From bca6eee16db38b4ad466e19c20d0441e3caf20a3 Mon Sep 17 00:00:00 2001 From: CN_SZTL Date: Sun, 8 Mar 2020 15:21:16 +0800 Subject: [PATCH] luci-app-vssr: sync with upstream source --- package/ctcgfw/luci-app-vssr/Makefile | 4 +- .../luasrc/model/cbi/vssr/client-config.lua | 7 + .../luasrc/model/cbi/vssr/client.lua | 16 +- .../ctcgfw/luci-app-vssr/root/etc/init.d/vssr | 417 +++++++----------- .../luci-app-vssr/root/usr/bin/vssr-rules | 410 +++++++++-------- .../root/usr/share/vssr/gentrojanconfig.lua | 58 +-- 6 files changed, 405 insertions(+), 507 deletions(-) diff --git a/package/ctcgfw/luci-app-vssr/Makefile b/package/ctcgfw/luci-app-vssr/Makefile index ec01111af8..b97f387830 100644 --- a/package/ctcgfw/luci-app-vssr/Makefile +++ b/package/ctcgfw/luci-app-vssr/Makefile @@ -1,8 +1,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-vssr -PKG_VERSION:=1.19 -PKG_RELEASE:=20200307-4 +PKG_VERSION:=1.20 +PKG_RELEASE:=20200308-4 PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Shadowsocks \ CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_V2ray \ diff --git a/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client-config.lua b/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client-config.lua index dc3bbb9bc0..a4708735c2 100644 --- a/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client-config.lua +++ b/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client-config.lua @@ -329,6 +329,13 @@ o = s:option(Flag, "tls", translate("TLS")) o.rmempty = true o.default = "0" o:depends("type", "v2ray") +o:depends("type", "trojan") + +o = s:option(Value, "tls_host", translate("TLS Host")) +--o:depends("type", "trojan") +o:depends("tls", "1") +o.rmempty = true + -- [[ Mux ]]-- o = s:option(Flag, "mux", translate("Mux")) diff --git a/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client.lua b/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client.lua index c250111d8a..93127b7a25 100644 --- a/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client.lua 
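Review bot: `tls_host` is added as a free-form `Value` with no `datatype`, and a field named "TLS Host" is presumably what ends up as the SNI / certificate-verification hostname in the generated trojan JSON (the generator is listed in the diffstat but not in this chunk), so a typo or a stray `"`/`\` silently produces a config that verifies against the wrong name or fails to parse. Constrain it with `o.datatype = "host"` so LuCI rejects anything that is not a hostname or address, and give it a description, e.g. `o.description = translate("Hostname used for TLS SNI / certificate verification")` — confirm that wording against gentrojanconfig.lua. The commented-out `--o:depends("type", "trojan")` should be deleted or restored; as written the field is shown for every server type whenever TLS is on.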
+++ b/package/ctcgfw/luci-app-vssr/luasrc/model/cbi/vssr/client.lua @@ -146,6 +146,11 @@ o:value("oversea", translate("Oversea GFW List Mode")) o:value("all", translate("Global Mode")) o.default = gfw +o = s:option(ListValue, "dports", translate("Proxy Ports")) +o:value("1", translate("All Ports")) +o:value("2", translate("Only Common Ports")) +o.default = 1 + o = s:option(ListValue, "pdnsd_enable", translate("Resolve Dns Mode")) o:value("0", translate("Use Local DNS Service listen port 5335")) o:value("1", translate("Use Pdnsd tcp query and cache")) @@ -206,17 +211,6 @@ o:depends("pdnsd_enable", "6") o.default = "8.8.4.4:53" -o = s:option(Flag, "bt", translate("Kill BT")) -o.default = 0 -o.rmempty = false -o.description = translate("Prohibit downloading tool ports through proxy") - -o = s:option(Value, "bt_port", translate("BT Port")) -o.default = "1236:65535" -o.rmempty = true -o:depends("bt", "1") - - o = s:option(Button,"gfw_data",translate("GFW List Data")) o.rawhtml = true o.template = "vssr/refresh" diff --git a/package/ctcgfw/luci-app-vssr/root/etc/init.d/vssr b/package/ctcgfw/luci-app-vssr/root/etc/init.d/vssr index 2721da6c90..ff3cf09081 100755 --- a/package/ctcgfw/luci-app-vssr/root/etc/init.d/vssr +++ b/package/ctcgfw/luci-app-vssr/root/etc/init.d/vssr @@ -14,12 +14,9 @@ STOP=15 SERVICE_DAEMONIZE=1 NAME=vssr EXTRA_COMMANDS=rules - -#定义配置文件名称 -CONFIG_FILE=/var/etc/${NAME}_t.json +CONFIG_FILE=/var/etc/${NAME}.json CONFIG_UDP_FILE=/var/etc/${NAME}_u.json CONFIG_SOCK5_FILE=/var/etc/${NAME}_s.json - server_count=0 redir_tcp=0 redir_udp=0 
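Review bot: Renaming `CONFIG_FILE` from `/var/etc/${NAME}_t.json` to `/var/etc/${NAME}.json` leaves the old file in place on a router upgraded without a reboot, and that file carries the server password in plaintext (it is the `"password"` field `gen_config_file` writes); none of the visible `stop()` hunks removes either name. Add a one-off cleanup next to the definition, `rm -f /var/etc/${NAME}_t.json`, or have `stop()` remove all three `CONFIG_*` files. If `/var/etc` is not tmpfs on this build (it usually is on OpenWrt, but I cannot tell from here) the stale copy also survives reboots.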
@@ -53,13 +50,13 @@ uci_get_by_type() { } add_cron() { - sed -i '/vssr.log/d' $CRON_FILE - echo '0 1 * * 0 echo "" > /tmp/vssr.log' >>$CRON_FILE -# [ $(uci_get_by_type server_subscribe auto_update 0) -eq 1 ] && echo "0 $(uci_get_by_type server_subscribe auto_update_time) * * * /usr/bin/lua /usr/share/vssr/subscribe.lua" >> $CRON_FILE - [ $(uci_get_by_type server_subscribe auto_update 0) -eq 1 ] && echo "0 $(uci_get_by_type server_subscribe auto_update_time) * * * /usr/bin/lua /usr/share/vssr/update.lua" >> $CRON_FILE - [ -n "$(grep -w "/usr/share/vssr/subscribe.sh" $CRON_FILE)" ] && sed -i '/\/usr\/share\/vssr\/subscribe.sh/d' $CRON_FILE + sed -i '/vssr/d' $CRON_FILE + sed -i '/vssr.log/d' $CRON_FILE && echo '0 1 * * * echo "" > /tmp/vssr.log' >>$CRON_FILE +# [ $(uci_get_by_type server_subscribe auto_update 0) -eq 1 ] && echo "0 $(uci_get_by_type server_subscribe auto_update_time) * * * /usr/bin/lua /usr/share/vssr/subscribe.lua" >>$CRON_FILE + [ $(uci_get_by_type server_subscribe auto_update 0) -eq 1 ] && echo "0 5 * * * /usr/bin/lua /usr/share/vssr/update.lua" >>$CRON_FILE + [ -n "$(grep -w "/usr/share/vssr/subscribe.sh" $CRON_FILE)" ] && sed -i '/\/usr\/share\/vssr\/subscribe.sh/d' $CRON_FILE [ $(uci_get_by_type server_subscribe auto_update 0) -eq 1 ] && echo "0 $(uci_get_by_type server_subscribe auto_update_time) * * * /usr/share/vssr/subscribe.sh" >> $CRON_FILE - [ -z "$(grep -w "/usr/share/vssr/update.sh" $CRON_FILE)" ] && echo "0 5 * * 0 /usr/share/vssr/update.sh" >> $CRON_FILE + [ -z "$(grep -w "/usr/share/vssr/update.sh" $CRON_FILE)" ] && echo "0 5 * * 0 /usr/share/vssr/update.sh" >> $CRON_FILE crontab $CRON_FILE } 
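Review bot: The new `sed -i '/vssr/d' $CRON_FILE` deletes every crontab line that merely contains the substring `vssr`, including entries the user added by hand (any script or path with that name), whereas the previous code only matched `vssr.log`; the `sed -i '/vssr.log/d'` on the next line is then redundant. Restrict the cleanup to the entries this function owns, in the escaped form the file already uses: `sed -i -e '/\/usr\/share\/vssr\//d' -e '/\/tmp\/vssr.log/d' $CRON_FILE`. Separately, `update.lua` is now pinned to `0 5 * * *` while `subscribe.sh` two lines below still honours `auto_update_time`; if that divergence is not intentional both should use the configured hour, and either way a comment such as `# update.lua runs at a fixed 05:00; subscribe.sh follows auto_update_time` would stop the next reader from "fixing" it.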
@@ -71,52 +68,47 @@ del_cron() { run_mode=$(uci_get_by_type global run_mode) v2ray_path=$(uci_get_by_type server_subscribe v2ray_path) - gen_config_file() { - local use_conf_file=$(uci_get_by_name $1 use_conf_file) + local use_conf_file=$(uci_get_by_name $1 use_conf_file) local conf_file_path=$(uci_get_by_name $1 conf_file_path) local host=$(uci_get_by_name $1 server) - if echo $host|grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$">/dev/null; then - hostip=${host} - elif [ "$host" != "${host#*:[0-9a-fA-F]}" ] ;then - hostip=${host} + if echo $host | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >/dev/null; then + hostip=$host + elif [ "$host" != "${host#*:[0-9a-fA-F]}" ]; then + hostip=$host else - hostip=`nslookup ${host} | grep 'Address 1' | sed 's/Address 1: //g'` - if echo $hostip|grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$">/dev/null; then - hostip=${hostip} + hostip=$(ping $host -W 1 -s 1 -c 1 | grep PING | cut -d'(' -f 2 | cut -d')' -f1) + if echo $hostip | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >/dev/null; then + hostip=$hostip else - hostip=`cat /etc/ssr_ip` + hostip=$(cat /etc/ssr_ip) fi fi - - [ $2 = "0" -a $kcp_flag = "1" ] && hostip="127.0.0.1" - - if [ $2 = "0" ] ;then + [ "$2" == "0" -a "$kcp_flag" == "1" ] && hostip="127.0.0.1" + if [ "$2" == "0" ]; then config_file=$CONFIG_FILE - elif [ $2 = "1" ]; then + elif [ "$2" == "1" ]; then config_file=$CONFIG_UDP_FILE else config_file=$CONFIG_SOCK5_FILE fi - - if [ $(uci_get_by_name $1 fast_open 0) = "1" ] ;then - fastopen="true"; + if [ $(uci_get_by_name $1 fast_open 0) == "1" ]; then + fastopen="true" else - fastopen="false"; + fastopen="false" fi - - local port=$(uci_get_by_name $1 server_port) + local port=$(uci_get_by_name $1 server_port) if [ $HAPROXY_MODE = "1" ]; then hostip="0.0.0.0" port="4433" fi - - local local_port=$(uci_get_by_name $1 local_port) + local local_port=$(uci_get_by_name $1 local_port) iptables -A SS_WAN_DROP -p tcp --dport 
$local_port -j DROP local stype=$(uci_get_by_name $1 type) - local plugin=$(uci_get_by_name $1 plugin) + local plugin=$(uci_get_by_name $1 plugin) + if [ "$stype" == "ss" ] ;then if [ "$plugin" == "none" ] ;then cat <<-EOF >$config_file 
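Review bot: The hostname fallback now resolves `$host` by running `ping $host -W 1 -s 1 -c 1` and scraping the `PING host (ip)` banner, which sends an ICMP probe to the proxy server on every start and depends on busybox's output format; with `$host` unquoted, a value containing whitespace or glob characters (subscription data is not validated here) is also word-split into extra `ping` arguments. Resolve without probing and with the value quoted, e.g. `hostip=$(resolveip -4 -t 1 "$host" 2>/dev/null | head -n1)` (`resolveip` ships with OpenWrt base packages — confirm it is in this image, otherwise the previous `nslookup` form is the portable choice). The `cat /etc/ssr_ip` fallback is taken unconditionally, so a cached address from a previously configured server silently becomes the target when resolution fails; at least `logger -t vssr "resolve failed for $host, using cached /etc/ssr_ip"` so the operator can see it. `gen_config_file` continues past the end of this hunk.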
@@ -149,126 +141,108 @@ EOF } EOF fi - elif [ "$stype" == "ssr" ] ;then - cat <<-EOF >$config_file - { - - "server": "$hostip", - "server_port": $port, - "local_address": "0.0.0.0", - "local_port": $local_port, - "password": "$(uci_get_by_name $1 password)", - "timeout": $(uci_get_by_name $1 timeout 60), - "method": "$(uci_get_by_name $1 encrypt_method)", - "protocol": "$(uci_get_by_name $1 protocol)", - "protocol_param": "$(uci_get_by_name $1 protocol_param)", - "obfs": "$(uci_get_by_name $1 obfs)", - "obfs_param": "$(uci_get_by_name $1 obfs_param)", - "reuse_port": true, - "fast_open": $fastopen - } -EOF - elif [ "$stype" == "v2ray" ] ;then - if [ "$use_conf_file" -eq 1 ] ;then - cp $conf_file_path /var/etc/v2-ssr-retcp.json - else - global_server=$(uci_get_by_type global global_server) - if [ "$global_server" = "__haproxy__" ]; then - local haproxy_server=$(uci -X show vssr | grep servers | awk -F'[.=]' '{print $2}' | sed -n 2p) - lua /usr/share/vssr/genv2config_haproxy.lua $haproxy_server tcp $local_port > /var/etc/v2-ssr-retcp.json - else - lua /usr/share/vssr/genv2config.lua $GLOBAL_SERVER tcp $(uci_get_by_name $1 local_port) > /var/etc/v2-ssr-retcp.json - fi - sed -i 's/\\//g' /var/etc/v2-ssr-retcp.json - fi - elif [ "$stype" == "trojan" ] ;then - lua /usr/share/vssr/gentrojanconfig.lua $GLOBAL_SERVER nat $(uci_get_by_name $1 local_port) > /var/etc/trojan-ssr-retcp.json - sed -i 's/\\//g' /var/etc/trojan-ssr-retcp.json + elif [ "$stype" == "ssr" ]; then + cat <<-EOF >$config_file + { + "server": "$hostip", + "server_port": $(uci_get_by_name $1 server_port), + "local_address": "::", + "local_port": $(uci_get_by_name $1 local_port), + "password": "$(uci_get_by_name $1 password)", + "timeout": $(uci_get_by_name $1 timeout 60), + "method": "$(uci_get_by_name $1 encrypt_method)", + "protocol": "$(uci_get_by_name $1 protocol)", + "protocol_param": "$(uci_get_by_name $1 protocol_param)", + "obfs": "$(uci_get_by_name $1 obfs)", + "obfs_param": "$(uci_get_by_name $1 
obfs_param)", + "reuse_port": true, + "fast_open": $fastopen + } + EOF + elif [ "$stype" == "v2ray" ]; then + lua /usr/share/vssr/genv2config.lua $GLOBAL_SERVER tcp $(uci_get_by_name $1 local_port) >/var/etc/v2-ssr-retcp.json + sed -i 's/\\//g' /var/etc/v2-ssr-retcp.json + elif [ "$stype" == "trojan" ]; then + lua /usr/share/vssr/gentrojanconfig.lua $GLOBAL_SERVER nat $(uci_get_by_name $1 local_port) >/var/etc/trojan-ssr-retcp.json + sed -i 's/\\//g' /var/etc/trojan-ssr-retcp.json fi - } + get_arg_out() { case "$(uci_get_by_type access_control router_proxy 1)" in - 1) echo "-o";; - 2) echo "-O";; + 1) echo "-o" ;; + 2) echo "-O" ;; esac } start_rules() { local server=$(uci_get_by_name $GLOBAL_SERVER server) #resolve name - if echo $server|grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$">/dev/null; then - server=${server} - elif [ "$server" != "${server#*:[0-9a-fA-F]}" ] ;then - server=${server} + if echo $server | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >/dev/null; then + server=$server + elif [ "$server" != "${server#*:[0-9a-fA-F]}" ]; then + server=$server else - server=`ping ${server} -s 1 -c 1 | grep PING | cut -d'(' -f 2 | cut -d')' -f1` - if echo $server|grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$">/dev/null; then - echo $server >/etc/ssr_ip - else - server=`cat /etc/ssr_ip` - fi + server=$(ping $server -W 1 -s 1 -c 1 | grep PING | cut -d'(' -f 2 | cut -d')' -f1) + if echo $server | grep -E "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >/dev/null; then + echo $server >/etc/ssr_ip + else + server=$(cat /etc/ssr_ip) + fi fi - kcp_server=$server - local kcp_enable=$(uci_get_by_name $GLOBAL_SERVER kcp_enable 0) - if [ $kcp_enable = "1" ]; then + if [ $kcp_enable == "1" ]; then kcp_flag=1 fi - local local_port=$(uci_get_by_name $GLOBAL_SERVER local_port) local lan_ac_ips=$(uci_get_by_type access_control lan_ac_ips) local lan_ac_mode=$(uci_get_by_type access_control lan_ac_mode) local router_proxy=$(uci_get_by_type 
access_control router_proxy) - if [ "$GLOBAL_SERVER" = "$UDP_RELAY_SERVER" -a $kcp_flag = 0 ]; then + if [ "$GLOBAL_SERVER" == "$UDP_RELAY_SERVER" -a "$kcp_flag" == "0" ]; then ARG_UDP="-u" elif [ -n "$UDP_RELAY_SERVER" ]; then ARG_UDP="-U" local udp_server=$(uci_get_by_name $UDP_RELAY_SERVER server) local udp_local_port=$(uci_get_by_name $UDP_RELAY_SERVER local_port) fi - if [ -n "$lan_ac_ips" ]; then case "$lan_ac_mode" in w | W | b | B) local ac_ips="$lan_ac_mode$lan_ac_ips" ;; esac fi - #deal gfw firewall rule + #deal gfw firewall rule local gfwmode="" - if [ "$run_mode" = "gfw" ]; then + if [ "$run_mode" == "gfw" ]; then gfwmode="-g" - elif [ "$run_mode" = "router" ]; then + elif [ "$run_mode" == "router" ]; then gfwmode="-r" - elif [ "$run_mode" = "oversea" ]; then + elif [ "$run_mode" == "oversea" ]; then gfwmode="-c" - elif [ "$run_mode" = "all" ]; then + elif [ "$run_mode" == "all" ]; then gfwmode="-z" fi - local dports=$(uci_get_by_type global dports 1) - if [ $dports = "1" ]; then + if [ $dports == "1" ]; then proxyport=" " else - proxyport="-m multiport --dports 22,53,587,465,995,993,143,80,443 " + proxyport="-m multiport --dports 22,53,587,465,995,993,143,80,443" fi - /usr/bin/vssr-rules \ - -s "$server" \ - -l "$local_port" \ - -S "$udp_server" \ - -L "$udp_local_port" \ - -a "$ac_ips" \ - -i "$(uci_get_by_type access_control wan_bp_list)" \ - -b "$(uci_get_by_type access_control wan_bp_ips)" \ - -w "$(uci_get_by_type access_control wan_fw_ips)" \ - -B "$(uci_get_by_type access_control lan_bp_ips)" \ - -p "$(uci_get_by_type access_control lan_fp_ips)" \ - -G "$(uci_get_by_type access_control lan_gm_ips)" \ - -D "$proxyport" \ - $(get_arg_out) $gfwmode $ARG_UDP - + -s "$server" \ + -l "$local_port" \ + -S "$udp_server" \ + -L "$udp_local_port" \ + -a "$ac_ips" \ + -i "$(uci_get_by_type access_control wan_bp_list)" \ + -b "$(uci_get_by_type access_control wan_bp_ips)" \ + -w "$(uci_get_by_type access_control wan_fw_ips)" \ + -B "$(uci_get_by_type 
access_control lan_bp_ips)" \ + -p "$(uci_get_by_type access_control lan_fp_ips)" \ + -G "$(uci_get_by_type access_control lan_gm_ips)" \ + -D "$proxyport" \ + $(get_arg_out) $gfwmode $ARG_UDP return $? } @@ -612,33 +586,32 @@ EOF /usr/sbin/haproxy -q -D -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid } + start_redir() { case "$(uci_get_by_name $GLOBAL_SERVER auth_enable)" in - 1|on|true|yes|enabled) ARG_OTA="-A";; - *) ARG_OTA="";; + 1 | on | true | yes | enabled) ARG_OTA="-A" ;; + *) ARG_OTA="" ;; esac - #deal kcp local kcp_enable=$(uci_get_by_name $GLOBAL_SERVER kcp_enable 0) - if [ $kcp_enable = "1" ] ;then - [ ! -f "/usr/bin/kcptun-client" ] && return 1 - - local kcp_str=`/usr/bin/kcptun-client -v |grep kcptun|wc -l` - [ "0" = $kcp_str ] && return 1 + if [ "$kcp_enable" == "1" ]; then + [ ! -f "/usr/bin/kcptun-client" ] && return 1 + local kcp_str=$(/usr/bin/kcptun-client -v | grep kcptun | wc -l) + [ "0" == "$kcp_str" ] && return 1 local kcp_port=$(uci_get_by_name $GLOBAL_SERVER kcp_port) local server_port=$(uci_get_by_name $GLOBAL_SERVER server_port) local password=$(uci_get_by_name $GLOBAL_SERVER kcp_password) local kcp_param=$(uci_get_by_name $GLOBAL_SERVER kcp_param) - [ "$password" != "" ] && password="--key "${password} + [ "$password" != "" ] && password="--key "$password service_start /usr/bin/kcptun-client \ - -r $kcp_server:$kcp_port \ - -l :$server_port $password $kcp_param + -r $kcp_server:$kcp_port \ + -l :$server_port $password $kcp_param kcp_enable_flag=1 fi - gen_config_file $GLOBAL_SERVER 0 - local stype=$(uci_get_by_name $GLOBAL_SERVER type) - if [ "$stype" == "ss" ] ;then + gen_config_file $GLOBAL_SERVER 0 + local stype=$(uci_get_by_name $GLOBAL_SERVER type) + if [ "$stype" == "ss" ] ;then sscmd="/usr/bin/ss-redir" elif [ "$stype" == "ssr" ] ;then sscmd="/usr/bin/ssr-redir" 
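Review bot: The SSR config now binds the redir listener to `"local_address": "::"` instead of `"0.0.0.0"`, which on a dual-stack kernel makes the local port reachable over IPv6 on every interface, while the only guard visible is `iptables -A SS_WAN_DROP -p tcp --dport $local_port -j DROP` — an IPv4-only rule — so the WAN-side drop no longer covers the socket. Either keep `"local_address": "0.0.0.0"` or add the matching `ip6tables -A SS_WAN_DROP -p tcp --dport $local_port -j DROP` (and create that chain in the v6 filter table wherever `SS_WAN_DROP` is set up, outside this chunk). In the same heredoc `"server_port"` now reads `$(uci_get_by_name $1 server_port)` and ignores the `$port` that the haproxy branch above still rewrites to `4433`, and the password is interpolated unescaped into JSON and written under the default umask; a `umask 077` before `cat <<-EOF >$config_file` is cheap hardening. `gen_config_file` starts before this hunk; `start_rules` is complete within it.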
@@ -661,13 +634,12 @@ start_redir() { ucmd="/usr/sbin/trojan" elif [ "$stype" == "socks5" ]; then ucmd="/usr/bin/ipt2socks" - - fi - if [ "$(uci_get_by_type global threads 0)" = "0" ] ;then - threads=$(cat /proc/cpuinfo | grep 'processor' | wc -l) - else - threads=$(uci_get_by_type global threads) - fi + fi + if [ "$(uci_get_by_type global threads 0)" == "0" ]; then + threads=$(cat /proc/cpuinfo | grep 'processor' | wc -l) + else + threads=$(uci_get_by_type global threads) + fi #转发TCP redir_tcp=1 if [ "$stype" == "ss" -o "$stype" == "ssr" ] ;then @@ -731,11 +703,10 @@ elif [ "$stype" == "socks5" ]; then else $ucmd -4 -b 0.0.0.0 -s $(uci_get_by_name $UDP_RELAY_SERVER server) -p $(uci_get_by_name $UDP_RELAY_SERVER server_port) -a $(uci_get_by_name $GLOBAL_SERVER username) \ -k $(uci_get_by_name $GLOBAL_SERVER password) -l $(uci_get_by_name $UDP_RELAY_SERVER local_port) -U ssr-reudp >/dev/null 2>&1 & - - fi - fi + fi + fi fi - #deal with dns +#deal with dns if [ "$(uci_get_by_type global pdnsd_enable)" -ne "0" ] ;then local dnsstr="$(uci_get_by_type global tunnel_forward 8.8.4.4:53)" @@ -785,10 +756,9 @@ fi fi fi - - if [ "$(uci_get_by_type global enable_switch)" = "1" ] && [ $HAPROXY_MODE = "0" ]; then - if [ "$(uci_get_by_name $GLOBAL_SERVER switch_enable)" = "1" ] ;then - if [ -z "$switch_server" ] ;then + if [ "$(uci_get_by_type global enable_switch)" == "1" ]; then + if [ "$(uci_get_by_name $GLOBAL_SERVER switch_enable 1)" == "1" ]; then + if [ -z "$switch_server" ]; then local switch_time=$(uci_get_by_type global switch_time) local switch_timeout=$(uci_get_by_type global switch_timeout) service_start /usr/bin/vssr-switch start $switch_time $switch_timeout @@ -797,7 +767,6 @@ fi fi fi add_cron - return $? } start_udp2raw() { @@ -827,7 +796,6 @@ start_udpspeeeder() { --timeout $(uci_get_by_type udpspeeder timeout) \ >/dev/null 2>&1 & } - gen_service_file() { if [ $(uci_get_by_name $1 fast_open) = "1" ] ;then fastopen="true"; 
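Review bot: `uci_get_by_name $GLOBAL_SERVER switch_enable 1` changes the fallback for a server with no `switch_enable` key from off to on, so every existing configuration with `enable_switch=1` will now spawn `vssr-switch` for servers that never opted in; dropping the `[ $HAPROXY_MODE = "0" ]` guard on the same line is only safe because haproxy mode is removed elsewhere in this patch. If the new default is intended, state it, `# switch_enable defaults to on for servers that predate the option`, and make the LuCI form's default agree; otherwise restore `0`. In the `-731` hunk the socks5 branch still hands `-a $(…username) -k $(…password)` to `ipt2socks` on the command line, where any local user can read them from `ps` — not introduced here, but worth a `# TODO` while this code is being reworked.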
@@ -928,30 +896,30 @@ start_service() { fi return 0 } + gen_serv_include() { -FWI=$(uci get firewall.vssr.path 2>/dev/null) -[ -n "$FWI" ] || return 0 -if [ ! -f $FWI ] ;then -echo '#!/bin/sh' >$FWI -fi -extract_rules() { -echo "*filter" -iptables-save -t filter | grep SSR-SERVER-RULE|sed -e "s/^-A INPUT/-I INPUT/" -echo 'COMMIT' -} + FWI=$(uci get firewall.vssr.path 2>/dev/null) + [ -n "$FWI" ] || return 0 + if [ ! -f $FWI ]; then + echo '#!/bin/sh' >$FWI + fi + extract_rules() { + echo "*filter" + iptables-save -t filter | grep SSR-SERVER-RULE | sed -e "s/^-A INPUT/-I INPUT/" + echo 'COMMIT' + } cat <<-EOF >>$FWI - iptables-save -c | grep -v "SSR-SERVER" | iptables-restore -c - iptables-restore -n <<-EOT - $(extract_rules) - EOT -EOF - + iptables-save -c | grep -v "SSR-SERVER" | iptables-restore -c + iptables-restore -n <<-EOT + $(extract_rules) + EOT + EOF } -start_server() { - SERVER_ENABLE=$(uci_get_by_type server_global enable_server) - [ "$SERVER_ENABLE" = 0 ] && return 0 - mkdir -p /var/run /var/etc +start_server() { + SERVER_ENABLE=$(uci_get_by_type server_global enable_server 0) + [ "$SERVER_ENABLE" == "0" ] && return 0 + mkdir -p /var/run /var/etc config_load $NAME config_foreach start_service server_config gen_serv_include @@ -990,22 +958,22 @@ start_local() { /etc/init.d/privoxy enable && /etc/init.d/privoxy start privoxy_enable=1 fi - } rules() { - [ "$GLOBAL_SERVER" = "nil" ] && return 1 + [ "$GLOBAL_SERVER" == "nil" ] && return 1 mkdir -p /var/run /var/etc UDP_RELAY_SERVER=$(uci_get_by_type global udp_relay_server) - [ "$UDP_RELAY_SERVER" = "same" ] && UDP_RELAY_SERVER=$GLOBAL_SERVER - if start_rules ;then - return 0 + [ "$UDP_RELAY_SERVER" == "same" ] && UDP_RELAY_SERVER=$GLOBAL_SERVER + if start_rules; then + return 0 else - return 1 + return 1 fi } -start() { - case "$(uci_get_by_type udp2raw udp2raw_enable)" in + +start() { + case "$(uci_get_by_type udp2raw udp2raw_enable)" in 1|on|true|yes|enabled) start_udp2raw ;; 
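Review bot: `gen_serv_include` appends to the firewall include file with `cat <<-EOF >>$FWI` and nothing visible ever truncates it, so each start adds another `iptables-save | grep -v | iptables-restore` block and both the file and the work done on every firewall reload grow without bound; unless an upstream truncate I cannot see exists, write it fresh each time — `echo '#!/bin/sh' >$FWI` unconditionally, then `>>`. The heredoc terminators `EOF` and `EOT` are now indented, and `<<-` strips leading tabs only; if the reformatting introduced spaces the terminator is never matched and the rest of the script becomes heredoc body, so run `sh -n /etc/init.d/vssr` on the target. Quoting `"$FWI"` in `[ ! -f $FWI ]` avoids a test error should the uci path ever contain whitespace.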
@@ -1016,48 +984,24 @@ start() { ;; esac - if [ -z "$switch_server" ] ;then + if [ -z "$switch_server" ]; then GLOBAL_SERVER=$(uci_get_by_type global global_server) else GLOBAL_SERVER=$switch_server switch_enable=1 fi - - HAPROXY_MODE="0" - if [ "$GLOBAL_SERVER" = "__haproxy__" ]; then - GLOBAL_SERVER=$(uci -X show vssr | grep servers | awk -F'[.=]' '{print $2}' | head -n 1) - HAPROXY_MODE="1" - fi - - if rules ;then - [ $HAPROXY_MODE = "1" ] && start_haproxy && haproxy_enable=1 - + if rules; then start_redir - - mkdir -p /tmp/dnsmasq.d - - if ! [ "$run_mode" = "oversea" ]; then -# for domain_names in $(uci -X show vssr | grep domain_white_list | awk -F'[.=]' '{print $2}'); do -# local DOMAIN_NANES=$(uci_get_by_name $domain_names domain_names) -# -# sed -i "/$DOMAIN_NANES/d" /etc/dnsmasq.ssr/custom_forward.conf -# sed -i "/$DOMAIN_NANES/d" /etc/dnsmasq.ssr/gfw_base.conf -# sed -i "/$DOMAIN_NANES/d" /etc/dnsmasq.ssr/gfw_list.conf -# done - - sleep 2 - - cat > /tmp/dnsmasq.d/dnsmasq-ssr.conf </tmp/dnsmasq.d/dnsmasq-ssr.conf + conf-dir=/tmp/dnsmasq.ssr + EOF + else + cat <<-EOF >/tmp/dnsmasq.d/dnsmasq-ssr.conf + conf-dir=/tmp/dnsmasq.oversea else - cat > /tmp/dnsmasq.d/dnsmasq-ssr.conf </dev/null 2>&1 - + /usr/share/vssr/gfw2ipset.sh + /etc/init.d/dnsmasq restart >/dev/null 2>&1 fi start_server start_local - -if [ $(uci_get_by_type global monitor_enable) = 1 ] ;then + if [ $(uci_get_by_type global monitor_enable 0) == "1" ]; then let total_count=server_count+redir_tcp+redir_udp+tunnel_enable+kcp_enable_flag+local_enable+pdnsd_enable_flag+dnsforwarder_enable_flag+switch_enable+ssserver_enable+ssrserver_enable+v2rayserver_enable+haproxy_enable+privoxy_enable+chinadns_enable_flag+dnscrypt-proxy_enable_flag if [ $total_count -gt 0 ] ;then 
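Review bot: This hunk deletes the `HAPROXY_MODE="0"` initialisation from `start()`, but `gen_config_file` in the earlier hunk still contains `if [ $HAPROXY_MODE = "1" ]; then hostip="0.0.0.0" port="4433"` with the variable unquoted, so on every start that test expands to `[ = "1" ]`, which busybox `test` reports as an error rather than evaluating false. Either remove that branch together with the rest of the haproxy support or quote it, `if [ "$HAPROXY_MODE" = "1" ]; then`. A `global_server` of `__haproxy__` persisted by an older version is now passed straight to `uci_get_by_name` as a section name; if the LuCI form can still emit that value, `rules()` should treat it like `nil` and return 1. The dnsmasq `cat <<-EOF` stanzas are garbled in this rendering of the diff, so I could not review the generated `conf-dir` lines.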
@@ -1087,37 +1027,28 @@ if [ $(uci_get_by_type global monitor_enable) = 1 ] ;then service_start /usr/bin/vssr-monitor $server_count $redir_tcp $redir_udp $tunnel_enable $kcp_enable_flag $local_enable $pdnsd_enable_flag $dnsforwarder_enable_flag $switch_enable $ssserver_enable $ssrserver_enable $v2rayserver_enable $haproxy_enable $privoxy_enable $chinadns_enable_flag $dnscrypt-proxy_enable_flag fi fi - - ENABLE_SERVER=$(uci_get_by_type global global_server) - [ "$ENABLE_SERVER" = "nil" ] && return 1 + ENABLE_SERVER=$(uci_get_by_type global global_server nil) + [ "$ENABLE_SERVER" == "nil" ] && return 1 } - boot() { - (/usr/share/vssr/chinaipset.sh && sleep 5 && start >/dev/null 2>&1) & + (/usr/share/vssr/chinaipset.sh && sleep 3 && start >/dev/null 2>&1) & } stop() { /usr/bin/vssr-rules -f - srulecount=`iptables -L|grep SSR-SERVER-RULE|wc -l` - if [ $srulecount -gt 0 ] ;then + srulecount=$(iptables -L | grep SSR-SERVER-RULE | wc -l) + if [ $srulecount -gt 0 ]; then iptables -F SSR-SERVER-RULE - iptables -t filter -D INPUT -j SSR-SERVER-RULE + iptables -t filter -D INPUT -j SSR-SERVER-RULE iptables -X SSR-SERVER-RULE 2>/dev/null fi - - iptables -t nat -F HAPROXY 2>/dev/null - iptables -t nat -D OUTPUT -j HAPROXY 2>/dev/null - iptables -t nat -X HAPROXY 2>/dev/null - - if [ -z "$switch_server" ] ;then - kill -9 $(ps | grep vssr-switch | grep -v "grep" | awk '{print $1}') >/dev/null 2>&1 + if [ -z "$switch_server" ]; then + kill -9 $(busybox ps -w | grep vssr-switch | grep -v grep | awk '{print $1}') >/dev/null 2>&1 fi - - if [ $(uci_get_by_type global monitor_enable) = 1 ] ;then - kill -9 $(ps | grep vssr-monitor | grep -v "grep" | awk '{print $1}') >/dev/null 2>&1 + if [ $(uci_get_by_type global monitor_enable 0) == "1" ]; then + kill -9 $(busybox ps -w | grep vssr-monitor | grep -v grep | awk '{print $1}') >/dev/null 2>&1 fi - killall -q -9 vssr-monitor killall -q -9 ss-redir killall -q -9 ssr-redir 
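Review bot: `kill -9 $(busybox ps -w | grep vssr-switch | grep -v grep | awk '{print $1}')` kills every process whose command line contains that substring — an editor open on `/etc/init.d/vssr-switch`, a user's own script with the name — and SIGKILL denies `vssr-switch` any cleanup. The script already uses `killall -q -9 vssr-monitor` a few lines down; use the same idiom here, `killall -q vssr-switch`, or `kill $(pidof vssr-switch)`, after checking that the process name matches the way `vssr-switch` is launched. The same grep pattern is used for `vssr-monitor` here and for `pdnsd` in the next hunk. The `boot()` delay going from `sleep 5` to `sleep 3` is presumably tuned empirically; if the wait is for the WAN to come up, an `/etc/hotplug.d/iface` hook is more reliable than any fixed sleep.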
@@ -1139,17 +1070,11 @@ stop() { killall -q -9 chinadns killall -q -9 udp2raw killall -q -9 udpspeeder - /usr/bin/udp2raw --clear >/dev/null - if [ -f /var/run/pdnsd.pid ] ;then + if [ -f /var/run/pdnsd.pid ]; then kill $(cat /var/run/pdnsd.pid) >/dev/null 2>&1 else - - kill -9 $(ps | grep pdnsd | grep -v "grep" | awk '{print $1}') >/dev/null 2>&1 + kill -9 $(busybox ps -w | grep pdnsd | grep -v grep | awk '{print $1}') >/dev/null 2>&1 fi - - kill $(pidof dnsparsing) >/dev/null 2>&1 || killall -9 dnsparsing >/dev/null 2>&1 - rm -rf /var/run/dnsparsing - if [ $(uci_get_by_type global adblock 0) == "0" ]; then rm -f /tmp/dnsmasq.d/ad.conf else @@ -1157,21 +1082,7 @@ stop() { fi if [ -f "/tmp/dnsmasq.d/dnsmasq-ssr.conf" ]; then rm -f /tmp/dnsmasq.d/dnsmasq-ssr.conf - - if [ -d "/var/dnsmasq.ssr" ]; then - rm -rf /var/etc/dnsmasq.ssr - fi - - if [ -d "/var/dnsmasq.oversea" ]; then - rm -rf /var/etc/dnsmasq.oversea - fi - /etc/init.d/dnsmasq restart >/dev/null 2>&1 fi - /etc/init.d/dnscrypt-proxy disable - /etc/init.d/dnscrypt-proxy stop - /etc/init.d/privoxy disable - /etc/init.d/privoxy stop - - + /etc/init.d/dnsmasq restart >/dev/null 2>&1 del_cron } diff --git a/package/ctcgfw/luci-app-vssr/root/usr/bin/vssr-rules b/package/ctcgfw/luci-app-vssr/root/usr/bin/vssr-rules index 44c23c12b4..615fdaebc1 100755 --- a/package/ctcgfw/luci-app-vssr/root/usr/bin/vssr-rules +++ b/package/ctcgfw/luci-app-vssr/root/usr/bin/vssr-rules 
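Review bot: The `-1157` hunk removes `/etc/init.d/privoxy disable` / `stop` (and the dnscrypt-proxy pair) from `stop()`, yet `start_local` in this same patch still runs `/etc/init.d/privoxy enable && /etc/init.d/privoxy start`, so after `vssr stop` privoxy keeps listening and stays enabled across reboots — a proxy daemon left behind after the feature that needs it is off. Restore it guarded so a missing package does not error, `[ -x /etc/init.d/privoxy ] && { /etc/init.d/privoxy stop; /etc/init.d/privoxy disable; }`, or drop the `enable` from `start_local`. The `-1139` hunk also drops `/usr/bin/udp2raw --clear`; if `start_udp2raw` (body not in this chunk) launches udp2raw with its auto-iptables option, those filter rules will now survive a stop. `/var/etc/dnsmasq.ssr` and `dnsmasq.oversea` are no longer removed either, which is harmless only if `gfw2ipset.sh` regenerates them from scratch.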
@@ -7,38 +7,40 @@ # See /LICENSE for more information. # -TAG="_SS_SPEC_RULE_" # comment tag -IPT="iptables -t nat" # alias of iptables -FWI=$(uci get firewall.vssr.path 2>/dev/null) # firewall include file +TAG="_SS_SPEC_RULE_" # comment tag +IPT="iptables -t nat" # alias of iptables +FWI=$(uci get firewall.vssr.path 2>/dev/null) # firewall include file usage() { cat <<-EOF - Usage: vssr-rules [options] - Valid options are: - -s ip address of vssr remote server - -l port number of vssr local server - -S ip address of vssr remote UDP server - -L port number of vssr local UDP server - -i a file content is bypassed ip list - -a lan ip of access control, need a prefix to - define access control mode - -b wan ip of will be bypassed - -w wan ip of will be forwarded - -B lan ip of will be bypassed proxy - -p lan ip of will be global proxy - -G lan ip of will be game mode proxy - -D proxy ports - -e extra options for iptables - -o apply the rules to the OUTPUT chain - -O apply the global rules to the OUTPUT chain - -u enable udprelay mode, TPROXY is required - -U enable udprelay mode, using different IP - and ports for TCP and UDP - -f flush the rules - -g gfw list mode - -r return china mode - -h show this help message and exit -EOF +Usage: vssr-rules [options] + +Valid options are: + + -s ip address of vssr remote server + -l port number of vssr local server + -S ip address of vssr remote UDP server + -L port number of vssr local UDP server + -i a file content is bypassed ip list + -a lan ip of access control, need a prefix to + define access control mode + -b wan ip of will be bypassed + -w wan ip of will be forwarded + -B lan ip of will be bypassed proxy + -p lan ip of will be global proxy + -G lan ip of will be game mode proxy + -D proxy ports + -e extra options for iptables + -o apply the rules to the OUTPUT chain + -O apply the global rules to the OUTPUT chain + -u enable udprelay mode, TPROXY is required + -U enable udprelay mode, using different IP + and ports 
for TCP and UDP + -f flush the rules + -g gfw list mode + -r return china mode + -h show this help message and exit + EOF exit $1 } 
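Review bot: The heredoc terminator is now written as an indented `EOF`, and `cat <<-EOF` strips leading tabs only; if the reformatter emitted spaces (a rendered diff cannot show which) `usage()` never sees its terminator and the entire remainder of `vssr-rules` is parsed as heredoc text, breaking every invocation. Verify with `sh -n /usr/bin/vssr-rules` on the target, or leave `EOF` at column 0 where the `<<-`/`<<` distinction cannot bite. The same indented-terminator pattern recurs in `ipset_r`, `ac_rule`, `get_wan_ip` and `gen_iplist` in the later hunks.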
@@ -75,44 +77,38 @@ flush_r() { ipset_r() { ipset -N gmlan hash:net 2>/dev/null - for ip in $LAN_GM_IP; do ipset -! add gmlan $ip ; done - - if [ "$RUNMODE" = "router" ] ;then - ipset -! -R <<-EOF || return 1 - create ss_spec_wan_ac hash:net - $(gen_iplist | sed -e "s/^/add ss_spec_wan_ac /") -EOF - ipset -N gfwlist hash:net 2>/dev/null - $IPT -N SS_SPEC_WAN_AC - $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN - $IPT -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN - $IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW - - elif [ "$RUNMODE" = "gfw" ] ;then - ipset -N gfwlist hash:net 2>/dev/null - $IPT -N SS_SPEC_WAN_AC - $IPT -A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW - $IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW - $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN - $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN - - elif [ "$RUNMODE" = "oversea" ] ;then - ipset -N oversea hash:net 2>/dev/null - $IPT -N SS_SPEC_WAN_AC - ipset -N gmlan hash:net 2>/dev/null - for ip in $LAN_GM_IP; do ipset -! add gmlan $ip ; done - $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j SS_SPEC_WAN_FW - $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN - - elif [ "$RUNMODE" = "all" ] ;then - $IPT -N SS_SPEC_WAN_AC - $IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW - $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN - + for ip in $LAN_GM_IP; do ipset -! add gmlan $ip; done + if [ "$RUNMODE" == "router" ]; then + ipset -! -R <<-EOF || return 1 + create ss_spec_wan_ac hash:net + $(gen_iplist | sed -e "s/^/add ss_spec_wan_ac /") + EOF + ipset -N gfwlist hash:net 2>/dev/null + $IPT -N SS_SPEC_WAN_AC + $IPT -I SS_SPEC_WAN_AC -p tcp ! 
--dport 53 -d $server -j RETURN + $IPT -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN + $IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW + elif [ "$RUNMODE" == "gfw" ]; then + ipset -N gfwlist hash:net 2>/dev/null + $IPT -N SS_SPEC_WAN_AC + $IPT -A SS_SPEC_WAN_AC -m set --match-set gfwlist dst -j SS_SPEC_WAN_FW + $IPT -A SS_SPEC_WAN_AC -m set --match-set gmlan src -m set ! --match-set china dst -j SS_SPEC_WAN_FW + $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j RETURN + $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN + elif [ "$RUNMODE" == "oversea" ]; then + ipset -N oversea hash:net 2>/dev/null + $IPT -N SS_SPEC_WAN_AC + ipset -N gmlan hash:net 2>/dev/null + for ip in $LAN_GM_IP; do ipset -! add gmlan $ip; done + $IPT -A SS_SPEC_WAN_AC -m set --match-set china dst -j SS_SPEC_WAN_FW + $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN + elif [ "$RUNMODE" == "all" ]; then + $IPT -N SS_SPEC_WAN_AC + $IPT -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW + $IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN fi - ipset -N fplan hash:net 2>/dev/null - for ip in $LAN_FP_IP; do ipset -! add fplan $ip ; done + for ip in $LAN_FP_IP; do ipset -! add fplan $ip; done $IPT -I SS_SPEC_WAN_AC -m set --match-set fplan src -j SS_SPEC_WAN_FW ipset -N bplan hash:net 2>/dev/null for ip in $LAN_BP_IP; do ipset -! add bplan $ip; done 
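Review bot: Every mode inserts `$IPT -I SS_SPEC_WAN_AC -p tcp ! --dport 53 -d $server -j RETURN` with `$server` unquoted; if resolution in the init script failed and `/etc/ssr_ip` was empty, this expands to `-d -j RETURN`, iptables rejects the rule, and the proxy's own upstream traffic is redirected back into the local port — a loop that is hard to diagnose from the UI (unless the option parser, outside this chunk, already rejects an empty `-s`). Fail closed at the top of `ipset_r`, `[ -n "$server" ] || { loger 3 "no server address, refusing to install rules"; return 1; }`, and quote `"$server"` in the rule. Minor leftovers: `router` mode creates `gfwlist` but never references it, and `oversea` mode creates and fills `gmlan` a second time.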
@@ -121,25 +117,23 @@ EOF ipset -N blacklist hash:net 2>/dev/null $IPT -I SS_SPEC_WAN_AC -m set --match-set blacklist dst -j SS_SPEC_WAN_FW $IPT -I SS_SPEC_WAN_AC -m set --match-set whitelist dst -j RETURN - for ip in $WAN_BP_IP; do ipset -! add whitelist $ip; done for ip in $WAN_FW_IP; do ipset -! add blacklist $ip; done - return $? } fw_rule() { $IPT -N SS_SPEC_WAN_FW - $IPT -A SS_SPEC_WAN_FW -d 0.0.0.0/8 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 10.0.0.0/8 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 127.0.0.0/8 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 169.254.0.0/16 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 172.16.0.0/12 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 192.168.0.0/16 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 224.0.0.0/4 -j RETURN - $IPT -A SS_SPEC_WAN_FW -d 240.0.0.0/4 -j RETURN - $IPT -A SS_SPEC_WAN_FW -p tcp $PROXY_PORTS \ - -j REDIRECT --to-ports $local_port 2>/dev/null || { + $IPT -A SS_SPEC_WAN_FW -d 0.0.0.0/8 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 10.0.0.0/8 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 127.0.0.0/8 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 169.254.0.0/16 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 172.16.0.0/12 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 192.168.0.0/16 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 224.0.0.0/4 -j RETURN + $IPT -A SS_SPEC_WAN_FW -d 240.0.0.0/4 -j RETURN + $IPT -A SS_SPEC_WAN_FW -p tcp $PROXY_PORTS \ + -j REDIRECT --to-ports $local_port 2>/dev/null || { loger 3 "Can't redirect, please check the iptables." exit 1 } 
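Review bot: The bypass list in `fw_rule` omits `100.64.0.0/10` (RFC 6598 carrier-grade NAT), which many ISPs assign on the WAN side and which therefore shows up as a destination for management traffic; add `$IPT -A SS_SPEC_WAN_FW -d 100.64.0.0/10 -j RETURN` alongside the other private ranges so it is not REDIRECTed into the proxy, and mirror it in the UDP list in `tp_rule`. The `2>/dev/null` on the REDIRECT rule discards iptables' own diagnostic before `loger 3 "Can't redirect…"`, so the operator sees only a generic message; capture it instead, `err=$($IPT -A SS_SPEC_WAN_FW -p tcp $PROXY_PORTS -j REDIRECT --to-ports $local_port 2>&1) || { loger 3 "Can't redirect: $err"; exit 1; }`.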
@@ -149,37 +143,37 @@ fw_rule() { ac_rule() { if [ -n "$LAN_AC_IP" ]; then case "${LAN_AC_IP:0:1}" in - w|W) - MATCH_SET="-m set --match-set ss_spec_lan_ac src" - ;; - b|B) - MATCH_SET="-m set ! --match-set ss_spec_lan_ac src" - ;; - *) - loger 3 "Bad argument \`-a $LAN_AC_IP\`." - return 2 - ;; + w | W) + MATCH_SET="-m set --match-set ss_spec_lan_ac src" + ;; + b | B) + MATCH_SET="-m set ! --match-set ss_spec_lan_ac src" + ;; + *) + loger 3 "Bad argument \`-a $LAN_AC_IP\`." + return 2 + ;; esac fi IFNAME=$(uci get -P/var/state network.lan.ifname 2>/dev/null) ipset -! -R <<-EOF || return 1 create ss_spec_lan_ac hash:net $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip"; done) -EOF + EOF $IPT -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p tcp $EXT_ARGS $MATCH_SET \ - -m comment --comment "$TAG" -j SS_SPEC_WAN_AC + -m comment --comment "$TAG" -j SS_SPEC_WAN_AC if [ "$OUTPUT" = 1 ]; then $IPT -I OUTPUT 1 -p tcp $EXT_ARGS \ - -m comment --comment "$TAG" -j SS_SPEC_WAN_AC + -m comment --comment "$TAG" -j SS_SPEC_WAN_AC elif [ "$OUTPUT" = 2 ]; then ipset -! -R <<-EOF || return 1 - create ssr_gen_router hash:net - $(gen_spec_iplist | sed -e "s/^/add ssr_gen_router /") -EOF + create ssr_gen_router hash:net + $(gen_spec_iplist | sed -e "s/^/add ssr_gen_router /") + EOF $IPT -N SS_SPEC_ROUTER && \ $IPT -A SS_SPEC_ROUTER -m set --match-set ssr_gen_router dst -j RETURN && \ $IPT -A SS_SPEC_ROUTER -j SS_SPEC_WAN_FW - $IPT -I OUTPUT 1 -p tcp -m comment --comment "$TAG" -j SS_SPEC_ROUTER + $IPT -I OUTPUT 1 -p tcp -m comment --comment "$TAG" -j SS_SPEC_ROUTER fi return $? } 
@@ -190,44 +184,39 @@ tp_rule() { ip route add local 0.0.0.0/0 dev lo table 100 local ipt="iptables -t mangle" $ipt -N SS_SPEC_TPROXY + $ipt -A SS_SPEC_TPROXY -p udp --dport 443 -j DROP $ipt -A SS_SPEC_TPROXY -p udp --dport 53 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 0.0.0.0/8 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 10.0.0.0/8 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 127.0.0.0/8 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 169.254.0.0/16 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 172.16.0.0/12 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 192.168.0.0/16 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 224.0.0.0/4 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -d 240.0.0.0/4 -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp ! --dport 53 -d $server -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set bplan src -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set fplan src \ + $ipt -A SS_SPEC_TPROXY -p udp -d 0.0.0.0/8 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 10.0.0.0/8 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 127.0.0.0/8 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 169.254.0.0/16 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 172.16.0.0/12 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 192.168.0.0/16 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 224.0.0.0/4 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -d 240.0.0.0/4 -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp ! --dport 53 -d $server -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set bplan src -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set fplan src \ + -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 + if [ "$RUNMODE" == "router" ]; then + $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst \ -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - - if [ "$RUNMODE" = "router" ] ;then - $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! 
--match-set china dst \ + $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set ! --match-set ss_spec_wan_ac dst \ -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set ! --match-set ss_spec_wan_ac dst \ + elif [ "$RUNMODE" == "gfw" ]; then + $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN + $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst \ -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - - elif [ "$RUNMODE" = "gfw" ] ;then - $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set china dst -j RETURN - $ipt -A SS_SPEC_TPROXY -p udp -m set --match-set gmlan src -m set ! --match-set china dst \ + $ipt -A SS_SPEC_TPROXY -p udp -m set $PROXY_PORTS --match-set gfwlist dst \ -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - $ipt -A SS_SPEC_TPROXY -p udp -m set $PROXY_PORTS --match-set gfwlist dst \ + elif [ "$RUNMODE" == "oversea" ]; then + $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set china dst \ -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - - elif [ "$RUNMODE" = "oversea" ] ;then - $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -m set --match-set china dst \ - -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - - elif [ "$RUNMODE" = "all" ] ;then - $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 - fi - + elif [ "$RUNMODE" == "all" ]; then + $ipt -A SS_SPEC_TPROXY -p udp $PROXY_PORTS -j TPROXY --on-port "$LOCAL_PORT" --tproxy-mark 0x01/0x01 + fi $ipt -I PREROUTING 1 ${IFNAME:+-i $IFNAME} -p udp $EXT_ARGS $MATCH_SET \ - -m comment --comment "$TAG" -j SS_SPEC_TPROXY - + -m comment --comment "$TAG" -j SS_SPEC_TPROXY return $? } @@ -236,7 +225,7 @@ get_wan_ip() { $server $SERVER $WAN_BP_IP -EOF + EOF } gen_iplist() { @@ -259,7 +248,7 @@ gen_iplist() { 255.255.255.255 $(get_wan_ip) $(cat ${IGNORE_LIST:=/dev/null} 2>/dev/null) -EOF + EOF } gen_spec_iplist() { 
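Review bot: The new `$ipt -A SS_SPEC_TPROXY -p udp --dport 443 -j DROP` is the first rule in the chain, ahead of the private-range RETURNs, the `$server` exception and the `bplan` bypass set, so UDP/443 (QUIC) is dropped for every LAN host and every destination — including hosts the operator explicitly bypassed and RFC1918 destinations — in every `$RUNMODE`, and nothing in the hunk ties it to a configuration option. If the intent is to push browsers off QUIC so HTTPS falls into the TCP redirect, it should sit after the RETURN rules and carry a comment such as `# drop QUIC so clients fall back to TCP/443, which the redirect chain handles`. The hunk also changes `[ "$RUNMODE" = router ]` to `==`, which is a bash/ash extension rather than POSIX `test`; the same change appears in the last hunk of this file (`[ "$TPROXY" == 1 ]`, `[ "$?" == 0 ]`), and `=` works in both shells at no cost. tp_rule starts before this hunk.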
@@ -280,115 +269,110 @@ gen_spec_iplist() { 224.0.0.0/4 240.0.0.0/4 255.255.255.255 - $(get_wan_ip) -EOF + $(get_wan_ip) + EOF } gen_include() { [ -n "$FWI" ] || return 0 extract_rules() { echo "*$1" - iptables-save -t $1 | grep SS_SPEC_ |\ - sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/" + iptables-save -t $1 | grep SS_SPEC_ | \ + sed -e "s/^-A \(OUTPUT\|PREROUTING\)/-I \1 1/" echo 'COMMIT' } cat <<-EOF >>$FWI - iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c - iptables-restore -n <<-EOT - $(extract_rules nat) - $(extract_rules mangle) - EOT -EOF + iptables-save -c | grep -v "SS_SPEC" | iptables-restore -c + iptables-restore -n <<-EOT + $(extract_rules nat) + $(extract_rules mangle) + EOT + EOF return 0 } while getopts ":s:l:S:L:i:e:a:B:b:w:p:G:D:oOuUfgrczh" arg; do case "$arg" in - s) - server=$OPTARG - ;; - l) - local_port=$OPTARG - ;; - S) - SERVER=$OPTARG - ;; - L) - LOCAL_PORT=$OPTARG - ;; - i) - IGNORE_LIST=$OPTARG - ;; - e) - EXT_ARGS=$OPTARG - ;; - a) - LAN_AC_IP=$OPTARG - ;; - B) - LAN_BP_IP=$OPTARG - ;; - b) - WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done) - ;; - w) - WAN_FW_IP=$OPTARG - ;; - p) - LAN_FP_IP=$OPTARG - ;; - G) - LAN_GM_IP=$OPTARG - ;; - D) - PROXY_PORTS=$OPTARG - ;; - o) - OUTPUT=1 - ;; - O) - OUTPUT=2 - ;; - u) - TPROXY=1 - ;; - U) - TPROXY=2 - ;; - g) - RUNMODE=gfw - ;; - r) - RUNMODE=router - ;; - c) - RUNMODE=oversea - ;; - z) - RUNMODE=all - ;; - f) - flush_r - exit 0 - ;; - h) - usage 0 - ;; + s) + server=$OPTARG + ;; + l) + local_port=$OPTARG + ;; + S) + SERVER=$OPTARG + ;; + L) + LOCAL_PORT=$OPTARG + ;; + i) + IGNORE_LIST=$OPTARG + ;; + e) + EXT_ARGS=$OPTARG + ;; + a) + LAN_AC_IP=$OPTARG + ;; + B) + LAN_BP_IP=$OPTARG + ;; + b) + WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done) + ;; + w) + WAN_FW_IP=$OPTARG + ;; + p) + LAN_FP_IP=$OPTARG + ;; + G) + LAN_GM_IP=$OPTARG + ;; + D) + PROXY_PORTS=$OPTARG + ;; + o) + OUTPUT=1 + ;; + O) + OUTPUT=2 + ;; + u) + TPROXY=1 + ;; + U) + TPROXY=2 + ;; + g) + RUNMODE=gfw + ;; + r) + 
RUNMODE=router + ;; + c) + RUNMODE=oversea + ;; + z) + RUNMODE=all + ;; + f) + flush_r + exit 0 + ;; + h) usage 0 ;; esac done - if [ -z "$server" -o -z "$local_port" ]; then usage 2 fi - -if [ "$TPROXY" = 1 ]; then +if [ "$TPROXY" == 1 ]; then SERVER=$server LOCAL_PORT=$local_port -elif [ "$TPROXY" = 2 ]; then +elif [ "$TPROXY" == 2 ]; then : ${SERVER:?"You must assign an ip for the udp relay server."} : ${LOCAL_PORT:?"You must assign a port for the udp relay server."} fi - flush_r && fw_rule && ipset_r && ac_rule && tp_rule && gen_include -[ "$?" = 0 ] || loger 3 "Start failed!" +[ "$?" == 0 ] || loger 3 "Start failed!" exit $? diff --git a/package/ctcgfw/luci-app-vssr/root/usr/share/vssr/gentrojanconfig.lua b/package/ctcgfw/luci-app-vssr/root/usr/share/vssr/gentrojanconfig.lua index 85c9aa09c3..aceb02601f 100755 --- a/package/ctcgfw/luci-app-vssr/root/usr/share/vssr/gentrojanconfig.lua +++ b/package/ctcgfw/luci-app-vssr/root/usr/share/vssr/gentrojanconfig.lua 
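Review bot: `[ "$?" == 0 ] || loger 3 "Start failed!"` followed by `exit $?` exits with the status of `loger` (or of the successful test), not with the status of the `flush_r && fw_rule && ipset_r && ac_rule && tp_rule && gen_include` chain, so a failed rule setup is reported to the caller as success. Capture it first: `rc=$?`, `[ "$rc" = 0 ] || loger 3 "Start failed!"`, `exit $rc`. In gen_include, a one-line comment above `cat <<-EOF >>$FWI` explaining that the appended snippet presumably re-installs the saved SS_SPEC_ rules when the firewall is reloaded would help the next reader understand why the rules are captured with `iptables-save` at start time.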
@@ -1,38 +1,40 @@ local ucursor = require "luci.model.uci".cursor() local json = require "luci.jsonc" local server_section = arg[1] -local proto = arg[2] +local proto = arg[2] local local_port = arg[3] local server = ucursor:get_all("vssr", server_section) local trojan = { - - run_type = "nat", - local_addr = "0.0.0.0", - local_port = tonumber(local_port), - remote_addr = server.server, - remote_port = tonumber(server.server_port), - -- 传入连接 - password = {server.password}, - -- 传出连接 - ssl = { - verify = true, - verify_hostname = true, - cert = (server.certificate == "1") and server.certpath or "", - cipher = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RSA-AES128-GCM-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-SHA:RSA-AES256-SHA:RSA-3DES-EDE-SHA", - sni = server.tls_host, - alpn = {"h2", "http/1.1"}, - curve = "", - reuse_session = true, - session_ticket = true, - }, - tcp = { - no_delay = true, - keep_alive = true, - reuse_port = true, - fast_open = (server.fast_open == "1") and true or false, - fast_open_qlen = 20 - } + log_level = 3, + run_type = proto, + local_addr = "0.0.0.0", + local_port = tonumber(local_port), + remote_addr = server.server, + remote_port = tonumber(server.server_port), + udp_timeout = 60, + -- 传入连接 + password = {server.password}, + -- 传出连接 + ssl = { + verify = (server.insecure == "0") and true or false, + verify_hostname = (server.tls == "1") and true or false, + cert = "", + cipher = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA", + cipher_tls13 = 
"TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384", + sni = server.tls_host, + alpn = {"h2", "http/1.1"}, + curve = "", + reuse_session = true, + session_ticket = false, + }, + tcp = { + no_delay = true, + keep_alive = true, + reuse_port = true, + fast_open = (server.fast_open == "1") and true or false, + fast_open_qlen = 20 + } } print(json.stringify(trojan, 1))
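Review bot: `verify = (server.insecure == "0") and true or false` turns certificate verification off whenever the `insecure` option is absent from the UCI section, because a nil value does not equal "0"; the previous `verify = true` was unconditional, so this is a silent downgrade for existing configurations that never set the option. Make the opt-out explicit instead: `verify = (server.insecure ~= "1"),`. The same pattern in `verify_hostname = (server.tls == "1") and true or false` leaves hostname checking off when `tls` is unset, and `sni = server.tls_host` may then be nil as well. The new cipher string also appends non-forward-secret and 3DES suites (`AES128-SHA`, `AES256-SHA`, `DES-CBC3-SHA`) after the ECDHE ones; unless a specific remote needs them, trimming those keeps the downgrade surface small.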