ss.py: support nftset
This commit is contained in:
parent
f0c1c36418
commit
91896c5c4a
5 changed files with 74 additions and 37 deletions
7
ss.py
7
ss.py
|
@ -163,12 +163,6 @@ def invoke_self_with_sudo():
|
|||
import sys
|
||||
return subprocess.run(["sudo", sys.executable, *sys.argv], check=False).returncode
|
||||
|
||||
def prepare_cgroup_path():
|
||||
CGv2_ROOT = Path('/sys/fs/cgroup')
|
||||
needed_slices = ('ss_bp.slice', 'ss_bp_tcp.slice', 'ss_bp_udp.slice', 'ss_fw.slice', 'ss_fw_tcp.slice', 'ss_fw_udp.slice')
|
||||
for slice in needed_slices:
|
||||
(CGv2_ROOT / slice).mkdir(exist_ok=True)
|
||||
|
||||
def process_nft_rule(configs: dict) -> list:
|
||||
nft_rule, nft_rule_v6 = (nft_rule_redir, nft_rule_v6_redir) \
|
||||
if configs['common']['tcp_redir'] == 'redirect' \
|
||||
|
@ -242,7 +236,6 @@ def main():
|
|||
elif args.action == 'up':
|
||||
if os.getuid() != 0:
|
||||
return invoke_self_with_sudo()
|
||||
prepare_cgroup_path()
|
||||
if not args.config:
|
||||
name = print_config_names(do_print=False)
|
||||
args.config = name
|
||||
|
|
|
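Review bot: The `up` branch of `main()` appears to drop the `prepare_cgroup_path()` call (the hunk at `@ -242,7 +236,6`), so the `ss_bp*.slice`/`ss_fw*.slice` directories under `/sys/fs/cgroup` are no longer created by this script, yet nothing in the visible hunks populates the new cgroupsv2 sets (`@tcp_bypass`, `@udp_bypass`, `@tcp_enforce`, `@udp_enforce`) that replace the literal slice matches in the nftables files. If the sets are filled elsewhere in ss.py that code is outside these hunks; if any remaining code still moves processes into those slices, it will now fail without the mkdir, so this is worth confirming. A comment after `return invoke_self_with_sudo()` naming the mechanism would make the contract explicit, e.g. `# nft cgroupsv2 sets start empty on every rule load; populated by <helper — confirm>`. `main()` and `process_nft_rule()` both continue outside their hunks.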
@ -8,11 +8,22 @@ define tcp_local_port = 1080
|
|||
define udp_local_port = 1080
|
||||
|
||||
## DO NOT CHANGE THIS LINE
|
||||
# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
|
||||
|
||||
add table ip transparent_proxy
|
||||
delete table ip transparent_proxy
|
||||
table ip transparent_proxy {
|
||||
set tcp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set tcp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set empty_ipv4 {
|
||||
type ipv4_addr
|
||||
flags constant
|
||||
|
@ -60,10 +71,10 @@ table ip transparent_proxy {
|
|||
policy accept
|
||||
|
||||
ip protocol tcp ct direction reply accept
|
||||
ip protocol tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
|
||||
ip protocol udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
|
||||
ip protocol tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark
|
||||
ip protocol udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark
|
||||
ip protocol tcp socket cgroupv2 level 2 @tcp_bypass accept
|
||||
ip protocol udp socket cgroupv2 level 2 @udp_bypass accept
|
||||
ip protocol tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_udp_output_mark
|
||||
ip protocol udp socket cgroupv2 level 2 @udp_enforce goto tcp_udp_output_mark
|
||||
ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
|
||||
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
|
||||
ip protocol tcp ip daddr $tcp_host accept
|
||||
|
@ -74,11 +85,11 @@ table ip transparent_proxy {
|
|||
ip protocol { tcp, udp } mark set 0xdeaf
|
||||
}
|
||||
chain tcp_udp_forward_conditional_tproxy {
|
||||
ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
|
||||
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
|
||||
ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
|
||||
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
|
||||
ip protocol tcp ip daddr $tcp_host accept
|
||||
ip protocol udp ip daddr $udp_host accept
|
||||
ip protocol { tcp, udp } ip daddr != @chnroute meta mark set 0x0000deaf goto tcp_udp_tproxy
|
||||
ip protocol { tcp, udp } ip daddr != @chnroute meta mark set 0xdeaf goto tcp_udp_tproxy
|
||||
}
|
||||
chain tcp_udp_tproxy {
|
||||
ip protocol tcp tproxy to 127.0.0.1:$tcp_local_port
|
||||
|
|
|
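Review bot: The four `type cgroupsv2` sets added at the top of the table (`tcp_bypass`, `udp_bypass`, `tcp_enforce`, `udp_enforce`) are declared with no elements, and because the file runs `add table`/`delete table` before re-declaring the table, every load of this ruleset recreates them empty; any cgroup paths added earlier with `nft add element` are discarded, so the `socket cgroupv2 level 2 @tcp_enforce` / `@tcp_bypass` rules in the output chain match nothing until something repopulates the sets. If ss.py repopulates them after each load that is fine, but that code is not in this commit's ss.py hunks, so the expectation should be written down here, e.g. above `set tcp_bypass {`: `# cgroup v2 paths at depth 2 (as matched by "socket cgroupv2 level 2"); emptied on every load of this file and repopulated by ss.py`. The `# need "ss_bp.slice", …` line that documented the old slice requirement appears to be removed, leaving `## DO NOT CHANGE THIS LINE` followed by a blank line; if ss.py keys on that marker, confirm it still finds what it expects. The same applies to the other three nftables files in this commit (the ip6 tproxy variant and both redirect variants).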
@ -8,7 +8,6 @@ define tcp_local_port = 1080
|
|||
define udp_local_port = 1080
|
||||
|
||||
## DO NOT CHANGE THIS LINE
|
||||
# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
|
||||
|
||||
# this works since v4 rule is always loaded first
|
||||
add table ip6 output_deny
|
||||
|
@ -17,6 +16,18 @@ delete table ip6 output_deny
|
|||
add table ip6 transparent_proxy_v6
|
||||
delete table ip6 transparent_proxy_v6
|
||||
table ip6 transparent_proxy_v6 {
|
||||
set tcp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set tcp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set empty_ipv6 {
|
||||
type ipv6_addr
|
||||
flags constant
|
||||
|
@ -60,10 +71,10 @@ table ip6 transparent_proxy_v6 {
|
|||
policy accept
|
||||
|
||||
meta l4proto tcp ct direction reply accept
|
||||
meta l4proto tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
|
||||
meta l4proto udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
|
||||
meta l4proto tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark
|
||||
meta l4proto udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark
|
||||
meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept
|
||||
meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept
|
||||
meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_udp_output_mark
|
||||
meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto tcp_udp_output_mark
|
||||
meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
|
||||
meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
|
||||
meta l4proto tcp ip6 daddr $tcp_host accept
|
||||
|
@ -74,11 +85,11 @@ table ip6 transparent_proxy_v6 {
|
|||
meta l4proto { tcp, udp } mark set 0xdeaf
|
||||
}
|
||||
chain tcp_udp_forward_conditional_tproxy {
|
||||
meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
|
||||
meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
|
||||
meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
|
||||
meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
|
||||
meta l4proto tcp ip6 daddr $tcp_host accept
|
||||
meta l4proto udp ip6 daddr $udp_host accept
|
||||
meta l4proto { tcp, udp } ip6 daddr != @chnroute meta mark set 0x0000deaf goto tcp_udp_tproxy
|
||||
meta l4proto { tcp, udp } ip6 daddr != @chnroute meta mark set 0xdeaf goto tcp_udp_tproxy
|
||||
}
|
||||
chain tcp_udp_tproxy {
|
||||
meta l4proto tcp tproxy to [::1]:$tcp_local_port
|
||||
|
|
|
@ -8,7 +8,6 @@ define tcp_local_port = 1080
|
|||
define udp_local_port = 1080
|
||||
|
||||
## DO NOT CHANGE THIS LINE
|
||||
# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
|
||||
|
||||
# this works since v4 rule is always loaded first
|
||||
add table ip6 output_deny
|
||||
|
@ -17,6 +16,18 @@ delete table ip6 output_deny
|
|||
add table ip6 transparent_proxy_v6
|
||||
delete table ip6 transparent_proxy_v6
|
||||
table ip6 transparent_proxy_v6 {
|
||||
set tcp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set tcp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set empty_ipv6 {
|
||||
type ipv6_addr
|
||||
flags constant
|
||||
|
@ -58,8 +69,8 @@ table ip6 transparent_proxy_v6 {
|
|||
type nat hook output priority -100
|
||||
policy accept
|
||||
|
||||
meta l4proto tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
|
||||
meta l4proto tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_redirect
|
||||
meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept
|
||||
meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect
|
||||
meta l4proto tcp jump tcp_pre_redirect
|
||||
}
|
||||
chain tcp_pre_redirect {
|
||||
|
@ -85,8 +96,8 @@ table ip6 transparent_proxy_v6 {
|
|||
type route hook output priority mangle
|
||||
policy accept
|
||||
|
||||
meta l4proto udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
|
||||
meta l4proto udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto udp_output_mark
|
||||
meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept
|
||||
meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark
|
||||
meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
|
||||
meta l4proto udp ip6 daddr $udp_host accept
|
||||
meta l4proto udp ip6 daddr != @chnroute goto udp_output_mark
|
||||
|
@ -95,9 +106,9 @@ table ip6 transparent_proxy_v6 {
|
|||
meta l4proto udp mark set 0xdeaf
|
||||
}
|
||||
chain udp_forward_conditional_tproxy {
|
||||
meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto udp_tproxy
|
||||
meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy
|
||||
meta l4proto udp ip6 daddr $udp_host accept
|
||||
meta l4proto udp ip6 daddr != @chnroute meta mark set 0x0000deaf goto udp_tproxy
|
||||
meta l4proto udp ip6 daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy
|
||||
}
|
||||
chain udp_tproxy {
|
||||
meta l4proto udp tproxy to [::1]:$udp_local_port
|
||||
|
|
|
@ -8,11 +8,22 @@ define tcp_local_port = 1080
|
|||
define udp_local_port = 1080
|
||||
|
||||
## DO NOT CHANGE THIS LINE
|
||||
# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
|
||||
|
||||
add table ip transparent_proxy
|
||||
delete table ip transparent_proxy
|
||||
table ip transparent_proxy {
|
||||
set tcp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_bypass {
|
||||
type cgroupsv2
|
||||
}
|
||||
set tcp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set udp_enforce {
|
||||
type cgroupsv2
|
||||
}
|
||||
set empty_ipv4 {
|
||||
type ipv4_addr
|
||||
flags constant
|
||||
|
@ -58,8 +69,8 @@ table ip transparent_proxy {
|
|||
type nat hook output priority -100
|
||||
policy accept
|
||||
|
||||
ip protocol tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
|
||||
ip protocol tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_redirect
|
||||
ip protocol tcp socket cgroupv2 level 2 @tcp_bypass accept
|
||||
ip protocol tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect
|
||||
ip protocol tcp jump tcp_pre_redirect
|
||||
}
|
||||
chain tcp_pre_redirect {
|
||||
|
@ -85,8 +96,8 @@ table ip transparent_proxy {
|
|||
type route hook output priority mangle
|
||||
policy accept
|
||||
|
||||
ip protocol udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
|
||||
ip protocol udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto udp_output_mark
|
||||
ip protocol udp socket cgroupv2 level 2 @udp_bypass accept
|
||||
ip protocol udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark
|
||||
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
|
||||
ip protocol udp ip daddr $udp_host accept
|
||||
ip protocol udp ip daddr != @chnroute goto udp_output_mark
|
||||
|
@ -95,9 +106,9 @@ table ip transparent_proxy {
|
|||
ip protocol udp mark set 0xdeaf
|
||||
}
|
||||
chain udp_forward_conditional_tproxy {
|
||||
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto udp_tproxy
|
||||
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy
|
||||
ip protocol udp ip daddr $udp_host accept
|
||||
ip protocol udp ip daddr != @chnroute meta mark set 0x0000deaf goto udp_tproxy
|
||||
ip protocol udp ip daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy
|
||||
}
|
||||
chain udp_tproxy {
|
||||
ip protocol udp tproxy to 127.0.0.1:$udp_local_port
|
||||
|
|