From c17d7c02814513022d2c8af833ae94fd64f1e74f Mon Sep 17 00:00:00 2001 From: xishang0128 Date: Tue, 13 Aug 2024 00:57:08 +0800 Subject: [PATCH 01/42] ci: update loongarch golang and android ndk --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b936a57fea..cd5202e12e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -107,15 +107,15 @@ jobs: - name: Set up Go1.22 loongarch abi1 if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }} run: | - wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.22.0/go1.22.0.linux-amd64-abi1.tar.gz - sudo tar zxf go1.22.0.linux-amd64-abi1.tar.gz -C /usr/local + wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.22.4/go1.22.4.linux-amd64-abi1.tar.gz + sudo tar zxf go1.22.4.linux-amd64-abi1.tar.gz -C /usr/local echo "/usr/local/go/bin" >> $GITHUB_PATH - name: Set up Go1.22 loongarch abi2 if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '2' }} run: | - wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.22.0/go1.22.0.linux-amd64-abi2.tar.gz - sudo tar zxf go1.22.0.linux-amd64-abi2.tar.gz -C /usr/local + wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.22.4/go1.22.4.linux-amd64-abi2.tar.gz + sudo tar zxf go1.22.4.linux-amd64-abi2.tar.gz -C /usr/local echo "/usr/local/go/bin" >> $GITHUB_PATH # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 @@ -162,7 +162,7 @@ jobs: uses: nttld/setup-ndk@v1 id: setup-ndk with: - ndk-version: r26c + ndk-version: r27 - name: Set NDK path if: ${{ matrix.jobs.goos == 'android' }} From 5bf22422d9653933a6dc481c6f1021f743b9772f Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Tue, 13 Aug 2024 13:33:24 +0800 Subject: [PATCH 02/42] fix: wireguard not working in CMFA --- component/dialer/dialer.go | 15 ++++++++------- component/dialer/patch_android.go | 11 +++++------ component/dialer/patch_common.go | 3 +-- 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/component/dialer/dialer.go b/component/dialer/dialer.go index 54a1aa6ac7..ba95c31b81 100644 --- a/component/dialer/dialer.go +++ b/component/dialer/dialer.go @@ -127,10 +127,6 @@ func GetTcpConcurrent() bool { } func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) { - if features.CMFA && DefaultSocketHook != nil { - return dialContextHooked(ctx, network, destination, port) - } - var address string if IP4PEnable { destination, port = lookupIP4P(destination, port) @@ -149,6 +145,14 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po } dialer := netDialer.(*net.Dialer) + if opt.mpTcp { + setMultiPathTCP(dialer) + } + + if features.CMFA && DefaultSocketHook != nil { // ignore interfaceName, routingMark and tfo in CMFA + return dialContextHooked(ctx, dialer, network, address) + } + if opt.interfaceName != "" { bind := bindIfaceToDialer if opt.fallbackBind { @@ -161,9 +165,6 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po if opt.routingMark != 0 { bindMarkToDialer(opt.routingMark, dialer, network, destination) } - if opt.mpTcp { - setMultiPathTCP(dialer) - } if opt.tfo && !DisableTFO { return dialTFO(ctx, *dialer, network, address) } diff --git a/component/dialer/patch_android.go b/component/dialer/patch_android.go index 7c33a6c0c8..079b9772ab 100644 --- a/component/dialer/patch_android.go +++ b/component/dialer/patch_android.go @@ -5,7 +5,6 @@ package dialer import ( "context" "net" - "net/netip" "syscall" ) @@ -13,12 +12,12 @@ type SocketControl func(network, address string, conn syscall.RawConn) error var DefaultSocketHook SocketControl -func dialContextHooked(ctx context.Context, network string, destination netip.Addr, port string) (net.Conn, error) { - dialer := &net.Dialer{ - Control: DefaultSocketHook, - } +func dialContextHooked(ctx context.Context, dialer *net.Dialer, network string, address string) (net.Conn, error) { + addControlToDialer(dialer, func(ctx context.Context, network, address string, c syscall.RawConn) error { + return DefaultSocketHook(network, address, c) + }) - conn, err := dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port)) + conn, err := dialer.DialContext(ctx, network, address) if err != nil { return nil, err } diff --git a/component/dialer/patch_common.go b/component/dialer/patch_common.go index bad0ef4889..2c96fe60b7 100644 --- a/component/dialer/patch_common.go +++ b/component/dialer/patch_common.go @@ -5,7 +5,6 @@ package dialer import ( "context" "net" - "net/netip" "syscall" ) @@ -13,7 +12,7 @@ type SocketControl func(network, address string, conn syscall.RawConn) error var DefaultSocketHook SocketControl -func dialContextHooked(ctx context.Context, network string, destination netip.Addr, port string) (net.Conn, error) { +func dialContextHooked(ctx context.Context, dialer *net.Dialer, network string, address string) (net.Conn, error) { return nil, nil } From 50d0cd363c84c14a4982731d24082e0ee65265f0 Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:19:34 +0800 Subject: [PATCH 03/42] chore: auto download external UI when 'external-ui' is set and not empty --- component/updater/update_core.go | 2 +- component/updater/update_ui.go | 8 +------- config/config.go | 5 +++++ hub/executor/executor.go | 14 ++++++++++++++ hub/route/configs.go | 4 ++-- 5 files changed, 23 insertions(+), 10 deletions(-) diff --git a/component/updater/update_core.go b/component/updater/update_core.go index 0070fbb110..9f13af9ca5 100644 --- a/component/updater/update_core.go +++ b/component/updater/update_core.go @@ -230,7 +230,7 @@ func clean() { // MaxPackageFileSize is a maximum package file length in bytes. The largest // package whose size is limited by this constant currently has the size of -// approximately 9 MiB. +// approximately 32 MiB. const MaxPackageFileSize = 32 * 1024 * 1024 // Download package file and save it to disk diff --git a/component/updater/update_ui.go b/component/updater/update_ui.go index 85452ba550..a43648a9c6 100644 --- a/component/updater/update_ui.go +++ b/component/updater/update_ui.go @@ -29,11 +29,6 @@ func UpdateUI() error { xdMutex.Lock() defer xdMutex.Unlock() - err := prepare_ui() - if err != nil { - return err - } - data, err := downloadForBytes(ExternalUIURL) if err != nil { return fmt.Errorf("can't download file: %w", err) @@ -64,7 +59,7 @@ func UpdateUI() error { return nil } -func prepare_ui() error { +func PrepareUIPath() error { if ExternalUIPath == "" || ExternalUIURL == "" { return ErrIncompleteConf } @@ -79,7 +74,6 @@ func prepare_ui() error { } else { ExternalUIFolder = ExternalUIPath } - return nil } diff --git a/config/config.go b/config/config.go index ecd94c7dd9..5f2b68453d 100644 --- a/config/config.go +++ b/config/config.go @@ -677,6 +677,11 @@ func parseGeneral(cfg *RawConfig) (*General, error) { updater.ExternalUIURL = cfg.ExternalUIURL } + err := updater.PrepareUIPath() + if err != nil { + log.Errorln("PrepareUIPath error: %s", err) + } + return &General{ Inbound: Inbound{ Port: cfg.Port, diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 55c40b6d90..1e5781901b 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -23,6 +23,7 @@ import ( "github.com/metacubex/mihomo/component/resolver" SNI "github.com/metacubex/mihomo/component/sniffer" "github.com/metacubex/mihomo/component/trie" + "github.com/metacubex/mihomo/component/updater" "github.com/metacubex/mihomo/config" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/constant/features" @@ -113,6 +114,7 @@ func ApplyConfig(cfg *config.Config, force bool) { runtime.GC() tunnel.OnRunning() hcCompatibleProvider(cfg.Providers) + initExternalUI() log.SetLevel(cfg.General.LogLevel) } @@ -385,6 +387,18 @@ func updateTunnels(tunnels []LC.Tunnel) { listener.PatchTunnel(tunnels, tunnel.Tunnel) } +func initExternalUI() { + if updater.ExternalUIFolder != "" { + dirEntries, _ := os.ReadDir(updater.ExternalUIFolder) + if len(dirEntries) > 0 { + log.Infoln("UI already exists") + } else { + log.Infoln("UI not exists, downloading") + updater.UpdateUI() + } + } +} + func updateGeneral(general *config.General) { tunnel.SetMode(general.Mode) tunnel.SetFindProcessMode(general.FindProcessMode) diff --git a/hub/route/configs.go b/hub/route/configs.go index 17d858d47f..a4dcaa5257 100644 --- a/hub/route/configs.go +++ b/hub/route/configs.go @@ -402,7 +402,7 @@ func updateConfigs(w http.ResponseWriter, r *http.Request) { func updateGeoDatabases(w http.ResponseWriter, r *http.Request) { err := updater.UpdateGeoDatabases() if err != nil { - log.Errorln("[REST-API] update GEO databases failed: %v", err) + log.Errorln("[GEO] update GEO databases failed: %v", err) render.Status(r, http.StatusInternalServerError) render.JSON(w, r, newError(err.Error())) return @@ -410,7 +410,7 @@ func updateGeoDatabases(w http.ResponseWriter, r *http.Request) { cfg, err := executor.ParseWithPath(C.Path.Config()) if err != nil { - log.Errorln("[REST-API] update GEO databases failed: %v", err) + log.Errorln("[GEO] update GEO databases failed: %v", err) render.Status(r, http.StatusInternalServerError) render.JSON(w, r, newError("Error parsing configuration")) return From 12c5cf361ded7a6a9b03e6560b17f0f35a3fde4a Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 14 Aug 2024 09:03:29 +0800 Subject: [PATCH 04/42] chore: update golang to 1.23 --- ...42aa09c2f878c4faa576948b07fe625c4707a.diff | 54 ------ ...def151adff1af707d82d28f55dba81ceb08e1.diff | 158 ----------------- ...157f9544922e96945196b47b95664b1e39108.diff | 162 ------------------ .github/workflows/build.yml | 23 ++- 4 files changed, 18 insertions(+), 379 deletions(-) delete mode 100644 .github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff delete mode 100644 .github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff delete mode 100644 .github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff diff --git a/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff b/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff deleted file mode 100644 index 2c68233358..0000000000 --- a/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff +++ /dev/null @@ -1,54 +0,0 @@ -diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go -index 06e684c7116b4..b311a5c74684b 100644 ---- a/src/syscall/exec_windows.go -+++ b/src/syscall/exec_windows.go -@@ -319,17 +319,6 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle - } - } - -- var maj, min, build uint32 -- rtlGetNtVersionNumbers(&maj, &min, &build) -- isWin7 := maj < 6 || (maj == 6 && min <= 1) -- // NT kernel handles are divisible by 4, with the bottom 3 bits left as -- // a tag. The fully set tag correlates with the types of handles we're -- // concerned about here. Except, the kernel will interpret some -- // special handle values, like -1, -2, and so forth, so kernelbase.dll -- // checks to see that those bottom three bits are checked, but that top -- // bit is not checked. -- isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 } -- - p, _ := GetCurrentProcess() - parentProcess := p - if sys.ParentProcess != 0 { -@@ -338,15 +327,7 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle - fd := make([]Handle, len(attr.Files)) - for i := range attr.Files { - if attr.Files[i] > 0 { -- destinationProcessHandle := parentProcess -- -- // On Windows 7, console handles aren't real handles, and can only be duplicated -- // into the current process, not a parent one, which amounts to the same thing. -- if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) { -- destinationProcessHandle = p -- } -- -- err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS) -+ err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS) - if err != nil { - return 0, 0, err - } -@@ -377,14 +358,6 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle - - fd = append(fd, sys.AdditionalInheritedHandles...) - -- // On Windows 7, console handles aren't real handles, so don't pass them -- // through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST. -- for i := range fd { -- if isLegacyWin7ConsoleHandle(fd[i]) { -- fd[i] = 0 -- } -- } -- - // The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST - // to treat the entire list as empty, so remove NULL handles. - j := 0 \ No newline at end of file diff --git a/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff b/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff deleted file mode 100644 index ca41ec317e..0000000000 --- a/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff +++ /dev/null @@ -1,158 +0,0 @@ -diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go -index 62738e2cb1a7d..d0dcc7cc71fc0 100644 ---- a/src/crypto/rand/rand.go -+++ b/src/crypto/rand/rand.go -@@ -15,7 +15,7 @@ import "io" - // available, /dev/urandom otherwise. - // On OpenBSD and macOS, Reader uses getentropy(2). - // On other Unix-like systems, Reader reads from /dev/urandom. --// On Windows systems, Reader uses the RtlGenRandom API. -+// On Windows systems, Reader uses the ProcessPrng API. - // On JS/Wasm, Reader uses the Web Crypto API. - // On WASIP1/Wasm, Reader uses random_get from wasi_snapshot_preview1. - var Reader io.Reader -diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go -index 6c0655c72b692..7380f1f0f1e6e 100644 ---- a/src/crypto/rand/rand_windows.go -+++ b/src/crypto/rand/rand_windows.go -@@ -15,11 +15,8 @@ func init() { Reader = &rngReader{} } - - type rngReader struct{} - --func (r *rngReader) Read(b []byte) (n int, err error) { -- // RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at -- // most 1<<31-1 bytes at a time so that this works the same on 32-bit -- // and 64-bit systems. -- if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil { -+func (r *rngReader) Read(b []byte) (int, error) { -+ if err := windows.ProcessPrng(b); err != nil { - return 0, err - } - return len(b), nil -diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go -index ab4ad2ec64108..5854ca60b5cef 100644 ---- a/src/internal/syscall/windows/syscall_windows.go -+++ b/src/internal/syscall/windows/syscall_windows.go -@@ -373,7 +373,7 @@ func ErrorLoadingGetTempPath2() error { - //sys DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock - //sys CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW - --//sys RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036 -+//sys ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng - - type FILE_ID_BOTH_DIR_INFO struct { - NextEntryOffset uint32 -diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go -index e3f6d8d2a2208..5a587ad4f146c 100644 ---- a/src/internal/syscall/windows/zsyscall_windows.go -+++ b/src/internal/syscall/windows/zsyscall_windows.go -@@ -37,13 +37,14 @@ func errnoErr(e syscall.Errno) error { - } - - var ( -- modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll")) -- modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll")) -- modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll")) -- modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll")) -- modpsapi = syscall.NewLazyDLL(sysdll.Add("psapi.dll")) -- moduserenv = syscall.NewLazyDLL(sysdll.Add("userenv.dll")) -- modws2_32 = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll")) -+ modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll")) -+ modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll")) -+ modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll")) -+ modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll")) -+ modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll")) -+ modpsapi = syscall.NewLazyDLL(sysdll.Add("psapi.dll")) -+ moduserenv = syscall.NewLazyDLL(sysdll.Add("userenv.dll")) -+ modws2_32 = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll")) - - procAdjustTokenPrivileges = modadvapi32.NewProc("AdjustTokenPrivileges") - procDuplicateTokenEx = modadvapi32.NewProc("DuplicateTokenEx") -@@ -55,7 +56,7 @@ var ( - procQueryServiceStatus = modadvapi32.NewProc("QueryServiceStatus") - procRevertToSelf = modadvapi32.NewProc("RevertToSelf") - procSetTokenInformation = modadvapi32.NewProc("SetTokenInformation") -- procSystemFunction036 = modadvapi32.NewProc("SystemFunction036") -+ procProcessPrng = modbcryptprimitives.NewProc("ProcessPrng") - procGetAdaptersAddresses = modiphlpapi.NewProc("GetAdaptersAddresses") - procCreateEventW = modkernel32.NewProc("CreateEventW") - procGetACP = modkernel32.NewProc("GetACP") -@@ -179,12 +180,12 @@ func SetTokenInformation(tokenHandle syscall.Token, tokenInformationClass uint32 - return - } - --func RtlGenRandom(buf []byte) (err error) { -+func ProcessPrng(buf []byte) (err error) { - var _p0 *byte - if len(buf) > 0 { - _p0 = &buf[0] - } -- r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0) -+ r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0) - if r1 == 0 { - err = errnoErr(e1) - } -diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go -index 8ca8d7790909e..3772a864b2ff4 100644 ---- a/src/runtime/os_windows.go -+++ b/src/runtime/os_windows.go -@@ -127,15 +127,8 @@ var ( - _WriteFile, - _ stdFunction - -- // Use RtlGenRandom to generate cryptographically random data. -- // This approach has been recommended by Microsoft (see issue -- // 15589 for details). -- // The RtlGenRandom is not listed in advapi32.dll, instead -- // RtlGenRandom function can be found by searching for SystemFunction036. -- // Also some versions of Mingw cannot link to SystemFunction036 -- // when building executable as Cgo. So load SystemFunction036 -- // manually during runtime startup. -- _RtlGenRandom stdFunction -+ // Use ProcessPrng to generate cryptographically random data. -+ _ProcessPrng stdFunction - - // Load ntdll.dll manually during startup, otherwise Mingw - // links wrong printf function to cgo executable (see issue -@@ -151,11 +144,11 @@ var ( - ) - - var ( -- advapi32dll = [...]uint16{'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l', 0} -- ntdlldll = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0} -- powrprofdll = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0} -- winmmdll = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0} -- ws2_32dll = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0} -+ bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0} -+ ntdlldll = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0} -+ powrprofdll = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0} -+ winmmdll = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0} -+ ws2_32dll = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0} - ) - - // Function to be called by windows CreateThread -@@ -251,11 +244,11 @@ func windowsLoadSystemLib(name []uint16) uintptr { - } - - func loadOptionalSyscalls() { -- a32 := windowsLoadSystemLib(advapi32dll[:]) -- if a32 == 0 { -- throw("advapi32.dll not found") -+ bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:]) -+ if bcryptPrimitives == 0 { -+ throw("bcryptprimitives.dll not found") - } -- _RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000")) -+ _ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000")) - - n32 := windowsLoadSystemLib(ntdlldll[:]) - if n32 == 0 { -@@ -531,7 +524,7 @@ func osinit() { - //go:nosplit - func readRandom(r []byte) int { - n := 0 -- if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 { -+ if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 { - n = len(r) - } - return n \ No newline at end of file diff --git a/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff b/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff deleted file mode 100644 index c1fc5f6d2d..0000000000 --- a/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff +++ /dev/null @@ -1,162 +0,0 @@ -diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go -index ab8656cbbf343..28c49cc6de7e7 100644 ---- a/src/net/hook_windows.go -+++ b/src/net/hook_windows.go -@@ -14,7 +14,6 @@ var ( - testHookDialChannel = func() { time.Sleep(time.Millisecond) } // see golang.org/issue/5349 - - // Placeholders for socket system calls. -- socketFunc func(int, int, int) (syscall.Handle, error) = syscall.Socket - wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket - connectFunc func(syscall.Handle, syscall.Sockaddr) error = syscall.Connect - listenFunc func(syscall.Handle, int) error = syscall.Listen -diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go -index 0197feb3f199a..967ce6795aedb 100644 ---- a/src/net/internal/socktest/main_test.go -+++ b/src/net/internal/socktest/main_test.go -@@ -2,7 +2,7 @@ - // Use of this source code is governed by a BSD-style - // license that can be found in the LICENSE file. - --//go:build !js && !plan9 && !wasip1 -+//go:build !js && !plan9 && !wasip1 && !windows - - package socktest_test - -diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go -deleted file mode 100644 -index df1cb97784b51..0000000000000 ---- a/src/net/internal/socktest/main_windows_test.go -+++ /dev/null -@@ -1,22 +0,0 @@ --// Copyright 2015 The Go Authors. All rights reserved. --// Use of this source code is governed by a BSD-style --// license that can be found in the LICENSE file. -- --package socktest_test -- --import "syscall" -- --var ( -- socketFunc func(int, int, int) (syscall.Handle, error) -- closeFunc func(syscall.Handle) error --) -- --func installTestHooks() { -- socketFunc = sw.Socket -- closeFunc = sw.Closesocket --} -- --func uninstallTestHooks() { -- socketFunc = syscall.Socket -- closeFunc = syscall.Closesocket --} -diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go -index 8c1c862f33c9b..1c42e5c7f34b7 100644 ---- a/src/net/internal/socktest/sys_windows.go -+++ b/src/net/internal/socktest/sys_windows.go -@@ -9,38 +9,6 @@ import ( - "syscall" - ) - --// Socket wraps syscall.Socket. --func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) { -- sw.once.Do(sw.init) -- -- so := &Status{Cookie: cookie(family, sotype, proto)} -- sw.fmu.RLock() -- f, _ := sw.fltab[FilterSocket] -- sw.fmu.RUnlock() -- -- af, err := f.apply(so) -- if err != nil { -- return syscall.InvalidHandle, err -- } -- s, so.Err = syscall.Socket(family, sotype, proto) -- if err = af.apply(so); err != nil { -- if so.Err == nil { -- syscall.Closesocket(s) -- } -- return syscall.InvalidHandle, err -- } -- -- sw.smu.Lock() -- defer sw.smu.Unlock() -- if so.Err != nil { -- sw.stats.getLocked(so.Cookie).OpenFailed++ -- return syscall.InvalidHandle, so.Err -- } -- nso := sw.addLocked(s, family, sotype, proto) -- sw.stats.getLocked(nso.Cookie).Opened++ -- return s, nil --} -- - // WSASocket wraps [syscall.WSASocket]. - func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) { - sw.once.Do(sw.init) -diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go -index 07f21b72eb1fc..bc024c0bbd82d 100644 ---- a/src/net/main_windows_test.go -+++ b/src/net/main_windows_test.go -@@ -8,7 +8,6 @@ import "internal/poll" - - var ( - // Placeholders for saving original socket system calls. -- origSocket = socketFunc - origWSASocket = wsaSocketFunc - origClosesocket = poll.CloseFunc - origConnect = connectFunc -@@ -18,7 +17,6 @@ var ( - ) - - func installTestHooks() { -- socketFunc = sw.Socket - wsaSocketFunc = sw.WSASocket - poll.CloseFunc = sw.Closesocket - connectFunc = sw.Connect -@@ -28,7 +26,6 @@ func installTestHooks() { - } - - func uninstallTestHooks() { -- socketFunc = origSocket - wsaSocketFunc = origWSASocket - poll.CloseFunc = origClosesocket - connectFunc = origConnect -diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go -index fa11c7af2e727..5540135a2c43e 100644 ---- a/src/net/sock_windows.go -+++ b/src/net/sock_windows.go -@@ -19,21 +19,6 @@ func maxListenerBacklog() int { - func sysSocket(family, sotype, proto int) (syscall.Handle, error) { - s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto), - nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT) -- if err == nil { -- return s, nil -- } -- // WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some -- // old versions of Windows, see -- // https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx -- // for details. Just use syscall.Socket, if windows.WSASocket failed. -- -- // See ../syscall/exec_unix.go for description of ForkLock. -- syscall.ForkLock.RLock() -- s, err = socketFunc(family, sotype, proto) -- if err == nil { -- syscall.CloseOnExec(s) -- } -- syscall.ForkLock.RUnlock() - if err != nil { - return syscall.InvalidHandle, os.NewSyscallError("socket", err) - } -diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go -index 0a93bc0a80d4e..06e684c7116b4 100644 ---- a/src/syscall/exec_windows.go -+++ b/src/syscall/exec_windows.go -@@ -14,6 +14,7 @@ import ( - "unsafe" - ) - -+// ForkLock is not used on Windows. - var ForkLock sync.RWMutex - - // EscapeArg rewrites command line argument s as prescribed \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cd5202e12e..1255fc2229 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -67,6 +67,12 @@ jobs: - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 } - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 } + # Go 1.22 with special patch can work on Windows 7 + # https://github.com/MetaCubeX/go/commits/release-branch.go1.22/ + - { goos: windows, goarch: '386', output: '386-go122', goversion: '1.22' } + - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' } + - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' } + # Go 1.21 can revert commit `9e4385` to work on Windows 7 # https://github.com/golang/go/issues/64622#issuecomment-1847475161 # (OR we can just use golang1.21.4 which unneeded any patch) @@ -79,6 +85,11 @@ jobs: - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' } - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' } + # Go 1.22 is the last release that will run on macOS 10.15 Catalina. Go 1.23 will require macOS 11 Big Sur or later. + - { goos: darwin, goarch: arm64, output: arm64-go122, goversion: '1.22' } + - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' } + - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' } + # Go 1.20 is the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. Go 1.21 will require macOS 10.15 Catalina or later. - { goos: darwin, goarch: arm64, output: arm64-go120, goversion: '1.20' } - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' } @@ -96,7 +107,7 @@ jobs: if: ${{ matrix.jobs.goversion == '' && matrix.jobs.goarch != 'loong64' }} uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Set up Go if: ${{ matrix.jobs.goversion != '' && matrix.jobs.goarch != 'loong64' }} @@ -125,13 +136,15 @@ jobs: # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng" # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7" # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround" + # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries" - name: Revert Golang1.22 commit for Windows7/8 - if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }} + if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.22' }} run: | cd $(go env GOROOT) - patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff - patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff - patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff + curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/7f83badcb925a7e743188041cb6e561fc9b5b642.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/83ff9782e024cb328b690cbf0da4e7848a327f4f.diff | patch --verbose -p 1 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 - name: Revert Golang1.21 commit for Windows7/8 From acaacd8ab1405232e36054fa11933731430cf4d0 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 14 Aug 2024 10:13:57 +0800 Subject: [PATCH 05/42] action: let golang1.23's build can work on windows7/8 --- .github/workflows/build.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1255fc2229..fb3eb621a4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -129,9 +129,28 @@ jobs: sudo tar zxf go1.22.4.linux-amd64-abi2.tar.gz -C /usr/local echo "/usr/local/go/bin" >> $GITHUB_PATH + # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 + # this patch file only works on golang1.23.x + # that means after golang1.24 release it must be changed + # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/ + # revert: + # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng" + # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7" + # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround" + # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries" + - name: Revert Golang1.23 commit for Windows7/8 + if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }} + run: | + cd $(go env GOROOT) + curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1 + # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 # this patch file only works on golang1.22.x # that means after golang1.23 release it must be changed + # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.22/ # revert: # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng" # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7" From 24c6e7d8193a5cc9a3937393a7d42c3cf36e626e Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Wed, 14 Aug 2024 11:51:39 +0800 Subject: [PATCH 06/42] chore: update tcp keepAlive setting for go1.23 --- common/net/tcp_keepalive_go122.go | 12 ++++++++++++ common/net/tcp_keepalive_go123.go | 15 +++++++++++++++ common/net/tcpip.go | 12 ++++-------- config/config.go | 5 +++++ docs/config.yaml | 3 ++- 5 files changed, 38 insertions(+), 9 deletions(-) create mode 100644 common/net/tcp_keepalive_go122.go create mode 100644 common/net/tcp_keepalive_go123.go diff --git a/common/net/tcp_keepalive_go122.go b/common/net/tcp_keepalive_go122.go new file mode 100644 index 0000000000..099701578e --- /dev/null +++ b/common/net/tcp_keepalive_go122.go @@ -0,0 +1,12 @@ +//go:build !go1.23 + +package net + +import "net" + +func TCPKeepAlive(c net.Conn) { + if tcp, ok := c.(*net.TCPConn); ok { + _ = tcp.SetKeepAlive(true) + _ = tcp.SetKeepAlivePeriod(KeepAliveInterval) + } +} diff --git a/common/net/tcp_keepalive_go123.go b/common/net/tcp_keepalive_go123.go new file mode 100644 index 0000000000..f5bca964d2 --- /dev/null +++ b/common/net/tcp_keepalive_go123.go @@ -0,0 +1,15 @@ +//go:build go1.23 + +package net + +import "net" + +func TCPKeepAlive(c net.Conn) { + if tcp, ok := c.(*net.TCPConn); ok { + _ = tcp.SetKeepAliveConfig(net.KeepAliveConfig{ + Enable: true, + Idle: KeepAliveIdle, + Interval: KeepAliveInterval, + }) + } +} diff --git a/common/net/tcpip.go b/common/net/tcpip.go index 0499e54c17..4f4fa66118 100644 --- a/common/net/tcpip.go +++ b/common/net/tcpip.go @@ -7,7 +7,10 @@ import ( "time" ) -var KeepAliveInterval = 15 * time.Second +var ( + KeepAliveIdle = 0 * time.Second + KeepAliveInterval = 0 * time.Second +) func SplitNetworkType(s string) (string, string, error) { var ( @@ -47,10 +50,3 @@ func SplitHostPort(s string) (host, port string, hasPort bool, err error) { host, port, err = net.SplitHostPort(temp) return } - -func TCPKeepAlive(c net.Conn) { - if tcp, ok := c.(*net.TCPConn); ok { - _ = tcp.SetKeepAlive(true) - _ = tcp.SetKeepAlivePeriod(KeepAliveInterval) - } -} diff --git a/config/config.go b/config/config.go index 5f2b68453d..3b13146df4 100644 --- a/config/config.go +++ b/config/config.go @@ -338,6 +338,7 @@ type RawConfig struct { FindProcessMode P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"` GlobalClientFingerprint string `yaml:"global-client-fingerprint"` GlobalUA string `yaml:"global-ua"` + KeepAliveIdle int `yaml:"keep-alive-idle"` KeepAliveInterval int `yaml:"keep-alive-interval"` Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` @@ -649,6 +650,10 @@ func parseGeneral(cfg *RawConfig) (*General, error) { C.ASNUrl = cfg.GeoXUrl.ASN C.GeodataMode = cfg.GeodataMode C.UA = cfg.GlobalUA + + if cfg.KeepAliveIdle != 0 { + N.KeepAliveIdle = time.Duration(cfg.KeepAliveIdle) * time.Second + } if cfg.KeepAliveInterval != 0 { N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second } diff --git a/docs/config.yaml b/docs/config.yaml index d7c686d01f..6feca27d81 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -82,7 +82,8 @@ external-doh-server: /dns-query global-client-fingerprint: chrome # TCP keep alive interval -keep-alive-interval: 15 +# keep-alive-idle: 7200 +# keep-alive-interval: 75 # routing-mark:6666 # 配置 fwmark 仅用于 Linux experimental: From f20f371a612a6cb62fb1045fc63732b503e30071 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 14 Aug 2024 13:01:06 +0800 Subject: [PATCH 07/42] chore: better keepalive handle --- common/net/tcp_keepalive.go | 23 ++++++++ common/net/tcp_keepalive_go122.go | 8 +-- common/net/tcp_keepalive_go123.go | 18 +++--- common/net/tcp_keepalive_go123_unix.go | 15 +++++ common/net/tcp_keepalive_go123_windows.go | 63 +++++++++++++++++++++ common/net/tcpip.go | 6 -- component/dialer/dialer.go | 68 +++++++++++------------ component/dialer/patch_android.go | 38 ------------- component/dialer/patch_common.go | 21 ------- component/dialer/socket_hook.go | 27 +++++++++ config/config.go | 2 + docs/config.yaml | 5 +- listener/http/server.go | 8 +-- 13 files changed, 183 insertions(+), 119 deletions(-) create mode 100644 common/net/tcp_keepalive.go create mode 100644 common/net/tcp_keepalive_go123_unix.go create mode 100644 common/net/tcp_keepalive_go123_windows.go delete mode 100644 component/dialer/patch_android.go delete mode 100644 component/dialer/patch_common.go create mode 100644 component/dialer/socket_hook.go diff --git a/common/net/tcp_keepalive.go b/common/net/tcp_keepalive.go new file mode 100644 index 0000000000..047a1c05eb --- /dev/null +++ b/common/net/tcp_keepalive.go @@ -0,0 +1,23 @@ +package net + +import ( + "net" + "runtime" + "time" +) + +var ( + KeepAliveIdle = 0 * time.Second + KeepAliveInterval = 0 * time.Second + DisableKeepAlive = false +) + +func TCPKeepAlive(c net.Conn) { + if tcp, ok := c.(*net.TCPConn); ok { + if runtime.GOOS == "android" || DisableKeepAlive { + _ = tcp.SetKeepAlive(false) + } else { + tcpKeepAlive(tcp) + } + } +} diff --git a/common/net/tcp_keepalive_go122.go b/common/net/tcp_keepalive_go122.go index 099701578e..1287316868 100644 --- a/common/net/tcp_keepalive_go122.go +++ b/common/net/tcp_keepalive_go122.go @@ -4,9 +4,7 @@ package net import "net" -func TCPKeepAlive(c net.Conn) { - if tcp, ok := c.(*net.TCPConn); ok { - _ = tcp.SetKeepAlive(true) - _ = tcp.SetKeepAlivePeriod(KeepAliveInterval) - } +func tcpKeepAlive(tcp *net.TCPConn) { + _ = tcp.SetKeepAlive(true) + _ = tcp.SetKeepAlivePeriod(KeepAliveInterval) } diff --git a/common/net/tcp_keepalive_go123.go b/common/net/tcp_keepalive_go123.go index f5bca964d2..2dd4754bbe 100644 --- a/common/net/tcp_keepalive_go123.go +++ b/common/net/tcp_keepalive_go123.go @@ -4,12 +4,16 @@ package net import "net" -func TCPKeepAlive(c net.Conn) { - if tcp, ok := c.(*net.TCPConn); ok { - _ = tcp.SetKeepAliveConfig(net.KeepAliveConfig{ - Enable: true, - Idle: KeepAliveIdle, - Interval: KeepAliveInterval, - }) +func tcpKeepAlive(tcp *net.TCPConn) { + config := net.KeepAliveConfig{ + Enable: true, + Idle: KeepAliveIdle, + Interval: KeepAliveInterval, } + if !SupportTCPKeepAliveCount() { + // it's recommended to set both Idle and Interval to non-negative values in conjunction with a -1 + // for Count on those old Windows if you intend to customize the TCP keep-alive settings. + config.Count = -1 + } + _ = tcp.SetKeepAliveConfig(config) } diff --git a/common/net/tcp_keepalive_go123_unix.go b/common/net/tcp_keepalive_go123_unix.go new file mode 100644 index 0000000000..0ead7ca472 --- /dev/null +++ b/common/net/tcp_keepalive_go123_unix.go @@ -0,0 +1,15 @@ +//go:build go1.23 && unix + +package net + +func SupportTCPKeepAliveIdle() bool { + return true +} + +func SupportTCPKeepAliveInterval() bool { + return true +} + +func SupportTCPKeepAliveCount() bool { + return true +} diff --git a/common/net/tcp_keepalive_go123_windows.go b/common/net/tcp_keepalive_go123_windows.go new file mode 100644 index 0000000000..8f1e61f959 --- /dev/null +++ b/common/net/tcp_keepalive_go123_windows.go @@ -0,0 +1,63 @@ +//go:build go1.23 && windows + +// copy and modify from golang1.23's internal/syscall/windows/version_windows.go + +package net + +import ( + "errors" + "sync" + "syscall" + + "github.com/metacubex/mihomo/constant/features" + + "golang.org/x/sys/windows" +) + +var ( + supportTCPKeepAliveIdle bool + supportTCPKeepAliveInterval bool + supportTCPKeepAliveCount bool +) + +var initTCPKeepAlive = sync.OnceFunc(func() { + s, err := windows.WSASocket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_TCP, nil, 0, windows.WSA_FLAG_NO_HANDLE_INHERIT) + if err != nil { + // Fallback to checking the Windows version. + major, build := features.WindowsMajorVersion, features.WindowsBuildNumber + supportTCPKeepAliveIdle = major >= 10 && build >= 16299 + supportTCPKeepAliveInterval = major >= 10 && build >= 16299 + supportTCPKeepAliveCount = major >= 10 && build >= 15063 + return + } + defer windows.Closesocket(s) + var optSupported = func(opt int) bool { + err := windows.SetsockoptInt(s, syscall.IPPROTO_TCP, opt, 1) + return !errors.Is(err, syscall.WSAENOPROTOOPT) + } + supportTCPKeepAliveIdle = optSupported(windows.TCP_KEEPIDLE) + supportTCPKeepAliveInterval = optSupported(windows.TCP_KEEPINTVL) + supportTCPKeepAliveCount = optSupported(windows.TCP_KEEPCNT) +}) + +// SupportTCPKeepAliveIdle indicates whether TCP_KEEPIDLE is supported. +// The minimal requirement is Windows 10.0.16299. +func SupportTCPKeepAliveIdle() bool { + initTCPKeepAlive() + return supportTCPKeepAliveIdle +} + +// SupportTCPKeepAliveInterval indicates whether TCP_KEEPINTVL is supported. +// The minimal requirement is Windows 10.0.16299. +func SupportTCPKeepAliveInterval() bool { + initTCPKeepAlive() + return supportTCPKeepAliveInterval +} + +// SupportTCPKeepAliveCount indicates whether TCP_KEEPCNT is supported. +// supports TCP_KEEPCNT. +// The minimal requirement is Windows 10.0.15063. +func SupportTCPKeepAliveCount() bool { + initTCPKeepAlive() + return supportTCPKeepAliveCount +} diff --git a/common/net/tcpip.go b/common/net/tcpip.go index 4f4fa66118..a84e7e4c4f 100644 --- a/common/net/tcpip.go +++ b/common/net/tcpip.go @@ -4,12 +4,6 @@ import ( "fmt" "net" "strings" - "time" -) - -var ( - KeepAliveIdle = 0 * time.Second - KeepAliveInterval = 0 * time.Second ) func SplitNetworkType(s string) (string, string, error) { diff --git a/component/dialer/dialer.go b/component/dialer/dialer.go index ba95c31b81..2a39508f3f 100644 --- a/component/dialer/dialer.go +++ b/component/dialer/dialer.go @@ -13,7 +13,6 @@ import ( "time" "github.com/metacubex/mihomo/component/resolver" - "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/log" ) @@ -79,29 +78,29 @@ func DialContext(ctx context.Context, network, address string, options ...Option } func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort, options ...Option) (net.PacketConn, error) { - if features.CMFA && DefaultSocketHook != nil { - return listenPacketHooked(ctx, network, address) - } - cfg := applyOptions(options...) lc := &net.ListenConfig{} - if cfg.interfaceName != "" { - bind := bindIfaceToListenConfig - if cfg.fallbackBind { - bind = fallbackBindIfaceToListenConfig - } - addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort) - if err != nil { - return nil, err - } - address = addr - } if cfg.addrReuse { addrReuseToListenConfig(lc) } - if cfg.routingMark != 0 { - bindMarkToListenConfig(cfg.routingMark, lc, network, address) + if DefaultSocketHook != nil { // ignore interfaceName, routingMark when DefaultSocketHook not null (in CFMA) + socketHookToListenConfig(lc) + } else { + if cfg.interfaceName != "" { + bind := bindIfaceToListenConfig + if cfg.fallbackBind { + bind = fallbackBindIfaceToListenConfig + } + addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort) + if err != nil { + return nil, err + } + address = addr + } + if cfg.routingMark != 0 { + bindMarkToListenConfig(cfg.routingMark, lc, network, address) + } } return lc.ListenPacket(ctx, network, address) @@ -149,25 +148,26 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po setMultiPathTCP(dialer) } - if features.CMFA && DefaultSocketHook != nil { // ignore interfaceName, routingMark and tfo in CMFA - return dialContextHooked(ctx, dialer, network, address) - } - - if opt.interfaceName != "" { - bind := bindIfaceToDialer - if opt.fallbackBind { - bind = fallbackBindIfaceToDialer + if DefaultSocketHook != nil { // ignore interfaceName, routingMark and tfo when DefaultSocketHook not null (in CFMA) + socketHookToToDialer(dialer) + } else { + if opt.interfaceName != "" { + bind := bindIfaceToDialer + if opt.fallbackBind { + bind = fallbackBindIfaceToDialer + } + if err := bind(opt.interfaceName, dialer, network, destination); err != nil { + return nil, err + } } - if err := bind(opt.interfaceName, dialer, network, destination); err != nil { - return nil, err + if opt.routingMark != 0 { + bindMarkToDialer(opt.routingMark, dialer, network, destination) + } + if opt.tfo && !DisableTFO { + return dialTFO(ctx, *dialer, network, address) } } - if opt.routingMark != 0 { - bindMarkToDialer(opt.routingMark, dialer, network, destination) - } - if opt.tfo && !DisableTFO { - return dialTFO(ctx, *dialer, network, address) - } + return dialer.DialContext(ctx, network, address) } diff --git a/component/dialer/patch_android.go b/component/dialer/patch_android.go deleted file mode 100644 index 079b9772ab..0000000000 --- a/component/dialer/patch_android.go +++ /dev/null @@ -1,38 +0,0 @@ -//go:build android && cmfa - -package dialer - -import ( - "context" - "net" - "syscall" -) - -type SocketControl func(network, address string, conn syscall.RawConn) error - -var DefaultSocketHook SocketControl - -func dialContextHooked(ctx context.Context, dialer *net.Dialer, network string, address string) (net.Conn, error) { - addControlToDialer(dialer, func(ctx context.Context, network, address string, c syscall.RawConn) error { - return DefaultSocketHook(network, address, c) - }) - - conn, err := dialer.DialContext(ctx, network, address) - if err != nil { - return nil, err - } - - if t, ok := conn.(*net.TCPConn); ok { - t.SetKeepAlive(false) - } - - return conn, nil -} - -func listenPacketHooked(ctx context.Context, network, address string) (net.PacketConn, error) { - lc := &net.ListenConfig{ - Control: DefaultSocketHook, - } - - return lc.ListenPacket(ctx, network, address) -} diff --git a/component/dialer/patch_common.go b/component/dialer/patch_common.go deleted file mode 100644 index 2c96fe60b7..0000000000 --- a/component/dialer/patch_common.go +++ /dev/null @@ -1,21 +0,0 @@ -//go:build !(android && cmfa) - -package dialer - -import ( - "context" - "net" - "syscall" -) - -type SocketControl func(network, address string, conn syscall.RawConn) error - -var DefaultSocketHook SocketControl - -func dialContextHooked(ctx context.Context, dialer *net.Dialer, network string, address string) (net.Conn, error) { - return nil, nil -} - -func listenPacketHooked(ctx context.Context, network, address string) (net.PacketConn, error) { - return nil, nil -} diff --git a/component/dialer/socket_hook.go b/component/dialer/socket_hook.go new file mode 100644 index 0000000000..7a2ea43215 --- /dev/null +++ b/component/dialer/socket_hook.go @@ -0,0 +1,27 @@ +package dialer + +import ( + "context" + "net" + "syscall" +) + +// SocketControl +// never change type traits because it's used in CFMA +type SocketControl func(network, address string, conn syscall.RawConn) error + +// DefaultSocketHook +// never change type traits because it's used in CFMA +var DefaultSocketHook SocketControl + +func socketHookToToDialer(dialer *net.Dialer) { + addControlToDialer(dialer, func(ctx context.Context, network, address string, c syscall.RawConn) error { + return DefaultSocketHook(network, address, c) + }) +} + +func socketHookToListenConfig(lc *net.ListenConfig) { + addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error { + return DefaultSocketHook(network, address, c) + }) +} diff --git a/config/config.go b/config/config.go index 3b13146df4..235d71ae5c 100644 --- a/config/config.go +++ b/config/config.go @@ -340,6 +340,7 @@ type RawConfig struct { GlobalUA string `yaml:"global-ua"` KeepAliveIdle int `yaml:"keep-alive-idle"` KeepAliveInterval int `yaml:"keep-alive-interval"` + DisableKeepAlive bool `yaml:"disable-keep-alive"` Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` ProxyProvider map[string]map[string]any `yaml:"proxy-providers"` @@ -657,6 +658,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) { if cfg.KeepAliveInterval != 0 { N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second } + N.DisableKeepAlive = cfg.DisableKeepAlive updater.ExternalUIPath = cfg.ExternalUI // checkout externalUI exist diff --git a/docs/config.yaml b/docs/config.yaml index 6feca27d81..c4644550a0 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -82,8 +82,9 @@ external-doh-server: /dns-query global-client-fingerprint: chrome # TCP keep alive interval -# keep-alive-idle: 7200 -# keep-alive-interval: 75 +# disable-keep-alive: false #目前在android端强制为true +# keep-alive-idle: 15 +# keep-alive-interval: 15 # routing-mark:6666 # 配置 fwmark 仅用于 Linux experimental: diff --git a/listener/http/server.go b/listener/http/server.go index 77e10f0841..f61dd03609 100644 --- a/listener/http/server.go +++ b/listener/http/server.go @@ -4,9 +4,9 @@ import ( "net" "github.com/metacubex/mihomo/adapter/inbound" + N "github.com/metacubex/mihomo/common/net" "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" authStore "github.com/metacubex/mihomo/listener/auth" ) @@ -74,11 +74,7 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, authenticator auth.Authe } continue } - if features.CMFA { - if t, ok := conn.(*net.TCPConn); ok { - t.SetKeepAlive(false) - } - } + N.TCPKeepAlive(conn) if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) { _ = conn.Close() From 696b75ee375660bb8478ca94fe2f16b8ad2ff3c3 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 14 Aug 2024 20:02:02 +0800 Subject: [PATCH 08/42] feat: `fake-ip-filter` support `rule-set:` and `geosite:` --- component/fakeip/pool.go | 19 +++++++++++-- config/config.go | 59 ++++++++++++++++++++++++++++++++++++++-- docs/config.yaml | 15 ++++++---- 3 files changed, 83 insertions(+), 10 deletions(-) diff --git a/component/fakeip/pool.go b/component/fakeip/pool.go index 2b06fc0bdf..90e648fe2c 100644 --- a/component/fakeip/pool.go +++ b/component/fakeip/pool.go @@ -9,6 +9,7 @@ import ( "github.com/metacubex/mihomo/common/nnip" "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/trie" + C "github.com/metacubex/mihomo/constant" ) const ( @@ -36,6 +37,7 @@ type Pool struct { cycle bool mux sync.Mutex host *trie.DomainTrie[struct{}] + rules []C.Rule ipnet netip.Prefix store store } @@ -66,10 +68,18 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { - if p.host == nil { - return false + if p.host != nil { + if p.host.Search(domain) != nil { + return true + } + } + for _, rule := range p.rules { + metadata := &C.Metadata{Host: domain} + if match, _ := rule.Match(metadata); match { + return true + } } - return p.host.Search(domain) != nil + return false } // Exist returns if given ip exists in fake-ip pool @@ -156,6 +166,8 @@ type Options struct { IPNet netip.Prefix Host *trie.DomainTrie[struct{}] + Rules []C.Rule + // Size sets the maximum number of entries in memory // and does not work if Persistence is true Size int @@ -185,6 +197,7 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, + rules: options.Rules, ipnet: options.IPNet, } if options.Persistence { diff --git a/config/config.go b/config/config.go index 235d71ae5c..fae88e1a04 100644 --- a/config/config.go +++ b/config/config.go @@ -38,6 +38,7 @@ import ( LC "github.com/metacubex/mihomo/listener/config" "github.com/metacubex/mihomo/log" R "github.com/metacubex/mihomo/rules" + RC "github.com/metacubex/mihomo/rules/common" RP "github.com/metacubex/mihomo/rules/provider" T "github.com/metacubex/mihomo/tunnel" @@ -1408,13 +1409,63 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul } var host *trie.DomainTrie[struct{}] + var fakeIPRules []C.Rule // fake ip skip host filter if len(cfg.FakeIPFilter) != 0 { host = trie.New[struct{}]() for _, domain := range cfg.FakeIPFilter { - _ = host.Insert(domain, struct{}{}) + if strings.Contains(strings.ToLower(domain), ",") { + if strings.Contains(domain, "geosite:") { + subkeys := strings.Split(domain, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, country := range subkeys { + found := false + for _, rule := range rules { + if rule.RuleType() == C.GEOSITE { + if strings.EqualFold(country, rule.Payload()) { + found = true + fakeIPRules = append(fakeIPRules, rule) + } + } + } + if !found { + rule, err := RC.NewGEOSITE(country, "") + if err != nil { + return nil, err + } + fakeIPRules = append(fakeIPRules, rule) + } + } + + } + } else if strings.Contains(strings.ToLower(domain), "rule-set:") { + subkeys := strings.Split(domain, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, domainSetName := range subkeys { + if rp, ok := ruleProviders[domainSetName]; !ok { + return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + } else { + switch rp.Behavior() { + case providerTypes.IPCIDR: + return nil, fmt.Errorf("rule provider type error, except domain,actual %s", rp.Behavior()) + case providerTypes.Classical: + log.Warnln("%s provider is %s, only matching it contain domain rule", rp.Name(), rp.Behavior()) + default: + } + } + rule, err := RP.NewRuleSet(domainSetName, "", true) + if err != nil { + return nil, err + } + + fakeIPRules = append(fakeIPRules, rule) + } + } else { + _ = host.Insert(domain, struct{}{}) + } } - host.Optimize() } if len(dnsCfg.Fallback) != 0 { @@ -1427,6 +1478,9 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul } _ = host.Insert(fb.Addr, struct{}{}) } + } + + if host != nil { host.Optimize() } @@ -1434,6 +1488,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPNet: fakeIPRange, Size: 1000, Host: host, + Rules: fakeIPRules, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { diff --git a/docs/config.yaml b/docs/config.yaml index c4644550a0..8db06b6d7d 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -243,6 +243,16 @@ dns: fake-ip-range: 198.18.0.1/16 # fake-ip 池设置 + # 配置不使用 fake-ip 的域名 + fake-ip-filter: + - '*.lan' + - localhost.ptlogin2.qq.com + # fakeip-filter 为 rule-providers 中的名为 fakeip-filter 规则订阅, + # 且 behavior 必须为 domain/classical,当为 classical 时仅会生效域名类规则 + - rule-set:fakeip-filter + # fakeip-filter 为 geosite 中名为 fakeip-filter 的分类(需要自行保证该分类存在) + - geosite:fakeip-filter + # use-hosts: true # 查询 hosts # 配置后面的nameserver、fallback和nameserver-policy向dns服务器的连接过程是否遵守遵守rules规则 @@ -252,11 +262,6 @@ dns: # 此外,这三者配置中的dns服务器如果出现域名会采用default-nameserver配置项解析,也请确保正确配置default-nameserver respect-rules: false - # 配置不使用 fake-ip 的域名 - # fake-ip-filter: - # - '*.lan' - # - localhost.ptlogin2.qq.com - # DNS 主要域名配置 # 支持 UDP,TCP,DoT,DoH,DoQ # 这部分为主要 DNS 配置,影响所有直连,确保使用对大陆解析精准的 DNS From 7fd0467aefee2cf286e3a4f69d08dde9bfe339f8 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 14 Aug 2024 22:38:17 +0800 Subject: [PATCH 09/42] feat: `sniffer`'s `force-domain` and `skip-domain` support `rule-set:` and `geosite:` --- component/fakeip/pool.go | 19 +--- component/fakeip/pool_test.go | 4 +- component/sniffer/dispatcher.go | 32 +++--- component/trie/domain.go | 7 ++ config/config.go | 170 ++++++++++++++++---------------- constant/rule.go | 3 + rules/provider/domain_set.go | 43 ++++++++ 7 files changed, 166 insertions(+), 112 deletions(-) create mode 100644 rules/provider/domain_set.go diff --git a/component/fakeip/pool.go b/component/fakeip/pool.go index 90e648fe2c..8096a868af 100644 --- a/component/fakeip/pool.go +++ b/component/fakeip/pool.go @@ -8,7 +8,6 @@ import ( "github.com/metacubex/mihomo/common/nnip" "github.com/metacubex/mihomo/component/profile/cachefile" - "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" ) @@ -36,8 +35,7 @@ type Pool struct { offset netip.Addr cycle bool mux sync.Mutex - host *trie.DomainTrie[struct{}] - rules []C.Rule + host []C.Rule ipnet netip.Prefix store store } @@ -68,14 +66,8 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { - if p.host != nil { - if p.host.Search(domain) != nil { - return true - } - } - for _, rule := range p.rules { - metadata := &C.Metadata{Host: domain} - if match, _ := rule.Match(metadata); match { + for _, rule := range p.host { + if match, _ := rule.Match(&C.Metadata{Host: domain}); match { return true } } @@ -164,9 +156,7 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix - Host *trie.DomainTrie[struct{}] - - Rules []C.Rule + Host []C.Rule // Size sets the maximum number of entries in memory // and does not work if Persistence is true @@ -197,7 +187,6 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, - rules: options.Rules, ipnet: options.IPNet, } if options.Persistence { diff --git a/component/fakeip/pool_test.go b/component/fakeip/pool_test.go index cc50fcf7b5..9c05a32778 100644 --- a/component/fakeip/pool_test.go +++ b/component/fakeip/pool_test.go @@ -9,6 +9,8 @@ import ( "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/trie" + C "github.com/metacubex/mihomo/constant" + RP "github.com/metacubex/mihomo/rules/provider" "github.com/sagernet/bbolt" "github.com/stretchr/testify/assert" @@ -154,7 +156,7 @@ func TestPool_Skip(t *testing.T) { pools, tempfile, err := createPools(Options{ IPNet: ipnet, Size: 10, - Host: tree, + Host: []C.Rule{RP.NewDomainSet(tree.NewDomainSet(), "")}, }) assert.Nil(t, err) defer os.Remove(tempfile) diff --git a/component/sniffer/dispatcher.go b/component/sniffer/dispatcher.go index 4438638dad..c96f5a4b03 100644 --- a/component/sniffer/dispatcher.go +++ b/component/sniffer/dispatcher.go @@ -9,7 +9,6 @@ import ( "github.com/metacubex/mihomo/common/lru" N "github.com/metacubex/mihomo/common/net" - "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/constant/sniffer" "github.com/metacubex/mihomo/log" @@ -26,17 +25,26 @@ var Dispatcher *SnifferDispatcher type SnifferDispatcher struct { enable bool sniffers map[sniffer.Sniffer]SnifferConfig - forceDomain *trie.DomainSet - skipSNI *trie.DomainSet + forceDomain []C.Rule + skipDomain []C.Rule skipList *lru.LruCache[string, uint8] forceDnsMapping bool parsePureIp bool } func (sd *SnifferDispatcher) shouldOverride(metadata *C.Metadata) bool { - return (metadata.Host == "" && sd.parsePureIp) || - sd.forceDomain.Has(metadata.Host) || - (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) + if metadata.Host == "" && sd.parsePureIp { + return true + } + if metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping { + return true + } + for _, rule := range sd.forceDomain { + if ok, _ := rule.Match(&C.Metadata{Host: metadata.Host}); ok { + return true + } + } + return false } func (sd *SnifferDispatcher) UDPSniff(packet C.PacketAdapter) bool { @@ -94,9 +102,11 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%d] to [%s:%d]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort) return false } else { - if sd.skipSNI.Has(host) { - log.Debugln("[Sniffer] Skip sni[%s]", host) - return false + for _, rule := range sd.skipDomain { + if ok, _ := rule.Match(&C.Metadata{Host: host}); ok { + log.Debugln("[Sniffer] Skip sni[%s]", host) + return false + } } sd.skipList.Delete(dst) @@ -187,12 +197,12 @@ func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) { } func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, - forceDomain *trie.DomainSet, skipSNI *trie.DomainSet, + forceDomain []C.Rule, skipDomain []C.Rule, forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) { dispatcher := SnifferDispatcher{ enable: true, forceDomain: forceDomain, - skipSNI: skipSNI, + skipDomain: skipDomain, skipList: lru.New(lru.WithSize[string, uint8](128), lru.WithAge[string, uint8](600)), forceDnsMapping: forceDnsMapping, parsePureIp: parsePureIp, diff --git a/component/trie/domain.go b/component/trie/domain.go index db30402ede..6d3e37f70a 100644 --- a/component/trie/domain.go +++ b/component/trie/domain.go @@ -134,6 +134,13 @@ func (t *DomainTrie[T]) Foreach(fn func(domain string, data T) bool) { } } +func (t *DomainTrie[T]) IsEmpty() bool { + if t == nil { + return true + } + return t.root.isEmpty() +} + func recursion[T any](items []string, node *Node[T], fn func(domain string, data T) bool) bool { for key, data := range node.getChildren() { newItems := append([]string{key}, items...) diff --git a/config/config.go b/config/config.go index fae88e1a04..74ffdd038c 100644 --- a/config/config.go +++ b/config/config.go @@ -164,8 +164,8 @@ type IPTables struct { type Sniffer struct { Enable bool Sniffers map[snifferTypes.Type]SNIFF.SnifferConfig - ForceDomain *trie.DomainSet - SkipDomain *trie.DomainSet + ForceDomain []C.Rule + SkipDomain []C.Rule ForceDnsMapping bool ParsePureIp bool } @@ -627,7 +627,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } } - config.Sniffer, err = parseSniffer(rawCfg.Sniffer) + config.Sniffer, err = parseSniffer(rawCfg.Sniffer, rules, ruleProviders) if err != nil { return nil, err } @@ -1408,87 +1408,27 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul return nil, err } - var host *trie.DomainTrie[struct{}] - var fakeIPRules []C.Rule - // fake ip skip host filter - if len(cfg.FakeIPFilter) != 0 { - host = trie.New[struct{}]() - for _, domain := range cfg.FakeIPFilter { - if strings.Contains(strings.ToLower(domain), ",") { - if strings.Contains(domain, "geosite:") { - subkeys := strings.Split(domain, ":") - subkeys = subkeys[1:] - subkeys = strings.Split(subkeys[0], ",") - for _, country := range subkeys { - found := false - for _, rule := range rules { - if rule.RuleType() == C.GEOSITE { - if strings.EqualFold(country, rule.Payload()) { - found = true - fakeIPRules = append(fakeIPRules, rule) - } - } - } - if !found { - rule, err := RC.NewGEOSITE(country, "") - if err != nil { - return nil, err - } - fakeIPRules = append(fakeIPRules, rule) - } - } - - } - } else if strings.Contains(strings.ToLower(domain), "rule-set:") { - subkeys := strings.Split(domain, ":") - subkeys = subkeys[1:] - subkeys = strings.Split(subkeys[0], ",") - for _, domainSetName := range subkeys { - if rp, ok := ruleProviders[domainSetName]; !ok { - return nil, fmt.Errorf("not found rule-set: %s", domainSetName) - } else { - switch rp.Behavior() { - case providerTypes.IPCIDR: - return nil, fmt.Errorf("rule provider type error, except domain,actual %s", rp.Behavior()) - case providerTypes.Classical: - log.Warnln("%s provider is %s, only matching it contain domain rule", rp.Name(), rp.Behavior()) - default: - } - } - rule, err := RP.NewRuleSet(domainSetName, "", true) - if err != nil { - return nil, err - } - - fakeIPRules = append(fakeIPRules, rule) - } - } else { - _ = host.Insert(domain, struct{}{}) - } - } - } - + var fakeIPTrie *trie.DomainTrie[struct{}] if len(dnsCfg.Fallback) != 0 { - if host == nil { - host = trie.New[struct{}]() - } + fakeIPTrie = trie.New[struct{}]() for _, fb := range dnsCfg.Fallback { if net.ParseIP(fb.Addr) != nil { continue } - _ = host.Insert(fb.Addr, struct{}{}) + _ = fakeIPTrie.Insert(fb.Addr, struct{}{}) } } - if host != nil { - host.Optimize() + // fake ip skip host filter + host, err := parseDomain(cfg.FakeIPFilter, fakeIPTrie, rules, ruleProviders) + if err != nil { + return nil, err } pool, err := fakeip.New(fakeip.Options{ IPNet: fakeIPRange, Size: 1000, Host: host, - Rules: fakeIPRules, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { @@ -1609,7 +1549,7 @@ func parseTuicServer(rawTuic RawTuicServer, general *General) error { return nil } -func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { +func parseSniffer(snifferRaw RawSniffer, rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*Sniffer, error) { sniffer := &Sniffer{ Enable: snifferRaw.Enable, ForceDnsMapping: snifferRaw.ForceDnsMapping, @@ -1672,23 +1612,83 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { sniffer.Sniffers = loadSniffer - forceDomainTrie := trie.New[struct{}]() - for _, domain := range snifferRaw.ForceDomain { - err := forceDomainTrie.Insert(domain, struct{}{}) - if err != nil { - return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err) - } + forceDomain, err := parseDomain(snifferRaw.ForceDomain, nil, rules, ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in force-domain, error:%w", err) } - sniffer.ForceDomain = forceDomainTrie.NewDomainSet() + sniffer.ForceDomain = forceDomain - skipDomainTrie := trie.New[struct{}]() - for _, domain := range snifferRaw.SkipDomain { - err := skipDomainTrie.Insert(domain, struct{}{}) - if err != nil { - return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err) - } + skipDomain, err := parseDomain(snifferRaw.SkipDomain, nil, rules, ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in skip-domain, error:%w", err) } - sniffer.SkipDomain = skipDomainTrie.NewDomainSet() + sniffer.SkipDomain = skipDomain return sniffer, nil } + +func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (domainRules []C.Rule, err error) { + var rule C.Rule + for _, domain := range domains { + domainLower := strings.ToLower(domain) + if strings.Contains(domainLower, "geosite:") { + subkeys := strings.Split(domain, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, country := range subkeys { + found := false + for _, rule = range rules { + if rule.RuleType() == C.GEOSITE { + if strings.EqualFold(country, rule.Payload()) { + found = true + domainRules = append(domainRules, rule) + } + } + } + if !found { + rule, err = RC.NewGEOSITE(country, "") + if err != nil { + return nil, err + } + domainRules = append(domainRules, rule) + } + } + } else if strings.Contains(domainLower, "rule-set:") { + subkeys := strings.Split(domain, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, domainSetName := range subkeys { + if rp, ok := ruleProviders[domainSetName]; !ok { + return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + } else { + switch rp.Behavior() { + case providerTypes.IPCIDR: + return nil, fmt.Errorf("rule provider type error, except domain,actual %s", rp.Behavior()) + case providerTypes.Classical: + log.Warnln("%s provider is %s, only matching it contain domain rule", rp.Name(), rp.Behavior()) + default: + } + } + rule, err = RP.NewRuleSet(domainSetName, "", true) + if err != nil { + return nil, err + } + + domainRules = append(domainRules, rule) + } + } else { + if domainTrie == nil { + domainTrie = trie.New[struct{}]() + } + err = domainTrie.Insert(domain, struct{}{}) + if err != nil { + return nil, err + } + } + } + if !domainTrie.IsEmpty() { + rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "") + domainRules = append(domainRules, rule) + } + return +} diff --git a/constant/rule.go b/constant/rule.go index a91ee6cb07..f9f987e672 100644 --- a/constant/rule.go +++ b/constant/rule.go @@ -27,6 +27,7 @@ const ( ProcessNameRegex ProcessPathRegex RuleSet + DomainSet Network Uid SubRules @@ -90,6 +91,8 @@ func (rt RuleType) String() string { return "Match" case RuleSet: return "RuleSet" + case DomainSet: + return "DomainSet" case Network: return "Network" case DSCP: diff --git a/rules/provider/domain_set.go b/rules/provider/domain_set.go new file mode 100644 index 0000000000..372b438ea8 --- /dev/null +++ b/rules/provider/domain_set.go @@ -0,0 +1,43 @@ +package provider + +import ( + "github.com/metacubex/mihomo/component/trie" + C "github.com/metacubex/mihomo/constant" +) + +type DomainSet struct { + *domainStrategy + adapter string +} + +func (d *DomainSet) ProviderNames() []string { + return nil +} + +func (d *DomainSet) RuleType() C.RuleType { + return C.DomainSet +} + +func (d *DomainSet) Match(metadata *C.Metadata) (bool, string) { + if d.domainSet == nil { + return false, "" + } + return d.domainSet.Has(metadata.RuleHost()), d.adapter +} + +func (d *DomainSet) Adapter() string { + return d.adapter +} + +func (d *DomainSet) Payload() string { + return "" +} + +func NewDomainSet(domainSet *trie.DomainSet, adapter string) *DomainSet { + return &DomainSet{ + domainStrategy: &domainStrategy{domainSet: domainSet}, + adapter: adapter, + } +} + +var _ C.Rule = (*DomainSet)(nil) From 4c10d42fbff0ba8e22570015be234a45da28c11e Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Thu, 15 Aug 2024 07:42:59 +0800 Subject: [PATCH 10/42] fix: normal rule not working in `fake-ip-filter` --- component/fakeip/pool_test.go | 3 ++- component/trie/domain.go | 8 ++++---- component/trie/domain_set_test.go | 3 +++ 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/component/fakeip/pool_test.go b/component/fakeip/pool_test.go index 9c05a32778..ed52fb6d63 100644 --- a/component/fakeip/pool_test.go +++ b/component/fakeip/pool_test.go @@ -152,7 +152,8 @@ func TestPool_CycleUsed(t *testing.T) { func TestPool_Skip(t *testing.T) { ipnet := netip.MustParsePrefix("192.168.0.1/29") tree := trie.New[struct{}]() - tree.Insert("example.com", struct{}{}) + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) pools, tempfile, err := createPools(Options{ IPNet: ipnet, Size: 10, diff --git a/component/trie/domain.go b/component/trie/domain.go index 6d3e37f70a..87dfeda60d 100644 --- a/component/trie/domain.go +++ b/component/trie/domain.go @@ -126,7 +126,7 @@ func (t *DomainTrie[T]) Optimize() { func (t *DomainTrie[T]) Foreach(fn func(domain string, data T) bool) { for key, data := range t.root.getChildren() { recursion([]string{key}, data, fn) - if data != nil && data.inited { + if !data.isEmpty() { if !fn(joinDomain([]string{key}), data.data) { return } @@ -135,16 +135,16 @@ func (t *DomainTrie[T]) Foreach(fn func(domain string, data T) bool) { } func (t *DomainTrie[T]) IsEmpty() bool { - if t == nil { + if t == nil || t.root == nil { return true } - return t.root.isEmpty() + return len(t.root.getChildren()) == 0 } func recursion[T any](items []string, node *Node[T], fn func(domain string, data T) bool) bool { for key, data := range node.getChildren() { newItems := append([]string{key}, items...) - if data != nil && data.inited { + if !data.isEmpty() { domain := joinDomain(newItems) if domain[0] == domainStepByte { domain = complexWildcard + domain diff --git a/component/trie/domain_set_test.go b/component/trie/domain_set_test.go index e343d11d1c..38ba1622a3 100644 --- a/component/trie/domain_set_test.go +++ b/component/trie/domain_set_test.go @@ -40,6 +40,7 @@ func TestDomainSet(t *testing.T) { for _, domain := range domainSet { assert.NoError(t, tree.Insert(domain, struct{}{})) } + assert.False(t, tree.IsEmpty()) set := tree.NewDomainSet() assert.NotNil(t, set) assert.True(t, set.Has("test.cn")) @@ -68,6 +69,7 @@ func TestDomainSetComplexWildcard(t *testing.T) { for _, domain := range domainSet { assert.NoError(t, tree.Insert(domain, struct{}{})) } + assert.False(t, tree.IsEmpty()) set := tree.NewDomainSet() assert.NotNil(t, set) assert.False(t, set.Has("google.com")) @@ -90,6 +92,7 @@ func TestDomainSetWildcard(t *testing.T) { for _, domain := range domainSet { assert.NoError(t, tree.Insert(domain, struct{}{})) } + assert.False(t, tree.IsEmpty()) set := tree.NewDomainSet() assert.NotNil(t, set) assert.True(t, set.Has("www.baidu.com")) From 92ec5f223681a3dcf1f97e986717cfae353a66e1 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Thu, 15 Aug 2024 20:04:24 +0800 Subject: [PATCH 11/42] chore: cleanup dns policy match code --- config/config.go | 268 ++++++++++++++++------------------- constant/rule.go | 8 ++ constant/rule_extra.go | 17 --- dns/filters.go | 102 ------------- dns/policy.go | 27 +--- dns/resolver.go | 121 ++++------------ hub/executor/executor.go | 33 ++--- rules/provider/domain_set.go | 5 +- rules/provider/ipcidr_set.go | 40 ++++++ 9 files changed, 221 insertions(+), 400 deletions(-) delete mode 100644 constant/rule_extra.go delete mode 100644 dns/filters.go create mode 100644 rules/provider/ipcidr_set.go diff --git a/config/config.go b/config/config.go index 74ffdd038c..c1c155ecce 100644 --- a/config/config.go +++ b/config/config.go @@ -20,9 +20,9 @@ import ( N "github.com/metacubex/mihomo/common/net" "github.com/metacubex/mihomo/common/utils" "github.com/metacubex/mihomo/component/auth" + "github.com/metacubex/mihomo/component/cidr" "github.com/metacubex/mihomo/component/fakeip" "github.com/metacubex/mihomo/component/geodata" - "github.com/metacubex/mihomo/component/geodata/router" P "github.com/metacubex/mihomo/component/process" "github.com/metacubex/mihomo/component/resolver" SNIFF "github.com/metacubex/mihomo/component/sniffer" @@ -114,33 +114,25 @@ type NTP struct { // DNS config type DNS struct { - Enable bool `yaml:"enable"` - PreferH3 bool `yaml:"prefer-h3"` - IPv6 bool `yaml:"ipv6"` - IPv6Timeout uint `yaml:"ipv6-timeout"` - UseSystemHosts bool `yaml:"use-system-hosts"` - NameServer []dns.NameServer `yaml:"nameserver"` - Fallback []dns.NameServer `yaml:"fallback"` - FallbackFilter FallbackFilter `yaml:"fallback-filter"` - Listen string `yaml:"listen"` - EnhancedMode C.DNSMode `yaml:"enhanced-mode"` - DefaultNameserver []dns.NameServer `yaml:"default-nameserver"` - CacheAlgorithm string `yaml:"cache-algorithm"` + Enable bool + PreferH3 bool + IPv6 bool + IPv6Timeout uint + UseSystemHosts bool + NameServer []dns.NameServer + Fallback []dns.NameServer + FallbackIPFilter []C.Rule + FallbackDomainFilter []C.Rule + Listen string + EnhancedMode C.DNSMode + DefaultNameserver []dns.NameServer + CacheAlgorithm string FakeIPRange *fakeip.Pool Hosts *trie.DomainTrie[resolver.HostValue] - NameServerPolicy *orderedmap.OrderedMap[string, []dns.NameServer] + NameServerPolicy []dns.Policy ProxyServerNameserver []dns.NameServer } -// FallbackFilter config -type FallbackFilter struct { - GeoIP bool `yaml:"geoip"` - GeoIPCode string `yaml:"geoip-code"` - IPCIDR []netip.Prefix `yaml:"ipcidr"` - Domain []string `yaml:"domain"` - GeoSite []router.DomainMatcher `yaml:"geosite"` -} - // Profile config type Profile struct { StoreSelected bool `yaml:"store-selected"` @@ -1205,13 +1197,20 @@ func parsePureDNSServer(server string) string { } } -func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) (*orderedmap.OrderedMap[string, []dns.NameServer], error) { - policy := orderedmap.New[string, []dns.NameServer]() - updatedPolicy := orderedmap.New[string, any]() +func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) ([]dns.Policy, error) { + var policy []dns.Policy re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`) for pair := nsPolicy.Oldest(); pair != nil; pair = pair.Next() { k, v := pair.Key, pair.Value + servers, err := utils.ToStringSlice(v) + if err != nil { + return nil, err + } + nameservers, err := parseNameServer(servers, respectRules, preferH3) + if err != nil { + return nil, err + } if strings.Contains(strings.ToLower(k), ",") { if strings.Contains(k, "geosite:") { subkeys := strings.Split(k, ":") @@ -1219,7 +1218,7 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rulePro subkeys = strings.Split(subkeys[0], ",") for _, subkey := range subkeys { newKey := "geosite:" + subkey - updatedPolicy.Store(newKey, v) + policy = append(policy, dns.Policy{Domain: newKey, NameServers: nameservers}) } } else if strings.Contains(strings.ToLower(k), "rule-set:") { subkeys := strings.Split(k, ":") @@ -1227,103 +1226,50 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rulePro subkeys = strings.Split(subkeys[0], ",") for _, subkey := range subkeys { newKey := "rule-set:" + subkey - updatedPolicy.Store(newKey, v) + policy = append(policy, dns.Policy{Domain: newKey, NameServers: nameservers}) } } else if re.MatchString(k) { subkeys := strings.Split(k, ",") for _, subkey := range subkeys { - updatedPolicy.Store(subkey, v) + policy = append(policy, dns.Policy{Domain: subkey, NameServers: nameservers}) } } } else { if strings.Contains(strings.ToLower(k), "geosite:") { - updatedPolicy.Store("geosite:"+k[8:], v) + policy = append(policy, dns.Policy{Domain: "geosite:" + k[8:], NameServers: nameservers}) } else if strings.Contains(strings.ToLower(k), "rule-set:") { - updatedPolicy.Store("rule-set:"+k[9:], v) - } - updatedPolicy.Store(k, v) - } - } - - for pair := updatedPolicy.Oldest(); pair != nil; pair = pair.Next() { - domain, server := pair.Key, pair.Value - servers, err := utils.ToStringSlice(server) - if err != nil { - return nil, err - } - nameservers, err := parseNameServer(servers, respectRules, preferH3) - if err != nil { - return nil, err - } - if _, valid := trie.ValidAndSplitDomain(domain); !valid { - return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain) - } - if strings.HasPrefix(domain, "rule-set:") { - domainSetName := domain[9:] - if provider, ok := ruleProviders[domainSetName]; !ok { - return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + policy = append(policy, dns.Policy{Domain: "rule-set:" + k[9:], NameServers: nameservers}) } else { - switch provider.Behavior() { - case providerTypes.IPCIDR: - return nil, fmt.Errorf("rule provider type error, except domain,actual %s", provider.Behavior()) - case providerTypes.Classical: - log.Warnln("%s provider is %s, only matching it contain domain rule", provider.Name(), provider.Behavior()) - } + policy = append(policy, dns.Policy{Domain: k, NameServers: nameservers}) } } - policy.Store(domain, nameservers) } - return policy, nil -} - -func parseFallbackIPCIDR(ips []string) ([]netip.Prefix, error) { - var ipNets []netip.Prefix - - for idx, ip := range ips { - ipnet, err := netip.ParsePrefix(ip) - if err != nil { - return nil, fmt.Errorf("DNS FallbackIP[%d] format error: %s", idx, err.Error()) - } - ipNets = append(ipNets, ipnet) - } - - return ipNets, nil -} - -func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]router.DomainMatcher, error) { - var sites []router.DomainMatcher - if len(countries) > 0 { - if err := geodata.InitGeoSite(); err != nil { - return nil, fmt.Errorf("can't initial GeoSite: %s", err) - } - log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") - } + for idx, p := range policy { + domain, nameservers := p.Domain, p.NameServers - for _, country := range countries { - found := false - for _, rule := range rules { - if rule.RuleType() == C.GEOSITE { - if strings.EqualFold(country, rule.Payload()) { - found = true - sites = append(sites, rule.(C.RuleGeoSite).GetDomainMatcher()) - log.Infoln("Start initial GeoSite dns fallback filter from rule `%s`", country) - } + if strings.HasPrefix(domain, "rule-set:") { + domainSetName := domain[9:] + rule, err := parseDomainRuleSet(domainSetName, ruleProviders) + if err != nil { + return nil, err } - } - - if !found { - matcher, recordsCount, err := geodata.LoadGeoSiteMatcher(country) + policy[idx] = dns.Policy{Rule: rule, NameServers: nameservers} + } else if strings.HasPrefix(domain, "geosite:") { + country := domain[8:] + rule, err := parseGEOSITE(country, rules) if err != nil { return nil, err } - - sites = append(sites, matcher) - - log.Infoln("Start initial GeoSite dns fallback filter `%s`, records: %d", country, recordsCount) + policy[idx] = dns.Policy{Rule: rule, NameServers: nameservers} + } else { + if _, valid := trie.ValidAndSplitDomain(domain); !valid { + return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain) + } } } - return sites, nil + + return policy, nil } func paresNTP(rawCfg *RawConfig) *NTP { @@ -1357,10 +1303,6 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPv6: cfg.IPv6, UseSystemHosts: cfg.UseSystemHosts, EnhancedMode: cfg.EnhancedMode, - FallbackFilter: FallbackFilter{ - IPCIDR: []netip.Prefix{}, - GeoSite: []router.DomainMatcher{}, - }, } var err error if dnsCfg.NameServer, err = parseNameServer(cfg.NameServer, cfg.RespectRules, cfg.PreferH3); err != nil { @@ -1371,7 +1313,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul return nil, err } - if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, ruleProviders, cfg.RespectRules, cfg.PreferH3); err != nil { + if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, rules, ruleProviders, cfg.RespectRules, cfg.PreferH3); err != nil { return nil, err } @@ -1438,18 +1380,51 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul dnsCfg.FakeIPRange = pool } + var rule C.Rule if len(cfg.Fallback) != 0 { - dnsCfg.FallbackFilter.GeoIP = cfg.FallbackFilter.GeoIP - dnsCfg.FallbackFilter.GeoIPCode = cfg.FallbackFilter.GeoIPCode - if fallbackip, err := parseFallbackIPCIDR(cfg.FallbackFilter.IPCIDR); err == nil { - dnsCfg.FallbackFilter.IPCIDR = fallbackip + if cfg.FallbackFilter.GeoIP { + rule, err = RC.NewGEOIP(cfg.FallbackFilter.GeoIPCode, "", false, true) + if err != nil { + return nil, fmt.Errorf("load GeoIP dns fallback filter error, %w", err) + } + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) } - dnsCfg.FallbackFilter.Domain = cfg.FallbackFilter.Domain - fallbackGeoSite, err := parseFallbackGeoSite(cfg.FallbackFilter.GeoSite, rules) - if err != nil { - return nil, fmt.Errorf("load GeoSite dns fallback filter error, %w", err) + if len(cfg.FallbackFilter.IPCIDR) > 0 { + cidrSet := cidr.NewIpCidrSet() + for idx, ipcidr := range cfg.FallbackFilter.IPCIDR { + err = cidrSet.AddIpCidrForString(ipcidr) + if err != nil { + return nil, fmt.Errorf("DNS FallbackIP[%d] format error: %w", idx, err) + } + } + err = cidrSet.Merge() + if err != nil { + return nil, err + } + rule = RP.NewIpCidrSet(cidrSet, "") + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + } + if len(cfg.FallbackFilter.Domain) > 0 { + domainTrie := trie.New[struct{}]() + for idx, domain := range cfg.FallbackFilter.Domain { + err = domainTrie.Insert(domain, struct{}{}) + if err != nil { + return nil, fmt.Errorf("DNS FallbackDomain[%d] format error: %w", idx, err) + } + } + rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "") + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + } + if len(cfg.FallbackFilter.GeoSite) > 0 { + log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") + for idx, geoSite := range cfg.FallbackFilter.GeoSite { + rule, err = parseGEOSITE(geoSite, rules) + if err != nil { + return nil, fmt.Errorf("DNS FallbackGeosite[%d] format error: %w", idx, err) + } + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + } } - dnsCfg.FallbackFilter.GeoSite = fallbackGeoSite } if cfg.UseHosts { @@ -1636,44 +1611,21 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, country := range subkeys { - found := false - for _, rule = range rules { - if rule.RuleType() == C.GEOSITE { - if strings.EqualFold(country, rule.Payload()) { - found = true - domainRules = append(domainRules, rule) - } - } - } - if !found { - rule, err = RC.NewGEOSITE(country, "") - if err != nil { - return nil, err - } - domainRules = append(domainRules, rule) + rule, err = parseGEOSITE(country, rules) + if err != nil { + return nil, err } + domainRules = append(domainRules, rule) } } else if strings.Contains(domainLower, "rule-set:") { subkeys := strings.Split(domain, ":") subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, domainSetName := range subkeys { - if rp, ok := ruleProviders[domainSetName]; !ok { - return nil, fmt.Errorf("not found rule-set: %s", domainSetName) - } else { - switch rp.Behavior() { - case providerTypes.IPCIDR: - return nil, fmt.Errorf("rule provider type error, except domain,actual %s", rp.Behavior()) - case providerTypes.Classical: - log.Warnln("%s provider is %s, only matching it contain domain rule", rp.Name(), rp.Behavior()) - default: - } - } - rule, err = RP.NewRuleSet(domainSetName, "", true) + rule, err = parseDomainRuleSet(domainSetName, ruleProviders) if err != nil { return nil, err } - domainRules = append(domainRules, rule) } } else { @@ -1692,3 +1644,29 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules } return } + +func parseDomainRuleSet(domainSetName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { + if rp, ok := ruleProviders[domainSetName]; !ok { + return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + } else { + switch rp.Behavior() { + case providerTypes.IPCIDR: + return nil, fmt.Errorf("rule provider type error, except domain,actual %s", rp.Behavior()) + case providerTypes.Classical: + log.Warnln("%s provider is %s, only matching it contain domain rule", rp.Name(), rp.Behavior()) + default: + } + } + return RP.NewRuleSet(domainSetName, "", true) +} + +func parseGEOSITE(country string, rules []C.Rule) (C.Rule, error) { + for _, rule := range rules { + if rule.RuleType() == C.GEOSITE { + if strings.EqualFold(country, rule.Payload()) { + return rule, nil + } + } + } + return RC.NewGEOSITE(country, "") +} diff --git a/constant/rule.go b/constant/rule.go index f9f987e672..30cb2f8e11 100644 --- a/constant/rule.go +++ b/constant/rule.go @@ -28,6 +28,7 @@ const ( ProcessPathRegex RuleSet DomainSet + IpCidrSet Network Uid SubRules @@ -93,6 +94,8 @@ func (rt RuleType) String() string { return "RuleSet" case DomainSet: return "DomainSet" + case IpCidrSet: + return "IpCidrSet" case Network: return "Network" case DSCP: @@ -121,3 +124,8 @@ type Rule interface { ShouldFindProcess() bool ProviderNames() []string } + +type RuleGroup interface { + Rule + GetRecodeSize() int +} diff --git a/constant/rule_extra.go b/constant/rule_extra.go deleted file mode 100644 index b4ba65d993..0000000000 --- a/constant/rule_extra.go +++ /dev/null @@ -1,17 +0,0 @@ -package constant - -import ( - "github.com/metacubex/mihomo/component/geodata/router" -) - -type RuleGeoSite interface { - GetDomainMatcher() router.DomainMatcher -} - -type RuleGeoIP interface { - GetIPMatcher() *router.GeoIPMatcher -} - -type RuleGroup interface { - GetRecodeSize() int -} diff --git a/dns/filters.go b/dns/filters.go deleted file mode 100644 index 138f3429bb..0000000000 --- a/dns/filters.go +++ /dev/null @@ -1,102 +0,0 @@ -package dns - -import ( - "net/netip" - "strings" - - "github.com/metacubex/mihomo/component/geodata" - "github.com/metacubex/mihomo/component/geodata/router" - "github.com/metacubex/mihomo/component/mmdb" - "github.com/metacubex/mihomo/component/trie" - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/log" -) - -type fallbackIPFilter interface { - Match(netip.Addr) bool -} - -type geoipFilter struct { - code string -} - -var geoIPMatcher *router.GeoIPMatcher - -func (gf *geoipFilter) Match(ip netip.Addr) bool { - if !C.GeodataMode { - codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) - for _, code := range codes { - if !strings.EqualFold(code, gf.code) && !ip.IsPrivate() { - return true - } - } - return false - } - - if geoIPMatcher == nil { - var err error - geoIPMatcher, _, err = geodata.LoadGeoIPMatcher("CN") - if err != nil { - log.Errorln("[GeoIPFilter] LoadGeoIPMatcher error: %s", err.Error()) - return false - } - } - return !geoIPMatcher.Match(ip) -} - -type ipnetFilter struct { - ipnet netip.Prefix -} - -func (inf *ipnetFilter) Match(ip netip.Addr) bool { - return inf.ipnet.Contains(ip) -} - -type fallbackDomainFilter interface { - Match(domain string) bool -} - -type domainFilter struct { - tree *trie.DomainTrie[struct{}] -} - -func NewDomainFilter(domains []string) *domainFilter { - df := domainFilter{tree: trie.New[struct{}]()} - for _, domain := range domains { - _ = df.tree.Insert(domain, struct{}{}) - } - df.tree.Optimize() - return &df -} - -func (df *domainFilter) Match(domain string) bool { - return df.tree.Search(domain) != nil -} - -type geoSiteFilter struct { - matchers []router.DomainMatcher -} - -func NewGeoSite(group string) (fallbackDomainFilter, error) { - if err := geodata.InitGeoSite(); err != nil { - log.Errorln("can't initial GeoSite: %s", err) - return nil, err - } - matcher, _, err := geodata.LoadGeoSiteMatcher(group) - if err != nil { - return nil, err - } - filter := &geoSiteFilter{ - matchers: []router.DomainMatcher{matcher}, - } - return filter, nil -} - -func (gsf *geoSiteFilter) Match(domain string) bool { - for _, matcher := range gsf.matchers { - if matcher.ApplyDomain(domain) { - return true - } - } - return false -} diff --git a/dns/policy.go b/dns/policy.go index fc60401b01..d872286c55 100644 --- a/dns/policy.go +++ b/dns/policy.go @@ -3,7 +3,6 @@ package dns import ( "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/provider" ) type dnsPolicy interface { @@ -22,32 +21,14 @@ func (p domainTriePolicy) Match(domain string) []dnsClient { return nil } -type geositePolicy struct { - matcher fallbackDomainFilter - inverse bool +type domainRulePolicy struct { + rule C.Rule dnsClients []dnsClient } -func (p geositePolicy) Match(domain string) []dnsClient { - matched := p.matcher.Match(domain) - if matched != p.inverse { +func (p domainRulePolicy) Match(domain string) []dnsClient { + if ok, _ := p.rule.Match(&C.Metadata{Host: domain}); ok { return p.dnsClients } return nil } - -type domainSetPolicy struct { - tunnel provider.Tunnel - name string - dnsClients []dnsClient -} - -func (p domainSetPolicy) Match(domain string) []dnsClient { - if ruleProvider, ok := p.tunnel.RuleProviders()[p.name]; ok { - metadata := &C.Metadata{Host: domain} - if ok := ruleProvider.Match(metadata); ok { - return p.dnsClients - } - } - return nil -} diff --git a/dns/resolver.go b/dns/resolver.go index fc228761a3..7b9aafd0ec 100644 --- a/dns/resolver.go +++ b/dns/resolver.go @@ -4,13 +4,11 @@ import ( "context" "errors" "net/netip" - "strings" "time" "github.com/metacubex/mihomo/common/arc" "github.com/metacubex/mihomo/common/lru" "github.com/metacubex/mihomo/component/fakeip" - "github.com/metacubex/mihomo/component/geodata/router" "github.com/metacubex/mihomo/component/resolver" "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" @@ -19,7 +17,6 @@ import ( D "github.com/miekg/dns" "github.com/samber/lo" - orderedmap "github.com/wk8/go-ordered-map/v2" "golang.org/x/exp/maps" "golang.org/x/sync/singleflight" ) @@ -45,8 +42,8 @@ type Resolver struct { hosts *trie.DomainTrie[resolver.HostValue] main []dnsClient fallback []dnsClient - fallbackDomainFilters []fallbackDomainFilter - fallbackIPFilters []fallbackIPFilter + fallbackDomainFilters []C.Rule + fallbackIPFilters []C.Rule group singleflight.Group cache dnsCache policy []dnsPolicy @@ -122,7 +119,7 @@ func (r *Resolver) LookupIPv6(ctx context.Context, host string) ([]netip.Addr, e func (r *Resolver) shouldIPFallback(ip netip.Addr) bool { for _, filter := range r.fallbackIPFilters { - if filter.Match(ip) { + if ok, _ := filter.Match(&C.Metadata{DstIP: ip}); ok { return true } } @@ -277,7 +274,7 @@ func (r *Resolver) shouldOnlyQueryFallback(m *D.Msg) bool { } for _, df := range r.fallbackDomainFilters { - if df.Match(domain) { + if ok, _ := df.Match(&C.Metadata{Host: domain}); ok { return true } } @@ -398,27 +395,26 @@ func (ns NameServer) Equal(ns2 NameServer) bool { return false } -type FallbackFilter struct { - GeoIP bool - GeoIPCode string - IPCIDR []netip.Prefix - Domain []string - GeoSite []router.DomainMatcher +type Policy struct { + Domain string + Rule C.Rule + NameServers []NameServer } type Config struct { - Main, Fallback []NameServer - Default []NameServer - ProxyServer []NameServer - IPv6 bool - IPv6Timeout uint - EnhancedMode C.DNSMode - FallbackFilter FallbackFilter - Pool *fakeip.Pool - Hosts *trie.DomainTrie[resolver.HostValue] - Policy *orderedmap.OrderedMap[string, []NameServer] - Tunnel provider.Tunnel - CacheAlgorithm string + Main, Fallback []NameServer + Default []NameServer + ProxyServer []NameServer + IPv6 bool + IPv6Timeout uint + EnhancedMode C.DNSMode + FallbackIPFilter []C.Rule + FallbackDomainFilter []C.Rule + Pool *fakeip.Pool + Hosts *trie.DomainTrie[resolver.HostValue] + Policy []Policy + Tunnel provider.Tunnel + CacheAlgorithm string } func NewResolver(config Config) *Resolver { @@ -482,7 +478,7 @@ func NewResolver(config Config) *Resolver { r.proxyServer = cacheTransform(config.ProxyServer) } - if config.Policy.Len() != 0 { + if len(config.Policy) != 0 { r.policy = make([]dnsPolicy, 0) var triePolicy *trie.DomainTrie[[]dnsClient] @@ -497,75 +493,20 @@ func NewResolver(config Config) *Resolver { } } - for pair := config.Policy.Oldest(); pair != nil; pair = pair.Next() { - domain, nameserver := pair.Key, pair.Value - - if temp := strings.Split(domain, ":"); len(temp) == 2 { - prefix := temp[0] - key := temp[1] - switch prefix { - case "rule-set": - if _, ok := config.Tunnel.RuleProviders()[key]; ok { - log.Debugln("Adding rule-set policy: %s ", key) - insertPolicy(domainSetPolicy{ - tunnel: config.Tunnel, - name: key, - dnsClients: cacheTransform(nameserver), - }) - continue - } else { - log.Warnln("Can't found ruleset policy: %s", key) - } - case "geosite": - inverse := false - if strings.HasPrefix(key, "!") { - inverse = true - key = key[1:] - } - log.Debugln("Adding geosite policy: %s inversed %t", key, inverse) - matcher, err := NewGeoSite(key) - if err != nil { - log.Warnln("adding geosite policy %s error: %s", key, err) - continue - } - insertPolicy(geositePolicy{ - matcher: matcher, - inverse: inverse, - dnsClients: cacheTransform(nameserver), - }) - continue // skip triePolicy new + for _, policy := range config.Policy { + if policy.Rule != nil { + insertPolicy(domainRulePolicy{rule: policy.Rule, dnsClients: cacheTransform(policy.NameServers)}) + } else { + if triePolicy == nil { + triePolicy = trie.New[[]dnsClient]() } + _ = triePolicy.Insert(policy.Domain, cacheTransform(policy.NameServers)) } - if triePolicy == nil { - triePolicy = trie.New[[]dnsClient]() - } - _ = triePolicy.Insert(domain, cacheTransform(nameserver)) } insertPolicy(nil) } - - fallbackIPFilters := []fallbackIPFilter{} - if config.FallbackFilter.GeoIP { - fallbackIPFilters = append(fallbackIPFilters, &geoipFilter{ - code: config.FallbackFilter.GeoIPCode, - }) - } - for _, ipnet := range config.FallbackFilter.IPCIDR { - fallbackIPFilters = append(fallbackIPFilters, &ipnetFilter{ipnet: ipnet}) - } - r.fallbackIPFilters = fallbackIPFilters - - fallbackDomainFilters := []fallbackDomainFilter{} - if len(config.FallbackFilter.Domain) != 0 { - fallbackDomainFilters = append(fallbackDomainFilters, NewDomainFilter(config.FallbackFilter.Domain)) - } - - if len(config.FallbackFilter.GeoSite) != 0 { - fallbackDomainFilters = append(fallbackDomainFilters, &geoSiteFilter{ - matchers: config.FallbackFilter.GeoSite, - }) - } - r.fallbackDomainFilters = fallbackDomainFilters + r.fallbackIPFilters = config.FallbackIPFilter + r.fallbackDomainFilters = config.FallbackDomainFilter return r } diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 1e5781901b..6504e96aef 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -222,25 +222,20 @@ func updateDNS(c *config.DNS, generalIPv6 bool) { return } cfg := dns.Config{ - Main: c.NameServer, - Fallback: c.Fallback, - IPv6: c.IPv6 && generalIPv6, - IPv6Timeout: c.IPv6Timeout, - EnhancedMode: c.EnhancedMode, - Pool: c.FakeIPRange, - Hosts: c.Hosts, - FallbackFilter: dns.FallbackFilter{ - GeoIP: c.FallbackFilter.GeoIP, - GeoIPCode: c.FallbackFilter.GeoIPCode, - IPCIDR: c.FallbackFilter.IPCIDR, - Domain: c.FallbackFilter.Domain, - GeoSite: c.FallbackFilter.GeoSite, - }, - Default: c.DefaultNameserver, - Policy: c.NameServerPolicy, - ProxyServer: c.ProxyServerNameserver, - Tunnel: tunnel.Tunnel, - CacheAlgorithm: c.CacheAlgorithm, + Main: c.NameServer, + Fallback: c.Fallback, + IPv6: c.IPv6 && generalIPv6, + IPv6Timeout: c.IPv6Timeout, + EnhancedMode: c.EnhancedMode, + Pool: c.FakeIPRange, + Hosts: c.Hosts, + FallbackIPFilter: c.FallbackIPFilter, + FallbackDomainFilter: c.FallbackDomainFilter, + Default: c.DefaultNameserver, + Policy: c.NameServerPolicy, + ProxyServer: c.ProxyServerNameserver, + Tunnel: tunnel.Tunnel, + CacheAlgorithm: c.CacheAlgorithm, } r := dns.NewResolver(cfg) diff --git a/rules/provider/domain_set.go b/rules/provider/domain_set.go index 372b438ea8..573dd10574 100644 --- a/rules/provider/domain_set.go +++ b/rules/provider/domain_set.go @@ -19,10 +19,7 @@ func (d *DomainSet) RuleType() C.RuleType { } func (d *DomainSet) Match(metadata *C.Metadata) (bool, string) { - if d.domainSet == nil { - return false, "" - } - return d.domainSet.Has(metadata.RuleHost()), d.adapter + return d.domainStrategy.Match(metadata), d.adapter } func (d *DomainSet) Adapter() string { diff --git a/rules/provider/ipcidr_set.go b/rules/provider/ipcidr_set.go new file mode 100644 index 0000000000..348b6ab0ac --- /dev/null +++ b/rules/provider/ipcidr_set.go @@ -0,0 +1,40 @@ +package provider + +import ( + "github.com/metacubex/mihomo/component/cidr" + C "github.com/metacubex/mihomo/constant" +) + +type IpCidrSet struct { + *ipcidrStrategy + adapter string +} + +func (d *IpCidrSet) ProviderNames() []string { + return nil +} + +func (d *IpCidrSet) RuleType() C.RuleType { + return C.IpCidrSet +} + +func (d *IpCidrSet) Match(metadata *C.Metadata) (bool, string) { + return d.ipcidrStrategy.Match(metadata), d.adapter +} + +func (d *IpCidrSet) Adapter() string { + return d.adapter +} + +func (d *IpCidrSet) Payload() string { + return "" +} + +func NewIpCidrSet(cidrSet *cidr.IpCidrSet, adapter string) *IpCidrSet { + return &IpCidrSet{ + ipcidrStrategy: &ipcidrStrategy{cidrSet: cidrSet}, + adapter: adapter, + } +} + +var _ C.Rule = (*IpCidrSet)(nil) From 4fedfc47b0e968b4b47d102826c463c808172618 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Fri, 16 Aug 2024 09:19:18 +0800 Subject: [PATCH 12/42] chore: update geo unneeded reload whole config --- common/singleflight/singleflight.go | 224 ++++++++++++++++++++++++++ component/geodata/attr.go | 10 +- component/geodata/router/condition.go | 149 +++++++---------- component/geodata/utils.go | 149 +++++++++-------- component/updater/update_geo.go | 6 +- dns/resolver.go | 19 +-- go.mod | 2 +- hub/route/configs.go | 12 -- main.go | 12 +- rules/common/geoip.go | 64 ++++---- rules/common/geosite.go | 40 +++-- 11 files changed, 440 insertions(+), 247 deletions(-) create mode 100644 common/singleflight/singleflight.go diff --git a/common/singleflight/singleflight.go b/common/singleflight/singleflight.go new file mode 100644 index 0000000000..e31c4eb6fb --- /dev/null +++ b/common/singleflight/singleflight.go @@ -0,0 +1,224 @@ +// copy and modify from "golang.org/x/sync/singleflight" + +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package singleflight provides a duplicate function call suppression +// mechanism. +package singleflight + +import ( + "bytes" + "errors" + "fmt" + "runtime" + "runtime/debug" + "sync" +) + +// errGoexit indicates the runtime.Goexit was called in +// the user given function. +var errGoexit = errors.New("runtime.Goexit was called") + +// A panicError is an arbitrary value recovered from a panic +// with the stack trace during the execution of given function. +type panicError struct { + value interface{} + stack []byte +} + +// Error implements error interface. +func (p *panicError) Error() string { + return fmt.Sprintf("%v\n\n%s", p.value, p.stack) +} + +func (p *panicError) Unwrap() error { + err, ok := p.value.(error) + if !ok { + return nil + } + + return err +} + +func newPanicError(v interface{}) error { + stack := debug.Stack() + + // The first line of the stack trace is of the form "goroutine N [status]:" + // but by the time the panic reaches Do the goroutine may no longer exist + // and its status will have changed. Trim out the misleading line. + if line := bytes.IndexByte(stack[:], '\n'); line >= 0 { + stack = stack[line+1:] + } + return &panicError{value: v, stack: stack} +} + +// call is an in-flight or completed singleflight.Do call +type call[T any] struct { + wg sync.WaitGroup + + // These fields are written once before the WaitGroup is done + // and are only read after the WaitGroup is done. + val T + err error + + // These fields are read and written with the singleflight + // mutex held before the WaitGroup is done, and are read but + // not written after the WaitGroup is done. + dups int + chans []chan<- Result[T] +} + +// Group represents a class of work and forms a namespace in +// which units of work can be executed with duplicate suppression. +type Group[T any] struct { + mu sync.Mutex // protects m + m map[string]*call[T] // lazily initialized + + StoreResult bool +} + +// Result holds the results of Do, so they can be passed +// on a channel. +type Result[T any] struct { + Val T + Err error + Shared bool +} + +// Do executes and returns the results of the given function, making +// sure that only one execution is in-flight for a given key at a +// time. If a duplicate comes in, the duplicate caller waits for the +// original to complete and receives the same results. +// The return value shared indicates whether v was given to multiple callers. +func (g *Group[T]) Do(key string, fn func() (T, error)) (v T, err error, shared bool) { + g.mu.Lock() + if g.m == nil { + g.m = make(map[string]*call[T]) + } + if c, ok := g.m[key]; ok { + c.dups++ + g.mu.Unlock() + c.wg.Wait() + + if e, ok := c.err.(*panicError); ok { + panic(e) + } else if c.err == errGoexit { + runtime.Goexit() + } + return c.val, c.err, true + } + c := new(call[T]) + c.wg.Add(1) + g.m[key] = c + g.mu.Unlock() + + g.doCall(c, key, fn) + return c.val, c.err, c.dups > 0 +} + +// DoChan is like Do but returns a channel that will receive the +// results when they are ready. +// +// The returned channel will not be closed. +func (g *Group[T]) DoChan(key string, fn func() (T, error)) <-chan Result[T] { + ch := make(chan Result[T], 1) + g.mu.Lock() + if g.m == nil { + g.m = make(map[string]*call[T]) + } + if c, ok := g.m[key]; ok { + c.dups++ + c.chans = append(c.chans, ch) + g.mu.Unlock() + return ch + } + c := &call[T]{chans: []chan<- Result[T]{ch}} + c.wg.Add(1) + g.m[key] = c + g.mu.Unlock() + + go g.doCall(c, key, fn) + + return ch +} + +// doCall handles the single call for a key. +func (g *Group[T]) doCall(c *call[T], key string, fn func() (T, error)) { + normalReturn := false + recovered := false + + // use double-defer to distinguish panic from runtime.Goexit, + // more details see https://golang.org/cl/134395 + defer func() { + // the given function invoked runtime.Goexit + if !normalReturn && !recovered { + c.err = errGoexit + } + + g.mu.Lock() + defer g.mu.Unlock() + c.wg.Done() + if g.m[key] == c && !g.StoreResult { + delete(g.m, key) + } + + if e, ok := c.err.(*panicError); ok { + // In order to prevent the waiting channels from being blocked forever, + // needs to ensure that this panic cannot be recovered. + if len(c.chans) > 0 { + go panic(e) + select {} // Keep this goroutine around so that it will appear in the crash dump. + } else { + panic(e) + } + } else if c.err == errGoexit { + // Already in the process of goexit, no need to call again + } else { + // Normal return + for _, ch := range c.chans { + ch <- Result[T]{c.val, c.err, c.dups > 0} + } + } + }() + + func() { + defer func() { + if !normalReturn { + // Ideally, we would wait to take a stack trace until we've determined + // whether this is a panic or a runtime.Goexit. + // + // Unfortunately, the only way we can distinguish the two is to see + // whether the recover stopped the goroutine from terminating, and by + // the time we know that, the part of the stack trace relevant to the + // panic has been discarded. + if r := recover(); r != nil { + c.err = newPanicError(r) + } + } + }() + + c.val, c.err = fn() + normalReturn = true + }() + + if !normalReturn { + recovered = true + } +} + +// Forget tells the singleflight to forget about a key. Future calls +// to Do for this key will call the function rather than waiting for +// an earlier call to complete. +func (g *Group[T]) Forget(key string) { + g.mu.Lock() + delete(g.m, key) + g.mu.Unlock() +} + +func (g *Group[T]) Reset() { + g.mu.Lock() + g.m = nil + g.mu.Unlock() +} diff --git a/component/geodata/attr.go b/component/geodata/attr.go index a9742aca98..2fd41ad6c0 100644 --- a/component/geodata/attr.go +++ b/component/geodata/attr.go @@ -7,7 +7,7 @@ import ( ) type AttributeList struct { - matcher []AttributeMatcher + matcher []BooleanMatcher } func (al *AttributeList) Match(domain *router.Domain) bool { @@ -23,6 +23,14 @@ func (al *AttributeList) IsEmpty() bool { return len(al.matcher) == 0 } +func (al *AttributeList) String() string { + matcher := make([]string, len(al.matcher)) + for i, match := range al.matcher { + matcher[i] = string(match) + } + return strings.Join(matcher, ",") +} + func parseAttrs(attrs []string) *AttributeList { al := new(AttributeList) for _, attr := range attrs { diff --git a/component/geodata/router/condition.go b/component/geodata/router/condition.go index 5261d2fee8..fb47e4a40c 100644 --- a/component/geodata/router/condition.go +++ b/component/geodata/router/condition.go @@ -33,12 +33,13 @@ func domainToMatcher(domain *Domain) (strmatcher.Matcher, error) { type DomainMatcher interface { ApplyDomain(string) bool + Count() int } type succinctDomainMatcher struct { set *trie.DomainSet otherMatchers []strmatcher.Matcher - not bool + count int } func (m *succinctDomainMatcher) ApplyDomain(domain string) bool { @@ -51,16 +52,17 @@ func (m *succinctDomainMatcher) ApplyDomain(domain string) bool { } } } - if m.not { - isMatched = !isMatched - } return isMatched } -func NewSuccinctMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) { +func (m *succinctDomainMatcher) Count() int { + return m.count +} + +func NewSuccinctMatcherGroup(domains []*Domain) (DomainMatcher, error) { t := trie.New[struct{}]() m := &succinctDomainMatcher{ - not: not, + count: len(domains), } for _, d := range domains { switch d.Type { @@ -90,10 +92,10 @@ func NewSuccinctMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) type v2rayDomainMatcher struct { matchers strmatcher.IndexMatcher - not bool + count int } -func NewMphMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) { +func NewMphMatcherGroup(domains []*Domain) (DomainMatcher, error) { g := strmatcher.NewMphMatcherGroup() for _, d := range domains { matcherType, f := matcherTypeMap[d.Type] @@ -108,119 +110,80 @@ func NewMphMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) { g.Build() return &v2rayDomainMatcher{ matchers: g, - not: not, + count: len(domains), }, nil } func (m *v2rayDomainMatcher) ApplyDomain(domain string) bool { - isMatched := len(m.matchers.Match(strings.ToLower(domain))) > 0 - if m.not { - isMatched = !isMatched - } - return isMatched + return len(m.matchers.Match(strings.ToLower(domain))) > 0 } -type GeoIPMatcher struct { - countryCode string - reverseMatch bool - cidrSet *cidr.IpCidrSet +func (m *v2rayDomainMatcher) Count() int { + return m.count } -func (m *GeoIPMatcher) Init(cidrs []*CIDR) error { - for _, cidr := range cidrs { - addr, ok := netip.AddrFromSlice(cidr.Ip) - if !ok { - return fmt.Errorf("error when loading GeoIP: invalid IP: %s", cidr.Ip) - } - err := m.cidrSet.AddIpCidr(netip.PrefixFrom(addr, int(cidr.Prefix))) - if err != nil { - return fmt.Errorf("error when loading GeoIP: %w", err) - } - } - return m.cidrSet.Merge() +type notDomainMatcher struct { + DomainMatcher } -func (m *GeoIPMatcher) SetReverseMatch(isReverseMatch bool) { - m.reverseMatch = isReverseMatch +func (m notDomainMatcher) ApplyDomain(domain string) bool { + return !m.DomainMatcher.ApplyDomain(domain) } -// Match returns true if the given ip is included by the GeoIP. -func (m *GeoIPMatcher) Match(ip netip.Addr) bool { - match := m.cidrSet.IsContain(ip) - if m.reverseMatch { - return !match - } - return match +func NewNotDomainMatcherGroup(matcher DomainMatcher) DomainMatcher { + return notDomainMatcher{matcher} } -// GeoIPMatcherContainer is a container for GeoIPMatchers. It keeps unique copies of GeoIPMatcher by country code. -type GeoIPMatcherContainer struct { - matchers []*GeoIPMatcher +type IPMatcher interface { + Match(ip netip.Addr) bool + Count() int } -// Add adds a new GeoIP set into the container. -// If the country code of GeoIP is not empty, GeoIPMatcherContainer will try to find an existing one, instead of adding a new one. -func (c *GeoIPMatcherContainer) Add(geoip *GeoIP) (*GeoIPMatcher, error) { - if len(geoip.CountryCode) > 0 { - for _, m := range c.matchers { - if m.countryCode == geoip.CountryCode && m.reverseMatch == geoip.ReverseMatch { - return m, nil - } - } - } - - m := &GeoIPMatcher{ - countryCode: geoip.CountryCode, - reverseMatch: geoip.ReverseMatch, - cidrSet: cidr.NewIpCidrSet(), - } - if err := m.Init(geoip.Cidr); err != nil { - return nil, err - } - if len(geoip.CountryCode) > 0 { - c.matchers = append(c.matchers, m) - } - return m, nil +type geoIPMatcher struct { + cidrSet *cidr.IpCidrSet + count int } -var globalGeoIPContainer GeoIPMatcherContainer +// Match returns true if the given ip is included by the GeoIP. +func (m *geoIPMatcher) Match(ip netip.Addr) bool { + return m.cidrSet.IsContain(ip) +} -type MultiGeoIPMatcher struct { - matchers []*GeoIPMatcher +func (m *geoIPMatcher) Count() int { + return m.count } -func NewGeoIPMatcher(geoip *GeoIP) (*GeoIPMatcher, error) { - matcher, err := globalGeoIPContainer.Add(geoip) +func NewGeoIPMatcher(cidrList []*CIDR) (IPMatcher, error) { + m := &geoIPMatcher{ + cidrSet: cidr.NewIpCidrSet(), + count: len(cidrList), + } + for _, cidr := range cidrList { + addr, ok := netip.AddrFromSlice(cidr.Ip) + if !ok { + return nil, fmt.Errorf("error when loading GeoIP: invalid IP: %s", cidr.Ip) + } + err := m.cidrSet.AddIpCidr(netip.PrefixFrom(addr, int(cidr.Prefix))) + if err != nil { + return nil, fmt.Errorf("error when loading GeoIP: %w", err) + } + } + err := m.cidrSet.Merge() if err != nil { return nil, err } - return matcher, nil + return m, nil } -func (m *MultiGeoIPMatcher) ApplyIp(ip netip.Addr) bool { - for _, matcher := range m.matchers { - if matcher.Match(ip) { - return true - } - } - - return false +type notIPMatcher struct { + IPMatcher } -func NewMultiGeoIPMatcher(geoips []*GeoIP) (*MultiGeoIPMatcher, error) { - var matchers []*GeoIPMatcher - for _, geoip := range geoips { - matcher, err := globalGeoIPContainer.Add(geoip) - if err != nil { - return nil, err - } - matchers = append(matchers, matcher) - } - - matcher := &MultiGeoIPMatcher{ - matchers: matchers, - } +func (m notIPMatcher) Match(ip netip.Addr) bool { + return !m.IPMatcher.Match(ip) +} - return matcher, nil +func NewNotIpMatcherGroup(matcher IPMatcher) IPMatcher { + return notIPMatcher{matcher} } diff --git a/component/geodata/utils.go b/component/geodata/utils.go index 981d7eba4f..a16e255e14 100644 --- a/component/geodata/utils.go +++ b/component/geodata/utils.go @@ -5,8 +5,7 @@ import ( "fmt" "strings" - "golang.org/x/sync/singleflight" - + "github.com/metacubex/mihomo/common/singleflight" "github.com/metacubex/mihomo/component/geodata/router" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" @@ -71,21 +70,22 @@ func SetSiteMatcher(newMatcher string) { func Verify(name string) error { switch name { case C.GeositeName: - _, _, err := LoadGeoSiteMatcher("CN") + _, err := LoadGeoSiteMatcher("CN") return err case C.GeoipName: - _, _, err := LoadGeoIPMatcher("CN") + _, err := LoadGeoIPMatcher("CN") return err default: return fmt.Errorf("not support name") } } -var loadGeoSiteMatcherSF = singleflight.Group{} +var loadGeoSiteMatcherListSF = singleflight.Group[[]*router.Domain]{StoreResult: true} +var loadGeoSiteMatcherSF = singleflight.Group[router.DomainMatcher]{StoreResult: true} -func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, int, error) { +func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, error) { if countryCode == "" { - return nil, 0, fmt.Errorf("country code could not be empty") + return nil, fmt.Errorf("country code could not be empty") } not := false @@ -97,73 +97,84 @@ func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, int, error) { parts := strings.Split(countryCode, "@") if len(parts) == 0 { - return nil, 0, errors.New("empty rule") + return nil, errors.New("empty rule") } listName := strings.TrimSpace(parts[0]) attrVal := parts[1:] + attrs := parseAttrs(attrVal) if listName == "" { - return nil, 0, fmt.Errorf("empty listname in rule: %s", countryCode) + return nil, fmt.Errorf("empty listname in rule: %s", countryCode) } - v, err, shared := loadGeoSiteMatcherSF.Do(listName, func() (interface{}, error) { - geoLoader, err := GetGeoDataLoader(geoLoaderName) + matcherName := listName + if !attrs.IsEmpty() { + matcherName += "@" + attrs.String() + } + matcher, err, shared := loadGeoSiteMatcherSF.Do(matcherName, func() (router.DomainMatcher, error) { + log.Infoln("Load GeoSite rule: %s", matcherName) + domains, err, shared := loadGeoSiteMatcherListSF.Do(listName, func() ([]*router.Domain, error) { + geoLoader, err := GetGeoDataLoader(geoLoaderName) + if err != nil { + return nil, err + } + return geoLoader.LoadGeoSite(listName) + }) if err != nil { + if !shared { + loadGeoSiteMatcherListSF.Forget(listName) // don't store the error result + } return nil, err } - return geoLoader.LoadGeoSite(listName) - }) - if err != nil { - if !shared { - loadGeoSiteMatcherSF.Forget(listName) // don't store the error result - } - return nil, 0, err - } - domains := v.([]*router.Domain) - attrs := parseAttrs(attrVal) - if attrs.IsEmpty() { - if strings.Contains(countryCode, "@") { - log.Warnln("empty attribute list: %s", countryCode) - } - } else { - filteredDomains := make([]*router.Domain, 0, len(domains)) - hasAttrMatched := false - for _, domain := range domains { - if attrs.Match(domain) { - hasAttrMatched = true - filteredDomains = append(filteredDomains, domain) + if attrs.IsEmpty() { + if strings.Contains(countryCode, "@") { + log.Warnln("empty attribute list: %s", countryCode) } + } else { + filteredDomains := make([]*router.Domain, 0, len(domains)) + hasAttrMatched := false + for _, domain := range domains { + if attrs.Match(domain) { + hasAttrMatched = true + filteredDomains = append(filteredDomains, domain) + } + } + if !hasAttrMatched { + log.Warnln("attribute match no rule: geosite: %s", countryCode) + } + domains = filteredDomains } - if !hasAttrMatched { - log.Warnln("attribute match no rule: geosite: %s", countryCode) - } - domains = filteredDomains - } - /** - linear: linear algorithm - matcher, err := router.NewDomainMatcher(domains) - mph:minimal perfect hash algorithm - */ - var matcher router.DomainMatcher - if geoSiteMatcher == "mph" { - matcher, err = router.NewMphMatcherGroup(domains, not) - } else { - matcher, err = router.NewSuccinctMatcherGroup(domains, not) - } + /** + linear: linear algorithm + matcher, err := router.NewDomainMatcher(domains) + mph:minimal perfect hash algorithm + */ + if geoSiteMatcher == "mph" { + return router.NewMphMatcherGroup(domains) + } else { + return router.NewSuccinctMatcherGroup(domains) + } + }) if err != nil { - return nil, 0, err + if !shared { + loadGeoSiteMatcherSF.Forget(matcherName) // don't store the error result + } + return nil, err + } + if not { + matcher = router.NewNotDomainMatcherGroup(matcher) } - return matcher, len(domains), nil + return matcher, nil } -var loadGeoIPMatcherSF = singleflight.Group{} +var loadGeoIPMatcherSF = singleflight.Group[router.IPMatcher]{StoreResult: true} -func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) { +func LoadGeoIPMatcher(country string) (router.IPMatcher, error) { if len(country) == 0 { - return nil, 0, fmt.Errorf("country code could not be empty") + return nil, fmt.Errorf("country code could not be empty") } not := false @@ -173,35 +184,33 @@ func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) { } country = strings.ToLower(country) - v, err, shared := loadGeoIPMatcherSF.Do(country, func() (interface{}, error) { + matcher, err, shared := loadGeoIPMatcherSF.Do(country, func() (router.IPMatcher, error) { + log.Infoln("Load GeoIP rule: %s", country) geoLoader, err := GetGeoDataLoader(geoLoaderName) if err != nil { return nil, err } - return geoLoader.LoadGeoIP(country) + cidrList, err := geoLoader.LoadGeoIP(country) + if err != nil { + return nil, err + } + return router.NewGeoIPMatcher(cidrList) }) if err != nil { if !shared { loadGeoIPMatcherSF.Forget(country) // don't store the error result + log.Warnln("Load GeoIP rule: %s", country) } - return nil, 0, err + return nil, err } - records := v.([]*router.CIDR) - - geoIP := &router.GeoIP{ - CountryCode: country, - Cidr: records, - ReverseMatch: not, - } - - matcher, err := router.NewGeoIPMatcher(geoIP) - if err != nil { - return nil, 0, err + if not { + matcher = router.NewNotIpMatcherGroup(matcher) } - return matcher, len(records), nil + return matcher, nil } func ClearCache() { - loadGeoSiteMatcherSF = singleflight.Group{} - loadGeoIPMatcherSF = singleflight.Group{} + loadGeoSiteMatcherListSF.Reset() + loadGeoSiteMatcherSF.Reset() + loadGeoIPMatcherSF.Reset() } diff --git a/component/updater/update_geo.go b/component/updater/update_geo.go index b07cd31587..4d16c12874 100644 --- a/component/updater/update_geo.go +++ b/component/updater/update_geo.go @@ -137,7 +137,7 @@ func getUpdateTime() (err error, time time.Time) { return nil, fileInfo.ModTime() } -func RegisterGeoUpdater(onSuccess func()) { +func RegisterGeoUpdater() { if C.GeoUpdateInterval <= 0 { log.Errorln("[GEO] Invalid update interval: %d", C.GeoUpdateInterval) return @@ -159,8 +159,6 @@ func RegisterGeoUpdater(onSuccess func()) { if err := UpdateGeoDatabases(); err != nil { log.Errorln("[GEO] Failed to update GEO database: %s", err.Error()) return - } else { - onSuccess() } } @@ -168,8 +166,6 @@ func RegisterGeoUpdater(onSuccess func()) { log.Infoln("[GEO] updating database every %d hours", C.GeoUpdateInterval) if err := UpdateGeoDatabases(); err != nil { log.Errorln("[GEO] Failed to update GEO database: %s", err.Error()) - } else { - onSuccess() } } }() diff --git a/dns/resolver.go b/dns/resolver.go index 7b9aafd0ec..3cc7a41e35 100644 --- a/dns/resolver.go +++ b/dns/resolver.go @@ -8,6 +8,7 @@ import ( "github.com/metacubex/mihomo/common/arc" "github.com/metacubex/mihomo/common/lru" + "github.com/metacubex/mihomo/common/singleflight" "github.com/metacubex/mihomo/component/fakeip" "github.com/metacubex/mihomo/component/resolver" "github.com/metacubex/mihomo/component/trie" @@ -18,7 +19,6 @@ import ( D "github.com/miekg/dns" "github.com/samber/lo" "golang.org/x/exp/maps" - "golang.org/x/sync/singleflight" ) type dnsClient interface { @@ -44,7 +44,7 @@ type Resolver struct { fallback []dnsClient fallbackDomainFilters []C.Rule fallbackIPFilters []C.Rule - group singleflight.Group + group singleflight.Group[*D.Msg] cache dnsCache policy []dnsPolicy proxyServer []dnsClient @@ -169,19 +169,20 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M retryNum := 0 retryMax := 3 - fn := func() (result any, err error) { + fn := func() (result *D.Msg, err error) { ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout) // reset timeout in singleflight defer cancel() cache := false defer func() { if err != nil { - result = retryNum + result = &D.Msg{} + result.Opcode = retryNum retryNum++ return } - msg := result.(*D.Msg) + msg := result if cache { // OPT RRs MUST NOT be cached, forwarded, or stored in or loaded from master files. @@ -208,7 +209,7 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M ch := r.group.DoChan(q.String(), fn) - var result singleflight.Result + var result singleflight.Result[*D.Msg] select { case result = <-ch: @@ -221,7 +222,7 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M go func() { // start a retrying monitor in background result := <-ch ret, err, shared := result.Val, result.Err, result.Shared - if err != nil && !shared && ret.(int) < retryMax { // retry + if err != nil && !shared && ret.Opcode < retryMax { // retry r.group.DoChan(q.String(), fn) } }() @@ -230,12 +231,12 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M } ret, err, shared := result.Val, result.Err, result.Shared - if err != nil && !shared && ret.(int) < retryMax { // retry + if err != nil && !shared && ret.Opcode < retryMax { // retry r.group.DoChan(q.String(), fn) } if err == nil { - msg = ret.(*D.Msg) + msg = ret if shared { msg = msg.Copy() } diff --git a/go.mod b/go.mod index 90c252798b..bc9fccba98 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,6 @@ require ( golang.org/x/crypto v0.26.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 golang.org/x/net v0.28.0 - golang.org/x/sync v0.8.0 golang.org/x/sys v0.23.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 @@ -108,6 +107,7 @@ require ( gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect go.uber.org/mock v0.4.0 // indirect golang.org/x/mod v0.19.0 // indirect + golang.org/x/sync v0.8.0 // indirect golang.org/x/text v0.17.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.23.0 // indirect diff --git a/hub/route/configs.go b/hub/route/configs.go index a4dcaa5257..c7b340c603 100644 --- a/hub/route/configs.go +++ b/hub/route/configs.go @@ -408,17 +408,5 @@ func updateGeoDatabases(w http.ResponseWriter, r *http.Request) { return } - cfg, err := executor.ParseWithPath(C.Path.Config()) - if err != nil { - log.Errorln("[GEO] update GEO databases failed: %v", err) - render.Status(r, http.StatusInternalServerError) - render.JSON(w, r, newError("Error parsing configuration")) - return - } - - log.Warnln("[GEO] update GEO databases success, applying config") - - executor.ApplyConfig(cfg, false) - render.NoContent(w, r) } diff --git a/main.go b/main.go index cd903ce6d9..06a04ca17b 100644 --- a/main.go +++ b/main.go @@ -120,17 +120,7 @@ func main() { } if C.GeoAutoUpdate { - updater.RegisterGeoUpdater(func() { - cfg, err := executor.ParseWithPath(C.Path.Config()) - if err != nil { - log.Errorln("[GEO] update GEO databases failed: %v", err) - return - } - - log.Warnln("[GEO] update GEO databases success, applying config") - - executor.ApplyConfig(cfg, false) - }) + updater.RegisterGeoUpdater() } defer executor.Shutdown() diff --git a/rules/common/geoip.go b/rules/common/geoip.go index b50680a47a..839253212a 100644 --- a/rules/common/geoip.go +++ b/rules/common/geoip.go @@ -1,6 +1,7 @@ package common import ( + "errors" "fmt" "strings" @@ -14,12 +15,11 @@ import ( type GEOIP struct { *Base - country string - adapter string - noResolveIP bool - isSourceIP bool - geoIPMatcher *router.GeoIPMatcher - recodeSize int + country string + adapter string + noResolveIP bool + isSourceIP bool + geodata bool } var _ C.Rule = (*GEOIP)(nil) @@ -78,7 +78,11 @@ func (g *GEOIP) Match(metadata *C.Metadata) (bool, string) { return false, g.adapter } - match := g.geoIPMatcher.Match(ip) + matcher, err := g.GetIPMatcher() + if err != nil { + return false, "" + } + match := matcher.Match(ip) if match && !g.isSourceIP { metadata.DstGeoIP = append(metadata.DstGeoIP, g.country) } @@ -101,12 +105,22 @@ func (g *GEOIP) GetCountry() string { return g.country } -func (g *GEOIP) GetIPMatcher() *router.GeoIPMatcher { - return g.geoIPMatcher +func (g *GEOIP) GetIPMatcher() (router.IPMatcher, error) { + if g.geodata { + geoIPMatcher, err := geodata.LoadGeoIPMatcher(g.country) + if err != nil { + return nil, fmt.Errorf("[GeoIP] %w", err) + } + return geoIPMatcher, nil + } + return nil, errors.New("geoip country not set") } func (g *GEOIP) GetRecodeSize() int { - return g.recodeSize + if matcher, err := g.GetIPMatcher(); err == nil { + return matcher.Count() + } + return 0 } func NewGEOIP(country string, adapter string, isSrc, noResolveIP bool) (*GEOIP, error) { @@ -116,31 +130,23 @@ func NewGEOIP(country string, adapter string, isSrc, noResolveIP bool) (*GEOIP, } country = strings.ToLower(country) + geoip := &GEOIP{ + Base: &Base{}, + country: country, + adapter: adapter, + noResolveIP: noResolveIP, + isSourceIP: isSrc, + } if !C.GeodataMode || country == "lan" { - geoip := &GEOIP{ - Base: &Base{}, - country: country, - adapter: adapter, - noResolveIP: noResolveIP, - isSourceIP: isSrc, - } return geoip, nil } - geoIPMatcher, size, err := geodata.LoadGeoIPMatcher(country) + geoip.geodata = true + geoIPMatcher, err := geoip.GetIPMatcher() // test load if err != nil { - return nil, fmt.Errorf("[GeoIP] %w", err) + return nil, err } - log.Infoln("Start initial GeoIP rule %s => %s, records: %d", country, adapter, size) - geoip := &GEOIP{ - Base: &Base{}, - country: country, - adapter: adapter, - noResolveIP: noResolveIP, - isSourceIP: isSrc, - geoIPMatcher: geoIPMatcher, - recodeSize: size, - } + log.Infoln("Finished initial GeoIP rule %s => %s, records: %d", country, adapter, geoIPMatcher.Count()) return geoip, nil } diff --git a/rules/common/geosite.go b/rules/common/geosite.go index 1e3c1ab5ad..a728e9917f 100644 --- a/rules/common/geosite.go +++ b/rules/common/geosite.go @@ -15,7 +15,6 @@ type GEOSITE struct { *Base country string adapter string - matcher router.DomainMatcher recodeSize int } @@ -28,7 +27,11 @@ func (gs *GEOSITE) Match(metadata *C.Metadata) (bool, string) { if len(domain) == 0 { return false, "" } - return gs.matcher.ApplyDomain(domain), gs.adapter + matcher, err := gs.GetDomainMatcher() + if err != nil { + return false, "" + } + return matcher.ApplyDomain(domain), gs.adapter } func (gs *GEOSITE) Adapter() string { @@ -39,12 +42,19 @@ func (gs *GEOSITE) Payload() string { return gs.country } -func (gs *GEOSITE) GetDomainMatcher() router.DomainMatcher { - return gs.matcher +func (gs *GEOSITE) GetDomainMatcher() (router.DomainMatcher, error) { + matcher, err := geodata.LoadGeoSiteMatcher(gs.country) + if err != nil { + return nil, fmt.Errorf("load GeoSite data error, %w", err) + } + return matcher, nil } func (gs *GEOSITE) GetRecodeSize() int { - return gs.recodeSize + if matcher, err := gs.GetDomainMatcher(); err == nil { + return matcher.Count() + } + return 0 } func NewGEOSITE(country string, adapter string) (*GEOSITE, error) { @@ -53,21 +63,19 @@ func NewGEOSITE(country string, adapter string) (*GEOSITE, error) { return nil, err } - matcher, size, err := geodata.LoadGeoSiteMatcher(country) - if err != nil { - return nil, fmt.Errorf("load GeoSite data error, %s", err.Error()) + geoSite := &GEOSITE{ + Base: &Base{}, + country: country, + adapter: adapter, } - log.Infoln("Start initial GeoSite rule %s => %s, records: %d", country, adapter, size) - - geoSite := &GEOSITE{ - Base: &Base{}, - country: country, - adapter: adapter, - matcher: matcher, - recodeSize: size, + matcher, err := geoSite.GetDomainMatcher() // test load + if err != nil { + return nil, err } + log.Infoln("Finished initial GeoSite rule %s => %s, records: %d", country, adapter, matcher.Count()) + return geoSite, nil } From 6bf419c5fea2cb2556f98a9b8580e1254484d91e Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Fri, 16 Aug 2024 12:04:37 +0800 Subject: [PATCH 13/42] chore: better geo init logging --- config/config.go | 43 ++++++++++++++++--------------------------- 1 file changed, 16 insertions(+), 27 deletions(-) diff --git a/config/config.go b/config/config.go index c1c155ecce..d4868c0293 100644 --- a/config/config.go +++ b/config/config.go @@ -619,7 +619,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } } - config.Sniffer, err = parseSniffer(rawCfg.Sniffer, rules, ruleProviders) + config.Sniffer, err = parseSniffer(rawCfg.Sniffer, ruleProviders) if err != nil { return nil, err } @@ -1250,14 +1250,14 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rules [ if strings.HasPrefix(domain, "rule-set:") { domainSetName := domain[9:] - rule, err := parseDomainRuleSet(domainSetName, ruleProviders) + rule, err := parseDomainRuleSet(domainSetName, "dns.nameserver-policy", ruleProviders) if err != nil { return nil, err } policy[idx] = dns.Policy{Rule: rule, NameServers: nameservers} } else if strings.HasPrefix(domain, "geosite:") { country := domain[8:] - rule, err := parseGEOSITE(country, rules) + rule, err := RC.NewGEOSITE(country, "dns.nameserver-policy") if err != nil { return nil, err } @@ -1362,7 +1362,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul } // fake ip skip host filter - host, err := parseDomain(cfg.FakeIPFilter, fakeIPTrie, rules, ruleProviders) + host, err := parseDomain(cfg.FakeIPFilter, fakeIPTrie, "dns.fake-ip-filter", ruleProviders) if err != nil { return nil, err } @@ -1401,7 +1401,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul if err != nil { return nil, err } - rule = RP.NewIpCidrSet(cidrSet, "") + rule = RP.NewIpCidrSet(cidrSet, "dns.fallback-filter.ipcidr") dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) } if len(cfg.FallbackFilter.Domain) > 0 { @@ -1412,13 +1412,13 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul return nil, fmt.Errorf("DNS FallbackDomain[%d] format error: %w", idx, err) } } - rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "") + rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "dns.fallback-filter.domain") dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) } if len(cfg.FallbackFilter.GeoSite) > 0 { log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") for idx, geoSite := range cfg.FallbackFilter.GeoSite { - rule, err = parseGEOSITE(geoSite, rules) + rule, err = RC.NewGEOSITE(geoSite, "dns.fallback-filter.geosite") if err != nil { return nil, fmt.Errorf("DNS FallbackGeosite[%d] format error: %w", idx, err) } @@ -1524,7 +1524,7 @@ func parseTuicServer(rawTuic RawTuicServer, general *General) error { return nil } -func parseSniffer(snifferRaw RawSniffer, rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*Sniffer, error) { +func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes.RuleProvider) (*Sniffer, error) { sniffer := &Sniffer{ Enable: snifferRaw.Enable, ForceDnsMapping: snifferRaw.ForceDnsMapping, @@ -1587,13 +1587,13 @@ func parseSniffer(snifferRaw RawSniffer, rules []C.Rule, ruleProviders map[strin sniffer.Sniffers = loadSniffer - forceDomain, err := parseDomain(snifferRaw.ForceDomain, nil, rules, ruleProviders) + forceDomain, err := parseDomain(snifferRaw.ForceDomain, nil, "sniffer.force-domain", ruleProviders) if err != nil { return nil, fmt.Errorf("error in force-domain, error:%w", err) } sniffer.ForceDomain = forceDomain - skipDomain, err := parseDomain(snifferRaw.SkipDomain, nil, rules, ruleProviders) + skipDomain, err := parseDomain(snifferRaw.SkipDomain, nil, "sniffer.skip-domain", ruleProviders) if err != nil { return nil, fmt.Errorf("error in skip-domain, error:%w", err) } @@ -1602,7 +1602,7 @@ func parseSniffer(snifferRaw RawSniffer, rules []C.Rule, ruleProviders map[strin return sniffer, nil } -func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (domainRules []C.Rule, err error) { +func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (domainRules []C.Rule, err error) { var rule C.Rule for _, domain := range domains { domainLower := strings.ToLower(domain) @@ -1611,7 +1611,7 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, country := range subkeys { - rule, err = parseGEOSITE(country, rules) + rule, err = RC.NewGEOSITE(country, adapterName) if err != nil { return nil, err } @@ -1622,7 +1622,7 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, domainSetName := range subkeys { - rule, err = parseDomainRuleSet(domainSetName, ruleProviders) + rule, err = parseDomainRuleSet(domainSetName, adapterName, ruleProviders) if err != nil { return nil, err } @@ -1639,13 +1639,13 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], rules } } if !domainTrie.IsEmpty() { - rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "") + rule = RP.NewDomainSet(domainTrie.NewDomainSet(), adapterName) domainRules = append(domainRules, rule) } return } -func parseDomainRuleSet(domainSetName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { +func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { if rp, ok := ruleProviders[domainSetName]; !ok { return nil, fmt.Errorf("not found rule-set: %s", domainSetName) } else { @@ -1657,16 +1657,5 @@ func parseDomainRuleSet(domainSetName string, ruleProviders map[string]providerT default: } } - return RP.NewRuleSet(domainSetName, "", true) -} - -func parseGEOSITE(country string, rules []C.Rule) (C.Rule, error) { - for _, rule := range rules { - if rule.RuleType() == C.GEOSITE { - if strings.EqualFold(country, rule.Payload()) { - return rule, nil - } - } - } - return RC.NewGEOSITE(country, "") + return RP.NewRuleSet(domainSetName, adapterName, true) } From 0793998de885cef77e9eeb455351ad5c2e4112e6 Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Fri, 16 Aug 2024 14:15:36 +0800 Subject: [PATCH 14/42] chore: drop support of eBPF --- Makefile | 4 - component/ebpf/bpf/bpf_endian.h | 99 - component/ebpf/bpf/bpf_helper_defs.h | 4139 ----------------- component/ebpf/bpf/bpf_helpers.h | 262 -- component/ebpf/bpf/redir.c | 342 -- component/ebpf/bpf/tc.c | 103 - component/ebpf/byteorder/byteorder.go | 13 - .../ebpf/byteorder/byteorder_bigendian.go | 12 - .../ebpf/byteorder/byteorder_littleendian.go | 15 - component/ebpf/ebpf.go | 33 - component/ebpf/ebpf_linux.go | 137 - component/ebpf/ebpf_others.go | 21 - component/ebpf/redir/auto_redirect.go | 216 - component/ebpf/redir/bpf_bpfeb.go | 139 - component/ebpf/redir/bpf_bpfeb.o | Bin 15608 -> 0 bytes component/ebpf/redir/bpf_bpfel.go | 139 - component/ebpf/redir/bpf_bpfel.o | Bin 15624 -> 0 bytes component/ebpf/tc/bpf_bpfeb.go | 120 - component/ebpf/tc/bpf_bpfeb.o | Bin 5168 -> 0 bytes component/ebpf/tc/bpf_bpfel.go | 120 - component/ebpf/tc/bpf_bpfel.o | Bin 5168 -> 0 bytes component/ebpf/tc/redirect_to_tun.go | 147 - config/config.go | 13 - constant/ebpf.go | 20 - docs/config.yaml | 7 - go.mod | 2 +- go.sum | 8 +- hub/executor/executor.go | 5 - listener/autoredir/tcp.go | 95 - listener/listener.go | 94 - test/go.mod | 1 - test/go.sum | 2 - 32 files changed, 4 insertions(+), 6304 deletions(-) delete mode 100644 component/ebpf/bpf/bpf_endian.h delete mode 100644 component/ebpf/bpf/bpf_helper_defs.h delete mode 100644 component/ebpf/bpf/bpf_helpers.h delete mode 100644 component/ebpf/bpf/redir.c delete mode 100644 component/ebpf/bpf/tc.c delete mode 100644 component/ebpf/byteorder/byteorder.go delete mode 100644 component/ebpf/byteorder/byteorder_bigendian.go delete mode 100644 component/ebpf/byteorder/byteorder_littleendian.go delete mode 100644 component/ebpf/ebpf.go delete mode 100644 component/ebpf/ebpf_linux.go delete mode 100644 component/ebpf/ebpf_others.go delete mode 100644 component/ebpf/redir/auto_redirect.go delete mode 100644 component/ebpf/redir/bpf_bpfeb.go delete mode 100644 component/ebpf/redir/bpf_bpfeb.o delete mode 100644 component/ebpf/redir/bpf_bpfel.go delete mode 100644 component/ebpf/redir/bpf_bpfel.o delete mode 100644 component/ebpf/tc/bpf_bpfeb.go delete mode 100644 component/ebpf/tc/bpf_bpfeb.o delete mode 100644 component/ebpf/tc/bpf_bpfel.go delete mode 100644 component/ebpf/tc/bpf_bpfel.o delete mode 100644 component/ebpf/tc/redirect_to_tun.go delete mode 100644 constant/ebpf.go delete mode 100644 listener/autoredir/tcp.go diff --git a/Makefile b/Makefile index 59bec41ebf..36c640d553 100644 --- a/Makefile +++ b/Makefile @@ -163,7 +163,3 @@ clean: CLANG ?= clang-14 CFLAGS := -O2 -g -Wall -Werror $(CFLAGS) -ebpf: export BPF_CLANG := $(CLANG) -ebpf: export BPF_CFLAGS := $(CFLAGS) -ebpf: - cd component/ebpf/ && go generate ./... diff --git a/component/ebpf/bpf/bpf_endian.h b/component/ebpf/bpf/bpf_endian.h deleted file mode 100644 index ec9db4feca..0000000000 --- a/component/ebpf/bpf/bpf_endian.h +++ /dev/null @@ -1,99 +0,0 @@ -/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */ -#ifndef __BPF_ENDIAN__ -#define __BPF_ENDIAN__ - -/* - * Isolate byte #n and put it into byte #m, for __u##b type. - * E.g., moving byte #6 (nnnnnnnn) into byte #1 (mmmmmmmm) for __u64: - * 1) xxxxxxxx nnnnnnnn xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx mmmmmmmm xxxxxxxx - * 2) nnnnnnnn xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx mmmmmmmm xxxxxxxx 00000000 - * 3) 00000000 00000000 00000000 00000000 00000000 00000000 00000000 nnnnnnnn - * 4) 00000000 00000000 00000000 00000000 00000000 00000000 nnnnnnnn 00000000 - */ -#define ___bpf_mvb(x, b, n, m) ((__u##b)(x) << (b-(n+1)*8) >> (b-8) << (m*8)) - -#define ___bpf_swab16(x) ((__u16)( \ - ___bpf_mvb(x, 16, 0, 1) | \ - ___bpf_mvb(x, 16, 1, 0))) - -#define ___bpf_swab32(x) ((__u32)( \ - ___bpf_mvb(x, 32, 0, 3) | \ - ___bpf_mvb(x, 32, 1, 2) | \ - ___bpf_mvb(x, 32, 2, 1) | \ - ___bpf_mvb(x, 32, 3, 0))) - -#define ___bpf_swab64(x) ((__u64)( \ - ___bpf_mvb(x, 64, 0, 7) | \ - ___bpf_mvb(x, 64, 1, 6) | \ - ___bpf_mvb(x, 64, 2, 5) | \ - ___bpf_mvb(x, 64, 3, 4) | \ - ___bpf_mvb(x, 64, 4, 3) | \ - ___bpf_mvb(x, 64, 5, 2) | \ - ___bpf_mvb(x, 64, 6, 1) | \ - ___bpf_mvb(x, 64, 7, 0))) - -/* LLVM's BPF target selects the endianness of the CPU - * it compiles on, or the user specifies (bpfel/bpfeb), - * respectively. The used __BYTE_ORDER__ is defined by - * the compiler, we cannot rely on __BYTE_ORDER from - * libc headers, since it doesn't reflect the actual - * requested byte order. - * - * Note, LLVM's BPF target has different __builtin_bswapX() - * semantics. It does map to BPF_ALU | BPF_END | BPF_TO_BE - * in bpfel and bpfeb case, which means below, that we map - * to cpu_to_be16(). We could use it unconditionally in BPF - * case, but better not rely on it, so that this header here - * can be used from application and BPF program side, which - * use different targets. - */ -#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ -# define __bpf_ntohs(x) __builtin_bswap16(x) -# define __bpf_htons(x) __builtin_bswap16(x) -# define __bpf_constant_ntohs(x) ___bpf_swab16(x) -# define __bpf_constant_htons(x) ___bpf_swab16(x) -# define __bpf_ntohl(x) __builtin_bswap32(x) -# define __bpf_htonl(x) __builtin_bswap32(x) -# define __bpf_constant_ntohl(x) ___bpf_swab32(x) -# define __bpf_constant_htonl(x) ___bpf_swab32(x) -# define __bpf_be64_to_cpu(x) __builtin_bswap64(x) -# define __bpf_cpu_to_be64(x) __builtin_bswap64(x) -# define __bpf_constant_be64_to_cpu(x) ___bpf_swab64(x) -# define __bpf_constant_cpu_to_be64(x) ___bpf_swab64(x) -#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ -# define __bpf_ntohs(x) (x) -# define __bpf_htons(x) (x) -# define __bpf_constant_ntohs(x) (x) -# define __bpf_constant_htons(x) (x) -# define __bpf_ntohl(x) (x) -# define __bpf_htonl(x) (x) -# define __bpf_constant_ntohl(x) (x) -# define __bpf_constant_htonl(x) (x) -# define __bpf_be64_to_cpu(x) (x) -# define __bpf_cpu_to_be64(x) (x) -# define __bpf_constant_be64_to_cpu(x) (x) -# define __bpf_constant_cpu_to_be64(x) (x) -#else -# error "Fix your compiler's __BYTE_ORDER__?!" -#endif - -#define bpf_htons(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_htons(x) : __bpf_htons(x)) -#define bpf_ntohs(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_ntohs(x) : __bpf_ntohs(x)) -#define bpf_htonl(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_htonl(x) : __bpf_htonl(x)) -#define bpf_ntohl(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_ntohl(x) : __bpf_ntohl(x)) -#define bpf_cpu_to_be64(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_cpu_to_be64(x) : __bpf_cpu_to_be64(x)) -#define bpf_be64_to_cpu(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_be64_to_cpu(x) : __bpf_be64_to_cpu(x)) - -#endif /* __BPF_ENDIAN__ */ diff --git a/component/ebpf/bpf/bpf_helper_defs.h b/component/ebpf/bpf/bpf_helper_defs.h deleted file mode 100644 index 8a4edf613b..0000000000 --- a/component/ebpf/bpf/bpf_helper_defs.h +++ /dev/null @@ -1,4139 +0,0 @@ -/* This is auto-generated file. See bpf_doc.py for details. */ - -/* Forward declarations of BPF structs */ -struct bpf_fib_lookup; -struct bpf_sk_lookup; -struct bpf_perf_event_data; -struct bpf_perf_event_value; -struct bpf_pidns_info; -struct bpf_redir_neigh; -struct bpf_sock; -struct bpf_sock_addr; -struct bpf_sock_ops; -struct bpf_sock_tuple; -struct bpf_spin_lock; -struct bpf_sysctl; -struct bpf_tcp_sock; -struct bpf_tunnel_key; -struct bpf_xfrm_state; -struct linux_binprm; -struct pt_regs; -struct sk_reuseport_md; -struct sockaddr; -struct tcphdr; -struct seq_file; -struct tcp6_sock; -struct tcp_sock; -struct tcp_timewait_sock; -struct tcp_request_sock; -struct udp6_sock; -struct unix_sock; -struct task_struct; -struct __sk_buff; -struct sk_msg_md; -struct xdp_md; -struct path; -struct btf_ptr; -struct inode; -struct socket; -struct file; -struct bpf_timer; - -/* - * bpf_map_lookup_elem - * - * Perform a lookup in *map* for an entry associated to *key*. - * - * Returns - * Map value associated to *key*, or **NULL** if no entry was - * found. - */ -static void *(*bpf_map_lookup_elem)(void *map, const void *key) = (void *) 1; - -/* - * bpf_map_update_elem - * - * Add or update the value of the entry associated to *key* in - * *map* with *value*. *flags* is one of: - * - * **BPF_NOEXIST** - * The entry for *key* must not exist in the map. - * **BPF_EXIST** - * The entry for *key* must already exist in the map. - * **BPF_ANY** - * No condition on the existence of the entry for *key*. - * - * Flag value **BPF_NOEXIST** cannot be used for maps of types - * **BPF_MAP_TYPE_ARRAY** or **BPF_MAP_TYPE_PERCPU_ARRAY** (all - * elements always exist), the helper would return an error. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_update_elem)(void *map, const void *key, const void *value, __u64 flags) = (void *) 2; - -/* - * bpf_map_delete_elem - * - * Delete entry with *key* from *map*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_delete_elem)(void *map, const void *key) = (void *) 3; - -/* - * bpf_probe_read - * - * For tracing programs, safely attempt to read *size* bytes from - * kernel space address *unsafe_ptr* and store the data in *dst*. - * - * Generally, use **bpf_probe_read_user**\ () or - * **bpf_probe_read_kernel**\ () instead. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_read)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 4; - -/* - * bpf_ktime_get_ns - * - * Return the time elapsed since system boot, in nanoseconds. - * Does not include time the system was suspended. - * See: **clock_gettime**\ (**CLOCK_MONOTONIC**) - * - * Returns - * Current *ktime*. - */ -static __u64 (*bpf_ktime_get_ns)(void) = (void *) 5; - -/* - * bpf_trace_printk - * - * This helper is a "printk()-like" facility for debugging. It - * prints a message defined by format *fmt* (of size *fmt_size*) - * to file *\/sys/kernel/debug/tracing/trace* from DebugFS, if - * available. It can take up to three additional **u64** - * arguments (as an eBPF helpers, the total number of arguments is - * limited to five). - * - * Each time the helper is called, it appends a line to the trace. - * Lines are discarded while *\/sys/kernel/debug/tracing/trace* is - * open, use *\/sys/kernel/debug/tracing/trace_pipe* to avoid this. - * The format of the trace is customizable, and the exact output - * one will get depends on the options set in - * *\/sys/kernel/debug/tracing/trace_options* (see also the - * *README* file under the same directory). However, it usually - * defaults to something like: - * - * :: - * - * telnet-470 [001] .N.. 419421.045894: 0x00000001: - * - * In the above: - * - * * ``telnet`` is the name of the current task. - * * ``470`` is the PID of the current task. - * * ``001`` is the CPU number on which the task is - * running. - * * In ``.N..``, each character refers to a set of - * options (whether irqs are enabled, scheduling - * options, whether hard/softirqs are running, level of - * preempt_disabled respectively). **N** means that - * **TIF_NEED_RESCHED** and **PREEMPT_NEED_RESCHED** - * are set. - * * ``419421.045894`` is a timestamp. - * * ``0x00000001`` is a fake value used by BPF for the - * instruction pointer register. - * * ```` is the message formatted with - * *fmt*. - * - * The conversion specifiers supported by *fmt* are similar, but - * more limited than for printk(). They are **%d**, **%i**, - * **%u**, **%x**, **%ld**, **%li**, **%lu**, **%lx**, **%lld**, - * **%lli**, **%llu**, **%llx**, **%p**, **%s**. No modifier (size - * of field, padding with zeroes, etc.) is available, and the - * helper will return **-EINVAL** (but print nothing) if it - * encounters an unknown specifier. - * - * Also, note that **bpf_trace_printk**\ () is slow, and should - * only be used for debugging purposes. For this reason, a notice - * block (spanning several lines) is printed to kernel logs and - * states that the helper should not be used "for production use" - * the first time this helper is used (or more precisely, when - * **trace_printk**\ () buffers are allocated). For passing values - * to user space, perf events should be preferred. - * - * Returns - * The number of bytes written to the buffer, or a negative error - * in case of failure. - */ -static long (*bpf_trace_printk)(const char *fmt, __u32 fmt_size, ...) = (void *) 6; - -/* - * bpf_get_prandom_u32 - * - * Get a pseudo-random number. - * - * From a security point of view, this helper uses its own - * pseudo-random internal state, and cannot be used to infer the - * seed of other random functions in the kernel. However, it is - * essential to note that the generator used by the helper is not - * cryptographically secure. - * - * Returns - * A random 32-bit unsigned value. - */ -static __u32 (*bpf_get_prandom_u32)(void) = (void *) 7; - -/* - * bpf_get_smp_processor_id - * - * Get the SMP (symmetric multiprocessing) processor id. Note that - * all programs run with migration disabled, which means that the - * SMP processor id is stable during all the execution of the - * program. - * - * Returns - * The SMP id of the processor running the program. - */ -static __u32 (*bpf_get_smp_processor_id)(void) = (void *) 8; - -/* - * bpf_skb_store_bytes - * - * Store *len* bytes from address *from* into the packet - * associated to *skb*, at *offset*. *flags* are a combination of - * **BPF_F_RECOMPUTE_CSUM** (automatically recompute the - * checksum for the packet after storing the bytes) and - * **BPF_F_INVALIDATE_HASH** (set *skb*\ **->hash**, *skb*\ - * **->swhash** and *skb*\ **->l4hash** to 0). - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_store_bytes)(struct __sk_buff *skb, __u32 offset, const void *from, __u32 len, __u64 flags) = (void *) 9; - -/* - * bpf_l3_csum_replace - * - * Recompute the layer 3 (e.g. IP) checksum for the packet - * associated to *skb*. Computation is incremental, so the helper - * must know the former value of the header field that was - * modified (*from*), the new value of this field (*to*), and the - * number of bytes (2 or 4) for this field, stored in *size*. - * Alternatively, it is possible to store the difference between - * the previous and the new values of the header field in *to*, by - * setting *from* and *size* to 0. For both methods, *offset* - * indicates the location of the IP checksum within the packet. - * - * This helper works in combination with **bpf_csum_diff**\ (), - * which does not update the checksum in-place, but offers more - * flexibility and can handle sizes larger than 2 or 4 for the - * checksum to update. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_l3_csum_replace)(struct __sk_buff *skb, __u32 offset, __u64 from, __u64 to, __u64 size) = (void *) 10; - -/* - * bpf_l4_csum_replace - * - * Recompute the layer 4 (e.g. TCP, UDP or ICMP) checksum for the - * packet associated to *skb*. Computation is incremental, so the - * helper must know the former value of the header field that was - * modified (*from*), the new value of this field (*to*), and the - * number of bytes (2 or 4) for this field, stored on the lowest - * four bits of *flags*. Alternatively, it is possible to store - * the difference between the previous and the new values of the - * header field in *to*, by setting *from* and the four lowest - * bits of *flags* to 0. For both methods, *offset* indicates the - * location of the IP checksum within the packet. In addition to - * the size of the field, *flags* can be added (bitwise OR) actual - * flags. With **BPF_F_MARK_MANGLED_0**, a null checksum is left - * untouched (unless **BPF_F_MARK_ENFORCE** is added as well), and - * for updates resulting in a null checksum the value is set to - * **CSUM_MANGLED_0** instead. Flag **BPF_F_PSEUDO_HDR** indicates - * the checksum is to be computed against a pseudo-header. - * - * This helper works in combination with **bpf_csum_diff**\ (), - * which does not update the checksum in-place, but offers more - * flexibility and can handle sizes larger than 2 or 4 for the - * checksum to update. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_l4_csum_replace)(struct __sk_buff *skb, __u32 offset, __u64 from, __u64 to, __u64 flags) = (void *) 11; - -/* - * bpf_tail_call - * - * This special helper is used to trigger a "tail call", or in - * other words, to jump into another eBPF program. The same stack - * frame is used (but values on stack and in registers for the - * caller are not accessible to the callee). This mechanism allows - * for program chaining, either for raising the maximum number of - * available eBPF instructions, or to execute given programs in - * conditional blocks. For security reasons, there is an upper - * limit to the number of successive tail calls that can be - * performed. - * - * Upon call of this helper, the program attempts to jump into a - * program referenced at index *index* in *prog_array_map*, a - * special map of type **BPF_MAP_TYPE_PROG_ARRAY**, and passes - * *ctx*, a pointer to the context. - * - * If the call succeeds, the kernel immediately runs the first - * instruction of the new program. This is not a function call, - * and it never returns to the previous program. If the call - * fails, then the helper has no effect, and the caller continues - * to run its subsequent instructions. A call can fail if the - * destination program for the jump does not exist (i.e. *index* - * is superior to the number of entries in *prog_array_map*), or - * if the maximum number of tail calls has been reached for this - * chain of programs. This limit is defined in the kernel by the - * macro **MAX_TAIL_CALL_CNT** (not accessible to user space), - * which is currently set to 33. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_tail_call)(void *ctx, void *prog_array_map, __u32 index) = (void *) 12; - -/* - * bpf_clone_redirect - * - * Clone and redirect the packet associated to *skb* to another - * net device of index *ifindex*. Both ingress and egress - * interfaces can be used for redirection. The **BPF_F_INGRESS** - * value in *flags* is used to make the distinction (ingress path - * is selected if the flag is present, egress path otherwise). - * This is the only flag supported for now. - * - * In comparison with **bpf_redirect**\ () helper, - * **bpf_clone_redirect**\ () has the associated cost of - * duplicating the packet buffer, but this can be executed out of - * the eBPF program. Conversely, **bpf_redirect**\ () is more - * efficient, but it is handled through an action code where the - * redirection happens only after the eBPF program has returned. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_clone_redirect)(struct __sk_buff *skb, __u32 ifindex, __u64 flags) = (void *) 13; - -/* - * bpf_get_current_pid_tgid - * - * - * Returns - * A 64-bit integer containing the current tgid and pid, and - * created as such: - * *current_task*\ **->tgid << 32 \|** - * *current_task*\ **->pid**. - */ -static __u64 (*bpf_get_current_pid_tgid)(void) = (void *) 14; - -/* - * bpf_get_current_uid_gid - * - * - * Returns - * A 64-bit integer containing the current GID and UID, and - * created as such: *current_gid* **<< 32 \|** *current_uid*. - */ -static __u64 (*bpf_get_current_uid_gid)(void) = (void *) 15; - -/* - * bpf_get_current_comm - * - * Copy the **comm** attribute of the current task into *buf* of - * *size_of_buf*. The **comm** attribute contains the name of - * the executable (excluding the path) for the current task. The - * *size_of_buf* must be strictly positive. On success, the - * helper makes sure that the *buf* is NUL-terminated. On failure, - * it is filled with zeroes. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_get_current_comm)(void *buf, __u32 size_of_buf) = (void *) 16; - -/* - * bpf_get_cgroup_classid - * - * Retrieve the classid for the current task, i.e. for the net_cls - * cgroup to which *skb* belongs. - * - * This helper can be used on TC egress path, but not on ingress. - * - * The net_cls cgroup provides an interface to tag network packets - * based on a user-provided identifier for all traffic coming from - * the tasks belonging to the related cgroup. See also the related - * kernel documentation, available from the Linux sources in file - * *Documentation/admin-guide/cgroup-v1/net_cls.rst*. - * - * The Linux kernel has two versions for cgroups: there are - * cgroups v1 and cgroups v2. Both are available to users, who can - * use a mixture of them, but note that the net_cls cgroup is for - * cgroup v1 only. This makes it incompatible with BPF programs - * run on cgroups, which is a cgroup-v2-only feature (a socket can - * only hold data for one version of cgroups at a time). - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_CGROUP_NET_CLASSID** configuration option set to - * "**y**" or to "**m**". - * - * Returns - * The classid, or 0 for the default unconfigured classid. - */ -static __u32 (*bpf_get_cgroup_classid)(struct __sk_buff *skb) = (void *) 17; - -/* - * bpf_skb_vlan_push - * - * Push a *vlan_tci* (VLAN tag control information) of protocol - * *vlan_proto* to the packet associated to *skb*, then update - * the checksum. Note that if *vlan_proto* is different from - * **ETH_P_8021Q** and **ETH_P_8021AD**, it is considered to - * be **ETH_P_8021Q**. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_vlan_push)(struct __sk_buff *skb, __be16 vlan_proto, __u16 vlan_tci) = (void *) 18; - -/* - * bpf_skb_vlan_pop - * - * Pop a VLAN header from the packet associated to *skb*. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_vlan_pop)(struct __sk_buff *skb) = (void *) 19; - -/* - * bpf_skb_get_tunnel_key - * - * Get tunnel metadata. This helper takes a pointer *key* to an - * empty **struct bpf_tunnel_key** of **size**, that will be - * filled with tunnel metadata for the packet associated to *skb*. - * The *flags* can be set to **BPF_F_TUNINFO_IPV6**, which - * indicates that the tunnel is based on IPv6 protocol instead of - * IPv4. - * - * The **struct bpf_tunnel_key** is an object that generalizes the - * principal parameters used by various tunneling protocols into a - * single struct. This way, it can be used to easily make a - * decision based on the contents of the encapsulation header, - * "summarized" in this struct. In particular, it holds the IP - * address of the remote end (IPv4 or IPv6, depending on the case) - * in *key*\ **->remote_ipv4** or *key*\ **->remote_ipv6**. Also, - * this struct exposes the *key*\ **->tunnel_id**, which is - * generally mapped to a VNI (Virtual Network Identifier), making - * it programmable together with the **bpf_skb_set_tunnel_key**\ - * () helper. - * - * Let's imagine that the following code is part of a program - * attached to the TC ingress interface, on one end of a GRE - * tunnel, and is supposed to filter out all messages coming from - * remote ends with IPv4 address other than 10.0.0.1: - * - * :: - * - * int ret; - * struct bpf_tunnel_key key = {}; - * - * ret = bpf_skb_get_tunnel_key(skb, &key, sizeof(key), 0); - * if (ret < 0) - * return TC_ACT_SHOT; // drop packet - * - * if (key.remote_ipv4 != 0x0a000001) - * return TC_ACT_SHOT; // drop packet - * - * return TC_ACT_OK; // accept packet - * - * This interface can also be used with all encapsulation devices - * that can operate in "collect metadata" mode: instead of having - * one network device per specific configuration, the "collect - * metadata" mode only requires a single device where the - * configuration can be extracted from this helper. - * - * This can be used together with various tunnels such as VXLan, - * Geneve, GRE or IP in IP (IPIP). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_get_tunnel_key)(struct __sk_buff *skb, struct bpf_tunnel_key *key, __u32 size, __u64 flags) = (void *) 20; - -/* - * bpf_skb_set_tunnel_key - * - * Populate tunnel metadata for packet associated to *skb.* The - * tunnel metadata is set to the contents of *key*, of *size*. The - * *flags* can be set to a combination of the following values: - * - * **BPF_F_TUNINFO_IPV6** - * Indicate that the tunnel is based on IPv6 protocol - * instead of IPv4. - * **BPF_F_ZERO_CSUM_TX** - * For IPv4 packets, add a flag to tunnel metadata - * indicating that checksum computation should be skipped - * and checksum set to zeroes. - * **BPF_F_DONT_FRAGMENT** - * Add a flag to tunnel metadata indicating that the - * packet should not be fragmented. - * **BPF_F_SEQ_NUMBER** - * Add a flag to tunnel metadata indicating that a - * sequence number should be added to tunnel header before - * sending the packet. This flag was added for GRE - * encapsulation, but might be used with other protocols - * as well in the future. - * - * Here is a typical usage on the transmit path: - * - * :: - * - * struct bpf_tunnel_key key; - * populate key ... - * bpf_skb_set_tunnel_key(skb, &key, sizeof(key), 0); - * bpf_clone_redirect(skb, vxlan_dev_ifindex, 0); - * - * See also the description of the **bpf_skb_get_tunnel_key**\ () - * helper for additional information. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_set_tunnel_key)(struct __sk_buff *skb, struct bpf_tunnel_key *key, __u32 size, __u64 flags) = (void *) 21; - -/* - * bpf_perf_event_read - * - * Read the value of a perf event counter. This helper relies on a - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. The nature of - * the perf event counter is selected when *map* is updated with - * perf event file descriptors. The *map* is an array whose size - * is the number of available CPUs, and each cell contains a value - * relative to one CPU. The value to retrieve is indicated by - * *flags*, that contains the index of the CPU to look up, masked - * with **BPF_F_INDEX_MASK**. Alternatively, *flags* can be set to - * **BPF_F_CURRENT_CPU** to indicate that the value for the - * current CPU should be retrieved. - * - * Note that before Linux 4.13, only hardware perf event can be - * retrieved. - * - * Also, be aware that the newer helper - * **bpf_perf_event_read_value**\ () is recommended over - * **bpf_perf_event_read**\ () in general. The latter has some ABI - * quirks where error and counter value are used as a return code - * (which is wrong to do since ranges may overlap). This issue is - * fixed with **bpf_perf_event_read_value**\ (), which at the same - * time provides more features over the **bpf_perf_event_read**\ - * () interface. Please refer to the description of - * **bpf_perf_event_read_value**\ () for details. - * - * Returns - * The value of the perf event counter read from the map, or a - * negative error code in case of failure. - */ -static __u64 (*bpf_perf_event_read)(void *map, __u64 flags) = (void *) 22; - -/* - * bpf_redirect - * - * Redirect the packet to another net device of index *ifindex*. - * This helper is somewhat similar to **bpf_clone_redirect**\ - * (), except that the packet is not cloned, which provides - * increased performance. - * - * Except for XDP, both ingress and egress interfaces can be used - * for redirection. The **BPF_F_INGRESS** value in *flags* is used - * to make the distinction (ingress path is selected if the flag - * is present, egress path otherwise). Currently, XDP only - * supports redirection to the egress interface, and accepts no - * flag at all. - * - * The same effect can also be attained with the more generic - * **bpf_redirect_map**\ (), which uses a BPF map to store the - * redirect target instead of providing it directly to the helper. - * - * Returns - * For XDP, the helper returns **XDP_REDIRECT** on success or - * **XDP_ABORTED** on error. For other program types, the values - * are **TC_ACT_REDIRECT** on success or **TC_ACT_SHOT** on - * error. - */ -static long (*bpf_redirect)(__u32 ifindex, __u64 flags) = (void *) 23; - -/* - * bpf_get_route_realm - * - * Retrieve the realm or the route, that is to say the - * **tclassid** field of the destination for the *skb*. The - * identifier retrieved is a user-provided tag, similar to the - * one used with the net_cls cgroup (see description for - * **bpf_get_cgroup_classid**\ () helper), but here this tag is - * held by a route (a destination entry), not by a task. - * - * Retrieving this identifier works with the clsact TC egress hook - * (see also **tc-bpf(8)**), or alternatively on conventional - * classful egress qdiscs, but not on TC ingress path. In case of - * clsact TC egress hook, this has the advantage that, internally, - * the destination entry has not been dropped yet in the transmit - * path. Therefore, the destination entry does not need to be - * artificially held via **netif_keep_dst**\ () for a classful - * qdisc until the *skb* is freed. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_IP_ROUTE_CLASSID** configuration option. - * - * Returns - * The realm of the route for the packet associated to *skb*, or 0 - * if none was found. - */ -static __u32 (*bpf_get_route_realm)(struct __sk_buff *skb) = (void *) 24; - -/* - * bpf_perf_event_output - * - * Write raw *data* blob into a special BPF perf event held by - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. This perf - * event must have the following attributes: **PERF_SAMPLE_RAW** - * as **sample_type**, **PERF_TYPE_SOFTWARE** as **type**, and - * **PERF_COUNT_SW_BPF_OUTPUT** as **config**. - * - * The *flags* are used to indicate the index in *map* for which - * the value must be put, masked with **BPF_F_INDEX_MASK**. - * Alternatively, *flags* can be set to **BPF_F_CURRENT_CPU** - * to indicate that the index of the current CPU core should be - * used. - * - * The value to write, of *size*, is passed through eBPF stack and - * pointed by *data*. - * - * The context of the program *ctx* needs also be passed to the - * helper. - * - * On user space, a program willing to read the values needs to - * call **perf_event_open**\ () on the perf event (either for - * one or for all CPUs) and to store the file descriptor into the - * *map*. This must be done before the eBPF program can send data - * into it. An example is available in file - * *samples/bpf/trace_output_user.c* in the Linux kernel source - * tree (the eBPF program counterpart is in - * *samples/bpf/trace_output_kern.c*). - * - * **bpf_perf_event_output**\ () achieves better performance - * than **bpf_trace_printk**\ () for sharing data with user - * space, and is much better suitable for streaming data from eBPF - * programs. - * - * Note that this helper is not restricted to tracing use cases - * and can be used with programs attached to TC or XDP as well, - * where it allows for passing data to user space listeners. Data - * can be: - * - * * Only custom structs, - * * Only the packet payload, or - * * A combination of both. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_perf_event_output)(void *ctx, void *map, __u64 flags, void *data, __u64 size) = (void *) 25; - -/* - * bpf_skb_load_bytes - * - * This helper was provided as an easy way to load data from a - * packet. It can be used to load *len* bytes from *offset* from - * the packet associated to *skb*, into the buffer pointed by - * *to*. - * - * Since Linux 4.7, usage of this helper has mostly been replaced - * by "direct packet access", enabling packet data to be - * manipulated with *skb*\ **->data** and *skb*\ **->data_end** - * pointing respectively to the first byte of packet data and to - * the byte after the last byte of packet data. However, it - * remains useful if one wishes to read large quantities of data - * at once from a packet into the eBPF stack. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_load_bytes)(const void *skb, __u32 offset, void *to, __u32 len) = (void *) 26; - -/* - * bpf_get_stackid - * - * Walk a user or a kernel stack and return its id. To achieve - * this, the helper needs *ctx*, which is a pointer to the context - * on which the tracing program is executed, and a pointer to a - * *map* of type **BPF_MAP_TYPE_STACK_TRACE**. - * - * The last argument, *flags*, holds the number of stack frames to - * skip (from 0 to 255), masked with - * **BPF_F_SKIP_FIELD_MASK**. The next bits can be used to set - * a combination of the following flags: - * - * **BPF_F_USER_STACK** - * Collect a user space stack instead of a kernel stack. - * **BPF_F_FAST_STACK_CMP** - * Compare stacks by hash only. - * **BPF_F_REUSE_STACKID** - * If two different stacks hash into the same *stackid*, - * discard the old one. - * - * The stack id retrieved is a 32 bit long integer handle which - * can be further combined with other data (including other stack - * ids) and used as a key into maps. This can be useful for - * generating a variety of graphs (such as flame graphs or off-cpu - * graphs). - * - * For walking a stack, this helper is an improvement over - * **bpf_probe_read**\ (), which can be used with unrolled loops - * but is not efficient and consumes a lot of eBPF instructions. - * Instead, **bpf_get_stackid**\ () can collect up to - * **PERF_MAX_STACK_DEPTH** both kernel and user frames. Note that - * this limit can be controlled with the **sysctl** program, and - * that it should be manually increased in order to profile long - * user stacks (such as stacks for Java programs). To do so, use: - * - * :: - * - * # sysctl kernel.perf_event_max_stack= - * - * Returns - * The positive or null stack id on success, or a negative error - * in case of failure. - */ -static long (*bpf_get_stackid)(void *ctx, void *map, __u64 flags) = (void *) 27; - -/* - * bpf_csum_diff - * - * Compute a checksum difference, from the raw buffer pointed by - * *from*, of length *from_size* (that must be a multiple of 4), - * towards the raw buffer pointed by *to*, of size *to_size* - * (same remark). An optional *seed* can be added to the value - * (this can be cascaded, the seed may come from a previous call - * to the helper). - * - * This is flexible enough to be used in several ways: - * - * * With *from_size* == 0, *to_size* > 0 and *seed* set to - * checksum, it can be used when pushing new data. - * * With *from_size* > 0, *to_size* == 0 and *seed* set to - * checksum, it can be used when removing data from a packet. - * * With *from_size* > 0, *to_size* > 0 and *seed* set to 0, it - * can be used to compute a diff. Note that *from_size* and - * *to_size* do not need to be equal. - * - * This helper can be used in combination with - * **bpf_l3_csum_replace**\ () and **bpf_l4_csum_replace**\ (), to - * which one can feed in the difference computed with - * **bpf_csum_diff**\ (). - * - * Returns - * The checksum result, or a negative error code in case of - * failure. - */ -static __s64 (*bpf_csum_diff)(__be32 *from, __u32 from_size, __be32 *to, __u32 to_size, __wsum seed) = (void *) 28; - -/* - * bpf_skb_get_tunnel_opt - * - * Retrieve tunnel options metadata for the packet associated to - * *skb*, and store the raw tunnel option data to the buffer *opt* - * of *size*. - * - * This helper can be used with encapsulation devices that can - * operate in "collect metadata" mode (please refer to the related - * note in the description of **bpf_skb_get_tunnel_key**\ () for - * more details). A particular example where this can be used is - * in combination with the Geneve encapsulation protocol, where it - * allows for pushing (with **bpf_skb_get_tunnel_opt**\ () helper) - * and retrieving arbitrary TLVs (Type-Length-Value headers) from - * the eBPF program. This allows for full customization of these - * headers. - * - * Returns - * The size of the option data retrieved. - */ -static long (*bpf_skb_get_tunnel_opt)(struct __sk_buff *skb, void *opt, __u32 size) = (void *) 29; - -/* - * bpf_skb_set_tunnel_opt - * - * Set tunnel options metadata for the packet associated to *skb* - * to the option data contained in the raw buffer *opt* of *size*. - * - * See also the description of the **bpf_skb_get_tunnel_opt**\ () - * helper for additional information. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_set_tunnel_opt)(struct __sk_buff *skb, void *opt, __u32 size) = (void *) 30; - -/* - * bpf_skb_change_proto - * - * Change the protocol of the *skb* to *proto*. Currently - * supported are transition from IPv4 to IPv6, and from IPv6 to - * IPv4. The helper takes care of the groundwork for the - * transition, including resizing the socket buffer. The eBPF - * program is expected to fill the new headers, if any, via - * **skb_store_bytes**\ () and to recompute the checksums with - * **bpf_l3_csum_replace**\ () and **bpf_l4_csum_replace**\ - * (). The main case for this helper is to perform NAT64 - * operations out of an eBPF program. - * - * Internally, the GSO type is marked as dodgy so that headers are - * checked and segments are recalculated by the GSO/GRO engine. - * The size for GSO target is adapted as well. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_proto)(struct __sk_buff *skb, __be16 proto, __u64 flags) = (void *) 31; - -/* - * bpf_skb_change_type - * - * Change the packet type for the packet associated to *skb*. This - * comes down to setting *skb*\ **->pkt_type** to *type*, except - * the eBPF program does not have a write access to *skb*\ - * **->pkt_type** beside this helper. Using a helper here allows - * for graceful handling of errors. - * - * The major use case is to change incoming *skb*s to - * **PACKET_HOST** in a programmatic way instead of having to - * recirculate via **redirect**\ (..., **BPF_F_INGRESS**), for - * example. - * - * Note that *type* only allows certain values. At this time, they - * are: - * - * **PACKET_HOST** - * Packet is for us. - * **PACKET_BROADCAST** - * Send packet to all. - * **PACKET_MULTICAST** - * Send packet to group. - * **PACKET_OTHERHOST** - * Send packet to someone else. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_type)(struct __sk_buff *skb, __u32 type) = (void *) 32; - -/* - * bpf_skb_under_cgroup - * - * Check whether *skb* is a descendant of the cgroup2 held by - * *map* of type **BPF_MAP_TYPE_CGROUP_ARRAY**, at *index*. - * - * Returns - * The return value depends on the result of the test, and can be: - * - * * 0, if the *skb* failed the cgroup2 descendant test. - * * 1, if the *skb* succeeded the cgroup2 descendant test. - * * A negative error code, if an error occurred. - */ -static long (*bpf_skb_under_cgroup)(struct __sk_buff *skb, void *map, __u32 index) = (void *) 33; - -/* - * bpf_get_hash_recalc - * - * Retrieve the hash of the packet, *skb*\ **->hash**. If it is - * not set, in particular if the hash was cleared due to mangling, - * recompute this hash. Later accesses to the hash can be done - * directly with *skb*\ **->hash**. - * - * Calling **bpf_set_hash_invalid**\ (), changing a packet - * prototype with **bpf_skb_change_proto**\ (), or calling - * **bpf_skb_store_bytes**\ () with the - * **BPF_F_INVALIDATE_HASH** are actions susceptible to clear - * the hash and to trigger a new computation for the next call to - * **bpf_get_hash_recalc**\ (). - * - * Returns - * The 32-bit hash. - */ -static __u32 (*bpf_get_hash_recalc)(struct __sk_buff *skb) = (void *) 34; - -/* - * bpf_get_current_task - * - * - * Returns - * A pointer to the current task struct. - */ -static __u64 (*bpf_get_current_task)(void) = (void *) 35; - -/* - * bpf_probe_write_user - * - * Attempt in a safe way to write *len* bytes from the buffer - * *src* to *dst* in memory. It only works for threads that are in - * user context, and *dst* must be a valid user space address. - * - * This helper should not be used to implement any kind of - * security mechanism because of TOC-TOU attacks, but rather to - * debug, divert, and manipulate execution of semi-cooperative - * processes. - * - * Keep in mind that this feature is meant for experiments, and it - * has a risk of crashing the system and running programs. - * Therefore, when an eBPF program using this helper is attached, - * a warning including PID and process name is printed to kernel - * logs. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_write_user)(void *dst, const void *src, __u32 len) = (void *) 36; - -/* - * bpf_current_task_under_cgroup - * - * Check whether the probe is being run is the context of a given - * subset of the cgroup2 hierarchy. The cgroup2 to test is held by - * *map* of type **BPF_MAP_TYPE_CGROUP_ARRAY**, at *index*. - * - * Returns - * The return value depends on the result of the test, and can be: - * - * * 0, if current task belongs to the cgroup2. - * * 1, if current task does not belong to the cgroup2. - * * A negative error code, if an error occurred. - */ -static long (*bpf_current_task_under_cgroup)(void *map, __u32 index) = (void *) 37; - -/* - * bpf_skb_change_tail - * - * Resize (trim or grow) the packet associated to *skb* to the - * new *len*. The *flags* are reserved for future usage, and must - * be left at zero. - * - * The basic idea is that the helper performs the needed work to - * change the size of the packet, then the eBPF program rewrites - * the rest via helpers like **bpf_skb_store_bytes**\ (), - * **bpf_l3_csum_replace**\ (), **bpf_l3_csum_replace**\ () - * and others. This helper is a slow path utility intended for - * replies with control messages. And because it is targeted for - * slow path, the helper itself can afford to be slow: it - * implicitly linearizes, unclones and drops offloads from the - * *skb*. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_tail)(struct __sk_buff *skb, __u32 len, __u64 flags) = (void *) 38; - -/* - * bpf_skb_pull_data - * - * Pull in non-linear data in case the *skb* is non-linear and not - * all of *len* are part of the linear section. Make *len* bytes - * from *skb* readable and writable. If a zero value is passed for - * *len*, then the whole length of the *skb* is pulled. - * - * This helper is only needed for reading and writing with direct - * packet access. - * - * For direct packet access, testing that offsets to access - * are within packet boundaries (test on *skb*\ **->data_end**) is - * susceptible to fail if offsets are invalid, or if the requested - * data is in non-linear parts of the *skb*. On failure the - * program can just bail out, or in the case of a non-linear - * buffer, use a helper to make the data available. The - * **bpf_skb_load_bytes**\ () helper is a first solution to access - * the data. Another one consists in using **bpf_skb_pull_data** - * to pull in once the non-linear parts, then retesting and - * eventually access the data. - * - * At the same time, this also makes sure the *skb* is uncloned, - * which is a necessary condition for direct write. As this needs - * to be an invariant for the write part only, the verifier - * detects writes and adds a prologue that is calling - * **bpf_skb_pull_data()** to effectively unclone the *skb* from - * the very beginning in case it is indeed cloned. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_pull_data)(struct __sk_buff *skb, __u32 len) = (void *) 39; - -/* - * bpf_csum_update - * - * Add the checksum *csum* into *skb*\ **->csum** in case the - * driver has supplied a checksum for the entire packet into that - * field. Return an error otherwise. This helper is intended to be - * used in combination with **bpf_csum_diff**\ (), in particular - * when the checksum needs to be updated after data has been - * written into the packet through direct packet access. - * - * Returns - * The checksum on success, or a negative error code in case of - * failure. - */ -static __s64 (*bpf_csum_update)(struct __sk_buff *skb, __wsum csum) = (void *) 40; - -/* - * bpf_set_hash_invalid - * - * Invalidate the current *skb*\ **->hash**. It can be used after - * mangling on headers through direct packet access, in order to - * indicate that the hash is outdated and to trigger a - * recalculation the next time the kernel tries to access this - * hash or when the **bpf_get_hash_recalc**\ () helper is called. - * - */ -static void (*bpf_set_hash_invalid)(struct __sk_buff *skb) = (void *) 41; - -/* - * bpf_get_numa_node_id - * - * Return the id of the current NUMA node. The primary use case - * for this helper is the selection of sockets for the local NUMA - * node, when the program is attached to sockets using the - * **SO_ATTACH_REUSEPORT_EBPF** option (see also **socket(7)**), - * but the helper is also available to other eBPF program types, - * similarly to **bpf_get_smp_processor_id**\ (). - * - * Returns - * The id of current NUMA node. - */ -static long (*bpf_get_numa_node_id)(void) = (void *) 42; - -/* - * bpf_skb_change_head - * - * Grows headroom of packet associated to *skb* and adjusts the - * offset of the MAC header accordingly, adding *len* bytes of - * space. It automatically extends and reallocates memory as - * required. - * - * This helper can be used on a layer 3 *skb* to push a MAC header - * for redirection into a layer 2 device. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_head)(struct __sk_buff *skb, __u32 len, __u64 flags) = (void *) 43; - -/* - * bpf_xdp_adjust_head - * - * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that - * it is possible to use a negative value for *delta*. This helper - * can be used to prepare the packet for pushing or popping - * headers. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_adjust_head)(struct xdp_md *xdp_md, int delta) = (void *) 44; - -/* - * bpf_probe_read_str - * - * Copy a NUL terminated string from an unsafe kernel address - * *unsafe_ptr* to *dst*. See **bpf_probe_read_kernel_str**\ () for - * more details. - * - * Generally, use **bpf_probe_read_user_str**\ () or - * **bpf_probe_read_kernel_str**\ () instead. - * - * Returns - * On success, the strictly positive length of the string, - * including the trailing NUL character. On error, a negative - * value. - */ -static long (*bpf_probe_read_str)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 45; - -/* - * bpf_get_socket_cookie - * - * If the **struct sk_buff** pointed by *skb* has a known socket, - * retrieve the cookie (generated by the kernel) of this socket. - * If no cookie has been set yet, generate a new cookie. Once - * generated, the socket cookie remains stable for the life of the - * socket. This helper can be useful for monitoring per socket - * networking traffic statistics as it provides a global socket - * identifier that can be assumed unique. - * - * Returns - * A 8-byte long unique number on success, or 0 if the socket - * field is missing inside *skb*. - */ -static __u64 (*bpf_get_socket_cookie)(void *ctx) = (void *) 46; - -/* - * bpf_get_socket_uid - * - * - * Returns - * The owner UID of the socket associated to *skb*. If the socket - * is **NULL**, or if it is not a full socket (i.e. if it is a - * time-wait or a request socket instead), **overflowuid** value - * is returned (note that **overflowuid** might also be the actual - * UID value for the socket). - */ -static __u32 (*bpf_get_socket_uid)(struct __sk_buff *skb) = (void *) 47; - -/* - * bpf_set_hash - * - * Set the full hash for *skb* (set the field *skb*\ **->hash**) - * to value *hash*. - * - * Returns - * 0 - */ -static long (*bpf_set_hash)(struct __sk_buff *skb, __u32 hash) = (void *) 48; - -/* - * bpf_setsockopt - * - * Emulate a call to **setsockopt()** on the socket associated to - * *bpf_socket*, which must be a full socket. The *level* at - * which the option resides and the name *optname* of the option - * must be specified, see **setsockopt(2)** for more information. - * The option value of length *optlen* is pointed by *optval*. - * - * *bpf_socket* should be one of the following: - * - * * **struct bpf_sock_ops** for **BPF_PROG_TYPE_SOCK_OPS**. - * * **struct bpf_sock_addr** for **BPF_CGROUP_INET4_CONNECT** - * and **BPF_CGROUP_INET6_CONNECT**. - * - * This helper actually implements a subset of **setsockopt()**. - * It supports the following *level*\ s: - * - * * **SOL_SOCKET**, which supports the following *optname*\ s: - * **SO_RCVBUF**, **SO_SNDBUF**, **SO_MAX_PACING_RATE**, - * **SO_PRIORITY**, **SO_RCVLOWAT**, **SO_MARK**, - * **SO_BINDTODEVICE**, **SO_KEEPALIVE**. - * * **IPPROTO_TCP**, which supports the following *optname*\ s: - * **TCP_CONGESTION**, **TCP_BPF_IW**, - * **TCP_BPF_SNDCWND_CLAMP**, **TCP_SAVE_SYN**, - * **TCP_KEEPIDLE**, **TCP_KEEPINTVL**, **TCP_KEEPCNT**, - * **TCP_SYNCNT**, **TCP_USER_TIMEOUT**, **TCP_NOTSENT_LOWAT**. - * * **IPPROTO_IP**, which supports *optname* **IP_TOS**. - * * **IPPROTO_IPV6**, which supports *optname* **IPV6_TCLASS**. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_setsockopt)(void *bpf_socket, int level, int optname, void *optval, int optlen) = (void *) 49; - -/* - * bpf_skb_adjust_room - * - * Grow or shrink the room for data in the packet associated to - * *skb* by *len_diff*, and according to the selected *mode*. - * - * By default, the helper will reset any offloaded checksum - * indicator of the skb to CHECKSUM_NONE. This can be avoided - * by the following flag: - * - * * **BPF_F_ADJ_ROOM_NO_CSUM_RESET**: Do not reset offloaded - * checksum data of the skb to CHECKSUM_NONE. - * - * There are two supported modes at this time: - * - * * **BPF_ADJ_ROOM_MAC**: Adjust room at the mac layer - * (room space is added or removed below the layer 2 header). - * - * * **BPF_ADJ_ROOM_NET**: Adjust room at the network layer - * (room space is added or removed below the layer 3 header). - * - * The following flags are supported at this time: - * - * * **BPF_F_ADJ_ROOM_FIXED_GSO**: Do not adjust gso_size. - * Adjusting mss in this way is not allowed for datagrams. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L3_IPV4**, - * **BPF_F_ADJ_ROOM_ENCAP_L3_IPV6**: - * Any new space is reserved to hold a tunnel header. - * Configure skb offsets and other fields accordingly. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L4_GRE**, - * **BPF_F_ADJ_ROOM_ENCAP_L4_UDP**: - * Use with ENCAP_L3 flags to further specify the tunnel type. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L2**\ (*len*): - * Use with ENCAP_L3/L4 flags to further specify the tunnel - * type; *len* is the length of the inner MAC header. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L2_ETH**: - * Use with BPF_F_ADJ_ROOM_ENCAP_L2 flag to further specify the - * L2 type as Ethernet. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_adjust_room)(struct __sk_buff *skb, __s32 len_diff, __u32 mode, __u64 flags) = (void *) 50; - -/* - * bpf_redirect_map - * - * Redirect the packet to the endpoint referenced by *map* at - * index *key*. Depending on its type, this *map* can contain - * references to net devices (for forwarding packets through other - * ports), or to CPUs (for redirecting XDP frames to another CPU; - * but this is only implemented for native XDP (with driver - * support) as of this writing). - * - * The lower two bits of *flags* are used as the return code if - * the map lookup fails. This is so that the return value can be - * one of the XDP program return codes up to **XDP_TX**, as chosen - * by the caller. The higher bits of *flags* can be set to - * BPF_F_BROADCAST or BPF_F_EXCLUDE_INGRESS as defined below. - * - * With BPF_F_BROADCAST the packet will be broadcasted to all the - * interfaces in the map, with BPF_F_EXCLUDE_INGRESS the ingress - * interface will be excluded when do broadcasting. - * - * See also **bpf_redirect**\ (), which only supports redirecting - * to an ifindex, but doesn't require a map to do so. - * - * Returns - * **XDP_REDIRECT** on success, or the value of the two lower bits - * of the *flags* argument on error. - */ -static long (*bpf_redirect_map)(void *map, __u32 key, __u64 flags) = (void *) 51; - -/* - * bpf_sk_redirect_map - * - * Redirect the packet to the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKMAP**) at index *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress path otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_sk_redirect_map)(struct __sk_buff *skb, void *map, __u32 key, __u64 flags) = (void *) 52; - -/* - * bpf_sock_map_update - * - * Add an entry to, or update a *map* referencing sockets. The - * *skops* is used as a new value for the entry associated to - * *key*. *flags* is one of: - * - * **BPF_NOEXIST** - * The entry for *key* must not exist in the map. - * **BPF_EXIST** - * The entry for *key* must already exist in the map. - * **BPF_ANY** - * No condition on the existence of the entry for *key*. - * - * If the *map* has eBPF programs (parser and verdict), those will - * be inherited by the socket being added. If the socket is - * already attached to eBPF programs, this results in an error. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sock_map_update)(struct bpf_sock_ops *skops, void *map, void *key, __u64 flags) = (void *) 53; - -/* - * bpf_xdp_adjust_meta - * - * Adjust the address pointed by *xdp_md*\ **->data_meta** by - * *delta* (which can be positive or negative). Note that this - * operation modifies the address stored in *xdp_md*\ **->data**, - * so the latter must be loaded only after the helper has been - * called. - * - * The use of *xdp_md*\ **->data_meta** is optional and programs - * are not required to use it. The rationale is that when the - * packet is processed with XDP (e.g. as DoS filter), it is - * possible to push further meta data along with it before passing - * to the stack, and to give the guarantee that an ingress eBPF - * program attached as a TC classifier on the same device can pick - * this up for further post-processing. Since TC works with socket - * buffers, it remains possible to set from XDP the **mark** or - * **priority** pointers, or other pointers for the socket buffer. - * Having this scratch space generic and programmable allows for - * more flexibility as the user is free to store whatever meta - * data they need. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_adjust_meta)(struct xdp_md *xdp_md, int delta) = (void *) 54; - -/* - * bpf_perf_event_read_value - * - * Read the value of a perf event counter, and store it into *buf* - * of size *buf_size*. This helper relies on a *map* of type - * **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. The nature of the perf event - * counter is selected when *map* is updated with perf event file - * descriptors. The *map* is an array whose size is the number of - * available CPUs, and each cell contains a value relative to one - * CPU. The value to retrieve is indicated by *flags*, that - * contains the index of the CPU to look up, masked with - * **BPF_F_INDEX_MASK**. Alternatively, *flags* can be set to - * **BPF_F_CURRENT_CPU** to indicate that the value for the - * current CPU should be retrieved. - * - * This helper behaves in a way close to - * **bpf_perf_event_read**\ () helper, save that instead of - * just returning the value observed, it fills the *buf* - * structure. This allows for additional data to be retrieved: in - * particular, the enabled and running times (in *buf*\ - * **->enabled** and *buf*\ **->running**, respectively) are - * copied. In general, **bpf_perf_event_read_value**\ () is - * recommended over **bpf_perf_event_read**\ (), which has some - * ABI issues and provides fewer functionalities. - * - * These values are interesting, because hardware PMU (Performance - * Monitoring Unit) counters are limited resources. When there are - * more PMU based perf events opened than available counters, - * kernel will multiplex these events so each event gets certain - * percentage (but not all) of the PMU time. In case that - * multiplexing happens, the number of samples or counter value - * will not reflect the case compared to when no multiplexing - * occurs. This makes comparison between different runs difficult. - * Typically, the counter value should be normalized before - * comparing to other experiments. The usual normalization is done - * as follows. - * - * :: - * - * normalized_counter = counter * t_enabled / t_running - * - * Where t_enabled is the time enabled for event and t_running is - * the time running for event since last normalization. The - * enabled and running times are accumulated since the perf event - * open. To achieve scaling factor between two invocations of an - * eBPF program, users can use CPU id as the key (which is - * typical for perf array usage model) to remember the previous - * value and do the calculation inside the eBPF program. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_perf_event_read_value)(void *map, __u64 flags, struct bpf_perf_event_value *buf, __u32 buf_size) = (void *) 55; - -/* - * bpf_perf_prog_read_value - * - * For en eBPF program attached to a perf event, retrieve the - * value of the event counter associated to *ctx* and store it in - * the structure pointed by *buf* and of size *buf_size*. Enabled - * and running times are also stored in the structure (see - * description of helper **bpf_perf_event_read_value**\ () for - * more details). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_perf_prog_read_value)(struct bpf_perf_event_data *ctx, struct bpf_perf_event_value *buf, __u32 buf_size) = (void *) 56; - -/* - * bpf_getsockopt - * - * Emulate a call to **getsockopt()** on the socket associated to - * *bpf_socket*, which must be a full socket. The *level* at - * which the option resides and the name *optname* of the option - * must be specified, see **getsockopt(2)** for more information. - * The retrieved value is stored in the structure pointed by - * *opval* and of length *optlen*. - * - * *bpf_socket* should be one of the following: - * - * * **struct bpf_sock_ops** for **BPF_PROG_TYPE_SOCK_OPS**. - * * **struct bpf_sock_addr** for **BPF_CGROUP_INET4_CONNECT** - * and **BPF_CGROUP_INET6_CONNECT**. - * - * This helper actually implements a subset of **getsockopt()**. - * It supports the following *level*\ s: - * - * * **IPPROTO_TCP**, which supports *optname* - * **TCP_CONGESTION**. - * * **IPPROTO_IP**, which supports *optname* **IP_TOS**. - * * **IPPROTO_IPV6**, which supports *optname* **IPV6_TCLASS**. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_getsockopt)(void *bpf_socket, int level, int optname, void *optval, int optlen) = (void *) 57; - -/* - * bpf_override_return - * - * Used for error injection, this helper uses kprobes to override - * the return value of the probed function, and to set it to *rc*. - * The first argument is the context *regs* on which the kprobe - * works. - * - * This helper works by setting the PC (program counter) - * to an override function which is run in place of the original - * probed function. This means the probed function is not run at - * all. The replacement function just returns with the required - * value. - * - * This helper has security implications, and thus is subject to - * restrictions. It is only available if the kernel was compiled - * with the **CONFIG_BPF_KPROBE_OVERRIDE** configuration - * option, and in this case it only works on functions tagged with - * **ALLOW_ERROR_INJECTION** in the kernel code. - * - * Also, the helper is only available for the architectures having - * the CONFIG_FUNCTION_ERROR_INJECTION option. As of this writing, - * x86 architecture is the only one to support this feature. - * - * Returns - * 0 - */ -static long (*bpf_override_return)(struct pt_regs *regs, __u64 rc) = (void *) 58; - -/* - * bpf_sock_ops_cb_flags_set - * - * Attempt to set the value of the **bpf_sock_ops_cb_flags** field - * for the full TCP socket associated to *bpf_sock_ops* to - * *argval*. - * - * The primary use of this field is to determine if there should - * be calls to eBPF programs of type - * **BPF_PROG_TYPE_SOCK_OPS** at various points in the TCP - * code. A program of the same type can change its value, per - * connection and as necessary, when the connection is - * established. This field is directly accessible for reading, but - * this helper must be used for updates in order to return an - * error if an eBPF program tries to set a callback that is not - * supported in the current kernel. - * - * *argval* is a flag array which can combine these flags: - * - * * **BPF_SOCK_OPS_RTO_CB_FLAG** (retransmission time out) - * * **BPF_SOCK_OPS_RETRANS_CB_FLAG** (retransmission) - * * **BPF_SOCK_OPS_STATE_CB_FLAG** (TCP state change) - * * **BPF_SOCK_OPS_RTT_CB_FLAG** (every RTT) - * - * Therefore, this function can be used to clear a callback flag by - * setting the appropriate bit to zero. e.g. to disable the RTO - * callback: - * - * **bpf_sock_ops_cb_flags_set(bpf_sock,** - * **bpf_sock->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG)** - * - * Here are some examples of where one could call such eBPF - * program: - * - * * When RTO fires. - * * When a packet is retransmitted. - * * When the connection terminates. - * * When a packet is sent. - * * When a packet is received. - * - * Returns - * Code **-EINVAL** if the socket is not a full TCP socket; - * otherwise, a positive number containing the bits that could not - * be set is returned (which comes down to 0 if all bits were set - * as required). - */ -static long (*bpf_sock_ops_cb_flags_set)(struct bpf_sock_ops *bpf_sock, int argval) = (void *) 59; - -/* - * bpf_msg_redirect_map - * - * This helper is used in programs implementing policies at the - * socket level. If the message *msg* is allowed to pass (i.e. if - * the verdict eBPF program returns **SK_PASS**), redirect it to - * the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKMAP**) at index *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress path otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_msg_redirect_map)(struct sk_msg_md *msg, void *map, __u32 key, __u64 flags) = (void *) 60; - -/* - * bpf_msg_apply_bytes - * - * For socket policies, apply the verdict of the eBPF program to - * the next *bytes* (number of bytes) of message *msg*. - * - * For example, this helper can be used in the following cases: - * - * * A single **sendmsg**\ () or **sendfile**\ () system call - * contains multiple logical messages that the eBPF program is - * supposed to read and for which it should apply a verdict. - * * An eBPF program only cares to read the first *bytes* of a - * *msg*. If the message has a large payload, then setting up - * and calling the eBPF program repeatedly for all bytes, even - * though the verdict is already known, would create unnecessary - * overhead. - * - * When called from within an eBPF program, the helper sets a - * counter internal to the BPF infrastructure, that is used to - * apply the last verdict to the next *bytes*. If *bytes* is - * smaller than the current data being processed from a - * **sendmsg**\ () or **sendfile**\ () system call, the first - * *bytes* will be sent and the eBPF program will be re-run with - * the pointer for start of data pointing to byte number *bytes* - * **+ 1**. If *bytes* is larger than the current data being - * processed, then the eBPF verdict will be applied to multiple - * **sendmsg**\ () or **sendfile**\ () calls until *bytes* are - * consumed. - * - * Note that if a socket closes with the internal counter holding - * a non-zero value, this is not a problem because data is not - * being buffered for *bytes* and is sent as it is received. - * - * Returns - * 0 - */ -static long (*bpf_msg_apply_bytes)(struct sk_msg_md *msg, __u32 bytes) = (void *) 61; - -/* - * bpf_msg_cork_bytes - * - * For socket policies, prevent the execution of the verdict eBPF - * program for message *msg* until *bytes* (byte number) have been - * accumulated. - * - * This can be used when one needs a specific number of bytes - * before a verdict can be assigned, even if the data spans - * multiple **sendmsg**\ () or **sendfile**\ () calls. The extreme - * case would be a user calling **sendmsg**\ () repeatedly with - * 1-byte long message segments. Obviously, this is bad for - * performance, but it is still valid. If the eBPF program needs - * *bytes* bytes to validate a header, this helper can be used to - * prevent the eBPF program to be called again until *bytes* have - * been accumulated. - * - * Returns - * 0 - */ -static long (*bpf_msg_cork_bytes)(struct sk_msg_md *msg, __u32 bytes) = (void *) 62; - -/* - * bpf_msg_pull_data - * - * For socket policies, pull in non-linear data from user space - * for *msg* and set pointers *msg*\ **->data** and *msg*\ - * **->data_end** to *start* and *end* bytes offsets into *msg*, - * respectively. - * - * If a program of type **BPF_PROG_TYPE_SK_MSG** is run on a - * *msg* it can only parse data that the (**data**, **data_end**) - * pointers have already consumed. For **sendmsg**\ () hooks this - * is likely the first scatterlist element. But for calls relying - * on the **sendpage** handler (e.g. **sendfile**\ ()) this will - * be the range (**0**, **0**) because the data is shared with - * user space and by default the objective is to avoid allowing - * user space to modify data while (or after) eBPF verdict is - * being decided. This helper can be used to pull in data and to - * set the start and end pointer to given values. Data will be - * copied if necessary (i.e. if data was not linear and if start - * and end pointers do not point to the same chunk). - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_msg_pull_data)(struct sk_msg_md *msg, __u32 start, __u32 end, __u64 flags) = (void *) 63; - -/* - * bpf_bind - * - * Bind the socket associated to *ctx* to the address pointed by - * *addr*, of length *addr_len*. This allows for making outgoing - * connection from the desired IP address, which can be useful for - * example when all processes inside a cgroup should use one - * single IP address on a host that has multiple IP configured. - * - * This helper works for IPv4 and IPv6, TCP and UDP sockets. The - * domain (*addr*\ **->sa_family**) must be **AF_INET** (or - * **AF_INET6**). It's advised to pass zero port (**sin_port** - * or **sin6_port**) which triggers IP_BIND_ADDRESS_NO_PORT-like - * behavior and lets the kernel efficiently pick up an unused - * port as long as 4-tuple is unique. Passing non-zero port might - * lead to degraded performance. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_bind)(struct bpf_sock_addr *ctx, struct sockaddr *addr, int addr_len) = (void *) 64; - -/* - * bpf_xdp_adjust_tail - * - * Adjust (move) *xdp_md*\ **->data_end** by *delta* bytes. It is - * possible to both shrink and grow the packet tail. - * Shrink done via *delta* being a negative integer. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_adjust_tail)(struct xdp_md *xdp_md, int delta) = (void *) 65; - -/* - * bpf_skb_get_xfrm_state - * - * Retrieve the XFRM state (IP transform framework, see also - * **ip-xfrm(8)**) at *index* in XFRM "security path" for *skb*. - * - * The retrieved value is stored in the **struct bpf_xfrm_state** - * pointed by *xfrm_state* and of length *size*. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_XFRM** configuration option. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_get_xfrm_state)(struct __sk_buff *skb, __u32 index, struct bpf_xfrm_state *xfrm_state, __u32 size, __u64 flags) = (void *) 66; - -/* - * bpf_get_stack - * - * Return a user or a kernel stack in bpf program provided buffer. - * To achieve this, the helper needs *ctx*, which is a pointer - * to the context on which the tracing program is executed. - * To store the stacktrace, the bpf program provides *buf* with - * a nonnegative *size*. - * - * The last argument, *flags*, holds the number of stack frames to - * skip (from 0 to 255), masked with - * **BPF_F_SKIP_FIELD_MASK**. The next bits can be used to set - * the following flags: - * - * **BPF_F_USER_STACK** - * Collect a user space stack instead of a kernel stack. - * **BPF_F_USER_BUILD_ID** - * Collect buildid+offset instead of ips for user stack, - * only valid if **BPF_F_USER_STACK** is also specified. - * - * **bpf_get_stack**\ () can collect up to - * **PERF_MAX_STACK_DEPTH** both kernel and user frames, subject - * to sufficient large buffer size. Note that - * this limit can be controlled with the **sysctl** program, and - * that it should be manually increased in order to profile long - * user stacks (such as stacks for Java programs). To do so, use: - * - * :: - * - * # sysctl kernel.perf_event_max_stack= - * - * Returns - * A non-negative value equal to or less than *size* on success, - * or a negative error in case of failure. - */ -static long (*bpf_get_stack)(void *ctx, void *buf, __u32 size, __u64 flags) = (void *) 67; - -/* - * bpf_skb_load_bytes_relative - * - * This helper is similar to **bpf_skb_load_bytes**\ () in that - * it provides an easy way to load *len* bytes from *offset* - * from the packet associated to *skb*, into the buffer pointed - * by *to*. The difference to **bpf_skb_load_bytes**\ () is that - * a fifth argument *start_header* exists in order to select a - * base offset to start from. *start_header* can be one of: - * - * **BPF_HDR_START_MAC** - * Base offset to load data from is *skb*'s mac header. - * **BPF_HDR_START_NET** - * Base offset to load data from is *skb*'s network header. - * - * In general, "direct packet access" is the preferred method to - * access packet data, however, this helper is in particular useful - * in socket filters where *skb*\ **->data** does not always point - * to the start of the mac header and where "direct packet access" - * is not available. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_load_bytes_relative)(const void *skb, __u32 offset, void *to, __u32 len, __u32 start_header) = (void *) 68; - -/* - * bpf_fib_lookup - * - * Do FIB lookup in kernel tables using parameters in *params*. - * If lookup is successful and result shows packet is to be - * forwarded, the neighbor tables are searched for the nexthop. - * If successful (ie., FIB lookup shows forwarding and nexthop - * is resolved), the nexthop address is returned in ipv4_dst - * or ipv6_dst based on family, smac is set to mac address of - * egress device, dmac is set to nexthop mac address, rt_metric - * is set to metric from route (IPv4/IPv6 only), and ifindex - * is set to the device index of the nexthop from the FIB lookup. - * - * *plen* argument is the size of the passed in struct. - * *flags* argument can be a combination of one or more of the - * following values: - * - * **BPF_FIB_LOOKUP_DIRECT** - * Do a direct table lookup vs full lookup using FIB - * rules. - * **BPF_FIB_LOOKUP_OUTPUT** - * Perform lookup from an egress perspective (default is - * ingress). - * - * *ctx* is either **struct xdp_md** for XDP programs or - * **struct sk_buff** tc cls_act programs. - * - * Returns - * * < 0 if any input argument is invalid - * * 0 on success (packet is forwarded, nexthop neighbor exists) - * * > 0 one of **BPF_FIB_LKUP_RET_** codes explaining why the - * packet is not forwarded or needs assist from full stack - * - * If lookup fails with BPF_FIB_LKUP_RET_FRAG_NEEDED, then the MTU - * was exceeded and output params->mtu_result contains the MTU. - */ -static long (*bpf_fib_lookup)(void *ctx, struct bpf_fib_lookup *params, int plen, __u32 flags) = (void *) 69; - -/* - * bpf_sock_hash_update - * - * Add an entry to, or update a sockhash *map* referencing sockets. - * The *skops* is used as a new value for the entry associated to - * *key*. *flags* is one of: - * - * **BPF_NOEXIST** - * The entry for *key* must not exist in the map. - * **BPF_EXIST** - * The entry for *key* must already exist in the map. - * **BPF_ANY** - * No condition on the existence of the entry for *key*. - * - * If the *map* has eBPF programs (parser and verdict), those will - * be inherited by the socket being added. If the socket is - * already attached to eBPF programs, this results in an error. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sock_hash_update)(struct bpf_sock_ops *skops, void *map, void *key, __u64 flags) = (void *) 70; - -/* - * bpf_msg_redirect_hash - * - * This helper is used in programs implementing policies at the - * socket level. If the message *msg* is allowed to pass (i.e. if - * the verdict eBPF program returns **SK_PASS**), redirect it to - * the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKHASH**) using hash *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress path otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_msg_redirect_hash)(struct sk_msg_md *msg, void *map, void *key, __u64 flags) = (void *) 71; - -/* - * bpf_sk_redirect_hash - * - * This helper is used in programs implementing policies at the - * skb socket level. If the sk_buff *skb* is allowed to pass (i.e. - * if the verdict eBPF program returns **SK_PASS**), redirect it - * to the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKHASH**) using hash *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_sk_redirect_hash)(struct __sk_buff *skb, void *map, void *key, __u64 flags) = (void *) 72; - -/* - * bpf_lwt_push_encap - * - * Encapsulate the packet associated to *skb* within a Layer 3 - * protocol header. This header is provided in the buffer at - * address *hdr*, with *len* its size in bytes. *type* indicates - * the protocol of the header and can be one of: - * - * **BPF_LWT_ENCAP_SEG6** - * IPv6 encapsulation with Segment Routing Header - * (**struct ipv6_sr_hdr**). *hdr* only contains the SRH, - * the IPv6 header is computed by the kernel. - * **BPF_LWT_ENCAP_SEG6_INLINE** - * Only works if *skb* contains an IPv6 packet. Insert a - * Segment Routing Header (**struct ipv6_sr_hdr**) inside - * the IPv6 header. - * **BPF_LWT_ENCAP_IP** - * IP encapsulation (GRE/GUE/IPIP/etc). The outer header - * must be IPv4 or IPv6, followed by zero or more - * additional headers, up to **LWT_BPF_MAX_HEADROOM** - * total bytes in all prepended headers. Please note that - * if **skb_is_gso**\ (*skb*) is true, no more than two - * headers can be prepended, and the inner header, if - * present, should be either GRE or UDP/GUE. - * - * **BPF_LWT_ENCAP_SEG6**\ \* types can be called by BPF programs - * of type **BPF_PROG_TYPE_LWT_IN**; **BPF_LWT_ENCAP_IP** type can - * be called by bpf programs of types **BPF_PROG_TYPE_LWT_IN** and - * **BPF_PROG_TYPE_LWT_XMIT**. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_push_encap)(struct __sk_buff *skb, __u32 type, void *hdr, __u32 len) = (void *) 73; - -/* - * bpf_lwt_seg6_store_bytes - * - * Store *len* bytes from address *from* into the packet - * associated to *skb*, at *offset*. Only the flags, tag and TLVs - * inside the outermost IPv6 Segment Routing Header can be - * modified through this helper. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_seg6_store_bytes)(struct __sk_buff *skb, __u32 offset, const void *from, __u32 len) = (void *) 74; - -/* - * bpf_lwt_seg6_adjust_srh - * - * Adjust the size allocated to TLVs in the outermost IPv6 - * Segment Routing Header contained in the packet associated to - * *skb*, at position *offset* by *delta* bytes. Only offsets - * after the segments are accepted. *delta* can be as well - * positive (growing) as negative (shrinking). - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_seg6_adjust_srh)(struct __sk_buff *skb, __u32 offset, __s32 delta) = (void *) 75; - -/* - * bpf_lwt_seg6_action - * - * Apply an IPv6 Segment Routing action of type *action* to the - * packet associated to *skb*. Each action takes a parameter - * contained at address *param*, and of length *param_len* bytes. - * *action* can be one of: - * - * **SEG6_LOCAL_ACTION_END_X** - * End.X action: Endpoint with Layer-3 cross-connect. - * Type of *param*: **struct in6_addr**. - * **SEG6_LOCAL_ACTION_END_T** - * End.T action: Endpoint with specific IPv6 table lookup. - * Type of *param*: **int**. - * **SEG6_LOCAL_ACTION_END_B6** - * End.B6 action: Endpoint bound to an SRv6 policy. - * Type of *param*: **struct ipv6_sr_hdr**. - * **SEG6_LOCAL_ACTION_END_B6_ENCAP** - * End.B6.Encap action: Endpoint bound to an SRv6 - * encapsulation policy. - * Type of *param*: **struct ipv6_sr_hdr**. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_seg6_action)(struct __sk_buff *skb, __u32 action, void *param, __u32 param_len) = (void *) 76; - -/* - * bpf_rc_repeat - * - * This helper is used in programs implementing IR decoding, to - * report a successfully decoded repeat key message. This delays - * the generation of a key up event for previously generated - * key down event. - * - * Some IR protocols like NEC have a special IR message for - * repeating last button, for when a button is held down. - * - * The *ctx* should point to the lirc sample as passed into - * the program. - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_BPF_LIRC_MODE2** configuration option set to - * "**y**". - * - * Returns - * 0 - */ -static long (*bpf_rc_repeat)(void *ctx) = (void *) 77; - -/* - * bpf_rc_keydown - * - * This helper is used in programs implementing IR decoding, to - * report a successfully decoded key press with *scancode*, - * *toggle* value in the given *protocol*. The scancode will be - * translated to a keycode using the rc keymap, and reported as - * an input key down event. After a period a key up event is - * generated. This period can be extended by calling either - * **bpf_rc_keydown**\ () again with the same values, or calling - * **bpf_rc_repeat**\ (). - * - * Some protocols include a toggle bit, in case the button was - * released and pressed again between consecutive scancodes. - * - * The *ctx* should point to the lirc sample as passed into - * the program. - * - * The *protocol* is the decoded protocol number (see - * **enum rc_proto** for some predefined values). - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_BPF_LIRC_MODE2** configuration option set to - * "**y**". - * - * Returns - * 0 - */ -static long (*bpf_rc_keydown)(void *ctx, __u32 protocol, __u64 scancode, __u32 toggle) = (void *) 78; - -/* - * bpf_skb_cgroup_id - * - * Return the cgroup v2 id of the socket associated with the *skb*. - * This is roughly similar to the **bpf_get_cgroup_classid**\ () - * helper for cgroup v1 by providing a tag resp. identifier that - * can be matched on or used for map lookups e.g. to implement - * policy. The cgroup v2 id of a given path in the hierarchy is - * exposed in user space through the f_handle API in order to get - * to the same 64-bit id. - * - * This helper can be used on TC egress path, but not on ingress, - * and is available only if the kernel was compiled with the - * **CONFIG_SOCK_CGROUP_DATA** configuration option. - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_skb_cgroup_id)(struct __sk_buff *skb) = (void *) 79; - -/* - * bpf_get_current_cgroup_id - * - * - * Returns - * A 64-bit integer containing the current cgroup id based - * on the cgroup within which the current task is running. - */ -static __u64 (*bpf_get_current_cgroup_id)(void) = (void *) 80; - -/* - * bpf_get_local_storage - * - * Get the pointer to the local storage area. - * The type and the size of the local storage is defined - * by the *map* argument. - * The *flags* meaning is specific for each map type, - * and has to be 0 for cgroup local storage. - * - * Depending on the BPF program type, a local storage area - * can be shared between multiple instances of the BPF program, - * running simultaneously. - * - * A user should care about the synchronization by himself. - * For example, by using the **BPF_ATOMIC** instructions to alter - * the shared data. - * - * Returns - * A pointer to the local storage area. - */ -static void *(*bpf_get_local_storage)(void *map, __u64 flags) = (void *) 81; - -/* - * bpf_sk_select_reuseport - * - * Select a **SO_REUSEPORT** socket from a - * **BPF_MAP_TYPE_REUSEPORT_SOCKARRAY** *map*. - * It checks the selected socket is matching the incoming - * request in the socket buffer. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sk_select_reuseport)(struct sk_reuseport_md *reuse, void *map, void *key, __u64 flags) = (void *) 82; - -/* - * bpf_skb_ancestor_cgroup_id - * - * Return id of cgroup v2 that is ancestor of cgroup associated - * with the *skb* at the *ancestor_level*. The root cgroup is at - * *ancestor_level* zero and each step down the hierarchy - * increments the level. If *ancestor_level* == level of cgroup - * associated with *skb*, then return value will be same as that - * of **bpf_skb_cgroup_id**\ (). - * - * The helper is useful to implement policies based on cgroups - * that are upper in hierarchy than immediate cgroup associated - * with *skb*. - * - * The format of returned id and helper limitations are same as in - * **bpf_skb_cgroup_id**\ (). - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_skb_ancestor_cgroup_id)(struct __sk_buff *skb, int ancestor_level) = (void *) 83; - -/* - * bpf_sk_lookup_tcp - * - * Look for TCP socket matching *tuple*, optionally in a child - * network namespace *netns*. The return value must be checked, - * and if non-**NULL**, released via **bpf_sk_release**\ (). - * - * The *ctx* should point to the context of the program, such as - * the skb or socket (depending on the hook in use). This is used - * to determine the base network namespace for the lookup. - * - * *tuple_size* must be one of: - * - * **sizeof**\ (*tuple*\ **->ipv4**) - * Look for an IPv4 socket. - * **sizeof**\ (*tuple*\ **->ipv6**) - * Look for an IPv6 socket. - * - * If the *netns* is a negative signed 32-bit integer, then the - * socket lookup table in the netns associated with the *ctx* - * will be used. For the TC hooks, this is the netns of the device - * in the skb. For socket hooks, this is the netns of the socket. - * If *netns* is any other signed 32-bit value greater than or - * equal to zero then it specifies the ID of the netns relative to - * the netns associated with the *ctx*. *netns* values beyond the - * range of 32-bit integers are reserved for future use. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_NET** configuration option. - * - * Returns - * Pointer to **struct bpf_sock**, or **NULL** in case of failure. - * For sockets with reuseport option, the **struct bpf_sock** - * result is from *reuse*\ **->socks**\ [] using the hash of the - * tuple. - */ -static struct bpf_sock *(*bpf_sk_lookup_tcp)(void *ctx, struct bpf_sock_tuple *tuple, __u32 tuple_size, __u64 netns, __u64 flags) = (void *) 84; - -/* - * bpf_sk_lookup_udp - * - * Look for UDP socket matching *tuple*, optionally in a child - * network namespace *netns*. The return value must be checked, - * and if non-**NULL**, released via **bpf_sk_release**\ (). - * - * The *ctx* should point to the context of the program, such as - * the skb or socket (depending on the hook in use). This is used - * to determine the base network namespace for the lookup. - * - * *tuple_size* must be one of: - * - * **sizeof**\ (*tuple*\ **->ipv4**) - * Look for an IPv4 socket. - * **sizeof**\ (*tuple*\ **->ipv6**) - * Look for an IPv6 socket. - * - * If the *netns* is a negative signed 32-bit integer, then the - * socket lookup table in the netns associated with the *ctx* - * will be used. For the TC hooks, this is the netns of the device - * in the skb. For socket hooks, this is the netns of the socket. - * If *netns* is any other signed 32-bit value greater than or - * equal to zero then it specifies the ID of the netns relative to - * the netns associated with the *ctx*. *netns* values beyond the - * range of 32-bit integers are reserved for future use. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_NET** configuration option. - * - * Returns - * Pointer to **struct bpf_sock**, or **NULL** in case of failure. - * For sockets with reuseport option, the **struct bpf_sock** - * result is from *reuse*\ **->socks**\ [] using the hash of the - * tuple. - */ -static struct bpf_sock *(*bpf_sk_lookup_udp)(void *ctx, struct bpf_sock_tuple *tuple, __u32 tuple_size, __u64 netns, __u64 flags) = (void *) 85; - -/* - * bpf_sk_release - * - * Release the reference held by *sock*. *sock* must be a - * non-**NULL** pointer that was returned from - * **bpf_sk_lookup_xxx**\ (). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sk_release)(void *sock) = (void *) 86; - -/* - * bpf_map_push_elem - * - * Push an element *value* in *map*. *flags* is one of: - * - * **BPF_EXIST** - * If the queue/stack is full, the oldest element is - * removed to make room for this. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_push_elem)(void *map, const void *value, __u64 flags) = (void *) 87; - -/* - * bpf_map_pop_elem - * - * Pop an element from *map*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_pop_elem)(void *map, void *value) = (void *) 88; - -/* - * bpf_map_peek_elem - * - * Get an element from *map* without removing it. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_peek_elem)(void *map, void *value) = (void *) 89; - -/* - * bpf_msg_push_data - * - * For socket policies, insert *len* bytes into *msg* at offset - * *start*. - * - * If a program of type **BPF_PROG_TYPE_SK_MSG** is run on a - * *msg* it may want to insert metadata or options into the *msg*. - * This can later be read and used by any of the lower layer BPF - * hooks. - * - * This helper may fail if under memory pressure (a malloc - * fails) in these cases BPF programs will get an appropriate - * error and BPF programs will need to handle them. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_msg_push_data)(struct sk_msg_md *msg, __u32 start, __u32 len, __u64 flags) = (void *) 90; - -/* - * bpf_msg_pop_data - * - * Will remove *len* bytes from a *msg* starting at byte *start*. - * This may result in **ENOMEM** errors under certain situations if - * an allocation and copy are required due to a full ring buffer. - * However, the helper will try to avoid doing the allocation - * if possible. Other errors can occur if input parameters are - * invalid either due to *start* byte not being valid part of *msg* - * payload and/or *pop* value being to large. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_msg_pop_data)(struct sk_msg_md *msg, __u32 start, __u32 len, __u64 flags) = (void *) 91; - -/* - * bpf_rc_pointer_rel - * - * This helper is used in programs implementing IR decoding, to - * report a successfully decoded pointer movement. - * - * The *ctx* should point to the lirc sample as passed into - * the program. - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_BPF_LIRC_MODE2** configuration option set to - * "**y**". - * - * Returns - * 0 - */ -static long (*bpf_rc_pointer_rel)(void *ctx, __s32 rel_x, __s32 rel_y) = (void *) 92; - -/* - * bpf_spin_lock - * - * Acquire a spinlock represented by the pointer *lock*, which is - * stored as part of a value of a map. Taking the lock allows to - * safely update the rest of the fields in that value. The - * spinlock can (and must) later be released with a call to - * **bpf_spin_unlock**\ (\ *lock*\ ). - * - * Spinlocks in BPF programs come with a number of restrictions - * and constraints: - * - * * **bpf_spin_lock** objects are only allowed inside maps of - * types **BPF_MAP_TYPE_HASH** and **BPF_MAP_TYPE_ARRAY** (this - * list could be extended in the future). - * * BTF description of the map is mandatory. - * * The BPF program can take ONE lock at a time, since taking two - * or more could cause dead locks. - * * Only one **struct bpf_spin_lock** is allowed per map element. - * * When the lock is taken, calls (either BPF to BPF or helpers) - * are not allowed. - * * The **BPF_LD_ABS** and **BPF_LD_IND** instructions are not - * allowed inside a spinlock-ed region. - * * The BPF program MUST call **bpf_spin_unlock**\ () to release - * the lock, on all execution paths, before it returns. - * * The BPF program can access **struct bpf_spin_lock** only via - * the **bpf_spin_lock**\ () and **bpf_spin_unlock**\ () - * helpers. Loading or storing data into the **struct - * bpf_spin_lock** *lock*\ **;** field of a map is not allowed. - * * To use the **bpf_spin_lock**\ () helper, the BTF description - * of the map value must be a struct and have **struct - * bpf_spin_lock** *anyname*\ **;** field at the top level. - * Nested lock inside another struct is not allowed. - * * The **struct bpf_spin_lock** *lock* field in a map value must - * be aligned on a multiple of 4 bytes in that value. - * * Syscall with command **BPF_MAP_LOOKUP_ELEM** does not copy - * the **bpf_spin_lock** field to user space. - * * Syscall with command **BPF_MAP_UPDATE_ELEM**, or update from - * a BPF program, do not update the **bpf_spin_lock** field. - * * **bpf_spin_lock** cannot be on the stack or inside a - * networking packet (it can only be inside of a map values). - * * **bpf_spin_lock** is available to root only. - * * Tracing programs and socket filter programs cannot use - * **bpf_spin_lock**\ () due to insufficient preemption checks - * (but this may change in the future). - * * **bpf_spin_lock** is not allowed in inner maps of map-in-map. - * - * Returns - * 0 - */ -static long (*bpf_spin_lock)(struct bpf_spin_lock *lock) = (void *) 93; - -/* - * bpf_spin_unlock - * - * Release the *lock* previously locked by a call to - * **bpf_spin_lock**\ (\ *lock*\ ). - * - * Returns - * 0 - */ -static long (*bpf_spin_unlock)(struct bpf_spin_lock *lock) = (void *) 94; - -/* - * bpf_sk_fullsock - * - * This helper gets a **struct bpf_sock** pointer such - * that all the fields in this **bpf_sock** can be accessed. - * - * Returns - * A **struct bpf_sock** pointer on success, or **NULL** in - * case of failure. - */ -static struct bpf_sock *(*bpf_sk_fullsock)(struct bpf_sock *sk) = (void *) 95; - -/* - * bpf_tcp_sock - * - * This helper gets a **struct bpf_tcp_sock** pointer from a - * **struct bpf_sock** pointer. - * - * Returns - * A **struct bpf_tcp_sock** pointer on success, or **NULL** in - * case of failure. - */ -static struct bpf_tcp_sock *(*bpf_tcp_sock)(struct bpf_sock *sk) = (void *) 96; - -/* - * bpf_skb_ecn_set_ce - * - * Set ECN (Explicit Congestion Notification) field of IP header - * to **CE** (Congestion Encountered) if current value is **ECT** - * (ECN Capable Transport). Otherwise, do nothing. Works with IPv6 - * and IPv4. - * - * Returns - * 1 if the **CE** flag is set (either by the current helper call - * or because it was already present), 0 if it is not set. - */ -static long (*bpf_skb_ecn_set_ce)(struct __sk_buff *skb) = (void *) 97; - -/* - * bpf_get_listener_sock - * - * Return a **struct bpf_sock** pointer in **TCP_LISTEN** state. - * **bpf_sk_release**\ () is unnecessary and not allowed. - * - * Returns - * A **struct bpf_sock** pointer on success, or **NULL** in - * case of failure. - */ -static struct bpf_sock *(*bpf_get_listener_sock)(struct bpf_sock *sk) = (void *) 98; - -/* - * bpf_skc_lookup_tcp - * - * Look for TCP socket matching *tuple*, optionally in a child - * network namespace *netns*. The return value must be checked, - * and if non-**NULL**, released via **bpf_sk_release**\ (). - * - * This function is identical to **bpf_sk_lookup_tcp**\ (), except - * that it also returns timewait or request sockets. Use - * **bpf_sk_fullsock**\ () or **bpf_tcp_sock**\ () to access the - * full structure. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_NET** configuration option. - * - * Returns - * Pointer to **struct bpf_sock**, or **NULL** in case of failure. - * For sockets with reuseport option, the **struct bpf_sock** - * result is from *reuse*\ **->socks**\ [] using the hash of the - * tuple. - */ -static struct bpf_sock *(*bpf_skc_lookup_tcp)(void *ctx, struct bpf_sock_tuple *tuple, __u32 tuple_size, __u64 netns, __u64 flags) = (void *) 99; - -/* - * bpf_tcp_check_syncookie - * - * Check whether *iph* and *th* contain a valid SYN cookie ACK for - * the listening socket in *sk*. - * - * *iph* points to the start of the IPv4 or IPv6 header, while - * *iph_len* contains **sizeof**\ (**struct iphdr**) or - * **sizeof**\ (**struct ip6hdr**). - * - * *th* points to the start of the TCP header, while *th_len* - * contains **sizeof**\ (**struct tcphdr**). - * - * Returns - * 0 if *iph* and *th* are a valid SYN cookie ACK, or a negative - * error otherwise. - */ -static long (*bpf_tcp_check_syncookie)(void *sk, void *iph, __u32 iph_len, struct tcphdr *th, __u32 th_len) = (void *) 100; - -/* - * bpf_sysctl_get_name - * - * Get name of sysctl in /proc/sys/ and copy it into provided by - * program buffer *buf* of size *buf_len*. - * - * The buffer is always NUL terminated, unless it's zero-sized. - * - * If *flags* is zero, full name (e.g. "net/ipv4/tcp_mem") is - * copied. Use **BPF_F_SYSCTL_BASE_NAME** flag to copy base name - * only (e.g. "tcp_mem"). - * - * Returns - * Number of character copied (not including the trailing NUL). - * - * **-E2BIG** if the buffer wasn't big enough (*buf* will contain - * truncated name in this case). - */ -static long (*bpf_sysctl_get_name)(struct bpf_sysctl *ctx, char *buf, unsigned long buf_len, __u64 flags) = (void *) 101; - -/* - * bpf_sysctl_get_current_value - * - * Get current value of sysctl as it is presented in /proc/sys - * (incl. newline, etc), and copy it as a string into provided - * by program buffer *buf* of size *buf_len*. - * - * The whole value is copied, no matter what file position user - * space issued e.g. sys_read at. - * - * The buffer is always NUL terminated, unless it's zero-sized. - * - * Returns - * Number of character copied (not including the trailing NUL). - * - * **-E2BIG** if the buffer wasn't big enough (*buf* will contain - * truncated name in this case). - * - * **-EINVAL** if current value was unavailable, e.g. because - * sysctl is uninitialized and read returns -EIO for it. - */ -static long (*bpf_sysctl_get_current_value)(struct bpf_sysctl *ctx, char *buf, unsigned long buf_len) = (void *) 102; - -/* - * bpf_sysctl_get_new_value - * - * Get new value being written by user space to sysctl (before - * the actual write happens) and copy it as a string into - * provided by program buffer *buf* of size *buf_len*. - * - * User space may write new value at file position > 0. - * - * The buffer is always NUL terminated, unless it's zero-sized. - * - * Returns - * Number of character copied (not including the trailing NUL). - * - * **-E2BIG** if the buffer wasn't big enough (*buf* will contain - * truncated name in this case). - * - * **-EINVAL** if sysctl is being read. - */ -static long (*bpf_sysctl_get_new_value)(struct bpf_sysctl *ctx, char *buf, unsigned long buf_len) = (void *) 103; - -/* - * bpf_sysctl_set_new_value - * - * Override new value being written by user space to sysctl with - * value provided by program in buffer *buf* of size *buf_len*. - * - * *buf* should contain a string in same form as provided by user - * space on sysctl write. - * - * User space may write new value at file position > 0. To override - * the whole sysctl value file position should be set to zero. - * - * Returns - * 0 on success. - * - * **-E2BIG** if the *buf_len* is too big. - * - * **-EINVAL** if sysctl is being read. - */ -static long (*bpf_sysctl_set_new_value)(struct bpf_sysctl *ctx, const char *buf, unsigned long buf_len) = (void *) 104; - -/* - * bpf_strtol - * - * Convert the initial part of the string from buffer *buf* of - * size *buf_len* to a long integer according to the given base - * and save the result in *res*. - * - * The string may begin with an arbitrary amount of white space - * (as determined by **isspace**\ (3)) followed by a single - * optional '**-**' sign. - * - * Five least significant bits of *flags* encode base, other bits - * are currently unused. - * - * Base must be either 8, 10, 16 or 0 to detect it automatically - * similar to user space **strtol**\ (3). - * - * Returns - * Number of characters consumed on success. Must be positive but - * no more than *buf_len*. - * - * **-EINVAL** if no valid digits were found or unsupported base - * was provided. - * - * **-ERANGE** if resulting value was out of range. - */ -static long (*bpf_strtol)(const char *buf, unsigned long buf_len, __u64 flags, long *res) = (void *) 105; - -/* - * bpf_strtoul - * - * Convert the initial part of the string from buffer *buf* of - * size *buf_len* to an unsigned long integer according to the - * given base and save the result in *res*. - * - * The string may begin with an arbitrary amount of white space - * (as determined by **isspace**\ (3)). - * - * Five least significant bits of *flags* encode base, other bits - * are currently unused. - * - * Base must be either 8, 10, 16 or 0 to detect it automatically - * similar to user space **strtoul**\ (3). - * - * Returns - * Number of characters consumed on success. Must be positive but - * no more than *buf_len*. - * - * **-EINVAL** if no valid digits were found or unsupported base - * was provided. - * - * **-ERANGE** if resulting value was out of range. - */ -static long (*bpf_strtoul)(const char *buf, unsigned long buf_len, __u64 flags, unsigned long *res) = (void *) 106; - -/* - * bpf_sk_storage_get - * - * Get a bpf-local-storage from a *sk*. - * - * Logically, it could be thought of getting the value from - * a *map* with *sk* as the **key**. From this - * perspective, the usage is not much different from - * **bpf_map_lookup_elem**\ (*map*, **&**\ *sk*) except this - * helper enforces the key must be a full socket and the map must - * be a **BPF_MAP_TYPE_SK_STORAGE** also. - * - * Underneath, the value is stored locally at *sk* instead of - * the *map*. The *map* is used as the bpf-local-storage - * "type". The bpf-local-storage "type" (i.e. the *map*) is - * searched against all bpf-local-storages residing at *sk*. - * - * *sk* is a kernel **struct sock** pointer for LSM program. - * *sk* is a **struct bpf_sock** pointer for other program types. - * - * An optional *flags* (**BPF_SK_STORAGE_GET_F_CREATE**) can be - * used such that a new bpf-local-storage will be - * created if one does not exist. *value* can be used - * together with **BPF_SK_STORAGE_GET_F_CREATE** to specify - * the initial value of a bpf-local-storage. If *value* is - * **NULL**, the new bpf-local-storage will be zero initialized. - * - * Returns - * A bpf-local-storage pointer is returned on success. - * - * **NULL** if not found or there was an error in adding - * a new bpf-local-storage. - */ -static void *(*bpf_sk_storage_get)(void *map, void *sk, void *value, __u64 flags) = (void *) 107; - -/* - * bpf_sk_storage_delete - * - * Delete a bpf-local-storage from a *sk*. - * - * Returns - * 0 on success. - * - * **-ENOENT** if the bpf-local-storage cannot be found. - * **-EINVAL** if sk is not a fullsock (e.g. a request_sock). - */ -static long (*bpf_sk_storage_delete)(void *map, void *sk) = (void *) 108; - -/* - * bpf_send_signal - * - * Send signal *sig* to the process of the current task. - * The signal may be delivered to any of this process's threads. - * - * Returns - * 0 on success or successfully queued. - * - * **-EBUSY** if work queue under nmi is full. - * - * **-EINVAL** if *sig* is invalid. - * - * **-EPERM** if no permission to send the *sig*. - * - * **-EAGAIN** if bpf program can try again. - */ -static long (*bpf_send_signal)(__u32 sig) = (void *) 109; - -/* - * bpf_tcp_gen_syncookie - * - * Try to issue a SYN cookie for the packet with corresponding - * IP/TCP headers, *iph* and *th*, on the listening socket in *sk*. - * - * *iph* points to the start of the IPv4 or IPv6 header, while - * *iph_len* contains **sizeof**\ (**struct iphdr**) or - * **sizeof**\ (**struct ip6hdr**). - * - * *th* points to the start of the TCP header, while *th_len* - * contains the length of the TCP header. - * - * Returns - * On success, lower 32 bits hold the generated SYN cookie in - * followed by 16 bits which hold the MSS value for that cookie, - * and the top 16 bits are unused. - * - * On failure, the returned value is one of the following: - * - * **-EINVAL** SYN cookie cannot be issued due to error - * - * **-ENOENT** SYN cookie should not be issued (no SYN flood) - * - * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies - * - * **-EPROTONOSUPPORT** IP packet version is not 4 or 6 - */ -static __s64 (*bpf_tcp_gen_syncookie)(void *sk, void *iph, __u32 iph_len, struct tcphdr *th, __u32 th_len) = (void *) 110; - -/* - * bpf_skb_output - * - * Write raw *data* blob into a special BPF perf event held by - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. This perf - * event must have the following attributes: **PERF_SAMPLE_RAW** - * as **sample_type**, **PERF_TYPE_SOFTWARE** as **type**, and - * **PERF_COUNT_SW_BPF_OUTPUT** as **config**. - * - * The *flags* are used to indicate the index in *map* for which - * the value must be put, masked with **BPF_F_INDEX_MASK**. - * Alternatively, *flags* can be set to **BPF_F_CURRENT_CPU** - * to indicate that the index of the current CPU core should be - * used. - * - * The value to write, of *size*, is passed through eBPF stack and - * pointed by *data*. - * - * *ctx* is a pointer to in-kernel struct sk_buff. - * - * This helper is similar to **bpf_perf_event_output**\ () but - * restricted to raw_tracepoint bpf programs. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_output)(void *ctx, void *map, __u64 flags, void *data, __u64 size) = (void *) 111; - -/* - * bpf_probe_read_user - * - * Safely attempt to read *size* bytes from user space address - * *unsafe_ptr* and store the data in *dst*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_read_user)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 112; - -/* - * bpf_probe_read_kernel - * - * Safely attempt to read *size* bytes from kernel space address - * *unsafe_ptr* and store the data in *dst*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_read_kernel)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 113; - -/* - * bpf_probe_read_user_str - * - * Copy a NUL terminated string from an unsafe user address - * *unsafe_ptr* to *dst*. The *size* should include the - * terminating NUL byte. In case the string length is smaller than - * *size*, the target is not padded with further NUL bytes. If the - * string length is larger than *size*, just *size*-1 bytes are - * copied and the last byte is set to NUL. - * - * On success, returns the number of bytes that were written, - * including the terminal NUL. This makes this helper useful in - * tracing programs for reading strings, and more importantly to - * get its length at runtime. See the following snippet: - * - * :: - * - * SEC("kprobe/sys_open") - * void bpf_sys_open(struct pt_regs *ctx) - * { - * char buf[PATHLEN]; // PATHLEN is defined to 256 - * int res = bpf_probe_read_user_str(buf, sizeof(buf), - * ctx->di); - * - * // Consume buf, for example push it to - * // userspace via bpf_perf_event_output(); we - * // can use res (the string length) as event - * // size, after checking its boundaries. - * } - * - * In comparison, using **bpf_probe_read_user**\ () helper here - * instead to read the string would require to estimate the length - * at compile time, and would often result in copying more memory - * than necessary. - * - * Another useful use case is when parsing individual process - * arguments or individual environment variables navigating - * *current*\ **->mm->arg_start** and *current*\ - * **->mm->env_start**: using this helper and the return value, - * one can quickly iterate at the right offset of the memory area. - * - * Returns - * On success, the strictly positive length of the output string, - * including the trailing NUL character. On error, a negative - * value. - */ -static long (*bpf_probe_read_user_str)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 114; - -/* - * bpf_probe_read_kernel_str - * - * Copy a NUL terminated string from an unsafe kernel address *unsafe_ptr* - * to *dst*. Same semantics as with **bpf_probe_read_user_str**\ () apply. - * - * Returns - * On success, the strictly positive length of the string, including - * the trailing NUL character. On error, a negative value. - */ -static long (*bpf_probe_read_kernel_str)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 115; - -/* - * bpf_tcp_send_ack - * - * Send out a tcp-ack. *tp* is the in-kernel struct **tcp_sock**. - * *rcv_nxt* is the ack_seq to be sent out. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_tcp_send_ack)(void *tp, __u32 rcv_nxt) = (void *) 116; - -/* - * bpf_send_signal_thread - * - * Send signal *sig* to the thread corresponding to the current task. - * - * Returns - * 0 on success or successfully queued. - * - * **-EBUSY** if work queue under nmi is full. - * - * **-EINVAL** if *sig* is invalid. - * - * **-EPERM** if no permission to send the *sig*. - * - * **-EAGAIN** if bpf program can try again. - */ -static long (*bpf_send_signal_thread)(__u32 sig) = (void *) 117; - -/* - * bpf_jiffies64 - * - * Obtain the 64bit jiffies - * - * Returns - * The 64 bit jiffies - */ -static __u64 (*bpf_jiffies64)(void) = (void *) 118; - -/* - * bpf_read_branch_records - * - * For an eBPF program attached to a perf event, retrieve the - * branch records (**struct perf_branch_entry**) associated to *ctx* - * and store it in the buffer pointed by *buf* up to size - * *size* bytes. - * - * Returns - * On success, number of bytes written to *buf*. On error, a - * negative value. - * - * The *flags* can be set to **BPF_F_GET_BRANCH_RECORDS_SIZE** to - * instead return the number of bytes required to store all the - * branch entries. If this flag is set, *buf* may be NULL. - * - * **-EINVAL** if arguments invalid or **size** not a multiple - * of **sizeof**\ (**struct perf_branch_entry**\ ). - * - * **-ENOENT** if architecture does not support branch records. - */ -static long (*bpf_read_branch_records)(struct bpf_perf_event_data *ctx, void *buf, __u32 size, __u64 flags) = (void *) 119; - -/* - * bpf_get_ns_current_pid_tgid - * - * Returns 0 on success, values for *pid* and *tgid* as seen from the current - * *namespace* will be returned in *nsdata*. - * - * Returns - * 0 on success, or one of the following in case of failure: - * - * **-EINVAL** if dev and inum supplied don't match dev_t and inode number - * with nsfs of current task, or if dev conversion to dev_t lost high bits. - * - * **-ENOENT** if pidns does not exists for the current task. - */ -static long (*bpf_get_ns_current_pid_tgid)(__u64 dev, __u64 ino, struct bpf_pidns_info *nsdata, __u32 size) = (void *) 120; - -/* - * bpf_xdp_output - * - * Write raw *data* blob into a special BPF perf event held by - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. This perf - * event must have the following attributes: **PERF_SAMPLE_RAW** - * as **sample_type**, **PERF_TYPE_SOFTWARE** as **type**, and - * **PERF_COUNT_SW_BPF_OUTPUT** as **config**. - * - * The *flags* are used to indicate the index in *map* for which - * the value must be put, masked with **BPF_F_INDEX_MASK**. - * Alternatively, *flags* can be set to **BPF_F_CURRENT_CPU** - * to indicate that the index of the current CPU core should be - * used. - * - * The value to write, of *size*, is passed through eBPF stack and - * pointed by *data*. - * - * *ctx* is a pointer to in-kernel struct xdp_buff. - * - * This helper is similar to **bpf_perf_eventoutput**\ () but - * restricted to raw_tracepoint bpf programs. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_output)(void *ctx, void *map, __u64 flags, void *data, __u64 size) = (void *) 121; - -/* - * bpf_get_netns_cookie - * - * Retrieve the cookie (generated by the kernel) of the network - * namespace the input *ctx* is associated with. The network - * namespace cookie remains stable for its lifetime and provides - * a global identifier that can be assumed unique. If *ctx* is - * NULL, then the helper returns the cookie for the initial - * network namespace. The cookie itself is very similar to that - * of **bpf_get_socket_cookie**\ () helper, but for network - * namespaces instead of sockets. - * - * Returns - * A 8-byte long opaque number. - */ -static __u64 (*bpf_get_netns_cookie)(void *ctx) = (void *) 122; - -/* - * bpf_get_current_ancestor_cgroup_id - * - * Return id of cgroup v2 that is ancestor of the cgroup associated - * with the current task at the *ancestor_level*. The root cgroup - * is at *ancestor_level* zero and each step down the hierarchy - * increments the level. If *ancestor_level* == level of cgroup - * associated with the current task, then return value will be the - * same as that of **bpf_get_current_cgroup_id**\ (). - * - * The helper is useful to implement policies based on cgroups - * that are upper in hierarchy than immediate cgroup associated - * with the current task. - * - * The format of returned id and helper limitations are same as in - * **bpf_get_current_cgroup_id**\ (). - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_get_current_ancestor_cgroup_id)(int ancestor_level) = (void *) 123; - -/* - * bpf_sk_assign - * - * Helper is overloaded depending on BPF program type. This - * description applies to **BPF_PROG_TYPE_SCHED_CLS** and - * **BPF_PROG_TYPE_SCHED_ACT** programs. - * - * Assign the *sk* to the *skb*. When combined with appropriate - * routing configuration to receive the packet towards the socket, - * will cause *skb* to be delivered to the specified socket. - * Subsequent redirection of *skb* via **bpf_redirect**\ (), - * **bpf_clone_redirect**\ () or other methods outside of BPF may - * interfere with successful delivery to the socket. - * - * This operation is only valid from TC ingress path. - * - * The *flags* argument must be zero. - * - * Returns - * 0 on success, or a negative error in case of failure: - * - * **-EINVAL** if specified *flags* are not supported. - * - * **-ENOENT** if the socket is unavailable for assignment. - * - * **-ENETUNREACH** if the socket is unreachable (wrong netns). - * - * **-EOPNOTSUPP** if the operation is not supported, for example - * a call from outside of TC ingress. - * - * **-ESOCKTNOSUPPORT** if the socket type is not supported - * (reuseport). - */ -static long (*bpf_sk_assign)(void *ctx, void *sk, __u64 flags) = (void *) 124; - -/* - * bpf_ktime_get_boot_ns - * - * Return the time elapsed since system boot, in nanoseconds. - * Does include the time the system was suspended. - * See: **clock_gettime**\ (**CLOCK_BOOTTIME**) - * - * Returns - * Current *ktime*. - */ -static __u64 (*bpf_ktime_get_boot_ns)(void) = (void *) 125; - -/* - * bpf_seq_printf - * - * **bpf_seq_printf**\ () uses seq_file **seq_printf**\ () to print - * out the format string. - * The *m* represents the seq_file. The *fmt* and *fmt_size* are for - * the format string itself. The *data* and *data_len* are format string - * arguments. The *data* are a **u64** array and corresponding format string - * values are stored in the array. For strings and pointers where pointees - * are accessed, only the pointer values are stored in the *data* array. - * The *data_len* is the size of *data* in bytes - must be a multiple of 8. - * - * Formats **%s**, **%p{i,I}{4,6}** requires to read kernel memory. - * Reading kernel memory may fail due to either invalid address or - * valid address but requiring a major memory fault. If reading kernel memory - * fails, the string for **%s** will be an empty string, and the ip - * address for **%p{i,I}{4,6}** will be 0. Not returning error to - * bpf program is consistent with what **bpf_trace_printk**\ () does for now. - * - * Returns - * 0 on success, or a negative error in case of failure: - * - * **-EBUSY** if per-CPU memory copy buffer is busy, can try again - * by returning 1 from bpf program. - * - * **-EINVAL** if arguments are invalid, or if *fmt* is invalid/unsupported. - * - * **-E2BIG** if *fmt* contains too many format specifiers. - * - * **-EOVERFLOW** if an overflow happened: The same object will be tried again. - */ -static long (*bpf_seq_printf)(struct seq_file *m, const char *fmt, __u32 fmt_size, const void *data, __u32 data_len) = (void *) 126; - -/* - * bpf_seq_write - * - * **bpf_seq_write**\ () uses seq_file **seq_write**\ () to write the data. - * The *m* represents the seq_file. The *data* and *len* represent the - * data to write in bytes. - * - * Returns - * 0 on success, or a negative error in case of failure: - * - * **-EOVERFLOW** if an overflow happened: The same object will be tried again. - */ -static long (*bpf_seq_write)(struct seq_file *m, const void *data, __u32 len) = (void *) 127; - -/* - * bpf_sk_cgroup_id - * - * Return the cgroup v2 id of the socket *sk*. - * - * *sk* must be a non-**NULL** pointer to a socket, e.g. one - * returned from **bpf_sk_lookup_xxx**\ (), - * **bpf_sk_fullsock**\ (), etc. The format of returned id is - * same as in **bpf_skb_cgroup_id**\ (). - * - * This helper is available only if the kernel was compiled with - * the **CONFIG_SOCK_CGROUP_DATA** configuration option. - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_sk_cgroup_id)(void *sk) = (void *) 128; - -/* - * bpf_sk_ancestor_cgroup_id - * - * Return id of cgroup v2 that is ancestor of cgroup associated - * with the *sk* at the *ancestor_level*. The root cgroup is at - * *ancestor_level* zero and each step down the hierarchy - * increments the level. If *ancestor_level* == level of cgroup - * associated with *sk*, then return value will be same as that - * of **bpf_sk_cgroup_id**\ (). - * - * The helper is useful to implement policies based on cgroups - * that are upper in hierarchy than immediate cgroup associated - * with *sk*. - * - * The format of returned id and helper limitations are same as in - * **bpf_sk_cgroup_id**\ (). - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_sk_ancestor_cgroup_id)(void *sk, int ancestor_level) = (void *) 129; - -/* - * bpf_ringbuf_output - * - * Copy *size* bytes from *data* into a ring buffer *ringbuf*. - * If **BPF_RB_NO_WAKEUP** is specified in *flags*, no notification - * of new data availability is sent. - * If **BPF_RB_FORCE_WAKEUP** is specified in *flags*, notification - * of new data availability is sent unconditionally. - * If **0** is specified in *flags*, an adaptive notification - * of new data availability is sent. - * - * An adaptive notification is a notification sent whenever the user-space - * process has caught up and consumed all available payloads. In case the user-space - * process is still processing a previous payload, then no notification is needed - * as it will process the newly added payload automatically. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_ringbuf_output)(void *ringbuf, void *data, __u64 size, __u64 flags) = (void *) 130; - -/* - * bpf_ringbuf_reserve - * - * Reserve *size* bytes of payload in a ring buffer *ringbuf*. - * *flags* must be 0. - * - * Returns - * Valid pointer with *size* bytes of memory available; NULL, - * otherwise. - */ -static void *(*bpf_ringbuf_reserve)(void *ringbuf, __u64 size, __u64 flags) = (void *) 131; - -/* - * bpf_ringbuf_submit - * - * Submit reserved ring buffer sample, pointed to by *data*. - * If **BPF_RB_NO_WAKEUP** is specified in *flags*, no notification - * of new data availability is sent. - * If **BPF_RB_FORCE_WAKEUP** is specified in *flags*, notification - * of new data availability is sent unconditionally. - * If **0** is specified in *flags*, an adaptive notification - * of new data availability is sent. - * - * See 'bpf_ringbuf_output()' for the definition of adaptive notification. - * - * Returns - * Nothing. Always succeeds. - */ -static void (*bpf_ringbuf_submit)(void *data, __u64 flags) = (void *) 132; - -/* - * bpf_ringbuf_discard - * - * Discard reserved ring buffer sample, pointed to by *data*. - * If **BPF_RB_NO_WAKEUP** is specified in *flags*, no notification - * of new data availability is sent. - * If **BPF_RB_FORCE_WAKEUP** is specified in *flags*, notification - * of new data availability is sent unconditionally. - * If **0** is specified in *flags*, an adaptive notification - * of new data availability is sent. - * - * See 'bpf_ringbuf_output()' for the definition of adaptive notification. - * - * Returns - * Nothing. Always succeeds. - */ -static void (*bpf_ringbuf_discard)(void *data, __u64 flags) = (void *) 133; - -/* - * bpf_ringbuf_query - * - * Query various characteristics of provided ring buffer. What - * exactly is queries is determined by *flags*: - * - * * **BPF_RB_AVAIL_DATA**: Amount of data not yet consumed. - * * **BPF_RB_RING_SIZE**: The size of ring buffer. - * * **BPF_RB_CONS_POS**: Consumer position (can wrap around). - * * **BPF_RB_PROD_POS**: Producer(s) position (can wrap around). - * - * Data returned is just a momentary snapshot of actual values - * and could be inaccurate, so this facility should be used to - * power heuristics and for reporting, not to make 100% correct - * calculation. - * - * Returns - * Requested value, or 0, if *flags* are not recognized. - */ -static __u64 (*bpf_ringbuf_query)(void *ringbuf, __u64 flags) = (void *) 134; - -/* - * bpf_csum_level - * - * Change the skbs checksum level by one layer up or down, or - * reset it entirely to none in order to have the stack perform - * checksum validation. The level is applicable to the following - * protocols: TCP, UDP, GRE, SCTP, FCOE. For example, a decap of - * | ETH | IP | UDP | GUE | IP | TCP | into | ETH | IP | TCP | - * through **bpf_skb_adjust_room**\ () helper with passing in - * **BPF_F_ADJ_ROOM_NO_CSUM_RESET** flag would require one call - * to **bpf_csum_level**\ () with **BPF_CSUM_LEVEL_DEC** since - * the UDP header is removed. Similarly, an encap of the latter - * into the former could be accompanied by a helper call to - * **bpf_csum_level**\ () with **BPF_CSUM_LEVEL_INC** if the - * skb is still intended to be processed in higher layers of the - * stack instead of just egressing at tc. - * - * There are three supported level settings at this time: - * - * * **BPF_CSUM_LEVEL_INC**: Increases skb->csum_level for skbs - * with CHECKSUM_UNNECESSARY. - * * **BPF_CSUM_LEVEL_DEC**: Decreases skb->csum_level for skbs - * with CHECKSUM_UNNECESSARY. - * * **BPF_CSUM_LEVEL_RESET**: Resets skb->csum_level to 0 and - * sets CHECKSUM_NONE to force checksum validation by the stack. - * * **BPF_CSUM_LEVEL_QUERY**: No-op, returns the current - * skb->csum_level. - * - * Returns - * 0 on success, or a negative error in case of failure. In the - * case of **BPF_CSUM_LEVEL_QUERY**, the current skb->csum_level - * is returned or the error code -EACCES in case the skb is not - * subject to CHECKSUM_UNNECESSARY. - */ -static long (*bpf_csum_level)(struct __sk_buff *skb, __u64 level) = (void *) 135; - -/* - * bpf_skc_to_tcp6_sock - * - * Dynamically cast a *sk* pointer to a *tcp6_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp6_sock *(*bpf_skc_to_tcp6_sock)(void *sk) = (void *) 136; - -/* - * bpf_skc_to_tcp_sock - * - * Dynamically cast a *sk* pointer to a *tcp_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp_sock *(*bpf_skc_to_tcp_sock)(void *sk) = (void *) 137; - -/* - * bpf_skc_to_tcp_timewait_sock - * - * Dynamically cast a *sk* pointer to a *tcp_timewait_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp_timewait_sock *(*bpf_skc_to_tcp_timewait_sock)(void *sk) = (void *) 138; - -/* - * bpf_skc_to_tcp_request_sock - * - * Dynamically cast a *sk* pointer to a *tcp_request_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp_request_sock *(*bpf_skc_to_tcp_request_sock)(void *sk) = (void *) 139; - -/* - * bpf_skc_to_udp6_sock - * - * Dynamically cast a *sk* pointer to a *udp6_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct udp6_sock *(*bpf_skc_to_udp6_sock)(void *sk) = (void *) 140; - -/* - * bpf_get_task_stack - * - * Return a user or a kernel stack in bpf program provided buffer. - * To achieve this, the helper needs *task*, which is a valid - * pointer to **struct task_struct**. To store the stacktrace, the - * bpf program provides *buf* with a nonnegative *size*. - * - * The last argument, *flags*, holds the number of stack frames to - * skip (from 0 to 255), masked with - * **BPF_F_SKIP_FIELD_MASK**. The next bits can be used to set - * the following flags: - * - * **BPF_F_USER_STACK** - * Collect a user space stack instead of a kernel stack. - * **BPF_F_USER_BUILD_ID** - * Collect buildid+offset instead of ips for user stack, - * only valid if **BPF_F_USER_STACK** is also specified. - * - * **bpf_get_task_stack**\ () can collect up to - * **PERF_MAX_STACK_DEPTH** both kernel and user frames, subject - * to sufficient large buffer size. Note that - * this limit can be controlled with the **sysctl** program, and - * that it should be manually increased in order to profile long - * user stacks (such as stacks for Java programs). To do so, use: - * - * :: - * - * # sysctl kernel.perf_event_max_stack= - * - * Returns - * A non-negative value equal to or less than *size* on success, - * or a negative error in case of failure. - */ -static long (*bpf_get_task_stack)(struct task_struct *task, void *buf, __u32 size, __u64 flags) = (void *) 141; - -/* - * bpf_load_hdr_opt - * - * Load header option. Support reading a particular TCP header - * option for bpf program (**BPF_PROG_TYPE_SOCK_OPS**). - * - * If *flags* is 0, it will search the option from the - * *skops*\ **->skb_data**. The comment in **struct bpf_sock_ops** - * has details on what skb_data contains under different - * *skops*\ **->op**. - * - * The first byte of the *searchby_res* specifies the - * kind that it wants to search. - * - * If the searching kind is an experimental kind - * (i.e. 253 or 254 according to RFC6994). It also - * needs to specify the "magic" which is either - * 2 bytes or 4 bytes. It then also needs to - * specify the size of the magic by using - * the 2nd byte which is "kind-length" of a TCP - * header option and the "kind-length" also - * includes the first 2 bytes "kind" and "kind-length" - * itself as a normal TCP header option also does. - * - * For example, to search experimental kind 254 with - * 2 byte magic 0xeB9F, the searchby_res should be - * [ 254, 4, 0xeB, 0x9F, 0, 0, .... 0 ]. - * - * To search for the standard window scale option (3), - * the *searchby_res* should be [ 3, 0, 0, .... 0 ]. - * Note, kind-length must be 0 for regular option. - * - * Searching for No-Op (0) and End-of-Option-List (1) are - * not supported. - * - * *len* must be at least 2 bytes which is the minimal size - * of a header option. - * - * Supported flags: - * - * * **BPF_LOAD_HDR_OPT_TCP_SYN** to search from the - * saved_syn packet or the just-received syn packet. - * - * - * Returns - * > 0 when found, the header option is copied to *searchby_res*. - * The return value is the total length copied. On failure, a - * negative error code is returned: - * - * **-EINVAL** if a parameter is invalid. - * - * **-ENOMSG** if the option is not found. - * - * **-ENOENT** if no syn packet is available when - * **BPF_LOAD_HDR_OPT_TCP_SYN** is used. - * - * **-ENOSPC** if there is not enough space. Only *len* number of - * bytes are copied. - * - * **-EFAULT** on failure to parse the header options in the - * packet. - * - * **-EPERM** if the helper cannot be used under the current - * *skops*\ **->op**. - */ -static long (*bpf_load_hdr_opt)(struct bpf_sock_ops *skops, void *searchby_res, __u32 len, __u64 flags) = (void *) 142; - -/* - * bpf_store_hdr_opt - * - * Store header option. The data will be copied - * from buffer *from* with length *len* to the TCP header. - * - * The buffer *from* should have the whole option that - * includes the kind, kind-length, and the actual - * option data. The *len* must be at least kind-length - * long. The kind-length does not have to be 4 byte - * aligned. The kernel will take care of the padding - * and setting the 4 bytes aligned value to th->doff. - * - * This helper will check for duplicated option - * by searching the same option in the outgoing skb. - * - * This helper can only be called during - * **BPF_SOCK_OPS_WRITE_HDR_OPT_CB**. - * - * - * Returns - * 0 on success, or negative error in case of failure: - * - * **-EINVAL** If param is invalid. - * - * **-ENOSPC** if there is not enough space in the header. - * Nothing has been written - * - * **-EEXIST** if the option already exists. - * - * **-EFAULT** on failrue to parse the existing header options. - * - * **-EPERM** if the helper cannot be used under the current - * *skops*\ **->op**. - */ -static long (*bpf_store_hdr_opt)(struct bpf_sock_ops *skops, const void *from, __u32 len, __u64 flags) = (void *) 143; - -/* - * bpf_reserve_hdr_opt - * - * Reserve *len* bytes for the bpf header option. The - * space will be used by **bpf_store_hdr_opt**\ () later in - * **BPF_SOCK_OPS_WRITE_HDR_OPT_CB**. - * - * If **bpf_reserve_hdr_opt**\ () is called multiple times, - * the total number of bytes will be reserved. - * - * This helper can only be called during - * **BPF_SOCK_OPS_HDR_OPT_LEN_CB**. - * - * - * Returns - * 0 on success, or negative error in case of failure: - * - * **-EINVAL** if a parameter is invalid. - * - * **-ENOSPC** if there is not enough space in the header. - * - * **-EPERM** if the helper cannot be used under the current - * *skops*\ **->op**. - */ -static long (*bpf_reserve_hdr_opt)(struct bpf_sock_ops *skops, __u32 len, __u64 flags) = (void *) 144; - -/* - * bpf_inode_storage_get - * - * Get a bpf_local_storage from an *inode*. - * - * Logically, it could be thought of as getting the value from - * a *map* with *inode* as the **key**. From this - * perspective, the usage is not much different from - * **bpf_map_lookup_elem**\ (*map*, **&**\ *inode*) except this - * helper enforces the key must be an inode and the map must also - * be a **BPF_MAP_TYPE_INODE_STORAGE**. - * - * Underneath, the value is stored locally at *inode* instead of - * the *map*. The *map* is used as the bpf-local-storage - * "type". The bpf-local-storage "type" (i.e. the *map*) is - * searched against all bpf_local_storage residing at *inode*. - * - * An optional *flags* (**BPF_LOCAL_STORAGE_GET_F_CREATE**) can be - * used such that a new bpf_local_storage will be - * created if one does not exist. *value* can be used - * together with **BPF_LOCAL_STORAGE_GET_F_CREATE** to specify - * the initial value of a bpf_local_storage. If *value* is - * **NULL**, the new bpf_local_storage will be zero initialized. - * - * Returns - * A bpf_local_storage pointer is returned on success. - * - * **NULL** if not found or there was an error in adding - * a new bpf_local_storage. - */ -static void *(*bpf_inode_storage_get)(void *map, void *inode, void *value, __u64 flags) = (void *) 145; - -/* - * bpf_inode_storage_delete - * - * Delete a bpf_local_storage from an *inode*. - * - * Returns - * 0 on success. - * - * **-ENOENT** if the bpf_local_storage cannot be found. - */ -static int (*bpf_inode_storage_delete)(void *map, void *inode) = (void *) 146; - -/* - * bpf_d_path - * - * Return full path for given **struct path** object, which - * needs to be the kernel BTF *path* object. The path is - * returned in the provided buffer *buf* of size *sz* and - * is zero terminated. - * - * - * Returns - * On success, the strictly positive length of the string, - * including the trailing NUL character. On error, a negative - * value. - */ -static long (*bpf_d_path)(struct path *path, char *buf, __u32 sz) = (void *) 147; - -/* - * bpf_copy_from_user - * - * Read *size* bytes from user space address *user_ptr* and store - * the data in *dst*. This is a wrapper of **copy_from_user**\ (). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_copy_from_user)(void *dst, __u32 size, const void *user_ptr) = (void *) 148; - -/* - * bpf_snprintf_btf - * - * Use BTF to store a string representation of *ptr*->ptr in *str*, - * using *ptr*->type_id. This value should specify the type - * that *ptr*->ptr points to. LLVM __builtin_btf_type_id(type, 1) - * can be used to look up vmlinux BTF type ids. Traversing the - * data structure using BTF, the type information and values are - * stored in the first *str_size* - 1 bytes of *str*. Safe copy of - * the pointer data is carried out to avoid kernel crashes during - * operation. Smaller types can use string space on the stack; - * larger programs can use map data to store the string - * representation. - * - * The string can be subsequently shared with userspace via - * bpf_perf_event_output() or ring buffer interfaces. - * bpf_trace_printk() is to be avoided as it places too small - * a limit on string size to be useful. - * - * *flags* is a combination of - * - * **BTF_F_COMPACT** - * no formatting around type information - * **BTF_F_NONAME** - * no struct/union member names/types - * **BTF_F_PTR_RAW** - * show raw (unobfuscated) pointer values; - * equivalent to printk specifier %px. - * **BTF_F_ZERO** - * show zero-valued struct/union members; they - * are not displayed by default - * - * - * Returns - * The number of bytes that were written (or would have been - * written if output had to be truncated due to string size), - * or a negative error in cases of failure. - */ -static long (*bpf_snprintf_btf)(char *str, __u32 str_size, struct btf_ptr *ptr, __u32 btf_ptr_size, __u64 flags) = (void *) 149; - -/* - * bpf_seq_printf_btf - * - * Use BTF to write to seq_write a string representation of - * *ptr*->ptr, using *ptr*->type_id as per bpf_snprintf_btf(). - * *flags* are identical to those used for bpf_snprintf_btf. - * - * Returns - * 0 on success or a negative error in case of failure. - */ -static long (*bpf_seq_printf_btf)(struct seq_file *m, struct btf_ptr *ptr, __u32 ptr_size, __u64 flags) = (void *) 150; - -/* - * bpf_skb_cgroup_classid - * - * See **bpf_get_cgroup_classid**\ () for the main description. - * This helper differs from **bpf_get_cgroup_classid**\ () in that - * the cgroup v1 net_cls class is retrieved only from the *skb*'s - * associated socket instead of the current process. - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_skb_cgroup_classid)(struct __sk_buff *skb) = (void *) 151; - -/* - * bpf_redirect_neigh - * - * Redirect the packet to another net device of index *ifindex* - * and fill in L2 addresses from neighboring subsystem. This helper - * is somewhat similar to **bpf_redirect**\ (), except that it - * populates L2 addresses as well, meaning, internally, the helper - * relies on the neighbor lookup for the L2 address of the nexthop. - * - * The helper will perform a FIB lookup based on the skb's - * networking header to get the address of the next hop, unless - * this is supplied by the caller in the *params* argument. The - * *plen* argument indicates the len of *params* and should be set - * to 0 if *params* is NULL. - * - * The *flags* argument is reserved and must be 0. The helper is - * currently only supported for tc BPF program types, and enabled - * for IPv4 and IPv6 protocols. - * - * Returns - * The helper returns **TC_ACT_REDIRECT** on success or - * **TC_ACT_SHOT** on error. - */ -static long (*bpf_redirect_neigh)(__u32 ifindex, struct bpf_redir_neigh *params, int plen, __u64 flags) = (void *) 152; - -/* - * bpf_per_cpu_ptr - * - * Take a pointer to a percpu ksym, *percpu_ptr*, and return a - * pointer to the percpu kernel variable on *cpu*. A ksym is an - * extern variable decorated with '__ksym'. For ksym, there is a - * global var (either static or global) defined of the same name - * in the kernel. The ksym is percpu if the global var is percpu. - * The returned pointer points to the global percpu var on *cpu*. - * - * bpf_per_cpu_ptr() has the same semantic as per_cpu_ptr() in the - * kernel, except that bpf_per_cpu_ptr() may return NULL. This - * happens if *cpu* is larger than nr_cpu_ids. The caller of - * bpf_per_cpu_ptr() must check the returned value. - * - * Returns - * A pointer pointing to the kernel percpu variable on *cpu*, or - * NULL, if *cpu* is invalid. - */ -static void *(*bpf_per_cpu_ptr)(const void *percpu_ptr, __u32 cpu) = (void *) 153; - -/* - * bpf_this_cpu_ptr - * - * Take a pointer to a percpu ksym, *percpu_ptr*, and return a - * pointer to the percpu kernel variable on this cpu. See the - * description of 'ksym' in **bpf_per_cpu_ptr**\ (). - * - * bpf_this_cpu_ptr() has the same semantic as this_cpu_ptr() in - * the kernel. Different from **bpf_per_cpu_ptr**\ (), it would - * never return NULL. - * - * Returns - * A pointer pointing to the kernel percpu variable on this cpu. - */ -static void *(*bpf_this_cpu_ptr)(const void *percpu_ptr) = (void *) 154; - -/* - * bpf_redirect_peer - * - * Redirect the packet to another net device of index *ifindex*. - * This helper is somewhat similar to **bpf_redirect**\ (), except - * that the redirection happens to the *ifindex*' peer device and - * the netns switch takes place from ingress to ingress without - * going through the CPU's backlog queue. - * - * The *flags* argument is reserved and must be 0. The helper is - * currently only supported for tc BPF program types at the ingress - * hook and for veth device types. The peer device must reside in a - * different network namespace. - * - * Returns - * The helper returns **TC_ACT_REDIRECT** on success or - * **TC_ACT_SHOT** on error. - */ -static long (*bpf_redirect_peer)(__u32 ifindex, __u64 flags) = (void *) 155; - -/* - * bpf_task_storage_get - * - * Get a bpf_local_storage from the *task*. - * - * Logically, it could be thought of as getting the value from - * a *map* with *task* as the **key**. From this - * perspective, the usage is not much different from - * **bpf_map_lookup_elem**\ (*map*, **&**\ *task*) except this - * helper enforces the key must be an task_struct and the map must also - * be a **BPF_MAP_TYPE_TASK_STORAGE**. - * - * Underneath, the value is stored locally at *task* instead of - * the *map*. The *map* is used as the bpf-local-storage - * "type". The bpf-local-storage "type" (i.e. the *map*) is - * searched against all bpf_local_storage residing at *task*. - * - * An optional *flags* (**BPF_LOCAL_STORAGE_GET_F_CREATE**) can be - * used such that a new bpf_local_storage will be - * created if one does not exist. *value* can be used - * together with **BPF_LOCAL_STORAGE_GET_F_CREATE** to specify - * the initial value of a bpf_local_storage. If *value* is - * **NULL**, the new bpf_local_storage will be zero initialized. - * - * Returns - * A bpf_local_storage pointer is returned on success. - * - * **NULL** if not found or there was an error in adding - * a new bpf_local_storage. - */ -static void *(*bpf_task_storage_get)(void *map, struct task_struct *task, void *value, __u64 flags) = (void *) 156; - -/* - * bpf_task_storage_delete - * - * Delete a bpf_local_storage from a *task*. - * - * Returns - * 0 on success. - * - * **-ENOENT** if the bpf_local_storage cannot be found. - */ -static long (*bpf_task_storage_delete)(void *map, struct task_struct *task) = (void *) 157; - -/* - * bpf_get_current_task_btf - * - * Return a BTF pointer to the "current" task. - * This pointer can also be used in helpers that accept an - * *ARG_PTR_TO_BTF_ID* of type *task_struct*. - * - * Returns - * Pointer to the current task. - */ -static struct task_struct *(*bpf_get_current_task_btf)(void) = (void *) 158; - -/* - * bpf_bprm_opts_set - * - * Set or clear certain options on *bprm*: - * - * **BPF_F_BPRM_SECUREEXEC** Set the secureexec bit - * which sets the **AT_SECURE** auxv for glibc. The bit - * is cleared if the flag is not specified. - * - * Returns - * **-EINVAL** if invalid *flags* are passed, zero otherwise. - */ -static long (*bpf_bprm_opts_set)(struct linux_binprm *bprm, __u64 flags) = (void *) 159; - -/* - * bpf_ktime_get_coarse_ns - * - * Return a coarse-grained version of the time elapsed since - * system boot, in nanoseconds. Does not include time the system - * was suspended. - * - * See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**) - * - * Returns - * Current *ktime*. - */ -static __u64 (*bpf_ktime_get_coarse_ns)(void) = (void *) 160; - -/* - * bpf_ima_inode_hash - * - * Returns the stored IMA hash of the *inode* (if it's avaialable). - * If the hash is larger than *size*, then only *size* - * bytes will be copied to *dst* - * - * Returns - * The **hash_algo** is returned on success, - * **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if - * invalid arguments are passed. - */ -static long (*bpf_ima_inode_hash)(struct inode *inode, void *dst, __u32 size) = (void *) 161; - -/* - * bpf_sock_from_file - * - * If the given file represents a socket, returns the associated - * socket. - * - * Returns - * A pointer to a struct socket on success or NULL if the file is - * not a socket. - */ -static struct socket *(*bpf_sock_from_file)(struct file *file) = (void *) 162; - -/* - * bpf_check_mtu - * - * Check packet size against exceeding MTU of net device (based - * on *ifindex*). This helper will likely be used in combination - * with helpers that adjust/change the packet size. - * - * The argument *len_diff* can be used for querying with a planned - * size change. This allows to check MTU prior to changing packet - * ctx. Providing an *len_diff* adjustment that is larger than the - * actual packet size (resulting in negative packet size) will in - * principle not exceed the MTU, why it is not considered a - * failure. Other BPF-helpers are needed for performing the - * planned size change, why the responsability for catch a negative - * packet size belong in those helpers. - * - * Specifying *ifindex* zero means the MTU check is performed - * against the current net device. This is practical if this isn't - * used prior to redirect. - * - * On input *mtu_len* must be a valid pointer, else verifier will - * reject BPF program. If the value *mtu_len* is initialized to - * zero then the ctx packet size is use. When value *mtu_len* is - * provided as input this specify the L3 length that the MTU check - * is done against. Remember XDP and TC length operate at L2, but - * this value is L3 as this correlate to MTU and IP-header tot_len - * values which are L3 (similar behavior as bpf_fib_lookup). - * - * The Linux kernel route table can configure MTUs on a more - * specific per route level, which is not provided by this helper. - * For route level MTU checks use the **bpf_fib_lookup**\ () - * helper. - * - * *ctx* is either **struct xdp_md** for XDP programs or - * **struct sk_buff** for tc cls_act programs. - * - * The *flags* argument can be a combination of one or more of the - * following values: - * - * **BPF_MTU_CHK_SEGS** - * This flag will only works for *ctx* **struct sk_buff**. - * If packet context contains extra packet segment buffers - * (often knows as GSO skb), then MTU check is harder to - * check at this point, because in transmit path it is - * possible for the skb packet to get re-segmented - * (depending on net device features). This could still be - * a MTU violation, so this flag enables performing MTU - * check against segments, with a different violation - * return code to tell it apart. Check cannot use len_diff. - * - * On return *mtu_len* pointer contains the MTU value of the net - * device. Remember the net device configured MTU is the L3 size, - * which is returned here and XDP and TC length operate at L2. - * Helper take this into account for you, but remember when using - * MTU value in your BPF-code. - * - * - * Returns - * * 0 on success, and populate MTU value in *mtu_len* pointer. - * - * * < 0 if any input argument is invalid (*mtu_len* not updated) - * - * MTU violations return positive values, but also populate MTU - * value in *mtu_len* pointer, as this can be needed for - * implementing PMTU handing: - * - * * **BPF_MTU_CHK_RET_FRAG_NEEDED** - * * **BPF_MTU_CHK_RET_SEGS_TOOBIG** - */ -static long (*bpf_check_mtu)(void *ctx, __u32 ifindex, __u32 *mtu_len, __s32 len_diff, __u64 flags) = (void *) 163; - -/* - * bpf_for_each_map_elem - * - * For each element in **map**, call **callback_fn** function with - * **map**, **callback_ctx** and other map-specific parameters. - * The **callback_fn** should be a static function and - * the **callback_ctx** should be a pointer to the stack. - * The **flags** is used to control certain aspects of the helper. - * Currently, the **flags** must be 0. - * - * The following are a list of supported map types and their - * respective expected callback signatures: - * - * BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_PERCPU_HASH, - * BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH, - * BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY - * - * long (\*callback_fn)(struct bpf_map \*map, const void \*key, void \*value, void \*ctx); - * - * For per_cpu maps, the map_value is the value on the cpu where the - * bpf_prog is running. - * - * If **callback_fn** return 0, the helper will continue to the next - * element. If return value is 1, the helper will skip the rest of - * elements and return. Other return values are not used now. - * - * - * Returns - * The number of traversed map elements for success, **-EINVAL** for - * invalid **flags**. - */ -static long (*bpf_for_each_map_elem)(void *map, void *callback_fn, void *callback_ctx, __u64 flags) = (void *) 164; - -/* - * bpf_snprintf - * - * Outputs a string into the **str** buffer of size **str_size** - * based on a format string stored in a read-only map pointed by - * **fmt**. - * - * Each format specifier in **fmt** corresponds to one u64 element - * in the **data** array. For strings and pointers where pointees - * are accessed, only the pointer values are stored in the *data* - * array. The *data_len* is the size of *data* in bytes - must be - * a multiple of 8. - * - * Formats **%s** and **%p{i,I}{4,6}** require to read kernel - * memory. Reading kernel memory may fail due to either invalid - * address or valid address but requiring a major memory fault. If - * reading kernel memory fails, the string for **%s** will be an - * empty string, and the ip address for **%p{i,I}{4,6}** will be 0. - * Not returning error to bpf program is consistent with what - * **bpf_trace_printk**\ () does for now. - * - * - * Returns - * The strictly positive length of the formatted string, including - * the trailing zero character. If the return value is greater than - * **str_size**, **str** contains a truncated string, guaranteed to - * be zero-terminated except when **str_size** is 0. - * - * Or **-EBUSY** if the per-CPU memory copy buffer is busy. - */ -static long (*bpf_snprintf)(char *str, __u32 str_size, const char *fmt, __u64 *data, __u32 data_len) = (void *) 165; - -/* - * bpf_sys_bpf - * - * Execute bpf syscall with given arguments. - * - * Returns - * A syscall result. - */ -static long (*bpf_sys_bpf)(__u32 cmd, void *attr, __u32 attr_size) = (void *) 166; - -/* - * bpf_btf_find_by_name_kind - * - * Find BTF type with given name and kind in vmlinux BTF or in module's BTFs. - * - * Returns - * Returns btf_id and btf_obj_fd in lower and upper 32 bits. - */ -static long (*bpf_btf_find_by_name_kind)(char *name, int name_sz, __u32 kind, int flags) = (void *) 167; - -/* - * bpf_sys_close - * - * Execute close syscall for given FD. - * - * Returns - * A syscall result. - */ -static long (*bpf_sys_close)(__u32 fd) = (void *) 168; - -/* - * bpf_timer_init - * - * Initialize the timer. - * First 4 bits of *flags* specify clockid. - * Only CLOCK_MONOTONIC, CLOCK_REALTIME, CLOCK_BOOTTIME are allowed. - * All other bits of *flags* are reserved. - * The verifier will reject the program if *timer* is not from - * the same *map*. - * - * Returns - * 0 on success. - * **-EBUSY** if *timer* is already initialized. - * **-EINVAL** if invalid *flags* are passed. - * **-EPERM** if *timer* is in a map that doesn't have any user references. - * The user space should either hold a file descriptor to a map with timers - * or pin such map in bpffs. When map is unpinned or file descriptor is - * closed all timers in the map will be cancelled and freed. - */ -static long (*bpf_timer_init)(struct bpf_timer *timer, void *map, __u64 flags) = (void *) 169; - -/* - * bpf_timer_set_callback - * - * Configure the timer to call *callback_fn* static function. - * - * Returns - * 0 on success. - * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier. - * **-EPERM** if *timer* is in a map that doesn't have any user references. - * The user space should either hold a file descriptor to a map with timers - * or pin such map in bpffs. When map is unpinned or file descriptor is - * closed all timers in the map will be cancelled and freed. - */ -static long (*bpf_timer_set_callback)(struct bpf_timer *timer, void *callback_fn) = (void *) 170; - -/* - * bpf_timer_start - * - * Set timer expiration N nanoseconds from the current time. The - * configured callback will be invoked in soft irq context on some cpu - * and will not repeat unless another bpf_timer_start() is made. - * In such case the next invocation can migrate to a different cpu. - * Since struct bpf_timer is a field inside map element the map - * owns the timer. The bpf_timer_set_callback() will increment refcnt - * of BPF program to make sure that callback_fn code stays valid. - * When user space reference to a map reaches zero all timers - * in a map are cancelled and corresponding program's refcnts are - * decremented. This is done to make sure that Ctrl-C of a user - * process doesn't leave any timers running. If map is pinned in - * bpffs the callback_fn can re-arm itself indefinitely. - * bpf_map_update/delete_elem() helpers and user space sys_bpf commands - * cancel and free the timer in the given map element. - * The map can contain timers that invoke callback_fn-s from different - * programs. The same callback_fn can serve different timers from - * different maps if key/value layout matches across maps. - * Every bpf_timer_set_callback() can have different callback_fn. - * - * - * Returns - * 0 on success. - * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier - * or invalid *flags* are passed. - */ -static long (*bpf_timer_start)(struct bpf_timer *timer, __u64 nsecs, __u64 flags) = (void *) 171; - -/* - * bpf_timer_cancel - * - * Cancel the timer and wait for callback_fn to finish if it was running. - * - * Returns - * 0 if the timer was not active. - * 1 if the timer was active. - * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier. - * **-EDEADLK** if callback_fn tried to call bpf_timer_cancel() on its - * own timer which would have led to a deadlock otherwise. - */ -static long (*bpf_timer_cancel)(struct bpf_timer *timer) = (void *) 172; - -/* - * bpf_get_func_ip - * - * Get address of the traced function (for tracing and kprobe programs). - * - * Returns - * Address of the traced function. - */ -static __u64 (*bpf_get_func_ip)(void *ctx) = (void *) 173; - -/* - * bpf_get_attach_cookie - * - * Get bpf_cookie value provided (optionally) during the program - * attachment. It might be different for each individual - * attachment, even if BPF program itself is the same. - * Expects BPF program context *ctx* as a first argument. - * - * Supported for the following program types: - * - kprobe/uprobe; - * - tracepoint; - * - perf_event. - * - * Returns - * Value specified by user at BPF link creation/attachment time - * or 0, if it was not specified. - */ -static __u64 (*bpf_get_attach_cookie)(void *ctx) = (void *) 174; - -/* - * bpf_task_pt_regs - * - * Get the struct pt_regs associated with **task**. - * - * Returns - * A pointer to struct pt_regs. - */ -static long (*bpf_task_pt_regs)(struct task_struct *task) = (void *) 175; - -/* - * bpf_get_branch_snapshot - * - * Get branch trace from hardware engines like Intel LBR. The - * hardware engine is stopped shortly after the helper is - * called. Therefore, the user need to filter branch entries - * based on the actual use case. To capture branch trace - * before the trigger point of the BPF program, the helper - * should be called at the beginning of the BPF program. - * - * The data is stored as struct perf_branch_entry into output - * buffer *entries*. *size* is the size of *entries* in bytes. - * *flags* is reserved for now and must be zero. - * - * - * Returns - * On success, number of bytes written to *buf*. On error, a - * negative value. - * - * **-EINVAL** if *flags* is not zero. - * - * **-ENOENT** if architecture does not support branch records. - */ -static long (*bpf_get_branch_snapshot)(void *entries, __u32 size, __u64 flags) = (void *) 176; - -/* - * bpf_trace_vprintk - * - * Behaves like **bpf_trace_printk**\ () helper, but takes an array of u64 - * to format and can handle more format args as a result. - * - * Arguments are to be used as in **bpf_seq_printf**\ () helper. - * - * Returns - * The number of bytes written to the buffer, or a negative error - * in case of failure. - */ -static long (*bpf_trace_vprintk)(const char *fmt, __u32 fmt_size, const void *data, __u32 data_len) = (void *) 177; - -/* - * bpf_skc_to_unix_sock - * - * Dynamically cast a *sk* pointer to a *unix_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct unix_sock *(*bpf_skc_to_unix_sock)(void *sk) = (void *) 178; - -/* - * bpf_kallsyms_lookup_name - * - * Get the address of a kernel symbol, returned in *res*. *res* is - * set to 0 if the symbol is not found. - * - * Returns - * On success, zero. On error, a negative value. - * - * **-EINVAL** if *flags* is not zero. - * - * **-EINVAL** if string *name* is not the same size as *name_sz*. - * - * **-ENOENT** if symbol is not found. - * - * **-EPERM** if caller does not have permission to obtain kernel address. - */ -static long (*bpf_kallsyms_lookup_name)(const char *name, int name_sz, int flags, __u64 *res) = (void *) 179; - -/* - * bpf_find_vma - * - * Find vma of *task* that contains *addr*, call *callback_fn* - * function with *task*, *vma*, and *callback_ctx*. - * The *callback_fn* should be a static function and - * the *callback_ctx* should be a pointer to the stack. - * The *flags* is used to control certain aspects of the helper. - * Currently, the *flags* must be 0. - * - * The expected callback signature is - * - * long (\*callback_fn)(struct task_struct \*task, struct vm_area_struct \*vma, void \*callback_ctx); - * - * - * Returns - * 0 on success. - * **-ENOENT** if *task->mm* is NULL, or no vma contains *addr*. - * **-EBUSY** if failed to try lock mmap_lock. - * **-EINVAL** for invalid **flags**. - */ -static long (*bpf_find_vma)(struct task_struct *task, __u64 addr, void *callback_fn, void *callback_ctx, __u64 flags) = (void *) 180; - - diff --git a/component/ebpf/bpf/bpf_helpers.h b/component/ebpf/bpf/bpf_helpers.h deleted file mode 100644 index 963b1060d9..0000000000 --- a/component/ebpf/bpf/bpf_helpers.h +++ /dev/null @@ -1,262 +0,0 @@ -/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */ -#ifndef __BPF_HELPERS__ -#define __BPF_HELPERS__ - -/* - * Note that bpf programs need to include either - * vmlinux.h (auto-generated from BTF) or linux/types.h - * in advance since bpf_helper_defs.h uses such types - * as __u64. - */ -#include "bpf_helper_defs.h" - -#define __uint(name, val) int (*name)[val] -#define __type(name, val) typeof(val) *name -#define __array(name, val) typeof(val) *name[] - -/* - * Helper macro to place programs, maps, license in - * different sections in elf_bpf file. Section names - * are interpreted by libbpf depending on the context (BPF programs, BPF maps, - * extern variables, etc). - * To allow use of SEC() with externs (e.g., for extern .maps declarations), - * make sure __attribute__((unused)) doesn't trigger compilation warning. - */ -#define SEC(name) \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wignored-attributes\"") \ - __attribute__((section(name), used)) \ - _Pragma("GCC diagnostic pop") \ - -/* Avoid 'linux/stddef.h' definition of '__always_inline'. */ -#undef __always_inline -#define __always_inline inline __attribute__((always_inline)) - -#ifndef __noinline -#define __noinline __attribute__((noinline)) -#endif -#ifndef __weak -#define __weak __attribute__((weak)) -#endif - -/* - * Use __hidden attribute to mark a non-static BPF subprogram effectively - * static for BPF verifier's verification algorithm purposes, allowing more - * extensive and permissive BPF verification process, taking into account - * subprogram's caller context. - */ -#define __hidden __attribute__((visibility("hidden"))) - -/* When utilizing vmlinux.h with BPF CO-RE, user BPF programs can't include - * any system-level headers (such as stddef.h, linux/version.h, etc), and - * commonly-used macros like NULL and KERNEL_VERSION aren't available through - * vmlinux.h. This just adds unnecessary hurdles and forces users to re-define - * them on their own. So as a convenience, provide such definitions here. - */ -#ifndef NULL -#define NULL ((void *)0) -#endif - -#ifndef KERNEL_VERSION -#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c))) -#endif - -/* - * Helper macros to manipulate data structures - */ -#ifndef offsetof -#define offsetof(TYPE, MEMBER) ((unsigned long)&((TYPE *)0)->MEMBER) -#endif -#ifndef container_of -#define container_of(ptr, type, member) \ - ({ \ - void *__mptr = (void *)(ptr); \ - ((type *)(__mptr - offsetof(type, member))); \ - }) -#endif - -/* - * Helper macro to throw a compilation error if __bpf_unreachable() gets - * built into the resulting code. This works given BPF back end does not - * implement __builtin_trap(). This is useful to assert that certain paths - * of the program code are never used and hence eliminated by the compiler. - * - * For example, consider a switch statement that covers known cases used by - * the program. __bpf_unreachable() can then reside in the default case. If - * the program gets extended such that a case is not covered in the switch - * statement, then it will throw a build error due to the default case not - * being compiled out. - */ -#ifndef __bpf_unreachable -# define __bpf_unreachable() __builtin_trap() -#endif - -/* - * Helper function to perform a tail call with a constant/immediate map slot. - */ -#if __clang_major__ >= 8 && defined(__bpf__) -static __always_inline void -bpf_tail_call_static(void *ctx, const void *map, const __u32 slot) -{ - if (!__builtin_constant_p(slot)) - __bpf_unreachable(); - - /* - * Provide a hard guarantee that LLVM won't optimize setting r2 (map - * pointer) and r3 (constant map index) from _different paths_ ending - * up at the _same_ call insn as otherwise we won't be able to use the - * jmpq/nopl retpoline-free patching by the x86-64 JIT in the kernel - * given they mismatch. See also d2e4c1e6c294 ("bpf: Constant map key - * tracking for prog array pokes") for details on verifier tracking. - * - * Note on clobber list: we need to stay in-line with BPF calling - * convention, so even if we don't end up using r0, r4, r5, we need - * to mark them as clobber so that LLVM doesn't end up using them - * before / after the call. - */ - asm volatile("r1 = %[ctx]\n\t" - "r2 = %[map]\n\t" - "r3 = %[slot]\n\t" - "call 12" - :: [ctx]"r"(ctx), [map]"r"(map), [slot]"i"(slot) - : "r0", "r1", "r2", "r3", "r4", "r5"); -} -#endif - -/* - * Helper structure used by eBPF C program - * to describe BPF map attributes to libbpf loader - */ -struct bpf_map_def { - unsigned int type; - unsigned int key_size; - unsigned int value_size; - unsigned int max_entries; - unsigned int map_flags; -}; - -enum libbpf_pin_type { - LIBBPF_PIN_NONE, - /* PIN_BY_NAME: pin maps by name (in /sys/fs/bpf by default) */ - LIBBPF_PIN_BY_NAME, -}; - -enum libbpf_tristate { - TRI_NO = 0, - TRI_YES = 1, - TRI_MODULE = 2, -}; - -#define __kconfig __attribute__((section(".kconfig"))) -#define __ksym __attribute__((section(".ksyms"))) - -#ifndef ___bpf_concat -#define ___bpf_concat(a, b) a ## b -#endif -#ifndef ___bpf_apply -#define ___bpf_apply(fn, n) ___bpf_concat(fn, n) -#endif -#ifndef ___bpf_nth -#define ___bpf_nth(_, _1, _2, _3, _4, _5, _6, _7, _8, _9, _a, _b, _c, N, ...) N -#endif -#ifndef ___bpf_narg -#define ___bpf_narg(...) \ - ___bpf_nth(_, ##__VA_ARGS__, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) -#endif - -#define ___bpf_fill0(arr, p, x) do {} while (0) -#define ___bpf_fill1(arr, p, x) arr[p] = x -#define ___bpf_fill2(arr, p, x, args...) arr[p] = x; ___bpf_fill1(arr, p + 1, args) -#define ___bpf_fill3(arr, p, x, args...) arr[p] = x; ___bpf_fill2(arr, p + 1, args) -#define ___bpf_fill4(arr, p, x, args...) arr[p] = x; ___bpf_fill3(arr, p + 1, args) -#define ___bpf_fill5(arr, p, x, args...) arr[p] = x; ___bpf_fill4(arr, p + 1, args) -#define ___bpf_fill6(arr, p, x, args...) arr[p] = x; ___bpf_fill5(arr, p + 1, args) -#define ___bpf_fill7(arr, p, x, args...) arr[p] = x; ___bpf_fill6(arr, p + 1, args) -#define ___bpf_fill8(arr, p, x, args...) arr[p] = x; ___bpf_fill7(arr, p + 1, args) -#define ___bpf_fill9(arr, p, x, args...) arr[p] = x; ___bpf_fill8(arr, p + 1, args) -#define ___bpf_fill10(arr, p, x, args...) arr[p] = x; ___bpf_fill9(arr, p + 1, args) -#define ___bpf_fill11(arr, p, x, args...) arr[p] = x; ___bpf_fill10(arr, p + 1, args) -#define ___bpf_fill12(arr, p, x, args...) arr[p] = x; ___bpf_fill11(arr, p + 1, args) -#define ___bpf_fill(arr, args...) \ - ___bpf_apply(___bpf_fill, ___bpf_narg(args))(arr, 0, args) - -/* - * BPF_SEQ_PRINTF to wrap bpf_seq_printf to-be-printed values - * in a structure. - */ -#define BPF_SEQ_PRINTF(seq, fmt, args...) \ -({ \ - static const char ___fmt[] = fmt; \ - unsigned long long ___param[___bpf_narg(args)]; \ - \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \ - ___bpf_fill(___param, args); \ - _Pragma("GCC diagnostic pop") \ - \ - bpf_seq_printf(seq, ___fmt, sizeof(___fmt), \ - ___param, sizeof(___param)); \ -}) - -/* - * BPF_SNPRINTF wraps the bpf_snprintf helper with variadic arguments instead of - * an array of u64. - */ -#define BPF_SNPRINTF(out, out_size, fmt, args...) \ -({ \ - static const char ___fmt[] = fmt; \ - unsigned long long ___param[___bpf_narg(args)]; \ - \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \ - ___bpf_fill(___param, args); \ - _Pragma("GCC diagnostic pop") \ - \ - bpf_snprintf(out, out_size, ___fmt, \ - ___param, sizeof(___param)); \ -}) - -#ifdef BPF_NO_GLOBAL_DATA -#define BPF_PRINTK_FMT_MOD -#else -#define BPF_PRINTK_FMT_MOD static const -#endif - -#define __bpf_printk(fmt, ...) \ -({ \ - BPF_PRINTK_FMT_MOD char ____fmt[] = fmt; \ - bpf_trace_printk(____fmt, sizeof(____fmt), \ - ##__VA_ARGS__); \ -}) - -/* - * __bpf_vprintk wraps the bpf_trace_vprintk helper with variadic arguments - * instead of an array of u64. - */ -#define __bpf_vprintk(fmt, args...) \ -({ \ - static const char ___fmt[] = fmt; \ - unsigned long long ___param[___bpf_narg(args)]; \ - \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \ - ___bpf_fill(___param, args); \ - _Pragma("GCC diagnostic pop") \ - \ - bpf_trace_vprintk(___fmt, sizeof(___fmt), \ - ___param, sizeof(___param)); \ -}) - -/* Use __bpf_printk when bpf_printk call has 3 or fewer fmt args - * Otherwise use __bpf_vprintk - */ -#define ___bpf_pick_printk(...) \ - ___bpf_nth(_, ##__VA_ARGS__, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, \ - __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, \ - __bpf_vprintk, __bpf_vprintk, __bpf_printk /*3*/, __bpf_printk /*2*/,\ - __bpf_printk /*1*/, __bpf_printk /*0*/) - -/* Helper macro to print out debug messages */ -#define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args) - -#endif diff --git a/component/ebpf/bpf/redir.c b/component/ebpf/bpf/redir.c deleted file mode 100644 index 6ef5ee0ce2..0000000000 --- a/component/ebpf/bpf/redir.c +++ /dev/null @@ -1,342 +0,0 @@ -#include -#include -//#include - -#include -#include -//#include -//#include -#include -#include -#include -//#include - -#include - -#include "bpf_endian.h" -#include "bpf_helpers.h" - -#define IP_CSUM_OFF (ETH_HLEN + offsetof(struct iphdr, check)) -#define IP_DST_OFF (ETH_HLEN + offsetof(struct iphdr, daddr)) -#define IP_SRC_OFF (ETH_HLEN + offsetof(struct iphdr, saddr)) -#define IP_PROTO_OFF (ETH_HLEN + offsetof(struct iphdr, protocol)) -#define TCP_CSUM_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, check)) -#define TCP_SRC_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, source)) -#define TCP_DST_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, dest)) -//#define UDP_CSUM_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, check)) -//#define UDP_SRC_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, source)) -//#define UDP_DST_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, dest)) -#define IS_PSEUDO 0x10 - -struct origin_info { - __be32 ip; - __be16 port; - __u16 pad; -}; - -struct origin_info *origin_info_unused __attribute__((unused)); - -struct redir_info { - __be32 sip; - __be32 dip; - __be16 sport; - __be16 dport; -}; - -struct redir_info *redir_info_unused __attribute__((unused)); - -struct { - __uint(type, BPF_MAP_TYPE_LRU_HASH); - __type(key, struct redir_info); - __type(value, struct origin_info); - __uint(max_entries, 65535); - __uint(pinning, LIBBPF_PIN_BY_NAME); -} pair_original_dst_map SEC(".maps"); - -struct { - __uint(type, BPF_MAP_TYPE_ARRAY); - __type(key, __u32); - __type(value, __u32); - __uint(max_entries, 3); - __uint(pinning, LIBBPF_PIN_BY_NAME); -} redir_params_map SEC(".maps"); - -static __always_inline int rewrite_ip(struct __sk_buff *skb, __be32 new_ip, bool is_dest) { - int ret, off = 0, flags = IS_PSEUDO; - __be32 old_ip; - - if (is_dest) - ret = bpf_skb_load_bytes(skb, IP_DST_OFF, &old_ip, 4); - else - ret = bpf_skb_load_bytes(skb, IP_SRC_OFF, &old_ip, 4); - - if (ret < 0) { - return ret; - } - - off = TCP_CSUM_OFF; -// __u8 proto; -// -// ret = bpf_skb_load_bytes(skb, IP_PROTO_OFF, &proto, 1); -// if (ret < 0) { -// return BPF_DROP; -// } -// -// switch (proto) { -// case IPPROTO_TCP: -// off = TCP_CSUM_OFF; -// break; -// -// case IPPROTO_UDP: -// off = UDP_CSUM_OFF; -// flags |= BPF_F_MARK_MANGLED_0; -// break; -// -// case IPPROTO_ICMPV6: -// off = offsetof(struct icmp6hdr, icmp6_cksum); -// break; -// } -// -// if (off) { - ret = bpf_l4_csum_replace(skb, off, old_ip, new_ip, flags | sizeof(new_ip)); - if (ret < 0) { - return ret; - } -// } - - ret = bpf_l3_csum_replace(skb, IP_CSUM_OFF, old_ip, new_ip, sizeof(new_ip)); - if (ret < 0) { - return ret; - } - - if (is_dest) - ret = bpf_skb_store_bytes(skb, IP_DST_OFF, &new_ip, sizeof(new_ip), 0); - else - ret = bpf_skb_store_bytes(skb, IP_SRC_OFF, &new_ip, sizeof(new_ip), 0); - - if (ret < 0) { - return ret; - } - - return 1; -} - -static __always_inline int rewrite_port(struct __sk_buff *skb, __be16 new_port, bool is_dest) { - int ret, off = 0; - __be16 old_port; - - if (is_dest) - ret = bpf_skb_load_bytes(skb, TCP_DST_OFF, &old_port, 2); - else - ret = bpf_skb_load_bytes(skb, TCP_SRC_OFF, &old_port, 2); - - if (ret < 0) { - return ret; - } - - off = TCP_CSUM_OFF; - - ret = bpf_l4_csum_replace(skb, off, old_port, new_port, sizeof(new_port)); - if (ret < 0) { - return ret; - } - - if (is_dest) - ret = bpf_skb_store_bytes(skb, TCP_DST_OFF, &new_port, sizeof(new_port), 0); - else - ret = bpf_skb_store_bytes(skb, TCP_SRC_OFF, &new_port, sizeof(new_port), 0); - - if (ret < 0) { - return ret; - } - - return 1; -} - -static __always_inline bool is_lan_ip(__be32 addr) { - if (addr == 0xffffffff) - return true; - - __u8 fist = (__u8)(addr & 0xff); - - if (fist == 127 || fist == 10) - return true; - - __u8 second = (__u8)((addr >> 8) & 0xff); - - if (fist == 172 && second >= 16 && second <= 31) - return true; - - if (fist == 192 && second == 168) - return true; - - return false; -} - -SEC("tc_mihomo_auto_redir_ingress") -int tc_redir_ingress_func(struct __sk_buff *skb) { - void *data = (void *)(long)skb->data; - void *data_end = (void *)(long)skb->data_end; - struct ethhdr *eth = data; - - if ((void *)(eth + 1) > data_end) - return TC_ACT_OK; - - if (eth->h_proto != bpf_htons(ETH_P_IP)) - return TC_ACT_OK; - - struct iphdr *iph = (struct iphdr *)(eth + 1); - if ((void *)(iph + 1) > data_end) - return TC_ACT_OK; - - __u32 key = 0, *route_index, *redir_ip, *redir_port; - - route_index = bpf_map_lookup_elem(&redir_params_map, &key); - if (!route_index) - return TC_ACT_OK; - - if (iph->protocol == IPPROTO_ICMP && *route_index != 0) - return bpf_redirect(*route_index, 0); - - if (iph->protocol != IPPROTO_TCP) - return TC_ACT_OK; - - struct tcphdr *tcph = (struct tcphdr *)(iph + 1); - if ((void *)(tcph + 1) > data_end) - return TC_ACT_SHOT; - - key = 1; - redir_ip = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_ip) - return TC_ACT_OK; - - key = 2; - redir_port = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_port) - return TC_ACT_OK; - - __be32 new_ip = bpf_htonl(*redir_ip); - __be16 new_port = bpf_htonl(*redir_port) >> 16; - __be32 old_ip = iph->daddr; - __be16 old_port = tcph->dest; - - if (old_ip == new_ip || is_lan_ip(old_ip) || bpf_ntohs(old_port) == 53) { - return TC_ACT_OK; - } - - struct redir_info p_key = { - .sip = iph->saddr, - .sport = tcph->source, - .dip = new_ip, - .dport = new_port, - }; - - if (tcph->syn && !tcph->ack) { - struct origin_info origin = { - .ip = old_ip, - .port = old_port, - }; - - bpf_map_update_elem(&pair_original_dst_map, &p_key, &origin, BPF_NOEXIST); - - if (rewrite_ip(skb, new_ip, true) < 0) { - return TC_ACT_SHOT; - } - - if (rewrite_port(skb, new_port, true) < 0) { - return TC_ACT_SHOT; - } - } else { - struct origin_info *origin = bpf_map_lookup_elem(&pair_original_dst_map, &p_key); - if (!origin) { - return TC_ACT_OK; - } - - if (rewrite_ip(skb, new_ip, true) < 0) { - return TC_ACT_SHOT; - } - - if (rewrite_port(skb, new_port, true) < 0) { - return TC_ACT_SHOT; - } - } - - return TC_ACT_OK; -} - -SEC("tc_mihomo_auto_redir_egress") -int tc_redir_egress_func(struct __sk_buff *skb) { - void *data = (void *)(long)skb->data; - void *data_end = (void *)(long)skb->data_end; - struct ethhdr *eth = data; - - if ((void *)(eth + 1) > data_end) - return TC_ACT_OK; - - if (eth->h_proto != bpf_htons(ETH_P_IP)) - return TC_ACT_OK; - - __u32 key = 0, *redir_ip, *redir_port; // *mihomo_mark - -// mihomo_mark = bpf_map_lookup_elem(&redir_params_map, &key); -// if (mihomo_mark && *mihomo_mark != 0 && *mihomo_mark == skb->mark) -// return TC_ACT_OK; - - struct iphdr *iph = (struct iphdr *)(eth + 1); - if ((void *)(iph + 1) > data_end) - return TC_ACT_OK; - - if (iph->protocol != IPPROTO_TCP) - return TC_ACT_OK; - - struct tcphdr *tcph = (struct tcphdr *)(iph + 1); - if ((void *)(tcph + 1) > data_end) - return TC_ACT_SHOT; - - key = 1; - redir_ip = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_ip) - return TC_ACT_OK; - - key = 2; - redir_port = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_port) - return TC_ACT_OK; - - __be32 new_ip = bpf_htonl(*redir_ip); - __be16 new_port = bpf_htonl(*redir_port) >> 16; - __be32 old_ip = iph->saddr; - __be16 old_port = tcph->source; - - if (old_ip != new_ip || old_port != new_port) { - return TC_ACT_OK; - } - - struct redir_info p_key = { - .sip = iph->daddr, - .sport = tcph->dest, - .dip = iph->saddr, - .dport = tcph->source, - }; - - struct origin_info *origin = bpf_map_lookup_elem(&pair_original_dst_map, &p_key); - if (!origin) { - return TC_ACT_OK; - } - - if (tcph->fin && tcph->ack) { - bpf_map_delete_elem(&pair_original_dst_map, &p_key); - } - - if (rewrite_ip(skb, origin->ip, false) < 0) { - return TC_ACT_SHOT; - } - - if (rewrite_port(skb, origin->port, false) < 0) { - return TC_ACT_SHOT; - } - - return TC_ACT_OK; -} - -char _license[] SEC("license") = "GPL"; diff --git a/component/ebpf/bpf/tc.c b/component/ebpf/bpf/tc.c deleted file mode 100644 index 3513bf040f..0000000000 --- a/component/ebpf/bpf/tc.c +++ /dev/null @@ -1,103 +0,0 @@ -#include -#include -#include -#include -#include -//#include -//#include -#include - -#include "bpf_endian.h" -#include "bpf_helpers.h" - -struct { - __uint(type, BPF_MAP_TYPE_ARRAY); - __type(key, __u32); - __type(value, __u32); - __uint(max_entries, 2); - __uint(pinning, LIBBPF_PIN_BY_NAME); -} tc_params_map SEC(".maps"); - -static __always_inline bool is_lan_ip(__be32 addr) { - if (addr == 0xffffffff) - return true; - - __u8 fist = (__u8)(addr & 0xff); - - if (fist == 127 || fist == 10) - return true; - - __u8 second = (__u8)((addr >> 8) & 0xff); - - if (fist == 172 && second >= 16 && second <= 31) - return true; - - if (fist == 192 && second == 168) - return true; - - return false; -} - -SEC("tc_mihomo_redirect_to_tun") -int tc_tun_func(struct __sk_buff *skb) { - void *data = (void *)(long)skb->data; - void *data_end = (void *)(long)skb->data_end; - struct ethhdr *eth = data; - - if ((void *)(eth + 1) > data_end) - return TC_ACT_OK; - - if (eth->h_proto == bpf_htons(ETH_P_ARP)) - return TC_ACT_OK; - - __u32 key = 0, *mihomo_mark, *tun_ifindex; - - mihomo_mark = bpf_map_lookup_elem(&tc_params_map, &key); - if (!mihomo_mark) - return TC_ACT_OK; - - if (skb->mark == *mihomo_mark) - return TC_ACT_OK; - - if (eth->h_proto == bpf_htons(ETH_P_IP)) { - struct iphdr *iph = (struct iphdr *)(eth + 1); - if ((void *)(iph + 1) > data_end) - return TC_ACT_OK; - - if (iph->protocol == IPPROTO_ICMP) - return TC_ACT_OK; - - __be32 daddr = iph->daddr; - - if (is_lan_ip(daddr)) - return TC_ACT_OK; - -// if (iph->protocol == IPPROTO_TCP) { -// struct tcphdr *tcph = (struct tcphdr *)(iph + 1); -// if ((void *)(tcph + 1) > data_end) -// return TC_ACT_OK; -// -// __u16 source = bpf_ntohs(tcph->source); -// if (source == 22 || source == 80 || source == 443 || source == 8080 || source == 8443 || source == 9090 || (source >= 7890 && source <= 7895)) -// return TC_ACT_OK; -// } else if (iph->protocol == IPPROTO_UDP) { -// struct udphdr *udph = (struct udphdr *)(iph + 1); -// if ((void *)(udph + 1) > data_end) -// return TC_ACT_OK; -// -// __u16 source = bpf_ntohs(udph->source); -// if (source == 53 || (source >= 135 && source <= 139)) -// return TC_ACT_OK; -// } - } - - key = 1; - tun_ifindex = bpf_map_lookup_elem(&tc_params_map, &key); - if (!tun_ifindex) - return TC_ACT_OK; - - //return bpf_redirect(*tun_ifindex, BPF_F_INGRESS); // __bpf_rx_skb - return bpf_redirect(*tun_ifindex, 0); // __bpf_tx_skb / __dev_xmit_skb -} - -char _license[] SEC("license") = "GPL"; diff --git a/component/ebpf/byteorder/byteorder.go b/component/ebpf/byteorder/byteorder.go deleted file mode 100644 index 63e0c611a3..0000000000 --- a/component/ebpf/byteorder/byteorder.go +++ /dev/null @@ -1,13 +0,0 @@ -package byteorder - -import ( - "net" -) - -// NetIPv4ToHost32 converts an net.IP to a uint32 in host byte order. ip -// must be a IPv4 address, otherwise the function will panic. -func NetIPv4ToHost32(ip net.IP) uint32 { - ipv4 := ip.To4() - _ = ipv4[3] // Assert length of ipv4. - return Native.Uint32(ipv4) -} diff --git a/component/ebpf/byteorder/byteorder_bigendian.go b/component/ebpf/byteorder/byteorder_bigendian.go deleted file mode 100644 index 4c5d710586..0000000000 --- a/component/ebpf/byteorder/byteorder_bigendian.go +++ /dev/null @@ -1,12 +0,0 @@ -//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 - -package byteorder - -import "encoding/binary" - -var Native binary.ByteOrder = binary.BigEndian - -func HostToNetwork16(u uint16) uint16 { return u } -func HostToNetwork32(u uint32) uint32 { return u } -func NetworkToHost16(u uint16) uint16 { return u } -func NetworkToHost32(u uint32) uint32 { return u } diff --git a/component/ebpf/byteorder/byteorder_littleendian.go b/component/ebpf/byteorder/byteorder_littleendian.go deleted file mode 100644 index d40f351732..0000000000 --- a/component/ebpf/byteorder/byteorder_littleendian.go +++ /dev/null @@ -1,15 +0,0 @@ -//go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 || loong64 - -package byteorder - -import ( - "encoding/binary" - "math/bits" -) - -var Native binary.ByteOrder = binary.LittleEndian - -func HostToNetwork16(u uint16) uint16 { return bits.ReverseBytes16(u) } -func HostToNetwork32(u uint32) uint32 { return bits.ReverseBytes32(u) } -func NetworkToHost16(u uint16) uint16 { return bits.ReverseBytes16(u) } -func NetworkToHost32(u uint32) uint32 { return bits.ReverseBytes32(u) } diff --git a/component/ebpf/ebpf.go b/component/ebpf/ebpf.go deleted file mode 100644 index b0f5a65f60..0000000000 --- a/component/ebpf/ebpf.go +++ /dev/null @@ -1,33 +0,0 @@ -package ebpf - -import ( - "net/netip" - - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/transport/socks5" -) - -type TcEBpfProgram struct { - pros []C.EBpf - rawNICs []string -} - -func (t *TcEBpfProgram) RawNICs() []string { - return t.rawNICs -} - -func (t *TcEBpfProgram) Close() { - for _, p := range t.pros { - p.Close() - } -} - -func (t *TcEBpfProgram) Lookup(srcAddrPort netip.AddrPort) (addr socks5.Addr, err error) { - for _, p := range t.pros { - addr, err = p.Lookup(srcAddrPort) - if err == nil { - return - } - } - return -} diff --git a/component/ebpf/ebpf_linux.go b/component/ebpf/ebpf_linux.go deleted file mode 100644 index 304f32fe7b..0000000000 --- a/component/ebpf/ebpf_linux.go +++ /dev/null @@ -1,137 +0,0 @@ -//go:build !android - -package ebpf - -import ( - "fmt" - "net/netip" - - "github.com/metacubex/mihomo/common/cmd" - "github.com/metacubex/mihomo/component/dialer" - "github.com/metacubex/mihomo/component/ebpf/redir" - "github.com/metacubex/mihomo/component/ebpf/tc" - C "github.com/metacubex/mihomo/constant" - "github.com/sagernet/netlink" -) - -func GetAutoDetectInterface() (string, error) { - routes, err := netlink.RouteList(nil, netlink.FAMILY_V4) - if err != nil { - return "", err - } - - for _, route := range routes { - if route.Dst == nil { - lk, err := netlink.LinkByIndex(route.LinkIndex) - if err != nil { - return "", err - } - - if lk.Type() == "tuntap" { - continue - } - - return lk.Attrs().Name, nil - } - } - - return "", fmt.Errorf("interface not found") -} - -// NewTcEBpfProgram new redirect to tun ebpf program -func NewTcEBpfProgram(ifaceNames []string, tunName string) (*TcEBpfProgram, error) { - tunIface, err := netlink.LinkByName(tunName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", tunName, err) - } - - tunIndex := uint32(tunIface.Attrs().Index) - - dialer.DefaultRoutingMark.Store(C.MihomoTrafficMark) - - ifMark := uint32(dialer.DefaultRoutingMark.Load()) - - var pros []C.EBpf - for _, ifaceName := range ifaceNames { - iface, err := netlink.LinkByName(ifaceName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", ifaceName, err) - } - if iface.Attrs().OperState != netlink.OperUp { - return nil, fmt.Errorf("network iface %q is down", ifaceName) - } - - attrs := iface.Attrs() - index := attrs.Index - - tcPro := tc.NewEBpfTc(ifaceName, index, ifMark, tunIndex) - if err = tcPro.Start(); err != nil { - return nil, err - } - - pros = append(pros, tcPro) - } - - systemSetting(ifaceNames...) - - return &TcEBpfProgram{pros: pros, rawNICs: ifaceNames}, nil -} - -// NewRedirEBpfProgram new auto redirect ebpf program -func NewRedirEBpfProgram(ifaceNames []string, redirPort uint16, defaultRouteInterfaceName string) (*TcEBpfProgram, error) { - defaultRouteInterface, err := netlink.LinkByName(defaultRouteInterfaceName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", defaultRouteInterfaceName, err) - } - - defaultRouteIndex := uint32(defaultRouteInterface.Attrs().Index) - - var pros []C.EBpf - for _, ifaceName := range ifaceNames { - iface, err := netlink.LinkByName(ifaceName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", ifaceName, err) - } - - attrs := iface.Attrs() - index := attrs.Index - - addrs, err := netlink.AddrList(iface, netlink.FAMILY_V4) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q address: %w", ifaceName, err) - } - - if len(addrs) == 0 { - return nil, fmt.Errorf("network iface %q does not contain any ipv4 addresses", ifaceName) - } - - address, _ := netip.AddrFromSlice(addrs[0].IP) - redirAddrPort := netip.AddrPortFrom(address, redirPort) - - redirPro := redir.NewEBpfRedirect(ifaceName, index, 0, defaultRouteIndex, redirAddrPort) - if err = redirPro.Start(); err != nil { - return nil, err - } - - pros = append(pros, redirPro) - } - - systemSetting(ifaceNames...) - - return &TcEBpfProgram{pros: pros, rawNICs: ifaceNames}, nil -} - -func systemSetting(ifaceNames ...string) { - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.ip_forward=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.forwarding=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.accept_local=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.accept_redirects=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.rp_filter=0") - - for _, ifaceName := range ifaceNames { - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.forwarding=1", ifaceName)) - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.accept_local=1", ifaceName)) - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.accept_redirects=1", ifaceName)) - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.rp_filter=0", ifaceName)) - } -} diff --git a/component/ebpf/ebpf_others.go b/component/ebpf/ebpf_others.go deleted file mode 100644 index 44cf1c3aea..0000000000 --- a/component/ebpf/ebpf_others.go +++ /dev/null @@ -1,21 +0,0 @@ -//go:build !linux || android - -package ebpf - -import ( - "fmt" -) - -// NewTcEBpfProgram new ebpf tc program -func NewTcEBpfProgram(_ []string, _ string) (*TcEBpfProgram, error) { - return nil, fmt.Errorf("system not supported") -} - -// NewRedirEBpfProgram new ebpf redirect program -func NewRedirEBpfProgram(_ []string, _ uint16, _ string) (*TcEBpfProgram, error) { - return nil, fmt.Errorf("system not supported") -} - -func GetAutoDetectInterface() (string, error) { - return "", fmt.Errorf("system not supported") -} diff --git a/component/ebpf/redir/auto_redirect.go b/component/ebpf/redir/auto_redirect.go deleted file mode 100644 index 57c9961630..0000000000 --- a/component/ebpf/redir/auto_redirect.go +++ /dev/null @@ -1,216 +0,0 @@ -//go:build linux - -package redir - -import ( - "encoding/binary" - "fmt" - "io" - "net" - "net/netip" - "os" - "path/filepath" - - "github.com/cilium/ebpf" - "github.com/cilium/ebpf/rlimit" - "github.com/sagernet/netlink" - "golang.org/x/sys/unix" - - "github.com/metacubex/mihomo/component/ebpf/byteorder" - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/transport/socks5" -) - -//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../bpf/redir.c - -const ( - mapKey1 uint32 = 0 - mapKey2 uint32 = 1 - mapKey3 uint32 = 2 -) - -type EBpfRedirect struct { - objs io.Closer - originMap *ebpf.Map - qdisc netlink.Qdisc - filter netlink.Filter - filterEgress netlink.Filter - - ifName string - ifIndex int - ifMark uint32 - rtIndex uint32 - redirIp uint32 - redirPort uint16 - - bpfPath string -} - -func NewEBpfRedirect(ifName string, ifIndex int, ifMark uint32, routeIndex uint32, redirAddrPort netip.AddrPort) *EBpfRedirect { - return &EBpfRedirect{ - ifName: ifName, - ifIndex: ifIndex, - ifMark: ifMark, - rtIndex: routeIndex, - redirIp: binary.BigEndian.Uint32(redirAddrPort.Addr().AsSlice()), - redirPort: redirAddrPort.Port(), - } -} - -func (e *EBpfRedirect) Start() error { - if err := rlimit.RemoveMemlock(); err != nil { - return fmt.Errorf("remove memory lock: %w", err) - } - - e.bpfPath = filepath.Join(C.BpfFSPath, e.ifName) - if err := os.MkdirAll(e.bpfPath, os.ModePerm); err != nil { - return fmt.Errorf("failed to create bpf fs subpath: %w", err) - } - - var objs bpfObjects - if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{ - Maps: ebpf.MapOptions{ - PinPath: e.bpfPath, - }, - }); err != nil { - e.Close() - return fmt.Errorf("loading objects: %w", err) - } - - e.objs = &objs - e.originMap = objs.bpfMaps.PairOriginalDstMap - - if err := objs.bpfMaps.RedirParamsMap.Update(mapKey1, e.rtIndex, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - if err := objs.bpfMaps.RedirParamsMap.Update(mapKey2, e.redirIp, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - if err := objs.bpfMaps.RedirParamsMap.Update(mapKey3, uint32(e.redirPort), ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - attrs := netlink.QdiscAttrs{ - LinkIndex: e.ifIndex, - Handle: netlink.MakeHandle(0xffff, 0), - Parent: netlink.HANDLE_CLSACT, - } - - qdisc := &netlink.GenericQdisc{ - QdiscAttrs: attrs, - QdiscType: "clsact", - } - - e.qdisc = qdisc - - if err := netlink.QdiscAdd(qdisc); err != nil { - if os.IsExist(err) { - _ = netlink.QdiscDel(qdisc) - err = netlink.QdiscAdd(qdisc) - } - - if err != nil { - e.Close() - return fmt.Errorf("cannot add clsact qdisc: %w", err) - } - } - - filterAttrs := netlink.FilterAttrs{ - LinkIndex: e.ifIndex, - Parent: netlink.HANDLE_MIN_INGRESS, - Handle: netlink.MakeHandle(0, 1), - Protocol: unix.ETH_P_IP, - Priority: 0, - } - - filter := &netlink.BpfFilter{ - FilterAttrs: filterAttrs, - Fd: objs.bpfPrograms.TcRedirIngressFunc.FD(), - Name: "mihomo-redir-ingress-" + e.ifName, - DirectAction: true, - } - - if err := netlink.FilterAdd(filter); err != nil { - e.Close() - return fmt.Errorf("cannot attach ebpf object to filter ingress: %w", err) - } - - e.filter = filter - - filterAttrsEgress := netlink.FilterAttrs{ - LinkIndex: e.ifIndex, - Parent: netlink.HANDLE_MIN_EGRESS, - Handle: netlink.MakeHandle(0, 1), - Protocol: unix.ETH_P_IP, - Priority: 0, - } - - filterEgress := &netlink.BpfFilter{ - FilterAttrs: filterAttrsEgress, - Fd: objs.bpfPrograms.TcRedirEgressFunc.FD(), - Name: "mihomo-redir-egress-" + e.ifName, - DirectAction: true, - } - - if err := netlink.FilterAdd(filterEgress); err != nil { - e.Close() - return fmt.Errorf("cannot attach ebpf object to filter egress: %w", err) - } - - e.filterEgress = filterEgress - - return nil -} - -func (e *EBpfRedirect) Close() { - if e.filter != nil { - _ = netlink.FilterDel(e.filter) - } - if e.filterEgress != nil { - _ = netlink.FilterDel(e.filterEgress) - } - if e.qdisc != nil { - _ = netlink.QdiscDel(e.qdisc) - } - if e.objs != nil { - _ = e.objs.Close() - } - _ = os.Remove(filepath.Join(e.bpfPath, "redir_params_map")) - _ = os.Remove(filepath.Join(e.bpfPath, "pair_original_dst_map")) -} - -func (e *EBpfRedirect) Lookup(srcAddrPort netip.AddrPort) (socks5.Addr, error) { - rAddr := srcAddrPort.Addr().Unmap() - if rAddr.Is6() { - return nil, fmt.Errorf("remote address is ipv6") - } - - srcIp := binary.BigEndian.Uint32(rAddr.AsSlice()) - scrPort := srcAddrPort.Port() - - key := bpfRedirInfo{ - Sip: byteorder.HostToNetwork32(srcIp), - Sport: byteorder.HostToNetwork16(scrPort), - Dip: byteorder.HostToNetwork32(e.redirIp), - Dport: byteorder.HostToNetwork16(e.redirPort), - } - - origin := bpfOriginInfo{} - - err := e.originMap.Lookup(key, &origin) - if err != nil { - return nil, err - } - - addr := make([]byte, net.IPv4len+3) - addr[0] = socks5.AtypIPv4 - - binary.BigEndian.PutUint32(addr[1:1+net.IPv4len], byteorder.NetworkToHost32(origin.Ip)) // big end - binary.BigEndian.PutUint16(addr[1+net.IPv4len:3+net.IPv4len], byteorder.NetworkToHost16(origin.Port)) // big end - return addr, nil -} diff --git a/component/ebpf/redir/bpf_bpfeb.go b/component/ebpf/redir/bpf_bpfeb.go deleted file mode 100644 index 57a526e850..0000000000 --- a/component/ebpf/redir/bpf_bpfeb.go +++ /dev/null @@ -1,139 +0,0 @@ -// Code generated by bpf2go; DO NOT EDIT. -//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 -// +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64 - -package redir - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -type bpfOriginInfo struct { - Ip uint32 - Port uint16 - Pad uint16 -} - -type bpfRedirInfo struct { - Sip uint32 - Dip uint32 - Sport uint16 - Dport uint16 -} - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcRedirEgressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_egress_func"` - TcRedirIngressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_ingress_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - PairOriginalDstMap *ebpf.MapSpec `ebpf:"pair_original_dst_map"` - RedirParamsMap *ebpf.MapSpec `ebpf:"redir_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - PairOriginalDstMap *ebpf.Map `ebpf:"pair_original_dst_map"` - RedirParamsMap *ebpf.Map `ebpf:"redir_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.PairOriginalDstMap, - m.RedirParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcRedirEgressFunc *ebpf.Program `ebpf:"tc_redir_egress_func"` - TcRedirIngressFunc *ebpf.Program `ebpf:"tc_redir_ingress_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcRedirEgressFunc, - p.TcRedirIngressFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfeb.o -var _BpfBytes []byte diff --git a/component/ebpf/redir/bpf_bpfeb.o b/component/ebpf/redir/bpf_bpfeb.o deleted file mode 100644 index ed511691940a8ecc39bcf82283fd234bad18af19..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15608 zcmb_i4QyP;ao+nQDalTmM2cz0KTozQlMYFflq}PUrJjFeOMzouY^i1nr^nOrNFI3P zop?t}veo8VG>O{O01G>)3M46Q7YG9w0gDEeP!u2=6o?800Z|yK>IMN(1dY%*C|lU5 z;HbEM-|pF;VTxU<=JUs z=jSbLawklNRPGPVV=R}u`81|Iu*FCE?ld=(Ix%dnw`I4vj^#war|CFyhb_&qz}x_6 zmM0x{w3hcs}G3ls_Nv8QQ&JdEVjWEw22!D~#yHr61e-CK|tD zmG~cfzy2>*oZ--)O5?vH_Tul?UTDWOF4In~%iLDMhcG=4_h6&Qo~Hb^st z^&e}j5ijrL)0n3MKGz$*en-&wi7}n8w$__yJ;!xxME=LXUuuP`zL<+^}HqG*FkING@o`HH;kXmueh?m zOX3%Q5Ao}u{i4M0^i8rK1>_nXKW{IL-wwBno*@2l`sL>V#)0eE zU>xl@O!@WOx?Zn(dDY&pGjD7>^}IR#S=YYI?~UfoN9ZT~-NRDF;i|G1`lZ(k=T)5s zBxU8K_x(eB?D>p#c2h*Pv-V-NbIdgCJ}m9BUv`Eq=bU5b#lPGq zy5(LmEcc25YoOzZoD0~uC+xlAoHN`$Z_C?#JAHp<^5npdy$^Uk?jxgMw+W6f_fRUl z*KF_GX`Uwjz~?!QAnmA_Cs>NT_kEr(V|=Z?D|oN5`%Ugn$MEN$@81`P%)_iH-Y4}R zb>&HCr!$oMxcM#C`1?WrWjQ}zlJm36ox?Z}-TC>FJ3rs+z82nVT=R^>Aj#s5ZaklI z{+vD5iK$}D+4pESk^8DMm|xuZJYD{TtC#!SO>zz-!*c-hr0zuQGi!Gtdyd{rMtBak z+8J85QQzPkZR*?m>?ZnMO5gjlwQF;K?0r_P*Q@92)@`#{KlT3L`xow$PCfp0SDNBU zlO#E{$^AsNbGyXT?`Jn*5i$iokaD_iY~=iTs`T|anI%R(Gmv*C;Q#iGNlK^?! zUl=5Npc(sK5|iybi85fFeOV#l#5i^oPkA}e0kXHjTjGuOf`cs%^lh8S*;%}SZOamW zw$bheGS(y<;X3X{?nRbn?3yP(jeHL>={oXfkm=S6@}tO@>sIB6Jrs={bIXvne*-cb zwQc=B9jh~e=c+yQlwSZ%-$<{3X8%a9f!^h4x)AFVIsm<2=rrhqLXU!e95mivV|C=uJAOO>{o6vP zLFa@X1wAfw9W=)r?Zy{Cb9s|q0sZ?zuYvw!N7MD#3wYdykqAJ4OXvmAi=d&KB>#It zr$H|ZJ&KYkfJ`0ye=>&ep2-!^tDvEqLJ|8{p#zjmh(#(5{=b8!OdVx(9)M@(GL<*t zW7w=^1`~5G_6w9d$zzJUVhH@VWd7a(`d1W2A}dV-#zjBQDe{}-F^T>j(zrlU2CO*O z7|zM~4lFS8b|Y_4-|;P}@5Y{XzqHA{%(}v8OX61^_5*p_12RWH1q{(`pB2oxP5ec{ zoLj_YYzpG0;ap;({eDYXdRr|bWADMJgHOi33psk*vyg#3n|h_BKY!RR0Q7uF7iVfF zn|u2EO>K!hRobdwKy?T7z-#?J6$Q5slsXVOs+InFw?nH z*}_b1wpgf|N^xeUI5S~p3uDFEY$Z3Fo33W3a}{9}XU5B>TCA8c_T-N)9c#%3LWsR;}6gvf1iX_W0cRxG5E8 zOl7K;wO&u>W~a=Fxx!q5Qt)=dRA$Sya=u(L&y;dA*~)C8iq1Gt%NIQtGLS5yo!V&w zHHcNS#qr|ISmBiMWi1c)$jBczley}o0V7|^Rjb7@GnT96>;thHGc&nLF$?Z^Zn{`H zjp$65YlUpFve%T#d31wR$lMn)_j#u6y%Tj&g!Sxn0Zr7ZwHz)NCyTR%EW18YEoZBR ziK-)t&lb#hseCev;j1#v`}Q{DTq@5@1bmq46#kCWeK(N4!{c)^dEcqYY;LYrZWS>7 zclY<-eY`S$x7F*{FYF2h+NuK&8ZZ}gYM97p*9(ODj4hu4g}tCkD(b#p|bD5BxVTa zLa=jxfNo|dYvq}0_rarwvYG7ROixodG+C@{V$v?G0ONp;4fF;fuQ zLXyMmJdOxLm0n;fXG`Vs)LbQ7C>5r=ckAWX8|+3yJf-I5^ z4-Tvp>n2KPr#E;o^GNpbBL_zgKY28=f-v8M`>_C|H-v66miA`z)wyYGjFnO@U+Bg* z)f<$@$MLXJp;tz)HyAJFCaS@ipo(3&Jl^dFwMW{B7~Hdg!NZyCLr)(2T=vK#kG#|H zyBWNuhnz0XM@L1B*_kB%Z4&&u!sz>$w`@$;jCsT|M}Ma?#R!KdNWmSvo1R0izV+0J z=v@2IVWX{EAhtNa1s;7UbIo;aXZ}0ZDhxE&D#xE8ck{7R#EP^oiROMW zxGz+d`NktC+%KHT0|&4|oeqa7xm3R8!mG{nZ|Iwy|)G2vQ$sv+Q#dZEJk~i>^s2Ibv#$97J8y9nGVesoCbr_szZ*} z%1`EIO}13b7iOx3=sh(%H#1i)jN#J8+c0mgp3{H4S~dMRx2wkMv5U>C8Bw*I=exfD zrV_}teHTjPtuvB+0j@wbf_aREL zoumF0!Oxr6tAp;NJLq940Qhy2h$#heH3Hr&5!`|QIh{E-z{A<)dtLmkHp}zDd z#7+O>+o|95Kfayqd;foG;=Sm93X0Z$V)&ox4%?3pKtDAQ!O%~M{~dh@6~3LMPPzJy zubRXgl%IFl`;%Hwcr~Hsv`!n5Q;=Vf~uI>#evw2=(pww0r-0j2$2TH%2%f zJ(yR+5sdL^A8qP$eA=7-#|Pkld)?I=N$qD9UTNwdrT%4Aul((Z_(yqr);!>h)6b3{ znIv3po+Dqw5{RB7-#5v<#DQxk{+3BT3_tn(nED}>e&Sq7X1K49xO$5zKPvc;NuJ`l zBIA@GW_{h&gG~Mr_2(m)^$QMTUr)ZsZ{14~%=#6<^Cr1Kyy`G0mo7>DH%;=dI@)Dn|ubEWuPGIT3krZEW@_wI>i~oL~_ve(~=lwZlG1gIB{Pp|1KZh)4 z`|Dy~_L2CN2!?(_{G~ki5r0lu41LT?+duDbVnpG(*n>Xzk;GY5f6igtOHvt3wuJO| zTboJUe+Tf2lK1|~J`$c&vd<^s2;LvlADFQzDe?CB+9ghP z{OJ_KCw9;0`td22itq!^#T?}C+hQk`j_{vu^4l&%_>VRDso@BJZmS+ba=1zqN}$?Q0SK_9nk0-Q-(g_D!YO7#PA&AkIF;N=-i3gHN&hoBYJQ=ORA4 zBK(C2AMX#|KF2Lg|A381jY|jHso_VG_E5?Z-6(!H!Y5{8`7f}e`juP({{_f*po}I? z#P5QSIoFaX_l*eO>-my#;rjqLUKS&GMDb!P=6bZhQ;K|w@*Eez=2ELX_vaRSYrqlt zxVFbQ@f=})kW!q3UC16Y=Je0wI%wMS_#9}SV}irqoIU0kbA5Qs_UOCEqY76Pt}8sR z@Pfii3a==e^>#f*^IpVKf-%%VW`2mH~3TG4^Rk)&XUEz6!7ZhGnctzn=h1V2b zZ^d!I=y>t`Yr%oS0}7`V&L}*pa7E#|!t)9*D7>Wbio&Z3uPMCVitV-%8Sg}=st*(% zP&ln{M&VI~D+<>Yo>zE5;U$Gv6kb($P2u%cY?o=I|H)2OA1FMaa9ZJv!lMdT6s{{g zukeDxOA4r^;UctGK_!Wo4}6|N{;S9o4wo|lpH#on8u_@b)kc^R$0tnigq+}@!u z&&G&8-+No|u)>EF9#MEw;Zq8qRrs93iwa**_@cs>6uzwRl~&x*p>UVN-3kvYd`RID zg(nq0rSMsW&ndj9@CAi0Dtt-d%L-p<#alWQ?ozm0;bDajDLkU^q{62ZKCAFKg%=gR zpzuY7FDZOk;VZ3pYlp&J3U@0!tneX)M--k^_>{tD6+Wl%qQ^JicFV1S>8}+|)lC0v zq16B2(MS3{kbi60_&-1(yivXUG8g&bW5eG9<+qZ^e-8DRO3zGZ`MWay1*!Qn%R7Hl ziTqaOe`X1PH`M>Y;tk?4aO1 z`-E>x@CEO=NBC0i*(3IbSPo`~q#X2k5aaM+r8i(mz0Y~m_s%&gcE)q0HCp+bNjmAif`k{q*{*A4cA!{SKag zNcO$dk?!gBiS{CI*8V63kkZI(-@osAeYQV>?Aur4a6SEI@})zq@5e8KxtacgC`98; zmX{~}B(nEMx4%dMB>EXmULHJaDrzqxcfII;^z#uW$*4b9fj5ia0)>&-f5s30FKv@= zpMK%HT1$VNgniyh+elk4xH5c3+vhin&Dvjg8e8iq**@dm`&_O9gwn zs`gX$hqZrUjZ<8;XU%_A^|7B1tFNlZT(NpmFMrB*kUHu5c?bPP$a=ZEj{l35Ye#38 zW}ByEwSMbA*|LR=EH&m?$}QLG+hRYs_SOc>S6B}@-@YyOy=z>V8vp&Zm%w%M=%H5s zch?r@jLDwa4k^gpW0P8asxfQO zZfS*mdcMi+Q|>FMH|ZDNcY1<$SJ7^I&YgpWmz_TDN3I;(JWU*QJnoZ338!OKr_Ydbc)W03f`C~ct-gy4#wXpAG{-(bvehH2B z{CR!h{I!_@+rHUM+xdU-jY});m!I#)j@x$W7i7N$`-JoN(f7$Gt(~biWgdg|(Bq_k z2{PAp4}vuCntZT%Tq$VCQlAn{FM({rL_0;e394 z`^L?u-Z#_VcKvgIue@(~o6_E0Zoeq|LVe+W*5^g`RmCd9N0Lqv!H=)axcj-;+30r^sj67ewBF`6%@_ccRQ*^X( z%spRx#qkfBGoN#WegxZF|Wo^Px7VW7wQ z$uBv%>+aKPd+s9G=kMd7z4enp`zFZI&)WNRReRj?ZRjVh|8m!sS#6x!Px$dw{U!S4 ze)P|`*^{&e>%7WyO4!df$m#oa6lD?OUr9RA;tsyQSHt%DzM&odzR`Nl4TE^P4&#+lA=Mc;ZoR;)r;JxA_Xv&meLeFCu;p(e89KI*dHRdak(F zfo$v+mby@9Uto6(F2oEWVosXaejITlB0~X@`3SLu$S0aO;Grfd}(84+Uvdx+n zp6J&k--c9NY6It-zElF;K846L zSwZ>*DUUGuzbN@Q@_fH%zeC86NWOx6LGrW6pOpL}^1mwiCFH*%dCvS-k>~k{kpG6{ zXOW*1nFt%}JCcthPrqXOMV=u-tRVl_DBp(sBJ!6+h8zDMB_HuXAZ$mBBmd7*UXgMX z+kHUYR9!2sFJ~PCnm2RL!JU|`wxs$Iqrd$L$`M-b!N<>BzJc;_Lc4>wSl@yAea>+-fO+PbFxWBfM26#Fe8kDEzYlo| z{em#}Hu-sB?t5|p3^S~2=ms-zTs=1D^5sCrJxv-zo7@|b%fA2_=(Bq0yBKKC8P^}( zrkM%yCYvvtWb%=xpMKWF}vp%w|fan9b+2`B5{O8O}~7i>b-fL@7CuDoQ~%KTgyNx?$3{mwn>1+GlBuf`!TKXf~g;D$v?CE2f4`F@>I7Wh$2(E|qP6$z*9f zd2DKA#N;x0QyecRt<@8$$#HXhDl?U#6s#RJ#mPdskS^rRiCik5EKX)h7>t8*I_paz z1IaAkCqC_Qf9Q|GT9e0W+YcQnZ)vyIL~|c)aE%?$d5++Fr{()9i#bfA^m_yrt)b& zsIg>fs$8fSFg^G8^xS`}IC8&j*OTV9idIz9Q7TVPrOQ!up`xAWvNL+oL z=Zw?Ek|^3Ab-3cr4jS1B@$Lg&x>RWUU8?P z8cLzE`@k4>2=+p>b$^6mCdbN!e5vE$k%43)c_`6Y6RxVv7FSVe4_1VAz`%ODqMeh4 zDQ*GoACf&l* z?gRcjMEmzghZ2dW4<9+4JoMP-6VZ+xbw+XudR<%2&}61OHJP{O*xobga!37`deQ%{ z7|Pboc{#n>47s`KlTpire1sv324}NVzAIGDDgLPHsl#>PTv}Af4dXOp(EB4hy~C;D z;Yru4NaQmoy@cOVIZU0mwzg=Z3hN?GPM?mlr6k=}w%FlnJ0lcQO}<LE7lGwM(WW2w>njv;pz>N zaTo8Z_mHcvzjcB(H@Xo;jP^;g`v7m(kyNgf=?qUY z4Vuij7Mz^=HZ0Mt(qs7VWippdXY!>?_?()Y%1@Ot!+2=p(=eZ0eM!%;Qpxn--Yyy6 zjzg?HnvqI{^f;f>`9GD28HDW;%lPNQIrpzL`+jhrdv~!ipT_4O2QMX^V7^~aCSxV= z9*z7UqWR01ZBPCU#GdcQtStF2$QNVw-JARq#Ma9(`>qjkFVv7fiMOBiKZ=<|z^&jx z;Q`d&@m|b~1>6d*2)J-MDEzV_^R+jctP5*rP03UQ~xNqVSAJ5z>5?)3*NM+(ewt~3XTiUpuRQU zXcEFuYr~-M?@|BbjrP5t`o2$jOv;SZ{|EUufsl7e?|B;)Za1(djq}=+=6wbz4NHQ_btq~@IQcC z7aI+RTvuNa_T!ls?!;T~I{dTdLcpzHsIcw#p}zC=26Hjso59P0{JL`u=4!yLV7^$> zzSq#c@2v*Y67bF7xUlVizQGIx+zK8P_Vx}bJ{!odd%MAKpRqq5<`pk0UJl#e9y3=1 zZUyt7G1T`%j=u~3AmE$9y~5UhY@YsrTfu|E-S9a(u3&!){~CDRyN%|Yu(x+k@nvDZ zK1%^}eXa=m^;r&>>%;HvX}@ic^@sxI`g92U_2~_m>oXR}ufuv21LpcvguVS|6?0!! z`^WlRQ1w?7Usc?Jd9Sv|dh`a&_30P(>k|){>oXR}ufuv21Lpdi754VeD83lTuR9Vm z%c}mW;$Ez4)n3T+u6ab1v;1$trnjkjkJx*qzo~kU*n4G9lZhZkd3&!s-emuO9CE+Z z+j}L^RJ}*Yt>7W49{}HRs>z%RxD{Lx<_|H}f2pZ(?(dRqqY!*Z&OT6?yB& zFE*Jm;T^Dl%O#9gcmTZl9gJ7_H2AK!o6K3^S@5RsV*CO3fc-tg_N{0?C-rZG+m=+*HpcSeEpJYe?@pLo>R8LscgX9asG~hTh}(5cHt@TEnAvR6!2|e ze=mKF@=>#WUSa#U!CSkU%_))h^NFjewlCo~<^!f5xghNQh`*=E^dtTr@_uAFY!5$j zRoMFxBliHAexzU6w#Vef1EwEI2zz^n6rT;`t)Ex*v%>bdB++cDM)|F# zHmDA1^vhE2*{9#LdTQf>`?7)GHQs99I2`-#`Q75J_7`)mT)H)1mvYZOJ?F#>hr#b5 z=_?sL)0c%Dmw90^zpES)(>&9cGx+u$sy%&~uV?$X%)f7s<7flN!|zR>3%DIz4w&{< z0;WDbBQdZ&zZ(j_vtb|m5E)p{?}7P_#Xx5L5F&%;qQfdz6wfH0Rm{7P!RuSJRO3sE zmlQ86wnn1N>+|Q^b0qWYxmR&qaYFHs;-cb;;u*!WisuzCD!!z6N%68`Bm2dVk9Q%1 z=SXp{V!z+Kd_vU^DK09mD4tO~t9V}VqT)-6mlQ86_AbTSzd_EU=SXp{;<#eorQ!Sy zDK09mD4tO~t9V}VqT)-6mlQ86whJAs_XZ9;;7D<=;<)03;vvOF#TCUfif0wiD_&H5 zN%4~6WySuAV=<4$hQQyEBgMUn5~ z`u6_0%=4I%Kc)Dr;&Y1U6kkw$QSoKPR}^1W+=6$;a6Q`x%y-nV{h;D8#itaX zReVnIoZ<_LFDkyQ_=@7Iid*o`8rt8kxI=Nj;sM2jipLb6QhZkNImL5|x7>Z#ry|o+ z&YUWnp2vNv_z6<& zYnJQ3QwhGS@?W!5zc&UFseqP$^ z`KD|bo&iv&?*D?c_w(f2=>FNc)=634{tNtpauBpV@1t&|`I}#1{pf;x|K2YCL~*75 z*UFE+FNojrCg}co4X@O{>2@tD(w^(L7E$;AD#{w4yjDO`L9B*~oF942tCnk9-$RYO Z3RPv8x!CE@{~w3#_}gmVKhF)r{{ePC2d)4B diff --git a/component/ebpf/tc/bpf_bpfeb.go b/component/ebpf/tc/bpf_bpfeb.go deleted file mode 100644 index 623986dc8a..0000000000 --- a/component/ebpf/tc/bpf_bpfeb.go +++ /dev/null @@ -1,120 +0,0 @@ -// Code generated by bpf2go; DO NOT EDIT. -//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 -// +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64 - -package tc - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcTunFunc *ebpf.ProgramSpec `ebpf:"tc_tun_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - TcParamsMap *ebpf.MapSpec `ebpf:"tc_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - TcParamsMap *ebpf.Map `ebpf:"tc_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.TcParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcTunFunc *ebpf.Program `ebpf:"tc_tun_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcTunFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfeb.o -var _BpfBytes []byte diff --git a/component/ebpf/tc/bpf_bpfeb.o b/component/ebpf/tc/bpf_bpfeb.o deleted file mode 100644 index f0e7e608f54b58168a4598bf254cedd82c996a43..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5168 zcmb_fZ-`u16+drw(yVQ=U8}L1NbHS;IGb)}casJFZbW!mdz8U zeZL~=_xtZm7{5k{?^g}y93nc-tS9Z>$7q!C(PQ*5)4TQmX+;m9|7`ppMf@KY`v;jG z8mGe`jyFLcVLYL9Tz%%b9DRTg3gVV=J*^n+^f5m8AHTU>wM(7XPb}PiqRln4{k1MNSpT<`fWr0~pcRB=JG;8|Wm{kZTw&~vD)vxWKuD!SJuS9p?8?nTuC87HspXVHfOeI0cfRWeH} z!Yj~3_!8)v@Qa`?2;T!;7k&fu`@(O5zAXGU=uZu=LwG}Y1^P?jOQ63Jei8I{s0iKZ zf&Kv%vE>x#pM)=gz9sx3=--9!f$~0N{SDajTrs}|{yyQi!GFl`db$;OtmzR@=MmvI zz;k|Kn`ik&;Y;B8++g`4C>N~wd=K)^fXAN6Z-IXnJal-foSN_ol*AMo;jI3&t1^>vy6+(?@`FVB5Uvi;9u04*ZNdqy_Eg;0QDKbaT?MAT_jsfiRXk%0TJa> z@*_sf_WKU(7XbdqfDc*;x$ecQS1&%}K6UxCbMC@356+{Z`Tr{FtJk)e2h6lvLcvYkSSuZF&)W#4GMnr&gne-=b(GakY!4 z*IuFP9lztV7EG5ZYKKW!2^+N9@LF!v_G5T9AgKga3LR($VLM3H2xd@=-JlkVvS)#fZ*Eyz2!;9mfN>wlM^ap`gspUn13u(=328}gp`^_-%-5@$cjj-Z1G&c~Q z9SF}_%_wXqBGoK=cbh)CNaDn6M)X|J_FW$OavZv`zZ@GT_<~QhM);hIT*jQ}vuB2h zZiKC6#UF}S@LS^WlTOR6by^iWl)BsYtMFYxLPKt);&ib%y%g1^lS;9I)FdipR)~{! zr;@0_bf^<>JgL4&3S~76s_KM}9Z6w{Qs-5{h$jmi$|TfJUa%_Xh*gGWj7-_n%$Ni< zRT%j7le&6D%}%Nd$~vATcEeg|Jb9sxb$}UH=g%vQ%&jM3D=y3}Jn5FPT+5S2TQ5_E zL?Y&yDRqKpx{hVlUIE~|$+9pJ3|pbjPO<*nMi{PiBG+&D&BAe{ZMcA^)Ny#897ca^ z=wKMEP7e3Tk){F|YTRu&moXZd4V!^Mo`PtPJXuXBoV;N74~KBMT)ui`;fj0tu}_sv z46N$9OaAFo$aS^a#^AM;2E);rCgibOlQJAaEr=6#K6~mD>c$Ns6P@&@i; zr(`fmamtzYuHeUT?X&%h8U1x>FOzeF?|m76{u|`Yt^0kya8c2ygk3?nsINNAHf=7&g^Q3eO;Gcq=-$d!cZwoFx zRJM`Wo%P*#^o zK&M_YRKznT@s>c>nwm<7G=J&Rj5~Wq=qZHue<^i%$?Pxdcl>k0ealLO>V=cyEza({ zQpV0gyI&Yjq29$_?{{mm;IAslpZgOtUmKMGMHsja`T26{hO5tP5Z+czvuXIU+ALn@|?v?**#!l}u?%(R!{Bi$tVSirdy=RnD-*K@Y%$sdX a#~VQ?e?x7vr3bl<%PXjCW8=2{Py7o4L$vMy diff --git a/component/ebpf/tc/bpf_bpfel.go b/component/ebpf/tc/bpf_bpfel.go deleted file mode 100644 index 3bfa165545..0000000000 --- a/component/ebpf/tc/bpf_bpfel.go +++ /dev/null @@ -1,120 +0,0 @@ -// -//go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 || loong64 -// +build 386 amd64 amd64p32 arm arm64 mips64le mips64p32le mipsle ppc64le riscv64 loong64 - -package tc - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcTunFunc *ebpf.ProgramSpec `ebpf:"tc_tun_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - TcParamsMap *ebpf.MapSpec `ebpf:"tc_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - TcParamsMap *ebpf.Map `ebpf:"tc_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.TcParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcTunFunc *ebpf.Program `ebpf:"tc_tun_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcTunFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfel.o -var _BpfBytes []byte diff --git a/component/ebpf/tc/bpf_bpfel.o b/component/ebpf/tc/bpf_bpfel.o deleted file mode 100644 index 290ae9cad7b7873a457a1a8757c0bee298fa8840..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5168 zcmbtYZ)jXu6+bi0+QcSlH*0FPQoZX!nRJs$(tj3e%d|^&w-D*jjc!*hFE2B1GSAGP zxAWd)6RqrYK~zv_VFf|du!8hMkqY82vXFdJ{8U6iP$c3vl{FxuAIiqxx%b?em%CZ( zpF`d|zu&p%o_p@O_r3cjuguOplg(tvN{0SHJ!Y*$+lP9%pkaZA;JNWZV}Ij)M*C|; z4gA$Ptv7BO`+fu+2AsToQX5{nIcW5&Ls~CoiTZ)AjA%-u**x_lrj1+r+=Cr%*?8Tw z?}z_`ot>RAC)qEdnN6c~OgsA0?zcEP(b177wSL(6pUjTveA4-U6g?+ze@Ob9iH~L; z*W>v&KdkLz$O~!dT-k8+iBWCeka@kp?c2x?@$aIhyX^2B%^sxpYduV_K)-y1i8v*;vzBhw4;C$1PV;et`}aeC#Nc=N4H!G$cg5z~u^@h5 z4tfHYwapki6`)TG?m(Zz#Xg(3p2eki5)4;>A;Y|0HU?mpcl32!3S+zpy@X53OUr`M zMv348^qSxW=r0TIK;II)4*ea$o6tWHyaoLu!JNcT1uNiR2rdBsQt$%sZ-Mz)>;V5> z>JY+kzK>|0cKt{6O$Ja3A{fyf%Rk2;KrdESM{=fDgh)0Y4>p9r(2PC@lCz z!3E$s!3(?*Ab3Qm1N277r2jG8zG85O{R_BQZ2xZqm^Xm2+i;In4bxDdIubuOHK#)2Fc;-!-TE&?Gdob^1|+9yv?yAg*=ji9X9Em?~KS`OA|#jmvk zs{5;6&`4Tg5K|O38ewCJl9CtsEx#Unbw5Ikc-dQQS1MEs8Wb%jo(@s>Tg&uPJ7@>& zg|15!wVFw@)U44;&2M;7D~J)!&cz&)R*F>7Y9qR0paHZs??eMn;m zj=)cTkwkUO8<&1ee$El3Nee!~JIY;c$>&DE;dv-Hj!ivgu;|57p zJ*8&G)dgh(j}wPsFEmbGsA3;r#nt)q3N!PnNwX2>X6K*tirB8japSGGsX`%<^Ynx| z&MRHTwrVYdaNT5Em<)QYaOa@de_pNGTy95RPz&n0V<=m115c=9h&;G|9DiE)JB!aVw#j!3{S5fm z>~P1lF@FbF{vPRXDdwjUFMpRv!HszpeBdpjX@{Q`{tdJb|D5PriVuKSg};UN1HZ!A zCLBsj2X~JDC$x|Jj_6y$kKxoA*dkgNeh&QbUv$dapZPF2Qtt8r@Hd5D=k|XR{U*f+ zz_)~d4ek6}V%yBWay6Yud{zAL-&M#AAAtb_l3U=o_P)AA+pbW zitO^bso6dqE8Xx_u}4nW&%!>EinAr{eC9uz`s&F^u;;biew~_c0&eQ?4Z_{|vjEf4 zV)<*RISZzy+wZ10N1NbA2)A>e0xlNIi-vajg2N++cN~7p;p+~+=kQI3-*@)8hZh`Pbohe9BZqe!e#_zO4!`H{O^4ri_?E-B9Zq;Bu-N(9cbw(Q zX&)LsNckjKO(@?AYWYj^&*U}HFV@3NY`pEhw>`RYA!rnO+y zyY5`ywD5EF@A}(yw0-(55Y5j$|28fNw`z=k5JHr`o8KcmPupLnr_VSZ->rdNe~zCP z+uz#e0ru+uTx$PVU)JoKmKz|hjoas>|6iQ}-TJMZwv>;M1& diff --git a/component/ebpf/tc/redirect_to_tun.go b/component/ebpf/tc/redirect_to_tun.go deleted file mode 100644 index d7be64afdb..0000000000 --- a/component/ebpf/tc/redirect_to_tun.go +++ /dev/null @@ -1,147 +0,0 @@ -//go:build linux - -package tc - -import ( - "fmt" - "io" - "net/netip" - "os" - "path/filepath" - - "github.com/cilium/ebpf" - "github.com/cilium/ebpf/rlimit" - "github.com/sagernet/netlink" - "golang.org/x/sys/unix" - - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/transport/socks5" -) - -//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../bpf/tc.c - -const ( - mapKey1 uint32 = 0 - mapKey2 uint32 = 1 -) - -type EBpfTC struct { - objs io.Closer - qdisc netlink.Qdisc - filter netlink.Filter - - ifName string - ifIndex int - ifMark uint32 - tunIfIndex uint32 - - bpfPath string -} - -func NewEBpfTc(ifName string, ifIndex int, ifMark uint32, tunIfIndex uint32) *EBpfTC { - return &EBpfTC{ - ifName: ifName, - ifIndex: ifIndex, - ifMark: ifMark, - tunIfIndex: tunIfIndex, - } -} - -func (e *EBpfTC) Start() error { - if err := rlimit.RemoveMemlock(); err != nil { - return fmt.Errorf("remove memory lock: %w", err) - } - - e.bpfPath = filepath.Join(C.BpfFSPath, e.ifName) - if err := os.MkdirAll(e.bpfPath, os.ModePerm); err != nil { - return fmt.Errorf("failed to create bpf fs subpath: %w", err) - } - - var objs bpfObjects - if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{ - Maps: ebpf.MapOptions{ - PinPath: e.bpfPath, - }, - }); err != nil { - e.Close() - return fmt.Errorf("loading objects: %w", err) - } - - e.objs = &objs - - if err := objs.bpfMaps.TcParamsMap.Update(mapKey1, e.ifMark, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - if err := objs.bpfMaps.TcParamsMap.Update(mapKey2, e.tunIfIndex, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - attrs := netlink.QdiscAttrs{ - LinkIndex: e.ifIndex, - Handle: netlink.MakeHandle(0xffff, 0), - Parent: netlink.HANDLE_CLSACT, - } - - qdisc := &netlink.GenericQdisc{ - QdiscAttrs: attrs, - QdiscType: "clsact", - } - - e.qdisc = qdisc - - if err := netlink.QdiscAdd(qdisc); err != nil { - if os.IsExist(err) { - _ = netlink.QdiscDel(qdisc) - err = netlink.QdiscAdd(qdisc) - } - - if err != nil { - e.Close() - return fmt.Errorf("cannot add clsact qdisc: %w", err) - } - } - - filterAttrs := netlink.FilterAttrs{ - LinkIndex: e.ifIndex, - Parent: netlink.HANDLE_MIN_EGRESS, - Handle: netlink.MakeHandle(0, 1), - Protocol: unix.ETH_P_ALL, - Priority: 1, - } - - filter := &netlink.BpfFilter{ - FilterAttrs: filterAttrs, - Fd: objs.bpfPrograms.TcTunFunc.FD(), - Name: "mihomo-tc-" + e.ifName, - DirectAction: true, - } - - if err := netlink.FilterAdd(filter); err != nil { - e.Close() - return fmt.Errorf("cannot attach ebpf object to filter: %w", err) - } - - e.filter = filter - - return nil -} - -func (e *EBpfTC) Close() { - if e.filter != nil { - _ = netlink.FilterDel(e.filter) - } - if e.qdisc != nil { - _ = netlink.QdiscDel(e.qdisc) - } - if e.objs != nil { - _ = e.objs.Close() - } - _ = os.Remove(filepath.Join(e.bpfPath, "tc_params_map")) -} - -func (e *EBpfTC) Lookup(_ netip.AddrPort) (socks5.Addr, error) { - return nil, fmt.Errorf("not supported") -} diff --git a/config/config.go b/config/config.go index d4868c0293..788f227b85 100644 --- a/config/config.go +++ b/config/config.go @@ -66,7 +66,6 @@ type General struct { TCPConcurrent bool `json:"tcp-concurrent"` FindProcessMode P.FindProcessMode `json:"find-process-mode"` Sniffing bool `json:"sniffing"` - EBpf EBpf `json:"-"` GlobalClientFingerprint string `json:"global-client-fingerprint"` GlobalUA string `json:"global-ua"` } @@ -343,7 +342,6 @@ type RawConfig struct { DNS RawDNS `yaml:"dns" json:"dns"` Tun RawTun `yaml:"tun"` TuicServer RawTuicServer `yaml:"tuic-server"` - EBpf EBpf `yaml:"ebpf"` IPTables IPTables `yaml:"iptables"` Experimental Experimental `yaml:"experimental"` Profile Profile `yaml:"profile"` @@ -382,12 +380,6 @@ type RawSniffingConfig struct { OverrideDest *bool `yaml:"override-destination" json:"override-destination"` } -// EBpf config -type EBpf struct { - RedirectToTun []string `yaml:"redirect-to-tun" json:"redirect-to-tun"` - AutoRedir []string `yaml:"auto-redir" json:"auto-redir"` -} - var ( GroupsList = list.New() ProxiesList = list.New() @@ -448,10 +440,6 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { ALPN: []string{"h3"}, MaxUdpRelayPacketSize: 1500, }, - EBpf: EBpf{ - RedirectToTun: []string{}, - AutoRedir: []string{}, - }, IPTables: IPTables{ Enable: false, InboundInterface: "lo", @@ -720,7 +708,6 @@ func parseGeneral(cfg *RawConfig) (*General, error) { GeodataLoader: cfg.GeodataLoader, TCPConcurrent: cfg.TCPConcurrent, FindProcessMode: cfg.FindProcessMode, - EBpf: cfg.EBpf, GlobalClientFingerprint: cfg.GlobalClientFingerprint, GlobalUA: cfg.GlobalUA, }, nil diff --git a/constant/ebpf.go b/constant/ebpf.go deleted file mode 100644 index e3bb62fedd..0000000000 --- a/constant/ebpf.go +++ /dev/null @@ -1,20 +0,0 @@ -package constant - -import ( - "net/netip" - - "github.com/metacubex/mihomo/transport/socks5" -) - -const ( - BpfFSPath = "/sys/fs/bpf/mihomo" - - TcpAutoRedirPort = 't'<<8 | 'r'<<0 - MihomoTrafficMark = 'c'<<24 | 'l'<<16 | 't'<<8 | 'm'<<0 -) - -type EBpf interface { - Start() error - Close() - Lookup(srcAddrPort netip.AddrPort) (socks5.Addr, error) -} diff --git a/docs/config.yaml b/docs/config.yaml index 8db06b6d7d..647cf14c61 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -166,13 +166,6 @@ tun: # exclude-package: # 排除被路由的 Android 应用包名 # - com.android.captiveportallogin -#ebpf 配置 -ebpf: - auto-redir: # redirect 模式,仅支持 TCP - - eth0 - redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route - - eth0 - # 嗅探域名 可选配置 sniffer: enable: false diff --git a/go.mod b/go.mod index bc9fccba98..796e096289 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,6 @@ go 1.20 require ( github.com/3andne/restls-client-go v0.1.6 github.com/bahlo/generic-list-go v0.2.0 - github.com/cilium/ebpf v0.12.3 github.com/coreos/go-iptables v0.7.0 github.com/dlclark/regexp2 v1.11.4 github.com/go-chi/chi/v5 v5.1.0 @@ -82,6 +81,7 @@ require ( github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect github.com/hashicorp/yamux v0.1.1 // indirect github.com/josharian/native v1.1.0 // indirect + github.com/kr/text v0.2.0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mdlayher/socket v0.4.1 // indirect diff --git a/go.sum b/go.sum index d5b5705371..a34788609b 100644 --- a/go.sum +++ b/go.sum @@ -17,12 +17,11 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= -github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8= github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -37,7 +36,6 @@ github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 h1:tlDMEdcPRQKBE github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1/go.mod h1:4RfsapbGx2j/vU5xC/5/9qB3kn9Awp1YDiEnN43QrJ4= github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 h1:fuGucgPk5dN6wzfnxl3D0D3rVLw4v2SbBT9jb4VnxzA= github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010/go.mod h1:JtBcj7sBuTTRupn7c2bFspMDIObMJsVK8TeUvpShPok= -github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= @@ -85,8 +83,9 @@ github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2 github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM= github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= -github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc= @@ -155,7 +154,6 @@ github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs= github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0= github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM= github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs= diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 6504e96aef..891452412f 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -26,7 +26,6 @@ import ( "github.com/metacubex/mihomo/component/updater" "github.com/metacubex/mihomo/config" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/dns" "github.com/metacubex/mihomo/listener" @@ -182,9 +181,6 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList listener.ReCreateHTTP(general.Port, tunnel.Tunnel) listener.ReCreateSocks(general.SocksPort, tunnel.Tunnel) listener.ReCreateRedir(general.RedirPort, tunnel.Tunnel) - if !features.CMFA { - listener.ReCreateAutoRedir(general.EBpf.AutoRedir, tunnel.Tunnel) - } listener.ReCreateTProxy(general.TProxyPort, tunnel.Tunnel) listener.ReCreateMixed(general.MixedPort, tunnel.Tunnel) listener.ReCreateShadowSocks(general.ShadowSocksConfig, tunnel.Tunnel) @@ -352,7 +348,6 @@ func updateTun(general *config.General) { return } listener.ReCreateTun(general.Tun, tunnel.Tunnel) - listener.ReCreateRedirToTun(general.EBpf.RedirectToTun) } func updateSniffer(sniffer *config.Sniffer) { diff --git a/listener/autoredir/tcp.go b/listener/autoredir/tcp.go deleted file mode 100644 index 2b21b087b3..0000000000 --- a/listener/autoredir/tcp.go +++ /dev/null @@ -1,95 +0,0 @@ -package autoredir - -import ( - "net" - "net/netip" - - "github.com/metacubex/mihomo/adapter/inbound" - N "github.com/metacubex/mihomo/common/net" - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/log" - "github.com/metacubex/mihomo/transport/socks5" -) - -type Listener struct { - listener net.Listener - addr string - closed bool - additions []inbound.Addition - lookupFunc func(netip.AddrPort) (socks5.Addr, error) -} - -// RawAddress implements C.Listener -func (l *Listener) RawAddress() string { - return l.addr -} - -// Address implements C.Listener -func (l *Listener) Address() string { - return l.listener.Addr().String() -} - -// Close implements C.Listener -func (l *Listener) Close() error { - l.closed = true - return l.listener.Close() -} - -func (l *Listener) TCPAddr() netip.AddrPort { - return l.listener.Addr().(*net.TCPAddr).AddrPort() -} - -func (l *Listener) SetLookupFunc(lookupFunc func(netip.AddrPort) (socks5.Addr, error)) { - l.lookupFunc = lookupFunc -} - -func (l *Listener) handleRedir(conn net.Conn, tunnel C.Tunnel) { - if l.lookupFunc == nil { - log.Errorln("[Auto Redirect] lookup function is nil") - return - } - - target, err := l.lookupFunc(conn.RemoteAddr().(*net.TCPAddr).AddrPort()) - if err != nil { - log.Warnln("[Auto Redirect] %v", err) - _ = conn.Close() - return - } - - N.TCPKeepAlive(conn) - - tunnel.HandleTCPConn(inbound.NewSocket(target, conn, C.REDIR, l.additions...)) -} - -func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { - if len(additions) == 0 { - additions = []inbound.Addition{ - inbound.WithInName("DEFAULT-REDIR"), - inbound.WithSpecialRules(""), - } - } - l, err := net.Listen("tcp", addr) - if err != nil { - return nil, err - } - rl := &Listener{ - listener: l, - addr: addr, - additions: additions, - } - - go func() { - for { - c, err := l.Accept() - if err != nil { - if rl.closed { - break - } - continue - } - go rl.handleRedir(c, tunnel) - } - }() - - return rl, nil -} diff --git a/listener/listener.go b/listener/listener.go index 76860e0d43..4d10677812 100644 --- a/listener/listener.go +++ b/listener/listener.go @@ -9,9 +9,7 @@ import ( "strings" "sync" - "github.com/metacubex/mihomo/component/ebpf" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/listener/autoredir" LC "github.com/metacubex/mihomo/listener/config" "github.com/metacubex/mihomo/listener/http" "github.com/metacubex/mihomo/listener/mixed" @@ -49,9 +47,6 @@ var ( shadowSocksListener C.MultiAddrListener vmessListener *sing_vmess.Listener tuicListener *tuic.Listener - autoRedirListener *autoredir.Listener - autoRedirProgram *ebpf.TcEBpfProgram - tcProgram *ebpf.TcEBpfProgram // lock for recreate function socksMux sync.Mutex @@ -540,95 +535,6 @@ func ReCreateTun(tunConf LC.Tun, tunnel C.Tunnel) { log.Infoln("[TUN] Tun adapter listening at: %s", tunLister.Address()) } -func ReCreateRedirToTun(ifaceNames []string) { - tcMux.Lock() - defer tcMux.Unlock() - - nicArr := ifaceNames - slices.Sort(nicArr) - nicArr = slices.Compact(nicArr) - - if tcProgram != nil { - tcProgram.Close() - tcProgram = nil - } - - if len(nicArr) == 0 { - return - } - - tunConf := GetTunConf() - - if !tunConf.Enable { - return - } - - program, err := ebpf.NewTcEBpfProgram(nicArr, tunConf.Device) - if err != nil { - log.Errorln("Attached tc ebpf program error: %v", err) - return - } - tcProgram = program - - log.Infoln("Attached tc ebpf program to interfaces %v", tcProgram.RawNICs()) -} - -func ReCreateAutoRedir(ifaceNames []string, tunnel C.Tunnel) { - autoRedirMux.Lock() - defer autoRedirMux.Unlock() - - var err error - defer func() { - if err != nil { - if autoRedirListener != nil { - _ = autoRedirListener.Close() - autoRedirListener = nil - } - if autoRedirProgram != nil { - autoRedirProgram.Close() - autoRedirProgram = nil - } - log.Errorln("Start auto redirect server error: %s", err.Error()) - } - }() - - nicArr := ifaceNames - slices.Sort(nicArr) - nicArr = slices.Compact(nicArr) - - if autoRedirListener != nil && autoRedirProgram != nil { - _ = autoRedirListener.Close() - autoRedirProgram.Close() - autoRedirListener = nil - autoRedirProgram = nil - } - - if len(nicArr) == 0 { - return - } - - defaultRouteInterfaceName, err := ebpf.GetAutoDetectInterface() - if err != nil { - return - } - - addr := genAddr("*", C.TcpAutoRedirPort, true) - - autoRedirListener, err = autoredir.New(addr, tunnel) - if err != nil { - return - } - - autoRedirProgram, err = ebpf.NewRedirEBpfProgram(nicArr, autoRedirListener.TCPAddr().Port(), defaultRouteInterfaceName) - if err != nil { - return - } - - autoRedirListener.SetLookupFunc(autoRedirProgram.Lookup) - - log.Infoln("Auto redirect proxy listening at: %s, attached tc ebpf program to interfaces %v", autoRedirListener.Address(), autoRedirProgram.RawNICs()) -} - func PatchTunnel(tunnels []LC.Tunnel, tunnel C.Tunnel) { tunnelMux.Lock() defer tunnelMux.Unlock() diff --git a/test/go.mod b/test/go.mod index 9237488625..f364c2c89d 100644 --- a/test/go.mod +++ b/test/go.mod @@ -22,7 +22,6 @@ require ( github.com/andybalholm/brotli v1.0.5 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/buger/jsonparser v1.1.1 // indirect - github.com/cilium/ebpf v0.12.3 // indirect github.com/coreos/go-iptables v0.7.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/distribution/reference v0.5.0 // indirect diff --git a/test/go.sum b/test/go.sum index af34b356e3..05a23ce937 100644 --- a/test/go.sum +++ b/test/go.sum @@ -19,8 +19,6 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= -github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8= github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= From 82984891e4f5b8f8541d2c8213d59e8ca11e0014 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Mon, 19 Aug 2024 10:01:05 +0800 Subject: [PATCH 15/42] action: fix build for armv5/6/7 --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fb3eb621a4..e0b964f492 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,10 +40,10 @@ jobs: - { goos: linux, goarch: arm, goarm: '5', output: armv5 } - { goos: linux, goarch: arm, goarm: '6', output: armv6 } - { goos: linux, goarch: arm, goarm: '7', output: armv7 } - - { goos: linux, goarch: mips, mips: hardfloat, output: mips-hardfloat } - - { goos: linux, goarch: mips, mips: softfloat, output: mips-softfloat } - - { goos: linux, goarch: mipsle, mips: hardfloat, output: mipsle-hardfloat } - - { goos: linux, goarch: mipsle, mips: softfloat, output: mipsle-softfloat } + - { goos: linux, goarch: mips, gomips: hardfloat, output: mips-hardfloat } + - { goos: linux, goarch: mips, gomips: softfloat, output: mips-softfloat } + - { goos: linux, goarch: mipsle, gomips: hardfloat, output: mipsle-hardfloat } + - { goos: linux, goarch: mipsle, gomips: softfloat, output: mipsle-softfloat } - { goos: linux, goarch: mips64, output: mips64 } - { goos: linux, goarch: mips64le, output: mips64le } - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1' } @@ -219,8 +219,8 @@ jobs: GOOS: ${{matrix.jobs.goos}} GOARCH: ${{matrix.jobs.goarch}} GOAMD64: ${{matrix.jobs.goamd64}} - GOARM: ${{matrix.jobs.arm}} - GOMIPS: ${{matrix.jobs.mips}} + GOARM: ${{matrix.jobs.goarm}} + GOMIPS: ${{matrix.jobs.gomips}} run: | echo $CGO_ENABLED go build -v -tags "with_gvisor" -trimpath -ldflags "${BUILDTAG} -X 'github.com/metacubex/mihomo/constant.Version=${VERSION}' -X 'github.com/metacubex/mihomo/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" From c8380335cbdea02965876b443c070ff8cd048956 Mon Sep 17 00:00:00 2001 From: xishang0128 Date: Mon, 19 Aug 2024 16:02:43 +0800 Subject: [PATCH 16/42] chore: improve `include-all-proxies` compatibility --- adapter/outboundgroup/parser.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/adapter/outboundgroup/parser.go b/adapter/outboundgroup/parser.go index efc38aabee..b073c4bba7 100644 --- a/adapter/outboundgroup/parser.go +++ b/adapter/outboundgroup/parser.go @@ -88,6 +88,9 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide } else { groupOption.Proxies = append(groupOption.Proxies, AllProxies...) } + if len(groupOption.Proxies) == 0 && len(groupOption.Use) == 0 { + groupOption.Proxies = []string{"COMPATIBLE"} + } } if len(groupOption.Proxies) == 0 && len(groupOption.Use) == 0 { From ba605b693b4ce2f7a50e31508d99032b04232051 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Tue, 20 Aug 2024 09:39:33 +0800 Subject: [PATCH 17/42] action: show go env when build --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0b964f492..94854f2748 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -222,7 +222,7 @@ jobs: GOARM: ${{matrix.jobs.goarm}} GOMIPS: ${{matrix.jobs.gomips}} run: | - echo $CGO_ENABLED + go env go build -v -tags "with_gvisor" -trimpath -ldflags "${BUILDTAG} -X 'github.com/metacubex/mihomo/constant.Version=${VERSION}' -X 'github.com/metacubex/mihomo/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" if [ "${{matrix.jobs.goos}}" = "windows" ]; then cp mihomo.exe mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}.exe From 512d188384ca0468df8daf23f59a247c025cedd5 Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Tue, 20 Aug 2024 21:13:26 +0800 Subject: [PATCH 18/42] fix redundant WindowsDNS (#1456) Co-authored-by: ForestL <45709305+forestl18@users.noreply.github.com> --- dns/system_windows.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dns/system_windows.go b/dns/system_windows.go index 47c1ebaa4e..2f4d1b633d 100644 --- a/dns/system_windows.go +++ b/dns/system_windows.go @@ -8,6 +8,7 @@ import ( "syscall" "unsafe" + "golang.org/x/exp/slices" "golang.org/x/sys/windows" ) @@ -40,6 +41,9 @@ func dnsReadConfig() (servers []string, err error) { // Unexpected type. continue } + if slices.Contains(servers, ip.String()) { + continue + } servers = append(servers, ip.String()) } } From c4660e1aad5cf8f5a89874dc191e8c110c15eb58 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 21 Aug 2024 10:51:49 +0800 Subject: [PATCH 19/42] chore: reopen tfo support on windows for golang1.23 maybe broken again when golang1.24 release --- adapter/inbound/listen.go | 14 +++++++++++++- adapter/inbound/listen_unix.go | 23 ----------------------- adapter/inbound/listen_windows.go | 15 --------------- component/dialer/tfo.go | 17 +++++++++++++++++ component/dialer/tfo_unix.go | 25 ------------------------- component/dialer/tfo_windows.go | 15 +++++++-------- go.mod | 2 +- go.sum | 4 ++-- 8 files changed, 40 insertions(+), 75 deletions(-) delete mode 100644 adapter/inbound/listen_unix.go delete mode 100644 adapter/inbound/listen_windows.go delete mode 100644 component/dialer/tfo_unix.go diff --git a/adapter/inbound/listen.go b/adapter/inbound/listen.go index edbccea70a..18dc1bc242 100644 --- a/adapter/inbound/listen.go +++ b/adapter/inbound/listen.go @@ -3,10 +3,22 @@ package inbound import ( "context" "net" + + "github.com/metacubex/tfo-go" +) + +var ( + lc = tfo.ListenConfig{ + DisableTFO: true, + } ) +func SetTfo(open bool) { + lc.DisableTFO = !open +} + func SetMPTCP(open bool) { - setMultiPathTCP(getListenConfig(), open) + setMultiPathTCP(&lc.ListenConfig, open) } func ListenContext(ctx context.Context, network, address string) (net.Listener, error) { diff --git a/adapter/inbound/listen_unix.go b/adapter/inbound/listen_unix.go deleted file mode 100644 index bb78adb222..0000000000 --- a/adapter/inbound/listen_unix.go +++ /dev/null @@ -1,23 +0,0 @@ -//go:build unix - -package inbound - -import ( - "net" - - "github.com/metacubex/tfo-go" -) - -var ( - lc = tfo.ListenConfig{ - DisableTFO: true, - } -) - -func SetTfo(open bool) { - lc.DisableTFO = !open -} - -func getListenConfig() *net.ListenConfig { - return &lc.ListenConfig -} diff --git a/adapter/inbound/listen_windows.go b/adapter/inbound/listen_windows.go deleted file mode 100644 index a4223e2b58..0000000000 --- a/adapter/inbound/listen_windows.go +++ /dev/null @@ -1,15 +0,0 @@ -package inbound - -import ( - "net" -) - -var ( - lc = net.ListenConfig{} -) - -func SetTfo(open bool) {} - -func getListenConfig() *net.ListenConfig { - return &lc -} diff --git a/component/dialer/tfo.go b/component/dialer/tfo.go index bc32b38a74..76fe94d021 100644 --- a/component/dialer/tfo.go +++ b/component/dialer/tfo.go @@ -5,8 +5,12 @@ import ( "io" "net" "time" + + "github.com/metacubex/tfo-go" ) +var DisableTFO = false + type tfoConn struct { net.Conn closed bool @@ -120,3 +124,16 @@ func (c *tfoConn) ReaderReplaceable() bool { func (c *tfoConn) WriterReplaceable() bool { return c.Conn != nil } + +func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) { + ctx, cancel := context.WithTimeout(context.Background(), DefaultTCPTimeout) + dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false} + return &tfoConn{ + dialed: make(chan bool, 1), + cancel: cancel, + ctx: ctx, + dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) { + return dialer.DialContext(ctx, network, address, earlyData) + }, + }, nil +} diff --git a/component/dialer/tfo_unix.go b/component/dialer/tfo_unix.go deleted file mode 100644 index b8908849e8..0000000000 --- a/component/dialer/tfo_unix.go +++ /dev/null @@ -1,25 +0,0 @@ -//go:build unix - -package dialer - -import ( - "context" - "net" - - "github.com/metacubex/tfo-go" -) - -const DisableTFO = false - -func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) { - ctx, cancel := context.WithTimeout(context.Background(), DefaultTCPTimeout) - dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false} - return &tfoConn{ - dialed: make(chan bool, 1), - cancel: cancel, - ctx: ctx, - dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) { - return dialer.DialContext(ctx, network, address, earlyData) - }, - }, nil -} diff --git a/component/dialer/tfo_windows.go b/component/dialer/tfo_windows.go index f1dddcf44e..632661186c 100644 --- a/component/dialer/tfo_windows.go +++ b/component/dialer/tfo_windows.go @@ -1,12 +1,11 @@ package dialer -import ( - "context" - "net" -) +import "github.com/metacubex/mihomo/constant/features" -const DisableTFO = true - -func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) { - return netDialer.DialContext(ctx, network, address) +func init() { + // According to MSDN, this option is available since Windows 10, 1607 + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms738596(v=vs.85).aspx + if features.WindowsMajorVersion < 10 || (features.WindowsMajorVersion == 10 && features.WindowsBuildNumber < 14393) { + DisableTFO = true + } } diff --git a/go.mod b/go.mod index 796e096289..cc1c8b635e 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a - github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66 + github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d github.com/metacubex/utls v1.6.6 github.com/miekg/dns v1.1.61 github.com/mroth/weightedrand/v2 v2.1.0 diff --git a/go.sum b/go.sum index a34788609b..9e63c337e8 100644 --- a/go.sum +++ b/go.sum @@ -120,8 +120,8 @@ github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 h1:OAXiCosq github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY= github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a h1:NpSGclHJUYndUwBmyIpFBSoBVg8PoVX7QQKhYg0DjM0= github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo= -github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66 h1:as/aO/fM8nv4W4pOr9EETP6kV/Oaujk3fUNyQSJK61c= -github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= +github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNvXW824QQeN7Y26uPL5249kzWKbzO9U= +github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8= github.com/metacubex/utls v1.6.6/go.mod h1:+WLFUnXjcpdxXCnyX25nggw8C6YonZ8zOK2Zm/oRvdo= github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= From 41efc5e5aba871aa43ea26656326f5c35979b6e1 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Thu, 22 Aug 2024 09:24:27 +0800 Subject: [PATCH 20/42] chore: update dependencies --- component/fakeip/pool_test.go | 2 +- component/profile/cachefile/cache.go | 2 +- go.mod | 18 +++++++------- go.sum | 36 ++++++++++++++-------------- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/component/fakeip/pool_test.go b/component/fakeip/pool_test.go index ed52fb6d63..c2e4658469 100644 --- a/component/fakeip/pool_test.go +++ b/component/fakeip/pool_test.go @@ -12,7 +12,7 @@ import ( C "github.com/metacubex/mihomo/constant" RP "github.com/metacubex/mihomo/rules/provider" - "github.com/sagernet/bbolt" + "github.com/metacubex/bbolt" "github.com/stretchr/testify/assert" ) diff --git a/component/profile/cachefile/cache.go b/component/profile/cachefile/cache.go index 11068647ac..e3da03699d 100644 --- a/component/profile/cachefile/cache.go +++ b/component/profile/cachefile/cache.go @@ -9,7 +9,7 @@ import ( C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" - "github.com/sagernet/bbolt" + "github.com/metacubex/bbolt" ) var ( diff --git a/go.mod b/go.mod index cc1c8b635e..b0c1b3dd96 100644 --- a/go.mod +++ b/go.mod @@ -11,12 +11,13 @@ require ( github.com/go-chi/cors v1.2.1 github.com/go-chi/render v1.0.3 github.com/gobwas/ws v1.4.0 - github.com/gofrs/uuid/v5 v5.2.0 - github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9 + github.com/gofrs/uuid/v5 v5.3.0 + github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 github.com/klauspost/compress v1.17.9 github.com/klauspost/cpuid/v2 v2.2.8 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 github.com/mdlayher/netlink v1.7.2 + github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399 github.com/metacubex/chacha v0.1.0 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 github.com/metacubex/quic-go v0.46.1-0.20240807232329-1c6cb2d67f58 @@ -29,19 +30,18 @@ require ( github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d github.com/metacubex/utls v1.6.6 - github.com/miekg/dns v1.1.61 + github.com/miekg/dns v1.1.62 github.com/mroth/weightedrand/v2 v2.1.0 github.com/openacid/low v0.1.21 github.com/oschwald/maxminddb-golang v1.12.0 github.com/puzpuzpuz/xsync/v3 v3.4.0 - github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a github.com/sagernet/fswatch v0.1.1 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a github.com/sagernet/sing v0.5.0-alpha.13 github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6 github.com/sagernet/sing-shadowtls v0.1.4 github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e - github.com/samber/lo v1.46.0 + github.com/samber/lo v1.47.0 github.com/shirou/gopsutil/v3 v3.24.5 github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.9.0 @@ -50,9 +50,9 @@ require ( go.uber.org/automaxprocs v1.5.3 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba golang.org/x/crypto v0.26.0 - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa golang.org/x/net v0.28.0 - golang.org/x/sys v0.23.0 + golang.org/x/sys v0.24.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 lukechampine.com/blake3 v1.3.0 @@ -106,11 +106,11 @@ require ( github.com/yusufpapurcu/wmi v1.2.4 // indirect gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect go.uber.org/mock v0.4.0 // indirect - golang.org/x/mod v0.19.0 // indirect + golang.org/x/mod v0.20.0 // indirect golang.org/x/sync v0.8.0 // indirect golang.org/x/text v0.17.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.23.0 // indirect + golang.org/x/tools v0.24.0 // indirect ) replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297 diff --git a/go.sum b/go.sum index 9e63c337e8..8194b68adc 100644 --- a/go.sum +++ b/go.sum @@ -58,8 +58,8 @@ github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs= github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc= -github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM= -github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= +github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= +github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= @@ -73,8 +73,8 @@ github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I= github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9 h1:LZJWucZz7ztCqY6Jsu7N9g124iJ2kt/O62j3+UchZFg= -github.com/insomniacslk/dhcp v0.0.0-20240710054256-ddd8a41251c9/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic= +github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 h1:GkMacU5ftc+IEg1449N3UEy2XLDz58W4fkrRu2fibb8= +github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= @@ -96,6 +96,8 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/ github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U= github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= +github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399 h1:oBowHVKZycNtAFbZ6avaCSZJYeme2Nrj+4RpV2cNJig= +github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399/go.mod h1:4xcieuIK+M4bGQmQYZVqEaIYqjS1ahO4kXG7EmDgEro= github.com/metacubex/chacha v0.1.0 h1:tg9RSJ18NvL38cCWNyYH1eiG6qDCyyXIaTLQthon0sc= github.com/metacubex/chacha v0.1.0/go.mod h1:Djn9bPZxLTXbJFSeyo0/qzEzQI+gUSSzttuzZM75GH8= github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvOzK9ubNCCkQ+ldc4YSH/rILn53l/xGBFHHI= @@ -124,8 +126,8 @@ github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNv github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8= github.com/metacubex/utls v1.6.6/go.mod h1:+WLFUnXjcpdxXCnyX25nggw8C6YonZ8zOK2Zm/oRvdo= -github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= -github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU= github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU= github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4= @@ -154,8 +156,6 @@ github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs= github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k= -github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0= -github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM= github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs= github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o= github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis= @@ -170,8 +170,8 @@ github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxe github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo= github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e h1:iGH0RMv2FzELOFNFQtvsxH7NPmlo7X5JizEK51UCojo= github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e/go.mod h1:YbL4TKHRR6APYQv3U2RGfwLDpPYSyWz6oUlpISBEzBE= -github.com/samber/lo v1.46.0 h1:w8G+oaCPgz1PoCJztqymCFaKwXt+5cCXn51uPxExFfQ= -github.com/samber/lo v1.46.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= +github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= +github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI= github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk= github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= @@ -226,12 +226,12 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= @@ -255,8 +255,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= -golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= @@ -264,8 +264,8 @@ golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= From 16c95fca87a51ad1ff70a960e5035552a33c7474 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Fri, 23 Aug 2024 21:05:43 +0800 Subject: [PATCH 21/42] fix: tradition shadowsocks server not apply additions https://github.com/MetaCubeX/mihomo/issues/1466 --- listener/shadowsocks/tcp.go | 6 +++--- listener/shadowsocks/udp.go | 4 ++-- listener/sing_shadowsocks/server.go | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/listener/shadowsocks/tcp.go b/listener/shadowsocks/tcp.go index c08667de6b..c38438142d 100644 --- a/listener/shadowsocks/tcp.go +++ b/listener/shadowsocks/tcp.go @@ -22,7 +22,7 @@ type Listener struct { var _listener *Listener -func New(config LC.ShadowsocksServer, tunnel C.Tunnel) (*Listener, error) { +func New(config LC.ShadowsocksServer, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { pickCipher, err := core.PickCipher(config.Cipher, nil, config.Password) if err != nil { return nil, err @@ -36,7 +36,7 @@ func New(config LC.ShadowsocksServer, tunnel C.Tunnel) (*Listener, error) { if config.Udp { //UDP - ul, err := NewUDP(addr, pickCipher, tunnel) + ul, err := NewUDP(addr, pickCipher, tunnel, additions...) if err != nil { return nil, err } @@ -60,7 +60,7 @@ func New(config LC.ShadowsocksServer, tunnel C.Tunnel) (*Listener, error) { continue } N.TCPKeepAlive(c) - go sl.HandleConn(c, tunnel) + go sl.HandleConn(c, tunnel, additions...) } }() } diff --git a/listener/shadowsocks/udp.go b/listener/shadowsocks/udp.go index 4336db2253..77932ed1b1 100644 --- a/listener/shadowsocks/udp.go +++ b/listener/shadowsocks/udp.go @@ -17,7 +17,7 @@ type UDPListener struct { closed bool } -func NewUDP(addr string, pickCipher core.Cipher, tunnel C.Tunnel) (*UDPListener, error) { +func NewUDP(addr string, pickCipher core.Cipher, tunnel C.Tunnel, additions ...inbound.Addition) (*UDPListener, error) { l, err := net.ListenPacket("udp", addr) if err != nil { return nil, err @@ -42,7 +42,7 @@ func NewUDP(addr string, pickCipher core.Cipher, tunnel C.Tunnel) (*UDPListener, } continue } - handleSocksUDP(conn, tunnel, data, put, remoteAddr) + handleSocksUDP(conn, tunnel, data, put, remoteAddr, additions...) } }() diff --git a/listener/sing_shadowsocks/server.go b/listener/sing_shadowsocks/server.go index bd5002a464..1cb798f7d0 100644 --- a/listener/sing_shadowsocks/server.go +++ b/listener/sing_shadowsocks/server.go @@ -72,7 +72,7 @@ func New(config LC.ShadowsocksServer, tunnel C.Tunnel, additions ...inbound.Addi sl.service, err = shadowaead_2022.NewServiceWithPassword(config.Cipher, config.Password, udpTimeout, h, ntp.Now) default: err = fmt.Errorf("shadowsocks: unsupported method: %s", config.Cipher) - return embedSS.New(config, tunnel) + return embedSS.New(config, tunnel, additions...) } if err != nil { return nil, err From f5834dd5e272d69a9f494ad318c8f3f6e5f34c1f Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sat, 24 Aug 2024 13:25:23 +0800 Subject: [PATCH 22/42] chore: code cleanup --- common/nnip/netip.go | 20 +++++ hub/executor/executor.go | 10 +-- hub/route/configs.go | 15 +--- listener/config/tun.go | 147 ++++++++++++++++++++++++++++++++++- listener/listener.go | 161 ++++----------------------------------- 5 files changed, 185 insertions(+), 168 deletions(-) diff --git a/common/nnip/netip.go b/common/nnip/netip.go index e456613888..b987bb457f 100644 --- a/common/nnip/netip.go +++ b/common/nnip/netip.go @@ -51,3 +51,23 @@ func UnMasked(p netip.Prefix) netip.Addr { } return addr } + +// PrefixCompare returns an integer comparing two prefixes. +// The result will be 0 if p == p2, -1 if p < p2, and +1 if p > p2. +// modify from https://github.com/golang/go/issues/61642#issuecomment-1848587909 +func PrefixCompare(p, p2 netip.Prefix) int { + // compare by validity, address family and prefix base address + if c := p.Masked().Addr().Compare(p2.Masked().Addr()); c != 0 { + return c + } + // compare by prefix length + f1, f2 := p.Bits(), p2.Bits() + if f1 < f2 { + return -1 + } + if f1 > f2 { + return 1 + } + // compare by prefix address + return p.Addr().Compare(p2.Addr()) +} diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 891452412f..8eb54ac4ac 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -90,6 +90,7 @@ func ApplyConfig(cfg *config.Config, force bool) { } } + updateExperimental(cfg) updateUsers(cfg.Users) updateProxies(cfg.Proxies, cfg.Providers) updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders) @@ -100,8 +101,6 @@ func ApplyConfig(cfg *config.Config, force bool) { updateDNS(cfg.DNS, cfg.General.IPv6) updateListeners(cfg.General, cfg.Listeners, force) updateIPTables(cfg) - updateTun(cfg.General) - updateExperimental(cfg) updateTunnels(cfg.Tunnels) tunnel.OnInnerLoading() @@ -186,6 +185,7 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList listener.ReCreateShadowSocks(general.ShadowSocksConfig, tunnel.Tunnel) listener.ReCreateVmess(general.VmessConfig, tunnel.Tunnel) listener.ReCreateTuic(general.TuicServer, tunnel.Tunnel) + listener.ReCreateTun(general.Tun, tunnel.Tunnel) } func updateExperimental(c *config.Config) { @@ -343,12 +343,6 @@ func hcCompatibleProvider(proxyProviders map[string]provider.ProxyProvider) { } } -func updateTun(general *config.General) { - if general == nil { - return - } - listener.ReCreateTun(general.Tun, tunnel.Tunnel) -} func updateSniffer(sniffer *config.Sniffer) { if sniffer.Enable { diff --git a/hub/route/configs.go b/hub/route/configs.go index c7b340c603..b31a607e95 100644 --- a/hub/route/configs.go +++ b/hub/route/configs.go @@ -62,7 +62,6 @@ type tunSchema struct { DNSHijack *[]string `yaml:"dns-hijack" json:"dns-hijack"` AutoRoute *bool `yaml:"auto-route" json:"auto-route"` AutoDetectInterface *bool `yaml:"auto-detect-interface" json:"auto-detect-interface"` - //RedirectToTun []string `yaml:"-" json:"-"` MTU *uint32 `yaml:"mtu" json:"mtu,omitempty"` GSO *bool `yaml:"gso" json:"gso,omitempty"` @@ -118,21 +117,13 @@ func getConfigs(w http.ResponseWriter, r *http.Request) { render.JSON(w, r, general) } -func pointerOrDefault(p *int, def int) int { +func pointerOrDefault[T any](p *T, def T) T { if p != nil { return *p } return def } -func pointerOrDefaultString(p *string, def string) string { - if p != nil { - return *p - } - - return def -} - func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun { if p != nil { def.Enable = p.Enable @@ -336,8 +327,8 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) { P.ReCreateTProxy(pointerOrDefault(general.TProxyPort, ports.TProxyPort), tunnel.Tunnel) P.ReCreateMixed(pointerOrDefault(general.MixedPort, ports.MixedPort), tunnel.Tunnel) P.ReCreateTun(pointerOrDefaultTun(general.Tun, P.LastTunConf), tunnel.Tunnel) - P.ReCreateShadowSocks(pointerOrDefaultString(general.ShadowSocksConfig, ports.ShadowSocksConfig), tunnel.Tunnel) - P.ReCreateVmess(pointerOrDefaultString(general.VmessConfig, ports.VmessConfig), tunnel.Tunnel) + P.ReCreateShadowSocks(pointerOrDefault(general.ShadowSocksConfig, ports.ShadowSocksConfig), tunnel.Tunnel) + P.ReCreateVmess(pointerOrDefault(general.VmessConfig, ports.VmessConfig), tunnel.Tunnel) P.ReCreateTuic(pointerOrDefaultTuicServer(general.TuicServer, P.LastTuicConf), tunnel.Tunnel) if general.Mode != nil { diff --git a/listener/config/tun.go b/listener/config/tun.go index cea22bfdc8..06dc53ef6a 100644 --- a/listener/config/tun.go +++ b/listener/config/tun.go @@ -3,7 +3,10 @@ package config import ( "net/netip" + "github.com/metacubex/mihomo/common/nnip" C "github.com/metacubex/mihomo/constant" + + "golang.org/x/exp/slices" ) func StringSliceToNetipPrefixSlice(ss []string) ([]netip.Prefix, error) { @@ -25,7 +28,6 @@ type Tun struct { DNSHijack []string `yaml:"dns-hijack" json:"dns-hijack"` AutoRoute bool `yaml:"auto-route" json:"auto-route"` AutoDetectInterface bool `yaml:"auto-detect-interface" json:"auto-detect-interface"` - RedirectToTun []string `yaml:"-" json:"-"` MTU uint32 `yaml:"mtu" json:"mtu,omitempty"` GSO bool `yaml:"gso" json:"gso,omitempty"` @@ -60,3 +62,146 @@ type Tun struct { Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"` Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"` } + +func (t *Tun) Sort() { + slices.Sort(t.DNSHijack) + + slices.SortFunc(t.Inet4Address, nnip.PrefixCompare) + slices.SortFunc(t.Inet6Address, nnip.PrefixCompare) + slices.SortFunc(t.RouteAddress, nnip.PrefixCompare) + slices.Sort(t.RouteAddressSet) + slices.SortFunc(t.RouteExcludeAddress, nnip.PrefixCompare) + slices.Sort(t.RouteExcludeAddressSet) + slices.Sort(t.IncludeInterface) + slices.Sort(t.ExcludeInterface) + slices.Sort(t.IncludeUID) + slices.Sort(t.IncludeUIDRange) + slices.Sort(t.ExcludeUID) + slices.Sort(t.ExcludeUIDRange) + slices.Sort(t.IncludeAndroidUser) + slices.Sort(t.IncludePackage) + slices.Sort(t.ExcludePackage) + + slices.SortFunc(t.Inet4RouteAddress, nnip.PrefixCompare) + slices.SortFunc(t.Inet6RouteAddress, nnip.PrefixCompare) + slices.SortFunc(t.Inet4RouteExcludeAddress, nnip.PrefixCompare) + slices.SortFunc(t.Inet6RouteExcludeAddress, nnip.PrefixCompare) +} + +func (t *Tun) Equal(other Tun) bool { + if t.Enable != other.Enable { + return false + } + if t.Device != other.Device { + return false + } + if t.Stack != other.Stack { + return false + } + if !slices.Equal(t.DNSHijack, other.DNSHijack) { + return false + } + if t.AutoRoute != other.AutoRoute { + return false + } + if t.AutoDetectInterface != other.AutoDetectInterface { + return false + } + + if t.MTU != other.MTU { + return false + } + if t.GSO != other.GSO { + return false + } + if t.GSOMaxSize != other.GSOMaxSize { + return false + } + if !slices.Equal(t.Inet4Address, other.Inet4Address) { + return false + } + if !slices.Equal(t.Inet6Address, other.Inet6Address) { + return false + } + if t.IPRoute2TableIndex != other.IPRoute2TableIndex { + return false + } + if t.IPRoute2RuleIndex != other.IPRoute2RuleIndex { + return false + } + if t.AutoRedirect != other.AutoRedirect { + return false + } + if t.AutoRedirectInputMark != other.AutoRedirectInputMark { + return false + } + if t.AutoRedirectOutputMark != other.AutoRedirectOutputMark { + return false + } + if t.StrictRoute != other.StrictRoute { + return false + } + if !slices.Equal(t.RouteAddress, other.RouteAddress) { + return false + } + if !slices.Equal(t.RouteAddressSet, other.RouteAddressSet) { + return false + } + if !slices.Equal(t.RouteExcludeAddress, other.RouteExcludeAddress) { + return false + } + if !slices.Equal(t.RouteExcludeAddressSet, other.RouteExcludeAddressSet) { + return false + } + if !slices.Equal(t.IncludeInterface, other.IncludeInterface) { + return false + } + if !slices.Equal(t.ExcludeInterface, other.ExcludeInterface) { + return false + } + if !slices.Equal(t.IncludeUID, other.IncludeUID) { + return false + } + if !slices.Equal(t.IncludeUIDRange, other.IncludeUIDRange) { + return false + } + if !slices.Equal(t.ExcludeUID, other.ExcludeUID) { + return false + } + if !slices.Equal(t.ExcludeUIDRange, other.ExcludeUIDRange) { + return false + } + if !slices.Equal(t.IncludeAndroidUser, other.IncludeAndroidUser) { + return false + } + if !slices.Equal(t.IncludePackage, other.IncludePackage) { + return false + } + if !slices.Equal(t.ExcludePackage, other.ExcludePackage) { + return false + } + if t.EndpointIndependentNat != other.EndpointIndependentNat { + return false + } + if t.UDPTimeout != other.UDPTimeout { + return false + } + if t.FileDescriptor != other.FileDescriptor { + return false + } + + if !slices.Equal(t.Inet4RouteAddress, other.Inet4RouteAddress) { + return false + } + if !slices.Equal(t.Inet6RouteAddress, other.Inet6RouteAddress) { + return false + } + if !slices.Equal(t.Inet4RouteExcludeAddress, other.Inet4RouteExcludeAddress) { + return false + } + if !slices.Equal(t.Inet6RouteExcludeAddress, other.Inet6RouteExcludeAddress) { + return false + } + + return true +} diff --git a/listener/listener.go b/listener/listener.go index 4d10677812..2e25c8b8f6 100644 --- a/listener/listener.go +++ b/listener/listener.go @@ -2,9 +2,7 @@ package listener import ( "fmt" - "golang.org/x/exp/slices" "net" - "sort" "strconv" "strings" "sync" @@ -49,19 +47,17 @@ var ( tuicListener *tuic.Listener // lock for recreate function - socksMux sync.Mutex - httpMux sync.Mutex - redirMux sync.Mutex - tproxyMux sync.Mutex - mixedMux sync.Mutex - tunnelMux sync.Mutex - inboundMux sync.Mutex - tunMux sync.Mutex - ssMux sync.Mutex - vmessMux sync.Mutex - tuicMux sync.Mutex - autoRedirMux sync.Mutex - tcMux sync.Mutex + socksMux sync.Mutex + httpMux sync.Mutex + redirMux sync.Mutex + tproxyMux sync.Mutex + mixedMux sync.Mutex + tunnelMux sync.Mutex + inboundMux sync.Mutex + tunMux sync.Mutex + ssMux sync.Mutex + vmessMux sync.Mutex + tuicMux sync.Mutex LastTunConf LC.Tun LastTuicConf LC.TuicServer @@ -499,6 +495,8 @@ func ReCreateMixed(port int, tunnel C.Tunnel) { } func ReCreateTun(tunConf LC.Tun, tunnel C.Tunnel) { + tunConf.Sort() + tunMux.Lock() defer func() { LastTunConf = tunConf @@ -513,7 +511,7 @@ func ReCreateTun(tunConf LC.Tun, tunnel C.Tunnel) { } }() - if !hasTunConfigChange(&tunConf) { + if tunConf.Equal(LastTunConf) { if tunLister != nil { tunLister.FlushDefaultInterface() } @@ -717,137 +715,6 @@ func genAddr(host string, port int, allowLan bool) string { return fmt.Sprintf("127.0.0.1:%d", port) } -func hasTunConfigChange(tunConf *LC.Tun) bool { - if LastTunConf.Enable != tunConf.Enable || - LastTunConf.Device != tunConf.Device || - LastTunConf.Stack != tunConf.Stack || - LastTunConf.AutoRoute != tunConf.AutoRoute || - LastTunConf.AutoDetectInterface != tunConf.AutoDetectInterface || - LastTunConf.MTU != tunConf.MTU || - LastTunConf.GSO != tunConf.GSO || - LastTunConf.GSOMaxSize != tunConf.GSOMaxSize || - LastTunConf.IPRoute2TableIndex != tunConf.IPRoute2TableIndex || - LastTunConf.IPRoute2RuleIndex != tunConf.IPRoute2RuleIndex || - LastTunConf.AutoRedirect != tunConf.AutoRedirect || - LastTunConf.AutoRedirectInputMark != tunConf.AutoRedirectInputMark || - LastTunConf.AutoRedirectOutputMark != tunConf.AutoRedirectOutputMark || - LastTunConf.StrictRoute != tunConf.StrictRoute || - LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat || - LastTunConf.UDPTimeout != tunConf.UDPTimeout || - LastTunConf.FileDescriptor != tunConf.FileDescriptor { - return true - } - - if len(LastTunConf.DNSHijack) != len(tunConf.DNSHijack) { - return true - } - - sort.Slice(tunConf.DNSHijack, func(i, j int) bool { - return tunConf.DNSHijack[i] < tunConf.DNSHijack[j] - }) - - sort.Slice(tunConf.RouteAddress, func(i, j int) bool { - return tunConf.RouteAddress[i].String() < tunConf.RouteAddress[j].String() - }) - - sort.Slice(tunConf.RouteAddressSet, func(i, j int) bool { - return tunConf.RouteAddressSet[i] < tunConf.RouteAddressSet[j] - }) - - sort.Slice(tunConf.RouteExcludeAddress, func(i, j int) bool { - return tunConf.RouteExcludeAddress[i].String() < tunConf.RouteExcludeAddress[j].String() - }) - - sort.Slice(tunConf.RouteExcludeAddressSet, func(i, j int) bool { - return tunConf.RouteExcludeAddressSet[i] < tunConf.RouteExcludeAddressSet[j] - }) - - sort.Slice(tunConf.Inet4Address, func(i, j int) bool { - return tunConf.Inet4Address[i].String() < tunConf.Inet4Address[j].String() - }) - - sort.Slice(tunConf.Inet6Address, func(i, j int) bool { - return tunConf.Inet6Address[i].String() < tunConf.Inet6Address[j].String() - }) - - sort.Slice(tunConf.Inet4RouteAddress, func(i, j int) bool { - return tunConf.Inet4RouteAddress[i].String() < tunConf.Inet4RouteAddress[j].String() - }) - - sort.Slice(tunConf.Inet6RouteAddress, func(i, j int) bool { - return tunConf.Inet6RouteAddress[i].String() < tunConf.Inet6RouteAddress[j].String() - }) - - sort.Slice(tunConf.Inet4RouteExcludeAddress, func(i, j int) bool { - return tunConf.Inet4RouteExcludeAddress[i].String() < tunConf.Inet4RouteExcludeAddress[j].String() - }) - - sort.Slice(tunConf.Inet6RouteExcludeAddress, func(i, j int) bool { - return tunConf.Inet6RouteExcludeAddress[i].String() < tunConf.Inet6RouteExcludeAddress[j].String() - }) - - sort.Slice(tunConf.IncludeInterface, func(i, j int) bool { - return tunConf.IncludeInterface[i] < tunConf.IncludeInterface[j] - }) - - sort.Slice(tunConf.ExcludeInterface, func(i, j int) bool { - return tunConf.ExcludeInterface[i] < tunConf.ExcludeInterface[j] - }) - - sort.Slice(tunConf.IncludeUID, func(i, j int) bool { - return tunConf.IncludeUID[i] < tunConf.IncludeUID[j] - }) - - sort.Slice(tunConf.IncludeUIDRange, func(i, j int) bool { - return tunConf.IncludeUIDRange[i] < tunConf.IncludeUIDRange[j] - }) - - sort.Slice(tunConf.ExcludeUID, func(i, j int) bool { - return tunConf.ExcludeUID[i] < tunConf.ExcludeUID[j] - }) - - sort.Slice(tunConf.ExcludeUIDRange, func(i, j int) bool { - return tunConf.ExcludeUIDRange[i] < tunConf.ExcludeUIDRange[j] - }) - - sort.Slice(tunConf.IncludeAndroidUser, func(i, j int) bool { - return tunConf.IncludeAndroidUser[i] < tunConf.IncludeAndroidUser[j] - }) - - sort.Slice(tunConf.IncludePackage, func(i, j int) bool { - return tunConf.IncludePackage[i] < tunConf.IncludePackage[j] - }) - - sort.Slice(tunConf.ExcludePackage, func(i, j int) bool { - return tunConf.ExcludePackage[i] < tunConf.ExcludePackage[j] - }) - - if !slices.Equal(tunConf.DNSHijack, LastTunConf.DNSHijack) || - !slices.Equal(tunConf.RouteAddress, LastTunConf.RouteAddress) || - !slices.Equal(tunConf.RouteAddressSet, LastTunConf.RouteAddressSet) || - !slices.Equal(tunConf.RouteExcludeAddress, LastTunConf.RouteExcludeAddress) || - !slices.Equal(tunConf.RouteExcludeAddressSet, LastTunConf.RouteExcludeAddressSet) || - !slices.Equal(tunConf.Inet4Address, LastTunConf.Inet4Address) || - !slices.Equal(tunConf.Inet6Address, LastTunConf.Inet6Address) || - !slices.Equal(tunConf.Inet4RouteAddress, LastTunConf.Inet4RouteAddress) || - !slices.Equal(tunConf.Inet6RouteAddress, LastTunConf.Inet6RouteAddress) || - !slices.Equal(tunConf.Inet4RouteExcludeAddress, LastTunConf.Inet4RouteExcludeAddress) || - !slices.Equal(tunConf.Inet6RouteExcludeAddress, LastTunConf.Inet6RouteExcludeAddress) || - !slices.Equal(tunConf.IncludeInterface, LastTunConf.IncludeInterface) || - !slices.Equal(tunConf.ExcludeInterface, LastTunConf.ExcludeInterface) || - !slices.Equal(tunConf.IncludeUID, LastTunConf.IncludeUID) || - !slices.Equal(tunConf.IncludeUIDRange, LastTunConf.IncludeUIDRange) || - !slices.Equal(tunConf.ExcludeUID, LastTunConf.ExcludeUID) || - !slices.Equal(tunConf.ExcludeUIDRange, LastTunConf.ExcludeUIDRange) || - !slices.Equal(tunConf.IncludeAndroidUser, LastTunConf.IncludeAndroidUser) || - !slices.Equal(tunConf.IncludePackage, LastTunConf.IncludePackage) || - !slices.Equal(tunConf.ExcludePackage, LastTunConf.ExcludePackage) { - return true - } - - return false -} - func closeTunListener() { if tunLister != nil { tunLister.Close() From 53425bb9f2e34c4fd0ac0438d4b6edc7622cdb6c Mon Sep 17 00:00:00 2001 From: karin0 Date: Sat, 24 Aug 2024 19:10:09 +0900 Subject: [PATCH 23/42] chore: add `json` struct tags for more fields in `config.RawConfig` (#1469) Applications like CMFA marshall their config overrides in JSON, so `json` tags are required for parsing configurations of features such as external controllers. --- config/config.go | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/config/config.go b/config/config.go index 788f227b85..5208d83593 100644 --- a/config/config.go +++ b/config/config.go @@ -296,10 +296,10 @@ type RawConfig struct { RedirPort int `yaml:"redir-port" json:"redir-port"` TProxyPort int `yaml:"tproxy-port" json:"tproxy-port"` MixedPort int `yaml:"mixed-port" json:"mixed-port"` - ShadowSocksConfig string `yaml:"ss-config"` - VmessConfig string `yaml:"vmess-config"` - InboundTfo bool `yaml:"inbound-tfo"` - InboundMPTCP bool `yaml:"inbound-mptcp"` + ShadowSocksConfig string `yaml:"ss-config" json:"ss-config"` + VmessConfig string `yaml:"vmess-config" json:"vmess-config"` + InboundTfo bool `yaml:"inbound-tfo" json:"inbound-tfo"` + InboundMPTCP bool `yaml:"inbound-mptcp" json:"inbound-mptcp"` Authentication []string `yaml:"authentication" json:"authentication"` SkipAuthPrefixes []netip.Prefix `yaml:"skip-auth-prefixes"` LanAllowedIPs []netip.Prefix `yaml:"lan-allowed-ips"` @@ -310,17 +310,17 @@ type RawConfig struct { UnifiedDelay bool `yaml:"unified-delay" json:"unified-delay"` LogLevel log.LogLevel `yaml:"log-level" json:"log-level"` IPv6 bool `yaml:"ipv6" json:"ipv6"` - ExternalController string `yaml:"external-controller"` - ExternalControllerUnix string `yaml:"external-controller-unix"` - ExternalControllerTLS string `yaml:"external-controller-tls"` - ExternalUI string `yaml:"external-ui"` + ExternalController string `yaml:"external-controller" json:"external-controller"` + ExternalControllerUnix string `yaml:"external-controller-unix" json:"external-controller-unix"` + ExternalControllerTLS string `yaml:"external-controller-tls" json:"external-controller-tls"` + ExternalUI string `yaml:"external-ui" json:"external-ui"` ExternalUIURL string `yaml:"external-ui-url" json:"external-ui-url"` ExternalUIName string `yaml:"external-ui-name" json:"external-ui-name"` - ExternalDohServer string `yaml:"external-doh-server"` - Secret string `yaml:"secret"` - Interface string `yaml:"interface-name"` - RoutingMark int `yaml:"routing-mark"` - Tunnels []LC.Tunnel `yaml:"tunnels"` + ExternalDohServer string `yaml:"external-doh-server" json:"external-doh-server"` + Secret string `yaml:"secret" json:"secret"` + Interface string `yaml:"interface-name" json:"interface-name"` + RoutingMark int `yaml:"routing-mark" json:"routing-mark"` + Tunnels []LC.Tunnel `yaml:"tunnels" json:"tunnels"` GeoAutoUpdate bool `yaml:"geo-auto-update" json:"geo-auto-update"` GeoUpdateInterval int `yaml:"geo-update-interval" json:"geo-update-interval"` GeodataMode bool `yaml:"geodata-mode" json:"geodata-mode"` @@ -328,11 +328,11 @@ type RawConfig struct { GeositeMatcher string `yaml:"geosite-matcher" json:"geosite-matcher"` TCPConcurrent bool `yaml:"tcp-concurrent" json:"tcp-concurrent"` FindProcessMode P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"` - GlobalClientFingerprint string `yaml:"global-client-fingerprint"` - GlobalUA string `yaml:"global-ua"` - KeepAliveIdle int `yaml:"keep-alive-idle"` - KeepAliveInterval int `yaml:"keep-alive-interval"` - DisableKeepAlive bool `yaml:"disable-keep-alive"` + GlobalClientFingerprint string `yaml:"global-client-fingerprint" json:"global-client-fingerprint"` + GlobalUA string `yaml:"global-ua" json:"global-ua"` + KeepAliveIdle int `yaml:"keep-alive-idle" json:"keep-alive-idle"` + KeepAliveInterval int `yaml:"keep-alive-interval" json:"keep-alive-interval"` + DisableKeepAlive bool `yaml:"disable-keep-alive" json:"disable-keep-alive"` Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` ProxyProvider map[string]map[string]any `yaml:"proxy-providers"` From 27bcb26ecdb1828e042047e154f2083748a90d23 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sat, 24 Aug 2024 20:49:12 +0800 Subject: [PATCH 24/42] chore: better config internal structure --- adapter/inbound/listen.go | 8 + adapter/inbound/mptcp_go120.go | 4 + adapter/inbound/mptcp_go121.go | 4 + config/config.go | 493 ++++++++++++++++++++------------- hub/executor/executor.go | 47 ++-- hub/hub.go | 22 +- hub/route/configs.go | 18 +- listener/config/tun.go | 18 +- listener/inbound/tun.go | 32 +-- tunnel/tunnel.go | 4 + 10 files changed, 393 insertions(+), 257 deletions(-) diff --git a/adapter/inbound/listen.go b/adapter/inbound/listen.go index 18dc1bc242..1b86c811a7 100644 --- a/adapter/inbound/listen.go +++ b/adapter/inbound/listen.go @@ -17,10 +17,18 @@ func SetTfo(open bool) { lc.DisableTFO = !open } +func Tfo() bool { + return !lc.DisableTFO +} + func SetMPTCP(open bool) { setMultiPathTCP(&lc.ListenConfig, open) } +func MPTCP() bool { + return getMultiPathTCP(&lc.ListenConfig) +} + func ListenContext(ctx context.Context, network, address string) (net.Listener, error) { return lc.Listen(ctx, network, address) } diff --git a/adapter/inbound/mptcp_go120.go b/adapter/inbound/mptcp_go120.go index f9b22533d2..faae6ec5d8 100644 --- a/adapter/inbound/mptcp_go120.go +++ b/adapter/inbound/mptcp_go120.go @@ -8,3 +8,7 @@ const multipathTCPAvailable = false func setMultiPathTCP(listenConfig *net.ListenConfig, open bool) { } + +func getMultiPathTCP(listenConfig *net.ListenConfig) bool { + return false +} diff --git a/adapter/inbound/mptcp_go121.go b/adapter/inbound/mptcp_go121.go index 6b35d1a83a..9163878a70 100644 --- a/adapter/inbound/mptcp_go121.go +++ b/adapter/inbound/mptcp_go121.go @@ -9,3 +9,7 @@ const multipathTCPAvailable = true func setMultiPathTCP(listenConfig *net.ListenConfig, open bool) { listenConfig.SetMultipathTCP(open) } + +func getMultiPathTCP(listenConfig *net.ListenConfig) bool { + return listenConfig.MultipathTCP() +} diff --git a/config/config.go b/config/config.go index 5208d83593..f1ffbce1fd 100644 --- a/config/config.go +++ b/config/config.go @@ -50,13 +50,12 @@ import ( // General config type General struct { Inbound - Controller - Mode T.TunnelMode `json:"mode"` - UnifiedDelay bool + Mode T.TunnelMode `json:"mode"` + UnifiedDelay bool `json:"unified-delay"` LogLevel log.LogLevel `json:"log-level"` IPv6 bool `json:"ipv6"` Interface string `json:"interface-name"` - RoutingMark int `json:"-"` + RoutingMark int `json:"routing-mark"` GeoXUrl GeoXUrl `json:"geox-url"` GeoAutoUpdate bool `json:"geo-auto-update"` GeoUpdateInterval int `json:"geo-update-interval"` @@ -91,24 +90,48 @@ type Inbound struct { InboundMPTCP bool `json:"inbound-mptcp"` } +// GeoXUrl config +type GeoXUrl struct { + GeoIp string `json:"geo-ip"` + Mmdb string `json:"mmdb"` + ASN string `json:"asn"` + GeoSite string `json:"geo-site"` +} + // Controller config type Controller struct { - ExternalController string `json:"-"` - ExternalControllerTLS string `json:"-"` - ExternalControllerUnix string `json:"-"` - ExternalUI string `json:"-"` - ExternalDohServer string `json:"-"` - Secret string `json:"-"` + ExternalController string + ExternalControllerTLS string + ExternalControllerUnix string + ExternalUI string + ExternalDohServer string + Secret string +} + +// Experimental config +type Experimental struct { + Fingerprints []string + QUICGoDisableGSO bool + QUICGoDisableECN bool + IP4PEnable bool +} + +// IPTables config +type IPTables struct { + Enable bool + InboundInterface string + Bypass []string + DnsRedirect bool } // NTP config type NTP struct { - Enable bool `yaml:"enable"` - Server string `yaml:"server"` - Port int `yaml:"port"` - Interval int `yaml:"interval"` - DialerProxy string `yaml:"dialer-proxy"` - WriteToSystem bool `yaml:"write-to-system"` + Enable bool + Server string + Port int + Interval int + DialerProxy string + WriteToSystem bool } // DNS config @@ -134,24 +157,11 @@ type DNS struct { // Profile config type Profile struct { - StoreSelected bool `yaml:"store-selected"` - StoreFakeIP bool `yaml:"store-fake-ip"` -} - -type TLS struct { - Certificate string `yaml:"certificate"` - PrivateKey string `yaml:"private-key"` - CustomTrustCert []string `yaml:"custom-certifactes"` -} - -// IPTables config -type IPTables struct { - Enable bool `yaml:"enable" json:"enable"` - InboundInterface string `yaml:"inbound-interface" json:"inbound-interface"` - Bypass []string `yaml:"bypass" json:"bypass"` - DnsRedirect bool `yaml:"dns-redirect" json:"dns-redirect"` + StoreSelected bool + StoreFakeIP bool } +// Sniffer config type Sniffer struct { Enable bool Sniffers map[snifferTypes.Type]SNIFF.SnifferConfig @@ -161,21 +171,21 @@ type Sniffer struct { ParsePureIp bool } -// Experimental config -type Experimental struct { - Fingerprints []string `yaml:"fingerprints"` - QUICGoDisableGSO bool `yaml:"quic-go-disable-gso"` - QUICGoDisableECN bool `yaml:"quic-go-disable-ecn"` - IP4PEnable bool `yaml:"dialer-ip4p-convert"` +// TLS config +type TLS struct { + Certificate string + PrivateKey string + CustomTrustCert []string } // Config is mihomo config manager type Config struct { General *General + Controller *Controller + Experimental *Experimental IPTables *IPTables NTP *NTP DNS *DNS - Experimental *Experimental Hosts *trie.DomainTrie[resolver.HostValue] Profile *Profile Rules []C.Rule @@ -190,15 +200,6 @@ type Config struct { TLS *TLS } -type RawNTP struct { - Enable bool `yaml:"enable"` - Server string `yaml:"server"` - ServerPort int `yaml:"server-port"` - Interval int `yaml:"interval"` - DialerProxy string `yaml:"dialer-proxy"` - WriteToSystem bool `yaml:"write-to-system"` -} - type RawDNS struct { Enable bool `yaml:"enable" json:"enable"` PreferH3 bool `yaml:"prefer-h3" json:"prefer-h3"` @@ -233,6 +234,15 @@ type RawClashForAndroid struct { UiSubtitlePattern string `yaml:"ui-subtitle-pattern" json:"ui-subtitle-pattern"` } +type RawNTP struct { + Enable bool `yaml:"enable" json:"enable"` + Server string `yaml:"server" json:"server"` + Port int `yaml:"port" json:"port"` + Interval int `yaml:"interval" json:"interval"` + DialerProxy string `yaml:"dialer-proxy" json:"dialer-proxy"` + WriteToSystem bool `yaml:"write-to-system" json:"write-to-system"` +} + type RawTun struct { Enable bool `yaml:"enable" json:"enable"` Device string `yaml:"device" json:"device"` @@ -244,35 +254,35 @@ type RawTun struct { MTU uint32 `yaml:"mtu" json:"mtu,omitempty"` GSO bool `yaml:"gso" json:"gso,omitempty"` GSOMaxSize uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"` - //Inet4Address []netip.Prefix `yaml:"inet4-address" json:"inet4_address,omitempty"` - Inet6Address []netip.Prefix `yaml:"inet6-address" json:"inet6_address,omitempty"` - IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"` - IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"` - AutoRedirect bool `yaml:"auto-redirect" json:"auto_redirect,omitempty"` - AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"` - AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"` - StrictRoute bool `yaml:"strict-route" json:"strict_route,omitempty"` - RouteAddress []netip.Prefix `yaml:"route-address" json:"route_address,omitempty"` - RouteAddressSet []string `yaml:"route-address-set" json:"route_address_set,omitempty"` - RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"` - RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"` + //Inet4Address []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"` + Inet6Address []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"` + IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"` + IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"` + AutoRedirect bool `yaml:"auto-redirect" json:"auto-redirect,omitempty"` + AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"` + AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"` + StrictRoute bool `yaml:"strict-route" json:"strict-route,omitempty"` + RouteAddress []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"` + RouteAddressSet []string `yaml:"route-address-set" json:"route-address-set,omitempty"` + RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"` + RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"` IncludeInterface []string `yaml:"include-interface" json:"include-interface,omitempty"` ExcludeInterface []string `yaml:"exclude-interface" json:"exclude-interface,omitempty"` - IncludeUID []uint32 `yaml:"include-uid" json:"include_uid,omitempty"` - IncludeUIDRange []string `yaml:"include-uid-range" json:"include_uid_range,omitempty"` - ExcludeUID []uint32 `yaml:"exclude-uid" json:"exclude_uid,omitempty"` - ExcludeUIDRange []string `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"` - IncludeAndroidUser []int `yaml:"include-android-user" json:"include_android_user,omitempty"` - IncludePackage []string `yaml:"include-package" json:"include_package,omitempty"` - ExcludePackage []string `yaml:"exclude-package" json:"exclude_package,omitempty"` - EndpointIndependentNat bool `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"` - UDPTimeout int64 `yaml:"udp-timeout" json:"udp_timeout,omitempty"` + IncludeUID []uint32 `yaml:"include-uid" json:"include-uid,omitempty"` + IncludeUIDRange []string `yaml:"include-uid-range" json:"include-uid-range,omitempty"` + ExcludeUID []uint32 `yaml:"exclude-uid" json:"exclude-uid,omitempty"` + ExcludeUIDRange []string `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"` + IncludeAndroidUser []int `yaml:"include-android-user" json:"include-android-user,omitempty"` + IncludePackage []string `yaml:"include-package" json:"include-package,omitempty"` + ExcludePackage []string `yaml:"exclude-package" json:"exclude-package,omitempty"` + EndpointIndependentNat bool `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"` + UDPTimeout int64 `yaml:"udp-timeout" json:"udp-timeout,omitempty"` FileDescriptor int `yaml:"file-descriptor" json:"file-descriptor"` - Inet4RouteAddress []netip.Prefix `yaml:"inet4-route-address" json:"inet4_route_address,omitempty"` - Inet6RouteAddress []netip.Prefix `yaml:"inet6-route-address" json:"inet6_route_address,omitempty"` - Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4_route_exclude_address,omitempty"` - Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6_route_exclude_address,omitempty"` + Inet4RouteAddress []netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"` + Inet6RouteAddress []netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"` + Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"` + Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"` } type RawTuicServer struct { @@ -290,6 +300,55 @@ type RawTuicServer struct { CWND int `yaml:"cwnd" json:"cwnd,omitempty"` } +type RawIPTables struct { + Enable bool `yaml:"enable" json:"enable"` + InboundInterface string `yaml:"inbound-interface" json:"inbound-interface"` + Bypass []string `yaml:"bypass" json:"bypass"` + DnsRedirect bool `yaml:"dns-redirect" json:"dns-redirect"` +} + +type RawExperimental struct { + Fingerprints []string `yaml:"fingerprints"` + QUICGoDisableGSO bool `yaml:"quic-go-disable-gso"` + QUICGoDisableECN bool `yaml:"quic-go-disable-ecn"` + IP4PEnable bool `yaml:"dialer-ip4p-convert"` +} + +type RawProfile struct { + StoreSelected bool `yaml:"store-selected" json:"store-selected"` + StoreFakeIP bool `yaml:"store-fake-ip" json:"store-fake-ip"` +} + +type RawGeoXUrl struct { + GeoIp string `yaml:"geoip" json:"geoip"` + Mmdb string `yaml:"mmdb" json:"mmdb"` + ASN string `yaml:"asn" json:"asn"` + GeoSite string `yaml:"geosite" json:"geosite"` +} + +type RawSniffer struct { + Enable bool `yaml:"enable" json:"enable"` + OverrideDest bool `yaml:"override-destination" json:"override-destination"` + Sniffing []string `yaml:"sniffing" json:"sniffing"` + ForceDomain []string `yaml:"force-domain" json:"force-domain"` + SkipDomain []string `yaml:"skip-domain" json:"skip-domain"` + Ports []string `yaml:"port-whitelist" json:"port-whitelist"` + ForceDnsMapping bool `yaml:"force-dns-mapping" json:"force-dns-mapping"` + ParsePureIp bool `yaml:"parse-pure-ip" json:"parse-pure-ip"` + Sniff map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"` +} + +type RawSniffingConfig struct { + Ports []string `yaml:"ports" json:"ports"` + OverrideDest *bool `yaml:"override-destination" json:"override-destination"` +} + +type RawTLS struct { + Certificate string `yaml:"certificate" json:"certificate"` + PrivateKey string `yaml:"private-key" json:"private-key"` + CustomTrustCert []string `yaml:"custom-certifactes" json:"custom-certifactes"` +} + type RawConfig struct { Port int `yaml:"port" json:"port"` SocksPort int `yaml:"socks-port" json:"socks-port"` @@ -301,9 +360,9 @@ type RawConfig struct { InboundTfo bool `yaml:"inbound-tfo" json:"inbound-tfo"` InboundMPTCP bool `yaml:"inbound-mptcp" json:"inbound-mptcp"` Authentication []string `yaml:"authentication" json:"authentication"` - SkipAuthPrefixes []netip.Prefix `yaml:"skip-auth-prefixes"` - LanAllowedIPs []netip.Prefix `yaml:"lan-allowed-ips"` - LanDisAllowedIPs []netip.Prefix `yaml:"lan-disallowed-ips"` + SkipAuthPrefixes []netip.Prefix `yaml:"skip-auth-prefixes" json:"skip-auth-prefixes"` + LanAllowedIPs []netip.Prefix `yaml:"lan-allowed-ips" json:"lan-allowed-ips"` + LanDisAllowedIPs []netip.Prefix `yaml:"lan-disallowed-ips" json:"lan-disallowed-ips"` AllowLan bool `yaml:"allow-lan" json:"allow-lan"` BindAddress string `yaml:"bind-address" json:"bind-address"` Mode T.TunnelMode `yaml:"mode" json:"mode"` @@ -334,52 +393,28 @@ type RawConfig struct { KeepAliveInterval int `yaml:"keep-alive-interval" json:"keep-alive-interval"` DisableKeepAlive bool `yaml:"disable-keep-alive" json:"disable-keep-alive"` - Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` - ProxyProvider map[string]map[string]any `yaml:"proxy-providers"` - RuleProvider map[string]map[string]any `yaml:"rule-providers"` + ProxyProvider map[string]map[string]any `yaml:"proxy-providers" json:"proxy-providers"` + RuleProvider map[string]map[string]any `yaml:"rule-providers" json:"rule-providers"` + Proxy []map[string]any `yaml:"proxies" json:"proxies"` + ProxyGroup []map[string]any `yaml:"proxy-groups" json:"proxy-groups"` + Rule []string `yaml:"rules" json:"rule"` + SubRules map[string][]string `yaml:"sub-rules" json:"sub-rules"` + Listeners []map[string]any `yaml:"listeners" json:"listeners"` Hosts map[string]any `yaml:"hosts" json:"hosts"` - NTP RawNTP `yaml:"ntp" json:"ntp"` DNS RawDNS `yaml:"dns" json:"dns"` - Tun RawTun `yaml:"tun"` - TuicServer RawTuicServer `yaml:"tuic-server"` - IPTables IPTables `yaml:"iptables"` - Experimental Experimental `yaml:"experimental"` - Profile Profile `yaml:"profile"` - GeoXUrl GeoXUrl `yaml:"geox-url"` - Proxy []map[string]any `yaml:"proxies"` - ProxyGroup []map[string]any `yaml:"proxy-groups"` - Rule []string `yaml:"rules"` - SubRules map[string][]string `yaml:"sub-rules"` - RawTLS TLS `yaml:"tls"` - Listeners []map[string]any `yaml:"listeners"` + NTP RawNTP `yaml:"ntp" json:"ntp"` + Tun RawTun `yaml:"tun" json:"tun"` + TuicServer RawTuicServer `yaml:"tuic-server" json:"tuic-server"` + IPTables RawIPTables `yaml:"iptables" json:"iptables"` + Experimental RawExperimental `yaml:"experimental" json:"experimental"` + Profile RawProfile `yaml:"profile" json:"profile"` + GeoXUrl RawGeoXUrl `yaml:"geox-url" json:"geox-url"` + Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` + TLS RawTLS `yaml:"tls" json:"tls"` ClashForAndroid RawClashForAndroid `yaml:"clash-for-android" json:"clash-for-android"` } -type GeoXUrl struct { - GeoIp string `yaml:"geoip" json:"geoip"` - Mmdb string `yaml:"mmdb" json:"mmdb"` - ASN string `yaml:"asn" json:"asn"` - GeoSite string `yaml:"geosite" json:"geosite"` -} - -type RawSniffer struct { - Enable bool `yaml:"enable" json:"enable"` - OverrideDest bool `yaml:"override-destination" json:"override-destination"` - Sniffing []string `yaml:"sniffing" json:"sniffing"` - ForceDomain []string `yaml:"force-domain" json:"force-domain"` - SkipDomain []string `yaml:"skip-domain" json:"skip-domain"` - Ports []string `yaml:"port-whitelist" json:"port-whitelist"` - ForceDnsMapping bool `yaml:"force-dns-mapping" json:"force-dns-mapping"` - ParsePureIp bool `yaml:"parse-pure-ip" json:"parse-pure-ip"` - Sniff map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"` -} - -type RawSniffingConfig struct { - Ports []string `yaml:"ports" json:"ports"` - OverrideDest *bool `yaml:"override-destination" json:"override-destination"` -} - var ( GroupsList = list.New() ProxiesList = list.New() @@ -418,41 +453,6 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { TCPConcurrent: false, FindProcessMode: P.FindProcessStrict, GlobalUA: "clash.meta/" + C.Version, - Tun: RawTun{ - Enable: false, - Device: "", - Stack: C.TunGvisor, - DNSHijack: []string{"0.0.0.0:53"}, // default hijack all dns query - AutoRoute: true, - AutoDetectInterface: true, - Inet6Address: []netip.Prefix{netip.MustParsePrefix("fdfe:dcba:9876::1/126")}, - }, - TuicServer: RawTuicServer{ - Enable: false, - Token: nil, - Users: nil, - Certificate: "", - PrivateKey: "", - Listen: "", - CongestionController: "", - MaxIdleTime: 15000, - AuthenticationTimeout: 1000, - ALPN: []string{"h3"}, - MaxUdpRelayPacketSize: 1500, - }, - IPTables: IPTables{ - Enable: false, - InboundInterface: "lo", - Bypass: []string{}, - DnsRedirect: true, - }, - NTP: RawNTP{ - Enable: false, - WriteToSystem: false, - Server: "time.apple.com", - ServerPort: 123, - Interval: 30, - }, DNS: RawDNS{ Enable: false, IPv6: false, @@ -483,11 +483,55 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { "www.msftconnecttest.com", }, }, - Experimental: Experimental{ + NTP: RawNTP{ + Enable: false, + WriteToSystem: false, + Server: "time.apple.com", + Port: 123, + Interval: 30, + }, + Tun: RawTun{ + Enable: false, + Device: "", + Stack: C.TunGvisor, + DNSHijack: []string{"0.0.0.0:53"}, // default hijack all dns query + AutoRoute: true, + AutoDetectInterface: true, + Inet6Address: []netip.Prefix{netip.MustParsePrefix("fdfe:dcba:9876::1/126")}, + }, + TuicServer: RawTuicServer{ + Enable: false, + Token: nil, + Users: nil, + Certificate: "", + PrivateKey: "", + Listen: "", + CongestionController: "", + MaxIdleTime: 15000, + AuthenticationTimeout: 1000, + ALPN: []string{"h3"}, + MaxUdpRelayPacketSize: 1500, + }, + IPTables: RawIPTables{ + Enable: false, + InboundInterface: "lo", + Bypass: []string{}, + DnsRedirect: true, + }, + Experimental: RawExperimental{ // https://github.com/quic-go/quic-go/issues/4178 // Quic-go currently cannot automatically fall back on platforms that do not support ecn, so this feature is turned off by default. QUICGoDisableECN: true, }, + Profile: RawProfile{ + StoreSelected: true, + }, + GeoXUrl: RawGeoXUrl{ + Mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb", + ASN: "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb", + GeoIp: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat", + GeoSite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat", + }, Sniffer: RawSniffer{ Enable: false, Sniff: map[string]RawSniffingConfig{}, @@ -498,15 +542,6 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { ParsePureIp: true, OverrideDest: true, }, - Profile: Profile{ - StoreSelected: true, - }, - GeoXUrl: GeoXUrl{ - Mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb", - ASN: "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb", - GeoIp: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat", - GeoSite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat", - }, ExternalUIURL: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip", } @@ -521,10 +556,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { config := &Config{} log.Infoln("Start initial configuration in progress") //Segment finished in xxm startTime := time.Now() - config.Experimental = &rawCfg.Experimental - config.Profile = &rawCfg.Profile - config.IPTables = &rawCfg.IPTables - config.TLS = &rawCfg.RawTLS general, err := parseGeneral(rawCfg) if err != nil { @@ -537,6 +568,42 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint) } + controller, err := parseController(rawCfg) + if err != nil { + return nil, err + } + config.Controller = controller + + experimental, err := parseExperimental(rawCfg) + if err != nil { + return nil, err + } + config.Experimental = experimental + + iptables, err := parseIPTables(rawCfg) + if err != nil { + return nil, err + } + config.IPTables = iptables + + ntpCfg, err := parseNTP(rawCfg) + if err != nil { + return nil, err + } + config.NTP = ntpCfg + + profile, err := parseProfile(rawCfg) + if err != nil { + return nil, err + } + config.Profile = profile + + tlsCfg, err := parseTLS(rawCfg) + if err != nil { + return nil, err + } + config.TLS = tlsCfg + proxies, providers, err := parseProxies(rawCfg) if err != nil { return nil, err @@ -576,9 +643,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } config.Hosts = hosts - ntpCfg := paresNTP(rawCfg) - config.NTP = ntpCfg - dnsCfg, err := parseDNS(rawCfg, hosts, rules, ruleProviders) if err != nil { return nil, err @@ -687,21 +751,18 @@ func parseGeneral(cfg *RawConfig) (*General, error) { InboundTfo: cfg.InboundTfo, InboundMPTCP: cfg.InboundMPTCP, }, - Controller: Controller{ - ExternalController: cfg.ExternalController, - ExternalUI: cfg.ExternalUI, - Secret: cfg.Secret, - ExternalControllerUnix: cfg.ExternalControllerUnix, - ExternalControllerTLS: cfg.ExternalControllerTLS, - ExternalDohServer: cfg.ExternalDohServer, + UnifiedDelay: cfg.UnifiedDelay, + Mode: cfg.Mode, + LogLevel: cfg.LogLevel, + IPv6: cfg.IPv6, + Interface: cfg.Interface, + RoutingMark: cfg.RoutingMark, + GeoXUrl: GeoXUrl{ + GeoIp: cfg.GeoXUrl.GeoIp, + Mmdb: cfg.GeoXUrl.Mmdb, + ASN: cfg.GeoXUrl.ASN, + GeoSite: cfg.GeoXUrl.GeoSite, }, - UnifiedDelay: cfg.UnifiedDelay, - Mode: cfg.Mode, - LogLevel: cfg.LogLevel, - IPv6: cfg.IPv6, - Interface: cfg.Interface, - RoutingMark: cfg.RoutingMark, - GeoXUrl: cfg.GeoXUrl, GeoAutoUpdate: cfg.GeoAutoUpdate, GeoUpdateInterval: cfg.GeoUpdateInterval, GeodataMode: cfg.GeodataMode, @@ -713,6 +774,61 @@ func parseGeneral(cfg *RawConfig) (*General, error) { }, nil } +func parseController(cfg *RawConfig) (*Controller, error) { + return &Controller{ + ExternalController: cfg.ExternalController, + ExternalUI: cfg.ExternalUI, + Secret: cfg.Secret, + ExternalControllerUnix: cfg.ExternalControllerUnix, + ExternalControllerTLS: cfg.ExternalControllerTLS, + ExternalDohServer: cfg.ExternalDohServer, + }, nil +} + +func parseExperimental(cfg *RawConfig) (*Experimental, error) { + return &Experimental{ + Fingerprints: cfg.Experimental.Fingerprints, + QUICGoDisableGSO: cfg.Experimental.QUICGoDisableGSO, + QUICGoDisableECN: cfg.Experimental.QUICGoDisableECN, + IP4PEnable: cfg.Experimental.IP4PEnable, + }, nil +} + +func parseIPTables(cfg *RawConfig) (*IPTables, error) { + return &IPTables{ + Enable: cfg.IPTables.Enable, + InboundInterface: cfg.IPTables.InboundInterface, + Bypass: cfg.IPTables.Bypass, + DnsRedirect: cfg.IPTables.DnsRedirect, + }, nil +} + +func parseNTP(cfg *RawConfig) (*NTP, error) { + return &NTP{ + Enable: cfg.NTP.Enable, + Server: cfg.NTP.Server, + Port: cfg.NTP.Port, + Interval: cfg.NTP.Interval, + DialerProxy: cfg.NTP.DialerProxy, + WriteToSystem: cfg.NTP.WriteToSystem, + }, nil +} + +func parseProfile(cfg *RawConfig) (*Profile, error) { + return &Profile{ + StoreSelected: cfg.Profile.StoreSelected, + StoreFakeIP: cfg.Profile.StoreFakeIP, + }, nil +} + +func parseTLS(cfg *RawConfig) (*TLS, error) { + return &TLS{ + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + CustomTrustCert: cfg.TLS.CustomTrustCert, + }, nil +} + func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[string]providerTypes.ProxyProvider, err error) { proxies = make(map[string]C.Proxy) providersMap = make(map[string]providerTypes.ProxyProvider) @@ -1259,19 +1375,6 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rules [ return policy, nil } -func paresNTP(rawCfg *RawConfig) *NTP { - cfg := rawCfg.NTP - ntpCfg := &NTP{ - Enable: cfg.Enable, - Server: cfg.Server, - Port: cfg.ServerPort, - Interval: cfg.Interval, - DialerProxy: cfg.DialerProxy, - WriteToSystem: cfg.WriteToSystem, - } - return ntpCfg -} - func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) { cfg := rawCfg.DNS if cfg.Enable && len(cfg.NameServer) == 0 { diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 8eb54ac4ac..d54d55b752 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -22,6 +22,7 @@ import ( "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/resolver" SNI "github.com/metacubex/mihomo/component/sniffer" + tlsC "github.com/metacubex/mihomo/component/tls" "github.com/metacubex/mihomo/component/trie" "github.com/metacubex/mihomo/component/updater" "github.com/metacubex/mihomo/config" @@ -90,7 +91,7 @@ func ApplyConfig(cfg *config.Config, force bool) { } } - updateExperimental(cfg) + updateExperimental(cfg.Experimental) updateUsers(cfg.Users) updateProxies(cfg.Proxies, cfg.Providers) updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders) @@ -145,19 +146,31 @@ func GetGeneral() *config.General { LanDisAllowedIPs: inbound.DisAllowedIPs(), AllowLan: listener.AllowLan(), BindAddress: listener.BindAddress(), + InboundTfo: inbound.Tfo(), + InboundMPTCP: inbound.MPTCP(), }, - Controller: config.Controller{}, - Mode: tunnel.Mode(), - LogLevel: log.Level(), - IPv6: !resolver.DisableIPv6, - GeodataMode: G.GeodataMode(), - GeoAutoUpdate: G.GeoAutoUpdate(), - GeoUpdateInterval: G.GeoUpdateInterval(), - GeodataLoader: G.LoaderName(), - GeositeMatcher: G.SiteMatcherName(), - Interface: dialer.DefaultInterface.Load(), - Sniffing: tunnel.IsSniffing(), - TCPConcurrent: dialer.GetTcpConcurrent(), + Mode: tunnel.Mode(), + UnifiedDelay: adapter.UnifiedDelay.Load(), + LogLevel: log.Level(), + IPv6: !resolver.DisableIPv6, + Interface: dialer.DefaultInterface.Load(), + RoutingMark: int(dialer.DefaultRoutingMark.Load()), + GeoXUrl: config.GeoXUrl{ + GeoIp: C.GeoIpUrl, + Mmdb: C.MmdbUrl, + ASN: C.ASNUrl, + GeoSite: C.GeoSiteUrl, + }, + GeoAutoUpdate: G.GeoAutoUpdate(), + GeoUpdateInterval: G.GeoUpdateInterval(), + GeodataMode: G.GeodataMode(), + GeodataLoader: G.LoaderName(), + GeositeMatcher: G.SiteMatcherName(), + TCPConcurrent: dialer.GetTcpConcurrent(), + FindProcessMode: tunnel.FindProcessMode(), + Sniffing: tunnel.IsSniffing(), + GlobalClientFingerprint: tlsC.GetGlobalFingerprint(), + GlobalUA: C.UA, } return general @@ -188,14 +201,14 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList listener.ReCreateTun(general.Tun, tunnel.Tunnel) } -func updateExperimental(c *config.Config) { - if c.Experimental.QUICGoDisableGSO { +func updateExperimental(c *config.Experimental) { + if c.QUICGoDisableGSO { _ = os.Setenv("QUIC_GO_DISABLE_GSO", strconv.FormatBool(true)) } - if c.Experimental.QUICGoDisableECN { + if c.QUICGoDisableECN { _ = os.Setenv("QUIC_GO_DISABLE_ECN", strconv.FormatBool(true)) } - dialer.GetIP4PEnable(c.Experimental.IP4PEnable) + dialer.GetIP4PEnable(c.IP4PEnable) } func updateNTP(c *config.NTP) { diff --git a/hub/hub.go b/hub/hub.go index 57c91aaef9..2a53b19793 100644 --- a/hub/hub.go +++ b/hub/hub.go @@ -11,25 +11,25 @@ type Option func(*config.Config) func WithExternalUI(externalUI string) Option { return func(cfg *config.Config) { - cfg.General.ExternalUI = externalUI + cfg.Controller.ExternalUI = externalUI } } func WithExternalController(externalController string) Option { return func(cfg *config.Config) { - cfg.General.ExternalController = externalController + cfg.Controller.ExternalController = externalController } } func WithExternalControllerUnix(externalControllerUnix string) Option { return func(cfg *config.Config) { - cfg.General.ExternalControllerUnix = externalControllerUnix + cfg.Controller.ExternalControllerUnix = externalControllerUnix } } func WithSecret(secret string) Option { return func(cfg *config.Config) { - cfg.General.Secret = secret + cfg.Controller.Secret = secret } } @@ -44,18 +44,18 @@ func Parse(options ...Option) error { option(cfg) } - if cfg.General.ExternalUI != "" { - route.SetUIPath(cfg.General.ExternalUI) + if cfg.Controller.ExternalUI != "" { + route.SetUIPath(cfg.Controller.ExternalUI) } - if cfg.General.ExternalController != "" { - go route.Start(cfg.General.ExternalController, cfg.General.ExternalControllerTLS, - cfg.General.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.General.ExternalDohServer, + if cfg.Controller.ExternalController != "" { + go route.Start(cfg.Controller.ExternalController, cfg.Controller.ExternalControllerTLS, + cfg.Controller.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.Controller.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) } - if cfg.General.ExternalControllerUnix != "" { - go route.StartUnix(cfg.General.ExternalControllerUnix, cfg.General.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) + if cfg.Controller.ExternalControllerUnix != "" { + go route.StartUnix(cfg.Controller.ExternalControllerUnix, cfg.Controller.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) } executor.ApplyConfig(cfg, true) diff --git a/hub/route/configs.go b/hub/route/configs.go index b31a607e95..d4bda2bf4c 100644 --- a/hub/route/configs.go +++ b/hub/route/configs.go @@ -68,16 +68,16 @@ type tunSchema struct { GSOMaxSize *uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"` //Inet4Address *[]netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"` Inet6Address *[]netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"` - IPRoute2TableIndex *int `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"` - IPRoute2RuleIndex *int `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"` - AutoRedirect *bool `yaml:"auto-redirect" json:"auto_redirect,omitempty"` - AutoRedirectInputMark *uint32 `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"` - AutoRedirectOutputMark *uint32 `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"` + IPRoute2TableIndex *int `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"` + IPRoute2RuleIndex *int `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"` + AutoRedirect *bool `yaml:"auto-redirect" json:"auto-redirect,omitempty"` + AutoRedirectInputMark *uint32 `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"` + AutoRedirectOutputMark *uint32 `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"` StrictRoute *bool `yaml:"strict-route" json:"strict-route,omitempty"` - RouteAddress *[]netip.Prefix `yaml:"route-address" json:"route_address,omitempty"` - RouteAddressSet *[]string `yaml:"route-address-set" json:"route_address_set,omitempty"` - RouteExcludeAddress *[]netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"` - RouteExcludeAddressSet *[]string `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"` + RouteAddress *[]netip.Prefix `yaml:"route-address" json:"route-address,omitempty"` + RouteAddressSet *[]string `yaml:"route-address-set" json:"route-address-set,omitempty"` + RouteExcludeAddress *[]netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"` + RouteExcludeAddressSet *[]string `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"` IncludeInterface *[]string `yaml:"include-interface" json:"include-interface,omitempty"` ExcludeInterface *[]string `yaml:"exclude-interface" json:"exclude-interface,omitempty"` IncludeUID *[]uint32 `yaml:"include-uid" json:"include-uid,omitempty"` diff --git a/listener/config/tun.go b/listener/config/tun.go index 06dc53ef6a..3901bb1d6d 100644 --- a/listener/config/tun.go +++ b/listener/config/tun.go @@ -34,16 +34,16 @@ type Tun struct { GSOMaxSize uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"` Inet4Address []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"` Inet6Address []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"` - IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"` - IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"` - AutoRedirect bool `yaml:"auto-redirect" json:"auto_redirect,omitempty"` - AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"` - AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"` + IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"` + IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"` + AutoRedirect bool `yaml:"auto-redirect" json:"auto-redirect,omitempty"` + AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"` + AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"` StrictRoute bool `yaml:"strict-route" json:"strict-route,omitempty"` - RouteAddress []netip.Prefix `yaml:"route-address" json:"route_address,omitempty"` - RouteAddressSet []string `yaml:"route-address-set" json:"route_address_set,omitempty"` - RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"` - RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"` + RouteAddress []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"` + RouteAddressSet []string `yaml:"route-address-set" json:"route-address-set,omitempty"` + RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"` + RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"` IncludeInterface []string `yaml:"include-interface" json:"include-interface,omitempty"` ExcludeInterface []string `yaml:"exclude-interface" json:"exclude-interface,omitempty"` IncludeUID []uint32 `yaml:"include-uid" json:"include-uid,omitempty"` diff --git a/listener/inbound/tun.go b/listener/inbound/tun.go index a950f80db2..77ad6bd61c 100644 --- a/listener/inbound/tun.go +++ b/listener/inbound/tun.go @@ -21,35 +21,35 @@ type TunOption struct { MTU uint32 `inbound:"mtu,omitempty"` GSO bool `inbound:"gso,omitempty"` GSOMaxSize uint32 `inbound:"gso-max-size,omitempty"` - Inet4Address []string `inbound:"inet4_address,omitempty"` - Inet6Address []string `inbound:"inet6_address,omitempty"` + Inet4Address []string `inbound:"inet4-address,omitempty"` + Inet6Address []string `inbound:"inet6-address,omitempty"` IPRoute2TableIndex int `inbound:"iproute2-table-index"` IPRoute2RuleIndex int `inbound:"iproute2-rule-index"` AutoRedirect bool `inbound:"auto-redirect"` AutoRedirectInputMark uint32 `inbound:"auto-redirect-input-mark"` AutoRedirectOutputMark uint32 `inbound:"auto-redirect-output-mark"` - StrictRoute bool `inbound:"strict_route,omitempty"` + StrictRoute bool `inbound:"strict-route,omitempty"` RouteAddress []string `inbound:"route-address"` RouteAddressSet []string `inbound:"route-address-set"` RouteExcludeAddress []string `inbound:"route-exclude-address"` RouteExcludeAddressSet []string `inbound:"route-exclude-address-set"` IncludeInterface []string `inbound:"include-interface,omitempty"` ExcludeInterface []string `inbound:"exclude-interface"` - IncludeUID []uint32 `inbound:"include_uid,omitempty"` - IncludeUIDRange []string `inbound:"include_uid_range,omitempty"` - ExcludeUID []uint32 `inbound:"exclude_uid,omitempty"` - ExcludeUIDRange []string `inbound:"exclude_uid_range,omitempty"` - IncludeAndroidUser []int `inbound:"include_android_user,omitempty"` - IncludePackage []string `inbound:"include_package,omitempty"` - ExcludePackage []string `inbound:"exclude_package,omitempty"` - EndpointIndependentNat bool `inbound:"endpoint_independent_nat,omitempty"` - UDPTimeout int64 `inbound:"udp_timeout,omitempty"` + IncludeUID []uint32 `inbound:"include-uid,omitempty"` + IncludeUIDRange []string `inbound:"include-uid-range,omitempty"` + ExcludeUID []uint32 `inbound:"exclude-uid,omitempty"` + ExcludeUIDRange []string `inbound:"exclude-uid-range,omitempty"` + IncludeAndroidUser []int `inbound:"include-android-user,omitempty"` + IncludePackage []string `inbound:"include-package,omitempty"` + ExcludePackage []string `inbound:"exclude-package,omitempty"` + EndpointIndependentNat bool `inbound:"endpoint-independent-nat,omitempty"` + UDPTimeout int64 `inbound:"udp-timeout,omitempty"` FileDescriptor int `inbound:"file-descriptor,omitempty"` - Inet4RouteAddress []string `inbound:"inet4_route_address,omitempty"` - Inet6RouteAddress []string `inbound:"inet6_route_address,omitempty"` - Inet4RouteExcludeAddress []string `inbound:"inet4_route_exclude_address,omitempty"` - Inet6RouteExcludeAddress []string `inbound:"inet6_route_exclude_address,omitempty"` + Inet4RouteAddress []string `inbound:"inet4-route-address,omitempty"` + Inet6RouteAddress []string `inbound:"inet6-route-address,omitempty"` + Inet4RouteExcludeAddress []string `inbound:"inet4-route-exclude-address,omitempty"` + Inet6RouteExcludeAddress []string `inbound:"inet6-route-exclude-address,omitempty"` } func (o TunOption) Equal(config C.InboundConfig) bool { diff --git a/tunnel/tunnel.go b/tunnel/tunnel.go index 5dd468f3b4..b1b417bee2 100644 --- a/tunnel/tunnel.go +++ b/tunnel/tunnel.go @@ -225,6 +225,10 @@ func SetMode(m TunnelMode) { mode = m } +func FindProcessMode() P.FindProcessMode { + return findProcessMode +} + // SetFindProcessMode replace SetAlwaysFindProcess // always find process info if legacyAlways = true or mode.Always() = true, may be increase many memory func SetFindProcessMode(mode P.FindProcessMode) { From 518e9bdb0b5b46c5699365a7f3485e42547e85e2 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sun, 25 Aug 2024 19:26:06 +0800 Subject: [PATCH 25/42] feat: socks5, http and mixed listeners support independence `users` --- docs/config.yaml | 9 +++++++++ listener/auth/auth.go | 2 ++ listener/http/proxy.go | 6 ++---- listener/http/server.go | 17 +++++++++++------ listener/inbound/auth.go | 31 +++++++++++++++++++++++++++++++ listener/inbound/http.go | 3 ++- listener/inbound/mixed.go | 5 +++-- listener/inbound/socks.go | 5 +++-- listener/mixed/mixed.go | 19 ++++++++++++++----- listener/socks/tcp.go | 31 +++++++++++++++++-------------- 10 files changed, 94 insertions(+), 34 deletions(-) create mode 100644 listener/inbound/auth.go diff --git a/docs/config.yaml b/docs/config.yaml index 647cf14c61..b67880f77b 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -1005,6 +1005,9 @@ listeners: # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 # udp: false # 默认 true + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: http-in-1 type: http @@ -1012,6 +1015,9 @@ listeners: listen: 0.0.0.0 # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错) + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: mixed-in-1 type: mixed # HTTP(S) 和 SOCKS 代理混合 @@ -1020,6 +1026,9 @@ listeners: # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错) # udp: false # 默认 true + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: reidr-in-1 type: redir diff --git a/listener/auth/auth.go b/listener/auth/auth.go index 46f552b80c..772be3bdd7 100644 --- a/listener/auth/auth.go +++ b/listener/auth/auth.go @@ -13,3 +13,5 @@ func Authenticator() auth.Authenticator { func SetAuthenticator(au auth.Authenticator) { authenticator = au } + +func Nil() auth.Authenticator { return nil } diff --git a/listener/http/proxy.go b/listener/http/proxy.go index b2f312a578..04ab98eb8c 100644 --- a/listener/http/proxy.go +++ b/listener/http/proxy.go @@ -30,7 +30,7 @@ func (b *bodyWrapper) Read(p []byte) (n int, err error) { return n, err } -func HandleConn(c net.Conn, tunnel C.Tunnel, authenticator auth.Authenticator, additions ...inbound.Addition) { +func HandleConn(c net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { additions = append(additions, inbound.Placeholder) // Add a placeholder for InUser inUserIdx := len(additions) - 1 client := newClient(c, tunnel, additions) @@ -41,6 +41,7 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, authenticator auth.Authenticator, a conn := N.NewBufferedConn(c) + authenticator := getAuth() keepAlive := true trusted := authenticator == nil // disable authenticate if lru is nil lastUser := "" @@ -146,9 +147,6 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, authenticator auth.Authenticator, a } func authenticate(request *http.Request, authenticator auth.Authenticator) (resp *http.Response, user string) { - if inbound.SkipAuthRemoteAddress(request.RemoteAddr) { - authenticator = nil - } credential := parseBasicProxyAuthorization(request) if credential == "" && authenticator != nil { resp = responseWith(request, http.StatusProxyAuthRequired) diff --git a/listener/http/server.go b/listener/http/server.go index f61dd03609..74e117f265 100644 --- a/listener/http/server.go +++ b/listener/http/server.go @@ -33,20 +33,20 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { - return NewWithAuthenticator(addr, tunnel, authStore.Authenticator(), additions...) + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) } // NewWithAuthenticate // never change type traits because it's used in CFMA func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additions ...inbound.Addition) (*Listener, error) { - authenticator := authStore.Authenticator() + getAuth := authStore.Authenticator if !authenticate { - authenticator = nil + getAuth = authStore.Nil } - return NewWithAuthenticator(addr, tunnel, authenticator, additions...) + return NewWithAuthenticator(addr, tunnel, getAuth, additions...) } -func NewWithAuthenticator(addr string, tunnel C.Tunnel, authenticator auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -75,13 +75,18 @@ func NewWithAuthenticator(addr string, tunnel C.Tunnel, authenticator auth.Authe continue } N.TCPKeepAlive(conn) + + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) { _ = conn.Close() continue } + if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { + getAuth = authStore.Nil + } } - go HandleConn(conn, tunnel, authenticator, additions...) + go HandleConn(conn, tunnel, getAuth, additions...) } }() diff --git a/listener/inbound/auth.go b/listener/inbound/auth.go new file mode 100644 index 0000000000..41f18fc089 --- /dev/null +++ b/listener/inbound/auth.go @@ -0,0 +1,31 @@ +package inbound + +import ( + "github.com/metacubex/mihomo/component/auth" + authStore "github.com/metacubex/mihomo/listener/auth" +) + +type AuthUser struct { + Username string `inbound:"username"` + Password string `inbound:"password"` +} + +type AuthUsers []AuthUser + +func (a AuthUsers) GetAuth() func() auth.Authenticator { + if a != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array + if len(a) == 0 { + return authStore.Nil + } + users := make([]auth.AuthUser, len(a)) + for i, user := range a { + users[i] = auth.AuthUser{ + User: user.Username, + Pass: user.Password, + } + } + authenticator := auth.NewAuthenticator(users) + return func() auth.Authenticator { return authenticator } + } + return authStore.Authenticator +} diff --git a/listener/inbound/http.go b/listener/inbound/http.go index f5301f46c9..c78abefd5f 100644 --- a/listener/inbound/http.go +++ b/listener/inbound/http.go @@ -8,6 +8,7 @@ import ( type HTTPOption struct { BaseOption + Users AuthUsers `inbound:"users,omitempty"` } func (o HTTPOption) Equal(config C.InboundConfig) bool { @@ -44,7 +45,7 @@ func (h *HTTP) Address() string { // Listen implements constant.InboundListener func (h *HTTP) Listen(tunnel C.Tunnel) error { var err error - h.l, err = http.New(h.RawAddress(), tunnel, h.Additions()...) + h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuth(), h.Additions()...) if err != nil { return err } diff --git a/listener/inbound/mixed.go b/listener/inbound/mixed.go index fc64382199..443a256452 100644 --- a/listener/inbound/mixed.go +++ b/listener/inbound/mixed.go @@ -12,7 +12,8 @@ import ( type MixedOption struct { BaseOption - UDP bool `inbound:"udp,omitempty"` + Users AuthUsers `inbound:"users,omitempty"` + UDP bool `inbound:"udp,omitempty"` } func (o MixedOption) Equal(config C.InboundConfig) bool { @@ -52,7 +53,7 @@ func (m *Mixed) Address() string { // Listen implements constant.InboundListener func (m *Mixed) Listen(tunnel C.Tunnel) error { var err error - m.l, err = mixed.New(m.RawAddress(), tunnel, m.Additions()...) + m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuth(), m.Additions()...) if err != nil { return err } diff --git a/listener/inbound/socks.go b/listener/inbound/socks.go index 7e10d93afb..cf6d1ce433 100644 --- a/listener/inbound/socks.go +++ b/listener/inbound/socks.go @@ -9,7 +9,8 @@ import ( type SocksOption struct { BaseOption - UDP bool `inbound:"udp,omitempty"` + Users AuthUsers `inbound:"users,omitempty"` + UDP bool `inbound:"udp,omitempty"` } func (o SocksOption) Equal(config C.InboundConfig) bool { @@ -70,7 +71,7 @@ func (s *Socks) Address() string { // Listen implements constant.InboundListener func (s *Socks) Listen(tunnel C.Tunnel) error { var err error - if s.stl, err = socks.New(s.RawAddress(), tunnel, s.Additions()...); err != nil { + if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuth(), s.Additions()...); err != nil { return err } if s.udp { diff --git a/listener/mixed/mixed.go b/listener/mixed/mixed.go index 773cabe3f1..12390061c0 100644 --- a/listener/mixed/mixed.go +++ b/listener/mixed/mixed.go @@ -5,6 +5,7 @@ import ( "github.com/metacubex/mihomo/adapter/inbound" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/listener/http" @@ -36,6 +37,10 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -62,20 +67,24 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener } continue } + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) { _ = c.Close() continue } + if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) { + getAuth = authStore.Nil + } } - go handleConn(c, tunnel, additions...) + go handleConn(c, tunnel, getAuth, additions...) } }() return ml, nil } -func handleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { +func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { N.TCPKeepAlive(conn) bufConn := N.NewBufferedConn(conn) @@ -86,10 +95,10 @@ func handleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { switch head[0] { case socks4.Version: - socks.HandleSocks4(bufConn, tunnel, additions...) + socks.HandleSocks4(bufConn, tunnel, getAuth, additions...) case socks5.Version: - socks.HandleSocks5(bufConn, tunnel, additions...) + socks.HandleSocks5(bufConn, tunnel, getAuth, additions...) default: - http.HandleConn(bufConn, tunnel, authStore.Authenticator(), additions...) + http.HandleConn(bufConn, tunnel, getAuth, additions...) } } diff --git a/listener/socks/tcp.go b/listener/socks/tcp.go index f2696e3fc1..3e98a60276 100644 --- a/listener/socks/tcp.go +++ b/listener/socks/tcp.go @@ -6,6 +6,7 @@ import ( "github.com/metacubex/mihomo/adapter/inbound" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/transport/socks4" @@ -35,6 +36,10 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -61,20 +66,24 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener } continue } + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) { _ = c.Close() continue } + if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) { + getAuth = authStore.Nil + } } - go handleSocks(c, tunnel, additions...) + go handleSocks(c, tunnel, getAuth, additions...) } }() return sl, nil } -func handleSocks(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { +func handleSocks(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { N.TCPKeepAlive(conn) bufConn := N.NewBufferedConn(conn) head, err := bufConn.Peek(1) @@ -85,19 +94,16 @@ func handleSocks(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) switch head[0] { case socks4.Version: - HandleSocks4(bufConn, tunnel, additions...) + HandleSocks4(bufConn, tunnel, getAuth, additions...) case socks5.Version: - HandleSocks5(bufConn, tunnel, additions...) + HandleSocks5(bufConn, tunnel, getAuth, additions...) default: conn.Close() } } -func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { - authenticator = nil - } +func HandleSocks4(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + authenticator := getAuth() addr, _, user, err := socks4.ServerHandshake(conn, authenticator) if err != nil { conn.Close() @@ -107,11 +113,8 @@ func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) tunnel.HandleTCPConn(inbound.NewSocket(socks5.ParseAddr(addr), conn, C.SOCKS4, additions...)) } -func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { - authenticator = nil - } +func HandleSocks5(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + authenticator := getAuth() target, command, user, err := socks5.ServerHandshake(conn, authenticator) if err != nil { conn.Close() From 81756fc927f00f360d8c74709c6cd05c23c8645d Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Mon, 26 Aug 2024 14:02:56 +0800 Subject: [PATCH 26/42] fix: wireguard outbound memory leaks when close --- adapter/outbound/wireguard.go | 2 -- go.mod | 2 +- go.sum | 4 ++-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/adapter/outbound/wireguard.go b/adapter/outbound/wireguard.go index 2e34dd83cd..0382debb24 100644 --- a/adapter/outbound/wireguard.go +++ b/adapter/outbound/wireguard.go @@ -26,7 +26,6 @@ import ( wireguard "github.com/metacubex/sing-wireguard" - "github.com/sagernet/sing/common" "github.com/sagernet/sing/common/debug" E "github.com/sagernet/sing/common/exceptions" M "github.com/sagernet/sing/common/metadata" @@ -456,7 +455,6 @@ func closeWireGuard(w *WireGuard) { if w.device != nil { w.device.Close() } - _ = common.Close(w.tunDevice) if w.closeCh != nil { close(w.closeCh) } diff --git a/go.mod b/go.mod index b0c1b3dd96..dbfa9ba17c 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/metacubex/sing-shadowsocks2 v0.2.2 github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 - github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a + github.com/metacubex/sing-wireguard v0.0.0-20240826061955-1e4e67afe5cd github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d github.com/metacubex/utls v1.6.6 github.com/miekg/dns v1.1.62 diff --git a/go.sum b/go.sum index 8194b68adc..1bb4b5ba43 100644 --- a/go.sum +++ b/go.sum @@ -120,8 +120,8 @@ github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 h1:ypfofGDZbP github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1/go.mod h1:olbEx9yVcaw5tHTNlRamRoxmMKcvDvcVS1YLnQGzvWE= github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 h1:OAXiCosqY8xKDp3pqTW3qbrCprZ1l6WkrXSFSCwyY4I= github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY= -github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a h1:NpSGclHJUYndUwBmyIpFBSoBVg8PoVX7QQKhYg0DjM0= -github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo= +github.com/metacubex/sing-wireguard v0.0.0-20240826061955-1e4e67afe5cd h1:r7alry8u4qlUFLNMwGvG1A8ZcfPM6AMSmrm6E2yKdB4= +github.com/metacubex/sing-wireguard v0.0.0-20240826061955-1e4e67afe5cd/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo= github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNvXW824QQeN7Y26uPL5249kzWKbzO9U= github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8= From 9cf3eb39f5120dcab008810eec5d0d5fba40f39e Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Mon, 26 Aug 2024 18:33:04 +0800 Subject: [PATCH 27/42] fix: hysteria1 outbound should be closed when proxy removed --- .github/workflows/build.yml | 2 ++ adapter/outbound/hysteria.go | 24 +++++++++++++++--- adapter/outbound/hysteria2.go | 5 ++++ adapter/outbound/hysteria2_test.go | 38 +++++++++++++++++++++++++++++ adapter/outbound/hysteria_test.go | 39 ++++++++++++++++++++++++++++++ adapter/outbound/wireguard_test.go | 1 + transport/hysteria/core/client.go | 5 +++- 7 files changed, 109 insertions(+), 5 deletions(-) create mode 100644 adapter/outbound/hysteria2_test.go create mode 100644 adapter/outbound/hysteria_test.go diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 94854f2748..b62e982000 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -207,6 +207,8 @@ jobs: if: ${{ matrix.jobs.test == 'test' }} run: | go test ./... + echo "---test with_gvisor---" + go test ./... -tags "with_gvisor" -count=1 - name: Update CA run: | diff --git a/adapter/outbound/hysteria.go b/adapter/outbound/hysteria.go index dacffd106d..ccab16c12a 100644 --- a/adapter/outbound/hysteria.go +++ b/adapter/outbound/hysteria.go @@ -7,6 +7,7 @@ import ( "fmt" "net" "net/netip" + "runtime" "strconv" "time" @@ -14,6 +15,7 @@ import ( "github.com/metacubex/quic-go/congestion" M "github.com/sagernet/sing/common/metadata" + CN "github.com/metacubex/mihomo/common/net" "github.com/metacubex/mihomo/component/ca" "github.com/metacubex/mihomo/component/dialer" "github.com/metacubex/mihomo/component/proxydialer" @@ -43,6 +45,8 @@ type Hysteria struct { option *HysteriaOption client *core.Client + + closeCh chan struct{} // for test } func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) { @@ -51,7 +55,7 @@ func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts . return nil, err } - return NewConn(tcpConn, h), nil + return NewConn(CN.NewRefConn(tcpConn, h), h), nil } func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) { @@ -59,7 +63,7 @@ func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata if err != nil { return nil, err } - return newPacketConn(&hyPacketConn{udpConn}, h), nil + return newPacketConn(CN.NewRefPacketConn(&hyPacketConn{udpConn}, h), h), nil } func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer { @@ -218,7 +222,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { if err != nil { return nil, fmt.Errorf("hysteria %s create error: %w", addr, err) } - return &Hysteria{ + outbound := &Hysteria{ Base: &Base{ name: option.Name, addr: addr, @@ -231,7 +235,19 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { }, option: &option, client: client, - }, nil + } + runtime.SetFinalizer(outbound, closeHysteria) + + return outbound, nil +} + +func closeHysteria(h *Hysteria) { + if h.client != nil { + _ = h.client.Close() + } + if h.closeCh != nil { + close(h.closeCh) + } } type hyPacketConn struct { diff --git a/adapter/outbound/hysteria2.go b/adapter/outbound/hysteria2.go index b8abf39cc2..c1a255a766 100644 --- a/adapter/outbound/hysteria2.go +++ b/adapter/outbound/hysteria2.go @@ -38,6 +38,8 @@ type Hysteria2 struct { option *Hysteria2Option client *hysteria2.Client dialer proxydialer.SingDialer + + closeCh chan struct{} // for test } type Hysteria2Option struct { @@ -89,6 +91,9 @@ func closeHysteria2(h *Hysteria2) { if h.client != nil { _ = h.client.CloseWithError(errors.New("proxy removed")) } + if h.closeCh != nil { + close(h.closeCh) + } } func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) { diff --git a/adapter/outbound/hysteria2_test.go b/adapter/outbound/hysteria2_test.go new file mode 100644 index 0000000000..de7d82271d --- /dev/null +++ b/adapter/outbound/hysteria2_test.go @@ -0,0 +1,38 @@ +package outbound + +import ( + "context" + "runtime" + "testing" + "time" +) + +func TestHysteria2GC(t *testing.T) { + option := Hysteria2Option{} + option.Server = "127.0.0.1" + option.Ports = "200,204,401-429,501-503" + option.HopInterval = 30 + option.Password = "password" + option.Obfs = "salamander" + option.ObfsPassword = "password" + option.SNI = "example.com" + option.ALPN = []string{"h3"} + hy, err := NewHysteria2(option) + if err != nil { + t.Error(err) + return + } + closeCh := make(chan struct{}) + hy.closeCh = closeCh + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + + hy = nil + runtime.GC() + select { + case <-closeCh: + return + case <-ctx.Done(): + t.Error("timeout not GC") + } +} diff --git a/adapter/outbound/hysteria_test.go b/adapter/outbound/hysteria_test.go new file mode 100644 index 0000000000..f2297c6035 --- /dev/null +++ b/adapter/outbound/hysteria_test.go @@ -0,0 +1,39 @@ +package outbound + +import ( + "context" + "runtime" + "testing" + "time" +) + +func TestHysteriaGC(t *testing.T) { + option := HysteriaOption{} + option.Server = "127.0.0.1" + option.Ports = "200,204,401-429,501-503" + option.Protocol = "udp" + option.Up = "1Mbps" + option.Down = "1Mbps" + option.HopInterval = 30 + option.Obfs = "salamander" + option.SNI = "example.com" + option.ALPN = []string{"h3"} + hy, err := NewHysteria(option) + if err != nil { + t.Error(err) + return + } + closeCh := make(chan struct{}) + hy.closeCh = closeCh + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + + hy = nil + runtime.GC() + select { + case <-closeCh: + return + case <-ctx.Done(): + t.Error("timeout not GC") + } +} diff --git a/adapter/outbound/wireguard_test.go b/adapter/outbound/wireguard_test.go index 20dbdbdd6b..2248bb7b1f 100644 --- a/adapter/outbound/wireguard_test.go +++ b/adapter/outbound/wireguard_test.go @@ -29,6 +29,7 @@ func TestWireGuardGC(t *testing.T) { err = wg.init(ctx) if err != nil { t.Error(err) + return } // must do a small sleep before test GC // because it maybe deadlocks if w.device.Close call too fast after w.device.Start diff --git a/transport/hysteria/core/client.go b/transport/hysteria/core/client.go index 60db8fdf45..782948c018 100644 --- a/transport/hysteria/core/client.go +++ b/transport/hysteria/core/client.go @@ -289,7 +289,10 @@ func (c *Client) DialUDP(dialer utils.PacketDialer) (UDPConn, error) { func (c *Client) Close() error { c.reconnectMutex.Lock() defer c.reconnectMutex.Unlock() - err := c.quicSession.CloseWithError(closeErrorCodeGeneric, "") + var err error + if c.quicSession != nil { + err = c.quicSession.CloseWithError(closeErrorCodeGeneric, "") + } c.closed = true return err } From d79423a4fa0f4a67ab4e9ba82b45a14eaac6b847 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Mon, 26 Aug 2024 20:52:56 +0800 Subject: [PATCH 28/42] fix: tun should not care "force" when Put configs from restful api --- hub/executor/executor.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hub/executor/executor.go b/hub/executor/executor.go index d54d55b752..97072ec88d 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -101,6 +101,7 @@ func ApplyConfig(cfg *config.Config, force bool) { updateNTP(cfg.NTP) updateDNS(cfg.DNS, cfg.General.IPv6) updateListeners(cfg.General, cfg.Listeners, force) + updateTun(cfg.General) // tun should not care "force" updateIPTables(cfg) updateTunnels(cfg.Tunnels) @@ -198,6 +199,9 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList listener.ReCreateShadowSocks(general.ShadowSocksConfig, tunnel.Tunnel) listener.ReCreateVmess(general.VmessConfig, tunnel.Tunnel) listener.ReCreateTuic(general.TuicServer, tunnel.Tunnel) +} + +func updateTun(general *config.General) { listener.ReCreateTun(general.Tun, tunnel.Tunnel) } From 6e04e1e9dc0916621beb1f8cdccced2fad5eb8f8 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Tue, 27 Aug 2024 08:41:57 +0800 Subject: [PATCH 29/42] fix: hysteria2 close safety --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index dbfa9ba17c..6a43c7302f 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 github.com/metacubex/quic-go v0.46.1-0.20240807232329-1c6cb2d67f58 github.com/metacubex/randv2 v0.2.0 - github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72 + github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4 github.com/metacubex/sing-shadowsocks v0.2.8 github.com/metacubex/sing-shadowsocks2 v0.2.2 github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 diff --git a/go.sum b/go.sum index 1bb4b5ba43..3b059db0df 100644 --- a/go.sum +++ b/go.sum @@ -110,8 +110,8 @@ github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiL github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY= github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297 h1:YG/JkwGPbca5rUtEMHIu8ZuqzR7BSVm1iqY8hNoMeMA= github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak= -github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72 h1:Wr4g1HCb5Z/QIFwFiVNjO2qL+dRu25+Mdn9xtAZZ+ew= -github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72/go.mod h1:g7Mxj7b7zm7YVqD975mk/hSmrb0A0G4bVvIMr2MMzn8= +github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4 h1:HobpULaPK6OoxrHMmgcwLkwwIduXVmwdcznwUfH1GQM= +github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4/go.mod h1:g7Mxj7b7zm7YVqD975mk/hSmrb0A0G4bVvIMr2MMzn8= github.com/metacubex/sing-shadowsocks v0.2.8 h1:wIhlaigswzjPw4hej75sEvWte3QR0+AJRafgwBHO5B4= github.com/metacubex/sing-shadowsocks v0.2.8/go.mod h1:X3x88XtJpBxG0W0/ECOJL6Ib0SJ3xdniAkU/6/RMWU0= github.com/metacubex/sing-shadowsocks2 v0.2.2 h1:eaf42uVx4Lr21S6MDYs0ZdTvGA0GEhDpb9no4+gdXPo= From 3e2c9ce8216d38ab9416070ffe23cf4c9c20f9e6 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Tue, 27 Aug 2024 11:04:42 +0800 Subject: [PATCH 30/42] chore: cleanup patch code --- adapter/provider/healthcheck.go | 15 +++++---- adapter/provider/patch_android.go | 17 ---------- adapter/provider/provider.go | 27 +++++++++++----- component/resource/fetcher.go | 54 ++++++++++++++++++------------- component/resource/vehicle.go | 6 ++-- config/config.go | 10 ++++-- constant/provider/interface.go | 4 ++- rules/provider/patch_android.go | 10 ------ rules/provider/provider.go | 14 ++++++-- 9 files changed, 83 insertions(+), 74 deletions(-) diff --git a/adapter/provider/healthcheck.go b/adapter/provider/healthcheck.go index 8b5e833851..8737ff96ae 100644 --- a/adapter/provider/healthcheck.go +++ b/adapter/provider/healthcheck.go @@ -27,6 +27,8 @@ type extraOption struct { } type HealthCheck struct { + ctx context.Context + ctxCancel context.CancelFunc url string extra map[string]*extraOption mu sync.Mutex @@ -36,7 +38,6 @@ type HealthCheck struct { lazy bool expectedStatus utils.IntRanges[uint16] lastTouch atomic.TypedValue[time.Time] - done chan struct{} singleDo *singledo.Single[struct{}] timeout time.Duration } @@ -59,7 +60,7 @@ func (hc *HealthCheck) process() { } else { log.Debugln("Skip once health check because we are lazy") } - case <-hc.done: + case <-hc.ctx.Done(): ticker.Stop() hc.stop() return @@ -146,7 +147,7 @@ func (hc *HealthCheck) check() { _, _, _ = hc.singleDo.Do(func() (struct{}, error) { id := utils.NewUUIDV4().String() log.Debugln("Start New Health Checking {%s}", id) - b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10)) + b, _ := batch.New[bool](hc.ctx, batch.WithConcurrencyNum[bool](10)) // execute default health check option := &extraOption{filters: nil, expectedStatus: hc.expectedStatus} @@ -195,7 +196,7 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex p := proxy b.Go(p.Name(), func() (bool, error) { - ctx, cancel := context.WithTimeout(context.Background(), hc.timeout) + ctx, cancel := context.WithTimeout(hc.ctx, hc.timeout) defer cancel() log.Debugln("Health Checking, proxy: %s, url: %s, id: {%s}", p.Name(), url, uid) _, _ = p.URLTest(ctx, url, expectedStatus) @@ -206,7 +207,7 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex } func (hc *HealthCheck) close() { - hc.done <- struct{}{} + hc.ctxCancel() } func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, lazy bool, expectedStatus utils.IntRanges[uint16]) *HealthCheck { @@ -217,8 +218,11 @@ func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, if timeout == 0 { timeout = 5000 } + ctx, cancel := context.WithCancel(context.Background()) return &HealthCheck{ + ctx: ctx, + ctxCancel: cancel, proxies: proxies, url: url, timeout: time.Duration(timeout) * time.Millisecond, @@ -226,7 +230,6 @@ func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, interval: time.Duration(interval) * time.Second, lazy: lazy, expectedStatus: expectedStatus, - done: make(chan struct{}, 1), singleDo: singledo.NewSingle[struct{}](time.Second), } } diff --git a/adapter/provider/patch_android.go b/adapter/provider/patch_android.go index e9042bdac0..2a91d7f14a 100644 --- a/adapter/provider/patch_android.go +++ b/adapter/provider/patch_android.go @@ -14,23 +14,6 @@ type UpdatableProvider interface { UpdatedAt() time.Time } -func (pp *proxySetProvider) UpdatedAt() time.Time { - return pp.Fetcher.UpdatedAt -} - -func (pp *proxySetProvider) Close() error { - pp.healthCheck.close() - pp.Fetcher.Destroy() - - return nil -} - -func (cp *compatibleProvider) Close() error { - cp.healthCheck.close() - - return nil -} - func Suspend(s bool) { suspended = s } diff --git a/adapter/provider/provider.go b/adapter/provider/provider.go index 694eae436f..a99c1d9680 100644 --- a/adapter/provider/provider.go +++ b/adapter/provider/provider.go @@ -54,7 +54,7 @@ func (pp *proxySetProvider) MarshalJSON() ([]byte, error) { "proxies": pp.Proxies(), "testUrl": pp.healthCheck.url, "expectedStatus": pp.healthCheck.expectedStatus.String(), - "updatedAt": pp.UpdatedAt, + "updatedAt": pp.UpdatedAt(), "subscriptionInfo": pp.subscriptionInfo, }) } @@ -164,9 +164,9 @@ func (pp *proxySetProvider) closeAllConnections() { }) } -func stopProxyProvider(pd *ProxySetProvider) { - pd.healthCheck.close() - _ = pd.Fetcher.Destroy() +func (pp *proxySetProvider) Close() error { + pp.healthCheck.close() + return pp.Fetcher.Close() } func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) { @@ -200,10 +200,15 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg, dialerProxy, override), proxiesOnUpdate(pd)) pd.Fetcher = fetcher wrapper := &ProxySetProvider{pd} - runtime.SetFinalizer(wrapper, stopProxyProvider) + runtime.SetFinalizer(wrapper, (*ProxySetProvider).Close) return wrapper, nil } +func (pp *ProxySetProvider) Close() error { + runtime.SetFinalizer(pp, nil) + return pp.proxySetProvider.Close() +} + // CompatibleProvider for auto gc type CompatibleProvider struct { *compatibleProvider @@ -274,8 +279,9 @@ func (cp *compatibleProvider) RegisterHealthCheckTask(url string, expectedStatus cp.healthCheck.registerHealthCheckTask(url, expectedStatus, filter, interval) } -func stopCompatibleProvider(pd *CompatibleProvider) { - pd.healthCheck.close() +func (cp *compatibleProvider) Close() error { + cp.healthCheck.close() + return nil } func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*CompatibleProvider, error) { @@ -294,10 +300,15 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co } wrapper := &CompatibleProvider{pd} - runtime.SetFinalizer(wrapper, stopCompatibleProvider) + runtime.SetFinalizer(wrapper, (*CompatibleProvider).Close) return wrapper, nil } +func (cp *CompatibleProvider) Close() error { + runtime.SetFinalizer(cp, nil) + return cp.compatibleProvider.Close() +} + func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) { return func(elm []C.Proxy) { pd.setProxies(elm) diff --git a/component/resource/fetcher.go b/component/resource/fetcher.go index c82a54a3d1..9a4f5a7591 100644 --- a/component/resource/fetcher.go +++ b/component/resource/fetcher.go @@ -2,6 +2,7 @@ package resource import ( "bytes" + "context" "crypto/md5" "os" "path/filepath" @@ -22,11 +23,12 @@ var ( type Parser[V any] func([]byte) (V, error) type Fetcher[V any] struct { + ctx context.Context + ctxCancel context.CancelFunc resourceType string name string vehicle types.Vehicle - UpdatedAt time.Time - done chan struct{} + updatedAt time.Time hash [16]byte parser Parser[V] interval time.Duration @@ -46,6 +48,10 @@ func (f *Fetcher[V]) VehicleType() types.VehicleType { return f.vehicle.Type() } +func (f *Fetcher[V]) UpdatedAt() time.Time { + return f.updatedAt +} + func (f *Fetcher[V]) Initial() (V, error) { var ( buf []byte @@ -57,15 +63,15 @@ func (f *Fetcher[V]) Initial() (V, error) { if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil { buf, err = os.ReadFile(f.vehicle.Path()) modTime := stat.ModTime() - f.UpdatedAt = modTime + f.updatedAt = modTime isLocal = true if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) { log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name()) forceUpdate = true } } else { - buf, err = f.vehicle.Read() - f.UpdatedAt = time.Now() + buf, err = f.vehicle.Read(f.ctx) + f.updatedAt = time.Now() } if err != nil { @@ -75,7 +81,7 @@ func (f *Fetcher[V]) Initial() (V, error) { var contents V if forceUpdate { var forceBuf []byte - if forceBuf, err = f.vehicle.Read(); err == nil { + if forceBuf, err = f.vehicle.Read(f.ctx); err == nil { if contents, err = f.parser(forceBuf); err == nil { isLocal = false buf = forceBuf @@ -93,7 +99,7 @@ func (f *Fetcher[V]) Initial() (V, error) { } // parse local file error, fallback to remote - buf, err = f.vehicle.Read() + buf, err = f.vehicle.Read(f.ctx) if err != nil { return lo.Empty[V](), err } @@ -136,15 +142,18 @@ func (f *Fetcher[V]) Initial() (V, error) { } func (f *Fetcher[V]) Update() (V, bool, error) { - buf, err := f.vehicle.Read() + buf, err := f.vehicle.Read(f.ctx) if err != nil { return lo.Empty[V](), false, err } + return f.SideUpdate(buf) +} +func (f *Fetcher[V]) SideUpdate(buf []byte) (V, bool, error) { now := time.Now() hash := md5.Sum(buf) if bytes.Equal(f.hash[:], hash[:]) { - f.UpdatedAt = now + f.updatedAt = now _ = os.Chtimes(f.vehicle.Path(), now, now) return lo.Empty[V](), true, nil } @@ -160,16 +169,14 @@ func (f *Fetcher[V]) Update() (V, bool, error) { } } - f.UpdatedAt = now + f.updatedAt = now f.hash = hash return contents, false, nil } -func (f *Fetcher[V]) Destroy() error { - if f.interval > 0 { - f.done <- struct{}{} - } +func (f *Fetcher[V]) Close() error { + f.ctxCancel() if f.watcher != nil { _ = f.watcher.Close() } @@ -177,7 +184,7 @@ func (f *Fetcher[V]) Destroy() error { } func (f *Fetcher[V]) pullLoop() { - initialInterval := f.interval - time.Since(f.UpdatedAt) + initialInterval := f.interval - time.Since(f.updatedAt) if initialInterval > f.interval { initialInterval = f.interval } @@ -189,7 +196,7 @@ func (f *Fetcher[V]) pullLoop() { case <-timer.C: timer.Reset(f.interval) f.update(f.vehicle.Path()) - case <-f.done: + case <-f.ctx.Done(): return } } @@ -226,13 +233,14 @@ func safeWrite(path string, buf []byte) error { } func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser Parser[V], onUpdate func(V)) *Fetcher[V] { - + ctx, cancel := context.WithCancel(context.Background()) return &Fetcher[V]{ - name: name, - vehicle: vehicle, - parser: parser, - done: make(chan struct{}, 8), - OnUpdate: onUpdate, - interval: interval, + ctx: ctx, + ctxCancel: cancel, + name: name, + vehicle: vehicle, + parser: parser, + OnUpdate: onUpdate, + interval: interval, } } diff --git a/component/resource/vehicle.go b/component/resource/vehicle.go index b13369d22e..4618ef52f2 100644 --- a/component/resource/vehicle.go +++ b/component/resource/vehicle.go @@ -24,7 +24,7 @@ func (f *FileVehicle) Path() string { return f.path } -func (f *FileVehicle) Read() ([]byte, error) { +func (f *FileVehicle) Read(ctx context.Context) ([]byte, error) { return os.ReadFile(f.path) } @@ -59,8 +59,8 @@ func (h *HTTPVehicle) Proxy() string { return h.proxy } -func (h *HTTPVehicle) Read() ([]byte, error) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*20) +func (h *HTTPVehicle) Read(ctx context.Context) ([]byte, error) { + ctx, cancel := context.WithTimeout(ctx, time.Second*20) defer cancel() resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, h.header, nil, h.proxy) if err != nil { diff --git a/config/config.go b/config/config.go index f1ffbce1fd..48a99e41e3 100644 --- a/config/config.go +++ b/config/config.go @@ -431,9 +431,8 @@ func Parse(buf []byte) (*Config, error) { return ParseRawConfig(rawCfg) } -func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { - // config with default value - rawCfg := &RawConfig{ +func DefaultRawConfig() *RawConfig { + return &RawConfig{ AllowLan: false, BindAddress: "*", LanAllowedIPs: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}, @@ -544,6 +543,11 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { }, ExternalUIURL: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip", } +} + +func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { + // config with default value + rawCfg := DefaultRawConfig() if err := yaml.Unmarshal(buf, rawCfg); err != nil { return nil, err diff --git a/constant/provider/interface.go b/constant/provider/interface.go index bd6b6e9470..911f774a62 100644 --- a/constant/provider/interface.go +++ b/constant/provider/interface.go @@ -1,6 +1,7 @@ package provider import ( + "context" "fmt" "github.com/metacubex/mihomo/common/utils" @@ -31,7 +32,7 @@ func (v VehicleType) String() string { } type Vehicle interface { - Read() ([]byte, error) + Read(ctx context.Context) ([]byte, error) Path() string Proxy() string Type() VehicleType @@ -83,6 +84,7 @@ type ProxyProvider interface { type RuleProvider interface { Provider Behavior() RuleBehavior + Count() int Match(*constant.Metadata) bool ShouldResolveIP() bool ShouldFindProcess() bool diff --git a/rules/provider/patch_android.go b/rules/provider/patch_android.go index 7ef1df1b59..d4b752c3ad 100644 --- a/rules/provider/patch_android.go +++ b/rules/provider/patch_android.go @@ -12,16 +12,6 @@ type UpdatableProvider interface { UpdatedAt() time.Time } -func (rp *ruleSetProvider) UpdatedAt() time.Time { - return rp.Fetcher.UpdatedAt -} - -func (rp *ruleSetProvider) Close() error { - rp.Fetcher.Destroy() - - return nil -} - func Suspend(s bool) { suspended = s } diff --git a/rules/provider/provider.go b/rules/provider/provider.go index b9524c35e6..ad720d477d 100644 --- a/rules/provider/provider.go +++ b/rules/provider/provider.go @@ -89,6 +89,10 @@ func (rp *ruleSetProvider) Behavior() P.RuleBehavior { return rp.behavior } +func (rp *ruleSetProvider) Count() int { + return rp.strategy.Count() +} + func (rp *ruleSetProvider) Match(metadata *C.Metadata) bool { return rp.strategy != nil && rp.strategy.Match(metadata) } @@ -113,11 +117,16 @@ func (rp *ruleSetProvider) MarshalJSON() ([]byte, error) { "name": rp.Name(), "ruleCount": rp.strategy.Count(), "type": rp.Type().String(), - "updatedAt": rp.UpdatedAt, + "updatedAt": rp.UpdatedAt(), "vehicleType": rp.VehicleType().String(), }) } +func (rp *RuleSetProvider) Close() error { + runtime.SetFinalizer(rp, nil) + return rp.ruleSetProvider.Close() +} + func NewRuleSetProvider(name string, behavior P.RuleBehavior, format P.RuleFormat, interval time.Duration, vehicle P.Vehicle, parse func(tp, payload, target string, params []string, subRules map[string][]C.Rule) (parsed C.Rule, parseErr error)) P.RuleProvider { rp := &ruleSetProvider{ @@ -139,8 +148,7 @@ func NewRuleSetProvider(name string, behavior P.RuleBehavior, format P.RuleForma rp, } - final := func(provider *RuleSetProvider) { _ = rp.Fetcher.Destroy() } - runtime.SetFinalizer(wrapper, final) + runtime.SetFinalizer(wrapper, (*RuleSetProvider).Close) return wrapper } From 84831785242ddb409591ad4954e74e2a799d1e7e Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Tue, 27 Aug 2024 20:33:43 +0800 Subject: [PATCH 31/42] feat: `sniff` add `skip-src-address` and `skip-dst-address` --- component/cidr/ipcidr_set.go | 4 + component/sniffer/dispatcher.go | 106 ++++++++++++++----------- config/config.go | 135 ++++++++++++++++++++++++-------- docs/config.yaml | 4 + hub/executor/executor.go | 26 +++--- tunnel/tunnel.go | 40 +++++----- 6 files changed, 198 insertions(+), 117 deletions(-) diff --git a/component/cidr/ipcidr_set.go b/component/cidr/ipcidr_set.go index 4907146039..00ad7259b4 100644 --- a/component/cidr/ipcidr_set.go +++ b/component/cidr/ipcidr_set.go @@ -57,6 +57,10 @@ func (set *IpCidrSet) Merge() error { return nil } +func (set *IpCidrSet) IsEmpty() bool { + return set == nil || len(set.rr) == 0 +} + func (set *IpCidrSet) Foreach(f func(prefix netip.Prefix) bool) { for _, r := range set.rr { for _, prefix := range r.Prefixes() { diff --git a/component/sniffer/dispatcher.go b/component/sniffer/dispatcher.go index c96f5a4b03..8c9f692d0f 100644 --- a/component/sniffer/dispatcher.go +++ b/component/sniffer/dispatcher.go @@ -2,7 +2,6 @@ package sniffer import ( "errors" - "fmt" "net" "net/netip" "time" @@ -20,19 +19,29 @@ var ( ErrNoClue = errors.New("not enough information for making a decision") ) -var Dispatcher *SnifferDispatcher - -type SnifferDispatcher struct { +type Dispatcher struct { enable bool sniffers map[sniffer.Sniffer]SnifferConfig forceDomain []C.Rule + skipSrcAddress []C.Rule + skipDstAddress []C.Rule skipDomain []C.Rule - skipList *lru.LruCache[string, uint8] + skipList *lru.LruCache[netip.AddrPort, uint8] forceDnsMapping bool parsePureIp bool } -func (sd *SnifferDispatcher) shouldOverride(metadata *C.Metadata) bool { +func (sd *Dispatcher) shouldOverride(metadata *C.Metadata) bool { + for _, rule := range sd.skipDstAddress { + if ok, _ := rule.Match(&C.Metadata{DstIP: metadata.DstIP}); ok { + return false + } + } + for _, rule := range sd.skipSrcAddress { + if ok, _ := rule.Match(&C.Metadata{DstIP: metadata.SrcIP}); ok { + return false + } + } if metadata.Host == "" && sd.parsePureIp { return true } @@ -47,10 +56,9 @@ func (sd *SnifferDispatcher) shouldOverride(metadata *C.Metadata) bool { return false } -func (sd *SnifferDispatcher) UDPSniff(packet C.PacketAdapter) bool { +func (sd *Dispatcher) UDPSniff(packet C.PacketAdapter) bool { metadata := packet.Metadata() - - if sd.shouldOverride(packet.Metadata()) { + if sd.shouldOverride(metadata) { for sniffer, config := range sd.sniffers { if sniffer.SupportNetwork() == C.UDP || sniffer.SupportNetwork() == C.ALLNet { inWhitelist := sniffer.SupportPort(metadata.DstPort) @@ -73,7 +81,7 @@ func (sd *SnifferDispatcher) UDPSniff(packet C.PacketAdapter) bool { } // TCPSniff returns true if the connection is sniffed to have a domain -func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool { +func (sd *Dispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool { if sd.shouldOverride(metadata) { inWhitelist := false overrideDest := false @@ -91,34 +99,35 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata return false } - dst := fmt.Sprintf("%s:%d", metadata.DstIP, metadata.DstPort) + dst := metadata.AddrPort() if count, ok := sd.skipList.Get(dst); ok && count > 5 { log.Debugln("[Sniffer] Skip sniffing[%s] due to multiple failures", dst) return false } - if host, err := sd.sniffDomain(conn, metadata); err != nil { + host, err := sd.sniffDomain(conn, metadata) + if err != nil { sd.cacheSniffFailed(metadata) log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%d] to [%s:%d]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort) return false - } else { - for _, rule := range sd.skipDomain { - if ok, _ := rule.Match(&C.Metadata{Host: host}); ok { - log.Debugln("[Sniffer] Skip sni[%s]", host) - return false - } + } + + for _, rule := range sd.skipDomain { + if ok, _ := rule.Match(&C.Metadata{Host: host}); ok { + log.Debugln("[Sniffer] Skip sni[%s]", host) + return false } + } - sd.skipList.Delete(dst) + sd.skipList.Delete(dst) - sd.replaceDomain(metadata, host, overrideDest) - return true - } + sd.replaceDomain(metadata, host, overrideDest) + return true } return false } -func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) { +func (sd *Dispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) { metadata.SniffHost = host if overrideDest { log.Debugln("[Sniffer] Sniff %s [%s]-->[%s] success, replace domain [%s]-->[%s]", @@ -131,11 +140,11 @@ func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, ov metadata.DNSMode = C.DNSNormal } -func (sd *SnifferDispatcher) Enable() bool { - return sd.enable +func (sd *Dispatcher) Enable() bool { + return sd != nil && sd.enable } -func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metadata) (string, error) { +func (sd *Dispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metadata) (string, error) { for s := range sd.sniffers { if s.SupportNetwork() == C.TCP { _ = conn.SetReadDeadline(time.Now().Add(1 * time.Second)) @@ -178,8 +187,8 @@ func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metad return "", ErrorSniffFailed } -func (sd *SnifferDispatcher) cacheSniffFailed(metadata *C.Metadata) { - dst := fmt.Sprintf("%s:%d", metadata.DstIP, metadata.DstPort) +func (sd *Dispatcher) cacheSniffFailed(metadata *C.Metadata) { + dst := metadata.AddrPort() sd.skipList.Compute(dst, func(oldValue uint8, loaded bool) (newValue uint8, delete bool) { if oldValue <= 5 { oldValue++ @@ -188,32 +197,35 @@ func (sd *SnifferDispatcher) cacheSniffFailed(metadata *C.Metadata) { }) } -func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) { - dispatcher := SnifferDispatcher{ - enable: false, - } - - return &dispatcher, nil +type Config struct { + Enable bool + Sniffers map[sniffer.Type]SnifferConfig + ForceDomain []C.Rule + SkipSrcAddress []C.Rule + SkipDstAddress []C.Rule + SkipDomain []C.Rule + ForceDnsMapping bool + ParsePureIp bool } -func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, - forceDomain []C.Rule, skipDomain []C.Rule, - forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) { - dispatcher := SnifferDispatcher{ - enable: true, - forceDomain: forceDomain, - skipDomain: skipDomain, - skipList: lru.New(lru.WithSize[string, uint8](128), lru.WithAge[string, uint8](600)), - forceDnsMapping: forceDnsMapping, - parsePureIp: parsePureIp, - sniffers: make(map[sniffer.Sniffer]SnifferConfig, 0), +func NewDispatcher(snifferConfig *Config) (*Dispatcher, error) { + dispatcher := Dispatcher{ + enable: snifferConfig.Enable, + forceDomain: snifferConfig.ForceDomain, + skipSrcAddress: snifferConfig.SkipSrcAddress, + skipDstAddress: snifferConfig.SkipDstAddress, + skipDomain: snifferConfig.SkipDomain, + skipList: lru.New(lru.WithSize[netip.AddrPort, uint8](128), lru.WithAge[netip.AddrPort, uint8](600)), + forceDnsMapping: snifferConfig.ForceDnsMapping, + parsePureIp: snifferConfig.ParsePureIp, + sniffers: make(map[sniffer.Sniffer]SnifferConfig, len(snifferConfig.Sniffers)), } - for snifferName, config := range snifferConfig { + for snifferName, config := range snifferConfig.Sniffers { s, err := NewSniffer(snifferName, config) if err != nil { log.Errorln("Sniffer name[%s] is error", snifferName) - return &SnifferDispatcher{enable: false}, err + return &Dispatcher{enable: false}, err } dispatcher.sniffers[s] = config } diff --git a/config/config.go b/config/config.go index 48a99e41e3..7197f524b9 100644 --- a/config/config.go +++ b/config/config.go @@ -25,7 +25,7 @@ import ( "github.com/metacubex/mihomo/component/geodata" P "github.com/metacubex/mihomo/component/process" "github.com/metacubex/mihomo/component/resolver" - SNIFF "github.com/metacubex/mihomo/component/sniffer" + "github.com/metacubex/mihomo/component/sniffer" tlsC "github.com/metacubex/mihomo/component/tls" "github.com/metacubex/mihomo/component/trie" "github.com/metacubex/mihomo/component/updater" @@ -161,16 +161,6 @@ type Profile struct { StoreFakeIP bool } -// Sniffer config -type Sniffer struct { - Enable bool - Sniffers map[snifferTypes.Type]SNIFF.SnifferConfig - ForceDomain []C.Rule - SkipDomain []C.Rule - ForceDnsMapping bool - ParsePureIp bool -} - // TLS config type TLS struct { Certificate string @@ -196,7 +186,7 @@ type Config struct { Providers map[string]providerTypes.ProxyProvider RuleProviders map[string]providerTypes.RuleProvider Tunnels []LC.Tunnel - Sniffer *Sniffer + Sniffer *sniffer.Config TLS *TLS } @@ -327,15 +317,18 @@ type RawGeoXUrl struct { } type RawSniffer struct { - Enable bool `yaml:"enable" json:"enable"` - OverrideDest bool `yaml:"override-destination" json:"override-destination"` - Sniffing []string `yaml:"sniffing" json:"sniffing"` - ForceDomain []string `yaml:"force-domain" json:"force-domain"` - SkipDomain []string `yaml:"skip-domain" json:"skip-domain"` - Ports []string `yaml:"port-whitelist" json:"port-whitelist"` - ForceDnsMapping bool `yaml:"force-dns-mapping" json:"force-dns-mapping"` - ParsePureIp bool `yaml:"parse-pure-ip" json:"parse-pure-ip"` - Sniff map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"` + Enable bool `yaml:"enable" json:"enable"` + OverrideDest bool `yaml:"override-destination" json:"override-destination"` + Sniffing []string `yaml:"sniffing" json:"sniffing"` + ForceDomain []string `yaml:"force-domain" json:"force-domain"` + SkipSrcAddress []string `yaml:"skip-src-address" json:"skip-src-address"` + SkipDstAddress []string `yaml:"skip-dst-address" json:"skip-dst-address"` + SkipDomain []string `yaml:"skip-domain" json:"skip-domain"` + Ports []string `yaml:"port-whitelist" json:"port-whitelist"` + ForceDnsMapping bool `yaml:"force-dns-mapping" json:"force-dns-mapping"` + ParsePureIp bool `yaml:"parse-pure-ip" json:"parse-pure-ip"` + + Sniff map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"` } type RawSniffingConfig struct { @@ -1477,7 +1470,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul var rule C.Rule if len(cfg.Fallback) != 0 { if cfg.FallbackFilter.GeoIP { - rule, err = RC.NewGEOIP(cfg.FallbackFilter.GeoIPCode, "", false, true) + rule, err = RC.NewGEOIP(cfg.FallbackFilter.GeoIPCode, "dns.fallback-filter.geoip", false, true) if err != nil { return nil, fmt.Errorf("load GeoIP dns fallback filter error, %w", err) } @@ -1507,7 +1500,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul } } rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "dns.fallback-filter.domain") - dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, rule) } if len(cfg.FallbackFilter.GeoSite) > 0 { log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") @@ -1516,7 +1509,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul if err != nil { return nil, fmt.Errorf("DNS FallbackGeosite[%d] format error: %w", idx, err) } - dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, rule) } } } @@ -1618,13 +1611,13 @@ func parseTuicServer(rawTuic RawTuicServer, general *General) error { return nil } -func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes.RuleProvider) (*Sniffer, error) { - sniffer := &Sniffer{ +func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes.RuleProvider) (*sniffer.Config, error) { + snifferConfig := &sniffer.Config{ Enable: snifferRaw.Enable, ForceDnsMapping: snifferRaw.ForceDnsMapping, ParsePureIp: snifferRaw.ParsePureIp, } - loadSniffer := make(map[snifferTypes.Type]SNIFF.SnifferConfig) + loadSniffer := make(map[snifferTypes.Type]sniffer.SnifferConfig) if len(snifferRaw.Sniff) != 0 { for sniffType, sniffConfig := range snifferRaw.Sniff { @@ -1640,7 +1633,7 @@ func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes. for _, snifferType := range snifferTypes.List { if snifferType.String() == strings.ToUpper(sniffType) { find = true - loadSniffer[snifferType] = SNIFF.SnifferConfig{ + loadSniffer[snifferType] = sniffer.SnifferConfig{ Ports: ports, OverrideDest: overrideDest, } @@ -1652,7 +1645,7 @@ func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes. } } } else { - if sniffer.Enable && len(snifferRaw.Sniffing) != 0 { + if snifferConfig.Enable && len(snifferRaw.Sniffing) != 0 { // Deprecated: Use Sniff instead log.Warnln("Deprecated: Use Sniff instead") } @@ -1666,7 +1659,7 @@ func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes. for _, snifferType := range snifferTypes.List { if snifferType.String() == strings.ToUpper(snifferName) { find = true - loadSniffer[snifferType] = SNIFF.SnifferConfig{ + loadSniffer[snifferType] = sniffer.SnifferConfig{ Ports: globalPorts, OverrideDest: snifferRaw.OverrideDest, } @@ -1679,21 +1672,80 @@ func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes. } } - sniffer.Sniffers = loadSniffer + snifferConfig.Sniffers = loadSniffer forceDomain, err := parseDomain(snifferRaw.ForceDomain, nil, "sniffer.force-domain", ruleProviders) if err != nil { return nil, fmt.Errorf("error in force-domain, error:%w", err) } - sniffer.ForceDomain = forceDomain + snifferConfig.ForceDomain = forceDomain + + skipSrcAddress, err := parseIPCIDR(snifferRaw.SkipSrcAddress, nil, "sniffer.skip-src-address", ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in skip-src-address, error:%w", err) + } + snifferConfig.SkipSrcAddress = skipSrcAddress + + skipDstAddress, err := parseIPCIDR(snifferRaw.SkipDstAddress, nil, "sniffer.skip-src-address", ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in skip-dst-address, error:%w", err) + } + snifferConfig.SkipDstAddress = skipDstAddress skipDomain, err := parseDomain(snifferRaw.SkipDomain, nil, "sniffer.skip-domain", ruleProviders) if err != nil { return nil, fmt.Errorf("error in skip-domain, error:%w", err) } - sniffer.SkipDomain = skipDomain + snifferConfig.SkipDomain = skipDomain - return sniffer, nil + return snifferConfig, nil +} + +func parseIPCIDR(addresses []string, cidrSet *cidr.IpCidrSet, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (ipRules []C.Rule, err error) { + var rule C.Rule + for _, ipcidr := range addresses { + ipcidrLower := strings.ToLower(ipcidr) + if strings.Contains(ipcidrLower, "geoip:") { + subkeys := strings.Split(ipcidr, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, country := range subkeys { + rule, err = RC.NewGEOIP(country, adapterName, false, false) + if err != nil { + return nil, err + } + ipRules = append(ipRules, rule) + } + } else if strings.Contains(ipcidrLower, "rule-set:") { + subkeys := strings.Split(ipcidr, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, domainSetName := range subkeys { + rule, err = parseIPRuleSet(domainSetName, adapterName, ruleProviders) + if err != nil { + return nil, err + } + ipRules = append(ipRules, rule) + } + } else { + if cidrSet == nil { + cidrSet = cidr.NewIpCidrSet() + } + err = cidrSet.AddIpCidrForString(ipcidr) + if err != nil { + return nil, err + } + } + } + if !cidrSet.IsEmpty() { + err = cidrSet.Merge() + if err != nil { + return nil, err + } + rule = RP.NewIpCidrSet(cidrSet, adapterName) + ipRules = append(ipRules, rule) + } + return } func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (domainRules []C.Rule, err error) { @@ -1739,6 +1791,21 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapte return } +func parseIPRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { + if rp, ok := ruleProviders[domainSetName]; !ok { + return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + } else { + switch rp.Behavior() { + case providerTypes.Domain: + return nil, fmt.Errorf("rule provider type error, except ipcidr,actual %s", rp.Behavior()) + case providerTypes.Classical: + log.Warnln("%s provider is %s, only matching it contain ip rule", rp.Name(), rp.Behavior()) + default: + } + } + return RP.NewRuleSet(domainSetName, adapterName, true) +} + func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { if rp, ok := ruleProviders[domainSetName]; !ok { return nil, fmt.Errorf("not found rule-set: %s", domainSetName) diff --git a/docs/config.yaml b/docs/config.yaml index b67880f77b..bb60b28649 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -190,6 +190,10 @@ sniffer: override-destination: true force-domain: - +.v2ex.com + # skip-src-address: # 对于来源ip跳过嗅探 + # - 192.168.0.3/32 + # skip-dst-address: # 对于目标ip跳过嗅探 + # - 192.168.0.3/32 ## 对嗅探结果进行跳过 # skip-domain: # - Mijia Cloud diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 97072ec88d..442666f05d 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -21,7 +21,7 @@ import ( "github.com/metacubex/mihomo/component/profile" "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/resolver" - SNI "github.com/metacubex/mihomo/component/sniffer" + "github.com/metacubex/mihomo/component/sniffer" tlsC "github.com/metacubex/mihomo/component/tls" "github.com/metacubex/mihomo/component/trie" "github.com/metacubex/mihomo/component/updater" @@ -361,25 +361,17 @@ func hcCompatibleProvider(proxyProviders map[string]provider.ProxyProvider) { } -func updateSniffer(sniffer *config.Sniffer) { - if sniffer.Enable { - dispatcher, err := SNI.NewSnifferDispatcher( - sniffer.Sniffers, sniffer.ForceDomain, sniffer.SkipDomain, - sniffer.ForceDnsMapping, sniffer.ParsePureIp, - ) - if err != nil { - log.Warnln("initial sniffer failed, err:%v", err) - } +func updateSniffer(snifferConfig *sniffer.Config) { + dispatcher, err := sniffer.NewDispatcher(snifferConfig) + if err != nil { + log.Warnln("initial sniffer failed, err:%v", err) + } - tunnel.UpdateSniffer(dispatcher) + tunnel.UpdateSniffer(dispatcher) + + if snifferConfig.Enable { log.Infoln("Sniffer is loaded and working") } else { - dispatcher, err := SNI.NewCloseSnifferDispatcher() - if err != nil { - log.Warnln("initial sniffer failed, err:%v", err) - } - - tunnel.UpdateSniffer(dispatcher) log.Infoln("Sniffer is closed") } } diff --git a/tunnel/tunnel.go b/tunnel/tunnel.go index b1b417bee2..60ba03234d 100644 --- a/tunnel/tunnel.go +++ b/tunnel/tunnel.go @@ -29,18 +29,17 @@ import ( ) var ( - status = newAtomicStatus(Suspend) - tcpQueue = make(chan C.ConnContext, 200) - udpQueue = make(chan C.PacketAdapter, 200) - natTable = nat.New() - rules []C.Rule - listeners = make(map[string]C.InboundListener) - subRules map[string][]C.Rule - proxies = make(map[string]C.Proxy) - providers map[string]provider.ProxyProvider - ruleProviders map[string]provider.RuleProvider - sniffingEnable = false - configMux sync.RWMutex + status = newAtomicStatus(Suspend) + tcpQueue = make(chan C.ConnContext, 200) + udpQueue = make(chan C.PacketAdapter, 200) + natTable = nat.New() + rules []C.Rule + listeners = make(map[string]C.InboundListener) + subRules map[string][]C.Rule + proxies = make(map[string]C.Proxy) + providers map[string]provider.ProxyProvider + ruleProviders map[string]provider.RuleProvider + configMux sync.RWMutex // Outbound Rule mode = Rule @@ -52,6 +51,9 @@ var ( fakeIPRange netip.Prefix + snifferDispatcher *sniffer.Dispatcher + sniffingEnable = false + ruleUpdateCallback = utils.NewCallback[provider.RuleProvider]() ) @@ -115,7 +117,7 @@ func FakeIPRange() netip.Prefix { } func SetSniffing(b bool) { - if sniffer.Dispatcher.Enable() { + if snifferDispatcher.Enable() { configMux.Lock() sniffingEnable = b configMux.Unlock() @@ -208,9 +210,9 @@ func UpdateListeners(newListeners map[string]C.InboundListener) { listeners = newListeners } -func UpdateSniffer(dispatcher *sniffer.SnifferDispatcher) { +func UpdateSniffer(dispatcher *sniffer.Dispatcher) { configMux.Lock() - sniffer.Dispatcher = dispatcher + snifferDispatcher = dispatcher sniffingEnable = dispatcher.Enable() configMux.Unlock() } @@ -347,8 +349,8 @@ func handleUDPConn(packet C.PacketAdapter) { return } - if sniffer.Dispatcher.Enable() && sniffingEnable { - sniffer.Dispatcher.UDPSniff(packet) + if sniffingEnable && snifferDispatcher.Enable() { + snifferDispatcher.UDPSniff(packet) } // local resolve UDP dns @@ -456,10 +458,10 @@ func handleTCPConn(connCtx C.ConnContext) { conn := connCtx.Conn() conn.ResetPeeked() // reset before sniffer - if sniffer.Dispatcher.Enable() && sniffingEnable { + if sniffingEnable && snifferDispatcher.Enable() { // Try to sniff a domain when `preHandleMetadata` failed, this is usually // caused by a "Fake DNS record missing" error when enhanced-mode is fake-ip. - if sniffer.Dispatcher.TCPSniff(conn, metadata) { + if snifferDispatcher.TCPSniff(conn, metadata) { // we now have a domain name preHandleFailed = false } From 4fecf68b8ba3f6e95257607fa67af94f35bdc08e Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Wed, 28 Aug 2024 12:25:45 +0800 Subject: [PATCH 32/42] chore: add `sourceGeoIP` and `sourceIPASN` to metadata --- component/cidr/ipcidr_set.go | 8 ++ component/fakeip/pool.go | 8 +- component/fakeip/pool_test.go | 3 +- component/sniffer/dispatcher.go | 32 ++++---- component/trie/domain_set.go | 5 ++ config/config.go | 73 +++++++++--------- constant/matcher.go | 11 +++ constant/metadata.go | 2 + constant/rule.go | 6 -- dns/policy.go | 8 +- dns/resolver.go | 18 ++--- rules/common/geoip.go | 133 +++++++++++++++++++++----------- rules/common/geosite.go | 12 ++- rules/common/ipasn.go | 7 +- rules/provider/domain_set.go | 40 ---------- rules/provider/ipcidr_set.go | 40 ---------- rules/provider/rule_set.go | 14 ++++ 17 files changed, 210 insertions(+), 210 deletions(-) create mode 100644 constant/matcher.go delete mode 100644 rules/provider/domain_set.go delete mode 100644 rules/provider/ipcidr_set.go diff --git a/component/cidr/ipcidr_set.go b/component/cidr/ipcidr_set.go index 00ad7259b4..4bde96711e 100644 --- a/component/cidr/ipcidr_set.go +++ b/component/cidr/ipcidr_set.go @@ -46,6 +46,14 @@ func (set *IpCidrSet) IsContain(ip netip.Addr) bool { return set.ToIPSet().Contains(ip.WithZone("")) } +// MatchIp implements C.IpMatcher +func (set *IpCidrSet) MatchIp(ip netip.Addr) bool { + if set.IsEmpty() { + return false + } + return set.IsContain(ip) +} + func (set *IpCidrSet) Merge() error { var b netipx.IPSetBuilder b.AddSet(set.ToIPSet()) diff --git a/component/fakeip/pool.go b/component/fakeip/pool.go index 8096a868af..e2c1072254 100644 --- a/component/fakeip/pool.go +++ b/component/fakeip/pool.go @@ -35,7 +35,7 @@ type Pool struct { offset netip.Addr cycle bool mux sync.Mutex - host []C.Rule + host []C.DomainMatcher ipnet netip.Prefix store store } @@ -66,8 +66,8 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { - for _, rule := range p.host { - if match, _ := rule.Match(&C.Metadata{Host: domain}); match { + for _, matcher := range p.host { + if matcher.MatchDomain(domain) { return true } } @@ -156,7 +156,7 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix - Host []C.Rule + Host []C.DomainMatcher // Size sets the maximum number of entries in memory // and does not work if Persistence is true diff --git a/component/fakeip/pool_test.go b/component/fakeip/pool_test.go index c2e4658469..1d4fa05f0a 100644 --- a/component/fakeip/pool_test.go +++ b/component/fakeip/pool_test.go @@ -10,7 +10,6 @@ import ( "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" - RP "github.com/metacubex/mihomo/rules/provider" "github.com/metacubex/bbolt" "github.com/stretchr/testify/assert" @@ -157,7 +156,7 @@ func TestPool_Skip(t *testing.T) { pools, tempfile, err := createPools(Options{ IPNet: ipnet, Size: 10, - Host: []C.Rule{RP.NewDomainSet(tree.NewDomainSet(), "")}, + Host: []C.DomainMatcher{tree.NewDomainSet()}, }) assert.Nil(t, err) defer os.Remove(tempfile) diff --git a/component/sniffer/dispatcher.go b/component/sniffer/dispatcher.go index 8c9f692d0f..4d13ddd065 100644 --- a/component/sniffer/dispatcher.go +++ b/component/sniffer/dispatcher.go @@ -22,23 +22,23 @@ var ( type Dispatcher struct { enable bool sniffers map[sniffer.Sniffer]SnifferConfig - forceDomain []C.Rule - skipSrcAddress []C.Rule - skipDstAddress []C.Rule - skipDomain []C.Rule + forceDomain []C.DomainMatcher + skipSrcAddress []C.IpMatcher + skipDstAddress []C.IpMatcher + skipDomain []C.DomainMatcher skipList *lru.LruCache[netip.AddrPort, uint8] forceDnsMapping bool parsePureIp bool } func (sd *Dispatcher) shouldOverride(metadata *C.Metadata) bool { - for _, rule := range sd.skipDstAddress { - if ok, _ := rule.Match(&C.Metadata{DstIP: metadata.DstIP}); ok { + for _, matcher := range sd.skipDstAddress { + if matcher.MatchIp(metadata.DstIP) { return false } } - for _, rule := range sd.skipSrcAddress { - if ok, _ := rule.Match(&C.Metadata{DstIP: metadata.SrcIP}); ok { + for _, matcher := range sd.skipSrcAddress { + if matcher.MatchIp(metadata.SrcIP) { return false } } @@ -48,8 +48,8 @@ func (sd *Dispatcher) shouldOverride(metadata *C.Metadata) bool { if metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping { return true } - for _, rule := range sd.forceDomain { - if ok, _ := rule.Match(&C.Metadata{Host: metadata.Host}); ok { + for _, matcher := range sd.forceDomain { + if matcher.MatchDomain(metadata.Host) { return true } } @@ -112,8 +112,8 @@ func (sd *Dispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool return false } - for _, rule := range sd.skipDomain { - if ok, _ := rule.Match(&C.Metadata{Host: host}); ok { + for _, matcher := range sd.skipDomain { + if matcher.MatchDomain(host) { log.Debugln("[Sniffer] Skip sni[%s]", host) return false } @@ -200,10 +200,10 @@ func (sd *Dispatcher) cacheSniffFailed(metadata *C.Metadata) { type Config struct { Enable bool Sniffers map[sniffer.Type]SnifferConfig - ForceDomain []C.Rule - SkipSrcAddress []C.Rule - SkipDstAddress []C.Rule - SkipDomain []C.Rule + ForceDomain []C.DomainMatcher + SkipSrcAddress []C.IpMatcher + SkipDstAddress []C.IpMatcher + SkipDomain []C.DomainMatcher ForceDnsMapping bool ParsePureIp bool } diff --git a/component/trie/domain_set.go b/component/trie/domain_set.go index 7778d13379..3fd8041fb8 100644 --- a/component/trie/domain_set.go +++ b/component/trie/domain_set.go @@ -172,6 +172,11 @@ func (ss *DomainSet) Foreach(f func(key string) bool) { }) } +// MatchDomain implements C.DomainMatcher +func (ss *DomainSet) MatchDomain(domain string) bool { + return ss.Has(domain) +} + func setBit(bm *[]uint64, i int, v int) { for i>>6 >= len(*bm) { *bm = append(*bm, 0) diff --git a/config/config.go b/config/config.go index 7197f524b9..cd8eb469b5 100644 --- a/config/config.go +++ b/config/config.go @@ -143,8 +143,8 @@ type DNS struct { UseSystemHosts bool NameServer []dns.NameServer Fallback []dns.NameServer - FallbackIPFilter []C.Rule - FallbackDomainFilter []C.Rule + FallbackIPFilter []C.IpMatcher + FallbackDomainFilter []C.DomainMatcher Listen string EnhancedMode C.DNSMode DefaultNameserver []dns.NameServer @@ -640,7 +640,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } config.Hosts = hosts - dnsCfg, err := parseDNS(rawCfg, hosts, rules, ruleProviders) + dnsCfg, err := parseDNS(rawCfg, hosts, ruleProviders) if err != nil { return nil, err } @@ -1297,7 +1297,7 @@ func parsePureDNSServer(server string) string { } } -func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) ([]dns.Policy, error) { +func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) ([]dns.Policy, error) { var policy []dns.Policy re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`) @@ -1350,18 +1350,18 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rules [ if strings.HasPrefix(domain, "rule-set:") { domainSetName := domain[9:] - rule, err := parseDomainRuleSet(domainSetName, "dns.nameserver-policy", ruleProviders) + matcher, err := parseDomainRuleSet(domainSetName, "dns.nameserver-policy", ruleProviders) if err != nil { return nil, err } - policy[idx] = dns.Policy{Rule: rule, NameServers: nameservers} + policy[idx] = dns.Policy{Matcher: matcher, NameServers: nameservers} } else if strings.HasPrefix(domain, "geosite:") { country := domain[8:] - rule, err := RC.NewGEOSITE(country, "dns.nameserver-policy") + matcher, err := RC.NewGEOSITE(country, "dns.nameserver-policy") if err != nil { return nil, err } - policy[idx] = dns.Policy{Rule: rule, NameServers: nameservers} + policy[idx] = dns.Policy{Matcher: matcher, NameServers: nameservers} } else { if _, valid := trie.ValidAndSplitDomain(domain); !valid { return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain) @@ -1372,7 +1372,7 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rules [ return policy, nil } -func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) { +func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) { cfg := rawCfg.DNS if cfg.Enable && len(cfg.NameServer) == 0 { return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty") @@ -1400,7 +1400,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul return nil, err } - if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, rules, ruleProviders, cfg.RespectRules, cfg.PreferH3); err != nil { + if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, ruleProviders, cfg.RespectRules, cfg.PreferH3); err != nil { return nil, err } @@ -1467,14 +1467,13 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul dnsCfg.FakeIPRange = pool } - var rule C.Rule if len(cfg.Fallback) != 0 { if cfg.FallbackFilter.GeoIP { - rule, err = RC.NewGEOIP(cfg.FallbackFilter.GeoIPCode, "dns.fallback-filter.geoip", false, true) + matcher, err := RC.NewGEOIP(cfg.FallbackFilter.GeoIPCode, "dns.fallback-filter.geoip", false, true) if err != nil { return nil, fmt.Errorf("load GeoIP dns fallback filter error, %w", err) } - dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, matcher) } if len(cfg.FallbackFilter.IPCIDR) > 0 { cidrSet := cidr.NewIpCidrSet() @@ -1488,8 +1487,8 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul if err != nil { return nil, err } - rule = RP.NewIpCidrSet(cidrSet, "dns.fallback-filter.ipcidr") - dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, rule) + matcher := cidrSet // dns.fallback-filter.ipcidr + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, matcher) } if len(cfg.FallbackFilter.Domain) > 0 { domainTrie := trie.New[struct{}]() @@ -1499,17 +1498,17 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul return nil, fmt.Errorf("DNS FallbackDomain[%d] format error: %w", idx, err) } } - rule = RP.NewDomainSet(domainTrie.NewDomainSet(), "dns.fallback-filter.domain") - dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, rule) + matcher := domainTrie.NewDomainSet() // dns.fallback-filter.domain + dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, matcher) } if len(cfg.FallbackFilter.GeoSite) > 0 { log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") for idx, geoSite := range cfg.FallbackFilter.GeoSite { - rule, err = RC.NewGEOSITE(geoSite, "dns.fallback-filter.geosite") + matcher, err := RC.NewGEOSITE(geoSite, "dns.fallback-filter.geosite") if err != nil { return nil, fmt.Errorf("DNS FallbackGeosite[%d] format error: %w", idx, err) } - dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, rule) + dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, matcher) } } } @@ -1701,8 +1700,8 @@ func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes. return snifferConfig, nil } -func parseIPCIDR(addresses []string, cidrSet *cidr.IpCidrSet, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (ipRules []C.Rule, err error) { - var rule C.Rule +func parseIPCIDR(addresses []string, cidrSet *cidr.IpCidrSet, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (matchers []C.IpMatcher, err error) { + var matcher C.IpMatcher for _, ipcidr := range addresses { ipcidrLower := strings.ToLower(ipcidr) if strings.Contains(ipcidrLower, "geoip:") { @@ -1710,22 +1709,22 @@ func parseIPCIDR(addresses []string, cidrSet *cidr.IpCidrSet, adapterName string subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, country := range subkeys { - rule, err = RC.NewGEOIP(country, adapterName, false, false) + matcher, err = RC.NewGEOIP(country, adapterName, false, false) if err != nil { return nil, err } - ipRules = append(ipRules, rule) + matchers = append(matchers, matcher) } } else if strings.Contains(ipcidrLower, "rule-set:") { subkeys := strings.Split(ipcidr, ":") subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, domainSetName := range subkeys { - rule, err = parseIPRuleSet(domainSetName, adapterName, ruleProviders) + matcher, err = parseIPRuleSet(domainSetName, adapterName, ruleProviders) if err != nil { return nil, err } - ipRules = append(ipRules, rule) + matchers = append(matchers, matcher) } } else { if cidrSet == nil { @@ -1742,14 +1741,14 @@ func parseIPCIDR(addresses []string, cidrSet *cidr.IpCidrSet, adapterName string if err != nil { return nil, err } - rule = RP.NewIpCidrSet(cidrSet, adapterName) - ipRules = append(ipRules, rule) + matcher = cidrSet + matchers = append(matchers, matcher) } return } -func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (domainRules []C.Rule, err error) { - var rule C.Rule +func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (matchers []C.DomainMatcher, err error) { + var matcher C.DomainMatcher for _, domain := range domains { domainLower := strings.ToLower(domain) if strings.Contains(domainLower, "geosite:") { @@ -1757,22 +1756,22 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapte subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, country := range subkeys { - rule, err = RC.NewGEOSITE(country, adapterName) + matcher, err = RC.NewGEOSITE(country, adapterName) if err != nil { return nil, err } - domainRules = append(domainRules, rule) + matchers = append(matchers, matcher) } } else if strings.Contains(domainLower, "rule-set:") { subkeys := strings.Split(domain, ":") subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, domainSetName := range subkeys { - rule, err = parseDomainRuleSet(domainSetName, adapterName, ruleProviders) + matcher, err = parseDomainRuleSet(domainSetName, adapterName, ruleProviders) if err != nil { return nil, err } - domainRules = append(domainRules, rule) + matchers = append(matchers, matcher) } } else { if domainTrie == nil { @@ -1785,13 +1784,13 @@ func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapte } } if !domainTrie.IsEmpty() { - rule = RP.NewDomainSet(domainTrie.NewDomainSet(), adapterName) - domainRules = append(domainRules, rule) + matcher = domainTrie.NewDomainSet() + matchers = append(matchers, matcher) } return } -func parseIPRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { +func parseIPRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.IpMatcher, error) { if rp, ok := ruleProviders[domainSetName]; !ok { return nil, fmt.Errorf("not found rule-set: %s", domainSetName) } else { @@ -1806,7 +1805,7 @@ func parseIPRuleSet(domainSetName string, adapterName string, ruleProviders map[ return RP.NewRuleSet(domainSetName, adapterName, true) } -func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.Rule, error) { +func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.DomainMatcher, error) { if rp, ok := ruleProviders[domainSetName]; !ok { return nil, fmt.Errorf("not found rule-set: %s", domainSetName) } else { diff --git a/constant/matcher.go b/constant/matcher.go new file mode 100644 index 0000000000..107f843d92 --- /dev/null +++ b/constant/matcher.go @@ -0,0 +1,11 @@ +package constant + +import "net/netip" + +type DomainMatcher interface { + MatchDomain(domain string) bool +} + +type IpMatcher interface { + MatchIp(ip netip.Addr) bool +} diff --git a/constant/metadata.go b/constant/metadata.go index 381e2dd44a..04537688fd 100644 --- a/constant/metadata.go +++ b/constant/metadata.go @@ -133,7 +133,9 @@ type Metadata struct { Type Type `json:"type"` SrcIP netip.Addr `json:"sourceIP"` DstIP netip.Addr `json:"destinationIP"` + SrcGeoIP []string `json:"sourceGeoIP"` // can be nil if never queried, empty slice if got no result DstGeoIP []string `json:"destinationGeoIP"` // can be nil if never queried, empty slice if got no result + SrcIPASN string `json:"sourceIPASN"` DstIPASN string `json:"destinationIPASN"` SrcPort uint16 `json:"sourcePort,string"` // `,string` is used to compatible with old version json output DstPort uint16 `json:"destinationPort,string"` // `,string` is used to compatible with old version json output diff --git a/constant/rule.go b/constant/rule.go index 30cb2f8e11..31702ddc33 100644 --- a/constant/rule.go +++ b/constant/rule.go @@ -27,8 +27,6 @@ const ( ProcessNameRegex ProcessPathRegex RuleSet - DomainSet - IpCidrSet Network Uid SubRules @@ -92,10 +90,6 @@ func (rt RuleType) String() string { return "Match" case RuleSet: return "RuleSet" - case DomainSet: - return "DomainSet" - case IpCidrSet: - return "IpCidrSet" case Network: return "Network" case DSCP: diff --git a/dns/policy.go b/dns/policy.go index d872286c55..50dc17199b 100644 --- a/dns/policy.go +++ b/dns/policy.go @@ -21,13 +21,13 @@ func (p domainTriePolicy) Match(domain string) []dnsClient { return nil } -type domainRulePolicy struct { - rule C.Rule +type domainMatcherPolicy struct { + matcher C.DomainMatcher dnsClients []dnsClient } -func (p domainRulePolicy) Match(domain string) []dnsClient { - if ok, _ := p.rule.Match(&C.Metadata{Host: domain}); ok { +func (p domainMatcherPolicy) Match(domain string) []dnsClient { + if p.matcher.MatchDomain(domain) { return p.dnsClients } return nil diff --git a/dns/resolver.go b/dns/resolver.go index 3cc7a41e35..232f3b3367 100644 --- a/dns/resolver.go +++ b/dns/resolver.go @@ -42,8 +42,8 @@ type Resolver struct { hosts *trie.DomainTrie[resolver.HostValue] main []dnsClient fallback []dnsClient - fallbackDomainFilters []C.Rule - fallbackIPFilters []C.Rule + fallbackDomainFilters []C.DomainMatcher + fallbackIPFilters []C.IpMatcher group singleflight.Group[*D.Msg] cache dnsCache policy []dnsPolicy @@ -119,7 +119,7 @@ func (r *Resolver) LookupIPv6(ctx context.Context, host string) ([]netip.Addr, e func (r *Resolver) shouldIPFallback(ip netip.Addr) bool { for _, filter := range r.fallbackIPFilters { - if ok, _ := filter.Match(&C.Metadata{DstIP: ip}); ok { + if filter.MatchIp(ip) { return true } } @@ -275,7 +275,7 @@ func (r *Resolver) shouldOnlyQueryFallback(m *D.Msg) bool { } for _, df := range r.fallbackDomainFilters { - if ok, _ := df.Match(&C.Metadata{Host: domain}); ok { + if df.MatchDomain(domain) { return true } } @@ -398,7 +398,7 @@ func (ns NameServer) Equal(ns2 NameServer) bool { type Policy struct { Domain string - Rule C.Rule + Matcher C.DomainMatcher NameServers []NameServer } @@ -409,8 +409,8 @@ type Config struct { IPv6 bool IPv6Timeout uint EnhancedMode C.DNSMode - FallbackIPFilter []C.Rule - FallbackDomainFilter []C.Rule + FallbackIPFilter []C.IpMatcher + FallbackDomainFilter []C.DomainMatcher Pool *fakeip.Pool Hosts *trie.DomainTrie[resolver.HostValue] Policy []Policy @@ -495,8 +495,8 @@ func NewResolver(config Config) *Resolver { } for _, policy := range config.Policy { - if policy.Rule != nil { - insertPolicy(domainRulePolicy{rule: policy.Rule, dnsClients: cacheTransform(policy.NameServers)}) + if policy.Matcher != nil { + insertPolicy(domainMatcherPolicy{matcher: policy.Matcher, dnsClients: cacheTransform(policy.NameServers)}) } else { if triePolicy == nil { triePolicy = trie.New[[]dnsClient]() diff --git a/rules/common/geoip.go b/rules/common/geoip.go index 839253212a..c4f7ecf329 100644 --- a/rules/common/geoip.go +++ b/rules/common/geoip.go @@ -3,6 +3,7 @@ package common import ( "errors" "fmt" + "net/netip" "strings" "github.com/metacubex/mihomo/component/geodata" @@ -11,6 +12,8 @@ import ( "github.com/metacubex/mihomo/component/resolver" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" + + "golang.org/x/exp/slices" ) type GEOIP struct { @@ -41,52 +44,84 @@ func (g *GEOIP) Match(metadata *C.Metadata) (bool, string) { } if g.country == "lan" { - return ip.IsPrivate() || - ip.IsUnspecified() || - ip.IsLoopback() || - ip.IsMulticast() || - ip.IsLinkLocalUnicast() || - resolver.IsFakeBroadcastIP(ip), g.adapter - } - - for _, code := range metadata.DstGeoIP { - if g.country == code { - return true, g.adapter - } + return g.isLan(ip), g.adapter } - if !C.GeodataMode { + if C.GeodataMode { if g.isSourceIP { - codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) - for _, code := range codes { - if g.country == code { - return true, g.adapter - } + if slices.Contains(metadata.SrcGeoIP, g.country) { + return true, g.adapter + } + } else { + if slices.Contains(metadata.DstGeoIP, g.country) { + return true, g.adapter } - return false, g.adapter } - - if metadata.DstGeoIP != nil { - return false, g.adapter + matcher, err := g.getIPMatcher() + if err != nil { + return false, "" } - metadata.DstGeoIP = mmdb.IPInstance().LookupCode(ip.AsSlice()) - for _, code := range metadata.DstGeoIP { - if g.country == code { - return true, g.adapter + match := matcher.Match(ip) + if match { + if g.isSourceIP { + metadata.SrcGeoIP = append(metadata.SrcGeoIP, g.country) + } else { + metadata.DstGeoIP = append(metadata.DstGeoIP, g.country) } } - return false, g.adapter + return match, g.adapter } - matcher, err := g.GetIPMatcher() - if err != nil { - return false, "" + if g.isSourceIP { + if metadata.SrcGeoIP != nil { + return slices.Contains(metadata.SrcGeoIP, g.country), g.adapter + } + } else { + if metadata.DstGeoIP != nil { + return slices.Contains(metadata.DstGeoIP, g.country), g.adapter + } + } + codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) + if g.isSourceIP { + metadata.SrcGeoIP = codes + } else { + metadata.DstGeoIP = codes + } + if slices.Contains(codes, g.country) { + return true, g.adapter + } + return false, "" +} + +// MatchIp implements C.IpMatcher +func (g *GEOIP) MatchIp(ip netip.Addr) bool { + if !ip.IsValid() { + return false } - match := matcher.Match(ip) - if match && !g.isSourceIP { - metadata.DstGeoIP = append(metadata.DstGeoIP, g.country) + + if g.country == "lan" { + return g.isLan(ip) } - return match, g.adapter + + if C.GeodataMode { + matcher, err := g.getIPMatcher() + if err != nil { + return false + } + return matcher.Match(ip) + } + + codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) + return slices.Contains(codes, g.country) +} + +func (g *GEOIP) isLan(ip netip.Addr) bool { + return ip.IsPrivate() || + ip.IsUnspecified() || + ip.IsLoopback() || + ip.IsMulticast() || + ip.IsLinkLocalUnicast() || + resolver.IsFakeBroadcastIP(ip) } func (g *GEOIP) Adapter() string { @@ -106,14 +141,19 @@ func (g *GEOIP) GetCountry() string { } func (g *GEOIP) GetIPMatcher() (router.IPMatcher, error) { - if g.geodata { - geoIPMatcher, err := geodata.LoadGeoIPMatcher(g.country) - if err != nil { - return nil, fmt.Errorf("[GeoIP] %w", err) - } - return geoIPMatcher, nil + if C.GeodataMode { + return g.getIPMatcher() } - return nil, errors.New("geoip country not set") + return nil, errors.New("not geodata mode") +} + +func (g *GEOIP) getIPMatcher() (router.IPMatcher, error) { + geoIPMatcher, err := geodata.LoadGeoIPMatcher(g.country) + if err != nil { + return nil, fmt.Errorf("[GeoIP] %w", err) + } + return geoIPMatcher, nil + } func (g *GEOIP) GetRecodeSize() int { @@ -141,12 +181,13 @@ func NewGEOIP(country string, adapter string, isSrc, noResolveIP bool) (*GEOIP, return geoip, nil } - geoip.geodata = true - geoIPMatcher, err := geoip.GetIPMatcher() // test load - if err != nil { - return nil, err + if C.GeodataMode { + geoIPMatcher, err := geoip.getIPMatcher() // test load + if err != nil { + return nil, err + } + log.Infoln("Finished initial GeoIP rule %s => %s, records: %d", country, adapter, geoIPMatcher.Count()) } - log.Infoln("Finished initial GeoIP rule %s => %s, records: %d", country, adapter, geoIPMatcher.Count()) return geoip, nil } diff --git a/rules/common/geosite.go b/rules/common/geosite.go index a728e9917f..851bc8a43d 100644 --- a/rules/common/geosite.go +++ b/rules/common/geosite.go @@ -23,15 +23,19 @@ func (gs *GEOSITE) RuleType() C.RuleType { } func (gs *GEOSITE) Match(metadata *C.Metadata) (bool, string) { - domain := metadata.RuleHost() + return gs.MatchDomain(metadata.RuleHost()), gs.adapter +} + +// MatchDomain implements C.DomainMatcher +func (gs *GEOSITE) MatchDomain(domain string) bool { if len(domain) == 0 { - return false, "" + return false } matcher, err := gs.GetDomainMatcher() if err != nil { - return false, "" + return false } - return matcher.ApplyDomain(domain), gs.adapter + return matcher.ApplyDomain(domain) } func (gs *GEOSITE) Adapter() string { diff --git a/rules/common/ipasn.go b/rules/common/ipasn.go index df4b6531c6..bcff4e7251 100644 --- a/rules/common/ipasn.go +++ b/rules/common/ipasn.go @@ -28,8 +28,11 @@ func (a *ASN) Match(metadata *C.Metadata) (bool, string) { result := mmdb.ASNInstance().LookupASN(ip.AsSlice()) asnNumber := strconv.FormatUint(uint64(result.AutonomousSystemNumber), 10) - if !a.isSourceIP { - metadata.DstIPASN = asnNumber + " " + result.AutonomousSystemOrganization + ipASN := asnNumber + " " + result.AutonomousSystemOrganization + if a.isSourceIP { + metadata.SrcIPASN = ipASN + } else { + metadata.DstIPASN = ipASN } match := a.asn == asnNumber diff --git a/rules/provider/domain_set.go b/rules/provider/domain_set.go deleted file mode 100644 index 573dd10574..0000000000 --- a/rules/provider/domain_set.go +++ /dev/null @@ -1,40 +0,0 @@ -package provider - -import ( - "github.com/metacubex/mihomo/component/trie" - C "github.com/metacubex/mihomo/constant" -) - -type DomainSet struct { - *domainStrategy - adapter string -} - -func (d *DomainSet) ProviderNames() []string { - return nil -} - -func (d *DomainSet) RuleType() C.RuleType { - return C.DomainSet -} - -func (d *DomainSet) Match(metadata *C.Metadata) (bool, string) { - return d.domainStrategy.Match(metadata), d.adapter -} - -func (d *DomainSet) Adapter() string { - return d.adapter -} - -func (d *DomainSet) Payload() string { - return "" -} - -func NewDomainSet(domainSet *trie.DomainSet, adapter string) *DomainSet { - return &DomainSet{ - domainStrategy: &domainStrategy{domainSet: domainSet}, - adapter: adapter, - } -} - -var _ C.Rule = (*DomainSet)(nil) diff --git a/rules/provider/ipcidr_set.go b/rules/provider/ipcidr_set.go deleted file mode 100644 index 348b6ab0ac..0000000000 --- a/rules/provider/ipcidr_set.go +++ /dev/null @@ -1,40 +0,0 @@ -package provider - -import ( - "github.com/metacubex/mihomo/component/cidr" - C "github.com/metacubex/mihomo/constant" -) - -type IpCidrSet struct { - *ipcidrStrategy - adapter string -} - -func (d *IpCidrSet) ProviderNames() []string { - return nil -} - -func (d *IpCidrSet) RuleType() C.RuleType { - return C.IpCidrSet -} - -func (d *IpCidrSet) Match(metadata *C.Metadata) (bool, string) { - return d.ipcidrStrategy.Match(metadata), d.adapter -} - -func (d *IpCidrSet) Adapter() string { - return d.adapter -} - -func (d *IpCidrSet) Payload() string { - return "" -} - -func NewIpCidrSet(cidrSet *cidr.IpCidrSet, adapter string) *IpCidrSet { - return &IpCidrSet{ - ipcidrStrategy: &ipcidrStrategy{cidrSet: cidrSet}, - adapter: adapter, - } -} - -var _ C.Rule = (*IpCidrSet)(nil) diff --git a/rules/provider/rule_set.go b/rules/provider/rule_set.go index 04ab9943e1..23864e1240 100644 --- a/rules/provider/rule_set.go +++ b/rules/provider/rule_set.go @@ -1,6 +1,8 @@ package provider import ( + "net/netip" + C "github.com/metacubex/mihomo/constant" P "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/rules/common" @@ -35,6 +37,18 @@ func (rs *RuleSet) Match(metadata *C.Metadata) (bool, string) { return false, "" } +// MatchDomain implements C.DomainMatcher +func (rs *RuleSet) MatchDomain(domain string) bool { + ok, _ := rs.Match(&C.Metadata{Host: domain}) + return ok +} + +// MatchIp implements C.IpMatcher +func (rs *RuleSet) MatchIp(ip netip.Addr) bool { + ok, _ := rs.Match(&C.Metadata{DstIP: ip}) + return ok +} + func (rs *RuleSet) Adapter() string { return rs.adapter } From a96f72ade4d395e96e94d24d9b2b6261e21e6f98 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Thu, 29 Aug 2024 22:00:55 +0800 Subject: [PATCH 33/42] fix: geoip wrong matching logic in fallback-filter https://github.com/MetaCubeX/mihomo/issues/1478 --- config/config.go | 2 +- rules/common/geoip.go | 31 ++++++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/config/config.go b/config/config.go index cd8eb469b5..370506d4c4 100644 --- a/config/config.go +++ b/config/config.go @@ -1473,7 +1473,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul if err != nil { return nil, fmt.Errorf("load GeoIP dns fallback filter error, %w", err) } - dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, matcher) + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, matcher.DnsFallbackFilter()) } if len(cfg.FallbackFilter.IPCIDR) > 0 { cidrSet := cidr.NewIpCidrSet() diff --git a/rules/common/geoip.go b/rules/common/geoip.go index c4f7ecf329..7d6871c7eb 100644 --- a/rules/common/geoip.go +++ b/rules/common/geoip.go @@ -22,7 +22,6 @@ type GEOIP struct { adapter string noResolveIP bool isSourceIP bool - geodata bool } var _ C.Rule = (*GEOIP)(nil) @@ -115,6 +114,36 @@ func (g *GEOIP) MatchIp(ip netip.Addr) bool { return slices.Contains(codes, g.country) } +// MatchIp implements C.IpMatcher +func (g dnsFallbackFilter) MatchIp(ip netip.Addr) bool { + if !ip.IsValid() { + return false + } + + if g.isLan(ip) { // compatible with original behavior + return false + } + + if C.GeodataMode { + matcher, err := g.getIPMatcher() + if err != nil { + return false + } + return !matcher.Match(ip) + } + + codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) + return !slices.Contains(codes, g.country) +} + +type dnsFallbackFilter struct { + *GEOIP +} + +func (g *GEOIP) DnsFallbackFilter() C.IpMatcher { // for dns.fallback-filter.geoip + return dnsFallbackFilter{GEOIP: g} +} + func (g *GEOIP) isLan(ip netip.Addr) bool { return ip.IsPrivate() || ip.IsUnspecified() || From 763a127287697fe471f0e643e3bd3f5abfad85e9 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Thu, 29 Aug 2024 23:49:16 +0800 Subject: [PATCH 34/42] feat: `RULE-SET` in rules support `,src` option should only be used with `ipcidr` behavior --- config/config.go | 4 ++-- constant/metadata.go | 7 +++++++ rules/common/base.go | 14 ++++++++------ rules/parser.go | 6 +++++- rules/provider/rule_set.go | 8 +++++++- 5 files changed, 29 insertions(+), 10 deletions(-) diff --git a/config/config.go b/config/config.go index 370506d4c4..c250d3ec21 100644 --- a/config/config.go +++ b/config/config.go @@ -1802,7 +1802,7 @@ func parseIPRuleSet(domainSetName string, adapterName string, ruleProviders map[ default: } } - return RP.NewRuleSet(domainSetName, adapterName, true) + return RP.NewRuleSet(domainSetName, adapterName, false, true) } func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.DomainMatcher, error) { @@ -1817,5 +1817,5 @@ func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders default: } } - return RP.NewRuleSet(domainSetName, adapterName, true) + return RP.NewRuleSet(domainSetName, adapterName, false, true) } diff --git a/constant/metadata.go b/constant/metadata.go index 04537688fd..5436298925 100644 --- a/constant/metadata.go +++ b/constant/metadata.go @@ -302,3 +302,10 @@ func (m *Metadata) SetRemoteAddress(rawAddress string) error { return nil } + +func (m *Metadata) SwapSrcDst() { + m.SrcIP, m.DstIP = m.DstIP, m.SrcIP + m.SrcPort, m.DstPort = m.DstPort, m.SrcPort + m.SrcIPASN, m.DstIPASN = m.DstIPASN, m.SrcIPASN + m.SrcGeoIP, m.DstGeoIP = m.DstGeoIP, m.SrcGeoIP +} diff --git a/rules/common/base.go b/rules/common/base.go index 670df1d969..04e3aec510 100644 --- a/rules/common/base.go +++ b/rules/common/base.go @@ -2,11 +2,14 @@ package common import ( "errors" + + "golang.org/x/exp/slices" ) var ( errPayload = errors.New("payloadRule error") noResolve = "no-resolve" + src = "src" ) type Base struct { @@ -23,10 +26,9 @@ func (b *Base) ShouldResolveIP() bool { func (b *Base) ProviderNames() []string { return nil } func HasNoResolve(params []string) bool { - for _, p := range params { - if p == noResolve { - return true - } - } - return false + return slices.Contains(params, noResolve) +} + +func HasSrc(params []string) bool { + return slices.Contains(params, src) } diff --git a/rules/parser.go b/rules/parser.go index 9b1f552007..2189cda9f0 100644 --- a/rules/parser.go +++ b/rules/parser.go @@ -77,7 +77,11 @@ func ParseRule(tp, payload, target string, params []string, subRules map[string] parsed, parseErr = logic.NewNOT(payload, target, ParseRule) case "RULE-SET": noResolve := RC.HasNoResolve(params) - parsed, parseErr = RP.NewRuleSet(payload, target, noResolve) + isSrc := RC.HasSrc(params) + if isSrc { + noResolve = true + } + parsed, parseErr = RP.NewRuleSet(payload, target, isSrc, noResolve) case "MATCH": parsed = RC.NewMatch(target) parseErr = nil diff --git a/rules/provider/rule_set.go b/rules/provider/rule_set.go index 23864e1240..2ad0bd3d49 100644 --- a/rules/provider/rule_set.go +++ b/rules/provider/rule_set.go @@ -12,6 +12,7 @@ type RuleSet struct { *common.Base ruleProviderName string adapter string + isSrc bool noResolveIP bool shouldFindProcess bool } @@ -32,6 +33,10 @@ func (rs *RuleSet) RuleType() C.RuleType { func (rs *RuleSet) Match(metadata *C.Metadata) (bool, string) { if provider, ok := rs.getProvider(); ok { + if rs.isSrc { + metadata.SwapSrcDst() + defer metadata.SwapSrcDst() + } return provider.Match(metadata), rs.adapter } return false, "" @@ -76,11 +81,12 @@ func (rs *RuleSet) getProvider() (P.RuleProvider, bool) { return pp, ok } -func NewRuleSet(ruleProviderName string, adapter string, noResolveIP bool) (*RuleSet, error) { +func NewRuleSet(ruleProviderName string, adapter string, isSrc bool, noResolveIP bool) (*RuleSet, error) { rs := &RuleSet{ Base: &common.Base{}, ruleProviderName: ruleProviderName, adapter: adapter, + isSrc: isSrc, noResolveIP: noResolveIP, } return rs, nil From 38fd37108b22b0e937cae7743c562a2147c65cca Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Fri, 30 Aug 2024 00:04:28 +0800 Subject: [PATCH 35/42] feat: `GEOIP`,`IP-ASN`,`IP-CIDR`,`IP-CIDR6` and `IP-SUFFIX` in rules support `,src` option keep the same writing style as `RULE-SET` --- rules/common/base.go | 22 ++++++++++++++-------- rules/parser.go | 22 +++++++++------------- 2 files changed, 23 insertions(+), 21 deletions(-) diff --git a/rules/common/base.go b/rules/common/base.go index 04e3aec510..496bcaeecd 100644 --- a/rules/common/base.go +++ b/rules/common/base.go @@ -8,8 +8,12 @@ import ( var ( errPayload = errors.New("payloadRule error") - noResolve = "no-resolve" - src = "src" +) + +// params +var ( + NoResolve = "no-resolve" + Src = "src" ) type Base struct { @@ -25,10 +29,12 @@ func (b *Base) ShouldResolveIP() bool { func (b *Base) ProviderNames() []string { return nil } -func HasNoResolve(params []string) bool { - return slices.Contains(params, noResolve) -} - -func HasSrc(params []string) bool { - return slices.Contains(params, src) +func ParseParams(params []string) (isSrc bool, noResolve bool) { + isSrc = slices.Contains(params, Src) + if isSrc { + noResolve = true + } else { + noResolve = slices.Contains(params, NoResolve) + } + return } diff --git a/rules/parser.go b/rules/parser.go index 2189cda9f0..4f7ddbe14f 100644 --- a/rules/parser.go +++ b/rules/parser.go @@ -22,23 +22,23 @@ func ParseRule(tp, payload, target string, params []string, subRules map[string] case "GEOSITE": parsed, parseErr = RC.NewGEOSITE(payload, target) case "GEOIP": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewGEOIP(payload, target, false, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewGEOIP(payload, target, isSrc, noResolve) case "SRC-GEOIP": parsed, parseErr = RC.NewGEOIP(payload, target, true, true) case "IP-ASN": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewIPASN(payload, target, false, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewIPASN(payload, target, isSrc, noResolve) case "SRC-IP-ASN": parsed, parseErr = RC.NewIPASN(payload, target, true, true) case "IP-CIDR", "IP-CIDR6": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewIPCIDR(payload, target, RC.WithIPCIDRNoResolve(noResolve)) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewIPCIDR(payload, target, RC.WithIPCIDRSourceIP(isSrc), RC.WithIPCIDRNoResolve(noResolve)) case "SRC-IP-CIDR": parsed, parseErr = RC.NewIPCIDR(payload, target, RC.WithIPCIDRSourceIP(true), RC.WithIPCIDRNoResolve(true)) case "IP-SUFFIX": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewIPSuffix(payload, target, false, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewIPSuffix(payload, target, isSrc, noResolve) case "SRC-IP-SUFFIX": parsed, parseErr = RC.NewIPSuffix(payload, target, true, true) case "SRC-PORT": @@ -76,11 +76,7 @@ func ParseRule(tp, payload, target string, params []string, subRules map[string] case "NOT": parsed, parseErr = logic.NewNOT(payload, target, ParseRule) case "RULE-SET": - noResolve := RC.HasNoResolve(params) - isSrc := RC.HasSrc(params) - if isSrc { - noResolve = true - } + isSrc, noResolve := RC.ParseParams(params) parsed, parseErr = RP.NewRuleSet(payload, target, isSrc, noResolve) case "MATCH": parsed = RC.NewMatch(target) From 08ac9a3fae545d521626ecb6cb9b290e51a394b0 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Fri, 30 Aug 2024 20:09:50 +0800 Subject: [PATCH 36/42] fix: tfo ipv6 addr zone --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6a43c7302f..75aea3f03a 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 github.com/metacubex/sing-wireguard v0.0.0-20240826061955-1e4e67afe5cd - github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d + github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785 github.com/metacubex/utls v1.6.6 github.com/miekg/dns v1.1.62 github.com/mroth/weightedrand/v2 v2.1.0 diff --git a/go.sum b/go.sum index 3b059db0df..40ca026404 100644 --- a/go.sum +++ b/go.sum @@ -122,8 +122,8 @@ github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 h1:OAXiCosq github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY= github.com/metacubex/sing-wireguard v0.0.0-20240826061955-1e4e67afe5cd h1:r7alry8u4qlUFLNMwGvG1A8ZcfPM6AMSmrm6E2yKdB4= github.com/metacubex/sing-wireguard v0.0.0-20240826061955-1e4e67afe5cd/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo= -github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNvXW824QQeN7Y26uPL5249kzWKbzO9U= -github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= +github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785 h1:NNmI+ZV0DzNuqaAInRQuZFLHlWVuyHeow8jYpdKjHjo= +github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8= github.com/metacubex/utls v1.6.6/go.mod h1:+WLFUnXjcpdxXCnyX25nggw8C6YonZ8zOK2Zm/oRvdo= github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= From f6164ac1959945cc5366bf3207ec41db13966a52 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sat, 31 Aug 2024 09:59:48 +0800 Subject: [PATCH 37/42] feat: add `fake-ip-filter-mode` in `dns` https://github.com/MetaCubeX/mihomo/issues/1479 --- component/fakeip/pool.go | 11 +++++++ component/fakeip/pool_test.go | 22 +++++++++++++ config/config.go | 3 ++ constant/dns.go | 62 ++++++++++++++++++++++++++++++++++- docs/config.yaml | 3 ++ 5 files changed, 100 insertions(+), 1 deletion(-) diff --git a/component/fakeip/pool.go b/component/fakeip/pool.go index e2c1072254..12c063324b 100644 --- a/component/fakeip/pool.go +++ b/component/fakeip/pool.go @@ -36,6 +36,7 @@ type Pool struct { cycle bool mux sync.Mutex host []C.DomainMatcher + mode C.FilterMode ipnet netip.Prefix store store } @@ -66,6 +67,14 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { + should := p.shouldSkipped(domain) + if p.mode == C.FilterWhiteList { + return !should + } + return should +} + +func (p *Pool) shouldSkipped(domain string) bool { for _, matcher := range p.host { if matcher.MatchDomain(domain) { return true @@ -157,6 +166,7 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix Host []C.DomainMatcher + Mode C.FilterMode // Size sets the maximum number of entries in memory // and does not work if Persistence is true @@ -187,6 +197,7 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, + mode: options.Mode, ipnet: options.IPNet, } if options.Persistence { diff --git a/component/fakeip/pool_test.go b/component/fakeip/pool_test.go index 1d4fa05f0a..923cca574d 100644 --- a/component/fakeip/pool_test.go +++ b/component/fakeip/pool_test.go @@ -164,6 +164,28 @@ func TestPool_Skip(t *testing.T) { for _, pool := range pools { assert.True(t, pool.ShouldSkipped("example.com")) assert.False(t, pool.ShouldSkipped("foo.com")) + assert.False(t, pool.shouldSkipped("baz.com")) + } +} + +func TestPool_SkipWhiteList(t *testing.T) { + ipnet := netip.MustParsePrefix("192.168.0.1/29") + tree := trie.New[struct{}]() + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) + pools, tempfile, err := createPools(Options{ + IPNet: ipnet, + Size: 10, + Host: []C.DomainMatcher{tree.NewDomainSet()}, + Mode: C.FilterWhiteList, + }) + assert.Nil(t, err) + defer os.Remove(tempfile) + + for _, pool := range pools { + assert.False(t, pool.ShouldSkipped("example.com")) + assert.True(t, pool.ShouldSkipped("foo.com")) + assert.True(t, pool.ShouldSkipped("baz.com")) } } diff --git a/config/config.go b/config/config.go index c250d3ec21..ed30bfe452 100644 --- a/config/config.go +++ b/config/config.go @@ -205,6 +205,7 @@ type RawDNS struct { EnhancedMode C.DNSMode `yaml:"enhanced-mode" json:"enhanced-mode"` FakeIPRange string `yaml:"fake-ip-range" json:"fake-ip-range"` FakeIPFilter []string `yaml:"fake-ip-filter" json:"fake-ip-filter"` + FakeIPFilterMode C.FilterMode `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"` DefaultNameserver []string `yaml:"default-nameserver" json:"default-nameserver"` CacheAlgorithm string `yaml:"cache-algorithm" json:"cache-algorithm"` NameServerPolicy *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"` @@ -474,6 +475,7 @@ func DefaultRawConfig() *RawConfig { "www.msftnsci.com", "www.msftconnecttest.com", }, + FakeIPFilterMode: C.FilterBlackList, }, NTP: RawNTP{ Enable: false, @@ -1458,6 +1460,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPNet: fakeIPRange, Size: 1000, Host: host, + Mode: cfg.FakeIPFilterMode, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { diff --git a/constant/dns.go b/constant/dns.go index 3d97d97b71..8d038a6bbb 100644 --- a/constant/dns.go +++ b/constant/dns.go @@ -43,7 +43,9 @@ func (e DNSMode) MarshalYAML() (any, error) { // UnmarshalJSON unserialize EnhancedMode with json func (e *DNSMode) UnmarshalJSON(data []byte) error { var tp string - json.Unmarshal(data, &tp) + if err := json.Unmarshal(data, &tp); err != nil { + return err + } mode, exist := DNSModeMapping[tp] if !exist { return errors.New("invalid mode") @@ -115,6 +117,64 @@ func NewDNSPrefer(prefer string) DNSPrefer { } } +// FilterModeMapping is a mapping for FilterMode enum +var FilterModeMapping = map[string]FilterMode{ + FilterBlackList.String(): FilterBlackList, + FilterWhiteList.String(): FilterWhiteList, +} + +type FilterMode int + +const ( + FilterBlackList FilterMode = iota + FilterWhiteList +) + +func (e FilterMode) String() string { + switch e { + case FilterBlackList: + return "blacklist" + case FilterWhiteList: + return "whitelist" + default: + return "unknown" + } +} + +func (e FilterMode) MarshalYAML() (interface{}, error) { + return e.String(), nil +} + +func (e *FilterMode) UnmarshalYAML(unmarshal func(interface{}) error) error { + var tp string + if err := unmarshal(&tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +func (e FilterMode) MarshalJSON() ([]byte, error) { + return json.Marshal(e.String()) +} + +func (e *FilterMode) UnmarshalJSON(data []byte) error { + var tp string + if err := json.Unmarshal(data, &tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + type HTTPVersion string const ( diff --git a/docs/config.yaml b/docs/config.yaml index bb60b28649..1da37841cb 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -249,6 +249,9 @@ dns: - rule-set:fakeip-filter # fakeip-filter 为 geosite 中名为 fakeip-filter 的分类(需要自行保证该分类存在) - geosite:fakeip-filter + # 配置fake-ip-filter的匹配模式,默认为blacklist,即如果匹配成功不返回fake-ip + # 可设置为whitelist,即只有匹配成功才返回fake-ip + fake-ip-filter-mode: blacklist # use-hosts: true # 查询 hosts From 6306c6b58070038c99a8765576a52a3fabc06537 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sat, 31 Aug 2024 19:23:40 +0800 Subject: [PATCH 38/42] chore: add `route.ApplyConfig` for CMFA --- hub/executor/executor.go | 2 +- hub/hub.go | 46 +++-- hub/route/server.go | 226 +++++++++++++++---------- listener/sing_tun/server_android.go | 2 + listener/sing_tun/server_notandroid.go | 2 +- main.go | 2 +- 6 files changed, 168 insertions(+), 112 deletions(-) diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 442666f05d..e7e9b72c4c 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -77,7 +77,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) { return config.Parse(buf) } -// ApplyConfig dispatch configure to all parts +// ApplyConfig dispatch configure to all parts without ExternalController func ApplyConfig(cfg *config.Config, force bool) { mux.Lock() defer mux.Unlock() diff --git a/hub/hub.go b/hub/hub.go index 2a53b19793..d439d32e35 100644 --- a/hub/hub.go +++ b/hub/hub.go @@ -1,7 +1,10 @@ package hub import ( + "strings" + "github.com/metacubex/mihomo/config" + "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/hub/executor" "github.com/metacubex/mihomo/hub/route" "github.com/metacubex/mihomo/log" @@ -33,6 +36,33 @@ func WithSecret(secret string) Option { } } +// ApplyConfig dispatch configure to all parts include ExternalController +func ApplyConfig(cfg *config.Config) { + applyRoute(cfg) + executor.ApplyConfig(cfg, true) +} + +func applyRoute(cfg *config.Config) { + if features.CMFA && strings.HasSuffix(cfg.Controller.ExternalUI, ":0") { + // CMFA have set its default override value to end with ":0" for security. + // so we direct return at here + return + } + if cfg.Controller.ExternalUI != "" { + route.SetUIPath(cfg.Controller.ExternalUI) + } + route.ReCreateServer(&route.Config{ + Addr: cfg.Controller.ExternalController, + TLSAddr: cfg.Controller.ExternalControllerTLS, + UnixAddr: cfg.Controller.ExternalControllerUnix, + Secret: cfg.Controller.Secret, + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + DohServer: cfg.Controller.ExternalDohServer, + IsDebug: cfg.General.LogLevel == log.DEBUG, + }) +} + // Parse call at the beginning of mihomo func Parse(options ...Option) error { cfg, err := executor.Parse() @@ -44,20 +74,6 @@ func Parse(options ...Option) error { option(cfg) } - if cfg.Controller.ExternalUI != "" { - route.SetUIPath(cfg.Controller.ExternalUI) - } - - if cfg.Controller.ExternalController != "" { - go route.Start(cfg.Controller.ExternalController, cfg.Controller.ExternalControllerTLS, - cfg.Controller.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.Controller.ExternalDohServer, - cfg.General.LogLevel == log.DEBUG) - } - - if cfg.Controller.ExternalControllerUnix != "" { - go route.StartUnix(cfg.Controller.ExternalControllerUnix, cfg.Controller.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) - } - - executor.ApplyConfig(cfg, true) + ApplyConfig(cfg) return nil } diff --git a/hub/route/server.go b/hub/route/server.go index 165c7c6970..1605b4bf74 100644 --- a/hub/route/server.go +++ b/hub/route/server.go @@ -30,10 +30,11 @@ import ( ) var ( - serverSecret = "" - serverAddr = "" - uiPath = "" + + httpServer *http.Server + tlsServer *http.Server + unixServer *http.Server ) type Traffic struct { @@ -46,11 +47,28 @@ type Memory struct { OSLimit uint64 `json:"oslimit"` // maybe we need it in the future } +type Config struct { + Addr string + TLSAddr string + UnixAddr string + Secret string + Certificate string + PrivateKey string + DohServer string + IsDebug bool +} + +func ReCreateServer(cfg *Config) { + go start(cfg) + go startTLS(cfg) + go startUnix(cfg) +} + func SetUIPath(path string) { uiPath = C.Path.Resolve(path) } -func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { +func router(isDebug bool, secret string, dohServer string) *chi.Mux { r := chi.NewRouter() corsM := cors.New(cors.Options{ AllowedOrigins: []string{"*"}, @@ -72,8 +90,8 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { }()) } r.Group(func(r chi.Router) { - if withAuth { - r.Use(authentication) + if secret != "" { + r.Use(authentication(secret)) } r.Get("/", hello) r.Get("/logs", getLogs) @@ -111,88 +129,111 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { return r } -func Start(addr string, tlsAddr string, secret string, - certificate, privateKey string, dohServer string, isDebug bool) { - if serverAddr != "" { - return +func start(cfg *Config) { + // first stop existing server + if httpServer != nil { + _ = httpServer.Close() + httpServer = nil } - serverAddr = addr - serverSecret = secret - - if len(tlsAddr) > 0 { - go func() { - c, err := CN.ParseCert(certificate, privateKey, C.Path) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } + // handle addr + if len(cfg.Addr) > 0 { + l, err := inbound.Listen("tcp", cfg.Addr) + if err != nil { + log.Errorln("External controller listen error: %s", err) + return + } + log.Infoln("RESTful API listening at: %s", l.Addr().String()) - l, err := inbound.Listen("tcp", tlsAddr) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller serve error: %s", err) + } + httpServer = server + } +} - serverAddr = l.Addr().String() - log.Infoln("RESTful API tls listening at: %s", serverAddr) - tlsServe := &http.Server{ - Handler: router(isDebug, true, dohServer), - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{c}, - }, - } - if err = tlsServe.ServeTLS(l, "", ""); err != nil { - log.Errorln("External controller tls serve error: %s", err) - } - }() +func startTLS(cfg *Config) { + // first stop existing server + if tlsServer != nil { + _ = tlsServer.Close() + tlsServer = nil } - l, err := inbound.Listen("tcp", addr) - if err != nil { - log.Errorln("External controller listen error: %s", err) - return + // handle tlsAddr + if len(cfg.TLSAddr) > 0 { + c, err := CN.ParseCert(cfg.Certificate, cfg.PrivateKey, C.Path) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + l, err := inbound.Listen("tcp", cfg.TLSAddr) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + log.Infoln("RESTful API tls listening at: %s", l.Addr().String()) + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{c}, + }, + } + if err = server.ServeTLS(l, "", ""); err != nil { + log.Errorln("External controller tls serve error: %s", err) + } + tlsServer = server } - serverAddr = l.Addr().String() - log.Infoln("RESTful API listening at: %s", serverAddr) +} - if err = http.Serve(l, router(isDebug, true, dohServer)); err != nil { - log.Errorln("External controller serve error: %s", err) +func startUnix(cfg *Config) { + // first stop existing server + if unixServer != nil { + _ = unixServer.Close() + unixServer = nil } -} + // handle addr + if len(cfg.UnixAddr) > 0 { + addr := C.Path.Resolve(cfg.UnixAddr) + + dir := filepath.Dir(addr) + if _, err := os.Stat(dir); os.IsNotExist(err) { + if err := os.MkdirAll(dir, 0o755); err != nil { + log.Errorln("External controller unix listen error: %s", err) + return + } + } -func StartUnix(addr string, dohServer string, isDebug bool) { - addr = C.Path.Resolve(addr) + // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ + // + // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, + // a socket file is created within the filesystem. On Linux, the application is expected to unlink + // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. + // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) + // should be used to delete the socket file prior to calling bind with the same path. + _ = syscall.Unlink(addr) - dir := filepath.Dir(addr) - if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, 0o755); err != nil { + l, err := inbound.Listen("unix", addr) + if err != nil { log.Errorln("External controller unix listen error: %s", err) return } - } + log.Infoln("RESTful API unix listening at: %s", l.Addr().String()) - // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ - // - // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, - // a socket file is created within the filesystem. On Linux, the application is expected to unlink - // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. - // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) - // should be used to delete the socket file prior to calling bind with the same path. - _ = syscall.Unlink(addr) - - l, err := inbound.Listen("unix", addr) - if err != nil { - log.Errorln("External controller unix listen error: %s", err) - return + server := &http.Server{ + Handler: router(cfg.IsDebug, "", cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller unix serve error: %s", err) + } + unixServer = server } - serverAddr = l.Addr().String() - log.Infoln("RESTful API unix listening at: %s", serverAddr) - if err = http.Serve(l, router(isDebug, false, dohServer)); err != nil { - log.Errorln("External controller unix serve error: %s", err) - } } func setPrivateNetworkAccess(next http.Handler) http.Handler { @@ -210,38 +251,35 @@ func safeEuqal(a, b string) bool { return subtle.ConstantTimeCompare(aBuf, bBuf) == 1 } -func authentication(next http.Handler) http.Handler { - fn := func(w http.ResponseWriter, r *http.Request) { - if serverSecret == "" { - next.ServeHTTP(w, r) - return - } +func authentication(secret string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + fn := func(w http.ResponseWriter, r *http.Request) { + // Browser websocket not support custom header + if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { + token := r.URL.Query().Get("token") + if !safeEuqal(token, secret) { + render.Status(r, http.StatusUnauthorized) + render.JSON(w, r, ErrUnauthorized) + return + } + next.ServeHTTP(w, r) + return + } - // Browser websocket not support custom header - if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { - token := r.URL.Query().Get("token") - if !safeEuqal(token, serverSecret) { + header := r.Header.Get("Authorization") + bearer, token, found := strings.Cut(header, " ") + + hasInvalidHeader := bearer != "Bearer" + hasInvalidSecret := !found || !safeEuqal(token, secret) + if hasInvalidHeader || hasInvalidSecret { render.Status(r, http.StatusUnauthorized) render.JSON(w, r, ErrUnauthorized) return } next.ServeHTTP(w, r) - return } - - header := r.Header.Get("Authorization") - bearer, token, found := strings.Cut(header, " ") - - hasInvalidHeader := bearer != "Bearer" - hasInvalidSecret := !found || !safeEuqal(token, serverSecret) - if hasInvalidHeader || hasInvalidSecret { - render.Status(r, http.StatusUnauthorized) - render.JSON(w, r, ErrUnauthorized) - return - } - next.ServeHTTP(w, r) + return http.HandlerFunc(fn) } - return http.HandlerFunc(fn) } func hello(w http.ResponseWriter, r *http.Request) { diff --git a/listener/sing_tun/server_android.go b/listener/sing_tun/server_android.go index bd5c4bd071..d8240534ed 100644 --- a/listener/sing_tun/server_android.go +++ b/listener/sing_tun/server_android.go @@ -1,3 +1,5 @@ +//go:build android && !cmfa + package sing_tun import ( diff --git a/listener/sing_tun/server_notandroid.go b/listener/sing_tun/server_notandroid.go index 6b30ee03b2..10fd3997b4 100644 --- a/listener/sing_tun/server_notandroid.go +++ b/listener/sing_tun/server_notandroid.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android || cmfa package sing_tun diff --git a/main.go b/main.go index 06a04ca17b..c7a7acbc3b 100644 --- a/main.go +++ b/main.go @@ -135,7 +135,7 @@ func main() { return case <-hupSign: if cfg, err := executor.ParseWithPath(C.Path.Config()); err == nil { - executor.ApplyConfig(cfg, true) + hub.ApplyConfig(cfg) } else { log.Errorln("Parse config error: %s", err.Error()) } From 802267fb5b0a17bf7915b78abbb80afa407d8815 Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Sat, 31 Aug 2024 23:38:31 +0800 Subject: [PATCH 39/42] ci: better release --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b62e982000..5ba2ef6f9e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -387,18 +387,18 @@ jobs: git fetch --tags echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD)" >> $GITHUB_ENV - - name: Merge Alpha branch into Meta + - name: Force push Alpha branch to Meta run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git fetch origin Alpha:Alpha - git merge Alpha - git push origin Meta + git push origin Alpha:Meta --force env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tag the commit + - name: Tag the commit on Alpha run: | + git checkout Alpha git tag ${{ github.event.inputs.version }} git push origin ${{ github.event.inputs.version }} env: From 56fe7d5304f624e3df3c22113e8134004d136d63 Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Mon, 2 Sep 2024 11:17:35 +0800 Subject: [PATCH 40/42] chore: clean up update_ui code --- component/updater/update_ui.go | 42 +++++++++++++++------------------- config/config.go | 31 ++++++++----------------- hub/executor/executor.go | 8 +++---- hub/route/upgrade.go | 13 +++-------- 4 files changed, 35 insertions(+), 59 deletions(-) diff --git a/component/updater/update_ui.go b/component/updater/update_ui.go index a43648a9c6..b29bee9f90 100644 --- a/component/updater/update_ui.go +++ b/component/updater/update_ui.go @@ -2,7 +2,6 @@ package updater import ( "archive/zip" - "errors" "fmt" "io" "os" @@ -12,23 +11,26 @@ import ( "sync" C "github.com/metacubex/mihomo/constant" + "github.com/metacubex/mihomo/log" ) var ( - ExternalUIURL string - ExternalUIPath string - ExternalUIFolder string - ExternalUIName string -) -var ( - ErrIncompleteConf = errors.New("ExternalUI configure incomplete") + ExternalUIURL string + ExternalUIPath string + AutoUpdateUI bool ) + var xdMutex sync.Mutex func UpdateUI() error { xdMutex.Lock() defer xdMutex.Unlock() + err := prepareUIPath() + if err != nil { + return fmt.Errorf("prepare UI path failed: %w", err) + } + data, err := downloadForBytes(ExternalUIURL) if err != nil { return fmt.Errorf("can't download file: %w", err) @@ -40,7 +42,7 @@ func UpdateUI() error { } defer os.Remove(saved) - err = cleanup(ExternalUIFolder) + err = cleanup(ExternalUIPath) if err != nil { if !os.IsNotExist(err) { return fmt.Errorf("cleanup exist file error: %w", err) @@ -52,27 +54,19 @@ func UpdateUI() error { return fmt.Errorf("can't extract zip file: %w", err) } - err = os.Rename(unzipFolder, ExternalUIFolder) + err = os.Rename(unzipFolder, ExternalUIPath) if err != nil { - return fmt.Errorf("can't rename folder: %w", err) + return fmt.Errorf("rename UI folder failed: %w", err) } return nil } -func PrepareUIPath() error { - if ExternalUIPath == "" || ExternalUIURL == "" { - return ErrIncompleteConf - } - - if ExternalUIName != "" { - ExternalUIFolder = filepath.Clean(path.Join(ExternalUIPath, ExternalUIName)) - if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) { - if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil { - return err - } +func prepareUIPath() error { + if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) { + log.Infoln("dir %s does not exist, creating", ExternalUIPath) + if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil { + log.Warnln("create dir %s error: %s", ExternalUIPath, err) } - } else { - ExternalUIFolder = ExternalUIPath } return nil } diff --git a/config/config.go b/config/config.go index ed30bfe452..4490ebf6b2 100644 --- a/config/config.go +++ b/config/config.go @@ -7,7 +7,6 @@ import ( "net" "net/netip" "net/url" - "os" "path" "regexp" "strings" @@ -704,35 +703,25 @@ func parseGeneral(cfg *RawConfig) (*General, error) { } N.DisableKeepAlive = cfg.DisableKeepAlive - updater.ExternalUIPath = cfg.ExternalUI // checkout externalUI exist - if updater.ExternalUIPath != "" { - updater.ExternalUIPath = C.Path.Resolve(updater.ExternalUIPath) - if _, err := os.Stat(updater.ExternalUIPath); os.IsNotExist(err) { - defaultUIpath := path.Join(C.Path.HomeDir(), "ui") - log.Warnln("external-ui: %s does not exist, creating folder in %s", updater.ExternalUIPath, defaultUIpath) - if err := os.MkdirAll(defaultUIpath, os.ModePerm); err != nil { - return nil, err - } - updater.ExternalUIPath = defaultUIpath - cfg.ExternalUI = defaultUIpath - } + if cfg.ExternalUI != "" { + updater.AutoUpdateUI = true + updater.ExternalUIPath = C.Path.Resolve(cfg.ExternalUI) + } else { + // default externalUI path + updater.ExternalUIPath = path.Join(C.Path.HomeDir(), "ui") } + // checkout UIpath/name exist if cfg.ExternalUIName != "" { - updater.ExternalUIName = cfg.ExternalUIName - } else { - updater.ExternalUIFolder = updater.ExternalUIPath + updater.AutoUpdateUI = true + updater.ExternalUIPath = path.Join(updater.ExternalUIPath, cfg.ExternalUIName) } + if cfg.ExternalUIURL != "" { updater.ExternalUIURL = cfg.ExternalUIURL } - err := updater.PrepareUIPath() - if err != nil { - log.Errorln("PrepareUIPath error: %s", err) - } - return &General{ Inbound: Inbound{ Port: cfg.Port, diff --git a/hub/executor/executor.go b/hub/executor/executor.go index e7e9b72c4c..c83b254c96 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -381,12 +381,12 @@ func updateTunnels(tunnels []LC.Tunnel) { } func initExternalUI() { - if updater.ExternalUIFolder != "" { - dirEntries, _ := os.ReadDir(updater.ExternalUIFolder) + if updater.AutoUpdateUI { + dirEntries, _ := os.ReadDir(updater.ExternalUIPath) if len(dirEntries) > 0 { - log.Infoln("UI already exists") + log.Infoln("UI already exists, skip downloading") } else { - log.Infoln("UI not exists, downloading") + log.Infoln("External UI downloading ...") updater.UpdateUI() } } diff --git a/hub/route/upgrade.go b/hub/route/upgrade.go index db00af5c8a..76ac26a10f 100644 --- a/hub/route/upgrade.go +++ b/hub/route/upgrade.go @@ -1,7 +1,6 @@ package route import ( - "errors" "fmt" "net/http" "os" @@ -50,15 +49,9 @@ func upgradeCore(w http.ResponseWriter, r *http.Request) { func updateUI(w http.ResponseWriter, r *http.Request) { err := updater.UpdateUI() if err != nil { - if errors.Is(err, updater.ErrIncompleteConf) { - log.Warnln("%s", err) - render.Status(r, http.StatusNotImplemented) - render.JSON(w, r, newError(fmt.Sprintf("%s", err))) - } else { - log.Warnln("%s", err) - render.Status(r, http.StatusInternalServerError) - render.JSON(w, r, newError(fmt.Sprintf("%s", err))) - } + log.Warnln("%s", err) + render.Status(r, http.StatusInternalServerError) + render.JSON(w, r, newError(fmt.Sprintf("%s", err))) return } From 43f21c0b412b7a8701fe7a2ea6510c5b985a53d6 Mon Sep 17 00:00:00 2001 From: xishang0128 Date: Mon, 2 Sep 2024 16:18:28 +0800 Subject: [PATCH 41/42] fix: fallback cannot be unfixed --- hub/route/groups.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/hub/route/groups.go b/hub/route/groups.go index 30dec5f0bb..c4e9501f2d 100644 --- a/hub/route/groups.go +++ b/hub/route/groups.go @@ -60,9 +60,15 @@ func getGroupDelay(w http.ResponseWriter, r *http.Request) { return } - if proxy.(*adapter.Proxy).Type() == C.URLTest { - URLTestGroup := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.URLTest) - URLTestGroup.ForceSet("") + switch proxy.(*adapter.Proxy).Type() { + case C.URLTest: + if urlTestGroup, ok := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.URLTest); ok { + urlTestGroup.ForceSet("") + } + case C.Fallback: + if fallbackGroup, ok := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.Fallback); ok { + fallbackGroup.ForceSet("") + } } if proxy.(*adapter.Proxy).Type() != C.Selector { From faaa90f8a621499ba86f8734a05bb80edb38ada9 Mon Sep 17 00:00:00 2001 From: xishang0128 Date: Tue, 3 Sep 2024 17:55:11 +0800 Subject: [PATCH 42/42] feat: Allows passing in base64-encoded configuration strings --- hub/hub.go | 12 ++++++++-- main.go | 65 +++++++++++++++++++++++++++++++++++++++--------------- 2 files changed, 57 insertions(+), 20 deletions(-) diff --git a/hub/hub.go b/hub/hub.go index d439d32e35..04662a7b68 100644 --- a/hub/hub.go +++ b/hub/hub.go @@ -64,8 +64,16 @@ func applyRoute(cfg *config.Config) { } // Parse call at the beginning of mihomo -func Parse(options ...Option) error { - cfg, err := executor.Parse() +func Parse(configBytes []byte, options ...Option) error { + var cfg *config.Config + var err error + + if len(configBytes) != 0 { + cfg, err = executor.ParseWithBytes(configBytes) + } else { + cfg, err = executor.Parse() + } + if err != nil { return err } diff --git a/main.go b/main.go index c7a7acbc3b..26f1d2c0c2 100644 --- a/main.go +++ b/main.go @@ -1,6 +1,7 @@ package main import ( + "encoding/base64" "flag" "fmt" "os" @@ -28,6 +29,8 @@ var ( geodataMode bool homeDir string configFile string + configString string + configBytes []byte externalUI string externalController string externalControllerUnix string @@ -37,6 +40,7 @@ var ( func init() { flag.StringVar(&homeDir, "d", os.Getenv("CLASH_HOME_DIR"), "set configuration directory") flag.StringVar(&configFile, "f", os.Getenv("CLASH_CONFIG_FILE"), "specify configuration file") + flag.StringVar(&configString, "config", os.Getenv("CLASH_CONFIG_STRING"), "specify base64-encoded configuration string") flag.StringVar(&externalUI, "ext-ui", os.Getenv("CLASH_OVERRIDE_EXTERNAL_UI_DIR"), "override external ui directory") flag.StringVar(&externalController, "ext-ctl", os.Getenv("CLASH_OVERRIDE_EXTERNAL_CONTROLLER"), "override external controller address") flag.StringVar(&externalControllerUnix, "ext-ctl-unix", os.Getenv("CLASH_OVERRIDE_EXTERNAL_CONTROLLER_UNIX"), "override external controller unix address") @@ -73,29 +77,46 @@ func main() { C.SetHomeDir(homeDir) } - if configFile != "" { - if !filepath.IsAbs(configFile) { - currentDir, _ := os.Getwd() - configFile = filepath.Join(currentDir, configFile) - } - } else { - configFile = filepath.Join(C.Path.HomeDir(), C.Path.Config()) - } - C.SetConfig(configFile) - if geodataMode { C.GeodataMode = true } - if err := config.Init(C.Path.HomeDir()); err != nil { - log.Fatalln("Initial configuration directory error: %s", err.Error()) + if configString != "" { + var err error + configBytes, err = base64.StdEncoding.DecodeString(configString) + if err != nil { + log.Fatalln("Initial configuration error: %s", err.Error()) + return + } + } else { + if configFile != "" { + if !filepath.IsAbs(configFile) { + currentDir, _ := os.Getwd() + configFile = filepath.Join(currentDir, configFile) + } + } else { + configFile = filepath.Join(C.Path.HomeDir(), C.Path.Config()) + } + C.SetConfig(configFile) + + if err := config.Init(C.Path.HomeDir()); err != nil { + log.Fatalln("Initial configuration directory error: %s", err.Error()) + } } if testConfig { - if _, err := executor.Parse(); err != nil { - log.Errorln(err.Error()) - fmt.Printf("configuration file %s test failed\n", C.Path.Config()) - os.Exit(1) + if len(configBytes) != 0 { + if _, err := executor.ParseWithBytes(configBytes); err != nil { + log.Errorln(err.Error()) + fmt.Println("configuration test failed") + os.Exit(1) + } + } else { + if _, err := executor.Parse(); err != nil { + log.Errorln(err.Error()) + fmt.Printf("configuration file %s test failed\n", C.Path.Config()) + os.Exit(1) + } } fmt.Printf("configuration file %s test is successful\n", C.Path.Config()) return @@ -115,7 +136,7 @@ func main() { options = append(options, hub.WithSecret(secret)) } - if err := hub.Parse(options...); err != nil { + if err := hub.Parse(configBytes, options...); err != nil { log.Fatalln("Parse config error: %s", err.Error()) } @@ -134,11 +155,19 @@ func main() { case <-termSign: return case <-hupSign: - if cfg, err := executor.ParseWithPath(C.Path.Config()); err == nil { + var cfg *config.Config + var err error + if configString != "" { + cfg, err = executor.ParseWithBytes(configBytes) + } else { + cfg, err = executor.ParseWithPath(C.Path.Config()) + } + if err == nil { hub.ApplyConfig(cfg) } else { log.Errorln("Parse config error: %s", err.Error()) } + } } }