From ca6e79d8641e940a8ba4c989953fb8df465928f8 Mon Sep 17 00:00:00 2001 From: Arias Oscar Date: Thu, 25 Jun 2026 17:11:53 +0800 Subject: [PATCH 1/3] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Diptables=E6=94=BE?= =?UTF-8?q?=E8=A1=8C=E7=AB=AF=E5=8F=A3=E6=B7=BB=E5=8A=A0=E8=BF=87=E5=A4=9A?= =?UTF-8?q?=E5=AF=BC=E8=87=B4=E6=BA=A2=E5=87=BA=E7=9A=84=E9=94=99=E8=AF=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/starts/fw_iptables.sh | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/scripts/starts/fw_iptables.sh b/scripts/starts/fw_iptables.sh index 70c7b1ff2..57dc1f4e1 100644 --- a/scripts/starts/fw_iptables.sh +++ b/scripts/starts/fw_iptables.sh @@ -72,7 +72,22 @@ start_ipt_route() { #iptables-route通用工具 done fi #将所在链指定流量指向shellcrash表 - "$1" $w -t "$2" -I "$3" -p "$5" $ports -j "$4" + if [ -n "$ports" ]; then + clean_ports=$(echo "$multiport" | sed 's/ //g') + echo "$clean_ports" | awk -F, '{ + for(i=1; i<=NF; i+=9) { + group="" + for(j=i; j Date: Thu, 25 Jun 2026 20:56:00 +0800 Subject: [PATCH 2/3] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Diptables=E6=94=BE?= =?UTF-8?q?=E8=A1=8C=E7=AB=AF=E5=8F=A3=E6=B7=BB=E5=8A=A0=E8=BF=87=E5=A4=9A?= =?UTF-8?q?=E5=AF=BC=E8=87=B4=E6=BA=A2=E5=87=BA=E7=9A=84=E9=94=99=E8=AF=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ``` iptables v1.8.10 (nf_tables): too many ports specified Try `iptables -h' or 'iptables --help' for more information. iptables v1.8.10 (nf_tables): too many ports specified Try `iptables -h' or 'iptables --help' for more information. ``` iptables放行端口添加过多导致溢出 --- scripts/starts/fw_stop.sh | 67 +++++++++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 14 deletions(-) diff --git a/scripts/starts/fw_stop.sh b/scripts/starts/fw_stop.sh index 8e3757b31..a996547bb 100644 --- a/scripts/starts/fw_stop.sh +++ b/scripts/starts/fw_stop.sh 
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/ash
 # Copyright (C) Juewuy
 #初始化目录
@@ -20,24 +20,44 @@ ckcmd iptables && {
 $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_dns 2>/dev/null
 $iptable -t nat -D OUTPUT -p udp --dport 53 -j shellcrash_dns_out 2>/dev/null
 $iptable -t nat -D OUTPUT -p tcp --dport 53 -j shellcrash_dns_out 2>/dev/null
+ if [ -n "$ports" ]; then
+ clean_ports=$(echo "$multiport" | sed 's/ //g')
+ echo "$clean_ports" | awk -F, '{
+ for(i=1; i<=NF; i+=9) {
+ group=""; for(j=i; j/dev/null
+ $iptable -t nat -D OUTPUT -p tcp -m multiport --dports "$port_group" -j shellcrash_out 2>/dev/null
+ $iptable -t nat -D PREROUTING -p tcp -m multiport --dports "$port_group" -j shellcrash_vm 2>/dev/null
+ $iptable -t mangle -D PREROUTING -p tcp -m multiport --dports "$port_group" -j shellcrash_mark 2>/dev/null
+ $iptable -t mangle -D PREROUTING -p udp -m multiport --dports "$port_group" -j shellcrash_mark 2>/dev/null
+ $iptable -t mangle -D OUTPUT -p tcp -m multiport --dports "$port_group" -j shellcrash_mark_out 2>/dev/null
+ $iptable -t mangle -D OUTPUT -p udp -m multiport --dports "$port_group" -j shellcrash_mark_out 2>/dev/null
+ fi
+ done
+ else
+ $iptable -t nat -D PREROUTING -p tcp -j shellcrash 2>/dev/null
+ $iptable -t nat -D OUTPUT -p tcp -j shellcrash_out 2>/dev/null
+ $iptable -t nat -D PREROUTING -p tcp -j shellcrash_vm 2>/dev/null
+ $iptable -t mangle -D PREROUTING -p tcp -j shellcrash_mark 2>/dev/null
+ $iptable -t mangle -D PREROUTING -p udp -j shellcrash_mark 2>/dev/null
+ $iptable -t mangle -D OUTPUT -p tcp -j shellcrash_mark_out 2>/dev/null
+ $iptable -t mangle -D OUTPUT -p udp -j shellcrash_mark_out 2>/dev/null
+ fi
 #redir
- $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash 2>/dev/null
 $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash 2>/dev/null
- $iptable -t nat -D OUTPUT -p tcp $ports -j shellcrash_out 2>/dev/null
 $iptable -t nat -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_out 2>/dev/null
 #vm_dns
 $iptable -t nat -D PREROUTING -p tcp --dport 53 -j shellcrash_vm_dns 2>/dev/null
 $iptable -t nat -D PREROUTING -p udp --dport 53 -j shellcrash_vm_dns 2>/dev/null
 #vm_redir
- $iptable -t nat -D PREROUTING -p tcp $ports -j shellcrash_vm 2>/dev/null
 $iptable -t nat -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_vm 2>/dev/null
 #TPROXY&tun
- $iptable -t mangle -D PREROUTING -p tcp $ports -j shellcrash_mark 2>/dev/null
- $iptable -t mangle -D PREROUTING -p udp $ports -j shellcrash_mark 2>/dev/null
 $iptable -t mangle -D PREROUTING -p tcp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
 $iptable -t mangle -D PREROUTING -p udp -d 28.0.0.0/8 -j shellcrash_mark 2>/dev/null
- $iptable -t mangle -D OUTPUT -p tcp $ports -j shellcrash_mark_out 2>/dev/null
- $iptable -t mangle -D OUTPUT -p udp $ports -j shellcrash_mark_out 2>/dev/null
 $iptable -t mangle -D OUTPUT -p tcp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
 $iptable -t mangle -D OUTPUT -p udp -d 28.0.0.0/8 -j shellcrash_mark_out 2>/dev/null
 $iptable -t mangle -D PREROUTING -m mark --mark $fwmark -p tcp -j TPROXY --on-port $tproxy_port 2>/dev/null
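Review bot: The new port loop groups entries by count (`for(i=1; i<=NF; i+=9)`), but multiport's limit is 15 ports with a range `a:b` counting as two, so a group of nine ranges is still rejected with the same "too many ports specified" error; on this stop path the failure is hidden by `2>/dev/null` and the corresponding redirect/TPROXY rules stay in place after shutdown. Weighting each entry (2 if it contains `:`, else 1) and closing the group when it would exceed 15 fixes it, as sketched below; the middle of the awk program and the `while read` line are not legible in this rendering, so the group-emission code itself could not be checked. The ip6tables hunk below and the fw_iptables.sh hunk of patch 1 use the same loop and must keep identical grouping, otherwise `-D` here will not match the rules `-I` inserted. Also, the guard tests `$ports` while the data comes from `$multiport`; if the two are not always set together, this branch silently deletes nothing, and `[ -n "$multiport" ]` would test the value actually used.

```shell
echo "$clean_ports" | awk -F, '{
	# multiport accepts at most 15 ports; a range a:b counts as two
	n = 0; group = ""
	for (i = 1; i <= NF; i++) {
		w = (index($i, ":") > 0) ? 2 : 1
		if (n + w > 15 && group != "") { print group; group = ""; n = 0 }
		group = (group == "" ? $i : group "," $i); n += w
	}
	if (group != "") print group
}' | while read port_group; do
# … unchanged: per-group -D rules …
```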
@@ -73,20 +93,39 @@ ckcmd ip6tables && {
 #dns
 $ip6table -t nat -D PREROUTING -p tcp --dport 53 -j shellcrashv6_dns 2>/dev/null
 $ip6table -t nat -D PREROUTING -p udp --dport 53 -j shellcrashv6_dns 2>/dev/null
+ if [ -n "$ports" ]; then
+ clean_ports=$(echo "$multiport" | sed 's/ //g')
+ echo "$clean_ports" | awk -F, '{
+ for(i=1; i<=NF; i+=9) {
+ group=""; for(j=i; j/dev/null
+ $ip6table -t nat -D OUTPUT -p tcp -m multiport --dports "$port_group" -j shellcrashv6_out 2>/dev/null
+ $ip6table -t mangle -D PREROUTING -p tcp -m multiport --dports "$port_group" -j shellcrashv6_mark 2>/dev/null
+ $ip6table -t mangle -D PREROUTING -p udp -m multiport --dports "$port_group" -j shellcrashv6_mark 2>/dev/null
+ $ip6table -t mangle -D OUTPUT -p tcp -m multiport --dports "$port_group" -j shellcrashv6_mark_out 2>/dev/null
+ $ip6table -t mangle -D OUTPUT -p udp -m multiport --dports "$port_group" -j shellcrashv6_mark_out 2>/dev/null
+ fi
+ done
+ else
+ $ip6table -t nat -D PREROUTING -p tcp -j shellcrashv6 2>/dev/null
+ $ip6table -t nat -D OUTPUT -p tcp -j shellcrashv6_out 2>/dev/null
+ $ip6table -t mangle -D PREROUTING -p tcp -j shellcrashv6_mark 2>/dev/null
+ $ip6table -t mangle -D PREROUTING -p udp -j shellcrashv6_mark 2>/dev/null
+ $ip6table -t mangle -D OUTPUT -p tcp -j shellcrashv6_mark_out 2>/dev/null
+ $ip6table -t mangle -D OUTPUT -p udp -j shellcrashv6_mark_out 2>/dev/null
+ fi
 #redir
- $ip6table -t nat -D PREROUTING -p tcp $ports -j shellcrashv6 2>/dev/null
 $ip6table -t nat -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6 2>/dev/null
- $ip6table -t nat -D OUTPUT -p tcp $ports -j shellcrashv6_out 2>/dev/null
 $ip6table -t nat -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_out 2>/dev/null
 $ip6table -D INPUT -p tcp --dport 53 -j REJECT 2>/dev/null
 $ip6table -D INPUT -p udp --dport 53 -j REJECT 2>/dev/null
 #mark
- $ip6table -t mangle -D PREROUTING -p tcp $ports -j shellcrashv6_mark 2>/dev/null
- $ip6table -t mangle -D PREROUTING -p udp $ports -j shellcrashv6_mark 2>/dev/null
 $ip6table -t mangle -D PREROUTING -p tcp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
 $ip6table -t mangle -D PREROUTING -p udp -d fc00::/16 -j shellcrashv6_mark 2>/dev/null
- $ip6table -t mangle -D OUTPUT -p tcp $ports -j shellcrashv6_mark_out 2>/dev/null
- $ip6table -t mangle -D OUTPUT -p udp $ports -j shellcrashv6_mark_out 2>/dev/null
 $ip6table -t mangle -D OUTPUT -p tcp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
 $ip6table -t mangle -D OUTPUT -p udp -d fc00::/16 -j shellcrashv6_mark_out 2>/dev/null
 $ip6table -D INPUT -p udp --dport 443 $set_cn_ip -j REJECT 2>/dev/null

From f89ac976a7f5e536b5f7c1dcd66572b737b83c15 Mon Sep 17 00:00:00 2001
From: Kanna Kamui
Date: Thu, 25 Jun 2026 20:59:30 +0800
Subject: [PATCH 3/3] Update fw_stop.sh

---
 scripts/starts/fw_stop.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/starts/fw_stop.sh b/scripts/starts/fw_stop.sh
index a996547bb..a8bb5eac4 100644
--- a/scripts/starts/fw_stop.sh
+++ b/scripts/starts/fw_stop.sh
@@ -1,4 +1,4 @@
-#!/bin/ash
+#!/bin/sh
 # Copyright (C) Juewuy
 #初始化目录