From 06a28d422708ab9c2222109a1e5249a4849bcb38 Mon Sep 17 00:00:00 2001
From: Ycarus
Date: Mon, 22 Oct 2018 15:44:36 +0200
Subject: [PATCH] Better iptables rules for omr-bypass
---
 .../root/etc/firewall.omr-bypass | 2 +
 .../root/etc/init.d/omr-bypass | 73 +++++++++----------
 .../root/etc/uci-defaults/41_omr-bypass | 10 +++
 .../share/omr/post-tracking.d/post-tracking | 2 -
 .../files/shadowsocks-libev.init | 9 +--
 shadowsocks-libev/files/ss-rules.defaults | 9 ---
 shadowsocks-libev/files/ss-rules6 | 4 +-
 7 files changed, 50 insertions(+), 59 deletions(-)
 create mode 100644 luci-app-omr-bypass/root/etc/firewall.omr-bypass
diff --git a/luci-app-omr-bypass/root/etc/firewall.omr-bypass b/luci-app-omr-bypass/root/etc/firewall.omr-bypass
new file mode 100644
index 000000000..db51db601
--- /dev/null
+++ b/luci-app-omr-bypass/root/etc/firewall.omr-bypass
@@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/omr-bypass restart
diff --git a/luci-app-omr-bypass/root/etc/init.d/omr-bypass b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
index bb2241dcc..fda8b1993 100755
--- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass
+++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
@@ -14,9 +14,9 @@ _bypass_ip() {
 valid_ip4=$( valid_subnet4 $ip)
 valid_ip6=$( valid_subnet6 $ip)
 if [ "$valid_ip4" = "ok" ]; then
- ipset -q add ss_rules_dst_bypass_$type $ip
+ ipset -q add omr_rules_dst_bypass_$type $ip
 elif [ "$valid_ip6" = "ok" ]; then
- ipset -q add ss_rules6_dst_bypass_$type $ip
+ ipset -q add omr_rules6_dst_bypass_$type $ip
 fi
 }
@@ -36,7 +36,7 @@ _bypass_domain() {
 for ip in $resolve; do
 _bypass_ip $ip $intf
 done
- uci -q add_list dhcp.@dnsmasq[0].ipset="/$domain/ss_rules_dst_bypass_$intf,ss_rules6_dst_bypass_$intf"
+ uci -q add_list dhcp.@dnsmasq[0].ipset="/$domain/omr_rules_dst_bypass_$intf,omr_rules6_dst_bypass_$intf"
 fi
 }
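Review bot: The renamed `uci -q add_list dhcp.@dnsmasq[0].ipset="/$domain/omr_rules_dst_bypass_$intf,omr_rules6_dst_bypass_$intf"` line in `_bypass_domain` appends a new list entry on every service start, and this commit makes starts more frequent (firewall include with reload=1, the `restart` added to `rules_up` in shadowsocks-libev.init), so the dnsmasq ipset option will accumulate duplicate `/domain/...` entries unless an earlier part of `start_service` clears it first; that part is outside these hunks, so please confirm. If there is no such reset, a `uci -q delete dhcp.@dnsmasq[0].ipset` before the `config_foreach _bypass_domain domains` call keeps the list bounded. `_bypass_domain` begins before this hunk.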
@@ -50,7 +50,6 @@ _bypass_proto() {
 [ -z "$intf" ] && intf="all"
 [ -z "$proto" ] && return
 if [ "$intf" = "all" ]; then
- echo "Add $proto"
 iptables-restore --wait=60 --noflush <<-EOF
 *mangle
 -A omr-bypass-dpi -m ndpi --$proto -j MARK --set-mark 0x539
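Review bot: `$proto` is expanded unquoted into the `iptables-restore` heredoc as a match option (`-m ndpi --$proto`), so a configuration value containing whitespace or a newline becomes additional ruleset text instead of a single option, and the `[ -z "$proto" ] && return` guard only rejects the empty case. A whitelist check before the heredoc, e.g. `case "$proto" in *[!A-Za-z0-9_-]*|"") return ;; esac`, limits the value to one plain token. Where `$proto` is read from is above this hunk, so I am assuming it is a `config_get` value; `_bypass_proto` starts before the hunk and continues past it.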
@@ -83,49 +82,49 @@ _intf_rule() {
 config_get mode $1 multipath "off"
 [ "$mode" = "off" ] && return
 [ "$(echo $1 | grep _dev)" != "" ] && return
- ipset -q flush ss_rules_dst_bypass_$intf > /dev/null 2>&1
- ipset -q flush ss_rules6_dst_bypass_$intf > /dev/null 2>&1
+ ipset -q flush omr_rules_dst_bypass_$intf > /dev/null 2>&1
+ ipset -q flush omr_rules6_dst_bypass_$intf > /dev/null 2>&1
 ipset -q --exist restore <<-EOF
- create ss_rules_dst_bypass_$intf hash:net hashsize 64
- create ss_rules6_dst_bypass_$intf hash:net family inet6 hashsize 64
+ create omr_rules_dst_bypass_$intf hash:net hashsize 64
+ create omr_rules6_dst_bypass_$intf hash:net family inet6 hashsize 64
 EOF
 ip rule add prio 1 fwmark 0x539$count lookup $count > /dev/null 2>&1
 ip -6 rule add prio 1 fwmark 0x539$count lookup $count > /dev/null 2>&1
- if [ "$(iptables -w 40 -t mangle -L | grep ss_rules_dst_bypass_$intf)" = "" ]; then
+ if [ "$(iptables -w 40 -t mangle -L | grep omr_rules_dst_bypass_$intf)" = "" ]; then
 iptables-restore --wait=60 --noflush <<-EOF
 *mangle
- -I PREROUTING 1 -m set --match-set ss_rules_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
+ -I PREROUTING 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
 COMMIT
 EOF
 fi
- if [ "$(iptables -w 40 -t nat -L | grep ss_rules_pre_src)" != "" ] && [ "$(iptables -w 40 -t nat -L | grep ss_rules_dst_bypass_$intf)" = "" ]; then
+ if [ "$(iptables -w 40 -t nat -L | grep ss_rules_pre_src)" != "" ] && [ "$(iptables -w 40 -t nat -L | grep omr_rules_dst_bypass_$intf)" = "" ]; then
 echo "add nat rules..."
iptables-restore --wait=60 --noflush <<-EOF
 *nat
- -I ss_rules_dst 1 -m set --match-set ss_rules_dst_bypass_$intf dst -j RETURN
- -I ss_rules_local_out 1 -m set --match-set ss_rules_dst_bypass_$intf dst -j RETURN
+ -I ss_rules_dst 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j RETURN
+ -I ss_rules_local_out 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j RETURN
 -I ss_rules_local_out 2 -m mark --mark 0x539$count -j RETURN
- -I ss_rules_pre_src 1 -m set --match-set ss_rules_dst_bypass_$intf dst -j MARK --set-xmark 0x539$count
- -I ss_rules_pre_src 2 -m set --match-set ss_rules_dst_bypass_$intf dst -j RETURN
+ -I ss_rules_pre_src 1 -m set --match-set omr_rules_dst_bypass_$intf dst -j MARK --set-xmark 0x539$count
+ -I ss_rules_pre_src 2 -m set --match-set omr_rules_dst_bypass_$intf dst -j RETURN
 -I ss_rules_pre_src 3 -m mark --mark 0x539$count -j RETURN
 COMMIT
 EOF
 fi
- if [ "$(ip6tables -w 40 -t mangle -L | grep ss_rules6_dst_bypass_$intf)" = "" ]; then
+ if [ "$(ip6tables -w 40 -t mangle -L | grep omr_rules6_dst_bypass_$intf)" = "" ]; then
 ip6tables-restore --wait=60 --noflush <<-EOF
 *mangle
- -I PREROUTING 1 -m set --match-set ss_rules6_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
+ -I PREROUTING 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
 COMMIT
 EOF
 fi
- if [ "$(ip6tables -w 40 -t nat -L | grep ss_rules6_pre_src)" != "" ] && [ "$(ip6tables -w 40 -t nat -L | grep ss_rules6_dst_bypass_$intf)" = "" ]; then
+ if [ "$(ip6tables -w 40 -t nat -L | grep ss_rules6_pre_src)" != "" ] && [ "$(ip6tables -w 40 -t nat -L | grep omr_rules6_dst_bypass_$intf)" = "" ]; then
 ip6tables-restore --wait=60 --noflush <<-EOF
 *nat
- -I ss_rules6_dst 1 -m set --match-set ss_rules6_dst_bypass_$intf dst -j RETURN
- -I ss_rules6_local_out 1 -m set --match-set ss_rules6_dst_bypass_$intf dst -j RETURN
+ -I ss_rules6_dst 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j RETURN
+ -I ss_rules6_local_out 1 -m set --match-set 
omr_rules6_dst_bypass_$intf dst -j RETURN
 -I ss_rules6_local_out 2 -m mark --mark 0x539$count -j RETURN
- -I ss_rules6_pre_src 1 -m set --match-set ss_rules6_dst_bypass_$intf dst -j MARK --set-xmark 0x539$count
- -I ss_rules6_pre_src 2 -m set --match-set ss_rules6_dst_bypass_$intf dst -j RETURN
+ -I ss_rules6_pre_src 1 -m set --match-set omr_rules6_dst_bypass_$intf dst -j MARK --set-xmark 0x539$count
+ -I ss_rules6_pre_src 2 -m set --match-set omr_rules6_dst_bypass_$intf dst -j RETURN
 -I ss_rules6_pre_src 3 -m mark --mark 0x539$count -j RETURN
 COMMIT
 EOF
@@ -145,11 +144,11 @@ _bypass_ip_set() {
 start_service() {
 local count
 logger -t "omr-bypass" "Starting OMR-ByPass..."
- ipset -q flush ss_rules_dst_bypass_all > /dev/null 2>&1
- ipset -q flush ss_rules6_dst_bypass_all > /dev/null 2>&1
+ ipset -q flush omr_rules_dst_bypass_all > /dev/null 2>&1
+ ipset -q flush omr_rules6_dst_bypass_all > /dev/null 2>&1
 ipset -q --exist restore <<-EOF
- create ss_rules_dst_bypass_all hash:net hashsize 64
- create ss_rules6_dst_bypass_all hash:net family inet6 hashsize 64
+ create omr_rules_dst_bypass_all hash:net hashsize 64
+ create omr_rules6_dst_bypass_all hash:net family inet6 hashsize 64
 EOF
 config_load network
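Review bot: The existence checks `iptables -w 40 -t mangle -L | grep omr_rules_dst_bypass_$intf` (and the nat and ip6tables variants in this hunk) match by substring, so when one interface name is a prefix of another (constructed example: `wan` and `wan2`) the check for the shorter name sees the longer name's rule and silently skips inserting its own; the `ss_` names had the same problem, but the renamed lines are the right place to fix it. Matching the whole token, `grep -w "omr_rules_dst_bypass_$intf"`, or the `'match-set ... dst MARK set'` form that `start_service` already uses, removes the false positive, and adding `-n` to the `-L` calls avoids reverse-DNS lookups that slow the check down under the xtables lock. `_intf_rule` begins before this hunk.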
@@ -162,35 +161,33 @@ start_service() {
 config_foreach _bypass_domain domains
 uci -q commit dhcp
 /etc/init.d/dnsmasq reload
- #config_foreach _bypass_proto dpis
 ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
 ip -6 rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
- if [ "$(iptables -w 40 -t mangle -L | grep 'match-set ss_rules_dst_bypass_all dst MARK set')" = "" ]; then
+ if [ "$(iptables -w 40 -t mangle -L | grep 'match-set omr_rules_dst_bypass_all dst MARK set')" = "" ]; then
 iptables-restore --wait=60 --noflush <<-EOF
 *mangle
- -A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
+ -A PREROUTING -m set --match-set omr_rules_dst_bypass_all dst -j MARK --set-mark 0x539
 COMMIT
 EOF
 fi
- if [ "$(ip6tables -w 40 -t mangle -L | grep 'match-set ss_rules6_dst_bypass_all dst MARK set')" = "" ]; then
+ if [ "$(ip6tables -w 40 -t mangle -L | grep 'match-set omr_rules6_dst_bypass_all dst MARK set')" = "" ]; then
 ip6tables-restore --wait=60 --noflush <<-EOF
 *mangle
- -A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
+ -A PREROUTING -m set --match-set omr_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
 COMMIT
 EOF
 fi
 iptables-save --counters | grep -v omr-bypass-dpi | iptables-restore --counters
 ip6tables-save --counters | grep -v omr-bypass-dpi | ip6tables-restore --counters
- ndpi_rules=$(echo $ndpi_rules | awk 'NF')
- #iptables-restore --wait=60 --noflush <<-EOF
- #*mangle
- #:omr-bypass-dpi -
- #-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass-dpi
- #COMMIT
- #EOF
+ iptables-restore --wait=60 --noflush <<-EOF
+ *mangle
+ :omr-bypass-dpi -
+ -A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass-dpi
+ COMMIT
+ EOF
 ip6tables-restore --wait=60 --noflush <<-EOF
 *mangle
 :omr-bypass-dpi -
diff --git a/luci-app-omr-bypass/root/etc/uci-defaults/41_omr-bypass b/luci-app-omr-bypass/root/etc/uci-defaults/41_omr-bypass
index d75998031..7988fd79c 100644
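Review bot: The re-enabled heredoc that declares `:omr-bypass-dpi -` and appends `-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass-dpi` is unconditional, unlike the two guarded `--set-mark 0x539` inserts just above it, so it is idempotent only because the preceding `iptables-save --counters | grep -v omr-bypass-dpi | iptables-restore --counters` pipeline strips the old chain and jump first. That pipeline runs without `--wait`, so if it loses the xtables lock the old rules survive and every restart appends one more jump to PREROUTING; guarding the heredoc the same way as the others, `if [ "$(iptables -w 40 -t mangle -L PREROUTING -n | grep omr-bypass-dpi)" = "" ]; then`, removes that dependency. As far as this hunk shows the chain is hooked in but nothing populates it (the `_bypass_proto` loop stays disabled), which is worth a one-line comment if intentional. `start_service` continues past this hunk.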
--- a/luci-app-omr-bypass/root/etc/uci-defaults/41_omr-bypass
+++ b/luci-app-omr-bypass/root/etc/uci-defaults/41_omr-bypass
@@ -54,5 +54,15 @@ if [ "$(uci -q get ucitrack.@shadowsocks-libev[-1].affects | grep omr-bypass)" =
 add_list ucitrack.@shadowsocks-libev[-1].affects=omr-bypass
 EOF
 fi
+s=firewall.omr-bypass
+uci get "$s" >/dev/null || {
+ uci batch <<-EOF
+ set $s=include
+ set $s.path=/etc/firewall.omr-bypass
+ set $s.reload=1
+ commit firewall
+ EOF
+}
+
 rm -f /tmp/luci-indexcache
 exit 0
diff --git a/mptcp/files/usr/share/omr/post-tracking.d/post-tracking b/mptcp/files/usr/share/omr/post-tracking.d/post-tracking
index 472f53980..acd87eb5e 100755
--- a/mptcp/files/usr/share/omr/post-tracking.d/post-tracking
+++ b/mptcp/files/usr/share/omr/post-tracking.d/post-tracking
@@ -166,7 +166,6 @@ if [ "$OMR_TRACKER_STATUS" = "ERROR" ]; then
 if /etc/init.d/shadowsocks-libev rules_exist ; then
 /etc/init.d/shadowsocks-libev rules_down
 /etc/init.d/shadowsocks-libev rules_up
- /etc/init.d/omr-bypass reload >/dev/null 2>&1
 fi
 fi
 fi
@@ -184,7 +183,6 @@ if [ "$OMR_TRACKER_INTERFACE" = "glorytun" ] || [ "$OMR_TRACKER_INTERFACE" = "om
 if /etc/init.d/shadowsocks-libev rules_exist ; then
 /etc/init.d/shadowsocks-libev rules_down
 /etc/init.d/shadowsocks-libev rules_up
- /etc/init.d/omr-bypass reload >/dev/null 2>&1
 fi
 fi
diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init
index acd387bdf..320e534e9 100644
--- a/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/shadowsocks-libev/files/shadowsocks-libev.init
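Review bot: With `set $s.reload=1` the new include (`/etc/firewall.omr-bypass`, which runs `/etc/init.d/omr-bypass restart`) fires on every firewall reload, the ucitrack `affects=omr-bypass` entry just above is meant to trigger it on shadowsocks-libev changes, and `rules_up` in shadowsocks-libev.init now restarts it as well, so a single configuration change can restart the service several times back to back; each restart flushes the bypass ipsets and rewrites the ruleset, and during that window bypass destinations fall through to the proxy. Please decide whether the include alone is sufficient, or at least document the intended trigger with a comment such as `# fw3 reload flushes our mangle/nat rules; the include re-applies them`. Separately, `uci get "$s" >/dev/null` still prints an error to stderr on the first run; `uci -q get "$s" >/dev/null` keeps the defaults script quiet.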
@@ -308,20 +308,12 @@ start_service() {
 config_foreach ss_xxx "$cfgtype" "$cfgtype"
 done
 rules_up
- #ss_rules
- #ss_rules6
- [ -f /etc/init.d/omr-bypass ] && /etc/init.d/omr-bypass restart
 # Add rule to match traffic marked by firewall for bypass
 ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
 }
 stop_service() {
- #local bin="$ss_bindir/ss-rules"
- #[ -x "$bin" ] && "$bin" -f
- #local bin6="$ss_bindir/ss-rules6"
- #[ -x "$bin6" ] && "$bin6" -f
 rules_down
- [ -f /etc/init.d/omr-bypass ] && /etc/init.d/omr-bypass restart
 rm -rf "$ss_confdir"
 }
@@ -344,6 +336,7 @@ rules_up() {
 done
 ss_rules
 ss_rules6
+ [ -f /etc/init.d/omr-bypass ] && /etc/init.d/omr-bypass restart
 }
 rules_down() {
diff --git a/shadowsocks-libev/files/ss-rules.defaults b/shadowsocks-libev/files/ss-rules.defaults
index 8c643c92a..20c95de4c 100755
--- a/shadowsocks-libev/files/ss-rules.defaults
+++ b/shadowsocks-libev/files/ss-rules.defaults
@@ -9,12 +9,3 @@ uci get "$s" >/dev/null || {
 commit firewall
 EOF
 }
-#s=firewall.ss_rules6
-#uci get "$s" >/dev/null || {
-# uci batch <<-EOF
-# set $s=include
-# set $s.path=/etc/firewall.ss-rules6
-# set $s.reload=1
-# commit firewall
-# EOF
-#}
diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6
index 4d179e08d..9cd446a40 100755
--- a/shadowsocks-libev/files/ss-rules6
+++ b/shadowsocks-libev/files/ss-rules6
@@ -174,7 +174,7 @@ ss_rules6_iptchains_init_tcp() {
 -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
- -A ss_rules6_local_out -m mark ! --mark 0 -j RETURN
+ -A ss_rules6_local_out -m mark --mark 0x539 -j RETURN
 -A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
 COMMIT
 EOF
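Review bot: Moving `[ -f /etc/init.d/omr-bypass ] && /etc/init.d/omr-bypass restart` to the end of `rules_up` fixes the ordering (omr-bypass inserts into `ss_rules_dst`/`ss_rules_pre_src`, which exist only after `ss_rules` has run), but `rules_up` is also the path post-tracking takes on every tracker error, where this commit drops the lighter `omr-bypass reload`; each tracker event is now a full restart that flushes and repopulates the bypass ipsets and reloads dnsmasq, so a flapping interface repeatedly tears down bypass state. If that is acceptable, a comment on the new line such as `# must run after ss_rules/ss_rules6: omr-bypass inserts into the ss_rules* nat chains` would explain the placement; if not, using `reload` here needs omr-bypass to implement `reload_service`, which is not visible in this diff. `-x` is also the more accurate test than `-f` for an init script.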
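Review bot: Replacing `-m mark ! --mark 0 -j RETURN` with `-m mark --mark 0x539 -j RETURN` in `ss_rules6_local_out` (and the same change in `ss_rules6_pre_src` in the next hunk) narrows the exemption from "any marked packet" to an exact 32-bit match on 0x539, so the per-interface marks `0x539$count` set by `_intf_rule` are no longer covered here and depend entirely on the `-I ss_rules6_local_out 2 -m mark --mark 0x539$count -j RETURN` rules that omr-bypass inserts afterwards; if that insert fails (lock timeout, chain missing), per-interface bypass traffic is now redirected to the proxy instead of passing through. That is a deliberate tightening against unrelated marks and deserves a comment on the changed line, e.g. `# only the omr-bypass mark exempts traffic; per-interface marks are exempted by rules omr-bypass inserts`. If the IPv4 `ss-rules` still uses `! --mark 0`, the two families now behave differently; that file is not in this diff.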
@@ -234,7 +234,7 @@ ss_rules6_iptchains_init_() {
 -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
 -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
- -A ss_rules6_pre_src -m mark ! --mark 0 -j RETURN
+ -A ss_rules6_pre_src -m mark --mark 0x539 -j RETURN
 -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 -A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src