From 6c6f6049eb6a27948be27f77fed20dac309f5830 Mon Sep 17 00:00:00 2001
From: ShanStone <31815718+ShanStone@users.noreply.github.com>
Date: Tue, 16 Feb 2021 14:33:44 +0800
Subject: [PATCH] luci-app-passwall: sync with upstream source
Co-authored-by: xiaorouji <60100640+xiaorouji@users.noreply.github.com>
Signed-off-by: CN_SZTL
---
 .../model/cbi/passwall/client/global.lua | 1 +
 .../root/usr/share/passwall/app.sh | 90 ++++++++++++++-----
 .../root/usr/share/passwall/iptables.sh | 14 +-
 .../root/usr/share/passwall/monitor.sh | 2 +-
 .../root/usr/share/passwall/rule_update.lua | 1 +
 5 files changed, 77 insertions(+), 31 deletions(-)
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
index 3e7b721cbf..2cfab4bd10 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
@@ -198,6 +198,7 @@ o:depends("up_china_dns", "xray_doh")
 o = s:taboption("DNS", ListValue, "dns_mode", translate("Filter Mode"))
 o.rmempty = false
 o:reset_values()
+o:value("fake_ip", translatef("Fake IP"))
 if api.is_finded("pdnsd") then
 o:value("pdnsd", "pdnsd " .. translatef("Requery DNS By %s", translate("TCP Node")))
 end
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
index 607a584b19..9cfca3ff48 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
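Review bot: The new `o:value("fake_ip", translatef("Fake IP"))` line calls translatef with no format arguments, whereas the pdnsd line below uses translatef only because it has a `%s` to fill; for a plain label the consistent call is `o:value("fake_ip", translate("Fake IP"))`. The mode is also added without any description, and from the other files in this patch it behaves quite differently from the resolver-based modes (proxied names are answered with a fixed placeholder address and firewall rules redirect traffic to that address), so a one-line description on the option stating that the mode only works while those firewall rules are loaded would help a user choose it knowingly. `s` and `o` are defined outside the hunk.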
@@ -211,6 +211,26 @@ gen_dnsmasq_items() {
 '
 }
+gen_dnsmasq_fake_items() {
+ local fwd_dns="1.2.3.4"
+ local outf=${1}; shift 1
+
+ awk -v fwd_dns="${fwd_dns}" -v outf="${outf}" '
+ BEGIN {
+ if(outf == "") outf="/dev/stdout";
+ split(fwd_dns, dns, ","); setdns=length(dns)>0;
+ if(setdns) for(i in dns) if(length(dns[i])==0) delete dns[i];
+ fail=1;
+ }
+ ! /^$/&&!/^#/ {
+ fail=0
+ if(! setdns) {printf("address=%s\n", $0) >>outf; next;}
+ if(setdns) for(i in dns) printf("address=/.%s/%s\n", $0, dns[i]) >>outf;
+ }
+ END {fflush(outf); close(outf); exit(fail);}
+ '
+}
+
 check_port_exists() {
 port=$1
 protocol=$2
@@ -841,14 +861,18 @@ start_dns() {
 TUN_DNS=${DNS_FORWARD}
 echolog " - 域名解析:直接使用UDP节点请求DNS($TUN_DNS)"
 ;;
+fake_ip)
+ TUN_DNS="1.2.3.4"
+ echolog " - 域名解析:使用FakeIP方案..."
+ ;;
 custom)
 custom_dns=$(config_t_get global custom_dns)
 TUN_DNS="$(echo ${custom_dns} | sed 's/:/#/g')"
- echolog " - 域名解析:直接使用UDP协议自定义DNS($TUN_DNS)解析..."
+ echolog " - 域名解析:使用UDP协议自定义DNS($TUN_DNS)解析..."
 ;;
 esac
- [ -n "$chnlist" ] && [ "$DNS_MODE" != "custom" ] && {
+ [ -n "$chnlist" ] && [ "$DNS_MODE" != "custom" ] && [ "$DNS_MODE" != "fake_ip" ] && {
 [ -f "${RULES_PATH}/chnlist" ] && cp -a "${RULES_PATH}/chnlist" "${TMP_PATH}/chnlist"
 [ -n "$(first_type chinadns-ng)" ] && {
 echolog "发现ChinaDNS-NG,将启动。"
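Review bot: `local fwd_dns="1.2.3.4"` hard-codes the placeholder address inside gen_dnsmasq_fake_items, so the `split`/`delete dns[i]`/`if(! setdns)` logic carried over from gen_dnsmasq_items can never take another path and is dead code here; either accept the address as a parameter (`local fwd_dns=${2:-1.2.3.4}`) or reduce the awk program to the single `address=/.%s/%s` case. The same literal is repeated as `TUN_DNS="1.2.3.4"` in the start_dns hunk below and twice in iptables.sh (`@@ -638` and `@@ -730`); if any copy drifts, dnsmasq answers proxied names with an address the firewall no longer redirects and clients send that traffic directly to the real host, so one `FAKE_IP` variable shared by app.sh and iptables.sh would keep the answer and the redirect in step. 1.2.3.4 is a globally routable address, which turns that drift into a genuine leak; an address from a reserved range (for example the RFC 2544 benchmarking block 198.18.0.0/15) would fail closed instead. In the start_dns hunk TUN_DNS is set to the placeholder although nothing in this patch starts a resolver at that address, so a comment such as `# fake_ip: no upstream resolver, TUN_DNS is only a placeholder` would stop the next reader from treating it as a real DNS server. Both hunks lie inside functions whose bodies continue outside the hunk.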
@@ -909,31 +933,38 @@ add_dnsmasq() {
 #始终用国内DNS解析节点域名
 fwd_dns="${LOCAL_DNS}"
 servers=$(uci show "${CONFIG}" | grep ".address=" | cut -d "'" -f 2)
- hosts_foreach "servers" host_from_url | grep -v "google.c" | grep '[a-zA-Z]$' | sort -u | gen_dnsmasq_items "vpsiplist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/00-vpsiplist_host.conf"
+ hosts_foreach "servers" host_from_url | grep -v "google.c" | grep '[a-zA-Z]$' | sort -u | gen_dnsmasq_items "vpsiplist,vpsiplist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/00-vpsiplist_host.conf"
 echolog " - [$?]节点列表中的域名(vpsiplist):${fwd_dns:-默认}"
 #始终用国内DNS解析直连(白名单)列表
 fwd_dns="${LOCAL_DNS}"
 [ -n "$CHINADNS_NG" ] && unset fwd_dns
- sort -u "${RULES_PATH}/direct_host" | gen_dnsmasq_items "whitelist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/01-direct_host.conf"
+ sort -u "${RULES_PATH}/direct_host" | gen_dnsmasq_items "whitelist,whitelist_6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/01-direct_host.conf"
 echolog " - [$?]域名白名单(whitelist):${fwd_dns:-默认}"
 #始终使用远程DNS解析代理(黑名单)列表
- fwd_dns="${TUN_DNS}"
- [ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
- [ -n "$CHINADNS_NG" ] && unset fwd_dns
- sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_items "blacklist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-proxy_host.conf"
- echolog " - [$?]代理域名表(blacklist):${fwd_dns:-默认}"
+ if [ "${DNS_MODE}" = "fake_ip" ]; then
+ sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/99-proxy_host.conf"
+ else
+ fwd_dns="${TUN_DNS}"
+ [ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
+ [ -n "$CHINADNS_NG" ] && unset fwd_dns
+ sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_items "blacklist,blacklist_6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-proxy_host.conf"
+ echolog " - [$?]代理域名表(blacklist):${fwd_dns:-默认}"
+ fi
 #如果开启了通过代理订阅
 [ "$(config_t_get global_subscribe subscribe_proxy 0)" = "1" ] && {
 fwd_dns="${TUN_DNS}"
 [ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
- items=$(get_enabled_anonymous_secs "@subscribe_list")
- for item in ${items}; do
- host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_items "blacklist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-subscribe.conf"
+ for item in $(get_enabled_anonymous_secs "@subscribe_list"); do
+ if [ "${DNS_MODE}" = "fake_ip" ]; then
+ host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/99-subscribe.conf"
+ else
+ host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_items "blacklist,blacklist_6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/99-subscribe.conf"
+ fi
 done
- echolog " - [$?]节点订阅域名(blacklist):${fwd_dns:-默认}"
+ [ "${DNS_MODE}" != "fake_ip" ] && echolog " - [$?]节点订阅域名(blacklist):${fwd_dns:-默认}"
 }
 #分流规则
@@ -948,25 +979,36 @@ add_dnsmasq() {
 fi
 local shunt_node=$(config_n_get $shunt_node_id address nil)
 [ "$shunt_node" = "nil" ] && continue
- config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_items "shuntlist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/998-shunt_host.conf"
+ if [ "${DNS_MODE}" = "fake_ip" ]; then
+ config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/998-shunt_host.conf"
+ else
+ config_n_get $shunt_id domain_list | grep -v 'regexp:\|geosite:\|ext:' | sed 's/domain:\|full:\|//g' | tr -s "\r\n" "\n" | sort -u | gen_dnsmasq_items "shuntlist,shuntlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/998-shunt_host.conf"
+ fi
 done
- echolog " - [$?]Xray分流规则(shuntlist):${fwd_dns:-默认}"
+ [ "${DNS_MODE}" != "fake_ip" ] && echolog " - [$?]Xray分流规则(shuntlist):${fwd_dns:-默认}"
 }
 #如果没有使用回国模式
 if [ -z "${returnhome}" ]; then
- fwd_dns="${TUN_DNS}"
- [ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
- [ -n "$CHINADNS_NG" ] && unset fwd_dns
 [ ! -f "${TMP_PATH}/gfwlist.txt" ] && sed -n 's/^ipset=\/\.\?\([^/]*\).*$/\1/p' "${RULES_PATH}/gfwlist.conf" | sort -u > "${TMP_PATH}/gfwlist.txt"
- #sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/999-gfwlist.conf"
- sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist,gfwlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/999-gfwlist.conf"
- echolog " - [$?]防火墙域名表(gfwlist):${fwd_dns:-默认}"
+ if [ "${DNS_MODE}" = "fake_ip" ]; then
+ sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/999-gfwlist.conf"
+ else
+ fwd_dns="${TUN_DNS}"
+ [ -n "$CHINADNS_NG" ] && fwd_dns="${china_ng_gfw}"
+ [ -n "$CHINADNS_NG" ] && unset fwd_dns
+ sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist,gfwlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/999-gfwlist.conf"
+ echolog " - [$?]防火墙域名表(gfwlist):${fwd_dns:-默认}"
+ fi
 else
 #回国模式
- fwd_dns="${TUN_DNS}"
- sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_items "chnroute" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/02-chinalist_host.conf"
- echolog " - [$?]中国域名表(chnroute):${fwd_dns:-默认}"
+ if [ "${DNS_MODE}" = "fake_ip" ]; then
+ sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_fake_items "${TMP_DNSMASQ_PATH}/02-chinalist_host.conf"
+ else
+ fwd_dns="${TUN_DNS}"
+ sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_items "chnroute,chnroute6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/02-chinalist_host.conf"
+ echolog " - [$?]中国域名表(chnroute):${fwd_dns:-默认}"
+ fi
 fi
 fi
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
index b500628a8d..c14fd0826c 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -476,7 +476,7 @@ add_firewall_rule() {
 done
 for shunt_id in $shunt_ids; do
- config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{0,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ config_n_get $shunt_id ip_list | tr -s "\r\n" "\n" | sed -e "/^$/d" | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "s/^/add $IPSET_SHUNTLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 done
 cat $RULES_PATH/chnroute | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
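Review bot: The tightened filter `grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}"` is still an unanchored substring match, so it accepts any line containing a hex group followed by a colon — an IPv4 `host:port` entry such as 1.1.1.1:53 still matches on `1:5` — and it now rejects addresses that begin with `::` (`::1`, the `::ffff:` mapped form), which the `{0,4}` version accepted; the same expression is changed in the `@@ -486` and `@@ -534` hunks. If the goal is to feed only IPv6 entries to the v6 ipsets, anchoring the pattern to the whole line with an optional prefix length (`^` … `(/[0-9]{1,3})?$`) or dropping lines that contain a dot before this grep is more robust than adjusting the repetition count, since as far as I recall `ipset -R` stops at the first malformed line and a bad entry that slips through costs every entry after it. In the `@@ -534` hunk the recomputed `ISP_DNS6` is not read by the lines that follow it in the hunk — the guard and loop still use `$ISP_DNS` (`[ -n "$ISP_DNS" ] && { … for ispip6 in $ISP_DNS`) — so either the value is consumed further down outside the hunk or the loop was meant to iterate `$ISP_DNS6`; worth confirming. add_firewall_rule continues outside the hunk.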
@@ -486,10 +486,10 @@ add_firewall_rule() {
 cat $RULES_PATH/direct_ip | sed -e "/^$/d" | grep -E "(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sed -e "s/^/add $IPSET_WHITELIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 cat $RULES_PATH/chnroute6 | sed -e "/^$/d" | sed -e "s/^/add $IPSET_CHN6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- cat $RULES_PATH/proxy_ip | grep -E "([A-Fa-f0-9]{0,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- [ -f "$RULES_PATH/proxy_ip2" ] && cat $RULES_PATH/proxy_ip2 | grep -E "([A-Fa-f0-9]{0,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST2_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- [ -f "$RULES_PATH/proxy_ip3" ] && cat $RULES_PATH/proxy_ip3 | grep -E "([A-Fa-f0-9]{0,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST3_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- cat $RULES_PATH/direct_ip | grep -E "([A-Fa-f0-9]{0,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_WHITELIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ cat $RULES_PATH/proxy_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ [ -f "$RULES_PATH/proxy_ip2" ] && cat $RULES_PATH/proxy_ip2 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST2_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ [ -f "$RULES_PATH/proxy_ip3" ] && cat $RULES_PATH/proxy_ip3 | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_BLACKLIST3_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
+ cat $RULES_PATH/direct_ip | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_WHITELIST_6 &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
 ipset -! -R <<-EOF
 $(gen_laniplist | sed -e "s/^/add $IPSET_LANIPLIST /")
@@ -534,7 +534,7 @@ add_firewall_rule() {
 done
 }
- local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{0,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u )
+ local ISP_DNS6=$(cat $RESOLVFILE 2>/dev/null | grep -E "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk -F % '{print $1}' | awk -F " " '{print $2}'| sort -u )
 [ -n "$ISP_DNS" ] && {
 #echolog "处理 ISP IPv6 DNS 例外..."
 for ispip6 in $ISP_DNS; do
@@ -638,6 +638,7 @@ add_firewall_rule() {
 }
 [ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53
 $ipt_tmp -A OUTPUT -p tcp -j PSW_OUTPUT
+ $ipt_tmp -I PSW_OUTPUT -p tcp -d 1.2.3.4 $blist_r
 [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
 $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
 $ip6t_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
@@ -730,6 +731,7 @@ add_firewall_rule() {
 }
 [ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53
 $ipt_m -A OUTPUT -p udp -j PSW_OUTPUT
+ $ipt_m -I PSW_OUTPUT -p udp -d 1.2.3.4 $(REDIRECT 1 MARK)
 [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
 $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
 $ip6t_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/monitor.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/monitor.sh
index 991dc28752..d5499a9d95 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/monitor.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/monitor.sh
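Review bot: `$ipt_tmp -I PSW_OUTPUT -p tcp -d 1.2.3.4 $blist_r` is added unconditionally, so the redirect for the placeholder address is installed in every DNS mode rather than only when fake_ip is selected, and the UDP counterpart in `@@ -730` (`$ipt_m -I PSW_OUTPUT -p udp -d 1.2.3.4 $(REDIRECT 1 MARK)`) has the same gap; in the other modes any genuine traffic to that public host is silently pushed into the proxy. Gate both on the mode, e.g. `[ "$DNS_MODE" = "fake_ip" ] && $ipt_tmp -I PSW_OUTPUT -p tcp -d 1.2.3.4 $blist_r` (using whatever name iptables.sh has for the mode; app.sh calls it `DNS_MODE`). `-I` places the rule at the head of PSW_OUTPUT, ahead of the `TCP_NO_REDIR_PORTS` RETURN rules appended just below, so excluded ports are still redirected when the destination is the placeholder; if that is intended, a comment saying so would save the next reader a trip through the chain. Only the OUTPUT chain (router-local traffic) is visible in this hunk; whether LAN clients' traffic to the placeholder address gets the same rule in the PREROUTING path is not shown here. add_firewall_rule continues outside the hunk.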
@@ -65,7 +65,7 @@ do
 #dns
 dns_mode=$(config_t_get global dns_mode)
- if [ "$dns_mode" != "nonuse" ] && [ "$dns_mode" != "custom" ]; then
+ if [ "$dns_mode" != "nonuse" ] && [ "$dns_mode" != "custom" ] && [ "$dns_mode" != "fake_ip" ]; then
 icount=$(netstat -apn | grep 7913 | wc -l)
 if [ $icount = 0 ]; then
 /etc/init.d/$CONFIG restart
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/rule_update.lua b/package/lienol/luci-app-passwall/root/usr/share/passwall/rule_update.lua
index 5f671bdcee..977fd0b65d 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/rule_update.lua
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/rule_update.lua
@@ -195,6 +195,7 @@ local function fetch_chnlist()
 end
 else
 sret = 0
+ log("chnlist 第"..k.."条规则:"..v.."下载失败!")
 end
 os.remove("/tmp/chnlist_dl"..k)
 end
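Review bot: The set of modes that the monitor must not restart is now kept in two places — this `[ "$dns_mode" != "fake_ip" ]` test and the `[ "$DNS_MODE" != "custom" ] && [ "$DNS_MODE" != "fake_ip" ]` test in the app.sh start_dns hunk — with nothing stating why these three are exempt, so the next mode added is likely to land in only one of them. A comment on the changed line, `# nonuse/custom/fake_ip appear to start no local resolver on 7913, so there is nothing to watch`, records the reason; hedged because this file alone does not show what each mode starts. While here, the `grep 7913` in the context line below matches any netstat line containing those digits (a PID or a remote port as well as the listener), which can keep a dead resolver from being restarted; that is pre-existing and not part of this change. The enclosing loop starts before the hunk.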