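├── .gitignore
├── Makefile
├── README.md
└── files
    ├── shadowsocks.conf
    ├── shadowsocks.config
    ├── shadowsocks.include
    ├── shadowsocks.init
    ├── shadowsocks.rule
    └── shadowsocks.spec

/.gitignore:
--------------------------------------------------------------------------------
dist/*

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
#
# Copyright (C) 2015 OpenWrt-dist
#
# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#
# OpenWrt package recipe: builds shadowsocks-libev in two crypto variants
# (OpenSSL, PolarSSL) and packages each as a plain and a "-spec" flavour.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=shadowsocks-libev
PKG_VERSION:=2.3.0
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/shadowsocks/openwrt-shadowsocks/releases/download/v$(PKG_VERSION)
# NOTE(review): this MD5 digest is the only integrity check applied to the
# downloaded tarball, and MD5 is not collision-resistant. Where the build
# tree in use accepts a SHA-256 digest (PKG_HASH in later OpenWrt trees),
# pin that instead.
PKG_MD5SUM:=d23713f18cdb9c077f4e8cf1948eeac3

PKG_LICENSE:=GPLv3
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Max Lv

# One build directory per BUILD_VARIANT so the two crypto variants do not
# overwrite each other's objects.
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)/$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)

PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1

include $(INCLUDE_DIR)/package.mk

# Shared package metadata template.
#   $(1) build variant, $(2) suffix appended to the title, $(3) dependencies
define Package/shadowsocks-libev/Default
  SECTION:=net
  CATEGORY:=Network
  TITLE:=Lightweight Secured Socks5 Proxy $(2)
  URL:=https://github.com/shadowsocks/shadowsocks-libev
  VARIANT:=$(1)
  DEPENDS:=$(3)
endef

# The "-spec" flavours additionally depend on ipset, ip and the TPROXY
# iptables module, which the ss-rules script uses.
Package/shadowsocks-libev = $(call Package/shadowsocks-libev/Default,openssl,(OpenSSL),+libopenssl +libpthread)
Package/shadowsocks-libev-spec = $(call Package/shadowsocks-libev/Default,openssl,(OpenSSL),+libopenssl +libpthread +ipset +ip +iptables-mod-tproxy)
Package/shadowsocks-libev-polarssl = $(call Package/shadowsocks-libev/Default,polarssl,(PolarSSL),+libpolarssl +libpthread)
Package/shadowsocks-libev-spec-polarssl = $(call Package/shadowsocks-libev/Default,polarssl,(PolarSSL),+libpolarssl +libpthread +ipset +ip +iptables-mod-tproxy)

define Package/shadowsocks-libev/description
Shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes.
endef

Package/shadowsocks-libev-spec/description = $(Package/shadowsocks-libev/description)
Package/shadowsocks-libev-polarssl/description = $(Package/shadowsocks-libev/description)
Package/shadowsocks-libev-spec-polarssl/description = $(Package/shadowsocks-libev/description)

# Files listed as conffiles are the ones holding the user's settings,
# including the proxy password.
define Package/shadowsocks-libev/conffiles
/etc/shadowsocks.json
endef

define Package/shadowsocks-libev-spec/conffiles
/etc/config/shadowsocks
endef

Package/shadowsocks-libev-polarssl/conffiles = $(Package/shadowsocks-libev/conffiles)
Package/shadowsocks-libev-spec-polarssl/conffiles = $(Package/shadowsocks-libev-spec/conffiles)

# Post-install hook for the "-spec" flavours. When run on a live system
# (IPKG_INSTROOT is empty) it registers
# /usr/share/shadowsocks/firewall.include as a script-type firewall include
# with reload=1 and commits the firewall config.
define Package/shadowsocks-libev-spec/postinst
#!/bin/sh
if [ -z "$${IPKG_INSTROOT}" ]; then
	uci -q batch <<-EOF >/dev/null
		delete firewall.shadowsocks
		set firewall.shadowsocks=include
		set firewall.shadowsocks.type=script
		set firewall.shadowsocks.path=/usr/share/shadowsocks/firewall.include
		set firewall.shadowsocks.reload=1
		commit firewall
	EOF
fi
exit 0
endef

Package/shadowsocks-libev-spec-polarssl/postinst = $(Package/shadowsocks-libev-spec/postinst)

ifeq ($(BUILD_VARIANT),polarssl)
  CONFIGURE_ARGS += --with-crypto-library=polarssl
endif

# Plain flavour: ss-local, ss-redir and ss-tunnel, a JSON config and the
# init script. $(1) is the staging root of the package.
define Package/shadowsocks-libev/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{local,redir,tunnel} $(1)/usr/bin
	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_CONF) ./files/shadowsocks.conf $(1)/etc/shadowsocks.json
	$(INSTALL_BIN) ./files/shadowsocks.init $(1)/etc/init.d/shadowsocks
endef

# "-spec" flavour: ss-redir and ss-tunnel plus the ss-rules script, the UCI
# config, the init script and the firewall include.
# The UCI config carries the proxy password, so it is installed with
# INSTALL_CONF (mode 0600, as /etc/shadowsocks.json is in the plain flavour)
# instead of INSTALL_DATA (mode 0644).
define Package/shadowsocks-libev-spec/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ss-{redir,tunnel} $(1)/usr/bin
	$(INSTALL_BIN) ./files/shadowsocks.rule $(1)/usr/bin/ss-rules
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/shadowsocks.config $(1)/etc/config/shadowsocks
	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/shadowsocks.spec $(1)/etc/init.d/shadowsocks
	$(INSTALL_DIR) $(1)/usr/share/shadowsocks
	$(INSTALL_DATA) ./files/shadowsocks.include $(1)/usr/share/shadowsocks/firewall.include
endef

Package/shadowsocks-libev-polarssl/install = $(Package/shadowsocks-libev/install)
Package/shadowsocks-libev-spec-polarssl/install = $(Package/shadowsocks-libev-spec/install)

$(eval $(call BuildPackage,shadowsocks-libev))
$(eval $(call BuildPackage,shadowsocks-libev-spec))
$(eval $(call BuildPackage,shadowsocks-libev-polarssl))
$(eval $(call BuildPackage,shadowsocks-libev-spec-polarssl))

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Shadowsocks-libev for OpenWrt
===

简介
---

本项目是 [shadowsocks-libev][1] 在 OpenWrt 上的移植
当前版本: 2.3.0-1
[预编译 IPK 下载][2]

特性
---

可编译两种版本

- shadowsocks-libev

   > 官方原版
   > 可执行文件 `ss-{local,redir,tunnel}`
   > 默认启动: ss-local 提供 SOCKS 代理

- shadowsocks-libev-spec

   > 针对 OpenWrt 的优化版本
   > 可执行文件 `ss-{redir,rules,tunnel}`
   > 默认启动:
   > `ss-redir` 提供透明代理, 从 v2.2.0 开始支持 UDP
   > `ss-rules` 生成代理转发规则
   > `ss-tunnel` 提供 UDP 转发, 用于 DNS 查询

编译
---

- 从 OpenWrt 的 [SDK][S] 编译

   ```bash
   # 以 ar71xx 平台为例
   tar xjf OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2
   cd OpenWrt-SDK-ar71xx-*
   # 获取 Makefile
   git clone https://github.com/shadowsocks/openwrt-shadowsocks.git package/shadowsocks-libev
   # 选择要编译的包 Network -> shadowsocks-libev
   make menuconfig
   # 开始编译
   make package/shadowsocks-libev/compile V=99
   ```

配置
---

- shadowsocks-libev 配置文件: `/etc/shadowsocks.json`

- shadowsocks-libev-spec 配置文件: `/etc/config/shadowsocks`

- shadowsocks-libev-spec 从 `v1.5.2` 开始可以使用 [LuCI][L] 配置界面

----------


[1]: https://github.com/shadowsocks/shadowsocks-libev
[2]: https://sourceforge.net/projects/openwrt-dist/files/shadowsocks-libev/
[L]: https://github.com/aa65535/openwrt-dist-luci
[S]: http://wiki.openwrt.org/doc/howto/obtain.firmware.sdk

--------------------------------------------------------------------------------
/files/shadowsocks.conf:
--------------------------------------------------------------------------------
{
    "server": "127.0.0.1",
    "server_port": 443,
    "local_port": 1080,
    "password": "password",
    "timeout": 60,
    "method": "rc4-md5"
}

--------------------------------------------------------------------------------
/files/shadowsocks.config:
--------------------------------------------------------------------------------

config shadowsocks
option enable '1'
option server '127.0.0.1'
option server_port '8388'
option local_port '1080'
option password 'barfoo!'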
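option timeout '60'
option encrypt_method 'rc4-md5'
option ignore_list '/dev/null'
option udp_mode '0'
option tunnel_enable '1'
option tunnel_port '5300'
option tunnel_forward '8.8.4.4:53'
option lan_ac_mode '0'

--------------------------------------------------------------------------------
/files/shadowsocks.include:
--------------------------------------------------------------------------------
#!/bin/sh

# Firewall include: re-apply the ss-rules redirect rules whenever the
# firewall is reloaded, but only while an ss-redir process is running.
if pidof ss-redir >/dev/null; then
	/etc/init.d/shadowsocks rules
	logger -t ShadowSocks "Reloading ShadowSocks due to restart of firewall"
fi

--------------------------------------------------------------------------------
/files/shadowsocks.init:
--------------------------------------------------------------------------------
#!/bin/sh /etc/rc.common

START=95

SERVICE_USE_PID=1
SERVICE_WRITE_PID=1
SERVICE_DAEMONIZE=1

CONFIG=/etc/shadowsocks.json

# Start ss-local with the JSON config.
# NOTE(review): "-b 0.0.0.0" makes the local listener bind every interface,
# not just the LAN side. Confirm that the firewall blocks the local port on
# untrusted interfaces, or bind to the LAN address instead.
start() {
	service_start /usr/bin/ss-local -c "$CONFIG" -b 0.0.0.0
	#service_start /usr/bin/ss-redir -c $CONFIG -b 0.0.0.0
	#service_start /usr/bin/ss-tunnel -c $CONFIG -b 0.0.0.0 -l 5353 -L 8.8.8.8:53 -u
}

# Stop the daemon started by start().
stop() {
	service_stop /usr/bin/ss-local
	#service_stop /usr/bin/ss-redir
	#service_stop /usr/bin/ss-tunnel
}

--------------------------------------------------------------------------------
/files/shadowsocks.rule:
--------------------------------------------------------------------------------
#!/bin/sh
#
# ss-rules: build (or flush) the iptables/ipset rules that redirect TCP, and
# optionally UDP via TPROXY, to a local shadowsocks listener.

# Print the command-line help text.
usage() {
	cat <<-EOF
		Usage: ss-rules [options]

		Valid options are:

		    -s    hostname or ip of shadowsocks remote server
		    -l    port number of shadowsocks local server
		    -S    ip of shadowsocks remote server for UDP (with -U)
		    -L    port number of shadowsocks local server for UDP (with -U)
		    -i    a file content is bypassed ip list
		    -a    lan ip of access control, need a prefix to
		          define access control mode
		    -b    wan ip of will be bypassed
		    -w    wan ip of will be forwarded
		    -e    extra options for iptables
		    -o    apply the rules to the OUTPUT chain
		    -u    enable udprelay mode, TPROXY is required
		    -U    enable udprelay mode, using different IP
		          and ports for TCP and UDP
		    -f    flush the rules
	EOF
}

# Log message $2 to syslog and stderr under the tag ss-rules[PID].
# $1 is the numeric priority:
# 1.alert 2.crit 3.err 4.warn 5.notice 6.info 7.debug
loger() {
	logger -st "ss-rules[$$]" -p"$1" "$2"
}

ipt_n="iptables -t nat"
ipt_m="iptables -t mangle"

# Remove everything this script installed: the tagged jump rules and the
# SS_SPEC* chains in the nat and mangle tables, the TPROXY policy route and
# the two ipsets. Always returns 0 so that a flush on a clean system is not
# treated as an error.
flush_r() {
	local table ipt dump chain

	for table in nat mangle; do
		ipt="iptables -t $table"
		dump=$(iptables-save -t $table)

		# Turn every saved "-A ..." rule carrying the _SS_SPEC_RULE_
		# comment into the matching "-D ..." command and run it.
		# NOTE(review): eval executes text taken from the live ruleset.
		# The tagged rules are the ones ac_rule/tp_rule add, and they
		# embed the caller-supplied -e options, so that value has to
		# come from a trusted configuration.
		eval $(echo "$dump" | grep "_SS_SPEC_RULE_" | \
			sed -e 's/^-A/$ipt -D/' -e 's/$/;/')

		# iptables-save prints chains as ":NAME ..."; strip the colon.
		for chain in $(echo "$dump" | awk '/^:SS_SPEC/{print $1}'); do
			$ipt -F ${chain:1} 2>/dev/null && $ipt -X ${chain:1}
		done
	done

	ip rule del fwmark 0x01/0x01 table 100 2>/dev/null
	ip route del local 0.0.0.0/0 dev lo table 100 2>/dev/null
	ipset -X ss_spec_lan_ac 2>/dev/null
	ipset -X ss_spec_wan_ac 2>/dev/null
	return 0
}

# Create the ss_spec_wan_ac set from $IPLIST (destinations that bypass the
# proxy) with the -w addresses added as "nomatch" (always forwarded), then
# the SS_SPEC_WAN_AC chain: RETURN for set members, SS_SPEC_WAN_FW otherwise.
ipset_r() {
	ipset -! -R <<-EOF || return 1
		create ss_spec_wan_ac hash:net
		$(echo -e "$IPLIST" | sed -e "s/^/add ss_spec_wan_ac /")
		$(for ip in $WAN_FW_IP; do echo "add ss_spec_wan_ac $ip nomatch"; done)
	EOF
	$ipt_n -N SS_SPEC_WAN_AC && \
	$ipt_n -A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN && \
	$ipt_n -A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
	return $?
}

# Create the SS_SPEC_WAN_FW chain that redirects TCP to $local_port.
# Exits the script with status 1 if the chain or rule cannot be created.
fw_rule() {
	$ipt_n -N SS_SPEC_WAN_FW && \
	$ipt_n -A SS_SPEC_WAN_FW -p tcp \
		-j REDIRECT --to-ports $local_port 2>/dev/null || {
		loger 3 "Can't redirect, please check the iptables."
		exit 1
	}
	return $?
}

# Create the ss_spec_lan_ac set from the -a argument and hook SS_SPEC_WAN_AC
# into the LAN prerouting chain (and OUTPUT when -o was given).
# The first character of $LAN_AC_IP selects the mode: "w" adds the entries
# as "nomatch", "b" adds them as plain members; anything else is rejected
# with status 2.
ac_rule() {
	local TAG ROUTECHAIN

	if [ -n "$LAN_AC_IP" ]; then
		case "${LAN_AC_IP:0:1}" in
			w)
				TAG="nomatch"
				;;
			b)
				;;
			*)
				loger 3 "Bad argument \`-a $LAN_AC_IP\`."
				return 2
				;;
		esac
	fi

	# Prefer the firewall's own LAN chain when it exists.
	ROUTECHAIN=PREROUTING
	if iptables-save -t nat | grep -q "^:zone_lan_prerouting"; then
		ROUTECHAIN=zone_lan_prerouting
	fi

	ipset -! -R <<-EOF || return 1
		create ss_spec_lan_ac hash:net
		$(for ip in ${LAN_AC_IP:1}; do echo "add ss_spec_lan_ac $ip $TAG"; done)
	EOF

	# Report a failure here instead of letting the status of the OUTPUT
	# block below overwrite it.
	$ipt_n -A $ROUTECHAIN -p tcp $EXT_ARGS \
		-m set ! --match-set ss_spec_lan_ac src \
		-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC || return $?

	if [ "$OUTPUT" = 1 ]; then
		$ipt_n -A OUTPUT -p tcp $EXT_ARGS \
			-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_WAN_AC || return $?
	fi
	return 0
}

# When UDP relay was requested (-u/-U), add the policy route and the mangle
# rules that hand UDP to TPROXY on $LOCAL_PORT. The individual steps are
# best effort; only the status of the last rule is returned.
tp_rule() {
	[ -n "$TPROXY" ] || return 0
	ip rule add fwmark 0x01/0x01 table 100
	ip route add local 0.0.0.0/0 dev lo table 100
	$ipt_m -N SS_SPEC_TPROXY
	$ipt_m -A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst \
		-j TPROXY --on-port $LOCAL_PORT --tproxy-mark 0x01/0x01
	$ipt_m -A PREROUTING -p udp $EXT_ARGS \
		-m set ! --match-set ss_spec_lan_ac src \
		-m comment --comment "_SS_SPEC_RULE_" -j SS_SPEC_TPROXY
	return $?
}

while getopts ":s:l:S:L:i:e:a:b:w:ouUf" arg; do
	case $arg in
		s)
			server=$OPTARG
			;;
		l)
			local_port=$OPTARG
			;;
		S)
			SERVER=$OPTARG
			;;
		L)
			LOCAL_PORT=$OPTARG
			;;
		i)
			IGNORE=$OPTARG
			;;
		e)
			EXT_ARGS=$OPTARG
			;;
		a)
			LAN_AC_IP=$OPTARG
			;;
		b)
			# One address per line, the form IPLIST expects below.
			WAN_BP_IP=$(for ip in $OPTARG; do echo "$ip"; done)
			;;
		w)
			WAN_FW_IP=$OPTARG
			;;
		o)
			OUTPUT=1
			;;
		u)
			TPROXY=1
			;;
		U)
			TPROXY=2
			;;
		f)
			flush_r
			exit 0
			;;
		*)
			# Unknown option or missing argument: do not touch the
			# ruleset on a command line that was not understood.
			usage
			exit 2
			;;
	esac
done

if [ -z "$server" -o -z "$local_port" ]; then
	usage
	exit 2
fi

# -u: UDP uses the same server and local port as TCP.
if [ "$TPROXY" = 1 ]; then
	SERVER=$server
	LOCAL_PORT=$local_port
fi

# -U: UDP needs its own server and port; stop instead of building TPROXY
# rules with an empty --on-port.
if [ "$TPROXY" = 2 ]; then
	if [ -z "$SERVER" -o -z "$LOCAL_PORT" ]; then
		loger 3 "Please use -S and -L specifies IP and port for UDP."
		exit 2
	fi
fi

if [ -f "$IGNORE" ]; then
	IGNORE_IP=$(cat "$IGNORE" 2>/dev/null)
fi

# Destinations that must never be redirected: the proxy servers themselves,
# the reserved/private IPv4 ranges, the -b list and the -i file.
# The grep keeps only lines that begin with a dotted-quad IPv4 address, so a
# host name passed with -s is dropped here and is NOT added to the bypass set.
IPLIST=$(cat <<-EOF | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}"
	$server
	$SERVER
	0.0.0.0/8
	10.0.0.0/8
	100.64.0.0/10
	127.0.0.0/8
	169.254.0.0/16
	172.16.0.0/12
	192.0.0.0/24
	192.0.2.0/24
	192.88.99.0/24
	192.168.0.0/16
	198.18.0.0/15
	198.51.100.0/24
	203.0.113.0/24
	224.0.0.0/4
	240.0.0.0/4
	255.255.255.255
	$WAN_BP_IP
	$IGNORE_IP
	EOF
)

flush_r && fw_rule && ipset_r && ac_rule && tp_rule

exit $?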
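--------------------------------------------------------------------------------
/files/shadowsocks.spec:
--------------------------------------------------------------------------------
#!/bin/sh /etc/rc.common
#
# Init script of the "-spec" flavour: reads /etc/config/shadowsocks, installs
# the redirect rules through ss-rules and starts ss-redir / ss-tunnel.

START=90
STOP=15

EXTRA_COMMANDS="rules"
CONFIG_FILE=/var/etc/shadowsocks.json

# config_foreach callback: copy the options of UCI section $1 into shell
# variables of the same name and fill in defaults for the optional ones.
get_config() {
	config_get_bool enable "$1" enable
	config_get server "$1" server
	config_get server_port "$1" server_port
	config_get local_port "$1" local_port
	config_get timeout "$1" timeout
	config_get password "$1" password
	config_get encrypt_method "$1" encrypt_method
	config_get ignore_list "$1" ignore_list
	config_get udp_mode "$1" udp_mode
	config_get udp_server "$1" udp_server
	config_get udp_server_port "$1" udp_server_port
	config_get udp_local_port "$1" udp_local_port
	config_get udp_timeout "$1" udp_timeout
	config_get udp_password "$1" udp_password
	config_get udp_encrypt_method "$1" udp_encrypt_method
	config_get_bool tunnel_enable "$1" tunnel_enable
	config_get tunnel_port "$1" tunnel_port
	config_get tunnel_forward "$1" tunnel_forward
	config_get lan_ac_mode "$1" lan_ac_mode
	config_get lan_ac_ip "$1" lan_ac_ip
	config_get wan_bp_ip "$1" wan_bp_ip
	config_get wan_fw_ip "$1" wan_fw_ip
	config_get ipt_ext "$1" ipt_ext
	: ${timeout:=60}
	: ${udp_timeout:=60}
	: ${tunnel_port:=5300}
	: ${tunnel_forward:=8.8.4.4:53}
}

# Run ss-rules with the loaded settings. lan_ac_mode 1 prefixes the LAN list
# with "w", mode 2 with "b"; any other mode passes an empty -a argument.
# NOTE(review): ipt_ext is handed to ss-rules as extra iptables options, so
# it must only ever be set by a trusted administrator.
start_rules() {
	local ac_args

	if [ -n "$lan_ac_ip" ]; then
		case $lan_ac_mode in
			1) ac_args="w$lan_ac_ip"
			;;
			2) ac_args="b$lan_ac_ip"
			;;
		esac
	fi
	# "-o" is a flag of its own; $udp is left unquoted on purpose so that an
	# empty value adds no argument at all.
	/usr/bin/ss-rules \
		-s "$server" \
		-l "$local_port" \
		-S "$udp_server" \
		-L "$udp_local_port" \
		-i "$ignore_list" \
		-a "$ac_args" \
		-b "$wan_bp_ip" \
		-w "$wan_fw_ip" \
		-e "$ipt_ext" \
		-o $udp
	return $?
}

# Write a JSON config for ss-redir/ss-tunnel to $CONFIG_FILE.
#   $1 server  $2 server port  $3 local port  $4 password  $5 timeout  $6 method
# The file holds the proxy password: it is written under umask 077, and any
# earlier copy is removed first so that wider permissions do not survive.
# NOTE(review): values are interpolated as-is; a password containing '"' or
# '\' produces invalid JSON.
write_config() {
	(
		umask 077
		rm -f "$CONFIG_FILE"
		cat <<-EOF >"$CONFIG_FILE"
			{
			    "server": "$1",
			    "server_port": $2,
			    "local_address": "0.0.0.0",
			    "local_port": $3,
			    "password": "$4",
			    "timeout": $5,
			    "method": "$6"
			}
		EOF
	)
}

# Start ss-redir. With udp_mode 2 a first instance is launched on the TCP
# settings, then $CONFIG_FILE is rewritten with the UDP settings for the
# second instance (started with $udp, i.e. -U). Whatever was written last is
# also what ss-tunnel reads later.
# NOTE(review): "local_address" is 0.0.0.0, so the redirect port listens on
# every interface; the firewall has to keep it unreachable from the WAN side.
start_redir() {
	write_config "$server" "$server_port" "$local_port" \
		"$password" "$timeout" "$encrypt_method"
	if [ "$udp_mode" = 2 ]; then
		/usr/bin/ss-redir \
			-c "$CONFIG_FILE" \
			-f /var/run/ss-redir_t.pid
		write_config "$udp_server" "$udp_server_port" "$udp_local_port" \
			"$udp_password" "$udp_timeout" "$udp_encrypt_method"
	fi
	/usr/bin/ss-redir \
		-c "$CONFIG_FILE" \
		-f /var/run/ss-redir.pid \
		$udp
	return $?
}

# Start ss-tunnel, forwarding local port $tunnel_port to $tunnel_forward.
# Falls back to "-u" when no UDP mode was selected.
start_tunnel() {
	: ${udp:="-u"}
	/usr/bin/ss-tunnel \
		-c "$CONFIG_FILE" \
		-l $tunnel_port \
		-L $tunnel_forward \
		-f /var/run/ss-tunnel.pid \
		$udp
	return $?
}

# Extra command "rules": load the UCI config, check the mandatory options and
# install the redirect rules. Exits 0 right away when the service is
# disabled; the ${var:?} expansions abort on a missing mandatory option.
rules() {
	config_load shadowsocks
	config_foreach get_config shadowsocks
	[ "$enable" = 1 ] || exit 0
	mkdir -p /var/run /var/etc

	: ${server:?}
	: ${server_port:?}
	: ${local_port:?}
	: ${password:?}
	: ${encrypt_method:?}
	case $udp_mode in
		1) udp="-u"
		;;
		2)
			udp="-U"
			: ${udp_server:?}
			: ${udp_server_port:?}
			: ${udp_local_port:?}
			: ${udp_password:?}
			: ${udp_encrypt_method:?}
		;;
	esac

	start_rules
}

# At boot, wait until the firewall has created zone_lan_prerouting in the nat
# table before starting, polling once per second with no upper bound.
boot() {
	until iptables-save -t nat | grep -q "^:zone_lan_prerouting"; do
		sleep 1
	done
	start
}

# Install the rules and start ss-redir; start ss-tunnel only when that
# succeeded and the tunnel is enabled. A disabled tunnel is not an error.
start() {
	rules && start_redir || return 1
	[ "$tunnel_enable" != 1 ] || start_tunnel
}

# Flush the rules and kill both daemons. SIGKILL gives them no chance to
# clean up, so pid files and $CONFIG_FILE (with the password) stay behind.
stop() {
	/usr/bin/ss-rules -f
	killall -q -9 ss-redir
	killall -q -9 ss-tunnel
}

--------------------------------------------------------------------------------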