update

luci-app-openclash/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-openclash
-PKG_VERSION:=0.42.04
+PKG_VERSION:=0.42.05
 PKG_RELEASE:=beta
 PKG_MAINTAINER:=vernesong <https://github.com/vernesong/OpenClash>
 

luci-app-openclash/luasrc/controller/openclash.lua

@@ -34,6 +34,7 @@ function index()
 	entry({"admin", "services", "openclash", "ping"}, call("act_ping"))
 	entry({"admin", "services", "openclash", "download_rule"}, call("action_download_rule"))
 	entry({"admin", "services", "openclash", "restore"}, call("action_restore_config"))
+	entry({"admin", "services", "openclash", "remove_all_core"}, call("action_remove_all_core"))
 	entry({"admin", "services", "openclash", "one_key_update"}, call("action_one_key_update"))
 	entry({"admin", "services", "openclash", "one_key_update_check"}, call("action_one_key_update_check"))
 	entry({"admin", "services", "openclash", "switch_mode"}, call("action_switch_mode"))
@@ -268,6 +269,10 @@ function action_restore_config()
 	luci.sys.call("cp '/usr/share/openclash/backup/openclash_custom_domain_dns.list' '/etc/openclash/custom/openclash_custom_domain_dns.list' >/dev/null 2>&1 &")
 end
 
+function action_remove_all_core()
+	luci.sys.call("rm -rf /etc/openclash/core/* >/dev/null 2>&1")
+end
+
 function action_one_key_update()
   return luci.sys.call("sh /usr/share/openclash/openclash_update.sh 'one_key_update' >/dev/null 2>&1 &")
 end

luci-app-openclash/luasrc/model/cbi/openclash/settings.lua

@@ -60,10 +60,6 @@ o:depends("en_mode", "redir-host")
 o:depends("en_mode", "fake-ip")
 o.default=1
 
-o = s:taboption("op_mode", Flag, "disable_udp_quic", font_red..bold_on..translate("Disable quic")..bold_off..font_off)
-o.description = translate("Disable yt fb ig use quic")..", "..font_red..bold_on..translate("REJECT PORT 443 UDP")..bold_off..font_off
-o.default=1
-
 o = s:taboption("op_mode", ListValue, "stack_type", translate("Select Stack Type"))
 o.description = translate("Select Stack Type For TUN Mode, According To The Running Speed on Your Machine")
 o:depends("en_mode", "redir-host-tun")
@@ -82,6 +78,10 @@ o:value("direct", translate("Direct Proxy Mode"))
 o:value("script", translate("Script Proxy Mode (Tun Core Only)"))
 o.default = "rule"
 
+o = s:taboption("op_mode", Flag, "disable_udp_quic", font_red..bold_on..translate("Disable QUIC")..bold_off..font_off)
+o.description = translate("Prevent YouTube and Others To Use QUIC Transmission")..", "..font_red..bold_on..translate("REJECT UDP Traffic On Port 443")..bold_off..font_off
+o.default=1
+
 o = s:taboption("op_mode", Flag, "enable_rule_proxy", font_red..bold_on..translate("Rule Match Proxy Mode")..bold_off..font_off)
 o.description = translate("Only Proxy Rules Match, Prevent BT/P2P Passing")
 o.default=0

luci-app-openclash/luasrc/view/openclash/update.htm

@@ -44,16 +44,23 @@
 </fieldset>
 <fieldset class="cbi-section">
 	<table width="100%">
-	  <tr><td width="50%" colspan="2">
-	  	<p align="center" id="restore">
-	  		<%:Collecting data...%>
-	  	</p>
+	  <tr>
+	  	<td width="33%" colspan="2">
+	  	   <p align="center" id="restore">
+	  		   <%:Collecting data...%>
+	  	   </p>
 	  	</td>
-	  <td width="50%" colspan="2">
-	  	<p align="center" id="one_key_update">
-	  		<%:Collecting data...%>
-	  	</p>
-	  </td></tr>
+	  	<td width="33%" colspan="2">
+	  	   <p align="center" id="remove_core">
+	  		   <%:Collecting data...%>
+	  	   </p>
+	  	</td>
+	    <td width="33%" colspan="2">
+	  	   <p align="center" id="one_key_update">
+	  		   <%:Collecting data...%>
+	  	   </p>
+	    </td>
+	  </tr>
 	</table>
 </fieldset>
 
@@ -81,6 +88,7 @@
 	var ma_op_up  = document.getElementById('ma_op_up');
 	var restore  = document.getElementById('restore');
 	var one_key_update  = document.getElementById('one_key_update');
+	var remove_core  = document.getElementById('remove_core');
   
 	XHR.poll(6, '<%=luci.dispatcher.build_url("admin", "services", "openclash", "update")%>', null, function(x, status) {
 		if ( x && x.status == 200 ) {
@@ -186,8 +194,9 @@
 	ma_core_tun_up.innerHTML = '<input type="button" class="cbi-button cbi-button-reload" value="<%:Download%>" onclick="return ma_core_tun_update(this)"/>';
 	ma_core_game_up.innerHTML = '<input type="button" class="cbi-button cbi-button-reload" value="<%:Download%>" onclick="return ma_core_game_update(this)"/>';
 	ma_op_up.innerHTML = '<input type="button" class="cbi-button cbi-button-reload" value="<%:Download%>" onclick="return ma_op_update(this)"/>';
-	restore.innerHTML = '<input type="button" class="cbi-button cbi-button-reset" value="<%:Restore Default Configuration%>" onclick="return restore_config(this)"/>';
+	restore.innerHTML = '<input type="button" class="cbi-button cbi-button-reset" value="<%:Restore Default Config%>" onclick="return restore_config(this)"/>';
 	one_key_update.innerHTML = '<input type="button" class="cbi-button cbi-button-reset" value="<%:One Click Check Update%>" onclick="return all_one_key_update(this)"/>';
+	remove_core.innerHTML = '<input type="button" class="cbi-button cbi-button-remove" value="<%:Remove Core%>" onclick="return remove_all_core(this)"/>';
 	
 	function winOpen(url)
 	  {
@@ -314,11 +323,33 @@
         return false; 
     }
     
+    function remove_all_core(btn)
+    {
+        btn.value    = '<%:Remove Core%>';
+        btn.disabled = true;
+        var r = confirm("<%:Are you sure want to remove all core files?%>")
+        if (r == true) {
+        XHR.get('<%=luci.dispatcher.build_url("admin", "services", "openclash", "remove_all_core")%>', null, function(x, status) {
+        	if ( x && x.status == 200 ) {
+        		alert('<%:Remove succeeded!%>')
+        		window.location.href='<%="settings"%>';
+        	}
+          else {
+            alert('<%:Remove failed!%>')
+            window.location.href='<%="settings"%>';
+           }
+        });
+        } else {
+        }
+        btn.disabled = false;
+        return false; 
+    }
+    
     function restore_config(btn)
     {
-        btn.value    = '<%:Restore Default Configuration%>';
+        btn.value    = '<%:Restore Default Config%>';
         btn.disabled = true;
-        var r = confirm("<%:Are you sure want to restore the default configuration?%>")
+        var r = confirm("<%:Are you sure want to restore the default config?%>")
         if (r == true) {
         XHR.get('<%=luci.dispatcher.build_url("admin", "services", "openclash", "restore")%>', null, function(x, status) {
         	if ( x && x.status == 200 ) {

luci-app-openclash/po/zh_Hans/openclash.zh-cn.po

@@ -970,16 +970,16 @@ msgid "The Servers Must Support UDP forwarding"
 msgstr "启用时服务器必须支持UDP转发"
 
 msgid "If Docker is Installed, UDP May Not Forward Normally"
-msgstr "安装了Docker的固件可能无法正常转发UDP"
+msgstr "安装了Docker的固件请使用TUN模式，否则可能无法正常转发UDP，造成游戏异常"
 
-msgid "Disable quic"
-msgstr "*禁用quic"
+msgid "Disable QUIC"
+msgstr "*禁用QUIC"
 
-msgid "Disable yt fb ig use quic"
-msgstr "改善yt fb等走quic速度慢场景"
+msgid "Prevent YouTube and Others To Use QUIC Transmission"
+msgstr "防止YouTube等使用QUIC导致速度不佳"
 
-msgid "REJECT PORT 443 UDP"
-msgstr "禁用443端口udp流量"
+msgid "REJECT UDP Traffic On Port 443"
+msgstr "禁用443端口UDP流量"
 
 msgid "Operation Mode"
 msgstr "模式设置"
@@ -1329,7 +1329,7 @@ msgstr "下载最新版本客户端"
 msgid "Download"
 msgstr "下载到本地"
 
-msgid "Restore Default Configuration"
+msgid "Restore Default Config"
 msgstr "还原默认配置"
 
 msgid "One Click Check Update"
@@ -1338,7 +1338,7 @@ msgstr "一键检查更新"
 msgid "Failed to get the latest version. Please try again later!"
 msgstr "最新版本获取失败，请稍后再试！"
 
-msgid "Are you sure want to restore the default configuration?"
+msgid "Are you sure want to restore the default config?"
 msgstr "确定要还原默认配置吗？"
 
 msgid "Restore succeeded!"
@@ -1473,3 +1473,14 @@ msgstr "订阅转换服务地址"
 msgid "Note: There is A Risk of Privacy Leakage in Online Convert"
 msgstr "注意：在线订阅转换存在隐私泄露风险"
 
+msgid "Remove Core"
+msgstr "删除内核"
+
+msgid "Are you sure want to remove all core files?"
+msgstr "确定要删除所有内核文件吗？"
+
+msgid "Remove succeeded!"
+msgstr "删除成功！"
+
+msgid "Remove failed!"
+msgstr "删除失败！"

luci-app-openclash/root/usr/share/openclash/dashboard/index.html

@@ -8,7 +8,7 @@
     <meta name="description" content="Clash web port" />
     <!--meta name="external-controller" content="http://secret@example.com:9090"-->
     <title>Clash</title>
-  <script type="module" crossorigin src="./assets/index.044d452d.js"></script>
+  <script type="module" crossorigin src="./assets/index.c1a45b2c.js"></script>
   <link rel="modulepreload" href="./assets/vendor.a151eb93.js">
   <link rel="stylesheet" href="./assets/index.c138c813.css">
 </head>

nft-qos/Makefile

@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nft-qos
+PKG_VERSION:=1.0.6
+PKG_RELEASE:=2
+PKG_LICENSE:=GPL-2.0
+
+PKG_MAINTAINER:=Rosy Song <rosysong@rosinson.com>
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/nft-qos
+  SECTION:=utils
+  CATEGORY:=Base system
+  DEPENDS:=+kmod-nft-netdev +kmod-nft-bridge +nftables
+  TITLE:=QoS scripts over nftables
+  PKGARCH:=all
+endef
+
+define Package/nft-qos/description
+ This package provides implementation for qos over nftables.
+ Currently, static/dynamic qos and traffic shaping are supported.
+endef
+
+define Package/nft-qos/conffiles
+/etc/config/nft-qos
+endef
+
+define Build/Prepare
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/nft-qos/install
+	$(INSTALL_DIR) $(1)/lib/nft-qos
+	$(INSTALL_DATA) ./files/lib/* $(1)/lib/nft-qos/
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/nft-qos.config $(1)/etc/config/nft-qos
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/nft-qos.init $(1)/etc/init.d/nft-qos
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/dhcp
+	$(INSTALL_BIN) ./files/nft-qos-monitor.hotplug $(1)/etc/hotplug.d/dhcp/00-nft-qos-monitor
+	$(INSTALL_BIN) ./files/nft-qos-dynamic.hotplug $(1)/etc/hotplug.d/dhcp/01-nft-qos-dynamic
+endef
+
+$(eval $(call BuildPackage,nft-qos))

nft-qos/files/lib/core.sh

@@ -0,0 +1,101 @@
+#!/bin/sh
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+
+NFT_QOS_HAS_BRIDGE=
+NFT_QOS_INET_FAMILY=ip
+NFT_QOS_SCRIPT_TEXT=
+NFT_QOS_SCRIPT_FILE=/tmp/qos.nft
+
+qosdef_appendx() { # <string to be appended>
+	NFT_QOS_SCRIPT_TEXT="$NFT_QOS_SCRIPT_TEXT""$1"
+}
+
+qosdef_append_chain_def() { # <type> <hook> <priority> <policy>
+	qosdef_appendx "\t\ttype $1 hook $2 priority $3; policy $4;\n"
+}
+
+qosdef_append_chain_ingress() { # <type> <device> <priority> <policy>
+	qosdef_appendx "\t\ttype $1 hook ingress device $2 priority $3; policy $4;\n"
+}
+
+# qosdef_append_rule_{MATCH}_{STATEMENT}
+qosdef_append_rule_ip_limit() { # <ipaddr> <operator> <unit> <rate>
+	local ipaddr=$1
+	local operator=$2
+	local unit=$3
+	local rate=$4
+
+	qosdef_appendx \
+	    "\t\tip $operator $ipaddr limit rate over $rate $unit/second drop\n"
+}
+
+# qosdef_append_rule_{MATCH}_{STATEMENT}
+qosdef_append_rule_mac_limit() { # <macaddr> <operator> <unit> <rate>
+	local macaddr=$1
+	local operator=$2
+	local unit=$3
+	local rate=$4
+
+	qosdef_appendx \
+	    "\t\tether $operator $macaddr limit rate over $rate $unit/second drop\n"
+}
+
+# qosdef_append_rule_{MATCH}_{POLICY}
+qosdef_append_rule_ip_policy() { # <operator> <ipaddr> <policy>
+	qosdef_appendx "\t\tip $1 $2 $3\n"
+}
+
+_handle_limit_whitelist() { # <value> <chain>
+	local ipaddr=$1
+	local operator
+
+	[ -z "$ipaddr" ] && return
+
+	case "$2" in
+		download) operator="daddr";;
+		upload) operator="saddr";;
+	esac
+
+	qosdef_append_rule_ip_policy $operator $ipaddr accept
+}
+
+qosdef_append_rule_limit_whitelist() { # <chain>
+	config_list_foreach default limit_whitelist _handle_limit_whitelist $1
+}
+
+qosdef_flush_table() { # <family> <table>
+	nft flush table $1 $2 2>/dev/null
+}
+
+qosdef_remove_table() { # <family> <table>
+	nft delete table $1 $2 2>/dev/null
+}
+
+qosdef_init_header() { # add header for nft script
+	qosdef_appendx "#!/usr/sbin/nft -f\n"
+	qosdef_appendx "# Copyright (C) 2018 rosysong@rosinson.com\n"
+	qosdef_appendx "#\n\n"
+}
+
+qosdef_init_env() {
+	# check interface type of lan
+	local lt="$(uci_get "network.lan.type")"
+	[ "$lt" = "bridge" ] && export NFT_QOS_HAS_BRIDGE="y"
+
+	# check if ipv6 support
+	[ -e /proc/sys/net/ipv6 ] && export NFT_QOS_INET_FAMILY="inet"
+}
+
+qosdef_clean_cache() {
+	rm -f $NFT_QOS_SCRIPT_FILE
+}
+
+qosdef_init_done() {
+	echo -e $NFT_QOS_SCRIPT_TEXT > $NFT_QOS_SCRIPT_FILE 2>/dev/null
+}
+
+qosdef_start() {
+	nft -f $NFT_QOS_SCRIPT_FILE 2>/dev/null
+}

nft-qos/files/lib/dynamic.sh

@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+
+qosdef_validate_dynamic() {
+	uci_load_validate nft-qos default "$1" "$2" \
+		'limit_enable:bool:0' \
+		'limit_type:maxlength(8)' \
+		'dynamic_bw_up:uinteger:100' \
+		'dynamic_bw_down:uinteger:100'
+}
+
+# return average rate for dhcp leases
+qosdef_dynamic_rate() { # <bandwidth>
+	local c=0 c6=0
+
+	[ ! -e /tmp/dhcp.leases -a \
+	  ! -e /var/dhcp6.leases ] && return
+
+	[ -e /tmp/dhcp.leases ] && \
+	  c=$(wc -l < /tmp/dhcp.leases 2>/dev/null)
+	[ -e /var/dhcp6.leases ] && \
+	  c6=$(wc -l < /var/dhcp6.leases 2>/dev/null)
+	[ $c -eq 0 -a $c6 -eq 0 ] && \
+	  { echo 12500; return; }
+
+	echo $(($1 / ($c + $c6)))
+}
+
+qosdef_append_chain_dym() { # <hook> <name> <bandwidth>
+	local cidr cidr6
+	local operator rate
+	local hook=$1 name=$2 bandwidth=$3
+
+	config_get cidr default 'dynamic_cidr'
+	config_get cidr6 default 'dynamic_cidr6'
+
+	[ -z "$cidr" -a -z "$cidr6" ] && return
+
+	case "$2" in
+		download) operator=daddr;;
+		upload) operator=saddr;;
+	esac
+
+	rate=$(qosdef_dynamic_rate $bandwidth)
+
+	qosdef_appendx "\tchain $name {\n"
+	qosdef_append_chain_def filter $hook 0 accept
+	qosdef_append_rule_limit_whitelist $name
+	[ -n "$cidr" ] && \
+		qosdef_append_rule_ip_limit $cidr $operator kbytes $rate
+	[ -n "$cidr6" ] && \
+		qosdef_append_rule_ip_limit $cidr6 $operator kbytes $rate
+	qosdef_appendx "\t}\n"
+}
+
+qosdef_flush_dynamic() {
+	qosdef_flush_table "$NFT_QOS_INET_FAMILY" nft-qos-dynamic
+}
+
+# init dynamic qos
+qosdef_init_dynamic() {
+	local hook_ul="prerouting" hook_dl="postrouting"
+
+	[ "$2" = 0 ] || {
+		logger -t nft-qos-dynamic "validation failed"
+		return 1
+	}
+
+	[ $limit_enable -eq 0 -o \
+		"$limit_type" = "static" ] && return 1
+
+	# Transfer mbits/s to mbytes/s
+	# e.g. 100,000 kbits == 12,500 kbytes
+	dynamic_bw_up=$(($dynamic_bw_up * 1000 / 8))
+	dynamic_bw_down=$(($dynamic_bw_down * 1000 / 8))
+
+	[ -z "$NFT_QOS_HAS_BRIDGE" ] && {
+		hook_ul="postrouting"
+		hook_dl="prerouting"
+	}
+
+	qosdef_appendx "table $NFT_QOS_INET_FAMILY nft-qos-dynamic {\n"
+	qosdef_append_chain_dym $hook_ul upload $dynamic_bw_up
+	qosdef_append_chain_dym $hook_dl download $dynamic_bw_down
+	qosdef_appendx "}\n"
+}

nft-qos/files/lib/mac.sh

@@ -0,0 +1,77 @@
+#!/bin/sh
+# based on static.sh
+# Copyright (C) 2020 Tong Zhang<ztong0001@gmail.com>
+#
+
+qosdef_validate_mac() {
+	uci_load_validate nft-qos default "$1" "$2" \
+		'limit_mac_enable:bool:0'
+}
+
+# append rule for mac qos
+qosdef_append_rule_mac() { # <section> <operator>
+	local macaddr unit rate
+	local operator=$2
+
+	config_get macaddr $1 macaddr
+	if [ "$operator" = "saddr" ]; then
+		config_get unit $1 urunit
+		config_get rate $1 urate
+	else
+		config_get unit $1 drunit
+		config_get rate $1 drate
+	fi
+
+	[ -z "$macaddr" ] && return
+
+	qosdef_append_rule_mac_limit $macaddr $operator $unit $rate
+}
+
+# append chain for mac qos
+qosdef_append_chain_mac() { # <hook> <name> <section>
+	local hook=$1 name=$2
+	local config=$3 operator
+
+	case "$name" in
+		download) operator="daddr";;
+		upload) operator="saddr";;
+	esac
+
+	qosdef_appendx "\tchain $name {\n"
+	qosdef_append_chain_def filter $hook 0 accept
+	config_foreach qosdef_append_rule_mac $config $operator
+	qosdef_appendx "\t}\n"
+}
+
+qosdef_flush_mac() {
+	if [ -n "$NFT_QOS_HAS_BRIDGE" ]; then
+		qosdef_flush_table bridge nft-qos-mac
+	else
+		qosdef_flush_table "$NFT_QOS_INET_FAMILY" nft-qos-mac
+	fi
+}
+
+# limit rate by mac address init
+qosdef_init_mac() {
+	local hook_ul="prerouting" hook_dl="postrouting"
+
+	[ "$2" = 0 ] || {
+		logger -t nft-qos-mac "validation failed"
+		return 1
+	}
+
+	[ $limit_mac_enable -eq 0 ] && return 1
+
+	table_name=$NFT_QOS_INET_FAMILY
+	if [ -z "$NFT_QOS_HAS_BRIDGE" ]; then
+		hook_ul="postrouting"
+		hook_dl="prerouting"
+	else
+		table_name="bridge"
+	fi
+
+	qosdef_appendx "table $table_name nft-qos-mac {\n"
+	qosdef_append_chain_mac $hook_ul upload client
+	qosdef_append_chain_mac $hook_dl download client
+	qosdef_appendx "}\n"
+}

nft-qos/files/lib/monitor.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+
+qosdef_monitor_get_ip_handle() { # <family> <chain> <ip>
+	echo $(nft -a list chain $1 nft-qos-monitor $2 2>/dev/null | grep " $3 " | awk '{print $11}')
+}
+
+qosdef_monitor_delete_handle() { # <family> <chain> <handle>
+	nft delete rule $1 nft-qos-monitor $2 handle $3
+}
+
+qosdef_monitor_add() { # <mac> <ip> <hostname>
+	handle_dl=$(qosdef_monitor_get_ip_handle $NFT_QOS_INET_FAMILY download $2)
+	[ -z "$handle_dl" ] && nft add rule $NFT_QOS_INET_FAMILY nft-qos-monitor download ip daddr $2 counter
+	handle_ul=$(qosdef_monitor_get_ip_handle $NFT_QOS_INET_FAMILY upload $2)
+	[ -z "$handle_ul" ] && nft add rule $NFT_QOS_INET_FAMILY nft-qos-monitor upload ip saddr $2 counter
+}
+
+qosdef_monitor_del() { # <mac> <ip> <hostname>
+	local handle_dl handle_ul
+	handle_dl=$(qosdef_monitor_get_ip_handle $NFT_QOS_INET_FAMILY download $2)
+	handle_ul=$(qosdef_monitor_get_ip_handle $NFT_QOS_INET_FAMILY upload $2)
+	[ -n "$handle_dl" ] && qosdef_monitor_delete_handle $NFT_QOS_INET_FAMILY download $handle_dl
+	[ -n "$handle_ul" ] && qosdef_monitor_delete_handle $NFT_QOS_INET_FAMILY upload $handle_ul
+}
+
+# init qos monitor
+qosdef_init_monitor() {
+	local hook_ul="prerouting" hook_dl="postrouting"
+
+	[ -z "$NFT_QOS_HAS_BRIDGE" ] && {
+		hook_ul="postrouting"
+		hook_dl="prerouting"
+	}
+
+	nft add table $NFT_QOS_INET_FAMILY nft-qos-monitor
+	nft add chain $NFT_QOS_INET_FAMILY nft-qos-monitor upload { type filter hook $hook_ul priority 0\; }
+	nft add chain $NFT_QOS_INET_FAMILY nft-qos-monitor download { type filter hook $hook_dl priority 0\; }
+}

nft-qos/files/lib/priority.sh

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+
+P1=""; P2=""; P3=""; P4=""; P5=""; P6="";
+P7=""; P8=""; P9=""; P10=""; P11="";
+
+qosdef_validate_priority() {
+	uci_load_validate nft-qos default "$1" "$2" \
+		'priority_enable:bool:0' \
+		'priority_netdev:maxlength(8)'
+}
+
+_qosdef_handle_protox() { # <priority> <rule>
+	case "$1" in
+		-400) P1="$P1""$2";;
+		-300) P2="$P2""$2";;
+		-225) P3="$P3""$2";;
+		-200) P4="$P4""$2";;
+		-150) P5="$P5""$2";;
+		-100) P6="$P6""$2";;
+		0) P7="$P7""$2";;
+		50) P8="$P8""$2";;
+		100) P9="$P9""$2";;
+		225) P10="$P10""$2";;
+		300) P11="$P11""$2";;
+	esac
+}
+
+qosdef_handle_protox() { # <section>
+	local proto prio srv
+
+	config_get proto $1 'protocol'
+	config_get prio $1 'priority'
+	config_get srv $1 'service'
+
+	[ -z "$proto" -o \
+		-z "$prio" -o \
+		-z "$srv" ] && return
+
+	_qosdef_handle_protox $prio \
+	    "\t\t$proto dport { $srv } accept\n"
+}
+
+qosdef_append_rule_protox() { # <section>
+	config_foreach qosdef_handle_protox $1
+	qosdef_appendx \
+		"${P1}${P2}${P3}${P4}${P5}${P6}${P7}${P8}${P9}${P10}${P11}"
+}
+
+qosdef_append_chain_priority() { # <name> <section> <device>
+	local name=$1 device=$3
+
+	qosdef_appendx "\tchain $name {\n"
+	qosdef_append_chain_ingress filter $device 0 accept
+	qosdef_append_rule_protox $2
+	qosdef_appendx "\t}\n"
+}
+
+qosdef_remove_priority() {
+	qosdef_remove_table netdev nft-qos-priority
+}
+
+# init traffic priority
+qosdef_init_priority() {
+	local ifname="br-lan"
+
+	[ "$2" = 0 ] || {
+		logger -t nft-qos-priority "validation failed"
+		return 1
+	}
+
+	[ $priority_enable -eq 0 ] && return 1
+
+	case "$priority_netdev" in
+		lan) [ "$(uci_get network.lan.type)" != "bridge" ] && {
+				network_get_device ifname "$priority_netdev" || \
+				ifname="$(uci_get network.lan.ifname)"
+			}
+		;;
+		wan*) network_get_device ifname "$priority_netdev" || \
+			ifname="$(uci_get network.$priority_netdev.ifname)"
+		;;
+	esac
+
+	qosdef_appendx "table netdev nft-qos-priority {\n"
+	qosdef_append_chain_priority filter priority $ifname
+	qosdef_appendx "}\n"
+}

nft-qos/files/lib/static.sh

@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+
+qosdef_validate_static() {
+	uci_load_validate nft-qos default "$1" "$2" \
+		'limit_enable:bool:0' \
+		'limit_type:maxlength(8)' \
+		'static_unit_dl:string:kbytes' \
+		'static_unit_ul:string:kbytes' \
+		'static_rate_dl:uinteger:50' \
+		'static_rate_ul:uinteger:50'
+}
+
+# append rule for static qos
+qosdef_append_rule_sta() { # <section> <operator> <default-unit> <default-rate>
+	local ipaddr unit rate
+	local operator=$2
+
+	config_get ipaddr $1 ipaddr
+	config_get unit $1 unit $3
+	config_get rate $1 rate $4
+
+	[ -z "$ipaddr" ] && return
+
+	qosdef_append_rule_ip_limit $ipaddr $operator $unit $rate
+}
+
+# append chain for static qos
+qosdef_append_chain_sta() { # <hook> <name> <section> <unit> <rate>
+	local hook=$1 name=$2
+	local config=$3 operator
+
+	case "$name" in
+		download) operator="daddr";;
+		upload) operator="saddr";;
+	esac
+
+	qosdef_appendx "\tchain $name {\n"
+	qosdef_append_chain_def filter $hook 0 accept
+	qosdef_append_rule_limit_whitelist $name
+	config_foreach qosdef_append_rule_sta $config $operator $4 $5
+	qosdef_appendx "\t}\n"
+}
+
+qosdef_flush_static() {
+	qosdef_flush_table "$NFT_QOS_INET_FAMILY" nft-qos-static
+}
+
+# static limit rate init
+qosdef_init_static() {
+	local hook_ul="prerouting" hook_dl="postrouting"
+
+	[ "$2" = 0 ] || {
+		logger -t nft-qos-static "validation failed"
+		return 1
+	}
+
+	[ $limit_enable -eq 0 -o \
+		$limit_type = "dynamic" ] && return 1
+
+	[ -z "$NFT_QOS_HAS_BRIDGE" ] && {
+		hook_ul="postrouting"
+		hook_dl="prerouting"
+	}
+
+	qosdef_appendx "table $NFT_QOS_INET_FAMILY nft-qos-static {\n"
+	qosdef_append_chain_sta $hook_ul upload upload $static_unit_ul $static_rate_ul
+	qosdef_append_chain_sta $hook_dl download download $static_unit_dl $static_rate_dl
+	qosdef_appendx "}\n"
+}

nft-qos/files/nft-qos-dynamic.hotplug

@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Copyright 2018 rosysong@rosinson.com
+#
+
+export initscript="nft-qos-dynamic"
+
+. $IPKG_INSTROOT/lib/functions/procd.sh
+. $IPKG_INSTROOT/lib/functions.sh
+. $IPKG_INSTROOT/lib/nft-qos/core.sh
+. $IPKG_INSTROOT/lib/nft-qos/dynamic.sh
+
+NFT_QOS_DYNAMIC_ON=
+
+qosdef_check_if_dynamic() {
+	[ $limit_enable -eq 1 -a \
+	  "$limit_type" = "dynamic" ] && \
+	    NFT_QOS_DYNAMIC_ON="y"
+}
+
+
+logger -t nft-qos-dynamic "ACTION=$ACTION, MACADDR=$MACADDR, IPADDR=$IPADDR, HOSTNAME=$HOSTNAME"
+
+case "$ACTION" in
+	add | update | remove)
+		qosdef_validate_dynamic default qosdef_check_if_dynamic
+		[ -z "$NFT_QOS_DYNAMIC_ON" ] && return
+
+		qosdef_init_env
+		qosdef_flush_dynamic
+
+		qosdef_init_header
+		qosdef_validate_dynamic default qosdef_init_dynamic
+		qosdef_init_done
+		qosdef_start
+		;;
+esac

nft-qos/files/nft-qos-monitor.hotplug

@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# Copyright 2018 rosysong@rosinson.com
+#
+
+export initscript="nft-qos-monitor"
+
+. $IPKG_INSTROOT/lib/functions/procd.sh
+. $IPKG_INSTROOT/lib/functions.sh
+. $IPKG_INSTROOT/lib/nft-qos/core.sh
+. $IPKG_INSTROOT/lib/nft-qos/monitor.sh
+
+logger -t nft-qos-monitor "ACTION=$ACTION, MACADDR=$MACADDR, IPADDR=$IPADDR, HOSTNAME=$HOSTNAME"
+
+case "$ACTION" in
+	add | update)
+		qosdef_init_env
+		qosdef_init_monitor
+		qosdef_monitor_add "$MACADDR" "$IPADDR" "$HOSTNAME"
+	;;
+	remove)
+		qosdef_init_env
+		qosdef_init_monitor
+		qosdef_monitor_del "$MACADDR" "$IPADDR" "$HOSTNAME"
+	;;
+esac

nft-qos/files/nft-qos.config

@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+# This is the sample for nft-qos configuration file,
+# which will generate a nftables script in /tmp/qos.nft
+#
+
+# Getting Started
+# Official site      :
+#  https://netfilter.org/projects/nftables/index.html
+# What is nftables   :
+#  https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
+#
+
+# Basic Operations
+# Configuring Tables :
+#  https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
+# Configuring Chains :
+#  https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
+# Configuring Rules  :
+#  https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management
+# Quick Reference (recommended)   :
+#  https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
+#  https://netfilter.org/projects/nftables/manpage.html
+#
+
+config default default
+	# Enable Flag for limit rate
+	option limit_enable '1'
+
+	# Options for enable Static QoS (rate limit)
+	option limit_type 'static'
+	# Options for Static QoS (rate limit)
+	option static_unit_dl 'kbytes'
+	option static_unit_ul 'kbytes'
+	option static_rate_dl '50'
+	option static_rate_ul '50'
+
+	# Options for enable Dynamic QoS
+	# This option can not compatible with Static QoS
+	# option limit_type 'dynamic'
+
+	# For Dynamic QoS Samples (unit of bandwidth is Mbps):
+	option dynamic_cidr '192.168.1.0/24'
+	option dynamic_cidr6 'AAAA:BBBB::1/64'
+	option dynamic_bw_up '100'
+	option dynamic_bw_down '100'
+
+	# White list for static/dynamic limit
+	# list limit_whitelist '192.168.1.225'
+	# list limit_whitelist '192.168.1.0/24'
+	# list limit_whitelist 'ABCD:CDEF::1/64'
+
+	# Option for Mac address based traffic control
+	option limit_mac_enable '0'
+
+	# Options for Traffic Priority
+	option priority_enable '0'
+	option priority_netdev 'lan'
+
+
+#
+# For Static QoS Rate Limit Samples :
+#
+# For Download :
+#config download
+#	option hostname 'My PC'
+#	option unit 'kbytes'
+#	option ipaddr '192.168.1.224'
+#	option rate '128'
+#
+# For Upload :
+#config upload
+#	option hostname 'office-pc'
+#	option unit 'mbytes'
+#	option ipaddr 'ABCD:FFED::1/64'
+#	option rate '1024'
+#
+# For MAC address based traffic control Samples :
+#
+#config client
+#	option drunit 'kbytes'
+#	option urunit 'kbytes'
+#	option hostname 'tvbox'
+#	option macaddr '00:00:00:00:00:00'
+#	option drate '300'
+#	option urate '30'
+#
+# Traffic Priority Samples :
+#
+# protocol : tcp, udp, udplite, sctp, dccp, tcp is default
+# priority : integer between 1-11, 1 is default and the highest
+# service : you can input a integer or service name,
+#           e.g. '22', '11-22', 'telnet', 'ssh, http, ftp', etc
+#
+#config priority
+#	option protocol 'tcp'
+#	option priority '-400'
+#	option service '23'
+#	option comment '?'
+#
+#config priority
+#	option protocol 'udp'
+#	option priority '-400'
+#	option service 'https'
+#	option comment '?'
+#
+#config priority
+#	option protocol 'dccp'
+#	option priority '0'
+#	option service '22-35'
+#	option comment '?'
+#
+#config priority
+#	option protocol 'dccp'
+#	option priority '300'
+#	option service 'ftp,ssh,http'
+#	option comment '?'
+#

nft-qos/files/nft-qos.init

@@ -0,0 +1,53 @@
+#!/bin/sh /etc/rc.common
+#
+# Copyright (C) 2018 rosysong@rosinson.com
+#
+
+. ${IPKG_INSTROOT}/lib/functions/network.sh
+. ${IPKG_INSTROOT}/lib/nft-qos/core.sh
+. ${IPKG_INSTROOT}/lib/nft-qos/monitor.sh
+. ${IPKG_INSTROOT}/lib/nft-qos/dynamic.sh
+. ${IPKG_INSTROOT}/lib/nft-qos/static.sh
+. ${IPKG_INSTROOT}/lib/nft-qos/mac.sh
+. ${IPKG_INSTROOT}/lib/nft-qos/priority.sh
+
+START=99
+USE_PROCD=1
+
+service_triggers() {
+	procd_add_reload_trigger nft-qos
+
+	procd_open_validate
+	qosdef_validate_dynamic
+	qosdef_validate_static
+	qosdef_validate_priority
+	qosdef_validate_mac
+	procd_close_validate
+}
+
+start_service() {
+	config_load nft-qos
+
+	qosdef_init_env
+	qosdef_flush_mac
+	qosdef_flush_static
+	qosdef_flush_dynamic
+	qosdef_remove_priority
+
+	qosdef_init_header
+	qosdef_init_monitor
+	qosdef_validate_dynamic default qosdef_init_dynamic
+	qosdef_validate_static default qosdef_init_static
+	qosdef_validate_mac default qosdef_init_mac
+	qosdef_validate_priority default qosdef_init_priority
+	qosdef_init_done
+	qosdef_start
+}
+
+stop_service() {
+	qosdef_flush_dynamic
+	qosdef_flush_static
+	qosdef_flush_mac
+	qosdef_remove_priority
+	qosdef_clean_cache
+}

shadowsocksr-libev/Makefile

@@ -0,0 +1,66 @@
+#
+# Copyright (C) 2021 ImmortalWrt
+# <https://immortalwrt.org>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=shadowsocksr-libev
+PKG_VERSION:=2.5.6
+PKG_RELEASE:=7
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/shadowsocksrr/shadowsocksr-libev
+PKG_SOURCE_DATE:=2018-03-07
+PKG_SOURCE_VERSION:=d63ff863800a5645aca4309d5dd5962bd1e95543
+PKG_MIRROR_HASH:=34308ed827a5dd4f4e35619914102d55b00604faa44fda051d1d25fb4a319325
+
+PKG_LICENSE:=GPL-3.0
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_FIXUP:=autoreconf
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/shadowsocksr-libev/Default
+  define Package/shadowsocksr-libev-ssr-$(1)
+    SECTION:=net
+    CATEGORY:=Network
+    SUBMENU:=Web Servers/Proxies
+    TITLE:=shadowsocksr-libev ssr-$(1)
+    URL:=https://github.com/shadowsocksrr/shadowsocksr-libev
+    DEPENDS:=+libev +libsodium +libopenssl +libpthread +libpcre +libudns +zlib
+  endef
+
+  define Package/shadowsocksr-libev-ssr-$(1)/install
+	$$(INSTALL_DIR) $$(1)/usr/bin
+	$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/bin/ss-$(1) $$(1)/usr/bin/ssr-$(1)
+  endef
+endef
+
+SHADOWSOCKSR_COMPONENTS:=check local nat redir server
+define shadowsocksr-libev/templates
+  $(foreach component,$(SHADOWSOCKSR_COMPONENTS),
+    $(call Package/shadowsocksr-libev/Default,$(component))
+  )
+endef
+$(eval $(call shadowsocksr-libev/templates))
+
+CONFIGURE_ARGS += \
+	--disable-documentation \
+	--disable-ssp \
+	--disable-assert \
+	--enable-system-shared-lib
+
+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
+
+$(foreach component,$(SHADOWSOCKSR_COMPONENTS), \
+  $(eval $(call BuildPackage,shadowsocksr-libev-ssr-$(component))) \
+)

shadowsocksr-libev/patches/0002-Revert-verify_simple-and-auth_simple.patch

@@ -0,0 +1,20 @@
+--- a/src/obfs/obfs.c
++++ b/src/obfs/obfs.c
+@@ -88,7 +88,7 @@ obfs_class *new_obfs_class(const char *p
+         plugin->client_decode = tls12_ticket_auth_client_decode;
+ 
+         return plugin;
+-        /*} else if (strcmp(plugin_name, "verify_simple") == 0) {
++        } else if (strcmp(plugin_name, "verify_simple") == 0) {
+             obfs_class * plugin = (obfs_class*)malloc(sizeof(obfs_class));
+             plugin->init_data = init_data;
+             plugin->new_obfs = verify_simple_new_obfs;
+@@ -115,7 +115,7 @@ obfs_class *new_obfs_class(const char *p
+             plugin->client_udp_pre_encrypt = NULL;
+             plugin->client_udp_post_decrypt = NULL;
+ 
+-            return plugin;*/
++            return plugin;
+     } else if (strcmp(plugin_name, "auth_sha1") == 0) {
+         obfs_class *plugin = (obfs_class *) malloc(sizeof(obfs_class));
+         plugin->init_data = auth_simple_init_data;

shadowsocksr-libev/patches/0003-Refine-Usage.patch

@@ -0,0 +1,37 @@
+--- a/src/utils.c
++++ b/src/utils.c
+@@ -258,8 +258,6 @@ usage()
+ {
+     printf("\n");
+     printf("shadowsocks-libev %s with %s\n\n", VERSION, USING_CRYPTO);
+-    printf(
+-        "  maintained by Max Lv <max.c.lv@gmail.com> and Linus Yang <laokongzi@gmail.com>\n\n");
+     printf("  usage:\n\n");
+ #ifdef MODULE_LOCAL
+     printf("    ss-local\n");
+@@ -299,6 +297,25 @@ usage()
+         "                                  The default cipher is rc4-md5.\n");
+     printf("\n");
+     printf(
++        "       -o <obfs>                  Obfs of your remote server: plain,\n");
++    printf(
++        "                                  http_simple, http_post and tls1.2_ticket_auth.\n");
++    printf(
++        "       -g <obfs-param>            Obfs-Param of your remote server.\n");
++    printf(
++        "       -O <protocol>              Protocol of your remote server: orgin,\n");
++    printf(
++        "                                  auth_sha1, auth_sha1_v2, auth_sha1_v4,\n");
++    printf(
++        "                                  auth_aes128_md5, auth_aes128_sha1,\n");
++    printf(
++        "                                  auth_chain_a, auth_chain_b, auth_chain_c,\n");
++    printf(
++        "                                  auth_chain_d, auth_chain_e and auth_chain_f.\n");
++    printf(
++        "       -G <protocol-param>        Protocol-Param of your remote server.\n");
++    printf("\n");
++    printf(
+         "       [-a <user>]                Run as another user.\n");
+     printf(
+         "       [-f <pid_file>]            The file path to store pid.\n");

shadowsocksr-libev/patches/0004-gcc10.patch

@@ -0,0 +1,20 @@
+--- a/src/http.h
++++ b/src/http.h
+@@ -29,6 +29,6 @@
+ #include <stdio.h>
+ #include "protocol.h"
+ 
+-const protocol_t *const http_protocol;
++extern const protocol_t *const http_protocol;
+ 
+ #endif
+--- a/src/tls.h
++++ b/src/tls.h
+@@ -28,6 +28,6 @@
+ 
+ #include "protocol.h"
+ 
+-const protocol_t *const tls_protocol;
++extern const protocol_t *const tls_protocol;
+ 
+ #endif

shadowsocksr-libev/patches/999-Fix-Werror-sizeof-pointer-memaccess.patch

@@ -0,0 +1,11 @@
+--- a/src/local.c
++++ b/src/local.c
+@@ -718,7 +718,7 @@ server_recv_cb(EV_P_ ev_io *w, int reven
+ 
+                     ss_free(hostname);
+                 } else {
+-                    strncpy(host, ip, sizeof(ip));
++                    strncpy(host, ip, INET6_ADDRSTRLEN);
+                 }
+             }
+