From eedd893c9ca170fe91b7daa600173dedad235b0d Mon Sep 17 00:00:00 2001
From: Ycarus
Date: Wed, 19 Sep 2018 23:08:07 +0200
Subject: [PATCH] Set a different ipset to bypass all and one to bypass only shadowsocks
---
 .../luasrc/controller/omr-bypass.lua | 2 +-
 luci-app-omr-bypass/root/etc/init.d/omr-bypass | 14 +++++++-------
 luci-app-openmptcprouter/root/bin/omr-ip-intf | 4 ++--
 luci-app-openmptcprouter/root/bin/omr-mptcp-intf | 4 ++--
 openmptcprouter/files/bin/omr-test-speed | 4 ++--
 openmptcprouter/files/bin/omr-test-speedv6 | 4 ++--
 openmptcprouter/files/bin/omr-tracebox | 4 ++--
 openmptcprouter/files/bin/omr-tracebox-json | 4 ++--
 shadowsocks-libev/files/ss-rules | 15 +++++++++++----
 shadowsocks-libev/files/ss-rules6 | 9 +++++++--
 10 files changed, 38 insertions(+), 26 deletions(-)
diff --git a/luci-app-omr-bypass/luasrc/controller/omr-bypass.lua b/luci-app-omr-bypass/luasrc/controller/omr-bypass.lua
index d3dce5f9f..9169a1c68 100644
--- a/luci-app-omr-bypass/luasrc/controller/omr-bypass.lua
+++ b/luci-app-omr-bypass/luasrc/controller/omr-bypass.lua
@@ -41,7 +41,7 @@ function bypass_add()
 ucic:save("omr-bypass")
 ucic:commit("omr-bypass")
- ucic:set_list("dhcp",ucic:get_first("dhcp","dnsmasq"),"ipset",domains_ipset .. "/ss_rules_dst_bypass")
+ ucic:set_list("dhcp",ucic:get_first("dhcp","dnsmasq"),"ipset",domains_ipset .. "/ss_rules_dst_bypass_all")
 ucic:save("dhcp")
 ucic:commit("dhcp")
 luci.sys.exec("/etc/init.d/dnsmasq reload")
diff --git a/luci-app-omr-bypass/root/etc/init.d/omr-bypass b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
index 386af985e..f43229984 100755
--- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass
+++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
@@ -12,9 +12,9 @@ _bypass_ip() {
 valid_ip4=$( valid_subnet4 $ip)
 valid_ip6=$( valid_subnet6 $ip)
 if [ "$valid_ip4" = "ok" ]; then
- ipset add ss_rules_dst_bypass $ip
+ ipset add ss_rules_dst_bypass_all $ip
 elif [ "$valid_ip6" = "ok" ]; then
- ipset add ss_rules6_dst_bypass $ip
+ ipset add ss_rules6_dst_bypass_all $ip
 fi
 }
@@ -22,7 +22,7 @@ _bypass_domain() {
 # Bypass domain even if OMR DNS is not used
 domains=$(uci -q get dhcp.@dnsmasq[0].ipset)
 for domain in ${domains//\// }; do
- if [ -n "$domain" ] && [ "$domain" != "ss_rules_dst_bypass" ]; then
+ if [ -n "$domain" ] && [ "$domain" != "ss_rules_dst_bypass_all" ]; then
 resolve=$(dig a +nocmd +noall +answer $domain | awk '{print $5}')
 for ip in $resolve; do
 _bypass_ip $ip
@@ -43,9 +43,9 @@ _bypass_proto() {
 }
 start_service() {
- ipset -q flush ss_rules_dst_bypass > /dev/null 2>&1
+ ipset -q flush ss_rules_dst_bypass_all > /dev/null 2>&1
 ipset -q --exist restore <<-EOF
- create ss_rules_dst_bypass hash:net hashsize 64
+ create ss_rules_dst_bypass_all hash:net hashsize 64
 EOF
 config_load omr-bypass
@@ -55,10 +55,10 @@ start_service() {
 ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
- if [ "$(iptables -w 40 -t mangle -L | grep 'match-set ss_rules_dst_bypass dst MARK set')" = "" ]; then
+ if [ "$(iptables -w 40 -t mangle -L | grep 'match-set ss_rules_dst_bypass_all dst MARK set')" = "" ]; then
 iptables-restore --wait=60 --noflush <<-EOF
 *mangle
- -A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+ -A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
 COMMIT
 EOF
 fi
diff --git a/luci-app-openmptcprouter/root/bin/omr-ip-intf b/luci-app-openmptcprouter/root/bin/omr-ip-intf
index cb7946a62..2cd6861bb 100755
--- a/luci-app-openmptcprouter/root/bin/omr-ip-intf
+++ b/luci-app-openmptcprouter/root/bin/omr-ip-intf
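Review bot: start_service only looks for and installs the rule matching `ss_rules_dst_bypass_all`; on a router upgraded in place, a `-A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539` rule installed by the previous version is neither detected by the grep nor removed, so destinations that should now bypass only shadowsocks would still be marked 0x539 and routed through table 991337 until the mangle table is rebuilt. This is inferred from the hunk alone; stop_service is outside the diff and may already clean up. A cheap guard before the restore would be `iptables -w 40 -t mangle -D PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539 > /dev/null 2>&1`. The same one-line rename pattern applies to the flush and the create in this hunk, which do not touch the old set either.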
@@ -1,5 +1,5 @@
 #!/bin/sh
 checkip=$(dig +short A ip.openmptcprouter.com | tr -d "\n")
-ipset add ss_rules_dst_bypass $checkip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $checkip > /dev/null 2>&1
 curl -s -4 -m 3 --interface $1 http://ip.openmptcprouter.com
-ipset del ss_rules_dst_bypass $checkip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $checkip > /dev/null 2>&1
diff --git a/luci-app-openmptcprouter/root/bin/omr-mptcp-intf b/luci-app-openmptcprouter/root/bin/omr-mptcp-intf
index 9967d9576..a384959ff 100755
--- a/luci-app-openmptcprouter/root/bin/omr-mptcp-intf
+++ b/luci-app-openmptcprouter/root/bin/omr-mptcp-intf
@@ -1,5 +1,5 @@
 #!/bin/sh
 multipathip=$(dig +short A multipath-tcp.org | tr -d "\n")
-ipset add ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
 curl -s -4 -m 3 --interface $1 http://www.multipath-tcp.org
-ipset del ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
diff --git a/openmptcprouter/files/bin/omr-test-speed b/openmptcprouter/files/bin/omr-test-speed
index d3e542680..c500e3d2e 100755
--- a/openmptcprouter/files/bin/omr-test-speed
+++ b/openmptcprouter/files/bin/omr-test-speed
@@ -9,7 +9,7 @@ if [ -z "$INTERFACE" ]; then
 curl -4 http://$HOST/files/10Gio.dat >/dev/null || echo
 else
 hostip=$(dig +short A $HOST | tr -d "\n")
- ipset add ss_rules_dst_bypass $hostip
+ ipset add ss_rules_dst_bypass_all $hostip
 curl -4 --interface $INTERFACE http://$HOST/files/10Gio.dat >/dev/null || echo
- ipset del ss_rules_dst_bypass $hostip
+ ipset del ss_rules_dst_bypass_all $hostip
 fi
diff --git a/openmptcprouter/files/bin/omr-test-speedv6 b/openmptcprouter/files/bin/omr-test-speedv6
index 43ca0141f..85b9e7df0 100755
--- a/openmptcprouter/files/bin/omr-test-speedv6
+++ b/openmptcprouter/files/bin/omr-test-speedv6
@@ -9,7 +9,7 @@ if [ -z "$INTERFACE" ]; then
 curl -6 http://$HOST/files/10Gio.dat >/dev/null || echo
 else
 hostip=$(dig +short A $HOST | tr -d "\n")
- ipset add ss_rules_dst_bypass $hostip
+ ipset add ss_rules6_dst_bypass_all $hostip
 curl -6 --interface $INTERFACE http://$HOST/files/10Gio.dat >/dev/null || echo
- ipset del ss_rules_dst_bypass $hostip
+ ipset del ss_rules6_dst_bypass_all $hostip
 fi
diff --git a/openmptcprouter/files/bin/omr-tracebox b/openmptcprouter/files/bin/omr-tracebox
index e6d96cfd3..2342d3b8c 100755
--- a/openmptcprouter/files/bin/omr-tracebox
+++ b/openmptcprouter/files/bin/omr-tracebox
@@ -1,10 +1,10 @@
 #!/bin/sh
 INTERFACE="$1"
 multipathip=$(dig +short A multipath-tcp.org | tr -d "\n")
-ipset add ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
 if [ -z "$INTERFACE" ]; then
 tracebox -v -n -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 else
 tracebox -v -i $INTERFACE -n -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 fi
-ipset del ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
diff --git a/openmptcprouter/files/bin/omr-tracebox-json b/openmptcprouter/files/bin/omr-tracebox-json
index 6408778de..fa34f5354 100755
--- a/openmptcprouter/files/bin/omr-tracebox-json
+++ b/openmptcprouter/files/bin/omr-tracebox-json
@@ -1,10 +1,10 @@
 #!/bin/sh
 INTERFACE="$1"
 multipathip=$(dig +short A multipath-tcp.org | tr -d "\n")
-ipset add ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
 if [ -z "$INTERFACE" ]; then
 tracebox -v -j -m 10 -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 else
 tracebox -v -j -m 10 -i $INTERFACE -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 fi
-ipset del ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
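Review bot: In omr-test-speedv6 the target set becomes the IPv6 set `ss_rules6_dst_bypass_all` (created with `family inet6` in ss-rules6), but `hostip` is still obtained with `dig +short A $HOST`, so an IPv4 address is handed to an inet6 set: the `ipset add` fails and the AAAA address that `curl -6` actually connects to is never bypassed, which makes the per-interface measurement go through the normal path. Change the lookup to `hostip=$(dig +short AAAA $HOST | tr -d "\n")` and mirror it in the `ipset del`. Note that `tr -d "\n"` glues several answers into one token, so a host with more than one AAAA record would still fail the add; that limitation predates this commit and the v4 script shares it. The tracebox hunks on this line are straight renames.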
diff --git a/shadowsocks-libev/files/ss-rules b/shadowsocks-libev/files/ss-rules
index 37b069b61..4245159e1 100755
--- a/shadowsocks-libev/files/ss-rules
+++ b/shadowsocks-libev/files/ss-rules
@@ -47,6 +47,7 @@ populated by other programs like dnsmasq with ipset support
 ss_rules_src_forward
 ss_rules_src_checkdst
 ss_rules_dst_bypass
+ ss_rules_dst_bypass_all
 ss_rules_dst_forward
 EOF
 }
@@ -97,6 +98,7 @@ ss_rules_parse_args() {
 --src-forward) o_src_forward="$2"; shift 2;;
 --src-checkdst) o_src_checkdst="$2"; shift 2;;
 --dst-bypass) o_dst_bypass="$2"; shift 2;;
+ --dst-bypass_all) o_dst_bypass_all="$2"; shift 2;;
 --dst-forward) o_dst_forward="$2"; shift 2;;
 --dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
 --dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
@@ -132,11 +134,13 @@ ss_rules_ipset_init() {
 create ss_rules_src_bypass hash:net hashsize 64
 create ss_rules_src_forward hash:net hashsize 64
 create ss_rules_src_checkdst hash:net hashsize 64
+ create ss_rules_dst_bypass_all hash:net hashsize 64
 create ss_rules_dst_bypass hash:net hashsize 64
 create ss_rules_dst_bypass_ hash:net hashsize 64
 create ss_rules_dst_forward hash:net hashsize 64
 create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
 $(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+ $(ss_rules_ipset_mkadd ss_rules_dst_bypass_all "$o_dst_bypass_all")
 $(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')")
 $(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
 $(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
@@ -163,7 +167,7 @@ ss_rules_iptchains_init() {
 ss_rules_iptchains_init_mark() {
 iptables-restore --noflush <<-EOF
 *mangle
- -A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+ -A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
 COMMIT
 EOF
 }
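Review bot: The new option in ss_rules_parse_args is spelled `--dst-bypass_all` while every neighbouring option is hyphenated (`--dst-bypass`, `--dst-forward-recentrst`, `--dst-bypass-file`); I would rename it before any caller depends on the underscore form: `--dst-bypass-all) o_dst_bypass_all="$2"; shift 2;;`. The first hunk adds `ss_rules_dst_bypass_all` to the usage text's ipset list, but as far as this diff shows the option itself is not described there, nor is the difference between the two sets — entries in `_all` are marked 0x539 by ss_rules_iptchains_init_mark and leave via the bypass routing table, whereas `ss_rules_dst_bypass` now only skips the proxy redirect. A one-line entry for the new option in the usage text, stating that distinction, would make the split discoverable to anyone reading `ss-rules --help`.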
@@ -186,8 +190,9 @@ ss_rules_iptchains_init_tcp() {
 :ss_rules_local_out -
 -I OUTPUT 1 -p tcp -j ss_rules_local_out
 -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
+ -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
 -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
- -A ss_rules_local_out -m mark --mark 0x539 -j RETURN
+ -A ss_rules_local_out -m mark ! --mark 0 -j RETURN
 -A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
 COMMIT
 EOF
@@ -243,9 +248,11 @@ ss_rules_iptchains_init_() {
 :ss_rules_forward -
 $(ss_rules_iptchains_mkprerules "$proto")
 -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
- -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+ -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
+ -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
 -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
- -A ss_rules_pre_src -m mark --mark 0x539 -j RETURN
+ -A ss_rules_pre_src -m mark ! --mark 0 -j RETURN
+ -A ss_rules_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
 -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
 -A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
 -A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
diff --git a/shadowsocks-libev/files/ss-rules6 b/shadowsocks-libev/files/ss-rules6
index 2335e72e2..9cd446a40 100755
--- a/shadowsocks-libev/files/ss-rules6
+++ b/shadowsocks-libev/files/ss-rules6
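Review bot: `-A ss_rules_local_out -m mark ! --mark 0 -j RETURN` (and the identical change on `ss_rules_pre_src` in the next hunk) widens the exemption from the specific bypass mark 0x539 to any non-zero fwmark, so a packet marked by any other mangle rule on the router for an unrelated purpose now skips the shadowsocks redirect and is sent directly — a silent policy change that the commit message, which is about adding a second ipset, does not mention. The ss-rules6 hunks in this same commit keep `-m mark --mark 0x539 -j RETURN`, so IPv4 and IPv6 now diverge on this point. If only the bypass mark is meant to exempt traffic, restore `-A ss_rules_local_out -m mark --mark 0x539 -j RETURN` in both places; if other marks are intentionally honoured, match only those bits with a value/mask and record which marks are meant in a comment next to the rule.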
@@ -116,10 +116,12 @@ ss_rules6_ipset_init() {
 create ss_rules6_src_forward hash:net family inet6 hashsize 64
 create ss_rules6_src_checkdst hash:net family inet6 hashsize 64
 create ss_rules6_dst_bypass hash:net family inet6 hashsize 64
+ create ss_rules6_dst_bypass_all hash:net family inet6 hashsize 64
 create ss_rules6_dst_bypass_ hash:net family inet6 hashsize 64
 create ss_rules6_dst_forward hash:net family inet6 hashsize 64
 create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600
 $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+ $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_all "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
 $(ss_rules6_ipset_mkadd ss_rules6_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
 $(ss_rules6_ipset_mkadd ss_rules6_src_bypass "$o_src_bypass")
 $(ss_rules6_ipset_mkadd ss_rules6_src_forward "$o_src_forward")
@@ -146,7 +148,7 @@ ss_rules6_iptchains_init() {
 ss_rules6_iptchains_init_mark() {
 ip6tables-restore --noflush <<-EOF
 *mangle
- -A PREROUTING -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
+ -A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
 COMMIT
 EOF
 }
@@ -170,6 +172,7 @@ ss_rules6_iptchains_init_tcp() {
 :ss_rules6_local_out -
 -I OUTPUT 1 -p tcp -j ss_rules6_local_out
 -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
+ -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
 -A ss_rules6_local_out -m mark --mark 0x539 -j RETURN
 -A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
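Review bot: `ss_rules6_dst_bypass_all` is populated from `$o_dst_bypass` and `$o_dst_bypass_file` — exactly the same inputs as `ss_rules6_dst_bypass` on the line below it — so for IPv6 the two sets hold identical members and every dst-bypass destination is still marked 0x539 by ss_rules6_iptchains_init_mark; the "bypass all" versus "bypass only shadowsocks" split that this commit introduces only takes effect for IPv4. The ss-rules counterpart feeds its `_all` set from `$o_dst_bypass_all`, and ss-rules6 should do the same: `$(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_all "$o_dst_bypass_all")`. This diff shows no ss_rules6_parse_args change defining `o_dst_bypass_all`, so the matching option presumably still has to be added there too, otherwise the set stays empty.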
@@ -228,9 +231,11 @@ ss_rules6_iptchains_init_() {
 :ss_rules6_forward -
 $(ss_rules6_iptchains_mkprerules "$proto")
 -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
- -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
+ -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
+ -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 -A ss_rules6_pre_src -m mark --mark 0x539 -j RETURN
+ -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 -A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 -A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
 -A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN