diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile index b06d7921a..956860181 100644 --- a/shadowsocks-libev/Makefile +++ b/shadowsocks-libev/Makefile @@ -104,6 +104,12 @@ uci batch <<-EOF delete $$s commit firewall EOF +s=firewall.ss_rules6 +uci get "$$s" >/dev/null || exit 0 +uci batch <<-EOF + delete $$s + commit firewall +EOF endef define Build/Prepare diff --git a/shadowsocks-libev/files/ss-rules b/shadowsocks-libev/files/ss-rules index 7eb171a9f..7ca563cf5 100755 --- a/shadowsocks-libev/files/ss-rules +++ b/shadowsocks-libev/files/ss-rules @@ -136,10 +136,10 @@ ss_rules_ipset_init() { create ss_rules_dst_forward hash:net hashsize 64 create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600 $(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers") + $(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')") $(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass") $(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward") $(ss_rules_ipset_mkadd ss_rules_src_checkdst "$o_src_checkdst") - $(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')") $(ss_rules_ipset_mkadd ss_rules_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')") EOF } @@ -176,6 +176,7 @@ ss_rules_iptchains_init_tcp() { :ss_rules_local_out - -I OUTPUT 1 -p tcp -j ss_rules_local_out -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN + -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN -A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default" COMMIT EOF 
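Review bot: In the Makefile hunk at -104, the new `firewall.ss_rules6` cleanup only runs if the script has not already exited, and its guard `uci get "$$s" >/dev/null || exit 0` suggests the preceding `firewall.ss_rules` block uses the same early exit. That block starts above the hunk, so this needs confirming; if it does exit early, a system where `firewall.ss_rules` is already absent never deletes `firewall.ss_rules6` and a stale firewall include stays in the config. Guarding each block on its own avoids this, for example `if uci -q get "$$s" >/dev/null; then … fi` around each `uci batch`, which is the shape this commit gives ss-rules.defaults. The `-q` also keeps the expected not-found message off stderr.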
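Review bot: The `grep -o` on the moved `ss_rules_dst_bypass` line in ss_rules_ipset_init (ss-rules, hunk at -136) keeps only the dotted quad, so an entry such as `192.0.2.0/24` in `$o_dst_bypass_file` is added as the single address `192.0.2.0` and the rest of that network is not bypassed. The `ss_rules_dst_forward` line has the same pattern, and the IPv6 lines in ss-rules6 (hunk at -119) drop the prefix length the same way. If file entries are meant to name networks, allow an optional prefix: `grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\(/[0-9]\{1,2\}\)\{0,1\}'`. The function starts above the hunk and the set type of `ss_rules_dst_bypass` is not shown (the neighbouring `ss_rules_dst_forward` is `hash:net`), so confirm the set accepts networks.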
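Review bot: The rule added to `ss_rules_local_out` (ss-rules, hunk at -176; the same line is added in ss-rules6 at -159) widens what the user bypass list controls, and nothing near it says so. Entries from `$o_dst_bypass` and `$o_dst_bypass_file` now also send the router's own TCP connections out unproxied, whereas in the lines shown only the internal `ss_rules_dst_bypass_` set was matched on local output before. I would add a comment above the heredoc, such as `# dst_bypass also exempts router-originated traffic; matched before local_default`, and state the same wherever the `dst_bypass` options are documented. The function starts above the hunk.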
@@ -231,12 +232,12 @@ ss_rules_iptchains_init_() { :ss_rules_forward - $(ss_rules_iptchains_mkprerules "$proto") -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN + -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN -A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src -A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN -A ss_rules_src -m set --match-set ss_rules_src_forward src -j ss_rules_forward -A ss_rules_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_dst -A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default" - -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN -A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward $recentrst_addset_rules -A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default" diff --git a/shadowsocks-libev/files/ss-rules.defaults b/shadowsocks-libev/files/ss-rules.defaults index c89e2d0b8..adaf1450d 100755 --- a/shadowsocks-libev/files/ss-rules.defaults +++ b/shadowsocks-libev/files/ss-rules.defaults @@ -1,10 +1,20 @@ #!/bin/sh s=firewall.ss_rules -uci get "$s" >/dev/null && exit 0 -uci batch <<-EOF - set $s=include - set $s.path=/etc/firewall.ss-rules - set $s.reload=1 - commit firewall -EOF +uci get "$s" >/dev/null || { + uci batch <<-EOF + set $s=include + set $s.path=/etc/firewall.ss-rules + set $s.reload=1 + commit firewall + EOF +} +s=firewall.ss_rules6 +uci get "$s" >/dev/null || { + uci batch <<-EOF + set $s=include + set $s.path=/etc/firewall.ss-rules6 + set $s.reload=1 + commit firewall + EOF +} diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6 index a99471121..66b4d6a94 100755 --- a/shadowsocks-libev/files/ss-rules6 +++ b/shadowsocks-libev/files/ss-rules6 
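Review bot: The added `-A ss_rules_dst … ss_rules_dst_bypass dst -j RETURN` line in ss_rules_iptchains_init_ (ss-rules, hunk at -231; mirrored in ss-rules6 at -215) appears to change nothing. Rules are appended per chain, and among the lines shown this rule was already the first one in `ss_rules_dst`; only its position in the heredoc moves. If the goal, as with the `local_out` change, was for the bypass list to win before source classification, the chain would need to be `ss_rules_pre_src`: `-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN`. As written, a source in `ss_rules_src_forward` still jumps to `ss_rules_forward` without the bypass list being consulted. The function begins above the hunk, so the intent should be confirmed with the author.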
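Review bot: In ss-rules.defaults, each `uci batch <<-EOF` now sits inside a `{ … }` group with its terminator indented, and `<<-` strips leading tabs only. If that indentation is spaces, `EOF` is never recognised and the here-document swallows the rest of the script, including the `firewall.ss_rules6` block. Whitespace is not recoverable from this page, so please confirm the file uses tabs there. Separately, `uci get "$s" >/dev/null` still prints an error on the first run when the section is absent; `uci -q get "$s" >/dev/null || {` keeps first-boot logs clean.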
@@ -119,10 +119,10 @@ ss_rules6_ipset_init() { create ss_rules6_dst_forward hash:net family inet6 hashsize 64 create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600 $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_ "$o_dst_bypass_ $o_remote_servers") + $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')") $(ss_rules6_ipset_mkadd ss_rules6_src_bypass "$o_src_bypass") $(ss_rules6_ipset_mkadd ss_rules6_src_forward "$o_src_forward") $(ss_rules6_ipset_mkadd ss_rules6_src_checkdst "$o_src_checkdst") - $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')") $(ss_rules6_ipset_mkadd ss_rules6_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')") EOF } @@ -159,6 +159,7 @@ ss_rules6_iptchains_init_tcp() { :ss_rules6_local_out - -I OUTPUT 1 -p tcp -j ss_rules6_local_out -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN + -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN -A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default" COMMIT EOF 
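Review bot: The IPv6 pattern on the moved `ss_rules6_dst_bypass` line in ss_rules6_ipset_init (ss-rules6, hunk at -119) is loose enough to match text that is not an address. Every hex run is `\{0,4\}`, so a lone `:` or a fragment like `12:30` from a comment or timestamp in `$o_dst_bypass_file` is extracted and handed to `ss_rules6_ipset_mkadd`. That helper is not shown; if its output feeds an ipset restore that stops at the first bad entry, one stray colon could leave the bypass and forward sets unpopulated, and traffic would then follow the defaults rather than the lists. Dropping comment lines before extraction narrows this, e.g. `grep -v '^[[:space:]]*#' "$o_dst_bypass_file" 2>/dev/null | grep -o '…'` with the existing pattern. The `ss_rules6_dst_forward` line below needs the same treatment.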
@@ -215,12 +216,12 @@ ss_rules6_iptchains_init_() { :ss_rules6_forward - $(ss_rules6_iptchains_mkprerules "$proto") -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN + -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN -A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src -A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN -A ss_rules6_src -m set --match-set ss_rules6_src_forward src -j ss_rules6_forward -A ss_rules6_src -m set --match-set ss_rules6_src_checkdst src -j ss_rules6_dst -A ss_rules6_src -j $src_default_target -m comment --comment "src_default: $o_src_default" - -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN -A ss_rules6_dst -m set --match-set ss_rules6_dst_forward dst -j ss_rules6_forward $recentrst_addset_rules -A ss_rules6_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"