v1.5.8

~增加Meta专属sniffer嗅探功能(8-4)
~增加内核完整性检测机制
~优化公网访问本机流量导致回环的问题

bin/version

@@ -2,5 +2,5 @@ clashnet_v=v1.7.6
 clashpre_v=2021.09.15
 clash_v=v1.7.1
 meta_v=alpha
-versionsh=1.5.7
 GeoIP_v=20220426
+versionsh=1.5.8

scripts/clash.sh

@@ -1218,7 +1218,7 @@ tools(){
 	echo -e " 1 ShellClash测试菜单"
 	[ -f /etc/firewall.user ] && echo -e " 2 \033[32m配置\033[0m外网访问SSH"
 	[ -f /etc/config/ddns -a -d "/etc/ddns" ] && echo -e " 3 配置DDNS服务(需下载相关脚本)"
-	echo -e " 4 \033[32m流媒体预解析\033[0m————用于解决DNS解锁在TV应用上失效的问题"
+	echo -e " 4 \033[32m流媒体增强\033[0m————用于解决流媒体解锁在TV应用上失效的问题"
 	[ -x /usr/sbin/otapredownload ] && echo -e " 5 \033[33m$mi_update\033[0m小米系统自动更新"
 	[ -f /usr/sbin/otapredownload ] && echo -e " 6 小米设备软固化SSH ———— \033[$mi_autoSSH_type \033[0m"
 	echo -----------------------------------------------
@@ -1256,20 +1256,40 @@ tools(){
 		tools  
 		
 	elif [ "$num" = 4 ]; then
-		if type nslookup > /dev/null 2>&1;then
-			checkcfg=$(cat $ccfg)
-			streaming
-			if [ -n "$PID" ];then
-				checkcfg_new=$(cat $ccfg)
-				[ "$checkcfg" != "$checkcfg_new" ] && checkrestart
-			fi
-		else
+		checkcfg=$(cat $ccfg)
+		echo -----------------------------------------------
+		echo -e "\033[36m请选择实现方式(不建议同时开启)：\033[0m"
+		echo -e " 1 定时预解析流媒体DNS"
+		echo -e " 2 Meta内核专属tls域名嗅探(推荐) \033[33m$sniffer\033[0m"
+		echo -e " 0 返回上级菜单"
+		read -p "请输入对应数字 > " num
+		if [ -z "$num" ]; then
+			errornum
+		elif [ "$num" = 0 ]; then
+			i=
+		elif [ "$num" = 1 ]; then
+			steaming
+		elif [ "$num" = 2 ]; then
 			echo -----------------------------------------------
-			echo "当前设备缺少nslookup命令，无法启用流媒体预解析功能！"
-			echo "Centos请尝试使用以下命令安装【yum -y install bind-utils】"
-			echo "Debian/Ubuntu等请尝试使用【sudo apt-get install dnsutils -y】"
+			if [ "$sniffer" = "未启用" ];then
+				if [ "$clashcore" != "clash.meta" ];then
+					rm -rf $bindir/clash
+					clashcore=clash.meta
+					setconfig clashcore $clashcore
+					echo "已将clash内核切换为Meta内核！"
+				fi
+				sniffer=已启用
+			else
+				sniffer=未启用
+			fi
+			setconfig sniffer $sniffer
+			echo -e "\033[32m设置成功！\033[0m"
 			sleep 1
 		fi
+		if [ -n "$PID" ];then
+			checkcfg_new=$(cat $ccfg)
+			[ "$checkcfg" != "$checkcfg_new" ] && checkrestart
+		fi
 		tools
 		
 	elif [ -x /usr/sbin/otapredownload ] && [ "$num" = 5 ]; then	

scripts/start.sh

@@ -312,6 +312,10 @@ modify_yaml(){
 	else
 		dns='dns: {enable: true, '$dns_v6', listen: 0.0.0.0:'$dns_port', use-hosts: true, enhanced-mode: redir-host, default-nameserver: ['$dns_default', 127.0.0.1:53], nameserver: ['$dns_nameserver$dns_local'], fallback: ['$dns_fallback'], fallback-filter: {geoip: true}}'
 	fi
+	#meta专属功能
+	if [ "$clashcore" = "clash.meta" -a "$sniffer" = "已启用" ];then
+		sniffer_set="sniffer: {enable: true, force: false, sniffing: [tls]}"
+	fi
 	#设置目录
 	yaml=$clashdir/config.yaml
 	tmpdir=/tmp/clash_$USER
@@ -342,6 +346,7 @@ secret: $secret
 $tun
 $exper
 $dns
+$sniffer_set
 store-selected: $restore
 hosts:
 EOF
@@ -436,7 +441,12 @@ start_redir(){
 		done
 		iptables -t nat -A clash -p tcp $ports -j REDIRECT --to-ports $redir_port
 	fi
-	iptables -t nat -A PREROUTING -p tcp -j clash
+	#获取局域网host地址
+	host_lan=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep -oE '\ 1(92|0|72)\.' | grep -oE '1(92|0|72)' | head -n 1)
+	[ -n "$host_lan" ] && host_lan=${host_lan}.0.0.0/8
+	#将PREROUTING链指向clash链
+	iptables -t nat -A PREROUTING -p tcp -s $host_lan -j clash
+	#公网访问功能
 	if [ "$public_support" = "已开启" ];then
 		iptables -I INPUT -p tcp --dport $mix_port -j ACCEPT
 		iptables -I INPUT -p tcp --dport $db_port -j ACCEPT
@@ -478,18 +488,19 @@ start_dns(){
 	if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 		#mac白名单
 		for mac in $(cat $clashdir/mac); do
-			iptables -t nat -A clash_dns -p udp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port
-			iptables -t nat -A clash_dns -p tcp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port
+			iptables -t nat -A clash_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
+			iptables -t nat -A clash_dns -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port
 		done
 	else
 		#mac黑名单
 		for mac in $(cat $clashdir/mac); do
 			iptables -t nat -A clash_dns -m mac --mac-source $mac -j RETURN
 		done	
-		iptables -t nat -A clash_dns -p udp --dport 53 -j REDIRECT --to $dns_port
-		iptables -t nat -A clash_dns -p tcp --dport 53 -j REDIRECT --to $dns_port
+		iptables -t nat -A clash_dns -p udp -j REDIRECT --to $dns_port
+		iptables -t nat -A clash_dns -p tcp -j REDIRECT --to $dns_port
 	fi
-	iptables -t nat -A PREROUTING -p udp -j clash_dns
+	iptables -t nat -A PREROUTING -p udp --dport 53 -j clash_dns
+	iptables -t nat -A PREROUTING -p tcp --dport 53 -j clash_dns
 	#ipv6DNS
 	ip6_nat=$(ip6tables -t nat -L 2>&1 | grep -o 'Chain')
 	if [ -n "$ip6_nat" ];then
@@ -497,18 +508,19 @@ start_dns(){
 		if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 			#mac白名单
 			for mac in $(cat $clashdir/mac); do
-				ip6tables -t nat -A clashv6_dns -p udp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port
-				ip6tables -t nat -A clashv6_dns -p tcp --dport 53 -m mac --mac-source $mac -j REDIRECT --to $dns_port
+				ip6tables -t nat -A clashv6_dns -p udp -m mac --mac-source $mac -j REDIRECT --to $dns_port
+				ip6tables -t nat -A clashv6_dns -p tcp -m mac --mac-source $mac -j REDIRECT --to $dns_port
 			done
 		else
 			#mac黑名单
 			for mac in $(cat $clashdir/mac); do
 				ip6tables -t nat -A clashv6_dns -m mac --mac-source $mac -j RETURN
 			done	
-			ip6tables -t nat -A clashv6_dns -p udp --dport 53 -j REDIRECT --to $dns_port
-			ip6tables -t nat -A clashv6_dns -p tcp --dport 53 -j REDIRECT --to $dns_port
+			ip6tables -t nat -A clashv6_dns -p udp -j REDIRECT --to $dns_port
+			ip6tables -t nat -A clashv6_dns -p tcp -j REDIRECT --to $dns_port
 		fi
-		ip6tables -t nat -A PREROUTING -p udp -j clashv6_dns
+		ip6tables -t nat -A PREROUTING -p udp --dport 53 -j clashv6_dns
+		ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j clashv6_dns
 	else
 		ip6tables -I INPUT -p tcp --dport 53 -j REJECT > /dev/null 2>&1
 		ip6tables -I INPUT -p udp --dport 53 -j REJECT > /dev/null 2>&1
@@ -694,6 +706,7 @@ web_restore(){
 #启动相关
 catpac(){
 	cat > /tmp/clash_pac <<EOF
+//如看见此处内容，请重新安装本地面板！
 function FindProxyForURL(url, host) {
 	if (
 		isInNet(host, "0.0.0.0", "255.0.0.0")||
@@ -719,6 +732,8 @@ bfstart(){
 	[ ! -d $bindir/ui ] && mkdir -p $bindir/ui
 	update_url=https://ghproxy.com/https://raw.githubusercontent.com/juewuy/ShellClash/master
 	#检查clash核心
+	$bindir/clash -v >/dev/null 2>&1
+	[ "$?" != 0 ] && rm -rf $bindir/clash
 	if [ ! -f $bindir/clash ];then
 		if [ -f $clashdir/clash ];then
 			mv $clashdir/clash $bindir/clash && chmod +x $bindir/clash