shadowsocks-libev: add nft_tcp_extra/nft_udp_extra options

To add extra statement to tcp/udp forward rule, example:

```
config ss_rules 'ss_rules'
    ...
    option nft_tcp_extra 'tcp dport { 80, 443 }' # tcp only forward connections with dport 80 or 443
    option nft_udp_extra 'udp dport { 53 }' # udp only forward connections with dport 53
```

This somewhat restores the old ipt_args functionality.

Signed-off-by: Zhong Jianxin <azuwis@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(Amend README.md a bit)

diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
index d5d26f53cd683fc04a716df73ebe010ec2349661..1a76d67fe1ff9258710ad545ead7f4f106bb610b 100644 (file)
--- a/net/shadowsocks-libev/Makefile
+++ b/net/shadowsocks-libev/Makefile
@@ -14,7 +14,7 @@ include $(TOPDIR)/rules.mk
 #
 PKG_NAME:=shadowsocks-libev
 PKG_VERSION:=3.3.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)

diff --git a/net/shadowsocks-libev/README.md b/net/shadowsocks-libev/README.md
index 3f57af62ead94d407cd890ccc0d22f9879614fb5..8e72e7fbf5cd1a319306c4e8412e2b879971999e 100644 (file)
--- a/net/shadowsocks-libev/README.md
+++ b/net/shadowsocks-libev/README.md
@@ -75,6 +75,8 @@ ss-rules now uses nft set for storing addresses/networks.  Those set names are a
 
 Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation.  Option names are retained in its current form for backward compatibility coniderations
 
+Extra nftables expressions can be specified with `nft_tcp_extra` and `nft_udp_extra` to apply ss_rules only to selected tcp/udp traffics.  E.g. `tcp dport { 80, 443 }`, `udp dport 53`, etc.
+
 # incompatible changes
 
 | Commit date | Commit ID | Subject | Comment |

diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.init b/net/shadowsocks-libev/files/shadowsocks-libev.init
index 0805e4019a8378ad8ef4ff4afea835828678daee..be72a9f66482c8d59f0f9e163034dc949ef9c91c 100644 (file)
--- a/net/shadowsocks-libev/files/shadowsocks-libev.init
+++ b/net/shadowsocks-libev/files/shadowsocks-libev.init
@@ -152,6 +152,8 @@ ss_rules() {
        json_add_string o_dst_bypass_file "$dst_ips_bypass_file"
        json_add_string o_dst_forward_file "$dst_ips_forward_file"
        json_add_string o_dst_default "$dst_default"
+       json_add_string o_nft_tcp_extra "$nft_tcp_extra"
+       json_add_string o_nft_udp_extra "$nft_udp_extra"
        json_dump -i >"$tmp.json"
 
        if ucode -S -i "$ssrules_uc" -E "$tmp.json" >"$tmp.nft" \
@@ -283,6 +285,8 @@ validate_ss_rules_section() {
                'src_default:or("bypass", "forward", "checkdst"):checkdst' \
                'dst_default:or("bypass", "forward"):bypass' \
                'local_default:or("bypass", "forward", "checkdst"):bypass' \
+               'nft_tcp_extra:string' \
+               'nft_udp_extra:string' \
                'ifnames:maxlength(15)'
 }
 

diff --git a/net/shadowsocks-libev/files/ss-rules/chain.uc b/net/shadowsocks-libev/files/ss-rules/chain.uc
index 00362f694d6789395bf859e66691035592b09f11..a378e770e6796c8527749a44b74a3590ff1d44d8 100644 (file)
--- a/net/shadowsocks-libev/files/ss-rules/chain.uc
+++ b/net/shadowsocks-libev/files/ss-rules/chain.uc
@@ -97,7 +97,7 @@ chain ss_rules_dst_{{ proto }} {
 
 {%   if (proto == "tcp"): %}
 chain ss_rules_forward_{{ proto }} {
-       meta l4proto tcp redirect to :{{ redir_port }};
+       meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }};
 }
 {%   let local_verdict = get_local_verdict(); if (local_verdict): %}
 chain ss_rules_local_out {
@@ -112,7 +112,7 @@ chain ss_rules_local_out {
 {%     endif %}
 {%   elif (proto == "udp"): %}
 chain ss_rules_forward_{{ proto }} {
-       meta l4proto udp meta mark set 1 tproxy to :{{ redir_port }};
+       meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }};
 }
 {%   endif %}
 {% endif %}