🚀 Sync 2025-11-11 00:12:31

dns2socks/Makefile

@@ -9,7 +9,7 @@ PKG_VERSION:=2.1
 PKG_RELEASE:=2
 
 PKG_SOURCE:=SourceCode.zip
-PKG_SOURCE_URL:=@SF/dns2socks
+PKG_SOURCE_URL:=https://github.com/sbwml/openwrt_helloworld/releases/download/dns2socks
 PKG_SOURCE_DATE:=2020-02-18
 PKG_HASH:=406b5003523577d39da66767adfe54f7af9b701374363729386f32f6a3a995f4
 

luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/client.js

@@ -949,7 +949,7 @@ return view.extend({
 		so.value('tcp', _('TCP'));
 		so.value('tls', _('TLS'));
 		so.value('https', _('HTTPS'));
-		so.value('http3', _('HTTP3'));
+		so.value('h3', _('HTTP/3'));
 		so.value('quic', _('QUIC'));
 		so.default = 'udp';
 		so.rmempty = false;
@@ -961,26 +961,27 @@ return view.extend({
 
 		so = ss.option(form.Value, 'server_port', _('Port'),
 			_('The port of the DNS server.'));
+		so.placeholder = 'auto';
 		so.datatype = 'port';
 
 		so = ss.option(form.Value, 'path', _('Path'),
 			_('The path of the DNS server.'));
 		so.placeholder = '/dns-query';
 		so.depends('type', 'https');
-		so.depends('type', 'http3');
+		so.depends('type', 'h3');
 		so.modalonly = true;
 
 		so = ss.option(form.DynamicList, 'headers', _('Headers'),
 			_('Additional headers to be sent to the DNS server.'));
 		so.depends('type', 'https');
-		so.depends('type', 'http3');
+		so.depends('type', 'h3');
 		so.modalonly = true;
 
 		so = ss.option(form.Value, 'tls_sni', _('TLS SNI'),
 			_('Used to verify the hostname on the returned certificates.'));
 		so.depends('type', 'tls');
 		so.depends('type', 'https');
-		so.depends('type', 'http3');
+		so.depends('type', 'h3');
 		so.depends('type', 'quic');
 		so.modalonly = true;
 

luci-app-homeproxy/root/etc/homeproxy/resources/china_ip4.txt

@@ -42,8 +42,7 @@
 8.144.0.0/14
 8.148.0.0/19
 8.148.36.0/22
-8.148.40.0/23
+8.148.40.0/22
-8.148.43.0/24
 8.148.64.0/18
 8.148.128.0/17
 8.149.0.0/16
@@ -154,6 +153,7 @@
 40.251.225.0/24
 40.251.227.0/24
 40.251.228.0/24
+42.0.128.0/17
 42.4.0.0/14
 42.48.0.0/15
 42.51.0.0/16
@@ -215,12 +215,14 @@
 43.102.128.0/21
 43.102.136.0/22
 43.102.144.0/20
-43.109.1.0/24
+43.109.0.0/22
-43.109.2.0/23
+43.109.4.0/23
-43.109.4.0/24
 43.109.9.0/24
+43.109.12.0/23
 43.109.15.0/24
 43.109.17.0/24
+43.109.31.0/24
+43.109.32.0/24
 43.109.34.0/24
 43.109.36.0/24
 43.136.0.0/13
@@ -419,6 +421,7 @@
 45.113.24.0/22
 45.113.40.0/22
 45.113.200.0/22
+45.113.206.0/24
 45.114.189.0/24
 45.115.44.0/22
 45.115.144.0/22
@@ -460,6 +463,7 @@
 45.147.6.0/24
 45.151.47.0/24
 45.157.88.0/24
+45.192.21.0/24
 45.195.6.0/24
 45.197.131.0/24
 45.202.64.0/22
@@ -548,7 +552,6 @@
 49.64.0.0/11
 49.112.0.0/13
 49.120.0.0/14
-49.128.203.0/24
 49.128.220.0/24
 49.128.223.0/24
 49.140.0.0/15
@@ -604,7 +607,6 @@
 58.24.0.0/15
 58.30.0.0/15
 58.32.0.0/11
-58.66.192.0/18
 58.67.128.0/17
 58.68.236.0/24
 58.68.247.0/24
@@ -934,7 +936,8 @@
 103.3.136.0/21
 103.3.152.0/21
 103.4.56.0/22
-103.5.192.0/22
+103.5.192.0/23
+103.5.194.0/24
 103.6.220.0/22
 103.7.140.0/23
 103.8.8.0/22
@@ -1087,7 +1090,6 @@
 103.53.211.0/24
 103.55.172.0/22
 103.55.228.0/22
-103.56.32.0/22
 103.56.60.0/22
 103.56.76.0/22
 103.56.100.0/22
@@ -1100,6 +1102,7 @@
 103.59.124.0/22
 103.59.148.0/22
 103.59.164.0/22
+103.59.168.0/23
 103.60.32.0/22
 103.60.164.0/22
 103.60.228.0/23
@@ -1131,6 +1134,7 @@
 103.71.232.0/22
 103.72.113.0/24
 103.72.172.0/24
+103.72.224.0/21
 103.73.48.0/24
 103.73.116.0/22
 103.73.136.0/21
@@ -1154,6 +1158,7 @@
 103.78.228.0/22
 103.79.24.0/22
 103.79.200.0/22
+103.79.228.0/24
 103.81.4.0/22
 103.81.48.0/22
 103.81.72.0/22
@@ -1286,7 +1291,9 @@
 103.133.128.0/23
 103.134.136.0/22
 103.135.160.0/22
-103.135.192.0/21
+103.135.192.0/23
+103.135.195.0/24
+103.135.196.0/22
 103.137.60.0/24
 103.138.156.0/23
 103.139.136.0/23
@@ -1350,7 +1357,6 @@
 103.174.94.0/23
 103.175.197.0/24
 103.177.28.0/23
-103.177.44.0/24
 103.179.78.0/23
 103.180.108.0/23
 103.181.234.0/24
@@ -1541,15 +1547,12 @@
 103.242.130.0/24
 103.242.168.0/23
 103.242.172.0/22
-103.242.200.0/24
-103.242.202.0/24
 103.242.212.0/22
 103.243.136.0/22
 103.243.252.0/22
 103.244.59.0/24
 103.244.64.0/22
 103.244.80.0/22
-103.244.164.0/22
 103.244.232.0/22
 103.245.128.0/22
 103.246.152.0/22
@@ -1820,8 +1823,9 @@
 113.44.0.0/16
 113.45.0.0/18
 113.45.64.0/19
-113.45.96.0/20
+113.45.96.0/22
-113.45.112.0/21
+113.45.104.0/21
+113.45.112.0/22
 113.45.120.0/22
 113.45.128.0/17
 113.46.0.0/16
@@ -1833,7 +1837,7 @@
 113.47.112.0/20
 113.47.128.0/18
 113.47.204.0/22
-113.47.220.0/22
+113.47.216.0/21
 113.47.232.0/21
 113.47.248.0/21
 113.48.48.0/20
@@ -1958,6 +1962,7 @@
 114.135.0.0/16
 114.138.0.0/15
 114.141.128.0/18
+114.142.136.0/21
 114.196.0.0/15
 114.212.0.0/14
 114.216.0.0/13
@@ -1991,6 +1996,7 @@
 115.174.64.0/19
 115.175.0.0/18
 115.175.64.0/19
+115.175.96.0/21
 115.175.104.0/22
 115.175.108.0/23
 115.175.110.0/24
@@ -1998,7 +2004,7 @@
 115.175.128.0/18
 115.175.192.0/19
 115.175.224.0/20
-115.175.248.0/21
+115.175.252.0/22
 115.182.0.0/15
 115.190.0.0/16
 115.191.0.0/18
@@ -2019,6 +2025,7 @@
 116.66.36.0/24
 116.66.48.0/23
 116.66.53.0/24
+116.66.54.0/23
 116.66.98.0/24
 116.66.120.0/24
 116.66.123.0/24
@@ -2053,6 +2060,7 @@
 116.154.0.0/15
 116.162.0.0/16
 116.163.0.0/18
+116.165.0.0/16
 116.167.0.0/16
 116.168.0.0/15
 116.171.0.0/16
@@ -2084,6 +2092,7 @@
 116.198.0.0/18
 116.198.64.0/21
 116.198.72.0/22
+116.198.96.0/19
 116.198.144.0/20
 116.198.160.0/20
 116.198.176.0/21
@@ -2175,7 +2184,7 @@
 117.124.98.0/24
 117.124.231.0/24
 117.124.232.0/22
-117.124.237.0/24
+117.124.236.0/23
 117.124.240.0/23
 117.124.242.0/24
 117.126.0.0/16
@@ -2218,8 +2227,6 @@
 118.126.140.0/23
 118.126.142.0/24
 118.132.0.0/14
-118.143.199.0/24
-118.143.215.0/24
 118.144.0.0/16
 118.145.0.0/19
 118.145.32.0/20
@@ -2656,7 +2663,6 @@
 123.8.0.0/13
 123.49.192.0/23
 123.49.194.0/24
-123.49.224.0/24
 123.49.240.0/24
 123.49.242.0/23
 123.52.0.0/14
@@ -2677,7 +2683,8 @@
 123.58.64.0/24
 123.58.96.0/19
 123.58.160.0/20
-123.58.180.0/22
+123.58.180.0/24
+123.58.182.0/23
 123.58.184.0/24
 123.58.186.0/23
 123.58.188.0/22
@@ -2759,10 +2766,7 @@
 124.112.0.0/13
 124.126.0.0/15
 124.128.0.0/13
-124.151.0.0/17
+124.151.0.0/16
-124.151.128.0/18
-124.151.193.0/24
-124.151.224.0/19
 124.152.0.0/16
 124.160.0.0/13
 124.172.0.0/15
@@ -2920,7 +2924,6 @@
 140.250.0.0/16
 140.255.0.0/16
 143.14.49.0/24
-143.20.66.0/24
 143.20.147.0/24
 143.64.0.0/16
 144.0.0.0/16
@@ -2929,7 +2932,8 @@
 144.36.146.0/23
 144.48.64.0/22
 144.48.180.0/22
-144.48.184.0/24
+144.48.184.0/23
+144.48.186.0/24
 144.48.212.0/22
 144.48.252.0/22
 144.52.0.0/16
@@ -2985,7 +2989,6 @@
 154.8.48.0/20
 154.8.128.0/17
 154.19.43.0/24
-154.38.104.0/22
 154.48.237.0/24
 154.72.42.0/24
 154.72.44.0/24
@@ -2996,12 +2999,11 @@
 154.208.144.0/20
 154.208.160.0/21
 154.208.172.0/23
-154.213.4.0/23
 155.102.0.0/23
 155.102.2.0/24
 155.102.4.0/23
 155.102.9.0/24
-155.102.10.0/23
+155.102.10.0/24
 155.102.12.0/22
 155.102.16.0/22
 155.102.20.0/24
@@ -3012,7 +3014,8 @@
 155.102.32.0/19
 155.102.72.0/24
 155.102.89.0/24
-155.102.98.0/23
+155.102.90.0/24
+155.102.99.0/24
 155.102.100.0/23
 155.102.111.0/24
 155.102.112.0/21
@@ -3028,7 +3031,9 @@
 155.102.171.0/24
 155.102.173.0/24
 155.102.174.0/23
-155.102.176.0/20
+155.102.176.0/22
+155.102.180.0/23
+155.102.184.0/23
 155.102.193.0/24
 155.102.194.0/23
 155.102.196.0/23
@@ -3038,6 +3043,7 @@
 155.102.204.0/22
 155.102.208.0/22
 155.102.212.0/23
+155.102.214.0/24
 155.102.216.0/22
 155.102.220.0/23
 155.102.224.0/19
@@ -3087,6 +3093,7 @@
 160.30.150.0/23
 160.30.230.0/23
 160.83.110.0/24
+160.187.128.0/23
 160.191.0.0/24
 160.202.152.0/22
 160.202.212.0/22
@@ -3110,7 +3117,7 @@
 163.53.128.0/22
 163.53.168.0/22
 163.61.202.0/23
-163.61.214.0/24
+163.61.214.0/23
 163.125.0.0/16
 163.142.0.0/16
 163.177.0.0/16
@@ -3135,8 +3142,7 @@
 163.181.66.0/23
 163.181.69.0/24
 163.181.71.0/24
-163.181.72.0/23
+163.181.72.0/22
-163.181.74.0/24
 163.181.77.0/24
 163.181.78.0/23
 163.181.80.0/22
@@ -3176,7 +3182,7 @@
 163.181.196.0/22
 163.181.200.0/21
 163.181.209.0/24
-163.181.210.0/24
+163.181.210.0/23
 163.181.212.0/22
 163.181.216.0/21
 163.181.224.0/23
@@ -3190,10 +3196,11 @@
 163.181.248.0/21
 163.204.0.0/16
 163.223.178.0/23
+163.227.40.0/24
 163.228.0.0/16
 163.244.246.0/24
 165.99.4.0/24
-165.101.70.0/24
+165.101.70.0/23
 165.101.122.0/23
 166.111.0.0/16
 167.139.0.0/16
@@ -3359,7 +3366,6 @@
 185.75.174.0/24
 185.234.212.0/24
 188.131.128.0/17
-192.55.46.0/24
 192.140.160.0/19
 192.140.208.0/21
 192.144.128.0/17
@@ -3545,11 +3551,9 @@
 203.8.30.0/24
 203.12.91.0/24
 203.12.93.0/24
-203.12.95.0/24
 203.12.204.0/23
 203.13.80.0/23
 203.15.0.0/20
-203.25.48.0/24
 203.25.52.0/24
 203.25.208.0/20
 203.32.48.0/23
@@ -3767,7 +3771,6 @@
 203.156.192.0/18
 203.160.104.0/22
 203.160.109.0/24
-203.160.110.0/23
 203.160.129.0/24
 203.160.192.0/24
 203.160.196.0/24
@@ -3846,7 +3849,6 @@
 206.54.9.0/24
 206.54.10.0/23
 206.54.12.0/22
-207.226.154.0/24
 210.2.0.0/23
 210.2.4.0/24
 210.5.0.0/19
@@ -4163,8 +4165,7 @@
 218.240.128.0/19
 218.240.160.0/21
 218.240.168.0/24
-218.240.176.0/21
+218.240.176.0/20
-218.240.184.0/24
 218.241.16.0/21
 218.241.96.0/20
 218.241.112.0/22
@@ -4270,7 +4271,8 @@
 220.154.0.0/20
 220.154.16.0/22
 220.154.128.0/22
-220.154.132.0/24
+220.154.132.0/23
+220.154.134.0/24
 220.154.140.0/24
 220.154.144.0/24
 220.160.0.0/12

luci-app-homeproxy/root/etc/homeproxy/resources/china_ip4.ver

@@ -1 +1 @@
-20251021033250
+20251109033819

luci-app-homeproxy/root/etc/homeproxy/resources/china_ip6.txt

@@ -87,13 +87,11 @@
 2400:9380:9201::/48
 2400:9380:9202::/48
 2400:9380:9220::/47
-2400:9380:9240::/47
+2400:9380:9240::/48
 2400:9380:9250::/47
 2400:9380:9260::/48
 2400:9380:9271::/48
-2400:9380:9272::/48
 2400:9380:9280::/47
-2400:9380:9282::/48
 2400:9380:92b0::/45
 2400:95e0::/48
 2400:9600:8800::/48
@@ -138,6 +136,7 @@
 2401:5c20:10::/48
 2401:70e0::/32
 2401:71c0::/48
+2401:7660::/48
 2401:7700::/32
 2401:7e00::/32
 2401:8be0::/48
@@ -177,9 +176,7 @@
 2401:ec00::/32
 2401:f860:86::/47
 2401:f860:88::/47
-2401:f860:91::/48
+2401:f860:90::/45
-2401:f860:92::/47
-2401:f860:94::/48
 2401:f860:100::/40
 2401:fa00:40::/43
 2402:840:d000::/46
@@ -368,16 +365,18 @@
 2404:2280:265::/48
 2404:2280:266::/47
 2404:2280:268::/45
-2404:2280:270::/46
+2404:2280:270::/45
-2404:2280:274::/47
-2404:2280:277::/48
 2404:2280:278::/48
 2404:2280:27a::/47
 2404:2280:27c::/47
 2404:2280:27f::/48
 2404:2280:282::/48
-2404:2280:289::/48
+2404:2280:284::/47
+2404:2280:288::/47
 2404:2280:28a::/48
+2404:2280:28c::/48
+2404:2280:296::/47
+2404:2280:298::/48
 2404:3700::/48
 2404:4dc0::/32
 2404:6380::/48
@@ -452,17 +451,19 @@
 2406:280::/32
 2406:840:9000::/44
 2406:840:9961::/48
-2406:840:9962::/47
+2406:840:9963::/48
 2406:840:996c::/48
 2406:840:e080::/44
 2406:840:e0cf::/48
-2406:840:e0e0::/46
+2406:840:e0e1::/48
 2406:840:e0e4::/47
-2406:840:e0e8::/48
 2406:840:e10f::/48
 2406:840:e14f::/48
 2406:840:e201::/48
-2406:840:e230::/44
+2406:840:e231::/48
+2406:840:e233::/48
+2406:840:e234::/48
+2406:840:e23b::/48
 2406:840:e260::/48
 2406:840:e2cf::/48
 2406:840:e620::/47
@@ -476,7 +477,6 @@
 2406:840:eb0f::/48
 2406:840:ee40::/47
 2406:840:ee44::/48
-2406:840:ee4b::/48
 2406:840:ee4d::/48
 2406:840:eee5::/48
 2406:840:f200::/47
@@ -484,6 +484,8 @@
 2406:840:f380::/44
 2406:840:fc80::/44
 2406:840:fcd0::/48
+2406:840:fcf0::/46
+2406:840:fcf4::/47
 2406:840:fd40::/42
 2406:840:fd80::/44
 2406:840:fd9f::/48
@@ -675,83 +677,51 @@
 2408:8374::/30
 2408:8378::/31
 2408:837a::/32
-2408:8406::/42
-2408:8406:40::/43
 2408:8406:c0::/42
 2408:8406:100::/41
 2408:8406:180::/42
-2408:8406:c00::/42
-2408:8406:c40::/43
 2408:8406:cc0::/42
 2408:8406:d00::/41
 2408:8406:d80::/42
-2408:8406:1800::/42
-2408:8406:1840::/43
 2408:8406:18c0::/42
 2408:8406:1900::/41
 2408:8406:1980::/42
-2408:8406:2400::/42
-2408:8406:2440::/43
 2408:8406:24c0::/42
 2408:8406:2500::/41
 2408:8406:2580::/42
-2408:8406:3000::/42
-2408:8406:3040::/43
 2408:8406:30c0::/42
 2408:8406:3100::/41
 2408:8406:3180::/42
-2408:8406:3c00::/42
-2408:8406:3c40::/43
 2408:8406:3cc0::/42
 2408:8406:3d00::/41
 2408:8406:3d80::/42
-2408:8406:4800::/42
-2408:8406:4840::/43
 2408:8406:48c0::/42
 2408:8406:4900::/41
 2408:8406:4980::/42
-2408:8406:5400::/42
-2408:8406:5440::/43
 2408:8406:54c0::/42
 2408:8406:5500::/41
 2408:8406:5580::/42
-2408:8406:6000::/42
-2408:8406:6040::/43
 2408:8406:60c0::/42
 2408:8406:6100::/41
 2408:8406:6180::/42
-2408:8406:6c00::/42
-2408:8406:6c40::/43
 2408:8406:6cc0::/42
 2408:8406:6d00::/41
 2408:8406:6d80::/42
-2408:8406:7800::/42
-2408:8406:7840::/43
 2408:8406:78c0::/42
 2408:8406:7900::/41
 2408:8406:7980::/42
-2408:8406:8400::/42
-2408:8406:8440::/43
 2408:8406:84c0::/42
 2408:8406:8500::/41
 2408:8406:8580::/42
-2408:8406:9000::/42
-2408:8406:9040::/43
 2408:8406:90c0::/42
 2408:8406:9100::/41
 2408:8406:9180::/42
-2408:8406:9c00::/42
-2408:8406:9c40::/43
 2408:8406:9cc0::/42
 2408:8406:9d00::/41
 2408:8406:9d80::/42
-2408:8406:a800::/42
-2408:8406:a840::/43
 2408:8406:a8c0::/42
 2408:8406:a900::/41
 2408:8406:a980::/42
-2408:8406:b400::/42
-2408:8406:b440::/43
 2408:8406:b4c0::/42
 2408:8406:b500::/41
 2408:8406:b580::/42
@@ -1204,12 +1174,15 @@
 240e::/20
 2602:2e0:ff::/48
 2602:f7ee:ee::/48
+2602:f92a:1314::/48
+2602:f92a:a471::/48
 2602:f92a:a478::/48
 2602:f92a:dead::/48
 2602:f92a:e100::/44
 2602:f93b:400::/38
-2602:f9ba:a8::/48
 2602:f9ba:10c::/48
+2602:fab0:11::/48
+2602:fed2:7051::/48
 2602:feda:1bf::/48
 2602:feda:1d1::/48
 2602:feda:1df::/48
@@ -1256,10 +1229,8 @@
 2a04:f580:9270::/48
 2a04:f580:9280::/48
 2a04:f580:9290::/48
-2a06:1180:1000::/48
 2a06:3603::/32
 2a06:3604::/30
-2a06:9f81:4600::/42
 2a06:9f81:4640::/43
 2a06:a005:260::/43
 2a06:a005:280::/43
@@ -1270,10 +1241,9 @@
 2a09:b280:ff81::/48
 2a09:b280:ff83::/48
 2a09:b280:ff84::/47
-2a0a:2840:20::/43
+2a0a:2840::/30
-2a0a:2840:2000::/47
-2a0a:2842::/32
 2a0a:2845:aab8::/46
+2a0a:2845:d647::/48
 2a0a:2846::/48
 2a0a:6040:ec00::/40
 2a0a:6044:6600::/40
@@ -1281,6 +1251,7 @@
 2a0b:4340:a6::/48
 2a0b:4b81:1001::/48
 2a0b:4e07:b8::/47
+2a0c:9a40:84e0::/48
 2a0c:9a40:8fc1::/48
 2a0c:9a40:8fc2::/47
 2a0c:9a40:8fc4::/48
@@ -1307,17 +1278,13 @@
 2a0e:aa07:e15f::/48
 2a0e:aa07:e16a::/48
 2a0e:aa07:e1a0::/44
-2a0e:aa07:e1e1::/48
+2a0e:aa07:e1e0::/44
-2a0e:aa07:e1e2::/48
-2a0e:aa07:e1e5::/48
-2a0e:aa07:e1e6::/48
 2a0e:aa07:e200::/44
 2a0e:aa07:e210::/48
 2a0e:aa07:e21c::/47
 2a0e:aa07:e220::/44
-2a0e:aa07:f0d0::/46
+2a0e:aa07:f0d1::/48
 2a0e:aa07:f0d4::/47
-2a0e:aa07:f0d8::/48
 2a0e:aa07:f0de::/47
 2a0e:b107:12b::/48
 2a0e:b107:272::/48
@@ -1326,29 +1293,27 @@
 2a0e:b107:dce::/48
 2a0e:b107:178d::/48
 2a0e:b107:178e::/48
+2a0f:1cc5:20::/44
+2a0f:1cc5:f00::/46
 2a0f:5707:ac00::/47
+2a0f:6284:300::/40
+2a0f:6284:400::/42
+2a0f:6284:440::/43
 2a0f:6284:4b00::/40
-2a0f:7803:f5d0::/44
+2a0f:6284:4c30::/48
-2a0f:7803:f5e0::/43
+2a0f:6284:4c40::/43
-2a0f:7803:f680::/43
+2a0f:6284:4c60::/44
-2a0f:7803:f6a0::/44
+2a0f:6284:4c80::/43
-2a0f:7803:f7c0::/42
+2a0f:7803:f680::/44
-2a0f:7803:f800::/43
-2a0f:7803:f840::/44
 2a0f:7803:fa21::/48
 2a0f:7803:fa22::/47
 2a0f:7803:fa24::/46
-2a0f:7803:faf3::/48
 2a0f:7803:fe81::/48
 2a0f:7803:fe82::/48
-2a0f:7807::/32
 2a0f:7d07::/32
 2a0f:85c1:ba5::/48
-2a0f:85c1:bfe::/48
-2a0f:85c1:ca0::/44
 2a0f:85c1:ce1::/48
 2a0f:85c1:cf1::/48
-2a0f:85c1:d90::/48
 2a0f:9400:6110::/48
 2a0f:9400:7700::/48
 2a0f:ac00::/29
@@ -1356,8 +1321,7 @@
 2a10:ccc0:d00::/46
 2a10:ccc0:d0a::/47
 2a10:ccc0:d0c::/47
-2a10:ccc6:66c8::/47
+2a10:ccc6:66c8::/48
-2a10:ccc6:66ca::/48
 2a10:ccc6:66cc::/46
 2a12:f8c3::/36
 2a13:1800::/48
@@ -1366,26 +1330,34 @@
 2a13:1800:300::/44
 2a13:1801:180::/43
 2a13:a5c3:ff21::/48
-2a13:a5c3:ff50::/44
 2a13:a5c7:1800::/40
 2a13:a5c7:2100::/48
 2a13:a5c7:2102::/48
 2a13:a5c7:2121::/48
 2a13:a5c7:2801::/48
 2a13:a5c7:3108::/48
-2a13:a5c7:31a0::/43
+2a13:a5c7:31a0::/44
+2a13:a5c7:31b0::/46
+2a13:a5c7:31b4::/47
+2a13:a5c7:31b6::/48
+2a13:a5c7:31b8::/45
 2a13:a5c7:3301::/48
 2a13:a5c7:3304::/48
-2a13:a5c7:3306::/48
+2a13:a5c7:3306::/47
-2a13:aac4:f000::/44
+2a13:aac4:f00d::/48
 2a14:7c0:4a01::/48
+2a14:7c0:5103::/48
 2a14:4c41::/32
 2a14:67c1:20::/44
 2a14:67c1:70::/48
 2a14:67c1:73::/48
 2a14:67c1:74::/48
-2a14:67c1:702::/48
+2a14:67c1:702::/47
 2a14:67c1:704::/48
+2a14:67c1:800::/48
+2a14:67c1:802::/47
+2a14:67c1:804::/48
+2a14:67c1:806::/47
 2a14:67c1:a010::/44
 2a14:67c1:a020::/48
 2a14:67c1:a023::/48
@@ -1394,12 +1366,7 @@
 2a14:67c1:a02f::/48
 2a14:67c1:a040::/47
 2a14:67c1:a064::/48
-2a14:67c1:a091::/48
-2a14:67c1:a093::/48
-2a14:67c1:a094::/46
-2a14:67c1:a098::/47
 2a14:67c1:a100::/43
-2a14:67c1:a125::/48
 2a14:67c1:a144::/48
 2a14:67c1:b000::/48
 2a14:67c1:b065::/48
@@ -1414,10 +1381,10 @@
 2a14:67c1:b140::/48
 2a14:67c1:b4a1::/48
 2a14:67c1:b4a2::/48
-2a14:67c1:b4a8::/48
+2a14:67c1:b4a8::/47
+2a14:67c1:b4aa::/48
 2a14:67c1:b4c0::/45
-2a14:67c1:b4d0::/44
+2a14:67c1:b4e0::/44
-2a14:67c1:b4e0::/43
 2a14:67c1:b500::/47
 2a14:67c1:b549::/48
 2a14:67c1:b561::/48
@@ -1431,10 +1398,10 @@
 2a14:67c1:b599::/48
 2a14:67c1:b5a1::/48
 2a14:67c1:c300::/40
-2a14:7580:740::/44
 2a14:7580:750::/47
-2a14:7580:9200::/40
+2a14:7580:9206::/48
-2a14:7580:9400::/39
+2a14:7580:9208::/48
+2a14:7580:9220::/44
 2a14:7580:d000::/37
 2a14:7580:d800::/39
 2a14:7580:da00::/40
@@ -1444,13 +1411,14 @@
 2a14:7580:fff7::/48
 2a14:7580:fffa::/48
 2a14:7581:ffb::/48
-2a14:7581:30b5::/48
+2a14:7581:30b6::/48
 2a14:7581:3100::/40
 2a14:7581:3401::/48
 2a14:7583:f201::/48
 2a14:7583:f203::/48
+2a14:7583:f204::/48
 2a14:7583:f300::/46
-2a14:7583:f304::/47
+2a14:7583:f305::/48
 2a14:7583:f460::/44
 2a14:7583:f4f1::/48
 2a14:7583:f4fe::/48

luci-app-homeproxy/root/etc/homeproxy/resources/china_ip6.ver

@@ -1 +1 @@
-20251021033250
+20251109033819

luci-app-homeproxy/root/etc/homeproxy/resources/china_list.ver

@@ -1 +1 @@
-202510202212
+202511082212

luci-app-homeproxy/root/etc/homeproxy/resources/gfw_list.txt

@@ -1273,9 +1273,7 @@ deezer.com
 definebabe.com
 deja.com
 delcamp.net
-delicious.com
 demo.unlock-music.dev
-democrats.org
 demosisto.hk
 deno.dev
 depositphotos.com
@@ -1346,6 +1344,7 @@ dnvod.tv
 doc.new
 docker.com
 docker.io
+dockerstatus.com
 docs.deno.com
 docs.new
 doctorvoice.org
@@ -1732,6 +1731,7 @@ flagsonline.it
 flecheinthepeche.fr
 fleshbot.com
 fleursdeslettres.com
+flexclip.com
 flexpool.io
 flgjustice.org
 flickr.com
@@ -2649,6 +2649,7 @@ imagefap.com
 imageflea.com
 imageglass.org
 images-gaytube.com
+images.prismic.io
 imageshack.us
 imagevenue.com
 imagezilla.net
@@ -4752,6 +4753,7 @@ telegraph.co.uk
 telesco.pe
 tellapart.com
 tellme.pw
+temu.com
 tenacy.com
 tenor.com
 tensorflow.org

luci-app-homeproxy/root/etc/homeproxy/resources/gfw_list.ver

@@ -1 +1 @@
-202510202212
+202511082212

luci-app-passwall/luasrc/controller/passwall.lua

@@ -88,6 +88,7 @@ function index()
 	entry({"admin", "services", appname, "subscribe_del_all"}, call("subscribe_del_all")).leaf = true
 	entry({"admin", "services", appname, "subscribe_manual"}, call("subscribe_manual")).leaf = true
 	entry({"admin", "services", appname, "subscribe_manual_all"}, call("subscribe_manual_all")).leaf = true
+	entry({"admin", "services", appname, "flush_set"}, call("flush_set")).leaf = true
 
 	--[[rule_list]]
 	entry({"admin", "services", appname, "read_rulelist"}, call("read_rulelist")).leaf = true
@@ -868,3 +869,17 @@ function subscribe_manual_all()
 	luci.sys.call("lua /usr/share/" .. appname .. "/subscribe.lua start all manual >/dev/null 2>&1 &")
 	http_write_json({ success = true, msg = "Subscribe triggered." })
 end
+
+function flush_set()
+	local redirect = http.formvalue("redirect") or "0"
+	local reload = http.formvalue("reload") or "0"
+	if reload == "1" then
+		uci:set(appname, '@global[0]', "flush_set", "1")
+		api.uci_save(uci, appname, true, true)
+	else
+		api.sh_uci_set(appname, "@global[0]", "flush_set", "1", true)
+	end
+	if redirect == "1" then
+		http.redirect(api.url("log"))
+	end
+end

luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua

@@ -585,16 +585,19 @@ o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translat
 o.default = "0"
 o.rmempty = false
 
-if (m:get("@global_forwarding[0]", "use_nft") or "0") == "1" then
+local use_nft = m:get("@global_forwarding[0]", "use_nft") == "1"
-	o = s:taboption("DNS", Button, "clear_ipset", translate("Clear NFTSET"), translate("Try this feature if the rule modification does not take effect."))
+local set_title = api.i18n.translate(use_nft and "Clear NFTSET on Reboot" or "Clear IPSET on Reboot")
-else
+o = s:taboption("DNS", Flag, "flush_set_on_reboot", set_title, translate("Clear IPSET/NFTSET on service reboot. This may increase reboot time."))
-	o = s:taboption("DNS", Button, "clear_ipset", translate("Clear IPSET"), translate("Try this feature if the rule modification does not take effect."))
+o.default = "0"
-end
+o.rmempty = false
-o.inputstyle = "remove"
+
-function o.write(e, e)
+set_title = api.i18n.translate(use_nft and "Clear NFTSET" or "Clear IPSET")
-	m:set("@global[0]", "flush_set", "1")
+o = s:taboption("DNS", DummyValue, "clear_ipset", set_title, translate("Try this feature if the rule modification does not take effect."))
-	api.uci_save(m.uci, appname, true, true)
+o.rawhtml = true
-	luci.http.redirect(api.url("log"))
+function o.cfgvalue(self, section)
+	return string.format(
+		[[<button type="button" class="cbi-button cbi-button-remove" onclick="location.href='%s'">%s</button>]],
+		api.url("flush_set") .. "?redirect=1&reload=1", set_title)
 end
 
 s:tab("Proxy", translate("Mode"))

luci-app-passwall/luasrc/model/cbi/passwall/client/rule.lua

@@ -83,6 +83,13 @@ if has_xray or has_singbox then
 			.. "<li>" .. "2." .. translate("Once enabled, the rule list can support GeoIP/Geosite rules.") .. "</li>"
 			.. "<li>" .. translate("Note: Increases resource usage; Geosite analysis is only supported in ChinaDNS-NG and SmartDNS modes.") .. "</li>"
 			.. "</ul>"
+		function o.write(self, section, value)
+			local old = m:get(section, self.option) or "0"
+			if old ~= value then
+				m:set(section, "flush_set", "1")
+			end
+			return Flag.write(self, section, value)
+		end
 	end
 end
 

luci-app-passwall/luasrc/model/cbi/passwall/client/shunt_rules.lua

@@ -9,6 +9,10 @@ if not arg[1] or not m:get(arg[1]) then
 	luci.http.redirect(m.redirect)
 end
 
+function m.on_before_save(self)
+	m:set("@global[0]", "flush_set", "1")
+end
+
 -- Add inline CSS to map description
 m.description = (m.description or "") .. "\n" .. [[
 	<style>

luci-app-passwall/po/zh-cn/passwall.po

@@ -226,6 +226,15 @@ msgstr "DNS 重定向"
 msgid "Force special DNS server to need proxy devices."
 msgstr "强制需要代理的设备使用专用 DNS 服务器。"
 
+msgid "Clear IPSET on Reboot"
+msgstr "重启清空 IPSET"
+
+msgid "Clear NFTSET on Reboot"
+msgstr "重启清空 NFTSET"
+
+msgid "Clear IPSET/NFTSET on service reboot. This may increase reboot time."
+msgstr "重启服务时清空 IPSET/NFTSET，可能会延长重启时间。"
+
 msgid "Clear IPSET"
 msgstr "清空 IPSET"
 

luci-app-passwall/root/usr/share/passwall/iptables.sh

@@ -1330,7 +1330,7 @@ del_firewall_rule() {
 	destroy_ipset $IPSET_LOCAL
 	destroy_ipset $IPSET_LAN
 	destroy_ipset $IPSET_VPS
-	destroy_ipset $IPSET_SHUNT
+	#destroy_ipset $IPSET_SHUNT
 	#destroy_ipset $IPSET_GFW
 	#destroy_ipset $IPSET_CHN
 	#destroy_ipset $IPSET_BLACK
@@ -1340,7 +1340,7 @@ del_firewall_rule() {
 	destroy_ipset $IPSET_LOCAL6
 	destroy_ipset $IPSET_LAN6
 	destroy_ipset $IPSET_VPS6
-	destroy_ipset $IPSET_SHUNT6
+	#destroy_ipset $IPSET_SHUNT6
 	#destroy_ipset $IPSET_GFW6
 	#destroy_ipset $IPSET_CHN6
 	#destroy_ipset $IPSET_BLACK6
@@ -1459,7 +1459,7 @@ start() {
 
 stop() {
 	del_firewall_rule
-	[ $(config_t_get global flush_set "0") = "1" ] && {
+	[ $(config_t_get global flush_set_on_reboot "0") = "1" -o $(config_t_get global flush_set "0") = "1" ] && {
 		uci -q delete ${CONFIG}.@global[0].flush_set
 		uci -q commit ${CONFIG}
 		flush_ipset

luci-app-passwall/root/usr/share/passwall/nftables.sh

@@ -1354,20 +1354,20 @@ del_firewall_rule() {
 	destroy_nftset $NFTSET_LOCAL
 	destroy_nftset $NFTSET_LAN
 	destroy_nftset $NFTSET_VPS
-	destroy_nftset $NFTSET_SHUNT
+	#destroy_nftset $NFTSET_SHUNT
 	#destroy_nftset $NFTSET_GFW
 	#destroy_nftset $NFTSET_CHN
-	destroy_nftset $NFTSET_BLACK
+	#destroy_nftset $NFTSET_BLACK
 	destroy_nftset $NFTSET_BLOCK
 	destroy_nftset $NFTSET_WHITE
 
 	destroy_nftset $NFTSET_LOCAL6
 	destroy_nftset $NFTSET_LAN6
 	destroy_nftset $NFTSET_VPS6
-	destroy_nftset $NFTSET_SHUNT6
+	#destroy_nftset $NFTSET_SHUNT6
 	#destroy_nftset $NFTSET_GFW6
 	#destroy_nftset $NFTSET_CHN6
-	destroy_nftset $NFTSET_BLACK6
+	#destroy_nftset $NFTSET_BLACK6
 	destroy_nftset $NFTSET_BLOCK6
 	destroy_nftset $NFTSET_WHITE6
 
@@ -1439,7 +1439,7 @@ start() {
 
 stop() {
 	del_firewall_rule
-	[ $(config_t_get global flush_set "0") = "1" ] && {
+	[ $(config_t_get global flush_set_on_reboot "0") = "1" -o $(config_t_get global flush_set "0") = "1" ] && {
 		uci -q delete ${CONFIG}.@global[0].flush_set
 		uci -q commit ${CONFIG}
 		#flush_table

luci-app-ssr-plus/Makefile

@@ -43,7 +43,7 @@ LUCI_PKGARCH:=all
 LUCI_DEPENDS:= \
 	+coreutils +coreutils-base64 +dns2tcp +dnsmasq-full \
 	+jq +ip-full +lua +lua-neturl +libuci-lua +microsocks \
-	+tcping +resolveip +curl +nping \
+	+tcping +resolveip +shadowsocksr-libev-ssr-check +curl +nping \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_V2ray:curl \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_V2ray:v2ray-core \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_Xray:curl \
@@ -70,8 +70,7 @@ LUCI_DEPENDS:= \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks_Xray_Plugin:xray-plugin \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client:shadowsocksr-libev-ssr-local \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client:shadowsocksr-libev-ssr-redir \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Client:shadowsocksr-libev-ssr-redir \
+	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Server:shadowsocksr-libev-ssr-server \
-	+PACKAGE_$(PKG_NAME)_INCLUDE_ShadowsocksR_Libev_Server:shadowsocksr-libev-ssr-check \
 	+PACKAGE_$(PKG_NAME)_INCLUDE_Trojan:trojan
 
 

luci-app-ssr-plus/root/etc/init.d/shadowsocksr

@@ -1260,9 +1260,14 @@ start_server() {
 		if [ "$server_count" == "1" ]; then
 			if command -v nft >/dev/null 2>&1; then
 				# nftables / fw4
+				if nft list table inet fw4 >/dev/null 2>&1; then
 					if ! nft list chain inet fw4 SSR-SERVER-RULE >/dev/null 2>&1; then
-					nft add chain inet fw4 SSR-SERVER-RULE
+						nft add chain inet fw4 SSR-SERVER-RULE 2>/dev/null
-					nft insert rule inet fw4 input jump SSR-SERVER-RULE
+					fi
+					if ! nft list chain inet fw4 input 2>/dev/null | grep -q "jump SSR-SERVER-RULE"; then
+						nft insert rule inet fw4 input jump SSR-SERVER-RULE comment \"SSR Server Input Hook\" 2>/dev/null
+					fi
+					nft flush chain inet fw4 SSR-SERVER-RULE 2>/dev/null
 				fi
 			else
 				# iptables / fw3
@@ -1317,20 +1322,19 @@ start_server() {
 		fi
 		if command -v nft >/dev/null 2>&1; then
 			# nftables / fw4
-			extract_rules() {
+			cat <<-'EOF' >>"$FWI"
-				nft list chain inet fw4 SSR-SERVER-RULE 2>/dev/null | \
+				# 确保表存在
-					grep -v 'chain SSR-SERVER-RULE' | grep -v '^\s*{' | grep -v '^\s*}' | sed 's/ counter//g'
+				if nft list table inet fw4 >/dev/null 2>&1; then
-			}
+					# 如果不存在 SSR-SERVER-RULE 链，则创建
-			cat <<-EOF >>$FWI
+					if ! nft list chain inet fw4 SSR-SERVER-RULE >/dev/null 2>&1; then
-				nft flush chain inet fw4 SSR-SERVER-RULE 2>/dev/null || true
+						nft add chain inet fw4 SSR-SERVER-RULE 2>/dev/null
-				nft -f - <<-EOT
+					# 从 input 链跳转到 SSR-SERVER-RULE（如果未添加）
-				table inet fw4 {
+					if ! nft list chain inet fw4 input | grep -q 'jump SSR-SERVER-RULE'; then
-					chain SSR-SERVER-RULE {
+						nft insert rule inet fw4 input jump SSR-SERVER-RULE comment \"SSR Server Input Hook\" 2>/dev/null
-						type filter hook input priority 0; policy accept;
+					fi
-						$(extract_rules)
+					# 已存在则清空链
-					}
+					nft flush chain inet fw4 SSR-SERVER-RULE 2>/dev/null
-				}
+				fi
-				EOT
 			EOF
 		else
 			# iptables / fw3
@@ -1483,26 +1487,38 @@ stop() {
 	unlock
 	set_lock
 	/usr/bin/ssr-rules -f
+	local srulecount=0
 	if command -v nft >/dev/null 2>&1; then
 		# nftables / fw4
 		#local srulecount=$(nft list ruleset 2>/dev/null | grep -c 'SSR-SERVER-RULE')
-		#local srulecount=$(nft list chain inet fw4 SSR-SERVER-RULE 2>/dev/null | grep -c 'dport')
+		if nft list chain inet fw4 SSR-SERVER-RULE >/dev/null 2>&1; then
-		local srulecount=$(nft list chain inet fw4 SSR-SERVER-RULE | grep -vE '^\s*(chain|{|})' | wc -l)
+			srulecount=$(nft list chain inet fw4 SSR-SERVER-RULE | grep SSR-SERVER-RULE | wc -l)
+		fi
 	else
 		# iptables / fw3
-		local srulecount=$(iptables -L | grep SSR-SERVER-RULE | wc -l)
+		srulecount=$(iptables -L | grep SSR-SERVER-RULE | wc -l)
 	fi
 	if [ $srulecount -gt 0 ]; then
 		if command -v nft >/dev/null 2>&1; then
 			# nftables / fw4
+			if nft list table inet fw4 >/dev/null 2>&1; then
+				if nft list chain inet fw4 SSR-SERVER-RULE >/dev/null 2>&1; then
+					for handle in $(nft --handle list chain inet fw4 input 2>/dev/null | \
+						grep 'jump SSR-SERVER-RULE' | awk '{for(i=1;i<=NF;i++) if($i=="handle") print $(i+1)}'); do
+						nft delete rule inet fw4 input handle $handle 2>/dev/null || true
+					done
 					nft flush chain inet fw4 SSR-SERVER-RULE 2>/dev/null || true
-			nft delete rule inet fw4 input jump SSR-SERVER-RULE 2>/dev/null || true
 					nft delete chain inet fw4 SSR-SERVER-RULE 2>/dev/null || true
+				fi
+			fi
 		else
 			# iptables / fw3
-			iptables -F SSR-SERVER-RULE
+			if iptables-save -t filter | grep -q "SSR-SERVER-RULE"; then
-			iptables -t filter -D INPUT -j SSR-SERVER-RULE
+				logger -t ssr-rules "Flushing and deleting SSR-SERVER-RULE chain (iptables)"
-			iptables -X SSR-SERVER-RULE 2>/dev/null
+				iptables -F SSR-SERVER-RULE 2>/dev/null || true
+				iptables -t filter -D INPUT -j SSR-SERVER-RULE 2>/dev/null || true
+				iptables -X SSR-SERVER-RULE 2>/dev/null || true
+			fi
 		fi
 	fi
 	if [ -z "$switch_server" ]; then
@@ -1550,4 +1566,3 @@ reset() {
 	cp /usr/share/shadowsocksr/shadowsocksr.config /etc/config/shadowsocksr
 	unset_lock
 }
-

luci-app-ssr-plus/root/usr/bin/ssr-rules

@@ -82,7 +82,7 @@ flush_r() {
 }
 
 flush_nftables() {
-	# Remove nftables rules and sets
+	# Remove nftables rules and sets more carefully
 	$NFT delete table inet ss_spec 2>/dev/null
 	$NFT delete table ip ss_spec 2>/dev/null
 	$NFT delete table ip ss_spec_mangle 2>/dev/null
@@ -91,6 +91,21 @@ flush_nftables() {
 	ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
 	ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
 
+	# 删除 nftables 集合
+	$NFT delete set inet ss_spec ss_spec_lan_ac 2>/dev/null
+	$NFT delete set inet ss_spec ss_spec_wan_ac 2>/dev/null
+	$NFT delete set inet ss_spec ssr_gen_router 2>/dev/null
+	$NFT delete set inet ss_spec fplan 2>/dev/null
+	$NFT delete set inet ss_spec bplan 2>/dev/null
+	$NFT delete set inet ss_spec gmlan 2>/dev/null
+	$NFT delete set inet ss_spec oversea 2>/dev/null
+	$NFT delete set inet ss_spec whitelist 2>/dev/null
+	$NFT delete set inet ss_spec blacklist 2>/dev/null
+	$NFT delete set inet ss_spec netflix 2>/dev/null
+	$NFT delete set inet ss_spec gfwlist 2>/dev/null
+	$NFT delete set inet ss_spec china 2>/dev/null
+	$NFT delete set inet ss_spec music 2>/dev/null
+
 	[ -n "$FWI" ] && echo '#!/bin/sh' >"$FWI"
 	
 	return 0
@@ -136,105 +151,126 @@ ipset_nft() {
 	[ -f "$IGNORE_LIST" ] && /usr/share/shadowsocksr/chinaipset.sh "$IGNORE_LIST"
 
 	# Create nftables table and sets
-	$NFT add table inet ss_spec 2>/dev/null
+	$NFT list table inet ss_spec >/dev/null 2>&1 || $NFT add table inet ss_spec
-	$NFT add set inet ss_spec ss_spec_wan_ac '{ type ipv4_addr; flags interval; }' 2>/dev/null
+
-	$NFT add set inet ss_spec gmlan '{ type ipv4_addr; flags interval; }' 2>/dev/null
+	# Create necessary collections
-	$NFT add set inet ss_spec fplan '{ type ipv4_addr; flags interval; }' 2>/dev/null  
+	for setname in ss_spec_wan_ac gmlan fplan bplan whitelist blacklist netflix; do
-	$NFT add set inet ss_spec bplan '{ type ipv4_addr; flags interval; }' 2>/dev/null
+		if ! $NFT list set inet ss_spec $setname >/dev/null 2>&1; then
-	$NFT add set inet ss_spec whitelist '{ type ipv4_addr; flags interval; }' 2>/dev/null
+        	$NFT add set inet ss_spec $setname '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
-	$NFT add set inet ss_spec blacklist '{ type ipv4_addr; flags interval; }' 2>/dev/null
+		else
-	$NFT add set inet ss_spec netflix '{ type ipv4_addr; flags interval; }' 2>/dev/null
+        	$NFT flush set inet ss_spec $setname 2>/dev/null
+		fi
+    done
 
     # Add IP addresses to sets
     for ip in $LAN_GM_IP; do 
-		$NFT add element inet ss_spec gmlan "{ $ip }"
+		[ -n "$ip" ] && $NFT add element inet ss_spec gmlan "{ $ip }" 2>/dev/null
     done
     for ip in $LAN_FP_IP; do 
-		$NFT add element inet ss_spec fplan "{ $ip }"
+ 		[ -n "$ip" ] && $NFT add element inet ss_spec fplan "{ $ip }" 2>/dev/null
     done
     for ip in $LAN_BP_IP; do 
-		$NFT add element inet ss_spec bplan "{ $ip }"
+		[ -n "$ip" ] && $NFT add element inet ss_spec bplan "{ $ip }" 2>/dev/null
     done
     for ip in $WAN_BP_IP; do 
-		$NFT add element inet ss_spec whitelist "{ $ip }"
+		[ -n "$ip" ] && $NFT add element inet ss_spec whitelist "{ $ip }" 2>/dev/null
     done
     for ip in $WAN_FW_IP; do 
-		$NFT add element inet ss_spec blacklist "{ $ip }"
+		[ -n "$ip" ] && $NFT add element inet ss_spec blacklist "{ $ip }" 2>/dev/null
     done
 
     # Create main chain for WAN access control
-	$NFT add chain inet ss_spec ss_spec_wan_ac '{ type nat hook prerouting priority dstnat; }' 2>/dev/null
+    if ! $NFT list chain inet ss_spec ss_spec_wan_ac >/dev/null 2>&1; then
+		$NFT add chain inet ss_spec ss_spec_wan_ac '{ type nat hook prerouting priority dstnat - 1; policy accept; }' 2>/dev/null
+    fi
+    $NFT flush chain inet ss_spec ss_spec_wan_ac 2>/dev/null
+
+	# Create forward chain with better error handling
+	if ! $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
+		$NFT add chain inet ss_spec ss_spec_wan_fw 2>/dev/null || {
+		loger 3 "Failed to create forward chain"
+		return 1
+		}
+	fi
+	# Clear existing rules
+	$NFT flush chain inet ss_spec ss_spec_wan_fw 2>/dev/null
+    
+    # Add basic rules
     $NFT add rule inet ss_spec ss_spec_wan_ac tcp dport 53 ip daddr 127.0.0.0/8 return
+    $NFT add rule inet ss_spec ss_spec_wan_ac udp dport 53 ip daddr 127.0.0.0/8 return
     $NFT add rule inet ss_spec ss_spec_wan_ac tcp dport != 53 ip daddr "$server" return
+    $NFT add rule inet ss_spec ss_spec_wan_ac udp dport != 53 ip daddr "$server" return
 
     # Add special IP ranges to WAN AC set
     for ip in $(gen_spec_iplist); do
-		$NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }"
+		[ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }" 2>/dev/null
     done
 
     # Set up mode-specific rules
     case "$RUNMODE" in
     router)
-		if command -v ipset >/dev/null 2>&1 && ipset list china -name -quiet >/dev/null 2>&1; then
 		$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @ss_spec_wan_ac return
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr "@china" return  
+		$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return 2>/dev/null
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != "@china" goto ss_spec_wan_fw
+		if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
-			$NFT add rule inet ss_spec ss_spec_wan_ac goto ss_spec_wan_fw
+			$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw
-		else
+			$NFT add rule inet ss_spec ss_spec_wan_ac jump ss_spec_wan_fw
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @ss_spec_wan_ac return
-			$NFT add rule inet ss_spec ss_spec_wan_ac goto ss_spec_wan_fw
 		fi
 		;;
     gfw)
-		if command -v ipset >/dev/null 2>&1 && ipset list china -name -quiet >/dev/null 2>&1; then
+		$NFT add set inet ss_spec gfwlist '{ type ipv4_addr; flags interval; }' 2>/dev/null
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr "@china" return
+		$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return 2>/dev/null
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr "@gfwlist" goto ss_spec_wan_fw
+		$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @gfwlist jump ss_spec_wan_fw 2>/dev/null
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != "@china" goto ss_spec_wan_fw
+		if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
+			$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw
 		fi
 		;;
     oversea)
-		$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @oversea goto ss_spec_wan_fw
+		$NFT add set inet ss_spec oversea '{ type ipv4_addr; flags interval; }' 2>/dev/null
-		$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan goto ss_spec_wan_fw
+		if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
-		if command -v ipset >/dev/null 2>&1 && ipset list china -name -quiet >/dev/null 2>&1; then
+			$NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @oversea jump SS_SPEC_WAN_FW 2>/dev/null
-			$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr "@china" goto ss_spec_wan_fw
+			$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan jump ss_spec_wan_fw 2>/dev/null
+			$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china jump ss_spec_wan_fw 2>/dev/null
 		fi
 		;;
     all)
-		$NFT add rule inet ss_spec ss_spec_wan_ac goto ss_spec_wan_fw
+		if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
+			$NFT add rule inet ss_spec ss_spec_wan_ac jump ss_spec_wan_fw
+		fi
 		;;
     esac
 
     # Access control rules
-	$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @fplan goto ss_spec_wan_fw
+    $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @fplan jump ss_spec_wan_fw
     $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @bplan return
-	$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @blacklist goto ss_spec_wan_fw  
+    $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @blacklist jump ss_spec_wan_fw  
     $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @whitelist return
 
     # Music unlocking support
-	if command -v ipset >/dev/null 2>&1 && ipset list music -name -quiet >/dev/null 2>&1; then
+    if $NFT list set inet ss_spec music >/dev/null 2>&1; then
-		$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr "@music" return 2>/dev/null
+		$NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @music return 2>/dev/null
 	fi
 
     # Shunt/Netflix rules
-	if [ "$SHUNT_PORT" != "0" ]; then
+    if [ "$SHUNT_PORT" != "0" ] && [ -f "$SHUNT_LIST" ]; then
-		for ip in $(cat "${SHUNT_LIST:=/dev/null}" 2>/dev/null); do 
+		for ip in $(cat "$SHUNT_LIST" 2>/dev/null); do 
-			$NFT add element inet ss_spec netflix "{ $ip }"
+			[ -n "$ip" ] && $NFT add element inet ss_spec netflix "{ $ip }" 2>/dev/null
 		done
+		PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
 		case "$SHUNT_PORT" in
 		1)
-			$NFT add rule inet ss_spec ss_spec_wan_ac tcp dport "$PROXY_PORTS" ip daddr @netflix redirect to :"$local_port"
+			$NFT insert rule inet ss_spec ss_spec_wan_ac tcp dport { $PORTS } ip daddr @netflix redirect to :"$local_port"
         	;;
 		*)
-			$NFT add rule inet ss_spec ss_spec_wan_ac tcp dport "$PROXY_PORTS" ip daddr @netflix redirect to :"$SHUNT_PORT"
+			$NFT insert rule inet ss_spec ss_spec_wan_ac tcp dport { $PORTS } ip daddr @netflix redirect to :"$SHUNT_PORT"
 			if [ "$SHUNT_PROXY" = "1" ]; then
-				$NFT add rule inet ss_spec ss_spec_wan_ac tcp dport "$PROXY_PORTS" ip daddr "$SHUNT_IP" redirect to :"$local_port"
+				$NFT insert rule inet ss_spec ss_spec_wan_ac tcp dport { $PORTS } ip daddr "$SHUNT_IP" redirect to :"$local_port"
 			else
-				$NFT add element inet ss_spec whitelist "{ $SHUNT_IP }"
+				[ -n "$SHUNT_IP" ] && $NFT add element inet ss_spec whitelist "{ $SHUNT_IP }" 2>/dev/null
 			fi
 			;;
 		esac
     fi
-	return 0
+    return $?
 }
 
 ipset_iptables() {
@@ -281,7 +317,7 @@ ipset_iptables() {
 	ipset -N blacklist hash:net 2>/dev/null
 	$IPT -I SS_SPEC_WAN_AC -m set --match-set blacklist dst -j SS_SPEC_WAN_FW
 	$IPT -I SS_SPEC_WAN_AC -m set --match-set whitelist dst -j RETURN
-	if ipset list music -name -quiet >/dev/null 2>&1; then
+	if [ $(ipset list music -name -quiet | grep music) ]; then
 		$IPT -I SS_SPEC_WAN_AC -m set --match-set music dst -j RETURN 2>/dev/null
 	fi
 	for ip in $WAN_BP_IP; do ipset -! add whitelist "$ip"; done
@@ -317,39 +353,36 @@ fw_rule() {
 }
 
 fw_rule_nft() {
-	# Create forward chain with better error handling
-	if ! $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
-		$NFT add chain inet ss_spec ss_spec_wan_fw 2>/dev/null || {
-			loger 3 "Failed to create forward chain"
-			return 1
-		}
-	fi
-
 	# Exclude special local addresses
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 0.0.0.0/8 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 0.0.0.0/8 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 10.0.0.0/8 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 10.0.0.0/8 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 127.0.0.0/8 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 127.0.0.0/8 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 169.254.0.0/16 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 169.254.0.0/16 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 172.16.0.0/12 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 172.16.0.0/12 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 192.168.0.0/16 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 192.168.0.0/16 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 224.0.0.0/4 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 224.0.0.0/4 return
-	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 240.0.0.0/4 return 2>/dev/null
+	$NFT add rule inet ss_spec ss_spec_wan_fw ip daddr 240.0.0.0/4 return
 
 	# redirect/translation: when PROXY_PORTS present, redirect those tcp ports to local_port
 	if [ -n "$PROXY_PORTS" ]; then
-		$NFT add rule inet ss_spec ss_spec_wan_fw tcp dport "$PROXY_PORTS" redirect to :"$local_port" 2>/dev/null || {
+		PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
+		if ! $NFT list chain inet ss_spec ss_spec_wan_fw 2>/dev/null | grep -q "tcp dport { $PORTS } redirect to :$local_port"; then
+			if ! $NFT add rule inet ss_spec ss_spec_wan_fw tcp dport { $PORTS } redirect to :"$local_port" 2>/dev/null; then
 				loger 3 "Can't redirect, please check nftables."
-			exit 1
+				return 1
-		}
+			fi
+		fi
 	else
 		# default: redirect everything except ssh(22)
-		$NFT add rule inet ss_spec ss_spec_wan_fw tcp dport != 22 redirect to :"$local_port" 2>/dev/null || {
+		if ! $NFT list chain inet ss_spec ss_spec_wan_fw 2>/dev/null | grep -q "tcp dport != 22 redirect to :$local_port"; then
+			if ! $NFT add rule inet ss_spec ss_spec_wan_fw tcp dport != 22 redirect to :$local_port 2>/dev/null; then
 				loger 3 "Can't redirect, please check nftables."
-			exit 1
+				return 1
-		}
+			fi
+		fi
 	fi
 
-	return 0
+	return $?
 }
 
 fw_rule_iptables() {
@@ -379,7 +412,8 @@ ac_rule() {
 }
 
 ac_rule_nft() {
-	local MATCH_SET_CONDITION=""
+	local MATCH_SET=""
+
 	if [ -n "$LAN_AC_IP" ]; then
 		# Create LAN access control set if needed
 		$NFT add set inet ss_spec ss_spec_lan_ac '{ type ipv4_addr; flags interval; }' 2>/dev/null
@@ -389,10 +423,10 @@ ac_rule_nft() {
 
 		case "${LAN_AC_IP%${LAN_AC_IP#?}}" in
 		w | W)
-			MATCH_SET_CONDITION="ip saddr @ss_spec_lan_ac"
+			MATCH_SET="ip saddr @ss_spec_lan_ac"
 			;;
 		b | B)
-			MATCH_SET_CONDITION="ip saddr != @ss_spec_lan_ac"
+			MATCH_SET="ip saddr != @ss_spec_lan_ac"
 			;;
 		*)
 			loger 3 "Bad argument \`-a $LAN_AC_IP\`."
@@ -401,12 +435,26 @@ ac_rule_nft() {
 		esac
 	fi
 
+	# 创建ss_spec_prerouting链
+	if ! $NFT list chain inet ss_spec_prerouting >/dev/null 2>&1; then
+		$NFT add chain inet ss_spec ss_spec_prerouting '{ type filter hook prerouting priority -1; policy accept; }'
+	fi
+	$NFT flush chain inet ss_spec ss_spec_prerouting 2>/dev/null
+
+	# 创建ss_spec_output链
+	if ! $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
+		$NFT add chain inet ss_spec ss_spec_output '{ type nat hook output priority -1; policy accept; }'
+	fi
+	$NFT flush chain inet ss_spec ss_spec_output 2>/dev/null
+
 	# Build a rule in the prerouting hook chain that jumps to business chain with conditions
 	if [ -z "$Interface" ]; then
 		# generic prerouting jump already exists (see ipset_nft), but if we have MATCH_SET_CONDITION we add a more specific rule
-		if [ -n "$MATCH_SET_CONDITION" ]; then
+		if [ -n "$MATCH_SET" ]; then
 			# add a more specific rule at the top of ss_spec_prerouting
-			$NFT insert rule inet ss_spec ss_spec_prerouting tcp $MATCH_SET_CONDITION comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
+			$NFT insert rule inet ss_spec ss_spec_prerouting tcp dport $EXT_ARGS $MATCH_SET comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
+		else
+			$NFT insert rule inet ss_spec ss_spec_prerouting tcp dport $EXT_ARGS comment "\"$TAG\"" jump ss_spec_wan_ac
 		fi
 	else
 		# For each Interface, find its actual ifname and add an iifname-limited prerouting rule
@@ -414,10 +462,10 @@ ac_rule_nft() {
 			local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
 			[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
 			if [ -n "$IFNAME" ]; then
-				if [ -n "$MATCH_SET_CONDITION" ]; then
+				if [ -n "$MATCH_SET" ]; then
-					$NFT insert rule inet ss_spec ss_spec_prerouting iifname "$IFNAME" tcp $MATCH_SET_CONDITION comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
+					$NFT insert rule inet ss_spec ss_spec_prerouting iifname "$IFNAME" tcp dport $EXT_ARGS $MATCH_SET comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
 				else
-					$NFT insert rule inet ss_spec ss_spec_prerouting iifname "$IFNAME" tcp comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
+					$NFT insert rule inet ss_spec ss_spec_prerouting iifname "$IFNAME" tcp dport $EXT_ARGS comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
 				fi
 			fi
 		done
@@ -426,8 +474,7 @@ ac_rule_nft() {
 	case "$OUTPUT" in
 	1)
 		# create output hook chain & route output traffic into router chain
-		$NFT add chain inet ss_spec ss_spec_output '{ type nat hook output priority dstnat; }' 2>/dev/null
+		$NFT add rule inet ss_spec ss_spec_output tcp dport $EXT_ARGS comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
-		$NFT add rule inet ss_spec ss_spec_output tcp comment "\"$TAG\"" jump ss_spec_wan_ac 2>/dev/null
 		;;
 	2)
 		# router mode output chain: create ssr_gen_router set & router chain
@@ -438,8 +485,7 @@ ac_rule_nft() {
 		$NFT add chain inet ss_spec ss_spec_router 2>/dev/null
 		$NFT add rule inet ss_spec ss_spec_router ip daddr @ssr_gen_router return 2>/dev/null
 		$NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw 2>/dev/null
-		$NFT add chain inet ss_spec ss_spec_output '{ type nat hook output priority dstnat; }' 2>/dev/null
+		$NFT add rule inet ss_spec ss_spec_output tcp dport $EXT_ARGS comment "\"$TAG\"" jump ss_spec_router 2>/dev/null
-		$NFT add rule inet ss_spec ss_spec_output tcp comment "\"$TAG\"" jump ss_spec_router 2>/dev/null
 		;;
 	esac
 	return 0
@@ -525,7 +571,7 @@ tp_rule_nft() {
 	$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip daddr 224.0.0.0/4 return 2>/dev/null
 	$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip daddr 240.0.0.0/4 return 2>/dev/null
 
-	# avoid redirecting to udp server address - 修正变量名
+	# avoid redirecting to udp server address
 	$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport != 53 ip daddr "$server" return 2>/dev/null
 
 	# if server != SERVER add SERVER to whitelist set (so tproxy won't touch it)
@@ -536,7 +582,8 @@ tp_rule_nft() {
 	# access control and tproxy rules
 	$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip saddr @bplan return 2>/dev/null
 	if [ -n "$PROXY_PORTS" ]; then
-		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport "$PROXY_PORTS" ip saddr @fplan tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+		PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
+		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $PORTS } ip saddr @fplan tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 	else
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip saddr @fplan tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 	fi
@@ -549,7 +596,8 @@ tp_rule_nft() {
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport 80 drop 2>/dev/null
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip saddr @gmlan ip daddr != @china tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		if [ -n "$PROXY_PORTS" ]; then
-			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport "$PROXY_PORTS" ip daddr != @ss_spec_wan_ac tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+			PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
+			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $PORTS } ip daddr != @ss_spec_wan_ac tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		else
 			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip daddr != @ss_spec_wan_ac tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		fi
@@ -558,20 +606,23 @@ tp_rule_nft() {
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip daddr @china return 2>/dev/null
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport 80 drop 2>/dev/null
 		if [ -n "$PROXY_PORTS" ]; then
-			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport "$PROXY_PORTS" ip daddr @gfwlist tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+			PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
+			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $PORTS } ip daddr @gfwlist tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		fi
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip saddr @gmlan ip daddr != @china tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		;;
 	oversea)
 		if [ -n "$PROXY_PORTS" ]; then
-			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport "$PROXY_PORTS" ip saddr @oversea tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+			PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
-			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport "$PROXY_PORTS" ip daddr @china tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $PORTS } ip saddr @oversea tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $PORTS } ip daddr @china tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		fi
 		$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp ip saddr @gmlan tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		;;
 	all)
 		if [ -n "$PROXY_PORTS" ]; then
-			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport "$PROXY_PORTS" tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+			PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
+			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $PORTS } tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		else
 			$NFT add rule ip ss_spec_mangle ss_spec_tproxy udp tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 		fi
@@ -579,9 +630,10 @@ tp_rule_nft() {
 	esac
 
 	# insert jump from ip prerouting to our tproxy chain
-	$NFT add rule ip ss_spec_mangle prerouting udp comment "\"$TAG\"" jump ss_spec_tproxy 2>/dev/null
+	PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
+	$NFT add rule ip ss_spec_mangle prerouting udp dport { $PORTS } comment "\"$TAG\"" jump ss_spec_tproxy 2>/dev/null
 
-	return 0
+	return $?
 }
 
 tp_rule_iptables() {
@@ -682,9 +734,9 @@ gen_include_nft() {
 	[ -n "$FWI" ] && echo '#!/bin/sh' >"$FWI"
 	cat <<-'EOF' >>"$FWI"
 		# Clear existing ss_spec tables
-		nft delete table inet ss_spec 2>/dev/null
+		nft add table inet ss_spec 2>/dev/null
-		nft delete table ip ss_spec 2>/dev/null
+		nft add table ip ss_spec 2>/dev/null
-		nft delete table ip ss_spec_mangle 2>/dev/null
+		nft add table ip ss_spec_mangle 2>/dev/null
 
 		# Restore shadowsocks nftables rules
 		nft list ruleset | awk '/table (inet|ip) ss_spec/{flag=1} flag'
@@ -815,10 +867,30 @@ case "$TPROXY" in
 	;;
 esac
 
-if flush_r && fw_rule && ipset_r && ac_rule && tp_rule && gen_include; then
+# 首先检查nftables是否正常工作
-	loger 5 "Rules applied successfully"
+if [ "$USE_NFT" = "1" ]; then
-	exit 0
+	if ! $NFT list tables 2>/dev/null; then
-else
+		loger 3 "nftables is not working properly, check if nftables is installed and running"
-	loger 3 "Start failed!"
 		exit 1
+	fi
+fi
+
+if [ "$USE_NFT" = "1" ]; then
+	# NFTables
+	if flush_r && ipset_r && fw_rule && ac_rule && tp_rule && gen_include; then
+		loger 5 "NFTables rules applied successfully"
+		exit 0
+	else
+		loger 3 "NFTables setup failed!"
+		exit 1
+	fi
+else
+	# iptables
+	if flush_r && fw_rule && ipset_r && ac_rule && tp_rule && gen_include; then
+		loger 5 "iptables rules applied successfully"
+		exit 0
+	else
+		loger 3 "iptables setup failed!"
+		exit 1
+	fi
 fi

luci-app-ssr-plus/root/usr/share/shadowsocksr/chinaipset.sh

@@ -1,7 +1,22 @@
 #!/bin/sh
 [ -f "$1" ] && china_ip=$1
-ipset -! flush china 2>/dev/null
+
-ipset -! -R <<-EOF || exit 1
+if command -v nft >/dev/null 2>&1; then
+    # 确保表和集合存在
+    nft add table inet ss_spec 2>/dev/null
+    nft add set inet ss_spec china '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
+    nft flush set inet ss_spec china 2>/dev/null
+
+    # 批量导入
+    if [ -f "${china_ip:=/etc/ssrplus/china_ssr.txt}" ]; then
+        echo "批量导入中国IP列表..."
+        nft add element inet ss_spec china { $(tr '\n' ',' < "${china_ip}" | sed 's/,$//') } 2>/dev/null
+        echo "中国IP集合导入完成"
+    fi
+else
+    ipset -! flush china 2>/dev/null
+    ipset -! -R <<-EOF || exit 1
         create china hash:net
         $(cat ${china_ip:=/etc/ssrplus/china_ssr.txt} | sed -e "s/^/add china /")
 EOF
+fi

luci-app-ssr-plus/root/usr/share/shadowsocksr/gfw2ipset.sh

@@ -7,7 +7,12 @@ netflix() {
 		for line in $(cat /etc/ssrplus/netflix.list); do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_list.conf; done
 		for line in $(cat /etc/ssrplus/netflix.list); do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_base.conf; done
 	fi
+	if command -v nft >/dev/null 2>&1; then
+		# 移除 ipset
+		cat /etc/ssrplus/netflix.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1#$1/" >$TMP_DNSMASQ_PATH/netflix_forward.conf
+	else
 		cat /etc/ssrplus/netflix.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1#$1\nipset=\/&\/netflix/" >$TMP_DNSMASQ_PATH/netflix_forward.conf
+	fi
 }
 mkdir -p $TMP_DNSMASQ_PATH
 if [ "$(uci_get_by_type global run_mode router)" == "oversea" ]; then
@@ -16,6 +21,16 @@ else
 	cp -rf /etc/ssrplus/gfw_list.conf $TMP_DNSMASQ_PATH/
 	cp -rf /etc/ssrplus/gfw_base.conf $TMP_DNSMASQ_PATH/
 fi
+
+if command -v nft >/dev/null 2>&1; then
+    # 移除 ipset 指令
+    for conf_file in gfw_base.conf gfw_list.conf; do
+        if [ -f "$TMP_DNSMASQ_PATH/$conf_file" ]; then
+            sed -i '/ipset=/d' "$TMP_DNSMASQ_PATH/$conf_file"
+        fi
+    done
+fi
+
 if [ "$(uci_get_by_type global netflix_enable 0)" == "1" ]; then
 	# 只有开启 NetFlix分流 才需要取值
 	SHUNT_SERVER=$(uci_get_by_type global netflix_server nil)
@@ -34,6 +49,7 @@ $(uci_get_by_type global global_server nil) | $switch_server | same)
 	netflix $tmp_shunt_dns_port
 	;;
 esac
+
 # 此处使用while方式读取 防止 /etc/ssrplus/ 目录下的 black.list white.list deny.list 等2个或多个文件一行中存在空格 比如:# abc.com 而丢失：server
 while read line; do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_list.conf; done < /etc/ssrplus/black.list
 while read line; do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_base.conf; done < /etc/ssrplus/black.list
@@ -41,10 +57,17 @@ while read line; do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_list.conf; done < /e
 while read line; do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_base.conf; done < /etc/ssrplus/white.list
 while read line; do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_list.conf; done < /etc/ssrplus/deny.list
 while read line; do sed -i "/$line/d" $TMP_DNSMASQ_PATH/gfw_base.conf; done < /etc/ssrplus/deny.list
+
 # 此处直接使用 cat 因为有 sed '/#/d' 删除了 数据
-cat /etc/ssrplus/black.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1#$dns_port\nipset=\/&\/blacklist/" >$TMP_DNSMASQ_PATH/blacklist_forward.conf
+if command -v nft >/dev/null 2>&1; then
-cat /etc/ssrplus/white.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1\nipset=\/&\/whitelist/" >$TMP_DNSMASQ_PATH/whitelist_forward.conf
+	cat /etc/ssrplus/black.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1#$dns_port/" >$TMP_DNSMASQ_PATH/blacklist_forward.conf
+	cat /etc/ssrplus/white.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1/" >$TMP_DNSMASQ_PATH/whitelist_forward.conf
+else
+	cat /etc/ssrplus/black.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1#$dns_port\nipset=\/&\/blacklist/" >$TMP_DNSMASQ_PATH/blacklist_forward.conf
+	cat /etc/ssrplus/white.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/server=\/&\/127.0.0.1\nipset=\/&\/whitelist/" >$TMP_DNSMASQ_PATH/whitelist_forward.conf
+fi
 cat /etc/ssrplus/deny.list | sed '/^$/d' | sed '/#/d' | sed "/.*/s/.*/address=\/&\//" >$TMP_DNSMASQ_PATH/denylist.conf
+
 if [ "$(uci_get_by_type global adblock 0)" == "1" ]; then
 	cp -f /etc/ssrplus/ad.conf $TMP_DNSMASQ_PATH/
 	if [ -f "$TMP_DNSMASQ_PATH/ad.conf" ]; then
@@ -56,4 +79,3 @@ if [ "$(uci_get_by_type global adblock 0)" == "1" ]; then
 else
 	rm -f $TMP_DNSMASQ_PATH/ad.conf
 fi
-

openlist2/Makefile

@@ -7,13 +7,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openlist2
-PKG_VERSION:=4.1.6
+PKG_VERSION:=4.1.7
-PKG_WEB_VERSION:=4.1.6
+PKG_WEB_VERSION:=4.1.7
 PKG_RELEASE:=1
 
 PKG_SOURCE:=openlist-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/OpenListTeam/OpenList/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=9cb26d5a41a9df56a6c937bc37a572ff104e2d5a72c0ec8813273f2e67c0a092
+PKG_HASH:=f1b92628be09ba181decc46423c3e0624b78aedfcd28590990a46ba03d75e5e4
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/OpenList-$(PKG_VERSION)
 
@@ -24,7 +24,7 @@ PKG_MAINTAINER:=sbwml <admin@cooluc.com>
 define Download/openlist-frontend
   FILE:=openlist-frontend-dist-lite-v$(PKG_WEB_VERSION).tar.gz
   URL:=https://github.com/OpenListTeam/OpenList-Frontend/releases/download/v$(PKG_WEB_VERSION)/
-  HASH:=b57cfeabd160664478086a952d618f1b5ac022852909d38d7a31924b27067308
+  HASH:=2a365c1ce17904926cf275540680f0f24c0c8c3620fcbb98149d7faf781235aa
 endef
 
 PKG_BUILD_DEPENDS:=golang/host