From 9f8e93bd210e0408a862b1e24b1971aa1af3eed1 Mon Sep 17 00:00:00 2001
From: Ycarus
Date: Wed, 11 Apr 2018 08:15:19 +0200
Subject: [PATCH] Rules to mark correctly bypassed traffic

---
 shadowsocks-libev/files/shadowsocks-libev.init | 2 +-
 shadowsocks-libev/files/ss-rules | 9 ++++++---
 shadowsocks-libev/files/ss-rules6 | 5 +++--
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init
index 4daadecfb..318b982f5 100644
--- a/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/shadowsocks-libev/files/shadowsocks-libev.init
@@ -296,7 +296,7 @@ start_service() {
 ss_rules
 ss_rules6
 # Add rule to match traffic marked by firewall for bypass
- ip rule add prio 1 fwmark 0x539 lookup 991337
+ ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
 }
 
 stop_service() {
diff --git a/shadowsocks-libev/files/ss-rules b/shadowsocks-libev/files/ss-rules
index 753664db4..3cc82b68f 100755
--- a/shadowsocks-libev/files/ss-rules
+++ b/shadowsocks-libev/files/ss-rules
@@ -154,15 +154,15 @@ ss_rules_ipset_mkadd() {
 }
 
 ss_rules_iptchains_init() {
+ ss_rules_iptchains_init_mark
 ss_rules_iptchains_init_tcp
 ss_rules_iptchains_init_udp
- ss_rules_iptchains_init_mark
 }
 
 ss_rules_iptchains_init_mark() {
 iptables-restore --noflush <<-EOF
 *mangle
- -A OUTPUT -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+ -A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
 COMMIT
 EOF
 }
@@ -184,8 +184,8 @@ ss_rules_iptchains_init_tcp() {
 *nat
 :ss_rules_local_out -
 -I OUTPUT 1 -p tcp -j ss_rules_local_out
- -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
 -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
+ -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
 -A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
 COMMIT
 EOF
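Review bot: Sending both stdout and stderr of `ip rule add` to /dev/null in start_service silences the expected "File exists" on a restart, but it also hides real failures (missing iproute2, unsupported fwmark selector, bad table id), so the bypass route can be silently absent. Making the add idempotent keeps errors visible: `ip rule del prio 1 fwmark 0x539 lookup 991337 2>/dev/null` followed by a plain `ip rule add prio 1 fwmark 0x539 lookup 991337`. If stop_service (outside this hunk) does not already remove the rule, adding the matching `ip rule del` there avoids the duplicate at its source. start_service begins before this hunk.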
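Review bot: Moving the MARK rule in ss_rules_iptchains_init_mark from OUTPUT to PREROUTING means locally originated IPv4 traffic to ss_rules_dst_bypass destinations is no longer marked, while the IPv6 counterpart in ss-rules6 (hunk at line 142) still marks only OUTPUT, so the two scripts now mark different traffic paths for the same purpose. If both forwarded and local traffic should take the fwmark route, keep both rules: `-A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539` and `-A OUTPUT -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539`. Separately, `iptables-restore --noflush` with `-A` appends another copy each time the rules are (re)initialised unless the flush path also clears these mangle entries, which is not visible here; worth confirming that the flush routine covers them.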
@@ -233,6 +233,7 @@ ss_rules_iptchains_init_() {
 forward) dst_default_target=ss_rules_forward ;;
 bypass|*) dst_default_target=RETURN ;;
 esac
+ echo "titi"
 sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore --noflush
 *$table
 :ss_rules_pre_src -
@@ -241,6 +242,7 @@ ss_rules_iptchains_init_() {
 :ss_rules_forward -
 $(ss_rules_iptchains_mkprerules "$proto")
 -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
+ -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
 -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
 -A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
 -A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
@@ -254,6 +256,7 @@ ss_rules_iptchains_init_() {
 COMMIT
 $recentrst_mangle_rules
 EOF
+ echo "toto"
 }
 
 ss_rules_iptchains_mkprerules() {
diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6
index 2a29d2f91..9e9cae80b 100755
--- a/shadowsocks-libev/files/ss-rules6
+++ b/shadowsocks-libev/files/ss-rules6
@@ -142,8 +142,8 @@ ss_rules6_iptchains_init() {
 ss_rules6_iptchains_init_mark
 }
 
-ss_rules_iptchains_init_mark() {
- iptables-restore --noflush <<-EOF
+ss_rules6_iptchains_init_mark() {
+ ip6tables-restore --noflush <<-EOF
 *mangle
 -A OUTPUT -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
 COMMIT
@@ -226,6 +226,7 @@ ss_rules6_iptchains_init_() {
 :ss_rules6_forward -
 $(ss_rules6_iptchains_mkprerules "$proto")
 -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
+ -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
 -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 -A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
 -A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN
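Review bot: `echo "titi"` before the sed/iptables-restore pipeline (and `echo "toto"` after the heredoc in the hunk at line 254) look like leftover debugging output; they print to stdout on every call of ss_rules_iptchains_init_, once per protocol, and should be dropped before merging. If a trace is genuinely wanted, a tagged `logger -t ss-rules "loading $proto rules into $table"` is preferable to bare echo in an init-time script. ss_rules_iptchains_init_ starts before this hunk and ends in the hunk at line 254.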
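Review bot: The fwmark set by the renamed ss_rules6_iptchains_init_mark has no visible routing consumer: the init hunk adds only an IPv4 `ip rule add prio 1 fwmark 0x539 lookup 991337`, and no `ip -6 rule` appears anywhere in this patch. Unless one exists elsewhere (not visible here), marking IPv6 packets has no effect on their routing; if it is intended, add `ip -6 rule add prio 1 fwmark 0x539 lookup 991337 2>/dev/null` next to the v4 rule in start_service. Note also that this chain still marks in OUTPUT while ss-rules now marks in PREROUTING (hunk at line 154); the two scripts should agree on which direction is being marked. The rename itself is a real fix, since the previous definition clashed with the IPv4 function of the same name. The function body continues past this hunk.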
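Review bot: The added `-A ss_rules6_dst ... -j MARK --set-mark 0x539` is written into the `$table` table that this heredoc targets; if that is `nat` for the TCP path (the TCP chains in ss_rules_iptchains_init_tcp above are in `*nat`), the table is only traversed by the first packet of a connection, so only that packet carries the fwmark and the rest of the flow follows ordinary routing. Per-packet marking of bypass destinations belongs in the mangle table, which ss_rules6_iptchains_init_mark already provides, or the mark has to be persisted with `-j CONNMARK --save-mark` after the MARK and `-j CONNMARK --restore-mark` early in mangle PREROUTING. The IPv4 equivalent (hunk at line 241) instead adds a RETURN in ss_rules_pre_src, so the v4 and v6 scripts diverge here as well. ss_rules6_iptchains_init_ starts and ends outside this hunk.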