MigrateRepos/OpenGFW
1
0
Fork 0
mirror of https://github.com/apernet/OpenGFW.git synced 2024-11-14 22:39:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #147 from kpetku/feat-expose-netlink-config-options

Browse Source 
feat: netlink queueNum/table config options
This commit is contained in:
Toby 2024-10-27 18:55:30 -07:00 committed by GitHub
commit 278d731b6f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 94 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
cmd/root.go
View File

@ -173,11 +173,16 @@ type cliConfig struct {
} }
type cliConfigIO struct { type cliConfigIO struct {
QueueSize uint32 `mapstructure:"queueSize"` QueueSize uint32 `mapstructure:"queueSize"`
ReadBuffer int `mapstructure:"rcvBuf"` QueueNum *uint16 `mapstructure:"queueNum"`
WriteBuffer int `mapstructure:"sndBuf"` Table string `mapstructure:"table"`
Local bool `mapstructure:"local"` ConnMarkAccept uint32 `mapstructure:"connMarkAccept"`
RST bool `mapstructure:"rst"` ConnMarkDrop uint32 `mapstructure:"connMarkDrop"`
ReadBuffer int `mapstructure:"rcvBuf"`
WriteBuffer int `mapstructure:"sndBuf"`
Local bool `mapstructure:"local"`
RST bool `mapstructure:"rst"`
} }
type cliConfigReplay struct { type cliConfigReplay struct {
@ -216,7 +221,12 @@ func (c *cliConfig) fillIO(config *engine.Config) error {
} else { } else {
// Setup IO for nfqueue // Setup IO for nfqueue
ioImpl, err = io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{ ioImpl, err = io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{
QueueSize: c.IO.QueueSize, QueueSize: c.IO.QueueSize,
QueueNum: c.IO.QueueNum,
Table: c.IO.Table,
ConnMarkAccept: c.IO.ConnMarkAccept,
ConnMarkDrop: c.IO.ConnMarkDrop,
ReadBuffer: c.IO.ReadBuffer, ReadBuffer: c.IO.ReadBuffer,
WriteBuffer: c.IO.WriteBuffer, WriteBuffer: c.IO.WriteBuffer,
Local: c.IO.Local, Local: c.IO.Local,

124
io/nfqueue.go
View File

@ -19,29 +19,28 @@ import (
) )
const ( const (
nfqueueNum = 100 nfqueueDefaultQueueNum = 100
nfqueueMaxPacketLen = 0xFFFF nfqueueMaxPacketLen = 0xFFFF
nfqueueDefaultQueueSize = 128 nfqueueDefaultQueueSize = 128
nfqueueConnMarkAccept = 1001 nfqueueDefaultConnMarkAccept = 1001
nfqueueConnMarkDrop = 1002
nftFamily = "inet" nftFamily = "inet"
nftTable = "opengfw" nftDefaultTable = "opengfw"
) )
func generateNftRules(local, rst bool) (*nftTableSpec, error) { func (n *nfqueuePacketIO) generateNftRules() (*nftTableSpec, error) {
if local && rst { if n.local && n.rst {
return nil, errors.New("tcp rst is not supported in local mode") return nil, errors.New("tcp rst is not supported in local mode")
} }
table := &nftTableSpec{ table := &nftTableSpec{
Family: nftFamily, Family: nftFamily,
Table: nftTable, Table: n.table,
} }
table.Defines = append(table.Defines, fmt.Sprintf("define ACCEPT_CTMARK=%d", nfqueueConnMarkAccept)) table.Defines = append(table.Defines, fmt.Sprintf("define ACCEPT_CTMARK=%d", n.connMarkAccept))
table.Defines = append(table.Defines, fmt.Sprintf("define DROP_CTMARK=%d", nfqueueConnMarkDrop)) table.Defines = append(table.Defines, fmt.Sprintf("define DROP_CTMARK=%d", n.connMarkDrop))
table.Defines = append(table.Defines, fmt.Sprintf("define QUEUE_NUM=%d", nfqueueNum)) table.Defines = append(table.Defines, fmt.Sprintf("define QUEUE_NUM=%d", n.queueNum))
if local { if n.local {
table.Chains = []nftChainSpec{ table.Chains = []nftChainSpec{
{Chain: "INPUT", Header: "type filter hook input priority filter; policy accept;"}, {Chain: "INPUT", Header: "type filter hook input priority filter; policy accept;"},
{Chain: "OUTPUT", Header: "type filter hook output priority filter; policy accept;"}, {Chain: "OUTPUT", Header: "type filter hook output priority filter; policy accept;"},
@ -55,7 +54,7 @@ func generateNftRules(local, rst bool) (*nftTableSpec, error) {
c := &table.Chains[i] c := &table.Chains[i]
c.Rules = append(c.Rules, "meta mark $ACCEPT_CTMARK ct mark set $ACCEPT_CTMARK") // Bypass protected connections c.Rules = append(c.Rules, "meta mark $ACCEPT_CTMARK ct mark set $ACCEPT_CTMARK") // Bypass protected connections
c.Rules = append(c.Rules, "ct mark $ACCEPT_CTMARK counter accept") c.Rules = append(c.Rules, "ct mark $ACCEPT_CTMARK counter accept")
if rst { if n.rst {
c.Rules = append(c.Rules, "ip protocol tcp ct mark $DROP_CTMARK counter reject with tcp reset") c.Rules = append(c.Rules, "ip protocol tcp ct mark $DROP_CTMARK counter reject with tcp reset")
} }
c.Rules = append(c.Rules, "ct mark $DROP_CTMARK counter drop") c.Rules = append(c.Rules, "ct mark $DROP_CTMARK counter drop")
@ -64,12 +63,12 @@ func generateNftRules(local, rst bool) (*nftTableSpec, error) {
return table, nil return table, nil
} }
func generateIptRules(local, rst bool) ([]iptRule, error) { func (n *nfqueuePacketIO) generateIptRules() ([]iptRule, error) {
if local && rst { if n.local && n.rst {
return nil, errors.New("tcp rst is not supported in local mode") return nil, errors.New("tcp rst is not supported in local mode")
} }
var chains []string var chains []string
if local { if n.local {
chains = []string{"INPUT", "OUTPUT"} chains = []string{"INPUT", "OUTPUT"}
} else { } else {
chains = []string{"FORWARD"} chains = []string{"FORWARD"}
@ -77,13 +76,13 @@ func generateIptRules(local, rst bool) ([]iptRule, error) {
rules := make([]iptRule, 0, 4*len(chains)) rules := make([]iptRule, 0, 4*len(chains))
for _, chain := range chains { for _, chain := range chains {
// Bypass protected connections // Bypass protected connections
rules = append(rules, iptRule{"filter", chain, []string{"-m", "mark", "--mark", strconv.Itoa(nfqueueConnMarkAccept), "-j", "CONNMARK", "--set-mark", strconv.Itoa(nfqueueConnMarkAccept)}}) rules = append(rules, iptRule{"filter", chain, []string{"-m", "mark", "--mark", strconv.Itoa(n.connMarkAccept), "-j", "CONNMARK", "--set-mark", strconv.Itoa(n.connMarkAccept)}})
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkAccept), "-j", "ACCEPT"}}) rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(n.connMarkAccept), "-j", "ACCEPT"}})
if rst { if n.rst {
rules = append(rules, iptRule{"filter", chain, []string{"-p", "tcp", "-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkDrop), "-j", "REJECT", "--reject-with", "tcp-reset"}}) rules = append(rules, iptRule{"filter", chain, []string{"-p", "tcp", "-m", "connmark", "--mark", strconv.Itoa(n.connMarkDrop), "-j", "REJECT", "--reject-with", "tcp-reset"}})
} }
rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(nfqueueConnMarkDrop), "-j", "DROP"}}) rules = append(rules, iptRule{"filter", chain, []string{"-m", "connmark", "--mark", strconv.Itoa(n.connMarkDrop), "-j", "DROP"}})
rules = append(rules, iptRule{"filter", chain, []string{"-j", "NFQUEUE", "--queue-num", strconv.Itoa(nfqueueNum), "--queue-bypass"}}) rules = append(rules, iptRule{"filter", chain, []string{"-j", "NFQUEUE", "--queue-num", strconv.Itoa(n.queueNum), "--queue-bypass"}})
} }
return rules, nil return rules, nil
@ -94,10 +93,14 @@ var _ PacketIO = (*nfqueuePacketIO)(nil)
var errNotNFQueuePacket = errors.New("not an NFQueue packet") var errNotNFQueuePacket = errors.New("not an NFQueue packet")
type nfqueuePacketIO struct { type nfqueuePacketIO struct {
n *nfqueue.Nfqueue n *nfqueue.Nfqueue
local bool local bool
rst bool rst bool
rSet bool // whether the nftables/iptables rules have been set rSet bool // whether the nftables/iptables rules have been set
queueNum int
table string // nftable name
connMarkAccept int
connMarkDrop int
// iptables not nil = use iptables instead of nftables // iptables not nil = use iptables instead of nftables
ipt4 *iptables.IPTables ipt4 *iptables.IPTables
@ -107,7 +110,12 @@ type nfqueuePacketIO struct {
} }
type NFQueuePacketIOConfig struct { type NFQueuePacketIOConfig struct {
QueueSize uint32 QueueSize uint32
QueueNum *uint16
Table string
ConnMarkAccept uint32
ConnMarkDrop uint32
ReadBuffer int ReadBuffer int
WriteBuffer int WriteBuffer int
Local bool Local bool
@ -118,6 +126,26 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
if config.QueueSize == 0 { if config.QueueSize == 0 {
config.QueueSize = nfqueueDefaultQueueSize config.QueueSize = nfqueueDefaultQueueSize
} }
if config.QueueNum == nil {
queueNum := uint16(nfqueueDefaultQueueNum)
config.QueueNum = &queueNum
}
if config.Table == "" {
config.Table = nftDefaultTable
}
if config.ConnMarkAccept == 0 {
config.ConnMarkAccept = nfqueueDefaultConnMarkAccept
}
if config.ConnMarkDrop == 0 {
config.ConnMarkDrop = config.ConnMarkAccept + 1
if config.ConnMarkDrop == 0 {
// Overflow
config.ConnMarkDrop = 1
}
}
if config.ConnMarkAccept == config.ConnMarkDrop {
return nil, errors.New("connMarkAccept and connMarkDrop cannot be the same")
}
var ipt4, ipt6 *iptables.IPTables var ipt4, ipt6 *iptables.IPTables
var err error var err error
if nftCheck() != nil { if nftCheck() != nil {
@ -132,7 +160,7 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
} }
} }
n, err := nfqueue.Open(&nfqueue.Config{ n, err := nfqueue.Open(&nfqueue.Config{
NfQueue: nfqueueNum, NfQueue: *config.QueueNum,
MaxPacketLen: nfqueueMaxPacketLen, MaxPacketLen: nfqueueMaxPacketLen,
MaxQueueLen: config.QueueSize, MaxQueueLen: config.QueueSize,
Copymode: nfqueue.NfQnlCopyPacket, Copymode: nfqueue.NfQnlCopyPacket,
@ -156,16 +184,20 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
} }
} }
return &nfqueuePacketIO{ return &nfqueuePacketIO{
n: n, n: n,
local: config.Local, local: config.Local,
rst: config.RST, rst: config.RST,
ipt4: ipt4, queueNum: int(*config.QueueNum),
ipt6: ipt6, table: config.Table,
connMarkAccept: int(config.ConnMarkAccept),
connMarkDrop: int(config.ConnMarkDrop),
ipt4: ipt4,
ipt6: ipt6,
protectedDialer: &net.Dialer{ protectedDialer: &net.Dialer{
Control: func(network, address string, c syscall.RawConn) error { Control: func(network, address string, c syscall.RawConn) error {
var err error var err error
cErr := c.Control(func(fd uintptr) { cErr := c.Control(func(fd uintptr) {
err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, nfqueueConnMarkAccept) err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, int(config.ConnMarkAccept))
}) })
if cErr != nil { if cErr != nil {
return cErr return cErr
@ -212,9 +244,9 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
} }
if !n.rSet { if !n.rSet {
if n.ipt4 != nil { if n.ipt4 != nil {
err = n.setupIpt(n.local, n.rst, false) err = n.setupIpt(false)
} else { } else {
err = n.setupNft(n.local, n.rst, false) err = n.setupNft(false)
} }
if err != nil { if err != nil {
return err return err
@ -254,11 +286,11 @@ func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) erro
case VerdictAcceptModify: case VerdictAcceptModify:
return n.n.SetVerdictModPacket(nP.id, nfqueue.NfAccept, newPacket) return n.n.SetVerdictModPacket(nP.id, nfqueue.NfAccept, newPacket)
case VerdictAcceptStream: case VerdictAcceptStream:
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfAccept, nfqueueConnMarkAccept) return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfAccept, n.connMarkAccept)
case VerdictDrop: case VerdictDrop:
return n.n.SetVerdict(nP.id, nfqueue.NfDrop) return n.n.SetVerdict(nP.id, nfqueue.NfDrop)
case VerdictDropStream: case VerdictDropStream:
return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfDrop, nfqueueConnMarkDrop) return n.n.SetVerdictWithConnMark(nP.id, nfqueue.NfDrop, n.connMarkDrop)
default: default:
// Invalid verdict, ignore for now // Invalid verdict, ignore for now
return nil return nil
@ -272,9 +304,9 @@ func (n *nfqueuePacketIO) ProtectedDialContext(ctx context.Context, network, add
func (n *nfqueuePacketIO) Close() error { func (n *nfqueuePacketIO) Close() error {
if n.rSet { if n.rSet {
if n.ipt4 != nil { if n.ipt4 != nil {
_ = n.setupIpt(n.local, n.rst, true) _ = n.setupIpt(true)
} else { } else {
_ = n.setupNft(n.local, n.rst, true) _ = n.setupNft(true)
} }
n.rSet = false n.rSet = false
} }
@ -286,17 +318,17 @@ func (n *nfqueuePacketIO) SetCancelFunc(cancelFunc context.CancelFunc) error {
return nil return nil
} }
func (n *nfqueuePacketIO) setupNft(local, rst, remove bool) error { func (n *nfqueuePacketIO) setupNft(remove bool) error {
rules, err := generateNftRules(local, rst) rules, err := n.generateNftRules()
if err != nil { if err != nil {
return err return err
} }
rulesText := rules.String() rulesText := rules.String()
if remove { if remove {
err = nftDelete(nftFamily, nftTable) err = nftDelete(nftFamily, n.table)
} else { } else {
// Delete first to make sure no leftover rules // Delete first to make sure no leftover rules
_ = nftDelete(nftFamily, nftTable) _ = nftDelete(nftFamily, n.table)
err = nftAdd(rulesText) err = nftAdd(rulesText)
} }
if err != nil { if err != nil {
@ -305,8 +337,8 @@ func (n *nfqueuePacketIO) setupNft(local, rst, remove bool) error {
return nil return nil
} }
func (n *nfqueuePacketIO) setupIpt(local, rst, remove bool) error { func (n *nfqueuePacketIO) setupIpt(remove bool) error {
rules, err := generateIptRules(local, rst) rules, err := n.generateIptRules()
if err != nil { if err != nil {
return err return err
} }