From ebb75591374cef64f755b3c8a2aa77287ac1cb71 Mon Sep 17 00:00:00 2001 From: CN_SZTL Date: Wed, 29 Jul 2020 17:39:30 +0800 Subject: [PATCH] luci-app-passwall: sync with upstream source --- package/lienol/luci-app-passwall/Makefile | 4 +- .../luasrc/controller/passwall.lua | 2 +- .../model/cbi/passwall/server/api/trojan.lua | 4 +- .../model/cbi/passwall/server/api/v2ray.lua | 4 +- .../luci-app-passwall/po/zh-cn/passwall.po | 6 +- .../root/usr/share/passwall/app.sh | 171 +++++++------- .../root/usr/share/passwall/iptables.sh | 214 ++++++++++-------- 7 files changed, 222 insertions(+), 183 deletions(-) diff --git a/package/lienol/luci-app-passwall/Makefile b/package/lienol/luci-app-passwall/Makefile index aaaf97f432..da6074993c 100644 --- a/package/lienol/luci-app-passwall/Makefile +++ b/package/lienol/luci-app-passwall/Makefile @@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-passwall PKG_VERSION:=3.9 -PKG_RELEASE:=23 -PKG_DATE:=20200727 +PKG_RELEASE:=26 +PKG_DATE:=20200729 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua b/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua index 997ec88a7b..3e63d6a4a5 100644 --- a/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua +++ b/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua 
@@ -26,7 +26,7 @@ function index() entry({"admin", "services", appname, "haproxy"}, cbi("passwall/haproxy"), _("Load Balancing"), 94).leaf = true end entry({"admin", "services", appname, "node_subscribe"}, cbi("passwall/node_subscribe"), _("Node Subscribe"), 95).dependent = true - entry({"admin", "services", appname, "rule"}, cbi("passwall/rule"), _("Rule"), 96).leaf = true + entry({"admin", "services", appname, "rule"}, cbi("passwall/rule"), _("Rule Manage"), 96).leaf = true entry({"admin", "services", appname, "app_update"}, cbi("passwall/app_update"), _("App Update"), 97).leaf = true entry({"admin", "services", appname, "node_config"}, cbi("passwall/node_config")).leaf = true entry({"admin", "services", appname, "shunt_rules"}, cbi("passwall/shunt_rules")).leaf = true diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/trojan.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/trojan.lua index 144ea8fa6b..1f8df594af 100644 --- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/trojan.lua +++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/trojan.lua @@ -4,10 +4,10 @@ function gen_config(user) local cipher13 = "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" local config = { run_type = "server", - local_addr = "0.0.0.0", + local_addr = "::", local_port = tonumber(user.port), remote_addr = (user.remote_enable == "1" and user.remote_address) and user.remote_address or nil, - remote_port = (user.remote_enable == "1" and user.remote_port) and user.remote_port or nil, + remote_port = (user.remote_enable == "1" and user.remote_port) and tonumber(user.remote_port) or nil, password = user.type == "Trojan-Go" and user.passwords or { user.password }, log_level = 1, ssl = (user.stream_security == nil or user.stream_security == "tls") and { 
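Review bot: `local_addr = "::"` in the trojan config makes IPv4 reachability depend on the socket being dual-stack: on Linux the listener accepts IPv4 clients only while `net.ipv6.bindv6only` is 0, and on a host where IPv6 is disabled the bind would fail where `0.0.0.0` used to work, so the change silently narrows where the server starts. The hunk shows no fallback or option, so at least record the assumption next to the field, e.g. `-- "::" relies on a dual-stack socket to also serve IPv4; the bind fails where IPv6 is disabled`, or keep an explicit choice between the two addresses. The `tonumber(user.remote_port)` change is fine and matches `local_port`. gen_config starts before and ends after this hunk.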
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua index 27dac1d5b6..1b9dbc77be 100644 --- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua +++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua @@ -244,8 +244,8 @@ function gen_config(user) } if user.transport == "mkcp" or user.transport == "ds" or user.transport == "quic" then - user.streamSettings.security = "none" - user.streamSettings.tlsSettings = nil + config.inbounds[1].streamSettings.security = "none" + config.inbounds[1].streamSettings.tlsSettings = nil end return config diff --git a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po index 097283d997..c8ca0f4c9a 100644 --- a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po +++ b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po @@ -67,8 +67,8 @@ msgstr "负载均衡" msgid "Enter interface" msgstr "进入界面" -msgid "Rule" -msgstr "规则" +msgid "Rule Manage" +msgstr "规则管理" msgid "Access control" msgstr "访问控制" @@ -680,7 +680,7 @@ msgid "Moving..." msgstr "移动中" msgid "App Update" -msgstr "更新主程序" +msgstr "组件更新" msgid "Please confirm that your firmware supports FPU." msgstr "请确认你的固件支持FPU。" diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh index d10b86f09e..bbbe6420a7 100755 --- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh @@ -48,6 +48,10 @@ config_t_get() { echo ${ret:=$3} } +get_enabled_anonymous_secs() { + uci -q show $CONFIG | grep "${1}\[.*\.enabled='1'" | cut -d'.' -sf2 +} + get_host_ip() { local host=$2 local count=$3 
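Review bot: The corrected lines index `config.inbounds[1].streamSettings` unconditionally; if streamSettings is only populated for some transports (its construction is above the hunk and not visible here), an mkcp/ds/quic inbound without it would fail with an index-on-nil error instead of returning a config. A guard keeps the intent at the cost of one local: `local ss = config.inbounds[1].streamSettings` followed by `if ss then ss.security = "none"; ss.tlsSettings = nil end`. gen_config starts before and ends after the hunk.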
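Review bot: The grep in the new `get_enabled_anonymous_secs` is unanchored and uses `.*` for the section index, so it matches any line of `uci show` output that contains the type name somewhere and `.enabled='1'` later on, which would also pick up a section type that merely starts with the requested name; anchoring to the package and to a numeric index makes the match exact: `grep "^${CONFIG}\.${1}\[[0-9]*\]\.enabled='1'$"`. The helper also lacks a comment, and since its output is fed to `eval` by callers later in this diff, a one-liner such as `# print the @type[n] ids of every enabled anonymous section of type $1 (e.g. "@acl_rule")` would help the next reader.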
@@ -85,6 +89,17 @@ get_node_host_ip() { echo $ip } +get_ip_port_from() { + local __host=${1}; shift 1 + local __ipv=${1}; shift 1 + local __portv=${1}; shift 1 + + local val1 val2 + val2=$(echo $__host | sed -n 's/^.*[:#]\([0-9]*\)$/\1/p') + val1="${__host%%${val2:+[:#]${val2}*}}" + eval "${__ipv}=\"$val1\"; ${__portv}=\"$val2\"" +} + hosts_foreach() { local __hosts eval "__hosts=\$${1}"; shift 1 @@ -95,8 +110,7 @@ hosts_foreach() { [ -z "${__hosts}" ] && return 0 local __ip __port for __host in $(echo $__hosts | sed 's/[ ,]/\n/g'); do - __port=$(echo $__host | sed -n 's/^.*[:#]\(^[0-9]*\)$/\1/p') - __ip="${__host%%${__port:+[:#]${__port}*}}" + get_ip_port_from "$__host" "__ip" "__port" eval "$__func \"${__host}\" \"\${__ip}\" \"\${__port:-${__default_port}}\" $@" __ret=$? [ ${__ret} -ge ${ERROR_NO_CATCH:-1} ] && return ${__ret} @@ -278,7 +292,7 @@ run_socks() { local port=$(config_n_get $node port) local msg - echolog " 启用 ${bind}:${local_port}" + echolog " - 启用 ${bind}:${local_port}" if [ -n "$server_host" ] && [ -n "$port" ]; then server_host=$(echo $server_host | sed 's/^\(https:\/\/\|http:\/\/\)//g' | awk -F '/' '{print $1}') [ -n "$(echo -n $server_host | awk '{print gensub(/[!-~]/,"","g",$0)}')" ] && msg="$remarks,非法的代理服务器地址,无法启动 !" @@ -287,13 +301,13 @@ run_socks() { fi [ -n "${msg}" ] && { - echolog " ${msg}" + echolog " - ${msg}" return 1 } - echolog " 节点:$remarks,${server_host}:${port}" + echolog " - 节点:$remarks,${server_host}:${port}" if [ "$type" == "socks" ]; then - echolog " 不能使用 Socks 类型的代理节点" + echolog " - 不能使用 Socks 类型的代理节点" elif [ "$type" == "v2ray" ]; then lua $API_GEN_V2RAY $node nil nil $local_port > $config_file ln_start_bin $(config_t_get global_app v2ray_file $(find_bin v2ray))/v2ray v2ray "-config=$config_file" 
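Review bot: `eval "${__ipv}=\"$val1\"; ${__portv}=\"$val2\""` in the new `get_ip_port_from` splices the host text into the string that is evaluated, so a `"`, backtick or `$` in a host entry (these come from node and DNS settings in uci, admin-controlled but unchecked) is parsed as shell instead of being stored; referencing the locals from inside the eval avoids that entirely: `eval "${__ipv}=\$val1; ${__portv}=\$val2"`. The adjacent `hosts_foreach` eval interpolates `${__host}` the same way, but that line is unchanged context. Separately, the moved sed pattern `[:#]\([0-9]*\)$` still treats the last `:` of a bare IPv6 literal as a port separator (`::1` would split into ip `:` and port `1`), which matters only if such literals ever reach this helper.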
@@ -584,7 +598,7 @@ start_dns() { dns2socks) [ "$DNS_CACHE" == "0" ] && local _cache="/d" ln_start_bin $(find_bin dns2socks) dns2socks "$DNS2SOCKS_SOCKS_SERVER $DNS2SOCKS_FORWARD 127.0.0.1:$DNS_PORT $_cache" - echolog "DNS:dns2socks(${DNS2SOCKS_FORWARD-D46.182.19.48:53})..." + echolog "DNS:dns2socks,${DNS2SOCKS_FORWARD-D46.182.19.48:53}" ;; pdnsd) if [ -z "$TCP_NODE1" -o "$TCP_NODE1" == "nil" ]; then @@ -593,7 +607,7 @@ start_dns() { else gen_pdnsd_config $DNS_PORT ln_start_bin $(find_bin pdnsd) pdnsd "--daemon -c $pdnsd_dir/pdnsd.conf -d" - echolog "DNS:pdnsd + 使用TCP节点解析DNS..." + echolog "DNS:pdnsd + 使用TCP节点解析DNS" fi ;; chinadns-ng) 
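Review bot: The reworded dns2socks log line keeps the fallback `${DNS2SOCKS_FORWARD-D46.182.19.48:53}`; the `D` in front of the address looks mistyped, and the chinadns-ng + dns2socks branch in the next start_dns hunk spells the same fallback with `:-`, so an empty-but-set variable is logged differently in the two places. Because the `ln_start_bin` line above passes `$DNS2SOCKS_FORWARD` through unchanged, the fallback text is only what the log claims, not what dns2socks receives; verify the literal against the binary's real default and use one form in both branches, e.g. `${DNS2SOCKS_FORWARD:-<dns2socks default>}` with the placeholder replaced.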
@@ -627,32 +641,37 @@ start_dns() { gen_pdnsd_config $other_port ln_start_bin $(find_bin pdnsd) pdnsd "--daemon -c $pdnsd_dir/pdnsd.conf -d" ln_start_bin $(find_bin chinadns-ng) chinadns-ng "-l $DNS_PORT -c $china_ng_chn -t 127.0.0.1#$other_port $gfwlist_param $chnlist_param $fair_mode" - echolog "DNS:ChinaDNS-NG + pdnsd($china_ng_gfw),国内DNS:$china_ng_chn" + echolog "DNS:ChinaDNS-NG + pdnsd,$china_ng_gfw,国内DNS:$china_ng_chn" fi elif [ "$up_trust_chinadns_ng_dns" == "dns2socks" ]; then [ "$DNS_CACHE" == "0" ] && local _cache="/d" ln_start_bin $(find_bin dns2socks) dns2socks "$DNS2SOCKS_SOCKS_SERVER $DNS2SOCKS_FORWARD 127.0.0.1:$other_port $_cache" ln_start_bin $(find_bin chinadns-ng) chinadns-ng "-l $DNS_PORT -c $china_ng_chn -t 127.0.0.1#$other_port $gfwlist_param $chnlist_param $fair_mode" - echolog "DNS:ChinaDNS-NG + dns2socks(${DNS2SOCKS_FORWARD:-D46.182.19.48:53}),国内DNS:$china_ng_chn" + echolog "DNS:ChinaDNS-NG + dns2socks,${DNS2SOCKS_FORWARD:-D46.182.19.48:53},国内DNS:$china_ng_chn" elif [ "$up_trust_chinadns_ng_dns" == "udp" ]; then use_udp_node_resolve_dns=1 ln_start_bin $(find_bin chinadns-ng) chinadns-ng "-l $DNS_PORT -c $china_ng_chn -t $china_ng_gfw $gfwlist_param $chnlist_param $fair_mode" - echolog "DNS:ChinaDNS-NG,国内DNS:$china_ng_chn,可信DNS:$up_trust_chinadns_ng_dns[$china_ng_gfw],如果不能使用,请确保UDP节点已打开并且支持UDP转发。" + echolog "DNS:ChinaDNS-NG,国内DNS:$china_ng_chn,可信DNS:$up_trust_chinadns_ng_dns,$china_ng_gfw" + echolog " - 如非直连地址,请确保UDP节点已打开并且支持UDP转发。" fi ;; esac } add_dnsmasq() { + local msg + echolog "准备 dnsmasq 配置文件..." 
mkdir -p $TMP_DNSMASQ_PATH $DNSMASQ_PATH /var/dnsmasq.d local adblock=$(config_t_get global_rules adblock 0) local chinadns_mode=0 - [ "$DNS_MODE" == "chinadns-ng" ] && [ "$IS_DEFAULT_CHINA_DNS" != 1 ] && chinadns_mode=1 + [ "$DNS_MODE" == "chinadns-ng" ] && [ "$IS_DEFAULT_CHINA_DNS" != 1 ] && chinadns_mode=1 && msg="chinadns-ng" [ "$adblock" == "1" ] && { + msg="${msg},adblock" [ -f "$RULES_PATH/adblock.conf" -a -s "$RULES_PATH/adblock.conf" ] && ln -s $RULES_PATH/adblock.conf $TMP_DNSMASQ_PATH/adblock.conf } [ "$DNS_MODE" != "nonuse" ] && { + msg="${msg}:$UP_CHINA_DNS1,$UP_CHINA_DNS2" [ -f "$RULES_PATH/direct_host" -a -s "$RULES_PATH/direct_host" ] && cat $RULES_PATH/direct_host | sed -e "/^$/d" | sort -u | awk '{if (mode == 0 && dns1 != "") print "server=/."$1"/'$UP_CHINA_DNS1'"; if (mode == 0 && dns2 != "") print "server=/."$1"/'$UP_CHINA_DNS2'"; print "ipset=/."$1"/whitelist"}' mode=$chinadns_mode dns1=$UP_CHINA_DNS1 dns2=$UP_CHINA_DNS2 > $TMP_DNSMASQ_PATH/direct_host.conf uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | sed 's/^\(https:\/\/\|http:\/\/\)//g' | awk -F '/' '{print $1}' | grep -v "google.c" | grep -E '.*\..*$' | grep '[a-zA-Z]$' | sort -u | awk '{if (dns1 != "") print "server=/."$1"/'$UP_CHINA_DNS1'"; if (dns2 != "") print "server=/."$1"/'$UP_CHINA_DNS2'"; print "ipset=/."$1"/vpsiplist"}' dns1=$UP_CHINA_DNS1 dns2=$UP_CHINA_DNS2 > $TMP_DNSMASQ_PATH/vpsiplist_host.conf [ -f "$RULES_PATH/proxy_host" -a -s "$RULES_PATH/proxy_host" ] && cat $RULES_PATH/proxy_host | sed -e "/^$/d" | sort -u | awk '{if (mode == 0) print "server=/."$1"/127.0.0.1#'$DNS_PORT'"; print "ipset=/."$1"/blacklist"}' mode=$chinadns_mode > $TMP_DNSMASQ_PATH/proxy_host.conf 
@@ -663,18 +682,12 @@ add_dnsmasq() { fi subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0) - [ "$subscribe_proxy" -eq 1 ] && { - local count=$(uci show $CONFIG | grep "@subscribe_list" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1) - [ -n "$count" ] && [ "$count" -ge 0 ] && { - u_get() { - local ret=$(uci -q get $CONFIG.@subscribe_list[$1].$2) - echo ${ret:=$3} - } - for i in $(seq 0 $count); do - local enabled=$(u_get $i enabled 0) - [ "$enabled" == "0" ] && continue - local url=$(u_get $i url) - [ -n "$url" -a "$url" != "" ] && { + [ "$subscribe_proxy" == "1" ] && { + local items=$(get_enabled_anonymous_secs "@subscribe_list") + [ -n "$items" ] && { + for item in ${items}; do + local url=$(config_n_get ${item} url) + [ -n "$url" ] && [ "$url" != "" ] && { if [ -n "$(echo -n "$url" | grep "//")" ]; then [ "$chinadns_mode" == 0 ] && echo -n "$url" | awk -F '/' '{print $3}' | sed "s/^/server=&\/./g" | sed "s/$/\/127.0.0.1#$DNS_PORT/g" >>$TMP_DNSMASQ_PATH/subscribe.conf echo -n "$url" | awk -F '/' '{print $3}' | sed "s/^/ipset=&\/./g" | sed "s/$/\/blacklist/g" >>$TMP_DNSMASQ_PATH/subscribe.conf @@ -687,8 +700,9 @@ add_dnsmasq() { } } } + echolog " - ${msg}" - if [ -z "$IS_DEFAULT_CHINA_DNS" -o "$IS_DEFAULT_CHINA_DNS" == 0 ]; then + if [ -z "$IS_DEFAULT_CHINA_DNS" ] || [ "$IS_DEFAULT_CHINA_DNS" == 0 ]; then server="server=127.0.0.1#$DNS_PORT" [ "$DNS_MODE" != "chinadns-ng" ] && { [ -n "$UP_CHINA_DNS1" ] && server="server=$UP_CHINA_DNS1" @@ -700,6 +714,7 @@ add_dnsmasq() { no-poll no-resolv EOF + echolog " - 默认DNS:${server}" else [ -z "$DEFAULT_DNS1" ] && { local tmp=$(get_host_ip ipv4 www.baidu.com 1) @@ -709,7 +724,7 @@ add_dnsmasq() { no-poll no-resolv EOF - echolog "你没有设置接口DNS,请前往设置!" + echolog " - 你没有设置接口DNS,请前往设置!" /etc/init.d/dnsmasq restart >/dev/null 2>&1 } } 
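Review bot: `[ -n "$url" ] && [ "$url" != "" ] && {` in the reworked subscribe loop tests the same condition twice; `[ -n "$url" ] && {` is enough. While this loop is being reworked it is also worth noting that the `awk -F '/' '{print $3}'` on the following (unchanged) lines keeps any `user:pass@host:port` part of a subscription URL, so a URL carrying credentials or an explicit port would produce a `server=/.user:pass@host:port/...` line that is unlikely to be a valid dnsmasq domain entry; appending `| sed 's/^.*@//; s/:.*$//'` after the awk would strip both. add_dnsmasq continues outside the hunk.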
@@ -717,7 +732,6 @@ add_dnsmasq() { echo "conf-dir=$TMP_DNSMASQ_PATH" >> /var/dnsmasq.d/dnsmasq-$CONFIG.conf cp -rf /var/dnsmasq.d/dnsmasq-$CONFIG.conf $DNSMASQ_PATH/dnsmasq-$CONFIG.conf - echolog "dnsmasq:生成配置文件。" } gen_pdnsd_config() { @@ -751,8 +765,8 @@ gen_pdnsd_config() { EOF append_pdnsd_updns() { - [ -z "${2}" ] && echolog " 略过错误 : [${1}]" && return 0 - echolog " 上游DNS[${2}:${3}]" + [ -z "${2}" ] && echolog " - 略过错误 : ${1}" && return 0 + echolog " - 上游DNS:${2}:${3}" cat >> $pdnsd_dir/pdnsd.conf <<-EOF server { label = "node-${2}_${3}"; @@ -780,14 +794,14 @@ del_dnsmasq() { } start_haproxy() { - enabled=$(config_t_get global_haproxy balancing_enable 0) - [ "$enabled" = "1" ] && { + local haproxy_bin HAPROXY_PATH HAPROXY_FILE item lport sorted_items + [ "$(config_t_get global_haproxy balancing_enable 0)" == "1" ] && { + echolog "HAPROXY 负载均衡..." haproxy_bin=$(find_bin haproxy) [ -f "$haproxy_bin" ] && { - local HAPROXY_PATH=$TMP_PATH/haproxy + HAPROXY_PATH=$TMP_PATH/haproxy mkdir -p $HAPROXY_PATH - local HAPROXY_FILE=$HAPROXY_PATH/config.cfg - bport=$(config_t_get global_haproxy haproxy_port) + HAPROXY_FILE=$HAPROXY_PATH/config.cfg cat <<-EOF > $HAPROXY_FILE global log 127.0.0.1 local2 
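Review bot: The new `local haproxy_bin HAPROXY_PATH HAPROXY_FILE item lport sorted_items` in start_haproxy omits `items`, which the function assigns a few lines further down (in the next hunk), so the section list leaks out of the function as a global; add it to the list: `local haproxy_bin HAPROXY_PATH HAPROXY_FILE item items lport sorted_items`. start_haproxy continues past this hunk.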
@@ -817,65 +831,62 @@ start_haproxy() { EOF - local ports=$(uci show $CONFIG | grep "@haproxy_config" | grep haproxy_port | cut -d "'" -f 2 | sort -u) - for p in $ports; do - cat <<-EOF >> $HAPROXY_FILE - listen $p - mode tcp - bind 0.0.0.0:$p - - EOF + items=$(get_enabled_anonymous_secs "@haproxy_config") + for item in $items; do + lport=$(config_n_get ${item} haproxy_port 0) + [ "${lport}" == "0" ] && echolog " - 丢弃1个明显无效的节点" && continue + sorted_items="${sorted_items}${IFS}${lport} ${item}" done + + items=$(echo "${sorted_items}" | sort -n | cut -d' ' -sf 2) - local count=$(uci show $CONFIG | grep "@haproxy_config" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1) - [ -n "$count" ] && [ "$count" -ge 0 ] && { - u_get() { - local ret=$(uci -q get $CONFIG.@haproxy_config[$1].$2) - echo ${ret:=$3} - } - for i in $(seq 0 $count); do - local enabled=$(u_get $i enabled 0) - [ -z "$enabled" -o "$enabled" == "0" ] && continue + unset lport + [ -n "$items" ] && { + local haproxy_port lbss lbort lbweight export backup + local msg bip bport bline bbackup failcount interface + for item in ${items}; do + unset haproxy_port lbort bbackup + + eval $(uci -q show $CONFIG.${item} | cut -d'.' 
-sf 3- | grep -v '^$') + get_ip_port_from "$lbss" bip bport - local haproxy_port=$(u_get $i haproxy_port) - [ -z "$haproxy_port" ] && continue - - local bips=$(u_get $i lbss) - local bports=$(u_get $i lbort) - if [ -z "$bips" ] || [ -z "$bports" ]; then - continue - fi - - local bip=$(echo $bips | awk -F ":" '{print $1}') - local bport=$(echo $bips | awk -F ":" '{print $2}') - [ "$bports" != "default" ] && bport=$bports - [ -z "$bport" ] && continue - - local line=$(cat $HAPROXY_FILE | grep -n "bind 0.0.0.0:$haproxy_port" | awk -F ":" '{print $1}') - [ -z "$line" ] && continue - - local bweight=$(u_get $i lbweight) - local exports=$(u_get $i export) - local backup=$(u_get $i backup) - local bbackup="" + [ "$lbort" == "default" ] && lbort=$bport || bport=$lbort + [ -z "$haproxy_port" ] || [ -z "$bip" ] || [ -z "$lbort" ] && echolog " - 丢弃1个明显无效的节点" && continue [ "$backup" = "1" ] && bbackup="backup" - sed -i "${line}i \ \ \ \ server $bip:$bport $bip:$bport weight $bweight check inter 1500 rise 1 fall 3 $bbackup" $HAPROXY_FILE - if [ "$exports" != "0" ]; then + + [ "$lport" == "${haproxy_port}" ] || { + lport=${haproxy_port} + echolog " - 入口 0.0.0.0:${lport}..." + cat <<-EOF >> $HAPROXY_FILE + listen $lport + mode tcp + bind 0.0.0.0:$lport + EOF + } + + cat <<-EOF >> $HAPROXY_FILE + server $bip:$bport $bip:$bport weight $lbweight check inter 1500 rise 1 fall 3 $bbackup + EOF + + if [ "$export" != "0" ]; then + unset msg failcount=0 while [ "$failcount" -lt "3" ]; do - interface=$(ifconfig | grep "$exports" | awk '{print $1}') - if [ -z "$interface" ]; then - echolog "找不到出口接口:$exports,1分钟后再重试" + ubus list network.interface.${export} >/dev/null 2>&1 + if [ $? -ne 0 ]; then + echolog " - 找不到出口接口:$export,1分钟后再重试(${failcount}/3),${bip}" let "failcount++" [ "$failcount" -ge 3 ] && exit 0 sleep 1m else - route add -host ${bip} dev ${exports} + route add -host ${bip} dev ${export} + msg="[$?] 
从 ${export} 接口路由," echo "$bip" >>/tmp/balancing_ip break fi done fi + echolog " - ${msg}出口节点:${bip}:${bport},权重:${lbweight}" done } @@ -886,6 +897,7 @@ start_haproxy() { local auth="" [ -n "$console_user" -a -n "console_password" ] && auth="stats auth $console_user:$console_password" cat <<-EOF >> $HAPROXY_FILE + listen console bind 0.0.0.0:$console_port mode http @@ -896,6 +908,7 @@ start_haproxy() { EOF ln_start_bin $haproxy_bin haproxy "-f $HAPROXY_FILE" + echolog " - 控制台端口:${console_port}/,${auth:-公开}" } } } @@ -978,4 +991,4 @@ start) boot) boot ;; -esac +esac \ No newline at end of file diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh index 81218b16cf..d33fe66818 100755 --- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh +++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh @@ -7,6 +7,8 @@ IPSET_CHN="chnroute" IPSET_BLACKLIST="blacklist" IPSET_WHITELIST="whitelist" +FORCE_INDEX=2 + ipt_n="iptables -t nat" ipt_m="iptables -t mangle" ip6t_n="ip6tables -t nat" 
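Review bot: `eval $(uci -q show $CONFIG.${item} | cut -d'.' -sf 3- | grep -v '^$')` in the new start_haproxy loop turns every option of the section into a shell assignment: `uci show` prints a list option as `name='a' 'b'`, which eval parses as the command `b` run with `name=a` in its environment, and any option whose name collides with `item`, `items` or `lport` overwrites the loop state, so should a haproxy_config section ever carry a list option or an unexpected option name the loop misbehaves or executes text taken from the config; load_acl in iptables.sh uses the same construct. Only `haproxy_port lbort bbackup` are reset per iteration, so `lbss`, `lbweight`, `export` and `backup` carry over from the previous section when the current one omits them — once one backend has `backup='1'`, every later backend lacking the option is marked backup too. With `export` left empty, the new `ubus list network.interface.${export}` check can never succeed and the retry loop around it (its `sleep 1m`/`exit 0` tail is unchanged context) ends the whole script. Reading each field with the existing `config_n_get` helper, as the hunk already does for `haproxy_port`, and resetting all of them per iteration avoids all three.
```shell
for item in ${items}; do
	unset haproxy_port lbss lbort lbweight export backup bbackup bip bport
	haproxy_port=$(config_n_get ${item} haproxy_port)
	lbss=$(config_n_get ${item} lbss)
	lbort=$(config_n_get ${item} lbort)
	lbweight=$(config_n_get ${item} lbweight)
	export=$(config_n_get ${item} export 0)
	backup=$(config_n_get ${item} backup 0)
	get_ip_port_from "$lbss" bip bport
	# … unchanged: lbort/bport reconciliation, validity check, listen/server stanzas, route setup, final echolog …
done
```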
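Review bot: The added `echolog " - 控制台端口:${console_port}/,${auth:-公开}"` prints `$auth`, which the context line above builds as `stats auth $console_user:$console_password`, so the haproxy stats password is written in cleartext to the passwall log. Log only whether authentication is enabled, e.g. `echolog " - 控制台端口:${console_port}/,${console_user:-公开}"`. While here, the context test `[ -n "$console_user" -a -n "console_password" ]` appears to be missing a `$` before `console_password` (as written it is always true), which is worth confirming since it decides whether `auth` is set at all; start_haproxy's end is outside the hunk.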
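Review bot: `FORCE_INDEX=2` replaces the previous `RULE_LAST_INDEX` lookup in `filter_rules` and in `_proxy_tcp_access`/`_proxy_udp_access` later in this diff, so node and upstream-DNS rules are now inserted at a fixed position instead of after the rule `RULE_LAST_INDEX` used to search for; that only preserves the intended ordering if rule 1 of PSW/PSW_OUTPUT is always that rule, and `iptables -I CHAIN 2` fails outright while the chain is still empty. The constant has no comment; `# insert position for per-node rules: after rule 1 of PSW/PSW_OUTPUT — TODO confirm rule 1 is always the vpsiplist rule` would record the assumption, and the chain setup that creates rule 1 (outside these hunks) should be checked against it.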
@@ -105,27 +107,23 @@ gen_laniplist() { } load_acl() { - local count=$(uci show $CONFIG | grep "@acl_rule" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1) - [ -n "$count" ] && [ "$count" -ge 0 ] && { - u_get() { - local ret=$(uci -q get $CONFIG.@acl_rule[$1].$2) - echo ${ret:=$3} - } - for i in $(seq 0 $count); do - local enabled=$(u_get $i enabled 0) - [ "$enabled" == "0" ] && continue - local remarks=$(u_get $i remarks) - local ip=$(u_get $i ip) - local mac=$(u_get $i mac) - [ -z "$ip" -a -z "$mac" ] && continue - local tcp_proxy_mode=$(u_get $i tcp_proxy_mode default) - local udp_proxy_mode=$(u_get $i udp_proxy_mode default) - local tcp_node=$(u_get $i tcp_node 1) - local udp_node=$(u_get $i udp_node 1) - local tcp_no_redir_ports=$(u_get $i tcp_no_redir_ports default) - local udp_no_redir_ports=$(u_get $i udp_no_redir_ports default) - local tcp_redir_ports=$(u_get $i tcp_redir_ports default) - local udp_redir_ports=$(u_get $i udp_redir_ports default) + local items=$(get_enabled_anonymous_secs "@acl_rule") + [ -n "$items" ] && { + local item enabled remarks ip mac tcp_proxy_mode udp_proxy_mod + local tcp_node udp_node tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports + local TCP_NODE UDP_NODE TCP_NODE_TYPE UDP_NODE_TYPE ipt_tmp is_tproxy tcp_port udp_port msg msg2 + for item in $items; do + unset ip mac tcp_port udp_port is_tproxy msg + eval $(uci -q show $CONFIG.${item} | cut -d'.' 
-sf 3- | grep -v '^$') + [ -z "${ip}${mac}" ] && continue + tcp_proxy_mode=${tcp_proxy_mode:-default} + udp_proxy_mode=${udp_proxy_mode:-default} + tcp_node=${tcp_node:-1} + udp_node=${udp_node:-1} + tcp_no_redir_ports=${tcp_no_redir_ports:-default} + udp_no_redir_ports=${udp_no_redir_ports:-default} + tcp_redir_ports=${tcp_redir_ports:-default} + udp_redir_ports=${udp_redir_ports:-default} [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE [ "$TCP_NODE_NUM" == "1" ] && tcp_node=1 
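Review bot: The per-iteration `unset ip mac tcp_port udp_port is_tproxy msg` in load_acl does not cover `remarks`, `tcp_proxy_mode`, `udp_proxy_mode`, `tcp_node`, `udp_node` or the four `*_redir_ports` variables, so the `${var:-default}` lines that follow only default the first section; any later acl_rule section that omits an option silently inherits the previous section's value (its node, its mode, or its remarks in the iptables comment). The `local` list also has a typo, `udp_proxy_mod`, so `udp_proxy_mode` is not local at all. Suggested: `local item enabled remarks ip mac tcp_proxy_mode udp_proxy_mode` and `unset remarks ip mac tcp_proxy_mode udp_proxy_mode tcp_node udp_node tcp_no_redir_ports udp_no_redir_ports tcp_redir_ports udp_redir_ports tcp_port udp_port is_tproxy msg`. load_acl continues past this hunk.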
@@ -136,130 +134,153 @@ load_acl() { [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS eval TCP_NODE=\$TCP_NODE$tcp_node eval UDP_NODE=\$UDP_NODE$udp_node - - if [ -n "$ip" -a -n "$mac" ]; then - echolog "访问控制:IP:$ip,MAC:$mac,使用TCP_${tcp_node}节点,UDP_${udp_node}节点,TCP模式:$(get_action_chain_name $tcp_proxy_mode),UDP模式:$(get_action_chain_name $udp_proxy_mode)" - else - [ -n "$ip" ] && echolog "访问控制:IP:$ip,使用TCP_${tcp_node}节点,UDP_${udp_node}节点,TCP模式:$(get_action_chain_name $tcp_proxy_mode),UDP模式:$(get_action_chain_name $udp_proxy_mode)" - [ -n "$mac" ] && echolog "访问控制:MAC:$mac,使用TCP_${tcp_node}节点,UDP_${udp_node}节点,TCP模式:$(get_action_chain_name $tcp_proxy_mode),UDP模式:$(get_action_chain_name $udp_proxy_mode)" - fi - - local ipt_tmp=$ipt_n + + echolog "访问控制:${item}..." + [ -n "$ip" ] && msg="IP:$ip," + [ -n "$mac" ] && msg="${msg:+${msg}和}MAC:$mac," + ipt_tmp=$ipt_n [ "$tcp_proxy_mode" != "disable" ] && { [ "$TCP_NODE" != "nil" ] && { + eval tcp_port=\$TCP_REDIR_PORT$tcp_node eval TCP_NODE_TYPE=$(echo $(config_n_get $TCP_NODE type) | tr 'A-Z' 'a-z') - local is_tproxy - if [ "$TCP_NODE_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE brook_protocol client)" == "client" ]; then - echolog "为 brook 启用 TCP TPROXY 模式" + [ "$TCP_NODE_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE brook_protocol client)" == "client" ] && is_tproxy=1 + [ "$TCP_NODE_TYPE" == "trojan-go" ] && is_tproxy=1 + msg2="${msg}使用TCP节点${tcp_node} [$(get_action_chain_name $tcp_proxy_mode)]" + if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${tcp_port})代理" ipt_tmp=$ipt_m && is_tproxy="TPROXY" else - echolog "使用 TCP FORWARD 模式" + msg2="${msg2}(REDIRECT:${tcp_port})代理" fi - [ "$tcp_no_redir_ports" != "disable" ] && $ipt_tmp -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN - eval tcp_port=\$TCP_REDIR_PORT$tcp_node + [ "$tcp_no_redir_ports" != "disable" ] && { + $ipt_tmp -A PSW $(comment 
"$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN + msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" $ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port $is_tproxy) $ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port $is_tproxy) - unset is_tproxy - unset tcp_port } + echolog " - ${msg2}" } $ipt_tmp -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -j RETURN [ "$udp_proxy_mode" != "disable" ] && { + msg2="${msg}使用UDP节点${udp_node} [$(get_action_chain_name $udp_proxy_mode)]" [ "$UDP_NODE" != "nil" ] && { - echolog "UDP 代理启用 TPROXY 模式" eval udp_port=\$UDP_REDIR_PORT$udp_node - [ "$udp_no_redir_ports" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -j RETURN + msg2="${msg2}(TPROXY:${udp_port})代理" + [ "$udp_no_redir_ports" != "disable" ] && { + $ipt_m -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -j RETURN + msg2="${msg2}[$?]除${udp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" $ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $udp_port TPROXY) $ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $udp_proxy_mode $udp_port TPROXY) - unset udp_port } + echolog " - ${msg2}" } $ipt_m -A PSW $(comment "$remarks") $(factor 
$ip "-s") $(factor $mac "-m mac --mac-source") -p udp -j RETURN done } - + # 加载TCP默认代理模式 local ipt_tmp=$ipt_n - [ "$TCP_NODE1" != "nil" -a "$TCP_PROXY_MODE" != "disable" ] && { + local is_tproxy msg + [ "$TCP_NODE1" != "nil" ] && [ "$TCP_PROXY_MODE" != "disable" ] && { local TCP_NODE1_TYPE=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z') - local is_tproxy - if [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; then + unset is_tproxy + [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ] && is_tproxy=1 + [ "$TCP_NODE1_TYPE" == "trojan-go" ] && is_tproxy=1 + msg="TCP默认代理:使用TCP节点1 [$(get_action_chain_name $TCP_PROXY_MODE)]" + if [ -n "$is_tproxy" ]; then ipt_tmp=$ipt_m && is_tproxy="TPROXY" - echolog "为 brook TCP默认代理启用 TPROXY 模式!" + msg="${msg}(TPROXY:${TCP_REDIR_PORT1})代理" else - echolog "TCP默认代理使用 FORWARD 模式" + msg="${msg}(REDIRECT:${TCP_REDIR_PORT1})代理" fi - [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN && msg="除${TCP_NO_REDIR_PORTS}外的" + msg="${msg}所有端口" $ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT1 $is_tproxy) $ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT1 $is_tproxy) } $ipt_tmp -A PSW $(comment "默认") -p tcp -j RETURN - echolog "TCP默认代理模式:$(get_action_chain_name $TCP_PROXY_MODE)" + echolog "${msg}" # 加载UDP默认代理模式 if [ "$UDP_NODE1" != "nil" ] && [ "$UDP_PROXY_MODE" != "disable" ]; then - echolog "UDP默认代理使用 TPROXY 模式" - [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN + 
msg="UDP默认代理:使用UDP节点1 [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT1})代理" + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN && msg="除${TCP_NO_REDIR_PORTS}外的" + msg="${msg}所有端口" $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT1 TPROXY) $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $UDP_PROXY_MODE $UDP_REDIR_PORT1 TPROXY) fi $ipt_m -A PSW $(comment "默认") -p udp -j RETURN - echolog "UDP默认代理模式:$(get_action_chain_name $UDP_PROXY_MODE)" + echolog "${msg}" } filter_vpsip() { - echolog "开始过滤所有节点到白名单" uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R #uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){0,7}::[a-f0-9]{0,4}(:[a-f0-9]{1,4}){0,7}])" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIP6LIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! 
-R - echolog "过滤所有节点直接 IP 地址完成" + echolog "过滤所有节点直接 IP 地址完成[$?]" } filter_node() { - local proxy_node=${1} stream=$(echo ${2} | tr 'A-Z' 'a-z') + local proxy_node=${1} + local stream=$(echo ${2} | tr 'A-Z' 'a-z') local proxy_port=${3} + filter_rules() { - local msg node=${1} stream=${2} - local _proxy=${3} _port=${4} + local node=${1} + local stream=${2} + local _proxy=${3} + local _port=${4} + local is_tproxy ipt_tmp msg msg2 + if [ -n "$node" ] && [ "$node" != "nil" ]; then local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z') local address=$(config_n_get $node address) local port=$(config_n_get $node port) - local ipt_tmp=$ipt_n - if [ "$stream" == "udp" ] || [ "$type" == "brook" -a "$(config_n_get $node brook_protocol client)" == "client" ]; then + ipt_tmp=$ipt_n + [ "$stream" == "udp" ] && is_tproxy=1 + [ "$type" == "brook" ] && [ "$(config_n_get $node brook_protocol client)" == "client" ] && is_tproxy=1 + [ "$type" == "trojan-go" ] && is_tproxy=1 + if [ -n "$is_tproxy" ]; then ipt_tmp=$ipt_m - echolog " 为 udp 或 brook 启用 TPROXY 模式" + msg="TPROXY" + else + msg="REDIRECT" fi else - echolog " 节点配置不正常,略过" - return 0 + echolog " - 节点配置不正常,略过" + return 0 fi - local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" PSW_OUT_PUT "$IPSET_VPSIPLIST" 2) + local ADD_INDEX=$FORCE_INDEX $ipt_tmp -n -L PSW_OUTPUT | grep -q "${address}:${port}" if [ $? 
-ne 0 ]; then local dst_rule=$(REDIRECT 1 MARK) - msg="按规则路由" + msg2="按规则路由(${msg})" [ "$ipt_tmp" == "$ipt_m" ] || { dst_rule=$(REDIRECT $_port) - msg="套娃使用" + msg2="套娃使用(${msg}:${port}>>${_port})" } [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || { + ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" PSW_OUT_PUT "$IPSET_VPSIPLIST" $FORCE_INDEX) dst_rule=" -j RETURN" - msg="直连代理" + msg2="直连代理(${msg})" } $ipt_tmp -I PSW_OUTPUT $ADD_INDEX $(comment "${address}:${port}") -p $stream -d $address --dport $port $dst_rule else - msg="转发条目已存在,略过" + msg2="已配置过的节点," fi - msg="${msg}[$?],节点(${type}):${address}:${port}" - echolog " $msg" + msg="[$?]${msg2}使用链${ADD_INDEX},节点(${type}):${address}:${port}" + echolog " - ${msg}" } local proxy_protocol=$(config_n_get $proxy_node protocol) local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z') - [ "$proxy_type" == "nil" ] && echolog " 节点配置不正常,略过!:${proxy_node}" && return 0 + [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0 if [ "$proxy_protocol" == "_shunt" ]; then - echolog " 按请求目的地址分流(${proxy_type})..." + echolog " - 按请求目的地址分流(${proxy_type})..." local default_node=$(config_n_get $proxy_node default_node nil) filter_rules $default_node $stream local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1) @@ -279,13 +300,13 @@ filter_node() { filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port" done elif [ "$proxy_protocol" == "_balancing" ]; then - echolog " 多节点负载均衡(${proxy_type})..." + echolog " - 多节点负载均衡(${proxy_type})..." proxy_node=$(config_n_get $proxy_node balancing_node) for _node in $proxy_node; do filter_rules "$_node" "$stream" done else - echolog " 普通节点(${proxy_type})..." + echolog " - 普通节点(${proxy_type})..." filter_rules "$proxy_node" "$stream" fi } 
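Review bot: In the default-proxy part of load_acl the two `&& msg="除${TCP_NO_REDIR_PORTS}外的"` assignments overwrite `msg` instead of appending to it, so whenever a no-redirect port list is configured the logged line loses its `TCP默认代理:…`/`UDP默认代理:…` prefix, and the UDP line interpolates `TCP_NO_REDIR_PORTS` although the rule it describes was built from `$UDP_NO_REDIR_PORTS`. Change them to `msg="${msg}除${TCP_NO_REDIR_PORTS}外的"` and `msg="${msg}除${UDP_NO_REDIR_PORTS}外的"`. This hunk starts at `@@ -136` and spans load_acl's tail, filter_vpsip and most of filter_node, whose remainder is in the next hunk.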
@@ -308,9 +329,13 @@ add_firewall_rule() { cat $RULES_PATH/proxy_ip | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R cat $RULES_PATH/direct_ip | sed -e "/^$/d" | sed -e "s/^/add $IPSET_WHITELIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R - ipset -! -R <<-EOF || return 1 + ipset -! -R <<-EOF $(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /") EOF + [ $? -eq 0 ] || { + echolog "系统不兼容,终止执行!" + return 1 + } # 忽略特殊IP段 local lan_ifname lan_ip @@ -326,7 +351,7 @@ add_firewall_rule() { echolog "处理 ISP DNS 例外..." for ispip in $ISP_DNS; do ipset -! add $IPSET_WHITELIST $ispip >/dev/null 2>&1 & - echolog " 追加到白名单:${ispip}" + echolog " - 追加到白名单:${ispip}" done } @@ -366,7 +391,7 @@ add_firewall_rule() { TCP_NODE1_TYPE=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z') echolog "加载路由器自身 TCP 代理..." if [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; then - echolog " 为 brook 启用 TCP TPROXY 模式" + echolog " - 启用 TPROXY 模式" ipt_tmp=$ipt_m dns_l="PSW" dns_r="$(REDIRECT $TCP_REDIR_PORT1 TPROXY)" 
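Review bot: The router-self TCP branch of add_firewall_rule keeps `if [ "$TCP_NODE1_TYPE" == "brook" ] && ...` as the only TPROXY trigger, while this same commit makes load_acl and filter_rules treat `trojan-go` as a TPROXY node; with a trojan-go TCP node, LAN clients would be handled in the mangle table but the router's own traffic in nat, and the PSW_OUTPUT entries filter_rules inserts via `$ipt_m` may then never be reached from the nat OUTPUT jump set up here. If that split is not intended, extend the condition to `if { [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; } || [ "$TCP_NODE1_TYPE" == "trojan-go" ]; then`. The rewritten log `" - 启用 TPROXY 模式"` also dropped the reason, which is the only hint in the log about why the nat/mangle choice differs; keep the node type in it. add_firewall_rule continues outside this hunk.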
@@ -377,19 +402,19 @@ add_firewall_rule() { [ -n "${2}" ] || return 0 ipset test $IPSET_LANIPLIST ${2} 2>/dev/null [ $? -eq 0 ] && { - echolog " 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问" + echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问" return 0 } - local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" "$dns_l" "$IPSET_VPSIPLIST" 2) + local ADD_INDEX=$FORCE_INDEX $ipt_tmp -I $dns_l $ADD_INDEX -p tcp -d ${2} --dport ${3} $dns_r [ "$ipt_tmp" == "$ipt_m" ] && $ipt_tmp -I PSW_OUTPUT $ADD_INDEX -p tcp -d ${2} --dport ${3} $(REDIRECT 1 MARK) - echolog " 将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链${ADD_INDEX}[$?]" + echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链${ADD_INDEX}" } [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53 $ipt_tmp -A OUTPUT -p tcp -j PSW_OUTPUT [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN - echolog " 按要求设置全局例外 TCP 端口[$?]:$TCP_NO_REDIR_PORTS" + echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS" } $ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $blist_r $ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $p_r 
@@ -430,27 +455,28 @@ add_firewall_rule() { # 过滤Socks节点 local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}') echolog "分析 Socks 服务所使用节点..." + local id enabled node port msg num for id in $ids; do - local enabled=$(config_n_get $id enabled 0) + enabled=$(config_n_get $id enabled 0) [ "$enabled" == "1" ] || continue - local node=$(config_n_get $id node nil) - local port=$(config_n_get $id port 0) - local msg="Socks 服务 [:${port}]" + node=$(config_n_get $id node nil) + port=$(config_n_get $id port 0) + msg="Socks 服务 [:${port}]" if [ "$node" == "nil" ] || [ "$port" == "0" ]; then msg="${msg} 未配置完全,略过" elif [ "$(echo $node | grep ^tcp)" ]; then - local num=$(echo $node | sed "s/tcp//g") + num=$(echo $node | sed "s/tcp//g") eval "node=\${TCP_NODE$num}" msg="${msg} 使用与 TCP 代理自动切换${num} 相同的节点,延后处理" else filter_node $node tcp filter_node $node udp fi - echolog " $msg[$?]" + echolog " - ${msg}" done # 处理轮换节点的分流或套娃 - local node port stream + local node port stream switch for stream in TCP UDP; do for switch in $(eval "seq 1 \${${stream}_NODE_NUM}"); do eval "node=\${${stream}_NODE$switch}" @@ -459,13 +485,13 @@ add_firewall_rule() { [ "$node" == "tcp" ] && [ "$stream" == "UDP" ] && { eval "node=\${TCP_NODE$switch}" eval "port=\${TCP_REDIR_PORT$switch}" - echolog " 采用 TCP 代理的配置" + echolog " - 采用 TCP 代理的配置" } if [ "$node" != "nil" ]; then filter_node $node $stream $port else - echolog " 忽略无效的 $stream 代理自动切换$switch" + echolog " - 忽略无效的 $stream 代理自动切换$switch" fi done done 
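Review bot: `num=$(echo $node | sed "s/tcp//g")` is passed straight into `eval "node=\${TCP_NODE$num}"` without confirming it is a number, and the branch is reached by any socks `node` value that merely starts with `tcp`, so a mistyped or unexpected config value becomes an unvalidated fragment of an `eval` string. Validate before the eval, e.g. `case "$num" in ''|*[!0-9]*) echolog " - ${msg} 无效的 TCP 节点编号,略过"; continue ;; esac`, which also gives the operator a clear log line instead of a confusing expansion error. Hoisting `local id enabled node port msg num` is an improvement, but the later `local node port stream switch` redeclares `node` and `port` in the same function; dropping those two from the second declaration avoids the shadow-looking duplicate. `add_firewall_rule` starts outside this hunk.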
@@ -474,23 +500,23 @@ add_firewall_rule() { if [ "$UDP_NODE1" != "nil" ]; then echolog "加载路由器自身 UDP 代理..." local UDP_NODE1_TYPE=$(echo $(config_n_get $UDP_NODE1 type) | tr 'A-Z' 'a-z') + local ADD_INDEX=$FORCE_INDEX _proxy_udp_access() { [ -n "${2}" ] || return 0 ipset test $IPSET_LANIPLIST ${2} 2>/dev/null [ $? == 0 ] && { - echolog " 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问" + echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问" return 0 } - local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" "$dns_l" "$IPSET_VPSIPLIST" 2) $ipt_m -I PSW $ADD_INDEX -p udp -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT1 TPROXY) $ipt_m -I PSW_OUTPUT $ADD_INDEX -p udp -d ${2} --dport ${3} $(REDIRECT 1 MARK) - echolog " 将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链${ADD_INDEX}[$?]" + echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链${ADD_INDEX}" } [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53 $ipt_m -A OUTPUT -p udp -j PSW_OUTPUT [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN - echolog " 按要求配置例外 UDP 端口[$?]:$UDP_NO_REDIR_PORTS" + echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS" } $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT 1 MARK) $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE 1 MARK) @@ -587,4 +613,4 @@ start) start ;; *) ;; -esac +esac \ No newline at end of file
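Review bot: `local ADD_INDEX=$FORCE_INDEX` is declared at the `if` level here, whereas the TCP counterpart declares it inside `_proxy_tcp_access`; `_proxy_udp_access` then reads it through the shell's dynamic scoping, which only holds while the helper is invoked from within `add_firewall_rule`. Moving the declaration into `_proxy_udp_access` next to its other locals, exactly as the TCP helper does, keeps the two helpers symmetrical and self-contained. The context line `[ $? == 0 ]` also diverges from the `-eq 0` form used in the TCP helper; `==` inside `[` is a shell extension rather than POSIX, so `-eq` is the safer spelling for both. `_proxy_udp_access`'s enclosing `add_firewall_rule` begins outside this hunk.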
