Merge pull request #1530 from aa65535/master

shadowsocks-libev: add package

net/shadowsocks-libev/Makefile

@@ -0,0 +1,91 @@
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=shadowsocks-libev
+PKG_VERSION:=2.2.2
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+PKG_SOURCE_VERSION:=4883903e657095b93f88a3a3b9a0dccdffdaa397
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MAINTAINER:=Jian Chang <aa65535@live.com>
+
+PKG_LICENSE:=GPLv2
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+
+PKG_INSTALL:=1
+PKG_FIXUP:=autoreconf
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/shadowsocks-libev/Default
+	SECTION:=net
+	CATEGORY:=Network
+	TITLE:=Lightweight Secured Socks5 Proxy $(2)
+	URL:=https://github.com/shadowsocks/shadowsocks-libev
+	VARIANT:=$(1)
+	DEPENDS:=$(3) +resolveip +ipset +ip +iptables-mod-tproxy
+endef
+
+Package/shadowsocks-libev = $(call Package/shadowsocks-libev/Default,openssl,(OpenSSL),+libopenssl)
+Package/shadowsocks-libev-polarssl = $(call Package/shadowsocks-libev/Default,polarssl,(PolarSSL),+libpolarssl)
+
+define Package/shadowsocks-libev/description
+Shadowsocks-libev is a lightweight secured scoks5 proxy for embedded devices and low end boxes.
+endef
+
+Package/shadowsocks-libev-polarssl/description = $(Package/shadowsocks-libev/description)
+
+define Package/shadowsocks-libev/conffiles
+/etc/config/shadowsocks-libev
+endef
+
+Package/shadowsocks-libev-polarssl/conffiles = $(Package/shadowsocks-libev/conffiles)
+
+define Package/shadowsocks-libev/postinst
+#!/bin/sh
+uci -q batch <<-EOF >/dev/null
+	delete firewall.shadowsocks_libev
+	set firewall.shadowsocks_libev=include
+	set firewall.shadowsocks_libev.type=script
+	set firewall.shadowsocks_libev.path=/usr/share/shadowsocks-libev/firewall.include
+	set firewall.shadowsocks_libev.reload=1
+	commit firewall
+EOF
+exit 0
+endef
+
+Package/shadowsocks-libev-polarssl/postinst = $(Package/shadowsocks-libev/postinst)
+
+ifeq ($(BUILD_VARIANT),polarssl)
+	CONFIGURE_ARGS += --with-crypto-library=polarssl
+endif
+
+define Package/shadowsocks-libev/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin
+	$(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev
+	$(INSTALL_DIR) $(1)/usr/share/shadowsocks-libev
+	$(INSTALL_DATA) ./files/firewall.include $(1)/usr/share/shadowsocks-libev/firewall.include
+endef
+
+Package/shadowsocks-libev-polarssl/install = $(Package/shadowsocks-libev/install)
+
+$(eval $(call BuildPackage,shadowsocks-libev))
+$(eval $(call BuildPackage,shadowsocks-libev-polarssl))

net/shadowsocks-libev/files/firewall.include

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if pidof ss-redir>/dev/null; then
+	/etc/init.d/shadowsocks-libev rules
+	logger -t ShadowSocks-libev "Reloading ShadowSocks-libev due to restart of firewall"
+fi

net/shadowsocks-libev/files/shadowsocks-libev.config

@@ -0,0 +1,15 @@
+
+config shadowsocks-libev
+	option enable '1'
+	option server '127.0.0.1'
+	option server_port '8388'
+	option local_port '1080'
+	option password 'barfoo!'
+	option timeout '60'
+	option encrypt_method 'rc4-md5'
+	option ignore_list '/dev/null'
+	option udp_relay '0'
+	option tunnel_enable '1'
+	option tunnel_port '5300'
+	option tunnel_forward '8.8.4.4:53'
+	option lan_ac_mode '0'

net/shadowsocks-libev/files/shadowsocks-libev.init

@@ -0,0 +1,115 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=15
+
+SERVICE_USE_PID=1
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+EXTRA_COMMANDS="rules"
+CONFIG_FILE=/var/etc/shadowsocks-libev.json
+
+get_config() {
+	config_get_bool enable $1 enable
+	config_get server $1 server
+	config_get server_port $1 server_port
+	config_get local_port $1 local_port
+	config_get password $1 password
+	config_get timeout $1 timeout
+	config_get encrypt_method $1 encrypt_method
+	config_get ignore_list $1 ignore_list
+	config_get udp_relay $1 udp_relay
+	config_get_bool tunnel_enable $1 tunnel_enable
+	config_get tunnel_port $1 tunnel_port
+	config_get tunnel_forward $1 tunnel_forward
+	config_get lan_ac_mode $1 lan_ac_mode
+	config_get lan_ac_ip $1 lan_ac_ip
+	config_get wan_bp_ip $1 wan_bp_ip
+	config_get wan_fw_ip $1 wan_fw_ip
+	config_get ipt_ext $1 ipt_ext
+	: ${tunnel_port:=5300}
+	: ${tunnel_forward:=8.8.4.4:53}
+}
+
+start_rules() {
+	local ac_args
+
+	if [ -n "$lan_ac_ip" ]; then
+		case $lan_ac_mode in
+			1) ac_args="w$lan_ac_ip"
+			;;
+			2) ac_args="b$lan_ac_ip"
+			;;
+		esac
+	fi
+	/usr/bin/ss-rules \
+		-s "$server" \
+		-l "$local_port" \
+		-i "$ignore_list" \
+		-a "$ac_args" \
+		-b "$wan_bp_ip" \
+		-w "$wan_fw_ip" \
+		-e "$ipt_ext" \
+		-o $udp
+	return $?
+}
+
+start_redir() {
+	service_start /usr/bin/ss-redir \
+		-c "$CONFIG_FILE" $udp
+	return $?
+}
+
+start_tunnel() {
+	service_start /usr/bin/ss-tunnel \
+		-c "$CONFIG_FILE" \
+		-l "$tunnel_port" \
+		-L "$tunnel_forward" \
+		-u
+	return $?
+}
+
+rules() {
+	config_load shadowsocks-libev
+	config_foreach get_config shadowsocks-libev
+	[ "$enable" = 1 ] || exit 0
+	[ "$udp_relay" = 1 ] && udp="-u"
+	mkdir -p $(dirname $CONFIG_FILE)
+
+	: ${server:?}
+	: ${server_port:?}
+	: ${local_port:?}
+	: ${password:?}
+	: ${encrypt_method:?}
+	cat <<-EOF >$CONFIG_FILE
+		{
+		    "server": "$server",
+		    "server_port": $server_port,
+		    "local_address": "0.0.0.0",
+		    "local_port": $local_port,
+		    "password": "$password",
+		    "timeout": $timeout,
+		    "method": "$encrypt_method"
+		}
+EOF
+	start_rules
+}
+
+boot() {
+	until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
+		sleep 1
+	done
+	start
+}
+
+start() {
+	rules && start_redir
+	[ "$tunnel_enable" = 1 ] && start_tunnel
+}
+
+stop() {
+	/usr/bin/ss-rules -f
+	service_stop /usr/bin/ss-redir
+	service_stop /usr/bin/ss-tunnel
+	rm -f $CONFIG_FILE
+}

net/shadowsocks-libev/files/ss-rules

@@ -0,0 +1,203 @@
+#!/bin/sh
+
+usage() {
+	cat <<-EOF
+		Usage: ss-rules [options]
+
+		Valid options are:
+
+		    -s <server_host>        hostname or ip of shadowsocks remote server
+		    -l <local_port>         port number of shadowsocks local server
+		    -i <ip_list_file>       a file content is bypassed ip list
+		    -a <lan_ips>            lan ip of access control, need a prefix to
+		                            define access control mode
+		    -b <wan_ips>            wan ip of will be bypassed
+		    -w <wan_ips>            wan ip of will be forwarded
+		    -e <extra_options>      extra options for iptables
+		    -o                      apply the rules to the OUTPUT chain
+		    -u                      enable udprelay mode, TPROXY is required
+		    -f                      flush the rules
+EOF
+}
+
+loger() {
+	# 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
+	logger -st ss-rules[$$] -p$1 $2
+}
+
+ipt_n="iptables -t nat"
+ipt_m="iptables -t mangle"
+
+flush_r() {
+	local IPT
+
+	IPT=$(iptables-save -t nat)
+	eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+		sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/')
+
+	for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+		$ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1}
+	done
+
+	IPT=$(iptables-save -t mangle)
+	eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+		sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/')
+
+	for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+		$ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1}
+	done
+
+	ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
+	ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
+	ipset -X ss_spec_lan_ac 2>/dev/null
+	ipset -X ss_spec_wan_ac 2>/dev/null
+	return 0
+}
+
+ipset_r() {
+	ipset -! -R <<-EOF || return 1
+		create ss_spec_wan_ac hash:net
+		$(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
+		$(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
+EOF
+	$ipt_n -N SS_SPEC_WAN_AC && \
+	$ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \
+	$ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
+	return $?
+}
+
+fw_rule() {
+	$ipt_n -N SS_SPEC_WAN_FW && \
+	$ipt_n -A SS_SPEC_WAN_FW -p tcp \
+		-j REDIRECT --to-ports $LOCAL_PORT 2>/dev/null || {
+		loger 3 "Can't redirect, please check the iptables."
+		exit 1
+	}
+	return $?
+}
+
+ac_rule() {
+	local TAG ROUTECHAIN
+
+	if [ -n "$LAN_AC_IP" ]; then
+		if [ "${LAN_AC_IP:0:1}" = "w" ]; then
+			TAG="nomatch"
+		else
+			if [ "${LAN_AC_IP:0:1}" != "b" ]; then
+				loger 3 "Bad argument \`-a $LAN_AC_IP\`."
+				return 2
+			fi
+		fi
+	fi
+
+	ROUTECHAIN=PREROUTING
+	if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then
+		ROUTECHAIN=zone_lan_prerouting
+	fi
+
+	ipset -! -R <<-EOF || return 1
+		create ss_spec_lan_ac hash:net
+		$(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
+EOF
+	$ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \
+		-m set ! --match-set ss_spec_lan_ac src \
+		-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+
+	if [ "$OUTPUT" = 1 ]; then
+		$ipt_n -A OUTPUT -p tcp $EXT_ARGS \
+			-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+	fi
+	return $?
+}
+
+tp_rule() {
+	[ "$TPROXY" = 1 ] || return 0
+	ip rule add fwmark 0x01/0x01 table 100
+	ip route add local 0.0.0.0/0 dev lo table 100
+	$ipt_m -N SS_SPEC_TPROXY
+	$ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \
+		-j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
+	$ipt_m -A PREROUTING -p udp $EXT_ARGS \
+		-m set ! --match-set ss_spec_lan_ac src \
+		-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
+	return $?
+}
+
+while getopts ":s:l:c:i:e:a:b:w:ouf" arg; do
+	case $arg in
+		s)
+			SERVER=$OPTARG
+			;;
+		l)
+			LOCAL_PORT=$OPTARG
+			;;
+		i)
+			IGNORE=$OPTARG
+			;;
+		e)
+			EXT_ARGS=$OPTARG
+			;;
+		a)
+			LAN_AC_IP=$OPTARG
+			;;
+		b)
+			WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done)
+			;;
+		w)
+			WAN_FW_IP=$OPTARG
+			;;
+		o)
+			OUTPUT=1
+			;;
+		u)
+			TPROXY=1
+			;;
+		f)
+			flush_r
+			exit 0
+			;;
+	esac
+done
+
+if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
+	usage
+	exit 2
+fi
+
+SERVER=$(resolveip -t60 $SERVER)
+
+if [ -z "$SERVER" ]; then
+	loger 3 "Can't resolve the server hostname."
+	exit 1
+fi
+
+if [ -f "$IGNORE" ]; then
+	IGNORE_IP=$(cat $IGNORE 2>/dev/null)
+fi
+
+IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
+	$SERVER
+	0.0.0.0/8
+	10.0.0.0/8
+	100.64.0.0/10
+	127.0.0.0/8
+	169.254.0.0/16
+	172.16.0.0/12
+	192.0.0.0/24
+	192.0.2.0/24
+	192.88.99.0/24
+	192.168.0.0/16
+	198.18.0.0/15
+	198.51.100.0/24
+	203.0.113.0/24
+	224.0.0.0/4
+	240.0.0.0/4
+	255.255.255.255
+	$WAN_BP_IP
+	$IGNORE_IP
+EOF
+)
+
+flush_r && fw_rule && ipset_r && ac_rule && tp_rule
+
+exit $?