From 197b599075c2abccbbbacb4acd31631948790404 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Mon, 5 Sep 2022 14:22:19 +0800
Subject: [PATCH] Add support for use with android VPNService

---
 go.mod                   |   2 +-
 go.sum                   |   4 +-
 monitor.go               |  13 ++++-
 monitor_android.go       |  28 ++++++++--
 monitor_darwin.go        |   2 +-
 monitor_linux_default.go |   2 +-
 monitor_other.go         |   2 +-
 monitor_shared.go        |  17 ++++--
 monitor_windows.go       |   2 +-
 tun.go                   |   7 ++-
 tun_linux.go             | 109 ++++++++++++++++++++++++++++++++-------
 11 files changed, 153 insertions(+), 35 deletions(-)

diff --git a/go.mod b/go.mod
index 1339029..f4903a2 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/fsnotify/fsnotify v1.5.4
 	github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61
-	github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17
+	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
 	github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1
 	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
 	golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64
diff --git a/go.sum b/go.sum
index 66e25f7..f9a2ae7 100644
--- a/go.sum
+++ b/go.sum
@@ -6,8 +6,8 @@ github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e h1:5CFRo8FJbCuf5s/
 github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
-github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17 h1:zvm6IrIgo4rLizJCHkH+SWUBhm+jyjjozX031QdAlj8=
-github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
+github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1 h1:+YC0/ygsJc4Z8qhd7ypsbWgMSm+UWN+QK+PW7I19K4Q=
 github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
diff --git a/monitor.go b/monitor.go
index 68bcff9..0fe6396 100644
--- a/monitor.go
+++ b/monitor.go
@@ -11,7 +11,12 @@ var ErrNoRoute = E.New("no route to internet")
 
 type (
 	NetworkUpdateCallback          = func() error
-	DefaultInterfaceUpdateCallback = func() error
+	DefaultInterfaceUpdateCallback = func(event int) error
+)
+
+const (
+	EventInterfaceUpdate  = 1
+	EventAndroidVPNUpdate = 2
 )
 
 type NetworkUpdateMonitor interface {
@@ -27,6 +32,12 @@ type DefaultInterfaceMonitor interface {
 	Close() error
 	DefaultInterfaceName(destination netip.Addr) string
 	DefaultInterfaceIndex(destination netip.Addr) int
+	OverrideAndroidVPN() bool
+	AndroidVPNEnabled() bool
 	RegisterCallback(callback DefaultInterfaceUpdateCallback) *list.Element[DefaultInterfaceUpdateCallback]
 	UnregisterCallback(element *list.Element[DefaultInterfaceUpdateCallback])
 }
+
+type DefaultInterfaceMonitorOptions struct {
+	OverrideAndroidVPN bool
+}
diff --git a/monitor_android.go b/monitor_android.go
index 588e8ac..3ded25d 100644
--- a/monitor_android.go
+++ b/monitor_android.go
@@ -11,15 +11,29 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 		return err
 	}
 
+	oldVPNEnabled := m.androidVPNEnabled
 	var defaultTableIndex int
+	var vpnEnabled bool
 	for _, rule := range ruleList {
+		if rule.Priority >= ruleStart && rule.Priority <= ruleEnd {
+			continue
+		}
+		if rule.Mask == 0x20000 {
+			vpnEnabled = true
+			if m.options.OverrideAndroidVPN {
+				defaultTableIndex = rule.Table
+				break
+			}
+		}
 		if rule.Mask == 0xFFFF {
 			defaultTableIndex = rule.Table
+			break
 		}
 	}
+	m.androidVPNEnabled = vpnEnabled
 
 	if defaultTableIndex == 0 {
-		return E.Extend(ErrNoRoute, "no rule 0xFFFF")
+		return ErrNoRoute
 	}
 
 	routes, err := netlink.RouteListFiltered(netlink.FAMILY_ALL, &netlink.Route{Table: defaultTableIndex}, netlink.RT_FILTER_TABLE)
@@ -43,10 +57,16 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 	m.defaultInterfaceName = link.Attrs().Name
 	m.defaultInterfaceIndex = link.Attrs().Index
 
-	if oldInterface == m.defaultInterfaceName && oldIndex == m.defaultInterfaceIndex {
-		return nil
+	var event int
+	if oldInterface != m.defaultInterfaceName || oldIndex != m.defaultInterfaceIndex {
+		event |= EventInterfaceUpdate
+	}
+	if oldVPNEnabled != m.androidVPNEnabled {
+		event |= EventAndroidVPNUpdate
+	}
+	if event != 0 {
+		m.emit(event)
 	}
 
-	m.emit()
 	return nil
 }
diff --git a/monitor_darwin.go b/monitor_darwin.go
index 8a37ed0..2613a72 100644
--- a/monitor_darwin.go
+++ b/monitor_darwin.go
@@ -103,7 +103,7 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 			if oldInterface == m.defaultInterfaceName && oldIndex == m.defaultInterfaceIndex {
 				return nil
 			}
-			m.emit()
+			m.emit(EventInterfaceUpdate)
 			return nil
 		}
 	}
diff --git a/monitor_linux_default.go b/monitor_linux_default.go
index b190fef..c2292f4 100644
--- a/monitor_linux_default.go
+++ b/monitor_linux_default.go
@@ -34,7 +34,7 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 		if oldInterface == m.defaultInterfaceName && oldIndex == m.defaultInterfaceIndex {
 			return nil
 		}
-		m.emit()
+		m.emit(EventInterfaceUpdate)
 		return nil
 	}
 	return E.New("no route to internet")
diff --git a/monitor_other.go b/monitor_other.go
index d44ff1b..388c219 100644
--- a/monitor_other.go
+++ b/monitor_other.go
@@ -12,6 +12,6 @@ func NewNetworkUpdateMonitor(errorHandler E.Handler) (NetworkUpdateMonitor, erro
 	return nil, os.ErrInvalid
 }
 
-func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor) (DefaultInterfaceMonitor, error) {
+func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor, options DefaultInterfaceMonitorOptions) (DefaultInterfaceMonitor, error) {
 	return nil, os.ErrInvalid
 }
diff --git a/monitor_shared.go b/monitor_shared.go
index 42c85d8..2f89bf2 100644
--- a/monitor_shared.go
+++ b/monitor_shared.go
@@ -44,9 +44,11 @@ func (m *networkUpdateMonitor) NewError(ctx context.Context, err error) {
 }
 
 type defaultInterfaceMonitor struct {
+	options               DefaultInterfaceMonitorOptions
 	networkAddresses      []networkAddress
 	defaultInterfaceName  string
 	defaultInterfaceIndex int
+	androidVPNEnabled     bool
 	networkMonitor        NetworkUpdateMonitor
 	element               *list.Element[NetworkUpdateCallback]
 	access                sync.Mutex
@@ -59,8 +61,9 @@ type networkAddress struct {
 	addresses      []netip.Prefix
 }
 
-func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor) (DefaultInterfaceMonitor, error) {
+func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor, options DefaultInterfaceMonitorOptions) (DefaultInterfaceMonitor, error) {
 	return &defaultInterfaceMonitor{
+		options:        options,
 		networkMonitor: networkMonitor,
 	}, nil
 }
@@ -140,6 +143,14 @@ func (m *defaultInterfaceMonitor) DefaultInterfaceIndex(destination netip.Addr)
 	return m.defaultInterfaceIndex
 }
 
+func (m *defaultInterfaceMonitor) OverrideAndroidVPN() bool {
+	return m.options.OverrideAndroidVPN
+}
+
+func (m *defaultInterfaceMonitor) AndroidVPNEnabled() bool {
+	return m.androidVPNEnabled
+}
+
 func (m *defaultInterfaceMonitor) RegisterCallback(callback DefaultInterfaceUpdateCallback) *list.Element[DefaultInterfaceUpdateCallback] {
 	m.access.Lock()
 	defer m.access.Unlock()
@@ -152,12 +163,12 @@ func (m *defaultInterfaceMonitor) UnregisterCallback(element *list.Element[Defau
 	m.callbacks.Remove(element)
 }
 
-func (m *defaultInterfaceMonitor) emit() {
+func (m *defaultInterfaceMonitor) emit(event int) {
 	m.access.Lock()
 	callbacks := m.callbacks.Array()
 	m.access.Unlock()
 	for _, callback := range callbacks {
-		err := callback()
+		err := callback(event)
 		if err != nil {
 			m.networkMonitor.NewError(context.Background(), err)
 		}
diff --git a/monitor_windows.go b/monitor_windows.go
index 7e8a566..a930c53 100644
--- a/monitor_windows.go
+++ b/monitor_windows.go
@@ -103,6 +103,6 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 		return nil
 	}
 
-	m.emit()
+	m.emit(EventInterfaceUpdate)
 	return nil
 }
diff --git a/tun.go b/tun.go
index 80c213c..a44da10 100644
--- a/tun.go
+++ b/tun.go
@@ -42,10 +42,13 @@ type Options struct {
 	IncludeAndroidUser []int
 	IncludePackage     []string
 	ExcludePackage     []string
+	InterfaceMonitor   DefaultInterfaceMonitor
 }
 
-func DefaultInterfaceName() (tunName string) {
-	if runtime.GOOS == "darwin" {
+func CalculateInterfaceName(name string) (tunName string) {
+	if name != "" {
+		tunName = name
+	} else if runtime.GOOS == "darwin" {
 		tunName = "utun"
 	} else {
 		tunName = "tun"
diff --git a/tun_linux.go b/tun_linux.go
index 63f20f8..6833763 100644
--- a/tun_linux.go
+++ b/tun_linux.go
@@ -10,14 +10,16 @@ import (
 	"github.com/sagernet/netlink"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/x/list"
 
 	"golang.org/x/sys/unix"
 )
 
 type NativeTun struct {
-	tunFd   int
-	tunFile *os.File
-	options Options
+	tunFd             int
+	tunFile           *os.File
+	interfaceCallback *list.Element[DefaultInterfaceUpdateCallback]
+	options           Options
 }
 
 func Open(options Options) (Tun, error) {
@@ -121,12 +123,18 @@ func (t *NativeTun) configure(tunLink netlink.Link) error {
 	}
 
 	if t.options.AutoRoute {
-		_ = t.unsetRoute0(tunLink)
+		err = t.unsetRoute0(tunLink)
+		if err != nil {
+			return E.Cause(err, "cleanup rules")
+		}
 		err = t.setRoute(tunLink)
 		if err != nil {
 			_ = t.unsetRoute0(tunLink)
 			return err
 		}
+		if runtime.GOOS == "android" {
+			t.interfaceCallback = t.options.InterfaceMonitor.RegisterCallback(t.routeUpdate)
+		}
 	}
 	return nil
 }
@@ -136,6 +144,9 @@ func (t *NativeTun) Close() error {
 	if t.options.AutoRoute {
 		errors = append(errors, t.unsetRoute())
 	}
+	if t.interfaceCallback != nil {
+		t.options.InterfaceMonitor.UnregisterCallback(t.interfaceCallback)
+	}
 	return E.Errors(append(errors, t.tunFile.Close())...)
 }
 
@@ -166,6 +177,11 @@ func (t *NativeTun) routes(tunLink netlink.Link) []netlink.Route {
 	return routes
 }
 
+const (
+	ruleStart = 9000
+	ruleEnd   = ruleStart + 10
+)
+
 func (t *NativeTun) rules() []*netlink.Rule {
 	var p4, p6 bool
 	var pRule int
@@ -185,9 +201,9 @@ func (t *NativeTun) rules() []*netlink.Rule {
 	var it *netlink.Rule
 
 	excludeRanges := t.options.ExcludedRanges()
-	priority := 9000
+	priority := ruleStart
 	priority6 := priority
-	nopPriority := priority + 10
+	nopPriority := ruleEnd
 
 	for _, excludeRange := range excludeRanges {
 		if p4 {
@@ -216,6 +232,34 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		}
 	}
 
+	if runtime.GOOS == "android" && t.options.InterfaceMonitor.AndroidVPNEnabled() {
+		const protectedFromVPN = 0x20000
+		if p6 || t.options.StrictRoute {
+			it = netlink.NewRule()
+			if t.options.InterfaceMonitor.OverrideAndroidVPN() {
+				it.Mark = protectedFromVPN
+			}
+			it.Mask = protectedFromVPN
+			it.Priority = priority
+			it.Family = unix.AF_INET
+			it.Goto = nopPriority
+			rules = append(rules, it)
+			priority++
+		}
+		if p6 || t.options.StrictRoute {
+			it = netlink.NewRule()
+			if t.options.InterfaceMonitor.OverrideAndroidVPN() {
+				it.Mark = protectedFromVPN
+			}
+			it.Mask = protectedFromVPN
+			it.Family = unix.AF_INET6
+			it.Priority = priority6
+			it.Goto = nopPriority
+			rules = append(rules, it)
+			priority6++
+		}
+	}
+
 	if t.options.StrictRoute {
 		if !p4 {
 			it = netlink.NewRule()
@@ -382,6 +426,10 @@ func (t *NativeTun) setRoute(tunLink netlink.Link) error {
 			return E.Cause(err, "add route ", i)
 		}
 	}
+	return t.setRules()
+}
+
+func (t *NativeTun) setRules() error {
 	for i, rule := range t.rules() {
 		err := netlink.RuleAdd(rule)
 		if err != nil {
@@ -400,18 +448,43 @@ func (t *NativeTun) unsetRoute() error {
 }
 
 func (t *NativeTun) unsetRoute0(tunLink netlink.Link) error {
-	var errors []error
 	for _, route := range t.routes(tunLink) {
-		err := netlink.RouteDel(&route)
-		if err != nil {
-			errors = append(errors, err)
-		}
+		_ = netlink.RouteDel(&route)
 	}
-	for _, rule := range t.rules() {
-		err := netlink.RuleDel(rule)
-		if err != nil {
-			errors = append(errors, err)
-		}
-	}
-	return E.Errors(errors...)
+	return t.unsetRules()
+}
+
+func (t *NativeTun) unsetRules() error {
+	ruleList, err := netlink.RuleList(netlink.FAMILY_ALL)
+	if err != nil {
+		return err
+	}
+	for _, rule := range ruleList {
+		if rule.Priority >= ruleStart && rule.Priority <= ruleEnd {
+			ruleToDel := netlink.NewRule()
+			ruleToDel.Family = rule.Family
+			ruleToDel.Priority = rule.Priority
+			err = netlink.RuleDel(ruleToDel)
+			if err != nil {
+				return E.Cause(err, "unset rule ", rule.Priority, " for ", rule.Family)
+			}
+		}
+	}
+	return nil
+}
+
+func (t *NativeTun) resetRules() error {
+	t.unsetRules()
+	return t.setRules()
+}
+
+func (t *NativeTun) routeUpdate(event int) error {
+	if event&EventAndroidVPNUpdate == 0 {
+		return nil
+	}
+	err := t.resetRules()
+	if err != nil {
+		return E.Cause(err, "reset route")
+	}
+	return nil
 }