shadowsocks-libev: rewrite ss-rules

- New UCI options ifnames, dst_default
- UCI options src_ips_xxx now accept cidr as their values
- Export ipset names as part of the interface so that they can be
  depended on and used by other programs
- Bypass only remote servers used by ss-redir instances, so that it's
  possible to let other servers go through existing ss-redir
  instances

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Yousong Zhou
2017-08-13 16:00:19 +08:00
parent b1cd3a955a
commit df395767d3
4 changed files with 262 additions and 283 deletions


@@ -39,8 +39,9 @@ We can have multiple instances of component and `server` sections. The relation
redir_tcp name of ss_redir section with mode tcp_only or tcp_and_udp
redir_udp name of ss_redir section with mode udp_only or tcp_and_udp
ifnames only apply rules on packets from these ifnames
--- incoming packets having source address in
--- for incoming packets having source address in
src_ips_bypass will bypass the redir chain
src_ips_forward will always go through the redir chain
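Review bot: the new ifnames line ("only apply rules on packets from these ifnames") leaves two things undocumented that matter for anyone relying on the redirect: whether the values are Linux device names or UCI logical interface names, and how more than one is written (a space-separated list, like the other multi-valued options?). Because this option narrows which packets ever reach the redir chain, traffic on an interface that is not listed simply goes out unproxied, so the entry should also state the behaviour when ifnames is empty (rules apply to every interface, presumably) so that an omission is not mistaken for "all interfaces" when it is not.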
@@ -50,10 +51,6 @@ We can have multiple instances of component and `server` sections. The relation
src_default bypass, forward, [checkdst]
--- for local out tcp packets, the default action can be specified with
local_default [bypass], forward, checkdst
--- if the previous check result is checkdst,
--- then packets having destination address in
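Review bot: this hunk reshuffles the "if the previous check result is checkdst, then packets having destination address in" lead-in while moving local_default elsewhere; since src_default's bracketed default is checkdst, that branch is the common path, so please confirm the README still spells out that a src_ips_* miss under checkdst hands the packet to the dst_ips_*/dst_default checks rather than leaving the two option groups unconnected in the text.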
@@ -62,6 +59,18 @@ We can have multiple instances of component and `server` sections. The relation
dst_ips_forward_file
dst_ips_forward will go through the redir chain
--- otherwise, the default action can be specified with
dst_default [bypass], forward
--- for local out tcp packets, the default action can be specified with
local_default [bypass], forward, checkdst
ss-rules uses kernel ipset mechanism for storing addresses/networks. Those ipsets are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin ipset support. For more details please read output of `ss-rules --help`
Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Names are retained for backward compatibility coniderations
## notes and faq
Useful paths and commands for debugging
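Review bot: dst_default is introduced as "[bypass], forward", i.e. a destination that matches neither dst_ips_bypass nor dst_ips_forward leaves the router directly instead of through the redir chain; the option line should say that plainly so readers understand the default is fail-open for unmatched destinations (and that local_default's checkdst path ends at the same dst_default decision), which is the single most consequential setting for anyone using the proxy for reachability or privacy. Minor: in the new paragraph "accepts" should be "accept" and "coniderations" should be "considerations"; also the commit message only mentions src_ips_xxx gaining cidr support while this paragraph claims it for both src_ips_xx and dst_ips_xx, so one of the two should be aligned with the other.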