update@20210127

luci-app-openclash/root/etc/init.d/openclash

@@ -1200,15 +1200,16 @@ firewall_redirect_exclude()
 
 set_firewall()
 {
-
-if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53$")"]; then
-   iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
-   iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
+
+DNSPORT="$(uci get dhcp.@dnsmasq[0].port 2>/dev/null || echo 53)"
+if [ "$enable_redirect_dns" -eq 1 ] && [ -z "$(iptables -t nat -nL PREROUTING --line-number |grep 'dns_hijack')"]; then
+   iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
+   iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports "$DNSPORT" -m comment --comment dns_hijack
 fi
 
-if [ "$(iptables -t nat -nL PREROUTING --line-number |grep "redir ports 53" |wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
+if [ "$(iptables -t nat -nL PREROUTING --line-number | grep "redir port $DNSPORT" | wc -l)" -gt 2 ] && [ "$enable_redirect_dns" -eq 1 ]; then
    echo "发现53端口被劫持，清理防火墙规则..." >$START_LOG
-   pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/redir ports 53/=' 2>/dev/null |sort -rn)
+   pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d | sed -n "/redir port $DNSPORT/=" 2>/dev/null |sort -rn)
    for pre_line in $pre_lines; do
       iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
    done
@@ -1521,6 +1522,11 @@ revert_firewall()
    done >/dev/null 2>&1
    iptables -t nat -D PREROUTING -p tcp -j openclash >/dev/null 2>&1
 
+   pre_lines=$(iptables -nvL PREROUTING -t nat |sed 1,2d |sed -n '/dns_hijack/=' 2>/dev/null |sort -rn)
+   for pre_line in $pre_lines; do
+      iptables -t nat -D PREROUTING "$pre_line" >/dev/null 2>&1
+   done >/dev/null 2>&1
+
    #ipv6
    #ip6tables -t mangle -F openclash >/dev/null 2>&1
    #ip6tables -t mangle -D PREROUTING -p udp -j openclash >/dev/null 2>&1