🐶 Sync 2025-11-02 14:26:26

2025-11-02 14:26:26 +08:00
parent 64bcc56c2a
commit ac011db799
1557 changed files with 746465 additions and 0 deletions
--- a/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
+++ b/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua
@@ -0,0 +1,525 @@
+local sys = require "luci.sys"
+local api = require "luci.passwall.api"
+local appname = "passwall"
+
+local var = api.get_args(arg)
+local FLAG = var["-FLAG"]
+local LISTEN_PORT = var["-LISTEN_PORT"]
+local DNS_LOCAL = var["-DNS_LOCAL"]
+local DNS_TRUST = var["-DNS_TRUST"]
+local USE_DIRECT_LIST = var["-USE_DIRECT_LIST"]
+local USE_PROXY_LIST = var["-USE_PROXY_LIST"]
+local USE_BLOCK_LIST = var["-USE_BLOCK_LIST"]
+local GFWLIST = var["-GFWLIST"]
+local CHNLIST = var["-CHNLIST"]
+local NO_IPV6_TRUST = var["-NO_IPV6_TRUST"]
+local DEFAULT_MODE = var["-DEFAULT_MODE"]
+local DEFAULT_TAG = var["-DEFAULT_TAG"]
+local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"]
+local TCP_NODE = var["-TCP_NODE"]
+local NFTFLAG = var["-NFTFLAG"]
+local REMOTE_FAKEDNS = var["-REMOTE_FAKEDNS"]
+local LOG_FILE = var["-LOG_FILE"]
+
+local uci = api.uci
+local sys = api.sys
+local fs = api.fs
+local datatypes = api.datatypes
+
+local TMP_PATH = "/tmp/etc/" .. appname
+local TMP_ACL_PATH = TMP_PATH .. "/acl"
+local RULES_PATH = "/usr/share/" .. appname .. "/rules"
+local FLAG_PATH = TMP_ACL_PATH .. "/" .. FLAG
+local config_lines = {}
+local tmp_lines = {}
+local USE_GEOVIEW = uci:get(appname, "@global_rules[0]", "enable_geoview")
+
+local function log(...)
+	if NO_LOGIC_LOG == "1" then
+		return
+	end
+	api.log(...)
+end
+
+local function is_file_nonzero(path)
+	if path and #path > 1 then
+		if sys.exec('[ -s "%s" ] && echo -n 1' % path) == "1" then
+			return true
+		end
+	end
+	return nil
+end
+
+local function insert_unique(dest_table, value, lookup_table)
+	if not lookup_table[value] then
+		table.insert(dest_table, value)
+		lookup_table[value] = true
+	end
+end
+
+local function merge_array(array1, array2)
+	for i, line in ipairs(array2) do
+		table.insert(array1, #array1 + 1, line)
+	end
+end
+
+local function insert_array_before(array1, array2, target) --将array2插入到array1的target前面，target不存在则追加
+	for i, line in ipairs(array1) do
+		if line == target then
+			for j = #array2, 1, -1 do
+				table.insert(array1, i, array2[j])
+			end
+			return
+		end
+	end
+	merge_array(array1, array2)
+end
+
+local function insert_array_after(array1, array2, target) --将array2插入到array1的target后面，target不存在则追加
+	for i, line in ipairs(array1) do
+		if line == target then
+			for j = 1, #array2 do
+				table.insert(array1, i + j, array2[j])
+			end
+			return
+		end
+	end
+	merge_array(array1, array2)
+end
+
+local function get_geosite(list_arg, out_path)
+	local geosite_path = uci:get(appname, "@global_rules[0]", "v2ray_location_asset") or "/usr/share/v2ray/"
+	geosite_path = geosite_path:match("^(.*)/") .. "/geosite.dat"
+	if not is_file_nonzero(geosite_path) then return 1 end
+	if api.is_finded("geoview") and list_arg and out_path then
+		sys.exec("geoview -type geosite -append=true -input " .. geosite_path .. " -list '" .. list_arg .. "' -output " .. out_path)
+		return 0
+	end
+	return 1
+end
+
+if not fs.access(FLAG_PATH) then
+	fs.mkdir(FLAG_PATH)
+end
+
+local setflag = (NFTFLAG == "1") and "inet@passwall@" or ""
+
+local only_global = (DEFAULT_MODE == "proxy" and CHNLIST == "0" and GFWLIST == "0") and 1
+
+local force_https_soa = uci:get(appname, "@global[0]", "force_https_soa") or 1
+
+config_lines = {
+	LOG_FILE ~= "/dev/null" and "verbose" or "",
+	"bind-addr ::",
+	"bind-port " .. LISTEN_PORT,
+	"china-dns " .. DNS_LOCAL,
+	"trust-dns " .. DNS_TRUST,
+	tonumber(force_https_soa) == 1 and "filter-qtype 65" or ""
+}
+
+for i = 1, 6 do
+	table.insert(config_lines, "#--" .. i)
+end
+
+--自定义规则组，后声明的组具有更高优先级
+--屏蔽列表
+local file_block_host = TMP_ACL_PATH .. "/block_host"
+if USE_BLOCK_LIST == "1" and not fs.access(file_block_host) then
+	local block_domain, lookup_block_domain = {}, {}
+	local geosite_arg = ""
+	for line in io.lines(RULES_PATH .. "/block_host") do
+		if not line:find("#") and line:find("geosite:") then
+			line = string.match(line, ":([^:]+)$")
+			geosite_arg = geosite_arg .. (geosite_arg ~= "" and "," or "") .. line
+		else
+			line = api.get_std_domain(line)
+			if line ~= "" and not line:find("#") then
+				insert_unique(block_domain, line, lookup_block_domain)
+			end
+		end
+	end
+	if #block_domain > 0 then
+		local f_out = io.open(file_block_host, "w")
+		for i = 1, #block_domain do
+			f_out:write(block_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+	if USE_GEOVIEW == "1" and geosite_arg ~= "" and api.is_finded("geoview") then
+		if get_geosite(geosite_arg, file_block_host) == 0 then
+			log("  * 解析[屏蔽列表] Geosite 到屏蔽域名表(blocklist)完成")
+		else
+			log("  * 解析[屏蔽列表] Geosite 到屏蔽域名表(blocklist)失败！")
+		end
+	end
+end
+if USE_BLOCK_LIST == "1" and is_file_nonzero(file_block_host) then
+	tmp_lines = {
+		"group null",
+		"group-dnl " .. file_block_host
+	}
+	insert_array_after(config_lines, tmp_lines, "#--5")
+end
+
+--始终用国内DNS解析节点域名
+local file_vpslist = TMP_ACL_PATH .. "/vpslist"
+if not is_file_nonzero(file_vpslist) then
+	local f_out = io.open(file_vpslist, "w")
+	local written_domains = {}
+	uci:foreach(appname, "nodes", function(t)
+		local function process_address(address)
+			if address == "engage.cloudflareclient.com" then return end
+			if datatypes.hostname(address) and not written_domains[address] then
+				f_out:write(address .. "\n")
+				written_domains[address] = true
+			end
+		end
+		process_address(t.address)
+		process_address(t.download_address)
+	end)
+	f_out:close()
+end
+if is_file_nonzero(file_vpslist) then
+	local sets = {
+		setflag .. "passwall_vps",
+		setflag .. "passwall_vps6"
+	}
+	tmp_lines = {
+		"group vpslist",
+		"group-dnl " .. file_vpslist,
+		"group-upstream " .. DNS_LOCAL,
+		"group-ipset " .. table.concat(sets, ",")
+	}
+	insert_array_after(config_lines, tmp_lines, "#--6")
+	log(string.format("  - 节点列表中的域名(vpslist)：%s", DNS_LOCAL or "默认"))
+end
+
+--直连（白名单）列表
+local file_direct_host = TMP_ACL_PATH .. "/direct_host"
+if USE_DIRECT_LIST == "1" and not fs.access(file_direct_host) then
+	local direct_domain, lookup_direct_domain = {}, {}
+	local geosite_arg = ""
+	for line in io.lines(RULES_PATH .. "/direct_host") do
+		if not line:find("#") and line:find("geosite:") then
+			line = string.match(line, ":([^:]+)$")
+			geosite_arg = geosite_arg .. (geosite_arg ~= "" and "," or "") .. line
+		else
+			line = api.get_std_domain(line)
+			if line ~= "" and not line:find("#") then
+				insert_unique(direct_domain, line, lookup_direct_domain)
+			end
+		end
+	end
+	if #direct_domain > 0 then
+		local f_out = io.open(file_direct_host, "w")
+		for i = 1, #direct_domain do
+			f_out:write(direct_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+	if USE_GEOVIEW == "1" and geosite_arg ~= "" and api.is_finded("geoview") then
+		if get_geosite(geosite_arg, file_direct_host) == 0 then
+			log("  * 解析[直连列表] Geosite 到域名白名单(whitelist)完成")
+		else
+			log("  * 解析[直连列表] Geosite 到域名白名单(whitelist)失败！")
+		end
+	end
+end
+if USE_DIRECT_LIST == "1" and is_file_nonzero(file_direct_host) then
+	local sets = {
+		setflag .. "passwall_white",
+		setflag .. "passwall_white6"
+	}
+	tmp_lines = {
+		"group directlist",
+		"group-dnl " .. file_direct_host,
+		"group-upstream " .. DNS_LOCAL,
+		"group-ipset " .. table.concat(sets, ",")
+	}
+	insert_array_after(config_lines, tmp_lines, "#--4")
+	log(string.format("  - 域名白名单(whitelist)：%s", DNS_LOCAL or "默认"))
+end
+
+--代理（黑名单）列表
+local file_proxy_host = TMP_ACL_PATH .. "/proxy_host"
+if USE_PROXY_LIST == "1" and not fs.access(file_proxy_host) then
+	local proxy_domain, lookup_proxy_domain = {}, {}
+	local geosite_arg = ""
+	for line in io.lines(RULES_PATH .. "/proxy_host") do
+		if not line:find("#") and line:find("geosite:") then
+			line = string.match(line, ":([^:]+)$")
+			geosite_arg = geosite_arg .. (geosite_arg ~= "" and "," or "") .. line
+		else
+			line = api.get_std_domain(line)
+			if line ~= "" and not line:find("#") then
+				insert_unique(proxy_domain, line, lookup_proxy_domain)
+			end
+		end
+	end
+	if #proxy_domain > 0 then
+		local f_out = io.open(file_proxy_host, "w")
+		for i = 1, #proxy_domain do
+			f_out:write(proxy_domain[i] .. "\n")
+		end
+		f_out:close()
+	end
+	if USE_GEOVIEW == "1" and geosite_arg ~= "" and api.is_finded("geoview") then
+		if get_geosite(geosite_arg, file_proxy_host) == 0 then
+			log("  * 解析[代理列表] Geosite 到代理域名表(blacklist)完成")
+		else
+			log("  * 解析[代理列表] Geosite 到代理域名表(blacklist)失败！")
+		end
+	end
+end
+if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then
+	local sets = {
+		setflag .. "passwall_black",
+		setflag .. "passwall_black6"
+	}
+	if FLAG ~= "default" then
+		sets = {
+			setflag .. "passwall_" .. FLAG .. "_black",
+			setflag .. "passwall_" .. FLAG .. "_black6"
+		}
+	end
+	tmp_lines = {
+		"group proxylist",
+		"group-dnl " .. file_proxy_host,
+		"group-upstream " .. DNS_TRUST,
+		REMOTE_FAKEDNS ~= "1" and "group-ipset " .. table.concat(sets, ",") or ""
+	}
+	if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:proxylist") end
+	insert_array_after(config_lines, tmp_lines, "#--3")
+	log(string.format("  - 代理域名表(blacklist)：%s", DNS_TRUST or "默认"))
+end
+
+--内置组(chn/gfw)优先级在自定义组后
+--GFW列表
+if GFWLIST == "1" and is_file_nonzero(RULES_PATH .. "/gfwlist") then
+	local sets = {
+		setflag .. "passwall_gfw",
+		setflag .. "passwall_gfw6"
+	}
+	if FLAG ~= "default" then
+		sets = {
+			setflag .. "passwall_" .. FLAG .. "_gfw",
+			setflag .. "passwall_" .. FLAG .. "_gfw6"
+		}
+	end
+	tmp_lines = {
+		"gfwlist-file " .. RULES_PATH .. "/gfwlist",
+		REMOTE_FAKEDNS ~= "1" and "add-taggfw-ip " .. table.concat(sets, ",") or ""
+	}
+	if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:gfw") end
+	merge_array(config_lines, tmp_lines)
+	log(string.format("  - 防火墙域名表(gfwlist)：%s", DNS_TRUST or "默认"))
+end
+
+--中国列表
+if CHNLIST ~= "0" and is_file_nonzero(RULES_PATH .. "/chnlist") then
+	if CHNLIST == "direct" then
+		tmp_lines = {
+			"chnlist-file " .. RULES_PATH .. "/chnlist",
+			"ipset-name4 " .. setflag .. "passwall_chn",
+			"ipset-name6 " .. setflag .. "passwall_chn6",
+			"add-tagchn-ip",
+			"chnlist-first"
+		}
+		merge_array(config_lines, tmp_lines)
+		log(string.format("  - 中国域名表(chnroute)：%s", DNS_LOCAL or "默认"))
+	end
+
+	--回中国模式
+	if CHNLIST == "proxy" then
+		local sets = {
+			setflag .. "passwall_chn",
+			setflag .. "passwall_chn6"
+		}
+		tmp_lines = {
+			"group chn_proxy",
+			"group-dnl " .. RULES_PATH .. "/chnlist",
+			"group-upstream " .. DNS_TRUST,
+			REMOTE_FAKEDNS ~= "1" and "group-ipset " .. table.concat(sets, ",") or ""
+		}
+		if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:chn_proxy") end
+		insert_array_after(config_lines, tmp_lines, "#--1")
+		log(string.format("  - 中国域名表(chnroute)：%s", DNS_TRUST or "默认"))
+	end
+end
+
+--分流规则
+if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then
+	local white_domain, lookup_white_domain = {}, {}
+	local shunt_domain, lookup_shunt_domain = {}, {}
+	local file_white_host = FLAG_PATH .. "/shunt_direct_host"
+	local file_shunt_host = FLAG_PATH .. "/shunt_proxy_host"
+	local geosite_white_arg, geosite_shunt_arg = "", ""
+
+	local t = uci:get_all(appname, TCP_NODE)
+	local default_node_id = t["default_node"] or "_direct"
+	uci:foreach(appname, "shunt_rules", function(s)
+		local _node_id = t[s[".name"]]
+		if _node_id and _node_id ~= "_blackhole" then
+			if _node_id == "_default" then
+				_node_id = default_node_id
+			end
+
+			local domain_list = s.domain_list or ""
+			for line in string.gmatch(domain_list, "[^\r\n]+") do
+				if line ~= "" and not line:find("#") and not line:find("regexp:") and not line:find("ext:") then
+					if line:find("geosite:") then
+						line = string.match(line, ":([^:]+)$")
+						if _node_id == "_direct" then
+							geosite_white_arg = geosite_white_arg .. (geosite_white_arg ~= "" and "," or "") .. line
+						else
+							geosite_shunt_arg = geosite_shunt_arg .. (geosite_shunt_arg ~= "" and "," or "") .. line
+						end
+					else
+						if line:find("domain:") or line:find("full:") then
+							line = string.match(line, ":([^:]+)$")
+						end
+						line = api.get_std_domain(line)
+						if line ~= "" and not line:find("#") then
+							if _node_id == "_direct" then
+								insert_unique(white_domain, line, lookup_white_domain)
+							else
+								insert_unique(shunt_domain, line, lookup_shunt_domain)
+							end
+						end
+					end
+				end
+			end
+
+			if _node_id ~= "_direct" then
+				log(string.format("  - Sing-Box/Xray分流规则(%s)：%s", s.remarks, DNS_TRUST or "默认"))
+			end
+		end
+	end)
+
+	if is_file_nonzero(file_white_host) == nil then
+		if #white_domain > 0 then
+			local f_out = io.open(file_white_host, "w")
+			for i = 1, #white_domain do
+				f_out:write(white_domain[i] .. "\n")
+			end
+			f_out:close()
+		end
+	end
+
+	if is_file_nonzero(file_shunt_host) == nil then
+		if #shunt_domain > 0 then
+			local f_out = io.open(file_shunt_host, "w")
+			for i = 1, #shunt_domain do
+				f_out:write(shunt_domain[i] .. "\n")
+			end
+			f_out:close()
+		end
+	end
+
+	if GFWLIST == "1" and CHNLIST == "0" and USE_GEOVIEW == "1" and api.is_finded("geoview") then  --仅GFW模式解析geosite
+		local return_white, return_shunt
+		if geosite_white_arg ~= "" then
+			return_white = get_geosite(geosite_white_arg, file_white_host)
+		end
+		if geosite_shunt_arg ~= "" then
+			return_shunt = get_geosite(geosite_shunt_arg, file_shunt_host)
+		end
+		if (return_white == nil or return_white == 0) and (return_shunt == nil or return_shunt == 0) then
+			log("  * 解析[分流节点] Geosite 完成")
+		else
+			log("  * 解析[分流节点] Geosite 失败！")
+		end
+	end
+
+	local sets = {
+		setflag .. "passwall_shunt",
+		setflag .. "passwall_shunt6"
+	}
+	if FLAG ~= "default" then
+		sets = {
+			setflag .. "passwall_" .. FLAG .. "_shunt",
+			setflag .. "passwall_" .. FLAG .. "_shunt6"
+		}
+	end
+
+	if is_file_nonzero(file_white_host) then
+		if USE_DIRECT_LIST == "1" then
+			--当白名单启用时，添加到白名单组一同处理
+			for i, v in ipairs(config_lines) do
+				if v == "group-dnl " .. file_direct_host then
+					config_lines[i] = "group-dnl " .. file_direct_host .. "," .. file_white_host
+					break
+				end
+			end
+		else
+			--当白名单不启用时，创建新组，ipset到shuntlist
+			tmp_lines = {
+				"group whitelist",
+				"group-dnl " .. file_white_host,
+				"group-upstream " .. DNS_LOCAL,
+				"group-ipset " .. table.concat(sets, ",")
+			}
+			insert_array_after(config_lines, tmp_lines, "#--4")
+		end
+		
+	end
+
+	if is_file_nonzero(file_shunt_host) then
+		tmp_lines = {
+			"group shuntlist",
+			"group-dnl " .. file_shunt_host,
+			"group-upstream " .. DNS_TRUST,
+			(not only_global and REMOTE_FAKEDNS == "1") and "" or ("group-ipset " .. table.concat(sets, ","))
+		}
+		if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:shuntlist") end
+		insert_array_after(config_lines, tmp_lines, "#--2")
+	end
+
+end
+
+--只使用gfwlist模式，GFW列表以外的域名及默认使用本地DNS
+if GFWLIST == "1" and CHNLIST == "0" then DEFAULT_TAG = "chn" end
+
+--回中国模式，中国列表以外的域名及默认使用本地DNS
+if CHNLIST == "proxy" then DEFAULT_TAG = "chn" end
+
+--全局模式，默认使用远程DNS
+if only_global then
+	DEFAULT_TAG = "gfw"
+	if NO_IPV6_TRUST == "1" and uci:get(appname, TCP_NODE, "protocol") ~= "_shunt" then 
+		table.insert(config_lines, "no-ipv6")
+	end
+end
+
+--是否接受直连 DNS 空响应
+if DEFAULT_TAG == "none_noip" then table.insert(config_lines, "noip-as-chnip") end
+
+if DEFAULT_TAG == nil or DEFAULT_TAG == "smart" or DEFAULT_TAG == "none_noip" then DEFAULT_TAG = "none" end
+
+table.insert(config_lines, "default-tag " .. DEFAULT_TAG)
+
+if DEFAULT_TAG == "none" then
+	table.insert(config_lines, "verdict-cache 5000")
+end
+
+table.insert(config_lines, "hosts")
+
+if DEFAULT_TAG == "chn" then
+	log(string.format("  - 默认 DNS ：%s", DNS_LOCAL))
+elseif  DEFAULT_TAG == "gfw" then
+	log(string.format("  - 默认 DNS ：%s", DNS_TRUST))
+else
+	log(string.format("  - 默认 DNS ：%s", "智能匹配"))
+end
+
+--输出配置文件
+if #config_lines > 0 then
+	for i = 1, #config_lines do
+		line = config_lines[i]
+		if line ~= "" and not line:find("^#--") then
+			print(line)
+		end
+	end
+end
+
+log("  - ChinaDNS-NG已作为Dnsmasq上游，如果你自行配置了错误的DNS流程，将会导致域名(直连/代理域名)分流失效！！！")