mirror of https://github.com/Ysurac/openmptcprouter-feeds.git synced 2025-02-12 10:31:51 +00:00

Add basic IPv6 support and replace haproxy by nginx for VPS failover

Ycarus 2018-03-09 10:51:29 +01:00
parent 2f4e19176c
commit 715d53300d
23 changed files with 1419 additions and 9 deletions

21
luci-app-nginx-ha/LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2017 chenhw2
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -0,0 +1,17 @@
#
# Copyright (C) 2016 chenhw2 <chenhw2@github.com>
# Copyright (C) 2018 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
#
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
LUCI_TITLE:=LuCI Support for nginx load balancing
LUCI_DEPENDS:=+nginx
PKG_LICENSE:=MIT
include ../luci/luci.mk
# call BuildPackage - OpenWrt buildroot signature


@ -0,0 +1,7 @@
module("luci.controller.nginx-ha", package.seeall)
function index()
entry(
{"admin", "services", "nginx-ha"},
cbi("nginx-ha"), _("Nginx High Availability"), 55)
end


@ -0,0 +1,46 @@
local m, s, o
if luci.sys.call("pgrep nginx >/dev/null") == 0 then
m = Map("nginx-ha", translate("Nginx High Availability"), "%s - %s" %{translate("Nginx High Availability"), translate("RUNNING")})
else
m = Map("nginx-ha", translate("Nginx High Availability"), "%s - %s" %{translate("Nginx High Availability"), translate("NOT RUNNING")})
end
s = m:section(TypedSection, "general", translate("General Setting"))
s.anonymous = true
o = s:option(Flag, "enable", translate("Enable"))
o.rmempty = false
o = s:option(Value, "startup_delay", translate("Startup Delay"))
o:value(0, translate("Not enabled"))
for _, v in ipairs({5, 10, 15, 25, 40}) do
o:value(v, translate("%u seconds") %{v})
end
o.datatype = "uinteger"
o.default = 0
o.rmempty = false
o = s:option(Value, "listen", translate("Listen Address:Port"))
o.placeholder = "0.0.0.0:6666"
o.default = "0.0.0.0:6666"
o.rmempty = false
o = s:option(Value, "timeout", translate("Timeout Connect (ms)"))
o.placeholder = "666"
o.default = "666"
o.datatype = "range(33, 10000)"
o.rmempty = false
o = s:option(Value, "retries", translate("Retries"))
o.placeholder = "1"
o.default = "1"
o.datatype = "range(1, 10)"
o.rmempty = false
o = s:option(DynamicList, "upstreams", translate("UpStream Server"), translate("e.g. [123.123.123.123:65101 weight=1 max_fails=3 fail_timeout=30s]"))
o.placeholder = "123.123.123.123:65101 weight=1 max_fails=3 fail_timeout=30s"
o.rmempty = false
return m
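Review bot: The `listen` and `upstreams` options are the only fields in this form without a `datatype`, yet the init script added in this commit copies both verbatim into the generated nginx configuration. Constraining them here, e.g. `o.datatype = "hostport"` on `listen`, would reject malformed values before they are saved; the init script still needs its own check, since UCI can be edited outside LuCI. The status line also relies on `pgrep nginx`, which matches any nginx process, so it reports RUNNING when only the stock service from `nginx/files/nginx.init` is up.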


@ -0,0 +1,8 @@
config general 'general'
option enable '0'
option retries '1'
option timeout '1000'
option listen '0.0.0.0:65101'
option startup_delay '5'
list upstreams '1.2.3.4:65101 weight=1 max_fails=3 fail_timeout=30s'


@ -0,0 +1,115 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2016 chenhw2 <chenhw2@github.com>
# Copyright (C) 2018 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
START=85
USE_PROCD=1
PROG_NAME=nginx
PROG=/usr/sbin/${PROG_NAME}
NAME=nginx-ha
PIDCOUNT=0
_log() {
logger -p daemon.info -t ${PROG_NAME} "$@"
}
_err() {
logger -p daemon.err -t ${PROG_NAME} "$@"
}
validate_section() {
uci_validate_section nginx-ha general "${1}" \
'enable:bool:0' \
'retries:uinteger:3' \
'timeout:uinteger:4000' \
'startup_delay:uinteger:5' \
'listen:string' \
'upstreams:list(string)'
}
genline_srv(){
echo " server $1;"
}
boot() {
local delay=$(uci -q get $NAME.general.startup_delay)
(sleep ${delay:-0} && start >/dev/null 2>&1) &
return 0
}
start_instance() {
local enable retries timeout startup_delay listen upstreams
validate_section "${1}" || {
_err "validation failed"
return 1
}
[ "$enable" = 1 ] || return 1
mkdir -p /var/etc
cat <<-EOF > /var/etc/$PROG_NAME.cfg
user nobody nogroup;
worker_processes $(grep -c '^processor' /proc/cpuinfo | tr -d "\n");
worker_rlimit_nofile 300000;
events {
worker_connections 15000;
multi_accept on;
use epoll;
}
stream {
upstream allservers {
zone dynamic 64k;
$(config_list_foreach "${1}" "upstreams" genline_srv)
}
server {
listen ${listen:-0.0.0.0:6666} udp;
proxy_pass allservers;
}
server {
listen ${listen:-0.0.0.0:6666};
proxy_pass allservers;
}
}
EOF
procd_open_instance "nginx-ha"
procd_set_param command /usr/sbin/nginx -c /var/etc/$PROG_NAME.cfg -g 'daemon off;'
procd_set_param file /var/etc/$PROG_NAME.cfg
procd_set_param respawn
procd_close_instance
}
start_service() {
config_load nginx-ha
config_foreach start_instance general
}
reload_service() {
stop
start
}
stop_service() {
local _PID=$(cat /var/run/nginx.pid 2>/dev/null)
kill -15 $_PID 2>/dev/null
sleep 1 # give time to shutdown
local _tmp=$(pgrep nginx | tr "\n" " ")
if [ -z "$_tmp" ]; then
logger -p daemon.notice -t "nginx-ha[$_PID]" "Shutdown successfully"
else
kill -9 $_tmp # Normally never come here
logger -p daemon.warn -t "nginx-ha[$_tmp]" "Shutdown forced by KILL"
fi
return 0
}
service_triggers() {
procd_add_reload_trigger nginx-ha
}
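Review bot: `genline_srv` writes each `upstreams` entry, and the heredoc writes `$listen`, straight into `/var/etc/nginx.cfg`, while `validate_section` only types them as `string`; a value containing `;`, `{` or `}` therefore becomes extra nginx directives in the file this script starts nginx with. Skip such entries before emitting them, e.g. `case "$1" in *[\;{}]*) _err "invalid upstream: $1"; return 0;; esac` at the top of `genline_srv`, with the same test on `$listen` in `start_instance`. `timeout` and `retries` are validated but never written to the generated config, so the corresponding form fields have no effect. In `stop_service`, the `pgrep nginx` / `kill -9` fallback matches every nginx process on the device, not just this instance.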


@ -0,0 +1,13 @@
#!/bin/sh
uci -q batch <<-EOF >/dev/null
delete ucitrack.@nginx-ha[-1]
add ucitrack nginx-ha
set ucitrack.@nginx-ha[-1].init=nginx-ha
commit ucitrack
EOF
/etc/init.d/nginx-ha enable >/dev/null 2>&1
rm -f /tmp/luci-indexcache
exit 0

210
nginx/Config.in Normal file

@ -0,0 +1,210 @@
#
# Copyright (C) 2010-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
menu "Configuration"
depends on PACKAGE_nginx
config NGINX_SSL
bool
prompt "Enable SSL module"
help
Enable HTTPS/SSL support.
default n
config NGINX_DAV
bool
prompt "Enable WebDAV module"
help
Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.
default n
config NGINX_FLV
bool
prompt "Enable FLV module"
help
Provides the ability to seek within FLV (Flash) files using time-based offsets.
default n
config NGINX_STUB_STATUS
bool
prompt "Enable stub status module"
help
Enable the stub status module which gives some status from the server.
default n
config NGINX_HTTP_CHARSET
bool
prompt "Enable HTTP charset module"
default y
config NGINX_HTTP_GZIP
bool
prompt "Enable HTTP gzip module"
default y
config NGINX_HTTP_SSI
bool
prompt "Enable HTTP ssi module"
default y
config NGINX_HTTP_USERID
bool
prompt "Enable HTTP userid module"
default y
config NGINX_HTTP_ACCESS
bool
prompt "Enable HTTP access module"
default y
config NGINX_HTTP_AUTH_BASIC
bool
prompt "Enable HTTP auth basic"
default y
config NGINX_HTTP_AUTH_REQUEST
bool
prompt "Enable HTTP auth request module"
default n
config NGINX_HTTP_AUTOINDEX
bool
prompt "Enable HTTP autoindex module"
default y
config NGINX_HTTP_GEO
bool
prompt "Enable HTTP geo module"
default y
config NGINX_HTTP_MAP
bool
prompt "Enable HTTP map module"
default y
config NGINX_HTTP_SPLIT_CLIENTS
bool
prompt "Enable HTTP split clients"
default y
config NGINX_HTTP_REFERER
bool
prompt "Enable HTTP referer module"
default y
config NGINX_HTTP_REWRITE
bool
prompt "Enable HTTP rewrite module"
select NGINX_PCRE
default y
config NGINX_HTTP_PROXY
bool
prompt "Enable HTTP proxy module"
default y
config NGINX_HTTP_FASTCGI
bool
prompt "Enable HTTP fastcgi module"
default y
config NGINX_HTTP_UWSGI
bool
prompt "Enable HTTP uwsgi module"
default y
config NGINX_HTTP_SCGI
bool
prompt "Enable HTTP scgi module"
default y
config NGINX_HTTP_MEMCACHED
bool
prompt "Enable HTTP memcached module"
default y
config NGINX_HTTP_LIMIT_CONN
bool
prompt "Enable HTTP limit conn"
default y
config NGINX_HTTP_LIMIT_REQ
bool
prompt "Enable HTTP limit req"
default y
config NGINX_HTTP_EMPTY_GIF
bool
prompt "Enable HTTP empty gif"
default y
config NGINX_HTTP_BROWSER
bool
prompt "Enable HTTP browser module"
default y
config NGINX_HTTP_UPSTREAM_HASH
bool
prompt "Enable HTTP hash module"
default y
config NGINX_HTTP_UPSTREAM_IP_HASH
bool
prompt "Enable HTTP IP hash module"
default y
config NGINX_HTTP_UPSTREAM_LEAST_CONN
bool
prompt "Enable HTTP least conn module"
default y
config NGINX_HTTP_UPSTREAM_KEEPALIVE
bool
prompt "Enable HTTP keepalive module"
default y
config NGINX_HTTP_CACHE
bool
prompt "Enable HTTP cache"
default y
config NGINX_HTTP_V2
bool
prompt "Enable HTTP_V2 module"
default n
config NGINX_PCRE
bool
prompt "Enable PCRE library usage"
default y
config NGINX_NAXSI
bool
prompt "Enable NAXSI module"
default y
config NGINX_LUA
bool
prompt "Enable Lua module"
default n
config NGINX_HTTP_REAL_IP
bool
prompt "Enable HTTP real ip module"
default n
config NGINX_HTTP_SECURE_LINK
bool
prompt "Enable HTTP secure link module"
default n
config NGINX_STREAM
bool
prompt "Enable stream module"
default y
endmenu

290
nginx/Makefile Normal file

@ -0,0 +1,290 @@
#
# Copyright (C) 2012-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=nginx
PKG_VERSION:=1.12.2
PKG_RELEASE:=1
PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://nginx.org/download/
PKG_HASH:=305f379da1d5fb5aefa79e45c829852ca6983c7cd2a79328f8e084a324cf0416
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
PKG_LICENSE:=2-clause BSD-like license
PKG_BUILD_DIR:=$(BUILD_DIR)/nginx-$(PKG_VERSION)
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
PKG_CONFIG_DEPENDS := \
CONFIG_NGINX_SSL \
CONFIG_NGINX_DAV \
CONFIG_NGINX_FLV \
CONFIG_NGINX_STUB_STATUS \
CONFIG_NGINX_HTTP_CHARSET \
CONFIG_NGINX_HTTP_GZIP \
CONFIG_NGINX_HTTP_SSI \
CONFIG_NGINX_HTTP_USERID \
CONFIG_NGINX_HTTP_ACCESS \
CONFIG_NGINX_HTTP_AUTH_BASIC \
CONFIG_NGINX_HTTP_AUTH_REQUEST \
CONFIG_NGINX_HTTP_AUTOINDEX \
CONFIG_NGINX_HTTP_GEO \
CONFIG_NGINX_HTTP_MAP \
CONFIG_NGINX_HTTP_SPLIT_CLIENTS \
CONFIG_NGINX_HTTP_REFERER \
CONFIG_NGINX_HTTP_REWRITE \
CONFIG_NGINX_HTTP_PROXY \
CONFIG_NGINX_HTTP_FASTCGI \
CONFIG_NGINX_HTTP_UWSGI \
CONFIG_NGINX_HTTP_SCGI \
CONFIG_NGINX_HTTP_MEMCACHED \
CONFIG_NGINX_HTTP_LIMIT_CONN \
CONFIG_NGINX_HTTP_LIMIT_REQ \
CONFIG_NGINX_HTTP_EMPTY_GIF \
CONFIG_NGINX_HTTP_BROWSER \
CONFIG_NGINX_HTTP_UPSTREAM_HASH \
CONFIG_NGINX_HTTP_UPSTREAM_IP_HASH \
CONFIG_NGINX_HTTP_UPSTREAM_LEAST_CONN \
CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE \
CONFIG_NGINX_HTTP_UPSTREAM_ZONE \
CONFIG_NGINX_HTTP_CACHE \
CONFIG_NGINX_HTTP_V2 \
CONFIG_NGINX_PCRE \
CONFIG_NGINX_STREAM \
CONFIG_NGINX_NAXSI \
CONFIG_NGINX_LUA \
CONFIG_NGINX_HTTP_REAL_IP \
CONFIG_NGINX_HTTP_SECURE_LINK
include $(INCLUDE_DIR)/package.mk
define Package/nginx
SECTION:=net
CATEGORY:=Network
SUBMENU:=Web Servers/Proxies
TITLE:=Nginx web server
URL:=http://nginx.org/
DEPENDS:=+NGINX_PCRE:libpcre +(NGINX_SSL||NGINX_HTTP_CACHE||NGINX_HTTP_AUTH_BASIC):libopenssl +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread
MENU:=1
endef
define Package/nginx/description
nginx is an HTTP and reverse proxy server, as well as a mail proxy server,
written by Igor Sysoev.
endef
define Package/nginx/config
source "$(SOURCE)/Config.in"
endef
config_files=nginx.conf mime.types
define Package/nginx/conffiles
/etc/nginx/
endef
ADDITIONAL_MODULES:=
ifeq ($(CONFIG_NGINX_NAXSI),y)
ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src
endif
ifeq ($(CONFIG_NGINX_LUA),y)
ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/lua-nginx
endif
ifeq ($(CONFIG_IPV6),y)
ADDITIONAL_MODULES += --with-ipv6
endif
ifeq ($(CONFIG_NGINX_STUB_STATUS),y)
ADDITIONAL_MODULES += --with-http_stub_status_module
endif
ifeq ($(CONFIG_NGINX_FLV),y)
ADDITIONAL_MODULES += --with-http_flv_module
endif
ifeq ($(CONFIG_NGINX_SSL),y)
ADDITIONAL_MODULES += --with-http_ssl_module
endif
ifeq ($(CONFIG_NGINX_DAV),y)
ADDITIONAL_MODULES += --with-http_dav_module
endif
ifneq ($(CONFIG_NGINX_HTTP_CACHE),y)
ADDITIONAL_MODULES += --without-http-cache
endif
ifneq ($(CONFIG_NGINX_PCRE),y)
ADDITIONAL_MODULES += --without-pcre
endif
ifneq ($(CONFIG_NGINX_HTTP_CHARSET),y)
ADDITIONAL_MODULES += --without-http_charset_module
else
config_files += koi-utf koi-win win-utf
endif
ifneq ($(CONFIG_NGINX_HTTP_GZIP),y)
ADDITIONAL_MODULES += --without-http_gzip_module
endif
ifneq ($(CONFIG_NGINX_HTTP_SSI),y)
ADDITIONAL_MODULES += --without-http_ssi_module
endif
ifneq ($(CONFIG_NGINX_HTTP_USERID),y)
ADDITIONAL_MODULES += --without-http_userid_module
endif
ifneq ($(CONFIG_NGINX_HTTP_ACCESS),y)
ADDITIONAL_MODULES += --without-http_access_module
endif
ifneq ($(CONFIG_NGINX_HTTP_AUTH_BASIC),y)
ADDITIONAL_MODULES += --without-http_auth_basic_module
endif
ifeq ($(CONFIG_NGINX_HTTP_AUTH_REQUEST),y)
ADDITIONAL_MODULES += --with-http_auth_request_module
endif
ifneq ($(CONFIG_NGINX_HTTP_AUTOINDEX),y)
ADDITIONAL_MODULES += --without-http_autoindex_module
endif
ifneq ($(CONFIG_NGINX_HTTP_GEO),y)
ADDITIONAL_MODULES += --without-http_geo_module
endif
ifneq ($(CONFIG_NGINX_HTTP_MAP),y)
ADDITIONAL_MODULES += --without-http_map_module
endif
ifneq ($(CONFIG_NGINX_HTTP_SPLIT_CLIENTS),y)
ADDITIONAL_MODULES += --without-http_split_clients_module
endif
ifneq ($(CONFIG_NGINX_HTTP_REFERER),y)
ADDITIONAL_MODULES += --without-http_referer_module
endif
ifneq ($(CONFIG_NGINX_HTTP_REWRITE),y)
ADDITIONAL_MODULES += --without-http_rewrite_module
endif
ifneq ($(CONFIG_NGINX_HTTP_PROXY),y)
ADDITIONAL_MODULES += --without-http_proxy_module
endif
ifneq ($(CONFIG_NGINX_HTTP_FASTCGI),y)
ADDITIONAL_MODULES += --without-http_fastcgi_module
else
config_files += fastcgi_params
endif
ifneq ($(CONFIG_NGINX_HTTP_UWSGI),y)
ADDITIONAL_MODULES += --without-http_uwsgi_module
endif
ifneq ($(CONFIG_NGINX_HTTP_SCGI),y)
ADDITIONAL_MODULES += --without-http_scgi_module
endif
ifneq ($(CONFIG_NGINX_HTTP_MEMCACHED),y)
ADDITIONAL_MODULES += --without-http_memcached_module
endif
ifneq ($(CONFIG_NGINX_HTTP_LIMIT_CONN),y)
ADDITIONAL_MODULES += --without-http_limit_conn_module
endif
ifneq ($(CONFIG_NGINX_HTTP_LIMIT_REQ),y)
ADDITIONAL_MODULES += --without-http_limit_req_module
endif
ifneq ($(CONFIG_NGINX_HTTP_EMPTY_GIF),y)
ADDITIONAL_MODULES += --without-http_empty_gif_module
endif
ifneq ($(CONFIG_NGINX_HTTP_BROWSER),y)
ADDITIONAL_MODULES += --without-http_browser_module
endif
ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_HASH),y)
ADDITIONAL_MODULES += --without-http_upstream_hash_module
endif
ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_IP_HASH),y)
ADDITIONAL_MODULES += --without-http_upstream_ip_hash_module
endif
ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_LEAST_CONN),y)
ADDITIONAL_MODULES += --without-http_upstream_least_conn_module
endif
ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y)
ADDITIONAL_MODULES += --without-http_upstream_keepalive_module
endif
ifeq ($(CONFIG_NGINX_HTTP_V2),y)
ADDITIONAL_MODULES += --with-http_v2_module
endif
ifeq ($(CONFIG_NGINX_HTTP_REAL_IP),y)
ADDITIONAL_MODULES += --with-http_realip_module
endif
ifeq ($(CONFIG_NGINX_HTTP_SECURE_LINK),y)
ADDITIONAL_MODULES += --with-http_secure_link_module
endif
ifeq ($(CONFIG_NGINX_STREAM),y)
ADDITIONAL_MODULES += --with-stream
endif
TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK
TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Configure
( cd $(PKG_BUILD_DIR) ; \
$(if $(CONFIG_NGINX_LUA),LUA_INC=$(STAGING_DIR)/usr/include LUA_LIB=$(STAGING_DIR)/usr/lib) \
./configure \
--crossbuild=Linux::$(ARCH) \
--prefix=/usr \
--conf-path=/etc/nginx/nginx.conf \
$(ADDITIONAL_MODULES) \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--with-cc="$(TARGET_CC)" \
--with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \
--with-ld-opt="$(TARGET_LDFLAGS)" \
--without-http_upstream_zone_module \
)
endef
define Package/nginx/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/etc/nginx
$(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx
ifeq ($(CONFIG_NGINX_NAXSI),y)
$(INSTALL_DIR) $(1)/etc/nginx
$(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx
chmod 0640 $(1)/etc/nginx/naxsi_core.rules
endif
$(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx))
$(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules))
endef
define Build/Prepare
$(call Build/Prepare/Default)
$(if $(CONFIG_NGINX_NAXSI),$(call Prepare/nginx-naxsi))
$(if $(CONFIG_NGINX_LUA),$(call Prepare/lua-nginx))
endef
define Download/nginx-naxsi
VERSION:=cf73f9c8664127252c2a4958d2e169516d3845a1
SUBDIR:=nginx-naxsi
FILE:=nginx-naxsi-module-$(PKG_VERSION)-$$(VERSION).tar.gz
URL:=https://github.com/nbs-system/naxsi.git
PROTO:=git
endef
define Prepare/nginx-naxsi
$(eval $(call Download,nginx-naxsi))
gzip -dc $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS)
endef
define Download/lua-nginx
VERSION:=cdd2ae921f67bf396c743406493127be496e57ce
SUBDIR:=lua-nginx
FILE:=lua-nginx-module-$(PKG_VERSION)-$$(VERSION).tar.gz
URL:=https://github.com/openresty/lua-nginx-module.git
PROTO:=git
endef
define Prepare/lua-nginx
$(eval $(call Download,lua-nginx))
gzip -dc $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS)
$(call PatchDir,$(PKG_BUILD_DIR),./patches-lua-nginx)
endef
$(eval $(call BuildPackage,nginx))
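Review bot: The nginx tarball is pinned by `PKG_HASH`, but the `Download/nginx-naxsi` and `Download/lua-nginx` blocks set no `MIRROR_HASH`, so the packed tarballs that the `Prepare/*` rules pipe into `tar` are presumably not checked against a known digest when they come from `DL_DIR` or a mirror rather than a fresh git checkout. Adding `MIRROR_HASH:=<sha256 of the packed tarball>` to each block closes that gap. `PKG_CONFIG_DEPENDS` also lists `CONFIG_NGINX_HTTP_UPSTREAM_ZONE`, which has no entry in `Config.in`. The two `$(if $(CONFIG_NGINX_NAXSI),$(…))` lines at the end of `Package/nginx/install` appear to expand to nothing and only duplicate the `ifeq` block above them.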

17
nginx/files/nginx.init Normal file

@ -0,0 +1,17 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2015 OpenWrt.org
START=80
USE_PROCD=1
start_service() {
[ -d /var/log/nginx ] || mkdir -p /var/log/nginx
[ -d /var/lib/nginx ] || mkdir -p /var/lib/nginx
procd_open_instance
procd_set_param command /usr/sbin/nginx -c /etc/nginx/nginx.conf -g 'daemon off;'
procd_set_param file /etc/nginx/nginx.conf
procd_set_param respawn
procd_close_instance
}


@ -0,0 +1,195 @@
--- a/lua-nginx/src/ngx_http_lua_module.c
+++ b/lua-nginx/src/ngx_http_lua_module.c
@@ -157,14 +157,14 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, log_socket_errors),
NULL },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
{ ngx_string("init_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_init_by_lua_block,
NGX_HTTP_MAIN_CONF_OFFSET,
0,
(void *) ngx_http_lua_init_by_inline },
-
+#endif
{ ngx_string("init_by_lua"),
NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
ngx_http_lua_init_by_lua,
@@ -178,14 +178,14 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_MAIN_CONF_OFFSET,
0,
(void *) ngx_http_lua_init_by_file },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
{ ngx_string("init_worker_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_init_worker_by_lua_block,
NGX_HTTP_MAIN_CONF_OFFSET,
0,
(void *) ngx_http_lua_init_worker_by_inline },
-
+#endif
{ ngx_string("init_worker_by_lua"),
NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
ngx_http_lua_init_worker_by_lua,
@@ -201,6 +201,7 @@ static ngx_command_t ngx_http_lua_cmds[]
(void *) ngx_http_lua_init_worker_by_file },
#if defined(NDK) && NDK
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* set_by_lua $res { inline Lua code } [$arg1 [$arg2 [...]]] */
{ ngx_string("set_by_lua_block"),
NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -209,7 +210,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_filter_set_by_lua_inline },
-
+#endif
/* set_by_lua $res <inline script> [$arg1 [$arg2 [...]]] */
{ ngx_string("set_by_lua"),
NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -237,7 +238,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_rewrite_handler_inline },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* rewrite_by_lua_block { <inline script> } */
{ ngx_string("rewrite_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -246,7 +247,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_rewrite_handler_inline },
-
+#endif
/* access_by_lua "<inline script>" */
{ ngx_string("access_by_lua"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -255,7 +256,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_access_handler_inline },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* access_by_lua_block { <inline script> } */
{ ngx_string("access_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -264,7 +265,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_access_handler_inline },
-
+#endif
/* content_by_lua "<inline script>" */
{ ngx_string("content_by_lua"),
NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1,
@@ -272,7 +273,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_content_handler_inline },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* content_by_lua_block { <inline script> } */
{ ngx_string("content_by_lua_block"),
NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@@ -280,7 +281,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_content_handler_inline },
-
+#endif
/* log_by_lua <inline script> */
{ ngx_string("log_by_lua"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -289,7 +290,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_log_handler_inline },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* log_by_lua_block { <inline script> } */
{ ngx_string("log_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -298,7 +299,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_log_handler_inline },
-
+#endif
{ ngx_string("rewrite_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
|NGX_CONF_TAKE1,
@@ -353,7 +354,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_header_filter_inline },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* header_filter_by_lua_block { <inline script> } */
{ ngx_string("header_filter_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -362,7 +363,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_header_filter_inline },
-
+#endif
{ ngx_string("header_filter_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
|NGX_CONF_TAKE1,
@@ -378,7 +379,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_body_filter_inline },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
/* body_filter_by_lua_block { <inline script> } */
{ ngx_string("body_filter_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
@@ -387,7 +388,7 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_body_filter_inline },
-
+#endif
{ ngx_string("body_filter_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
|NGX_CONF_TAKE1,
@@ -395,14 +396,14 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
0,
(void *) ngx_http_lua_body_filter_file },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
{ ngx_string("balancer_by_lua_block"),
NGX_HTTP_UPS_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_balancer_by_lua_block,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_balancer_handler_inline },
-
+#endif
{ ngx_string("balancer_by_lua_file"),
NGX_HTTP_UPS_CONF|NGX_CONF_TAKE1,
ngx_http_lua_balancer_by_lua,
@@ -509,14 +510,14 @@ static ngx_command_t ngx_http_lua_cmds[]
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
NULL },
-
+#ifndef NGX_LUA_NO_BY_LUA_BLOCK
{ ngx_string("ssl_certificate_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_ssl_cert_by_lua_block,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_cert_handler_inline },
-
+#endif
{ ngx_string("ssl_certificate_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_http_lua_ssl_cert_by_lua,


@ -0,0 +1,107 @@
--- a/auto/cc/name
+++ b/auto/cc/name
@@ -7,7 +7,7 @@ if [ "$NGX_PLATFORM" != win32 ]; then
ngx_feature="C compiler"
ngx_feature_name=
- ngx_feature_run=yes
+ ngx_feature_run=
ngx_feature_incs=
ngx_feature_path=
ngx_feature_libs=
--- a/auto/cc/conf
+++ b/auto/cc/conf
@@ -200,7 +200,7 @@ if [ "$NGX_PLATFORM" != win32 ]; then
else
ngx_feature="C99 variadic macros"
ngx_feature_name="NGX_HAVE_C99_VARIADIC_MACROS"
- ngx_feature_run=yes
+ ngx_feature_run=no
ngx_feature_incs="#include <stdio.h>
#define var(dummy, ...) sprintf(__VA_ARGS__)"
ngx_feature_path=
@@ -214,7 +214,7 @@ if [ "$NGX_PLATFORM" != win32 ]; then
ngx_feature="gcc variadic macros"
ngx_feature_name="NGX_HAVE_GCC_VARIADIC_MACROS"
- ngx_feature_run=yes
+ ngx_feature_run=no
ngx_feature_incs="#include <stdio.h>
#define var(dummy, args...) sprintf(args)"
ngx_feature_path=
--- a/auto/os/linux
+++ b/auto/os/linux
@@ -36,7 +36,7 @@ fi
ngx_feature="epoll"
ngx_feature_name="NGX_HAVE_EPOLL"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/epoll.h>"
ngx_feature_path=
ngx_feature_libs=
@@ -93,7 +93,7 @@ ngx_feature_test="int fd; struct stat sb
CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE"
ngx_feature="sendfile()"
ngx_feature_name="NGX_HAVE_SENDFILE"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/sendfile.h>
#include <errno.h>"
ngx_feature_path=
@@ -114,7 +114,7 @@ fi
CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"
ngx_feature="sendfile64()"
ngx_feature_name="NGX_HAVE_SENDFILE64"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/sendfile.h>
#include <errno.h>"
ngx_feature_path=
@@ -132,7 +132,7 @@ ngx_include="sys/prctl.h"; . auto/includ
ngx_feature="prctl(PR_SET_DUMPABLE)"
ngx_feature_name="NGX_HAVE_PR_SET_DUMPABLE"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/prctl.h>"
ngx_feature_path=
ngx_feature_libs=
--- a/auto/unix
+++ b/auto/unix
@@ -735,7 +735,7 @@ ngx_feature_test="void *p; p = memalign(
ngx_feature="mmap(MAP_ANON|MAP_SHARED)"
ngx_feature_name="NGX_HAVE_MAP_ANON"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/mman.h>"
ngx_feature_path=
ngx_feature_libs=
@@ -748,7 +748,7 @@ ngx_feature_test="void *p;
ngx_feature='mmap("/dev/zero", MAP_SHARED)'
ngx_feature_name="NGX_HAVE_MAP_DEVZERO"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>"
@@ -763,7 +763,7 @@ ngx_feature_test='void *p; int fd;
ngx_feature="System V shared memory"
ngx_feature_name="NGX_HAVE_SYSVSHM"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <sys/ipc.h>
#include <sys/shm.h>"
ngx_feature_path=
@@ -777,7 +777,7 @@ ngx_feature_test="int id;
ngx_feature="POSIX semaphores"
ngx_feature_name="NGX_HAVE_POSIX_SEM"
-ngx_feature_run=yes
+ngx_feature_run=no
ngx_feature_incs="#include <semaphore.h>"
ngx_feature_path=
ngx_feature_libs=


@ -0,0 +1,27 @@
--- a/auto/types/sizeof
+++ b/auto/types/sizeof
@@ -25,8 +25,14 @@ $NGX_INCLUDE_UNISTD_H
$NGX_INCLUDE_INTTYPES_H
$NGX_INCLUDE_AUTO_CONFIG_H
+char object_code_block[] = {
+ '\n', 'e', '4', 'V', 'A',
+ '0', 'x', ('0' + sizeof($ngx_type)),
+ 'Y', '3', 'p', 'M', '\n'
+};
+
int main(void) {
- printf("%d", (int) sizeof($ngx_type));
+ printf("dummy use of object_code_block to avoid gc-section: %c", object_code_block[0]);
return 0;
}
@@ -40,7 +45,7 @@ eval "$ngx_test >> $NGX_AUTOCONF_ERR 2>&
if [ -x $NGX_AUTOTEST ]; then
- ngx_size=`$NGX_AUTOTEST`
+ ngx_size=`sed -ne 's/^e4VA0x\(.\)Y3pM$/\1/p' < $NGX_AUTOTEST`
echo " $ngx_size bytes"
fi


@ -0,0 +1,12 @@
--- a/src/os/unix/ngx_errno.c
+++ b/src/os/unix/ngx_errno.c
@@ -8,6 +8,9 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#ifndef NGX_SYS_NERR
+#define NGX_SYS_NERR 128
+#endif
/*
* The strerror() messages are copied because:


@ -0,0 +1,18 @@
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,5 +1,5 @@
-#user nobody;
+user nobody nogroup;
worker_processes 1;
#error_log logs/error.log;
@@ -16,7 +16,7 @@ events {
http {
include mime.types;
- default_type application/octet-stream;
+ #default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '


@ -0,0 +1,11 @@
--- a/src/os/unix/ngx_process.h
+++ b/src/os/unix/ngx_process.h
@@ -44,7 +44,7 @@ typedef struct {
} ngx_exec_ctx_t;
-#define NGX_MAX_PROCESSES 1024
+#define NGX_MAX_PROCESSES 8
#define NGX_PROCESS_NORESPAWN -1
#define NGX_PROCESS_JUST_SPAWN -2
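Review bot: Lowering `NGX_MAX_PROCESSES` to 8 is undocumented and interacts with the nginx-ha init script in this commit, which sets `worker_processes` to the processor count read from `/proc/cpuinfo`. On a device with more than eight cores nginx would presumably be unable to spawn the extra workers. Either clamp the generated value in the init script or record the limit next to the define, e.g. `/* OpenWrt: process table shrunk; keep worker_processes <= 8 */`.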


@ -60,9 +60,11 @@ MY_DEPENDS := \
luci-i18n-firewall-en \
luci-i18n-firewall-fr \
ca-bundle ca-certificates \
luci-mod-admin-full luci-app-firewall luci-app-glorytun luci-app-shadowsocks-libev luci-app-unbound luci-theme-openmptcprouter luci-base luci-app-haproxy-tcp luci-app-omr-tracker luci-app-qos \
luci-mod-admin-full luci-app-firewall luci-app-glorytun luci-app-shadowsocks-libev luci-app-unbound luci-theme-openmptcprouter luci-base \
luci-app-nginx-ha luci-app-omr-tracker luci-app-qos \
luci-app-vnstat omr-quota luci-app-omr-quota \
speedtestc
speedtestc \
ip6tables-mod-nat
define Package/$(PKG_NAME)
SECTION:=OMR


@ -1 +0,0 @@
net.ipv6.conf.all.disable_ipv6=1


@ -6,7 +6,7 @@ if [ "$NBCPU" -gt 1 ]; then
uci -q batch <<-EOF >/dev/null
set shadowsocks-libev.hi$c=ss_redir
set shadowsocks-libev.hi$c.server=sss0
set shadowsocks-libev.hi$c.local_address=0.0.0.0
set shadowsocks-libev.hi$c.local_address="::"
set shadowsocks-libev.hi$c.local_port=1100
set shadowsocks-libev.hi$c.mode=tcp_and_udp
set shadowsocks-libev.hi$c.timeout=60
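Review bot: Setting `local_address` to `"::"` makes every `hi$c` ss-redir instance listen on all IPv6 addresses of the router (the same change is made in the `ss_redir hi` default config), and this commit also drops the `net.ipv6.conf.all.disable_ipv6=1` sysctl. Whether port 1100 is then reachable from the WAN side depends on the IPv6 firewall input rules, which are not visible in this change. A comment above the `uci -q batch` call stating that assumption, e.g. `# binds all v6 addresses; relies on the firewall rejecting WAN input to port 1100`, would make the dependency explicit. The enclosing `if` block starts and ends outside the hunk.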


@ -15,7 +15,7 @@ include $(TOPDIR)/rules.mk
#
PKG_NAME:=shadowsocks-libev
PKG_VERSION:=3.1.2
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
@ -88,6 +88,7 @@ endef
define Package/shadowsocks-libev-ss-rules/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
$(INSTALL_BIN) ./files/ss-rules6 $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_DATA) ./files/firewall.ss-rules $(1)/etc
$(INSTALL_BIN) ./files/ss-rules.defaults $(1)/etc/uci-defaults


@ -1,7 +1,7 @@
config ss_redir hi
option disabled 1
option server 'sss0'
option local_address '0.0.0.0'
option local_address '::'
option local_port '1100'
option mode 'tcp_and_udp'
option timeout '60'


@ -178,9 +178,11 @@ ss_rules_cb() {
ss_redir_servers="$ss_redir_servers $server"
if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then
eval "ss_rules_redir_tcp_$cfg=$local_port"
eval "ss_rules6_redir_tcp_$cfg=$local_port"
fi
if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then
eval "ss_rules_redir_udp_$cfg=$local_port"
eval "ss_rules6_redir_udp_$cfg=$local_port"
fi
fi
}
@ -203,11 +205,54 @@ ss_rules() {
eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
[ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
ss_redir_servers4="$(echo "$ss_redir_servers" | awk -F. 'NF == 4' | tr ' ' '\n' | sort -u)"
[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
"$bin" \
-s "$ss_redir_servers" \
-s "$ss_redir_servers4" \
-l "$local_port_tcp" \
-L "$local_port_udp" \
--src-default "$src_default" \
--dst-default "$dst_default" \
--local-default "$local_default" \
--dst-bypass-file "$dst_ips_bypass_file" \
--dst-forward-file "$dst_ips_forward_file" \
--dst-bypass "$dst_ips_bypass" \
--dst-forward "$dst_ips_forward" \
--src-bypass "$src_ips_bypass" \
--src-forward "$src_ips_forward" \
--src-checkdst "$src_ips_checkdst" \
--ifnames "$ifnames" \
--ipt-extra "$ipt_args" \
$args \
|| "$bin" -f
}
ss_rules6() {
local cfg="ss_rules"
local bin="$ss_bindir/ss-rules6"
local cfgtype
local local_port_tcp local_port_udp
local args
[ -x "$bin" ] || return 1
config_get cfgtype "$cfg" TYPE
[ "$cfgtype" = ss_rules ] || return 1
eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
validate_ss_rules_section "$cfg" || return 1
[ "$disabled" = 0 ] || return 1
eval local_port_tcp="\$ss_rules6_redir_tcp_$redir_tcp"
eval local_port_udp="\$ss_rules6_redir_udp_$redir_udp"
[ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
ss_redir_servers6="$(echo "$ss_redir_servers" | awk -F: 'NF>4' | tr ' ' '\n' | sort -u)"
[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
"$bin" \
-s "$ss_redir_servers6" \
-l "$local_port_tcp" \
-L "$local_port_udp" \
--src-default "$src_default" \
@ -235,12 +280,14 @@ start_service() {
config_foreach ss_xxx "$cfgtype" "$cfgtype"
done
ss_rules
ss_rules6
}
stop_service() {
local bin="$ss_bindir/ss-rules"
[ -x "$bin" ] && "$bin" -f
local bin6="$ss_bindir/ss-rules6"
[ -x "$bin6" ] && "$bin6" -f
rm -rf "$ss_confdir"
}
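Review bot: In ss_rules the new filter `awk -F. 'NF == 4'` runs before `tr ' ' '\n'`, so awk sees the whole space-separated server list as a single record: with two IPv4 servers the record has seven dot-separated fields and the result is empty, and any hostname entry is dropped too. ss_rules6 has the mirrored problem with `awk -F: 'NF>4'`, which also rejects compressed addresses with fewer than four colons (constructed example: `2001:db8::1`) and lets IPv4 entries through whenever a long IPv6 address shares the line. That list is what `-s` hands to the rules scripts, and ss-rules6 uses it to fill ss_rules6_dst_bypass_, so a wrongly empty list means traffic to the proxy server itself is no longer exempt from redirection. Split first and match on the separator, for example `ss_redir_servers4="$(echo "$ss_redir_servers" | tr ' ' '\n' | grep -v : | sort -u)"` and `ss_redir_servers6="$(echo "$ss_redir_servers" | tr ' ' '\n' | grep : | sort -u)"`. The tail of ss_rules6 lies outside the second hunk.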

247
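--- a/shadowsocks-libev/files/ss-rules6
+++ b/shadowsocks-libev/files/ss-rules6
@@ -0,0 +1,247 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+#
+# The design idea was derived from ss-rules by Jian Chang <aa65535@live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+ss_rules6_usage() {
+cat >&2 <<EOF
+Usage: ss-rules [options]
+-h, --help Show this help message then exit
+-f, --flush Flush rules, ipset then exit
+-l <port> Local port number of ss-redir with TCP mode
+-L <port> Local port number of ss-redir with UDP mode
+-s <ips> List of ip addresses of remote shadowsocks server
+--ifnames Only apply rules on packets from these ifnames
+--src-bypass <ips|cidr>
+--src-forward <ips|cidr>
+--src-checkdst <ips|cidr>
+--src-default <bypass|forward|checkdst>
+Packets will have their src ip checked in order against
+bypass, forward, checkdst list and will bypass, forward
+through, or continue to have their dst ip checked
+respectively on the first match. Otherwise, --src-default
+decide the default action
+--dst-bypass <ips|cidr>
+--dst-forward <ips|cidr>
+--dst-bypass-file <file>
+--dst-forward-file <file>
+--dst-default <bypass|forward>
+Same as with their --src-xx equivalent
+--dst-forward-recentrst
+Forward those packets whose destinations have recently
+sent to us multiple tcp-rst packets
+--local-default <bypass|forward|checkdst>
+Default action for local out TCP traffic
+The following ipsets will be created by ss-rules. They are also intended to be
+populated by other programs like dnsmasq with ipset support
+ss_rules6_src_bypass
+ss_rules6_src_forward
+ss_rules6_src_checkdst
+ss_rules6_dst_bypass
+ss_rules6_dst_forward
+EOF
+}
+o_dst_bypass_="
+"
+o_src_default=bypass
+o_dst_default=bypass
+o_local_default=bypass
+__errmsg() {
+echo "ss-rules6: $*" >&2
+}
+ss_rules6_parse_args() {
+while [ "$#" -gt 0 ]; do
+case "$1" in
+-h|--help) ss_rules6_usage; exit 0;;
+-f|--flush) ss_rules6_flush; exit 0;;
+-l) o_redir_tcp_port="$2"; shift 2;;
+-L) o_redir_udp_port="$2"; shift 2;;
+-s) o_remote_servers="$2"; shift 2;;
+--ifnames) o_ifnames="$2"; shift 2;;
+--ipt-extra) o_ipt_extra="$2"; shift 2;;
+--src-default) o_src_default="$2"; shift 2;;
+--dst-default) o_dst_default="$2"; shift 2;;
+--local-default) o_local_default="$2"; shift 2;;
+--src-bypass) o_src_bypass="$2"; shift 2;;
+--src-forward) o_src_forward="$2"; shift 2;;
+--src-checkdst) o_src_checkdst="$2"; shift 2;;
+--dst-bypass) o_dst_bypass="$2"; shift 2;;
+--dst-forward) o_dst_forward="$2"; shift 2;;
+--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
+--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
+--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
+*) __errmsg "unknown option $1"; return 1;;
+esac
+done
+if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then
+__errmsg "Requires at least -l or -L option"
+return 1
+fi
+if [ -n "$o_dst_forward_recentrst" ] && ! ip6tables -m recent -h >/dev/null; then
+__errmsg "Please install ip6tables-mod-conntrack-extra with opkg"
+return 1
+fi
+o_remote_servers="$(for s in $o_remote_servers; do resolveip -6 "$s"; done)"
+}
+ss_rules6_flush() {
+local setname
+ip6tables-save --counters | grep -v ss_rules6_ | ip6tables-restore --counters
+while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+ip -f inet6 route flush table 100
+for setname in $(ipset -n list | grep "ss_rules6_"); do
+ipset destroy "$setname" 2>/dev/null || true
+done
+}
+ss_rules6_ipset_init() {
+ipset --exist restore <<-EOF
+create ss_rules6_src_bypass hash:net family inet6 hashsize 64
+create ss_rules6_src_forward hash:net family inet6 hashsize 64
+create ss_rules6_src_checkdst hash:net family inet6 hashsize 64
+create ss_rules6_dst_bypass hash:net family inet6 hashsize 64
+create ss_rules6_dst_bypass_ hash:net family inet6 hashsize 64
+create ss_rules6_dst_forward hash:net family inet6 hashsize 64
+create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600
+$(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+$(ss_rules6_ipset_mkadd ss_rules6_src_bypass "$o_src_bypass")
+$(ss_rules6_ipset_mkadd ss_rules6_src_forward "$o_src_forward")
+$(ss_rules6_ipset_mkadd ss_rules6_src_checkdst "$o_src_checkdst")
+$(ss_rules6_ipset_mkadd ss_rules6_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)")
+$(ss_rules6_ipset_mkadd ss_rules6_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)")
+EOF
+}
+ss_rules6_ipset_mkadd() {
+local setname="$1"; shift
+local i
+for i in $*; do
+echo "add $setname $i"
+done
+}
+ss_rules6_iptchains_init() {
+ss_rules6_iptchains_init_tcp
+ss_rules6_iptchains_init_udp
+}
+ss_rules6_iptchains_init_tcp() {
+local local_target
+[ -n "$o_redir_tcp_port" ] || return 0
+ss_rules6_iptchains_init_ nat tcp
+case "$o_local_default" in
+checkdst) local_target=ss_rules6_dst ;;
+forward) local_target=ss_rules6_forward ;;
+bypass|*) return 0;;
+esac
+ip6tables-restore --noflush <<-EOF
+*nat
+:ss_rules6_local_out -
+-I OUTPUT 1 -p tcp -j ss_rules6_local_out
+-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
+-A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+COMMIT
+EOF
+}
+ss_rules6_iptchains_init_udp() {
+[ -n "$o_redir_udp_port" ] || return 0
+ss_rules6_iptchains_init_ mangle udp
+}
+ss_rules6_iptchains_init_() {
+local table="$1"
+local proto="$2"
+local forward_rules
+local src_default_target dst_default_target
+local recentrst_mangle_rules recentrst_addset_rules
+case "$proto" in
+tcp)
+forward_rules="-A ss_rules6_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
+if [ -n "$o_dst_forward_recentrst" ]; then
+recentrst_mangle_rules="
+*mangle
+-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules6_recentrst --set --rsource
+COMMIT
+"
+recentrst_addset_rules="
+-A ss_rules6_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
+-A ss_rules6_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j ss_rules6_forward
+"
+fi
+;;
+udp)
+ip -f inet6 rule add fwmark 1 lookup 100
+ip -f inet6 route add local default dev lo table 100
+forward_rules="-A ss_rules6_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
+;;
+esac
+case "$o_src_default" in
+forward) src_default_target=ss_rules6_forward ;;
+checkdst) src_default_target=ss_rules6_dst ;;
+bypass|*) src_default_target=RETURN ;;
+esac
+case "$o_dst_default" in
+forward) dst_default_target=ss_rules6_forward ;;
+bypass|*) dst_default_target=RETURN ;;
+esac
+sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | ip6tables-restore --noflush
+*$table
+:ss_rules6_pre_src -
+:ss_rules6_src -
+:ss_rules6_dst -
+:ss_rules6_forward -
+$(ss_rules6_iptchains_mkprerules "$proto")
+-A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
+-A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN
+-A ss_rules6_src -m set --match-set ss_rules6_src_forward src -j ss_rules6_forward
+-A ss_rules6_src -m set --match-set ss_rules6_src_checkdst src -j ss_rules6_dst
+-A ss_rules6_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
+-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
+-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
+-A ss_rules6_dst -m set --match-set ss_rules6_dst_forward dst -j ss_rules6_forward
+$recentrst_addset_rules
+-A ss_rules6_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+$forward_rules
+COMMIT
+$recentrst_mangle_rules
+EOF
+}
+ss_rules6_iptchains_mkprerules() {
+local proto="$1"
+if [ -z "$o_ifnames" ]; then
+echo "-I PREROUTING 1 -p $proto -j ss_rules6_pre_src"
+else
+echo $o_ifnames \
+| tr ' ' '\n' \
+| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules6_pre_src/"
+fi
+}
+ss_rules6_parse_args "$@"
+ss_rules6_flush
+ss_rules6_ipset_init
+ss_rules6_iptchains_init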
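Review bot: The built-in bypass list `o_dst_bypass_` is left empty in this IPv6 copy, so the only addresses ss_rules6_ipset_init adds to ss_rules6_dst_bypass_ are the resolved remote servers. With `--src-default forward` or `--local-default forward`, TCP and UDP to loopback, link-local, unique-local and multicast destinations (DHCPv6 or LAN-local services on the router, for instance) would be handed to ss_rules6_forward rather than left alone. Seeding the list with the non-routable ranges, e.g. `o_dst_bypass_="::1/128 fc00::/7 fe80::/10 ff00::/8"`, keeps that traffic out of the proxy. In ss_rules6_iptchains_init_ the rule `-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN` is also appended after the jump to ss_rules6_src, so as ordered it only sees packets that chain has already returned. Moving it above the jump is what makes the set effective for forwarded sources.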