auto-redirect: Add route address set support for nftables

2025-04-04 04:17:39 +03:00 · 2024-06-12 02:37:51 +08:00 · 2024-06-12 02:37:51 +08:00 · 85f5f2dd58
commit 85f5f2dd58
parent 85fe25a592
14 changed files with 1255 additions and 426 deletions
--- a/tun_linux.go
+++ b/tun_linux.go
@ -293,10 +293,10 @@ func (t *NativeTun) configure(tunLink netlink.Link) error {
 		return err
 	}

-	if t.options.TableIndex == 0 {
+	if t.options.IPRoute2TableIndex == 0 {
 		for {
-			t.options.TableIndex = int(rand.Uint32())
-			routeList, fErr := netlink.RouteListFiltered(netlink.FAMILY_ALL, &netlink.Route{Table: t.options.TableIndex}, netlink.RT_FILTER_TABLE)
+			t.options.IPRoute2TableIndex = int(rand.Uint32())
+			routeList, fErr := netlink.RouteListFiltered(netlink.FAMILY_ALL, &netlink.Route{Table: t.options.IPRoute2TableIndex}, netlink.RT_FILTER_TABLE)
 			if len(routeList) == 0 || fErr != nil {
 				break
 			}
@ -354,7 +354,7 @@ func (t *NativeTun) routes(tunLink netlink.Link) ([]netlink.Route, error) {
 		return netlink.Route{
 			Dst:       prefixToIPNet(it),
 			LinkIndex: tunLink.Attrs().Index,
-			Table:     t.options.TableIndex,
+			Table:     t.options.IPRoute2TableIndex,
 		}
 	}), nil
 }
@ -380,7 +380,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		if len(t.options.Inet6Address) > 0 {
 			it := netlink.NewRule()
 			it.Priority = t.nextIndex6()
-			it.Table = t.options.TableIndex
+			it.Table = t.options.IPRoute2TableIndex
 			it.Family = unix.AF_INET6
 			it.OifName = t.options.Name
 			return []*netlink.Rule{it}
@ -408,13 +408,62 @@ func (t *NativeTun) rules() []*netlink.Rule {
 	excludeRanges := t.options.ExcludedRanges()

 	ruleStart := t.options.IPRoute2RuleIndex
-	if ruleStart == 0 {
-		ruleStart = 9000
-	}
 	priority := ruleStart
 	priority6 := priority
-	nopPriority := ruleStart + 10

+	if t.options.AutoRedirectMarkMode {
+		if p4 {
+			it = netlink.NewRule()
+			it.Priority = priority
+			it.Mark = t.options.AutoRedirectOutputMark
+			it.MarkSet = true
+			it.Goto = priority + 2
+			it.Family = unix.AF_INET
+			rules = append(rules, it)
+			priority++
+
+			it = netlink.NewRule()
+			it.Priority = priority
+			it.Mark = t.options.AutoRedirectInputMark
+			it.MarkSet = true
+			it.Table = t.options.IPRoute2TableIndex
+			it.Family = unix.AF_INET
+			rules = append(rules, it)
+			priority++
+
+			it = netlink.NewRule()
+			it.Priority = priority
+			it.Family = unix.AF_INET
+			rules = append(rules, it)
+		}
+		if p6 {
+			it = netlink.NewRule()
+			it.Priority = priority6
+			it.Mark = t.options.AutoRedirectOutputMark
+			it.MarkSet = true
+			it.Goto = priority6 + 2
+			it.Family = unix.AF_INET6
+			rules = append(rules, it)
+			priority6++
+
+			it = netlink.NewRule()
+			it.Priority = priority6
+			it.Mark = t.options.AutoRedirectInputMark
+			it.MarkSet = true
+			it.Table = t.options.IPRoute2TableIndex
+			it.Family = unix.AF_INET6
+			rules = append(rules, it)
+			priority6++
+
+			it = netlink.NewRule()
+			it.Priority = priority6
+			it.Family = unix.AF_INET6
+			rules = append(rules, it)
+		}
+		return rules
+	}
+
+	nopPriority := ruleStart + 10
 	for _, excludeRange := range excludeRanges {
 		if p4 {
 			it = netlink.NewRule()
@ -567,7 +616,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
 				it = netlink.NewRule()
 				it.Priority = priority
 				it.Dst = address.Masked()
-				it.Table = t.options.TableIndex
+				it.Table = t.options.IPRoute2TableIndex
 				it.Family = unix.AF_INET
 				rules = append(rules, it)
 			}
@ -575,7 +624,7 @@ func (t *NativeTun) rules() []*netlink.Rule {

 			it = netlink.NewRule()
 			it.Priority = priority
-			it.Table = t.options.TableIndex
+			it.Table = t.options.IPRoute2TableIndex
 			it.SuppressPrefixlen = 0
 			it.Family = unix.AF_INET
 			rules = append(rules, it)
@ -584,13 +633,13 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		if p6 {
 			it = netlink.NewRule()
 			it.Priority = priority6
-			it.Table = t.options.TableIndex
+			it.Table = t.options.IPRoute2TableIndex
 			it.SuppressPrefixlen = 0
 			it.Family = unix.AF_INET6
 			rules = append(rules, it)
 			priority6++
 		}
-		if p4 && !t.options.StrictRoute {
+		if p4 {
 			it = netlink.NewRule()
 			it.Priority = priority
 			it.Invert = true
@ -599,16 +648,16 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			it.SuppressPrefixlen = 0
 			it.Family = unix.AF_INET
 			rules = append(rules, it)
-
+		}
+		if p4 && !t.options.StrictRoute {
 			it = netlink.NewRule()
 			it.Priority = priority
 			it.IPProto = syscall.IPPROTO_ICMP
 			it.Goto = nopPriority
 			it.Family = unix.AF_INET
 			rules = append(rules, it)
-			priority++
 		}
-		if p6 && !t.options.StrictRoute {
+		if p6 {
 			it = netlink.NewRule()
 			it.Priority = priority6
 			it.Invert = true
@ -617,7 +666,9 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			it.SuppressPrefixlen = 0
 			it.Family = unix.AF_INET6
 			rules = append(rules, it)
+		}

+		if p6 && !t.options.StrictRoute {
 			it = netlink.NewRule()
 			it.Priority = priority6
 			it.IPProto = syscall.IPPROTO_ICMPV6
@ -640,7 +691,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		it.Priority = priority
 		it.Invert = true
 		it.IifName = "lo"
-		it.Table = t.options.TableIndex
+		it.Table = t.options.IPRoute2TableIndex
 		it.Family = unix.AF_INET
 		rules = append(rules, it)

@ -648,7 +699,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		it.Priority = priority
 		it.IifName = "lo"
 		it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32)
-		it.Table = t.options.TableIndex
+		it.Table = t.options.IPRoute2TableIndex
 		it.Family = unix.AF_INET
 		rules = append(rules, it)

@ -657,24 +708,13 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			it.Priority = priority
 			it.IifName = "lo"
 			it.Src = address.Masked()
-			it.Table = t.options.TableIndex
+			it.Table = t.options.IPRoute2TableIndex
 			it.Family = unix.AF_INET
 			rules = append(rules, it)
 		}
 		priority++
 	}
 	if p6 {
-		for _, address := range t.options.Inet6Address {
-			it = netlink.NewRule()
-			it.Priority = priority6
-			it.IifName = "lo"
-			it.Src = address.Masked()
-			it.Table = t.options.TableIndex
-			it.Family = unix.AF_INET6
-			rules = append(rules, it)
-		}
-		priority6++
-
 		it = netlink.NewRule()
 		it.Priority = priority6
 		it.IifName = t.options.Name
@ -697,12 +737,22 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		it.Goto = nopPriority
 		it.Family = unix.AF_INET6
 		rules = append(rules, it)
+		priority6++

+		for _, address := range t.options.Inet6Address {
+			it = netlink.NewRule()
+			it.Priority = priority6
+			it.IifName = "lo"
+			it.Src = address.Masked()
+			it.Table = t.options.IPRoute2TableIndex
+			it.Family = unix.AF_INET6
+			rules = append(rules, it)
+		}
 		priority6++

 		it = netlink.NewRule()
 		it.Priority = priority6
-		it.Table = t.options.TableIndex
+		it.Table = t.options.IPRoute2TableIndex
 		it.Family = unix.AF_INET6
 		rules = append(rules, it)
 		priority6++
@ -789,9 +839,6 @@ func (t *NativeTun) unsetRules() error {
 		}
 		for _, rule := range ruleList {
 			ruleStart := t.options.IPRoute2RuleIndex
-			if ruleStart == 0 {
-				ruleStart = 9000
-			}
 			ruleEnd := ruleStart + 10
 			if rule.Priority >= ruleStart && rule.Priority <= ruleEnd {
 				ruleToDel := netlink.NewRule()