From 5ec0b9c2386fed1934452982ae0b9a66f88d3159 Mon Sep 17 00:00:00 2001
From: juewuy
Date: Sun, 15 Sep 2024 15:33:10 +0800
Subject: [PATCH] =?UTF-8?q?~=E4=BF=AE=E5=A4=8Dtun=E6=88=96=E6=B7=B7?=
 =?UTF-8?q?=E5=90=88=E6=A8=A1=E5=BC=8F=E4=B8=8B=EF=BC=8C=E5=B1=8F=E8=94=BD?=
 =?UTF-8?q?quic=E5=8A=9F=E8=83=BD=E6=9C=AA=E8=83=BD=E5=AE=9E=E9=99=85?=
 =?UTF-8?q?=E7=94=9F=E6=95=88=E7=9A=84bug=20~=E4=BC=98=E5=8C=96=E4=BA=86?=
 =?UTF-8?q?=E4=B8=80=E4=B8=8B=E5=88=9D=E5=A7=8B=E5=8C=96=E8=84=9A=E6=9C=AC?=
 =?UTF-8?q?=E4=B8=AD=E5=AF=B9nftables=E5=92=8Ciptables=E7=9A=84=E4=BD=BF?=
 =?UTF-8?q?=E7=94=A8=E5=88=A4=E6=96=AD=20~=E9=BB=98=E8=AE=A4=E7=9A=84?=
 =?UTF-8?q?=E5=B8=B8=E7=94=A8=E7=AB=AF=E5=8F=A3=E8=BF=87=E6=BB=A4=E5=88=97?=
 =?UTF-8?q?=E8=A1=A8=E4=B8=AD=EF=BC=8C=E7=A7=BB=E9=99=A4=E4=BA=86=E5=AF=B9?=
 =?UTF-8?q?53=E5=92=8C123=E7=AB=AF=E5=8F=A3=E7=9A=84=E6=94=AF=E6=8C=81=20~?=
 =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E9=83=A8=E5=88=86=E6=83=85=E5=86=B5=E4=B8=8B?=
 =?UTF-8?q?=E5=9B=A0ipv6dns=E6=9C=AA=E8=83=BD=E6=AD=A3=E7=A1=AE=E5=8A=AB?=
 =?UTF-8?q?=E6=8C=81=E6=88=96=E6=8B=A6=E6=88=AA=E5=AF=BC=E8=87=B4=E7=9A=84?=
 =?UTF-8?q?dns=E5=8A=AB=E6=8C=81=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/init.sh | 4 ++--
 scripts/menu.sh | 2 +-
 scripts/start.sh | 35 +++++++++++++++++++++++++----------
 3 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/scripts/init.sh b/scripts/init.sh
index ab9b189..85ce65c 100644
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -206,9 +206,9 @@ else
 fi
 setconfig COMMAND "$COMMAND" ${CRASHDIR}/configs/command.env
 #设置防火墙执行模式
-[ -z "$(grep firewall_mod $CRASHDIR/configs/ShellClash.cfg 2>/dev/null)" ] && {
+grep -q 'firewall_mod' "$CRASHDIR/configs/ShellClash.cfg" 2>/dev/null || {
 iptables -j REDIRECT -h >/dev/null 2>&1 && firewall_mod=iptables
- nft add table inet shellcrash 2>/dev/null && firewall_mod=nftables
+ nft add table inet test4532 2>/dev/null && firewall_mod=nftables && nft delete table inet test4532
 setconfig firewall_mod $firewall_mod
 }
 #设置更新地址
diff --git a/scripts/menu.sh b/scripts/menu.sh
index cafa120..b7aae9e 100644
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@@ -38,7 +38,7 @@ ckstatus(){
 [ -z "$fwmark" ] && fwmark=$redir_port
 [ -z "$db_port" ] && db_port=9999
 [ -z "$dns_port" ] && dns_port=1053
- [ -z "$multiport" ] && multiport='22,53,80,123,143,194,443,465,587,853,993,995,5222,8080,8443'
+ [ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443'
 [ -z "$redir_mod" ] && redir_mod=纯净模式
 #检查mac地址记录
 [ ! -f ${CRASHDIR}/configs/mac ] && touch ${CRASHDIR}/configs/mac
diff --git a/scripts/start.sh b/scripts/start.sh
index 220f31e..c49a4a2 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -31,7 +31,7 @@ getconfig() { #读取配置及全局变量
 [ -z "$sniffer" ] && sniffer=已开启
 #是否代理常用端口
 [ -z "$common_ports" ] && common_ports=已开启
- [ -z "$multiport" ] && multiport='22,53,80,123,143,194,443,465,587,853,993,995,5222,8080,8443'
+ [ -z "$multiport" ] && multiport='22,80,143,194,443,465,587,853,993,995,5222,8080,8443'
 [ "$common_ports" = "已开启" ] && ports="-m multiport --dports $multiport"
 #内核配置文件
 if [ "$crashcore" = singbox -o "$crashcore" = singboxp ]; then
@@ -1008,7 +1008,7 @@ start_ipt_dns() { #iptables-dns通用工具
 $1 $w -t nat -A $3 -p udp -s $ip -j REDIRECT --to-ports $dns_port
 done
 fi
- [ "$1" = 'ip6tables' ] && {
+ [ "$1" = 'ip6tables' ] && { #屏蔽外部请求
 $1 $w -t nat -A $3 -p tcp -j RETURN
 $1 $w -t nat -A $3 -p udp -j RETURN
 }
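Review bot: When neither probe succeeds, `firewall_mod` is never assigned and the block still runs `setconfig firewall_mod $firewall_mod` with an empty, unquoted third argument, so an empty (or missing) value is persisted and every later `firewall_mod` check reads garbage; guard it with `[ -n "$firewall_mod" ] || echo "no usable iptables/nftables found" >&2` before the `setconfig` line, or write `"${firewall_mod:-iptables}"` if a fallback is acceptable. The probe order also means nftables wins whenever both tools work, which is worth one comment above the block, e.g. `# nftables takes precedence when both backends are usable`. The cleanup step should be silenced like the probe, `... && nft delete table inet test4532 2>/dev/null`, so a failed delete does not print during init.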
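Review bot: The default port list now lives in two places that must stay byte-identical — this line in `ckstatus` and the same default in start.sh `getconfig` (the `@@ -31,7 +31,7 @@` hunk) — otherwise the ports the menu reports differ from the ports `start.sh` actually matches in `ports="-m multiport --dports $multiport"`. Define the default once in a file both scripts source so the next edit cannot drift. Dropping 53 and 123 from the default means LAN DNS and NTP are no longer caught by the multiport rule; if that is deliberate, a short comment on the line, e.g. `# 53/123 intentionally excluded from the default list`, would spare the next reader a history search.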
@@ -1154,8 +1154,14 @@ start_iptables() { #iptables配置总入口
 set_cn_ip='-m set ! --match-set cn_ip dst'
 set_cn_ip6='-m set ! --match-set cn_ip6 dst'
 }
- $iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
- $ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
+ [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
+ $iptable -I FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT >/dev/null 2>&1
+ $ip6table -I FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT >/dev/null 2>&1
+ }
+ [ "$redir_mod" = "Tproxy模式" ] && {
+ $iptable -I INPUT -p udp --dport 443 $set_cn_ip -j REJECT >/dev/null 2>&1
+ $ip6table -I INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT >/dev/null 2>&1
+ }
 }
 }
 start_nft_route() { #nftables-route通用工具
@@ -1254,7 +1260,7 @@ start_nft_dns() { #nftables-dns
 nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
 [ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return
 nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return #屏蔽外部请求
- [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
+ [ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} reject #屏蔽外部请求
 #过滤局域网设备
 [ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
 MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
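Review bot: Only the Tun/混合 and Tproxy branches install a QUIC rule now, so Redir模式 (and any other `redir_mod` value) silently loses the INPUT REJECT this block applied before the change; if that is intended, say so with a comment such as `# Redir mode: QUIC is not blocked by iptables`, otherwise the remaining modes need an INPUT rule. The iptables path also still matches `--dport 443` only, while the nftables path in this same patch rejects `{443, 8443}`, so the two backends disagree about QUIC on 8443; `-m multiport --dports 443,8443` on these lines would close that gap. `-o utun` hard-codes the tunnel interface name and deserves a comment saying it must match the device the core creates. All failures are swallowed by `>/dev/null 2>&1`, so a wrong interface name or missing ipset goes unnoticed. start_iptables begins before this hunk.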
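Review bot: The changed rule now ends in `reject` inside the `"$1"_dns` chain, and if that chain is hooked at prerouting (its name and the `start_nft_route prerouting_vm prerouting nat -100` call elsewhere in this patch suggest so) this needs confirming against the kernels the project targets: the inet `reject` expression historically validated only in input, forward and output hook chains, and where it is refused `nft add rule` fails with nothing but a console error, leaving outside IPv6 DNS queries neither rejected nor returned — the very symptom the commit subject describes. `drop` is accepted in any hook and avoids that dependency, or the reject can live in a separate filter-type input chain. The iptables counterpart in the `@@ -1008,7 +1008,7 @@` hunk still uses `-j RETURN` under the same `#屏蔽外部请求` comment, so that backend only skips redirection rather than blocking; the two should be brought into agreement or the comment corrected. start_nft_dns begins before this hunk.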
@@ -1341,11 +1347,18 @@ start_nftables() { #nftables配置总入口
 start_nft_route prerouting_vm prerouting nat -100
 }
 #屏蔽QUIC
- [ "$quic_rj" = '已启用' -a "$lan_proxy" = true -a "$redir_mod" != "Redir模式" ] && {
- nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
- [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
- [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
- nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
+ [ "$quic_rj" = '已启用' -a "$lan_proxy" = true && {
+ [ "$redir_mod" = "Tproxy模式" ] && {
+ nft add chain inet shellcrash quic_rj { type filter hook input priority 0 \; }
+ [ -n "$CN_IP" ] && nft add rule inet shellcrash quic_rj ip daddr {$CN_IP} return
+ [ -n "$CN_IP6" ] && nft add rule inet shellcrash quic_rj ip6 daddr {$CN_IP6} return
+ nft add rule inet shellcrash quic_rj udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
+ }
+ [ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
+ nft insert rule inet fw4 forward oifname "utun" udp dport {443, 8443} reject comment 'ShellCrash-QUIC-REJECT'
+ [ -n "$CN_IP" ] && nft insert rule inet fw4 forward oifname "utun" ip daddr {$CN_IP} return
+ [ -n "$CN_IP6" ] && nft insert rule inet fw4 forward oifname "utun" ip6 daddr {$CN_IP6} return
+ }
 }
 }
 start_firewall() { #路由规则总入口
@@ -1436,6 +1449,7 @@ stop_firewall() { #还原防火墙配置
 #屏蔽QUIC
 [ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
 $iptable -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null
+$iptable -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
 #公网访问
 for ip in $host_ipv4 $local_ipv4 $reserve_ipv4; do
 $iptable -D INPUT -p tcp -s $ip --dport $mix_port -j ACCEPT 2>/dev/null
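Review bot: The rewritten condition `[ "$quic_rj" = '已启用' -a "$lan_proxy" = true && {` lost its closing `]`, so `[` exits non-zero with "missing ]" and the whole block — both the Tproxy and the Tun/混合 branch — is skipped, meaning QUIC is never blocked under nftables in any mode, the opposite of what the commit subject claims to fix. The line should read `[ "$quic_rj" = '已启用' -a "$lan_proxy" = true ] && {`. Two further things deserve a comment or a check: the Tun/混合 branch writes into `inet fw4 forward`, which is OpenWrt firewall4's table and will not exist on other systems (nothing here creates it and the errors are not redirected), and the three `nft insert` calls rely on prepend order to put the two CN `return` rules ahead of the reject, which a one-line comment like `# insert order matters: the CN return rules must land before the reject` would protect. I also do not see a matching removal of these fw4 rules in the stop_firewall hunks of this patch; if teardown is done by deleting the shellcrash table, these rules survive and accumulate on every restart unless removed by handle (their `ShellCrash-QUIC-REJECT` comment makes them easy to find). start_nftables begins before this hunk.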
@@ -1477,6 +1491,7 @@ stop_firewall() { #还原防火墙配置
 #屏蔽QUIC
 [ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
 $ip6table -D INPUT -p udp --dport 443 $set_cn_ip6 -j REJECT 2>/dev/null
+$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip -j REJECT 2>/dev/null
 #公网访问
 $ip6table -D INPUT -p tcp --dport $mix_port -j REJECT 2>/dev/null
 $ip6table -D INPUT -p tcp --dport $mix_port -j ACCEPT 2>/dev/null
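Review bot: The added IPv6 teardown line passes `$set_cn_ip` (the IPv4 ipset match) instead of `$set_cn_ip6`, so it never matches the rule `start_iptables` installs on FORWARD with `$set_cn_ip6` (the `@@ -1154,8 +1154,14 @@` hunk); the `-D` fails quietly behind `2>/dev/null` and the IPv6 REJECT rule is left behind and duplicated on every restart. The line should be `$ip6table -D FORWARD -p udp --dport 443 -o utun $set_cn_ip6 -j REJECT 2>/dev/null`. Because `set_cn_ip6` is only assigned on the line above when cn_ipv6_route is on, the delete only matches if the start side built the rule under the same condition; a comment tying the two together would make that dependency visible. stop_firewall begins before this hunk.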