diff --git a/acl/chn.acl b/acl/chn.acl
index a2257116c..870437a1b 100644
--- a/acl/chn.acl
+++ b/acl/chn.acl
@@ -1,3 +1,6 @@
+[proxy_all]
+
+[black_list]
 1.0.1.0/24
 1.0.2.0/23
 1.0.8.0/21
diff --git a/acl/gfwlist.acl b/acl/gfwlist.acl
index 08ff5b234..55c64b61f 100644
--- a/acl/gfwlist.acl
+++ b/acl/gfwlist.acl
@@ -1,6 +1,8 @@
 # gfw list rules for shadowsocks-libev
 # updated on 2016-09-08 12:09:55
-#
+[bypass_all]
+
+[white_list]
 .*4tern\.com
 .*adorama\.com
 .*akiba-web\.com
@@ -115,7 +117,6 @@
 .*xn--4gq171p\.com
 .*xn--p8j9a0d9c9a\.xn--q9jyb4c
 .*china-mmm\.jp\.net
-[white_list]
 .*lsxszzg\.com
 .*china-mmm\.net
 .*china-mmm\.sa\.com
diff --git a/acl/local.acl b/acl/local.acl
index a6f00c16d..6484f768b 100644
--- a/acl/local.acl
+++ b/acl/local.acl
@@ -1,3 +1,6 @@
+[reject_all]
+
+[white_list]
 127.0.0.1
 ::1
 10.0.0.0/8
diff --git a/doc/ss-server.asciidoc b/doc/ss-server.asciidoc
index 31afc0ff7..1a9298391 100644
--- a/doc/ss-server.asciidoc
+++ b/doc/ss-server.asciidoc
@@ -95,9 +95,6 @@ Enable onetime authentication.
 -6::
 Resovle hostname to IPv6 address first.
--w::
-Enable white list mode (when ACL enabled).
-
 -d ::
 Setup name servers for internal DNS resolver (libudns).
 The default server is fetched from '/etc/resolv.conf'.
diff --git a/src/acl.c b/src/acl.c
index c2c53b2bd..38a234ac1 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -21,6 +21,7 @@
  */
 #include
+#include
 #include "rule.h"
 #include "utils.h"
@@ -58,6 +59,26 @@ static void parse_addr_cidr(const char *str, char *host, int *cidr)
 }
 }
+char *trimwhitespace(char *str)
+{
+ char *end;
+
+ // Trim leading space
+ while(isspace(*str)) str++;
+
+ if(*str == 0) // All spaces?
+ return str;
+
+ // Trim trailing space
+ end = str + strlen(str) - 1;
+ while(end > str && isspace(*end)) end--;
+
+ // Write new null terminator
+ *(end+1) = 0;
+
+ return str;
+}
+
 int init_acl(const char *path)
 {
 // initialize ipset
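Review bot: `trimwhitespace` passes a plain `char` to `isspace` on both `while` lines; for bytes above 0x7F, which an ACL file with non-ASCII comments or regex literals can contain, that value is negative and `isspace` on a negative value other than EOF is undefined behaviour. Casting first fixes it: `while (isspace((unsigned char)*str)) str++;` and `while (end > str && isspace((unsigned char)*end)) end--;`. The function is also defined with external linkage, yet this commit adds no prototype to acl.h, so `static char *trimwhitespace(char *str)` would keep it file-local and avoid a global symbol named this generically. A one-line header comment stating that it trims in place and returns a pointer into the caller's buffer rather than a new allocation would help callers.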
@@ -81,20 +102,26 @@ int init_acl(const char *path)
 return -1;
 }
- char line[257];
+ char buf[257];
 while (!feof(f))
- if (fgets(line, 256, f)) {
+ if (fgets(buf, 256, f)) {
 // Trim the newline
- int len = strlen(line);
- if (len > 0 && line[len - 1] == '\n') {
- line[len - 1] = '\0';
+ int len = strlen(buf);
+ if (len > 0 && buf[len - 1] == '\n') {
+ buf[len - 1] = '\0';
 }
+ char *line = trimwhitespace(buf);
+
 // Skip comments
 if (line[0] == '#') {
 continue;
 }
+ if (strlen(line) == 0) {
+ continue;
+ }
+
 if (strcmp(line, "[black_list]") == 0
 || strcmp(line, "[bypass_list]") == 0) {
 list_ipv4 = &black_list_ipv4;
@@ -107,6 +134,14 @@ int init_acl(const char *path)
 list_ipv6 = &white_list_ipv6;
 rules = &white_list_rules;
 continue;
+ } else if (strcmp(line, "[reject_all]") == 0
+ || strcmp(line, "[bypass_all]") == 0) {
+ acl_mode = WHITE_LIST;
+ continue;
+ } else if (strcmp(line, "[accept_all]") == 0
+ || strcmp(line, "[proxy_all]") == 0) {
+ acl_mode = BLACK_LIST;
+ continue;
 }
 char host[257];
@@ -165,11 +200,6 @@ int get_acl_mode(void)
 return acl_mode;
 }
-void set_acl_mode(int mode)
-{
- acl_mode = mode;
-}
-
 /*
 * Return 0, if not match.
 * Return 1, if match black list.
diff --git a/src/acl.h b/src/acl.h
index d6805cdce..a37f6eb8a 100644
--- a/src/acl.h
+++ b/src/acl.h
@@ -34,6 +34,5 @@ int acl_add_ip(const char *ip);
 int acl_remove_ip(const char *ip);
 int get_acl_mode(void);
-void set_acl_mode(int mode);
 #endif // _ACL_H
diff --git a/src/local.c b/src/local.c
index f5e6d6da0..f3f2c229a 100644
--- a/src/local.c
+++ b/src/local.c
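Review bot: The explicit newline strip above `char *line = trimwhitespace(buf);` is now redundant, because `isspace` already classifies `'\n'` (and `'\r'`, so CRLF-terminated ACL files get the same treatment); dropping the `len`/`'\n'` block and merging the two skip checks into `if (line[0] == '#' || line[0] == '\0') { continue; }` would make the intent clearer. The `fgets(buf, 256, f)` line still splits any input line longer than 255 bytes into two reads, each of which is then parsed as its own rule, so a rule that is too long is silently misread rather than rejected; a comment such as `// lines longer than 255 bytes are split, not rejected` on that line would at least make the limit visible. `init_acl` starts and continues outside this hunk.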
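Review bot: The new `[reject_all]`/`[bypass_all]` and `[accept_all]`/`[proxy_all]` branches accept a mode directive at any position in the file and simply overwrite `acl_mode`, so a file with several directives takes the last one, and a file with none leaves `acl_mode` at whatever value it held before `init_acl` ran — that initial value is not visible here, and with `set_acl_mode` removed the caller can no longer set it. Worth a comment above the first new `else if`: `// Mode directives may appear anywhere; the last one wins. Without one, acl_mode keeps its prior value.` Since the mode decides whether an unlisted peer is accepted or rejected on the server, logging a warning when the file ends without any mode directive would make that misconfiguration visible. `init_acl` starts and ends outside this hunk.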
@@ -1127,10 +1127,10 @@ int main(int argc, char **argv)
 USE_TTY();
 #ifdef ANDROID
- while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:P:huUvwVA",
+ while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:P:huUvVA",
 long_options, &option_index)) != -1) {
 #else
- while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvwA",
+ while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvA",
 long_options, &option_index)) != -1) {
 #endif
 switch (c) {
@@ -1208,9 +1208,6 @@ int main(int argc, char **argv)
 case 'A':
 auth = 1;
 break;
- case 'w':
- set_acl_mode(WHITE_LIST);
- break;
 #ifdef ANDROID
 case 'V':
 vpn = 1;
@@ -1474,10 +1471,6 @@ int start_ss_local_server(profile_t profile)
 acl = !init_acl(profile.acl);
 }
- if (profile.white_list) {
- set_acl_mode(WHITE_LIST);
- }
-
 if (local_addr == NULL) {
 local_addr = "127.0.0.1";
 }
diff --git a/src/server.c b/src/server.c
index 131aff9a4..23c1de04d 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1402,11 +1402,14 @@ static void accept_cb(EV_P_ ev_io *w, int revents)
 if (acl) {
 char *peer_name = get_peer_name(serverfd);
- if (peer_name != NULL && acl_match_host(peer_name)) {
- if (verbose)
- LOGI("Access denied from %s", peer_name);
- close(serverfd);
- return;
+ if (peer_name != NULL) {
+ if ((get_acl_mode() == BLACK_LIST && acl_match_host(peer_name) == 1)
+ || (get_acl_mode() == WHITE_LIST && acl_match_host(peer_name) >= 0)) {
+ if (verbose)
+ LOGI("Access denied from %s", peer_name);
+ close(serverfd);
+ return;
+ }
 }
 }
@@ -1461,7 +1464,7 @@ int main(int argc, char **argv)
 USE_TTY();
- while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:b:c:i:d:a:n:huUvAw6",
+ while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:b:c:i:d:a:n:huUvA6",
 long_options, &option_index)) != -1) {
 switch (c) {
 case 0:
@@ -1541,9 +1544,6 @@ int main(int argc, char **argv)
 case 'A':
 auth = 1;
 break;
- case 'w':
- set_acl_mode(WHITE_LIST);
- break;
 case '6':
 ipv6first = 1;
 break;
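Review bot: In the new `if (peer_name != NULL)` branch of `accept_cb`, a peer whose address `get_peer_name` cannot report is accepted in both modes; under `WHITE_LIST` that is a fail-open, because every peer that is not on the white list is otherwise rejected (`acl_match_host(peer_name) >= 0`, where 0 is "no match" per the comment in acl.c). `acl_match_host` is also invoked inside each side of the `||`, so calling it once and deciding on the stored result reads more clearly and keeps the two mode checks side by side. The rewrite below leaves `BLACK_LIST` behaviour unchanged (an unknown peer still counts as "no match") and rejects the unknown-peer case only in white-list mode; `accept_cb` continues outside the hunk.
```c
    if (acl) {
        char *peer_name = get_peer_name(serverfd);
        int mode = get_acl_mode();
        /* acl_match_host: 0 = no match, 1 = black list, <0 = white list.
         * A peer whose address is unknown is treated as "no match", so it is
         * accepted in black-list mode and rejected in white-list mode. */
        int match = (peer_name != NULL) ? acl_match_host(peer_name) : 0;
        if ((mode == BLACK_LIST && match == 1)
            || (mode == WHITE_LIST && match >= 0)) {
            if (verbose)
                LOGI("Access denied from %s", peer_name != NULL ? peer_name : "unknown peer");
            close(serverfd);
            return;
        }
    }
```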
diff --git a/src/shadowsocks.h b/src/shadowsocks.h
index 6018fd791..5b48ee572 100644
--- a/src/shadowsocks.h
+++ b/src/shadowsocks.h
@@ -40,7 +40,6 @@ typedef struct {
 int auth; // enable one-time authentication
 int mtu; // MTU of interface
 int mptcp; // enable multipath TCP
- int white_list; // enable white list
 int verbose; // verbose mode
 } profile_t;
diff --git a/src/utils.c b/src/utils.c
index eddefa227..b5e0b3008 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -279,8 +279,6 @@ void usage()
 #ifdef MODULE_REMOTE
 printf(
 " [-6] Resovle hostname to IPv6 address first.\n");
- printf(
- " [-w] Enable white list mode (when ACL enabled).\n");
 #endif
 printf("\n");
 #ifdef MODULE_TUNNEL