~尝试修复部分虚拟机环境下Tun或者Tproxy模式无法使用的问题
~修复nft模式运行后出现报错的问题
~尝试修复部分设备无法保存在线节点选择的问题
This commit is contained in:
juewuy
2023-04-11 14:25:09 +08:00
parent 28b6686a74
commit 3c7bcf901b
7 changed files with 169 additions and 178 deletions




@@ -2,5 +2,5 @@ clashnet_v=v1.7.6
clashpre_v=2022.11.25 clashpre_v=2022.11.25
clash_v=v1.7.1 clash_v=v1.7.1
meta_v=v1.14.2 meta_v=v1.14.2
versionsh=1.7.4d
GeoIP_v=20230408 GeoIP_v=20230408
versionsh=1.7.4e


@@ -985,7 +985,7 @@ clashcfg(){
echo -e "\033[36m已设为 $redir_mod \033[0m" echo -e "\033[36m已设为 $redir_mod \033[0m"
} }
[ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1 [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1
#[ -n "$(lsmod | grep '^tun')" ] || ip tuntap &>/dev/null && sup_tun=1 [ -n "$(lsmod | grep '^tun')" ] || ip tuntap &>/dev/null && sup_tun=1
ckcmd nft && sup_nft=1 ckcmd nft && sup_nft=1
#[ -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2 #[ -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2
echo ----------------------------------------------- echo -----------------------------------------------
@@ -995,7 +995,7 @@ clashcfg(){
echo -e " 1 \033[32mRedir模式\033[0m Redir转发TCP不转发UDP" echo -e " 1 \033[32mRedir模式\033[0m Redir转发TCP不转发UDP"
echo -e " 2 \033[36m混合模式\033[0m Redir转发TCPTun转发UDP" echo -e " 2 \033[36m混合模式\033[0m Redir转发TCPTun转发UDP"
[ -n "$sup_tp" ] && echo -e " 3 \033[32mTproxy混合\033[0m Redir转发TCPTproxy转发UDP" [ -n "$sup_tp" ] && echo -e " 3 \033[32mTproxy混合\033[0m Redir转发TCPTproxy转发UDP"
echo -e " 4 \033[33mTun模式\033[0m 使用Tun转发TCP&UDP(占用高)" [ -n "$sup_tun" ] && echo -e " 4 \033[33mTun模式\033[0m 使用Tun转发TCP&UDP(占用高)"
[ -n "$sup_tp" ] && echo -e " 5 \033[32mTproxy模式\033[0m 使用Tproxy转发TCP&UDP" [ -n "$sup_tp" ] && echo -e " 5 \033[32mTproxy模式\033[0m 使用Tproxy转发TCP&UDP"
[ -n "$sup_nft" ] && echo -e " 6 \033[36mNft基础\033[0m 使用nftables转发TCP不转发UDP" [ -n "$sup_nft" ] && echo -e " 6 \033[36mNft基础\033[0m 使用nftables转发TCP不转发UDP"
[ -n "$sup_nft" ] && echo -e " 7 \033[32mNft混合\033[0m 使用nft_tproxy转发TCP&UDP" [ -n "$sup_nft" ] && echo -e " 7 \033[32mNft混合\033[0m 使用nft_tproxy转发TCP&UDP"
@@ -1012,7 +1012,7 @@ clashcfg(){
set_redir_config set_redir_config
elif [ "$num" = 2 ]; then elif [ "$num" = 2 ]; then
modinfo tun &>/dev/null || { [ -n "$sup_tun" ] || {
echo -e "\033[32m设备未检测到Tun内核模块可能无法代理UDP流量\033[0m" echo -e "\033[32m设备未检测到Tun内核模块可能无法代理UDP流量\033[0m"
sleep 1 sleep 1
} }
@@ -1024,12 +1024,7 @@ clashcfg(){
set_redir_config set_redir_config
elif [ "$num" = 4 ]; then elif [ "$num" = 4 ]; then
if modinfo tun &>/dev/null;then redir_mod=Tun模式
redir_mod=Tun模式
else
read -p "设备未检测到Tun内核模块是否强制开启可能导致无法联网(1/0) > " res
[ "$res" = '1' ] && redir_mod=Tun模式
fi
set_redir_config set_redir_config
elif [ "$num" = 5 ]; then elif [ "$num" = 5 ]; then
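Review bot: The option-4 branch in the last hunk now sets `redir_mod=Tun模式` unconditionally, while the menu entry for option 4 is only printed when `$sup_tun` is set; `num` is read from the user and never validated against the displayed entries, so typing 4 on a device where the Tun probe failed still selects Tun mode with no warning, and the old force-enable prompt is gone. Mirroring the option-2 branch keeps the behaviour consistent: `[ -n "$sup_tun" ] || { echo -e "\033[32m设备未检测到Tun内核模块，可能导致无法联网！\033[0m"; sleep 1; }` before `set_redir_config`. The probe itself, `[ -n "$(lsmod | grep '^tun')" ] || ip tuntap &>/dev/null && sup_tun=1`, relies on `ip tuntap` exiting non-zero when the kernel lacks TUN, which presumably holds for iproute2 but is worth confirming on the busybox `ip` applet that many routers ship. The rest of clashcfg lies outside the hunks.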


@@ -1066,14 +1066,14 @@ userguide(){
testcommand(){ testcommand(){
echo ----------------------------------------------- echo -----------------------------------------------
echo -e "\033[30;47m这里是测试命令菜单\033[0m" echo -e "\033[30;47m这里是测试命令菜单\033[0m"
echo -e "\033[33m如遇问题尽量运行相应命令后截图发群\033[0m" echo -e "\033[33m如遇问题尽量运行相应命令后截图提交issue或TG讨论组\033[0m"
echo ----------------------------------------------- echo -----------------------------------------------
echo " 1 查看Clash运行时的报错信息(会停止clash服务)" echo " 1 查看Clash运行时的报错信息(会停止clash服务)"
echo " 2 查看系统DNS端口(:53)占用 " echo " 2 查看系统DNS端口(:53)占用 "
echo " 3 测试ssl加密(aes-128-gcm)跑分" echo " 3 测试ssl加密(aes-128-gcm)跑分"
echo " 4 查看clash相关路由规则" echo " 4 查看clash相关路由规则"
echo " 5 查看config.yaml前30行" echo " 5 查看config.yaml前40行"
echo " 6 测试代理服务器连通性google.tw)" echo " 6 测试代理服务器连通性(google.tw)"
echo ----------------------------------------------- echo -----------------------------------------------
echo " 0 返回上级目录!" echo " 0 返回上级目录!"
read -p "请输入对应数字 > " num read -p "请输入对应数字 > " num
@@ -1134,7 +1134,7 @@ testcommand(){
exit; exit;
elif [ "$num" = 5 ]; then elif [ "$num" = 5 ]; then
echo ----------------------------------------------- echo -----------------------------------------------
sed -n '1,30p' $yaml sed -n '1,40p' $clashdir/config.yaml
echo ----------------------------------------------- echo -----------------------------------------------
exit; exit;
elif [ "$num" = 6 ]; then elif [ "$num" = 6 ]; then
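Review bot: Option 5 now prints the first 40 lines of `$clashdir/config.yaml` straight to the terminal, and the banner on the same menu asks users to screenshot the output for an issue or the TG group; if the head of that file carries the controller `secret:` or proxy credentials (`password:`/`uuid:`), those end up in public bug reports. Masking them before printing keeps the diagnostic useful: `sed -n '1,40p' "$clashdir/config.yaml" | sed -E 's/^([[:space:]]*(secret|password|uuid)):.*/\1: <redacted>/'`. Quoting the path also avoids word-splitting should `clashdir` ever contain spaces. testcommand's body continues past the second hunk.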


@@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# Copyright (C) Juewuy # Copyright (C) Juewuy
version=1.7.4d version=1.7.4e
setdir(){ setdir(){
dir_avail(){ dir_avail(){


@@ -576,84 +576,82 @@ start_ipt_dns(){
} }
start_tproxy(){ start_tproxy(){
modprobe xt_TPROXY &>/dev/null && { #获取局域网host地址
#获取局域网host地址 getlanip
getlanip ip rule add fwmark 1 table 100
ip rule add fwmark 1 table 100 ip route add local default dev lo table 100
ip route add local default dev lo table 100 iptables -t mangle -N clash
iptables -t mangle -N clash iptables -t mangle -A clash -p udp --dport 53 -j RETURN
iptables -t mangle -A clash -p udp --dport 53 -j RETURN for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段 iptables -t mangle -A clash -d $ip -j RETURN
iptables -t mangle -A clash -d $ip -j RETURN done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链
tproxy_set(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done done
#绕过CN_IP else
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \ for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A clash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
fi
iptables -t mangle -A PREROUTING -p $1 $ports -j clash
}
[ "$1" = "all" ] && tproxy_set tcp
tproxy_set udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
}
#设置ipv6转发
[ "$ipv6_redir" = "已开启" ] && {
ip -6 rule add fwmark 1 table 101
ip -6 route add local ::/0 dev lo table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链 #tcp&udp分别进代理链
tproxy_set(){ tproxy_set6(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单 #mac白名单
iptables -t mangle -A clash -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1 for mac in $(cat $clashdir/mac); do
done ip6tables -t mangle -A clashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
else done
for mac in $(cat $clashdir/mac); do #mac黑名单 else
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN #mac黑名单
done for mac in $(cat $clashdir/mac); do
#仅代理本机局域网网段流量 ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
for ip in $host_ipv4;do done
iptables -t mangle -A clash -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1 #仅代理本机局域网网段流量
done for ip in $host_ipv6;do
fi ip6tables -t mangle -A clashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
iptables -t mangle -A PREROUTING -p $1 $ports -j clash done
fi
ip6tables -t mangle -A PREROUTING -p $1 $ports -j clashv6
} }
[ "$1" = "all" ] && tproxy_set tcp [ "$1" = "all" ] && tproxy_set6 tcp
tproxy_set udp tproxy_set6 udp
#屏蔽QUIC #屏蔽QUIC
[ "$quic_rj" = 已启用 ] && { [ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
iptables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1 ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
} }
#设置ipv6转发
[ "$ipv6_redir" = "已开启" ] && {
ip -6 rule add fwmark 1 table 101
ip -6 route add local ::/0 dev lo table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#tcp&udp分别进代理链
tproxy_set6(){
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
#mac白名单
for mac in $(cat $clashdir/mac); do
ip6tables -t mangle -A clashv6 -p $1 -m mac --mac-source $mac -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
else
#mac黑名单
for mac in $(cat $clashdir/mac); do
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A clashv6 -p $1 -s $ip -j TPROXY --on-port $tproxy_port --tproxy-mark 1
done
fi
ip6tables -t mangle -A PREROUTING -p $1 $ports -j clashv6
}
[ "$1" = "all" ] && tproxy_set6 tcp
tproxy_set6 udp
#屏蔽QUIC
[ "$quic_rj" = 已启用 ] && {
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2>/dev/null
}
}
} }
} }
start_output(){ start_output(){
@@ -692,90 +690,88 @@ start_output(){
} }
} }
start_tun(){ start_tun(){
modprobe tun &> /dev/null && { #允许流量
#允许流量 iptables -I FORWARD -o utun -j ACCEPT
iptables -I FORWARD -o utun -j ACCEPT iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN
iptables -I FORWARD -s 198.18.0.0/16 -o utun -j RETURN ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1
ip6tables -I FORWARD -o utun -j ACCEPT > /dev/null 2>&1 #屏蔽QUIC
#屏蔽QUIC if [ "$quic_rj" = 已启用 ];then
if [ "$quic_rj" = 已启用 ];then [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst' iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1 #ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
#ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1 fi
modprobe xt_mark &> /dev/null && {
i=1
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1
i=$((i+1))
done
ip route add default dev utun table 100
ip rule add fwmark 1 table 100
#获取局域网host地址
getlanip
iptables -t mangle -N clash
iptables -t mangle -A clash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A clash -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -m mac --mac-source $mac -j MARK --set-mark 1
done
else
for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv4;do
iptables -t mangle -A clash -s $ip -j MARK --set-mark 1
done
fi fi
modprobe xt_mark &> /dev/null && { iptables -t mangle -A PREROUTING -p udp $ports -j clash
i=1 [ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j clash
while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
sleep 1 #设置ipv6转发
i=$((i+1)) [ "$ipv6_redir" = "已开启" -a "$clashcore" = "clash.meta" ] && {
ip -6 route add default dev utun table 101
ip -6 rule add fwmark 1 table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done done
ip route add default dev utun table 100 #绕过CN_IPV6
ip rule add fwmark 1 table 100 [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
#获取局域网host地址 ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
getlanip
iptables -t mangle -N clash
iptables -t mangle -A clash -p udp --dport 53 -j RETURN
for ip in $host_ipv4 $reserve_ipv4;do #跳过目标保留地址及目标本机网段
iptables -t mangle -A clash -d $ip -j RETURN
done
#绕过CN_IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && \
iptables -t mangle -A clash -m set --match-set cn_ip dst -j RETURN 2>/dev/null
#局域网设备过滤 #局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单 for mac in $(cat $clashdir/mac); do #mac白名单
iptables -t mangle -A clash -m mac --mac-source $mac -j MARK --set-mark 1 ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j MARK --set-mark 1
done done
else else
for mac in $(cat $clashdir/mac); do #mac黑名单 for mac in $(cat $clashdir/mac); do #mac黑名单
iptables -t mangle -A clash -m mac --mac-source $mac -j RETURN ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done done
#仅代理本机局域网网段流量 #仅代理本机局域网网段流量
for ip in $host_ipv4;do for ip in $host_ipv6;do
iptables -t mangle -A clash -s $ip -j MARK --set-mark 1 ip6tables -t mangle -A clashv6 -s $ip -j MARK --set-mark 1
done done
fi fi
iptables -t mangle -A PREROUTING -p udp $ports -j clash ip6tables -t mangle -A PREROUTING -p udp $ports -j clashv6
[ "$1" = "all" ] && iptables -t mangle -A PREROUTING -p tcp $ports -j clash [ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j clashv6
}
#设置ipv6转发 } &
[ "$ipv6_redir" = "已开启" -a "$clashcore" = "clash.meta" ] && {
ip -6 route add default dev utun table 101
ip -6 rule add fwmark 1 table 101
ip6tables -t mangle -N clashv6
ip6tables -t mangle -A clashv6 -p udp --dport 53 -j RETURN
for ip in $host_ipv6 $reserve_ipv6;do #跳过目标保留地址及目标本机网段
ip6tables -t mangle -A clashv6 -d $ip -j RETURN
done
#绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && \
ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
#局域网设备过滤
if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
for mac in $(cat $clashdir/mac); do #mac白名单
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j MARK --set-mark 1
done
else
for mac in $(cat $clashdir/mac); do #mac黑名单
ip6tables -t mangle -A clashv6 -m mac --mac-source $mac -j RETURN
done
#仅代理本机局域网网段流量
for ip in $host_ipv6;do
ip6tables -t mangle -A clashv6 -s $ip -j MARK --set-mark 1
done
fi
ip6tables -t mangle -A PREROUTING -p udp $ports -j clashv6
[ "$1" = "all" ] && ip6tables -t mangle -A PREROUTING -p tcp $ports -j clashv6
}
} &
}
} }
start_nft(){ start_nft(){
#获取局域网host地址 #获取局域网host地址
getlanip getlanip
[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g') [ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
RESERVED_IP="{$(echo $reserve_ipv4 | sed 's/ /, /g')}" RESERVED_IP="$(echo $reserve_ipv4 | sed 's/ /, /g')"
HOST_IP="{$(echo $host_ipv4 | sed 's/ /, /g')}" HOST_IP="$(echo $host_ipv4 | sed 's/ /, /g')"
#设置策略路由 #设置策略路由
ip rule add fwmark 1 table 100 ip rule add fwmark 1 table 100
ip route add local default dev lo table 100 ip route add local default dev lo table 100
@@ -790,34 +786,34 @@ start_nft(){
[ -n "$(cat $clashdir/mac)" ] && { [ -n "$(cat $clashdir/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac) MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
[ "$macfilter_type" = "黑名单" ] && \ [ "$macfilter_type" = "黑名单" ] && \
nft add rule inet shellclash prerouting ether saddr {${MAC}} return || \ nft add rule inet shellclash prerouting ether saddr {$MAC} return || \
nft add rule inet shellclash prerouting ether saddr != {${MAC}} return nft add rule inet shellclash prerouting ether saddr != {$MAC} return
} }
#过滤保留地址 #过滤保留地址
nft add rule inet shellclash prerouting ip daddr {${RESERVED_IP}} return nft add rule inet shellclash prerouting ip daddr {$RESERVED_IP} return
#仅代理本机局域网网段流量 #仅代理本机局域网网段流量
nft add rule inet shellclash prerouting ip saddr != {${HOST_IP}} return nft add rule inet shellclash prerouting ip saddr != {$HOST_IP} return
#绕过CN-IP #绕过CN-IP
[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && { [ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt) CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
[ -n "$CN_IP" ] && nft add rule inet shellclash prerouting ip daddr {${CN_IP}} return [ -n "$CN_IP" ] && nft add rule inet shellclash prerouting ip daddr {$CN_IP} return
} }
#过滤常用端口 #过滤常用端口
[ -n "$PORTS" ] && nft add rule inet shellclash prerouting tcp dport != {${PORTS}} return [ -n "$PORTS" ] && nft add rule inet shellclash prerouting tcp dport != {$PORTS} return
#ipv6支持 #ipv6支持
if [ "$ipv6_redir" = "已开启" ];then if [ "$ipv6_redir" = "已开启" ];then
RESERVED_IP6="{$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')}" RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
HOST_IP6="{$(echo $host_ipv6 | sed 's/ /, /g')}" HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
ip -6 rule add fwmark 1 table 101 2> /dev/null ip -6 rule add fwmark 1 table 101 2> /dev/null
ip -6 route add local ::/0 dev lo table 101 2> /dev/null ip -6 route add local ::/0 dev lo table 101 2> /dev/null
#过滤保留地址及本机地址 #过滤保留地址及本机地址
nft add rule inet shellclash prerouting ip6 daddr {${RESERVED_IP6}} return nft add rule inet shellclash prerouting ip6 daddr {$RESERVED_IP6} return
#仅代理本机局域网网段流量 #仅代理本机局域网网段流量
nft add rule inet shellclash prerouting ip6 saddr != {${HOST_IP6}} return nft add rule inet shellclash prerouting ip6 saddr != {$HOST_IP6} return
#绕过CN_IPV6 #绕过CN_IPV6
[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" -a -f $bindir/cn_ipv6.txt ] && { [ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" -a -f $bindir/cn_ipv6.txt ] && {
CN_IP6=$(awk '{printf "%s, ",$1}' $bindir/cn_ipv6.txt) CN_IP6=$(awk '{printf "%s, ",$1}' $bindir/cn_ipv6.txt)
[ -n "$CN_IP6" ] && nft add rule inet shellclash prerouting ip6 daddr {${CN_IP6}} return [ -n "$CN_IP6" ] && nft add rule inet shellclash prerouting ip6 daddr {$CN_IP6} return
} }
else else
nft add rule inet shellclash prerouting meta nfproto ipv6 return nft add rule inet shellclash prerouting meta nfproto ipv6 return
@@ -829,8 +825,8 @@ start_nft(){
#屏蔽QUIC #屏蔽QUIC
[ "$quic_rj" = 已启用 ] && { [ "$quic_rj" = 已启用 ] && {
nft add chain inet shellclash input { type filter hook input priority 0 \; } nft add chain inet shellclash input { type filter hook input priority 0 \; }
[ -n "$CN_IP" ] && nft add rule inet shellclash input ip daddr {${CN_IP}} return [ -n "$CN_IP" ] && nft add rule inet shellclash input ip daddr {$CN_IP} return
[ -n "$CN_IP6" ] && nft add rule inet shellclash input ip6 daddr {${CN_IP6}} return [ -n "$CN_IP6" ] && nft add rule inet shellclash input ip6 daddr {$CN_IP6} return
nft add rule inet shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT' nft add rule inet shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT'
} }
#代理本机(仅TCP) #代理本机(仅TCP)
@@ -842,8 +838,8 @@ start_nft(){
#output #output
nft add chain inet shellclash output { type nat hook output priority -100 \; } nft add chain inet shellclash output { type nat hook output priority -100 \; }
nft add rule inet shellclash output meta skgid 7890 return && { nft add rule inet shellclash output meta skgid 7890 return && {
[ -n "$PORTS" ] && nft add rule inet shellclash output tcp dport != {${PORTS}} return [ -n "$PORTS" ] && nft add rule inet shellclash output tcp dport != {$PORTS} return
nft add rule inet shellclash output ip daddr {${RESERVED_IP}} return nft add rule inet shellclash output ip daddr {$RESERVED_IP} return
nft add rule inet shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port} nft add rule inet shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port}
} }
#Docker #Docker
@@ -859,8 +855,8 @@ start_nft_dns(){
[ -n "$(cat $clashdir/mac)" ] && { [ -n "$(cat $clashdir/mac)" ] && {
MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac) MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
[ "$macfilter_type" = "黑名单" ] && \ [ "$macfilter_type" = "黑名单" ] && \
nft add rule inet shellclash dns ether saddr {${MAC}} return || \ nft add rule inet shellclash dns ether saddr {$MAC} return || \
nft add rule inet shellclash dns ether saddr != {${MAC}} return nft add rule inet shellclash dns ether saddr != {$MAC} return
} }
nft add rule inet shellclash dns udp dport 53 redirect to ${dns_port} nft add rule inet shellclash dns udp dport 53 redirect to ${dns_port}
nft add rule inet shellclash dns tcp dport 53 redirect to ${dns_port} nft add rule inet shellclash dns tcp dport 53 redirect to ${dns_port}
@@ -1004,7 +1000,7 @@ web_save(){
fi fi
} }
#使用get_save获取面板节点设置 #使用get_save获取面板节点设置
get_save http://localhost:${db_port}/proxies | awk -F "{" '{for(i=1;i<=NF;i++) print $i}' | grep -E '^"all".*"Selector"' > /tmp/clash_web_check_$USER get_save http://127.0.0.1:${db_port}/proxies | awk -F "{" '{for(i=1;i<=NF;i++) print $i}' | grep -E '^"all".*"Selector"' > /tmp/clash_web_check_$USER
while read line ;do while read line ;do
def=$(echo $line | awk -F "[[,]" '{print $2}') def=$(echo $line | awk -F "[[,]" '{print $2}')
now=$(echo $line | grep -oE '"now".*",' | sed 's/"now"://g' | sed 's/"type":.*//g' | sed 's/,//g') now=$(echo $line | grep -oE '"now".*",' | sed 's/"now"://g' | sed 's/"type":.*//g' | sed 's/,//g')
@@ -1024,9 +1020,9 @@ web_restore(){
while [ -z "$test" -a "$i" -lt 60 ];do while [ -z "$test" -a "$i" -lt 60 ];do
sleep 1 sleep 1
if curl --version > /dev/null 2>&1;then if curl --version > /dev/null 2>&1;then
test=$(curl -s http://localhost:${db_port}) test=$(curl -s http://127.0.0.1:${db_port})
else else
test=$(wget -q -O - http://localhost:${db_port}) test=$(wget -q -O - http://127.0.0.1:${db_port})
fi fi
i=$((i+1)) i=$((i+1))
done done
@@ -1036,7 +1032,7 @@ web_restore(){
while [ "$i" -le "$num" ];do while [ "$i" -le "$num" ];do
group_name=$(awk -F ',' 'NR=="'${i}'" {print $1}' $clashdir/web_save | sed 's/ /%20/g') group_name=$(awk -F ',' 'NR=="'${i}'" {print $1}' $clashdir/web_save | sed 's/ /%20/g')
now_name=$(awk -F ',' 'NR=="'${i}'" {print $2}' $clashdir/web_save) now_name=$(awk -F ',' 'NR=="'${i}'" {print $2}' $clashdir/web_save)
put_save http://localhost:${db_port}/proxies/${group_name} "{\"name\":\"${now_name}\"}" put_save http://127.0.0.1:${db_port}/proxies/${group_name} "{\"name\":\"${now_name}\"}"
i=$((i+1)) i=$((i+1))
done done
} }
@@ -1351,7 +1347,7 @@ updateyaml)
getconfig getconfig
getyaml && \ getyaml && \
modify_yaml && \ modify_yaml && \
put_save http://localhost:${db_port}/configs "{\"path\":\"${clashdir}/config.yaml\"}" && \ put_save http://127.0.0.1:${db_port}/configs "{\"path\":\"${clashdir}/config.yaml\"}" && \
logger ShellClash配置文件更新成功 logger ShellClash配置文件更新成功
;; ;;
logger) logger)
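Review bot: start_tun keeps `modprobe xt_mark &> /dev/null && {` as the gate for the whole fwmark/policy-route block even though the commit drops the same kind of gate (`modprobe tun`, `modprobe xt_TPROXY`) from start_tun and start_tproxy, so on the VM kernels this fix targets — where modprobe presumably fails because the feature is built in or no module tree is installed — Tun mode now installs only the FORWARD rules and never marks any traffic. Relaxing that gate the same way, `modprobe xt_mark > /dev/null 2>&1` followed by an unconditional `{`, keeps the three paths consistent. With the gates gone nothing verifies that the `-j TPROXY` / `-j MARK` inserts succeed, so a kernel that truly lacks the target is left with `ip rule add fwmark 1 table 100` and a partially built `clash` chain and nothing in the log; checking the return status of the first such rule and returning non-zero would make that failure visible instead of silently breaking LAN traffic. Separately, `&>` is a bash redirection: the file is `#!/bin/sh` (first hunk), and a POSIX shell without that extension parses `cmd &> /dev/null && {` as `cmd &` plus an empty redirect that always succeeds, so the portable `> /dev/null 2>&1` already used on the `ip6tables -I FORWARD` line is the safer spelling.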