From 66b1ee2f15483af11dfd52b0d4748e3c5f679f2c Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Mon, 29 Jun 2020 15:11:35 +0200
Subject: [PATCH] Fix bypass when multiples IPs
---
 .../root/etc/init.d/omr-bypass | 141 ++++++++++--------
 1 file changed, 79 insertions(+), 62 deletions(-)
diff --git a/luci-app-omr-bypass/root/etc/init.d/omr-bypass b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
index 14558a60f..aaccb4061 100755
--- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass
+++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
@@ -287,6 +287,42 @@ _bypass_proto() {
 fi
 }
+_intf_rule_ss_rules() {
+ rule_name=$1
+ [ "$rule_name" = "ss_rules" ] && rule_name="default"
+ if [ "$(iptables --wait=40 -t nat -L -n | grep ss_rules_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_$intf)" = "" ]; then
+ iptables-restore -w --wait=60 --noflush <<-EOF
+ *nat
+ -I ss_rules_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j RETURN
+ -I ss_rules_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j RETURN
+ -I ss_rules_${rule_name}_local_out 2 -m mark --mark 0x539$count -j RETURN
+ -I ss_rules_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
+ -I ss_rules_${rule_name}_pre_src 2 -m mark --mark 0x539$count -j RETURN
+ COMMIT
+ EOF
+ fi
+ if [ "$disableipv6" != "1" ]; then
+ if [ "$(ip6tables --wait=40 -t mangle -L | grep omr6_dst_bypass_$intf)" = "" ]; then
+ ip6tables-restore -w --wait=60 --noflush <<-EOF
+ *mangle
+ -I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
+ COMMIT
+ EOF
+ fi
+ if [ "$(ip6tables --wait=40 -t nat -L | grep ss_rules6_${rule_name}_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_$intf)" = "" ]; then
+ ip6tables-restore -w --wait=60 --noflush <<-EOF
+ *nat
+ -I ss_rules6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j RETURN
+ -I ss_rules6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_$intf dst -j RETURN
+ -I ss_rules6_${rule_name}_local_out 2 -m mark --mark 0x6539$count -j RETURN
+ -I ss_rules6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
+ -I ss_rules6_${rule_name}_pre_src 2 -m mark --mark 0x6539$count -j RETURN
+ COMMIT
+ EOF
+ fi
+ fi
+}
+
 _intf_rule() {
 local intf
 config_get intf $1 ifname
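Review bot: The presence test `grep omr_dst_bypass_$intf` on the whole nat listing is not scoped to the `ss_rules_${rule_name}_*` chains, so once the first ss_rules section has its RETURN/MARK rules inserted, every later section visited by `config_foreach` finds the set name already referenced and inserts nothing; with more than one ss_rules section only the first gets the bypass, which looks like exactly the case this commit is meant to fix. The same unscoped check (`grep omr_dst_bypass_all`) is in `_ss_rules_config` in the third hunk. Checking the target chain directly avoids it, e.g. `iptables --wait=40 -t nat -C ss_rules_${rule_name}_pre_src -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count 2>/dev/null || iptables-restore ...` (`-C` returns non-zero when the rule is absent), and likewise for the ip6tables nat check. `rule_name=$1` should be `local rule_name=$1` since this is a config_foreach callback, and a header comment such as `# config_foreach callback; reads intf and count from _intf_rule's scope` would tell the next reader where those two variables come from.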
@@ -333,37 +369,9 @@ _intf_rule() {
 COMMIT
 EOF
 fi
- if [ "$(iptables --wait=40 -t nat -L -n | grep ss_rules_default_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_$intf)" = "" ]; then
- iptables-restore -w --wait=60 --noflush <<-EOF
- *nat
- -I ss_rules_default_dst 1 -m set --match-set omr_dst_bypass_$intf dst -j RETURN
- -I ss_rules_default_local_out 1 -m set --match-set omr_dst_bypass_$intf dst -j RETURN
- -I ss_rules_default_local_out 2 -m mark --mark 0x539$count -j RETURN
- -I ss_rules_default_pre_src 1 -m set --match-set omr_dst_bypass_$intf dst -j MARK --set-mark 0x539$count
- -I ss_rules_default_pre_src 2 -m mark --mark 0x539$count -j RETURN
- COMMIT
- EOF
- fi
- if [ "$disableipv6" != "1" ]; then
- if [ "$(ip6tables --wait=40 -t mangle -L | grep omr6_dst_bypass_$intf)" = "" ]; then
- ip6tables-restore -w --wait=60 --noflush <<-EOF
- *mangle
- -I omr-bypass6 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
- COMMIT
- EOF
- fi
- if [ "$(ip6tables --wait=40 -t nat -L | grep ss_rules6_default_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_$intf)" = "" ]; then
- ip6tables-restore -w --wait=60 --noflush <<-EOF
- *nat
- -I ss_rules6_default_dst 1 -m set --match-set omr6_dst_bypass_$intf dst -j RETURN
- -I ss_rules6_default_local_out 1 -m set --match-set omr6_dst_bypass_$intf dst -j RETURN
- -I ss_rules6_default_local_out 2 -m mark --mark 0x6539$count -j RETURN
- -I ss_rules6_default_pre_src 1 -m set --match-set omr6_dst_bypass_$intf dst -j MARK --set-mark 0x6539$count
- -I ss_rules6_default_pre_src 2 -m mark --mark 0x6539$count -j RETURN
- COMMIT
- EOF
- fi
- fi
+ config_load shadowsocks-libev
+ config_foreach _intf_rule_ss_rules ss_rules
+
 uci -q set omr-bypass.$intf=interface
 uci -q set omr-bypass.$intf.id=$count
 }
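Review bot: `config_load shadowsocks-libev` replaces the shell's loaded UCI sections, and `config_get intf $1 ifname` at the top of `_intf_rule` (visible in the first hunk) resolves `$1` against the omr-bypass config; if `_intf_rule` is itself driven by `config_foreach` over that config (its caller is outside this hunk), every interface after the first is looked up in the wrong package and `intf` comes back empty. Reloading the state after the loop, `config_load omr-bypass`, or collecting the ss_rules section names once before the interface loop and iterating that list here, avoids the clobber. A short comment that `_intf_rule_ss_rules` relies on `$intf` and `$count` being set in this function would also help, e.g. `# _intf_rule_ss_rules reads intf and count from this scope`.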
@@ -400,6 +408,43 @@ _bypass_omr_server() {
 _bypass_ip $ip
 }
+
+_ss_rules_config() {
+ rule_name=$1
+ [ "$rule_name" = "ss_rules" ] && rule_name="default"
+ if [ "$(iptables --wait=40 -t nat -L -n | grep ss_rules_${rule_name}_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
+ iptables-restore -w --wait=60 --noflush <<-EOF
+ *nat
+ -I ss_rules_${rule_name}_dst 1 -m set --match-set omr_dst_bypass_all dst -j RETURN
+ -I ss_rules_${rule_name}_local_out 1 -m set --match-set omr_dst_bypass_all dst -j RETURN
+ -I ss_rules_${rule_name}_local_out 2 -m mark --mark 0x539 -j RETURN
+ -I ss_rules_${rule_name}_pre_src 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
+ -I ss_rules_${rule_name}_pre_src 2 -m mark --mark 0x539 -j RETURN
+ COMMIT
+ EOF
+ fi
+ if [ "$disableipv6" != "1" ]; then
+ if [ "$(ip6tables --wait=40 -t mangle -L | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
+ ip6tables-restore -w --wait=60 --noflush <<-EOF
+ *mangle
+ -A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
+ COMMIT
+ EOF
+ fi
+ if [ "$(ip6tables --wait=40 -t nat -L | grep ss_rules6_default_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_all)" = "" ]; then
+ ip6tables-restore -w --wait=60 --noflush <<-EOF
+ *nat
+ -I ss_rules6_${rule_name}_dst 1 -m set --match-set omr6_dst_bypass_all dst -j RETURN
+ -I ss_rules6_${rule_name}_local_out 1 -m set --match-set omr6_dst_bypass_all dst -j RETURN
+ -I ss_rules6_${rule_name}_local_out 2 -m mark --mark 0x6539 -j RETURN
+ -I ss_rules6_${rule_name}_pre_src 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
+ -I ss_rules6_${rule_name}_pre_src 2 -m mark --mark 0x6539 -j RETURN
+ COMMIT
+ EOF
+ fi
+ fi
+}
+
 boot() {
 BOOT=1
 start "$@"
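Review bot: The IPv6 nat presence test still greps the hard-coded `ss_rules6_default_pre_src`, while the rules it guards are inserted into `ss_rules6_${rule_name}_*`; for any section whose name is not `ss_rules` this either skips the IPv6 bypass (no default chain present) or feeds `ip6tables-restore` chains that do not exist, which fails the whole restore. It should read `grep ss_rules6_${rule_name}_pre_src`, matching the IPv4 branch directly above it. As in `_intf_rule_ss_rules`, the `grep omr_dst_bypass_all` / `grep omr6_dst_bypass_all` checks are not scoped to the section's chains, so only the first ss_rules section ever receives rules, and `rule_name=$1` should be `local rule_name=$1`.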
@@ -483,37 +528,9 @@ start_service() {
 COMMIT
 EOF
 fi
- if [ "$(iptables --wait=40 -t nat -L -n | grep ss_rules_default_pre_src)" != "" ] && [ "$(iptables --wait=40 -t nat -L -n | grep omr_dst_bypass_all)" = "" ]; then
- iptables-restore -w --wait=60 --noflush <<-EOF
- *nat
- -I ss_rules_default_dst 1 -m set --match-set omr_dst_bypass_all dst -j RETURN
- -I ss_rules_default_local_out 1 -m set --match-set omr_dst_bypass_all dst -j RETURN
- -I ss_rules_default_local_out 2 -m mark --mark 0x539 -j RETURN
- -I ss_rules_default_pre_src 1 -m set --match-set omr_dst_bypass_all dst -j MARK --set-mark 0x539
- -I ss_rules_default_pre_src 2 -m mark --mark 0x539 -j RETURN
- COMMIT
- EOF
- fi
- if [ "$disableipv6" != "1" ]; then
- if [ "$(ip6tables --wait=40 -t mangle -L | grep 'match-set omr6_dst_bypass_all dst MARK set')" = "" ]; then
- ip6tables-restore -w --wait=60 --noflush <<-EOF
- *mangle
- -A omr-bypass6 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
- COMMIT
- EOF
- fi
- if [ "$(ip6tables --wait=40 -t nat -L | grep ss_rules6_default_pre_src)" != "" ] && [ "$(ip6tables --wait=40 -t nat -L | grep omr6_dst_bypass_all)" = "" ]; then
- ip6tables-restore -w --wait=60 --noflush <<-EOF
- *nat
- -I ss_rules6_default_dst 1 -m set --match-set omr6_dst_bypass_all dst -j RETURN
- -I ss_rules6_default_local_out 1 -m set --match-set omr6_dst_bypass_all dst -j RETURN
- -I ss_rules6_default_local_out 2 -m mark --mark 0x6539 -j RETURN
- -I ss_rules6_default_pre_src 1 -m set --match-set omr6_dst_bypass_all dst -j MARK --set-mark 0x6539
- -I ss_rules6_default_pre_src 2 -m mark --mark 0x6539 -j RETURN
- COMMIT
- EOF
- fi
- fi
+
+ config_load shadowsocks-libev
+ config_foreach _ss_rules_config
 iptables-save --counters | grep -v omr-bypass-dpi | iptables-restore -w --counters
 iptables-restore -w --wait=60 --noflush <<-EOF
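Review bot: `config_foreach _ss_rules_config` has no section-type filter, unlike `config_foreach _intf_rule_ss_rules ss_rules` in `_intf_rule`, so the callback runs for every section of shadowsocks-libev (server and ss_redir sections included) with their names as `rule_name`; combined with the hard-coded `ss_rules6_default_pre_src` check in `_ss_rules_config`, a non-rules section can trigger an `ip6tables-restore` against `ss_rules6_<name>_*` chains that do not exist. Add the type filter: `config_foreach _ss_rules_config ss_rules`. If `start_service` loaded another package's config earlier (outside this hunk), the `config_load shadowsocks-libev` here also replaces that state for the rest of the function, so any later `config_get` in it would need a reload.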