mirror of
https://github.com/apernet/OpenGFW.git
synced 2024-12-22 08:59:21 +08:00
feat: connmark accept/drop config options
This commit is contained in:
parent
5f4df7e806
commit
0e97c9f086
26
cmd/root.go
26
cmd/root.go
@ -173,13 +173,16 @@ type cliConfig struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type cliConfigIO struct {
|
type cliConfigIO struct {
|
||||||
QueueSize uint32 `mapstructure:"queueSize"`
|
QueueSize uint32 `mapstructure:"queueSize"`
|
||||||
QueueNum *uint16 `mapstructure:"queueNum"`
|
QueueNum *uint16 `mapstructure:"queueNum"`
|
||||||
Table string `mapstructure:"table"`
|
Table string `mapstructure:"table"`
|
||||||
ReadBuffer int `mapstructure:"rcvBuf"`
|
ConnMarkAccept uint32 `mapstructure:"connMarkAccept"`
|
||||||
WriteBuffer int `mapstructure:"sndBuf"`
|
ConnMarkDrop uint32 `mapstructure:"connMarkDrop"`
|
||||||
Local bool `mapstructure:"local"`
|
|
||||||
RST bool `mapstructure:"rst"`
|
ReadBuffer int `mapstructure:"rcvBuf"`
|
||||||
|
WriteBuffer int `mapstructure:"sndBuf"`
|
||||||
|
Local bool `mapstructure:"local"`
|
||||||
|
RST bool `mapstructure:"rst"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type cliConfigReplay struct {
|
type cliConfigReplay struct {
|
||||||
@ -218,13 +221,16 @@ func (c *cliConfig) fillIO(config *engine.Config) error {
|
|||||||
} else {
|
} else {
|
||||||
// Setup IO for nfqueue
|
// Setup IO for nfqueue
|
||||||
ioImpl, err = io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{
|
ioImpl, err = io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{
|
||||||
QueueSize: c.IO.QueueSize,
|
QueueSize: c.IO.QueueSize,
|
||||||
|
QueueNum: c.IO.QueueNum,
|
||||||
|
Table: c.IO.Table,
|
||||||
|
ConnMarkAccept: c.IO.ConnMarkAccept,
|
||||||
|
ConnMarkDrop: c.IO.ConnMarkDrop,
|
||||||
|
|
||||||
ReadBuffer: c.IO.ReadBuffer,
|
ReadBuffer: c.IO.ReadBuffer,
|
||||||
WriteBuffer: c.IO.WriteBuffer,
|
WriteBuffer: c.IO.WriteBuffer,
|
||||||
Local: c.IO.Local,
|
Local: c.IO.Local,
|
||||||
RST: c.IO.RST,
|
RST: c.IO.RST,
|
||||||
QueueNum: c.IO.QueueNum,
|
|
||||||
Table: c.IO.Table,
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
111
io/nfqueue.go
111
io/nfqueue.go
@ -23,25 +23,24 @@ const (
|
|||||||
nfqueueMaxPacketLen = 0xFFFF
|
nfqueueMaxPacketLen = 0xFFFF
|
||||||
nfqueueDefaultQueueSize = 128
|
nfqueueDefaultQueueSize = 128
|
||||||
|
|
||||||
nfqueueConnMarkAccept = 1001
|
nfqueueDefaultConnMarkAccept = 1001
|
||||||
nfqueueConnMarkDrop = 1002
|
|
||||||
|
|
||||||
nftFamily = "inet"
|
nftFamily = "inet"
|
||||||
nftDefaultTable = "opengfw"
|
nftDefaultTable = "opengfw"
|
||||||
)
|
)
|
||||||
|
|
||||||
func generateNftRules(local, rst bool, nfqueueNum int, nftTable string) (*nftTableSpec, error) {
|
func (n *nfqueuePacketIO) generateNftRules() (*nftTableSpec, error) {
|
||||||
if local && rst {
|
if n.local && n.rst {
|
||||||
return nil, errors.New("tcp rst is not supported in local mode")
|
return nil, errors.New("tcp rst is not supported in local mode")
|
||||||
}
|
}
|
||||||
table := &nftTableSpec{
|
table := &nftTableSpec{
|
||||||
Family: nftFamily,
|
Family: nftFamily,
|
||||||
Table: nftTable,
|
Table: n.table,
|
||||||
}
|
}
|
||||||
table.Defines = append(table.Defines, fmt.Sprintf("define ACCEPT_CTMARK=%d", nfqueueConnMarkAccept))
|
table.Defines = append(table.Defines, fmt.Sprintf("define ACCEPT_CTMARK=%d", n.connMarkAccept))
|
||||||
table.Defines = append(table.Defines, fmt.Sprintf("define DROP_CTMARK=%d", nfqueueConnMarkDrop))
|
table.Defines = append(table.Defines, fmt.Sprintf("define DROP_CTMARK=%d", n.connMarkDrop))
|
||||||
table.Defines = append(table.Defines, fmt.Sprintf("define QUEUE_NUM=%d", nfqueueNum))
|
table.Defines = append(table.Defines, fmt.Sprintf("define QUEUE_NUM=%d", n.queueNum))
|
||||||
if local {
|
if n.local {
|
||||||
table.Chains = []nftChainSpec{
|
table.Chains = []nftChainSpec{
|
||||||
{Chain: "INPUT", Header: "type filter hook input priority filter; policy accept;"},
|
{Chain: "INPUT", Header: "type filter hook input priority filter; policy accept;"},
|
||||||
{Chain: "OUTPUT", Header: "type filter hook output priority filter; policy accept;"},
|
{Chain: "OUTPUT", Header: "type filter hook output priority filter; policy accept;"},
|
||||||
@ -55,7 +54,7 @@ func generateNftRules(local, rst bool, nfqueueNum int, nftTable string) (*nftTab
|
|||||||
c := &table.Chains[i]
|
c := &table.Chains[i]
|
||||||
c.Rules = append(c.Rules, "meta mark $ACCEPT_CTMARK ct mark set $ACCEPT_CTMARK") // Bypass protected connections
|
c.Rules = append(c.Rules, "meta mark $ACCEPT_CTMARK ct mark set $ACCEPT_CTMARK") // Bypass protected connections
|
||||||
c.Rules = append(c.Rules, "ct mark $ACCEPT_CTMARK counter accept")
|
c.Rules = append(c.Rules, "ct mark $ACCEPT_CTMARK counter accept")
|
||||||
if rst {
|
if n.rst {
|
||||||
c.Rules = append(c.Rules, "ip protocol tcp ct mark $DROP_CTMARK counter reject with tcp reset")
|
c.Rules = append(c.Rules, "ip protocol tcp ct mark $DROP_CTMARK counter reject with tcp reset")
|
||||||
}
|
}
|
||||||
c.Rules = append(c.Rules, "ct mark $DROP_CTMARK counter drop")
|
c.Rules = append(c.Rules, "ct mark $DROP_CTMARK counter drop")
|
||||||
@ -64,12 +63,12 @@ func generateNftRules(local, rst bool, nfqueueNum int, nftTable string) (*nftTab
|
|||||||
return table, nil
|
return table, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateIptRules(local, rst bool, nfqueueNum int) ([]iptRule, error) {
|
func (n *nfqueuePacketIO) generateIptRules() ([]iptRule, error) {
|
||||||
if local && rst {
|
if n.local && n.rst {
|
||||||
return nil, errors.New("tcp rst is not supported in local mode")
|
return nil, errors.New("tcp rst is not supported in local mode")
|
||||||
}
|
}
|
||||||
var chains []string
|
var chains []string
|
||||||
if local {
|
if n.local {
|
||||||
chains = []string{"INPUT", "OUTPUT"}
|
chains = []string{"INPUT", "OUTPUT"}
|
||||||
} else {
|
} else {
|
||||||
chains = []string{"FORWARD"}
|
chains = []string{"FORWARD"}
|
||||||
@ -77,13 +76,13 @@ func generateIptRules(local, rst bool, nfqueueNum int) ([]iptRule, error) {
|
|||||||
rules := make([]iptRule, 0, 4*len(chains))
|
rules := make([]iptRule, 0, 4*len(chains))
|
||||||
for _, chain := range chains {
|
for _, chain := range chains {
|
||||||
// Bypass protected connections
|
// Bypass protected connections
|
||||||
rules = append(rules, iptRule{"filter", chain, []string{"-m", "mark", "--mark", strconv.Itoa(nfqueueConnMarkAccept), "-j", "CONNMARK", "--set-mark", strconv.Itoa(nfqueueConnMarkAccept)}})
|
rules = append(rules, iptRule{"filter", chain, []string{"-m", "mark", "--mark", strconv.Itoa(n.connMarkAccept), "-j", "CONNMARK", "--set-mark", strconv.Itoa(n.connMarkAccept)}})
|
||||||
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkAccept), "-j", "ACCEPT"}})
|
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(n.connMarkAccept), "-j", "ACCEPT"}})
|
||||||
if rst {
|
if n.rst {
|
||||||
rules = append(rules, iptRule{"filter", chain, []string{"-p", "tcp", "-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkDrop), "-j", "REJECT", "--reject-with", "tcp-reset"}})
|
rules = append(rules, iptRule{"filter", chain, []string{"-p", "tcp", "-m", "connmark", "--mark", strconv.Itoa(n.connMarkDrop), "-j", "REJECT", "--reject-with", "tcp-reset"}})
|
||||||
}
|
}
|
||||||
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkDrop), "-j", "DROP"}})
|
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(n.connMarkDrop), "-j", "DROP"}})
|
||||||
rules = append(rules, iptRule{"filter", chain, []string{"-j", "NFQUEUE", "--queue-num", strconv.Itoa(nfqueueNum), "--queue-bypass"}})
|
rules = append(rules, iptRule{"filter", chain, []string{"-j", "NFQUEUE", "--queue-num", strconv.Itoa(n.queueNum), "--queue-bypass"}})
|
||||||
}
|
}
|
||||||
|
|
||||||
return rules, nil
|
return rules, nil
|
||||||
@ -94,12 +93,14 @@ var _ PacketIO = (*nfqueuePacketIO)(nil)
|
|||||||
var errNotNFQueuePacket = errors.New("not an NFQueue packet")
|
var errNotNFQueuePacket = errors.New("not an NFQueue packet")
|
||||||
|
|
||||||
type nfqueuePacketIO struct {
|
type nfqueuePacketIO struct {
|
||||||
n *nfqueue.Nfqueue
|
n *nfqueue.Nfqueue
|
||||||
local bool
|
local bool
|
||||||
rst bool
|
rst bool
|
||||||
rSet bool // whether the nftables/iptables rules have been set
|
rSet bool // whether the nftables/iptables rules have been set
|
||||||
queueNum int
|
queueNum int
|
||||||
table string // nftable name
|
table string // nftable name
|
||||||
|
connMarkAccept int
|
||||||
|
connMarkDrop int
|
||||||
|
|
||||||
// iptables not nil = use iptables instead of nftables
|
// iptables not nil = use iptables instead of nftables
|
||||||
ipt4 *iptables.IPTables
|
ipt4 *iptables.IPTables
|
||||||
@ -109,9 +110,12 @@ type nfqueuePacketIO struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type NFQueuePacketIOConfig struct {
|
type NFQueuePacketIOConfig struct {
|
||||||
QueueSize uint32
|
QueueSize uint32
|
||||||
QueueNum *uint16
|
QueueNum *uint16
|
||||||
Table string
|
Table string
|
||||||
|
ConnMarkAccept uint32
|
||||||
|
ConnMarkDrop uint32
|
||||||
|
|
||||||
ReadBuffer int
|
ReadBuffer int
|
||||||
WriteBuffer int
|
WriteBuffer int
|
||||||
Local bool
|
Local bool
|
||||||
@ -129,6 +133,19 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
|
|||||||
if config.Table == "" {
|
if config.Table == "" {
|
||||||
config.Table = nftDefaultTable
|
config.Table = nftDefaultTable
|
||||||
}
|
}
|
||||||
|
if config.ConnMarkAccept == 0 {
|
||||||
|
config.ConnMarkAccept = nfqueueDefaultConnMarkAccept
|
||||||
|
}
|
||||||
|
if config.ConnMarkDrop == 0 {
|
||||||
|
config.ConnMarkDrop = config.ConnMarkAccept + 1
|
||||||
|
if config.ConnMarkDrop == 0 {
|
||||||
|
// Overflow
|
||||||
|
config.ConnMarkDrop = 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if config.ConnMarkAccept == config.ConnMarkDrop {
|
||||||
|
return nil, errors.New("connMarkAccept and connMarkDrop cannot be the same")
|
||||||
|
}
|
||||||
var ipt4, ipt6 *iptables.IPTables
|
var ipt4, ipt6 *iptables.IPTables
|
||||||
var err error
|
var err error
|
||||||
if nftCheck() != nil {
|
if nftCheck() != nil {
|
||||||
@ -167,18 +184,20 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
return &nfqueuePacketIO{
|
return &nfqueuePacketIO{
|
||||||
n: n,
|
n: n,
|
||||||
local: config.Local,
|
local: config.Local,
|
||||||
rst: config.RST,
|
rst: config.RST,
|
||||||
queueNum: int(*config.QueueNum),
|
queueNum: int(*config.QueueNum),
|
||||||
table: config.Table,
|
table: config.Table,
|
||||||
ipt4: ipt4,
|
connMarkAccept: int(config.ConnMarkAccept),
|
||||||
ipt6: ipt6,
|
connMarkDrop: int(config.ConnMarkDrop),
|
||||||
|
ipt4: ipt4,
|
||||||
|
ipt6: ipt6,
|
||||||
protectedDialer: &net.Dialer{
|
protectedDialer: &net.Dialer{
|
||||||
Control: func(network, address string, c syscall.RawConn) error {
|
Control: func(network, address string, c syscall.RawConn) error {
|
||||||
var err error
|
var err error
|
||||||
cErr := c.Control(func(fd uintptr) {
|
cErr := c.Control(func(fd uintptr) {
|
||||||
err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, nfqueueConnMarkAccept)
|
err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, int(config.ConnMarkAccept))
|
||||||
})
|
})
|
||||||
if cErr != nil {
|
if cErr != nil {
|
||||||
return cErr
|
return cErr
|
||||||
@ -225,9 +244,9 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
|
|||||||
}
|
}
|
||||||
if !n.rSet {
|
if !n.rSet {
|
||||||
if n.ipt4 != nil {
|
if n.ipt4 != nil {
|
||||||
err = n.setupIpt(n.local, n.rst, false)
|
err = n.setupIpt(false)
|
||||||
} else {
|
} else {
|
||||||
err = n.setupNft(n.local, n.rst, false)
|
err = n.setupNft(false)
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -267,11 +286,11 @@ func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) erro
|
|||||||
case VerdictAcceptModify:
|
case VerdictAcceptModify:
|
||||||
return n.n.SetVerdictModPacket(nP.id, nfqueue.NfAccept, newPacket)
|
return n.n.SetVerdictModPacket(nP.id, nfqueue.NfAccept, newPacket)
|
||||||
case VerdictAcceptStream:
|
case VerdictAcceptStream:
|
||||||
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfAccept, nfqueueConnMarkAccept)
|
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfAccept, n.connMarkAccept)
|
||||||
case VerdictDrop:
|
case VerdictDrop:
|
||||||
return n.n.SetVerdict(nP.id, nfqueue.NfDrop)
|
return n.n.SetVerdict(nP.id, nfqueue.NfDrop)
|
||||||
case VerdictDropStream:
|
case VerdictDropStream:
|
||||||
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfDrop, nfqueueConnMarkDrop)
|
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfDrop, n.connMarkDrop)
|
||||||
default:
|
default:
|
||||||
// Invalid verdict, ignore for now
|
// Invalid verdict, ignore for now
|
||||||
return nil
|
return nil
|
||||||
@ -285,9 +304,9 @@ func (n *nfqueuePacketIO) ProtectedDialContext(ctx context.Context, network, add
|
|||||||
func (n *nfqueuePacketIO) Close() error {
|
func (n *nfqueuePacketIO) Close() error {
|
||||||
if n.rSet {
|
if n.rSet {
|
||||||
if n.ipt4 != nil {
|
if n.ipt4 != nil {
|
||||||
_ = n.setupIpt(n.local, n.rst, true)
|
_ = n.setupIpt(true)
|
||||||
} else {
|
} else {
|
||||||
_ = n.setupNft(n.local, n.rst, true)
|
_ = n.setupNft(true)
|
||||||
}
|
}
|
||||||
n.rSet = false
|
n.rSet = false
|
||||||
}
|
}
|
||||||
@ -299,8 +318,8 @@ func (n *nfqueuePacketIO) SetCancelFunc(cancelFunc context.CancelFunc) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *nfqueuePacketIO) setupNft(local, rst, remove bool) error {
|
func (n *nfqueuePacketIO) setupNft(remove bool) error {
|
||||||
rules, err := generateNftRules(local, rst, n.queueNum, n.table)
|
rules, err := n.generateNftRules()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -318,8 +337,8 @@ func (n *nfqueuePacketIO) setupNft(local, rst, remove bool) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *nfqueuePacketIO) setupIpt(local, rst, remove bool) error {
|
func (n *nfqueuePacketIO) setupIpt(remove bool) error {
|
||||||
rules, err := generateIptRules(local, rst, n.queueNum)
|
rules, err := n.generateIptRules()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user