Add auto-redirect

Author: nekohasekai

go.mod

@@ -7,14 +7,20 @@ require (
 	github.com/go-ole/go-ole v1.3.0
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
 	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba
-	github.com/sagernet/sing v0.4.0
+	github.com/sagernet/nftables v0.3.0-beta.2
+	github.com/sagernet/sing v0.5.0-alpha.7.0.20240601064531-e5caac20a367
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/net v0.25.0
 	golang.org/x/sys v0.20.0
 )
 
 require (
 	github.com/google/btree v1.1.2 // indirect
-	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
+	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 )

go.sum

@@ -5,21 +5,32 @@ github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/sing v0.4.0 h1:sCLSqLHOptgFvzQO9FfaYMl4PONePZkclMznpeKhdHc=
-github.com/sagernet/sing v0.4.0/go.mod h1:Xh4KO9nGdvm4K/LVg9Xn9jSxJdqe9KcXbAzNC1S2qfw=
+github.com/sagernet/nftables v0.3.0-beta.2 h1:yKqMl4Dpb6nKxAmlE6fXjJRlLO2c1f2wyNFBg4hBr8w=
+github.com/sagernet/nftables v0.3.0-beta.2/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
+github.com/sagernet/sing v0.5.0-alpha.7.0.20240601064531-e5caac20a367 h1:XP/zuP4591/DappwlLDjl7a21QKE6olgkYOGSGx9nf8=
+github.com/sagernet/sing v0.5.0-alpha.7.0.20240601064531-e5caac20a367/go.mod h1:Xh4KO9nGdvm4K/LVg9Xn9jSxJdqe9KcXbAzNC1S2qfw=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
-github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

redirect.go

@@ -0,0 +1,22 @@
+package tun
+
+import (
+	"context"
+
+	"github.com/sagernet/sing/common/logger"
+)
+
+type AutoRedirect interface {
+	Start() error
+	Close() error
+}
+
+type AutoRedirectOptions struct {
+	TunOptions         *Options
+	Context            context.Context
+	Handler            Handler
+	Logger             logger.Logger
+	TableName          string
+	DisableNFTables    bool
+	CustomRedirectPort func() int
+}

redirect_iptables.go

@@ -0,0 +1,227 @@
+//go:build linux
+
+package tun
+
+import (
+	"net/netip"
+	"os/exec"
+	"strings"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+
+	"golang.org/x/sys/unix"
+)
+
+func (r *autoRedirect) iptablesPathForFamily(family int) string {
+	if family == unix.AF_INET {
+		return r.iptablesPath
+	} else {
+		return r.ip6tablesPath
+	}
+}
+
+func (r *autoRedirect) setupIPTables(family int) error {
+	tableNameOutput := r.tableName + "-output"
+	tableNameForward := r.tableName + "-forward"
+	tableNamePreRouteing := r.tableName + "-prerouting"
+	iptablesPath := r.iptablesPathForFamily(family)
+	redirectPort := r.redirectPort()
+	// OUTPUT
+	err := r.runShell(iptablesPath, "-t nat -N", tableNameOutput)
+	if err != nil {
+		return err
+	}
+	err = r.runShell(iptablesPath, "-t nat -A", tableNameOutput,
+		"-p tcp -o", r.tunOptions.Name,
+		"-j REDIRECT --to-ports", redirectPort)
+	if err != nil {
+		return err
+	}
+	err = r.runShell(iptablesPath, "-t nat -I OUTPUT -j", tableNameOutput)
+	if err != nil {
+		return err
+	}
+	if r.androidSu {
+		return nil
+	}
+	// FORWARD
+	err = r.runShell(iptablesPath, "-N", tableNameForward)
+	if err != nil {
+		return err
+	}
+	err = r.runShell(iptablesPath, "-A", tableNameForward,
+		"-i", r.tunOptions.Name, "-j", "ACCEPT")
+	if err != nil {
+		return err
+	}
+	err = r.runShell(iptablesPath, "-A", tableNameForward,
+		"-o", r.tunOptions.Name, "-j", "ACCEPT")
+	if err != nil {
+		return err
+	}
+	err = r.runShell(iptablesPath, "-I FORWARD -j", tableNameForward)
+	if err != nil {
+		return err
+	}
+	// PREROUTING
+	err = r.runShell(iptablesPath, "-t nat -N", tableNamePreRouteing)
+	if err != nil {
+		return err
+	}
+	var (
+		routeAddress        []netip.Prefix
+		routeExcludeAddress []netip.Prefix
+	)
+	if family == unix.AF_INET {
+		routeAddress = r.tunOptions.Inet4RouteAddress
+		routeExcludeAddress = r.tunOptions.Inet4RouteExcludeAddress
+	} else {
+		routeAddress = r.tunOptions.Inet6RouteAddress
+		routeExcludeAddress = r.tunOptions.Inet6RouteExcludeAddress
+	}
+	if len(routeAddress) > 0 && (len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0) {
+		return E.New("`*_route_address` is conflict with `include_interface` or `include_uid`")
+	}
+	err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+		"-i", r.tunOptions.Name, "-j RETURN")
+	if err != nil {
+		return err
+	}
+	for _, address := range routeExcludeAddress {
+		err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+			"-d", address.String(), "-j RETURN")
+		if err != nil {
+			return err
+		}
+	}
+	for _, name := range r.tunOptions.ExcludeInterface {
+		err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+			"-i", name, "-j RETURN")
+		if err != nil {
+			return err
+		}
+	}
+	for _, uid := range r.tunOptions.ExcludeUID {
+		err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+			"-m owner --uid-owner", uid, "-j RETURN")
+		if err != nil {
+			return err
+		}
+	}
+	var dnsServerAddress netip.Addr
+	if family == unix.AF_INET {
+		dnsServerAddress = r.tunOptions.Inet4Address[0].Addr().Next()
+	} else {
+		dnsServerAddress = r.tunOptions.Inet6Address[0].Addr().Next()
+	}
+	if len(routeAddress) > 0 {
+		for _, address := range routeAddress {
+			err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+				"-d", address.String(), "-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+			if err != nil {
+				return err
+			}
+		}
+	} else if len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0 {
+		for _, name := range r.tunOptions.IncludeInterface {
+			err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+				"-i", name, "-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+			if err != nil {
+				return err
+			}
+		}
+		for _, uidRange := range r.tunOptions.IncludeUID {
+			for uid := uidRange.Start; uid <= uidRange.End; uid++ {
+				err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+					"-m owner --uid-owner", uid, "-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+			"-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+		if err != nil {
+			return err
+		}
+	}
+
+	err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing, "-m addrtype --dst-type LOCAL -j RETURN")
+	if err != nil {
+		return err
+	}
+
+	if len(routeAddress) > 0 {
+		for _, address := range routeAddress {
+			err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+				"-d", address.String(), "-p tcp -j REDIRECT --to-ports", redirectPort)
+			if err != nil {
+				return err
+			}
+		}
+	} else if len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0 {
+		for _, name := range r.tunOptions.IncludeInterface {
+			err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+				"-i", name, "-p tcp -j REDIRECT --to-ports", redirectPort)
+			if err != nil {
+				return err
+			}
+		}
+		for _, uidRange := range r.tunOptions.IncludeUID {
+			for uid := uidRange.Start; uid <= uidRange.End; uid++ {
+				err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+					"-m owner --uid-owner", uid, "-p tcp -j REDIRECT --to-ports", redirectPort)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
+			"-p tcp -j REDIRECT --to-ports", redirectPort)
+		if err != nil {
+			return err
+		}
+	}
+	err = r.runShell(iptablesPath, "-t nat -I PREROUTING -j", tableNamePreRouteing)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *autoRedirect) cleanupIPTables(family int) {
+	tableNameOutput := r.tableName + "-output"
+	tableNameForward := r.tableName + "-forward"
+	tableNamePreRouteing := r.tableName + "-prerouting"
+	iptablesPath := r.iptablesPathForFamily(family)
+	_ = r.runShell(iptablesPath, "-t nat -D OUTPUT -j", tableNameOutput)
+	_ = r.runShell(iptablesPath, "-t nat -F", tableNameOutput)
+	_ = r.runShell(iptablesPath, "-t nat -X", tableNameOutput)
+	if !r.androidSu {
+		_ = r.runShell(iptablesPath, "-D FORWARD -j", tableNameForward)
+		_ = r.runShell(iptablesPath, "-F", tableNameForward)
+		_ = r.runShell(iptablesPath, "-X", tableNameForward)
+		_ = r.runShell(iptablesPath, "-t nat -D PREROUTING -j", tableNamePreRouteing)
+		_ = r.runShell(iptablesPath, "-t nat -F", tableNamePreRouteing)
+		_ = r.runShell(iptablesPath, "-t nat -X", tableNamePreRouteing)
+	}
+}
+
+func (r *autoRedirect) runShell(commands ...any) error {
+	commandStr := strings.Join(F.MapToString(commands), " ")
+	var command *exec.Cmd
+	if r.androidSu {
+		command = exec.Command(r.suPath, "-c", commandStr)
+	} else {
+		commandArray := strings.Split(commandStr, " ")
+		command = exec.Command(commandArray[0], commandArray[1:]...)
+	}
+	combinedOutput, err := command.CombinedOutput()
+	if err != nil {
+		return E.Extend(err, F.ToString(commandStr, ": ", string(combinedOutput)))
+	}
+	return nil
+}