shadowsocks-libev: update to version 3.1.0 with patch for CVE-2017-15924
CVE-2017-15924 - Command Execution in ss-manager. More at shadowsocks/shadowsocks-libev#1734
Showing
8 changed files
with
944 additions
and
0 deletions.
@@ -0,0 +1,125 @@ | ||
# | ||
# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com> | ||
# | ||
# This is free software, licensed under the GNU General Public License v2. | ||
# See /LICENSE for more information. | ||
# | ||
|
||
include $(TOPDIR)/rules.mk | ||
|
||
# Checklist when bumping versions | ||
# | ||
# - update cipher list by checking src/crypto.c:crypto_init() | ||
# - check if default mode has changed from being tcp_only | ||
# | ||
PKG_NAME:=shadowsocks-libev | ||
PKG_VERSION:=3.1.0 | ||
PKG_RELEASE:=1 | ||
|
||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz | ||
PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION) | ||
PKG_MD5SUM:=3b6493ebdcfff1eb31faf34d164d57049f7253ff5bffafa6ce2263c9ac123f31 | ||
|
||
PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com> | ||
|
||
PKG_LICENSE:=GPL-3.0+ | ||
PKG_LICENSE_FILES:=LICENSE | ||
|
||
PKG_FIXUP:=autoreconf | ||
PKG_INSTALL:=1 | ||
PKG_USE_MIPS16:=0 | ||
PKG_BUILD_PARALLEL:=1 | ||
|
||
include $(INCLUDE_DIR)/package.mk | ||
|
||
|
||
define Package/shadowsocks-libev-config | ||
SECTION:=net | ||
CATEGORY:=Network | ||
SUBMENU:=Web Servers/Proxies | ||
TITLE:=shadowsocks-libev config scripts | ||
URL:=https://github.com/shadowsocks/shadowsocks-libev | ||
endef | ||
|
||
define Package/shadowsocks-libev-config/install | ||
$(INSTALL_DIR) $(1)/etc/config | ||
$(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev | ||
$(INSTALL_DIR) $(1)/etc/init.d | ||
$(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev | ||
endef | ||
|
||
|
||
define Package/shadowsocks-libev/Default | ||
define Package/shadowsocks-libev-$(1) | ||
SECTION:=net | ||
CATEGORY:=Network | ||
SUBMENU:=Web Servers/Proxies | ||
TITLE:=shadowsocks-libev $(1) | ||
URL:=https://github.com/shadowsocks/shadowsocks-libev | ||
DEPENDS:=+libcares +libev +libmbedtls +libpcre +libpthread +libsodium +shadowsocks-libev-config +zlib | ||
endef | ||
|
||
define Package/shadowsocks-libev-$(1)/install | ||
$$(INSTALL_DIR) $$(1)/usr/bin | ||
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/bin/$(1) $$(1)/usr/bin | ||
endef | ||
|
||
endef | ||
|
||
SHADOWSOCKS_COMPONENTS:=ss-local ss-redir ss-tunnel ss-server | ||
define shadowsocks-libev/templates | ||
$(foreach component,$(SHADOWSOCKS_COMPONENTS), | ||
$(call Package/shadowsocks-libev/Default,$(component)) | ||
) | ||
endef | ||
$(eval $(call shadowsocks-libev/templates)) | ||
|
||
|
||
define Package/shadowsocks-libev-ss-rules | ||
SECTION:=net | ||
CATEGORY:=Network | ||
SUBMENU:=Web Servers/Proxies | ||
TITLE:=shadowsocks-libev ss-rules | ||
URL:=https://github.com/shadowsocks/shadowsocks-libev | ||
DEPENDS:=+ip +ipset +iptables-mod-tproxy +resolveip +shadowsocks-libev-ss-redir +shadowsocks-libev-config | ||
endef | ||
|
||
define Package/shadowsocks-libev-ss-rules/install | ||
$(INSTALL_DIR) $(1)/usr/bin | ||
$(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin | ||
$(INSTALL_DIR) $(1)/etc/uci-defaults | ||
$(INSTALL_DATA) ./files/firewall.ss-rules $(1)/etc | ||
$(INSTALL_BIN) ./files/ss-rules.defaults $(1)/etc/uci-defaults | ||
endef | ||
|
||
define Package/shadowsocks-libev-ss-rules/prerm | ||
#!/bin/sh | ||
s=firewall.ss_rules | ||
uci get "$$s" >/dev/null || exit 0 | ||
uci batch <<-EOF | ||
delete $$s | ||
commit firewall | ||
EOF | ||
endef | ||
|
||
define Build/Prepare | ||
$(call Build/Prepare/Default) | ||
$(FIND) $(PKG_BUILD_DIR) \ | ||
-name '*.o' \ | ||
-o -name '*.lo' \ | ||
-o -name '.deps' \ | ||
-o -name '.libs' \ | ||
| $(XARGS) rm -rvf | ||
endef | ||
|
||
CONFIGURE_ARGS += \ | ||
--disable-documentation \ | ||
--disable-silent-rules \ | ||
--disable-assert \ | ||
--disable-ssp \ | ||
|
||
$(eval $(call BuildPackage,shadowsocks-libev-config)) | ||
$(eval $(call BuildPackage,shadowsocks-libev-ss-rules)) | ||
$(foreach component,$(SHADOWSOCKS_COMPONENTS), \ | ||
$(eval $(call BuildPackage,shadowsocks-libev-$(component))) \ | ||
) |
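Review bot: `--disable-ssp` in the `CONFIGURE_ARGS +=` block near the end of the hunk switches off the package's own stack-protector probing with no comment saying why, so a later reader may take it for a deliberate hardening downgrade rather than a hand-off to the buildroot's toolchain flags. A one-line comment above the block, `# SSP/assert are governed by the buildroot's CFLAGS, not by this package's configure probes`, would record the intent for both `--disable-ssp` and `--disable-assert`. The value on the `PKG_MD5SUM:=` line is 64 hex characters, i.e. a SHA-256 digest rather than an MD5; the download logic presumably picks the algorithm by length, but `PKG_HASH:=` would name it accurately if this buildroot supports that variable. The trailing `\` after `--disable-ssp` continues onto a blank line; dropping it avoids a stray continuation.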
@@ -0,0 +1,97 @@ | ||
## components | ||
|
||
`ss-local` provides SOCKS5 proxy with UDP associate support. | ||
|
||
socks5 ss plain | ||
--------> tcp:local_address:local_port ----> ss server -------> dest | ||
|
||
`ss-redir`. The REDIRECT and TPROXY part are to be provided by `ss-rules` script. REDIRECT only works for tcp traffic (see also darkk/redsocks). TPROXY is used to proxy udp messages, but it's only available in the PREROUTING chain and as such cannot proxy local out traffic. | ||
|
||
plain plain ss plain | ||
---------> REDIRECT ------> tcp:local_address:local_port ----> ss server -----> original dest | ||
|
||
plain plain ss plain | ||
---------> TPROXY -------> udp:local_address:local_port -----> ss server -----> original dest | ||
|
||
`ss-tunnel` provides ssh `-L` local-forwarding-like tunnel. Typically it's used to tunnel DNS traffic to the remote. | ||
|
||
plain ss plain | ||
---------> tcp|udp:local_address:local_port ------> ss server -------> tunnel_address | ||
|
||
`ss-server`, the "ss server" in the above diagram | ||
|
||
## uci | ||
|
||
Option names are the same as those used in json config files. Check `validate_xxx` func definition of the [service script](files/shadowsocks-libev.init) and shadowsocks-libev's own documentation for supported options and expected value types. A [sample config file](files/shadowsocks-libev.config) is also provided for reference. | ||
|
||
Every section have a `disabled` option to temporarily turn off the component instance or component instances referring to it. | ||
|
||
Section type `server` is for definition of remote shadowsocks servers. They will be referred to from other component sections and as such should be named (as compared to anonymous section). | ||
|
||
Section type `ss_local`, `ss_redir`, `ss_tunnel` are for specification of shadowsocks-libev components. They share mostly a common set of options like `local_port`, `verbose`, `fast_open`, `timeout`, etc. | ||
|
||
We can have multiple instances of component and `server` sections. The relationship between them is many-to-one. This will have the following implications | ||
|
||
- It's possible to have both `ss_local` and `ss_redir` referring to the same `server` definition | ||
- It's possible to have multiple instances of `ss_redir` listening on the same address:port with `reuse_port` enabled referring to the same or different `server` sections | ||
|
||
`ss_rules` section is for configuring the behaviour of `ss-rules` script. There can only exist at most one such section with the name also being `ss_rules` | ||
|
||
redir_tcp name of ss_redir section with mode tcp_only or tcp_and_udp | ||
redir_udp name of ss_redir section with mode udp_only or tcp_and_udp | ||
ifnames only apply rules on packets from these ifnames | ||
|
||
--- for incoming packets having source address in | ||
|
||
src_ips_bypass will bypass the redir chain | ||
src_ips_forward will always go through the redir chain | ||
src_ips_checkdst will continue to have their destination addresses checked | ||
|
||
--- otherwise, the default action can be specified with | ||
|
||
src_default bypass, forward, [checkdst] | ||
|
||
--- if the previous check result is checkdst, | ||
--- then packets having destination address in | ||
|
||
dst_ips_bypass_file | ||
dst_ips_bypass will bypass the redir chain | ||
dst_ips_forward_file | ||
dst_ips_forward will go through the redir chain | ||
|
||
--- otherwise, the default action can be specified with | ||
|
||
dst_default [bypass], forward | ||
|
||
--- for local out tcp packets, the default action can be specified with | ||
|
||
local_default [bypass], forward, checkdst | ||
|
||
Bool option `dst_forward_recentrst` requires iptables/netfilter `recent` match module (`opkg install iptables-mod-conntrack-extra`). When enabled, `ss-rules` will setup iptables rules to forward through `ss-redir` those packets whose destination have recently sent to us multiple tcp-rst. | ||
|
||
ss-rules uses kernel ipset mechanism for storing addresses/networks. Those ipsets are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin ipset support. For more details please read output of `ss-rules --help` | ||
|
||
Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation. Option names are retained in its current form for backward compatibility coniderations | ||
|
||
## notes and faq | ||
|
||
Useful paths and commands for debugging | ||
|
||
# check current running status | ||
ubus call service list '{"name": "shadowsocks-libev"}' | ||
ubus call service list '{"name": "shadowsocks-libev", "verbose": true}' | ||
|
||
# dump validate definition | ||
ubus call service validate '{"package": "shadowsocks-libev"}' | ||
ubus call service validate '{"package": "shadowsocks-libev"}' \ | ||
| jsonfilter -e '$["shadowsocks-libev"]["ss_tunnel"]' | ||
|
||
# check json config | ||
ls -l /var/etc/shadowsocks-libev/ | ||
|
||
# set uci config option verbose to 1, restart the service and follow the log | ||
logread -f | ||
|
||
ss-redir needs to open a new socket and setsockopt IP_TRANSPARENT when sending udp reply to client. This requires `CAP_NET_ADMIN` and as such the process cannot run as `nobody` | ||
|
||
ss-local, ss-redir, etc. supports specifying an array of remote ss server, but supporting this in uci seems to be overkill. The workaround can be defining multiple `server` sections and multiple `ss-redir` instances with `reuse_port` enabled |
@@ -0,0 +1,2 @@ | ||
#!/bin/sh | ||
/etc/init.d/shadowsocks-libev reload |
@@ -0,0 +1,61 @@ | ||
config ss_local | ||
option disabled 1 | ||
option server 'sss0' | ||
option local_address '0.0.0.0' | ||
option local_port '1080' | ||
option timeout '30' | ||
|
||
config ss_tunnel | ||
option disabled 1 | ||
option server 'sss0' | ||
option local_address '0.0.0.0' | ||
option local_port '1090' | ||
option tunnel_address 'example.com:80' | ||
option mode 'tcp_and_udp' | ||
option timeout '60' | ||
|
||
config ss_redir hi | ||
option disabled 1 | ||
option server 'sss0' | ||
option local_address '0.0.0.0' | ||
option local_port '1100' | ||
option mode 'tcp_and_udp' | ||
option timeout '60' | ||
option fast_open 1 | ||
option verbose 1 | ||
option reuse_port 1 | ||
|
||
config ss_redir hj | ||
option disabled 1 | ||
option server 'sss0' | ||
option local_address '0.0.0.0' | ||
option local_port '1100' | ||
option mode 'tcp_and_udp' | ||
option timeout '60' | ||
option fast_open 1 | ||
option verbose 1 | ||
option reuse_port 1 | ||
|
||
config ss_rules 'ss_rules' | ||
option disabled 1 | ||
option redir_tcp 'hi' | ||
option redir_udp 'hi' | ||
option src_default 'checkdst' | ||
option dst_default 'bypass' | ||
option local_default 'checkdst' | ||
list src_ips_forward '192.168.1.4' | ||
list dst_ips_forward '8.8.8.8' | ||
|
||
config server 'sss0' | ||
option disabled 1 | ||
option server '192.168.1.3' | ||
option server_port '9001' | ||
option password '********' | ||
option method 'aes-256-cfb' | ||
|
||
config ss_server | ||
option disabled 1 | ||
option server_port '9001' | ||
option password '********' | ||
option method 'aes-256-cfb' | ||
option bind_address '192.168.7.72' |
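Review bot: Both the `server 'sss0'` and the `ss_server` sections set `option method 'aes-256-cfb'`, a stream cipher with no integrity protection; since this file is the template users copy from, the sample would better show an AEAD method this release supports, e.g. `option method 'chacha20-ietf-poly1305'`, after confirming the name against the cipher list the Makefile's checklist points to (src/crypto.c:crypto_init()). Every section ships with `option disabled 1`, which is the right default for a sample, so this is about what the template teaches rather than a live exposure.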