diff --git a/ShellCrash.tar.gz b/ShellCrash.tar.gz index 10fd930d..9c17607e 100644 Binary files a/ShellCrash.tar.gz and b/ShellCrash.tar.gz differ diff --git a/bin/clashfm.tar.gz b/bin/clashfm.tar.gz index 10fd930d..9c17607e 100644 Binary files a/bin/clashfm.tar.gz and b/bin/clashfm.tar.gz differ diff --git a/bin/version b/bin/version index bd91fc1a..dfb5ec9e 100644 --- a/bin/version +++ b/bin/version @@ -1,4 +1,4 @@ meta_v=v1.19.17 singboxr_v=1.13.0-alpha.27 -versionsh=1.9.3beta7fix +versionsh=1.9.3beta8 GeoIP_v=20251205 diff --git a/scripts/init.sh b/scripts/init.sh index 1730b8e0..4cdb733d 100644 --- a/scripts/init.sh +++ b/scripts/init.sh @@ -1,7 +1,7 @@ #!/bin/sh # Copyright (C) Juewuy -version=1.9.3beta7fix +version=1.9.3beta8 setdir() { dir_avail() { @@ -159,12 +159,12 @@ setconfig() { #脚本配置工具 fi } #特殊固件识别及标记 -[ -f "/etc/storage/started_script.sh" ] && { - systype=Padavan #老毛子固件 +[ -f "/etc/storage/started_script.sh" ] && { #老毛子固件 + systype=Padavan initdir='/etc/storage/started_script.sh' } -[ -d "/jffs" ] && { - systype=asusrouter #华硕固件 +[ -d "/jffs" ] && { #华硕固件 + systype=asusrouter [ -f "/jffs/.asusrouter" ] && initdir='/jffs/.asusrouter' [ -d "/jffs/scripts" ] && initdir='/jffs/scripts/nat-start' #华硕启用jffs @@ -173,7 +173,8 @@ setconfig() { #脚本配置工具 } [ -f "/data/etc/crontabs/root" ] && systype=mi_snapshot #小米设备 [ -w "/var/mnt/cfg/firewall" ] && systype=ng_snapshot #NETGEAR设备 - +#容器内环境 +grep -qE '/(docker|lxc|kubepods|crio|containerd)/' /proc/1/cgroup || [ -f /run/.containerenv ] || [ -f /.dockerenv ] && systype=container #检查环境变量 [ -z "$CRASHDIR" -a -n "$clashdir" ] && CRASHDIR=$clashdir [ -z "$CRASHDIR" -a -d /tmp/SC_tmp ] && setdir @@ -290,7 +291,6 @@ if [ "$systype" = "mi_snapshot" -o "$systype" = "ng_snapshot" ]; then uci set firewall.ShellCrash.path="$CRASHDIR/misnap_init.sh" uci set firewall.ShellCrash.enabled='1' uci commit firewall - setconfig systype $systype else rm -rf ${CRASHDIR}/misnap_init.sh fi @@ -303,6 +303,18 @@ fi #华硕下载大师启动额外设置 [ -f "$dir/asusware.arm/etc/init.d/S50downloadmaster" ] && [ -z "$(grep 'ShellCrash' $dir/asusware.arm/etc/init.d/S50downloadmaster)" ] && sed -i "/^PATH=/a\\$CRASHDIR/start.sh init & #ShellCrash初始化脚本" "$dir/asusware.arm/etc/init.d/S50downloadmaster" +#容器环境额外设置 +[ "$systype" = 'container' ] && { + setconfig userguide '1' + setconfig crashcore 'meta' + setconfig redir_mod "混合模式" + setconfig dns_mod 'mix' + setconfig firewall_area '1' + setconfig firewall_mod 'nftables' + setconfig start_old '已开启' + echo "$CRASHDIR/menu.sh" >> /etc/profile +} +setconfig systype $systype #删除临时文件 rm -rf /tmp/*rash*gz rm -rf /tmp/SC_tmp @@ -360,7 +372,4 @@ sed -i "s/redir_mod=Nft混合/redir_mod=Tproxy模式/g" $configpath sed -i "s/redir_mod=Tproxy混合/redir_mod=Tproxy模式/g" $configpath sed -i "s/redir_mod=纯净模式/firewall_area=4/g" $configpath -#清理路由器空间 -[ -d /data/etc_bak ] && rm -rf /data/etc_bak - echo -e "\033[32m脚本初始化完成,请输入\033[30;47m crash \033[0;33m命令开始使用!\033[0m" diff --git a/scripts/menu.sh b/scripts/menu.sh index 949d15bd..09b4331d 100644 --- a/scripts/menu.sh +++ b/scripts/menu.sh @@ -694,7 +694,7 @@ setport() { #端口设置 esac } setdns() { #DNS详细设置 - [ -z "$dns_nameserver" ] && dns_nameserver='180.184.1.1, 1.2.4.8' + [ -z "$dns_nameserver" ] && dns_nameserver='223.5.5.5, 1.2.4.8' [ -z "$dns_fallback" ] && dns_fallback="1.1.1.1, 8.8.8.8" [ -z "$dns_resolver" ] && dns_resolver="223.5.5.5, 2400:3200::1" [ -z "$hosts_opt" ] && hosts_opt=已启用 @@ -811,7 +811,7 @@ setdns() { #DNS详细设置 openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')" if [ -s "$openssldir/certs/ca-certificates.crt" ] || [ -s "/etc/ssl/certs/ca-certificates.crt" ] || echo "$crashcore" | grep -qE 'meta|singbox'; then - dns_nameserver='https://doh.360.cn/dns-query, https://dns.alidns.com/dns-query, https://doh.pub/dns-query' + dns_nameserver='https://dns.alidns.com/dns-query, https://doh.pub/dns-query' dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query' dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1' setconfig dns_nameserver "'$dns_nameserver'" diff --git a/scripts/start.sh b/scripts/start.sh index cba1fc9c..aae1a655 100644 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -3,8 +3,8 @@ #初始化目录 CRASHDIR=$( - cd $(dirname $0) - pwd + cd $(dirname $0) + pwd ) #加载执行目录,失败则初始化 . "$CRASHDIR"/configs/command.env >/dev/null 2>&1 @@ -13,411 +13,464 @@ CRASHDIR=$( #脚本内部工具 getconfig() { #读取配置及全局变量 - #加载配置文件 - . "$CRASHDIR"/configs/ShellCrash.cfg >/dev/null - #缺省值 - [ -z "$redir_mod" ] && [ "$USER" = "root" -o "$USER" = "admin" ] && redir_mod=Redir模式 - [ -z "$redir_mod" ] && redir_mod=纯净模式 - [ -z "$skip_cert" ] && skip_cert=已开启 - [ -z "$dns_mod" ] && dns_mod=fake-ip - [ -z "$ipv6_redir" ] && ipv6_redir=未开启 - [ -z "$ipv6_dns" ] && ipv6_dns=已开启 - [ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启 - [ -z "$macfilter_type" ] && macfilter_type=黑名单 - [ -z "$mix_port" ] && mix_port=7890 - [ -z "$redir_port" ] && redir_port=7892 - [ -z "$tproxy_port" ] && tproxy_port=7893 - [ -z "$db_port" ] && db_port=9999 - [ -z "$dns_port" ] && dns_port=1053 - [ -z "$fwmark" ] && fwmark=$redir_port - routing_mark=$((fwmark + 2)) - [ -z "$table" ] && table=100 - [ -z "$sniffer" ] && sniffer=已开启 - #是否代理常用端口 - [ -z "$common_ports" ] && common_ports=已开启 - [ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443' - [ "$common_ports" = "已开启" ] && ports="-m multiport --dports $multiport" - #内核配置文件 - if echo "$crashcore" | grep -q 'singbox'; then - target=singbox - format=json - core_config="$CRASHDIR"/jsons/config.json - else - target=clash - format=yaml - core_config="$CRASHDIR"/yamls/config.yaml - fi - #检查$iptable命令可用性 - ckcmd iptables && iptables -h | grep -q '\-w' && iptable='iptables -w' || iptable=iptables - ckcmd ip6tables && ip6tables -h | grep -q '\-w' && ip6table='ip6tables -w' || ip6table=ip6tables - #默认dns - [ -z "$dns_nameserver" ] && dns_nameserver='180.184.1.1, 1.2.4.8' - [ -z "$dns_fallback" ] && dns_fallback="1.1.1.1, 8.8.8.8" - [ -z "$dns_resolver" ] && dns_resolver="223.5.5.5, 2400:3200::1" - #自动生成ua - [ -z "$user_agent" -o "$user_agent" = "auto" ] && { - if echo "$crashcore" | grep -q 'singbox';then - user_agent="sing-box/singbox/$core_v" - elif [ "$crashcore" = meta ];then - user_agent="clash.meta/mihomo/$core_v" - else - user_agent="clash" - fi - } - [ "$user_agent" = "none" ] && unset user_agent + #加载配置文件 + . "$CRASHDIR"/configs/ShellCrash.cfg >/dev/null + #缺省值 + [ -z "$redir_mod" ] && [ "$USER" = "root" -o "$USER" = "admin" ] && redir_mod=Redir模式 + [ -z "$redir_mod" ] && redir_mod=纯净模式 + [ -z "$skip_cert" ] && skip_cert=已开启 + [ -z "$dns_mod" ] && dns_mod=fake-ip + [ -z "$ipv6_redir" ] && ipv6_redir=未开启 + [ -z "$ipv6_dns" ] && ipv6_dns=已开启 + [ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启 + [ -z "$macfilter_type" ] && macfilter_type=黑名单 + [ -z "$mix_port" ] && mix_port=7890 + [ -z "$redir_port" ] && redir_port=7892 + [ -z "$tproxy_port" ] && tproxy_port=7893 + [ -z "$db_port" ] && db_port=9999 + [ -z "$dns_port" ] && dns_port=1053 + [ -z "$fwmark" ] && fwmark=$redir_port + routing_mark=$((fwmark + 2)) + [ -z "$table" ] && table=100 + [ -z "$sniffer" ] && sniffer=已开启 + #是否代理常用端口 + [ -z "$common_ports" ] && common_ports=已开启 + [ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443' + [ "$common_ports" = "已开启" ] && ports="-m multiport --dports $multiport" + #内核配置文件 + if echo "$crashcore" | grep -q 'singbox'; then + target=singbox + format=json + core_config="$CRASHDIR"/jsons/config.json + else + target=clash + format=yaml + core_config="$CRASHDIR"/yamls/config.yaml + fi + #检查$iptable命令可用性 + ckcmd iptables && iptables -h | grep -q '\-w' && iptable='iptables -w' || iptable=iptables + ckcmd ip6tables && ip6tables -h | grep -q '\-w' && ip6table='ip6tables -w' || ip6table=ip6tables + #默认dns + [ -z "$dns_nameserver" ] && dns_nameserver='223.5.5.5, 1.2.4.8' + [ -z "$dns_fallback" ] && dns_fallback="1.1.1.1, 8.8.8.8" + [ -z "$dns_resolver" ] && dns_resolver="223.5.5.5, 2400:3200::1" + #自动生成ua + [ -z "$user_agent" -o "$user_agent" = "auto" ] && { + if echo "$crashcore" | grep -q 'singbox'; then + user_agent="sing-box/singbox/$core_v" + elif [ "$crashcore" = meta ]; then + user_agent="clash.meta/mihomo/$core_v" + else + user_agent="clash" + fi + } + [ "$user_agent" = "none" ] && unset user_agent } setconfig() { #脚本配置工具 - #参数1代表变量名,参数2代表变量值,参数3即文件路径 - [ -z "$3" ] && configpath="$CRASHDIR"/configs/ShellCrash.cfg || configpath="${3}" - if grep -q "^${1}=" "$configpath";then - sed -i "s#${1}=.*#${1}=${2}#g" "$configpath" - else - printf '%s=%s\n' "$1" "$2" >> "$configpath" - fi + #参数1代表变量名,参数2代表变量值,参数3即文件路径 + [ -z "$3" ] && configpath="$CRASHDIR"/configs/ShellCrash.cfg || configpath="${3}" + if grep -q "^${1}=" "$configpath"; then + sed -i "s#${1}=.*#${1}=${2}#g" "$configpath" + else + printf '%s=%s\n' "$1" "$2" >>"$configpath" + fi } ckcmd() { #检查命令是否存在 - command -v sh >/dev/null 2>&1 && command -v "$1" >/dev/null 2>&1 || type "$1" >/dev/null 2>&1 + command -v sh >/dev/null 2>&1 && command -v "$1" >/dev/null 2>&1 || type "$1" >/dev/null 2>&1 } ckgeo() { #查找及下载Geo数据文件 - [ ! -d "$BINDIR"/ruleset ] && mkdir -p "$BINDIR"/ruleset - find --help 2>&1 | grep -q size && find_para=' -size +20' #find命令兼容 - [ -z "$(find "$BINDIR"/"$1" "$find_para" 2>/dev/null)" ] && { - if [ -n "$(find "$CRASHDIR"/"$1" "$find_para" 2>/dev/null)" ]; then - mv "$CRASHDIR"/"$1" "$BINDIR"/"$1" #小闪存模式移动文件 - else - logger "未找到${1}文件,正在下载!" 33 - get_bin "$BINDIR"/"$1" bin/geodata/"$2" - [ "$?" = "1" ] && rm -rf "${BINDIR}"/"${1}" && logger "${1}文件下载失败,已退出!请前往更新界面尝试手动下载!" 31 && exit 1 - geo_v="$(echo "$2" | awk -F "." '{print $1}')_v" - setconfig "$geo_v" "$(date +"%Y%m%d")" - fi - } + [ ! -d "$BINDIR"/ruleset ] && mkdir -p "$BINDIR"/ruleset + find --help 2>&1 | grep -q size && find_para=' -size +20' #find命令兼容 + [ -z "$(find "$BINDIR"/"$1" "$find_para" 2>/dev/null)" ] && { + if [ -n "$(find "$CRASHDIR"/"$1" "$find_para" 2>/dev/null)" ]; then + mv "$CRASHDIR"/"$1" "$BINDIR"/"$1" #小闪存模式移动文件 + else + logger "未找到${1}文件,正在下载!" 33 + get_bin "$BINDIR"/"$1" bin/geodata/"$2" + [ "$?" = "1" ] && rm -rf "${BINDIR}"/"${1}" && logger "${1}文件下载失败,已退出!请前往更新界面尝试手动下载!" 31 && exit 1 + geo_v="$(echo "$2" | awk -F "." '{print $1}')_v" + setconfig "$geo_v" "$(date +"%Y%m%d")" + fi + } } compare() { #对比文件 - if [ ! -f "$1" ] || [ ! -f "$2" ]; then - return 1 - elif ckcmd cmp; then - cmp -s "$1" "$2" - else - [ "$(cat "$1")" = "$(cat "$2")" ] && return 0 || return 1 - fi + if [ ! -f "$1" ] || [ ! -f "$2" ]; then + return 1 + elif ckcmd cmp; then + cmp -s "$1" "$2" + else + [ "$(cat "$1")" = "$(cat "$2")" ] && return 0 || return 1 + fi } logger() { #日志工具 - #$1日志内容$2显示颜色$3是否推送 - [ -n "$2" -a "$2" != 0 ] && echo -e "\033[$2m$1\033[0m" - log_text="$(date "+%G-%m-%d_%H:%M:%S")~$1" - echo "$log_text" >>"$TMPDIR"/ShellCrash.log - [ "$(wc -l "$TMPDIR"/ShellCrash.log | awk '{print $1}')" -gt 99 ] && sed -i '1,50d' "$TMPDIR"/ShellCrash.log - #推送工具 - webpush() { - [ -n "$(pidof CrashCore)" ] && { - [ -n "$authentication" ] && auth="$authentication@" - export https_proxy="http://${auth}127.0.0.1:$mix_port" - } - if curl --version >/dev/null 2>&1; then - curl -kfsSl -X POST --connect-timeout 3 -H "Content-Type: application/json; charset=utf-8" "$1" -d "$2" >/dev/null 2>&1 - elif wget --version >/dev/null 2>&1; then - wget -Y on -q --timeout=3 -O - --method=POST --header="Content-Type: application/json; charset=utf-8" --body-data="$2" "$1" >/dev/null 2>&1 - else - echo "找不到有效的curl或wget应用,请先安装!" - fi - } - [ -z "$3" ] && { - [ -n "$device_name" ] && log_text="$log_text($device_name)" - [ -n "$push_TG" ] && { - url="https://api.telegram.org/bot${push_TG}/sendMessage" - [ "$push_TG" = 'publictoken' ] && url='https://tgbot.jwsc.eu.org/publictoken/sendMessage' - content="{\"chat_id\":\"${chat_ID}\",\"text\":\"$log_text\"}" - webpush "$url" "$content" & - } - [ -n "$push_bark" ] && { - url="${push_bark}" - content="{\"body\":\"${log_text}\",\"title\":\"ShellCrash日志推送\",\"level\":\"passive\",\"badge\":\"1\"}" - webpush "$url" "$content" & - } - [ -n "$push_Deer" ] && { - url="https://api2.pushdeer.com/message/push" - content="{\"pushkey\":\"${push_Deer}\",\"text\":\"$log_text\"}" - webpush "$url" "$content" & - } - [ -n "$push_Po" ] && { - url="https://api.pushover.net/1/messages.json" - content="{\"token\":\"${push_Po}\",\"user\":\"${push_Po_key}\",\"title\":\"ShellCrash日志推送\",\"message\":\"$log_text\"}" - webpush "$url" "$content" & - } - [ -n "$push_PP" ] && { - url="http://www.pushplus.plus/send" - content="{\"token\":\"${push_PP}\",\"title\":\"ShellCrash日志推送\",\"content\":\"$log_text\"}" - webpush "$url" "$content" & - } - # 新增Gotify推送 - [ -n "$push_Gotify" ] && { - url="${push_Gotify}" - content="{\"title\":\"ShellCrash日志推送\",\"message\":\"$log_text\",\"priority\":5}" - webpush "$url" "$content" & - } - [ -n "$push_SynoChat" ] && { - url="${push_ChatURL}/webapi/entry.cgi?api=SYNO.Chat.External&method=chatbot&version=2&token=${push_ChatTOKEN}" - content="payload={\"text\":\"${log_text}\", \"user_ids\":[${push_ChatUSERID}]}" - webpush "$url" "$content" & - #curl -X POST "${push_ChatURL}/webapi/entry.cgi?api=SYNO.Chat.External&method=chatbot&version=2&token=${push_ChatTOKEN}" -H 'content-Type: application/json' -d "payload={\"text\":\"${log_text}\", \"user_ids\":[${push_ChatUSERID}]}" >/dev/null 2>&1 - } - } & + #$1日志内容$2显示颜色$3是否推送 + [ -n "$2" -a "$2" != 0 ] && echo -e "\033[$2m$1\033[0m" + log_text="$(date "+%G-%m-%d_%H:%M:%S")~$1" + echo "$log_text" >>"$TMPDIR"/ShellCrash.log + [ "$(wc -l "$TMPDIR"/ShellCrash.log | awk '{print $1}')" -gt 99 ] && sed -i '1,50d' "$TMPDIR"/ShellCrash.log + #推送工具 + webpush() { + [ -n "$(pidof CrashCore)" ] && { + [ -n "$authentication" ] && auth="$authentication@" + export https_proxy="http://${auth}127.0.0.1:$mix_port" + } + if curl --version >/dev/null 2>&1; then + curl -kfsSl -X POST --connect-timeout 3 -H "Content-Type: application/json; charset=utf-8" "$1" -d "$2" >/dev/null 2>&1 + elif wget --version >/dev/null 2>&1; then + wget -Y on -q --timeout=3 -O - --method=POST --header="Content-Type: application/json; charset=utf-8" --body-data="$2" "$1" >/dev/null 2>&1 + else + echo "找不到有效的curl或wget应用,请先安装!" + fi + } + [ -z "$3" ] && { + [ -n "$device_name" ] && log_text="$log_text($device_name)" + [ -n "$push_TG" ] && { + url="https://api.telegram.org/bot${push_TG}/sendMessage" + [ "$push_TG" = 'publictoken' ] && url='https://tgbot.jwsc.eu.org/publictoken/sendMessage' + content="{\"chat_id\":\"${chat_ID}\",\"text\":\"$log_text\"}" + webpush "$url" "$content" & + } + [ -n "$push_bark" ] && { + url="${push_bark}" + content="{\"body\":\"${log_text}\",\"title\":\"ShellCrash日志推送\",\"level\":\"passive\",\"badge\":\"1\"}" + webpush "$url" "$content" & + } + [ -n "$push_Deer" ] && { + url="https://api2.pushdeer.com/message/push" + content="{\"pushkey\":\"${push_Deer}\",\"text\":\"$log_text\"}" + webpush "$url" "$content" & + } + [ -n "$push_Po" ] && { + url="https://api.pushover.net/1/messages.json" + content="{\"token\":\"${push_Po}\",\"user\":\"${push_Po_key}\",\"title\":\"ShellCrash日志推送\",\"message\":\"$log_text\"}" + webpush "$url" "$content" & + } + [ -n "$push_PP" ] && { + url="http://www.pushplus.plus/send" + content="{\"token\":\"${push_PP}\",\"title\":\"ShellCrash日志推送\",\"content\":\"$log_text\"}" + webpush "$url" "$content" & + } + # 新增Gotify推送 + [ -n "$push_Gotify" ] && { + url="${push_Gotify}" + content="{\"title\":\"ShellCrash日志推送\",\"message\":\"$log_text\",\"priority\":5}" + webpush "$url" "$content" & + } + [ -n "$push_SynoChat" ] && { + url="${push_ChatURL}/webapi/entry.cgi?api=SYNO.Chat.External&method=chatbot&version=2&token=${push_ChatTOKEN}" + content="payload={\"text\":\"${log_text}\", \"user_ids\":[${push_ChatUSERID}]}" + webpush "$url" "$content" & + #curl -X POST "${push_ChatURL}/webapi/entry.cgi?api=SYNO.Chat.External&method=chatbot&version=2&token=${push_ChatTOKEN}" -H 'content-Type: application/json' -d "payload={\"text\":\"${log_text}\", \"user_ids\":[${push_ChatUSERID}]}" >/dev/null 2>&1 + } + } & } croncmd() { #定时任务工具 - if [ -n "$(crontab -h 2>&1 | grep '\-l')" ]; then - crontab "$1" - else - crondir="$(crond -h 2>&1 | grep -oE 'Default:.*' | awk -F ":" '{print $2}')" - [ ! -w "$crondir" ] && crondir="/etc/storage/cron/crontabs" - [ ! -w "$crondir" ] && crondir="/var/spool/cron/crontabs" - [ ! -w "$crondir" ] && crondir="/var/spool/cron" - if [ -w "$crondir" ]; then - [ "$1" = "-l" ] && cat "$crondir"/"$USER" 2>/dev/null - [ -f "$1" ] && cat "$1" >"$crondir"/"$USER" - else - echo "你的设备不支持定时任务配置,脚本大量功能无法启用,请尝试使用搜索引擎查找安装方式!" - fi - fi + if [ -n "$(crontab -h 2>&1 | grep '\-l')" ]; then + crontab "$1" + else + crondir="$(crond -h 2>&1 | grep -oE 'Default:.*' | awk -F ":" '{print $2}')" + [ ! -w "$crondir" ] && crondir="/etc/storage/cron/crontabs" + [ ! -w "$crondir" ] && crondir="/var/spool/cron/crontabs" + [ ! -w "$crondir" ] && crondir="/var/spool/cron" + if [ -w "$crondir" ]; then + [ "$1" = "-l" ] && cat "$crondir"/"$USER" 2>/dev/null + [ -f "$1" ] && cat "$1" >"$crondir"/"$USER" + else + echo "你的设备不支持定时任务配置,脚本大量功能无法启用,请尝试使用搜索引擎查找安装方式!" + fi + fi } cronset() { #定时任务设置 - # 参数1代表要移除的关键字,参数2代表要添加的任务语句 - tmpcron="$TMPDIR"/cron_$USER - croncmd -l >"$tmpcron" 2>/dev/null - sed -i "/$1/d" "$tmpcron" - sed -i '/^$/d' "$tmpcron" - echo "$2" >>"$tmpcron" - croncmd "$tmpcron" - rm -f "$tmpcron" + # 参数1代表要移除的关键字,参数2代表要添加的任务语句 + tmpcron="$TMPDIR"/cron_tmp + croncmd -l >"$tmpcron" 2>/dev/null + sed -i "/$1/d" "$tmpcron" + sed -i '/^$/d' "$tmpcron" + echo "$2" >>"$tmpcron" + croncmd "$tmpcron" + rm -f "$tmpcron" } get_save() { #获取面板信息 - if curl --version >/dev/null 2>&1; then - curl -s -H "Authorization: Bearer ${secret}" -H "Content-Type:application/json" "$1" - elif [ -n "$(wget --help 2>&1 | grep '\-\-method')" ]; then - wget -q --header="Authorization: Bearer ${secret}" --header="Content-Type:application/json" -O - "$1" - fi + if curl --version >/dev/null 2>&1; then + curl -s -H "Authorization: Bearer ${secret}" -H "Content-Type:application/json" "$1" + elif [ -n "$(wget --help 2>&1 | grep '\-\-method')" ]; then + wget -q --header="Authorization: Bearer ${secret}" --header="Content-Type:application/json" -O - "$1" + fi } put_save() { #推送面板选择 - [ -z "$3" ] && request_type=PUT || request_type=$3 - if curl --version >/dev/null 2>&1; then - curl -sS -X "$request_type" -H "Authorization: Bearer $secret" -H "Content-Type:application/json" "$1" -d "$2" >/dev/null - elif wget --version >/dev/null 2>&1; then - wget -q --method="$request_type" --header="Authorization: Bearer $secret" --header="Content-Type:application/json" --body-data="$2" "$1" >/dev/null - fi + [ -z "$3" ] && request_type=PUT || request_type=$3 + if curl --version >/dev/null 2>&1; then + curl -sS -X "$request_type" -H "Authorization: Bearer $secret" -H "Content-Type:application/json" "$1" -d "$2" >/dev/null + elif wget --version >/dev/null 2>&1; then + wget -q --method="$request_type" --header="Authorization: Bearer $secret" --header="Content-Type:application/json" --body-data="$2" "$1" >/dev/null + fi } get_bin() { #专用于项目内部文件的下载 - [ -z "$update_url" ] && update_url=https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@master - if [ -n "$url_id" ]; then - echo "$2" | grep -q '^bin/' && release_type=update #/bin文件改为在update分支下载 - echo "$2" | grep -q '^public/' && release_type=dev #/public文件改为在dev分支下载 - [ -z "$release_type" ] && release_type=master - if [ "$url_id" = 101 -o "$url_id" = 104 ]; then - url="$(grep "$url_id" "$CRASHDIR"/configs/servers.list | awk '{print $3}')@$release_type/$2" #jsdelivr特殊处理 - else - url="$(grep "$url_id" "$CRASHDIR"/configs/servers.list | awk '{print $3}')/$release_type/$2" - fi - else - url="$update_url/$2" - fi - $0 webget "$1" "$url" "$3" "$4" "$5" "$6" + [ -z "$update_url" ] && update_url=https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@master + if [ -n "$url_id" ]; then + echo "$2" | grep -q '^bin/' && release_type=update #/bin文件改为在update分支下载 + echo "$2" | grep -q '^public/' && release_type=dev #/public文件改为在dev分支下载 + [ -z "$release_type" ] && release_type=master + if [ "$url_id" = 101 -o "$url_id" = 104 ]; then + url="$(grep "$url_id" "$CRASHDIR"/configs/servers.list | awk '{print $3}')@$release_type/$2" #jsdelivr特殊处理 + else + url="$(grep "$url_id" "$CRASHDIR"/configs/servers.list | awk '{print $3}')/$release_type/$2" + fi + else + url="$update_url/$2" + fi + $0 webget "$1" "$url" "$3" "$4" "$5" "$6" } mark_time() { #时间戳 - date +%s >"$TMPDIR"/crash_start_time + date +%s >"$TMPDIR"/crash_start_time } getlanip() { #获取局域网host地址 - i=1 - while [ "$i" -le "20" ]; do - host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -Ev 'utun|iot|peer|docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | sed 's/metric.*$//g') #ipv4局域网网段 - [ "$ipv6_redir" = "已开启" ] && host_ipv6=$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g') #ipv6公网地址段 - [ -f "$TMPDIR"/ShellCrash.log ] && break - [ -n "$host_ipv4" -a "$ipv6_redir" != "已开启" ] && break - [ -n "$host_ipv4" -a -n "$host_ipv6" ] && break - sleep 1 && i=$((i + 1)) - done - #添加自定义ipv4局域网网段 - if [ "$replace_default_host_ipv4" == "已启用" ]; then - host_ipv4="$cust_host_ipv4" - else - host_ipv4="$host_ipv4$cust_host_ipv4" - fi - #缺省配置 - [ -z "$host_ipv4" ] && host_ipv4='192.168.0.0/16 10.0.0.0/12 172.16.0.0/12' - host_ipv6="fe80::/10 fd00::/8 $host_ipv6" - #获取本机出口IP地址 - local_ipv4=$(ip route 2>&1 | grep -Ev 'utun|iot|docker|linkdown' | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u) - [ -z "$local_ipv4" ] && local_ipv4=$(ip route 2>&1 | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u) - #保留地址 - [ -z "$reserve_ipv4" ] && reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4" - [ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fe80::/10 ff00::/8" + i=1 + while [ "$i" -le "20" ]; do + host_ipv4=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep 'brd' | grep -Ev 'utun|iot|peer|docker|podman|virbr|vnet|ovs|vmbr|veth|vmnic|vboxnet|lxcbr|xenbr|vEthernet' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/br.*$//g' | sed 's/metric.*$//g') #ipv4局域网网段 + [ "$ipv6_redir" = "已开启" ] && host_ipv6=$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g') #ipv6公网地址段 + [ -f "$TMPDIR"/ShellCrash.log ] && break + [ -n "$host_ipv4" -a "$ipv6_redir" != "已开启" ] && break + [ -n "$host_ipv4" -a -n "$host_ipv6" ] && break + sleep 1 && i=$((i + 1)) + done + #添加自定义ipv4局域网网段 + if [ "$replace_default_host_ipv4" == "已启用" ]; then + host_ipv4="$cust_host_ipv4" + else + host_ipv4="$host_ipv4$cust_host_ipv4" + fi + #缺省配置 + [ -z "$host_ipv4" ] && host_ipv4='192.168.0.0/16 10.0.0.0/12 172.16.0.0/12' + host_ipv6="fe80::/10 fd00::/8 $host_ipv6" + #获取本机出口IP地址 + local_ipv4=$(ip route 2>&1 | grep -Ev 'utun|iot|docker|linkdown' | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u) + [ -z "$local_ipv4" ] && local_ipv4=$(ip route 2>&1 | grep -Eo 'src.*' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u) + #保留地址 + [ -z "$reserve_ipv4" ] && reserve_ipv4="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4" + [ -z "$reserve_ipv6" ] && reserve_ipv6="::/128 ::1/128 ::ffff:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fe80::/10 ff00::/8" +} +parse_singbox_dns() { #singbox的dns分割工具 + first_dns=$(echo "$1" | cut -d',' -f1 | cut -d' ' -f1) + type="" + server="" + port="" + case "$first_dns" in + *://*) + type="${first_dns%%://*}" + tmp="${first_dns#*://}" + ;; + *) + type="udp" + tmp="$first_dns" + ;; + esac + case "$tmp" in + \[*\]*) + server="${tmp%%]*}" + server="${server#[}" + port="${tmp#*\]}" + port="${port#:}" + ;; + *) + server="${tmp%%[:/]*}" + port="${tmp#*:}" + [ "$port" = "$tmp" ] && port="" + ;; + esac + if [ -z "$port" ]; then + case "$type" in + udp|tcp) port=53 ;; + doh|https) port=443 ;; + dot|tls) port=853 ;; + *) port=53 ;; + esac + fi + # 输出 + echo '"type": "'"$type"'", "server": "'"$server"'", "server_port": '"$port"',' +} +urlencode() { + local i c hex + LC_ALL=C + for i in $(printf '%s' "$1" | od -An -tx1); do + case "$i" in + 2d|2e|5f|7e|3[0-9]|4[1-9A-Fa-f]|5[A-Fa-f]|6[1-9A-Fa-f]|7[0-9A-Ea-e]) + printf "\\$(printf '%03o' "0x$i")" + ;; + *) + printf '%%%02X' "0x$i" + ;; + esac + done } #配置文件相关 check_clash_config() { #检查clash配置文件 - #检测节点或providers - sed -n "/^proxies:/,/^[a-z]/ { /^[a-z]/d; p; }" "$core_config_new" >"$TMPDIR"/proxies.yaml - if ! grep -Eq 'server:|server":|server'\'':' "$TMPDIR"/proxies.yaml && ! grep -q 'proxy-providers:' "$core_config_new"; then + #检测节点或providers + sed -n "/^proxies:/,/^[a-z]/ { /^[a-z]/d; p; }" "$core_config_new" >"$TMPDIR"/proxies.yaml + if ! grep -Eq 'server:|server":|server'\'':' "$TMPDIR"/proxies.yaml && ! grep -q 'proxy-providers:' "$core_config_new"; then echo "-----------------------------------------------" - logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31 - cat "$TMPDIR"/proxies.yaml - sleep 1 + logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31 + cat "$TMPDIR"/proxies.yaml + sleep 1 echo "-----------------------------------------------" - echo "请尝试使用6-2或者6-3的方式生成配置文件!" - exit 1 - fi - rm -rf "$TMPDIR"/proxies.yaml - #检测旧格式 - if cat "$core_config_new" | grep 'Proxy Group:' >/dev/null; then + echo "请尝试使用6-2或者6-3的方式生成配置文件!" + exit 1 + fi + rm -rf "$TMPDIR"/proxies.yaml + #检测旧格式 + if cat "$core_config_new" | grep 'Proxy Group:' >/dev/null; then echo "-----------------------------------------------" - logger "已经停止对旧格式配置文件的支持!!!" 31 - echo -e "请使用新格式或者使用【在线生成配置文件】功能!" + logger "已经停止对旧格式配置文件的支持!!!" 31 + echo -e "请使用新格式或者使用【在线生成配置文件】功能!" echo "-----------------------------------------------" - exit 1 - fi - #检测不支持的加密协议 - if cat "$core_config_new" | grep 'cipher: chacha20,' >/dev/null; then + exit 1 + fi + #检测不支持的加密协议 + if cat "$core_config_new" | grep 'cipher: chacha20,' >/dev/null; then echo "-----------------------------------------------" - logger "已停止支持chacha20加密,请更换更安全的节点加密协议!" 31 + logger "已停止支持chacha20加密,请更换更安全的节点加密协议!" 31 echo "-----------------------------------------------" - exit 1 - fi - #检测并去除无效策略组 - [ -n "$url_type" ] && ckcmd xargs && { - cat "$core_config_new" | sed '/^rules:/,$d' | grep -A 15 "\- name:" | xargs | sed 's/- name: /\n/g' | sed 's/ type: .*proxies: /#/g' | sed 's/- //g' | grep -E '#DIRECT $|#DIRECT$' | grep -Ev '全球直连|direct|Direct' | awk -F '#' '{print $1}' >"$TMPDIR"/clash_proxies_$USER - while read line; do - sed -i "/- $line/d" "$core_config_new" - sed -i "/- name: $line/,/- DIRECT/d" "$core_config_new" - done <"$TMPDIR"/clash_proxies_$USER - rm -rf "$TMPDIR"/clash_proxies_$USER - } + exit 1 + fi + #检测并去除无效策略组 + [ -n "$url_type" ] && ckcmd xargs && { + cat "$core_config_new" | sed '/^rules:/,$d' | grep -A 15 "\- name:" | xargs | sed 's/- name: /\n/g' | sed 's/ type: .*proxies: /#/g' | sed 's/- //g' | grep -E '#DIRECT $|#DIRECT$' | grep -Ev '全球直连|direct|Direct' | awk -F '#' '{print $1}' >"$TMPDIR"/clash_proxies_$USER + while read line; do + sed -i "/- $line/d" "$core_config_new" + sed -i "/- name: $line/,/- DIRECT/d" "$core_config_new" + done <"$TMPDIR"/clash_proxies_$USER + rm -rf "$TMPDIR"/clash_proxies_$USER + } } check_singbox_config() { #检查singbox配置文件 - #检测节点或providers - if ! grep -qE '"(socks|http|shadowsocks(r)?|vmess|trojan|wireguard|hysteria(2)?|vless|shadowtls|tuic|ssh|tor|providers|anytls|soduku)"' "$core_config_new"; then + #检测节点或providers + if ! grep -qE '"(socks|http|shadowsocks(r)?|vmess|trojan|wireguard|hysteria(2)?|vless|shadowtls|tuic|ssh|tor|providers|anytls|soduku)"' "$core_config_new"; then echo "-----------------------------------------------" - logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31 - echo "请尝试使用6-2或者6-3的方式生成配置文件!" - exit 1 - fi - #删除不兼容的旧版内容 - [ "$(wc -l < "$core_config_new")" -lt 3 ] && { - sed -i 's/^.*"inbounds":/{"inbounds":/' "$core_config_new" - sed -i 's/{[^{}]*"dns-out"[^{}]*}//g' "$core_config_new" - } + logger "获取到了配置文件【$core_config_new】,但似乎并不包含正确的节点信息!" 31 + echo "请尝试使用6-2或者6-3的方式生成配置文件!" + exit 1 + fi + #删除不兼容的旧版内容 + [ "$(wc -l <"$core_config_new")" -lt 3 ] && { + sed -i 's/^.*"inbounds":/{"inbounds":/' "$core_config_new" + sed -i 's/{[^{}]*"dns-out"[^{}]*}//g' "$core_config_new" + } #检查不支持的旧版内容 - grep -q '"sni"' "$core_config_new" && { - logger "获取到了不支持的旧版(<1.12)配置文件【$core_config_new】!" 31 - echo "请尝试使用支持1.12以上版本内核的方式生成配置文件!" - exit 1 - } - #检测并去除无效策略组 - [ -n "$url_type" ] && { - #获得无效策略组名称 - grep -oE '\{"type":"urltest","tag":"[^"]*","outbounds":\["DIRECT"\]' "$core_config_new" | sed -n 's/.*"tag":"\([^"]*\)".*/\1/p' >"$TMPDIR"/singbox_tags - #删除策略组 - sed -i 's/{"type":"urltest","tag":"[^"]*","outbounds":\["DIRECT"\]}//g; s/{"type":"[^"]*","tag":"[^"]*","outbounds":\["DIRECT"\],"url":"[^"]*","interval":"[^"]*","tolerance":[^}]*}//g' "$core_config_new" - #删除全部包含策略组名称的规则 - while read line; do - sed -i "s/\"$line\"//g" "$core_config_new" - done <"$TMPDIR"/singbox_tags - rm -rf "$TMPDIR"/singbox_tags - } - #清理多余逗号 - sed -i 's/,\+/,/g; s/\[,/\[/g; s/,]/]/g' "$core_config_new" + grep -q '"sni"' "$core_config_new" && { + logger "获取到了不支持的旧版(<1.12)配置文件【$core_config_new】!" 31 + echo "请尝试使用支持1.12以上版本内核的方式生成配置文件!" + exit 1 + } + #检测并去除无效策略组 + [ -n "$url_type" ] && { + #获得无效策略组名称 + grep -oE '\{"type":"urltest","tag":"[^"]*","outbounds":\["DIRECT"\]' "$core_config_new" | sed -n 's/.*"tag":"\([^"]*\)".*/\1/p' >"$TMPDIR"/singbox_tags + #删除策略组 + sed -i 's/{"type":"urltest","tag":"[^"]*","outbounds":\["DIRECT"\]}//g; s/{"type":"[^"]*","tag":"[^"]*","outbounds":\["DIRECT"\],"url":"[^"]*","interval":"[^"]*","tolerance":[^}]*}//g' "$core_config_new" + #删除全部包含策略组名称的规则 + while read line; do + sed -i "s/\"$line\"//g" "$core_config_new" + done <"$TMPDIR"/singbox_tags + rm -rf "$TMPDIR"/singbox_tags + } + #清理多余逗号 + sed -i 's/,\+/,/g; s/\[,/\[/g; s/,]/]/g' "$core_config_new" } -update_servers(){ #更新servers.list - get_bin "$TMPDIR"/servers.list public/servers.list - [ "$?" = 0 ] && mv -f "$TMPDIR"/servers.list "$CRASHDIR"/configs/servers.list +update_servers() { #更新servers.list + get_bin "$TMPDIR"/servers.list public/servers.list + [ "$?" = 0 ] && mv -f "$TMPDIR"/servers.list "$CRASHDIR"/configs/servers.list } get_core_config() { #下载内核配置文件 - [ -z "$rule_link" ] && rule_link=1 - [ -z "$server_link" ] || [ $server_link -gt $(grep -aE '^4' "$CRASHDIR"/configs/servers.list | wc -l) ] && server_link=1 - Server=$(grep -aE '^3|^4' "$CRASHDIR"/configs/servers.list | sed -n ""$server_link"p" | awk '{print $3}') - Server_ua=$(grep -aE '^4' "$CRASHDIR"/configs/servers.list | sed -n ""$server_link"p" | awk '{print $4}') - Config=$(grep -aE '^5' "$CRASHDIR"/configs/servers.list | sed -n ""$rule_link"p" | awk '{print $3}') - #如果传来的是Url链接则合成Https链接,否则直接使用Https链接 - if [ -z "$Https" ]; then - #Urlencord转码处理保留字符 - Url=$(echo $Url | sed 's/;/\%3B/g; s|/|\%2F|g; s/?/\%3F/g; s/:/\%3A/g; s/@/\%40/g; s/=/\%3D/g; s/&/\%26/g') - Https="${Server}/sub?target=${target}&${Server_ua}=${user_agent}&insert=true&new_name=true&scv=true&udp=true&exclude=${exclude}&include=${include}&url=${Url}&config=${Config}" - url_type=true - fi - #输出 + [ -z "$rule_link" ] && rule_link=1 + [ -z "$server_link" ] || [ $server_link -gt $(grep -aE '^4' "$CRASHDIR"/configs/servers.list | wc -l) ] && server_link=1 + Server=$(grep -aE '^3|^4' "$CRASHDIR"/configs/servers.list | sed -n ""$server_link"p" | awk '{print $3}') + Server_ua=$(grep -aE '^4' "$CRASHDIR"/configs/servers.list | sed -n ""$server_link"p" | awk '{print $4}') + Config=$(grep -aE '^5' "$CRASHDIR"/configs/servers.list | sed -n ""$rule_link"p" | awk '{print $3}') + #如果传来的是Url链接则合成Https链接,否则直接使用Https链接 + if [ -z "$Https" ]; then + #Urlencord转码处理保留字符 + urlencodeUrl="exclude=$(urlencode "$exclude")&include=$(urlencode "$include")&url=$(urlencode "$Url")&config=$(urlencode "$Config")" + Https="${Server}/sub?target=${target}&${Server_ua}=${user_agent}&insert=true&new_name=true&scv=true&udp=true&${urlencodeUrl}" + url_type=true + fi + #输出 echo "-----------------------------------------------" - logger 正在连接服务器获取【${target}】配置文件………… - echo -e "链接地址为:\033[4;32m$Https\033[0m" - echo 可以手动复制该链接到浏览器打开并查看数据是否正常! - #获取在线config文件 - core_config_new="$TMPDIR"/${target}_config.${format} - rm -rf ${core_config_new} - $0 webget "$core_config_new" "$Https" echoon rediron skipceron "$user_agent" - if [ "$?" = "1" ]; then - if [ -z "$url_type" ]; then + logger 正在连接服务器获取【${target}】配置文件………… + echo -e "链接地址为:\033[4;32m$Https\033[0m" + echo 可以手动复制该链接到浏览器打开并查看数据是否正常! + #获取在线config文件 + core_config_new="$TMPDIR"/${target}_config.${format} + rm -rf ${core_config_new} + $0 webget "$core_config_new" "$Https" echoon rediron skipceron "$user_agent" + if [ "$?" = "1" ]; then + if [ -z "$url_type" ]; then echo "-----------------------------------------------" - logger "配置文件获取失败!" 31 - echo -e "\033[31m请尝试使用【在线生成配置文件】功能!\033[0m" + logger "配置文件获取失败!" 31 + echo -e "\033[31m请尝试使用【在线生成配置文件】功能!\033[0m" echo "-----------------------------------------------" - exit 1 - else - if [ "$retry" -ge 3 ]; then - logger "无法获取配置文件,请检查链接格式以及网络连接状态!" 31 - echo -e "\033[32m也可用浏览器下载以上链接后,使用WinSCP手动上传到/tmp目录后执行crash命令本地导入!\033[0m" - exit 1 - else - retry=$((retry + 1)) - logger "配置文件获取失败!" 31 - if [ "$retry" = 1 ];then - echo -e "\033[32m尝试更新服务器列表并使用其他服务器获取配置!\033[0m" - update_servers - else - echo -e "\033[32m尝试使用其他服务器获取配置!\033[0m" - fi - echo -e "正在重试\033[33m第$retry次/共3次!\033[0m" - if [ "$server_link" -ge 4 ]; then - server_link=0 - fi - server_link=$((server_link + 1)) - setconfig server_link $server_link - Https="" - get_core_config - fi - fi - else - Https="" - if echo "$crashcore" | grep -q 'singbox'; then - check_singbox_config - else - check_clash_config - fi - #如果不同则备份并替换文件 - if [ -s $core_config ]; then - compare $core_config_new $core_config - [ "$?" = 0 ] || mv -f $core_config $core_config.bak && mv -f $core_config_new $core_config - else - mv -f $core_config_new $core_config - fi - echo -e "\033[32m已成功获取配置文件!\033[0m" - fi - return 0 + exit 1 + else + if [ "$retry" -ge 3 ]; then + logger "无法获取配置文件,请检查链接格式以及网络连接状态!" 31 + echo -e "\033[32m也可用浏览器下载以上链接后,使用WinSCP手动上传到/tmp目录后执行crash命令本地导入!\033[0m" + exit 1 + else + retry=$((retry + 1)) + logger "配置文件获取失败!" 31 + if [ "$retry" = 1 ]; then + echo -e "\033[32m尝试更新服务器列表并使用其他服务器获取配置!\033[0m" + update_servers + else + echo -e "\033[32m尝试使用其他服务器获取配置!\033[0m" + fi + echo -e "正在重试\033[33m第$retry次/共3次!\033[0m" + if [ "$server_link" -ge 4 ]; then + server_link=0 + fi + server_link=$((server_link + 1)) + setconfig server_link $server_link + Https="" + get_core_config + fi + fi + else + Https="" + if echo "$crashcore" | grep -q 'singbox'; then + check_singbox_config + else + check_clash_config + fi + #如果不同则备份并替换文件 + if [ -s $core_config ]; then + compare $core_config_new $core_config + [ "$?" = 0 ] || mv -f $core_config $core_config.bak && mv -f $core_config_new $core_config + else + mv -f $core_config_new $core_config + fi + echo -e "\033[32m已成功获取配置文件!\033[0m" + fi + return 0 } modify_yaml() { #修饰clash配置文件 - ##########需要变更的配置########### - [ -z "$skip_cert" ] && skip_cert=已开启 - [ "$ipv6_dns" = "已开启" ] && dns_v6='true' || dns_v6='false' - external="external-controller: 0.0.0.0:$db_port" - if [ "$redir_mod" = "混合模式" -o "$redir_mod" = "Tun模式" ]; then - [ "$crashcore" = 'meta' ] && tun_meta=', device: utun, auto-route: false, auto-detect-interface: false' - tun="tun: {enable: true, stack: system$tun_meta}" - else - tun='tun: {enable: false}' - fi - exper='experimental: {ignore-resolve-fail: true, interface-name: en0}' - #Meta内核专属配置 - [ "$crashcore" = 'meta' ] && { - [ "$redir_mod" != "纯净模式" ] && [ -z "$(grep 'PROCESS' "$CRASHDIR"/yamls/*.yaml)" ] && find_process='find-process-mode: "off"' - } - #dns配置 - [ -z "$(cat "$CRASHDIR"/yamls/user.yaml 2>/dev/null | grep '^dns:')" ] && { - [ "$crashcore" != meta ] && dns_resolver='223.5.5.5' - cat >"$TMPDIR"/dns.yaml </dev/null | grep '^dns:')" ] && { + [ "$crashcore" != meta ] && dns_resolver='223.5.5.5' + cat >"$TMPDIR"/dns.yaml </dev/null | grep -v '#' | sed "s/^/ - '/" | sed "s/$/'/" >>"$TMPDIR"/dns.yaml - else - echo " - '+.*'" >>"$TMPDIR"/dns.yaml #使用fake-ip模拟redir_host - fi - #mix模式fakeip绕过cn - [ "$dns_mod" = "mix" ] && echo ' - "rule-set:cn"' >>"$TMPDIR"/dns.yaml - #mix模式和route模式插入分流设置 - if [ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ];then - [ "$dns_protect" = "OFF" ] && dns_final="$dns_fallback" || dns_final="$dns_nameserver" - cat >>"$TMPDIR"/dns.yaml </dev/null | grep -v '#' | sed "s/^/ - '/" | sed "s/$/'/" >>"$TMPDIR"/dns.yaml + else + echo " - '+.*'" >>"$TMPDIR"/dns.yaml #使用fake-ip模拟redir_host + fi + #mix模式fakeip绕过cn + [ "$dns_mod" = "mix" ] && echo ' - "rule-set:cn"' >>"$TMPDIR"/dns.yaml + #mix模式和route模式插入分流设置 + if [ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ]; then + [ "$dns_protect" != "OFF" ] && dns_final="$dns_fallback" || dns_final="$dns_nameserver" + cat >>"$TMPDIR"/dns.yaml <>"$TMPDIR"/dns.yaml <>"$TMPDIR"/dns.yaml <"$TMPDIR"/set.yaml <"$TMPDIR"/set.yaml </dev/null)" ]; then - #NTP劫持 - cat >"$TMPDIR"/hosts.yaml </dev/null)" ]; then + #NTP劫持 + cat >"$TMPDIR"/hosts.yaml <>"$TMPDIR"/hosts.yaml - else - #加载本机hosts - sys_hosts=/etc/hosts - [ -f /data/etc/custom_hosts ] && sys_hosts=/data/etc/custom_hosts - while read line; do - [ -n "$(echo "$line" | grep -oE "([0-9]{1,3}[\.]){3}")" ] && - [ -z "$(echo "$line" | grep -oE '^#')" ] && - hosts_ip=$(echo $line | awk '{print $1}') && - hosts_domain=$(echo $line | awk '{print $2}') && - [ -z "$(cat "$TMPDIR"/hosts.yaml | grep -oE "$hosts_domain")" ] && - echo " '$hosts_domain': $hosts_ip" >>"$TMPDIR"/hosts.yaml - done <$sys_hosts - fi - fi - #分割配置文件 - yaml_char='proxies proxy-groups proxy-providers rules rule-providers' - for char in $yaml_char; do - sed -n "/^$char:/,/^[a-z]/ { /^[a-z]/d; p; }" $core_config >"$TMPDIR"/${char}.yaml - done - #跳过本地tls证书验证 - [ "$skip_cert" = "已开启" ] && sed -i 's/skip-cert-verify: false/skip-cert-verify: true/' "$TMPDIR"/proxies.yaml || - sed -i 's/skip-cert-verify: true/skip-cert-verify: false/' "$TMPDIR"/proxies.yaml - #插入自定义策略组 - sed -i "/#自定义策略组开始/,/#自定义策略组结束/d" "$TMPDIR"/proxy-groups.yaml - sed -i "/#自定义策略组/d" "$TMPDIR"/proxy-groups.yaml - [ -n "$(grep -Ev '^#' "$CRASHDIR"/yamls/proxy-groups.yaml 2>/dev/null)" ] && { - #获取空格数 - space_name=$(grep -aE '^ *- name: ' "$TMPDIR"/proxy-groups.yaml | head -n 1 | grep -oE '^ *') - space_proxy=$(grep -A 1 'proxies:$' "$TMPDIR"/proxy-groups.yaml | grep -aE '^ *- ' | head -n 1 | grep -oE '^ *') - #合并自定义策略组到proxy-groups.yaml - cat "$CRASHDIR"/yamls/proxy-groups.yaml | sed "/^#/d" | sed "s/#.*//g" | sed '1i\ #自定义策略组开始' | sed '$a\ #自定义策略组结束' | sed "s/^ */${space_name} /g" | sed "s/^ *- /${space_proxy}- /g" | sed "s/^ *- name: /${space_name}- name: /g" >"$TMPDIR"/proxy-groups_add.yaml - cat "$TMPDIR"/proxy-groups.yaml >>"$TMPDIR"/proxy-groups_add.yaml - mv -f "$TMPDIR"/proxy-groups_add.yaml "$TMPDIR"/proxy-groups.yaml - oldIFS="$IFS" - grep "\- name: " "$CRASHDIR"/yamls/proxy-groups.yaml | sed "/^#/d" | while read line; do #将自定义策略组插入现有的proxy-group - new_group=$(echo $line | grep -Eo '^ *- name:.*#' | cut -d'#' -f1 | sed 's/.*name: //g') - proxy_groups=$(echo $line | grep -Eo '#.*' | sed "s/#//") - IFS="#" - for name in $proxy_groups; do - line_a=$(grep -n "\- name: $name" "$TMPDIR"/proxy-groups.yaml | head -n 1 | awk -F: '{print $1}') #获取group行号 - [ -n "$line_a" ] && { - line_b=$(grep -A 8 "\- name: $name" "$TMPDIR"/proxy-groups.yaml | grep -n "proxies:$" | head -n 1 | awk -F: '{print $1}') #获取proxies行号 - line_c=$((line_a + line_b - 1)) #计算需要插入的行号 - space=$(sed -n "$((line_c + 1))p" "$TMPDIR"/proxy-groups.yaml | grep -oE '^ *') #获取空格数 - [ "$line_c" -gt 2 ] && sed -i "${line_c}a\\${space}- ${new_group} #自定义策略组" "$TMPDIR"/proxy-groups.yaml - } - done - IFS="$oldIFS" - done - } - #插入自定义代理 - sed -i "/#自定义代理/d" "$TMPDIR"/proxies.yaml - sed -i "/#自定义代理/d" "$TMPDIR"/proxy-groups.yaml - [ -n "$(grep -Ev '^#' "$CRASHDIR"/yamls/proxies.yaml 2>/dev/null)" ] && { - space_proxy=$(cat "$TMPDIR"/proxies.yaml | grep -aE '^ *- ' | head -n 1 | grep -oE '^ *') #获取空格数 - cat "$CRASHDIR"/yamls/proxies.yaml | sed "s/^ *- /${space_proxy}- /g" | sed "/^#/d" | sed "/^ *$/d" | sed 's/#.*/ #自定义代理/g' >>"$TMPDIR"/proxies.yaml #插入节点 - oldIFS="$IFS" - cat "$CRASHDIR"/yamls/proxies.yaml | sed "/^#/d" | while read line; do #将节点插入proxy-group - proxy_name=$(echo $line | grep -Eo 'name: .+, ' | cut -d',' -f1 | sed 's/name: //g') - proxy_groups=$(echo $line | grep -Eo '#.*' | sed "s/#//") - IFS="#" - for name in $proxy_groups; do - line_a=$(grep -n "\- name: $name" "$TMPDIR"/proxy-groups.yaml | head -n 1 | awk -F: '{print $1}') #获取group行号 - [ -n "$line_a" ] && { - line_b=$(grep -A 8 "\- name: $name" "$TMPDIR"/proxy-groups.yaml | grep -n "proxies:$" | head -n 1 | awk -F: '{print $1}') #获取proxies行号 - line_c=$((line_a + line_b - 1)) #计算需要插入的行号 - space=$(sed -n "$((line_c + 1))p" "$TMPDIR"/proxy-groups.yaml | grep -oE '^ *') #获取空格数 - [ "$line_c" -gt 2 ] && sed -i "${line_c}a\\${space}- ${proxy_name} #自定义代理" "$TMPDIR"/proxy-groups.yaml - } - done - IFS="$oldIFS" - done - } - #节点绕过功能支持 - sed -i "/#节点绕过/d" "$TMPDIR"/rules.yaml - [ "$proxies_bypass" = "已启用" ] && { - cat "$TMPDIR"/proxies.yaml | sed '/^proxy-/,$d' | sed '/^rule-/,$d' | grep -v '^\s*#' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '!a[$0]++' | sed 's/^/\ -\ IP-CIDR,/g' | sed 's|$|/32,DIRECT,no-resolve #节点绕过|g' >>"$TMPDIR"/proxies_bypass - cat "$TMPDIR"/proxies.yaml | sed '/^proxy-/,$d' | sed '/^rule-/,$d' | grep -v '^\s*#' | grep -vE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\.[a-zA-Z0-9][-a-zA-Z0-9]{0,62})+\.?' | awk '!a[$0]++' | sed 's/^/\ -\ DOMAIN,/g' | sed 's/$/,DIRECT #节点绕过/g' >>"$TMPDIR"/proxies_bypass - cat "$TMPDIR"/rules.yaml >>"$TMPDIR"/proxies_bypass - mv -f "$TMPDIR"/proxies_bypass "$TMPDIR"/rules.yaml - } - #插入自定义规则 - sed -i "/#自定义规则/d" "$TMPDIR"/rules.yaml - [ -s "$CRASHDIR"/yamls/rules.yaml ] && { - cat "$CRASHDIR"/yamls/rules.yaml | sed "/^#/d" | sed '$a\' | sed 's/$/ #自定义规则/g' >"$TMPDIR"/rules.add - cat "$TMPDIR"/rules.yaml >>"$TMPDIR"/rules.add - mv -f "$TMPDIR"/rules.add "$TMPDIR"/rules.yaml - } - #mix模式生成rule-providers - [ "$dns_mod" = "mix" ] && ! grep -q 'cn:' "$TMPDIR"/rule-providers.yaml && ! grep -q '^rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && { - space=$(sed -n "1p" "$TMPDIR"/rule-providers.yaml | grep -oE '^ *') #获取空格数 - [ -z "$space" ] && space=' ' - echo "${space}cn: {type: http, behavior: domain, format: mrs, path: ./ruleset/cn.mrs, url: https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@update/bin/geodata/mrs_geosite_cn.mrs}" >> "$TMPDIR"/rule-providers.yaml -} - #对齐rules中的空格 - sed -i 's/^ *-/ -/g' "$TMPDIR"/rules.yaml - #合并文件 - [ -s "$CRASHDIR"/yamls/user.yaml ] && { - yaml_user="$CRASHDIR"/yamls/user.yaml - #set和user去重,且优先使用user.yaml - cp -f "$TMPDIR"/set.yaml "$TMPDIR"/set_bak.yaml - for char in mode allow-lan log-level tun experimental external-ui-url interface-name dns store-selected; do - [ -n "$(grep -E "^$char" $yaml_user)" ] && sed -i "/^$char/d" "$TMPDIR"/set.yaml - done - } - [ -s "$TMPDIR"/dns.yaml ] && yaml_dns="$TMPDIR"/dns.yaml - [ -s "$TMPDIR"/hosts.yaml ] && yaml_hosts="$TMPDIR"/hosts.yaml - [ -s "$CRASHDIR"/yamls/others.yaml ] && yaml_others="$CRASHDIR"/yamls/others.yaml - yaml_add= - for char in $yaml_char; do #将额外配置文件合并 - [ -s "$TMPDIR"/${char}.yaml ] && { - sed -i "1i\\${char}:" "$TMPDIR"/${char}.yaml - yaml_add="$yaml_add "$TMPDIR"/${char}.yaml" - } - done - #合并完整配置文件 - cut -c 1- "$TMPDIR"/set.yaml $yaml_dns $yaml_hosts $yaml_user $yaml_others $yaml_add >"$TMPDIR"/config.yaml - #测试自定义配置文件 - "$TMPDIR"/CrashCore -t -d "$BINDIR" -f "$TMPDIR"/config.yaml >/dev/null - if [ "$?" != 0 ]; then - logger "$("$TMPDIR"/CrashCore -t -d "$BINDIR" -f "$TMPDIR"/config.yaml | grep -Eo 'error.*=.*')" 31 - logger "自定义配置文件校验失败!将使用基础配置文件启动!" 33 - logger "错误详情请参考 "$TMPDIR"/error.yaml 文件!" 33 - mv -f "$TMPDIR"/config.yaml "$TMPDIR"/error.yaml >/dev/null 2>&1 - sed -i "/#自定义策略组开始/,/#自定义策略组结束/d" "$TMPDIR"/proxy-groups.yaml - mv -f "$TMPDIR"/set_bak.yaml "$TMPDIR"/set.yaml >/dev/null 2>&1 - #合并基础配置文件 - cut -c 1- "$TMPDIR"/set.yaml $yaml_dns $yaml_add >"$TMPDIR"/config.yaml - sed -i "/#自定义/d" "$TMPDIR"/config.yaml - fi - #建立软连接 - [ ""$TMPDIR"" = ""$BINDIR"" ] || ln -sf "$TMPDIR"/config.yaml "$BINDIR"/config.yaml 2>/dev/null || cp -f "$TMPDIR"/config.yaml "$BINDIR"/config.yaml - #清理缓存 - for char in $yaml_char set set_bak dns hosts; do - rm -f "$TMPDIR"/${char}.yaml - done + if [ "$crashcore" = "meta" ]; then + echo " 'services.googleapis.cn': services.googleapis.com" >>"$TMPDIR"/hosts.yaml + else + #加载本机hosts + sys_hosts=/etc/hosts + [ -f /data/etc/custom_hosts ] && sys_hosts=/data/etc/custom_hosts + while read line; do + [ -n "$(echo "$line" | grep -oE "([0-9]{1,3}[\.]){3}")" ] && + [ -z "$(echo "$line" | grep -oE '^#')" ] && + hosts_ip=$(echo $line | awk '{print $1}') && + hosts_domain=$(echo $line | awk '{print $2}') && + [ -z "$(cat "$TMPDIR"/hosts.yaml | grep -oE "$hosts_domain")" ] && + echo " '$hosts_domain': $hosts_ip" >>"$TMPDIR"/hosts.yaml + done <$sys_hosts + fi + fi + #分割配置文件 + yaml_char='proxies proxy-groups proxy-providers rules rule-providers' + for char in $yaml_char; do + sed -n "/^$char:/,/^[a-z]/ { /^[a-z]/d; p; }" $core_config >"$TMPDIR"/${char}.yaml + done + #跳过本地tls证书验证 + [ "$skip_cert" = "已开启" ] && sed -i 's/skip-cert-verify: false/skip-cert-verify: true/' "$TMPDIR"/proxies.yaml || + sed -i 's/skip-cert-verify: true/skip-cert-verify: false/' "$TMPDIR"/proxies.yaml + #插入自定义策略组 + sed -i "/#自定义策略组开始/,/#自定义策略组结束/d" "$TMPDIR"/proxy-groups.yaml + sed -i "/#自定义策略组/d" "$TMPDIR"/proxy-groups.yaml + [ -n "$(grep -Ev '^#' "$CRASHDIR"/yamls/proxy-groups.yaml 2>/dev/null)" ] && { + #获取空格数 + space_name=$(grep -aE '^ *- name: ' "$TMPDIR"/proxy-groups.yaml | head -n 1 | grep -oE '^ *') + space_proxy=$(grep -A 1 'proxies:$' "$TMPDIR"/proxy-groups.yaml | grep -aE '^ *- ' | head -n 1 | grep -oE '^ *') + #合并自定义策略组到proxy-groups.yaml + cat "$CRASHDIR"/yamls/proxy-groups.yaml | sed "/^#/d" | sed "s/#.*//g" | sed '1i\ #自定义策略组开始' | sed '$a\ #自定义策略组结束' | sed "s/^ */${space_name} /g" | sed "s/^ *- /${space_proxy}- /g" | sed "s/^ *- name: /${space_name}- name: /g" >"$TMPDIR"/proxy-groups_add.yaml + cat "$TMPDIR"/proxy-groups.yaml >>"$TMPDIR"/proxy-groups_add.yaml + mv -f "$TMPDIR"/proxy-groups_add.yaml "$TMPDIR"/proxy-groups.yaml + oldIFS="$IFS" + grep "\- name: " "$CRASHDIR"/yamls/proxy-groups.yaml | sed "/^#/d" | while read line; do #将自定义策略组插入现有的proxy-group + new_group=$(echo $line | grep -Eo '^ *- name:.*#' | cut -d'#' -f1 | sed 's/.*name: //g') + proxy_groups=$(echo $line | grep -Eo '#.*' | sed "s/#//") + IFS="#" + for name in $proxy_groups; do + line_a=$(grep -n "\- name: $name" "$TMPDIR"/proxy-groups.yaml | head -n 1 | awk -F: '{print $1}') #获取group行号 + [ -n "$line_a" ] && { + line_b=$(grep -A 8 "\- name: $name" "$TMPDIR"/proxy-groups.yaml | grep -n "proxies:$" | head -n 1 | awk -F: '{print $1}') #获取proxies行号 + line_c=$((line_a + line_b - 1)) #计算需要插入的行号 + space=$(sed -n "$((line_c + 1))p" "$TMPDIR"/proxy-groups.yaml | grep -oE '^ *') #获取空格数 + [ "$line_c" -gt 2 ] && sed -i "${line_c}a\\${space}- ${new_group} #自定义策略组" "$TMPDIR"/proxy-groups.yaml + } + done + IFS="$oldIFS" + done + } + #插入自定义代理 + sed -i "/#自定义代理/d" "$TMPDIR"/proxies.yaml + sed -i "/#自定义代理/d" "$TMPDIR"/proxy-groups.yaml + [ -n "$(grep -Ev '^#' "$CRASHDIR"/yamls/proxies.yaml 2>/dev/null)" ] && { + space_proxy=$(cat "$TMPDIR"/proxies.yaml | grep -aE '^ *- ' | head -n 1 | grep -oE '^ *') #获取空格数 + cat "$CRASHDIR"/yamls/proxies.yaml | sed "s/^ *- /${space_proxy}- /g" | sed "/^#/d" | sed "/^ *$/d" | sed 's/#.*/ #自定义代理/g' >>"$TMPDIR"/proxies.yaml #插入节点 + oldIFS="$IFS" + cat "$CRASHDIR"/yamls/proxies.yaml | sed "/^#/d" | while read line; do #将节点插入proxy-group + proxy_name=$(echo $line | grep -Eo 'name: .+, ' | cut -d',' -f1 | sed 's/name: //g') + proxy_groups=$(echo $line | grep -Eo '#.*' | sed "s/#//") + IFS="#" + for name in $proxy_groups; do + line_a=$(grep -n "\- name: $name" "$TMPDIR"/proxy-groups.yaml | head -n 1 | awk -F: '{print $1}') #获取group行号 + [ -n "$line_a" ] && { + line_b=$(grep -A 8 "\- name: $name" "$TMPDIR"/proxy-groups.yaml | grep -n "proxies:$" | head -n 1 | awk -F: '{print $1}') #获取proxies行号 + line_c=$((line_a + line_b - 1)) #计算需要插入的行号 + space=$(sed -n "$((line_c + 1))p" "$TMPDIR"/proxy-groups.yaml | grep -oE '^ *') #获取空格数 + [ "$line_c" -gt 2 ] && sed -i "${line_c}a\\${space}- ${proxy_name} #自定义代理" "$TMPDIR"/proxy-groups.yaml + } + done + IFS="$oldIFS" + done + } + #节点绕过功能支持 + sed -i "/#节点绕过/d" "$TMPDIR"/rules.yaml + [ "$proxies_bypass" = "已启用" ] && { + cat "$TMPDIR"/proxies.yaml | sed '/^proxy-/,$d' | sed '/^rule-/,$d' | grep -v '^\s*#' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '!a[$0]++' | sed 's/^/\ -\ IP-CIDR,/g' | sed 's|$|/32,DIRECT,no-resolve #节点绕过|g' >>"$TMPDIR"/proxies_bypass + cat "$TMPDIR"/proxies.yaml | sed '/^proxy-/,$d' | sed '/^rule-/,$d' | grep -v '^\s*#' | grep -vE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\.[a-zA-Z0-9][-a-zA-Z0-9]{0,62})+\.?' | awk '!a[$0]++' | sed 's/^/\ -\ DOMAIN,/g' | sed 's/$/,DIRECT #节点绕过/g' >>"$TMPDIR"/proxies_bypass + cat "$TMPDIR"/rules.yaml >>"$TMPDIR"/proxies_bypass + mv -f "$TMPDIR"/proxies_bypass "$TMPDIR"/rules.yaml + } + #插入自定义规则 + sed -i "/#自定义规则/d" "$TMPDIR"/rules.yaml + [ -s "$CRASHDIR"/yamls/rules.yaml ] && { + cat "$CRASHDIR"/yamls/rules.yaml | sed "/^#/d" | sed '$a\' | sed 's/$/ #自定义规则/g' >"$TMPDIR"/rules.add + cat "$TMPDIR"/rules.yaml >>"$TMPDIR"/rules.add + mv -f "$TMPDIR"/rules.add "$TMPDIR"/rules.yaml + } + #mix模式生成rule-providers + [ "$dns_mod" = "mix" ] && ! grep -q 'cn:' "$TMPDIR"/rule-providers.yaml && ! grep -q '^rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && { + space=$(sed -n "1p" "$TMPDIR"/rule-providers.yaml | grep -oE '^ *') #获取空格数 + [ -z "$space" ] && space=' ' + echo "${space}cn: {type: http, behavior: domain, format: mrs, path: ./ruleset/cn.mrs, url: https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@update/bin/geodata/mrs_geosite_cn.mrs}" >>"$TMPDIR"/rule-providers.yaml + } + #对齐rules中的空格 + sed -i 's/^ *-/ -/g' "$TMPDIR"/rules.yaml + #合并文件 + [ -s "$CRASHDIR"/yamls/user.yaml ] && { + yaml_user="$CRASHDIR"/yamls/user.yaml + #set和user去重,且优先使用user.yaml + cp -f "$TMPDIR"/set.yaml "$TMPDIR"/set_bak.yaml + for char in mode allow-lan log-level tun experimental external-ui-url interface-name dns store-selected; do + [ -n "$(grep -E "^$char" $yaml_user)" ] && sed -i "/^$char/d" "$TMPDIR"/set.yaml + done + } + [ -s "$TMPDIR"/dns.yaml ] && yaml_dns="$TMPDIR"/dns.yaml + [ -s "$TMPDIR"/hosts.yaml ] && yaml_hosts="$TMPDIR"/hosts.yaml + [ -s "$CRASHDIR"/yamls/others.yaml ] && yaml_others="$CRASHDIR"/yamls/others.yaml + yaml_add= + for char in $yaml_char; do #将额外配置文件合并 + [ -s "$TMPDIR"/${char}.yaml ] && { + sed -i "1i\\${char}:" "$TMPDIR"/${char}.yaml + yaml_add="$yaml_add "$TMPDIR"/${char}.yaml" + } + done + #合并完整配置文件 + cut -c 1- "$TMPDIR"/set.yaml $yaml_dns $yaml_hosts $yaml_user $yaml_others $yaml_add >"$TMPDIR"/config.yaml + #测试自定义配置文件 + "$TMPDIR"/CrashCore -t -d "$BINDIR" -f "$TMPDIR"/config.yaml >/dev/null + if [ "$?" != 0 ]; then + logger "$("$TMPDIR"/CrashCore -t -d "$BINDIR" -f "$TMPDIR"/config.yaml | grep -Eo 'error.*=.*')" 31 + logger "自定义配置文件校验失败!将使用基础配置文件启动!" 33 + logger "错误详情请参考 "$TMPDIR"/error.yaml 文件!" 33 + mv -f "$TMPDIR"/config.yaml "$TMPDIR"/error.yaml >/dev/null 2>&1 + sed -i "/#自定义策略组开始/,/#自定义策略组结束/d" "$TMPDIR"/proxy-groups.yaml + mv -f "$TMPDIR"/set_bak.yaml "$TMPDIR"/set.yaml >/dev/null 2>&1 + #合并基础配置文件 + cut -c 1- "$TMPDIR"/set.yaml $yaml_dns $yaml_add >"$TMPDIR"/config.yaml + sed -i "/#自定义/d" "$TMPDIR"/config.yaml + fi + #建立软连接 + [ ""$TMPDIR"" = ""$BINDIR"" ] || ln -sf "$TMPDIR"/config.yaml "$BINDIR"/config.yaml 2>/dev/null || cp -f "$TMPDIR"/config.yaml "$BINDIR"/config.yaml + #清理缓存 + for char in $yaml_char set set_bak dns hosts; do + rm -f "$TMPDIR"/${char}.yaml + done } modify_json() { #修饰singbox1.13配置文件 - #提取配置文件以获得outbounds.json,providers.json及route.json - "$TMPDIR"/CrashCore format -c $core_config >"$TMPDIR"/format.json - echo '{' >"$TMPDIR"/jsons/outbounds.json - echo '{' >"$TMPDIR"/jsons/route.json - cat "$TMPDIR"/format.json | sed -n '/"outbounds":/,/^ "[a-z]/p' | sed '$d' >>"$TMPDIR"/jsons/outbounds.json - [ "$crashcore" = "singboxr" ] && { - echo '{' >"$TMPDIR"/jsons/providers.json - cat "$TMPDIR"/format.json | sed -n '/^ "providers":/,/^ "[a-z]/p' | sed '$d' >>"$TMPDIR"/jsons/providers.json - } - cat "$TMPDIR"/format.json | sed -n '/"route":/,/^\( "[a-z]\|}\)/p' | sed '$d' >>"$TMPDIR"/jsons/route.json - #加载端点配置文件并生成 + #提取配置文件以获得outbounds.json,providers.json及route.json + "$TMPDIR"/CrashCore format -c $core_config >"$TMPDIR"/format.json + echo '{' >"$TMPDIR"/jsons/outbounds.json + echo '{' >"$TMPDIR"/jsons/route.json + cat "$TMPDIR"/format.json | sed -n '/"outbounds":/,/^ "[a-z]/p' | sed '$d' >>"$TMPDIR"/jsons/outbounds.json + [ "$crashcore" = "singboxr" ] && { + echo '{' >"$TMPDIR"/jsons/providers.json + cat "$TMPDIR"/format.json | sed -n '/^ "providers":/,/^ "[a-z]/p' | sed '$d' >>"$TMPDIR"/jsons/providers.json + } + cat "$TMPDIR"/format.json | sed -n '/"route":/,/^\( "[a-z]\|}\)/p' | sed '$d' >>"$TMPDIR"/jsons/route.json + #生成log.json [ "$ts_service" = ON ] || [ "$wg_service" = ON ] && { . "$CRASHDIR"/configs/gateway.cfg . "$CRASHDIR"/components/endpoints.sh } #生成log.json - cat >"$TMPDIR"/jsons/log.json <"$TMPDIR"/jsons/log.json <"$TMPDIR"/jsons/add_hosts.json <"$TMPDIR"/jsons/add_hosts.json </dev/null | grep -Ev '#|\*|\+|Mijia' | sed '/^\s*$/d' | awk '{printf "\"%s\", ",$1}' | sed 's/, $//') - fake_ip_filter_suffix=$(cat ${CRASHDIR}/configs/fake_ip_filter ${CRASHDIR}/configs/fake_ip_filter.list 2>/dev/null | grep -v '.\*' | grep -E '\*|\+' | sed 's/^[*+]\.//' | awk '{printf "\"%s\", ",$1}' | sed 's/, $//') - fake_ip_filter_regex=$(cat ${CRASHDIR}/configs/fake_ip_filter ${CRASHDIR}/configs/fake_ip_filter.list 2>/dev/null | grep '.\*' | sed 's/\./\\\\./g' | sed 's/\*/.\*/' | sed 's/^+/.\+/' | awk '{printf "\"%s\", ",$1}' | sed 's/, $//') - [ -n "$fake_ip_filter_domain" ] && fake_ip_filter_domain="{ \"domain\": [$fake_ip_filter_domain], \"server\": \"dns_direct\" }," - [ -n "$fake_ip_filter_suffix" ] && fake_ip_filter_suffix="{ \"domain_suffix\": [$fake_ip_filter_suffix], \"server\": \"dns_direct\" }," - [ -n "$fake_ip_filter_regex" ] && fake_ip_filter_regex="{ \"domain_regex\": [$fake_ip_filter_regex], \"server\": \"dns_direct\" }," - proxy_dns='{ "query_type": ["A", "AAAA"], "server": "dns_fakeip", "strategy": "'"$strategy"'", "rewrite_ttl": 1 }' - #mix模式插入fakeip过滤规则 - [ "$dns_mod" = "mix" ] && direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" },' - } - [ "$dns_mod" = "route" ] && { - global_dns=dns_proxy - direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" }' - } + fi + #生成dns.json + [ "$ipv6_dns" = "已开启" ] && strategy='prefer_ipv4' || strategy='ipv4_only' + #获取detour出口 + auto_detour=$(grep -E '"type": "urltest"' -A 1 "$TMPDIR"/jsons/outbounds.json | grep '"tag":' | head -n 1 | sed 's/^[[:space:]]*"tag": //;s/,$//') + [ -z "$auto_detour" ] && auto_detour=$(grep -E '"type": "selector"' -A 1 "$TMPDIR"/jsons/outbounds.json | grep '"tag":' | head -n 1 | sed 's/^[[:space:]]*"tag": //;s/,$//') + [ -z "$auto_detour" ] && auto_detour='"DIRECT"' + #根据dns模式生成 + [ "$dns_mod" = "redir_host" ] && { + global_dns=dns_proxy + direct_dns='{ "inbound": [ "dns-in" ], "server": "dns_direct" }' + } + [ "$dns_mod" = "fake-ip" ] || [ "$dns_mod" = "mix" ] && { + global_dns=dns_fakeip + fake_ip_filter_domain=$(cat ${CRASHDIR}/configs/fake_ip_filter ${CRASHDIR}/configs/fake_ip_filter.list 2>/dev/null | grep -Ev '#|\*|\+|Mijia' | sed '/^\s*$/d' | awk '{printf "\"%s\", ",$1}' | sed 's/, $//') + fake_ip_filter_suffix=$(cat ${CRASHDIR}/configs/fake_ip_filter ${CRASHDIR}/configs/fake_ip_filter.list 2>/dev/null | grep -v '.\*' | grep -E '\*|\+' | sed 's/^[*+]\.//' | awk '{printf "\"%s\", ",$1}' | sed 's/, $//') + fake_ip_filter_regex=$(cat ${CRASHDIR}/configs/fake_ip_filter ${CRASHDIR}/configs/fake_ip_filter.list 2>/dev/null | grep '.\*' | sed 's/\./\\\\./g' | sed 's/\*/.\*/' | sed 's/^+/.\+/' | awk '{printf "\"%s\", ",$1}' | sed 's/, $//') + [ -n "$fake_ip_filter_domain" ] && fake_ip_filter_domain="{ \"domain\": [$fake_ip_filter_domain], \"server\": \"dns_direct\" }," + [ -n "$fake_ip_filter_suffix" ] && fake_ip_filter_suffix="{ \"domain_suffix\": [$fake_ip_filter_suffix], \"server\": \"dns_direct\" }," + [ -n "$fake_ip_filter_regex" ] && fake_ip_filter_regex="{ \"domain_regex\": [$fake_ip_filter_regex], \"server\": \"dns_direct\" }," + proxy_dns='{ "query_type": ["A", "AAAA"], "server": "dns_fakeip", "strategy": "'"$strategy"'", "rewrite_ttl": 1 }' + #mix模式插入fakeip过滤规则 + [ "$dns_mod" = "mix" ] && direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" },' + } + [ "$dns_mod" = "route" ] && { + global_dns=dns_proxy + direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" }' + } #防泄露设置 - [ "$dns_protect" = "OFF" ] && sed -i 's/"server": "dns_proxy"/"server": "dns_direct"/g' "$TMPDIR"/jsons/route.json - #生成add_rule_set.json + [ "$dns_protect" = "OFF" ] && sed -i 's/"server": "dns_proxy"/"server": "dns_direct"/g' "$TMPDIR"/jsons/route.json + #生成add_rule_set.json [ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ] && [ -z "$(cat "$CRASHDIR"/jsons/*.json | grep -Ei '"tag" *: *"cn"')" ] && cat >"$TMPDIR"/jsons/add_rule_set.json <"$TMPDIR"/jsons/dns.json <"$TMPDIR"/jsons/dns.json <"$TMPDIR"/jsons/add_route.json <"$TMPDIR"/jsons/add_route.json <"$TMPDIR"/jsons/certificate.json <"$TMPDIR"/jsons/certificate.json <"$TMPDIR"/jsons/inbounds.json <"$TMPDIR"/jsons/inbounds.json <>"$TMPDIR"/jsons/tun.json <>"$TMPDIR"/jsons/tun.json <"$TMPDIR"/jsons/add_outbounds.json <"$TMPDIR"/jsons/add_outbounds.json <"$TMPDIR"/jsons/experimental.json <"$TMPDIR"/jsons/experimental.json </dev/null)" ] && { - cat "$CRASHDIR"/yamls/rules.yaml | - sed '/#.*/d' | - sed 's/,no-resolve//g' | - grep -oE '\-.*,.*,.*' | - sed 's/- DOMAIN-SUFFIX,/{ "domain_suffix": [ "/g' | - sed 's/- DOMAIN-KEYWORD,/{ "domain_keyword": [ "/g' | - sed 's/- IP-CIDR,/{ "ip_cidr": [ "/g' | - sed 's/- SRC-IP-CIDR,/{ "._ip_cidr": [ "/g' | - sed 's/- DST-PORT,/{ "port": [ "/g' | - sed 's/- SRC-PORT,/{ "._port": [ "/g' | - sed 's/- GEOIP,/{ "geoip": [ "/g' | - sed 's/- GEOSITE,/{ "geosite": [ "/g' | - sed 's/- IP-CIDR6,/{ "ip_cidr": [ "/g' | - sed 's/- DOMAIN,/{ "domain": [ "/g' | - sed 's/- PROCESS-NAME,/{ "process_name": [ "/g' | - sed 's/,/" ], "outbound": "/g' | - sed 's/$/" },/g' | - sed '1i\{ "route": { "rules": [ ' | - sed '$s/,$/ ] } }/' >"$TMPDIR"/jsons/cust_add_rules.json - [ ! -s "$TMPDIR"/jsons/cust_add_rules.json ] && rm -rf "$TMPDIR"/jsons/cust_add_rules.json - } - #清理route.json中的process_name规则以及"auto_detect_interface" - sed -i '/"process_name": \[/,/],$/d' "$TMPDIR"/jsons/route.json - sed -i '/"process_name": "[^"]*",/d' "$TMPDIR"/jsons/route.json - sed -i 's/"auto_detect_interface": true/"auto_detect_interface": false/g' "$TMPDIR"/jsons/route.json - #跳过本地tls证书验证 - if [ -z "$skip_cert" -o "$skip_cert" = "已开启" ]; then - sed -i 's/"insecure": false/"insecure": true/' "$TMPDIR"/jsons/outbounds.json "$TMPDIR"/jsons/providers.json 2>/dev/null - else - sed -i 's/"insecure": true/"insecure": false/' "$TMPDIR"/jsons/outbounds.json "$TMPDIR"/jsons/providers.json 2>/dev/null - fi - #判断可用并修饰outbounds&providers&route.json结尾 - for file in outbounds providers route; do - if [ -n "$(grep ${file} "$TMPDIR"/jsons/${file}.json 2>/dev/null)" ]; then - sed -i 's/^ },$/ }/; s/^ ],$/ ]/' "$TMPDIR"/jsons/${file}.json - echo '}' >>"$TMPDIR"/jsons/${file}.json - else - rm -rf "$TMPDIR"/jsons/${file}.json - fi - done - #加载自定义配置文件 - mkdir -p "$TMPDIR"/jsons_base - #以下为覆盖脚本的自定义文件 - for char in log dns ntp certificate experimental; do - [ -s "$CRASHDIR"/jsons/${char}.json ] && { - ln -sf "$CRASHDIR"/jsons/${char}.json "$TMPDIR"/jsons/cust_${char}.json - mv -f "$TMPDIR"/jsons/${char}.json "$TMPDIR"/jsons_base #如果重复则临时备份 - } - done - #以下为增量添加的自定义文件 - for char in others endpoints inbounds outbounds providers route services; do - [ -s "$CRASHDIR"/jsons/${char}.json ] && { - ln -sf "$CRASHDIR"/jsons/${char}.json "$TMPDIR"/jsons/cust_${char}.json - } - done - #测试自定义配置文件 - if ! error=$("$TMPDIR"/CrashCore check -D "$BINDIR" -C "$TMPDIR"/jsons 2>&1); then - echo $error - error_file=$(echo $error | grep -Eo 'cust.*\.json' | sed 's/cust_//g') - [ "$error_file" = 'add_rules.json' ] && error_file="$CRASHDIR"/yamls/rules.yaml自定义规则 || error_file="$CRASHDIR"/jsons/$error_file - logger "自定义配置文件校验失败,请检查【${error_file}】文件!" 31 - logger "尝试使用基础配置文件启动~" 33 - #清理自定义配置文件并还原基础配置 - rm -rf "$TMPDIR"/jsons/cust_* - mv -f "$TMPDIR"/jsons_base/* "$TMPDIR"/jsons 2>/dev/null - fi - #清理缓存 - rm -rf "$TMPDIR"/*.json - rm -rf "$TMPDIR"/jsons_base - return 0 + #生成自定义规则文件 + [ -n "$(grep -Ev ^# "$CRASHDIR"/yamls/rules.yaml 2>/dev/null)" ] && { + cat "$CRASHDIR"/yamls/rules.yaml | + sed '/#.*/d' | + sed 's/,no-resolve//g' | + grep -oE '\-.*,.*,.*' | + sed 's/- DOMAIN-SUFFIX,/{ "domain_suffix": [ "/g' | + sed 's/- DOMAIN-KEYWORD,/{ "domain_keyword": [ "/g' | + sed 's/- IP-CIDR,/{ "ip_cidr": [ "/g' | + sed 's/- SRC-IP-CIDR,/{ "._ip_cidr": [ "/g' | + sed 's/- DST-PORT,/{ "port": [ "/g' | + sed 's/- SRC-PORT,/{ "._port": [ "/g' | + sed 's/- GEOIP,/{ "geoip": [ "/g' | + sed 's/- GEOSITE,/{ "geosite": [ "/g' | + sed 's/- IP-CIDR6,/{ "ip_cidr": [ "/g' | + sed 's/- DOMAIN,/{ "domain": [ "/g' | + sed 's/- PROCESS-NAME,/{ "process_name": [ "/g' | + sed 's/,/" ], "outbound": "/g' | + sed 's/$/" },/g' | + sed '1i\{ "route": { "rules": [ ' | + sed '$s/,$/ ] } }/' >"$TMPDIR"/jsons/cust_add_rules.json + [ ! -s "$TMPDIR"/jsons/cust_add_rules.json ] && rm -rf "$TMPDIR"/jsons/cust_add_rules.json + } + #清理route.json中的process_name规则以及"auto_detect_interface" + sed -i '/"process_name": \[/,/],$/d' "$TMPDIR"/jsons/route.json + sed -i '/"process_name": "[^"]*",/d' "$TMPDIR"/jsons/route.json + sed -i 's/"auto_detect_interface": true/"auto_detect_interface": false/g' "$TMPDIR"/jsons/route.json + #跳过本地tls证书验证 + if [ -z "$skip_cert" -o "$skip_cert" = "已开启" ]; then + sed -i 's/"insecure": false/"insecure": true/' "$TMPDIR"/jsons/outbounds.json "$TMPDIR"/jsons/providers.json 2>/dev/null + else + sed -i 's/"insecure": true/"insecure": false/' "$TMPDIR"/jsons/outbounds.json "$TMPDIR"/jsons/providers.json 2>/dev/null + fi + #判断可用并修饰outbounds&providers&route.json结尾 + for file in outbounds providers route; do + if [ -n "$(grep ${file} "$TMPDIR"/jsons/${file}.json 2>/dev/null)" ]; then + sed -i 's/^ },$/ }/; s/^ ],$/ ]/' "$TMPDIR"/jsons/${file}.json + echo '}' >>"$TMPDIR"/jsons/${file}.json + else + rm -rf "$TMPDIR"/jsons/${file}.json + fi + done + #加载自定义配置文件 + mkdir -p "$TMPDIR"/jsons_base + #以下为覆盖脚本的自定义文件 + for char in log dns ntp certificate experimental; do + [ -s "$CRASHDIR"/jsons/${char}.json ] && { + ln -sf "$CRASHDIR"/jsons/${char}.json "$TMPDIR"/jsons/cust_${char}.json + mv -f "$TMPDIR"/jsons/${char}.json "$TMPDIR"/jsons_base #如果重复则临时备份 + } + done + #以下为增量添加的自定义文件 + for char in others endpoints inbounds outbounds providers route services; do + [ -s "$CRASHDIR"/jsons/${char}.json ] && { + ln -sf "$CRASHDIR"/jsons/${char}.json "$TMPDIR"/jsons/cust_${char}.json + } + done + #测试自定义配置文件 + if ! error=$("$TMPDIR"/CrashCore check -D "$BINDIR" -C "$TMPDIR"/jsons 2>&1); then + echo $error + error_file=$(echo $error | grep -Eo 'cust.*\.json' | sed 's/cust_//g') + [ "$error_file" = 'add_rules.json' ] && error_file="$CRASHDIR"/yamls/rules.yaml自定义规则 || error_file="$CRASHDIR"/jsons/$error_file + logger "自定义配置文件校验失败,请检查【${error_file}】文件!" 31 + logger "尝试使用基础配置文件启动~" 33 + #清理自定义配置文件并还原基础配置 + rm -rf "$TMPDIR"/jsons/cust_* + mv -f "$TMPDIR"/jsons_base/* "$TMPDIR"/jsons 2>/dev/null + fi + #清理缓存 + rm -rf "$TMPDIR"/*.json + rm -rf "$TMPDIR"/jsons_base + return 0 } #设置路由规则 cn_ip_route() { #CN-IP绕过 - ckgeo cn_ip.txt china_ip_list.txt - [ -f "$BINDIR"/cn_ip.txt ] && [ "$firewall_mod" = iptables ] && { - # see https://raw.githubusercontent.com/Hackl0us/GeoIP2-CN/release/CN-ip-cidr.txt - echo "create cn_ip hash:net family inet hashsize 10240 maxelem 10240" >"$TMPDIR"/cn_ip.ipset - awk '!/^$/&&!/^#/{printf("add cn_ip %s'" "'\n",$0)}' "$BINDIR"/cn_ip.txt >>"$TMPDIR"/cn_ip.ipset - ipset destroy cn_ip >/dev/null 2>&1 - ipset -! restore <"$TMPDIR"/cn_ip.ipset - rm -rf "$TMPDIR"/cn_ip.ipset - } + ckgeo cn_ip.txt china_ip_list.txt + [ -f "$BINDIR"/cn_ip.txt ] && [ "$firewall_mod" = iptables ] && { + # see https://raw.githubusercontent.com/Hackl0us/GeoIP2-CN/release/CN-ip-cidr.txt + echo "create cn_ip hash:net family inet hashsize 10240 maxelem 10240" >"$TMPDIR"/cn_ip.ipset + awk '!/^$/&&!/^#/{printf("add cn_ip %s'" "'\n",$0)}' "$BINDIR"/cn_ip.txt >>"$TMPDIR"/cn_ip.ipset + ipset destroy cn_ip >/dev/null 2>&1 + ipset -! restore <"$TMPDIR"/cn_ip.ipset + rm -rf "$TMPDIR"/cn_ip.ipset + } } cn_ipv6_route() { #CN-IPV6绕过 - ckgeo cn_ipv6.txt china_ipv6_list.txt - [ -f "$BINDIR"/cn_ipv6.txt ] && [ "$firewall_mod" = iptables ] && { - #ipv6 - #see https://ispip.clang.cn/all_cn_ipv6.txt - echo "create cn_ip6 hash:net family inet6 hashsize 5120 maxelem 5120" >"$TMPDIR"/cn_ipv6.ipset - awk '!/^$/&&!/^#/{printf("add cn_ip6 %s'" "'\n",$0)}' "$BINDIR"/cn_ipv6.txt >>"$TMPDIR"/cn_ipv6.ipset - ipset destroy cn_ip6 >/dev/null 2>&1 - ipset -! restore <"$TMPDIR"/cn_ipv6.ipset - rm -rf "$TMPDIR"/cn_ipv6.ipset - } + ckgeo cn_ipv6.txt china_ipv6_list.txt + [ -f "$BINDIR"/cn_ipv6.txt ] && [ "$firewall_mod" = iptables ] && { + #ipv6 + #see https://ispip.clang.cn/all_cn_ipv6.txt + echo "create cn_ip6 hash:net family inet6 hashsize 5120 maxelem 5120" >"$TMPDIR"/cn_ipv6.ipset + awk '!/^$/&&!/^#/{printf("add cn_ip6 %s'" "'\n",$0)}' "$BINDIR"/cn_ipv6.txt >>"$TMPDIR"/cn_ipv6.ipset + ipset destroy cn_ip6 >/dev/null 2>&1 + ipset -! restore <"$TMPDIR"/cn_ipv6.ipset + rm -rf "$TMPDIR"/cn_ipv6.ipset + } } start_ipt_route() { #iptables-route通用工具 - #$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all - #区分ipv4/ipv6 - [ "$1" = 'iptables' ] && { - RESERVED_IP=$reserve_ipv4 - HOST_IP=$host_ipv4 - [ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" - [ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4" - iptables -h | grep -q '\-w' && w='-w' || w='' - } - [ "$1" = 'ip6tables' ] && { - RESERVED_IP=$reserve_ipv6 - HOST_IP=$host_ipv6 - [ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6" - ip6tables -h | grep -q '\-w' && w='-w' || w='' - } - #创建新的shellcrash链表 - $1 $w -t $2 -N $4 - #过滤dns - $1 $w -t $2 -A $4 -p tcp --dport 53 -j RETURN - $1 $w -t $2 -A $4 -p udp --dport 53 -j RETURN - #防回环 - $1 $w -t $2 -A $4 -m mark --mark $routing_mark -j RETURN - [ "$3" = 'OUTPUT' ] && for gid in 453 7890; do - $1 $w -t $2 -A $4 -m owner --gid-owner $gid -j RETURN - done - [ "$firewall_area" = 5 ] && $1 $w -t $2 -A $4 -s $bypass_host -j RETURN - [ -z "$ports" ] && $1 $w -t $2 -A $4 -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN - #跳过目标保留地址及目标本机网段 - for ip in $HOST_IP $RESERVED_IP; do - $1 $w -t $2 -A $4 -d $ip -j RETURN - done - #绕过CN_IP - [ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null - [ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ipv6_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null - #局域网mac地址黑名单过滤 - [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && { - [ -s "$CRASHDIR"/configs/mac ] && - for mac in $(cat "$CRASHDIR"/configs/mac); do - $1 $w -t $2 -A $4 -m mac --mac-source $mac -j RETURN - done - [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && - for ip in $(cat "$CRASHDIR"/configs/ip_filter); do - $1 $w -t $2 -A $4 -s $ip -j RETURN - done - } - #tcp&udp分别进代理链 - proxy_set() { - if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then - [ -s "$CRASHDIR"/configs/mac ] && - for mac in $(cat "$CRASHDIR"/configs/mac); do - $1 $w -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP - done - [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && - for ip in $(cat "$CRASHDIR"/configs/ip_filter); do - $1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP - done - else - for ip in $HOST_IP; do #仅限指定网段流量 - $1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP - done - fi - #将所在链指定流量指向shellcrash表 - $1 $w -t $2 -I $3 -p $5 $ports -j $4 - [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 $w -t $2 -I $3 -p $5 -d 28.0.0.1/8 -j $4 - [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && $1 $w -t $2 -I $3 -p $5 -d fc00::/16 -j $4 - } - [ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp - [ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp + #$1:iptables/ip6tables $2:所在的表(nat/mangle) $3:所在的链(OUTPUT/PREROUTING) $4:新创建的shellcrash链表 $5:tcp/udp/all + #区分ipv4/ipv6 + [ "$1" = 'iptables' ] && { + RESERVED_IP=$reserve_ipv4 + HOST_IP=$host_ipv4 + [ "$3" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" + [ "$4" = 'shellcrash_vm' ] && HOST_IP="$vm_ipv4" + iptables -h | grep -q '\-w' && w='-w' || w='' + } + [ "$1" = 'ip6tables' ] && { + RESERVED_IP=$reserve_ipv6 + HOST_IP=$host_ipv6 + [ "$3" = 'OUTPUT' ] && HOST_IP="::1 $host_ipv6" + ip6tables -h | grep -q '\-w' && w='-w' || w='' + } + #创建新的shellcrash链表 + $1 $w -t $2 -N $4 + #过滤dns + $1 $w -t $2 -A $4 -p tcp --dport 53 -j RETURN + $1 $w -t $2 -A $4 -p udp --dport 53 -j RETURN + #防回环 + $1 $w -t $2 -A $4 -m mark --mark $routing_mark -j RETURN + [ "$3" = 'OUTPUT' ] && for gid in 453 7890; do + $1 $w -t $2 -A $4 -m owner --gid-owner $gid -j RETURN + done + [ "$firewall_area" = 5 ] && $1 $w -t $2 -A $4 -s $bypass_host -j RETURN + [ -z "$ports" ] && $1 $w -t $2 -A $4 -p tcp -m multiport --dports "$mix_port,$redir_port,$tproxy_port" -j RETURN + #跳过目标保留地址及目标本机网段 + for ip in $HOST_IP $RESERVED_IP; do + $1 $w -t $2 -A $4 -d $ip -j RETURN + done + #绕过CN_IP + [ "$1" = iptables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ip_route" = "已开启" ] && [ -f "$BINDIR"/cn_ip.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip dst -j RETURN 2>/dev/null + [ "$1" = ip6tables ] && [ "$dns_mod" != "fake-ip" ] && [ "$cn_ipv6_route" = "已开启" ] && [ -f "$BINDIR"/cn_ipv6.txt ] && $1 $w -t $2 -A $4 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null + #局域网mac地址黑名单过滤 + [ "$3" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + $1 $w -t $2 -A $4 -m mac --mac-source $mac -j RETURN + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + $1 $w -t $2 -A $4 -s $ip -j RETURN + done + } + #tcp&udp分别进代理链 + proxy_set() { + if [ "$3" = 'PREROUTING' ] && [ "$4" != 'shellcrash_vm' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + $1 $w -t $2 -A $4 -p $5 -m mac --mac-source $mac -j $JUMP + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + $1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP + done + else + for ip in $HOST_IP; do #仅限指定网段流量 + $1 $w -t $2 -A $4 -p $5 -s $ip -j $JUMP + done + fi + #将所在链指定流量指向shellcrash表 + $1 $w -t $2 -I $3 -p $5 $ports -j $4 + [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = iptables ] && $1 $w -t $2 -I $3 -p $5 -d 28.0.0.0/8 -j $4 + [ "$dns_mod" = "mix" -o "$dns_mod" = "fake-ip" ] && [ "$common_ports" = "已开启" ] && [ "$1" = ip6tables ] && $1 $w -t $2 -I $3 -p $5 -d fc00::/16 -j $4 + } + [ "$5" = "tcp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 tcp + [ "$5" = "udp" -o "$5" = "all" ] && proxy_set $1 $2 $3 $4 udp } start_ipt_dns() { #iptables-dns通用工具 - #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表 - #区分ipv4/ipv6 - [ "$1" = 'iptables' ] && { - HOST_IP="$host_ipv4" - [ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" - [ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4" - iptables -h | grep -q '\-w' && w='-w' || w='' - } - [ "$1" = 'ip6tables' ] && { - HOST_IP=$host_ipv6 - ip6tables -h | grep -q '\-w' && w='-w' || w='' - } - $1 $w -t nat -N $3 - #防回环 - $1 $w -t nat -A $3 -m mark --mark $routing_mark -j RETURN - [ "$2" = 'OUTPUT' ] && for gid in 453 7890; do - $1 $w -t nat -A $3 -m owner --gid-owner $gid -j RETURN - done - [ "$firewall_area" = 5 ] && { - $1 $w -t nat -A $3 -p tcp -s $bypass_host -j RETURN - $1 $w -t nat -A $3 -p udp -s $bypass_host -j RETURN - } - #局域网mac地址黑名单过滤 - [ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && { - [ -s "$CRASHDIR"/configs/mac ] && - for mac in $(cat "$CRASHDIR"/configs/mac); do - $1 $w -t nat -A $3 -m mac --mac-source $mac -j RETURN - done - [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && - for ip in $(cat "$CRASHDIR"/configs/ip_filter); do - $1 $w -t nat -A $3 -s $ip -j RETURN - done - } - if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then - [ -s "$CRASHDIR"/configs/mac ] && - for mac in $(cat "$CRASHDIR"/configs/mac); do - $1 $w -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port - $1 $w -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port - done - [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && - for ip in $(cat "$CRASHDIR"/configs/ip_filter); do - $1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port - $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port - done - else - for ip in $HOST_IP; do #仅限指定网段流量 - $1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port - $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port - done - fi - [ "$1" = 'ip6tables' ] && { #屏蔽外部请求 - $1 $w -t nat -A $3 -p tcp -j RETURN - $1 $w -t nat -A $3 -p udp -j RETURN - } - $1 $w -t nat -I $2 -p tcp --dport 53 -j $3 - $1 $w -t nat -I $2 -p udp --dport 53 -j $3 + #$1:iptables/ip6tables $2:所在的表(OUTPUT/PREROUTING) $3:新创建的shellcrash表 + #区分ipv4/ipv6 + [ "$1" = 'iptables' ] && { + HOST_IP="$host_ipv4" + [ "$2" = 'OUTPUT' ] && HOST_IP="127.0.0.0/8 $local_ipv4" + [ "$3" = 'shellcrash_vm_dns' ] && HOST_IP="$vm_ipv4" + iptables -h | grep -q '\-w' && w='-w' || w='' + } + [ "$1" = 'ip6tables' ] && { + HOST_IP=$host_ipv6 + ip6tables -h | grep -q '\-w' && w='-w' || w='' + } + $1 $w -t nat -N $3 + #防回环 + $1 $w -t nat -A $3 -m mark --mark $routing_mark -j RETURN + [ "$2" = 'OUTPUT' ] && for gid in 453 7890; do + $1 $w -t nat -A $3 -m owner --gid-owner $gid -j RETURN + done + [ "$firewall_area" = 5 ] && { + $1 $w -t nat -A $3 -p tcp -s $bypass_host -j RETURN + $1 $w -t nat -A $3 -p udp -s $bypass_host -j RETURN + } + #局域网mac地址黑名单过滤 + [ "$2" = 'PREROUTING' ] && [ "$macfilter_type" != "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + $1 $w -t nat -A $3 -m mac --mac-source $mac -j RETURN + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + $1 $w -t nat -A $3 -s $ip -j RETURN + done + } + if [ "$2" = 'PREROUTING' ] && [ "$3" != 'shellcrash_vm_dns' ] && [ "$macfilter_type" = "白名单" ] && [ -n "$(cat $CRASHDIR/configs/mac $CRASHDIR/configs/ip_filter 2>/dev/null)" ]; then + [ -s "$CRASHDIR"/configs/mac ] && + for mac in $(cat "$CRASHDIR"/configs/mac); do + $1 $w -t nat -A $3 -p tcp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port + $1 $w -t nat -A $3 -p udp -m mac --mac-source $mac -j REDIRECT --to-ports $dns_port + done + [ -s "$CRASHDIR"/configs/ip_filter ] && [ "$1" = 'iptables' ] && + for ip in $(cat "$CRASHDIR"/configs/ip_filter); do + $1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port + $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port + done + else + for ip in $HOST_IP; do #仅限指定网段流量 + $1 $w -t nat -A $3 -p tcp -s $ip -j REDIRECT --to-ports $dns_port + $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port + done + fi + [ "$1" = 'ip6tables' ] && { #屏蔽外部请求 + $1 $w -t nat -A $3 -p tcp -j RETURN + $1 $w -t nat -A $3 -p udp -j RETURN + } + $1 $w -t nat -I $2 -p tcp --dport 53 -j $3 + $1 $w -t nat -I $2 -p udp --dport 53 -j $3 } start_ipt_wan() { #iptables公网防火墙 - #获取局域网host地址 - getlanip - if [ "$public_support" = "已开启" ]; then - $iptable -I INPUT -p tcp --dport $db_port -j ACCEPT - ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $db_port -j ACCEPT - else - #仅允许非公网设备访问面板 - for ip in $reserve_ipv4; do - $iptable -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT - done - $iptable -A INPUT -p tcp --dport $db_port -j REJECT - ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $db_port -j REJECT - fi - if [ "$public_mixport" = "已开启" ]; then - $iptable -I INPUT -p tcp --dport $mix_port -j ACCEPT - ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $mix_port -j ACCEPT - else - #仅允许局域网设备访问混合端口 - for ip in $reserve_ipv4; do - $iptable -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT - done - $iptable -A INPUT -p tcp --dport $mix_port -j REJECT - ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $mix_port -j REJECT - fi - $iptable -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行 + #获取局域网host地址 + getlanip + if [ "$public_support" = "已开启" ]; then + $iptable -I INPUT -p tcp --dport $db_port -j ACCEPT + ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $db_port -j ACCEPT + else + #仅允许非公网设备访问面板 + for ip in $reserve_ipv4; do + $iptable -A INPUT -p tcp -s $ip --dport $db_port -j ACCEPT + done + $iptable -A INPUT -p tcp --dport $db_port -j REJECT + ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $db_port -j REJECT + fi + if [ "$public_mixport" = "已开启" ]; then + $iptable -I INPUT -p tcp --dport $mix_port -j ACCEPT + ckcmd ip6tables && $ip6table -I INPUT -p tcp --dport $mix_port -j ACCEPT + else + #仅允许局域网设备访问混合端口 + for ip in $reserve_ipv4; do + $iptable -A INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT + done + $iptable -A INPUT -p tcp --dport $mix_port -j REJECT + ckcmd ip6tables && $ip6table -A INPUT -p tcp --dport $mix_port -j REJECT + fi + $iptable -I INPUT -p tcp -d 127.0.0.1 -j ACCEPT #本机请求全放行 } start_iptables() { #iptables配置总入口 - #启动公网访问防火墙 - start_ipt_wan - #分模式设置流量劫持 - [ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && { - JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 - [ "$lan_proxy" = true ] && { - start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发 - [ "$ipv6_redir" = "已开启" ] && { - if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then - start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发 - else - logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 - fi - } - } - [ "$local_proxy" = true ] && { - start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 - [ "$ipv6_redir" = "已开启" ] && { - if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then - start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发 - else - logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 - fi - } - } - } - [ "$redir_mod" = "Tproxy模式" ] && { - modprobe xt_TPROXY >/dev/null 2>&1 - JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 - if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then - [ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all - [ "$local_proxy" = true ] && { - if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then - JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 - start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all - $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port - $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port - else - logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 - fi - } - else - logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持,已放弃启动相关规则!" 31 - fi - [ "$ipv6_redir" = "已开启" ] && { - if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then - JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 - [ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all - [ "$local_proxy" = true ] && { - if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then - JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 - start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all - $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port - $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port - else - logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 - fi - } - else - logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持,已放弃启动相关规则!" 31 - fi - } - } - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && { - JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all - [ "$redir_mod" = "混合模式" ] && protocol=udp - [ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp - if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then - [ "$lan_proxy" = true ] && { - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT - start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol - } - [ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol - else - logger "当前设备内核可能缺少x_mark模块支持,已放弃启动相关规则!" 31 - fi - [ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && { - if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then - [ "$lan_proxy" = true ] && { - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT - start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol - } - [ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol - else - logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动相关规则!" 31 - fi - } - } - [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && { - JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 - start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发 - start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发 - } - #启动DNS劫持 - [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { - [ "$lan_proxy" = true ] && { - start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发 - if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then - start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发 - else - $ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1 - $ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1 - fi - } - [ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发 - } - #屏蔽QUIC - [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && { - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && { - set_cn_ip='-m set ! --match-set cn_ip dst' - set_cn_ip6='-m set ! --match-set cn_ip6 dst' - } - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { - $iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1 - $ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1 - } - [ "$redir_mod" = "Tproxy模式" ] && { - $iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1 - $ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1 - } - } + #启动公网访问防火墙 + start_ipt_wan + #分模式设置流量劫持 + [ "$redir_mod" = "Redir模式" -o "$redir_mod" = "混合模式" ] && { + JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && { + start_ipt_route iptables nat PREROUTING shellcrash tcp #ipv4-局域网tcp转发 + [ "$ipv6_redir" = "已开启" ] && { + if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_route ip6tables nat PREROUTING shellcrashv6 tcp #ipv6-局域网tcp转发 + else + logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 + fi + } + } + [ "$local_proxy" = true ] && { + start_ipt_route iptables nat OUTPUT shellcrash_out tcp #ipv4-本机tcp转发 + [ "$ipv6_redir" = "已开启" ] && { + if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_route ip6tables nat OUTPUT shellcrashv6_out tcp #ipv6-本机tcp转发 + else + logger "当前设备内核缺少ip6tables_REDIRECT模块支持,已放弃启动相关规则!" 31 + fi + } + } + } + [ "$redir_mod" = "Tproxy模式" ] && { + modprobe xt_TPROXY >/dev/null 2>&1 + JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 + if $iptable -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then + [ "$lan_proxy" = true ] && start_ipt_route iptables mangle PREROUTING shellcrash_mark all + [ "$local_proxy" = true ] && { + if [ -n "$(grep -E '^MARK$' /proc/net/ip_tables_targets)" ]; then + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + start_ipt_route iptables mangle OUTPUT shellcrash_mark_out all + $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port + $iptable -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 + fi + } + else + logger "当前设备内核可能缺少kmod_ipt_tproxy模块支持,已放弃启动相关规则!" 31 + fi + [ "$ipv6_redir" = "已开启" ] && { + if $ip6table -j TPROXY -h 2>/dev/null | grep -q '\--on-port'; then + JUMP="TPROXY --on-port $tproxy_port --tproxy-mark $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark all + [ "$local_proxy" = true ] && { + if [ -n "$(grep -E '^MARK$' /proc/net/ip6_tables_targets)" ]; then + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out all + $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port + $ip6table -t mangle -A PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动本机代理相关规则!" 31 + fi + } + else + logger "当前设备内核可能缺少kmod_ipt_tproxy或者xt_mark模块支持,已放弃启动相关规则!" 31 + fi + } + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" -o "$redir_mod" = "T&U旁路转发" -o "$redir_mod" = "TCP旁路转发" ] && { + JUMP="MARK --set-mark $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "T&U旁路转发" ] && protocol=all + [ "$redir_mod" = "混合模式" ] && protocol=udp + [ "$redir_mod" = "TCP旁路转发" ] && protocol=tcp + if $iptable -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then + [ "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $iptable -I FORWARD -o utun -j ACCEPT + start_ipt_route iptables mangle PREROUTING shellcrash_mark $protocol + } + [ "$local_proxy" = true ] && start_ipt_route iptables mangle OUTPUT shellcrash_mark_out $protocol + else + logger "当前设备内核可能缺少x_mark模块支持,已放弃启动相关规则!" 31 + fi + [ "$ipv6_redir" = "已开启" ] && [ "$crashcore" != clashpre ] && { + if $ip6table -j MARK -h 2>/dev/null | grep -q '\--set-mark'; then + [ "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && $ip6table -I FORWARD -o utun -j ACCEPT + start_ipt_route ip6tables mangle PREROUTING shellcrashv6_mark $protocol + } + [ "$local_proxy" = true ] && start_ipt_route ip6tables mangle OUTPUT shellcrashv6_mark_out $protocol + else + logger "当前设备内核可能缺少xt_mark模块支持,已放弃启动相关规则!" 31 + fi + } + } + [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && { + JUMP="REDIRECT --to-ports $redir_port" #跳转劫持的具体命令 + start_ipt_dns iptables PREROUTING shellcrash_vm_dns #ipv4-局域网dns转发 + start_ipt_route iptables nat PREROUTING shellcrash_vm tcp #ipv4-局域网tcp转发 + } + #启动DNS劫持 + [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { + [ "$lan_proxy" = true ] && { + start_ipt_dns iptables PREROUTING shellcrash_dns #ipv4-局域网dns转发 + if $ip6table -j REDIRECT -h 2>/dev/null | grep -q '\--to-ports'; then + start_ipt_dns ip6tables PREROUTING shellcrashv6_dns #ipv6-局域网dns转发 + else + $ip6table -I INPUT -p tcp --dport 53 -j REJECT >/dev/null 2>&1 + $ip6table -I INPUT -p udp --dport 53 -j REJECT >/dev/null 2>&1 + fi + } + [ "$local_proxy" = true ] && start_ipt_dns iptables OUTPUT shellcrash_dns_out #ipv4-本机dns转发 + } + #屏蔽QUIC + [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && { + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && { + set_cn_ip='-m set ! --match-set cn_ip dst' + set_cn_ip6='-m set ! --match-set cn_ip6 dst' + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { + $iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1 + $ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1 + } + [ "$redir_mod" = "Tproxy模式" ] && { + $iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1 + $ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1 + } + } } start_nft_route() { #nftables-route通用工具 - #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150) - [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') - RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g') - HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') - [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" - [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" - #添加新链 - nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; } - [ "$1" = 'prerouting_vm' ] && nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理虚拟机流量 - #过滤dns - nft add rule inet shellcrash $1 tcp dport 53 return - nft add rule inet shellcrash $1 udp dport 53 return - #防回环 - nft add rule inet shellcrash $1 meta mark $routing_mark return - nft add rule inet shellcrash $1 meta skgid 7890 return - [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return - [ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return - #过滤常用端口 - [ -n "$PORTS" ] && { - nft add rule inet shellcrash $1 ip daddr != {28.0.0.1/8} tcp dport != {$PORTS} return - nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return - } - #nft add rule inet shellcrash $1 ip saddr 28.0.0.1/8 return - nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址 - #过滤局域网设备 - [ "$1" = 'prerouting' ] && { - [ "$macfilter_type" != "白名单" ] && { - [ -s "$CRASHDIR"/configs/mac ] && { - MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) - nft add rule inet shellcrash $1 ether saddr {$MAC} return - } - [ -s "$CRASHDIR"/configs/ip_filter ] && { - FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter) - nft add rule inet shellcrash $1 ip saddr {$FL_IP} return - } - nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 - } - [ "$macfilter_type" = "白名单" ] && { - [ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) - [ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter) - if [ -n "$MAC" ] && [ -n "$FL_IP" ]; then - nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return - elif [ -n "$MAC" ]; then - nft add rule inet shellcrash $1 ether saddr != {$MAC} return - elif [ -n "$FL_IP" ]; then - nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return - else - nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 - fi - } - } - #绕过CN-IP - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && { - CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt) - [ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return - } - #局域网ipv6支持 - if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then - RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" - HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')" - #过滤保留地址及本机地址 - nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return - #仅代理本机局域网网段流量 - nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return - #绕过CN_IPV6 - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { - CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) - [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return - } - elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then - RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" - HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')" - #过滤保留地址及本机地址 - nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return - #仅代理本机局域网网段流量 - nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return - #绕过CN_IPV6 - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { - CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) - [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return - } - else - nft add rule inet shellcrash $1 meta nfproto ipv6 return - fi - #添加通用路由 - nft add rule inet shellcrash "$1" "$JUMP" - #处理特殊路由 - [ "$redir_mod" = "混合模式" ] && { - nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1)) - nft add chain inet shellcrash "$1"_mixtcp { type nat hook $2 priority -100 \; } - nft add rule inet shellcrash "$1"_mixtcp mark $((fwmark + 1)) meta l4proto tcp redirect to $redir_port - } - #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug + #$1:name $2:hook(prerouting/output) $3:type(nat/mangle/filter) $4:priority(-100/-150) + [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') + RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g') + HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') + [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" + [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" + #添加新链 + nft add chain inet shellcrash $1 { type $3 hook $2 priority $4 \; } + [ "$1" = 'prerouting_vm' ] && nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理虚拟机流量 + #过滤dns + nft add rule inet shellcrash $1 tcp dport 53 return + nft add rule inet shellcrash $1 udp dport 53 return + #防回环 + nft add rule inet shellcrash $1 meta mark $routing_mark return + nft add rule inet shellcrash $1 meta skgid 7890 return + [ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return + [ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return + #过滤常用端口 + [ -n "$PORTS" ] && { + nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} tcp dport != {$PORTS} return + nft add rule inet shellcrash $1 ip daddr != {28.0.0.0/8} udp dport != {$PORTS} return + nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return + nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} udp dport != {$PORTS} return + } + #nft add rule inet shellcrash $1 ip saddr 28.0.0.0/8 return + nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址 + #过滤局域网设备 + [ "$1" = 'prerouting' ] && { + [ "$macfilter_type" != "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && { + MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) + nft add rule inet shellcrash $1 ether saddr {$MAC} return + } + [ -s "$CRASHDIR"/configs/ip_filter ] && { + FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter) + nft add rule inet shellcrash $1 ip saddr {$FL_IP} return + } + nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 + } + [ "$macfilter_type" = "白名单" ] && { + [ -s "$CRASHDIR"/configs/mac ] && MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) + [ -s "$CRASHDIR"/configs/ip_filter ] && FL_IP=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/ip_filter) + if [ -n "$MAC" ] && [ -n "$FL_IP" ]; then + nft add rule inet shellcrash $1 ether saddr != {$MAC} ip saddr != {$FL_IP} return + elif [ -n "$MAC" ]; then + nft add rule inet shellcrash $1 ether saddr != {$MAC} return + elif [ -n "$FL_IP" ]; then + nft add rule inet shellcrash $1 ip saddr != {$FL_IP} return + else + nft add rule inet shellcrash $1 ip saddr != {$HOST_IP} return #仅代理本机局域网网段流量 + fi + } + } + #绕过CN-IP + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f "$BINDIR"/cn_ip.txt ] && { + CN_IP=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ip.txt) + [ -n "$CN_IP" ] && nft add rule inet shellcrash $1 ip daddr {$CN_IP} return + } + #局域网ipv6支持 + if [ "$ipv6_redir" = "已开启" -a "$1" = 'prerouting' -a "$firewall_area" != 5 ]; then + RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" + HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')" + #过滤保留地址及本机地址 + nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return + #仅代理本机局域网网段流量 + nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return + #绕过CN_IPV6 + [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { + CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) + [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return + } + elif [ "$ipv6_redir" = "已开启" -a "$1" = 'output' -a \( "$firewall_area" = 2 -o "$firewall_area" = 3 \) ]; then + RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')" + HOST_IP6="::1, $(echo $host_ipv6 | sed 's/ /, /g')" + #过滤保留地址及本机地址 + nft add rule inet shellcrash $1 ip6 daddr {$RESERVED_IP6} return + #仅代理本机局域网网段流量 + nft add rule inet shellcrash $1 ip6 saddr != {$HOST_IP6} return + #绕过CN_IPV6 + [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f "$BINDIR"/cn_ipv6.txt ] && { + CN_IP6=$(awk '{printf "%s, ",$1}' "$BINDIR"/cn_ipv6.txt) + [ -n "$CN_IP6" ] && nft add rule inet shellcrash $1 ip6 daddr {$CN_IP6} return + } + else + nft add rule inet shellcrash $1 meta nfproto ipv6 return + fi + #添加通用路由 + nft add rule inet shellcrash "$1" "$JUMP" + #处理特殊路由 + [ "$redir_mod" = "混合模式" ] && { + nft add rule inet shellcrash $1 meta l4proto tcp mark set $((fwmark + 1)) + nft add chain inet shellcrash "$1"_mixtcp { type nat hook $2 priority -100 \; } + nft add rule inet shellcrash "$1"_mixtcp mark $((fwmark + 1)) meta l4proto tcp redirect to $redir_port + } + #nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug } start_nft_dns() { #nftables-dns - HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') - HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g') - [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" - [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" - nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; } - #过滤非dns请求 - nft add rule inet shellcrash "$1"_dns udp dport != 53 return - nft add rule inet shellcrash "$1"_dns tcp dport != 53 return - #防回环 - nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return - nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return - [ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return - nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求 - [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求 - #过滤局域网设备 - [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && { - MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) - if [ "$macfilter_type" = "黑名单" ]; then - nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return - else - nft add rule inet shellcrash "$1"_dns ether saddr != {$MAC} return - fi - } - nft add rule inet shellcrash "$1"_dns udp dport 53 redirect to ${dns_port} - nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to ${dns_port} + HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') + HOST_IP6=$(echo $host_ipv6 | sed 's/ /, /g') + [ "$1" = 'output' ] && HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')" + [ "$1" = 'prerouting_vm' ] && HOST_IP="$(echo $vm_ipv4 | sed 's/ /, /g')" + nft add chain inet shellcrash "$1"_dns { type nat hook $2 priority -100 \; } + #过滤非dns请求 + nft add rule inet shellcrash "$1"_dns udp dport != 53 return + nft add rule inet shellcrash "$1"_dns tcp dport != 53 return + #防回环 + nft add rule inet shellcrash "$1"_dns meta mark $routing_mark return + nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return + [ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return + nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求 + [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求 + #过滤局域网设备 + [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && { + MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac) + if [ "$macfilter_type" = "黑名单" ]; then + nft add rule inet shellcrash "$1"_dns ether saddr {$MAC} return + else + nft add rule inet shellcrash "$1"_dns ether saddr != {$MAC} return + fi + } + nft add rule inet shellcrash "$1"_dns udp dport 53 redirect to ${dns_port} + nft add rule inet shellcrash "$1"_dns tcp dport 53 redirect to ${dns_port} } start_nft_wan() { #nftables公网防火墙 - #获取局域网host地址 - getlanip - HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') - nft add chain inet shellcrash input { type filter hook input priority -100 \; } - nft add rule inet shellcrash input ip daddr 127.0.0.1 accept - if [ "$public_support" = "已开启" ]; then - nft add rule inet shellcrash input tcp dport $db_port accept - else - #仅允许非公网设备访问面板 - nft add rule inet shellcrash input tcp dport $db_port ip saddr {$HOST_IP} accept - nft add rule inet shellcrash input tcp dport $db_port reject - fi - if [ "$public_mixport" = "已开启" ]; then - nft add rule inet shellcrash input tcp dport $mix_port accept - else - #仅允许局域网设备访问混合端口 - nft add rule inet shellcrash input tcp dport $mix_port ip saddr {$HOST_IP} accept - nft add rule inet shellcrash input tcp dport $mix_port reject - fi + #获取局域网host地址 + getlanip + HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g') + nft add chain inet shellcrash input { type filter hook input priority -100 \; } + nft add rule inet shellcrash input ip daddr 127.0.0.1 accept + if [ "$public_support" = "已开启" ]; then + nft add rule inet shellcrash input tcp dport $db_port accept + else + #仅允许非公网设备访问面板 + nft add rule inet shellcrash input tcp dport $db_port ip saddr {$HOST_IP} accept + nft add rule inet shellcrash input tcp dport $db_port reject + fi + if [ "$public_mixport" = "已开启" ]; then + nft add rule inet shellcrash input tcp dport $mix_port accept + else + #仅允许局域网设备访问混合端口 + nft add rule inet shellcrash input tcp dport $mix_port ip saddr {$HOST_IP} accept + nft add rule inet shellcrash input tcp dport $mix_port reject + fi } start_nftables() { #nftables配置总入口 - #初始化nftables - nft add table inet shellcrash - nft flush table inet shellcrash - #公网访问防火墙 - start_nft_wan - #启动DNS劫持 - [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { - [ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发 - [ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发 - } - #分模式设置流量劫持 - [ "$redir_mod" = "Redir模式" ] && { - JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 - [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100 - [ "$local_proxy" = true ] && start_nft_route output output nat -100 - } - [ "$redir_mod" = "Tproxy模式" ] && (modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy) && { - JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令 - [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150 - [ "$local_proxy" = true ] && { - JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 - start_nft_route output output route -150 - nft add chain inet shellcrash mark_out { type filter hook prerouting priority -100 \; } - nft add rule inet shellcrash mark_out meta mark $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port - } - } - [ "$tun_statu" = true ] && { - [ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 - [ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令 - [ "$lan_proxy" = true ] && { - start_nft_route prerouting prerouting filter -150 - #放行流量 - nft list table inet fw4 >/dev/null 2>&1 || nft add table inet fw4 - nft list chain inet fw4 forward >/dev/null 2>&1 || nft add chain inet fw4 forward { type filter hook forward priority filter \; } 2>/dev/null - nft list chain inet fw4 input >/dev/null 2>&1 || nft add chain inet fw4 input { type filter hook input priority filter \; } 2>/dev/null - nft list chain inet fw4 forward | grep -q 'oifname "utun" accept' || nft insert rule inet fw4 forward oifname "utun" accept - nft list chain inet fw4 input | grep -q 'iifname "utun" accept' || nft insert rule inet fw4 input iifname "utun" accept - } - [ "$local_proxy" = true ] && start_nft_route output output route -150 - } - [ "$firewall_area" = 5 ] && { - [ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 - [ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令 - [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150 - [ "$local_proxy" = true ] && start_nft_route output output route -150 - } - [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && { - start_nft_dns prerouting_vm prerouting - JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 - start_nft_route prerouting_vm prerouting nat -100 - } - #屏蔽QUIC - [ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && { - [ "$redir_mod" = "Tproxy模式" ] && { - nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; } - [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return - [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return - nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' - } - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { - nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' - [ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return - [ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return - } - } + #初始化nftables + nft add table inet shellcrash + nft flush table inet shellcrash + #公网访问防火墙 + start_nft_wan + #启动DNS劫持 + [ "$dns_no" != "已禁用" -a "$dns_redir" != "已开启" -a "$firewall_area" -le 3 ] && { + [ "$lan_proxy" = true ] && start_nft_dns prerouting prerouting #局域网dns转发 + [ "$local_proxy" = true ] && start_nft_dns output output #本机dns转发 + } + #分模式设置流量劫持 + [ "$redir_mod" = "Redir模式" ] && { + JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting nat -100 + [ "$local_proxy" = true ] && start_nft_route output output nat -100 + } + [ "$redir_mod" = "Tproxy模式" ] && (modprobe nft_tproxy >/dev/null 2>&1 || lsmod 2>/dev/null | grep -q nft_tproxy) && { + JUMP="meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150 + [ "$local_proxy" = true ] && { + JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + start_nft_route output output route -150 + nft add chain inet shellcrash mark_out { type filter hook prerouting priority -100 \; } + nft add rule inet shellcrash mark_out meta mark $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port + } + } + [ "$tun_statu" = true ] && { + [ "$redir_mod" = "Tun模式" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "混合模式" ] && JUMP="meta l4proto udp mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && { + start_nft_route prerouting prerouting filter -150 + #放行流量 + nft list table inet fw4 >/dev/null 2>&1 || nft add table inet fw4 + nft list chain inet fw4 forward >/dev/null 2>&1 || nft add chain inet fw4 forward { type filter hook forward priority filter \; } 2>/dev/null + nft list chain inet fw4 input >/dev/null 2>&1 || nft add chain inet fw4 input { type filter hook input priority filter \; } 2>/dev/null + nft list chain inet fw4 forward | grep -q 'oifname "utun" accept' || nft insert rule inet fw4 forward oifname "utun" accept + nft list chain inet fw4 input | grep -q 'iifname "utun" accept' || nft insert rule inet fw4 input iifname "utun" accept + } + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$firewall_area" = 5 ] && { + [ "$redir_mod" = "T&U旁路转发" ] && JUMP="meta l4proto {tcp, udp} mark set $fwmark" #跳转劫持的具体命令 + [ "$redir_mod" = "TCP旁路转发" ] && JUMP="meta l4proto tcp mark set $fwmark" #跳转劫持的具体命令 + [ "$lan_proxy" = true ] && start_nft_route prerouting prerouting filter -150 + [ "$local_proxy" = true ] && start_nft_route output output route -150 + } + [ "$vm_redir" = "已开启" ] && [ -n "$$vm_ipv4" ] && { + start_nft_dns prerouting_vm prerouting + JUMP="meta l4proto tcp redirect to $redir_port" #跳转劫持的具体命令 + start_nft_route prerouting_vm prerouting nat -100 + } + #屏蔽QUIC + [ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && { + [ "$redir_mod" = "Tproxy模式" ] && { + nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; } + [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return + [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return + nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' + } + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { + nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT' + [ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return + [ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return + } + } } start_firewall() { #路由规则总入口 - getlanip #获取局域网host地址 - #设置策略路由 - [ "$firewall_area" != 4 ] && { - [ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table 2>/dev/null - [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { - i=1 - while [ -z "$(ip route list | grep utun)" -a "$i" -le 29 ]; do - sleep 1 - i=$((i + 1)) - done - if [ -z "$(ip route list | grep utun)" ]; then - logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31 - else - ip route add default dev utun table $table && tun_statu=true - fi - } - [ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table 2>/dev/null - [ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table 2>/dev/null - } - #添加ipv6路由 - [ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && { - [ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) 2>/dev/null - [ -n "$(ip route list | grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) 2>/dev/null - [ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null - } - #判断代理用途 - [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true - [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true - #防火墙配置 - [ "$firewall_mod" = 'iptables' ] && start_iptables - [ "$firewall_mod" = 'nftables' ] && start_nftables - #修复部分虚拟机dns查询失败的问题 - [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && [ -w /etc/resolv.conf ] && { - line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}') - sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf >/dev/null 2>&1 - } - #openwrt使用dnsmasq转发DNS - if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ]; then - uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 - uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null - uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port >/dev/null 2>&1 - uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null - uci commit dhcp >/dev/null 2>&1 - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ]; then - uci del dhcp.@dnsmasq[0].dns_redirect - uci commit dhcp.@dnsmasq[0] - fi + getlanip #获取局域网host地址 + #设置策略路由 + [ "$firewall_area" != 4 ] && { + [ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table $table 2>/dev/null + [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && { + i=1 + while [ -z "$(ip route list | grep utun)" -a "$i" -le 29 ]; do + sleep 1 + i=$((i + 1)) + done + if [ -z "$(ip route list | grep utun)" ]; then + logger "找不到tun模块,放弃启动tun相关防火墙规则!" 31 + else + ip route add default dev utun table $table && tun_statu=true + fi + } + [ "$firewall_area" = 5 ] && ip route add default via $bypass_host table $table 2>/dev/null + [ "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table $table 2>/dev/null + } + #添加ipv6路由 + [ "$ipv6_redir" = "已开启" -a "$firewall_area" -le 3 ] && { + [ "$redir_mod" = "Tproxy模式" ] && ip -6 route add local default dev lo table $((table + 1)) 2>/dev/null + [ -n "$(ip route list | grep utun)" ] && ip -6 route add default dev utun table $((table + 1)) 2>/dev/null + [ "$redir_mod" != "Redir模式" ] && ip -6 rule add fwmark $fwmark table $((table + 1)) 2>/dev/null + } + #判断代理用途 + [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && local_proxy=true + [ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && lan_proxy=true + #防火墙配置 + [ "$firewall_mod" = 'iptables' ] && start_iptables + [ "$firewall_mod" = 'nftables' ] && start_nftables + #修复部分虚拟机dns查询失败的问题 + [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && [ "$systype" != 'container' ] && { + line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}') + sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf >/dev/null 2>&1 + } + #openwrt使用dnsmasq转发DNS + if [ "$dns_redir" = "已开启" -a "$firewall_area" -le 3 -a "$dns_no" != "已禁用" ]; then + uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 + uci delete dhcp.@dnsmasq[0].resolvfile 2>/dev/null + uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#$dns_port >/dev/null 2>&1 + uci set dhcp.@dnsmasq[0].noresolv=1 2>/dev/null + uci commit dhcp >/dev/null 2>&1 + /etc/init.d/dnsmasq restart >/dev/null 2>&1 + elif [ "$(uci get dhcp.@dnsmasq[0].dns_redirect 2>/dev/null)" = 1 ]; then + uci del dhcp.@dnsmasq[0].dns_redirect + uci commit dhcp.@dnsmasq[0] + fi } stop_firewall() { #还原防火墙配置 - #获取局域网host地址 - getlanip - #重置iptables相关规则 - ckcmd iptables && { - #dns - $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null - $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null - $iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null - $iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null - #redir - $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null - $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.1/8 -j shellcrash 2>/dev/null - $iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null - $iptable -t nat -D OUTPUT -p tcp -d 28.0.0.1/8 -j shellcrash_out 2>/dev/null - #vm_dns - $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null - $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null - #vm_redir - $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null - $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.1/8 -j shellcrash_vm 2>/dev/null - #TPROXY&tun - $iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null - $iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null - $iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.1/8 -j shellcrash_mark 2>/dev/null - $iptable -t mangle -D PREROUTING -p udp -d 28.0.0.1/8 -j shellcrash_mark 2>/dev/null - $iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null - $iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null - $iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.1/8 -j shellcrash_mark_out 2>/dev/null - $iptable -t mangle -D OUTPUT -p udp -d 28.0.0.1/8 -j shellcrash_mark_out 2>/dev/null - $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null - $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null - #tun - $iptable -D FORWARD -o utun -j ACCEPT 2>/dev/null - #屏蔽QUIC - [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' - $iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null - $iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null - #公网访问 - for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do - $iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null - $iptable -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null - done - $iptable -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null - $iptable -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null - $iptable -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null - $iptable -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null - $iptable -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null - #清理shellcrash自建表 - for words in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do - $iptable -t nat -F $words 2>/dev/null - $iptable -t nat -X $words 2>/dev/null - done - for words in shellcrash_mark shellcrash_mark_out; do - $iptable -t mangle -F $words 2>/dev/null - $iptable -t mangle -X $words 2>/dev/null - done - } - #重置ipv6规则 - ckcmd ip6tables && { - #dns - $ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null - $ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null - #redir - $ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null - $ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null - $ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null - $ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null - $ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null - $ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null - #mark - $ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null - $ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null - $ip6table -t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null - $ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null - $ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null - $ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null - $ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null - $ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null - $ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null - $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null - $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null - #tun - $ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null - #屏蔽QUIC - [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' - $ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null - $ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null - #公网访问 - $ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null - $ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null - $ip6table -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null - $ip6table -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null - #清理shellcrash自建表 - for words in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do - $ip6table -t nat -F $words 2>/dev/null - $ip6table -t nat -X $words 2>/dev/null - done - for words in shellcrashv6_mark shellcrashv6_mark_out; do - $ip6table -t mangle -F $words 2>/dev/null - $ip6table -t mangle -X $words 2>/dev/null - done - $ip6table -t mangle -F shellcrashv6_mark 2>/dev/null - $ip6table -t mangle -X shellcrashv6_mark 2>/dev/null - } - #清理ipset规则 - ipset destroy cn_ip >/dev/null 2>&1 - ipset destroy cn_ip6 >/dev/null 2>&1 - #移除dnsmasq转发规则 - [ "$dns_redir" = "已开启" ] && { - uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 - uci set dhcp.@dnsmasq[0].noresolv=0 2>/dev/null - uci commit dhcp >/dev/null 2>&1 - /etc/init.d/dnsmasq restart >/dev/null 2>&1 - } - #清理路由规则 - ip rule del fwmark $fwmark table $table 2>/dev/null - ip route flush table $table 2>/dev/null - ip -6 rule del fwmark $fwmark table $((table + 1)) 2>/dev/null - ip -6 route flush table $((table + 1)) 2>/dev/null - #重置nftables相关规则 - ckcmd nft && { - nft flush table inet shellcrash >/dev/null 2>&1 - nft delete table inet shellcrash >/dev/null 2>&1 - } - #还原防火墙文件 - [ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall - #others - sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf + #获取局域网host地址 + getlanip + #重置iptables相关规则 + ckcmd iptables && { + #dns + $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_dns 2>/dev/null + $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null + $iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null + $iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null + #redir + $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null + $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash 2>/dev/null + $iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null + $iptable -t nat -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_out 2>/dev/null + #vm_dns + $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null + $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null + #vm_redir + $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null + $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_vm 2>/dev/null + #TPROXY&tun + $iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D PREROUTING -p udp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null + $iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D OUTPUT -p udp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null + $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null + $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null + #tun + $iptable -D FORWARD -o utun -j ACCEPT 2>/dev/null + #屏蔽QUIC + [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' + $iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null + $iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null + #公网访问 + for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do + $iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null + $iptable -D INPUT -p tcp -s $ip --dport $db_port -j ACCEPT 2>/dev/null + done + $iptable -D INPUT -p tcp -d 127.0.0.1 -j ACCEPT 2>/dev/null + $iptable -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null + $iptable -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null + $iptable -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null + $iptable -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null + #清理shellcrash自建表 + for words in shellcrash_dns shellcrash shellcrash_out shellcrash_dns_out shellcrash_vm shellcrash_vm_dns; do + $iptable -t nat -F $words 2>/dev/null + $iptable -t nat -X $words 2>/dev/null + done + for words in shellcrash_mark shellcrash_mark_out; do + $iptable -t mangle -F $words 2>/dev/null + $iptable -t mangle -X $words 2>/dev/null + done + } + #重置ipv6规则 + ckcmd ip6tables && { + #dns + $ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null + $ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null + #redir + $ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null + $ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null + $ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null + $ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null + $ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null + $ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null + #mark + $ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null + $ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null + $ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null + $ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null + $ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null + $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null + $ip6table -t mangle -D PREROUTING -m mark --mark $fwmark -p udp -j TPROXY --on-port $tproxy_port 2>/dev/null + #tun + $ip6table -D FORWARD -o utun -j ACCEPT 2>/dev/null + #屏蔽QUIC + [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst' + $ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null + $ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null + #公网访问 + $ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null + $ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null + $ip6table -D INPUT -p tcp --dport $db_port -j REJECT 2>/dev/null + $ip6table -D INPUT -p tcp --dport $db_port -j ACCEPT 2>/dev/null + #清理shellcrash自建表 + for words in shellcrashv6_dns shellcrashv6 shellcrashv6_out; do + $ip6table -t nat -F $words 2>/dev/null + $ip6table -t nat -X $words 2>/dev/null + done + for words in shellcrashv6_mark shellcrashv6_mark_out; do + $ip6table -t mangle -F $words 2>/dev/null + $ip6table -t mangle -X $words 2>/dev/null + done + $ip6table -t mangle -F shellcrashv6_mark 2>/dev/null + $ip6table -t mangle -X shellcrashv6_mark 2>/dev/null + } + #清理ipset规则 + ipset destroy cn_ip >/dev/null 2>&1 + ipset destroy cn_ip6 >/dev/null 2>&1 + #移除dnsmasq转发规则 + [ "$dns_redir" = "已开启" ] && { + uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1 + uci set dhcp.@dnsmasq[0].noresolv=0 2>/dev/null + uci commit dhcp >/dev/null 2>&1 + /etc/init.d/dnsmasq restart >/dev/null 2>&1 + } + #清理路由规则 + ip rule del fwmark $fwmark table $table 2>/dev/null + ip route flush table $table 2>/dev/null + ip -6 rule del fwmark $fwmark table $((table + 1)) 2>/dev/null + ip -6 route flush table $((table + 1)) 2>/dev/null + #重置nftables相关规则 + ckcmd nft && { + nft flush table inet shellcrash >/dev/null 2>&1 + nft delete table inet shellcrash >/dev/null 2>&1 + } + #还原防火墙文件 + [ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall + #others + sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf } #启动相关 web_save() { #最小化保存面板节点选择 - #使用get_save获取面板节点设置 - get_save http://127.0.0.1:${db_port}/proxies | sed 's/:{/!/g' | awk -F '!' '{for(i=1;i<=NF;i++) print $i}' | grep -aE '"Selector"' | grep -aoE '"name":.*"now":".*",' >"$TMPDIR"/web_proxies - [ -s "$TMPDIR"/web_proxies ] && while read line; do - def=$(echo $line | grep -oE '"all".*",' | awk -F "[\"]" '{print $4}') - now=$(echo $line | grep -oE '"now".*",' | awk -F "[\"]" '{print $4}') - [ "$def" != "$now" ] && { - name=$(echo $line | grep -oE '"name".*",' | awk -F "[\"]" '{print $4}') - echo "${name},${now}" >>"$TMPDIR"/web_save - } - done <"$TMPDIR"/web_proxies - rm -rf "$TMPDIR"/web_proxies - #获取面板设置 - #[ "$crashcore" != singbox ] && get_save http://127.0.0.1:${db_port}/configs > "$TMPDIR"/web_configs - #对比文件,如果有变动且不为空则写入磁盘,否则清除缓存 - for file in web_save web_configs; do - if [ -s "$TMPDIR"/${file} ]; then - compare "$TMPDIR"/${file} "$CRASHDIR"/configs/${file} - [ "$?" = 0 ] && rm -rf "$TMPDIR"/${file} || mv -f "$TMPDIR"/${file} "$CRASHDIR"/configs/${file} - fi - done + #使用get_save获取面板节点设置 + get_save http://127.0.0.1:${db_port}/proxies | sed 's/:{/!/g' | awk -F '!' '{for(i=1;i<=NF;i++) print $i}' | grep -aE '"Selector"' | grep -aoE '"name":.*"now":".*",' >"$TMPDIR"/web_proxies + [ -s "$TMPDIR"/web_proxies ] && while read line; do + def=$(echo $line | grep -oE '"all".*",' | awk -F "[\"]" '{print $4}') + now=$(echo $line | grep -oE '"now".*",' | awk -F "[\"]" '{print $4}') + [ "$def" != "$now" ] && { + name=$(echo $line | grep -oE '"name".*",' | awk -F "[\"]" '{print $4}') + echo "${name},${now}" >>"$TMPDIR"/web_save + } + done <"$TMPDIR"/web_proxies + rm -rf "$TMPDIR"/web_proxies + #获取面板设置 + #[ "$crashcore" != singbox ] && get_save http://127.0.0.1:${db_port}/configs > "$TMPDIR"/web_configs + #对比文件,如果有变动且不为空则写入磁盘,否则清除缓存 + for file in web_save web_configs; do + if [ -s "$TMPDIR"/${file} ]; then + compare "$TMPDIR"/${file} "$CRASHDIR"/configs/${file} + [ "$?" = 0 ] && rm -rf "$TMPDIR"/${file} || mv -f "$TMPDIR"/${file} "$CRASHDIR"/configs/${file} + fi + done } web_restore() { #还原面板选择 - #设置循环检测面板端口以判定服务启动是否成功 - test="" - i=1 - while [ -z "$test" -a "$i" -lt 30 ]; do - test=$(get_save http://127.0.0.1:${db_port}/proxies | grep -o proxies) - i=$((i + 1)) - sleep 2 - done - [ -n "$test" ] && { - #发送节点选择数据 - [ -s "$CRASHDIR"/configs/web_save ] && { - num=$(cat "$CRASHDIR"/configs/web_save | wc -l) - i=1 - while [ "$i" -le "$num" ]; do - group_name=$(awk -F ',' 'NR=="'${i}'" {print $1}' "$CRASHDIR"/configs/web_save | sed 's/ /%20/g') - now_name=$(awk -F ',' 'NR=="'${i}'" {print $2}' "$CRASHDIR"/configs/web_save) - put_save http://127.0.0.1:${db_port}/proxies/${group_name} "{\"name\":\"${now_name}\"}" - i=$((i + 1)) - done - } - #还原面板设置 - #[ "$crashcore" != singbox ] && [ -s "$CRASHDIR"/configs/web_configs ] && { - #sleep 5 - #put_save http://127.0.0.1:${db_port}/configs "$(cat "$CRASHDIR"/configs/web_configs)" PATCH - #} - } + #设置循环检测面板端口以判定服务启动是否成功 + test="" + i=1 + while [ -z "$test" -a "$i" -lt 30 ]; do + test=$(get_save http://127.0.0.1:${db_port}/proxies | grep -o proxies) + i=$((i + 1)) + sleep 2 + done + [ -n "$test" ] && { + #发送节点选择数据 + [ -s "$CRASHDIR"/configs/web_save ] && { + num=$(cat "$CRASHDIR"/configs/web_save | wc -l) + i=1 + while [ "$i" -le "$num" ]; do + group_name=$(awk -F ',' 'NR=="'${i}'" {print $1}' "$CRASHDIR"/configs/web_save | sed 's/ /%20/g') + now_name=$(awk -F ',' 'NR=="'${i}'" {print $2}' "$CRASHDIR"/configs/web_save) + put_save http://127.0.0.1:${db_port}/proxies/${group_name} "{\"name\":\"${now_name}\"}" + i=$((i + 1)) + done + } + #还原面板设置 + #[ "$crashcore" != singbox ] && [ -s "$CRASHDIR"/configs/web_configs ] && { + #sleep 5 + #put_save http://127.0.0.1:${db_port}/configs "$(cat "$CRASHDIR"/configs/web_configs)" PATCH + #} + } } makehtml() { #生成面板跳转文件 - cat >"$BINDIR"/ui/index.html <"$BINDIR"/ui/index.html < @@ -1736,10 +1776,7 @@ makehtml() { #生成面板跳转文件

您还未安装本地面板

请在脚本更新功能中(9-4)安装
或者使用在线面板:

请复制当前地址/ui(不包括)前面的内容,填入url位置即可连接

- Meta XD面板(推荐)
 - zashboard面板
 - Meta YACD面板(推荐)
 - Clash YACD面板
 + Zashboard面板(推荐)
如已安装,请使用Ctrl+F5强制刷新此页面!
 @@ -1747,11 +1784,11 @@ makehtml() { #生成面板跳转文件 EOF } catpac() { #生成pac文件 - #获取本机host地址 - [ -n "$host" ] && host_pac=$host - [ -z "$host_pac" ] && host_pac=$(ubus call network.interface.lan status 2>&1 | grep \"address\" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - [ -z "$host_pac" ] && host_pac=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/\/[0-9][0-9].*$//g' | head -n 1) - cat >"$TMPDIR"/shellcrash_pac <&1 | grep \"address\" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + [ -z "$host_pac" ] && host_pac=$(ip a 2>&1 | grep -w 'inet' | grep 'global' | grep -E ' 1(92|0|72)\.' | sed 's/.*inet.//g' | sed 's/\/[0-9][0-9].*$//g' | head -n 1) + cat >"$TMPDIR"/shellcrash_pac <&1 | grep -o 'no-same-owner')" ] && tar_para='--no-same-owner' #tar命令兼容 - [ -n "$(find --help 2>&1 | grep -o size)" ] && find_para=' -size +2000' #find命令兼容 - tar_core() { - mkdir -p "$TMPDIR"/core_tmp - tar -zxf "$1" ${tar_para} -C "$TMPDIR"/core_tmp/ - for file in $(find "$TMPDIR"/core_tmp $find_para 2>/dev/null); do - [ -f $file ] && [ -n "$(echo $file | sed 's#.*/##' | grep -iE '(CrashCore|sing|meta|mihomo|clash|pre)')" ] && mv -f $file "$TMPDIR"/"$2" - done - rm -rf "$TMPDIR"/core_tmp - } - [ -z "$(find "$TMPDIR"/CrashCore $find_para 2>/dev/null)" ] && [ -n "$(find "$BINDIR"/CrashCore $find_para 2>/dev/null)" ] && mv "$BINDIR"/CrashCore "$TMPDIR"/CrashCore - [ -z "$(find "$TMPDIR"/CrashCore $find_para 2>/dev/null)" ] && [ -n "$(find "$BINDIR"/CrashCore.tar.gz $find_para 2>/dev/null)" ] && - tar_core "$BINDIR"/CrashCore.tar.gz CrashCore - [ -z "$(find "$TMPDIR"/CrashCore $find_para 2>/dev/null)" ] && { - logger "未找到【$crashcore】核心,正在下载!" 33 - [ -z "$cpucore" ] && . "$CRASHDIR"/webget.sh && getcpucore - [ -z "$cpucore" ] && logger 找不到设备的CPU信息,请手动指定处理器架构类型! 31 && exit 1 - get_bin "$TMPDIR"/CrashCore.tar.gz "bin/$crashcore/${target}-linux-${cpucore}.tar.gz" - #校验内核 - tar_core "$TMPDIR"/CrashCore.tar.gz core_new - chmod +x "$TMPDIR"/core_new - if echo "$crashcore" | grep -q 'singbox'; then - core_v=$("$TMPDIR"/core_new version 2>/dev/null | grep version | awk '{print $3}') - COMMAND='"$TMPDIR/CrashCore run -D $BINDIR -C $TMPDIR/jsons"' - else - core_v=$("$TMPDIR"/core_new -v 2>/dev/null | head -n 1 | sed 's/ linux.*//;s/.* //') - COMMAND='"$TMPDIR/CrashCore -d $BINDIR -f $TMPDIR/config.yaml"' - fi - if [ -z "$core_v" ]; then - rm -rf "$TMPDIR"/CrashCore - logger "核心下载失败,请重新运行或更换安装源!" 31 - exit 1 - else - mv -f "$TMPDIR"/core_new "$TMPDIR"/CrashCore - mv -f "$TMPDIR"/CrashCore.tar.gz "$BINDIR"/CrashCore.tar.gz - setconfig COMMAND "$COMMAND" "$CRASHDIR"/configs/command.env && . "$CRASHDIR"/configs/command.env - setconfig crashcore $crashcore - setconfig core_v $core_v - fi - } - [ ! -x "$TMPDIR"/CrashCore ] && chmod +x "$TMPDIR"/CrashCore 2>/dev/null #自动授权 - [ "$start_old" != "已开启" -a "$(cat /proc/1/comm)" = "systemd" ] && restorecon -RF $CRASHDIR 2>/dev/null #修复SELinux权限问题 - return 0 + [ -n "$(tar --help 2>&1 | grep -o 'no-same-owner')" ] && tar_para='--no-same-owner' #tar命令兼容 + [ -n "$(find --help 2>&1 | grep -o size)" ] && find_para=' -size +2000' #find命令兼容 + tar_core() { + mkdir -p "$TMPDIR"/core_tmp + tar -zxf "$1" ${tar_para} -C "$TMPDIR"/core_tmp/ + for file in $(find "$TMPDIR"/core_tmp $find_para 2>/dev/null); do + [ -f $file ] && [ -n "$(echo $file | sed 's#.*/##' | grep -iE '(CrashCore|sing|meta|mihomo|clash|pre)')" ] && mv -f $file "$TMPDIR"/"$2" + done + rm -rf "$TMPDIR"/core_tmp + } + [ -z "$(find "$TMPDIR"/CrashCore $find_para 2>/dev/null)" ] && [ -n "$(find "$BINDIR"/CrashCore $find_para 2>/dev/null)" ] && mv "$BINDIR"/CrashCore "$TMPDIR"/CrashCore + [ -z "$(find "$TMPDIR"/CrashCore $find_para 2>/dev/null)" ] && [ -n "$(find "$BINDIR"/CrashCore.tar.gz $find_para 2>/dev/null)" ] && + tar_core "$BINDIR"/CrashCore.tar.gz CrashCore + [ -z "$(find "$TMPDIR"/CrashCore $find_para 2>/dev/null)" ] && { + logger "未找到【$crashcore】核心,正在下载!" 33 + [ -z "$cpucore" ] && . "$CRASHDIR"/webget.sh && getcpucore + [ -z "$cpucore" ] && logger 找不到设备的CPU信息,请手动指定处理器架构类型! 31 && exit 1 + get_bin "$TMPDIR"/CrashCore.tar.gz "bin/$crashcore/${target}-linux-${cpucore}.tar.gz" + #校验内核 + tar_core "$TMPDIR"/CrashCore.tar.gz core_new + chmod +x "$TMPDIR"/core_new + if echo "$crashcore" | grep -q 'singbox'; then + core_v=$("$TMPDIR"/core_new version 2>/dev/null | grep version | awk '{print $3}') + COMMAND='"$TMPDIR/CrashCore run -D $BINDIR -C $TMPDIR/jsons"' + else + core_v=$("$TMPDIR"/core_new -v 2>/dev/null | head -n 1 | sed 's/ linux.*//;s/.* //') + COMMAND='"$TMPDIR/CrashCore -d $BINDIR -f $TMPDIR/config.yaml"' + fi + if [ -z "$core_v" ]; then + rm -rf "$TMPDIR"/CrashCore + logger "核心下载失败,请重新运行或更换安装源!" 31 + exit 1 + else + mv -f "$TMPDIR"/core_new "$TMPDIR"/CrashCore + mv -f "$TMPDIR"/CrashCore.tar.gz "$BINDIR"/CrashCore.tar.gz + setconfig COMMAND "$COMMAND" "$CRASHDIR"/configs/command.env && . "$CRASHDIR"/configs/command.env + setconfig crashcore $crashcore + setconfig core_v $core_v + fi + } + [ ! -x "$TMPDIR"/CrashCore ] && chmod +x "$TMPDIR"/CrashCore 2>/dev/null #自动授权 + [ "$start_old" != "已开启" -a "$(cat /proc/1/comm)" = "systemd" ] && restorecon -RF $CRASHDIR 2>/dev/null #修复SELinux权限问题 + return 0 } core_exchange() { #升级为高级内核 - #$1:目标内核 $2:提示语句 - logger "检测到${2}!将改为使用${1}核心启动!" 33 - rm -rf "$TMPDIR"/CrashCore - rm -rf "$BINDIR"/CrashCore - rm -rf "$BINDIR"/CrashCore.tar.gz - crashcore="$1" - setconfig crashcore "$1" + #$1:目标内核 $2:提示语句 + logger "检测到${2}!将改为使用${1}核心启动!" 33 + rm -rf "$TMPDIR"/CrashCore + rm -rf "$BINDIR"/CrashCore + rm -rf "$BINDIR"/CrashCore.tar.gz + crashcore="$1" + setconfig crashcore "$1" echo "-----------------------------------------------" } clash_check() { #clash启动前检查 - #检测vless/hysteria协议 - [ "$crashcore" != "meta" ] && [ -n "$(cat $core_config | grep -oE 'type: vless|type: hysteria')" ] && core_exchange meta 'vless/hy协议' - #检测是否存在高级版规则或者tun模式 - if [ "$crashcore" = "clash" ]; then - [ -n "$(cat $core_config | grep -aiE '^script:|proxy-providers|rule-providers|rule-set')" ] || - [ "$redir_mod" = "混合模式" ] || - [ "$redir_mod" = "Tun模式" ] && core_exchange meta '当前内核不支持的配置' - fi - [ "$crashcore" = "clash" ] && [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '0:7890' /etc/passwd)" ] && - core_exchange meta '当前内核不支持非root用户启用本机代理' - core_check - #预下载GeoIP数据库并排除存在自定义数据库链接的情况 - [ -n "$(grep -oEi 'geoip' "$CRASHDIR"/yamls/*.yaml)" ] && [ -z "$(grep -oEi 'geoip:|mmdb:' "$CRASHDIR"/yamls/*.yaml)" ] && ckgeo Country.mmdb cn_mini.mmdb - #预下载GeoSite数据库并排除存在自定义数据库链接的情况 - [ -n "$(grep -oEi 'geosite' "$CRASHDIR"/yamls/*.yaml)" ] && [ -z "$(grep -oEi 'geosite:' "$CRASHDIR"/yamls/*.yaml)" ] && ckgeo GeoSite.dat geosite.dat - #预下载cn.mrs数据库 - [ -n "$(cat "$CRASHDIR"/yamls/*.yaml | grep -oEi 'rule_set.*cn')" -o "$dns_mod" = "mix" ] && ckgeo ruleset/cn.mrs mrs_geosite_cn.mrs - return 0 + #检测vless/hysteria协议 + [ "$crashcore" != "meta" ] && [ -n "$(cat $core_config | grep -oE 'type: vless|type: hysteria')" ] && core_exchange meta 'vless/hy协议' + #检测是否存在高级版规则或者tun模式 + if [ "$crashcore" = "clash" ]; then + [ -n "$(cat $core_config | grep -aiE '^script:|proxy-providers|rule-providers|rule-set')" ] || + [ "$redir_mod" = "混合模式" ] || + [ "$redir_mod" = "Tun模式" ] && core_exchange meta '当前内核不支持的配置' + fi + [ "$crashcore" = "clash" ] && [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '0:7890' /etc/passwd)" ] && + core_exchange meta '当前内核不支持非root用户启用本机代理' + core_check + #预下载GeoIP数据库并排除存在自定义数据库链接的情况 + [ -n "$(grep -oEi 'geoip' "$CRASHDIR"/yamls/*.yaml)" ] && [ -z "$(grep -oEi 'geoip:|mmdb:' "$CRASHDIR"/yamls/*.yaml)" ] && ckgeo Country.mmdb cn_mini.mmdb + #预下载GeoSite数据库并排除存在自定义数据库链接的情况 + [ -n "$(grep -oEi 'geosite' "$CRASHDIR"/yamls/*.yaml)" ] && [ -z "$(grep -oEi 'geosite:' "$CRASHDIR"/yamls/*.yaml)" ] && ckgeo GeoSite.dat geosite.dat + #预下载cn.mrs数据库 + [ -n "$(cat "$CRASHDIR"/yamls/*.yaml | grep -oEi 'rule_set.*cn')" -o "$dns_mod" = "mix" ] && ckgeo ruleset/cn.mrs mrs_geosite_cn.mrs + return 0 } singbox_check() { #singbox启动前检查 - #检测singboxr专属功能 - [ "$crashcore" != "singboxr" ] && [ -n "$(cat "$CRASHDIR"/jsons/*.json | grep -oE '"shadowsocksr"|"providers"')" ] && core_exchange singboxr 'singboxr内核专属功能' - core_check - #预下载geoip-cn.srs数据库 - [ -n "$(cat "$CRASHDIR"/jsons/*.json | grep -oEi '"rule_set" *: *"geoip-cn"')" ] && ckgeo ruleset/geoip-cn.srs srs_geoip_cn.srs - #预下载cn.srs数据库 - [ -n "$(cat "$CRASHDIR"/jsons/*.json | grep -oEi '"rule_set" *: *"cn"')" -o "$dns_mod" = "mix" ] && ckgeo ruleset/cn.srs srs_geosite_cn.srs - return 0 + #检测singboxr专属功能 + [ "$crashcore" != "singboxr" ] && [ -n "$(cat "$CRASHDIR"/jsons/*.json | grep -oE '"shadowsocksr"|"providers"')" ] && core_exchange singboxr 'singboxr内核专属功能' + core_check + #预下载geoip-cn.srs数据库 + [ -n "$(cat "$CRASHDIR"/jsons/*.json | grep -oEi '"rule_set" *: *"geoip-cn"')" ] && ckgeo ruleset/geoip-cn.srs srs_geoip_cn.srs + #预下载cn.srs数据库 + [ -n "$(cat "$CRASHDIR"/jsons/*.json | grep -oEi '"rule_set" *: *"cn"')" -o "$dns_mod" = "mix" ] && ckgeo ruleset/cn.srs srs_geosite_cn.srs + return 0 } network_check() { #检查是否联网 - for text in 223.5.5.5 dns.alidns.com doh.pub doh.360.cn; do - ping -c 3 $text >/dev/null 2>&1 && return 0 - sleep 5 - done - logger "当前设备无法连接网络,已停止启动!" 33 - exit 1 + for text in 223.5.5.5 dns.alidns.com doh.pub doh.360.cn; do + ping -c 3 $text >/dev/null 2>&1 && return 0 + sleep 5 + done + logger "当前设备无法连接网络,已停止启动!" 33 + exit 1 } bfstart() { #启动前 - routing_mark=$((fwmark + 2)) - #检测网络连接 - [ "$network_check" != "已禁用" ] && [ ! -f "$TMPDIR"/crash_start_time ] && ckcmd ping && network_check - [ ! -d "$BINDIR"/ui ] && mkdir -p "$BINDIR"/ui - [ -z "$crashcore" ] && crashcore=meta - #执行条件任务 - [ -s "$CRASHDIR"/task/bfstart ] && . "$CRASHDIR"/task/bfstart - #检查内核配置文件 - if [ ! -f $core_config ]; then - if [ -n "$Url" -o -n "$Https" ]; then - logger "未找到配置文件,正在下载!" 33 - get_core_config - else - logger "未找到配置文件链接,请先导入配置文件!" 31 - exit 1 - fi - fi - #检查dashboard文件 - if [ -f "$CRASHDIR"/ui/CNAME -a ! -f "$BINDIR"/ui/CNAME ]; then - cp -rf "$CRASHDIR"/ui "$BINDIR" - fi - [ ! -s "$BINDIR"/ui/index.html ] && makehtml #如没有面板则创建跳转界面 - catpac #生成pac文件 - #内核及内核配置文件检查 - if echo "$crashcore" | grep -q 'singbox'; then - singbox_check - [ -d "$TMPDIR"/jsons ] && rm -rf "$TMPDIR"/jsons/* || mkdir -p "$TMPDIR"/jsons #准备目录 - [ "$disoverride" != "1" ] && modify_json || ln -sf $core_config "$TMPDIR"/jsons/config.json - else - clash_check - [ "$disoverride" != "1" ] && modify_yaml || ln -sf $core_config "$TMPDIR"/config.yaml - fi - #检查下载cnip绕过相关文件 - [ "$firewall_mod" = nftables ] || ckcmd ipset && [ "$dns_mod" != "fake-ip" ] && { - [ "$cn_ip_route" = "已开启" ] && cn_ip_route - [ "$ipv6_redir" = "已开启" ] && [ "$cn_ipv6_route" = "已开启" ] && cn_ipv6_route - } - #添加shellcrash用户 - [ "$firewall_area" = 2 ] || [ "$firewall_area" = 3 ] || [ "$(cat /proc/1/comm)" = "systemd" ] && - [ -z "$(id shellcrash 2>/dev/null | grep 'root')" ] && { - ckcmd userdel && userdel shellcrash 2>/dev/null - sed -i '/0:7890/d' /etc/passwd - sed -i '/x:7890/d' /etc/group - if ckcmd useradd; then - useradd shellcrash -u 7890 - sed -Ei s/7890:7890/0:7890/g /etc/passwd - else - echo "shellcrash:x:0:7890:::" >>/etc/passwd - fi - } - #清理debug日志 - rm -rf "$TMPDIR"/debug.log - rm -rf "$CRASHDIR"/debug.log - return 0 + routing_mark=$((fwmark + 2)) + #检测网络连接 + [ "$network_check" != "已禁用" ] && [ ! -f "$TMPDIR"/crash_start_time ] && ckcmd ping && network_check + [ ! -d "$BINDIR"/ui ] && mkdir -p "$BINDIR"/ui + [ -z "$crashcore" ] && crashcore=meta + #执行条件任务 + [ -s "$CRASHDIR"/task/bfstart ] && . "$CRASHDIR"/task/bfstart + #检查内核配置文件 + if [ ! -f $core_config ]; then + if [ -n "$Url" -o -n "$Https" ]; then + logger "未找到配置文件,正在下载!" 33 + get_core_config + else + logger "未找到配置文件链接,请先导入配置文件!" 31 + exit 1 + fi + fi + #检查dashboard文件 + if [ -f "$CRASHDIR"/ui/CNAME -a ! -f "$BINDIR"/ui/CNAME ]; then + cp -rf "$CRASHDIR"/ui "$BINDIR" + fi + [ ! -s "$BINDIR"/ui/index.html ] && makehtml #如没有面板则创建跳转界面 + catpac #生成pac文件 + #内核及内核配置文件检查 + if echo "$crashcore" | grep -q 'singbox'; then + singbox_check + [ -d "$TMPDIR"/jsons ] && rm -rf "$TMPDIR"/jsons/* || mkdir -p "$TMPDIR"/jsons #准备目录 + [ "$disoverride" != "1" ] && modify_json || ln -sf $core_config "$TMPDIR"/jsons/config.json + else + clash_check + [ "$disoverride" != "1" ] && modify_yaml || ln -sf $core_config "$TMPDIR"/config.yaml + fi + #检查下载cnip绕过相关文件 + [ "$firewall_mod" = nftables ] || ckcmd ipset && [ "$dns_mod" != "fake-ip" ] && { + [ "$cn_ip_route" = "已开启" ] && cn_ip_route + [ "$ipv6_redir" = "已开启" ] && [ "$cn_ipv6_route" = "已开启" ] && cn_ipv6_route + } + #添加shellcrash用户 + [ "$firewall_area" = 2 ] || [ "$firewall_area" = 3 ] || [ "$(cat /proc/1/comm)" = "systemd" ] && + [ -z "$(id shellcrash 2>/dev/null | grep 'root')" ] && { + ckcmd userdel && userdel shellcrash 2>/dev/null + sed -i '/0:7890/d' /etc/passwd + sed -i '/x:7890/d' /etc/group + if ckcmd useradd; then + useradd shellcrash -u 7890 + sed -Ei s/7890:7890/0:7890/g /etc/passwd + else + echo "shellcrash:x:0:7890:::" >>/etc/passwd + fi + } + #清理debug日志 + rm -rf "$TMPDIR"/debug.log + rm -rf "$CRASHDIR"/debug.log + return 0 } afstart() { #启动后 - [ -z "$firewall_area" ] && firewall_area=1 - #延迟启动 - [ ! -f "$TMPDIR"/crash_start_time ] && [ -n "$start_delay" ] && [ "$start_delay" -gt 0 ] && { - logger "ShellCrash将延迟$start_delay秒启动" 31 - sleep $start_delay - } - #设置循环检测面板端口以判定服务启动是否成功 - i=1 - while [ -z "$test" -a "$i" -lt 30 ]; do - echo "$i" | grep -q '10' && echo -ne "服务正在启动,请耐心等待!\r" - sleep 1 - if curl --version >/dev/null 2>&1; then - test=$(curl -s -H "Authorization: Bearer $secret" http://127.0.0.1:${db_port}/configs | grep -o port) - else - test=$(wget -q --header="Authorization: Bearer $secret" -O - http://127.0.0.1:${db_port}/configs | grep -o port) - fi - i=$((i + 1)) - done - if [ -n "$test" -o -n "$(pidof CrashCore)" ]; then - [ "$start_old" = "已开启" ] && rm -rf "$TMPDIR"/CrashCore #删除缓存目录内核文件 - start_firewall #配置防火墙流量劫持 - mark_time #标记启动时间 - [ -s "$CRASHDIR"/configs/web_save ] && web_restore >/dev/null 2>&1 & #后台还原面板配置 - { - sleep 5 - logger ShellCrash服务已启动! - } & #推送日志 - ckcmd mtd_storage.sh && mtd_storage.sh save >/dev/null 2>&1 & #Padavan保存/etc/storage - #加载定时任务 - [ -s "$CRASHDIR"/task/cron ] && croncmd "$CRASHDIR"/task/cron - [ -s "$CRASHDIR"/task/running ] && { - cronset '运行时每' - while read line; do - cronset '2fjdi124dd12s' "$line" - done <"$CRASHDIR"/task/running - } - [ "$start_old" = "已开启" ] && cronset '保守模式守护进程' "* * * * * test -z \"\$(pidof CrashCore)\" && "$CRASHDIR"/start.sh daemon #ShellCrash保守模式守护进程" - #加载条件任务 - [ -s "$CRASHDIR"/task/afstart ] && { . "$CRASHDIR"/task/afstart; } & - [ -s "$CRASHDIR"/task/affirewall -a -s /etc/init.d/firewall -a ! -f /etc/init.d/firewall.bak ] && { - #注入防火墙 - line=$(grep -En "fw.* restart" /etc/init.d/firewall | cut -d ":" -f 1) - sed -i.bak "${line}a\\. "$CRASHDIR"/task/affirewall" /etc/init.d/firewall - line=$(grep -En "fw.* start" /etc/init.d/firewall | cut -d ":" -f 1) - sed -i "${line}a\\. "$CRASHDIR"/task/affirewall" /etc/init.d/firewall - } & - else - start_error - $0 stop - fi + [ -z "$firewall_area" ] && firewall_area=1 + #延迟启动 + [ ! -f "$TMPDIR"/crash_start_time ] && [ -n "$start_delay" ] && [ "$start_delay" -gt 0 ] && { + logger "ShellCrash将延迟$start_delay秒启动" 31 + sleep $start_delay + } + #设置循环检测面板端口以判定服务启动是否成功 + i=1 + while [ -z "$test" -a "$i" -lt 30 ]; do + echo "$i" | grep -q '10' && echo -ne "服务正在启动,请耐心等待!\r" + sleep 1 + if curl --version >/dev/null 2>&1; then + test=$(curl -s -H "Authorization: Bearer $secret" http://127.0.0.1:${db_port}/configs | grep -o port) + else + test=$(wget -q --header="Authorization: Bearer $secret" -O - http://127.0.0.1:${db_port}/configs | grep -o port) + fi + i=$((i + 1)) + done + if [ -n "$test" -o -n "$(pidof CrashCore)" ]; then + [ "$start_old" = "已开启" ] && rm -rf "$TMPDIR"/CrashCore #删除缓存目录内核文件 + start_firewall #配置防火墙流量劫持 + mark_time #标记启动时间 + [ -s "$CRASHDIR"/configs/web_save ] && web_restore >/dev/null 2>&1 & #后台还原面板配置 + { + sleep 5 + logger ShellCrash服务已启动! + } & #推送日志 + ckcmd mtd_storage.sh && mtd_storage.sh save >/dev/null 2>&1 & #Padavan保存/etc/storage + #加载定时任务 + [ -s "$CRASHDIR"/task/cron ] && croncmd "$CRASHDIR"/task/cron + [ -s "$CRASHDIR"/task/running ] && { + cronset '运行时每' + while read line; do + cronset '2fjdi124dd12s' "$line" + done <"$CRASHDIR"/task/running + } + [ "$start_old" = "已开启" ] && cronset '保守模式守护进程' "* * * * * test -z \"\$(pidof CrashCore)\" && "$CRASHDIR"/start.sh daemon #ShellCrash保守模式守护进程" + #加载条件任务 + [ -s "$CRASHDIR"/task/afstart ] && { . "$CRASHDIR"/task/afstart; } & + [ -s "$CRASHDIR"/task/affirewall -a -s /etc/init.d/firewall -a ! -f /etc/init.d/firewall.bak ] && { + #注入防火墙 + line=$(grep -En "fw.* restart" /etc/init.d/firewall | cut -d ":" -f 1) + sed -i.bak "${line}a\\. "$CRASHDIR"/task/affirewall" /etc/init.d/firewall + line=$(grep -En "fw.* start" /etc/init.d/firewall | cut -d ":" -f 1) + sed -i "${line}a\\. "$CRASHDIR"/task/affirewall" /etc/init.d/firewall + } & + else + start_error + $0 stop + fi } start_error() { #启动报错 - if [ "$start_old" != "已开启" ] && ckcmd journalctl; then - journalctl -u shellcrash >$TMPDIR/core_test.log - else - PID=$(pidof CrashCore) && [ -n "$PID" ] && kill -9 $PID >/dev/null 2>&1 - ${COMMAND} >"$TMPDIR"/core_test.log 2>&1 & - sleep 2 - kill $! >/dev/null 2>&1 - fi - error=$(cat $TMPDIR/core_test.log | grep -iEo 'error.*=.*|.*ERROR.*|.*FATAL.*') - logger "服务启动失败!请查看报错信息!详细信息请查看$TMPDIR/core_test.log" 33 - logger "$error" 31 - exit 1 + if [ "$start_old" != "已开启" ] && ckcmd journalctl; then + journalctl -u shellcrash >$TMPDIR/core_test.log + else + PID=$(pidof CrashCore) && [ -n "$PID" ] && kill -9 $PID >/dev/null 2>&1 + ${COMMAND} >"$TMPDIR"/core_test.log 2>&1 & + sleep 2 + kill $! >/dev/null 2>&1 + fi + error=$(cat $TMPDIR/core_test.log | grep -iEo 'error.*=.*|.*ERROR.*|.*FATAL.*') + logger "服务启动失败!请查看报错信息!详细信息请查看$TMPDIR/core_test.log" 33 + logger "$error" 31 + exit 1 } start_old() { #保守模式 - #使用传统后台执行二进制文件的方式执行 - if ckcmd su && [ -n "$(grep 'shellcrash:x:0:7890' /etc/passwd)" ]; then - su shellcrash -c "$COMMAND >/dev/null 2>&1" & - else - ckcmd nohup && local nohup=nohup - $nohup $COMMAND >/dev/null 2>&1 & - fi - afstart & + #使用传统后台执行二进制文件的方式执行 + if ckcmd su && [ -n "$(grep 'shellcrash:x:0:7890' /etc/passwd)" ]; then + su shellcrash -c "$COMMAND >/dev/null 2>&1" & + else + ckcmd nohup && local nohup=nohup + $nohup $COMMAND >/dev/null 2>&1 & + fi + afstart & } #杂项 update_config() { #更新订阅并重启 - get_core_config && - $0 restart + get_core_config && + $0 restart } hotupdate() { #热更新订阅 - get_core_config - core_check - modify_$format && - put_save http://127.0.0.1:${db_port}/configs "{\"path\":\""$CRASHDIR"/config.$format\"}" - rm -rf "$TMPDIR"/CrashCore + get_core_config + core_check + modify_$format && + put_save http://127.0.0.1:${db_port}/configs "{\"path\":\""$CRASHDIR"/config.$format\"}" + rm -rf "$TMPDIR"/CrashCore } set_proxy() { #设置环境变量 - if [ "$local_type" = "环境变量" ]; then - [ -w ~/.bashrc ] && profile=~/.bashrc - [ -w /etc/profile ] && profile=/etc/profile - echo 'export all_proxy=http://127.0.0.1:'"$mix_port" >>$profile - echo 'export ALL_PROXY=$all_proxy' >>$profile - fi + if [ "$local_type" = "环境变量" ]; then + [ -w ~/.bashrc ] && profile=~/.bashrc + [ -w /etc/profile ] && profile=/etc/profile + echo 'export all_proxy=http://127.0.0.1:'"$mix_port" >>$profile + echo 'export ALL_PROXY=$all_proxy' >>$profile + fi } unset_proxy() { #卸载环境变量 - [ -w ~/.bashrc ] && profile=~/.bashrc - [ -w /etc/profile ] && profile=/etc/profile - sed -i '/all_proxy/'d $profile - sed -i '/ALL_PROXY/'d $profile + [ -w ~/.bashrc ] && profile=~/.bashrc + [ -w /etc/profile ] && profile=/etc/profile + sed -i '/all_proxy/'d $profile + sed -i '/ALL_PROXY/'d $profile } getconfig #读取配置及全局变量 @@ -2028,157 +2065,157 @@ getconfig #读取配置及全局变量 case "$1" in start) - [ -n "$(pidof CrashCore)" ] && $0 stop #禁止多实例 - stop_firewall #清理路由策略 - #使用不同方式启动服务 - if [ "$firewall_area" = "5" ]; then #主旁转发 - start_firewall - elif [ "$start_old" = "已开启" ]; then - bfstart && start_old - elif [ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ]; then - /etc/init.d/shellcrash start - elif [ "$USER" = "root" -a "$(cat /proc/1/comm)" = "systemd" ]; then - bfstart && { - FragmentPath=$(systemctl show -p FragmentPath shellcrash | sed 's/FragmentPath=//') - [ -f $FragmentPath ] && setconfig ExecStart "$COMMAND >/dev/null" "$FragmentPath" - systemctl daemon-reload - systemctl start shellcrash.service || start_error - } - elif rc-status -r >/dev/null 2>&1; then - rc-service shellcrash stop >/dev/null 2>&1 - rc-service shellcrash start - else - bfstart && start_old - fi - if [ "$2" = "infinity" ]; then #增加容器自启方式,请将CMD设置为"$CRASHDIR"/start.sh start infinity - sleep infinity - fi - ;; + [ -n "$(pidof CrashCore)" ] && $0 stop #禁止多实例 + stop_firewall #清理路由策略 + #使用不同方式启动服务 + if [ "$firewall_area" = "5" ]; then #主旁转发 + start_firewall + elif [ "$start_old" = "已开启" ]; then + bfstart && start_old + elif [ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ]; then + /etc/init.d/shellcrash start + elif [ "$USER" = "root" -a "$(cat /proc/1/comm)" = "systemd" ]; then + bfstart && { + FragmentPath=$(systemctl show -p FragmentPath shellcrash | sed 's/FragmentPath=//') + [ -f $FragmentPath ] && setconfig ExecStart "$COMMAND >/dev/null" "$FragmentPath" + systemctl daemon-reload + systemctl start shellcrash.service || start_error + } + elif rc-status -r >/dev/null 2>&1; then + rc-service shellcrash stop >/dev/null 2>&1 + rc-service shellcrash start + else + bfstart && start_old + fi + if [ "$2" = "infinity" ]; then #增加容器自启方式,请将CMD设置为"$CRASHDIR"/start.sh start infinity + sleep infinity + fi + ;; stop) - logger ShellCrash服务即将关闭…… - [ -n "$(pidof CrashCore)" ] && web_save #保存面板配置 - #删除守护进程&面板配置自动保存 - cronset '保守模式守护进程' - cronset '运行时每' - cronset '流媒体预解析' - #多种方式结束进程 + logger ShellCrash服务即将关闭…… + [ -n "$(pidof CrashCore)" ] && web_save #保存面板配置 + #删除守护进程&面板配置自动保存 + cronset '保守模式守护进程' + cronset '运行时每' + cronset '流媒体预解析' + #多种方式结束进程 - if [ "$start_old" != "已开启" -a "$USER" = "root" -a "$(cat /proc/1/comm)" = "systemd" ]; then - systemctl stop shellcrash.service >/dev/null 2>&1 - elif [ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ]; then - /etc/init.d/shellcrash stop >/dev/null 2>&1 - elif rc-status -r >/dev/null 2>&1; then - rc-service shellcrash stop >/dev/null 2>&1 - else - stop_firewall #清理路由策略 - unset_proxy #禁用本机代理 - fi - PID=$(pidof CrashCore) && [ -n "$PID" ] && kill -9 $PID >/dev/null 2>&1 - #清理缓存目录 - rm -rf "$TMPDIR"/CrashCore - ;; + if [ "$start_old" != "已开启" -a "$USER" = "root" -a "$(cat /proc/1/comm)" = "systemd" ]; then + systemctl stop shellcrash.service >/dev/null 2>&1 + elif [ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ]; then + /etc/init.d/shellcrash stop >/dev/null 2>&1 + elif rc-status -r >/dev/null 2>&1; then + rc-service shellcrash stop >/dev/null 2>&1 + else + stop_firewall #清理路由策略 + unset_proxy #禁用本机代理 + fi + PID=$(pidof CrashCore) && [ -n "$PID" ] && kill -9 $PID >/dev/null 2>&1 + #清理缓存目录 + rm -rf "$TMPDIR"/CrashCore + ;; restart) - $0 stop - $0 start - ;; + $0 stop + $0 start + ;; daemon) - if [ -f $TMPDIR/crash_start_time ]; then - $0 start - else - sleep 60 && touch $TMPDIR/crash_start_time - fi - ;; + if [ -f $TMPDIR/crash_start_time ]; then + $0 start + else + sleep 60 && touch $TMPDIR/crash_start_time + fi + ;; debug) - [ -n "$(pidof CrashCore)" ] && $0 stop >/dev/null #禁止多实例 - stop_firewall >/dev/null #清理路由策略 - bfstart - if [ -n "$2" ]; then - if echo "$crashcore" | grep -q 'singbox'; then - sed -i "s/\"level\": \"info\"/\"level\": \"$2\"/" "$TMPDIR"/jsons/log.json 2>/dev/null - else - sed -i "s/log-level: info/log-level: $2/" "$TMPDIR"/config.yaml - fi - [ "$3" = flash ] && dir=$CRASHDIR || dir=$TMPDIR - $COMMAND >${dir}/debug.log 2>&1 & - sleep 2 - logger "已运行debug模式!如需停止,请使用重启/停止服务功能!" 33 - else - $COMMAND >/dev/null 2>&1 & - fi - afstart - ;; + [ -n "$(pidof CrashCore)" ] && $0 stop >/dev/null #禁止多实例 + stop_firewall >/dev/null #清理路由策略 + bfstart + if [ -n "$2" ]; then + if echo "$crashcore" | grep -q 'singbox'; then + sed -i "s/\"level\": \"info\"/\"level\": \"$2\"/" "$TMPDIR"/jsons/log.json 2>/dev/null + else + sed -i "s/log-level: info/log-level: $2/" "$TMPDIR"/config.yaml + fi + [ "$3" = flash ] && dir=$CRASHDIR || dir=$TMPDIR + $COMMAND >${dir}/debug.log 2>&1 & + sleep 2 + logger "已运行debug模式!如需停止,请使用重启/停止服务功能!" 33 + else + $COMMAND >/dev/null 2>&1 & + fi + afstart + ;; init) - if [ -d "/etc/storage/clash" -o -d "/etc/storage/ShellCrash" ]; then - i=1 - while [ ! -w /etc/profile -a "$i" -lt 10 ]; do - sleep 3 && i=$((i + 1)) - done - [ -w /etc/profile ] && profile=/etc/profile || profile=/etc_ro/profile - mount -t tmpfs -o remount,rw,size=45M tmpfs /tmp #增加/tmp空间以适配新的内核压缩方式 - sed -i '' $profile #将软链接转化为一般文件 - elif [ -d "/jffs" ]; then - sleep 60 - if [ -w /etc/profile ]; then - profile=/etc/profile - else - profile=$(cat /etc/profile | grep -oE '\-f.*jffs.*profile' | awk '{print $2}') - fi - fi - sed -i "/alias crash/d" $profile - sed -i "/alias clash/d" $profile - sed -i "/export CRASHDIR/d" $profile - echo "alias crash=\"$CRASHDIR/menu.sh\"" >>$profile - echo "alias clash=\"$CRASHDIR/menu.sh\"" >>$profile - echo "export CRASHDIR=\"$CRASHDIR\"" >>$profile - [ -f "$CRASHDIR"/.dis_startup ] && cronset "保守模式守护进程" || $0 start - ;; + if [ -d "/etc/storage/clash" -o -d "/etc/storage/ShellCrash" ]; then + i=1 + while [ ! -w /etc/profile -a "$i" -lt 10 ]; do + sleep 3 && i=$((i + 1)) + done + [ -w /etc/profile ] && profile=/etc/profile || profile=/etc_ro/profile + mount -t tmpfs -o remount,rw,size=45M tmpfs /tmp #增加/tmp空间以适配新的内核压缩方式 + sed -i '' $profile #将软链接转化为一般文件 + elif [ -d "/jffs" ]; then + sleep 60 + if [ -w /etc/profile ]; then + profile=/etc/profile + else + profile=$(cat /etc/profile | grep -oE '\-f.*jffs.*profile' | awk '{print $2}') + fi + fi + sed -i "/alias crash/d" $profile + sed -i "/alias clash/d" $profile + sed -i "/export CRASHDIR/d" $profile + echo "alias crash=\"$CRASHDIR/menu.sh\"" >>$profile + echo "alias clash=\"$CRASHDIR/menu.sh\"" >>$profile + echo "export CRASHDIR=\"$CRASHDIR\"" >>$profile + [ -f "$CRASHDIR"/.dis_startup ] && cronset "保守模式守护进程" || $0 start + ;; webget) - #设置临时代理 - if [ -n "$(pidof CrashCore)" ]; then - [ -n "$authentication" ] && auth="$authentication@" - export all_proxy="http://${auth}127.0.0.1:$mix_port" - url=$(echo $3 | sed 's#https://.*jsdelivr.net/gh/juewuy/ShellCrash[@|/]#https://raw.githubusercontent.com/juewuy/ShellCrash/#' | sed 's#https://gh.jwsc.eu.org/#https://raw.githubusercontent.com/juewuy/ShellCrash/#') - else - url=$(echo $3 | sed 's#https://raw.githubusercontent.com/juewuy/ShellCrash/#https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@#') - fi - #参数【$2】代表下载目录,【$3】代表在线地址 - #参数【$4】代表输出显示,【$5】不启用重定向 - #参数【$6】代表验证证书,【$7】使用自定义UA - [ -n "$7" ] && agent="--user-agent \"$7\"" - if curl --version >/dev/null 2>&1; then - [ "$4" = "echooff" ] && progress='-s' || progress='-#' - [ "$5" = "rediroff" ] && redirect='' || redirect='-L' - [ "$6" = "skipceroff" ] && certificate='' || certificate='-k' - [ -n "$7" ] && agent="--user-agent \"$7\"" - if curl --version | grep -q '^curl 8.' && ckcmd base64;then - auth_b64=$(echo -n "$authentication" | base64) - result=$(curl $agent -w %{http_code} --connect-timeout 3 --proxy-header "Proxy-Authorization: Basic $auth_b64" $progress $redirect $certificate -o "$2" "$url") - else - result=$(curl $agent -w %{http_code} --connect-timeout 3 $progress $redirect $certificate -o "$2" "$url") - fi - [ "$result" != "200" ] && export all_proxy="" && result=$(curl $agent -w %{http_code} --connect-timeout 5 $progress $redirect $certificate -o "$2" "$3") - else - if wget --version >/dev/null 2>&1; then - [ "$4" = "echooff" ] && progress='-q' || progress='-q --show-progress' - [ "$5" = "rediroff" ] && redirect='--max-redirect=0' || redirect='' - [ "$6" = "skipceroff" ] && certificate='' || certificate='--no-check-certificate' - [ -n "$7" ] && agent="--user-agent=\"$7\"" - timeout='--timeout=5' - fi - [ "$4" = "echoon" ] && progress='' - [ "$4" = "echooff" ] && progress='-q' - wget -Y on $agent $progress $redirect $certificate $timeout -O "$2" "$url" - if [ "$?" != "0" ]; then - wget -Y off $agent $progress $redirect $certificate $timeout -O "$2" "$3" - [ "$?" = "0" ] && result="200" - else - result="200" - fi - fi - [ "$result" = "200" ] && exit 0 || exit 1 - ;; + #设置临时代理 + if [ -n "$(pidof CrashCore)" ]; then + [ -n "$authentication" ] && auth="$authentication@" + export all_proxy="http://${auth}127.0.0.1:$mix_port" + url=$(echo $3 | sed 's#https://.*jsdelivr.net/gh/juewuy/ShellCrash[@|/]#https://raw.githubusercontent.com/juewuy/ShellCrash/#' | sed 's#https://gh.jwsc.eu.org/#https://raw.githubusercontent.com/juewuy/ShellCrash/#') + else + url=$(echo $3 | sed 's#https://raw.githubusercontent.com/juewuy/ShellCrash/#https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@#') + fi + #参数【$2】代表下载目录,【$3】代表在线地址 + #参数【$4】代表输出显示,【$5】不启用重定向 + #参数【$6】代表验证证书,【$7】使用自定义UA + [ -n "$7" ] && agent="--user-agent \"$7\"" + if curl --version >/dev/null 2>&1; then + [ "$4" = "echooff" ] && progress='-s' || progress='-#' + [ "$5" = "rediroff" ] && redirect='' || redirect='-L' + [ "$6" = "skipceroff" ] && certificate='' || certificate='-k' + [ -n "$7" ] && agent="--user-agent \"$7\"" + if curl --version | grep -q '^curl 8.' && ckcmd base64; then + auth_b64=$(echo -n "$authentication" | base64) + result=$(curl $agent -w %{http_code} --connect-timeout 3 --proxy-header "Proxy-Authorization: Basic $auth_b64" $progress $redirect $certificate -o "$2" "$url") + else + result=$(curl $agent -w %{http_code} --connect-timeout 3 $progress $redirect $certificate -o "$2" "$url") + fi + [ "$result" != "200" ] && export all_proxy="" && result=$(curl $agent -w %{http_code} --connect-timeout 5 $progress $redirect $certificate -o "$2" "$3") + else + if wget --version >/dev/null 2>&1; then + [ "$4" = "echooff" ] && progress='-q' || progress='-q --show-progress' + [ "$5" = "rediroff" ] && redirect='--max-redirect=0' || redirect='' + [ "$6" = "skipceroff" ] && certificate='' || certificate='--no-check-certificate' + [ -n "$7" ] && agent="--user-agent=\"$7\"" + timeout='--timeout=5' + fi + [ "$4" = "echoon" ] && progress='' + [ "$4" = "echooff" ] && progress='-q' + wget -Y on $agent $progress $redirect $certificate $timeout -O "$2" "$url" + if [ "$?" != "0" ]; then + wget -Y off $agent $progress $redirect $certificate $timeout -O "$2" "$3" + [ "$?" = "0" ] && result="200" + else + result="200" + fi + fi + [ "$result" = "200" ] && exit 0 || exit 1 + ;; *) - "$1" "$2" "$3" "$4" "$5" "$6" "$7" - ;; + "$1" "$2" "$3" "$4" "$5" "$6" "$7" + ;; esac diff --git a/scripts/webget.sh b/scripts/webget.sh index 1824f763..8ea527f4 100644 --- a/scripts/webget.sh +++ b/scripts/webget.sh @@ -452,7 +452,7 @@ EOF "url": "${2}", "path": "./providers/${1}.yaml", "user_agent": "clash.meta;mihomo", - "update_interval": "24h", + "update_interval": "12h", EOF fi #通用部分生成 @@ -2352,7 +2352,7 @@ userguide(){ fi #设置加密DNS if [ -s $openssldir/certs/ca-certificates.crt ];then - dns_nameserver='https://doh.360.cn/dns-query, https://dns.alidns.com/dns-query, https://doh.pub/dns-query' + dns_nameserver='https://dns.alidns.com/dns-query, https://doh.pub/dns-query' dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query' dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1' setconfig dns_nameserver "'$dns_nameserver'" diff --git a/version b/version index 9b5af72f..5620eef7 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.9.3beta7fix +1.9.3beta8