Merge branch 'master' of https://github.com/juewuy/ShellClash into master

2024-11-16 19:55:57 +08:00 · 2023-01-01 20:26:33 +08:00 · 2023-01-01 20:26:33 +08:00 · 39c93ef417
commit 39c93ef417
parent 862af13667 31873d25bf
11 changed files with 38109 additions and 36278 deletions
--- a/bin/Country.mmdb
+++ b/bin/Country.mmdb
--- a/bin/china_ipv6_list.txt
+++ b/bin/china_ipv6_list.txt
--- a/bin/clashdb.tar.gz
+++ b/bin/clashdb.tar.gz
--- a/bin/cn_mini.mmdb
+++ b/bin/cn_mini.mmdb
--- a/bin/geosite.dat
+++ b/bin/geosite.dat
--- a/bin/meta_db.tar.gz
+++ b/bin/meta_db.tar.gz
--- a/bin/meta_yacd.tar.gz
+++ b/bin/meta_yacd.tar.gz
--- a/bin/version
+++ b/bin/version
@ -2,5 +2,5 @@ clashnet_v=v1.7.6
 clashpre_v=2022.11.25
 clash_v=v1.7.1
 meta_v=v1.13.2
-GeoIP_v=20221210
 versionsh=1.6.13d
+GeoIP_v=20221231
--- a/bin/yacd.tar.gz
+++ b/bin/yacd.tar.gz
--- a/scripts/clash.sh
+++ b/scripts/clash.sh
@ -516,10 +516,12 @@ setipv6(){
 	[ -z "$ipv6_support" ] && ipv6_support=已开启
 	[ -z "$ipv6_redir" ] && ipv6_redir=未开启
 	[ -z "$ipv6_dns" ] && ipv6_dns=已开启
+	[ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启
 	echo -----------------------------------------------
 	echo -e " 1 ipv6内核支持:  \033[36m$ipv6_support\033[0m  ——用于ipv6节点及规则支持"
-	echo -e " 2 ipv6透明代理:  \033[36m$ipv6_redir\033[0m  ——代理ipv6流量且不支持绕过CN"
-	echo -e " 3 ipv6-DNS解析:  \033[36m$ipv6_dns\033[0m  ——决定内置DNS是否返回ipv6地址"		
+	echo -e " 2 ipv6透明代理:  \033[36m$ipv6_redir\033[0m  ——代理ipv6流量"
+	echo -e " 3 ipv6-DNS解析:  \033[36m$ipv6_dns\033[0m  ——决定内置DNS是否返回ipv6地址"	
+	echo -e " 4 CN-ipv6绕过内核:   \033[36m$cn_ipv6_route\033[0m  ——优化性能，不兼容fake-ip"	
 	echo -----------------------------------------------
 	read -p "请输入对应数字 > " num		
 	case $num in
@ -547,6 +549,22 @@ setipv6(){
 		setconfig ipv6_dns $ipv6_dns
 		setipv6
 	;;
+	4)
+		if [ "$ipv6_redir" = "未开启" ]; then
+			ipv6_support=已开启
+			ipv6_redir=已开启
+			setconfig ipv6_redir $ipv6_redir
+			setconfig ipv6_support $ipv6_support
+		fi
+		if [ -n "$(ipset -v 2>/dev/null)" -o -n "$(echo $redir_mod | grep Nft)" ];then
+			[ "$cn_ipv6_route" = "未开启" ] && cn_ipv6_route=已开启 || cn_ipv6_route=未开启
+			setconfig cn_ipv6_route $cn_ipv6_route
+		else
+			echo -e "\033[31m当前设备缺少ipset模块或未使用Nft模式，无法启用绕过功能！！\033[0m"
+			sleep 1
+		fi
+		setipv6
+	;;
 	*)
 		errornum
 	;;
@ -1153,7 +1171,7 @@ clashcfg(){
 		echo -----------------------------------------------
 		if [ -n "$(echo "$redir_mod" | grep -oE '混合|Tproxy|Tun')" ];then
 			if [ "$quic_rj" = "未开启" ]; then 
-				echo -e "\033[33m已禁止QUCI流量通过clash内核！！\033[0m"
+				echo -e "\033[33m已禁止QUIC流量通过clash内核！！\033[0m"
 				quic_rj=已启用
 			else
 				echo -e "\033[33m已取消禁止QUIC协议流量！！\033[0m"
--- a/scripts/start.sh
+++ b/scripts/start.sh
@ -19,6 +19,7 @@ getconfig(){
 	[ -z "$ipv6_support" ] && ipv6_support=已开启
 	[ -z "$ipv6_redir" ] && ipv6_redir=未开启
 	[ -z "$ipv6_dns" ] && ipv6_dns=已开启
+	[ -z "$cn_ipv6_route" ] && cn_ipv6_route=未开启
 	[ -z "$mix_port" ] && mix_port=7890
 	[ -z "$redir_port" ] && redir_port=7892
 	[ -z "$tproxy_port" ] && tproxy_port=7893
@ -454,6 +455,25 @@ cn_ip_route(){
 			rm -rf cn_$USER.ipset
 	}
 }
+cn_ipv6_route(){
+	[ ! -f $bindir/china_ipv6_list.txt ] && {
+		if [ -f $clashdir/china_ipv6_list.txt ];then
+			mv $clashdir/china_ipv6_list.txt $bindir/china_ipv6_list.txt
+		else
+			logger "未找到cn_ipv6列表，正在下载！" 33
+			$0 webget $bindir/china_ipv6_list.txt "$update_url/bin/china_ipv6_list.txt"
+			[ "$?" = "1" ] && rm -rf $bindir/china_ipv6_list.txt && logger "列表下载失败！" 31 
+		fi
+	}
+	[ -f $bindir/china_ipv6_list.txt -a -z "$(echo $redir_mod|grep 'Nft')" ] && {
+			#ipv6
+			echo "create cn_ip6 hash:net family inet6 hashsize 1024 maxelem 65536" > /tmp/cn6_$USER.ipset
+			awk '!/^$/&&!/^#/{printf("add cn_ip6 %s'" "'\n",$0)}' $bindir/china_ipv6_list.txt >> /tmp/cn6_$USER.ipset
+			ipset -! flush cn_ip6 2>/dev/null
+			ipset -! restore < /tmp/cn6_$USER.ipset 
+			rm -rf cn6_$USER.ipset
+	}
+}
 start_redir(){
 	#获取局域网host地址
 	host_lan
@ -495,6 +515,7 @@ start_redir(){
 		ip6tables -t nat -A clashv6 -d ::1/128 -j RETURN
 		ip6tables -t nat -A clashv6 -d fc00::/7 -j RETURN
 		ip6tables -t nat -A clashv6 -d fe80::/10 -j RETURN
+		[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && ip6tables -t nat -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
 		if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 			#mac白名单
 			for mac in $(cat $clashdir/mac); do
@ -611,6 +632,7 @@ start_tproxy(){
 			ip6tables -t mangle -A clashv6 -d ::1/128 -j RETURN
 			ip6tables -t mangle -A clashv6 -d fc00::/7 -j RETURN
 			ip6tables -t mangle -A clashv6 -d fe80::/10 -j RETURN
+			[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
 			tproxy_set6(){
 				if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 					#mac白名单
@ -737,6 +759,7 @@ start_tun(){
 				ip6tables -t mangle -A clashv6 -d ::1/128 -j RETURN
 				ip6tables -t mangle -A clashv6 -d fc00::/7 -j RETURN
 				ip6tables -t mangle -A clashv6 -d fe80::/10 -j RETURN
+				[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && ip6tables -t mangle -A clashv6 -m set --match-set cn_ip6 dst -j RETURN 2>/dev/null
 				if [ "$macfilter_type" = "白名单" -a -n "$(cat $clashdir/mac)" ];then
 					#mac白名单
 					for mac in $(cat $clashdir/mac); do
@ -793,6 +816,10 @@ start_nft(){
 			ip -6 rule add fwmark 1 table 101 2> /dev/null
 			ip -6 route add local ::/0 dev lo table 101 2> /dev/null
 			nft add rule inet shellclash prerouting ip6 daddr {${RESERVED_IP6}} return
+			[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" -a -f $bindir/china_ipv6_list.txt ] && {
+				CN_IP6=$(awk '{printf "%s, ",$1}' $bindir/china_ipv6_list.txt)
+				[ -n "$CN_IP6" ] && nft add rule inet shellclash prerouting ip6 daddr {${CN_IP6}} return
+			}
 			[ -n "$ipv6_wan" ] && {
 				LOCAL_IP6="{$(echo $ipv6_wan | sed s/\ /\,\ /g)}"
 				nft add rule inet shellclash prerouting ip6 daddr {${LOCAL_IP6}} return #屏蔽本机ipv6地址
@ -808,6 +835,7 @@ start_nft(){
 	[ "$quic_rj" = 已启用 ] && {
 		nft add chain inet shellclash input { type filter hook input priority 0 \; }
 		[ -n "$CN_IP" ] && nft add rule inet shellclash input ip daddr {${CN_IP}} return
+		[ -n "$CN_IP6" ] && nft add rule inet shellclash input ip6 daddr {${CN_IP6}} return
 		nft add rule inet shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT'
 	}
 	#代理本机(仅TCP)
@ -917,6 +945,10 @@ stop_firewall(){
 		#tun
 		ip6tables -D FORWARD -o utun -j ACCEPT 2> /dev/null
 		ip6tables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" -j REJECT >/dev/null 2>&1
+		#屏蔽QUIC
+		[ "$dns_mod" = "redir_host" -a "$cn_ipv6_route" = "已开启" ] && set_cn_ip6='-m set ! --match-set cn_ip6 dst'
+		iptables -D INPUT -p udp --dport 443 -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null
+		iptables -D FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip6 -j REJECT 2> /dev/null
 		#公网访问
 		ip6tables -D INPUT -p tcp --dport $mix_port -j REJECT 2> /dev/null
 		ip6tables -D INPUT -p tcp --dport $mix_port -j ACCEPT 2> /dev/null
@ -930,6 +962,7 @@ stop_firewall(){
 	}
 	#清理ipset规则
 	ipset destroy cn_ip >/dev/null 2>&1
+	ipset destroy cn_ip6 >/dev/null 2>&1
 	#移除dnsmasq转发规则
 	[ "$dns_redir" = "已开启" ] && {
 		uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
@ -1148,6 +1181,7 @@ afstart(){
 		#设置DNS转发
 		start_dns(){
 			[ "$dns_mod" = "redir_host" ] && [ "$cn_ip_route" = "已开启" ] && cn_ip_route
+			[ "$ipv6_redir" = "已开启" ] && [ "$dns_mod" = "redir_host" ] && [ "$cn_ipv6_route" = "已开启" ] && cn_ipv6_route
 			if [ "$dns_no" != "已禁用" ];then
 				if [ "$dns_redir" != "已开启" ];then
 					[ -n "$(echo $redir_mod|grep Nft)" ] && start_nft_dns || start_ipt_dns