hq450 / fancyss

fancyss is a project providing tools to cross the GFW on asuswrt/merlin based routers.
GNU General Public License v3.0

IPv6 issue #220

Closed taolianggit closed 5 years ago

taolianggit commented 5 years ago

After enabling IPv6 Native in Merlin, the plugin reports that it is working normally, but most blocked sites do not go through SS.

hq450 commented 5 years ago

They are going over IPv6 first; the plugin does not support IPv6.

leeeboo commented 5 years ago

Hoping IPv6 support can come soon. Is there a plan for this? Thanks!

sdhzdmzzl commented 5 years ago

Also hoping for IPv6 support. And could you say which parts currently do not support IPv6, and which modules would need changing to support it?

leeeboo commented 5 years ago

@sdhzdmzzl Right now, if the router can obtain a public IPv6 address and the client devices pass ipv6-test.com, then with SS enabled and a target site that has a v6 record, the browser will prefer requesting the v6 resources, e.g. the CDN used by medium.com. But currently every v6 request bypasses the SS route and goes direct, so because of the GFW it cannot be reached. @hq450

sdhzdmzzl commented 5 years ago

@leeeboo I understand that. What I'm asking is which places would need to change to support v6. For example, if the SSR server address is written as a v6 address, how should it be configured so that v6 packets are handed to SSR?

leeeboo commented 5 years ago

@sdhzdmzzl That is exactly what we are hoping the author will support. Writing the SSR address as v6 works fine now; if the target is v4 it still gets through the wall, but when the target is v6 it does not. It should be the corresponding ip6tables rules set up by the SS plugin.

sdhzdmzzl commented 5 years ago

I looked into it; it should require adding IPv6 address support to dnsmasq and ipset (the IPs in the ipset right now are all v4), and then ip6tables forwarding rules. Adding those two should do it.

leeeboo commented 5 years ago

@sdhzdmzzl Yes.

sdhzdmzzl commented 5 years ago

Sadly, the ip6tables shipped on the AC86U has no nat chain.

leeeboo commented 5 years ago

Mine is an R7000.

sdhzdmzzl commented 5 years ago

Here's the problem: how do you upgrade ip6tables? If compiling it yourself, how is that done?

leeeboo commented 5 years ago

https://blog.csdn.net/xc889078/article/details/8796906 @sdhzdmzzl I'm trying too. It is really just building the ARM-platform version.

sdhzdmzzl commented 5 years ago

I'm following this guide: https://github.com/RMerl/asuswrt-merlin/wiki/Compile-Firmware-from-source-using-Ubuntu. But the build dies at iptables. Haven't found a fix yet.

sdhzdmzzl commented 5 years ago

Looks like we're on our own. The Merlin developer replied: "There's currently no plans to update iptables, as this can get tricky to do because of the kernel version, and the risk of breaking other firmware components."

leeeboo commented 5 years ago

You could consider modifying the source and building Merlin yourself.

love4taylor commented 5 years ago

@leeeboo As I recall the R7000's kernel is 2.6.y? Then forget it, that does not support IPv6 NAT.

leeeboo commented 5 years ago

@Love4Taylor Yes. I wonder which other routers can do this now.

love4taylor commented 5 years ago

@leeeboo Choose between openwrt/ddwrt and Merlin.

leeeboo commented 5 years ago

@Love4Taylor Do openwrt or ddwrt support it at the moment? Thanks.

love4taylor commented 5 years ago

@leeeboo They do. Both are basically on kernel 4.x or later, but you may still need to build it yourself to enable v6 NAT.

leeeboo commented 5 years ago

@Love4Taylor Thanks.

sdhzdmzzl commented 5 years ago

I got the Merlin build for the AC86U compiled today; it ships iptables 1.4.15 by default. I compared Merlin's 1.4.15 code against upstream 1.4.15 and 1.4.17, and the changes are quite large. I'll work on it when I have time.

sdhzdmzzl commented 5 years ago

```text
#
# Xtables matches
#
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
CONFIG_NETFILTER_XT_MATCH_DSCP=y
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_HL=m
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
CONFIG_NETFILTER_XT_MATCH_RECENT=y
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y
CONFIG_NETFILTER_XT_MATCH_WEBSTR=y
CONFIG_NETFILTER_XT_MATCH_CONDITION=m
CONFIG_NETFILTER_XT_MATCH_GEOIP=m
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=y
CONFIG_IP_SET_HASH_IPMARK=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_MAC=m
CONFIG_IP_SET_HASH_NETPORTNET=m
CONFIG_IP_SET_HASH_NET=y
CONFIG_IP_SET_HASH_NETNET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m
# CONFIG_IP_VS is not set

#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_LOG_ARP is not set
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=y
CONFIG_NF_NAT_MASQUERADE_IPV4=y
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_TRIGGER=y
CONFIG_NF_NAT_PROTO_GRE=y
CONFIG_NF_NAT_PPTP=y
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_RPFILTER is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_IPP2P=m
CONFIG_IP_NF_MATCH_WEB=m
CONFIG_IP_NF_MATCH_WEBMON=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_ROUTE=m
# CONFIG_IP_NF_TARGET_SYNPROXY is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_NF_NAT_IPSEC is not set
CONFIG_NF_NAT_PT=m
CONFIG_NF_NAT_RTSP=m
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_TTL is not set
CONFIG_IP_NF_RAW=y
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_LFP is not set
CONFIG_IP_NF_DNSMQ=y

#
# IPv6: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV6=y
CONFIG_NF_CONNTRACK_IPV6=y
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=y
CONFIG_NF_NAT_IPV6=y
# CONFIG_NF_NAT_MASQUERADE_IPV6 is not set
CONFIG_IP6_NF_IPTABLES=y
# CONFIG_IP6_NF_MATCH_AH is not set
# CONFIG_IP6_NF_MATCH_EUI64 is not set
# CONFIG_IP6_NF_MATCH_FRAG is not set
# CONFIG_IP6_NF_MATCH_OPTS is not set
# CONFIG_IP6_NF_MATCH_HL is not set
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
# CONFIG_IP6_NF_MATCH_MH is not set
# CONFIG_IP6_NF_MATCH_RPFILTER is not set
CONFIG_IP6_NF_MATCH_RT=y
# CONFIG_IP6_NF_TARGET_HL is not set
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
# CONFIG_IP6_NF_NAT is not set
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
# CONFIG_BRIDGE_EBT_802_3 is not set
# CONFIG_BRIDGE_EBT_AMONG is not set
CONFIG_BRIDGE_EBT_ARP=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_IP6=m
CONFIG_BRIDGE_EBT_LIMIT=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_PKTTYPE=m
CONFIG_BRIDGE_EBT_STP=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_BRIDGE_EBT_TIME=m
CONFIG_BRIDGE_EBT_ARPREPLY=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_SNAT=m
CONFIG_BRIDGE_EBT_FTOS_T=m
CONFIG_BRIDGE_EBT_SKIPLOG_T=m
CONFIG_BRIDGE_EBT_WMM_MARK=m
CONFIG_BRIDGE_EBT_LOG=m
# CONFIG_BRIDGE_EBT_NFLOG is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_RDS is not set
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
CONFIG_L2TP=y
# CONFIG_L2TP_DEBUGFS is not set
# CONFIG_L2TP_V3 is not set
CONFIG_STP=y
CONFIG_BRIDGE=y
# CONFIG_BRIDGE_IGMP_SNOOPING is not set
# CONFIG_BRIDGE_VLAN_FILTERING is not set
# CONFIG_BCM_VLAN_AGGREGATION is not set
CONFIG_HAVE_NET_DSA=y
CONFIG_VLAN_8021Q=y
# CONFIG_VLAN_8021Q_GVRP is not set
# CONFIG_VLAN_8021Q_MVRP is not set
# CONFIG_DECNET is not set
CONFIG_LLC=y
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_PHONET is not set
# CONFIG_6LOWPAN is not set
# CONFIG_MHI is not set
# CONFIG_IEEE802154 is not set
CONFIG_NET_SCHED=y
```

These are the kernel build options of my AC86U custom build of the official firmware. I don't know whether the IPv6 redirect module was built into the kernel.
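The pasted config does contain the answer (the IPv6 section has `CONFIG_NF_NAT_IPV6=y` but `# CONFIG_IP6_NF_NAT is not set`, so there is no IPv6 nat table for ip6tables to put a REDIRECT rule in), but it only helps if one knows which lines to read. The following is an added example, not code from fancyss or from anyone in this thread: a POSIX sh audit that reads a kernel `.config` and reports whether an IPv6 redirect path exists. The option names are those of the 3.x/4.x kernels these routers ship and are assumptions to re-check against the exact kernel; the sample config is constructed from the IPv6 netfilter lines above plus assumed TPROXY/xt_set lines that the excerpt does not show.

```shell
#!/bin/sh
# Added example, not fancyss code: audit a kernel .config for the netfilter
# options an IPv6 transparent proxy needs. Option names are assumptions taken
# from 3.x/4.x kernels; re-check them against the kernel version in question.

# ip6tables -t nat ... -j REDIRECT, the way the plugin redirects IPv4
NAT_OPTS="CONFIG_NF_NAT_IPV6 CONFIG_IP6_NF_NAT CONFIG_NETFILTER_XT_TARGET_REDIRECT"
# TPROXY in the mangle table: needs no nat table, but needs a TPROXY-capable client
TPROXY_OPTS="CONFIG_NETFILTER_XT_TARGET_TPROXY CONFIG_NETFILTER_XT_MATCH_SOCKET"
# inet6 ipset filled by dnsmasq and matched by ip6tables -m set
IPSET_OPTS="CONFIG_IP_SET CONFIG_IP_SET_HASH_NET CONFIG_NETFILTER_XT_SET"

# config_state FILE OPTION -> prints y (built in), m (module) or n (absent / not set)
config_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    else echo n
    fi
}

# check_group FILE LABEL OPTION... -> 0 when every option is built in or a module
check_group() {
    file=$1; label=$2; shift 2
    missing=""
    for opt in "$@"; do
        if [ "$(config_state "$file" "$opt")" = n ]; then
            missing="$missing $opt"
        fi
    done
    if [ -z "$missing" ]; then
        echo "$label: OK"
        return 0
    fi
    echo "$label: missing$missing"
    return 1
}

# audit FILE -> 0 if at least one redirect path (nat REDIRECT or TPROXY) is complete
audit() {
    nat_ok=1; tproxy_ok=1
    check_group "$1" "ip6tables nat/REDIRECT" $NAT_OPTS || nat_ok=0
    check_group "$1" "TPROXY (mangle)" $TPROXY_OPTS || tproxy_ok=0
    check_group "$1" "ipset inet6 + xt_set" $IPSET_OPTS || true
    [ "$nat_ok" = 1 ] || [ "$tproxy_ok" = 1 ]
}

# On the router itself this is the direct test: the nat table can only be
# listed if the running kernel actually has it.
has_ip6_nat_table() {
    ip6tables -t nat -L -n >/dev/null 2>&1
}

# Constructed sample: the IPv6 netfilter lines from this thread plus assumed
# TPROXY/xt_set lines (not in the pasted excerpt), so the verdict runs offline.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_IP_SET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_NF_NAT_IPV6=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_NAT is not set
# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
CONFIG_NETFILTER_XT_SET=y
EOF

audit "$SAMPLE_CONFIG" || echo "verdict: no IPv6 redirect path in this kernel; only filter/DNS fallbacks remain"
```

`CONFIG_NF_NAT_IPV6=y` alone is the conntrack-side NAT core; without `CONFIG_IP6_NF_NAT` the `nat` table that `ip6tables -t nat` needs is never registered, which is why the AC86U reports no nat chain. The filter and mangle tables are present, so REJECT rules in FORWARD (and, on a kernel that has it, TPROXY in mangle) are still available.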

sdhzdmzzl commented 5 years ago

Temporary workaround: 1. Modify the dnsmasq configuration so it does not return AAAA records for the domains in the gfwlist. 2. Use ip6tables rules to drop the IPv6 ranges corresponding to the gfwlist.

leeeboo commented 5 years ago

How exactly is that done? Thanks!

sdhzdmzzl commented 5 years ago

Let me study the configuration tomorrow.

sdhzdmzzl commented 5 years ago

The feasible approach seems to be modifying the dnsmasq configuration so the gfwlist ipset also gets the v6 addresses, the same as the earlier idea. The difference is that earlier the idea was for ip6tables to forward to SSR, which is not doable because of the version issue, so instead just drop it with ip6tables.

love4taylor commented 5 years ago

No need to drop the IPv6 ranges; just filter the AAAA records directly with iptables, see https://www.v2ex.com/t/493222
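The "filter AAAA with iptables" trick relies on the `xt_string` match, which the pasted config has built in (`CONFIG_NETFILTER_XT_MATCH_STRING=y`). The following is an added example, not code from fancyss or from the linked v2ex post: it prints the rule and, so the caveat is visible, builds the wire-format question section for a name and shows which bytes the match keys on. The LAN interface name `br0` is an assumption.

```shell
#!/bin/sh
# Added example, not from fancyss or the v2ex post. A DNS question ends in
# 0x00 (end of QNAME), QTYPE (2 bytes), QCLASS (2 bytes). AAAA is QTYPE 28
# (0x001c) and IN is 0x0001, so the rule searches packets for 00 00 1c 00 01.
AAAA_PATTERN="|00001c0001|"

# aaaa_drop_rule [LAN_IF] -> the iptables command (printed, not executed).
# Scoped to the LAN side so the router's own upstream DNS traffic is untouched.
aaaa_drop_rule() {
    lan_if=${1:-br0}   # assumed LAN bridge name
    printf 'iptables -I INPUT -i %s -p udp --dport 53 -m string --hex-string "%s" --algo bm -j DROP\n' \
        "$lan_if" "$AAAA_PATTERN"
}

# dns_question_hex NAME QTYPE -> the question section as "xx xx ..." hex bytes,
# i.e. the bytes xt_string scans (IP/UDP/DNS headers precede them on the wire).
dns_question_hex() {
    name=$1; qtype=$2; out=""
    old_ifs=$IFS; IFS=.
    for label in $name; do
        # one length byte, then the label's own bytes
        out="$out $(printf '%02x' "${#label}")"
        out="$out $(printf '%s' "$label" | od -An -v -tx1 | tr -s ' \n' ' ')"
    done
    IFS=$old_ifs
    # terminator, QTYPE (big-endian), QCLASS = IN
    out="$out 00 $(printf '%04x' "$qtype" | sed 's/^\(..\)\(..\)$/\1 \2/') 00 01"
    printf '%s\n' "$out" | tr -s ' ' | sed 's/^ //; s/ $//'
}

# filter_matches HEXBYTES -> 0 when the string match would fire.
# Byte-aligned search, like xt_string: the pattern must start on a byte boundary.
filter_matches() {
    printf ' %s ' "$1" | grep -q ' 00 00 1c 00 01 '
}

aaaa_drop_rule br0
dns_question_hex medium.com 28
```

The match is a plain byte search over the whole packet, not a DNS parse: it also drops any UDP/53 packet that happens to contain that sequence elsewhere, it covers only UDP (TCP fallback and DoH from the client bypass it), and it removes IPv6 name resolution for every site, blocked or not, for every client behind that interface. That is the trade-off against the per-domain ipset approach discussed above.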

leeeboo commented 5 years ago

@Love4Taylor If that is the method, then the author of this project could consider building it in.

sdhzdmzzl commented 5 years ago

I can't be bothered to fiddle any more. What I do now is: whenever I hit a v6 address that can't be reached, I just throw it into ip6tables on the router and drop it, slowly accumulating the blocked IPs.

leeeboo commented 5 years ago

@sdhzdmzzl What is the exact drop command you use? Thanks.

sdhzdmzzl commented 5 years ago

`ip6tables -I FORWARD -d 2607:f8b0::/32 -j REJECT --reject-with icmp6-adm-prohibited` Just replace the v6 address. @leeeboo You can also add the protocol type and block only TCP.

leeeboo commented 5 years ago

@sdhzdmzzl But that targets IPs rather than domains, so there may be gaps.

sdhzdmzzl commented 5 years ago

Yes, so the IPs have to be accumulated over time. You can also enumerate the IP table for the domains yourself.

sdhzdmzzl commented 5 years ago

`ip6tables -I FORWARD -d 2404:6800:4008:c000::/56 -p tcp -j REJECT --reject-with icmp6-adm-prohibited`

@leeeboo This filters out some of the Google and YouTube IPs; for me it filters out all the v6 addresses I see. It depends on the upstream server of your own DNS server.
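The per-prefix REJECT rules above work but, as noted, they target addresses rather than domains. The following is an added example, not fancyss code or anything posted in this thread: the same fallback driven from a domain list. dnsmasq fills an IPv4 and an IPv6 ipset from one gfwlist-style list (it puts A answers in the inet set and AAAA answers in the inet6 set), and a single ip6tables FORWARD rule rejects TCP to anything in the v6 set, so clients fall back to the IPv4 path the plugin does redirect. The set names, the sample domain list, the availability of `xt_set` (`CONFIG_NETFILTER_XT_SET`, not shown in the pasted config) and an ipset 6.x that accepts `-exist` are assumptions.

```shell
#!/bin/sh
# Added example, not fancyss code. Set names gfwlist/gfwlist6 and the domain
# list are constructed for the demo; xt_set support and ipset -exist are assumed.

# gen_dnsmasq_ipset_conf SET4 SET6 < domain-list -> dnsmasq "ipset=" lines.
# dnsmasq adds each answer to whichever listed set matches its address family.
gen_dnsmasq_ipset_conf() {
    set4=$1; set6=$2
    while IFS= read -r domain; do
        case $domain in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf 'ipset=/%s/%s,%s\n' "$domain" "$set4" "$set6"
    done
}

# v6_block_rules SET6 [PREFIX...] -> ipset/ip6tables commands, printed (dry run).
# Extra PREFIX arguments seed the set by hand, the way this thread collects them.
v6_block_rules() {
    set6=$1; shift
    echo "ipset -exist create $set6 hash:net family inet6"
    for prefix in "$@"; do
        echo "ipset -exist add $set6 $prefix"
    done
    # REJECT lives in the filter table, which this ip6tables does have; the
    # admin-prohibited ICMPv6 makes the client fail fast and retry over IPv4.
    rule="FORWARD -p tcp -m set --match-set $set6 dst -j REJECT --reject-with icmp6-adm-prohibited"
    # -C first so re-running the script never stacks duplicate rules
    echo "ip6tables -C $rule 2>/dev/null || ip6tables -I $rule"
}

# apply_rules SET6 [PREFIX...] -> run the generated commands (root on the router)
apply_rules() {
    v6_block_rules "$@" | sh
}

# Constructed domain list for the demo, not the real gfwlist
DOMAINS='# sample list
medium.com
youtube.com
'

dnsmasq_conf() {
    printf '%s' "$DOMAINS" | gen_dnsmasq_ipset_conf gfwlist gfwlist6
}

dnsmasq_conf
v6_block_rules gfwlist6 2404:6800:4008:c000::/56
```

The generated `ipset=` lines go into a dnsmasq conf.d file and the commands into the router's firewall-start hook; both sets must exist before dnsmasq answers queries, or the additions fail silently. Resolutions that bypass dnsmasq (clients with their own DoH, or AAAA answers cached before the rule was added) will not land in the set, which is the residual gap a DNS-side AAAA filter closes at the cost of IPv6 for everything.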

leeeboo commented 5 years ago

@sdhzdmzzl Thanks.

halfu commented 4 years ago

To simply block AAAA records, you can choose smartdns under DNS, then edit /koolshare/ss/rules/smartdns_template.conf and uncomment `force-AAAA-SOA yes`.