luci-app-passwall: sync with upstream source
parent
40b4de8f44
commit
ebb7559137
@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=luci-app-passwall
|
||||
PKG_VERSION:=3.9
|
||||
PKG_RELEASE:=23
|
||||
PKG_DATE:=20200727
|
||||
PKG_RELEASE:=26
|
||||
PKG_DATE:=20200729
|
||||
|
||||
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ function index()
|
||||
entry({"admin", "services", appname, "haproxy"}, cbi("passwall/haproxy"), _("Load Balancing"), 94).leaf = true
|
||||
end
|
||||
entry({"admin", "services", appname, "node_subscribe"}, cbi("passwall/node_subscribe"), _("Node Subscribe"), 95).dependent = true
|
||||
entry({"admin", "services", appname, "rule"}, cbi("passwall/rule"), _("Rule"), 96).leaf = true
|
||||
entry({"admin", "services", appname, "rule"}, cbi("passwall/rule"), _("Rule Manage"), 96).leaf = true
|
||||
entry({"admin", "services", appname, "app_update"}, cbi("passwall/app_update"), _("App Update"), 97).leaf = true
|
||||
entry({"admin", "services", appname, "node_config"}, cbi("passwall/node_config")).leaf = true
|
||||
entry({"admin", "services", appname, "shunt_rules"}, cbi("passwall/shunt_rules")).leaf = true
|
||||
|
||||
@ -4,10 +4,10 @@ function gen_config(user)
|
||||
local cipher13 = "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
|
||||
local config = {
|
||||
run_type = "server",
|
||||
local_addr = "0.0.0.0",
|
||||
local_addr = "::",
|
||||
local_port = tonumber(user.port),
|
||||
remote_addr = (user.remote_enable == "1" and user.remote_address) and user.remote_address or nil,
|
||||
remote_port = (user.remote_enable == "1" and user.remote_port) and user.remote_port or nil,
|
||||
remote_port = (user.remote_enable == "1" and user.remote_port) and tonumber(user.remote_port) or nil,
|
||||
password = user.type == "Trojan-Go" and user.passwords or { user.password },
|
||||
log_level = 1,
|
||||
ssl = (user.stream_security == nil or user.stream_security == "tls") and {
|
||||
|
||||
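Review bot: The new `local_addr = "::"` makes the generated server (`run_type = "server"`) bind the IPv6 wildcard, so IPv4 clients are served only where the kernel maps them onto the v6 socket (bindv6only off) and IPv6 is enabled at all; on a v4-only or bindv6only host the listener serves nothing or fails to bind. If dual-stack is the intended contract, record it at the line, e.g. `-- "::" relies on a dual-stack socket (bindv6only=0) to also accept IPv4`; otherwise expose the listen address as a config option with `"0.0.0.0"` still available. `tonumber(user.remote_port)` returns nil for a non-numeric value, which the trailing `or nil` already tolerates, so that change needs no extra guard. gen_config continues outside the hunk.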
@ -244,8 +244,8 @@ function gen_config(user)
|
||||
}
|
||||
|
||||
if user.transport == "mkcp" or user.transport == "ds" or user.transport == "quic" then
|
||||
user.streamSettings.security = "none"
|
||||
user.streamSettings.tlsSettings = nil
|
||||
config.inbounds[1].streamSettings.security = "none"
|
||||
config.inbounds[1].streamSettings.tlsSettings = nil
|
||||
end
|
||||
|
||||
return config
|
||||
|
||||
@ -67,8 +67,8 @@ msgstr "负载均衡"
|
||||
msgid "Enter interface"
|
||||
msgstr "进入界面"
|
||||
|
||||
msgid "Rule"
|
||||
msgstr "规则"
|
||||
msgid "Rule Manage"
|
||||
msgstr "规则管理"
|
||||
|
||||
msgid "Access control"
|
||||
msgstr "访问控制"
|
||||
@ -680,7 +680,7 @@ msgid "Moving..."
|
||||
msgstr "移动中"
|
||||
|
||||
msgid "App Update"
|
||||
msgstr "更新主程序"
|
||||
msgstr "组件更新"
|
||||
|
||||
msgid "Please confirm that your firmware supports FPU."
|
||||
msgstr "请确认你的固件支持FPU。"
|
||||
|
||||
@ -48,6 +48,10 @@ config_t_get() {
|
||||
echo ${ret:=$3}
|
||||
}
|
||||
|
||||
get_enabled_anonymous_secs() {
|
||||
uci -q show $CONFIG | grep "${1}\[.*\.enabled='1'" | cut -d'.' -sf2
|
||||
}
|
||||
|
||||
get_host_ip() {
|
||||
local host=$2
|
||||
local count=$3
|
||||
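Review bot: `get_enabled_anonymous_secs` leaves `$CONFIG` unquoted and uses `${1}` as an unanchored BRE, so a `.` or `[` in a caller's section type is a regex operator rather than a literal; the three callers in this commit pass fixed names (`@subscribe_list`, `@haproxy_config`, `@acl_rule`), so it works, but an anchored pattern makes the expected `config.@type[n].enabled='1'` line shape explicit: `uci -q show "$CONFIG" | grep "^${CONFIG}\.${1}\[[0-9]*]\.enabled='1'$" | cut -d'.' -sf2`. A one-line comment above the function stating that it prints the `@type[n]` names of the enabled sections would also help, since `cut -d'.' -sf2` is what selects that field and presumes `$CONFIG` itself contains no dot.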
@ -85,6 +89,17 @@ get_node_host_ip() {
|
||||
echo $ip
|
||||
}
|
||||
|
||||
get_ip_port_from() {
|
||||
local __host=${1}; shift 1
|
||||
local __ipv=${1}; shift 1
|
||||
local __portv=${1}; shift 1
|
||||
|
||||
local val1 val2
|
||||
val2=$(echo $__host | sed -n 's/^.*[:#]\([0-9]*\)$/\1/p')
|
||||
val1="${__host%%${val2:+[:#]${val2}*}}"
|
||||
eval "${__ipv}=\"$val1\"; ${__portv}=\"$val2\""
|
||||
}
|
||||
|
||||
hosts_foreach() {
|
||||
local __hosts
|
||||
eval "__hosts=\$${1}"; shift 1
|
||||
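Review bot: `get_ip_port_from` assigns through `eval "${__ipv}=\"$val1\"; ${__portv}=\"$val2\""`, which expands `$val1`/`$val2` before eval parses the string, so a host value holding `"`, `$(`, or a backquote is executed as shell rather than stored; the values reach this function from UCI options (`lbss` in start_haproxy, the host lists in hosts_foreach). Escaping the inner references so eval assigns from the variables instead of from their contents closes that: `eval "${__ipv}=\"\$val1\"; ${__portv}=\"\$val2\""`, the same form hosts_foreach already uses for `\${__ip}` and `\${__port}` on its callback line (where `\"${__host}\"` is still interpolated, outside this change). `echo $__host` on the `val2=` line is unquoted as well, so a `*` in the host would glob; `printf '%s\n' "$__host"` avoids that and echo's option parsing.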
@ -95,8 +110,7 @@ hosts_foreach() {
|
||||
[ -z "${__hosts}" ] && return 0
|
||||
local __ip __port
|
||||
for __host in $(echo $__hosts | sed 's/[ ,]/\n/g'); do
|
||||
__port=$(echo $__host | sed -n 's/^.*[:#]\(^[0-9]*\)$/\1/p')
|
||||
__ip="${__host%%${__port:+[:#]${__port}*}}"
|
||||
get_ip_port_from "$__host" "__ip" "__port"
|
||||
eval "$__func \"${__host}\" \"\${__ip}\" \"\${__port:-${__default_port}}\" $@"
|
||||
__ret=$?
|
||||
[ ${__ret} -ge ${ERROR_NO_CATCH:-1} ] && return ${__ret}
|
||||
@ -278,7 +292,7 @@ run_socks() {
|
||||
local port=$(config_n_get $node port)
|
||||
local msg
|
||||
|
||||
echolog " 启用 ${bind}:${local_port}"
|
||||
echolog " - 启用 ${bind}:${local_port}"
|
||||
if [ -n "$server_host" ] && [ -n "$port" ]; then
|
||||
server_host=$(echo $server_host | sed 's/^\(https:\/\/\|http:\/\/\)//g' | awk -F '/' '{print $1}')
|
||||
[ -n "$(echo -n $server_host | awk '{print gensub(/[!-~]/,"","g",$0)}')" ] && msg="$remarks,非法的代理服务器地址,无法启动 !"
|
||||
@ -287,13 +301,13 @@ run_socks() {
|
||||
fi
|
||||
|
||||
[ -n "${msg}" ] && {
|
||||
echolog " ${msg}"
|
||||
echolog " - ${msg}"
|
||||
return 1
|
||||
}
|
||||
echolog " 节点:$remarks,${server_host}:${port}"
|
||||
echolog " - 节点:$remarks,${server_host}:${port}"
|
||||
|
||||
if [ "$type" == "socks" ]; then
|
||||
echolog " 不能使用 Socks 类型的代理节点"
|
||||
echolog " - 不能使用 Socks 类型的代理节点"
|
||||
elif [ "$type" == "v2ray" ]; then
|
||||
lua $API_GEN_V2RAY $node nil nil $local_port > $config_file
|
||||
ln_start_bin $(config_t_get global_app v2ray_file $(find_bin v2ray))/v2ray v2ray "-config=$config_file"
|
||||
@ -584,7 +598,7 @@ start_dns() {
|
||||
dns2socks)
|
||||
[ "$DNS_CACHE" == "0" ] && local _cache="/d"
|
||||
ln_start_bin $(find_bin dns2socks) dns2socks "$DNS2SOCKS_SOCKS_SERVER $DNS2SOCKS_FORWARD 127.0.0.1:$DNS_PORT $_cache"
|
||||
echolog "DNS:dns2socks(${DNS2SOCKS_FORWARD-D46.182.19.48:53})..."
|
||||
echolog "DNS:dns2socks,${DNS2SOCKS_FORWARD-D46.182.19.48:53}"
|
||||
;;
|
||||
pdnsd)
|
||||
if [ -z "$TCP_NODE1" -o "$TCP_NODE1" == "nil" ]; then
|
||||
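Review bot: The changed echolog keeps `${DNS2SOCKS_FORWARD-D46.182.19.48:53}` as its fallback text, where `D46.182.19.48:53` does not look like a valid host:port and the `-` operator differs from the `${DNS2SOCKS_FORWARD:-D46.182.19.48:53}` form written in the chinadns-ng branch of the later hunk (`@ -627,32 +641,37 @@`); verify the intended default against where DNS2SOCKS_FORWARD is set and use one spelling in both places, e.g. `${DNS2SOCKS_FORWARD:-<real default>}`. Because the fallback only appears in the log while the `ln_start_bin … dns2socks` line above passes the bare `$DNS2SOCKS_FORWARD`, a wrong fallback mislabels the upstream in the log rather than changing what dns2socks queries, and an empty variable would hand dns2socks one argument fewer without any hint in the log. start_dns continues outside the hunk.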
@ -593,7 +607,7 @@ start_dns() {
|
||||
else
|
||||
gen_pdnsd_config $DNS_PORT
|
||||
ln_start_bin $(find_bin pdnsd) pdnsd "--daemon -c $pdnsd_dir/pdnsd.conf -d"
|
||||
echolog "DNS:pdnsd + 使用TCP节点解析DNS..."
|
||||
echolog "DNS:pdnsd + 使用TCP节点解析DNS"
|
||||
fi
|
||||
;;
|
||||
chinadns-ng)
|
||||
@ -627,32 +641,37 @@ start_dns() {
|
||||
gen_pdnsd_config $other_port
|
||||
ln_start_bin $(find_bin pdnsd) pdnsd "--daemon -c $pdnsd_dir/pdnsd.conf -d"
|
||||
ln_start_bin $(find_bin chinadns-ng) chinadns-ng "-l $DNS_PORT -c $china_ng_chn -t 127.0.0.1#$other_port $gfwlist_param $chnlist_param $fair_mode"
|
||||
echolog "DNS:ChinaDNS-NG + pdnsd($china_ng_gfw),国内DNS:$china_ng_chn"
|
||||
echolog "DNS:ChinaDNS-NG + pdnsd,$china_ng_gfw,国内DNS:$china_ng_chn"
|
||||
fi
|
||||
elif [ "$up_trust_chinadns_ng_dns" == "dns2socks" ]; then
|
||||
[ "$DNS_CACHE" == "0" ] && local _cache="/d"
|
||||
ln_start_bin $(find_bin dns2socks) dns2socks "$DNS2SOCKS_SOCKS_SERVER $DNS2SOCKS_FORWARD 127.0.0.1:$other_port $_cache"
|
||||
ln_start_bin $(find_bin chinadns-ng) chinadns-ng "-l $DNS_PORT -c $china_ng_chn -t 127.0.0.1#$other_port $gfwlist_param $chnlist_param $fair_mode"
|
||||
echolog "DNS:ChinaDNS-NG + dns2socks(${DNS2SOCKS_FORWARD:-D46.182.19.48:53}),国内DNS:$china_ng_chn"
|
||||
echolog "DNS:ChinaDNS-NG + dns2socks,${DNS2SOCKS_FORWARD:-D46.182.19.48:53},国内DNS:$china_ng_chn"
|
||||
elif [ "$up_trust_chinadns_ng_dns" == "udp" ]; then
|
||||
use_udp_node_resolve_dns=1
|
||||
ln_start_bin $(find_bin chinadns-ng) chinadns-ng "-l $DNS_PORT -c $china_ng_chn -t $china_ng_gfw $gfwlist_param $chnlist_param $fair_mode"
|
||||
echolog "DNS:ChinaDNS-NG,国内DNS:$china_ng_chn,可信DNS:$up_trust_chinadns_ng_dns[$china_ng_gfw],如果不能使用,请确保UDP节点已打开并且支持UDP转发。"
|
||||
echolog "DNS:ChinaDNS-NG,国内DNS:$china_ng_chn,可信DNS:$up_trust_chinadns_ng_dns,$china_ng_gfw"
|
||||
echolog " - 如非直连地址,请确保UDP节点已打开并且支持UDP转发。"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
add_dnsmasq() {
|
||||
local msg
|
||||
echolog "准备 dnsmasq 配置文件..."
|
||||
mkdir -p $TMP_DNSMASQ_PATH $DNSMASQ_PATH /var/dnsmasq.d
|
||||
local adblock=$(config_t_get global_rules adblock 0)
|
||||
local chinadns_mode=0
|
||||
[ "$DNS_MODE" == "chinadns-ng" ] && [ "$IS_DEFAULT_CHINA_DNS" != 1 ] && chinadns_mode=1
|
||||
[ "$DNS_MODE" == "chinadns-ng" ] && [ "$IS_DEFAULT_CHINA_DNS" != 1 ] && chinadns_mode=1 && msg="chinadns-ng"
|
||||
[ "$adblock" == "1" ] && {
|
||||
msg="${msg},adblock"
|
||||
[ -f "$RULES_PATH/adblock.conf" -a -s "$RULES_PATH/adblock.conf" ] && ln -s $RULES_PATH/adblock.conf $TMP_DNSMASQ_PATH/adblock.conf
|
||||
}
|
||||
|
||||
[ "$DNS_MODE" != "nonuse" ] && {
|
||||
msg="${msg}:$UP_CHINA_DNS1,$UP_CHINA_DNS2"
|
||||
[ -f "$RULES_PATH/direct_host" -a -s "$RULES_PATH/direct_host" ] && cat $RULES_PATH/direct_host | sed -e "/^$/d" | sort -u | awk '{if (mode == 0 && dns1 != "") print "server=/."$1"/'$UP_CHINA_DNS1'"; if (mode == 0 && dns2 != "") print "server=/."$1"/'$UP_CHINA_DNS2'"; print "ipset=/."$1"/whitelist"}' mode=$chinadns_mode dns1=$UP_CHINA_DNS1 dns2=$UP_CHINA_DNS2 > $TMP_DNSMASQ_PATH/direct_host.conf
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | sed 's/^\(https:\/\/\|http:\/\/\)//g' | awk -F '/' '{print $1}' | grep -v "google.c" | grep -E '.*\..*$' | grep '[a-zA-Z]$' | sort -u | awk '{if (dns1 != "") print "server=/."$1"/'$UP_CHINA_DNS1'"; if (dns2 != "") print "server=/."$1"/'$UP_CHINA_DNS2'"; print "ipset=/."$1"/vpsiplist"}' dns1=$UP_CHINA_DNS1 dns2=$UP_CHINA_DNS2 > $TMP_DNSMASQ_PATH/vpsiplist_host.conf
|
||||
[ -f "$RULES_PATH/proxy_host" -a -s "$RULES_PATH/proxy_host" ] && cat $RULES_PATH/proxy_host | sed -e "/^$/d" | sort -u | awk '{if (mode == 0) print "server=/."$1"/127.0.0.1#'$DNS_PORT'"; print "ipset=/."$1"/blacklist"}' mode=$chinadns_mode > $TMP_DNSMASQ_PATH/proxy_host.conf
|
||||
@ -663,18 +682,12 @@ add_dnsmasq() {
|
||||
fi
|
||||
|
||||
subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0)
|
||||
[ "$subscribe_proxy" -eq 1 ] && {
|
||||
local count=$(uci show $CONFIG | grep "@subscribe_list" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
|
||||
[ -n "$count" ] && [ "$count" -ge 0 ] && {
|
||||
u_get() {
|
||||
local ret=$(uci -q get $CONFIG.@subscribe_list[$1].$2)
|
||||
echo ${ret:=$3}
|
||||
}
|
||||
for i in $(seq 0 $count); do
|
||||
local enabled=$(u_get $i enabled 0)
|
||||
[ "$enabled" == "0" ] && continue
|
||||
local url=$(u_get $i url)
|
||||
[ -n "$url" -a "$url" != "" ] && {
|
||||
[ "$subscribe_proxy" == "1" ] && {
|
||||
local items=$(get_enabled_anonymous_secs "@subscribe_list")
|
||||
[ -n "$items" ] && {
|
||||
for item in ${items}; do
|
||||
local url=$(config_n_get ${item} url)
|
||||
[ -n "$url" ] && [ "$url" != "" ] && {
|
||||
if [ -n "$(echo -n "$url" | grep "//")" ]; then
|
||||
[ "$chinadns_mode" == 0 ] && echo -n "$url" | awk -F '/' '{print $3}' | sed "s/^/server=&\/./g" | sed "s/$/\/127.0.0.1#$DNS_PORT/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
|
||||
echo -n "$url" | awk -F '/' '{print $3}' | sed "s/^/ipset=&\/./g" | sed "s/$/\/blacklist/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
|
||||
@ -687,8 +700,9 @@ add_dnsmasq() {
|
||||
}
|
||||
}
|
||||
}
|
||||
echolog " - ${msg}"
|
||||
|
||||
if [ -z "$IS_DEFAULT_CHINA_DNS" -o "$IS_DEFAULT_CHINA_DNS" == 0 ]; then
|
||||
if [ -z "$IS_DEFAULT_CHINA_DNS" ] || [ "$IS_DEFAULT_CHINA_DNS" == 0 ]; then
|
||||
server="server=127.0.0.1#$DNS_PORT"
|
||||
[ "$DNS_MODE" != "chinadns-ng" ] && {
|
||||
[ -n "$UP_CHINA_DNS1" ] && server="server=$UP_CHINA_DNS1"
|
||||
@ -700,6 +714,7 @@ add_dnsmasq() {
|
||||
no-poll
|
||||
no-resolv
|
||||
EOF
|
||||
echolog " - 默认DNS:${server}"
|
||||
else
|
||||
[ -z "$DEFAULT_DNS1" ] && {
|
||||
local tmp=$(get_host_ip ipv4 www.baidu.com 1)
|
||||
@ -709,7 +724,7 @@ add_dnsmasq() {
|
||||
no-poll
|
||||
no-resolv
|
||||
EOF
|
||||
echolog "你没有设置接口DNS,请前往设置!"
|
||||
echolog " - 你没有设置接口DNS,请前往设置!"
|
||||
/etc/init.d/dnsmasq restart >/dev/null 2>&1
|
||||
}
|
||||
}
|
||||
@ -717,7 +732,6 @@ add_dnsmasq() {
|
||||
|
||||
echo "conf-dir=$TMP_DNSMASQ_PATH" >> /var/dnsmasq.d/dnsmasq-$CONFIG.conf
|
||||
cp -rf /var/dnsmasq.d/dnsmasq-$CONFIG.conf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf
|
||||
echolog "dnsmasq:生成配置文件。"
|
||||
}
|
||||
|
||||
gen_pdnsd_config() {
|
||||
@ -751,8 +765,8 @@ gen_pdnsd_config() {
|
||||
EOF
|
||||
|
||||
append_pdnsd_updns() {
|
||||
[ -z "${2}" ] && echolog " 略过错误 : [${1}]" && return 0
|
||||
echolog " 上游DNS[${2}:${3}]"
|
||||
[ -z "${2}" ] && echolog " - 略过错误 : ${1}" && return 0
|
||||
echolog " - 上游DNS:${2}:${3}"
|
||||
cat >> $pdnsd_dir/pdnsd.conf <<-EOF
|
||||
server {
|
||||
label = "node-${2}_${3}";
|
||||
@ -780,14 +794,14 @@ del_dnsmasq() {
|
||||
}
|
||||
|
||||
start_haproxy() {
|
||||
enabled=$(config_t_get global_haproxy balancing_enable 0)
|
||||
[ "$enabled" = "1" ] && {
|
||||
local haproxy_bin HAPROXY_PATH HAPROXY_FILE item lport sorted_items
|
||||
[ "$(config_t_get global_haproxy balancing_enable 0)" == "1" ] && {
|
||||
echolog "HAPROXY 负载均衡..."
|
||||
haproxy_bin=$(find_bin haproxy)
|
||||
[ -f "$haproxy_bin" ] && {
|
||||
local HAPROXY_PATH=$TMP_PATH/haproxy
|
||||
HAPROXY_PATH=$TMP_PATH/haproxy
|
||||
mkdir -p $HAPROXY_PATH
|
||||
local HAPROXY_FILE=$HAPROXY_PATH/config.cfg
|
||||
bport=$(config_t_get global_haproxy haproxy_port)
|
||||
HAPROXY_FILE=$HAPROXY_PATH/config.cfg
|
||||
cat <<-EOF > $HAPROXY_FILE
|
||||
global
|
||||
log 127.0.0.1 local2
|
||||
@ -817,65 +831,62 @@ start_haproxy() {
|
||||
|
||||
EOF
|
||||
|
||||
local ports=$(uci show $CONFIG | grep "@haproxy_config" | grep haproxy_port | cut -d "'" -f 2 | sort -u)
|
||||
for p in $ports; do
|
||||
cat <<-EOF >> $HAPROXY_FILE
|
||||
listen $p
|
||||
mode tcp
|
||||
bind 0.0.0.0:$p
|
||||
|
||||
EOF
|
||||
items=$(get_enabled_anonymous_secs "@haproxy_config")
|
||||
for item in $items; do
|
||||
lport=$(config_n_get ${item} haproxy_port 0)
|
||||
[ "${lport}" == "0" ] && echolog " - 丢弃1个明显无效的节点" && continue
|
||||
sorted_items="${sorted_items}${IFS}${lport} ${item}"
|
||||
done
|
||||
|
||||
items=$(echo "${sorted_items}" | sort -n | cut -d' ' -sf 2)
|
||||
|
||||
local count=$(uci show $CONFIG | grep "@haproxy_config" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
|
||||
[ -n "$count" ] && [ "$count" -ge 0 ] && {
|
||||
u_get() {
|
||||
local ret=$(uci -q get $CONFIG.@haproxy_config[$1].$2)
|
||||
echo ${ret:=$3}
|
||||
}
|
||||
for i in $(seq 0 $count); do
|
||||
local enabled=$(u_get $i enabled 0)
|
||||
[ -z "$enabled" -o "$enabled" == "0" ] && continue
|
||||
unset lport
|
||||
[ -n "$items" ] && {
|
||||
local haproxy_port lbss lbort lbweight export backup
|
||||
local msg bip bport bline bbackup failcount interface
|
||||
for item in ${items}; do
|
||||
unset haproxy_port lbort bbackup
|
||||
|
||||
eval $(uci -q show $CONFIG.${item} | cut -d'.' -sf 3- | grep -v '^$')
|
||||
get_ip_port_from "$lbss" bip bport
|
||||
|
||||
local haproxy_port=$(u_get $i haproxy_port)
|
||||
[ -z "$haproxy_port" ] && continue
|
||||
|
||||
local bips=$(u_get $i lbss)
|
||||
local bports=$(u_get $i lbort)
|
||||
if [ -z "$bips" ] || [ -z "$bports" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
local bip=$(echo $bips | awk -F ":" '{print $1}')
|
||||
local bport=$(echo $bips | awk -F ":" '{print $2}')
|
||||
[ "$bports" != "default" ] && bport=$bports
|
||||
[ -z "$bport" ] && continue
|
||||
|
||||
local line=$(cat $HAPROXY_FILE | grep -n "bind 0.0.0.0:$haproxy_port" | awk -F ":" '{print $1}')
|
||||
[ -z "$line" ] && continue
|
||||
|
||||
local bweight=$(u_get $i lbweight)
|
||||
local exports=$(u_get $i export)
|
||||
local backup=$(u_get $i backup)
|
||||
local bbackup=""
|
||||
[ "$lbort" == "default" ] && lbort=$bport || bport=$lbort
|
||||
[ -z "$haproxy_port" ] || [ -z "$bip" ] || [ -z "$lbort" ] && echolog " - 丢弃1个明显无效的节点" && continue
|
||||
[ "$backup" = "1" ] && bbackup="backup"
|
||||
sed -i "${line}i \ \ \ \ server $bip:$bport $bip:$bport weight $bweight check inter 1500 rise 1 fall 3 $bbackup" $HAPROXY_FILE
|
||||
if [ "$exports" != "0" ]; then
|
||||
|
||||
[ "$lport" == "${haproxy_port}" ] || {
|
||||
lport=${haproxy_port}
|
||||
echolog " - 入口 0.0.0.0:${lport}..."
|
||||
cat <<-EOF >> $HAPROXY_FILE
|
||||
listen $lport
|
||||
mode tcp
|
||||
bind 0.0.0.0:$lport
|
||||
EOF
|
||||
}
|
||||
|
||||
cat <<-EOF >> $HAPROXY_FILE
|
||||
server $bip:$bport $bip:$bport weight $lbweight check inter 1500 rise 1 fall 3 $bbackup
|
||||
EOF
|
||||
|
||||
if [ "$export" != "0" ]; then
|
||||
unset msg
|
||||
failcount=0
|
||||
while [ "$failcount" -lt "3" ]; do
|
||||
interface=$(ifconfig | grep "$exports" | awk '{print $1}')
|
||||
if [ -z "$interface" ]; then
|
||||
echolog "找不到出口接口:$exports,1分钟后再重试"
|
||||
ubus list network.interface.${export} >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
echolog " - 找不到出口接口:$export,1分钟后再重试(${failcount}/3),${bip}"
|
||||
let "failcount++"
|
||||
[ "$failcount" -ge 3 ] && exit 0
|
||||
sleep 1m
|
||||
else
|
||||
route add -host ${bip} dev ${exports}
|
||||
route add -host ${bip} dev ${export}
|
||||
msg="[$?] 从 ${export} 接口路由,"
|
||||
echo "$bip" >>/tmp/balancing_ip
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
echolog " - ${msg}出口节点:${bip}:${bport},权重:${lbweight}"
|
||||
done
|
||||
}
|
||||
|
||||
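Review bot: In the rewritten per-item loop only `haproxy_port lbort bbackup` are cleared before `eval $(uci -q show $CONFIG.${item} …)` repopulates the section, so `lbss`, `lbweight`, `export` and `backup` keep the previous item's value whenever the current section omits that option — a node without `backup` inherits `backup=1` from its predecessor, and one without `lbss` is routed to the previous address; change the line to `unset haproxy_port lbss lbort lbweight export backup bbackup`. The load_acl loop in the second script (`@ -105,27 +107,23 @@`) has the same carry-over: only `ip mac tcp_port udp_port is_tproxy msg` are unset, so its `${tcp_proxy_mode:-default}` style fallbacks never fire for a section that omits the option. Separately, `route add -host ${bip} dev ${export}` hands the name that `ubus list network.interface.${export}` just validated — a netifd logical interface — to `route`, which expects a kernel device; the replaced code resolved a device through `ifconfig`, so if `export` is a logical name it should be resolved first (for example `network_get_device` from `/lib/functions/network.sh`). The listen blocks are emitted once per port only because `items` arrives port-sorted from the `sort -n` line, which deserves a comment such as `# items must stay sorted by port: a listen block is opened when the port changes`.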
@ -886,6 +897,7 @@ start_haproxy() {
|
||||
local auth=""
|
||||
[ -n "$console_user" -a -n "console_password" ] && auth="stats auth $console_user:$console_password"
|
||||
cat <<-EOF >> $HAPROXY_FILE
|
||||
|
||||
listen console
|
||||
bind 0.0.0.0:$console_port
|
||||
mode http
|
||||
@ -896,6 +908,7 @@ start_haproxy() {
|
||||
EOF
|
||||
|
||||
ln_start_bin $haproxy_bin haproxy "-f $HAPROXY_FILE"
|
||||
echolog " - 控制台端口:${console_port}/,${auth:-公开}"
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -978,4 +991,4 @@ start)
|
||||
boot)
|
||||
boot
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
@ -7,6 +7,8 @@ IPSET_CHN="chnroute"
|
||||
IPSET_BLACKLIST="blacklist"
|
||||
IPSET_WHITELIST="whitelist"
|
||||
|
||||
FORCE_INDEX=2
|
||||
|
||||
ipt_n="iptables -t nat"
|
||||
ipt_m="iptables -t mangle"
|
||||
ip6t_n="ip6tables -t nat"
|
||||
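Review bot: `FORCE_INDEX=2` is introduced without a comment although later hunks (`@ -136,130 +134,153 @@` and `@ -377,19 +402,19 @@`) replace the computed `RULE_LAST_INDEX … 2` lookup with it, so every node and DNS rule is now inserted at slot 2 of its chain regardless of what the chain holds; as far as I can tell `iptables -I CHAIN 2` is rejected while the chain is still empty, and any rule that later lands in slot 1 silently changes the ordering. Document the assumption where the constant is defined, e.g. `# FORCE_INDEX: node/DNS rules go into slot 2, directly after the first rule of PSW_OUTPUT/PSW`, and say which rule is expected to occupy slot 1.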
@ -105,27 +107,23 @@ gen_laniplist() {
|
||||
}
|
||||
|
||||
load_acl() {
|
||||
local count=$(uci show $CONFIG | grep "@acl_rule" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
|
||||
[ -n "$count" ] && [ "$count" -ge 0 ] && {
|
||||
u_get() {
|
||||
local ret=$(uci -q get $CONFIG.@acl_rule[$1].$2)
|
||||
echo ${ret:=$3}
|
||||
}
|
||||
for i in $(seq 0 $count); do
|
||||
local enabled=$(u_get $i enabled 0)
|
||||
[ "$enabled" == "0" ] && continue
|
||||
local remarks=$(u_get $i remarks)
|
||||
local ip=$(u_get $i ip)
|
||||
local mac=$(u_get $i mac)
|
||||
[ -z "$ip" -a -z "$mac" ] && continue
|
||||
local tcp_proxy_mode=$(u_get $i tcp_proxy_mode default)
|
||||
local udp_proxy_mode=$(u_get $i udp_proxy_mode default)
|
||||
local tcp_node=$(u_get $i tcp_node 1)
|
||||
local udp_node=$(u_get $i udp_node 1)
|
||||
local tcp_no_redir_ports=$(u_get $i tcp_no_redir_ports default)
|
||||
local udp_no_redir_ports=$(u_get $i udp_no_redir_ports default)
|
||||
local tcp_redir_ports=$(u_get $i tcp_redir_ports default)
|
||||
local udp_redir_ports=$(u_get $i udp_redir_ports default)
|
||||
local items=$(get_enabled_anonymous_secs "@acl_rule")
|
||||
[ -n "$items" ] && {
|
||||
local item enabled remarks ip mac tcp_proxy_mode udp_proxy_mod
|
||||
local tcp_node udp_node tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports
|
||||
local TCP_NODE UDP_NODE TCP_NODE_TYPE UDP_NODE_TYPE ipt_tmp is_tproxy tcp_port udp_port msg msg2
|
||||
for item in $items; do
|
||||
unset ip mac tcp_port udp_port is_tproxy msg
|
||||
eval $(uci -q show $CONFIG.${item} | cut -d'.' -sf 3- | grep -v '^$')
|
||||
[ -z "${ip}${mac}" ] && continue
|
||||
tcp_proxy_mode=${tcp_proxy_mode:-default}
|
||||
udp_proxy_mode=${udp_proxy_mode:-default}
|
||||
tcp_node=${tcp_node:-1}
|
||||
udp_node=${udp_node:-1}
|
||||
tcp_no_redir_ports=${tcp_no_redir_ports:-default}
|
||||
udp_no_redir_ports=${udp_no_redir_ports:-default}
|
||||
tcp_redir_ports=${tcp_redir_ports:-default}
|
||||
udp_redir_ports=${udp_redir_ports:-default}
|
||||
[ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
|
||||
[ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
|
||||
[ "$TCP_NODE_NUM" == "1" ] && tcp_node=1
|
||||
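Review bot: The `local` line declares `udp_proxy_mod` where `udp_proxy_mode` is meant, so the value that `eval $(uci -q show $CONFIG.${item} …)` and the `${udp_proxy_mode:-default}` fallback assign is a global that leaks out of load_acl instead of a loop-local; fix the name: `local item enabled remarks ip mac tcp_proxy_mode udp_proxy_mode`. That `eval` also turns every option of the section into a shell variable, not only the declared ones, so an option added later whose name collides with a script variable would overwrite it silently; a comment above the line, `# imports every option of the section as a shell variable`, records that contract. load_acl continues past the hunk.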
@ -136,130 +134,153 @@ load_acl() {
|
||||
[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
|
||||
eval TCP_NODE=\$TCP_NODE$tcp_node
|
||||
eval UDP_NODE=\$UDP_NODE$udp_node
|
||||
|
||||
if [ -n "$ip" -a -n "$mac" ]; then
|
||||
echolog "访问控制:IP:$ip,MAC:$mac,使用TCP_${tcp_node}节点,UDP_${udp_node}节点,TCP模式:$(get_action_chain_name $tcp_proxy_mode),UDP模式:$(get_action_chain_name $udp_proxy_mode)"
|
||||
else
|
||||
[ -n "$ip" ] && echolog "访问控制:IP:$ip,使用TCP_${tcp_node}节点,UDP_${udp_node}节点,TCP模式:$(get_action_chain_name $tcp_proxy_mode),UDP模式:$(get_action_chain_name $udp_proxy_mode)"
|
||||
[ -n "$mac" ] && echolog "访问控制:MAC:$mac,使用TCP_${tcp_node}节点,UDP_${udp_node}节点,TCP模式:$(get_action_chain_name $tcp_proxy_mode),UDP模式:$(get_action_chain_name $udp_proxy_mode)"
|
||||
fi
|
||||
|
||||
local ipt_tmp=$ipt_n
|
||||
|
||||
echolog "访问控制:${item}..."
|
||||
[ -n "$ip" ] && msg="IP:$ip,"
|
||||
[ -n "$mac" ] && msg="${msg:+${msg}和}MAC:$mac,"
|
||||
ipt_tmp=$ipt_n
|
||||
[ "$tcp_proxy_mode" != "disable" ] && {
|
||||
[ "$TCP_NODE" != "nil" ] && {
|
||||
eval tcp_port=\$TCP_REDIR_PORT$tcp_node
|
||||
eval TCP_NODE_TYPE=$(echo $(config_n_get $TCP_NODE type) | tr 'A-Z' 'a-z')
|
||||
local is_tproxy
|
||||
if [ "$TCP_NODE_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE brook_protocol client)" == "client" ]; then
|
||||
echolog "为 brook 启用 TCP TPROXY 模式"
|
||||
[ "$TCP_NODE_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE brook_protocol client)" == "client" ] && is_tproxy=1
|
||||
[ "$TCP_NODE_TYPE" == "trojan-go" ] && is_tproxy=1
|
||||
msg2="${msg}使用TCP节点${tcp_node} [$(get_action_chain_name $tcp_proxy_mode)]"
|
||||
if [ -n "${is_tproxy}" ]; then
|
||||
msg2="${msg2}(TPROXY:${tcp_port})代理"
|
||||
ipt_tmp=$ipt_m && is_tproxy="TPROXY"
|
||||
else
|
||||
echolog "使用 TCP FORWARD 模式"
|
||||
msg2="${msg2}(REDIRECT:${tcp_port})代理"
|
||||
fi
|
||||
[ "$tcp_no_redir_ports" != "disable" ] && $ipt_tmp -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
|
||||
eval tcp_port=\$TCP_REDIR_PORT$tcp_node
|
||||
[ "$tcp_no_redir_ports" != "disable" ] && {
|
||||
$ipt_tmp -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
|
||||
msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
|
||||
}
|
||||
msg2="${msg2}所有端口"
|
||||
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port $is_tproxy)
|
||||
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port $is_tproxy)
|
||||
unset is_tproxy
|
||||
unset tcp_port
|
||||
}
|
||||
echolog " - ${msg2}"
|
||||
}
|
||||
$ipt_tmp -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -j RETURN
|
||||
|
||||
[ "$udp_proxy_mode" != "disable" ] && {
|
||||
msg2="${msg}使用UDP节点${udp_node} [$(get_action_chain_name $udp_proxy_mode)]"
|
||||
[ "$UDP_NODE" != "nil" ] && {
|
||||
echolog "UDP 代理启用 TPROXY 模式"
|
||||
eval udp_port=\$UDP_REDIR_PORT$udp_node
|
||||
[ "$udp_no_redir_ports" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
|
||||
msg2="${msg2}(TPROXY:${udp_port})代理"
|
||||
[ "$udp_no_redir_ports" != "disable" ] && {
|
||||
$ipt_m -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
|
||||
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
|
||||
}
|
||||
msg2="${msg2}所有端口"
|
||||
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $udp_port TPROXY)
|
||||
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $udp_proxy_mode $udp_port TPROXY)
|
||||
unset udp_port
|
||||
}
|
||||
echolog " - ${msg2}"
|
||||
}
|
||||
$ipt_m -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -j RETURN
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
# 加载TCP默认代理模式
|
||||
local ipt_tmp=$ipt_n
|
||||
[ "$TCP_NODE1" != "nil" -a "$TCP_PROXY_MODE" != "disable" ] && {
|
||||
local is_tproxy msg
|
||||
[ "$TCP_NODE1" != "nil" ] && [ "$TCP_PROXY_MODE" != "disable" ] && {
|
||||
local TCP_NODE1_TYPE=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
|
||||
local is_tproxy
|
||||
if [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; then
|
||||
unset is_tproxy
|
||||
[ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ] && is_tproxy=1
|
||||
[ "$TCP_NODE1_TYPE" == "trojan-go" ] && is_tproxy=1
|
||||
msg="TCP默认代理:使用TCP节点1 [$(get_action_chain_name $TCP_PROXY_MODE)]"
|
||||
if [ -n "$is_tproxy" ]; then
|
||||
ipt_tmp=$ipt_m && is_tproxy="TPROXY"
|
||||
echolog "为 brook TCP默认代理启用 TPROXY 模式!"
|
||||
msg="${msg}(TPROXY:${TCP_REDIR_PORT1})代理"
|
||||
else
|
||||
echolog "TCP默认代理使用 FORWARD 模式"
|
||||
msg="${msg}(REDIRECT:${TCP_REDIR_PORT1})代理"
|
||||
fi
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN && msg="除${TCP_NO_REDIR_PORTS}外的"
|
||||
msg="${msg}所有端口"
|
||||
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT1 $is_tproxy)
|
||||
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT1 $is_tproxy)
|
||||
}
|
||||
$ipt_tmp -A PSW $(comment "默认") -p tcp -j RETURN
|
||||
echolog "TCP默认代理模式:$(get_action_chain_name $TCP_PROXY_MODE)"
|
||||
echolog "${msg}"
|
||||
|
||||
# 加载UDP默认代理模式
|
||||
if [ "$UDP_NODE1" != "nil" ] && [ "$UDP_PROXY_MODE" != "disable" ]; then
|
||||
echolog "UDP默认代理使用 TPROXY 模式"
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
|
||||
msg="UDP默认代理:使用UDP节点1 [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT1})代理"
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN && msg="除${TCP_NO_REDIR_PORTS}外的"
|
||||
msg="${msg}所有端口"
|
||||
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT1 TPROXY)
|
||||
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $UDP_PROXY_MODE $UDP_REDIR_PORT1 TPROXY)
|
||||
fi
|
||||
$ipt_m -A PSW $(comment "默认") -p udp -j RETURN
|
||||
echolog "UDP默认代理模式:$(get_action_chain_name $UDP_PROXY_MODE)"
|
||||
echolog "${msg}"
|
||||
}
|
||||
|
||||
filter_vpsip() {
|
||||
echolog "开始过滤所有节点到白名单"
|
||||
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
#uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){0,7}::[a-f0-9]{0,4}(:[a-f0-9]{1,4}){0,7}])" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIP6LIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
echolog "过滤所有节点直接 IP 地址完成"
|
||||
echolog "过滤所有节点直接 IP 地址完成[$?]"
|
||||
}
|
||||
|
||||
filter_node() {
|
||||
local proxy_node=${1} stream=$(echo ${2} | tr 'A-Z' 'a-z')
|
||||
local proxy_node=${1}
|
||||
local stream=$(echo ${2} | tr 'A-Z' 'a-z')
|
||||
local proxy_port=${3}
|
||||
|
||||
filter_rules() {
|
||||
local msg node=${1} stream=${2}
|
||||
local _proxy=${3} _port=${4}
|
||||
local node=${1}
|
||||
local stream=${2}
|
||||
local _proxy=${3}
|
||||
local _port=${4}
|
||||
local is_tproxy ipt_tmp msg msg2
|
||||
|
||||
if [ -n "$node" ] && [ "$node" != "nil" ]; then
|
||||
local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
|
||||
local address=$(config_n_get $node address)
|
||||
local port=$(config_n_get $node port)
|
||||
local ipt_tmp=$ipt_n
|
||||
if [ "$stream" == "udp" ] || [ "$type" == "brook" -a "$(config_n_get $node brook_protocol client)" == "client" ]; then
|
||||
ipt_tmp=$ipt_n
|
||||
[ "$stream" == "udp" ] && is_tproxy=1
|
||||
[ "$type" == "brook" ] && [ "$(config_n_get $node brook_protocol client)" == "client" ] && is_tproxy=1
|
||||
[ "$type" == "trojan-go" ] && is_tproxy=1
|
||||
if [ -n "$is_tproxy" ]; then
|
||||
ipt_tmp=$ipt_m
|
||||
echolog " 为 udp 或 brook 启用 TPROXY 模式"
|
||||
msg="TPROXY"
|
||||
else
|
||||
msg="REDIRECT"
|
||||
fi
|
||||
else
|
||||
echolog " 节点配置不正常,略过"
|
||||
return 0
|
||||
echolog " - 节点配置不正常,略过"
|
||||
return 0
|
||||
fi
|
||||
|
||||
local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" PSW_OUT_PUT "$IPSET_VPSIPLIST" 2)
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
$ipt_tmp -n -L PSW_OUTPUT | grep -q "${address}:${port}"
|
||||
if [ $? -ne 0 ]; then
|
||||
local dst_rule=$(REDIRECT 1 MARK)
|
||||
msg="按规则路由"
|
||||
msg2="按规则路由(${msg})"
|
||||
[ "$ipt_tmp" == "$ipt_m" ] || {
|
||||
dst_rule=$(REDIRECT $_port)
|
||||
msg="套娃使用"
|
||||
msg2="套娃使用(${msg}:${port}>>${_port})"
|
||||
}
|
||||
[ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
|
||||
ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" PSW_OUT_PUT "$IPSET_VPSIPLIST" $FORCE_INDEX)
|
||||
dst_rule=" -j RETURN"
|
||||
msg="直连代理"
|
||||
msg2="直连代理(${msg})"
|
||||
}
|
||||
$ipt_tmp -I PSW_OUTPUT $ADD_INDEX $(comment "${address}:${port}") -p $stream -d $address --dport $port $dst_rule
|
||||
else
|
||||
msg="转发条目已存在,略过"
|
||||
msg2="已配置过的节点,"
|
||||
fi
|
||||
msg="${msg}[$?],节点(${type}):${address}:${port}"
|
||||
echolog " $msg"
|
||||
msg="[$?]${msg2}使用链${ADD_INDEX},节点(${type}):${address}:${port}"
|
||||
echolog " - ${msg}"
|
||||
}
|
||||
local proxy_protocol=$(config_n_get $proxy_node protocol)
|
||||
local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
|
||||
[ "$proxy_type" == "nil" ] && echolog " 节点配置不正常,略过!:${proxy_node}" && return 0
|
||||
[ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0
|
||||
if [ "$proxy_protocol" == "_shunt" ]; then
|
||||
echolog " 按请求目的地址分流(${proxy_type})..."
|
||||
echolog " - 按请求目的地址分流(${proxy_type})..."
|
||||
local default_node=$(config_n_get $proxy_node default_node nil)
|
||||
filter_rules $default_node $stream
|
||||
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
|
||||
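Review bot: In the rewritten default-proxy section the UDP message is built as `msg="除${TCP_NO_REDIR_PORTS}外的"` — it should read `UDP_NO_REDIR_PORTS` — and both that line and its TCP counterpart assign `msg=` instead of appending, so the `TCP默认代理:使用TCP节点1 …` / `UDP默认代理:…` prefix built a few lines earlier is dropped whenever a no-redirect port list is set; the ACL loop above appends with `msg2="${msg2}[$?]除…"`, so use the same form: `msg="${msg}除${TCP_NO_REDIR_PORTS}外的"` and `msg="${msg}除${UDP_NO_REDIR_PORTS}外的"`. In filter_rules the duplicate check `grep -q "${address}:${port}"` treats each dot of the address as a wildcard; `grep -qF -- "${address}:${port}"` matches it literally. filter_node continues past the hunk.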
@ -279,13 +300,13 @@ filter_node() {
|
||||
filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
|
||||
done
|
||||
elif [ "$proxy_protocol" == "_balancing" ]; then
|
||||
echolog " 多节点负载均衡(${proxy_type})..."
|
||||
echolog " - 多节点负载均衡(${proxy_type})..."
|
||||
proxy_node=$(config_n_get $proxy_node balancing_node)
|
||||
for _node in $proxy_node; do
|
||||
filter_rules "$_node" "$stream"
|
||||
done
|
||||
else
|
||||
echolog " 普通节点(${proxy_type})..."
|
||||
echolog " - 普通节点(${proxy_type})..."
|
||||
filter_rules "$proxy_node" "$stream"
|
||||
fi
|
||||
}
|
||||
@ -308,9 +329,13 @@ add_firewall_rule() {
|
||||
cat $RULES_PATH/proxy_ip | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
cat $RULES_PATH/direct_ip | sed -e "/^$/d" | sed -e "s/^/add $IPSET_WHITELIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
|
||||
|
||||
ipset -! -R <<-EOF || return 1
|
||||
ipset -! -R <<-EOF
|
||||
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
|
||||
EOF
|
||||
[ $? -eq 0 ] || {
|
||||
echolog "系统不兼容,终止执行!"
|
||||
return 1
|
||||
}
|
||||
|
||||
# 忽略特殊IP段
|
||||
local lan_ifname lan_ip
|
||||
@ -326,7 +351,7 @@ add_firewall_rule() {
|
||||
echolog "处理 ISP DNS 例外..."
|
||||
for ispip in $ISP_DNS; do
|
||||
ipset -! add $IPSET_WHITELIST $ispip >/dev/null 2>&1 &
|
||||
echolog " 追加到白名单:${ispip}"
|
||||
echolog " - 追加到白名单:${ispip}"
|
||||
done
|
||||
}
|
||||
|
||||
@ -366,7 +391,7 @@ add_firewall_rule() {
|
||||
TCP_NODE1_TYPE=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
|
||||
echolog "加载路由器自身 TCP 代理..."
|
||||
if [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; then
|
||||
echolog " 为 brook 启用 TCP TPROXY 模式"
|
||||
echolog " - 启用 TPROXY 模式"
|
||||
ipt_tmp=$ipt_m
|
||||
dns_l="PSW"
|
||||
dns_r="$(REDIRECT $TCP_REDIR_PORT1 TPROXY)"
|
||||
@ -377,19 +402,19 @@ add_firewall_rule() {
|
||||
[ -n "${2}" ] || return 0
|
||||
ipset test $IPSET_LANIPLIST ${2} 2>/dev/null
|
||||
[ $? -eq 0 ] && {
|
||||
echolog " 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
|
||||
return 0
|
||||
}
|
||||
local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" "$dns_l" "$IPSET_VPSIPLIST" 2)
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
$ipt_tmp -I $dns_l $ADD_INDEX -p tcp -d ${2} --dport ${3} $dns_r
|
||||
[ "$ipt_tmp" == "$ipt_m" ] && $ipt_tmp -I PSW_OUTPUT $ADD_INDEX -p tcp -d ${2} --dport ${3} $(REDIRECT 1 MARK)
|
||||
echolog " 将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链${ADD_INDEX}[$?]"
|
||||
echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链${ADD_INDEX}"
|
||||
}
|
||||
[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53
|
||||
$ipt_tmp -A OUTPUT -p tcp -j PSW_OUTPUT
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
echolog " 按要求设置全局例外 TCP 端口[$?]:$TCP_NO_REDIR_PORTS"
|
||||
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
|
||||
}
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $blist_r
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $p_r
|
||||
@ -430,27 +455,28 @@ add_firewall_rule() {
|
||||
# 过滤Socks节点
|
||||
local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
|
||||
echolog "分析 Socks 服务所使用节点..."
|
||||
local id enabled node port msg num
|
||||
for id in $ids; do
|
||||
local enabled=$(config_n_get $id enabled 0)
|
||||
enabled=$(config_n_get $id enabled 0)
|
||||
[ "$enabled" == "1" ] || continue
|
||||
local node=$(config_n_get $id node nil)
|
||||
local port=$(config_n_get $id port 0)
|
||||
local msg="Socks 服务 [:${port}]"
|
||||
node=$(config_n_get $id node nil)
|
||||
port=$(config_n_get $id port 0)
|
||||
msg="Socks 服务 [:${port}]"
|
||||
if [ "$node" == "nil" ] || [ "$port" == "0" ]; then
|
||||
msg="${msg} 未配置完全,略过"
|
||||
elif [ "$(echo $node | grep ^tcp)" ]; then
|
||||
local num=$(echo $node | sed "s/tcp//g")
|
||||
num=$(echo $node | sed "s/tcp//g")
|
||||
eval "node=\${TCP_NODE$num}"
|
||||
msg="${msg} 使用与 TCP 代理自动切换${num} 相同的节点,延后处理"
|
||||
else
|
||||
filter_node $node tcp
|
||||
filter_node $node udp
|
||||
fi
|
||||
echolog " $msg[$?]"
|
||||
echolog " - ${msg}"
|
||||
done
|
||||
|
||||
# 处理轮换节点的分流或套娃
|
||||
local node port stream
|
||||
local node port stream switch
|
||||
for stream in TCP UDP; do
|
||||
for switch in $(eval "seq 1 \${${stream}_NODE_NUM}"); do
|
||||
eval "node=\${${stream}_NODE$switch}"
|
||||
@ -459,13 +485,13 @@ add_firewall_rule() {
|
||||
[ "$node" == "tcp" ] && [ "$stream" == "UDP" ] && {
|
||||
eval "node=\${TCP_NODE$switch}"
|
||||
eval "port=\${TCP_REDIR_PORT$switch}"
|
||||
echolog " 采用 TCP 代理的配置"
|
||||
echolog " - 采用 TCP 代理的配置"
|
||||
}
|
||||
|
||||
if [ "$node" != "nil" ]; then
|
||||
filter_node $node $stream $port
|
||||
else
|
||||
echolog " 忽略无效的 $stream 代理自动切换$switch"
|
||||
echolog " - 忽略无效的 $stream 代理自动切换$switch"
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -474,23 +500,23 @@ add_firewall_rule() {
|
||||
if [ "$UDP_NODE1" != "nil" ]; then
|
||||
echolog "加载路由器自身 UDP 代理..."
|
||||
local UDP_NODE1_TYPE=$(echo $(config_n_get $UDP_NODE1 type) | tr 'A-Z' 'a-z')
|
||||
local ADD_INDEX=$FORCE_INDEX
|
||||
_proxy_udp_access() {
|
||||
[ -n "${2}" ] || return 0
|
||||
ipset test $IPSET_LANIPLIST ${2} 2>/dev/null
|
||||
[ $? == 0 ] && {
|
||||
echolog " 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
||||
echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
|
||||
return 0
|
||||
}
|
||||
local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" "$dns_l" "$IPSET_VPSIPLIST" 2)
|
||||
$ipt_m -I PSW $ADD_INDEX -p udp -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT1 TPROXY)
|
||||
$ipt_m -I PSW_OUTPUT $ADD_INDEX -p udp -d ${2} --dport ${3} $(REDIRECT 1 MARK)
|
||||
echolog " 将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链${ADD_INDEX}[$?]"
|
||||
echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链${ADD_INDEX}"
|
||||
}
|
||||
[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53
|
||||
$ipt_m -A OUTPUT -p udp -j PSW_OUTPUT
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
|
||||
$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
|
||||
echolog " 按要求配置例外 UDP 端口[$?]:$UDP_NO_REDIR_PORTS"
|
||||
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
|
||||
}
|
||||
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT 1 MARK)
|
||||
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE 1 MARK)
|
||||
@ -587,4 +613,4 @@ start)
|
||||
start
|
||||
;;
|
||||
*) ;;
|
||||
esac
|
||||
esac
|
||||