From 2de9035bda5464a3990b15ef582f6df243ea4f9c Mon Sep 17 00:00:00 2001
From: Zhong Jianxin
Date: Wed, 2 Mar 2022 15:26:55 +0800
Subject: [PATCH] shadowsocks-libev: add nft_tcp_extra/nft_udp_extra options

To add extra statement to tcp/udp forward rule, example:
```
config ss_rules 'ss_rules'
...
option nft_tcp_extra 'tcp dport { 80, 443 }' # tcp only forward connections with dport 80 or 443
option nft_udp_extra 'udp dport { 53 }' # udp only forward connections with dport 53
```
This somewhat restores the old ipt_args functionality.

Signed-off-by: Zhong Jianxin
Signed-off-by: Yousong Zhou (Amend README.md a bit)
---
 net/shadowsocks-libev/Makefile | 2 +-
 net/shadowsocks-libev/README.md | 2 ++
 net/shadowsocks-libev/files/shadowsocks-libev.init | 4 ++++
 net/shadowsocks-libev/files/ss-rules/chain.uc | 4 ++--
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
index d5d26f53c..1a76d67fe 100644
--- a/net/shadowsocks-libev/Makefile
+++ b/net/shadowsocks-libev/Makefile
@@ -14,7 +14,7 @@ include $(TOPDIR)/rules.mk
 #
 PKG_NAME:=shadowsocks-libev
 PKG_VERSION:=3.3.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
diff --git a/net/shadowsocks-libev/README.md b/net/shadowsocks-libev/README.md
index 3f57af62e..8e72e7fbf 100644
--- a/net/shadowsocks-libev/README.md
+++ b/net/shadowsocks-libev/README.md
@@ -75,6 +75,8 @@ ss-rules now uses nft set for storing addresses/networks. Those set names are a
 Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Option names are retained in its current form for backward compatibility coniderations
+Extra nftables expressions can be specified with `nft_tcp_extra` and `nft_udp_extra` to apply ss_rules only to selected tcp/udp traffics. E.g. `tcp dport { 80, 443 }`, `udp dport 53`, etc.
+
 # incompatible changes
 | Commit date | Commit ID | Subject | Comment |
diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init
index 0805e4019..be72a9f66 100644
--- a/net/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/net/shadowsocks-libev/files/shadowsocks-libev.init
@@ -152,6 +152,8 @@ ss_rules() {
 json_add_string o_dst_bypass_file "$dst_ips_bypass_file"
 json_add_string o_dst_forward_file "$dst_ips_forward_file"
 json_add_string o_dst_default "$dst_default"
+json_add_string o_nft_tcp_extra "$nft_tcp_extra"
+json_add_string o_nft_udp_extra "$nft_udp_extra"
 json_dump -i >"$tmp.json"
 if ucode -S -i "$ssrules_uc" -E "$tmp.json" >"$tmp.nft" \
@@ -283,6 +285,8 @@ validate_ss_rules_section() {
 'src_default:or("bypass", "forward", "checkdst"):checkdst' \
 'dst_default:or("bypass", "forward"):bypass' \
 'local_default:or("bypass", "forward", "checkdst"):bypass' \
+'nft_tcp_extra:string' \
+'nft_udp_extra:string' \
 'ifnames:maxlength(15)'
 }
diff --git a/net/shadowsocks-libev/files/ss-rules/chain.uc b/net/shadowsocks-libev/files/ss-rules/chain.uc
index 00362f694..a378e770e 100644
--- a/net/shadowsocks-libev/files/ss-rules/chain.uc
+++ b/net/shadowsocks-libev/files/ss-rules/chain.uc
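Review bot: The validation added in the second init hunk (`'nft_tcp_extra:string'`, `'nft_udp_extra:string'`) accepts any string, while the first hunk forwards that value unchanged through `json_add_string` to the ucode template, which splices it verbatim into the nft rule; a stray `;` in the option therefore changes the rule structure, and any nft syntax error aborts loading of the whole ss_rules ruleset rather than just the one option. Since the `if ucode ... >"$tmp.nft" \` branch continues outside the hunk I cannot see how a load failure is handled, but if it simply logs and returns, the practical outcome is presumably no redirection at all (traffic goes direct), which is the failure mode worth naming in the error message. A `string` validator cannot check nft syntax, but the init script could reject the one character that terminates an nft statement before the value reaches the template, e.g. `case "$nft_tcp_extra$nft_udp_extra" in *\;*) echo "ss_rules: nft_*_extra must be a single nft match expression" >&2; return 1;; esac` placed ahead of the `json_add_string` calls, using whatever error reporting ss_rules already has. Both enclosing functions, `ss_rules()` and `validate_ss_rules_section()`, start outside their hunks.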
@@ -97,7 +97,7 @@ chain ss_rules_dst_{{ proto }} {
 {% if (proto == "tcp"): %}
 chain ss_rules_forward_{{ proto }} {
-meta l4proto tcp redirect to :{{ redir_port }};
+meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
 }
 {% let local_verdict = get_local_verdict(); if (local_verdict): %}
 chain ss_rules_local_out {
@@ -112,7 +112,7 @@ chain ss_rules_local_out {
 {% endif %}
 {% elif (proto == "udp"): %}
 chain ss_rules_forward_{{ proto }} {
-meta l4proto udp meta mark set 1 tproxy to :{{ redir_port }};
+meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
 }
 {% endif %}
 {% endif %}
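Review bot: `{{ o_nft_tcp_extra }}` in the first hunk (and `{{ o_nft_udp_extra }}` in the second) is emitted with no quoting or escaping, so the option is a raw fragment of nft syntax, and nothing in the template says so; a reader of chain.uc has to go back to the init script and README to learn that the value must be a complete match expression and that an empty option collapses to whitespace. The expression is also inserted only into `ss_rules_forward_{{ proto }}`; the `ss_rules_local_out` chain shown as context has its body outside the hunk, and if it carries its own redirect for locally generated tcp traffic, that path presumably ignores `nft_tcp_extra`, which should be stated wherever the option is documented. I would add a template comment above the tcp rule, `{# o_nft_tcp_extra is an operator-supplied nft match expression, spliced verbatim (no quoting); it narrows forwarded tcp traffic only #}`, and the equivalent above the udp rule in the second hunk.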