Ignore UDP offload error

Makefile

@@ -29,4 +29,5 @@ lint_install:
 
 test:
 	go build -v .
+	go test -bench=. ./internal/checksum_test
 	#go test -v .

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a
 	github.com/sagernet/nftables v0.3.0-beta.4
-	github.com/sagernet/sing v0.6.0-alpha.18
+	github.com/sagernet/sing v0.6.0-beta.2
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
 	golang.org/x/net v0.26.0

go.sum

@@ -22,8 +22,8 @@ github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZN
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/sing v0.6.0-alpha.18 h1:ih4CurU8KvbhfagYjSqVrE2LR0oBSXSZTNH2sAGPGiM=
-github.com/sagernet/sing v0.6.0-alpha.18/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.0-beta.2 h1:Dcutp3kxrsZes9q3oTiHQhYYjQvDn5rwp1OI9fDLYwQ=
+github.com/sagernet/sing v0.6.0-beta.2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=

internal/checksum_test/sum_bench_test.go

@@ -28,6 +28,6 @@ func BenchmarkGChecksum(b *testing.B) {
 	}
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		checksum.Checksum(packet[i%1000], 0)
+		checksum.ChecksumDefault(packet[i%1000], 0)
 	}
 }

internal/gtcpip/checksum/checksum.go

@@ -38,3 +38,8 @@ func Combine(a, b uint16) uint16 {
 	v := uint32(a) + uint32(b)
 	return uint16(v + v>>16)
 }
+
+func ChecksumDefault(buf []byte, initial uint16) uint16 {
+	s, _ := calculateChecksum(buf, false, initial)
+	return s
+}

internal/gtcpip/checksum/checksum_default.go

@@ -8,6 +8,5 @@ package checksum
 //
 // The initial checksum must have been computed on an even number of bytes.
 func Checksum(buf []byte, initial uint16) uint16 {
-	s, _ := calculateChecksum(buf, false, initial)
-	return s
+	return ChecksumDefault(buf, initial)
 }

internal/gtcpip/checksum/checksum_unsafe.go

@@ -1,5 +1,3 @@
-//go:build !amd64
-
 // Copyright 2023 The gVisor Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

internal/gtcpip/header/ipv6_extension_headers.go

@@ -18,10 +18,8 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
-	"io"
 	"math"
 
-	"github.com/sagernet/gvisor/pkg/buffer"
 	"github.com/sagernet/sing-tun/internal/gtcpip"
 	"github.com/sagernet/sing/common"
 )
@@ -145,79 +143,6 @@ func ipv6OptionsAlignmentPadding(headerOffset int, align int, alignOffset int) i
 	return ((padLen + align - 1) & ^(align - 1)) - padLen
 }
 
-// IPv6PayloadHeader is implemented by the various headers that can be found
-// in an IPv6 payload.
-//
-// These headers include IPv6 extension headers or upper layer data.
-type IPv6PayloadHeader interface {
-	isIPv6PayloadHeader()
-
-	// Release frees all resources held by the header.
-	Release()
-}
-
-// IPv6RawPayloadHeader the remainder of an IPv6 payload after an iterator
-// encounters a Next Header field it does not recognize as an IPv6 extension
-// header. The caller is responsible for releasing the underlying buffer after
-// it's no longer needed.
-type IPv6RawPayloadHeader struct {
-	Identifier IPv6ExtensionHeaderIdentifier
-	Buf        buffer.Buffer
-}
-
-// isIPv6PayloadHeader implements IPv6PayloadHeader.isIPv6PayloadHeader.
-func (IPv6RawPayloadHeader) isIPv6PayloadHeader() {}
-
-// Release implements IPv6PayloadHeader.Release.
-func (i IPv6RawPayloadHeader) Release() {
-	i.Buf.Release()
-}
-
-// ipv6OptionsExtHdr is an IPv6 extension header that holds options.
-type ipv6OptionsExtHdr struct {
-	buf *buffer.View
-}
-
-// Release implements IPv6PayloadHeader.Release.
-func (i ipv6OptionsExtHdr) Release() {
-	if i.buf != nil {
-		i.buf.Release()
-	}
-}
-
-// Iter returns an iterator over the IPv6 extension header options held in b.
-func (i ipv6OptionsExtHdr) Iter() IPv6OptionsExtHdrOptionsIterator {
-	it := IPv6OptionsExtHdrOptionsIterator{}
-	it.reader = i.buf
-	return it
-}
-
-// IPv6OptionsExtHdrOptionsIterator is an iterator over IPv6 extension header
-// options.
-//
-// Note, between when an IPv6OptionsExtHdrOptionsIterator is obtained and last
-// used, no changes to the underlying buffer may happen. Doing so may cause
-// undefined and unexpected behaviour. It is fine to obtain an
-// IPv6OptionsExtHdrOptionsIterator, iterate over the first few options then
-// modify the backing payload so long as the IPv6OptionsExtHdrOptionsIterator
-// obtained before modification is no longer used.
-type IPv6OptionsExtHdrOptionsIterator struct {
-	reader *buffer.View
-
-	// optionOffset is the number of bytes from the first byte of the
-	// options field to the beginning of the current option.
-	optionOffset uint32
-
-	// nextOptionOffset is the offset of the next option.
-	nextOptionOffset uint32
-}
-
-// OptionOffset returns the number of bytes parsed while processing the
-// option field of the current Extension Header.
-func (i *IPv6OptionsExtHdrOptionsIterator) OptionOffset() uint32 {
-	return i.optionOffset
-}
-
 // IPv6OptionUnknownAction is the action that must be taken if the processing
 // IPv6 node does not recognize the option, as outlined in RFC 8200 section 4.2.
 type IPv6OptionUnknownAction int
@@ -294,143 +219,6 @@ func ipv6UnknownActionFromIdentifier(id IPv6ExtHdrOptionIdentifier) IPv6OptionUn
 // is malformed.
 var ErrMalformedIPv6ExtHdrOption = errors.New("malformed IPv6 extension header option")
 
-// IPv6UnknownExtHdrOption holds the identifier and data for an IPv6 extension
-// header option that is unknown by the parsing utilities.
-type IPv6UnknownExtHdrOption struct {
-	Identifier IPv6ExtHdrOptionIdentifier
-	Data       *buffer.View
-}
-
-// UnknownAction implements IPv6OptionUnknownAction.UnknownAction.
-func (o *IPv6UnknownExtHdrOption) UnknownAction() IPv6OptionUnknownAction {
-	return ipv6UnknownActionFromIdentifier(o.Identifier)
-}
-
-// isIPv6ExtHdrOption implements IPv6ExtHdrOption.isIPv6ExtHdrOption.
-func (*IPv6UnknownExtHdrOption) isIPv6ExtHdrOption() {}
-
-// Next returns the next option in the options data.
-//
-// If the next item is not a known extension header option,
-// IPv6UnknownExtHdrOption will be returned with the option identifier and data.
-//
-// The return is of the format (option, done, error). done will be true when
-// Next is unable to return anything because the iterator has reached the end of
-// the options data, or an error occurred.
-func (i *IPv6OptionsExtHdrOptionsIterator) Next() (IPv6ExtHdrOption, bool, error) {
-	for {
-		i.optionOffset = i.nextOptionOffset
-		temp, err := i.reader.ReadByte()
-		if err != nil {
-			// If we can't read the first byte of a new option, then we know the
-			// options buffer has been exhausted and we are done iterating.
-			return nil, true, nil
-		}
-		id := IPv6ExtHdrOptionIdentifier(temp)
-
-		// If the option identifier indicates the option is a Pad1 option, then we
-		// know the option does not have Length and Data fields. End processing of
-		// the Pad1 option and continue processing the buffer as a new option.
-		if id == ipv6Pad1ExtHdrOptionIdentifier {
-			i.nextOptionOffset = i.optionOffset + 1
-			continue
-		}
-
-		length, err := i.reader.ReadByte()
-		if err != nil {
-			if err != io.EOF {
-				// ReadByte should only ever return nil or io.EOF.
-				panic(fmt.Sprintf("unexpected error when reading the option's Length field for option with id = %d: %s", id, err))
-			}
-
-			// We use io.ErrUnexpectedEOF as exhausting the buffer is unexpected once
-			// we start parsing an option; we expect the reader to contain enough
-			// bytes for the whole option.
-			return nil, true, fmt.Errorf("error when reading the option's Length field for option with id = %d: %w", id, io.ErrUnexpectedEOF)
-		}
-
-		// Do we have enough bytes in the reader for the next option?
-		if n := i.reader.Size(); n < int(length) {
-			// Consume the remaining buffer.
-			i.reader.TrimFront(i.reader.Size())
-
-			// We return the same error as if we failed to read a non-padding option
-			// so consumers of this iterator don't need to differentiate between
-			// padding and non-padding options.
-			return nil, true, fmt.Errorf("read %d out of %d option data bytes for option with id = %d: %w", n, length, id, io.ErrUnexpectedEOF)
-		}
-
-		i.nextOptionOffset = i.optionOffset + uint32(length) + 1 /* option ID */ + 1 /* length byte */
-
-		switch id {
-		case ipv6PadNExtHdrOptionIdentifier:
-			// Special-case the variable length padding option to avoid a copy.
-			i.reader.TrimFront(int(length))
-			continue
-		case ipv6RouterAlertHopByHopOptionIdentifier:
-			var routerAlertValue [ipv6RouterAlertPayloadLength]byte
-			if n, err := io.ReadFull(i.reader, routerAlertValue[:]); err != nil {
-				switch err {
-				case io.EOF, io.ErrUnexpectedEOF:
-					return nil, true, fmt.Errorf("got invalid length (%d) for router alert option (want = %d): %w", length, ipv6RouterAlertPayloadLength, ErrMalformedIPv6ExtHdrOption)
-				default:
-					return nil, true, fmt.Errorf("read %d out of %d option data bytes for router alert option: %w", n, ipv6RouterAlertPayloadLength, err)
-				}
-			} else if n != int(length) {
-				return nil, true, fmt.Errorf("got invalid length (%d) for router alert option (want = %d): %w", length, ipv6RouterAlertPayloadLength, ErrMalformedIPv6ExtHdrOption)
-			}
-			return &IPv6RouterAlertOption{Value: IPv6RouterAlertValue(binary.BigEndian.Uint16(routerAlertValue[:]))}, false, nil
-		default:
-			bytes := buffer.NewView(int(length))
-			if n, err := io.CopyN(bytes, i.reader, int64(length)); err != nil {
-				if err == io.EOF {
-					err = io.ErrUnexpectedEOF
-				}
-
-				return nil, true, fmt.Errorf("read %d out of %d option data bytes for option with id = %d: %w", n, length, id, err)
-			}
-			return &IPv6UnknownExtHdrOption{Identifier: id, Data: bytes}, false, nil
-		}
-	}
-}
-
-// IPv6HopByHopOptionsExtHdr is a buffer holding the Hop By Hop Options
-// extension header.
-type IPv6HopByHopOptionsExtHdr struct {
-	ipv6OptionsExtHdr
-}
-
-// isIPv6PayloadHeader implements IPv6PayloadHeader.isIPv6PayloadHeader.
-func (IPv6HopByHopOptionsExtHdr) isIPv6PayloadHeader() {}
-
-// IPv6DestinationOptionsExtHdr is a buffer holding the Destination Options
-// extension header.
-type IPv6DestinationOptionsExtHdr struct {
-	ipv6OptionsExtHdr
-}
-
-// isIPv6PayloadHeader implements IPv6PayloadHeader.isIPv6PayloadHeader.
-func (IPv6DestinationOptionsExtHdr) isIPv6PayloadHeader() {}
-
-// IPv6RoutingExtHdr is a buffer holding the Routing extension header specific
-// data as outlined in RFC 8200 section 4.4.
-type IPv6RoutingExtHdr struct {
-	Buf *buffer.View
-}
-
-// isIPv6PayloadHeader implements IPv6PayloadHeader.isIPv6PayloadHeader.
-func (IPv6RoutingExtHdr) isIPv6PayloadHeader() {}
-
-// Release implements IPv6PayloadHeader.Release.
-func (b IPv6RoutingExtHdr) Release() {
-	b.Buf.Release()
-}
-
-// SegmentsLeft returns the Segments Left field.
-func (b IPv6RoutingExtHdr) SegmentsLeft() uint8 {
-	return b.Buf.AsSlice()[ipv6RoutingExtHdrSegmentsLeftIdx]
-}
-
 // IPv6FragmentExtHdr is a buffer holding the Fragment extension header specific
 // data as outlined in RFC 8200 section 4.5.
 //
@@ -473,242 +261,6 @@ func (b IPv6FragmentExtHdr) IsAtomic() bool {
 	return !b.More() && b.FragmentOffset() == 0
 }
 
-// IPv6PayloadIterator is an iterator over the contents of an IPv6 payload.
-//
-// The IPv6 payload may contain IPv6 extension headers before any upper layer
-// data.
-//
-// Note, between when an IPv6PayloadIterator is obtained and last used, no
-// changes to the payload may happen. Doing so may cause undefined and
-// unexpected behaviour. It is fine to obtain an IPv6PayloadIterator, iterate
-// over the first few headers then modify the backing payload so long as the
-// IPv6PayloadIterator obtained before modification is no longer used.
-type IPv6PayloadIterator struct {
-	// The identifier of the next header to parse.
-	nextHdrIdentifier IPv6ExtensionHeaderIdentifier
-
-	payload buffer.Buffer
-
-	// Indicates to the iterator that it should return the remaining payload as a
-	// raw payload on the next call to Next.
-	forceRaw bool
-
-	// headerOffset is the offset of the beginning of the current extension
-	// header starting from the beginning of the fixed header.
-	headerOffset uint32
-
-	// parseOffset is the byte offset into the current extension header of the
-	// field we are currently examining. It can be added to the header offset
-	// if the absolute offset within the packet is required.
-	parseOffset uint32
-
-	// nextOffset is the offset of the next header.
-	nextOffset uint32
-}
-
-// HeaderOffset returns the offset to the start of the extension
-// header most recently processed.
-func (i IPv6PayloadIterator) HeaderOffset() uint32 {
-	return i.headerOffset
-}
-
-// ParseOffset returns the number of bytes successfully parsed.
-func (i IPv6PayloadIterator) ParseOffset() uint32 {
-	return i.headerOffset + i.parseOffset
-}
-
-// MakeIPv6PayloadIterator returns an iterator over the IPv6 payload containing
-// extension headers, or a raw payload if the payload cannot be parsed. The
-// iterator takes ownership of the payload.
-func MakeIPv6PayloadIterator(nextHdrIdentifier IPv6ExtensionHeaderIdentifier, payload buffer.Buffer) IPv6PayloadIterator {
-	return IPv6PayloadIterator{
-		nextHdrIdentifier: nextHdrIdentifier,
-		payload:           payload,
-		nextOffset:        IPv6FixedHeaderSize,
-	}
-}
-
-// Release frees the resources owned by the iterator.
-func (i *IPv6PayloadIterator) Release() {
-	i.payload.Release()
-}
-
-// AsRawHeader returns the remaining payload of i as a raw header and
-// optionally consumes the iterator.
-//
-// If consume is true, calls to Next after calling AsRawHeader on i will
-// indicate that the iterator is done. The returned header takes ownership of
-// its payload.
-func (i *IPv6PayloadIterator) AsRawHeader(consume bool) IPv6RawPayloadHeader {
-	identifier := i.nextHdrIdentifier
-
-	var buf buffer.Buffer
-	if consume {
-		// Since we consume the iterator, we return the payload as is.
-		buf = i.payload
-
-		// Mark i as done, but keep track of where we were for error reporting.
-		*i = IPv6PayloadIterator{
-			nextHdrIdentifier: IPv6NoNextHeaderIdentifier,
-			headerOffset:      i.headerOffset,
-			nextOffset:        i.nextOffset,
-		}
-	} else {
-		buf = i.payload.Clone()
-	}
-
-	return IPv6RawPayloadHeader{Identifier: identifier, Buf: buf}
-}
-
-// Next returns the next item in the payload.
-//
-// If the next item is not a known IPv6 extension header, IPv6RawPayloadHeader
-// will be returned with the remaining bytes and next header identifier.
-//
-// The return is of the format (header, done, error). done will be true when
-// Next is unable to return anything because the iterator has reached the end of
-// the payload, or an error occurred.
-func (i *IPv6PayloadIterator) Next() (IPv6PayloadHeader, bool, error) {
-	i.headerOffset = i.nextOffset
-	i.parseOffset = 0
-	// We could be forced to return i as a raw header when the previous header was
-	// a fragment extension header as the data following the fragment extension
-	// header may not be complete.
-	if i.forceRaw {
-		return i.AsRawHeader(true /* consume */), false, nil
-	}
-
-	// Is the header we are parsing a known extension header?
-	switch i.nextHdrIdentifier {
-	case IPv6HopByHopOptionsExtHdrIdentifier:
-		nextHdrIdentifier, view, err := i.nextHeaderData(false /* fragmentHdr */, nil)
-		if err != nil {
-			return nil, true, err
-		}
-
-		i.nextHdrIdentifier = nextHdrIdentifier
-		return IPv6HopByHopOptionsExtHdr{ipv6OptionsExtHdr{view}}, false, nil
-	case IPv6RoutingExtHdrIdentifier:
-		nextHdrIdentifier, view, err := i.nextHeaderData(false /* fragmentHdr */, nil)
-		if err != nil {
-			return nil, true, err
-		}
-
-		i.nextHdrIdentifier = nextHdrIdentifier
-		return IPv6RoutingExtHdr{view}, false, nil
-	case IPv6FragmentExtHdrIdentifier:
-		var data [6]byte
-		// We ignore the returned bytes because we know the fragment extension
-		// header specific data will fit in data.
-		nextHdrIdentifier, _, err := i.nextHeaderData(true /* fragmentHdr */, data[:])
-		if err != nil {
-			return nil, true, err
-		}
-
-		fragmentExtHdr := IPv6FragmentExtHdr(data)
-
-		// If the packet is not the first fragment, do not attempt to parse anything
-		// after the fragment extension header as the payload following the fragment
-		// extension header should not contain any headers; the first fragment must
-		// hold all the headers up to and including any upper layer headers, as per
-		// RFC 8200 section 4.5.
-		if fragmentExtHdr.FragmentOffset() != 0 {
-			i.forceRaw = true
-		}
-
-		i.nextHdrIdentifier = nextHdrIdentifier
-		return fragmentExtHdr, false, nil
-	case IPv6DestinationOptionsExtHdrIdentifier:
-		nextHdrIdentifier, view, err := i.nextHeaderData(false /* fragmentHdr */, nil)
-		if err != nil {
-			return nil, true, err
-		}
-
-		i.nextHdrIdentifier = nextHdrIdentifier
-		return IPv6DestinationOptionsExtHdr{ipv6OptionsExtHdr{view}}, false, nil
-	case IPv6NoNextHeaderIdentifier:
-		// This indicates the end of the IPv6 payload.
-		return nil, true, nil
-
-	default:
-		// The header we are parsing is not a known extension header. Return the
-		// raw payload.
-		return i.AsRawHeader(true /* consume */), false, nil
-	}
-}
-
-// NextHeaderIdentifier returns the identifier of the header next returned by
-// it.Next().
-func (i *IPv6PayloadIterator) NextHeaderIdentifier() IPv6ExtensionHeaderIdentifier {
-	return i.nextHdrIdentifier
-}
-
-// nextHeaderData returns the extension header's Next Header field and raw data.
-//
-// fragmentHdr indicates that the extension header being parsed is the Fragment
-// extension header so the Length field should be ignored as it is Reserved
-// for the Fragment extension header.
-//
-// If bytes is not nil, extension header specific data will be read into bytes
-// if it has enough capacity. If bytes is provided but does not have enough
-// capacity for the data, nextHeaderData will panic.
-func (i *IPv6PayloadIterator) nextHeaderData(fragmentHdr bool, bytes []byte) (IPv6ExtensionHeaderIdentifier, *buffer.View, error) {
-	// We ignore the number of bytes read because we know we will only ever read
-	// at max 1 bytes since rune has a length of 1. If we read 0 bytes, the Read
-	// would return io.EOF to indicate that io.Reader has reached the end of the
-	// payload.
-	rdr := i.payload.AsBufferReader()
-	nextHdrIdentifier, err := rdr.ReadByte()
-	if err != nil {
-		return 0, nil, fmt.Errorf("error when reading the Next Header field for extension header with id = %d: %w", i.nextHdrIdentifier, err)
-	}
-	i.parseOffset++
-
-	var length uint8
-	length, err = rdr.ReadByte()
-	if err != nil {
-		if fragmentHdr {
-			return 0, nil, fmt.Errorf("error when reading the Length field for extension header with id = %d: %w", i.nextHdrIdentifier, err)
-		}
-
-		return 0, nil, fmt.Errorf("error when reading the Reserved field for extension header with id = %d: %w", i.nextHdrIdentifier, err)
-	}
-	if fragmentHdr {
-		length = 0
-	}
-
-	// Make parseOffset point to the first byte of the Extension Header
-	// specific data.
-	i.parseOffset++
-
-	// length is in 8 byte chunks but doesn't include the first one.
-	// See RFC 8200 for each header type, sections 4.3-4.6 and the requirement
-	// in section 4.8 for new extension headers at the top of page 24.
-	//   [ Hdr Ext Len ] ... Length of the Destination Options header in 8-octet
-	//   units, not including the first 8 octets.
-	i.nextOffset += uint32((length + 1) * ipv6ExtHdrLenBytesPerUnit)
-
-	bytesLen := int(length)*ipv6ExtHdrLenBytesPerUnit + ipv6ExtHdrLenBytesExcluded
-	if fragmentHdr {
-		if n := len(bytes); n < bytesLen {
-			panic(fmt.Sprintf("bytes only has space for %d bytes but need space for %d bytes (length = %d) for extension header with id = %d", n, bytesLen, length, i.nextHdrIdentifier))
-		}
-		if n, err := io.ReadFull(&rdr, bytes); err != nil {
-			return 0, nil, fmt.Errorf("read %d out of %d extension header data bytes (length = %d) for header with id = %d: %w", n, bytesLen, length, i.nextHdrIdentifier, err)
-		}
-		return IPv6ExtensionHeaderIdentifier(nextHdrIdentifier), nil, nil
-	}
-	v := buffer.NewView(bytesLen)
-	if n, err := io.CopyN(v, &rdr, int64(bytesLen)); err != nil {
-		if err == io.EOF {
-			err = io.ErrUnexpectedEOF
-		}
-		v.Release()
-		return 0, nil, fmt.Errorf("read %d out of %d extension header data bytes (length = %d) for header with id = %d: %w", n, bytesLen, length, i.nextHdrIdentifier, err)
-	}
-	return IPv6ExtensionHeaderIdentifier(nextHdrIdentifier), v, nil
-}
-
 // IPv6SerializableExtHdr provides serialization for IPv6 extension
 // headers.
 type IPv6SerializableExtHdr interface {

monitor_android.go

@@ -51,12 +51,11 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 		return err
 	}
 
-	oldInterface := m.defaultInterface.Load()
 	newInterface, err := m.interfaceFinder.ByIndex(link.Attrs().Index)
 	if err != nil {
 		return E.Cause(err, "find updated interface: ", link.Attrs().Name)
 	}
-	m.defaultInterface.Store(newInterface)
+	oldInterface := m.defaultInterface.Swap(newInterface)
 	if oldInterface != nil && oldInterface.Equals(*newInterface) && oldVPNEnabled == m.androidVPNEnabled {
 		return nil
 	}

monitor_darwin.go

@@ -165,12 +165,11 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 	if defaultInterface == nil {
 		return ErrNoRoute
 	}
-	oldInterface := m.defaultInterface.Load()
 	newInterface, err := m.interfaceFinder.ByIndex(defaultInterface.Index)
 	if err != nil {
 		return E.Cause(err, "find updated interface: ", defaultInterface.Name)
 	}
-	m.defaultInterface.Store(newInterface)
+	oldInterface := m.defaultInterface.Swap(newInterface)
 	if oldInterface != nil && oldInterface.Equals(*newInterface) {
 		return nil
 	}

monitor_linux.go

@@ -27,7 +27,7 @@ type networkUpdateMonitor struct {
 var ErrNetlinkBanned = E.New(
 	"netlink socket in Android is banned by Google, " +
 		"use the root or system (ADB) user to run sing-box, " +
-		"or switch to the sing-box Adnroid graphical interface client",
+		"or switch to the sing-box Android graphical interface client",
 )
 
 func NewNetworkUpdateMonitor(logger logger.Logger) (NetworkUpdateMonitor, error) {

monitor_linux_default.go

@@ -25,12 +25,11 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 			return err
 		}
 
-		oldInterface := m.defaultInterface.Load()
 		newInterface, err := m.interfaceFinder.ByIndex(link.Attrs().Index)
 		if err != nil {
 			return E.Cause(err, "find updated interface: ", link.Attrs().Name)
 		}
-		m.defaultInterface.Store(newInterface)
+		oldInterface := m.defaultInterface.Swap(newInterface)
 		if oldInterface != nil && oldInterface.Equals(*newInterface) {
 			return nil
 		}

monitor_windows.go

@@ -102,13 +102,12 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 		return ErrNoRoute
 	}
 
-	oldInterface := m.defaultInterface.Load()
 	newInterface, err := m.interfaceFinder.ByIndex(index)
 	if err != nil {
 		return E.Cause(err, "find updated interface: ", alias)
 	}
-	m.defaultInterface.Store(newInterface)
-	if oldInterface != nil && !oldInterface.Equals(*newInterface) {
+	oldInterface := m.defaultInterface.Swap(newInterface)
+	if oldInterface != nil && oldInterface.Equals(*newInterface) {
 		return nil
 	}
 	m.emit(newInterface, 0)

redirect_linux.go

@@ -44,7 +44,7 @@ type autoRedirect struct {
 }
 
 func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
-	r := &autoRedirect{
+	return &autoRedirect{
 		tunOptions:             options.TunOptions,
 		ctx:                    options.Context,
 		handler:                options.Handler,
@@ -56,7 +56,10 @@ func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
 		customRedirectPortFunc: options.CustomRedirectPort,
 		routeAddressSet:        options.RouteAddressSet,
 		routeExcludeAddressSet: options.RouteExcludeAddressSet,
-	}
+	}, nil
+}
+
+func (r *autoRedirect) Start() error {
 	var err error
 	if runtime.GOOS == "android" {
 		r.enableIPv4 = true
@@ -74,7 +77,7 @@ func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
 				}
 			}
 			if err != nil {
-				return nil, E.Extend(E.Cause(err, "root permission is required for auto redirect"), os.Getenv("PATH"))
+				return E.Extend(E.Cause(err, "root permission is required for auto redirect"), os.Getenv("PATH"))
 			}
 		}
 	} else {
@@ -90,7 +93,7 @@ func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
 			if !r.useNFTables {
 				r.iptablesPath, err = exec.LookPath("iptables")
 				if err != nil {
-					return nil, E.Cause(err, "iptables is required")
+					return E.Cause(err, "iptables is required")
 				}
 			}
 		}
@@ -100,7 +103,7 @@ func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
 				r.ip6tablesPath, err = exec.LookPath("ip6tables")
 				if err != nil {
 					if !r.enableIPv4 {
-						return nil, E.Cause(err, "ip6tables is required")
+						return E.Cause(err, "ip6tables is required")
 					} else {
 						r.enableIPv6 = false
 						r.logger.Error("device has no ip6tables nat support: ", err)
@@ -109,10 +112,6 @@ func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
 			}
 		}
 	}
-	return r, nil
-}
-
-func (r *autoRedirect) Start() error {
 	if r.customRedirectPortFunc != nil {
 		r.customRedirectPort = r.customRedirectPortFunc()
 	}
@@ -132,7 +131,6 @@ func (r *autoRedirect) Start() error {
 		}
 		r.redirectServer = server
 	}
-	var err error
 	if r.useNFTables {
 		r.cleanupNFTables()
 		err = r.setupNFTables()

redirect_nftables.go

@@ -32,6 +32,10 @@ func (r *autoRedirect) setupNFTables() error {
 		return err
 	}
 
+	err = r.interfaceFinder.Update()
+	if err != nil {
+		return err
+	}
 	r.localAddresses = common.FlatMap(r.interfaceFinder.Interfaces(), func(it control.Interface) []netip.Prefix {
 		return common.Filter(it.Addresses, func(prefix netip.Prefix) bool {
 			return it.Name == "lo" || prefix.Addr().IsGlobalUnicast()

stack_mixed.go

@@ -50,6 +50,18 @@ func (m *Mixed) Start() error {
 	return nil
 }
 
+func (m *Mixed) Close() error {
+	if m.stack == nil {
+		return nil
+	}
+	m.endpoint.Attach(nil)
+	m.stack.Close()
+	for _, endpoint := range m.stack.CleanupEndpoints() {
+		endpoint.Abort()
+	}
+	return m.System.Close()
+}
+
 func (m *Mixed) tunLoop() {
 	if winTun, isWinTun := m.tun.(WinTun); isWinTun {
 		m.wintunLoop(winTun)
@@ -222,15 +234,3 @@ func (m *Mixed) packetLoop() {
 		packet.DecRef()
 	}
 }
-
-func (m *Mixed) Close() error {
-	if m.stack == nil {
-		return nil
-	}
-	m.endpoint.Attach(nil)
-	m.stack.Close()
-	for _, endpoint := range m.stack.CleanupEndpoints() {
-		endpoint.Abort()
-	}
-	return m.System.Close()
-}

stack_system.go

@@ -586,7 +586,7 @@ func (s *System) processIPv4ICMP(ipHdr header.IPv4, icmpHdr header.ICMPv4) error
 	sourceAddress := ipHdr.SourceAddr()
 	ipHdr.SetSourceAddr(ipHdr.DestinationAddr())
 	ipHdr.SetDestinationAddr(sourceAddress)
-	icmpHdr.SetChecksum(header.ICMPv4Checksum(icmpHdr, checksum.Checksum(icmpHdr.Payload(), 0)))
+	icmpHdr.SetChecksum(header.ICMPv4Checksum(icmpHdr[:header.ICMPv4MinimumSize], checksum.Checksum(icmpHdr.Payload(), 0)))
 	ipHdr.SetChecksum(0)
 	ipHdr.SetChecksum(^ipHdr.CalculateChecksum())
 	return nil

tun.go

@@ -25,8 +25,10 @@ type Handler interface {
 type Tun interface {
 	io.ReadWriter
 	N.VectorisedWriter
+	Name() (string, error)
 	Start() error
 	Close() error
+	UpdateRouteOptions(tunOptions Options) error
 }
 
 type WinTun interface {
@@ -102,10 +104,12 @@ func (o *Options) Inet4GatewayAddr() netip.Addr {
 		case "darwin":
 			return o.Inet4Address[0].Addr()
 		default:
-			if HasNextAddress(o.Inet4Address[0], 1) {
-				return o.Inet4Address[0].Addr().Next()
-			} else {
-				return o.Inet4Address[0].Addr()
+			if !o.InterfaceScope {
+				if HasNextAddress(o.Inet4Address[0], 1) {
+					return o.Inet4Address[0].Addr().Next()
+				} else {
+					return o.Inet4Address[0].Addr()
+				}
 			}
 		}
 	}
@@ -126,10 +130,12 @@ func (o *Options) Inet6GatewayAddr() netip.Addr {
 		case "darwin":
 			return o.Inet6Address[0].Addr()
 		default:
-			if HasNextAddress(o.Inet6Address[0], 1) {
-				return o.Inet6Address[0].Addr().Next()
-			} else {
-				return o.Inet6Address[0].Addr()
+			if !o.InterfaceScope {
+				if HasNextAddress(o.Inet6Address[0], 1) {
+					return o.Inet6Address[0].Addr().Next()
+				} else {
+					return o.Inet6Address[0].Addr()
+				}
 			}
 		}
 	}

tun_darwin.go

@@ -29,7 +29,15 @@ type NativeTun struct {
 	options      Options
 	inet4Address [4]byte
 	inet6Address [16]byte
-	routerSet    bool
+	routeSet     bool
+}
+
+func (t *NativeTun) Name() (string, error) {
+	return unix.GetsockoptString(
+		int(t.tunFile.Fd()),
+		2, /* #define SYSPROTO_CONTROL 2 */
+		2, /* #define UTUN_OPT_IFNAME 2 */
+	)
 }
 
 func New(options Options) (Tun, error) {
@@ -250,53 +258,63 @@ func configure(tunFd int, ifIndex int, name string, options Options) error {
 	return nil
 }
 
-func (t *NativeTun) setRoutes() error {
-	if t.options.AutoRoute && t.options.FileDescriptor == 0 {
+func (t *NativeTun) UpdateRouteOptions(tunOptions Options) error {
+	err := t.unsetRoutes()
+	if err != nil {
+		return err
+	}
+	t.options = tunOptions
+	return t.setRoutes()
+}
 
+func (t *NativeTun) setRoutes() error {
+	if t.options.FileDescriptor == 0 {
 		routeRanges, err := t.options.BuildAutoRouteRanges(false)
 		if err != nil {
 			return err
 		}
-		gateway4, gateway6 := t.options.Inet4GatewayAddr(), t.options.Inet6GatewayAddr()
-		for _, destination := range routeRanges {
-			var gateway netip.Addr
-			if destination.Addr().Is4() {
-				gateway = gateway4
-			} else {
-				gateway = gateway6
-			}
-			var interfaceIndex int
-			if t.options.InterfaceScope {
-				iff, err := t.options.InterfaceFinder.ByName(t.options.Name)
-				if err != nil {
-					return err
-				}
-				interfaceIndex = iff.Index
-			}
-			err = execRoute(unix.RTM_ADD, t.options.InterfaceScope, interfaceIndex, destination, gateway)
-			if err != nil {
-				if errors.Is(err, unix.EEXIST) {
-					err = execRoute(unix.RTM_DELETE, false, 0, destination, gateway)
-					if err != nil {
-						return E.Cause(err, "remove existing route: ", destination)
-					}
-					err = execRoute(unix.RTM_ADD, t.options.InterfaceScope, interfaceIndex, destination, gateway)
-					if err != nil {
-						return E.Cause(err, "re-add route: ", destination)
-					}
+		if len(routeRanges) > 0 {
+			gateway4, gateway6 := t.options.Inet4GatewayAddr(), t.options.Inet6GatewayAddr()
+			for _, destination := range routeRanges {
+				var gateway netip.Addr
+				if destination.Addr().Is4() {
+					gateway = gateway4
 				} else {
-					return E.Cause(err, "add route: ", destination)
+					gateway = gateway6
+				}
+				var interfaceIndex int
+				if t.options.InterfaceScope {
+					iff, err := t.options.InterfaceFinder.ByName(t.options.Name)
+					if err != nil {
+						return err
+					}
+					interfaceIndex = iff.Index
+				}
+				err = execRoute(unix.RTM_ADD, t.options.InterfaceScope, interfaceIndex, destination, gateway)
+				if err != nil {
+					if errors.Is(err, unix.EEXIST) {
+						err = execRoute(unix.RTM_DELETE, false, 0, destination, gateway)
+						if err != nil {
+							return E.Cause(err, "remove existing route: ", destination)
+						}
+						err = execRoute(unix.RTM_ADD, t.options.InterfaceScope, interfaceIndex, destination, gateway)
+						if err != nil {
+							return E.Cause(err, "re-add route: ", destination)
+						}
+					} else {
+						return E.Cause(err, "add route: ", destination)
+					}
 				}
 			}
+			flushDNSCache()
+			t.routeSet = true
 		}
-		flushDNSCache()
-		t.routerSet = true
 	}
 	return nil
 }
 
 func (t *NativeTun) unsetRoutes() error {
-	if !t.routerSet {
+	if !t.routeSet {
 		return nil
 	}
 	routeRanges, err := t.options.BuildAutoRouteRanges(false)

tun_linux.go

@@ -85,11 +85,244 @@ func New(options Options) (Tun, error) {
 	return nativeTun, nil
 }
 
-func (t *NativeTun) FrontHeadroom() int {
-	if t.vnetHdr {
-		return virtioNetHdrLen
+var controlPath string
+
+func init() {
+	const defaultTunPath = "/dev/net/tun"
+	const androidTunPath = "/dev/tun"
+	if rw.IsFile(androidTunPath) {
+		controlPath = androidTunPath
+	} else {
+		controlPath = defaultTunPath
 	}
-	return 0
+}
+
+func open(name string, vnetHdr bool) (int, error) {
+	fd, err := unix.Open(controlPath, unix.O_RDWR, 0)
+	if err != nil {
+		return -1, err
+	}
+	ifr, err := unix.NewIfreq(name)
+	if err != nil {
+		unix.Close(fd)
+		return 0, err
+	}
+	flags := unix.IFF_TUN | unix.IFF_NO_PI
+	if vnetHdr {
+		flags |= unix.IFF_VNET_HDR
+	}
+	ifr.SetUint16(uint16(flags))
+	err = unix.IoctlIfreq(fd, unix.TUNSETIFF, ifr)
+	if err != nil {
+		unix.Close(fd)
+		return 0, err
+	}
+	err = unix.SetNonblock(fd, true)
+	if err != nil {
+		unix.Close(fd)
+		return 0, err
+	}
+	return fd, nil
+}
+
+func (t *NativeTun) configure(tunLink netlink.Link) error {
+	err := netlink.LinkSetMTU(tunLink, int(t.options.MTU))
+	if errors.Is(err, unix.EPERM) {
+		return nil
+	} else if err != nil {
+		return err
+	}
+
+	if len(t.options.Inet4Address) > 0 {
+		for _, address := range t.options.Inet4Address {
+			addr4, _ := netlink.ParseAddr(address.String())
+			err = netlink.AddrAdd(tunLink, addr4)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	if len(t.options.Inet6Address) > 0 {
+		for _, address := range t.options.Inet6Address {
+			addr6, _ := netlink.ParseAddr(address.String())
+			err = netlink.AddrAdd(tunLink, addr6)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	if t.options.GSO {
+		err = t.enableGSO()
+		if err != nil {
+			t.options.Logger.Warn(err)
+		}
+	}
+
+	var rxChecksumOffload bool
+	rxChecksumOffload, err = checkChecksumOffload(t.options.Name, unix.ETHTOOL_GRXCSUM)
+	if err == nil && !rxChecksumOffload {
+		_ = setChecksumOffload(t.options.Name, unix.ETHTOOL_SRXCSUM)
+	}
+
+	if t.options._TXChecksumOffload {
+		var txChecksumOffload bool
+		txChecksumOffload, err = checkChecksumOffload(t.options.Name, unix.ETHTOOL_GTXCSUM)
+		if err != nil {
+			return err
+		}
+		if !txChecksumOffload {
+			err = setChecksumOffload(t.options.Name, unix.ETHTOOL_STXCSUM)
+			if err != nil {
+				return err
+			}
+		}
+		t.txChecksumOffload = true
+	}
+
+	return nil
+}
+
+func (t *NativeTun) enableGSO() error {
+	vnetHdrEnabled, err := checkVNETHDREnabled(t.tunFd, t.options.Name)
+	if err != nil {
+		return E.Cause(err, "enable offload: check IFF_VNET_HDR enabled")
+	}
+	if !vnetHdrEnabled {
+		return E.Cause(err, "enable offload: IFF_VNET_HDR not enabled")
+	}
+	err = setTCPOffload(t.tunFd)
+	if err != nil {
+		return E.Cause(err, "enable TCP offload")
+	}
+	t.vnetHdr = true
+	t.writeBuffer = make([]byte, virtioNetHdrLen+int(gsoMaxSize))
+	t.tcpGROTable = newTCPGROTable()
+	t.udpGROTable = newUDPGROTable()
+	err = setUDPOffload(t.tunFd)
+	if err != nil {
+		t.gro.disableUDPGRO()
+	}
+	return nil
+}
+
+func (t *NativeTun) probeTCPGRO() error {
+	ipPort := netip.AddrPortFrom(t.options.Inet4Address[0].Addr(), 0)
+	fingerprint := []byte("sing-tun-probe-tun-gro")
+	segmentSize := len(fingerprint)
+	iphLen := 20
+	tcphLen := 20
+	totalLen := iphLen + tcphLen + segmentSize
+	bufs := make([][]byte, 2)
+	for i := range bufs {
+		bufs[i] = make([]byte, virtioNetHdrLen+totalLen, virtioNetHdrLen+(totalLen*2))
+		ipv4H := header.IPv4(bufs[i][virtioNetHdrLen:])
+		ipv4H.Encode(&header.IPv4Fields{
+			SrcAddr:  ipPort.Addr(),
+			DstAddr:  ipPort.Addr(),
+			Protocol: unix.IPPROTO_TCP,
+			// Use a zero value TTL as best effort means to reduce chance of
+			// probe packet leaking further than it needs to.
+			TTL:         0,
+			TotalLength: uint16(totalLen),
+		})
+		tcpH := header.TCP(bufs[i][virtioNetHdrLen+iphLen:])
+		tcpH.Encode(&header.TCPFields{
+			SrcPort:    ipPort.Port(),
+			DstPort:    ipPort.Port(),
+			SeqNum:     1 + uint32(i*segmentSize),
+			AckNum:     1,
+			DataOffset: 20,
+			Flags:      header.TCPFlagAck,
+			WindowSize: 3000,
+		})
+		copy(bufs[i][virtioNetHdrLen+iphLen+tcphLen:], fingerprint)
+		ipv4H.SetChecksum(^ipv4H.CalculateChecksum())
+		pseudoCsum := header.PseudoHeaderChecksum(unix.IPPROTO_TCP, ipv4H.SourceAddressSlice(), ipv4H.DestinationAddressSlice(), uint16(tcphLen+segmentSize))
+		pseudoCsum = checksum.Checksum(bufs[i][virtioNetHdrLen+iphLen+tcphLen:], pseudoCsum)
+		tcpH.SetChecksum(^tcpH.CalculateChecksum(pseudoCsum))
+	}
+	_, err := t.BatchWrite(bufs, virtioNetHdrLen)
+	return err
+}
+
+func (t *NativeTun) Name() (string, error) {
+	var ifr [unix.IFNAMSIZ + 64]byte
+	_, _, errno := unix.Syscall(
+		unix.SYS_IOCTL,
+		uintptr(t.tunFd),
+		uintptr(unix.TUNGETIFF),
+		uintptr(unsafe.Pointer(&ifr[0])),
+	)
+	if errno != 0 {
+		return "", os.NewSyscallError("ioctl TUNGETIFF", errno)
+	}
+	return unix.ByteSliceToString(ifr[:]), nil
+}
+
+func (t *NativeTun) Start() error {
+	if t.options.FileDescriptor != 0 {
+		return nil
+	}
+
+	tunLink, err := netlink.LinkByName(t.options.Name)
+	if err != nil {
+		return err
+	}
+
+	err = netlink.LinkSetUp(tunLink)
+	if err != nil {
+		return err
+	}
+
+	if t.vnetHdr && len(t.options.Inet4Address) > 0 {
+		err = t.probeTCPGRO()
+		if err != nil {
+			t.gro.disableTCPGRO()
+			t.gro.disableUDPGRO()
+			t.options.Logger.Warn(E.Cause(err, "disabled TUN TCP & UDP GRO due to GRO probe error"))
+		}
+	}
+
+	if t.options.IPRoute2TableIndex == 0 {
+		for {
+			t.options.IPRoute2TableIndex = int(rand.Uint32())
+			routeList, fErr := netlink.RouteListFiltered(netlink.FAMILY_ALL, &netlink.Route{Table: t.options.IPRoute2TableIndex}, netlink.RT_FILTER_TABLE)
+			if len(routeList) == 0 || fErr != nil {
+				break
+			}
+		}
+	}
+
+	err = t.setRoute(tunLink)
+	if err != nil {
+		_ = t.unsetRoute0(tunLink)
+		return err
+	}
+
+	err = t.unsetRules()
+	if err != nil {
+		return E.Cause(err, "cleanup rules")
+	}
+	err = t.setRules()
+	if err != nil {
+		_ = t.unsetRules()
+		return err
+	}
+
+	t.setSearchDomainForSystemdResolved()
+
+	if t.options.AutoRoute && runtime.GOOS == "android" {
+		t.interfaceCallback = t.options.InterfaceMonitor.RegisterCallback(t.routeUpdate)
+	}
+	return nil
+}
+
+func (t *NativeTun) Close() error {
+	if t.interfaceCallback != nil {
+		t.options.InterfaceMonitor.UnregisterCallback(t.interfaceCallback)
+	}
+	return E.Errors(t.unsetRoute(), t.unsetRules(), common.Close(common.PtrOrNil(t.tunFile)))
 }
 
 func (t *NativeTun) Read(p []byte) (n int, err error) {
@@ -183,6 +416,13 @@ func (t *NativeTun) WriteVectorised(buffers []*buf.Buffer) error {
 	}
 }
 
+func (t *NativeTun) FrontHeadroom() int {
+	if t.vnetHdr {
+		return virtioNetHdrLen
+	}
+	return 0
+}
+
 func (t *NativeTun) BatchSize() int {
 	if !t.vnetHdr {
 		return 1
@@ -196,46 +436,6 @@ func (t *NativeTun) BatchSize() int {
 	return idealBatchSize
 }
 
-func (t *NativeTun) probeTCPGRO() error {
-	ipPort := netip.AddrPortFrom(t.options.Inet4Address[0].Addr(), 0)
-	fingerprint := []byte("sing-tun-probe-tun-gro")
-	segmentSize := len(fingerprint)
-	iphLen := 20
-	tcphLen := 20
-	totalLen := iphLen + tcphLen + segmentSize
-	bufs := make([][]byte, 2)
-	for i := range bufs {
-		bufs[i] = make([]byte, virtioNetHdrLen+totalLen, virtioNetHdrLen+(totalLen*2))
-		ipv4H := header.IPv4(bufs[i][virtioNetHdrLen:])
-		ipv4H.Encode(&header.IPv4Fields{
-			SrcAddr:  ipPort.Addr(),
-			DstAddr:  ipPort.Addr(),
-			Protocol: unix.IPPROTO_TCP,
-			// Use a zero value TTL as best effort means to reduce chance of
-			// probe packet leaking further than it needs to.
-			TTL:         0,
-			TotalLength: uint16(totalLen),
-		})
-		tcpH := header.TCP(bufs[i][virtioNetHdrLen+iphLen:])
-		tcpH.Encode(&header.TCPFields{
-			SrcPort:    ipPort.Port(),
-			DstPort:    ipPort.Port(),
-			SeqNum:     1 + uint32(i*segmentSize),
-			AckNum:     1,
-			DataOffset: 20,
-			Flags:      header.TCPFlagAck,
-			WindowSize: 3000,
-		})
-		copy(bufs[i][virtioNetHdrLen+iphLen+tcphLen:], fingerprint)
-		ipv4H.SetChecksum(^ipv4H.CalculateChecksum())
-		pseudoCsum := header.PseudoHeaderChecksum(unix.IPPROTO_TCP, ipv4H.SourceAddressSlice(), ipv4H.DestinationAddressSlice(), uint16(tcphLen+segmentSize))
-		pseudoCsum = checksum.Checksum(bufs[i][virtioNetHdrLen+iphLen+tcphLen:], pseudoCsum)
-		tcpH.SetChecksum(^tcpH.CalculateChecksum(pseudoCsum))
-	}
-	_, err := t.BatchWrite(bufs, virtioNetHdrLen)
-	return err
-}
-
 func (t *NativeTun) BatchRead(buffers [][]byte, offset int, readN []int) (n int, err error) {
 	t.readAccess.Lock()
 	defer t.readAccess.Unlock()
@@ -283,196 +483,6 @@ func (t *NativeTun) BatchWrite(buffers [][]byte, offset int) (int, error) {
 	return total, errs
 }
 
-var controlPath string
-
-func init() {
-	const defaultTunPath = "/dev/net/tun"
-	const androidTunPath = "/dev/tun"
-	if rw.IsFile(androidTunPath) {
-		controlPath = androidTunPath
-	} else {
-		controlPath = defaultTunPath
-	}
-}
-
-func open(name string, vnetHdr bool) (int, error) {
-	fd, err := unix.Open(controlPath, unix.O_RDWR, 0)
-	if err != nil {
-		return -1, err
-	}
-
-	var ifr struct {
-		name  [16]byte
-		flags uint16
-		_     [22]byte
-	}
-
-	copy(ifr.name[:], name)
-	ifr.flags = unix.IFF_TUN | unix.IFF_NO_PI
-	if vnetHdr {
-		ifr.flags |= unix.IFF_VNET_HDR
-	}
-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), unix.TUNSETIFF, uintptr(unsafe.Pointer(&ifr)))
-	if errno != 0 {
-		unix.Close(fd)
-		return -1, errno
-	}
-
-	if err = unix.SetNonblock(fd, true); err != nil {
-		unix.Close(fd)
-		return -1, err
-	}
-
-	return fd, nil
-}
-
-func (t *NativeTun) configure(tunLink netlink.Link) error {
-	err := netlink.LinkSetMTU(tunLink, int(t.options.MTU))
-	if errors.Is(err, unix.EPERM) {
-		return nil
-	} else if err != nil {
-		return err
-	}
-
-	if len(t.options.Inet4Address) > 0 {
-		for _, address := range t.options.Inet4Address {
-			addr4, _ := netlink.ParseAddr(address.String())
-			err = netlink.AddrAdd(tunLink, addr4)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	if len(t.options.Inet6Address) > 0 {
-		for _, address := range t.options.Inet6Address {
-			addr6, _ := netlink.ParseAddr(address.String())
-			err = netlink.AddrAdd(tunLink, addr6)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	if t.options.GSO {
-		err = t.enableGSO()
-		if err != nil {
-			t.options.Logger.Warn(err)
-		}
-	}
-
-	var rxChecksumOffload bool
-	rxChecksumOffload, err = checkChecksumOffload(t.options.Name, unix.ETHTOOL_GRXCSUM)
-	if err == nil && !rxChecksumOffload {
-		_ = setChecksumOffload(t.options.Name, unix.ETHTOOL_SRXCSUM)
-	}
-
-	if t.options._TXChecksumOffload {
-		var txChecksumOffload bool
-		txChecksumOffload, err = checkChecksumOffload(t.options.Name, unix.ETHTOOL_GTXCSUM)
-		if err != nil {
-			return err
-		}
-		if !txChecksumOffload {
-			err = setChecksumOffload(t.options.Name, unix.ETHTOOL_STXCSUM)
-			if err != nil {
-				return err
-			}
-		}
-		t.txChecksumOffload = true
-	}
-
-	return nil
-}
-
-func (t *NativeTun) enableGSO() error {
-	vnetHdrEnabled, err := checkVNETHDREnabled(t.tunFd, t.options.Name)
-	if err != nil {
-		return E.Cause(err, "enable offload: check IFF_VNET_HDR enabled")
-	}
-	if !vnetHdrEnabled {
-		return E.Cause(err, "enable offload: IFF_VNET_HDR not enabled")
-	}
-	err = setTCPOffload(t.tunFd)
-	if err != nil {
-		return E.Cause(err, "enable TCP offload")
-	}
-	t.vnetHdr = true
-	t.writeBuffer = make([]byte, virtioNetHdrLen+int(gsoMaxSize))
-	t.tcpGROTable = newTCPGROTable()
-	t.udpGROTable = newUDPGROTable()
-	err = setUDPOffload(t.tunFd)
-	if err != nil {
-		t.gro.disableUDPGRO()
-		return E.Cause(err, "enable UDP offload")
-	}
-	return nil
-}
-
-func (t *NativeTun) Start() error {
-	if t.options.FileDescriptor != 0 {
-		return nil
-	}
-
-	tunLink, err := netlink.LinkByName(t.options.Name)
-	if err != nil {
-		return err
-	}
-
-	err = netlink.LinkSetUp(tunLink)
-	if err != nil {
-		return err
-	}
-
-	if t.vnetHdr && len(t.options.Inet4Address) > 0 {
-		err = t.probeTCPGRO()
-		if err != nil {
-			t.gro.disableTCPGRO()
-			t.gro.disableUDPGRO()
-			t.options.Logger.Warn(E.Cause(err, "disabled TUN TCP & UDP GRO due to GRO probe error"))
-		}
-	}
-
-	if t.options.IPRoute2TableIndex == 0 {
-		for {
-			t.options.IPRoute2TableIndex = int(rand.Uint32())
-			routeList, fErr := netlink.RouteListFiltered(netlink.FAMILY_ALL, &netlink.Route{Table: t.options.IPRoute2TableIndex}, netlink.RT_FILTER_TABLE)
-			if len(routeList) == 0 || fErr != nil {
-				break
-			}
-		}
-	}
-
-	err = t.setRoute(tunLink)
-	if err != nil {
-		_ = t.unsetRoute0(tunLink)
-		return err
-	}
-
-	err = t.unsetRules()
-	if err != nil {
-		return E.Cause(err, "cleanup rules")
-	}
-	err = t.setRules()
-	if err != nil {
-		_ = t.unsetRules()
-		return err
-	}
-
-	t.setSearchDomainForSystemdResolved()
-
-	if t.options.AutoRoute && runtime.GOOS == "android" {
-		t.interfaceCallback = t.options.InterfaceMonitor.RegisterCallback(t.routeUpdate)
-	}
-	return nil
-}
-
-func (t *NativeTun) Close() error {
-	if t.interfaceCallback != nil {
-		t.options.InterfaceMonitor.UnregisterCallback(t.interfaceCallback)
-	}
-	return E.Errors(t.unsetRoute(), t.unsetRules(), common.Close(common.PtrOrNil(t.tunFile)))
-}
-
 func (t *NativeTun) TXChecksumOffload() bool {
 	return t.txChecksumOffload
 }
@@ -484,6 +494,25 @@ func prefixToIPNet(prefix netip.Prefix) *net.IPNet {
 	}
 }
 
+func (t *NativeTun) UpdateRouteOptions(tunOptions Options) error {
+	if t.options.FileDescriptor > 0 {
+		return nil
+	} else if !t.options.AutoRoute {
+		t.options = tunOptions
+		return nil
+	}
+	tunLink, err := netlink.LinkByName(t.options.Name)
+	if err != nil {
+		return err
+	}
+	err = t.unsetRoute0(tunLink)
+	if err != nil {
+		return err
+	}
+	t.options = tunOptions
+	return t.setRoute(tunLink)
+}
+
 func (t *NativeTun) routes(tunLink netlink.Link) ([]netlink.Route, error) {
 	routeRanges, err := t.options.BuildAutoRouteRanges(false)
 	if err != nil {

tun_rules.go

@@ -108,7 +108,7 @@ const autoRouteUseSubRanges = runtime.GOOS == "darwin"
 
 func (o *Options) BuildAutoRouteRanges(underNetworkExtension bool) ([]netip.Prefix, error) {
 	var routeRanges []netip.Prefix
-	if o.AutoRoute && len(o.Inet4Address) > 0 {
+	if len(o.Inet4Address) > 0 {
 		var inet4Ranges []netip.Prefix
 		if len(o.Inet4RouteAddress) > 0 {
 			inet4Ranges = o.Inet4RouteAddress
@@ -119,19 +119,27 @@ func (o *Options) BuildAutoRouteRanges(underNetworkExtension bool) ([]netip.Pref
 					}
 				}
 			}
-		} else if autoRouteUseSubRanges && !underNetworkExtension {
-			inet4Ranges = []netip.Prefix{
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 1}), 8),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 2}), 7),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 4}), 6),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 8}), 5),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 16}), 4),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 32}), 3),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 64}), 2),
-				netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 128}), 1),
+		} else if o.AutoRoute {
+			if autoRouteUseSubRanges && !underNetworkExtension {
+				inet4Ranges = []netip.Prefix{
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 1}), 8),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 2}), 7),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 4}), 6),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 8}), 5),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 16}), 4),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 32}), 3),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 64}), 2),
+					netip.PrefixFrom(netip.AddrFrom4([4]byte{0: 128}), 1),
+				}
+			} else {
+				inet4Ranges = []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+			}
+		} else if runtime.GOOS == "darwin" {
+			for _, address := range o.Inet4Address {
+				if address.Bits() < 32 {
+					inet4Ranges = append(inet4Ranges, address.Masked())
+				}
 			}
-		} else {
-			inet4Ranges = []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
 		}
 		if len(o.Inet4RouteExcludeAddress) == 0 {
 			routeRanges = append(routeRanges, inet4Ranges...)
@@ -161,19 +169,27 @@ func (o *Options) BuildAutoRouteRanges(underNetworkExtension bool) ([]netip.Pref
 					}
 				}
 			}
-		} else if autoRouteUseSubRanges && !underNetworkExtension {
-			inet6Ranges = []netip.Prefix{
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 1}), 8),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 2}), 7),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 4}), 6),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 8}), 5),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 16}), 4),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 32}), 3),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 64}), 2),
-				netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 128}), 1),
+		} else if o.AutoRoute {
+			if autoRouteUseSubRanges && !underNetworkExtension {
+				inet6Ranges = []netip.Prefix{
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 1}), 8),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 2}), 7),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 4}), 6),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 8}), 5),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 16}), 4),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 32}), 3),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 64}), 2),
+					netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 128}), 1),
+				}
+			} else {
+				inet6Ranges = []netip.Prefix{netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+			}
+		} else if runtime.GOOS == "darwin" {
+			for _, address := range o.Inet6Address {
+				if address.Bits() < 32 {
+					inet6Ranges = append(inet6Ranges, address.Masked())
+				}
 			}
-		} else {
-			inet6Ranges = []netip.Prefix{netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
 		}
 		if len(o.Inet6RouteExcludeAddress) == 0 {
 			routeRanges = append(routeRanges, inet6Ranges...)

tun_windows.go

@@ -72,7 +72,7 @@ func (t *NativeTun) configure() error {
 		if err != nil {
 			return E.Cause(err, "set ipv4 address")
 		}
-		if !t.options.EXP_DisableDNSHijack {
+		if t.options.AutoRoute && !t.options.EXP_DisableDNSHijack {
 			dnsServers := common.Filter(t.options.DNSServers, netip.Addr.Is4)
 			if len(dnsServers) == 0 && HasNextAddress(t.options.Inet4Address[0], 1) {
 				dnsServers = []netip.Addr{t.options.Inet4Address[0].Addr().Next()}
@@ -83,6 +83,11 @@ func (t *NativeTun) configure() error {
 					return E.Cause(err, "set ipv4 dns")
 				}
 			}
+		} else {
+			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET), nil, nil)
+			if err != nil {
+				return E.Cause(err, "set ipv4 dns")
+			}
 		}
 	}
 	if len(t.options.Inet6Address) > 0 {
@@ -90,7 +95,7 @@ func (t *NativeTun) configure() error {
 		if err != nil {
 			return E.Cause(err, "set ipv6 address")
 		}
-		if !t.options.EXP_DisableDNSHijack {
+		if t.options.AutoRoute && !t.options.EXP_DisableDNSHijack {
 			dnsServers := common.Filter(t.options.DNSServers, netip.Addr.Is6)
 			if len(dnsServers) == 0 && HasNextAddress(t.options.Inet6Address[0], 1) {
 				dnsServers = []netip.Addr{t.options.Inet6Address[0].Addr().Next()}
@@ -101,6 +106,11 @@ func (t *NativeTun) configure() error {
 					return E.Cause(err, "set ipv6 dns")
 				}
 			}
+		} else {
+			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET6), nil, nil)
+			if err != nil {
+				return E.Cause(err, "set ipv6 dns")
+			}
 		}
 	}
 	if len(t.options.Inet4Address) > 0 || len(t.options.Inet6Address) > 0 {
@@ -148,6 +158,10 @@ func (t *NativeTun) configure() error {
 	return nil
 }
 
+func (t *NativeTun) Name() (string, error) {
+	return t.options.Name, nil
+}
+
 func (t *NativeTun) Start() error {
 	if !t.options.AutoRoute {
 		return nil
@@ -158,13 +172,7 @@ func (t *NativeTun) Start() error {
 	if err != nil {
 		return err
 	}
-	for _, routeRange := range routeRanges {
-		if routeRange.Addr().Is4() {
-			err = luid.AddRoute(routeRange, gateway4, 0)
-		} else {
-			err = luid.AddRoute(routeRange, gateway6, 0)
-		}
-	}
+	err = addRouteList(luid, routeRanges, gateway4, gateway6, 0)
 	if err != nil {
 		return err
 	}
@@ -349,7 +357,40 @@ func (t *NativeTun) Start() error {
 }
 
 func (t *NativeTun) Read(p []byte) (n int, err error) {
-	return 0, os.ErrInvalid
+	t.running.Add(1)
+	defer t.running.Done()
+retry:
+	if t.close.Load() == 1 {
+		return 0, os.ErrClosed
+	}
+	start := nanotime()
+	shouldSpin := t.rate.current.Load() >= spinloopRateThreshold && uint64(start-t.rate.nextStartTime.Load()) <= rateMeasurementGranularity*2
+	for {
+		if t.close.Load() == 1 {
+			return 0, os.ErrClosed
+		}
+		var packet []byte
+		packet, err = t.session.ReceivePacket()
+		switch err {
+		case nil:
+			n = copy(p, packet)
+			t.session.ReleaseReceivePacket(packet)
+			t.rate.update(uint64(n))
+			return
+		case windows.ERROR_NO_MORE_ITEMS:
+			if !shouldSpin || uint64(nanotime()-start) >= spinloopDuration {
+				windows.WaitForSingleObject(t.readWait, windows.INFINITE)
+				goto retry
+			}
+			procyield(1)
+			continue
+		case windows.ERROR_HANDLE_EOF:
+			return 0, os.ErrClosed
+		case windows.ERROR_INVALID_DATA:
+			return 0, errors.New("send ring corrupt")
+		}
+		return 0, fmt.Errorf("read failed: %w", err)
+	}
 }
 
 func (t *NativeTun) ReadPacket() ([]byte, func(), error) {
@@ -498,6 +539,63 @@ func (t *NativeTun) Close() error {
 	return err
 }
 
+func (t *NativeTun) UpdateRouteOptions(tunOptions Options) error {
+	t.options = tunOptions
+	if !t.options.AutoRoute {
+		return nil
+	}
+	gateway4, gateway6 := t.options.Inet4GatewayAddr(), t.options.Inet6GatewayAddr()
+	routeRanges, err := t.options.BuildAutoRouteRanges(false)
+	if err != nil {
+		return err
+	}
+	luid := winipcfg.LUID(t.adapter.LUID())
+	err = luid.FlushRoutes(windows.AF_UNSPEC)
+	if err != nil {
+		return err
+	}
+	err = addRouteList(luid, routeRanges, gateway4, gateway6, 0)
+	if err != nil {
+		return err
+	}
+	err = windnsapi.FlushResolverCache()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func addRouteList(luid winipcfg.LUID, destinations []netip.Prefix, gateway4 netip.Addr, gateway6 netip.Addr, metric uint32) error {
+	row := winipcfg.MibIPforwardRow2{}
+	row.Init()
+	row.InterfaceLUID = luid
+	row.Metric = metric
+	nextHop4 := row.NextHop
+	nextHop6 := row.NextHop
+	if gateway4.IsValid() {
+		nextHop4.SetAddr(gateway4)
+	}
+	if gateway6.IsValid() {
+		nextHop6.SetAddr(gateway6)
+	}
+	for _, destination := range destinations {
+		err := row.DestinationPrefix.SetPrefix(destination)
+		if err != nil {
+			return err
+		}
+		if destination.Addr().Is4() {
+			row.NextHop = nextHop4
+		} else {
+			row.NextHop = nextHop6
+		}
+		err = row.Create()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func generateGUIDByDeviceName(name string) *windows.GUID {
 	hash := md5.New()
 	hash.Write([]byte("wintun"))