From bbd057e23f7ebb0c2522dd034a0c6693aea4c93d Mon Sep 17 00:00:00 2001
From: LEAN-ESX
Date: Wed, 16 Oct 2019 22:07:24 -0700
Subject: [PATCH] shadowsocks-libev: bump to 3.3.1
---
 net/shadowsocks-libev/Makefile | 25 ++--
 net/shadowsocks-libev/README.md | 90 +++++++++++-
 .../files/shadowsocks-libev.init | 131 ++++++++----------
 net/shadowsocks-libev/files/ss-rules | 102 +++++++++-----
 4 files changed, 226 insertions(+), 122 deletions(-)
diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
index 1fb154cb..b8307557 100644
--- a/net/shadowsocks-libev/Makefile
+++ b/net/shadowsocks-libev/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2017-2018 Yousong Zhou
+# Copyright (C) 2017-2019 Yousong Zhou
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -13,24 +13,23 @@ include $(TOPDIR)/rules.mk
 # - check if default mode has changed from being tcp_only
 #
 PKG_NAME:=shadowsocks-libev
-PKG_VERSION:=3.2.1
-PKG_RELEASE:=1
+PKG_VERSION:=3.3.1
+PKG_RELEASE:=3
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=92cab3503c94b36234872f66926de0070a9cdcd0
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
+PKG_HASH:=afd25ae5e737be385fa53364c66095c354277e98cf141b54beb2be93d9228f4f
 PKG_MAINTAINER:=Yousong Zhou
-PKG_LICENSE:=GPL-3.0+
+PKG_LICENSE:=GPL-3.0-or-later
 PKG_LICENSE_FILES:=LICENSE
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
+PKG_BUILD_DEPENDS:=c-ares pcre
 include $(INCLUDE_DIR)/package.mk
@@ -58,7 +57,7 @@ define Package/shadowsocks-libev/Default
 SUBMENU:=Web Servers/Proxies
 TITLE:=shadowsocks-libev $(1)
 URL:=https://github.com/shadowsocks/shadowsocks-libev
- DEPENDS:=+libcares +libev +libmbedtls +libpcre +libpthread +libsodium +shadowsocks-libev-config +zlib
+ DEPENDS:=+libev +libmbedtls +libpthread +libsodium +shadowsocks-libev-config $(DEPENDS_$(1))
 endef
 define Package/shadowsocks-libev-$(1)/install
@@ -68,6 +67,9 @@ define Package/shadowsocks-libev/Default
 endef
+DEPENDS_ss-local = +libpcre
+DEPENDS_ss-server = +libcares +libpcre
+
 SHADOWSOCKS_COMPONENTS:=ss-local ss-redir ss-tunnel ss-server
 define shadowsocks-libev/templates
 $(foreach component,$(SHADOWSOCKS_COMPONENTS),
@@ -120,6 +122,9 @@ CONFIGURE_ARGS += \
 --disable-assert \
 --disable-ssp \
+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
+
 $(eval $(call BuildPackage,shadowsocks-libev-config))
 $(eval $(call BuildPackage,shadowsocks-libev-ss-rules))
 $(foreach component,$(SHADOWSOCKS_COMPONENTS), \
diff --git a/net/shadowsocks-libev/README.md b/net/shadowsocks-libev/README.md
index d2800924..8ac08713 100644
--- a/net/shadowsocks-libev/README.md
+++ b/net/shadowsocks-libev/README.md
@@ -1,4 +1,6 @@
-## components
+Skip to [recipes](#recipes) for quick setup instructions
+
+# components
 `ss-local` provides SOCKS5 proxy with UDP associate support.
@@ -20,7 +22,7 @@
 `ss-server`, the "ss server" in the above diagram
-## uci
+# uci
 Option names are the same as those used in json config files. Check `validate_xxx` func definition of the [service script](files/shadowsocks-libev.init) and shadowsocks-libev's own documentation for supported options and expected value types. A [sample config file](files/shadowsocks-libev.config) is also provided for reference.
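Review bot: `DEPENDS_ss-local = +libpcre` and `DEPENDS_ss-server = +libcares +libpcre` use recursive `=` while every other assignment in this Makefile uses `:=`; `$(DEPENDS_$(1))` is expanded when the template is evaluated, so `DEPENDS_ss-local := +libpcre` is both consistent and predictable. The split also deserves a one-line comment, e.g. `# per-component runtime deps; ss-redir and ss-tunnel get none beyond the common list`, since `$(DEPENDS_$(1))` expanding to nothing for two of the four components is intentional but not obvious from the template. In the last hunk, `-Wl,--gc-sections` only reclaims much when objects are built with `-ffunction-sections -fdata-sections` or LTO-partitioned code, so a short comment on why the pair is added together with `-flto` would help the next maintainer judge whether to keep it.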
@@ -30,6 +32,8 @@ Section type `server` is for definition of remote shadowsocks servers. They wil Section type `ss_local`, `ss_redir`, `ss_tunnel` are for specification of shadowsocks-libev components. They share mostly a common set of options like `local_port`, `verbose`, `fast_open`, `timeout`, etc. +Plugin options should be specified in `server` section and will be inherited by other compoenents referring to it. + We can have multiple instances of component and `server` sections. The relationship between them is many-to-one. This will have the following implications - It's possible to have both `ss_local` and `ss_redir` referring to the same `server` definition @@ -73,7 +77,14 @@ ss-rules uses kernel ipset mechanism for storing addresses/networks. Those ipse Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Option names are retained in its current form for backward compatibility coniderations -## notes and faq +# incompatible changes + +| Commit date | Commit ID | Subject | Comment | +| ----------- | --------- | ------- | ------- | +| 2019-05-09 | afe7d3424 | shadowsocks-libev: move plugin options to server section | This is a revision against c19e949 committed 2019-05-06 | +| 2017-07-02 | b61af9703 | shadowsocks-libev: rewrite | Packaging of shadowsocks-libev was rewritten from scratch | + +# notes and faq Useful paths and commands for debugging 
@@ -95,3 +106,76 @@ Useful paths and commands for debugging ss-redir needs to open a new socket and setsockopt IP_TRANSPARENT when sending udp reply to client. This requires `CAP_NET_ADMIN` and as such the process cannot run as `nobody` ss-local, ss-redir, etc. supports specifying an array of remote ss server, but supporting this in uci seems to be overkill. The workaround can be defining multiple `server` sections and multiple `ss-redir` instances with `reuse_port` enabled + +# recipes + +## forward all + +This will setup firewall rules to forward almost all incoming tcp/udp and locally generated tcp traffic (excluding those to private addresses like 192.168.0.0/16 etc.) through remote shadowsocks server + +Install components. +Retry each command till it succeed + + opkg install shadowsocks-libev-ss-redir + opkg install shadowsocks-libev-ss-rules + opkg install shadowsocks-libev-ss-tunnel + +Edit uci config `/etc/config/shadowsocks-libev`. +Replace `config server 'sss0'` section with parameters of your own remote shadowsocks server. +As for other options, change them only when you know the effect. 
+ + config server 'sss0' + option disabled 0 + option server '_sss_addr_' + option server_port '_sss_port_' + option password '********' + option method 'aes-256-cfb' + + config ss_tunnel + option disabled 0 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '8053' + option tunnel_address '8.8.8.8:53' + option mode 'tcp_and_udp' + + config ss_redir ssr0 + option disabled 0 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '1100' + option mode 'tcp_and_udp' + option reuse_port 1 + + config ss_rules 'ss_rules' + option disabled 0 + option redir_tcp 'ssr0' + option redir_udp 'ssr0' + option src_default 'checkdst' + option dst_default 'forward' + option local_default 'forward' + +Restart shadowsocks-libev components + + /etc/init.d/shadowsocks-libev restart + +Check if things are in place + + iptables-save | grep ss_rules + netstat -lntp | grep -E '8053|1100' + ps ww | grep ss- + +Edit `/etc/config/dhcp`, add a line to the first dnsmasq section like the following to let it use local tunnel endpoint for upstream dns query + + config dnsmasq + ... + list server '127.0.0.1#8053' + +Restart dnsmasq + + /etc/init.d/dnsmasq restart + +Check network on your computer + + nslookup www.google.com + curl -vv https://www.google.com diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init index 22d825d0..79ec2e8b 100644 --- a/net/shadowsocks-libev/files/shadowsocks-libev.init +++ b/net/shadowsocks-libev/files/shadowsocks-libev.init @@ -1,6 +1,6 @@ #!/bin/sh /etc/rc.common # -# Copyright (C) 2017 Yousong Zhou +# Copyright (C) 2017-2019 Yousong Zhou # # This is free software, licensed under the GNU General Public License v3. # See /LICENSE for more information. 
@@ -11,26 +11,6 @@ START=99
 ss_confdir=/var/etc/shadowsocks-libev
 ss_bindir=/usr/bin
-q='"'
-
-ss_mkjson() {
- echo "{" >"$confjson"
- if ss_mkjson_ "$@" >>$confjson; then
- sed -i -e '/^\s*$/d' -e '2,$s/^/\t/' -e '$s/,$//' "$confjson"
- echo "}" >>"$confjson"
- else
- rm -f "$confjson"
- return 1
- fi
-}
-
-ss_mkjson_() {
- local func
-
- for func in "$@"; do
- "$func" || return 1
- done
-}
 ss_mkjson_server_conf() {
 local cfgserver
@@ -45,32 +25,13 @@ ss_mkjson_server_conf() {
 ss_mkjson_server_conf_() {
 [ -n "$server_port" ] || return 1
- password="${password//\"/\\\"}"
- cat <<-EOF
- ${server:+${q}server${q}: ${q}$server${q},}
- "server_port": $server_port,
- ${method:+${q}method${q}: ${q}$method${q},}
- ${key:+${q}key${q}: ${q}$key${q},}
- ${password:+${q}password${q}: ${q}$password${q},}
- EOF
-}
-
-ss_mkjson_common_conf() {
- [ "$ipv6_first" = 0 ] && ipv6_first=false || ipv6_first=true
- [ "$fast_open" = 0 ] && fast_open=false || fast_open=true
- [ "$reuse_port" = 0 ] && reuse_port=false || reuse_port=true
- cat <<-EOF
- "use_syslog": true,
- "ipv6_first": $ipv6_first,
- "fast_open": $fast_open,
- "reuse_port": $reuse_port,
- ${local_address:+${q}local_address${q}: ${q}$local_address${q},}
- ${local_port:+${q}local_port${q}: $local_port,}
- ${mode:+${q}mode${q}: ${q}$mode${q},}
- ${mtu:+${q}mtu${q}: $mtu,}
- ${timeout:+${q}timeout${q}: $timeout,}
- ${user:+${q}user${q}: ${q}$user${q},}
- EOF
+ [ -z "$server" ] || json_add_string server "$server"
+ json_add_int server_port "$server_port"
+ [ -z "$method" ] || json_add_string method "$method"
+ [ -z "$key" ] || json_add_string key "$key"
+ [ -z "$password" ] || json_add_string password "$password"
+ [ -z "$plugin" ] || json_add_string plugin "$plugin"
+ [ -z "$plugin_opts" ] || json_add_string plugin_opts "$plugin_opts"
 }
 ss_mkjson_ss_local_conf() {
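Review bot: The rewritten `ss_mkjson_server_conf_` depends on `json_add_string`/`json_add_int` from jshn.sh, yet nothing in these hunks sources it; it presumably works because `/lib/functions/procd.sh`, which rc.common loads for procd-style services, sources `/usr/share/libubox/jshn.sh`, and that is outside the hunk. A comment such as `# json_* helpers come from jshn.sh (sourced via procd.sh)` near the top of the file would save the next reader a search. Replacing the heredoc writer and its ad-hoc `password="${password//\"/\\\"}"` escaping with jshn is a genuine hardening of the config generator: values containing quotes, backslashes or newlines can no longer alter the JSON structure, and `key`/`password` are now encoded uniformly, which is worth stating in the commit message or a comment so the old approach is not reintroduced.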
@@ -88,9 +49,7 @@ ss_mkjson_ss_server_conf() {
 ss_mkjson_ss_tunnel_conf() {
 ss_mkjson_server_conf || return 1
 [ -n "$tunnel_address" ] || return 1
- cat <<-EOF
- ${tunnel_address:+${q}tunnel_address${q}: ${q}$tunnel_address${q},}
- EOF
+ json_add_string tunnel_address "$tunnel_address"
 }
 ss_xxx() {
@@ -101,23 +60,32 @@ ss_xxx() {
 [ -x "$bin" ] || return
 eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)"
- "validate_${cfgtype}_section" "$cfg" || return 1
+ "validate_${cfgtype}_section" "$cfg" || return
 [ "$disabled" = 0 ] || return
- if ss_mkjson \
- ss_mkjson_common_conf \
- ss_mkjson_${cfgtype}_conf \
- ; then
- procd_open_instance "$cfgtype.$cfg"
- procd_set_param command "$bin" -c "$confjson"
- [ "$verbose" = 0 ] || procd_append_param command -v
- [ "$no_delay" = 0 ] || procd_append_param command --no-delay
- [ -z "$bind_address" ] || procd_append_param command -b "$bind_address"
- procd_set_param file "$confjson"
- procd_set_param respawn
- procd_close_instance
- ss_rules_cb
- fi
+ json_init
+ ss_mkjson_${cfgtype}_conf || return
+ json_add_boolean use_syslog 1
+ json_add_boolean ipv6_first "$ipv6_first"
+ json_add_boolean fast_open "$fast_open"
+ json_add_boolean reuse_port "$reuse_port"
+ json_add_boolean no_delay "$no_delay"
+ [ -z "$local_address" ] || json_add_string local_address "$local_address"
+ [ -z "$local_port" ] || json_add_int local_port "$local_port"
+ [ -z "$mode" ] || json_add_string mode "$mode"
+ [ -z "$mtu" ] || json_add_int mtu "$mtu"
+ [ -z "$timeout" ] || json_add_int timeout "$timeout"
+ [ -z "$user" ] || json_add_string user "$user"
+ json_dump -i >"$confjson"
+
+ procd_open_instance "$cfgtype.$cfg"
+ procd_set_param command "$bin" -c "$confjson"
+ [ "$verbose" = 0 ] || procd_append_param command -v
+ [ -z "$bind_address" ] || procd_append_param command -b "$bind_address"
+ procd_set_param file "$confjson"
+ procd_set_param respawn
+ procd_close_instance
+ ss_rules_cb
 }
 ss_rules_cb() {
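Review bot: `json_dump -i >"$confjson"` writes `password`/`key` (and now `plugin_opts`) into a file under `$ss_confdir` with whatever umask the init script inherits; the removed `echo "{" >"$confjson"` writer had the same exposure, but this rewrite is the natural place to close it, since procd starts the daemon as root and the `user` JSON key suggests the daemon drops privileges itself after reading its config. `umask 077` before the `json_dump` line, or `chmod 600 "$confjson"` right after it, keeps the secret from other local accounts (directory creation is outside the hunk, so check it too). `json_add_boolean ipv6_first "$ipv6_first"` and the three lines after it assume the `bool` validator has already normalised the value to 0/1; the removed code treated anything other than `0` as true, so if `validate_data` passes `on`/`true` through unchanged these keys silently change meaning — worth confirming. `no_delay` also moves from the `--no-delay` command-line flag to the JSON file, a behaviour change relative to the dropped `procd_append_param` line that merits a one-line comment.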
@@ -144,12 +112,15 @@ ss_rules() {
 local args
 [ -x "$bin" ] || return 1
+ "$bin" -f
+ "$bin" -6 -f
+
 config_get cfgtype "$cfg" TYPE
 [ "$cfgtype" = ss_rules ] || return 1
 eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
 validate_ss_rules_section "$cfg" || return 1
- [ "$disabled" = 0 ] || return 1
+ [ "$disabled" = 0 ] || return 0
 eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
 eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
@@ -157,7 +128,12 @@ ss_rules() {
 ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
 [ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
- "$bin" \
+ ss_rules_call
+ ss_rules_call -6
+}
+
+ss_rules_call() {
+ "$bin" "$@" \
 -s "$ss_redir_servers" \
 -l "$local_port_tcp" \
 -L "$local_port_udp" \
@@ -174,7 +150,7 @@ ss_rules() {
 --ifnames "$ifnames" \
 --ipt-extra "$ipt_args" \
 $args \
- || "$bin" -f
+ || "$bin" "$@" -f
 }
 start_service() {
@@ -191,7 +167,10 @@ start_service() {
 stop_service() {
 local bin="$ss_bindir/ss-rules"
- [ -x "$bin" ] && "$bin" -f
+ [ -x "$bin" ] && {
+ "$bin" -f
+ "$bin" -6 -f
+ }
 rm -rf "$ss_confdir"
 }
@@ -235,7 +214,9 @@ validate_common_server_options_() {
 'server_port:port' \
 'password:string' \
 'key:string' \
- "method:or($stream_methods, $aead_methods)"
+ "method:or($stream_methods, $aead_methods)" \
+ 'plugin:string' \
+ 'plugin_opts:string'
 }
 validate_common_client_options_() {
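Review bot: The new `ss_rules_call` reads `bin`, `ss_redir_servers`, `local_port_tcp`, `args` and the other values as dynamically scoped locals of `ss_rules()`; ash allows it, but nothing at the definition says so, and a comment like `# helper for ss_rules(); relies on its locals ($bin, $args, ...) via dynamic scope` would prevent someone calling it standalone. The unconditional `"$bin" -6 -f` added here and in `stop_service` combines badly with the ss-rules hunk, where `-6` prints `Skipping ipv6. Requires ip6tables-mod-nat` and exits 1 whenever the IPv6 NAT table is absent: on such a router every start/stop logs that message, and `ss_rules_call -6` logs it twice more (once from the call, once from its `|| "$bin" "$@" -f` fallback). Probing IPv6 NAT support once in the init script, or letting `-6 -f` exit quietly, avoids the noise. The `plugin:string`/`plugin_opts:string` validators in the last hunk accept any text, which is acceptable for a root-owned uci file, but as far as I can tell the daemon executes whatever `plugin` names, so a comment marking these as trusted configuration rather than validated input would be useful.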
@@ -280,13 +261,13 @@ validate_ss_rules_section() {
 'disabled:bool:0' \
 'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \
 'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \
- 'src_ips_bypass:or(ip4addr,cidr4)' \
- 'src_ips_forward:or(ip4addr,cidr4)' \
- 'src_ips_checkdst:or(ip4addr,cidr4)' \
+ 'src_ips_bypass:or(ipaddr,cidr)' \
+ 'src_ips_forward:or(ipaddr,cidr)' \
+ 'src_ips_checkdst:or(ipaddr,cidr)' \
 'dst_ips_bypass_file:file' \
- 'dst_ips_bypass:or(ip4addr,cidr4)' \
+ 'dst_ips_bypass:or(ipaddr,cidr)' \
 'dst_ips_forward_file:file' \
- 'dst_ips_forward:or(ip4addr,cidr4)' \
+ 'dst_ips_forward:or(ipaddr,cidr)' \
 'src_default:or("bypass", "forward", "checkdst"):checkdst' \
 'dst_default:or("bypass", "forward"):bypass' \
 'local_default:or("bypass", "forward", "checkdst"):bypass' \
diff --git a/net/shadowsocks-libev/files/ss-rules b/net/shadowsocks-libev/files/ss-rules
index b0a30606..2016667f 100755
--- a/net/shadowsocks-libev/files/ss-rules
+++ b/net/shadowsocks-libev/files/ss-rules
@@ -8,10 +8,24 @@
 # See /LICENSE for more information.
 #
+__errmsg() {
+ echo "ss-rules: $*" >&2
+}
+
+if [ "$1" = "-6" ]; then
+ if ! ip6tables -t nat -L -n &>/dev/null; then
+ __errmsg "Skipping ipv6. Requires ip6tables-mod-nat"
+ exit 1
+ fi
+ o_use_ipv6=1; shift
+fi
+
 ss_rules_usage() {
 cat >&2 < Local port number of ss-redir with TCP mode
@@ -50,7 +64,7 @@ populated by other programs like dnsmasq with ipset support
 EOF
 }
-o_dst_bypass_="
+o_dst_bypass4_="
 0.0.0.0/8
 10.0.0.0/8
 100.64.0.0/10
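Review bot: `ip6tables -t nat -L -n &>/dev/null` in the new `-6` guard uses the bash-only `&>` redirection; a POSIX `sh` without bash compatibility parses it as `ip6tables -t nat -L -n &` followed by `>/dev/null`, backgrounding the probe so `!` tests the launch status and the guard always passes, leaving the error output unsuppressed. BusyBox ash accepts `&>` only when built with bash compatibility, so the script should not rely on it: `if ! ip6tables -t nat -L -n >/dev/null 2>&1; then`. Because this block runs before `ss_rules_usage` is defined, `ss-rules -6 --help` on a router without IPv6 NAT exits with the NAT message instead of the usage text; that may be intended, but a comment on the `if [ "$1" = "-6" ]` line saying `-6` must be the first argument would make the contract explicit.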
@@ -71,13 +85,33 @@ o_dst_bypass_="
 240.0.0.0/4
 255.255.255.255
 "
+o_dst_bypass6_="
+ ::1/128
+ ::/128
+ ::ffff:0:0/96
+ 64:ff9b:1::/48
+ 100::/64
+ 2001:2::/48
+ 2001:db8::/32
+ fe80::/10
+ 2001::/23
+ fc00::/7
+"
 o_src_default=bypass
 o_dst_default=bypass
 o_local_default=bypass
-__errmsg() {
- echo "ss-rules: $*" >&2
-}
+alias grep_af="sed -ne '/:/!p'"
+o_dst_bypass_="$o_dst_bypass4_"
+if [ -n "$o_use_ipv6" ]; then
+ alias grep_af="sed -ne /:/p"
+ alias iptables=ip6tables
+ alias iptables-save=ip6tables-save
+ alias iptables-restore=ip6tables-restore
+ alias ip="ip -6"
+ o_af=6
+ o_dst_bypass_="$o_dst_bypass6_"
+fi
 ss_rules_parse_args() {
 while [ "$#" -gt 0 ]; do
@@ -109,10 +143,10 @@ ss_rules_parse_args() {
 return 1
 fi
 if [ -n "$o_dst_forward_recentrst" ] && ! iptables -m recent -h >/dev/null; then
- __errmsg "Please install iptables-mod-conntrack-extra with opkg"
+ __errmsg "Please install iptables-mod-conntrack-extra"
 return 1
 fi
- o_remote_servers="$(for s in $o_remote_servers; do resolveip -4 "$s"; done)"
+ o_remote_servers="$(for s in $o_remote_servers; do resolveip "$s" | grep_af; done)"
 }
 ss_rules_flush() {
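Review bot: `o_dst_bypass6_` has no multicast entry, although the IPv4 list it mirrors bypasses `224.0.0.0/4`; without `ff00::/8` in the list, link-local multicast such as mDNS to `ff02::/16` that reaches the nat hooks can be matched by the forward rules instead of being left alone. Adding ` ff00::/8` alongside `fe80::/10` keeps the two families consistent. The `alias` block also deserves a comment: aliases are substituted at parse time, so `alias iptables=ip6tables` only affects functions defined below this point (`ss_rules_usage` above is unaffected, which is harmless), and the whole mechanism assumes a shell that expands aliases in non-interactive scripts — ash does, bash does not without `shopt -s expand_aliases`. Something like `# aliases below switch the rest of this file to the v6 tools; must precede the function definitions` would capture both constraints.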
@@ -121,26 +155,26 @@ ss_rules_flush() {
 iptables-save --counters | grep -v ss_rules_ | iptables-restore --counters
 while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
 ip route flush table 100
- for setname in $(ipset -n list | grep "ss_rules_"); do
+ for setname in $(ipset -n list | grep "ss_rules${o_af}_"); do
 ipset destroy "$setname" 2>/dev/null || true
 done
 }
 ss_rules_ipset_init() {
 ipset --exist restore <<-EOF
- create ss_rules_src_bypass hash:net hashsize 64
- create ss_rules_src_forward hash:net hashsize 64
- create ss_rules_src_checkdst hash:net hashsize 64
- create ss_rules_dst_bypass hash:net hashsize 64
- create ss_rules_dst_bypass_ hash:net hashsize 64
- create ss_rules_dst_forward hash:net hashsize 64
- create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
- $(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
- $(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
- $(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
- $(ss_rules_ipset_mkadd ss_rules_src_checkdst "$o_src_checkdst")
- $(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)")
- $(ss_rules_ipset_mkadd ss_rules_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)")
+ create ss_rules${o_af}_src_bypass hash:net family inet$o_af hashsize 64
+ create ss_rules${o_af}_src_forward hash:net family inet$o_af hashsize 64
+ create ss_rules${o_af}_src_checkdst hash:net family inet$o_af hashsize 64
+ create ss_rules${o_af}_dst_bypass hash:net family inet$o_af hashsize 64
+ create ss_rules${o_af}_dst_bypass_ hash:net family inet$o_af hashsize 64
+ create ss_rules${o_af}_dst_forward hash:net family inet$o_af hashsize 64
+ create ss_rules${o_af}_dst_forward_rrst_ hash:ip family inet$o_af hashsize 8 timeout 3600
+ $(ss_rules_ipset_mkadd ss_rules${o_af}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+ $(ss_rules_ipset_mkadd ss_rules${o_af}_src_bypass "$o_src_bypass")
+ $(ss_rules_ipset_mkadd ss_rules${o_af}_src_forward "$o_src_forward")
+ $(ss_rules_ipset_mkadd ss_rules${o_af}_src_checkdst "$o_src_checkdst")
+ $(ss_rules_ipset_mkadd ss_rules${o_af}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)")
+ $(ss_rules_ipset_mkadd ss_rules${o_af}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)")
 EOF
 }
@@ -150,7 +184,7 @@ ss_rules_ipset_mkadd() {
 for i in $*; do
 echo "add $setname $i"
- done
+ done | grep_af
 }
 ss_rules_iptchains_init() {
@@ -175,8 +209,8 @@ ss_rules_iptchains_init_tcp() {
 *nat
 :ss_rules_local_out -
 -I OUTPUT 1 -p tcp -j ss_rules_local_out
- -A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
- -A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+ -A ss_rules_local_out -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN
+ -A ss_rules_local_out $o_ipt_extra -j $local_target
 COMMIT
 EOF
 }
@@ -203,8 +237,8 @@ ss_rules_iptchains_init_() {
 COMMIT
 "
 recentrst_addset_rules="
- -A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
- -A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward
+ -A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules${o_af}_dst_forward_rrst_ dst --exist
+ -A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward_rrst_ dst -j ss_rules_forward
 "
 fi
 ;;
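Review bot: The rename from `ss_rules_dst_forward_recentrst_` to `ss_rules${o_af}_dst_forward_rrst_` looks motivated by ipset's 31-character limit on set names (`ss_rules6_dst_forward_recentrst_` would be 32), but nothing in the hunks says so; a comment on the `create ... _rrst_` line in the ipset hunk, e.g. `# _rrst_ rather than _recentrst_: the IPv6 name must fit ipset's 31-char limit`, would stop a future cleanup from reverting it. The same line shrinks the set from `hashsize 64` to `hashsize 8`; if that is deliberate tuning for a timeout-bounded set, state it in the same comment. `ss_rules_ipset_mkadd ... | grep_af` now silently drops entries of the other address family, which is what makes the relaxed `or(ipaddr,cidr)` validators in the init script safe, so a one-line comment above the `done | grep_af` line explaining that mixed lists are split between the `-4` and `-6` invocations would help. Note that the `ss_rules_recentrst` name passed to `-m recent --name` is shared by both families; if the recent-table entries are per-family in the kernel that is fine, otherwise it is worth checking.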
@@ -230,16 +264,16 @@ ss_rules_iptchains_init_() {
 :ss_rules_dst -
 :ss_rules_forward -
 $(ss_rules_iptchains_mkprerules "$proto")
- -A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
- -A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
- -A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
- -A ss_rules_src -m set --match-set ss_rules_src_forward src -j ss_rules_forward
- -A ss_rules_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_dst
- -A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
- -A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
- -A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward
+ -A ss_rules_pre_src -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN
+ -A ss_rules_pre_src $o_ipt_extra -j ss_rules_src
+ -A ss_rules_src -m set --match-set ss_rules${o_af}_src_bypass src -j RETURN
+ -A ss_rules_src -m set --match-set ss_rules${o_af}_src_forward src -j ss_rules_forward
+ -A ss_rules_src -m set --match-set ss_rules${o_af}_src_checkdst src -j ss_rules_dst
+ -A ss_rules_src -j $src_default_target
+ -A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_bypass dst -j RETURN
+ -A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward dst -j ss_rules_forward
 $recentrst_addset_rules
- -A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+ -A ss_rules_dst -j $dst_default_target
 $forward_rules
 COMMIT
 $recentrst_mangle_rules
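Review bot: Dropping `-m comment --comment "src_default: ..."`/`"dst_default: ..."` removes the only place where the effective policy was visible in `iptables-save` output, which the README's own verification step (`iptables-save | grep ss_rules`) relies on for troubleshooting; presumably it was dropped because the comment match (`xt_comment`) is not a declared dependency, in which case a comment next to `-A ss_rules_src -j $src_default_target` saying so would keep it from being re-added, and the policy could instead be echoed via `__errmsg` when rules are applied. Removing `-p $proto` from `-A ss_rules_pre_src $o_ipt_extra -j ss_rules_src` is only safe if `ss_rules_iptchains_mkprerules "$proto"` already restricts the jump into `ss_rules_pre_src` by protocol; that function is outside the hunk, so please confirm, since otherwise the per-protocol chains would start matching each other's traffic. The enclosing `ss_rules_iptchains_init_` begins before this hunk.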