MigrateRepos/OpenGFW
1
0
Fork 0
mirror of https://github.com/apernet/OpenGFW.git synced 2024-11-14 22:39:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: connmark accept/drop config options

Browse Source
This commit is contained in:
Haruue 2024-10-28 10:17:46 +09:00
parent 5f4df7e806
commit 0e97c9f086
No known key found for this signature in database
GPG Key ID: F6083B28CBCBC148
2 changed files with 81 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
cmd/root.go
View File

@ -173,13 +173,16 @@ type cliConfig struct {
} }
type cliConfigIO struct { type cliConfigIO struct {
QueueSize uint32 `mapstructure:"queueSize"` QueueSize uint32 `mapstructure:"queueSize"`
QueueNum *uint16 `mapstructure:"queueNum"` QueueNum *uint16 `mapstructure:"queueNum"`
Table string `mapstructure:"table"` Table string `mapstructure:"table"`
ReadBuffer int `mapstructure:"rcvBuf"` ConnMarkAccept uint32 `mapstructure:"connMarkAccept"`
WriteBuffer int `mapstructure:"sndBuf"` ConnMarkDrop uint32 `mapstructure:"connMarkDrop"`
Local bool `mapstructure:"local"`
RST bool `mapstructure:"rst"` ReadBuffer int `mapstructure:"rcvBuf"`
WriteBuffer int `mapstructure:"sndBuf"`
Local bool `mapstructure:"local"`
RST bool `mapstructure:"rst"`
} }
type cliConfigReplay struct { type cliConfigReplay struct {
@ -218,13 +221,16 @@ func (c *cliConfig) fillIO(config *engine.Config) error {
} else { } else {
// Setup IO for nfqueue // Setup IO for nfqueue
ioImpl, err = io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{ ioImpl, err = io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{
QueueSize: c.IO.QueueSize, QueueSize: c.IO.QueueSize,
QueueNum: c.IO.QueueNum,
Table: c.IO.Table,
ConnMarkAccept: c.IO.ConnMarkAccept,
ConnMarkDrop: c.IO.ConnMarkDrop,
ReadBuffer: c.IO.ReadBuffer, ReadBuffer: c.IO.ReadBuffer,
WriteBuffer: c.IO.WriteBuffer, WriteBuffer: c.IO.WriteBuffer,
Local: c.IO.Local, Local: c.IO.Local,
RST: c.IO.RST, RST: c.IO.RST,
QueueNum: c.IO.QueueNum,
Table: c.IO.Table,
}) })
} }

111
io/nfqueue.go
View File

@ -23,25 +23,24 @@ const (
nfqueueMaxPacketLen = 0xFFFF nfqueueMaxPacketLen = 0xFFFF
nfqueueDefaultQueueSize = 128 nfqueueDefaultQueueSize = 128
nfqueueConnMarkAccept = 1001 nfqueueDefaultConnMarkAccept = 1001
nfqueueConnMarkDrop = 1002
nftFamily = "inet" nftFamily = "inet"
nftDefaultTable = "opengfw" nftDefaultTable = "opengfw"
) )
func generateNftRules(local, rst bool, nfqueueNum int, nftTable string) (*nftTableSpec, error) { func (n *nfqueuePacketIO) generateNftRules() (*nftTableSpec, error) {
if local && rst { if n.local && n.rst {
return nil, errors.New("tcp rst is not supported in local mode") return nil, errors.New("tcp rst is not supported in local mode")
} }
table := &nftTableSpec{ table := &nftTableSpec{
Family: nftFamily, Family: nftFamily,
Table: nftTable, Table: n.table,
} }
table.Defines = append(table.Defines, fmt.Sprintf("define ACCEPT_CTMARK=%d", nfqueueConnMarkAccept)) table.Defines = append(table.Defines, fmt.Sprintf("define ACCEPT_CTMARK=%d", n.connMarkAccept))
table.Defines = append(table.Defines, fmt.Sprintf("define DROP_CTMARK=%d", nfqueueConnMarkDrop)) table.Defines = append(table.Defines, fmt.Sprintf("define DROP_CTMARK=%d", n.connMarkDrop))
table.Defines = append(table.Defines, fmt.Sprintf("define QUEUE_NUM=%d", nfqueueNum)) table.Defines = append(table.Defines, fmt.Sprintf("define QUEUE_NUM=%d", n.queueNum))
if local { if n.local {
table.Chains = []nftChainSpec{ table.Chains = []nftChainSpec{
{Chain: "INPUT", Header: "type filter hook input priority filter; policy accept;"}, {Chain: "INPUT", Header: "type filter hook input priority filter; policy accept;"},
{Chain: "OUTPUT", Header: "type filter hook output priority filter; policy accept;"}, {Chain: "OUTPUT", Header: "type filter hook output priority filter; policy accept;"},
@ -55,7 +54,7 @@ func generateNftRules(local, rst bool, nfqueueNum int, nftTable string) (*nftTab
c := &table.Chains[i] c := &table.Chains[i]
c.Rules = append(c.Rules, "meta mark $ACCEPT_CTMARK ct mark set $ACCEPT_CTMARK") // Bypass protected connections c.Rules = append(c.Rules, "meta mark $ACCEPT_CTMARK ct mark set $ACCEPT_CTMARK") // Bypass protected connections
c.Rules = append(c.Rules, "ct mark $ACCEPT_CTMARK counter accept") c.Rules = append(c.Rules, "ct mark $ACCEPT_CTMARK counter accept")
if rst { if n.rst {
c.Rules = append(c.Rules, "ip protocol tcp ct mark $DROP_CTMARK counter reject with tcp reset") c.Rules = append(c.Rules, "ip protocol tcp ct mark $DROP_CTMARK counter reject with tcp reset")
} }
c.Rules = append(c.Rules, "ct mark $DROP_CTMARK counter drop") c.Rules = append(c.Rules, "ct mark $DROP_CTMARK counter drop")
@ -64,12 +63,12 @@ func generateNftRules(local, rst bool, nfqueueNum int, nftTable string) (*nftTab
return table, nil return table, nil
} }
func generateIptRules(local, rst bool, nfqueueNum int) ([]iptRule, error) { func (n *nfqueuePacketIO) generateIptRules() ([]iptRule, error) {
if local && rst { if n.local && n.rst {
return nil, errors.New("tcp rst is not supported in local mode") return nil, errors.New("tcp rst is not supported in local mode")
} }
var chains []string var chains []string
if local { if n.local {
chains = []string{"INPUT", "OUTPUT"} chains = []string{"INPUT", "OUTPUT"}
} else { } else {
chains = []string{"FORWARD"} chains = []string{"FORWARD"}
@ -77,13 +76,13 @@ func generateIptRules(local, rst bool, nfqueueNum int) ([]iptRule, error) {
rules := make([]iptRule, 0, 4*len(chains)) rules := make([]iptRule, 0, 4*len(chains))
for _, chain := range chains { for _, chain := range chains {
// Bypass protected connections // Bypass protected connections
rules = append(rules, iptRule{"filter", chain, []string{"-m", "mark", "--mark", strconv.Itoa(nfqueueConnMarkAccept), "-j", "CONNMARK", "--set-mark", strconv.Itoa(nfqueueConnMarkAccept)}}) rules = append(rules, iptRule{"filter", chain, []string{"-m", "mark", "--mark", strconv.Itoa(n.connMarkAccept), "-j", "CONNMARK", "--set-mark", strconv.Itoa(n.connMarkAccept)}})
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkAccept), "-j", "ACCEPT"}}) rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(n.connMarkAccept), "-j", "ACCEPT"}})
if rst { if n.rst {
rules = append(rules, iptRule{"filter", chain, []string{"-p", "tcp", "-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkDrop), "-j", "REJECT", "--reject-with", "tcp-reset"}}) rules = append(rules, iptRule{"filter", chain, []string{"-p", "tcp", "-m", "connmark", "--mark", strconv.Itoa(n.connMarkDrop), "-j", "REJECT", "--reject-with", "tcp-reset"}})
} }
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkDrop), "-j", "DROP"}}) rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(n.connMarkDrop), "-j", "DROP"}})
rules = append(rules, iptRule{"filter", chain, []string{"-j", "NFQUEUE", "--queue-num", strconv.Itoa(nfqueueNum), "--queue-bypass"}}) rules = append(rules, iptRule{"filter", chain, []string{"-j", "NFQUEUE", "--queue-num", strconv.Itoa(n.queueNum), "--queue-bypass"}})
} }
return rules, nil return rules, nil
@ -94,12 +93,14 @@ var _ PacketIO = (*nfqueuePacketIO)(nil)
var errNotNFQueuePacket = errors.New("not an NFQueue packet") var errNotNFQueuePacket = errors.New("not an NFQueue packet")
type nfqueuePacketIO struct { type nfqueuePacketIO struct {
n *nfqueue.Nfqueue n *nfqueue.Nfqueue
local bool local bool
rst bool rst bool
rSet bool // whether the nftables/iptables rules have been set rSet bool // whether the nftables/iptables rules have been set
queueNum int queueNum int
table string // nftable name table string // nftable name
connMarkAccept int
connMarkDrop int
// iptables not nil = use iptables instead of nftables // iptables not nil = use iptables instead of nftables
ipt4 *iptables.IPTables ipt4 *iptables.IPTables
@ -109,9 +110,12 @@ type nfqueuePacketIO struct {
} }
type NFQueuePacketIOConfig struct { type NFQueuePacketIOConfig struct {
QueueSize uint32 QueueSize uint32
QueueNum *uint16 QueueNum *uint16
Table string Table string
ConnMarkAccept uint32
ConnMarkDrop uint32
ReadBuffer int ReadBuffer int
WriteBuffer int WriteBuffer int
Local bool Local bool
@ -129,6 +133,19 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
if config.Table == "" { if config.Table == "" {
config.Table = nftDefaultTable config.Table = nftDefaultTable
} }
if config.ConnMarkAccept == 0 {
config.ConnMarkAccept = nfqueueDefaultConnMarkAccept
}
if config.ConnMarkDrop == 0 {
config.ConnMarkDrop = config.ConnMarkAccept + 1
if config.ConnMarkDrop == 0 {
// Overflow
config.ConnMarkDrop = 1
}
}
if config.ConnMarkAccept == config.ConnMarkDrop {
return nil, errors.New("connMarkAccept and connMarkDrop cannot be the same")
}
var ipt4, ipt6 *iptables.IPTables var ipt4, ipt6 *iptables.IPTables
var err error var err error
if nftCheck() != nil { if nftCheck() != nil {
@ -167,18 +184,20 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
} }
} }
return &nfqueuePacketIO{ return &nfqueuePacketIO{
n: n, n: n,
local: config.Local, local: config.Local,
rst: config.RST, rst: config.RST,
queueNum: int(*config.QueueNum), queueNum: int(*config.QueueNum),
table: config.Table, table: config.Table,
ipt4: ipt4, connMarkAccept: int(config.ConnMarkAccept),
ipt6: ipt6, connMarkDrop: int(config.ConnMarkDrop),
ipt4: ipt4,
ipt6: ipt6,
protectedDialer: &net.Dialer{ protectedDialer: &net.Dialer{
Control: func(network, address string, c syscall.RawConn) error { Control: func(network, address string, c syscall.RawConn) error {
var err error var err error
cErr := c.Control(func(fd uintptr) { cErr := c.Control(func(fd uintptr) {
err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, nfqueueConnMarkAccept) err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, int(config.ConnMarkAccept))
}) })
if cErr != nil { if cErr != nil {
return cErr return cErr
@ -225,9 +244,9 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
} }
if !n.rSet { if !n.rSet {
if n.ipt4 != nil { if n.ipt4 != nil {
err = n.setupIpt(n.local, n.rst, false) err = n.setupIpt(false)
} else { } else {
err = n.setupNft(n.local, n.rst, false) err = n.setupNft(false)
} }
if err != nil { if err != nil {
return err return err
@ -267,11 +286,11 @@ func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) erro
case VerdictAcceptModify: case VerdictAcceptModify:
return n.n.SetVerdictModPacket(nP.id, nfqueue.NfAccept, newPacket) return n.n.SetVerdictModPacket(nP.id, nfqueue.NfAccept, newPacket)
case VerdictAcceptStream: case VerdictAcceptStream:
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfAccept, nfqueueConnMarkAccept) return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfAccept, n.connMarkAccept)
case VerdictDrop: case VerdictDrop:
return n.n.SetVerdict(nP.id, nfqueue.NfDrop) return n.n.SetVerdict(nP.id, nfqueue.NfDrop)
case VerdictDropStream: case VerdictDropStream:
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfDrop, nfqueueConnMarkDrop) return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfDrop, n.connMarkDrop)
default: default:
// Invalid verdict, ignore for now // Invalid verdict, ignore for now
return nil return nil
@ -285,9 +304,9 @@ func (n *nfqueuePacketIO) ProtectedDialContext(ctx context.Context, network, add
func (n *nfqueuePacketIO) Close() error { func (n *nfqueuePacketIO) Close() error {
if n.rSet { if n.rSet {
if n.ipt4 != nil { if n.ipt4 != nil {
_ = n.setupIpt(n.local, n.rst, true) _ = n.setupIpt(true)
} else { } else {
_ = n.setupNft(n.local, n.rst, true) _ = n.setupNft(true)
} }
n.rSet = false n.rSet = false
} }
@ -299,8 +318,8 @@ func (n *nfqueuePacketIO) SetCancelFunc(cancelFunc context.CancelFunc) error {
return nil return nil
} }
func (n *nfqueuePacketIO) setupNft(local, rst, remove bool) error { func (n *nfqueuePacketIO) setupNft(remove bool) error {
rules, err := generateNftRules(local, rst, n.queueNum, n.table) rules, err := n.generateNftRules()
if err != nil { if err != nil {
return err return err
} }
@ -318,8 +337,8 @@ func (n *nfqueuePacketIO) setupNft(local, rst, remove bool) error {
return nil return nil
} }
func (n *nfqueuePacketIO) setupIpt(local, rst, remove bool) error { func (n *nfqueuePacketIO) setupIpt(remove bool) error {
rules, err := generateIptRules(local, rst, n.queueNum) rules, err := n.generateIptRules()
if err != nil { if err != nil {
return err return err
} }