shadowsocks-libev: bump to 3.3.1

net/shadowsocks-libev/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2017-2018 Yousong Zhou <yszhou4tech@gmail.com>
+# Copyright (C) 2017-2019 Yousong Zhou <yszhou4tech@gmail.com>
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -13,24 +13,23 @@ include $(TOPDIR)/rules.mk
 # - check if default mode has changed from being tcp_only
 #
 PKG_NAME:=shadowsocks-libev
-PKG_VERSION:=3.2.1
+PKG_VERSION:=3.3.1
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
-PKG_SOURCE_PROTO:=git
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_HASH:=afd25ae5e737be385fa53364c66095c354277e98cf141b54beb2be93d9228f4f
-PKG_SOURCE_VERSION:=92cab3503c94b36234872f66926de0070a9cdcd0
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 
 PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com>
 
-PKG_LICENSE:=GPL-3.0+
+PKG_LICENSE:=GPL-3.0-or-later
 PKG_LICENSE_FILES:=LICENSE
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
+PKG_BUILD_DEPENDS:=c-ares pcre
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -58,7 +57,7 @@ define Package/shadowsocks-libev/Default
     SUBMENU:=Web Servers/Proxies
     TITLE:=shadowsocks-libev $(1)
     URL:=https://github.com/shadowsocks/shadowsocks-libev
-    DEPENDS:=+libcares +libev +libmbedtls +libpcre +libpthread +libsodium +shadowsocks-libev-config +zlib
+    DEPENDS:=+libev +libmbedtls +libpthread +libsodium +shadowsocks-libev-config $(DEPENDS_$(1))
   endef
 
   define Package/shadowsocks-libev-$(1)/install
@@ -68,6 +67,9 @@ define Package/shadowsocks-libev/Default
 
 endef
 
+DEPENDS_ss-local = +libpcre
+DEPENDS_ss-server = +libcares +libpcre
+
 SHADOWSOCKS_COMPONENTS:=ss-local ss-redir ss-tunnel ss-server
 define shadowsocks-libev/templates
   $(foreach component,$(SHADOWSOCKS_COMPONENTS),
@@ -120,6 +122,9 @@ CONFIGURE_ARGS += \
 	--disable-assert \
 	--disable-ssp \
 
+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
+
 $(eval $(call BuildPackage,shadowsocks-libev-config))
 $(eval $(call BuildPackage,shadowsocks-libev-ss-rules))
 $(foreach component,$(SHADOWSOCKS_COMPONENTS), \

net/shadowsocks-libev/README.md

@@ -1,4 +1,6 @@
-## components
+Skip to [recipes](#recipes) for quick setup instructions
+
+# components
 
 `ss-local` provides SOCKS5 proxy with UDP associate support.
 
@@ -20,7 +22,7 @@
 
 `ss-server`, the "ss server" in the above diagram
 
-## uci
+# uci
 
 Option names are the same as those used in json config files.  Check `validate_xxx` func definition of the [service script](files/shadowsocks-libev.init) and shadowsocks-libev's own documentation for supported options and expected value types.  A [sample config file](files/shadowsocks-libev.config) is also provided for reference.
 
@@ -30,6 +32,8 @@ Section type `server` is for definition of remote shadowsocks servers.  They wil
 
 Section type `ss_local`, `ss_redir`, `ss_tunnel` are for specification of shadowsocks-libev components.  They share mostly a common set of options like `local_port`, `verbose`, `fast_open`, `timeout`, etc.
 
+Plugin options should be specified in `server` section and will be inherited by other compoenents referring to it.
+
 We can have multiple instances of component and `server` sections.  The relationship between them is many-to-one.  This will have the following implications
 
  - It's possible to have both `ss_local` and `ss_redir` referring to the same `server` definition
@@ -73,7 +77,14 @@ ss-rules uses kernel ipset mechanism for storing addresses/networks.  Those ipse
 
 Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation.  Option names are retained in its current form for backward compatibility coniderations
 
-## notes and faq
+# incompatible changes
+
+| Commit date | Commit ID | Subject | Comment |
+| ----------- | --------- | ------- | ------- |
+| 2019-05-09  | afe7d3424 | shadowsocks-libev: move plugin options to server section | This is a revision against c19e949 committed 2019-05-06 |
+| 2017-07-02  | b61af9703 | shadowsocks-libev: rewrite | Packaging of shadowsocks-libev was rewritten from scratch |
+
+# notes and faq
 
 Useful paths and commands for debugging
 
@@ -95,3 +106,76 @@ Useful paths and commands for debugging
 ss-redir needs to open a new socket and setsockopt IP_TRANSPARENT when sending udp reply to client.  This requires `CAP_NET_ADMIN` and as such the process cannot run as `nobody`
 
 ss-local, ss-redir, etc. supports specifying an array of remote ss server, but supporting this in uci seems to be overkill.  The workaround can be defining multiple `server` sections and multiple `ss-redir` instances with `reuse_port` enabled
+
+# recipes
+
+## forward all
+
+This will setup firewall rules to forward almost all incoming tcp/udp and locally generated tcp traffic (excluding those to private addresses like 192.168.0.0/16 etc.) through remote shadowsocks server
+
+Install components.
+Retry each command till it succeed
+
+	opkg install shadowsocks-libev-ss-redir
+	opkg install shadowsocks-libev-ss-rules
+	opkg install shadowsocks-libev-ss-tunnel
+
+Edit uci config `/etc/config/shadowsocks-libev`.
+Replace `config server 'sss0'` section with parameters of your own remote shadowsocks server.
+As for other options, change them only when you know the effect.
+
+	config server 'sss0'
+		option disabled 0
+		option server '_sss_addr_'
+		option server_port '_sss_port_'
+		option password '********'
+		option method 'aes-256-cfb'
+
+	config ss_tunnel
+		option disabled 0
+		option server 'sss0'
+		option local_address '0.0.0.0'
+		option local_port '8053'
+		option tunnel_address '8.8.8.8:53'
+		option mode 'tcp_and_udp'
+
+	config ss_redir ssr0
+		option disabled 0
+		option server 'sss0'
+		option local_address '0.0.0.0'
+		option local_port '1100'
+		option mode 'tcp_and_udp'
+		option reuse_port 1
+
+	config ss_rules 'ss_rules'
+		option disabled 0
+		option redir_tcp 'ssr0'
+		option redir_udp 'ssr0'
+		option src_default 'checkdst'
+		option dst_default 'forward'
+		option local_default 'forward'
+
+Restart shadowsocks-libev components
+
+	/etc/init.d/shadowsocks-libev restart
+
+Check if things are in place
+
+	iptables-save | grep ss_rules
+	netstat -lntp | grep -E '8053|1100'
+	ps ww | grep ss-
+
+Edit `/etc/config/dhcp`, add a line to the first dnsmasq section like the following to let it use local tunnel endpoint for upstream dns query
+
+	config dnsmasq
+		...
+		list server '127.0.0.1#8053'
+
+Restart dnsmasq
+
+	/etc/init.d/dnsmasq restart
+
+Check network on your computer
+
+	nslookup www.google.com
+	curl -vv https://www.google.com

net/shadowsocks-libev/files/shadowsocks-libev.init

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+# Copyright (C) 2017-2019 Yousong Zhou <yszhou4tech@gmail.com>
 #
 # This is free software, licensed under the GNU General Public License v3.
 # See /LICENSE for more information.
@@ -11,26 +11,6 @@ START=99
 
 ss_confdir=/var/etc/shadowsocks-libev
 ss_bindir=/usr/bin
-q='"'
-
-ss_mkjson() {
-	echo "{" >"$confjson"
-	if ss_mkjson_ "$@" >>$confjson; then
-		sed -i -e '/^\s*$/d' -e '2,$s/^/\t/' -e '$s/,$//' "$confjson"
-		echo "}" >>"$confjson"
-	else
-		rm -f "$confjson"
-		return 1
-	fi
-}
-
-ss_mkjson_() {
-	local func
-
-	for func in "$@"; do
-		"$func" || return 1
-	done
-}
 
 ss_mkjson_server_conf() {
 	local cfgserver
@@ -45,32 +25,13 @@ ss_mkjson_server_conf() {
 
 ss_mkjson_server_conf_() {
 	[ -n "$server_port" ] || return 1
-	password="${password//\"/\\\"}"
+	[ -z "$server" ] || json_add_string server "$server"
-	cat <<-EOF
+	json_add_int server_port "$server_port"
-		${server:+${q}server${q}: ${q}$server${q},}
+	[ -z "$method" ] || json_add_string method "$method"
-		"server_port": $server_port,
+	[ -z "$key" ] || json_add_string key "$key"
-		${method:+${q}method${q}: ${q}$method${q},}
+	[ -z "$password" ] || json_add_string password "$password"
-		${key:+${q}key${q}: ${q}$key${q},}
+	[ -z "$plugin" ] || json_add_string plugin "$plugin"
-		${password:+${q}password${q}: ${q}$password${q},}
+	[ -z "$plugin_opts" ] || json_add_string plugin_opts "$plugin_opts"
-	EOF
-}
-
-ss_mkjson_common_conf() {
-	[ "$ipv6_first" = 0 ] && ipv6_first=false || ipv6_first=true
-	[ "$fast_open" = 0 ] && fast_open=false || fast_open=true
-	[ "$reuse_port" = 0 ] && reuse_port=false || reuse_port=true
-	cat <<-EOF
-		"use_syslog": true,
-		"ipv6_first": $ipv6_first,
-		"fast_open": $fast_open,
-		"reuse_port": $reuse_port,
-		${local_address:+${q}local_address${q}: ${q}$local_address${q},}
-		${local_port:+${q}local_port${q}: $local_port,}
-		${mode:+${q}mode${q}: ${q}$mode${q},}
-		${mtu:+${q}mtu${q}: $mtu,}
-		${timeout:+${q}timeout${q}: $timeout,}
-		${user:+${q}user${q}: ${q}$user${q},}
-	EOF
 }
 
 ss_mkjson_ss_local_conf() {
@@ -88,9 +49,7 @@ ss_mkjson_ss_server_conf() {
 ss_mkjson_ss_tunnel_conf() {
 	ss_mkjson_server_conf || return 1
 	[ -n "$tunnel_address" ] || return 1
-	cat <<-EOF
+	json_add_string tunnel_address "$tunnel_address"
-		${tunnel_address:+${q}tunnel_address${q}: ${q}$tunnel_address${q},}
-	EOF
 }
 
 ss_xxx() {
@@ -101,23 +60,32 @@ ss_xxx() {
 
 	[ -x "$bin" ] || return
 	eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)"
-	"validate_${cfgtype}_section" "$cfg" || return 1
+	"validate_${cfgtype}_section" "$cfg" || return
 	[ "$disabled" = 0 ] || return
 
-	if ss_mkjson \
+	json_init
-			ss_mkjson_common_conf \
+	ss_mkjson_${cfgtype}_conf || return
-			ss_mkjson_${cfgtype}_conf \
+	json_add_boolean use_syslog 1
-			; then
+	json_add_boolean ipv6_first "$ipv6_first"
+	json_add_boolean fast_open "$fast_open"
+	json_add_boolean reuse_port "$reuse_port"
+	json_add_boolean no_delay "$no_delay"
+	[ -z "$local_address" ] || json_add_string local_address "$local_address"
+	[ -z "$local_port" ] || json_add_int local_port "$local_port"
+	[ -z "$mode" ] || json_add_string mode "$mode"
+	[ -z "$mtu" ] || json_add_int mtu "$mtu"
+	[ -z "$timeout" ] || json_add_int timeout "$timeout"
+	[ -z "$user" ] || json_add_string user "$user"
+	json_dump -i >"$confjson"
+
 	procd_open_instance "$cfgtype.$cfg"
 	procd_set_param command "$bin" -c "$confjson"
 	[ "$verbose" = 0 ] || procd_append_param command -v
-		[ "$no_delay" = 0 ] || procd_append_param command --no-delay
 	[ -z "$bind_address" ] || procd_append_param command -b "$bind_address"
 	procd_set_param file "$confjson"
 	procd_set_param respawn
 	procd_close_instance
 	ss_rules_cb
-	fi
 }
 
 ss_rules_cb() {
@@ -144,12 +112,15 @@ ss_rules() {
 	local args
 
 	[ -x "$bin" ] || return 1
+	"$bin" -f
+	"$bin" -6 -f
+
 	config_get cfgtype "$cfg" TYPE
 	[ "$cfgtype" = ss_rules ] || return 1
 
 	eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
 	validate_ss_rules_section "$cfg" || return 1
-	[ "$disabled" = 0 ] || return 1
+	[ "$disabled" = 0 ] || return 0
 
 	eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
 	eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
@@ -157,7 +128,12 @@ ss_rules() {
 	ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
 	[ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
 
-	"$bin" \
+	ss_rules_call
+	ss_rules_call -6
+}
+
+ss_rules_call() {
+	"$bin" "$@" \
 			-s "$ss_redir_servers" \
 			-l "$local_port_tcp" \
 			-L "$local_port_udp" \
@@ -174,7 +150,7 @@ ss_rules() {
 			--ifnames "$ifnames" \
 			--ipt-extra "$ipt_args" \
 			$args \
-		|| "$bin" -f
+		|| "$bin" "$@" -f
 }
 
 start_service() {
@@ -191,7 +167,10 @@ start_service() {
 stop_service() {
 	local bin="$ss_bindir/ss-rules"
 
-	[ -x "$bin" ] && "$bin" -f
+	[ -x "$bin" ] && {
+		"$bin" -f
+		"$bin" -6 -f
+	}
 	rm -rf "$ss_confdir"
 }
 
@@ -235,7 +214,9 @@ validate_common_server_options_() {
 		'server_port:port' \
 		'password:string' \
 		'key:string' \
-		"method:or($stream_methods, $aead_methods)"
+		"method:or($stream_methods, $aead_methods)" \
+		'plugin:string' \
+		'plugin_opts:string'
 }
 
 validate_common_client_options_() {
@@ -280,13 +261,13 @@ validate_ss_rules_section() {
 		'disabled:bool:0' \
 		'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \
 		'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \
-		'src_ips_bypass:or(ip4addr,cidr4)' \
+		'src_ips_bypass:or(ipaddr,cidr)' \
-		'src_ips_forward:or(ip4addr,cidr4)' \
+		'src_ips_forward:or(ipaddr,cidr)' \
-		'src_ips_checkdst:or(ip4addr,cidr4)' \
+		'src_ips_checkdst:or(ipaddr,cidr)' \
 		'dst_ips_bypass_file:file' \
-		'dst_ips_bypass:or(ip4addr,cidr4)' \
+		'dst_ips_bypass:or(ipaddr,cidr)' \
 		'dst_ips_forward_file:file' \
-		'dst_ips_forward:or(ip4addr,cidr4)' \
+		'dst_ips_forward:or(ipaddr,cidr)' \
 		'src_default:or("bypass", "forward", "checkdst"):checkdst' \
 		'dst_default:or("bypass", "forward"):bypass' \
 		'local_default:or("bypass", "forward", "checkdst"):bypass' \

net/shadowsocks-libev/files/ss-rules

@@ -8,10 +8,24 @@
 # See /LICENSE for more information.
 #
 
+__errmsg() {
+	echo "ss-rules: $*" >&2
+}
+
+if [ "$1" = "-6" ]; then
+	if ! ip6tables -t nat -L -n &>/dev/null; then
+		__errmsg "Skipping ipv6.  Requires ip6tables-mod-nat"
+		exit 1
+	fi
+	o_use_ipv6=1; shift
+fi
+
 ss_rules_usage() {
 	cat >&2 <<EOF
 Usage: ss-rules [options]
 
+	-6              Operate on address family IPv6
+	                When present, must be the first argument
 	-h, --help      Show this help message then exit
 	-f, --flush     Flush rules, ipset then exit
 	-l <port>       Local port number of ss-redir with TCP mode
@@ -50,7 +64,7 @@ populated by other programs like dnsmasq with ipset support
 EOF
 }
 
-o_dst_bypass_="
+o_dst_bypass4_="
 	0.0.0.0/8
 	10.0.0.0/8
 	100.64.0.0/10
@@ -71,13 +85,33 @@ o_dst_bypass_="
 	240.0.0.0/4
 	255.255.255.255
 "
+o_dst_bypass6_="
+	::1/128
+	::/128
+	::ffff:0:0/96
+	64:ff9b:1::/48
+	100::/64
+	2001:2::/48
+	2001:db8::/32
+	fe80::/10
+	2001::/23
+	fc00::/7
+"
 o_src_default=bypass
 o_dst_default=bypass
 o_local_default=bypass
 
-__errmsg() {
+alias grep_af="sed -ne '/:/!p'"
-	echo "ss-rules: $*" >&2
+o_dst_bypass_="$o_dst_bypass4_"
-}
+if [ -n "$o_use_ipv6" ]; then
+	alias grep_af="sed -ne /:/p"
+	alias iptables=ip6tables
+	alias iptables-save=ip6tables-save
+	alias iptables-restore=ip6tables-restore
+	alias ip="ip -6"
+	o_af=6
+	o_dst_bypass_="$o_dst_bypass6_"
+fi
 
 ss_rules_parse_args() {
 	while [ "$#" -gt 0 ]; do
@@ -109,10 +143,10 @@ ss_rules_parse_args() {
 		return 1
 	fi
 	if [ -n "$o_dst_forward_recentrst" ] && ! iptables -m recent -h >/dev/null; then
-		__errmsg "Please install iptables-mod-conntrack-extra with opkg"
+		__errmsg "Please install iptables-mod-conntrack-extra"
 		return 1
 	fi
-	o_remote_servers="$(for s in $o_remote_servers; do resolveip -4 "$s"; done)"
+	o_remote_servers="$(for s in $o_remote_servers; do resolveip "$s" | grep_af; done)"
 }
 
 ss_rules_flush() {
@@ -121,26 +155,26 @@ ss_rules_flush() {
 	iptables-save --counters | grep -v ss_rules_ | iptables-restore --counters
 	while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
 	ip route flush table 100
-	for setname in $(ipset -n list | grep "ss_rules_"); do
+	for setname in $(ipset -n list | grep "ss_rules${o_af}_"); do
 		ipset destroy "$setname" 2>/dev/null || true
 	done
 }
 
 ss_rules_ipset_init() {
 	ipset --exist restore <<-EOF
-		create ss_rules_src_bypass hash:net hashsize 64
+		create ss_rules${o_af}_src_bypass hash:net family inet$o_af hashsize 64
-		create ss_rules_src_forward hash:net hashsize 64
+		create ss_rules${o_af}_src_forward hash:net family inet$o_af hashsize 64
-		create ss_rules_src_checkdst hash:net hashsize 64
+		create ss_rules${o_af}_src_checkdst hash:net family inet$o_af hashsize 64
-		create ss_rules_dst_bypass hash:net hashsize 64
+		create ss_rules${o_af}_dst_bypass hash:net family inet$o_af hashsize 64
-		create ss_rules_dst_bypass_ hash:net hashsize 64
+		create ss_rules${o_af}_dst_bypass_ hash:net family inet$o_af hashsize 64
-		create ss_rules_dst_forward hash:net hashsize 64
+		create ss_rules${o_af}_dst_forward hash:net family inet$o_af hashsize 64
-		create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
+		create ss_rules${o_af}_dst_forward_rrst_ hash:ip family inet$o_af hashsize 8 timeout 3600
-		$(ss_rules_ipset_mkadd ss_rules_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+		$(ss_rules_ipset_mkadd ss_rules${o_af}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
-		$(ss_rules_ipset_mkadd ss_rules_src_bypass "$o_src_bypass")
+		$(ss_rules_ipset_mkadd ss_rules${o_af}_src_bypass "$o_src_bypass")
-		$(ss_rules_ipset_mkadd ss_rules_src_forward "$o_src_forward")
+		$(ss_rules_ipset_mkadd ss_rules${o_af}_src_forward "$o_src_forward")
-		$(ss_rules_ipset_mkadd ss_rules_src_checkdst "$o_src_checkdst")
+		$(ss_rules_ipset_mkadd ss_rules${o_af}_src_checkdst "$o_src_checkdst")
-		$(ss_rules_ipset_mkadd ss_rules_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)")
+		$(ss_rules_ipset_mkadd ss_rules${o_af}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null)")
-		$(ss_rules_ipset_mkadd ss_rules_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)")
+		$(ss_rules_ipset_mkadd ss_rules${o_af}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null)")
 	EOF
 }
 
@@ -150,7 +184,7 @@ ss_rules_ipset_mkadd() {
 
 	for i in $*; do
 		echo "add $setname $i"
-	done
+	done | grep_af
 }
 
 ss_rules_iptchains_init() {
@@ -175,8 +209,8 @@ ss_rules_iptchains_init_tcp() {
 		*nat
 		:ss_rules_local_out -
 		-I OUTPUT 1 -p tcp -j ss_rules_local_out
-		-A ss_rules_local_out -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
+		-A ss_rules_local_out -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN
-		-A ss_rules_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+		-A ss_rules_local_out $o_ipt_extra -j $local_target
 		COMMIT
 	EOF
 }
@@ -203,8 +237,8 @@ ss_rules_iptchains_init_() {
 					COMMIT
 				"
 				recentrst_addset_rules="
-					-A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
+					-A ss_rules_dst -m recent --name ss_rules_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules${o_af}_dst_forward_rrst_ dst --exist
-					-A ss_rules_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j ss_rules_forward
+					-A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward_rrst_ dst -j ss_rules_forward
 				"
 			fi
 			;;
@@ -230,16 +264,16 @@ ss_rules_iptchains_init_() {
 		:ss_rules_dst -
 		:ss_rules_forward -
 		$(ss_rules_iptchains_mkprerules "$proto")
-		-A ss_rules_pre_src -m set --match-set ss_rules_dst_bypass_ dst -j RETURN
+		-A ss_rules_pre_src -m set --match-set ss_rules${o_af}_dst_bypass_ dst -j RETURN
-		-A ss_rules_pre_src -p $proto $o_ipt_extra -j ss_rules_src
+		-A ss_rules_pre_src $o_ipt_extra -j ss_rules_src
-		-A ss_rules_src -m set --match-set ss_rules_src_bypass src -j RETURN
+		-A ss_rules_src -m set --match-set ss_rules${o_af}_src_bypass src -j RETURN
-		-A ss_rules_src -m set --match-set ss_rules_src_forward src -j ss_rules_forward
+		-A ss_rules_src -m set --match-set ss_rules${o_af}_src_forward src -j ss_rules_forward
-		-A ss_rules_src -m set --match-set ss_rules_src_checkdst src -j ss_rules_dst
+		-A ss_rules_src -m set --match-set ss_rules${o_af}_src_checkdst src -j ss_rules_dst
-		-A ss_rules_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
+		-A ss_rules_src -j $src_default_target
-		-A ss_rules_dst -m set --match-set ss_rules_dst_bypass dst -j RETURN
+		-A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_bypass dst -j RETURN
-		-A ss_rules_dst -m set --match-set ss_rules_dst_forward dst -j ss_rules_forward
+		-A ss_rules_dst -m set --match-set ss_rules${o_af}_dst_forward dst -j ss_rules_forward
 		$recentrst_addset_rules
-		-A ss_rules_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+		-A ss_rules_dst -j $dst_default_target
 		$forward_rules
 		COMMIT
 		$recentrst_mangle_rules