From ef0522cdf1a35d3c639b4e95382072827ef819e4 Mon Sep 17 00:00:00 2001 From: actions-user Date: Tue, 18 Nov 2025 00:14:08 +0800 Subject: [PATCH] =?UTF-8?q?=F0=9F=8E=84=20Sync=202025-11-18=2000:14:08?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../model/cbi/passwall/client/acl_config.lua | 82 ++++++------ .../model/cbi/passwall/client/global.lua | 6 + .../luasrc/passwall/util_sing-box.lua | 7 +- .../luasrc/passwall/util_xray.lua | 21 ++-- .../root/usr/share/passwall/app.sh | 117 +++++++++++------- luci-app-ssr-plus/root/usr/bin/ssr-rules | 52 +++++--- openwrt-bandix/Makefile | 4 +- 7 files changed, 175 insertions(+), 114 deletions(-) diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua index fda92a8..07970ce 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua @@ -336,7 +336,7 @@ o.remove = function(self, section) local new_val = (v.type == "Xray") and "xray" or "sing-box" m:set(section, self.option, new_val) - local dns_field = s.fields[new_val .. "_dns_mode"] + local dns_field = s.fields[v.type == "Xray" and "xray_dns_mode" or "singbox_dns_mode"] local v2ray_dns_mode = dns_field and dns_field:formvalue(section) if v2ray_dns_mode then m:set(section, "v2ray_dns_mode", v2ray_dns_mode) @@ -348,6 +348,8 @@ o.remove = function(self, section) end o = s:option(ListValue, "xray_dns_mode", translate("Request protocol")) +o.default = "tcp" +o:value("udp", "UDP") o:value("tcp", "TCP") o:value("tcp+doh", "TCP + DoH (" .. translate("A/AAAA type") .. ")") o:depends("dns_mode", "xray") @@ -361,6 +363,8 @@ o.write = function(self, section, value) end o = s:option(ListValue, "singbox_dns_mode", translate("Request protocol")) +o.default = "tcp" +o:value("udp", "UDP") o:value("tcp", "TCP") o:value("doh", "DoH") o:depends("dns_mode", "sing-box") 
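Review bot: The new `udp` choice in `xray_dns_mode` and `singbox_dns_mode` carries no hint that plain-UDP remote DNS only works when the selected node relays UDP; with a TCP-only node the resolver is likely to time out rather than fail visibly, which is hard to diagnose from the UI. A one-line description on both options would save that debugging round, e.g. `o.description = translate("UDP requires a node that forwards UDP traffic; otherwise choose TCP or DoH")`. The corrected `s.fields[...]` lookup in `o.remove` is right, since the field key is `singbox_dns_mode` while the stored value is `sing-box`. The `o.remove` handler and the surrounding option definitions start and end outside these hunks.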
@@ -385,53 +389,53 @@ o:value("149.112.112.112", "149.112.112.112 (Quad9-Recommended)") o:value("208.67.220.220", "208.67.220.220 (OpenDNS)") o:value("208.67.222.222", "208.67.222.222 (OpenDNS)") o:depends({dns_mode = "dns2socks"}) +o:depends({xray_dns_mode = "udp"}) o:depends({xray_dns_mode = "tcp"}) o:depends({xray_dns_mode = "tcp+doh"}) +o:depends({singbox_dns_mode = "udp"}) o:depends({singbox_dns_mode = "tcp"}) -if has_singbox or has_xray then - o = s:option(Value, "remote_dns_doh", translate("Remote DNS DoH")) - o:value("https://1.1.1.1/dns-query", "CloudFlare") - o:value("https://1.1.1.2/dns-query", "CloudFlare-Security") - o:value("https://8.8.4.4/dns-query", "Google 8844") - o:value("https://8.8.8.8/dns-query", "Google 8888") - o:value("https://9.9.9.9/dns-query", "Quad9-Recommended 9.9.9.9") - o:value("https://149.112.112.112/dns-query", "Quad9-Recommended 149.112.112.112") - o:value("https://208.67.222.222/dns-query", "OpenDNS") - o:value("https://dns.adguard.com/dns-query,176.103.130.130", "AdGuard") - o:value("https://doh.libredns.gr/dns-query,116.202.176.26", "LibreDNS") - o:value("https://doh.libredns.gr/ads,116.202.176.26", "LibreDNS (No Ads)") - o.default = "https://1.1.1.1/dns-query" - o.validate = function(self, value, t) - if value ~= "" then - value = api.trim(value) - local flag = 0 - local util = require "luci.util" - local val = util.split(value, ",") - local url = val[1] - val[1] = nil - for i = 1, #val do - local v = val[i] - if v then - if not api.datatypes.ipmask4(v) then - flag = 1 - end +o = s:option(Value, "remote_dns_doh", translate("Remote DNS DoH")) +o:value("https://1.1.1.1/dns-query", "1.1.1.1 (CloudFlare)") +o:value("https://1.1.1.2/dns-query", "1.1.1.2 (CloudFlare-Security)") +o:value("https://8.8.4.4/dns-query", "8.8.4.4 (Google)") +o:value("https://8.8.8.8/dns-query", "8.8.8.8 (Google)") +o:value("https://9.9.9.9/dns-query", "9.9.9.9 (Quad9)") +o:value("https://149.112.112.112/dns-query", "149.112.112.112 (Quad9)") 
+o:value("https://208.67.222.222/dns-query", "208.67.222.222 (OpenDNS)") +o:value("https://dns.adguard.com/dns-query,94.140.14.14", "94.140.14.14 (AdGuard)") +o:value("https://doh.libredns.gr/dns-query,116.202.176.26", "116.202.176.26 (LibreDNS)") +o:value("https://doh.libredns.gr/ads,116.202.176.26", "116.202.176.26 (LibreDNS-NoAds)") +o.default = "https://1.1.1.1/dns-query" +o.validate = function(self, value, t) + if value ~= "" then + value = api.trim(value) + local flag = 0 + local util = require "luci.util" + local val = util.split(value, ",") + local url = val[1] + val[1] = nil + for i = 1, #val do + local v = val[i] + if v then + if not api.datatypes.ipmask4(v) then + flag = 1 end end - if flag == 0 then - return value - end end - return nil, translate("DoH request address") .. " " .. translate("Format must be:") .. " URL,IP" + if flag == 0 then + return value + end end - o:depends({xray_dns_mode = "tcp+doh"}) - o:depends({singbox_dns_mode = "doh"}) - - o = s:option(Value, "remote_dns_client_ip", translate("EDNS Client Subnet")) - o.datatype = "ipaddr" - o:depends({dns_mode = "sing-box"}) - o:depends({dns_mode = "xray"}) + return nil, translate("DoH request address") .. " " .. translate("Format must be:") .. " URL,IP" end +o:depends({xray_dns_mode = "tcp+doh"}) +o:depends({singbox_dns_mode = "doh"}) + +o = s:option(Value, "remote_dns_client_ip", translate("EDNS Client Subnet")) +o.datatype = "ipaddr" +o:depends({dns_mode = "sing-box"}) +o:depends({dns_mode = "xray"}) o = s:option(ListValue, "chinadns_ng_default_tag", translate("Default DNS")) o.default = "none" diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua index cd0f0cd..86081f9 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua 
@@ -431,6 +431,8 @@ if api.is_finded("smartdns") then
 end
 
 o = s:taboption("DNS", ListValue, "xray_dns_mode", translate("Remote DNS") .. " " .. translate("Request protocol"))
+o.default = "tcp"
+o:value("udp", "UDP")
 o:value("tcp", "TCP")
 o:value("tcp+doh", "TCP + DoH (" .. translate("A/AAAA type") .. ")")
 o:depends("dns_mode", "xray")
@@ -445,6 +447,8 @@ o.write = function(self, section, value)
 end
 
 o = s:taboption("DNS", ListValue, "singbox_dns_mode", translate("Remote DNS") .. " " .. translate("Request protocol"))
+o.default = "tcp"
+o:value("udp", "UDP")
 o:value("tcp", "TCP")
 o:value("doh", "DoH")
 o:depends("dns_mode", "sing-box")
@@ -490,8 +494,10 @@ end
 o:depends({dns_mode = "dns2socks"})
 o:depends({dns_mode = "tcp"})
 o:depends({dns_mode = "udp"})
+o:depends({xray_dns_mode = "udp"})
 o:depends({xray_dns_mode = "tcp"})
 o:depends({xray_dns_mode = "tcp+doh"})
+o:depends({singbox_dns_mode = "udp"})
 o:depends({singbox_dns_mode = "tcp"})
 
 ---- DoH
diff --git a/luci-app-passwall/luasrc/passwall/util_sing-box.lua b/luci-app-passwall/luasrc/passwall/util_sing-box.lua
index ed69645..6ea08be 100644
--- a/luci-app-passwall/luasrc/passwall/util_sing-box.lua
+++ b/luci-app-passwall/luasrc/passwall/util_sing-box.lua
@@ -1544,8 +1544,7 @@ function gen_config(var)
 }
 
 if remote_dns_udp_server then
- local server_port = tonumber(remote_dns_port) or 53
- remote_server.address = "udp://" .. remote_dns_udp_server .. ":" .. server_port
+ remote_server.address = remote_dns_udp_server
 end
 
 if remote_dns_tcp_server then
@@ -1597,9 +1596,9 @@ function gen_config(var)
 if remote_dns_udp_server then
 local server_port = tonumber(remote_dns_port) or 53
 remote_server.type = "udp"
- remote_server.server = remote_dns_udp_server
+ remote_server.server = remote_dns_server
 remote_server.server_port = server_port
- tmp_address = remote_dns_udp_server
+ tmp_address = remote_dns_server
 end
 
 if remote_dns_tcp_server then
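Review bot: `remote_server.address = remote_dns_udp_server` now assumes the caller already prefixed scheme and port; in this patch `run_singbox` in app.sh does pass `udp://host:port`, but the removed code accepted a bare host, so any other caller of `gen_config` (not visible here) would now emit an address with no scheme. A defensive normalisation keeps both shapes working: `if not remote_dns_udp_server:match("^udp://") then remote_dns_udp_server = "udp://" .. remote_dns_udp_server .. ":" .. (tonumber(remote_dns_port) or 53) end`. In the second hunk `remote_dns_server` is presumably the bare `-remote_dns_server` argument, but its declaration is outside the hunk so I cannot confirm it is always set on the UDP path. `gen_config` starts and ends outside these hunks.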
diff --git a/luci-app-passwall/luasrc/passwall/util_xray.lua b/luci-app-passwall/luasrc/passwall/util_xray.lua
index 22b18b1..a55d3a8 100644
--- a/luci-app-passwall/luasrc/passwall/util_xray.lua
+++ b/luci-app-passwall/luasrc/passwall/util_xray.lua
@@ -580,6 +580,8 @@ function gen_config(var)
 local direct_dns_udp_server = var["-direct_dns_udp_server"]
 local direct_dns_tcp_server = var["-direct_dns_tcp_server"]
 local direct_dns_query_strategy = var["-direct_dns_query_strategy"]
+ local remote_dns_udp_server = var["-remote_dns_udp_server"]
+ local remote_dns_udp_port = var["-remote_dns_udp_port"]
 local remote_dns_tcp_server = var["-remote_dns_tcp_server"]
 local remote_dns_tcp_port = var["-remote_dns_tcp_port"]
 local remote_dns_doh_url = var["-remote_dns_doh_url"]
@@ -1175,7 +1177,7 @@ function gen_config(var)
 end
 end
 
- if remote_dns_tcp_server and remote_dns_tcp_port then
+ if (remote_dns_udp_server and remote_dns_udp_port) or (remote_dns_tcp_server and remote_dns_tcp_port) then
 if not routing then
 routing = {
 domainStrategy = "IPOnDemand",
@@ -1230,8 +1232,13 @@ function gen_config(var)
 local _remote_dns = {
 --tag = "dns-global-remote",
 queryStrategy = (remote_dns_query_strategy and remote_dns_query_strategy ~= "") and remote_dns_query_strategy or "UseIPv4",
- address = "tcp://" .. remote_dns_tcp_server .. ":" .. tonumber(remote_dns_tcp_port) or 53
 }
+ if remote_dns_udp_server then
+ _remote_dns.address = remote_dns_udp_server
+ _remote_dns.port = tonumber(remote_dns_udp_port) or 53
+ else
+ address = "tcp://" .. remote_dns_tcp_server .. ":" .. tonumber(remote_dns_tcp_port) or 53
+ end
 
 local _remote_dns_host
 if remote_dns_doh_url and remote_dns_doh_host then
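Review bot: In the new `else` branch the assignment targets a bare global `address`, not `_remote_dns.address`, so with `remote_dns_protocol=tcp` (the UI default) the remote DNS entry ends up with no address at all and `gen_config` leaks a global; the line should read `_remote_dns.address = "tcp://" .. remote_dns_tcp_server .. ":" .. (tonumber(remote_dns_tcp_port) or 53)`. The parentheses matter: `..` binds tighter than `or`, so the removed form applied `or 53` to the whole concatenated string and would raise on a nil port instead of defaulting to 53. The UDP branch already has the fallback in the right place. `gen_config` starts and ends outside the hunk.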
@@ -1309,8 +1316,8 @@ function gen_config(var)
 protocol = "dokodemo-door",
 tag = "dns-in",
 settings = {
- address = remote_dns_tcp_server,
- port = tonumber(remote_dns_tcp_port),
+ address = remote_dns_udp_server or remote_dns_tcp_server,
+ port = tonumber(remote_dns_udp_port) or tonumber(remote_dns_tcp_port),
 network = "tcp,udp"
 }
 })
@@ -1322,9 +1329,9 @@ function gen_config(var)
 tag = dns_outbound_tag
 } or nil,
 settings = {
- address = remote_dns_tcp_server,
- port = tonumber(remote_dns_tcp_port),
- network = "tcp",
+ address = remote_dns_udp_server or remote_dns_tcp_server,
+ port = tonumber(remote_dns_udp_port) or tonumber(remote_dns_tcp_port),
+ network = remote_dns_udp_server and "udp" or "tcp",
 nonIPQuery = "drop"
 }
 })
diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh
index 0d863e9..eecfeb0 100755
--- a/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -486,11 +486,12 @@ run_singbox() {
 [ -n "$remote_dns_query_strategy" ] && _extra_param="${_extra_param} -remote_dns_query_strategy ${remote_dns_query_strategy}"
 
 case "$remote_dns_protocol" in
- tcp)
- local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g')
+ udp|tcp)
+ local _proto="$remote_dns_protocol"
+ local _dns=$(get_first_dns remote_dns_${_proto}_server 53 | sed 's/#/:/g')
 local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
 local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
- _extra_param="${_extra_param} -remote_dns_server ${_dns_address} -remote_dns_port ${_dns_port} -remote_dns_tcp_server tcp://${_dns}"
+ _extra_param="${_extra_param} -remote_dns_server ${_dns_address} -remote_dns_port ${_dns_port} -remote_dns_${_proto}_server ${_proto}://${_dns}"
 ;;
 doh)
 local _doh_url _doh_host _doh_port _doh_bootstrap
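Review bot: Both `settings` blocks pick `address` and `port` independently (`remote_dns_udp_server or remote_dns_tcp_server` next to `tonumber(remote_dns_udp_port) or tonumber(remote_dns_tcp_port)`), so a UDP server whose `-remote_dns_udp_port` is missing or non-numeric silently pairs the UDP host with the TCP port. Select them as a pair once above the inbound, e.g. `local _dns_srv, _dns_port = remote_dns_tcp_server, tonumber(remote_dns_tcp_port)` followed by `if remote_dns_udp_server then _dns_srv, _dns_port = remote_dns_udp_server, tonumber(remote_dns_udp_port) end`, and use `_dns_srv`/`_dns_port` in both `dns-in` and the `dns` outbound. The shell caller in this patch always sets both values, so this is a robustness point rather than a live bug. `gen_config` starts and ends outside these hunks.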
@@ -508,7 +509,7 @@ run_singbox() {
 
 run_xray() {
 local flag type node tcp_redir_port tcp_proxy_way udp_redir_port socks_address socks_port socks_username socks_password http_address http_port http_username http_password
- local dns_listen_port direct_dns_query_strategy direct_dns_port direct_dns_udp_server direct_dns_tcp_server remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_fakedns remote_dns_query_strategy dns_cache dns_socks_address dns_socks_port
+ local dns_listen_port direct_dns_query_strategy direct_dns_port direct_dns_udp_server direct_dns_tcp_server remote_dns_protocol remote_dns_udp_server remote_dns_tcp_server remote_dns_doh remote_dns_client_ip remote_fakedns remote_dns_query_strategy dns_cache dns_socks_address dns_socks_port
 local loglevel log_file config_file server_host server_port no_run
 local _extra_param=""
 eval_set_val $@
@@ -557,18 +558,27 @@ run_xray() {
 [ -n "$remote_dns_client_ip" ] && _extra_param="${_extra_param} -remote_dns_client_ip ${remote_dns_client_ip}"
 [ "$remote_fakedns" = "1" ] && _extra_param="${_extra_param} -remote_dns_fake 1"
 [ -n "$dns_cache" ] && _extra_param="${_extra_param} -dns_cache ${dns_cache}"
- [ -n "${remote_dns_tcp_server}" ] && {
- local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g')
- local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
- local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
- _extra_param="${_extra_param} -remote_dns_tcp_server ${_dns_address} -remote_dns_tcp_port ${_dns_port}"
- }
- [ -n "${remote_dns_doh}" ] && {
- local _doh_url _doh_host _doh_port _doh_bootstrap
- parse_doh "$remote_dns_doh" _doh_url _doh_host _doh_port _doh_bootstrap
- [ -n "$_doh_bootstrap" ] && _extra_param="${_extra_param} -remote_dns_doh_ip ${_doh_bootstrap}"
- _extra_param="${_extra_param} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}"
- }
+
+ case "$remote_dns_protocol" in
+ udp)
+ local _dns=$(get_first_dns remote_dns_udp_server 53 | sed 's/#/:/g')
+ local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
+ local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
+ _extra_param="${_extra_param} -remote_dns_udp_server ${_dns_address} -remote_dns_udp_port ${_dns_port}"
+ ;;
+ tcp|tcp+doh)
+ local _dns=$(get_first_dns remote_dns_tcp_server 53 | sed 's/#/:/g')
+ local _dns_address=$(echo ${_dns} | awk -F ':' '{print $1}')
+ local _dns_port=$(echo ${_dns} | awk -F ':' '{print $2}')
+ _extra_param="${_extra_param} -remote_dns_tcp_server ${_dns_address} -remote_dns_tcp_port ${_dns_port}"
+ [ "$remote_dns_protocol" = "tcp+doh" ] && {
+ local _doh_url _doh_host _doh_port _doh_bootstrap
+ parse_doh "$remote_dns_doh" _doh_url _doh_host _doh_port _doh_bootstrap
+ [ -n "$_doh_bootstrap" ] && _extra_param="${_extra_param} -remote_dns_doh_ip ${_doh_bootstrap}"
+ _extra_param="${_extra_param} -remote_dns_doh_port ${_doh_port} -remote_dns_doh_url ${_doh_url} -remote_dns_doh_host ${_doh_host}"
+ }
+ ;;
+ esac
 _extra_param="${_extra_param} -loglevel $loglevel"
 [ -n "$no_run" ] && _extra_param="${_extra_param} -no_run 1"
 lua $UTIL_XRAY gen_config ${_extra_param} > $config_file
@@ -963,9 +973,10 @@ run_redir() {
 
 _args="${_args} remote_dns_protocol=${v2ray_dns_mode}"
 case "$v2ray_dns_mode" in
- tcp)
- _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
- resolve_dns_log="Sing-Box DNS(127.0.0.1#${resolve_dns_port}) -> tcp://${REMOTE_DNS}"
+ udp|tcp)
+ local _proto="$v2ray_dns_mode"
+ _args="${_args} remote_dns_${_proto}_server=${REMOTE_DNS}"
+ resolve_dns_log="Sing-Box DNS(127.0.0.1#${resolve_dns_port}) -> ${_proto}://${REMOTE_DNS}"
 ;;
 doh)
 remote_dns_doh=$(config_t_get global remote_dns_doh "https://1.1.1.1/dns-query")
@@ -1041,14 +1052,23 @@ run_redir() {
 ;;
 esac
 
- _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
- if [ "$v2ray_dns_mode" = "tcp+doh" ]; then
- remote_dns_doh=$(config_t_get global remote_dns_doh "https://1.1.1.1/dns-query")
- _args="${_args} remote_dns_doh=${remote_dns_doh}"
- resolve_dns_log="Xray DNS(127.0.0.1#${resolve_dns_port}) -> (${remote_dns_doh})(A/AAAA) + tcp://${REMOTE_DNS}"
- else
- resolve_dns_log="Xray DNS(127.0.0.1#${resolve_dns_port}) -> tcp://${REMOTE_DNS}"
- fi
+ _args="${_args} remote_dns_protocol=${v2ray_dns_mode}"
+ case "$v2ray_dns_mode" in
+ udp)
+ _args="${_args} remote_dns_udp_server=${REMOTE_DNS}"
+ resolve_dns_log="Xray DNS(127.0.0.1#${resolve_dns_port}) -> udp://${REMOTE_DNS}"
+ ;;
+ tcp|tcp+doh)
+ _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
+ if [ "$v2ray_dns_mode" = "tcp+doh" ]; then
+ remote_dns_doh=$(config_t_get global remote_dns_doh "https://1.1.1.1/dns-query")
+ _args="${_args} remote_dns_doh=${remote_dns_doh}"
+ resolve_dns_log="Xray DNS(127.0.0.1#${resolve_dns_port}) -> (${remote_dns_doh})(A/AAAA) + tcp://${REMOTE_DNS}"
+ else
+ resolve_dns_log="Xray DNS(127.0.0.1#${resolve_dns_port}) -> tcp://${REMOTE_DNS}"
+ fi
+ ;;
+ esac
 local remote_fakedns=$(config_t_get global remote_fakedns 0)
 [ "${remote_fakedns}" = "1" ] && {
 fakedns=1
@@ -1498,9 +1518,10 @@ start_dns() {
 _args="${_args} dns_listen_port=${NEXT_DNS_LISTEN_PORT}"
 _args="${_args} remote_dns_protocol=${v2ray_dns_mode}"
 case "$v2ray_dns_mode" in
- tcp)
- _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
- echolog " - Sing-Box DNS(${TUN_DNS}) -> tcp://${REMOTE_DNS}"
+ udp|tcp)
+ local _proto="$v2ray_dns_mode"
+ _args="${_args} remote_dns_${_proto}_server=${REMOTE_DNS}"
+ echolog " - Sing-Box DNS(${TUN_DNS}) -> ${_proto}://${REMOTE_DNS}"
 ;;
 doh)
 remote_dns_doh=$(config_t_get global remote_dns_doh "https://1.1.1.1/dns-query")
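Review bot: The xray `case "$v2ray_dns_mode"` in `run_redir` has only `udp)` and `tcp|tcp+doh)` arms, so an empty or unknown value leaves `_args` without any `remote_dns_*_server=` and `resolve_dns_log` unset, where the removed code always appended `remote_dns_tcp_server=${REMOTE_DNS}`. Where `v2ray_dns_mode` is read lies outside the hunk, so I cannot confirm it always carries a default; adding `*) _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"; resolve_dns_log="Xray DNS(127.0.0.1#${resolve_dns_port}) -> tcp://${REMOTE_DNS}" ;;` keeps the previous behaviour for that case. `run_redir` and `start_dns` start and end outside these hunks.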
@@ -1531,19 +1552,27 @@ start_dns() {
 [ -n "${_remote_dns_client_ip}" ] && _args="${_args} remote_dns_client_ip=${_remote_dns_client_ip}"
 TCP_PROXY_DNS=1
 _args="${_args} dns_listen_port=${NEXT_DNS_LISTEN_PORT}"
- _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
- local v2ray_dns_mode=$(config_t_get global v2ray_dns_mode tcp)
- if [ "$v2ray_dns_mode" = "tcp+doh" ]; then
- remote_dns_doh=$(config_t_get global remote_dns_doh "https://1.1.1.1/dns-query")
- _args="${_args} remote_dns_doh=${remote_dns_doh}"
- echolog " - Xray DNS(${TUN_DNS}) -> (${remote_dns_doh})(A/AAAA) + tcp://${REMOTE_DNS}"
+ case "$v2ray_dns_mode" in
+ udp)
+ _args="${_args} remote_dns_udp_server=${REMOTE_DNS}"
+ echolog " - Xray DNS(${TUN_DNS}) -> udp://${REMOTE_DNS}"
+ ;;
+ tcp|tcp+doh)
+ _args="${_args} remote_dns_tcp_server=${REMOTE_DNS}"
+ local v2ray_dns_mode=$(config_t_get global v2ray_dns_mode tcp)
+ if [ "$v2ray_dns_mode" = "tcp+doh" ]; then
+ remote_dns_doh=$(config_t_get global remote_dns_doh "https://1.1.1.1/dns-query")
+ _args="${_args} remote_dns_doh=${remote_dns_doh}"
+ echolog " - Xray DNS(${TUN_DNS}) -> (${remote_dns_doh})(A/AAAA) + tcp://${REMOTE_DNS}"
 
- local _doh_url _doh_host _doh_port _doh_bootstrap
- parse_doh "$remote_dns_doh" _doh_url _doh_host _doh_port _doh_bootstrap
- [ -n "${_doh_bootstrap}" ] && REMOTE_DNS="${REMOTE_DNS},${_doh_bootstrap}#${_doh_port}"
- else
- echolog " - Xray DNS(${TUN_DNS}) -> tcp://${REMOTE_DNS}"
- fi
+ local _doh_url _doh_host _doh_port _doh_bootstrap
+ parse_doh "$remote_dns_doh" _doh_url _doh_host _doh_port _doh_bootstrap
+ [ -n "${_doh_bootstrap}" ] && REMOTE_DNS="${REMOTE_DNS},${_doh_bootstrap}#${_doh_port}"
+ else
+ echolog " - Xray DNS(${TUN_DNS}) -> tcp://${REMOTE_DNS}"
+ fi
+ ;;
+ esac
 _args="${_args} dns_socks_address=127.0.0.1 dns_socks_port=${tcp_node_socks_port}"
 run_xray ${_args}
 }
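Review bot: `local v2ray_dns_mode=$(config_t_get global v2ray_dns_mode tcp)` now sits inside the `tcp|tcp+doh)` arm, after `case "$v2ray_dns_mode"` has already dispatched on that variable; if nothing earlier in the xray branch of `start_dns` sets it, the case matches no arm and neither a server argument nor a log line is produced, and if something does set it, the in-arm read is dead. Hoist it above the `case` as the first line of the branch: `local v2ray_dns_mode=$(config_t_get global v2ray_dns_mode tcp)`. The sing-box branch in the previous hunk reads the same variable, but its assignment is outside both hunks, so I cannot tell whether it covers this path. `start_dns` starts outside the hunk.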
@@ -1849,7 +1878,7 @@ acl_app() {
 dnsmasq_filter_proxy_ipv6=0
 remote_dns_query_strategy="UseIP"
 [ "$filter_proxy_ipv6" = "1" ] && remote_dns_query_strategy="UseIPv4"
- run_${type} flag=acl_${sid} type=$dns_mode dns_socks_address=127.0.0.1 dns_socks_port=$socks_port dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh="${remote_dns_doh}" remote_dns_query_strategy=${remote_dns_query_strategy} remote_dns_client_ip=${remote_dns_client_ip} config_file=$config_file
+ run_${type} flag=acl_${sid} type=$dns_mode dns_socks_address=127.0.0.1 dns_socks_port=$socks_port dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_udp_server=${remote_dns} remote_dns_tcp_server=${remote_dns} remote_dns_doh="${remote_dns_doh}" remote_dns_query_strategy=${remote_dns_query_strategy} remote_dns_client_ip=${remote_dns_client_ip} config_file=$config_file
 fi
 set_cache_var "node_${tcp_node}_$(echo -n "${remote_dns}" | md5sum | cut -d " " -f1)" "${_dns_port}"
 }
@@ -1944,7 +1973,7 @@ acl_app() {
 remote_dns_query_strategy="UseIP"
 [ "$filter_proxy_ipv6" = "1" ] && remote_dns_query_strategy="UseIPv4"
 [ "$dns_mode" = "xray" ] && [ "$v2ray_dns_mode" = "tcp+doh" ] && remote_dns_doh=${remote_dns_doh:-https://1.1.1.1/dns-query}
- _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns_doh} remote_dns_query_strategy=${remote_dns_query_strategy} remote_dns_client_ip=${remote_dns_client_ip}"
+ _extra_param="dns_listen_port=${_dns_port} remote_dns_protocol=${v2ray_dns_mode} remote_dns_udp_server=${remote_dns} remote_dns_tcp_server=${remote_dns} remote_dns_doh=${remote_dns_doh} remote_dns_query_strategy=${remote_dns_query_strategy} remote_dns_client_ip=${remote_dns_client_ip}"
 fi
 [ -n "$udp_node" ] && ([ "$udp_node" = "tcp" ] || [ "$udp_node" = "$tcp_node" ]) && {
 config_file="${config_file//TCP_/TCP_UDP_}"
diff --git a/luci-app-ssr-plus/root/usr/bin/ssr-rules b/luci-app-ssr-plus/root/usr/bin/ssr-rules
index 75b8471..b3f9079 100755
--- a/luci-app-ssr-plus/root/usr/bin/ssr-rules
+++ b/luci-app-ssr-plus/root/usr/bin/ssr-rules
@@ -10,7 +10,8 @@
 # Detect firewall version and set appropriate tools
 detect_firewall() {
 if command -v nft >/dev/null 2>&1 && \
- [ -n "$(uci get firewall.@defaults[0].syn_flood 2>/dev/null)" ] && \
+ { [ -n "$(uci get firewall.@defaults[0].syn_flood 2>/dev/null)" ] || \
+ [ -n "$(uci get firewall.@defaults[0].synflood_protect 2>/dev/null)" ]; } && \
 ! grep -q "fw3" /etc/init.d/firewall 2>/dev/null; then
 USE_NFT=1
 NFT="nft"
@@ -181,7 +182,7 @@ ipset_nft() {
 fi
 
 # Create necessary collections
- for setname in ss_spec_wan_ac china gmlan fplan bplan whitelist blacklist netflix; do
+ for setname in china gmlan fplan bplan whitelist blacklist netflix; do
 if ! $NFT list set inet ss_spec $setname >/dev/null 2>&1; then
 $NFT add set inet ss_spec $setname '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
 else
@@ -191,7 +192,7 @@ ipset_nft() {
 
 # 批量导入中国IP列表
 if [ -f "${china_ip:=/etc/ssrplus/china_ssr.txt}" ]; then
- $NFT add element inet ss_spec china { $(tr '\n' ',' < "${china_ip}" | sed 's/,$//') } 2>/dev/null
+ $NFT add element inet ss_spec china "{ $(tr '\n' ',' < "${china_ip}" | sed 's/,$//') }" 2>/dev/null
 fi
 
 # Add IP addresses to sets
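Review bot: Quoting the set literal turns the entire China list into a single argv entry; Linux caps one argument at 128 KiB (`MAX_ARG_STRLEN`), a `china_ssr.txt` with several thousand CIDRs is in that range, and if `nft` fails with E2BIG the `2>/dev/null` hides it, leaving the `china` set empty so every domestic destination is pushed through the proxy. Feeding the list through stdin avoids the limit entirely: `{ printf 'add element inet ss_spec china { '; tr '\n' ',' < "$china_ip" | sed 's/,$//'; printf ' }\n'; } | $NFT -f - 2>/dev/null`. Whether the shipped file actually crosses the limit is not visible here; the same construct is repeated for `ss_spec_mangle` in `tp_rule_nft` later in this patch. `ipset_nft` starts and ends outside these hunks.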
@@ -231,14 +232,19 @@ ipset_nft() {
 $NFT add rule inet ss_spec ss_spec_wan_ac tcp dport 53 ip daddr 127.0.0.0/8 return
 $NFT add rule inet ss_spec ss_spec_wan_ac tcp dport != 53 ip daddr "$server" return
 
- # Add special IP ranges to WAN AC set
- for ip in $(gen_spec_iplist); do
- [ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }" 2>/dev/null
- done
-
 # Set up mode-specific rules
 case "$RUNMODE" in
 router)
+ if ! $NFT list set inet ss_spec ss_spec_wan_ac >/dev/null 2>&1; then
+ $NFT add set inet ss_spec ss_spec_wan_ac '{ type ipv4_addr; flags interval; auto-merge; }'
+ else
+ $NFT flush set inet ss_spec ss_spec_wan_ac 2>/dev/null
+ fi
+ # Add special IP ranges to WAN AC set
+ for ip in $(gen_spec_iplist); do
+ [ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }" 2>/dev/null
+ done
+
 $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @ss_spec_wan_ac return
 $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return 2>/dev/null
 if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
@@ -261,7 +267,7 @@ ipset_nft() {
 $NFT add set inet ss_spec oversea '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
 fi
 if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
- $NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @oversea jump SS_SPEC_WAN_FW 2>/dev/null
+ $NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @oversea jump ss_spec_wan_fw 2>/dev/null
 $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan jump ss_spec_wan_fw 2>/dev/null
 $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china jump ss_spec_wan_fw 2>/dev/null
 fi
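Review bot: `ss_spec_wan_ac` is the LAN/reserved-range bypass list, yet every `add element` into it is silenced with `2>/dev/null`, so a rejected entry from `gen_spec_iplist` leaves a gap and the consequence is private-range traffic being redirected into the proxy with no trace in the log. At least this set should surface failures, e.g. `[ -n "$ip" ] || continue` followed by `$NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }" || echo "ssr-rules: failed to add $ip to ss_spec_wan_ac" >&2`. Separately, the set is now created only in the `router)` arm while it was dropped from the shared creation loop, so any other `RUNMODE` arm outside this hunk that still references `@ss_spec_wan_ac` would now fail silently. `ipset_nft` starts and ends outside these hunks.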
@@ -289,21 +295,21 @@ ipset_nft() { for ip in $(cat "$SHUNT_LIST" 2>/dev/null); do [ -n "$ip" ] && $NFT add element inet ss_spec netflix "{ $ip }" 2>/dev/null done - PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //') case "$SHUNT_PORT" in 1) - $NFT insert rule inet ss_spec ss_spec_wan_ac tcp dport { $PORTS } ip daddr @netflix redirect to :"$local_port" + $NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @netflix meta l4proto tcp redirect to :"$local_port" ;; *) - $NFT insert rule inet ss_spec ss_spec_wan_ac tcp dport { $PORTS } ip daddr @netflix redirect to :"$SHUNT_PORT" + $NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @netflix meta l4proto tcp redirect to :"$SHUNT_PORT" if [ "$SHUNT_PROXY" = "1" ]; then - $NFT insert rule inet ss_spec ss_spec_wan_ac tcp dport { $PORTS } ip daddr "$SHUNT_IP" redirect to :"$local_port" + $NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr "$SHUNT_IP" meta l4proto tcp redirect to :"$local_port" else [ -n "$SHUNT_IP" ] && $NFT add element inet ss_spec whitelist "{ $SHUNT_IP }" 2>/dev/null fi ;; esac fi + return $? } @@ -397,10 +403,10 @@ fw_rule_nft() { # redirect/translation: when PROXY_PORTS present, redirect those tcp ports to local_port if [ -n "$PROXY_PORTS" ]; then PORTS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //') - RULE="tcp dport { $PORTS } redirect to :$local_port" + RULE="tcp dport { $PORTS } redirect to :"$local_port"" else # default: redirect everything except ssh(22) - RULE="tcp dport != 22 redirect to :$local_port" + RULE="tcp dport != 22 redirect to :"$local_port"" fi if ! $NFT list chain inet ss_spec ss_spec_wan_fw 2>/dev/null | grep -q "$RULE"; then if ! $NFT add rule inet ss_spec ss_spec_wan_fw $RULE 2>/dev/null; then 
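Review bot: Dropping `tcp dport { $PORTS }` from the three shunt `redirect` rules means every TCP port toward `@netflix` and `$SHUNT_IP` is now redirected, even when `PROXY_PORTS` restricts the main redirect to a port list in `fw_rule_nft` a few lines below; if the motivation was that an empty `PROXY_PORTS` produced an invalid `{ }`, build the match conditionally rather than removing it. The `RULE="... redirect to :"$local_port""` rewrite in the second hunk is a no-op, since quotes inside a plain assignment change nothing, and `RULE="tcp dport { $PORTS } redirect to :$local_port"` was already correct; the trailing `return $?` after `fi` is likewise equivalent to a bare `return`. `ipset_nft` and `fw_rule_nft` start outside these hunks.
```shell
PORT_MATCH="meta l4proto tcp"
[ -n "$PROXY_PORTS" ] && PORT_MATCH="tcp dport { $(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //') }"
case "$SHUNT_PORT" in
	1)
		$NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @netflix $PORT_MATCH redirect to :"$local_port"
		;;
	*)
		$NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr @netflix $PORT_MATCH redirect to :"$SHUNT_PORT"
		if [ "$SHUNT_PROXY" = "1" ]; then
			$NFT insert rule inet ss_spec ss_spec_wan_ac ip daddr "$SHUNT_IP" $PORT_MATCH redirect to :"$local_port"
		# … unchanged: whitelist fallback, fi, ;;, esac …
```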
@@ -628,7 +634,7 @@ tp_rule_nft() {
 fi
 
 # Create necessary collections
- for setname in ss_spec_wan_ac china gmlan fplan bplan whitelist; do
+ for setname in china gmlan fplan bplan whitelist; do
 if ! $NFT list set ip ss_spec_mangle $setname >/dev/null 2>&1; then
 $NFT add set ip ss_spec_mangle $setname '{ type ipv4_addr; flags interval; auto-merge; }'
 else
@@ -638,7 +644,7 @@ tp_rule_nft() {
 
 # 批量导入中国IP列表
 if [ -f "${china_ip:=/etc/ssrplus/china_ssr.txt}" ]; then
- $NFT add element ip ss_spec_mangle china { $(tr '\n' ',' < "${china_ip}" | sed 's/,$//') } 2>/dev/null
+ $NFT add element ip ss_spec_mangle china "{ $(tr '\n' ',' < "${china_ip}" | sed 's/,$//') }" 2>/dev/null
 fi
 
 # use priority mangle for compatibility with other rules
@@ -682,6 +688,16 @@ tp_rule_nft() {
 # Handle different run modes for nftables
 case "$RUNMODE" in
 router)
+ if ! $NFT list set ip ss_spec_mangle ss_spec_wan_ac >/dev/null 2>&1; then
+ $NFT add set ip ss_spec_mangle ss_spec_wan_ac '{ type ipv4_addr; flags interval; auto-merge; }'
+ else
+ $NFT flush set ip ss_spec_mangle ss_spec_wan_ac 2>/dev/null
+ fi
+ # Add special IP ranges to WAN AC set
+ for ip in $(gen_spec_iplist); do
+ [ -n "$ip" ] && $NFT add element ip ss_spec_mangle ss_spec_wan_ac "{ $ip }" 2>/dev/null
+ done
+
 $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @ss_spec_wan_ac return 2>/dev/null
 $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null
 $NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport 80 drop 2>/dev/null
@@ -717,7 +733,7 @@ tp_rule_nft() {
 if [ -n "$EXT_ARGS" ]; then
 $NFT add rule ip ss_spec_mangle ss_spec_tproxy udp dport { $EXT_ARGS } tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 else
- $NFT add rule ip ss_spec_mangle ss_spec_tproxy udp tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
+ $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp tproxy to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
 fi
 ;;
 esac
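Review bot: The create-or-flush-then-populate sequence for `ss_spec_wan_ac` is now duplicated verbatim between `ipset_nft` (family `inet`, table `ss_spec`) and `tp_rule_nft` (family `ip`, table `ss_spec_mangle`), and both copies silence `add element` errors on what is the LAN bypass list for TPROXY'd UDP, so a failure here sends private-range UDP into the proxy unnoticed. A small helper parameterised on family and table removes the duplication and gives one place to report failures; the `router)` arm then reduces to `ensure_wan_ac_set ip ss_spec_mangle`. The `meta l4proto udp tproxy` fix in the last hunk is correct, as `udp tproxy` is not valid nft syntax. `tp_rule_nft` starts and ends outside these hunks.
```shell
# Create (or flush) the WAN access-control bypass set and fill it from gen_spec_iplist.
# $1 = address family (inet|ip), $2 = table name
ensure_wan_ac_set() {
	if ! $NFT list set "$1" "$2" ss_spec_wan_ac >/dev/null 2>&1; then
		$NFT add set "$1" "$2" ss_spec_wan_ac '{ type ipv4_addr; flags interval; auto-merge; }'
	else
		$NFT flush set "$1" "$2" ss_spec_wan_ac 2>/dev/null
	fi
	for ip in $(gen_spec_iplist); do
		[ -n "$ip" ] || continue
		$NFT add element "$1" "$2" ss_spec_wan_ac "{ $ip }" \
			|| echo "ssr-rules: failed to add $ip to ss_spec_wan_ac" >&2
	done
}
# … unchanged: tp_rule_nft up to the RUNMODE case …
		ensure_wan_ac_set ip ss_spec_mangle
# … unchanged: ss_spec_tproxy return/drop rules …
```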
diff --git a/openwrt-bandix/Makefile b/openwrt-bandix/Makefile index 3c10621..725f200 100644 --- a/openwrt-bandix/Makefile +++ b/openwrt-bandix/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bandix -PKG_VERSION:=0.8.2 +PKG_VERSION:=0.8.3 PKG_RELEASE:=1 PKG_LICENSE:=Apache-2.0 @@ -13,7 +13,7 @@ include $(INCLUDE_DIR)/package.mk include $(TOPDIR)/feeds/packages/lang/rust/rust-values.mk # 二进制文件的文件名和URL -RUST_BANDIX_VERSION:=0.8.2 +RUST_BANDIX_VERSION:=0.8.3 RUST_BINARY_FILENAME:=bandix-$(RUST_BANDIX_VERSION)-$(RUSTC_TARGET_ARCH).tar.gz