|
| 1 | +# CLAUDE.md |
| 2 | + |
| 3 | +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. |
| 4 | + |
| 5 | +## Project Overview |
| 6 | + |
| 7 | +shadowsocks-libev is a lightweight SOCKS5 proxy written in pure C. Version 3.3.6, licensed under GPLv3. |
| 8 | + |
| 9 | +## Build Commands |
| 10 | + |
| 11 | +### CMake (sole build system) |
| 12 | + |
| 13 | +```bash |
| 14 | +git submodule update --init --recursive |
| 15 | +mkdir -p build && cd build |
| 16 | +cmake .. |
| 17 | +make |
| 18 | +sudo make install |
| 19 | +``` |
| 20 | + |
| 21 | +On macOS, CMake should auto-detect library paths. If needed, specify paths: |
| 22 | +```bash |
| 23 | +cmake .. -DCMAKE_PREFIX_PATH="/usr/local/opt/mbedtls;/usr/local/opt/libsodium" |
| 24 | +``` |
| 25 | + |
| 26 | +CMake outputs binaries to `build/bin/` (static) and `build/shared/bin/` (shared). |
| 27 | + |
| 28 | +### Build Dependencies |
| 29 | + |
| 30 | +- cmake (>= 3.2), a C compiler (gcc or clang), pkg-config |
| 31 | +- libmbedtls, libsodium (>= 1.0.4), libpcre3, libev, libc-ares |
| 32 | +- asciidoc + xmlto (documentation only) |
| 33 | + |
| 34 | +### CMake Options |
| 35 | + |
| 36 | +- `-DWITH_EMBEDDED_SRC=OFF`: use system libcork/libipset/libbloom instead of bundled submodules |
| 37 | +- `-DWITH_DOC_MAN=OFF`: skip man page generation |
| 38 | +- `-DENABLE_CONNMARKTOS=ON`: Linux netfilter conntrack QoS support |
| 39 | +- `-DENABLE_NFTABLES=ON`: nftables firewall integration |
| 40 | +- `-DDISABLE_SSP=ON`: disable stack protector |
| 41 | +- `-DBUILD_TESTING=OFF`: disable unit tests |
| 42 | + |
| 43 | +## Testing |
| 44 | + |
| 45 | +### Unit Tests (CTest) |
| 46 | + |
| 47 | +```bash |
| 48 | +cd build |
| 49 | +ctest --output-on-failure |
| 50 | +``` |
| 51 | + |
| 52 | +10 unit test modules cover: base64, buffer, crypto, json, jconf, cache, ppbloom, rule, netutils, utils. |
| 53 | + |
| 54 | +### Integration Tests |
| 55 | + |
| 56 | +Integration tests use Python and require `curl` and `dig` to be available: |
| 57 | +```bash |
| 58 | +bash tests/test.sh |
| 59 | +``` |
| 60 | + |
| 61 | +The test harness (`tests/test.py`) starts ss-server, ss-local, and ss-tunnel locally, then runs curl through the SOCKS5 proxy and dig through the tunnel. Each test config in `tests/*.json` exercises a different cipher. |
| 62 | + |
| 63 | +Run a single cipher test: |
| 64 | +```bash |
| 65 | +python tests/test.py --bin build/bin/ -c tests/aes-gcm.json |
| 66 | +``` |
| 67 | + |
| 68 | +## Code Formatting |
| 69 | + |
| 70 | +Uses **uncrustify** with the config at `.uncrustify.cfg`. Key settings: 4-space indent, no tabs, 120-column width, K&R brace style (braces on same line). |
| 71 | + |
| 72 | +## Architecture |
| 73 | + |
| 74 | +### Binaries (all in `src/`) |
| 75 | + |
| 76 | +Each binary is compiled with a module define that controls conditional compilation: |
| 77 | + |
| 78 | +| Binary | Define | Purpose | |
| 79 | +|---|---|---| |
| 80 | +| `ss-local` | `MODULE_LOCAL` | SOCKS5 client proxy | |
| 81 | +| `ss-server` | `MODULE_REMOTE` | Server-side proxy | |
| 82 | +| `ss-tunnel` | `MODULE_TUNNEL` | Port forwarding tunnel (implies `MODULE_LOCAL`) | |
| 83 | +| `ss-redir` | `MODULE_REDIR` | Transparent proxy via iptables (Linux only, implies `MODULE_LOCAL`) | |
| 84 | +| `ss-manager` | `MODULE_MANAGER` | Multi-server manager daemon | |
| 85 | + |
| 86 | +A shared library `libshadowsocks-libev` is also built from the ss-local sources with `-DLIB_ONLY`. Its public API is in `src/shadowsocks.h`. |
| 87 | + |
| 88 | +### Source Organization (`src/`) |
| 89 | + |
| 90 | +**Shared by all binaries:** |
| 91 | +- `utils.c` - logging, system utilities |
| 92 | +- `jconf.c` / `json.c` - JSON config file parsing |
| 93 | +- `netutils.c` - network address utilities |
| 94 | +- `cache.c` - hash-based LRU connection cache |
| 95 | +- `udprelay.c` - UDP relay implementation (shared, but uses `#ifdef MODULE_*` for per-binary behavior) |
| 96 | + |
| 97 | +**Crypto layer** (two parallel implementations behind a common `crypto_t` interface): |
| 98 | +- `crypto.c` / `crypto.h` - crypto initialization, key derivation (HKDF), buffer management. Defines `crypto_t` with function pointers for encrypt/decrypt. |
| 99 | +- `stream.c` - stream cipher implementation (CFB mode via mbedTLS) |
| 100 | +- `aead.c` - AEAD cipher implementation (AES-GCM via mbedTLS, ChaCha20-Poly1305 via libsodium) |
| 101 | +- `ppbloom.c` - ping-pong bloom filter for nonce replay detection |
| 102 | + |
| 103 | +**ACL (Access Control Lists):** |
| 104 | +- `acl.c` / `rule.c` - IP/domain-based routing rules using libipset |
| 105 | + |
| 106 | +**Plugin support:** |
| 107 | +- `plugin.c` - SIP003 plugin subprocess management |
| 108 | + |
| 109 | +### Bundled Submodules |
| 110 | + |
| 111 | +Three git submodules in the repo root (can be replaced with system libs via `-DWITH_EMBEDDED_SRC=OFF`): |
| 112 | +- `libcork/` - data structures (dllist, hash-table, buffers) |
| 113 | +- `libipset/` - IP set operations for ACL |
| 114 | +- `libbloom/` - bloom filter implementation |
| 115 | + |
| 116 | +### Event Loop |
| 117 | + |
| 118 | +All binaries use **libev** for async I/O. The connection lifecycle follows stages defined in `src/common.h`: `STAGE_INIT` -> `STAGE_HANDSHAKE` -> `STAGE_RESOLVE` -> `STAGE_STREAM` -> `STAGE_STOP`. Each binary defines its own `listen_ctx_t`, `server_t`, and `remote_t` structs (note: "server" in `local.h` means the local-side connection, "remote" means the ss-server side). |
| 119 | + |
| 120 | +### Compiler Flags |
| 121 | + |
| 122 | +Default flags from `CMakeLists.txt`: `-g -O2 -Wall -Werror -Wno-deprecated-declarations -fno-strict-aliasing -std=gnu99 -D_GNU_SOURCE` |
| 123 | + |
| 124 | +The `-Werror` flag means all warnings are errors - new code must compile warning-free. |
0 commit comments