LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
26966 Commits
1 Branch
46 MiB
Tree: 864bc0eac6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '864bc0eac6'
${ noResults }
openwrt-packages-dist/net/shadowsocks-libev/files/ss-rules/chain.uc

118 lines
3.1 KiB
Raw Normal View History

shadowsocks-libev: convert to using nft It will be mostly implemented with ucode templates installed at /usr/share/ss-rules and called from init script. The generated nftables rules will be stored at /etc/nftables.d/ Incompatible changes were introduced as described in the README.md file - Netfilter ipset was replaced with nftables sets - UCI options ipt_args and dst_forward_recentrst of section ss_rules are now deprecated. The former does not apply to nftables. The later not yet implemented with nftables. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3 years ago
shadowsocks-libev: add nft_tcp_extra/nft_udp_extra options To add extra statement to tcp/udp forward rule, example: ``` config ss_rules 'ss_rules' ... option nft_tcp_extra 'tcp dport { 80, 443 }' # tcp only forward connections with dport 80 or 443 option nft_udp_extra 'udp dport { 53 }' # udp only forward connections with dport 53 ``` This somewhat restores the old ipt_args functionality. Signed-off-by: Zhong Jianxin <azuwis@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> (Amend README.md a bit)
3 years ago
shadowsocks-libev: convert to using nft It will be mostly implemented with ucode templates installed at /usr/share/ss-rules and called from init script. The generated nftables rules will be stored at /etc/nftables.d/ Incompatible changes were introduced as described in the README.md file - Netfilter ipset was replaced with nftables sets - UCI options ipt_args and dst_forward_recentrst of section ss_rules are now deprecated. The former does not apply to nftables. The later not yet implemented with nftables. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3 years ago
shadowsocks-libev: add nft_tcp_extra/nft_udp_extra options To add extra statement to tcp/udp forward rule, example: ``` config ss_rules 'ss_rules' ... option nft_tcp_extra 'tcp dport { 80, 443 }' # tcp only forward connections with dport 80 or 443 option nft_udp_extra 'udp dport { 53 }' # udp only forward connections with dport 53 ``` This somewhat restores the old ipt_args functionality. Signed-off-by: Zhong Jianxin <azuwis@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> (Amend README.md a bit)
3 years ago
shadowsocks-libev: convert to using nft It will be mostly implemented with ucode templates installed at /usr/share/ss-rules and called from init script. The generated nftables rules will be stored at /etc/nftables.d/ Incompatible changes were introduced as described in the README.md file - Netfilter ipset was replaced with nftables sets - UCI options ipt_args and dst_forward_recentrst of section ss_rules are now deprecated. The former does not apply to nftables. The later not yet implemented with nftables. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3 years ago
 
  1. {%
  2. function get_local_verdict() {
  3. 	let v = o_local_default;
  4. 	if (v == "checkdst") {
  5. 		return "goto ss_rules_dst_" + proto;
  6. 	} else if (v == "forward") {
  7. 		return "goto ss_rules_forward_" + proto;
  8. 	} else {
  9. 		return null;
  10. 	}
  11. }
  12. 

  13. function get_src_default_verdict() {
  14. 	let v = o_src_default;
  15. 	if (v == "checkdst") {
  16. 		return "goto ss_rules_dst_" + proto;
  17. 	} else if (v == "forward") {
  18. 		return "goto ss_rules_forward_" + proto;
  19. 	} else {
  20. 		return "accept";
  21. 	}
  22. }
  23. 

  24. function get_dst_default_verdict() {
  25. 	let v = o_dst_default;
  26. 	if (v == "forward") {
  27. 		return "goto ss_rules_forward_" + proto;
  28. 	} else {
  29. 		return "accept";
  30. 	}
  31. }
  32. 

  33. function get_ifnames() {
  34. 	let res = [];
  35. 	for (let ifname in split(o_ifnames, /[ \t\n]/)) {
  36. 		ifname = trim(ifname);
  37. 		if (ifname) push(res, ifname);
  38. 	}
  39. 	return res;
  40. }
  41. 

  42. let type, hook, priority, redir_port;
  43. if (proto == "tcp") {
  44. 	type = "nat";
  45. 	hook = "prerouting";
  46. 	priority = -1;
  47. 	redir_port = o_redir_tcp_port;
  48. } else if (proto == "udp") {
  49. 	type = "filter";
  50. 	hook = "prerouting";
  51. 	priority = "mangle";
  52. 	redir_port = o_redir_udp_port;
  53. 	if (system("
  54. 		set -o errexit
  55. 		while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
  56. 		      ip rule add fwmark 1 lookup 100
  57. 		ip route flush table 100 2>/dev/null || true
  58. 		ip route add local default dev lo table 100
  59. 	") != 0) {
  60. 		return ;
  61. 	}
  62. } else {
  63. 	return;
  64. }
  65. 

  66. %}
  67. {% if (redir_port): %}
  68. 

  69. chain ss_rules_pre_{{ proto }} {
  70. 	type {{ type }} hook {{ hook }} priority {{ priority }};
  71. 	meta l4proto {{ proto }}{%- let ifnames=get_ifnames(); if (length(ifnames)): %} iifname { {{join(", ", ifnames)}} }{% endif %} goto ss_rules_pre_src_{{ proto }};
  72. }
  73. 

  74. chain ss_rules_pre_src_{{ proto }} {
  75. 	ip daddr @ss_rules_dst_bypass_ accept;
  76. 	ip6 daddr @ss_rules6_dst_bypass_ accept;
  77. 	goto ss_rules_src_{{ proto }};
  78. }
  79. 

  80. chain ss_rules_src_{{ proto }} {
  81. 	ip saddr @ss_rules_src_bypass accept;
  82. 	ip saddr @ss_rules_src_forward goto ss_rules_forward_{{ proto }};
  83. 	ip saddr @ss_rules_src_checkdst goto ss_rules_dst_{{ proto }};
  84. 	ip6 saddr @ss_rules6_src_bypass accept;
  85. 	ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_{{ proto }};
  86. 	ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_{{ proto }};
  87. 	{{ get_src_default_verdict() }};
  88. }
  89. 

  90. chain ss_rules_dst_{{ proto }} {
  91. 	ip daddr @ss_rules_dst_bypass accept;
  92. 	ip daddr @ss_rules_dst_forward goto ss_rules_forward_{{ proto }};
  93. 	ip6 daddr @ss_rules6_dst_bypass accept;
  94. 	ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_{{ proto }};
  95. 	{{ get_dst_default_verdict() }};
  96. }
  97. 

  98. {%   if (proto == "tcp"): %}
  99. chain ss_rules_forward_{{ proto }} {
  100. 	meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
  101. }
  102. {%   let local_verdict = get_local_verdict(); if (local_verdict): %}
  103. chain ss_rules_local_out {
  104. 	type {{ type }} hook output priority -1;
  105. 	meta l4proto != tcp accept;
  106. 	ip daddr @ss_rules_dst_bypass_ accept;
  107. 	ip daddr @ss_rules_dst_bypass accept;
  108. 	ip6 daddr @ss_rules6_dst_bypass_ accept;
  109. 	ip6 daddr @ss_rules6_dst_bypass accept;
  110. 	{{ local_verdict }};
  111. }
  112. {%     endif %}
  113. {%   elif (proto == "udp"): %}
  114. chain ss_rules_forward_{{ proto }} {
  115. 	meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
  116. }
  117. {%   endif %}
  118. {% endif %}