Fix omr-bypass
parent
c1bcff99c6
commit
3627014d77
4 changed files with 144 additions and 101 deletions
|
@ -135,6 +135,11 @@ _bypass_lan_ip() {
|
||||||
-A omr-bypass -s $ip -j MARK --set-mark 0x539
|
-A omr-bypass -s $ip -j MARK --set-mark 0x539
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local -s $ip -j MARK --set-mark 0x539
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
elif [ "$valid_ip6" = "ok" ]; then
|
elif [ "$valid_ip6" = "ok" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -149,6 +154,11 @@ _bypass_lan_ip() {
|
||||||
-A omr-bypass -s $ip -j MARK --set-mark 0x539$intfid
|
-A omr-bypass -s $ip -j MARK --set-mark 0x539$intfid
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local -s $ip -j MARK --set-mark 0x539$intfid
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
elif [ "$valid_ip6" = "ok" ]; then
|
elif [ "$valid_ip6" = "ok" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -176,6 +186,11 @@ _bypass_dest_port() {
|
||||||
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
|
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
if [ "$disableipv6" != "1" ]; then
|
if [ "$disableipv6" != "1" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -189,6 +204,11 @@ _bypass_dest_port() {
|
||||||
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
|
-A omr-bypass --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local --protocol $proto --destination-port $dport -j MARK --set-mark 0x539$intfid
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
if [ "$disableipv6" != "1" ]; then
|
if [ "$disableipv6" != "1" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -216,6 +236,11 @@ _bypass_src_port() {
|
||||||
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539
|
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
if [ "$disableipv6" != "1" ]; then
|
if [ "$disableipv6" != "1" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -229,6 +254,11 @@ _bypass_src_port() {
|
||||||
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
|
-A omr-bypass --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local --protocol $proto --source-port $sport -j MARK --set-mark 0x539$intfid
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
if [ "$disableipv6" != "1" ]; then
|
if [ "$disableipv6" != "1" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -290,14 +320,15 @@ _bypass_proto() {
|
||||||
_intf_rule_ss_rules() {
|
_intf_rule_ss_rules() {
|
||||||
rule_name=$1
|
rule_name=$1
|
||||||
[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
||||||
if [ "$(iptables --wait=40 -t nat -L -n | grep ss_rules_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_$intf)" = "" ]; then
|
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_$intf)" = "" ]; then
|
||||||
iptables-restore -w --wait=60 --noflush <<-EOF
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
-I ss_rules_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j RETURN
|
-I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||||||
-I ss_rules_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j RETURN
|
-I ssr_${rule_name}_dst 1 -m mark --mark 0x539$count -j RETURN
|
||||||
-I ss_rules_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
|
-I ssr_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||||||
-I ss_rules_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
-I ssr_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
|
||||||
-I ss_rules_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
|
-I ssr_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
|
||||||
|
-I ssr_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -309,14 +340,15 @@ _intf_rule_ss_rules() {
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [ "$(ip6tables --wait=40 -t nat -L | grep ss_rules6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_$intf)" = "" ]; then
|
if [ "$(ip6tables --wait=40 -t nat -L | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_$intf)" = "" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
-I ss_rules6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j RETURN
|
-I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||||||
-I ss_rules6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_$intf dst -j RETURN
|
-I ssr6_${rule_name}_dst 1 -m mark --mark 0x6539$count -j RETURN
|
||||||
-I ss_rules6_${rule_name}_local_out 2 -m mark --mark 0x6539$count -j RETURN
|
-I ssr6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||||||
-I ss_rules6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
-I ssr6_${rule_name}_local_out 2 -m mark --mark 0x6539$count -j RETURN
|
||||||
-I ss_rules6_${rule_name}_pre_src 2 -m mark --mark 0x6539$count -j RETURN
|
-I ssr6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
|
||||||
|
-I ssr6_${rule_name}_pre_src 2 -m mark --mark 0x6539$count -j RETURN
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -412,14 +444,15 @@ _bypass_omr_server() {
|
||||||
_ss_rules_config() {
|
_ss_rules_config() {
|
||||||
rule_name=$1
|
rule_name=$1
|
||||||
[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
[ "$rule_name" = "ss_rules" ] && rule_name="def"
|
||||||
if [ "$(iptables --wait=40 -t nat -L -n | grep ss_rules_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
|
if [ "$(iptables --wait=40 -t nat -L -n | grep ssr_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
|
||||||
iptables-restore -w --wait=60 --noflush <<-EOF
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
-I ss_rules_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j RETURN
|
-I ssr_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
-I ss_rules_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_all dst -j RETURN
|
-I ssr_${rule_name}_dst 1 -m mark --mark 0x539 -j RETURN
|
||||||
-I ss_rules_${rule_name}_local_out 2 -m mark --mark 0x539 -j RETURN
|
-I ssr_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
-I ss_rules_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
-I ssr_${rule_name}_local_out 2 -m mark --mark 0x539 -j RETURN
|
||||||
-I ss_rules_${rule_name}_pre_src 2 -m mark --mark 0x539 -j RETURN
|
-I ssr_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
|
-I ssr_${rule_name}_pre_src 2 -m mark --mark 0x539 -j RETURN
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -431,14 +464,15 @@ _ss_rules_config() {
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [ "$(ip6tables --wait=40 -t nat -L | grep ss_rules6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_all)" = "" ]; then
|
if [ "$(ip6tables --wait=40 -t nat -L | grep ssr6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_all)" = "" ]; then
|
||||||
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
ip6tables-restore -w --wait=60 --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
-I ss_rules6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j RETURN
|
-I ssr6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||||
-I ss_rules6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_all dst -j RETURN
|
-I ssr6_${rule_name}_dst 1 -m mark --mark 0x6539 -j RETURN
|
||||||
-I ss_rules6_${rule_name}_local_out 2 -m mark --mark 0x6539 -j RETURN
|
-I ssr6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||||
-I ss_rules6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
-I ssr6_${rule_name}_local_out 2 -m mark --mark 0x6539 -j RETURN
|
||||||
-I ss_rules6_${rule_name}_pre_src 2 -m mark --mark 0x6539 -j RETURN
|
-I ssr6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||||
|
-I ssr6_${rule_name}_pre_src 2 -m mark --mark 0x6539 -j RETURN
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -473,7 +507,12 @@ start_service() {
|
||||||
*mangle
|
*mangle
|
||||||
:omr-bypass -
|
:omr-bypass -
|
||||||
-I PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass
|
-I PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass
|
||||||
-I OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass
|
COMMIT
|
||||||
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
:omr-bypass-local -
|
||||||
|
-I OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
if [ "$disableipv6" != "1" ]; then
|
if [ "$disableipv6" != "1" ]; then
|
||||||
|
@ -482,7 +521,6 @@ start_service() {
|
||||||
*mangle
|
*mangle
|
||||||
:omr-bypass6 -
|
:omr-bypass6 -
|
||||||
-I PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass6
|
-I PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass6
|
||||||
-I OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass6
|
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
@ -529,6 +567,11 @@ start_service() {
|
||||||
-A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
-A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
iptables-restore -w --wait=60 --noflush <<-EOF
|
||||||
|
*mangle
|
||||||
|
-A omr-bypass-local -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
|
COMMIT
|
||||||
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
config_load shadowsocks-libev
|
config_load shadowsocks-libev
|
||||||
|
|
|
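Review bot: In `_intf_rule_ss_rules` and `_ss_rules_config` the two rules added to `ssr_${rule_name}_dst` (and `ssr6_${rule_name}_dst`) are both inserted at position 1, so the later `-m mark --mark 0x539$count -j RETURN` lands above the `-j MARK` rule that sets the mark — the reverse of the MARK-at-1, RETURN-at-2 order the same hunks use for `_local_out` and `_pre_src`. A packet matching `omr_dst_bypass_$intf` that enters `_dst` is therefore marked but not returned and keeps falling through the chain's forward rules, whereas the replaced `-j RETURN` excluded it outright; changing the second insert to `-I ssr_${rule_name}_dst 2 -m mark --mark 0x539$count -j RETURN` (and likewise for the `_all` and IPv6 variants) restores the intended order. Separately, the IPv6 side of `start_service` drops the `-I OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass6` hook without adding an `omr-bypass6-local` chain, and none of the `ip6tables-restore` blocks in `_bypass_lan_ip`, `_bypass_dest_port` or `_bypass_src_port` gain a local counterpart, so unless that is added outside these hunks router-originated IPv6 traffic is no longer marked for bypass at all.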
@ -290,7 +290,7 @@ stop_service() {
|
||||||
}
|
}
|
||||||
|
|
||||||
rules_exist() {
|
rules_exist() {
|
||||||
[ -n "$(iptables -t nat -L -n | grep ss_rules)" ] && return 0
|
[ -n "$(iptables -t nat -L -n | grep ssr)" ] && return 0
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
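Review bot: `rules_exist` now tests `iptables -t nat -L -n | grep ssr`, which matches the bare substring anywhere in the listing rather than the `ssr_` chain prefix this commit introduces, so any unrelated chain, target or comment containing those three letters makes the function report shadowsocks rules as present. Anchoring on the prefix and using grep's exit status instead of capturing output keeps the check tight: `iptables -t nat -L -n | grep -q 'ssr_' && return 0`. The listing is also taken without `--wait`, unlike the other iptables calls in this commit, so under xtables lock contention it fails and the function silently answers "no rules"; that predates this change but is worth aligning while the line is being touched.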
|
@ -122,7 +122,7 @@ ss_rules_parse_args() {
|
||||||
ss_rules_flush() {
|
ss_rules_flush() {
|
||||||
local setname
|
local setname
|
||||||
|
|
||||||
iptables-save --counters | grep -v ss_rules_ | iptables-restore -w --counters
|
iptables-save --counters | grep -v ssr_ | iptables-restore -w --counters
|
||||||
while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
|
while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
|
||||||
ip route flush table 100 || true
|
ip route flush table 100 || true
|
||||||
for setname in $(ipset -n list | grep "ss_rules_"); do
|
for setname in $(ipset -n list | grep "ss_rules_"); do
|
||||||
|
@ -181,20 +181,20 @@ ss_rules_iptchains_init_tcp() {
|
||||||
ss_rules_iptchains_init_ nat tcp
|
ss_rules_iptchains_init_ nat tcp
|
||||||
|
|
||||||
case "$o_local_default" in
|
case "$o_local_default" in
|
||||||
checkdst) local_target=ss_rules_${rule}_dst ;;
|
checkdst) local_target=ssr_${rule}_dst ;;
|
||||||
forward) local_target=ss_rules_${rule}_forward ;;
|
forward) local_target=ssr_${rule}_forward ;;
|
||||||
bypass|*) return 0;;
|
bypass|*) return 0;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
iptables-restore -w --noflush <<-EOF
|
iptables-restore -w --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
:ss_rules_${rule}_local_out -
|
:ssr_${rule}_local_out -
|
||||||
-I OUTPUT 1 -p tcp -j ss_rules_${rule}_local_out
|
-I OUTPUT 1 -p tcp -j ssr_${rule}_local_out
|
||||||
-A ss_rules_${rule}_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ssr_${rule}_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_${rule}_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
-A ssr_${rule}_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules_${rule}_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
-A ssr_${rule}_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules_${rule}_local_out -m mark --mark 0x539 -j RETURN
|
-A ssr_${rule}_local_out -m mark --mark 0x539 -j RETURN
|
||||||
-A ss_rules_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
-A ssr_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
@ -213,7 +213,7 @@ ss_rules_iptchains_init_() {
|
||||||
|
|
||||||
case "$proto" in
|
case "$proto" in
|
||||||
tcp)
|
tcp)
|
||||||
forward_rules="-A ss_rules_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
forward_rules="-A ssr_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||||
recentrst_mangle_rules="
|
recentrst_mangle_rules="
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -221,48 +221,48 @@ ss_rules_iptchains_init_() {
|
||||||
COMMIT
|
COMMIT
|
||||||
"
|
"
|
||||||
recentrst_addset_rules="
|
recentrst_addset_rules="
|
||||||
-A ss_rules_${rule}_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
|
-A ssr_${rule}_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
|
||||||
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_${rule}_forward
|
-A ssr_${rule}_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ssr_${rule}_forward
|
||||||
"
|
"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
udp)
|
udp)
|
||||||
ip rule add fwmark 1 lookup 100
|
ip rule add fwmark 1 lookup 100
|
||||||
ip route add local default dev lo table 100
|
ip route add local default dev lo table 100
|
||||||
forward_rules="-A ss_rules_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
forward_rules="-A ssr_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
case "$o_src_default" in
|
case "$o_src_default" in
|
||||||
forward) src_default_target=ss_rules_${rule}_forward ;;
|
forward) src_default_target=ssr_${rule}_forward ;;
|
||||||
checkdst) src_default_target=ss_rules_${rule}_dst ;;
|
checkdst) src_default_target=ssr_${rule}_dst ;;
|
||||||
bypass|*) src_default_target=RETURN ;;
|
bypass|*) src_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
case "$o_dst_default" in
|
case "$o_dst_default" in
|
||||||
forward) dst_default_target=ss_rules_${rule}_forward ;;
|
forward) dst_default_target=ssr_${rule}_forward ;;
|
||||||
bypass|*) dst_default_target=RETURN ;;
|
bypass|*) dst_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush
|
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush
|
||||||
*$table
|
*$table
|
||||||
:ss_rules_${rule}_pre_src -
|
:ssr_${rule}_pre_src -
|
||||||
:ss_rules_${rule}_src -
|
:ssr_${rule}_src -
|
||||||
:ss_rules_${rule}_dst -
|
:ssr_${rule}_dst -
|
||||||
:ss_rules_${rule}_forward -
|
:ssr_${rule}_forward -
|
||||||
$(ss_rules_iptchains_mkprerules "$proto")
|
$(ss_rules_iptchains_mkprerules "$proto")
|
||||||
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
-A ssr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
|
-A ssr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
-A ssr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ssr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_${rule}_pre_src -m mark --mark 0x539 -j RETURN
|
-A ssr_${rule}_pre_src -m mark --mark 0x539 -j RETURN
|
||||||
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
-A ssr_${rule}_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ssr_${rule}_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_${rule}_pre_src -p $proto $o_ipt_extra -j ss_rules_${rule}_src
|
-A ssr_${rule}_pre_src -p $proto $o_ipt_extra -j ssr_${rule}_src
|
||||||
-A ss_rules_${rule}_src -m set --match-set ss_rules_src_bypass src -j RETURN
|
-A ssr_${rule}_src -m set --match-set ss_rules_src_bypass src -j RETURN
|
||||||
-A ss_rules_${rule}_src -m set --match-set ss_rules_src_forward src -j ss_rules_${rule}_forward
|
-A ssr_${rule}_src -m set --match-set ss_rules_src_forward src -j ssr_${rule}_forward
|
||||||
-A ss_rules_${rule}_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_${rule}_dst
|
-A ssr_${rule}_src -m set --match-set ss_rules_src_checkdst src -j ssr_${rule}_dst
|
||||||
-A ss_rules_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
-A ssr_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||||
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_${rule}_forward
|
-A ssr_${rule}_dst -m set --match-set ss_rules_dst_forward dst -j ssr_${rule}_forward
|
||||||
$recentrst_addset_rules
|
$recentrst_addset_rules
|
||||||
-A ss_rules_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
-A ssr_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||||
$forward_rules
|
$forward_rules
|
||||||
COMMIT
|
COMMIT
|
||||||
$recentrst_mangle_rules
|
$recentrst_mangle_rules
|
||||||
|
@ -273,11 +273,11 @@ ss_rules_iptchains_mkprerules() {
|
||||||
local proto="$1"
|
local proto="$1"
|
||||||
|
|
||||||
if [ -z "$o_ifnames" ]; then
|
if [ -z "$o_ifnames" ]; then
|
||||||
echo "-I PREROUTING 1 -p $proto -j ss_rules_${rule}_pre_src"
|
echo "-I PREROUTING 1 -p $proto -j ssr_${rule}_pre_src"
|
||||||
else
|
else
|
||||||
echo $o_ifnames \
|
echo $o_ifnames \
|
||||||
| tr ' ' '\n' \
|
| tr ' ' '\n' \
|
||||||
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules_${rule}_pre_src/"
|
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ssr_${rule}_pre_src/"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
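Review bot: The flush filter in `ss_rules_flush`, `iptables-save --counters | grep -v ssr_ | iptables-restore -w --counters`, now drops only rules that mention the new `ssr_` chain prefix, but the rest of this file still names other objects `ss_rules_*` — the ipsets (`ss_rules_dst_bypass`, `ss_rules_src_forward`, …) and the `-m recent --name ss_rules_recentrst` tracker. Set matches sit inside `ssr_` chains and disappear with them, but any rule keyed only by the recent-list name (the `recentrst_mangle_rules` body lies outside this hunk and appears to be such a rule) and any `ss_rules_*` chains left behind by a pre-rename install survive a flush and accumulate on every restart. Widening the filter to both prefixes, `iptables-save --counters | grep -vE 'ssr_|ss_rules_' | iptables-restore -w --counters`, keeps flush and init in agreement; `ss_rules_flush` continues past the end of the hunk.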
|
@ -105,7 +105,7 @@ ss_rules6_parse_args() {
|
||||||
ss_rules6_flush() {
|
ss_rules6_flush() {
|
||||||
local setname
|
local setname
|
||||||
|
|
||||||
ip6tables-save --counters | grep -v ss_rules6_ | ip6tables-restore -w --counters
|
ip6tables-save --counters | grep -v ssr6_ | ip6tables-restore -w --counters
|
||||||
while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
|
while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
|
||||||
ip -f inet6 route flush table 100 || true
|
ip -f inet6 route flush table 100 || true
|
||||||
for setname in $(ipset -n list | grep "ss_rules6_"); do
|
for setname in $(ipset -n list | grep "ss_rules6_"); do
|
||||||
|
@ -165,20 +165,20 @@ ss_rules6_iptchains_init_tcp() {
|
||||||
ss_rules6_iptchains_init_ nat tcp
|
ss_rules6_iptchains_init_ nat tcp
|
||||||
|
|
||||||
case "$o_local_default" in
|
case "$o_local_default" in
|
||||||
checkdst) local_target=ss_rules6_${rule}_dst ;;
|
checkdst) local_target=ssr6_${rule}_dst ;;
|
||||||
forward) local_target=ss_rules6_${rule}_forward ;;
|
forward) local_target=ssr6_${rule}_forward ;;
|
||||||
bypass|*) return 0;;
|
bypass|*) return 0;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
ip6tables-restore -w --noflush <<-EOF
|
ip6tables-restore -w --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
:ss_rules6_${rule}_local_out -
|
:ssr6_${rule}_local_out -
|
||||||
-I OUTPUT 1 -p tcp -j ss_rules6_${rule}_local_out
|
-I OUTPUT 1 -p tcp -j ssr6_${rule}_local_out
|
||||||
-A ss_rules6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ssr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
-A ssr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
-A ssr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules6_${rule}_local_out -m mark --mark 0x6539 -j RETURN
|
-A ssr6_${rule}_local_out -m mark --mark 0x6539 -j RETURN
|
||||||
-A ss_rules6_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
-A ssr6_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
@ -197,7 +197,7 @@ ss_rules6_iptchains_init_() {
|
||||||
|
|
||||||
case "$proto" in
|
case "$proto" in
|
||||||
tcp)
|
tcp)
|
||||||
forward_rules="-A ss_rules6_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
forward_rules="-A ssr6_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||||
recentrst_mangle_rules="
|
recentrst_mangle_rules="
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -205,48 +205,48 @@ ss_rules6_iptchains_init_() {
|
||||||
COMMIT
|
COMMIT
|
||||||
"
|
"
|
||||||
recentrst_addset_rules="
|
recentrst_addset_rules="
|
||||||
-A ss_rules6_${rule}_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
|
-A ssr6_${rule}_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
|
||||||
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j ss_rules6_${rule}_forward
|
-A ssr6_${rule}_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j ssr6_${rule}_forward
|
||||||
"
|
"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
udp)
|
udp)
|
||||||
ip -f inet6 rule add fwmark 1 lookup 100
|
ip -f inet6 rule add fwmark 1 lookup 100
|
||||||
ip -f inet6 route add local default dev lo table 100
|
ip -f inet6 route add local default dev lo table 100
|
||||||
forward_rules="-A ss_rules6_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
forward_rules="-A ssr6_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
case "$o_src_default" in
|
case "$o_src_default" in
|
||||||
forward) src_default_target=ss_rules6_${rule}_forward ;;
|
forward) src_default_target=ssr6_${rule}_forward ;;
|
||||||
checkdst) src_default_target=ss_rules6_${rule}_dst ;;
|
checkdst) src_default_target=ssr6_${rule}_dst ;;
|
||||||
bypass|*) src_default_target=RETURN ;;
|
bypass|*) src_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
case "$o_dst_default" in
|
case "$o_dst_default" in
|
||||||
forward) dst_default_target=ss_rules6_${rule}_forward ;;
|
forward) dst_default_target=ssr6_${rule}_forward ;;
|
||||||
bypass|*) dst_default_target=RETURN ;;
|
bypass|*) dst_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush
|
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush
|
||||||
*$table
|
*$table
|
||||||
:ss_rules6_${rule}_pre_src -
|
:ssr6_${rule}_pre_src -
|
||||||
:ss_rules6_${rule}_src -
|
:ssr6_${rule}_src -
|
||||||
:ss_rules6_${rule}_dst -
|
:ssr6_${rule}_dst -
|
||||||
:ss_rules6_${rule}_forward -
|
:ssr6_${rule}_forward -
|
||||||
$(ss_rules6_iptchains_mkprerules "$proto")
|
$(ss_rules6_iptchains_mkprerules "$proto")
|
||||||
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
-A ssr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
-A ssr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||||
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
-A ssr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ssr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_${rule}_pre_src -m mark --mark 0x6539 -j RETURN
|
-A ssr6_${rule}_pre_src -m mark --mark 0x6539 -j RETURN
|
||||||
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
-A ssr6_${rule}_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ssr6_${rule}_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_${rule}_pre_src -p $proto $o_ipt_extra -j ss_rules6_${rule}_src
|
-A ssr6_${rule}_pre_src -p $proto $o_ipt_extra -j ssr6_${rule}_src
|
||||||
-A ss_rules6_${rule}_src -m set --match-set ss_rules6_src_bypass src -j RETURN
|
-A ssr6_${rule}_src -m set --match-set ss_rules6_src_bypass src -j RETURN
|
||||||
-A ss_rules6_${rule}_src -m set --match-set ss_rules6_src_forward src -j ss_rules6_${rule}_forward
|
-A ssr6_${rule}_src -m set --match-set ss_rules6_src_forward src -j ssr6_${rule}_forward
|
||||||
-A ss_rules6_${rule}_src -m set --match-set ss_rules6_src_checkdst src -j ss_rules6_${rule}_dst
|
-A ssr6_${rule}_src -m set --match-set ss_rules6_src_checkdst src -j ssr6_${rule}_dst
|
||||||
-A ss_rules6_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
-A ssr6_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||||
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_forward dst -j ss_rules6_${rule}_forward
|
-A ssr6_${rule}_dst -m set --match-set ss_rules6_dst_forward dst -j ssr6_${rule}_forward
|
||||||
$recentrst_addset_rules
|
$recentrst_addset_rules
|
||||||
-A ss_rules6_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
-A ssr6_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||||
$forward_rules
|
$forward_rules
|
||||||
COMMIT
|
COMMIT
|
||||||
$recentrst_mangle_rules
|
$recentrst_mangle_rules
|
||||||
|
@ -257,11 +257,11 @@ ss_rules6_iptchains_mkprerules() {
|
||||||
local proto="$1"
|
local proto="$1"
|
||||||
|
|
||||||
if [ -z "$o_ifnames" ]; then
|
if [ -z "$o_ifnames" ]; then
|
||||||
echo "-I PREROUTING 1 -p $proto -j ss_rules6_${rule}_pre_src"
|
echo "-I PREROUTING 1 -p $proto -j ssr6_${rule}_pre_src"
|
||||||
else
|
else
|
||||||
echo $o_ifnames \
|
echo $o_ifnames \
|
||||||
| tr ' ' '\n' \
|
| tr ' ' '\n' \
|
||||||
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules6_${rule}_pre_src/"
|
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ssr6_${rule}_pre_src/"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
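Review bot: `ss_rules6_flush` has the same gap as its IPv4 counterpart: `ip6tables-save --counters | grep -v ssr6_ | ip6tables-restore -w --counters` removes only rules naming the new `ssr6_` chains, while the ipsets and the `-m recent --name ss_rules6_recentrst` tracker in this file keep the `ss_rules6_` prefix. Rules keyed only on that older name (the `recentrst_mangle_rules` body is outside this hunk and looks like one) and any `ss_rules6_*` chains from a pre-rename install are no longer flushed, so they persist and re-accumulate across restarts. Filtering on both prefixes, `ip6tables-save --counters | grep -vE 'ssr6_|ss_rules6_' | ip6tables-restore -w --counters`, closes that; the function body continues beyond the hunk.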