From e01ce3a8a70e2f8982bac4239af61bdd8887c81d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Fri, 26 Aug 2022 20:54:59 +0800 Subject: [PATCH] Add strict route option --- Makefile | 2 +- go.mod | 2 +- go.sum | 4 +- tun.go | 1 + tun_linux.go | 171 ++++++++++++++++++++++++++++++--------------------- 5 files changed, 106 insertions(+), 74 deletions(-) diff --git a/Makefile b/Makefile index 77925e6..57c2360 100644 --- a/Makefile +++ b/Makefile @@ -18,4 +18,4 @@ lint_install: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest test: - go test -v ./... \ No newline at end of file + go test -v . \ No newline at end of file diff --git a/go.mod b/go.mod index 7c84361..a6ac25f 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/fsnotify/fsnotify v1.5.4 github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 - github.com/sagernet/netlink v0.0.0-20220820041223-3cd8365d17ac + github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17 github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1 golang.org/x/net v0.0.0-20220812174116-3211cb980234 golang.org/x/sys v0.0.0-20220818161305-2296e01440c6 diff --git a/go.sum b/go.sum index 0f59487..3230df2 100644 --- a/go.sum +++ b/go.sum @@ -6,8 +6,8 @@ github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e h1:5CFRo8FJbCuf5s/ github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g= github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA= github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms= -github.com/sagernet/netlink v0.0.0-20220820041223-3cd8365d17ac h1:I03d2HNy5f3INRZfsvuoLhz0h3qqsDLbKSw0EsYxQxI= -github.com/sagernet/netlink v0.0.0-20220820041223-3cd8365d17ac/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM= +github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17 h1:zvm6IrIgo4rLizJCHkH+SWUBhm+jyjjozX031QdAlj8= +github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM= github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY= github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1 h1:+YC0/ygsJc4Z8qhd7ypsbWgMSm+UWN+QK+PW7I19K4Q= github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY= diff --git a/tun.go b/tun.go index 73b189e..80c213c 100644 --- a/tun.go +++ b/tun.go @@ -36,6 +36,7 @@ type Options struct { Inet6Address netip.Prefix MTU uint32 AutoRoute bool + StrictRoute bool IncludeUID []ranges.Range[uint32] ExcludeUID []ranges.Range[uint32] IncludeAndroidUser []int diff --git a/tun_linux.go b/tun_linux.go index 7028d00..63f20f8 100644 --- a/tun_linux.go +++ b/tun_linux.go @@ -186,6 +186,7 @@ func (t *NativeTun) rules() []*netlink.Rule { excludeRanges := t.options.ExcludedRanges() priority := 9000 + priority6 := priority nopPriority := priority + 10 for _, excludeRange := range excludeRanges { @@ -199,7 +200,7 @@ func (t *NativeTun) rules() []*netlink.Rule { } if p6 { it = netlink.NewRule() - it.Priority = priority + it.Priority = priority6 it.UIDRange = netlink.NewRuleUIDRange(excludeRange.Start, excludeRange.End) it.Goto = nopPriority it.Family = unix.AF_INET6 @@ -207,29 +208,51 @@ func (t *NativeTun) rules() []*netlink.Rule { } } if len(excludeRanges) > 0 { - priority++ + if p4 { + priority++ + } + if p6 { + priority6++ + } } - if p4 { - it = netlink.NewRule() - it.Priority = priority - it.Dst = t.options.Inet4Address.Masked() - it.Table = tunTableIndex - it.Family = unix.AF_INET - rules = append(rules, it) + if t.options.StrictRoute { + if !p4 { + it = netlink.NewRule() + it.Priority = priority + it.Family = unix.AF_INET + it.Type = unix.FR_ACT_UNREACHABLE + rules = append(rules, it) + priority++ + } + if !p6 { + it = netlink.NewRule() + it.Priority = priority6 + it.Family = unix.AF_INET6 + it.Type = unix.FR_ACT_UNREACHABLE + rules = append(rules, it) + priority6++ + } } - if p6 { - it = netlink.NewRule() - it.Priority = priority - it.Dst = t.options.Inet6Address.Masked() - it.Table = tunTableIndex - it.Family = unix.AF_INET6 - rules = append(rules, it) - } - priority++ if runtime.GOOS != "android" { - // not supported on android, why? + if p4 { + it = netlink.NewRule() + it.Priority = priority + it.Dst = t.options.Inet4Address.Masked() + it.Table = tunTableIndex + it.Family = unix.AF_INET + rules = append(rules, it) + priority++ + } + /*if p6 { + it = netlink.NewRule() + it.Priority = priority + it.Dst = t.options.Inet6Address.Masked() + it.Table = tunTableIndex + it.Family = unix.AF_INET6 + rules = append(rules, it) + }*/ if p4 { it = netlink.NewRule() it.Priority = priority @@ -237,69 +260,77 @@ func (t *NativeTun) rules() []*netlink.Rule { it.Goto = nopPriority it.Family = unix.AF_INET rules = append(rules, it) + priority++ } if p6 { it = netlink.NewRule() - it.Priority = priority + it.Priority = priority6 it.IPProto = unix.IPPROTO_ICMPV6 it.Goto = nopPriority it.Family = unix.AF_INET6 rules = append(rules, it) + priority6++ + } + if p4 { + it = netlink.NewRule() + it.Priority = priority + it.Invert = true + it.Dport = netlink.NewRulePortRange(53, 53) + it.Table = unix.RT_TABLE_MAIN + it.SuppressPrefixlen = 0 + it.Family = unix.AF_INET + rules = append(rules, it) + } + if p6 { + it = netlink.NewRule() + it.Priority = priority6 + it.Invert = true + it.Dport = netlink.NewRulePortRange(53, 53) + it.Table = unix.RT_TABLE_MAIN + it.SuppressPrefixlen = 0 + it.Family = unix.AF_INET6 + rules = append(rules, it) + } + } + + if p4 { + if t.options.StrictRoute { + it = netlink.NewRule() + it.Priority = priority + it.Table = tunTableIndex + it.Family = unix.AF_INET + rules = append(rules, it) + } else { + it = netlink.NewRule() + it.Priority = priority + it.Invert = true + it.IifName = "lo" + it.Table = tunTableIndex + it.Family = unix.AF_INET + rules = append(rules, it) + + it = netlink.NewRule() + it.Priority = priority + it.IifName = "lo" + it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32) + it.Table = tunTableIndex + it.Family = unix.AF_INET + rules = append(rules, it) + + it = netlink.NewRule() + it.Priority = priority + it.IifName = "lo" + it.Src = t.options.Inet4Address.Masked() + it.Table = tunTableIndex + it.Family = unix.AF_INET + rules = append(rules, it) } priority++ } - - if p4 { - it = netlink.NewRule() - it.Priority = priority - it.Invert = true - it.Dport = netlink.NewRulePortRange(53, 53) - it.Table = unix.RT_TABLE_MAIN - it.SuppressPrefixlen = 0 - it.Family = unix.AF_INET - rules = append(rules, it) - } - if p6 { - it = netlink.NewRule() - it.Priority = priority - it.Invert = true - it.Dport = netlink.NewRulePortRange(53, 53) - it.Table = unix.RT_TABLE_MAIN - it.SuppressPrefixlen = 0 - it.Family = unix.AF_INET6 - rules = append(rules, it) - } - priority++ - - if p4 { - it = netlink.NewRule() - it.Priority = priority - it.Invert = true - it.IifName = "lo" - it.Table = tunTableIndex - it.Family = unix.AF_INET - rules = append(rules, it) - - it = netlink.NewRule() - it.Priority = priority - it.IifName = "lo" - it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32) - it.Table = tunTableIndex - it.Family = unix.AF_INET - rules = append(rules, it) - - it = netlink.NewRule() - it.Priority = priority - it.IifName = "lo" - it.Src = t.options.Inet4Address.Masked() - it.Table = tunTableIndex - it.Family = unix.AF_INET - rules = append(rules, it) - } if p6 { // FIXME: this match connections from public address it = netlink.NewRule() - it.Priority = priority + it.Priority = priority6 it.Table = tunTableIndex it.Family = unix.AF_INET6 rules = append(rules, it) @@ -327,8 +358,8 @@ func (t *NativeTun) rules() []*netlink.Rule { it.Table = tunTableIndex it.Family = unix.AF_INET6 rules = append(rules, it)*/ + priority6++ } - priority++ if p4 { it = netlink.NewRule() it.Priority = nopPriority