From bdbdc201ec632dbfabdc948b28ecc0eff860c6b8 Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Thu, 4 Feb 2021 11:03:03 +0100
Subject: [PATCH] Fix shadowsocks iptables rules
---
 shadowsocks-libev/files/shadowsocks-libev.init | 4 +++-
 shadowsocks-libev/files/ss-rules | 2 +-
 shadowsocks-libev/files/ss-rules6 | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init
index 9e15c6241..fa1b1602d 100644
--- a/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/shadowsocks-libev/files/shadowsocks-libev.init
@@ -308,6 +308,7 @@ start_service() {
 # Add rule to match traffic marked by firewall for bypass
 ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
 rules_up
+ [ -f /etc/firewall.gre-tunnel ] && sh /etc/firewall.gre-tunnel > /dev/null 2>&1
 }
 
 stop_service() {
@@ -320,7 +321,7 @@ reload_service() {
 }
 
 rules_exist() {
- [ -n "$(iptables -t nat -L -n | grep ssr)" ] && return 0
+ [ -n "$(iptables-save | grep 'A ssr')" ] && return 0
 return 1
 }
 
@@ -347,6 +348,7 @@ rules_up() {
 config_foreach ss_rules_restart "$cfgtype" "$cfgtype"
 done
 config_foreach ss_rules ss_rules
+ [ -z "$(iptables-save | grep :ssr)" ] && logger -t "Shadowsocks" "Rules not applied"
 [ -f /etc/init.d/omr-bypass ] && {
 logger -t "Shadowsocks" "Reload omr-bypass rules"
 /etc/init.d/omr-bypass reload_rules
diff --git a/shadowsocks-libev/files/ss-rules b/shadowsocks-libev/files/ss-rules
index 396de706d..2f4583e47 100755
--- a/shadowsocks-libev/files/ss-rules
+++ b/shadowsocks-libev/files/ss-rules
@@ -187,7 +187,7 @@ ss_rules_iptchains_init_tcp() {
 forward) local_target=ssr_${rule}_forward ;;
 bypass|*) return 0;;
 esac
- if [ "$(iptables -t nat -L ssr_${rule}_local_out | grep ssr_${rule}_dst_bypass)" = "" ]; then
+ if [ "$(iptables-save | grep ssr_${rule}_local_out | grep ssr_${rule}_dst_bypass)" = "" ]; then
 iptables-restore -w --noflush <<-EOF
 *nat
 :ssr_${rule}_local_out - 
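Review bot: The line added at the end of start_service() runs /etc/firewall.gre-tunnel with stdout and stderr both discarded, so a failure to re-apply those firewall rules leaves no trace in the log. Because the `[ -f … ] &&` test is now the function's final command, start_service() also returns non-zero whenever the file is absent; whether the caller acts on that status is not visible here. Consider `[ -f /etc/firewall.gre-tunnel ] && { sh /etc/firewall.gre-tunnel >/dev/null 2>&1 || logger -t "Shadowsocks" "firewall.gre-tunnel failed"; }` followed by an explicit `return 0`. start_service() begins outside the hunk.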
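Review bot: `grep 'A ssr'` in rules_exist() is unanchored and now runs over every table that `iptables-save` dumps, whereas the old check looked only at the nat table; any line containing `A ssr` (a rule comment, for example) makes the function report that the rules exist. If nat is still the intended scope, `iptables-save -t nat | grep -q '^-A ssr' && return 0` keeps the check on appended rules in that table and drops the command substitution. The `grep :ssr` test added to rules_up() and the `iptables-save | grep …` pipeline in ss-rules have the same all-tables, unanchored shape.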
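Review bot: When no `:ssr` chain is present after `config_foreach ss_rules ss_rules`, the added line only writes "Rules not applied" at the default logger priority and rules_up() carries on, so a router whose redirect rules failed to load looks healthy while traffic presumably leaves without passing through shadowsocks. Logging it as an error makes it visible to monitoring, e.g. `logger -p daemon.err -t "Shadowsocks" "Rules not applied"`, and it is worth deciding whether rules_up() should return non-zero in that case. The test also duplicates rules_exist() with a different pattern, so a short comment saying why chain declarations rather than `-A` rules are checked here would help. rules_up() starts and ends outside the hunk.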
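Review bot: `${rule}` is expanded unquoted into both grep patterns of the new `if` test, so it is subject to word splitting and is read as a regular expression; if a rule name can ever contain `.` or whitespace, the match changes. The result decides whether the `*nat` here-doc below is loaded, so a wrong match either skips the chain setup or repeats it. Quoting with fixed-string matching avoids that: `if ! iptables-save -t nat | grep -F -- "ssr_${rule}_local_out" | grep -qF -- "ssr_${rule}_dst_bypass"; then`. ss_rules_iptchains_init_tcp() starts before and continues past the hunk.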
diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6
index 84d04beb5..3225573a1 100755
--- a/shadowsocks-libev/files/ss-rules6
+++ b/shadowsocks-libev/files/ss-rules6
@@ -175,7 +175,7 @@ ss_rules6_iptchains_init_tcp() {
 :ssr6_${rule}_local_out - 
 -I OUTPUT 1 -p tcp -j ssr6_${rule}_local_out
 -A ssr6_${rule}_local_out -m set --match-set ssr6_${rule}_dst_bypass dst -j RETURN
- -A ssr6_${rule}_local_out -m set --match-set ssr6_${rule}_dst_bypass_all dst -j RETURN
+ -A ssr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ssr6_${rule}_local_out -m set --match-set ssr6_${rule}_dst_bypass_ dst -j RETURN
 -A ssr6_${rule}_local_out -m mark --mark 0x6539 -j RETURN
 -A ssr6_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
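Review bot: The changed `--match-set` line now names a fixed set, `ss_rules6_dst_bypass_all`, while its neighbours use per-rule `ssr6_${rule}_…` sets, and nothing in this hunk shows where that set is created. A restore input that references a missing ipset is rejected, and the table is committed as a unit, so in that case none of the `ssr6_${rule}_local_out` rules would be installed. A comment above the here-doc such as `# ss_rules6_dst_bypass_all is one set shared by all rules; it must exist before this restore runs` would document the dependency. Every address in that shared set skips the redirect for every rule, so the comment should also say which component populates it. ss_rules6_iptchains_init_tcp() starts before and continues past the hunk.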