Add MPTCP support to shadowsocks

shadowsocks-libev/files/firewall.ss-rules

@@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/shadowsocks-libev reload

shadowsocks-libev/files/shadowsocks-libev.config

@@ -0,0 +1,33 @@
+config ss_redir hi
+	option disabled 1
+	option server 'sss0'
+	option local_address '0.0.0.0'
+	option local_port '1100'
+	option mode 'tcp_and_udp'
+	option timeout '60'
+	option fast_open 1
+	option verbose 1
+	option reuse_port 1
+	option mptcp 1
+
+config ss_rules 'ss_rules'
+	option disabled 1
+	option redir_tcp 'hi'
+	option redir_udp 'hi'
+	option src_default 'forward'
+	option dst_default 'forward'
+	option local_default 'forward'
+	list dst_ips_forward '8.8.8.8'
+
+config server 'sss0'
+	option disabled 1
+	option server '192.168.1.3'
+	option server_port '65101'
+	option password '********'
+	option method 'aes-256-cfb'
+
+config ss_tunnel 'dns'
+	option mode 'tcp_and_udp'
+	option server 'sss0'
+	option local_port '5353'
+	option tunnel_address '8.8.8.8:53'

shadowsocks-libev/files/shadowsocks-libev.init

@@ -0,0 +1,321 @@
+#!/bin/sh /etc/rc.common
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+
+USE_PROCD=1
+START=99
+
+ss_confdir=/var/etc/shadowsocks-libev
+ss_bindir=/usr/bin
+q='"'
+
+ss_mkjson() {
+	echo "{" >"$confjson"
+	if ss_mkjson_ "$@" >>$confjson; then
+		sed -i -e '/^\s*$/d' -e '2,$s/^/\t/' -e '$s/,$//' "$confjson"
+		echo "}" >>"$confjson"
+	else
+		rm -f "$confjson"
+		return 1
+	fi
+}
+
+ss_mkjson_() {
+	local func
+
+	for func in "$@"; do
+		"$func" || return 1
+	done
+}
+
+ss_mkjson_server_conf() {
+	local cfgserver
+
+	config_get cfgserver "$cfg" server
+	[ -n "$cfgserver" ] || return 1
+	eval "$(validate_server_section "$cfg" ss_validate_mklocal)"
+	validate_server_section "$cfgserver" || return 1
+	[ "$disabled" = 0 ] || return 1
+	ss_mkjson_server_conf_ "$cfgserver"
+}
+
+ss_mkjson_server_conf_() {
+	[ -n "$server_port" ] || return 1
+	password="${password//\"/\\\"}"
+	cat <<-EOF
+		${server:+${q}server${q}: ${q}$server${q},}
+		"server_port": $server_port,
+		${method:+${q}method${q}: ${q}$method${q},}
+		${key:+${q}key${q}: ${q}$key${q},}
+		${password:+${q}password${q}: ${q}$password${q},}
+	EOF
+}
+
+ss_mkjson_common_conf() {
+	[ "$ipv6_first" = 0 ] && ipv6_first=false || ipv6_first=true
+	[ "$fast_open" = 0 ] && fast_open=false || fast_open=true
+	[ "$reuse_port" = 0 ] && reuse_port=false || reuse_port=true
+	[ "$mptcp" = 0 ] && mptcp=false || mptcp=true
+	cat <<-EOF
+		"use_syslog": true,
+		"ipv6_first": $ipv6_first,
+		"fast_open": $fast_open,
+		"mptcp": $mptcp,
+		"reuse_port": $reuse_port,
+		${local_address:+${q}local_address${q}: ${q}$local_address${q},}
+		${local_port:+${q}local_port${q}: $local_port,}
+		${mode:+${q}mode${q}: ${q}$mode${q},}
+		${mtu:+${q}mtu${q}: $mtu,}
+		${timeout:+${q}timeout${q}: $timeout,}
+		${user:+${q}user${q}: ${q}$user${q},}
+	EOF
+}
+
+ss_mkjson_ss_local_conf() {
+	ss_mkjson_server_conf
+}
+
+ss_mkjson_ss_redir_conf() {
+	ss_mkjson_server_conf || return 1
+	[ "$disable_sni" = 0 ] && disable_sni=false || disable_sni=true
+	cat <<-EOF
+		"disable_sni": $disable_sni,
+	EOF
+}
+
+ss_mkjson_ss_server_conf() {
+	ss_mkjson_server_conf_
+}
+
+ss_mkjson_ss_tunnel_conf() {
+	ss_mkjson_server_conf || return 1
+	[ -n "$tunnel_address" ] || return 1
+	cat <<-EOF
+		${tunnel_address:+${q}tunnel_address${q}: ${q}$tunnel_address${q},}
+	EOF
+}
+
+ss_xxx() {
+	local cfg="$1"
+	local cfgtype="$2"
+	local bin="$ss_bindir/${cfgtype/_/-}"
+	local confjson="$ss_confdir/$cfgtype.$cfg.json"
+
+	[ -x "$bin" ] || return
+	eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)"
+	"validate_${cfgtype}_section" "$cfg" || return 1
+	[ "$disabled" = 0 ] || return
+
+	if ss_mkjson \
+			ss_mkjson_common_conf \
+			ss_mkjson_${cfgtype}_conf \
+			; then
+		procd_open_instance "$cfgtype.$cfg"
+		procd_set_param command "$bin" -c "$confjson"
+		[ "$verbose" = 0 ] || procd_append_param command -v
+		[ "$no_delay" = 0 ] || procd_append_param command --no-delay
+		[ -z "$bind_address" ] || procd_append_param command -b "$bind_address"
+		[ -z "$manager_address" ] || procd_append_param command --manager-address "$manager_address"
+		procd_set_param file "$confjson"
+		procd_set_param limits nofile="51200 51200"
+		procd_set_param respawn
+		procd_close_instance
+		ss_rules_cb
+	fi
+}
+
+ss_rules_cb() {
+	local cfgserver server
+
+	if [ "$cfgtype" = ss_redir ]; then
+		config_get cfgserver "$cfg" server
+		config_get server "$cfgserver" server
+		ss_redir_servers="$ss_redir_servers $server"
+		if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then
+			eval "ss_rules_redir_tcp_$cfg=$local_port"
+		fi
+		if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then
+			eval "ss_rules_redir_udp_$cfg=$local_port"
+		fi
+	fi
+}
+
+ss_rules() {
+	local cfg="ss_rules"
+	local bin="$ss_bindir/ss-rules"
+	local cfgtype
+	local local_port_tcp local_port_udp
+	local args
+
+	[ -x "$bin" ] || return 1
+	config_get cfgtype "$cfg" TYPE
+	[ "$cfgtype" = ss_rules ] || return 1
+
+	eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
+	validate_ss_rules_section "$cfg" || return 1
+	[ "$disabled" = 0 ] || return 1
+
+	eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
+	eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
+	[ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
+	ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
+	[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
+
+	"$bin" \
+			-s "$ss_redir_servers" \
+			-l "$local_port_tcp" \
+			-L "$local_port_udp" \
+			--src-default "$src_default" \
+			--dst-default "$dst_default" \
+			--local-default "$local_default" \
+			--dst-bypass-file "$dst_ips_bypass_file" \
+			--dst-forward-file "$dst_ips_forward_file" \
+			--dst-bypass "$dst_ips_bypass" \
+			--dst-forward "$dst_ips_forward" \
+			--src-bypass "$src_ips_bypass" \
+			--src-forward "$src_ips_forward" \
+			--src-checkdst "$src_ips_checkdst" \
+			--ifnames "$ifnames" \
+			--ipt-extra "$ipt_args" \
+			$args \
+		|| "$bin" -f
+}
+
+start_service() {
+	local cfgtype
+
+	mkdir -p "$ss_confdir"
+	config_load shadowsocks-libev
+	for cfgtype in ss_local ss_redir ss_server ss_tunnel; do
+		config_foreach ss_xxx "$cfgtype" "$cfgtype"
+	done
+	ss_rules
+}
+
+stop_service() {
+	local bin="$ss_bindir/ss-rules"
+
+	[ -x "$bin" ] && "$bin" -f
+	rm -rf "$ss_confdir"
+}
+
+service_triggers() {
+	procd_add_reload_interface_trigger wan
+	procd_add_reload_trigger shadowsocks-libev
+	procd_open_validate
+	validate_server_section
+	validate_ss_local_section
+	validate_ss_redir_section
+	validate_ss_rules_section
+	validate_ss_server_section
+	validate_ss_tunnel_section
+	procd_close_validate
+}
+
+ss_validate_mklocal() {
+	local tuple opts
+
+	shift 2
+	for tuple in "$@"; do
+		opts="${tuple%%:*} $opts"
+	done
+	[ -z "$opts" ] || echo "local $opts"
+}
+
+ss_validate() {
+	uci_validate_section shadowsocks-libev "$@"
+}
+
+validate_common_server_options_() {
+	local cfgtype="$1"; shift
+	local cfg="$1"; shift
+	local func="$1"; shift
+	local stream_methods='"table", "rc4", "rc4-md5", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb", "aes-128-ctr", "aes-192-ctr", "aes-256-ctr", "bf-cfb", "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb", "salsa20", "chacha20", "chacha20-ietf"'
+	local aead_methods='"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"'
+
+	"${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
+		'disabled:bool:0' \
+		'server:host' \
+		'server_port:port' \
+		'password:string' \
+		'key:string' \
+		"method:or($stream_methods, $aead_methods)"
+}
+
+validate_common_client_options_() {
+	validate_common_options_ "$@" \
+		'server:uci("shadowsocks-libev", "@server")' \
+		'local_address:host:0.0.0.0' \
+		'local_port:port'
+}
+
+validate_common_options_() {
+	local cfgtype="$1"; shift
+	local cfg="$1"; shift
+	local func="$1"; shift
+
+	"${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
+		'disabled:bool:0' \
+		'fast_open:bool:0' \
+		'ipv6_first:bool:0' \
+		'no_delay:bool:0' \
+		'reuse_port:bool:0' \
+		'mptcp:bool:0' \
+		'verbose:bool:0' \
+		'mode:or("tcp_only", "udp_only", "tcp_and_udp"):tcp_only' \
+		'mtu:uinteger' \
+		'timeout:uinteger' \
+		'user:string'
+}
+
+validate_server_section() {
+	validate_common_server_options_ server "$1" "${2}"
+}
+
+validate_ss_local_section() {
+	validate_common_client_options_ ss_local "$1" "${2}"
+}
+
+validate_ss_redir_section() {
+	validate_common_client_options_ ss_redir "$1" \
+		"${2}" \
+		'disable_sni:bool:0'
+}
+
+validate_ss_rules_section() {
+	"${2:-ss_validate}" ss_rules "$1" \
+		'disabled:bool:0' \
+		'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \
+		'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \
+		'src_ips_bypass:or(ip4addr,cidr4)' \
+		'src_ips_forward:or(ip4addr,cidr4)' \
+		'src_ips_checkdst:or(ip4addr,cidr4)' \
+		'dst_ips_bypass_file:file' \
+		'dst_ips_bypass:or(ip4addr,cidr4)' \
+		'dst_ips_forward_file:file' \
+		'dst_ips_forward:or(ip4addr,cidr4)' \
+		'src_default:or("bypass", "forward", "checkdst"):checkdst' \
+		'dst_default:or("bypass", "forward"):bypass' \
+		'local_default:or("bypass", "forward", "checkdst"):bypass' \
+		'dst_forward_recentrst:bool:0' \
+		'ifnames:maxlength(15)' \
+		'ipt_args:string'
+}
+
+validate_ss_server_section() {
+	validate_common_server_options_ ss_server "$1" \
+		validate_common_options_ \
+		"${2}" \
+		'bind_address:ipaddr' \
+		'manager_address:host'
+}
+
+validate_ss_tunnel_section() {
+	validate_common_client_options_ ss_tunnel "$1" \
+		"${2}" \
+		'tunnel_address:regex(".+\:[0-9]+")'
+}

shadowsocks-libev/files/shadowsocks.track

@@ -0,0 +1,50 @@
+#!/bin/sh
+# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
+
+name=$0
+basename="$(basename $0)"
+
+usage() {
+	printf "Usage: %s: [-t TIMEOUT] [-v INTERVAL] [ -r RETRY ] HOST\n" "${name}"
+	exit 2
+}
+
+log() {
+	logger -p daemon.info -t "${basename}" "$@"
+}
+
+uri="ping"
+timeout=5
+interval=1
+retry=0
+
+while getopts "t:v:r:" opt; do
+	case $opt in
+		t) timeout="${OPTARG}";;
+		v) interval="${OPTARG}";;
+		r) retry="${OPTARG}";;
+		*) usage;;
+	esac
+done
+
+shift $((OPTIND - 1))
+
+[ -z "$1" ] && usage
+
+last=0
+
+log "Starting..."
+
+while true; do
+	if curl -s --max-time "${timeout}" --retry "${retry}" "$1/${uri}" &>/dev/null ; then
+		[ ${last} = 0 ] && log "Shadowsocks is up"
+		/etc/init.d/shadowsocks ifup 2> /dev/null
+		last=1
+	else
+		[ ${last} = 1 ] && log "Shadowsocks is down"
+		/etc/init.d/shadowsocks ifdown 2> /dev/null
+		last=0
+	fi
+
+	sleep "${interval}"
+done

shadowsocks-libev/files/ss-rules

@@ -0,0 +1,264 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+#
+# The design idea was derived from ss-rules by Jian Chang <aa65535@live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+
+ss_rules_usage() {
+	cat >&2 <<EOF
+Usage: ss-rules [options]
+
+	-h, --help      Show this help message then exit
+	-f, --flush     Flush rules, ipset then exit
+	-l <port>       Local port number of ss-redir with TCP mode
+	-L <port>       Local port number of ss-redir with UDP mode
+	-s <ips>        List of ip addresses of remote shadowsocks server
+	--ifnames       Only apply rules on packets from these ifnames
+	--src-bypass <ips|cidr>
+	--src-forward <ips|cidr>
+	--src-checkdst <ips|cidr>
+	--src-default <bypass|forward|checkdst>
+	                Packets will have their src ip checked in order against
+	                bypass, forward, checkdst list and will bypass, forward
+	                through, or continue to have their dst ip checked
+	                respectively on the first match.  Otherwise, --src-default
+	                decide the default action
+	--dst-bypass <ips|cidr>
+	--dst-forward <ips|cidr>
+	--dst-bypass-file <file>
+	--dst-forward-file <file>
+	--dst-default <bypass|forward>
+	                Same as with their --src-xx equivalent
+	--dst-forward-recentrst
+	                Forward those packets whose destinations have recently
+	                sent to us multiple tcp-rst packets
+	--local-default <bypass|forward|checkdst>
+	                Default action for local out TCP traffic
+
+The following ipsets will be created by ss-rules.  They are also intended to be
+populated by other programs like dnsmasq with ipset support
+
+	ss_rules_src_bypass
+	ss_rules_src_forward
+	ss_rules_src_checkdst
+	ss_rules_dst_bypass
+	ss_rules_dst_forward
+EOF
+}
+
+o_dst_bypass_="
+	0.0.0.0/8
+	10.0.0.0/8
+	100.64.0.0/10
+	127.0.0.0/8
+	169.254.0.0/16
+	172.16.0.0/12
+	192.0.0.0/24
+	192.0.2.0/24
+	192.31.196.0/24
+	192.52.193.0/24
+	192.88.99.0/24
+	192.168.0.0/16
+	192.175.48.0/24
+	198.18.0.0/15
+	198.51.100.0/24
+	203.0.113.0/24
+	224.0.0.0/4
+	240.0.0.0/4
+	255.255.255.255
+"
+o_src_default=bypass
+o_dst_default=bypass
+o_local_default=bypass
+
+__errmsg() {
+	echo "ss-rules: $*" >&2
+}
+
+ss_rules_parse_args() {
+	while [ "$#" -gt 0 ]; do
+		case "$1" in
+			-h|--help) ss_rules_usage; exit 0;;
+			-f|--flush) ss_rules_flush; exit 0;;
+			-l) o_redir_tcp_port="$2"; shift 2;;
+			-L) o_redir_udp_port="$2"; shift 2;;
+			-s) o_remote_servers="$2"; shift 2;;
+			--ifnames) o_ifnames="$2"; shift 2;;
+			--ipt-extra) o_ipt_extra="$2"; shift 2;;
+			--src-default) o_src_default="$2"; shift 2;;
+			--dst-default) o_dst_default="$2"; shift 2;;
+			--local-default) o_local_default="$2"; shift 2;;
+			--src-bypass) o_src_bypass="$2"; shift 2;;
+			--src-forward) o_src_forward="$2"; shift 2;;
+			--src-checkdst) o_src_checkdst="$2"; shift 2;;
+			--dst-bypass) o_dst_bypass="$2"; shift 2;;
+			--dst-forward) o_dst_forward="$2"; shift 2;;
+			--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
+			--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
+			--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
+			*) __errmsg "unknown option $1"; return 1;;
+		esac
+	done
+
+	if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then
+		__errmsg "Requires at least -l or -L option"
+		return 1
+	fi
+	if [ -n "$o_dst_forward_recentrst" ] && ! iptables -m recent -h >/dev/null; then
+		__errmsg "Please install iptables-mod-conntrack-extra with opkg"
+		return 1
+	fi
+	o_remote_servers="$(for s in $o_remote_servers; do resolveip -4 "$s"; done)"
+}
+
+ss_rules_flush() {
+	local setname
+
+	iptables-save --counters | grep -v ss_rules_ | iptables-restore --counters
+	while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+	ip route flush table 100
+	for setname in $(ipset -n list | grep "ss_rules_"); do
+		ipset destroy "$setname" 2>/dev/null || true
+	done
+}
+
+ss_rules_ipset_init() {
+	ipset --exist restore <<-EOF
+		create ss_rules_src_bypass hash:net hashsize 64
+		create ss_rules_src_forward hash:net hashsize 64
+		create ss_rules_src_checkdst hash:net hashsize 64
+		create ss_rules_dst_bypass hash:net hashsize 64
+		create ss_rules_dst_bypass_ hash:net hashsize 64
+		create ss_rules_dst_forward hash:net hashsize 64
+		create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
+		$(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+		$(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
+		$(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
+		$(ss_rules_ipset_mkadd ss_rules_src_checkdst "$o_src_checkdst")
+		$(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)")
+		$(ss_rules_ipset_mkadd ss_rules_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)")
+	EOF
+}
+
+ss_rules_ipset_mkadd() {
+	local setname="$1"; shift
+	local i
+
+	for i in $*; do
+		echo "add $setname $i"
+	done
+}
+
+ss_rules_iptchains_init() {
+	ss_rules_iptchains_init_tcp
+	ss_rules_iptchains_init_udp
+}
+
+ss_rules_iptchains_init_tcp() {
+	local local_target
+
+	[ -n "$o_redir_tcp_port" ] || return 0
+
+	ss_rules_iptchains_init_ nat tcp
+
+	case "$o_local_default" in
+		checkdst) local_target=ss_rules_dst ;;
+		forward) local_target=ss_rules_forward ;;
+		bypass|*) return 0;;
+	esac
+
+	iptables-restore --noflush <<-EOF
+		*nat
+		:ss_rules_local_out -
+		-I OUTPUT 1 -p tcp -j ss_rules_local_out
+		-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
+		-A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+		COMMIT
+	EOF
+}
+
+ss_rules_iptchains_init_udp() {
+	[ -n "$o_redir_udp_port" ] || return 0
+	ss_rules_iptchains_init_ mangle udp
+}
+
+ss_rules_iptchains_init_() {
+	local table="$1"
+	local proto="$2"
+	local forward_rules
+	local src_default_target dst_default_target
+	local recentrst_mangle_rules recentrst_addset_rules
+
+	case "$proto" in
+		tcp)
+			forward_rules="-A ss_rules_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
+			if [ -n "$o_dst_forward_recentrst" ]; then
+				recentrst_mangle_rules="
+					*mangle
+					-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules_recentrst --set --rsource
+					COMMIT
+				"
+				recentrst_addset_rules="
+					-A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
+					-A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward
+				"
+			fi
+			;;
+		udp)
+			ip rule add fwmark 1 lookup 100
+			ip route add local default dev lo table 100
+			forward_rules="-A ss_rules_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
+			;;
+	esac
+	case "$o_src_default" in
+		forward) src_default_target=ss_rules_forward ;;
+		checkdst) src_default_target=ss_rules_dst ;;
+		bypass|*) src_default_target=RETURN ;;
+	esac
+	case "$o_dst_default" in
+		forward) dst_default_target=ss_rules_forward ;;
+		bypass|*) dst_default_target=RETURN ;;
+	esac
+	sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | iptables-restore --noflush
+		*$table
+		:ss_rules_pre_src -
+		:ss_rules_src -
+		:ss_rules_dst -
+		:ss_rules_forward -
+		$(ss_rules_iptchains_mkprerules "$proto")
+		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
+		-A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
+		-A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
+		-A ss_rules_src -m set --match-set ss_rules_src_forward src -j ss_rules_forward
+		-A ss_rules_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_dst
+		-A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
+		-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
+		-A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward
+		$recentrst_addset_rules
+		-A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+		$forward_rules
+		COMMIT
+		$recentrst_mangle_rules
+	EOF
+}
+
+ss_rules_iptchains_mkprerules() {
+	local proto="$1"
+
+	if [ -z "$o_ifnames" ]; then
+		echo "-I PREROUTING 1 -p $proto -j ss_rules_pre_src"
+	else
+		echo $o_ifnames \
+			| tr ' ' '\n' \
+			| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j ss_rules_pre_src/"
+	fi
+}
+
+ss_rules_parse_args "$@"
+ss_rules_flush
+ss_rules_ipset_init
+ss_rules_iptchains_init

shadowsocks-libev/files/ss-rules.defaults

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+s=firewall.ss_rules
+uci get "$s" >/dev/null && exit 0
+uci batch <<-EOF
+	set $s=include
+	set $s.path=/etc/firewall.ss-rules
+	set $s.reload=1
+	commit firewall
+EOF