From b039627972884f6165939f643f373dc752b2c299 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Thu, 30 May 2024 22:25:26 +0800 Subject: [PATCH] Improve iproute2 rules --- tun_linux.go | 107 ++++++++++++++++++++++++++------------------------- 1 file changed, 55 insertions(+), 52 deletions(-) diff --git a/tun_linux.go b/tun_linux.go index 886b32b..1ce7cef 100644 --- a/tun_linux.go +++ b/tun_linux.go @@ -499,7 +499,6 @@ func (t *NativeTun) rules() []*netlink.Rule { it.IifName = excludeInterface it.Goto = nopPriority it.Family = unix.AF_INET - rules = append(rules, it) priority++ } if p6 { @@ -516,7 +515,7 @@ func (t *NativeTun) rules() []*netlink.Rule { if runtime.GOOS == "android" && t.options.InterfaceMonitor.AndroidVPNEnabled() { const protectedFromVPN = 0x20000 - if p4 || t.options.StrictRoute { + if p4 { it = netlink.NewRule() if t.options.InterfaceMonitor.OverrideAndroidVPN() { it.Mark = protectedFromVPN @@ -528,7 +527,7 @@ func (t *NativeTun) rules() []*netlink.Rule { rules = append(rules, it) priority++ } - if p6 || t.options.StrictRoute { + if p6 { it = netlink.NewRule() if t.options.InterfaceMonitor.OverrideAndroidVPN() { it.Mark = protectedFromVPN @@ -627,74 +626,78 @@ func (t *NativeTun) rules() []*netlink.Rule { priority6++ } } - if p4 { - if t.options.StrictRoute { - it = netlink.NewRule() - it.Priority = priority - it.Table = t.options.TableIndex - it.Family = unix.AF_INET - rules = append(rules, it) - } else { - it = netlink.NewRule() - it.Priority = priority - it.Invert = true - it.IifName = "lo" - it.Table = t.options.TableIndex - it.Family = unix.AF_INET - rules = append(rules, it) + it = netlink.NewRule() + it.Priority = priority + it.IifName = t.options.Name + it.Goto = nopPriority + it.Family = unix.AF_INET + rules = append(rules, it) + priority++ + + it = netlink.NewRule() + it.Priority = priority + it.Invert = true + it.IifName = "lo" + it.Table = t.options.TableIndex + it.Family = unix.AF_INET + rules = append(rules, it) + it = netlink.NewRule() + it.Priority = priority + it.IifName = "lo" + it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32) + it.Table = t.options.TableIndex + it.Family = unix.AF_INET + rules = append(rules, it) + + for _, address := range t.options.Inet4Address { it = netlink.NewRule() it.Priority = priority it.IifName = "lo" - it.Src = netip.PrefixFrom(netip.IPv4Unspecified(), 32) + it.Src = address.Masked() it.Table = t.options.TableIndex it.Family = unix.AF_INET rules = append(rules, it) - - for _, address := range t.options.Inet4Address { - it = netlink.NewRule() - it.Priority = priority - it.IifName = "lo" - it.Src = address.Masked() - it.Table = t.options.TableIndex - it.Family = unix.AF_INET - rules = append(rules, it) - } } priority++ } if p6 { - if !t.options.StrictRoute { - for _, address := range t.options.Inet6Address { - it = netlink.NewRule() - it.Priority = priority6 - it.IifName = "lo" - it.Src = address.Masked() - it.Table = t.options.TableIndex - it.Family = unix.AF_INET6 - rules = append(rules, it) - } - priority6++ - + for _, address := range t.options.Inet6Address { it = netlink.NewRule() it.Priority = priority6 it.IifName = "lo" - it.Src = netip.PrefixFrom(netip.IPv6Unspecified(), 1) - it.Goto = nopPriority + it.Src = address.Masked() + it.Table = t.options.TableIndex it.Family = unix.AF_INET6 rules = append(rules, it) + } + priority6++ - it = netlink.NewRule() - it.Priority = priority6 - it.IifName = "lo" - it.Src = netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 128}), 1) - it.Goto = nopPriority - it.Family = unix.AF_INET6 - rules = append(rules, it) + it = netlink.NewRule() + it.Priority = priority6 + it.IifName = t.options.Name + it.Goto = nopPriority + it.Family = unix.AF_INET6 + rules = append(rules, it) - priority6++ - } + it = netlink.NewRule() + it.Priority = priority6 + it.IifName = "lo" + it.Src = netip.PrefixFrom(netip.IPv6Unspecified(), 1) + it.Goto = nopPriority + it.Family = unix.AF_INET6 + rules = append(rules, it) + + it = netlink.NewRule() + it.Priority = priority6 + it.IifName = "lo" + it.Src = netip.PrefixFrom(netip.AddrFrom16([16]byte{0: 128}), 1) + it.Goto = nopPriority + it.Family = unix.AF_INET6 + rules = append(rules, it) + + priority6++ it = netlink.NewRule() it.Priority = priority6