💐 Sync 2025-11-05 00:13:10

luci-app-ssr-plus/root/etc/init.d/shadowsocksr

@@ -1258,8 +1258,18 @@ start_server() {
 		[ "$(uci_get_by_name $1 enable 0)" == "0" ] && return 1
 		let server_count=server_count+1
 		if [ "$server_count" == "1" ]; then
-			if ! (iptables-save -t filter | grep SSR-SERVER-RULE >/dev/null); then
-				iptables -N SSR-SERVER-RULE && iptables -t filter -I INPUT -j SSR-SERVER-RULE
+			if command -v nft >/dev/null 2>&1; then
+				# nftables / fw4
+				if ! nft list chain inet fw4 SSR-SERVER-RULE >/dev/null 2>&1; then
+					nft add chain inet fw4 SSR-SERVER-RULE
+					nft insert rule inet fw4 input jump SSR-SERVER-RULE
+				fi
+			else
+				# iptables / fw3
+				if ! (iptables-save -t filter | grep -q "SSR-SERVER-RULE"); then
+					iptables -N SSR-SERVER-RULE
+					iptables -t filter -I INPUT -j SSR-SERVER-RULE
+				fi
 			fi
 		fi
 		local type=$(uci_get_by_name $1 type)
@@ -1287,17 +1297,15 @@ start_server() {
 			echolog "Server:Socks5 Server$server_count Started!"
 			;;
 		esac
-		ssr_server_port=$(uci show shadowsocksr | grep 'server_config.*server_port' | awk -F"'" '{print $2}' | tr "\n" " ")
-		if [ -n "$ssr_server_port" ]; then
-			uci -q delete firewall.shadowsocksr_server
-			uci set firewall.shadowsocksr_server=rule
-			uci set firewall.shadowsocksr_server.name="shadowsocksr_server"
-			uci set firewall.shadowsocksr_server.target="ACCEPT"
-			uci set firewall.shadowsocksr_server.src="wan"
-			uci set firewall.shadowsocksr_server.dest_port="$ssr_server_port"
-			uci set firewall.shadowsocksr_server.enabled="1"
-			uci commit firewall
-			/etc/init.d/firewall reload >/dev/null 2>&1
+		server_port=$(uci_get_by_name $1 server_port)
+		if command -v nft >/dev/null 2>&1; then
+			# nftables / fw4
+			nft add rule inet fw4 SSR-SERVER-RULE tcp dport $server_port accept
+			nft add rule inet fw4 SSR-SERVER-RULE udp dport $server_port accept
+		else
+			# iptables / fw3
+			iptables -t filter -A SSR-SERVER-RULE -p tcp --dport $server_port -j ACCEPT
+			iptables -t filter -A SSR-SERVER-RULE -p udp --dport $server_port -j ACCEPT
 		fi
 		return 0
 	}
@@ -1307,17 +1315,37 @@ start_server() {
 		if [ ! -f $FWI ]; then
 			echo '#!/bin/sh' >$FWI
 		fi
-		extract_rules() {
-			echo "*filter"
-			iptables-save -t filter | grep SSR-SERVER-RULE | sed -e "s/^-A INPUT/-I INPUT/"
-			echo 'COMMIT'
-		}
-		cat <<-EOF >>$FWI
-			iptables-save -c | grep -v "SSR-SERVER" | iptables-restore -c
-			iptables-restore -n <<-EOT
-			$(extract_rules)
-			EOT
-		EOF
+		if command -v nft >/dev/null 2>&1; then
+			# nftables / fw4
+			extract_rules() {
+				nft list chain inet fw4 SSR-SERVER-RULE 2>/dev/null | \
+					grep -v 'chain SSR-SERVER-RULE' | grep -v '^\s*{' | grep -v '^\s*}' | sed 's/ counter//g'
+			}
+			cat <<-EOF >>$FWI
+				nft flush chain inet fw4 SSR-SERVER-RULE 2>/dev/null || true
+				nft -f - <<-EOT
+				table inet fw4 {
+					chain SSR-SERVER-RULE {
+						type filter hook input priority 0; policy accept;
+						$(extract_rules)
+					}
+				}
+				EOT
+			EOF
+		else
+			# iptables / fw3
+			extract_rules() {
+				echo "*filter"
+				iptables-save -t filter | grep SSR-SERVER-RULE | sed -e "s/^-A INPUT/-I INPUT/"
+				echo 'COMMIT'
+			}
+			cat <<-EOF >>$FWI
+				iptables-save -c | grep -v "SSR-SERVER" | iptables-restore -c
+				iptables-restore -n <<-EOT
+				$(extract_rules)
+				EOT
+			EOF
+		fi
 	}
 
 	config_load $NAME
@@ -1455,6 +1483,28 @@ stop() {
 	unlock
 	set_lock
 	/usr/bin/ssr-rules -f
+	if command -v nft >/dev/null 2>&1; then
+		# nftables / fw4
+		#local srulecount=$(nft list ruleset 2>/dev/null | grep -c 'SSR-SERVER-RULE')
+		#local srulecount=$(nft list chain inet fw4 SSR-SERVER-RULE 2>/dev/null | grep -c 'dport')
+		local srulecount=$(nft list chain inet fw4 SSR-SERVER-RULE | grep -vE '^\s*(chain|{|})' | wc -l)
+	else
+		# iptables / fw3
+		local srulecount=$(iptables -L | grep SSR-SERVER-RULE | wc -l)
+	fi
+	if [ $srulecount -gt 0 ]; then
+		if command -v nft >/dev/null 2>&1; then
+			# nftables / fw4
+			nft flush chain inet fw4 SSR-SERVER-RULE 2>/dev/null || true
+			nft delete rule inet fw4 input jump SSR-SERVER-RULE 2>/dev/null || true
+			nft delete chain inet fw4 SSR-SERVER-RULE 2>/dev/null || true
+		else
+			# iptables / fw3
+			iptables -F SSR-SERVER-RULE
+			iptables -t filter -D INPUT -j SSR-SERVER-RULE
+			iptables -X SSR-SERVER-RULE 2>/dev/null
+		fi
+	fi
 	if [ -z "$switch_server" ]; then
 		$PS -w | grep -v "grep" | grep ssr-switch | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1 &
 		rm -f /var/lock/ssr-switch.lock
@@ -1465,7 +1515,7 @@ stop() {
 	( \
 		# Graceful kill first, so programs have the chance to stop its subprocesses
 		$PS -w | grep -v "grep" | grep "$TMP_PATH" | awk '{print $1}' | xargs kill >/dev/null 2>&1 ; \
-		sleep 1s; \
+		sleep 3s; \
 		# Force kill hanged programs
 		$PS -w | grep -v "grep" | grep "$TMP_PATH" | awk '{print $1}' | xargs kill -9 >/dev/null 2>&1 ; \
 	)
@@ -1488,9 +1538,6 @@ stop() {
 
 		/etc/init.d/dnsmasq restart >/dev/null 2>&1
 	fi
-	uci -q delete firewall.shadowsocksr_server
-	uci commit firewall
-	/etc/init.d/firewall reload >/dev/null 2>&1
 	del_cron
 	unset_lock
 }

luci-app-ssr-plus/root/etc/ssrplus/white.list

@@ -1,37 +1,7 @@
-aaplimg.com
-account.synology.com
-apple-cloudkit.com
-apple.co
-apple.com
-apple.com.cn
-appstore.com
+bilibili.com
+bilibili.cn
+bilivideo.com
+bilivideo.cn
 biliapi.com
 biliapi.net
-bilibili.cn
-bilibili.com
-bilivideo.cn
-bilivideo.com
-bing.com
-cdn-apple.com
-checkip.dyndns.org
-checkip.synology.com
-checkipv6.synology.com
-checkport.synology.com
-crashlytics.com
-ddns.synology.com
-gitmirror.com
-icloud-content.com
-icloud.com
-icloud.com.cn
-images-cn.ssl-images-amazon.com
-mirrorlist.centos.org
-mzstatic.com
-office365.com
-officecdn-microsoft-com.akamaized.net
-teamviewer.com
-whatismyip.akamai.com
-windows.com
-windowsupdate.com
-worldbank.org
-worldscientific.com
-www-cdn.icloud.com.akadns.net
+apple.com