From 22c630aa662a51c04795759bd75366b1c84944de Mon Sep 17 00:00:00 2001
From: hotyue <52734432+hotyue@users.noreply.github.com>
Date: Mon, 1 Jun 2026 05:03:54 +0000
Subject: [PATCH] =?UTF-8?q?fix(install):=20=E5=A2=9E=E5=8A=A0=E4=BA=91?=
 =?UTF-8?q?=E7=AB=AF=20NAT=20=E5=8F=8A=20WARP=20=E4=BC=AA=E8=A3=85=20IP=20?=
 =?UTF-8?q?=E7=9A=84=E5=BA=95=E5=B1=82=E5=97=85=E6=8E=A2=E6=8B=A6=E6=88=AA?=
 =?UTF-8?q?=EF=BC=8C=E9=98=B2=E6=AD=A2=E5=81=87=E5=85=AC=E7=BD=91=20v4=20?=
 =?UTF-8?q?=E5=9C=B0=E5=9D=80=E5=AF=BC=E8=87=B4=E5=8F=8C=E8=BD=A8=E9=80=9A?=
 =?UTF-8?q?=E8=AE=AF=E6=9E=B6=E6=9E=84=E5=B4=A9=E6=BA=83?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 core/install.sh | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/core/install.sh b/core/install.sh
index 108791a..8ed6349 100755
--- a/core/install.sh
+++ b/core/install.sh
@@ -465,18 +465,19 @@ if [ "$UPGRADE_MODE" == "false" ]; then
         SAFE_PUBLIC_IP="$PUBLIC_IP"
     fi
 
-    # ==========================================================
-    # [v4.2.0 核心架构] 控制面(通讯)与数据面(养护)分离架构
-    # ==========================================================
     COMM_IP="$PUBLIC_IP"
     if [[ "$PUBLIC_IP" == *":"* ]]; then
         echo -e "\n\033[36m[4.6/7] 正在构建双轨通讯分离架构 (Control Plane Separation)...\033[0m"
         echo -e " \033[33m⚠️ 检测到养护锚点为 IPv6，正在嗅探本机 IPv4 以构建防 MTU 黑洞通讯专线...\033[0m"
-        if [[ -n "$DETECT_V4" ]]; then
+        
+        # [终极防线] 拦截 WARP IP (如 104.28.x.x) 及各类云服务商大内网/CGNAT 保留段
+        if [[ -n "$DETECT_V4" ]] && \
+           ! [[ "$DETECT_V4" =~ ^104\.28\. ]] && \
+           ! [[ "$DETECT_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then
             COMM_IP="$DETECT_V4"
             echo -e " \033[32m✅ 成功建立双轨架构: 养护数据流走 IPv6 ($PUBLIC_IP)，中枢控制流走 IPv4 ($COMM_IP)\033[0m"
         else
-            echo -e " \033[33m⚠️ 本机无公网 IPv4，双轨降级为纯 IPv6 单轨模式。\033[0m"
+            echo -e " \033[33m⚠️ 本机无公网 IPv4 或检测到 WARP/NAT 伪装 IP，为防阻断，双轨已安全降级为纯 IPv6 单轨模式。\033[0m"
         fi
     fi
 
@@ -608,16 +609,23 @@ if [ "$UPGRADE_MODE" == "true" ]; then
         SAFE_PUBLIC_IP="${PUBLIC_IP}"
     fi
 
-    # [v4.2.0 热修复] 为老版本司令部平滑补齐双轨通讯 IP
+    # [v4.2.0 热修复] 为老版本司令部平滑补齐双轨通讯 IP (含严格入站存活校验)
     if ! grep -q "^COMM_IP=" "$CONFIG_FILE"; then
         echo -e "\n🔄 [平滑迁移] 正在为老节点无损注入 v4.2.0 双轨通讯架构..."
         TMP_PUB_IP=$(grep "^PUBLIC_IP=" "$CONFIG_FILE" | cut -d'"' -f2 | tr -d '[]')
+        
         if [[ "$TMP_PUB_IP" == *":"* ]]; then
             TMP_V4=$(curl -4 -s -m 3 api.ip.sb/ip 2>/dev/null | tr -d '[:space:]')
-            if [ -n "$TMP_V4" ]; then
+            
+            # [终极防线] 拦截 WARP IP (如 104.28.x.x 等 Cloudflare 段) 及各类内网 NAT 段
+            # 注: api.ip.sb 返回的一般是出网公网 IP，极少是 10./192. 但为防万一全面封锁
+            if [[ -n "$TMP_V4" ]] && \
+               ! [[ "$TMP_V4" =~ ^104\.28\. ]] && \
+               ! [[ "$TMP_V4" =~ ^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\. ]]; then
                 NEW_COMM_IP="$TMP_V4"
-                echo -e " \033[32m✅ 已成功抓取备用 IPv4 ($NEW_COMM_IP) 作为控制面通讯专线。\033[0m"
+                echo -e " \033[32m✅ 成功建立双轨架构: 养护走 IPv6，中枢控制走 IPv4 ($NEW_COMM_IP)\033[0m"
             else
+                echo -e " \033[33m⚠️ 嗅探到的备用 IPv4 疑似为内网 NAT 或 WARP 伪装 IP，存在无法入站的风险，已安全退回纯 IPv6 单轨模式。\033[0m"
                 NEW_COMM_IP="[$TMP_PUB_IP]"
             fi
         else