Set a different ipset to bypass all and one to bypass only shadowsocks

2025-03-09 15:40:03 +00:00 · 2018-09-19 23:08:07 +02:00 · 2018-09-19 23:08:07 +02:00 · eedd893c9c
commit eedd893c9c
parent 97ff6a8bd5
10 changed files with 38 additions and 26 deletions
--- a/luci-app-omr-bypass/luasrc/controller/omr-bypass.lua
+++ b/luci-app-omr-bypass/luasrc/controller/omr-bypass.lua
@ -41,7 +41,7 @@ function bypass_add()
 	ucic:save("omr-bypass")
 	ucic:commit("omr-bypass")
-	ucic:set_list("dhcp",ucic:get_first("dhcp","dnsmasq"),"ipset",domains_ipset .. "/ss_rules_dst_bypass")
+	ucic:set_list("dhcp",ucic:get_first("dhcp","dnsmasq"),"ipset",domains_ipset .. "/ss_rules_dst_bypass_all")
 	ucic:save("dhcp")
 	ucic:commit("dhcp")
 	luci.sys.exec("/etc/init.d/dnsmasq reload")
--- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass
+++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass
@ -12,9 +12,9 @@ _bypass_ip() {
 	valid_ip4=$( valid_subnet4 $ip)
 	valid_ip6=$( valid_subnet6 $ip)
 	if [ "$valid_ip4" = "ok" ]; then
-		ipset add ss_rules_dst_bypass $ip
+		ipset add ss_rules_dst_bypass_all $ip
 	elif [ "$valid_ip6" = "ok" ]; then
-		ipset add ss_rules6_dst_bypass $ip
+		ipset add ss_rules6_dst_bypass_all $ip
 	fi
 }
@ -22,7 +22,7 @@ _bypass_domain() {
 	# Bypass domain even if OMR DNS is not used
 	domains=$(uci -q get dhcp.@dnsmasq[0].ipset)
 	for domain in ${domains//\// }; do
-		if [ -n "$domain" ] && [ "$domain" != "ss_rules_dst_bypass" ]; then
+		if [ -n "$domain" ] && [ "$domain" != "ss_rules_dst_bypass_all" ]; then
 			resolve=$(dig a +nocmd +noall +answer $domain | awk '{print $5}')
 			for ip in $resolve; do
 				_bypass_ip $ip
@ -43,9 +43,9 @@ _bypass_proto() {
 }
 start_service() {
-	ipset -q flush ss_rules_dst_bypass > /dev/null 2>&1
+	ipset -q flush ss_rules_dst_bypass_all > /dev/null 2>&1
 	ipset -q --exist restore <<-EOF
-	create ss_rules_dst_bypass hash:net hashsize 64
+	create ss_rules_dst_bypass_all hash:net hashsize 64
 	EOF
 	config_load omr-bypass
@ -55,10 +55,10 @@ start_service() {
 	ip rule add prio 1 fwmark 0x539 lookup 991337 > /dev/null 2>&1
-	if [ "$(iptables -w 40 -t mangle -L | grep 'match-set ss_rules_dst_bypass dst MARK set')" = "" ]; then
+	if [ "$(iptables -w 40 -t mangle -L | grep 'match-set ss_rules_dst_bypass_all dst MARK set')" = "" ]; then
 		iptables-restore --wait=60 --noflush <<-EOF
 		*mangle
-		-A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+		-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
 		COMMIT
 		EOF
 	fi
--- a/luci-app-openmptcprouter/root/bin/omr-ip-intf
+++ b/luci-app-openmptcprouter/root/bin/omr-ip-intf
@ -1,5 +1,5 @@
 #!/bin/sh
 checkip=$(dig +short A ip.openmptcprouter.com | tr -d "\n")
-ipset add ss_rules_dst_bypass $checkip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $checkip > /dev/null 2>&1
 curl -s -4 -m 3 --interface $1 http://ip.openmptcprouter.com
-ipset del ss_rules_dst_bypass $checkip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $checkip > /dev/null 2>&1
--- a/luci-app-openmptcprouter/root/bin/omr-mptcp-intf
+++ b/luci-app-openmptcprouter/root/bin/omr-mptcp-intf
@ -1,5 +1,5 @@
 #!/bin/sh
 multipathip=$(dig +short A multipath-tcp.org | tr -d "\n")
-ipset add ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
 curl -s -4 -m 3 --interface $1 http://www.multipath-tcp.org
-ipset del ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
--- a/openmptcprouter/files/bin/omr-test-speed
+++ b/openmptcprouter/files/bin/omr-test-speed
@ -9,7 +9,7 @@ if [ -z "$INTERFACE" ]; then
 	curl -4 http://$HOST/files/10Gio.dat >/dev/null || echo
 else
 	hostip=$(dig +short A $HOST | tr -d "\n")
-	ipset add ss_rules_dst_bypass $hostip
+	ipset add ss_rules_dst_bypass_all $hostip
 	curl -4 --interface $INTERFACE http://$HOST/files/10Gio.dat >/dev/null || echo
-	ipset del ss_rules_dst_bypass $hostip
+	ipset del ss_rules_dst_bypass_all $hostip
 fi
--- a/openmptcprouter/files/bin/omr-test-speedv6
+++ b/openmptcprouter/files/bin/omr-test-speedv6
@ -9,7 +9,7 @@ if [ -z "$INTERFACE" ]; then
 	curl -6 http://$HOST/files/10Gio.dat >/dev/null || echo
 else
 	hostip=$(dig +short A $HOST | tr -d "\n")
-	ipset add ss_rules_dst_bypass $hostip
+	ipset add ss_rules6_dst_bypass_all $hostip
 	curl -6 --interface $INTERFACE http://$HOST/files/10Gio.dat >/dev/null || echo
-	ipset del ss_rules_dst_bypass $hostip
+	ipset del ss_rules6_dst_bypass_all $hostip
 fi
--- a/openmptcprouter/files/bin/omr-tracebox
+++ b/openmptcprouter/files/bin/omr-tracebox
@ -1,10 +1,10 @@
 #!/bin/sh
 INTERFACE="$1"
 multipathip=$(dig +short A multipath-tcp.org | tr -d "\n")
-ipset add ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
 if [ -z "$INTERFACE" ]; then
 	tracebox -v -n -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 else
 	tracebox -v -i $INTERFACE -n -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 fi
-ipset del ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
--- a/openmptcprouter/files/bin/omr-tracebox-json
+++ b/openmptcprouter/files/bin/omr-tracebox-json
@ -1,10 +1,10 @@
 #!/bin/sh
 INTERFACE="$1"
 multipathip=$(dig +short A multipath-tcp.org | tr -d "\n")
-ipset add ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset add ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
 if [ -z "$INTERFACE" ]; then
 	tracebox -v -j -m 10 -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 else
 	tracebox -v -j -m 10 -i $INTERFACE -p IP/TCP/MSS/MPCAPABLE/WSCALE multipath-tcp.org
 fi
-ipset del ss_rules_dst_bypass $multipathip > /dev/null 2>&1
+ipset del ss_rules_dst_bypass_all $multipathip > /dev/null 2>&1
--- a/shadowsocks-libev/files/ss-rules
+++ b/shadowsocks-libev/files/ss-rules
@ -47,6 +47,7 @@ populated by other programs like dnsmasq with ipset support
 	ss_rules_src_forward
 	ss_rules_src_checkdst
 	ss_rules_dst_bypass
 	ss_rules_dst_bypass_all
 	ss_rules_dst_forward
 EOF
 }
@ -97,6 +98,7 @@ ss_rules_parse_args() {
 			--src-forward) o_src_forward="$2"; shift 2;;
 			--src-checkdst) o_src_checkdst="$2"; shift 2;;
 			--dst-bypass) o_dst_bypass="$2"; shift 2;;
 			--dst-bypass_all) o_dst_bypass_all="$2"; shift 2;;
 			--dst-forward) o_dst_forward="$2"; shift 2;;
 			--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
 			--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
@ -132,11 +134,13 @@ ss_rules_ipset_init() {
 		create ss_rules_src_bypass hash:net hashsize 64
 		create ss_rules_src_forward hash:net hashsize 64
 		create ss_rules_src_checkdst hash:net hashsize 64
 		create ss_rules_dst_bypass_all hash:net hashsize 64
 		create ss_rules_dst_bypass hash:net hashsize 64
 		create ss_rules_dst_bypass_ hash:net hashsize 64
 		create ss_rules_dst_forward hash:net hashsize 64
 		create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
 		$(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
 		$(ss_rules_ipset_mkadd ss_rules_dst_bypass_all "$o_dst_bypass_all")
 		$(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')")
 		$(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
 		$(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
@ -163,7 +167,7 @@ ss_rules_iptchains_init() {
 ss_rules_iptchains_init_mark() {
 	iptables-restore --noflush <<-EOF
 		*mangle
-		-A PREROUTING -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+		-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
 		COMMIT
 	EOF
 }
@ -186,8 +190,9 @@ ss_rules_iptchains_init_tcp() {
 		:ss_rules_local_out -
 		-I OUTPUT 1 -p tcp -j ss_rules_local_out
 		-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass dst -j RETURN
 		-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
 		-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
-		-A ss_rules_local_out -m mark --mark 0x539 -j RETURN
+		-A ss_rules_local_out -m mark ! --mark 0 -j RETURN
 		-A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
 		COMMIT
 	EOF
@ -243,9 +248,11 @@ ss_rules_iptchains_init_() {
 		:ss_rules_forward -
 		$(ss_rules_iptchains_mkprerules "$proto")
 		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
-		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j MARK --set-mark 0x539
+		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
 		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
 		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass dst -j RETURN
-		-A ss_rules_pre_src -m mark --mark 0x539 -j RETURN
+		-A ss_rules_pre_src -m mark ! --mark 0 -j RETURN
 		-A ss_rules_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
 		-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
 		-A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
 		-A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
--- a/shadowsocks-libev/files/ss-rules6
+++ b/shadowsocks-libev/files/ss-rules6
@ -116,10 +116,12 @@ ss_rules6_ipset_init() {
 		create ss_rules6_src_forward hash:net family inet6 hashsize 64
 		create ss_rules6_src_checkdst hash:net family inet6 hashsize 64
 		create ss_rules6_dst_bypass hash:net family inet6 hashsize 64
 		create ss_rules6_dst_bypass_all hash:net family inet6 hashsize 64
 		create ss_rules6_dst_bypass_ hash:net family inet6 hashsize 64
 		create ss_rules6_dst_forward hash:net family inet6 hashsize 64
 		create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600
 		$(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
 		$(ss_rules6_ipset_mkadd ss_rules6_dst_bypass_all "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
 		$(ss_rules6_ipset_mkadd ss_rules6_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
 		$(ss_rules6_ipset_mkadd ss_rules6_src_bypass "$o_src_bypass")
 		$(ss_rules6_ipset_mkadd ss_rules6_src_forward "$o_src_forward")
@ -146,7 +148,7 @@ ss_rules6_iptchains_init() {
 ss_rules6_iptchains_init_mark() {
 	ip6tables-restore --noflush <<-EOF
 		*mangle
-		-A PREROUTING -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
+		-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
 		COMMIT
 	EOF
 }
@ -170,6 +172,7 @@ ss_rules6_iptchains_init_tcp() {
 		:ss_rules6_local_out -
 		-I OUTPUT 1 -p tcp -j ss_rules6_local_out
 		-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 		-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 		-A ss_rules6_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
 		-A ss_rules6_local_out -m mark --mark 0x539 -j RETURN
 		-A ss_rules6_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
@ -228,9 +231,11 @@ ss_rules6_iptchains_init_() {
 		:ss_rules6_forward -
 		$(ss_rules6_iptchains_mkprerules "$proto")
 		-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
-		-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass dst -j MARK --set-mark 0x539
+		-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x539
 		-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 		-A ss_rules6_pre_src -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 		-A ss_rules6_pre_src -m mark --mark 0x539 -j RETURN
 		-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
 		-A ss_rules6_dst -m set --match-set ss_rules6_dst_bypass dst -j RETURN
 		-A ss_rules6_pre_src -p $proto $o_ipt_extra -j ss_rules6_src
 		-A ss_rules6_src -m set --match-set ss_rules6_src_bypass src -j RETURN