luci-app-passwall: sync with upstream source
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This commit is contained in:
parent
164947845e
commit
fd73004369
@ -37,10 +37,6 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_Xray
bool "Include Xray"
default y if i386||x86_64||arm||aarch64
config PACKAGE_$(PKG_NAME)_INCLUDE_V2ray
bool "Include V2ray"
default n
config PACKAGE_$(PKG_NAME)_INCLUDE_Trojan_Plus
bool "Include Trojan_Plus"
default y
@ -71,7 +67,7 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG
config PACKAGE_$(PKG_NAME)_INCLUDE_dns2socks
bool "Include dns2socks"
default n
default y
config PACKAGE_$(PKG_NAME)_INCLUDE_v2ray-plugin
bool "Include v2ray-plugin (Shadowsocks plugin)"
@ -257,9 +257,7 @@ o:depends({dns_mode = "pdnsd"})
o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
o.inputstyle = "remove"
function o.write(e, e)
luci.sys.call("/etc/init.d/" .. appname .. " stop")
luci.sys.call("/usr/share/" .. appname .. "/iptables.sh flush_ipset")
luci.sys.call("/etc/init.d/" .. appname .. " restart")
luci.sys.call("/usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
end
s:tab("Proxy", translate("Mode"))
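Review bot: The added `luci.sys.call("/usr/share/" .. appname .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")` turns the Clear IPSET button into fire-and-forget: the shell returns immediately with status 0 and all output is discarded, so luci.sys.call's return value no longer says whether the flush ran, and a failure is invisible to the user. If detaching is deliberate (to keep the page responsive), record that above the call, e.g. `-- flush runs detached; this handler cannot report its result`; otherwise drop the trailing `&` and keep only the redirection, so a non-zero status is at least available to the handler. The context line `function o.write(e, e)` declares the same parameter name twice, which masks the section argument; `function o.write(self, section)` is the conventional cbi form and costs nothing here since the body uses neither.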
@ -1,6 +1,7 @@
local fs = require "nixio.fs"
local api = require "luci.model.cbi.passwall.api.api"
local appname = api.appname
local path = string.format("/usr/share/%s/rules/", appname)
m = Map(appname)
m.apply_on_parse=true
@ -13,9 +14,10 @@ s.anonymous = true
s:tab("direct_list", translate("Direct List"))
s:tab("proxy_list", translate("Proxy List"))
s:tab("block_list", translate("Block List"))
---- Direct Hosts
local direct_host = string.format("/usr/share/%s/rules/direct_host", appname)
local direct_host = path .. "direct_host"
o = s:taboption("direct_list", TextValue, "direct_host", "", "<font color='red'>" .. translate("Join the direct hosts list of domain names will not proxy.") .. "</font>")
o.rows = 15
o.wrap = "off"
@ -34,7 +36,7 @@ o.validate = function(self, value)
end
---- Direct IP
local direct_ip = string.format("/usr/share/%s/rules/direct_ip", appname)
local direct_ip = path .. "direct_ip"
o = s:taboption("direct_list", TextValue, "direct_ip", "", "<font color='red'>" .. translate("These had been joined ip addresses will not proxy. Please input the ip address or ip address segment,every line can input only one ip address. For example: 192.168.0.0/24 or 223.5.5.5.") .. "</font>")
o.rows = 15
o.wrap = "off"
@ -53,8 +55,8 @@ o.validate = function(self, value)
end
---- Proxy Hosts
local proxy_host = string.format("/usr/share/%s/rules/proxy_host", appname)
o = s:taboption("proxy_list", TextValue, "proxy_host", "", "<font color='red'>" .. translate("These had been joined websites will use proxy. Please input the domain names of websites,every line can input only one website domain. For example: google.com.") .. "</font>")
local proxy_host = path .. "proxy_host"
o = s:taboption("proxy_list", TextValue, "proxy_host", "", "<font color='red'>" .. translate("These had been joined websites will use proxy. Please input the domain names of websites, every line can input only one website domain. For example: google.com.") .. "</font>")
o.rows = 15
o.wrap = "off"
o.cfgvalue = function(self, section) return fs.readfile(proxy_host) or "" end
@ -72,8 +74,8 @@ o.validate = function(self, value)
end
---- Proxy IP
local proxy_ip = string.format("/usr/share/%s/rules/proxy_ip", appname)
o = s:taboption("proxy_list", TextValue, "blacklist_ip", "", "<font color='red'>" .. translate("These had been joined ip addresses will use proxy.Please input the ip address or ip address segment,every line can input only one ip address.For example: 35.24.0.0/24 or 8.8.4.4.") .. "</font>")
local proxy_ip = path .. "proxy_ip"
o = s:taboption("proxy_list", TextValue, "proxy_ip", "", "<font color='red'>" .. translate("These had been joined ip addresses will use proxy. Please input the ip address or ip address segment, every line can input only one ip address. For example: 35.24.0.0/24 or 8.8.4.4.") .. "</font>")
o.rows = 15
o.wrap = "off"
o.cfgvalue = function(self, section) return fs.readfile(proxy_ip) or "" end
@ -90,4 +92,42 @@ o.validate = function(self, value)
return value
end
---- Block Hosts
local block_host = path .. "block_host"
o = s:taboption("block_list", TextValue, "block_host", "", "<font color='red'>" .. translate("These had been joined websites will be block. Please input the domain names of websites, every line can input only one website domain. For example: twitter.com.") .. "</font>")
o.rows = 15
o.wrap = "off"
o.cfgvalue = function(self, section) return fs.readfile(block_host) or "" end
o.write = function(self, section, value) fs.writefile(block_host, value:gsub("\r\n", "\n")) end
o.remove = function(self, section, value) fs.writefile(block_host, "") end
o.validate = function(self, value)
local hosts= {}
string.gsub(value, '[^' .. "\r\n" .. ']+', function(w) table.insert(hosts, w) end)
for index, host in ipairs(hosts) do
if not datatypes.hostname(host) then
return nil, host .. " " .. translate("Not valid domain name, please re-enter!")
end
end
return value
end
---- Block IP
local block_ip = path .. "block_ip"
o = s:taboption("block_list", TextValue, "block_ip", "", "<font color='red'>" .. translate("These had been joined ip addresses will be block. Please input the ip address or ip address segment, every line can input only one ip address.") .. "</font>")
o.rows = 15
o.wrap = "off"
o.cfgvalue = function(self, section) return fs.readfile(block_ip) or "" end
o.write = function(self, section, value) fs.writefile(block_ip, value:gsub("\r\n", "\n")) end
o.remove = function(self, section, value) fs.writefile(block_ip, "") end
o.validate = function(self, value)
local ipmasks= {}
string.gsub(value, '[^' .. "\r\n" .. ']+', function(w) table.insert(ipmasks, w) end)
for index, ipmask in ipairs(ipmasks) do
if not ( datatypes.ipmask4(ipmask) or datatypes.ipmask6(ipmask) ) then
return nil, ipmask .. " " .. translate("Not valid IP format, please re-enter!")
end
end
return value
end
return m
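Review bot: The two new `o.validate` closures for block_host and block_ip are the same loop with a different predicate and message, and from their shape the direct/proxy validators above this hunk are copies of it as well, so the fourth copy is where a shared `validate_lines(check, errmsg)` factory near the top of the file pays for itself and each list box becomes one line. The rewrite below is behaviour-preserving: `value:gmatch("[^\r\n]+")` yields exactly the segments the `string.gsub` collector inserts, the first failing line is still returned as `nil, line .. " " .. msg`, and the unused `index` loop variable disappears. Note that `datatypes` is not among the file's visible `require` lines (only nixio.fs and the api module are), so it presumably comes from the cbi loader's environment; that is worth confirming, since an undefined global here would only surface when a user saves a list.
```lua
-- Builds a cbi validator for a line-oriented list box: every non-empty line
-- must satisfy `check`; validation fails on the first offending line.
local function validate_lines(check, errmsg)
	return function(self, value)
		for line in value:gmatch("[^\r\n]+") do
			if not check(line) then
				return nil, line .. " " .. errmsg
			end
		end
		return value
	end
end
-- … unchanged: block_host TextValue definition, cfgvalue/write/remove …
o.validate = validate_lines(datatypes.hostname, translate("Not valid domain name, please re-enter!"))
-- … unchanged: block_ip TextValue definition, cfgvalue/write/remove …
o.validate = validate_lines(function(v) return datatypes.ipmask4(v) or datatypes.ipmask6(v) end, translate("Not valid IP format, please re-enter!"))
```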
@ -868,18 +868,27 @@ msgstr "直连列表"
msgid "Proxy List"
msgstr "代理列表"
msgid "Block List"
msgstr "屏蔽列表"
msgid "Join the direct hosts list of domain names will not proxy."
msgstr "加入的域名不走代理,对所有模式有效。且优先级最高。"
msgid "These had been joined ip addresses will not proxy. Please input the ip address or ip address segment,every line can input only one ip address. For example: 192.168.0.0/24 or 223.5.5.5."
msgstr "加入的IP段不走代理,对所有模式有效。且优先级最高。可输入IP地址或地址段,如:192.168.0.0/24或223.5.5.5,每个地址段一行。"
msgid "These had been joined websites will use proxy. Please input the domain names of websites,every line can input only one website domain. For example: google.com."
msgid "These had been joined websites will use proxy. Please input the domain names of websites, every line can input only one website domain. For example: google.com."
msgstr "加入的域名将走代理。输入网站域名,如:google.com,每个地址段一行。"
msgid "These had been joined ip addresses will use proxy.Please input the ip address or ip address segment,every line can input only one ip address.For example: 35.24.0.0/24 or 8.8.4.4."
msgid "These had been joined ip addresses will use proxy. Please input the ip address or ip address segment, every line can input only one ip address. For example: 35.24.0.0/24 or 8.8.4.4."
msgstr "加入的IP段将走代理。可输入IP地址或地址段,如:35.24.0.0/24或8.8.4.4,每个地址段一行。"
msgid "These had been joined websites will be block. Please input the domain names of websites, every line can input only one website domain. For example: twitter.com."
msgstr "加入的域名将屏蔽。输入网站域名,如:twitter.com,每个地址段一行。"
msgid "These had been joined ip addresses will be block. Please input the ip address or ip address segment, every line can input only one ip address."
msgstr "加入的IP段将屏蔽。可输入IP地址或地址段,每个地址段一行。"
msgid "Not valid domain name, please re-enter!"
msgstr "不是有效域名,请重新输入!"
@ -9,9 +9,9 @@ config global
option dns_forward '8.8.8.8'
option tcp_proxy_mode 'chnroute'
option udp_proxy_mode 'chnroute'
option localhost_tcp_proxy_mode 'chnroute'
option localhost_udp_proxy_mode 'chnroute'
option socks_server '127.0.0.1:9050'
option localhost_tcp_proxy_mode 'default'
option localhost_udp_proxy_mode 'default'
option socks_server '127.0.0.1:1080'
option close_log_tcp '0'
option close_log_udp '0'
option loglevel 'warning'
@ -212,7 +212,7 @@ gen_dnsmasq_items() {
}
gen_dnsmasq_fake_items() {
local fwd_dns="1.2.3.4"
local fwd_dns=${1}; shift 1
local outf=${1}; shift 1
awk -v fwd_dns="${fwd_dns}" -v outf="${outf}" '
@ -786,11 +786,11 @@ start_dns() {
china_ng_gfw="127.0.0.1#${dns_listen_port}"
[ -n "${returnhome}" ] && china_ng_chn="${china_ng_gfw}" && china_ng_gfw="${LOCAL_DNS}"
echolog "过滤服务配置:准备接管域名解析[$?]..."
echolog "过滤服务配置:准备接管域名解析..."
case "$DNS_MODE" in
nonuse)
echolog " - 被禁用,设置为非 '默认DNS' 并开启广告过滤可以按本插件内置的广告域名表进行过滤..."
echolog " - 不过滤DNS..."
TUN_DNS=""
;;
dns2socks)
@ -849,7 +849,7 @@ start_dns() {
echolog " - 域名解析:直接使用UDP节点请求DNS($TUN_DNS)"
;;
fake_ip)
TUN_DNS="1.2.3.4"
TUN_DNS="11.1.1.1"
echolog " - 域名解析:使用FakeIP方案..."
;;
custom)
@ -917,26 +917,29 @@ add_dnsmasq() {
if [ "${DNS_MODE}" = "nonuse" ]; then
echolog " - 不对域名进行分流解析"
else
#屏蔽列表
sort -u "${RULES_PATH}/block_host" | gen_dnsmasq_fake_items "0.0.0.0" "${TMP_DNSMASQ_PATH}/00-block_host.conf"
#始终用国内DNS解析节点域名
fwd_dns="${LOCAL_DNS}"
servers=$(uci show "${CONFIG}" | grep ".address=" | cut -d "'" -f 2)
hosts_foreach "servers" host_from_url | grep -v "google.c" | grep '[a-zA-Z]$' | sort -u | gen_dnsmasq_items "vpsiplist,vpsiplist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/00-vpsiplist_host.conf"
hosts_foreach "servers" host_from_url | grep -v "google.c" | grep '[a-zA-Z]$' | sort -u | gen_dnsmasq_items "vpsiplist,vpsiplist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/10-vpsiplist_host.conf"
echolog " - [$?]节点列表中的域名(vpsiplist):${fwd_dns:-默认}"
#始终用国内DNS解析直连(白名单)列表
fwd_dns="${LOCAL_DNS}"
[ -n "$CHINADNS_NG" ] && unset fwd_dns
sort -u "${RULES_PATH}/direct_host" | gen_dnsmasq_items "whitelist,whitelist_6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/01-direct_host.conf"
sort -u "${RULES_PATH}/direct_host" | gen_dnsmasq_items "whitelist,whitelist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/11-direct_host.conf"
echolog " - [$?]域名白名单(whitelist):${fwd_dns:-默认}"
#始终使用远程DNS解析代理(黑名单)列表
if [ "${DNS_MODE}" = "fake_ip" ]; then
sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/99-proxy_host.conf"
sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_fake_items "11.1.1.1" "${TMP_DNSMASQ_PATH}/90-proxy_host.conf"
else
fwd_dns="${TUN_DNS}"
[ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
[ -n "$CHINADNS_NG" ] && unset fwd_dns
sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_items "blacklist,blacklist_6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-proxy_host.conf"
sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_items "blacklist,blacklist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/90-proxy_host.conf"
echolog " - [$?]代理域名表(blacklist):${fwd_dns:-默认}"
fi
@ -946,9 +949,9 @@ add_dnsmasq() {
[ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
for item in $(get_enabled_anonymous_secs "@subscribe_list"); do
if [ "${DNS_MODE}" = "fake_ip" ]; then
host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/99-subscribe.conf"
host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_fake_items "11.1.1.1" "${TMP_DNSMASQ_PATH}/91-subscribe.conf"
else
host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_items "blacklist,blacklist_6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-subscribe.conf"
host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_items "blacklist,blacklist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/91-subscribe.conf"
fi
done
[ "${DNS_MODE}" != "fake_ip" ] && echolog " - [$?]节点订阅域名(blacklist):${fwd_dns:-默认}"
@ -967,9 +970,9 @@ add_dnsmasq() {
local shunt_node=$(config_n_get $shunt_node_id address nil)
[ "$shunt_node" = "nil" ] && continue
if [ "${DNS_MODE}" = "fake_ip" ]; then
config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/998-shunt_host.conf"
config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_fake_items "11.1.1.1" "${TMP_DNSMASQ_PATH}/98-shunt_host.conf"
else
config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_items "shuntlist,shuntlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/998-shunt_host.conf"
config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_items "shuntlist,shuntlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/98-shunt_host.conf"
fi
done
[ "${DNS_MODE}" != "fake_ip" ] && echolog " - [$?]Xray分流规则(shuntlist):${fwd_dns:-默认}"
@ -979,21 +982,21 @@ add_dnsmasq() {
if [ -z "${returnhome}" ]; then
[ ! -f "${TMP_PATH}/gfwlist.txt" ] && sed -n 's/^ipset=\/\.\?\([^/]*\).*$/\1/p' "${RULES_PATH}/gfwlist.conf" | sort -u > "${TMP_PATH}/gfwlist.txt"
if [ "${DNS_MODE}" = "fake_ip" ]; then
sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/999-gfwlist.conf"
sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_fake_items "11.1.1.1" "${TMP_DNSMASQ_PATH}/99-gfwlist.conf"
else
fwd_dns="${TUN_DNS}"
[ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
[ -n "$CHINADNS_NG" ] && unset fwd_dns
sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist,gfwlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/999-gfwlist.conf"
sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist,gfwlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-gfwlist.conf"
echolog " - [$?]防火墙域名表(gfwlist):${fwd_dns:-默认}"
fi
else
#回国模式
if [ "${DNS_MODE}" = "fake_ip" ]; then
sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/02-chinalist_host.conf"
sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_fake_items "11.1.1.1" "${TMP_DNSMASQ_PATH}/10-chinalist_host.conf"
else
fwd_dns="${TUN_DNS}"
sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_items "chnroute,chnroute6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/02-chinalist_host.conf"
sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_items "chnroute,chnroute6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/10-chinalist_host.conf"
echolog " - [$?]中国域名表(chnroute):${fwd_dns:-默认}"
fi
fi
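Review bot: The fake-IP sink `11.1.1.1` is now spelled out in six places in this file (the `TUN_DNS=` assignment in the fake_ip branch of start_dns and five `gen_dnsmasq_fake_items "11.1.1.1"` calls in add_dnsmasq), and the iptables rules in this same commit match on the same literal, so a single `FAKE_IP="11.1.1.1"` next to the other globals, passed as `"${FAKE_IP}"`, is what keeps the dnsmasq answers and the firewall match from drifting apart. The value also deserves a comment: 11.0.0.0/8 is ordinary routable unicast, so a client whose traffic is not caught by the redirect rule (outside the ACL, or after the rules are torn down while the dnsmasq entries remain) sends real packets to that address, whereas a reserved block such as 198.18.0.0/15 (RFC 2544 benchmarking) fails closed. Something like `# FAKE_IP must never be a reachable destination; 198.18.0.0/15 is the conventional choice` above the definition records that even if the value is kept for compatibility. Separately, the new `sort -u "${RULES_PATH}/block_host"` line runs unconditionally while the cbi page only writes that file on first save; unless the package ships an empty block_host (not visible here), an upgraded install logs a sort error on every start, which `[ -f "${RULES_PATH}/block_host" ] && sort -u ...` avoids. Both start_dns and add_dnsmasq begin before their hunks.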
@ -6,19 +6,17 @@ IPSET_SHUNTLIST="shuntlist"
IPSET_GFW="gfwlist"
IPSET_CHN="chnroute"
IPSET_BLACKLIST="blacklist"
IPSET_BLACKLIST2="blacklist2"
IPSET_BLACKLIST3="blacklist3"
IPSET_WHITELIST="whitelist"
IPSET_BLOCKLIST="blocklist"
IPSET_LANIPLIST_6="laniplist6"
IPSET_VPSIPLIST_6="vpsiplist6"
IPSET_SHUNTLIST_6="shuntlist6"
IPSET_LANIPLIST6="laniplist6"
IPSET_VPSIPLIST6="vpsiplist6"
IPSET_SHUNTLIST6="shuntlist6"
IPSET_GFW6="gfwlist6"
IPSET_CHN6="chnroute6"
IPSET_BLACKLIST_6="blacklist_6"
IPSET_BLACKLIST2_6="blacklist2_6"
IPSET_BLACKLIST3_6="blacklist3_6"
IPSET_WHITELIST_6="whitelist_6"
IPSET_BLACKLIST6="blacklist6"
IPSET_WHITELIST6="whitelist6"
IPSET_BLOCKLIST6="blocklist6"
PROXY_IPV6=0
@ -49,6 +47,11 @@ comment() {
echo "-m comment --comment '$name'"
}
destroy_ipset() {
#ipset -q -F $1
ipset -q -X $1
}
RULE_LAST_INDEX() {
[ $# -ge 3 ] || {
echolog "索引列举方式不正确(iptables),终止执行!"
@ -208,14 +211,14 @@ load_acl() {
msg2="${msg2}[$?]除${tcp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -d 1.2.3.4 $(REDIRECT $tcp_port $is_tproxy)
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -d 11.1.1.1 $(REDIRECT $tcp_port $is_tproxy)
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $tcp_port $is_tproxy)
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port $is_tproxy)
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ipt $tcp_proxy_mode $tcp_port $is_tproxy)
if [ "$PROXY_IPV6" == "1" ]; then
$ip6t_m -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST_6) $(REDIRECT $tcp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST_6) $(REDIRECT $tcp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $tcp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $tcp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(get_redirect_ip6t $tcp_proxy_mode $tcp_port TPROXY)
fi
}
@ -235,14 +238,14 @@ load_acl() {
msg2="${msg2}[$?]除${udp_no_redir_ports}外的"
}
msg2="${msg2}所有端口"
$ipt_m -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -d 1.2.3.4 $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -d 11.1.1.1 $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $udp_port TPROXY)
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(get_redirect_ipt $udp_proxy_mode $udp_port TPROXY)
if [ "$PROXY_IPV6" == "1" ]; then
$ip6t_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST_6) $(REDIRECT $udp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST_6) $(REDIRECT $udp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $udp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $udp_port TPROXY)
$ip6t_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $udp_redir_ports "-m multiport --dport") $(get_redirect_ip6t $udp_proxy_mode $udp_port TPROXY)
fi
}
@ -277,14 +280,14 @@ load_acl() {
fi
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${TCP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
$ipt_tmp -A PSW $(comment "默认") -p tcp -d 1.2.3.4 $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp -d 11.1.1.1 $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT $is_tproxy)
if [ "$PROXY_IPV6" == "1" ]; then
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST_6) $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST_6) $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $TCP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $TCP_PROXY_MODE $TCP_REDIR_PORT TPROXY)
fi
@ -306,14 +309,14 @@ load_acl() {
msg="UDP默认代理:使用UDP节点 [$(get_action_chain_name $UDP_PROXY_MODE)](TPROXY:${UDP_REDIR_PORT})代理"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && msg="${msg}除${UDP_NO_REDIR_PORTS}外的"
msg="${msg}所有端口"
$ipt_m -A PSW $(comment "默认") -p udp -d 1.2.3.4 $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp -d 11.1.1.1 $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY)
if [ "$PROXY_IPV6" == "1" ]; then
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST_6) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST_6) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT $UDP_REDIR_PORT TPROXY)
$ip6t_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $UDP_PROXY_MODE $UDP_REDIR_PORT TPROXY)
fi
@ -335,7 +338,7 @@ filter_haproxy() {
filter_vpsip() {
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){0,7}::[a-f0-9]{0,4}(:[a-f0-9]{1,4}){0,7}])" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){0,7}::[a-f0-9]{0,4}(:[a-f0-9]{1,4}){0,7}])" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
echolog "加入所有节点到ipset[$IPSET_VPSIPLIST]直连完成"
}
@ -459,19 +462,17 @@ add_firewall_rule() {
ipset -! create $IPSET_GFW nethash
ipset -! create $IPSET_CHN nethash
ipset -! create $IPSET_BLACKLIST nethash
ipset -! create $IPSET_BLACKLIST2 nethash
ipset -! create $IPSET_BLACKLIST3 nethash
ipset -! create $IPSET_WHITELIST nethash
ipset -! create $IPSET_BLOCKLIST nethash
ipset -! create $IPSET_LANIPLIST_6 nethash family inet6
ipset -! create $IPSET_VPSIPLIST_6 nethash family inet6
ipset -! create $IPSET_SHUNTLIST_6 nethash family inet6
ipset -! create $IPSET_LANIPLIST6 nethash family inet6
ipset -! create $IPSET_VPSIPLIST6 nethash family inet6
ipset -! create $IPSET_SHUNTLIST6 nethash family inet6
ipset -! create $IPSET_GFW6 nethash family inet6
ipset -! create $IPSET_CHN6 nethash family inet6
ipset -! create $IPSET_BLACKLIST_6 nethash family inet6
ipset -! create $IPSET_BLACKLIST2_6 nethash family inet6
ipset -! create $IPSET_BLACKLIST3_6 nethash family inet6
ipset -! create $IPSET_WHITELIST_6 nethash family inet6
ipset -! create $IPSET_BLACKLIST6 nethash family inet6
ipset -! create $IPSET_WHITELIST6 nethash family inet6
ipset -! create $IPSET_BLOCKLIST6 nethash family inet6
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
@ -480,20 +481,18 @@ add_firewall_rule() {
done
for shunt_id in $shunt_ids; do
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
done
cat $RULES_PATH/chnroute | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/proxy_ip | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sed -e "s/^/add $IPSET_BLACKLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
[ -f "$RULES_PATH/proxy_ip2" ] && cat $RULES_PATH/proxy_ip2 | grep -E "(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST2 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
[ -f "$RULES_PATH/proxy_ip3" ] && cat $RULES_PATH/proxy_ip3 | grep -E "(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST3 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/direct_ip | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sed -e "s/^/add $IPSET_WHITELIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/block_ip | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sed -e "s/^/add $IPSET_BLOCKLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/chnroute6 | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/proxy_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
[ -f "$RULES_PATH/proxy_ip2" ] && cat $RULES_PATH/proxy_ip2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST2_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
[ -f "$RULES_PATH/proxy_ip3" ] && cat $RULES_PATH/proxy_ip3 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST3_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/direct_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_WHITELIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/proxy_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/direct_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_WHITELIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
cat $RULES_PATH/block_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLOCKLIST6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
ipset -! -R <<-EOF
$(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
@ -504,7 +503,7 @@ add_firewall_rule() {
}
ipset -! -R <<-EOF
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST_6 /")
$(gen_laniplist_6 | sed -e "s/^/add $IPSET_LANIPLIST6 /")
EOF
# [ $? -eq 0 ] || {
# echolog "系统不兼容IPv6,终止执行!"
@ -525,7 +524,7 @@ add_firewall_rule() {
EOF
[ -n "$lan_ip6" ] && ipset -! -R <<-EOF
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST_6 /")
$(echo $lan_ip6 | sed -e "s/ /\n/g" | sed -e "s/^/add $IPSET_LANIPLIST6 /")
EOF
}
@ -542,7 +541,7 @@ add_firewall_rule() {
[ -n "$ISP_DNS" ] && {
#echolog "处理 ISP IPv6 DNS 例外..."
for ispip6 in $ISP_DNS; do
ipset -! add $IPSET_WHITELIST_6 $ispip6 >/dev/null 2>&1 &
ipset -! add $IPSET_WHITELIST6 $ispip6 >/dev/null 2>&1 &
#echolog " - 追加到白名单:${ispip6}"
|
||||
done
|
||||
}
|
||||
@ -568,12 +567,14 @@ add_firewall_rule() {
|
||||
$ipt_m -A PSW $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_WHITELIST) -j RETURN
|
||||
$ipt_m -A PSW -m mark --mark 0xff -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_BLOCKLIST) -j DROP
|
||||
|
||||
$ipt_m -N PSW_OUTPUT
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST) -j DROP
|
||||
|
||||
ip rule add fwmark 1 lookup 100
|
||||
ip route add local 0.0.0.0/0 dev lo table 100
|
||||
@ -595,17 +596,19 @@ add_firewall_rule() {
|
||||
#$ip6t_n -A OUTPUT -p tcp -j PSW_OUTPUT
|
||||
|
||||
$ip6t_m -N PSW
|
||||
$ip6t_m -A PSW $(dst $IPSET_LANIPLIST_6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_VPSIPLIST_6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_WHITELIST_6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_WHITELIST6) -j RETURN
|
||||
$ip6t_m -A PSW -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_BLOCKLIST6) -j DROP
|
||||
$ip6t_m -A PREROUTING -j PSW
|
||||
|
||||
$ip6t_m -N PSW_OUTPUT
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST_6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST_6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST_6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LANIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPSIPLIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITELIST6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCKLIST6) -j DROP
|
||||
$ip6t_m -A OUTPUT -j PSW_OUTPUT
|
||||
|
||||
ip -6 rule add fwmark 1 table 100
|
||||
@ -644,17 +647,19 @@ add_firewall_rule() {
|
||||
$ipt_tmp -A OUTPUT -p tcp -j PSW_OUTPUT
|
||||
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --sport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp -m multiport --sport $TCP_NO_REDIR_PORTS -j RETURN
|
||||
echolog " - [$?]不代理TCP 端口:$TCP_NO_REDIR_PORTS"
|
||||
}
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp -d 1.2.3.4 $blist_r
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp -d 11.1.1.1 $blist_r
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $blist_r
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $blist_r
|
||||
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $p_r
|
||||
|
||||
if [ "$PROXY_IPV6" == "1" ]; then
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST_6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST_6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_TCP_PROXY_MODE 1 MARK)
|
||||
fi
|
||||
fi
|
||||
@ -737,17 +742,19 @@ add_firewall_rule() {
|
||||
$ipt_m -A OUTPUT -p udp -j PSW_OUTPUT
|
||||
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
|
||||
$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -p udp -m multiport --sport $UDP_NO_REDIR_PORTS -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT -p udp -m multiport --sport $UDP_NO_REDIR_PORTS -j RETURN
|
||||
echolog " - [$?]不代理 UDP 端口:$UDP_NO_REDIR_PORTS"
|
||||
}
|
||||
$ipt_m -A PSW_OUTPUT -p udp -d 1.2.3.4 $(REDIRECT 1 MARK)
|
||||
$ipt_m -A PSW_OUTPUT -p udp -d 11.1.1.1 $(REDIRECT 1 MARK)
|
||||
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST) $(REDIRECT 1 MARK)
|
||||
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT 1 MARK)
|
||||
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE 1 MARK)
|
||||
|
||||
if [ "$PROXY_IPV6" == "1" ]; then
|
||||
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST_6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST_6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_SHUNTLIST6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST6) $(REDIRECT 1 MARK)
|
||||
$ip6t_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ip6t $LOCALHOST_UDP_PROXY_MODE 1 MARK)
|
||||
fi
|
||||
fi
|
||||
@ -774,12 +781,11 @@ del_firewall_rule() {
|
||||
$ipt_m -D OUTPUT -p tcp -j PSW_OUTPUT 2>/dev/null
|
||||
$ipt_m -D OUTPUT -p udp -j PSW_OUTPUT 2>/dev/null
|
||||
|
||||
$ip6t_n -D PREROUTING -j PSW 2>/dev/null
|
||||
$ip6t_n -D OUTPUT -p tcp -j PSW_OUTPUT 2>/dev/null
|
||||
#$ip6t_n -D PREROUTING -j PSW 2>/dev/null
|
||||
#$ip6t_n -D OUTPUT -p tcp -j PSW_OUTPUT 2>/dev/null
|
||||
|
||||
$ip6t_m -D PREROUTING -j PSW 2>/dev/null
|
||||
$ip6t_m -D OUTPUT -p tcp -j PSW_OUTPUT 2>/dev/null
|
||||
$ip6t_m -D OUTPUT -p udp -j PSW_OUTPUT 2>/dev/null
|
||||
$ip6t_m -D OUTPUT -j PSW_OUTPUT 2>/dev/null
|
||||
|
||||
ib_nat_exist=$(expr $ib_nat_exist - 1)
|
||||
done
|
||||
@ -789,8 +795,8 @@ del_firewall_rule() {
|
||||
$ipt_n -F PSW_OUTPUT 2>/dev/null && $ipt_n -X PSW_OUTPUT 2>/dev/null
|
||||
$ipt_m -F PSW 2>/dev/null && $ipt_m -X PSW 2>/dev/null
|
||||
$ipt_m -F PSW_OUTPUT 2>/dev/null && $ipt_m -X PSW_OUTPUT 2>/dev/null
|
||||
$ip6t_n -F PSW 2>/dev/null && $ip6t_n -X PSW 2>/dev/null
|
||||
$ip6t_n -F PSW_OUTPUT 2>/dev/null && $ip6t_n -X PSW_OUTPUT 2>/dev/null
|
||||
#$ip6t_n -F PSW 2>/dev/null && $ip6t_n -X PSW 2>/dev/null
|
||||
#$ip6t_n -F PSW_OUTPUT 2>/dev/null && $ip6t_n -X PSW_OUTPUT 2>/dev/null
|
||||
$ip6t_m -F PSW 2>/dev/null && $ip6t_m -X PSW 2>/dev/null
|
||||
$ip6t_m -F PSW_OUTPUT 2>/dev/null && $ip6t_m -X PSW_OUTPUT 2>/dev/null
|
||||
|
||||
@ -799,50 +805,47 @@ del_firewall_rule() {
|
||||
|
||||
ip -6 rule del fwmark 1 table 100 2>/dev/null
|
||||
ip -6 route del local ::/0 dev lo table 100 2>/dev/null
|
||||
|
||||
ipset -F $IPSET_LANIPLIST >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_SHUNTLIST >/dev/null 2>&1 && ipset -X $IPSET_SHUNTLIST >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_GFW >/dev/null 2>&1 && ipset -X $IPSET_GFW >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_CHN >/dev/null 2>&1 && ipset -X $IPSET_CHN >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_BLACKLIST >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_BLACKLIST2 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST2 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_BLACKLIST3 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST3 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_WHITELIST >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST >/dev/null 2>&1 &
|
||||
|
||||
ipset -F $IPSET_LANIPLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_VPSIPLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST_6 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_SHUNTLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_SHUNTLIST_6 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_GFW6 >/dev/null 2>&1 && ipset -X $IPSET_GFW6 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_CHN6 >/dev/null 2>&1 && ipset -X $IPSET_CHN6 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_BLACKLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST_6 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_BLACKLIST2_6 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST2_6 >/dev/null 2>&1 &
|
||||
#ipset -F $IPSET_BLACKLIST3_6 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST3_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_WHITELIST_6 >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST_6 >/dev/null 2>&1 &
|
||||
|
||||
|
||||
destroy_ipset $IPSET_LANIPLIST
|
||||
destroy_ipset $IPSET_VPSIPLIST
|
||||
#destroy_ipset $IPSET_SHUNTLIST
|
||||
#destroy_ipset $IPSET_GFW
|
||||
#destroy_ipset $IPSET_CHN
|
||||
#destroy_ipset $IPSET_BLACKLIST
|
||||
destroy_ipset $IPSET_BLOCKLIST
|
||||
destroy_ipset $IPSET_WHITELIST
|
||||
|
||||
destroy_ipset $IPSET_LANIPLIST6
|
||||
destroy_ipset $IPSET_VPSIPLIST6
|
||||
#destroy_ipset $IPSET_SHUNTLIST6
|
||||
#destroy_ipset $IPSET_GFW6
|
||||
#destroy_ipset $IPSET_CHN6
|
||||
#destroy_ipset $IPSET_BLACKLIST6
|
||||
destroy_ipset $IPSET_BLOCKLIST6
|
||||
destroy_ipset $IPSET_WHITELIST6
|
||||
|
||||
echolog "删除相关防火墙规则完成。"
|
||||
}
|
||||
|
||||
flush_ipset() {
|
||||
ipset -F $IPSET_LANIPLIST >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_VPSIPLIST >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_SHUNTLIST >/dev/null 2>&1 && ipset -X $IPSET_SHUNTLIST >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_GFW >/dev/null 2>&1 && ipset -X $IPSET_GFW >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_CHN >/dev/null 2>&1 && ipset -X $IPSET_CHN >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_BLACKLIST >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_BLACKLIST2 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST2 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_BLACKLIST3 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST3 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_WHITELIST >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST >/dev/null 2>&1 &
|
||||
|
||||
ipset -F $IPSET_LANIPLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_LANIPLIST_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_VPSIPLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_VPSIPLIST_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_SHUNTLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_SHUNTLIST_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_GFW6 >/dev/null 2>&1 && ipset -X $IPSET_GFW6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_CHN6 >/dev/null 2>&1 && ipset -X $IPSET_CHN6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_BLACKLIST_6 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_BLACKLIST2_6 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST2_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_BLACKLIST3_6 >/dev/null 2>&1 && ipset -X $IPSET_BLACKLIST3_6 >/dev/null 2>&1 &
|
||||
ipset -F $IPSET_WHITELIST_6 >/dev/null 2>&1 && ipset -X $IPSET_WHITELIST_6 >/dev/null 2>&1 &
|
||||
destroy_ipset $IPSET_LANIPLIST
|
||||
destroy_ipset $IPSET_VPSIPLIST
|
||||
destroy_ipset $IPSET_SHUNTLIST
|
||||
destroy_ipset $IPSET_GFW
|
||||
destroy_ipset $IPSET_CHN
|
||||
destroy_ipset $IPSET_BLACKLIST
|
||||
destroy_ipset $IPSET_BLOCKLIST
|
||||
destroy_ipset $IPSET_WHITELIST
|
||||
|
||||
destroy_ipset $IPSET_LANIPLIST6
|
||||
destroy_ipset $IPSET_VPSIPLIST6
|
||||
destroy_ipset $IPSET_SHUNTLIST6
|
||||
destroy_ipset $IPSET_GFW6
|
||||
destroy_ipset $IPSET_CHN6
|
||||
destroy_ipset $IPSET_BLACKLIST6
|
||||
destroy_ipset $IPSET_BLOCKLIST6
|
||||
destroy_ipset $IPSET_WHITELIST6
|
||||
/etc/init.d/passwall reload
|
||||
}
|
||||
|
||||
flush_include() {
|
||||
|
@ -65,7 +65,7 @@ do
|
||||
|
||||
#dns
|
||||
dns_mode=$(config_t_get global dns_mode)
|
||||
if [ "$dns_mode" != "nonuse" ] && [ "$dns_mode" != "custom" ] && [ "$dns_mode" != "fake_ip" ]; then
|
||||
if [ "$dns_mode" == "pdnsd" ] || [ "$dns_mode" == "dns2socks" ] || [ "$dns_mode" == "xray_doh" ]; then
|
||||
icount=$(netstat -apn | grep 7913 | wc -l)
|
||||
if [ $icount = 0 ]; then
|
||||
/etc/init.d/$CONFIG restart
|
||||
|
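Review bot: The liveness probe `icount=$(netstat -apn | grep 7913 | wc -l)` matches the bare string 7913 anywhere in the netstat output — a PID, an inode, a remote port or a local port such as 17913 — so a dead DNS listener can be reported as alive and the `/etc/init.d/$CONFIG restart` below is never reached. Anchoring on the local-address column is a one-line change: `icount=$(netstat -apn | grep -c ':7913 ')`. The test on the next line should also quote the variable, `if [ "$icount" = 0 ]; then`, so an empty result cannot turn into a `[` syntax error that silently skips the restart. The enclosing `do` loop and both `if` blocks continue outside the hunk.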
@ -451,6 +451,6 @@ luci.sys.call("uci commit " .. name)
|
||||
|
||||
if reboot == 1 then
|
||||
log("重启服务,应用新的规则。")
|
||||
luci.sys.call("/usr/share/" .. name .. "/iptables.sh flush_ipset && /etc/init.d/" .. name .. " restart")
|
||||
luci.sys.call("/usr/share/" .. name .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")
|
||||
end
|
||||
log("规则更新完毕...")
|
||||
|
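Review bot: The new `luci.sys.call("/usr/share/" .. name .. "/iptables.sh flush_ipset > /dev/null 2>&1 &")` detaches the flush and discards its output and exit status, so the `log("规则更新完毕...")` that follows is written before the ipsets have actually been rebuilt and a failing flush leaves no trace in the log. If running it asynchronously is intentional, say so next to the call — `-- flush_ipset runs detached; its completion and errors are not reported here` — otherwise drop the trailing `&` and check the result: `if luci.sys.call("/usr/share/" .. name .. "/iptables.sh flush_ipset > /dev/null 2>&1") ~= 0 then log("flush_ipset failed") end`. Which of the two printed call lines is the added one is inferred, since the rendered hunk lost its +/- markers. `reboot`, `name` and `log` are defined outside the hunk.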
@ -3951,7 +3951,6 @@
|
||||
103.144.66.0/23
|
||||
103.144.70.0/23
|
||||
103.144.72.0/23
|
||||
103.144.88.0/24
|
||||
103.144.108.0/23
|
||||
103.144.136.0/23
|
||||
103.144.148.0/23
|
||||
@ -3986,7 +3985,6 @@
|
||||
103.147.124.0/23
|
||||
103.147.198.0/23
|
||||
103.147.206.0/23
|
||||
103.147.211.0/24
|
||||
103.148.174.0/23
|
||||
103.149.6.0/23
|
||||
103.149.17.0/24
|
||||
@ -4129,6 +4127,10 @@
|
||||
103.162.32.0/23
|
||||
103.162.38.0/23
|
||||
103.162.116.0/23
|
||||
103.163.28.0/23
|
||||
103.163.32.0/23
|
||||
103.163.46.0/23
|
||||
103.163.74.0/23
|
||||
103.192.0.0/22
|
||||
103.192.4.0/22
|
||||
103.192.8.0/22
|
||||
|
@ -27,7 +27,6 @@
|
||||
2001:df0:4500::/48
|
||||
2001:df0:5d00::/48
|
||||
2001:df0:5d01::/48
|
||||
2001:df0:5d80::/48
|
||||
2001:df0:9a00::/48
|
||||
2001:df0:b180::/48
|
||||
2001:df0:bf80::/48
|
||||
@ -41,7 +40,6 @@
|
||||
2001:df1:6b80::/48
|
||||
2001:df1:8b00::/48
|
||||
2001:df1:a100::/48
|
||||
2001:df1:b980::/48
|
||||
2001:df1:bd80::/48
|
||||
2001:df1:c900::/48
|
||||
2001:df1:d100::/48
|
||||
@ -1775,6 +1773,8 @@
|
||||
2407:1e80::/32
|
||||
2407:2280::/32
|
||||
2407:2380::/32
|
||||
2407:23c0::/32
|
||||
2407:2440::/32
|
||||
2407:2780::/32
|
||||
2407:3700::/32
|
||||
2407:3900::/32
|
||||
|
@ -0,0 +1,8 @@
|
||||
googleapis.cn
|
||||
googleapis.com
|
||||
xn--ngstr-lra8j.com
|
||||
v2ex.com
|
||||
gstatic.com
|
||||
google.com.tw
|
||||
google.com.hk
|
||||
github.com
|