net/shadowsocks: add explicit outbound blocklist#5541
Open
MrClayPole wants to merge 2 commits into
Open
Conversation
Add optional ssserver outbound ACL generation using user-specified IPv4 and IPv6 destination blocklists. The generated ACL intentionally has no default private/reserved ranges so administrators choose the exact destinations to block.
Use TextField for the comma-separated outbound IPv4 and IPv6 blocklist inputs so values round-trip through the text form instead of being treated as list widget data.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently, the os-shadowsocks plugin allows the SOCKS proxy to connect to any destination accessible by the firewall; since the firewall is often in a privileged position on most networks, this is not aways ideal. This can allow a SOCKS proxy client to access internal VLANs/subnets that the source VLAN/subnet wouldn't normally be able to reach. This change exposes the ACL deny list in the web interface, allowing sensitive subnet connections to be denied from the SOCKS server.
My use case is that I want to provide an internet-facing SOCKS proxy but don't want users of the SOCKS proxy to be able to access other VLANs the OPNsense firewall is connected to.
This change will add optional ssserver outbound ACL generation using user-specified IPv4 and IPv6 destination blocklists. The generated ACL intentionally omits default private/reserved ranges, so administrators can choose the exact destinations to block.
Was AI used in this? Yes, I used Hermes Agent v0.18.2 (2026.7.7.2) connected to the GPT 5.5 model. While the agent authored the change, I performed all validation to ensure the plugin worked with the new feature disabled and IPv4 and IPv6 filters/drops worked as expected when enabled on my OPNsense 26.1.11 firewall.