🍉 Sync 2025-11-07 00:12:45
@@ -35,14 +35,13 @@ EOF
|
||||
|
||||
chmod +x /usr/share/passwall/*.sh
|
||||
|
||||
## 4.77-5 below upgrade to 4.77-6 above
|
||||
[ -e "/etc/config/passwall_show" ] && rm -rf /etc/config/passwall_show
|
||||
|
||||
[ "$(uci -q get passwall.@global_xray[0].sniffing)" == "1" ] && [ "$(uci -q get passwall.@global_xray[0].route_only)" != "1" ] && uci -q set passwall.@global_xray[0].sniffing_override_dest=1
|
||||
uci -q delete passwall.@global_xray[0].sniffing
|
||||
uci -q delete passwall.@global_xray[0].route_only
|
||||
uci -q commit passwall
|
||||
|
||||
sed -i "s#add_from#group#g" /etc/config/passwall 2>/dev/null
|
||||
|
||||
rm -f /tmp/luci-indexcache
|
||||
rm -rf /tmp/luci-modulecache/
|
||||
killall -HUP rpcd 2>/dev/null
|
||||
|
||||
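Review bot: The migration `sed -i "s#add_from#group#g" /etc/config/passwall` near the end of this hunk rewrites every occurrence of the substring, not just the option name, so a node remark, subscription URL or any other stored value that happens to contain `add_from` is silently altered as well. Anchoring the pattern to the option keyword limits it to the key: `sed -i "s#^\([[:space:]]*option[[:space:]]*\)add_from\([[:space:]]\)#\1group\2#" /etc/config/passwall 2>/dev/null`. The preceding `uci -q commit passwall` has already flushed pending changes, so editing the file directly afterwards is consistent, but a comment such as `# 4.77-6: rename option add_from -> group in existing sections` would make the purpose of the raw sed clear to the next upgrader. Which side of the diff the surrounding sniffing lines belong to cannot be told from the rendered page, so this note addresses the sed line only.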
@@ -2114,7 +2114,7 @@ stop() {
|
||||
# 结束 SS 插件进程
|
||||
# kill_all xray-plugin v2ray-plugin obfs-local shadow-tls
|
||||
local pid_file pid
|
||||
find "$TMP_PATH" -type f -name '*_plugin.pid' | while read -r pid_file; do
|
||||
find "$TMP_PATH" -type f -name '*_plugin.pid' 2>/dev/null | while read -r pid_file; do
|
||||
read -r pid < "$pid_file"
|
||||
if [ -n "$pid" ]; then
|
||||
kill -9 "$pid" >/dev/null 2>&1
|
||||
|
||||
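Review bot: `read -r pid < "$pid_file"` followed by `kill -9 "$pid"` passes the file's first line to kill with only an emptiness check; a non-numeric or negative value (for example `-1`, which signals every process the caller may signal) is not rejected. The new `2>/dev/null` on find quiets the listing but does not change this. Replacing the guard with `if [ "$pid" -gt 0 ] 2>/dev/null; then` accepts only a plain positive integer, since the numeric test fails for anything else. The writers of the `*_plugin.pid` files under `$TMP_PATH` are not visible here, and `stop()` continues outside the hunk on both sides.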
@@ -781,7 +781,7 @@ filter_direct_node_list() {
|
||||
}
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
echolog "开始加载 iptables 防火墙规则..."
|
||||
ipset -! create $IPSET_LOCAL nethash maxelem 1048576
|
||||
ipset -! create $IPSET_LAN nethash maxelem 1048576
|
||||
ipset -! create $IPSET_VPS nethash maxelem 1048576
|
||||
@@ -980,20 +980,17 @@ add_firewall_rule() {
|
||||
$ipt_n -I PREROUTING 1 -j PSW_DNS
|
||||
fi
|
||||
|
||||
$ipt_m -N PSW_DIVERT
|
||||
$ipt_m -A PSW_DIVERT -j MARK --set-mark 1
|
||||
$ipt_m -A PSW_DIVERT -j ACCEPT
|
||||
|
||||
$ipt_m -N PSW_RULE
|
||||
$ipt_m -A PSW_RULE -j CONNMARK --restore-mark
|
||||
$ipt_m -A PSW_RULE -m mark --mark 1 -j RETURN
|
||||
$ipt_m -A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 1
|
||||
$ipt_m -A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 1
|
||||
$ipt_m -A PSW_RULE -p tcp -m tcp --syn -j MARK --set-xmark 1
|
||||
$ipt_m -A PSW_RULE -p udp -m conntrack --ctstate NEW,RELATED -j MARK --set-xmark 1
|
||||
$ipt_m -A PSW_RULE -j CONNMARK --save-mark
|
||||
|
||||
$ipt_m -N PSW
|
||||
$ipt_m -A PSW $(dst $IPSET_LAN) -j RETURN
|
||||
$ipt_m -A PSW $(dst $IPSET_VPS) -j RETURN
|
||||
$ipt_m -A PSW -m conntrack --ctdir REPLY -j RETURN
|
||||
|
||||
[ ! -z "${WAN_IP}" ] && {
|
||||
$ipt_m -A PSW $(comment "WAN_IP_RETURN") -d "${WAN_IP}" -j RETURN
|
||||
@@ -1002,11 +999,11 @@ add_firewall_rule() {
|
||||
unset WAN_IP
|
||||
|
||||
insert_rule_before "$ipt_m" "PREROUTING" "mwan3" "-j PSW"
|
||||
insert_rule_before "$ipt_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT"
|
||||
|
||||
$ipt_m -N PSW_OUTPUT
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_LAN) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT $(dst $IPSET_VPS) -j RETURN
|
||||
$ipt_m -A PSW_OUTPUT -m conntrack --ctdir REPLY -j RETURN
|
||||
|
||||
[ -n "$IPT_APPEND_DNS" ] && {
|
||||
local local_dns dns_address dns_port
|
||||
@@ -1053,20 +1050,17 @@ add_firewall_rule() {
|
||||
$ip6t_n -I PREROUTING 1 -j PSW_DNS
|
||||
fi
|
||||
|
||||
$ip6t_m -N PSW_DIVERT
|
||||
$ip6t_m -A PSW_DIVERT -j MARK --set-mark 1
|
||||
$ip6t_m -A PSW_DIVERT -j ACCEPT
|
||||
|
||||
$ip6t_m -N PSW_RULE
|
||||
$ip6t_m -A PSW_RULE -j CONNMARK --restore-mark
|
||||
$ip6t_m -A PSW_RULE -m mark --mark 1 -j RETURN
|
||||
$ip6t_m -A PSW_RULE -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 1
|
||||
$ip6t_m -A PSW_RULE -p udp -m conntrack --ctstate NEW -j MARK --set-xmark 1
|
||||
$ip6t_m -A PSW_RULE -p tcp -m tcp --syn -j MARK --set-xmark 1
|
||||
$ip6t_m -A PSW_RULE -p udp -m conntrack --ctstate NEW,RELATED -j MARK --set-xmark 1
|
||||
$ip6t_m -A PSW_RULE -j CONNMARK --save-mark
|
||||
|
||||
$ip6t_m -N PSW
|
||||
$ip6t_m -A PSW $(dst $IPSET_LAN6) -j RETURN
|
||||
$ip6t_m -A PSW $(dst $IPSET_VPS6) -j RETURN
|
||||
$ip6t_m -A PSW -m conntrack --ctdir REPLY -j RETURN
|
||||
|
||||
WAN6_IP=$(get_wan6_ip)
|
||||
[ ! -z "${WAN6_IP}" ] && $ip6t_m -A PSW $(comment "WAN6_IP_RETURN") -d ${WAN6_IP} -j RETURN
|
||||
@@ -1079,6 +1073,7 @@ add_firewall_rule() {
|
||||
$ip6t_m -A PSW_OUTPUT -m mark --mark 0xff -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_LAN6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT $(dst $IPSET_VPS6) -j RETURN
|
||||
$ip6t_m -A PSW_OUTPUT -m conntrack --ctdir REPLY -j RETURN
|
||||
[ "${USE_BLOCK_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT $(dst $IPSET_BLOCK6) -j DROP
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && $ip6t_m -A PSW_OUTPUT $(dst $IPSET_WHITE6) -j RETURN
|
||||
|
||||
@@ -1315,7 +1310,7 @@ del_firewall_rule() {
|
||||
$ipt -D $chain $index 2>/dev/null
|
||||
done
|
||||
done
|
||||
for chain in "PSW" "PSW_OUTPUT" "PSW_DIVERT" "PSW_DNS" "PSW_RULE"; do
|
||||
for chain in "PSW" "PSW_OUTPUT" "PSW_DNS" "PSW_RULE"; do
|
||||
$ipt -F $chain 2>/dev/null
|
||||
$ipt -X $chain 2>/dev/null
|
||||
done
|
||||
@@ -1369,7 +1364,7 @@ gen_include() {
|
||||
[ -z "${_ipt}" ] && return
|
||||
|
||||
echo "*$2"
|
||||
${_ipt}-save -t $2 | grep "PSW" | grep -v "\-j PSW$" | grep -v "mangle\-OUTPUT\-PSW" | grep -v "socket \-j PSW_DIVERT$" | sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/"
|
||||
${_ipt}-save -t $2 | grep "PSW" | grep -v "\-j PSW$" | sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/"
|
||||
echo 'COMMIT'
|
||||
}
|
||||
local __ipt=""
|
||||
@@ -1390,7 +1385,6 @@ gen_include() {
|
||||
[ -z "${is_tproxy}" ] && \$(${MY_PATH} insert_rule_after "$ipt_n" "PREROUTING" "prerouting_rule" "-p tcp -j PSW")
|
||||
|
||||
\$(${MY_PATH} insert_rule_before "$ipt_m" "PREROUTING" "mwan3" "-j PSW")
|
||||
\$(${MY_PATH} insert_rule_before "$ipt_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT")
|
||||
|
||||
WAN_IP=\$(${MY_PATH} get_wan_ip)
|
||||
|
||||
@@ -1423,7 +1417,6 @@ gen_include() {
|
||||
[ "$accept_icmpv6" = "1" ] && $ip6t_n -A PREROUTING -p ipv6-icmp -j PSW
|
||||
|
||||
\$(${MY_PATH} insert_rule_before "$ip6t_m" "PREROUTING" "mwan3" "-j PSW")
|
||||
\$(${MY_PATH} insert_rule_before "$ip6t_m" "PREROUTING" "PSW" "-p tcp -m socket -j PSW_DIVERT")
|
||||
|
||||
PR_INDEX=\$(${MY_PATH} RULE_LAST_INDEX "$ip6t_m" PSW WAN6_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
|
||||
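Review bot: In the `@@ -1079` hunk the new `$ip6t_m -A PSW_OUTPUT -m conntrack --ctdir REPLY -j RETURN` sits before the `USE_BLOCK_LIST` drop, so outbound reply-direction packets to an address in `$IPSET_BLOCK6` now leave the chain before the drop rule is consulted; the nftables hunks at `@@ -1014` and `@@ -1078` order `ct direction reply counter return` ahead of `ip daddr @$NFTSET_BLOCK counter drop` in the same way. If the block list is meant to cut traffic with those addresses in both directions, the reply-direction return should be appended after the drop line; if only locally originated connections are in scope this is fine and deserves a comment such as `# reply-direction traffic is neither proxied nor filtered here`. Separately, `del_firewall_rule` at `@@ -1315` drops `PSW_DIVERT` from the flush/delete list, so on an in-place upgrade the chain created by the previous release is never removed, and because `gen_include` selects rules with an unanchored `grep "PSW"` it would be carried into the generated include. Keeping `"PSW_DIVERT"` in that list for one more release avoids the leftover chain. The surrounding functions start and end outside these hunks.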
@@ -815,7 +815,7 @@ filter_direct_node_list() {
|
||||
}
|
||||
|
||||
add_firewall_rule() {
|
||||
echolog "开始加载防火墙规则..."
|
||||
echolog "开始加载 nftables 防火墙规则..."
|
||||
gen_nft_tables
|
||||
gen_nftset $NFTSET_VPS ipv4_addr 0 0
|
||||
gen_nftset $NFTSET_GFW ipv4_addr "2d" 0
|
||||
@@ -986,10 +986,6 @@ add_firewall_rule() {
|
||||
nft_output_chain="PSW_OUTPUT_MANGLE"
|
||||
fi
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW_DIVERT"
|
||||
nft "flush chain $NFTABLE_NAME PSW_DIVERT"
|
||||
nft "add rule $NFTABLE_NAME PSW_DIVERT meta l4proto tcp socket transparent 1 mark set 1 counter accept"
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW_DNS"
|
||||
nft "flush chain $NFTABLE_NAME PSW_DNS"
|
||||
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
|
||||
@@ -1005,8 +1001,8 @@ add_firewall_rule() {
|
||||
nft "flush chain $NFTABLE_NAME PSW_RULE"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE meta mark set ct mark counter"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE meta mark 1 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE tcp flags &(fin|syn|rst|ack) == syn meta mark set mark and 0x0 xor 0x1 counter"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE meta l4proto udp ct state new meta mark set mark and 0x0 xor 0x1 counter"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE tcp flags syn meta mark set mark and 0x0 xor 0x1 counter"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE meta l4proto udp ct state new,related meta mark set mark and 0x0 xor 0x1 counter"
|
||||
nft "add rule $NFTABLE_NAME PSW_RULE ct mark set mark counter"
|
||||
|
||||
#ipv4 tproxy mode and udp
|
||||
@@ -1014,11 +1010,13 @@ add_firewall_rule() {
|
||||
nft "flush chain $NFTABLE_NAME PSW_MANGLE"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_LAN counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_VPS counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE ct direction reply counter return"
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW_OUTPUT_MANGLE"
|
||||
nft "flush chain $NFTABLE_NAME PSW_OUTPUT_MANGLE"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LAN counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPS counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ct direction reply counter return"
|
||||
|
||||
[ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCK counter drop"
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITE counter return"
|
||||
@@ -1027,7 +1025,6 @@ add_firewall_rule() {
|
||||
# jump chains
|
||||
nft "add rule $NFTABLE_NAME mangle_prerouting ip protocol udp counter jump PSW_MANGLE"
|
||||
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME mangle_prerouting ip protocol tcp counter jump PSW_MANGLE"
|
||||
insert_rule_before "$NFTABLE_NAME" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT"
|
||||
|
||||
#ipv4 tcp redirect mode
|
||||
[ -z "${is_tproxy}" ] && {
|
||||
@@ -1078,11 +1075,13 @@ add_firewall_rule() {
|
||||
nft "flush chain $NFTABLE_NAME PSW_MANGLE_V6"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 ip6 daddr @$NFTSET_LAN6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPS6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 ct direction reply counter return"
|
||||
|
||||
nft "add chain $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6"
|
||||
nft "flush chain $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LAN6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPS6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ct direction reply counter return"
|
||||
[ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCK6 counter drop"
|
||||
[ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITE6 counter return"
|
||||
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
|
||||
@@ -1398,7 +1397,7 @@ gen_include() {
|
||||
|
||||
local __nft=" "
|
||||
__nft=$(cat <<- EOF
|
||||
[ -z "\$(nft list chain $NFTABLE_NAME mangle_prerouting | grep PSW_DIVERT)" ] && nft -f ${nft_chain_file}
|
||||
[ -z "\$(nft list chain $NFTABLE_NAME mangle_prerouting | grep PSW)" ] && nft -f ${nft_chain_file}
|
||||
[ -z "${is_tproxy}" ] && {
|
||||
PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "$NFTABLE_NAME" PSW_NAT WAN_IP_RETURN -1)
|
||||
if [ \$PR_INDEX -ge 0 ]; then
|
||||
|
||||
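Review bot: The guard in the `@@ -1398` hunk now tests `nft list chain $NFTABLE_NAME mangle_prerouting | grep PSW`, an unanchored substring match that is satisfied by any rule mentioning a `PSW*` chain, including a `jump PSW_DIVERT` left over from the previous release whose cleanup is not visible in this diff; in that case `nft -f ${nft_chain_file}` would be skipped and the `PSW_MANGLE` jumps added in the `@@ -1027` hunk never installed on a firewall reload. Matching the jump the chain file actually creates is tighter: `[ -z "\$(nft list chain $NFTABLE_NAME mangle_prerouting | grep -w 'jump PSW_MANGLE')" ] && nft -f ${nft_chain_file}`. This assumes the v4 `jump PSW_MANGLE` rule is always present, as the unconditional udp jump at `@@ -1027` suggests; `gen_include` begins and ends outside the hunk.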
@@ -450,12 +450,12 @@ local function get_subscribe_info(cfgid, value)
|
||||
end
|
||||
|
||||
-- 处理数据
|
||||
local function processData(szType, content, add_mode, add_from)
|
||||
--log(content, add_mode, add_from)
|
||||
local function processData(szType, content, add_mode, group)
|
||||
--log(content, add_mode, group)
|
||||
local result = {
|
||||
timeout = 60,
|
||||
add_mode = add_mode, --0为手动配置,1为导入,2为订阅
|
||||
add_from = add_from
|
||||
group = group
|
||||
}
|
||||
--ssr://base64(host:port:protocol:method:obfs:base64pass/?obfsparam=base64param&protoparam=base64param&remarks=base64remarks&group=base64group&udpport=0&uot=0)
|
||||
if szType == 'ssr' then
|
||||
@@ -1539,14 +1539,14 @@ local function curl(url, file, ua, mode)
|
||||
return tonumber(result)
|
||||
end
|
||||
|
||||
local function truncate_nodes(add_from)
|
||||
local function truncate_nodes(group)
|
||||
for _, config in pairs(CONFIG) do
|
||||
if config.currentNodes and #config.currentNodes > 0 then
|
||||
local newNodes = {}
|
||||
local removeNodesSet = {}
|
||||
for k, v in pairs(config.currentNodes) do
|
||||
if v.currentNode and v.currentNode.add_mode == "2" then
|
||||
if (not add_from) or (add_from and add_from == v.currentNode.add_from) then
|
||||
if (not group) or (group and group == v.currentNode.group) then
|
||||
removeNodesSet[v.currentNode[".name"]] = true
|
||||
end
|
||||
end
|
||||
@@ -1561,7 +1561,7 @@ local function truncate_nodes(add_from)
|
||||
end
|
||||
else
|
||||
if config.currentNode and config.currentNode.add_mode == "2" then
|
||||
if (not add_from) or (add_from and add_from == config.currentNode.add_from) then
|
||||
if (not group) or (group and group == config.currentNode.group) then
|
||||
if config.delete then
|
||||
config.delete(config)
|
||||
elseif config.set then
|
||||
@@ -1573,13 +1573,13 @@ local function truncate_nodes(add_from)
|
||||
end
|
||||
uci:foreach(appname, "nodes", function(node)
|
||||
if node.add_mode == "2" then
|
||||
if (not add_from) or (add_from and add_from == node.add_from) then
|
||||
if (not group) or (group and group == node.group) then
|
||||
uci:delete(appname, node['.name'])
|
||||
end
|
||||
end
|
||||
end)
|
||||
uci:foreach(appname, "subscribe_list", function(o)
|
||||
if (not add_from) or add_from == o.remark then
|
||||
if (not group) or group == o.remark then
|
||||
uci:delete(appname, o['.name'], "md5")
|
||||
end
|
||||
end)
|
||||
@@ -1720,7 +1720,7 @@ local function update_node(manual)
|
||||
if manual == 0 and next(group) then
|
||||
uci:foreach(appname, "nodes", function(node)
|
||||
-- 如果未发现新节点或手动导入的节点就不要删除了...
|
||||
if node.add_mode == "2" and (node.add_from and group[node.add_from] == true) then
|
||||
if node.add_mode == "2" and (node.group and group[node.group] == true) then
|
||||
uci:delete(appname, node['.name'])
|
||||
end
|
||||
end)
|
||||
@@ -1797,7 +1797,7 @@ local function update_node(manual)
|
||||
luci.sys.call("/etc/init.d/" .. appname .. " restart > /dev/null 2>&1 &")
|
||||
end
|
||||
|
||||
local function parse_link(raw, add_mode, add_from, cfgid)
|
||||
local function parse_link(raw, add_mode, group, cfgid)
|
||||
if raw and #raw > 0 then
|
||||
local nodes, szType
|
||||
local node_list = {}
|
||||
@@ -1833,17 +1833,17 @@ local function parse_link(raw, add_mode, add_from, cfgid)
|
||||
xpcall(function ()
|
||||
local result
|
||||
if szType == 'ssd' then
|
||||
result = processData(szType, v, add_mode, add_from)
|
||||
result = processData(szType, v, add_mode, group)
|
||||
elseif not szType then
|
||||
local node = api.trim(v)
|
||||
local dat = split(node, "://")
|
||||
if dat and dat[1] and dat[2] then
|
||||
if dat[1] == 'vmess' or dat[1] == 'ssr' then
|
||||
local link = api.trim(dat[2]:gsub("#.*$", ""))
|
||||
result = processData(dat[1], base64Decode(link), add_mode, add_from)
|
||||
result = processData(dat[1], base64Decode(link), add_mode, group)
|
||||
else
|
||||
local link = dat[2]:gsub("&", "&"):gsub("%s*#%s*", "#") -- 一些奇葩的链接用"&"当做"&","#"前后带空格
|
||||
result = processData(dat[1], link, add_mode, add_from)
|
||||
result = processData(dat[1], link, add_mode, group)
|
||||
end
|
||||
end
|
||||
else
|
||||
@@ -1874,14 +1874,14 @@ local function parse_link(raw, add_mode, add_from, cfgid)
|
||||
end
|
||||
if #node_list > 0 then
|
||||
nodeResult[#nodeResult + 1] = {
|
||||
remark = add_from,
|
||||
remark = group,
|
||||
list = node_list
|
||||
}
|
||||
end
|
||||
log('成功解析【' .. add_from .. '】节点数量: ' .. #node_list)
|
||||
log('成功解析【' .. group .. '】节点数量: ' .. #node_list)
|
||||
else
|
||||
if add_mode == "2" then
|
||||
log('获取到的【' .. add_from .. '】订阅内容为空,可能是订阅地址无效,或是网络问题,请诊断!')
|
||||
log('获取到的【' .. group .. '】订阅内容为空,可能是订阅地址无效,或是网络问题,请诊断!')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
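Review bot: In the `@@ -1539`, `@@ -1561` and `@@ -1573` hunks the renamed condition keeps the redundant form `if (not group) or (group and group == v.currentNode.group) then`; the second `group and` can never change the result once `not group` is false, and the `subscribe_list` branch in the same function already uses the short form `if (not group) or group == o.remark then`. Writing all three as `if not group or group == v.currentNode.group then` (and the `config.currentNode` / `node` variants alike) keeps the function consistent. In the `@@ -1720` hunk the local table `group` (a set of group names, declared outside the hunk) now shares its name with the node field, so `group[node.group]` reads as the same word twice; a name such as `groups` for the set would separate the two, though that declaration lies outside this diff. `truncate_nodes` and `update_node` continue outside these hunks.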