Update README.md

README.md

@@ -5,11 +5,11 @@ A Tunnel which turns UDP Traffic into Encrypted FakeTCP/UDP/ICMP Traffic by usin
 
 ![image0](images/image0.PNG)
 
-When used alone,udp2raw tunnels only UDP traffic. Nevertheless,if you used udp2raw + any UDP-based VPN together,you can tunnel any traffic(include TCP/UDP/ICMP),currently OpenVPN/L2TP/ShadowVPN and [tinyFecVPN](https://github.com/wangyu-/tinyFecVPN) are confirmed to be supported. 
+When used alone,udp2raw tunnels only UDP traffic. Nevertheless,if you used udp2raw + any UDP-based VPN together,you can tunnel any traffic(include TCP/UDP/ICMP),currently OpenVPN/L2TP/ShadowVPN and [tinyfecVPN](https://github.com/wangyu-/tinyfecVPN) are confirmed to be supported. 
 
 ![image_vpn](images/udp2rawopenvpn.PNG)
 
-[简体中文](/doc/README.zh-cn.md)
+[简体中文](/doc/README.zh-cn.md)(内容更丰富)
 
 # Support Platforms
 Linux host (including desktop Linux,Android phone/tablet,OpenWRT router,or Raspberry PI) with root access.
@@ -81,6 +81,8 @@ Assume your UDP is blocked or being QOS-ed or just poorly supported. Assume your
 # Run at client side
 ./udp2raw_amd64 -c -l0.0.0.0:3333  -r44.55.66.77:4096 -a -k "passwd" --raw-mode faketcp
 ```
+(The above commands need to be run as root. For better security, with some extra steps, you can run udp2raw as non-root. Check [this link](https://github.com/wangyu-/udp2raw-tunnel/wiki/run-udp2raw-as-non-root) for more info  )
+
 ###### Server Output:
 ![](images/output_server.PNG)
 ###### Client Output:
@@ -91,9 +93,9 @@ Now,an encrypted raw tunnel has been established between client and server throu
 ### Note
 To run on Android, check [Android_Guide](/doc/android_guide.md)
 
-If you have connection problems.Take a look at `--seq-mode` option.
+If you have connection problems. Take a look at `--seq-mode` option.
+
 
-You can run udp2raw with a non-root account(for better security).Take a look at [#26](https://github.com/wangyu-/udp2raw-tunnel/issues/26) for more info. 
 
 # Advanced Topic
 ### Usage

doc/README.zh-cn.md

@@ -79,11 +79,13 @@ https://github.com/wangyu-/udp2raw-tunnel/releases
 
 ```
 在server端运行:
-./udp2raw_amd64 -s -l0.0.0.0:4096 -r 127.0.0.1:7777  -a -k "passwd" --raw-mode faketcp
+./udp2raw_amd64 -s -l0.0.0.0:4096  -r127.0.0.1:7777   -a -k "passwd" --raw-mode faketcp   --cipher-mode xor
 
 在client端运行:
-./udp2raw_amd64 -c -l0.0.0.0:3333  -r44.55.66.77:4096 -a -k "passwd" --raw-mode faketcp
+./udp2raw_amd64 -c -l0.0.0.0:3333  -r44.55.66.77:4096 -a -k "passwd" --raw-mode faketcp   --cipher-mode xor
 ```
+(以上例子需要用root账号运行。 用非root运行udp2raw需要一些额外的步骤，具体方法请看 [这个](https://github.com/wangyu-/udp2raw-tunnel/wiki/run-udp2raw-as-non-root) 链接。用非root运行更安全)
+
 ###### Server端输出:
 ![](/images/output_server.PNG)
 ###### Client端输出:
@@ -96,14 +98,14 @@ https://github.com/wangyu-/udp2raw-tunnel/releases
 不论你用udp2raw来加速kcptun还是vpn,为了稳定使用,都需要设置合理的MTU（在kcptun/vpn里设置，而不是在udp2raw里），建议把MTU设置成1200。client和server端都要设置。
 
 ### 提醒
+`--cipher-mode xor`表示仅使用简单的XOR加密，这样可以节省CPU占用，以免CPU成为速度瓶颈。如果你需要更强的加密，可以去掉此选项，使用默认的AES加密。加密相关的选项见后文的`--cipher-mode`和`--auth-mode`。
+
 如果要在anroid上运行，请看[Android简明教程](/doc/android_guide.md)
 
 如果要在梅林固件的路由器上使用，添加`--lower-level auto` `--keep-rule`
 
 如果client和server无法连接，或者连接经常断开，请看一下`--seq-mode`的用法，尝试不同的seq-mode。
 
-udp2raw可以用非root账号运行，这样更安全。具体方法见：[#26](https://github.com/wangyu-/udp2raw-tunnel/issues/26) 
-
 # 进阶操作说明
 
 ### 命令选项
@@ -164,7 +166,7 @@ other options:
 
 用raw收发udp包也类似，只是内核回复的是icmp unreachable。而用raw 收发icmp，内核会自动回复icmp echo。都需要相应的iptables规则。
 ### `--cipher-mode` 和 `--auth-mode` 
-如果要最大的安全性建议用aes128cbc+md5。如果要运行再路由器上，建议xor+simple。但是注意xor+simple只能骗过防火墙的包检测，不能防止真正的攻击者。
+如果要最大的安全性建议用aes128cbc+md5。如果要运行在路由器上，建议用xor+simple，可以节省CPU。但是注意xor+simple只能骗过防火墙的包检测，不能防止真正的攻击者。
 
 ### `--seq-mode`
 facktcp模式并没有模拟tcp的全部。所以理论上有办法把faketcp和真正的tcp流量区分开来（虽然大部分ISP不太可能做这种程度的包检测）。seq-mode可以改变一些seq ack的行为。如果遇到了连接问题，可以尝试更改。在我这边的移动线路用3种模式都没问题。

doc/build_guide.md

@@ -1,8 +1,10 @@
 # udp2raw build guide
 
-the guide on how to build udp2raw to you own platform
+the guide on how to build udp2raw
 
-## linux platform which supports local compile
+## Build udp2raw for a specific platform
+
+### linux platform which supports local compile
 such as PC,raspberry pi
 
 ##### install git
@@ -36,7 +38,7 @@ sudo yum groupinstall 'Development Tools'
 
 run 'make'，compilation done. the udp2raw file is the just compiled binary
 
-## platform which needs cross-compile
+### platform which needs cross-compile
 such as openwrt router,run following instructions on your PC
 
 ##### install git
@@ -74,3 +76,17 @@ cc_cross=/home/wangyu/Desktop/OpenWrt-SDK-15.05-ar71xx-generic_gcc-4.8-linaro_uC
 run `make cross`，the just generated `udp2raw_cross` is the binary,compile done. copy it to your router to run.
 
 `make cross` generates non-static binary. If you have any problem on running it,try to compile a static binary by using `make cross2` or `make cross3`.If your toolchain supports static compiling, usually one of them will succeed. The generated file is still named `udp2raw_cross`.
+
+
+
+## Build a full release (include all binaries supported in the makefile)
+
+1. make sure your linux is amd64 version
+
+2. clone the repo
+
+3. make sure you have g++ , make sure your g++ support the `-m32` option; make your your have installed libraries for `-m32` option
+
+4. download https://github.com/wangyu-/files/releases/download/files/toolchains.tar.gz , and extract it to the right position (according to the makefile)
+
+5. run `make release` inside udp2raw's directory

encrypt.cpp

@@ -17,23 +17,13 @@ static int8_t zero_iv[]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   0,0,0,0};//this prog
 ****/
 
 char key[16];//generated from key_string by md5.
-/*
-TODO
-
-Change md5 to HMAC-md5 if necessary.Change padding to PKCS#7 style if necessary.
-
-Need someone with cryptography knowledge to help review the encryption method.
-
-Change them if necessary(I can do this by myself,if it turns out to be necessary).
-
-github issue:
-
-https://github.com/wangyu-/udp2raw-tunnel/issues/17
-
-*/
+//TODO key derive function
 
 unordered_map<int, const char *> auth_mode_tostring = {{auth_none, "none"}, {auth_md5, "md5"}, {auth_crc32, "crc32"},{auth_simple,"simple"}};
+//TODO HMAC-md5 ,HMAC-sha1
+
 unordered_map<int, const char *> cipher_mode_tostring={{cipher_none,"none"},{cipher_aes128cbc,"aes128cbc"},{cipher_xor,"xor"}};
+//TODO aes-gcm
 
 auth_mode_t auth_mode=auth_md5;
 cipher_mode_t cipher_mode=cipher_aes128cbc;
@@ -356,13 +346,28 @@ int my_decrypt(const char *data,char *output,int &len,char * key)
 	return 0;
 }
 
-int my_encrypt_pesudo_header(uint8_t *data,uint8_t *output,int &len,uint8_t * key,uint8_t *header,int hlen)
+int encrypt_AE(const char *data,char *output,int &len,char * key)
 {
-
-	return 0;
-}
-int my_decrypt_pesudo_header(uint8_t *data,uint8_t *output,int &len,uint8_t * key,uint8_t *header,int hlen)
-{
-	return 0;
+	//TODO
+	//use encrypt-then-MAC scheme
+	return -1;
+}
+
+int decrypt_AE(const char *data,char *output,int &len,char * key)
+{
+	//TODO
+	return -1;
+}
+
+int encrypt_AEAD(uint8_t *data,uint8_t *output,int &len,uint8_t * key,uint8_t *header,int hlen)
+{
+	//TODO
+	return -1;
+}
+
+int decrypt_AEAD(uint8_t *data,uint8_t *output,int &len,uint8_t * key,uint8_t *header,int hlen)
+{
+	//TODO
+	return -1;
 }
 

encrypt.h

@@ -17,9 +17,6 @@ extern char key[16];
 int my_encrypt(const char *data,char *output,int &len,char * key);
 int my_decrypt(const char *data,char *output,int &len,char * key);
 
-int my_encrypt_pesudo_header(uint8_t *data,uint8_t *output,int &len,uint8_t * key,uint8_t *header,int hlen);
-int my_decrypt_pesudo_header(uint8_t *data,uint8_t *output,int &len,uint8_t * key,uint8_t *header,int hlen);
-
 
 unsigned short csum(const unsigned short *ptr,int nbytes) ;
 

main.cpp

@@ -1049,10 +1049,31 @@ int client_event_loop()
 			u32_t dest_ip;
 			string if_name_string;
 			string hw_string;
-			if(find_lower_level_info(remote_ip_uint32,dest_ip,if_name_string,hw_string)!=0)
+
+			if(retry_on_error==0)
 			{
-				mylog(log_fatal,"auto detect lower-level info failed for %s,specific it manually\n",remote_ip);
-				myexit(-1);
+				if(find_lower_level_info(remote_ip_uint32,dest_ip,if_name_string,hw_string)!=0)
+				{
+					mylog(log_fatal,"auto detect lower-level info failed for %s,specific it manually\n",remote_ip);
+					myexit(-1);
+				}
+			}
+			else
+			{
+				int ok=0;
+				while(!ok)
+				{
+					if(find_lower_level_info(remote_ip_uint32,dest_ip,if_name_string,hw_string)!=0)
+					{
+						mylog(log_warn,"auto detect lower-level info failed for %s,retry in %d seconds\n",remote_ip,retry_on_error_interval);
+						sleep(retry_on_error_interval);
+					}
+					else
+					{
+						ok=1;
+					}
+
+				}
 			}
 			mylog(log_info,"we are running at lower-level (auto) mode,%s %s %s\n",my_ntoa(dest_ip),if_name_string.c_str(),hw_string.c_str());
 
@@ -1086,11 +1107,32 @@ int client_event_loop()
 	if(source_ip_uint32==0)
 	{
 		mylog(log_info,"get_src_adress called\n");
-		if(get_src_adress(source_ip_uint32,remote_ip_uint32,remote_port)!=0)
+		if(retry_on_error==0)
 		{
-			mylog(log_fatal,"the trick to auto get source ip failed,you should specific an ip by --source-ip\n");
-			myexit(-1);
+			if(get_src_adress(source_ip_uint32,remote_ip_uint32,remote_port)!=0)
+			{
+				mylog(log_fatal,"the trick to auto get source ip failed, maybe you dont have internet access\n");
+				myexit(-1);
+			}
 		}
+		else
+		{
+			int ok=0;
+			while(!ok)
+			{
+				if(get_src_adress(source_ip_uint32,remote_ip_uint32,remote_port)!=0)
+				{
+					mylog(log_warn,"the trick to auto get source ip failed, maybe you dont have internet access, retry in %d seconds\n",retry_on_error_interval);
+					sleep(retry_on_error_interval);
+				}
+				else
+				{
+					ok=1;
+				}
+
+			}
+		}
+
 	}
 	in_addr tmp;
 	tmp.s_addr=source_ip_uint32;
@@ -1676,7 +1718,11 @@ int main(int argc, char *argv[])
 
 	if(geteuid() != 0)
 	{
-		mylog(log_error,"root check failed,make sure you run this program with root,we can try to continue,but it will likely fail\n");
+		mylog(log_error,"root check failed, it seems like you are using a non-root account. we can try to continue, but it may fail. If you want to run udp2raw as non-root, you have to add iptables rule manually, and grant udp2raw CAP_NET_RAW capability, check README.md in repo for more info.\n");
+	}
+	else
+	{
+		mylog(log_warn,"you can run udp2raw with non-root account for better security. check README.md in repo for more info.\n");
 	}
 
 	local_ip_uint32=inet_addr(local_ip);

makefile

@@ -1,10 +1,12 @@
 cc_cross=/home/wangyu/Desktop/arm-2014.05/bin/arm-none-linux-gnueabi-g++
 cc_local=g++
+#cc_local=/opt/cross/x86_64-linux-musl/bin/x86_64-linux-musl-g++
 #cc_mips34kc=/toolchains/OpenWrt-SDK-ar71xx-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/bin/mips-openwrt-linux-g++
 cc_mips24kc_be=/toolchains/lede-sdk-17.01.2-ar71xx-generic_gcc-5.4.0_musl-1.1.16.Linux-x86_64/staging_dir/toolchain-mips_24kc_gcc-5.4.0_musl-1.1.16/bin/mips-openwrt-linux-musl-g++
 cc_mips24kc_le=/toolchains/lede-sdk-17.01.2-ramips-mt7621_gcc-5.4.0_musl-1.1.16.Linux-x86_64/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/bin/mipsel-openwrt-linux-musl-g++
 #cc_arm= /toolchains/gcc-linaro-4.9.4-2017.01-x86_64_arm-linux-gnueabi/bin/arm-linux-gnueabi-g++ -march=armv6 -marm 
 cc_arm= /toolchains/arm-2014.05/bin/arm-none-linux-gnueabi-g++
+#cc_arm=/toolchains/lede-sdk-17.01.2-brcm2708-bcm2708_gcc-5.4.0_musl-1.1.16_eabi.Linux-x86_64/staging_dir/toolchain-arm_arm1176jzf-s+vfp_gcc-5.4.0_musl-1.1.16_eabi/bin/arm-openwrt-linux-muslgnueabi-g++
 #cc_bcm2708=/home/wangyu/raspberry/tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian/bin/arm-linux-gnueabihf-g++ 
 FLAGS= -std=c++11 -Wall -Wextra -Wno-unused-variable -Wno-unused-parameter -Wno-missing-field-initializers
 
@@ -47,6 +49,10 @@ mips24kc_le_asm_aes: git_version
 #	${cc_bcm2708} -o ${NAME}_bcm2708  -I. ${SOURCES} ${FLAGS} -lrt -static -O3
 amd64:git_version
 	${cc_local}   -o ${NAME}_$@    -I. ${SOURCES} ${FLAGS} -lrt -static -O3
+
+amd64_perf:git_version
+	${cc_local}   -o ${NAME}_$@    -I. ${SOURCES} ${FLAGS} -lrt -static -O0 -fno-omit-frame-pointer -g
+
 amd64_hw_aes:git_version
 	${cc_local}   -o ${NAME}_$@   -I. ${SOURCES_AES_ACC} ${FLAGS} -lrt -static -O3 lib/aes_acc/asm/x64.S
 x86:git_version
@@ -56,6 +62,9 @@ x86_asm_aes:git_version
 arm:git_version
 	${cc_arm}   -o ${NAME}_$@      -I. ${SOURCES} ${FLAGS} -lrt -static -O3
 
+arm_perf:git_version
+	${cc_arm}   -o ${NAME}_$@      -I. ${SOURCES} ${FLAGS} -lrt -static -mapcs-frame -fno-omit-frame-pointer -g -O0 -lgcc_eh
+
 arm_asm_aes:git_version
 	${cc_arm}   -o ${NAME}_$@    -I. ${SOURCES_AES_ACC} ${FLAGS} -lrt -static -O3 lib/aes_acc/asm/arm.S
 

misc.cpp

@@ -44,12 +44,18 @@ int auto_add_iptables_rule=0;//if -a is set
 int generate_iptables_rule=0;//if -g is set
 int generate_iptables_rule_add=0;// if --gen-add is set
 
+int retry_on_error=0;
+
 int debug_resend=0; // debug only
 
 char key_string[1000]= "secret key";// -k option
 
 char fifo_file[1000]="";
 
+int clear_iptables=0;
+int wait_xtables_lock=0;
+string iptables_command0="iptables ";
+string iptables_command="";
 string iptables_pattern="";
 int iptables_rule_added=0;
 int iptables_rule_keeped=0;
@@ -153,11 +159,13 @@ void print_help()
 	printf("    --lower-level         <string>        send packets at OSI level 2, format:'if_name#dest_mac_adress'\n");
 	printf("                                          ie:'eth0#00:23:45:67:89:b9'.or try '--lower-level auto' to obtain\n");
 	printf("                                          the parameter automatically,specify it manually if 'auto' failed\n");
+	printf("    --wait-lock                           wait for xtables lock while invoking iptables, need iptables v1.4.20+\n");
 	printf("    --gen-add                             generate iptables rule and add it permanently,then exit.overrides -g\n");
 	printf("    --keep-rule                           monitor iptables and auto re-add if necessary.implys -a\n");
 	printf("    --hb-len              <number>        length of heart-beat packet, >=0 and <=1500\n");
 	printf("    --mtu-warn            <number>        mtu warning threshold, unit:byte, default:1375\n");
 	printf("    --clear                               clear any iptables rules added by this program.overrides everything\n");
+	printf("    --retry-on-error                      retry on error, allow to start udp2raw before network is initialized\n");
 	printf("    -h,--help                             print this help message\n");
 
 	//printf("common options,these options must be same on both side\n");
@@ -245,6 +253,7 @@ void process_arg(int argc, char *argv[])  //process all options
 		{"gen-rule", no_argument,    0, 'g'},
 		{"gen-add", no_argument,    0, 1},
 		{"debug", no_argument,    0, 1},
+		{"retry-on-error", no_argument,    0, 1},
 		{"clear", no_argument,    0, 1},
 		{"simple-rule", no_argument,    0, 1},
 		{"keep-rule", no_argument,    0, 1},
@@ -253,6 +262,7 @@ void process_arg(int argc, char *argv[])  //process all options
 		{"seq-mode", required_argument,    0, 1},
 		{"conf-file", required_argument,   0, 1},
 		{"force-sock-buf", no_argument,   0, 1},
+		{"wait-lock", no_argument,   0, 1},
 		{"random-drop", required_argument,    0, 1},
 		{"fifo", required_argument,    0, 1},
 		{"hb-mode", required_argument,    0, 1},
@@ -426,15 +436,7 @@ void process_arg(int argc, char *argv[])  //process all options
 			mylog(log_debug,"option_index: %d\n",option_index);
 			if(strcmp(long_options[option_index].name,"clear")==0)
 			{
-				char *output;
-				//int ret =system("iptables-save |grep udp2raw_dWRwMnJhdw|sed -n 's/^-A/iptables -D/p'|sh");
-				int ret =run_command("iptables -S|sed -n '/udp2rawDwrW/p'|sed -n 's/^-A/iptables -D/p'|sh",output);
-
-				int ret2 =run_command("iptables -S|sed -n '/udp2rawDwrW/p'|sed -n 's/^-N/iptables -X/p'|sh",output);
-				//system("iptables-save |grep udp2raw_dWRwMnJhdw|sed 's/^-A/iptables -D/'|sh");
-				//system("iptables-save|grep -v udp2raw_dWRwMnJhdw|iptables-restore");
-				mylog(log_info,"tried to clear all iptables rule created previously,return value %d %d\n",ret,ret2);
-				myexit(-1);
+				clear_iptables=1;
 			}
 			else if(strcmp(long_options[option_index].name,"source-ip")==0)
 			{
@@ -546,6 +548,14 @@ void process_arg(int argc, char *argv[])  //process all options
 			{
 				force_socket_buf=1;
 			}
+			else if(strcmp(long_options[option_index].name,"retry-on-error")==0)
+			{
+				retry_on_error=1;
+			}
+			else if(strcmp(long_options[option_index].name,"wait-lock")==0)
+			{
+				wait_xtables_lock=1;
+			}
 			else if(strcmp(long_options[option_index].name,"disable-bpf")==0)
 			{
 				disable_bpf_filter=1;
@@ -640,6 +650,7 @@ void process_arg(int argc, char *argv[])  //process all options
 		print_help();
 		myexit(-1);
 	}
+
 	//if(lower_level)
 		//process_lower_level_arg();
 
@@ -768,8 +779,30 @@ void *run_keep(void *none)  //called in a new thread for --keep-rule option
 	return NULL;
 
 }
-void iptables_rule()  // handles -a -g --gen-add  --keep-rule
+void iptables_rule()  // handles -a -g --gen-add  --keep-rule --clear --wait-lock
 {
+	if(!wait_xtables_lock)
+	{
+		iptables_command=iptables_command0;
+	}
+	else
+	{
+		iptables_command=iptables_command0+"-w ";
+	}
+
+	if(clear_iptables)
+	{
+		char *output;
+		//int ret =system("iptables-save |grep udp2raw_dWRwMnJhdw|sed -n 's/^-A/iptables -D/p'|sh");
+		int ret =run_command(iptables_command+"-S|sed -n '/udp2rawDwrW/p'|sed -n 's/^-A/"+iptables_command+"-D/p'|sh",output);
+
+		int ret2 =run_command(iptables_command+"-S|sed -n '/udp2rawDwrW/p'|sed -n 's/^-N/"+iptables_command+"-X/p'|sh",output);
+		//system("iptables-save |grep udp2raw_dWRwMnJhdw|sed 's/^-A/iptables -D/'|sh");
+		//system("iptables-save|grep -v udp2raw_dWRwMnJhdw|iptables-restore");
+		mylog(log_info,"tried to clear all iptables rule created previously,return value %d %d\n",ret,ret2);
+		myexit(-1);
+	}
+
 	if(auto_add_iptables_rule&&generate_iptables_rule)
 	{
 		mylog(log_warn," -g overrides -a\n");
@@ -872,7 +905,7 @@ void iptables_rule()  // handles -a -g --gen-add  --keep-rule
 	}
 	if(generate_iptables_rule)
 	{
-		string rule="iptables -I INPUT ";
+		string rule=iptables_command+"-I INPUT ";
 		rule+=pattern;
 		rule+=" -j DROP";
 
@@ -1042,31 +1075,6 @@ int handle_lower_level(raw_info_t &raw_info)//fill lower_level info,when --lower
 }
 
 
-
-/*
-int add_iptables_rule(const char * s)
-{
-
-	iptables_pattern=s;
-
-	string rule="iptables -I INPUT ";
-	rule+=iptables_pattern;
-	rule+=" -j DROP";
-
-	char *output;
-	if(run_command(rule.c_str(),output)==0)
-	{
-		mylog(log_warn,"auto added iptables rule by:  %s\n",rule.c_str());
-	}
-	else
-	{
-		mylog(log_fatal,"auto added iptables failed by: %s\n",rule.c_str());
-		//mylog(log_fatal,"reason : %s\n",strerror(errno));
-		myexit(-1);
-	}
-	iptables_rule_added=1;
-	return 0;
-}*/
 string chain[2];
 string rule_keep[2];
 string rule_keep_add[2];
@@ -1081,14 +1089,14 @@ int iptables_gen_add(const char * s,u32_t const_id)
 	iptables_pattern=s;
 	chain[0] =dummy+ "udp2rawDwrW_C";
 	rule_keep[0]=dummy+ iptables_pattern+" -j " +chain[0];
-	rule_keep_add[0]=dummy+"iptables -I INPUT "+rule_keep[0];
+	rule_keep_add[0]=iptables_command+"-I INPUT "+rule_keep[0];
 
 	char *output;
-	run_command(dummy+"iptables -N "+chain[0],output,show_none);
-	run_command(dummy+"iptables -F "+chain[0],output);
-	run_command(dummy+"iptables -I "+chain[0] + " -j DROP",output);
+	run_command(iptables_command+"-N "+chain[0],output,show_none);
+	run_command(iptables_command+"-F "+chain[0],output);
+	run_command(iptables_command+"-I "+chain[0] + " -j DROP",output);
 
-	rule_keep_del[0]=dummy+"iptables -D INPUT "+rule_keep[0];
+	rule_keep_del[0]=iptables_command+"-D INPUT "+rule_keep[0];
 
 	run_command(rule_keep_del[0],output,show_none);
 	run_command(rule_keep_del[0],output,show_none);
@@ -1116,11 +1124,11 @@ int iptables_rule_init(const char * s,u32_t const_id,int keep)
 	rule_keep[0]=dummy+ iptables_pattern+" -j " +chain[0];
 	rule_keep[1]=dummy+ iptables_pattern+" -j " +chain[1];
 
-	rule_keep_add[0]=dummy+"iptables -I INPUT "+rule_keep[0];
-	rule_keep_add[1]=dummy+"iptables -I INPUT "+rule_keep[1];
+	rule_keep_add[0]=iptables_command+"-I INPUT "+rule_keep[0];
+	rule_keep_add[1]=iptables_command+"-I INPUT "+rule_keep[1];
 
-	rule_keep_del[0]=dummy+"iptables -D INPUT "+rule_keep[0];
-	rule_keep_del[1]=dummy+"iptables -D INPUT "+rule_keep[1];
+	rule_keep_del[0]=iptables_command+"-D INPUT "+rule_keep[0];
+	rule_keep_del[1]=iptables_command+"-D INPUT "+rule_keep[1];
 
 	keep_rule_last_time=get_current_time();
 
@@ -1128,9 +1136,9 @@ int iptables_rule_init(const char * s,u32_t const_id,int keep)
 
 	for(int i=0;i<=iptables_rule_keeped;i++)
 	{
-		run_command(dummy+"iptables -N "+chain[i],output);
-		run_command(dummy+"iptables -F "+chain[i],output);
-		run_command(dummy+"iptables -I "+chain[i] + " -j DROP",output);
+		run_command(iptables_command+"-N "+chain[i],output);
+		run_command(iptables_command+"-F "+chain[i],output);
+		run_command(iptables_command+"-I "+chain[i] + " -j DROP",output);
 
 		if(run_command(rule_keep_add[i],output)!=0)
 		{
@@ -1167,12 +1175,12 @@ int keep_iptables_rule()  //magic to work on a machine without grep/iptables --c
 
 	int i=iptables_rule_keep_index;
 
-	run_command(dummy + "iptables -N " + chain[i], output,show_none);
+	run_command(iptables_command + "-N " + chain[i], output,show_none);
 
-	if (run_command(dummy + "iptables -F " + chain[i], output,show_none) != 0)
+	if (run_command(iptables_command + "-F " + chain[i], output,show_none) != 0)
 		mylog(log_warn, "iptables -F failed %d\n",i);
 
-	if (run_command(dummy + "iptables -I " + chain[i] + " -j DROP",output,show_none) != 0)
+	if (run_command(iptables_command + "-I " + chain[i] + " -j DROP",output,show_none) != 0)
 		mylog(log_warn, "iptables -I failed %d\n",i);
 
 	if (run_command(rule_keep_del[i], output,show_none) != 0)
@@ -1196,8 +1204,8 @@ int clear_iptables_rule()
 	for(int i=0;i<=iptables_rule_keeped;i++ )
 	{
 		run_command(rule_keep_del[i],output);
-		run_command(dummy+"iptables -F "+chain[i],output);
-		run_command(dummy+"iptables -X "+chain[i],output);
+		run_command(iptables_command+"-F "+chain[i],output);
+		run_command(iptables_command+"-X "+chain[i],output);
 	}
 	return 0;
 }

misc.h

@@ -51,7 +51,7 @@ const u32_t client_conn_uplink_timeout=client_conn_timeout+2000;//ms
 const uint32_t server_conn_timeout=conv_timeout+60000;//ms. this should be 60s+ longer than conv_timeout,so that conv_manager can destruct convs gradually,to avoid latency glicth
 //const u32_t server_conn_timeout=conv_timeout+10000;//for test
 
-const u32_t iptables_rule_keep_interval=15;//unit: second;
+const u32_t iptables_rule_keep_interval=20;//unit: second;
 
 enum server_current_state_t {server_idle=0,server_handshake1,server_ready};  //server state machine
 enum client_current_state_t {client_idle=0,client_tcp_handshake,client_handshake1,client_handshake2,client_ready};//client state machine
@@ -87,6 +87,8 @@ extern int keep_rule; //whether to monitor the iptables rule periodly,re-add if
 extern int auto_add_iptables_rule;//if -a is set
 extern int generate_iptables_rule;//if -g is set
 extern int generate_iptables_rule_add;// if --gen-add is set
+extern int retry_on_error;
+const  int retry_on_error_interval=10;
 
 extern int debug_resend; // debug only
 

third-party/luci-app-udp2raw/moved_to_new_repo

@@ -0,0 +1 @@
+https://github.com/sensec/luci-app-udp2raw

third-party/udp2raw-openwrt-makefile/moved_to_new_repo

@@ -0,0 +1 @@
+https://github.com/sensec/openwrt-udp2raw