diff --git a/brook/Makefile b/brook/Makefile index d15ecf3fd..20b608305 100644 --- a/brook/Makefile +++ b/brook/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=brook -PKG_VERSION:=20220707 +PKG_VERSION:=20221010 PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/txthinking/brook/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=377d6be82a8e122cc2e1c87ea10d2f404be6e4cf85304f329b01654e8f551753 +PKG_HASH:=987b2ddac349e5ac2b91b40b06f7686dcf316c37bfe82c566fdc7503f0b4d97d PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=GPL-3.0 diff --git a/luci-app-mosdns/luasrc/controller/mosdns.lua b/luci-app-mosdns/luasrc/controller/mosdns.lua index 7c87b9f2d..283e87cef 100644 --- a/luci-app-mosdns/luasrc/controller/mosdns.lua +++ b/luci-app-mosdns/luasrc/controller/mosdns.lua @@ -26,9 +26,9 @@ function act_status() end function get_log() - luci.http.write(luci.sys.exec("[ -f $(uci -q get mosdns.mosdns.logfile) ] && cat $(uci -q get mosdns.mosdns.logfile)")) + luci.http.write(luci.sys.exec("cat $(/etc/mosdns/library.sh logfile)")) end function clear_log() - luci.sys.call("cat /dev/null > $(uci -q get mosdns.mosdns.logfile)") + luci.sys.call("cat /dev/null > $(/etc/mosdns/library.sh logfile)") end diff --git a/luci-app-mosdns/po/zh-cn/mosdns.po b/luci-app-mosdns/po/zh-cn/mosdns.po index fd0b88c01..ce9c9fc79 100644 --- a/luci-app-mosdns/po/zh-cn/mosdns.po +++ b/luci-app-mosdns/po/zh-cn/mosdns.po @@ -100,6 +100,9 @@ msgstr "内置预设" msgid "Cus Config" msgstr "自定义配置" +msgid "Log Level" +msgstr "日志级别" + msgid "MosDNS Log File" msgstr "日志文件" diff --git a/luci-app-mosdns/root/etc/init.d/mosdns b/luci-app-mosdns/root/etc/init.d/mosdns index f1e50976d..2c0d2d71c 100755 --- a/luci-app-mosdns/root/etc/init.d/mosdns +++ b/luci-app-mosdns/root/etc/init.d/mosdns 
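Review bot: get_log drops the `[ -f ... ]` guard the removed line had, and both new commands splice the helper's output into the shell unquoted, so when library.sh prints nothing (no cus_config.yaml, or a log block without a `file:` entry) get_log runs a bare `cat` that reads its inherited stdin and clear_log a redirection with no target, while a path containing whitespace is word-split. Capture the value once and quote it: `luci.sys.exec('f="$(/etc/mosdns/library.sh logfile)"; [ -f "$f" ] && cat "$f"')` and `luci.sys.call('f="$(/etc/mosdns/library.sh logfile)"; [ -n "$f" ] && cat /dev/null > "$f"')`. The same unquoted, unchecked substitution is added to start_service in root/etc/init.d/mosdns, where the `cat /dev/null >` line should get the same `[ -n "$f" ]` guard and quoting.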
@@ -106,7 +106,7 @@ start_service() { delcron setcron adblock - cat /dev/null > $(uci -q get mosdns.mosdns.logfile) + cat /dev/null > $(/etc/mosdns/library.sh logfile) sysctl -w net.core.rmem_max=2500000 v4config procd_open_instance mosdns diff --git a/luci-app-mosdns/root/etc/mosdns/library.sh b/luci-app-mosdns/root/etc/mosdns/library.sh index e9c66eefd..0ec41f5dd 100755 --- a/luci-app-mosdns/root/etc/mosdns/library.sh +++ b/luci-app-mosdns/root/etc/mosdns/library.sh @@ -1,4 +1,15 @@ #!/bin/bash + +logfile_path() ( + configfile=$(uci -q get mosdns.mosdns.configfile) + if [ "$configfile" = "./def_config.yaml" ]; then + uci -q get mosdns.mosdns.logfile + else + [ ! -f /etc/mosdns/cus_config.yaml ] && exit 1 + cat /etc/mosdns/cus_config.yaml | grep -A 4 log | grep file | awk -F ":" '{print $2}' | sed 's/\"//g;s/ //g' + fi +) + bakdns() { if [ "$1" == "0" ]; then echo "119.29.29.29" @@ -43,3 +54,7 @@ L_exist() { uci get vssr.@global[0].global_server &>/dev/null fi } + +if [ "$1" == "logfile" ]; then + logfile_path +fi diff --git a/luci-app-mosdns/root/etc/mosdns/rule/serverlist.txt b/luci-app-mosdns/root/etc/mosdns/rule/serverlist.txt index 3bf2a67b9..da8f18107 100644 --- a/luci-app-mosdns/root/etc/mosdns/rule/serverlist.txt +++ b/luci-app-mosdns/root/etc/mosdns/rule/serverlist.txt @@ -2367,6 +2367,7 @@ 3648599.notifysrv.com 364a426c46.com 364pro.com +365-workforce.co.uk 36500.com 36500.net 3650365voicemailplay.blob.core.windows.net @@ -2916,6 +2917,7 @@ 500008246.collect.igodigital.com 50039tk.com 500img.com +502radiotv.com 504404862721761.windows-display-service.com 504pk.com 505937246577336.best-system-tools.com @@ -4383,6 +4385,7 @@ 8ox.cn 8pay.wang 8po6fdwjsym3.com +8promedia.pt 8s32e590un.com 8s8.eu 8t100.cn @@ -6510,6 +6513,7 @@ aahqiyum.com aaid.umeng.com aainfo.anz.co.nz aajjruieiu.xyz +aak-ngo.org aak7.cn aalocine.fr aalog.umengcloud.com 
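Review bot: logfile_path's custom-config branch finds the path by text heuristics — `grep -A 4 log` matches any line containing "log", `grep file` any line containing "file" inside that window, `awk -F ":" '{print $2}'` cuts at the first colon and `sed 's/ //g'` deletes every space — so a config that is not exactly `file: "/path"` directly under `log:` yields a silently mangled path, which start_service then truncates with `cat /dev/null >`. Anchoring on the `log:` block and the `file:` key and stripping only leading whitespace and quotes is more robust and removes the `cat |` pipeline: `awk '/^log:/{s=1;next} s&&/^[^[:space:]]/{s=0} s&&/^[[:space:]]*file:/{sub(/^[[:space:]]*file:[[:space:]]*/,"");gsub(/"/,"");print;exit}' /etc/mosdns/cus_config.yaml`. This still assumes the indented block layout of the shipped config rather than parsing YAML, which deserves a comment above the function such as `# Heuristic: reads log.file from a block-style "log:" section; not a YAML parser`. Since callers substitute the printed value into root shell commands via `$(...)`, the call sites should also quote it.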
@@ -11513,6 +11517,7 @@ adventori.com adventory.com adventurefeeds.com adventurelab.page.link +adventuremadnessbd.com adventurouscomprehendhold.com adver.qq.com adver10.clickmon.co.kr @@ -11923,6 +11928,7 @@ aeros02.tk aeros08.tk aeros11.tk aeros12.tk +aerowaredesigns.com aerserv-east.brealtime.com aerserv.com aerugosspritz.com @@ -12005,6 +12011,7 @@ affecteddetectrome.com affectincentiveyelp.com affectionatelypartiesdependant.com affectionmimic.com +affectionsexterminate.com affelseaeineral.xyz affex.org affforce.com @@ -12371,6 +12378,7 @@ ah808.com ahacdn.me ahadsply.com ahalogy.com +aharshakti.com ahashpool.com ahaumplab.com ahbdsply.com @@ -12443,6 +12451,7 @@ ahuang.site ahuano.com ahuhfljg.com ahuitg.teufel.de +ahujaconcrete.com ahurewacordax.website ahurmtx9dnwwxa.ru ahuygpusfbywl.xyz @@ -12631,6 +12640,7 @@ aishangcan.com aishowbger.com aisouk.cn aistat.net +aistechnolabs.biz aistolsu.net aistthatheha.xyz ait-service.com @@ -13178,6 +13188,7 @@ alpha.telemetry.microsoft.com alpha.tracedock.com alphabird.com alphagodaddy.com +alphaomegasp.com alphardgolf.fr alphatransus.com alphlauren.fr @@ -13395,6 +13406,10 @@ amalgullish.com amandacoimbranails.com.br amandadecardy.com amandajuliett.com +amandavettorazzo.com.br +amanet-militari.ro +amanet-telefoane-gorjului.ro +amanetgiurgiunonstop.ro amao.mobi amao5ne8xjqdgumgl.ay.delivery amap-aos-info-nogw.amap.com @@ -13427,6 +13442,7 @@ amazingchang.com amazingcounters.com amazingdomain.sbs amazingjokes.com +amazingparadiselandscapingllc.com amazon-adsystem.com amazon-cornerstone.com amazon.partners.tremorhub.com @@ -13449,6 +13465,7 @@ ambiguousanger.com ambiguousincome.com ambiguousquilt.com ambitiousagreement.com +ambitona.com ambra.com ambuizeler.com ambushdonut.com @@ -13470,6 +13487,7 @@ amenddroopingpharmacy.com amenityleisurelydays.com amenitypassenger.com amensatisfactorybrook.com +amenterprisespune.in amerallyluke.club ameri-flora.com ameri-hvac.com 
@@ -13575,6 +13593,8 @@ ampxchange.com amradmin.5173.com amrbvabey.com amre.work +amritnathcollege.com +amritvidyaashram.com amrtbbnr.com ams-1-apex.go.sonobi.com ams-1-sync.go.sonobi.com @@ -14778,6 +14798,7 @@ animits.com animosityknockedgorgeous.com aninding-branship.com aningronbedint.pro +anisbenchekha.fr aniview.com aniview.technoratimedia.com anizedglittledisco.info @@ -16363,6 +16384,7 @@ appwebview.com appxcore.page.link appyhorsey.com apqmxf.curama.jp +aprendanoruegues.com apricotaimless.com aprilineffective.com apromoweb.com @@ -16589,6 +16611,7 @@ ariseboundary.com arisedammiral.com ariseinfoway.com arisonoping.club +aristatraders.com arithmeticadjustment.com arithmeticshovel.com arizona-golf-vacations.com @@ -16901,6 +16924,7 @@ asia.adform.net asia.marketo.com asia.seadform.net asiadiscoversolutions.azureedge.net +asiaexpatguides.com asiafriendfinder.com asiamiles.demdex.net asiancli.com @@ -17123,6 +17147,7 @@ assumptivestation.com assuranceapprobationblackbird.com assurancecounselling.com assurancelocusmat.com +assurednesssalesmanmaud.com assuremath.com assurland.speedera.net ast-grouope.fr @@ -17338,6 +17363,7 @@ atokefissure.com atom-log.3.cn atombearable.com atomex.net +atomheal.live atomic-soft.com atomicfile.cn atomlines.top @@ -17686,6 +17712,7 @@ autoaffiliatenetwork.com autoat.mx autoaudience.com autobedo.com.cn +autoberles-budapest.hu autobild.adsame.com autobytel.112.2o7.net autocomplete.demandbase.com @@ -18130,6 +18157,7 @@ avenseo.com avenuea.com avenuebrasil.com avenuescrupuloustheological.com +average-champion.pro averageamusement.com averaladmi.info averalzaedsk.xyz @@ -18547,6 +18575,7 @@ b.criteo.com b.de.inmobi.com b.dl.redcrossblood.org b.domob.cn +b.dowgmeb.com b.dxyzgame.com b.epinv.com b.escardio.org @@ -18908,6 +18937,7 @@ badlybouncing.com badlymaggot.com badmakeup.biz badmniop.top +badrvet.com badsabs.com badsans.com badsats.com 
@@ -19657,6 +19687,7 @@ bckrono.cn bclheggx.com bclicks.lyst.com bcloudhost.com +bclstore.net bcmediagroup.com bcmonster.com bcnewltd.club @@ -19672,6 +19703,7 @@ bcqetjlb.com bcrdyev.cn bcsjcj.nasdaq.com bctbtygnb.com +bctngo.org bcuh.tinwong.cn bcuuipewdz.com bcvcmedia.com @@ -20010,6 +20042,7 @@ beaverads.com beavertron.com beaxewr.com beb2644a65.com +bebabybridal.com bebadu.com bebasads.com bebaytowns.com @@ -20095,6 +20128,7 @@ beeslandkerman.ir beestsiskins.com beeswaxdisplay108801632049.s.moatpixel.com beetechcom.vn +beetox.cl beetrootpsychicgrim.com beetv.net beevakum.net @@ -20456,6 +20490,7 @@ bestservicehelper.com bestsolutions.anuncio-ads.cl bestsrv.de bestssn.com +bestsydneychauffeurs.com.au bestwatersystems.net bestwebpillplace.com bestwesterne.fr @@ -20594,6 +20629,7 @@ bewvgekx.com bexakezi.com bextra-store.shengen.ru beyanmaan.com +beylikduzubigmamas.com beyondcompare.cc beyondmeasure.rigoltech.com beyondsecurity.com @@ -20682,6 +20718,7 @@ bhabgrqjjhn.com bhandariclub.com bharathibookhouse.in bharatiyasindhusahakaripatsanstha.com +bharattechnochem.com bharattimeslive.com bhcdgfuivlgjobyl.me bhcumsc.com @@ -20733,6 +20770,7 @@ bibi100.com biblelite.page.link bibleresearchtools.net biblesausage.com +bibliasacco.com bibo.api.swiftkey.com bibotsays.com bicacxo5go.com @@ -20850,6 +20888,7 @@ bigfreelotto.com biggerluck.com biggersplinterrattle.com biggestplayer.cachefly.net +bigheartedresentfulailment.com bighot.ru bighow.net bighticeate.com @@ -20961,6 +21000,7 @@ binsaiwo.net bintds.com biohailijie.cn bional-dested.icu +bionatural.in bionicclick.com bionicskamsins.com biorays.com.pk @@ -21220,6 +21260,7 @@ bkfntjskmkcyhpy.com bkg.page.link bkl72.com bkojgwewp.com +bkonnect.co.za bkprmw.ironyporno.com bkps.ac.th bkptharsni.com @@ -21472,6 +21513,7 @@ blotcreepy.com blouseridge.com blowerindian.com blowlanternradical.com +blox.com.br blox.minexmr.com blpdgpwletumd.xyz blrvpn.inmobi.com 
@@ -22000,6 +22042,7 @@ boredomsidion.com boremgmxebra.com borgach.com borgelin.org +borgesodontologia.com boringberry.com boringcoat.com boringlying.com @@ -26279,6 +26322,7 @@ cherry.le.com cherryblossoms.top cherryemoore.com ches5sort.com +cheshmeh-ae.ir chesscherry.com chesscolor.com chestors.com @@ -26528,6 +26572,7 @@ chunkycactus.com chuntian.buzz chunyuqiufeng.com church.ktc-center.net +churchalexis.com churchatsouthcreek.com churchdwightsizmek22033498.s.moatpixel.com churchyardalludeaccumulate.com @@ -26614,6 +26659,7 @@ cinemensenoy.xyz cinestarr.com cinforama.fr cinglecitrals.com +cinho.shop cintent.streanplay.cc cintnetworks.com ciorsrl.com.ar @@ -27911,6 +27957,7 @@ cnbole.net cnc.cyberproperty.us cnc.ecstasycode.de cnc.fearfulcats.tk +cnc.hyenas.us cnc.krakenbit.net cnc.pinklander.com cncflpfw.com @@ -29334,6 +29381,7 @@ conflictslashact.com conflictwhatcrew.com confluence.outbrain.com conforama-push.com +conformityhedgehog.com conformityserveexpensive.com confoundcoinghosts.com confrontationdrunk.com @@ -31015,6 +31063,7 @@ cruery.com cruiseeagle.hk cruiserrocks.org cruisingsmallship.com +crumamx.com crumberccitt.com crumbrationally.com crumbs.robinhood.com @@ -31288,6 +31337,7 @@ ctr.nmg.de ctrack.trafficjunky.net ctrhfd.top ctrhub.com +ctrineindustry.com ctrip.com ctripcorp.com ctrlaltdel99.com @@ -32618,6 +32668,7 @@ d9f5b6bb.rtc.youme.im d9kvn70l4ogn.com d9w.fl1c.com da-ads.com +da-canc.gov.kh da-cdn.amazon-adsystem.com da.alibuf.com da.bodenhaus.de @@ -32887,6 +32938,7 @@ dark-utilities.pw dark-utilities.xyz darkchemical.com darkenedshrine.com +darkerillegimateillegimateshade.com darkfailllnkf4vf.onion.pet darking01.tk darking02.tk @@ -33169,6 +33221,7 @@ data2.ad-score.com data2.doodlemobile.com data2.ero-advertising.com data2.gosquared.com +data360.ai data4i.com dataapi.ktplay.com databank.air.yoyi.com.cn 
@@ -33786,6 +33839,7 @@ decoycreation.com decreedie.com decreelawsuit.com dectionalfiletants.com +dedassessoriacontabil.com.br dedating.online dedica2.es dedicatedfraudulent.com @@ -33990,6 +34044,7 @@ deliverysapgoblet.com deliverytrafficnews.com deliverytraffnews.com deljardim.com.br +deljoms.com.ng dellinc.tt.omtrdc.net dellswhinyrank.com delmaestro.cl @@ -34584,6 +34639,8 @@ dhillonbrotherstrucking.com dhilloncarrier.com dhillonexpress.com dhillonfreight.com +dhillonlogistics.com +dhillontransport.com dhillontrucking.com dhilyjdw.com dhjrjqgclb.com @@ -36467,6 +36524,7 @@ drious.com dripappliance.com drippeddossers.casa drippingbornegasp.com +drishya.org drishyamtech.co.in driv-analytics.com drive-dwn.com @@ -36534,6 +36592,7 @@ drrzzl.cn drsha.innovativesolutions.mobi drsw.m.yuyouge.com drtbn.com +drtladv.com drtuproft.com druadirjfviwn.xyz drufhfueg.com @@ -38272,6 +38331,7 @@ eb3c3aac94.com eb948.bemobtrk.com eba-amadeus.netdna-ssl.com ebannertraffic.com +ebanoapartments.com ebanohoteles.com ebawpxspoyjkshq.com ebay1.112.2o7.net @@ -38817,6 +38877,7 @@ eeng.ir eengaums.com eengbalu.fun eensoans.com +eentent.streampiay.me eeoniavjc.com eeopreessykt.xyz eeoqsr.cn @@ -40328,6 +40389,7 @@ essdhn.makuake.com essedaccur.info essencewidow.com essentiallyitemoutrageous.com +essentiallyscramble.com esser-promotion.de essiveowing.com est.pornleech.ch @@ -40828,6 +40890,7 @@ ever-track-51.com everalwerf.xyz everestads.net everestjs.net +everesttandoori.com.au everesttech.net evergage.com evergreencounty.com @@ -40870,6 +40933,7 @@ evm1.stackadapt.com evm2.stackadapt.com evnt.iol.it evnwexar.com +evoapp.cae.ge evokeseverextremity.com evolutioncolombia.com evolve.technoratimedia.com @@ -41049,6 +41113,7 @@ exi8ef83z9.com exileexams.com exileinstinct.com exilum.com +eximdoc.in existencethrough.com existingpass.com exists-mazard.icu 
@@ -41115,6 +41180,7 @@ experimental.com.co experimentmelting.com expert-pb.adriver.ru expertcamomile.com +expertgracecastillo.com expertisesweetnessforesight.com expertist.xyz expertistofficular.xyz @@ -41581,6 +41647,7 @@ factoryraces.com facts-jo.com faculaekrapina.com facultativecheating.com +facultativepredictoxbow.com facultymoney.com facyptythu.com fadacaitp.com @@ -42358,6 +42425,7 @@ fetiseovisac.com fetishpartner.com fetm.xin fetsvvo.com +feudalspelter.life feuingcrche.com fev.fyber.com feverfreeman.com @@ -42495,6 +42563,7 @@ fidelityptrust.com fidelitywi.tt.omtrdc.net fideuippmdhkj.com fidgetsnovena.com +fieldbeseech.com fieldbilly.com fieldofbachus.com fiendbenevolencemaker.com @@ -43012,6 +43081,7 @@ flexgrafica.com flexibleplan.actonservice.com flexlinks.com flexlinkspro.com +flexmedicao.com.br flexnoseassist.com flexytalk.net flfnlvwlmp.xyz @@ -43321,6 +43391,7 @@ fondlecokecombination.com fondledcarnose.casa fondnatural.com fondtinkler.com +fonestech.co.uk fontainsuny.club fontecmobile.com fontenlargemonopoly.com @@ -43355,6 +43426,7 @@ footprintdns.com footprintlive.com footprintllc.net footprints-pa.googleapis.com +footprintswarming.com footwearheartedswig.com foowafoa.com foowhauh.net @@ -44016,6 +44088,7 @@ friendwool.com frientialfinge.xyz fries.ddns.net friesel-mustin.com +friezesrumps.digital frigatetubulars.com frightenedpotato.com frightfuljourney.com @@ -44224,6 +44297,7 @@ fudmegnulpjf.com fudrouto.net fuegodevida.com fuelbuck.com +fuelcompatibleblaspheme.com fueldeck.com fuelx.com fuerza99fm.com @@ -47635,6 +47709,7 @@ grumpyincreasingpicket.com grumrt.com grunoaph.net gruphunawhe.com +grupoaltempo.com grupobatistella.com.br grupoburgos.com grupocampoflor.com @@ -47724,6 +47799,7 @@ gtcc1.acecounter.com gtchong.com gtcqbnu.cn gtcslt-di2.com +gtegroundtransportation.com gtgvze.chintai.net gtherequ.club gtifund.cn 
@@ -48398,6 +48474,7 @@ halo.ad.gt haloapps.com halogeniserions.site halogennetwork.com +halogenrecords.com haloscan.com haltedpredicament.com haltingbadge.com @@ -48634,6 +48711,7 @@ hastejuggle.com hastilyantiterrorist.com hastilyguide.com hastrenmon.xyz +hastymaillot.tech hata.ero-advertising.com hatagashira.com hatbenchmajestic.com @@ -48682,6 +48760,7 @@ haveamint.com havemosts.com havenattackedevolve.com havenbmedia.com +havenlycaresolutions.com havenwrite.com havetohave.com haviol.com @@ -48931,6 +49010,7 @@ headerporkfloral.com headinhabitedoats.com headlight.xaxis.com headlightbailey.com +headlightrestoration.in headlinemoment.com headlines.sharethrough.com headlinesnetwork.com @@ -49353,6 +49433,7 @@ hh6666.com hhb123.tk hhbekxxw5d9e.pflexads.com hhbxcs.tylko.com +hhc.com.sa hhcj.co.uk hhcskj.com hhfhgf.cc @@ -49865,6 +49946,7 @@ hk567rsda.appspot.com hk9600.com hkabyelttwp.xyz hkbmsb.fun +hkbookkeeping.com hkbrrwxnijhnfg.com hkdaebccxtbls.xyz hkdbldfgngojbgg.xyz @@ -49988,6 +50070,7 @@ hmuxsxuqhnptfq.com hmw42.host-my-website.com hmwebs.top hmyangshengji.com +hmychtanrj.com hmyjoj.5-fifth.com hmyjpt.com hn-button.herokuapp.com @@ -50157,6 +50240,7 @@ homelessfunkenclose.com homelessstatuepersonal.com homelycrown.com homemadebarricadedialogue.com +homeneedsind.com homepaintingdxb.com homeroomab.tt.omtrdc.net homerunre.imageshack.host @@ -50168,6 +50252,7 @@ homestay.report-uri.io hometownlow.com homewares.org homeworkgypsyencode.com +homexperimenter.com homeyloanedmes.work homfen.me homi-egypt.com @@ -50256,6 +50341,7 @@ hootersavour.com hootersgiron.com hoowooze.net hop.clickbank.net +hopecityng.org hopectorriction.com hopedwishfulpercent.com hopeforhealth.com.ph @@ -51570,6 +51656,7 @@ ibpxl.net ibrand-peru.com ibrra.com.br ibryte.com +ibveindia.ac.in ibzgcrusher.com ic-live.com ic.de.inmobi.com 
@@ -52911,6 +52998,7 @@ inad.com inadequateinadmissibleoblige.com inadmissibleinsensitive.com inaeghndkmknf.com +inaesthetics.pe inaftracker.com inaltariaon.com inampharosa.com @@ -52959,6 +53047,7 @@ includedcoherentteaching.com includemodal.com includepurple.com inco.com.sg +incobyannapoorna.com incomethoroughabjure.com incoming-data-sense360.s3.amazonaws.com incoming.bm23.com @@ -53096,6 +53185,7 @@ inewcontentdelivery.info inexhaustiblepatient.com inexorabledemocracycurly.com inexplicableprayer.com +inextricableaugmentcompelling.com inf5.uae2grp.ucweb.com infamousstream.com infamylists.com @@ -53342,6 +53432,7 @@ infosales.duckdns.org infospace.com.112.2o7.net infospress.com infostroy.nnov.ru +infotown.co.in infox.sg infra-api.newrelic.com infra.systems @@ -53468,6 +53559,7 @@ innoveox.fr innoveredmonate.com innovid.com innovins.co.in +innovisioninstitutes.com innumerablecaw.com innvitor.com innyweakela.co @@ -53642,6 +53734,7 @@ installtracker.cfd instameet-match4.com instana.io instanceimprovedhew.com +instancetonsil.com instancetour.info instant.page instantbannercreator.com @@ -53814,6 +53907,7 @@ interiorcrossalluded.com interioresenorden.com interiornoisyhubby.com interiorsbyduprez.com +interlog-ng.com intermarkets.net intermediarymarkswe.com intermediarypurchaser.com @@ -54331,6 +54425,7 @@ ir.mail.yeah.net iraithiz.com iranparsa-novin.com iranregal.ir +iraqcv.com irardijjyawmool.xyz iratelyveinlet.com irc.service-exec.net @@ -54935,6 +55030,7 @@ jadcenter.com jadedjoke.com jadeepso.net jadeitite.com +jadevents.com.ng jadid95.ir jadout.com jads.co @@ -55032,6 +55128,7 @@ jasmin-cams-live.com jasmin.com jasmotors.co.za jason.net.br +jasonpaints.xyz jatmusic.in jatpap.cn jatsekse.net @@ -57134,6 +57231,7 @@ kartikeya-ram.com kas.keydot.net kasdwergv.com kasheglesy.pro +kashmirhikes.com kaspervandenberg.net kastafor.com kastamonulezzetrehberi.com 
@@ -57224,6 +57322,7 @@ kcepcfmoonirfqe.xyz kcfuzhj.cn kcgcjiag.com kcgkxha.cn +kcgpwamb002.edu.in kcogjewebvtbk.com kcolbda.com kcpwcrcjewal.com @@ -57989,6 +58088,7 @@ koifrz.tvc-mall.com koilabumpoff.casa koiluhrlinsdaga.tk koindut.com +koionrekber.com koitushinterneinnehmen.s3.eu-central-1.amazonaws.com kojfsbehrvdui.xyz koji-analytics.com @@ -58002,6 +58102,7 @@ kolanx.com kolejleri.com kolerprivals.pro kolibri-fabrika.ru +kolikataherbaldhaka.com kolinay.com kolkwi4tzicraamabilis.com kolobif.com @@ -58915,6 +59016,7 @@ lashsketch.com lasinka.000webhostapp.com lassampy.com lassue.com +lastedriblets.life lasteventf.tubemogul.com lasticalsdeb.xyz lastminutehotelbooking.com @@ -58947,6 +59049,7 @@ latrubune.fr latterinconvenient.com latticescience.com latticescipub.com +lattor.com latuga.com latury.com latvianswived.com @@ -58975,6 +59078,7 @@ launchreliantcleaver.com laundrydesert.com laundryrespond.com laura.fun +laurateixeiraadvocacia.com.br laurel.macrovision.com laurel.rovicorp.com laurentprotector.com @@ -59102,8 +59206,10 @@ lbnyj2.bidder.owneriq.net lbouyguestelecom.fr lbrtry.com lbs.ucnews.ucweb.com +lbscollege.com lbsindigo.sharemasala.com lbsjc.bidder.owneriq.net +lbsmttcollege.com lbsrwhqbp.com lbstatic-a.akamaihd.net lbstcvmour.com @@ -59317,6 +59423,7 @@ learning.fawe.org learningaware.com learningc.website learningproportion.com +learnmedia.in learnnow.page.link learnshaw.info learnskill.page.link @@ -60244,6 +60351,7 @@ lipemicgears.com lipidicsoli.cam lipinstott.com lippieramman.com +lipsgig.com lipstickearlier.com liqpvvxngdbo.xyz liquidfile.nocoshop.ru @@ -60307,6 +60415,7 @@ litrewiggle.com littercipher.com littertradition.com littlebee.site +littlebirdpoolservices.com littlecdn.com littlecutecats.com littlecutedogs.com @@ -61428,6 +61537,7 @@ los.2hisnd.com losecounter.de loshabitantesdegaia.com loshouck.net +loshrhaphae.com losingfoundation.com losingoldfry.com losital.ru 
@@ -61470,6 +61580,7 @@ loukoost.net louloapi.com loulouladune.com loulouly.net +loungesfestas.com.br louojxgcvsua.com loupan99.com lourdoueisienne.website @@ -63448,6 +63559,7 @@ maccleanersecurity.com maccms.com maccms.info maccms.tan5858.com +macedonjesse.life macfs.fr macgigo.cn machieved.com @@ -63615,6 +63727,7 @@ magyarokvagyunk.com mahaalaxmi.com mahad.iain-padangsidimpuan.ac.id mahalowood.com +mahamkabani.com mahao.xyz mahartyeg.com mahdicrofter.com @@ -63759,6 +63872,7 @@ makmoney.club maknsons.com maksi.feb.unib.ac.id maktabahjafariyah.in +malabarmultimedia.com malacca.inveno.com malahitkmv.ru malakasonline.com @@ -63797,6 +63911,7 @@ mam.netease.com mam6.netease.com mama.pipi.ne.jp mamababu.cn +mamamiya137.ru mamamiyu.com mamaspresence.com mambkooocango.com @@ -63916,6 +64031,7 @@ mappyt.fr maps.newrelic.com mapuchesystem.com mapupdatezone.com +mapyourcareer.co.in maqiang520.online maquiags.com maquimport.cf @@ -64440,6 +64556,7 @@ martingrant.com martiniadnetwork.com martinipicnic.com martinsmith.nl +martonbb.com martuconfuse.com martyappear.pro martyrwashedbarber.com @@ -64508,6 +64625,7 @@ master-sad.ru master-shopify-tracker.s3.amazonaws.com master.ads.contentabc.com master.wap.dphub.sandai.net +masterautocar.com masterbate.pro mastercenter.livejasmin.com masterfornews.com @@ -64909,6 +65027,7 @@ mdgxjpsqarq.com mdgzg.com mdhv.io mdialog.com +mdiraq.com mdjacksonville.112.2o7.net mdjdg.girlssohorny.net mdjf9vh9.xyz @@ -64972,6 +65091,7 @@ meade.pro meadigital.com meadowleader.com meagplin.com +meajandekbolt.hu meakam.com mealassistants.com mealparameter.com @@ -65126,6 +65246,7 @@ mediacpm.com mediacpm.pl mediad2.jp mediaedge-info.com +mediaequalizer.com mediaf.media mediaffiliation.com mediafiles.adriver.ru @@ -65168,6 +65289,7 @@ mediaplex.com mediapro.pro.cn mediapush1.com mediapxv.com +mediaresearchfoundation.com mediarithmics.com medias.cloud.ogury.io medias.presage.io 
@@ -66479,6 +66601,7 @@ minecraftr.fr minecraftt.fr minecrunch.co minefieald.fr +minefieldallegiance.com minefieldwanderinghelped.com minekitten.io minemoney.co @@ -66931,6 +67054,7 @@ mmadsgadget.com mmafwcrqcqqmx.com mmaglobal.com mmalrek.cn +mmassociates.in mmatiybntjtq.com mmc.center mmcc.yxlady.com @@ -67570,6 +67694,7 @@ monsy.com montafp.top montangop.top montelena-rcv.gmarket.co.kr +montentech.co.ke monthlydespise.com monthlyindirectelsewhere.com monthlylibrary.com @@ -67700,6 +67825,7 @@ mosaiclantern.com mosaiq.io mosbiresources.com mosece.com +moseltrabeae.space moserver.clktr4ck.com mosflower.cn moshimo.com @@ -68229,10 +68355,12 @@ muapppawvbqpod.xyz muchmiller.com muchotrust.com mucinshasht.com +mucua.ao mucums.com mudcxq.cn muddiedbubales.com muddishcachrys.website +muddleart.com muddledaftermath.com muddyjustify.com mudezs.com @@ -68253,6 +68381,7 @@ mugaskems.com muggedlancemutilate.com mughaymil.site mugleafly.com +mugnumcrete.com mugogfy.cn mugpothop.com mugrikees.com @@ -68696,6 +68825,7 @@ mygtmn.com mygummyjelly.com myhard.com myheartbuild.com +myhelmethoodie.com myhg.healthgrades.com myhobbyjapan.com myhome.usg.com @@ -68808,6 +68938,7 @@ mystats.nl mysteriousmonth.com mysticalpercussive.com mystighty.info +mystoragebill.com mystore.bttn.io mysty.com.cn mysura.it @@ -68934,6 +69065,7 @@ n258.cc n26-trusted.n26.com n2s.co.kr n339.asp-cc.com +n33d0nem0re.com n38chz7m.site n4403ad.doubleclick.net n479ad.doubleclick.net @@ -69068,6 +69200,7 @@ nanfallenconvicted.com nanigans.com nanjian.ink nankuan.xin +nano-cms.ir nanoadexchange.com nanofine.cn nanoresort.com @@ -69206,6 +69339,7 @@ nav-a.com nav.browser.miui.com nav.telematicsdirect.com nav.winasdaq.com +navalhazard.com navalresort.com navalsuedehybrids.com navaltophes.com @@ -69428,6 +69562,7 @@ neechuce.net needadvertising.com needfulforesightharness.com needlefoliagemoan.com +needlemaster.pk needlepoint.fr needlerecede.com needleworkemmaapostrophe.com 
@@ -69456,6 +69591,7 @@ negociacioncolectiva.cl negolist.com negotiatetime.com negotiationmajestic.com +negoziofiscale.it negrrahston.xyz negusnozzles.com negyuk.com @@ -69685,6 +69821,7 @@ never.ovh never2date.com never2never.com nevermiss.su +neverstopit.com neverthelessdepression.com neverthelessgrandchildren.com neverythin.club @@ -69757,6 +69894,7 @@ newip427.changeip.net newjulads.com newkano.com newlady-here.com +newlifecleanerservices.com newlog.overwolf.com newlog.reader.qq.com newlove.life @@ -69985,6 +70123,7 @@ nextlyrumbo.cam nextmedia.com.uy nextmillennium.io nextoptim.com +nextprotech.com nextpsh.top nextstat.com nexttime.ovh @@ -70213,6 +70352,7 @@ nikkiexxxads.com nikkiscash.com nikugrawe.pro nil.naver.com +nilecorporation.co.ke nilinkeji.com nilreels.com niltibse.net @@ -70689,6 +70829,7 @@ normandie-accueil-paysan.fr normandyabbreviate.com normandydeclare.com normanstaximan.com +normasnyc.com normkela.com normugtog.com noronhalanches.com.br @@ -70703,6 +70844,7 @@ northbase.club northeastbulletinnews.in northeregikgf.club northernintimate.com +northlub.com.br northmay.com northokaydesert.com northshorehouseprices.com @@ -70843,6 +70985,7 @@ novemberassimilate.com novembershopsconvene.com novembersightsoverhear.com noviceavengeclemency.com +novistasteel.com novosti247.com novostisporta.info now-online.net @@ -72188,6 +72331,7 @@ ogb2.biovie.com ogb2.eauthermalejonzac.com ogb2.leanatureboutique.com ogb2.natessance.com +ogbonaelites.org ogcyshr.cn ogeemolt.net ogenhukuk.com @@ -72275,6 +72419,7 @@ oimg.m.calltheclose.cnbc.com oimg.nbcuni.com oiniao.com ointmentaloofpincers.com +ointmentapathetic.com oioiio.top oiqpgawl.com oircjournals.org @@ -72917,6 +73062,7 @@ oomsoapt.net oomtexoa.com oomyv.com ooo.0o0.ooo +ooolowokureandco.com ooop.zqwlkj.cn oopsowhi.com oopt.fr @@ -73329,6 +73475,7 @@ orgpcxyohrd.com orgrqmaktlg.xyz orgxts.com orhyhgjyjjmofy.com +oribat.ci oribi.io oridst.com oriel.io 
@@ -73642,6 +73789,7 @@ ournewsafte.biz ouroborosx.com ouropenin.club ourorder.info +ourosfilmes.com ourot.com ourroyalfamily.com ourseismol.biz @@ -73705,6 +73853,7 @@ outlookabsorb.com outloud.outbrain.com outmatchtaughtdeparture.com outoctillerytor.com +outofprintmagazine.co.in outovenmusths.com outpacetochers.com outpushcutworm.cam @@ -75000,6 +75149,7 @@ pass-1234.com pass1.soogif.com pass2.soogif.com pass8heal.com +passablejeepparliament.com passagefacingdime.com passagesgirliecalculation.com passback.ads.justpremium.com @@ -75685,6 +75835,7 @@ personalcredit-cardscreditjourney-com.stackstaging.com personalicanvas.com personalization.bloomberg.com personalized-tee-shirts.com +personalloansforbadcredit.net personallychar.com personallydf.com personalservice.vip @@ -75826,6 +75977,7 @@ pg2.solution.weborama.fr pg88cdn.com pgames.club pgatourinc.tt.omtrdc.net +pgbcblanchard.com pgbxrigvbmdz.com pgcerwsfp.com pgdbkorisfr.com @@ -75974,6 +76126,7 @@ philbardre.com philipblemishaccessory.com philipdattilo.com philippezogglegal.eu +philippinepatrioticmovement.com.ph philippschoch.ch philipselectronicsne.tt.omtrdc.net philipslighting.d3.sc.omtrdc.net @@ -78957,6 +79110,7 @@ plantpreventioncrab.com plantrelation.com plantronics.tt.omtrdc.net plants.ink +plantscosmeticos.com.br plardi.com plasfan.ind.br plashcashierbleach.com @@ -79629,6 +79783,7 @@ poole-collector-prod.bnsqc3zmvt.us-east-1.elasticbeanstalk.com poolgmsd.com poolhost.com poolin.fr +poolinspectionapps.com poolmin.com pools.e-scavo.net.ar poolunbelievably.com @@ -80072,6 +80227,7 @@ pptv.m.cn.miaozhen.com ppunion.com ppurifier.game.xiaomi.com ppvabs.pplive.com +ppwbags.com ppxldikxksuo.com ppyibei.com ppz.devel.gns.com.br @@ -80115,6 +80271,7 @@ practthreat.club praddpro.de praganytu.club praght.tech +pragmatix.org prague-ad.adtdp.com prague-cdn.adtdp.com prague-mark.adtdp.com 
@@ -80238,6 +80395,7 @@ predirect.net predominantaugustchapter.com predominantleave.com predskolaci.cz +preeclampsiapromisewalk.org preeditpastes.website preemiesurnap.com preerrlog.umeng.com @@ -80438,6 +80596,7 @@ priority.appsflyer.com priosante.fr priry.com prisacom.tt.omtrdc.net +prisageshingle.uno prisedeluge.com priseloos.com prism.app-us1.com @@ -80995,6 +81154,7 @@ prpbnsp.com prpbnt.com prpdudilosq.com prpedjlp.com +prpinteriors.com prpops.com prpopss.com prpqvjiygoslxo.me @@ -81005,6 +81165,7 @@ prscripts.com prsecpxvvyhwe.xyz prsitecheck.com prsmvengineers.com +prsolutionscabo.com prssifu.cn prt-or-067.com prt-stsdk.vivo.com.cn @@ -83406,6 +83567,7 @@ radarproposalunfortunately.com radarstats.com radarurl.com radarwitch.com +radbusiness.ca raddus.bayescom.com radeant.com radiancethedevice.com @@ -83465,6 +83627,7 @@ rainbending.com rainbowisp.info rainbowkeyboard.r.xoxknct.com rainbowkeyboard.s.xoxknct.com +rainbowkidsinternational.com rainbownine.net rainingvital.com rainpool.io @@ -83478,6 +83641,7 @@ raiphupi.com raiscvwa.xyz raisedirectionsaccede.com raisedmanatee.com +raishee.com raisinghappy.org raisingnegligencemanages.com raivikod.net @@ -83682,6 +83846,7 @@ razorthereforeargon.com razuphyju.com rb.adnxs.com rb.gy +rbanglam.org rbbf.07kfh.cn rbc.magna.ru rbc.medialand.ru @@ -83925,6 +84090,7 @@ readingopera.com readingreflect.com readiong.net readly-renterval.icu +readmehow.com readnos.com readnotify.com readnow.central-messages.com @@ -83934,6 +84100,7 @@ readserv.com readserver.net readwithyasmineandyassin.com ready-to-download.com +readybazar.com readydolphinpoverty.com readymoon.com readysnails.com @@ -83992,6 +84159,7 @@ realtime-metrics.flurry.com realtime.clinch.co realtime.dewacrm.com realtime.services.disqus.com +realtimefantasywrestling.com realtimewebstats.net realtracker.com realtracking.ninja 
@@ -84120,6 +84288,7 @@ recosenselabs.com recoset.com recover.adriver.ru recoverhatred.com +recovermypc.com recoveryflame.com recoveryyielded.com recreationhiddenmosque.com @@ -84796,6 +84965,7 @@ res2.applovin.com res3.applovin.com resadvantco.info resalag.com +resalesruths.tech resavethyme.com resawsmas.com reschedulewizards.com @@ -84995,6 +85165,7 @@ retono42.us retoxo.com retrack.q-divisioncdn.de retrak.co.ke +retratosalcarboncillo.com retreatregular.com retrieval-bd.duote.com retrofuture.fr @@ -85028,6 +85199,7 @@ reveal.clearbit.com revealedsolid.com revealingserious.com revealoverheadearth.com +revebat.com revee.outbrain.com revelationneighbourly.com revelationschemes.com @@ -85149,6 +85321,7 @@ rfnsbhcda.xyz rfpx1.com rfr-69.com rfr.lt +rfstechnologies.com.bd rftccqlbonj.xyz rftqvbgisqke.com rftslb.com @@ -85239,6 +85412,7 @@ ribbonchinesehustle.com ribbonhappenedmountain.com ribbonslopeexcessively.com ribbumuse.com +ribis.com.br ribsaiji.com ribunews.com ric-ric-rum.com @@ -85291,6 +85465,7 @@ ridsaich.com riductingpayeupled.com riencesco.biz rifsjest.com +riftingflunker.store rigel.baidustatic.com rigfoxcup.site rightcombat.com @@ -85379,6 +85554,7 @@ rischyo.cf risfpvbt.com rishcuanr.com rishenglaw.cn +rishipriyansh.com risingexams.com risingfalcons.com risk8belt.com @@ -85416,6 +85592,7 @@ riy9qqfu.club riy9qqfu.xyz riy9qqfushop.xyz riycecerfpjreyx.xyz +riyoadvertising.com rizalone.com.ph riziftoo.com rizlhvb.cn @@ -85654,6 +85831,7 @@ rodeopolice.com rodirgix.com rodneysjones.com rodo.agora.pl +rodosalles.com.br rodoserv.pt rodplxlpc.com roduster.com @@ -87519,6 +87697,8 @@ safetrck.com safety-system.club safety1connection.com safeurl.maxthon.cn +safewaydriveways.com +safewayroofingyorkshire.com saffivkmnuyk.com saffronflourmill.com saffrontheindiankitchen.com @@ -87557,6 +87737,7 @@ saintpaulschool.in sainzim.co.za saipel.com saishait.net +saitech.com.np saitef.cn saithaiy.com saiveewe.net 
@@ -87633,6 +87814,7 @@ sam4m.com samage-bility.icu samane-sana.com samanthyean.com +samarthhospitals.com samazd.com samba.adsame.com samba.tv @@ -87868,6 +88050,7 @@ sanqian.press sanqianxingxuan.icu santabarbaraarapiraca.com.br santacruzsentinel.112.2o7.net +santamuerteoraciones.com santanderbank.fr sante221.com santemedicalcollege.edu.et @@ -87875,6 +88058,7 @@ santeria.com.ua santokatrin.com santonpardal.com santos.rs +santoshpolymers.com santosseorita.com santstipule.com sanufvuhaf.com @@ -87908,6 +88092,7 @@ sarcasmcomparison.com sarcasmhickbits.com sarcasticlinezomby.com sarcasticnotarycontrived.com +sardarrestoration.com sardinegoodnight.com sare25.com sargas.iad-03.braze.com @@ -88068,6 +88253,7 @@ sbenx.com sber-host.000webhostapp.com sbfsdvc.com sbgjnnvbhlyhfl.xyz +sbgranites.com sbgsodufuosmmvsdf.info sbhbkiqnfoc.xyz sbhc.portalhc.com @@ -88150,6 +88336,7 @@ scadobe.vpay.co.kr scadxrtb.lfstmedia.com scalaproject.io scaledb.com +scaleforengineering.com scalemonk.com scalesmothforget.com scaleway.ovh @@ -88335,6 +88522,7 @@ scorecardresearch.com scoreheadingbabysitting.com scorespro.com scornamentum.com +scotlandmoto.com scotlandon.club scottbyscott.com scotthelme.report-uri.io @@ -89485,6 +89673,7 @@ sej.moatads.com sejabreezy.com.br sejlfe.cn sejs.moatads.com +sekatgroup.com sekeraly.com sekikyurlnsgc.com sekindo.com @@ -89953,6 +90142,7 @@ servingcdn.net servingnotice.com servisverf.com servpro.fr +servproviders.com.br servsave.com servt.modoro360.com servtraff97.com @@ -90032,6 +90222,7 @@ severalrespondlucidly.com severn.viessmann.co.uk sevokop.com sevwhetheles.club +sewabelikantordijakarta.com seward.net sewhethelesee.info sewingdoubtlessperch.com @@ -90147,6 +90338,7 @@ sfgysl.ezday.co.kr sfgysl.ppomppu.co.kr sfhyojoctcry.com sfilm.com +sfisas.com sfixretarum.com sfjmj.com sfl-engin.surge.systems 
@@ -90321,6 +90513,7 @@ shalseey.com shama5.com shamelesseagleheadstone.com shamelessnullneutrality.com +shamipay.com shammarfinew.com shamodesha.com shampooattackalways.com @@ -90926,6 +91119,7 @@ sicklefinding.com sickmakes.com sickrage.ca sicksmash.com +sicma.mg sicurity.info sid.nordstrom.com sidanarchy.com @@ -91100,6 +91294,8 @@ simplyjmp.com simplyjoy.de simplymeasured.com simplysemblance.com +simplysmartercommunities.com +simplysmartertv.com simpunok.com simrubwan.com simsbulksms.com @@ -91202,12 +91398,14 @@ siparisler.github.io sipibowartern.com sippansy.com sippingsunned.com +sipsoft.in sipulo.katies.com.au siqwfy.cn siqwqjza.m.yikanxiaoshuo.net sirdata.io siredonlacs.com sirepisode.com +siresips.com sireundermineoperative.com sirgroup.in sirius.iad-03.braze.com @@ -91424,6 +91622,7 @@ skbwlqnnaspxa.com skcyber.xyz skdbarh.cn skdev.io +skdiagnostics.us skeettools.com skellbillard.com skencituer.com @@ -91492,6 +91691,7 @@ skycheats.com skye6oner.com skyexegypt.com skyglue.com +skyinfogroup.com skyit.demdex.net skyjh.cn skylink.vn @@ -93184,6 +93384,7 @@ socialbirth.com socialcanvas-cdn.kargo.com socialelective.com socialhoney.co +sociallinkaccelerator.com sociallist.org sociallycontend.com sociallypublish.com @@ -93245,6 +93446,7 @@ sofire.bdstatic.com soflopxl.com sofseo.cn soft-com.biz +soft-little.com soft-plus.ru soft-you.com soft.110route.com @@ -93329,6 +93531,7 @@ solarwindow.fr solarwinds.tt.omtrdc.net solderforgetlove.com solderplumboverreact.com +soldimixprofesional.pe soleaparra.com solelylounge.com solemik.com @@ -93565,6 +93768,7 @@ sosrom.cn soswebservicos.com.br sotchoft.net sotetahe.pro +sotibat.fr sottraining.com sotuktraffic.com sou.dkdlsj.com @@ -93793,6 +93997,7 @@ spadelack.com spadelocket.com spaderonium.com spadework.org +spaic.com.mx spainu.page.link spaleswairsh.com spamanalyst.com 
@@ -94010,6 +94215,8 @@ spire.aarki.net spirebaboon.com spiritedirreparablemiscarriage.com spiritualbrakes.com +spiritualdiscussing.com +spirketgeraty.space spirliesalse.com spirub.com spitefulstop.com @@ -94468,6 +94675,7 @@ ssa.oprah.com ssa.stepstone.com ssaa.cc ssac.suning.com +ssassociates.in ssb-sgp.smartadserver.com ssb-us.smartadserver.com ssb.ah499.com @@ -94539,6 +94747,7 @@ sshopee.beauty sshowads.pubmatic.com sshsnahw.com ssiapawz.com +ssinsez.com ssite.johnlewis.com ssite.johnlewisfinance.com ssite.waitrose.com @@ -94546,6 +94755,7 @@ ssjpx.com ssjxwlkj.com ssjy.shop sskc.edu.bd +sskdexpress.in sskmnews.pro ssl-avd.innity.net ssl-cdn.media.innity.net @@ -96402,6 +96612,7 @@ stetic.com steuartpadwick.co.uk steveackton.com steveberry.fr +stevequickmarketing.com stevoglutu.com stewclove.com stewerdu.net @@ -96653,6 +96864,7 @@ strands.com strangelyfaintestgreenhouse.com strangersincentive.com strangesink.com +stransact.com strapnetdisk.com strarwars.zzz.com.ua strategiccontroller.info @@ -96793,12 +97005,14 @@ studio.yieldbird.com studio4thdimension.com studiobeta.seedtag.com studiocustomers.com +studiodentisticolambiase.it studiokrishnaproduction.com studiomugnaini.eu studiospa.com.pl studiostack.com studsuitprolong.com study.snapads.com +studyberg.com studytest.icu stuff.202m.com stuff.cdn.biddingx.com @@ -96839,6 +97053,7 @@ style.onvz.nl styleduring.com styleguide.outbrain.com stylehardy.com +styleresumes.com stylesheet.faseaegasdfase.com styleui.ru stypaphupse.com @@ -96986,6 +97201,8 @@ sufficient.cn sufficientretiredbunker.com suffocatepremise.com sufmxhvodtg.com +suftanzine.com +sugamphotoalbum.com sugarcurtain.com suggestionwallpaperhump.com sugh8yami.com @@ -97109,6 +97326,8 @@ sunsekrious.com sunsetencyclopaedia.com sunsetjuxtapositioninvoke.com sunsetpersuadeaffectionately.com +sunshinetomob.com +sunspa.ro sunstrokeload.com suntcontent.se suntechauto.com.cn 
@@ -97795,6 +98014,7 @@ synad.nuffnang.com.sg synad3.nuffnang.com.my synapse-archive.com synapsys.us +synaty.ae sync-apsg.tidaltv.com.akadns.net sync-ayl.adotmob.com sync-criteo.ads.yieldmo.com @@ -98741,6 +98961,7 @@ talterfortmarob.info taltus.co.uk tam.outbrain.com tam.trkn1.com +tamarapaint.com tamedia.ch tamedia.com.tw tamgrt.com @@ -98771,6 +98992,7 @@ taniq.am tanjs.com tankeuro.com tanky.vip +tano-logistics.com tanshan.site tansuotv.com tantan4u.com @@ -99281,7 +99503,9 @@ technicallyambition.com techniciansyllabuspersistent.com technis.org technocite.fr +technocolourindia.com technoit.fr +technolinkplastic.com technologia.com.pk technology.inmobi.com technolore.com @@ -99289,6 +99513,7 @@ technoob.info technorati.com technoratimedia.com technoshadows.com +technosysgroup.com technotology.com techoykd.com techques.com @@ -99304,6 +99529,7 @@ tecingenieria.cl tecni-soft.com tecnikalsense.com tecnobella.cl +tecnocor.com tecnologicojuanjui.edu.pe tecors.com tecuil.com @@ -100022,8 +100248,10 @@ thenagesnide.com thenceafeard.com thenceextremeeyewitness.com thench.net +thenewcapital-eg.com thenewswire.fr theninechicago.com +theologycicu.us theolympic.co.nz theonecdn.com theonechancemodels.com @@ -100054,6 +100282,7 @@ therapistpopulationcommentary.com therapistpresumegooseberry.com theraprecramp.com therealestate.vip +thereclinerrepairkenya.co.ke therecyclingmachine.com theredirect.net thereforetreadvoluntarily.com @@ -100098,6 +100327,7 @@ thetaweblink.com thetestpage.39.net thethandarinhec.info thethriftstoreonline.com +thetipsiebaker.co.uk thetorrentz.fr thetradedeskinnovidmaster582779829774.s.moatpixel.com thetradedeskv275874568748.s.moatpixel.com @@ -100179,6 +100409,7 @@ thirstytwig.com thirteenthservicehelper.com thirtmarie.website thirtydaychange.com +thirumularresearch.com this-is-living.cn thisav.54647.global thisav.54647.website 
@@ -100427,6 +100658,7 @@ tierpuborb.com tierzf.xyz tiesmaritalkidnap.com tiexing.com +tifan.ae tiffybetween.website tigeehan.com tigerhub.net @@ -100464,6 +100696,7 @@ tiltleaden.com tiltwmxtghnngw.xyz tim.nextinpact.com timamollo.co.za +timauken.cl timber.sendtonews.com timbercooling.com timberlande.fr @@ -100573,6 +100806,7 @@ tippcom01.tipp24.com tippledtalmud.com tippola.com tips.logger.baofeng.com +tipsbyexperts.com tipstats.onepagelove.com tipsurf.com tiqcdn.com @@ -100654,6 +100888,7 @@ tj3rql9siwef.www.freecodecamp.org tjafpuuhsbs.xyz tjajblcfrg.xyz tjborwufwgfjso.xyz +tjclimatizacao.com.br tjcttxdfelb.com tjdelivery20.trafficjunky.net tjdelivery50.trafficjunky.net @@ -101300,6 +101535,7 @@ topfreenewsfeed.com topgamesites.net topgirls-here.com topgirls-here1.com +tophatrealtygroup.com tophatstudio.com.au tophelio.com tophirek.hu @@ -101448,6 +101684,7 @@ totfrvpotdp.com tothisimpo.biz totlnkbn.com totlnkcl.com +totoelectronics.ca totogetica.com totoro.link totoroclair.com @@ -104087,6 +104324,7 @@ tripsthorpelemonade.com triptease.io triptease.net tripthaithai.com +tripvrip.in trisn.top trisxisys.com tritingveroffair.com @@ -104095,6 +104333,7 @@ triton.companyegg.com triumphalconcentrateconfess.com triumphantplace.com triumphgeorgianaselfcontrol.com +trivenidigital.in triver.jp trivet.co.jp trix.net @@ -104318,6 +104557,7 @@ try.newrelic.com try.tapad.com try1.studynerdz.com try2.studynerdz.com +try2ascend.com try3.studynerdz.com try9.com trybulgingcoefficient.com @@ -104804,6 +105044,7 @@ twentyalight.com twentycolander.com twentycustomimprovement.com twentyhandful.com +twentyhotel.com.ng twentypassengerdiagram.com twfaebgpngpx.xyz twh5.com @@ -104828,6 +105069,7 @@ twirlunsight.cam twistads.com twistercasino.nl twistneedylever.com +twistsweet.com twistyscash.com twitbuttons.com twitcker.com @@ -105179,6 +105421,7 @@ ubcpm.com ubdc2016.umeng.com ubdjfy.maje.com ubdoowdobjtbnu.xyz +ubeil.mx uberads.com ubercpm.com uberm.bttn.io 
@@ -105328,6 +105571,7 @@ udrig.com udsagemylyqkrew.com udsgty.alkosto.com udsurfdecv.com +udupirestaurant.qa udwjjxnexs.xyz udyitybebik.xyz udzsg.premiata.it @@ -105890,6 +106134,7 @@ unifyaddition.com uniguide.fr unilife.top unilog.wostore.cn +unimarkme.com unimed-corporated.com unimhk.com unimining.net @@ -106106,6 +106351,7 @@ unwroteorcinus.com unyhllrctudfja.com unykxgbla.com unypud.cn +unzipbechic.store uo.jstaogu.com uo12.com uod2quk646.com @@ -106394,6 +106640,7 @@ urielcoffee.com urimteku.com uriren.pw urjweohcuaigmi.xyz +urkapasteis.com.br url-redirect.com url.222bz.com url.3400.org @@ -106580,6 +106827,7 @@ usebutton.com usecatoutlet.com.br usedexample.com usedirect.adsrvr.org +usedunderstood.com usefavour.xyz usefirst.xyz usefomo.com @@ -107498,6 +107746,7 @@ vecturequotes.com vecukb.com vedeh.com vedepmhmdeanoh.xyz +vedfavor-ua.net veduy.com vedvvik.cn veeam.demdex.net @@ -107819,6 +108068,7 @@ vice.demdex.net vichycobourg.com viciousdepartment.com vickovules.com +vickychaudhry.com vicodin-store.shengen.ru vicomi.com vicssa.us @@ -108067,6 +108317,7 @@ vignerez.net vigoroussolidjitter.com vigpsypoyta.com vigraghe.net +vihaaneducation.com vihit.gotrackier.com vihootch.casa vihtori-analytics.fi @@ -108097,13 +108348,16 @@ vilinswell.com vilith.com vilkodsare.top villa-lotta.de +villadourados.com.br villagarden.pl villageeatable.com villagerfertilityadversity.com villalonavala.in +villamove.com villaquiranasociados.com villatera.com villaxl.adform.net +villea.com villepariis.fr villette45.com vilynx.com @@ -108376,6 +108630,7 @@ vitcxwlapa.com vitemadose.fr vitrifrig0.com vitritehelves.com +vittaflora.com.br viuspbkmn.bar vivachina.co vivaciousveil.com @@ -108421,6 +108676,7 @@ vjptye.cn vjpwe.comfortykive.xyz vjqepxxkjmgbo.com vjrnnvinerovn24.club +vjsoftwaresolutions.com vjunvabdtpwo.com vjzlgtnaov.com vk77lnizckm6.com 
@@ -108521,6 +108777,7 @@ vn.grab-credit4u.com vn543.com vn6e8w2w92.com vnacdnryl.com +vnameu.com vnaujncaeoygdw.com vncegyditx.xyz vncgatvelmf.xyz @@ -108887,6 +109144,7 @@ vsddtr.cn vseenmtdmcqssv.com vserv.mobi vsexshop.ru +vshine.co vshorts.in vsjujsgirbjffgc.com vsjxqhfkccx.xyz @@ -110244,6 +110502,7 @@ weedazou.net weedminderwhack.com weedprolific.com weefy.me +week-tale.xyz weekendopholdogkroophold.dk weekhostedmoo.com weeklideals.com @@ -110346,6 +110605,7 @@ wemsacker.com wencollection.com wenda.io wengesog.net +wengservice.com.br wenhaikj.xyz wenhua.jiaoshou.com wenku-cms.bj.bcebos.com @@ -110386,6 +110646,7 @@ weshuhori.com wesicuros.com wesiedu.com wesplite.com +wesscorporate.com west.ads.simpli.fi west.bidtellect.com west001.com @@ -110580,6 +110841,7 @@ whicki.com whihauve.net whikgcnxuulyr.xyz whilefitsaltered.com +whillfortis.life whilot.com whimsoplynx.com whineattempt.com @@ -110950,6 +111212,7 @@ windsasleep.com windsattributeron.com windscreenimplacable.com windscreenregimepros.com +windsorproroofing.com windsplay.com windsurfingthailand.org windsystem.hu @@ -110957,6 +111220,7 @@ windteam.xyz windup.net.br windychinese.com windzq.com +wineterritory.ro winewiden.com winfreeprize.online wingads.com @@ -110984,6 +111248,7 @@ winprizes926.fun winr.online winrarsolutions.com winsistakesme.site +winspert.com winternewsnow.name wintertongarvey.com winzevrocht.com @@ -111333,6 +111598,7 @@ wonderlandads.com wondermart.vn wonderpush.com wonderresponsive.in +wondervisionpackages.co.in wonfigfig.com woningverhuren.growise.pro woniu1314520.vip @@ -111495,6 +111761,7 @@ wosade.xyz woshiyunying.com wosork.com wotmyjkdit.com +wotssawlog.digital wotto.cn wotythowe.pro woudepib.net @@ -111812,6 +112079,7 @@ ws2.cootekservice.com ws2.datouniao.com ws2.hbssjd.cn ws38.watashinonegai.ru +wsalive.com wsapi-global.master.live wsapi.master.live wsapptrk.a4.tl 
@@ -113392,6 +113660,7 @@ www.displaycontentprofit.com www.displayformatcontent.com www.displaynetworkprofit.com www.displayvertising.com +www.disreputablegenuinelyhonorary.com www.disruptorgan.com www.dissolveddittoteaspoon.com www.distinctlynobleprosecute.com @@ -113532,6 +113801,7 @@ www.enc-tech.com www.enchantmenthopeless.com www.encloseddealing.com www.enclosedhelium.com +www.encodehelped.com www.encogcfklrcpqw.com www.encuentroagromatrisoja.com www.energymaster.com.br @@ -115242,6 +115512,7 @@ www.puppetgrow.com www.purchaserteddy.com www.pureadexchange.com www.purplepatch.online +www.pursuitnauseousinvalid.com www.push-services.com www.pushcfg.com www.pushosub.com @@ -115462,6 +115733,7 @@ www.saucepanshakymemorial.com www.saucerharmlessinternational.com www.saunaloathe.com www.saunasupposedly.com +www.savesucpnys.xyz www.sb88b.com www.sbobet-info.com www.scallionlaziness.com @@ -115735,6 +116007,7 @@ www.stats.ero-advertising.com www.stats.speedclicks.ero-advertising.com www.stattrax.com www.steakeffort.com +www.steamlargelyjustified.com www.steenbergen.web.ero-advertising.com www.steepto.com www.steiner-baukunst.at @@ -116192,6 +116465,7 @@ www.vbnm888.com www.vegaschina.cn www.velior.ru www.velocitycdn.com +www.veneeringimpenetrable.com www.venessori.com www.vengence.org www.venisonchemistrydeclared.com @@ -117096,6 +117370,7 @@ xcdzsw.com xcellerate.xaxis.com xcelltech.com xcelsiusadserver.com +xcelvations.com xcelvationsjr.com xcgcwfc.cn xcggpt.com @@ -117197,6 +117472,7 @@ xepkfd.com xerhibx.cn xerox.demdex.net xertive.com +xerxyeprhbe.com xesigyno.pro xev2o.com xevis.net @@ -118405,6 +118681,7 @@ yanliang.vip yanping521.vip yanpoly.com yantairuide.com +yantrait.com yantrasbarges.com yanuvv.cn yanyanbiji.com @@ -119051,6 +119328,7 @@ yoc.younited-credit.com yodr.net yofdifferents.biz yofiryptlfhvke.xyz +yogaandrini.org yogamagazine.fr yogar2ti8nf09.com yogaworkout.page.link 
@@ -119258,6 +119536,7 @@ youtube.adlook.me youtube.cleverads.vn youtubecenter.net youtubem.shop +youtuberbrasil.com.br youtubetofb.me youtui.net youvisit.com @@ -119613,6 +119892,7 @@ yvzgazds6d.com yw78.cn ywadf.cn ywak.com.cn +ywammazatlan.com ywbcdeyqgfzx.com ywbmed.cn ywbwsm.com @@ -119635,6 +119915,7 @@ yxajqsrsij.com yxaxputilmfpyke.com yxcblckd.com yxcpm.com +yxe.com.br yxedahltbcuyyh.com yxgfcj.com yxhjt.com @@ -119878,6 +120159,7 @@ zampad.com zampda.net zampdsp.com zamplus.com +zamzampharma.com zangocash.com zangtui.com zannatinternational.com @@ -119933,6 +120215,7 @@ zbest.in zbnfhsk.com zbqmsc.com zbrushcn.com +zbsuae.com zbsybh.cn zbuilder-bim.com zbwkapoit.com @@ -120079,6 +120362,7 @@ zeroclampentice.com zerodestructive.com zeroethgipsy.com zeroidtech.com +zerolecture.com zeropark.com zeropool.org zeroredirect1.com @@ -120371,6 +120655,7 @@ zipservice.adalliance.io zipstat.dk ziraskunked.com zirdrax.com +zirene.com.mx zirve100.com zisafniq.space zisboombah.net diff --git a/luci-app-passwall/Makefile b/luci-app-passwall/Makefile index a2d0feec7..59c68db19 100644 --- a/luci-app-passwall/Makefile +++ b/luci-app-passwall/Makefile @@ -10,12 +10,12 @@ PKG_VERSION:=4.55 PKG_RELEASE:=1 PKG_CONFIG_DEPENDS:= \ - CONFIG_PACKAGE_$(PKG_NAME)_Transparent_Proxy \ + CONFIG_PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy \ + CONFIG_PACKAGE_$(PKG_NAME)_Nftables_Transparent_Proxy \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Brook \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Haproxy \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Hysteria \ - CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_IPv6_Nat \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_NaiveProxy \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Server \ 
@@ -40,7 +40,6 @@ LUCI_DEPENDS:=+coreutils +coreutils-base64 +coreutils-nohup +curl \ +PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG:chinadns-ng \ +PACKAGE_$(PKG_NAME)_INCLUDE_Haproxy:haproxy \ +PACKAGE_$(PKG_NAME)_INCLUDE_Hysteria:hysteria \ - +PACKAGE_$(PKG_NAME)_INCLUDE_IPv6_Nat:ip6tables-mod-nat \ +PACKAGE_$(PKG_NAME)_INCLUDE_NaiveProxy:naiveproxy \ +PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client:shadowsocks-libev-ss-local \ +PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Libev_Client:shadowsocks-libev-ss-redir \ @@ -61,8 +60,8 @@ LUCI_DEPENDS:=+coreutils +coreutils-base64 +coreutils-nohup +curl \ define Package/$(PKG_NAME)/config menu "Configuration" -config PACKAGE_$(PKG_NAME)_Transparent_Proxy - bool "Transparent Proxy" +config PACKAGE_$(PKG_NAME)_Iptables_Transparent_Proxy + bool "Iptables Transparent Proxy" select PACKAGE_dnsmasq-full select PACKAGE_ipset select PACKAGE_ipt2socks @@ -73,7 +72,16 @@ config PACKAGE_$(PKG_NAME)_Transparent_Proxy select PACKAGE_iptables-mod-socket select PACKAGE_iptables-mod-tproxy select PACKAGE_kmod-ipt-nat - default y + default y if ! PACKAGE_firewall4 + +config PACKAGE_$(PKG_NAME)_Nftables_Transparent_Proxy + bool "Nftables Transparent Proxy" + select PACKAGE_dnsmasq-full + select PACKAGE_nftables + select PACKAGE_kmod-nft-socket + select PACKAGE_kmod-nft-tproxy + select PACKAGE_kmod-nft-nat + default y if PACKAGE_firewall4 config PACKAGE_$(PKG_NAME)_INCLUDE_Brook bool "Include Brook" @@ -81,7 +89,8 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_Brook config PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG bool "Include ChinaDNS-NG" - default y + select PACKAGE_ipset + default n config PACKAGE_$(PKG_NAME)_INCLUDE_Haproxy bool "Include Haproxy" 
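Review bot: The new `Nftables_Transparent_Proxy` option only `select`s `PACKAGE_dnsmasq-full`, while the runtime side of this same change refuses nftables mode unless `dnsmasq --version` reports nftset support, so an image built with this option on an older dnsmasq-full silently falls through to the iptables check at start and may end up with no transparent proxy at all. Kconfig cannot express a minimum dnsmasq version, so that requirement belongs in a `help` block under the option: `help` / `Requires dnsmasq-full built with nftset support (dnsmasq >= 2.87); on older builds passwall falls back to the iptables backend check at runtime.` Nothing in these two options stops both backends being enabled at once; if that is intended, a line in the same help text saying that the backend is chosen at runtime from the presence of fw4 would save users pulling in both kernel stacks by accident.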
@@ -91,11 +100,6 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_Hysteria bool "Include Hysteria" default n -config PACKAGE_$(PKG_NAME)_INCLUDE_IPv6_Nat - depends on PACKAGE_ip6tables - bool "Include IPv6 Nat" - default n - config PACKAGE_$(PKG_NAME)_INCLUDE_NaiveProxy bool "Include NaiveProxy" depends on !(arc||(arm&&TARGET_gemini)||armeb||mips||mips64||powerpc) diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua index 27cbd4c59..3858b016a 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/other.lua @@ -95,7 +95,7 @@ o.default = "1:65535" o:value("1:65535", translate("All")) o:value("53", "DNS") -if os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod | grep -i TPROXY >/dev/null") == 0 then +if (os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod | grep -i TPROXY >/dev/null") == 0) or (os.execute("lsmod | grep -i nft_redir >/dev/null") == 0 and os.execute("lsmod | grep -i nft_tproxy >/dev/null") == 0) then o = s:option(ListValue, "tcp_proxy_way", translate("TCP Proxy Way")) o.default = "redirect" o:value("redirect", "REDIRECT") @@ -110,7 +110,7 @@ if os.execute("lsmod | grep -i REDIRECT >/dev/null") == 0 and os.execute("lsmod return self.map:set(section, "tcp_proxy_way", value) end - if os.execute("lsmod | grep -i ip6table_mangle >/dev/null") == 0 then + if os.execute("lsmod | grep -i ip6table_mangle >/dev/null") == 0 or os.execute("lsmod | grep -i nft_tproxy >/dev/null") == 0 then ---- IPv6 TProxy o = s:option(Flag, "ipv6_tproxy", translate("IPv6 TProxy"), "" .. translate( diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index 6e63a53d8..ab611dd7f 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh 
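Review bot: The backend probe now runs `os.execute("lsmod | grep -i …")` four times on every render of this form (plus two more for the IPv6 check in the next hunk), each spawning a shell and two processes; reading `/proc/modules` once and testing the string is equivalent and cheaper: `local f = io.open("/proc/modules"); local mods = f and f:read("*a") or ""; if f then f:close() end` followed by `mods:find("nft_tproxy", 1, true)` and the like. Note also that `grep -i TPROXY` already matches `nft_tproxy`, so the iptables half of the new condition is only as selective as its `REDIRECT` term; plain-text `find` on the exact module names (`xt_TPROXY`, `nft_tproxy`) avoids that overlap.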
@@ -1149,7 +1149,7 @@ start_dns() { smartdns) local group_domestic=$(config_t_get global group_domestic) CHINADNS_NG=0 - source $APP_PATH/helper_smartdns.sh add FLAG="default" DNS_MODE=$DNS_MODE SMARTDNS_CONF=/tmp/etc/smartdns/$CONFIG.conf REMOTE_FAKEDNS=$fakedns DEFAULT_DNS=$DEFAULT_DNS LOCAL_GROUP=$group_domestic TUN_DNS=$TUN_DNS TCP_NODE=$TCP_NODE PROXY_MODE=${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${ACL_TCP_PROXY_MODE} NO_PROXY_IPV6=${filter_proxy_ipv6} + source $APP_PATH/helper_smartdns.sh add FLAG="default" DNS_MODE=$DNS_MODE SMARTDNS_CONF=/tmp/etc/smartdns/$CONFIG.conf REMOTE_FAKEDNS=$fakedns DEFAULT_DNS=$DEFAULT_DNS LOCAL_GROUP=$group_domestic TUN_DNS=$TUN_DNS TCP_NODE=$TCP_NODE PROXY_MODE=${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${ACL_TCP_PROXY_MODE} NO_PROXY_IPV6=${filter_proxy_ipv6} NFTFLAG=${nftflag} source $APP_PATH/helper_smartdns.sh restart echolog " - 域名解析:使用SmartDNS,请确保配置正常。" ;; @@ -1184,7 +1184,7 @@ start_dns() { [ "$DNS_SHUNT" = "dnsmasq" ] && { source $APP_PATH/helper_dnsmasq.sh stretch - source $APP_PATH/helper_dnsmasq.sh add FLAG="default" DNS_MODE=$DNS_MODE TMP_DNSMASQ_PATH=$TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE=/tmp/dnsmasq.d/dnsmasq-passwall.conf REMOTE_FAKEDNS=$fakedns DEFAULT_DNS=$DEFAULT_DNS LOCAL_DNS=$LOCAL_DNS TUN_DNS=$TUN_DNS CHINADNS_DNS=$china_ng_listen TCP_NODE=$TCP_NODE PROXY_MODE=${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${ACL_TCP_PROXY_MODE} NO_PROXY_IPV6=${filter_proxy_ipv6} + source $APP_PATH/helper_dnsmasq.sh add FLAG="default" DNS_MODE=$DNS_MODE TMP_DNSMASQ_PATH=$TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE=/tmp/dnsmasq.d/dnsmasq-passwall.conf REMOTE_FAKEDNS=$fakedns DEFAULT_DNS=$DEFAULT_DNS LOCAL_DNS=$LOCAL_DNS TUN_DNS=$TUN_DNS CHINADNS_DNS=$china_ng_listen TCP_NODE=$TCP_NODE PROXY_MODE=${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${ACL_TCP_PROXY_MODE} NO_PROXY_IPV6=${filter_proxy_ipv6} NFTFLAG=${nftflag} } } 
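Review bot: `NFTFLAG=${nftflag}` is now forwarded to `helper_smartdns.sh add`, yet the start() log line in this same change says smartdns shunting is unavailable under nftables, and helper_smartdns.sh's `add` is not part of this diff; if its `local …` list mirrors helper_dnsmasq.sh's, the new key presumably needs adding there too, otherwise `eval_set_val` would set it outside function scope. Either drop the argument from this call or add a one-line comment above it saying why smartdns still receives it. The `start_dns` case statement continues outside this hunk.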
@@ -1348,9 +1348,22 @@ start() { ulimit -n 65535 start_haproxy start_socks + nftflag=0 [ "$NO_PROXY" == 1 ] || { - if [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then + if [ -n "$(command -v fw4)" ] && [ -z "$(dnsmasq --version | grep 'nftset')" ]; then + echolog "检测到fw4防火墙,但Dnsmasq软件包不满足nftables透明代理要求,如需使用请确保dnsmasq版本在2.87以上并开启nftset支持。" + fi + + if [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ]; then + echolog "检测fw4防火墙,使用nftables进行透明代理,一些不支持nftables的组件如smartdns分流等将不可用。" + nftflag=1 + start_redir TCP + start_redir UDP + start_dns + source $APP_PATH/nftables.sh start + source $APP_PATH/helper_${DNS_N}.sh logic_restart + elif [ -z "$(command -v iptables-legacy || command -v iptables)" ] || [ -z "$(command -v ipset)" ]; then echolog "系统未安装iptables或ipset,无法透明代理!" else start_redir TCP @@ -1366,7 +1379,7 @@ start() { stop() { clean_log - source $APP_PATH/iptables.sh stop + [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ] && source $APP_PATH/nftables.sh stop || source $APP_PATH/iptables.sh stop delete_ip2route kill_all v2ray-plugin obfs-local pgrep -f "sleep.*(6s|9s|58s)" | xargs kill -9 >/dev/null 2>&1 diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh index 0d53dc2c9..c82ae336a 100755 --- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh +++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq.sh 
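Review bot: The feature probe `dnsmasq --version | grep 'nftset'` is, as far as I recall dnsmasq's version banner, also satisfied by a build that lists `no-nftset` in its compile-time options (2.87+ prints that token when built without the feature), so the nftables branch can be taken on a dnsmasq that cannot populate the sets; please verify against a 2.87+ build. The same two-part probe is written out three times (twice here, once in stop()), so I'd anchor the match and factor it into one helper (below), then use `if use_nftables; then` in place of the second `if` here and in the `elif` chain. The nftables branch also never checks that `nft` itself is installed before sourcing nftables.sh; fw4 makes that likely, but `command -v nft` is cheap.
```shell
# Backend probe shared by start()/stop(): fw4 and nft present, dnsmasq built with nftset.
# dnsmasq lists a missing feature as "no-nftset", so anchor the match on a word boundary.
use_nftables() {
	[ -n "$(command -v fw4)" ] && [ -n "$(command -v nft)" ] || return 1
	dnsmasq --version 2>/dev/null | grep -qE '(^| )nftset( |$)'
}
# … unchanged: rest of start() …
```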
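Review bot: The one-liner `A && B && source nftables.sh stop || source iptables.sh stop` is not an if/else: should `nftables.sh stop` return non-zero, the iptables teardown runs as well, and the teardown is chosen by re-probing fw4/dnsmasq at stop time rather than by what start() actually set up, so a dnsmasq or firewall package change between start and stop leaves the live ruleset untouched. Write it as `if [ -n "$(command -v fw4)" ] && [ -n "$(dnsmasq --version | grep 'nftset')" ]; then source $APP_PATH/nftables.sh stop; else source $APP_PATH/iptables.sh stop; fi` and, better, have start() record the backend it chose (`nftflag`) in a file under its run directory that stop() reads back; the path start() uses for its state is not visible in this hunk.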
@@ -65,9 +65,9 @@ restart() { } add() { - local FLAG TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS REMOTE_FAKEDNS CHINADNS_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG + local FLAG TMP_DNSMASQ_PATH DNSMASQ_CONF_FILE DEFAULT_DNS LOCAL_DNS TUN_DNS REMOTE_FAKEDNS CHINADNS_DNS TCP_NODE PROXY_MODE NO_PROXY_IPV6 NO_LOGIC_LOG NFTFLAG eval_set_val $@ - lua $APP_PATH/helper_dnsmasq_add.lua -FLAG $FLAG -TMP_DNSMASQ_PATH $TMP_DNSMASQ_PATH -DNSMASQ_CONF_FILE $DNSMASQ_CONF_FILE -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS -TUN_DNS $TUN_DNS -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -CHINADNS_DNS ${CHINADNS_DNS:-0} -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} + lua $APP_PATH/helper_dnsmasq_add.lua -FLAG $FLAG -TMP_DNSMASQ_PATH $TMP_DNSMASQ_PATH -DNSMASQ_CONF_FILE $DNSMASQ_CONF_FILE -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS -TUN_DNS $TUN_DNS -REMOTE_FAKEDNS ${REMOTE_FAKEDNS:-0} -CHINADNS_DNS ${CHINADNS_DNS:-0} -TCP_NODE $TCP_NODE -PROXY_MODE $PROXY_MODE -NO_PROXY_IPV6 ${NO_PROXY_IPV6:-0} -NO_LOGIC_LOG ${NO_LOGIC_LOG:-0} -NFTFLAG ${NFTFLAG} } del() { diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua index 3c61de030..e412fe5f7 100644 --- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua +++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua @@ -14,6 +14,7 @@ local TCP_NODE = var["-TCP_NODE"] local PROXY_MODE = var["-PROXY_MODE"] local NO_PROXY_IPV6 = var["-NO_PROXY_IPV6"] local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"] +local NFTFLAG = var["-NFTFLAG"] local LOG_FILE = api.LOG_FILE local CACHE_PATH = api.CACHE_PATH local CACHE_FLAG = "dns_" .. FLAG 
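Review bot: `-NFTFLAG ${NFTFLAG}` is the only optional argument on this line passed without a default; every other optional flag uses `${X:-0}`. When `add` is invoked by a caller that does not set NFTFLAG (the smartdns path and any ACL callers are not in this hunk), the lua side receives a bare `-NFTFLAG` with no value, which only works because helper_dnsmasq_add.lua compares it with `== "1"`. Use `-NFTFLAG ${NFTFLAG:-0}` so the argument parser never sees a dangling key.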
@@ -165,8 +166,9 @@ end local dnsmasq_default_dns local cache_text = "" +local subscribe_proxy=uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0" local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)") -local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. new_rules +local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules if fs.access(CACHE_TEXT_FILE) then for line in io.lines(CACHE_TEXT_FILE) do cache_text = line @@ -191,6 +193,8 @@ if global and (not returnhome and not chnlist and not gfwlist) then only_global = 1 end +local setflag= (NFTFLAG == "1") and "inet#fw4#" or "" + if not fs.access(CACHE_DNS_PATH) then fs.mkdir("/tmp/dnsmasq.d") fs.mkdir(CACHE_DNS_PATH) @@ -223,13 +227,13 @@ if not fs.access(CACHE_DNS_PATH) then log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认")) local fwd_dns = LOCAL_DNS - local ipset_flag = "whitelist,whitelist6" + local ipset_flag = setflag.."whitelist,"..setflag.."whitelist6" local no_ipv6 - if uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0" == "1" then + if subscribe_proxy == "1" then fwd_dns = TUN_DNS - ipset_flag = "blacklist,blacklist6" + ipset_flag = setflag.."blacklist,"..setflag.."blacklist6" if NO_PROXY_IPV6 == "1" then - ipset_flag = "blacklist" + ipset_flag = setflag.."blacklist" no_ipv6 = true end if not only_global then 
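Review bot: The regeneration key `new_text` gains `subscribe_proxy` but not `NFTFLAG`, although the generated `ipset.conf` further down now depends on it (the `inet#fw4#` set prefix and the `ipset=`/`nftset=` keyword). If CACHE_DNS_PATH is only rebuilt when `new_text` differs from the cached line, installing an nftset-capable dnsmasq or fw4 after a first run keeps serving the stale `ipset=` file under the nftables backend. Append the flag to the key: `local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. (NFTFLAG or "0") .. new_rules`. The cache-compare logic that consumes `cache_text` continues past the end of this hunk.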
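Review bot: `setflag` expands to `inet#fw4#` with no address-family selector, so the emitted entries read `nftset=/.example/inet#fw4#whitelist,inet#fw4#whitelist6`. As I read the dnsmasq `--nftset` syntax (`[4|6]#family#table#set`), a spec without the `4#`/`6#` prefix has answers of both families pushed into that set, which for typed `ipv4_addr`/`ipv6_addr` sets means the mismatched addresses are rejected; the smartdns helper in this same change does carry `#4:`/`#6:` selectors. Verify against the dnsmasq man page; if it holds, split the prefix into `local setflag_4 = (NFTFLAG == "1") and "4#inet#fw4#" or ""` and `local setflag_6 = (NFTFLAG == "1") and "6#inet#fw4#" or ""` and use them for the `*list` and `*list6` names respectively.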
@@ -254,10 +258,10 @@ if not fs.access(CACHE_DNS_PATH) then
 for line in io.lines("/usr/share/passwall/rules/proxy_host") do
 if line ~= "" and not line:find("#") then
 add_excluded_domain(line)
-local ipset_flag = "blacklist,blacklist6"
+local ipset_flag = setflag.."blacklist,"..setflag.."blacklist6"
 if NO_PROXY_IPV6 == "1" then
 set_domain_address(line, "::")
-ipset_flag = "blacklist"
+ipset_flag = setflag.."blacklist"
 end
 if REMOTE_FAKEDNS == "1" then
 ipset_flag = nil
@@ -285,12 +289,12 @@ if not fs.access(CACHE_DNS_PATH) then
 if _node_id == "_direct" then
 fwd_dns = LOCAL_DNS
-ipset_flag = "whitelist,whitelist6"
+ipset_flag = setflag.."whitelist,"..setflag.."whitelist6"
 else
 fwd_dns = TUN_DNS
-ipset_flag = "shuntlist,shuntlist6"
+ipset_flag = setflag.."shuntlist,"..setflag.."shuntlist6"
 if NO_PROXY_IPV6 == "1" then
-ipset_flag = "shuntlist"
+ipset_flag = setflag.."shuntlist"
 no_ipv6 = true
 end
 if not only_global then
@@ -328,9 +332,9 @@ if not fs.access(CACHE_DNS_PATH) then
 local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
 for line in string.gmatch(gfwlist_str, "[^\r\n]+") do
 if line ~= "" then
-local ipset_flag = "gfwlist,gfwlist6"
+local ipset_flag = setflag.."gfwlist,"..setflag.."gfwlist6"
 if NO_PROXY_IPV6 == "1" then
-ipset_flag = "gfwlist"
+ipset_flag = setflag.."gfwlist"
 set_domain_address(line, "::")
 end
 if not only_global then
@@ -367,9 +371,9 @@ if not fs.access(CACHE_DNS_PATH) then
 local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
 for line in string.gmatch(chnlist_str, "[^\r\n]+") do
 if line ~= "" then
-local ipset_flag = "chnroute,chnroute6"
+local ipset_flag = setflag.."chnroute,"..setflag.."chnroute6"
 if NO_PROXY_IPV6 == "1" then
-ipset_flag = "chnroute"
+ipset_flag = setflag.."chnroute"
 set_domain_address(line, "::")
 end
 if not only_global then
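Review bot: The same `setflag.."name,"..setflag.."name6"` / `setflag.."name"` pair is now spelled out by hand in eight places across these hunks (and in the hunk before them), which is exactly how the IPv4 and IPv6 halves drift apart on the next edit. A small helper defined next to `setflag` keeps each site to one call: `local function sets(name) return setflag .. name .. "," .. setflag .. name .. "6" end` and `local function set4(name) return setflag .. name end`, so this hunk becomes `local ipset_flag = sets("blacklist")` and `ipset_flag = set4("blacklist")`. The enclosing `if not fs.access(CACHE_DNS_PATH)` block starts and ends outside these hunks.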
@@ -388,6 +392,10 @@ if not fs.access(CACHE_DNS_PATH) then local address_out = io.open(CACHE_DNS_PATH .. "/000-address.conf", "a") local server_out = io.open(CACHE_DNS_PATH .. "/001-server.conf", "a") local ipset_out = io.open(CACHE_DNS_PATH .. "/ipset.conf", "a") + local set_name = "ipset" + if NFTFLAG == "1" then + set_name = "nftset" + end for key, value in pairs(list1) do if value.address and #value.address > 0 then address_out:write(string.format("address=/.%s/%s\n", key, value.address)) @@ -403,7 +411,7 @@ if not fs.access(CACHE_DNS_PATH) then ipsets_str = ipsets_str .. ipset .. "," end ipsets_str = ipsets_str:sub(1, #ipsets_str - 1) - ipset_out:write(string.format("ipset=/.%s/%s\n", key, ipsets_str)) + ipset_out:write(string.format("%s=/.%s/%s\n", set_name, key, ipsets_str)) end end address_out:close() diff --git a/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua index 615268633..1226c40b6 100644 --- a/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua +++ b/luci-app-passwall/root/usr/share/passwall/helper_smartdns_add.lua @@ -146,8 +146,9 @@ local function check_excluded_domain(domain) end local cache_text = "" +local subscribe_proxy=uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0" local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)") -local new_text = SMARTDNS_CONF .. LOCAL_GROUP .. REMOTE_GROUP .. REMOTE_FAKEDNS .. TUN_DNS .. PROXY_MODE .. NO_PROXY_IPV6 ..new_rules +local new_text = SMARTDNS_CONF .. LOCAL_GROUP .. REMOTE_GROUP .. REMOTE_FAKEDNS .. TUN_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. subscribe_proxy .. new_rules if fs.access(CACHE_TEXT_FILE) then for line in io.lines(CACHE_TEXT_FILE) do cache_text = line 
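Review bot: The four-line `set_name` block does the same job as the one-line conditional used for `setflag` earlier in this file; `local set_name = (NFTFLAG == "1") and "nftset" or "ipset"` reads the same and keeps the two backend switches visibly parallel. Since the output file is still opened as `ipset.conf` whichever keyword is chosen, a one-line comment on the `io.open` line — `-- also holds nftset= lines when NFTFLAG == "1"` — stops the name misleading the next reader.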
@@ -203,7 +204,7 @@ if not fs.access(CACHE_DNS_FILE) then
 local fwd_group = LOCAL_GROUP
 local ipset_flag = "#4:whitelist,#6:whitelist6"
 local no_ipv6
-if uci:get(appname, "@global_subscribe[0]", "subscribe_proxy") or "0" == "1" then
+if subscribe_proxy == "1" then
 fwd_group = REMOTE_GROUP
 ipset_flag = "#4:blacklist,#6:blacklist6"
 if NO_PROXY_IPV6 == "1" then
diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh
new file mode 100755
index 000000000..887842381
--- /dev/null
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh
@@ -0,0 +1,1344 @@ +#!/bin/bash + +DIR="$(cd "$(dirname "$0")" && pwd)" +MY_PATH=$DIR/nftables.sh +NFTSET_LANIPLIST="laniplist" +NFTSET_VPSIPLIST="vpsiplist" +NFTSET_SHUNTLIST="shuntlist" +NFTSET_GFW="gfwlist" +NFTSET_CHN="chnroute" +NFTSET_BLACKLIST="blacklist" +NFTSET_WHITELIST="whitelist" +NFTSET_BLOCKLIST="blocklist" + +NFTSET_LANIPLIST6="laniplist6" +NFTSET_VPSIPLIST6="vpsiplist6" +NFTSET_SHUNTLIST6="shuntlist6" +NFTSET_GFW6="gfwlist6" +NFTSET_CHN6="chnroute6" +NFTSET_BLACKLIST6="blacklist6" +NFTSET_WHITELIST6="whitelist6" +NFTSET_BLOCKLIST6="blocklist6" + +FORCE_INDEX=2 + +. /lib/functions/network.sh + +FWI=$(uci -q get firewall.passwall.path 2>/dev/null) +FAKE_IP="198.18.0.0/16" + +factor() { + if [ -z "$1" ] || [ -z "$2" ]; then + echo "" + elif [ "$1" == "1:65535" ]; then + echo "" + else + echo "$2 {$1}" + fi +} + +insert_rule_before() { + [ $# -ge 3 ] || { + return 1 + } + local table="${1}"; shift + local chain="${1}"; shift + local keyword="${1}"; shift + local rule="${1}"; shift + local default_index="${1}"; shift + default_index=${default_index:-0} + local _index=$(nft -a list chain $table $chain 2>/dev/null | grep "$keyword" | awk -F '# handle ' '{print$2}' | head -n 1 | awk '{print $1}') + if [ -z "${_index}" ] && [ "${default_index}" = "0" ]; then + nft "add rule $table $chain $rule" + else + if [ -z "${_index}" ]; then + _index=${default_index} + fi + nft "insert rule $table $chain position $_index $rule" + fi +} + +insert_rule_after() { + [ $# -ge 3 ] || { + return 1 + } + local table="${1}"; shift + local chain="${1}"; shift + local keyword="${1}"; shift + local rule="${1}"; shift + local default_index="${1}"; shift + default_index=${default_index:-0} + local _index=$(nft -a list chain $table $chain 2>/dev/null | grep "$keyword" | awk -F '# handle ' '{print$2}' | head -n 1 | awk '{print $1}') + if [ -z "${_index}" ] && [ "${default_index}" = "0" ]; then + $ipt_tmp -A $chain $rule + else + if [ -z "${_index}" ]; then + _index=${default_index} + 
fi + nft "add rule $table $chain position $_index $rule" + fi +} + +RULE_LAST_INDEX() { + [ $# -ge 3 ] || { + echolog "索引列举方式不正确(nftables),终止执行!" + return 1 + } + local ipt_tmp="${1}"; shift + local chain="${1}"; shift + local list="${1}"; shift + local default="${1:-0}"; shift + local _index=$(nft -a list chain inet fw4 $chain 2>/dev/null | grep "$keyword" | awk -F '# handle ' '{print$2}' | head -n 1 | awk '{print $1}') + echo "${_index:-${default}}" +} + +REDIRECT() { + local s="counter redirect" + [ -n "$1" ] && { + local s="$s to :$1" + [ "$2" == "MARK" ] && s="counter meta mark set $1" + [ "$2" == "TPROXY" ] && { + s="counter meta mark 1 tproxy to :$1" + } + [ "$2" == "TPROXY4" ] && { + s="counter meta mark 1 tproxy ip to :$1" + } + [ "$2" == "TPROXY6" ] && { + s="counter meta mark 1 tproxy ip6 to :$1" + } + + } + echo $s +} + +destroy_nftset() { + for i in "$@"; do + nft flush set inet fw4 $i 2>/dev/null + nft delete set inet fw4 $i 2>/dev/null + done +} + +insert_nftset() { + local nftset_name="${1}"; shift + for nft_element in $@ + do + nft add element inet fw4 $nftset_name { $nft_element } + done +} + +gen_nftset() { + local nftset_name="${1}"; shift + local ip_type="${1}"; shift + mkdir -p $TMP_PATH2/nftset + + cat > "$TMP_PATH2/nftset/$nftset_name" <<-EOF + define $nftset_name = {$@} + add set inet fw4 $nftset_name { type $ip_type; flags interval; auto-merge; } + add element inet fw4 $nftset_name \$$nftset_name + EOF + nft -f "$TMP_PATH2/nftset/$nftset_name" + rm "$TMP_PATH2/nftset/$nftset_name" +} + +get_redirect_ipv4() { + case "$1" in + disable) + echo "counter return" + ;; + global) + echo "$(REDIRECT $2 $3)" + ;; + gfwlist) + echo "ip daddr @$NFTSET_GFW $(REDIRECT $2 $3)" + ;; + chnroute) + echo "ip daddr != @$NFTSET_CHN $(REDIRECT $2 $3)" + ;; + returnhome) + echo "ip daddr @$NFTSET_CHN $(REDIRECT $2 $3)" + ;; + direct/proxy) + echo "counter return" + ;; + esac +} + +get_redirect_ipv6() { + case "$1" in + disable) + echo "counter return" + ;; + 
global) + echo "$(REDIRECT $2 $3)" + ;; + gfwlist) + echo "ip6 daddr @$NFTSET_GFW6 $(REDIRECT $2 $3)" + ;; + chnroute) + echo "ip6 daddr != $NFTSET_CHN6 $(REDIRECT $2 $3)" + ;; + returnhome) + echo "ip6 daddr $NFTSET_CHN6 $(REDIRECT $2 $3)" + ;; + direct/proxy) + echo "counter return" + ;; + esac +} + +get_nftset_ipv4() { + case "$1" in + gfwlist) + echo "ip daddr @$NFTSET_GFW counter" + ;; + chnroute) + echo "ip daddr != @$NFTSET_CHN counter" + ;; + returnhome) + echo "$ip daddr @$NFTSET_CHN counter" + ;; + esac +} + +get_nftset_ipv6() { + case "$1" in + gfwlist) + echo "ip6 daddr @$NFTSET_GFW6 counter" + ;; + chnroute) + echo "ip6 daddr != @$NFTSET_CHN6 counter" + ;; + returnhome) + echo "$ip6 daddr @$NFTSET_CHN6 counter" + ;; + esac +} + +get_action_chain_name() { + case "$1" in + disable) + echo "不代理" + ;; + global) + echo "全局代理" + ;; + gfwlist) + echo "防火墙列表" + ;; + chnroute) + echo "中国列表以外" + ;; + returnhome) + echo "中国列表" + ;; + direct/proxy) + echo "仅使用直连/代理列表" + ;; + esac +} + +gen_laniplist() { + cat $RULES_PATH/lanlist_ipv4 | tr -s '\n' | grep -v "^#" +} + +gen_laniplist_6() { + cat $RULES_PATH/lanlist_ipv6 | tr -s '\n' | grep -v "^#" +} + +get_wan_ip() { + local NET_IF + local NET_ADDR + + network_flush_cache + network_find_wan NET_IF + network_get_ipaddr NET_ADDR "${NET_IF}" + + echo $NET_ADDR +} + +get_wan6_ip() { + local NET_IF + local NET_ADDR + + network_flush_cache + network_find_wan6 NET_IF + network_get_ipaddr6 NET_ADDR "${NET_IF}" + + echo $NET_ADDR +} + +load_acl() { + local items=$(uci show ${CONFIG} | grep "=acl_rule" | cut -d '.' 
-sf 2 | cut -d '=' -sf 1) + [ -n "$items" ] && { + local item + local socks_port redir_port dns_port dnsmasq_port + local ipt_tmp msg msg2 + socks_port=11100 + redir_port=11200 + dns_port=11300 + dnsmasq_port=11400 + echolog "访问控制:" + for item in $items; do + local enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip + local _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark config_file _extra_param + sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') + eval $(uci -q show "${CONFIG}.${item}" | cut -d'.' -sf 3-) + [ "$enabled" = "1" ] || continue + + [ -z "${sources}" ] && continue + for s in $sources; do + is_iprange=$(lua_api "iprange(\"${s}\")") + if [ "${is_iprange}" = "true" ]; then + rule_list="${rule_list}\niprange:${s}" + elif [ -n "$(echo ${s} | grep '^ipset:')" ]; then + rule_list="${rule_list}\nipset:${s}" + else + _ip_or_mac=$(lua_api "ip_or_mac(\"${s}\")") + if [ "${_ip_or_mac}" = "ip" ]; then + rule_list="${rule_list}\nip:${s}" + elif [ "${_ip_or_mac}" = "mac" ]; then + rule_list="${rule_list}\nmac:${s}" + fi + fi + done + [ -z "${rule_list}" ] && continue + + tcp_proxy_mode=${tcp_proxy_mode:-default} + udp_proxy_mode=${udp_proxy_mode:-default} + tcp_no_redir_ports=${tcp_no_redir_ports:-default} + udp_no_redir_ports=${udp_no_redir_ports:-default} + tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default} + udp_proxy_drop_ports=${udp_proxy_drop_ports:-default} + tcp_redir_ports=${tcp_redir_ports:-default} + udp_redir_ports=${udp_redir_ports:-default} + tcp_node=${tcp_node:-default} + udp_node=${udp_node:-default} + dns_mode=${dns_mode:-dns2socks} + remote_dns=${remote_dns:-1.1.1.1} + [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ] && { + [ "$v2ray_dns_mode" 
= "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query} + } + [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE + [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE + [ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS + [ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS + [ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS + [ "$udp_proxy_drop_ports" = "default" ] && udp_proxy_drop_ports=$UDP_PROXY_DROP_PORTS + [ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS + [ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS + [ "$tcp_node" != "nil" ] && { + if [ "$tcp_node" = "default" ]; then + tcp_node=$TCP_NODE + tcp_port=$TCP_REDIR_PORT + else + [ "$(config_get_type $tcp_node nil)" = "nodes" ] && { + run_dns() { + local _dns_port + [ -n $1 ] && _dns_port=$1 + [ -z ${_dns_port} ] && { + dns_port=$(get_new_port $(expr $dns_port + 1)) + _dns_port=$dns_port + if [ "$dns_mode" = "dns2socks" ]; then + run_dns2socks flag=acl_${sid} socks_address=127.0.0.1 socks_port=$socks_port listen_address=0.0.0.0 listen_port=${_dns_port} dns=$remote_dns cache=1 + elif [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then + config_file=$TMP_ACL_PATH/${tcp_node}_SOCKS_${socks_port}_DNS.json + run_v2ray flag=acl_${sid} type=$dns_mode dns_socks_address=127.0.0.1 dns_socks_port=$socks_port dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh="${remote_dns}" dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY} config_file=$config_file + fi + eval node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)=${_dns_port} + } + + dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1)) + redirect_dns_port=$dnsmasq_port + mkdir -p $TMP_ACL_PATH/$sid + echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + echo 
"conf-dir=${TMP_ACL_PATH}/${sid}/dnsmasq.d" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + d_server=127.0.0.1 + [ "$tcp_proxy_mode" = "global" ] && d_server=${d_server}#${_dns_port} + echo "server=${d_server}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf + source $APP_PATH/helper_${DNS_N}.sh add FLAG=${sid} DNS_MODE=$dns_mode TMP_DNSMASQ_PATH=$TMP_ACL_PATH/$sid/dnsmasq.d DNSMASQ_CONF_FILE=/dev/null LOCAL_DNS=$LOCAL_DNS TUN_DNS=127.0.0.1#${_dns_port} TCP_NODE=$tcp_node PROXY_MODE=${tcp_proxy_mode} NO_LOGIC_LOG=1 NO_PROXY_IPV6=${filter_proxy_ipv6} NFTFLAG=${nftflag} + ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid + eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port} + } + if [ "$tcp_node" = "$TCP_NODE" ]; then + tcp_port=$TCP_REDIR_PORT + else + _redir_port=$(eval echo \${node_${tcp_node}_redir_port}) + _socks_port=$(eval echo \${node_${tcp_node}_socks_port}) + if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then + socks_port=${_socks_port} + tcp_port=${_redir_port} + _dnsmasq_port=$(eval echo \${node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)}) + if [ -z "${_dnsmasq_port}" ]; then + _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)}) + run_dns ${_dns_port} + else + redirect_dns_port=${_dnsmasq_port} + fi + else + socks_port=$(get_new_port $(expr $socks_port + 1)) + eval node_${tcp_node}_socks_port=$socks_port + redir_port=$(get_new_port $(expr $redir_port + 1)) + eval node_${tcp_node}_redir_port=$redir_port + tcp_port=$redir_port + config_file="acl/${tcp_node}_SOCKS_${socks_port}.json" + + local type=$(echo $(config_n_get $tcp_node type) | tr 'A-Z' 'a-z') + if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then + config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") + _extra_param="socks_address=127.0.0.1 
socks_port=$socks_port" + if [ "$dns_mode" = "v2ray" -o "$dns_mode" = "xray" ]; then + config_file=$(echo $config_file | sed "s/SOCKS_${socks_port}/DNS/g") + dns_port=$(get_new_port $(expr $dns_port + 1)) + _dns_port=$dns_port + _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns} dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY}" + fi + config_file="$TMP_PATH/$config_file" + run_v2ray flag=$tcp_node node=$tcp_node tcp_redir_port=$redir_port ${_extra_param} config_file=$config_file + else + run_socks flag=$tcp_node node=$tcp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file + local log_file=$TMP_ACL_PATH/ipt2socks_${tcp_node}_${redir_port}.log + log_file="/dev/null" + run_ipt2socks flag=acl_${tcp_node} tcp_tproxy=${is_tproxy} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file + fi + run_dns ${_dns_port} + fi + filter_node $tcp_node TCP > /dev/null 2>&1 & + filter_node $tcp_node UDP > /dev/null 2>&1 & + fi + } + fi + tcp_node_remark=$(config_n_get $tcp_node remarks) + } + [ "$udp_node" != "nil" ] && { + [ "$udp_node" = "tcp" ] && udp_node=$tcp_node + if [ "$udp_node" = "default" ]; then + udp_node=$UDP_NODE + [ "$TCP_UDP" = "1" ] && [ "$udp_node" = "nil" ] && udp_node=$TCP_NODE + udp_port=$UDP_REDIR_PORT + else + [ "$(config_get_type $udp_node nil)" = "nodes" ] && { + if [ "$udp_node" = "$UDP_NODE" ]; then + udp_port=$UDP_REDIR_PORT + else + _redir_port=$(eval echo \${node_${udp_node}_redir_port}) + _socks_port=$(eval echo \${node_${udp_node}_socks_port}) + if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then + socks_port=${_socks_port} + udp_port=${_redir_port} + else + socks_port=$(get_new_port $(expr $socks_port + 1)) + eval node_${udp_node}_socks_port=$socks_port + redir_port=$(get_new_port $(expr $redir_port + 1)) + eval node_${udp_node}_redir_port=$redir_port + udp_port=$redir_port + 
config_file="acl/${udp_node}_SOCKS_${socks_port}.json" + + local type=$(echo $(config_n_get $udp_node type) | tr 'A-Z' 'a-z') + if [ -n "${type}" ] && ([ "${type}" = "v2ray" ] || [ "${type}" = "xray" ]); then + config_file=$(echo $config_file | sed "s/SOCKS/TCP_UDP_SOCKS/g") + config_file="$TMP_PATH/$config_file" + run_v2ray flag=$udp_node node=$udp_node udp_redir_port=$redir_port config_file=$config_file + else + run_socks flag=$udp_node node=$udp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file + local log_file=$TMP_ACL_PATH/ipt2socks_${udp_node}_${redir_port}.log + log_file="/dev/null" + run_ipt2socks flag=acl_${udp_node} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file + fi + fi + filter_node $udp_node TCP > /dev/null 2>&1 & + filter_node $udp_node UDP > /dev/null 2>&1 & + fi + } + fi + udp_node_remark=$(config_n_get $udp_node remarks) + } + + for i in $(echo -e ${rule_list}); do + if [ -n "$(echo ${i} | grep '^iprange:')" ]; then + _iprange=$(echo ${i} | sed 's#iprange:##g') + _ipt_source=$(factor ${_iprange} "ip saddr") + msg="备注【$remarks】,IP range【${_iprange}】," + elif [ -n "$(echo ${i} | grep '^ipset:')" ]; then + _ipset=$(echo ${i} | sed 's#ipset:##g') + _ipt_source="ip daddr @${_ipset}" + msg="备注【$remarks】,IPset【${_ipset}】," + elif [ -n "$(echo ${i} | grep '^ip:')" ]; then + _ip=$(echo ${i} | sed 's#ip:##g') + _ipt_source=$(factor ${_ip} "ip saddr") + msg="备注【$remarks】,IP【${_ip}】," + elif [ -n "$(echo ${i} | grep '^mac:')" ]; then + _mac=$(echo ${i} | sed 's#mac:##g') + _ipt_source=$(factor ${_mac} "ether saddr") + msg="备注【$remarks】,MAC【${_mac}】," + else + continue + fi + + [ -n "$tcp_port" ] && { + if [ "$tcp_proxy_mode" != "disable" ]; then + [ -n "$redirect_dns_port" ] && nft "add rule inet fw4 PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $redirect_dns_port comment \"$remarks\"" + msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]" + 
if [ -n "${is_tproxy}" ]; then + msg2="${msg2}(TPROXY:${tcp_port})代理" + else + msg2="${msg2}(REDIRECT:${tcp_port})代理" + fi + + [ "$accept_icmp" = "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(get_redirect_ipv4 $tcp_proxy_mode) comment \"$remarks\"" + } + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" + } + + [ "$tcp_no_redir_ports" != "disable" ] && { + nft "add rule inet fw4 $nft_prerouting_chain ${_ipt_source} ip protocol tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 comment ${_ipt_source} meta l4proto tcp tcp dport {$tcp_no_redir_ports} counter return comment \"$remarks\"" + msg2="${msg2}[$?]除${tcp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" + + [ "$tcp_proxy_drop_ports" != "disable" ] && { + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr 
@$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" + [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" + } + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" + [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter drop comment \"$remarks\"" + msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}" + } + + if [ -z "${is_tproxy}" ]; then + nft "add rule inet fw4 PSW ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\"" + nft "add rule inet fw4 PSW ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\"" + else + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump 
PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" " + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE meta nfproto {ipv4} meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY4) comment \"$remarks\"" + fi + nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} counter return comment \"$remarks\"" + + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} return comment \"$remarks\"" + } + else + msg2="${msg}不代理TCP" + fi + echolog " - ${msg2}" + } + + [ "$udp_proxy_drop_ports" != "disable" ] && { + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" + [ "$udp_proxy_mode" != 
"direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" + } + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" + [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" + msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}" + } + + [ -n "$udp_port" ] && { + if [ "$udp_proxy_mode" != "disable" ]; then + msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]" + msg2="${msg2}(TPROXY:${udp_port})代理" + [ "$udp_no_redir_ports" != "disable" ] && { + nft add rule inet fw4 PSW_MANGLE meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return + nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_no_redir_ports "udp dport") counter return + msg2="${msg2}[$?]除${udp_no_redir_ports}外的" + } + msg2="${msg2}所有端口" + + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST 
counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} return comment \"$remarks\"" + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "tcp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" + } + else + msg2="${msg}不代理UDP" + fi + echolog " - ${msg2}" + } + done + unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node dns_mode remote_dns v2ray_dns_mode remote_dns_doh dns_client_ip + unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark config_file _extra_param + unset ipt_tmp msg msg2 + unset redirect_dns_port + done + unset socks_port redir_port dns_port dnsmasq_port + unset ipt_tmp msg msg2 + } + + # 加载TCP默认代理模式 + [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { + [ "$PROXY_IPV6" == "1" ] && { + nft "add 
rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\"" + [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) counter drop comment \"默认\"" + } + + nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr $FAKE_IP counter drop comment \"默认\"" + nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\"" + nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\"" + [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) counter drop comment \"默认\"" + } + + if [ "$TCP_PROXY_MODE" != "disable" ]; then + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { + nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" + nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\" + } + [ "$TCP_NODE" != "nil" ] && { + msg="TCP默认代理:使用TCP节点[$(config_n_get $TCP_NODE remarks)] [$(get_action_chain_name $TCP_PROXY_MODE)]" + if [ -n "${is_tproxy}" ]; then + msg="${msg}(TPROXY:${TCP_REDIR_PORT})代理" + else + msg="${msg}(REDIRECT:${TCP_REDIR_PORT})代理" + fi + + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的" + msg="${msg}所有端口" + + [ "$accept_icmp" = "1" ] && { + nft "add rule inet fw4 
PSW_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp $(get_redirect_ipv4 $TCP_PROXY_MODE) comment \"默认\"" + } + + [ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"默认\"" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_redirect_ipv6 $TCP_PROXY_MODE) comment \"默认\"" + } + + if [ -z "${is_tproxy}" ]; then + nft "add rule inet fw4 PSW ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\"" + nft "add rule inet fw4 PSW ip protocol tcp counter return comment \"默认\"" + else + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 
PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol tcp counter return comment \"默认\"" + fi + + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp counter return comment \"默认\"" + } + + echolog "${msg}" + } + fi + + # 加载UDP默认代理模式 + [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && { + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\"" + [ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) counter drop comment \"默认\"" + } + nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr $FAKE_IP counter drop comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE 
$(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\"" + [ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $UDP_PROXY_MODE) counter drop comment \"默认\"" + } + if [ "$UDP_PROXY_MODE" != "disable" ]; then + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && { + nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\"" + nft "add inet fw4 PSW_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\"" + } + + [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ] && { + [ "$TCP_UDP" = "1" ] && [ "$UDP_NODE" = "nil" ] && UDP_NODE=$TCP_NODE + msg="UDP默认代理:使用UDP节点[$(config_n_get $UDP_NODE remarks)] [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理" + + [ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的" + msg="${msg}所有端口" + + nft "add rule inet fw4 PSW_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE ip protocol udp counter return comment \"默认\"" + + [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && { + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment 
\"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) jump PSW_RULE comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\"" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp counter return comment \"默认\"" + } + + echolog "${msg}" + } + fi +} + +filter_haproxy() { + for item in ${haproxy_items}; do + local ip=$(get_host_ip ipv4 $(echo $item | awk -F ":" '{print $1}') 1) + insert_nftset $NFTSET_VPSIPLIST $ip + done + echolog "加入负载均衡的节点到ipset[$NFTSET_VPSIPLIST]直连完成" +} + +filter_vpsip() { + insert_nftset $NFTSET_VPSIPLIST $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e 's/$/,/' ) + insert_nftset $NFTSET_VPSIPLIST6 $(uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e 's/$/,/' ) + echolog "加入所有节点到ipset[$NFTSET_VPSIPLIST]直连完成" +} + +filter_node() { + local proxy_node=${1} + local stream=$(echo ${2} | tr 'A-Z' 'a-z') + local proxy_port=${3} + + filter_rules() { + local node=${1} + local stream=${2} + local _proxy=${3} + local _port=${4} + local _is_tproxy ipt_tmp msg msg2 + + if [ -n "$node" ] && [ "$node" != "nil" ]; then + local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z') + local address=$(config_n_get $node address) + local port=$(config_n_get $node port) + _is_tproxy=${is_tproxy} + [ "$stream" == "udp" ] && _is_tproxy="TPROXY" + if [ -n "${_is_tproxy}" ]; then + msg="TPROXY" + else + msg="REDIRECT" + fi + else + echolog " - 节点配置不正常,略过" + return 0 + fi + + local ADD_INDEX=$FORCE_INDEX + for _ipt in 4 6; do + [ "$_ipt" == "4" ] && _ip_type=ip6 + [ "$_ipt" == "6" ] && _ip_type=ip + nft 
"list chain inet fw4 PSW_OUTPUT" | grep -q "${address}:${port}" + if [ $? -ne 0 ]; then + unset dst_rule + local dst_rule="jump PSW_RULE" + msg2="按规则路由(${msg})" + [ -n "${is_tproxy}" ] || { + dst_rule=$(REDIRECT $_port) + msg2="套娃使用(${msg}:${port} -> ${_port})" + } + [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || { + ADD_INDEX=$(RULE_LAST_INDEX "inet fw4" PSW_OUTPUT "$NFTSET_VPSIPLIST" $FORCE_INDEX) + dst_rule="return" + msg2="直连代理" + } + nft "insert rule inet fw4 PSW_OUTPUT position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address tcp dport $port $dst_rule" 2>/dev/null + nft "insert rule inet fw4 PSW_OUTPUT position $ADD_INDEX comment \"${address}:${port}\" meta l4proto $stream $_ip_type daddr $address udp dport $port $dst_rule" 2>/dev/null + else + msg2="已配置过的节点," + fi + done + msg="[$?]$(echo ${2} | tr 'a-z' 'A-Z')${msg2}使用链${ADD_INDEX},节点(${type}):${address}:${port}" + #echolog " - ${msg}" + } + + local proxy_protocol=$(config_n_get $proxy_node protocol) + local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z') + [ "$proxy_type" == "nil" ] && echolog " - 节点配置不正常,略过!:${proxy_node}" && return 0 + if [ "$proxy_protocol" == "_balancing" ]; then + #echolog " - 多节点负载均衡(${proxy_type})..." + proxy_node=$(config_n_get $proxy_node balancing_node) + for _node in $proxy_node; do + filter_rules "$_node" "$stream" + done + elif [ "$proxy_protocol" == "_shunt" ]; then + #echolog " - 按请求目的地址分流(${proxy_type})..." 
+ local default_node=$(config_n_get $proxy_node default_node _direct) + local main_node=$(config_n_get $proxy_node main_node nil) + if [ "$main_node" != "nil" ]; then + filter_rules $main_node $stream + else + if [ "$default_node" != "_direct" ] && [ "$default_node" != "_blackhole" ]; then + filter_rules $default_node $stream + fi + fi +:</dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1) + [ -n "$ISP_DNS" ] && { + #echolog "处理 ISP DNS 例外..." + for ispip in $ISP_DNS; do + insert_nftset $NFTSET_WHITELIST $ispip >/dev/null 2>&1 & + #echolog " - 追加到白名单:${ispip}" + done + } + + local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u | grep -v -Fx ::1 | grep -v -Fx ::) + [ -n "$ISP_DNS" ] && { + #echolog "处理 ISP IPv6 DNS 例外..." + for ispip6 in $ISP_DNS; do + insert_nftset $NFTSET_WHITELIST6 $ispip6 >/dev/null 2>&1 & + #echolog " - 追加到白名单:${ispip6}" + done + } + + # 过滤所有节点IP + filter_vpsip > /dev/null 2>&1 & + filter_haproxy > /dev/null 2>&1 & + + accept_icmp=$(config_t_get global_forwarding accept_icmp 0) + accept_icmpv6=$(config_t_get global_forwarding accept_icmpv6 0) + + local tcp_proxy_way=$(config_t_get global_forwarding tcp_proxy_way redirect) + if [ "$tcp_proxy_way" = "redirect" ]; then + unset is_tproxy + nft_prerouting_chain="PSW" + nft_output_chain="PSW_OUTPUT" + elif [ "$tcp_proxy_way" = "tproxy" ]; then + is_tproxy="TPROXY" + nft_prerouting_chain="PSW_MANGLE" + nft_output_chain="PSW_OUTPUT_MANGLE" + fi + + nft "add chain inet fw4 nat_output { type nat hook output priority -1; }" + + nft "add chain inet fw4 PSW_DIVERT" + nft "flush chain inet fw4 PSW_DIVERT" + nft "add rule inet fw4 PSW_DIVERT meta l4proto tcp socket transparent 1 mark set 1 counter accept" + + nft "add chain inet fw4 PSW_REDIRECT" + nft "flush chain inet fw4 PSW_REDIRECT" + nft "add rule inet fw4 dstnat jump PSW_REDIRECT" + + # for ipv4 
ipv6 tproxy mark + nft "add chain inet fw4 PSW_RULE" + nft "flush chain inet fw4 PSW_RULE" + nft "add rule inet fw4 PSW_RULE meta mark set ct mark counter" + nft "add rule inet fw4 PSW_RULE meta mark 1 counter return" + nft "add rule inet fw4 PSW_RULE tcp flags &(fin|syn|rst|ack) == syn meta mark set 1 counter" + nft "add rule inet fw4 PSW_RULE meta l4proto udp ct state new meta mark set 1 counter" + nft "add rule inet fw4 PSW_RULE ct mark set mark counter" + + #ipv4 tproxy mode and udp + nft "add chain inet fw4 PSW_MANGLE" + nft "flush chain inet fw4 PSW_MANGLE" + nft "add rule inet fw4 PSW_MANGLE meta mark 0xff counter return" + nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANIPLIST counter return" + nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return" + nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return" + nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop" + + nft "add chain inet fw4 PSW_OUTPUT_MANGLE" + nft "flush chain inet fw4 PSW_OUTPUT_MANGLE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANIPLIST counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSIPLIST counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop" + + # jump chains + nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE" + insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT" + + #ipv4 tcp redirect mode + [ -z "${is_tproxy}" ] && { + nft "add chain inet fw4 PSW" + nft "flush chain inet fw4 PSW" + nft "add rule inet fw4 PSW ip daddr @$NFTSET_LANIPLIST counter return" + nft "add rule inet fw4 PSW ip daddr @$NFTSET_VPSIPLIST counter return" + nft "add rule inet fw4 PSW ip daddr @$NFTSET_WHITELIST counter return" + nft "add 
rule inet fw4 PSW ip daddr @$NFTSET_BLOCKLIST counter drop" + nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW" + + nft "add chain inet fw4 PSW_OUTPUT" + nft "flush chain inet fw4 PSW_OUTPUT" + nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_LANIPLIST counter return" + nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_VPSIPLIST counter return" + nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_WHITELIST counter return" + nft "add rule inet fw4 PSW_OUTPUT ip daddr @$NFTSET_BLOCKLIST counter drop" + } + + #icmp ipv6-icmp redirect + if [ "$accept_icmp" = "1" ]; then + nft "add chain inet fw4 PSW_ICMP_REDIRECT" + nft "flush chain inet fw4 PSW_ICMP_REDIRECT" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANIPLIST counter return" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSIPLIST counter return" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return" + + [ "$accept_icmpv6" = "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANIPLIST6 counter return" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSIPLIST6 counter return" + nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return" + } + + nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT" + nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT" + fi + + WAN_IP=$(get_wan_ip) + [ -n "${WAN_IP}" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" || nft "add rule inet fw4 PSW ip daddr ${WAN_IP} counter return comment \"WAN_IP_RETURN\"" + unset WAN_IP + + ip rule add fwmark 1 lookup 100 + ip route add local 0.0.0.0/0 dev lo table 100 + + #ipv6 tproxy mode and udp + nft "add chain inet fw4 PSW_MANGLE_V6" + nft "flush chain inet fw4 PSW_MANGLE_V6" + nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return" + nft "add rule inet 
fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return" + nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return" + nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop" + + nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6" + nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANIPLIST6 counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSIPLIST6 counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop" + + # jump chains + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6" + nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\"" + + WAN6_IP=$(get_wan6_ip) + [ -n "${WAN6_IP}" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr ${WAN6_IP} counter return comment \"WAN6_IP_RETURN\"" + unset WAN6_IP + + ip -6 rule add fwmark 1 table 100 + ip -6 route add local ::/0 dev lo table 100 + } + + # 加载路由器自身代理 TCP + if [ "$TCP_NODE" != "nil" ]; then + echolog "加载路由器自身 TCP 代理..." 
+ + [ "$accept_icmp" = "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr 198.18.0.0/16 counter redirect" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr @$NFTSET_SHUNTLIST counter redirect" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp ip daddr @$NFTSET_BLACKLIST counter redirect" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmp $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter redirect" + } + + [ "$accept_icmpv6" = "1" ] && { + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 counter redirect" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 counter redirect" + nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) counter redirect" + } + + [ -n "${is_tproxy}" ] && { + echolog " - 启用 TPROXY 模式" + } + + _proxy_tcp_access() { + [ -n "${2}" ] || return 0 + nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null + [ $? 
-eq 0 ] && { + echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问" + return 0 + } + if [ -z "${is_tproxy}" ]; then + nft add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr ${2} tcp dport ${3} $(REDIRECT $TCP_REDIR_PORT) + else + nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr ${2} tcp dport ${3} counter jump PSW_RULE + nft add rule inet fw4 PSW_MANGLE iifname lo tcp dport ${3} ip daddr ${2} $(REDIRECT $TCP_REDIR_PORT TPROXY4) comment \"本机\" + fi + echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链" + } + + [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_tcp_access 53 + [ "$TCP_NO_REDIR_PORTS" != "disable" ] && { + nft "add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter return" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter return" + echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS" + } + [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && { + nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop + nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop + nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop + [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter drop + echolog " - [$?],屏蔽代理TCP 端口:$TCP_PROXY_DROP_PORTS" + } + + if [ -z "${is_tproxy}" ]; then + nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)" + nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT 
$TCP_REDIR_PORT)" + nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)" + nft "add rule inet fw4 PSW_OUTPUT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)" + nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT" + else + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\"" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp iifname lo counter return comment \"本机\"" + nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\"" + fi + + [ "$PROXY_IPV6" == "1" ] && { + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE" + nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE" + nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iifname lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\"" + nft "add rule inet fw4 PSW_MANGLE_V6 
meta l4proto tcp iifname lo counter return comment \"本机\"" + } + fi + + # 过滤Socks节点 + [ "$SOCKS_ENABLED" = "1" ] && { + local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}') + #echolog "分析 Socks 服务所使用节点..." + local id enabled node port msg num + for id in $ids; do + enabled=$(config_n_get $id enabled 0) + [ "$enabled" == "1" ] || continue + node=$(config_n_get $id node nil) + port=$(config_n_get $id port 0) + msg="Socks 服务 [:${port}]" + if [ "$node" == "nil" ] || [ "$port" == "0" ]; then + msg="${msg} 未配置完全,略过" + elif [ "$(echo $node | grep ^tcp)" ]; then + #eval "node=\${TCP_NODE}" + #msg="${msg} 使用与 TCP 代理自动切换${num} 相同的节点,延后处理" + continue + else + filter_node $node TCP > /dev/null 2>&1 & + filter_node $node UDP > /dev/null 2>&1 & + fi + #echolog " - ${msg}" + done + } + + # 处理轮换节点的分流或套娃 + local node port stream switch + for stream in TCP UDP; do + eval "node=\${${stream}_NODE}" + eval "port=\${${stream}_REDIR_PORT}" + #echolog "分析 $stream 代理自动切换..." 
+ [ "$node" == "tcp" ] && [ "$stream" == "UDP" ] && {
+ eval "node=\${TCP_NODE}"
+ eval "port=\${TCP_REDIR_PORT}"
+ }
+ if [ "$node" != "nil" ]; then
+ filter_node $node $stream $port > /dev/null 2>&1 &
+ fi
+ done
+
+ # 加载路由器自身代理 UDP
+ [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
+ nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+ nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+ nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+ [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE counter ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) counter drop
+ echolog " - [$?],屏蔽代理UDP 端口:$UDP_PROXY_DROP_PORTS"
+ }
+ if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
+ echolog "加载路由器自身 UDP 代理..."
+ _proxy_udp_access() {
+ [ -n "${2}" ] || return 0
+ nft "get element inet fw4 $NFTSET_LANIPLIST {${2}}" &>/dev/null
+ [ $? == 0 ] && {
+ echolog " - 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
+ return 0
+ }
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr ${2} udp dport ${3} counter jump PSW_RULE"
+ nft "add rule inet fw4 PSW_MANGLE iifname lo meta l4proto udp ip daddr ${2} $(REDIRECT $UDP_REDIR_PORT TPROXY4) comment \"本机\""
+ echolog " - [$?]将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链"
+ }
+ [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach REMOTE_DNS _proxy_udp_access 53
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+ nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
+ nft add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return
+ echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
+ }
+
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
+ nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+ nft "add rule inet fw4 PSW_MANGLE ip protocol udp iifname lo counter return comment \"本机\""
+ nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
+
+ [ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_PROXY_MODE) jump PSW_RULE"
+ nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
+ nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iifname lo counter return comment \"本机\""
+ }
+ fi
+
+ nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
+ nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
+
+ nft "add rule inet fw4 PSW_MANGLE counter ip protocol udp udp dport 53 counter return"
+ nft "add rule inet fw4 PSW_MANGLE_V6 counter meta l4proto udp udp dport 53 counter return"
+ # 加载ACLS
+ load_acl
+
+ # dns_hijack "force"
+
+ echolog "防火墙规则加载完成!"
+}
+
+del_firewall_rule() {
+ for nft in "input" "forward" "dstnat" "srcnat" "nat_output" "mangle_prerouting" "mangle_output"; do
+ local handles=$(nft -a list chain inet fw4 ${nft} | grep -E "PSW" | awk -F '# handle ' '{print$2}')
+ for handle in $handles; do
+ nft delete rule inet fw4 ${nft} handle ${handle} 2>/dev/null
+ done
+ done
+
+ for handle in $(nft -a list chains |grep -E "chain PSW" |awk -F '# handle ' '{print$2}'); do
+ nft delete chain inet fw4 handle ${handle} 2>/dev/null
+ done
+
+ ip rule del fwmark 1 lookup 100 2>/dev/null
+ ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
+
+ ip -6 rule del fwmark 1 table 100 2>/dev/null
+ ip -6 route del local ::/0 dev lo table 100 2>/dev/null
+
+ destroy_nftset $NFTSET_LANIPLIST
+ destroy_nftset $NFTSET_VPSIPLIST
+ #destroy_nftset $NFTSET_SHUNTLIST
+ #destroy_nftset $NFTSET_GFW
+ #destroy_nftset $NFTSET_CHN
+ #destroy_nftset $NFTSET_BLACKLIST
+ destroy_nftset $NFTSET_BLOCKLIST
+ destroy_nftset $NFTSET_WHITELIST
+
+ destroy_nftset $NFTSET_LANIPLIST6
+ destroy_nftset $NFTSET_VPSIPLIST6
+ #destroy_nftset $NFTSET_SHUNTLIST6
+ #destroy_nftset $NFTSET_GFW6
+ #destroy_nftset $NFTSET_CHN6
+ #destroy_nftset $NFTSET_BLACKLIST6
+ destroy_nftset $NFTSET_BLOCKLIST6
+ destroy_nftset $NFTSET_WHITELIST6
+
+ echolog "删除相关防火墙规则完成。"
+}
+
+flush_nftset() {
+ del_firewall_rule
+ destroy_nftset $NFTSET_VPSIPLIST $NFTSET_SHUNTLIST $NFTSET_GFW $NFTSET_CHN $NFTSET_BLACKLIST $NFTSET_BLOCKLIST $NFTSET_WHITELIST $NFTSET_LANIPLIST
+ destroy_nftset $NFTSET_VPSIPLIST6 $NFTSET_SHUNTLIST6 $NFTSET_GFW6 $NFTSET_CHN6 $NFTSET_BLACKLIST6 $NFTSET_BLOCKLIST6 $NFTSET_WHITELIST6 $NFTSET_LANIPLIST6
+ rm -rf /tmp/etc/passwall_tmp/smartdns*
+ rm -rf /tmp/etc/passwall_tmp/dnsmasq*
+ /etc/init.d/passwall reload
+}
+
+flush_include() {
+ echo '#!/bin/sh' >$FWI
+}
+
+gen_include() {
+ echo "" > $TMP_PATH2/passwall.nft
+ for chain in $(nft -a list chains |grep -E "chain PSW" |awk -F ' ' '{print$2}'); do
+ nft list chain inet fw4 ${chain} >> $TMP_PATH2/passwall.nft
+ done
+
+ local __nft=" "
+ [ -z "${nft}" ] && {
+ __nft=$(cat <<- EOF
+ nft -f ${TMP_PATH2}/passwall.nft
+
+ nft "add rule inet fw4 dstnat jump PSW_REDIRECT"
+
+ [ "$accept_icmp" == "1" ] && {
+ nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
+ nft "add rule inet fw4 nat_output meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
+ }
+
+ [ -z "${is_tproxy}" ] && {
+ nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW"
+ nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT"
+ }
+
+ nft "add rule inet fw4 mangle_prerouting counter jump PSW_MANGLE"
+ [ -n "${is_tproxy}" ] && nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto tcp counter jump PSW_OUTPUT_MANGLE comment \"mangle-OUTPUT-PSW\""
+ nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE"
+ \$(${MY_PATH} insert_rule_before "inet fw4" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT")
+
+ [ "$PROXY_IPV6" == "1" ] && {
+ nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv6} counter jump PSW_MANGLE_V6"
+ nft "add rule inet fw4 mangle_output meta nfproto {ipv6} counter jump PSW_OUTPUT_MANGLE_V6 comment \"mangle-OUTPUT-PSW\""
+ }
+
+ nft "add rule inet fw4 mangle_output oifname lo counter return comment \"mangle-OUTPUT-PSW\""
+ nft "add rule inet fw4 mangle_output meta mark 1 counter return comment \"mangle-OUTPUT-PSW\""
+ EOF
+ )
+ }
+ cat <<-EOF >> $FWI
+ ${__nft}
+ EOF
+ return 0
+}
+
+get_ipt_bin() {
+ echo $ipt
+}
+
+get_ip6t_bin() {
+ echo $ip6t
+}
+
+start() {
+ add_firewall_rule
+ gen_include
+}
+
+stop() {
+ del_firewall_rule
+ flush_include
+}
+
+arg1=$1
+shift
+case $arg1 in
+RULE_LAST_INDEX)
+ RULE_LAST_INDEX "$@"
+ ;;
+insert_rule_before)
+ insert_rule_before "$@"
+ ;;
+insert_rule_after)
+ insert_rule_after "$@"
+ ;;
+flush_ipset)
+ flush_nftset
+ ;;
+get_wan_ip)
+ get_wan_ip
+ ;;
+get_wan6_ip)
+ get_wan6_ip
+ ;;
+stop)
+ stop
+ ;;
+start)
+ start
+ ;;
+*) ;;
+esac
diff --git a/natflow/Makefile b/natflow/Makefile
index 96a65682f..946050100 100644
--- a/natflow/Makefile
+++ b/natflow/Makefile
@@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=natflow
-PKG_VERSION:=20221008
+PKG_VERSION:=20221013
 PKG_SOURCE_URL:=https://codeload.github.com/ptpt52/natflow/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=c3911f8078ca138456751d53d1fd661228ab4d25a810b8808bdd8059912250b2
+PKG_HASH:=fd9010e21ba6536c37d061e9f4fcc7bdb542f537e5e0e5aaa1a1e8914afc9b9e
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_MAINTAINER:=Chen Minqiang
diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile
deleted file mode 100644
index d5072e51e..000000000
--- a/shadowsocks-libev/Makefile
+++ /dev/null
@@ -1,130 +0,0 @@
-#
-# Copyright (C) 2017-2020 Yousong Zhou
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-# Checklist when bumping versions
-#
-# - update cipher list by checking src/crypto.c:crypto_init()
-# - check if default mode has changed from being tcp_only
-#
-PKG_NAME:=shadowsocks-libev
-PKG_VERSION:=3.3.5
-PKG_RELEASE:=7
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
-PKG_HASH:=cfc8eded35360f4b67e18dc447b0c00cddb29cc57a3cec48b135e5fb87433488
-
-PKG_MAINTAINER:=Yousong Zhou
-
-PKG_LICENSE:=GPL-3.0-or-later
-PKG_LICENSE_FILES:=LICENSE
-
-PKG_FIXUP:=autoreconf
-PKG_INSTALL:=1
-PKG_USE_MIPS16:=0
-PKG_BUILD_PARALLEL:=1
-PKG_BUILD_DEPENDS:=c-ares pcre
-
-include $(INCLUDE_DIR)/package.mk
-
-
-define Package/shadowsocks-libev-config
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Web Servers/Proxies
- TITLE:=shadowsocks-libev config scripts
- URL:=https://github.com/shadowsocks/shadowsocks-libev
-endef
-
-define Package/shadowsocks-libev-config/conffiles
-/etc/config/shadowsocks-libev
-endef
-
-define Package/shadowsocks-libev-config/install
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev
-endef
-
-
-define Package/shadowsocks-libev/Default
- define Package/shadowsocks-libev-$(1)
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Web Servers/Proxies
- TITLE:=shadowsocks-libev $(1)
- URL:=https://github.com/shadowsocks/shadowsocks-libev
- DEPENDS:=+libev +libmbedtls +libpthread +libsodium +shadowsocks-libev-config $(DEPENDS_$(1))
- endef
-
- define Package/shadowsocks-libev-$(1)/install
- $$(INSTALL_DIR) $$(1)/usr/bin
- $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/bin/$(1) $$(1)/usr/bin
- endef
-
-endef
-
-DEPENDS_ss-local = +libpcre
-DEPENDS_ss-server = +libcares +libpcre
-
-SHADOWSOCKS_COMPONENTS:=ss-local ss-redir ss-tunnel ss-server
-define shadowsocks-libev/templates
- $(foreach component,$(SHADOWSOCKS_COMPONENTS),
- $(call Package/shadowsocks-libev/Default,$(component))
- )
-endef
-$(eval $(call shadowsocks-libev/templates))
-
-
-define Package/shadowsocks-libev-ss-rules
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Web Servers/Proxies
- TITLE:=shadowsocks-libev ss-rules
- URL:=https://github.com/shadowsocks/shadowsocks-libev
- DEPENDS:=+firewall4 \
- +ip \
- +resolveip \
- +ucode \
- +ucode-mod-fs \
- +shadowsocks-libev-ss-redir \
- +shadowsocks-libev-config \
- +kmod-nft-tproxy
-endef
-
-define Package/shadowsocks-libev-ss-rules/install
- $(INSTALL_DIR) $(1)/usr/share/ss-rules
- $(INSTALL_DATA) ./files/ss-rules/* $(1)/usr/share/ss-rules/
-endef
-
-define Build/Prepare
- $(call Build/Prepare/Default)
- $(FIND) $(PKG_BUILD_DIR) \
- -name '*.o' \
- -o -name '*.lo' \
- -o -name '.deps' \
- -o -name '.libs' \
- | $(XARGS) rm -rvf
-endef
-
-CONFIGURE_ARGS += \
- --disable-documentation \
- --disable-silent-rules \
- --disable-assert \
- --disable-ssp \
-
-TARGET_CFLAGS += -flto
-TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
-
-$(eval $(call BuildPackage,shadowsocks-libev-config))
-$(eval $(call BuildPackage,shadowsocks-libev-ss-rules))
-$(foreach component,$(SHADOWSOCKS_COMPONENTS), \
- $(eval $(call BuildPackage,shadowsocks-libev-$(component))) \
-)
diff --git a/shadowsocks-libev/README.md b/shadowsocks-libev/README.md
deleted file mode 100644
index c4a882540..000000000
--- a/shadowsocks-libev/README.md
+++ /dev/null
@@ -1,185 +0,0 @@
-Skip to [recipes](#recipes) for quick setup instructions
-
-# components
-
-`ss-local` provides SOCKS5 proxy with UDP associate support.
-
- socks5 ss plain
- --------> tcp:local_address:local_port ----> ss server -------> dest
-
-`ss-redir`. The REDIRECT and TPROXY part are to be provided by `ss-rules` script. REDIRECT is for tcp traffic (`SO_ORIGINAL_DST` only supports TCP). TPROXY is for udp messages, but it's only available in the PREROUTING chain and as such cannot proxy local out traffic.
-
- plain plain ss plain
- ---------> REDIRECT ------> tcp:local_address:local_port ----> ss server -----> original dest
-
- plain plain ss plain
- ---------> TPROXY -------> udp:local_address:local_port -----> ss server -----> original dest
-
-`ss-tunnel` provides ssh `-L` local-forwarding-like tunnel. Typically it's used to tunnel DNS traffic to the remote.
-
- plain ss plain
- ---------> tcp|udp:local_address:local_port ------> ss server -------> tunnel_address
-
-`ss-server`, the "ss server" in the above diagram
-
-# uci
-
-Option names are the same as those used in json config files. Check `validate_xxx` func definition of the [service script](files/shadowsocks-libev.init) and shadowsocks-libev's own documentation for supported options and expected value types. A [sample config file](files/shadowsocks-libev.config) is also provided for reference.
-
-Every section have a `disabled` option to temporarily turn off the component instance or component instances referring to it.
-
-Section type `server` is for definition of remote shadowsocks servers. They will be referred to from other component sections and as such should be named (as compared to anonymous section).
-
-Section type `ss_local`, `ss_redir`, `ss_tunnel` are for specification of shadowsocks-libev components. They share mostly a common set of options like `local_port`, `verbose`, `fast_open`, `timeout`, etc.
-
-Plugin options should be specified in `server` section and will be inherited by other compoenents referring to it.
-
-We can have multiple instances of component and `server` sections. The relationship between them is many-to-one. This will have the following implications
-
- - It's possible to have both `ss_local` and `ss_redir` referring to the same `server` definition
- - It's possible to have multiple instances of `ss_redir` listening on the same address:port with `reuse_port` enabled referring to the same or different `server` sections
-
-`ss_rules` section is for configuring the behaviour of `ss-rules` script. There can only exist at most one such section with the name also being `ss_rules`
-
- redir_tcp name of ss_redir section with mode tcp_only or tcp_and_udp
- redir_udp name of ss_redir section with mode udp_only or tcp_and_udp
- ifnames only apply rules on packets from these ifnames
-
- --- for incoming packets having source address in
-
- src_ips_bypass will bypass the redir chain
- src_ips_forward will always go through the redir chain
- src_ips_checkdst will continue to have their destination addresses checked
-
- --- otherwise, the default action can be specified with
-
- src_default bypass, forward, [checkdst]
-
- --- if the previous check result is checkdst,
- --- then packets having destination address in
-
- dst_ips_bypass_file
- dst_ips_bypass will bypass the redir chain
- dst_ips_forward_file
- dst_ips_forward will go through the redir chain
-
- --- otherwise, the default action can be specified with
-
- dst_default [bypass], forward
-
- --- for local out tcp packets, the default action can be specified with
-
- local_default [bypass], forward, checkdst
-
-ss-rules now uses nft set for storing addresses/networks. Those set names are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin nft set support. Note that while nftables set supports storing cidr networks when `interval` flag is on, it rejects elements with overlaping intervals.
-
-Extra nftables expressions can be specified with `nft_tcp_extra` and `nft_udp_extra` to apply ss_rules only to selected tcp/udp traffics. E.g. `tcp dport { 80, 443 }`, `udp dport 53`, etc.
-
-# incompatible changes
-
-| Commit date | Commit ID | Subject | Comment |
-| ----------- | --------- | ------- | ------- |
-| 2022-03-01 | fdaf2de2a | shadowsocks-libev: ss-rules: convert to using nft | ss-rules now uses nftables. UCI option ipt_args and dst_forward_recentrst are now deprecated and removed |
-| 2020-08-03 | 7d7cbae75 | shadowsocks-libev: support ss-server option local_address_{v4,v6} | ss_server bind_address now deprecated, use local_address |
-| 2019-05-09 | afe7d3424 | shadowsocks-libev: move plugin options to server section | This is a revision against c19e949 committed 2019-05-06 |
-| 2017-07-02 | b61af9703 | shadowsocks-libev: rewrite | Packaging of shadowsocks-libev was rewritten from scratch |
-
-# notes and faq
-
-Useful paths and commands for debugging
-
- # check current running status
- ubus call service list '{"name": "shadowsocks-libev"}'
- ubus call service list '{"name": "shadowsocks-libev", "verbose": true}'
-
- # dump validate definition
- ubus call service validate '{"package": "shadowsocks-libev"}'
- ubus call service validate '{"package": "shadowsocks-libev"}' \
- | jsonfilter -e '$["shadowsocks-libev"]["ss_tunnel"]'
-
- # check json config
- ls -l /var/etc/shadowsocks-libev/
-
- # set uci config option verbose to 1, restart the service and follow the log
- logread -f
-
-ss-redir needs to open a new socket and setsockopt IP_TRANSPARENT when sending udp reply to client. This requires `CAP_NET_ADMIN` and as such the process cannot run as `nobody`
-
-ss-local, ss-redir, etc. supports specifying an array of remote ss server, but supporting this in uci seems to be overkill. The workaround can be defining multiple `server` sections and multiple `ss-redir` instances with `reuse_port` enabled
-
-# recipes
-
-## forward all
-
-This will setup firewall rules to forward almost all incoming tcp/udp and locally generated tcp traffic (excluding those to private addresses like 192.168.0.0/16 etc.) through remote shadowsocks server
-
-Install components.
-Retry each command till it succeed
-
- opkg install shadowsocks-libev-ss-redir
- opkg install shadowsocks-libev-ss-rules
- opkg install shadowsocks-libev-ss-tunnel
-
-Edit uci config `/etc/config/shadowsocks-libev`.
-Replace `config server 'sss0'` section with parameters of your own remote shadowsocks server.
-As for other options, change them only when you know the effect.
-
- config server 'sss0'
- option disabled 0
- option server '_sss_addr_'
- option server_port '_sss_port_'
- option password '********'
- option method 'aes-256-cfb'
-
- config ss_tunnel
- option disabled 0
- option server 'sss0'
- option local_address '0.0.0.0'
- option local_port '8053'
- option tunnel_address '8.8.8.8:53'
- option mode 'tcp_and_udp'
-
- config ss_redir ssr0
- option disabled 0
- option server 'sss0'
- option local_address '0.0.0.0'
- option local_port '1100'
- option mode 'tcp_and_udp'
- option reuse_port 1
-
- config ss_rules 'ss_rules'
- option disabled 0
- option redir_tcp 'ssr0'
- option redir_udp 'ssr0'
- option src_default 'checkdst'
- option dst_default 'forward'
- option local_default 'forward'
-
-Restart shadowsocks-libev components
-
- /etc/init.d/shadowsocks-libev restart
-
-Check if things are in place
-
- nft list ruleset | sed -r -n '/^\t[a-z]+ ss_rules[^ ]+ \{/,/^\t\}/p'
- netstat -lntp | grep -E '8053|1100'
- ps ww | grep ss-
-
-Edit `/etc/config/dhcp`, making sure options are present in the first dnsmasq section like the following to let it use local tunnel endpoint for upstream dns query.
-Option `noresolv` instructs dnsmasq to not use other dns servers like advertised by local isp.
-Option `localuse` intends to make sure the device you are configuring also uses this dnsmasq instance as the resolver, not the ones from other sources.
-
- config dnsmasq
- ...
- list server '127.0.0.1#8053'
- option noresolv 1
- option localuse 1
-
-Restart dnsmasq
-
- /etc/init.d/dnsmasq restart
-
-Check network on your computer
-
- nslookup www.google.com
- curl -vv https://www.google.com
diff --git a/shadowsocks-libev/files/shadowsocks-libev.config b/shadowsocks-libev/files/shadowsocks-libev.config
deleted file mode 100644
index 1d41127b6..000000000
--- a/shadowsocks-libev/files/shadowsocks-libev.config
+++ /dev/null
@@ -1,60 +0,0 @@
-config ss_local
- option disabled 1
- option server 'sss0'
- option local_address '0.0.0.0'
- option local_port '1080'
- option timeout '30'
-
-config ss_tunnel
- option disabled 1
- option server 'sss0'
- option local_address '0.0.0.0'
- option local_port '1090'
- option tunnel_address 'example.com:80'
- option mode 'tcp_and_udp'
- option timeout '60'
-
-config ss_redir hi
- option disabled 1
- option server 'sss0'
- option local_address '0.0.0.0'
- option local_port '1100'
- option mode 'tcp_and_udp'
- option timeout '60'
- option fast_open 1
- option verbose 1
- option reuse_port 1
-
-config ss_redir hj
- option disabled 1
- option server 'sss0'
- option local_address '0.0.0.0'
- option local_port '1100'
- option mode 'tcp_and_udp'
- option timeout '60'
- option fast_open 1
- option verbose 1
- option reuse_port 1
-
-config ss_rules 'ss_rules'
- option disabled 1
- option redir_tcp 'hi'
- option redir_udp 'hi'
- option src_default 'checkdst'
- option dst_default 'bypass'
- option local_default 'checkdst'
- list src_ips_forward '192.168.1.4'
- list dst_ips_forward '8.8.8.8'
-
-config server 'sss0'
- option disabled 1
- option server '192.168.1.3'
- option server_port '9001'
- option password '********'
- option method 'aes-256-cfb'
-
-config ss_server
- option disabled 1
- option server_port '9001'
- option password '********'
- option method 'aes-256-cfb'
diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init
deleted file mode 100755
index f9aee76a7..000000000
--- a/shadowsocks-libev/files/shadowsocks-libev.init
+++ /dev/null
@@ -1,317 +0,0 @@
-#!/bin/sh /etc/rc.common
-#
-# Copyright (C) 2017-2019 Yousong Zhou
-#
-# This is free software, licensed under the GNU General Public License v3.
-# See /LICENSE for more information.
-#
-
-USE_PROCD=1
-START=99
-
-ss_confdir=/var/etc/shadowsocks-libev
-ss_bindir=/usr/bin
-
-ssrules_uc="/usr/share/ss-rules/ss-rules.uc"
-ssrules_nft="/etc/nftables.d/90-ss-rules.nft"
-
-ss_mkjson_server_conf() {
- local cfgserver
-
- config_get cfgserver "$cfg" server
- [ -n "$cfgserver" ] || return 1
- eval "$(validate_server_section "$cfg" ss_validate_mklocal)"
- validate_server_section "$cfgserver" || return 1
- [ "$disabled" = 0 ] || return 1
- ss_mkjson_server_conf_ "$cfgserver"
-}
-
-ss_mkjson_server_conf_() {
- [ -n "$server_port" ] || return 1
- [ -z "$server" ] || json_add_string server "$server"
- json_add_int server_port "$server_port"
- [ -z "$method" ] || json_add_string method "$method"
- [ -z "$key" ] || json_add_string key "$key"
- [ -z "$password" ] || json_add_string password "$password"
- [ -z "$plugin" ] || json_add_string plugin "$plugin"
- [ -z "$plugin_opts" ] || json_add_string plugin_opts "$plugin_opts"
-}
-
-ss_mkjson_ss_local_conf() {
- ss_mkjson_server_conf
-}
-
-ss_mkjson_ss_redir_conf() {
- ss_mkjson_server_conf
-}
-
-ss_mkjson_ss_server_conf() {
- ss_mkjson_server_conf_
-}
-
-ss_mkjson_ss_tunnel_conf() {
- ss_mkjson_server_conf || return 1
- [ -n "$tunnel_address" ] || return 1
- json_add_string tunnel_address "$tunnel_address"
-}
-
-ss_xxx() {
- local cfg="$1"
- local cfgtype="$2"
- local bin="$ss_bindir/${cfgtype/_/-}"
- local confjson="$ss_confdir/$cfgtype.$cfg.json"
-
- [ -x "$bin" ] || return
- eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)"
- "validate_${cfgtype}_section" "$cfg" || return
- [ "$disabled" = 0 ] || return
-
- json_init
- ss_mkjson_${cfgtype}_conf || return
- json_add_boolean use_syslog 1
- json_add_boolean ipv6_first "$ipv6_first"
- json_add_boolean fast_open "$fast_open"
- json_add_boolean reuse_port "$reuse_port"
- json_add_boolean no_delay "$no_delay"
- [ -z "$local_address" ] || json_add_string local_address "$local_address"
- [ -z "$local_port" ] || json_add_int local_port "$local_port"
- [ -z "$local_ipv4_address" ] || json_add_string local_ipv4_address "$local_ipv4_address"
- [ -z "$local_ipv6_address" ] || json_add_string local_ipv6_address "$local_ipv6_address"
- [ -z "$mode" ] || json_add_string mode "$mode"
- [ -z "$mtu" ] || json_add_int mtu "$mtu"
- [ -z "$timeout" ] || json_add_int timeout "$timeout"
- [ -z "$user" ] || json_add_string user "$user"
- json_dump -i >"$confjson"
-
- procd_open_instance "$cfgtype.$cfg"
- procd_set_param command "$bin" -c "$confjson"
- [ "$verbose" = 0 ] || procd_append_param command -v
- if [ -n "$bind_address" ]; then
- echo "$cfgtype $cfg: uci option bind_address deprecated, please switch to local_address" >&2
- procd_append_param command -b "$bind_address"
- fi
- procd_set_param file "$confjson"
- procd_set_param respawn
- procd_close_instance
- ss_rules_cb
-}
-
-ss_rules_cb() {
- local cfgserver server
-
- if [ "$cfgtype" = ss_redir ]; then
- config_get cfgserver "$cfg" server
- config_get server "$cfgserver" server
- ss_redir_servers="$ss_redir_servers $server"
- if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then
- eval "ss_rules_redir_tcp_$cfg=$local_port"
- fi
- if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then
- eval "ss_rules_redir_udp_$cfg=$local_port"
- fi
- fi
-}
-
-ss_rules_nft_gen() {
- local cfg="ss_rules"
- local cfgtype
- local local_port_tcp local_port_udp
- local remote_servers
-
- [ -s "$ssrules_uc" ] || return 1
-
- config_get cfgtype "$cfg" TYPE
- [ "$cfgtype" = ss_rules ] || return 1
-
- eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
- validate_ss_rules_section "$cfg" || return 1
- [ "$disabled" = 0 ] || return 2
-
- eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
- eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
- [ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
- remote_servers="$(echo $ss_redir_servers \
- | tr ' ' '\n' \
- | sort -u \
- | xargs -n 1 resolveip \
- | sort -u)"
-
- local tmp="/tmp/ssrules"
- json_init
- json_add_string o_remote_servers "$remote_servers"
- json_add_int o_redir_tcp_port "$local_port_tcp"
- json_add_int o_redir_udp_port "$local_port_udp"
- json_add_string o_ifnames "$ifnames"
- json_add_string o_local_default "$local_default"
- json_add_string o_src_bypass "$src_ips_bypass"
- json_add_string o_src_forward "$src_ips_forward"
- json_add_string o_src_checkdst "$src_ips_checkdst"
- json_add_string o_src_default "$src_default"
- json_add_string o_dst_bypass "$dst_ips_bypass"
- json_add_string o_dst_forward "$dst_ips_forward"
- json_add_string o_dst_bypass_file "$dst_ips_bypass_file"
- json_add_string o_dst_forward_file "$dst_ips_forward_file"
- json_add_string o_dst_default "$dst_default"
- json_add_string o_nft_tcp_extra "$nft_tcp_extra"
- json_add_string o_nft_udp_extra "$nft_udp_extra"
- json_dump -i >"$tmp.json"
-
- if utpl -S -F "$tmp.json" "$ssrules_uc" >"$tmp.nft" \
- && ! cmp -s "$tmp.nft" "$ssrules_nft"; then
- echo "table inet chk {include \"$tmp.nft\";}" >"$tmp.nft.chk"
- if nft -f "$tmp.nft.chk" -c; then
- mv "$tmp.nft" "$ssrules_nft"
- fw4 restart
- fi
- rm -f "$tmp.nft.chk"
- fi
- rm -f "$tmp.json"
- rm -f "$tmp.nft"
-}
-
-ss_rules_nft_reset() {
- if [ -f "$ssrules_nft" ]; then
- rm -f "$ssrules_nft"
- fw4 restart
- fi
-}
-
-ss_rules() {
- if ! ss_rules_nft_gen; then
- ss_rules_nft_reset
- fi
-}
-
-start_service() {
- local cfgtype
-
- mkdir -p "$ss_confdir"
- config_load shadowsocks-libev
- for cfgtype in ss_local ss_redir ss_server ss_tunnel; do
- config_foreach ss_xxx "$cfgtype" "$cfgtype"
- done
- ss_rules
-}
-
-stop_service() {
- ss_rules_nft_reset
- rm -rf "$ss_confdir"
-}
-
-service_triggers() {
- procd_add_reload_interface_trigger wan
- procd_add_reload_trigger shadowsocks-libev
- procd_open_validate
- validate_server_section
- validate_ss_local_section
- validate_ss_redir_section
- validate_ss_rules_section
- validate_ss_server_section
- validate_ss_tunnel_section
- procd_close_validate
-}
-
-ss_validate_mklocal() {
- local tuple opts
-
- shift 2
- for tuple in "$@"; do
- opts="${tuple%%:*} $opts"
- done
- [ -z "$opts" ] || echo "local $opts"
-}
-
-ss_validate() {
- uci_validate_section shadowsocks-libev "$@"
-}
-
-validate_common_server_options_() {
- local cfgtype="$1"; shift
- local cfg="$1"; shift
- local func="$1"; shift
- local stream_methods='"table", "rc4", "rc4-md5", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb", "aes-128-ctr", "aes-192-ctr", "aes-256-ctr", "bf-cfb", "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb", "salsa20", "chacha20", "chacha20-ietf"'
- local aead_methods='"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"'
-
- "${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
- 'disabled:bool:0' \
- 'server:host' \
- 'server_port:port' \
- 'password:string' \
- 'key:string' \
- "method:or($stream_methods, $aead_methods)" \
- 'plugin:string' \
- 'plugin_opts:string'
-}
-
-validate_common_client_options_() {
- validate_common_options_ "$@" \
- 'server:uci("shadowsocks-libev", "@server")' \
- 'local_address:ipaddr:0.0.0.0' \
- 'local_port:port'
-}
-
-validate_common_options_() {
- local cfgtype="$1"; shift
- local cfg="$1"; shift
- local func="$1"; shift
-
- "${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
- 'disabled:bool:0' \
- 'fast_open:bool:0' \
- 'ipv6_first:bool:0' \
- 'no_delay:bool:0' \
- 'reuse_port:bool:0' \
- 'verbose:bool:0' \
- 'mode:or("tcp_only", "udp_only", "tcp_and_udp"):tcp_only' \
- 'mtu:uinteger' \
- 'timeout:uinteger' \
- 'user:string'
-}
-
-validate_server_section() {
- validate_common_server_options_ server "$1" "$2"
-}
-
-validate_ss_local_section() {
- validate_common_client_options_ ss_local "$1" "$2"
-}
-
-validate_ss_redir_section() {
- validate_common_client_options_ ss_redir "$1" "$2"
-}
-
-validate_ss_rules_section() {
- "${2:-ss_validate}" ss_rules "$1" \
- 'disabled:bool:0' \
- 'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \
- 'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \
- 'src_ips_bypass:or(ipaddr,cidr)' \
- 'src_ips_forward:or(ipaddr,cidr)' \
- 'src_ips_checkdst:or(ipaddr,cidr)' \
- 'dst_ips_bypass_file:file' \
- 'dst_ips_bypass:or(ipaddr,cidr)' \
- 'dst_ips_forward_file:file' \
- 'dst_ips_forward:or(ipaddr,cidr)' \
- 'src_default:or("bypass", "forward", "checkdst"):checkdst' \
- 'dst_default:or("bypass", "forward"):bypass' \
- 'local_default:or("bypass", "forward", "checkdst"):bypass' \
- 'nft_tcp_extra:string' \
- 'nft_udp_extra:string' \
- 'ifnames:maxlength(15)'
-}
-
-validate_ss_server_section() {
- validate_common_server_options_ ss_server "$1" \
- validate_common_options_ \
- "$2" \
- 'local_address:ipaddr' \
- 'local_ipv4_address:ip4addr' \
- 'local_ipv6_address:ip6addr' \
- 'bind_address:ipaddr'
-}
-
-validate_ss_tunnel_section() {
- validate_common_client_options_ ss_tunnel "$1" \
- "$2" \
- 'tunnel_address:regex(".+\:[0-9]+")'
-}
diff --git a/shadowsocks-libev/files/ss-rules/chain.uc b/shadowsocks-libev/files/ss-rules/chain.uc
deleted file mode 100644
index 3047f1663..000000000
--- a/shadowsocks-libev/files/ss-rules/chain.uc
+++ /dev/null
@@ -1,122 +0,0 @@
-{%
-function get_local_verdict() {
- let v = o_local_default;
- if (v == "checkdst") {
- return "goto ss_rules_dst_" + proto;
- } else if (v == "forward") {
- return "goto ss_rules_forward_" + proto;
- } else {
- return null;
- }
-}
-
-function get_src_default_verdict() {
- let v = o_src_default;
- if (v == "checkdst") {
- return "goto ss_rules_dst_" + proto;
- } else if (v == "forward") {
- return "goto ss_rules_forward_" + proto;
- } else {
- return "accept";
- }
-}
-
-function get_dst_default_verdict() {
- let v = o_dst_default;
- if (v == "forward") {
- return "goto ss_rules_forward_" + proto;
- } else {
- return "accept";
- }
-}
-
-function get_ifnames() {
- let res = [];
- for (let ifname in split(o_ifnames, /[ \t\n]/)) {
- ifname = trim(ifname);
- if (ifname) push(res, ifname);
- }
- return res;
-}
-
-let type, hook, priority, redir_port;
-if (proto == "tcp") {
- type = "nat";
- hook = "prerouting";
- priority = -1;
- redir_port = o_redir_tcp_port;
-} else if (proto == "udp") {
- type = "filter";
- hook = "prerouting";
- priority = "mangle";
- redir_port = o_redir_udp_port;
- if (system("
- set -o errexit
- iprr() {
- while ip $1 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
- ip $1 rule add fwmark 1 lookup 100
- ip $1 route flush table 100 2>/dev/null || true
- ip $1 route add local default dev lo table 100
- }
- iprr -4
- iprr -6
- ") != 0) {
- return ;
- }
-} else {
- return;
-}
-
-%}
-{% if (redir_port): %}
-
-chain ss_rules_pre_{{ proto }} {
- type {{ type }} hook {{ hook }} priority {{ priority }};
- meta l4proto {{ proto }}{%- let ifnames=get_ifnames(); if (length(ifnames)): %} iifname { {{join(", ", ifnames)}} }{% endif %} goto ss_rules_pre_src_{{ proto }};
-}
-
-chain ss_rules_pre_src_{{ proto }} {
- ip daddr @ss_rules_dst_bypass_ accept;
- ip6 daddr @ss_rules6_dst_bypass_ accept;
- goto ss_rules_src_{{ proto }};
-}
-
-chain ss_rules_src_{{ proto }} {
- ip saddr @ss_rules_src_bypass accept;
- ip saddr @ss_rules_src_forward goto ss_rules_forward_{{ proto }};
- ip saddr @ss_rules_src_checkdst goto ss_rules_dst_{{ proto }};
- ip6 saddr @ss_rules6_src_bypass accept;
- ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_{{ proto }};
- ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_{{ proto }};
- {{ get_src_default_verdict() }};
-}
-
-chain ss_rules_dst_{{ proto }} {
- ip daddr @ss_rules_dst_bypass accept;
- ip daddr @ss_rules_dst_forward goto ss_rules_forward_{{ proto }};
- ip6 daddr @ss_rules6_dst_bypass accept;
- ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_{{ proto }};
- {{ get_dst_default_verdict() }};
-}
-
-{% if (proto == "tcp"): %}
-chain ss_rules_forward_{{ proto }} {
- meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
-}
-{% let local_verdict = get_local_verdict(); if (local_verdict): %}
-chain ss_rules_local_out {
- type {{ type }} hook output priority -1;
- meta l4proto != tcp accept;
- ip daddr @ss_rules_dst_bypass_ accept;
- ip daddr @ss_rules_dst_bypass accept;
- ip6 daddr @ss_rules6_dst_bypass_ accept;
- ip6 daddr @ss_rules6_dst_bypass accept;
- {{ local_verdict }};
-}
-{% endif %}
-{% elif (proto == "udp"): %}
-chain ss_rules_forward_{{ proto }} {
- meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
-}
-{% endif %}
-{% endif %}
diff --git a/shadowsocks-libev/files/ss-rules/set.uc b/shadowsocks-libev/files/ss-rules/set.uc
deleted file mode 100644
index 5947f6ccd..000000000
--- a/shadowsocks-libev/files/ss-rules/set.uc
+++ /dev/null
@@ -1,113 +0,0 @@
-{%
-let fs = require("fs");
-
-let o_dst_bypass4_ = "
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.31.196.0/24
- 192.52.193.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 192.175.48.0/24
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
-";
-let o_dst_bypass6_ = "
- ::1/128
- ::/128
- ::ffff:0:0/96
- 64:ff9b:1::/48
- 100::/64
- fe80::/10
- 2001::/23
- fc00::/7
-";
-let o_dst_bypass_ = o_dst_bypass4_ + " " + o_dst_bypass6_;
-
-let set_suffix = {
- "src_bypass": {
- str: o_src_bypass,
- },
- "src_forward": {
- str: o_src_forward,
- },
- "src_checkdst": {
- str: o_src_checkdst,
- },
- "dst_bypass": {
- str: o_dst_bypass,
- file: o_dst_bypass_file,
- },
- "dst_bypass_": {
- str: o_dst_bypass_,
- },
- "dst_forward": {
- str: o_dst_forward,
- file: o_dst_forward_file,
- },
- "dst_forward_rrst_": {},
-};
-
-function set_name(suf, af) {
- if (af == 4) {
- return "ss_rules_"+suf;
- } else {
- return "ss_rules6_"+suf;
- }
-}
-
-function set_elements_parse(res, str, af) {
- for (let addr in split(str, /[ \t\n]/)) {
- addr = trim(addr);
- if (!addr) continue;
- if (af == 4 && index(addr, ":") != -1) continue;
- if (af == 6 && index(addr, ":") == -1) continue;
- push(res, addr);
- }
-}
-
-function set_elements(suf, af) {
- let obj = set_suffix[suf];
- let res = [];
- let addr;
-
- let str = obj["str"];
- if (str) {
- set_elements_parse(res, str, af);
- }
-
- let file = obj["file"];
- if (file) {
- let fd = fs.open(file);
- if (fd) {
- str = fd.read("all");
- set_elements_parse(res, str, af);
- }
- }
-
- return res;
-}
-%}
-
-{% for (let suf in set_suffix): for (let af in [4, 6]): %}
-set {{ set_name(suf, af) }} {
- type ipv{{af}}_addr;
- flags interval;
-{% let elems = set_elements(suf, af); if (length(elems)): %}
- elements = {
-{% for (let i = 0; i < length(elems); i++): %}
- {{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %}
-{% endfor %}
- }
-{% endif %}
-}
-{% endfor; endfor %}
diff --git a/shadowsocks-libev/files/ss-rules/ss-rules.uc b/shadowsocks-libev/files/ss-rules/ss-rules.uc
deleted file mode 100644
index f3955b2ef..000000000
--- a/shadowsocks-libev/files/ss-rules/ss-rules.uc
+++ /dev/null
@@ -1,8 +0,0 @@
-{%
-
-include("set.uc");
-include("chain.uc", {proto: "tcp"});
-include("chain.uc", {proto: "udp"});
-
-%}
-