#!/bin/sh /etc/rc.common
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
-START=90
-STOP=15
-
-SERVICE_USE_PID=1
-SERVICE_WRITE_PID=1
-SERVICE_DAEMONIZE=1
-EXTRA_COMMANDS="rules"
-CONFIG_FILE=/var/etc/shadowsocks-libev.json
-
-get_config() {
- config_get_bool enable $1 enable
- config_get server $1 server
- config_get server_port $1 server_port
- config_get local_port $1 local_port
- config_get timeout $1 timeout
- config_get password $1 password
- config_get encrypt_method $1 encrypt_method
- config_get ignore_list $1 ignore_list
- config_get udp_mode $1 udp_mode
- config_get udp_server $1 udp_server
- config_get udp_server_port $1 udp_server_port
- config_get udp_local_port $1 udp_local_port
- config_get udp_timeout $1 udp_timeout
- config_get udp_password $1 udp_password
- config_get udp_encrypt_method $1 udp_encrypt_method
- config_get_bool tunnel_enable $1 tunnel_enable
- config_get tunnel_port $1 tunnel_port
- config_get tunnel_forward $1 tunnel_forward
- config_get lan_ac_mode $1 lan_ac_mode
- config_get lan_ac_ip $1 lan_ac_ip
- config_get wan_bp_ip $1 wan_bp_ip
- config_get wan_fw_ip $1 wan_fw_ip
- config_get ipt_ext $1 ipt_ext
- : ${timeout:=60}
- : ${udp_timeout:=60}
- : ${tunnel_port:=5300}
- : ${tunnel_forward:=8.8.4.4:53}
-}
-
-start_rules() {
- local ac_args
-
- if [ -n "$lan_ac_ip" ]; then
- case $lan_ac_mode in
- 1) ac_args="w$lan_ac_ip"
- ;;
- 2) ac_args="b$lan_ac_ip"
- ;;
- esac
+USE_PROCD=1
+START=99
+
+ss_confdir=/var/etc/shadowsocks-libev
+ss_bindir=/usr/bin
+q='"'
+
+ss_mkjson() {
+ echo "{" >"$confjson"
+ if ss_mkjson_ "$@" >>$confjson; then
+ sed -i -e '/^\s*$/d' -e '2,$s/^/\t/' -e '$s/,$//' "$confjson"
+ echo "}" >>"$confjson"
+ else
+ rm -f "$confjson"
+ return 1
fi
- /usr/bin/ss-rules \
- -s "$server" \
- -l "$local_port" \
- -S "$udp_server" \
- -L "$udp_local_port" \
- -i "$ignore_list" \
- -a "$ac_args" \
- -b "$wan_bp_ip" \
- -w "$wan_fw_ip" \
- -e "$ipt_ext" \
- -o $udp
- return $?
-}
-
-start_redir() {
- cat <<-EOF >$CONFIG_FILE
- {
- "server": "$server",
- "server_port": $server_port,
- "local_address": "0.0.0.0",
- "local_port": $local_port,
- "password": "$password",
- "timeout": $timeout,
- "method": "$encrypt_method"
- }
-EOF
- if [ "$udp_mode" = 2 ]; then
- /usr/bin/ss-redir \
- -c $CONFIG_FILE \
- -f /var/run/ss-redir_t.pid
- cat <<-EOF >$CONFIG_FILE
- {
- "server": "$udp_server",
- "server_port": $udp_server_port,
- "local_address": "0.0.0.0",
- "local_port": $udp_local_port,
- "password": "$udp_password",
- "timeout": $udp_timeout,
- "method": "$udp_encrypt_method"
- }
-EOF
+}
+
+ss_mkjson_() {
+ local func
+
+ for func in "$@"; do
+ "$func" || return 1
+ done
+}
+
+ss_mkjson_server_conf() {
+ local cfgserver
+
+ config_get cfgserver "$cfg" server
+ [ -n "$cfgserver" ] || return 1
+ eval "$(validate_server_section "$cfg" ss_validate_mklocal)"
+ validate_server_section "$cfgserver" || return 1
+ [ "$disabled" = 0 ] || return 1
+ ss_mkjson_server_conf_ "$cfgserver"
+}
+
+ss_mkjson_server_conf_() {
+ [ -n "$server_port" ] || return 1
+ password="${password//\"/\\\"}"
+ cat <<-EOF
+ ${server:+${q}server${q}: ${q}$server${q},}
+ "server_port": $server_port,
+ ${method:+${q}method${q}: ${q}$method${q},}
+ ${key:+${q}key${q}: ${q}$key${q},}
+ ${password:+${q}password${q}: ${q}$password${q},}
+ EOF
+}
+
+ss_mkjson_common_conf() {
+ [ "$ipv6_first" = 0 ] && ipv6_first=false || ipv6_first=true
+ [ "$fast_open" = 0 ] && fast_open=false || fast_open=true
+ [ "$reuse_port" = 0 ] && reuse_port=false || reuse_port=true
+ cat <<-EOF
+ "use_syslog": true,
+ "ipv6_first": $ipv6_first,
+ "fast_open": $fast_open,
+ "reuse_port": $reuse_port,
+ ${local_address:+${q}local_address${q}: ${q}$local_address${q},}
+ ${local_port:+${q}local_port${q}: $local_port,}
+ ${mode:+${q}mode${q}: ${q}$mode${q},}
+ ${mtu:+${q}mtu${q}: $mtu,}
+ ${timeout:+${q}timeout${q}: $timeout,}
+ ${user:+${q}user${q}: ${q}$user${q},}
+ EOF
+}
+
+ss_mkjson_ss_local_conf() {
+ ss_mkjson_server_conf
+}
+
+ss_mkjson_ss_redir_conf() {
+ ss_mkjson_server_conf || return 1
+ [ "$disable_sni" = 0 ] && disable_sni=false || disable_sni=true
+ cat <<-EOF
+ "disable_sni": $disable_sni,
+ EOF
+}
+
+ss_mkjson_ss_server_conf() {
+ ss_mkjson_server_conf_
+}
+
+ss_mkjson_ss_tunnel_conf() {
+ ss_mkjson_server_conf || return 1
+ [ -n "$tunnel_address" ] || return 1
+ cat <<-EOF
+ ${tunnel_address:+${q}tunnel_address${q}: ${q}$tunnel_address${q},}
+ EOF
+}
+
+ss_xxx() {
+ local cfg="$1"
+ local cfgtype="$2"
+ local bin="$ss_bindir/${cfgtype/_/-}"
+ local confjson="$ss_confdir/$cfgtype.$cfg.json"
+
+ [ -x "$bin" ] || return
+ eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)"
+ "validate_${cfgtype}_section" "$cfg" || return 1
+ [ "$disabled" = 0 ] || return
+
+ if ss_mkjson \
+ ss_mkjson_common_conf \
+ ss_mkjson_${cfgtype}_conf \
+ ; then
+ procd_open_instance "$cfgtype.$cfg"
+ procd_set_param command "$bin" -c "$confjson"
+ [ "$verbose" = 0 ] || procd_append_param command -v
+ [ -z "$bind_address" ] || procd_append_param command -b "$bind_address"
+ [ -z "$manager_address" ] || procd_append_param command --manager-address "$manager_address"
+ procd_set_param file "$confjson"
+ procd_set_param respawn
+ procd_close_instance
+ ss_rules_cb
fi
- /usr/bin/ss-redir \
- -c $CONFIG_FILE \
- -f /var/run/ss-redir.pid \
- $udp
- return $?
}
-start_tunnel() {
- : ${udp:="-u"}
- /usr/bin/ss-tunnel \
- -c $CONFIG_FILE \
- -l $tunnel_port \
- -L $tunnel_forward \
- -f /var/run/ss-tunnel.pid \
- $udp
- return $?
+ss_rules_cb() {
+ local cfgserver server
+
+ if [ "$cfgtype" = ss_redir ]; then
+ config_get cfgserver "$cfg" server
+ config_get server "$cfgserver" server
+ ss_redir_servers="$ss_redir_servers $server"
+ if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then
+ eval "ss_rules_redir_tcp_$cfg=$local_port"
+ fi
+ if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then
+ eval "ss_rules_redir_udp_$cfg=$local_port"
+ fi
+ fi
}
-rules() {
+ss_rules() {
+ local cfg="ss_rules"
+ local bin="$ss_bindir/ss-rules"
+ local cfgtype
+ local local_port_tcp local_port_udp
+ local args
+
+ [ -x "$bin" ] || return 1
+ config_get cfgtype "$cfg" TYPE
+ [ "$cfgtype" = ss_rules ] || return 1
+
+ eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
+ validate_ss_rules_section "$cfg" || return 1
+ [ "$disabled" = 0 ] || return 1
+
+ eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
+ eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
+ [ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1
+ ss_redir_servers="$(echo "$ss_redir_servers" | tr ' ' '\n' | sort -u)"
+ [ "$dst_forward_recentrst" = 0 ] || args="$args --dst-forward-recentrst"
+
+ "$bin" \
+ -s "$ss_redir_servers" \
+ -l "$local_port_tcp" \
+ -L "$local_port_udp" \
+ --src-default "$src_default" \
+ --dst-default "$dst_default" \
+ --local-default "$local_default" \
+ --dst-bypass-file "$dst_ips_bypass_file" \
+ --dst-forward-file "$dst_ips_forward_file" \
+ --dst-bypass "$dst_ips_bypass" \
+ --dst-forward "$dst_ips_forward" \
+ --src-bypass "$src_ips_bypass" \
+ --src-forward "$src_ips_forward" \
+ --src-checkdst "$src_ips_checkdst" \
+ --ifnames "$ifnames" \
+ --ipt-extra "$ipt_args" \
+ $args \
+ || "$bin" -f
+}
+
+start_service() {
+ local cfgtype
+
+ mkdir -p "$ss_confdir"
config_load shadowsocks-libev
- config_foreach get_config shadowsocks-libev
- [ "$enable" = 1 ] || exit 0
- mkdir -p /var/run /var/etc
-
- : ${server:?}
- : ${server_port:?}
- : ${local_port:?}
- : ${password:?}
- : ${encrypt_method:?}
- case $udp_mode in
- 1) udp="-u"
- ;;
- 2)
- udp="-U"
- : ${udp_server:?}
- : ${udp_server_port:?}
- : ${udp_local_port:?}
- : ${udp_password:?}
- : ${udp_encrypt_method:?}
- ;;
- esac
-
- start_rules
-}
-
-boot() {
- until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
- sleep 1
+ for cfgtype in ss_local ss_redir ss_server ss_tunnel; do
+ config_foreach ss_xxx "$cfgtype" "$cfgtype"
done
- start
+ ss_rules
+}
+
+stop_service() {
+ local bin="$ss_bindir/ss-rules"
+
+ [ -x "$bin" ] && "$bin" -f
+ rm -rf "$ss_confdir"
+}
+
+service_triggers() {
+ procd_add_reload_interface_trigger wan
+ procd_add_reload_trigger shadowsocks-libev
+ procd_open_validate
+ validate_server_section
+ validate_ss_local_section
+ validate_ss_redir_section
+ validate_ss_rules_section
+ validate_ss_server_section
+ validate_ss_tunnel_section
+ procd_close_validate
+}
+
+ss_validate_mklocal() {
+ local tuple opts
+
+ shift 2
+ for tuple in "$@"; do
+ opts="${tuple%%:*} $opts"
+ done
+ [ -z "$opts" ] || echo "local $opts"
+}
+
+ss_validate() {
+ uci_validate_section shadowsocks-libev "$@"
+}
+
+validate_common_server_options_() {
+ local cfgtype="$1"; shift
+ local cfg="$1"; shift
+ local func="$1"; shift
+ local stream_methods='"table", "rc4", "rc4-md5", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb", "aes-128-ctr", "aes-192-ctr", "aes-256-ctr", "bf-cfb", "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb", "salsa20", "chacha20", "chacha20-ietf"'
+ local aead_methods='"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"'
+
+ "${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
+ 'disabled:bool:0' \
+ 'server:host' \
+ 'server_port:port' \
+ 'password:string' \
+ 'key:string' \
+ "method:or($stream_methods, $aead_methods)"
+}
+
+validate_common_client_options_() {
+ validate_common_options_ "$@" \
+ 'server:uci("shadowsocks-libev", "@server")' \
+ 'local_address:host:0.0.0.0' \
+ 'local_port:port'
+}
+
+validate_common_options_() {
+ local cfgtype="$1"; shift
+ local cfg="$1"; shift
+ local func="$1"; shift
+
+ "${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
+ 'disabled:bool:0' \
+ 'fast_open:bool:0' \
+ 'ipv6_first:bool:0' \
+ 'reuse_port:bool:0' \
+ 'verbose:bool:0' \
+ 'mode:or("tcp_only", "udp_only", "tcp_and_udp"):tcp_only' \
+ 'mtu:uinteger' \
+ 'timeout:uinteger' \
+ 'user:string'
+}
+
+validate_server_section() {
+ validate_common_server_options_ server "$1" "${2}"
+}
+
+validate_ss_local_section() {
+ validate_common_client_options_ ss_local "$1" "${2}"
+}
+
+validate_ss_redir_section() {
+ validate_common_client_options_ ss_redir "$1" \
+ "${2}" \
+ 'disable_sni:bool:0'
+}
+
+validate_ss_rules_section() {
+ "${2:-ss_validate}" ss_rules "$1" \
+ 'disabled:bool:0' \
+ 'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \
+ 'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \
+ 'src_ips_bypass:or(ip4addr,cidr4)' \
+ 'src_ips_forward:or(ip4addr,cidr4)' \
+ 'src_ips_checkdst:or(ip4addr,cidr4)' \
+ 'dst_ips_bypass_file:file' \
+ 'dst_ips_bypass:or(ip4addr,cidr4)' \
+ 'dst_ips_forward_file:file' \
+ 'dst_ips_forward:or(ip4addr,cidr4)' \
+ 'src_default:or("bypass", "forward", "checkdst"):checkdst' \
+ 'dst_default:or("bypass", "forward"):bypass' \
+ 'local_default:or("bypass", "forward", "checkdst"):bypass' \
+ 'dst_forward_recentrst:bool:0' \
+ 'ifnames:maxlength(15)' \
+ 'ipt_args:string'
}
-start() {
- rules && start_redir
- [ "$tunnel_enable" = 1 ] && start_tunnel
+validate_ss_server_section() {
+ validate_common_server_options_ ss_server "$1" \
+ validate_common_options_ \
+ "${2}" \
+ 'bind_address:ipaddr' \
+ 'manager_address:host'
}
-stop() {
- /usr/bin/ss-rules -f
- killall -q -9 ss-redir
- killall -q -9 ss-tunnel
+validate_ss_tunnel_section() {
+ validate_common_client_options_ ss_tunnel "$1" \
+ "${2}" \
+ 'tunnel_address:regex(".+\:[0-9]+")'
}