diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile new file mode 100644 index 000000000..40cd3e565 --- /dev/null +++ b/net/shadowsocks-libev/Makefile @@ -0,0 +1,91 @@ +# +# Copyright (C) 2015 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=shadowsocks-libev +PKG_VERSION:=2.2.2 +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE) +PKG_SOURCE_VERSION:=4883903e657095b93f88a3a3b9a0dccdffdaa397 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +PKG_MAINTAINER:=aa65535 + +PKG_LICENSE:=GPLv2 +PKG_LICENSE_FILES:=LICENSE + +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE) + +PKG_INSTALL:=1 +PKG_FIXUP:=autoreconf +PKG_USE_MIPS16:=0 +PKG_BUILD_PARALLEL:=1 + +include $(INCLUDE_DIR)/package.mk + +define Package/shadowsocks-libev/Default + SECTION:=net + CATEGORY:=Network + TITLE:=Lightweight Secured Socks5 Proxy $(2) + URL:=https://github.com/shadowsocks/shadowsocks-libev + VARIANT:=$(1) + DEPENDS:=$(3) +resolveip +ipset +ip +iptables-mod-tproxy +endef + +Package/shadowsocks-libev = $(call Package/shadowsocks-libev/Default,openssl,(OpenSSL),+libopenssl) +Package/shadowsocks-libev-polarssl = $(call Package/shadowsocks-libev/Default,polarssl,(PolarSSL),+libpolarssl) + +define Package/shadowsocks-libev/description +Shadowsocks-libev is a lightweight secured scoks5 proxy for embedded devices and low end boxes. +endef + +Package/shadowsocks-libev-polarssl/description = $(Package/shadowsocks-libev/description) + +define Package/shadowsocks-libev/conffiles +/etc/config/shadowsocks-libev +endef + +Package/shadowsocks-libev-polarssl/conffiles = $(Package/shadowsocks-libev/conffiles) + +define Package/shadowsocks-libev/postinst +#!/bin/sh +uci -q batch <<-EOF >/dev/null + delete firewall.shadowsocks_libev + set firewall.shadowsocks_libev=include + set firewall.shadowsocks_libev.type=script + set firewall.shadowsocks_libev.path=/usr/share/shadowsocks-libev/firewall.include + set firewall.shadowsocks_libev.reload=1 + commit firewall +EOF +exit 0 +endef + +Package/shadowsocks-libev-polarssl/postinst = $(Package/shadowsocks-libev/postinst) + +ifeq ($(BUILD_VARIANT),polarssl) + CONFIGURE_ARGS += --with-crypto-library=polarssl +endif + +define Package/shadowsocks-libev/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin + $(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev + $(INSTALL_DIR) $(1)/usr/share/shadowsocks-libev + $(INSTALL_DATA) ./files/firewall.include $(1)/usr/share/shadowsocks-libev/firewall.include +endef + +Package/shadowsocks-libev-polarssl/install = $(Package/shadowsocks-libev/install) + +$(eval $(call BuildPackage,shadowsocks-libev)) +$(eval $(call BuildPackage,shadowsocks-libev-polarssl)) diff --git a/net/shadowsocks-libev/files/firewall.include b/net/shadowsocks-libev/files/firewall.include new file mode 100644 index 000000000..3a00e8025 --- /dev/null +++ b/net/shadowsocks-libev/files/firewall.include @@ -0,0 +1,6 @@ +#!/bin/sh + +if pidof ss-redir>/dev/null; then + /etc/init.d/shadowsocks-libev rules + logger -t ShadowSocks-libev "Reloading ShadowSocks-libev due to restart of firewall" +fi diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.config b/net/shadowsocks-libev/files/shadowsocks-libev.config new file mode 100644 index 000000000..2f7be3d2a --- /dev/null +++ b/net/shadowsocks-libev/files/shadowsocks-libev.config @@ -0,0 +1,15 @@ + +config shadowsocks-libev + option enable '1' + option server '127.0.0.1' + option server_port '8388' + option local_port '1080' + option password 'barfoo!' + option timeout '60' + option encrypt_method 'rc4-md5' + option ignore_list '/dev/null' + option udp_relay '0' + option tunnel_enable '1' + option tunnel_port '5300' + option tunnel_forward '8.8.4.4:53' + option lan_ac_mode '0' diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init new file mode 100644 index 000000000..3d149e754 --- /dev/null +++ b/net/shadowsocks-libev/files/shadowsocks-libev.init @@ -0,0 +1,115 @@ +#!/bin/sh /etc/rc.common + +START=90 +STOP=15 + +SERVICE_USE_PID=1 +SERVICE_WRITE_PID=1 +SERVICE_DAEMONIZE=1 +EXTRA_COMMANDS="rules" +CONFIG_FILE=/var/etc/shadowsocks-libev.json + +get_config() { + config_get_bool enable $1 enable + config_get server $1 server + config_get server_port $1 server_port + config_get local_port $1 local_port + config_get password $1 password + config_get timeout $1 timeout + config_get encrypt_method $1 encrypt_method + config_get ignore_list $1 ignore_list + config_get udp_relay $1 udp_relay + config_get_bool tunnel_enable $1 tunnel_enable + config_get tunnel_port $1 tunnel_port + config_get tunnel_forward $1 tunnel_forward + config_get lan_ac_mode $1 lan_ac_mode + config_get lan_ac_ip $1 lan_ac_ip + config_get wan_bp_ip $1 wan_bp_ip + config_get wan_fw_ip $1 wan_fw_ip + config_get ipt_ext $1 ipt_ext + : ${tunnel_port:=5300} + : ${tunnel_forward:=8.8.4.4:53} +} + +start_rules() { + local ac_args + + if [ -n "$lan_ac_ip" ]; then + case $lan_ac_mode in + 1) ac_args="w$lan_ac_ip" + ;; + 2) ac_args="b$lan_ac_ip" + ;; + esac + fi + /usr/bin/ss-rules \ + -s "$server" \ + -l "$local_port" \ + -i "$ignore_list" \ + -a "$ac_args" \ + -b "$wan_bp_ip" \ + -w "$wan_fw_ip" \ + -e "$ipt_ext" \ + -o $udp + return $? +} + +start_redir() { + service_start /usr/bin/ss-redir \ + -c "$CONFIG_FILE" $udp + return $? +} + +start_tunnel() { + service_start /usr/bin/ss-tunnel \ + -c "$CONFIG_FILE" \ + -l "$tunnel_port" \ + -L "$tunnel_forward" \ + -u + return $? +} + +rules() { + config_load shadowsocks-libev + config_foreach get_config shadowsocks-libev + [ "$enable" = 1 ] || exit 0 + [ "$udp_relay" = 1 ] && udp="-u" + mkdir -p $(dirname $CONFIG_FILE) + + : ${server:?} + : ${server_port:?} + : ${local_port:?} + : ${password:?} + : ${encrypt_method:?} + cat <<-EOF >$CONFIG_FILE + { + "server": "$server", + "server_port": $server_port, + "local_address": "0.0.0.0", + "local_port": $local_port, + "password": "$password", + "timeout": $timeout, + "method": "$encrypt_method" + } +EOF + start_rules +} + +boot() { + until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do + sleep 1 + done + start +} + +start() { + rules && start_redir + [ "$tunnel_enable" = 1 ] && start_tunnel +} + +stop() { + /usr/bin/ss-rules -f + service_stop /usr/bin/ss-redir + service_stop /usr/bin/ss-tunnel + rm -f $CONFIG_FILE +} diff --git a/net/shadowsocks-libev/files/ss-rules b/net/shadowsocks-libev/files/ss-rules new file mode 100644 index 000000000..e9e229518 --- /dev/null +++ b/net/shadowsocks-libev/files/ss-rules @@ -0,0 +1,203 @@ +#!/bin/sh + +usage() { + cat <<-EOF + Usage: ss-rules [options] + + Valid options are: + + -s hostname or ip of shadowsocks remote server + -l port number of shadowsocks local server + -i a file content is bypassed ip list + -a lan ip of access control, need a prefix to + define access control mode + -b wan ip of will be bypassed + -w wan ip of will be forwarded + -e extra options for iptables + -o apply the rules to the OUTPUT chain + -u enable udprelay mode, TPROXY is required + -f flush the rules +EOF +} + +loger() { + # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug + logger -st ss-rules[$$] -p$1 $2 +} + +ipt_n="iptables -t nat" +ipt_m="iptables -t mangle" + +flush_r() { + local IPT + + IPT=$(iptables-save -t nat) + eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \ + sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/') + + for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do + $ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1} + done + + IPT=$(iptables-save -t mangle) + eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \ + sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/') + + for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do + $ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1} + done + + ip rule del fwmark 0x01/0x01 table 100 2>/dev/null + ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null + ipset -X ss_spec_lan_ac 2>/dev/null + ipset -X ss_spec_wan_ac 2>/dev/null + return 0 +} + +ipset_r() { + ipset -! -R <<-EOF || return 1 + create ss_spec_wan_ac hash:net + $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /") + $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done) +EOF + $ipt_n -N SS_SPEC_WAN_AC && \ + $ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \ + $ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW + return $? +} + +fw_rule() { + $ipt_n -N SS_SPEC_WAN_FW && \ + $ipt_n -A SS_SPEC_WAN_FW -p tcp \ + -j REDIRECT --to-ports $LOCAL_PORT 2>/dev/null || { + loger 3 "Can't redirect, please check the iptables." + exit 1 + } + return $? +} + +ac_rule() { + local TAG ROUTECHAIN + + if [ -n "$LAN_AC_IP" ]; then + if [ "${LAN_AC_IP:0:1}" = "w" ]; then + TAG="nomatch" + else + if [ "${LAN_AC_IP:0:1}" != "b" ]; then + loger 3 "Bad argument \`-a $LAN_AC_IP\`." + return 2 + fi + fi + fi + + ROUTECHAIN=PREROUTING + if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then + ROUTECHAIN=zone_lan_prerouting + fi + + ipset -! -R <<-EOF || return 1 + create ss_spec_lan_ac hash:net + $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done) +EOF + $ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \ + -m set ! --match-set ss_spec_lan_ac src \ + -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC + + if [ "$OUTPUT" = 1 ]; then + $ipt_n -A OUTPUT -p tcp $EXT_ARGS \ + -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC + fi + return $? +} + +tp_rule() { + [ "$TPROXY" = 1 ] || return 0 + ip rule add fwmark 0x01/0x01 table 100 + ip route add local 0.0.0.0/0 dev lo table 100 + $ipt_m -N SS_SPEC_TPROXY + $ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \ + -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01 + $ipt_m -A PREROUTING -p udp $EXT_ARGS \ + -m set ! --match-set ss_spec_lan_ac src \ + -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY + return $? +} + +while getopts ":s:l:c:i:e:a:b:w:ouf" arg; do + case $arg in + s) + SERVER=$OPTARG + ;; + l) + LOCAL_PORT=$OPTARG + ;; + i) + IGNORE=$OPTARG + ;; + e) + EXT_ARGS=$OPTARG + ;; + a) + LAN_AC_IP=$OPTARG + ;; + b) + WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done) + ;; + w) + WAN_FW_IP=$OPTARG + ;; + o) + OUTPUT=1 + ;; + u) + TPROXY=1 + ;; + f) + flush_r + exit 0 + ;; + esac +done + +if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then + usage + exit 2 +fi + +SERVER=$(resolveip -t60 $SERVER) + +if [ -z "$SERVER" ]; then + loger 3 "Can't resolve the server hostname." + exit 1 +fi + +if [ -f "$IGNORE" ]; then + IGNORE_IP=$(cat $IGNORE 2>/dev/null) +fi + +IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}" + $SERVER + 0.0.0.0/8 + 10.0.0.0/8 + 100.64.0.0/10 + 127.0.0.0/8 + 169.254.0.0/16 + 172.16.0.0/12 + 192.0.0.0/24 + 192.0.2.0/24 + 192.88.99.0/24 + 192.168.0.0/16 + 198.18.0.0/15 + 198.51.100.0/24 + 203.0.113.0/24 + 224.0.0.0/4 + 240.0.0.0/4 + 255.255.255.255 + $WAN_BP_IP + $IGNORE_IP +EOF +) + +flush_r && fw_rule && ipset_r && ac_rule && tp_rule + +exit $?