
Remove white list option in CLI

pull/814/head
Max Lv 8 years ago
parent
commit
42d9b68dcc
10 changed files with 60 additions and 37 deletions
  1. 3
      acl/chn.acl
  2. 5
      acl/gfwlist.acl
  3. 3
      acl/local.acl
  4. 3
      doc/ss-server.asciidoc
  5. 50
      src/acl.c
  6. 1
      src/acl.h
  7. 11
      src/local.c
  8. 18
      src/server.c
  9. 1
      src/shadowsocks.h
  10. 2
      src/utils.c

3
acl/chn.acl

@ -1,3 +1,6 @@
[proxy_all]
[black_list]
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21

5
acl/gfwlist.acl

@ -1,6 +1,8 @@
# gfw list rules for shadowsocks-libev
# updated on 2016-09-08 12:09:55
#
[bypass_all]
[white_list]
.*4tern\.com
.*adorama\.com
.*akiba-web\.com
@ -115,7 +117,6 @@
.*xn--4gq171p\.com
.*xn--p8j9a0d9c9a\.xn--q9jyb4c
.*china-mmm\.jp\.net
[white_list]
.*lsxszzg\.com
.*china-mmm\.net
.*china-mmm\.sa\.com

3
acl/local.acl

@ -1,3 +1,6 @@
[reject_all]
[white_list]
127.0.0.1
::1
10.0.0.0/8

3
doc/ss-server.asciidoc

@ -95,9 +95,6 @@ Enable onetime authentication.
-6::
Resovle hostname to IPv6 address first.
-w::
Enable white list mode (when ACL enabled).
-d <addr>::
Setup name servers for internal DNS resolver (libudns).
The default server is fetched from '/etc/resolv.conf'.

50
src/acl.c

@ -21,6 +21,7 @@
*/
#include <ipset/ipset.h>
#include <ctype.h>
#include "rule.h"
#include "utils.h"
@ -58,6 +59,26 @@ static void parse_addr_cidr(const char *str, char *host, int *cidr)
}
}
char *trimwhitespace(char *str)
{
char *end;
// Trim leading space
while(isspace(*str)) str++;
if(*str == 0) // All spaces?
return str;
// Trim trailing space
end = str + strlen(str) - 1;
while(end > str && isspace(*end)) end--;
// Write new null terminator
*(end+1) = 0;
return str;
}
int init_acl(const char *path)
{
// initialize ipset
@ -81,20 +102,26 @@ int init_acl(const char *path)
return -1;
}
char line[257];
char buf[257];
while (!feof(f))
if (fgets(line, 256, f)) {
if (fgets(buf, 256, f)) {
// Trim the newline
int len = strlen(line);
if (len > 0 && line[len - 1] == '\n') {
line[len - 1] = '\0';
int len = strlen(buf);
if (len > 0 && buf[len - 1] == '\n') {
buf[len - 1] = '\0';
}
char *line = trimwhitespace(buf);
// Skip comments
if (line[0] == '#') {
continue;
}
if (strlen(line) == 0) {
continue;
}
if (strcmp(line, "[black_list]") == 0
|| strcmp(line, "[bypass_list]") == 0) {
list_ipv4 = &black_list_ipv4;
@ -107,6 +134,14 @@ int init_acl(const char *path)
list_ipv6 = &white_list_ipv6;
rules = &white_list_rules;
continue;
} else if (strcmp(line, "[reject_all]") == 0
|| strcmp(line, "[bypass_all]") == 0) {
acl_mode = WHITE_LIST;
continue;
} else if (strcmp(line, "[accept_all]") == 0
|| strcmp(line, "[proxy_all]") == 0) {
acl_mode = BLACK_LIST;
continue;
}
char host[257];
@ -165,11 +200,6 @@ int get_acl_mode(void)
return acl_mode;
}
void set_acl_mode(int mode)
{
acl_mode = mode;
}
/*
* Return 0, if not match.
* Return 1, if match black list.
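Review bot: `isspace(*str)` and `isspace(*end)` in the new trimwhitespace pass a plain `char` to a ctype function, which is undefined for byte values above 0x7f when `char` is signed; non-ASCII bytes in an ACL file (for example inside a comment line) reach these loops before the `#` check in init_acl runs. Cast first: `while (isspace((unsigned char)*str)) str++;` and `while (end > str && isspace((unsigned char)*end)) end--;`. The function is also given external linkage while the acl.h hunk on this page adds no prototype for it, so `static char *trimwhitespace(char *str)` would keep it file-local unless another file uses it, which this page does not show. A one-line header comment such as `/* Strip leading and trailing whitespace in place; the returned pointer aliases str. */` would document the contract that `char *line = trimwhitespace(buf);` in init_acl relies on; init_acl's body continues outside the hunk.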

1
src/acl.h

@ -34,6 +34,5 @@ int acl_add_ip(const char *ip);
int acl_remove_ip(const char *ip);
int get_acl_mode(void);
void set_acl_mode(int mode);
#endif // _ACL_H

11
src/local.c

@ -1127,10 +1127,10 @@ int main(int argc, char **argv)
USE_TTY();
#ifdef ANDROID
while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:P:huUvwVA",
while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:P:huUvVA",
long_options, &option_index)) != -1) {
#else
while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvwA",
while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvA",
long_options, &option_index)) != -1) {
#endif
switch (c) {
@ -1208,9 +1208,6 @@ int main(int argc, char **argv)
case 'A':
auth = 1;
break;
case 'w':
set_acl_mode(WHITE_LIST);
break;
#ifdef ANDROID
case 'V':
vpn = 1;
@ -1474,10 +1471,6 @@ int start_ss_local_server(profile_t profile)
acl = !init_acl(profile.acl);
}
if (profile.white_list) {
set_acl_mode(WHITE_LIST);
}
if (local_addr == NULL) {
local_addr = "127.0.0.1";
}

18
src/server.c

@ -1402,11 +1402,14 @@ static void accept_cb(EV_P_ ev_io *w, int revents)
if (acl) {
char *peer_name = get_peer_name(serverfd);
if (peer_name != NULL && acl_match_host(peer_name)) {
if (verbose)
LOGI("Access denied from %s", peer_name);
close(serverfd);
return;
if (peer_name != NULL) {
if ((get_acl_mode() == BLACK_LIST && acl_match_host(peer_name) == 1)
|| (get_acl_mode() == WHITE_LIST && acl_match_host(peer_name) >= 0)) {
if (verbose)
LOGI("Access denied from %s", peer_name);
close(serverfd);
return;
}
}
}
@ -1461,7 +1464,7 @@ int main(int argc, char **argv)
USE_TTY();
while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:b:c:i:d:a:n:huUvAw6",
while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:b:c:i:d:a:n:huUvA6",
long_options, &option_index)) != -1) {
switch (c) {
case 0:
@ -1541,9 +1544,6 @@ int main(int argc, char **argv)
case 'A':
auth = 1;
break;
case 'w':
set_acl_mode(WHITE_LIST);
break;
case '6':
ipv6first = 1;
break;
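Review bot: In the accept_cb hunk a connection whose peer name cannot be obtained (`peer_name == NULL`) is accepted without any ACL decision, which in WHITE_LIST mode (`[reject_all]`) turns a default-deny policy into fail-open for exactly the peers that cannot be identified; the old code had the same gap, but it mattered less when only black-list denial existed. The two branches of the new condition also each call acl_match_host() and get_acl_mode(), so evaluating them once and deciding on the stored result lets the unnamed-peer case and the logging share one path. The -1 return for a white-list match is inferred from the trailing comment in the acl.c section on this page ("Return 0, if not match. Return 1, if match black list.") and should be confirmed against acl_match_host's definition before relying on `match >= 0` as "not white-listed". accept_cb begins and ends outside the hunk.
```c
if (acl) {
    char *peer_name = get_peer_name(serverfd);
    int mode  = get_acl_mode();
    /* An unidentifiable peer counts as "not matched" (0): still allowed in
     * black-list mode, denied in white-list mode so the policy fails closed. */
    int match = (peer_name != NULL) ? acl_match_host(peer_name) : 0;
    if ((mode == BLACK_LIST && match == 1)
        || (mode == WHITE_LIST && match >= 0)) {
        if (verbose)
            LOGI("Access denied from %s", peer_name != NULL ? peer_name : "(unknown)");
        close(serverfd);
        return;
    }
}
/* … unchanged: rest of accept_cb … */
```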

1
src/shadowsocks.h

@ -40,7 +40,6 @@ typedef struct {
int auth; // enable one-time authentication
int mtu; // MTU of interface
int mptcp; // enable multipath TCP
int white_list; // enable white list
int verbose; // verbose mode
} profile_t;

2
src/utils.c

@ -279,8 +279,6 @@ void usage()
#ifdef MODULE_REMOTE
printf(
" [-6] Resovle hostname to IPv6 address first.\n");
printf(
" [-w] Enable white list mode (when ACL enabled).\n");
#endif
printf("\n");
#ifdef MODULE_TUNNEL
