Shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes.
Signed-off-by: aa65535 <aa65535@live.com>
--- /dev/null
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=shadowsocks-libev
+PKG_VERSION:=2.2.2
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+PKG_SOURCE_VERSION:=4883903e657095b93f88a3a3b9a0dccdffdaa397
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MAINTAINER:=aa65535 <aa65535@live.com>
+
+PKG_LICENSE:=GPLv2
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)-$(PKG_RELEASE)
+
+PKG_INSTALL:=1
+PKG_FIXUP:=autoreconf
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/shadowsocks-libev/Default
+ SECTION:=net
+ CATEGORY:=Network
+ TITLE:=Lightweight Secured Socks5 Proxy $(2)
+ URL:=https://github.com/shadowsocks/shadowsocks-libev
+ VARIANT:=$(1)
+ DEPENDS:=$(3) +resolveip +ipset +ip +iptables-mod-tproxy
+endef
+
+Package/shadowsocks-libev = $(call Package/shadowsocks-libev/Default,openssl,(OpenSSL),+libopenssl)
+Package/shadowsocks-libev-polarssl = $(call Package/shadowsocks-libev/Default,polarssl,(PolarSSL),+libpolarssl)
+
+define Package/shadowsocks-libev/description
+Shadowsocks-libev is a lightweight secured scoks5 proxy for embedded devices and low end boxes.
+endef
+
+Package/shadowsocks-libev-polarssl/description = $(Package/shadowsocks-libev/description)
+
+define Package/shadowsocks-libev/conffiles
+/etc/config/shadowsocks-libev
+endef
+
+Package/shadowsocks-libev-polarssl/conffiles = $(Package/shadowsocks-libev/conffiles)
+
+define Package/shadowsocks-libev/postinst
+#!/bin/sh
+uci -q batch <<-EOF >/dev/null
+ delete firewall.shadowsocks_libev
+ set firewall.shadowsocks_libev=include
+ set firewall.shadowsocks_libev.type=script
+ set firewall.shadowsocks_libev.path=/usr/share/shadowsocks-libev/firewall.include
+ set firewall.shadowsocks_libev.reload=1
+ commit firewall
+EOF
+exit 0
+endef
+
+Package/shadowsocks-libev-polarssl/postinst = $(Package/shadowsocks-libev/postinst)
+
+ifeq ($(BUILD_VARIANT),polarssl)
+ CONFIGURE_ARGS += --with-crypto-library=polarssl
+endif
+
+define Package/shadowsocks-libev/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin
+ $(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev
+ $(INSTALL_DIR) $(1)/usr/share/shadowsocks-libev
+ $(INSTALL_DATA) ./files/firewall.include $(1)/usr/share/shadowsocks-libev/firewall.include
+endef
+
+Package/shadowsocks-libev-polarssl/install = $(Package/shadowsocks-libev/install)
+
+$(eval $(call BuildPackage,shadowsocks-libev))
+$(eval $(call BuildPackage,shadowsocks-libev-polarssl))
--- /dev/null
+#!/bin/sh
+
+if pidof ss-redir>/dev/null; then
+ /etc/init.d/shadowsocks-libev rules
+ logger -t ShadowSocks-libev "Reloading ShadowSocks-libev due to restart of firewall"
+fi
--- /dev/null
+
+config shadowsocks-libev
+ option enable '1'
+ option server '127.0.0.1'
+ option server_port '8388'
+ option local_port '1080'
+ option password 'barfoo!'
+ option timeout '60'
+ option encrypt_method 'rc4-md5'
+ option ignore_list '/dev/null'
+ option udp_relay '0'
+ option tunnel_enable '1'
+ option tunnel_port '5300'
+ option tunnel_forward '8.8.4.4:53'
+ option lan_ac_mode '0'
--- /dev/null
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=15
+
+SERVICE_USE_PID=1
+SERVICE_WRITE_PID=1
+SERVICE_DAEMONIZE=1
+EXTRA_COMMANDS="rules"
+CONFIG_FILE=/var/etc/shadowsocks-libev.json
+
+get_config() {
+ config_get_bool enable $1 enable
+ config_get server $1 server
+ config_get server_port $1 server_port
+ config_get local_port $1 local_port
+ config_get password $1 password
+ config_get timeout $1 timeout
+ config_get encrypt_method $1 encrypt_method
+ config_get ignore_list $1 ignore_list
+ config_get udp_relay $1 udp_relay
+ config_get_bool tunnel_enable $1 tunnel_enable
+ config_get tunnel_port $1 tunnel_port
+ config_get tunnel_forward $1 tunnel_forward
+ config_get lan_ac_mode $1 lan_ac_mode
+ config_get lan_ac_ip $1 lan_ac_ip
+ config_get wan_bp_ip $1 wan_bp_ip
+ config_get wan_fw_ip $1 wan_fw_ip
+ config_get ipt_ext $1 ipt_ext
+ : ${tunnel_port:=5300}
+ : ${tunnel_forward:=8.8.4.4:53}
+}
+
+start_rules() {
+ local ac_args
+
+ if [ -n "$lan_ac_ip" ]; then
+ case $lan_ac_mode in
+ 1) ac_args="w$lan_ac_ip"
+ ;;
+ 2) ac_args="b$lan_ac_ip"
+ ;;
+ esac
+ fi
+ /usr/bin/ss-rules \
+ -s "$server" \
+ -l "$local_port" \
+ -i "$ignore_list" \
+ -a "$ac_args" \
+ -b "$wan_bp_ip" \
+ -w "$wan_fw_ip" \
+ -e "$ipt_ext" \
+ -o $udp
+ return $?
+}
+
+start_redir() {
+ service_start /usr/bin/ss-redir \
+ -c "$CONFIG_FILE" $udp
+ return $?
+}
+
+start_tunnel() {
+ service_start /usr/bin/ss-tunnel \
+ -c "$CONFIG_FILE" \
+ -l "$tunnel_port" \
+ -L "$tunnel_forward" \
+ -u
+ return $?
+}
+
+rules() {
+ config_load shadowsocks-libev
+ config_foreach get_config shadowsocks-libev
+ [ "$enable" = 1 ] || exit 0
+ [ "$udp_relay" = 1 ] && udp="-u"
+ mkdir -p $(dirname $CONFIG_FILE)
+
+ : ${server:?}
+ : ${server_port:?}
+ : ${local_port:?}
+ : ${password:?}
+ : ${encrypt_method:?}
+ cat <<-EOF >$CONFIG_FILE
+ {
+ "server": "$server",
+ "server_port": $server_port,
+ "local_address": "0.0.0.0",
+ "local_port": $local_port,
+ "password": "$password",
+ "timeout": $timeout,
+ "method": "$encrypt_method"
+ }
+EOF
+ start_rules
+}
+
+boot() {
+ until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
+ sleep 1
+ done
+ start
+}
+
+start() {
+ rules && start_redir
+ [ "$tunnel_enable" = 1 ] && start_tunnel
+}
+
+stop() {
+ /usr/bin/ss-rules -f
+ service_stop /usr/bin/ss-redir
+ service_stop /usr/bin/ss-tunnel
+ rm -f $CONFIG_FILE
+}
--- /dev/null
+#!/bin/sh
+
+usage() {
+ cat <<-EOF
+ Usage: ss-rules [options]
+
+ Valid options are:
+
+ -s <server_host> hostname or ip of shadowsocks remote server
+ -l <local_port> port number of shadowsocks local server
+ -i <ip_list_file> a file content is bypassed ip list
+ -a <lan_ips> lan ip of access control, need a prefix to
+ define access control mode
+ -b <wan_ips> wan ip of will be bypassed
+ -w <wan_ips> wan ip of will be forwarded
+ -e <extra_options> extra options for iptables
+ -o apply the rules to the OUTPUT chain
+ -u enable udprelay mode, TPROXY is required
+ -f flush the rules
+EOF
+}
+
+loger() {
+ # 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
+ logger -st ss-rules[$$] -p$1 $2
+}
+
+ipt_n="iptables -t nat"
+ipt_m="iptables -t mangle"
+
+flush_r() {
+ local IPT
+
+ IPT=$(iptables-save -t nat)
+ eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+ sed -e 's/^-A/$ipt_n -D/' -e 's/$/;/')
+
+ for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+ $ipt_n -F ${chain:1} 2>/dev/null && $ipt_n -X ${chain:1}
+ done
+
+ IPT=$(iptables-save -t mangle)
+ eval $(echo "$IPT" | grep "_SS_SPEC_RULE_" | \
+ sed -e 's/^-A/$ipt_m -D/' -e 's/$/;/')
+
+ for chain in $(echo "$IPT" | awk '/^:SS_SPEC/{print $1}'); do
+ $ipt_m -F ${chain:1} 2>/dev/null && $ipt_m -X ${chain:1}
+ done
+
+ ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
+ ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
+ ipset -X ss_spec_lan_ac 2>/dev/null
+ ipset -X ss_spec_wan_ac 2>/dev/null
+ return 0
+}
+
+ipset_r() {
+ ipset -! -R <<-EOF || return 1
+ create ss_spec_wan_ac hash:net
+ $(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
+ $(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
+EOF
+ $ipt_n -N SS_SPEC_WAN_AC && \
+ $ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \
+ $ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
+ return $?
+}
+
+fw_rule() {
+ $ipt_n -N SS_SPEC_WAN_FW && \
+ $ipt_n -A SS_SPEC_WAN_FW -p tcp \
+ -j REDIRECT --to-ports $LOCAL_PORT 2>/dev/null || {
+ loger 3 "Can't redirect, please check the iptables."
+ exit 1
+ }
+ return $?
+}
+
+ac_rule() {
+ local TAG ROUTECHAIN
+
+ if [ -n "$LAN_AC_IP" ]; then
+ if [ "${LAN_AC_IP:0:1}" = "w" ]; then
+ TAG="nomatch"
+ else
+ if [ "${LAN_AC_IP:0:1}" != "b" ]; then
+ loger 3 "Bad argument \`-a $LAN_AC_IP\`."
+ return 2
+ fi
+ fi
+ fi
+
+ ROUTECHAIN=PREROUTING
+ if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then
+ ROUTECHAIN=zone_lan_prerouting
+ fi
+
+ ipset -! -R <<-EOF || return 1
+ create ss_spec_lan_ac hash:net
+ $(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
+EOF
+ $ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \
+ -m set ! --match-set ss_spec_lan_ac src \
+ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+
+ if [ "$OUTPUT" = 1 ]; then
+ $ipt_n -A OUTPUT -p tcp $EXT_ARGS \
+ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC
+ fi
+ return $?
+}
+
+tp_rule() {
+ [ "$TPROXY" = 1 ] || return 0
+ ip rule add fwmark 0x01/0x01 table 100
+ ip route add local 0.0.0.0/0 dev lo table 100
+ $ipt_m -N SS_SPEC_TPROXY
+ $ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \
+ -j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
+ $ipt_m -A PREROUTING -p udp $EXT_ARGS \
+ -m set ! --match-set ss_spec_lan_ac src \
+ -m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
+ return $?
+}
+
+while getopts ":s:l:c:i:e:a:b:w:ouf" arg; do
+ case $arg in
+ s)
+ SERVER=$OPTARG
+ ;;
+ l)
+ LOCAL_PORT=$OPTARG
+ ;;
+ i)
+ IGNORE=$OPTARG
+ ;;
+ e)
+ EXT_ARGS=$OPTARG
+ ;;
+ a)
+ LAN_AC_IP=$OPTARG
+ ;;
+ b)
+ WAN_BP_IP=$(for ip in $OPTARG; do echo $ip; done)
+ ;;
+ w)
+ WAN_FW_IP=$OPTARG
+ ;;
+ o)
+ OUTPUT=1
+ ;;
+ u)
+ TPROXY=1
+ ;;
+ f)
+ flush_r
+ exit 0
+ ;;
+ esac
+done
+
+if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
+ usage
+ exit 2
+fi
+
+SERVER=$(resolveip -t60 $SERVER)
+
+if [ -z "$SERVER" ]; then
+ loger 3 "Can't resolve the server hostname."
+ exit 1
+fi
+
+if [ -f "$IGNORE" ]; then
+ IGNORE_IP=$(cat $IGNORE 2>/dev/null)
+fi
+
+IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
+ $SERVER
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255
+ $WAN_BP_IP
+ $IGNORE_IP
+EOF
+)
+
+flush_r && fw_rule && ipset_r && ac_rule && tp_rule
+
+exit $?
projects / feed / packages.git / commitdiff