[LEDE-DEV] [PATCH] shadowsocks-libev:update app and fork github.com/shadowsocks-libev
? ??
yjr0821 at hotmail.com
Fri Jun 9 10:51:08 PDT 2017
Signed-off-by: GrayYip <yjr0821 at hotmail.com>
---
net/shadowsocks-client/Makefile | 39 ---
net/shadowsocks-client/files/sslocal.config | 7 -
net/shadowsocks-client/files/sslocal.init | 52 ----
net/shadowsocks-libev/Makefile | 62 ++--
net/shadowsocks-libev/files/firewall.include | 6 -
.../files/shadowsocks-libev.config | 15 -
net/shadowsocks-libev/files/shadowsocks-libev.init | 306 +++++++++++--------
net/shadowsocks-libev/files/ss-rules | 323 ++++++++++++---------
net/shadowsocks-libev/files/ss-rules-without-ipset | 245 ++++++++++++++++
9 files changed, 635 insertions(+), 420 deletions(-)
delete mode 100644 net/shadowsocks-client/Makefile
delete mode 100644 net/shadowsocks-client/files/sslocal.config
delete mode 100755 net/shadowsocks-client/files/sslocal.init
delete mode 100644 net/shadowsocks-libev/files/firewall.include
delete mode 100644 net/shadowsocks-libev/files/shadowsocks-libev.config
create mode 100644 net/shadowsocks-libev/files/ss-rules-without-ipset
diff --git a/net/shadowsocks-client/Makefile b/net/shadowsocks-client/Makefile
deleted file mode 100644
index 3e8c9be2..00000000
--- a/net/shadowsocks-client/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=shadowsocks-client
-PKG_VERSION:=0.6
-PKG_RELEASE=$(PKG_SOURCE_VERSION)
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/zhao-gang/shadowsocks-tiny.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=b59d754f838213d60b908aed0b7d4d5a81f273e2
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MAINTAINER:=Zhao, Gang <gang.zhao.42 at gmail.com>
-
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=COPYING
-
-PKG_BUILD_PARALLEL:=1
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/shadowsocks-client
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Web Servers/Proxies
- TITLE:=shadowsocks client for router
- URL:=https://github.com/zhao-gang/shadowsocks-tiny
- DEPENDS:=+libopenssl
-endef
-
-define Package/shadowsocks-client/install
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/sslocal $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DATA) ./files/sslocal.config $(1)/etc/config/sslocal
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/sslocal.init $(1)/etc/init.d/sslocal
-endef
-
-$(eval $(call BuildPackage,shadowsocks-client))
diff --git a/net/shadowsocks-client/files/sslocal.config b/net/shadowsocks-client/files/sslocal.config
deleted file mode 100644
index 28dc261a..00000000
--- a/net/shadowsocks-client/files/sslocal.config
+++ /dev/null
@@ -1,7 +0,0 @@
-config sslocal
- option server_addr ''
- option server_port ''
- option local_addr ''
- option local_port ''
- option password ''
- option method ''
diff --git a/net/shadowsocks-client/files/sslocal.init b/net/shadowsocks-client/files/sslocal.init
deleted file mode 100755
index ac845e5f..00000000
--- a/net/shadowsocks-client/files/sslocal.init
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2012 OpenWrt.org
-# Copyright (C) 2014 Zhao, Gang <gang.zhao.42 at gmail.com>
-
-START=99
-
-USE_PROCD=1
-PROG=/usr/bin/sslocal
-
-validate_section_sslocal() {
- uci_validate_section sslocal sslocal "${1}" \
- 'server_addr:host' \
- 'server_port:port' \
- 'local_addr:host' \
- 'local_port:port' \
- 'password:string' \
- 'method:string' \
- 'log_level:range(0,7):5'
-
- return $?
-}
-
-sslocal_instance() {
- local server_addr server_port local_addr local_port
- local password method log_level
-
- validate_section_sslocal "${1}" || {
- echo "validation failed"
- return 1
- }
-
- procd_open_instance
- procd_set_param command "$PROG"
- procd_append_param command -s "${server_addr}" -p "${server_port}"
- procd_append_param command -u "${local_addr}" -b "${local_port}"
- procd_append_param command -k "${password}" -m "${method}"
- procd_append_param command -l "${log_level}"
- procd_set_param respawn
- procd_close_instance
-}
-
-start_service() {
- config_load sslocal
-
- config_foreach sslocal_instance sslocal
-}
-
-service_triggers()
-{
- procd_add_reload_trigger "sslocal"
- procd_add_validation validate_section_sslocal
-}
diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
index 8b512324..2ce6b8af 100644
--- a/net/shadowsocks-libev/Makefile
+++ b/net/shadowsocks-libev/Makefile
@@ -1,8 +1,7 @@
#
-# Copyright (C) 2015 OpenWrt.org
-# Copyright (C) 2017 Yousong Zhou <yszhou4tech at gmail.com>
+# Copyright (C) 2014-2017 Jian Chang <aa65535 at live.com>
#
-# This is free software, licensed under the GNU General Public License v2.
+# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#
@@ -12,13 +11,17 @@ PKG_NAME:=shadowsocks-libev
PKG_VERSION:=3.0.6
PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
-PKG_HASH:=7d9b43b0235a57c115bfe160efd54abef96bffcbfff61c5496e7c2800f0734ca
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+PKG_SOURCE_VERSION:=bc96aed3b0e800f18cf7fc54272e48a22160a554
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz
-PKG_MAINTAINER:=Jian Chang <aa65535 at live.com>
-PKG_LICENSE:=GPLv2
+PKG_LICENSE:=GPLv3
PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Jian Chang <aa65535 at live.com>
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)/$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
@@ -27,48 +30,37 @@ PKG_BUILD_PARALLEL:=1
include $(INCLUDE_DIR)/package.mk
-define Package/shadowsocks-libev
+define Package/shadowsocks-libev/Default
SECTION:=net
CATEGORY:=Network
TITLE:=Lightweight Secured Socks5 Proxy
URL:=https://github.com/shadowsocks/shadowsocks-libev
- DEPENDS:=+libev +libmbedtls +libpthread +libsodium +libudns \
- +ipset +ip +iptables-mod-tproxy +libpcre +zlib
+ DEPENDS:=+libev +libudns +libpcre +libpthread +libsodium +libmbedtls +iptables-mod-tproxy +ipset
endef
+Package/shadowsocks-libev = $(Package/shadowsocks-libev/Default)
+Package/shadowsocks-libev-server = $(Package/shadowsocks-libev/Default)
+
define Package/shadowsocks-libev/description
Shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes.
endef
-define Package/shadowsocks-libev/conffiles
-/etc/config/shadowsocks-libev
-endef
+Package/shadowsocks-libev-server/description = $(Package/shadowsocks-libev/description)
-define Package/shadowsocks-libev/postinst
-#!/bin/sh
-uci -q batch <<-EOF >/dev/null
- delete firewall.shadowsocks_libev
- set firewall.shadowsocks_libev=include
- set firewall.shadowsocks_libev.type=script
- set firewall.shadowsocks_libev.path=/usr/share/shadowsocks-libev/firewall.include
- set firewall.shadowsocks_libev.reload=1
- commit firewall
-EOF
-exit 0
-endef
+CONFIGURE_ARGS += --disable-ssp --disable-documentation --disable-assert
define Package/shadowsocks-libev/install
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin
- $(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev
$(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev
- $(INSTALL_DIR) $(1)/usr/share/shadowsocks-libev
- $(INSTALL_DATA) ./files/firewall.include $(1)/usr/share/shadowsocks-libev/firewall.include
+ $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{local,redir,tunnel} $(1)/usr/bin
+ $(INSTALL_BIN) ./files/ss-{rules,rules-without-ipset} $(1)/usr/bin
endef
-CONFIGURE_ARGS += --disable-documentation
+define Package/shadowsocks-libev-server/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-server $(1)/usr/bin
+endef
$(eval $(call BuildPackage,shadowsocks-libev))
+$(eval $(call BuildPackage,shadowsocks-libev-server))
diff --git a/net/shadowsocks-libev/files/firewall.include b/net/shadowsocks-libev/files/firewall.include
deleted file mode 100644
index 3a00e802..00000000
--- a/net/shadowsocks-libev/files/firewall.include
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-if pidof ss-redir>/dev/null; then
- /etc/init.d/shadowsocks-libev rules
- logger -t ShadowSocks-libev "Reloading ShadowSocks-libev due to restart of firewall"
-fi
diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.config b/net/shadowsocks-libev/files/shadowsocks-libev.config
deleted file mode 100644
index 95aec7b2..00000000
--- a/net/shadowsocks-libev/files/shadowsocks-libev.config
+++ /dev/null
@@ -1,15 +0,0 @@
-
-config shadowsocks-libev
- option enable '1'
- option server '127.0.0.1'
- option server_port '8388'
- option local_port '1080'
- option password 'barfoo!'
- option timeout '60'
- option encrypt_method 'rc4-md5'
- option ignore_list '/dev/null'
- option udp_mode '0'
- option tunnel_enable '1'
- option tunnel_port '5300'
- option tunnel_forward '8.8.4.4:53'
- option lan_ac_mode '0'
diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init
index 9a64038a..b73c8566 100644
--- a/net/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/net/shadowsocks-libev/files/shadowsocks-libev.init
@@ -1,156 +1,212 @@
#!/bin/sh /etc/rc.common
+#
+# Copyright (C) 2014-2017 Jian Chang <aa65535 at live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
START=90
STOP=15
-SERVICE_USE_PID=1
-SERVICE_WRITE_PID=1
-SERVICE_DAEMONIZE=1
-EXTRA_COMMANDS="rules"
-CONFIG_FILE=/var/etc/shadowsocks-libev.json
-
-get_config() {
- config_get_bool enable $1 enable
- config_get server $1 server
- config_get server_port $1 server_port
- config_get local_port $1 local_port
- config_get timeout $1 timeout
- config_get password $1 password
- config_get encrypt_method $1 encrypt_method
- config_get ignore_list $1 ignore_list
- config_get udp_mode $1 udp_mode
- config_get udp_server $1 udp_server
- config_get udp_server_port $1 udp_server_port
- config_get udp_local_port $1 udp_local_port
- config_get udp_timeout $1 udp_timeout
- config_get udp_password $1 udp_password
- config_get udp_encrypt_method $1 udp_encrypt_method
- config_get_bool tunnel_enable $1 tunnel_enable
- config_get tunnel_port $1 tunnel_port
- config_get tunnel_forward $1 tunnel_forward
- config_get lan_ac_mode $1 lan_ac_mode
- config_get lan_ac_ip $1 lan_ac_ip
- config_get wan_bp_ip $1 wan_bp_ip
- config_get wan_fw_ip $1 wan_fw_ip
- config_get ipt_ext $1 ipt_ext
- : ${timeout:=60}
- : ${udp_timeout:=60}
- : ${tunnel_port:=5300}
- : ${tunnel_forward:=8.8.4.4:53}
+NAME=shadowsocks
+EXTRA_COMMANDS=rules
+
+uci_get_by_name() {
+ local ret=$(uci get $NAME.$1.$2 2>/dev/null)
+ echo ${ret:=$3}
}
-start_rules() {
- local ac_args
-
- if [ -n "$lan_ac_ip" ]; then
- case $lan_ac_mode in
- 1) ac_args="w$lan_ac_ip"
- ;;
- 2) ac_args="b$lan_ac_ip"
- ;;
- esac
+uci_get_by_type() {
+ local ret=$(uci get $NAME.@$1[0].$2 2>/dev/null)
+ echo ${ret:=$3}
+}
+
+uci_bool_by_name() {
+ case "$(uci_get_by_name $1 $2)" in
+ 1|on|true|yes|enabled) return 0;;
+ esac
+ return 1
+}
+
+validate_server() {
+ [ "$(uci get $NAME.$1 2>/dev/null)" = "servers" ]
+}
+
+has_valid_server() {
+ for server in $@; do
+ validate_server $server && return 0
+ done
+ return 1
+}
+
+get_arg_udp() {
+ local server=$(uci_get_by_type transparent_proxy udp_relay_server)
+ [ "$server" = "same" ] || validate_server $server && echo "-u"
+}
+
+get_arg_out() {
+ case "$(uci_get_by_type access_control self_proxy 1)" in
+ 1) echo "-o";;
+ 2) echo "-O";;
+ esac
+}
+
+get_arg_tfo() {
+ if [ "3" = "$(cat /proc/sys/net/ipv4/tcp_fastopen 2>/dev/null)" ]; then
+ uci_bool_by_name $1 fast_open && echo "--fast-open"
fi
- /usr/bin/ss-rules \
- -s "$server" \
- -l "$local_port" \
- -S "$udp_server" \
- -L "$udp_local_port" \
- -i "$ignore_list" \
- -a "$ac_args" \
- -b "$wan_bp_ip" \
- -w "$wan_fw_ip" \
- -e "$ipt_ext" \
- -o $udp
- return $?
}
-start_redir() {
- cat <<-EOF >$CONFIG_FILE
+get_server_ips() {
+ echo $(uci_get_by_name $1 server)
+}
+
+get_lan_hosts() {
+ uci_bool_by_name $1 enable && \
+ echo "$(uci_get_by_name $1 type),$(uci_get_by_name $1 host)"
+}
+
+get_plugin_config() {
+ local plugin=$(uci_get_by_name $1 plugin)
+ local plugin_opts=$(uci_get_by_name $1 plugin_opts)
+ if [ -n "$plugin" -a -n "$plugin_opts" ]; then
+ echo $plugin >>/var/run/ss-plugin
+ echo "
+ \"plugin\": \"$plugin\",
+ \"plugin_opts\": \"$plugin_opts\","
+ fi
+}
+
+get_crypto_config() {
+ local key=$(uci_get_by_name $1 key)
+ local password=$(uci_get_by_name $1 password)
+ if [ -n "$key" ]; then
+ echo "\"key\": \"$key\","
+ elif [ -n "$password" ]; then
+ echo "\"password\": \"$password\","
+ else
+ logger -st $NAME -p3 "The password or key is not set."
+ fi
+}
+
+gen_config_file() {
+ local config_file=/var/etc/$NAME.$1.json
+ cat <<-EOF >$config_file
{
- "server": "$server",
- "server_port": $server_port,
- "local_address": "0.0.0.0",
- "local_port": $local_port,
- "password": "$password",
- "timeout": $timeout,
- "method": "$encrypt_method"
+ "server": "$(uci_get_by_name $1 server)",
+ "server_port": $(uci_get_by_name $1 server_port),
+ $(get_crypto_config $1)
+ "method": "$(uci_get_by_name $1 encrypt_method)",
+ "local_address": "0.0.0.0",$(get_plugin_config $1)
+ "timeout": $(uci_get_by_name $1 timeout 60),
+ "reuse_port": true
}
EOF
- if [ "$udp_mode" = 2 ]; then
- /usr/bin/ss-redir \
- -c $CONFIG_FILE \
- -f /var/run/ss-redir_t.pid
- cat <<-EOF >$CONFIG_FILE
- {
- "server": "$udp_server",
- "server_port": $udp_server_port,
- "local_address": "0.0.0.0",
- "local_port": $udp_local_port,
- "password": "$udp_password",
- "timeout": $udp_timeout,
- "method": "$udp_encrypt_method"
- }
-EOF
- fi
- /usr/bin/ss-redir \
- -c $CONFIG_FILE \
- -f /var/run/ss-redir.pid \
- $udp
- return $?
+ echo $config_file
}
-start_tunnel() {
- : ${udp:="-u"}
- /usr/bin/ss-tunnel \
- -c $CONFIG_FILE \
- -l $tunnel_port \
- -L $tunnel_forward \
- -f /var/run/ss-tunnel.pid \
- $udp
- return $?
+start_rules() {
+ config_load $NAME
+ /usr/bin/ss-rules \
+ -s "$(config_foreach get_server_ips servers)" \
+ -l "$(uci_get_by_type transparent_proxy local_port 1234)" \
+ -B "$(uci_get_by_type access_control wan_bp_list)" \
+ -b "$(uci_get_by_type access_control wan_bp_ips)" \
+ -W "$(uci_get_by_type access_control wan_fw_list)" \
+ -w "$(uci_get_by_type access_control wan_fw_ips)" \
+ -I "$(uci_get_by_type access_control lan_ifaces)" \
+ -d "$(uci_get_by_type access_control lan_target)" \
+ -a "$(config_foreach get_lan_hosts lan_hosts)" \
+ -e "$(uci_get_by_type access_control ipt_ext)" \
+ $(get_arg_out) $(get_arg_udp)
}
rules() {
- config_load shadowsocks-libev
- config_foreach get_config shadowsocks-libev
- [ "$enable" = 1 ] || exit 0
- mkdir -p /var/run /var/etc
+ pidof ss-redir >/dev/null || return 0
+ start_rules || /usr/bin/ss-rules -f
+}
- : ${server:?}
- : ${server_port:?}
- : ${local_port:?}
- : ${password:?}
- : ${encrypt_method:?}
- case $udp_mode in
- 1) udp="-u"
- ;;
- 2)
- udp="-U"
- : ${udp_server:?}
- : ${udp_server_port:?}
- : ${udp_local_port:?}
- : ${udp_password:?}
- : ${udp_encrypt_method:?}
- ;;
- esac
+start_redir() {
+ validate_server $1 || return 0
+ ss-redir -c $(gen_config_file $1) $2 $(get_arg_tfo $1) \
+ -l $(uci_get_by_type transparent_proxy local_port 1234) \
+ --mtu $(uci_get_by_type transparent_proxy mtu 1492) \
+ -f /var/run/ss-redir$3-$1.pid
+}
- start_rules
+ss_redir() {
+ command -v ss-redir >/dev/null 2>&1 || return 1
+ local main_server=$(uci_get_by_type transparent_proxy main_server)
+ has_valid_server $main_server || return 1
+ local udp_relay_server=$(uci_get_by_type transparent_proxy udp_relay_server)
+ if [ "$udp_relay_server" = "same" ]; then
+ for server in $main_server; do
+ start_redir $server -u
+ done
+ else
+ for server in $main_server; do
+ start_redir $server
+ done
+ for server in $udp_relay_server; do
+ start_redir $server -U -udp
+ done
+ fi
}
-boot() {
- until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
- sleep 1
+start_local() {
+ validate_server $1 || return 0
+ ss-local -c $(gen_config_file $1) -u $(get_arg_tfo $1) \
+ -l $(uci_get_by_type socks5_proxy local_port 1080) \
+ --mtu $(uci_get_by_type socks5_proxy mtu 1492) \
+ -f /var/run/ss-local-$1.pid
+}
+
+ss_local() {
+ command -v ss-local >/dev/null 2>&1 || return 0
+ for server in $(uci_get_by_type socks5_proxy server); do
+ start_local $server
+ done
+}
+
+start_tunnel() {
+ validate_server $1 || return 0
+ ss-tunnel -c $(gen_config_file $1) -u \
+ -l $(uci_get_by_type port_forward local_port 5300) \
+ -L $(uci_get_by_type port_forward destination 8.8.4.4:53) \
+ --mtu $(uci_get_by_type port_forward mtu 1492) \
+ -f /var/run/ss-tunnel-$1.pid
+}
+
+ss_tunnel() {
+ command -v ss-tunnel >/dev/null 2>&1 || return 0
+ for server in $(uci_get_by_type port_forward server); do
+ start_tunnel $server
done
- start
}
start() {
- rules && start_redir
- [ "$tunnel_enable" = 1 ] && start_tunnel
+ mkdir -p /var/run /var/etc
+ ss_redir && rules
+ ss_local
+ ss_tunnel
+}
+
+boot() {
+ local delay=$(uci_get_by_type general startup_delay 0)
+ (sleep $delay && start >/dev/null 2>&1) &
+ return 0
+}
+
+kill_all() {
+ kill -9 $(pidof $@) >/dev/null 2>&1
}
stop() {
/usr/bin/ss-rules -f
- killall -q -9 ss-redir
- killall -q -9 ss-tunnel
+ kill_all ss-redir ss-local ss-tunnel
+ if [ -f /var/run/ss-plugin ]; then
+ kill_all $(sort -u /var/run/ss-plugin)
+ rm -f /var/run/ss-plugin
+ fi
}
diff --git a/net/shadowsocks-libev/files/ss-rules b/net/shadowsocks-libev/files/ss-rules
index 8ce1000c..8bd7264a 100644
--- a/net/shadowsocks-libev/files/ss-rules
+++ b/net/shadowsocks-libev/files/ss-rules
@@ -1,4 +1,10 @@
#!/bin/sh
+#
+# Copyright (C) 2014-2017 Jian Chang <aa65535 at live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
usage() {
cat <<-EOF
@@ -6,20 +12,28 @@ usage() {
Valid options are:
- -s <server_host> hostname or ip of shadowsocks remote server
+ -s <server_ips> ip address of shadowsocks remote server
-l <local_port> port number of shadowsocks local server
- -i <ip_list_file> a file content is bypassed ip list
- -a <lan_ips> lan ip of access control, need a prefix to
- define access control mode
+ -S <server_ips> ip address of shadowsocks remote UDP server
+ -L <local_port> port number of shadowsocks local UDP server
+ -B <ip_list_file> a file whose content is bypassed ip list
-b <wan_ips> wan ip of will be bypassed
+ -W <ip_list_file> a file whose content is forwarded ip list
-w <wan_ips> wan ip of will be forwarded
- -e <extra_options> extra options for iptables
+ -I <interface> proxy only for the given interface
+ -d <target> the default target of lan access control
+ -a <lan_hosts> lan ip of access control, need a prefix to
+ define proxy type
+ -e <extra_args> extra arguments for iptables
-o apply the rules to the OUTPUT chain
+ -O apply the global rules to the OUTPUT chain
-u enable udprelay mode, TPROXY is required
-U enable udprelay mode, using different IP
and ports for TCP and UDP
-f flush the rules
+ -h show this help message and exit
EOF
+ exit $1
}
loger() {
@@ -27,135 +41,192 @@ loger() {
logger -st ss-rules[$$] -p$1 $2
}
-ipt_n="iptables -t nat"
-ipt_m="iptables -t mangle"
-
-flush_r() {
- local IPT
-
- IPT=$(iptables-save -t nat)
- eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
- sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/')
-
- for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
- $ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1}
- done
-
- IPT=$(iptables-save -t mangle)
- eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
- sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/')
-
- for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
- $ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1}
+flush_rules() {
+ iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c
+ if command -v ip >/dev/null 2>&1; then
+ ip rule del fwmark 1 lookup 100 2>/dev/null
+ ip route del local default dev lo table 100 2>/dev/null
+ fi
+ for setname in $(ipset -n list | grep "ss_spec"); do
+ ipset destroy $setname 2>/dev/null
done
-
- ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
- ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
- ipset -X ss_spec_lan_ac 2>/dev/null
- ipset -X ss_spec_wan_ac 2>/dev/null
+ FWI=$(uci get firewall.shadowsocks.path 2>/dev/null)
+ [ -n "$FWI" ] && echo '# firewall include file' >$FWI
return 0
}
-ipset_r() {
- ipset -! -R <<-EOF || return 1
- create ss_spec_wan_ac hash:net
- $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
- $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
+ipset_init() {
+ ipset -! restore <<-EOF || return 1
+ create ss_spec_src_ac hash:ip hashsize 64
+ create ss_spec_src_bp hash:ip hashsize 64
+ create ss_spec_src_fw hash:ip hashsize 64
+ create ss_spec_dst_sp hash:net hashsize 64
+ create ss_spec_dst_bp hash:net hashsize 64
+ create ss_spec_dst_fw hash:net hashsize 64
+ $(gen_lan_host_ipset_entry)
+ $(gen_special_purpose_ip | sed -e "s/^/add ss_spec_dst_sp /")
+ $(sed -e "s/^/add ss_spec_dst_bp /" ${WAN_BP_LIST:=/dev/null} 2>/dev/null)
+ $(for ip in $WAN_BP_IP; do echo "add ss_spec_dst_bp $ip"; done)
+ $(sed -e "s/^/add ss_spec_dst_fw /" ${WAN_FW_LIST:=/dev/null} 2>/dev/null)
+ $(for ip in $WAN_FW_IP; do echo "add ss_spec_dst_fw $ip"; done)
EOF
- $ipt_n -N SS_SPEC_WAN_AC && \
- $ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \
- $ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
- return $?
+ return 0
}
-fw_rule() {
- $ipt_n -N SS_SPEC_WAN_FW && \
- $ipt_n -A SS_SPEC_WAN_FW -p tcp \
- -j REDIRECT --to-ports $local_port 2>/dev/null || {
- loger 3 "Can't redirect, please check the iptables."
- exit 1
- }
+ipt_nat() {
+ include_ac_rules nat
+ ipt="iptables -t nat"
+ $ipt -A SS_SPEC_WAN_FW -p tcp \
+ -j REDIRECT --to-ports $local_port || return 1
+ if [ -n "$OUTPUT" ]; then
+ $ipt -N SS_SPEC_WAN_DG
+ $ipt -A SS_SPEC_WAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN
+ $ipt -A SS_SPEC_WAN_DG -p tcp $EXT_ARGS -j $OUTPUT
+ $ipt -I OUTPUT 1 -p tcp -j SS_SPEC_WAN_DG
+ fi
return $?
}
-ac_rule() {
- local TAG ROUTECHAIN
-
- if [ -n "$LAN_AC_IP" ]; then
- if [ "${LAN_AC_IP:0:1}" = "w" ]; then
- TAG="nomatch"
- else
- if [ "${LAN_AC_IP:0:1}" != "b" ]; then
- loger 3 "Bad argument \`-a $LAN_AC_IP\`."
- return 2
- fi
- fi
+ipt_mangle() {
+ [ -n "$TPROXY" ] || return 0
+ if !(lsmod | grep -q TPROXY && command -v ip >/dev/null); then
+ loger 4 "TPROXY or ip not found."
+ return 0
fi
+ ip rule add fwmark 1 lookup 100
+ ip route add local default dev lo table 100
+ include_ac_rules mangle
+ iptables -t mangle -A SS_SPEC_WAN_FW -p udp \
+ -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
+ return $?
+}
- ROUTECHAIN=PREROUTING
- if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then
- ROUTECHAIN=zone_lan_prerouting
- fi
+export_ipt_rules() {
+ [ -n "$FWI" ] || return 0
+ cat <<-CAT >>$FWI
+ iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c
+ iptables-restore -n <<-EOF
+ $(iptables-save | grep -E "SS_SPEC|^\*|^COMMIT" |\
+ sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/")
+ EOF
+CAT
+ return $?
+}
+
+gen_lan_host_ipset_entry() {
+ for host in $LAN_HOSTS; do
+ case "${host:0:1}" in
+ n|N)
+ echo add ss_spec_src_ac ${host:2}
+ ;;
+ b|B)
+ echo add ss_spec_src_bp ${host:2}
+ ;;
+ g|G)
+ echo add ss_spec_src_fw ${host:2}
+ ;;
+ esac
+ done
+}
- ipset -! -R <<-EOF || return 1
- create ss_spec_lan_ac hash:net
- $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
+gen_special_purpose_ip() {
+ cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.31.196.0/24
+ 192.52.193.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 192.175.48.0/24
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255
+ $server
+ $SERVER
EOF
- $ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \
- -m set ! --match-set ss_spec_lan_ac src \
- -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+}
- if [ "$OUTPUT" = 1 ]; then
- $ipt_n -A OUTPUT -p tcp $EXT_ARGS \
- -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
- fi
- return $?
+include_ac_rules() {
+ local protocol=$([ "$1" = "mangle" ] && echo udp || echo tcp)
+ iptables-restore -n <<-EOF
+ *$1
+ :SS_SPEC_LAN_DG - [0:0]
+ :SS_SPEC_LAN_AC - [0:0]
+ :SS_SPEC_WAN_AC - [0:0]
+ :SS_SPEC_WAN_FW - [0:0]
+ -A SS_SPEC_LAN_DG -m set --match-set ss_spec_dst_sp dst -j RETURN
+ -A SS_SPEC_LAN_DG -p $protocol $EXT_ARGS -j SS_SPEC_LAN_AC
+ -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_bp src -j RETURN
+ -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_fw src -j SS_SPEC_WAN_FW
+ -A SS_SPEC_LAN_AC -m set --match-set ss_spec_src_ac src -j SS_SPEC_WAN_AC
+ -A SS_SPEC_LAN_AC -j ${LAN_TARGET:=SS_SPEC_WAN_AC}
+ -A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_fw dst -j SS_SPEC_WAN_FW
+ -A SS_SPEC_WAN_AC -m set --match-set ss_spec_dst_bp dst -j RETURN
+ -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
+ $(gen_prerouting_rules $protocol)
+ COMMIT
+EOF
}
-tp_rule() {
- [ -n "$TPROXY" ] || return 0
- ip rule add fwmark 0x01/0x01 table 100
- ip route add local 0.0.0.0/0 dev lo table 100
- $ipt_m -N SS_SPEC_TPROXY
- $ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \
- -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
- $ipt_m -A PREROUTING -p udp $EXT_ARGS \
- -m set ! --match-set ss_spec_lan_ac src \
- -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
- return $?
+gen_prerouting_rules() {
+ [ -z "$IFNAMES" ] && echo -I PREROUTING 1 -p $1 -j SS_SPEC_LAN_DG
+ for ifname in $IFNAMES; do
+ echo -I PREROUTING 1 -i $ifname -p $1 -j SS_SPEC_LAN_DG
+ done
}
-while getopts ":s:l:S:L:i:e:a:b:w:ouUf" arg; do
- case $arg in
+while getopts ":s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh" arg; do
+ case "$arg" in
s)
- server=$OPTARG
+ server=$(for ip in $OPTARG; do echo $ip; done)
;;
l)
local_port=$OPTARG
;;
S)
- SERVER=$OPTARG
+ SERVER=$(for ip in $OPTARG; do echo $ip; done)
;;
L)
LOCAL_PORT=$OPTARG
;;
- i)
- IGNORE=$OPTARG
- ;;
- e)
- EXT_ARGS=$OPTARG
- ;;
- a)
- LAN_AC_IP=$OPTARG
+ B)
+ WAN_BP_LIST=$OPTARG
;;
b)
- WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done)
+ WAN_BP_IP=$OPTARG
+ ;;
+ W)
+ WAN_FW_LIST=$OPTARG
;;
w)
WAN_FW_IP=$OPTARG
;;
+ I)
+ IFNAMES=$OPTARG
+ ;;
+ d)
+ LAN_TARGET=$OPTARG
+ ;;
+ a)
+ LAN_HOSTS=$OPTARG
+ ;;
+ e)
+ EXT_ARGS=$OPTARG
+ ;;
o)
- OUTPUT=1
+ OUTPUT=SS_SPEC_WAN_AC
+ ;;
+ O)
+ OUTPUT=SS_SPEC_WAN_FW
;;
u)
TPROXY=1
@@ -164,56 +235,26 @@ while getopts ":s:l:S:L:i:e:a:b:w:ouUf" arg; do
TPROXY=2
;;
f)
- flush_r
+ flush_rules
exit 0
;;
+ h)
+ usage 0
+ ;;
esac
done
-if [ -z "$server" -o -z "$local_port" ]; then
- usage
- exit 2
-fi
+[ -z "$server" -o -z "$local_port" ] && usage 2
if [ "$TPROXY" = 1 ]; then
- SERVER=$server
+ unset SERVER
LOCAL_PORT=$local_port
+elif [ "$TPROXY" = 2 ]; then
+ : ${SERVER:?"You must assign an ip for the udp relay server."}
+ : ${LOCAL_PORT:?"You must assign a port for the udp relay server."}
fi
-if [ "$TPROXY" = 2 ]; then
- if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
- loger 3 "Please use -S and -L specifies IP and port for UDP."
- fi
-fi
-
-if [ -f "$IGNORE" ]; then
- IGNORE_IP=$(cat $IGNORE 2>/dev/null)
-fi
-
-IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
- $server
- $SERVER
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- 255.255.255.255
- $WAN_BP_IP
- $IGNORE_IP
-EOF
-)
-
-flush_r && fw_rule && ipset_r && ac_rule && tp_rule
-
-exit $?
+flush_rules && ipset_init && ipt_nat && ipt_mangle && export_ipt_rules
+RET=$?
+[ "$RET" = 0 ] || loger 3 "Start failed!"
+exit $RET
diff --git a/net/shadowsocks-libev/files/ss-rules-without-ipset b/net/shadowsocks-libev/files/ss-rules-without-ipset
new file mode 100644
index 00000000..df35ee65
--- /dev/null
+++ b/net/shadowsocks-libev/files/ss-rules-without-ipset
@@ -0,0 +1,245 @@
+#!/bin/sh
+#
+# Copyright (C) 2016-2017 Jian Chang <aa65535 at live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+
+# Warning: This script will be slow!
+
+usage() {
+ cat <<-EOF
+ Usage: ss-rules [options]
+
+ Valid options are:
+
+ -s <server_ips> ip address of shadowsocks remote server
+ -l <local_port> port number of shadowsocks local server
+ -S <server_ips> ip address of shadowsocks remote UDP server
+ -L <local_port> port number of shadowsocks local UDP server
+ -B <ip_list_file> a file whose content is bypassed ip list
+ -b <wan_ips> wan ip of will be bypassed
+ -W <ip_list_file> a file whose content is forwarded ip list
+ -w <wan_ips> wan ip of will be forwarded
+ -I <interface> proxy only for the given interface
+ -d <target> the default target of lan access control
+ -a <lan_hosts> lan ip of access control, need a prefix to
+ define proxy type
+ -e <extra_args> extra arguments for iptables
+ -o apply the rules to the OUTPUT chain
+ -O apply the global rules to the OUTPUT chain
+ -u enable udprelay mode, TPROXY is required
+ -U enable udprelay mode, using different IP
+ and ports for TCP and UDP
+ -f flush the rules
+ -h show this help message and exit
+EOF
+ exit $1
+}
+
+loger() {
+ # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
+ logger -st ss-rules[$$] -p$1 $2
+}
+
+flush_rules() {
+ iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c
+ if command -v ip >/dev/null 2>&1; then
+ ip rule del fwmark 1 lookup 100 2>/dev/null
+ ip route del local default dev lo table 100 2>/dev/null
+ fi
+ FWI=$(uci get firewall.shadowsocks.path 2>/dev/null)
+ [ -n "$FWI" ] && echo '# firewall include file' >$FWI
+ return 0
+}
+
+ipt_nat() {
+ include_ac_rules nat
+ ipt="iptables -t nat"
+ $ipt -A SS_SPEC_WAN_FW -p tcp \
+ -j REDIRECT --to-ports $local_port || return 1
+ if [ -n "$OUTPUT" ]; then
+ iptables-restore -n <<-EOF
+ *nat
+ :SS_SPEC_WAN_DG - [0:0]
+ $(gen_special_purpose_ip | sed -e "s/\(.*\)/-A SS_SPEC_WAN_DG -d \1 -j RETURN/")
+ -A SS_SPEC_WAN_DG -p tcp $EXT_ARGS -j $OUTPUT
+ -I OUTPUT 1 -p tcp -j SS_SPEC_WAN_DG
+ COMMIT
+EOF
+ fi
+ return $?
+}
+
+ipt_mangle() {
+ [ -n "$TPROXY" ] || return 0
+ if !(lsmod | grep -q TPROXY && command -v ip >/dev/null); then
+ loger 4 "TPROXY or ip not found."
+ return 0
+ fi
+ ip rule add fwmark 1 lookup 100
+ ip route add local default dev lo table 100
+ include_ac_rules mangle
+ iptables -t mangle -A SS_SPEC_WAN_FW -p udp \
+ -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
+ return $?
+}
+
+export_ipt_rules() {
+ [ -n "$FWI" ] || return 0
+ cat <<-CAT >>$FWI
+ iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c
+ iptables-restore -n <<-EOF
+ $(iptables-save | grep -E "SS_SPEC|^\*|^COMMIT" |\
+ sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/")
+ EOF
+CAT
+ return $?
+}
+
+gen_lan_host_ipt_entry() {
+ for host in $LAN_HOSTS; do
+ case "${host:0:1}" in
+ n|N)
+ echo "3-A SS_SPEC_LAN_AC -s ${host:2} -j SS_SPEC_WAN_AC"
+ ;;
+ b|B)
+ echo "1-A SS_SPEC_LAN_AC -s ${host:2} -j RETURN"
+ ;;
+ g|G)
+ echo "2-A SS_SPEC_LAN_AC -s ${host:2} -j SS_SPEC_WAN_FW"
+ ;;
+ esac
+ done
+}
+
+gen_special_purpose_ip() {
+ cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.31.196.0/24
+ 192.52.193.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 192.175.48.0/24
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255
+ $server
+ $SERVER
+EOF
+}
+
+include_ac_rules() {
+ local protocol=$([ "$1" = "mangle" ] && echo udp || echo tcp)
+ iptables-restore -n <<-EOF
+ *$1
+ :SS_SPEC_LAN_DG - [0:0]
+ :SS_SPEC_LAN_AC - [0:0]
+ :SS_SPEC_WAN_AC - [0:0]
+ :SS_SPEC_WAN_FW - [0:0]
+ $(gen_special_purpose_ip | sed -e "s/\(.*\)/-A SS_SPEC_LAN_DG -d \1 -j RETURN/")
+ -A SS_SPEC_LAN_DG -p $protocol $EXT_ARGS -j SS_SPEC_LAN_AC
+ $(gen_lan_host_ipt_entry | sort | sed -e s/^.//)
+ -A SS_SPEC_LAN_AC -j ${LAN_TARGET:=SS_SPEC_WAN_AC}
+ $(sed -e "s/\(.*\)/-A SS_SPEC_WAN_AC -d \1 -j SS_SPEC_WAN_FW/" ${WAN_FW_LIST:=/dev/null} 2>/dev/null)
+ $(for ip in $WAN_FW_IP; do echo "-A SS_SPEC_WAN_AC -d $ip -j SS_SPEC_WAN_FW"; done)
+ $(sed -e "s/\(.*\)/-A SS_SPEC_WAN_AC -d \1 -j RETURN/" ${WAN_BP_LIST:=/dev/null} 2>/dev/null)
+ $(for ip in $WAN_BP_IP; do echo "-A SS_SPEC_WAN_AC -d $ip -j RETURN"; done)
+ -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
+ $(gen_prerouting_rules $protocol)
+ COMMIT
+EOF
+}
+
+gen_prerouting_rules() {
+ [ -z "$IFNAMES" ] && echo -I PREROUTING 1 -p $1 -j SS_SPEC_LAN_DG
+ for ifname in $IFNAMES; do
+ echo -I PREROUTING 1 -i $ifname -p $1 -j SS_SPEC_LAN_DG
+ done
+}
+
+while getopts ":s:l:S:L:B:b:W:w:I:d:a:e:oOuUfh" arg; do
+ case "$arg" in
+ s)
+ server=$(for ip in $OPTARG; do echo $ip; done)
+ ;;
+ l)
+ local_port=$OPTARG
+ ;;
+ S)
+ SERVER=$(for ip in $OPTARG; do echo $ip; done)
+ ;;
+ L)
+ LOCAL_PORT=$OPTARG
+ ;;
+ B)
+ WAN_BP_LIST=$OPTARG
+ ;;
+ b)
+ WAN_BP_IP=$OPTARG
+ ;;
+ W)
+ WAN_FW_LIST=$OPTARG
+ ;;
+ w)
+ WAN_FW_IP=$OPTARG
+ ;;
+ I)
+ IFNAMES=$OPTARG
+ ;;
+ d)
+ LAN_TARGET=$OPTARG
+ ;;
+ a)
+ LAN_HOSTS=$OPTARG
+ ;;
+ e)
+ EXT_ARGS=$OPTARG
+ ;;
+ o)
+ OUTPUT=SS_SPEC_WAN_AC
+ ;;
+ O)
+ OUTPUT=SS_SPEC_WAN_FW
+ ;;
+ u)
+ TPROXY=1
+ ;;
+ U)
+ TPROXY=2
+ ;;
+ f)
+ flush_rules
+ exit 0
+ ;;
+ h)
+ usage 0
+ ;;
+ esac
+done
+
+[ -z "$server" -o -z "$local_port" ] && usage 2
+
+if [ "$TPROXY" = 1 ]; then
+ unset SERVER
+ LOCAL_PORT=$local_port
+elif [ "$TPROXY" = 2 ]; then
+ : ${SERVER:?"You must assign an ip for the udp relay server."}
+ : ${LOCAL_PORT:?"You must assign a port for the udp relay server."}
+fi
+
+flush_rules && ipt_nat && ipt_mangle && export_ipt_rules
+RET=$?
+[ "$RET" = 0 ] || loger 3 "Start failed!"
+exit $RET
--
2.13.0
More information about the Lede-dev
mailing list