From 91896c5c4a2037fb688f29cd3863051ae3581d1e Mon Sep 17 00:00:00 2001
From: Jerry
Date: Tue, 29 Oct 2024 20:34:01 +0800
Subject: [PATCH] ss.py: support nftset
---
 ss.py | 7 -------
 transparent-proxy-tproxy.nft | 27 +++++++++++++++++++--------
 transparent-proxy-v6-tproxy.nft | 27 +++++++++++++++++++--------
 transparent-proxy-v6.nft | 25 ++++++++++++++++++-------
 transparent-proxy.nft | 25 ++++++++++++++++++-------
 5 files changed, 74 insertions(+), 37 deletions(-)
diff --git a/ss.py b/ss.py
index 7a198dc..a1c978e 100755
--- a/ss.py
+++ b/ss.py
@@ -163,12 +163,6 @@ def invoke_self_with_sudo():
 import sys
 return subprocess.run(["sudo", sys.executable, *sys.argv], check=False).returncode
-def prepare_cgroup_path():
- CGv2_ROOT = Path('/sys/fs/cgroup')
- needed_slices = ('ss_bp.slice', 'ss_bp_tcp.slice', 'ss_bp_udp.slice', 'ss_fw.slice', 'ss_fw_tcp.slice', 'ss_fw_udp.slice')
- for slice in needed_slices:
- (CGv2_ROOT / slice).mkdir(exist_ok=True)
-
 def process_nft_rule(configs: dict) -> list:
 nft_rule, nft_rule_v6 = (nft_rule_redir, nft_rule_v6_redir) \
 if configs['common']['tcp_redir'] == 'redirect' \
@@ -242,7 +236,6 @@ def main():
 elif args.action == 'up':
 if os.getuid() != 0:
 return invoke_self_with_sudo()
- prepare_cgroup_path()
 if not args.config:
 name = print_config_names(do_print=False)
 args.config = name
diff --git a/transparent-proxy-tproxy.nft b/transparent-proxy-tproxy.nft
index 583e34c..40322d1 100644
--- a/transparent-proxy-tproxy.nft
+++ b/transparent-proxy-tproxy.nft
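Review bot: Dropping the `prepare_cgroup_path()` call from the `up` branch leaves nothing in ss.py that creates a cgroup or populates the `tcp_bypass`/`udp_bypass`/`tcp_enforce`/`udp_enforce` sets the rulesets now consult, so right after `ss.py up` all four sets are empty and a process the operator meant to force through the proxy is silently handled by the destination-based rules instead (fail-open) until someone runs `nft add element` by hand. The removed helper existed because nft resolves a cgroupv2 path to a cgroup id when the rule is loaded; that requirement has not gone away, it has moved to `add element` time, so the cgroup must exist before the element is added (my reading of how the `cgroupsv2` set type resolves paths; confirm against the nft version in use). I would have `up` read the cgroup paths from the config and emit the `add element` commands after the ruleset is loaded, or at least leave a comment at the removed call site such as `# the cgroupsv2 sets in the nft files start empty; populate them with 'nft add element' once 'up' has loaded the ruleset`. `main()` starts and ends outside this hunk.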
@@ -8,11 +8,22 @@ define tcp_local_port = 1080
 define udp_local_port = 1080
 ## DO NOT CHANGE THIS LINE
-# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
 add table ip transparent_proxy
 delete table ip transparent_proxy
 table ip transparent_proxy {
+ set tcp_bypass {
+ type cgroupsv2
+ }
+ set udp_bypass {
+ type cgroupsv2
+ }
+ set tcp_enforce {
+ type cgroupsv2
+ }
+ set udp_enforce {
+ type cgroupsv2
+ }
 set empty_ipv4 {
 type ipv4_addr
 flags constant
@@ -60,10 +71,10 @@ table ip transparent_proxy {
 policy accept
 ip protocol tcp ct direction reply accept
- ip protocol tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
- ip protocol udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
- ip protocol tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark
- ip protocol udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark
+ ip protocol tcp socket cgroupv2 level 2 @tcp_bypass accept
+ ip protocol udp socket cgroupv2 level 2 @udp_bypass accept
+ ip protocol tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_udp_output_mark
+ ip protocol udp socket cgroupv2 level 2 @udp_enforce goto tcp_udp_output_mark
 ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
 ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
 ip protocol tcp ip daddr $tcp_host accept
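Review bot: The rewritten rules in the second hunk move from `level 1` to `level 2` at the same time as the literal slice names become lookups in sets that are declared empty, so the match semantics change silently: `socket cgroupv2 level 2` keys the lookup on the socket's cgroup truncated to two path components, and as far as I recall from nft_socket a socket whose cgroup is shallower than the requested level does not match at all, so a process still placed directly in a top-level slice like the old `ss_bp.slice` now falls through to the destination-based rules below. Because `@tcp_bypass`/`@udp_bypass` are tested before `@tcp_enforce`/`@udp_enforce`, a cgroup present in both sets is bypassed, which is a policy decision worth stating. Nothing in the file now says what an element must look like, since the `# need ...` comment that listed the expected cgroups was removed without a replacement; I would add above the set block `# elements are cgroup v2 paths relative to /sys/fs/cgroup, two components deep to match 'level 2' below; bypass is checked before enforce, so a path in both sets is bypassed`. The chain holding the rewritten rules begins outside the hunk.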
@@ -74,11 +85,11 @@ table ip transparent_proxy {
 ip protocol { tcp, udp } mark set 0xdeaf
 }
 chain tcp_udp_forward_conditional_tproxy {
- ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
- ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
+ ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
+ ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
 ip protocol tcp ip daddr $tcp_host accept
 ip protocol udp ip daddr $udp_host accept
- ip protocol { tcp, udp } ip daddr != @chnroute meta mark set 0x0000deaf goto tcp_udp_tproxy
+ ip protocol { tcp, udp } ip daddr != @chnroute meta mark set 0xdeaf goto tcp_udp_tproxy
 }
 chain tcp_udp_tproxy {
 ip protocol tcp tproxy to 127.0.0.1:$tcp_local_port
diff --git a/transparent-proxy-v6-tproxy.nft b/transparent-proxy-v6-tproxy.nft
index eaad51c..f98e3b8 100644
--- a/transparent-proxy-v6-tproxy.nft
+++ b/transparent-proxy-v6-tproxy.nft
@@ -8,7 +8,6 @@ define tcp_local_port = 1080
 define udp_local_port = 1080
 ## DO NOT CHANGE THIS LINE
-# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
 # this works since v4 rule is always loaded first
 add table ip6 output_deny
@@ -17,6 +16,18 @@ delete table ip6 output_deny
 add table ip6 transparent_proxy_v6
 delete table ip6 transparent_proxy_v6
 table ip6 transparent_proxy_v6 {
+ set tcp_bypass {
+ type cgroupsv2
+ }
+ set udp_bypass {
+ type cgroupsv2
+ }
+ set tcp_enforce {
+ type cgroupsv2
+ }
+ set udp_enforce {
+ type cgroupsv2
+ }
 set empty_ipv6 {
 type ipv6_addr
 flags constant
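Review bot: The four cgroupsv2 sets added to `table ip6 transparent_proxy_v6` in the last hunk are distinct objects from the identically named sets in `table ip transparent_proxy`, so a cgroup that is only added to the ip table's sets has its IPv6 traffic evaluated by the destination-based rules of this table instead: an "enforced" process can open v6 connections around the proxy, and a "bypassed" process can have its v6 traffic proxied. The file relies on load order (`# this works since v4 rule is always loaded first`) but nothing keeps the two tables' set contents in sync, and the two independent `delete table` statements mean they can also diverge after a partial reload. I would add a comment on the set block, e.g. `# NOTE: independent of the sets in table ip transparent_proxy; every element must be added to both tables or v4 and v6 policy diverge`, and, if ss.py ends up populating the sets, emit the elements for both families in a single `nft -f` transaction so the two tables never disagree.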
@@ -60,10 +71,10 @@ table ip6 transparent_proxy_v6 {
 policy accept
 meta l4proto tcp ct direction reply accept
- meta l4proto tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
- meta l4proto udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
- meta l4proto tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark
- meta l4proto udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark
+ meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept
+ meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept
+ meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_udp_output_mark
+ meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto tcp_udp_output_mark
 meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
 meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
 meta l4proto tcp ip6 daddr $tcp_host accept
@@ -74,11 +85,11 @@ table ip6 transparent_proxy_v6 {
 meta l4proto { tcp, udp } mark set 0xdeaf
 }
 chain tcp_udp_forward_conditional_tproxy {
- meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
- meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
+ meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
+ meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
 meta l4proto tcp ip6 daddr $tcp_host accept
 meta l4proto udp ip6 daddr $udp_host accept
- meta l4proto { tcp, udp } ip6 daddr != @chnroute meta mark set 0x0000deaf goto tcp_udp_tproxy
+ meta l4proto { tcp, udp } ip6 daddr != @chnroute meta mark set 0xdeaf goto tcp_udp_tproxy
 }
 chain tcp_udp_tproxy {
 meta l4proto tcp tproxy to [::1]:$tcp_local_port
diff --git a/transparent-proxy-v6.nft b/transparent-proxy-v6.nft
index a59ce41..5521918 100644
--- a/transparent-proxy-v6.nft
+++ b/transparent-proxy-v6.nft
@@ -8,7 +8,6 @@ define tcp_local_port = 1080
 define udp_local_port = 1080
 ## DO NOT CHANGE THIS LINE
-# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
 # this works since v4 rule is always loaded first
 add table ip6 output_deny
@@ -17,6 +16,18 @@ delete table ip6 output_deny
 add table ip6 transparent_proxy_v6
 delete table ip6 transparent_proxy_v6
 table ip6 transparent_proxy_v6 {
+ set tcp_bypass {
+ type cgroupsv2
+ }
+ set udp_bypass {
+ type cgroupsv2
+ }
+ set tcp_enforce {
+ type cgroupsv2
+ }
+ set udp_enforce {
+ type cgroupsv2
+ }
 set empty_ipv6 {
 type ipv6_addr
 flags constant
@@ -58,8 +69,8 @@ table ip6 transparent_proxy_v6 {
 type nat hook output priority -100
 policy accept
- meta l4proto tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
- meta l4proto tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_redirect
+ meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept
+ meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect
 meta l4proto tcp jump tcp_pre_redirect
 }
 chain tcp_pre_redirect {
@@ -85,8 +96,8 @@ table ip6 transparent_proxy_v6 {
 type route hook output priority mangle
 policy accept
- meta l4proto udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
- meta l4proto udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto udp_output_mark
+ meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept
+ meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark
 meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
 meta l4proto udp ip6 daddr $udp_host accept
 meta l4proto udp ip6 daddr != @chnroute goto udp_output_mark
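Review bot: The `delete table ip6 transparent_proxy_v6` context line two lines above the new set block means every load of this file destroys the table, including whatever elements were added to `tcp_bypass`/`udp_bypass`/`tcp_enforce`/`udp_enforce` at runtime, so a second `ss.py up` or a config reload silently resets the cgroup policy to "nothing bypassed, nothing enforced" while the proxy and the enforced processes keep running. The previous version carried the cgroup policy in the rules themselves, so it survived reloads by construction; with sets it only survives if something re-adds the elements in the same transaction. If the element list is known at load time, declare it in the set (`elements = { ... }`, generated from the config) so it is re-applied atomically with the table; otherwise document the reset next to the set block, e.g. `# these sets are emptied on every reload (the table is deleted and recreated above); re-add elements after 'ss.py up'`.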
@@ -95,9 +106,9 @@ table ip6 transparent_proxy_v6 {
 meta l4proto udp mark set 0xdeaf
 }
 chain udp_forward_conditional_tproxy {
- meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto udp_tproxy
+ meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy
 meta l4proto udp ip6 daddr $udp_host accept
- meta l4proto udp ip6 daddr != @chnroute meta mark set 0x0000deaf goto udp_tproxy
+ meta l4proto udp ip6 daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy
 }
 chain udp_tproxy {
 meta l4proto udp tproxy to [::1]:$udp_local_port
diff --git a/transparent-proxy.nft b/transparent-proxy.nft
index 9636f3a..b594e93 100644
--- a/transparent-proxy.nft
+++ b/transparent-proxy.nft
@@ -8,11 +8,22 @@ define tcp_local_port = 1080
 define udp_local_port = 1080
 ## DO NOT CHANGE THIS LINE
-# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
 add table ip transparent_proxy
 delete table ip transparent_proxy
 table ip transparent_proxy {
+ set tcp_bypass {
+ type cgroupsv2
+ }
+ set udp_bypass {
+ type cgroupsv2
+ }
+ set tcp_enforce {
+ type cgroupsv2
+ }
+ set udp_enforce {
+ type cgroupsv2
+ }
 set empty_ipv4 {
 type ipv4_addr
 flags constant
@@ -58,8 +69,8 @@ table ip transparent_proxy {
 type nat hook output priority -100
 policy accept
- ip protocol tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
- ip protocol tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_redirect
+ ip protocol tcp socket cgroupv2 level 2 @tcp_bypass accept
+ ip protocol tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect
 ip protocol tcp jump tcp_pre_redirect
 }
 chain tcp_pre_redirect {
@@ -85,8 +96,8 @@ table ip transparent_proxy {
 type route hook output priority mangle
 policy accept
- ip protocol udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
- ip protocol udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto udp_output_mark
+ ip protocol udp socket cgroupv2 level 2 @udp_bypass accept
+ ip protocol udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark
 ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
 ip protocol udp ip daddr $udp_host accept
 ip protocol udp ip daddr != @chnroute goto udp_output_mark
@@ -95,9 +106,9 @@ table ip transparent_proxy {
 ip protocol udp mark set 0xdeaf
 }
 chain udp_forward_conditional_tproxy {
- ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto udp_tproxy
+ ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy
 ip protocol udp ip daddr $udp_host accept
- ip protocol udp ip daddr != @chnroute meta mark set 0x0000deaf goto udp_tproxy
+ ip protocol udp ip daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy
 }
 chain udp_tproxy {
 ip protocol udp tproxy to 127.0.0.1:$udp_local_port