xm/ShellCrash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.7.4e

Browse Source 
~尝试修复部分虚拟机环境下Tun或者Tproxy模式无法使用的问题
~修复nft模式运行后出现报错的问题
~尝试修复部分设备无法保存在线节点选择的问题
This commit is contained in:
juewuy
2023-04-11 14:25:09 +08:00
parent 28b6686a74
commit 3c7bcf901b
7 changed files with 169 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
bin/ShellClash.tar.gz
View File

Binary file not shown.

BIN
bin/clashfm.tar.gz
View File

Binary file not shown.

2
bin/version
View File

@@ -2,5 +2,5 @@ clashnet_v=v1.7.6
clashpre_v=2022.11.25
clash_v=v1.7.1
meta_v=v1.14.2
versionsh=1.7.4d
GeoIP_v=20230408
versionsh=1.7.4e

13
scripts/clash.sh
View File

@@ -985,7 +985,7 @@ clashcfg(){
echo -e "\033[36m已设为 $redir_mod \033[0m"
}
[ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1
#[ -n "$(lsmod | grep '^tun')" ] || ip tuntap &>/dev/null && sup_tun=1
[ -n "$(lsmod | grep '^tun')" ] || ip tuntap &>/dev/null && sup_tun=1
ckcmd nft && sup_nft=1
#[ -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2
echo -----------------------------------------------
@@ -995,7 +995,7 @@ clashcfg(){
echo -e " 1 \033[32mRedir模式\033[0m Redir转发TCP不转发UDP"
echo -e " 2 \033[36m混合模式\033[0m Redir转发TCPTun转发UDP"
[ -n "$sup_tp" ] && echo -e " 3 \033[32mTproxy混合\033[0m Redir转发TCPTproxy转发UDP"
echo -e " 4 \033[33mTun模式\033[0m 使用Tun转发TCP&UDP(占用高)"
[ -n "$sup_tun" ] && echo -e " 4 \033[33mTun模式\033[0m 使用Tun转发TCP&UDP(占用高)"
[ -n "$sup_tp" ] && echo -e " 5 \033[32mTproxy模式\033[0m 使用Tproxy转发TCP&UDP"
[ -n "$sup_nft" ] && echo -e " 6 \033[36mNft基础\033[0m 使用nftables转发TCP不转发UDP"
[ -n "$sup_nft" ] && echo -e " 7 \033[32mNft混合\033[0m 使用nft_tproxy转发TCP&UDP"
@@ -1012,7 +1012,7 @@ clashcfg(){
set_redir_config
elif [ "$num" = 2 ]; then
modinfo tun &>/dev/null || {
[ -n "$sup_tun" ] || {
echo -e "\033[32m设备未检测到Tun内核模块可能无法代理UDP流量\033[0m"
sleep 1
}
@@ -1024,12 +1024,7 @@ clashcfg(){
set_redir_config
elif [ "$num" = 4 ]; then
if modinfo tun &>/dev/null;then
redir_mod=Tun模式
else
read -p "设备未检测到Tun内核模块是否强制开启可能导致无法联网(1/0) > " res
[ "$res" = '1' ] && redir_mod=Tun模式
fi
redir_mod=Tun模式
set_redir_config
elif [ "$num" = 5 ]; then

8
scripts/getdate.sh
View File

@@ -1066,14 +1066,14 @@ userguide(){
testcommand(){
echo -----------------------------------------------
echo -e "\033[30;47m这里是测试命令菜单\033[0m"
echo -e "\033[33m如遇问题尽量运行相应命令后截图发群\033[0m"
echo -e "\033[33m如遇问题尽量运行相应命令后截图提交issue或TG讨论组\033[0m"
echo -----------------------------------------------
echo " 1 查看Clash运行时的报错信息(会停止clash服务)"
echo " 2 查看系统DNS端口(:53)占用 "
echo " 3 测试ssl加密(aes-128-gcm)跑分"
echo " 4 查看clash相关路由规则"
echo " 5 查看config.yaml前30行"
echo " 6 测试代理服务器连通性google.tw)"
echo " 5 查看config.yaml前40行"
echo " 6 测试代理服务器连通性(google.tw)"
echo -----------------------------------------------
echo " 0 返回上级目录!"
read -p "请输入对应数字 > " num
@@ -1134,7 +1134,7 @@ testcommand(){
exit;
elif [ "$num" = 5 ]; then
echo -----------------------------------------------
sed -n '1,30p' $yaml
sed -n '1,40p' $clashdir/config.yaml
echo -----------------------------------------------
exit;
elif [ "$num" = 6 ]; then

2
scripts/init.sh
View File

@@ -1,7 +1,7 @@
#!/bin/sh
# Copyright (C) Juewuy
version=1.7.4d
version=1.7.4e
setdir(){
dir_avail(){

322
scripts/start.sh
View File

@@ -576,84 +576,82 @@ start_ipt_dns(){
}
start_tproxy(){
modprobe xt_TPROXY &>/dev/null && {
#获取局域网host地址
getlanip
ip rule add fwmark 1 table 100
ip route add local default dev lo table 100
iptables -t mangle -N clash
iptables -t mangle -A clash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A clash -d $ip -j RETURN
#获取局域网host地址
getlanip
ip rule add fwmark 1 table 100
ip route add local default dev lo table 100
iptables -t mangle -N clash
iptables -t mangle -A clash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A clash -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链
tproxy_set(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
else
for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A clash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
fi
iptables -t mangle -A PREROUTING -p $1 $ports -j clash
}
[ "$1" = "all" ] && tproxy_set tcp
tproxy_set udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
}
#设置ipv6转发
[ "$ipv6_redir" = "已开启" ] && {
ip -6 rule add fwmark 1 table 101
ip -6 route add local ::/0 dev lo table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链
tproxy_set(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
else
for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A clash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
fi
iptables -t mangle -A PREROUTING -p $1 $ports -j clash
tproxy_set6(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
#mac白名单
for mac in $(cat $clashdir/mac); do
ip6tables -t mangle -A clashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
else
#mac黑名单
for mac in $(cat $clashdir/mac); do
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A clashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
fi
ip6tables -t mangle -A PREROUTING -p $1 $ports -j clashv6
}
[ "$1" = "all" ] && tproxy_set tcp
tproxy_set udp
[ "$1" = "all" ] && tproxy_set6 tcp
tproxy_set6 udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
}
#设置ipv6转发
[ "$ipv6_redir" = "已开启" ] && {
ip -6 rule add fwmark 1 table 101
ip -6 route add local ::/0 dev lo table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链
tproxy_set6(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
#mac白名单
for mac in $(cat $clashdir/mac); do
ip6tables -t mangle -A clashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
else
#mac黑名单
for mac in $(cat $clashdir/mac); do
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A clashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
fi
ip6tables -t mangle -A PREROUTING -p $1 $ports -j clashv6
}
[ "$1" = "all" ] && tproxy_set6 tcp
tproxy_set6 udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
}
}
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
}
}
}
start_output(){
@@ -692,90 +690,88 @@ start_output(){
}
}
start_tun(){
modprobe tun &> /dev/null && {
#允许流量
iptables -I FORWARD -o utun -j ACCEPT
iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN
ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1
#屏蔽QUIC
if [ "$quic_rj" = 已启用 ];then
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
#ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
#允许流量
iptables -I FORWARD -o utun -j ACCEPT
iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN
ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1
#屏蔽QUIC
if [ "$quic_rj" = 已启用 ];then
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
#ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
fi
modprobe xt_mark &> /dev/null && {
i=1
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1
i=$((i+1))
done
ip route add default dev utun table 100
ip rule add fwmark 1 table 100
#获取局域网host地址
getlanip
iptables -t mangle -N clash
iptables -t mangle -A clash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A clash -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -m mac --mac-source $mac -j MARK --set-mark 1
done
else
for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A clash -s $ip -j MARK --set-mark 1
done
fi
modprobe xt_mark &> /dev/null && {
i=1
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1
i=$((i+1))
iptables -t mangle -A PREROUTING -p udp $ports -j clash
[ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j clash
#设置ipv6转发
[ "$ipv6_redir" = "已开启" -a "$clashcore" = "clash.meta" ] && {
ip -6 route add default dev utun table 101
ip -6 rule add fwmark 1 table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
ip route add default dev utun table 100
ip rule add fwmark 1 table 100
#获取局域网host地址
getlanip
iptables -t mangle -N clash
iptables -t mangle -A clash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A clash -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -m mac --mac-source $mac -j MARK --set-mark 1
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j MARK --set-mark 1
done
else
for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A clash -s $ip -j MARK --set-mark 1
done
fi
iptables -t mangle -A PREROUTING -p udp $ports -j clash
[ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j clash
#设置ipv6转发
[ "$ipv6_redir" = "已开启" -a "$clashcore" = "clash.meta" ] && {
ip -6 route add default dev utun table 101
ip -6 rule add fwmark 1 table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j MARK --set-mark 1
done
else
for mac in $(cat $clashdir/mac); do #mac黑名单
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A clashv6 -s $ip -j MARK --set-mark 1
done
fi
ip6tables -t mangle -A PREROUTING -p udp $ports -j clashv6
[ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j clashv6
}
} &
}
for ip in $host_ipv6;do
ip6tables -t mangle -A clashv6 -s $ip -j MARK --set-mark 1
done
fi
ip6tables -t mangle -A PREROUTING -p udp $ports -j clashv6
[ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j clashv6
}
} &
}
start_nft(){
#获取局域网host地址
getlanip
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP="{$(echo $reserve_ipv4 | sed 's/ /, /g')}"
HOST_IP="{$(echo $host_ipv4 | sed 's/ /, /g')}"
RESERVED_IP="$(echo $reserve_ipv4 | sed 's/ /, /g')"
HOST_IP="$(echo $host_ipv4 | sed 's/ /, /g')"
#设置策略路由
ip rule add fwmark 1 table 100
ip route add local default dev lo table 100
@@ -790,34 +786,34 @@ start_nft(){
[ -n "$(cat $clashdir/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
[ "$macfilter_type" = "黑名单" ] && \
nft add rule inet shellclash prerouting ether saddr {${MAC}} return || \
nft add rule inet shellclash prerouting ether saddr != {${MAC}} return
nft add rule inet shellclash prerouting ether saddr {$MAC} return || \
nft add rule inet shellclash prerouting ether saddr != {$MAC} return
}
#过滤保留地址
nft add rule inet shellclash prerouting ip daddr {${RESERVED_IP}} return
nft add rule inet shellclash prerouting ip daddr {$RESERVED_IP} return
#仅代理本机局域网网段流量
nft add rule inet shellclash prerouting ip saddr != {${HOST_IP}} return
nft add rule inet shellclash prerouting ip saddr != {$HOST_IP} return
#绕过CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule inet shellclash prerouting ip daddr {${CN_IP}} return
[ -n "$CN_IP" ] && nft add rule inet shellclash prerouting ip daddr {$CN_IP} return
}
#过滤常用端口
[ -n "$PORTS" ] && nft add rule inet shellclash prerouting tcp dport != {${PORTS}} return
[ -n "$PORTS" ] && nft add rule inet shellclash prerouting tcp dport != {$PORTS} return
#ipv6支持
if [ "$ipv6_redir" = "已开启" ];then
RESERVED_IP6="{$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')}"
HOST_IP6="{$(echo $host_ipv6 | sed 's/ /, /g')}"
RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
ip -6 rule add fwmark 1 table 101 2> /dev/null
ip -6 route add local ::/0 dev lo table 101 2> /dev/null
#过滤保留地址及本机地址
nft add rule inet shellclash prerouting ip6 daddr {${RESERVED_IP6}} return
nft add rule inet shellclash prerouting ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量
nft add rule inet shellclash prerouting ip6 saddr != {${HOST_IP6}} return
nft add rule inet shellclash prerouting ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" -a -f $bindir/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' $bindir/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellclash prerouting ip6 daddr {${CN_IP6}} return
[ -n "$CN_IP6" ] && nft add rule inet shellclash prerouting ip6 daddr {$CN_IP6} return
}
else
nft add rule inet shellclash prerouting meta nfproto ipv6 return
@@ -829,8 +825,8 @@ start_nft(){
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
nft add chain inet shellclash input { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellclash input ip daddr {${CN_IP}} return
[ -n "$CN_IP6" ] && nft add rule inet shellclash input ip6 daddr {${CN_IP6}} return
[ -n "$CN_IP" ] && nft add rule inet shellclash input ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellclash input ip6 daddr {$CN_IP6} return
nft add rule inet shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT'
}
#代理本机(仅TCP)
@@ -842,8 +838,8 @@ start_nft(){
#output
nft add chain inet shellclash output { type nat hook output priority -100 \; }
nft add rule inet shellclash output meta skgid 7890 return && {
[ -n "$PORTS" ] && nft add rule inet shellclash output tcp dport != {${PORTS}} return
nft add rule inet shellclash output ip daddr {${RESERVED_IP}} return
[ -n "$PORTS" ] && nft add rule inet shellclash output tcp dport != {$PORTS} return
nft add rule inet shellclash output ip daddr {$RESERVED_IP} return
nft add rule inet shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port}
}
#Docker
@@ -859,8 +855,8 @@ start_nft_dns(){
[ -n "$(cat $clashdir/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
[ "$macfilter_type" = "黑名单" ] && \
nft add rule inet shellclash dns ether saddr {${MAC}} return || \
nft add rule inet shellclash dns ether saddr != {${MAC}} return
nft add rule inet shellclash dns ether saddr {$MAC} return || \
nft add rule inet shellclash dns ether saddr != {$MAC} return
}
nft add rule inet shellclash dns udp dport 53 redirect to ${dns_port}
nft add rule inet shellclash dns tcp dport 53 redirect to ${dns_port}
@@ -1004,7 +1000,7 @@ web_save(){
fi
}
#使用get_save获取面板节点设置
get_save http://localhost:${db_port}/proxies | awk -F "{" '{for(i=1;i<=NF;i++) print $i}' | grep -E '^"all".*"Selector"' > /tmp/clash_web_check_$USER
get_save http://127.0.0.1:${db_port}/proxies | awk -F "{" '{for(i=1;i<=NF;i++) print $i}' | grep -E '^"all".*"Selector"' > /tmp/clash_web_check_$USER
while read line ;do
def=$(echo $line | awk -F "[[,]" '{print $2}')
now=$(echo $line | grep -oE '"now".*",' | sed 's/"now"://g' | sed 's/"type":.*//g' | sed 's/,//g')
@@ -1024,9 +1020,9 @@ web_restore(){
while [ -z "$test" -a "$i" -lt 60 ];do
sleep 1
if curl --version > /dev/null 2>&1;then
test=$(curl -s http://localhost:${db_port})
test=$(curl -s http://127.0.0.1:${db_port})
else
test=$(wget -q -O - http://localhost:${db_port})
test=$(wget -q -O - http://127.0.0.1:${db_port})
fi
i=$((i+1))
done
@@ -1036,7 +1032,7 @@ web_restore(){
while [ "$i" -le "$num" ];do
group_name=$(awk -F ',' 'NR=="'${i}'" {print $1}' $clashdir/web_save | sed 's/ /%20/g')
now_name=$(awk -F ',' 'NR=="'${i}'" {print $2}' $clashdir/web_save)
put_save http://localhost:${db_port}/proxies/${group_name} "{\"name\":\"${now_name}\"}"
put_save http://127.0.0.1:${db_port}/proxies/${group_name} "{\"name\":\"${now_name}\"}"
i=$((i+1))
done
}
@@ -1351,7 +1347,7 @@ updateyaml)
getconfig
getyaml && \
modify_yaml && \
put_save http://localhost:${db_port}/configs "{\"path\":\"${clashdir}/config.yaml\"}" && \
put_save http://127.0.0.1:${db_port}/configs "{\"path\":\"${clashdir}/config.yaml\"}" && \
logger ShellClash配置文件更新成功
;;
logger)