or user.accept_lan == "0") and "blocked" or "direct"
 }
 }
- end
+ }
 if user.transit_node and user.transit_node ~= "nil" then
 local node = ucic:get_all("passwall", user.transit_node)
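Review bot: The new `node.stream_security = "none"` carries no explanation of why TLS is switched off, and the branch it sits in (the one that rewrites `node.transport`/`node.address` to 127.0.0.1) is the only place this is safe — an edit that later moves the assignment outside that `if` would silently strip TLS from a real remote outbound. Add a why-comment above it, e.g. `-- loopback hop to 127.0.0.1: presumably the local helper process terminates TLS itself, so this outbound must stay plaintext`. The assignment also mutates the `node` table that was passed in rather than a copy, so any later reader of `node.stream_security` in the same call sees "none"; worth confirming no caller reuses that table. gen_outbound starts before and continues past this hunk.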
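Review bot: The rewritten routing rule still blocks only 10/8, 172.16/12 and 192.168/16 when accept_lan is off, so an authenticated client can still reach 127.0.0.0/8 (anything bound to loopback on the server host — on an OpenWrt box typically uhttpd/LuCI), 169.254.0.0/16, and every IPv6 local range, since the `ip` list has no v6 entries at all. Extend the list to `ip = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"},` (V2Ray's `"geoip:private"` would cover the same set if a geoip.dat is shipped with the package, which I cannot confirm from here). The `and "blocked" or "direct"` ternary is safe because both arms are non-nil strings, so that part is fine. gen_config continues outside the hunk.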
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
index 7c3647f015..9f0c8bb5d9 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -12,6 +12,7 @@ FORCE_INDEX=2
 ipt_n="iptables -t nat"
 ipt_m="iptables -t mangle"
 ip6t_n="ip6tables -t nat"
+ip6t_m="ip6tables -t mangle"
 FWI=$(uci -q get firewall.passwall.path 2>/dev/null)
 factor() {
@@ -234,18 +235,20 @@ filter_node() {
 local stream=${2}
 local _proxy=${3}
 local _port=${4}
- local is_tproxy ipt_tmp msg msg2
+ local is_tproxy ipt_tmp ip6t_tmp msg msg2
 if [ -n "$node" ] && [ "$node" != "nil" ]; then
 local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
 local address=$(config_n_get $node address)
 local port=$(config_n_get $node port)
 ipt_tmp=$ipt_n
+ ip6t_tmp=$ip6t_n
 [ "$stream" == "udp" ] && is_tproxy=1
 [ "$type" == "brook" ] && [ "$(config_n_get $node brook_protocol client)" == "client" ] && is_tproxy=1
 [ "$type" == "trojan-go" ] && is_tproxy=1
 if [ -n "$is_tproxy" ]; then
 ipt_tmp=$ipt_m
+ ip6t_tmp=$ip6t_m
 msg="TPROXY"
 else
 msg="REDIRECT"
@@ -256,26 +259,35 @@ filter_node() {
 fi
 local ADD_INDEX=$FORCE_INDEX
- $ipt_tmp -n -L PSW_OUTPUT | grep -q "${address}:${port}"
- if [ $? -ne 0 ]; then
- local dst_rule=$(REDIRECT 1 MARK)
- msg2="按规则路由(${msg})"
- [ "$ipt_tmp" == "$ipt_m" ] || {
- dst_rule=$(REDIRECT $_port)
- msg2="套娃使用(${msg}:${port}>>${_port})"
- }
- [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
- ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" PSW_OUT_PUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
- dst_rule=" -j RETURN"
- msg2="直连代理(${msg})"
- }
- $ipt_tmp -I PSW_OUTPUT $ADD_INDEX $(comment "${address}:${port}") -p $stream -d $address --dport $port $dst_rule
- else
- msg2="已配置过的节点,"
- fi
+ for _ipt in 4 6; do
+ [ "$_ipt" == "4" ] && _ipt=$ipt_tmp
+ [ "$_ipt" == "6" ] && _ipt=$ip6t_tmp
+ $_ipt -n -L PSW_OUTPUT | grep -q "${address}:${port}"
+ if [ $? -ne 0 ]; then
+ local dst_rule=$(REDIRECT 1 MARK)
+ msg2="按规则路由(${msg})"
+ [ "$_ipt" == "$ipt_m" ] || {
+ dst_rule=$(REDIRECT $_port)
+ msg2="套娃使用(${msg}:${port}>>${_port})"
+ }
+ [ "$_ipt" == "$ip6t_tmp" ] || {
+ dst_rule=$(REDIRECT $_port)
+ msg2="套娃使用(${msg}:${port}>>${_port})"
+ }
+ [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
+ ADD_INDEX=$(RULE_LAST_INDEX "$_ipt" PSW_OUT_PUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
+ dst_rule=" -j RETURN"
+ msg2="直连代理(${msg})"
+ }
+ $_ipt -I PSW_OUTPUT $ADD_INDEX $(comment "${address}:${port}") -p $stream -d $address --dport $port $dst_rule 2>/dev/null
+ else
+ msg2="已配置过的节点,"
+ fi
+ done
 msg="[$?]${msg2}使用链${ADD_INDEX},节点(${type}):${address}:${port}"
 echolog " - ${msg}"
 }
+
 local proxy_protocol=$(config_n_get $proxy_node protocol)
 local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
 [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
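Review bot: The second guard added inside the loop makes the `$(REDIRECT 1 MARK)` rule unreachable: `_ipt` can never equal both `$ipt_m` and `$ip6t_tmp`, so one of the two `|| { dst_rule=$(REDIRECT $_port) ... }` blocks always runs and every TPROXY node (UDP, brook client, trojan-go) now gets the `$_port` redirect in the mangle table instead of the MARK the pre-change code kept for `$ipt_m`; if REDIRECT emits `-j REDIRECT` as its name suggests, that target is not valid in mangle, and the new `2>/dev/null` on the `-I PSW_OUTPUT` line hides exactly that failure. Collapse the two guards into one, `[ "$_ipt" == "$ipt_m" ] || [ "$_ipt" == "$ip6t_m" ] || {`, and keep a single `dst_rule=$(REDIRECT $_port)` block under it. The `msg="[$?]..."` line after `done` also only reflects the loop's final command, so the log can report success for a v4 insert that failed inside the loop. filter_node starts before this hunk.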
@@ -430,25 +442,30 @@ add_firewall_rule() {
 $ipt_n -I PREROUTING $PR_INDEX -p tcp -j PSW
 echolog "使用链表 PREROUTING 排列索引${PR_INDEX}[$?]"
+ $ip6t_n -N PSW
+ $ip6t_n -A PREROUTING -j PSW
+ $ip6t_n -N PSW_OUTPUT
+ $ip6t_n -A OUTPUT -p tcp -j PSW_OUTPUT
+
+ $ip6t_m -N PSW
+ $ip6t_m -A PREROUTING -j PSW
+ $ip6t_m -N PSW_OUTPUT
+ $ip6t_m -A OUTPUT -p tcp -j PSW_OUTPUT
+ [ -n "$lan_ifname" ] && {
+ lan_ipv6=$(ip address show $lan_ifname | grep -w "inet6" | awk '{print $2}') #当前LAN IPv6段
+ [ -n "$lan_ipv6" ] && {
+ for ip in $lan_ipv6; do
+ $ip6t_n -A PSW -d $ip -j RETURN
+ $ip6t_n -A PSW_OUTPUT -d $ip -j RETURN
+ done
+ }
+ }
+
 if [ "$PROXY_IPV6" == "1" ]; then
 local msg="IPv6 配置不当,无法代理"
- [ -n "$lan_ifname" ] && {
- lan_ipv6=$(ip address show $lan_ifname | grep -w "inet6" | awk '{print $2}') #当前LAN IPv6段
- [ -n "$lan_ipv6" ] && {
- $ip6t_n -N PSW
- $ip6t_n -A PREROUTING -j PSW
- msg="接管 IPv6 流量[$?]"
- [ -n "$lan_ipv6" ] && {
- for ip in $lan_ipv6; do
- $ip6t_n -A PSW -d $ip -j RETURN
- done
- }
- [ "$use_ipv6" == "1" ] && [ -n "$server_ip" ] && $ip6t_n -A PSW -d $server_ip -j RETURN
- $ip6t_n -A PSW -p tcp $(REDIRECT $TCP_REDIR_PORT1)
- #$ip6t_n -I OUTPUT -p tcp -j PSW
- msg="${msg},转发 IPv6 TCP 流量到节点1[$?]"
- }
- }
+ $ip6t_n -A PSW -p tcp $(REDIRECT $TCP_REDIR_PORT1)
+ $ip6t_n -A PSW_OUTPUT -p tcp $(REDIRECT $TCP_REDIR_PORT1)
+ msg="${msg},转发 IPv6 TCP 流量到节点1[$?]"
 echolog "$msg"
 fi
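Review bot: The removed `[ "$use_ipv6" == "1" ] && [ -n "$server_ip" ] && $ip6t_n -A PSW -d $server_ip -j RETURN` has no replacement, and the new `$ip6t_n -A PSW_OUTPUT -p tcp $(REDIRECT $TCP_REDIR_PORT1)` now also covers locally generated traffic, so when the node is reached over IPv6 the proxy client's own connection to the server can be redirected back into the local redir port — a loop. filter_node's loop does insert a per-node `-d $address --dport $port -j RETURN` into ip6tables PSW_OUTPUT, but that only succeeds when `address` is an IPv6 literal (its errors are now discarded), so a hostname node is left uncovered. Re-add the exclusion for both chains ahead of the two REDIRECT lines, `[ "$use_ipv6" == "1" ] && [ -n "$server_ip" ] && $ip6t_n -A PSW -d $server_ip -j RETURN` plus the same with `-A PSW_OUTPUT`, assuming `$server_ip`/`$use_ipv6` are still computed earlier in add_firewall_rule as the removed line relied on. Separately, `-A PREROUTING -j PSW` now hooks every interface even with PROXY_IPV6 off, and `-A PSW -p tcp REDIRECT` matches WAN-ingress IPv6 as well as LAN; an `-i $lan_ifname` match on the redirect rule would keep inbound traffic from being re-targeted at the redir port. add_firewall_rule continues outside the hunk.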
@@ -545,10 +562,15 @@ del_firewall_rule() {
 $ipt_m -F PSW_OUTPUT 2>/dev/null && $ipt_m -X PSW_OUTPUT 2>/dev/null
 $ip6t_n -D PREROUTING -j PSW 2>/dev/null
- $ip6t_n -D OUTPUT -j PSW_OUTPUT 2>/dev/null
+ $ip6t_n -D OUTPUT -p tcp -j PSW_OUTPUT 2>/dev/null
 $ip6t_n -F PSW 2>/dev/null && $ip6t_n -X PSW 2>/dev/null
 $ip6t_n -F PSW_OUTPUT 2>/dev/null && $ip6t_n -X PSW_OUTPUT 2>/dev/null
+
+ $ip6t_m -D PREROUTING -j PSW 2>/dev/null
+ $ip6t_m -D OUTPUT -p tcp -j PSW_OUTPUT 2>/dev/null
+ $ip6t_m -F PSW 2>/dev/null && $ip6t_m -X PSW 2>/dev/null
+ $ip6t_m -F PSW_OUTPUT 2>/dev/null && $ip6t_m -X PSW_OUTPUT 2>/dev/null
+
 ip rule del fwmark 1 lookup 100 2>/dev/null
 ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
@@ -577,16 +599,24 @@ flush_include() {
 gen_include() {
 flush_include
 extract_rules() {
- echo "*$1"
- iptables-save -t $1 | grep PSW | \
+ local _ipt="iptables"
+ [ "$1" == "6" ] && _ipt="ip6tables"
+
+ echo "*$2"
+ ${_ipt}-save -t $2 | grep PSW | \
 sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/"
 echo 'COMMIT'
 }
 cat <<-EOF >>$FWI
 iptables-save -c | grep -v "PSW" | iptables-restore -c
 iptables-restore -n <<-EOT
- $(extract_rules nat)
- $(extract_rules mangle)
+ $(extract_rules 4 nat)
+ $(extract_rules 4 mangle)
+ EOT
+ ip6tables-save -c | grep -v "PSW" | ip6tables-restore -c
+ ip6tables-restore -n <<-EOT
+ $(extract_rules 6 nat)
+ $(extract_rules 6 mangle)
 EOT
 EOF
 return 0
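Review bot: `extract_rules 6 nat` writes a `*nat` … `COMMIT` block into the generated include even when `${_ipt}-save -t $2` produced nothing (ip6tables not installed, or a kernel without the v6 nat table), and the `ip6tables-save -c | grep -v "PSW" | ip6tables-restore -c` line then runs on every firewall reload regardless, so a table the kernel cannot load turns into a recurring `ip6tables-restore` error in the firewall log. Guard it at generation time by adding, before `echo "*$2"`, `${_ipt}-save -t "$2" >/dev/null 2>&1 || return 0` so an unavailable table yields no `*table` block (whether `-save` exits non-zero for a missing table should be confirmed on the target iptables build). Note also that `grep -v "PSW"` drops any user rule whose comment or chain name merely contains the substring `PSW`, a pre-existing hazard now duplicated for v6; matching the chain as a token (`-j PSW`, `:PSW`, `-A PSW`) would be safer. gen_include's closing brace is past the end of the hunk.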