shadowsocks-libev: add packagelilik-openwrt-22.03
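--- /dev/null
+++ b/Makefile
@@ -0,0 +1,91 @@
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+include $(TOPDIR)/rules.mk
+PKG_NAME:=shadowsocks-libev
+PKG_VERSION:=2.2.2
+PKG_RELEASE:=1
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+PKG_SOURCE_VERSION:=4883903e657095b93f88a3a3b9a0dccdffdaa397
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MAINTAINER:=Jian Chang <aa65535@live.com>
+PKG_LICENSE:=GPLv2
+PKG_LICENSE_FILES:=LICENSE
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+PKG_INSTALL:=1
+PKG_FIXUP:=autoreconf
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+include $(INCLUDE_DIR)/package.mk
+define Package/shadowsocks-libev/Default
+SECTION:=net
+CATEGORY:=Network
+TITLE:=Lightweight Secured Socks5 Proxy $(2)
+URL:=https://github.com/shadowsocks/shadowsocks-libev
+VARIANT:=$(1)
+DEPENDS:=$(3) +resolveip +ipset +ip +iptables-mod-tproxy
+endef
+Package/shadowsocks-libev = $(call Package/shadowsocks-libev/Default,openssl,(OpenSSL),+libopenssl)
+Package/shadowsocks-libev-polarssl = $(call Package/shadowsocks-libev/Default,polarssl,(PolarSSL),+libpolarssl)
+define Package/shadowsocks-libev/description
+Shadowsocks-libev is a lightweight secured scoks5 proxy for embedded devices and low end boxes.
+endef
+Package/shadowsocks-libev-polarssl/description = $(Package/shadowsocks-libev/description)
+define Package/shadowsocks-libev/conffiles
+/etc/config/shadowsocks-libev
+endef
+Package/shadowsocks-libev-polarssl/conffiles = $(Package/shadowsocks-libev/conffiles)
+define Package/shadowsocks-libev/postinst
+#!/bin/sh
+uci -q batch <<-EOF >/dev/null
+delete firewall.shadowsocks_libev
+set firewall.shadowsocks_libev=include
+set firewall.shadowsocks_libev.type=script
+set firewall.shadowsocks_libev.path=/usr/share/shadowsocks-libev/firewall.include
+set firewall.shadowsocks_libev.reload=1
+commit firewall
+EOF
+exit 0
+endef
+Package/shadowsocks-libev-polarssl/postinst = $(Package/shadowsocks-libev/postinst)
+ifeq ($(BUILD_VARIANT),polarssl)
+CONFIGURE_ARGS += --with-crypto-library=polarssl
+endif
+define Package/shadowsocks-libev/install
+$(INSTALL_DIR) $(1)/usr/bin
+$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin
+$(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
+$(INSTALL_DIR) $(1)/etc/config
+$(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev
+$(INSTALL_DIR) $(1)/etc/init.d
+$(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev
+$(INSTALL_DIR) $(1)/usr/share/shadowsocks-libev
+$(INSTALL_DATA) ./files/firewall.include $(1)/usr/share/shadowsocks-libev/firewall.include
+endef
+Package/shadowsocks-libev-polarssl/install = $(Package/shadowsocks-libev/install)
+$(eval $(call BuildPackage,shadowsocks-libev))
+$(eval $(call BuildPackage,shadowsocks-libev-polarssl))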
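Review bot: The source is pinned to a commit via PKG_SOURCE_VERSION (L16), but no PKG_MIRROR_HASH is declared, so a tarball for this package served by the OpenWrt download mirror cannot be verified against a known digest; whether the mirror is tried before the git clone depends on the buildroot's download logic, but in either case a digest makes the fetch reproducible and tamper-evident. Add `PKG_MIRROR_HASH:=` with the sha256 of the generated tarball next to PKG_SOURCE (`make package/shadowsocks-libev/check FIXUP=1` fills it in). The polarssl variant depends on `+libpolarssl` (L36); PolarSSL was superseded by mbed TLS, so confirm that library still exists and receives security fixes in the target tree before shipping that variant. Minor: the description on L38 misspells "socks5" as "scoks5".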
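--- /dev/null
+++ b/files/firewall.include
@@ -0,0 +1,6 @@
+#!/bin/sh
+if pidof ss-redir>/dev/null; then
+/etc/init.d/shadowsocks-libev rules
+logger -t ShadowSocks-libev "Reloading ShadowSocks-libev due to restart of firewall"
+fi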
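Review bot: The exit status of `/etc/init.d/shadowsocks-libev rules` on L78 is discarded, so if re-applying the rules fails during a firewall reload, ss-redir keeps running while the NAT redirect is gone and LAN traffic silently goes direct instead of through the proxy, with only the "Reloading" notice in the log. Make the failure visible: `/etc/init.d/shadowsocks-libev rules || logger -t ShadowSocks-libev -p err "Failed to re-apply ShadowSocks-libev firewall rules"`, and move the existing notice on L79 into the success branch so the log reflects what actually happened.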
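--- /dev/null
+++ b/files/shadowsocks-libev.config
@@ -0,0 +1,15 @@
+config shadowsocks-libev
+option enable '1'
+option server '127.0.0.1'
+option server_port '8388'
+option local_port '1080'
+option password 'barfoo!'
+option timeout '60'
+option encrypt_method 'rc4-md5'
+option ignore_list '/dev/null'
+option udp_relay '0'
+option tunnel_enable '1'
+option tunnel_port '5300'
+option tunnel_forward '8.8.4.4:53'
+option lan_ac_mode '0'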
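Review bot: The shipped conffile enables the service (`option enable '1'`, L83) with the placeholder password `'barfoo!'` and `encrypt_method 'rc4-md5'`, so on first boot the init script starts ss-redir and installs the LAN redirect against 127.0.0.1:8388 with a credential that sits in the public source tree, before the user has configured anything. Ship it as `option enable '0'` so nothing goes live with placeholder secrets, and let the user opt in after setting a real server and password. rc4-md5 is a stream cipher with no integrity protection; the default should be the strongest method this shadowsocks-libev version accepts, with a comment telling users the example password must be changed.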
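--- /dev/null
+++ b/files/shadowsocks-libev.init
@@ -0,0 +1,115 @@
+#!/bin/sh /etc/rc.common
+START=90
+STOP=15
+SERVICE_USE_PID=1
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+EXTRA_COMMANDS="rules"
+CONFIG_FILE=/var/etc/shadowsocks-libev.json
+get_config() {
+config_get_bool enable $1 enable
+config_get server $1 server
+config_get server_port $1 server_port
+config_get local_port $1 local_port
+config_get password $1 password
+config_get timeout $1 timeout
+config_get encrypt_method $1 encrypt_method
+config_get ignore_list $1 ignore_list
+config_get udp_relay $1 udp_relay
+config_get_bool tunnel_enable $1 tunnel_enable
+config_get tunnel_port $1 tunnel_port
+config_get tunnel_forward $1 tunnel_forward
+config_get lan_ac_mode $1 lan_ac_mode
+config_get lan_ac_ip $1 lan_ac_ip
+config_get wan_bp_ip $1 wan_bp_ip
+config_get wan_fw_ip $1 wan_fw_ip
+config_get ipt_ext $1 ipt_ext
+: ${tunnel_port:=5300}
+: ${tunnel_forward:=8.8.4.4:53}
+}
+start_rules() {
+local ac_args
+if [ -n "$lan_ac_ip" ]; then
+case $lan_ac_mode in
+1) ac_args="w$lan_ac_ip"
+;;
+2) ac_args="b$lan_ac_ip"
+;;
+esac
+fi
+/usr/bin/ss-rules \
+-s "$server" \
+-l "$local_port" \
+-i "$ignore_list" \
+-a "$ac_args" \
+-b "$wan_bp_ip" \
+-w "$wan_fw_ip" \
+-e "$ipt_ext" \
+-o $udp
+return $?
+}
+start_redir() {
+service_start /usr/bin/ss-redir \
+-c "$CONFIG_FILE" $udp
+return $?
+}
+start_tunnel() {
+service_start /usr/bin/ss-tunnel \
+-c "$CONFIG_FILE" \
+-l "$tunnel_port" \
+-L "$tunnel_forward" \
+-u
+return $?
+}
+rules() {
+config_load shadowsocks-libev
+config_foreach get_config shadowsocks-libev
+[ "$enable" = 1 ] || exit 0
+[ "$udp_relay" = 1 ] && udp="-u"
+mkdir -p $(dirname $CONFIG_FILE)
+: ${server:?}
+: ${server_port:?}
+: ${local_port:?}
+: ${password:?}
+: ${encrypt_method:?}
+cat <<-EOF >$CONFIG_FILE
+{
+"server": "$server",
+"server_port": $server_port,
+"local_address": "0.0.0.0",
+"local_port": $local_port,
+"password": "$password",
+"timeout": $timeout,
+"method": "$encrypt_method"
+}
+EOF
+start_rules
+}
+boot() {
+until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
+sleep 1
+done
+start
+}
+start() {
+rules && start_redir
+[ "$tunnel_enable" = 1 ] && start_tunnel
+}
+stop() {
+/usr/bin/ss-rules -f
+service_stop /usr/bin/ss-redir
+service_stop /usr/bin/ss-tunnel
+rm -f $CONFIG_FILE
+}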
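Review bot: The JSON written on L171–L181 contains the proxy password in clear and is created under the inherited umask, so with the usual 022 it lands world-readable in /var/etc; set `umask 077` immediately before the `cat <<-EOF >$CONFIG_FILE` (the script runs as root, so ss-redir and ss-tunnel can still read it). The same heredoc interpolates `$timeout` unquoted with neither a default nor a `:?` guard, so an unset timeout yields `"timeout": ,`, invalid JSON the daemons will reject; add `: ${timeout:=60}` beside the defaults on L123–L124 (the conffile ships 60), and note that a password containing `"` or `\` will likewise corrupt the JSON since nothing escapes it. Separately, `boot()` on L184–L189 loops forever until a `zone_lan_prerouting` chain appears, so on a box whose firewall config has no lan zone this script would, as far as I can tell, never return and hold up whatever rc.common runs after it; a bounded retry that logs and gives up is safer.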
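--- /dev/null
+++ b/files/ss-rules
@@ -0,0 +1,203 @@
+#!/bin/sh
+usage() {
+cat <<-EOF
+Usage: ss-rules [options]
+Valid options are:
+-s <server_host> hostname or ip of shadowsocks remote server
+-l <local_port> port number of shadowsocks local server
+-i <ip_list_file> a file content is bypassed ip list
+-a <lan_ips> lan ip of access control, need a prefix to
+define access control mode
+-b <wan_ips> wan ip of will be bypassed
+-w <wan_ips> wan ip of will be forwarded
+-e <extra_options> extra options for iptables
+-o apply the rules to the OUTPUT chain
+-u enable udprelay mode, TPROXY is required
+-f flush the rules
+EOF
+}
+loger() {
+# 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
+logger -st ss-rules[$$] -p$1 $2
+}
+ipt_n="iptables -t nat"
+ipt_m="iptables -t mangle"
+flush_r() {
+local IPT
+IPT=$(iptables-save -t nat)
+eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/')
+for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+$ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1}
+done
+IPT=$(iptables-save -t mangle)
+eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/')
+for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+$ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1}
+done
+ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
+ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
+ipset -X ss_spec_lan_ac 2>/dev/null
+ipset -X ss_spec_wan_ac 2>/dev/null
+return 0
+}
+ipset_r() {
+ipset -! -R <<-EOF || return 1
+create ss_spec_wan_ac hash:net
+$(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
+$(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
+EOF
+$ipt_n -N SS_SPEC_WAN_AC && \
+$ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \
+$ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
+return $?
+}
+fw_rule() {
+$ipt_n -N SS_SPEC_WAN_FW && \
+$ipt_n -A SS_SPEC_WAN_FW -p tcp \
+-j REDIRECT --to-ports $LOCAL_PORT 2>/dev/null || {
+loger 3 "Can't redirect, please check the iptables."
+exit 1
+}
+return $?
+}
+ac_rule() {
+local TAG ROUTECHAIN
+if [ -n "$LAN_AC_IP" ]; then
+if [ "${LAN_AC_IP:0:1}" = "w" ]; then
+TAG="nomatch"
+else
+if [ "${LAN_AC_IP:0:1}" != "b" ]; then
+loger 3 "Bad argument \`-a $LAN_AC_IP\`."
+return 2
+fi
+fi
+fi
+ROUTECHAIN=PREROUTING
+if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then
+ROUTECHAIN=zone_lan_prerouting
+fi
+ipset -! -R <<-EOF || return 1
+create ss_spec_lan_ac hash:net
+$(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
+EOF
+$ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \
+-m set ! --match-set ss_spec_lan_ac src \
+-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+if [ "$OUTPUT" = 1 ]; then
+$ipt_n -A OUTPUT -p tcp $EXT_ARGS \
+-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+fi
+return $?
+}
+tp_rule() {
+[ "$TPROXY" = 1 ] || return 0
+ip rule add fwmark 0x01/0x01 table 100
+ip route add local 0.0.0.0/0 dev lo table 100
+$ipt_m -N SS_SPEC_TPROXY
+$ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \
+-j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
+$ipt_m -A PREROUTING -p udp $EXT_ARGS \
+-m set ! --match-set ss_spec_lan_ac src \
+-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
+return $?
+}
+while getopts ":s:l:c:i:e:a:b:w:ouf" arg; do
+case $arg in
+s)
+SERVER=$OPTARG
+;;
+l)
+LOCAL_PORT=$OPTARG
+;;
+i)
+IGNORE=$OPTARG
+;;
+e)
+EXT_ARGS=$OPTARG
+;;
+a)
+LAN_AC_IP=$OPTARG
+;;
+b)
+WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done)
+;;
+w)
+WAN_FW_IP=$OPTARG
+;;
+o)
+OUTPUT=1
+;;
+u)
+TPROXY=1
+;;
+f)
+flush_r
+exit 0
+;;
+esac
+done
+if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
+usage
+exit 2
+fi
+SERVER=$(resolveip -t60 $SERVER)
+if [ -z "$SERVER" ]; then
+loger 3 "Can't resolve the server hostname."
+exit 1
+fi
+if [ -f "$IGNORE" ]; then
+IGNORE_IP=$(cat $IGNORE 2>/dev/null)
+fi
+IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
+$SERVER
+0.0.0.0/8
+10.0.0.0/8
+100.64.0.0/10
+127.0.0.0/8
+169.254.0.0/16
+172.16.0.0/12
+192.0.0.0/24
+192.0.2.0/24
+192.88.99.0/24
+192.168.0.0/16
+198.18.0.0/15
+198.51.100.0/24
+203.0.113.0/24
+224.0.0.0/4
+240.0.0.0/4
+255.255.255.255
+$WAN_BP_IP
+$IGNORE_IP
+EOF
+)
+flush_r && fw_rule && ipset_r && ac_rule && tp_rule
+exit $?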
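Review bot: `flush_r` (L225–L244) builds its delete commands by piping `iptables-save` output through `sed` into `eval`, so any rule whose comment or argument text contains `_SS_SPEC_RULE_` together with shell metacharacters (a `$(…)` inside the double-quoted comment, for instance) is executed by the shell on every flush. Only root can insert iptables rules, so this is not a privilege boundary, but it is fragile against rules added by other packages or by hand, and a `read -r` loop that passes the rule spec straight to iptables avoids the shell re-parsing entirely (it assumes the comment and any `-e` extras contain no spaces, which holds for the rules this script itself adds). A second point: when `ipset -R` fails — e.g. a line in the `-i` ignore file such as `1.2.3.4 junk`, which the prefix-only grep on L353 lets through — `ipset_r` returns 1, the `&&` chain on L375 stops before `ac_rule`, and the script exits with no `loger` call, leaving no redirect installed and LAN traffic going direct with nothing in the log; add `loger 3 "ipset restore failed, rules not applied"` on that path. Finally, `${LAN_AC_IP:0:1}` on L268/L271 is a bash-style substring expansion that works in busybox ash only with bash compatibility compiled in (OpenWrt's default, as far as I know); a POSIX `case "$LAN_AC_IP" in w*) … ;; b*) … ;; esac` is portable.
```shell
flush_r() {
	local IPT spec
	IPT=$(iptables-save -t nat)
	# Delete our jump rules without eval: drop the leading "-A" and the
	# quotes iptables-save puts around the (space-free) comment argument.
	echo "$IPT" | grep "_SS_SPEC_RULE_" | sed -e 's/^-A //' -e 's/"//g' | \
		while read -r spec; do $ipt_n -D $spec; done
	for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
		$ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1}
	done
	IPT=$(iptables-save -t mangle)
	echo "$IPT" | grep "_SS_SPEC_RULE_" | sed -e 's/^-A //' -e 's/"//g' | \
		while read -r spec; do $ipt_m -D $spec; done
	# … unchanged: mangle chain cleanup, ip rule/route and ipset teardown …
}
```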