ref shadowsocks/shadowsocks-rust#855
When receiving UDP packets from remote servers, Redir will have to
create transparent sockets to bind() on those target addresses and then
relay data back to the local client. Target addresses may be IPv4 or
IPv6 addresses, so we may have to create those transparent sockets based
on the target addresses' family.
The simplest and easiest way is to always create IPv6 sockets and
convert IPv4 binding addresses and peer addresses to IPv4-mapped IPv6.
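The mapping described above, as an added example that is not shadowsocks-libev's own code: any IPv4 target is rewritten to its IPv4-mapped IPv6 form so a single AF_INET6 UDP socket can bind() to it. It assumes Linux and leaves IP_TRANSPARENT (which needs CAP_NET_ADMIN) to the caller; function names are the author's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Convert an AF_INET or AF_INET6 sockaddr into an AF_INET6 sockaddr,
 * rewriting IPv4 a.b.c.d as the IPv4-mapped form ::ffff:a.b.c.d.
 * Returns 0 on success, -1 for any other address family. */
int to_mapped_in6(const struct sockaddr *sa, struct sockaddr_in6 *out)
{
    memset(out, 0, sizeof(*out));
    if (sa->sa_family == AF_INET6) {
        memcpy(out, sa, sizeof(*out));
        return 0;
    }
    if (sa->sa_family == AF_INET) {
        struct sockaddr_in in4;
        memcpy(&in4, sa, sizeof(in4));
        out->sin6_family = AF_INET6;
        out->sin6_port = in4.sin_port;          /* already network order */
        /* ::ffff:0:0/96 prefix: 10 zero bytes, then 0xff 0xff, then the
         * four IPv4 bytes in network order */
        out->sin6_addr.s6_addr[10] = 0xff;
        out->sin6_addr.s6_addr[11] = 0xff;
        memcpy(&out->sin6_addr.s6_addr[12], &in4.sin_addr, 4);
        return 0;
    }
    return -1;
}

/* Create an AF_INET6 UDP socket that also accepts IPv4-mapped addresses
 * (IPV6_V6ONLY cleared, since a distro may default it on) and bind it to
 * the mapped address. Returns the fd, or -1 with the fd closed on error.
 * Hypothetical helper: IP_TRANSPARENT is deliberately not set here. */
int bind_dual_stack_udp(const struct sockaddr_in6 *addr)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int off = 0;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off)) < 0 ||
        bind(fd, (const struct sockaddr *)addr, sizeof(*addr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```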
Set {listen,server}_sock to -1 when needed as already done in
src/manager.c by commit ecf1fcc845 to
avoid the following build failure:
local.c: In function 'create_and_bind':
local.c:218:12: error: 'listen_sock' may be used uninitialized in this function [-Werror=maybe-uninitialized]
218 | return listen_sock;
| ^~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/27471a878ff52a972ac087d534e44fb0c50808f6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
This confused me, and looking at the issues, it has confused other people as well. [1](https://github.com/shadowsocks/shadowsocks-libev/issues/2758)
I'm not sure if we can automate it though, e.g. in `autogen.sh`. Because some people might want to build with a modified version of the libraries.
Perhaps we could automatically fetch the submodules IF we see they are empty...
Anyway, for now, we can at least document this step.
The change is to support the 'fail2ban' feature. Instead of
blocking IPs by the server itself, the server just adds malicious IPs
to specified sets of nftables, so an admin can configure rules
to deal with those IPs.
Note: the cap_net_admin capability is required.
Example configuration:
# nft add table ip fail2ban
# nft add chain ip fail2ban input { type filter hook input priority 0 \; }
# nft add set ip fail2ban badips { type ipv4_addr \; flags dynamic, timeout \; timeout 1h \; }
# nft add rule ip fail2ban input ip saddr @badips drop
# ss-server -c config.json --nftables-sets badips
There is a race condition between shadowsocks-libev.service and
systemd-resolved.service after reboot/on boot. The shadowsocks
service tries to start before the DNS service is started properly
and fails, showing the corresponding errors in the logs.
Use pkg-config to retrieve the dependencies of netfilter_conntrack
and avoid the following build failure when building statically:
configure:13096: /data/buildroot-test/instance-1/output-1/host/bin/x86_64-linux-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -static -I/data/buildroot-test/instance-1/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/include -DPCRE_STATIC -pthread -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -static -L/data/buildroot-test/instance-1/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib conftest.c -lnetfilter_conntrack -lnfnetlink -lev -lcares -lsodium -lmbedcrypto -lpcre >&5
/data/buildroot-test/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/8.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /data/buildroot-test/instance-1/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib/libnetfilter_conntrack.a(api.o): in function `nfct_fill_hdr.constprop.4':
api.c:(.text+0x3f): undefined reference to `mnl_nlmsg_put_header'
Fixes:
- http://autobuild.buildroot.org/results/6cad497a7ab941a0ee3fd7007defc81e30cdcbe0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
- This is very useful in advanced scenarios such as ss-redir or chaining of servers using TPROXY, to avoid bufferbloat-like performance degradation due to the OS's default large buffers.