|
|
楼主 |
发表于 2011-9-19 21:03
|
显示全部楼层
SetupSquidTransparentProxy5 s6 ~5 M" S7 M$ Q% b3 j3 G5 ]0 x
( b; m8 P8 o5 Z- `: s2 p
Squid Transparent Proxy on Palm Pre
" E/ Z9 D5 Z- A& p+ Y8 G+ W& {+ Y5 C
% l$ b' P3 ?* b6 LOk, someone asked for it, so I figured it out, how to do it for fun and profit:
4 q+ C+ _6 H L
6 i+ y: ?# O6 D# `1 U- uHide Preparation
: M) t* I `, |3 T2 r2 d: W$ t2 b
First, you need to have root access to your device. How to get root, is described here. It would be a good idea to know a little about linux and networking too. Be warned: this can make your networking unfunctional!1 E0 ?8 F, `/ r! f
3 L' p. U1 V+ W; l8 s; M! pNext thing you need to do is to install the package Optware Advanced Linux Command Line Installer from Preware, which installs ipkg-opt!3 F3 i" w z" _
# V" t# ]( Z# Y! k: }4 g$ O4 T↑ Jump Back A Section, {& C. q4 Z+ [5 M) U
Hide Installing Squid% C+ U) L$ Q" X5 ]' j
% I" O7 F$ \. S. iLogin to the pre console and make your root disk writable:
9 E/ p1 o9 v8 Z1 l! _: j8 P. n0 y# X- S7 O5 i2 J( U7 \
root@palm-webos-device: # cd / && mount -v -o remount,rw /
, U, ^/ q4 J( O* d3 F6 L5 V7 kType this command to install the squid optware package: G+ ?: C1 I; K) e) d; N! W8 d- d
0 S8 @* ]% Z8 o; Yroot@palm-webos-device: # ipkg-opt update0 X9 }. f0 O4 x2 N) M: f$ H" h7 O
...7 \* b# a* Y4 _, I
root@palm-webos-device: # ipkg-opt install squid
7 E2 k. c+ p) K/ U1 V: U8 N7 w Installing squid (2.6.21-2) to root...
0 b5 a% k0 d5 Z Downloading http://ipkg.nslu2-linux.org/feed ... id_2.6.21-2_arm.ipk
. W# K% H, [5 }$ `3 A Configuring squid
+ i5 v7 m6 C3 N/ X" p create default cache and logs dir; ]- |/ r5 ]8 W& X% U0 d/ W
chown: unknown user/group nobody:nobody
! J1 C, K- v9 i! T, F chown: unknown user/group nobody:nobody
# E' F3 T @% B* D- `) ? FATAL: Could not determine fully qualified hostname.Please set 'visible_hostname'
1 D L8 r. O" ?" W ; C8 r& h7 W" }8 g! z ]
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.# ]; c3 I# q5 ]: c, {: S6 _
CPU Usage: 0.020 seconds = 0.010 user + 0.010 sys
2 [/ b2 b# \& d, C! M Maximum Resident Size: 0 KB$ N, k! h8 j2 h8 X0 M0 Q- \
Page faults with physical i/o: 0: l. l! x6 {, O
Segmentation fault
) Y" M- x+ H, a+ `# ]+ a2 I
+ T$ h: v& Z/ ^ You should review the configuration file /opt/etc/squid/squid.conf,5 A9 G% m/ ~2 |. ~8 @" P
make any necessary change, and complete the install by running -3 O% l! V5 `* k" j
/opt/etc/init.d/S80squid start
+ N$ k" [3 C8 N3 L' X$ w. e% Y
* H2 a8 Z! T {% [ Successfully terminated.3 s% Q' @% e3 _& w( d
Ignore the errors for the moment, we'll get to it soon.
) h! l1 {- j d; ^( a9 R5 ?* D) b
% ~# I, Q N0 L↑ Jump Back A Section
2 B5 ]+ A/ T3 S$ O; ~& mHide Create a basic proxy config. G+ O8 R9 g7 M+ V; X' d
* P: B4 B7 T1 Y) q; \
Change to the directory /opt/etc/squid and move the file squid.conf which is already there to somewhere else. Now create a new squid.conf, which should have the following contents:6 _$ E& c) C. U
/ w5 z$ s" Z/ e
visible_hostname localhost1 J, _5 G a) a
http_port 3128 transparent
1 D5 H4 V2 Q7 `/ e" B: o7 @4 ] hierarchy_stoplist cgi-bin ?
* s' N8 ?& Z/ j% k! X access_log /var/cache/squid/squid.log squid
$ k6 o+ v: e& r" [8 a" T3 B acl QUERY urlpath_regex cgi-bin \? # F6 Q7 e& {6 A; G& h
cache deny QUERY , u( K9 i2 ?. Y1 M$ G9 Q; Y
& S6 Z+ J8 ~6 F4 w # replace the ip address with the address of your proxy0 W7 H1 Z) P( d9 K" z3 B
# replace the port 3128 with the port of your proxy/ C, O. j Q4 z; y: _& N8 G9 ]5 X
cache_peer 192.168.2.205 parent 3128 3130 default
- g0 e' ]( ~# I. {1 X" U
/ k( p8 K1 r) H# D # if your proxy requires authentication, use this:
; i( A. A' X4 B) V2 Q3 j# Y! a* C5 C v4 S # cache_peer 192.168.2.205 parent 3128 3130 default login USERNAME PASSWORD
! F1 J0 c2 j, e1 }" D/ T& O: {
* ^' U+ f! }( B" L: Z refresh_pattern ^ftp: 1440 20% 10080/ W3 }* Z" q% o( R
refresh_pattern ^gopher: 1440 0% 1440
9 }9 R* V- f/ v3 S refresh_pattern . 0 20% 4320( H5 i, V, J( {, W' w
acl apache rep_header Server ^Apache $ ^& Q$ B1 I5 y# e6 \' \
broken_vary_encoding allow apache % @: w8 @( L: Q8 C: N) `
coredump_dir /var/cache/squid # w$ r S% h) s& A' O
cache_dir ufs /var/cache/squid 20 5 5 L5 r( X9 H) W9 N
access_log /var/cache/squid/squid.log
5 m6 d0 `! K G9 Z. D( u! j5 a cache_log /var/cache/squid/cache.log
" [, k. p: Z: Z1 ^) p& R9 G# B cache_store_log /dev/null
& ~5 J* r" Y( z9 o5 s- y 1 h# ]: V6 w; [
acl all src 0.0.0.0/0.0.0.0
% X7 o- y p# } F5 I) x$ U# ~' r acl manager proto cache_object2 m! C4 m k' F2 q7 P7 J
acl localhost src 127.0.0.1/255.255.255.255
( z/ Z' I1 W" w0 ?. c% h/ s# u acl to_localhost dst 127.0.0.0/8
7 Q9 } z# h$ C, y# U0 E: t! I6 v acl SSL_ports port 443 C* p8 I! x. c
acl Safe_ports port 80 # http" c3 e. U c& A+ R# C, D/ D3 o
acl Safe_ports port 21 # ftp
9 F9 m. c' d: d/ [& C' x acl Safe_ports port 443 # https
+ P' P7 b' r. D; B3 u- }0 W acl Safe_ports port 70 # gopher- H+ U% d3 I9 ?
acl Safe_ports port 210 # wais
2 F1 R( f/ h2 ^ acl Safe_ports port 1025-65535 # unregistered ports
u8 y! n( P# W) R# J acl Safe_ports port 280 # http-mgmt" U7 e4 ?4 W5 r) \; ]. L" u
acl Safe_ports port 488 # gss-http i$ f2 q% ^+ g$ l" |' M; D0 R
acl Safe_ports port 591 # filemaker
1 K4 ?+ N3 d5 k" J/ V$ v( D1 Y8 ~3 i acl Safe_ports port 777 # multiling http
6 K4 \7 Q+ D7 R3 C acl CONNECT method CONNECT
' A2 J/ z' T2 G+ a& s+ S' G$ @ http_access allow manager localhost( z1 x& B) l" \, t
http_access deny manager
7 J4 o6 t0 f4 X+ D* C' N$ L http_access deny !Safe_ports
4 J$ @; l2 W$ V4 o! u$ E http_access deny CONNECT !SSL_ports
$ E% A! D: \5 V7 t4 b' f# z( G7 w. _ # example for an ACL, uncomment and modify
' T4 @% X d6 k. N* Q) c i# {6 J #acl enemy dstdomain www.apple.com
' D y/ C3 L: W! @. J8 E1 H #http_access deny enemy' Q2 ?) J7 z" j
' n1 S- S& ]& a. e$ b8 b o8 Q http_access allow all' y2 n- V' k$ |
icp_access allow all9 |1 A5 x6 p3 A
Basically this is a config for a transparent proxy, thus a browser will be redirected to it without knowing that it is actually connected to a proxy. We must configure it this way because the WebOS browser cannot be configured to use a proxy.
" `2 Q2 Y2 c. R! ?4 R
: R0 z. ~" `9 ~& P3 Z, NNote that we have added a single ACL here, which denies access to some random site *g*. Any other requests will be allowed. SSL (HTTPS) will not be passed through the proxy because this requires the browser to connect to it using a proxy request.3 i$ I. d2 J2 N! M! M/ V6 m
- ]4 O$ n; D. L8 W1 V G( c
You WILL need to modify the squid.conf variable cache_peer, it points to your upstream proxy, e.g. your companys proxy. Refer to the comments for the syntax.
. F" G# W7 h, b; V h) u6 t1 r
" O, a$ U& t7 s' b5 z% W↑ Jump Back A Section: y! L: `) v# R. M
Hide Prepare the directories for squid4 n4 u. X- |5 o) y) N8 t
6 `) Z8 _, k. L/ PSquid needs a directory where to store it's files, as content it caches and logfiles. You may consider to disable caching and logging. But caching may be a good idea if your traffic is limited, so you'll save some. Logging is always usefull for debugging. If you want to turn it off, use /dev/null as target for the logfiles.8 h4 {- K& H, _% A1 Z
6 v" g. O" q! W% h5 F
mkdir /var/cache/squid* T+ E& x, P0 b: q
chown nobody /var/cache/squid
, h3 O o. v7 R& YNext you need let squid to prepare the directory structure using the -z option:
$ L2 b9 z2 D7 C$ p! |1 O1 W$ Q; d3 }
root@palm-webos-device: # squid -z -f squid.conf
: O5 S! _/ _0 A. E 2009/11/26 23:19:29| Creating Swap Directories
3 O c& V0 n! ~# g9 e: i9 |; ^4 }( rYou should not see any errors here!
$ k/ z) F/ o, ~) W0 M5 r" F+ U# Y! v9 O5 k1 x
↑ Jump Back A Section
) c; E: O# I2 q2 ^$ oHide Starting squid
& i0 o# ^5 P$ O0 g/ f1 G) J8 A7 q, j1 a2 n3 G a1 S8 Z
The installer already added it to the startup daemons, now we will start it manually:
( L$ L! J0 m; @7 N2 L: w& G( V# |8 n; Z. ~8 J4 j
/opt/etc/init.d/S80squid start
3 ?/ z5 X+ K/ j8 O( cLook in /var/cache/squid/cache.log for any errors. Use ps to see if it really runs. You may consider to install lynx and test the proxy:" q/ |9 x5 j- \9 K3 E% o6 h+ z
' C2 q: R6 K1 }8 r1 x: ~1 f
ipkg-opt install lynx) }$ X, K) p, f( w0 O
export http_proxy=http://localhost:3128
! e1 _8 _) [7 [* n: i$ u lynx www.google.com
4 m5 w; T) C& `6 M; Y2 C4 p2 jIf you see a google textmode site, it works.- Y! I0 I3 S: [( K' l& ^ I% `
# N$ U5 K }0 `4 y! [/ v9 \Turn it off if everything is ok:9 \1 }. Z& K# T |- ^
! l& r& V3 ?8 a& U6 {8 o/opt/etc/init.d/S80squid stop
5 {+ I' M4 X I7 m↑ Jump Back A Section1 w9 N0 Z/ U9 e+ ]( X+ y9 Q
Hide Add the rules to the squid startup file
0 d0 F {4 t: ] _0 a3 [9 ?) Q8 J
/ r3 A9 w' s2 k# ONow comes the ugly part. I'll not explain it in detail: we install some iptable Rules. We tell iptables to forward any traffic destined to tcp port 80 to localhost port 3128 (this is where squid listens for incoming connections). To avoid that the requests of the proxy itself are forwarded to localhost (which would create a loop), we add a rule telling iptables to not forward web traffic if it were generated by user nobody (the user squid runs as).
, R$ B" K2 L3 x/ J+ _: e, H% r% C% U: i
To do that, edit /opt/etc/init.d/S80squid so that it looks like this:2 A- L( `7 S* Z# G1 S/ T) C4 ^
9 n- }: q2 a4 {* Y7 d7 w9 z& Z* \
#! /bin/sh
! r$ ^. `5 f. P6 v# P9 v8 | : d5 o- {0 l6 s, y7 Z
case "$1" in
) I& F" D. r" m start)
h2 B4 `4 Y" y. \ echo -n "Starting proxy server: "
7 [: y) {! S [6 @ if [ -n "`pidof quotacheck`" ]; then
9 s( D D5 M) r. v7 {$ A" W #you don't need it if you don't have quota check enable.
9 U6 \) F- R3 X+ s$ S echo "Starting squid-cache server after delay for few mins:"
* Z7 ?: ^7 @9 p /opt/etc/squid/squid.delay-start.sh&
1 [; f& ] U& W* `: K else
# S1 k4 ^" s- R& l /opt/sbin/squid -f /opt/etc/squid/squid.conf
, d- c# m0 g6 B. m1 z' u0 n iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 65534 -j ACCEPT
' P* t+ N& C( |; f: s. r2 b1 ` iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
! ]! m% z! n( ?% c; K' `" ? echo "done."9 X( m8 O& k" |: u6 v1 {# C
fi
* H& E6 w r( [% v6 P echo "done."
+ \# o$ x1 g7 N i1 p1 b ;;
q3 M/ p9 v, ]% Q8 q5 | stop) y$ n- z( G. `
echo -n "Stopping proxy server: "
# y; x5 }/ E W- z /opt/sbin/squid -f /opt/etc/squid/squid.conf -k shutdown
7 w: K8 }' Y) \ p iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner --gid-owner 65534 -j ACCEPT2 S5 s; T _+ {" b) E0 z
iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:31281 o4 q0 u! J g( ~) i- j H/ n
echo "done."8 S/ J$ g, L1 p) G# F$ C
;;4 D% F3 p: _$ K) d
reload|force-reload)
( B' ~2 C4 L+ U6 z/ x& C echo -n "Reloading proxy server configuration files: "
2 _- Q$ o& W1 y+ { q. N3 z2 T /opt/sbin/squid -f /opt/etc/squid/squid.conf -k reconfigure; K f& g/ o( l
echo "done."! @: L) b( d0 s' o2 \2 {
;;& S, q" I9 r3 S7 v/ j7 E5 X0 K
restart)
* j! J& H$ W1 V% Z+ J6 e echo -n "Restarting proxy server: ", Q/ ~) X, `8 ?0 I: k
/opt/sbin/squid -f /opt/etc/squid/squid.conf -k shutdown
1 g, D6 ` j W. u sleep 2
4 C8 i! ~( C8 G) H8 t( n /opt/sbin/squid -f /opt/etc/squid/squid.conf
6 u W9 {5 y ~# x) j0 R echo "done."
! M ?2 E; A6 R' c2 N, f* @) G ;;
0 q% W: _3 n4 n. Z& a, j- P *)4 P2 k; s9 v% m, p" l% T
echo "Usage: /opt/etc/init.d/S80squid {start|stop|reload|force-reload|restart}" y% ] l+ H. U3 v# _# S
exit 1; F" P5 d4 F* b# }
;;
& K4 ^! T: {6 _/ s esac
5 c% E& N, w( @! H# ?" Y" }" U↑ Jump Back A Section4 F0 J$ c- e2 ?( E
Hide Configure network to startup squid if WIFI comes up8 m8 \) h4 M/ ^0 g0 V) @
2 h" u0 y4 |/ _8 w( g# J
Now we need to alter the behavior of the palm network manager so that it starts squid if WIFI comes up and stops it when WIFI goes down.
6 Q) P$ z! D1 D, {; r: n9 i2 d9 r8 q& E% ]0 V+ i# W! s: Y1 d
Change to directory /etc/pmnetconfig/.
9 X0 u+ v% n6 F/ P
# L, f* Z# F. s2 ]# \ N2 P* HIn the file if-up modify this part:2 e! w& H+ \) e; @6 |2 o% b
+ W x7 F1 e4 |0 n- M$ w if [ "$ISPPP" -ne 4 ] && [ "$ISRMNET" -ne 6 ] && [ "$ISTUN" -ne 4 ] && [ "$ISCSCOTUNVPN" -ne 8 ]; then8 y7 V6 [" S) s5 a( @4 |$ z: i5 f7 D
NetCfgSetAddr! \$ C, M& w$ w) l; E
CMSERVICES=$((${CMSERVICES} | ${CMSVCINTERNET}))
" A I. o. S4 [0 Y$ a: r, D3 N fi; e; B" R* K8 i& N' ?8 M
to, R# E: ^, t4 o% G. y
$ Q! K- \' l; j: Z0 W( x$ T
if [ "$ISPPP" -ne 4 ] && [ "$ISRMNET" -ne 6 ] && [ "$ISTUN" -ne 4 ] && [ "$ISCSCOTUNVPN" -ne 8 ]; then
& x9 F2 [4 A+ \8 M' l) ` NetCfgSetAddr8 }' V" k k9 A7 _
CMSERVICES=$((${CMSERVICES} | ${CMSVCINTERNET}))
; V) S: r6 {: B) o /usr/bin/logger "wifi up: execute /opt/etc/init.d/S80squid start"
, C. s; W( V% X7 l: r# ]1 p /opt/etc/init.d/S80squid start
$ r+ _0 M; y. B9 J7 q, f6 C& s5 Y fi
7 K+ Y; m6 d# ]In the file if-down modify this part:7 V, q! q) o" V3 j" f
7 [: g4 w: _+ \" f( _
if [ ${CMINTERFACE} = ${CMBTINTERFACENAME} ] || [ ${CMINTERFACE} = ${CMBRINTERFACENAME} ]; then& m' j- t9 @! v1 f& w1 T. B
${LOG} "${IPTABLES} -t nat -D POSTROUTING -s $CMNETADDR/$CMPREFIXLEN -j MASQUERADE"
. F3 W8 Y: G6 L) B3 t2 r ${IPTABLES} -t nat -D POSTROUTING -s $CMNETADDR/$CMPREFIXLEN -j MASQUERADE
. Z( O+ y3 V' t" Q+ K' b ${LOG} "${ECHO} 0 >/proc/sys/net/ipv4/ip_forward"
8 w: c! y! H7 t- |' D5 u$ p9 d4 A ${ECHO} 0 >/proc/sys/net/ipv4/ip_forward
3 Q4 \: ~2 ?, A/ Z: @) O G fi' |1 C0 x' W, n5 ~9 T" e9 `- i
to:
* J$ H* k) W* q: o, S
/ ^& S2 q' I; ]) N: V if [ ${CMINTERFACE} = ${CMBTINTERFACENAME} ] || [ ${CMINTERFACE} = ${CMBRINTERFACENAME} ]; then
% [, @3 w L* [8 ?# r- o/ J ${LOG} "${IPTABLES} -t nat -D POSTROUTING -s $CMNETADDR/$CMPREFIXLEN -j MASQUERADE"# i! ~) z5 [( g( o1 x% R
${IPTABLES} -t nat -D POSTROUTING -s $CMNETADDR/$CMPREFIXLEN -j MASQUERADE
" N& ~3 X' F8 C! X. ` ${LOG} "${ECHO} 0 >/proc/sys/net/ipv4/ip_forward"! @) Y* O' S/ L9 `0 h
${ECHO} 0 >/proc/sys/net/ipv4/ip_forward
m& y7 |$ p, v, z /usr/bin/logger "wifi up: execute /opt/etc/init.d/S80squid stop"
" u: R8 C- F2 A, b0 j% U; t* v' z$ m# ^ /opt/etc/init.d/S80squid stop 7 N4 G" H. ?$ @" p u, @! W
fi
* _6 ]" `, m1 @' k( S/ e1 r↑ Jump Back A Section" B3 Q1 A# V6 W: s# u' @
Hide Make your root disk read-only again
* X5 O9 E q( F: b- O. M
5 L k/ y+ n# jroot@palm-webos-device: # cd / && mount -v -o remount,ro /0 ~4 @0 {/ T s8 X6 e
↑ Jump Back A Section1 C8 O6 k1 E3 e) @0 Y4 j* X7 ^! F1 A5 {
Hide See it working
$ x" h c9 D. K: ?/ \' d8 q
B, o& x6 B/ G, F2 oSo, let's see how it works. Enable WIFI and fire up the browser and see if it works. You should see your requests on the remote proxy.; `+ J" K8 `) @9 E' t+ L
9 F" B, b) G q7 R* `+ KIf you added an ACL as mentioned earlier, a message like the following should appear if you enter the url of your favourite enemy vendor (the one we configured above):5 j. M) u& n; A& W; @
- I6 N) z) u! P3 @1 d
" e f8 h, Z5 x) I
7 i+ F' n1 c6 F: Y0 B' a. `0 p7 G! L8 M
↑ Jump Back A Section. ^5 T& L- w. d5 s2 C
Hide Blocking Adverts
; Z8 I% R! n. A# s5 C' A# w7 I" j" y
Now squid is set up, we can use it for ad blocking. There are two steps to this:
4 S! {( I) {% ]) T W7 f! y, P: h( V3 v
Obtain a block list/ R% u0 ^6 n" `
! m$ l% R! F! W6 m/ FAn excellent ad block list is maintained at http://pgl.yoyo.org/as/. We need to download it in a suitable format for squid, which can be done by running the following command:
, w& T, M( X0 O) v& \- d7 a/ e/ P$ h) {- `. g# J4 E
wget -q -O/opt/etc/squid/blocklist 'http://pgl.yoyo.org/as/serverlist.php?hostformat=squid-dstdom-regex;showintro=0&nohtml=true&mimetype=plaintext > /opt/etc/squid/blocklist8 N1 C6 g" \& e# l8 C; K6 {
(Technical details: the wget command downloads the URL given in single quotes, then we strip the HTML mark-up and blank lines using grep. The filename at the end is where the black list will be stored.)+ b; r. j. ^4 o. o. v1 w8 n: O9 d
" K: \) M! S5 X: uConfigure squid to use the block list; E2 k1 W$ f; ?" i- w C& N. ]
9 C K4 L4 U& D
Now we need to tell squid to block the list of URLs in the file we've just created. Open the /opt/etc/squid/squid.conf file we created above, and scroll down to where it reads:
" y5 o, @4 n) L& K
! Q: x& } a& Yacl enemy dstdomain www.apple.com% d( X+ ~( a% b" I) O1 @& Y9 F! }- d
Replace this line with:% U4 Q/ b' J% [( P
8 m. Y6 ?5 T( D L X9 \
acl enemy dstdom_regex "/opt/etc/squid/blocklist". p9 @. N T; h( t( ?
Finally, restart squid:
& B( S; K+ C2 j( ]% ]: ~% o- K5 C- l; I+ j2 W8 t2 P# `
/opt/etc/init.d/S80squid restart- U7 K5 h! B6 h# \: P/ V ^" I
To test it's working, open a browser and try to visit ads.msn.com (one of the blocked URLs). The error given should be similar to the screenshot given above.. \9 S; ^4 ~: ]. Z' l+ g5 t
: f* j Q! w( K" |( `/ }3 w, s
If in the future you need to update the ad blocking list, run the commands:( g9 g% U* q: u1 I
h, f- g' k! D9 ?" |( Dcd / && mount -v -o remount,rw /
2 F7 W; N8 D2 g) D( N( I" ?7 w wget -q -O - 'http://pgl.yoyo.org/as/serverlist.php?hostformat=squid-dstdom-regex;showintro=0' | grep -v ">" | grep "." > /opt/etc/squid/blocklist; D+ D R; R7 D; s/ s' n7 F
/opt/etc/init.d/S80squid restart
1 P7 b% z. H( y8 H- M2 ?. h6 NFor further details of filtering URLs using squid, please refer to the excelent documentation of the squid cache project. |
|
|Archiver|手机版|小黑屋|吹友吧
( 京ICP备05078561号 )
狗仔卡
发表于 2011-9-19 21:00
提升卡
变色卡
显身卡