Signed-off-by: GrayYip <yjr0...@hotmail.com> --- net/shadowsocks-client/Makefile | 39 --- net/shadowsocks-client/files/sslocal.config | 7 - net/shadowsocks-client/files/sslocal.init | 52 ---- net/shadowsocks-libev/Makefile | 62 ++-- net/shadowsocks-libev/files/firewall.include | 6 - .../files/shadowsocks-libev.config | 15 - net/shadowsocks-libev/files/shadowsocks-libev.init | 306 +++++++++++-------- net/shadowsocks-libev/files/ss-rules | 323 ++++++++++++--------- net/shadowsocks-libev/files/ss-rules-without-ipset | 245 ++++++++++++++++ 9 files changed, 635 insertions(+), 420 deletions(-) delete mode 100644 net/shadowsocks-client/Makefile delete mode 100644 net/shadowsocks-client/files/sslocal.config delete mode 100755 net/shadowsocks-client/files/sslocal.init delete mode 100644 net/shadowsocks-libev/files/firewall.include delete mode 100644 net/shadowsocks-libev/files/shadowsocks-libev.config create mode 100644 net/shadowsocks-libev/files/ss-rules-without-ipset
diff --git a/net/shadowsocks-client/Makefile b/net/shadowsocks-client/Makefile
deleted file mode 100644
index 3e8c9be2..00000000
--- a/net/shadowsocks-client/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=shadowsocks-client
-PKG_VERSION:=0.6
-PKG_RELEASE=$(PKG_SOURCE_VERSION)
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/zhao-gang/shadowsocks-tiny.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=b59d754f838213d60b908aed0b7d4d5a81f273e2
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MAINTAINER:=Zhao, Gang <gang.zhao...@gmail.com>
-
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=COPYING
-
-PKG_BUILD_PARALLEL:=1
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/shadowsocks-client
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Web Servers/Proxies
- TITLE:=shadowsocks client for router
- URL:=https://github.com/zhao-gang/shadowsocks-tiny
- DEPENDS:=+libopenssl
-endef
-
-define Package/shadowsocks-client/install
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/sslocal $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DATA) ./files/sslocal.config $(1)/etc/config/sslocal
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/sslocal.init $(1)/etc/init.d/sslocal
-endef
-
-$(eval $(call BuildPackage,shadowsocks-client))
diff --git a/net/shadowsocks-client/files/sslocal.config b/net/shadowsocks-client/files/sslocal.config
deleted file mode 100644
index 28dc261a..00000000
--- a/net/shadowsocks-client/files/sslocal.config
+++ /dev/null
@@ -1,7 +0,0 @@
-config sslocal
- option server_addr ''
- option server_port ''
- option local_addr ''
- option local_port ''
- option password ''
- option method ''
diff --git a/net/shadowsocks-client/files/sslocal.init b/net/shadowsocks-client/files/sslocal.init
deleted file mode 100755
index ac845e5f..00000000
--- a/net/shadowsocks-client/files/sslocal.init
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2012 OpenWrt.org
-# Copyright (C) 2014 Zhao, Gang <gang.zhao...@gmail.com>
-
-START=99
-
-USE_PROCD=1
-PROG=/usr/bin/sslocal
-
-validate_section_sslocal() {
- uci_validate_section sslocal sslocal "${1}" \
- 'server_addr:host' \
- 'server_port:port' \
- 'local_addr:host' \
- 'local_port:port' \
- 'password:string' \
- 'method:string' \
- 'log_level:range(0,7):5'
-
- return $?
-}
-
-sslocal_instance() {
- local server_addr server_port local_addr local_port
- local password method log_level
-
- validate_section_sslocal "${1}" || {
- echo "validation failed"
- return 1
- }
-
- procd_open_instance
- procd_set_param command "$PROG"
- procd_append_param command -s "${server_addr}" -p "${server_port}"
- procd_append_param command -u "${local_addr}" -b "${local_port}"
- procd_append_param command -k "${password}" -m "${method}"
- procd_append_param command -l "${log_level}"
- procd_set_param respawn
- procd_close_instance
-}
-
-start_service() {
- config_load sslocal
-
- config_foreach sslocal_instance sslocal
-}
-
-service_triggers()
-{
- procd_add_reload_trigger "sslocal"
- procd_add_validation validate_section_sslocal
-}
diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
index 8b512324..2ce6b8af 100644
--- a/net/shadowsocks-libev/Makefile
+++ b/net/shadowsocks-libev/Makefile
@@ -1,8 +1,7 @@
 #
-# Copyright (C) 2015 OpenWrt.org
-# Copyright (C) 2017 Yousong Zhou <yszhou4t...@gmail.com>
+# Copyright (C) 2014-2017 Jian Chang <aa65...@live.com>
 #
-# This is free software, licensed under the GNU General Public License v2.
+# This is free software, licensed under the GNU General Public License v3.
 # See /LICENSE for more information.
 #
@@ -12,13 +11,17 @@ PKG_NAME:=shadowsocks-libev
 PKG_VERSION:=3.0.6
 PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
-PKG_HASH:=7d9b43b0235a57c115bfe160efd54abef96bffcbfff61c5496e7c2800f0734ca
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+PKG_SOURCE_VERSION:=bc96aed3b0e800f18cf7fc54272e48a22160a554
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
 
-PKG_MAINTAINER:=Jian Chang <aa65...@live.com>
-PKG_LICENSE:=GPLv2
+PKG_LICENSE:=GPLv3
 PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Jian Chang <aa65...@live.com>
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)/$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
 
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
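Review bot: Removing `PKG_HASH` along with the release tarball leaves the fetched source with no buildsystem checksum; `PKG_SOURCE_VERSION` pins the tree when the git clone is made, but the `PKG_SOURCE` tarball served from a download mirror is no longer verified at all. Add `PKG_MIRROR_HASH:=<sha256-of-mirror-tarball>` (placeholder) next to `PKG_SOURCE_VERSION` so mirror downloads are checked, and confirm that commit `bc96aed3b0e800f18cf7fc54272e48a22160a554` really is the 3.0.6 release named by `PKG_VERSION`, which the hunk alone cannot show. `PKG_BUILD_DIR` also interpolates `$(BUILD_VARIANT)`, and nothing in the visible hunks sets a `VARIANT` for either package, so the path will carry an empty component; either drop that element or set `VARIANT:=` in the package definitions.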
@@ -27,48 +30,37 @@ PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk -define Package/shadowsocks-libev +define Package/shadowsocks-libev/Default SECTION:=net CATEGORY:=Network TITLE:=Lightweight Secured Socks5 Proxy URL:=https://github.com/shadowsocks/shadowsocks-libev - DEPENDS:=+libev +libmbedtls +libpthread +libsodium +libudns \ - +ipset +ip +iptables-mod-tproxy +libpcre +zlib + DEPENDS:=+libev +libudns +libpcre +libpthread +libsodium +libmbedtls +iptables-mod-tproxy +ipset endef +Package/shadowsocks-libev = $(Package/shadowsocks-libev/Default) +Package/shadowsocks-libev-server = $(Package/shadowsocks-libev/Default) + define Package/shadowsocks-libev/description Shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes. endef -define Package/shadowsocks-libev/conffiles -/etc/config/shadowsocks-libev -endef +Package/shadowsocks-libev-server/description = $(Package/shadowsocks-libev/description) -define Package/shadowsocks-libev/postinst -#!/bin/sh -uci -q batch <<-EOF >/dev/null - delete firewall.shadowsocks_libev - set firewall.shadowsocks_libev=include - set firewall.shadowsocks_libev.type=script - set firewall.shadowsocks_libev.path=/usr/share/shadowsocks-libev/firewall.include - set firewall.shadowsocks_libev.reload=1 - commit firewall -EOF -exit 0 -endef +CONFIGURE_ARGS += --disable-ssp --disable-documentation --disable-assert define Package/shadowsocks-libev/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin - $(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin - $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev - $(INSTALL_DIR) $(1)/usr/share/shadowsocks-libev - $(INSTALL_DATA) ./files/firewall.include $(1)/usr/share/shadowsocks-libev/firewall.include + $(INSTALL_BIN) 
./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{local,redir,tunnel} $(1)/usr/bin + $(INSTALL_BIN) ./files/ss-{rules,rules-without-ipset} $(1)/usr/bin endef -CONFIGURE_ARGS += --disable-documentation +define Package/shadowsocks-libev-server/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-server $(1)/usr/bin +endef $(eval $(call BuildPackage,shadowsocks-libev)) +$(eval $(call BuildPackage,shadowsocks-libev-server)) diff --git a/net/shadowsocks-libev/files/firewall.include b/net/shadowsocks-libev/files/firewall.include deleted file mode 100644 index 3a00e802..00000000 --- a/net/shadowsocks-libev/files/firewall.include +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -if pidof ss-redir>/dev/null; then - /etc/init.d/shadowsocks-libev rules - logger -t ShadowSocks-libev "Reloading ShadowSocks-libev due to restart of firewall" -fi diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.config b/net/shadowsocks-libev/files/shadowsocks-libev.config deleted file mode 100644 index 95aec7b2..00000000 --- a/net/shadowsocks-libev/files/shadowsocks-libev.config +++ /dev/null @@ -1,15 +0,0 @@ - -config shadowsocks-libev - option enable '1' - option server '127.0.0.1' - option server_port '8388' - option local_port '1080' - option password 'barfoo!' - option timeout '60' - option encrypt_method 'rc4-md5' - option ignore_list '/dev/null' - option udp_mode '0' - option tunnel_enable '1' - option tunnel_port '5300' - option tunnel_forward '8.8.4.4:53' - option lan_ac_mode '0' diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init index 9a64038a..b73c8566 100644 --- a/net/shadowsocks-libev/files/shadowsocks-libev.init +++ b/net/shadowsocks-libev/files/shadowsocks-libev.init 
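Review bot: The deleted `postinst` was the only code registering a firewall include, and the new install recipe adds nothing in its place, yet the shipped `ss-rules` only persists its chains when `uci get firewall.shadowsocks.path` returns a path (see `flush_rules`/`export_ipt_rules` in that file); after any firewall reload the redirect rules are gone unless some other package creates that uci section. Either restore a `postinst` that sets `firewall.shadowsocks.path`, or document in the package description that the companion UCI package is expected to provide it. The package likewise no longer installs `/etc/config/shadowsocks` and has no `conffiles` section even though the init script reads every setting from that UCI config, so a bare install has no usable configuration. `DEPENDS` still hard-requires `+ipset` although `ss-rules-without-ipset` is now shipped precisely for hosts without it; consider moving `+ipset` to a recommended or variant dependency.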
@@ -1,156 +1,212 @@ #!/bin/sh /etc/rc.common +# +# Copyright (C) 2014-2017 Jian Chang <aa65...@live.com> +# +# This is free software, licensed under the GNU General Public License v3. +# See /LICENSE for more information. +# START=90 STOP=15 -SERVICE_USE_PID=1 -SERVICE_WRITE_PID=1 -SERVICE_DAEMONIZE=1 -EXTRA_COMMANDS="rules" -CONFIG_FILE=/var/etc/shadowsocks-libev.json - -get_config() { - config_get_bool enable $1 enable - config_get server $1 server - config_get server_port $1 server_port - config_get local_port $1 local_port - config_get timeout $1 timeout - config_get password $1 password - config_get encrypt_method $1 encrypt_method - config_get ignore_list $1 ignore_list - config_get udp_mode $1 udp_mode - config_get udp_server $1 udp_server - config_get udp_server_port $1 udp_server_port - config_get udp_local_port $1 udp_local_port - config_get udp_timeout $1 udp_timeout - config_get udp_password $1 udp_password - config_get udp_encrypt_method $1 udp_encrypt_method - config_get_bool tunnel_enable $1 tunnel_enable - config_get tunnel_port $1 tunnel_port - config_get tunnel_forward $1 tunnel_forward - config_get lan_ac_mode $1 lan_ac_mode - config_get lan_ac_ip $1 lan_ac_ip - config_get wan_bp_ip $1 wan_bp_ip - config_get wan_fw_ip $1 wan_fw_ip - config_get ipt_ext $1 ipt_ext - : ${timeout:=60} - : ${udp_timeout:=60} - : ${tunnel_port:=5300} - : ${tunnel_forward:=8.8.4.4:53} +NAME=shadowsocks +EXTRA_COMMANDS=rules + +uci_get_by_name() { + local ret=$(uci get $NAME.$1.$2 2>/dev/null) + echo ${ret:=$3} } -start_rules() { - local ac_args - - if [ -n "$lan_ac_ip" ]; then - case $lan_ac_mode in - 1) ac_args="w$lan_ac_ip" - ;; - 2) ac_args="b$lan_ac_ip" - ;; - esac +uci_get_by_type() { + local ret=$(uci get $NAME.@$1[0].$2 2>/dev/null) + echo ${ret:=$3} +} + +uci_bool_by_name() { + case "$(uci_get_by_name $1 $2)" in + 1|on|true|yes|enabled) return 0;; + esac + return 1 +} + +validate_server() { + [ "$(uci get $NAME.$1 2>/dev/null)" = "servers" ] +} + 
+has_valid_server() { + for server in $@; do + validate_server $server && return 0 + done + return 1 +} + +get_arg_udp() { + local server=$(uci_get_by_type transparent_proxy udp_relay_server) + [ "$server" = "same" ] || validate_server $server && echo "-u" +} + +get_arg_out() { + case "$(uci_get_by_type access_control self_proxy 1)" in + 1) echo "-o";; + 2) echo "-O";; + esac +} + +get_arg_tfo() { + if [ "3" = "$(cat /proc/sys/net/ipv4/tcp_fastopen 2>/dev/null)" ]; then + uci_bool_by_name $1 fast_open && echo "--fast-open" fi - /usr/bin/ss-rules \ - -s "$server" \ - -l "$local_port" \ - -S "$udp_server" \ - -L "$udp_local_port" \ - -i "$ignore_list" \ - -a "$ac_args" \ - -b "$wan_bp_ip" \ - -w "$wan_fw_ip" \ - -e "$ipt_ext" \ - -o $udp - return $? } -start_redir() { - cat <<-EOF >$CONFIG_FILE +get_server_ips() { + echo $(uci_get_by_name $1 server) +} + +get_lan_hosts() { + uci_bool_by_name $1 enable && \ + echo "$(uci_get_by_name $1 type),$(uci_get_by_name $1 host)" +} + +get_plugin_config() { + local plugin=$(uci_get_by_name $1 plugin) + local plugin_opts=$(uci_get_by_name $1 plugin_opts) + if [ -n "$plugin" -a -n "$plugin_opts" ]; then + echo $plugin >>/var/run/ss-plugin + echo " + \"plugin\": \"$plugin\", + \"plugin_opts\": \"$plugin_opts\"," + fi +} + +get_crypto_config() { + local key=$(uci_get_by_name $1 key) + local password=$(uci_get_by_name $1 password) + if [ -n "$key" ]; then + echo "\"key\": \"$key\"," + elif [ -n "$password" ]; then + echo "\"password\": \"$password\"," + else + logger -st $NAME -p3 "The password or key is not set." 
+ fi +} + +gen_config_file() { + local config_file=/var/etc/$NAME.$1.json + cat <<-EOF >$config_file { - "server": "$server", - "server_port": $server_port, - "local_address": "0.0.0.0", - "local_port": $local_port, - "password": "$password", - "timeout": $timeout, - "method": "$encrypt_method" + "server": "$(uci_get_by_name $1 server)", + "server_port": $(uci_get_by_name $1 server_port), + $(get_crypto_config $1) + "method": "$(uci_get_by_name $1 encrypt_method)", + "local_address": "0.0.0.0",$(get_plugin_config $1) + "timeout": $(uci_get_by_name $1 timeout 60), + "reuse_port": true } EOF - if [ "$udp_mode" = 2 ]; then - /usr/bin/ss-redir \ - -c $CONFIG_FILE \ - -f /var/run/ss-redir_t.pid - cat <<-EOF >$CONFIG_FILE - { - "server": "$udp_server", - "server_port": $udp_server_port, - "local_address": "0.0.0.0", - "local_port": $udp_local_port, - "password": "$udp_password", - "timeout": $udp_timeout, - "method": "$udp_encrypt_method" - } -EOF - fi - /usr/bin/ss-redir \ - -c $CONFIG_FILE \ - -f /var/run/ss-redir.pid \ - $udp - return $? + echo $config_file } -start_tunnel() { - : ${udp:="-u"} - /usr/bin/ss-tunnel \ - -c $CONFIG_FILE \ - -l $tunnel_port \ - -L $tunnel_forward \ - -f /var/run/ss-tunnel.pid \ - $udp - return $? 
+start_rules() { + config_load $NAME + /usr/bin/ss-rules \ + -s "$(config_foreach get_server_ips servers)" \ + -l "$(uci_get_by_type transparent_proxy local_port 1234)" \ + -B "$(uci_get_by_type access_control wan_bp_list)" \ + -b "$(uci_get_by_type access_control wan_bp_ips)" \ + -W "$(uci_get_by_type access_control wan_fw_list)" \ + -w "$(uci_get_by_type access_control wan_fw_ips)" \ + -I "$(uci_get_by_type access_control lan_ifaces)" \ + -d "$(uci_get_by_type access_control lan_target)" \ + -a "$(config_foreach get_lan_hosts lan_hosts)" \ + -e "$(uci_get_by_type access_control ipt_ext)" \ + $(get_arg_out) $(get_arg_udp) } rules() { - config_load shadowsocks-libev - config_foreach get_config shadowsocks-libev - [ "$enable" = 1 ] || exit 0 - mkdir -p /var/run /var/etc + pidof ss-redir >/dev/null || return 0 + start_rules || /usr/bin/ss-rules -f +} - : ${server:?} - : ${server_port:?} - : ${local_port:?} - : ${password:?} - : ${encrypt_method:?} - case $udp_mode in - 1) udp="-u" - ;; - 2) - udp="-U" - : ${udp_server:?} - : ${udp_server_port:?} - : ${udp_local_port:?} - : ${udp_password:?} - : ${udp_encrypt_method:?} - ;; - esac +start_redir() { + validate_server $1 || return 0 + ss-redir -c $(gen_config_file $1) $2 $(get_arg_tfo $1) \ + -l $(uci_get_by_type transparent_proxy local_port 1234) \ + --mtu $(uci_get_by_type transparent_proxy mtu 1492) \ + -f /var/run/ss-redir$3-$1.pid +} - start_rules +ss_redir() { + command -v ss-redir >/dev/null 2>&1 || return 1 + local main_server=$(uci_get_by_type transparent_proxy main_server) + has_valid_server $main_server || return 1 + local udp_relay_server=$(uci_get_by_type transparent_proxy udp_relay_server) + if [ "$udp_relay_server" = "same" ]; then + for server in $main_server; do + start_redir $server -u + done + else + for server in $main_server; do + start_redir $server + done + for server in $udp_relay_server; do + start_redir $server -U -udp + done + fi } -boot() { - until iptables-save -t nat | grep -q 
"^:zone_lan_prerouting"; do - sleep 1 +start_local() { + validate_server $1 || return 0 + ss-local -c $(gen_config_file $1) -u $(get_arg_tfo $1) \ + -l $(uci_get_by_type socks5_proxy local_port 1080) \ + --mtu $(uci_get_by_type socks5_proxy mtu 1492) \ + -f /var/run/ss-local-$1.pid +} + +ss_local() { + command -v ss-local >/dev/null 2>&1 || return 0 + for server in $(uci_get_by_type socks5_proxy server); do + start_local $server + done +} + +start_tunnel() { + validate_server $1 || return 0 + ss-tunnel -c $(gen_config_file $1) -u \ + -l $(uci_get_by_type port_forward local_port 5300) \ + -L $(uci_get_by_type port_forward destination 8.8.4.4:53) \ + --mtu $(uci_get_by_type port_forward mtu 1492) \ + -f /var/run/ss-tunnel-$1.pid +} + +ss_tunnel() { + command -v ss-tunnel >/dev/null 2>&1 || return 0 + for server in $(uci_get_by_type port_forward server); do + start_tunnel $server done - start } start() { - rules && start_redir - [ "$tunnel_enable" = 1 ] && start_tunnel + mkdir -p /var/run /var/etc + ss_redir && rules + ss_local + ss_tunnel +} + +boot() { + local delay=$(uci_get_by_type general startup_delay 0) + (sleep $delay && start >/dev/null 2>&1) & + return 0 +} + +kill_all() { + kill -9 $(pidof $@) >/dev/null 2>&1 } stop() { /usr/bin/ss-rules -f - killall -q -9 ss-redir - killall -q -9 ss-tunnel + kill_all ss-redir ss-local ss-tunnel + if [ -f /var/run/ss-plugin ]; then + kill_all $(sort -u /var/run/ss-plugin) + rm -f /var/run/ss-plugin + fi } diff --git a/net/shadowsocks-libev/files/ss-rules b/net/shadowsocks-libev/files/ss-rules index 8ce1000c..8bd7264a 100644 --- a/net/shadowsocks-libev/files/ss-rules +++ b/net/shadowsocks-libev/files/ss-rules @@ -1,4 +1,10 @@ #!/bin/sh +# +# Copyright (C) 2014-2017 Jian Chang <aa65...@live.com> +# +# This is free software, licensed under the GNU General Public License v3. +# See /LICENSE for more information. +# usage() { cat <<-EOF 
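Review bot: `gen_config_file` writes the server `password` or `key` into `/var/etc/$NAME.$1.json` through a plain `cat >` redirection, so unless the boot environment sets a restrictive umask the credential is readable by every local user; add `chmod 600 $config_file` right after the heredoc (or `umask 077` at the top of `start`). `get_crypto_config` only logs when neither value is set, after which `gen_config_file` still emits the file and `start_redir`/`start_local`/`start_tunnel` launch the daemon against a config with no credential; returning 1 from `get_crypto_config`, propagating it from `gen_config_file`, and checking it before the `ss-*` call (`local cfg; cfg=$(gen_config_file $1) || return 1`) would stop that. The uci values are interpolated into the JSON unescaped, so a password containing `"` or `\` yields an unparsable file; this predates the commit, but the new `key` and `plugin_opts` fields widen it. `kill_all $(sort -u /var/run/ss-plugin)` in `stop` sends SIGKILL to every process sharing the plugin's basename, not only the ones this service started.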
@@ -6,20 +12,28 @@ usage() { Valid options are: - -s <server_host> hostname or ip of shadowsocks remote server + -s <server_ips> ip address of shadowsocks remote server -l <local_port> port number of shadowsocks local server - -i <ip_list_file> a file content is bypassed ip list - -a <lan_ips> lan ip of access control, need a prefix to - define access control mode + -S <server_ips> ip address of shadowsocks remote UDP server + -L <local_port> port number of shadowsocks local UDP server + -B <ip_list_file> a file whose content is bypassed ip list -b <wan_ips> wan ip of will be bypassed + -W <ip_list_file> a file whose content is forwarded ip list -w <wan_ips> wan ip of will be forwarded - -e <extra_options> extra options for iptables + -I <interface> proxy only for the given interface + -d <target> the default target of lan access control + -a <lan_hosts> lan ip of access control, need a prefix to + define proxy type + -e <extra_args> extra arguments for iptables -o apply the rules to the OUTPUT chain + -O apply the global rules to the OUTPUT chain -u enable udprelay mode, TPROXY is required -U enable udprelay mode, using different IP and ports for TCP and UDP -f flush the rules + -h show this help message and exit EOF + exit $1 } loger() { 
@@ -27,135 +41,192 @@ loger() { logger -st ss-rules[$$] -p$1 $2 } -ipt_n="iptables -t nat" -ipt_m="iptables -t mangle" - -flush_r() { - local IPT - - IPT=$(iptables-save -t nat) - eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \ - sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/') - - for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do - $ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1} - done - - IPT=$(iptables-save -t mangle) - eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \ - sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/') - - for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do - $ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1} +flush_rules() { + iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c + if command -v ip >/dev/null 2>&1; then + ip rule del fwmark 1 lookup 100 2>/dev/null + ip route del local default dev lo table 100 2>/dev/null + fi + for setname in $(ipset -n list | grep "ss_spec"); do + ipset destroy $setname 2>/dev/null done - - ip rule del fwmark 0x01/0x01 table 100 2>/dev/null - ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null - ipset -X ss_spec_lan_ac 2>/dev/null - ipset -X ss_spec_wan_ac 2>/dev/null + FWI=$(uci get firewall.shadowsocks.path 2>/dev/null) + [ -n "$FWI" ] && echo '# firewall include file' >$FWI return 0 } -ipset_r() { - ipset -! -R <<-EOF || return 1 - create ss_spec_wan_ac hash:net - $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /") - $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done) +ipset_init() { + ipset -! 
restore <<-EOF || return 1 + create ss_spec_src_ac hash:ip hashsize 64 + create ss_spec_src_bp hash:ip hashsize 64 + create ss_spec_src_fw hash:ip hashsize 64 + create ss_spec_dst_sp hash:net hashsize 64 + create ss_spec_dst_bp hash:net hashsize 64 + create ss_spec_dst_fw hash:net hashsize 64 + $(gen_lan_host_ipset_entry) + $(gen_special_purpose_ip | sed -e "s/^/add ss_spec_dst_sp /") + $(sed -e "s/^/add ss_spec_dst_bp /" ${WAN_BP_LIST:=/dev/null} 2>/dev/null) + $(for ip in $WAN_BP_IP; do echo "add ss_spec_dst_bp $ip"; done) + $(sed -e "s/^/add ss_spec_dst_fw /" ${WAN_FW_LIST:=/dev/null} 2>/dev/null) + $(for ip in $WAN_FW_IP; do echo "add ss_spec_dst_fw $ip"; done) EOF - $ipt_n -N SS_SPEC_WAN_AC && \ - $ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \ - $ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW - return $? + return 0 } -fw_rule() { - $ipt_n -N SS_SPEC_WAN_FW && \ - $ipt_n -A SS_SPEC_WAN_FW -p tcp \ - -j REDIRECT --to-ports $local_port 2>/dev/null || { - loger 3 "Can't redirect, please check the iptables." - exit 1 - } +ipt_nat() { + include_ac_rules nat + ipt="iptables -t nat" + $ipt -A SS_SPEC_WAN_FW -p tcp \ + -j REDIRECT --to-ports $local_port || return 1 + if [ -n "$OUTPUT" ]; then + $ipt -N SS_SPEC_WAN_DG + $ipt -A SS_SPEC_WAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN + $ipt -A SS_SPEC_WAN_DG -p tcp $EXT_ARGS -j $OUTPUT + $ipt -I OUTPUT 1 -p tcp -j SS_SPEC_WAN_DG + fi return $? } -ac_rule() { - local TAG ROUTECHAIN - - if [ -n "$LAN_AC_IP" ]; then - if [ "${LAN_AC_IP:0:1}" = "w" ]; then - TAG="nomatch" - else - if [ "${LAN_AC_IP:0:1}" != "b" ]; then - loger 3 "Bad argument \`-a $LAN_AC_IP\`." - return 2 - fi - fi +ipt_mangle() { + [ -n "$TPROXY" ] || return 0 + if !(lsmod | grep -q TPROXY && command -v ip >/dev/null); then + loger 4 "TPROXY or ip not found." 
+ return 0 fi + ip rule add fwmark 1 lookup 100 + ip route add local default dev lo table 100 + include_ac_rules mangle + iptables -t mangle -A SS_SPEC_WAN_FW -p udp \ + -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01 + return $? +} - ROUTECHAIN=PREROUTING - if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then - ROUTECHAIN=zone_lan_prerouting - fi +export_ipt_rules() { + [ -n "$FWI" ] || return 0 + cat <<-CAT >>$FWI + iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c + iptables-restore -n <<-EOF + $(iptables-save | grep -E "SS_SPEC|^\*|^COMMIT" |\ + sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/") + EOF +CAT + return $? +} + +gen_lan_host_ipset_entry() { + for host in $LAN_HOSTS; do + case "${host:0:1}" in + n|N) + echo add ss_spec_src_ac ${host:2} + ;; + b|B) + echo add ss_spec_src_bp ${host:2} + ;; + g|G) + echo add ss_spec_src_fw ${host:2} + ;; + esac + done +} - ipset -! -R <<-EOF || return 1 - create ss_spec_lan_ac hash:net - $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done) +gen_special_purpose_ip() { + cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" + 0.0.0.0/8 + 10.0.0.0/8 + 100.64.0.0/10 + 127.0.0.0/8 + 169.254.0.0/16 + 172.16.0.0/12 + 192.0.0.0/24 + 192.0.2.0/24 + 192.31.196.0/24 + 192.52.193.0/24 + 192.88.99.0/24 + 192.168.0.0/16 + 192.175.48.0/24 + 198.18.0.0/15 + 198.51.100.0/24 + 203.0.113.0/24 + 224.0.0.0/4 + 240.0.0.0/4 + 255.255.255.255 + $server + $SERVER EOF - $ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \ - -m set ! --match-set ss_spec_lan_ac src \ - -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC +} - if [ "$OUTPUT" = 1 ]; then - $ipt_n -A OUTPUT -p tcp $EXT_ARGS \ - -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC - fi - return $? 
+include_ac_rules() { + local protocol=$([ "$1" = "mangle" ] && echo udp || echo tcp) + iptables-restore -n <<-EOF + *$1 + :SS_SPEC_LAN_DG - [0:0] + :SS_SPEC_LAN_AC - [0:0] + :SS_SPEC_WAN_AC - [0:0] + :SS_SPEC_WAN_FW - [0:0] + -A SS_SPEC_LAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN + -A SS_SPEC_LAN_DG -p $protocol $EXT_ARGS -j SS_SPEC_LAN_AC + -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_bp src -j RETURN + -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_fw src -j SS_SPEC_WAN_FW + -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_ac src -j SS_SPEC_WAN_AC + -A SS_SPEC_LAN_AC -j ${LAN_TARGET:=SS_SPEC_WAN_AC} + -A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_fw dst -j SS_SPEC_WAN_FW + -A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_bp dst -j RETURN + -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW + $(gen_prerouting_rules $protocol) + COMMIT +EOF } -tp_rule() { - [ -n "$TPROXY" ] || return 0 - ip rule add fwmark 0x01/0x01 table 100 - ip route add local 0.0.0.0/0 dev lo table 100 - $ipt_m -N SS_SPEC_TPROXY - $ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \ - -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01 - $ipt_m -A PREROUTING -p udp $EXT_ARGS \ - -m set ! --match-set ss_spec_lan_ac src \ - -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY - return $? 
+gen_prerouting_rules() { + [ -z "$IFNAMES" ] && echo -I PREROUTING 1 -p $1 -j SS_SPEC_LAN_DG + for ifname in $IFNAMES; do + echo -I PREROUTING 1 -i $ifname -p $1 -j SS_SPEC_LAN_DG + done } -while getopts ":s:l:S:L:i:e:a:b:w:ouUf" arg; do - case $arg in +while getopts ":s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh" arg; do + case "$arg" in s) - server=$OPTARG + server=$(for ip in $OPTARG; do echo $ip; done) ;; l) local_port=$OPTARG ;; S) - SERVER=$OPTARG + SERVER=$(for ip in $OPTARG; do echo $ip; done) ;; L) LOCAL_PORT=$OPTARG ;; - i) - IGNORE=$OPTARG - ;; - e) - EXT_ARGS=$OPTARG - ;; - a) - LAN_AC_IP=$OPTARG + B) + WAN_BP_LIST=$OPTARG ;; b) - WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done) + WAN_BP_IP=$OPTARG + ;; + W) + WAN_FW_LIST=$OPTARG ;; w) WAN_FW_IP=$OPTARG ;; + I) + IFNAMES=$OPTARG + ;; + d) + LAN_TARGET=$OPTARG + ;; + a) + LAN_HOSTS=$OPTARG + ;; + e) + EXT_ARGS=$OPTARG + ;; o) - OUTPUT=1 + OUTPUT=SS_SPEC_WAN_AC + ;; + O) + OUTPUT=SS_SPEC_WAN_FW ;; u) TPROXY=1 
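Review bot: `ipt_mangle` installs the policy rule as `ip rule add fwmark 1 lookup 100` while the TPROXY target still marks with `--tproxy-mark 0x01/0x01`; the removed code matched `fwmark 0x01/0x01`, and without the mask a packet that also carries other mark bits (set by any other fwmark user on the box) no longer selects table 100, so TPROXY'd UDP is not delivered locally. Use `ip rule add fwmark 0x1/0x1 lookup 100` in `ipt_mangle` and the matching `ip rule del fwmark 0x1/0x1 lookup 100 2>/dev/null` in `flush_rules`; the same two lines are duplicated in `ss-rules-without-ipset`. `flush_rules` also rewrites every table with `iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c`, which silently drops any foreign rule whose text happens to contain that string; matching the chain-name prefix `SS_SPEC_` at least narrows it. `gen_special_purpose_ip` quietly filters out a non-numeric `-s` value, so if the caller passes a hostname the server is not excluded from the `-o`/`-O` OUTPUT redirect; logging with `loger 3` when `$server` filters to nothing would surface that misconfiguration.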
@@ -164,56 +235,26 @@ while getopts ":s:l:S:L:i:e:a:b:w:ouUf" arg; do TPROXY=2 ;; f) - flush_r + flush_rules exit 0 ;; + h) + usage 0 + ;; esac done -if [ -z "$server" -o -z "$local_port" ]; then - usage - exit 2 -fi +[ -z "$server" -o -z "$local_port" ] && usage 2 if [ "$TPROXY" = 1 ]; then - SERVER=$server + unset SERVER LOCAL_PORT=$local_port +elif [ "$TPROXY" = 2 ]; then + : ${SERVER:?"You must assign an ip for the udp relay server."} + : ${LOCAL_PORT:?"You must assign a port for the udp relay server."} fi -if [ "$TPROXY" = 2 ]; then - if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then - loger 3 "Please use -S and -L specifies IP and port for UDP." - fi -fi - -if [ -f "$IGNORE" ]; then - IGNORE_IP=$(cat $IGNORE 2>/dev/null) -fi - -IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" - $server - $SERVER - 0.0.0.0/8 - 10.0.0.0/8 - 100.64.0.0/10 - 127.0.0.0/8 - 169.254.0.0/16 - 172.16.0.0/12 - 192.0.0.0/24 - 192.0.2.0/24 - 192.88.99.0/24 - 192.168.0.0/16 - 198.18.0.0/15 - 198.51.100.0/24 - 203.0.113.0/24 - 224.0.0.0/4 - 240.0.0.0/4 - 255.255.255.255 - $WAN_BP_IP - $IGNORE_IP -EOF -) - -flush_r && fw_rule && ipset_r && ac_rule && tp_rule - -exit $? +flush_rules && ipset_init && ipt_nat && ipt_mangle && export_ipt_rules +RET=$? +[ "$RET" = 0 ] || loger 3 "Start failed!" +exit $RET diff --git a/net/shadowsocks-libev/files/ss-rules-without-ipset b/net/shadowsocks-libev/files/ss-rules-without-ipset new file mode 100644 index 00000000..df35ee65 --- /dev/null +++ b/net/shadowsocks-libev/files/ss-rules-without-ipset 
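Review bot: The `case` in the option loop has no `\?` or `:` branch, and because the optstring starts with `:` `getopts` reports errors silently, so an unknown option or a missing argument (for example `-l` with no port) is skipped and the script carries on with whatever was parsed; add `\?|:) usage 2;;` before `esac`. The `while getopts` line itself is in the previous hunk, and the same loop is duplicated in `ss-rules-without-ipset`. When the `flush_rules && ipset_init && ipt_nat && ipt_mangle && export_ipt_rules` chain fails part-way, the chains already committed stay in place and only `Start failed!` is logged; the init script's `rules()` flushes on failure, but a direct invocation does not, so calling `flush_rules` on a non-zero `RET` and naming the failed stage in the log would be safer.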
@@ -0,0 +1,245 @@ +#!/bin/sh +# +# Copyright (C) 2016-2017 Jian Chang <aa65...@live.com> +# +# This is free software, licensed under the GNU General Public License v3. +# See /LICENSE for more information. +# + +# Warning: This script will be slow! + +usage() { + cat <<-EOF + Usage: ss-rules [options] + + Valid options are: + + -s <server_ips> ip address of shadowsocks remote server + -l <local_port> port number of shadowsocks local server + -S <server_ips> ip address of shadowsocks remote UDP server + -L <local_port> port number of shadowsocks local UDP server + -B <ip_list_file> a file whose content is bypassed ip list + -b <wan_ips> wan ip of will be bypassed + -W <ip_list_file> a file whose content is forwarded ip list + -w <wan_ips> wan ip of will be forwarded + -I <interface> proxy only for the given interface + -d <target> the default target of lan access control + -a <lan_hosts> lan ip of access control, need a prefix to + define proxy type + -e <extra_args> extra arguments for iptables + -o apply the rules to the OUTPUT chain + -O apply the global rules to the OUTPUT chain + -u enable udprelay mode, TPROXY is required + -U enable udprelay mode, using different IP + and ports for TCP and UDP + -f flush the rules + -h show this help message and exit +EOF + exit $1 +} + +loger() { + # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug + logger -st ss-rules[$$] -p$1 $2 +} + +flush_rules() { + iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c + if command -v ip >/dev/null 2>&1; then + ip rule del fwmark 1 lookup 100 2>/dev/null + ip route del local default dev lo table 100 2>/dev/null + fi + FWI=$(uci get firewall.shadowsocks.path 2>/dev/null) + [ -n "$FWI" ] && echo '# firewall include file' >$FWI + return 0 +} + +ipt_nat() { + include_ac_rules nat + ipt="iptables -t nat" + $ipt -A SS_SPEC_WAN_FW -p tcp \ + -j REDIRECT --to-ports $local_port || return 1 + if [ -n "$OUTPUT" ]; then + iptables-restore -n <<-EOF + *nat + :SS_SPEC_WAN_DG - [0:0] + 
$(gen_special_purpose_ip | sed -e "s/\(.*\)/-A SS_SPEC_WAN_DG -d \1 -j RETURN/") + -A SS_SPEC_WAN_DG -p tcp $EXT_ARGS -j $OUTPUT + -I OUTPUT 1 -p tcp -j SS_SPEC_WAN_DG + COMMIT +EOF + fi + return $? +} + +ipt_mangle() { + [ -n "$TPROXY" ] || return 0 + if !(lsmod | grep -q TPROXY && command -v ip >/dev/null); then + loger 4 "TPROXY or ip not found." + return 0 + fi + ip rule add fwmark 1 lookup 100 + ip route add local default dev lo table 100 + include_ac_rules mangle + iptables -t mangle -A SS_SPEC_WAN_FW -p udp \ + -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01 + return $? +} + +export_ipt_rules() { + [ -n "$FWI" ] || return 0 + cat <<-CAT >>$FWI + iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c + iptables-restore -n <<-EOF + $(iptables-save | grep -E "SS_SPEC|^\*|^COMMIT" |\ + sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/") + EOF +CAT + return $? +} + +gen_lan_host_ipt_entry() { + for host in $LAN_HOSTS; do + case "${host:0:1}" in + n|N) + echo "3-A SS_SPEC_LAN_AC -s ${host:2} -j SS_SPEC_WAN_AC" + ;; + b|B) + echo "1-A SS_SPEC_LAN_AC -s ${host:2} -j RETURN" + ;; + g|G) + echo "2-A SS_SPEC_LAN_AC -s ${host:2} -j SS_SPEC_WAN_FW" + ;; + esac + done +} + +gen_special_purpose_ip() { + cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" + 0.0.0.0/8 + 10.0.0.0/8 + 100.64.0.0/10 + 127.0.0.0/8 + 169.254.0.0/16 + 172.16.0.0/12 + 192.0.0.0/24 + 192.0.2.0/24 + 192.31.196.0/24 + 192.52.193.0/24 + 192.88.99.0/24 + 192.168.0.0/16 + 192.175.48.0/24 + 198.18.0.0/15 + 198.51.100.0/24 + 203.0.113.0/24 + 224.0.0.0/4 + 240.0.0.0/4 + 255.255.255.255 + $server + $SERVER +EOF +} + +include_ac_rules() { + local protocol=$([ "$1" = "mangle" ] && echo udp || echo tcp) + iptables-restore -n <<-EOF + *$1 + :SS_SPEC_LAN_DG - [0:0] + :SS_SPEC_LAN_AC - [0:0] + :SS_SPEC_WAN_AC - [0:0] + :SS_SPEC_WAN_FW - [0:0] + $(gen_special_purpose_ip | sed -e "s/\(.*\)/-A SS_SPEC_LAN_DG -d \1 -j RETURN/") + -A SS_SPEC_LAN_DG -p $protocol $EXT_ARGS -j SS_SPEC_LAN_AC + 
$(gen_lan_host_ipt_entry | sort | sed -e s/^.//) + -A SS_SPEC_LAN_AC -j ${LAN_TARGET:=SS_SPEC_WAN_AC} + $(sed -e "s/\(.*\)/-A SS_SPEC_WAN_AC -d \1 -j SS_SPEC_WAN_FW/" ${WAN_FW_LIST:=/dev/null} 2>/dev/null) + $(for ip in $WAN_FW_IP; do echo "-A SS_SPEC_WAN_AC -d $ip -j SS_SPEC_WAN_FW"; done) + $(sed -e "s/\(.*\)/-A SS_SPEC_WAN_AC -d \1 -j RETURN/" ${WAN_BP_LIST:=/dev/null} 2>/dev/null) + $(for ip in $WAN_BP_IP; do echo "-A SS_SPEC_WAN_AC -d $ip -j RETURN"; done) + -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW + $(gen_prerouting_rules $protocol) + COMMIT +EOF +} + +gen_prerouting_rules() { + [ -z "$IFNAMES" ] && echo -I PREROUTING 1 -p $1 -j SS_SPEC_LAN_DG + for ifname in $IFNAMES; do + echo -I PREROUTING 1 -i $ifname -p $1 -j SS_SPEC_LAN_DG + done +} + +while getopts ":s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh" arg; do + case "$arg" in + s) + server=$(for ip in $OPTARG; do echo $ip; done) + ;; + l) + local_port=$OPTARG + ;; + S) + SERVER=$(for ip in $OPTARG; do echo $ip; done) + ;; + L) + LOCAL_PORT=$OPTARG + ;; + B) + WAN_BP_LIST=$OPTARG + ;; + b) + WAN_BP_IP=$OPTARG + ;; + W) + WAN_FW_LIST=$OPTARG + ;; + w) + WAN_FW_IP=$OPTARG + ;; + I) + IFNAMES=$OPTARG + ;; + d) + LAN_TARGET=$OPTARG + ;; + a) + LAN_HOSTS=$OPTARG + ;; + e) + EXT_ARGS=$OPTARG + ;; + o) + OUTPUT=SS_SPEC_WAN_AC + ;; + O) + OUTPUT=SS_SPEC_WAN_FW + ;; + u) + TPROXY=1 + ;; + U) + TPROXY=2 + ;; + f) + flush_rules + exit 0 + ;; + h) + usage 0 + ;; + esac +done + +[ -z "$server" -o -z "$local_port" ] && usage 2 + +if [ "$TPROXY" = 1 ]; then + unset SERVER + LOCAL_PORT=$local_port +elif [ "$TPROXY" = 2 ]; then + : ${SERVER:?"You must assign an ip for the udp relay server."} + : ${LOCAL_PORT:?"You must assign a port for the udp relay server."} +fi + +flush_rules && ipt_nat && ipt_mangle && export_ipt_rules +RET=$? +[ "$RET" = 0 ] || loger 3 "Start failed!" +exit $RET -- 2.13.0 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
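Review bot: In `include_ac_rules` the contents of `$WAN_FW_LIST` and `$WAN_BP_LIST` are turned into restore lines with `s/\(.*\)/-A SS_SPEC_WAN_AC -d \1 .../` and no filtering, so a blank, commented or otherwise non-address line in the list file produces a malformed rule and `iptables-restore -n` will likely reject the whole table, leaving no redirect at all; `gen_special_purpose_ip` already filters with `grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"`, and piping each list through the same pattern before the `sed` would make this consistent (the `ipset_init` heredoc in `ss-rules` has the same gap). The file otherwise repeats `usage`, `flush_rules`, `ipt_nat`, `ipt_mangle`, `export_ipt_rules`, `gen_special_purpose_ip`, `gen_prerouting_rules` and the option loop from `ss-rules` verbatim, so fixes made to one will drift from the other; sourcing a shared helper file would avoid that. With this variant every `-o`/`-O` bypass and every list entry becomes its own `-d` rule, so large lists make each OUTPUT packet traverse a long linear chain; the header says the script is slow, but stating that cost in the usage text would help an operator choose between the two scripts.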