luci-app-passwall: sync with upstream source

This commit is contained in:
CN_SZTL 2020-02-25 18:01:40 +08:00
parent e669edc5e0
commit ee2a035840
No known key found for this signature in database
GPG Key ID: 6850B6345C862176
6 changed files with 6352 additions and 245 deletions


@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall
PKG_VERSION:=3.6
PKG_RELEASE:=1
PKG_DATE:=20200224
PKG_RELEASE:=2
PKG_DATE:=20200225
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@ -86,7 +86,7 @@ define Package/$(PKG_NAME)
TITLE:=LuCI support for PassWall By Lienol
PKGARCH:=all
DEPENDS:=+libmbedtls +iptables-mod-tproxy +kmod-ipt-tproxy +iptables-mod-ipopt +kmod-ipt-ipopt +ip +ipset +coreutils +coreutils-base64 +coreutils-nohup +luci-lib-jsonc \
+bash +wget +resolveip +unzip +dnsmasq-full +tcping \
+wget +resolveip +unzip +dnsmasq-full +tcping \
+PACKAGE_$(PKG_NAME)_INCLUDE_ipt2socks:ipt2socks \
+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks:shadowsocks-libev-ss-redir \
+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR:shadowsocksr-libev-alt \


@ -31,6 +31,7 @@ s.addremove = true
---- Enable
o = s:option(Flag, "enabled", translate("Enable"))
o.default = 1
o.rmempty = false
---- Remarks


@ -61,6 +61,11 @@ s.sortable = true
s.anonymous = true
s.addremove = true
---- Enable
o = s:option(Flag, "enabled", translate("Enable"))
o.default = 1
o.rmempty = false
---- Node Address
o = s:option(Value, "lbss", translate("Node Address"))
for _, key in pairs(key_table) do
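Review bot: The new `enabled` flag is read on the shell side with a hard default of 0 (`enabled=$(u_get $i enabled 0)` then `[ "$enabled" == "0" ] && continue` in start_haproxy), and `o.default = 1` only pre-fills the form, so `balancing` sections that already exist in a stored config without this option will be skipped entirely after the upgrade until the user re-saves the page. Either ship a one-time uci migration that writes `enabled='1'` into existing `balancing` sections, or default the shell read to 1 (`u_get $i enabled 1`) so that entries predating the flag keep working. The same consideration applies to the `enabled` defaults used for `subscribe_list` and `acl_rule` in the shell loops. The file header for this section is not visible, so which CBI page this is can only be inferred from the `lbss` option below.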



@ -116,24 +116,6 @@ get_not_exists_port_after() {
fi
}
set_subscribe_proxy() {
local enabled
local url
config_get enabled $1 enabled
config_get url $1 url
[ "$enabled" == "1" ] && {
[ -n "$url" -a "$url" != "" ] && {
if [ -n "$(echo -n "$url" | grep "//")" ]; then
echo -n "$url" | awk -F'/' '{print $3}' | sed "s/^/server=&\/./g" | sed "s/$/\/127.0.0.1#$DNS_PORT/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
echo -n "$url" | awk -F'/' '{print $3}' | sed "s/^/ipset=&\/./g" | sed "s/$/\/router/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
else
echo -n "$url" | awk -F'/' '{print $1}' | sed "s/^/server=&\/./g" | sed "s/$/\/127.0.0.1#$DNS_PORT/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
echo -n "$url" | awk -F'/' '{print $1}' | sed "s/^/ipset=&\/./g" | sed "s/$/\/router/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
fi
}
}
}
ln_start_bin() {
local file=$1
local bin=$2
@ -228,8 +210,6 @@ load_config() {
SOCKS5_PROXY_PORT3=$(expr $SOCKS5_PROXY_PORT2 + 1)
PROXY_IPV6=$(config_t_get global_forwarding proxy_ipv6 0)
mkdir -p /var/etc $CONFIG_PATH $RUN_BIN_PATH $RUN_ID_PATH
config_load $CONFIG
return 0
}
@ -245,13 +225,11 @@ gen_ss_ssr_config_file() {
encrypt_method=$(config_n_get $node ss_encrypt_method)
[ "$type" == "ssr" ] && encrypt_method=$(config_n_get $node ssr_encrypt_method)
[ "$kcptun" == "1" ] && {
server_ip=127.0.0.1
server_host=127.0.0.1
port=$KCPTUN_REDIR_PORT
}
cat <<-EOF >$configfile
{
"_comment": "$server_ip",
"server": "$server_host",
"server_port": $port,
"local_address": "0.0.0.0",
@ -274,7 +252,7 @@ gen_ss_ssr_config_file() {
}
gen_start_config() {
local node local_port redir_type config_file server_host server_ip port type use_ipv6 network_type
local node local_port redir_type config_file server_host port type
node=$1
local_port=$2
redir_type=$3
@ -283,20 +261,9 @@ gen_start_config() {
remarks=$(config_n_get $node remarks)
server_host=$(config_n_get $node address)
port=$(config_n_get $node port)
[ -n "$server_host" -a -n "$port" ] && {
use_ipv6=$(config_n_get $node use_ipv6)
network_type="ipv4"
[ "$use_ipv6" == "1" ] && network_type="ipv6"
server_ip=$(get_host_ip $network_type $server_host)
echolog "$redir_type节点$remarks,节点:${server_ip}:${port},监听端口:$local_port"
}
[ -n "$server_host" -a -n "$port" ] && echolog "$redir_type节点$remarks,节点:${server_host}:${port},监听端口:$local_port"
if [ "$redir_type" == "SOCKS5" ]; then
if [ "$network_type" == "ipv6" ]; then
eval SOCKS5_NODE${5}_IPV6=$server_ip
else
eval SOCKS5_NODE${5}_IP=$server_ip
fi
eval SOCKS5_NODE${5}_PORT=$port
if [ "$type" == "socks5" ]; then
echolog "Socks5节点不能使用Socks5代理节点"
@ -307,7 +274,7 @@ gen_start_config() {
lua $API_GEN_TROJAN $node client "0.0.0.0" $local_port >$config_file
ln_start_bin $(find_bin trojan) trojan "-c $config_file"
elif [ "$type" == "brook" ]; then
ln_start_bin $(config_t_get global_app brook_file $(find_bin brook)) brook "client -l 0.0.0.0:$local_port -i 0.0.0.0 -s $server_ip:$port -p $(config_n_get $node password)"
ln_start_bin $(config_t_get global_app brook_file $(find_bin brook)) brook "client -l 0.0.0.0:$local_port -i 0.0.0.0 -s $server_host:$port -p $(config_n_get $node password)"
elif [ "$type" == "ssr" ]; then
gen_ss_ssr_config_file ssr $local_port 0 $node $config_file
ln_start_bin $(find_bin ssr-local) ssr-local "-c $config_file -b 0.0.0.0 -u"
@ -326,11 +293,6 @@ gen_start_config() {
fi
if [ "$redir_type" == "UDP" ]; then
if [ "$network_type" == "ipv6" ]; then
eval UDP_NODE${5}_IPV6=$server_ip
else
eval UDP_NODE${5}_IP=$server_ip
fi
eval UDP_NODE${5}_PORT=$port
if [ "$type" == "socks5" ]; then
@ -365,7 +327,7 @@ gen_start_config() {
# gen_redsocks_config $redsocks_config_file udp $port "127.0.0.1" $socks5_port
# ln_start_bin $(find_bin redsocks2) redsocks2 "-c $redsocks_config_file"
elif [ "$type" == "brook" ]; then
ln_start_bin $(config_t_get global_app brook_file $(find_bin brook)) brook "tproxy -l 0.0.0.0:$local_port -s $server_ip:$port -p $(config_n_get $node password)"
ln_start_bin $(config_t_get global_app brook_file $(find_bin brook)) brook "tproxy -l 0.0.0.0:$local_port -s $server_host:$port -p $(config_n_get $node password)"
elif [ "$type" == "ssr" ]; then
gen_ss_ssr_config_file ssr $local_port 0 $node $config_file
ln_start_bin $(find_bin ssr-redir) ssr-redir "-c $config_file -U"
@ -384,11 +346,6 @@ gen_start_config() {
fi
if [ "$redir_type" == "TCP" ]; then
if [ "$network_type" == "ipv6" ]; then
eval TCP_NODE${5}_IPV6=$server_ip
else
eval TCP_NODE${5}_IP=$server_ip
fi
eval TCP_NODE${5}_PORT=$port
if [ "$type" == "socks5" ]; then
@ -397,7 +354,7 @@ gen_start_config() {
local server_username=$(config_n_get $node username)
local server_password=$(config_n_get $node password)
eval port=\$TCP_REDIR_PORT$5
ln_start_bin $(find_bin ipt2socks) ipt2socks "-l $port -b 0.0.0.0 -s $node_address -p $socks5_port -R"
ln_start_bin $(find_bin ipt2socks) ipt2socks "-T -l $port -b 0.0.0.0 -s $node_address -p $node_port -R"
# local redsocks_config_file=$CONFIG_PATH/TCP_$i.conf
# gen_redsocks_config $redsocks_config_file tcp $port $node_address $socks5_port $server_username $server_password
@ -420,16 +377,8 @@ gen_start_config() {
force_stop
fi
if [ -n "$kcptun_port" -a -n "$kcptun_config" -a "$lbenabled" == "0" ]; then
local run_kcptun_ip=$server_ip
if [ -n "$kcptun_server_host" ]; then
kcptun_use_ipv6=$(config_n_get $node kcp_use_ipv6)
network_type="ipv4"
[ "$kcptun_use_ipv6" == "1" ] && network_type="ipv6"
kcptun_server_ip=$(get_host_ip $network_type $kcptun_server_host)
eval TCP_NODE${5}_IP=$kcptun_server_ip
run_kcptun_ip=$kcptun_server_ip
echolog "Kcptun节点IP地址:$kcptun_server_ip"
fi
local run_kcptun_ip=$server_host
[ -n "$kcptun_server_host" ] && run_kcptun_ip=$(get_host_ip $network_type $kcptun_server_host)
KCPTUN_REDIR_PORT=$(get_not_exists_port_after $KCPTUN_REDIR_PORT udp)
ln_start_bin $(config_t_get global_app kcptun_client_file $(find_bin kcptun-client)) kcptun-client "--log $CONFIG_PATH/kcptun_${5}.log -l 0.0.0.0:$KCPTUN_REDIR_PORT -r $run_kcptun_ip:$kcptun_port $kcptun_config"
fi
@ -453,6 +402,7 @@ gen_start_config() {
ln_start_bin $(find_bin ss-redir) ss-redir "-c $config_file $plugin_params"
done
elif [ "$type" == "brook" ]; then
local server_ip=$server_host
[ "$kcptun_use" == "1" ] && {
server_ip=127.0.0.1
port=$KCPTUN_REDIR_PORT
@ -624,7 +574,7 @@ add_dnsmasq() {
mkdir -p $TMP_DNSMASQ_PATH $DNSMASQ_PATH /var/dnsmasq.d
cat $RULE_PATH/whitelist_host | sed -e "/^$/d" | sed "s/^/ipset=&\/./g" | sed "s/$/\/&whitelist/g" | sort | awk '{if ($0!=line) print;line=$0}' > $TMP_DNSMASQ_PATH/whitelist_host.conf
local adblock=$(config_t_get global_rules adblock 0)
local adblock=$(config_t_get global_rules adblock 1)
[ "$adblock" == "1" ] && {
[ -f "$RULE_PATH/adblock.conf" -a -s "$RULE_PATH/adblock.conf" ] && ln -s $RULE_PATH/adblock.conf $TMP_DNSMASQ_PATH/adblock.conf
}
@ -636,7 +586,27 @@ add_dnsmasq() {
subscribe_proxy=$(config_t_get global_subscribe subscribe_proxy 0)
[ "$subscribe_proxy" -eq 1 ] && {
config_foreach set_subscribe_proxy "subscribe_list"
local count=$(uci show $CONFIG | grep "@subscribe_list" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
[ -n "$count" -a "$count" -ge 0 ] && {
u_get() {
local ret=$(uci -q get $CONFIG.@subscribe_list[$1].$2)
echo ${ret:=$3}
}
for i in $(seq 0 $count); do
local enabled=$(u_get $i enabled 0)
[ "$enabled" == "0" ] && continue
local url=$(u_get $i url)
[ -n "$url" -a "$url" != "" ] && {
if [ -n "$(echo -n "$url" | grep "//")" ]; then
echo -n "$url" | awk -F'/' '{print $3}' | sed "s/^/server=&\/./g" | sed "s/$/\/127.0.0.1#$DNS_PORT/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
echo -n "$url" | awk -F'/' '{print $3}' | sed "s/^/ipset=&\/./g" | sed "s/$/\/router/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
else
echo -n "$url" | awk -F'/' '{print $1}' | sed "s/^/server=&\/./g" | sed "s/$/\/127.0.0.1#$DNS_PORT/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
echo -n "$url" | awk -F'/' '{print $1}' | sed "s/^/ipset=&\/./g" | sed "s/$/\/router/g" >>$TMP_DNSMASQ_PATH/subscribe.conf
fi
}
done
}
}
}
@ -844,53 +814,62 @@ start_haproxy() {
bind 0.0.0.0:$bport
mode tcp
EOF
for i in $(seq 0 50); do
bips=$(config_t_get balancing lbss '' $i)
bports=$(config_t_get balancing lbort '' $i)
if [ -z "$bips" ] || [ -z "$bports" ]; then
break
fi
local bip=$(echo $bips | awk -F ":" '{print $1}')
local bport=$(echo $bips | awk -F ":" '{print $2}')
[ "$bports" != "default" ] && bport=$bports
[ -z "$bport" ] && break
bweight=$(config_t_get balancing lbweight '' $i)
exports=$(config_t_get balancing export '' $i)
bbackup=$(config_t_get balancing backup '' $i)
if [ "$bbackup" = "1" ]; then
bbackup=" backup"
echolog "负载均衡:添加故障转移备节点:$bip"
else
bbackup=""
echolog "负载均衡:添加负载均衡主节点:$bip"
fi
#si=$(echo $bip | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
#if [ -z "$si" ]; then
# bip=$(resolveip -4 -t 2 $bip | awk 'NR==1{print}')
# if [ -z "$bip" ]; then
# bip=$(nslookup $bip localhost | sed '1,4d' | awk '{print $3}' | grep -v : | awk 'NR==1{print}')
# fi
# echolog "负载均衡${i} IP为$bip"
#fi
echo " server $bip:$bport $bip:$bport weight $bweight check inter 1500 rise 1 fall 3 $bbackup" >> $HAPROXY_FILE
if [ "$exports" != "0" ]; then
failcount=0
while [ "$failcount" -lt "3" ]; do
interface=$(ifconfig | grep "$exports" | awk '{print $1}')
if [ -z "$interface" ]; then
echolog "找不到出口接口:$exports1分钟后再重试"
let "failcount++"
[ "$failcount" -ge 3 ] && exit 0
sleep 1m
else
route add -host ${bip} dev ${exports}
echo "$bip" >>/tmp/balancing_ip
break
fi
done
fi
done
local count=$(uci show $CONFIG | grep "@balancing" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
[ -n "$count" -a "$count" -ge 0 ] && {
u_get() {
local ret=$(uci -q get $CONFIG.@balancing[$1].$2)
echo ${ret:=$3}
}
for i in $(seq 0 $count); do
enabled=$(u_get $i enabled 0)
[ "$enabled" == "0" ] && continue
bips=$(u_get $i lbss)
bports=$(u_get $i lbort)
if [ -z "$bips" ] || [ -z "$bports" ]; then
break
fi
local bip=$(echo $bips | awk -F ":" '{print $1}')
local bport=$(echo $bips | awk -F ":" '{print $2}')
[ "$bports" != "default" ] && bport=$bports
[ -z "$bport" ] && break
bweight=$(u_get $i lbweight)
exports=$(u_get $i export)
bbackup=$(u_get $i backup)
if [ "$bbackup" = "1" ]; then
bbackup=" backup"
echolog "负载均衡:添加故障转移备节点:$bip"
else
bbackup=""
echolog "负载均衡:添加负载均衡主节点:$bip"
fi
#si=$(echo $bip | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
#if [ -z "$si" ]; then
# bip=$(resolveip -4 -t 2 $bip | awk 'NR==1{print}')
# if [ -z "$bip" ]; then
# bip=$(nslookup $bip localhost | sed '1,4d' | awk '{print $3}' | grep -v : | awk 'NR==1{print}')
# fi
# echolog "负载均衡${i} IP为$bip"
#fi
echo " server $bip:$bport $bip:$bport weight $bweight check inter 1500 rise 1 fall 3 $bbackup" >> $HAPROXY_FILE
if [ "$exports" != "0" ]; then
failcount=0
while [ "$failcount" -lt "3" ]; do
interface=$(ifconfig | grep "$exports" | awk '{print $1}')
if [ -z "$interface" ]; then
echolog "找不到出口接口:$exports1分钟后再重试"
let "failcount++"
[ "$failcount" -ge 3 ] && exit 0
sleep 1m
else
route add -host ${bip} dev ${exports}
echo "$bip" >>/tmp/balancing_ip
break
fi
done
fi
done
}
#生成负载均衡控制台
console_port=$(config_t_get global_haproxy console_port)
console_user=$(config_t_get global_haproxy console_user)
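Review bot: `network_type` is still read in the kcptun branch of gen_start_config (`run_kcptun_ip=$(get_host_ip $network_type $kcptun_server_host)`), but the only assignments to it visible in this function are the `use_ipv6`/`kcp_use_ipv6` lines this commit removes, and it is no longer declared `local`, so get_host_ip now receives an empty or stale first argument and the node's `kcp_use_ipv6` setting is silently ignored. Re-derive it at the call site: `local kcptun_network_type=ipv4; [ "$(config_n_get $node kcp_use_ipv6)" == "1" ] && kcptun_network_type=ipv6` followed by `[ -n "$kcptun_server_host" ] && run_kcptun_ip=$(get_host_ip $kcptun_network_type $kcptun_server_host)`. In the new subscribe loop in add_dnsmasq, the authority extracted with `awk -F'/' '{print $3}'` still carries any `user:pass@` or `:port` and is written unvalidated into `server=` and `ipset=` lines of the generated dnsmasq config; strip userinfo and port and reject anything that does not look like a hostname (`[A-Za-z0-9.-]` only) before emitting the line. gen_start_config, add_dnsmasq and start_haproxy all begin and end outside the visible hunks.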


@ -40,7 +40,7 @@ get_ip_mark() {
}
dst() {
echo "-m set --match-set $1 dst"
echo "-m set $2 --match-set $1 dst"
}
comment() {
@ -108,126 +108,141 @@ gen_laniplist() {
}
load_acl() {
local enabled
local remarks
local ip
local mac
local proxy_mode
local tcp_node
local udp_node
local tcp_redir_ports
local udp_redir_ports
config_get enabled $1 enabled
config_get remarks $1 remarks
config_get ip $1 ip
config_get mac $1 mac
config_get proxy_mode $1 proxy_mode
config_get tcp_node $1 tcp_node
config_get udp_node $1 udp_node
config_get tcp_no_redir_ports $1 tcp_no_redir_ports
config_get udp_no_redir_ports $1 udp_no_redir_ports
config_get tcp_redir_ports $1 tcp_redir_ports
config_get udp_redir_ports $1 udp_redir_ports
[ -z "$proxy_mode" -o "$proxy_mode" = "default" ] && proxy_mode=$PROXY_MODE
[ -z "$tcp_no_redir_ports" -o "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
[ -z "$udp_no_redir_ports" -o "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ -z "$tcp_redir_ports" -o "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ -z "$udp_redir_ports" -o "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
[ -z "$tcp_node" -o "$TCP_NODE_NUM" == "1" ] && tcp_node=1
[ -z "$udp_node" -o "$UDP_NODE_NUM" == "1" ] && udp_node=1
eval TCP_NODE=\$TCP_NODE$tcp_node
eval UDP_NODE=\$UDP_NODE$udp_node
local ip_mark=$(get_ip_mark $ip)
[ "$enabled" == "1" -a -n "$proxy_mode" ] && {
if [ -n "$ip" ] || [ -n "$mac" ]; then
if [ -n "$ip" -a -n "$mac" ]; then
echolog "访问控制IP$ipMAC$mac,代理模式:$(get_action_chain_name $proxy_mode)"
else
[ -n "$ip" ] && echolog "访问控制IP$ip,代理模式:$(get_action_chain_name $proxy_mode)"
[ -n "$mac" ] && echolog "访问控制MAC$mac,代理模式:$(get_action_chain_name $proxy_mode)"
fi
if [ "$proxy_mode" == "disable" ]; then
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(comment "$remarks") -j RETURN
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(comment "$remarks") -j RETURN
else
[ "$TCP_NODE" != "nil" ] && {
eval TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
if [ "$TCP_NODE_TYPE" == "brook" ]; then
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) $(factor $tcp_redir_ports "-m multiport --dport") $(comment "$remarks") -j TPROXY --tproxy-mark 0x1/0x1 --on-port $tcp_redir_port
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") $(comment "$remarks") -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(comment "$remarks") -j RETURN
local count=$(uci show $CONFIG | grep "@acl_rule" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
[ -n "$count" -a "$count" -ge 0 ] && {
u_get() {
local ret=$(uci -q get $CONFIG.@acl_rule[$1].$2)
echo ${ret:=$3}
}
for i in $(seq 0 $count); do
local enabled=$(u_get $i enabled 0)
[ "$enabled" == "0" ] && continue
local remarks=$(u_get $i remarks)
local ip=$(u_get $i ip)
local mac=$(u_get $i mac)
local proxy_mode=$(u_get $i proxy_mode default)
local tcp_node=$(u_get $i tcp_node 1)
local udp_node=$(u_get $i udp_node 1)
local tcp_no_redir_ports=$(u_get $i tcp_no_redir_ports default)
local udp_no_redir_ports=$(u_get $i udp_no_redir_ports default)
local tcp_redir_ports=$(u_get $i tcp_redir_ports default)
local udp_redir_ports=$(u_get $i udp_redir_ports default)
[ "$proxy_mode" = "default" ] && proxy_mode=$PROXY_MODE
[ "$TCP_NODE_NUM" == "1" ] && tcp_node=1
[ "$UDP_NODE_NUM" == "1" ] && udp_node=1
[ "$tcp_no_redir_ports" = "default" ] && tcp_no_redir_ports=$TCP_NO_REDIR_PORTS
[ "$udp_no_redir_ports" = "default" ] && udp_no_redir_ports=$UDP_NO_REDIR_PORTS
[ "$tcp_redir_ports" = "default" ] && tcp_redir_ports=$TCP_REDIR_PORTS
[ "$udp_redir_ports" = "default" ] && udp_redir_ports=$UDP_REDIR_PORTS
eval TCP_NODE=\$TCP_NODE$tcp_node
eval UDP_NODE=\$UDP_NODE$udp_node
[ -n "$proxy_mode" ] && {
if [ -n "$ip" ] || [ -n "$mac" ]; then
if [ -n "$ip" -a -n "$mac" ]; then
echolog "访问控制IP$ipMAC$mac,代理模式:$(get_action_chain_name $proxy_mode)"
else
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(dst $IPSET_BLACKLIST) $(factor $tcp_redir_ports "-m multiport --dport") $(comment "$remarks") -j REDIRECT --to-ports $tcp_redir_port
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") $(comment "$remarks") -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(comment "$remarks") -j RETURN
[ -n "$ip" ] && echolog "访问控制IP$ip,代理模式:$(get_action_chain_name $proxy_mode)"
[ -n "$mac" ] && echolog "访问控制MAC$mac,代理模式:$(get_action_chain_name $proxy_mode)"
fi
}
[ "$UDP_NODE" != "nil" ] && {
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
eval udp_redir_port=\$UDP_REDIR_PORT$udp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(dst $IPSET_BLACKLIST) $(comment "$remarks") -j TPROXY --on-port $udp_redir_port --tproxy-mark 0x1/0x1
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(factor $udp_redir_ports "-m multiport --dport") $(comment "$remarks") -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$udp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(comment "$remarks") -j RETURN
}
fi
[ -z "$ip" ] && {
lower_mac=$(echo $mac | tr '[A-Z]' '[a-z]')
ip=$(ip neigh show | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep $lower_mac | awk '{print $1}')
[ -z "$ip" ] && {
dhcp_index=$(uci show dhcp | grep $lower_mac | awk -F'.' '{print $2}')
ip=$(uci -q get dhcp.$dhcp_index.ip)
}
[ -z "$ip" ] && ip=$(cat /tmp/dhcp.leases | grep -E "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | grep $lower_mac | awk '{print $3}')
if [ "$proxy_mode" == "disable" ]; then
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(comment "$remarks") -j RETURN
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(comment "$remarks") -j RETURN
else
[ "$TCP_NODE" != "nil" ] && {
eval TCP_NODE_TYPE=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
if [ "$TCP_NODE_TYPE" == "brook" ]; then
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") $(comment "$remarks") -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(comment "$remarks") -j RETURN
else
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
eval tcp_redir_port=\$TCP_REDIR_PORT$tcp_node
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(factor $tcp_redir_ports "-m multiport --dport") $(comment "$remarks") -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$tcp_node
$ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp $(comment "$remarks") -j RETURN
fi
}
[ "$UDP_NODE" != "nil" ] && {
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
eval udp_redir_port=\$UDP_REDIR_PORT$udp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(factor $udp_redir_ports "-m multiport --dport") $(comment "$remarks") -$(get_jump_mode $proxy_mode) $(get_action_chain $proxy_mode)$udp_node
$ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp $(comment "$remarks") -j RETURN
}
fi
[ -z "$ip" ] && {
lower_mac=$(echo $mac | tr '[A-Z]' '[a-z]')
ip=$(ip neigh show | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | grep $lower_mac | awk '{print $1}')
[ -z "$ip" ] && {
dhcp_index=$(uci show dhcp | grep $lower_mac | awk -F'.' '{print $2}')
ip=$(uci -q get dhcp.$dhcp_index.ip)
}
[ -z "$ip" ] && ip=$(cat /tmp/dhcp.leases | grep -E "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | grep $lower_mac | awk '{print $3}')
}
fi
}
fi
done
}
}
filter_vpsip() {
local use_ipv6 network_type server
use_ipv6=$(config_get $1 use_ipv6)
network_type="ipv4"
[ "$use_ipv6" == "1" ] && network_type="ipv6"
server=$(config_get $1 address)
[ -n "$server" ] && {
[ "$network_type" == "ipv4" ] && {
isip=$(echo $server | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
if [ -n "$isip" ]; then
ipset -! add $IPSET_VPSIPLIST $isip >/dev/null 2>&1 &
else
has=$([ -f "$TMP_DNSMASQ_PATH/vpsiplist_host.conf" ] && cat $TMP_DNSMASQ_PATH/vpsiplist_host.conf | grep "$server")
[ -z "$has" ] && echo "$server" | sed -e "/^$/d" | sed "s/^/ipset=&\//g" | sed "s/$/\/&vpsiplist/g" | sort | awk '{if ($0!=line) print;line=$0}' >> $TMP_DNSMASQ_PATH/vpsiplist_host.conf
fi
local count=$(uci show $CONFIG | grep "@nodes" | sed -n '$p' | cut -d '[' -f 2 | cut -d ']' -f 1)
[ -n "$count" -a "$count" -ge 0 ] && {
u_get() {
local ret=$(uci -q get $CONFIG.@nodes[$1].$2)
echo ${ret:=$3}
}
for i in $(seq 0 $count); do
local use_ipv6=$(u_get $i use_ipv6 0)
local network_type="ipv4"
[ "$use_ipv6" == "1" ] && network_type="ipv6"
local server=$(u_get $i address)
[ -n "$server" ] && {
[ "$network_type" == "ipv4" ] && {
isip=$(echo $server | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
if [ -n "$isip" ]; then
ipset -! add $IPSET_VPSIPLIST $isip >/dev/null 2>&1 &
else
has=$([ -f "$TMP_DNSMASQ_PATH/vpsiplist_host.conf" ] && cat $TMP_DNSMASQ_PATH/vpsiplist_host.conf | grep "$server")
[ -z "$has" ] && echo "$server" | sed -e "/^$/d" | sed "s/^/ipset=&\//g" | sed "s/$/\/&vpsiplist/g" | sort | awk '{if ($0!=line) print;line=$0}' >> $TMP_DNSMASQ_PATH/vpsiplist_host.conf
fi
}
}
done
}
}
filter_node() {
filter_rules() {
[ -n "$1" -a "$1" != "nil" ] && {
local type=$(echo $(config_get $1 type) | tr 'A-Z' 'a-z')
local type=$(echo $(config_n_get $1 type) | tr 'A-Z' 'a-z')
local i=$ipt_n
[ "$type" == "brook" ] && i=$ipt_m
local address=$(config_get $1 address)
local port=$(config_get $1 port)
local address=$(config_n_get $1 address)
local port=$(config_n_get $1 port)
is_exist=$($i -L PSW 2>/dev/null | grep -c "$address:$port")
[ "$is_exist" == 0 ] && $i -A PSW -p tcp -d $address --dport $port $(comment "$address:$port") -j RETURN
[ "$is_exist" == 0 ] && {
local ADD_INDEX=2
local INDEX=$($i -L PSW --line-numbers | grep "$IPSET_VPSIPLIST" | sed -n '$p' | awk '{print $1}')
[ -n "$INDEX" ] && ADD_INDEX=$INDEX
$i -I PSW $ADD_INDEX -p tcp -d $address --dport $port $(comment "$address:$port") -j RETURN
}
is_exist=$($i -L PSW_OUTPUT 2>/dev/null | grep -c "$address:$port")
[ "$is_exist" == 0 ] && $i -A PSW_OUTPUT -p tcp -d $address --dport $port $(comment "$address:$port") -j RETURN
[ "$is_exist" == 0 ] && {
local ADD_INDEX=2
local INDEX=$($i -L PSW_OUTPUT --line-numbers | grep "$IPSET_VPSIPLIST" | sed -n '$p' | awk '{print $1}')
[ -n "$INDEX" ] && ADD_INDEX=$INDEX
$i -I PSW_OUTPUT $ADD_INDEX -p tcp -d $address --dport $port $(comment "$address:$port") -j RETURN
}
}
}
local tmp_type=$(echo $(config_get $1 type) | tr 'A-Z' 'a-z')
local tmp_type=$(echo $(config_n_get $1 type) | tr 'A-Z' 'a-z')
if [ "$tmp_type" == "v2ray_shunt" ]; then
filter_rules $(config_get $node youtube_node)
filter_rules $(config_get $node netflix_node)
filter_rules $(config_get $node default_node)
filter_rules $(config_n_get $node youtube_node)
filter_rules $(config_n_get $node netflix_node)
filter_rules $(config_n_get $node default_node)
elif [ "$tmp_type" == "v2ray_balancing" ]; then
local balancing_node=$(config_get $node v2ray_balancing_node)
local balancing_node=$(config_n_get $node v2ray_balancing_node)
for node_id in $balancing_node
do
filter_rules $node_id
@ -308,74 +323,81 @@ add_firewall_rule() {
$ipt_n -N PSW_GFW$i
$ipt_n -N PSW_CHN$i
$ipt_n -N PSW_HOME$i
$ipt_n -N PSW_GAME$i
#$ipt_n -N PSW_GAME$i
$ipt_m -N PSW_GLO$i
$ipt_m -N PSW_GFW$i
$ipt_m -N PSW_CHN$i
$ipt_m -N PSW_HOME$i
$ipt_m -N PSW_GAME$i
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
#$ipt_m -N PSW_GAME$i
done
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
fi
fi
if [ "$SOCKS5_NODE_NUM" -ge 1 ]; then
for i in $(seq 1 $SOCKS5_NODE_NUM); do
local k=$i
for k in $(seq 1 $SOCKS5_NODE_NUM); do
eval node=\$SOCKS5_NODE$k
[ "$node" != "nil" ] && filter_node $node
done
fi
if [ "$TCP_NODE_NUM" -ge 1 ]; then
for i in $(seq 1 $TCP_NODE_NUM); do
local k=$i
local ttl=14$k
for k in $(seq 1 $TCP_NODE_NUM); do
eval node=\$TCP_NODE$k
eval local_port=\$TCP_REDIR_PORT$k
# 生成TCP转发规则
if [ "$node" != "nil" ]; then
filter_node $node
local TCP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
local TCP_NODE_TYPE=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
if [ "$TCP_NODE_TYPE" == "brook" ]; then
$ipt_n -X PSW_GLO$k
$ipt_n -X PSW_GFW$k
$ipt_n -X PSW_CHN$k
$ipt_n -X PSW_HOME$k
$ipt_m -A PSW_ACL -p tcp -m socket -j MARK --set-mark 1
# 全局模式
$ipt_m -A PSW_GLO$k -p tcp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_GLO$k -p tcp -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# GFWLIST模式
$ipt_m -A PSW_GFW$k -p tcp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_GFW$k -p tcp $(dst $IPSET_GFW) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# 大陆白名单模式
$ipt_m -A PSW_CHN$k -p tcp $(dst $IPSET_CHN) -j RETURN
$ipt_m -A PSW_CHN$k -p tcp -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_CHN$k -p tcp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_CHN$k -p tcp $(dst $IPSET_CHN !) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# 回国模式
$ipt_m -A PSW_HOME$k -p tcp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_HOME$k -p tcp $(dst $IPSET_CHN) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# 游戏模式
$ipt_m -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
# $ipt_m -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
else
# 全局模式
$ipt_n -A PSW_GLO$k -p tcp $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_GLO$k -p tcp -j REDIRECT --to-ports $local_port
# GFWLIST模式
$ipt_n -A PSW_GFW$k -p tcp $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_GFW$k -p tcp $(dst $IPSET_GFW) -j REDIRECT --to-ports $local_port
# 大陆白名单模式
$ipt_n -A PSW_CHN$k -p tcp $(dst $IPSET_CHN) -j RETURN
$ipt_n -A PSW_CHN$k -p tcp $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_CHN$k -p tcp $(dst $IPSET_CHN !) -j REDIRECT --to-ports $local_port
#$ipt_n -A PSW_CHN$k -p tcp -m geoip ! --destination-country CN -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_CHN$k -p tcp -j REDIRECT --to-ports $local_port
# 回国模式
#$ipt_n -A PSW_HOME$k -p tcp -m geoip --destination-country CN -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_HOME$k -p tcp $(dst $IPSET_BLACKLIST) -j REDIRECT --to-ports $local_port
$ipt_n -A PSW_HOME$k -p tcp $(dst $IPSET_CHN) -j REDIRECT --to-ports $local_port
#$ipt_n -A PSW_HOME$k -p tcp -m geoip --destination-country CN -j REDIRECT --to-ports $local_port
# 游戏模式
$ipt_n -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
# $ipt_n -A PSW_GAME$k -p tcp $(dst $IPSET_CHN) -j RETURN
fi
[ "$k" == 1 ] && {
@ -391,7 +413,6 @@ add_firewall_rule() {
}
# 用于本机流量转发
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_BLACKLIST) $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j MARK --set-mark 1
$ipt_m -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_REDIR_PORTS $(dst $IPSET_ROUTER) $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j MARK --set-mark 1
[ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_m -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j MARK --set-mark 1
[ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_m -A PSW_OUTPUT -p tcp $(dst $IPSET_GFW) $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j MARK --set-mark 1
@ -423,7 +444,6 @@ add_firewall_rule() {
done
}
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ipt_n -A PSW_OUTPUT -p tcp $(dst $IPSET_BLACKLIST) $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j REDIRECT --to-ports $TCP_REDIR_PORT1
$ipt_n -A PSW_OUTPUT -p tcp $(dst $IPSET_ROUTER) $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j REDIRECT --to-ports $TCP_REDIR_PORT1
$ipt_n -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") -j $(get_action_chain $LOCALHOST_PROXY_MODE)1
fi
@ -462,32 +482,33 @@ add_firewall_rule() {
fi
if [ "$UDP_NODE_NUM" -ge 1 ]; then
for i in $(seq 1 $UDP_NODE_NUM); do
local k=$i
for k in $(seq 1 $UDP_NODE_NUM); do
eval node=\$UDP_NODE$k
eval local_port=\$UDP_REDIR_PORT$k
# 生成UDP转发规则
if [ "$node" != "nil" ]; then
filter_node $node
local UDP_NODE_TYPE=$(echo $(config_get $node type) | tr 'A-Z' 'a-z')
local UDP_NODE_TYPE=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
[ "$UDP_NODE_TYPE" == "brook" ] && $ipt_m -A PSW_ACL -p udp -m socket -j MARK --set-mark 1
# 全局模式
$ipt_m -A PSW_GLO$k -p udp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_GLO$k -p udp -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# GFWLIST模式
$ipt_m -A PSW_GFW$k -p udp $(dst $IPSET_ROUTER) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_GFW$k -p udp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_GFW$k -p udp $(dst $IPSET_GFW) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# 大陆白名单模式
$ipt_m -A PSW_CHN$k -p udp $(dst $IPSET_CHN) -j RETURN
$ipt_m -A PSW_CHN$k -p udp -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_CHN$k -p udp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_CHN$k -p udp $(dst $IPSET_CHN !) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# 回国模式
$ipt_m -A PSW_HOME$k -p udp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
$ipt_m -A PSW_HOME$k -p udp $(dst $IPSET_CHN) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# 游戏模式
$ipt_m -A PSW_GAME$k -p udp $(dst $IPSET_CHN) -j RETURN
$ipt_m -A PSW_GAME$k -p udp -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# $ipt_m -A PSW_GAME$k -p udp $(dst $IPSET_BLACKLIST) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
# $ipt_m -A PSW_GAME$k -p udp $(dst $IPSET_CHN !) -j TPROXY --tproxy-mark 0x1/0x1 --on-port $local_port
[ "$k" == 1 ] && {
# 用于本机流量转发
@ -504,7 +525,6 @@ add_firewall_rule() {
}
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_BLACKLIST) -j MARK --set-mark 1
$ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_ROUTER) -j MARK --set-mark 1
[ "$LOCALHOST_PROXY_MODE" == "global" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS -j MARK --set-mark 1
[ "$LOCALHOST_PROXY_MODE" == "gfwlist" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_REDIR_PORTS $(dst $IPSET_GFW) -j MARK --set-mark 1
@ -521,7 +541,7 @@ add_firewall_rule() {
fi
# 加载ACLS
config_foreach load_acl "acl_rule"
load_acl
# 加载默认代理模式
if [ "$PROXY_MODE" == "disable" ]; then
@ -529,26 +549,23 @@ add_firewall_rule() {
[ "$UDP_NODE1" != "nil" ] && $ipt_m -A PSW_ACL -p udp $(comment "Default") -j $(get_action_chain $PROXY_MODE)
else
[ "$TCP_NODE1" != "nil" ] && {
local TCP_NODE_TYPE1=$(echo $(config_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
local TCP_NODE_TYPE1=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
if [ "$TCP_NODE_TYPE1" == "brook" ]; then
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS $(comment "Default") -j RETURN
$ipt_m -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(comment "Default") -j TPROXY --tproxy-mark 0x1/0x1 --on-port $TCP_REDIR_PORT1
$ipt_m -A PSW_ACL -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(comment "Default") -j $(get_action_chain $PROXY_MODE)1
else
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_n -A PSW_ACL -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS $(comment "Default") -j RETURN
$ipt_n -A PSW_ACL -p tcp $(dst $IPSET_BLACKLIST) $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(comment "Default") -j REDIRECT --to-ports $TCP_REDIR_PORT1
$ipt_n -A PSW_ACL -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(comment "Default") -j $(get_action_chain $PROXY_MODE)1
fi
}
[ "$UDP_NODE1" != "nil" ] && {
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_ACL -p udp -m multiport --dport $UDP_NO_REDIR_PORTS $(comment "Default") -j RETURN
$ipt_m -A PSW_ACL -p udp $(dst $IPSET_BLACKLIST) $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(comment "Default") -j TPROXY --on-port $UDP_REDIR_PORT1 --tproxy-mark 0x1/0x1
$ipt_m -A PSW_ACL -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(comment "Default") -j $(get_action_chain $PROXY_MODE)1
}
fi
# 过滤所有节点IP
config_foreach filter_vpsip "nodes"
filter_vpsip
}
del_firewall_rule() {
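Review bot: The per-rule `tcp_no_redir_ports` and `udp_no_redir_ports` resolved at the top of the new load_acl loop are never used: all three exemption RETURN rules still match the global `$TCP_NO_REDIR_PORTS`, and the UDP one tests `$UDP_NO_REDIR_PORTS` but passes `--dport $TCP_NO_REDIR_PORTS`, so a per-ACL port exemption is silently ignored and UDP traffic gets the TCP list. The same branch decides brook-vs-REDIRECT from `config_n_get $node type`, but `node` is not assigned anywhere in load_acl; it appears to be whatever add_firewall_rule last stored with `eval node=\$UDP_NODE$k` before calling `load_acl`, whereas the ACL's TCP node is the `$TCP_NODE` resolved a few lines earlier. The rewritten rule lines are below; the rest of the loop is unchanged. load_acl is fully visible, but add_firewall_rule starts before the first hunk and del_firewall_rule runs past the last.
```shell
# … unchanged: per-rule defaults resolved into tcp_no_redir_ports / udp_no_redir_ports …
[ "$TCP_NODE" != "nil" ] && {
	eval TCP_NODE_TYPE=$(echo $(config_n_get $TCP_NODE type) | tr 'A-Z' 'a-z')
	if [ "$TCP_NODE_TYPE" == "brook" ]; then
		[ "$tcp_no_redir_ports" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
		# … unchanged: brook TPROXY rules …
	else
		[ "$tcp_no_redir_ports" != "disable" ] && $ipt_n -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
		# … unchanged: REDIRECT rules …
	fi
}
[ "$UDP_NODE" != "nil" ] && {
	[ "$udp_no_redir_ports" != "disable" ] && $ipt_m -A PSW_ACL $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
	# … unchanged: UDP TPROXY rules …
}
```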