0.2.4

Вкладки + cron + перевод + ci

.github/workflows/build.yml

@@ -1,5 +1,4 @@
 name: Build packages
-
 on:
   push:
     tags:
@@ -9,7 +8,6 @@ jobs:
   build:
     name: Build podkop and luci-app-podkop
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4.2.1
 
@@ -27,10 +25,20 @@ jobs:
           docker cp podkop:/builder/bin/packages/x86_64/utilites/. ./bin/
           docker cp podkop:/builder/bin/packages/x86_64/luci/. ./bin/
 
+      - name: Filter IPK files
+        run: |
+          # Извлекаем версию из тега, убирая префикс 'v'
+          VERSION=${GITHUB_REF#refs/tags/v}
+
+          mkdir -p ./filtered-bin
+          cp ./bin/luci-i18n-podkop-ru_*.ipk "./filtered-bin/luci-i18n-podkop-ru_${VERSION}.ipk"
+          cp ./bin/podkop_*.ipk ./filtered-bin/
+          cp ./bin/luci-app-podkop_*.ipk ./filtered-bin/
+
       - name: Remove Docker container
         run: docker rm podkop
 
       - name: Release
         uses: softprops/action-gh-release@v2.0.8
         with:
-          files: ./bin/*.ipk
+          files: ./filtered-bin/*.ipk

Dockerfile

@@ -1,6 +1,6 @@
 FROM openwrt/sdk:x86_64-v23.05.5
 
-RUN ./scripts/feeds update -a && mkdir -p /builder/package/feeds/utilites/ && mkdir -p /builder/package/feeds/luci/
+RUN ./scripts/feeds update -a && ./scripts/feeds install luci-base && mkdir -p /builder/package/feeds/utilites/ && mkdir -p /builder/package/feeds/luci/
 
 COPY ./podkop /builder/package/feeds/utilites/podkop
 COPY ./luci-app-podkop /builder/package/feeds/luci/luci-app-podkop

README.md

@@ -1,42 +1,43 @@
 Это альфа версия, может не работать. Обсуждение https://t.me/itdogchat - топик Podkop dev
 
-# Выпил getdomains
-По минимуму
+Если у вас установлен Getdomains, то его следует удалить.
+
+# Удаление GetDomains скриптом
 ```
-rm /etc/hotplug.d/iface/30-vpnroute
-sed -i '/getdomains start/d' /etc/crontabs/root
-rm /tmp/dnsmasq.d/domains.lst
-service getdomains disable
-rm /etc/init.d/getdomains
-ip route del default scope link table vpn
+sh <(wget -O - https://raw.githubusercontent.com/itdoginfo/domain-routing-openwrt/refs/heads/master/getdomains-uninstall.sh)
 ```
 
-Может потребоваться удалить правила фаервола касающиеся vpn_subnet, internal итд.
+Оставляет туннели, зоны, forwarding. А также stubby и dnscrypt. Они не помешают. Конфиг sing-box будет перезаписан в podkop.
 
-# Установка
+# Установка Podkop
 Пакет работает на всех архитектурах.
 Будет точно работать только на OpenWrt 23.05.
 
 Нужен dnsmasq-full. В автоматическом режиме ставится сам. Вручную надо поставить [самостоятельно](https://github.com/itdoginfo/podkop/blob/952dd6215a2a83d65937cf9e33534c42809091ed/install.sh#L20).
 
-## Вручную
-Сделать `opkg update`, чтоб установились зависимости.
-Скачать пакеты `podkop_*.ipk` и `luci-app-podkop_*.ipk` из релиза. `opkg install` сначала первый, потом второй.
-
-```
-/etc/init.d/ucitrack restart
-```
-
 ## Автоматическая
 ```
 sh <(wget -O - https://raw.githubusercontent.com/itdoginfo/podkop/refs/heads/main/install.sh)
 ```
 
+Скрипт также предложит выбрать, какой туннель будет использоваться. Для выбранного туннеля будут установлены нужные пакеты, а для Wireguard и AmneziaWG также будет предложена автоматическая настройка - прямо в консоли скрипт запросит данные конфига. Для AmneziaWG можно также выбрать вариант с использованием конфига обычного Wireguard и автоматической обфускацией до AmneziaWG.
+
+Для AmneziaWG скрипт проверяет наличие пакетов под вашу платформу в [стороннем репозитории](https://github.com/Slava-Shchipunov/awg-openwrt/releases), так как в официальном репозитории OpenWRT они отсутствуют, и автоматически их устанавливает.
+
+## Вручную
+Сделать `opkg update`, чтоб установились зависимости.
+Скачать пакеты `podkop_*.ipk` и `luci-app-podkop_*.ipk` из релиза. `opkg install` сначала первый, потом второй.
+
 # Удаление
 ```
 opkg remove luci-app-podkop podkop
 ```
 
+Если был установлен русский язык
+```
+opkg remove luci-i18n-podkop-ru
+```
+
 # Использование
 Конфиг: /etc/config/podkop
 
@@ -70,31 +71,71 @@ opkg update && opkg install sing-box
 **Custom subnets enable** - Добавить подсети или IP-адреса. Для подсетей задать маску.
 
 # Известные баги
-1. Не работает proxy при режимах main vpn, second proxy
-2. Не всегда отрабатывает ucitrack (применение настроек из luci)
+- [x] Не работает proxy при режимах main vpn, second proxy
+- [x] Не всегда отрабатывает ucitrack (применение настроек из luci). Не удаётся повторить
+- [x] All traffic for IP ломает инет на клиенте. Proxy mode
+- [x] Не отрабатывает рестарт, при awg и не применяются изменения при awg
+- [x] awg работает не стабильно
+- [ ] Сеть рестартится при любом раскладе
+- [ ] Выкл-вкл wg через luci не отрабатывает поднятие маршрута
 
 # ToDo
+Сделано
 - [x] Скрипт для автоматической установки.
 - [x] Подсети дискорда.
-- [ ] Удаление getdomains через скрипт. Кроме туннеля и sing-box.
-- [х] Дополнительная вкладка для ещё одного туннеля. Домены, подсети.
-- [ ] Зависимость от dnsmasq-full
-- [ ] Wiki
-- [ ] IPv6
-- [ ] Весь трафик для устойства пускать в туннель\прокси
-- [ ] Исключение для IP, не ходить в туннель\прокси совсем 0x0
-- [ ] Придумать автонастройку DNS через stubby итд. Как лучше это реализовать.
+- [x] Удаление getdomains через скрипт. Кроме туннеля и sing-box.
+- [x] Дополнительная вкладка для ещё одного туннеля. Домены, подсети.
+- [x] Улучшение скрипта автоматической установки. Спрашивать про туннели.
+- [x] Зависимость от dnsmasq-full
+- [x] Весь трафик для устойства пускать в туннель\прокси
+- [x] Исключение для IP, не ходить в туннель\прокси совсем 0x0
+- [x] Врубать галочкой yacd в sing-box
+- [x] Свои списки. Просто список доменов с переносом строки 
+- [x] Свои списки ipv4
+- [x] В nft разделить правило tproxy на маркировку и tproxy
+- [x] Вернуть две цепочки nft
+- [x] Ntp (порт 123) делать маркировку 0x0. По галке
+- [x] Открытый прокси порт на роутере для браузеров
+- [x] Автонастройка wireguard по примеру getdomains
+- [x] Автонастройка awg по примеру getdomains
+- [x] RU перевод
+- [x] Переделать на PROCD и выкинуть ucitrack.
+- [x] Нужен дебаг. Restart ucitrack в отдельный скрипт postinst, не отрабатывает.
+- [x] Закомментировать дефолтные значения у list. interface поставить в пустое.
+- [x] Скрипт установки: проверка установлен ли уже podkop. Если да, то просто предлагать обновится без установки тунелей и прокси.
+
+Приоритет 1
+- [x] Изменить название "Alternative Config"
+- [x] "domain_service_enabled" Добавить _second
+- [ ] Установка Ru пакета в install.sh
+- [x] Правка nft mark, tproxy
+- [x] Правка перевода минимальная
+
+Приоритет 2
+- [ ] Списки доменов и подсетей с роутера
 - [ ] Кнопка обновления списка доменов и подсетей
+- [ ] IPv6
+- [ ] Придумать автонастройку DNS через stubby итд. Как лучше это реализовать.
+- [ ] Удаление подсетей CF из domain sets раз в N часов
+
+Wiki
+- [x] Тема
+- [x] Изначальное наполнение
+
+Низкий приоритет
+- [x] Переменная, раз во сколько часов обновлять списки
+- [ ] Галочка, которая режет доступ к doh серверам
+- [ ] Свой конфиг sing-box
+
+Рефактор
+- [ ] Handle для sing-box
+- [ ] Handle для dnsmasq
+- [ ] Формирование json для sing-box на уровне jq, а не шаблонов
 - [ ] Unit тесты (BATS)
 - [ ] Интеграционые тесты бекенда (OpenWrt rootfs + BATS)
-- [ ] Добавить label от конфига vless\ss\etc в luci. Хз как
-- [ ] Удаление подсетей CF из domain sets раз в N часов
-- [ ] Врубать галочкой yacd в sing-box
-- [ ] Свои списки. Вопрос форматирования
-- [ ] В скрипт автоустановки добавить установку AWG по примеру getdomains
-- [ ] Галочка, которая режет доступ к doh серверам
-- [ ] Рефактор dnsmasq restart
-- [ ] Открытый прокси порт на роутере для браузеров
+
+Хз как сделать
+- [ ] Добавить label от конфига vless\ss\etc в luci.
 
 # Разработка
 Есть два варианта:

install.sh

@@ -2,9 +2,11 @@
 
 REPO="https://api.github.com/repos/itdoginfo/podkop/releases/latest"
 
+IS_SHOULD_RESTART_NETWORK=
 DOWNLOAD_DIR="/tmp/podkop"
 mkdir -p "$DOWNLOAD_DIR"
 
+main() {
 wget -qO- "$REPO" | grep -o 'https://[^"]*\.ipk' | while read -r url; do
     filename=$(basename "$url")
     echo "Download $filename..."
@@ -24,12 +26,344 @@ else
     [ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
 fi
 
-echo "Installed..."
+if [ -f "/etc/init.d/podkop" ]; then
+    printf "\033[32;1mPodkop is already installed. Just upgrade it? (y/n)\033[0m\n"
+    printf "\033[32;1my - Only upgrade podkop\033[0m\n"
+    printf "\033[32;1mn - Upgrade and install proxy or tunnels\033[0m\n"
+
+    while true; do
+        read -r -p '' UPDATE
+        case $UPDATE in
+
+        y)
+            echo "Upgraded podkop..."
+            break
+            ;;
+
+        n)
+            add_tunnel
+            break
+            ;;
+    esac
+    done
+else
+    echo "Installed podkop..."
+    add_tunnel
+fi
+
 opkg install $DOWNLOAD_DIR/podkop*.ipk
 opkg install $DOWNLOAD_DIR/luci-app-podkop*.ipk
 
-rm -f $DOWNLOAD_DIR/podkop*.ipk $DOWNLOAD_DIR/luci-app-podkop*.ipk
+echo "Русский язык интерфейса ставим? y/n (Need a Russian translation?)
+while true; do
+    read -r -p '' RUS
+    case $RUS in
 
-#/etc/init.d/ucitrack restart
+    y)
+        opkg install $DOWNLOAD_DIR/luci-i18n-podkop-ru*.ipk
 
-echo "Install sing-box for proxy, or install and configure WG/OpenVPN/AWG/etc for VPN mode"
+        break
+        ;;
+    esac
+done
+
+rm -f $DOWNLOAD_DIR/podkop*.ipk $DOWNLOAD_DIR/luci-app-podkop*.ipk $DOWNLOAD_DIR/luci-i18n-podkop-ru*.ipk
+
+if [ "$IS_SHOULD_RESTART_NETWORK" ]; then
+    printf "\033[32;1mRestart network\033[0m\n"
+    /etc/init.d/network restart
+fi
+}
+
+add_tunnel() {
+    echo "What type of VPN or proxy will be used? We also can automatically configure Wireguard and Amnezia WireGuard."
+    echo "1) VLESS, Shadowsocks (A sing-box will be installed)"
+    echo "2) Wireguard"
+    echo "3) AmneziaWG"
+    echo "4) OpenVPN"
+    echo "5) OpenConnect"
+    echo "6) Skip this step"
+
+    while true; do
+        read -r -p '' TUNNEL
+        case $TUNNEL in
+
+        1)
+            opkg install sing-box
+            break
+            ;;
+
+        2)
+            opkg install wireguard-tools luci-proto-wireguard luci-app-wireguard
+
+            printf "\033[32;1mDo you want to configure the wireguard interface? (y/n): \033[0m\n"
+            read IS_SHOULD_CONFIGURE_WG_INTERFACE
+
+            if [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "y" ] || [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "Y" ]; then
+                wg_awg_setup Wireguard
+            else
+            printf "\e[1;32mUse these instructions to manual configure https://itdog.info/nastrojka-klienta-wireguard-na-openwrt/\e[0m\n"
+            fi
+
+            break
+            ;;
+
+        3)
+            install_awg_packages
+
+            printf "\033[32;1mThere are no instructions for manual configure yet. Do you want to configure the amneziawg interface? (y/n): \033[0m\n"
+            read IS_SHOULD_CONFIGURE_WG_INTERFACE
+
+            if [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "y" ] || [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "Y" ]; then
+                wg_awg_setup AmneziaWG
+            fi
+
+            break
+            ;;
+
+        4)
+            opkg install opkg install openvpn-openssl luci-app-openvpn
+            printf "\e[1;32mUse these instructions to configure https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/\e[0m\n"
+            break
+            ;;
+
+        5)
+            opkg install opkg install openconnect luci-proto-openconnect
+            printf "\e[1;32mUse these instructions to configure https://itdog.info/nastrojka-klienta-openconnect-na-openwrt/\e[0m\n"
+            break
+            ;;
+
+        6)
+            echo "Skip. Use this if you're installing an upgrade."
+            break
+            ;;
+
+        *)
+            echo "Choose from the following options"
+            ;;
+        esac
+    done
+}
+
+handler_network_restart() {
+    IS_SHOULD_RESTART_NETWORK=true
+}
+
+install_awg_packages() {
+    # Получение pkgarch с наибольшим приоритетом
+    PKGARCH=$(opkg print-architecture | awk 'BEGIN {max=0} {if ($3 > max) {max = $3; arch = $2}} END {print arch}')
+
+    TARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 1)
+    SUBTARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 2)
+    VERSION=$(ubus call system board | jsonfilter -e '@.release.version')
+    PKGPOSTFIX="_v${VERSION}_${PKGARCH}_${TARGET}_${SUBTARGET}.ipk"
+    BASE_URL="https://github.com/Slava-Shchipunov/awg-openwrt/releases/download/"
+
+    AWG_DIR="/tmp/amneziawg"
+    mkdir -p "$AWG_DIR"
+    
+    if opkg list-installed | grep -q kmod-amneziawg; then
+        echo "kmod-amneziawg already installed"
+    else
+        KMOD_AMNEZIAWG_FILENAME="kmod-amneziawg${PKGPOSTFIX}"
+        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${KMOD_AMNEZIAWG_FILENAME}"
+        wget -O "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
+
+        if [ $? -eq 0 ]; then
+            echo "kmod-amneziawg file downloaded successfully"
+        else
+            echo "Error downloading kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
+            exit 1
+        fi
+        
+        opkg install "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME"
+
+        if [ $? -eq 0 ]; then
+            echo "kmod-amneziawg file downloaded successfully"
+        else
+            echo "Error installing kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
+            exit 1
+        fi
+    fi
+
+    if opkg list-installed | grep -q amneziawg-tools; then
+        echo "amneziawg-tools already installed"
+    else
+        AMNEZIAWG_TOOLS_FILENAME="amneziawg-tools${PKGPOSTFIX}"
+        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${AMNEZIAWG_TOOLS_FILENAME}"
+        wget -O "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME" "$DOWNLOAD_URL"
+
+        if [ $? -eq 0 ]; then
+            echo "amneziawg-tools file downloaded successfully"
+        else
+            echo "Error downloading amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
+            exit 1
+        fi
+
+        opkg install "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME"
+
+        if [ $? -eq 0 ]; then
+            echo "amneziawg-tools file downloaded successfully"
+        else
+            echo "Error installing amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
+            exit 1
+        fi
+    fi
+    
+    if opkg list-installed | grep -q luci-app-amneziawg; then
+        echo "luci-app-amneziawg already installed"
+    else
+        LUCI_APP_AMNEZIAWG_FILENAME="luci-app-amneziawg${PKGPOSTFIX}"
+        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${LUCI_APP_AMNEZIAWG_FILENAME}"
+        wget -O "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
+
+        if [ $? -eq 0 ]; then
+            echo "luci-app-amneziawg file downloaded successfully"
+        else
+            echo "Error downloading luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
+            exit 1
+        fi
+
+        opkg install "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME"
+
+        if [ $? -eq 0 ]; then
+            echo "luci-app-amneziawg file downloaded successfully"
+        else
+            echo "Error installing luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
+            exit 1
+        fi
+    fi
+
+    rm -rf "$AWG_DIR"
+}
+
+wg_awg_setup() {
+    PROTOCOL_NAME=$1
+    printf "\033[32;1mConfigure ${PROTOCOL_NAME}\033[0m\n"
+    if [ "$PROTOCOL_NAME" = 'Wireguard' ]; then
+        INTERFACE_NAME="wg0"
+        CONFIG_NAME="wireguard_wg0"
+        PROTO="wireguard"
+        ZONE_NAME="wg"
+    fi
+
+    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
+        INTERFACE_NAME="awg0"
+        CONFIG_NAME="amneziawg_awg0"
+        PROTO="amneziawg"
+        ZONE_NAME="awg"
+        
+        echo "Do you want to use AmneziaWG config or basic Wireguard config + automatic obfuscation?"
+        echo "1) AmneziaWG"
+        echo "2) Wireguard + automatic obfuscation"
+        read CONFIG_TYPE
+    fi
+
+    read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY_INT
+
+    while true; do
+        read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
+        if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
+            break
+        else
+            echo "This IP is not valid. Please repeat"
+        fi
+    done
+
+    read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY_INT
+    read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY_INT
+    read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT_INT
+
+    read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT_INT
+    WG_ENDPOINT_PORT_INT=${WG_ENDPOINT_PORT_INT:-51820}
+    if [ "$WG_ENDPOINT_PORT_INT" = '51820' ]; then
+        echo $WG_ENDPOINT_PORT_INT
+    fi
+
+    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
+        if [ "$CONFIG_TYPE" = '1' ]; then
+            read -r -p "Enter Jc value (from [Interface]):"$'\n' AWG_JC
+            read -r -p "Enter Jmin value (from [Interface]):"$'\n' AWG_JMIN
+            read -r -p "Enter Jmax value (from [Interface]):"$'\n' AWG_JMAX
+            read -r -p "Enter S1 value (from [Interface]):"$'\n' AWG_S1
+            read -r -p "Enter S2 value (from [Interface]):"$'\n' AWG_S2
+            read -r -p "Enter H1 value (from [Interface]):"$'\n' AWG_H1
+            read -r -p "Enter H2 value (from [Interface]):"$'\n' AWG_H2
+            read -r -p "Enter H3 value (from [Interface]):"$'\n' AWG_H3
+            read -r -p "Enter H4 value (from [Interface]):"$'\n' AWG_H4
+        elif [ "$CONFIG_TYPE" = '2' ]; then
+            #Default values to wg automatic obfuscation
+            AWG_JC=4
+            AWG_JMIN=40
+            AWG_JMAX=70
+            AWG_S1=0
+            AWG_S2=0
+            AWG_H1=1
+            AWG_H2=2
+            AWG_H3=3
+            AWG_H4=4
+        fi
+    fi
+    
+    uci set network.${INTERFACE_NAME}=interface
+    uci set network.${INTERFACE_NAME}.proto=$PROTO
+    uci set network.${INTERFACE_NAME}.private_key=$WG_PRIVATE_KEY_INT
+    uci set network.${INTERFACE_NAME}.listen_port='51821'
+    uci set network.${INTERFACE_NAME}.addresses=$WG_IP
+
+    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
+        uci set network.${INTERFACE_NAME}.awg_jc=$AWG_JC
+        uci set network.${INTERFACE_NAME}.awg_jmin=$AWG_JMIN
+        uci set network.${INTERFACE_NAME}.awg_jmax=$AWG_JMAX
+        uci set network.${INTERFACE_NAME}.awg_s1=$AWG_S1
+        uci set network.${INTERFACE_NAME}.awg_s2=$AWG_S2
+        uci set network.${INTERFACE_NAME}.awg_h1=$AWG_H1
+        uci set network.${INTERFACE_NAME}.awg_h2=$AWG_H2
+        uci set network.${INTERFACE_NAME}.awg_h3=$AWG_H3
+        uci set network.${INTERFACE_NAME}.awg_h4=$AWG_H4
+    fi
+
+    if ! uci show network | grep -q ${CONFIG_NAME}; then
+        uci add network ${CONFIG_NAME}
+    fi
+
+    uci set network.@${CONFIG_NAME}[0]=$CONFIG_NAME
+    uci set network.@${CONFIG_NAME}[0].name="${INTERFACE_NAME}_client"
+    uci set network.@${CONFIG_NAME}[0].public_key=$WG_PUBLIC_KEY_INT
+    uci set network.@${CONFIG_NAME}[0].preshared_key=$WG_PRESHARED_KEY_INT
+    uci set network.@${CONFIG_NAME}[0].route_allowed_ips='0'
+    uci set network.@${CONFIG_NAME}[0].persistent_keepalive='25'
+    uci set network.@${CONFIG_NAME}[0].endpoint_host=$WG_ENDPOINT_INT
+    uci set network.@${CONFIG_NAME}[0].allowed_ips='0.0.0.0/0'
+    uci set network.@${CONFIG_NAME}[0].endpoint_port=$WG_ENDPOINT_PORT_INT
+    uci commit network
+
+    if ! uci show firewall | grep -q "@zone.*name='${ZONE_NAME}'"; then
+        printf "\033[32;1mZone Create\033[0m\n"
+        uci add firewall zone
+        uci set firewall.@zone[-1].name=$ZONE_NAME
+        uci set firewall.@zone[-1].network=$INTERFACE_NAME
+        uci set firewall.@zone[-1].forward='REJECT'
+        uci set firewall.@zone[-1].output='ACCEPT'
+        uci set firewall.@zone[-1].input='REJECT'
+        uci set firewall.@zone[-1].masq='1'
+        uci set firewall.@zone[-1].mtu_fix='1'
+        uci set firewall.@zone[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    if ! uci show firewall | grep -q "@forwarding.*name='${ZONE_NAME}'"; then
+        printf "\033[32;1mConfigured forwarding\033[0m\n"
+        uci add firewall forwarding
+        uci set firewall.@forwarding[-1]=forwarding
+        uci set firewall.@forwarding[-1].name="${ZONE_NAME}-lan"
+        uci set firewall.@forwarding[-1].dest=${ZONE_NAME}
+        uci set firewall.@forwarding[-1].src='lan'
+        uci set firewall.@forwarding[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    handler_network_restart
+}
+
+main

luci-app-podkop/Makefile

@@ -1,19 +1,20 @@
-# See /LICENSE for more information.
-# This is free software, licensed under the GNU General Public License v2.
-
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-podkop
-PKG_VERSION:=0.1.7
+PKG_VERSION:=0.2.4
 PKG_RELEASE:=1
 
 LUCI_TITLE:=LuCI podkop app
 LUCI_DEPENDS:=+luci-base +podkop
 LUCI_PKGARCH:=all
+LUCI_LANG.ru:=Русский (Russian)
+LUCI_LANG.en:=English
 
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_MAINTAINER:=ITDog <podkop@itdog.info>
 
+LUCI_LANGUAGES:=en ru
+
 include $(TOPDIR)/feeds/luci/luci.mk
 
 # call BuildPackage - OpenWrt buildroot signature

luci-app-podkop/htdocs/luci-static/resources/view/podkop/podkop.js

@@ -8,28 +8,30 @@ return view.extend({
     async render() {
         var m, s, o;
 
-        m = new form.Map('podkop', _('Podkop configuration'));
-
+        m = new form.Map('podkop', _('Podkop configuration'), null, ['main', 'second']);
 
         s = m.section(form.TypedSection, 'main');
         s.anonymous = true;
 
-        o = s.tab('main', _('Main'));
+        // Basic Settings Tab
+        o = s.tab('basic', _('Basic Settings'));
 
-        o = s.taboption('main', form.ListValue, 'mode', _('Mode'), _('Select VPN or Proxy'));
+        o = s.taboption('basic', form.ListValue, 'mode', _('Connection Type'), _('Select between VPN and Proxy connection methods for traffic routing'));
         o.value('vpn', ('VPN'));
         o.value('proxy', ('Proxy'));
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.Value, 'proxy_string', _('Proxy String'), _('String vless:// or ss://'));
+        o = s.taboption('basic', form.TextValue, 'proxy_string', _('Proxy Configuration URL'), _('Enter connection string starting with vless:// or ss:// for proxy configuration'));
         o.depends('mode', 'proxy');
+        o.rows = 5;
+        o.ucisection = 'main';
 
-        // Get all interface
-        o = s.taboption('main', form.ListValue, 'interface', _('Interface'), _('Specify the interface'));
+        o = s.taboption('basic', form.ListValue, 'interface', _('Network Interface'), _('Select network interface for VPN connection'));
         o.depends('mode', 'vpn');
+        o.ucisection = 'main';
 
         try {
             const devices = await network.getDevices();
-
             const excludeInterfaces = ['br-lan', 'eth0', 'eth1', 'wan', 'phy0-ap0', 'phy1-ap0'];
 
             devices.forEach(function (device) {
@@ -40,89 +42,289 @@ return view.extend({
                     if (!isExcluded) {
                         o.value(deviceName, deviceName);
                     }
-                } else {
-                    console.warn('Device name is undefined or empty');
                 }
             });
         } catch (error) {
             console.error('Error fetching devices:', error);
         }
 
-        o = s.taboption('main', form.Flag, 'domain_list_enabled', _('Domain list enable'), _('<a href="https://github.com/itdoginfo/allow-domains" target="_blank">github.com/itdoginfo/allow-domains</a>'));
+        o = s.taboption('basic', form.Flag, 'domain_list_enabled', _('Community Domain Lists'));
         o.default = '0';
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.ListValue, 'domain_list', _('Domain list'), _('Select a list'));
+        o = s.taboption('basic', form.ListValue, 'domain_list', _('Domain List'), _('Select a list') + ' <a href="https://github.com/itdoginfo/allow-domains" target="_blank">github.com/itdoginfo/allow-domains</a>');
         o.placeholder = 'placeholder';
         o.value('ru_inside', 'Russia inside');
         o.value('ru_outside', 'Russia outside');
         o.value('ua', 'Ukraine');
         o.depends('domain_list_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.Flag, 'delist_domains_enabled', _('Delist domains from main list enable'));
+        o = s.taboption('basic', form.Flag, 'delist_domains_enabled', _('Domain Exclusions'), _('Exclude specific domains from routing rules'));
         o.default = '0';
         o.rmempty = false;
+        o.ucisection = 'main';
+        o.depends('domain_list_enabled', '1');
 
-        o = s.taboption('main', form.DynamicList, 'delist_domains', _('Delist domains'), _('Domains to be excluded'));
+        o = s.taboption('basic', form.DynamicList, 'delist_domains', _('Excluded Domains'), _('Domains to be excluded from routing'));
         o.placeholder = 'Delist domains';
         o.depends('delist_domains_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.Flag, 'subnets_list_enabled', _('Subnets list enable'));
+        o = s.taboption('basic', form.Flag, 'subnets_list_enabled', _('Community Subnet Lists'), _('Enable routing for popular services like Twitter, Meta, and Discord'));
         o.default = '0';
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.DynamicList, 'subnets', _('Subnets specify option'));
-        o.placeholder = 'Subnet list';
+        o = s.taboption('basic', form.DynamicList, 'subnets', _('Service Networks'), _('Select predefined service networks for routing'));
+        o.placeholder = 'Service network list';
         o.value('twitter', 'Twitter(x.com)');
         o.value('meta', 'Meta');
         o.value('discord', 'Discord(voice)');
         o.depends('subnets_list_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.Flag, 'custom_domains_list_enabled', _('Custom domains enable'));
+        o = s.taboption('basic', form.Flag, 'custom_domains_list_enabled', _('User Domain List'), _('Enable and manage your custom list of domains for selective routing'));
         o.default = '0';
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.DynamicList, 'custom_domains', _('Your domains'));
+        o = s.taboption('basic', form.DynamicList, 'custom_domains', _('User Domains'), _('Enter domain names without protocols (example: sub.example.com or example.com)'));
         o.placeholder = 'Domains list';
         o.depends('custom_domains_list_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'main';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
 
-        o = s.taboption('main', form.Flag, 'custom_subnets_list_enabled', _('Custom subnets enable'));
+            const domainRegex = /^(?!-)[A-Za-z0-9-]+([-.][A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;
+
+            if (!domainRegex.test(value)) {
+                return _('Invalid domain format. Enter domain without protocol (example: sub.example.com)');
+            }
+            return true;
+        };
+
+        o = s.taboption('basic', form.Flag, 'custom_download_domains_list_enabled', _('Remote Domain Lists'), _('Download and use domain lists from remote URLs'));
         o.default = '0';
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('main', form.DynamicList, 'custom_subnets', _('Your subnet'));
+        o = s.taboption('basic', form.DynamicList, 'custom_download_domains', _('Remote Domain URLs'), _('Enter full URLs starting with http:// or https://'));
+        o.placeholder = 'URL';
+        o.depends('custom_download_domains_list_enabled', '1');
+        o.rmempty = false;
+        o.ucisection = 'main';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
+
+            try {
+                const url = new URL(value);
+                if (!['http:', 'https:'].includes(url.protocol)) {
+                    return _('URL must use http:// or https:// protocol');
+                }
+                return true;
+            } catch (e) {
+                return _('Invalid URL format. URL must start with http:// or https://');
+            }
+        };
+
+        o = s.taboption('basic', form.Flag, 'custom_subnets_list_enabled', _('User Subnet List'), _('Enable and manage your custom list of IP subnets for selective routing'));
+        o.default = '0';
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        o = s.taboption('basic', form.DynamicList, 'custom_subnets', _('User Subnets'), _('Enter subnet in CIDR notation (example: 103.21.244.0/22)'));
         o.placeholder = 'Subnets list';
         o.depends('custom_subnets_list_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'main';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
 
-        s = m.section(form.TypedSection, 'second');
-        s.anonymous = true;
+            const subnetRegex = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/;
 
-        o = s.tab('second', _('Second'));
+            if (!subnetRegex.test(value)) {
+                return _('Invalid subnet format. Use format: X.X.X.X/Y (like 103.21.244.0/22)');
+            }
 
-        o = s.taboption('second', form.Flag, 'second_enable', _('Second enable'));
+            const [ip, cidr] = value.split('/');
+            const ipParts = ip.split('.');
+            const cidrNum = parseInt(cidr);
+
+            for (const part of ipParts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+
+            if (cidrNum < 0 || cidrNum > 32) {
+                return _('CIDR must be between 0 and 32');
+            }
+
+            return true;
+        };
+
+        o = s.taboption('basic', form.Flag, 'custom_download_subnets_list_enabled', _('Remote Subnet Lists'), _('Download and use subnet lists from remote URLs'));
         o.default = '0';
         o.rmempty = false;
+        o.ucisection = 'main';
 
-        o = s.taboption('second', form.ListValue, 'mode', _('Mode'), _('Select VPN or Proxy'));
+        o = s.taboption('basic', form.DynamicList, 'custom_download_subnets', _('Remote Subnet URLs'), _('Enter full URLs starting with http:// or https://'));
+        o.placeholder = 'URL';
+        o.depends('custom_download_subnets_list_enabled', '1');
+        o.rmempty = false;
+        o.ucisection = 'main';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
+
+            try {
+                const url = new URL(value);
+                if (!['http:', 'https:'].includes(url.protocol)) {
+                    return _('URL must use http:// or https:// protocol');
+                }
+                return true;
+            } catch (e) {
+                return _('Invalid URL format. URL must start with http:// or https://');
+            }
+        };
+
+        o = s.taboption('basic', form.Flag, 'all_traffic_from_ip_enabled', _('IP for full redirection'), _('Specify local IP addresses whose traffic will always use the configured route'));
+        o.default = '0';
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        o = s.taboption('basic', form.DynamicList, 'all_traffic_ip', _('Local IPs'), _('Enter valid IPv4 addresses'));
+        o.placeholder = 'IP';
+        o.depends('all_traffic_from_ip_enabled', '1');
+        o.rmempty = false;
+        o.ucisection = 'main';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
+
+            const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+
+            if (!ipRegex.test(value)) {
+                return _('Invalid IP format. Use format: X.X.X.X (like 192.168.1.1)');
+            }
+
+            const ipParts = value.split('.');
+            for (const part of ipParts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+
+            return true;
+        };
+
+        o = s.taboption('basic', form.Flag, 'exclude_from_ip_enabled', _('IP for exclusion'), _('Specify local IP addresses that will never use the configured route'));
+        o.default = '0';
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        o = s.taboption('basic', form.DynamicList, 'exclude_traffic_ip', _('Local IPs'), _('Enter valid IPv4 addresses'));
+        o.placeholder = 'IP';
+        o.depends('exclude_from_ip_enabled', '1');
+        o.rmempty = false;
+        o.ucisection = 'main';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
+
+            const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+
+            if (!ipRegex.test(value)) {
+                return _('Invalid IP format. Use format: X.X.X.X (like 192.168.1.1)');
+            }
+
+            const ipParts = value.split('.');
+            for (const part of ipParts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+
+            return true;
+        };
+
+        // Additional Settings Tab
+
+        o = s.tab('additional', _('Additional Settings'));
+
+        o = s.taboption('additional', form.Flag, 'yacd', _('Yacd enable'), _('http://openwrt.lan:9090/ui'));
+        o.default = '0';
+        o.depends('mode', 'proxy');
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        o = s.taboption('additional', form.Flag, 'socks5', _('Mixed enable'), _('Browser port: 2080'));
+        o.default = '0';
+        o.depends('mode', 'proxy');
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        o = s.taboption('additional', form.Flag, 'exclude_ntp', _('Exclude NTP'), _('For issues with open connections sing-box'));
+        o.default = '0';
+        o.depends('mode', 'proxy');
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        o = s.taboption('additional', form.ListValue, 'update_interval', _('List Update Frequency'), _('Select how often the lists will be updated'));
+        o.value('0 */1 * * *', _('Every hour'));
+        o.value('0 */2 * * *', _('Every 2 hours'));
+        o.value('0 */4 * * *', _('Every 4 hours'));
+        o.value('0 */6 * * *', _('Every 6 hours'));
+        o.value('0 */12 * * *', _('Every 12 hours'));
+        o.value('0 4 * * *', _('Once a day at 04:00'));
+        o.value('0 4 * * 0', _('Once a week on Sunday at 04:00'));
+        o.default = '0 4 * * *';
+        o.rmempty = false;
+        o.ucisection = 'main';
+
+        // Secondary Settings Tab
+
+        o = s.tab('secondary_config', _('Secondary Config'));
+
+        o = s.taboption('secondary_config', form.Flag, 'second_enable', _('Secondary VPN/Proxy Enable'), _('Enable secondary VPN/Proxy configuration'));
+        o.default = '0';
+        o.rmempty = false;
+        o.ucisection = 'second';
+
+        o = s.taboption('secondary_config', form.ListValue, 'second_mode', _('Connection Type'), _('Select between VPN and Proxy connection methods for traffic routing'));
         o.value('vpn', ('VPN'));
         o.value('proxy', ('Proxy'));
         o.depends('second_enable', '1');
+        o.ucisection = 'second';
 
-        o = s.taboption('second', form.Value, 'proxy_string', _('Proxy String'), _('String vless:// or ss://'));
-        o.depends('mode', 'proxy');
+        o = s.taboption('secondary_config', form.TextValue, 'second_proxy_string', _('Proxy Configuration URL'), _('Enter connection string starting with vless:// or ss:// for proxy configuration'));
+        o.depends('second_mode', 'proxy');
+        o.ucisection = 'second';
 
-        // Get all interface
-        o = s.taboption('second', form.ListValue, 'interface', _('Interface'), _('Specify the interface'));
-        o.depends('mode', 'vpn');
+        o = s.taboption('secondary_config', form.ListValue, 'second_interface', _('Network Interface'), _('Select network interface for VPN connection'));
+        o.depends('second_mode', 'vpn');
+        o.ucisection = 'second';
 
         try {
             const devices = await network.getDevices();
-
             const excludeInterfaces = ['br-lan', 'eth0', 'eth1', 'wan', 'phy0-ap0', 'phy1-ap0'];
 
             devices.forEach(function (device) {
@@ -133,44 +335,88 @@ return view.extend({
                     if (!isExcluded) {
                         o.value(deviceName, deviceName);
                     }
-                } else {
-                    console.warn('Device name is undefined or empty');
                 }
             });
         } catch (error) {
             console.error('Error fetching devices:', error);
         }
 
-        o = s.taboption('second', form.Flag, 'domain_service_enabled', _('Domain service enable'));
+        o = s.taboption('secondary_config', form.Flag, 'second_domain_service_enabled', _('Service Domain List Enable'), _('Enable predefined service domain lists for routing'));
         o.default = '0';
         o.rmempty = false;
         o.depends('second_enable', '1');
+        o.ucisection = 'second';
 
-        o = s.taboption('second', form.ListValue, 'service_list', _('Service list'), _('Select a list'));
+        o = s.taboption('secondary_config', form.ListValue, 'second_service_list', _('Service List'), _('Select predefined services for routing'));
         o.placeholder = 'placeholder';
         o.value('youtube', 'Youtube');
-        o.depends('domain_service_enabled', '1');
+        o.depends('second_domain_service_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'second';
 
-        o = s.taboption('second', form.Flag, 'custom_domains_list_enabled', _('Custom domains enable'));
+        o = s.taboption('secondary_config', form.Flag, 'second_custom_domains_list_enabled', _('User Domain List'), _('Enable and manage your custom list of domains for selective routing'));
         o.default = '0';
         o.rmempty = false;
         o.depends('second_enable', '1');
+        o.ucisection = 'second';
 
-        o = s.taboption('second', form.DynamicList, 'custom_domains', _('Your domains'));
+        o = s.taboption('secondary_config', form.DynamicList, 'second_custom_domains', _('User Domains'), _('Enter domain names without protocols (example: sub.example.com or example.com)'));
         o.placeholder = 'Domains list';
-        o.depends('custom_domains_list_enabled', '1');
+        o.depends('second_custom_domains_list_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'second';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
 
-        o = s.taboption('second', form.Flag, 'custom_subnets_list_enabled', _('Custom subnets enable'));
+            const domainRegex = /^(?!-)[A-Za-z0-9-]+([-.][A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;
+
+            if (!domainRegex.test(value)) {
+                return _('Invalid domain format. Enter domain without protocol (example: sub.example.com)');
+            }
+            return true;
+        };
+
+        o = s.taboption('secondary_config', form.Flag, 'second_custom_subnets_list_enabled', _('User Subnet List'), _('Enable and manage your custom list of IP subnets for selective routing'));
         o.default = '0';
         o.rmempty = false;
         o.depends('second_enable', '1');
+        o.ucisection = 'second';
 
-        o = s.taboption('second', form.DynamicList, 'custom_subnets', _('Your subnet'));
+        o = s.taboption('secondary_config', form.DynamicList, 'second_custom_subnets', _('User Subnets'), _('Enter subnet in CIDR notation (example: 103.21.244.0/22)'));
         o.placeholder = 'Subnets list';
-        o.depends('custom_subnets_list_enabled', '1');
+        o.depends('second_custom_subnets_list_enabled', '1');
         o.rmempty = false;
+        o.ucisection = 'second';
+        o.validate = function (section_id, value) {
+            if (!value || value.length === 0) {
+                return true;
+            }
+
+            const subnetRegex = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/;
+
+            if (!subnetRegex.test(value)) {
+                return _('Invalid subnet format. Use format: X.X.X.X/Y (like 103.21.244.0/22)');
+            }
+
+            const [ip, cidr] = value.split('/');
+            const ipParts = ip.split('.');
+            const cidrNum = parseInt(cidr);
+
+            for (const part of ipParts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+
+            if (cidrNum < 0 || cidrNum > 32) {
+                return _('CIDR must be between 0 and 32');
+            }
+
+            return true;
+        };
 
         return m.render();
     }

luci-app-podkop/po/ru/podkop.po

@@ -0,0 +1,221 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid "Podkop configuration"
+msgstr "Настройка Podkop"
+
+msgid "Basic Settings"
+msgstr "Основные настройки"
+
+msgid "Additional Settings"
+msgstr "Дополнительные настройки"
+
+msgid "Secondary Config"
+msgstr "Второй маршрут"
+
+msgid "Secondary VPN/Proxy Enable"
+msgstr "Включить второй VPN/Proxy"
+
+msgid "Enable secondary VPN/Proxy configuration"
+msgstr "Включить конфигурацию второго VPN/Proxy"
+
+msgid "Connection Type"
+msgstr "Тип подключения"
+
+msgid "Select between VPN and Proxy connection methods for traffic routing"
+msgstr "Выберите между VPN и Proxy методами для маршрутизации трафика"
+
+msgid "Proxy Configuration URL"
+msgstr "URL конфигурации прокси"
+
+msgid "Enter connection string starting with vless:// or ss:// for proxy configuration"
+msgstr "Введите строку подключения, начинающуюся с vless:// или ss:// для настройки прокси"
+
+msgid "Network Interface"
+msgstr "Сетевой интерфейс"
+
+msgid "Select network interface for VPN connection"
+msgstr "Выберите сетевой интерфейс для VPN подключения"
+
+msgid "Community Domain Lists"
+msgstr "Предустановленные списки доменов"
+
+msgid "Domain List"
+msgstr "Список доменов"
+
+msgid "Select a list"
+msgstr "Выберите список доменов"
+
+msgid "Community Subnet Lists"
+msgstr "Предустановленные сети сервисов"
+
+msgid "Enable routing for popular services like Twitter, Meta, and Discord"
+msgstr "Включить маршрутизацию для популярных сервисов, таких как Twitter, Meta и Discord"
+
+msgid "Service Networks"
+msgstr "Сети сервисов"
+
+msgid "Select predefined service networks for routing"
+msgstr "Выберите предустановленные сети сервисов для маршрутизации"
+
+msgid "User Domain List"
+msgstr "Пользовательский список доменов"
+
+msgid "Enable and manage your custom list of domains for selective routing"
+msgstr "Включить и управлять пользовательским списком доменов для выборочной маршрутизации"
+
+msgid "User Domains"
+msgstr "Пользовательские домены"
+
+msgid "Enter domain names without protocols (example: sub.example.com or example.com)"
+msgstr "Введите имена доменов без протоколов (пример: sub.example.com или example.com)"
+
+msgid "Remote Domain Lists"
+msgstr "Удаленные списки доменов"
+
+msgid "Download and use domain lists from remote URLs"
+msgstr "Загрузка и использование списков доменов с удаленных URL"
+
+msgid "Remote Domain URLs"
+msgstr "URL удаленных доменов"
+
+msgid "Enter full URLs starting with http:// or https://"
+msgstr "Введите полные URL, начинающиеся с http:// или https://"
+
+msgid "User Subnet List"
+msgstr "Пользовательский список подсетей"
+
+msgid "Enable and manage your custom list of IP subnets for selective routing"
+msgstr "Включить и управлять пользовательским списком IP-подсетей для выборочной маршрутизации"
+
+msgid "User Subnets"
+msgstr "Пользовательские подсети"
+
+msgid "Enter subnet in CIDR notation (example: 103.21.244.0/22)"
+msgstr "Введите подсеть в нотации CIDR (пример: 103.21.244.0/22)"
+
+msgid "Remote Subnet Lists"
+msgstr "Удаленные списки подсетей"
+
+msgid "Download and use subnet lists from remote URLs"
+msgstr "Загрузка и использование списков подсетей с удаленных URL"
+
+msgid "Remote Subnet URLs"
+msgstr "URL удаленных подсетей"
+
+msgid "Domain Exclusions"
+msgstr "Исключения доменов"
+
+msgid "Exclude specific domains from routing rules"
+msgstr "Исключить определенные домены из правил маршрутизации"
+
+msgid "Excluded Domains"
+msgstr "Исключенные домены"
+
+msgid "Domains to be excluded from routing"
+msgstr "Домены, которые будут исключены из маршрутизации"
+
+msgid "IP for full redirection"
+msgstr "Принудительные прокси IP"
+
+msgid "Specify local IP addresses whose traffic will always use the configured route"
+msgstr "Укажите локальные IP-адреса, трафик которых всегда будет использовать настроенный маршрут"
+
+msgid "Local IPs"
+msgstr "Локальные IP"
+
+msgid "Enter valid IPv4 addresses"
+msgstr "Введите действительные IPv4 адреса"
+
+msgid "IP for exclusion"
+msgstr "Исключения прокси IP"
+
+msgid "Specify local IP addresses that will never use the configured route"
+msgstr "Укажите локальные IP-адреса, которые никогда не будут использовать настроенный маршрут"
+
+msgid "List Update Frequency"
+msgstr "Частота обновления списков"
+
+msgid "Select how often the lists will be updated"
+msgstr "Выберите, как часто будут обновляться списки"
+
+msgid "Every hour"
+msgstr "Каждый час"
+
+msgid "Every 2 hours"
+msgstr "Каждые 2 часа"
+
+msgid "Every 4 hours"
+msgstr "Каждые 4 часа"
+
+msgid "Every 6 hours"
+msgstr "Каждые 6 часов"
+
+msgid "Every 12 hours"
+msgstr "Каждые 12 часов"
+
+msgid "Once a day at 04:00"
+msgstr "Раз в день в 04:00"
+
+msgid "Once a week on Sunday at 04:00"
+msgstr "Раз в неделю в воскресенье в 04:00"
+
+msgid "Yacd enable"
+msgstr "Включить Yacd"
+
+msgid "Mixed enable"
+msgstr "Включить смешанный режим"
+
+msgid "Browser port: 2080"
+msgstr "Порт браузера: 2080"
+
+msgid "Exclude NTP"
+msgstr "Исключить NTP"
+
+msgid "For issues with open connections sing-box"
+msgstr "Для проблем с открытыми соединениями sing-box"
+
+msgid "Service Domain List Enable"
+msgstr "Включить список доменов сервисов"
+
+msgid "Enable predefined service domain lists for routing"
+msgstr "Включить предустановленные списки доменов для маршрутизации"
+
+msgid "Service List"
+msgstr "Список сервисов"
+
+msgid "Select predefined services for routing"
+msgstr "Выберите предустановленные сервисы для маршрутизации"
+
+msgid "Domains"
+msgstr "Домены"
+
+msgid "Subnet List"
+msgstr "Список подсетей"
+
+msgid "Configure custom subnets for routing"
+msgstr "Настройка пользовательских подсетей для маршрутизации"
+
+msgid "Subnets"
+msgstr "Подсети"
+
+msgid "Invalid domain format. Enter domain without protocol (example: sub.example.com)"
+msgstr "Неверный формат домена. Введите домен без протокола (пример: sub.example.com)"
+
+msgid "URL must use http:// or https:// protocol"
+msgstr "URL должен использовать протокол http:// или https://"
+
+msgid "Invalid URL format. URL must start with http:// or https://"
+msgstr "Неверный формат URL. URL должен начинаться с http:// или https://"
+
+msgid "Invalid subnet format. Use format: X.X.X.X/Y (like 192.168.1.0/24)"
+msgstr "Неверный формат подсети. Используйте формат: X.X.X.X/Y (например: 192.168.1.0/24)"
+
+msgid "IP address parts must be between 0 and 255"
+msgstr "Части IP-адреса должны быть между 0 и 255"
+
+msgid "CIDR must be between 0 and 32"
+msgstr "CIDR должен быть между 0 и 32"
+
+msgid "Invalid IP format. Use format: X.X.X.X (like 192.168.1.1)"
+msgstr "Неверный формат IP. Используйте формат: X.X.X.X (например: 192.168.1.1)"

luci-app-podkop/po/templates/podkop.pot

@@ -0,0 +1,221 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid "Podkop configuration"
+msgstr ""
+
+msgid "Basic Settings"
+msgstr ""
+
+msgid "Additional Settings"
+msgstr ""
+
+msgid "Secondary Config"
+msgstr ""
+
+msgid "Secondary VPN/Proxy Enable"
+msgstr ""
+
+msgid "Enable secondary VPN/Proxy configuration"
+msgstr ""
+
+msgid "Connection Type"
+msgstr ""
+
+msgid "Select between VPN and Proxy connection methods for traffic routing"
+msgstr ""
+
+msgid "Proxy Configuration URL"
+msgstr ""
+
+msgid "Enter connection string starting with vless:// or ss:// for proxy configuration"
+msgstr ""
+
+msgid "Network Interface"
+msgstr ""
+
+msgid "Select network interface for VPN connection"
+msgstr ""
+
+msgid "Community Domain Lists"
+msgstr ""
+
+msgid "Domain List"
+msgstr ""
+
+msgid "Select a list"
+msgstr ""
+
+msgid "Community Subnet Lists"
+msgstr ""
+
+msgid "Enable routing for popular services like Twitter, Meta, and Discord"
+msgstr ""
+
+msgid "Service Networks"
+msgstr ""
+
+msgid "Select predefined service networks for routing"
+msgstr ""
+
+msgid "User Domain List"
+msgstr ""
+
+msgid "Enable and manage your custom list of domains for selective routing"
+msgstr ""
+
+msgid "User Domains"
+msgstr ""
+
+msgid "Enter domain names without protocols (example: sub.example.com or example.com)"
+msgstr ""
+
+msgid "Remote Domain Lists"
+msgstr ""
+
+msgid "Download and use domain lists from remote URLs"
+msgstr ""
+
+msgid "Remote Domain URLs"
+msgstr ""
+
+msgid "Enter full URLs starting with http:// or https://"
+msgstr ""
+
+msgid "User Subnet List"
+msgstr ""
+
+msgid "Enable and manage your custom list of IP subnets for selective routing"
+msgstr ""
+
+msgid "User Subnets"
+msgstr ""
+
+msgid "Enter subnet in CIDR notation (example: 103.21.244.0/22)"
+msgstr ""
+
+msgid "Remote Subnet Lists"
+msgstr ""
+
+msgid "Download and use subnet lists from remote URLs"
+msgstr ""
+
+msgid "Remote Subnet URLs"
+msgstr ""
+
+msgid "Domain Exclusions"
+msgstr ""
+
+msgid "Exclude specific domains from routing rules"
+msgstr ""
+
+msgid "Excluded Domains"
+msgstr ""
+
+msgid "Domains to be excluded from routing"
+msgstr ""
+
+msgid "IP for full redirection"
+msgstr ""
+
+msgid "Specify local IP addresses whose traffic will always use the configured route"
+msgstr ""
+
+msgid "Local IPs"
+msgstr ""
+
+msgid "Enter valid IPv4 addresses"
+msgstr ""
+
+msgid "IP for exclusion"
+msgstr ""
+
+msgid "Specify local IP addresses that will never use the configured route"
+msgstr ""
+
+msgid "List Update Frequency"
+msgstr ""
+
+msgid "Select how often the lists will be updated"
+msgstr ""
+
+msgid "Every hour"
+msgstr ""
+
+msgid "Every 2 hours"
+msgstr ""
+
+msgid "Every 4 hours"
+msgstr ""
+
+msgid "Every 6 hours"
+msgstr ""
+
+msgid "Every 12 hours"
+msgstr ""
+
+msgid "Once a day at 04:00"
+msgstr ""
+
+msgid "Once a week on Sunday at 04:00"
+msgstr ""
+
+msgid "Yacd enable"
+msgstr ""
+
+msgid "Mixed enable"
+msgstr ""
+
+msgid "Browser port: 2080"
+msgstr ""
+
+msgid "Exclude NTP"
+msgstr ""
+
+msgid "For issues with open connections sing-box"
+msgstr ""
+
+msgid "Service Domain List Enable"
+msgstr ""
+
+msgid "Enable predefined service domain lists for routing"
+msgstr ""
+
+msgid "Service List"
+msgstr ""
+
+msgid "Select predefined services for routing"
+msgstr ""
+
+msgid "Domains"
+msgstr ""
+
+msgid "Subnet List"
+msgstr ""
+
+msgid "Configure custom subnets for routing"
+msgstr ""
+
+msgid "Subnets"
+msgstr ""
+
+msgid "Invalid domain format. Enter domain without protocol (example: sub.example.com)"
+msgstr ""
+
+msgid "URL must use http:// or https:// protocol"
+msgstr ""
+
+msgid "Invalid URL format. URL must start with http:// or https://"
+msgstr ""
+
+msgid "Invalid subnet format. Use format: X.X.X.X/Y (like 103.21.244.0/22)"
+msgstr ""
+
+msgid "IP address parts must be between 0 and 255"
+msgstr ""
+
+msgid "CIDR must be between 0 and 32"
+msgstr ""
+
+msgid "Invalid IP format. Use format: X.X.X.X (like 192.168.1.1)"
+msgstr ""

luci-app-podkop/root/etc/uci-defaults/50_luci-podkop

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+rm -f /var/luci-indexcache*
+rm -f /tmp/luci-indexcache*
+
+[ -x /etc/init.d/rpcd ] && /etc/init.d/rpcd reload
+
+logger -t "podkop" "$timestamp uci-defaults script executed"
+
+exit 0

podkop/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=podkop
-PKG_VERSION:=0.1.7
+PKG_VERSION:=0.2.4
 PKG_RELEASE:=1
 
 PKG_MAINTAINER:=ITDog <podkop@itdog.info>
@@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/podkop
 	SECTION:=net
 	CATEGORY:=Network
-	DEPENDS:=+curl +jq +kmod-nft-tproxy +coreutils-base64
+	DEPENDS:=+dnsmasq-full +curl +jq +kmod-nft-tproxy +coreutils-base64
 	TITLE:=Domain routing app
 	URL:=https://itdog.info
 	PKGARCH:=all
@@ -28,25 +28,13 @@ endef
 define Build/Compile
 endef
 
-define Package/podkop/postinst
-#!/bin/sh
-
-if ! uci show ucitrack | grep -q 'podkop'; then
-    uci add ucitrack podkop
-    uci set ucitrack.@podkop[-1].init=podkop
-    uci commit ucitrack
-
-	/etc/init.d/ucitrack restart
-fi
-
-exit 0
-endef
-
 define Package/podkop/prerm
 #!/bin/sh
 
 grep -q "105 podkop" /etc/iproute2/rt_tables && sed -i "/105 podkop/d" /etc/iproute2/rt_tables
 
+rm -f /etc/hotplug.d/iface/50-podkop
+
 exit 0
 endef
 
@@ -57,6 +45,7 @@ endef
 define Package/podkop/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/etc/init.d/podkop $(1)/etc/init.d/podkop
+	sed -i "s/VERSION_FROM_MAKEFILE/$(PKG_VERSION)/g" $(1)/etc/init.d/podkop
 
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/etc/config/podkop $(1)/etc/config/podkop

podkop/files/etc/config/podkop

@@ -1,28 +1,38 @@
 config main 'main'
-	option mode 'proxy'
-	option interface 'wg0'
-	option proxy_string 'vless://60e7a3b2-5edb-4c0e-aa96-16702e4e0501@test.test:443/?type=tcp&encryption=none&flow=xtls-rprx-vision&sni=www.microsoft.com&fp=chrome&security=reality&pbk=O-IOLOcpVuzn9Eo3htHi0lxJ4YmeToNb6BhqUC7f7TQ&sid=4283c431d5a2263d#VLESS-podkop'
+	option mode ''
+	option interface ''
+	option proxy_string ''
 	option domain_list_enabled '1'
 	option domain_list 'ru_inside'
 	option subnets_list_enabled '0'
-	list subnets 'twitter'
+	#list subnets 'twitter'
 	option custom_domains_list_enabled '0'
-	list custom_domains 'ifconfig.co'
+	#list custom_domains ''
+	option custom_download_domains_list_enabled '0'
+	#list custom_download_domains ''
 	option custom_subnets_list_enabled '0'
-	list custom_subnets '188.114.96.0/20'
+	#list custom_subnets ''
+	option custom_download_subnets_list_enabled '0'
+	#list custom_download_subnets ''
 	option all_traffic_from_ip_enabled '0'
-	list all_traffic_ip '192.168.56.226'
+	#list all_traffic_ip ''
 	option delist_domains_enabled '0'
-	list delist_domains 'zerossl.com'
+	#list delist_domains ''
+	option exclude_from_ip_enabled '0'
+	#list exclude_traffic_ip ''
+	option yacd '0'
+	option socks5 '0'
+	option exclude_ntp '0'
+	option update_interval ''
 
 config second 'second'
 	option second_enable '0'
-	option mode 'proxy'
-	option interface 'wg1'
-	option proxy_string ''
-	option domain_list_enabled '0'
-	list domains 'youtube'
-	option custom_domains_list_enabled '0'
-	list custom_domains 'ifconfig.io'
-	option custom_subnets_list_enabled '0'
-	list custom_subnets '-'
+	option second_mode 'proxy'
+	option second_interface ''
+	option second_proxy_string ''
+	option second_domain_service_enabled '0'
+	#list second_service_list 'youtube'
+	option second_custom_domains_list_enabled '0'
+	#list second_custom_domains 'ifconfig.io'
+	option second_custom_subnets_list_enabled '0'
+	#list second_custom_subnets ''

podkop/files/etc/hotplug.d/iface/50-podkop

@@ -1,3 +1,28 @@
 #!/bin/sh
 
-/etc/init.d/podkop add_route_interface
+. /lib/functions.sh
+config_load "/etc/config/podkop"
+. /etc/init.d/podkop
+
+config_get "interface" "main" "interface" "0"
+config_get "mode" "main" "mode" "0"
+if [ "$mode" = "vpn" ] && [ -n "$interface" ]; then
+    add_route_interface "$interface" "podkop"
+fi
+
+if [ "$mode" = "proxy" ]; then
+    echo "Add route for main tproxy"
+    add_route_tproxy podkop
+fi
+
+config_get second_enable "second" "second_enable" "0"
+config_get second_interface "second" "second_interface" "0"
+config_get "second_mode" "second" "second_mode" "0"
+if [ "$second_enable" -eq "1" ] && [ "$second_mode" = "vpn" ] && [ -n "$second_interface" ]; then
+    add_route_interface "$second_interface" "podkop2"
+fi
+
+if [ "$second_enable" -eq "1" ] && [ "$second_mode" = "proxy" ]; then
+    echo "Add route for second tproxy"
+    add_route_tproxy podkop2
+fi

podkop/files/etc/init.d/podkop

@@ -1,6 +1,7 @@
 #!/bin/sh /etc/rc.common
 
 START=99
+USE_PROCD=1
 
 script=$(readlink "$initscript")
 NAME="$(basename ${script:-$initscript})"
@@ -11,13 +12,13 @@ EXTRA_HELP="        list_update    Updating domain and subnet lists
         add_route_interface  Adding route for interface
         sing_box_config_vless For test vless string"
 
-cron_job="0 4 * * * /etc/init.d/podkop list_update"
+config_get update_interval "main" "update_interval" "0 4 * * *"
+cron_job="${update_interval} /etc/init.d/podkop list_update"
 
-start() {
+start_service() {
     log "Start podkop"
 
     dnsmasqfull
-    ucitrack
     routing_table_create
     add_mark
 
@@ -34,23 +35,27 @@ start() {
         fi
 
         config_get_bool second_enable "second" "second_enable" "0"
-        config_get mode "second" "mode" "0"
-        if [ "$second_enable" -eq "1" ] && [ "$mode" = "proxy" ]; then
-            config_get proxy_string second "proxy_string"
+        config_get second_mode "second" "second_mode" "0"
+        if [ "$second_enable" -eq "1" ] && [ "$second_mode" = "proxy" ]; then
+            config_get proxy_string "second" "second_proxy_string"
             if [[ "$proxy_string" =~ ^ss:// ]]; then
                 sing_box_config_shadowsocks "$proxy_string" "1603"
             elif [[ "$proxy_string" =~ ^vless:// ]]; then
                 sing_box_config_vless "$proxy_string" "1603"
             else
                 log "Unsupported proxy type: $proxy_string"
-                exit 1
+                return
             fi
             add_route_tproxy podkop2
+            sing_box_config_check
+            sing_box_uci
+            /etc/init.d/sing-box restart
+            /etc/init.d/sing-box enable
         fi
 
-        if [ "$second_enable" -eq "1" ] && [ "$mode" = "vpn" ]; then
+        if [ "$second_enable" -eq "1" ] && [ "$second_mode" = "vpn" ]; then
             log "VPN mode for second"
-            config_get interface "second" "interface" "0"
+            config_get interface "second" "second_interface" "0"
             if [ -n "$interface" ]; then
                 add_route_interface "$interface" "podkop2"
             else
@@ -62,13 +67,13 @@ start() {
         log "Proxy mode"
         if ! command -v sing-box >/dev/null 2>&1; then
             log "Sing-box isn't installed. Proxy mode works with sing-box"
-            exit 1
+            return
         fi
 
         # Main - proxy, Second - proxy
         config_get_bool second_enable "second" "second_enable" "0"
-        config_get mode "second" "mode" "0"
-        if [ "$second_enable" -eq "1" ] && [ "$mode" = "proxy" ]; then
+        config_get second_mode "second" "second_mode" "0"
+        if [ "$second_enable" -eq "1" ] && [ "$second_mode" = "proxy" ]; then
             log "Two proxy enable"
             outbound_main=$(mktemp)
             outbound_second=$(mktemp)
@@ -80,17 +85,17 @@ start() {
                 sing_box_config_outbound_vless "$proxy_string" "$outbound_main" main
             else
                 log "Unsupported proxy type: $proxy_string"
-                exit 1
+                return
             fi
 
-            config_get proxy_string second "proxy_string"
+            config_get proxy_string "second" "second_proxy_string"
             if [[ "$proxy_string" =~ ^ss:// ]]; then
                 sing_box_config_outbound_shadowsocks "$proxy_string" "$outbound_second" second
             elif [[ "$proxy_string" =~ ^vless:// ]]; then
                 sing_box_config_outbound_vless "$proxy_string" "$outbound_second" second
             else
                 log "Unsupported proxy type: $proxy_string"
-                exit 1
+                return
             fi
 
             jq --argjson outbounds "$(jq -s '{"outbounds": (.[0].outbounds + .[1].outbounds)}' "$outbound_main" "$outbound_second")" \
@@ -104,8 +109,8 @@ start() {
 
         # Main proxy, second disable/vpn
         config_get_bool second_enable "second" "second_enable" "0"
-        config_get mode "second" "mode" "0"
-        if [ "$second_enable" -eq "0" ] || [ "$mode" = "vpn" ]; then
+        config_get second_mode "second" "second_mode" "0"
+        if [ "$second_enable" -eq "0" ] || [ "$second_mode" = "vpn" ]; then
             config_get proxy_string main "proxy_string"
             if [[ "$proxy_string" =~ ^ss:// ]]; then
                 sing_box_config_shadowsocks "$proxy_string" "1602"
@@ -113,7 +118,7 @@ start() {
                 sing_box_config_vless "$proxy_string" "1602"
             else
                 log "Unsupported proxy type: $proxy_string"
-                exit 1
+                return
             fi
             add_route_tproxy podkop
         fi
@@ -125,11 +130,11 @@ start() {
 
         # Main proxy, Second VPN
         config_get_bool second_enable "second" "second_enable" "0"
-        config_get mode "second" "mode" "0"
-        if [ "$second_enable" -eq "1" ] && [ "$mode" = "vpn" ]; then
+        config_get second_mode "second" "second_mode" "0"
+        if [ "$second_enable" -eq "1" ] && [ "$second_mode" = "vpn" ]; then
             log "VPN mode for seconds"
             log "You are using VPN mode, make sure you have installed all the necessary packages, configured, created the zone and forwarding."
-            config_get interface "second" "interface" "0"
+            config_get interface "second" "second_interface" "0"
             if [ -n "$interface" ]; then
                 add_route_interface "$interface" "podkop2"
             else
@@ -139,7 +144,7 @@ start() {
         ;;
     *)
         log "Requires *vpn* or *proxy* value"
-        exit 1
+        return
         ;;
     esac
 
@@ -154,9 +159,43 @@ start() {
         log "Adding an IP to redirect all traffic"
         config_list_foreach main all_traffic_ip list_all_traffic_from_ip
     fi
+
+    config_get_bool exclude_from_ip_enabled "main" "exclude_from_ip_enabled" "0"
+    if [ "$exclude_from_ip_enabled" -eq 1 ]; then
+        log "Adding an IP for exclusion"
+        config_list_foreach main exclude_traffic_ip list_exclude_traffic_from_ip
+    fi
+
+    config_get_bool yacd "main" "yacd" "0"
+    if [ "$yacd" -eq 1 ]; then
+        log "Yacd enable"
+        jq '.experimental.clash_api = {
+            "external_ui": "ui",
+            "external_controller": "0.0.0.0:9090"
+        }' /etc/sing-box/config.json >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        /etc/init.d/sing-box restart
+    fi
+
+    config_get_bool socks5 "main" "socks5" "0"
+    if [ "$socks5" -eq 1 ]; then
+        log "Socks5 local enable port 2080"
+        jq '.inbounds += [{
+            "type": "mixed",
+            "listen": "0.0.0.0",
+            "listen_port": 2080,
+            "set_system_proxy": false
+        }]' /etc/sing-box/config.json >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        /etc/init.d/sing-box restart
+    fi
+
+    config_get_bool exclude_ntp "main" "exclude_ntp" "0"
+    if [ "$exclude_ntp" -eq 1 ]; then
+        log "NTP traffic exclude for proxy"
+        nft insert rule inet PodkopTable mangle udp dport 123 return
+    fi
 }
 
-stop() {
+stop_service() {
     log "Stopping the podkop"
     rm -f /tmp/dnsmasq.d/podkop*
     remove_cron_job
@@ -186,7 +225,7 @@ stop() {
 
     log "Stop sing-box"
     config_get mode_main "main" "mode" "0"
-    config_get mode_second "second" "mode" "0"
+    config_get mode_second "second" "second_mode" "0"
 
     if [ "$mode_main" = "proxy" ] || [ "$mode_second" = "proxy" ]; then
         /etc/init.d/sing-box stop
@@ -194,16 +233,21 @@ stop() {
     fi
 }
 
-restart() {
+restart_service() {
     stop
     start
 }
 
-reload() {
+reload_service() {
     stop
     start
 }
 
+service_triggers() {
+    log "service_triggers start"
+    procd_add_config_trigger "config.change" "$NAME" "$initscript" reload 'on_config_change'
+}
+
 log() {
     local message="$1"
     local timestamp=$(date +"%Y-%m-%d %H:%M:%S")
@@ -212,21 +256,20 @@ log() {
     local RESET="\033[0m"
 
     echo -e "${CYAN}[$timestamp]${RESET} ${GREEN}$message${RESET}"
+    logger -t "podkop" "$timestamp $message"
 }
 
 add_cron_job() {
-    if ! crontab -l | grep -q "podkop"; then
-        #echo "$cron_job" >>/etc/crontabs/root
+    remove_cron_job
     crontab -l | {
         cat
         echo "$cron_job"
     } | crontab -
-        log "The cron job has been created"
-    fi
+    log "The cron job has been created: $cron_job"
 }
 
 remove_cron_job() {
-    sed -i "\|podkop|d" /etc/crontabs/root
+    (crontab -l | grep -v "/etc/init.d/podkop list_update") | crontab -
     log "The cron job removed"
 }
 
@@ -249,6 +292,13 @@ list_update() {
         dnsmasq_config_check podkop-custom-domains.lst
     fi
 
+    config_get_bool custom_download_domains_list_enabled "main" "custom_download_domains_list_enabled" "0"
+    if [ "$custom_download_domains_list_enabled" -eq 1 ]; then
+        log "Adding a custom domains list from URL"
+        add_set "podkop_domains" "main"
+        config_list_foreach main custom_download_domains "list_custom_download_domains_create" "podkop"
+    fi
+
     config_get_bool delist_domains_enabled "main" "delist_domains_enabled" "0"
     if [ "$delist_domains_enabled" -eq 1 ] && [ "$domain_list_enabled" -eq 1 ]; then
         log "Exclude domains from the common list"
@@ -260,27 +310,27 @@ list_update() {
         /etc/init.d/dnsmasq restart
     fi
 
-    config_get_bool custom_domains_list_enabled "second" "custom_domains_list_enabled" "0"
-    if [ "$custom_domains_list_enabled" -eq 1 ]; then
+    config_get_bool second_custom_domains_list_enabled "second" "second_custom_domains_list_enabled" "0"
+    if [ "$second_custom_domains_list_enabled" -eq 1 ]; then
         log "Adding a custom domains list. Second podkop"
         add_set "podkop2_domains" "second"
         rm -f /tmp/dnsmasq.d/podkop2-custom-domains.lst
-        config_list_foreach second custom_domains "list_delist_domains"
-        config_list_foreach second custom_domains "list_custom_domains_create" "podkop2"
+        config_list_foreach second second_custom_domains "list_delist_domains"
+        config_list_foreach second second_custom_domains "list_custom_domains_create" "podkop2"
         dnsmasq_config_check podkop2-custom-domains.lst
     fi
 
-    config_get_bool domain_service_enabled "second" "domain_service_enabled" "0"
-    if [ "$domain_service_enabled" -eq 1 ]; then
+    config_get_bool second_domain_service_enabled "second" "second_domain_service_enabled" "0"
+    if [ "$second_domain_service_enabled" -eq 1 ]; then
         log "Adding a service for podkop2"
         add_set "podkop2_domains" "second"
-        config_get service_list second "service_list"
-        lists_services_download "$service_list"
-        config_list_foreach second custom_domains "list_delist_domains"
+        config_get second_service_list second "second_service_list"
+        lists_services_download "$second_service_list"
+        config_list_foreach second second_custom_domains "list_delist_domains"
         dnsmasq_config_check podkop2-domains.lst
     fi
 
-    if [ "$custom_domains_list_enabled" -eq 1 ] || [ "$domain_service_enabled" -eq 1 ]; then
+    if [ "$second_custom_domains_list_enabled" -eq 1 ] || [ "$second_domain_service_enabled" -eq 1 ]; then
         /etc/init.d/dnsmasq restart
     fi
 
@@ -292,6 +342,14 @@ list_update() {
         config_list_foreach main subnets "list_subnets_download"
     fi
 
+    config_get_bool custom_download_subnets_list_enabled "main" "custom_download_subnets_list_enabled" "0"
+    if [ "$custom_download_subnets_list_enabled" -eq 1 ]; then
+        log "Adding a subnets from URL"
+        mkdir -p /tmp/podkop
+        add_set "podkop_subnets" "main"
+        config_list_foreach main custom_download_subnets "list_subnets_download"
+    fi
+
     config_get_bool custom_subnets_list_enabled "main" "custom_subnets_list_enabled" "0"
     if [ "$custom_subnets_list_enabled" -eq 1 ]; then
         log "Adding a custom subnets list"
@@ -299,11 +357,11 @@ list_update() {
         config_list_foreach main custom_subnets "list_custom_subnets_create" "podkop"
     fi
 
-    config_get_bool custom_subnets_list_enabled "second" "custom_subnets_list_enabled" "0"
-    if [ "$custom_subnets_list_enabled" -eq 1 ]; then
+    config_get_bool second_custom_subnets_list_enabled "second" "second_custom_subnets_list_enabled" "0"
+    if [ "$second_custom_subnets_list_enabled" -eq 1 ]; then
         log "Adding a custom subnets list. Second"
         add_set "podkop2_subnets" "second"
-        config_list_foreach second custom_subnets "list_custom_subnets_create" "podkop2"
+        config_list_foreach second second_custom_subnets "list_custom_subnets_create" "podkop2"
     fi
 }
 
@@ -312,15 +370,7 @@ dnsmasqfull() {
         log "Dnsmasq-full is not installed. Future: link only"
         log "Use script or:"
         log "cd /tmp/ && /bin/opkg download dnsmasq-full && /bin/opkg remove dnsmasq && /bin/opkg install dnsmasq-full --cache /tmp/ && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp"
-        exit 1
-    fi
-}
-
-ucitrack() {
-    if grep -q "podkop" /etc/config/ucitrack; then
-        log "ucitrack config ok"
-    else
-        log "ucitrack config not found"
+        return
     fi
 }
 
@@ -338,43 +388,51 @@ add_set() {
 
     nft add table inet PodkopTable
     log "Create set $set_name"
-    nft add chain inet PodkopTable mangle_podkop { type filter hook prerouting priority mangle \; policy accept \;}
+    nft add chain inet PodkopTable mangle { type filter hook prerouting priority -150 \; policy accept \;}
     nft add set inet PodkopTable "$set_name" { type ipv4_addr\; flags interval\; auto-merge\; }
+    if [ "$connect" = "main" ]; then
         config_get mode "$connect" "mode"
+    else
+        config_get mode "$connect" "second_mode"
+    fi
     case "$mode" in
     "vpn")
-        # if nft list table inet PodkopTable | grep -q "chain prerouting"; then
-        #     nft delete chain inet PodkopTable prerouting
-        # fi
-
-        if ! nft list chain inet PodkopTable mangle_podkop | grep -q "ip daddr @"$set_name" meta mark set"; then
+        if ! nft list chain inet PodkopTable mangle | grep -q "ip daddr @"$set_name" meta mark set"; then
             if [ "$connect" = "main" ]; then
-                nft add rule inet PodkopTable mangle_podkop ip daddr @"$set_name" meta mark set 0x105 counter
+                nft add rule inet PodkopTable mangle iifname "br-lan" ip daddr @"$set_name" meta mark set 0x105 counter
             elif [ "$connect" = "second" ]; then
-                nft add rule inet PodkopTable mangle_podkop ip daddr @"$set_name" meta mark set 0x106 counter
+                nft add rule inet PodkopTable mangle iifname "br-lan" ip daddr @"$set_name" meta mark set 0x106 counter
             fi
         fi
         ;;
 
     "proxy")
-        nft add chain inet PodkopTable prerouting { type filter hook prerouting priority mangle \; }
+        nft add chain inet PodkopTable proxy { type filter hook prerouting priority -100 \; }
         if nft list table inet PodkopTable | grep -q "ip daddr @"$set_name" meta l4proto"; then
             log "Nft rule tproxy exists"
         else
             log "Added nft rule tproxy"
             if [ "$connect" = "main" ]; then
-                nft add rule inet PodkopTable prerouting iifname "br-lan" ip daddr @"$set_name" meta l4proto tcp meta mark set 0x105 tproxy ip to :1602 counter
-                nft add rule inet PodkopTable prerouting iifname "br-lan" ip daddr @"$set_name" meta l4proto udp meta mark set 0x105 tproxy ip to :1602 counter
+                nft add rule inet PodkopTable mangle iifname "br-lan" ip daddr @"$set_name" meta l4proto tcp meta mark set 0x105 counter
+                nft add rule inet PodkopTable mangle iifname "br-lan" ip daddr @"$set_name" meta l4proto udp meta mark set 0x105 counter
+                if ! ( nft list table inet PodkopTable | grep -q "meta mark 0x00000105 meta l4proto tcp tproxy" ); then
+                    nft add rule inet PodkopTable proxy meta mark 0x105 meta l4proto tcp tproxy ip to :1602 counter
+                    nft add rule inet PodkopTable proxy meta mark 0x105 meta l4proto udp tproxy ip to :1602 counter
+                fi
             elif [ "$connect" = "second" ]; then
-                nft add rule inet PodkopTable prerouting iifname "br-lan" ip daddr @"$set_name" meta l4proto tcp meta mark set 0x106 tproxy ip to :1603 counter
-                nft add rule inet PodkopTable prerouting iifname "br-lan" ip daddr @"$set_name" meta l4proto udp meta mark set 0x106 tproxy ip to :1603 counter
+                nft add rule inet PodkopTable mangle iifname "br-lan" ip daddr @"$set_name" meta l4proto tcp meta mark set 0x106 counter
+                nft add rule inet PodkopTable mangle iifname "br-lan" ip daddr @"$set_name" meta l4proto udp meta mark set 0x106 counter
+                if ! ( nft list table inet PodkopTable | grep -q "meta mark 0x00000106 meta l4proto tcp tproxy" ); then
+                    nft add rule inet PodkopTable proxy meta mark 0x106 meta l4proto tcp tproxy ip to :1603 counter
+                    nft add rule inet PodkopTable proxy meta mark 0x106 meta l4proto udp tproxy ip to :1603 counter
+                fi
             fi
         fi
         ;;
 
     *)
         log "Requires *vpn* or *proxy* value"
-        exit 1
+        return
         ;;
     esac
 }
@@ -382,12 +440,22 @@ add_set() {
 add_route_interface() {
     local interface="$1"
     local table="$2"
-    local retry_count=0
-    local max_retries=20
+    local retry_count_route=0
+    local max_retries=10
+
+    if ! ip link show "$interface" >/dev/null 2>&1; then
+    log "Interface "$interface" undetected, wait 10 sec..."
+    sleep 10
+
+        if ! ip link show "$interface" >/dev/null 2>&1; then
+            log "Interface "$interface" undetected. exit"
+            return
+        fi
+    fi
 
     if ! ip link show "$interface" >/dev/null 2>&1; then
         log "Interface "$interface" does not exist, not possible to create a route"
-        exit 1
+        return
     fi
 
     if ip route show table $table | grep -q "^default dev"; then
@@ -396,11 +464,11 @@ add_route_interface() {
     fi
 
     log "Added route for "$interface""
-    while [ $retry_count -lt $max_retries ]; do
+    while [ $retry_count_route -lt $max_retries ]; do
         if ip route add table $table default dev "$interface" 2>&1 | grep -q "Network is down"; then
-            log "Error: Network is down. Let's try again in 3 seconds"
+            log "Attempt $retry_count_route: Interface "$interface" is down, retrying in 3 seconds..."
             sleep 3
-            retry_count=$((retry_count + 1))
+            retry_count_route=$((retry_count_route + 1))
         else
             log "Route for "$interface" added"
             return 0
@@ -408,7 +476,7 @@ add_route_interface() {
     done
 
     log "The maximum number of attempts has been exceeded. Failed to add a route."
-    exit 1
+    return
 }
 
 add_route_tproxy() {
@@ -459,7 +527,7 @@ lists_domains_download() {
         ;;
     *)
         log "Unidentified list of domains"
-        exit 1
+        return
         ;;
     esac
 
@@ -499,7 +567,7 @@ lists_services_download() {
         ;;
     *)
         log "Unidentified list of domains"
-        exit 1
+        return
         ;;
     esac
 
@@ -546,8 +614,12 @@ list_subnets_download() {
         URL=$DISCORD_SUBNETS
         ;;
     *)
-        log "Unidentified list of subnets"
-        exit 1
+        log "Custom URL for subnet"
+        if curl --output /dev/null --silent --head --fail "$URL"; then
+            log "URL is valid"
+        else
+            log "URL $URL is not valid"
+        fi
         ;;
     esac
 
@@ -565,6 +637,20 @@ list_custom_domains_create() {
     log "$domain added to the list"
 }
 
+list_custom_download_domains_create() {
+    local URL="$1"
+    local name="$2"
+    local filename=$(basename "$URL")
+    local config="/tmp/dnsmasq.d/${name}-${filename}.lst"
+
+    rm -f $config
+    curl -f "$URL" --output "/tmp/podkop/${filename}"
+    while IFS= read -r domain; do
+        echo "nftset=/$domain/4#inet#PodkopTable#${name}_domains" >>$config
+    done <"/tmp/podkop/$filename"
+    dnsmasq_config_check ${name}-${filename}.lst
+}
+
 list_custom_subnets_create() {
     local subnet="$1"
     local name="$2"
@@ -573,8 +659,37 @@ list_custom_subnets_create() {
 
 list_all_traffic_from_ip() {
     local ip="$1"
-    if ! nft list chain inet PodkopTable mangle_podkop | grep -q "ip saddr $ip"; then
-        nft add rule inet PodkopTable mangle_podkop ip saddr $ip meta mark set 0x105
+    if ! nft list chain inet PodkopTable mangle | grep -q "ip saddr $ip"; then
+        config_get mode "main" "mode" "0"
+        if [ "$mode" = "vpn" ]; then
+            nft insert rule inet PodkopTable mangle iifname "br-lan" ip saddr $ip meta mark set 0x105 counter
+        elif [ "$mode" = "proxy" ]; then
+            nft add set inet PodkopTable localv4 { type ipv4_addr\; flags interval\; }
+            nft add element inet PodkopTable localv4 { \
+                0.0.0.0/8, \
+                10.0.0.0/8, \
+                127.0.0.0/8, \
+                169.254.0.0/16, \
+                172.16.0.0/12, \
+                192.0.0.0/24, \
+                192.0.2.0/24, \
+                192.88.99.0/24, \
+                192.168.0.0/16, \
+                198.18.0.0/15, \
+                198.51.100.0/24, \
+                203.0.113.0/24, \
+                224.0.0.0/4, \
+                240.0.0.0-255.255.255.255 }
+            nft insert rule inet PodkopTable mangle iifname "br-lan" ip saddr $ip meta l4proto { tcp, udp } meta mark set 0x105 counter
+            nft insert rule inet PodkopTable mangle ip saddr $ip ip daddr @localv4 return
+        fi
+    fi
+}
+
+list_exclude_traffic_from_ip() {
+    local ip="$1"
+    if ! nft list chain inet PodkopTable mangle | grep -q "ip saddr $ip"; then
+        nft insert rule inet PodkopTable mangle ip saddr $ip return
     fi
 }
 
@@ -606,7 +721,7 @@ dnsmasq_config_check() {
     local config="$1"
     if ! /usr/sbin/dnsmasq --conf-file=/tmp/dnsmasq.d/$config --test 2>&1 | grep -q "syntax check OK"; then
         log "Dnsmasq config $config contains errors. Break"
-        exit 1
+        return
     fi
 }
 
@@ -678,6 +793,7 @@ sing_box_config_vless() {
     security=$(get_param "security")
     pbk=$(get_param "pbk")
     sid=$(get_param "sid")
+    encoding=$(get_param "packetEncoding")
     alpn=$(echo "$(get_param "alpn" | sed 's/%2C/,/g; s/%2F/\//g')" | jq -R -s -c 'split(",")' | sed 's/\\n//g')
     label=$(echo "$STRING" | cut -d'#' -f2)
 
@@ -694,6 +810,7 @@ sing_box_config_vless() {
         --arg pbk "$pbk" \
         --arg sid "$sid" \
         --argjson alpn "$alpn" \
+        --arg encoding "$encoding" \
         --arg listen_port "$listen_port" \
         '.inbounds[] |=
         if .type == "tproxy" then
@@ -707,6 +824,7 @@ sing_box_config_vless() {
             .uuid = $uuid |
             if $security == "reality" then 
                 if $flow == "" then del(.flow) else .flow = $flow end |
+                if $encoding == "" then del(.packet_encoding) else .packet_encoding = $encoding end |
                 .tls.server_name = $sni |
                 .tls.utls.fingerprint = $fp |
                 .tls.reality.public_key = $pbk |
@@ -725,7 +843,6 @@ sing_box_config_vless() {
         end)' "$template_config" >/etc/sing-box/config.json
 }
 
-# make one function for full and outbound only
 sing_box_config_outbound_shadowsocks() {
     local STRING="$1"
     local outbound="$2"
@@ -779,6 +896,7 @@ sing_box_config_outbound_vless() {
     pbk=$(get_param "pbk")
     sid=$(get_param "sid")
     alpn=$(echo "$(get_param "alpn" | sed 's/%2C/,/g; s/%2F/\//g')" | jq -R -s -c 'split(",")' | sed 's/\\n//g')
+    encoding=$(get_param "packetEncoding")
     label=$(echo "$STRING" | cut -d'#' -f2)
 
     template_config="/etc/podkop/sing-box-vless-outbound-template.json"
@@ -794,6 +912,7 @@ sing_box_config_outbound_vless() {
         --arg pbk "$pbk" \
         --arg sid "$sid" \
         --argjson alpn "$alpn" \
+        --arg encoding "$encoding" \
         --arg tag "$name" \
         '.outbounds[] |= 
            (.server = $server |
@@ -801,6 +920,7 @@ sing_box_config_outbound_vless() {
             .uuid = $uuid |
             if $security == "reality" then 
                 if $flow == "" then del(.flow) else .flow = $flow end |
+                if $encoding == "" then del(.packet_encoding) else .packet_encoding = $encoding end |
                 .tls.server_name = $sni |
                 .tls.utls.fingerprint = $fp |
                 .tls.reality.public_key = $pbk |
@@ -825,6 +945,6 @@ sing_box_config_outbound_vless() {
 sing_box_config_check() {
     if ! sing-box -c /etc/sing-box/config.json check >/dev/null 2>&1; then
         log "Sing-box configuration is invalid"
-        exit 1
+        return
     fi
 }