shadowsocks-libev: ss-rules: new bool option --dst-forward-recentrst
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
parent
4ca3a7fcec
commit
d6d0a7612a
@ -14,7 +14,7 @@ include $(TOPDIR)/rules.mk
|
|||
#
|
||||
PKG_NAME:=shadowsocks-libev
|
||||
PKG_VERSION:=3.0.8
|
||||
PKG_RELEASE:=7
|
||||
PKG_RELEASE:=8
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
|
||||
|
|
|
@ -67,9 +67,11 @@ We can have multiple instances of component and `server` sections. The relation
|
|||
|
||||
local_default [bypass], forward, checkdst
|
||||
|
||||
Bool option `dst_forward_recentrst` requires iptables/netfilter `recent` match module (`opkg install iptables-mod-conntrack-extra`). When enabled, `ss-rules` will setup iptables rules to forward through `ss-redir` those packets whose destination have recently sent to us multiple tcp-rst.
|
||||
|
||||
ss-rules uses kernel ipset mechanism for storing addresses/networks. Those ipsets are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin ipset support. For more details please read output of `ss-rules --help`
|
||||
|
||||
Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Names are retained for backward compatibility coniderations
|
||||
Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Option names are retained in its current form for backward compatibility coniderations
|
||||
|
||||
## notes and faq
|
||||
|
||||
|
|
|
@ -147,6 +147,7 @@ ss_rules() {
|
|||
local bin="$ss_bindir/ss-rules"
|
||||
local cfgtype
|
||||
local local_port_tcp local_port_udp
|
||||
local args
|
||||
|
||||
[ -x "$bin" ] || return 1
|
||||
config_get cfgtype "$cfg" TYPE
|
||||
|
@ -160,6 +161,7 @@ ss_rules() {
|
|||
eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
|
||||
[ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
|
||||
ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
|
||||
[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
|
||||
|
||||
"$bin" \
|
||||
-s "$ss_redir_servers" \
|
||||
|
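Review bot: The gate `[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"` turns the feature on for every value except the literal `0`, which includes an unset or empty variable and the other spellings a `bool` validator may accept (`off`, `false`, `no`); whether `validate_ss_rules_section` (its `dst_forward_recentrst:bool:0` entry is in a later hunk) normalizes those to `0`/`1` before this line runs cannot be told from here, so please confirm, or match the accepted false spellings explicitly in a `case` so an unvalidated or oddly spelled value fails closed. A one-line comment on the unquoted `$args \` in the invocation hunk, e.g. `# $args is intentionally unquoted so each option becomes its own word`, would document why that argument is not quoted like the others. The enclosing ss_rules() starts and ends outside this hunk.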
@ -177,6 +179,7 @@ ss_rules() {
|
|||
--src-checkdst "$src_ips_checkdst" \
|
||||
--ifnames "$ifnames" \
|
||||
--ipt-extra "$ipt_args" \
|
||||
$args \
|
||||
|| "$bin" -f
|
||||
}
|
||||
|
||||
|
@ -294,6 +297,7 @@ validate_ss_rules_section() {
|
|||
'src_default:or("bypass", "forward", "checkdst"):checkdst' \
|
||||
'dst_default:or("bypass", "forward"):bypass' \
|
||||
'local_default:or("bypass", "forward", "checkdst"):bypass' \
|
||||
'dst_forward_recentrst:bool:0' \
|
||||
'ifnames:list(maxlength(15))' \
|
||||
'ipt_args:string'
|
||||
}
|
||||
|
|
|
@ -33,6 +33,9 @@ Usage: ss-rules [options]
|
|||
--dst-forward-file <file>
|
||||
--dst-default <bypass|forward>
|
||||
Same as with their --src-xx equivalent
|
||||
--dst-forward-recentrst
|
||||
Forward those packets whose destinations have recently
|
||||
sent to us multiple tcp-rst packets
|
||||
--local-default <bypass|forward|checkdst>
|
||||
Default action for local out TCP traffic
|
||||
|
||||
|
@ -94,6 +97,7 @@ ss_rules_parse_args() {
|
|||
--src-checkdst) o_src_checkdst="$2"; shift 2;;
|
||||
--dst-bypass) o_dst_bypass="$2"; shift 2;;
|
||||
--dst-forward) o_dst_forward="$2"; shift 2;;
|
||||
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
||||
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
||||
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
||||
*) __errmsg "unknown option $1"; return 1;;
|
||||
|
@ -104,6 +108,10 @@ ss_rules_parse_args() {
|
|||
__errmsg "Requires at least -l or -L option"
|
||||
return 1
|
||||
fi
|
||||
if [ -n "$o_dst_forward_recentrst" ] && ! iptables -m recent -h >/dev/null; then
|
||||
__errmsg "Please install iptables-mod-conntrack-extra with opkg"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
ss_rules_flush() {
|
||||
|
@ -125,6 +133,7 @@ ss_rules_ipset_init() {
|
|||
create ss_rules_dst_bypass hash:net hashsize 64
|
||||
create ss_rules_dst_bypass_ hash:net hashsize 64
|
||||
create ss_rules_dst_forward hash:net hashsize 64
|
||||
create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
|
||||
$(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
|
||||
$(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
|
||||
$(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
|
||||
|
@ -151,8 +160,6 @@ ss_rules_iptchains_init() {
|
|||
ss_rules_iptchains_init_tcp() {
|
||||
local ipt="iptables -t nat"
|
||||
local local_target
|
||||
local forward_rules
|
||||
local r
|
||||
|
||||
[ -n "$o_redir_tcp_port" ] || return 0
|
||||
|
||||
|
@ -184,10 +191,22 @@ ss_rules_iptchains_init_() {
|
|||
local proto="$2"
|
||||
local forward_rules
|
||||
local src_default_target dst_default_target
|
||||
local recentrst_mangle_rules recentrst_addset_rules
|
||||
|
||||
case "$proto" in
|
||||
tcp)
|
||||
forward_rules="-A ss_rules_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||
recentrst_mangle_rules="
|
||||
*mangle
|
||||
-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules_recentrst --set --rsource
|
||||
COMMIT
|
||||
"
|
||||
recentrst_addset_rules="
|
||||
-A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
|
||||
-A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward
|
||||
"
|
||||
fi
|
||||
;;
|
||||
udp)
|
||||
ip rule add fwmark 1 lookup 100
|
||||
|
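Review bot: The mangle rule `-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules_recentrst --set --rsource` records the source of every inbound RST on every interface, with no interface or connection-state qualifier, so the `ss_rules_recentrst` list and, after three hits within `--seconds 3`, the hour-long `ss_rules_dst_forward_recentrst_` ipset are populated by unauthenticated packets from any reachable host; restricting it with `-m conntrack --ctstate ESTABLISHED` (or to the upstream interface) would confine the heuristic to RSTs belonging to connections this router actually opened. Because the rules are loaded with `iptables-restore --noflush` and inserted at position 1, each re-application adds another identical PREROUTING rule unless `ss_rules_flush` (declared in an earlier hunk, body not visible) also deletes the mangle rule and the recent list; please confirm it does. The enclosing ss_rules_iptchains_init_() starts and ends outside this hunk.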
@ -204,7 +223,7 @@ ss_rules_iptchains_init_() {
|
|||
forward) dst_default_target=ss_rules_forward ;;
|
||||
bypass|*) dst_default_target=RETURN ;;
|
||||
esac
|
||||
iptables-restore --noflush <<-EOF
|
||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore --noflush
|
||||
*$table
|
||||
:ss_rules_pre_src -
|
||||
:ss_rules_src -
|
||||
|
@ -219,9 +238,11 @@ ss_rules_iptchains_init_() {
|
|||
-A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||
-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||
-A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward
|
||||
$recentrst_addset_rules
|
||||
-A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||
$forward_rules
|
||||
COMMIT
|
||||
$recentrst_mangle_rules
|
||||
EOF
|
||||
}
|
||||
|
||||
|
|