Allow multiples rules
This commit is contained in:
parent
75f2277fbd
commit
5ec0060dfb
4 changed files with 99 additions and 84 deletions
|
@ -32,6 +32,7 @@ config ss_rules 'ss_rules'
|
||||||
option src_default 'forward'
|
option src_default 'forward'
|
||||||
option dst_default 'forward'
|
option dst_default 'forward'
|
||||||
option local_default 'forward'
|
option local_default 'forward'
|
||||||
|
option server 'sss0'
|
||||||
|
|
||||||
config server 'sss0'
|
config server 'sss0'
|
||||||
option disabled 1
|
option disabled 1
|
||||||
|
|
|
@ -145,40 +145,51 @@ ss_rules_cb() {
|
||||||
|
|
||||||
ss_redir_ports() {
|
ss_redir_ports() {
|
||||||
port=$(uci -q get shadowsocks-libev.$1.local_port)
|
port=$(uci -q get shadowsocks-libev.$1.local_port)
|
||||||
if [ "$port" -lt "$min_ss_redir_ports" ]; then
|
server=$(uci -q get shadowsocks-libev.$1.server)
|
||||||
min_ss_redir_ports=$port
|
if [ "$server" = "$2" ] || [ "$2" = "" ]; then
|
||||||
fi
|
if [ "$port" -lt "$min_ss_redir_ports" ]; then
|
||||||
if [ "$port" -gt "$max_ss_redir_ports" ]; then
|
min_ss_redir_ports=$port
|
||||||
max_ss_redir_ports=$port
|
fi
|
||||||
|
if [ "$port" -gt "$max_ss_redir_ports" ]; then
|
||||||
|
max_ss_redir_ports=$port
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
ss_rules() {
|
ss_rules() {
|
||||||
local cfg="ss_rules"
|
local cfg="$1"
|
||||||
local bin="$ss_bindir/ss-rules"
|
local bin="$ss_bindir/ss-rules"
|
||||||
local bin6="$ss_bindir/ss-rules6"
|
local bin6="$ss_bindir/ss-rules6"
|
||||||
local cfgtype
|
local cfgtype
|
||||||
|
local cfgrulesserver
|
||||||
local local_port_tcp local_port_udp
|
local local_port_tcp local_port_udp
|
||||||
local local_port_tcp6 local_port_udp6
|
local local_port_tcp6 local_port_udp6
|
||||||
local args
|
local args
|
||||||
|
local rule_name
|
||||||
|
if [ "$cfg" = "ss_rules" ]; then
|
||||||
|
rule_name="default"
|
||||||
|
else
|
||||||
|
rule_name="$(echo $cfg | sed 's/_rule//' | cut -c -7)"
|
||||||
|
fi
|
||||||
|
|
||||||
[ -x "$bin" ] || return 1
|
[ -x "$bin" ] || return 1
|
||||||
"$bin" -f
|
#"$bin" -f
|
||||||
[ -x "$bin6" ] || return 1
|
[ -x "$bin6" ] || return 1
|
||||||
"$bin6" -f
|
#"$bin6" -f
|
||||||
|
|
||||||
config_get cfgtype "$cfg" TYPE
|
config_get cfgtype "$cfg" TYPE
|
||||||
[ "$cfgtype" = ss_rules ] || return 1
|
[ "$cfgtype" = ss_rules ] || return 1
|
||||||
|
|
||||||
|
config_get cfgrulesserver "$cfg" server
|
||||||
|
|
||||||
eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
|
eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
|
||||||
validate_ss_rules_section "$cfg" || return 1
|
validate_ss_rules_section "$cfg" || return 1
|
||||||
[ "$disabled" = 0 ] || return 0
|
[ "$disabled" = 0 ] || return 0
|
||||||
|
|
||||||
if [ "$ss_rules_redir_tcp_$redir_tcp" = "all" ]; then
|
if [ "$ss_rules_redir_tcp_$redir_tcp" = "all" ]; then
|
||||||
min_ss_redir_ports="65535"
|
min_ss_redir_ports="65535"
|
||||||
max_ss_redir_ports="0"
|
max_ss_redir_ports="0"
|
||||||
config_load shadowsocks-libev
|
config_load shadowsocks-libev
|
||||||
config_foreach ss_redir_ports ss_redir
|
config_foreach ss_redir_ports ss_redir $cfgrulesserver
|
||||||
if [ "$min_ss_redir_ports" != "$max_ss_redir_ports" ]; then
|
if [ "$min_ss_redir_ports" != "$max_ss_redir_ports" ]; then
|
||||||
all_ss_redir_ports=$min_ss_redir_ports-$max_ss_redir_ports
|
all_ss_redir_ports=$min_ss_redir_ports-$max_ss_redir_ports
|
||||||
else
|
else
|
||||||
|
@ -233,6 +244,7 @@ ss_rules_call() {
|
||||||
${src_ips_checkdst4:+--src-checkdst "$src_ips_checkdst4"} \
|
${src_ips_checkdst4:+--src-checkdst "$src_ips_checkdst4"} \
|
||||||
${ifnames:+--ifnames "$ifnames"} \
|
${ifnames:+--ifnames "$ifnames"} \
|
||||||
${ipt_args:+--ipt-extra "$ipt_args"} \
|
${ipt_args:+--ipt-extra "$ipt_args"} \
|
||||||
|
${cfg:+--rule-name "$rule_name"} \
|
||||||
$args \
|
$args \
|
||||||
|| "$bin" "$@" -f
|
|| "$bin" "$@" -f
|
||||||
}
|
}
|
||||||
|
@ -302,7 +314,7 @@ rules_up() {
|
||||||
for cfgtype in ss_redir; do
|
for cfgtype in ss_redir; do
|
||||||
config_foreach ss_rules_restart "$cfgtype" "$cfgtype"
|
config_foreach ss_rules_restart "$cfgtype" "$cfgtype"
|
||||||
done
|
done
|
||||||
ss_rules
|
config_foreach ss_rules ss_rules
|
||||||
[ -f /etc/init.d/omr-bypass ] && {
|
[ -f /etc/init.d/omr-bypass ] && {
|
||||||
logger -t "Shadowsocks" "Reload omr-bypass rules"
|
logger -t "Shadowsocks" "Reload omr-bypass rules"
|
||||||
/etc/init.d/omr-bypass reload_rules
|
/etc/init.d/omr-bypass reload_rules
|
||||||
|
|
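Review bot: With `#"$bin" -f` and `#"$bin6" -f` commented out in the first hunk of this file, nothing clears the previous ruleset before each `ss_rules` call, and `config_foreach ss_rules ss_rules` in `rules_up` now runs the function once per section, so every reload presumably stacks another `-I OUTPUT 1`/`-I PREROUTING 1` jump from the `--noflush` restores on top of the existing ones and, as far as visible, chains for deleted or renamed rule sections are never removed; a single flush before the `config_foreach` loop in `rules_up` would keep the per-rule setup from duplicating. The server filter added to `ss_redir_ports` makes the no-match case reachable in `ss_rules`: if no `ss_redir` section matches `$cfgrulesserver`, `min_ss_redir_ports` stays 65535 and `max_ss_redir_ports` stays 0, the `!=` test passes, and `all_ss_redir_ports=65535-0` is an inverted range; guard it with `if [ "$max_ss_redir_ports" -ge "$min_ss_redir_ports" ]; then` before building the range and treat the no-match case as "no redirect ports". `rule_name="$(echo $cfg | sed 's/_rule//' | cut -c -7)"` truncates to seven characters, so two rule sections sharing that prefix silently get the same chain names, and `$cfg` should be quoted. `${cfg:+--rule-name "$rule_name"}` in `ss_rules_call` tests the wrong variable; `${rule_name:+--rule-name "$rule_name"}` expresses the intent. The `ss_rules` function continues past the end of its hunk.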
|
@ -103,6 +103,7 @@ ss_rules_parse_args() {
|
||||||
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
||||||
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
||||||
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
||||||
|
--rule-name) rule="$2"; shift 2;;
|
||||||
*) __errmsg "unknown option $1"; return 1;;
|
*) __errmsg "unknown option $1"; return 1;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
@ -180,20 +181,20 @@ ss_rules_iptchains_init_tcp() {
|
||||||
ss_rules_iptchains_init_ nat tcp
|
ss_rules_iptchains_init_ nat tcp
|
||||||
|
|
||||||
case "$o_local_default" in
|
case "$o_local_default" in
|
||||||
checkdst) local_target=ss_rules_dst ;;
|
checkdst) local_target=ss_rules_${rule}_dst ;;
|
||||||
forward) local_target=ss_rules_forward ;;
|
forward) local_target=ss_rules_${rule}_forward ;;
|
||||||
bypass|*) return 0;;
|
bypass|*) return 0;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
iptables-restore -w --noflush <<-EOF
|
iptables-restore -w --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
:ss_rules_local_out -
|
:ss_rules_${rule}_local_out -
|
||||||
-I OUTPUT 1 -p tcp -j ss_rules_local_out
|
-I OUTPUT 1 -p tcp -j ss_rules_${rule}_local_out
|
||||||
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ss_rules_${rule}_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
-A ss_rules_${rule}_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
-A ss_rules_${rule}_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules_local_out -m mark --mark 0x539 -j RETURN
|
-A ss_rules_${rule}_local_out -m mark --mark 0x539 -j RETURN
|
||||||
-A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
-A ss_rules_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
@ -212,7 +213,7 @@ ss_rules_iptchains_init_() {
|
||||||
|
|
||||||
case "$proto" in
|
case "$proto" in
|
||||||
tcp)
|
tcp)
|
||||||
forward_rules="-A ss_rules_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
forward_rules="-A ss_rules_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||||
recentrst_mangle_rules="
|
recentrst_mangle_rules="
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -220,48 +221,48 @@ ss_rules_iptchains_init_() {
|
||||||
COMMIT
|
COMMIT
|
||||||
"
|
"
|
||||||
recentrst_addset_rules="
|
recentrst_addset_rules="
|
||||||
-A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
|
-A ss_rules_${rule}_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
|
||||||
-A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward
|
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_${rule}_forward
|
||||||
"
|
"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
udp)
|
udp)
|
||||||
ip rule add fwmark 1 lookup 100
|
ip rule add fwmark 1 lookup 100
|
||||||
ip route add local default dev lo table 100
|
ip route add local default dev lo table 100
|
||||||
forward_rules="-A ss_rules_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
forward_rules="-A ss_rules_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
case "$o_src_default" in
|
case "$o_src_default" in
|
||||||
forward) src_default_target=ss_rules_forward ;;
|
forward) src_default_target=ss_rules_${rule}_forward ;;
|
||||||
checkdst) src_default_target=ss_rules_dst ;;
|
checkdst) src_default_target=ss_rules_${rule}_dst ;;
|
||||||
bypass|*) src_default_target=RETURN ;;
|
bypass|*) src_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
case "$o_dst_default" in
|
case "$o_dst_default" in
|
||||||
forward) dst_default_target=ss_rules_forward ;;
|
forward) dst_default_target=ss_rules_${rule}_forward ;;
|
||||||
bypass|*) dst_default_target=RETURN ;;
|
bypass|*) dst_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush
|
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore -w --noflush
|
||||||
*$table
|
*$table
|
||||||
:ss_rules_pre_src -
|
:ss_rules_${rule}_pre_src -
|
||||||
:ss_rules_src -
|
:ss_rules_${rule}_src -
|
||||||
:ss_rules_dst -
|
:ss_rules_${rule}_dst -
|
||||||
:ss_rules_forward -
|
:ss_rules_${rule}_forward -
|
||||||
$(ss_rules_iptchains_mkprerules "$proto")
|
$(ss_rules_iptchains_mkprerules "$proto")
|
||||||
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
|
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||||
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ss_rules_${rule}_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_pre_src -m mark --mark 0x539 -j RETURN
|
-A ss_rules_${rule}_pre_src -m mark --mark 0x539 -j RETURN
|
||||||
-A ss_rules_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
|
||||||
-A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
|
-A ss_rules_${rule}_pre_src -p $proto $o_ipt_extra -j ss_rules_${rule}_src
|
||||||
-A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
|
-A ss_rules_${rule}_src -m set --match-set ss_rules_src_bypass src -j RETURN
|
||||||
-A ss_rules_src -m set --match-set ss_rules_src_forward src -j ss_rules_forward
|
-A ss_rules_${rule}_src -m set --match-set ss_rules_src_forward src -j ss_rules_${rule}_forward
|
||||||
-A ss_rules_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_dst
|
-A ss_rules_${rule}_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_${rule}_dst
|
||||||
-A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
-A ss_rules_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||||
-A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward
|
-A ss_rules_${rule}_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_${rule}_forward
|
||||||
$recentrst_addset_rules
|
$recentrst_addset_rules
|
||||||
-A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
-A ss_rules_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||||
$forward_rules
|
$forward_rules
|
||||||
COMMIT
|
COMMIT
|
||||||
$recentrst_mangle_rules
|
$recentrst_mangle_rules
|
||||||
|
@ -272,15 +273,15 @@ ss_rules_iptchains_mkprerules() {
|
||||||
local proto="$1"
|
local proto="$1"
|
||||||
|
|
||||||
if [ -z "$o_ifnames" ]; then
|
if [ -z "$o_ifnames" ]; then
|
||||||
echo "-I PREROUTING 1 -p $proto -j ss_rules_pre_src"
|
echo "-I PREROUTING 1 -p $proto -j ss_rules_${rule}_pre_src"
|
||||||
else
|
else
|
||||||
echo $o_ifnames \
|
echo $o_ifnames \
|
||||||
| tr ' ' '\n' \
|
| tr ' ' '\n' \
|
||||||
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules_pre_src/"
|
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules_${rule}_pre_src/"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
ss_rules_parse_args "$@"
|
ss_rules_parse_args "$@"
|
||||||
ss_rules_flush
|
#ss_rules_flush
|
||||||
ss_rules_ipset_init
|
ss_rules_ipset_init
|
||||||
ss_rules_iptchains_init
|
ss_rules_iptchains_init
|
||||||
|
|
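Review bot: `--rule-name) rule="$2"; shift 2;;` accepts any string, and `$rule` is then spliced into chain names inside the `iptables-restore` heredocs (`:ss_rules_${rule}_pre_src -` and every `-A ss_rules_${rule}_...` line), so a value containing whitespace or characters iptables does not accept in a chain name breaks or alters the restored ruleset, and an empty value yields chains such as `ss_rules__dst`; validate it where it is parsed, `case "$rule" in ""|*[!A-Za-z0-9_]*) __errmsg "invalid rule name: $rule"; return 1;; esac`, and the same applies to `ss-rules6`. The ipsets stay global (`ss_rules_dst_bypass`, `ss_rules_src_forward`, `ss_rules_dst_forward_recentrst_`, …) while the chains are now per rule, so two rules' source and destination lists end up in the same set; if the lists are meant to be per rule, the ipset initialisation (`ss_rules_ipset_init`, unchanged here) needs the same `${rule}` suffix. With `ss_rules_flush` commented out at the bottom and `iptables-restore --noflush`, each run inserts another `-I PREROUTING 1 ... -j ss_rules_${rule}_pre_src` from `ss_rules_iptchains_mkprerules` ahead of the previous one, so repeated reloads accumulate jumps unless something else flushes first. The `ss_rules_iptchains_init_` heredoc starts and ends outside its hunks.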
|
@ -85,6 +85,7 @@ ss_rules6_parse_args() {
|
||||||
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
||||||
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
||||||
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
||||||
|
--rule-name) rule="$2"; shift 2;;
|
||||||
*) __errmsg "unknown option $1"; return 1;;
|
*) __errmsg "unknown option $1"; return 1;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
@ -149,7 +150,7 @@ ss_rules6_iptchains_init() {
|
||||||
ss_rules6_iptchains_init_mark() {
|
ss_rules6_iptchains_init_mark() {
|
||||||
ip6tables-restore -w --noflush <<-EOF
|
ip6tables-restore -w --noflush <<-EOF
|
||||||
*mangle
|
*mangle
|
||||||
-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
-A PREROUTING -m set --match-set ss_rules6_${rule}_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
@ -163,20 +164,20 @@ ss_rules6_iptchains_init_tcp() {
|
||||||
ss_rules6_iptchains_init_ nat tcp
|
ss_rules6_iptchains_init_ nat tcp
|
||||||
|
|
||||||
case "$o_local_default" in
|
case "$o_local_default" in
|
||||||
checkdst) local_target=ss_rules6_dst ;;
|
checkdst) local_target=ss_rules6_${rule}_dst ;;
|
||||||
forward) local_target=ss_rules6_forward ;;
|
forward) local_target=ss_rules6_${rule}_forward ;;
|
||||||
bypass|*) return 0;;
|
bypass|*) return 0;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
ip6tables-restore -w --noflush <<-EOF
|
ip6tables-restore -w --noflush <<-EOF
|
||||||
*nat
|
*nat
|
||||||
:ss_rules6_local_out -
|
:ss_rules6_${rule}_local_out -
|
||||||
-I OUTPUT 1 -p tcp -j ss_rules6_local_out
|
-I OUTPUT 1 -p tcp -j ss_rules6_${rule}_local_out
|
||||||
-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ss_rules6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
-A ss_rules6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
-A ss_rules6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules6_local_out -m mark --mark 0x6539 -j RETURN
|
-A ss_rules6_${rule}_local_out -m mark --mark 0x6539 -j RETURN
|
||||||
-A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
-A ss_rules6_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||||
COMMIT
|
COMMIT
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
@ -196,7 +197,7 @@ ss_rules6_iptchains_init_() {
|
||||||
|
|
||||||
case "$proto" in
|
case "$proto" in
|
||||||
tcp)
|
tcp)
|
||||||
forward_rules="-A ss_rules6_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
forward_rules="-A ss_rules6_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||||
recentrst_mangle_rules="
|
recentrst_mangle_rules="
|
||||||
*mangle
|
*mangle
|
||||||
|
@ -205,47 +206,47 @@ ss_rules6_iptchains_init_() {
|
||||||
"
|
"
|
||||||
recentrst_addset_rules="
|
recentrst_addset_rules="
|
||||||
-A ss_rules6_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
|
-A ss_rules6_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
|
||||||
-A ss_rules6_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j ss_rules6_forward
|
-A ss_rules6_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j ss_rules6_${rule}_forward
|
||||||
"
|
"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
udp)
|
udp)
|
||||||
ip -f inet6 rule add fwmark 1 lookup 100
|
ip -f inet6 rule add fwmark 1 lookup 100
|
||||||
ip -f inet6 route add local default dev lo table 100
|
ip -f inet6 route add local default dev lo table 100
|
||||||
forward_rules="-A ss_rules6_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
forward_rules="-A ss_rules6_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
case "$o_src_default" in
|
case "$o_src_default" in
|
||||||
forward) src_default_target=ss_rules6_forward ;;
|
forward) src_default_target=ss_rules6_${rule}_forward ;;
|
||||||
checkdst) src_default_target=ss_rules6_dst ;;
|
checkdst) src_default_target=ss_rules6_${rule}_dst ;;
|
||||||
bypass|*) src_default_target=RETURN ;;
|
bypass|*) src_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
case "$o_dst_default" in
|
case "$o_dst_default" in
|
||||||
forward) dst_default_target=ss_rules6_forward ;;
|
forward) dst_default_target=ss_rules6_${rule}_forward ;;
|
||||||
bypass|*) dst_default_target=RETURN ;;
|
bypass|*) dst_default_target=RETURN ;;
|
||||||
esac
|
esac
|
||||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush
|
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore -w --noflush
|
||||||
*$table
|
*$table
|
||||||
:ss_rules6_pre_src -
|
:ss_rules6_${rule}_pre_src -
|
||||||
:ss_rules6_src -
|
:ss_rules6_${rule}_src -
|
||||||
:ss_rules6_dst -
|
:ss_rules6_${rule}_dst -
|
||||||
:ss_rules6_forward -
|
:ss_rules6_${rule}_forward -
|
||||||
$(ss_rules6_iptchains_mkprerules "$proto")
|
$(ss_rules6_iptchains_mkprerules "$proto")
|
||||||
-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
||||||
-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||||
-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ss_rules6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_pre_src -m mark --mark 0x6539 -j RETURN
|
-A ss_rules6_${rule}_pre_src -m mark --mark 0x6539 -j RETURN
|
||||||
-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||||
-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||||
-A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
|
-A ss_rules6_${rule}_pre_src -p $proto $o_ipt_extra -j ss_rules6_${rule}_src
|
||||||
-A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN
|
-A ss_rules6_${rule}_src -m set --match-set ss_rules6_src_bypass src -j RETURN
|
||||||
-A ss_rules6_src -m set --match-set ss_rules6_src_forward src -j ss_rules6_forward
|
-A ss_rules6_${rule}_src -m set --match-set ss_rules6_src_forward src -j ss_rules6_${rule}_forward
|
||||||
-A ss_rules6_src -m set --match-set ss_rules6_src_checkdst src -j ss_rules6_dst
|
-A ss_rules6_${rule}_src -m set --match-set ss_rules6_src_checkdst src -j ss_rules6_${rule}_dst
|
||||||
-A ss_rules6_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
-A ss_rules6_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||||
-A ss_rules6_dst -m set --match-set ss_rules6_dst_forward dst -j ss_rules6_forward
|
-A ss_rules6_${rule}_dst -m set --match-set ss_rules6_dst_forward dst -j ss_rules6_${rule}_forward
|
||||||
$recentrst_addset_rules
|
$recentrst_addset_rules
|
||||||
-A ss_rules6_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
-A ss_rules6_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||||
$forward_rules
|
$forward_rules
|
||||||
COMMIT
|
COMMIT
|
||||||
$recentrst_mangle_rules
|
$recentrst_mangle_rules
|
||||||
|
@ -257,11 +258,11 @@ ss_rules6_iptchains_mkprerules() {
|
||||||
local proto="$1"
|
local proto="$1"
|
||||||
|
|
||||||
if [ -z "$o_ifnames" ]; then
|
if [ -z "$o_ifnames" ]; then
|
||||||
echo "-I PREROUTING 1 -p $proto -j ss_rules6_pre_src"
|
echo "-I PREROUTING 1 -p $proto -j ss_rules6_${rule}_pre_src"
|
||||||
else
|
else
|
||||||
echo $o_ifnames \
|
echo $o_ifnames \
|
||||||
| tr ' ' '\n' \
|
| tr ' ' '\n' \
|
||||||
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules6_pre_src/"
|
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules6_${rule}_pre_src/"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
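Review bot: In `recentrst_addset_rules`, the first rule still reads `-A ss_rules6_dst -m recent ...` while the chain is now declared as `:ss_rules6_${rule}_dst -`, so with `--dst-forward-recentrst` the `ip6tables-restore` call fails on a chain that no longer exists (the IPv4 `ss-rules` hunk renamed the matching line); it should read `-A ss_rules6_${rule}_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist`. `ss_rules6_iptchains_init_mark` now matches the set `ss_rules6_${rule}_dst_bypass_all`, but every other rule in this file uses `ss_rules6_dst_bypass_all` and the ipset initialisation is not touched by this diff, so that MARK rule refers to a set that, as far as visible, is never created; either keep `-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539` or create per-rule sets. That PREROUTING mark rule is also appended once per rule invocation under `--noflush`, so it duplicates across rules. `--rule-name) rule="$2"; shift 2;;` takes the value unvalidated just as in `ss-rules`; a `case` check restricting it to `[A-Za-z0-9_]` at parse time would stop a malformed name from reaching the `ip6tables-restore` input. The `ss_rules6_iptchains_init_` heredoc continues outside its hunk.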