#!/bin/sh /etc/rc.common
# OpenWrt procd init script for gost: runs one gost instance with an SNI
# listener and a transparent-redirect listener, and installs the ipset /
# iptables nat rules that send selected LAN TCP traffic into those listeners.
# Install as /etc/init.d/gost (see the usage notes at the end of this page).
USE_PROCD=1
START=99
STOP=98
# ipset names shared by create_ipset(), create_iptables() and remove_iptables()
ProxyIPSet="proxy_ipset"
InternalIPSet="internal_ipset"
GreatFireWallIPSet="gfw_ipset"
ChinaIPSet="china_ipset"
# SNI listener port: TCP 443 to proxied destinations is REDIRECTed here
SniPort=1443
# redirect listener port: all other proxied TCP is REDIRECTed here
RedirectPort=8443
# proxy server address (placeholder; create_ipset() adds this value verbatim
# to ${ProxyIPSet}, so anything that is not an IP/CIDR makes that add fail)
ProxyIP="vps_ip_ip"
# proxy server port
ProxyPort=5655
# shadowsocks cipher used for the ss2 hop
ProxyEncryptionAlgorithm="AEAD_CHACHA20_POLY1305"
# proxy password (placeholder). NOTE(review): it is embedded in
# GostProxyCommand and therefore in gost's command line, which any local user
# can read with `ps`; keep this file's permissions tight and rotate the
# password if the file is ever shared.
ProxyPassword="xxoo10086"
# gost forward-chain argument: the upstream shadowsocks (ss2) hop
GostProxyCommand="-F=ss2://${ProxyEncryptionAlgorithm}:${ProxyPassword}@${ProxyIP}:${ProxyPort}"
# absolute path of the gost binary (must match the file actually installed)
BinaryPath="/data/gost/gost_amrv7"
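create_ipset() {
  # Create the four hash:net sets and seed the two "bypass" sets.
  # Every ipset call carries -! (-exist) so that re-running start after a
  # previous start does not fail on "set exists" / "element already added".
  # The GFW and China sets are only created here; nothing in this file adds
  # entries to them, they are expected to be filled by a separate job.
  local set_name
  for set_name in "${ProxyIPSet}" "${InternalIPSet}" "${GreatFireWallIPSet}" "${ChinaIPSet}"; do
    ipset -! create "${set_name}" hash:net maxelem 1000000
  done
  # The proxy server itself must never be redirected into the proxy, or the
  # tunnel would loop back on itself.
  ipset -! add "${ProxyIPSet}" "${ProxyIP}"
  # Reserved / non-routable ranges are reached directly, never via the proxy.
  local reserved_net
  for reserved_net in \
    0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    ipset -! add "${InternalIPSet}" "${reserved_net}"
  done
}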
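create_iptables() {
  # Build the nat/GOST chain from scratch and hook it into PREROUTING so that
  # forwarded LAN TCP traffic is either accepted (bypass) or REDIRECTed into
  # gost. The ipsets referenced by -m set must already exist (iptables rejects
  # the rule otherwise), so create_ipset() has to run before this function.
  echo "create iptable rule for gost"
  # -C checks for a *rule*, not a chain: `-C GOST` with no rule spec never
  # answered "does the chain exist", so -N ran on every start. -S lists the
  # chain and fails when it is absent, which is the check we want.
  if iptables -t nat -S GOST >/dev/null 2>&1; then
    echo "iptables chain GOST exists, ignore command..."
  else
    echo "create iptables chain: GOST"
    iptables -t nat -N GOST
  fi
  # Start from an empty chain so re-running start never duplicates rules.
  iptables -t nat -F GOST
  # Rule order matters: bypasses first, then proxied ranges, then catch-all.
  # 1. never redirect traffic to the proxy server itself (tunnel loop)
  iptables -t nat -A GOST -p all -m set --match-set "${ProxyIPSet}" dst -j ACCEPT
  # 2. reserved / private destinations are reached directly
  iptables -t nat -A GOST -p all -m set --match-set "${InternalIPSet}" dst -j ACCEPT
  # 3. blocked destinations: 443 goes to the SNI listener, other TCP to redirect
  iptables -t nat -A GOST -p tcp --dport 443 -m set --match-set "${GreatFireWallIPSet}" dst -j REDIRECT --to-port "${SniPort}"
  iptables -t nat -A GOST -p tcp -m set --match-set "${GreatFireWallIPSet}" dst -j REDIRECT --to-port "${RedirectPort}"
  # 4. China destinations are reached directly
  iptables -t nat -A GOST -p tcp -m set --match-set "${ChinaIPSet}" dst -j ACCEPT
  # 5. everything else: all remaining TCP goes through the proxy
  #    (non-TCP traffic matches none of the rules below and leaves the chain)
  iptables -t nat -A GOST -p tcp --dport 443 -j REDIRECT --to-port "${SniPort}"
  iptables -t nat -A GOST -p tcp -j REDIRECT --to-port "${RedirectPort}"
  # Hook PREROUTING (forwarded traffic) into GOST. Insert the jump only when it
  # is not already present, otherwise every start adds another copy.
  # The nat OUTPUT hook (router-originated traffic) is intentionally left out,
  # as in the original: iptables -t nat -A OUTPUT -p all -j GOST
  if ! iptables -t nat -C PREROUTING -p all -j GOST >/dev/null 2>&1; then
    iptables -t nat -I PREROUTING 1 -p all -j GOST
  fi
}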
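remove_iptables() {
  # Tear down in dependency order: unhook PREROUTING, flush and delete the
  # GOST chain, then empty the ipsets. The sets are flushed, not destroyed, so
  # a later start finds them again.
  echo "remove gost iptable rules"
  # -D removes one matching rule per call; if start ran more than once there
  # may be several copies of the jump, so loop until none is left.
  while iptables -t nat -D PREROUTING -p all -j GOST >/dev/null 2>&1; do
    :
  done
  iptables -t nat -F GOST
  iptables -t nat -X GOST
  local set_name
  for set_name in "${ProxyIPSet}" "${InternalIPSet}" "${GreatFireWallIPSet}" "${ChinaIPSet}"; do
    ipset flush "${set_name}"
  done
}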
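start_service() {
  # procd start hook: register the gost instance, then install the traffic rules.
  # The wrapper shell exec()s gost so the PID procd supervises (and signals on
  # stop/respawn) is gost itself, not an intermediate sh. gost's arguments are
  # passed as real argv words ("$0" "$@") rather than spliced into the -c
  # string, so a password containing shell metacharacters is not re-parsed.
  # Output still goes to /tmp/gost.log as before.
  echo "start"
  procd_open_instance gost
  procd_set_param command /bin/sh -c 'exec "$0" "$@" >/tmp/gost.log 2>&1' \
    "${BinaryPath}" -L "sni://:${SniPort}" "-L=redirect://:${RedirectPort}" "${GostProxyCommand}"
  procd_set_param respawn
  if [ -e /proc/sys/kernel/core_pattern ]; then
    procd_set_param limits core="unlimited"
  fi
  procd_close_instance
  # the ipsets must exist before create_iptables() references them with -m set
  create_ipset
  create_iptables
}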
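stop_service() {
  # procd stop hook: remove the traffic rules, ask gost to exit (SIGINT),
  # wait briefly, and SIGKILL whatever is still running.
  # PIDs are found by the binary path, not by the word "gost": the previous
  # `ps -w | grep gost` also matched this init script's own process
  # (/etc/init.d/gost stop), so the script could signal itself.
  echo "stop"
  remove_iptables
  local pids waited
  pids=$(pgrep -f "${BinaryPath}")
  if [ -n "${pids}" ]; then
    # shellcheck disable=SC2086 — one PID per word is intended
    kill -2 ${pids}
    # poll for up to 3s instead of sleeping a fixed 3s after a too-early check
    waited=0
    while [ "${waited}" -lt 3 ] && [ -n "$(pgrep -f "${BinaryPath}")" ]; do
      sleep 1
      waited=$((waited + 1))
    done
  fi
  # force kill anything that ignored SIGINT
  pids=$(pgrep -f "${BinaryPath}")
  if [ -n "${pids}" ]; then
    # shellcheck disable=SC2086
    kill -9 ${pids}
  fi
}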
reload_service() {
  # procd reload hook: a full stop/start cycle, because the ipset/iptables
  # state and the gost instance are always rebuilt together.
  printf '%s\n' "restart"
  stop_service
  start_service
}
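status_service() {
  # Report whether a gost process is running.
  # Matches on the binary path: the previous `ps -w | grep gost` also matched
  # this init script itself (/etc/init.d/gost status), so it always reported
  # "running".
  # NOTE: the exit status is inverted relative to the usual 0 = running
  # convention; it is kept unchanged because existing callers may rely on it.
  if [ -n "$(pgrep -f "${BinaryPath}")" ]; then
    echo "gost is running"
    return 1
  fi
  echo "gost is not running"
  return 0
}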

recall704 commented Feb 27, 2021

#!/bin/bash
# Refresh the China IP ipset from the 17mon china_ip_list so the gost
# iptables rules can let China-bound traffic bypass the proxy.

# Name of the ipset the gost rules match on; must stay in sync with
# ChinaIPSet in the init script.
CHINA_IPSET='china_ipset'

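update_chinaip_ipset(){
  # Download the China IP list and load it into ${CHINA_IPSET}.
  # Compared with the naive version: the download is verified *before* the
  # set is flushed (a failed or empty download used to leave the set empty, so
  # all China-bound traffic silently went through the proxy); only lines that
  # look like an IPv4 address or CIDR are handed to ipset, because the file is
  # untrusted input; and entries are loaded in one `ipset restore` batch
  # instead of one `ipset add` process per line.
  # Returns 0 when the set was refreshed, 1 when it was left untouched.
  # https://github.com/17mon/china_ip_list/blob/master/china_ip_list.txt
  local url="https://raw.githubusercontent.com/17mon/china_ip_list/master/china_ip_list.txt"
  local cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  local tmp
  tmp=$(mktemp) || return 1

  # -f: HTTP errors count as failure; -sS: quiet except for real errors
  if ! curl -fsS "${url}" > "${tmp}"; then
    printf 'update_chinaip_ipset: download failed, keeping current set\n' >&2
    rm -f -- "${tmp}"
    return 1
  fi
  if ! grep -qE "${cidr_re}" "${tmp}"; then
    printf 'update_chinaip_ipset: no IPv4 entries in download, keeping current set\n' >&2
    rm -f -- "${tmp}"
    return 1
  fi

  ipset flush "${CHINA_IPSET}"
  # Each surviving line becomes "add <set> <cidr>" for ipset restore; -! makes
  # duplicate entries a no-op rather than an error.
  grep -E "${cidr_re}" "${tmp}" \
    | sed "s/^/add ${CHINA_IPSET} /" \
    | ipset -! restore
  local rc=$?
  rm -f -- "${tmp}"
  return "${rc}"
}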

update_chinaip_ipset

save it to update.ipset.sh

sh -x update.ipset.sh


Save the init script above as /etc/init.d/gost, then run:

chmod +x /etc/init.d/gost
/etc/init.d/gost enable
/etc/init.d/gost start
/etc/init.d/gost status
