Improve iproute2 rules

tun_linux.go

@@ -516,7 +516,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
 
 	if runtime.GOOS == "android" && t.options.InterfaceMonitor.AndroidVPNEnabled() {
 		const protectedFromVPN = 0x20000
-		if p4 || t.options.StrictRoute {
+		if p4 {
 			it = netlink.NewRule()
 			if t.options.InterfaceMonitor.OverrideAndroidVPN() {
 				it.Mark = protectedFromVPN
@@ -528,7 +528,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			rules = append(rules, it)
 			priority++
 		}
-		if p6 || t.options.StrictRoute {
+		if p6 {
 			it = netlink.NewRule()
 			if t.options.InterfaceMonitor.OverrideAndroidVPN() {
 				it.Mark = protectedFromVPN
@@ -627,15 +627,15 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			priority6++
 		}
 	}
-
 	if p4 {
-		if t.options.StrictRoute {
 		it = netlink.NewRule()
 		it.Priority = priority
-			it.Table = t.options.TableIndex
+		it.IifName = t.options.Name
+		it.Goto = nopPriority
 		it.Family = unix.AF_INET
 		rules = append(rules, it)
-		} else {
+		priority++
+
 		it = netlink.NewRule()
 		it.Priority = priority
 		it.Invert = true
@@ -661,11 +661,9 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			it.Family = unix.AF_INET
 			rules = append(rules, it)
 		}
-		}
 		priority++
 	}
 	if p6 {
-		if !t.options.StrictRoute {
 		for _, address := range t.options.Inet6Address {
 			it = netlink.NewRule()
 			it.Priority = priority6
@@ -677,6 +675,13 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		}
 		priority6++
 
+		it = netlink.NewRule()
+		it.Priority = priority6
+		it.IifName = t.options.Name
+		it.Goto = nopPriority
+		it.Family = unix.AF_INET6
+		rules = append(rules, it)
+
 		it = netlink.NewRule()
 		it.Priority = priority6
 		it.IifName = "lo"
@@ -694,7 +699,6 @@ func (t *NativeTun) rules() []*netlink.Rule {
 		rules = append(rules, it)
 
 		priority6++
-		}
 
 		it = netlink.NewRule()
 		it.Priority = priority6