SagerNet/sing-tun
1
0
Fork 0
mirror of https://github.com/SagerNet/sing-tun.git synced 2025-04-05 04:47:41 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve nftables rules

Browse source
This commit is contained in:
世界 2024-06-11 21:12:08 +08:00
parent e5f9651d3d
commit 85fe25a592
No known key found for this signature in database
GPG key ID: CD109927C34A63C4
4 changed files with 169 additions and 154 deletions
Download patch file Download diff file Expand all files Collapse all files

41
redirect_iptables.go
View file

@ -10,23 +10,28 @@ import (
"github.com/sagernet/sing/common" "github.com/sagernet/sing/common"
E "github.com/sagernet/sing/common/exceptions" E "github.com/sagernet/sing/common/exceptions"
F "github.com/sagernet/sing/common/format" F "github.com/sagernet/sing/common/format"
"golang.org/x/sys/unix"
) )
func (r *autoRedirect) iptablesPathForFamily(family int) string { func (r *autoRedirect) setupIPTables() error {
if family == unix.AF_INET { if r.enableIPv4 {
return r.iptablesPath err := r.setupIPTablesForFamily(r.iptablesPath)
} else { if err != nil {
return r.ip6tablesPath return err
} }
} }
if r.enableIPv6 {
err := r.setupIPTablesForFamily(r.ip6tablesPath)
if err != nil {
return err
}
}
return nil
}
func (r *autoRedirect) setupIPTables(family int) error { func (r *autoRedirect) setupIPTablesForFamily(iptablesPath string) error {
tableNameOutput := r.tableName + "-output" tableNameOutput := r.tableName + "-output"
tableNameForward := r.tableName + "-forward" tableNameForward := r.tableName + "-forward"
tableNamePreRouteing := r.tableName + "-prerouting" tableNamePreRouteing := r.tableName + "-prerouting"
iptablesPath := r.iptablesPathForFamily(family)
redirectPort := r.redirectPort() redirectPort := r.redirectPort()
// OUTPUT // OUTPUT
err := r.runShell(iptablesPath, "-t nat -N", tableNameOutput) err := r.runShell(iptablesPath, "-t nat -N", tableNameOutput)
@ -74,7 +79,7 @@ func (r *autoRedirect) setupIPTables(family int) error {
routeAddress []netip.Prefix routeAddress []netip.Prefix
routeExcludeAddress []netip.Prefix routeExcludeAddress []netip.Prefix
) )
if family == unix.AF_INET { if iptablesPath == r.iptablesPath {
routeAddress = r.tunOptions.Inet4RouteAddress routeAddress = r.tunOptions.Inet4RouteAddress
routeExcludeAddress = r.tunOptions.Inet4RouteExcludeAddress routeExcludeAddress = r.tunOptions.Inet4RouteExcludeAddress
} else { } else {
@ -112,10 +117,10 @@ func (r *autoRedirect) setupIPTables(family int) error {
} }
if !r.tunOptions.EXP_DisableDNSHijack { if !r.tunOptions.EXP_DisableDNSHijack {
dnsServer := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool { dnsServer := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool {
return it.Is4() == (family == unix.AF_INET) return it.Is4() == (iptablesPath == r.iptablesPath)
}) })
if !dnsServer.IsValid() { if !dnsServer.IsValid() {
if family == unix.AF_INET { if iptablesPath == r.iptablesPath {
dnsServer = r.tunOptions.Inet4Address[0].Addr().Next() dnsServer = r.tunOptions.Inet4Address[0].Addr().Next()
} else { } else {
dnsServer = r.tunOptions.Inet6Address[0].Addr().Next() dnsServer = r.tunOptions.Inet6Address[0].Addr().Next()
@ -199,11 +204,19 @@ func (r *autoRedirect) setupIPTables(family int) error {
return nil return nil
} }
func (r *autoRedirect) cleanupIPTables(family int) { func (r *autoRedirect) cleanupIPTables() {
if r.enableIPv4 {
r.cleanupIPTablesForFamily(r.iptablesPath)
}
if r.enableIPv6 {
r.cleanupIPTablesForFamily(r.ip6tablesPath)
}
}
func (r *autoRedirect) cleanupIPTablesForFamily(iptablesPath string) {
tableNameOutput := r.tableName + "-output" tableNameOutput := r.tableName + "-output"
tableNameForward := r.tableName + "-forward" tableNameForward := r.tableName + "-forward"
tableNamePreRouteing := r.tableName + "-prerouting" tableNamePreRouteing := r.tableName + "-prerouting"
iptablesPath := r.iptablesPathForFamily(family)
_ = r.runShell(iptablesPath, "-t nat -D OUTPUT -j", tableNameOutput) _ = r.runShell(iptablesPath, "-t nat -D OUTPUT -j", tableNameOutput)
_ = r.runShell(iptablesPath, "-t nat -F", tableNameOutput) _ = r.runShell(iptablesPath, "-t nat -F", tableNameOutput)
_ = r.runShell(iptablesPath, "-t nat -X", tableNameOutput) _ = r.runShell(iptablesPath, "-t nat -X", tableNameOutput)

53
redirect_linux.go
View file

@ -12,8 +12,6 @@ import (
E "github.com/sagernet/sing/common/exceptions" E "github.com/sagernet/sing/common/exceptions"
"github.com/sagernet/sing/common/logger" "github.com/sagernet/sing/common/logger"
M "github.com/sagernet/sing/common/metadata" M "github.com/sagernet/sing/common/metadata"
"golang.org/x/sys/unix"
) )
type autoRedirect struct { type autoRedirect struct {
@ -118,11 +116,19 @@ func (r *autoRedirect) Start() error {
} }
r.redirectServer = server r.redirectServer = server
} }
return r.setupTables() if r.useNFTables {
return r.setupNFTables()
} else {
return r.setupIPTables()
}
} }
func (r *autoRedirect) Close() error { func (r *autoRedirect) Close() error {
r.cleanupTables() if r.useNFTables {
r.cleanupNFTables()
} else {
r.cleanupIPTables()
}
return common.Close( return common.Close(
common.PtrOrNil(r.redirectServer), common.PtrOrNil(r.redirectServer),
) )
@ -134,7 +140,7 @@ func (r *autoRedirect) initializeNFTables() error {
return err return err
} }
defer nft.CloseLasting() defer nft.CloseLasting()
_, err = nft.ListTablesOfFamily(unix.AF_INET) _, err = nft.ListTablesOfFamily(nftables.TableFamilyIPv4)
if err != nil { if err != nil {
return err return err
} }
@ -148,40 +154,3 @@ func (r *autoRedirect) redirectPort() uint16 {
} }
return M.AddrPortFromNet(r.redirectServer.listener.Addr()).Port() return M.AddrPortFromNet(r.redirectServer.listener.Addr()).Port()
} }
func (r *autoRedirect) setupTables() error {
var setupTables func(int) error
if r.useNFTables {
setupTables = r.setupNFTables
} else {
setupTables = r.setupIPTables
}
if r.enableIPv4 {
err := setupTables(unix.AF_INET)
if err != nil {
return err
}
}
if r.enableIPv6 {
err := setupTables(unix.AF_INET6)
if err != nil {
return err
}
}
return nil
}
func (r *autoRedirect) cleanupTables() {
var cleanupTables func(int)
if r.useNFTables {
cleanupTables = r.cleanupNFTables
} else {
cleanupTables = r.cleanupIPTables
}
if r.enableIPv4 {
cleanupTables(unix.AF_INET)
}
if r.enableIPv6 {
cleanupTables(unix.AF_INET6)
}
}

127
redirect_nftables.go
View file

@ -9,57 +9,24 @@ import (
"github.com/sagernet/nftables/binaryutil" "github.com/sagernet/nftables/binaryutil"
"github.com/sagernet/nftables/expr" "github.com/sagernet/nftables/expr"
"github.com/sagernet/sing/common" "github.com/sagernet/sing/common"
F "github.com/sagernet/sing/common/format"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
const ( func (r *autoRedirect) setupNFTables() error {
nftablesChainOutput = "output"
nftablesChainForward = "forward"
nftablesChainPreRouting = "prerouting"
)
func nftablesFamily(family int) nftables.TableFamily {
switch family {
case unix.AF_INET:
return nftables.TableFamilyIPv4
case unix.AF_INET6:
return nftables.TableFamilyIPv6
default:
panic(F.ToString("unknown family ", family))
}
}
func (r *autoRedirect) setupNFTables(family int) error {
nft, err := nftables.New() nft, err := nftables.New()
if err != nil { if err != nil {
return err return err
} }
defer nft.CloseLasting() defer nft.CloseLasting()
redirectPort := r.redirectPort()
table := nft.AddTable(&nftables.Table{ table := nft.AddTable(&nftables.Table{
Name: r.tableName, Name: r.tableName,
Family: nftablesFamily(family), Family: nftables.TableFamilyINet,
})
chainOutput := nft.AddChain(&nftables.Chain{
Name: nftablesChainOutput,
Table: table,
Hooknum: nftables.ChainHookOutput,
Priority: nftables.ChainPriorityMangle,
Type: nftables.ChainTypeNAT,
})
nft.AddRule(&nftables.Rule{
Table: table,
Chain: chainOutput,
Exprs: nftablesRuleIfName(expr.MetaKeyOIFNAME, r.tunOptions.Name, nftablesRuleRedirectToPorts(redirectPort)...),
}) })
chainForward := nft.AddChain(&nftables.Chain{ chainForward := nft.AddChain(&nftables.Chain{
Name: nftablesChainForward, Name: "forward",
Table: table, Table: table,
Hooknum: nftables.ChainHookForward, Hooknum: nftables.ChainHookForward,
Priority: nftables.ChainPriorityMangle, Priority: nftables.ChainPriorityMangle,
@ -79,8 +46,22 @@ func (r *autoRedirect) setupNFTables(family int) error {
}), }),
}) })
redirectPort := r.redirectPort()
chainOutput := nft.AddChain(&nftables.Chain{
Name: "output",
Table: table,
Hooknum: nftables.ChainHookOutput,
Priority: nftables.ChainPriorityMangle,
Type: nftables.ChainTypeNAT,
})
nft.AddRule(&nftables.Rule{
Table: table,
Chain: chainOutput,
Exprs: nftablesRuleIfName(expr.MetaKeyOIFNAME, r.tunOptions.Name, nftablesRuleRedirectToPorts(redirectPort)...),
})
chainPreRouting := nft.AddChain(&nftables.Chain{ chainPreRouting := nft.AddChain(&nftables.Chain{
Name: nftablesChainPreRouting, Name: "prerouting",
Table: table, Table: table,
Hooknum: nftables.ChainHookPrerouting, Hooknum: nftables.ChainHookPrerouting,
Priority: nftables.ChainPriorityMangle, Priority: nftables.ChainPriorityMangle,
@ -97,12 +78,13 @@ func (r *autoRedirect) setupNFTables(family int) error {
routeAddress []netip.Prefix routeAddress []netip.Prefix
routeExcludeAddress []netip.Prefix routeExcludeAddress []netip.Prefix
) )
if table.Family == nftables.TableFamilyIPv4 { if r.enableIPv4 {
routeAddress = r.tunOptions.Inet4RouteAddress routeAddress = append(routeAddress, r.tunOptions.Inet4RouteAddress...)
routeExcludeAddress = r.tunOptions.Inet4RouteExcludeAddress routeExcludeAddress = append(routeExcludeAddress, r.tunOptions.Inet4RouteExcludeAddress...)
} else { }
routeAddress = r.tunOptions.Inet6RouteAddress if r.enableIPv6 {
routeExcludeAddress = r.tunOptions.Inet6RouteExcludeAddress routeAddress = append(routeAddress, r.tunOptions.Inet6RouteAddress...)
routeExcludeAddress = append(routeExcludeAddress, r.tunOptions.Inet6RouteExcludeAddress...)
} }
for _, address := range routeExcludeAddress { for _, address := range routeExcludeAddress {
nft.AddRule(&nftables.Rule{ nft.AddRule(&nftables.Rule{
@ -140,39 +122,68 @@ func (r *autoRedirect) setupNFTables(family int) error {
} }
if !r.tunOptions.EXP_DisableDNSHijack { if !r.tunOptions.EXP_DisableDNSHijack {
dnsServer := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool { dnsServer4 := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool {
return it.Is4() == (family == unix.AF_INET) return it.Is4()
}) })
if !dnsServer.IsValid() { dnsServer6 := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool {
if family == unix.AF_INET { return it.Is6()
dnsServer = r.tunOptions.Inet4Address[0].Addr().Next() })
} else { if r.enableIPv4 && !dnsServer4.IsValid() {
dnsServer = r.tunOptions.Inet6Address[0].Addr().Next() dnsServer4 = r.tunOptions.Inet4Address[0].Addr().Next()
} }
if r.enableIPv6 && !dnsServer6.IsValid() {
dnsServer6 = r.tunOptions.Inet6Address[0].Addr().Next()
} }
if len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0 { if len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0 {
for _, name := range r.tunOptions.IncludeInterface { for _, name := range r.tunOptions.IncludeInterface {
if r.enableIPv4 {
nft.AddRule(&nftables.Rule{ nft.AddRule(&nftables.Rule{
Table: table, Table: table,
Chain: chainPreRouting, Chain: chainPreRouting,
Exprs: nftablesRuleIfName(expr.MetaKeyIIFNAME, name, append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServer)...)...), Exprs: nftablesRuleIfName(expr.MetaKeyIIFNAME, name, append(routeExprs, nftablesRuleHijackDNS(nftables.TableFamilyIPv4, dnsServer4)...)...),
}) })
} }
if r.enableIPv6 {
nft.AddRule(&nftables.Rule{
Table: table,
Chain: chainPreRouting,
Exprs: nftablesRuleIfName(expr.MetaKeyIIFNAME, name, append(routeExprs, nftablesRuleHijackDNS(nftables.TableFamilyIPv6, dnsServer6)...)...),
})
}
}
for _, uidRange := range r.tunOptions.IncludeUID { for _, uidRange := range r.tunOptions.IncludeUID {
if r.enableIPv4 {
nft.AddRule(&nftables.Rule{ nft.AddRule(&nftables.Rule{
Table: table, Table: table,
Chain: chainPreRouting, Chain: chainPreRouting,
Exprs: nftablesRuleMetaUInt32Range(expr.MetaKeySKUID, uidRange, append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServer)...)...), Exprs: nftablesRuleMetaUInt32Range(expr.MetaKeySKUID, uidRange, append(routeExprs, nftablesRuleHijackDNS(nftables.TableFamilyIPv4, dnsServer4)...)...),
}) })
} }
} else { if r.enableIPv6 {
nft.AddRule(&nftables.Rule{ nft.AddRule(&nftables.Rule{
Table: table, Table: table,
Chain: chainPreRouting, Chain: chainPreRouting,
Exprs: append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServer)...), Exprs: nftablesRuleMetaUInt32Range(expr.MetaKeySKUID, uidRange, append(routeExprs, nftablesRuleHijackDNS(nftables.TableFamilyIPv6, dnsServer6)...)...),
}) })
} }
} }
} else {
if r.enableIPv4 {
nft.AddRule(&nftables.Rule{
Table: table,
Chain: chainPreRouting,
Exprs: append(routeExprs, nftablesRuleHijackDNS(nftables.TableFamilyIPv4, dnsServer4)...),
})
}
if r.enableIPv6 {
nft.AddRule(&nftables.Rule{
Table: table,
Chain: chainPreRouting,
Exprs: append(routeExprs, nftablesRuleHijackDNS(nftables.TableFamilyIPv6, dnsServer6)...),
})
}
}
}
nft.AddRule(&nftables.Rule{ nft.AddRule(&nftables.Rule{
Table: table, Table: table,
@ -219,18 +230,14 @@ func (r *autoRedirect) setupNFTables(family int) error {
return nft.Flush() return nft.Flush()
} }
func (r *autoRedirect) cleanupNFTables(family int) { func (r *autoRedirect) cleanupNFTables() {
conn, err := nftables.New() conn, err := nftables.New()
if err != nil { if err != nil {
return return
} }
conn.FlushTable(&nftables.Table{
Name: r.tableName,
Family: nftablesFamily(family),
})
conn.DelTable(&nftables.Table{ conn.DelTable(&nftables.Table{
Name: r.tableName, Name: r.tableName,
Family: nftablesFamily(family), Family: nftables.TableFamilyINet,
}) })
_ = conn.Flush() _ = conn.Flush()
_ = conn.CloseLasting() _ = conn.CloseLasting()

32
redirect_nftables_expr.go
View file

@ -48,9 +48,20 @@ func nftablesRuleMetaUInt32Range(key expr.MetaKey, uidRange ranges.Range[uint32]
} }
func nftablesRuleDestinationAddress(address netip.Prefix, exprs ...expr.Any) []expr.Any { func nftablesRuleDestinationAddress(address netip.Prefix, exprs ...expr.Any) []expr.Any {
var newExprs []expr.Any newExprs := []expr.Any{
&expr.Meta{
Key: expr.MetaKeyNFPROTO,
Register: 1,
},
}
if address.Addr().Is4() { if address.Addr().Is4() {
newExprs = append(newExprs, &expr.Payload{ newExprs = append(newExprs,
&expr.Cmp{
Op: expr.CmpOpEq,
Register: 1,
Data: []byte{unix.NFPROTO_IPV4},
},
&expr.Payload{
OperationType: expr.PayloadLoad, OperationType: expr.PayloadLoad,
DestRegister: 1, DestRegister: 1,
SourceRegister: 0, SourceRegister: 0,
@ -65,7 +76,13 @@ func nftablesRuleDestinationAddress(address netip.Prefix, exprs ...expr.Any) []e
Mask: net.CIDRMask(address.Bits(), 32), Mask: net.CIDRMask(address.Bits(), 32),
}) })
} else { } else {
newExprs = append(newExprs, &expr.Payload{ newExprs = append(newExprs,
&expr.Cmp{
Op: expr.CmpOpEq,
Register: 1,
Data: []byte{unix.NFPROTO_IPV6},
},
&expr.Payload{
OperationType: expr.PayloadLoad, OperationType: expr.PayloadLoad,
DestRegister: 1, DestRegister: 1,
SourceRegister: 0, SourceRegister: 0,
@ -91,6 +108,15 @@ func nftablesRuleDestinationAddress(address netip.Prefix, exprs ...expr.Any) []e
func nftablesRuleHijackDNS(family nftables.TableFamily, dnsServerAddress netip.Addr) []expr.Any { func nftablesRuleHijackDNS(family nftables.TableFamily, dnsServerAddress netip.Addr) []expr.Any {
return []expr.Any{ return []expr.Any{
&expr.Meta{
Key: expr.MetaKeyNFPROTO,
Register: 1,
},
&expr.Cmp{
Op: expr.CmpOpEq,
Register: 1,
Data: []byte{uint8(family)},
},
&expr.Meta{ &expr.Meta{
Key: expr.MetaKeyL4PROTO, Key: expr.MetaKeyL4PROTO,
Register: 1, Register: 1,