Proxy: TUN: Enhance Darwin interface support.

- reduce number of actions done to create/configure the interface in the system
- assign synthetic static link-local ip address to the interface, that is required by the OS to just be available for routing
- make tun_darwin_endpoint be implemented significantly more similar to tun_windows_enpoint, preparing them for potential unification

Author: Owersun

proxy/tun/README.md

@@ -4,7 +4,7 @@ TUN interface support bridges the gap between network layer 3 and layer 7, intro
 
 This functionality is targeted to assist applications/end devices that don't have proxy support, or can't run external applications (like Smart TV's). Making it possible to run Xray proxy right on network edge devices (routers) with support to route raw network traffic. \
 Primary targets are Linux based router devices. Like most popular OpenWRT option. \
-Although support for Windows is also implemented (see below).
+Although support for Windows/MacOSX is also implemented (see below).
 
 ## PLEASE READ FOLLOWING CAREFULLY
 
@@ -172,3 +172,21 @@ route add 1.1.1.1 mask 255.0.0.0 0.0.0.0 if 47
 Note on ipv6 support. \
 Despite Windows also giving the adapter autoconfigured ipv6 address, the ipv6 is not possible until the interface has any _routable_ ipv6 address (given link-local address will not accept traffic from external addresses). \
 So everything applicable for ipv4 above also works for ipv6, you only need to give the interface some address manually, e.g. anything private like fc00::a:b:c:d/64 will do just fine
+
+## MAC OS X SUPPORT
+
+Darwin (Mac OS X) support of the same functionality is implemented through utun (userspace tunnel).
+
+Interface name in the configuration must comply to the scheme "utunN", where N is some number. \
+Most running OS'es create some amount of utun interfaces in advance for own needs. Please either check the interfaces you already have occupied by issuing following command:
+```
+ifconfig
+```
+Produced list will have all system interfaces listed, from which you will see how many "utun" ones already exists.
+It's not required to select next available number, e.g. if you have utun1-utun7 interfaces, it's not required to have "utun8" in the config. You can choose any available name, even utun20, to get surely available interface number.
+
+To attach routing to the interface, route command like following can be executed:
+```
+sudo route add -net 1.1.1.0/24 -iface utun10
+```
+Important to remember that everything written above about Linux routing concept, also apply to Mac OS X. If you simply route default route through utun interface, that will result network loop and immediate network failure.

proxy/tun/tun_darwin.go

@@ -5,7 +5,10 @@ package tun
 import (
 	"errors"
 	"fmt"
-	"strings"
+	"net"
+	"net/netip"
+	"os"
+	"syscall"
 	"unsafe"
 
 	"golang.org/x/sys/unix"
@@ -14,154 +17,163 @@ import (
 
 const (
 	utunControlName = "com.apple.net.utun_control"
-	utunOptIfName   = 2
 	sysprotoControl = 2
+	gateway         = "169.254.10.1/30"
 )
 
 type DarwinTun struct {
-	tunFd   int
-	name    string
+	tunFile *os.File
 	options TunOptions
 }
 
 var _ Tun = (*DarwinTun)(nil)
 var _ GVisorTun = (*DarwinTun)(nil)
 
 func NewTun(options TunOptions) (Tun, error) {
-	tunFd, name, err := openUTun(options.Name)
+	tunFile, err := open(options.Name)
 	if err != nil {
 		return nil, err
 	}
 
+	err = setup(options.Name, options.MTU)
+	if err != nil {
+		_ = tunFile.Close()
+		return nil, err
+	}
+
 	return &DarwinTun{
-		tunFd:   tunFd,
-		name:    name,
+		tunFile: tunFile,
 		options: options,
 	}, nil
 }
 
 func (t *DarwinTun) Start() error {
-	if t.options.MTU > 0 {
-		if err := setMTU(t.name, int(t.options.MTU)); err != nil {
-			return err
-		}
-	}
-	return setState(t.name, true)
+	return nil
 }
 
 func (t *DarwinTun) Close() error {
-	_ = setState(t.name, false)
-	return unix.Close(t.tunFd)
+	return t.tunFile.Close()
 }
 
 func (t *DarwinTun) newEndpoint() (stack.LinkEndpoint, error) {
-	return newDarwinEndpoint(t.tunFd, t.options.MTU), nil
+	return &DarwinEndpoint{tun: t}, nil
 }
 
-func openUTun(name string) (int, string, error) {
+// open the interface, by creating new utunN if in the system and returning its file descriptor
+func open(name string) (*os.File, error) {
+	ifIndex := -1
+	_, err := fmt.Sscanf(name, "utun%d", &ifIndex)
+	if err != nil || ifIndex < 0 {
+		return nil, errors.New("interface name must be utunN, where N is a number, e.g. utun9, utun11 and so on")
+	}
+
 	fd, err := unix.Socket(unix.AF_SYSTEM, unix.SOCK_DGRAM, sysprotoControl)
 	if err != nil {
-		return -1, "", err
+		return nil, err
 	}
 
 	ctlInfo := &unix.CtlInfo{}
 	copy(ctlInfo.Name[:], utunControlName)
 	if err := unix.IoctlCtlInfo(fd, ctlInfo); err != nil {
 		_ = unix.Close(fd)
-		return -1, "", err
+		return nil, err
 	}
 
 	sockaddr := &unix.SockaddrCtl{
 		ID:   ctlInfo.Id,
-		Unit: parseUTunUnit(name),
+		Unit: uint32(ifIndex) + 1,
 	}
-
 	if err := unix.Connect(fd, sockaddr); err != nil {
 		_ = unix.Close(fd)
-		return -1, "", err
+		return nil, err
 	}
 
 	if err := unix.SetNonblock(fd, true); err != nil {
 		_ = unix.Close(fd)
-		return -1, "", err
-	}
-
-	tunName, err := unix.GetsockoptString(fd, sysprotoControl, utunOptIfName)
-	if err != nil {
-		_ = unix.Close(fd)
-		return -1, "", err
-	}
-
-	tunName = strings.TrimRight(tunName, "\x00")
-	if tunName == "" {
-		_ = unix.Close(fd)
-		return -1, "", errors.New("empty utun name")
+		return nil, err
 	}
 
-	return fd, tunName, nil
+	return os.NewFile(uintptr(fd), name), nil
 }
 
-func parseUTunUnit(name string) uint32 {
-	var unit uint32
-	if _, err := fmt.Sscanf(name, "utun%d", &unit); err != nil {
-		return 0
-	}
-	return unit + 1
-}
-
-type ifreqMTU struct {
-	Name [unix.IFNAMSIZ]byte
-	MTU  int32
-	_    [12]byte
-}
-
-type ifreqFlags struct {
-	Name  [unix.IFNAMSIZ]byte
-	Flags int16
-	_     [14]byte
-}
-
-func setMTU(name string, mtu int) error {
-	if mtu <= 0 {
-		return nil
+// setup the interface by name
+func setup(name string, MTU uint32) error {
+	if err := setMTU(name, MTU); err != nil {
+		return err
 	}
 
-	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
-	if err != nil {
+	/*
+	 * Darwin routing require tunnel type interface to have local and remote address, to be routable.
+	 * To simplify inevitable task, assign the interface static ip address, which in current implementation
+	 * is just some random ip from link-local pool, allowing to not bother about existing routing intersection.
+	 */
+	syntheticIP, _ := netip.ParsePrefix(gateway)
+	if err := setIPAddress(name, syntheticIP); err != nil {
 		return err
 	}
-	defer func() { _ = unix.Close(fd) }()
 
-	ifr := ifreqMTU{MTU: int32(mtu)}
-	copy(ifr.Name[:], name)
-	return ioctlPtr(fd, unix.SIOCSIFMTU, unsafe.Pointer(&ifr))
+	return nil
 }
 
-func setState(name string, up bool) error {
-	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
+// setMTU sets MTU on the interface by given name
+func setMTU(name string, mtu uint32) error {
+	socket, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
 	if err != nil {
 		return err
 	}
-	defer func() { _ = unix.Close(fd) }()
+	defer unix.Close(socket)
 
-	ifr := ifreqFlags{}
+	ifr := unix.IfreqMTU{MTU: int32(mtu)}
 	copy(ifr.Name[:], name)
+	return unix.IoctlSetIfreqMTU(socket, &ifr)
+}
 
-	if err := ioctlPtr(fd, unix.SIOCGIFFLAGS, unsafe.Pointer(&ifr)); err != nil {
+type ifAliasReq struct {
+	Name    [unix.IFNAMSIZ]byte
+	Addr    unix.RawSockaddrInet4
+	Dstaddr unix.RawSockaddrInet4
+	Mask    unix.RawSockaddrInet4
+}
+
+// setIPAddress sets local and remote ends addresses on the tunnel interface
+func setIPAddress(name string, gateway netip.Prefix) error {
+	socket, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
+	if err != nil {
 		return err
 	}
-
-	if up {
-		ifr.Flags |= unix.IFF_UP
-	} else {
-		ifr.Flags &^= unix.IFF_UP
+	defer unix.Close(socket)
+
+	// assume local ip address is next one from the remote address
+	local := gateway.Addr().As4()
+	local[3]++
+	// fill the configuration
+	ifReq := ifAliasReq{
+		Addr: unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   local,
+		},
+		Dstaddr: unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   gateway.Addr().As4(),
+		},
+		Mask: unix.RawSockaddrInet4{
+			Len:    unix.SizeofSockaddrInet4,
+			Family: unix.AF_INET,
+			Addr:   netip.MustParseAddr(net.IP(net.CIDRMask(gateway.Bits(), 32)).String()).As4(),
+		},
+	}
+	copy(ifReq.Name[:], name)
+	if err = ioctlPtr(socket, unix.SIOCAIFADDR, unsafe.Pointer(&ifReq)); err != nil {
+		return os.NewSyscallError("SIOCAIFADDR", err)
 	}
 
-	return ioctlPtr(fd, unix.SIOCSIFFLAGS, unsafe.Pointer(&ifr))
+	return nil
 }
 
 func ioctlPtr(fd int, req uint, arg unsafe.Pointer) error {
-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(arg))
+	_, _, errno := unix.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(arg))
 	if errno != 0 {
 		return errno
 	}