Remove white list option in CLI

SPYFF · Sep 8, 2016 · 42d9b68 · 42d9b68
1 parent 02c51c3
commit 42d9b68
Show file tree

Hide file tree

Showing 10 changed files with 60 additions and 37 deletions.
diff --git a/acl/chn.acl b/acl/chn.acl
@@ -1,3 +1,6 @@
+[proxy_all]
+
+[black_list]
 1.0.1.0/24
 1.0.2.0/23
 1.0.8.0/21

diff --git a/acl/gfwlist.acl b/acl/gfwlist.acl
@@ -1,6 +1,8 @@
 # gfw list rules for shadowsocks-libev 
 # updated on 2016-09-08 12:09:55
-#
+[bypass_all]
+
+[white_list]
 .*4tern\.com
 .*adorama\.com
 .*akiba-web\.com
@@ -115,7 +117,6 @@
 .*xn--4gq171p\.com
 .*xn--p8j9a0d9c9a\.xn--q9jyb4c
 .*china-mmm\.jp\.net
-[white_list]
 .*lsxszzg\.com
 .*china-mmm\.net
 .*china-mmm\.sa\.com

diff --git a/acl/local.acl b/acl/local.acl
@@ -1,3 +1,6 @@
+[reject_all]
+
+[white_list]
 127.0.0.1
 ::1
 10.0.0.0/8

diff --git a/doc/ss-server.asciidoc b/doc/ss-server.asciidoc
@@ -95,9 +95,6 @@ Enable onetime authentication.
 -6::
 Resovle hostname to IPv6 address first.
 
--w::
-Enable white list mode (when ACL enabled).
-
 -d <addr>::
 Setup name servers for internal DNS resolver (libudns).
 The default server is fetched from '/etc/resolv.conf'.

diff --git a/src/acl.c b/src/acl.c
@@ -21,6 +21,7 @@
  */
 
 #include <ipset/ipset.h>
+#include <ctype.h>
 
 #include "rule.h"
 #include "utils.h"
@@ -58,6 +59,26 @@ static void parse_addr_cidr(const char *str, char *host, int *cidr)
     }
 }
 
+char *trimwhitespace(char *str)
+{
+      char *end;
+
+      // Trim leading space
+      while(isspace(*str)) str++;
+
+      if(*str == 0)  // All spaces?
+          return str;
+
+      // Trim trailing space
+      end = str + strlen(str) - 1;
+      while(end > str && isspace(*end)) end--;
+
+      // Write new null terminator
+      *(end+1) = 0;
+
+      return str;
+}
+
 int init_acl(const char *path)
 {
     // initialize ipset
@@ -81,20 +102,26 @@ int init_acl(const char *path)
         return -1;
     }
 
-    char line[257];
+    char buf[257];
     while (!feof(f))
-        if (fgets(line, 256, f)) {
+        if (fgets(buf, 256, f)) {
             // Trim the newline
-            int len = strlen(line);
-            if (len > 0 && line[len - 1] == '\n') {
-                line[len - 1] = '\0';
+            int len = strlen(buf);
+            if (len > 0 && buf[len - 1] == '\n') {
+                buf[len - 1] = '\0';
             }
 
+            char *line = trimwhitespace(buf);
+
             // Skip comments
             if (line[0] == '#') {
                 continue;
             }
 
+            if (strlen(line) == 0) {
+                continue;
+            }
+
             if (strcmp(line, "[black_list]") == 0
                     || strcmp(line, "[bypass_list]") == 0) {
                 list_ipv4 = &black_list_ipv4;
@@ -107,6 +134,14 @@ int init_acl(const char *path)
                 list_ipv6 = &white_list_ipv6;
                 rules     = &white_list_rules;
                 continue;
+            } else if (strcmp(line, "[reject_all]") == 0
+                    || strcmp(line, "[bypass_all]") == 0) {
+                acl_mode = WHITE_LIST;
+                continue;
+            } else if (strcmp(line, "[accept_all]") == 0
+                    || strcmp(line, "[proxy_all]") == 0) {
+                acl_mode = BLACK_LIST;
+                continue;
             }
 
             char host[257];
@@ -165,11 +200,6 @@ int get_acl_mode(void)
     return acl_mode;
 }
 
-void set_acl_mode(int mode)
-{
-    acl_mode = mode;
-}
-
 /*
  * Return 0,  if not match.
  * Return 1,  if match black list.

diff --git a/src/acl.h b/src/acl.h
@@ -34,6 +34,5 @@ int acl_add_ip(const char *ip);
 int acl_remove_ip(const char *ip);
 
 int get_acl_mode(void);
-void set_acl_mode(int mode);
 
 #endif // _ACL_H
diff --git a/src/local.c b/src/local.c
@@ -1127,10 +1127,10 @@ int main(int argc, char **argv)
     USE_TTY();
 
 #ifdef ANDROID
-    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:P:huUvwVA",
+    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:P:huUvVA",
                             long_options, &option_index)) != -1) {
 #else
-    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvwA",
+    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvA",
                             long_options, &option_index)) != -1) {
 #endif
         switch (c) {
@@ -1208,9 +1208,6 @@ int main(int argc, char **argv)
         case 'A':
             auth = 1;
             break;
-        case 'w':
-            set_acl_mode(WHITE_LIST);
-            break;
 #ifdef ANDROID
         case 'V':
             vpn = 1;
@@ -1474,10 +1471,6 @@ int start_ss_local_server(profile_t profile)
         acl = !init_acl(profile.acl);
     }
 
-    if (profile.white_list) {
-        set_acl_mode(WHITE_LIST);
-    }
-
     if (local_addr == NULL) {
         local_addr = "127.0.0.1";
     }

diff --git a/src/server.c b/src/server.c
@@ -1402,11 +1402,14 @@ static void accept_cb(EV_P_ ev_io *w, int revents)
 
     if (acl) {
         char *peer_name = get_peer_name(serverfd);
-        if (peer_name != NULL && acl_match_host(peer_name)) {
-            if (verbose)
-                LOGI("Access denied from %s", peer_name);
-            close(serverfd);
-            return;
+        if (peer_name != NULL) {
+            if ((get_acl_mode() == BLACK_LIST && acl_match_host(peer_name) == 1)
+                    || (get_acl_mode() == WHITE_LIST && acl_match_host(peer_name) >= 0)) {
+                if (verbose)
+                    LOGI("Access denied from %s", peer_name);
+                close(serverfd);
+                return;
+            }
         }
     }
 
@@ -1461,7 +1464,7 @@ int main(int argc, char **argv)
 
     USE_TTY();
 
-    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:b:c:i:d:a:n:huUvAw6",
+    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:b:c:i:d:a:n:huUvA6",
                             long_options, &option_index)) != -1) {
         switch (c) {
         case 0:
@@ -1541,9 +1544,6 @@ int main(int argc, char **argv)
         case 'A':
             auth = 1;
             break;
-        case 'w':
-            set_acl_mode(WHITE_LIST);
-            break;
         case '6':
             ipv6first = 1;
             break;

diff --git a/src/shadowsocks.h b/src/shadowsocks.h
@@ -40,7 +40,6 @@ typedef struct {
     int auth;             // enable one-time authentication
     int mtu;              // MTU of interface
     int mptcp;            // enable multipath TCP
-    int white_list;       // enable white list
     int verbose;          // verbose mode
 } profile_t;
 

diff --git a/src/utils.c b/src/utils.c
@@ -279,8 +279,6 @@ void usage()
 #ifdef MODULE_REMOTE
     printf(
         "       [-6]                       Resovle hostname to IPv6 address first.\n");
-    printf(
-        "       [-w]                       Enable white list mode (when ACL enabled).\n");
 #endif
     printf("\n");
 #ifdef MODULE_TUNNEL