author | Yousong Zhou <yszhou4tech@gmail.com> | 2019-01-18 06:42:21 +0000 |
---|---|---|
committer | Yousong Zhou <yszhou4tech@gmail.com> | 2019-01-21 15:19:32 +0800 |
commit | 5fd46871643f0dcf9790c1c9136ca28d388ed307 (patch) | |
tree | 5dcb62b0138baf9df9fbdcbbf35e3a50b4408ac1 /net/shadowsocks-libev/files | |
parent | 1f4a6d29a12691ba8c9c0ea8815c632d6225b0ae (diff) |
shadowsocks-libev: ss-rules: add ipv6 support
It will require support from ip6tables-mod-nat. The added functionality
will be skipped otherwise.
For $o_dst_bypass6_, include only the address blocks from the registry in link [1] whose
"Globally Reachable" field is explicitly "False"
Closes openwrt/packages#7508
[1] IANA IPv6 Special-Purpose Address Registry,
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Diffstat (limited to 'net/shadowsocks-libev/files')
-rw-r--r-- | net/shadowsocks-libev/files/shadowsocks-libev.init | 19 | ||||
-rwxr-xr-x | net/shadowsocks-libev/files/ss-rules | 96 |
2 files changed, 77 insertions, 38 deletions
diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init index 22d825d0b..23cb873cc 100644 --- a/net/shadowsocks-libev/files/shadowsocks-libev.init +++ b/net/shadowsocks-libev/files/shadowsocks-libev.init @@ -157,7 +157,12 @@ ss_rules() { ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)" [ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst" - "$bin" \ + ss_rules_call + ss_rules_call -6 +} + +ss_rules_call() { + "$bin" "$@" \ -s "$ss_redir_servers" \ -l "$local_port_tcp" \ -L "$local_port_udp" \ @@ -174,7 +179,7 @@ ss_rules() { --ifnames "$ifnames" \ --ipt-extra "$ipt_args" \ $args \ - || "$bin" -f + || "$bin" "$@" -f } start_service() { @@ -280,13 +285,13 @@ validate_ss_rules_section() { 'disabled:bool:0' \ 'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \ 'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \ - 'src_ips_bypass:or(ip4addr,cidr4)' \ - 'src_ips_forward:or(ip4addr,cidr4)' \ - 'src_ips_checkdst:or(ip4addr,cidr4)' \ + 'src_ips_bypass:or(ipaddr,cidr)' \ + 'src_ips_forward:or(ipaddr,cidr)' \ + 'src_ips_checkdst:or(ipaddr,cidr)' \ 'dst_ips_bypass_file:file' \ - 'dst_ips_bypass:or(ip4addr,cidr4)' \ + 'dst_ips_bypass:or(ipaddr,cidr)' \ 'dst_ips_forward_file:file' \ - 'dst_ips_forward:or(ip4addr,cidr4)' \ + 'dst_ips_forward:or(ipaddr,cidr)' \ 'src_default:or("bypass", "forward", "checkdst"):checkdst' \ 'dst_default:or("bypass", "forward"):bypass' \ 'local_default:or("bypass", "forward", "checkdst"):bypass' \ diff --git a/net/shadowsocks-libev/files/ss-rules b/net/shadowsocks-libev/files/ss-rules index b0a30606e..3d7bcdce3 100755 --- a/net/shadowsocks-libev/files/ss-rules +++ b/net/shadowsocks-libev/files/ss-rules 
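Review bot: ss_rules() now ends with `ss_rules_call -6`, so its exit status is that of the IPv6 leg, and that leg's fallback `|| "$bin" "$@" -f` runs `ss-rules -6 -f`, which on a router without ip6tables NAT fails for the same reason as the first call; the IPv4 rules are installed but the function still reports failure, and the skip warning appears twice per start. If the IPv6 leg is meant to be best-effort (as the commit message says), either make ss-rules exit 0 when it skips, or keep the init side tolerant with `ss_rules_call -6 || true` and a comment such as `# IPv6 is optional: ss-rules skips it when ip6tables-mod-nat is missing`. The opening of ss_rules() is outside the hunk, so I cannot see whether any caller inspects its status.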
@@ -8,10 +8,24 @@ # See /LICENSE for more information. # +__errmsg() { + echo "ss-rules: $*" >&2 +} + +if [ "$1" = "-6" ]; then + if ! ip6tables -t nat -L -n >/dev/null; then + __errmsg "Skipping ipv6. Please install ip6tables-mod-nat" + exit 1 + fi + o_use_ipv6=1; shift +fi + ss_rules_usage() { cat >&2 <<EOF Usage: ss-rules [options] + -6 Operate on address family IPv6 + When present, must be the first argument -h, --help Show this help message then exit -f, --flush Flush rules, ipset then exit -l <port> Local port number of ss-redir with TCP mode @@ -50,7 +64,7 @@ populated by other programs like dnsmasq with ipset support EOF } -o_dst_bypass_=" +o_dst_bypass4_=" 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 @@ -71,13 +85,33 @@ o_dst_bypass_=" 240.0.0.0/4 255.255.255.255 " +o_dst_bypass6_=" + ::1/128 + ::/128 + ::ffff:0:0/96 + 64:ff9b:1::/48 + 100::/64 + 2001:2::/48 + 2001:db8::/32 + fe80::/10 + 2001::/23 + fc00::/7 +" o_src_default=bypass o_dst_default=bypass o_local_default=bypass -__errmsg() { - echo "ss-rules: $*" >&2 -} +alias grep_af="sed -nre '/^([0-9]+\.){3}[0-9]+$/p'" +o_dst_bypass_="$o_dst_bypass4_" +if [ -n "$o_use_ipv6" ]; then + alias grep_af="sed -ne /:/p" + alias iptables=ip6tables + alias iptables-save=ip6tables-save + alias iptables-restore=ip6tables-restore + alias ip="ip -6" + o_af=6 + o_dst_bypass_="$o_dst_bypass6_" +fi ss_rules_parse_args() { while [ "$#" -gt 0 ]; do @@ -109,10 +143,10 @@ ss_rules_parse_args() { return 1 fi if [ -n "$o_dst_forward_recentrst" ] && ! iptables -m recent -h >/dev/null; then - __errmsg "Please install iptables-mod-conntrack-extra with opkg" + __errmsg "Please install iptables-mod-conntrack-extra" return 1 fi - o_remote_servers="$(for s in $o_remote_servers; do resolveip -4 "$s"; done)" + o_remote_servers="$(for s in $o_remote_servers; do resolveip "$s" | grep_af; done)" } ss_rules_flush() { 
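Review bot: The probe `ip6tables -t nat -L -n >/dev/null` leaves stderr attached, so on a system without ip6tables-mod-nat the raw ip6tables error is printed immediately before the friendlier "Skipping ipv6" message, and `exit 1` turns what the commit message calls a skip into a failure that the init script answers by re-invoking `ss-rules -6 -f`, which trips the same probe again. If skipping is the intended outcome, `if ! ip6tables -t nat -L -n >/dev/null 2>&1; then` together with `exit 0` matches the description; if it should stay an error, the caller must stop treating `-6` failures as a reason to flush. A comment above the block stating which it is, e.g. `# IPv6 NAT needs ip6tables-mod-nat; skip (do not fail) when the nat table is unavailable`, would settle the question for the next reader.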
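Review bot: The IPv4 `grep_af` alias, `sed -nre '/^([0-9]+\.){3}[0-9]+$/p'`, anchors on a bare dotted quad, so once ss_rules_ipset_mkadd pipes every entry through it, each CIDR entry — the whole of `o_dst_bypass4_` (`10.0.0.0/8`, `192.168.0.0/16`, …) and any `src_ips_*`/`dst_ips_*` value given as a prefix — is silently discarded, leaving only `255.255.255.255` and the resolved server addresses in `ss_rules_dst_bypass_`; in the default IPv4 run that sends RFC 1918 and other local destinations to the proxy instead of bypassing them. The pattern needs an optional prefix length: `alias grep_af="sed -nre '/^([0-9]+\.){3}[0-9]+(\/[0-9]+)?$/p'"`. Separately, `o_dst_bypass6_` has no counterpart to the IPv4 `224.0.0.0/4` entry: `ff00::/8` is absent because it lives in the multicast registry rather than the special-purpose registry the commit message cites, yet multicast destinations (mDNS/SSDP/LLMNR on ff02::) will otherwise hit the same redirect rules unless they are excluded somewhere not shown here, so add `ff00::/8` with a comment noting its source.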
@@ -121,26 +155,26 @@ ss_rules_flush() { iptables-save --counters | grep -v ss_rules_ | iptables-restore --counters while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done ip route flush table 100 - for setname in $(ipset -n list | grep "ss_rules_"); do + for setname in $(ipset -n list | grep "ss_rules${o_af}_"); do ipset destroy "$setname" 2>/dev/null || true done } ss_rules_ipset_init() { ipset --exist restore <<-EOF - create ss_rules_src_bypass hash:net hashsize 64 - create ss_rules_src_forward hash:net hashsize 64 - create ss_rules_src_checkdst hash:net hashsize 64 - create ss_rules_dst_bypass hash:net hashsize 64 - create ss_rules_dst_bypass_ hash:net hashsize 64 - create ss_rules_dst_forward hash:net hashsize 64 - create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600 - $(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers") - $(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass") - $(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward") - $(ss_rules_ipset_mkadd ss_rules_src_checkdst "$o_src_checkdst") - $(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)") - $(ss_rules_ipset_mkadd ss_rules_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)") + create ss_rules${o_af}_src_bypass hash:net family inet$o_af hashsize 64 + create ss_rules${o_af}_src_forward hash:net family inet$o_af hashsize 64 + create ss_rules${o_af}_src_checkdst hash:net family inet$o_af hashsize 64 + create ss_rules${o_af}_dst_bypass hash:net family inet$o_af hashsize 64 + create ss_rules${o_af}_dst_bypass_ hash:net family inet$o_af hashsize 64 + create ss_rules${o_af}_dst_forward hash:net family inet$o_af hashsize 64 + create ss_rules${o_af}_dst_forward_rrst_ hash:ip family inet$o_af hashsize 8 timeout 3600 + $(ss_rules_ipset_mkadd ss_rules${o_af}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers") + $(ss_rules_ipset_mkadd ss_rules${o_af}_src_bypass "$o_src_bypass") + 
$(ss_rules_ipset_mkadd ss_rules${o_af}_src_forward "$o_src_forward") + $(ss_rules_ipset_mkadd ss_rules${o_af}_src_checkdst "$o_src_checkdst") + $(ss_rules_ipset_mkadd ss_rules${o_af}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)") + $(ss_rules_ipset_mkadd ss_rules${o_af}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)") EOF } @@ -149,8 +183,8 @@ ss_rules_ipset_mkadd() { local i for i in $*; do - echo "add $setname $i" - done + echo "$i" + done | grep_af | sed -e "s/^/add $setname /" } ss_rules_iptchains_init() { @@ -175,7 +209,7 @@ ss_rules_iptchains_init_tcp() { *nat :ss_rules_local_out - -I OUTPUT 1 -p tcp -j ss_rules_local_out - -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN + -A ss_rules_local_out -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN -A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default" COMMIT EOF @@ -203,8 +237,8 @@ ss_rules_iptchains_init_() { COMMIT " recentrst_addset_rules=" - -A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist - -A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward + -A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules${o_af}_dst_forward_rrst_ dst --exist + -A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward_rrst_ dst -j ss_rules_forward " fi ;; 
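Review bot: `ss_rules_dst_forward_recentrst_` becomes `ss_rules${o_af}_dst_forward_rrst_` and its `hashsize 64` becomes `8` with no explanation in the hunk; the rename is presumably forced by ipset's set-name length limit once the family digit is inserted (`ss_rules6_dst_forward_recentrst_` is 32 characters), but a reader will not reconstruct that. A comment above the create line, e.g. `# rrst_ abbreviates recentrst_: ipset set names are limited to 31 characters`, keeps the reason with the code. It is also worth a one-line comment in ss_rules_flush that `grep "ss_rules${o_af}_"` with empty o_af matches only the IPv4 `ss_rules_*` sets, since the per-family set names are the only thing preventing the two flush passes from destroying each other's sets.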
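Review bot: After this change an entry that matches neither family pattern is dropped silently by `grep_af` (`sed -n` prints only matches) rather than surfacing as an `ipset restore` error, so a malformed line in `dst_ips_bypass_file` — which the init validator checks only as `file`, not by content — now quietly removes a bypass instead of failing loudly. Because the filter's job is to split a mixed-family list, a lost entry is indistinguishable here from a legitimately other-family one; consider validating file contents against ipaddr/cidr before they reach this function, or at least state the behaviour above the pipeline, e.g. `# keep only entries of the current address family; anything unparsable is dropped silently`.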
@@ -230,14 +264,14 @@ ss_rules_iptchains_init_() { :ss_rules_dst - :ss_rules_forward - $(ss_rules_iptchains_mkprerules "$proto") - -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN + -A ss_rules_pre_src -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN -A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src - -A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN - -A ss_rules_src -m set --match-set ss_rules_src_forward src -j ss_rules_forward - -A ss_rules_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_dst + -A ss_rules_src -m set --match-set ss_rules${o_af}_src_bypass src -j RETURN + -A ss_rules_src -m set --match-set ss_rules${o_af}_src_forward src -j ss_rules_forward + -A ss_rules_src -m set --match-set ss_rules${o_af}_src_checkdst src -j ss_rules_dst -A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default" - -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN - -A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward + -A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_bypass dst -j RETURN + -A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward dst -j ss_rules_forward $recentrst_addset_rules -A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default" $forward_rules |