From e94baeac0c5c9f3a7f8a84c3a5dfc2ad72945e4d Mon Sep 17 00:00:00 2001
From: dyhkwong <50692134+dyhkwong@users.noreply.github.com>
Date: Tue, 4 Mar 2025 15:04:28 +0800
Subject: [PATCH] fix Windows firewall rules and allow to disable firewall manipulation
---
 stack_system.go | 35 ++++++++++++++++++++---------------
 stack_system_windows.go | 14 ++++++++++++--
 tun.go | 3 ++-
 3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/stack_system.go b/stack_system.go
index e48b8b6..2fd5e95 100644
--- a/stack_system.go
+++ b/stack_system.go
@@ -46,6 +46,7 @@ type System struct {
 	interfaceFinder control.InterfaceFinder
 	frontHeadroom int
 	txChecksumOffload bool
+	disableFirewallFix bool
 }
 
 type Session struct {
@@ -57,18 +58,19 @@ type Session struct {
 
 func NewSystem(options StackOptions) (Stack, error) {
 	stack := &System{
-		ctx: options.Context,
-		tun: options.Tun,
-		tunName: options.TunOptions.Name,
-		mtu: int(options.TunOptions.MTU),
-		udpTimeout: options.UDPTimeout,
-		handler: options.Handler,
-		logger: options.Logger,
-		inet4Prefixes: options.TunOptions.Inet4Address,
-		inet6Prefixes: options.TunOptions.Inet6Address,
-		broadcastAddr: BroadcastAddr(options.TunOptions.Inet4Address),
-		bindInterface: options.ForwarderBindInterface,
-		interfaceFinder: options.InterfaceFinder,
+		ctx: options.Context,
+		tun: options.Tun,
+		tunName: options.TunOptions.Name,
+		mtu: int(options.TunOptions.MTU),
+		udpTimeout: options.UDPTimeout,
+		handler: options.Handler,
+		logger: options.Logger,
+		inet4Prefixes: options.TunOptions.Inet4Address,
+		inet6Prefixes: options.TunOptions.Inet6Address,
+		broadcastAddr: BroadcastAddr(options.TunOptions.Inet4Address),
+		bindInterface: options.ForwarderBindInterface,
+		interfaceFinder: options.InterfaceFinder,
+		disableFirewallFix: options.TunOptions.EXP_DisableFirewallFix,
 	}
 	if len(options.TunOptions.Inet4Address) > 0 {
 		if !HasNextAddress(options.TunOptions.Inet4Address[0], 1) {
@@ -107,9 +109,12 @@ func (s *System) Start() error {
 }
 
 func (s *System) start() error {
-	err := fixWindowsFirewall()
-	if err != nil {
-		return E.Cause(err, "fix windows firewall for system stack")
+	var err error
+	if !s.disableFirewallFix {
+		err = fixWindowsFirewall()
+		if err != nil {
+			s.logger.Error(E.Cause(err, "fix windows firewall for system stack"))
+		}
 	}
 	var listener net.ListenConfig
 	if s.bindInterface {
diff --git a/stack_system_windows.go b/stack_system_windows.go
index ffa2a09..f334e38 100644
--- a/stack_system_windows.go
+++ b/stack_system_windows.go
@@ -15,15 +15,25 @@ func fixWindowsFirewall() error {
 	if err != nil {
 		return err
 	}
-	rule := winfw.FWRule{
+	_, err = winfw.FirewallRuleAddAdvanced(winfw.FWRule{
 		Name: "sing-tun (" + absPath + ")",
 		ApplicationName: absPath,
 		Enabled: true,
 		Protocol: winfw.NET_FW_IP_PROTOCOL_TCP,
 		Direction: winfw.NET_FW_RULE_DIR_IN,
 		Action: winfw.NET_FW_ACTION_ALLOW,
+	})
+	if err != nil {
+		return err
 	}
-	_, err = winfw.FirewallRuleAddAdvanced(rule)
+	_, err = winfw.FirewallRuleAddAdvanced(winfw.FWRule{
+		Name: "sing-tun UDP (" + absPath + ")",
+		ApplicationName: absPath,
+		Enabled: true,
+		Protocol: winfw.NET_FW_IP_PROTOCOL_UDP,
+		Direction: winfw.NET_FW_RULE_DIR_IN,
+		Action: winfw.NET_FW_ACTION_ALLOW,
+	})
 	return err
 }
 
diff --git a/tun.go b/tun.go
index b0f573a..b066358 100644
--- a/tun.go
+++ b/tun.go
@@ -87,7 +87,8 @@ type Options struct {
 	_TXChecksumOffload bool
 
 	// For library usages.
-	EXP_DisableDNSHijack bool
+	EXP_DisableDNSHijack bool
+	EXP_DisableFirewallFix bool
 }
 
 func (o *Options) Inet4GatewayAddr() netip.Addr {
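Review bot: After the logged failure inside the `if !s.disableFirewallFix` block, `err` is left non-nil because nothing resets it; whether a later statement in start() reads `err` before reassigning it cannot be seen from this hunk, but scoping the result to the block removes the hazard: `if err := fixWindowsFirewall(); err != nil { s.logger.Error(E.Cause(err, "fix windows firewall for system stack")) }`, keeping `var err error` for the assignments that follow. The commit also turns a hard failure into an error-level log, so Start() now succeeds without the inbound rules; a comment on the `var err error` line such as `// a failed firewall fix is logged, not fatal; inbound traffic to this binary may then be dropped by Windows Firewall` would tell an operator where to look when connections never reach the stack. start()'s body continues past the end of the hunk.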
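Review bot: The two FWRule literals in this hunk allow inbound TCP and inbound UDP to this executable with no remote-address or port restriction set on either, and they are added on every start with no matching removal visible, so the rules outlive the process and a relocated binary leaves stale entries behind unless FirewallRuleAddAdvanced deduplicates by name, which the hunk does not show; fixWindowsFirewall needs a doc comment stating both facts so callers know the rules are not torn down. A failure adding the UDP rule returns after the TCP rule has already been installed, which is acceptable but worth a one-line comment at the second `FirewallRuleAddAdvanced` call, e.g. `// the TCP rule above may already be in place if this call fails`. The function's signature and the absPath lookup sit above the start of the hunk.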
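Review bot: `EXP_DisableFirewallFix` lands under the generic `// For library usages.` comment with no description of what it disables; within this commit it is copied into System.disableFirewallFix by NewSystem and, when true, skips fixWindowsFirewall in start(). A field comment such as `// EXP_DisableFirewallFix skips adding the Windows Firewall inbound rules for this executable when the system stack starts; the embedding application must then grant firewall access itself.` would make the trade-off explicit to library users. The Options struct begins before this hunk.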