shadowsocks-libev: add nft_tcp_extra/nft_udp_extra options

To add extra statement to tcp/udp forward rule, example:

```
config ss_rules 'ss_rules'
    ...
    option nft_tcp_extra 'tcp dport { 80, 443 }' # tcp only forward connections with dport 80 or 443
    option nft_udp_extra 'udp dport { 53 }' # udp only forward connections with dport 53
```

This somewhat restores the old ipt_args functionality.

Signed-off-by: Zhong Jianxin <azuwis@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(Amend README.md a bit)

net/shadowsocks-libev/Makefile

@@ -14,7 +14,7 @@ include $(TOPDIR)/rules.mk
 #
 PKG_NAME:=shadowsocks-libev
 PKG_VERSION:=3.3.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)

net/shadowsocks-libev/README.md

@@ -75,6 +75,8 @@ ss-rules now uses nft set for storing addresses/networks.  Those set names are a
 
 Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation.  Option names are retained in its current form for backward compatibility coniderations
 
+Extra nftables expressions can be specified with `nft_tcp_extra` and `nft_udp_extra` to apply ss_rules only to selected tcp/udp traffics.  E.g. `tcp dport { 80, 443 }`, `udp dport 53`, etc.
+
 # incompatible changes
 
 | Commit date | Commit ID | Subject | Comment |

net/shadowsocks-libev/files/shadowsocks-libev.init

@@ -152,6 +152,8 @@ ss_rules() {
 	json_add_string o_dst_bypass_file "$dst_ips_bypass_file"
 	json_add_string o_dst_forward_file "$dst_ips_forward_file"
 	json_add_string o_dst_default "$dst_default"
+	json_add_string o_nft_tcp_extra "$nft_tcp_extra"
+	json_add_string o_nft_udp_extra "$nft_udp_extra"
 	json_dump -i >"$tmp.json"
 
 	if ucode -S -i "$ssrules_uc" -E "$tmp.json" >"$tmp.nft" \
@@ -283,6 +285,8 @@ validate_ss_rules_section() {
 		'src_default:or("bypass", "forward", "checkdst"):checkdst' \
 		'dst_default:or("bypass", "forward"):bypass' \
 		'local_default:or("bypass", "forward", "checkdst"):bypass' \
+		'nft_tcp_extra:string' \
+		'nft_udp_extra:string' \
 		'ifnames:maxlength(15)'
 }
 

net/shadowsocks-libev/files/ss-rules/chain.uc

@@ -97,7 +97,7 @@ chain ss_rules_dst_{{ proto }} {
 
 {%   if (proto == "tcp"): %}
 chain ss_rules_forward_{{ proto }} {
-	meta l4proto tcp redirect to :{{ redir_port }};
+	meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
 }
 {%   let local_verdict = get_local_verdict(); if (local_verdict): %}
 chain ss_rules_local_out {
@@ -112,7 +112,7 @@ chain ss_rules_local_out {
 {%     endif %}
 {%   elif (proto == "udp"): %}
 chain ss_rules_forward_{{ proto }} {
-	meta l4proto udp meta mark set 1 tproxy to :{{ redir_port }};
+	meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
 }
 {%   endif %}
 {% endif %}