@@ -249,9 +249,8 @@ https://github.com/pure-css/pure/blob/master/LICENSE.md
url : url
},
function(x, rv) {
- if (rv.ping_type) {
+ if (rv.ping_type && rv.ping_type == "curl") {
var use_time = rv.use_time;
- var ping_type = rv.ping_type;
if (use_time < 1000) {
s.className="green";
} else if (use_time < 2000) {
@@ -259,7 +258,7 @@ https://github.com/pure-css/pure/blob/master/LICENSE.md
} else {
s.className="red";
}
- s.innerHTML = ping_type+ " " + use_time + " ms";
+ s.innerHTML = use_time + " ms";
} else if (rv.status) {
s.className="green";
s.innerHTML = "<%:Working...%>";
diff --git a/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm b/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
index 762bb6e3..2540f664 100644
--- a/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
+++ b/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
@@ -140,12 +140,6 @@ local api = require "luci.passwall.api"
} else if (v_type === "Trojan-Plus") {
dom_prefix = "trojan_plus_"
protocol = "trojan"
- } else if (v_type === "Trojan-Go") {
- dom_prefix = "trojan_go_"
- protocol = "trojan-go"
- } else if (v_type === "Brook") {
- dom_prefix = "brook_"
- protocol = "brook"
} else if (v_type === "Hysteria2") {
dom_prefix = "hysteria2_"
protocol = "hysteria2"
@@ -346,74 +340,6 @@ local api = require "luci.passwall.api"
params = params.substring(1);
}
url += params;
- } else if (v_type === "Trojan-Go") {
- var v_password = opt.get(dom_prefix + "password");
- var v_port = opt.get(dom_prefix + "port");
- url = encodeURIComponent(v_password.value) +
- "@" + _address +
- ":" + v_port.value + "/?";
- var params = "";
- if (opt.get(dom_prefix + "tls").checked) {
- params += opt.query("sni", dom_prefix + "tls_serverName");
- } else {
- if (opt.get(dom_prefix + "transport").value === "original") {
- var plugin = {};
- plugin.type = opt.get(dom_prefix + "plugin_type").value;
- if (plugin.type !== "plaintext") {
- plugin.command = opt.get(dom_prefix + "plugin_cmd").value;
- plugin.option = opt.get(dom_prefix + "plugin_option").value;
- plugin.arg = opt.getlist(dom_prefix + "plugin_arg");
- }
- params += "&plugin=" + encodeURIComponent(JSON.stringify(plugin));
- }
- }
- params += opt.query("type", dom_prefix + "transport");
- var ws = (opt.get(dom_prefix + "transport").value.indexOf("ws") !== -1);
- var h2 = (opt.get(dom_prefix + "transport").value.indexOf("h2") !== -1);
- if (ws) {
- params += opt.query("host", dom_prefix + "ws_host");
- params += opt.query("path", dom_prefix + "ws_path");
- }
- var enc = "none";
- if (opt.get(dom_prefix + "ss_aead").checked === true) {
- enc = "ss;" +
- opt.get(dom_prefix + "ss_aead_method").value +
- ":" + opt.get(dom_prefix + "ss_aead_pwd").value;
- }
- params += "&encryption=" + encodeURIComponent(enc);
- params += "#" + encodeURI(v_alias.value);
- if (params[0] == "&") {
- params = params.substring(1);
- }
- url += params;
- } else if (v_type === "Brook") {
- var url = "";
- var params = "?";
- var v_protocol = opt.get(dom_prefix + "protocol");
- var v_port = opt.get(dom_prefix + "port");
- var v_password = opt.get(dom_prefix + "password");
- var b_protocol_value = v_protocol.value.split('client').join('server');
-
- var url_protocol = b_protocol_value;
- params += opt.query("password", dom_prefix + "password");
- if (b_protocol_value == "wsserver") {
- var server = '';
- var prefix = "ws://";
- if (opt.get(dom_prefix + "tls").checked) {
- prefix = "wss://";
- url_protocol = 'wssserver';
- }
- var v_path = opt.get(dom_prefix + "ws_path");
- var v_path_value = v_path.value || '/ws';
- if (v_path_value.length > 1 && v_path_value.indexOf('/') < 0) {
- v_path_value = '/' + v_path_value;
- }
- params += "&" + url_protocol + "=" + encodeURIComponent(prefix + _address + ":" + v_port.value + v_path_value);
- } else {
- params += "&" + url_protocol + "=" + encodeURIComponent(_address + ":" + v_port.value);
- }
- url += url_protocol;
- url += params;
} else if ((v_type === "Hysteria2") || (v_type === "sing-box" && opt.get(dom_prefix + "protocol").value === "hysteria2")) {
protocol = "hysteria2"
var v_port = opt.get(dom_prefix + "port");
@@ -725,9 +651,6 @@ local api = require "luci.passwall.api"
queryParam[decodeURIComponent(params[0]).toLowerCase()] = decodeURIComponent(params[1] || '');
}
}
- if (queryParam.mux || queryParam.ws || queryParam.h2 || queryParam.ss || queryParam.plugin) {
- ssu[0] = "trojan-go"
- }
opt.set(dom_prefix + 'address', m.hostname);
opt.set(dom_prefix + 'port', m.port || "443");
opt.set(dom_prefix + 'password', decodeURIComponent(password));
@@ -737,80 +660,6 @@ local api = require "luci.passwall.api"
if (m.hash) {
opt.set('remarks', decodeURI(m.hash.substr(1)));
}
- } if (ssu[0] === "trojan-go") {
- dom_prefix = "trojan_go_"
- var m = parseNodeUrl(ssrurl);
- var password = m.passwd;
- if (password === "") {
- s.innerHTML = "<%:Invalid Share URL Format%>";
- return false;
- }
- var queryParam = {};
- if (m.search.length > 1) {
- var query = m.search.split('?');
- var queryParams = query[1];
- var queryArray = queryParams.split('&');
- for (i = 0; i < queryArray.length; i++) {
- var params = queryArray[i].split('=');
- queryParam[decodeURIComponent(params[0]).toLowerCase()] = decodeURIComponent(params[1] || '');
- }
- }
- opt.set('type', 'Trojan-Go');
- opt.set(dom_prefix + 'address', m.hostname);
- opt.set(dom_prefix + 'port', m.port || "443");
- opt.set(dom_prefix + 'password', decodeURIComponent(password));
- opt.set(dom_prefix + 'tls', true);
- opt.set(dom_prefix + 'tls_allowInsecure', '0');
- opt.set(dom_prefix + 'tls_serverName', queryParam.peer || queryParam.sni || '');
- var plugin = queryParam.plugin !== undefined;
- if (plugin) {
- opt.set(dom_prefix + 'transport', 'original');
- var plugin = JSON.parse(queryParam.plugin);
- if (plugin) {
- opt.set(dom_prefix + 'plugin_type', plugin.type);
- if (plugin.type !== "plaintext") {
- opt.set(dom_prefix + 'plugin_cmd', plugin.command);
- opt.set(dom_prefix + 'plugin_option', plugin.option);
- opt.setlist(dom_prefix + 'plugin_arg', plugin.arg);
- }
- } else
- alert(queryParam.plugin);
- }
- var tran = 'original';
- var or = queryParam.type === undefined || queryParam.type === 'original';
- var ws = null;
- var h2 = null;
- if (queryParam.type) {
- ws = queryParam.type.indexOf('ws') !== -1;
- h2 = queryParam.type.indexOf('h2') !== -1;
- }
- if (ws && h2) {
- tran = 'h2+ws'
- } else {
- if (ws) tran = 'ws';
- if (h2) tran = 'h2';
- }
- opt.set(dom_prefix + 'transport', tran);
- if (ws) {
- opt.set(dom_prefix + 'ws_host', queryParam.host || '');
- opt.set(dom_prefix + 'ws_path', queryParam.path || '/');
- }
- var enc = {};
- var ss = false;
- if (queryParam.encryption) {
- var r = queryParam.encryption.match(/^(ss);([^;:]*)[;:](.*)$/),
- enc = { type: r[1], method: r[2], password: r[3] };
- }
- ss = enc.type === 'ss';
- opt.set(dom_prefix + 'ss_aead', ss);
- if (ss) {
- opt.set(dom_prefix + 'ss_aead_method', enc.method.toLowerCase() || '');
- opt.set(dom_prefix + 'ss_aead_pwd', enc.password || '');
- }
- opt.set(dom_prefix + 'smux', '1');
- if (m.hash) {
- opt.set('remarks', decodeURI(m.hash.substr(1)));
- }
}
if (ssu[0] === "vmess") {
var sstr = b64DecodeUnicode(ssu[1]);
@@ -962,62 +811,6 @@ local api = require "luci.passwall.api"
opt.set('remarks', decodeURI(m.hash.substr(1)));
}
}
- if (ssu[0] === "brook") {
- dom_prefix = "brook_"
- var stype = "Brook";
- var m = parseNodeUrl(ssrurl);
-
- var from_protocol = m.host;
- var protocol = from_protocol.split('server').join('client');
-
- var queryParam = {};
- if (m.search.length > 1) {
- var query = m.search.split('?');
- var queryParams = query[1];
- var queryArray = queryParams.split('&');
- var params;
- for (i = 0; i < queryArray.length; i++) {
- params = queryArray[i].split('=');
- queryParam[decodeURIComponent(params[0])] = decodeURIComponent(params[1] || '');
- }
- }
-
- var password = queryParam.password;
- if (password === "") {
- s.innerHTML = "<%:Invalid Share URL Format%>";
- return false;
- }
-
- opt.set('type', stype);
- opt.set(dom_prefix + 'protocol', protocol);
- opt.set(dom_prefix + 'password', password);
-
- if (protocol == 'wsclient' || protocol == 'wssclient') {
- opt.set(dom_prefix + 'protocol', 'wsclient');
- var wsserver = queryParam[from_protocol].split('://');
- wsserver = wsserver[1].split('/');
- var path = wsserver[1] && '/' + wsserver[1] || '/ws';
- var server = wsserver[0].split(':');
- opt.set(dom_prefix + 'address', server[0]);
- opt.set(dom_prefix + 'port', server[1]);
- opt.set(dom_prefix + 'ws_path', path);
- if (protocol == 'wssclient') {
- opt.set(dom_prefix + 'tls', true);
- }
- } else {
- var server = queryParam[from_protocol].split(':');
- if (server.length < 2) {
- s.innerHTML = "<%:Invalid Share URL Format%>";
- return false;
- }
- opt.set(dom_prefix + 'address', server[0]);
- opt.set(dom_prefix + 'port', server[1]);
- }
-
- if (m.hash) {
- opt.set('remarks', decodeURI(m.hash.substr(1)));
- }
- }
if (ssu[0] === "hysteria2" || ssu[0] === "hy2") {
var m = parseNodeUrl(ssrurl);
var password = m.passwd;
diff --git a/luci-app-passwall/po/zh-cn/passwall.po b/luci-app-passwall/po/zh-cn/passwall.po
index 6ef2aa8b..1a59200a 100644
--- a/luci-app-passwall/po/zh-cn/passwall.po
+++ b/luci-app-passwall/po/zh-cn/passwall.po
@@ -160,8 +160,11 @@ msgstr "此功能需要 DNS 服务器支持 EDNS Client Subnet(RFC7871)。"
msgid "The effect is better, but will increase the memory."
msgstr "效果更好,但会增加内存使用。"
-msgid "When using the chnroute list the default DNS"
-msgstr "当使用中国列表外时的默认DNS"
+msgid "Default DNS"
+msgstr "默认DNS"
+
+msgid "The default DNS used when not in the domain name rules list."
+msgstr "当域名不在规则列表中时使用的默认DNS。"
msgid "Remote DNS can avoid more DNS leaks, but some domestic domain names maybe to proxy!"
msgstr "远程DNS可以避免更多的DNS泄露,但会导致规则列表外的某些国内域名可能会走代理!"
@@ -247,6 +250,12 @@ msgstr "进程"
msgid "1 Process"
msgstr "单进程"
+msgid "Use %s"
+msgstr "使用 %s"
+
+msgid "Close(Not use)"
+msgstr "关闭(不使用)"
+
msgid "Proxy Mode"
msgstr "代理模式"
@@ -271,9 +280,6 @@ msgstr "游戏模式"
msgid "China List"
msgstr "中国列表"
-msgid "Only use direct/proxy list"
-msgstr "仅使用直连/代理列表"
-
msgid "Localhost"
msgstr "本机"
@@ -892,9 +898,6 @@ msgstr "%s 程序路径"
msgid "%s Client App Path"
msgstr "%s 客户端程序路径"
-msgid "Trojan-Go Version API"
-msgstr "Trojan-Go 版本 API"
-
msgid "alternate API URL for version checking"
msgstr "用于版本检查的 API URL"
@@ -1114,12 +1117,6 @@ msgstr "插件名称"
msgid "Plugin Arguments"
msgstr "插件参数"
-msgid "Brook Protocol"
-msgstr "Brook协议"
-
-msgid "Use TLS"
-msgstr "使用TLS"
-
msgid "Naiveproxy Protocol"
msgstr "Naiveproxy协议"
diff --git a/luci-app-passwall/root/usr/share/passwall/0_default_config b/luci-app-passwall/root/usr/share/passwall/0_default_config
index feeb5f78..c53fe206 100644
--- a/luci-app-passwall/root/usr/share/passwall/0_default_config
+++ b/luci-app-passwall/root/usr/share/passwall/0_default_config
@@ -5,13 +5,13 @@ config global
option tcp_node 'nil'
option udp_node 'nil'
option tcp_node_socks_port '1070'
+ option filter_proxy_ipv6 '0'
option dns_mode 'dns2tcp'
option remote_dns '1.1.1.1'
- option filter_proxy_ipv6 '0'
- option when_chnroute_default_dns 'direct'
- option tcp_proxy_mode 'chnroute'
- option udp_proxy_mode 'chnroute'
- option chinadns_ng_default_tag 'smart'
+ option use_default_dns 'direct'
+ option chn_list 'direct'
+ option tcp_proxy_mode 'proxy'
+ option udp_proxy_mode 'proxy'
option localhost_tcp_proxy_mode 'default'
option localhost_udp_proxy_mode 'default'
option acl_enable '0'
@@ -75,8 +75,6 @@ config global_rules
config global_app
option singbox_file '/usr/bin/sing-box'
option xray_file '/usr/bin/xray'
- option trojan_go_file '/usr/bin/trojan-go'
- option brook_file '/usr/bin/brook'
option hysteria_file '/usr/bin/hysteria'
option chinadns_ng '/usr/bin/chinadns-ng'
diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh
index fb13e91e..8f016d8b 100755
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -487,7 +487,7 @@ run_chinadns_ng() {
local _default_tag=$(config_t_get global chinadns_ng_default_tag smart)
local _extra_param=""
- [ -n "$_chnlist" ] && {
+ [ "${_chnlist}" = "direct" ] && {
[ -s "${RULES_PATH}/chnlist" ] && {
local _chnlist_file="${TMP_PATH}/chinadns_chnlist"
cp -a "${RULES_PATH}/chnlist" "${_chnlist_file}"
@@ -500,16 +500,18 @@ run_chinadns_ng() {
_extra_param="${_extra_param} -4 ${chnroute4_set} -6 ${chnroute6_set} -m ${_chnlist_file} -M -a"
}
}
-
- ([ -n "$_chnlist" ] || [ -n "$_gfwlist" ]) && [ -s "${RULES_PATH}/gfwlist" ] && {
- local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
- cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
- local gfwlist_set="passwall_gfwlist,passwall_gfwlist6"
- [ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@passwall_gfwlist,inet@fw4@passwall_gfwlist6"
- _extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
- #当只有使用gfwlist模式时设置默认DNS为本地直连
- [ -n "$_gfwlist" ] && [ -z "$_chnlist" ] && _default_tag="chn"
+ [ "${_gfwlist}" = "1" ] && {
+ [ -s "${RULES_PATH}/gfwlist" ] && {
+ local _gfwlist_file="${TMP_PATH}/chinadns_gfwlist"
+ cp -a "${RULES_PATH}/gfwlist" "${_gfwlist_file}"
+ local gfwlist_set="passwall_gfwlist,passwall_gfwlist6"
+ [ "$nftflag" = "1" ] && gfwlist_set="inet@fw4@passwall_gfwlist,inet@fw4@passwall_gfwlist6"
+ _extra_param="${_extra_param} -g ${_gfwlist_file} -A ${gfwlist_set}"
+ #当只有使用gfwlist模式时设置默认DNS为本地直连
+ [ "${_gfwlist}" = "1" ] && [ "${_chnlist}" = "0" ] && _default_tag="chn"
+ }
}
+
[ -n "$_default_tag" ] && [ "$_default_tag" != "smart" ] && _extra_param="${_extra_param} -d ${_default_tag}"
_log_path="/dev/null"
@@ -606,10 +608,6 @@ run_socks() {
[ -n "$relay_port" ] && _args="${_args} -server_host $server_host -server_port $port"
run_xray flag=$flag node=$node socks_port=$socks_port config_file=$config_file log_file=$log_file ${_args}
;;
- trojan-go)
- lua $UTIL_TROJAN gen_config -node $node -run_type client -local_addr $bind -local_port $socks_port -server_host $server_host -server_port $port > $config_file
- ln_run "$(first_type $(config_t_get global_app trojan_go_file) trojan-go)" trojan-go $log_file -config "$config_file"
- ;;
trojan*)
lua $UTIL_TROJAN gen_config -node $node -run_type client -local_addr $bind -local_port $socks_port -server_host $server_host -server_port $port > $config_file
ln_run "$(first_type ${type})" "${type}" $log_file -c "$config_file"
@@ -618,21 +616,6 @@ run_socks() {
lua $UTIL_NAIVE gen_config -node $node -run_type socks -local_addr $bind -local_port $socks_port -server_host $server_host -server_port $port > $config_file
ln_run "$(first_type naive)" naive $log_file "$config_file"
;;
- brook)
- local protocol=$(config_n_get $node protocol client)
- local prefix=""
- [ "$protocol" == "wsclient" ] && {
- prefix="ws://"
- local brook_tls=$(config_n_get $node brook_tls 0)
- [ "$brook_tls" == "1" ] && {
- prefix="wss://"
- protocol="wssclient"
- }
- local ws_path=$(config_n_get $node ws_path "/ws")
- }
- server_host=${prefix}${server_host}
- ln_run "$(first_type $(config_t_get global_app brook_file) brook)" "brook_SOCKS_${flag}" $log_file "$protocol" --socks5 "$bind:$socks_port" -s "${server_host}:${port}${ws_path}" -p "$(config_n_get $node password)"
- ;;
ssr)
lua $UTIL_SS gen_config -node $node -local_addr "0.0.0.0" -local_port $socks_port -server_host $server_host -server_port $port > $config_file
ln_run "$(first_type ssr-local)" "ssr-local" $log_file -c "$config_file" -v -u
@@ -664,6 +647,8 @@ run_socks() {
ln_run "$(first_type tuic-client)" "tuic-client" $log_file -c "$config_file"
;;
esac
+
+ eval node_${node}_socks_port=$socks_port
# http to socks
[ -z "$http_flag" ] && [ "$http_port" != "0" ] && [ -n "$http_config_file" ] && [ "$type" != "sing-box" ] && [ "$type" != "xray" ] && [ "$type" != "socks" ] && {
@@ -729,11 +714,6 @@ run_redir() {
xray)
run_xray flag=UDP node=$node udp_redir_port=$local_port config_file=$config_file log_file=$log_file
;;
- trojan-go)
- local loglevel=$(config_t_get global trojan_loglevel "2")
- lua $UTIL_TROJAN gen_config -node $node -run_type nat -local_addr "0.0.0.0" -local_port $local_port -loglevel $loglevel > $config_file
- ln_run "$(first_type $(config_t_get global_app trojan_go_file) trojan-go)" trojan-go $log_file -config "$config_file"
- ;;
trojan*)
local loglevel=$(config_t_get global trojan_loglevel "2")
lua $UTIL_TROJAN gen_config -node $node -run_type nat -local_addr "0.0.0.0" -local_port $local_port -loglevel $loglevel > $config_file
@@ -742,14 +722,6 @@ run_redir() {
naiveproxy)
echolog "Naiveproxy不支持UDP转发!"
;;
- brook)
- local protocol=$(config_n_get $node protocol client)
- if [ "$protocol" == "wsclient" ]; then
- echolog "Brook的WebSocket不支持UDP转发!"
- else
- ln_run "$(first_type $(config_t_get global_app brook_file) brook)" "brook_UDP" $log_file tproxy -l ":$local_port" -s "$server_host:$port" -p "$(config_n_get $node password)" --doNotRunScripts
- fi
- ;;
ssr)
lua $UTIL_SS gen_config -node $node -local_addr "0.0.0.0" -local_port $local_port > $config_file
ln_run "$(first_type ssr-redir)" "ssr-redir" $log_file -c "$config_file" -v -U
@@ -894,16 +866,6 @@ run_redir() {
}
run_xray flag=$_flag node=$node tcp_redir_port=$local_port config_file=$config_file log_file=$log_file ${_args}
;;
- trojan-go)
- [ "$TCP_UDP" = "1" ] && {
- config_file=$(echo $config_file | sed "s/TCP/TCP_UDP/g")
- UDP_REDIR_PORT=$TCP_REDIR_PORT
- UDP_NODE="nil"
- }
- local loglevel=$(config_t_get global trojan_loglevel "2")
- lua $UTIL_TROJAN gen_config -node $node -run_type nat -local_addr "0.0.0.0" -local_port $local_port -loglevel $loglevel > $config_file
- ln_run "$(first_type $(config_t_get global_app trojan_go_file) trojan-go)" trojan-go $log_file -config "$config_file"
- ;;
trojan*)
[ "$tcp_proxy_way" = "tproxy" ] && lua_tproxy_arg="-use_tproxy true"
[ "$TCP_UDP" = "1" ] && {
@@ -919,19 +881,6 @@ run_redir() {
lua $UTIL_NAIVE gen_config -node $node -run_type redir -local_addr "0.0.0.0" -local_port $local_port > $config_file
ln_run "$(first_type naive)" naive $log_file "$config_file"
;;
- brook)
- local server_ip=$server_host
- local protocol=$(config_n_get $node protocol client)
- local prefix=""
- [ "$protocol" == "wsclient" ] && {
- prefix="ws://"
- local brook_tls=$(config_n_get $node brook_tls 0)
- [ "$brook_tls" == "1" ] && prefix="wss://"
- local ws_path=$(config_n_get $node ws_path "/ws")
- }
- server_ip=${prefix}${server_ip}
- ln_run "$(first_type $(config_t_get global_app brook_file) brook)" "brook_TCP" $log_file tproxy -l ":$local_port" -s "${server_ip}:${port}${ws_path}" -p "$(config_n_get $node password)" --doNotRunScripts
- ;;
ssr)
[ "$tcp_proxy_way" = "tproxy" ] && lua_tproxy_arg="-tcp_tproxy true"
[ "$TCP_UDP" = "1" ] && {
@@ -1215,24 +1164,6 @@ start_dns() {
[ -n "$items" ] && {
for item in $items; do
[ "$(config_n_get $item enabled)" = "1" ] || continue
- [ "$(config_n_get $item tcp_node)" = "default" ] && [ "$TCP_NODE" != "nil" ] && {
- local item_tcp_proxy_mode=$(config_n_get $item tcp_proxy_mode default)
- [ "$item_tcp_proxy_mode" = "default" ] && item_tcp_proxy_mode=$TCP_PROXY_MODE
- global=$(echo "${global}${item_tcp_proxy_mode}" | grep "global")
- returnhome=$(echo "${returnhome}${item_tcp_proxy_mode}" | grep "returnhome")
- chnlist=$(echo "${chnlist}${item_tcp_proxy_mode}" | grep "chnroute")
- gfwlist=$(echo "${gfwlist}${item_tcp_proxy_mode}" | grep "gfwlist")
- ACL_TCP_PROXY_MODE=${ACL_TCP_PROXY_MODE}${item_tcp_proxy_mode}
- }
- [ "$(config_n_get $item udp_node)" = "default" ] && [ "$UDP_NODE" != "nil" ] && {
- local item_udp_proxy_mode=$(config_n_get $item udp_proxy_mode default)
- [ "$item_udp_proxy_mode" = "default" ] && item_udp_proxy_mode=$UDP_PROXY_MODE
- global=$(echo "${global}${item_udp_proxy_mode}" | grep "global")
- returnhome=$(echo "${returnhome}${item_udp_proxy_mode}" | grep "returnhome")
- chnlist=$(echo "${chnlist}${item_udp_proxy_mode}" | grep "chnroute")
- gfwlist=$(echo "${gfwlist}${item_udp_proxy_mode}" | grep "gfwlist")
- ACL_UDP_PROXY_MODE=${ACL_UDP_PROXY_MODE}${item_udp_proxy_mode}
- }
done
}
}
@@ -1319,7 +1250,7 @@ start_dns() {
[ "${use_tcp_node_resolve_dns}" = "1" ] && echolog " * 请确认上游 DNS 支持 TCP 查询,如非直连地址,确保 TCP 代理打开,并且已经正确转发!"
[ "${use_udp_node_resolve_dns}" = "1" ] && echolog " * 要求代理 DNS 请求,如上游 DNS 非直连地址,确保 UDP 代理打开,并且已经正确转发!"
- [ "$CHINADNS_NG" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ -n "$chnlist" ] || [ -n "$gfwlist" ]) && {
+ [ "$CHINADNS_NG" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ "${CHN_LIST}" = "direct" ] || [ "${USE_GFW_LIST}" = "1" ]) && {
[ "$FILTER_PROXY_IPV6" = "1" ] && {
local _no_ipv6_rules="gt"
}
@@ -1329,24 +1260,25 @@ start_dns() {
_listen_port=${china_ng_listen_port} \
_dns_china=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") \
_dns_trust="${TUN_DNS}" \
- _chnlist="${chnlist}" \
- _gfwlist="${gfwlist}" \
+ _chnlist="${CHN_LIST}" \
+ _gfwlist="${USE_GFW_LIST}" \
_no_ipv6_rules="${_no_ipv6_rules}" \
_log_path="${TMP_PATH}/chinadns-ng.log"
- WHEN_CHNROUTE_DEFAULT_DNS="chinadns_ng"
+ USE_DEFAULT_DNS="chinadns_ng"
}
[ "$DNS_SHUNT" = "dnsmasq" ] && {
- [ "$WHEN_CHNROUTE_DEFAULT_DNS" = "remote" ] && {
+ [ "$USE_DEFAULT_DNS" = "remote" ] && {
dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}')
[ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!"
}
source $APP_PATH/helper_dnsmasq.sh stretch
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG "default" -TMP_DNSMASQ_PATH ${TMP_DNSMASQ_PATH} \
-DNSMASQ_CONF_FILE "/tmp/dnsmasq.d/dnsmasq-passwall.conf" -DEFAULT_DNS ${DEFAULT_DNS} -LOCAL_DNS ${LOCAL_DNS} \
- -TUN_DNS ${TUN_DNS} -REMOTE_FAKEDNS ${fakedns:-0} -CHNROUTE_MODE_DEFAULT_DNS "${WHEN_CHNROUTE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \
- -TCP_NODE ${TCP_NODE} -PROXY_MODE "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${ACL_TCP_PROXY_MODE}" -NO_PROXY_IPV6 ${FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \
+ -TUN_DNS ${TUN_DNS} -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \
+ -USE_DIRECT_LIST "${USE_BLOCK_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \
+ -TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE "${TCP_PROXY_MODE}" -NO_PROXY_IPV6 ${FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \
-NO_LOGIC_LOG ${NO_LOGIC_LOG:-0}
}
}
@@ -1435,15 +1367,20 @@ acl_app() {
mkdir -p $TMP_ACL_PATH/$sid
echo -e "${rule_list}" | sed '/^$/d' > $TMP_ACL_PATH/$sid/rule_list
- tcp_proxy_mode=${tcp_proxy_mode:-default}
- udp_proxy_mode=${udp_proxy_mode:-default}
tcp_node=${tcp_node:-default}
udp_node=${udp_node:-default}
+ use_direct_list=${use_direct_list:-1}
+ use_proxy_list=${use_proxy_list:-1}
+ use_block_list=${use_block_list:-1}
+ use_gfw_list=${use_gfw_list:-1}
+ chn_list=${chn_list:-direct}
+ tcp_proxy_mode=${tcp_proxy_mode:-proxy}
+ udp_proxy_mode=${udp_proxy_mode:-proxy}
filter_proxy_ipv6=${filter_proxy_ipv6:-0}
dns_mode=${dns_mode:-dns2socks}
remote_dns=${remote_dns:-1.1.1.1}
chinadns_ng=${chinadns_ng:-0}
- when_chnroute_default_dns=${when_chnroute_default_dns:-direct}
+ use_default_dns=${use_default_dns:-direct}
[ "$dns_mode" = "sing-box" ] && {
[ "$v2ray_dns_mode" = "doh" ] && remote_dns=${remote_dns_doh:-https://1.1.1.1/dns-query}
}
@@ -1474,7 +1411,7 @@ acl_app() {
eval node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)=${_dns_port}
}
- [ "$chinadns_ng" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ "$tcp_proxy_mode" = "chnroute" ] || [ "$tcp_proxy_mode" = "gfwlist" ]) && {
+ [ "$chinadns_ng" = "1" ] && [ -n "$(first_type chinadns-ng)" ] && ([ "${chn_list}" = "direct" ] || [ "${use_gfw_list}" = "1" ]) && {
[ "$filter_proxy_ipv6" = "1" ] && {
local _no_ipv6_rules="gt"
}
@@ -1485,13 +1422,13 @@ acl_app() {
_listen_port=${chinadns_port} \
_dns_china=$(echo -n $(echo "${LOCAL_DNS}" | sed "s/,/\n/g" | head -n2) | tr " " ",") \
_dns_trust="127.0.0.1#${_dns_port}" \
- _chnlist=$(echo "${tcp_proxy_mode}" | grep "chnroute") \
- _gfwlist=$(echo "${tcp_proxy_mode}" | grep "gfwlist") \
+ _chnlist=${chn_list} \
+ _gfwlist=${use_gfw_list} \
_no_ipv6_rules="${_no_ipv6_rules}" \
_log_path="${TMP_ACL_PATH}/${sid}/chinadns-ng.log" \
_no_logic_log=1
- when_chnroute_default_dns="chinadns_ng"
+ use_default_dns="chinadns_ng"
}
dnsmasq_port=$(get_new_port $(expr $dnsmasq_port + 1))
@@ -1504,81 +1441,70 @@ acl_app() {
sed -i "/dhcp/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
sed -i "/port=/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
sed -i "/conf-dir/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
+ sed -i "/server/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
}
echo "port=${dnsmasq_port}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
- d_server=127.0.0.1
- [ "$tcp_proxy_mode" = "global" ] && {
- d_server=${d_server}#${_dns_port}
- sed -i "/no-poll/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
- sed -i "/no-resolv/d" $TMP_ACL_PATH/$sid/dnsmasq.conf
- echo "server=${d_server}" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
- echo "no-poll" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
- echo "no-resolv" >> $TMP_ACL_PATH/$sid/dnsmasq.conf
- }
- [ "$when_chnroute_default_dns" = "remote" ] && {
+ [ "$use_default_dns" = "remote" ] && {
dnsmasq_version=$(dnsmasq -v | grep -i "Dnsmasq version " | awk '{print $3}')
[ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!"
}
lua $APP_PATH/helper_dnsmasq_add.lua -FLAG ${sid} -TMP_DNSMASQ_PATH $TMP_ACL_PATH/$sid/dnsmasq.d \
-DNSMASQ_CONF_FILE $TMP_ACL_PATH/$sid/dnsmasq.conf -DEFAULT_DNS $DEFAULT_DNS -LOCAL_DNS $LOCAL_DNS \
- -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -CHNROUTE_MODE_DEFAULT_DNS "${when_chnroute_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \
- -TCP_NODE $tcp_node -PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \
+ -USE_DIRECT_LIST "${use_direct_list}" -USE_PROXY_LIST "${use_proxy_list}" -USE_BLOCK_LIST "${use_block_list}" -USE_GFW_LIST "${use_gfw_list}" -CHN_LIST "${CHN_LIST}" \
+ -TUN_DNS "127.0.0.1#${_dns_port}" -REMOTE_FAKEDNS 0 -USE_DEFAULT_DNS "${use_default_dns:-direct}" -CHINADNS_DNS ${_china_ng_listen:-0} \
+ -TCP_NODE $tcp_node -DEFAULT_PROXY_MODE ${tcp_proxy_mode} -NO_PROXY_IPV6 ${filter_proxy_ipv6:-0} -NFTFLAG ${nftflag:-0} \
-NO_LOGIC_LOG 1
ln_run "$(first_type dnsmasq)" "dnsmasq_${sid}" "/dev/null" -C $TMP_ACL_PATH/$sid/dnsmasq.conf -x $TMP_ACL_PATH/$sid/dnsmasq.pid
eval node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)=${dnsmasq_port}
}
- if [ "$tcp_node" = "$TCP_NODE" ]; then
- tcp_port=$TCP_REDIR_PORT
- else
- _redir_port=$(eval echo \${node_${tcp_node}_redir_port})
- _socks_port=$(eval echo \${node_${tcp_node}_socks_port})
- if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then
- socks_port=${_socks_port}
- tcp_port=${_redir_port}
- _dnsmasq_port=$(eval echo \${node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)})
- if [ -z "${_dnsmasq_port}" ]; then
- _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)})
- run_dns ${_dns_port}
- else
- redirect_dns_port=${_dnsmasq_port}
- fi
- else
- socks_port=$(get_new_port $(expr $socks_port + 1))
- eval node_${tcp_node}_socks_port=$socks_port
- redir_port=$(get_new_port $(expr $redir_port + 1))
- eval node_${tcp_node}_redir_port=$redir_port
- tcp_port=$redir_port
-
- local type=$(echo $(config_n_get $tcp_node type) | tr 'A-Z' 'a-z')
- if [ -n "${type}" ] && ([ "${type}" = "sing-box" ] || [ "${type}" = "xray" ]); then
- config_file="acl/${tcp_node}_TCP_${redir_port}.json"
- _extra_param="socks_address=127.0.0.1 socks_port=$socks_port"
- if [ "$dns_mode" = "sing-box" ] || [ "$dns_mode" = "xray" ]; then
- dns_port=$(get_new_port $(expr $dns_port + 1))
- _dns_port=$dns_port
- config_file=$(echo $config_file | sed "s/TCP_/DNS_${_dns_port}_TCP_/g")
- remote_dns_doh=${remote_dns}
- [ "$dns_mode" = "xray" ] && [ "$v2ray_dns_mode" = "tcp+doh" ] && remote_dns_doh=${remote_dns_doh:-https://1.1.1.1/dns-query}
- _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns_doh} remote_dns_query_strategy=${DNS_QUERY_STRATEGY} dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY}"
- fi
- [ "$udp_node" != "nil" ] && ([ "$udp_node" = "tcp" ] || [ "$udp_node" = "$tcp_node" ]) && {
- config_file=$(echo $config_file | sed "s/TCP_/TCP_UDP_/g")
- _extra_param="${_extra_param} udp_redir_port=$redir_port"
- }
- config_file="$TMP_PATH/$config_file"
- [ "${type}" = "sing-box" ] && type="singbox"
- run_${type} flag=$tcp_node node=$tcp_node tcp_redir_port=$redir_port ${_extra_param} config_file=$config_file
- else
- config_file="acl/${tcp_node}_SOCKS_${socks_port}.json"
- run_socks flag=$tcp_node node=$tcp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file
- local log_file=$TMP_ACL_PATH/ipt2socks_${tcp_node}_${redir_port}.log
- log_file="/dev/null"
- run_ipt2socks flag=acl_${tcp_node} tcp_tproxy=${is_tproxy} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file
- fi
+ _redir_port=$(eval echo \${node_${tcp_node}_redir_port})
+ _socks_port=$(eval echo \${node_${tcp_node}_socks_port})
+ if [ -n "${_socks_port}" ] && [ -n "${_redir_port}" ]; then
+ socks_port=${_socks_port}
+ tcp_port=${_redir_port}
+ _dnsmasq_port=$(eval echo \${node_${tcp_node}_$(echo -n "${tcp_proxy_mode}${remote_dns}" | md5sum | cut -d " " -f1)})
+ if [ -z "${_dnsmasq_port}" ]; then
+ _dns_port=$(eval echo \${node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)})
run_dns ${_dns_port}
+ else
+ redirect_dns_port=${_dnsmasq_port}
fi
- echo "${tcp_node}" > $TMP_ACL_PATH/$sid/var_tcp_node
+ else
+ socks_port=$(get_new_port $(expr $socks_port + 1))
+ eval node_${tcp_node}_socks_port=$socks_port
+ redir_port=$(get_new_port $(expr $redir_port + 1))
+ eval node_${tcp_node}_redir_port=$redir_port
+ tcp_port=$redir_port
+
+ local type=$(echo $(config_n_get $tcp_node type) | tr 'A-Z' 'a-z')
+ if [ -n "${type}" ] && ([ "${type}" = "sing-box" ] || [ "${type}" = "xray" ]); then
+ config_file="acl/${tcp_node}_TCP_${redir_port}.json"
+ _extra_param="socks_address=127.0.0.1 socks_port=$socks_port"
+ if [ "$dns_mode" = "sing-box" ] || [ "$dns_mode" = "xray" ]; then
+ dns_port=$(get_new_port $(expr $dns_port + 1))
+ _dns_port=$dns_port
+ config_file=$(echo $config_file | sed "s/TCP_/DNS_${_dns_port}_TCP_/g")
+ remote_dns_doh=${remote_dns}
+ [ "$dns_mode" = "xray" ] && [ "$v2ray_dns_mode" = "tcp+doh" ] && remote_dns_doh=${remote_dns_doh:-https://1.1.1.1/dns-query}
+ _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns_doh} remote_dns_query_strategy=${DNS_QUERY_STRATEGY} dns_client_ip=${dns_client_ip} dns_query_strategy=${DNS_QUERY_STRATEGY}"
+ fi
+ [ "$udp_node" != "nil" ] && ([ "$udp_node" = "tcp" ] || [ "$udp_node" = "$tcp_node" ]) && {
+ config_file=$(echo $config_file | sed "s/TCP_/TCP_UDP_/g")
+ _extra_param="${_extra_param} udp_redir_port=$redir_port"
+ }
+ config_file="$TMP_PATH/$config_file"
+ [ "${type}" = "sing-box" ] && type="singbox"
+ run_${type} flag=$tcp_node node=$tcp_node tcp_redir_port=$redir_port ${_extra_param} config_file=$config_file
+ else
+ config_file="acl/${tcp_node}_SOCKS_${socks_port}.json"
+ run_socks flag=$tcp_node node=$tcp_node bind=127.0.0.1 socks_port=$socks_port config_file=$config_file
+ local log_file=$TMP_ACL_PATH/ipt2socks_${tcp_node}_${redir_port}.log
+ log_file="/dev/null"
+ run_ipt2socks flag=acl_${tcp_node} tcp_tproxy=${is_tproxy} local_port=$redir_port socks_address=127.0.0.1 socks_port=$socks_port log_file=$log_file
+ fi
+ run_dns ${_dns_port}
fi
+ echo "${tcp_node}" > $TMP_ACL_PATH/$sid/var_tcp_node
}
fi
echo "${tcp_port}" > $TMP_ACL_PATH/$sid/var_tcp_port
@@ -1738,27 +1664,32 @@ TCP_NO_REDIR_PORTS=$(config_t_get global_forwarding tcp_no_redir_ports 'disable'
UDP_NO_REDIR_PORTS=$(config_t_get global_forwarding udp_no_redir_ports 'disable')
TCP_PROXY_DROP_PORTS=$(config_t_get global_forwarding tcp_proxy_drop_ports 'disable')
UDP_PROXY_DROP_PORTS=$(config_t_get global_forwarding udp_proxy_drop_ports '80,443')
-TCP_PROXY_MODE=$(config_t_get global tcp_proxy_mode chnroute)
-UDP_PROXY_MODE=$(config_t_get global udp_proxy_mode chnroute)
+USE_DIRECT_LIST=$(config_t_get global use_direct_list 1)
+USE_PROXY_LIST=$(config_t_get global use_proxy_list 1)
+USE_BLOCK_LIST=$(config_t_get global use_block_list 1)
+USE_GFW_LIST=$(config_t_get global use_gfw_list 1)
+CHN_LIST=$(config_t_get global chn_list direct)
+TCP_PROXY_MODE=$(config_t_get global tcp_proxy_mode proxy)
+UDP_PROXY_MODE=$(config_t_get global udp_proxy_mode proxy)
+[ "${TCP_PROXY_MODE}" != "disable" ] && TCP_PROXY_MODE="proxy"
+[ "${UDP_PROXY_MODE}" != "disable" ] && UDP_PROXY_MODE="proxy"
LOCALHOST_TCP_PROXY_MODE=$(config_t_get global localhost_tcp_proxy_mode default)
LOCALHOST_UDP_PROXY_MODE=$(config_t_get global localhost_udp_proxy_mode default)
+[ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && LOCALHOST_TCP_PROXY_MODE="proxy"
+[ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && LOCALHOST_UDP_PROXY_MODE="proxy"
[ "$LOCALHOST_TCP_PROXY_MODE" == "default" ] && LOCALHOST_TCP_PROXY_MODE=$TCP_PROXY_MODE
[ "$LOCALHOST_UDP_PROXY_MODE" == "default" ] && LOCALHOST_UDP_PROXY_MODE=$UDP_PROXY_MODE
-global=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "global")
-returnhome=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "returnhome")
-chnlist=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "chnroute")
-gfwlist=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "gfwlist")
DNS_SHUNT="dnsmasq"
DNS_MODE=$(config_t_get global dns_mode dns2tcp)
DNS_CACHE=$(config_t_get global dns_cache 0)
REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g')
CHINADNS_NG=$(config_t_get global chinadns_ng 0)
-WHEN_CHNROUTE_DEFAULT_DNS=$(config_t_get global when_chnroute_default_dns direct)
+USE_DEFAULT_DNS=$(config_t_get global use_default_dns direct)
FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0)
dns_listen_port=${DNS_PORT}
-REDIRECT_LIST="socks ss ss-rust ssr sing-box xray trojan-go trojan-plus naiveproxy hysteria2"
-TPROXY_LIST="brook socks ss ss-rust ssr sing-box xray trojan-go trojan-plus hysteria2"
+REDIRECT_LIST="socks ss ss-rust ssr sing-box xray trojan-plus naiveproxy hysteria2"
+TPROXY_LIST="socks ss ss-rust ssr sing-box xray trojan-plus hysteria2"
RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
[ -f "${RESOLVFILE}" ] && [ -s "${RESOLVFILE}" ] || RESOLVFILE=/tmp/resolv.conf.auto
diff --git a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
index 9b12fca3..1e1f7824 100644
--- a/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_dnsmasq_add.lua
@@ -9,10 +9,15 @@ local DEFAULT_DNS = var["-DEFAULT_DNS"]
local LOCAL_DNS = var["-LOCAL_DNS"]
local TUN_DNS = var["-TUN_DNS"]
local REMOTE_FAKEDNS = var["-REMOTE_FAKEDNS"]
-local CHNROUTE_MODE_DEFAULT_DNS = var["-CHNROUTE_MODE_DEFAULT_DNS"]
+local USE_DEFAULT_DNS = var["-USE_DEFAULT_DNS"]
local CHINADNS_DNS = var["-CHINADNS_DNS"]
local TCP_NODE = var["-TCP_NODE"]
-local PROXY_MODE = var["-PROXY_MODE"]
+local USE_DIRECT_LIST = var["-USE_DIRECT_LIST"]
+local USE_PROXY_LIST = var["-USE_PROXY_LIST"]
+local USE_BLOCK_LIST = var["-USE_BLOCK_LIST"]
+local USE_GFW_LIST = var["-USE_GFW_LIST"]
+local CHN_LIST = var["-CHN_LIST"]
+local DEFAULT_PROXY_MODE = var["-DEFAULT_PROXY_MODE"]
local NO_PROXY_IPV6 = var["-NO_PROXY_IPV6"]
local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"]
local NFTFLAG = var["-NFTFLAG"]
@@ -145,7 +150,7 @@ end
local cache_text = ""
local new_rules = luci.sys.exec("echo -n $(find /usr/share/passwall/rules -type f | xargs md5sum)")
-local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. CHNROUTE_MODE_DEFAULT_DNS .. CHINADNS_DNS .. PROXY_MODE .. NO_PROXY_IPV6 .. new_rules .. NFTFLAG
+local new_text = TMP_DNSMASQ_PATH .. DNSMASQ_CONF_FILE .. DEFAULT_DNS .. LOCAL_DNS .. TUN_DNS .. REMOTE_FAKEDNS .. USE_DEFAULT_DNS .. CHINADNS_DNS .. USE_DIRECT_LIST .. USE_PROXY_LIST .. USE_BLOCK_LIST .. USE_GFW_LIST .. CHN_LIST .. DEFAULT_PROXY_MODE .. NO_PROXY_IPV6 .. new_rules .. NFTFLAG
if fs.access(CACHE_TEXT_FILE) then
for line in io.lines(CACHE_TEXT_FILE) do
cache_text = line
@@ -156,24 +161,26 @@ if cache_text ~= new_text then
api.remove(CACHE_DNS_PATH .. "*")
end
-local global = PROXY_MODE:find("global")
-local returnhome = PROXY_MODE:find("returnhome")
-local chnlist = PROXY_MODE:find("chnroute")
-local gfwlist = PROXY_MODE:find("gfwlist")
local only_global
local dnsmasq_default_dns
-if CHNROUTE_MODE_DEFAULT_DNS ~= "nil" then
- if chnlist and CHNROUTE_MODE_DEFAULT_DNS == "remote" then
+if USE_DEFAULT_DNS ~= "nil" then
+ if USE_DEFAULT_DNS == "direct" then
+ dnsmasq_default_dns = LOCAL_DNS
+ end
+ if USE_DEFAULT_DNS == "remote" then
dnsmasq_default_dns = TUN_DNS
end
- if (chnlist or gfwlist) and CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
+ if USE_DEFAULT_DNS == "remote" and CHN_LIST == "direct" then
+ dnsmasq_default_dns = TUN_DNS
+ end
+ if USE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" and (CHN_LIST == "direct" or USE_GFW_LIST == "1") then
dnsmasq_default_dns = CHINADNS_DNS
end
end
-if global and (not returnhome and not chnlist and not gfwlist) then
- --只有全局模式时
+if DEFAULT_PROXY_MODE == "proxy" and CHN_LIST == "0" and USE_GFW_LIST == "0" then
+ --没有启用中国列表和GFW列表时
dnsmasq_default_dns = TUN_DNS
only_global = 1
end
@@ -186,9 +193,11 @@ if not fs.access(CACHE_DNS_PATH) then
fs.mkdir(CACHE_DNS_PATH)
--屏蔽列表
- for line in io.lines("/usr/share/passwall/rules/block_host") do
- if line ~= "" and not line:find("#") then
- set_domain_address(line, "")
+ if USE_BLOCK_LIST == "1" then
+ for line in io.lines("/usr/share/passwall/rules/block_host") do
+ if line ~= "" and not line:find("#") then
+ set_domain_address(line, "")
+ end
end
end
@@ -202,37 +211,106 @@ if not fs.access(CACHE_DNS_PATH) then
end)
log(string.format(" - 节点列表中的域名(vpslist):%s", LOCAL_DNS or "默认"))
- --始终用国内DNS解析直连(白名单)列表
- for line in io.lines("/usr/share/passwall/rules/direct_host") do
- if line ~= "" and not line:find("#") then
- add_excluded_domain(line)
- set_domain_dns(line, LOCAL_DNS)
- set_domain_ipset(line, setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6")
+ --直连(白名单)列表
+ if USE_DIRECT_LIST == "1" then
+ --始终用国内DNS解析直连(白名单)列表
+ for line in io.lines("/usr/share/passwall/rules/direct_host") do
+ if line ~= "" and not line:find("#") then
+ add_excluded_domain(line)
+ set_domain_dns(line, LOCAL_DNS)
+ set_domain_ipset(line, setflag_4 .. "passwall_whitelist," .. setflag_6 .. "passwall_whitelist6")
+ end
end
+ log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认"))
end
- log(string.format(" - 域名白名单(whitelist):%s", LOCAL_DNS or "默认"))
local fwd_dns
local ipset_flag
local no_ipv6
- --始终使用远程DNS解析代理(黑名单)列表
- for line in io.lines("/usr/share/passwall/rules/proxy_host") do
- if line ~= "" and not line:find("#") then
- add_excluded_domain(line)
- local ipset_flag = setflag_4 .. "passwall_blacklist," .. setflag_6 .. "passwall_blacklist6"
- if NO_PROXY_IPV6 == "1" then
- set_domain_address(line, "::")
- ipset_flag = setflag_4 .. "passwall_blacklist"
+ --代理(黑名单)列表
+ if USE_PROXY_LIST == "1" then
+ --始终使用远程DNS解析代理(黑名单)列表
+ for line in io.lines("/usr/share/passwall/rules/proxy_host") do
+ if line ~= "" and not line:find("#") then
+ add_excluded_domain(line)
+ local ipset_flag = setflag_4 .. "passwall_blacklist," .. setflag_6 .. "passwall_blacklist6"
+ if NO_PROXY_IPV6 == "1" then
+ set_domain_address(line, "::")
+ ipset_flag = setflag_4 .. "passwall_blacklist"
+ end
+ if REMOTE_FAKEDNS == "1" then
+ ipset_flag = nil
+ end
+ set_domain_dns(line, TUN_DNS)
+ set_domain_ipset(line, ipset_flag)
end
- if REMOTE_FAKEDNS == "1" then
- ipset_flag = nil
+ end
+ log(string.format(" - 代理域名表(blacklist):%s", TUN_DNS or "默认"))
+ end
+
+ --GFW列表
+ if USE_GFW_LIST == "1" then
+ if fs.access("/usr/share/passwall/rules/gfwlist") then
+ fwd_dns = TUN_DNS
+ if USE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
+ fwd_dns = nil
+ else
+ local ipset_flag = setflag_4 .. "passwall_gfwlist," .. setflag_6 .. "passwall_gfwlist6"
+ if NO_PROXY_IPV6 == "1" then
+ ipset_flag = setflag_4 .. "passwall_gfwlist"
+ end
+ if REMOTE_FAKEDNS == "1" then
+ ipset_flag = nil
+ end
+ local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
+ for line in string.gmatch(gfwlist_str, "[^\r\n]+") do
+ if line ~= "" then
+ if NO_PROXY_IPV6 == "1" then
+ set_domain_address(line, "::")
+ end
+ set_domain_dns(line, fwd_dns)
+ set_domain_ipset(line, ipset_flag)
+ end
+ end
end
- set_domain_dns(line, TUN_DNS)
- set_domain_ipset(line, ipset_flag)
+ log(string.format(" - 防火墙域名表(gfwlist):%s", fwd_dns or "默认"))
+ end
+ end
+
+ --中国列表
+ if CHN_LIST ~= "0" then
+ if fs.access("/usr/share/passwall/rules/chnlist") then
+ fwd_dns = LOCAL_DNS
+ if CHN_LIST == "proxy" then
+ fwd_dns = TUN_DNS
+ end
+ if CHN_LIST == "direct" and USE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
+ fwd_dns = nil
+ else
+ local ipset_flag = setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6"
+ if CHN_LIST == "proxy" then
+ if NO_PROXY_IPV6 == "1" then
+ ipset_flag = setflag_4 .. "passwall_chnroute"
+ end
+ if REMOTE_FAKEDNS == "1" then
+ ipset_flag = nil
+ end
+ end
+ local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
+ for line in string.gmatch(chnlist_str, "[^\r\n]+") do
+ if line ~= "" then
+ if CHN_LIST == "proxy" and NO_PROXY_IPV6 == "1" then
+ set_domain_address(line, "::")
+ end
+ set_domain_dns(line, fwd_dns)
+ set_domain_ipset(line, ipset_flag)
+ end
+ end
+ end
+ log(string.format(" - 中国域名表(chnroute):%s", fwd_dns or "默认"))
end
end
- log(string.format(" - 代理域名表(blacklist):%s", TUN_DNS or "默认"))
--分流规则
if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
@@ -298,72 +376,6 @@ if not fs.access(CACHE_DNS_PATH) then
}
end
- if not only_global then
- --如果没有使用回国模式
- if not returnhome then
- if fs.access("/usr/share/passwall/rules/gfwlist") then
- fwd_dns = TUN_DNS
- if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
- fwd_dns = nil
- else
- local ipset_flag = setflag_4 .. "passwall_gfwlist," .. setflag_6 .. "passwall_gfwlist6"
- if NO_PROXY_IPV6 == "1" then
- ipset_flag = setflag_4 .. "passwall_gfwlist"
- end
- if REMOTE_FAKEDNS == "1" then
- ipset_flag = nil
- end
- local gfwlist_str = sys.exec('cat /usr/share/passwall/rules/gfwlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
- for line in string.gmatch(gfwlist_str, "[^\r\n]+") do
- if line ~= "" then
- if NO_PROXY_IPV6 == "1" then
- set_domain_address(line, "::")
- end
- set_domain_dns(line, fwd_dns)
- set_domain_ipset(line, ipset_flag)
- end
- end
- end
- log(string.format(" - 防火墙域名表(gfwlist):%s", fwd_dns or "默认"))
- end
-
- if chnlist and fs.access("/usr/share/passwall/rules/chnlist") and (CHNROUTE_MODE_DEFAULT_DNS == "remote" or (CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0")) then
- fwd_dns = LOCAL_DNS
- if CHNROUTE_MODE_DEFAULT_DNS == "chinadns_ng" and CHINADNS_DNS ~= "0" then
- fwd_dns = nil
- else
- local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
- for line in string.gmatch(chnlist_str, "[^\r\n]+") do
- if line ~= "" then
- set_domain_dns(line, fwd_dns)
- set_domain_ipset(line, setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6")
- end
- end
- end
- log(string.format(" - 中国域名表(chnroute):%s", fwd_dns or "默认"))
- end
- else
- if fs.access("/usr/share/passwall/rules/chnlist") then
- local chnlist_str = sys.exec('cat /usr/share/passwall/rules/chnlist | grep -v -E "^#" | grep -v -E "' .. excluded_domain_str .. '"')
- for line in string.gmatch(chnlist_str, "[^\r\n]+") do
- if line ~= "" then
- local ipset_flag = setflag_4 .. "passwall_chnroute," .. setflag_6 .. "passwall_chnroute6"
- if NO_PROXY_IPV6 == "1" then
- ipset_flag = setflag_4 .. "passwall_chnroute"
- set_domain_address(line, "::")
- end
- set_domain_dns(line, TUN_DNS)
- if REMOTE_FAKEDNS == "1" then
- ipset_flag = nil
- end
- set_domain_ipset(line, ipset_flag)
- end
- end
- log(string.format(" - 中国域名表(chnroute):%s", TUN_DNS or "默认"))
- end
- end
- end
-
local address_out = io.open(CACHE_DNS_PATH .. "/000-address.conf", "a")
local server_out = io.open(CACHE_DNS_PATH .. "/001-server.conf", "a")
local ipset_out = io.open(CACHE_DNS_PATH .. "/ipset.conf", "a")
@@ -413,7 +425,9 @@ if DNSMASQ_CONF_FILE ~= "nil" then
local conf_out = io.open(DNSMASQ_CONF_FILE, "a")
conf_out:write(string.format("conf-dir=%s\n", TMP_DNSMASQ_PATH))
if dnsmasq_default_dns then
- conf_out:write(string.format("server=%s\n", dnsmasq_default_dns))
+ for s in string.gmatch(dnsmasq_default_dns, '[^' .. "," .. ']+') do
+ conf_out:write(string.format("server=%s\n", s))
+ end
conf_out:write("all-servers\n")
conf_out:write("no-poll\n")
conf_out:write("no-resolv\n")
diff --git a/luci-app-passwall/root/usr/share/passwall/iptables.sh b/luci-app-passwall/root/usr/share/passwall/iptables.sh
index 7ca81858..d6a2a471 100755
--- a/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -132,93 +132,28 @@ REDIRECT() {
echo $s
}
-get_ipset_ipt() {
- case "$1" in
- gfwlist)
- echo "$(dst $IPSET_GFW)"
- ;;
- chnroute)
- echo "$(dst $IPSET_CHN !)"
- ;;
- returnhome)
- echo "$(dst $IPSET_CHN)"
- ;;
- esac
-}
-
-get_ipset_ip6t() {
- case "$1" in
- gfwlist)
- echo "$(dst $IPSET_GFW6)"
- ;;
- chnroute)
- echo "$(dst $IPSET_CHN6 !)"
- ;;
- returnhome)
- echo "$(dst $IPSET_CHN6)"
- ;;
- esac
-}
-
-get_redirect_ipt() {
- case "$1" in
- disable)
- echo "-j RETURN"
- ;;
- global)
- echo "$(REDIRECT $2 $3)"
- ;;
- gfwlist)
- echo "$(dst $IPSET_GFW) $(REDIRECT $2 $3)"
- ;;
- chnroute)
- echo "$(dst $IPSET_CHN !) $(REDIRECT $2 $3)"
- ;;
- returnhome)
- echo "$(dst $IPSET_CHN) $(REDIRECT $2 $3)"
- ;;
- esac
-}
-
-get_redirect_ip6t() {
- case "$1" in
- disable)
- echo "-j RETURN"
- ;;
- global)
- echo "$(REDIRECT $2 $3)"
- ;;
- gfwlist)
- echo "$(dst $IPSET_GFW6) $(REDIRECT $2 $3)"
- ;;
- chnroute)
- echo "$(dst $IPSET_CHN6 !) $(REDIRECT $2 $3)"
- ;;
- returnhome)
- echo "$(dst $IPSET_CHN6) $(REDIRECT $2 $3)"
- ;;
- esac
-}
-
get_action_chain_name() {
case "$1" in
disable)
echo "不代理"
;;
- global)
- echo "全局代理"
+ proxy)
+ echo "代理"
;;
- gfwlist)
- echo "防火墙列表"
+ esac
+}
+
+get_jump_ipt() {
+ case "$1" in
+ direct)
+ echo "-j RETURN"
;;
- chnroute)
- echo "中国列表以外"
- ;;
- returnhome)
- echo "中国列表"
- ;;
- direct/proxy)
- echo "仅使用直连/代理列表"
+ proxy)
+ if [ -n "$2" ] && [ -n "$(echo $2 | grep "^-")" ]; then
+ echo "$2"
+ else
+ echo "$(REDIRECT $2 $3)"
+ fi
;;
esac
}
@@ -259,9 +194,7 @@ load_acl() {
echolog "访问控制:"
for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)
-
- tcp_proxy_mode=${tcp_proxy_mode:-default}
- udp_proxy_mode=${udp_proxy_mode:-default}
+
tcp_no_redir_ports=${tcp_no_redir_ports:-default}
udp_no_redir_ports=${udp_no_redir_ports:-default}
tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default}
@@ -270,8 +203,13 @@ load_acl() {
udp_redir_ports=${udp_redir_ports:-default}
tcp_node=${tcp_node:-default}
udp_node=${udp_node:-default}
- [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
- [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
+ use_direct_list=${use_direct_list:-1}
+ use_proxy_list=${use_proxy_list:-1}
+ use_block_list=${use_block_list:-1}
+ use_gfw_list=${use_gfw_list:-1}
+ chn_list=${chn_list:-direct}
+ tcp_proxy_mode=${tcp_proxy_mode:-proxy}
+ udp_proxy_mode=${udp_proxy_mode:-proxy}
[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS
@@ -313,9 +251,17 @@ load_acl() {
ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
+ [ "${use_direct_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN
+ [ "${use_direct_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST) -j RETURN
+ [ "${use_block_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_BLOCKLIST) -j DROP
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${use_direct_list}" = "1" ] && $ipt6_n -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST6) -j RETURN
+ [ "${use_direct_list}" = "1" ] && $ipt6_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_WHITELIST6) -j RETURN
+ [ "${use_block_list}" = "1" ] && $ipt6_m -A PSW $(comment "$remarks") ${_ipt_source} $(dst $IPSET_BLOCKLIST6) -j DROP
+ }
[ -n "$tcp_port" ] && {
- if [ "$tcp_proxy_mode" != "disable" ]; then
+ if [ -n "${tcp_proxy_mode}" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && $ipt_n -A PSW_REDIRECT $(comment "$remarks") -p udp ${_ipt_source} --dport 53 -j REDIRECT --to-ports $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port)
msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
if [ -n "${is_tproxy}" ]; then
@@ -328,14 +274,18 @@ load_acl() {
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST) $(REDIRECT)
- $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT)
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(get_redirect_ipt $tcp_proxy_mode)
+ [ "${use_proxy_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_BLACKLIST) $(REDIRECT)
+ [ "${use_gfw_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_GFW) $(REDIRECT)
+ [ "${chn_list}" != "0" ] && $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(dst $IPSET_CHN) $(get_jump_ipt ${chn_list})
+ [ "${tcp_proxy_mode}" != "disable" ] && $ipt_n -A PSW $(comment "$remarks") -p icmp ${_ipt_source} $(REDIRECT)
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_SHUNTLIST6) $(REDIRECT) 2>/dev/null
- $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(get_redirect_ip6t $tcp_proxy_mode) 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_BLACKLIST6) $(REDIRECT) 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_GFW6) $(REDIRECT) 2>/dev/null
+ [ "${chn_list}" != "0" ] && $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(dst $IPSET_CHN6) $(get_jump_ipt ${chn_list}) 2>/dev/null
+ [ "${tcp_proxy_mode}" != "disable" ] && $ip6t_n -A PSW $(comment "$remarks") -p ipv6-icmp ${_ipt_source} $(REDIRECT) 2>/dev/null
}
[ "$tcp_no_redir_ports" != "disable" ] && {
@@ -348,32 +298,42 @@ load_acl() {
[ "$tcp_proxy_drop_ports" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null
- $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j DROP 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_GFW6) -j DROP 2>/dev/null
+ [ "${chn_list}" != "0" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${chn_list} "-j DROP") 2>/dev/null
+ [ "${tcp_proxy_mode}" != "disable" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -j DROP 2>/dev/null
}
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
- $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j DROP
+ [ "${use_proxy_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+ [ "${use_gfw_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_GFW) -j DROP
+ [ "${chn_list}" != "0" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${chn_list} "-j DROP")
+ [ "${tcp_proxy_mode}" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "-m multiport --dport") -j DROP
msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}"
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP $(REDIRECT $tcp_port)
$ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port)
- $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port)
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port)
+ [ "${use_proxy_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port)
+ [ "${use_gfw_list}" = "1" ] && $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_GFW) $(REDIRECT $tcp_port)
+ [ "${chn_list}" != "0" ] && $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${chn_list} $tcp_port)
+ [ "${tcp_proxy_mode}" != "disable" ] && $ipt_n -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(REDIRECT $tcp_port)
else
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
- $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ipt $tcp_proxy_mode) -j PSW_RULE
+ [ "${use_proxy_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+ [ "${use_gfw_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_GFW) -j PSW_RULE
+ [ "${chn_list}" != "0" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${chn_list} "-j PSW_RULE")
+ [ "${tcp_proxy_mode}" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY)
fi
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
- $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
- [ "$tcp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $tcp_proxy_mode) -j PSW_RULE 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE 2>/dev/null
+ [ "${chn_list}" != "0" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${chn_list} "-j PSW_RULE") 2>/dev/null
+ [ "${tcp_proxy_mode}" != "disable" ] && $ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(factor $tcp_redir_ports "-m multiport --dport") -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) 2>/dev/null
}
else
@@ -388,18 +348,22 @@ load_acl() {
[ "$udp_proxy_drop_ports" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP 2>/dev/null
- $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
- [ "$udp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j DROP 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_GFW6) -j DROP 2>/dev/null
+ [ "${chn_list}" != "0" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${chn_list} "-j DROP") 2>/dev/null
+ [ "${udp_proxy_mode}" != "disable" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -j DROP 2>/dev/null
}
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -d $FAKE_IP -j DROP
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
- $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
- [ "$udp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j DROP
+ [ "${use_proxy_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+ [ "${use_gfw_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_GFW) -j DROP
+ [ "${chn_list}" != "0" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${chn_list} "-j DROP")
+ [ "${udp_proxy_mode}" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_proxy_drop_ports "-m multiport --dport") -j DROP
msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}"
}
[ -n "$udp_port" ] && {
- if [ "$udp_proxy_mode" != "disable" ]; then
+ if [ -n "${udp_proxy_mode}" ]; then
msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
msg2="${msg2}(TPROXY:${udp_port})代理"
[ "$udp_no_redir_ports" != "disable" ] && {
@@ -411,14 +375,18 @@ load_acl() {
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
- $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
- [ "$udp_proxy_mode" != "direct/proxy" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ipt $udp_proxy_mode) -j PSW_RULE
+ [ "${use_proxy_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+ [ "${use_gfw_list}" = "1" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_GFW) -j PSW_RULE
+ [ "${chn_list}" != "0" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${chn_list} "-j PSW_RULE")
+ [ "${udp_proxy_mode}" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY)
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE 2>/dev/null
- $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
- [ "$udp_proxy_mode" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(get_ipset_ip6t $udp_proxy_mode) -j PSW_RULE 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE 2>/dev/null
+ [ "${chn_list}" != "0" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${chn_list} "-j PSW_RULE") 2>/dev/null
+ [ "${udp_proxy_mode}" != "disable" ] && $ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(factor $udp_redir_ports "-m multiport --dport") -j PSW_RULE 2>/dev/null
$ip6t_m -A PSW $(comment "$remarks") -p udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) 2>/dev/null
}
else
@@ -429,27 +397,39 @@ load_acl() {
$ip6t_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN 2>/dev/null
$ipt_m -A PSW $(comment "$remarks") ${_ipt_source} -p udp -j RETURN
done
- unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
+ unset enabled sid remarks sources use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
unset ipt_tmp msg msg2
done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") $(dst $IPSET_WHITELIST) -j RETURN
+ [ "${USE_BLOCK_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") $(dst $IPSET_BLOCKLIST) -j DROP
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ipt6_n -A PSW $(comment "默认") $(dst $IPSET_WHITELIST6) -j RETURN
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ipt6_m -A PSW $(comment "默认") $(dst $IPSET_WHITELIST6) -j RETURN
+ [ "${USE_BLOCK_LIST}" = "1" ] && $ipt6_m -A PSW $(comment "默认") $(dst $IPSET_BLOCKLIST6) -j DROP
+ }
# 加载TCP默认代理模式
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP
- $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j DROP
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j DROP
+ [ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j DROP")
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -j DROP
}
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
- $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j DROP
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j DROP
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j DROP")
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -j DROP
}
- if [ "$TCP_PROXY_MODE" != "disable" ]; then
+ if [ -n "${TCP_PROXY_MODE}" ]; then
local ipt_tmp=$ipt_n
[ -n "${is_tproxy}" ] && ipt_tmp=$ipt_m
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
@@ -470,33 +450,43 @@ load_acl() {
[ "$accept_icmp" = "1" ] && {
$ipt_n -A PSW $(comment "默认") -p icmp -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
- $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_n -A PSW $(comment "默认") -p icmp $(get_redirect_ipt $TCP_PROXY_MODE)
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_GFW) $(REDIRECT)
+ [ "${CHN_LIST}" != "0" ] && $ipt_n -A PSW $(comment "默认") -p icmp $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST})
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ipt_n -A PSW $(comment "默认") -p icmp $(REDIRECT)
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
$ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
- $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(get_redirect_ip6t $TCP_PROXY_MODE)
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_GFW6) $(REDIRECT)
+ [ "${CHN_LIST}" != "0" ] && $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST})
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ip6t_n -A PSW $(comment "默认") -p ipv6-icmp $(REDIRECT)
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
$ipt_n -A PSW $(comment "默认") -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
$ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
- $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT)
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW) $(REDIRECT $TCP_REDIR_PORT)
+ [ "${CHN_LIST}" != "0" ] && $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} $TCP_REDIR_PORT)
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ipt_n -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $TCP_REDIR_PORT)
else
$ipt_m -A PSW $(comment "默认") -p tcp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
- $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $TCP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
fi
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
- $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $TCP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${TCP_PROXY_MODE}" != "disable" ] && $ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p tcp $(REDIRECT $TCP_REDIR_PORT TPROXY)
}
@@ -511,15 +501,19 @@ load_acl() {
[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j DROP
- $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j DROP
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j DROP
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j DROP
+ [ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j DROP")
+ [ "${UDP_PROXY_MODE}" != "disable" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -j DROP
}
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
- $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j DROP
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j DROP
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j DROP")
+ [ "${UDP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -j DROP
}
- if [ "$UDP_PROXY_MODE" != "disable" ]; then
+ if [ -n "${UDP_PROXY_MODE}" ]; then
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
$ip6t_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
@@ -534,14 +528,18 @@ load_acl() {
$ipt_m -A PSW $(comment "默认") -p udp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
- $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $UDP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${UDP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
- $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $UDP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${UDP_PROXY_MODE}" != "disable" ] && $ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ip6t_m -A PSW $(comment "默认") -p udp $(REDIRECT $UDP_REDIR_PORT TPROXY)
}
@@ -776,7 +774,6 @@ add_firewall_rule() {
$ipt_n -N PSW
$ipt_n -A PSW $(dst $IPSET_LANLIST) -j RETURN
$ipt_n -A PSW $(dst $IPSET_VPSLIST) -j RETURN
- $ipt_n -A PSW $(dst $IPSET_WHITELIST) -j RETURN
WAN_IP=$(get_wan_ip)
[ ! -z "${WAN_IP}" ] && $ipt_n -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
@@ -787,7 +784,7 @@ add_firewall_rule() {
$ipt_n -N PSW_OUTPUT
$ipt_n -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
$ipt_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
- $ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
$ipt_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ipt_n -N PSW_REDIRECT
@@ -807,8 +804,6 @@ add_firewall_rule() {
$ipt_m -N PSW
$ipt_m -A PSW $(dst $IPSET_LANLIST) -j RETURN
$ipt_m -A PSW $(dst $IPSET_VPSLIST) -j RETURN
- $ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
- $ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
[ ! -z "${WAN_IP}" ] && $ipt_m -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
unset WAN_IP
@@ -819,9 +814,9 @@ add_firewall_rule() {
$ipt_m -N PSW_OUTPUT
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANLIST) -j RETURN
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST) -j RETURN
- $ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
- $ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
+ [ "${USE_BLOCK_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
@@ -830,13 +825,12 @@ add_firewall_rule() {
$ip6t_n -N PSW
$ip6t_n -A PSW $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_n -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
- $ip6t_n -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
$ip6t_n -N PSW_OUTPUT
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
- $ip6t_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ip6t_n -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
$ip6t_n -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
}
@@ -854,8 +848,6 @@ add_firewall_rule() {
$ip6t_m -N PSW
$ip6t_m -A PSW $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_m -A PSW $(dst $IPSET_VPSLIST6) -j RETURN
- $ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
- $ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
WAN6_IP=$(get_wan6_ip)
[ ! -z "${WAN6_IP}" ] && $ip6t_m -A PSW $(comment "WAN6_IP_RETURN") -d ${WAN6_IP} -j RETURN
@@ -868,8 +860,8 @@ add_firewall_rule() {
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANLIST6) -j RETURN
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSLIST6) -j RETURN
- $ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
- $ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
+ [ "${USE_DIRECT_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
+ [ "${USE_BLOCK_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
ip -6 rule add fwmark 1 table 100
ip -6 route add local ::/0 dev lo table 100
@@ -919,15 +911,19 @@ add_firewall_rule() {
$ipt_n -A OUTPUT -p icmp -j PSW_OUTPUT
$ipt_n -A PSW_OUTPUT -p icmp -d $FAKE_IP $(REDIRECT)
$ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_SHUNTLIST) $(REDIRECT)
- $ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_n -A PSW_OUTPUT -p icmp $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE)
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_BLACKLIST) $(REDIRECT)
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_GFW) $(REDIRECT)
+ [ "${CHN_LIST}" != "0" ] && $ipt_n -A PSW_OUTPUT -p icmp $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST})
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && $ipt_n -A PSW_OUTPUT -p icmp $(REDIRECT)
}
[ "$accept_icmpv6" = "1" ] && {
$ip6t_n -A OUTPUT -p ipv6-icmp -j PSW_OUTPUT
$ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_SHUNTLIST6) $(REDIRECT)
- $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(get_redirect_ip6t $LOCALHOST_TCP_PROXY_MODE)
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_BLACKLIST6) $(REDIRECT)
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_GFW6) $(REDIRECT)
+ [ "${CHN_LIST}" != "0" ] && $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST})
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && $ip6t_n -A PSW_OUTPUT -p ipv6-icmp $(REDIRECT)
}
local ipt_tmp=$ipt_n
@@ -958,28 +954,34 @@ add_firewall_rule() {
$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
}
- [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
- $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j DROP
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j DROP
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j DROP")
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_PROXY_DROP_PORTS "-m multiport --dport") -j DROP
echolog " - [$?],屏蔽代理TCP 端口:$TCP_PROXY_DROP_PORTS"
}
if [ "${ipt_tmp}" = "${ipt_n}" ]; then
- [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
$ipt_n -A PSW_OUTPUT -p tcp -d $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)
$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT)
- $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT)
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW) $(REDIRECT $TCP_REDIR_PORT)
+ [ "${CHN_LIST}" != "0" ] && $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} $TCP_REDIR_PORT)
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(REDIRECT $TCP_REDIR_PORT)
}
$ipt_n -A OUTPUT -p tcp -j PSW_OUTPUT
else
- [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
$ipt_m -A PSW_OUTPUT -p tcp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
- $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
}
$ipt_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
@@ -987,10 +989,12 @@ add_firewall_rule() {
fi
[ "$PROXY_IPV6" == "1" ] && {
- [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
- $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_TCP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && $ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo $(REDIRECT $TCP_REDIR_PORT TPROXY)
}
$ip6t_m -A PSW $(comment "本机") -p tcp -i lo -j RETURN
@@ -999,11 +1003,13 @@ add_firewall_rule() {
fi
# 加载路由器自身代理 UDP
- [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
+ [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && [ -n "$LOCALHOST_UDP_PROXY_MODE" ] && {
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -d $FAKE_IP -j DROP
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j DROP
- $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
- [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j DROP
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j DROP
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j DROP
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") $(dst $IPSET_CHN) $(get_jump_ipt ${CHN_LIST} "-j DROP")
+ [ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_PROXY_DROP_PORTS "-m multiport --dport") -j DROP
echolog " - [$?],屏蔽代理UDP 端口:$UDP_PROXY_DROP_PORTS"
}
if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
@@ -1026,21 +1032,25 @@ add_firewall_rule() {
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
}
- [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
$ipt_m -A PSW_OUTPUT -p udp -d $FAKE_IP -j PSW_RULE
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) -j PSW_RULE
- $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
- [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ipt $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN)$(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ipt_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
}
$ipt_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
insert_rule_before "$ipt_m" "OUTPUT" "mwan3" "$(comment mangle-OUTPUT-PSW) -p udp -j PSW_OUTPUT"
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
- [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
+ [ -n "$LOCALHOST_UDP_PROXY_MODE" ] && {
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) -j PSW_RULE
- $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
- [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_ipset_ip6t $LOCALHOST_UDP_PROXY_MODE) -j PSW_RULE
+ [ "${USE_PROXY_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) -j PSW_RULE
+ [ "${USE_GFW_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_GFW6) -j PSW_RULE
+ [ "${CHN_LIST}" != "0" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_CHN6) $(get_jump_ipt ${CHN_LIST} "-j PSW_RULE")
+ [ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && $ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") -j PSW_RULE
$ip6t_m -A PSW $(comment "本机") -p udp -i lo $(REDIRECT $UDP_REDIR_PORT TPROXY)
}
$ip6t_m -A PSW $(comment "本机") -p udp -i lo -j RETURN
diff --git a/luci-app-passwall/root/usr/share/passwall/nftables.sh b/luci-app-passwall/root/usr/share/passwall/nftables.sh
index 445da3d1..00ef3d7d 100755
--- a/luci-app-passwall/root/usr/share/passwall/nftables.sh
+++ b/luci-app-passwall/root/usr/share/passwall/nftables.sh
@@ -164,93 +164,28 @@ gen_nftset() {
[ -n "${1}" ] && insert_nftset $nftset_name $timeout_argument_element $@
}
-get_redirect_ipv4() {
- case "$1" in
- disable)
- echo "counter return"
- ;;
- global)
- echo "$(REDIRECT $2 $3)"
- ;;
- gfwlist)
- echo "ip daddr @$NFTSET_GFW $(REDIRECT $2 $3)"
- ;;
- chnroute)
- echo "ip daddr != @$NFTSET_CHN $(REDIRECT $2 $3)"
- ;;
- returnhome)
- echo "ip daddr @$NFTSET_CHN $(REDIRECT $2 $3)"
- ;;
- esac
-}
-
-get_redirect_ipv6() {
- case "$1" in
- disable)
- echo "counter return"
- ;;
- global)
- echo "$(REDIRECT $2 $3)"
- ;;
- gfwlist)
- echo "ip6 daddr @$NFTSET_GFW6 $(REDIRECT $2 $3)"
- ;;
- chnroute)
- echo "ip6 daddr != @$NFTSET_CHN6 $(REDIRECT $2 $3)"
- ;;
- returnhome)
- echo "ip6 daddr @$NFTSET_CHN6 $(REDIRECT $2 $3)"
- ;;
- esac
-}
-
-get_nftset_ipv4() {
- case "$1" in
- gfwlist)
- echo "ip daddr @$NFTSET_GFW counter"
- ;;
- chnroute)
- echo "ip daddr != @$NFTSET_CHN counter"
- ;;
- returnhome)
- echo "$ip daddr @$NFTSET_CHN counter"
- ;;
- esac
-}
-
-get_nftset_ipv6() {
- case "$1" in
- gfwlist)
- echo "ip6 daddr @$NFTSET_GFW6 counter"
- ;;
- chnroute)
- echo "ip6 daddr != @$NFTSET_CHN6 counter"
- ;;
- returnhome)
- echo "$ip6 daddr @$NFTSET_CHN6 counter"
- ;;
- esac
-}
-
get_action_chain_name() {
case "$1" in
disable)
echo "不代理"
;;
- global)
- echo "全局代理"
+ proxy)
+ echo "代理"
;;
- gfwlist)
- echo "防火墙列表"
+ esac
+}
+
+get_jump_ipt() {
+ case "$1" in
+ direct)
+ echo "counter return"
;;
- chnroute)
- echo "中国列表以外"
- ;;
- returnhome)
- echo "中国列表"
- ;;
- direct/proxy)
- echo "仅使用直连/代理列表"
+ proxy)
+ if [ -n "$2" ] && [ -n "$(echo $2 | grep "^counter")" ]; then
+ echo "$2"
+ else
+ echo "$(REDIRECT $2 $3)"
+ fi
;;
esac
}
@@ -291,9 +226,7 @@ load_acl() {
echolog "访问控制:"
for sid in $(ls -F ${TMP_ACL_PATH} | grep '/$' | awk -F '/' '{print $1}'); do
eval $(uci -q show "${CONFIG}.${sid}" | cut -d'.' -sf 3-)
-
- tcp_proxy_mode=${tcp_proxy_mode:-default}
- udp_proxy_mode=${udp_proxy_mode:-default}
+
tcp_no_redir_ports=${tcp_no_redir_ports:-default}
udp_no_redir_ports=${udp_no_redir_ports:-default}
tcp_proxy_drop_ports=${tcp_proxy_drop_ports:-default}
@@ -302,8 +235,13 @@ load_acl() {
udp_redir_ports=${udp_redir_ports:-default}
tcp_node=${tcp_node:-default}
udp_node=${udp_node:-default}
- [ "$tcp_proxy_mode" = "default" ] && tcp_proxy_mode=$TCP_PROXY_MODE
- [ "$udp_proxy_mode" = "default" ] && udp_proxy_mode=$UDP_PROXY_MODE
+ use_direct_list=${use_direct_list:-1}
+ use_proxy_list=${use_proxy_list:-1}
+ use_block_list=${use_block_list:-1}
+ use_gfw_list=${use_gfw_list:-1}
+ chn_list=${chn_list:-direct}
+ tcp_proxy_mode=${tcp_proxy_mode:-proxy}
+ udp_proxy_mode=${udp_proxy_mode:-proxy}
[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_proxy_drop_ports" = "default" ] && tcp_proxy_drop_ports=$TCP_PROXY_DROP_PORTS
@@ -344,9 +282,18 @@ load_acl() {
else
continue
fi
+
+ [ "${use_direct_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
+ [ "${use_direct_list}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
+ [ "${use_block_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ${_ipt_source} ip daddr @$NFTSET_BLOCKLIST counter drop comment \"$remarks\""
+ [ "${use_block_list}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} ip daddr @$NFTSET_BLOCKLIST counter drop comment \"$remarks\""
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${use_direct_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ${_ipt_source} ip6 daddr @$NFTSET_WHITELIST6 counter return comment \"$remarks\""
+ [ "${use_block_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ${_ipt_source} ip6 daddr @$NFTSET_BLOCKLIST6 counter drop comment \"$remarks\""
+ }
[ -n "$tcp_port" ] && {
- if [ "$tcp_proxy_mode" != "disable" ]; then
+ if [ -n "${tcp_proxy_mode}" ]; then
[ -s "${TMP_ACL_PATH}/${sid}/var_redirect_dns_port" ] && nft "add rule inet fw4 PSW_REDIRECT ip protocol udp ${_ipt_source} udp dport 53 counter redirect to $(cat ${TMP_ACL_PATH}/${sid}/var_redirect_dns_port) comment \"$remarks\""
msg2="${msg}使用TCP节点[$tcp_node_remark] [$(get_action_chain_name $tcp_proxy_mode)]"
if [ -n "${is_tproxy}" ]; then
@@ -356,17 +303,23 @@ load_acl() {
fi
[ "$accept_icmp" = "1" ] && {
+ [ "${use_direct_list}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT) comment \"$remarks\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"$remarks\""
- nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\""
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(get_redirect_ipv4 $tcp_proxy_mode) comment \"$remarks\""
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"$remarks\""
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_GFW $(REDIRECT) comment \"$remarks\""
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} ip daddr @$NFTSET_CHN $(get_jump_ipt ${chn_list}) comment \"$remarks\""
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} $(REDIRECT) comment \"$remarks\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ${_ipt_source} return comment \"$remarks\""
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+ [ "${use_direct_list}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_WHITELIST6 counter return comment \"默认\"" 2>/dev/null
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(get_redirect_ipv6 $tcp_proxy_mode) comment \"$remarks\"" 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_GFW6 $(REDIRECT) comment \"$remarks\"" 2>/dev/null
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${chn_list}) comment \"$remarks\"" 2>/dev/null
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} $(REDIRECT) comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ${_ipt_source} return comment \"$remarks\"" 2>/dev/null
}
@@ -380,33 +333,43 @@ load_acl() {
[ "$tcp_proxy_drop_ports" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_GFW6 counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${chn_list} "counter drop") comment \"$remarks\"" 2>/dev/null
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") counter drop comment \"$remarks\"" 2>/dev/null
}
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\""
nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\""
- nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\""
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter drop comment \"$remarks\""
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\""
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_GFW counter drop comment \"$remarks\""
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${chn_list} "counter drop") comment \"$remarks\""
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 $nft_prerouting_chain ip protocol tcp ${_ipt_source} $(factor $tcp_proxy_drop_ports "tcp dport") counter drop comment \"$remarks\""
msg2="${msg2}[$?],屏蔽代理TCP 端口:${tcp_proxy_drop_ports}"
}
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW_NAT ${_ipt_source} ip daddr $FAKE_IP $(REDIRECT $tcp_port) comment \"$remarks\""
nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $tcp_port) comment \"$remarks\""
- nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_redirect_ipv4 $tcp_proxy_mode $tcp_port) comment \"$remarks\""
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $tcp_port) comment \"$remarks\""
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_GFW $(REDIRECT $tcp_port) comment \"$remarks\""
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${chn_list} $tcp_port) comment \"$remarks\""
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_NAT ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(REDIRECT $tcp_port) comment \"$remarks\""
else
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" "
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv4 $tcp_proxy_mode) counter jump PSW_RULE comment \"$remarks\""
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\" "
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_GFW counter jump PSW_RULE comment \"$remarks\" "
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${chn_list} "counter jump PSW_RULE") comment \"$remarks\" "
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW_MANGLE meta nfproto {ipv4} meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY4) comment \"$remarks\""
fi
[ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
- [ "$tcp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") $(get_nftset_ipv6 $tcp_proxy_mode) jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_GFW6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${chn_list} "counter jump PSW_RULE") comment \"$remarks\" "
+ [ "${tcp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(factor $tcp_redir_ports "tcp dport") counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp ${_ipt_source} $(REDIRECT $tcp_port TPROXY) comment \"$remarks\"" 2>/dev/null
}
else
@@ -421,18 +384,22 @@ load_acl() {
[ "$udp_proxy_drop_ports" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
- [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_GFW6 counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${chn_list} "counter drop") comment \"$remarks\"" 2>/dev/null
+ [ "${udp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") counter drop comment \"$remarks\"" 2>/dev/null
}
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr $FAKE_IP counter drop comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null
- [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_GFW counter drop comment \"$remarks\"" 2>/dev/null
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${chn_list} "counter drop") comment \"$remarks\"" 2>/dev/null
+ [ "${udp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_proxy_drop_ports "udp dport") counter drop comment \"$remarks\"" 2>/dev/null
msg2="${msg2}[$?],屏蔽代理UDP 端口:${udp_proxy_drop_ports}"
}
[ -n "$udp_port" ] && {
- if [ "$udp_proxy_mode" != "disable" ]; then
+ if [ -n "${udp_proxy_mode}" ]; then
msg2="${msg}使用UDP节点[$udp_node_remark] [$(get_action_chain_name $udp_proxy_mode)]"
msg2="${msg2}(TPROXY:${udp_port})代理"
[ "$udp_no_redir_ports" != "disable" ] && {
@@ -444,14 +411,18 @@ load_acl() {
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} ip daddr $FAKE_IP counter jump PSW_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"$remarks\""
- nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\""
- [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv4 $udp_proxy_mode) jump PSW_RULE comment \"$remarks\""
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"$remarks\""
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_GFW counter jump PSW_RULE comment \"$remarks\""
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${chn_list} "counter jump PSW_RULE") comment \"$remarks\""
+ [ "${udp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW_RULE comment \"$remarks\""
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} $(REDIRECT $udp_port TPROXY4) comment \"$remarks\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
- [ "$udp_proxy_mode" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") $(get_nftset_ipv6 $udp_proxy_mode) counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+ [ "${use_proxy_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+ [ "${use_gfw_list}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$NFTSET_GFW6 counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
+ [ "${chn_list}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${chn_list} "counter jump PSW_RULE") comment \"$remarks\"" 2>/dev/null
+ [ "${udp_proxy_mode}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(factor $udp_redir_ports "udp dport") counter jump PSW_RULE comment \"$remarks\"" 2>/dev/null
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} $(REDIRECT $udp_port TPROXY) comment \"$remarks\"" 2>/dev/null
}
else
@@ -462,28 +433,40 @@ load_acl() {
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ${_ipt_source} counter return comment \"$remarks\""
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp ${_ipt_source} counter return comment \"$remarks\"" 2>/dev/null
done
- unset enabled sid remarks sources tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
+ unset enabled sid remarks sources use_direct_list use_proxy_list use_block_list use_gfw_list chn_list tcp_proxy_mode udp_proxy_mode tcp_no_redir_ports udp_no_redir_ports tcp_proxy_drop_ports udp_proxy_drop_ports tcp_redir_ports udp_redir_ports tcp_node udp_node
unset _ip _mac _iprange _ipset _ip_or_mac rule_list tcp_port udp_port tcp_node_remark udp_node_remark
unset msg msg2
done
}
[ "$ENABLED_DEFAULT_ACL" == 1 ] && {
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
+ [ "${USE_DIRECT_LIST}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_WHITELIST counter return comment \"$remarks\""
+ [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop comment \"$remarks\""
+ [ "${USE_BLOCK_LIST}" = "1" ] && [ -z "${is_tproxy}" ] && nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_BLOCKLIST counter drop comment \"$remarks\""
+ [ "$PROXY_IPV6" == "1" ] && {
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return comment \"$remarks\""
+ [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop comment \"$remarks\""
+ }
# 加载TCP默认代理模式
[ "$TCP_PROXY_DROP_PORTS" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) counter drop comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_GFW6 counter drop comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST} "counter drop") comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop comment \"默认\""
}
nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr $FAKE_IP counter drop comment \"默认\""
nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\""
- nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) counter drop comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_GFW counter drop comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST} "counter drop") comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop comment \"默认\""
}
- if [ "$TCP_PROXY_MODE" != "disable" ]; then
+ if [ -n "${TCP_PROXY_MODE}" ]; then
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
nft add rule inet fw4 $nft_prerouting_chain ip protocol tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
nft add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return comment \"默认\"
@@ -500,39 +483,51 @@ load_acl() {
msg="${msg}所有端口"
[ "$accept_icmp" = "1" ] && {
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return comment \"默认\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr $FAKE_IP $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_SHUNTLIST $(REDIRECT) comment \"默认\""
- nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp $(get_redirect_ipv4 $TCP_PROXY_MODE) comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_BLACKLIST $(REDIRECT) comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_GFW $(REDIRECT) comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST}) comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip protocol icmp return comment \"默认\""
}
[ "$accept_icmpv6" = "1" ] && [ "$PROXY_IPV6" == "1" ] && {
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return comment \"默认\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 $(REDIRECT) comment \"默认\""
- nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(get_redirect_ipv6 $TCP_PROXY_MODE) comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 $(REDIRECT) comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_GFW6 $(REDIRECT) comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST}) comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 $(REDIRECT) comment \"默认\""
nft "add rule inet fw4 PSW_ICMP_REDIRECT meta l4proto icmpv6 return comment \"默认\""
}
if [ -z "${is_tproxy}" ]; then
nft "add rule inet fw4 PSW_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
- nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $TCP_PROXY_MODE $TCP_REDIR_PORT) comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_GFW $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST} $TCP_REDIR_PORT) comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(REDIRECT $TCP_REDIR_PORT) comment \"默认\""
nft "add rule inet fw4 PSW_NAT ip protocol tcp counter return comment \"默认\""
else
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_GFW counter jump PSW_RULE comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE") comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp counter return comment \"默认\""
fi
[ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
- [ "$TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $TCP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_GFW6 counter jump PSW_RULE comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE") comment \"默认\""
+ [ "${TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp counter return comment \"默认\""
}
@@ -545,15 +540,19 @@ load_acl() {
[ "$UDP_PROXY_DROP_PORTS" != "disable" ] && {
[ "$PROXY_IPV6" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter drop comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) counter drop comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter drop comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_GFW6 counter drop comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST} "counter drop") comment \"默认\""
+ [ "${UDP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop comment \"默认\""
}
nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr $FAKE_IP counter drop comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter drop comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $UDP_PROXY_MODE) counter drop comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter drop comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_GFW counter drop comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE $(factor $UDP_PROXY_DROP_PORTS "udp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST} "counter drop") comment \"默认\""
+ [ "${UDP_PROXY_MODE}" != "disable" ] && nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop comment \"默认\""
}
- if [ "$UDP_PROXY_MODE" != "disable" ]; then
+ if [ -n "${UDP_PROXY_MODE}" ]; then
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
nft "add inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
nft "add inet fw4 PSW_MANGLE_V6 counter meta l4proto udp $(factor $UDP_NO_REDIR_PORTS "udp dport") counter return comment \"默认\""
@@ -568,15 +567,19 @@ load_acl() {
nft "add rule inet fw4 PSW_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_SHUNTLIST counter jump PSW_RULE comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $UDP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_BLACKLIST counter jump PSW_RULE comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_GFW counter jump PSW_RULE comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE") comment \"默认\""
+ [ "${UDP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE ip protocol udp counter return comment \"默认\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_SHUNTLIST6 counter jump PSW_RULE comment \"默认\""
- nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
- [ "$UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $UDP_PROXY_MODE) jump PSW_RULE comment \"默认\""
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_BLACKLIST6 counter jump PSW_RULE comment \"默认\""
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_GFW6 counter jump PSW_RULE comment \"默认\""
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE") comment \"默认\""
+ [ "${UDP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"默认\""
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp counter return comment \"默认\""
}
@@ -831,16 +834,14 @@ add_firewall_rule() {
nft "flush chain inet fw4 PSW_MANGLE"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
- nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
- nft "add rule inet fw4 PSW_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
nft "add chain inet fw4 PSW_OUTPUT_MANGLE"
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPSLIST counter return"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE meta mark 0xff counter return"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
+ [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCKLIST counter drop"
# jump chains
nft "add rule inet fw4 mangle_prerouting meta nfproto {ipv4} counter jump PSW_MANGLE"
@@ -852,17 +853,15 @@ add_firewall_rule() {
nft "flush chain inet fw4 PSW_NAT"
nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_VPSLIST counter return"
- nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_WHITELIST counter return"
- nft "add rule inet fw4 PSW_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
nft "add rule inet fw4 dstnat ip protocol tcp counter jump PSW_NAT"
nft "add chain inet fw4 PSW_OUTPUT_NAT"
nft "flush chain inet fw4 PSW_OUTPUT_NAT"
nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_VPSLIST counter return"
- nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_WHITELIST counter return"
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_WHITELIST counter return"
nft "add rule inet fw4 PSW_OUTPUT_NAT meta mark 0xff counter return"
- nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
+ [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip daddr @$NFTSET_BLOCKLIST counter drop"
}
#icmp ipv6-icmp redirect
@@ -871,12 +870,10 @@ add_firewall_rule() {
nft "flush chain inet fw4 PSW_ICMP_REDIRECT"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_LANLIST counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_VPSLIST counter return"
- nft "add rule inet fw4 PSW_ICMP_REDIRECT ip daddr @$NFTSET_WHITELIST counter return"
[ "$accept_icmpv6" = "1" ] && {
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_LANLIST6 counter return"
nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_VPSLIST6 counter return"
- nft "add rule inet fw4 PSW_ICMP_REDIRECT ip6 daddr @$NFTSET_WHITELIST6 counter return"
}
nft "add rule inet fw4 dstnat meta l4proto {icmp,icmpv6} counter jump PSW_ICMP_REDIRECT"
@@ -897,16 +894,14 @@ add_firewall_rule() {
nft "flush chain inet fw4 PSW_MANGLE_V6"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
- nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
- nft "add rule inet fw4 PSW_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
nft "add chain inet fw4 PSW_OUTPUT_MANGLE_V6"
nft "flush chain inet fw4 PSW_OUTPUT_MANGLE_V6"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LANLIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPSLIST6 counter return"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
+ [ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITELIST6 counter return"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
+ [ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCKLIST6 counter drop"
# jump chains
[ "$PROXY_IPV6" == "1" ] && {
@@ -965,15 +960,19 @@ add_firewall_rule() {
[ "$accept_icmp" = "1" ] && {
nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr $FAKE_IP counter redirect"
nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$NFTSET_SHUNTLIST counter redirect"
- nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$NFTSET_BLACKLIST counter redirect"
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter redirect"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$NFTSET_BLACKLIST counter redirect"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$NFTSET_GFW counter redirect"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST})"
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp counter redirect"
nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo ip protocol icmp counter return"
}
[ "$accept_icmpv6" = "1" ] && {
nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$NFTSET_SHUNTLIST6 counter redirect"
- nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 counter redirect"
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) counter redirect"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$NFTSET_BLACKLIST6 counter redirect"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$NFTSET_GFW6 counter redirect"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 ip6 daddr @$NFTSET_CHN6 $(get_jump_ipt ${CHN_LIST})"
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter redirect"
nft "add rule inet fw4 PSW_ICMP_REDIRECT oif lo meta l4proto icmpv6 counter return"
}
@@ -1003,28 +1002,34 @@ add_firewall_rule() {
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_NO_REDIR_PORTS "tcp dport") counter return"
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
}
- [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ "$TCP_PROXY_DROP_PORTS" != "disable" ] && [ -n "$LOCALHOST_TCP_PROXY_MODE" ] && {
nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr $FAKE_IP $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
- nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) counter drop
+ [ "${USE_PROXY_LIST}" = "1" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
+ [ "${USE_GFW_LIST}" = "1" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_GFW $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
+ [ "${CHN_LIST}" != "0" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp ip daddr @$NFTSET_CHN $(factor $TCP_PROXY_DROP_PORTS "tcp dport") $(get_jump_ipt ${CHN_LIST} "counter drop")
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && nft add rule inet fw4 $nft_output_chain ip protocol tcp $(factor $TCP_PROXY_DROP_PORTS "tcp dport") counter drop
echolog " - [$?],屏蔽代理TCP 端口:$TCP_PROXY_DROP_PORTS"
}
if [ -z "${is_tproxy}" ]; then
- [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp ip daddr $FAKE_IP $(REDIRECT $TCP_REDIR_PORT)"
nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_SHUNTLIST counter $(REDIRECT $TCP_REDIR_PORT)"
- nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_redirect_ipv4 $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT)"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_BLACKLIST counter $(REDIRECT $TCP_REDIR_PORT)"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_GFW counter $(REDIRECT $TCP_REDIR_PORT)"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") ip daddr @$NFTSET_CHN $(get_jump_ipt ${CHN_LIST} $TCP_REDIR_PORT)"
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_OUTPUT_NAT ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter $(REDIRECT $TCP_REDIR_PORT)"
}
nft "add rule inet fw4 nat_output ip protocol tcp counter jump PSW_OUTPUT_NAT"
else
- [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr $FAKE_IP counter jump PSW_RULE"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_SHUNTLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv4 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_BLACKLIST $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_GFW $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp ip daddr @$NFTSET_CHN $(factor $TCP_REDIR_PORTS "tcp dport") $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE")"
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
nft "add rule inet fw4 PSW_MANGLE meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
}
nft "add rule inet fw4 PSW_MANGLE ip protocol tcp iif lo counter return comment \"本机\""
@@ -1032,10 +1037,12 @@ add_firewall_rule() {
fi
[ "$PROXY_IPV6" == "1" ] && {
- [ "$LOCALHOST_TCP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_TCP_PROXY_MODE}" ] && {
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
- [ "$LOCALHOST_TCP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") $(get_nftset_ipv6 $LOCALHOST_TCP_PROXY_MODE) jump PSW_RULE"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_GFW6 $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp ip6 daddr @$NFTSET_CHN6 $(factor $TCP_REDIR_PORTS "tcp dport") $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE")"
+ [ "${LOCALHOST_TCP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto tcp $(factor $TCP_REDIR_PORTS "tcp dport") counter jump PSW_RULE"
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo $(REDIRECT $TCP_REDIR_PORT TPROXY) comment \"本机\""
}
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto tcp iif lo counter return comment \"本机\""
@@ -1043,11 +1050,13 @@ add_firewall_rule() {
fi
# 加载路由器自身代理 UDP
- [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
+ [ "$UDP_PROXY_DROP_PORTS" != "disable" ] && [ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
- nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
- [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE counter ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) counter drop
+ [ "${USE_PROXY_LIST}" = "1" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+ [ "${USE_GFW_LIST}" = "1" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_GFW $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
+ [ "${CHN_LIST}" != "0" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_CHN $(factor $UDP_PROXY_DROP_PORTS "udp dport") $(get_jump_ipt ${CHN_LIST} "counter drop")
+ [ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && nft add rule inet fw4 PSW_OUTPUT_MANGLE counter ip protocol udp $(factor $UDP_PROXY_DROP_PORTS "udp dport") counter drop
echolog " - [$?],屏蔽代理UDP 端口:$UDP_PROXY_DROP_PORTS"
}
if [ "$UDP_NODE" != "nil" -o "$TCP_UDP" = "1" ]; then
@@ -1070,21 +1079,25 @@ add_firewall_rule() {
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
}
- [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr $FAKE_IP counter jump PSW_RULE"
nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_SHUNTLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
- [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv4 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_BLACKLIST $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_GFW $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp ip daddr @$NFTSET_CHN $(factor $UDP_REDIR_PORTS "udp dport") $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE")"
+ [ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE ip protocol udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
nft "add rule inet fw4 PSW_MANGLE meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
}
nft "add rule inet fw4 PSW_MANGLE ip protocol udp iif lo counter return comment \"本机\""
nft "add rule inet fw4 mangle_output meta nfproto {ipv4} meta l4proto udp counter jump PSW_OUTPUT_MANGLE comment \"PSW_OUTPUT_MANGLE\""
[ "$PROXY_IPV6" == "1" ] && [ "$PROXY_IPV6_UDP" == "1" ] && {
- [ "$LOCALHOST_UDP_PROXY_MODE" != "disable" ] && {
+ [ -n "${LOCALHOST_UDP_PROXY_MODE}" ] && {
nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_SHUNTLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
- nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
- [ "$LOCALHOST_UDP_PROXY_MODE" != "direct/proxy" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") $(get_nftset_ipv6 $LOCALHOST_UDP_PROXY_MODE) jump PSW_RULE"
+ [ "${USE_PROXY_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_BLACKLIST6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ [ "${USE_GFW_LIST}" = "1" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_GFW6 $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
+ [ "${CHN_LIST}" != "0" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp ip6 daddr @$NFTSET_CHN6 $(factor $UDP_REDIR_PORTS "udp dport") $(get_jump_ipt ${CHN_LIST} "counter jump PSW_RULE")"
+ [ "${LOCALHOST_UDP_PROXY_MODE}" != "disable" ] && nft "add rule inet fw4 PSW_OUTPUT_MANGLE_V6 meta l4proto udp $(factor $UDP_REDIR_PORTS "udp dport") counter jump PSW_RULE"
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo $(REDIRECT $UDP_REDIR_PORT TPROXY) comment \"本机\""
}
nft "add rule inet fw4 PSW_MANGLE_V6 meta l4proto udp iif lo counter return comment \"本机\""
diff --git a/luci-app-passwall/root/usr/share/passwall/rules/proxy_host b/luci-app-passwall/root/usr/share/passwall/rules/proxy_host
index 14f6e8f5..e9a2bd78 100644
--- a/luci-app-passwall/root/usr/share/passwall/rules/proxy_host
+++ b/luci-app-passwall/root/usr/share/passwall/rules/proxy_host
@@ -1,6 +1,7 @@
bing.com
sspanel.net
v2ex.com
+c.mi.com
#google
googleapis.cn
diff --git a/luci-app-passwall/root/usr/share/passwall/subscribe.lua b/luci-app-passwall/root/usr/share/passwall/subscribe.lua
index cad9894c..bb28e713 100755
--- a/luci-app-passwall/root/usr/share/passwall/subscribe.lua
+++ b/luci-app-passwall/root/usr/share/passwall/subscribe.lua
@@ -27,7 +27,6 @@ local has_ss_rust = api.is_finded("sslocal")
local has_trojan_plus = api.is_finded("trojan-plus")
local has_singbox = api.finded_com("singbox")
local has_xray = api.finded_com("xray")
-local has_trojan_go = api.finded_com("trojan-go")
local has_hysteria2 = api.finded_com("hysteria")
local allowInsecure_default = nil
local ss_aead_type_default = uci:get(appname, "@global_subscribe[0]", "ss_aead_type") or "shadowsocks-libev"
@@ -606,23 +605,7 @@ local function processData(szType, content, add_mode, add_from)
local peer, sni = nil, ""
if params.peer then peer = params.peer end
sni = params.sni and params.sni or ""
- if params.ws and params.ws == "1" then
- result.trojan_transport = "ws"
- if params.wshost then result.ws_host = params.wshost end
- if params.wspath then result.ws_path = params.wspath end
- if sni == "" and params.wshost then sni = params.wshost end
- end
- if params.ss and params.ss == "1" then
- result.ss_aead = "1"
- if params.ssmethod then result.ss_aead_method = string.lower(params.ssmethod) end
- if params.sspasswd then result.ss_aead_pwd = params.sspasswd end
- end
result.port = port
- if result.trojan_transport == "ws" or result.ss_aead then
- result.type = "Trojan-Go"
- result.fingerprint = "firefox"
- result.mux = "1"
- end
result.tls = '1'
result.tls_serverName = peer and peer or sni
if params.allowinsecure then
@@ -644,65 +627,6 @@ local function processData(szType, content, add_mode, add_from)
elseif trojan_type_default == "xray" and has_xray then
result.type = 'Xray'
result.protocol = 'trojan'
- elseif trojan_type_default == "trojan-go" and has_trojan_go then
- result.type = 'Trojan-Go'
- end
- elseif szType == "trojan-go" then
- local alias = ""
- if content:find("#") then
- local idx_sp = content:find("#")
- alias = content:sub(idx_sp + 1, -1)
- content = content:sub(0, idx_sp - 1)
- end
- result.remarks = UrlDecode(alias)
- if has_trojan_go then
- result.type = "Trojan-Go"
- end
- if content:find("@") then
- local Info = split(content, "@")
- result.password = UrlDecode(Info[1])
- local port = "443"
- Info[2] = (Info[2] or ""):gsub("/%?", "?")
- local query = split(Info[2], "?")
- local host_port = query[1]
- local params = {}
- for _, v in pairs(split(query[2], '&')) do
- local t = split(v, '=')
- params[string.lower(t[1])] = UrlDecode(t[2])
- end
- -- [2001:4860:4860::8888]:443
- -- 8.8.8.8:443
- if host_port:find(":") then
- local sp = split(host_port, ":")
- port = sp[#sp]
- if api.is_ipv6addrport(host_port) then
- result.address = api.get_ipv6_only(host_port)
- else
- result.address = sp[1]
- end
- else
- result.address = host_port
- end
- local peer, sni = nil, ""
- if params.peer then peer = params.peer end
- sni = params.sni and params.sni or ""
- if params.type and params.type == "ws" then
- result.trojan_transport = "ws"
- if params.host then result.ws_host = params.host end
- if params.path then result.ws_path = params.path end
- if sni == "" and params.host then sni = params.host end
- end
- if params.encryption and params.encryption:match('^ss;[^;:]*[;:].*$') then
- result.ss_aead = "1"
- result.ss_aead_method, result.ss_aead_pwd = params.encryption:match('^ss;([^;:]*)[;:](.*)$')
- result.ss_aead_method = string.lower(result.ss_aead_method)
- end
- result.port = port
- result.fingerprint = "firefox"
- result.tls = "1"
- result.tls_serverName = peer and peer or sni
- result.tls_allowInsecure = "0"
- result.mux = "1"
end
elseif szType == "ssd" then
result.type = "SS"
@@ -1218,7 +1142,7 @@ local function parse_link(raw, add_mode, add_from)
local node = trim(v)
local dat = split(node, "://")
if dat and dat[1] and dat[2] then
- if dat[1] == 'ss' or dat[1] == 'trojan' or dat[1] == 'trojan-go' then
+ if dat[1] == 'ss' or dat[1] == 'trojan' then
result = processData(dat[1], dat[2], add_mode, add_from)
else
result = processData(dat[1], base64Decode(dat[2]), add_mode, add_from)