Fix Shadowsocks libev with nft

2025-03-09 15:40:03 +00:00 · 2024-01-15 16:44:17 +01:00 · 2024-01-15 16:44:17 +01:00 · 1eae173fdb
commit 1eae173fdb
parent 2455e4ab5a
3 changed files with 40 additions and 4 deletions
--- a/shadowsocks-libev/files/nft-rules/chain.uc
+++ b/shadowsocks-libev/files/nft-rules/chain.uc
@ -93,8 +93,10 @@ chain ss_rules_src_{{ proto }} {

 chain ss_rules_dst_{{ proto }} {
 	ip daddr @ss_rules_dst_bypass accept;
+	ip daddr @ss_rules_remote_servers accept;
 	ip daddr @ss_rules_dst_forward goto ss_rules_forward_{{ proto }};
 	ip6 daddr @ss_rules6_dst_bypass accept;
+	ip6 daddr @ss_rules6_remote_servers accept;
 	ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_{{ proto }};
 	{{ get_dst_default_verdict() }};
 }
@ -107,8 +109,10 @@ chain ss_rules_forward_{{ proto }} {
 chain ss_rules_local_out {
 	type {{ type }} hook output priority -1;
 	meta l4proto != tcp accept;
+	ip daddr @ss_rules_remote_servers accept;
 	ip daddr @ss_rules_dst_bypass_ accept;
 	ip daddr @ss_rules_dst_bypass accept;
+	ip6 daddr @ss_rules6_remote_servers accept;
 	ip6 daddr @ss_rules6_dst_bypass_ accept;
 	ip6 daddr @ss_rules6_dst_bypass accept;
 	{{ local_verdict }};
--- a/shadowsocks-libev/files/nft-rules/set.uc
+++ b/shadowsocks-libev/files/nft-rules/set.uc
@ -10,10 +10,10 @@ let o_dst_bypass4_ = "
 	172.16.0.0/12
 	192.0.0.0/24
 	192.0.2.0/24
+	192.168.0.0/16
 	192.31.196.0/24
 	192.52.193.0/24
 	192.88.99.0/24
-	192.168.0.0/16
 	192.175.48.0/24
 	198.18.0.0/15
 	198.51.100.0/24
@ -43,6 +43,9 @@ let set_suffix = {
 	"src_checkdst": {
 		str: o_src_checkdst,
 	},
+	"remote_servers": {
+		str: o_remote_servers
+	},
 	"dst_bypass": {
 		str: o_dst_bypass,
 		file: o_dst_bypass_file,
--- a/shadowsocks-libev/files/shadowsocks-libev.init-nft
+++ b/shadowsocks-libev/files/shadowsocks-libev.init-nft
@ -15,7 +15,7 @@ ss_confdir=/var/etc/shadowsocks-libev
 ss_bindir=/usr/bin

 ssrules_uc="/usr/share/ss-rules/ss-rules.uc"
-ssrules_nft="/etc/nftables.d/90-proxy-rules.nft"
+ssrules_nft="/etc/nftables.d/90-ss-rules.nft"

 ss_mkjson_server_conf() {
 	local cfgserver
@ -33,10 +33,38 @@ ss_mkjson_server_conf_() {
 	[ -z "$server" ] || json_add_string server "$server"
 	json_add_int server_port "$server_port"
 	[ -z "$method" ] || json_add_string method "$method"
-	[ -z "$key" ] || json_add_string key "$key"
-	[ -z "$password" ] || json_add_string password "$password"
+	[ -z "$key" ] || {
+		key="$(echo $key | sed 's/+/-/g; s/\//_/g;')"
+		json_add_string key "$key"
+	}
+	[ -z "$password" ] || {
+		password="$(echo $password | sed 's/+/-/g; s/\//_/g;')"
+		json_add_string password "$password"
+	}
+	[ -z "$password" ] && [ -z "$key" ] && return 1
 	[ -z "$plugin" ] || json_add_string plugin "$plugin"
 	[ -z "$plugin_opts" ] || json_add_string plugin_opts "$plugin_opts"
+	if [ "$obfs" = 1 ]; then
+	if [ "$obfs_plugin" = "obfs" ]; then
+		obfs_options="obfs=$obfs_type"
+		[ -z "$obfs_host" ] || obfs_options="$obfs_options;obfs-host=$obfs_host"
+		[ -z "$obfs_uri" ] || obfs_options="$obfs_options;obfs-uri=$obfs_uri"
+		[ "$fast_open" = 1 ] && obfs_options="$obfs_options;fast-open"
+		[ "$mptcp" = 1 ] && obfs_options="$obfs_options;mptcp"
+		[ -z "$timeout" ] || obfs_options="$obfs_options;t=$timeout"
+		json_add_string plugin "/usr/bin/obfs-local"
+		json_add_string plugin_opts "$obfs_options"
+	fi
+	if [ "$obfs_plugin" = "v2ray" ]; then
+			obfs_options="loglevel=default"
+			[ "$obfs_type" = "tls" ] && obfs_options="tls"
+			[ -z "$obfs_host" ] || obfs_options="$obfs_options;host=$obfs_host"
+			[ -z "$obfs_uri" ] || obfs_options="$obfs_options;path=$obfs_uri"
+			[ "$fast_open" = 1 ] && obfs_options="$obfs_options;fast-open"
+			json_add_string plugin "/usr/bin/v2ray-plugin"
+			json_add_string plugin_opts "$obfs_options"
+		fi
+	fi
 }

 ss_mkjson_ss_local_conf() {
@ -95,6 +123,7 @@ ss_xxx() {
 		procd_append_param command -b "$bind_address"
 	fi
 	procd_set_param file "$confjson"
+	procd_set_param limits nofile="512000 512000"
 	procd_set_param respawn
 	procd_close_instance
 	ss_rules_cb