From d48402a101e6dd7dbe036e02eca7cf105def4558 Mon Sep 17 00:00:00 2001
From: juewuy <juewuy@126.com>
Date: Tue, 8 Nov 2022 22:06:42 +0800
Subject: [PATCH] =?UTF-8?q?v1.6.6=20~=E6=96=B0=E5=A2=9ETproxy=E6=A8=A1?=
 =?UTF-8?q?=E5=BC=8F=20~=E6=96=B0=E5=A2=9ENftables=E6=94=AF=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/clash.sh | 57 +++++++++++++++-------------------
 scripts/start.sh | 79 ++++++++++++++++++++++++++----------------------
 2 files changed, 68 insertions(+), 68 deletions(-)

diff --git a/scripts/clash.sh b/scripts/clash.sh
index 424060c..0305ea3 100644
--- a/scripts/clash.sh
+++ b/scripts/clash.sh
@@ -522,6 +522,7 @@ localproxy(){
 	echo -e " 1 \033[36m$proxy_set本机代理\033[0m"
 	echo -e " 2 使用\033[32m环境变量\033[0m方式配置(部分应用可能无法使用)"
 	echo -e " 3 使用\033[32miptables增强模式\033[0m配置(支持docker)"
+	[ -n "$(type nft)" ] && echo -e " 4 使用\033[32mnftables增强模式\033[0m配置(支持docker)"
 	echo -e " 0 返回上级菜单"
 	echo -----------------------------------------------
 	read -p "请输入对应数字 > " num
@@ -572,7 +573,17 @@ localproxy(){
 			local_type="iptables增强模式"
 			setconfig local_type $local_type
 		else
-			echo -e "\033[31m当前设备无法使用增强模式！\033[0m"
+			echo -e "\033[31m当前设备无法使用iptables增强模式！\033[0m"
+			sleep 1
+		fi
+		localproxy
+		
+	elif [ "$num" = 4 ]; then
+		if [ -n "$(echo $redir_mod|grep Nft)" ];then
+			local_type="nftables增强模式"
+			setconfig local_type $local_type
+		else
+			echo -e "\033[31m请先启用任意nftable相关模式！\033[0m"
 			sleep 1
 		fi
 		localproxy
@@ -594,20 +605,21 @@ clashcfg(){
 			echo -e "\033[36m已设为 $redir_mod ！！\033[0m"
 		}
 		[ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1
-		ip tuntap >/dev/null 2>&1 && sup_tun=1
-		type nftables >/dev/null 2>&1 && sup_nft=1
+		[ -n "$(lsmod | grep '^tun')" ] && sup_tun=1
+		[ -n "$(type nft)" ] && sup_nft=1
+		[ -n "$(type nft)" -a -n "$(lsmod | grep 'nft_tproxy')" ] && sup_nft=2
 		echo -----------------------------------------------
 		echo -e "当前代理模式为：\033[47;30m $redir_mod \033[0m；Clash核心为：\033[47;30m $clashcore \033[0m"
 		echo -e "\033[33m切换模式后需要手动重启clash服务以生效！\033[0m"
 		echo -----------------------------------------------
-		echo -e " 1 Redir模式： Redir转发TCP，不转发UDP"
-		[ -n "$sup_tun" ] && echo -e " 2 混合模式：  Redir转发TCP，Tun转发UDP"
-		[ -n "$sup_tp" ] && echo -e " 3 Tproxy混合： Redir转发TCP，Tproxy转发UDP"
-		[ -n "$sup_tun" ] && echo -e " 4 Tun模式：   使用Tun转发TCP&UDP(占用高)"
-		[ -n "$sup_tp" ] && echo -e " 5 Tproxy模式： 使用Tproxy转发TCP&UDP"
-		[ -n "$sup_nft" ] && echo -e " 6 Nft模式1：   使用nftables转发TCP，不转发UDP"
-		[ -n "$sup_nft" ] && echo -e " 7 Nft模式2：   使用nftables转发TCP&UDP"
-		echo -e " 8 纯净模式：  不设置流量转发"
+		echo -e " 1 \033[32mRedir模式\033[0m：    Redir转发TCP，不转发UDP"
+		[ -n "$sup_tun" ] && echo -e " 2 \033[36m混合模式\033[0m：     Redir转发TCP，Tun转发UDP"
+		[ -n "$sup_tp" ] && echo -e " 3 \033[32mTproxy混合\033[0m：   Redir转发TCP，Tproxy转发UDP"
+		[ -n "$sup_tun" ] && echo -e " 4 \033[33mTun模式\033[0m：      使用Tun转发TCP&UDP(占用高)"
+		[ -n "$sup_tp" ] && echo -e " 5 \033[32mTproxy模式\033[0m：   使用Tproxy转发TCP&UDP"
+		[ -n "$sup_nft" ] && echo -e " 6 \033[36mNft基础\033[0m：      使用nftables转发TCP，不转发UDP"
+		[ "$sup_nft" = '2' ] && echo -e " 7 \033[32mNft混合\033[0m：      使用nft_tproxy转发TCP&UDP"
+		echo -e " 8 \033[36m纯净模式\033[0m：     不设置流量转发"
 		echo " 0 返回上级菜单"
 		read -p "请输入对应数字 > " num	
 		if [ -z "$num" ]; then
@@ -637,11 +649,11 @@ clashcfg(){
 			set_redir_config
 			
 		elif [ "$num" = 6 ]; then
-			redir_mod=Nft模式1	
+			redir_mod=Nft基础
 			set_redir_config
 			
 		elif [ "$num" = 7 ]; then
-			redir_mod=Nft模式2	
+			redir_mod=Nft混合
 			set_redir_config	
 			
 		elif [ "$num" = 8 ]; then
@@ -863,7 +875,6 @@ clashadv(){
 	echo -----------------------------------------------
 	echo -e " 1 使用保守模式启动:	\033[36m$start_old\033[0m	————切换时会停止clash服务"
 	echo -e " 2 启用ipv6支持:	\033[36m$ipv6_support\033[0m	————实验性功能，可能不稳定"
-	echo -e " 3 Redir模式udp转发:	\033[36m$tproxy_mod\033[0m	————依赖iptables-mod-tproxy"
 	echo -e " 4 启用小闪存模式:	\033[36m$mini_clash\033[0m	————不保存核心及数据库文件"
 	echo -e " 5 允许公网访问:	\033[36m$public_support\033[0m	————需要路由拨号+公网IP"
 	echo -e " 6 配置内置DNS服务	\033[36m$dns_no\033[0m"
@@ -915,24 +926,6 @@ clashadv(){
 		setconfig ipv6_support $ipv6_support
 		clashadv   
 		
-	elif [ "$num" = 3 ]; then	
-		echo -----------------------------------------------
-		if [ "$tproxy_mod" = "未开启" ]; then 
-			if [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ];then
-				tproxy_mod=已开启
-				echo -e "\033[32m已经为Redir模式启用udp转发功能！\033[0m"
-			else
-				tproxy_mod=未开启
-				echo -e "\033[31m您的设备不支持tproxy模式，无法开启！\033[0m"
-			fi
-		else
-			tproxy_mod=未开启
-			echo -e "\033[33m已经停止使用tproxy转发udp流量！！\033[0m"
-		fi
-		setconfig tproxy_mod $tproxy_mod
-		sleep 1
-		clashadv 	
-		
 	elif [ "$num" = 4 ]; then	
 		echo -----------------------------------------------
 		dir_size=$(df $clashdir | awk '{print $4}' | sed 1d)
diff --git a/scripts/start.sh b/scripts/start.sh
index 97bcc73..9622395 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -341,6 +341,7 @@ modify_yaml(){
 	cat > $tmpdir/set.yaml <<EOF
 mixed-port: $mix_port
 redir-port: $redir_port
+tproxy-port: 7893
 authentication: ["$authentication"]
 $lan
 mode: $mode
@@ -629,48 +630,50 @@ start_tun(){
 start_nft(){
 	#设置策略路由
 	ip rule add fwmark 1 table 100 
-	ip route add local 0.0.0.0/0 dev lo table 100
-	#IPV6
+	ip route add local default dev lo table 100
 	[ "$ipv6_support" = "已开启" ] && {
 		ip -6 rule add fwmark 1 table 101
 		ip -6 route add local ::/0 dev lo table 101
 	}
+	#初始化nftables
 	nft add table shellclash
-	nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
-	#保留地址
-	nft define RESERVED_IP = {0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}
-	#创建nft表和链
-	nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
-	nft add rule shellclash prerouting ip daddr $RESERVED_IP return
-	#过滤CN-IP
-	[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
-		CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
-		nft define CN_IP = $CN_IP
-		nft add rule shellclash prerouting ip daddr $CN_IP return
-	}
-	#过滤常用端口
-	[ "$common_ports" = "已开启" ] && {
-		ports=$(echo $multiport | sed 's/,/, /g')
-		nft add rule shellclash prerouting tcp dport != {$ports} return
-	}
+	nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; }
 	#过滤局域网设备 ether saddr
 	[ -n "$(cat $clashdir/mac)" ] && {
 		MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
-		nft define MAC = $MAC
-		[ "$macfilter_type" = "黑名单" ] && nft add rule shellclash prerouting ether saddr {$MAC} return
-		[ "$macfilter_type" = "白名单" ] && nft add rule shellclash prerouting ether saddr != {$MAC} return
+		[ "$macfilter_type" = "黑名单" ] && nft add rule shellclash prerouting ether saddr {${MAC}} return
+		[ "$macfilter_type" = "白名单" ] && nft add rule shellclash prerouting ether saddr != {${MAC}} return
+	}	
+	#设置DNS转发
+	nft add rule shellclash prerouting udp dport 53 redirect to ${dns_port}
+	nft add rule shellclash prerouting tcp dport 53 redirect to ${dns_port}
+	#过滤保留地址
+	RESERVED_IP="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4}"
+	nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return
+	#过滤CN-IP
+	[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
+		CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
+		[ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return
+	}
+	#过滤常用端口
+	[ "$common_ports" = "已开启" ] && {
+		PORTS=$(echo $multiport | sed 's/,/, /g')
+		nft add rule shellclash prerouting tcp dport != {${PORTS}} return
 	}
 	#代理局域网设备
-	nft add rule shellclash prerouting udp dport 53 redirect to :$dns_port accept
-	nft add rule shellclash prerouting tcp dport 53 redirect to :$dns_port accept
-	nft add rule shellclash prerouting meta l4proto {$1} mark set 1 tproxy to :$redir_port accept
+	if [ "$redir_mod" = "Nft混合" ];then
+		nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
+		nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:7893
+	else
+		nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
+	fi
 	#代理本机
 	[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && {
-	nft add chain shellclash output { type filter hook prerouting priority 0 \; }
+	nft add chain shellclash output { type filter hook output priority 0 \; }
 	nft add rule shellclash output meta skuid clash return
-	[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {$ports} return
-	nft add rule shellclash output ip daddr $RESERVED_IP return
-	nft add rule shellclash output meta l4proto {$1} mark set 1 accept # 重路由至 prerouting
+	[ "$common_ports" = "已开启" ] && nft add rule shellclash output tcp dport != {${PORTS}} return
+	nft add rule shellclash output ip daddr {${RESERVED_IP}} return
+	nft add rule shellclash output meta l4proto tcp mark set 1 # 重路由至 prerouting
 	}
 }
 start_wan(){
@@ -691,10 +694,8 @@ start_wan(){
 		type ip6tables >/dev/null 2>&1 && ip6tables -I INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
 	fi
 }
-stop_iptables(){
+stop_firewall(){
     #重置iptables规则
-	ip rule del fwmark 1 table 100  2> /dev/null
-	ip route del local default dev lo table 100 2> /dev/null
 	iptables -t nat -D PREROUTING -p tcp $ports -j clash 2> /dev/null
 	iptables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
 	iptables -D INPUT -p tcp --dport $db_port -j ACCEPT 2> /dev/null
@@ -756,6 +757,12 @@ stop_iptables(){
 		uci commit dhcp >/dev/null 2>&1
 		/etc/init.d/dnsmasq restart >/dev/null 2>&1
 	}
+	#清理路由
+	ip rule del fwmark 1 table 100  2> /dev/null
+	ip route del local default dev lo table 100 2> /dev/null
+	#重置nftables相关规则
+	nft flush table shellclash >/dev/null 2>&1
+	nft delete table shellclash >/dev/null 2>&1
 }
 #面板配置保存相关
 web_save(){
@@ -951,8 +958,8 @@ afstart(){
 		[ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
 		[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun
 		[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
-		[ "$redir_mod" = "Nft模式1" ] && start_nft 'tcp, icmp'
-		[ "$redir_mod" = "Nft模式2" ] && start_nft 'tcp, udp, icmp'
+		[ "$redir_mod" = "Nft基础" ] && start_nft 'tcp'
+		[ "$redir_mod" = "Nft混合" ] && start_nft '{tcp, udp}'
 		[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output
 		type iptables >/dev/null 2>&1 && start_wan
 		#标记启动时间
@@ -1005,7 +1012,7 @@ start)
 		getconfig
 		#检测必须文件并下载
 		bfstart
-		stop_iptables #清理iptables
+		stop_firewall #清理路由策略
 		#使用内置规则强行覆盖config配置文件
 		[ "$modify_yaml" != "已开启" ] && modify_yaml
 		#使用不同方式启动clash服务
@@ -1033,7 +1040,7 @@ stop)
 			systemctl stop clash.service >/dev/null 2>&1
 		fi
 		PID=$(pidof clash) && [ -n "$PID" ] &&  kill -9 $PID >/dev/null 2>&1
-		stop_iptables #清理iptables
+		stop_firewall #清理路由策略
 		$0 unset_proxy #禁用本机代理
         ;;
 restart)