diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
index 307fac9d8..1b49b4991 100644
--- a/net/shadowsocks-libev/Makefile
+++ b/net/shadowsocks-libev/Makefile
@@ -14,7 +14,7 @@ include $(TOPDIR)/rules.mk
 #
 PKG_NAME:=shadowsocks-libev
 PKG_VERSION:=3.0.8
-PKG_RELEASE:=7
+PKG_RELEASE:=8
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
diff --git a/net/shadowsocks-libev/README.md b/net/shadowsocks-libev/README.md
index bb0545c51..ad81a021a 100644
--- a/net/shadowsocks-libev/README.md
+++ b/net/shadowsocks-libev/README.md
@@ -67,9 +67,11 @@ We can have multiple instances of component and `server` sections. The relation
 local_default [bypass], forward, checkdst
+Bool option `dst_forward_recentrst` requires iptables/netfilter `recent` match module (`opkg install iptables-mod-conntrack-extra`). When enabled, `ss-rules` will setup iptables rules to forward through `ss-redir` those packets whose destination have recently sent to us multiple tcp-rst.
+
 ss-rules uses kernel ipset mechanism for storing addresses/networks. Those ipsets are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin ipset support. For more details please read output of `ss-rules --help`
-Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Names are retained for backward compatibility coniderations
+Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Option names are retained in its current form for backward compatibility coniderations
 ## notes and faq
diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init
index 0142cc1d8..4226600d9 100644
--- a/net/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/net/shadowsocks-libev/files/shadowsocks-libev.init
@@ -147,6 +147,7 @@ ss_rules() {
 local bin="$ss_bindir/ss-rules"
 local cfgtype
 local local_port_tcp local_port_udp
+local args
 [ -x "$bin" ] || return 1
 config_get cfgtype "$cfg" TYPE
@@ -160,6 +161,7 @@ ss_rules() {
 eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
 [ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
 ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
+[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
 "$bin" \
 -s "$ss_redir_servers" \
@@ -177,6 +179,7 @@ ss_rules() {
 --src-checkdst "$src_ips_checkdst" \
 --ifnames "$ifnames" \
 --ipt-extra "$ipt_args" \
+$args \
 || "$bin" -f
 }
@@ -294,6 +297,7 @@ validate_ss_rules_section() {
 'src_default:or("bypass", "forward", "checkdst"):checkdst' \
 'dst_default:or("bypass", "forward"):bypass' \
 'local_default:or("bypass", "forward", "checkdst"):bypass' \
+'dst_forward_recentrst:bool:0' \
 'ifnames:list(maxlength(15))' \
 'ipt_args:string'
 }
diff --git a/net/shadowsocks-libev/files/ss-rules b/net/shadowsocks-libev/files/ss-rules
index 855ba9d31..d0de77a0b 100755
--- a/net/shadowsocks-libev/files/ss-rules
+++ b/net/shadowsocks-libev/files/ss-rules
@@ -33,6 +33,9 @@ Usage: ss-rules [options]
 --dst-forward-file
 --dst-default Same as with their --src-xx equivalent
+--dst-forward-recentrst
+Forward those packets whose destinations have recently
+sent to us multiple tcp-rst packets
 --local-default Default action for local out TCP traffic
@@ -94,6 +97,7 @@ ss_rules_parse_args() {
 --src-checkdst) o_src_checkdst="$2"; shift 2;;
 --dst-bypass) o_dst_bypass="$2"; shift 2;;
 --dst-forward) o_dst_forward="$2"; shift 2;;
+--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
 --dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
 --dst-forward-file) o_dst_forward_file="$2"; shift 2;;
 *) __errmsg "unknown option $1"; return 1;;
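Review bot: The enable test in the @160 hunk, `[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"`, turns the feature on for any value other than the literal `0`, including an empty string, so if ss_rules() is ever reached without validate_ss_rules_section having normalized the option (the @294 hunk declares it as `bool:0`, which presumably yields 0/1), the recentrst redirect would be enabled by default rather than disabled. Inverting the comparison fails closed while keeping the same shape: `[ "$dst_forward_recentrst" != 1 ] || args="$args --dst-forward-recentrst"`. `$args` in the @177 hunk is deliberately left unquoted so that it word-splits into separate options; a short comment at its declaration in the @147 hunk such as `# args: extra ss-rules options, intentionally expanded unquoted` would stop a later cleanup from quoting it and silently passing one empty argument. ss_rules() starts before and ends after these hunks.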
@@ -104,6 +108,10 @@ ss_rules_parse_args() {
 __errmsg "Requires at least -l or -L option"
 return 1
 fi
+if [ -n "$o_dst_forward_recentrst" ] && ! iptables -m recent -h >/dev/null; then
+__errmsg "Please install iptables-mod-conntrack-extra with opkg"
+return 1
+fi
 }
 ss_rules_flush() {
@@ -125,6 +133,7 @@ ss_rules_ipset_init() {
 create ss_rules_dst_bypass hash:net hashsize 64
 create ss_rules_dst_bypass_ hash:net hashsize 64
 create ss_rules_dst_forward hash:net hashsize 64
+create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
 $(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
 $(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
 $(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
@@ -151,8 +160,6 @@ ss_rules_iptchains_init() {
 ss_rules_iptchains_init_tcp() {
 local ipt="iptables -t nat"
 local local_target
-local forward_rules
-local r
 [ -n "$o_redir_tcp_port" ] || return 0
@@ -184,10 +191,22 @@ ss_rules_iptchains_init_() {
 local proto="$2"
 local forward_rules
 local src_default_target dst_default_target
+local recentrst_mangle_rules recentrst_addset_rules
 case "$proto" in
 tcp)
 forward_rules="-A ss_rules_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
+if [ -n "$o_dst_forward_recentrst" ]; then
+recentrst_mangle_rules="
+*mangle
+-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules_recentrst --set --rsource
+COMMIT
+"
+recentrst_addset_rules="
+-A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
+-A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward
+"
+fi
 ;;
 udp)
 ip rule add fwmark 1 lookup 100
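Review bot: The mangle rule built in the @184 hunk records the source address of every inbound TCP RST on every interface, and a RST carries no authentication, so whoever can deliver three RSTs within 3 s bearing a given source address causes that address to be added to ss_rules_dst_forward_recentrst_ and redirected through ss-redir for the next 3600 s (the ipset timeout from the @125 hunk); that is the intended heuristic, but the trust assumption and the reason for the 3/3/3600 values deserve a comment above `if [ -n "$o_dst_forward_recentrst" ]; then`, since nothing else in the script explains them. The xt_recent list is also bounded by the module's ip_list_tot parameter (100 entries by default), so a burst of RSTs from many sources evicts older entries before the `--rcheck` rule in ss_rules_dst can see them; restricting the PREROUTING rule to the WAN-facing interface(s) with `-i` would shrink both the eviction pressure and the set of hosts whose RSTs influence policy, or the limit should at least be documented. The @104 hunk probes only `-m recent`, while these rules additionally need the `SET` target from xt_set; presumably the existing `-m set` rules already make that module a dependency, but it is worth confirming. ss_rules_iptchains_init_() continues past the end of the hunk.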
@@ -204,7 +223,7 @@ ss_rules_iptchains_init_() {
 forward) dst_default_target=ss_rules_forward ;;
 bypass|*) dst_default_target=RETURN ;;
 esac
-iptables-restore --noflush <<-EOF
+sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore --noflush
 *$table
 :ss_rules_pre_src -
 :ss_rules_src -
@@ -219,9 +238,11 @@ ss_rules_iptchains_init_() {
 -A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
 -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
 -A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward
+$recentrst_addset_rules
 -A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
 $forward_rules
 COMMIT
+$recentrst_mangle_rules
 EOF
 }
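Review bot: `$recentrst_mangle_rules` in the @219 hunk places a rule directly in mangle PREROUTING at position 1 instead of inside an ss_rules_* chain, and `iptables-restore --noflush` in the @204 hunk never removes a previous copy, so whether a re-run or `ss-rules -f` cleans it up depends on how ss_rules_flush() (outside this chunk) locates rules; after a flush, `iptables-save -t mangle` should show no `ss_rules_recentrst` rule, because a leftover keeps the xt_recent list alive and a duplicate doubles every hit count. Creating a dedicated `ss_rules_recentrst` chain in the mangle table and jumping to it from PREROUTING would make the rule visible to the same chain-based cleanup as the nat rules and avoid placing it ahead of any user-configured PREROUTING rules. The new `sed` pre-processing relies on `\s` and `\+`, which are GNU extensions rather than POSIX BRE; whether busybox sed on a given libc accepts them should be checked, and `[[:space:]]` with `[[:space:]][[:space:]]*` is the portable spelling. The rule text is assembled in the @184 hunk and its trailing whitespace is what the `sed` pass strips, which is worth a one-line comment on the `sed` line.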