luci-app-passwall: bump tp 3.9-51

2025-01-10 11:09:57 +08:00 · 2020-09-04 14:53:17 +08:00 · 2020-09-04 14:53:17 +08:00 · bcf99f9b8a
commit bcf99f9b8a
parent 161ba3115f
9 changed files with 240 additions and 69 deletions
--- a/package/lienol/luci-app-passwall/Makefile
+++ b/package/lienol/luci-app-passwall/Makefile
@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-passwall
 PKG_VERSION:=3.9
-PKG_RELEASE:=43
-PKG_DATE:=20200825
+PKG_RELEASE:=51
+PKG_DATE:=20200903

 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)

@ -65,6 +65,10 @@ config PACKAGE_$(PKG_NAME)_INCLUDE_pdnsd
 	bool "Include pdnsd"
 	default y
 	
+config PACKAGE_$(PKG_NAME)_INCLUDE_https_dns_proxy
+	bool "Include Https DNS Proxy(DoH)"
+	default y
+	
 config PACKAGE_$(PKG_NAME)_INCLUDE_dns2socks
 	bool "Include dns2socks"
 	default y
@ -101,6 +105,7 @@ define Package/$(PKG_NAME)
  +PACKAGE_$(PKG_NAME)_INCLUDE_haproxy:haproxy \
  +PACKAGE_$(PKG_NAME)_INCLUDE_ChinaDNS_NG:chinadns-ng \
  +PACKAGE_$(PKG_NAME)_INCLUDE_pdnsd:pdnsd-alt \
+  +PACKAGE_$(PKG_NAME)_INCLUDE_https_dns_proxy:https-dns-proxy \
  +PACKAGE_$(PKG_NAME)_INCLUDE_dns2socks:dns2socks \
  +PACKAGE_$(PKG_NAME)_INCLUDE_v2ray-plugin:v2ray-plugin \
  +PACKAGE_$(PKG_NAME)_INCLUDE_simple-obfs:simple-obfs
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_naiveproxy.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_naiveproxy.lua
@ -0,0 +1,14 @@
+local ucursor = require "luci.model.uci".cursor()
+local jsonc = require "luci.jsonc"
+local node_section = arg[1]
+local run_type = arg[2]
+local local_addr = arg[3]
+local local_port = arg[4]
+local node = ucursor:get_all("passwall", node_section)
+
+local config = {
+    listen = run_type .. "://" .. local_addr .. ":" .. local_port,
+    proxy = node.protocol .. "://" .. node.username .. ":" .. node.password .. "@" .. node.address .. ":" .. node.port
+}
+
+print(jsonc.stringify(config, 1))
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua
@ -88,8 +88,9 @@ for i = 1, udp_node_num, 1 do
        o = s:taboption("Main", ListValue, "udp_node" .. i, translate("UDP Node"))
        o.description = translate("For proxy game network, DNS hijack etc.") .. translate(" The selected server will not use Kcptun.")
        o:value("nil", translate("Close"))
-        o:value("tcp", translate("Same as the tcp node"))
-        o:value("tcp_", translate("Same as the tcp node") .. "（" .. translate("New process") .. "）")
+        o:value("tcp_", translate("Same as the tcp node"))
+        --o:value("tcp", translate("Same as the tcp node"))
+        --o:value("tcp_", translate("Same as the tcp node") .. "（" .. translate("New process") .. "）")
    else
        o = s:taboption("Main", ListValue, "udp_node" .. i,
                     translate("UDP Node") .. " " .. i)
@ -101,9 +102,12 @@ end
 s:tab("DNS", translate("DNS"))

 o = s:taboption("DNS", Value, "up_china_dns", translate("Resolver For Local/WhiteList Domains") .. "(UDP)")
-o.description = translate("IP:Port mode acceptable, multi value split with english comma.")
+o.description = translate("IP:Port mode acceptable, multi value split with english comma.") .. "<br />" .. translate("When the selection is not the default, this DNS is forced to be set to dnsmasq upstream DNS.")
 o.default = "default"
 o:value("default", translate("Default"))
+if api.is_finded("https-dns-proxy") then
+    o:value("https-dns-proxy", "https-dns-proxy(DoH)")
+end
 o:value("223.5.5.5", "223.5.5.5 (" .. translate("Ali") .. "DNS)")
 o:value("223.6.6.6", "223.6.6.6 (" .. translate("Ali") .. "DNS)")
 o:value("114.114.114.114", "114.114.114.114 (114DNS)")
@ -114,8 +118,19 @@ o:value("1.2.4.8", "1.2.4.8 (CNNIC DNS)")
 o:value("210.2.4.8", "210.2.4.8 (CNNIC DNS)")
 o:value("180.76.76.76", "180.76.76.76 (" .. translate("Baidu") .. "DNS)")

+---- DoH URL
+o = s:taboption("DNS", Value, "up_china_dns_doh_url", translate("DoH request address"))
+o.default = "https://dns.alidns.com/dns-query"
+o:depends("up_china_dns", "https-dns-proxy")
+
+---- DoH Bootstrap
+o = s:taboption("DNS", Value, "up_china_dns_doh_bootstrap", translate("DoH bootstrap DNS"), translate("The Bootstrap DNS server is used to resolve the IP address of the DoH resolver you specify as the upstream."))
+o.default = "223.5.5.5,223.6.6.6"
+o:depends("up_china_dns", "https-dns-proxy")
+
 ---- DNS Forward Mode
 o = s:taboption("DNS", Value, "dns_mode", translate("Filter Mode"))
+o.description = translate("When the selection is chinadns-ng, forced to be set to dnsmasq upstream DNS.")
 o.rmempty = false
 o:reset_values()
 if api.is_finded("chinadns-ng") then
@ -127,6 +142,9 @@ end
 if api.is_finded("dns2socks") then
    o:value("dns2socks", "dns2socks")
 end
+if api.is_finded("https-dns-proxy") then
+    o:value("https-dns-proxy", "https-dns-proxy(DoH)")
+end
 o:value("nonuse", translate("No Filter"))

 o = s:taboption("DNS", ListValue, "up_trust_pdnsd_dns", translate("Resolver For The List Proxied"))
@ -150,20 +168,47 @@ o:value("udp", translate("Access Filtered DNS By ") .. translate("UDP Node"))
 if api.is_finded("dns2socks") then
    o:value("dns2socks", "dns2socks")
 end
+if api.is_finded("https-dns-proxy") then
+    o:value("https-dns-proxy", "https-dns-proxy(DoH)")
+end
 o:depends("dns_mode", "chinadns-ng")

+o = s:taboption("DNS", ListValue, "up_trust_doh_dns", translate("Resolver For The List Proxied"))
+o:value("tcp", translate("Access Filtered DNS By ") .. translate("TCP Node"))
+o:value("socks", translate("Access Filtered DNS By ") .. translate("Socks Node"))
+o:depends("dns_mode", "https-dns-proxy")
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "https-dns-proxy"})
+
 ---- Upstream trust DNS Mode for ChinaDNS-NG
 o = s:taboption("DNS", Value, "socks_server", translate("Socks Server"), translate("Make sure socks service is available on this address if 'dns2socks' selected."))
 o.default = ""
 for k, v in pairs(socks_table) do o:value(v.id, v.remarks) end
+o:depends({dns_mode = "pdnsd", up_trust_pdnsd_dns = "dns2socks"})
 o:depends({dns_mode = "dns2socks"})
 o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "dns2socks"})
-o:depends({dns_mode = "pdnsd", up_trust_pdnsd_dns = "dns2socks"})
+o:depends({dns_mode = "https-dns-proxy", up_trust_doh_dns = "socks"})
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "https-dns-proxy", up_trust_doh_dns = "socks"})

 o = s:taboption("DNS", Flag, "fair_mode", translate("ChinaDNS-NG Fair Mode"))
 o.default = "1"
 o:depends({dns_mode = "chinadns-ng"})

+---- DoH URL
+o = s:taboption("DNS", Value, "doh_url", translate("DoH request address"))
+o.default = "https://dns.google/dns-query"
+o:depends({dns_mode = "https-dns-proxy"})
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "https-dns-proxy"})
+
+---- DoH Bootstrap
+o = s:taboption("DNS", Value, "doh_bootstrap", translate("DoH bootstrap DNS"), translate("The Bootstrap DNS server is used to resolve the IP address of the DoH resolver you specify as the upstream."))
+o.default = "8.8.4.4"
+o:value("8.8.4.4", "8.8.4.4 (Google DNS)")
+o:value("8.8.8.8", "8.8.8.8 (Google DNS)")
+o:value("208.67.222.222", "208.67.222.222 (Open DNS)")
+o:value("208.67.220.220", "208.67.220.220 (Open DNS)")
+o:depends({dns_mode = "https-dns-proxy"})
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "https-dns-proxy"})
+
 ---- DNS Forward
 o = s:taboption("DNS", Value, "dns_forward", translate("Filtered DNS(For Proxied Domains)"), translate("IP:Port mode acceptable, the 1st for 'dns2socks' if split with english comma."))
 o.default = "8.8.4.4"
@ -171,9 +216,11 @@ o:value("8.8.4.4", "8.8.4.4 (Google DNS)")
 o:value("8.8.8.8", "8.8.8.8 (Google DNS)")
 o:value("208.67.222.222", "208.67.222.222 (Open DNS)")
 o:value("208.67.220.220", "208.67.220.220 (Open DNS)")
-o:depends({dns_mode = "chinadns-ng"})
 o:depends({dns_mode = "dns2socks"})
 o:depends({dns_mode = "pdnsd"})
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "pdnsd"})
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "udp"})
+o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "dns2socks"})

 o = s:taboption("DNS", Flag, "dns_cache", translate("Cache Resolved"))
 o.default = "1"
@ -182,10 +229,8 @@ o:depends({dns_mode = "chinadns-ng", up_trust_chinadns_ng_dns = "dns2socks"})
 o:depends({dns_mode = "dns2socks"})
 o:depends({dns_mode = "pdnsd"})

-o = s:taboption("DNS", ListValue, "dns_default", translate("Dnsmasq default dns"), translate("When the accessed domain name does not exist in the rule list, the default DNS used."))
-o.default = "china"
-o:value("china", translate("China"))
-o:value("remote", translate("Remote"))
+o = s:taboption("DNS", Flag, "use_chnlist", translate("Use ChinaList"), translate("Only useful in non-gfwlist mode.") .. "<br />" .. translate("When used, the domestic DNS will be used only when the chnlist rule is hit, and the domain name that misses the rule will be resolved by remote DNS."))
+o.default = "0"

 o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
 o.inputstyle = "remove"
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/node_config.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/client/node_config.lua
@ -96,6 +96,9 @@ end
 if api.is_finded("trojan-go") then
    type:value("Trojan-Go", translate("Trojan-Go"))
 end
+if api.is_finded("naive") then
+    type:value("Naiveproxy", translate("NaiveProxy"))
+end

 protocol = s:option(ListValue, "protocol", translate("Protocol"))
 protocol:value("vmess", translate("Vmess"))
@ -142,7 +145,7 @@ for k, v in pairs(nodes_table) do default_node:value(v.id, v.remarks) end
 default_node:depends("protocol", "_shunt")

 -- Brook协议
-brook_protocol = s:option(ListValue, "brook_protocol", translate("Brook Protocol"))
+brook_protocol = s:option(ListValue, "brook_protocol", translate("Protocol"))
 brook_protocol:value("client", translate("Brook"))
 brook_protocol:value("wsclient", translate("WebSocket"))
 brook_protocol:depends("type", "Brook")
@ -156,6 +159,18 @@ end
 brook_tls = s:option(Flag, "brook_tls", translate("Use TLS"))
 brook_tls:depends("brook_protocol", "wsclient")

+-- Naiveproxy协议
+naiveproxy_protocol = s:option(ListValue, "naiveproxy_protocol", translate("Protocol"))
+naiveproxy_protocol:value("https", translate("HTTPS"))
+naiveproxy_protocol:value("quic", translate("QUIC"))
+naiveproxy_protocol:depends("type", "Naiveproxy")
+function naiveproxy_protocol.cfgvalue(self, section)
+	return m:get(section, "protocol")
+end
+function naiveproxy_protocol.write(self, section, value)
+	m:set(section, "protocol", value)
+end
+
 address = s:option(Value, "address", translate("Address (Support Domain Name)"))
 address.rmempty = false
 address:depends("type", "Socks")
@ -170,6 +185,7 @@ address:depends("type", "Brook")
 address:depends("type", "Trojan")
 address:depends("type", "Trojan-Plus")
 address:depends("type", "Trojan-Go")
+address:depends("type", "Naiveproxy")

 --[[
 use_ipv6 = s:option(Flag, "use_ipv6", translate("Use IPv6"))
@ -203,9 +219,11 @@ port:depends("type", "Brook")
 port:depends("type", "Trojan")
 port:depends("type", "Trojan-Plus")
 port:depends("type", "Trojan-Go")
+port:depends("type", "Naiveproxy")

 username = s:option(Value, "username", translate("Username"))
 username:depends("type", "Socks")
+username:depends("type", "Naiveproxy")
 username:depends("protocol", "http")
 username:depends("protocol", "socks")

@ -218,6 +236,7 @@ password:depends("type", "Brook")
 password:depends("type", "Trojan")
 password:depends("type", "Trojan-Plus")
 password:depends("type", "Trojan-Go")
+password:depends("type", "Naiveproxy")
 password:depends("protocol", "http")
 password:depends("protocol", "socks")
 password:depends("protocol", "shadowsocks")
@ -405,7 +424,7 @@ trojan_transport:value("original", "Original")
 trojan_transport:value("ws", "WebSocket")
 trojan_transport:value("h2", "HTTP/2")
 trojan_transport:value("h2+ws", "HTTP/2 & WebSocket")
-trojan_transport.default = "ws"
+trojan_transport.default = "original"
 trojan_transport:depends("type", "Trojan-Go")

 trojan_plugin = s:option(ListValue, "plugin_type", translate("Plugin Type"))
--- a/package/lienol/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
+++ b/package/lienol/luci-app-passwall/luasrc/view/passwall/node_list/link_share_man.htm
@ -400,7 +400,7 @@ local dsp = require "luci.dispatcher"
 				}
 			}
 		} else if (ssu[0] === "trojan") {
-			var stype = "Trojan";
+			var stype = "Trojan-Plus";
 			var m = parseNodeUrl(ssrurl);
 			console.log(m.search);
 			var password = m.passwd;
--- a/package/lienol/luci-app-passwall/po/zh_Hans/passwall.po
+++ b/package/lienol/luci-app-passwall/po/zh_Hans/passwall.po
@ -154,6 +154,21 @@ msgstr "解析本地和白名单域名"
 msgid "IP:Port mode acceptable, multi value split with english comma."
 msgstr "接受 IP:Port 形式的输入，多个以英文逗号分隔。"

+msgid "When the selection is not the default, this DNS is forced to be set to dnsmasq upstream DNS."
+msgstr "当选择的不是默认，则将此DNS强制设置为dnsmasq上游DNS。"
+
+msgid "When the selection is chinadns-ng, forced to be set to dnsmasq upstream DNS."
+msgstr "当选择的是ChinaDNS-NG，则将强制设置为dnsmasq上游DNS。"
+
+msgid "Use ChinaList"
+msgstr "使用chnlist"
+
+msgid "Only useful in non-gfwlist mode."
+msgstr "仅可用于非防火墙表。"
+
+msgid "When used, the domestic DNS will be used only when the chnlist rule is hit, and the domain name that misses the rule will be resolved by remote DNS."
+msgstr "当使用时，只有当命中chnlist规则时，才会使用国内DNS，未命中规则的域名将会使用远程DNS解析。"
+
 msgid "Ali"
 msgstr "阿里"

@ -184,6 +199,15 @@ msgstr "ChinaDNS-NG 公平模式"
 msgid "Filtered DNS(For Proxied Domains)"
 msgstr "域名过滤服务(用于被代理的域名)"

+msgid "DoH request address"
+msgstr "DoH 请求地址"
+
+msgid "DoH bootstrap DNS"
+msgstr "DoH Bootstrap DNS"
+
+msgid "The Bootstrap DNS server is used to resolve the IP address of the DoH resolver you specify as the upstream."
+msgstr "Bootstrap DNS 服务器用于解析您指定为上游的 DoH 解析器的 IP 地址。"
+
 msgid "IP:Port mode acceptable, the 1st for 'dns2socks' if split with english comma."
 msgstr "接受 IP:Port 形式的输入，多个以英文逗号分隔 ，'dns2socks' 模式下仅首个有效。"

@ -871,6 +895,9 @@ msgstr "Brook协议"
 msgid "Use TLS"
 msgstr "使用TLS"

+msgid "Naiveproxy Protocol"
+msgstr "Naiveproxy协议"
+
 msgid "V2ray Protocol"
 msgstr "V2ray协议"

--- a/package/lienol/luci-app-passwall/root/etc/config/passwall
+++ b/package/lienol/luci-app-passwall/root/etc/config/passwall
@ -6,7 +6,7 @@ config global
 	option dns_mode 'pdnsd'
 	option up_china_dns 'default'
 	option dns_forward '8.8.4.4'
-	option dns_default 'china'
+	option use_chnlist '1'
 	option use_tcp_node_resolve_dns '1'
 	option tcp_proxy_mode 'chnroute'
 	option udp_proxy_mode 'chnroute'
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
@ -15,6 +15,7 @@ RULES_PATH=/usr/share/${CONFIG}/rules
 TMP_DNSMASQ_PATH=/var/etc/dnsmasq-passwall.d
 DNSMASQ_PATH=/etc/dnsmasq.d
 RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto
+LOCAL_DOH_PORT=7912
 DNS_PORT=7913
 TUN_DNS="127.0.0.1#${DNS_PORT}"
 IS_DEFAULT_DNS=
@ -27,6 +28,7 @@ LUA_API_PATH=/usr/lib/lua/luci/model/cbi/$CONFIG/api
 API_GEN_SS=$LUA_API_PATH/gen_shadowsocks.lua
 API_GEN_V2RAY=$LUA_API_PATH/gen_v2ray.lua
 API_GEN_TROJAN=$LUA_API_PATH/gen_trojan.lua
+API_GEN_NAIVE=$LUA_API_PATH/gen_naiveproxy.lua
 echolog() {
 	local d="$(date "+%Y-%m-%d %H:%M:%S")"
 	echo -e "$d: $*" >>$LOG_FILE
@ -283,7 +285,7 @@ load_config() {
 	DNS_MODE=$(config_t_get global dns_mode pdnsd)
 	DNS_FORWARD=$(config_t_get global dns_forward 8.8.4.4:53 | sed 's/:/#/g')
 	DNS_CACHE=$(config_t_get global dns_cache 1)
-	DNS_DEFAULT=$(config_t_get global dns_default china)
+	USE_CHNLIST=$(config_t_get global use_chnlist 0)
 	process=1
 	if [ "$(config_t_get global_forwarding process 0)" = "0" ]; then
 		process=$(cat /proc/cpuinfo | grep 'processor' | wc -l)
@ -341,6 +343,9 @@ run_socks() {
 	elif [ "$type" == "trojan-go" ]; then
 		lua $API_GEN_TROJAN $node client $bind $local_port > $config_file
 		ln_start_bin "$(first_type $(config_t_get global_app trojan_go_file notset) trojan-go)" trojan-go -config "$config_file"
+	elif [ "$type" == "naiveproxy" ]; then
+		lua $API_GEN_NAIVE $node socks $bind $local_port > $config_file
+		ln_start_bin "$(first_type naive)" naive "$config_file"
 	elif [ "$type" == "brook" ]; then
 		local protocol=$(config_n_get $node protocol client)
 		local brook_tls=$(config_n_get $node brook_tls 0)
@ -397,6 +402,8 @@ run_redir() {
 		elif [ "$type" == "trojan-go" ]; then
 			lua $API_GEN_TROJAN $node nat "0.0.0.0" $local_port >$config_file
 			ln_start_bin "$(first_type $(config_t_get global_app trojan_go_file notset) trojan-go)" trojan-go -config "$config_file"
+		elif [ "$type" == "naiveproxy" ]; then
+			echolog "Naiveproxy不支持UDP转发！"
 		elif [ "$type" == "brook" ]; then
 			local protocol=$(config_n_get $node protocol client)
 			if [ "$protocol" == "wsclient" ]; then
@ -438,6 +445,9 @@ run_redir() {
 		elif [ "$type" == "trojan-go" ]; then
 			lua $API_GEN_TROJAN $node nat "0.0.0.0" $local_port > $config_file
 			ln_start_bin "$(first_type $(config_t_get global_app trojan_go_file notset) trojan-go)" trojan-go -config "$config_file"
+		elif [ "$type" == "naiveproxy" ]; then
+			lua $API_GEN_NAIVE $node redir "0.0.0.0" $local_port > $config_file
+			ln_start_bin "$(first_type naive)" naive "$config_file"
 		else
 			local kcptun_use=$(config_n_get $node use_kcp 0)
 			if [ "$kcptun_use" == "1" ]; then
@ -619,12 +629,20 @@ stop_crontab() {
 }

 start_dns() {
-	local dns2socks_socks_server dns2socks_forward dns2sock_cache pdnsd_port pdnsd_forward other_port up_trust_pdnsd_dns msg
+	if [ "${LOCAL_DNS}" = "https-dns-proxy" ]; then
+		up_china_dns_doh_url=$(config_t_get global up_china_dns_doh_url "https://dns.alidns.com/dns-query")
+		up_china_dns_doh_bootstrap=$(config_t_get global up_china_dns_doh_bootstrap "223.5.5.5,223.6.6.6")
+		ln_start_bin "$(first_type https-dns-proxy)" https-dns-proxy -a 127.0.0.1 -p "${LOCAL_DOH_PORT}" -b "${up_china_dns_doh_bootstrap}" -r "${up_china_dns_doh_url}" -4
+		LOCAL_DNS="127.0.0.1#${LOCAL_DOH_PORT}"
+	fi
+
+	local dns2socks_socks_server dns2socks_forward dns2sock_cache doh_port pdnsd_port pdnsd_forward other_port up_trust_pdnsd_dns msg
 	local global chnlist returnhome china_ng_chn china_ng_gfw chnlist_param gfwlist_param extra_mode up_trust_chinadns_ng_dns
 	dns2socks_socks_server=$(echo $(config_t_get global socks_server 127.0.0.1:9050) | sed "s/#/:/g")
 	dns2socks_forward=$(get_first_dns DNS_FORWARD 53 | sed 's/#/:/g')
 	dns2socks_listen="127.0.0.1:${DNS_PORT}"
 	[ "$DNS_CACHE" == "0" ] && dns2sock_cache="/d"
+	doh_port=${DNS_PORT}
 	pdnsd_port=${DNS_PORT}
 	pdnsd_forward=${DNS_FORWARD}
 	china_ng_chn="${LOCAL_DNS}"
@ -644,10 +662,21 @@ start_dns() {
 	dns2socks)
 		echolog "  - 域名解析 dns2socks..."
 	;;
+	https-dns-proxy)
+		up_trust_doh_dns=$(config_t_get global up_trust_doh_dns "tcp")
+		if [ "$up_trust_doh_dns" = "socks" ]; then
+			use_tcp_node_resolve_dns=0
+			msg="Socks节点"
+		elif [ "${up_trust_doh_dns}" = "tcp" ]; then
+			use_tcp_node_resolve_dns=1
+			msg="TCP节点"
+		fi
+		echolog "  - 域名解析 https-dns-proxy(DOH)..."
+	;;
 	pdnsd)
 		up_trust_pdnsd_dns=$(config_t_get global up_trust_pdnsd_dns "nil")
 		if [ "$up_trust_pdnsd_dns" = "dns2socks" ]; then
-			[ -n "${returnhome}" ] && pdnsd_forward=${china_ng_chn} ||  pdnsd_forward=${china_ng_gfw}
+			[ -n "${returnhome}" ] && pdnsd_forward=${china_ng_chn} || pdnsd_forward=${china_ng_gfw}
 			dns2socks_listen=${pdnsd_forward}
 			msg="dns2socks"
 		elif [ "$up_trust_pdnsd_dns" = "udp" ]; then
@ -670,8 +699,11 @@ start_dns() {
 			msg="pdnsd"
 		elif [ "$up_trust_chinadns_ng_dns" = "dns2socks" ]; then
 			dns2socks_listen=${china_ng_gfw}
-			[ -n "${global}${chnlist}" ] && TUN_DNS="${dns2socks_listen}"
+			#[ -n "${global}${chnlist}" ] && TUN_DNS="${dns2socks_listen}"
 			msg="dns2socks"
+		elif [ "$up_trust_chinadns_ng_dns" = "https-dns-proxy" ]; then
+			doh_port=${other_port}
+			msg="https-dns-proxy(DoH)"
 		elif [ "$up_trust_chinadns_ng_dns" = "udp" ]; then
 			use_udp_node_resolve_dns=1
 			if [ -z "${returnhome}" ]; then
@ -681,21 +713,25 @@ start_dns() {
 			fi
 			msg="udp"
 		fi
-		cp -a "${RULES_PATH}/chnlist" "${TMP_PATH}/chnlist"
-		if [ -z "${returnhome}" ]; then
-			cat "${RULES_PATH}/direct_host" >> "${TMP_PATH}/chnlist"
-			echolog "  | - [$?](chinadns-ng) 域名白名单合并到中国域名表"
-			cat "${RULES_PATH}/proxy_host" >> "${TMP_PATH}/gfwlist.txt"
-			echolog "  | - [$?](chinadns-ng) 代理域名表合并到防火墙域名表"
-			gfwlist_param="${TMP_PATH}/gfwlist.txt"
-		else
-			echolog "  | - (chinadns-ng) 白名单不与中国域名表合并"
-			cat "${RULES_PATH}/proxy_host" >> "${TMP_PATH}/chnlist"
-			echolog "  | - [$?](chinadns-ng) 忽略防火墙域名表，代理域名表合并到中国域名表"
-		fi
-		chnlist_param="${TMP_PATH}/chnlist"
+		chnlist_param=
+		[ "$USE_CHNLIST" = "1" ] && {
+			cp -a "${RULES_PATH}/chnlist" "${TMP_PATH}/chnlist"
+			if [ -z "${returnhome}" ]; then
+				cat "${RULES_PATH}/direct_host" >> "${TMP_PATH}/chnlist"
+				echolog "  | - [$?](chinadns-ng) 域名白名单合并到中国域名表"
+				cat "${RULES_PATH}/proxy_host" >> "${TMP_PATH}/gfwlist.txt"
+				echolog "  | - [$?](chinadns-ng) 代理域名表合并到防火墙域名表"
+				gfwlist_param="${TMP_PATH}/gfwlist.txt"
+			else
+				echolog "  | - (chinadns-ng) 白名单不与中国域名表合并"
+				cat "${RULES_PATH}/proxy_host" >> "${TMP_PATH}/chnlist"
+				echolog "  | - [$?](chinadns-ng) 忽略防火墙域名表，代理域名表合并到中国域名表"
+			fi
+			chnlist_param="${TMP_PATH}/chnlist"
+			chnlist_param=${chnlist_param:+-m "${chnlist_param}" -M}
+		}
 		[ "$(config_t_get global fair_mode 1)" = "1" ] && extra_mode="-f"
-		ln_start_bin "$(first_type chinadns-ng)" chinadns-ng -l "${DNS_PORT}" ${china_ng_chn:+-c "${china_ng_chn}"} ${chnlist_param:+-m "${chnlist_param}" -M} ${china_ng_gfw:+-t "${china_ng_gfw}"} ${gfwlist_param:+-g "${gfwlist_param}"} $extra_mode
+		ln_start_bin "$(first_type chinadns-ng)" chinadns-ng -l "${DNS_PORT}" ${china_ng_chn:+-c "${china_ng_chn}"} ${chnlist_param} ${china_ng_gfw:+-t "${china_ng_gfw}"} ${gfwlist_param:+-g "${gfwlist_param}"} $extra_mode
 		echolog "  + 过滤服务：ChinaDNS-NG(:${DNS_PORT}${extra_mode}) + ${msg}：中国域名列表：${china_ng_chn:-D114.114.114.114}，防火墙域名列表：${china_ng_gfw:-D8.8.8.8}"
 		#[ -n "${global}${chnlist}" ] && [ -z "${returnhome}" ] && TUN_DNS="${china_ng_gfw}"
 	;;
@ -709,18 +745,31 @@ start_dns() {
 		gen_pdnsd_config "${pdnsd_port}" "${pdnsd_forward}"
 		ln_start_bin "$(first_type pdnsd)" pdnsd --daemon -c "${TMP_PATH}/pdnsd/pdnsd.conf" -d
 	fi
+	if [ -n "$(echo ${DNS_MODE}${up_trust_chinadns_ng_dns} | grep 'https-dns-proxy')" ]; then
+		doh_url=$(config_t_get global doh_url "https://dns.google/dns-query")
+		doh_bootstrap=$(config_t_get global doh_bootstrap "8.8.4.4")
+		
+		up_trust_doh_dns=$(config_t_get global up_trust_doh_dns "tcp")
+		if [ "$up_trust_doh_dns" = "socks" ]; then
+			socks_server=$(echo $(config_t_get global socks_server 127.0.0.1:9050) | sed "s/#/:/g")
+			ln_start_bin "$(first_type https-dns-proxy)" https-dns-proxy -a 127.0.0.1 -p "${doh_port}" -b "${doh_bootstrap}" -r "${doh_url}" -4 -t socks5h://${socks_server}
+		elif [ "${up_trust_doh_dns}" = "tcp" ]; then
+			DNS_FORWARD=${doh_bootstrap}:443
+			ln_start_bin "$(first_type https-dns-proxy)" https-dns-proxy -a 127.0.0.1 -p "${doh_port}" -b "${doh_bootstrap}" -r "${doh_url}" -4
+		fi
+	fi
 	if [ -n "$(echo ${DNS_MODE}${up_trust_chinadns_ng_dns}${up_trust_pdnsd_dns} | grep dns2socks)" ]; then
 		dns2socks_listen=$(echo "${dns2socks_listen}" | sed 's/#/:/g')
 		ln_start_bin "$(first_type dns2socks)" dns2socks "$dns2socks_socks_server" "$dns2socks_forward" "$dns2socks_listen" $dns2sock_cache
 		echolog "  - dns2sock(${dns2socks_listen}${dns2sock_cache})，${dns2socks_socks_server:-127.0.0.1:9050} -> ${dns2socks_forward-D46.182.19.48:53}"
-		[ "${DNS_MODE}" = "chinadns-ng" ] && [ -n "${global}${chnlist}" ] && [ -z "${returnhome}" ] && TUN_DNS="${dns2socks_listen}"
+		#[ "${DNS_MODE}" = "chinadns-ng" ] && [ -n "${global}${chnlist}" ] && [ -z "${returnhome}" ] && TUN_DNS=$(echo "${dns2socks_listen}" | sed 's/:/#/g')
 	fi
 	[ "${use_udp_node_resolve_dns}" = "1" ] && echolog "  * 要求代理 DNS 请求，如上游 DNS 非直连地址，确保 UDP 代理打开，并且已经正确转发"
 	[ "${use_tcp_node_resolve_dns}" = "1" ] && echolog "  * 请确认上游 DNS 支持 TCP 查询，如非直连地址，确保 TCP 代理打开，并且已经正确转发"
 }

 add_dnsmasq() {
-	local global returnhome chnlist gfwlist force_local filtered_dns fwd_dns items item servers msg
+	local global returnhome chnlist gfwlist fwd_dns items item servers msg

 	mkdir -p "${TMP_DNSMASQ_PATH}" "${DNSMASQ_PATH}" "/var/dnsmasq.d"
 	[ "$(config_t_get global_rules adblock 0)" = "1" ] && {
@ -735,13 +784,10 @@ add_dnsmasq() {
 		returnhome=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "returnhome")
 		chnlist=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "chnroute")
 		gfwlist=$(echo "${TCP_PROXY_MODE}${LOCALHOST_TCP_PROXY_MODE}${UDP_PROXY_MODE}${LOCALHOST_UDP_PROXY_MODE}" | grep "gfwlist")
-		if [ "${IS_DEFAULT_DNS}" = "1" ]; then
-			force_local=1
-			[ -n "${chnlist}" ] && force_local=2
-			[ "${DNS_MODE}" = "other_dns" ] || [ "${DNS_MODE}" = "chinadns-ng" ] && force_local=3
+		
+		if [ "${USE_CHNLIST}" = "1" ] && [ -n "${gfwlist}" ]; then
+			USE_CHNLIST=0
 		fi
-		[ "${DNS_MODE}" = "other_dns" ] || [ "${DNS_MODE}" = "chinadns-ng" ] || [ -n "${global}${chnlist}" ] && filtered_dns=1
-		[ "${DNS_DEFAULT}" = "china" ] && unset filtered_dns
 		
 		#始终用国内DNS解析节点域名
 		fwd_dns="${LOCAL_DNS}"
@ -749,40 +795,57 @@ add_dnsmasq() {
 		hosts_foreach "servers" host_from_url | grep -v "google.c" | grep '[a-zA-Z]$' | sort -u | gen_dnsmasq_items "vpsiplist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/vpsiplist_host.conf"
 		echolog "  - [$?]节点列表中的域名(vpsiplist)：${fwd_dns:-默认}"

+		#始终用国内DNS解析直连（白名单）列表		
 		fwd_dns="${LOCAL_DNS}"
-		[ -z "${global}" ] && {
-			[ -z "${chnlist}" ] || [ -n "${returnhome}" ] && [ -n "${force_local}" ] && unset fwd_dns
-			[ "${DNS_DEFAULT}" = "china" ] && unset fwd_dns
-			[ "${DNS_MODE}" = "chinadns-ng" ] && unset fwd_dns
-			[ "${DNS_MODE}" = "other_dns" ] && fwd_dns="${TUN_DNS}"
-			sort -u "${RULES_PATH}/direct_host" | gen_dnsmasq_items "whitelist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/direct_host.conf"
-			echolog "  - [$?]域名白名单(whitelist)：${fwd_dns:-默认}"
-		}
-
-		[ -n "${returnhome}" ] || [ "${filtered_dns}" = "1" ] && {
-			[ -n "${gfwlist}" ] && fwd_dns="${LOCAL_DNS}"
-			[ -n "${returnhome}" ] && fwd_dns="${TUN_DNS}"
-			[ "${filtered_dns}" = "1" ] && [ -z "${chnlist}" ] && unset fwd_dns
-			[ "${DNS_DEFAULT}" = "china" ] && unset fwd_dns
-			[ -n "${global}" ] && unset fwd_dns
-			sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_items "chnroute" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/chinalist_host.conf"
-			echolog "  - [$?]中国域名表(chnroute)：${fwd_dns:-默认}"
+		#如果使用Chinadns-NG直接交给Chinadns-NG处理
+		[ "${DNS_MODE}" = "chinadns-ng" ] && unset fwd_dns
+		#如果没使用chnlist直接使用默认DNS
+		[ "${USE_CHNLIST}" = "0" ] && unset fwd_dns
+		sort -u "${RULES_PATH}/direct_host" | gen_dnsmasq_items "whitelist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/direct_host.conf"
+		echolog "  - [$?]域名白名单(whitelist)：${fwd_dns:-默认}"
+
+		#当勾选使用chnlist，仅当使用大陆白名单或回国模式
+		[ "${USE_CHNLIST}" = "1" ] && {
+			fwd_dns="${LOCAL_DNS}"
+			[ -n "${returnhome}" ] || [ -n "${chnlist}" ] && {
+				[ -n "${global}" ] && unset fwd_dns
+				#如果使用Chinadns-NG直接交给Chinadns-NG处理
+				[ "${DNS_MODE}" = "chinadns-ng" ] && unset fwd_dns
+				#如果使用回国模式，设置dns为远程DNS。
+				[ -n "${returnhome}" ] && fwd_dns="${TUN_DNS}"
+				sort -u "${RULES_PATH}/chnlist" | gen_dnsmasq_items "chnroute" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/chinalist_host.conf"
+				echolog "  - [$?]中国域名表(chnroute)：${fwd_dns:-默认}"
+			}
 		}

+		#始终使用远程DNS解析代理（黑名单）列表
 		fwd_dns="${TUN_DNS}"
-		[ "${filtered_dns}" = "1" ] && [ -z "${returnhome}" ] && unset fwd_dns
-		[ "${DNS_MODE}" = "chinadns-ng" ] || [ -n "${global}" ] && [ -z "${returnhome}" ] && unset fwd_dns
+		#如果使用Chinadns-NG直接交给Chinadns-NG处理
+		[ "${DNS_MODE}" = "chinadns-ng" ] && unset fwd_dns
+		#如果使用chnlist直接使用默认DNS
+		[ "${USE_CHNLIST}" = "1" ] && unset fwd_dns
 		sort -u "${RULES_PATH}/proxy_host" | gen_dnsmasq_items "blacklist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/proxy_host.conf"
 		echolog "  - [$?]代理域名表(blacklist)：${fwd_dns:-默认}"

+		#如果没有使用回国模式
 		[ -z "${returnhome}" ] && {
-			[ "${filtered_dns}" = "1" ] && [ "${DNS_MODE}" != "chinadns-ng" ] && unset fwd_dns
+			fwd_dns="${TUN_DNS}"
+			#如果使用Chinadns-NG直接交给Chinadns-NG处理
+			[ "${DNS_MODE}" = "chinadns-ng" ] && unset fwd_dns
+			#如果使用chnlist直接使用默认DNS
+			[ "${USE_CHNLIST}" = "1" ] && unset fwd_dns
 			sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/gfwlist.conf"
 			#sort -u "${TMP_PATH}/gfwlist.txt" | gen_dnsmasq_items "gfwlist,gfwlist6" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/gfwlist.conf"
 			echolog "  - [$?]防火墙域名表(gfwlist)：${fwd_dns:-默认}"
 		}

+		#如果开启了通过代理订阅
 		[ "$(config_t_get global_subscribe subscribe_proxy 0)" = "1" ] && {
+			fwd_dns="${TUN_DNS}"
+			#如果使用Chinadns-NG直接交给Chinadns-NG处理
+			[ "${DNS_MODE}" = "chinadns-ng" ] && unset fwd_dns
+			#如果使用chnlist直接使用默认DNS
+			[ "${USE_CHNLIST}" = "1" ] && unset fwd_dns
 			items=$(get_enabled_anonymous_secs "@subscribe_list")
 			for item in ${items}; do
 				host_from_url "$(config_n_get ${item} url)" | gen_dnsmasq_items "blacklist" "${fwd_dns}" "${TMP_DNSMASQ_PATH}/subscribe.conf"
@ -795,20 +858,18 @@ add_dnsmasq() {
 		msg="ISP"
 		servers="${LOCAL_DNS}"
 		echo "conf-dir=${TMP_DNSMASQ_PATH}" > "/var/dnsmasq.d/dnsmasq-${CONFIG}.conf"
+		#兼容旧版dnsmasq
 		echo "conf-dir=${TMP_DNSMASQ_PATH}" > "${DNSMASQ_PATH}/dnsmasq-${CONFIG}.conf"

-		[ "${filtered_dns}" = "1" ] && [ -z "${returnhome}" ] && servers="${TUN_DNS}"
+		[ "${USE_CHNLIST}" = "1" ] && servers="${TUN_DNS}"
 		[ -n "${chnlist}" ] && msg="中国列表以外"
 		[ -n "${returnhome}" ] && msg="中国列表"
 		[ -n "${global}" ] && msg="全局"
-		if [ "${DNS_MODE}" = "other_dns" ]; then
-			msg="指定DNS"
-		elif [ "${DNS_MODE}" = "chinadns-ng" ]; then
-			#[ -z "${global}${chnlist}" ] && servers="127.0.0.1#${DNS_PORT}" && msg="chinadns-ng"
+		if [ "${DNS_MODE}" = "chinadns-ng" ]; then
 			#直接交给Chinadns-ng处理
 			servers="${TUN_DNS}" && msg="chinadns-ng"
 		else
-			[ "${IS_DEFAULT_DNS}" = "1" ] && [ "${filtered_dns}" != "1" ] && {
+			[ "${IS_DEFAULT_DNS}" = "1" ] && [ "${USE_CHNLIST}" = "0" ] && {
 				echolog "  - 不强制设置默认DNS(上级分配)！"
 				return
 			}
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/subscribe.lua
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/subscribe.lua
@ -575,7 +575,7 @@ local function processData(szType, content, add_mode)
 		log('暂时不支持' .. szType .. "类型的节点订阅，跳过此节点。")
 		return nil
 	end
-	if not result.remarks then
+	if not result.remarks or result.remarks == "" then
 		if result.address and result.port then
 			result.remarks = result.address .. ':' .. result.port
 		else
@ -841,7 +841,7 @@ local function parse_link(raw, remark, manual)
 				end
 				-- log(result)
 				if result then
-					if is_filter_keyword(result.remarks) or
+					if (not manual and is_filter_keyword(result.remarks)) or
 						not result.address or
 						result.remarks == "NULL" or
 						result.address:match("[^0-9a-zA-Z%-%_%.%s]") or -- 中文做地址的 也没有人拿中文域名搞，就算中文域也有Puny Code SB 机场