| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
| |
Link: https://github.com/openwrt/packages/pull/19872
Signed-off-by: Li Xin <i@crzidea.com>
(squash commits)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Remove nft rules file generated by ss-rules if ss-rules was or should be
turned off for by configuration. Use "fw4 restart" instead of "fw4
reload" to force the runtime rule reloading
Ref: https://github.com/openwrt/packages/pull/17937#issuecomment-1207357037
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
Supersedes: https://github.com/openwrt/packages/pull/18852
Fixes: https://github.com/openwrt/packages/issues/18850
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
Link: https://github.com/openwrt/packages/issues/18393
Reported-by: Huangbin Zhan <zhanhb88@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To add extra statement to tcp/udp forward rule, example:
```
config ss_rules 'ss_rules'
...
option nft_tcp_extra 'tcp dport { 80, 443 }' # tcp only forward connections with dport 80 or 443
option nft_udp_extra 'udp dport { 53 }' # udp only forward connections with dport 53
```
This somewhat restores the old ipt_args functionality.
Signed-off-by: Zhong Jianxin <azuwis@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(Amend README.md a bit)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It will be mostly implemented with ucode templates installed at
/usr/share/ss-rules and called from init script. The generated nftables
rules will be stored at /etc/nftables.d/
Incompatible changes were introduced as described in the README.md file
- Netfilter ipset was replaced with nftables sets
- UCI options ipt_args and dst_forward_recentrst of section ss_rules
are now deprecated. The former does not apply to nftables. The
later not yet implemented with nftables.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
ss-rules with iptables needs presence of netfilter nat table to work.
ss-rules works before without explicitly requesting it as a dependency
because it's present by default on a pre-firewall4/nftables OpenWrt
install. We request it explicitly now to make life easier in case
people would like to try ss-rules/iptables on firewall4/nftables enabled
OpenWrt system
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
Patch removed because the relevant code was removed upstream
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment ss-server seems to be the only component using these two
options. It also accepts "local_address" of either ip4 or ip6 address,
but the meaning is different from that of ss-local, ss-tunnel etc.
where it is for listen bind
With this commit, we start deprecation process of uci option
"bind_address". The name was replaced with "local_addr" in upstream
project commit 5fa98a66 ("Fix #1911") and available as json config
option "local_address". This upstream change was released in 3.2.0
Link: https://github.com/shadowsocks/shadowsocks-libev/commit/4a42da641b6e0039497998614e84c94205939c24
Link: https://github.com/openwrt/packages/issues/12931
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
| |
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux kernel and iproute2 together now implement strict checking of the
existence of route tables.
Previously kernel does not support filtering by table id, now it does
and will error with nlmsgerr "ipv4: FIB table does not exist".
Previously iproute2 dump all routes and filter by table id in userspace,
now this has changed with iproute2 commit c7e6371bc4af ("ip route: Add
protocol, table id and device to dump request")
Error scene
root@OpenWrt:/# ip route flush table 100
Error: ipv4: FIB table does not exist.
Flush terminated
root@OpenWrt:/# echo $?
2
Fixes: https://github.com/openwrt/packages/issues/12095
Ref: https://lists.openwall.net/netdev/2019/05/02/105
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
| |
The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
| |
|
|
|
|
|
| |
This should fix openwrt/packages#9346 ("shadowsocks-libev: undefined
behavior from unaligned access")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
| |
The most notable change was that socket data buffer has been increased
from 2KB to 16KB
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Use link-time optimization and --gc-sections --as-needed ldflags
Reduces ipk size by 20%
Remove unnecessary dependencies
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Plugin options are properties of shadowsocks deployment as a whole,
including both server and each client components. Multiple client
instances accessing the same server will need to share the same plugin
settings
With this change, plugin options will need to specified to "server" and
"ss-server" section, not to each component section.
Fixes: c19e949 ("shadowsocks-libev: add plugin options support")
Reference: https://github.com/openwrt/packages/issues/8903#issuecomment-489674137
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
| |
Reference: https://github.com/openwrt/packages/issues/8903
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
| |
It was introduced in 3.1.0 as a command line argument and was part of
the json config since 3.1.1
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
As suggested by Jeffery To in openwrt/packages#8233
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
"-6" has to be the first argument
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
| |
- quash errors on detection of ipv6 nat
- remove unnecessary rule args "--comment ..." and "-p ..."
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
| |
Fixes issue reported in openwrt/luci#2527
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It will require support from ip6tables-mod-nat. The added functionality
will be skipped otherwise.
For $o_dst_bypass6_, include only address blocks in link [1] whose
"Globally Reachable" field are explicitly "False"
Closes openwrt/packages#7508
[1] IANA IPv6 Special-Purpose Address Registry,
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
| |
A short while after 3.2.2 was tagged, it was superseded by 3.2.3 with a
minor fix for aligned memory allocation for 32-bit arch
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Changes summarized by upstream maintainer
* Add MinGW support by @linusyang.
* Refine c-ares integration by @xnoreq.
* Fix building issues with GCC8 by @FlyingheartCN.
* Minor bug fixes.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes since 3.1.2
afce1b3 eliminate timered delay between handshake and data stream #1572
539bf6e sni in redir removed and no disable_sni option #1876
1d94442..29ff5d3 udprelay fix (no idea what's the problem...) #1883
Now disable_sni=true is the default. Existing uci configs setting it
will be a nop
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
| |
It's an option that is supposed to be fed by ss-manager. It can be
in the form of host:port or path to unix dgram socket. Drop it now with
the assumption that it has no real user at the moment
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes since 3.1.1
- 57ab828 fix possible use-after-free in ss-server
- 65e9d23 filter through acl first before doing sni detection
- b26cbc2 another attack on null ref
- d237a05 udprelay: fix off-by-one bug
- 0c3cf8b fix runtime TFO detection
- d445ea9 Linux 4.11 TFO socket option support
|
| |
|
|
|
|
|
|
|
| |
--no-delay is a new cmdline argument introduced in 3.1.0 to NOT turn off
TCP_NODELAY socket option, i.e. keeping it's default value without
setting it explicitly. This can be potentially useful for interactive
traffics
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Notable changes since 3.1.0
26ae365: fix possible socks5 exchange corruption caused by bad
state transition when parsing responses
f19a96e: fix segfault when presented with config {"mode": null}
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Notable changes since 3.0.8
ede744a: depends on libcares now instead of libudns
1c64829: new cmdline option --no-delay for not turning off TCP_NODELAY
9201619: ss-local: check if client supports socks5 protocol and no-auth-required method
f8283fc: Fix potential buffer overflow when parsing json config
380fddb: redir: fix conversion from DSCP to ToS
The two patches are now in the offical repo
|
| | |
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
ipset command line utility supports ranges of address: IP-IP, but the
dash character is also valid character in host names. If we have a
remote server ss-00.example.com, ipset may complain that
ipset v6.32: Syntax error: cannot parse ss: resolving to IPv4 address failed
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
ubox 'list' type is for validating multiple elements separated by
tabs/whitespaces in a single value. E.g. The following should not be
accepted
list src_ip_bypass '1.2.3.4 4.3.2.1'
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|