zhao/openwrt_packages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🍉 Sync 2025-11-07 00:12:45

Browse Source
This commit is contained in:
actions-user
2025-11-07 00:12:45 +08:00
parent dbd5a80522
commit 3abe250372
14 changed files with 575 additions and 454 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
luci-app-passwall/root/usr/share/passwall/nftables.sh
View File

@@ -815,7 +815,7 @@ filter_direct_node_list() {
}
add_firewall_rule() {
echolog "开始加载防火墙规则..."
echolog "开始加载 nftables 防火墙规则..."
gen_nft_tables
gen_nftset $NFTSET_VPS ipv4_addr 0 0
gen_nftset $NFTSET_GFW ipv4_addr "2d" 0
@@ -986,10 +986,6 @@ add_firewall_rule() {
nft_output_chain="PSW_OUTPUT_MANGLE"
fi
nft "add chain $NFTABLE_NAME PSW_DIVERT"
nft "flush chain $NFTABLE_NAME PSW_DIVERT"
nft "add rule $NFTABLE_NAME PSW_DIVERT meta l4proto tcp socket transparent 1 mark set 1 counter accept"
nft "add chain $NFTABLE_NAME PSW_DNS"
nft "flush chain $NFTABLE_NAME PSW_DNS"
if [ $(config_t_get global dns_redirect "1") = "0" ]; then
@@ -1005,8 +1001,8 @@ add_firewall_rule() {
nft "flush chain $NFTABLE_NAME PSW_RULE"
nft "add rule $NFTABLE_NAME PSW_RULE meta mark set ct mark counter"
nft "add rule $NFTABLE_NAME PSW_RULE meta mark 1 counter return"
nft "add rule $NFTABLE_NAME PSW_RULE tcp flags &(fin|syn|rst|ack) == syn meta mark set mark and 0x0 xor 0x1 counter"
nft "add rule $NFTABLE_NAME PSW_RULE meta l4proto udp ct state new meta mark set mark and 0x0 xor 0x1 counter"
nft "add rule $NFTABLE_NAME PSW_RULE tcp flags syn meta mark set mark and 0x0 xor 0x1 counter"
nft "add rule $NFTABLE_NAME PSW_RULE meta l4proto udp ct state new,related meta mark set mark and 0x0 xor 0x1 counter"
nft "add rule $NFTABLE_NAME PSW_RULE ct mark set mark counter"
#ipv4 tproxy mode and udp
@@ -1014,11 +1010,13 @@ add_firewall_rule() {
nft "flush chain $NFTABLE_NAME PSW_MANGLE"
nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_LAN counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE ip daddr @$NFTSET_VPS counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE ct direction reply counter return"
nft "add chain $NFTABLE_NAME PSW_OUTPUT_MANGLE"
nft "flush chain $NFTABLE_NAME PSW_OUTPUT_MANGLE"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_LAN counter return"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_VPS counter return"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ct direction reply counter return"
[ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_BLOCK counter drop"
[ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE ip daddr @$NFTSET_WHITE counter return"
@@ -1027,7 +1025,6 @@ add_firewall_rule() {
# jump chains
nft "add rule $NFTABLE_NAME mangle_prerouting ip protocol udp counter jump PSW_MANGLE"
[ -n "${is_tproxy}" ] && nft "add rule $NFTABLE_NAME mangle_prerouting ip protocol tcp counter jump PSW_MANGLE"
insert_rule_before "$NFTABLE_NAME" "mangle_prerouting" "PSW_MANGLE" "counter jump PSW_DIVERT"
#ipv4 tcp redirect mode
[ -z "${is_tproxy}" ] && {
@@ -1078,11 +1075,13 @@ add_firewall_rule() {
nft "flush chain $NFTABLE_NAME PSW_MANGLE_V6"
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 ip6 daddr @$NFTSET_LAN6 counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 ip6 daddr @$NFTSET_VPS6 counter return"
nft "add rule $NFTABLE_NAME PSW_MANGLE_V6 ct direction reply counter return"
nft "add chain $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6"
nft "flush chain $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_LAN6 counter return"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_VPS6 counter return"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ct direction reply counter return"
[ "${USE_BLOCK_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_BLOCK6 counter drop"
[ "${USE_DIRECT_LIST}" = "1" ] && nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 ip6 daddr @$NFTSET_WHITE6 counter return"
nft "add rule $NFTABLE_NAME PSW_OUTPUT_MANGLE_V6 meta mark 0xff counter return"
@@ -1398,7 +1397,7 @@ gen_include() {
local __nft=" "
__nft=$(cat <<- EOF
[ -z "\$(nft list chain $NFTABLE_NAME mangle_prerouting | grep PSW_DIVERT)" ] && nft -f ${nft_chain_file}
[ -z "\$(nft list chain $NFTABLE_NAME mangle_prerouting | grep PSW)" ] && nft -f ${nft_chain_file}
[ -z "${is_tproxy}" ] && {
PR_INDEX=\$(sh ${MY_PATH} RULE_LAST_INDEX "$NFTABLE_NAME" PSW_NAT WAN_IP_RETURN -1)
if [ \$PR_INDEX -ge 0 ]; then