v0.4.6

fix: hide extra configs for non-basic tabs

README.md

@@ -17,16 +17,11 @@ https://podkop.net/
 # Установка Podkop
 Полная информация в [документации](https://podkop.net/docs/install/)
 
-Вкратце, достаточно одного скрипта для установки:
+Вкратце, достаточно одного скрипта для установки и обновления:
 ```
 sh <(wget -O - https://raw.githubusercontent.com/itdoginfo/podkop/refs/heads/main/install.sh)
 ```
 
-Для обновления:
-```
-sh <(wget -qO- https://raw.githubusercontent.com/itdoginfo/podkop/refs/heads/main/install.sh) --upgrade
-```
-
 # ToDo
 Этот раздел не означает задачи, которые нужно брать и делать. Это общий список хотелок. Если вы хотите помочь, пожалуйста, спросите сначала в телеграмме.
 

install.sh

@@ -1,66 +1,35 @@
 #!/bin/sh
 
 REPO="https://api.github.com/repos/itdoginfo/podkop/releases/latest"
-
-IS_SHOULD_RESTART_NETWORK=
 DOWNLOAD_DIR="/tmp/podkop"
 COUNT=3
-UPGRADE=0
 
 rm -rf "$DOWNLOAD_DIR"
 mkdir -p "$DOWNLOAD_DIR"
 
-for arg in "$@"; do
-    if [ "$arg" = "--upgrade" ]; then
-        UPGRADE=1
-    fi
-done
+msg() {
+    printf "\033[32;1m%s\033[0m\n" "$1"
+}
 
 main() {
     check_system
     sing_box
-    
-    opkg update
+
+    /usr/sbin/ntpd -q -p 194.190.168.1 -p 216.239.35.0 -p 216.239.35.4 -p 162.159.200.1 -p 162.159.200.123
+
+    opkg update || { echo "opkg update failed"; exit 1; }
   
     if [ -f "/etc/init.d/podkop" ]; then
-        if [ "$UPGRADE" -eq 1 ]; then
-            echo "Upgraded podkop with flag..."
-            break
-        else
-            printf "\033[32;1mPodkop is already installed. Just upgrade it?\033[0m\n"
-            printf "\033[32;1my - Only upgrade podkop\033[0m\n"
-            printf "\033[32;1mn - Upgrade and install tunnels (WG, AWG, OpenVPN, OC)\033[0m\n"
-
-            while true; do
-                printf "\033[32;1mEnter (y/n): \033[0m"
-                read -r -p '' UPDATE
-                case $UPDATE in
-                y)
-                    echo "Upgraded podkop..."
-                    break
-                    ;;
-
-                n)
-                    add_tunnel
-                    break
-                    ;;
-
-                *)
-                    echo "Please enter y or n"
-                    ;;
-                esac
-            done
-        fi
+        msg "Podkop is already installed. Upgraded..."
     else
-        echo "Installed podkop..."
-        add_tunnel
+        msg "Installed podkop..."
     fi
     
     if command -v curl &> /dev/null; then
         check_response=$(curl -s "https://api.github.com/repos/itdoginfo/podkop/releases/latest")
 
         if echo "$check_response" | grep -q 'API rate limit '; then
-            echo "You've reached rate limit from GitHub. Repeat in five minutes."
+            msg "You've reached rate limit from GitHub. Repeat in five minutes."
             exit 1
         fi
     fi
@@ -72,33 +41,33 @@ main() {
                
         attempt=0
         while [ $attempt -lt $COUNT ]; do
-            echo "Download $filename (count $((attempt+1)))..."
+            msg "Download $filename (count $((attempt+1)))..."
             if wget -q -O "$filepath" "$url"; then
                 if [ -s "$filepath" ]; then
-                    echo "$filename successfully downloaded"
+                    msg "$filename successfully downloaded"
                     download_success=1
                     break
                 fi
             fi
-            echo "Download error $filename. Retry..."
+            msg "Download error $filename. Retry..."
             rm -f "$filepath"
             attempt=$((attempt+1))
         done
         
         if [ $attempt -eq $COUNT ]; then
-            echo "Failed to download $filename after $COUNT attempts"
+            msg "Failed to download $filename after $COUNT attempts"
         fi
     done < <(wget -qO- "$REPO" | grep -o 'https://[^"[:space:]]*\.ipk')
     
     if [ $download_success -eq 0 ]; then
-        echo "No packages were downloaded successfully"
+        msg "No packages were downloaded successfully"
         exit 1
     fi
     
     for pkg in podkop luci-app-podkop; do
         file=$(ls "$DOWNLOAD_DIR" | grep "^$pkg" | head -n 1)
         if [ -n "$file" ]; then
-            echo "Installing $file"
+            msg "Installing $file"
             opkg install "$DOWNLOAD_DIR/$file"
             sleep 3
         fi
@@ -106,341 +75,57 @@ main() {
 
     ru=$(ls "$DOWNLOAD_DIR" | grep "luci-i18n-podkop-ru" | head -n 1)
     if [ -n "$ru" ]; then
-        printf "\033[32;1mРусский язык интерфейса ставим? y/n (Need a Russian translation?)\033[0m "
-        while true; do
-            read -r -p '' RUS
-            case $RUS in
-            y)
+        if opkg list-installed | grep -q luci-i18n-podkop-ru; then
+                msg "Upgraded ru translation..."
                 opkg remove luci-i18n-podkop*
                 opkg install "$DOWNLOAD_DIR/$ru"
-                break
-                ;;
-            n)
-                break
-                ;;
-            *)
-                echo "Введите y или n"
-                ;;
-            esac
-        done
+        else
+            msg "Русский язык интерфейса ставим? y/n (Need a Russian translation?)"
+            while true; do
+                read -r -p '' RUS
+                case $RUS in
+                y)
+                    opkg remove luci-i18n-podkop*
+                    opkg install "$DOWNLOAD_DIR/$ru"
+                    break
+                    ;;
+                n)
+                    break
+                    ;;
+                *)
+                    echo "Введите y или n"
+                    ;;
+                esac
+            done
+        fi
     fi
 
     find "$DOWNLOAD_DIR" -type f -name '*podkop*' -exec rm {} \;
-
-    if [ "$IS_SHOULD_RESTART_NETWORK" ]; then
-        printf "\033[32;1mRestart network\033[0m\n"
-        /etc/init.d/network restart
-    fi
-}
-
-add_tunnel() {
-    printf "\033[32;1mWill you be using Wireguard, AmneziaWG, OpenVPN, OpenConnect? If yes, select a number and they will be automatically installed\033[0m\n"
-    echo "1) Wireguard"
-    echo "2) AmneziaWG"
-    echo "3) OpenVPN"
-    echo "4) OpenConnect"
-    echo "5) I use VLESS/SS. Skip this step"
-
-    while true; do
-        read -r -p '' TUNNEL
-        case $TUNNEL in
-
-        1)
-            opkg install wireguard-tools luci-proto-wireguard luci-app-wireguard
-
-            printf "\033[32;1mDo you want to configure the wireguard interface? (y/n): \033[0m\n"
-            read IS_SHOULD_CONFIGURE_WG_INTERFACE
-
-            if [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "y" ] || [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "Y" ]; then
-                wg_awg_setup Wireguard
-            else
-            printf "\e[1;32mUse these instructions to manual configure https://itdog.info/nastrojka-klienta-wireguard-na-openwrt/\e[0m\n"
-            fi
-
-            break
-            ;;
-
-        2)
-            install_awg_packages
-
-            printf "\033[32;1mThere are no instructions for manual configure yet. Do you want to configure the amneziawg interface? (y/n): \033[0m\n"
-            read IS_SHOULD_CONFIGURE_WG_INTERFACE
-
-            if [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "y" ] || [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "Y" ]; then
-                wg_awg_setup AmneziaWG
-            fi
-
-            break
-            ;;
-
-        3)
-            opkg install openvpn-openssl luci-app-openvpn
-            printf "\e[1;32mUse these instructions to configure https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/\e[0m\n"
-            break
-            ;;
-
-        4)
-            opkg install openconnect luci-proto-openconnect
-            printf "\e[1;32mUse these instructions to configure https://itdog.info/nastrojka-klienta-openconnect-na-openwrt/\e[0m\n"
-            break
-            ;;
-
-        5)
-            echo "Installation without additional dependencies."
-            break
-            ;;
-
-        *)
-            echo "Choose from the following options"
-            ;;
-        esac
-    done
-}
-
-handler_network_restart() {
-    IS_SHOULD_RESTART_NETWORK=true
-}
-
-install_awg_packages() {
-    # Получение pkgarch с наибольшим приоритетом
-    PKGARCH=$(opkg print-architecture | awk 'BEGIN {max=0} {if ($3 > max) {max = $3; arch = $2}} END {print arch}')
-
-    TARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 1)
-    SUBTARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 2)
-    VERSION=$(ubus call system board | jsonfilter -e '@.release.version')
-    PKGPOSTFIX="_v${VERSION}_${PKGARCH}_${TARGET}_${SUBTARGET}.ipk"
-    BASE_URL="https://github.com/Slava-Shchipunov/awg-openwrt/releases/download/"
-
-    AWG_DIR="/tmp/amneziawg"
-    mkdir -p "$AWG_DIR"
-    
-    if opkg list-installed | grep -q kmod-amneziawg; then
-        echo "kmod-amneziawg already installed"
-    else
-        KMOD_AMNEZIAWG_FILENAME="kmod-amneziawg${PKGPOSTFIX}"
-        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${KMOD_AMNEZIAWG_FILENAME}"
-        wget -O "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
-
-        if [ $? -eq 0 ]; then
-            echo "kmod-amneziawg file downloaded successfully"
-        else
-            echo "Error downloading kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
-            exit 1
-        fi
-        
-        opkg install "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME"
-
-        if [ $? -eq 0 ]; then
-            echo "kmod-amneziawg file downloaded successfully"
-        else
-            echo "Error installing kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
-            exit 1
-        fi
-    fi
-
-    if opkg list-installed | grep -q amneziawg-tools; then
-        echo "amneziawg-tools already installed"
-    else
-        AMNEZIAWG_TOOLS_FILENAME="amneziawg-tools${PKGPOSTFIX}"
-        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${AMNEZIAWG_TOOLS_FILENAME}"
-        wget -O "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME" "$DOWNLOAD_URL"
-
-        if [ $? -eq 0 ]; then
-            echo "amneziawg-tools file downloaded successfully"
-        else
-            echo "Error downloading amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
-            exit 1
-        fi
-
-        opkg install "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME"
-
-        if [ $? -eq 0 ]; then
-            echo "amneziawg-tools file downloaded successfully"
-        else
-            echo "Error installing amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
-            exit 1
-        fi
-    fi
-    
-    if opkg list-installed | grep -qE 'luci-app-amneziawg|luci-proto-amneziawg'; then
-        echo "luci-app-amneziawg or luci-proto-amneziawg already installed"
-    else
-        LUCI_APP_AMNEZIAWG_FILENAME="luci-app-amneziawg${PKGPOSTFIX}"
-        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${LUCI_APP_AMNEZIAWG_FILENAME}"
-        wget -O "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
-
-        if [ $? -eq 0 ]; then
-            echo "luci-app-amneziawg file downloaded successfully"
-        else
-            echo "Error downloading luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
-            exit 1
-        fi
-
-        opkg install "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME"
-
-        if [ $? -eq 0 ]; then
-            echo "luci-app-amneziawg file downloaded successfully"
-        else
-            echo "Error installing luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
-            exit 1
-        fi
-    fi
-
-    rm -rf "$AWG_DIR"
-}
-
-wg_awg_setup() {
-    PROTOCOL_NAME=$1
-    printf "\033[32;1mConfigure ${PROTOCOL_NAME}\033[0m\n"
-    if [ "$PROTOCOL_NAME" = 'Wireguard' ]; then
-        INTERFACE_NAME="wg0"
-        CONFIG_NAME="wireguard_wg0"
-        PROTO="wireguard"
-        ZONE_NAME="wg"
-    fi
-
-    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
-        INTERFACE_NAME="awg0"
-        CONFIG_NAME="amneziawg_awg0"
-        PROTO="amneziawg"
-        ZONE_NAME="awg"
-        
-        echo "Do you want to use AmneziaWG config or basic Wireguard config + automatic obfuscation?"
-        echo "1) AmneziaWG"
-        echo "2) Wireguard + automatic obfuscation"
-        read CONFIG_TYPE
-    fi
-
-    read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY_INT
-
-    while true; do
-        read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
-        if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
-            break
-        else
-            echo "This IP is not valid. Please repeat"
-        fi
-    done
-
-    read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY_INT
-    read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY_INT
-    read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT_INT
-
-    read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT_INT
-    WG_ENDPOINT_PORT_INT=${WG_ENDPOINT_PORT_INT:-51820}
-    if [ "$WG_ENDPOINT_PORT_INT" = '51820' ]; then
-        echo $WG_ENDPOINT_PORT_INT
-    fi
-
-    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
-        if [ "$CONFIG_TYPE" = '1' ]; then
-            read -r -p "Enter Jc value (from [Interface]):"$'\n' AWG_JC
-            read -r -p "Enter Jmin value (from [Interface]):"$'\n' AWG_JMIN
-            read -r -p "Enter Jmax value (from [Interface]):"$'\n' AWG_JMAX
-            read -r -p "Enter S1 value (from [Interface]):"$'\n' AWG_S1
-            read -r -p "Enter S2 value (from [Interface]):"$'\n' AWG_S2
-            read -r -p "Enter H1 value (from [Interface]):"$'\n' AWG_H1
-            read -r -p "Enter H2 value (from [Interface]):"$'\n' AWG_H2
-            read -r -p "Enter H3 value (from [Interface]):"$'\n' AWG_H3
-            read -r -p "Enter H4 value (from [Interface]):"$'\n' AWG_H4
-        elif [ "$CONFIG_TYPE" = '2' ]; then
-            #Default values to wg automatic obfuscation
-            AWG_JC=4
-            AWG_JMIN=40
-            AWG_JMAX=70
-            AWG_S1=0
-            AWG_S2=0
-            AWG_H1=1
-            AWG_H2=2
-            AWG_H3=3
-            AWG_H4=4
-        fi
-    fi
-    
-    uci set network.${INTERFACE_NAME}=interface
-    uci set network.${INTERFACE_NAME}.proto=$PROTO
-    uci set network.${INTERFACE_NAME}.private_key=$WG_PRIVATE_KEY_INT
-    uci set network.${INTERFACE_NAME}.listen_port='51821'
-    uci set network.${INTERFACE_NAME}.addresses=$WG_IP
-
-    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
-        uci set network.${INTERFACE_NAME}.awg_jc=$AWG_JC
-        uci set network.${INTERFACE_NAME}.awg_jmin=$AWG_JMIN
-        uci set network.${INTERFACE_NAME}.awg_jmax=$AWG_JMAX
-        uci set network.${INTERFACE_NAME}.awg_s1=$AWG_S1
-        uci set network.${INTERFACE_NAME}.awg_s2=$AWG_S2
-        uci set network.${INTERFACE_NAME}.awg_h1=$AWG_H1
-        uci set network.${INTERFACE_NAME}.awg_h2=$AWG_H2
-        uci set network.${INTERFACE_NAME}.awg_h3=$AWG_H3
-        uci set network.${INTERFACE_NAME}.awg_h4=$AWG_H4
-    fi
-
-    if ! uci show network | grep -q ${CONFIG_NAME}; then
-        uci add network ${CONFIG_NAME}
-    fi
-
-    uci set network.@${CONFIG_NAME}[0]=$CONFIG_NAME
-    uci set network.@${CONFIG_NAME}[0].name="${INTERFACE_NAME}_client"
-    uci set network.@${CONFIG_NAME}[0].public_key=$WG_PUBLIC_KEY_INT
-    uci set network.@${CONFIG_NAME}[0].preshared_key=$WG_PRESHARED_KEY_INT
-    uci set network.@${CONFIG_NAME}[0].route_allowed_ips='0'
-    uci set network.@${CONFIG_NAME}[0].persistent_keepalive='25'
-    uci set network.@${CONFIG_NAME}[0].endpoint_host=$WG_ENDPOINT_INT
-    uci set network.@${CONFIG_NAME}[0].allowed_ips='0.0.0.0/0'
-    uci set network.@${CONFIG_NAME}[0].endpoint_port=$WG_ENDPOINT_PORT_INT
-    uci commit network
-
-    if ! uci show firewall | grep -q "@zone.*name='${ZONE_NAME}'"; then
-        printf "\033[32;1mZone Create\033[0m\n"
-        uci add firewall zone
-        uci set firewall.@zone[-1].name=$ZONE_NAME
-        uci set firewall.@zone[-1].network=$INTERFACE_NAME
-        uci set firewall.@zone[-1].forward='REJECT'
-        uci set firewall.@zone[-1].output='ACCEPT'
-        uci set firewall.@zone[-1].input='REJECT'
-        uci set firewall.@zone[-1].masq='1'
-        uci set firewall.@zone[-1].mtu_fix='1'
-        uci set firewall.@zone[-1].family='ipv4'
-        uci commit firewall
-    fi
-
-    if ! uci show firewall | grep -q "@forwarding.*name='${ZONE_NAME}'"; then
-        printf "\033[32;1mConfigured forwarding\033[0m\n"
-        uci add firewall forwarding
-        uci set firewall.@forwarding[-1]=forwarding
-        uci set firewall.@forwarding[-1].name="${ZONE_NAME}-lan"
-        uci set firewall.@forwarding[-1].dest=${ZONE_NAME}
-        uci set firewall.@forwarding[-1].src='lan'
-        uci set firewall.@forwarding[-1].family='ipv4'
-        uci commit firewall
-    fi
-
-    handler_network_restart
 }
 
 check_system() {
     # Get router model
     MODEL=$(cat /tmp/sysinfo/model)
-    echo "Router model: $MODEL"
+    msg "Router model: $MODEL"
 
     # Check available space
     AVAILABLE_SPACE=$(df /overlay | awk 'NR==2 {print $4}')
     REQUIRED_SPACE=15360 # 15MB in KB
 
     if [ "$AVAILABLE_SPACE" -lt "$REQUIRED_SPACE" ]; then
-        printf "\033[31;1mError: Insufficient space in flash\033[0m\n"
-        echo "Available: $((AVAILABLE_SPACE/1024))MB"
-        echo "Required: $((REQUIRED_SPACE/1024))MB"
+        msg "Error: Insufficient space in flash"
+        msg "Available: $((AVAILABLE_SPACE/1024))MB"
+        msg "Required: $((REQUIRED_SPACE/1024))MB"
         exit 1
     fi
 
     if ! nslookup google.com >/dev/null 2>&1; then
-        printf "\033[31;1mDNS not working\033[0m\n"
+        msg "DNS not working"
         exit 1
     fi
 
     if opkg list-installed | grep -q https-dns-proxy; then
-        printf "\033[31;1mСonflicting package detected: https-dns-proxy. Remove? yes/no\033[0m\n"
+        msg "Сonflicting package detected: https-dns-proxy. Remove?"
 
         while true; do
                 read -r -p '' DNSPROXY
@@ -451,7 +136,7 @@ check_system() {
                     break
                     ;;
                 *)
-                    echo "Exit"
+                    msg "Exit"
                     exit 1
                     ;;
         esac
@@ -459,7 +144,7 @@ check_system() {
     fi
 
     if opkg list-installed | grep -q "iptables-mod-extra"; then
-        printf "\033[31;1mFound incompatible iptables packages. If you're using FriendlyWrt: https://t.me/itdogchat/44512/181082\033[0m\n"
+        msg "Found incompatible iptables packages. If you're using FriendlyWrt: https://t.me/itdogchat/44512/181082"
     fi
 }
 
@@ -472,6 +157,8 @@ sing_box() {
     required_version="1.11.1"
 
     if [ "$(echo -e "$sing_box_version\n$required_version" | sort -V | head -n 1)" != "$required_version" ]; then
+        msg "sing-box version $sing_box_version is older than required $required_version"
+        msg "Removing old version..."
         opkg remove sing-box
     fi
 }

luci-app-podkop/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-podkop
-PKG_VERSION:=0.4.4
+PKG_VERSION:=0.4.6
 PKG_RELEASE:=1
 
 LUCI_TITLE:=LuCI podkop app

luci-app-podkop/htdocs/luci-static/resources/view/podkop/additionalTab.js

@@ -34,7 +34,7 @@ function createAdditionalSection(mainSection, network) {
     o.value('doh', _('DNS over HTTPS (DoH)'));
     o.value('dot', _('DNS over TLS (DoT)'));
     o.value('udp', _('UDP (Unprotected DNS)'));
-    o.default = 'doh';
+    o.default = 'udp';
     o.rmempty = false;
     o.ucisection = 'main';
 
@@ -70,6 +70,53 @@ function createAdditionalSection(mainSection, network) {
         return true;
     };
 
+    o = mainSection.taboption('additional', form.Flag, 'split_dns_enabled', _('Split DNS'), _('DNS for the list via proxy'));
+    o.default = '1';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.ListValue, 'split_dns_type', _('Split DNS Protocol Type'), _('Select DNS protocol for split'));
+    o.value('doh', _('DNS over HTTPS (DoH)'));
+    o.value('dot', _('DNS over TLS (DoT)'));
+    o.value('udp', _('UDP (Unprotected DNS)'));
+    o.default = 'udp';
+    o.rmempty = false;
+    o.depends('split_dns_enabled', '1');
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.Value, 'split_dns_server', _('Split DNS Server'), _('Select or enter DNS server address'));
+    Object.entries(constants.DNS_SERVER_OPTIONS).forEach(([key, label]) => {
+        o.value(key, _(label));
+    });
+    o.default = '1.1.1.1';
+    o.rmempty = false;
+    o.depends('split_dns_enabled', '1');
+    o.ucisection = 'main';
+    o.validate = function (section_id, value) {
+        if (!value) {
+            return _('DNS server address cannot be empty');
+        }
+
+        const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+        if (ipRegex.test(value)) {
+            const parts = value.split('.');
+            for (const part of parts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+            return true;
+        }
+
+        const domainRegex = /^([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+\.[a-zA-Z]{2,}(\/[^\s]*)?$/;
+        if (!domainRegex.test(value)) {
+            return _('Invalid DNS server format. Examples: 8.8.8.8 or dns.example.com or dns.example.com/nicedns for DoH');
+        }
+
+        return true;
+    };
+
     o = mainSection.taboption('additional', form.Value, 'dns_rewrite_ttl', _('DNS Rewrite TTL'), _('Time in seconds for DNS record caching (default: 60)'));
     o.default = '60';
     o.rmempty = false;

luci-app-podkop/htdocs/luci-static/resources/view/podkop/configSection.js

@@ -179,10 +179,6 @@ function createConfigSection(section, map, network) {
                     if (!params.get('pbk')) return _('Invalid VLESS URL: missing pbk parameter for reality security');
                     if (!params.get('fp')) return _('Invalid VLESS URL: missing fp parameter for reality security');
                 }
-
-                if (security === 'tls' && type !== 'tcp' && !params.get('sni')) {
-                    return _('Invalid VLESS URL: missing sni parameter for tls security');
-                }
             }
 
             return true;

luci-app-podkop/htdocs/luci-static/resources/view/podkop/diagnosticTab.js

@@ -726,7 +726,7 @@ async function updateDiagnostics() {
         updateTextElement('fakeip-browser-status',
             E('span', { style: `color: ${result.error ? constants.STATUS_COLORS.WARNING : result.color}` }, [
                 result.error ? '! ' : result.state === 'working' ? '✔ ' : result.state === 'not_working' ? '✘ ' : '! ',
-                result.error ? 'check error' : result.state === 'working' ? _('works in browser') : _('not works in browser')
+                result.error ? 'check error' : result.state === 'working' ? _('works in browser') : _('does not work in browser')
             ])
         );
     });
@@ -735,7 +735,7 @@ async function updateDiagnostics() {
         updateTextElement('fakeip-router-status',
             E('span', { style: `color: ${result.error ? constants.STATUS_COLORS.WARNING : result.color}` }, [
                 result.error ? '! ' : result.state === 'working' ? '✔ ' : result.state === 'not_working' ? '✘ ' : '! ',
-                result.error ? 'check error' : result.state === 'working' ? _('works on router') : _('not works on router')
+                result.error ? 'check error' : result.state === 'working' ? _('works on router') : _('does not work on router')
             ])
         );
     });

luci-app-podkop/htdocs/luci-static/resources/view/podkop/podkop.js

@@ -30,6 +30,10 @@ return view.extend({
                     background: var(--background-color-primary);
                     border-color: var(--border-color-medium);
                 }
+
+                #cbi-podkop:has(.cbi-tab-disabled[data-tab="basic"]) #cbi-podkop-extra {
+                    display: none;
+                }
             </style>
         `);
 

luci-app-podkop/po/ru/podkop.po

@@ -745,10 +745,10 @@ msgstr "Проверка FakeIP через CLI"
 msgid "FakeIP CLI Check Results"
 msgstr "Результаты проверки FakeIP через CLI"
 
-msgid "not works in browser"
+msgid "does not work in browser"
 msgstr "не работает в браузере"
 
-msgid "not works on router"
+msgid "does not work on router"
 msgstr "не работает на роутере"
 
 msgid "Diagnostics"

luci-app-podkop/po/templates/podkop.pot

@@ -1096,10 +1096,10 @@ msgstr ""
 msgid "FakeIP CLI Check Results"
 msgstr ""
 
-msgid "not works in browser"
+msgid "does not work in browser"
 msgstr ""
 
-msgid "not works on router"
+msgid "does not work on router"
 msgstr ""
 
 msgid "Diagnostics"

podkop/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=podkop
-PKG_VERSION:=0.4.4
+PKG_VERSION:=0.4.6
 PKG_RELEASE:=1
 
 PKG_MAINTAINER:=ITDog <podkop@itdog.info>

podkop/files/etc/config/podkop

@@ -31,8 +31,11 @@ config main 'main'
 	option quic_disable '0'
 	option dont_touch_dhcp '0'
 	option update_interval '1d'
-	option dns_type 'doh'
+	option dns_type 'udp'
 	option dns_server '8.8.8.8'
+	option split_dns_enabled '1'
+	option split_dns_type 'udp'
+	option split_dns_server '1.1.1.1'
 	option dns_rewrite_ttl '60'
 	option cache_file '/tmp/cache.db'
 	list iface 'br-lan'

podkop/files/etc/init.d/podkop

@@ -35,12 +35,14 @@ service_triggers() {
 	config_get mon_restart_ifaces "main" "mon_restart_ifaces"
 	config_get restart_ifaces "main" "restart_ifaces"
 
+    PROCD_RELOAD_DELAY=2000
+
 	procd_open_trigger
 		procd_add_config_trigger "config.change" "$NAME" "$initscript" restart 'on_config_change'
 
         if [ "$mon_restart_ifaces" = "1" ]; then
 			for iface in $restart_ifaces; do
-				procd_add_reload_interface_trigger $iface
+            	procd_add_interface_trigger "interface.*.up" "$iface" /etc/init.d/podkop reload
 			done
 		fi
 	procd_close_trigger

podkop/files/usr/bin/podkop

@@ -53,6 +53,10 @@ echolog() {
     nolog "$message"
 }
 
+build_sing_box_config() {
+    cat > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+}
+
 start_main() {
     log "Starting podkop"
 
@@ -65,10 +69,6 @@ start_main() {
         exit 1
     fi
 
-    if opkg list-installed | grep -q iptables-mod-extra; then
-        log "[critical] Conflicting package detected: iptables-mod-extra"
-    fi
-
     if grep -qE 'doh_backup_noresolv|doh_backup_server|doh_server' /etc/config/dhcp; then
         log "[critical] Detected https-dns-proxy in dhcp config. Edit /etc/config/dhcp"
     fi
@@ -76,11 +76,13 @@ start_main() {
     migration
 
     config_foreach process_validate_service
+    
+    br_netfilter_disable
 
     # Sync time for DoH/DoT
     /usr/sbin/ntpd -q -p 194.190.168.1 -p 216.239.35.0 -p 216.239.35.4 -p 162.159.200.1 -p 162.159.200.123
 
-    sleep 2
+    sleep 1
 
     mkdir -p /tmp/podkop
 
@@ -126,7 +128,7 @@ start_main() {
         jq '.experimental.clash_api = {
             "external_ui": "ui",
             "external_controller": "0.0.0.0:9090"
-        }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        }' "$SING_BOX_CONFIG" | build_sing_box_config
     fi
 
     config_get_bool exclude_ntp "main" "exclude_ntp" "0"
@@ -149,7 +151,6 @@ start_main() {
 
     sing_box_config_check
     /etc/init.d/sing-box start
-    #/etc/init.d/sing-box enable
     log "Nice"
 }
 
@@ -299,6 +300,14 @@ process_validate_service() {
     fi
 }
 
+br_netfilter_disable() {
+    if lsmod | grep -q br_netfilter && [ "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" = "1" ]; then
+        log "br_netfilter enabled detected. Disabling"
+        sysctl -w net.bridge.bridge-nf-call-iptables=0
+        sysctl -w net.bridge.bridge-nf-call-ip6tables=0
+	fi
+}
+
 # Main funcs
 
 route_table_rule_mark() {
@@ -416,8 +425,9 @@ dnsmasq_restore() {
     log "Removing configuration for dnsmasq"
 
     local cachesize=$(uci get dhcp.@dnsmasq[0].podkop_cachesize 2>/dev/null)
-    if [ -z "$cachesize" ]; then
+    if [[ "$cachesize" == "unset" ]]; then
         log "dnsmasq revert: cachesize is unset"
+        uci -q delete dhcp.@dnsmasq[0].cachesize
     else
         uci set dhcp.@dnsmasq[0].cachesize="$cachesize"
     fi
@@ -557,7 +567,7 @@ prepare_custom_ruleset() {
             "type": "local",
             "format": "source",
             "path": $file
-        }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        }]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         sing_box_rules $tag $section
         sing_box_dns_rule_fakeip_section $tag $tag
@@ -674,7 +684,7 @@ add_socks5_for_section() {
         "inbound": [$tag],
         "outbound": $section,
         "action": "route"
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 process_socks5() {
@@ -731,10 +741,14 @@ sing_box_dns() {
     local dns_type
     local dns_server
     local resolver_tag="resolver"
+    local split_resolver_tag="split-resolver"
 
     config_get dns_type "main" "dns_type" "doh"
     config_get dns_server "main" "dns_server" "1.1.1.1"
-    
+    config_get split_dns_enabled "main" "split_dns_enabled" "0"
+    config_get split_dns_type "main" "split_dns_type" "udp"
+    config_get split_dns_server "main" "split_dns_server" "1.1.1.1"
+
     local server_json
     local is_ip=$(echo "$dns_server" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && echo "1" || echo "0")
     
@@ -790,20 +804,79 @@ sing_box_dns() {
             }]')
     fi
     
+    if [ "$split_dns_enabled" = "1" ]; then
+        local split_is_ip=$(echo "$split_dns_server" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && echo "1" || echo "0")
+        if [ "$split_is_ip" = "0" ]; then
+            log "Finding working resolver for split DNS"
+            local split_dns_resolver=$(find_working_resolver)
+            if [ -z "$split_dns_resolver" ]; then
+                log "No working resolver found for split DNS, using default"
+                split_dns_resolver="1.1.1.1"
+            else
+                log "Found working resolver for split DNS: $split_dns_resolver"
+            fi
+        fi
+
+        server_json=$(echo "$server_json" | jq \
+            --arg type "$split_dns_type" \
+            --arg server "$split_dns_server" \
+            --arg split_is_ip "$split_is_ip" \
+            --arg split_resolver_tag "$split_resolver_tag" \
+            ' .servers += [
+                {
+                    "tag": "split-dns-server",
+                    "address": (
+                        if $type == "doh" then
+                            "https://" + $server + "/dns-query"
+                        elif $type == "dot" then
+                            "tls://" + $server
+                        else
+                            $server
+                        end
+                    ),
+                    "detour": "main"
+                } + (
+                    if $split_is_ip == "0" then
+                        {"address_resolver": $split_resolver_tag}
+                    else
+                        {}
+                    end
+                )
+            ]')
+
+        if [ "$split_is_ip" = "0" ]; then
+            server_json=$(echo "$server_json" | jq \
+                --arg split_resolver_tag "$split_resolver_tag" \
+                --arg split_dns_resolver "$split_dns_resolver" \
+                '.servers += [{
+                    "tag": $split_resolver_tag,
+                    "address": $split_dns_resolver
+                }]')
+        fi
+    fi
+
     server_json=$(echo "$server_json" | jq '.servers += [{"tag": "fakeip-server", "address": "fakeip"}]')
     
     jq \
         --argjson dns_config "$server_json" \
         --arg fakeip "$FAKEIP" \
+        --argjson split_dns_enabled "$split_dns_enabled" \
         '.dns = {
             "strategy": "ipv4_only",
             "independent_cache": true,
+            "final": (
+                if $split_dns_enabled == 1 then
+                    "split-dns-server"
+                else
+                    "dns-server"
+                end
+                ),
             "fakeip": {
                 "enabled": true,
                 "inet4_range": $fakeip
             },
             "servers": $dns_config.servers
-        }' $SING_BOX_CONFIG > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        }' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_create_bypass_ruleset() {
@@ -820,7 +893,7 @@ sing_box_create_bypass_ruleset() {
                 ]
             }
         ]
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
     
     # Add a rule to route bypass domains to direct-out outbound
     jq '
@@ -829,49 +902,64 @@ sing_box_create_bypass_ruleset() {
         "rule_set": ["bypass"],
         "outbound": "main",
         "action": "route"
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
     
     # Make sure the bypass ruleset is in the fakeip DNS rule
     jq '
     .dns.rules = (.dns.rules | map(
-        if .server == "fakeip-server" then 
-            .rule_set += ["bypass"] 
-        else 
-            . 
+        if (.server == "fakeip-server" or (.server == "dns-server" and .invert == true)) then 
+            if any(.rule_set[]?; . == "bypass") then
+                .
+            else
+                .rule_set += ["bypass"]
+            end
+        else
+            .
         end
-    ))' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    ))' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_dns_rule_fakeip() {
     local rewrite_ttl
-    config_get rewrite_ttl "main" "dns_rewrite_ttl" "600"
-    
+    config_get rewrite_ttl "main" "dns_rewrite_ttl" "60"
+    config_get split_dns_enabled "main" "split_dns_enabled" "0"
+
     log "Configure fakeip route in sing-box and set TTL to $rewrite_ttl seconds"
     
     jq \
     --arg ttl "$rewrite_ttl" \
-    '.dns += {
-        "rules": [
-              {
-            "query_type": [
-                "HTTPS"
-            ],
-            "action": "reject"
-            },
+    --argjson split_dns_enabled "$split_dns_enabled" \
+    '.dns.rules = [
             {
-            "domain_suffix": [
-                "use-application-dns.net"
-            ],
+                "query_type": [
+                    "HTTPS"
+                ],
                 "action": "reject"
             },
             {
-            "server": "fakeip-server",
-            "domain": "",
-            "rewrite_ttl": ($ttl | tonumber),
-            "rule_set": []
+                "domain_suffix": [
+                    "use-application-dns.net"
+                ],
+                    "action": "reject"
+            },
+            {
+                "server": "fakeip-server",
+                "domain": "",
+                "rewrite_ttl": ($ttl | tonumber),
+                "rule_set": []
             }
         ]
-    }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        + (
+            if $split_dns_enabled == 1 then
+                [{
+                    "server": "dns-server",
+                    "domain": "",
+                    "invert": true,
+                    "rule_set": []
+                }]
+            else []
+            end
+    )' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_dns_rule_fakeip_section() {
@@ -882,16 +970,16 @@ sing_box_dns_rule_fakeip_section() {
     jq \
     --arg rule_set "$rule_set" \
     '.dns.rules |= map(
-        if .server == "fakeip-server" then 
+        if (.server == "fakeip-server" or (.server == "dns-server" and .invert == true)) then 
             if any(.rule_set[]?; . == $rule_set) then 
                 .
-            else 
+            else
                 .rule_set += [$rule_set] 
             end
-        else 
-            . 
+        else
+            .
         end
-    )' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+    )' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_cache_file() {
@@ -907,7 +995,7 @@ sing_box_cache_file() {
         "store_fakeip": true,
         "path": $cache_file
         }
-    }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_outdound() {
@@ -990,7 +1078,7 @@ sing_box_outbound_interface() {
                 [{"tag": $section, "type": "direct", "bind_interface": $interface}]
               else [] end
             )
-          )' "$SING_BOX_CONFIG" > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+          )' "$SING_BOX_CONFIG" | build_sing_box_config
 
     if [ $? -eq 0 ]; then
         log "Config updated successfully"
@@ -1018,7 +1106,7 @@ sing_box_rule_dns() {
         }
         ],
         "auto_detect_interface": true
-    }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_config_check() {
@@ -1050,7 +1138,7 @@ sing_box_config_outbound_json() {
                 [$outbound]
               else [] end
             )
-          )' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+          )' "$SING_BOX_CONFIG" | build_sing_box_config
 
     if [ $? -eq 0 ]; then
         log "Outbound config updated successfully"
@@ -1113,7 +1201,7 @@ sing_box_config_shadowsocks() {
             } + (if $ss_uot == 1 then { "udp_over_tcp": { "enabled": true, "version": 2 } } else {} end)]
           else [] end
         )
-      )' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+      )' "$SING_BOX_CONFIG" | build_sing_box_config
 
     if [ $? -eq 0 ]; then
         log "Config Shadowsocks updated successfully"
@@ -1239,7 +1327,7 @@ sing_box_config_vless() {
             else . end
           else . end
         )
-      else . end' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+      else . end' "$SING_BOX_CONFIG" | build_sing_box_config
 
 
     if [ $? -eq 0 ]; then
@@ -1275,7 +1363,7 @@ sing_box_ruleset_domains() {
         else
             .
         end
-        ' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$domain added to the list for tag $tag"
     else
@@ -1294,7 +1382,7 @@ sing_box_ruleset_domains() {
                     }
                 ]
             }
-        ]' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$domain added as a new rule set for tag $tag"
     fi
@@ -1326,7 +1414,7 @@ sing_box_ruleset_subnets() {
         else
             .
         end
-        ' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$subnet added to the list for tag $tag"
     else
@@ -1345,7 +1433,7 @@ sing_box_ruleset_subnets() {
                     }
                 ]
             }
-        ]' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$subnet added as a new rule set for tag $tag"
     fi
@@ -1428,7 +1516,7 @@ sing_box_ruleset_remote() {
                 } +
                     (if $detour == "1" then {"download_detour": "main"} else {} end)
             )
-        ]' "$SING_BOX_CONFIG" > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+        ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "Added new ruleset with tag $tag"
     fi
@@ -1502,7 +1590,7 @@ sing_box_rules() {
             jq \
             --arg rule_set "$rule_set" \
             '(.route.rules[] | select(.inbound == ["tproxy-in"] and .action == "reject") .rule_set) += [$rule_set]' \
-            "$SING_BOX_CONFIG" > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+            "$SING_BOX_CONFIG" | build_sing_box_config
         else
             # If there is no rule for reject, create a new one with rule_set
             jq \
@@ -1511,7 +1599,7 @@ sing_box_rules() {
                 "inbound": ["tproxy-in"],
                 "rule_set": [$rule_set],
                 "action": "reject"
-            }]' "$SING_BOX_CONFIG" > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+            }]' "$SING_BOX_CONFIG" | build_sing_box_config
         fi
         return
     else
@@ -1525,7 +1613,7 @@ sing_box_rules() {
             --arg rule_set "$rule_set" \
             --arg outbound "$outbound" \
             '(.route.rules[] | select(.outbound == $outbound and .inbound == ["tproxy-in"]) .rule_set) += [$rule_set]' \
-            "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+            "$SING_BOX_CONFIG" | build_sing_box_config
         else
             # If there is no rule for tproxy-in, create a new one with rule_set
             jq \
@@ -1536,7 +1624,7 @@ sing_box_rules() {
                 "rule_set": [$rule_set],
                 "outbound": $outbound,
                 "action": "route"
-            }]' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+            }]' "$SING_BOX_CONFIG" | build_sing_box_config
         fi
     fi
 }
@@ -1554,7 +1642,7 @@ sing_box_quic_reject() {
                     . + [$rule]
                 end
             )
-        )' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+        )' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "QUIC reject rule added successfully"
     fi
@@ -1729,15 +1817,13 @@ sing_box_rules_source_ip_cidr() {
     local source_ip_cidr="$1"
     local outbound="$2"
 
-    local current_source_ip_cidr=$(jq -r '.route.rules[] | select(.outbound == "'"$outbound"'" and .action == "route" and (.rule_set | not))' $SING_BOX_CONFIG)
-
+    local current_source_ip_cidr=$(jq -r '.route.rules[] | select(.outbound == "'"$outbound"'" and .action == "route" and .source_ip_cidr and (.inbound // [] | contains(["tproxy-in"])))' $SING_BOX_CONFIG)
 
     if [[ -n "$current_source_ip_cidr" ]]; then
         jq \
         --arg source_ip_cidr "$source_ip_cidr" \
         --arg outbound "$outbound" \
-        '(.route.rules[] | select(.outbound == $outbound and .action == "route" and (.rule_set | not)) | .source_ip_cidr) += [$source_ip_cidr]' \
-        $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        '(.route.rules[] | select(.outbound == $outbound and .action == "route" and .source_ip_cidr and (.inbound // [] | contains(["tproxy-in"]))) | .source_ip_cidr) += [$source_ip_cidr]' "$SING_BOX_CONFIG" | build_sing_box_config
     else
         jq \
         --arg source_ip_cidr "$source_ip_cidr" \
@@ -1749,7 +1835,7 @@ sing_box_rules_source_ip_cidr() {
                 "outbound": $outbound,
                 "action": "route"
             }
-        ] + .route.rules' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        ] + .route.rules' "$SING_BOX_CONFIG" | build_sing_box_config
     fi
 }
 
@@ -1775,7 +1861,7 @@ detour_mixed() {
         "inbound": [$tag],
         "outbound": $section,
         "action": "route"
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 ## nftables
@@ -2348,7 +2434,7 @@ sing_box_add_secure_dns_probe_domain() {
     --arg domain "$domain" \
     --argjson override_port "$override_port" \
     '.dns.rules |= map(
-        if .server == "fakeip-server" then
+        if (.server == "fakeip-server" or (.server == "dns-server" and .invert == true)) then
             . + {
                 "domain": $domain
             }
@@ -2362,7 +2448,7 @@ sing_box_add_secure_dns_probe_domain() {
             "action": "route-options",
             "override_port": $override_port
         }
-    ]' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+    ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
     log "DNS probe domain ${domain} configured with override to port ${override_port}"
 }
@@ -2461,6 +2547,11 @@ global_check() {
         done
     fi
 
+    if [ -d "/etc/init.d/zapret" ]; then
+        print_global "━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        print_global "⚠️ Zapret detected"
+    fi
+
     print_global "━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     print_global "➡️ DNS status"
     dns_info=$(check_dns_available)