From db0836e9e0ee8154a15417bad13197bf9bca1ef8 Mon Sep 17 00:00:00 2001
From: juewuy <juewuy@gmail.com>
Date: Sun, 19 Jan 2025 17:09:37 +0800
Subject: [PATCH] =?UTF-8?q?~=E4=BC=98=E5=8C=96=E4=BA=86nftables=E5=A4=84?=
 =?UTF-8?q?=E7=90=86=E6=B5=81=E7=A8=8B=20~=E4=BC=98=E5=8C=96=E4=BA=86?=
 =?UTF-8?q?=E8=87=AA=E5=8A=A8=E4=B8=8B=E8=BD=BD=E6=95=B0=E6=8D=AE=E5=BA=93?=
 =?UTF-8?q?=E5=8A=9F=E8=83=BD=EF=BC=8C=E7=8E=B0=E5=9C=A8=E4=BC=9A=E8=87=AA?=
 =?UTF-8?q?=E5=8A=A8=E8=AF=86=E5=88=AB=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6?=
 =?UTF-8?q?=E4=B8=AD=E6=98=AF=E5=90=A6=E5=AD=98=E5=9C=A8=E7=9B=B8=E5=85=B3?=
 =?UTF-8?q?=E9=93=BE=E6=8E=A5=EF=BC=8C=E5=A6=82=E6=98=AF=E5=88=99=E4=B8=8D?=
 =?UTF-8?q?=E8=A7=A6=E5=8F=91=20~=E4=BC=98=E5=8C=96=E6=96=B0=E6=89=8B?=
 =?UTF-8?q?=E5=BC=95=E5=AF=BC=E9=BB=98=E8=AE=A4=E5=8F=82=E6=95=B0=EF=BC=8C?=
 =?UTF-8?q?=E7=8E=B0=E5=9C=A8=E9=BB=98=E8=AE=A4=E5=90=AF=E7=94=A8=E7=BB=95?=
 =?UTF-8?q?=E8=BF=87cnip=E5=8A=9F=E8=83=BD=EF=BC=8C=E9=9D=9Emips=E8=AE=BE?=
 =?UTF-8?q?=E5=A4=87=E9=BB=98=E8=AE=A4=E5=90=AF=E7=94=A8=E6=B7=B7=E5=90=88?=
 =?UTF-8?q?=E6=A8=A1=E5=BC=8F=20~=E6=96=B0=E6=89=8B=E5=BC=95=E5=AF=BC?=
 =?UTF-8?q?=E9=80=89=E6=8B=A9=E5=B1=80=E5=9F=9F=E7=BD=91=E8=AE=BE=E5=A4=87?=
 =?UTF-8?q?=E6=97=B6=EF=BC=8C=E5=A2=9E=E5=8A=A0=E4=BA=86net.bridge.bridge-?=
 =?UTF-8?q?nf-call-iptables=E7=A6=81=E7=94=A8=EF=BC=8C=E4=BB=A5=E4=BF=AE?=
 =?UTF-8?q?=E5=A4=8D=E9=83=A8=E5=88=86=E8=AE=BE=E5=A4=87=E5=9B=A0docker?=
 =?UTF-8?q?=E5=86=B2=E7=AA=81=E8=80=8C=E5=AF=BC=E8=87=B4=E4=BB=A3=E7=90=86?=
 =?UTF-8?q?=E5=BC=82=E5=B8=B8=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/start.sh  | 37 ++++++++++++++++---------------------
 scripts/webget.sh | 17 +++++++++++++++--
 2 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/scripts/start.sh b/scripts/start.sh
index d8dd643..a0063ab 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -453,7 +453,7 @@ EOF
 				hosts_ip=$(echo $line | awk '{print $1}') &&
 				hosts_domain=$(echo $line | awk '{print $2}') &&
 				[ -z "$(cat "$TMPDIR"/hosts.yaml | grep -oE "$hosts_domain")" ] &&
-				echo "   '$hosts_domain': $hosts_ip" >>"$TMPDIR"/hosts.yaml
+				echo "  '$hosts_domain': $hosts_ip" >>"$TMPDIR"/hosts.yaml
 		done <$sys_hosts
 	fi
 	#分割配置文件
@@ -533,11 +533,11 @@ EOF
 	#mix模式生成rule-providers
 	[ "$dns_mod" = "mix" ] && ! grep -q 'geosite-cn:' "$TMPDIR"/rule-providers.yaml && ! grep -q 'rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && \
 	cat >>"$TMPDIR"/rule-providers.yaml <<EOF
-geosite-cn:
-  type: file
-  behavior: domain
-  format: mrs
-  path: geosite-cn.mrs
+  geosite-cn:
+    type: file
+    behavior: domain
+    format: mrs
+    path: geosite-cn.mrs
 EOF
 	#对齐rules中的空格
 	sed -i 's/^ *-/ -/g' "$TMPDIR"/rules.yaml
@@ -1217,17 +1217,17 @@ start_nft_route() { #nftables-route通用工具
 	#过滤dns
 	nft add rule inet shellcrash $1 tcp dport 53 return
 	nft add rule inet shellcrash $1 udp dport 53 return
+	#防回环
+	nft add rule inet shellcrash $1 meta mark $routing_mark return
+	nft add rule inet shellcrash $1 meta skgid 7890 return
+	[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
+	[ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return
 	#过滤常用端口
 	[ -n "$PORTS" ] && {
 		nft add rule inet shellcrash $1 ip daddr != {198.18.0.0/16} tcp dport != {$PORTS} return
 		nft add rule inet shellcrash $1 ip6 daddr != {fc00::/16} tcp dport != {$PORTS} return
 	}
-	#防回环
-	nft add rule inet shellcrash $1 meta mark $routing_mark return
-	nft add rule inet shellcrash $1 meta skgid 7890 return
-	[ -z "$ports" ] && nft add rule inet shellcrash $1 tcp dport {"$mix_port, $redir_port, $tproxy_port"} return
 	#nft add rule inet shellcrash $1 ip saddr 198.18.0.0/16 return
-	[ "$firewall_area" = 5 ] && nft add rule inet shellcrash $1 ip saddr $bypass_host return
 	nft add rule inet shellcrash $1 ip daddr {$RESERVED_IP} return #过滤保留地址
 	#过滤局域网设备
 	[ "$1" = 'prerouting' ] && {
@@ -1313,7 +1313,7 @@ start_nft_dns() { #nftables-dns
 	nft add rule inet shellcrash "$1"_dns meta skgid { 453, 7890 } return
 	[ "$firewall_area" = 5 ] && nft add rule inet shellcrash "$1"_dns ip saddr $bypass_host return
 	nft add rule inet shellcrash "$1"_dns ip saddr != {$HOST_IP} return                              #屏蔽外部请求
-	[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} reject #屏蔽外部请求
+	[ "$1" = 'prerouting' ] && nft add rule inet shellcrash "$1"_dns ip6 saddr != {$HOST_IP6} return #屏蔽外部请求
 	#过滤局域网设备
 	[ "$1" = 'prerouting' ] && [ -s "$CRASHDIR"/configs/mac ] && {
 		MAC=$(awk '{printf "%s, ",$1}' "$CRASHDIR"/configs/mac)
@@ -1766,15 +1766,10 @@ clash_check() { #clash启动前检查
 	[ "$crashcore" = "clash" ] && [ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -z "$(grep '0:7890' /etc/passwd)" ] &&
 		core_exchange meta '当前内核不支持非root用户启用本机代理'
 	core_check
-	#预下载GeoIP数据库
-	#排除others.yaml（可能是rule-providers的url里有“geoip”关键词）
-	[ -n "$(grep -oEi 'geoip' "$CRASHDIR"/yamls/*.yaml | grep -v 'others.yaml')" ] && ckgeo Country.mmdb cn_mini.mmdb
-	#预下载GeoSite数据库
-	#geodata-mode默认为false，只有geodata-mode: true才会需要GeoSite
-	if [ -n "$(grep -oEi 'geosite' "$CRASHDIR"/yamls/*.yaml | grep -v 'others.yaml')" ] && \
-		[ -n "$(grep -E 'geodata-mode: true' "$CRASHDIR"/yamls/*.yaml)" ]; then
-		ckgeo GeoSite.dat geosite.dat
-	fi
+	#预下载GeoIP数据库并排除存在自定义数据库链接的情况
+	[ -n "$(grep -oEi 'geoip' "$CRASHDIR"/yamls/*.yaml)" ] && [ -z "$(grep -oEi 'geoip:|mmdb:' "$CRASHDIR"/yamls/*.yaml)" ] && ckgeo Country.mmdb cn_mini.mmdb
+	#预下载GeoSite数据库并排除存在自定义数据库链接的情况
+	[ -n "$(grep -oEi 'geosite' "$CRASHDIR"/yamls/*.yaml)" ] && [ -z "$(grep -oEi 'geosite:' "$CRASHDIR"/yamls/*.yaml)" ] && ckgeo GeoSite.dat geosite.dat
 	#预下载geosite-cn.mrs数据库
 	[ -n "$(cat "$CRASHDIR"/yamls/*.yaml | grep -oEi 'rule_set.*geosite-cn')" -o "$dns_mod" = "mix" ] && ckgeo geosite-cn.mrs mrs_geosite_cn.mrs
 	return 0
diff --git a/scripts/webget.sh b/scripts/webget.sh
index 1d1a559..f4ba4e7 100644
--- a/scripts/webget.sh
+++ b/scripts/webget.sh
@@ -2238,14 +2238,24 @@ userguide(){
 			forwhat
 		elif [ "$num" = 1 ];then
 			#设置运行模式
-			redir_mod="Redir模式"
+			redir_mod="混合模式"
+			[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && {
+				if grep -qE '^TPROXY$' /proc/net/ip_tables_targets || modprobe xt_TPROXY >/dev/null 2>&1; then
+					redir_mod="Tproxy模式"
+				else
+					redir_mod="Redir模式"
+				fi
+				setconfig crashcore "clash"
+			}
 			setconfig redir_mod "$redir_mod"
-			[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && setconfig crashcore "clash"
+			#默认启用绕过CN-IP
+			setconfig cn_ip_route 已开启
 			#自动识别IPV6
 			[ -n "$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g')" ] && {
 				setconfig ipv6_redir 已开启
 				setconfig ipv6_support 已开启
 				setconfig ipv6_dns 已开启
+				setconfig cn_ipv6_route 已开启
 			}
 			#设置开机启动
 			[ -f /etc/rc.common -a "$(cat /proc/1/comm)" = "procd" ] && /etc/init.d/shellcrash enable
@@ -2262,6 +2272,9 @@ userguide(){
 					sysctl -w net.ipv4.ip_forward=1
 				} && echo "已成功开启ipv4转发，如未正常开启，请手动重启设备！" || echo "开启失败！请自行谷歌查找当前设备的开启方法！"
 			fi
+			#禁止docker启用的net.bridge.bridge-nf-call-iptables
+			sysctl -w net.bridge.bridge-nf-call-iptables=0
+			sysctl -w net.bridge.bridge-nf-call-ip6tables=0
 		elif [ "$num" = 2 ];then
 			setconfig redir_mod "Redir模式"
 			[ -n "$(echo $cputype | grep -E "linux.*mips.*")" ] && setconfig crashcore "clash"