重写nftables防火墙

2024-11-16 11:42:18 +08:00 · 2024-03-03 19:12:31 +08:00 · 2024-03-03 19:12:31 +08:00 · a2621a01b8
commit a2621a01b8
parent bbd3ed85c6
4 changed files with 369 additions and 278 deletions
--- a/scripts/getdate.sh
+++ b/scripts/getdate.sh
@ -2142,10 +2142,6 @@ userguide(){
 		elif [ "$num" = 1 ];then
 			#设置运行模式
 			redir_mod="Redir模式"
-			ckcmd nft && {
-				redir_mod="Nft基础"
-				modprobe nft_tproxy >/dev/null 2>&1 && redir_mod="Nft混合"
-			}
 			setconfig redir_mod "$redir_mod"
 			#自动识别IPV6
 			[ -n "$(ip a 2>&1 | grep -w 'inet6' | grep -E 'global' | sed 's/.*inet6.//g' | sed 's/scope.*$//g')" ] && {
@ -2386,7 +2382,7 @@ testcommand(){
 		exit;
 	elif [ "$num" = 4 ]; then

-		if [ -n "$(echo $redir_mod | grep 'Nft')" -o "$local_type" = "nftables增强模式" ];then
+		if [ "$firewall_mod" = "nftables" ];then
 			nft list table inet shellcrash
 		else
 			echo -------------------Redir---------------------
--- a/scripts/init.sh
+++ b/scripts/init.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 # Copyright (C) Juewuy

-version=1.9.0pre13
+version=test

 setdir(){
 	dir_avail(){
@ -201,6 +201,12 @@ else
 	COMMAND='"$TMPDIR/CrashCore -d $BINDIR -f $TMPDIR/config.yaml"'
 fi
 setconfig COMMAND "$COMMAND" ${CRASHDIR}/configs/command.env
+#设置防火墙执行模式
+[ -z "$(grep firewall_mod $CRASHDIR/configs/ShellClash.cfg 2>/dev/null)" ] && {
+	ckcmd iptables && firewall_mod=iptables
+	nft add table inet shellcrash 2>/dev/null && firewall_mod=nftables
+	setconfig firewall_mod $firewall_mod
+}
 #设置更新地址
 [ -n "$url" ] && setconfig update_url $url
 #设置环境变量
@ -307,5 +313,7 @@ sed -i "s/clash_v/core_v/g" $configpath
 sed -i "s/clash.meta/meta/g" $configpath
 sed -i "s/ShellClash/ShellCrash/g" $configpath
 sed -i "s/cpucore=armv8/cpucore=arm64/g" $configpath
+sed -i "s/redir_mod=Nft基础/redir_mod=Redir模式/g" $configpath
+sed -i "s/redir_mod=Nft混合/redir_mod=Tproxy模式/g" $configpath

 echo -e "\033[32m脚本初始化完成,请输入\033[30;47m crash \033[0;33m命令开始使用！\033[0m"
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@ -1115,110 +1115,164 @@ setboot(){ #启动相关设置
 	esac	

 }
-metacfg(){
-	echo -----------------------------------------------
-	
-}
-normal_set(){ #基础设置
 set_redir_mod(){
 	set_redir_config(){
 		setconfig redir_mod $redir_mod
 		setconfig dns_mod $dns_mod 
-			if [ "$redir_mod" = "混合模式" -o "$redir_mod" = "Tun模式" ] && [ "$crashcore" = "clash" ];then
-				rm -rf ${BINDIR}/clash
-				rm -rf ${CRASHDIR}/clash
-				setconfig crashcore meta
-			fi
 		echo -----------------------------------------------	
 		echo -e "\033[36m已设为 $redir_mod ！！\033[0m"
 	}
-		[ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] && sup_tp=1
 	[ -n "$(ls /dev/net/tun 2>/dev/null)" ] || ip tuntap >/dev/null 2>&1 && sup_tun=1
-		nft add table inet shellcrash 2>/dev/null && sup_nft=1 && modprobe nft_tproxy >/dev/null 2>&1 && sup_nft=2
+	[ -z "$firewall_area" ] && firewall_area=1
+	firewall_area_dsc=$(echo "仅局域网 仅本机 局域网+本机 已禁用 主-旁转发($bypass_host)" | cut -d' ' -f$firewall_area)
 	echo -----------------------------------------------
 	echo -e "当前代理模式为：\033[47;30m$redir_mod\033[0m；ShellCrash核心为：\033[47;30m $crashcore \033[0m"
 	echo -e "\033[33m切换模式后需要手动重启服务以生效！\033[0m"
 	echo -----------------------------------------------
-		ckcmd iptables && echo -e " 1 \033[32mRedir模式\033[0m：    Redir转发TCP，不转发UDP"
-		[ -n "$sup_tun" ] && echo -e " 2 \033[36m混合模式\033[0m：     Redir转发TCP，Tun转发UDP"
-		[ -n "$sup_tun" ] && echo -e " 4 \033[33mTun模式\033[0m：      使用Tun转发TCP&UDP(占用高)"
-		[ -n "$sup_tp" ] && echo -e " 5 \033[32mTproxy模式\033[0m：   使用Tproxy转发TCP&UDP"
-		[ -n "$sup_nft" ] && echo -e " 6 \033[36mNft基础\033[0m：      使用nftables转发TCP，不转发UDP"
-		[ "$sup_nft" = 2 ] && echo -e " 7 \033[32mNft混合\033[0m：      使用nft_tproxy转发TCP&UDP"
-		echo -e " 8 \033[36m纯净模式\033[0m：     不设置流量转发"
+	[ -n "$firewall_mod" ] && {
+		if [ $firewall_area -le 4 ];then
+			echo -e " 1 \033[32mRedir模式\033[0m：    Redir转发TCP，不转发UDP"
+			echo -e " 2 \033[36m混合模式\033[0m：     Redir转发TCP，Tun转发UDP"
+			echo -e " 3 \033[32mTproxy模式\033[0m：   Tproxy转发TCP&UDP"
+			echo -e " 4 \033[33mTun模式\033[0m：      Tun转发TCP&UDP(占用高不推荐)"
+		else
+			echo -e " 5 \033[32mTCP旁路转发\033[0m：    仅转发TCP流量至旁路由"
+			echo -e " 6 \033[36mT&U旁路转发\033[0m：    转发TCP&UDP流量至旁路由"
+		fi
+		echo -----------------------------------------------
+		echo -e " 7 设置劫持范围：\033[47;30m$firewall_area_dsc\033[0m"
+		echo -e " 8 切换防火墙应用：\033[47;30m$firewall_mod\033[0m"
+	}
+	
 	echo " 0 返回上级菜单"
 	read -p "请输入对应数字 > " num	
-		if [ -z "$num" ]; then
-			errornum
-		elif [ "$num" = 0 ]; then
-			i=
-		elif [ "$num" = 1 ]; then
+	case $num in 
+	0) ;;
+	1)
 		redir_mod=Redir模式
-			dns_mod=redir_host
 		set_redir_config
-
-		elif [ "$num" = 2 ]; then
-			[ -n "$sup_tun" ] || {
-				echo -e "\033[32m设备未检测到Tun内核模块，可能无法代理UDP流量！\033[0m"
-				sleep 1
-			}
+		set_redir_mod
+	;;
+	2)
+		if [ -n "$sup_tun" ];then
 			redir_mod=混合模式
 			set_redir_config
-			
-		elif [ "$num" = 3 ]; then
-			if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then
-				read -p "当前设备的QOS服务与本模式冲突，是否禁用相关功能？(1/0) > " res
-				[ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy混合
 		else
-				redir_mod=Tproxy混合
+			echo -e "\033[31m设备未检测到Tun内核模块，请尝试其他模式或者安装相关依赖！\033[0m"
+			sleep 1
 		fi
+		set_redir_mod
+	;;
+	3)
+		if [ "$firewall_mod" = "iptables" ] ;then
+			if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then
+				read -p "xiaomi设备的QOS服务与本模式冲突，是否禁用相关功能？(1/0) > " res
+				[ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy模式
+			elif [ -n "$(iptables -j TPROXY 2>&1 | grep 'on-port')" ] ;then
+				redir_mod=Tproxy模式
 				set_redir_config
-			
-		elif [ "$num" = 4 ]; then
+			else
+				echo -e "\033[31m设备未检测到iptables-mod-tproxy模块，请尝试其他模式或者安装相关依赖！\033[0m"
+				sleep 1					
+			fi	
+		elif [ "$firewall_mod" = "nftables" ] ;then
+			if modprobe nft_tproxy >/dev/null 2>&1;then
+				redir_mod=Tproxy模式
+				set_redir_config
+			else
+				echo -e "\033[31m设备未检测到nft_tproxy内核模块，请尝试其他模式或者安装相关依赖！\033[0m"
+				sleep 1					
+			fi
+		fi
+		set_redir_mod
+	;;
+	4)
+		if [ -n "$sup_tun" ];then
 			redir_mod=Tun模式
 			set_redir_config
-			
-		elif [ "$num" = 5 ]; then
-			if [ -f /etc/init.d/qca-nss-ecm -a "$systype" = "mi_snapshot" ] ;then
-				read -p "当前设备的QOS服务与本模式冲突，是否禁用相关功能？(1/0) > " res
-				[ "$res" = '1' ] && ${CRASHDIR}/misnap_init.sh tproxyfix && redir_mod=Tproxy模式
 		else
-				redir_mod=Tproxy模式
+			echo -e "\033[31m设备未检测到Tun内核模块，请尝试其他模式或者安装相关依赖！\033[0m"
+			sleep 1
 		fi
+		set_redir_mod
+	;;
+	5)
+		redir_mod=TCP旁路转发
 		set_redir_config
-			
-		elif [ "$num" = 6 ]; then
-			if ckcmd opkg && [ -z "$(opkg list-installed | grep firewall4)" ];then
-				read -p "检测到缺少firewall4依赖，是否自动安装？(1/0) > " res
-				[ "$res" = '1' ] && opkg install firewall4 && redir_mod=Nft基础
-			else
-				redir_mod=Nft基础
-			fi
-			set_redir_config
-			
-		elif [ "$num" = 7 ]; then
-			if ckcmd opkg && [ -z "$(opkg list-installed | grep kmod-nft-tproxy)" ];then
-				read -p "检测到缺少kmod-nft-tproxy依赖，是否自动安装？(1/0) > " res
-				[ "$res" = '1' ] && opkg install kmod-nft-tproxy && redir_mod=Nft混合
-			else
-				redir_mod=Nft混合
-			fi
-			set_redir_config	
-			
-		elif [ "$num" = 8 ]; then
-			redir_mod=纯净模式	
+		set_redir_mod
+	;;
+	6)
+		redir_mod=T&U旁路转发
 		set_redir_config
+		set_redir_mod
+	;;
+	7)
 		echo -----------------------------------------------
-			echo -e "\033[33m当前模式需要手动在设备WiFi或应用中配置HTTP或sock5代理\033[0m"
-			echo -e "HTTP/SOCK5代理服务器地址：\033[30;47m$host\033[0m;端口均为：\033[30;47m$mix_port\033[0m"
-			echo -e "也可以使用更便捷的PAC自动代理，PAC代理链接为："
-			echo -e "\033[30;47m http://$host:$db_port/ui/pac \033[0m"
-			echo -e "PAC的使用教程请参考：\033[4;32mhttps://juewuy.github.io/ehRUeewcv\033[0m"
-			sleep 2
+		echo -e "\033[31m注意：\033[0m基于桥接网卡的Docker/虚拟机流量，请使用1或3！"
+		echo -----------------------------------------------
+		echo -e " 1 \033[32m仅劫持局域网流量\033[0m"
+		echo -e " 2 \033[36m仅劫持本机流量\033[0m"
+		echo -e " 3 \033[32m劫持局域网+本机流量\033[0m"
+		echo -e " 4 不配置流量劫持(纯净模式)\033[0m"
+		echo -e " 5 \033[33m转发局域网流量到旁路由设备\033[0m"
+		echo -----------------------------------------------
+		read -p "请输入对应数字 > " num	
+		case $num in
+		[1-4]) 
+			[ "$firewall_area" = 5 ] && {
+				redir_mod=Redir模式
+				setconfig redir_mod $redir_mod	
+			}
+			firewall_area=$num
+			setconfig firewall_area $firewall_area
+		;;
+		5) 
+			echo -----------------------------------------------
+			echo -e "\033[31m注意：\033[0m此功能存在多种风险如无网络基础请勿尝试！"
+			echo -e "\033[33m说明：\033[0m此功能不启动内核仅配置防火墙转发，且子设备无需额外设置网关DNS"
+			echo -e "\033[33m说明：\033[0支持防火墙分流及设备过滤，支持部分定时任务，但不支持ipv6！"
+			echo -e "\033[31m注意：\033[0如需代理UDP，请确保旁路由运行了支持UDP代理的模式！"
+			echo -----------------------------------------------
+			read -p "请输入旁路由IPV4地址 > " bypass_host
+			[ -n "$bypass_host" ] && {
+				firewall_area=$num
+				setconfig firewall_area $firewall_area
+				setconfig bypass_host $bypass_host
+				redir_mod=TCP旁路转发
+				setconfig redir_mod $redir_mod
+			}
+		;;
+		*) errornum ;;
+		esac
+		sleep 1
+		set_redir_mod
+	;;	
+	8)
+		if [ "$firewall_mod" = 'iptables' ];then
+			if nft add table inet shellcrash 2>/dev/null;then
+				firewall_mod=nftables
+				redir_mod=Redir模式
+				setconfig redir_mod $redir_mod
 			else
-			errornum
+				echo -e "\033[31m当前设备未安装nftables或者nftables版本过低(<1.0.2),无法切换！\033[0m" 
 			fi
-
+		else
+			if ckcmd iptables;then
+				firewall_mod=iptables
+				redir_mod=Redir模式
+				setconfig redir_mod $redir_mod
+			else
+				echo -e "\033[31m当前设备未安装iptables,无法切换！\033[0m" 
+			fi
+		fi
+		sleep 1
+		setconfig firewall_mod $firewall_mod
+		set_redir_mod
+	;;			
+	*)
+		errornum
+	;;
+	esac
 }
 set_dns_mod(){
 	echo -----------------------------------------------
@ -1297,6 +1351,7 @@ normal_set(){ #基础设置
 	;;
 	esac
 }
+normal_set(){ #基础设置
 	#获取设置默认显示
 	[ -z "$skip_cert" ] && skip_cert=已开启
 	[ -z "$common_ports" ] && common_ports=已开启
--- a/scripts/start.sh
+++ b/scripts/start.sh
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # Copyright (C) Juewuy

 #初始化目录
@ -1168,107 +1168,110 @@ start_tun(){ #iptables-tun
 	fi
 }
 start_nft(){ #nftables-allinone
-	#获取局域网host地址
-	getlanip
+	table_type=$1
+	[ -n "$2" ] && table=$2 || table=$1
 	[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
 	RESERVED_IP=$(echo $reserve_ipv4 | sed 's/ /, /g')
-	LOCAL_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
+	if [ "$1" = 'output' ];then
+		HOST_IP="127.0.0.0/8, $(echo $local_ipv4 | sed 's/ /, /g')"
+		chain_type=route
+	else
 		HOST_IP=$(echo $host_ipv4 | sed 's/ /, /g')
-	#设置策略路由
-	ip rule add fwmark $fwmark table 100
-	ip route add local default dev lo table 100
-	[ "$redir_mod" = "Nft基础" ] && \
-		nft add chain inet shellcrash prerouting { type nat hook prerouting priority -100 \; }
-	[ "$redir_mod" = "Nft混合" ] && {
+		chain_type=nat
+	fi
+	#不同模式调整
+	[ "$redir_mod" = "Redir模式" ] && \
+		nft add chain inet shellcrash $table { type nat hook $table_type priority -100 \; }
+	[ "$redir_mod" = "Tproxy模式" ] && {
 		modprobe nft_tproxy >/dev/null 2>&1
-		nft add chain inet shellcrash prerouting { type filter hook prerouting priority 0 \; }
+		nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
+	}
+	[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && {
+		modprobe tun >/dev/null 2>&1
+		i=1
+		while [ -z "$(ip route list |grep utun)" -a "$i" -le 29 ];do
+			sleep 1
+			i=$((i+1))
+		done
+		if [ -z "$(ip route list |grep utun)" ];then
+			logger "找不到tun模块，放弃启动tun相关防火墙规则！" 31
+			exit 1
+		else
+			nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
+		fi
+	}
+	[ "$firewall_area" = 5 ] && {
+		nft add chain inet shellcrash $table { type $chain_type hook $table_type priority mangle \; }
+		nft add rule inet shellcrash $table ip daddr {$bypass_host} return
 	}
-	[ -n "$(echo $redir_mod|grep Nft)" ] && {
 	#过滤局域网设备
 	[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
 		MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
 		[ "$macfilter_type" = "黑名单" ] && \
-				nft add rule inet shellcrash prerouting ether saddr {$MAC} return || \
-				nft add rule inet shellcrash prerouting ether saddr != {$MAC} return
+			nft add rule inet shellcrash $table ether saddr {$MAC} return || \
+			nft add rule inet shellcrash $table ether saddr != {$MAC} return
 	}
 	#过滤保留地址
-		nft add rule inet shellcrash prerouting ip daddr {$RESERVED_IP} return
+	nft add rule inet shellcrash $table ip daddr {$RESERVED_IP} return
 	#仅代理本机局域网网段流量
-		nft add rule inet shellcrash prerouting ip saddr != {$HOST_IP} return
+	nft add rule inet shellcrash $table ip saddr != {$HOST_IP} return
 	#绕过CN-IP
 	[ "$dns_mod" != "fake-ip" -a "$cn_ip_route" = "已开启" -a -f ${BINDIR}/cn_ip.txt ] && {
 		CN_IP=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ip.txt)
-			[ -n "$CN_IP" ] && nft add rule inet shellcrash prerouting ip daddr {$CN_IP} return
+		[ -n "$CN_IP" ] && nft add rule inet shellcrash $table ip daddr {$CN_IP} return
 	}
 	#过滤常用端口
-		[ -n "$PORTS" ] && nft add rule inet shellcrash prerouting tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return
-		#ipv6支持
-		if [ "$ipv6_redir" = "已开启" ];then
+	[ -n "$PORTS" ] && nft add rule inet shellcrash $table tcp dport != {$PORTS} ip daddr != {198.18.0.0/16} return
+	#局域网ipv6支持
+	if [ "$ipv6_redir" = "已开启" -a "$table_type" = 'prerouting' -a "$firewall_area" != 5 ];then
 		RESERVED_IP6="$(echo "$reserve_ipv6 $host_ipv6" | sed 's/ /, /g')"
 		HOST_IP6="$(echo $host_ipv6 | sed 's/ /, /g')"
 		ip -6 rule add fwmark $fwmark table 101 2> /dev/null
 		ip -6 route add local ::/0 dev lo table 101 2> /dev/null
 		#过滤保留地址及本机地址
-			nft add rule inet shellcrash prerouting ip6 daddr {$RESERVED_IP6} return
+		nft add rule inet shellcrash $table ip6 daddr {$RESERVED_IP6} return
 		#仅代理本机局域网网段流量
-			nft add rule inet shellcrash prerouting ip6 saddr != {$HOST_IP6} return
+		nft add rule inet shellcrash $table ip6 saddr != {$HOST_IP6} return
 		#绕过CN_IPV6
 		[ "$dns_mod" != "fake-ip" -a "$cn_ipv6_route" = "已开启" -a -f ${BINDIR}/cn_ipv6.txt ] && {
 			CN_IP6=$(awk '{printf "%s, ",$1}' ${BINDIR}/cn_ipv6.txt)
-				[ -n "$CN_IP6" ] && nft add rule inet shellcrash prerouting ip6 daddr {$CN_IP6} return
+			[ -n "$CN_IP6" ] && nft add rule inet shellcrash $table ip6 daddr {$CN_IP6} return
 		}
 	else
-			nft add rule inet shellcrash prerouting meta nfproto ipv6 return
+		nft add rule inet shellcrash $table meta nfproto ipv6 return
 	fi
-		#透明路由
-		[ "$redir_mod" = "Nft基础" ] && nft add rule inet shellcrash prerouting meta l4proto tcp mark set $fwmark redirect to $redir_port
-		[ "$redir_mod" = "Nft混合" ] && nft add rule inet shellcrash prerouting meta l4proto {tcp, udp} mark set $fwmark tproxy to :$tproxy_port
-	}
-	#屏蔽QUIC
-	[ "$quic_rj" = 已启用 ] && {
-		nft add chain inet shellcrash input { type filter hook input priority 0 \; }
-		[ -n "$CN_IP" ] && nft add rule inet shellcrash input ip daddr {$CN_IP} return
-		[ -n "$CN_IP6" ] && nft add rule inet shellcrash input ip6 daddr {$CN_IP6} return
-		nft add rule inet shellcrash input udp dport 443 reject comment 'ShellCrash-QUIC-REJECT'
-	}
-	#代理本机(仅TCP)
-	[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && {
-		#dns
-		[ "$dns_no" != "已禁用" ] && {
-			[ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && echo 'nameserver 127.0.0.1' >> /etc/resolv.conf #修复部分虚拟机dns查询失败的问题
-			nft add chain inet shellcrash dns_out { type nat hook output priority -100 \; }
-			nft add rule inet shellcrash dns_out meta skgid { 453, 7890 } return && \
-			nft add rule inet shellcrash dns_out udp dport 53 redirect to $dns_port
-		}
-		#output
-		nft add chain inet shellcrash output { type nat hook output priority -100 \; }
-		nft add rule inet shellcrash output meta skgid 7890 return && {
-			[ -n "$PORTS" ] && nft add rule inet shellcrash output tcp dport != {$PORTS} return
-			nft add rule inet shellcrash output ip daddr {$RESERVED_IP} return
-			nft add rule inet shellcrash output ip saddr != {$LOCAL_IP} return
-			nft add rule inet shellcrash output meta l4proto tcp mark set $fwmark redirect to $redir_port
-		}
-		#Docker
-		type docker >/dev/null 2>&1 && {
-			nft add chain inet shellcrash docker { type nat hook prerouting priority -100 \; }
-			nft add rule inet shellcrash docker ip saddr != {172.16.0.0/12} return #进代理docker网段
-			nft add rule inet shellcrash docker ip daddr {$RESERVED_IP} return #过滤保留地址
-			nft add rule inet shellcrash docker udp dport 53 redirect to $dns_port
-			nft add rule inet shellcrash docker meta l4proto tcp mark set $fwmark redirect to $redir_port
+	#	nft add rule inet shellcrash local_tproxy log prefix \"pre\" level debug
+	[ "$table_type" = 'output' ] && nft add rule inet shellcrash $table meta skgid 7890 return #本机流量防回环
+	[ "$redir_mod" = "Redir模式" ] && nft add rule inet shellcrash $table meta l4proto tcp redirect to $redir_port	
+	[ "$redir_mod" = "混合模式" ] && {
+		nft add rule inet shellcrash $table meta l4proto udp mark set $fwmark
+		nft add rule inet shellcrash $table meta l4proto tcp mark set $((fwmark + 1))
+		nft add chain inet shellcrash ${table}_mixtcp { type nat hook $table_type priority -100 \; }
+		nft add rule inet shellcrash ${table}_mixtcp mark == $((fwmark + 1)) meta l4proto tcp redirect to $redir_port
 	}	
+	[ "$redir_mod" = "Tproxy模式" ] && {
+		nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
+		nft add chain inet shellcrash ${table}_tproxy { type filter hook $table_type priority -100 \; }
+		nft add rule inet shellcrash ${table}_tproxy meta mark == $fwmark meta l4proto {tcp, udp} tproxy to :$tproxy_port
 	}
+	[ "$redir_mod" = "Tun模式" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
+	[ "$redir_mod" = "TCP旁路转发" ] && nft add rule inet shellcrash $table meta l4proto tcp mark set $fwmark
+	[ "$redir_mod" = "T&U旁路转发" ] && nft add rule inet shellcrash $table meta l4proto {tcp, udp} mark set $fwmark
 }
 start_nft_dns(){ #nftables-dns
-	nft add chain inet shellcrash dns { type nat hook prerouting priority -100 \; }
+	nft add chain inet shellcrash ${1}_dns { type nat hook $1 priority -100 \; }
 	#过滤局域网设备
 	[ -n "$(cat ${CRASHDIR}/configs/mac)" ] && {
 		MAC=$(awk '{printf "%s, ",$1}' ${CRASHDIR}/configs/mac)
 		[ "$macfilter_type" = "黑名单" ] && \
-			nft add rule inet shellcrash dns ether saddr {$MAC} return || \
-			nft add rule inet shellcrash dns ether saddr != {$MAC} return
+			nft add rule inet shellcrash ${1}_dns ether saddr {$MAC} return || \
+			nft add rule inet shellcrash ${1}_dns ether saddr != {$MAC} return
 	}
-	nft add rule inet shellcrash dns udp dport 53 redirect to ${dns_port}
-	nft add rule inet shellcrash dns tcp dport 53 redirect to ${dns_port}
+	[ "$1" = 'output' ] && {
+		nft add rule inet shellcrash ${1}_dns meta skgid { 453, 7890 } return
+	}
+	nft add rule inet shellcrash ${1}_dns udp dport 53 redirect to ${dns_port}
+	nft add rule inet shellcrash ${1}_dns tcp dport 53 redirect to ${dns_port}
 }
 start_wan(){ #iptables公网访问防火墙
 	#获取局域网host地址
@ -1403,6 +1406,8 @@ stop_firewall(){ #还原防火墙配置
 	}
 	#还原防火墙文件
 	[ -s /etc/init.d/firewall.bak ] && mv -f /etc/init.d/firewall.bak /etc/init.d/firewall
+	#others
+	sed -i '/shellcrash-dns-repair/d' /etc/resolv.conf
 }
 #启动相关
 web_save(){ #最小化保存面板节点选择
@ -1664,6 +1669,7 @@ afstart(){ #启动后

 	#读取配置文件
 	getconfig
+	[ -z "$firewall_area" ] && firewall_area=1
 	#延迟启动
 	[ ! -f ${TMPDIR}/crash_start_time ] && [ -n "$start_delay" ] && [ "$start_delay" -gt 0 ] && {
 		logger "ShellCrash将延迟$start_delay秒启动" 31 pushoff
@ -1686,7 +1692,8 @@ afstart(){ #启动后
 		start_dns(){
 			if [ "$dns_no" != "已禁用" ];then
 				if [ "$dns_redir" != "已开启" ];then
-					[ -n "$(echo $redir_mod|grep Nft)" ] && start_nft_dns || start_ipt_dns
+					[ "$firewall_mod" = 'iptables' ] && start_ipt_dns
+					[ "$firewall_mod" = 'nftables' ] && start_nft_dns prerouting
 				else
 					#openwrt使用dnsmasq转发
 					uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
@ -1700,21 +1707,46 @@ afstart(){ #启动后
 			return 0
 		}
 		#设置路由规则
+		[ "$firewall_area" != 4 ] && {
+			getlanip #获取局域网host地址
+			#设置策略路由
+			[ "$redir_mod" = "Tproxy模式" ] && ip route add local default dev lo table 100
+			[ "$redir_mod" = "Tun模式" -o "$redir_mod" = "混合模式" ] && ip route add default dev utun table 100
+			[ "$firewall_area" = 5 ] && ip route add default via $bypass_host table 100
+			[ "$redir_mod" != "纯净模式" -a "$redir_mod" != "Redir模式" ] && ip rule add fwmark $fwmark table 100
+			[ "$firewall_mod" = 'iptables' ] && {
 				[ "$redir_mod" = "Redir模式" ] && start_dns && start_redir 	
 				[ "$redir_mod" = "混合模式" ] && start_dns && start_redir && start_tun udp
-		[ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
 				[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun all
 				[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
-		[ -n "$(echo $redir_mod|grep Nft)" -o "$local_type" = "nftables增强模式" ] && {
+				[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && start_output #设置本机代理
+			}
+			[ "$firewall_mod" = 'nftables' ] && {
 				nft add table inet shellcrash #初始化nftables
 				nft flush table inet shellcrash
+				#局域网代理
+				[ "$firewall_area" = 1 -o "$firewall_area" = 3 -o "$firewall_area" = 5 ] && {
+					start_dns
+					start_nft prerouting
+					#屏蔽QUIC
+					[ "$quic_rj" = 已启用 ] && {
+						nft add chain inet shellcrash input { type filter hook input priority 0 \; }
+						[ -n "$CN_IP" ] && nft add rule inet shellcrash input ip daddr {$CN_IP} return
+						[ -n "$CN_IP6" ] && nft add rule inet shellcrash input ip6 daddr {$CN_IP6} return
+						nft add rule inet shellcrash input udp dport 443 reject comment 'ShellCrash-QUIC-REJECT'
+					}
 				}
-		[ -n "$(echo $redir_mod|grep Nft)" ] && start_dns && start_nft
 				#设置本机代理
-		[ "$local_proxy" = "已开启" ] && {
-			[ "$local_type" = "环境变量" ] && $0 set_proxy $mix_port $db_port
-			[ "$local_type" = "iptables增强模式" ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && start_output
-			[ "$local_type" = "nftables增强模式" ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && [ "$redir_mod" = "纯净模式" ] && start_nft
+				[ "$firewall_area" = 2 -o "$firewall_area" = 3 ] && [ -n "$(grep '0:7890' /etc/passwd)" ] && {
+					start_nft_dns output
+					start_nft output
+					#修复部分虚拟机dns查询失败的问题
+					[ -z "$(grep 'nameserver 127.0.0.1' /etc/resolv.conf 2>/dev/null)" ] && {
+						line=$(grep -n 'nameserver' /etc/resolv.conf | awk -F: 'FNR==1{print $1}')
+						sed -i "$line i\nameserver 127.0.0.1 #shellcrash-dns-repair" /etc/resolv.conf 
+					}
+				}
+			}
 		}
 		ckcmd iptables && start_wan #本地防火墙
 		mark_time #标记启动时间