zhao/openwrt_helloworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🎄 Sync 2026-01-31 03:15:58
All checks were successful
openwrt_helloworld / Update openwrt_helloworld (openwrt-25.12) (push) Successful in 27s
Details

Browse Source
This commit is contained in:
Xiaokailnol
2026-01-31 03:15:58 +00:00
parent e6141ee20a
commit 3a983ab130
17 changed files with 85670 additions and 338 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
daed/Makefile Normal file
View File

@@ -0,0 +1,140 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2023 ImmortalWrt.org
include $(TOPDIR)/rules.mk
PKG_NAME:=daed
PKG_VERSION:=1.21.1
PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/daeuniverse/daed.git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_MIRROR_HASH:=9839ee2d8b968bcdd1ae599e8dc11e43df13bc2e667c59b8f64ee78e5bd8059d
PKG_LICENSE:=AGPL-3.0-only MIT
PKG_LICENSE_FILES:=LICENSE wing/LICENSE
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)/wing
PKG_BUILD_DEPENDS:=golang/host bpf-headers
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16
ifeq ($(ARCH),arm)
PATCH_DIR:=patches_arm
endif
GO_PKG:=github.com/daeuniverse/dae-wing
GO_PKG_LDFLAGS:= \
-X '$(GO_PKG)/db.AppDescription=$(PKG_NAME) is a integration solution of dae, API and UI.'
GO_PKG_LDFLAGS_X= \
$(GO_PKG)/db.AppName=$(PKG_NAME) \
$(GO_PKG)/db.AppVersion=$(PKG_VERSION)
GO_PKG_TAGS:=embedallowed,trace
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/bpf.mk
include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk
TAR_CMD=$(HOST_TAR) -C $(BUILD_DIR)/ $(TAR_OPTIONS)
define Package/daed/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Web Servers/Proxies
URL:=https://github.com/daeuniverse/daed
endef
define Package/daed
$(call Package/daed/Default)
TITLE:=A Modern Dashboard For dae
# You need enable KERNEL_DEBUG_INFO_BTF and KERNEL_BPF_EVENTS
DEPENDS:=$(GO_ARCH_DEPENDS) $(BPF_DEPENDS) \
+ca-bundle +kmod-sched-core +kmod-sched-bpf +kmod-xdp-sockets-diag \
+kmod-veth +v2ray-geoip +v2ray-geosite
endef
define Package/daed/description
daed is a backend of dae, provides a method to bundle arbitrary
frontend, dae and geodata into one binary.
endef
define Package/daed/conffiles
/etc/daed/wing.db
/etc/config/daed
endef
WEB_FILE:=$(PKG_NAME)-web-$(PKG_VERSION).zip
define Download/daed-web
URL:=https://github.com/daeuniverse/daed/releases/download/v$(PKG_VERSION)
URL_FILE:=web.zip
FILE:=$(WEB_FILE)
HASH:=ffba0f8b5e9411ad0da10349dfaab2336922d47cd5effd81163ce4415b4d84d7
endef
define Build/Prepare
$(call Build/Prepare/Default)
( \
mkdir -p $(PKG_BUILD_DIR)/webrender ; \
unzip -q -d $(PKG_BUILD_DIR)/webrender/ $(DL_DIR)/$(WEB_FILE) ; \
find $(PKG_BUILD_DIR)/webrender/web -type f -size +4k ! -name "*.gz" ! -name "*.woff" ! -name "*.woff2" -exec sh -c '\
gzip -9 -k "{}"; \
if [ "$$$$(stat -c %s "{}")" -lt "$$$$(stat -c %s "{}.gz")" ]; then \
rm "{}.gz"; \
else \
rm "{}"; \
fi' \
";" ; \
)
endef
DAE_CFLAGS:= \
-O2 -Wall -Werror \
-DMAX_MATCH_SET_LEN=1024 \
-I$(BPF_HEADERS_DIR)/tools/lib \
-I$(BPF_HEADERS_DIR)/arch/$(BPF_KARCH)/include/asm/mach-generic
ifneq ($(CONFIG_USE_MUSL),)
TARGET_CFLAGS += -D_LARGEFILE64_SOURCE
endif
define Build/Compile
( \
pushd $(PKG_BUILD_DIR) ; \
export \
$(GO_GENERAL_BUILD_CONFIG_VARS) \
$(GO_PKG_BUILD_CONFIG_VARS) \
$(GO_PKG_BUILD_VARS) ; \
go generate ./... ; \
cd dae-core ; \
export \
BPF_CLANG="$(CLANG)" \
BPF_STRIP_FLAG="-strip=$(LLVM_STRIP)" \
BPF_CFLAGS="$(DAE_CFLAGS)" \
BPF_TARGET="bpfel,bpfeb" \
BPF_TRACE_TARGET="$(GO_ARCH)" ; \
go generate control/control.go ; \
go generate trace/trace.go ; \
popd ; \
$(call GoPackage/Build/Compile) ; \
)
endef
define Package/daed/install
$(call GoPackage/Package/Install/Bin,$(PKG_INSTALL_DIR))
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dae-wing $(1)/usr/bin/daed
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) $(CURDIR)/files/daed.config $(1)/etc/config/daed
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) $(CURDIR)/files/daed.init $(1)/etc/init.d/daed
endef
$(eval $(call Download,daed-web))
$(eval $(call GoBinPackage,daed))
$(eval $(call BuildPackage,daed))

7
daed/files/daed.config Normal file
View File

@@ -0,0 +1,7 @@
config daed 'config'
option enabled '0'
option listen_addr '0.0.0.0:2023'
option log_maxbackups '1'
option log_maxsize '5'

47
daed/files/daed.init Normal file
View File

@@ -0,0 +1,47 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2023 Tianling Shen <cnsztl@immortalwrt.org>
USE_PROCD=1
START=99
CONF="daed"
PROG="/usr/bin/daed"
LOG="/var/log/daed/daed.log"
start_service() {
config_load "$CONF"
local enabled
config_get_bool enabled "config" "enabled" "0"
[ "$enabled" -eq "1" ] || return 1
local listen_addr log_maxbackups log_maxsize
config_get listen_addr "config" "listen_addr" "0.0.0.0:2023"
config_get log_maxbackups "config" "log_maxbackups" "1"
config_get log_maxsize "config" "log_maxsize" "5"
procd_open_instance "$CONF"
procd_set_param env DAE_LOCATION_ASSET="/usr/share/v2ray"
procd_set_param command "$PROG" run
procd_append_param command --config "/etc/daed/"
procd_append_param command --listen "$listen_addr"
procd_append_param command --logfile "$LOG"
procd_append_param command --logfile-maxbackups "$log_maxbackups"
procd_append_param command --logfile-maxsize "$log_maxsize"
procd_set_param limits core="unlimited"
procd_set_param limits nofile="1000000 1000000"
procd_set_param respawn
# procd_set_param stdout 1
procd_set_param stderr 1
procd_close_instance
}
stop_service() {
rm -f "$LOG"
}
service_triggers() {
procd_add_reload_trigger "$CONF"
}

84744
daed/patches_arm/0002-feat-Add-vmlinux-arm.h.patch Normal file
View File

File diff suppressed because it is too large Load Diff

24
daed/patches_arm/0003-drop-kprobe-skb-5.patch Normal file
View File

@@ -0,0 +1,24 @@
--- a/dae-core/trace/kern/trace.c
+++ b/dae-core/trace/kern/trace.c
@@ -228,7 +228,7 @@ KPROBE_SKB_AT(1)
KPROBE_SKB_AT(2)
KPROBE_SKB_AT(3)
KPROBE_SKB_AT(4)
-KPROBE_SKB_AT(5)
+//KPROBE_SKB_AT(5)
SEC("kprobe/skb_lifetime_termination")
int kprobe_skb_lifetime_termination(struct pt_regs *ctx)
--- a/dae-core/trace/trace.go
+++ b/dae-core/trace/trace.go
@@ -206,8 +206,8 @@ func attachBpfToTargets(objs *bpfObjects
kp, err = link.Kprobe(fn, objs.KprobeSkb3, nil)
case 4:
kp, err = link.Kprobe(fn, objs.KprobeSkb4, nil)
- case 5:
- kp, err = link.Kprobe(fn, objs.KprobeSkb5, nil)
+ //case 5:
+ // kp, err = link.Kprobe(fn, objs.KprobeSkb5, nil)
}
if err != nil {
logrus.Debugf("failed to attach kprobe to %s: %+v\n", fn, err)

13
luci-app-daed/Makefile Normal file
View File

@@ -0,0 +1,13 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 ImmortalWrt.org
include $(TOPDIR)/rules.mk
LUCI_TITLE:=LuCI app for dae dashboard
LUCI_DEPENDS:=+daed
LUCI_PKGARCH:=all
include $(TOPDIR)/feeds/luci/luci.mk
# call BuildPackage - OpenWrt buildroot signature

93
luci-app-daed/htdocs/luci-static/resources/view/daed/config.js Normal file
View File

@@ -0,0 +1,93 @@
// SPDX-License-Identifier: Apache-2.0
'use strict';
'require form';
'require poll';
'require rpc';
'require uci';
'require view';
const callServiceList = rpc.declare({
object: 'service',
method: 'list',
params: ['name'],
expect: { '': {} }
});
function getServiceStatus() {
return L.resolveDefault(callServiceList('daed'), {}).then(function(res) {
let isRunning = false;
try {
isRunning = res['daed']['instances']['daed']['running'];
} catch (e) { }
return isRunning;
});
}
function renderStatus(isRunning, port) {
let spanTemp = '<span style="color:%s"><strong>%s %s</strong></span>';
let renderHTML;
if (isRunning) {
let button = String.format('&#160;<a class="btn cbi-button" href="http://%s:%s" target="_blank" rel="noreferrer noopener">%s</a>',
window.location.hostname, port, _('Open Web Interface'));
renderHTML = spanTemp.format('green', _('daed'), _('RUNNING')) + button;
} else {
renderHTML = spanTemp.format('red', _('daed'), _('NOT RUNNING'));
}
return renderHTML;
}
return view.extend({
load: function() {
return Promise.all([
uci.load('daed')
]);
},
render: function(data) {
let m, s, o;
let webport = (uci.get(data[0], 'config', 'address') || '0.0.0.0:2023').split(':').slice(-1)[0];
m = new form.Map('daed', _('daed'),
_('A modern dashboard for dae.'));
s = m.section(form.TypedSection);
s.anonymous = true;
s.render = function() {
poll.add(function() {
return L.resolveDefault(getServiceStatus()).then(function(res) {
let view = document.getElementById('service_status');
view.innerHTML = renderStatus(res, webport);
});
});
return E('div', { class: 'cbi-section', id: 'status_bar' }, [
E('p', { id: 'service_status' }, _('Collecting data…'))
]);
}
s = m.section(form.NamedSection, 'config', 'daed');
o = s.option(form.Flag, 'enabled', _('Enable'));
o.default = o.disabled;
o.rmempty = false;
o = s.option(form.Value, 'listen_addr', _('Listening address'));
o.datatype = 'ipaddrport(1)';
o.default = '0.0.0.0:2023';
o.rmempty = false;
o = s.option(form.Value, 'log_maxbackups', _('Max log backups'),
_('The maximum number of old log files to retain.'));
o.datatype = 'uinteger';
o.default = '1';
o = s.option(form.Value, 'log_maxsize', _('Max log size'),
_('The maximum size in megabytes of the log file before it gets rotated.'));
o.datatype = 'uinteger';
o.default = '5';
return m.render();
}
});

94
luci-app-daed/htdocs/luci-static/resources/view/daed/log.js Normal file
View File

@@ -0,0 +1,94 @@
// SPDX-License-Identifier: Apache-2.0
'use strict';
'require dom';
'require fs';
'require poll';
'require view';
return view.extend({
render() {
/* Thanks to luci-app-aria2 */
let css = ' \
#log_textarea { \
text-align: left; \
} \
#log_textarea pre { \
padding: .5rem; \
word-break: break-all; \
margin: 0; \
} \
.description { \
background-color: #33ccff; \
}';
let log_textarea = E('div', { 'id': 'log_textarea' },
E('img', {
'src': L.resource('icons/loading.svg'),
'alt': _('Loading...'),
'style': 'vertical-align:middle'
}, _('Collecting data…'))
);
poll.add(L.bind(function() {
return fs.read_direct('/var/log/daed/daed.log', 'text')
.then(function(content) {
let log = E('pre', { 'wrap': 'pre' }, [
content.trim() || _('Log is empty.')
]);
dom.content(log_textarea, log);
}).catch(function(e) {
let log;
if (e.toString().includes('NotFoundError'))
log = E('pre', { 'wrap': 'pre' }, [
_('Log file does not exist.')
]);
else
log = E('pre', { 'wrap': 'pre' }, [
_('Unknown error: %s').format(e)
]);
dom.content(log_textarea, log);
});
}));
const scrollDownButton = E('button', {
'id': 'scrollDownButton',
'class': 'cbi-button cbi-button-neutral',
}, _('Scroll to tail', 'scroll to bottom (the tail) of the log file')
);
scrollDownButton.addEventListener('click', () => {
scrollUpButton.focus();
});
const scrollUpButton = E('button', {
'id' : 'scrollUpButton',
'class': 'cbi-button cbi-button-neutral',
}, _('Scroll to head', 'scroll to top (the head) of the log file')
);
scrollUpButton.addEventListener('click', () => {
scrollDownButton.focus();
});
return E([
E('style', [ css ]),
E('h2', {}, [ _('Log') ]),
E('div', {'class': 'cbi-map'}, [
E('div', {'style': 'padding-bottom: 20px'}, [scrollDownButton]),
E('div', {'class': 'cbi-section'}, [
log_textarea,
E('div', {'style': 'text-align:right'},
E('small', {}, _('Refresh every %s seconds.').format(L.env.pollinterval))
)
]),
E('div', {'style': 'padding-bottom: 20px'}, [scrollUpButton])
])
]);
},
handleSaveApply: null,
handleSave: null,
handleReset: null
});

97
luci-app-daed/po/templates/daed.pot Normal file
View File

@@ -0,0 +1,97 @@
msgid ""
msgstr "Content-Type: text/plain; charset=UTF-8"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:53
msgid "A modern dashboard for dae."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:66
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:30
msgid "Collecting data…"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:72
msgid "Enable"
msgstr ""
#: applications/luci-app-daed/root/usr/share/rpcd/acl.d/luci-app-daed.json:3
msgid "Grant access to daed configuration"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:76
msgid "Listening address"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:28
msgid "Loading..."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:77
#: applications/luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json:22
msgid "Log"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:46
msgid "Log file does not exist."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:37
msgid "Log is empty."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:81
msgid "Max log backups"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:86
msgid "Max log size"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:35
msgid "NOT RUNNING"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:32
msgid "Open Web Interface"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:33
msgid "RUNNING"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:83
msgid "Refresh every %s seconds."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:69
msgctxt "scroll to top (the head) of the log file"
msgid "Scroll to head"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:60
msgctxt "scroll to bottom (the tail) of the log file"
msgid "Scroll to tail"
msgstr ""
#: applications/luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json:14
msgid "Settings"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:82
msgid "The maximum number of old log files to retain."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:87
msgid "The maximum size in megabytes of the log file before it gets rotated."
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:50
msgid "Unknown error: %s"
msgstr ""
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:33
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:35
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:52
#: applications/luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json:3
msgid "daed"
msgstr ""

1
luci-app-daed/po/zh-cn Symbolic link
View File

@@ -0,0 +1 @@
zh_Hans

104
luci-app-daed/po/zh_Hans/daed.po Normal file
View File

@@ -0,0 +1,104 @@
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Project-Id-Version: PACKAGE VERSION\n"
"Last-Translator: Automatically generated\n"
"Language-Team: none\n"
"Language: zh-Hans\n"
"MIME-Version: 1.0\n"
"Content-Transfer-Encoding: 8bit\n"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:53
msgid "A modern dashboard for dae."
msgstr "dae 现代化控制面板。"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:66
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:30
msgid "Collecting data…"
msgstr "正在收集数据中…"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:72
msgid "Enable"
msgstr "启用"
#: applications/luci-app-daed/root/usr/share/rpcd/acl.d/luci-app-daed.json:3
msgid "Grant access to daed configuration"
msgstr "授予访问 daed 配置的权限"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:76
msgid "Listening address"
msgstr "监听地址"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:28
msgid "Loading..."
msgstr "加载中..."
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:77
#: applications/luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json:22
msgid "Log"
msgstr "日志"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:46
msgid "Log file does not exist."
msgstr "日志文件不存在。"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:37
msgid "Log is empty."
msgstr "日志为空"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:81
msgid "Max log backups"
msgstr "最大日志备份"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:86
msgid "Max log size"
msgstr "最大日志大小"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:35
msgid "NOT RUNNING"
msgstr "未运行"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:32
msgid "Open Web Interface"
msgstr "打开 Web 界面"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:33
msgid "RUNNING"
msgstr "运行中"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:83
msgid "Refresh every %s seconds."
msgstr "每 %s 秒刷新。"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:69
msgctxt "scroll to top (the head) of the log file"
msgid "Scroll to head"
msgstr "滚动到顶部"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:60
msgctxt "scroll to bottom (the tail) of the log file"
msgid "Scroll to tail"
msgstr "滚动到尾部"
#: applications/luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json:14
msgid "Settings"
msgstr "设置"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:82
msgid "The maximum number of old log files to retain."
msgstr "要保留的最大旧日志文件数量。"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:87
msgid "The maximum size in megabytes of the log file before it gets rotated."
msgstr "要保留的最大日志大小单位MB。"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/log.js:50
msgid "Unknown error: %s"
msgstr "未知错误:%s"
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:33
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:35
#: applications/luci-app-daed/htdocs/luci-static/resources/view/daed/config.js:52
#: applications/luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json:3
msgid "daed"
msgstr "daed"

29
luci-app-daed/root/usr/share/luci/menu.d/luci-app-daed.json Normal file
View File

@@ -0,0 +1,29 @@
{
"admin/services/daed": {
"title": "DAED",
"order": 20,
"action": {
"type": "firstchild"
},
"depends": {
"acl": [ "luci-app-daed" ],
"uci": { "daed": true }
}
},
"admin/services/daed/config": {
"title": "Settings",
"order": 10,
"action": {
"type": "view",
"path": "daed/config"
}
},
"admin/services/daed/log": {
"title": "Log",
"order": 20,
"action": {
"type": "view",
"path": "daed/log"
}
}
}

17
luci-app-daed/root/usr/share/rpcd/acl.d/luci-app-daed.json Normal file
View File

@@ -0,0 +1,17 @@
{
"luci-app-daed": {
"description": "Grant access to daed configuration",
"read": {
"file": {
"/var/log/daed/daed.log": [ "read" ]
},
"ubus": {
"service": [ "list" ]
},
"uci": [ "daed" ]
},
"write": {
"uci": [ "daed" ]
}
}
}

15
luci-app-ssr-plus/root/etc/init.d/shadowsocksr
View File

@@ -1590,15 +1590,16 @@ start() {
Start_Run
start_xhttp_addr
start_rules
start_dns
# Restore ipsets after rules creation
if [ "$HAS_IPSET" -eq 1 ]; then
for setname in gfwlist china blacklist whitelist netflix; do
[ "$setname" = "gfwlist" ] && [ "$run_mode" != "gfw" ] && continue
if [ -f "/tmp/ssrplus_save/${setname}.save" ]; then
ipset restore -! < "/tmp/ssrplus_save/${setname}.save" 2>/dev/null
fi
done
fi
start_dns
add_cron
start_switch
else
@@ -1652,11 +1653,13 @@ stop() {
# Save ipsets before stopping to persist transparent proxy state
if [ "$HAS_IPSET" -eq 1 ]; then
mkdir -p /tmp/ssrplus_save
ipset save gfwlist > /tmp/ssrplus_save/gfwlist.save 2>/dev/null
ipset save china > /tmp/ssrplus_save/china.save 2>/dev/null
ipset save blacklist > /tmp/ssrplus_save/blacklist.save 2>/dev/null
ipset save whitelist > /tmp/ssrplus_save/whitelist.save 2>/dev/null
ipset save netflix > /tmp/ssrplus_save/netflix.save 2>/dev/null
local run_mode="$(uci_get_by_type global run_mode)"
if [ "$run_mode" = "gfw" ]; then
ipset save gfwlist > /tmp/ssrplus_save/gfwlist.save 2>/dev/null
fi
for setname in china blacklist whitelist netflix; do
ipset save $setname > /tmp/ssrplus_save/$setname.save 2>/dev/null
done
fi
unlock
set_lock

110
luci-app-ssr-plus/root/etc/ssrplus/gfw_base.conf
View File

@@ -1,108 +1,110 @@
ipset=/91smartyun.pt/gfwlist
ipset=/adobe.com/gfwlist
ipset=/amazonaws.com/gfwlist
ipset=/ampproject.org/gfwlist
ipset=/apple.news/gfwlist
ipset=/aws.amazon.com/gfwlist
ipset=/azureedge.net/gfwlist
ipset=/backpackers.com.tw/gfwlist
ipset=/bitfinex.com/gfwlist
ipset=/buzzfeed.com/gfwlist
ipset=/clockwise.ee/gfwlist
ipset=/cloudfront.net/gfwlist
ipset=/coindesk.com/gfwlist
ipset=/coinsquare.io/gfwlist
ipset=/cryptocompare.com/gfwlist
ipset=/dropboxstatic.com/gfwlist
ipset=/eurecom.fr/gfwlist
ipset=/gdax.com/gfwlist
ipset=/github.com/gfwlist
ipset=/kknews.cc/gfwlist
ipset=/nutaq.com/gfwlist
ipset=/openairinterface.org/gfwlist
ipset=/skype.com/gfwlist
ipset=/sublimetext.com/gfwlist
ipset=/textnow.com/gfwlist
ipset=/textnow.me/gfwlist
ipset=/trouter.io/gfwlist
ipset=/t66y.com/gfwlist
ipset=/uploaded.net/gfwlist
ipset=/whatsapp.com/gfwlist
ipset=/whatsapp.net/gfwlist
ipset=/wsj.net/gfwlist
ipset=/google.com/gfwlist
ipset=/google.com.hk/gfwlist
ipset=/gstatic.com/gfwlist
ipset=/googleusercontent.com/gfwlist
ipset=/googlepages.com/gfwlist
ipset=/googlevideo.com/gfwlist
ipset=/googlecode.com/gfwlist
ipset=/googleapis.com/gfwlist
ipset=/googlesource.com/gfwlist
ipset=/googledrive.com/gfwlist
ipset=/ggpht.com/gfwlist
ipset=/youtube.com/gfwlist
ipset=/youtu.be/gfwlist
ipset=/ytimg.com/gfwlist
ipset=/twitter.com/gfwlist
ipset=/facebook.com/gfwlist
ipset=/fastly.net/gfwlist
ipset=/akamai.net/gfwlist
ipset=/akamaiedge.net/gfwlist
ipset=/akamaihd.net/gfwlist
ipset=/edgesuite.net/gfwlist
ipset=/edgekey.net/gfwlist
server=/91smartyun.pt/127.0.0.1#5335
ipset=/91smartyun.pt/gfwlist
server=/adobe.com/127.0.0.1#5335
ipset=/adobe.com/gfwlist
server=/amazonaws.com/127.0.0.1#5335
ipset=/amazonaws.com/gfwlist
server=/ampproject.org/127.0.0.1#5335
ipset=/ampproject.org/gfwlist
server=/apple.news/127.0.0.1#5335
ipset=/apple.news/gfwlist
server=/aws.amazon.com/127.0.0.1#5335
ipset=/aws.amazon.com/gfwlist
server=/azureedge.net/127.0.0.1#5335
ipset=/azureedge.net/gfwlist
server=/backpackers.com.tw/127.0.0.1#5335
ipset=/backpackers.com.tw/gfwlist
server=/bitfinex.com/127.0.0.1#5335
ipset=/bitfinex.com/gfwlist
server=/buzzfeed.com/127.0.0.1#5335
ipset=/buzzfeed.com/gfwlist
server=/clockwise.ee/127.0.0.1#5335
ipset=/clockwise.ee/gfwlist
server=/cloudfront.net/127.0.0.1#5335
ipset=/cloudfront.net/gfwlist
server=/coindesk.com/127.0.0.1#5335
ipset=/coindesk.com/gfwlist
server=/coinsquare.io/127.0.0.1#5335
ipset=/coinsquare.io/gfwlist
server=/cryptocompare.com/127.0.0.1#5335
ipset=/cryptocompare.com/gfwlist
server=/dropboxstatic.com/127.0.0.1#5335
ipset=/dropboxstatic.com/gfwlist
server=/eurecom.fr/127.0.0.1#5335
ipset=/eurecom.fr/gfwlist
server=/gdax.com/127.0.0.1#5335
ipset=/gdax.com/gfwlist
server=/github.com/127.0.0.1#5335
ipset=/github.com/gfwlist
server=/kknews.cc/127.0.0.1#5335
ipset=/kknews.cc/gfwlist
server=/nutaq.com/127.0.0.1#5335
ipset=/nutaq.com/gfwlist
server=/openairinterface.org/127.0.0.1#5335
ipset=/openairinterface.org/gfwlist
server=/skype.com/127.0.0.1#5335
ipset=/skype.com/gfwlist
server=/sublimetext.com/127.0.0.1#5335
ipset=/sublimetext.com/gfwlist
server=/textnow.com/127.0.0.1#5335
ipset=/textnow.com/gfwlist
server=/textnow.me/127.0.0.1#5335
ipset=/textnow.me/gfwlist
server=/trouter.io/127.0.0.1#5335
ipset=/trouter.io/gfwlist
server=/t66y.com/127.0.0.1#5335
ipset=/t66y.com/gfwlist
server=/uploaded.net/127.0.0.1#5335
ipset=/uploaded.net/gfwlist
server=/v2rayssr.com/127.0.0.1#5335
ipset=/v2rayssr.com/gfwlist
server=/whatsapp.com/127.0.0.1#5335
ipset=/whatsapp.com/gfwlist
server=/whatsapp.net/127.0.0.1#5335
ipset=/whatsapp.net/gfwlist
server=/wsj.net/127.0.0.1#5335
ipset=/wsj.net/gfwlist
server=/google.com/127.0.0.1#5335
ipset=/google.com/gfwlist
server=/google.com.hk/127.0.0.1#5335
ipset=/google.com.hk/gfwlist
server=/gstatic.com/127.0.0.1#5335
ipset=/gstatic.com/gfwlist
server=/googleusercontent.com/127.0.0.1#5335
ipset=/googleusercontent.com/gfwlist
server=/googlepages.com/127.0.0.1#5335
ipset=/googlepages.com/gfwlist
server=/googlevideo.com/127.0.0.1#5335
ipset=/googlevideo.com/gfwlist
server=/googlecode.com/127.0.0.1#5335
ipset=/googlecode.com/gfwlist
server=/googleapis.com/127.0.0.1#5335
ipset=/googleapis.com/gfwlist
server=/googlesource.com/127.0.0.1#5335
ipset=/googlesource.com/gfwlist
server=/googledrive.com/127.0.0.1#5335
ipset=/googledrive.com/gfwlist
server=/ggpht.com/127.0.0.1#5335
ipset=/ggpht.com/gfwlist
server=/youtube.com/127.0.0.1#5335
ipset=/youtube.com/gfwlist
server=/youtu.be/127.0.0.1#5335
ipset=/youtu.be/gfwlist
server=/ytimg.com/127.0.0.1#5335
ipset=/ytimg.com/gfwlist
server=/twitter.com/127.0.0.1#5335
ipset=/twitter.com/gfwlist
server=/facebook.com/127.0.0.1#5335
ipset=/facebook.com/gfwlist
server=/fastly.net/127.0.0.1#5335
ipset=/fastly.net/gfwlist
server=/akamai.net/127.0.0.1#5335
ipset=/akamai.net/gfwlist
server=/akamaiedge.net/127.0.0.1#5335
ipset=/akamaiedge.net/gfwlist
server=/akamaihd.net/127.0.0.1#5335
ipset=/akamaihd.net/gfwlist
server=/edgesuite.net/127.0.0.1#5335
ipset=/edgesuite.net/gfwlist
server=/edgekey.net/127.0.0.1#5335
ipset=/edgekey.net/gfwlist

413
luci-app-ssr-plus/root/usr/bin/ssr-rules
View File

@@ -258,7 +258,6 @@ flush_nftables() {
$NFT flush set ip ss_spec_mangle $setname 2>/dev/null
$NFT delete set ip ss_spec_mangle $setname 2>/dev/null
done
# Delete entire table
$NFT delete table ip ss_spec_mangle 2>/dev/null
fi
@@ -268,7 +267,8 @@ flush_nftables() {
ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
# Optional: force delete all ss_spec related sets (even if table was accidentally deleted)
for setname in ss_spec_lan_ac ss_spec_wan_ac ssr_gen_router fplan bplan gmlan oversea whitelist blacklist netflix gfwlist china music; do
for setname in ss_spec_lan_ac ss_spec_wan_ac ssr_gen_router \
china fplan bplan gmlan oversea whitelist blacklist netflix gfwlist music; do
$NFT delete set inet ss_spec $setname 2>/dev/null
$NFT delete set ip ss_spec_mangle $setname 2>/dev/null
done
@@ -299,8 +299,8 @@ flush_iptables_legacy() {
flush_iptables mangle
ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
for setname in ss_spec_lan_ac ss_spec_lan_ac_udp ss_spec_wan_ac ss_spec_wan_ac_tcp ss_spec_wan_ac_udp ssr_gen_router \
china fplan bplan gmlan oversea whitelist blacklist netflix; do
for setname in ss_spec_lan_ac ss_spec_wan_ac ssr_gen_router \
china fplan bplan gmlan oversea whitelist blacklist netflix gfwlist music; do
ipset -X $setname 2>/dev/null
done
[ -n "$FWI" ] && echo '#!/bin/sh' >$FWI
@@ -359,7 +359,7 @@ ipset_nft() {
done
# Create main chains for WAN access control
for chain in ss_spec_wan_fw_tcp ss_spec_wan_fw_udp ss_spec_wan_ac_tcp ss_spec_wan_ac_udp; do
for chain in ss_spec_wan_fw ss_spec_wan_ac; do
if ! $NFT list chain inet ss_spec $chain >/dev/null 2>&1; then
$NFT add chain inet ss_spec $chain
fi
@@ -368,29 +368,18 @@ ipset_nft() {
# Add basic rules
# BASIC RULES (exceptions first) — TCP
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp meta l4proto tcp tcp dport 53 ip daddr 127.0.0.0/8 return
[ -n "$server" ] && $NFT add rule inet ss_spec ss_spec_wan_ac_tcp meta l4proto tcp tcp dport != 53 ip daddr "$server" return
$NFT add rule inet ss_spec ss_spec_wan_ac meta l4proto tcp tcp dport 53 ip daddr 127.0.0.0/8 return
[ -n "$server" ] && $NFT add rule inet ss_spec ss_spec_wan_ac meta l4proto tcp tcp dport != 53 ip daddr "$server" return
# Access control: blacklist -> whitelist -> fplan/bplan — TCP
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @blacklist jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @whitelist return
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @fplan jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @bplan return
# BASIC RULES (exceptions first) — UDP
$NFT add rule inet ss_spec ss_spec_wan_ac_udp meta l4proto udp udp dport 53 ip daddr 127.0.0.0/8 return
[ -n "$server" ] && $NFT add rule inet ss_spec ss_spec_wan_ac_udp meta l4proto udp udp dport != 53 ip daddr "$server" return
# Access control: blacklist -> whitelist -> fplan/bplan — UDP
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @blacklist jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @whitelist return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @fplan jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @bplan return
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @blacklist jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @whitelist return
$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @fplan jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @bplan return
# Music unlocking support
if $NFT list set inet ss_spec music >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp meta l4proto tcp ip daddr @music return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp meta l4proto udp ip daddr @music return
$NFT add rule inet ss_spec ss_spec_wan_ac meta l4proto tcp ip daddr @music return
fi
# Shunt/Netflix rules
@@ -403,66 +392,42 @@ ipset_nft() {
# Set up mode-specific rules
case "$RUNMODE" in
router)
if ! $NFT list set inet ss_spec ss_spec_wan_ac_tcp >/dev/null 2>&1; then
$NFT add set inet ss_spec ss_spec_wan_ac_tcp '{ type ipv4_addr; flags interval; auto-merge; }'
if ! $NFT list set inet ss_spec ss_spec_wan_ac >/dev/null 2>&1; then
$NFT add set inet ss_spec ss_spec_wan_ac '{ type ipv4_addr; flags interval; auto-merge; }'
else
$NFT flush set inet ss_spec ss_spec_wan_ac_tcp 2>/dev/null
$NFT flush set inet ss_spec ss_spec_wan_ac 2>/dev/null
fi
# Add special IP ranges to WAN AC set
for ip in $(gen_spec_iplist); do
[ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac_tcp "{ $ip }" 2>/dev/null
[ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac "{ $ip }" 2>/dev/null
done
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @ss_spec_wan_ac_tcp return
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @china return
if $NFT list chain inet ss_spec ss_spec_wan_ac_tcp >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp jump ss_spec_wan_fw_tcp
fi
if ! $NFT list set inet ss_spec ss_spec_wan_ac_udp >/dev/null 2>&1; then
$NFT add set inet ss_spec ss_spec_wan_ac_udp '{ type ipv4_addr; flags interval; auto-merge; }'
else
$NFT flush set inet ss_spec ss_spec_wan_ac_udp 2>/dev/null
fi
# Add special IP ranges to WAN AC set
for ip in $(gen_spec_iplist); do
[ -n "$ip" ] && $NFT add element inet ss_spec ss_spec_wan_ac_udp "{ $ip }" 2>/dev/null
done
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @ss_spec_wan_ac_udp return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @china return
if $NFT list chain inet ss_spec ss_spec_wan_fw_udp >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @ss_spec_wan_ac return
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return
if $NFT list chain inet ss_spec ss_spec_wan_ac >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac jump ss_spec_wan_fw
fi
;;
gfw)
if ! $NFT list set inet ss_spec gfwlist >/dev/null 2>&1; then
$NFT add set inet ss_spec gfwlist '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
fi
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @china return
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @gfwlist jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @china return
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @gfwlist jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china return
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @gfwlist jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan ip daddr != @china jump ss_spec_wan_fw
;;
oversea)
if ! $NFT list set inet ss_spec oversea >/dev/null 2>&1; then
$NFT add set inet ss_spec oversea '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
fi
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @oversea jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip saddr @gmlan jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp ip daddr @china jump ss_spec_wan_fw_tcp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @oversea jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip saddr @gmlan jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac_udp ip daddr @china jump ss_spec_wan_fw_udp
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @oversea jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac ip saddr @gmlan jump ss_spec_wan_fw
$NFT add rule inet ss_spec ss_spec_wan_ac ip daddr @china jump ss_spec_wan_fw
;;
all)
if $NFT list chain inet ss_spec ss_spec_wan_fw_tcp >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp jump ss_spec_wan_fw_tcp
fi
if $NFT list chain inet ss_spec ss_spec_wan_fw_udp >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac_udp jump ss_spec_wan_fw_udp
if $NFT list chain inet ss_spec ss_spec_wan_fw >/dev/null 2>&1; then
$NFT add rule inet ss_spec ss_spec_wan_ac jump ss_spec_wan_fw
fi
;;
esac
@@ -473,17 +438,11 @@ ipset_nft() {
ipset_iptables() {
[ -f "$IGNORE_LIST" ] && /usr/share/shadowsocksr/chinaipset.sh "$IGNORE_LIST"
$IPT -N SS_SPEC_WAN_AC_TCP 2>/dev/null
$ipt -N SS_SPEC_WAN_AC_UDP 2>/dev/null
$IPT -N SS_SPEC_WAN_AC 2>/dev/null
$IPT -F SS_SPEC_WAN_AC
$IPT -F SS_SPEC_WAN_AC_TCP
$ipt -F SS_SPEC_WAN_AC_UDP
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp --dport 53 -d 127.0.0.0/8 -j RETURN
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp ! --dport 53 -d "$server" -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -p udp --dport 53 -d 127.0.0.0/8 -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -p udp ! --dport 53 -d "$server" -j RETURN
$IPT -I SS_SPEC_WAN_AC -p tcp --dport 53 -d 127.0.0.0/8 -j RETURN
$IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d "$server" -j RETURN
ipset -N gmlan hash:net 2>/dev/null
for ip in $LAN_GM_IP; do ipset -! add gmlan "$ip"; done
@@ -491,58 +450,38 @@ ipset_iptables() {
case "$RUNMODE" in
router)
ipset -! -R <<-EOF || return 1
create ss_spec_wan_ac_tcp hash:net
$(gen_spec_iplist | sed -e "s/^/add ss_spec_wan_ac_tcp /")
create ss_spec_wan_ac hash:net
$(gen_spec_iplist | sed -e "s/^/add ss_spec_wan_ac /")
EOF
ipset -! -R <<-EOF || return 1
create ss_spec_wan_ac_udp hash:net
$(gen_spec_iplist | sed -e "s/^/add ss_spec_wan_ac_udp /")
EOF
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set ss_spec_wan_ac_tcp dst -j RETURN
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set china dst -j RETURN
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_TCP
$IPT -A SS_SPEC_WAN_AC_TCP -j SS_SPEC_WAN_FW_TCP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set ss_spec_wan_ac_udp dst -j RETURN
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -j SS_SPEC_WAN_FW_UDP
$IPT -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN
$IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN
$IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
;;
gfw)
ipset -N gfwlist hash:net 2>/dev/null
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set china dst -j RETURN
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW_TCP
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_TCP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW_UDP
$IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN
$IPT -A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW
;;
oversea)
ipset -N oversea hash:net 2>/dev/null
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set oversea dst -j SS_SPEC_WAN_FW_TCP
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set gmlan src -j SS_SPEC_WAN_FW_TCP
$IPT -A SS_SPEC_WAN_AC_TCP -m set --match-set china dst -j SS_SPEC_WAN_FW_TCP
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set oversea dst -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set gmlan src -j SS_SPEC_WAN_FW_UDP
$ipt -A SS_SPEC_WAN_AC_UDP -m set --match-set china dst -j SS_SPEC_WAN_FW_UDP
$IPT -I SS_SPEC_WAN_AC -m set --match-set oversea dst -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -j SS_SPEC_WAN_FW
$IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j SS_SPEC_WAN_FW
;;
all)
$IPT -A SS_SPEC_WAN_AC_TCP -j SS_SPEC_WAN_FW_TCP
$ipt -A SS_SPEC_WAN_AC_UDP -j SS_SPEC_WAN_FW_UDP
$IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
;;
esac
ipset -N fplan hash:net 2>/dev/null
for ip in $LAN_FP_IP; do ipset -! add fplan "$ip"; done
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set fplan src -j SS_SPEC_WAN_FW_TCP
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set fplan src -j SS_SPEC_WAN_FW_UDP
$IPT -I SS_SPEC_WAN_AC -m set --match-set fplan src -j SS_SPEC_WAN_FW
ipset -N bplan hash:net 2>/dev/null
for ip in $LAN_BP_IP; do ipset -! add bplan "$ip"; done
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set bplan src -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set bplan src -j RETURN
$IPT -I SS_SPEC_WAN_AC -m set --match-set bplan src -j RETURN
ipset -N whitelist hash:net 2>/dev/null
if [ -f "${xhttp_ip:=/etc/ssrplus/xhttp_address.txt}" ]; then
@@ -552,15 +491,11 @@ ipset_iptables() {
fi
ipset -N blacklist hash:net 2>/dev/null
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set blacklist dst -j SS_SPEC_WAN_FW_TCP
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set whitelist dst -j RETURN
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set blacklist dst -j SS_SPEC_WAN_FW_UDP
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set whitelist dst -j RETURN
$IPT -I SS_SPEC_WAN_AC -m set --match-set blacklist dst -j SS_SPEC_WAN_FW
$IPT -I SS_SPEC_WAN_AC -m set --match-set whitelist dst -j RETURN
if [ $(ipset list music -name -quiet | grep music) ]; then
$IPT -I SS_SPEC_WAN_AC_TCP -m set --match-set music dst -j RETURN 2>/dev/null
$ipt -I SS_SPEC_WAN_AC_UDP -m set --match-set music dst -j RETURN 2>/dev/null
$IPT -I SS_SPEC_WAN_AC -m set --match-set music dst -j RETURN 2>/dev/null
fi
for ip in $WAN_BP_IP; do ipset -! add whitelist "$ip"; done
@@ -572,15 +507,12 @@ ipset_iptables() {
case "$SHUNT_PORT" in
0) ;;
1)
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$local_port"
$ipt -I SS_SPEC_WAN_AC_UDP -p udp -m set --match-set netflix dst -j TPROXY --on-port "$local_port" --tproxy-mark 0x01/0x01
$IPT -I SS_SPEC_WAN_AC -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$local_port"
;;
*)
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$SHUNT_PORT"
$ipt -I SS_SPEC_WAN_AC_UDP -p udp -m set --match-set netflix dst -j TPROXY --on-port "$SHUNT_PORT" --tproxy-mark 0x01/0x01
$IPT -I SS_SPEC_WAN_AC -p tcp -m set --match-set netflix dst -j REDIRECT --to-ports "$SHUNT_PORT"
if [ "$SHUNT_PROXY" = "1" ]; then
$IPT -I SS_SPEC_WAN_AC_TCP -p tcp -d "$SHUNT_IP" -j REDIRECT --to-ports "$local_port"
$ipt -I SS_SPEC_WAN_AC_UDP -p udp -d "$SHUNT_IP" -j TPROXY --on-port "$local_port" --tproxy-mark 0x01/0x01
$IPT -I SS_SPEC_WAN_AC -p tcp -d "$SHUNT_IP" -j REDIRECT --to-ports "$local_port"
else
ipset -! add whitelist "$SHUNT_IP"
fi
@@ -614,47 +546,30 @@ fw_rule_nft() {
PORTS_ARGS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
if [ -n "$PORTS_ARGS" ]; then
TCP_EXT_ARGS="meta l4proto tcp tcp dport { $PORTS_ARGS }"
UDP_EXT_ARGS="meta l4proto udp udp dport { $PORTS_ARGS }"
TCP_RULE="meta l4proto tcp tcp dport { $PORTS_ARGS } counter redirect to :$local_port"
UDP_RULE="meta l4proto udp udp dport { $PORTS_ARGS } counter tproxy ip to :$local_port meta mark set 0x01"
fi
else
TCP_EXT_ARGS="meta l4proto tcp"
UDP_EXT_ARGS="meta l4proto udp"
# default: redirect everything except ssh(22)
TCP_RULE="meta l4proto tcp tcp dport != 22 counter redirect to :$local_port"
# default: when PROXY_PORTS present, redirect those udp ports to local_port
UDP_RULE="meta l4proto udp counter tproxy ip to :$local_port meta mark set 0x01"
fi
# add TCP rule to fw chain if not exists (use -F exact match)
if ! $NFT list chain inet ss_spec ss_spec_wan_fw_tcp 2>/dev/null | grep -F -- "$TCP_RULE" >/dev/null 2>&1; then
if ! $NFT add rule inet ss_spec ss_spec_wan_fw_tcp $TCP_RULE 2>/dev/null; then
if ! $NFT list chain inet ss_spec ss_spec_wan_fw 2>/dev/null | grep -F -- "$TCP_RULE" >/dev/null 2>&1; then
if ! $NFT add rule inet ss_spec ss_spec_wan_fw $TCP_RULE 2>/dev/null; then
loger 3 "Can't redirect TCP, please check nftables."
return 1
fi
fi
if ! $NFT list chain inet ss_spec ss_spec_wan_fw_udp 2>/dev/null | grep -F -- "$UDP_RULE" >/dev/null 2>&1; then
if ! $NFT add rule inet ss_spec ss_spec_wan_fw_udp $UDP_RULE 2>/dev/null; then
loger 3 "Can't tproxy UDP, please check nftables."
return 1
fi
fi
if [ "$SHUNT_PORT" != "0" ] && [ -f "$SHUNT_LIST" ]; then
case "$SHUNT_PORT" in
1)
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$local_port
$NFT add rule inet ss_spec ss_spec_wan_ac_udp $UDP_EXT_ARGS ip daddr @netflix counter tproxy ip to :$local_port meta mark set 0x01
$NFT add rule inet ss_spec ss_spec_wan_ac $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$local_port
;;
*)
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$SHUNT_PORT
$NFT add rule inet ss_spec ss_spec_wan_ac_udp $UDP_EXT_ARGS ip daddr @netflix counter tproxy ip to :$SHUNT_PORT meta mark set 0x01
$NFT add rule inet ss_spec ss_spec_wan_ac $TCP_EXT_ARGS ip daddr @netflix counter redirect to :$SHUNT_PORT
if [ "$SHUNT_PROXY" = "1" ]; then
$NFT add rule inet ss_spec ss_spec_wan_ac_tcp $TCP_EXT_ARGS ip daddr $SHUNT_IP counter redirect to :$local_port
$NFT add rule inet ss_spec ss_spec_wan_ac_udp $UDP_EXT_ARGS ip daddr $SHUNT_IP counter tproxy ip to :$local_port meta mark set 0x01
$NFT add rule inet ss_spec ss_spec_wan_ac $TCP_EXT_ARGS ip daddr $SHUNT_IP counter redirect to :$local_port
else
[ -n "$SHUNT_IP" ] && $NFT add element inet ss_spec whitelist "{ $SHUNT_IP }" 2>/dev/null
fi
@@ -675,39 +590,22 @@ fw_rule_iptables() {
ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
fi
# 创建TCP链 (在nat表中)
$IPT -N SS_SPEC_WAN_FW_TCP 2>/dev/null
$IPT -F SS_SPEC_WAN_FW_TCP
# Create TCP chain in NAT table
$IPT -N SS_SPEC_WAN_FW 2>/dev/null
$IPT -F SS_SPEC_WAN_FW
for net in \
0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
do
$IPT -A SS_SPEC_WAN_FW_TCP -d "$net" -j RETURN
$IPT -A SS_SPEC_WAN_FW -d "$net" -j RETURN
done
$IPT -A SS_SPEC_WAN_FW_TCP -p tcp $PROXY_PORTS -j REDIRECT --to-ports "$local_port" 2>/dev/null || {
$IPT -A SS_SPEC_WAN_FW -p tcp $PROXY_PORTS -j REDIRECT --to-ports "$local_port" 2>/dev/null || {
loger 3 "Can't redirect TCP, please check the iptables."
exit 1
}
# 创建UDP链 (在mangle表中)
$ipt -N SS_SPEC_WAN_FW_UDP 2>/dev/null
$ipt -F SS_SPEC_WAN_FW_UDP
for net in \
0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
do
$ipt -A SS_SPEC_WAN_FW_UDP -p udp -d "$net" -j RETURN
done
# UDP TPROXY规则 (必须在mangle表中)
$ipt -A SS_SPEC_WAN_FW_UDP -p udp $PROXY_PORTS -j TPROXY --on-port "$local_port" --tproxy-mark 0x01/0x01 2>/dev/null || {
loger 3 "Can't set UDP TPROXY, please check the iptables."
exit 1
}
return $?
}
@@ -750,42 +648,22 @@ ac_rule_nft() {
fi
# Create ss_spec_prerouting tcp chain
if ! $NFT list chain inet ss_spec ss_spec_prerouting_tcp >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_prerouting_tcp '{ type nat hook prerouting priority 0; policy accept; }'
if ! $NFT list chain inet ss_spec ss_spec_prerouting >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_prerouting '{ type nat hook prerouting priority 0; policy accept; }'
fi
$NFT flush chain inet ss_spec ss_spec_prerouting_tcp 2>/dev/null
$NFT flush chain inet ss_spec ss_spec_prerouting 2>/dev/null
# Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_prerouting_tcp >/dev/null 2>&1; then
if $NFT list chain inet ss_spec ss_spec_prerouting >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_prerouting_tcp ip daddr $net return 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting ip daddr $net return 2>/dev/null
done
fi
# Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_prerouting_tcp >/dev/null 2>&1; then
#if $NFT list chain inet ss_spec ss_spec_prerouting >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_prerouting_tcp ip6 daddr $net return 2>/dev/null
# done
#fi
# Create ss_spec_prerouting udp chain
if ! $NFT list chain inet ss_spec ss_spec_prerouting_udp >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_prerouting_udp '{ type filter hook prerouting priority -150; policy accept; }'
fi
$NFT flush chain inet ss_spec ss_spec_prerouting_udp 2>/dev/null
# Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_prerouting_udp >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_prerouting_udp ip daddr $net return 2>/dev/null
done
fi
# Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_prerouting_udp >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_prerouting_udp ip6 daddr $net return 2>/dev/null
# $NFT add rule inet ss_spec ss_spec_prerouting ip6 daddr $net return 2>/dev/null
# done
#fi
@@ -794,22 +672,41 @@ ac_rule_nft() {
PORTS_ARGS=$(echo "$PROXY_PORTS" | sed 's/-m multiport --dports //')
if [ -n "$PORTS_ARGS" ]; then
TCP_EXT_ARGS="meta l4proto tcp tcp dport { $PORTS_ARGS }"
UDP_EXT_ARGS="meta l4proto udp udp dport { $PORTS_ARGS }"
fi
else
TCP_EXT_ARGS="meta l4proto tcp"
UDP_EXT_ARGS="meta l4proto udp"
fi
# Block UDP port 443 when TPROXY not Enable
if [ -z "$TPROXY" ]; then
# Add UDP 443 block rule
if [ -z "$Interface" ]; then
if [ -n "$MATCH_SET" ]; then
$NFT add rule inet ss_spec ss_spec_prerouting meta l4proto udp $MATCH_SET udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
else
$NFT add rule inet ss_spec ss_spec_prerouting meta l4proto udp udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
fi
else
for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then
if [ -n "$MATCH_SET" ]; then
$NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" meta l4proto udp $MATCH_SET udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
else
$NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" meta l4proto udp udp dport 443 drop comment "\"$TAG\"" 2>/dev/null
fi
fi
done
fi
fi
if [ -z "$Interface" ]; then
# generic prerouting jump already exists (see ipset_nft), but if we have MATCH_SET_CONDITION we add a more specific rule
if [ -n "$MATCH_SET" ]; then
# add a more specific rule at the top of ss_spec_prerouting
$NFT add rule inet ss_spec ss_spec_prerouting_tcp $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp $UDP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
else
$NFT add rule inet ss_spec ss_spec_prerouting_tcp $TCP_EXT_ARGS jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp $UDP_EXT_ARGS jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting $TCP_EXT_ARGS jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
fi
else
# For each Interface, find its actual ifname and add an iifname-limited prerouting rule
@@ -818,63 +715,37 @@ ac_rule_nft() {
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then
if [ -n "$MATCH_SET" ]; then
$NFT add rule inet ss_spec ss_spec_prerouting_tcp meta iifname "$IFNAME" $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp meta iifname "$IFNAME" $UDP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" $TCP_EXT_ARGS $MATCH_SET jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
else
$NFT add rule inet ss_spec ss_spec_prerouting_tcp meta iifname "$IFNAME" $TCP_EXT_ARGS jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting_udp meta iifname "$IFNAME" $UDP_EXT_ARGS jump ss_spec_wan_ac_udp comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_prerouting meta iifname "$IFNAME" $TCP_EXT_ARGS jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
fi
fi
done
fi
case "$OUTPUT" in
1)
# Create ss_spec_output tcp chain
if ! $NFT list chain inet ss_spec ss_spec_output_tcp >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_output_tcp '{ type nat hook output priority 0; policy accept; }'
if ! $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_output '{ type nat hook output priority 0; policy accept; }'
fi
$NFT flush chain inet ss_spec ss_spec_output_tcp 2>/dev/null
$NFT flush chain inet ss_spec ss_spec_output 2>/dev/null
# Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_output_tcp >/dev/null 2>&1; then
if $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_output_tcp ip daddr $net return 2>/dev/null
$NFT add rule inet ss_spec ss_spec_output ip daddr $net return 2>/dev/null
done
fi
# Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_output_tcp >/dev/null 2>&1; then
#if $NFT list chain inet ss_spec ss_spec_output >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_output_tcp ip6 daddr $net return 2>/dev/null
# $NFT add rule inet ss_spec ss_spec_output ip6 daddr $net return 2>/dev/null
# done
#fi
# create output hook chain & route output traffic into router chain
$NFT add rule inet ss_spec ss_spec_output_tcp $TCP_EXT_ARGS jump ss_spec_wan_ac_tcp comment "\"$TAG\"" 2>/dev/null
# Create ss_spec_output udp chain
if ! $NFT list chain inet ss_spec ss_spec_output_udp >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_output_udp '{ type filter hook output priority -150; policy accept; }'
fi
$NFT flush chain inet ss_spec ss_spec_output_udp 2>/dev/null
# Exclude special local addresses
if $NFT list chain inet ss_spec ss_spec_output_udp >/dev/null 2>&1; then
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
$NFT add rule inet ss_spec ss_spec_output_udp ip daddr $net return 2>/dev/null
done
fi
# Temporarily comment IPV6 for future enablement
#if $NFT list chain inet ss_spec ss_spec_output_udp >/dev/null 2>&1; then
# for net in ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 ::ffff:0:0/96; do
# $NFT add rule inet ss_spec ss_spec_output_udp ip6 daddr $net return 2>/dev/null
# done
#fi
# create output hook chain & route output traffic into router chain
$NFT add rule inet ss_spec ss_spec_output_udp $UDP_EXT_ARGS meta mark set 0x01 comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_output $TCP_EXT_ARGS jump ss_spec_wan_ac comment "\"$TAG\"" 2>/dev/null
;;
2)
# Create ss_spec_output tcp chain
@@ -895,13 +766,13 @@ ac_rule_nft() {
for ip in $(gen_spec_iplist); do
[ -n "$ip" ] && $NFT add element inet ss_spec ssr_gen_router "{ $ip }" 2>/dev/null
done
$NFT add chain inet ss_spec ss_spec_router 2>/dev/null
if ! $NFT list chain inet ss_spec ss_spec_router >/dev/null 2>&1; then
$NFT add chain inet ss_spec ss_spec_router 2>/dev/null
fi
$NFT flush chain inet ss_spec ss_spec_router 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router ip daddr @ssr_gen_router return 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw_tcp 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw_udp 2>/dev/null
$NFT add rule inet ss_spec ss_spec_router jump ss_spec_wan_fw 2>/dev/null
$NFT add rule inet ss_spec ss_spec_output $TCP_EXT_ARGS jump ss_spec_router comment "\"$TAG\"" 2>/dev/null
$NFT add rule inet ss_spec ss_spec_output $UDP_EXT_ARGS meta mark set 0x01 comment "\"$TAG\"" 2>/dev/null
;;
esac
return 0
@@ -927,40 +798,48 @@ ac_rule_iptables() {
create ss_spec_lan_ac hash:net
$(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac $ip"; done)
EOF
# Block UDP port 443 when TPROXY not Enable
if [ -z "$TPROXY" ]; then
# Add UDP 443 block rule
if [ -z "$Interface" ]; then
$ipt -I PREROUTING 1 -p udp $EXT_ARGS $MATCH_SET --dport 443 -j DROP -m comment --comment "$TAG"
else
for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then
$ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET --dport 443 -j DROP -m comment --comment "$TAG"
fi
done
fi
fi
if [ -z "$Interface" ]; then
$IPT -I PREROUTING 1 -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_TCP
$ipt -I PREROUTING 1 -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_UDP
$IPT -I PREROUTING 1 -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC
else
for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
if [ -n "$IFNAME" ]; then
$IPT -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_TCP
$ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_UDP
$IPT -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p tcp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_WAN_AC
fi
done
fi
case "$OUTPUT" in
1)
$IPT -I OUTPUT 1 -p tcp $EXT_ARGS -m comment --comment "$TAG" -j SS_SPEC_WAN_AC_TCP
#$ipt -I OUTPUT 1 -p udp $EXT_ARGS -m comment --comment "$TAG" -j MARK --set-xmark 0x01/0x01
$IPT -I OUTPUT 1 -p tcp $EXT_ARGS -m comment --comment "$TAG" -j SS_SPEC_WAN_AC
;;
2)
ipset -! -R <<-EOF || return 1
create ssr_gen_router hash:net
$(gen_spec_iplist | sed -e "s/^/add ssr_gen_router /")
EOF
$IPT -N SS_SPEC_ROUTER_TCP 2>/dev/null
$IPT -F SS_SPEC_ROUTER_TCP 2>/dev/null
$IPT -A SS_SPEC_ROUTER_TCP -m set --match-set ssr_gen_router dst -j RETURN && \
$IPT -A SS_SPEC_ROUTER_TCP -j SS_SPEC_WAN_FW_TCP
$IPT -I OUTPUT 1 -p tcp -m comment --comment "$TAG" -j SS_SPEC_ROUTER_TCP
$ipt -N SS_SPEC_ROUTER_UDP 2>/dev/null
$ipt -F SS_SPEC_ROUTER_UDP 2>/dev/null
$ipt -A SS_SPEC_ROUTER_UDP -m set --match-set ssr_gen_router dst -j RETURN && \
$ipt -A SS_SPEC_ROUTER_UDP -j SS_SPEC_WAN_FW_UDP
#$ipt -I OUTPUT 1 -p udp -m comment --comment "$TAG" -j SS_SPEC_ROUTER_UDP
$IPT -N SS_SPEC_ROUTER 2>/dev/null
$IPT -F SS_SPEC_ROUTER 2>/dev/null
$IPT -A SS_SPEC_ROUTER -m set --match-set ssr_gen_router dst -j RETURN && \
$IPT -A SS_SPEC_ROUTER -j SS_SPEC_WAN_FW
$IPT -I OUTPUT 1 -p tcp -m comment --comment "$TAG" -j SS_SPEC_ROUTER
;;
esac
return $?
@@ -1102,7 +981,8 @@ tp_rule_nft() {
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @ss_spec_wan_ac return 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 drop 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 443 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip saddr @gmlan ip daddr != @china counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp $EXT_ARGS ip daddr != @ss_spec_wan_ac counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
;;
@@ -1111,7 +991,8 @@ tp_rule_nft() {
$NFT add set ip ss_spec_mangle gfwlist '{ type ipv4_addr; flags interval; auto-merge; }' 2>/dev/null
fi
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip daddr @china return 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 drop 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 80 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp udp dport 443 counter drop comment "\"$TAG\"" 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp $EXT_ARGS ip daddr @gfwlist counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
$NFT add rule ip ss_spec_mangle ss_spec_tproxy meta l4proto udp ip saddr @gmlan ip daddr != @china counter tproxy ip to :"$LOCAL_PORT" meta mark set 0x01 2>/dev/null
;;
@@ -1170,19 +1051,17 @@ tp_rule_iptables() {
fi
$ipt -N SS_SPEC_TPROXY 2>/dev/null
$ipt -F SS_SPEC_TPROXY
$ipt -N PREROUTING_UDP 2>/dev/null
$ipt -F PREROUTING_UDP
$ipt -A SS_SPEC_TPROXY -p udp --dport 53 -j RETURN
local MATCH_SET_UDP=""
local MATCH_SET=""
if [ -n "$LAN_AC_IP" ]; then
case "${LAN_AC_IP%${LAN_AC_IP#?}}" in
w | W)
MATCH_SET_UDP="-m set --match-set ss_spec_lan_ac_udp src"
MATCH_SET_UDP="-m set --match-set ss_spec_lan_ac src"
;;
b | B)
MATCH_SET_UDP="-m set ! --match-set ss_spec_lan_ac_udp src"
MATCH_SET_UDP="-m set ! --match-set ss_spec_lan_ac src"
;;
*)
loger 3 "Bad argument \`-a $LAN_AC_IP\`."
@@ -1191,8 +1070,8 @@ tp_rule_iptables() {
esac
fi
ipset -! -R <<-EOF || return 1
create ss_spec_lan_ac_udp hash:net
$(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac_udp $ip"; done)
create ss_spec_lan_ac hash:net
$(for ip in ${LAN_AC_IP#?}; do echo "add ss_spec_lan_ac $ip"; done)
EOF
for net in \
@@ -1219,12 +1098,14 @@ tp_rule_iptables() {
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set ss_spec_wan_ac dst -j RETURN
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_TPROXY -p udp --dport 80 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp --dport 443 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
$ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set ! --match-set ss_spec_wan_ac dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
;;
gfw)
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN
$ipt -A SS_SPEC_TPROXY -p udp --dport 80 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp --dport 443 -j DROP
$ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set gfwlist dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
$ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01
;;
@@ -1238,12 +1119,12 @@ tp_rule_iptables() {
;;
esac
if [ -z "$Interface" ]; then
$ipt -I PREROUTING_UDP 1 -p udp $EXT_ARGS $MATCH_SET_UDP -m comment --comment "$TAG" -j SS_SPEC_TPROXY
$ipt -I PREROUTING 1 -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_TPROXY
else
for name in $Interface; do
local IFNAME=$(uci -P /var/state get network."$name".ifname 2>/dev/null)
[ -z "$IFNAME" ] && IFNAME=$(uci -P /var/state get network."$name".device 2>/dev/null)
[ -n "$IFNAME" ] && $ipt -I PREROUTING_UDP 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET_UDP -m comment --comment "$TAG" -j SS_SPEC_TPROXY
[ -n "$IFNAME" ] && $ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET -m comment --comment "$TAG" -j SS_SPEC_TPROXY
done
fi
return $?

60
shadowsocks-rust/Makefile
View File

@@ -1,7 +1,7 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2017-2020 Yousong Zhou <yszhou4tech@gmail.com>
# Copyright (C) 2021-2023 ImmortalWrt.org
# Copyright (C) 2021 ImmortalWrt.org
include $(TOPDIR)/rules.mk
@@ -9,21 +9,54 @@ PKG_NAME:=shadowsocks-rust
PKG_VERSION:=1.24.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/shadowsocks/shadowsocks-rust/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=a89865d1c5203de1b732017dd032e85f943d1592e8d3152eb7d2c4f3fca387bf
PKG_SOURCE_HEADER:=shadowsocks-v$(PKG_VERSION)
PKG_SOURCE_BODY:=unknown-linux-musl
PKG_SOURCE_FOOTER:=tar.xz
ifeq ($(filter $(ARCH),mips mipsel),)
PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-rust/releases/download/v$(PKG_VERSION)/
else
PKG_SOURCE_URL:=https://github.com/sbwml/shadowsocks-rust-mips/releases/download/v$(PKG_VERSION)/
endif
ifeq ($(ARCH),aarch64)
PKG_SOURCE:=$(PKG_SOURCE_HEADER).aarch64-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
PKG_HASH:=e00b6551f40bb2d61adb2503909e0df6550c022372c812f3f34350510797ef2f
else ifeq ($(ARCH),arm)
# Referred to golang/golang-values.mk
ARM_CPU_FEATURES:=$(word 2,$(subst +,$(space),$(call qstrip,$(CONFIG_CPU_TYPE))))
ifeq ($(ARM_CPU_FEATURES),)
PKG_SOURCE:=$(PKG_SOURCE_HEADER).arm-$(PKG_SOURCE_BODY)eabi.$(PKG_SOURCE_FOOTER)
PKG_HASH:=b00694ac484eaf994408c874c70e1d3392d1654cf3d9391ddf2b589bbee9106c
else
PKG_SOURCE:=$(PKG_SOURCE_HEADER).arm-$(PKG_SOURCE_BODY)eabihf.$(PKG_SOURCE_FOOTER)
PKG_HASH:=db56c8e64ce3651907c31fe6a585a68e4c4576c8379f50d82be31d79ba8d00ad
endif
else ifeq ($(ARCH),i386)
PKG_SOURCE:=$(PKG_SOURCE_HEADER).i686-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
PKG_HASH:=a9aabb4209a8f29afabddb2aaaa8a38d8f604fd0075250d61bd594bb10ae38c7
else ifeq ($(ARCH),x86_64)
PKG_SOURCE:=$(PKG_SOURCE_HEADER).x86_64-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
PKG_HASH:=0d84f5f350ec99396867d718f146fc3810975b2a7cd06192f158d96bdef460e7
else ifeq ($(ARCH),mips)
PKG_SOURCE:=$(PKG_SOURCE_HEADER).mips-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
PKG_HASH:=40319c20934121e8d5df90e54cd2b41e064a3487f180f6924ac42ba3cbcebe4f
else ifeq ($(ARCH),mipsel)
PKG_SOURCE:=$(PKG_SOURCE_HEADER).mipsel-$(PKG_SOURCE_BODY).$(PKG_SOURCE_FOOTER)
PKG_HASH:=d51792a5b4f6a28bb2e8b07e2f39a60535d1ede9d1973a257c5751a991e26ac8
# Set the default value to make OpenWrt Package Checker happy
else
PKG_SOURCE:=dummy
PKG_HASH:=dummy
endif
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
PKG_BUILD_DEPENDS:=rust/host
PKG_BUILD_PARALLEL:=1
RUST_PKG_FEATURES:=local-redir
include $(INCLUDE_DIR)/package.mk
include $(TOPDIR)/feeds/packages/lang/rust/rust-package.mk
TAR_CMD:=$(HOST_TAR) -C $(PKG_BUILD_DIR) $(TAR_OPTIONS)
define Package/shadowsocks-rust/Default
define Package/shadowsocks-rust-$(1)
@@ -32,12 +65,12 @@ define Package/shadowsocks-rust/Default
SUBMENU:=Web Servers/Proxies
TITLE:=shadowsocks-rust $(1)
URL:=https://github.com/shadowsocks/shadowsocks-rust
DEPENDS:=$$(RUST_ARCH_DEPENDS)
DEPENDS:=@(aarch64||arm||i386||mips||mipsel||x86_64)
endef
define Package/shadowsocks-rust-$(1)/install
$$(INSTALL_DIR) $$(1)/usr/bin
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/bin/$(1) $$(1)/usr/bin/
$$(INSTALL_BIN) $$(PKG_BUILD_DIR)/$(1) $$(1)/usr/bin
endef
endef
@@ -49,6 +82,9 @@ define shadowsocks-rust/templates
endef
$(eval $(call shadowsocks-rust/templates))
define Build/Compile
endef
$(foreach component,$(SHADOWSOCKS_COMPONENTS), \
$(eval $(call BuildPackage,shadowsocks-rust-$(component))) \
)