From 024764577052222327c595f1909562d283a35f23 Mon Sep 17 00:00:00 2001
From: juewuy <juewuy@gmail.com>
Date: Sun, 1 Sep 2024 14:53:35 +0800
Subject: [PATCH] =?UTF-8?q?~=E5=A2=9E=E5=8A=A0=E5=9F=BA=E4=BA=8EIP?=
 =?UTF-8?q?=E5=92=8CIP=E5=9C=B0=E5=9D=80=E6=AE=B5=E7=9A=84=E5=B1=80?=
 =?UTF-8?q?=E5=9F=9F=E7=BD=91=E8=BF=87=E6=BB=A4=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/menu.sh  | 130 ++++++++++++++++++++++++++++++++++-------------
 scripts/start.sh |  62 +++++++++++++++++-----
 2 files changed, 144 insertions(+), 48 deletions(-)

diff --git a/scripts/menu.sh b/scripts/menu.sh
index f84c0fb..cafa120 100644
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@@ -824,10 +824,15 @@ checkport(){ #自动检查端口冲突
 	done
 }
 macfilter(){ #局域网设备过滤
+	get_devinfo(){
+		dev_ip=$(cat $dhcpdir | grep $dev | awk '{print $3}') && [ -z "$dev_ip" ] && dev_ip=$dev
+		dev_mac=$(cat $dhcpdir | grep $dev | awk '{print $2}') && [ -z "$dev_mac" ] && dev_mac=$dev
+		dev_name=$(cat $dhcpdir | grep $dev | awk '{print $4}') && [ -z "$dev_name" ] && dev_name='未知设备'	
+	}
 	add_mac(){
 		echo -----------------------------------------------
 		echo 已添加的mac地址：
-		cat ${CRASHDIR}/configs/mac
+		cat ${CRASHDIR}/configs/mac 2>/dev/null
 		echo -----------------------------------------------
 		echo -e "\033[33m序号   设备IP       设备mac地址       设备名称\033[32m"
 		cat $dhcpdir | awk '{print " "NR" "$3,$2,$4}'
@@ -861,34 +866,80 @@ macfilter(){ #局域网设备过滤
 			add_mac
 		fi
 	}
-	del_mac(){
+	add_ip(){
 		echo -----------------------------------------------
-		if [ -z "$(cat ${CRASHDIR}/configs/mac)" ];then
-			echo -e "\033[31m列表中没有需要移除的设备！\033[0m"
+		echo "已添加的IP地址(段)："
+		cat ${CRASHDIR}/configs/ip_filter 2>/dev/null
+		echo -----------------------------------------------
+		echo -e "\033[33m序号   设备IP     设备名称\033[32m"
+		cat $dhcpdir | awk '{print " "NR" "$3,$4}'
+		echo -e "\033[0m-----------------------------------------------"
+		echo -e "手动输入时仅支持\033[32m 192.168.1.0/24\033[0m 或 \033[32m192.168.1.0\033[0m 的形式"
+		echo -e "不支持ipv6地址过滤，如有需求请使用mac地址过滤"
+		echo -e " 0 或回车 结束添加"
+		echo -----------------------------------------------
+		read -p "请输入对应序号或直接输入IP地址段 > " num
+		if [ -z "$num" -o "$num" = 0 ]; then
+			i=
+		elif [ -n "$(echo $num | grep -aE '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|[12]?[0-9]))?$')" ];then
+			if [ -z "$(cat ${CRASHDIR}/configs/ip_filter | grep -E "$num")" ];then
+				echo $num | grep -oE '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|[12]?[0-9]))?$' >> ${CRASHDIR}/configs/ip_filter
+			else
+				echo -----------------------------------------------
+				echo -e "\033[31m已添加的地址，请勿重复添加！\033[0m"
+			fi
+			add_ip
+		elif [ $num -le $(cat $dhcpdir 2>/dev/null | awk 'END{print NR}') ]; then
+			ipadd=$(cat $dhcpdir | awk '{print $3}' | sed -n "$num"p)
+			if [ -z "$(cat ${CRASHDIR}/configs/mac | grep -E "$ipadd")" ];then
+				echo $ipadd >> ${CRASHDIR}/configs/ip_filter
+			else
+				echo -----------------------------------------------
+				echo -e "\033[31m已添加的地址，请勿重复添加！\033[0m"
+			fi
+			add_ip
 		else
-			echo -e "\033[33m序号   设备IP       设备mac地址       设备名称\033[0m"
+			echo -----------------------------------------------
+			echo -e "\033[31m输入有误，请重新输入！\033[0m"
+			add_ip
+		fi
+	}
+	del_all(){
+		echo -----------------------------------------------
+		if [ -z "$(cat ${CRASHDIR}/configs/mac ${CRASHDIR}/configs/ip_filter 2>/dev/null)" ];then
+			echo -e "\033[31m列表中没有需要移除的设备！\033[0m"
+			sleep 1
+		else
+			echo -e "请选择需要移除的设备：\033[36m"
+			echo -e "\033[33m      设备IP       设备mac地址       设备名称\033[0m"
 			i=1
-			for mac in $(cat ${CRASHDIR}/configs/mac); do
-				dev_ip=$(cat $dhcpdir | grep $mac | awk '{print $3}') && [ -z "$dev_ip" ] && dev_ip='000.000.00.00'
-				dev_mac=$(cat $dhcpdir | grep $mac | awk '{print $2}') && [ -z "$dev_mac" ] && dev_mac=$mac
-				dev_name=$(cat $dhcpdir | grep $mac | awk '{print $4}') && [ -z "$dev_name" ] && dev_name='未知设备'
+			for dev in $(cat ${CRASHDIR}/configs/mac ${CRASHDIR}/configs/ip_filter 2>/dev/null); do
+				get_devinfo
 				echo -e " $i \033[32m$dev_ip \033[36m$dev_mac \033[32m$dev_name\033[0m"
-				i=$((i+1))
+				i=$((i + 1))
 			done
 			echo -----------------------------------------------
 			echo -e "\033[0m 0 或回车 结束删除"
 			read -p "请输入需要移除的设备的对应序号 > " num
+			mac_filter_rows=$(cat ${CRASHDIR}/configs/mac 2>/dev/null | wc -l)
+			ip_filter_rows=$(cat ${CRASHDIR}/configs/ip_filter 2>/dev/null | wc -l)
 			if [ -z "$num" ]||[ "$num" -le 0 ]; then
 				n=
-			elif [ $num -le $(cat ${CRASHDIR}/configs/mac | wc -l) ];then
+			elif [ $num -le $mac_filter_rows ];then
 				sed -i "${num}d" ${CRASHDIR}/configs/mac
 				echo -----------------------------------------------
 				echo -e "\033[32m对应设备已移除！\033[0m"
-				del_mac
+				del_all
+			elif [ $num -le $((mac_filter_rows + ip_filter_rows)) ];then
+				num=$((num - mac_filter_rows))
+				sed -i "${num}d" ${CRASHDIR}/configs/ip_filter
+				echo -----------------------------------------------
+				echo -e "\033[32m对应设备已移除！\033[0m"
+				del_all
 			else
 				echo -----------------------------------------------
 				echo -e "\033[31m输入有误，请重新输入！\033[0m"
-				del_mac
+				del_all
 			fi
 		fi
 	}
@@ -913,46 +964,57 @@ macfilter(){ #局域网设备过滤
 	if [ -n "$(cat ${CRASHDIR}/configs/mac)" ]; then
 		echo -----------------------------------------------
 		echo -e "当前已过滤设备为：\033[36m"
-		echo -e "\033[33m   设备IP       设备mac地址       设备名称\033[0m"
-		for mac in $(cat ${CRASHDIR}/configs/mac); do
-			dev_ip=$(cat $dhcpdir | grep $mac | awk '{print $3}') && [ -z "$dev_ip" ] && dev_ip='000.000.00.00'
-			dev_mac=$(cat $dhcpdir | grep $mac | awk '{print $2}') && [ -z "$dev_mac" ] && dev_mac=$mac
-			dev_name=$(cat $dhcpdir | grep $mac | awk '{print $4}') && [ -z "$dev_name" ] && dev_name='未知设备'
-			echo -e "\033[32m$dev_ip \033[36m$dev_mac \033[32m$dev_name\033[0m"
+		echo -e "\033[33m 设备mac/ip地址       设备名称\033[0m"
+		for dev in $(cat ${CRASHDIR}/configs/mac 2>/dev/null); do
+			get_devinfo
+			echo -e "\033[36m$dev_mac \033[0m$dev_name"
+		done
+		for dev in $(cat ${CRASHDIR}/configs/ip_filter 2>/dev/null); do
+			get_devinfo
+			echo -e "\033[32m$dev_ip  \033[0m$dev_name"
 		done
 		echo -----------------------------------------------
 	fi
 	echo -e " 1 切换为\033[33m$macfilter_over模式\033[0m"
-	echo -e " 2 \033[32m添加指定设备\033[0m"
-	echo -e " 3 \033[36m移除指定设备\033[0m"
-	echo -e " 4 \033[31m清空整个列表\033[0m"
+	echo -e " 2 \033[32m添加指定设备(mac地址)\033[0m"
+	echo -e " 3 \033[32m添加指定设备(IP地址/网段)\033[0m"
+	echo -e " 4 \033[36m移除指定设备\033[0m"
+	echo -e " 9 \033[31m清空整个列表\033[0m"
 	echo -e " 0 返回上级菜单"
 	read -p "请输入对应数字 > " num
-	if [ -z "$num" ]; then
-		errornum
-	elif [ "$num" = 0 ]; then
-		i=
-	elif [ "$num" = 1 ]; then
+	case "$num" in
+	0)
+	;;
+	1)
 		macfilter_type=$macfilter_over
 		setconfig macfilter_type $macfilter_type
 		echo -----------------------------------------------
 		echo -e "\033[32m已切换为$macfilter_type模式！\033[0m"
 		macfilter
-	elif [ "$num" = 2 ]; then	
+	;;
+	2)
 		add_mac
 		macfilter
-	elif [ "$num" = 3 ]; then	
-		del_mac
+	;;
+	3)
+		add_ip
 		macfilter
-	elif [ "$num" = 4 ]; then
+	;;
+	4)
+		del_all
+		macfilter
+	;;
+	9)
 		:>${CRASHDIR}/configs/mac
+		:>${CRASHDIR}/configs/ip_filter
 		echo -----------------------------------------------
 		echo -e "\033[31m设备列表已清空！\033[0m"
 		macfilter
-	else
+	;;
+	*)
 		errornum
-		macfilter
-	fi
+	;;
+	esac
 }
 setboot(){ #启动相关设置
 	[ -z "$start_old" ] && start_old=未开启
diff --git a/scripts/start.sh b/scripts/start.sh
index 900da76..ac8497d 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -919,17 +919,27 @@ start_ipt_route() { #iptables-route通用工具
 	[ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && $1 -w -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null
 	[ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ipv6_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && $1 -w -t $2 -A $4 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
 	#局域网mac地址黑名单过滤
-	[ "$3" = 'PREROUTING' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" != "白名单" ] && {
+	[ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
+		[ -s "$CRASHDIR"/configs/mac ] && \
 		for mac in $(cat "$CRASHDIR"/configs/mac); do
 			$1 -w -t $2 -A $4 -m mac --mac-source $mac -j RETURN
 		done
+		[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && \
+		for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
+			$1 -w -t $2 -A $4 -s $ip -j RETURN
+		done
 	}
 	#tcp&udp分别进代理链
 	proxy_set() {
-		if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -s "$CRASHDIR"/configs/mac ];then
+		if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ];then
+			[ -s "$CRASHDIR"/configs/mac ] && \
 			for mac in $(cat "$CRASHDIR"/configs/mac); do
 				$1 -w -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP
 			done
+			[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && \
+			for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
+				$1 -w -t $2 -A $4 -p $5 -s $ip -j $JUMP
+			done
 		else
 			for ip in $HOST_IP; do #仅限指定网段流量
 				$1 -w -t $2 -A $4 -p $5 -s $ip -j $JUMP
@@ -962,16 +972,27 @@ start_ipt_dns() { #iptables-dns通用工具
 		$1 -w -t nat -A $3 -p udp -s $bypass_host -j RETURN
 	}
 	#局域网mac地址黑名单过滤
-	[ "$2" = 'PREROUTING' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" != "白名单" ] && {
+	[ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && {
+		[ -s "$CRASHDIR"/configs/mac ] && \
 		for mac in $(cat "$CRASHDIR"/configs/mac); do
 			$1 -w -t nat -A $3 -m mac --mac-source $mac -j RETURN
 		done
+		[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && \
+		for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
+			$1 -w -t nat -A $3 -s $ip -j RETURN
+		done
 	}
-	if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ -s "$CRASHDIR"/configs/mac ] && [ "$macfilter_type" = "白名单" ]; then
+	if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ];then
+		[ -s "$CRASHDIR"/configs/mac ] && \
 		for mac in $(cat "$CRASHDIR"/configs/mac); do
 			$1 -w -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
 			$1 -w -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port
 		done
+		[ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && \
+		for ip in $(cat "$CRASHDIR"/configs/ip_filter); do
+			$1 -w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
+			$1 -w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
+		done		
 	else
 		for ip in $HOST_IP; do #仅限指定网段流量
 			$1 -w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port
@@ -1145,17 +1166,30 @@ start_nft_route() { #nftables-route通用工具
 	nft add rule inet shellcrash $1 meta skgid 7890 return
 	#nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
 	[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
-	#过滤局域网设备
-	[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
-		MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
-		if [ "$macfilter_type" = "黑名单" ]; then
-			nft add rule inet shellcrash $1 ether saddr {$MAC} return
-		else
-			nft add rule inet shellcrash $1 ether saddr != {$MAC} return
-		fi
-	}
 	nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
-	nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return  #仅代理本机局域网网段流量
+	#过滤局域网设备
+	if [ "$1" = 'prerouting' ] && [ "$macfilter_type" != "白名单" ];then
+		[ -s "$CRASHDIR"/configs/mac ] && {
+		MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
+		nft add rule inet shellcrash $1 ether saddr {$MAC} return
+		}
+		[ -s "$CRASHDIR"/configs/ip_filter ] && {
+		FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
+		nft add rule inet shellcrash $1 ip saddr {$FL_IP} return
+		}
+		nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return  #仅代理本机局域网网段流量
+	fi
+	if [ "$1" = 'prerouting' ] && [ "$macfilter_type" = "白名单" ];then
+		[ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
+		[ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter)
+		if [ -n "$MAC" ] && [ -n "$FL_IP" ];then
+			nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return
+		elif [ -n "$MAC" ];then
+			nft add rule inet shellcrash $1 ether saddr != {$MAC} return
+		elif [ -n "$FL_IP" ];then
+			nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return
+		fi
+	fi
 	#绕过CN-IP
 	[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && {
 		CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt)