mirror of
https://github.com/Ysurac/openmptcprouter-feeds.git
synced 2025-03-09 15:40:03 +00:00
Add XRay
This commit is contained in:
parent
a816b09134
commit
ee1ffa2bd8
7 changed files with 3280 additions and 0 deletions
68
xray-core/Makefile
Normal file
68
xray-core/Makefile
Normal file
|
@ -0,0 +1,68 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=xray-core
|
||||
PKG_VERSION:=1.8.5
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_LICENSE:=MPLv2
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
PKG_MAINTAINER:=Yannick Chabanois <contact@openmptcprouter.com>
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://github.com/XTLS/Xray-core.git
|
||||
PKG_SOURCE_VERSION:=585d5ba7c8b64f6da60837546a70bbcfd2350c64
|
||||
|
||||
PKG_BUILD_DEPENDS:=golang/host
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
|
||||
GO_PKG:=github.com/XTLS/Xray-core
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(TOPDIR)/feeds/openmptcprouter/golang/golang-package.mk
|
||||
|
||||
define Package/$(PKG_NAME)
|
||||
SECTION:=Custom
|
||||
CATEGORY:=Extra packages
|
||||
TITLE:=Xray-core
|
||||
DEPENDS:=$(GO_ARCH_DEPENDS)
|
||||
PROVIDES:=xray-core
|
||||
endef
|
||||
|
||||
define Package/$(PKG_NAME)/description
|
||||
Xray-core bare bones binary (compiled without cgo)
|
||||
endef
|
||||
|
||||
define Package/$(PKG_NAME)/config
|
||||
menu "Xray Configuration"
|
||||
depends on PACKAGE_$(PKG_NAME)
|
||||
|
||||
config PACKAGE_XRAY_ENABLE_GOPROXY_IO
|
||||
bool "Use goproxy.io to speed up module fetching (recommended for some network situations)"
|
||||
default n
|
||||
|
||||
endmenu
|
||||
endef
|
||||
|
||||
USE_GOPROXY:=
|
||||
ifdef CONFIG_PACKAGE_XRAY_ENABLE_GOPROXY_IO
|
||||
USE_GOPROXY:=GOPROXY=https://goproxy.io,direct
|
||||
endif
|
||||
|
||||
MAKE_PATH:=$(GO_PKG_WORK_DIR_NAME)/build/src/$(GO_PKG)
|
||||
MAKE_VARS += $(GO_PKG_VARS)
|
||||
|
||||
#define Build/Patch
|
||||
# $(CP) $(PKG_BUILD_DIR)/../Xray-core-$(PKG_VERSION)/* $(PKG_BUILD_DIR)
|
||||
# $(Build/Patch/Default)
|
||||
#endef
|
||||
|
||||
define Build/Compile
|
||||
cd $(PKG_BUILD_DIR); $(GO_PKG_VARS) $(USE_GOPROXY) CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o $(PKG_INSTALL_DIR)/bin/xray ./main;
|
||||
endef
|
||||
|
||||
define Package/$(PKG_NAME)/install
|
||||
$(INSTALL_DIR) $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/xray $(1)/usr/bin/xray
|
||||
$(CP) ./files/* $(1)/
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,$(PKG_NAME)))
|
2
xray-core/files/etc/firewall.xray-rules
Normal file
2
xray-core/files/etc/firewall.xray-rules
Normal file
|
@ -0,0 +1,2 @@
|
|||
#!/bin/sh
|
||||
/etc/init.d/xray rules_up
|
2282
xray-core/files/etc/init.d/xray
Executable file
2282
xray-core/files/etc/init.d/xray
Executable file
File diff suppressed because it is too large
Load diff
202
xray-core/files/etc/uci-defaults/3010-omr-xray
Normal file
202
xray-core/files/etc/uci-defaults/3010-omr-xray
Normal file
|
@ -0,0 +1,202 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ -z "$(uci -q get xray.main)" ]; then
|
||||
touch /etc/config/xray
|
||||
uci batch <<-EOF
|
||||
set xray.main=xray
|
||||
set xray.main.xray_file='/usr/bin/xray'
|
||||
set xray.main.mem_percentage='0'
|
||||
set xray.main.loglevel='error'
|
||||
set xray.main.access_log='/dev/null'
|
||||
set xray.main.error_log='/dev/null'
|
||||
set xray.main.enabled='0'
|
||||
set xray.main.outbounds='omrout'
|
||||
set xray.main.inbounds='omr'
|
||||
add_list xray.main.inbounds='omrtest'
|
||||
set xray.main_dns=dns
|
||||
set xray.main_dns.hosts='example.com|127.0.0.1'
|
||||
set xray.main_dns.enabled='0'
|
||||
set xray.main_policy=policy
|
||||
set xray.main_policy.enabled='1'
|
||||
set xray.main_policy.levels='policy_level_0'
|
||||
set xray.policy_level_0=policy_level
|
||||
set xray.policy_level_0.level='0'
|
||||
set xray.policy_level_0.handshake='4'
|
||||
set xray.policy_level_0.conn_idle='1200'
|
||||
set xray.policy_level_0.uplink_only='0'
|
||||
set xray.policy_level_0.downlink_only='0'
|
||||
set xray.policy_level_0.buffer_size='512'
|
||||
set xray.main_transparent_proxy=transparent_proxy
|
||||
set xray.main_transparent_proxy.proxy_mode='default'
|
||||
set xray.main_transparent_proxy.apnic_delegated_mirror='apnic'
|
||||
set xray.main_transparent_proxy.gfwlist_mirror='github'
|
||||
set xray.main_transparent_proxy.redirect_udp='0'
|
||||
set xray.main_transparent_proxy.redirect_port='1897'
|
||||
set xray.omrout=outbound
|
||||
set xray.omrout.tag='omrout_tunnel'
|
||||
set xray.omrout.protocol='vless'
|
||||
set xray.omrout.s_vmess_address=''
|
||||
set xray.omrout.s_vmess_port='65230'
|
||||
set xray.omrout.s_vmess_user_id=''
|
||||
set xray.omrout.s_vmess_user_security='none'
|
||||
set xray.omrout.s_vmess_user_alter_id='0'
|
||||
set xray.omrout.s_vless_address=''
|
||||
set xray.omrout.s_vless_port='65228'
|
||||
set xray.omrout.s_vless_user_id=''
|
||||
set xray.omrout.s_vless_user_security='none'
|
||||
set xray.omrout.s_vless_user_encryption='none'
|
||||
set xray.omrout.s_vless_user_alter_id='0'
|
||||
set xray.omrout.s_trojan_address=''
|
||||
set xray.omrout.s_trojan_port='65229'
|
||||
set xray.omrout.s_trojan_user_id=''
|
||||
set xray.omrout.s_trojan_user_security='none'
|
||||
set xray.omrout.s_trojan_user_encryption='none'
|
||||
set xray.omrout.s_trojan_user_alter_id='0'
|
||||
set xray.omrout.s_socks_address=''
|
||||
set xray.omrout.s_socks_port='65231'
|
||||
set xray.omrout.s_socks_user_id=''
|
||||
set xray.omrout.s_socks_user_security='none'
|
||||
set xray.omrout.s_socks_user_encryption='none'
|
||||
set xray.omrout.s_socks_user_alter_id='0'
|
||||
set xray.omrout.ss_network='tcp'
|
||||
set xray.omrout.ss_security='tls'
|
||||
set xray.omrout.ss_tls_allow_insecure='1'
|
||||
set xray.omrout.ss_tls_disable_system_root='1'
|
||||
set xray.omrout.ss_tls_cert_usage='verify'
|
||||
set xray.omrout.ss_tls_cert_file='/etc/luci-uploads/client.crt'
|
||||
set xray.omrout.ss_tls_key_file='/etc/luci-uploads/client.key'
|
||||
set xray.omrout.s_shadowsocks_port='65252'
|
||||
set xray.omrout.mux_concurrency='8'
|
||||
set xray.omr=inbound
|
||||
set xray.omr.tag='omrtunnel'
|
||||
set xray.omr.listen='0.0.0.0'
|
||||
set xray.omr.port='1897'
|
||||
set xray.omr.protocol='dokodemo-door'
|
||||
set xray.omr.s_dokodemo_door_network='tcp'
|
||||
add_list xray.omr.s_dokodemo_door_network='udp'
|
||||
set xray.omr.ss_sockopt_tproxy='redirect'
|
||||
set xray.omr.ss_sockopt_tcp_fast_open='1'
|
||||
set xray.omr.ss_sockopt_mptcp='1'
|
||||
set xray.omr.s_dokodemo_door_follow_redirect='1'
|
||||
set xray.omr6=inbound
|
||||
set xray.omr6.tag='omrtunnel6'
|
||||
set xray.omr6.listen='::'
|
||||
set xray.omr6.port='1898'
|
||||
set xray.omr6.protocol='dokodemo-door'
|
||||
set xray.omr6.s_dokodemo_door_network='tcp'
|
||||
add_list xray.omr6.s_dokodemo_door_network='udp'
|
||||
set xray.omr6.ss_sockopt_tproxy='tproxy'
|
||||
set xray.omr6.ss_sockopt_tcp_fast_open='1'
|
||||
set xray.omr6.s_dokodemo_door_follow_redirect='1'
|
||||
set xray.omrtest=inbound
|
||||
set xray.omrtest.port='1111'
|
||||
set xray.omrtest.protocol='socks'
|
||||
set xray.omrtest.listen='127.0.0.1'
|
||||
set xray.omrtest.s_socks_auth='noauth'
|
||||
set xray.omrtest.s_socks_udp='1'
|
||||
set xray.omrtest.s_socks_ip='127.0.0.1'
|
||||
set xray.omrtest.s_socks_userlevel='0'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.omr.listen='0.0.0.0'
|
||||
commit xray
|
||||
EOF
|
||||
|
||||
if [ "$(uci -q get firewall.xray)" = "" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set firewall.xray=include
|
||||
set firewall.xray.path=/etc/firewall.xray-rules
|
||||
set firewall.xray.reload=0
|
||||
commit firewall
|
||||
EOF
|
||||
fi
|
||||
if [ "$(uci -q get firewall.xray.path)" != "/etc/firewall.xray-rules" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set firewall.xray.path=/etc/firewall.xray-rules
|
||||
commit firewall
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$(uci -q get xray.main_reverse.bridges | grep omrbridge)" = "" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.main_reverse=reverse
|
||||
set xray.main_reverse.enabled=1
|
||||
set xray.main_reverse.bridges='omrbridge|omr.lan'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
if [ "$(uci -q get xray.omrrouting)" = "" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.omrexit=outbound
|
||||
set xray.omrexit.protocol='freedom'
|
||||
set xray.omrexit.tag='out'
|
||||
add_list xray.main.outbounds=omrexit
|
||||
set xray.omrrouting=routing_rule
|
||||
set xray.omrrouting.type='field'
|
||||
set xray.omrrouting.inbound_tag='omrbridge'
|
||||
set xray.omrrouting.outbound_tag='omrout_tunnel'
|
||||
set xray.omrrouting.domain='full:omr.lan'
|
||||
set xray.omrroutingo=routing_rule
|
||||
set xray.omrroutingo.type='field'
|
||||
set xray.omrroutingo.inbound_tag='omrbridge'
|
||||
set xray.omrroutingo.outbound_tag='out'
|
||||
set xray.main_routing=routing
|
||||
set xray.main_routing.enabled=1
|
||||
set xray.main_routing.rules='omrrouting'
|
||||
add_list xray.main_routing.rules='omrroutingo'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$(uci -q get xray.main.error_log)" != "/dev/null" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.main.error_log='/dev/null'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
#if [ "$(uci -q get xray.main.mem_percentage)" = "0" ]; then
|
||||
# uci -q batch <<-EOF >/dev/null
|
||||
# set xray.main.mem_percentage='80'
|
||||
# commit xray
|
||||
# EOF
|
||||
#fi
|
||||
if [ "$(uci -q get xray.policy_level_0.conn_idle)" = "2400" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.policy_level_0.conn_idle='1200'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$(uci -q get xray.omrout.s_vmess_port)" = "65228" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.omrout.s_vmess_port='65230'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$(uci -q get xray.omrout.s_trojan_port)" = "" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.omrout.s_trojan_address=''
|
||||
set xray.omrout.s_trojan_port='65229'
|
||||
set xray.omrout.s_trojan_user_id=''
|
||||
set xray.omrout.s_trojan_user_security='none'
|
||||
set xray.omrout.s_trojan_user_encryption='none'
|
||||
set xray.omrout.s_trojan_user_alter_id='0'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
if [ "$(uci -q get xray.omrout.s_socks_port)" = "" ]; then
|
||||
uci -q batch <<-EOF >/dev/null
|
||||
set xray.omrout.s_socks_address=''
|
||||
set xray.omrout.s_socks_port='65231'
|
||||
set xray.omrout.s_socks_user_id=''
|
||||
set xray.omrout.s_socks_user_security='none'
|
||||
set xray.omrout.s_socks_user_encryption='none'
|
||||
set xray.omrout.s_socks_user_alter_id='0'
|
||||
commit xray
|
||||
EOF
|
||||
fi
|
||||
|
||||
exit 0
|
319
xray-core/files/usr/bin/xray-rules
Executable file
319
xray-core/files/usr/bin/xray-rules
Executable file
|
@ -0,0 +1,319 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
|
||||
# Copyright (C) 2018-2021 Ycarus (Yannick Chabanois) <ycarus@zugaina.org> for OpenMPTCProuter
|
||||
#
|
||||
# The design idea was derived from ss-rules by Jian Chang <aa65535@live.com>
|
||||
#
|
||||
# This is free software, licensed under the GNU General Public License v3.
|
||||
# See /LICENSE for more information.
|
||||
#
|
||||
|
||||
if [ -f /usr/sbin/iptables-legacy ]; then
|
||||
IPTABLES="/usr/sbin/iptables-legacy"
|
||||
IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore"
|
||||
IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
|
||||
else
|
||||
IPTABLES="/usr/sbin/iptables"
|
||||
IPTABLESRESTORE="/usr/sbin/iptables-restore"
|
||||
IPTABLESSAVE="/usr/sbin/iptables-save"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
xr_rules_usage() {
|
||||
cat >&2 <<EOF
|
||||
Usage: xray-rules [options]
|
||||
|
||||
-h, --help Show this help message then exit
|
||||
-f, --flush Flush rules, ipset then exit
|
||||
-l <port> Local port number of ss-redir with TCP mode
|
||||
-L <port> Local port number of ss-redir with UDP mode
|
||||
-s <ips> List of ip addresses of remote shadowsocks server
|
||||
--ifnames Only apply rules on packets from these ifnames
|
||||
--src-bypass <ips|cidr>
|
||||
--src-forward <ips|cidr>
|
||||
--src-checkdst <ips|cidr>
|
||||
--src-default <bypass|forward|checkdst>
|
||||
Packets will have their src ip checked in order against
|
||||
bypass, forward, checkdst list and will bypass, forward
|
||||
through, or continue to have their dst ip checked
|
||||
respectively on the first match. Otherwise, --src-default
|
||||
decide the default action
|
||||
--dst-bypass <ips|cidr>
|
||||
--dst-forward <ips|cidr>
|
||||
--dst-bypass-file <file>
|
||||
--dst-forward-file <file>
|
||||
--dst-default <bypass|forward>
|
||||
Same as with their --src-xx equivalent
|
||||
--dst-forward-recentrst
|
||||
Forward those packets whose destinations have recently
|
||||
sent to us multiple tcp-rst packets
|
||||
--local-default <bypass|forward|checkdst>
|
||||
Default action for local out TCP traffic
|
||||
|
||||
The following ipsets will be created by ss-rules. They are also intended to be
|
||||
populated by other programs like dnsmasq with ipset support
|
||||
|
||||
ss_rules_src_bypass
|
||||
ss_rules_src_forward
|
||||
ss_rules_src_checkdst
|
||||
ss_rules_dst_bypass
|
||||
ss_rules_dst_bypass_all
|
||||
ss_rules_dst_forward
|
||||
EOF
|
||||
}
|
||||
|
||||
o_dst_bypass_="
|
||||
0.0.0.0/8
|
||||
10.0.0.0/8
|
||||
100.64.0.0/10
|
||||
127.0.0.0/8
|
||||
169.254.0.0/16
|
||||
172.16.0.0/12
|
||||
192.0.0.0/24
|
||||
192.0.2.0/24
|
||||
192.31.196.0/24
|
||||
192.52.193.0/24
|
||||
192.88.99.0/24
|
||||
192.168.0.0/16
|
||||
192.175.48.0/24
|
||||
198.18.0.0/15
|
||||
198.51.100.0/24
|
||||
203.0.113.0/24
|
||||
224.0.0.0/4
|
||||
240.0.0.0/4
|
||||
255.255.255.255
|
||||
"
|
||||
o_src_default=bypass
|
||||
o_dst_default=bypass
|
||||
o_local_default=bypass
|
||||
|
||||
__errmsg() {
|
||||
echo "xray-rules: $*" >&2
|
||||
}
|
||||
|
||||
xr_rules_parse_args() {
|
||||
while [ "$#" -gt 0 ]; do
|
||||
case "$1" in
|
||||
-h|--help) xr_rules_usage; exit 0;;
|
||||
-f|--flush) xr_rules_flush; exit 0;;
|
||||
-l) o_redir_tcp_port="$2"; shift 2;;
|
||||
-L) o_redir_udp_port="$2"; shift 2;;
|
||||
-s) o_remote_servers="$2"; shift 2;;
|
||||
--ifnames) o_ifnames="$2"; shift 2;;
|
||||
--ipt-extra) o_ipt_extra="$2"; shift 2;;
|
||||
--src-default) o_src_default="$2"; shift 2;;
|
||||
--dst-default) o_dst_default="$2"; shift 2;;
|
||||
--local-default) o_local_default="$2"; shift 2;;
|
||||
--src-bypass) o_src_bypass="$2"; shift 2;;
|
||||
--src-forward) o_src_forward="$2"; shift 2;;
|
||||
--src-checkdst) o_src_checkdst="$2"; shift 2;;
|
||||
--dst-bypass) o_dst_bypass="$2"; shift 2;;
|
||||
--dst-bypass_all) o_dst_bypass_all="$2"; shift 2;;
|
||||
--dst-forward) o_dst_forward="$2"; shift 2;;
|
||||
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
||||
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
||||
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
||||
--rule-name) rule="$2"; shift 2;;
|
||||
*) __errmsg "unknown option $1"; return 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then
|
||||
__errmsg "Requires at least -l or -L option"
|
||||
return 1
|
||||
fi
|
||||
if [ -n "$o_dst_forward_recentrst" ] && ! $IPTABLES -w -m recent -h >/dev/null; then
|
||||
__errmsg "Please install iptables-mod-conntrack-extra with opkg"
|
||||
return 1
|
||||
fi
|
||||
o_remote_servers="$(for s in $o_remote_servers; do resolveip -4 "$s"; done)"
|
||||
}
|
||||
|
||||
xr_rules_flush() {
|
||||
local setname
|
||||
|
||||
$IPTABLESSAVE --counters 2>/dev/null | grep -v xr_ | $IPTABLESRESTORE --counters
|
||||
while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
|
||||
ip route flush table 100 || true
|
||||
for setname in $(ipset -n list | grep "ssr_${rule}"); do
|
||||
ipset destroy "$setname" 2>/dev/null || true
|
||||
done
|
||||
}
|
||||
|
||||
xr_rules_ipset_init() {
|
||||
ipset --exist restore <<-EOF
|
||||
create ssr_${rule}_src_bypass hash:net hashsize 64
|
||||
create ssr_${rule}_src_forward hash:net hashsize 64
|
||||
create ssr_${rule}_src_checkdst hash:net hashsize 64
|
||||
create ss_rules_dst_bypass_all hash:net hashsize 64
|
||||
create ssr_${rule}_dst_bypass hash:net hashsize 64
|
||||
create ssr_${rule}_dst_bypass_ hash:net hashsize 64
|
||||
create ssr_${rule}_dst_forward hash:net hashsize 64
|
||||
create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
|
||||
$(xr_rules_ipset_mkadd ssr_${rule}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
|
||||
$(xr_rules_ipset_mkadd ss_rules_dst_bypass_all "$o_dst_bypass_all")
|
||||
$(xr_rules_ipset_mkadd ssr_${rule}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')")
|
||||
$(xr_rules_ipset_mkadd ssr_${rule}_src_bypass "$o_src_bypass")
|
||||
$(xr_rules_ipset_mkadd ssr_${rule}_src_forward "$o_src_forward")
|
||||
$(xr_rules_ipset_mkadd ssr_${rule}_src_checkdst "$o_src_checkdst")
|
||||
$(xr_rules_ipset_mkadd ssr_${rule}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')")
|
||||
EOF
|
||||
}
|
||||
|
||||
xr_rules_ipset_mkadd() {
|
||||
local setname="$1"; shift
|
||||
local i
|
||||
|
||||
for i in $*; do
|
||||
echo "add $setname $i"
|
||||
done
|
||||
}
|
||||
|
||||
xr_rules_iptchains_init() {
|
||||
xr_rules_iptchains_init_mark
|
||||
xr_rules_iptchains_init_tcp
|
||||
xr_rules_iptchains_init_udp
|
||||
}
|
||||
|
||||
xr_rules_iptchains_init_mark() {
|
||||
if [ "$($IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then
|
||||
$IPTABLESRESTORE --noflush <<-EOF
|
||||
*mangle
|
||||
-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||
COMMIT
|
||||
EOF
|
||||
fi
|
||||
}
|
||||
|
||||
xr_rules_iptchains_init_tcp() {
|
||||
local local_target
|
||||
|
||||
[ -n "$o_redir_tcp_port" ] || return 0
|
||||
|
||||
xr_rules_iptchains_init_ nat tcp
|
||||
|
||||
case "$o_local_default" in
|
||||
checkdst) local_target=xr_${rule}_dst ;;
|
||||
forward) local_target=xr_${rule}_forward ;;
|
||||
bypass|*) return 0;;
|
||||
esac
|
||||
|
||||
$IPTABLESRESTORE --noflush <<-EOF
|
||||
*nat
|
||||
:xr_${rule}_local_out -
|
||||
-I OUTPUT 1 -p tcp -j xr_${rule}_local_out
|
||||
-A xr_${rule}_local_out -m set --match-set ssr_${rule}_dst_bypass dst -j RETURN
|
||||
-A xr_${rule}_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||
-A xr_${rule}_local_out -m set --match-set ssr_${rule}_dst_bypass_ dst -j RETURN
|
||||
-A xr_${rule}_local_out -m mark --mark 0x539 -j RETURN
|
||||
-A xr_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||
COMMIT
|
||||
EOF
|
||||
}
|
||||
|
||||
xr_rules_iptchains_init_udp() {
|
||||
[ -n "$o_redir_udp_port" ] || return 0
|
||||
xr_rules_iptchains_init_ mangle udp
|
||||
}
|
||||
|
||||
xr_rules_iptchains_init_() {
|
||||
local table="$1"
|
||||
local proto="$2"
|
||||
local forward_rules
|
||||
local src_default_target dst_default_target
|
||||
local recentrst_mangle_rules recentrst_addset_rules
|
||||
|
||||
case "$proto" in
|
||||
tcp)
|
||||
forward_rules="-A xr_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||
recentrst_mangle_rules="
|
||||
*mangle
|
||||
-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name xr_recentrst --set --rsource
|
||||
COMMIT
|
||||
"
|
||||
recentrst_addset_rules="
|
||||
-A xr_${rule}_dst -m recent --name xr_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
|
||||
-A xr_${rule}_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j xr_${rule}_forward
|
||||
"
|
||||
fi
|
||||
;;
|
||||
udp)
|
||||
ip rule add fwmark 1 lookup 100 || true
|
||||
ip route add local default dev lo table 100 || true
|
||||
forward_rules="-A xr_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
|
||||
;;
|
||||
esac
|
||||
case "$o_src_default" in
|
||||
forward) src_default_target=xr_${rule}_forward ;;
|
||||
checkdst) src_default_target=xr_${rule}_dst ;;
|
||||
bypass|*) src_default_target=RETURN ;;
|
||||
esac
|
||||
case "$o_dst_default" in
|
||||
forward) dst_default_target=xr_${rule}_forward ;;
|
||||
bypass|*) dst_default_target=RETURN ;;
|
||||
esac
|
||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IPTABLESRESTORE --noflush
|
||||
*$table
|
||||
:xr_${rule}_pre_src -
|
||||
:xr_${rule}_src -
|
||||
:xr_${rule}_dst -
|
||||
:xr_${rule}_forward -
|
||||
$(xr_rules_iptchains_mkprerules "$proto")
|
||||
-A xr_${rule}_pre_src -m set --match-set ssr_${rule}_dst_bypass_ dst -j RETURN
|
||||
-A xr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
|
||||
-A xr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||
-A xr_${rule}_pre_src -m set --match-set ssr_${rule}_dst_bypass dst -j RETURN
|
||||
-A xr_${rule}_pre_src -m mark --mark 0x539 -j RETURN
|
||||
-A xr_${rule}_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
|
||||
-A xr_${rule}_dst -m set --match-set ssr_${rule}_dst_bypass dst -j RETURN
|
||||
-A xr_${rule}_pre_src -p $proto $o_ipt_extra -j xr_${rule}_src
|
||||
-A xr_${rule}_src -m set --match-set ssr_${rule}_src_bypass src -j RETURN
|
||||
-A xr_${rule}_src -m set --match-set ssr_${rule}_src_forward src -j xr_${rule}_forward
|
||||
-A xr_${rule}_src -m set --match-set ssr_${rule}_src_checkdst src -j xr_${rule}_dst
|
||||
-A xr_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||
-A xr_${rule}_dst -m set --match-set ssr_${rule}_dst_forward dst -j xr_${rule}_forward
|
||||
$recentrst_addset_rules
|
||||
-A xr_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||
$forward_rules
|
||||
COMMIT
|
||||
$recentrst_mangle_rules
|
||||
EOF
|
||||
}
|
||||
|
||||
xr_rules_iptchains_mkprerules() {
|
||||
local proto="$1"
|
||||
|
||||
if [ -z "$o_ifnames" ]; then
|
||||
echo "-A PREROUTING -p $proto -j xr_${rule}_pre_src"
|
||||
else
|
||||
echo $o_ifnames \
|
||||
| tr ' ' '\n' \
|
||||
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j xr_${rule}_pre_src/"
|
||||
fi
|
||||
}
|
||||
|
||||
xr_rules_fw_drop() {
|
||||
fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
|
||||
while IFS=$"\n" read -r c; do
|
||||
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
|
||||
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
|
||||
eval "$IPTABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
|
||||
fi
|
||||
done
|
||||
fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
|
||||
while IFS=$"\n" read -r c; do
|
||||
fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
|
||||
if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
|
||||
eval "$IPTABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
xr_rules_parse_args "$@"
|
||||
#xr_rules_flush
|
||||
xr_rules_ipset_init
|
||||
xr_rules_iptchains_init
|
||||
xr_rules_fw_drop
|
310
xray-core/files/usr/bin/xray-rules6
Executable file
310
xray-core/files/usr/bin/xray-rules6
Executable file
|
@ -0,0 +1,310 @@
|
|||
#!/bin/sh -e
|
||||
#
|
||||
# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
|
||||
# Copyright (C) 2018-2021 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
|
||||
#
|
||||
# The design idea was derived from ss-rules by Jian Chang <aa65535@live.com>
|
||||
#
|
||||
# This is free software, licensed under the GNU General Public License v3.
|
||||
# See /LICENSE for more information.
|
||||
#
|
||||
|
||||
if [ -f /usr/sbin/iptables-legacy ]; then
|
||||
IP6TABLES="/usr/sbin/ip6tables-legacy"
|
||||
IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore"
|
||||
IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save"
|
||||
else
|
||||
IP6TABLES="/usr/sbin/ip6tables"
|
||||
IP6TABLESRESTORE="/usr/sbin/ip6tables-restore"
|
||||
IP6TABLESSAVE="/usr/sbin/ip6tables-save"
|
||||
fi
|
||||
|
||||
|
||||
|
||||
xray_rules6_usage() {
|
||||
cat >&2 <<EOF
|
||||
Usage: xray-rules6 [options]
|
||||
|
||||
-h, --help Show this help message then exit
|
||||
-f, --flush Flush rules, ipset then exit
|
||||
-l <port> Local port number of ss-redir with TCP mode
|
||||
-L <port> Local port number of ss-redir with UDP mode
|
||||
-s <ips> List of ip addresses of remote shadowsocks server
|
||||
--ifnames Only apply rules on packets from these ifnames
|
||||
--src-bypass <ips|cidr>
|
||||
--src-forward <ips|cidr>
|
||||
--src-checkdst <ips|cidr>
|
||||
--src-default <bypass|forward|checkdst>
|
||||
Packets will have their src ip checked in order against
|
||||
bypass, forward, checkdst list and will bypass, forward
|
||||
through, or continue to have their dst ip checked
|
||||
respectively on the first match. Otherwise, --src-default
|
||||
decide the default action
|
||||
--dst-bypass <ips|cidr>
|
||||
--dst-forward <ips|cidr>
|
||||
--dst-bypass-file <file>
|
||||
--dst-forward-file <file>
|
||||
--dst-default <bypass|forward>
|
||||
Same as with their --src-xx equivalent
|
||||
--dst-forward-recentrst
|
||||
Forward those packets whose destinations have recently
|
||||
sent to us multiple tcp-rst packets
|
||||
--local-default <bypass|forward|checkdst>
|
||||
Default action for local out TCP traffic
|
||||
|
||||
The following ipsets will be created by xray-rules. They are also intended to be
|
||||
populated by other programs like dnsmasq with ipset support
|
||||
|
||||
xray_rules6_src_bypass
|
||||
xray_rules6_src_forward
|
||||
xray_rules6_src_checkdst
|
||||
xray_rules6_dst_bypass
|
||||
xray_rules6_dst_forward
|
||||
EOF
|
||||
}
|
||||
|
||||
o_dst_bypass_="
|
||||
fe80::/10
|
||||
fd00::/8
|
||||
::1
|
||||
"
|
||||
o_src_default=bypass
|
||||
o_dst_default=bypass
|
||||
o_local_default=bypass
|
||||
|
||||
__errmsg() {
|
||||
echo "xray-rules6: $*" >&2
|
||||
}
|
||||
|
||||
xray_rules6_parse_args() {
|
||||
while [ "$#" -gt 0 ]; do
|
||||
case "$1" in
|
||||
-h|--help) xray_rules6_usage; exit 0;;
|
||||
-f|--flush) xray_rules6_flush; exit 0;;
|
||||
-l) o_redir_tcp_port="$2"; shift 2;;
|
||||
-L) o_redir_udp_port="$2"; shift 2;;
|
||||
-s) o_remote_servers="$2"; shift 2;;
|
||||
--ifnames) o_ifnames="$2"; shift 2;;
|
||||
--ipt-extra) o_ipt_extra="$2"; shift 2;;
|
||||
--src-default) o_src_default="$2"; shift 2;;
|
||||
--dst-default) o_dst_default="$2"; shift 2;;
|
||||
--local-default) o_local_default="$2"; shift 2;;
|
||||
--src-bypass) o_src_bypass="$2"; shift 2;;
|
||||
--src-forward) o_src_forward="$2"; shift 2;;
|
||||
--src-checkdst) o_src_checkdst="$2"; shift 2;;
|
||||
--dst-bypass) o_dst_bypass="$2"; shift 2;;
|
||||
--dst-bypass_all) o_dst_bypass_all="$2"; shift 2;;
|
||||
--dst-forward) o_dst_forward="$2"; shift 2;;
|
||||
--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
|
||||
--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
|
||||
--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
|
||||
--rule-name) rule="$2"; shift 2;;
|
||||
*) __errmsg "unknown option $1"; return 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then
|
||||
__errmsg "Requires at least -l or -L option"
|
||||
return 1
|
||||
fi
|
||||
if [ -n "$o_dst_forward_recentrst" ] && ! $IP6TABLES -w -m recent -h >/dev/null; then
|
||||
__errmsg "Please install ip6tables-mod-conntrack-extra with opkg"
|
||||
return 1
|
||||
fi
|
||||
o_remote_servers="$(for s in $o_remote_servers; do resolveip -6 "$s"; done)"
|
||||
}
|
||||
|
||||
xray_rules6_flush() {
|
||||
local setname
|
||||
|
||||
$IP6TABLESSAVE --counters 2>/dev/null | grep -v xr6_ | $IP6TABLESRESTORE --counters
|
||||
while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
|
||||
ip -f inet6 route flush table 100 || true
|
||||
for setname in $(ipset -n list | grep "ssr6_${rule}"); do
|
||||
ipset destroy "$setname" 2>/dev/null || true
|
||||
done
|
||||
}
|
||||
|
||||
xray_rules6_ipset_init() {
|
||||
ipset --exist restore <<-EOF
|
||||
create ssr6_${rule}_src_bypass hash:net family inet6 hashsize 64
|
||||
create ssr6_${rule}_src_forward hash:net family inet6 hashsize 64
|
||||
create ssr6_${rule}_src_checkdst hash:net family inet6 hashsize 64
|
||||
create ssr6_${rule}_dst_bypass hash:net family inet6 hashsize 64
|
||||
create ss_rules6_dst_bypass_all hash:net family inet6 hashsize 64
|
||||
create ssr6_${rule}_dst_bypass_ hash:net family inet6 hashsize 64
|
||||
create ssr6_${rule}_dst_forward hash:net family inet6 hashsize 64
|
||||
create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600
|
||||
$(xray_rules6_ipset_mkadd ssr6_${rule}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
|
||||
$(xray_rules6_ipset_mkadd ss_rules6_dst_bypass_all "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
|
||||
$(xray_rules6_ipset_mkadd ssr6_${rule}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
|
||||
$(xray_rules6_ipset_mkadd ssr6_${rule}_src_bypass "$o_src_bypass")
|
||||
$(xray_rules6_ipset_mkadd ssr6_${rule}_src_forward "$o_src_forward")
|
||||
$(xray_rules6_ipset_mkadd ssr6_${rule}_src_checkdst "$o_src_checkdst")
|
||||
$(xray_rules6_ipset_mkadd ssr6_${rule}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
|
||||
EOF
|
||||
}
|
||||
|
||||
xray_rules6_ipset_mkadd() {
|
||||
local setname="$1"; shift
|
||||
local i
|
||||
|
||||
for i in $*; do
|
||||
echo "add $setname $i"
|
||||
done
|
||||
}
|
||||
|
||||
xray_rules6_iptchains_init() {
|
||||
xray_rules6_iptchains_init_mark
|
||||
xray_rules6_iptchains_init_tcp
|
||||
xray_rules6_iptchains_init_udp
|
||||
}
|
||||
|
||||
xray_rules6_iptchains_init_mark() {
|
||||
$IP6TABLESRESTORE --noflush <<-EOF
|
||||
*mangle
|
||||
-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||
COMMIT
|
||||
EOF
|
||||
}
|
||||
|
||||
|
||||
xray_rules6_iptchains_init_tcp() {
|
||||
local local_target
|
||||
|
||||
[ -n "$o_redir_tcp_port" ] || return 0
|
||||
|
||||
#xray_rules6_iptchains_init_ nat tcp
|
||||
xray_rules6_iptchains_init_ mangle tcp
|
||||
|
||||
case "$o_local_default" in
|
||||
checkdst) local_target=xr6_${rule}_dst ;;
|
||||
forward) local_target=xr6_${rule}_forward ;;
|
||||
bypass|*) return 0;;
|
||||
esac
|
||||
|
||||
# echo "tcp mangle"
|
||||
# $IP6TABLESRESTORE --noflush <<-EOF
|
||||
# *mangle
|
||||
# :xr6_${rule}_local_out -
|
||||
# -I OUTPUT 1 -p tcp -j xr6_${rule}_local_out
|
||||
# -A xr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
|
||||
# -A xr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||
# -A xr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
|
||||
# -A xr6_${rule}_local_out -m mark --mark 0x6539 -j RETURN
|
||||
# -A xr6_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
|
||||
# COMMIT
|
||||
# EOF
|
||||
# echo "done"
|
||||
}
|
||||
|
||||
xray_rules6_iptchains_init_udp() {
|
||||
[ -n "$o_redir_udp_port" ] || return 0
|
||||
xray_rules6_iptchains_init_ mangle udp
|
||||
}
|
||||
|
||||
xray_rules6_iptchains_init_() {
|
||||
local table="$1"
|
||||
local proto="$2"
|
||||
local forward_rules
|
||||
local src_default_target dst_default_target
|
||||
local recentrst_mangle_rules recentrst_addset_rules
|
||||
|
||||
case "$proto" in
|
||||
tcp)
|
||||
#forward_rules="-A xr6_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
|
||||
forward_rules="-A xr6_${rule}_forward -p tcp -j TPROXY --on-port $o_redir_tcp_port --tproxy-mark 0x01/0x01"
|
||||
if [ -n "$o_dst_forward_recentrst" ]; then
|
||||
recentrst_mangle_rules="
|
||||
*mangle
|
||||
-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules6_recentrst --set --rsource
|
||||
COMMIT
|
||||
"
|
||||
recentrst_addset_rules="
|
||||
-A xr6_${rule}_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
|
||||
-A xr6_${rule}_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j xr6_${rule}_forward
|
||||
"
|
||||
fi
|
||||
;;
|
||||
udp)
|
||||
ip -f inet6 rule add fwmark 1 lookup 100 || true
|
||||
ip -f inet6 route add local default dev lo table 100 || true
|
||||
forward_rules="
|
||||
-A xr6_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01
|
||||
-A xr6_${rule}_forward -p tcp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01
|
||||
"
|
||||
;;
|
||||
esac
|
||||
case "$o_src_default" in
|
||||
forward) src_default_target=xr6_${rule}_forward ;;
|
||||
checkdst) src_default_target=xr6_${rule}_dst ;;
|
||||
bypass|*) src_default_target=RETURN ;;
|
||||
esac
|
||||
case "$o_dst_default" in
|
||||
forward) dst_default_target=xr6_${rule}_forward ;;
|
||||
bypass|*) dst_default_target=RETURN ;;
|
||||
esac
|
||||
sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IP6TABLESRESTORE --noflush
|
||||
*$table
|
||||
:xr6_${rule}_pre_src -
|
||||
:xr6_${rule}_src -
|
||||
:xr6_${rule}_dst -
|
||||
:xr6_${rule}_forward -
|
||||
$(xray_rules6_iptchains_mkprerules "udp")
|
||||
$(xray_rules6_iptchains_mkprerules "tcp")
|
||||
-A xr6_${rule}_pre_src -m set --match-set ssr6_${rule}_dst_bypass_ dst -j RETURN
|
||||
-A xr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
|
||||
-A xr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||
-A xr6_${rule}_pre_src -m set --match-set ssr6_${rule}_dst_bypass dst -j RETURN
|
||||
-A xr6_${rule}_pre_src -m mark --mark 0x6539 -j RETURN
|
||||
-A xr6_${rule}_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
|
||||
-A xr6_${rule}_dst -m set --match-set ssr6_${rule}_dst_bypass dst -j RETURN
|
||||
-A xr6_${rule}_pre_src -p tcp $o_ipt_extra -j xr6_${rule}_src
|
||||
-A xr6_${rule}_pre_src -p udp $o_ipt_extra -j xr6_${rule}_src
|
||||
-A xr6_${rule}_src -m set --match-set ssr6_${rule}_src_bypass src -j RETURN
|
||||
-A xr6_${rule}_src -m set --match-set ssr6_${rule}_src_forward src -j xr6_${rule}_forward
|
||||
-A xr6_${rule}_src -m set --match-set ssr6_${rule}_src_checkdst src -j xr6_${rule}_dst
|
||||
-A xr6_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
|
||||
-A xr6_${rule}_dst -m set --match-set ssr6_${rule}_dst_forward dst -j xr6_${rule}_forward
|
||||
$recentrst_addset_rules
|
||||
-A xr6_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
|
||||
$forward_rules
|
||||
COMMIT
|
||||
$recentrst_mangle_rules
|
||||
EOF
|
||||
}
|
||||
|
||||
xray_rules6_iptchains_mkprerules() {
|
||||
local proto="$1"
|
||||
|
||||
if [ -z "$o_ifnames" ]; then
|
||||
echo "-A PREROUTING -p $proto -j xr6_${rule}_pre_src"
|
||||
else
|
||||
echo $o_ifnames \
|
||||
| tr ' ' '\n' \
|
||||
| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j xr6_${rule}_pre_src/"
|
||||
fi
|
||||
}
|
||||
|
||||
xray_rules6_fw_drop() {
|
||||
fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
|
||||
while IFS=$"\n" read -r c; do
|
||||
fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
|
||||
if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
|
||||
eval "$IP6TABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
|
||||
fi
|
||||
done
|
||||
fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
|
||||
while IFS=$"\n" read -r c; do
|
||||
fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
|
||||
if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
|
||||
eval "$IP6TABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
xray_rules6_parse_args "$@"
|
||||
xray_rules6_flush
|
||||
xray_rules6_ipset_init
|
||||
xray_rules6_iptchains_init
|
||||
xray_rules6_fw_drop
|
97
xray-core/patches/001-fix-wireguard-go.patch
Normal file
97
xray-core/patches/001-fix-wireguard-go.patch
Normal file
|
@ -0,0 +1,97 @@
|
|||
diff -aurN xray-core-1.8.5.old/go.mod xray-core-1.8.5/go.mod
|
||||
--- a/go.mod 2023-09-18 16:14:12.554956393 +0200
|
||||
+++ b/go.mod 2023-09-18 16:16:56.304259547 +0200
|
||||
@@ -12,13 +12,13 @@
|
||||
github.com/pires/go-proxyproto v0.7.0
|
||||
github.com/quic-go/quic-go v0.38.1
|
||||
github.com/refraction-networking/utls v1.4.3
|
||||
- github.com/sagernet/sing v0.2.9
|
||||
+ github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a
|
||||
github.com/sagernet/sing-shadowsocks v0.2.4
|
||||
- github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
|
||||
github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb
|
||||
github.com/stretchr/testify v1.8.4
|
||||
github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
|
||||
github.com/xtls/reality v0.0.0-20230828171259-e426190d57f6
|
||||
+ github.com/xtls/wireguard-go v0.0.0-20230303120718-56f003b3a66e
|
||||
go4.org/netipx v0.0.0-20230824141953-6213f710f925
|
||||
golang.org/x/crypto v0.12.0
|
||||
golang.org/x/net v0.14.0
|
||||
@@ -47,7 +47,7 @@
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
|
||||
github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
|
||||
- go.uber.org/atomic v1.11.0 // indirect
|
||||
+ go.uber.org/atomic v1.10.0 // indirect
|
||||
golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 // indirect
|
||||
golang.org/x/mod v0.12.0 // indirect
|
||||
golang.org/x/text v0.12.0 // indirect
|
||||
diff -aurN xray-core-1.8.5.old/go.sum xray-core-1.8.5/go.sum
|
||||
--- a/go.sum 2023-09-18 16:14:12.554956393 +0200
|
||||
+++ b/go.sum 2023-09-18 16:16:56.304259547 +0200
|
||||
@@ -123,12 +123,10 @@
|
||||
github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg=
|
||||
github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
|
||||
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
|
||||
-github.com/sagernet/sing v0.2.9 h1:3wsTz+JG5Wzy65eZnh6AuCrD2QqcRF6Iq6f7ttmJsAo=
|
||||
-github.com/sagernet/sing v0.2.9/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
|
||||
+github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a h1:b89t6Mjgk4rJ5lrNMnCzy1/J116XkhgdB3YNd9FHyF4=
|
||||
+github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
|
||||
github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
|
||||
github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
|
||||
-github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
|
||||
-github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
|
||||
github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb h1:XfLJSPIOUX+osiMraVgIrMR27uMXnRJWGm1+GL8/63U=
|
||||
github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb/go.mod h1:bR6DqgcAl1zTcOX8/pE2Qkj9XO00eCNqmKb7lXP8EAg=
|
||||
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
|
||||
@@ -168,10 +166,12 @@
|
||||
github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
|
||||
github.com/xtls/reality v0.0.0-20230828171259-e426190d57f6 h1:T+YCYGfFdzyaKTDCdZn/hEiKvsw6yUfd+e4hze0rCUw=
|
||||
github.com/xtls/reality v0.0.0-20230828171259-e426190d57f6/go.mod h1:rkuAY1S9F8eI8gDiPDYvACE8e2uwkyg8qoOTuwWov7Y=
|
||||
+github.com/xtls/wireguard-go v0.0.0-20230303120718-56f003b3a66e h1:Y0CxNt+TeOhFUS2J/EF6osq9RukduvGYUNk2xPdKW60=
|
||||
+github.com/xtls/wireguard-go v0.0.0-20230303120718-56f003b3a66e/go.mod h1:XFvPXP1gUqy/12j+KbdShku+YWiZJjaYLEAn4ZXaRGU=
|
||||
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
|
||||
go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
|
||||
-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
|
||||
-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
|
||||
+go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
|
||||
+go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
|
||||
go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
|
||||
go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
|
||||
go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
|
||||
diff -aurN xray-core-1.8.5.old/proxy/wireguard/bind.go xray-core-1.8.5/proxy/wireguard/bind.go
|
||||
--- a/proxy/wireguard/bind.go 2023-09-18 16:14:12.562956262 +0200
|
||||
+++ b/proxy/wireguard/bind.go 2023-09-18 16:15:43.597456179 +0200
|
||||
@@ -9,7 +9,7 @@
|
||||
"strconv"
|
||||
"sync"
|
||||
|
||||
- "github.com/sagernet/wireguard-go/conn"
|
||||
+ "github.com/xtls/wireguard-go/conn"
|
||||
xnet "github.com/xtls/xray-core/common/net"
|
||||
"github.com/xtls/xray-core/features/dns"
|
||||
"github.com/xtls/xray-core/transport/internet"
|
||||
diff -aurN xray-core-1.8.5.old/proxy/wireguard/tun.go xray-core-1.8.5/proxy/wireguard/tun.go
|
||||
--- a/proxy/wireguard/tun.go 2023-09-18 16:14:12.562956262 +0200
|
||||
+++ b/proxy/wireguard/tun.go 2023-09-18 16:15:52.413310983 +0200
|
||||
@@ -12,7 +12,7 @@
|
||||
"net/netip"
|
||||
"os"
|
||||
|
||||
- "github.com/sagernet/wireguard-go/tun"
|
||||
+ "github.com/xtls/wireguard-go/tun"
|
||||
"github.com/xtls/xray-core/features/dns"
|
||||
"gvisor.dev/gvisor/pkg/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
diff -aurN xray-core-1.8.5.old/proxy/wireguard/wireguard.go xray-core-1.8.5/proxy/wireguard/wireguard.go
|
||||
--- a/proxy/wireguard/wireguard.go 2023-09-18 16:14:12.562956262 +0200
|
||||
+++ b/proxy/wireguard/wireguard.go 2023-09-18 16:16:01.109167878 +0200
|
||||
@@ -27,7 +27,7 @@
|
||||
"net/netip"
|
||||
"strings"
|
||||
|
||||
- "github.com/sagernet/wireguard-go/device"
|
||||
+ "github.com/xtls/wireguard-go/device"
|
||||
"github.com/xtls/xray-core/common"
|
||||
"github.com/xtls/xray-core/common/buf"
|
||||
"github.com/xtls/xray-core/common/log"
|
Loading…
Add table
Add a link
Reference in a new issue