SagerNet/sing-tun
1
0
Fork 0
mirror of https://github.com/SagerNet/sing-tun.git synced 2025-04-04 20:37:43 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add strict route option

Browse source
This commit is contained in:
世界 2022-08-26 20:54:59 +08:00
parent d1c9876e60
commit e01ce3a8a7
No known key found for this signature in database
GPG key ID: CD109927C34A63C4
5 changed files with 106 additions and 74 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -18,4 +18,4 @@ lint_install:
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
test: test:
go test -v ./... go test -v .

2
go.mod
View file

@ -6,7 +6,7 @@ require (
github.com/fsnotify/fsnotify v1.5.4 github.com/fsnotify/fsnotify v1.5.4
github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e
github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61
github.com/sagernet/netlink v0.0.0-20220820041223-3cd8365d17ac github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17
github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1 github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1
golang.org/x/net v0.0.0-20220812174116-3211cb980234 golang.org/x/net v0.0.0-20220812174116-3211cb980234
golang.org/x/sys v0.0.0-20220818161305-2296e01440c6 golang.org/x/sys v0.0.0-20220818161305-2296e01440c6

4
go.sum
View file

@ -6,8 +6,8 @@ github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e h1:5CFRo8FJbCuf5s/
github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g= github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g=
github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA= github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms= github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
github.com/sagernet/netlink v0.0.0-20220820041223-3cd8365d17ac h1:I03d2HNy5f3INRZfsvuoLhz0h3qqsDLbKSw0EsYxQxI= github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17 h1:zvm6IrIgo4rLizJCHkH+SWUBhm+jyjjozX031QdAlj8=
github.com/sagernet/netlink v0.0.0-20220820041223-3cd8365d17ac/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM= github.com/sagernet/netlink v0.0.0-20220826133217-3fb4ff92ea17/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY= github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1 h1:+YC0/ygsJc4Z8qhd7ypsbWgMSm+UWN+QK+PW7I19K4Q= github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1 h1:+YC0/ygsJc4Z8qhd7ypsbWgMSm+UWN+QK+PW7I19K4Q=
github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY= github.com/sagernet/sing v0.0.0-20220819003212-2424b1e2fac1/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=

1
tun.go
View file

@ -36,6 +36,7 @@ type Options struct {
Inet6Address netip.Prefix Inet6Address netip.Prefix
MTU uint32 MTU uint32
AutoRoute bool AutoRoute bool
StrictRoute bool
IncludeUID []ranges.Range[uint32] IncludeUID []ranges.Range[uint32]
ExcludeUID []ranges.Range[uint32] ExcludeUID []ranges.Range[uint32]
IncludeAndroidUser []int IncludeAndroidUser []int

171
tun_linux.go
View file

@ -186,6 +186,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
excludeRanges := t.options.ExcludedRanges() excludeRanges := t.options.ExcludedRanges()
priority := 9000 priority := 9000
priority6 := priority
nopPriority := priority + 10 nopPriority := priority + 10
for _, excludeRange := range excludeRanges { for _, excludeRange := range excludeRanges {
@ -199,7 +200,7 @@ func (t *NativeTun) rules() []*netlink.Rule {
} }
if p6 { if p6 {
it = netlink.NewRule() it = netlink.NewRule()
it.Priority = priority it.Priority = priority6
it.UIDRange = netlink.NewRuleUIDRange(excludeRange.Start, excludeRange.End) it.UIDRange = netlink.NewRuleUIDRange(excludeRange.Start, excludeRange.End)
it.Goto = nopPriority it.Goto = nopPriority
it.Family = unix.AF_INET6 it.Family = unix.AF_INET6
@ -207,29 +208,51 @@ func (t *NativeTun) rules() []*netlink.Rule {
} }
} }
if len(excludeRanges) > 0 { if len(excludeRanges) > 0 {
priority++ if p4 {
priority++
}
if p6 {
priority6++
}
} }
if p4 { if t.options.StrictRoute {
it = netlink.NewRule() if !p4 {
it.Priority = priority it = netlink.NewRule()
it.Dst = t.options.Inet4Address.Masked() it.Priority = priority
it.Table = tunTableIndex it.Family = unix.AF_INET
it.Family = unix.AF_INET it.Type = unix.FR_ACT_UNREACHABLE
rules = append(rules, it) rules = append(rules, it)
priority++
}
if !p6 {
it = netlink.NewRule()
it.Priority = priority6
it.Family = unix.AF_INET6
it.Type = unix.FR_ACT_UNREACHABLE
rules = append(rules, it)
priority6++
}
} }
if p6 {
it = netlink.NewRule()
it.Priority = priority
it.Dst = t.options.Inet6Address.Masked()
it.Table = tunTableIndex
it.Family = unix.AF_INET6
rules = append(rules, it)
}
priority++
if runtime.GOOS != "android" { if runtime.GOOS != "android" {
// not supported on android, why? if p4 {
it = netlink.NewRule()
it.Priority = priority
it.Dst = t.options.Inet4Address.Masked()
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
priority++
}
/*if p6 {
it = netlink.NewRule()
it.Priority = priority
it.Dst = t.options.Inet6Address.Masked()
it.Table = tunTableIndex
it.Family = unix.AF_INET6
rules = append(rules, it)
}*/
if p4 { if p4 {
it = netlink.NewRule() it = netlink.NewRule()
it.Priority = priority it.Priority = priority
@ -237,69 +260,77 @@ func (t *NativeTun) rules() []*netlink.Rule {
it.Goto = nopPriority it.Goto = nopPriority
it.Family = unix.AF_INET it.Family = unix.AF_INET
rules = append(rules, it) rules = append(rules, it)
priority++
} }
if p6 { if p6 {
it = netlink.NewRule() it = netlink.NewRule()
it.Priority = priority it.Priority = priority6
it.IPProto = unix.IPPROTO_ICMPV6 it.IPProto = unix.IPPROTO_ICMPV6
it.Goto = nopPriority it.Goto = nopPriority
it.Family = unix.AF_INET6 it.Family = unix.AF_INET6
rules = append(rules, it) rules = append(rules, it)
priority6++
}
if p4 {
it = netlink.NewRule()
it.Priority = priority
it.Invert = true
it.Dport = netlink.NewRulePortRange(53, 53)
it.Table = unix.RT_TABLE_MAIN
it.SuppressPrefixlen = 0
it.Family = unix.AF_INET
rules = append(rules, it)
}
if p6 {
it = netlink.NewRule()
it.Priority = priority6
it.Invert = true
it.Dport = netlink.NewRulePortRange(53, 53)
it.Table = unix.RT_TABLE_MAIN
it.SuppressPrefixlen = 0
it.Family = unix.AF_INET6
rules = append(rules, it)
}
}
if p4 {
if t.options.StrictRoute {
it = netlink.NewRule()
it.Priority = priority
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
} else {
it = netlink.NewRule()
it.Priority = priority
it.Invert = true
it.IifName = "lo"
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
it = netlink.NewRule()
it.Priority = priority
it.IifName = "lo"
it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32)
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
it = netlink.NewRule()
it.Priority = priority
it.IifName = "lo"
it.Src = t.options.Inet4Address.Masked()
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
} }
priority++ priority++
} }
if p4 {
it = netlink.NewRule()
it.Priority = priority
it.Invert = true
it.Dport = netlink.NewRulePortRange(53, 53)
it.Table = unix.RT_TABLE_MAIN
it.SuppressPrefixlen = 0
it.Family = unix.AF_INET
rules = append(rules, it)
}
if p6 {
it = netlink.NewRule()
it.Priority = priority
it.Invert = true
it.Dport = netlink.NewRulePortRange(53, 53)
it.Table = unix.RT_TABLE_MAIN
it.SuppressPrefixlen = 0
it.Family = unix.AF_INET6
rules = append(rules, it)
}
priority++
if p4 {
it = netlink.NewRule()
it.Priority = priority
it.Invert = true
it.IifName = "lo"
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
it = netlink.NewRule()
it.Priority = priority
it.IifName = "lo"
it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32)
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
it = netlink.NewRule()
it.Priority = priority
it.IifName = "lo"
it.Src = t.options.Inet4Address.Masked()
it.Table = tunTableIndex
it.Family = unix.AF_INET
rules = append(rules, it)
}
if p6 { if p6 {
// FIXME: this match connections from public address // FIXME: this match connections from public address
it = netlink.NewRule() it = netlink.NewRule()
it.Priority = priority it.Priority = priority6
it.Table = tunTableIndex it.Table = tunTableIndex
it.Family = unix.AF_INET6 it.Family = unix.AF_INET6
rules = append(rules, it) rules = append(rules, it)
@ -327,8 +358,8 @@ func (t *NativeTun) rules() []*netlink.Rule {
it.Table = tunTableIndex it.Table = tunTableIndex
it.Family = unix.AF_INET6 it.Family = unix.AF_INET6
rules = append(rules, it)*/ rules = append(rules, it)*/
priority6++
} }
priority++
if p4 { if p4 {
it = netlink.NewRule() it = netlink.NewRule()
it.Priority = nopPriority it.Priority = nopPriority