tqcq/small-package
0
0
Fork 0
mirror of https://github.com/kenzok8/small-package.git synced 2026-02-05 14:26:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

update 2026-01-31 12:00:52

Browse Source
This commit is contained in:
kenzok8
2026-01-31 12:00:52 +08:00
parent b44812c5be
commit bd5388e744
3 changed files with 212 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
luci-app-ssr-plus/root/etc/init.d/shadowsocksr
View File

@@ -1590,15 +1590,16 @@ start() {
Start_Run Start_Run
start_xhttp_addr start_xhttp_addr
start_rules start_rules
start_dns
# Restore ipsets after rules creation # Restore ipsets after rules creation
if [ "$HAS_IPSET" -eq 1 ]; then if [ "$HAS_IPSET" -eq 1 ]; then
for setname in gfwlist china blacklist whitelist netflix; do for setname in gfwlist china blacklist whitelist netflix; do
[ "$setname" = "gfwlist" ] && [ "$run_mode" != "gfw" ] && continue
if [ -f "/tmp/ssrplus_save/${setname}.save" ]; then if [ -f "/tmp/ssrplus_save/${setname}.save" ]; then
ipset restore -! < "/tmp/ssrplus_save/${setname}.save" 2>/dev/null ipset restore -! < "/tmp/ssrplus_save/${setname}.save" 2>/dev/null
fi fi
done done
fi fi
start_dns
add_cron add_cron
start_switch start_switch
else else
@@ -1652,11 +1653,13 @@ stop() {
# Save ipsets before stopping to persist transparent proxy state # Save ipsets before stopping to persist transparent proxy state
if [ "$HAS_IPSET" -eq 1 ]; then if [ "$HAS_IPSET" -eq 1 ]; then
mkdir -p /tmp/ssrplus_save mkdir -p /tmp/ssrplus_save
local run_mode="$(uci_get_by_type global run_mode)"
if [ "$run_mode" = "gfw" ]; then
ipset save gfwlist > /tmp/ssrplus_save/gfwlist.save 2>/dev/null ipset save gfwlist > /tmp/ssrplus_save/gfwlist.save 2>/dev/null
ipset save china > /tmp/ssrplus_save/china.save 2>/dev/null fi
ipset save blacklist > /tmp/ssrplus_save/blacklist.save 2>/dev/null for setname in china blacklist whitelist netflix; do
ipset save whitelist > /tmp/ssrplus_save/whitelist.save 2>/dev/null ipset save $setname > /tmp/ssrplus_save/$setname.save 2>/dev/null
ipset save netflix > /tmp/ssrplus_save/netflix.save 2>/dev/null done
fi fi
unlock unlock
set_lock set_lock

110
luci-app-ssr-plus/root/etc/ssrplus/gfw_base.conf
View File

@@ -1,108 +1,110 @@
ipset=/91smartyun.pt/gfwlist
ipset=/adobe.com/gfwlist
ipset=/amazonaws.com/gfwlist
ipset=/ampproject.org/gfwlist
ipset=/apple.news/gfwlist
ipset=/aws.amazon.com/gfwlist
ipset=/azureedge.net/gfwlist
ipset=/backpackers.com.tw/gfwlist
ipset=/bitfinex.com/gfwlist
ipset=/buzzfeed.com/gfwlist
ipset=/clockwise.ee/gfwlist
ipset=/cloudfront.net/gfwlist
ipset=/coindesk.com/gfwlist
ipset=/coinsquare.io/gfwlist
ipset=/cryptocompare.com/gfwlist
ipset=/dropboxstatic.com/gfwlist
ipset=/eurecom.fr/gfwlist
ipset=/gdax.com/gfwlist
ipset=/github.com/gfwlist
ipset=/kknews.cc/gfwlist
ipset=/nutaq.com/gfwlist
ipset=/openairinterface.org/gfwlist
ipset=/skype.com/gfwlist
ipset=/sublimetext.com/gfwlist
ipset=/textnow.com/gfwlist
ipset=/textnow.me/gfwlist
ipset=/trouter.io/gfwlist
ipset=/t66y.com/gfwlist
ipset=/uploaded.net/gfwlist
ipset=/whatsapp.com/gfwlist
ipset=/whatsapp.net/gfwlist
ipset=/wsj.net/gfwlist
ipset=/google.com/gfwlist
ipset=/google.com.hk/gfwlist
ipset=/gstatic.com/gfwlist
ipset=/googleusercontent.com/gfwlist
ipset=/googlepages.com/gfwlist
ipset=/googlevideo.com/gfwlist
ipset=/googlecode.com/gfwlist
ipset=/googleapis.com/gfwlist
ipset=/googlesource.com/gfwlist
ipset=/googledrive.com/gfwlist
ipset=/ggpht.com/gfwlist
ipset=/youtube.com/gfwlist
ipset=/youtu.be/gfwlist
ipset=/ytimg.com/gfwlist
ipset=/twitter.com/gfwlist
ipset=/facebook.com/gfwlist
ipset=/fastly.net/gfwlist
ipset=/akamai.net/gfwlist
ipset=/akamaiedge.net/gfwlist
ipset=/akamaihd.net/gfwlist
ipset=/edgesuite.net/gfwlist
ipset=/edgekey.net/gfwlist
server=/91smartyun.pt/127.0.0.1#5335 server=/91smartyun.pt/127.0.0.1#5335
ipset=/91smartyun.pt/gfwlist
server=/adobe.com/127.0.0.1#5335 server=/adobe.com/127.0.0.1#5335
ipset=/adobe.com/gfwlist
server=/amazonaws.com/127.0.0.1#5335 server=/amazonaws.com/127.0.0.1#5335
ipset=/amazonaws.com/gfwlist
server=/ampproject.org/127.0.0.1#5335 server=/ampproject.org/127.0.0.1#5335
ipset=/ampproject.org/gfwlist
server=/apple.news/127.0.0.1#5335 server=/apple.news/127.0.0.1#5335
ipset=/apple.news/gfwlist
server=/aws.amazon.com/127.0.0.1#5335 server=/aws.amazon.com/127.0.0.1#5335
ipset=/aws.amazon.com/gfwlist
server=/azureedge.net/127.0.0.1#5335 server=/azureedge.net/127.0.0.1#5335
ipset=/azureedge.net/gfwlist
server=/backpackers.com.tw/127.0.0.1#5335 server=/backpackers.com.tw/127.0.0.1#5335
ipset=/backpackers.com.tw/gfwlist
server=/bitfinex.com/127.0.0.1#5335 server=/bitfinex.com/127.0.0.1#5335
ipset=/bitfinex.com/gfwlist
server=/buzzfeed.com/127.0.0.1#5335 server=/buzzfeed.com/127.0.0.1#5335
ipset=/buzzfeed.com/gfwlist
server=/clockwise.ee/127.0.0.1#5335 server=/clockwise.ee/127.0.0.1#5335
ipset=/clockwise.ee/gfwlist
server=/cloudfront.net/127.0.0.1#5335 server=/cloudfront.net/127.0.0.1#5335
ipset=/cloudfront.net/gfwlist
server=/coindesk.com/127.0.0.1#5335 server=/coindesk.com/127.0.0.1#5335
ipset=/coindesk.com/gfwlist
server=/coinsquare.io/127.0.0.1#5335 server=/coinsquare.io/127.0.0.1#5335
ipset=/coinsquare.io/gfwlist
server=/cryptocompare.com/127.0.0.1#5335 server=/cryptocompare.com/127.0.0.1#5335
ipset=/cryptocompare.com/gfwlist
server=/dropboxstatic.com/127.0.0.1#5335 server=/dropboxstatic.com/127.0.0.1#5335
ipset=/dropboxstatic.com/gfwlist
server=/eurecom.fr/127.0.0.1#5335 server=/eurecom.fr/127.0.0.1#5335
ipset=/eurecom.fr/gfwlist
server=/gdax.com/127.0.0.1#5335 server=/gdax.com/127.0.0.1#5335
ipset=/gdax.com/gfwlist
server=/github.com/127.0.0.1#5335 server=/github.com/127.0.0.1#5335
ipset=/github.com/gfwlist
server=/kknews.cc/127.0.0.1#5335 server=/kknews.cc/127.0.0.1#5335
ipset=/kknews.cc/gfwlist
server=/nutaq.com/127.0.0.1#5335 server=/nutaq.com/127.0.0.1#5335
ipset=/nutaq.com/gfwlist
server=/openairinterface.org/127.0.0.1#5335 server=/openairinterface.org/127.0.0.1#5335
ipset=/openairinterface.org/gfwlist
server=/skype.com/127.0.0.1#5335 server=/skype.com/127.0.0.1#5335
ipset=/skype.com/gfwlist
server=/sublimetext.com/127.0.0.1#5335 server=/sublimetext.com/127.0.0.1#5335
ipset=/sublimetext.com/gfwlist
server=/textnow.com/127.0.0.1#5335 server=/textnow.com/127.0.0.1#5335
ipset=/textnow.com/gfwlist
server=/textnow.me/127.0.0.1#5335 server=/textnow.me/127.0.0.1#5335
ipset=/textnow.me/gfwlist
server=/trouter.io/127.0.0.1#5335 server=/trouter.io/127.0.0.1#5335
ipset=/trouter.io/gfwlist
server=/t66y.com/127.0.0.1#5335 server=/t66y.com/127.0.0.1#5335
ipset=/t66y.com/gfwlist
server=/uploaded.net/127.0.0.1#5335 server=/uploaded.net/127.0.0.1#5335
ipset=/uploaded.net/gfwlist
server=/v2rayssr.com/127.0.0.1#5335
ipset=/v2rayssr.com/gfwlist
server=/whatsapp.com/127.0.0.1#5335 server=/whatsapp.com/127.0.0.1#5335
ipset=/whatsapp.com/gfwlist
server=/whatsapp.net/127.0.0.1#5335 server=/whatsapp.net/127.0.0.1#5335
ipset=/whatsapp.net/gfwlist
server=/wsj.net/127.0.0.1#5335 server=/wsj.net/127.0.0.1#5335
ipset=/wsj.net/gfwlist
server=/google.com/127.0.0.1#5335 server=/google.com/127.0.0.1#5335
ipset=/google.com/gfwlist
server=/google.com.hk/127.0.0.1#5335 server=/google.com.hk/127.0.0.1#5335
ipset=/google.com.hk/gfwlist
server=/gstatic.com/127.0.0.1#5335 server=/gstatic.com/127.0.0.1#5335
ipset=/gstatic.com/gfwlist
server=/googleusercontent.com/127.0.0.1#5335 server=/googleusercontent.com/127.0.0.1#5335
ipset=/googleusercontent.com/gfwlist
server=/googlepages.com/127.0.0.1#5335 server=/googlepages.com/127.0.0.1#5335
ipset=/googlepages.com/gfwlist
server=/googlevideo.com/127.0.0.1#5335 server=/googlevideo.com/127.0.0.1#5335
ipset=/googlevideo.com/gfwlist
server=/googlecode.com/127.0.0.1#5335 server=/googlecode.com/127.0.0.1#5335
ipset=/googlecode.com/gfwlist
server=/googleapis.com/127.0.0.1#5335 server=/googleapis.com/127.0.0.1#5335
ipset=/googleapis.com/gfwlist
server=/googlesource.com/127.0.0.1#5335 server=/googlesource.com/127.0.0.1#5335
ipset=/googlesource.com/gfwlist
server=/googledrive.com/127.0.0.1#5335 server=/googledrive.com/127.0.0.1#5335
ipset=/googledrive.com/gfwlist
server=/ggpht.com/127.0.0.1#5335 server=/ggpht.com/127.0.0.1#5335
ipset=/ggpht.com/gfwlist
server=/youtube.com/127.0.0.1#5335 server=/youtube.com/127.0.0.1#5335
ipset=/youtube.com/gfwlist
server=/youtu.be/127.0.0.1#5335 server=/youtu.be/127.0.0.1#5335
ipset=/youtu.be/gfwlist
server=/ytimg.com/127.0.0.1#5335 server=/ytimg.com/127.0.0.1#5335
ipset=/ytimg.com/gfwlist
server=/twitter.com/127.0.0.1#5335 server=/twitter.com/127.0.0.1#5335
ipset=/twitter.com/gfwlist
server=/facebook.com/127.0.0.1#5335 server=/facebook.com/127.0.0.1#5335
ipset=/facebook.com/gfwlist
server=/fastly.net/127.0.0.1#5335 server=/fastly.net/127.0.0.1#5335
ipset=/fastly.net/gfwlist
server=/akamai.net/127.0.0.1#5335 server=/akamai.net/127.0.0.1#5335
ipset=/akamai.net/gfwlist
server=/akamaiedge.net/127.0.0.1#5335 server=/akamaiedge.net/127.0.0.1#5335
ipset=/akamaiedge.net/gfwlist
server=/akamaihd.net/127.0.0.1#5335 server=/akamaihd.net/127.0.0.1#5335
ipset=/akamaihd.net/gfwlist
server=/edgesuite.net/127.0.0.1#5335 server=/edgesuite.net/127.0.0.1#5335
ipset=/edgesuite.net/gfwlist
server=/edgekey.net/127.0.0.1#5335 server=/edgekey.net/127.0.0.1#5335
ipset=/edgekey.net/gfwlist

411
luci-app-ssr-plus/root/usr/bin/ssr-rules
View File

@@ -258,7 +258,6 @@ flush_nftables() {
$NFT flush set ip ss_spec_mangle $setname 2>/dev/null $NFT flush set ip ss_spec_mangle $setname 2>/dev/null
$NFT delete set ip ss_spec_mangle $setname 2>/dev/null $NFT delete set ip ss_spec_mangle $setname 2>/dev/null
done done
# Delete entire table # Delete entire table
$NFT delete table ip ss_spec_mangle 2>/dev/null $NFT delete table ip ss_spec_mangle 2>/dev/null
fi fi
@@ -268,7 +267,8 @@ flush_nftables() {
ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
# Optional: force delete all ss_spec related sets (even if table was accidentally deleted) # Optional: force delete all ss_spec related sets (even if table was accidentally deleted)
for setname in ss_spec_lan_ac ss_spec_wan_ac ssr_gen_router fplan bplan gmlan oversea whitelist blacklist netflix gfwlist china music; do for setname in ss_spec_lan_ac ss_spec_wan_ac ssr_gen_router \
china fplan bplan gmlan oversea whitelist blacklist netflix gfwlist music; do
$NFT delete set inet ss_spec $setname 2>/dev/null $NFT delete set inet ss_spec $setname 2>/dev/null
$NFT delete set ip ss_spec_mangle $setname 2>/dev/null $NFT delete set ip ss_spec_mangle $setname 2>/dev/null
done done
@@ -299,8 +299,8 @@ flush_iptables_legacy() {
flush_iptables mangle flush_iptables mangle
ip rule del fwmark 0x01/0x01 table 100 2>/dev/null ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
for setname in ss_spec_lan_ac ss_spec_lan_ac_udp ss_spec_wan_ac ss_spec_wan_ac_tcp ss_spec_wan_ac_udp ssr_gen_router \ for setname in ss_spec_lan_ac ss_spec_wan_ac ssr_gen_router \
china fplan bplan gmlan oversea whitelist blacklist netflix; do china fplan bplan gmlan oversea whitelist blacklist netflix gfwlist music; do
ipset -X $setname 2>/dev/null ipset -X $setname 2>/dev/null
done done
[ -n "$FWI" ] && echo '#!/bin/sh' >$FWI [ -n "$FWI" ] && echo '#!/bin/sh' >$FWI
@@ -359,7 +359,7 @@ ipset_nft() {
done done
# Create main chains for WAN access control # Create main chains for WAN access control
for chain in ss_spec_wan_fw_tcp ss_spec_wan_fw_udp ss_spec_wan_ac_tcp ss_spec_wan_ac_udp; do for chain in ss_spec_wan_fw ss_spec_wan_ac; do
if ! $NFT list chain inet ss_spec $chain >/dev/null 2>&1; then if ! $NFT list chain inet ss_spec $chain >/dev/null 2>&1; then
$NFT add chain inet ss_spec $chain $NFT add chain inet ss_spec $chain
fi fi
@@ -368,29 +368,18 @@ ipset_nft() {
# Add basic rules # Add basic rules
# BASIC RULES (exceptions first) — TCP # BASIC RULES (exceptions first) — TCP
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp meta l4proto tcp tcp dport 53 ip daddr 127.0.0.0/8 return $NFT add rule inet ss_spec ss_spec_wan_ac meta l4proto tcp tcp dport 53 ip daddr 127.0.0.0/8 return
[ -n "$server" ] && $NFT add rule inet ss_spec ss_spec_wan_ac_tcp meta l4proto tcp tcp dport != 53 ip daddr "$server" return [ -n "$server" ] && $NFT add rule inet ss_spec ss_spec_wan_ac meta l4proto tcp tcp dport != 53 ip daddr "$server" return
# Access control: blacklist -> whitelist -> fplan/bplan — TCP # Access control: blacklist -> whitelist -> fplan/bplan — TCP
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @blacklist jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @blacklist jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @whitelist return $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @whitelist return
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @fplan jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @fplan jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @bplan return $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @bplan return
# BASIC RULES (exceptions first) — UDP
$NFT add rule inet ss_spec ss_spec_wan_ac_udp meta l4proto udp udp dport 53 ip daddr 127.0.0.0/8 return
[ -n "$server" ] && $NFT add rule inet ss_spec ss_spec_wan_ac_udp meta l4proto udp udp dport != 53 ip daddr "$server" return
# Access control: blacklist -> whitelist -> fplan/bplan — UDP
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @blacklist jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @whitelist return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @fplan jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @bplan return
# Music unlocking support # Music unlocking support
if $NFT list set inet ss_spec music >/dev/null 2>&1; then if $NFT list set inet ss_spec music >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp meta l4proto tcp ip daddr @music return $NFT add rule inet ss_spec ss_spec_wan_ac meta l4proto tcp ip daddr @music return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp meta l4proto udp ip daddr @music return
fi fi
# Shunt/Netflix rules # Shunt/Netflix rules
@@ -403,66 +392,42 @@ ipset_nft() {
# Set up mode-specific rules # Set up mode-specific rules
case "$RUNMODE" in case "$RUNMODE" in
router) router)
if ! $NFT list set inet ss_spec ss_spec_wan_ac_tcp >/dev/null 2>&1; then if ! $NFT list set inet ss_spec ss_spec_wan_ac >/dev/null 2>&1; then
$NFT add set inet ss_spec ss_spec_wan_ac_tcp '{ type ipv4_addr; flags interval; auto-merge; }' $NFT add set inet ss_spec ss_spec_wan_ac '{ type ipv4_addr; flags interval; auto-merge; }'
else else
$NFT flush set inet ss_spec ss_spec_wan_ac_tcp 2>/dev/null $NFT flush set inet ss_spec ss_spec_wan_ac 2>/dev/null
fi fi
# Add special IP ranges to WAN AC set # Add special IP ranges to WAN AC set
for ip in $(gen_spec_iplist); do for ip in $(gen_spec_iplist); do
[ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac_tcp "{ $ip }" 2>/dev/null [ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }" 2>/dev/null
done done
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @ss_spec_wan_ac_tcp return $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @ss_spec_wan_ac return
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @china return $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return
if $NFT list chain inet ss_spec ss_spec_wan_ac_tcp >/dev/null 2>&1; then if $NFT list chain inet ss_spec ss_spec_wan_ac >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac jump ss_spec_wan_fw
fi
if ! $NFT list set inet ss_spec ss_spec_wan_ac_udp >/dev/null 2>&1; then
$NFT add set inet ss_spec ss_spec_wan_ac_udp '{ type ipv4_addr; flags interval; auto-merge; }'
else
$NFT flush set inet ss_spec ss_spec_wan_ac_udp 2>/dev/null
fi
# Add special IP ranges to WAN AC set
for ip in $(gen_spec_iplist); do
[ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac_udp "{ $ip }" 2>/dev/null
done
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @ss_spec_wan_ac_udp return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @china return
if $NFT list chain inet ss_spec ss_spec_wan_fw_udp >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp jump ss_spec_wan_fw_udp
fi fi
;; ;;
gfw) gfw)
if ! $NFT list set inet ss_spec gfwlist >/dev/null 2>&1; then if ! $NFT list set inet ss_spec gfwlist >/dev/null 2>&1; then
$NFT add set inet ss_spec gfwlist '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null $NFT add set inet ss_spec gfwlist '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
fi fi
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @china return $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @gfwlist jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @gfwlist jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @china return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @gfwlist jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_udp
;; ;;
oversea) oversea)
if ! $NFT list set inet ss_spec oversea >/dev/null 2>&1; then if ! $NFT list set inet ss_spec oversea >/dev/null 2>&1; then
$NFT add set inet ss_spec oversea '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null $NFT add set inet ss_spec oversea '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
fi fi
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @oversea jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @oversea jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @gmlan jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @china jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @oversea jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @gmlan jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @china jump ss_spec_wan_fw_udp
;; ;;
all) all)
if $NFT list chain inet ss_spec ss_spec_wan_fw_tcp >/dev/null 2>&1; then if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp jump ss_spec_wan_fw_tcp $NFT add rule inet ss_spec ss_spec_wan_ac jump ss_spec_wan_fw
fi
if $NFT list chain inet ss_spec ss_spec_wan_fw_udp >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_udp jump ss_spec_wan_fw_udp
fi fi
;; ;;
esac esac
@@ -473,17 +438,11 @@ ipset_nft() {
ipset_iptables() { ipset_iptables() {
[ -f "$IGNORE_LIST" ] && /usr/share/shadowsocksr/chinaipset.sh "$IGNORE_LIST" [ -f "$IGNORE_LIST" ] && /usr/share/shadowsocksr/chinaipset.sh "$IGNORE_LIST"
$IPT -N SS_SPEC_WAN_AC_TCP 2>/dev/null $IPT -N SS_SPEC_WAN_AC 2>/dev/null
$ipt -N SS_SPEC_WAN_AC_UDP 2>/dev/null $IPT -F SS_SPEC_WAN_AC
$IPT -F SS_SPEC_WAN_AC_TCP $IPT -I SS_SPEC_WAN_AC -p tcp --dport 53 -d 127.0.0.0/8 -j RETURN
$ipt -F SS_SPEC_WAN_AC_UDP $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d "$server" -j RETURN
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp --dport 53 -d 127.0.0.0/8 -j RETURN
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp ! --dport 53 -d "$server" -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -p udp --dport 53 -d 127.0.0.0/8 -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -p udp ! --dport 53 -d "$server" -j RETURN
ipset -N gmlan hash:net 2>/dev/null ipset -N gmlan hash:net 2>/dev/null
for ip in $LAN_GM_IP; do ipset -! add gmlan "$ip"; done for ip in $LAN_GM_IP; do ipset -! add gmlan "$ip"; done
@@ -491,58 +450,38 @@ ipset_iptables() {
case "$RUNMODE" in case "$RUNMODE" in
router) router)
ipset -! -R <<-EOF || return 1 ipset -! -R <<-EOF || return 1
create ss_spec_wan_ac_tcp hash:net create ss_spec_wan_ac hash:net
$(gen_spec_iplist | sed -e "s/^/add ss_spec_wan_ac_tcp /") $(gen_spec_iplist | sed -e "s/^/add ss_spec_wan_ac /")
EOF EOF
ipset -! -R <<-EOF || return 1 $IPT -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN
create ss_spec_wan_ac_udp hash:net $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN
$(gen_spec_iplist | sed -e "s/^/add ss_spec_wan_ac_udp /") $IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW
EOF $IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set ss_spec_wan_ac_tcp dst -j RETURN
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set china dst -j RETURN
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_TCP
$IPT -A SS_SPEC_WAN_AC_TCP -j SS_SPEC_WAN_FW_TCP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set ss_spec_wan_ac_udp dst -j RETURN
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -j SS_SPEC_WAN_FW_UDP
;; ;;
gfw) gfw)
ipset -N gfwlist hash:net 2>/dev/null ipset -N gfwlist hash:net 2>/dev/null
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set china dst -j RETURN $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW_TCP $IPT -A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_TCP $IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_UDP
;; ;;
oversea) oversea)
ipset -N oversea hash:net 2>/dev/null ipset -N oversea hash:net 2>/dev/null
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set oversea dst -j SS_SPEC_WAN_FW_TCP $IPT -I SS_SPEC_WAN_AC -m set --match-set oversea dst -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gmlan src -j SS_SPEC_WAN_FW_TCP $IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set china dst -j SS_SPEC_WAN_FW_TCP $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j SS_SPEC_WAN_FW
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set oversea dst -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gmlan src -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set china dst -j SS_SPEC_WAN_FW_UDP
;; ;;
all) all)
$IPT -A SS_SPEC_WAN_AC_TCP -j SS_SPEC_WAN_FW_TCP $IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
$ipt -A SS_SPEC_WAN_AC_UDP -j SS_SPEC_WAN_FW_UDP
;; ;;
esac esac
ipset -N fplan hash:net 2>/dev/null ipset -N fplan hash:net 2>/dev/null
for ip in $LAN_FP_IP; do ipset -! add fplan "$ip"; done for ip in $LAN_FP_IP; do ipset -! add fplan "$ip"; done
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set fplan src -j SS_SPEC_WAN_FW_TCP $IPT -I SS_SPEC_WAN_AC -m set --match-set fplan src -j SS_SPEC_WAN_FW
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set fplan src -j SS_SPEC_WAN_FW_UDP
ipset -N bplan hash:net 2>/dev/null ipset -N bplan hash:net 2>/dev/null
for ip in $LAN_BP_IP; do ipset -! add bplan "$ip"; done for ip in $LAN_BP_IP; do ipset -! add bplan "$ip"; done
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set bplan src -j RETURN $IPT -I SS_SPEC_WAN_AC -m set --match-set bplan src -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set bplan src -j RETURN
ipset -N whitelist hash:net 2>/dev/null ipset -N whitelist hash:net 2>/dev/null
if [ -f "${xhttp_ip:=/etc/ssrplus/xhttp_address.txt}" ]; then if [ -f "${xhttp_ip:=/etc/ssrplus/xhttp_address.txt}" ]; then
@@ -552,15 +491,11 @@ ipset_iptables() {
fi fi
ipset -N blacklist hash:net 2>/dev/null ipset -N blacklist hash:net 2>/dev/null
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set blacklist dst -j SS_SPEC_WAN_FW_TCP $IPT -I SS_SPEC_WAN_AC -m set --match-set blacklist dst -j SS_SPEC_WAN_FW
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set whitelist dst -j RETURN $IPT -I SS_SPEC_WAN_AC -m set --match-set whitelist dst -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set blacklist dst -j SS_SPEC_WAN_FW_UDP
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set whitelist dst -j RETURN
if [ $(ipset list music -name -quiet | grep music) ]; then if [ $(ipset list music -name -quiet | grep music) ]; then
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set music dst -j RETURN 2>/dev/null $IPT -I SS_SPEC_WAN_AC -m set --match-set music dst -j RETURN 2>/dev/null
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set music dst -j RETURN 2>/dev/null
fi fi
for ip in $WAN_BP_IP; do ipset -! add whitelist "$ip"; done for ip in $WAN_BP_IP; do ipset -! add whitelist "$ip"; done
@@ -572,15 +507,12 @@ ipset_iptables() {
case "$SHUNT_PORT" in case "$SHUNT_PORT" in
0) ;; 0) ;;
1) 1)
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$local_port" $IPT -I SS_SPEC_WAN_AC -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$local_port"
$ipt -I SS_SPEC_WAN_AC_UDP -p udp -m set --match-set netflix dst -j TPROXY --on-port "$local_port" --tproxy-mark 0x01/0x01
;; ;;
*) *)
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$SHUNT_PORT" $IPT -I SS_SPEC_WAN_AC -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$SHUNT_PORT"
$ipt -I SS_SPEC_WAN_AC_UDP -p udp -m set --match-set netflix dst -j TPROXY --on-port "$SHUNT_PORT" --tproxy-mark 0x01/0x01
if [ "$SHUNT_PROXY" = "1" ]; then if [ "$SHUNT_PROXY" = "1" ]; then
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp -d "$SHUNT_IP" -j REDIRECT --to-ports "$local_port" $IPT -I SS_SPEC_WAN_AC -p tcp -d "$SHUNT_IP" -j REDIRECT --to-ports "$local_port"
$ipt -I SS_SPEC_WAN_AC_UDP -p udp -d "$SHUNT_IP" -j TPROXY --on-port "$local_port" --tproxy-mark 0x01/0x01
else else
ipset -! add whitelist "$SHUNT_IP" ipset -! add whitelist "$SHUNT_IP"
fi fi
@@ -614,47 +546,30 @@ fw_rule_nft() {
PORTS_ARGS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //') PORTS_ARGS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
if [ -n "$PORTS_ARGS" ]; then if [ -n "$PORTS_ARGS" ]; then
TCP_EXT_ARGS="meta l4proto tcp tcp dport { $PORTS_ARGS }" TCP_EXT_ARGS="meta l4proto tcp tcp dport { $PORTS_ARGS }"
UDP_EXT_ARGS="meta l4proto udp udp dport { $PORTS_ARGS }"
TCP_RULE="meta l4proto tcp tcp dport { $PORTS_ARGS } counter redirect to :$local_port" TCP_RULE="meta l4proto tcp tcp dport { $PORTS_ARGS } counter redirect to :$local_port"
UDP_RULE="meta l4proto udp udp dport { $PORTS_ARGS } counter tproxy ip to :$local_port meta mark set 0x01"
fi fi
else else
TCP_EXT_ARGS="meta l4proto tcp" TCP_EXT_ARGS="meta l4proto tcp"
UDP_EXT_ARGS="meta l4proto udp"
# default: redirect everything except ssh(22) # default: redirect everything except ssh(22)
TCP_RULE="meta l4proto tcp tcp dport != 22 counter redirect to :$local_port" TCP_RULE="meta l4proto tcp tcp dport != 22 counter redirect to :$local_port"
# default: when PROXY_PORTS present, redirect those udp ports to local_port
UDP_RULE="meta l4proto udp counter tproxy ip to :$local_port meta mark set 0x01"
fi fi
# add TCP rule to fw chain if not exists (use -F exact match) # add TCP rule to fw chain if not exists (use -F exact match)
if ! $NFT list chain inet ss_spec ss_spec_wan_fw_tcp 2>/dev/null | grep -F -- "$TCP_RULE" >/dev/null 2>&1; then if ! $NFT list chain inet ss_spec ss_spec_wan_fw 2>/dev/null | grep -F -- "$TCP_RULE" >/dev/null 2>&1; then
if ! $NFT add rule inet ss_spec ss_spec_wan_fw_tcp $TCP_RULE 2>/dev/null; then if ! $NFT add rule inet ss_spec ss_spec_wan_fw $TCP_RULE 2>/dev/null; then
loger 3 "Can't redirect TCP, please check nftables." loger 3 "Can't redirect TCP, please check nftables."
return 1 return 1
fi fi
fi fi
if ! $NFT list chain inet ss_spec ss_spec_wan_fw_udp 2>/dev/null | grep -F -- "$UDP_RULE" >/dev/null 2>&1; then
if ! $NFT add rule inet ss_spec ss_spec_wan_fw_udp $UDP_RULE 2>/dev/null; then
loger 3 "Can't tproxy UDP, please check nftables."
return 1
fi
fi
if [ "$SHUNT_PORT" != "0" ] && [ -f "$SHUNT_LIST" ]; then if [ "$SHUNT_PORT" != "0" ] && [ -f "$SHUNT_LIST" ]; then
case "$SHUNT_PORT" in case "$SHUNT_PORT" in
1) 1)
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$local_port $NFT add rule inet ss_spec ss_spec_wan_ac $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$local_port
$NFT add rule inet ss_spec ss_spec_wan_ac_udp $UDP_EXT_ARGS ip daddr @netflix counter tproxy ip to :$local_port meta mark set 0x01
;; ;;
*) *)
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$SHUNT_PORT $NFT add rule inet ss_spec ss_spec_wan_ac $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$SHUNT_PORT
$NFT add rule inet ss_spec ss_spec_wan_ac_udp $UDP_EXT_ARGS ip daddr @netflix counter tproxy ip to :$SHUNT_PORT meta mark set 0x01
if [ "$SHUNT_PROXY" = "1" ]; then if [ "$SHUNT_PROXY" = "1" ]; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp $TCP_EXT_ARGS ip daddr $SHUNT_IP counter redirect to :$local_port $NFT add rule inet ss_spec ss_spec_wan_ac $TCP_EXT_ARGS ip daddr $SHUNT_IP counter redirect to :$local_port
$NFT add rule inet ss_spec ss_spec_wan_ac_udp $UDP_EXT_ARGS ip daddr $SHUNT_IP counter tproxy ip to :$local_port meta mark set 0x01
else else
[ -n "$SHUNT_IP" ] && $NFT add element inet ss_spec whitelist "{ $SHUNT_IP }" 2>/dev/null [ -n "$SHUNT_IP" ] && $NFT add element inet ss_spec whitelist "{ $SHUNT_IP }" 2>/dev/null
fi fi
@@ -675,39 +590,22 @@ fw_rule_iptables() {
ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
fi fi
# 创建TCP链 (在nat表中) # Create TCP chain in NAT table
$IPT -N SS_SPEC_WAN_FW_TCP 2>/dev/null $IPT -N SS_SPEC_WAN_FW 2>/dev/null
$IPT -F SS_SPEC_WAN_FW_TCP $IPT -F SS_SPEC_WAN_FW
for net in \ for net in \
0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \ 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
do do
$IPT -A SS_SPEC_WAN_FW_TCP -d "$net" -j RETURN $IPT -A SS_SPEC_WAN_FW -d "$net" -j RETURN
done done
$IPT -A SS_SPEC_WAN_FW_TCP -p tcp $PROXY_PORTS -j REDIRECT --to-ports "$local_port" 2>/dev/null || { $IPT -A SS_SPEC_WAN_FW -p tcp $PROXY_PORTS -j REDIRECT --to-ports "$local_port" 2>/dev/null || {
loger 3 "Can't redirect TCP, please check the iptables." loger 3 "Can't redirect TCP, please check the iptables."
exit 1 exit 1
} }
# 创建UDP链 (在mangle表中)
$ipt -N SS_SPEC_WAN_FW_UDP 2>/dev/null
$ipt -F SS_SPEC_WAN_FW_UDP
for net in \
0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
do
$ipt -A SS_SPEC_WAN_FW_UDP -p udp -d "$net" -j RETURN
done
# UDP TPROXY规则 (必须在mangle表中)
$ipt -A SS_SPEC_WAN_FW_UDP -p udp $PROXY_PORTS -j TPROXY --on-port "$local_port" --tproxy-mark 0x01/0x01 2>/dev/null || {
loger 3 "Can't set UDP TPROXY, please check the iptables."
exit 1
}
return $? return $?
} }
@@ -750,42 +648,22 @@ ac_rule_nft() {
fi fi
# Create ss_spec_prerouting tcp chain # Create ss_spec_prerouting tcp chain
if ! $NFT list chain inet ss_spec ss_spec_prerouting_tcp >/dev/null 2>&1; then if ! $NFT list chain inet ss_spec ss_spec_prerouting >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_prerouting_tcp '{ type nat hook prerouting priority 0; policy accept; }' $NFT add chain inet ss_spec ss_spec_prerouting '{ type nat hook prerouting priority 0; policy accept; }'
fi fi
$NFT flush chain inet ss_spec ss_spec_prerouting_tcp 2>/dev/null $NFT flush chain inet ss_spec ss_spec_prerouting 2>/dev/null
# Exclude special local addresses # Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_prerouting_tcp >/dev/null 2>&1; then if $NFT list chain inet ss_spec ss_spec_prerouting >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_prerouting_tcp ip daddr $net return 2>/dev/null $NFT add rule inet ss_spec ss_spec_prerouting ip daddr $net return 2>/dev/null
done done
fi fi
# Temporarily comment IPV6 for future enablement # Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_prerouting_tcp >/dev/null 2>&1; then #if $NFT list chain inet ss_spec ss_spec_prerouting >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do # for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_prerouting_tcp ip6 daddr $net return 2>/dev/null # $NFT add rule inet ss_spec ss_spec_prerouting ip6 daddr $net return 2>/dev/null
# done
#fi
# Create ss_spec_prerouting udp chain
if ! $NFT list chain inet ss_spec ss_spec_prerouting_udp >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_prerouting_udp '{ type filter hook prerouting priority -150; policy accept; }'
fi
$NFT flush chain inet ss_spec ss_spec_prerouting_udp 2>/dev/null
# Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_prerouting_udp >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_prerouting_udp ip daddr $net return 2>/dev/null
done
fi
# Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_prerouting_udp >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_prerouting_udp ip6 daddr $net return 2>/dev/null
# done # done
#fi #fi
@@ -794,22 +672,41 @@ ac_rule_nft() {
PORTS_ARGS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //') PORTS_ARGS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
if [ -n "$PORTS_ARGS" ]; then if [ -n "$PORTS_ARGS" ]; then
TCP_EXT_ARGS="meta l4proto tcp tcp dport { $PORTS_ARGS }" TCP_EXT_ARGS="meta l4proto tcp tcp dport { $PORTS_ARGS }"
UDP_EXT_ARGS="meta l4proto udp udp dport { $PORTS_ARGS }"
fi fi
else else
TCP_EXT_ARGS="meta l4proto tcp" TCP_EXT_ARGS="meta l4proto tcp"
UDP_EXT_ARGS="meta l4proto udp"
fi fi
# Block UDP port 443 when TPROXY not Enable
if [ -z "$TPROXY" ]; then
# Add UDP 443 block rule
if [ -z "$Interface" ]; then
if [ -n "$MATCH_SET" ]; then
$NFT add rule inet ss_spec ss_spec_prerouting meta l4proto udp $MATCH_SET udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
else
$NFT add rule inet ss_spec ss_spec_prerouting meta l4proto udp udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
fi
else
for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then
if [ -n "$MATCH_SET" ]; then
$NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" meta l4proto udp $MATCH_SET udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
else
$NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" meta l4proto udp udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
fi
fi
done
fi
fi
if [ -z "$Interface" ]; then if [ -z "$Interface" ]; then
# generic prerouting jump already exists (see ipset_nft), but if we have MATCH_SET_CONDITION we add a more specific rule # generic prerouting jump already exists (see ipset_nft), but if we have MATCH_SET_CONDITION we add a more specific rule
if [ -n "$MATCH_SET" ]; then if [ -n "$MATCH_SET" ]; then
# add a more specific rule at the top of ss_spec_prerouting # add a more specific rule at the top of ss_spec_prerouting
$NFT add rule inet ss_spec ss_spec_prerouting_tcp $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null $NFT add rule inet ss_spec ss_spec_prerouting $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp $UDP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
else else
$NFT add rule inet ss_spec ss_spec_prerouting_tcp $TCP_EXT_ARGS jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null $NFT add rule inet ss_spec ss_spec_prerouting $TCP_EXT_ARGS jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp $UDP_EXT_ARGS jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
fi fi
else else
# For each Interface, find its actual ifname and add an iifname-limited prerouting rule # For each Interface, find its actual ifname and add an iifname-limited prerouting rule
@@ -818,63 +715,37 @@ ac_rule_nft() {
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null) [ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then if [ -n "$IFNAME" ]; then
if [ -n "$MATCH_SET" ]; then if [ -n "$MATCH_SET" ]; then
$NFT add rule inet ss_spec ss_spec_prerouting_tcp meta iifname "$IFNAME" $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null $NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp meta iifname "$IFNAME" $UDP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
else else
$NFT add rule inet ss_spec ss_spec_prerouting_tcp meta iifname "$IFNAME" $TCP_EXT_ARGS jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null $NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" $TCP_EXT_ARGS jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp meta iifname "$IFNAME" $UDP_EXT_ARGS jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
fi fi
fi fi
done done
fi fi
case "$OUTPUT" in case "$OUTPUT" in
1) 1)
# Create ss_spec_output tcp chain # Create ss_spec_output tcp chain
if ! $NFT list chain inet ss_spec ss_spec_output_tcp >/dev/null 2>&1; then if ! $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_output_tcp '{ type nat hook output priority 0; policy accept; }' $NFT add chain inet ss_spec ss_spec_output '{ type nat hook output priority 0; policy accept; }'
fi fi
$NFT flush chain inet ss_spec ss_spec_output_tcp 2>/dev/null $NFT flush chain inet ss_spec ss_spec_output 2>/dev/null
# Exclude special local addresses # Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_output_tcp >/dev/null 2>&1; then if $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_output_tcp ip daddr $net return 2>/dev/null $NFT add rule inet ss_spec ss_spec_output ip daddr $net return 2>/dev/null
done done
fi fi
# Temporarily comment IPV6 for future enablement # Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_output_tcp >/dev/null 2>&1; then #if $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do # for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_output_tcp ip6 daddr $net return 2>/dev/null # $NFT add rule inet ss_spec ss_spec_output ip6 daddr $net return 2>/dev/null
# done # done
#fi #fi
# create output hook chain & route output traffic into router chain # create output hook chain & route output traffic into router chain
$NFT add rule inet ss_spec ss_spec_output_tcp $TCP_EXT_ARGS jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null $NFT add rule inet ss_spec ss_spec_output $TCP_EXT_ARGS jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
# Create ss_spec_output udp chain
if ! $NFT list chain inet ss_spec ss_spec_output_udp >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_output_udp '{ type filter hook output priority -150; policy accept; }'
fi
$NFT flush chain inet ss_spec ss_spec_output_udp 2>/dev/null
# Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_output_udp >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_output_udp ip daddr $net return 2>/dev/null
done
fi
# Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_output_udp >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_output_udp ip6 daddr $net return 2>/dev/null
# done
#fi
# create output hook chain & route output traffic into router chain
$NFT add rule inet ss_spec ss_spec_output_udp $UDP_EXT_ARGS meta mark set 0x01 comment "\"$TAG\"" 2>/dev/null
;; ;;
2) 2)
# Create ss_spec_output tcp chain # Create ss_spec_output tcp chain
@@ -895,13 +766,13 @@ ac_rule_nft() {
for ip in $(gen_spec_iplist); do for ip in $(gen_spec_iplist); do
[ -n "$ip" ] && $NFT add element inet ss_spec ssr_gen_router "{ $ip }" 2>/dev/null [ -n "$ip" ] && $NFT add element inet ss_spec ssr_gen_router "{ $ip }" 2>/dev/null
done done
if ! $NFT list chain inet ss_spec ss_spec_router >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_router 2>/dev/null $NFT add chain inet ss_spec ss_spec_router 2>/dev/null
fi
$NFT flush chain inet ss_spec ss_spec_router 2>/dev/null $NFT flush chain inet ss_spec ss_spec_router 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router ip daddr @ssr_gen_router return 2>/dev/null $NFT add rule inet ss_spec ss_spec_router ip daddr @ssr_gen_router return 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw_tcp 2>/dev/null $NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw_udp 2>/dev/null
$NFT add rule inet ss_spec ss_spec_output $TCP_EXT_ARGS jump ss_spec_router comment "\"$TAG\"" 2>/dev/null $NFT add rule inet ss_spec ss_spec_output $TCP_EXT_ARGS jump ss_spec_router comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_output $UDP_EXT_ARGS meta mark set 0x01 comment "\"$TAG\"" 2>/dev/null
;; ;;
esac esac
return 0 return 0
@@ -927,40 +798,48 @@ ac_rule_iptables() {
create ss_spec_lan_ac hash:net create ss_spec_lan_ac hash:net
$(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac $ip"; done) $(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac $ip"; done)
EOF EOF
# Block UDP port 443 when TPROXY not Enable
if [ -z "$TPROXY" ]; then
# Add UDP 443 block rule
if [ -z "$Interface" ]; then if [ -z "$Interface" ]; then
$IPT -I PREROUTING 1 -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_TCP $ipt -I PREROUTING 1 -p udp $EXT_ARGS $MATCH_SET --dport 443 -j DROP -m comment --comment "$TAG"
$ipt -I PREROUTING 1 -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_UDP
else else
for name in $Interface; do for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null) local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null) [ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then if [ -n "$IFNAME" ]; then
$IPT -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_TCP $ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET --dport 443 -j DROP -m comment --comment "$TAG"
$ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_UDP fi
done
fi
fi
if [ -z "$Interface" ]; then
$IPT -I PREROUTING 1 -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC
else
for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then
$IPT -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC
fi fi
done done
fi fi
case "$OUTPUT" in case "$OUTPUT" in
1) 1)
$IPT -I OUTPUT 1 -p tcp $EXT_ARGS -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_TCP $IPT -I OUTPUT 1 -p tcp $EXT_ARGS -m comment --comment "$TAG" -j SS_SPEC_WAN_AC
#$ipt -I OUTPUT 1 -p udp $EXT_ARGS -m comment --comment "$TAG" -j MARK --set-xmark 0x01/0x01
;; ;;
2) 2)
ipset -! -R <<-EOF || return 1 ipset -! -R <<-EOF || return 1
create ssr_gen_router hash:net create ssr_gen_router hash:net
$(gen_spec_iplist | sed -e "s/^/add ssr_gen_router /") $(gen_spec_iplist | sed -e "s/^/add ssr_gen_router /")
EOF EOF
$IPT -N SS_SPEC_ROUTER_TCP 2>/dev/null $IPT -N SS_SPEC_ROUTER 2>/dev/null
$IPT -F SS_SPEC_ROUTER_TCP 2>/dev/null $IPT -F SS_SPEC_ROUTER 2>/dev/null
$IPT -A SS_SPEC_ROUTER_TCP -m set --match-set ssr_gen_router dst -j RETURN && \ $IPT -A SS_SPEC_ROUTER -m set --match-set ssr_gen_router dst -j RETURN && \
$IPT -A SS_SPEC_ROUTER_TCP -j SS_SPEC_WAN_FW_TCP $IPT -A SS_SPEC_ROUTER -j SS_SPEC_WAN_FW
$IPT -I OUTPUT 1 -p tcp -m comment --comment "$TAG" -j SS_SPEC_ROUTER_TCP $IPT -I OUTPUT 1 -p tcp -m comment --comment "$TAG" -j SS_SPEC_ROUTER
$ipt -N SS_SPEC_ROUTER_UDP 2>/dev/null
$ipt -F SS_SPEC_ROUTER_UDP 2>/dev/null
$ipt -A SS_SPEC_ROUTER_UDP -m set --match-set ssr_gen_router dst -j RETURN && \
$ipt -A SS_SPEC_ROUTER_UDP -j SS_SPEC_WAN_FW_UDP
#$ipt -I OUTPUT 1 -p udp -m comment --comment "$TAG" -j SS_SPEC_ROUTER_UDP
;; ;;
esac esac
return $? return $?
@@ -1102,7 +981,8 @@ tp_rule_nft() {
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @ss_spec_wan_ac return 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @ss_spec_wan_ac return 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 drop 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 443 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip saddr @gmlan ip daddr != @china counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip saddr @gmlan ip daddr != @china counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp $EXT_ARGS ip daddr != @ss_spec_wan_ac counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp $EXT_ARGS ip daddr != @ss_spec_wan_ac counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
;; ;;
@@ -1111,7 +991,8 @@ tp_rule_nft() {
$NFT add set ip ss_spec_mangle gfwlist '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null $NFT add set ip ss_spec_mangle gfwlist '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
fi fi
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 drop 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 443 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp $EXT_ARGS ip daddr @gfwlist counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp $EXT_ARGS ip daddr @gfwlist counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip saddr @gmlan ip daddr != @china counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null $NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip saddr @gmlan ip daddr != @china counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
;; ;;
@@ -1170,19 +1051,17 @@ tp_rule_iptables() {
fi fi
$ipt -N SS_SPEC_TPROXY 2>/dev/null $ipt -N SS_SPEC_TPROXY 2>/dev/null
$ipt -F SS_SPEC_TPROXY $ipt -F SS_SPEC_TPROXY
$ipt -N PREROUTING_UDP 2>/dev/null
$ipt -F PREROUTING_UDP
$ipt -A SS_SPEC_TPROXY -p udp --dport 53 -j RETURN $ipt -A SS_SPEC_TPROXY -p udp --dport 53 -j RETURN
local MATCH_SET_UDP="" local MATCH_SET=""
if [ -n "$LAN_AC_IP" ]; then if [ -n "$LAN_AC_IP" ]; then
case "${LAN_AC_IP%${LAN_AC_IP#?}}" in case "${LAN_AC_IP%${LAN_AC_IP#?}}" in
w | W) w | W)
MATCH_SET_UDP="-m set --match-set ss_spec_lan_ac_udp src" MATCH_SET_UDP="-m set --match-set ss_spec_lan_ac src"
;; ;;
b | B) b | B)
MATCH_SET_UDP="-m set ! --match-set ss_spec_lan_ac_udp src" MATCH_SET_UDP="-m set ! --match-set ss_spec_lan_ac src"
;; ;;
*) *)
loger 3 "Bad argument \`-a $LAN_AC_IP\`." loger 3 "Bad argument \`-a $LAN_AC_IP\`."
@@ -1191,8 +1070,8 @@ tp_rule_iptables() {
esac esac
fi fi
ipset -! -R <<-EOF || return 1 ipset -! -R <<-EOF || return 1
create ss_spec_lan_ac_udp hash:net create ss_spec_lan_ac hash:net
$(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac_udp $ip"; done) $(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac $ip"; done)
EOF EOF
for net in \ for net in \
@@ -1219,12 +1098,14 @@ tp_rule_iptables() {
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set ss_spec_wan_ac dst -j RETURN $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set ss_spec_wan_ac dst -j RETURN
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_TPROXY -p udp --dport 80 -j DROP $ipt -A SS_SPEC_TPROXY -p udp --dport 80 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp --dport 443 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
$ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set ! --match-set ss_spec_wan_ac dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set ! --match-set ss_spec_wan_ac dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
;; ;;
gfw) gfw)
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_TPROXY -p udp --dport 80 -j DROP $ipt -A SS_SPEC_TPROXY -p udp --dport 80 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp --dport 443 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set gfwlist dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set gfwlist dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
;; ;;
@@ -1238,12 +1119,12 @@ tp_rule_iptables() {
;; ;;
esac esac
if [ -z "$Interface" ]; then if [ -z "$Interface" ]; then
$ipt -I PREROUTING_UDP 1 -p udp $EXT_ARGS $MATCH_SET_UDP -m comment --comment "$TAG" -j SS_SPEC_TPROXY $ipt -I PREROUTING 1 -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_TPROXY
else else
for name in $Interface; do for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null) local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null) [ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
[ -n "$IFNAME" ] && $ipt -I PREROUTING_UDP 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET_UDP -m comment --comment "$TAG" -j SS_SPEC_TPROXY [ -n "$IFNAME" ] && $ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_TPROXY
done done
fi fi
return $? return $?