@@ -1253,6 +1253,173 @@ apply_service_hardening() {
12531253 return 0
12541254}
12551255
1256+ # ─── Change MTU ──────────────────────────────────────────────────────────────────
1257+
1258+ do_change_mtu () {
1259+ banner
1260+ print_header " Change DNSTT MTU"
1261+
1262+ if [[ $EUID -ne 0 ]]; then
1263+ print_fail " Not running as root."
1264+ exit 1
1265+ fi
1266+
1267+ if ! command -v dnstm & > /dev/null; then
1268+ print_fail " dnstm is not installed."
1269+ return 1
1270+ fi
1271+
1272+ # Find DNSTT tunnels from dnstm
1273+ local tunnel_output
1274+ tunnel_output=$( dnstm tunnel list 2> /dev/null || true)
1275+ if [[ -z " $tunnel_output " ]]; then
1276+ print_warn " No tunnels found."
1277+ return 0
1278+ fi
1279+
1280+ # Find DNSTT service files by looking for dnstt-server in ExecStart
1281+ local dnstt_svcs=()
1282+ local dnstt_tags=()
1283+ local svc_files
1284+ svc_files=$( find /etc/systemd/system -maxdepth 1 -name ' dnstm*.service' -o -name ' dnsrouter*.service' 2> /dev/null || true)
1285+ # Also check for dnstm tunnel list tag-based discovery
1286+ local all_tags
1287+ all_tags=$( echo " $tunnel_output " | grep -o ' tag=[^ ]*' | sed ' s/tag=//' || true)
1288+
1289+ # Method 1: Find services containing dnstt-server in ExecStart
1290+ for svc_file in $svc_files ; do
1291+ if grep -q ' dnstt-server\|dnstt' " $svc_file " 2> /dev/null; then
1292+ local svc_name
1293+ svc_name=$( basename " $svc_file " )
1294+ local exec_line
1295+ exec_line=$( grep ' ^ExecStart=' " $svc_file " 2> /dev/null | tail -1 || true)
1296+ # Only include if it actually runs dnstt-server (not router)
1297+ if echo " $exec_line " | grep -q ' dnstt-server' ; then
1298+ dnstt_svcs+=(" $svc_name " )
1299+ local tag_name
1300+ tag_name=$( echo " $svc_name " | sed ' s/^dnstm-tunnel-//;s/^dnstm-//;s/\.service$//' )
1301+ dnstt_tags+=(" $tag_name " )
1302+ fi
1303+ fi
1304+ done
1305+
1306+ # Method 2: If Method 1 found nothing, try from dnstm tunnel list
1307+ if [[ ${# dnstt_svcs[@]} -eq 0 ]]; then
1308+ for tag in $all_tags ; do
1309+ # Skip noiz tunnels — they don't support MTU
1310+ if [[ " $tag " == noiz* ]]; then
1311+ continue
1312+ fi
1313+ if echo " $tunnel_output " | awk -v t=" tag=${tag} " ' {for(i=1;i<=NF;i++) if($i==t){print;next}}' | grep -qi " transport=dnstt" ; then
1314+ # Try common service name patterns
1315+ local found_svc=" "
1316+ for pattern in " dnstm-tunnel-${tag} .service" " dnstm-${tag} .service" ; do
1317+ if systemctl cat " $pattern " & > /dev/null; then
1318+ # Verify it actually runs dnstt-server, not noiz
1319+ if systemctl cat " $pattern " 2> /dev/null | grep -q ' dnstt-server' ; then
1320+ found_svc=" $pattern "
1321+ break
1322+ fi
1323+ fi
1324+ done
1325+ if [[ -n " $found_svc " ]]; then
1326+ dnstt_svcs+=(" $found_svc " )
1327+ dnstt_tags+=(" $tag " )
1328+ fi
1329+ fi
1330+ done
1331+ fi
1332+
1333+ if [[ ${# dnstt_svcs[@]} -eq 0 ]]; then
1334+ print_warn " No DNSTT tunnel services found. MTU only applies to DNSTT tunnels."
1335+ return 0
1336+ fi
1337+
1338+ # Show current MTU for each DNSTT tunnel
1339+ echo " "
1340+ print_info " Current DNSTT tunnels and MTU values:"
1341+ echo " "
1342+ local i
1343+ for i in " ${! dnstt_svcs[@]} " ; do
1344+ local svc=" ${dnstt_svcs[$i]} "
1345+ local tag=" ${dnstt_tags[$i]} "
1346+ local exec_line
1347+ exec_line=$( systemctl cat " $svc " 2> /dev/null | grep ' ^ExecStart=' | tail -1 || true)
1348+ local current_mtu
1349+ current_mtu=$( echo " $exec_line " | grep -oE ' \-mtu\s+[0-9]+' | grep -oE ' [0-9]+' || true)
1350+ if [[ -z " $current_mtu " ]]; then
1351+ current_mtu=" default (1232)"
1352+ fi
1353+ echo -e " ${BOLD}${tag}${NC} : MTU = ${GREEN}${current_mtu}${NC} ${DIM} (${svc} )${NC} "
1354+ done
1355+
1356+ echo " "
1357+ local new_mtu
1358+ new_mtu=$( prompt_input " Enter new MTU value for ALL DNSTT tunnels (512-1400)" " 1100" )
1359+ new_mtu=$( echo " $new_mtu " | sed ' s/^[[:space:]]*//;s/[[:space:]]*$//' )
1360+
1361+ if ! [[ " $new_mtu " =~ ^[0-9]+$ ]] || [[ " $new_mtu " -lt 512 ]] || [[ " $new_mtu " -gt 1400 ]]; then
1362+ print_fail " Invalid MTU value. Must be 512-1400."
1363+ return 1
1364+ fi
1365+
1366+ echo " "
1367+ print_info " Setting MTU to ${new_mtu} on all DNSTT tunnels..."
1368+
1369+ local changed=0
1370+ for i in " ${! dnstt_svcs[@]} " ; do
1371+ local svc=" ${dnstt_svcs[$i]} "
1372+ local tag=" ${dnstt_tags[$i]} "
1373+ local exec_line
1374+ exec_line=$( systemctl cat " $svc " 2> /dev/null | grep ' ^ExecStart=' | tail -1 || true)
1375+ if [[ -z " $exec_line " ]]; then
1376+ print_warn " Could not read ExecStart for ${tag} , skipping"
1377+ continue
1378+ fi
1379+
1380+ local new_exec
1381+ if echo " $exec_line " | grep -qE ' \-mtu\s+[0-9]+' ; then
1382+ # Replace existing MTU
1383+ new_exec=$( echo " $exec_line " | sed -E " s/-mtu\s+[0-9]+/-mtu ${new_mtu} /" )
1384+ else
1385+ # Add MTU after -udp :PORT
1386+ new_exec=$( echo " $exec_line " | sed -E " s/(-udp\s+:[0-9]+)/\1 -mtu ${new_mtu} /" )
1387+ fi
1388+
1389+ # Write override
1390+ local override_dir=" /etc/systemd/system/${svc} .d"
1391+ mkdir -p " $override_dir "
1392+ cat > " ${override_dir} /mtu-override.conf" << MTEOF
1393+ [Service]
1394+ ExecStart=
1395+ ${new_exec}
1396+ MTEOF
1397+
1398+ print_ok " ${tag} : MTU → ${new_mtu} "
1399+ (( changed++ )) || true
1400+ done
1401+
1402+ if [[ $changed -gt 0 ]]; then
1403+ systemctl daemon-reload
1404+ echo " "
1405+ print_info " Restarting DNSTT tunnels..."
1406+ for svc in " ${dnstt_svcs[@]} " ; do
1407+ systemctl restart " $svc " 2> /dev/null || true
1408+ done
1409+ sleep 2
1410+ # Restart router to pick up changes
1411+ if systemctl is-active dnstm-router & > /dev/null; then
1412+ systemctl restart dnstm-router 2> /dev/null || true
1413+ fi
1414+ echo " "
1415+ print_ok " MTU updated to ${new_mtu} on ${changed} tunnel(s). Keys unchanged."
1416+ else
1417+ print_warn " No tunnels were modified."
1418+ fi
1419+ }
1420+
1421+ # ─── --harden ────────────────────────────────────────────────────────────────────
1422+
12561423do_harden () {
12571424 banner
12581425 print_header " Security Hardening Mode"
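Review bot: The `else` branch that inserts `-mtu` after `-udp :PORT` (the `sed -E "s/(-udp\s+:[0-9]+)/\1 -mtu ${new_mtu}/"` line) leaves `new_exec` identical to `exec_line` when ExecStart has no such token, yet the override file is still written, `print_ok` reports the new MTU and `changed` is incremented, so an untouched unit is reported as updated. A guard before the override is written keeps the outcome honest: `[[ "$new_exec" != "$exec_line" ]] || { print_warn "${tag}: no -udp :PORT in ExecStart, could not insert -mtu; skipping"; continue; }`. The restart loop has the same optimism: `systemctl restart "$svc" 2>/dev/null || true` swallows a failed restart and the closing `print_ok` still claims success, so checking the per-unit exit status (or `systemctl is-active` after the sleep) would let the operator see a tunnel that did not come back. Minor: the root check uses `exit 1` while every other failure path in the function uses `return 1`; inside the `( trap - INT; do_change_mtu ) || true` subshell from do_manage that only ends the subshell, but it would terminate the whole script if the function is ever called directly.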
@@ -3213,15 +3380,16 @@ do_manage() {
32133380 echo -e " ${BOLD} 6)${NC} Configure SOCKS auth ${DIM} (enable, disable, or change credentials)${NC} "
32143381 echo -e " ${BOLD} 7)${NC} Apply hardening ${DIM} (systemd security for all services)${NC} "
32153382 echo -e " ${BOLD} 8)${NC} Xray backend ${DIM} (connect 3x-ui panel via DNS tunnel)${NC} "
3383+ echo -e " ${BOLD} 9)${NC} Change DNSTT MTU ${DIM} (change MTU on existing DNSTT tunnels)${NC} "
32163384 echo " "
32173385 echo -e " ${DIM} ──────────────────────────────────────────────${NC} "
3218- echo -e " ${BOLD}${RED} 9 )${NC} ${RED} Uninstall everything${NC} "
3386+ echo -e " ${BOLD}${RED} 10 )${NC} ${RED} Uninstall everything${NC} "
32193387 echo " "
32203388 echo -e " ${BOLD} 0)${NC} Exit"
32213389 echo " "
32223390
32233391 local choice=" "
3224- read -rp " Select [0-9 ]: " choice || break
3392+ read -rp " Select [0-10 ]: " choice || break
32253393
32263394 case " $choice " in
32273395 1)
@@ -3249,6 +3417,9 @@ do_manage() {
32493417 ( trap - INT; do_add_xray ) || true
32503418 ;;
32513419 9)
3420+ ( trap - INT; do_change_mtu ) || true
3421+ ;;
3422+ 10)
32523423 ( trap - INT; do_uninstall ) || true
32533424 # If uninstall succeeded, dnstm is gone — exit menu
32543425 hash -d dnstm 2> /dev/null || true
@@ -3267,7 +3438,7 @@ do_manage() {
32673438 continue
32683439 ;;
32693440 * )
3270- print_warn " Invalid choice. Enter 0-9 ."
3441+ print_warn " Invalid choice. Enter 0-10 ."
32713442 sleep 1
32723443 continue
32733444 ;;