~修复ipv6-fakeip地址被错误屏蔽的bug

~将final-dns改为proxydns以解决部分dns泄露问题 ~修复nftables模式在白名单为空时会错误路由外部流量的bug ~修复ipv6-tporxy模式下部分iptables内容无法正确注销的bug
2024-11-16 03:32:34 +08:00 · 2024-10-19 14:43:54 +08:00 · 2024-10-19 14:43:54 +08:00 · c98e50bf01
commit c98e50bf01
parent 8939ef4241
1 changed files with 28 additions and 22 deletions
--- a/scripts/start.sh
+++ b/scripts/start.sh
@ -210,7 +210,7 @@ getlanip() { #获取局域网host地址
 	[ -z "$local_ipv4" ] && local_ipv4=$(ip route 2>&1 | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
 	#保留地址
 	[ -z "$reserve_ipv4" ] && reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"
-	[ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8"
+	[ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fe80::/10 ff00::/8"
 }
 #配置文件相关
 check_clash_config() { #检查clash配置文件
@ -669,7 +669,7 @@ EOF
 	  $direct_dns
 	  { "query_type": [ "A", "AAAA" ], "server": "dns_fakeip", "rewrite_ttl": 1 }
 	],
-    "final": "dns_direct",
+    "final": "dns_proxy",
    "independent_cache": true,
    "reverse_mapping": true,
    "fakeip": { "enabled": true, "inet4_range": "198.18.0.0/16", "inet6_range": "fc00::/16" }
@ -1191,28 +1191,32 @@ start_nft_route() { #nftables-route通用工具
 	[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
 	nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
 	#过滤局域网设备
-	if [ "$1" = 'prerouting' ] && [ "$macfilter_type" != "白名单" ];then
-		[ -s "$CRASHDIR"/configs/mac ] && {
-		MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
-		nft add rule inet shellcrash $1 ether saddr {$MAC} return
+	[ "$1" = 'prerouting' ] && {
+		[ "$macfilter_type" != "白名单" ] && {
+			[ -s "$CRASHDIR"/configs/mac ] && {
+				MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
+				nft add rule inet shellcrash $1 ether saddr {$MAC} return
+			}
+			[ -s "$CRASHDIR"/configs/ip_filter ] && {
+				FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
+				nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
+			}
+			nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return  #仅代理本机局域网网段流量
 		}
-		[ -s "$CRASHDIR"/configs/ip_filter ] && {
-		FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
-		nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
+		[ "$macfilter_type" = "白名单" ] && {
+			[ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
+			[ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
+			if [ -n "$MAC" ] && [ -n "$FL_IP" ];then
+				nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
+			elif [ -n "$MAC" ];then
+				nft add rule inet shellcrash $1 ether saddr != {$MAC} return
+			elif [ -n "$FL_IP" ];then
+				nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
+			else
+				nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return  #仅代理本机局域网网段流量
+			fi
 		}
-		nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return  #仅代理本机局域网网段流量
-	fi
-	if [ "$1" = 'prerouting' ] && [ "$macfilter_type" = "白名单" ];then
-		[ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
-		[ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
-		if [ -n "$MAC" ] && [ -n "$FL_IP" ];then
-			nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
-		elif [ -n "$MAC" ];then
-			nft add rule inet shellcrash $1 ether saddr != {$MAC} return
-		elif [ -n "$FL_IP" ];then
-			nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
-		fi
-	fi
+	}
 	#绕过CN-IP
 	[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && {
 		CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)
@ -1496,6 +1500,8 @@ stop_firewall() { #还原防火墙配置
 		$ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null
 		$ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null
 		$ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
+		$ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
+		$ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null
 		#tun
 		$ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null
 		#屏蔽QUIC