Diffstat (limited to 'net/shadowsocks-libev/files/ss-rules')
-rw-r--r--net/shadowsocks-libev/files/ss-rules/chain.uc122
-rw-r--r--net/shadowsocks-libev/files/ss-rules/set.uc113
-rw-r--r--net/shadowsocks-libev/files/ss-rules/ss-rules.uc8
3 files changed, 243 insertions, 0 deletions
diff --git a/net/shadowsocks-libev/files/ss-rules/chain.uc b/net/shadowsocks-libev/files/ss-rules/chain.uc
new file mode 100644
index 0000000..3047f16
--- /dev/null
+++ b/net/shadowsocks-libev/files/ss-rules/chain.uc
@@ -0,0 +1,122 @@
+{%
+function get_local_verdict() {
+ let v = o_local_default;
+ if (v == "checkdst") {
+ return "goto ss_rules_dst_" + proto;
+ } else if (v == "forward") {
+ return "goto ss_rules_forward_" + proto;
+ } else {
+ return null;
+ }
+}
+
+function get_src_default_verdict() {
+ let v = o_src_default;
+ if (v == "checkdst") {
+ return "goto ss_rules_dst_" + proto;
+ } else if (v == "forward") {
+ return "goto ss_rules_forward_" + proto;
+ } else {
+ return "accept";
+ }
+}
+
+function get_dst_default_verdict() {
+ let v = o_dst_default;
+ if (v == "forward") {
+ return "goto ss_rules_forward_" + proto;
+ } else {
+ return "accept";
+ }
+}
+
+function get_ifnames() {
+ let res = [];
+ for (let ifname in split(o_ifnames, /[ \t\n]/)) {
+ ifname = trim(ifname);
+ if (ifname) push(res, ifname);
+ }
+ return res;
+}
+
+let type, hook, priority, redir_port;
+if (proto == "tcp") {
+ type = "nat";
+ hook = "prerouting";
+ priority = -1;
+ redir_port = o_redir_tcp_port;
+} else if (proto == "udp") {
+ type = "filter";
+ hook = "prerouting";
+ priority = "mangle";
+ redir_port = o_redir_udp_port;
+ if (system("
+ set -o errexit
+ iprr() {
+ while ip $1 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+ ip $1 rule add fwmark 1 lookup 100
+ ip $1 route flush table 100 2>/dev/null || true
+ ip $1 route add local default dev lo table 100
+ }
+ iprr -4
+ iprr -6
+ ") != 0) {
+ return ;
+ }
+} else {
+ return;
+}
+
+%}
+{% if (redir_port): %}
+
+chain ss_rules_pre_{{ proto }} {
+ type {{ type }} hook {{ hook }} priority {{ priority }};
+ meta l4proto {{ proto }}{%- let ifnames=get_ifnames(); if (length(ifnames)): %} iifname { {{join(", ", ifnames)}} }{% endif %} goto ss_rules_pre_src_{{ proto }};
+}
+
+chain ss_rules_pre_src_{{ proto }} {
+ ip daddr @ss_rules_dst_bypass_ accept;
+ ip6 daddr @ss_rules6_dst_bypass_ accept;
+ goto ss_rules_src_{{ proto }};
+}
+
+chain ss_rules_src_{{ proto }} {
+ ip saddr @ss_rules_src_bypass accept;
+ ip saddr @ss_rules_src_forward goto ss_rules_forward_{{ proto }};
+ ip saddr @ss_rules_src_checkdst goto ss_rules_dst_{{ proto }};
+ ip6 saddr @ss_rules6_src_bypass accept;
+ ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_{{ proto }};
+ ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_{{ proto }};
+ {{ get_src_default_verdict() }};
+}
+
+chain ss_rules_dst_{{ proto }} {
+ ip daddr @ss_rules_dst_bypass accept;
+ ip daddr @ss_rules_dst_forward goto ss_rules_forward_{{ proto }};
+ ip6 daddr @ss_rules6_dst_bypass accept;
+ ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_{{ proto }};
+ {{ get_dst_default_verdict() }};
+}
+
+{% if (proto == "tcp"): %}
+chain ss_rules_forward_{{ proto }} {
+ meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
+}
+{% let local_verdict = get_local_verdict(); if (local_verdict): %}
+chain ss_rules_local_out {
+ type {{ type }} hook output priority -1;
+ meta l4proto != tcp accept;
+ ip daddr @ss_rules_dst_bypass_ accept;
+ ip daddr @ss_rules_dst_bypass accept;
+ ip6 daddr @ss_rules6_dst_bypass_ accept;
+ ip6 daddr @ss_rules6_dst_bypass accept;
+ {{ local_verdict }};
+}
+{% endif %}
+{% elif (proto == "udp"): %}
+chain ss_rules_forward_{{ proto }} {
+ meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
+}
+{% endif %}
+{% endif %}
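Review bot: The bare `return;` after the `system()` call in the UDP branch abandons the whole UDP ruleset silently when the policy-routing setup fails, so the only visible symptom is a generated ruleset with no ss_rules_*_udp chains; a diagnostic such as `warn("ss-rules: failed to set up fwmark policy routing for UDP tproxy\n");` before the return would make that failure findable. Because the shell runs with `set -o errexit`, a failing `iprr -6` (for instance on a host without IPv6 routing) presumably also takes the IPv4 UDP setup down with it, which may not be intended. The mark and table numbers in that shell snippet are coupled to `meta mark set 1` in ss_rules_forward_udp further down; a comment like `// fwmark 1 / table 100 must match "meta mark set 1" in ss_rules_forward_udp` at the iprr() definition would record that dependency. Finally, `o_nft_tcp_extra` and `o_nft_udp_extra` are spliced into the ruleset verbatim; that looks like a deliberate escape hatch, so a one-line comment stating these options are trusted nft syntax from configuration would save the next reader from hunting for an escaping step.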
diff --git a/net/shadowsocks-libev/files/ss-rules/set.uc b/net/shadowsocks-libev/files/ss-rules/set.uc
new file mode 100644
index 0000000..5947f6c
--- /dev/null
+++ b/net/shadowsocks-libev/files/ss-rules/set.uc
@@ -0,0 +1,113 @@
+{%
+let fs = require("fs");
+
+let o_dst_bypass4_ = "
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.31.196.0/24
+ 192.52.193.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 192.175.48.0/24
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+";
+let o_dst_bypass6_ = "
+ ::1/128
+ ::/128
+ ::ffff:0:0/96
+ 64:ff9b:1::/48
+ 100::/64
+ fe80::/10
+ 2001::/23
+ fc00::/7
+";
+let o_dst_bypass_ = o_dst_bypass4_ + " " + o_dst_bypass6_;
+
+let set_suffix = {
+ "src_bypass": {
+ str: o_src_bypass,
+ },
+ "src_forward": {
+ str: o_src_forward,
+ },
+ "src_checkdst": {
+ str: o_src_checkdst,
+ },
+ "dst_bypass": {
+ str: o_dst_bypass,
+ file: o_dst_bypass_file,
+ },
+ "dst_bypass_": {
+ str: o_dst_bypass_,
+ },
+ "dst_forward": {
+ str: o_dst_forward,
+ file: o_dst_forward_file,
+ },
+ "dst_forward_rrst_": {},
+};
+
+function set_name(suf, af) {
+ if (af == 4) {
+ return "ss_rules_"+suf;
+ } else {
+ return "ss_rules6_"+suf;
+ }
+}
+
+function set_elements_parse(res, str, af) {
+ for (let addr in split(str, /[ \t\n]/)) {
+ addr = trim(addr);
+ if (!addr) continue;
+ if (af == 4 && index(addr, ":") != -1) continue;
+ if (af == 6 && index(addr, ":") == -1) continue;
+ push(res, addr);
+ }
+}
+
+function set_elements(suf, af) {
+ let obj = set_suffix[suf];
+ let res = [];
+ let addr;
+
+ let str = obj["str"];
+ if (str) {
+ set_elements_parse(res, str, af);
+ }
+
+ let file = obj["file"];
+ if (file) {
+ let fd = fs.open(file);
+ if (fd) {
+ str = fd.read("all");
+ set_elements_parse(res, str, af);
+ }
+ }
+
+ return res;
+}
+%}
+
+{% for (let suf in set_suffix): for (let af in [4, 6]): %}
+set {{ set_name(suf, af) }} {
+ type ipv{{af}}_addr;
+ flags interval;
+{% let elems = set_elements(suf, af); if (length(elems)): %}
+ elements = {
+{% for (let i = 0; i < length(elems); i++): %}
+ {{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %}
+{% endfor %}
+ }
+{% endif %}
+}
+{% endfor; endfor %}
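Review bot: set_elements never closes the handle returned by `fs.open(file)` and silently skips the file when open fails, so a misspelled `dst_bypass_file` or `dst_forward_file` yields a ruleset missing those entries with no indication why. I would release the handle right after reading, `str = fd.read("all"); fd.close();`, and report the failure on the other branch, `else warn("ss-rules: cannot open " + file + ": " + fs.error() + "\n");`. The `let addr;` declaration at the top of set_elements is unused and can be dropped. It would also help to document at set_suffix that entries without `str`/`file` (here `dst_forward_rrst_`) intentionally produce an empty set that is populated elsewhere, since nothing in these files adds elements to it.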
diff --git a/net/shadowsocks-libev/files/ss-rules/ss-rules.uc b/net/shadowsocks-libev/files/ss-rules/ss-rules.uc
new file mode 100644
index 0000000..f3955b2
--- /dev/null
+++ b/net/shadowsocks-libev/files/ss-rules/ss-rules.uc
@@ -0,0 +1,8 @@
+{%
+
+include("set.uc");
+include("chain.uc", {proto: "tcp"});
+include("chain.uc", {proto: "udp"});
+
+%}
+