diff --git a/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff b/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff deleted file mode 100644 index 2c68233358..0000000000 --- a/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff +++ /dev/null @@ -1,54 +0,0 @@ -diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go -index 06e684c7116b4..b311a5c74684b 100644 ---- a/src/syscall/exec_windows.go -+++ b/src/syscall/exec_windows.go -@@ -319,17 +319,6 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle - } - } - -- var maj, min, build uint32 -- rtlGetNtVersionNumbers(&maj, &min, &build) -- isWin7 := maj < 6 || (maj == 6 && min <= 1) -- // NT kernel handles are divisible by 4, with the bottom 3 bits left as -- // a tag. The fully set tag correlates with the types of handles we're -- // concerned about here. Except, the kernel will interpret some -- // special handle values, like -1, -2, and so forth, so kernelbase.dll -- // checks to see that those bottom three bits are checked, but that top -- // bit is not checked. -- isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 } -- - p, _ := GetCurrentProcess() - parentProcess := p - if sys.ParentProcess != 0 { -@@ -338,15 +327,7 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle - fd := make([]Handle, len(attr.Files)) - for i := range attr.Files { - if attr.Files[i] > 0 { -- destinationProcessHandle := parentProcess -- -- // On Windows 7, console handles aren't real handles, and can only be duplicated -- // into the current process, not a parent one, which amounts to the same thing. -- if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) { -- destinationProcessHandle = p -- } -- -- err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS) -+ err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS) - if err != nil { - return 0, 0, err - } -@@ -377,14 +358,6 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle - - fd = append(fd, sys.AdditionalInheritedHandles...) - -- // On Windows 7, console handles aren't real handles, so don't pass them -- // through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST. -- for i := range fd { -- if isLegacyWin7ConsoleHandle(fd[i]) { -- fd[i] = 0 -- } -- } -- - // The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST - // to treat the entire list as empty, so remove NULL handles. - j := 0 \ No newline at end of file diff --git a/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff b/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff deleted file mode 100644 index ca41ec317e..0000000000 --- a/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff +++ /dev/null @@ -1,158 +0,0 @@ -diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go -index 62738e2cb1a7d..d0dcc7cc71fc0 100644 ---- a/src/crypto/rand/rand.go -+++ b/src/crypto/rand/rand.go -@@ -15,7 +15,7 @@ import "io" - // available, /dev/urandom otherwise. - // On OpenBSD and macOS, Reader uses getentropy(2). - // On other Unix-like systems, Reader reads from /dev/urandom. --// On Windows systems, Reader uses the RtlGenRandom API. -+// On Windows systems, Reader uses the ProcessPrng API. - // On JS/Wasm, Reader uses the Web Crypto API. - // On WASIP1/Wasm, Reader uses random_get from wasi_snapshot_preview1. - var Reader io.Reader -diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go -index 6c0655c72b692..7380f1f0f1e6e 100644 ---- a/src/crypto/rand/rand_windows.go -+++ b/src/crypto/rand/rand_windows.go -@@ -15,11 +15,8 @@ func init() { Reader = &rngReader{} } - - type rngReader struct{} - --func (r *rngReader) Read(b []byte) (n int, err error) { -- // RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at -- // most 1<<31-1 bytes at a time so that this works the same on 32-bit -- // and 64-bit systems. -- if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil { -+func (r *rngReader) Read(b []byte) (int, error) { -+ if err := windows.ProcessPrng(b); err != nil { - return 0, err - } - return len(b), nil -diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go -index ab4ad2ec64108..5854ca60b5cef 100644 ---- a/src/internal/syscall/windows/syscall_windows.go -+++ b/src/internal/syscall/windows/syscall_windows.go -@@ -373,7 +373,7 @@ func ErrorLoadingGetTempPath2() error { - //sys DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock - //sys CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW - --//sys RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036 -+//sys ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng - - type FILE_ID_BOTH_DIR_INFO struct { - NextEntryOffset uint32 -diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go -index e3f6d8d2a2208..5a587ad4f146c 100644 ---- a/src/internal/syscall/windows/zsyscall_windows.go -+++ b/src/internal/syscall/windows/zsyscall_windows.go -@@ -37,13 +37,14 @@ func errnoErr(e syscall.Errno) error { - } - - var ( -- modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll")) -- modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll")) -- modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll")) -- modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll")) -- modpsapi = syscall.NewLazyDLL(sysdll.Add("psapi.dll")) -- moduserenv = syscall.NewLazyDLL(sysdll.Add("userenv.dll")) -- modws2_32 = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll")) -+ modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll")) -+ modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll")) -+ modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll")) -+ modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll")) -+ modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll")) -+ modpsapi = syscall.NewLazyDLL(sysdll.Add("psapi.dll")) -+ moduserenv = syscall.NewLazyDLL(sysdll.Add("userenv.dll")) -+ modws2_32 = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll")) - - procAdjustTokenPrivileges = modadvapi32.NewProc("AdjustTokenPrivileges") - procDuplicateTokenEx = modadvapi32.NewProc("DuplicateTokenEx") -@@ -55,7 +56,7 @@ var ( - procQueryServiceStatus = modadvapi32.NewProc("QueryServiceStatus") - procRevertToSelf = modadvapi32.NewProc("RevertToSelf") - procSetTokenInformation = modadvapi32.NewProc("SetTokenInformation") -- procSystemFunction036 = modadvapi32.NewProc("SystemFunction036") -+ procProcessPrng = modbcryptprimitives.NewProc("ProcessPrng") - procGetAdaptersAddresses = modiphlpapi.NewProc("GetAdaptersAddresses") - procCreateEventW = modkernel32.NewProc("CreateEventW") - procGetACP = modkernel32.NewProc("GetACP") -@@ -179,12 +180,12 @@ func SetTokenInformation(tokenHandle syscall.Token, tokenInformationClass uint32 - return - } - --func RtlGenRandom(buf []byte) (err error) { -+func ProcessPrng(buf []byte) (err error) { - var _p0 *byte - if len(buf) > 0 { - _p0 = &buf[0] - } -- r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0) -+ r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0) - if r1 == 0 { - err = errnoErr(e1) - } -diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go -index 8ca8d7790909e..3772a864b2ff4 100644 ---- a/src/runtime/os_windows.go -+++ b/src/runtime/os_windows.go -@@ -127,15 +127,8 @@ var ( - _WriteFile, - _ stdFunction - -- // Use RtlGenRandom to generate cryptographically random data. -- // This approach has been recommended by Microsoft (see issue -- // 15589 for details). -- // The RtlGenRandom is not listed in advapi32.dll, instead -- // RtlGenRandom function can be found by searching for SystemFunction036. -- // Also some versions of Mingw cannot link to SystemFunction036 -- // when building executable as Cgo. So load SystemFunction036 -- // manually during runtime startup. -- _RtlGenRandom stdFunction -+ // Use ProcessPrng to generate cryptographically random data. -+ _ProcessPrng stdFunction - - // Load ntdll.dll manually during startup, otherwise Mingw - // links wrong printf function to cgo executable (see issue -@@ -151,11 +144,11 @@ var ( - ) - - var ( -- advapi32dll = [...]uint16{'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l', 0} -- ntdlldll = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0} -- powrprofdll = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0} -- winmmdll = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0} -- ws2_32dll = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0} -+ bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0} -+ ntdlldll = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0} -+ powrprofdll = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0} -+ winmmdll = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0} -+ ws2_32dll = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0} - ) - - // Function to be called by windows CreateThread -@@ -251,11 +244,11 @@ func windowsLoadSystemLib(name []uint16) uintptr { - } - - func loadOptionalSyscalls() { -- a32 := windowsLoadSystemLib(advapi32dll[:]) -- if a32 == 0 { -- throw("advapi32.dll not found") -+ bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:]) -+ if bcryptPrimitives == 0 { -+ throw("bcryptprimitives.dll not found") - } -- _RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000")) -+ _ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000")) - - n32 := windowsLoadSystemLib(ntdlldll[:]) - if n32 == 0 { -@@ -531,7 +524,7 @@ func osinit() { - //go:nosplit - func readRandom(r []byte) int { - n := 0 -- if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 { -+ if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 { - n = len(r) - } - return n \ No newline at end of file diff --git a/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff b/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff deleted file mode 100644 index c1fc5f6d2d..0000000000 --- a/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff +++ /dev/null @@ -1,162 +0,0 @@ -diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go -index ab8656cbbf343..28c49cc6de7e7 100644 ---- a/src/net/hook_windows.go -+++ b/src/net/hook_windows.go -@@ -14,7 +14,6 @@ var ( - testHookDialChannel = func() { time.Sleep(time.Millisecond) } // see golang.org/issue/5349 - - // Placeholders for socket system calls. -- socketFunc func(int, int, int) (syscall.Handle, error) = syscall.Socket - wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket - connectFunc func(syscall.Handle, syscall.Sockaddr) error = syscall.Connect - listenFunc func(syscall.Handle, int) error = syscall.Listen -diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go -index 0197feb3f199a..967ce6795aedb 100644 ---- a/src/net/internal/socktest/main_test.go -+++ b/src/net/internal/socktest/main_test.go -@@ -2,7 +2,7 @@ - // Use of this source code is governed by a BSD-style - // license that can be found in the LICENSE file. - --//go:build !js && !plan9 && !wasip1 -+//go:build !js && !plan9 && !wasip1 && !windows - - package socktest_test - -diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go -deleted file mode 100644 -index df1cb97784b51..0000000000000 ---- a/src/net/internal/socktest/main_windows_test.go -+++ /dev/null -@@ -1,22 +0,0 @@ --// Copyright 2015 The Go Authors. All rights reserved. --// Use of this source code is governed by a BSD-style --// license that can be found in the LICENSE file. -- --package socktest_test -- --import "syscall" -- --var ( -- socketFunc func(int, int, int) (syscall.Handle, error) -- closeFunc func(syscall.Handle) error --) -- --func installTestHooks() { -- socketFunc = sw.Socket -- closeFunc = sw.Closesocket --} -- --func uninstallTestHooks() { -- socketFunc = syscall.Socket -- closeFunc = syscall.Closesocket --} -diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go -index 8c1c862f33c9b..1c42e5c7f34b7 100644 ---- a/src/net/internal/socktest/sys_windows.go -+++ b/src/net/internal/socktest/sys_windows.go -@@ -9,38 +9,6 @@ import ( - "syscall" - ) - --// Socket wraps syscall.Socket. --func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) { -- sw.once.Do(sw.init) -- -- so := &Status{Cookie: cookie(family, sotype, proto)} -- sw.fmu.RLock() -- f, _ := sw.fltab[FilterSocket] -- sw.fmu.RUnlock() -- -- af, err := f.apply(so) -- if err != nil { -- return syscall.InvalidHandle, err -- } -- s, so.Err = syscall.Socket(family, sotype, proto) -- if err = af.apply(so); err != nil { -- if so.Err == nil { -- syscall.Closesocket(s) -- } -- return syscall.InvalidHandle, err -- } -- -- sw.smu.Lock() -- defer sw.smu.Unlock() -- if so.Err != nil { -- sw.stats.getLocked(so.Cookie).OpenFailed++ -- return syscall.InvalidHandle, so.Err -- } -- nso := sw.addLocked(s, family, sotype, proto) -- sw.stats.getLocked(nso.Cookie).Opened++ -- return s, nil --} -- - // WSASocket wraps [syscall.WSASocket]. - func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) { - sw.once.Do(sw.init) -diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go -index 07f21b72eb1fc..bc024c0bbd82d 100644 ---- a/src/net/main_windows_test.go -+++ b/src/net/main_windows_test.go -@@ -8,7 +8,6 @@ import "internal/poll" - - var ( - // Placeholders for saving original socket system calls. -- origSocket = socketFunc - origWSASocket = wsaSocketFunc - origClosesocket = poll.CloseFunc - origConnect = connectFunc -@@ -18,7 +17,6 @@ var ( - ) - - func installTestHooks() { -- socketFunc = sw.Socket - wsaSocketFunc = sw.WSASocket - poll.CloseFunc = sw.Closesocket - connectFunc = sw.Connect -@@ -28,7 +26,6 @@ func installTestHooks() { - } - - func uninstallTestHooks() { -- socketFunc = origSocket - wsaSocketFunc = origWSASocket - poll.CloseFunc = origClosesocket - connectFunc = origConnect -diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go -index fa11c7af2e727..5540135a2c43e 100644 ---- a/src/net/sock_windows.go -+++ b/src/net/sock_windows.go -@@ -19,21 +19,6 @@ func maxListenerBacklog() int { - func sysSocket(family, sotype, proto int) (syscall.Handle, error) { - s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto), - nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT) -- if err == nil { -- return s, nil -- } -- // WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some -- // old versions of Windows, see -- // https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx -- // for details. Just use syscall.Socket, if windows.WSASocket failed. -- -- // See ../syscall/exec_unix.go for description of ForkLock. -- syscall.ForkLock.RLock() -- s, err = socketFunc(family, sotype, proto) -- if err == nil { -- syscall.CloseOnExec(s) -- } -- syscall.ForkLock.RUnlock() - if err != nil { - return syscall.InvalidHandle, os.NewSyscallError("socket", err) - } -diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go -index 0a93bc0a80d4e..06e684c7116b4 100644 ---- a/src/syscall/exec_windows.go -+++ b/src/syscall/exec_windows.go -@@ -14,6 +14,7 @@ import ( - "unsafe" - ) - -+// ForkLock is not used on Windows. - var ForkLock sync.RWMutex - - // EscapeArg rewrites command line argument s as prescribed \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9b8e000a12..5ba2ef6f9e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,10 +40,10 @@ jobs: - { goos: linux, goarch: arm, goarm: '5', output: armv5 } - { goos: linux, goarch: arm, goarm: '6', output: armv6 } - { goos: linux, goarch: arm, goarm: '7', output: armv7 } - - { goos: linux, goarch: mips, mips: hardfloat, output: mips-hardfloat } - - { goos: linux, goarch: mips, mips: softfloat, output: mips-softfloat } - - { goos: linux, goarch: mipsle, mips: hardfloat, output: mipsle-hardfloat } - - { goos: linux, goarch: mipsle, mips: softfloat, output: mipsle-softfloat } + - { goos: linux, goarch: mips, gomips: hardfloat, output: mips-hardfloat } + - { goos: linux, goarch: mips, gomips: softfloat, output: mips-softfloat } + - { goos: linux, goarch: mipsle, gomips: hardfloat, output: mipsle-hardfloat } + - { goos: linux, goarch: mipsle, gomips: softfloat, output: mipsle-softfloat } - { goos: linux, goarch: mips64, output: mips64 } - { goos: linux, goarch: mips64le, output: mips64le } - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1' } @@ -67,6 +67,12 @@ jobs: - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 } - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 } + # Go 1.22 with special patch can work on Windows 7 + # https://github.com/MetaCubeX/go/commits/release-branch.go1.22/ + - { goos: windows, goarch: '386', output: '386-go122', goversion: '1.22' } + - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' } + - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' } + # Go 1.21 can revert commit `9e4385` to work on Windows 7 # https://github.com/golang/go/issues/64622#issuecomment-1847475161 # (OR we can just use golang1.21.4 which unneeded any patch) @@ -79,6 +85,11 @@ jobs: - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' } - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' } + # Go 1.22 is the last release that will run on macOS 10.15 Catalina. Go 1.23 will require macOS 11 Big Sur or later. + - { goos: darwin, goarch: arm64, output: arm64-go122, goversion: '1.22' } + - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' } + - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' } + # Go 1.20 is the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. Go 1.21 will require macOS 10.15 Catalina or later. - { goos: darwin, goarch: arm64, output: arm64-go120, goversion: '1.20' } - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' } @@ -96,7 +107,7 @@ jobs: if: ${{ matrix.jobs.goversion == '' && matrix.jobs.goarch != 'loong64' }} uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Set up Go if: ${{ matrix.jobs.goversion != '' && matrix.jobs.goarch != 'loong64' }} @@ -107,31 +118,52 @@ jobs: - name: Set up Go1.22 loongarch abi1 if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }} run: | - wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.22.0/go1.22.0.linux-amd64-abi1.tar.gz - sudo tar zxf go1.22.0.linux-amd64-abi1.tar.gz -C /usr/local + wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.22.4/go1.22.4.linux-amd64-abi1.tar.gz + sudo tar zxf go1.22.4.linux-amd64-abi1.tar.gz -C /usr/local echo "/usr/local/go/bin" >> $GITHUB_PATH - name: Set up Go1.22 loongarch abi2 if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '2' }} run: | - wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.22.0/go1.22.0.linux-amd64-abi2.tar.gz - sudo tar zxf go1.22.0.linux-amd64-abi2.tar.gz -C /usr/local + wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.22.4/go1.22.4.linux-amd64-abi2.tar.gz + sudo tar zxf go1.22.4.linux-amd64-abi2.tar.gz -C /usr/local echo "/usr/local/go/bin" >> $GITHUB_PATH + # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 + # this patch file only works on golang1.23.x + # that means after golang1.24 release it must be changed + # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/ + # revert: + # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng" + # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7" + # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround" + # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries" + - name: Revert Golang1.23 commit for Windows7/8 + if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }} + run: | + cd $(go env GOROOT) + curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1 + # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 # this patch file only works on golang1.22.x # that means after golang1.23 release it must be changed + # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.22/ # revert: # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng" # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7" # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround" + # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries" - name: Revert Golang1.22 commit for Windows7/8 - if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }} + if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.22' }} run: | cd $(go env GOROOT) - patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff - patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff - patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff + curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/7f83badcb925a7e743188041cb6e561fc9b5b642.diff | patch --verbose -p 1 + curl https://github.com/MetaCubeX/go/commit/83ff9782e024cb328b690cbf0da4e7848a327f4f.diff | patch --verbose -p 1 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557 - name: Revert Golang1.21 commit for Windows7/8 @@ -155,13 +187,14 @@ jobs: echo "BUILDTIME=$(date)" >> $GITHUB_ENV echo "CGO_ENABLED=0" >> $GITHUB_ENV echo "BUILDTAG=-extldflags --static" >> $GITHUB_ENV + echo "GOTOOLCHAIN=local" >> $GITHUB_ENV - name: Setup NDK if: ${{ matrix.jobs.goos == 'android' }} uses: nttld/setup-ndk@v1 id: setup-ndk with: - ndk-version: r26c + ndk-version: r27 - name: Set NDK path if: ${{ matrix.jobs.goos == 'android' }} @@ -174,6 +207,8 @@ jobs: if: ${{ matrix.jobs.test == 'test' }} run: | go test ./... + echo "---test with_gvisor---" + go test ./... -tags "with_gvisor" -count=1 - name: Update CA run: | @@ -186,10 +221,10 @@ jobs: GOOS: ${{matrix.jobs.goos}} GOARCH: ${{matrix.jobs.goarch}} GOAMD64: ${{matrix.jobs.goamd64}} - GOARM: ${{matrix.jobs.arm}} - GOMIPS: ${{matrix.jobs.mips}} + GOARM: ${{matrix.jobs.goarm}} + GOMIPS: ${{matrix.jobs.gomips}} run: | - echo $CGO_ENABLED + go env go build -v -tags "with_gvisor" -trimpath -ldflags "${BUILDTAG} -X 'github.com/metacubex/mihomo/constant.Version=${VERSION}' -X 'github.com/metacubex/mihomo/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" if [ "${{matrix.jobs.goos}}" = "windows" ]; then cp mihomo.exe mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}.exe @@ -352,18 +387,18 @@ jobs: git fetch --tags echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD)" >> $GITHUB_ENV - - name: Merge Alpha branch into Meta + - name: Force push Alpha branch to Meta run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git fetch origin Alpha:Alpha - git merge Alpha - git push origin Meta + git push origin Alpha:Meta --force env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tag the commit + - name: Tag the commit on Alpha run: | + git checkout Alpha git tag ${{ github.event.inputs.version }} git push origin ${{ github.event.inputs.version }} env: diff --git a/Dockerfile b/Dockerfile index 64b33cf748..67d4a6e56e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ WORKDIR /mihomo COPY bin/ bin/ RUN FILE_NAME=`sh file-name.sh` && echo $FILE_NAME && \ FILE_NAME=`ls bin/ | egrep "$FILE_NAME.gz"|awk NR==1` && echo $FILE_NAME && \ - mv bin/$FILE_NAME mihomo.gz && gzip -d mihomo.gz && echo "$FILE_NAME" > /mihomo-config/test + mv bin/$FILE_NAME mihomo.gz && gzip -d mihomo.gz && chmod +x mihomo && echo "$FILE_NAME" > /mihomo-config/test FROM alpine:latest LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/mihomo" @@ -23,5 +23,4 @@ VOLUME ["/root/.config/mihomo/"] COPY --from=builder /mihomo-config/ /root/.config/mihomo/ COPY --from=builder /mihomo/mihomo /mihomo -RUN chmod +x /mihomo ENTRYPOINT [ "/mihomo" ] diff --git a/Makefile b/Makefile index 59bec41ebf..36c640d553 100644 --- a/Makefile +++ b/Makefile @@ -163,7 +163,3 @@ clean: CLANG ?= clang-14 CFLAGS := -O2 -g -Wall -Werror $(CFLAGS) -ebpf: export BPF_CLANG := $(CLANG) -ebpf: export BPF_CFLAGS := $(CFLAGS) -ebpf: - cd component/ebpf/ && go generate ./... diff --git a/adapter/inbound/addition.go b/adapter/inbound/addition.go index ed560818d8..894910aac1 100644 --- a/adapter/inbound/addition.go +++ b/adapter/inbound/addition.go @@ -69,3 +69,5 @@ func WithDSCP(dscp uint8) Addition { metadata.DSCP = dscp } } + +func Placeholder(metadata *C.Metadata) {} diff --git a/adapter/inbound/https.go b/adapter/inbound/https.go index 55f6731a43..24b30804b7 100644 --- a/adapter/inbound/https.go +++ b/adapter/inbound/https.go @@ -11,6 +11,8 @@ import ( func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) (net.Conn, *C.Metadata) { metadata := parseHTTPAddr(request) metadata.Type = C.HTTPS + metadata.RawSrcAddr = conn.RemoteAddr() + metadata.RawDstAddr = conn.LocalAddr() ApplyAdditions(metadata, WithSrcAddr(conn.RemoteAddr()), WithInAddr(conn.LocalAddr())) ApplyAdditions(metadata, additions...) return conn, metadata diff --git a/adapter/inbound/listen.go b/adapter/inbound/listen.go index edbccea70a..1b86c811a7 100644 --- a/adapter/inbound/listen.go +++ b/adapter/inbound/listen.go @@ -3,10 +3,30 @@ package inbound import ( "context" "net" + + "github.com/metacubex/tfo-go" +) + +var ( + lc = tfo.ListenConfig{ + DisableTFO: true, + } ) +func SetTfo(open bool) { + lc.DisableTFO = !open +} + +func Tfo() bool { + return !lc.DisableTFO +} + func SetMPTCP(open bool) { - setMultiPathTCP(getListenConfig(), open) + setMultiPathTCP(&lc.ListenConfig, open) +} + +func MPTCP() bool { + return getMultiPathTCP(&lc.ListenConfig) } func ListenContext(ctx context.Context, network, address string) (net.Listener, error) { diff --git a/adapter/inbound/listen_unix.go b/adapter/inbound/listen_unix.go deleted file mode 100644 index bb78adb222..0000000000 --- a/adapter/inbound/listen_unix.go +++ /dev/null @@ -1,23 +0,0 @@ -//go:build unix - -package inbound - -import ( - "net" - - "github.com/metacubex/tfo-go" -) - -var ( - lc = tfo.ListenConfig{ - DisableTFO: true, - } -) - -func SetTfo(open bool) { - lc.DisableTFO = !open -} - -func getListenConfig() *net.ListenConfig { - return &lc.ListenConfig -} diff --git a/adapter/inbound/listen_windows.go b/adapter/inbound/listen_windows.go deleted file mode 100644 index a4223e2b58..0000000000 --- a/adapter/inbound/listen_windows.go +++ /dev/null @@ -1,15 +0,0 @@ -package inbound - -import ( - "net" -) - -var ( - lc = net.ListenConfig{} -) - -func SetTfo(open bool) {} - -func getListenConfig() *net.ListenConfig { - return &lc -} diff --git a/adapter/inbound/mptcp_go120.go b/adapter/inbound/mptcp_go120.go index f9b22533d2..faae6ec5d8 100644 --- a/adapter/inbound/mptcp_go120.go +++ b/adapter/inbound/mptcp_go120.go @@ -8,3 +8,7 @@ const multipathTCPAvailable = false func setMultiPathTCP(listenConfig *net.ListenConfig, open bool) { } + +func getMultiPathTCP(listenConfig *net.ListenConfig) bool { + return false +} diff --git a/adapter/inbound/mptcp_go121.go b/adapter/inbound/mptcp_go121.go index 6b35d1a83a..9163878a70 100644 --- a/adapter/inbound/mptcp_go121.go +++ b/adapter/inbound/mptcp_go121.go @@ -9,3 +9,7 @@ const multipathTCPAvailable = true func setMultiPathTCP(listenConfig *net.ListenConfig, open bool) { listenConfig.SetMultipathTCP(open) } + +func getMultiPathTCP(listenConfig *net.ListenConfig) bool { + return listenConfig.MultipathTCP() +} diff --git a/adapter/outbound/hysteria.go b/adapter/outbound/hysteria.go index dacffd106d..ccab16c12a 100644 --- a/adapter/outbound/hysteria.go +++ b/adapter/outbound/hysteria.go @@ -7,6 +7,7 @@ import ( "fmt" "net" "net/netip" + "runtime" "strconv" "time" @@ -14,6 +15,7 @@ import ( "github.com/metacubex/quic-go/congestion" M "github.com/sagernet/sing/common/metadata" + CN "github.com/metacubex/mihomo/common/net" "github.com/metacubex/mihomo/component/ca" "github.com/metacubex/mihomo/component/dialer" "github.com/metacubex/mihomo/component/proxydialer" @@ -43,6 +45,8 @@ type Hysteria struct { option *HysteriaOption client *core.Client + + closeCh chan struct{} // for test } func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) { @@ -51,7 +55,7 @@ func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts . return nil, err } - return NewConn(tcpConn, h), nil + return NewConn(CN.NewRefConn(tcpConn, h), h), nil } func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) { @@ -59,7 +63,7 @@ func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata if err != nil { return nil, err } - return newPacketConn(&hyPacketConn{udpConn}, h), nil + return newPacketConn(CN.NewRefPacketConn(&hyPacketConn{udpConn}, h), h), nil } func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer { @@ -218,7 +222,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { if err != nil { return nil, fmt.Errorf("hysteria %s create error: %w", addr, err) } - return &Hysteria{ + outbound := &Hysteria{ Base: &Base{ name: option.Name, addr: addr, @@ -231,7 +235,19 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { }, option: &option, client: client, - }, nil + } + runtime.SetFinalizer(outbound, closeHysteria) + + return outbound, nil +} + +func closeHysteria(h *Hysteria) { + if h.client != nil { + _ = h.client.Close() + } + if h.closeCh != nil { + close(h.closeCh) + } } type hyPacketConn struct { diff --git a/adapter/outbound/hysteria2.go b/adapter/outbound/hysteria2.go index b8abf39cc2..c1a255a766 100644 --- a/adapter/outbound/hysteria2.go +++ b/adapter/outbound/hysteria2.go @@ -38,6 +38,8 @@ type Hysteria2 struct { option *Hysteria2Option client *hysteria2.Client dialer proxydialer.SingDialer + + closeCh chan struct{} // for test } type Hysteria2Option struct { @@ -89,6 +91,9 @@ func closeHysteria2(h *Hysteria2) { if h.client != nil { _ = h.client.CloseWithError(errors.New("proxy removed")) } + if h.closeCh != nil { + close(h.closeCh) + } } func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) { diff --git a/adapter/outbound/hysteria2_test.go b/adapter/outbound/hysteria2_test.go new file mode 100644 index 0000000000..de7d82271d --- /dev/null +++ b/adapter/outbound/hysteria2_test.go @@ -0,0 +1,38 @@ +package outbound + +import ( + "context" + "runtime" + "testing" + "time" +) + +func TestHysteria2GC(t *testing.T) { + option := Hysteria2Option{} + option.Server = "127.0.0.1" + option.Ports = "200,204,401-429,501-503" + option.HopInterval = 30 + option.Password = "password" + option.Obfs = "salamander" + option.ObfsPassword = "password" + option.SNI = "example.com" + option.ALPN = []string{"h3"} + hy, err := NewHysteria2(option) + if err != nil { + t.Error(err) + return + } + closeCh := make(chan struct{}) + hy.closeCh = closeCh + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + + hy = nil + runtime.GC() + select { + case <-closeCh: + return + case <-ctx.Done(): + t.Error("timeout not GC") + } +} diff --git a/adapter/outbound/hysteria_test.go b/adapter/outbound/hysteria_test.go new file mode 100644 index 0000000000..f2297c6035 --- /dev/null +++ b/adapter/outbound/hysteria_test.go @@ -0,0 +1,39 @@ +package outbound + +import ( + "context" + "runtime" + "testing" + "time" +) + +func TestHysteriaGC(t *testing.T) { + option := HysteriaOption{} + option.Server = "127.0.0.1" + option.Ports = "200,204,401-429,501-503" + option.Protocol = "udp" + option.Up = "1Mbps" + option.Down = "1Mbps" + option.HopInterval = 30 + option.Obfs = "salamander" + option.SNI = "example.com" + option.ALPN = []string{"h3"} + hy, err := NewHysteria(option) + if err != nil { + t.Error(err) + return + } + closeCh := make(chan struct{}) + hy.closeCh = closeCh + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + + hy = nil + runtime.GC() + select { + case <-closeCh: + return + case <-ctx.Done(): + t.Error("timeout not GC") + } +} diff --git a/adapter/outbound/reject.go b/adapter/outbound/reject.go index 62f4aaa54b..a8e2100d1a 100644 --- a/adapter/outbound/reject.go +++ b/adapter/outbound/reject.go @@ -37,7 +37,7 @@ func NewRejectWithOption(option RejectOption) *Reject { return &Reject{ Base: &Base{ name: option.Name, - tp: C.Direct, + tp: C.Reject, udp: true, }, } diff --git a/adapter/outbound/vless.go b/adapter/outbound/vless.go index 43b4aa214a..b18bf4dac6 100644 --- a/adapter/outbound/vless.go +++ b/adapter/outbound/vless.go @@ -505,17 +505,14 @@ func NewVless(option VlessOption) (*Vless, error) { var addons *vless.Addons if option.Network != "ws" && len(option.Flow) >= 16 { option.Flow = option.Flow[:16] - switch option.Flow { - case vless.XRV: - log.Warnln("To use %s, ensure your server is upgrade to Xray-core v1.8.0+", vless.XRV) - addons = &vless.Addons{ - Flow: option.Flow, - } - case vless.XRO, vless.XRD, vless.XRS: - log.Fatalln("Legacy XTLS protocol %s is deprecated and no longer supported", option.Flow) - default: + if option.Flow != vless.XRV { return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow) } + + log.Warnln("To use %s, ensure your server is upgrade to Xray-core v1.8.0+", vless.XRV) + addons = &vless.Addons{ + Flow: option.Flow, + } } switch option.PacketEncoding { diff --git a/adapter/outbound/wireguard.go b/adapter/outbound/wireguard.go index 2e34dd83cd..430463845c 100644 --- a/adapter/outbound/wireguard.go +++ b/adapter/outbound/wireguard.go @@ -24,19 +24,24 @@ import ( "github.com/metacubex/mihomo/dns" "github.com/metacubex/mihomo/log" + amnezia "github.com/metacubex/amneziawg-go/device" wireguard "github.com/metacubex/sing-wireguard" + "github.com/metacubex/wireguard-go/device" - "github.com/sagernet/sing/common" "github.com/sagernet/sing/common/debug" E "github.com/sagernet/sing/common/exceptions" M "github.com/sagernet/sing/common/metadata" - "github.com/sagernet/wireguard-go/device" ) +type wireguardGoDevice interface { + Close() + IpcSet(uapiConf string) error +} + type WireGuard struct { *Base bind *wireguard.ClientBind - device *device.Device + device wireguardGoDevice tunDevice wireguard.Device dialer proxydialer.SingDialer resolver *dns.Resolver @@ -68,6 +73,8 @@ type WireGuardOption struct { UDP bool `proxy:"udp,omitempty"` PersistentKeepalive int `proxy:"persistent-keepalive,omitempty"` + AmneziaWGOption *AmneziaWGOption `proxy:"amnezia-wg-option,omitempty"` + Peers []WireGuardPeerOption `proxy:"peers,omitempty"` RemoteDnsResolve bool `proxy:"remote-dns-resolve,omitempty"` @@ -85,6 +92,18 @@ type WireGuardPeerOption struct { AllowedIPs []string `proxy:"allowed-ips,omitempty"` } +type AmneziaWGOption struct { + JC int `proxy:"jc"` + JMin int `proxy:"jmin"` + JMax int `proxy:"jmax"` + S1 int `proxy:"s1"` + S2 int `proxy:"s2"` + H1 uint32 `proxy:"h1"` + H2 uint32 `proxy:"h2"` + H3 uint32 `proxy:"h3"` + H4 uint32 `proxy:"h4"` +} + type wgSingErrorHandler struct { name string } @@ -244,14 +263,19 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) { if err != nil { return nil, E.Cause(err, "create WireGuard device") } - outbound.device = device.NewDevice(context.Background(), outbound.tunDevice, outbound.bind, &device.Logger{ + logger := &device.Logger{ Verbosef: func(format string, args ...interface{}) { log.SingLogger.Debug(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...))) }, Errorf: func(format string, args ...interface{}) { log.SingLogger.Error(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...))) }, - }, option.Workers) + } + if option.AmneziaWGOption != nil { + outbound.device = amnezia.NewDevice(outbound.tunDevice, outbound.bind, logger, option.Workers) + } else { + outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, logger, option.Workers) + } var has6 bool for _, address := range outbound.localPrefixes { @@ -368,6 +392,17 @@ func (w *WireGuard) genIpcConf(ctx context.Context, updateOnly bool) (string, er ipcConf := "" if !updateOnly { ipcConf += "private_key=" + w.option.PrivateKey + "\n" + if w.option.AmneziaWGOption != nil { + ipcConf += "jc=" + strconv.Itoa(w.option.AmneziaWGOption.JC) + "\n" + ipcConf += "jmin=" + strconv.Itoa(w.option.AmneziaWGOption.JMin) + "\n" + ipcConf += "jmax=" + strconv.Itoa(w.option.AmneziaWGOption.JMax) + "\n" + ipcConf += "s1=" + strconv.Itoa(w.option.AmneziaWGOption.S1) + "\n" + ipcConf += "s2=" + strconv.Itoa(w.option.AmneziaWGOption.S2) + "\n" + ipcConf += "h1=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H1), 10) + "\n" + ipcConf += "h2=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H2), 10) + "\n" + ipcConf += "h3=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H3), 10) + "\n" + ipcConf += "h4=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H4), 10) + "\n" + } } if len(w.option.Peers) > 0 { for i, peer := range w.option.Peers { @@ -456,7 +491,6 @@ func closeWireGuard(w *WireGuard) { if w.device != nil { w.device.Close() } - _ = common.Close(w.tunDevice) if w.closeCh != nil { close(w.closeCh) } diff --git a/adapter/outbound/wireguard_test.go b/adapter/outbound/wireguard_test.go index 20dbdbdd6b..2248bb7b1f 100644 --- a/adapter/outbound/wireguard_test.go +++ b/adapter/outbound/wireguard_test.go @@ -29,6 +29,7 @@ func TestWireGuardGC(t *testing.T) { err = wg.init(ctx) if err != nil { t.Error(err) + return } // must do a small sleep before test GC // because it maybe deadlocks if w.device.Close call too fast after w.device.Start diff --git a/adapter/outboundgroup/loadbalance.go b/adapter/outboundgroup/loadbalance.go index 4cb0db004f..738ed15479 100644 --- a/adapter/outboundgroup/loadbalance.go +++ b/adapter/outboundgroup/loadbalance.go @@ -205,7 +205,6 @@ func strategyStickySessions(url string) strategyFn { proxy := proxies[nowIdx] if proxy.AliveForTestUrl(url) { if nowIdx != idx { - lruCache.Delete(key) lruCache.Set(key, nowIdx) } @@ -215,7 +214,6 @@ func strategyStickySessions(url string) strategyFn { } } - lruCache.Delete(key) lruCache.Set(key, 0) return proxies[0] } diff --git a/adapter/outboundgroup/parser.go b/adapter/outboundgroup/parser.go index 67dc104dfb..b073c4bba7 100644 --- a/adapter/outboundgroup/parser.go +++ b/adapter/outboundgroup/parser.go @@ -69,7 +69,7 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide } if groupOption.IncludeAllProviders { - groupOption.Use = append(groupOption.Use, AllProviders...) + groupOption.Use = AllProviders } if groupOption.IncludeAllProxies { if groupOption.Filter != "" { @@ -88,6 +88,9 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide } else { groupOption.Proxies = append(groupOption.Proxies, AllProxies...) } + if len(groupOption.Proxies) == 0 && len(groupOption.Use) == 0 { + groupOption.Proxies = []string{"COMPATIBLE"} + } } if len(groupOption.Proxies) == 0 && len(groupOption.Use) == 0 { diff --git a/adapter/provider/healthcheck.go b/adapter/provider/healthcheck.go index 8b5e833851..8737ff96ae 100644 --- a/adapter/provider/healthcheck.go +++ b/adapter/provider/healthcheck.go @@ -27,6 +27,8 @@ type extraOption struct { } type HealthCheck struct { + ctx context.Context + ctxCancel context.CancelFunc url string extra map[string]*extraOption mu sync.Mutex @@ -36,7 +38,6 @@ type HealthCheck struct { lazy bool expectedStatus utils.IntRanges[uint16] lastTouch atomic.TypedValue[time.Time] - done chan struct{} singleDo *singledo.Single[struct{}] timeout time.Duration } @@ -59,7 +60,7 @@ func (hc *HealthCheck) process() { } else { log.Debugln("Skip once health check because we are lazy") } - case <-hc.done: + case <-hc.ctx.Done(): ticker.Stop() hc.stop() return @@ -146,7 +147,7 @@ func (hc *HealthCheck) check() { _, _, _ = hc.singleDo.Do(func() (struct{}, error) { id := utils.NewUUIDV4().String() log.Debugln("Start New Health Checking {%s}", id) - b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10)) + b, _ := batch.New[bool](hc.ctx, batch.WithConcurrencyNum[bool](10)) // execute default health check option := &extraOption{filters: nil, expectedStatus: hc.expectedStatus} @@ -195,7 +196,7 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex p := proxy b.Go(p.Name(), func() (bool, error) { - ctx, cancel := context.WithTimeout(context.Background(), hc.timeout) + ctx, cancel := context.WithTimeout(hc.ctx, hc.timeout) defer cancel() log.Debugln("Health Checking, proxy: %s, url: %s, id: {%s}", p.Name(), url, uid) _, _ = p.URLTest(ctx, url, expectedStatus) @@ -206,7 +207,7 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex } func (hc *HealthCheck) close() { - hc.done <- struct{}{} + hc.ctxCancel() } func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, lazy bool, expectedStatus utils.IntRanges[uint16]) *HealthCheck { @@ -217,8 +218,11 @@ func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, if timeout == 0 { timeout = 5000 } + ctx, cancel := context.WithCancel(context.Background()) return &HealthCheck{ + ctx: ctx, + ctxCancel: cancel, proxies: proxies, url: url, timeout: time.Duration(timeout) * time.Millisecond, @@ -226,7 +230,6 @@ func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, interval: time.Duration(interval) * time.Second, lazy: lazy, expectedStatus: expectedStatus, - done: make(chan struct{}, 1), singleDo: singledo.NewSingle[struct{}](time.Second), } } diff --git a/adapter/provider/parser.go b/adapter/provider/parser.go index edb6b9110a..b0db5db340 100644 --- a/adapter/provider/parser.go +++ b/adapter/provider/parser.go @@ -1,6 +1,7 @@ package provider import ( + "encoding" "errors" "fmt" "time" @@ -9,8 +10,9 @@ import ( "github.com/metacubex/mihomo/common/utils" "github.com/metacubex/mihomo/component/resource" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" types "github.com/metacubex/mihomo/constant/provider" + + "github.com/dlclark/regexp2" ) var ( @@ -27,6 +29,15 @@ type healthCheckSchema struct { ExpectedStatus string `provider:"expected-status,omitempty"` } +type OverrideProxyNameSchema struct { + // matching expression for regex replacement + Pattern *regexp2.Regexp `provider:"pattern"` + // the new content after regex matching + Target string `provider:"target"` +} + +var _ encoding.TextUnmarshaler = (*regexp2.Regexp)(nil) // ensure *regexp2.Regexp can decode direct by structure package + type OverrideSchema struct { TFO *bool `provider:"tfo,omitempty"` MPTcp *bool `provider:"mptcp,omitempty"` @@ -41,6 +52,8 @@ type OverrideSchema struct { IPVersion *string `provider:"ip-version,omitempty"` AdditionalPrefix *string `provider:"additional-prefix,omitempty"` AdditionalSuffix *string `provider:"additional-suffix,omitempty"` + + ProxyName []OverrideProxyNameSchema `provider:"proxy-name,omitempty"` } type proxyProviderSchema struct { @@ -94,11 +107,11 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide path := C.Path.GetPathByHash("proxies", schema.URL) if schema.Path != "" { path = C.Path.Resolve(schema.Path) - if !features.CMFA && !C.Path.IsSafePath(path) { + if !C.Path.IsSafePath(path) { return nil, fmt.Errorf("%w: %s", errSubPath, path) } } - vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header) + vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header, resource.DefaultHttpTimeout) default: return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type) } diff --git a/adapter/provider/patch_android.go b/adapter/provider/patch_android.go deleted file mode 100644 index e9042bdac0..0000000000 --- a/adapter/provider/patch_android.go +++ /dev/null @@ -1,36 +0,0 @@ -//go:build android && cmfa - -package provider - -import ( - "time" -) - -var ( - suspended bool -) - -type UpdatableProvider interface { - UpdatedAt() time.Time -} - -func (pp *proxySetProvider) UpdatedAt() time.Time { - return pp.Fetcher.UpdatedAt -} - -func (pp *proxySetProvider) Close() error { - pp.healthCheck.close() - pp.Fetcher.Destroy() - - return nil -} - -func (cp *compatibleProvider) Close() error { - cp.healthCheck.close() - - return nil -} - -func Suspend(s bool) { - suspended = s -} diff --git a/adapter/provider/provider.go b/adapter/provider/provider.go index 694eae436f..79a752a65e 100644 --- a/adapter/provider/provider.go +++ b/adapter/provider/provider.go @@ -18,7 +18,6 @@ import ( "github.com/metacubex/mihomo/component/resource" C "github.com/metacubex/mihomo/constant" types "github.com/metacubex/mihomo/constant/provider" - "github.com/metacubex/mihomo/log" "github.com/metacubex/mihomo/tunnel/statistic" "github.com/dlclark/regexp2" @@ -54,7 +53,7 @@ func (pp *proxySetProvider) MarshalJSON() ([]byte, error) { "proxies": pp.Proxies(), "testUrl": pp.healthCheck.url, "expectedStatus": pp.healthCheck.expectedStatus.String(), - "updatedAt": pp.UpdatedAt, + "updatedAt": pp.UpdatedAt(), "subscriptionInfo": pp.subscriptionInfo, }) } @@ -72,19 +71,15 @@ func (pp *proxySetProvider) HealthCheck() { } func (pp *proxySetProvider) Update() error { - elm, same, err := pp.Fetcher.Update() - if err == nil && !same { - pp.OnUpdate(elm) - } + _, _, err := pp.Fetcher.Update() return err } func (pp *proxySetProvider) Initial() error { - elm, err := pp.Fetcher.Initial() + _, err := pp.Fetcher.Initial() if err != nil { return err } - pp.OnUpdate(elm) pp.getSubscriptionInfo() pp.closeAllConnections() return nil @@ -98,6 +93,10 @@ func (pp *proxySetProvider) Proxies() []C.Proxy { return pp.proxies } +func (pp *proxySetProvider) Count() int { + return len(pp.proxies) +} + func (pp *proxySetProvider) Touch() { pp.healthCheck.touch() } @@ -125,8 +124,8 @@ func (pp *proxySetProvider) getSubscriptionInfo() { go func() { ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) defer cancel() - resp, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().(*resource.HTTPVehicle).Url(), - http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil, pp.Vehicle().Proxy()) + resp, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().Url(), + http.MethodGet, nil, nil, pp.Vehicle().Proxy()) if err != nil { return } @@ -134,7 +133,7 @@ func (pp *proxySetProvider) getSubscriptionInfo() { userInfoStr := strings.TrimSpace(resp.Header.Get("subscription-userinfo")) if userInfoStr == "" { - resp2, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().(*resource.HTTPVehicle).Url(), + resp2, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().Url(), http.MethodGet, http.Header{"User-Agent": {"Quantumultx"}}, nil, pp.Vehicle().Proxy()) if err != nil { return @@ -145,10 +144,7 @@ func (pp *proxySetProvider) getSubscriptionInfo() { return } } - pp.subscriptionInfo, err = NewSubscriptionInfo(userInfoStr) - if err != nil { - log.Warnln("[Provider] get subscription-userinfo: %e", err) - } + pp.subscriptionInfo = NewSubscriptionInfo(userInfoStr) }() } @@ -164,9 +160,9 @@ func (pp *proxySetProvider) closeAllConnections() { }) } -func stopProxyProvider(pd *ProxySetProvider) { - pd.healthCheck.close() - _ = pd.Fetcher.Destroy() +func (pp *proxySetProvider) Close() error { + pp.healthCheck.close() + return pp.Fetcher.Close() } func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) { @@ -200,10 +196,15 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg, dialerProxy, override), proxiesOnUpdate(pd)) pd.Fetcher = fetcher wrapper := &ProxySetProvider{pd} - runtime.SetFinalizer(wrapper, stopProxyProvider) + runtime.SetFinalizer(wrapper, (*ProxySetProvider).Close) return wrapper, nil } +func (pp *ProxySetProvider) Close() error { + runtime.SetFinalizer(pp, nil) + return pp.proxySetProvider.Close() +} + // CompatibleProvider for auto gc type CompatibleProvider struct { *compatibleProvider @@ -262,6 +263,10 @@ func (cp *compatibleProvider) Proxies() []C.Proxy { return cp.proxies } +func (cp *compatibleProvider) Count() int { + return len(cp.proxies) +} + func (cp *compatibleProvider) Touch() { cp.healthCheck.touch() } @@ -274,8 +279,9 @@ func (cp *compatibleProvider) RegisterHealthCheckTask(url string, expectedStatus cp.healthCheck.registerHealthCheckTask(url, expectedStatus, filter, interval) } -func stopCompatibleProvider(pd *CompatibleProvider) { - pd.healthCheck.close() +func (cp *compatibleProvider) Close() error { + cp.healthCheck.close() + return nil } func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*CompatibleProvider, error) { @@ -294,10 +300,15 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co } wrapper := &CompatibleProvider{pd} - runtime.SetFinalizer(wrapper, stopCompatibleProvider) + runtime.SetFinalizer(wrapper, (*CompatibleProvider).Close) return wrapper, nil } +func (cp *CompatibleProvider) Close() error { + runtime.SetFinalizer(cp, nil) + return cp.compatibleProvider.Close() +} + func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) { return func(elm []C.Proxy) { pd.setProxies(elm) @@ -388,6 +399,16 @@ func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray case "additional-suffix": name := mapping["name"].(string) mapping["name"] = name + *field.Interface().(*string) + case "proxy-name": + // Iterate through all naming replacement rules and perform the replacements. + for _, expr := range override.ProxyName { + name := mapping["name"].(string) + newName, err := expr.Pattern.Replace(name, expr.Target, 0, -1) + if err != nil { + return nil, fmt.Errorf("proxy name replace error: %w", err) + } + mapping["name"] = newName + } default: mapping[fieldName] = field.Elem().Interface() } diff --git a/adapter/provider/subscription_info.go b/adapter/provider/subscription_info.go index 3a9e2d72c7..b72c7b6161 100644 --- a/adapter/provider/subscription_info.go +++ b/adapter/provider/subscription_info.go @@ -1,8 +1,11 @@ package provider import ( + "fmt" "strconv" "strings" + + "github.com/metacubex/mihomo/log" ) type SubscriptionInfo struct { @@ -12,28 +15,46 @@ type SubscriptionInfo struct { Expire int64 } -func NewSubscriptionInfo(userinfo string) (si *SubscriptionInfo, err error) { +func NewSubscriptionInfo(userinfo string) (si *SubscriptionInfo) { userinfo = strings.ToLower(userinfo) userinfo = strings.ReplaceAll(userinfo, " ", "") si = new(SubscriptionInfo) + for _, field := range strings.Split(userinfo, ";") { - switch name, value, _ := strings.Cut(field, "="); name { + name, value, ok := strings.Cut(field, "=") + if !ok { + continue + } + + intValue, err := parseValue(value) + if err != nil { + log.Warnln("[Provider] get subscription-userinfo: %e", err) + continue + } + + switch name { case "upload": - si.Upload, err = strconv.ParseInt(value, 10, 64) + si.Upload = intValue case "download": - si.Download, err = strconv.ParseInt(value, 10, 64) + si.Download = intValue case "total": - si.Total, err = strconv.ParseInt(value, 10, 64) + si.Total = intValue case "expire": - if value == "" { - si.Expire = 0 - } else { - si.Expire, err = strconv.ParseInt(value, 10, 64) - } - } - if err != nil { - return + si.Expire = intValue } } - return + + return si +} + +func parseValue(value string) (int64, error) { + if intValue, err := strconv.ParseInt(value, 10, 64); err == nil { + return intValue, nil + } + + if floatValue, err := strconv.ParseFloat(value, 64); err == nil { + return int64(floatValue), nil + } + + return 0, fmt.Errorf("failed to parse value '%s'", value) } diff --git a/common/arc/arc.go b/common/arc/arc.go index da78b1c1a0..8d44a180a7 100644 --- a/common/arc/arc.go +++ b/common/arc/arc.go @@ -33,15 +33,8 @@ type ARC[K comparable, V any] struct { // New returns a new Adaptive Replacement Cache (ARC). func New[K comparable, V any](options ...Option[K, V]) *ARC[K, V] { - arc := &ARC[K, V]{ - p: 0, - t1: list.New[*entry[K, V]](), - b1: list.New[*entry[K, V]](), - t2: list.New[*entry[K, V]](), - b2: list.New[*entry[K, V]](), - len: 0, - cache: make(map[K]*entry[K, V]), - } + arc := &ARC[K, V]{} + arc.Clear() for _, option := range options { option(arc) @@ -49,6 +42,19 @@ func New[K comparable, V any](options ...Option[K, V]) *ARC[K, V] { return arc } +func (a *ARC[K, V]) Clear() { + a.mutex.Lock() + defer a.mutex.Unlock() + + a.p = 0 + a.t1 = list.New[*entry[K, V]]() + a.b1 = list.New[*entry[K, V]]() + a.t2 = list.New[*entry[K, V]]() + a.b2 = list.New[*entry[K, V]]() + a.len = 0 + a.cache = make(map[K]*entry[K, V]) +} + // Set inserts a new key-value pair into the cache. // This optimizes future access to this entry (side effect). func (a *ARC[K, V]) Set(key K, value V) { diff --git a/common/lru/lrucache.go b/common/lru/lrucache.go index 6f32ed18b1..4afe8e0c35 100644 --- a/common/lru/lrucache.go +++ b/common/lru/lrucache.go @@ -68,10 +68,8 @@ type LruCache[K comparable, V any] struct { // New creates an LruCache func New[K comparable, V any](options ...Option[K, V]) *LruCache[K, V] { - lc := &LruCache[K, V]{ - lru: list.New[*entry[K, V]](), - cache: make(map[K]*list.Element[*entry[K, V]]), - } + lc := &LruCache[K, V]{} + lc.Clear() for _, option := range options { option(lc) @@ -80,6 +78,14 @@ func New[K comparable, V any](options ...Option[K, V]) *LruCache[K, V] { return lc } +func (c *LruCache[K, V]) Clear() { + c.mu.Lock() + defer c.mu.Unlock() + + c.lru = list.New[*entry[K, V]]() + c.cache = make(map[K]*list.Element[*entry[K, V]]) +} + // Get returns any representation of a cached response and a bool // set to true if the key was found. func (c *LruCache[K, V]) Get(key K) (V, bool) { @@ -223,6 +229,10 @@ func (c *LruCache[K, V]) Delete(key K) { c.mu.Lock() defer c.mu.Unlock() + c.delete(key) +} + +func (c *LruCache[K, V]) delete(key K) { if le, ok := c.cache[key]; ok { c.deleteElement(le) } @@ -246,13 +256,32 @@ func (c *LruCache[K, V]) deleteElement(le *list.Element[*entry[K, V]]) { } } -func (c *LruCache[K, V]) Clear() error { +// Compute either sets the computed new value for the key or deletes +// the value for the key. When the delete result of the valueFn function +// is set to true, the value will be deleted, if it exists. When delete +// is set to false, the value is updated to the newValue. +// The ok result indicates whether value was computed and stored, thus, is +// present in the map. The actual result contains the new value in cases where +// the value was computed and stored. +func (c *LruCache[K, V]) Compute( + key K, + valueFn func(oldValue V, loaded bool) (newValue V, delete bool), +) (actual V, ok bool) { c.mu.Lock() defer c.mu.Unlock() - c.cache = make(map[K]*list.Element[*entry[K, V]]) - - return nil + if el := c.get(key); el != nil { + actual, ok = el.value, true + } + if newValue, del := valueFn(actual, ok); del { + if ok { // data not in cache, so needn't delete + c.delete(key) + } + return lo.Empty[V](), false + } else { + c.set(key, newValue) + return newValue, true + } } type entry[K comparable, V any] struct { diff --git a/common/net/tcp_keepalive.go b/common/net/tcp_keepalive.go new file mode 100644 index 0000000000..047a1c05eb --- /dev/null +++ b/common/net/tcp_keepalive.go @@ -0,0 +1,23 @@ +package net + +import ( + "net" + "runtime" + "time" +) + +var ( + KeepAliveIdle = 0 * time.Second + KeepAliveInterval = 0 * time.Second + DisableKeepAlive = false +) + +func TCPKeepAlive(c net.Conn) { + if tcp, ok := c.(*net.TCPConn); ok { + if runtime.GOOS == "android" || DisableKeepAlive { + _ = tcp.SetKeepAlive(false) + } else { + tcpKeepAlive(tcp) + } + } +} diff --git a/common/net/tcp_keepalive_go122.go b/common/net/tcp_keepalive_go122.go new file mode 100644 index 0000000000..1287316868 --- /dev/null +++ b/common/net/tcp_keepalive_go122.go @@ -0,0 +1,10 @@ +//go:build !go1.23 + +package net + +import "net" + +func tcpKeepAlive(tcp *net.TCPConn) { + _ = tcp.SetKeepAlive(true) + _ = tcp.SetKeepAlivePeriod(KeepAliveInterval) +} diff --git a/common/net/tcp_keepalive_go123.go b/common/net/tcp_keepalive_go123.go new file mode 100644 index 0000000000..2dd4754bbe --- /dev/null +++ b/common/net/tcp_keepalive_go123.go @@ -0,0 +1,19 @@ +//go:build go1.23 + +package net + +import "net" + +func tcpKeepAlive(tcp *net.TCPConn) { + config := net.KeepAliveConfig{ + Enable: true, + Idle: KeepAliveIdle, + Interval: KeepAliveInterval, + } + if !SupportTCPKeepAliveCount() { + // it's recommended to set both Idle and Interval to non-negative values in conjunction with a -1 + // for Count on those old Windows if you intend to customize the TCP keep-alive settings. + config.Count = -1 + } + _ = tcp.SetKeepAliveConfig(config) +} diff --git a/common/net/tcp_keepalive_go123_unix.go b/common/net/tcp_keepalive_go123_unix.go new file mode 100644 index 0000000000..0ead7ca472 --- /dev/null +++ b/common/net/tcp_keepalive_go123_unix.go @@ -0,0 +1,15 @@ +//go:build go1.23 && unix + +package net + +func SupportTCPKeepAliveIdle() bool { + return true +} + +func SupportTCPKeepAliveInterval() bool { + return true +} + +func SupportTCPKeepAliveCount() bool { + return true +} diff --git a/common/net/tcp_keepalive_go123_windows.go b/common/net/tcp_keepalive_go123_windows.go new file mode 100644 index 0000000000..8f1e61f959 --- /dev/null +++ b/common/net/tcp_keepalive_go123_windows.go @@ -0,0 +1,63 @@ +//go:build go1.23 && windows + +// copy and modify from golang1.23's internal/syscall/windows/version_windows.go + +package net + +import ( + "errors" + "sync" + "syscall" + + "github.com/metacubex/mihomo/constant/features" + + "golang.org/x/sys/windows" +) + +var ( + supportTCPKeepAliveIdle bool + supportTCPKeepAliveInterval bool + supportTCPKeepAliveCount bool +) + +var initTCPKeepAlive = sync.OnceFunc(func() { + s, err := windows.WSASocket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_TCP, nil, 0, windows.WSA_FLAG_NO_HANDLE_INHERIT) + if err != nil { + // Fallback to checking the Windows version. + major, build := features.WindowsMajorVersion, features.WindowsBuildNumber + supportTCPKeepAliveIdle = major >= 10 && build >= 16299 + supportTCPKeepAliveInterval = major >= 10 && build >= 16299 + supportTCPKeepAliveCount = major >= 10 && build >= 15063 + return + } + defer windows.Closesocket(s) + var optSupported = func(opt int) bool { + err := windows.SetsockoptInt(s, syscall.IPPROTO_TCP, opt, 1) + return !errors.Is(err, syscall.WSAENOPROTOOPT) + } + supportTCPKeepAliveIdle = optSupported(windows.TCP_KEEPIDLE) + supportTCPKeepAliveInterval = optSupported(windows.TCP_KEEPINTVL) + supportTCPKeepAliveCount = optSupported(windows.TCP_KEEPCNT) +}) + +// SupportTCPKeepAliveIdle indicates whether TCP_KEEPIDLE is supported. +// The minimal requirement is Windows 10.0.16299. +func SupportTCPKeepAliveIdle() bool { + initTCPKeepAlive() + return supportTCPKeepAliveIdle +} + +// SupportTCPKeepAliveInterval indicates whether TCP_KEEPINTVL is supported. +// The minimal requirement is Windows 10.0.16299. +func SupportTCPKeepAliveInterval() bool { + initTCPKeepAlive() + return supportTCPKeepAliveInterval +} + +// SupportTCPKeepAliveCount indicates whether TCP_KEEPCNT is supported. +// supports TCP_KEEPCNT. +// The minimal requirement is Windows 10.0.15063. +func SupportTCPKeepAliveCount() bool { + initTCPKeepAlive() + return supportTCPKeepAliveCount +} diff --git a/common/net/tcpip.go b/common/net/tcpip.go index 0499e54c17..a84e7e4c4f 100644 --- a/common/net/tcpip.go +++ b/common/net/tcpip.go @@ -4,11 +4,8 @@ import ( "fmt" "net" "strings" - "time" ) -var KeepAliveInterval = 15 * time.Second - func SplitNetworkType(s string) (string, string, error) { var ( shecme string @@ -47,10 +44,3 @@ func SplitHostPort(s string) (host, port string, hasPort bool, err error) { host, port, err = net.SplitHostPort(temp) return } - -func TCPKeepAlive(c net.Conn) { - if tcp, ok := c.(*net.TCPConn); ok { - _ = tcp.SetKeepAlive(true) - _ = tcp.SetKeepAlivePeriod(KeepAliveInterval) - } -} diff --git a/common/nnip/netip.go b/common/nnip/netip.go index e456613888..b987bb457f 100644 --- a/common/nnip/netip.go +++ b/common/nnip/netip.go @@ -51,3 +51,23 @@ func UnMasked(p netip.Prefix) netip.Addr { } return addr } + +// PrefixCompare returns an integer comparing two prefixes. +// The result will be 0 if p == p2, -1 if p < p2, and +1 if p > p2. +// modify from https://github.com/golang/go/issues/61642#issuecomment-1848587909 +func PrefixCompare(p, p2 netip.Prefix) int { + // compare by validity, address family and prefix base address + if c := p.Masked().Addr().Compare(p2.Masked().Addr()); c != 0 { + return c + } + // compare by prefix length + f1, f2 := p.Bits(), p2.Bits() + if f1 < f2 { + return -1 + } + if f1 > f2 { + return 1 + } + // compare by prefix address + return p.Addr().Compare(p2.Addr()) +} diff --git a/common/queue/queue.go b/common/queue/queue.go index cb58e2f5a2..d1b6beebe5 100644 --- a/common/queue/queue.go +++ b/common/queue/queue.go @@ -59,8 +59,8 @@ func (q *Queue[T]) Copy() []T { // Len returns the number of items in this queue. func (q *Queue[T]) Len() int64 { - q.lock.Lock() - defer q.lock.Unlock() + q.lock.RLock() + defer q.lock.RUnlock() return int64(len(q.items)) } diff --git a/common/singleflight/singleflight.go b/common/singleflight/singleflight.go new file mode 100644 index 0000000000..e31c4eb6fb --- /dev/null +++ b/common/singleflight/singleflight.go @@ -0,0 +1,224 @@ +// copy and modify from "golang.org/x/sync/singleflight" + +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package singleflight provides a duplicate function call suppression +// mechanism. +package singleflight + +import ( + "bytes" + "errors" + "fmt" + "runtime" + "runtime/debug" + "sync" +) + +// errGoexit indicates the runtime.Goexit was called in +// the user given function. +var errGoexit = errors.New("runtime.Goexit was called") + +// A panicError is an arbitrary value recovered from a panic +// with the stack trace during the execution of given function. +type panicError struct { + value interface{} + stack []byte +} + +// Error implements error interface. +func (p *panicError) Error() string { + return fmt.Sprintf("%v\n\n%s", p.value, p.stack) +} + +func (p *panicError) Unwrap() error { + err, ok := p.value.(error) + if !ok { + return nil + } + + return err +} + +func newPanicError(v interface{}) error { + stack := debug.Stack() + + // The first line of the stack trace is of the form "goroutine N [status]:" + // but by the time the panic reaches Do the goroutine may no longer exist + // and its status will have changed. Trim out the misleading line. + if line := bytes.IndexByte(stack[:], '\n'); line >= 0 { + stack = stack[line+1:] + } + return &panicError{value: v, stack: stack} +} + +// call is an in-flight or completed singleflight.Do call +type call[T any] struct { + wg sync.WaitGroup + + // These fields are written once before the WaitGroup is done + // and are only read after the WaitGroup is done. + val T + err error + + // These fields are read and written with the singleflight + // mutex held before the WaitGroup is done, and are read but + // not written after the WaitGroup is done. + dups int + chans []chan<- Result[T] +} + +// Group represents a class of work and forms a namespace in +// which units of work can be executed with duplicate suppression. +type Group[T any] struct { + mu sync.Mutex // protects m + m map[string]*call[T] // lazily initialized + + StoreResult bool +} + +// Result holds the results of Do, so they can be passed +// on a channel. +type Result[T any] struct { + Val T + Err error + Shared bool +} + +// Do executes and returns the results of the given function, making +// sure that only one execution is in-flight for a given key at a +// time. If a duplicate comes in, the duplicate caller waits for the +// original to complete and receives the same results. +// The return value shared indicates whether v was given to multiple callers. +func (g *Group[T]) Do(key string, fn func() (T, error)) (v T, err error, shared bool) { + g.mu.Lock() + if g.m == nil { + g.m = make(map[string]*call[T]) + } + if c, ok := g.m[key]; ok { + c.dups++ + g.mu.Unlock() + c.wg.Wait() + + if e, ok := c.err.(*panicError); ok { + panic(e) + } else if c.err == errGoexit { + runtime.Goexit() + } + return c.val, c.err, true + } + c := new(call[T]) + c.wg.Add(1) + g.m[key] = c + g.mu.Unlock() + + g.doCall(c, key, fn) + return c.val, c.err, c.dups > 0 +} + +// DoChan is like Do but returns a channel that will receive the +// results when they are ready. +// +// The returned channel will not be closed. +func (g *Group[T]) DoChan(key string, fn func() (T, error)) <-chan Result[T] { + ch := make(chan Result[T], 1) + g.mu.Lock() + if g.m == nil { + g.m = make(map[string]*call[T]) + } + if c, ok := g.m[key]; ok { + c.dups++ + c.chans = append(c.chans, ch) + g.mu.Unlock() + return ch + } + c := &call[T]{chans: []chan<- Result[T]{ch}} + c.wg.Add(1) + g.m[key] = c + g.mu.Unlock() + + go g.doCall(c, key, fn) + + return ch +} + +// doCall handles the single call for a key. +func (g *Group[T]) doCall(c *call[T], key string, fn func() (T, error)) { + normalReturn := false + recovered := false + + // use double-defer to distinguish panic from runtime.Goexit, + // more details see https://golang.org/cl/134395 + defer func() { + // the given function invoked runtime.Goexit + if !normalReturn && !recovered { + c.err = errGoexit + } + + g.mu.Lock() + defer g.mu.Unlock() + c.wg.Done() + if g.m[key] == c && !g.StoreResult { + delete(g.m, key) + } + + if e, ok := c.err.(*panicError); ok { + // In order to prevent the waiting channels from being blocked forever, + // needs to ensure that this panic cannot be recovered. + if len(c.chans) > 0 { + go panic(e) + select {} // Keep this goroutine around so that it will appear in the crash dump. + } else { + panic(e) + } + } else if c.err == errGoexit { + // Already in the process of goexit, no need to call again + } else { + // Normal return + for _, ch := range c.chans { + ch <- Result[T]{c.val, c.err, c.dups > 0} + } + } + }() + + func() { + defer func() { + if !normalReturn { + // Ideally, we would wait to take a stack trace until we've determined + // whether this is a panic or a runtime.Goexit. + // + // Unfortunately, the only way we can distinguish the two is to see + // whether the recover stopped the goroutine from terminating, and by + // the time we know that, the part of the stack trace relevant to the + // panic has been discarded. + if r := recover(); r != nil { + c.err = newPanicError(r) + } + } + }() + + c.val, c.err = fn() + normalReturn = true + }() + + if !normalReturn { + recovered = true + } +} + +// Forget tells the singleflight to forget about a key. Future calls +// to Do for this key will call the function rather than waiting for +// an earlier call to complete. +func (g *Group[T]) Forget(key string) { + g.mu.Lock() + delete(g.m, key) + g.mu.Unlock() +} + +func (g *Group[T]) Reset() { + g.mu.Lock() + g.m = nil + g.mu.Unlock() +} diff --git a/common/structure/structure.go b/common/structure/structure.go index fde223090a..99c980bc4c 100644 --- a/common/structure/structure.go +++ b/common/structure/structure.go @@ -3,6 +3,7 @@ package structure // references: https://github.com/mitchellh/mapstructure import ( + "encoding" "encoding/base64" "fmt" "reflect" @@ -86,35 +87,41 @@ func (d *Decoder) Decode(src map[string]any, dst any) error { } func (d *Decoder) decode(name string, data any, val reflect.Value) error { - kind := val.Kind() - switch { - case isInt(kind): - return d.decodeInt(name, data, val) - case isUint(kind): - return d.decodeUint(name, data, val) - case isFloat(kind): - return d.decodeFloat(name, data, val) - } - switch kind { - case reflect.Pointer: - if val.IsNil() { + for { + kind := val.Kind() + if kind == reflect.Pointer && val.IsNil() { val.Set(reflect.New(val.Type().Elem())) } - return d.decode(name, data, val.Elem()) - case reflect.String: - return d.decodeString(name, data, val) - case reflect.Bool: - return d.decodeBool(name, data, val) - case reflect.Slice: - return d.decodeSlice(name, data, val) - case reflect.Map: - return d.decodeMap(name, data, val) - case reflect.Interface: - return d.setInterface(name, data, val) - case reflect.Struct: - return d.decodeStruct(name, data, val) - default: - return fmt.Errorf("type %s not support", val.Kind().String()) + if ok, err := d.decodeTextUnmarshaller(name, data, val); ok { + return err + } + switch { + case isInt(kind): + return d.decodeInt(name, data, val) + case isUint(kind): + return d.decodeUint(name, data, val) + case isFloat(kind): + return d.decodeFloat(name, data, val) + } + switch kind { + case reflect.Pointer: + val = val.Elem() + continue + case reflect.String: + return d.decodeString(name, data, val) + case reflect.Bool: + return d.decodeBool(name, data, val) + case reflect.Slice: + return d.decodeSlice(name, data, val) + case reflect.Map: + return d.decodeMap(name, data, val) + case reflect.Interface: + return d.setInterface(name, data, val) + case reflect.Struct: + return d.decodeStruct(name, data, val) + default: + return fmt.Errorf("type %s not support", val.Kind().String()) + } } } @@ -553,3 +560,25 @@ func (d *Decoder) setInterface(name string, data any, val reflect.Value) (err er val.Set(dataVal) return nil } + +func (d *Decoder) decodeTextUnmarshaller(name string, data any, val reflect.Value) (bool, error) { + if !val.CanAddr() { + return false, nil + } + valAddr := val.Addr() + if !valAddr.CanInterface() { + return false, nil + } + unmarshaller, ok := valAddr.Interface().(encoding.TextUnmarshaler) + if !ok { + return false, nil + } + var str string + if err := d.decodeString(name, data, reflect.Indirect(reflect.ValueOf(&str))); err != nil { + return false, err + } + if err := unmarshaller.UnmarshalText([]byte(str)); err != nil { + return true, fmt.Errorf("cannot parse '%s' as %s: %s", name, val.Type(), err) + } + return true, nil +} diff --git a/common/structure/structure_test.go b/common/structure/structure_test.go index 9f31d3d111..e5fe693d79 100644 --- a/common/structure/structure_test.go +++ b/common/structure/structure_test.go @@ -1,6 +1,7 @@ package structure import ( + "strconv" "testing" "github.com/stretchr/testify/assert" @@ -179,3 +180,90 @@ func TestStructure_SliceNilValueComplex(t *testing.T) { err = decoder.Decode(rawMap, ss) assert.NotNil(t, err) } + +func TestStructure_SliceCap(t *testing.T) { + rawMap := map[string]any{ + "foo": []string{}, + } + + s := &struct { + Foo []string `test:"foo,omitempty"` + Bar []string `test:"bar,omitempty"` + }{} + + err := decoder.Decode(rawMap, s) + assert.Nil(t, err) + assert.NotNil(t, s.Foo) // structure's Decode will ensure value not nil when input has value even it was set an empty array + assert.Nil(t, s.Bar) +} + +func TestStructure_Base64(t *testing.T) { + rawMap := map[string]any{ + "foo": "AQID", + } + + s := &struct { + Foo []byte `test:"foo"` + }{} + + err := decoder.Decode(rawMap, s) + assert.Nil(t, err) + assert.Equal(t, []byte{1, 2, 3}, s.Foo) +} + +func TestStructure_Pointer(t *testing.T) { + rawMap := map[string]any{ + "foo": "foo", + } + + s := &struct { + Foo *string `test:"foo,omitempty"` + Bar *string `test:"bar,omitempty"` + }{} + + err := decoder.Decode(rawMap, s) + assert.Nil(t, err) + assert.NotNil(t, s.Foo) + assert.Equal(t, "foo", *s.Foo) + assert.Nil(t, s.Bar) +} + +type num struct { + a int +} + +func (n *num) UnmarshalText(text []byte) (err error) { + n.a, err = strconv.Atoi(string(text)) + return +} + +func TestStructure_TextUnmarshaller(t *testing.T) { + rawMap := map[string]any{ + "num": "255", + "num_p": "127", + } + + s := &struct { + Num num `test:"num"` + NumP *num `test:"num_p"` + }{} + + err := decoder.Decode(rawMap, s) + assert.Nil(t, err) + assert.Equal(t, 255, s.Num.a) + assert.NotNil(t, s.NumP) + assert.Equal(t, s.NumP.a, 127) + + // test WeaklyTypedInput + rawMap["num"] = 256 + err = decoder.Decode(rawMap, s) + assert.NotNilf(t, err, "should throw error: %#v", s) + err = weakTypeDecoder.Decode(rawMap, s) + assert.Nil(t, err) + assert.Equal(t, 256, s.Num.a) + + // test invalid input + rawMap["num_p"] = "abc" + err = decoder.Decode(rawMap, s) + assert.NotNilf(t, err, "should throw error: %#v", s) +} diff --git a/common/utils/callback.go b/common/utils/callback.go index df950d3a81..ad734c0fd6 100644 --- a/common/utils/callback.go +++ b/common/utils/callback.go @@ -17,8 +17,8 @@ func NewCallback[T any]() *Callback[T] { } func (c *Callback[T]) Register(item func(T)) io.Closer { - c.mutex.RLock() - defer c.mutex.RUnlock() + c.mutex.Lock() + defer c.mutex.Unlock() element := c.list.PushBack(item) return &callbackCloser[T]{ element: element, diff --git a/component/cidr/ipcidr_set.go b/component/cidr/ipcidr_set.go index 521fabab13..4bde96711e 100644 --- a/component/cidr/ipcidr_set.go +++ b/component/cidr/ipcidr_set.go @@ -46,6 +46,14 @@ func (set *IpCidrSet) IsContain(ip netip.Addr) bool { return set.ToIPSet().Contains(ip.WithZone("")) } +// MatchIp implements C.IpMatcher +func (set *IpCidrSet) MatchIp(ip netip.Addr) bool { + if set.IsEmpty() { + return false + } + return set.IsContain(ip) +} + func (set *IpCidrSet) Merge() error { var b netipx.IPSetBuilder b.AddSet(set.ToIPSet()) @@ -57,6 +65,20 @@ func (set *IpCidrSet) Merge() error { return nil } +func (set *IpCidrSet) IsEmpty() bool { + return set == nil || len(set.rr) == 0 +} + +func (set *IpCidrSet) Foreach(f func(prefix netip.Prefix) bool) { + for _, r := range set.rr { + for _, prefix := range r.Prefixes() { + if !f(prefix) { + return + } + } + } +} + // ToIPSet not safe convert to *netipx.IPSet // be careful, must be used after Merge func (set *IpCidrSet) ToIPSet() *netipx.IPSet { diff --git a/component/cidr/ipcidr_set_bin.go b/component/cidr/ipcidr_set_bin.go new file mode 100644 index 0000000000..f6a0348856 --- /dev/null +++ b/component/cidr/ipcidr_set_bin.go @@ -0,0 +1,77 @@ +package cidr + +import ( + "encoding/binary" + "errors" + "io" + "net/netip" + + "go4.org/netipx" +) + +func (ss *IpCidrSet) WriteBin(w io.Writer) (err error) { + // version + _, err = w.Write([]byte{1}) + if err != nil { + return err + } + + // rr + err = binary.Write(w, binary.BigEndian, int64(len(ss.rr))) + if err != nil { + return err + } + for _, r := range ss.rr { + err = binary.Write(w, binary.BigEndian, r.From().As16()) + if err != nil { + return err + } + err = binary.Write(w, binary.BigEndian, r.To().As16()) + if err != nil { + return err + } + } + + return nil +} + +func ReadIpCidrSet(r io.Reader) (ss *IpCidrSet, err error) { + // version + version := make([]byte, 1) + _, err = io.ReadFull(r, version) + if err != nil { + return nil, err + } + if version[0] != 1 { + return nil, errors.New("version is invalid") + } + + ss = NewIpCidrSet() + var length int64 + + // rr + err = binary.Read(r, binary.BigEndian, &length) + if err != nil { + return nil, err + } + if length < 1 { + return nil, errors.New("length is invalid") + } + ss.rr = make([]netipx.IPRange, length) + for i := int64(0); i < length; i++ { + var a16 [16]byte + err = binary.Read(r, binary.BigEndian, &a16) + if err != nil { + return nil, err + } + from := netip.AddrFrom16(a16).Unmap() + err = binary.Read(r, binary.BigEndian, &a16) + if err != nil { + return nil, err + } + to := netip.AddrFrom16(a16).Unmap() + ss.rr[i] = netipx.IPRangeFrom(from, to) + } + + return ss, nil +} diff --git a/component/dialer/dialer.go b/component/dialer/dialer.go index 54a1aa6ac7..41f79b8e52 100644 --- a/component/dialer/dialer.go +++ b/component/dialer/dialer.go @@ -13,7 +13,6 @@ import ( "time" "github.com/metacubex/mihomo/component/resolver" - "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/log" ) @@ -79,29 +78,29 @@ func DialContext(ctx context.Context, network, address string, options ...Option } func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort, options ...Option) (net.PacketConn, error) { - if features.CMFA && DefaultSocketHook != nil { - return listenPacketHooked(ctx, network, address) - } - cfg := applyOptions(options...) lc := &net.ListenConfig{} - if cfg.interfaceName != "" { - bind := bindIfaceToListenConfig - if cfg.fallbackBind { - bind = fallbackBindIfaceToListenConfig - } - addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort) - if err != nil { - return nil, err - } - address = addr - } if cfg.addrReuse { addrReuseToListenConfig(lc) } - if cfg.routingMark != 0 { - bindMarkToListenConfig(cfg.routingMark, lc, network, address) + if DefaultSocketHook != nil { // ignore interfaceName, routingMark when DefaultSocketHook not null (in CMFA) + socketHookToListenConfig(lc) + } else { + if cfg.interfaceName != "" { + bind := bindIfaceToListenConfig + if cfg.fallbackBind { + bind = fallbackBindIfaceToListenConfig + } + addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort) + if err != nil { + return nil, err + } + address = addr + } + if cfg.routingMark != 0 { + bindMarkToListenConfig(cfg.routingMark, lc, network, address) + } } return lc.ListenPacket(ctx, network, address) @@ -127,10 +126,6 @@ func GetTcpConcurrent() bool { } func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) { - if features.CMFA && DefaultSocketHook != nil { - return dialContextHooked(ctx, network, destination, port) - } - var address string if IP4PEnable { destination, port = lookupIP4P(destination, port) @@ -149,24 +144,30 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po } dialer := netDialer.(*net.Dialer) - if opt.interfaceName != "" { - bind := bindIfaceToDialer - if opt.fallbackBind { - bind = fallbackBindIfaceToDialer - } - if err := bind(opt.interfaceName, dialer, network, destination); err != nil { - return nil, err - } - } - if opt.routingMark != 0 { - bindMarkToDialer(opt.routingMark, dialer, network, destination) - } if opt.mpTcp { setMultiPathTCP(dialer) } - if opt.tfo && !DisableTFO { - return dialTFO(ctx, *dialer, network, address) + + if DefaultSocketHook != nil { // ignore interfaceName, routingMark and tfo when DefaultSocketHook not null (in CMFA) + socketHookToToDialer(dialer) + } else { + if opt.interfaceName != "" { + bind := bindIfaceToDialer + if opt.fallbackBind { + bind = fallbackBindIfaceToDialer + } + if err := bind(opt.interfaceName, dialer, network, destination); err != nil { + return nil, err + } + } + if opt.routingMark != 0 { + bindMarkToDialer(opt.routingMark, dialer, network, destination) + } + if opt.tfo && !DisableTFO { + return dialTFO(ctx, *dialer, network, address) + } } + return dialer.DialContext(ctx, network, address) } diff --git a/component/dialer/patch_android.go b/component/dialer/patch_android.go deleted file mode 100644 index 7c33a6c0c8..0000000000 --- a/component/dialer/patch_android.go +++ /dev/null @@ -1,39 +0,0 @@ -//go:build android && cmfa - -package dialer - -import ( - "context" - "net" - "net/netip" - "syscall" -) - -type SocketControl func(network, address string, conn syscall.RawConn) error - -var DefaultSocketHook SocketControl - -func dialContextHooked(ctx context.Context, network string, destination netip.Addr, port string) (net.Conn, error) { - dialer := &net.Dialer{ - Control: DefaultSocketHook, - } - - conn, err := dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port)) - if err != nil { - return nil, err - } - - if t, ok := conn.(*net.TCPConn); ok { - t.SetKeepAlive(false) - } - - return conn, nil -} - -func listenPacketHooked(ctx context.Context, network, address string) (net.PacketConn, error) { - lc := &net.ListenConfig{ - Control: DefaultSocketHook, - } - - return lc.ListenPacket(ctx, network, address) -} diff --git a/component/dialer/patch_common.go b/component/dialer/patch_common.go deleted file mode 100644 index bad0ef4889..0000000000 --- a/component/dialer/patch_common.go +++ /dev/null @@ -1,22 +0,0 @@ -//go:build !(android && cmfa) - -package dialer - -import ( - "context" - "net" - "net/netip" - "syscall" -) - -type SocketControl func(network, address string, conn syscall.RawConn) error - -var DefaultSocketHook SocketControl - -func dialContextHooked(ctx context.Context, network string, destination netip.Addr, port string) (net.Conn, error) { - return nil, nil -} - -func listenPacketHooked(ctx context.Context, network, address string) (net.PacketConn, error) { - return nil, nil -} diff --git a/component/dialer/socket_hook.go b/component/dialer/socket_hook.go new file mode 100644 index 0000000000..f860552579 --- /dev/null +++ b/component/dialer/socket_hook.go @@ -0,0 +1,27 @@ +package dialer + +import ( + "context" + "net" + "syscall" +) + +// SocketControl +// never change type traits because it's used in CMFA +type SocketControl func(network, address string, conn syscall.RawConn) error + +// DefaultSocketHook +// never change type traits because it's used in CMFA +var DefaultSocketHook SocketControl + +func socketHookToToDialer(dialer *net.Dialer) { + addControlToDialer(dialer, func(ctx context.Context, network, address string, c syscall.RawConn) error { + return DefaultSocketHook(network, address, c) + }) +} + +func socketHookToListenConfig(lc *net.ListenConfig) { + addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error { + return DefaultSocketHook(network, address, c) + }) +} diff --git a/component/dialer/tfo.go b/component/dialer/tfo.go index bc32b38a74..76fe94d021 100644 --- a/component/dialer/tfo.go +++ b/component/dialer/tfo.go @@ -5,8 +5,12 @@ import ( "io" "net" "time" + + "github.com/metacubex/tfo-go" ) +var DisableTFO = false + type tfoConn struct { net.Conn closed bool @@ -120,3 +124,16 @@ func (c *tfoConn) ReaderReplaceable() bool { func (c *tfoConn) WriterReplaceable() bool { return c.Conn != nil } + +func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) { + ctx, cancel := context.WithTimeout(context.Background(), DefaultTCPTimeout) + dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false} + return &tfoConn{ + dialed: make(chan bool, 1), + cancel: cancel, + ctx: ctx, + dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) { + return dialer.DialContext(ctx, network, address, earlyData) + }, + }, nil +} diff --git a/component/dialer/tfo_unix.go b/component/dialer/tfo_unix.go deleted file mode 100644 index b8908849e8..0000000000 --- a/component/dialer/tfo_unix.go +++ /dev/null @@ -1,25 +0,0 @@ -//go:build unix - -package dialer - -import ( - "context" - "net" - - "github.com/metacubex/tfo-go" -) - -const DisableTFO = false - -func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) { - ctx, cancel := context.WithTimeout(context.Background(), DefaultTCPTimeout) - dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false} - return &tfoConn{ - dialed: make(chan bool, 1), - cancel: cancel, - ctx: ctx, - dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) { - return dialer.DialContext(ctx, network, address, earlyData) - }, - }, nil -} diff --git a/component/dialer/tfo_windows.go b/component/dialer/tfo_windows.go index f1dddcf44e..632661186c 100644 --- a/component/dialer/tfo_windows.go +++ b/component/dialer/tfo_windows.go @@ -1,12 +1,11 @@ package dialer -import ( - "context" - "net" -) +import "github.com/metacubex/mihomo/constant/features" -const DisableTFO = true - -func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) { - return netDialer.DialContext(ctx, network, address) +func init() { + // According to MSDN, this option is available since Windows 10, 1607 + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms738596(v=vs.85).aspx + if features.WindowsMajorVersion < 10 || (features.WindowsMajorVersion == 10 && features.WindowsBuildNumber < 14393) { + DisableTFO = true + } } diff --git a/component/ebpf/bpf/bpf_endian.h b/component/ebpf/bpf/bpf_endian.h deleted file mode 100644 index ec9db4feca..0000000000 --- a/component/ebpf/bpf/bpf_endian.h +++ /dev/null @@ -1,99 +0,0 @@ -/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */ -#ifndef __BPF_ENDIAN__ -#define __BPF_ENDIAN__ - -/* - * Isolate byte #n and put it into byte #m, for __u##b type. - * E.g., moving byte #6 (nnnnnnnn) into byte #1 (mmmmmmmm) for __u64: - * 1) xxxxxxxx nnnnnnnn xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx mmmmmmmm xxxxxxxx - * 2) nnnnnnnn xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx mmmmmmmm xxxxxxxx 00000000 - * 3) 00000000 00000000 00000000 00000000 00000000 00000000 00000000 nnnnnnnn - * 4) 00000000 00000000 00000000 00000000 00000000 00000000 nnnnnnnn 00000000 - */ -#define ___bpf_mvb(x, b, n, m) ((__u##b)(x) << (b-(n+1)*8) >> (b-8) << (m*8)) - -#define ___bpf_swab16(x) ((__u16)( \ - ___bpf_mvb(x, 16, 0, 1) | \ - ___bpf_mvb(x, 16, 1, 0))) - -#define ___bpf_swab32(x) ((__u32)( \ - ___bpf_mvb(x, 32, 0, 3) | \ - ___bpf_mvb(x, 32, 1, 2) | \ - ___bpf_mvb(x, 32, 2, 1) | \ - ___bpf_mvb(x, 32, 3, 0))) - -#define ___bpf_swab64(x) ((__u64)( \ - ___bpf_mvb(x, 64, 0, 7) | \ - ___bpf_mvb(x, 64, 1, 6) | \ - ___bpf_mvb(x, 64, 2, 5) | \ - ___bpf_mvb(x, 64, 3, 4) | \ - ___bpf_mvb(x, 64, 4, 3) | \ - ___bpf_mvb(x, 64, 5, 2) | \ - ___bpf_mvb(x, 64, 6, 1) | \ - ___bpf_mvb(x, 64, 7, 0))) - -/* LLVM's BPF target selects the endianness of the CPU - * it compiles on, or the user specifies (bpfel/bpfeb), - * respectively. The used __BYTE_ORDER__ is defined by - * the compiler, we cannot rely on __BYTE_ORDER from - * libc headers, since it doesn't reflect the actual - * requested byte order. - * - * Note, LLVM's BPF target has different __builtin_bswapX() - * semantics. It does map to BPF_ALU | BPF_END | BPF_TO_BE - * in bpfel and bpfeb case, which means below, that we map - * to cpu_to_be16(). We could use it unconditionally in BPF - * case, but better not rely on it, so that this header here - * can be used from application and BPF program side, which - * use different targets. - */ -#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ -# define __bpf_ntohs(x) __builtin_bswap16(x) -# define __bpf_htons(x) __builtin_bswap16(x) -# define __bpf_constant_ntohs(x) ___bpf_swab16(x) -# define __bpf_constant_htons(x) ___bpf_swab16(x) -# define __bpf_ntohl(x) __builtin_bswap32(x) -# define __bpf_htonl(x) __builtin_bswap32(x) -# define __bpf_constant_ntohl(x) ___bpf_swab32(x) -# define __bpf_constant_htonl(x) ___bpf_swab32(x) -# define __bpf_be64_to_cpu(x) __builtin_bswap64(x) -# define __bpf_cpu_to_be64(x) __builtin_bswap64(x) -# define __bpf_constant_be64_to_cpu(x) ___bpf_swab64(x) -# define __bpf_constant_cpu_to_be64(x) ___bpf_swab64(x) -#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ -# define __bpf_ntohs(x) (x) -# define __bpf_htons(x) (x) -# define __bpf_constant_ntohs(x) (x) -# define __bpf_constant_htons(x) (x) -# define __bpf_ntohl(x) (x) -# define __bpf_htonl(x) (x) -# define __bpf_constant_ntohl(x) (x) -# define __bpf_constant_htonl(x) (x) -# define __bpf_be64_to_cpu(x) (x) -# define __bpf_cpu_to_be64(x) (x) -# define __bpf_constant_be64_to_cpu(x) (x) -# define __bpf_constant_cpu_to_be64(x) (x) -#else -# error "Fix your compiler's __BYTE_ORDER__?!" -#endif - -#define bpf_htons(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_htons(x) : __bpf_htons(x)) -#define bpf_ntohs(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_ntohs(x) : __bpf_ntohs(x)) -#define bpf_htonl(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_htonl(x) : __bpf_htonl(x)) -#define bpf_ntohl(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_ntohl(x) : __bpf_ntohl(x)) -#define bpf_cpu_to_be64(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_cpu_to_be64(x) : __bpf_cpu_to_be64(x)) -#define bpf_be64_to_cpu(x) \ - (__builtin_constant_p(x) ? \ - __bpf_constant_be64_to_cpu(x) : __bpf_be64_to_cpu(x)) - -#endif /* __BPF_ENDIAN__ */ diff --git a/component/ebpf/bpf/bpf_helper_defs.h b/component/ebpf/bpf/bpf_helper_defs.h deleted file mode 100644 index 8a4edf613b..0000000000 --- a/component/ebpf/bpf/bpf_helper_defs.h +++ /dev/null @@ -1,4139 +0,0 @@ -/* This is auto-generated file. See bpf_doc.py for details. */ - -/* Forward declarations of BPF structs */ -struct bpf_fib_lookup; -struct bpf_sk_lookup; -struct bpf_perf_event_data; -struct bpf_perf_event_value; -struct bpf_pidns_info; -struct bpf_redir_neigh; -struct bpf_sock; -struct bpf_sock_addr; -struct bpf_sock_ops; -struct bpf_sock_tuple; -struct bpf_spin_lock; -struct bpf_sysctl; -struct bpf_tcp_sock; -struct bpf_tunnel_key; -struct bpf_xfrm_state; -struct linux_binprm; -struct pt_regs; -struct sk_reuseport_md; -struct sockaddr; -struct tcphdr; -struct seq_file; -struct tcp6_sock; -struct tcp_sock; -struct tcp_timewait_sock; -struct tcp_request_sock; -struct udp6_sock; -struct unix_sock; -struct task_struct; -struct __sk_buff; -struct sk_msg_md; -struct xdp_md; -struct path; -struct btf_ptr; -struct inode; -struct socket; -struct file; -struct bpf_timer; - -/* - * bpf_map_lookup_elem - * - * Perform a lookup in *map* for an entry associated to *key*. - * - * Returns - * Map value associated to *key*, or **NULL** if no entry was - * found. - */ -static void *(*bpf_map_lookup_elem)(void *map, const void *key) = (void *) 1; - -/* - * bpf_map_update_elem - * - * Add or update the value of the entry associated to *key* in - * *map* with *value*. *flags* is one of: - * - * **BPF_NOEXIST** - * The entry for *key* must not exist in the map. - * **BPF_EXIST** - * The entry for *key* must already exist in the map. - * **BPF_ANY** - * No condition on the existence of the entry for *key*. - * - * Flag value **BPF_NOEXIST** cannot be used for maps of types - * **BPF_MAP_TYPE_ARRAY** or **BPF_MAP_TYPE_PERCPU_ARRAY** (all - * elements always exist), the helper would return an error. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_update_elem)(void *map, const void *key, const void *value, __u64 flags) = (void *) 2; - -/* - * bpf_map_delete_elem - * - * Delete entry with *key* from *map*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_delete_elem)(void *map, const void *key) = (void *) 3; - -/* - * bpf_probe_read - * - * For tracing programs, safely attempt to read *size* bytes from - * kernel space address *unsafe_ptr* and store the data in *dst*. - * - * Generally, use **bpf_probe_read_user**\ () or - * **bpf_probe_read_kernel**\ () instead. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_read)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 4; - -/* - * bpf_ktime_get_ns - * - * Return the time elapsed since system boot, in nanoseconds. - * Does not include time the system was suspended. - * See: **clock_gettime**\ (**CLOCK_MONOTONIC**) - * - * Returns - * Current *ktime*. - */ -static __u64 (*bpf_ktime_get_ns)(void) = (void *) 5; - -/* - * bpf_trace_printk - * - * This helper is a "printk()-like" facility for debugging. It - * prints a message defined by format *fmt* (of size *fmt_size*) - * to file *\/sys/kernel/debug/tracing/trace* from DebugFS, if - * available. It can take up to three additional **u64** - * arguments (as an eBPF helpers, the total number of arguments is - * limited to five). - * - * Each time the helper is called, it appends a line to the trace. - * Lines are discarded while *\/sys/kernel/debug/tracing/trace* is - * open, use *\/sys/kernel/debug/tracing/trace_pipe* to avoid this. - * The format of the trace is customizable, and the exact output - * one will get depends on the options set in - * *\/sys/kernel/debug/tracing/trace_options* (see also the - * *README* file under the same directory). However, it usually - * defaults to something like: - * - * :: - * - * telnet-470 [001] .N.. 419421.045894: 0x00000001: - * - * In the above: - * - * * ``telnet`` is the name of the current task. - * * ``470`` is the PID of the current task. - * * ``001`` is the CPU number on which the task is - * running. - * * In ``.N..``, each character refers to a set of - * options (whether irqs are enabled, scheduling - * options, whether hard/softirqs are running, level of - * preempt_disabled respectively). **N** means that - * **TIF_NEED_RESCHED** and **PREEMPT_NEED_RESCHED** - * are set. - * * ``419421.045894`` is a timestamp. - * * ``0x00000001`` is a fake value used by BPF for the - * instruction pointer register. - * * ```` is the message formatted with - * *fmt*. - * - * The conversion specifiers supported by *fmt* are similar, but - * more limited than for printk(). They are **%d**, **%i**, - * **%u**, **%x**, **%ld**, **%li**, **%lu**, **%lx**, **%lld**, - * **%lli**, **%llu**, **%llx**, **%p**, **%s**. No modifier (size - * of field, padding with zeroes, etc.) is available, and the - * helper will return **-EINVAL** (but print nothing) if it - * encounters an unknown specifier. - * - * Also, note that **bpf_trace_printk**\ () is slow, and should - * only be used for debugging purposes. For this reason, a notice - * block (spanning several lines) is printed to kernel logs and - * states that the helper should not be used "for production use" - * the first time this helper is used (or more precisely, when - * **trace_printk**\ () buffers are allocated). For passing values - * to user space, perf events should be preferred. - * - * Returns - * The number of bytes written to the buffer, or a negative error - * in case of failure. - */ -static long (*bpf_trace_printk)(const char *fmt, __u32 fmt_size, ...) = (void *) 6; - -/* - * bpf_get_prandom_u32 - * - * Get a pseudo-random number. - * - * From a security point of view, this helper uses its own - * pseudo-random internal state, and cannot be used to infer the - * seed of other random functions in the kernel. However, it is - * essential to note that the generator used by the helper is not - * cryptographically secure. - * - * Returns - * A random 32-bit unsigned value. - */ -static __u32 (*bpf_get_prandom_u32)(void) = (void *) 7; - -/* - * bpf_get_smp_processor_id - * - * Get the SMP (symmetric multiprocessing) processor id. Note that - * all programs run with migration disabled, which means that the - * SMP processor id is stable during all the execution of the - * program. - * - * Returns - * The SMP id of the processor running the program. - */ -static __u32 (*bpf_get_smp_processor_id)(void) = (void *) 8; - -/* - * bpf_skb_store_bytes - * - * Store *len* bytes from address *from* into the packet - * associated to *skb*, at *offset*. *flags* are a combination of - * **BPF_F_RECOMPUTE_CSUM** (automatically recompute the - * checksum for the packet after storing the bytes) and - * **BPF_F_INVALIDATE_HASH** (set *skb*\ **->hash**, *skb*\ - * **->swhash** and *skb*\ **->l4hash** to 0). - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_store_bytes)(struct __sk_buff *skb, __u32 offset, const void *from, __u32 len, __u64 flags) = (void *) 9; - -/* - * bpf_l3_csum_replace - * - * Recompute the layer 3 (e.g. IP) checksum for the packet - * associated to *skb*. Computation is incremental, so the helper - * must know the former value of the header field that was - * modified (*from*), the new value of this field (*to*), and the - * number of bytes (2 or 4) for this field, stored in *size*. - * Alternatively, it is possible to store the difference between - * the previous and the new values of the header field in *to*, by - * setting *from* and *size* to 0. For both methods, *offset* - * indicates the location of the IP checksum within the packet. - * - * This helper works in combination with **bpf_csum_diff**\ (), - * which does not update the checksum in-place, but offers more - * flexibility and can handle sizes larger than 2 or 4 for the - * checksum to update. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_l3_csum_replace)(struct __sk_buff *skb, __u32 offset, __u64 from, __u64 to, __u64 size) = (void *) 10; - -/* - * bpf_l4_csum_replace - * - * Recompute the layer 4 (e.g. TCP, UDP or ICMP) checksum for the - * packet associated to *skb*. Computation is incremental, so the - * helper must know the former value of the header field that was - * modified (*from*), the new value of this field (*to*), and the - * number of bytes (2 or 4) for this field, stored on the lowest - * four bits of *flags*. Alternatively, it is possible to store - * the difference between the previous and the new values of the - * header field in *to*, by setting *from* and the four lowest - * bits of *flags* to 0. For both methods, *offset* indicates the - * location of the IP checksum within the packet. In addition to - * the size of the field, *flags* can be added (bitwise OR) actual - * flags. With **BPF_F_MARK_MANGLED_0**, a null checksum is left - * untouched (unless **BPF_F_MARK_ENFORCE** is added as well), and - * for updates resulting in a null checksum the value is set to - * **CSUM_MANGLED_0** instead. Flag **BPF_F_PSEUDO_HDR** indicates - * the checksum is to be computed against a pseudo-header. - * - * This helper works in combination with **bpf_csum_diff**\ (), - * which does not update the checksum in-place, but offers more - * flexibility and can handle sizes larger than 2 or 4 for the - * checksum to update. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_l4_csum_replace)(struct __sk_buff *skb, __u32 offset, __u64 from, __u64 to, __u64 flags) = (void *) 11; - -/* - * bpf_tail_call - * - * This special helper is used to trigger a "tail call", or in - * other words, to jump into another eBPF program. The same stack - * frame is used (but values on stack and in registers for the - * caller are not accessible to the callee). This mechanism allows - * for program chaining, either for raising the maximum number of - * available eBPF instructions, or to execute given programs in - * conditional blocks. For security reasons, there is an upper - * limit to the number of successive tail calls that can be - * performed. - * - * Upon call of this helper, the program attempts to jump into a - * program referenced at index *index* in *prog_array_map*, a - * special map of type **BPF_MAP_TYPE_PROG_ARRAY**, and passes - * *ctx*, a pointer to the context. - * - * If the call succeeds, the kernel immediately runs the first - * instruction of the new program. This is not a function call, - * and it never returns to the previous program. If the call - * fails, then the helper has no effect, and the caller continues - * to run its subsequent instructions. A call can fail if the - * destination program for the jump does not exist (i.e. *index* - * is superior to the number of entries in *prog_array_map*), or - * if the maximum number of tail calls has been reached for this - * chain of programs. This limit is defined in the kernel by the - * macro **MAX_TAIL_CALL_CNT** (not accessible to user space), - * which is currently set to 33. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_tail_call)(void *ctx, void *prog_array_map, __u32 index) = (void *) 12; - -/* - * bpf_clone_redirect - * - * Clone and redirect the packet associated to *skb* to another - * net device of index *ifindex*. Both ingress and egress - * interfaces can be used for redirection. The **BPF_F_INGRESS** - * value in *flags* is used to make the distinction (ingress path - * is selected if the flag is present, egress path otherwise). - * This is the only flag supported for now. - * - * In comparison with **bpf_redirect**\ () helper, - * **bpf_clone_redirect**\ () has the associated cost of - * duplicating the packet buffer, but this can be executed out of - * the eBPF program. Conversely, **bpf_redirect**\ () is more - * efficient, but it is handled through an action code where the - * redirection happens only after the eBPF program has returned. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_clone_redirect)(struct __sk_buff *skb, __u32 ifindex, __u64 flags) = (void *) 13; - -/* - * bpf_get_current_pid_tgid - * - * - * Returns - * A 64-bit integer containing the current tgid and pid, and - * created as such: - * *current_task*\ **->tgid << 32 \|** - * *current_task*\ **->pid**. - */ -static __u64 (*bpf_get_current_pid_tgid)(void) = (void *) 14; - -/* - * bpf_get_current_uid_gid - * - * - * Returns - * A 64-bit integer containing the current GID and UID, and - * created as such: *current_gid* **<< 32 \|** *current_uid*. - */ -static __u64 (*bpf_get_current_uid_gid)(void) = (void *) 15; - -/* - * bpf_get_current_comm - * - * Copy the **comm** attribute of the current task into *buf* of - * *size_of_buf*. The **comm** attribute contains the name of - * the executable (excluding the path) for the current task. The - * *size_of_buf* must be strictly positive. On success, the - * helper makes sure that the *buf* is NUL-terminated. On failure, - * it is filled with zeroes. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_get_current_comm)(void *buf, __u32 size_of_buf) = (void *) 16; - -/* - * bpf_get_cgroup_classid - * - * Retrieve the classid for the current task, i.e. for the net_cls - * cgroup to which *skb* belongs. - * - * This helper can be used on TC egress path, but not on ingress. - * - * The net_cls cgroup provides an interface to tag network packets - * based on a user-provided identifier for all traffic coming from - * the tasks belonging to the related cgroup. See also the related - * kernel documentation, available from the Linux sources in file - * *Documentation/admin-guide/cgroup-v1/net_cls.rst*. - * - * The Linux kernel has two versions for cgroups: there are - * cgroups v1 and cgroups v2. Both are available to users, who can - * use a mixture of them, but note that the net_cls cgroup is for - * cgroup v1 only. This makes it incompatible with BPF programs - * run on cgroups, which is a cgroup-v2-only feature (a socket can - * only hold data for one version of cgroups at a time). - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_CGROUP_NET_CLASSID** configuration option set to - * "**y**" or to "**m**". - * - * Returns - * The classid, or 0 for the default unconfigured classid. - */ -static __u32 (*bpf_get_cgroup_classid)(struct __sk_buff *skb) = (void *) 17; - -/* - * bpf_skb_vlan_push - * - * Push a *vlan_tci* (VLAN tag control information) of protocol - * *vlan_proto* to the packet associated to *skb*, then update - * the checksum. Note that if *vlan_proto* is different from - * **ETH_P_8021Q** and **ETH_P_8021AD**, it is considered to - * be **ETH_P_8021Q**. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_vlan_push)(struct __sk_buff *skb, __be16 vlan_proto, __u16 vlan_tci) = (void *) 18; - -/* - * bpf_skb_vlan_pop - * - * Pop a VLAN header from the packet associated to *skb*. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_vlan_pop)(struct __sk_buff *skb) = (void *) 19; - -/* - * bpf_skb_get_tunnel_key - * - * Get tunnel metadata. This helper takes a pointer *key* to an - * empty **struct bpf_tunnel_key** of **size**, that will be - * filled with tunnel metadata for the packet associated to *skb*. - * The *flags* can be set to **BPF_F_TUNINFO_IPV6**, which - * indicates that the tunnel is based on IPv6 protocol instead of - * IPv4. - * - * The **struct bpf_tunnel_key** is an object that generalizes the - * principal parameters used by various tunneling protocols into a - * single struct. This way, it can be used to easily make a - * decision based on the contents of the encapsulation header, - * "summarized" in this struct. In particular, it holds the IP - * address of the remote end (IPv4 or IPv6, depending on the case) - * in *key*\ **->remote_ipv4** or *key*\ **->remote_ipv6**. Also, - * this struct exposes the *key*\ **->tunnel_id**, which is - * generally mapped to a VNI (Virtual Network Identifier), making - * it programmable together with the **bpf_skb_set_tunnel_key**\ - * () helper. - * - * Let's imagine that the following code is part of a program - * attached to the TC ingress interface, on one end of a GRE - * tunnel, and is supposed to filter out all messages coming from - * remote ends with IPv4 address other than 10.0.0.1: - * - * :: - * - * int ret; - * struct bpf_tunnel_key key = {}; - * - * ret = bpf_skb_get_tunnel_key(skb, &key, sizeof(key), 0); - * if (ret < 0) - * return TC_ACT_SHOT; // drop packet - * - * if (key.remote_ipv4 != 0x0a000001) - * return TC_ACT_SHOT; // drop packet - * - * return TC_ACT_OK; // accept packet - * - * This interface can also be used with all encapsulation devices - * that can operate in "collect metadata" mode: instead of having - * one network device per specific configuration, the "collect - * metadata" mode only requires a single device where the - * configuration can be extracted from this helper. - * - * This can be used together with various tunnels such as VXLan, - * Geneve, GRE or IP in IP (IPIP). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_get_tunnel_key)(struct __sk_buff *skb, struct bpf_tunnel_key *key, __u32 size, __u64 flags) = (void *) 20; - -/* - * bpf_skb_set_tunnel_key - * - * Populate tunnel metadata for packet associated to *skb.* The - * tunnel metadata is set to the contents of *key*, of *size*. The - * *flags* can be set to a combination of the following values: - * - * **BPF_F_TUNINFO_IPV6** - * Indicate that the tunnel is based on IPv6 protocol - * instead of IPv4. - * **BPF_F_ZERO_CSUM_TX** - * For IPv4 packets, add a flag to tunnel metadata - * indicating that checksum computation should be skipped - * and checksum set to zeroes. - * **BPF_F_DONT_FRAGMENT** - * Add a flag to tunnel metadata indicating that the - * packet should not be fragmented. - * **BPF_F_SEQ_NUMBER** - * Add a flag to tunnel metadata indicating that a - * sequence number should be added to tunnel header before - * sending the packet. This flag was added for GRE - * encapsulation, but might be used with other protocols - * as well in the future. - * - * Here is a typical usage on the transmit path: - * - * :: - * - * struct bpf_tunnel_key key; - * populate key ... - * bpf_skb_set_tunnel_key(skb, &key, sizeof(key), 0); - * bpf_clone_redirect(skb, vxlan_dev_ifindex, 0); - * - * See also the description of the **bpf_skb_get_tunnel_key**\ () - * helper for additional information. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_set_tunnel_key)(struct __sk_buff *skb, struct bpf_tunnel_key *key, __u32 size, __u64 flags) = (void *) 21; - -/* - * bpf_perf_event_read - * - * Read the value of a perf event counter. This helper relies on a - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. The nature of - * the perf event counter is selected when *map* is updated with - * perf event file descriptors. The *map* is an array whose size - * is the number of available CPUs, and each cell contains a value - * relative to one CPU. The value to retrieve is indicated by - * *flags*, that contains the index of the CPU to look up, masked - * with **BPF_F_INDEX_MASK**. Alternatively, *flags* can be set to - * **BPF_F_CURRENT_CPU** to indicate that the value for the - * current CPU should be retrieved. - * - * Note that before Linux 4.13, only hardware perf event can be - * retrieved. - * - * Also, be aware that the newer helper - * **bpf_perf_event_read_value**\ () is recommended over - * **bpf_perf_event_read**\ () in general. The latter has some ABI - * quirks where error and counter value are used as a return code - * (which is wrong to do since ranges may overlap). This issue is - * fixed with **bpf_perf_event_read_value**\ (), which at the same - * time provides more features over the **bpf_perf_event_read**\ - * () interface. Please refer to the description of - * **bpf_perf_event_read_value**\ () for details. - * - * Returns - * The value of the perf event counter read from the map, or a - * negative error code in case of failure. - */ -static __u64 (*bpf_perf_event_read)(void *map, __u64 flags) = (void *) 22; - -/* - * bpf_redirect - * - * Redirect the packet to another net device of index *ifindex*. - * This helper is somewhat similar to **bpf_clone_redirect**\ - * (), except that the packet is not cloned, which provides - * increased performance. - * - * Except for XDP, both ingress and egress interfaces can be used - * for redirection. The **BPF_F_INGRESS** value in *flags* is used - * to make the distinction (ingress path is selected if the flag - * is present, egress path otherwise). Currently, XDP only - * supports redirection to the egress interface, and accepts no - * flag at all. - * - * The same effect can also be attained with the more generic - * **bpf_redirect_map**\ (), which uses a BPF map to store the - * redirect target instead of providing it directly to the helper. - * - * Returns - * For XDP, the helper returns **XDP_REDIRECT** on success or - * **XDP_ABORTED** on error. For other program types, the values - * are **TC_ACT_REDIRECT** on success or **TC_ACT_SHOT** on - * error. - */ -static long (*bpf_redirect)(__u32 ifindex, __u64 flags) = (void *) 23; - -/* - * bpf_get_route_realm - * - * Retrieve the realm or the route, that is to say the - * **tclassid** field of the destination for the *skb*. The - * identifier retrieved is a user-provided tag, similar to the - * one used with the net_cls cgroup (see description for - * **bpf_get_cgroup_classid**\ () helper), but here this tag is - * held by a route (a destination entry), not by a task. - * - * Retrieving this identifier works with the clsact TC egress hook - * (see also **tc-bpf(8)**), or alternatively on conventional - * classful egress qdiscs, but not on TC ingress path. In case of - * clsact TC egress hook, this has the advantage that, internally, - * the destination entry has not been dropped yet in the transmit - * path. Therefore, the destination entry does not need to be - * artificially held via **netif_keep_dst**\ () for a classful - * qdisc until the *skb* is freed. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_IP_ROUTE_CLASSID** configuration option. - * - * Returns - * The realm of the route for the packet associated to *skb*, or 0 - * if none was found. - */ -static __u32 (*bpf_get_route_realm)(struct __sk_buff *skb) = (void *) 24; - -/* - * bpf_perf_event_output - * - * Write raw *data* blob into a special BPF perf event held by - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. This perf - * event must have the following attributes: **PERF_SAMPLE_RAW** - * as **sample_type**, **PERF_TYPE_SOFTWARE** as **type**, and - * **PERF_COUNT_SW_BPF_OUTPUT** as **config**. - * - * The *flags* are used to indicate the index in *map* for which - * the value must be put, masked with **BPF_F_INDEX_MASK**. - * Alternatively, *flags* can be set to **BPF_F_CURRENT_CPU** - * to indicate that the index of the current CPU core should be - * used. - * - * The value to write, of *size*, is passed through eBPF stack and - * pointed by *data*. - * - * The context of the program *ctx* needs also be passed to the - * helper. - * - * On user space, a program willing to read the values needs to - * call **perf_event_open**\ () on the perf event (either for - * one or for all CPUs) and to store the file descriptor into the - * *map*. This must be done before the eBPF program can send data - * into it. An example is available in file - * *samples/bpf/trace_output_user.c* in the Linux kernel source - * tree (the eBPF program counterpart is in - * *samples/bpf/trace_output_kern.c*). - * - * **bpf_perf_event_output**\ () achieves better performance - * than **bpf_trace_printk**\ () for sharing data with user - * space, and is much better suitable for streaming data from eBPF - * programs. - * - * Note that this helper is not restricted to tracing use cases - * and can be used with programs attached to TC or XDP as well, - * where it allows for passing data to user space listeners. Data - * can be: - * - * * Only custom structs, - * * Only the packet payload, or - * * A combination of both. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_perf_event_output)(void *ctx, void *map, __u64 flags, void *data, __u64 size) = (void *) 25; - -/* - * bpf_skb_load_bytes - * - * This helper was provided as an easy way to load data from a - * packet. It can be used to load *len* bytes from *offset* from - * the packet associated to *skb*, into the buffer pointed by - * *to*. - * - * Since Linux 4.7, usage of this helper has mostly been replaced - * by "direct packet access", enabling packet data to be - * manipulated with *skb*\ **->data** and *skb*\ **->data_end** - * pointing respectively to the first byte of packet data and to - * the byte after the last byte of packet data. However, it - * remains useful if one wishes to read large quantities of data - * at once from a packet into the eBPF stack. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_load_bytes)(const void *skb, __u32 offset, void *to, __u32 len) = (void *) 26; - -/* - * bpf_get_stackid - * - * Walk a user or a kernel stack and return its id. To achieve - * this, the helper needs *ctx*, which is a pointer to the context - * on which the tracing program is executed, and a pointer to a - * *map* of type **BPF_MAP_TYPE_STACK_TRACE**. - * - * The last argument, *flags*, holds the number of stack frames to - * skip (from 0 to 255), masked with - * **BPF_F_SKIP_FIELD_MASK**. The next bits can be used to set - * a combination of the following flags: - * - * **BPF_F_USER_STACK** - * Collect a user space stack instead of a kernel stack. - * **BPF_F_FAST_STACK_CMP** - * Compare stacks by hash only. - * **BPF_F_REUSE_STACKID** - * If two different stacks hash into the same *stackid*, - * discard the old one. - * - * The stack id retrieved is a 32 bit long integer handle which - * can be further combined with other data (including other stack - * ids) and used as a key into maps. This can be useful for - * generating a variety of graphs (such as flame graphs or off-cpu - * graphs). - * - * For walking a stack, this helper is an improvement over - * **bpf_probe_read**\ (), which can be used with unrolled loops - * but is not efficient and consumes a lot of eBPF instructions. - * Instead, **bpf_get_stackid**\ () can collect up to - * **PERF_MAX_STACK_DEPTH** both kernel and user frames. Note that - * this limit can be controlled with the **sysctl** program, and - * that it should be manually increased in order to profile long - * user stacks (such as stacks for Java programs). To do so, use: - * - * :: - * - * # sysctl kernel.perf_event_max_stack= - * - * Returns - * The positive or null stack id on success, or a negative error - * in case of failure. - */ -static long (*bpf_get_stackid)(void *ctx, void *map, __u64 flags) = (void *) 27; - -/* - * bpf_csum_diff - * - * Compute a checksum difference, from the raw buffer pointed by - * *from*, of length *from_size* (that must be a multiple of 4), - * towards the raw buffer pointed by *to*, of size *to_size* - * (same remark). An optional *seed* can be added to the value - * (this can be cascaded, the seed may come from a previous call - * to the helper). - * - * This is flexible enough to be used in several ways: - * - * * With *from_size* == 0, *to_size* > 0 and *seed* set to - * checksum, it can be used when pushing new data. - * * With *from_size* > 0, *to_size* == 0 and *seed* set to - * checksum, it can be used when removing data from a packet. - * * With *from_size* > 0, *to_size* > 0 and *seed* set to 0, it - * can be used to compute a diff. Note that *from_size* and - * *to_size* do not need to be equal. - * - * This helper can be used in combination with - * **bpf_l3_csum_replace**\ () and **bpf_l4_csum_replace**\ (), to - * which one can feed in the difference computed with - * **bpf_csum_diff**\ (). - * - * Returns - * The checksum result, or a negative error code in case of - * failure. - */ -static __s64 (*bpf_csum_diff)(__be32 *from, __u32 from_size, __be32 *to, __u32 to_size, __wsum seed) = (void *) 28; - -/* - * bpf_skb_get_tunnel_opt - * - * Retrieve tunnel options metadata for the packet associated to - * *skb*, and store the raw tunnel option data to the buffer *opt* - * of *size*. - * - * This helper can be used with encapsulation devices that can - * operate in "collect metadata" mode (please refer to the related - * note in the description of **bpf_skb_get_tunnel_key**\ () for - * more details). A particular example where this can be used is - * in combination with the Geneve encapsulation protocol, where it - * allows for pushing (with **bpf_skb_get_tunnel_opt**\ () helper) - * and retrieving arbitrary TLVs (Type-Length-Value headers) from - * the eBPF program. This allows for full customization of these - * headers. - * - * Returns - * The size of the option data retrieved. - */ -static long (*bpf_skb_get_tunnel_opt)(struct __sk_buff *skb, void *opt, __u32 size) = (void *) 29; - -/* - * bpf_skb_set_tunnel_opt - * - * Set tunnel options metadata for the packet associated to *skb* - * to the option data contained in the raw buffer *opt* of *size*. - * - * See also the description of the **bpf_skb_get_tunnel_opt**\ () - * helper for additional information. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_set_tunnel_opt)(struct __sk_buff *skb, void *opt, __u32 size) = (void *) 30; - -/* - * bpf_skb_change_proto - * - * Change the protocol of the *skb* to *proto*. Currently - * supported are transition from IPv4 to IPv6, and from IPv6 to - * IPv4. The helper takes care of the groundwork for the - * transition, including resizing the socket buffer. The eBPF - * program is expected to fill the new headers, if any, via - * **skb_store_bytes**\ () and to recompute the checksums with - * **bpf_l3_csum_replace**\ () and **bpf_l4_csum_replace**\ - * (). The main case for this helper is to perform NAT64 - * operations out of an eBPF program. - * - * Internally, the GSO type is marked as dodgy so that headers are - * checked and segments are recalculated by the GSO/GRO engine. - * The size for GSO target is adapted as well. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_proto)(struct __sk_buff *skb, __be16 proto, __u64 flags) = (void *) 31; - -/* - * bpf_skb_change_type - * - * Change the packet type for the packet associated to *skb*. This - * comes down to setting *skb*\ **->pkt_type** to *type*, except - * the eBPF program does not have a write access to *skb*\ - * **->pkt_type** beside this helper. Using a helper here allows - * for graceful handling of errors. - * - * The major use case is to change incoming *skb*s to - * **PACKET_HOST** in a programmatic way instead of having to - * recirculate via **redirect**\ (..., **BPF_F_INGRESS**), for - * example. - * - * Note that *type* only allows certain values. At this time, they - * are: - * - * **PACKET_HOST** - * Packet is for us. - * **PACKET_BROADCAST** - * Send packet to all. - * **PACKET_MULTICAST** - * Send packet to group. - * **PACKET_OTHERHOST** - * Send packet to someone else. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_type)(struct __sk_buff *skb, __u32 type) = (void *) 32; - -/* - * bpf_skb_under_cgroup - * - * Check whether *skb* is a descendant of the cgroup2 held by - * *map* of type **BPF_MAP_TYPE_CGROUP_ARRAY**, at *index*. - * - * Returns - * The return value depends on the result of the test, and can be: - * - * * 0, if the *skb* failed the cgroup2 descendant test. - * * 1, if the *skb* succeeded the cgroup2 descendant test. - * * A negative error code, if an error occurred. - */ -static long (*bpf_skb_under_cgroup)(struct __sk_buff *skb, void *map, __u32 index) = (void *) 33; - -/* - * bpf_get_hash_recalc - * - * Retrieve the hash of the packet, *skb*\ **->hash**. If it is - * not set, in particular if the hash was cleared due to mangling, - * recompute this hash. Later accesses to the hash can be done - * directly with *skb*\ **->hash**. - * - * Calling **bpf_set_hash_invalid**\ (), changing a packet - * prototype with **bpf_skb_change_proto**\ (), or calling - * **bpf_skb_store_bytes**\ () with the - * **BPF_F_INVALIDATE_HASH** are actions susceptible to clear - * the hash and to trigger a new computation for the next call to - * **bpf_get_hash_recalc**\ (). - * - * Returns - * The 32-bit hash. - */ -static __u32 (*bpf_get_hash_recalc)(struct __sk_buff *skb) = (void *) 34; - -/* - * bpf_get_current_task - * - * - * Returns - * A pointer to the current task struct. - */ -static __u64 (*bpf_get_current_task)(void) = (void *) 35; - -/* - * bpf_probe_write_user - * - * Attempt in a safe way to write *len* bytes from the buffer - * *src* to *dst* in memory. It only works for threads that are in - * user context, and *dst* must be a valid user space address. - * - * This helper should not be used to implement any kind of - * security mechanism because of TOC-TOU attacks, but rather to - * debug, divert, and manipulate execution of semi-cooperative - * processes. - * - * Keep in mind that this feature is meant for experiments, and it - * has a risk of crashing the system and running programs. - * Therefore, when an eBPF program using this helper is attached, - * a warning including PID and process name is printed to kernel - * logs. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_write_user)(void *dst, const void *src, __u32 len) = (void *) 36; - -/* - * bpf_current_task_under_cgroup - * - * Check whether the probe is being run is the context of a given - * subset of the cgroup2 hierarchy. The cgroup2 to test is held by - * *map* of type **BPF_MAP_TYPE_CGROUP_ARRAY**, at *index*. - * - * Returns - * The return value depends on the result of the test, and can be: - * - * * 0, if current task belongs to the cgroup2. - * * 1, if current task does not belong to the cgroup2. - * * A negative error code, if an error occurred. - */ -static long (*bpf_current_task_under_cgroup)(void *map, __u32 index) = (void *) 37; - -/* - * bpf_skb_change_tail - * - * Resize (trim or grow) the packet associated to *skb* to the - * new *len*. The *flags* are reserved for future usage, and must - * be left at zero. - * - * The basic idea is that the helper performs the needed work to - * change the size of the packet, then the eBPF program rewrites - * the rest via helpers like **bpf_skb_store_bytes**\ (), - * **bpf_l3_csum_replace**\ (), **bpf_l3_csum_replace**\ () - * and others. This helper is a slow path utility intended for - * replies with control messages. And because it is targeted for - * slow path, the helper itself can afford to be slow: it - * implicitly linearizes, unclones and drops offloads from the - * *skb*. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_tail)(struct __sk_buff *skb, __u32 len, __u64 flags) = (void *) 38; - -/* - * bpf_skb_pull_data - * - * Pull in non-linear data in case the *skb* is non-linear and not - * all of *len* are part of the linear section. Make *len* bytes - * from *skb* readable and writable. If a zero value is passed for - * *len*, then the whole length of the *skb* is pulled. - * - * This helper is only needed for reading and writing with direct - * packet access. - * - * For direct packet access, testing that offsets to access - * are within packet boundaries (test on *skb*\ **->data_end**) is - * susceptible to fail if offsets are invalid, or if the requested - * data is in non-linear parts of the *skb*. On failure the - * program can just bail out, or in the case of a non-linear - * buffer, use a helper to make the data available. The - * **bpf_skb_load_bytes**\ () helper is a first solution to access - * the data. Another one consists in using **bpf_skb_pull_data** - * to pull in once the non-linear parts, then retesting and - * eventually access the data. - * - * At the same time, this also makes sure the *skb* is uncloned, - * which is a necessary condition for direct write. As this needs - * to be an invariant for the write part only, the verifier - * detects writes and adds a prologue that is calling - * **bpf_skb_pull_data()** to effectively unclone the *skb* from - * the very beginning in case it is indeed cloned. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_pull_data)(struct __sk_buff *skb, __u32 len) = (void *) 39; - -/* - * bpf_csum_update - * - * Add the checksum *csum* into *skb*\ **->csum** in case the - * driver has supplied a checksum for the entire packet into that - * field. Return an error otherwise. This helper is intended to be - * used in combination with **bpf_csum_diff**\ (), in particular - * when the checksum needs to be updated after data has been - * written into the packet through direct packet access. - * - * Returns - * The checksum on success, or a negative error code in case of - * failure. - */ -static __s64 (*bpf_csum_update)(struct __sk_buff *skb, __wsum csum) = (void *) 40; - -/* - * bpf_set_hash_invalid - * - * Invalidate the current *skb*\ **->hash**. It can be used after - * mangling on headers through direct packet access, in order to - * indicate that the hash is outdated and to trigger a - * recalculation the next time the kernel tries to access this - * hash or when the **bpf_get_hash_recalc**\ () helper is called. - * - */ -static void (*bpf_set_hash_invalid)(struct __sk_buff *skb) = (void *) 41; - -/* - * bpf_get_numa_node_id - * - * Return the id of the current NUMA node. The primary use case - * for this helper is the selection of sockets for the local NUMA - * node, when the program is attached to sockets using the - * **SO_ATTACH_REUSEPORT_EBPF** option (see also **socket(7)**), - * but the helper is also available to other eBPF program types, - * similarly to **bpf_get_smp_processor_id**\ (). - * - * Returns - * The id of current NUMA node. - */ -static long (*bpf_get_numa_node_id)(void) = (void *) 42; - -/* - * bpf_skb_change_head - * - * Grows headroom of packet associated to *skb* and adjusts the - * offset of the MAC header accordingly, adding *len* bytes of - * space. It automatically extends and reallocates memory as - * required. - * - * This helper can be used on a layer 3 *skb* to push a MAC header - * for redirection into a layer 2 device. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_change_head)(struct __sk_buff *skb, __u32 len, __u64 flags) = (void *) 43; - -/* - * bpf_xdp_adjust_head - * - * Adjust (move) *xdp_md*\ **->data** by *delta* bytes. Note that - * it is possible to use a negative value for *delta*. This helper - * can be used to prepare the packet for pushing or popping - * headers. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_adjust_head)(struct xdp_md *xdp_md, int delta) = (void *) 44; - -/* - * bpf_probe_read_str - * - * Copy a NUL terminated string from an unsafe kernel address - * *unsafe_ptr* to *dst*. See **bpf_probe_read_kernel_str**\ () for - * more details. - * - * Generally, use **bpf_probe_read_user_str**\ () or - * **bpf_probe_read_kernel_str**\ () instead. - * - * Returns - * On success, the strictly positive length of the string, - * including the trailing NUL character. On error, a negative - * value. - */ -static long (*bpf_probe_read_str)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 45; - -/* - * bpf_get_socket_cookie - * - * If the **struct sk_buff** pointed by *skb* has a known socket, - * retrieve the cookie (generated by the kernel) of this socket. - * If no cookie has been set yet, generate a new cookie. Once - * generated, the socket cookie remains stable for the life of the - * socket. This helper can be useful for monitoring per socket - * networking traffic statistics as it provides a global socket - * identifier that can be assumed unique. - * - * Returns - * A 8-byte long unique number on success, or 0 if the socket - * field is missing inside *skb*. - */ -static __u64 (*bpf_get_socket_cookie)(void *ctx) = (void *) 46; - -/* - * bpf_get_socket_uid - * - * - * Returns - * The owner UID of the socket associated to *skb*. If the socket - * is **NULL**, or if it is not a full socket (i.e. if it is a - * time-wait or a request socket instead), **overflowuid** value - * is returned (note that **overflowuid** might also be the actual - * UID value for the socket). - */ -static __u32 (*bpf_get_socket_uid)(struct __sk_buff *skb) = (void *) 47; - -/* - * bpf_set_hash - * - * Set the full hash for *skb* (set the field *skb*\ **->hash**) - * to value *hash*. - * - * Returns - * 0 - */ -static long (*bpf_set_hash)(struct __sk_buff *skb, __u32 hash) = (void *) 48; - -/* - * bpf_setsockopt - * - * Emulate a call to **setsockopt()** on the socket associated to - * *bpf_socket*, which must be a full socket. The *level* at - * which the option resides and the name *optname* of the option - * must be specified, see **setsockopt(2)** for more information. - * The option value of length *optlen* is pointed by *optval*. - * - * *bpf_socket* should be one of the following: - * - * * **struct bpf_sock_ops** for **BPF_PROG_TYPE_SOCK_OPS**. - * * **struct bpf_sock_addr** for **BPF_CGROUP_INET4_CONNECT** - * and **BPF_CGROUP_INET6_CONNECT**. - * - * This helper actually implements a subset of **setsockopt()**. - * It supports the following *level*\ s: - * - * * **SOL_SOCKET**, which supports the following *optname*\ s: - * **SO_RCVBUF**, **SO_SNDBUF**, **SO_MAX_PACING_RATE**, - * **SO_PRIORITY**, **SO_RCVLOWAT**, **SO_MARK**, - * **SO_BINDTODEVICE**, **SO_KEEPALIVE**. - * * **IPPROTO_TCP**, which supports the following *optname*\ s: - * **TCP_CONGESTION**, **TCP_BPF_IW**, - * **TCP_BPF_SNDCWND_CLAMP**, **TCP_SAVE_SYN**, - * **TCP_KEEPIDLE**, **TCP_KEEPINTVL**, **TCP_KEEPCNT**, - * **TCP_SYNCNT**, **TCP_USER_TIMEOUT**, **TCP_NOTSENT_LOWAT**. - * * **IPPROTO_IP**, which supports *optname* **IP_TOS**. - * * **IPPROTO_IPV6**, which supports *optname* **IPV6_TCLASS**. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_setsockopt)(void *bpf_socket, int level, int optname, void *optval, int optlen) = (void *) 49; - -/* - * bpf_skb_adjust_room - * - * Grow or shrink the room for data in the packet associated to - * *skb* by *len_diff*, and according to the selected *mode*. - * - * By default, the helper will reset any offloaded checksum - * indicator of the skb to CHECKSUM_NONE. This can be avoided - * by the following flag: - * - * * **BPF_F_ADJ_ROOM_NO_CSUM_RESET**: Do not reset offloaded - * checksum data of the skb to CHECKSUM_NONE. - * - * There are two supported modes at this time: - * - * * **BPF_ADJ_ROOM_MAC**: Adjust room at the mac layer - * (room space is added or removed below the layer 2 header). - * - * * **BPF_ADJ_ROOM_NET**: Adjust room at the network layer - * (room space is added or removed below the layer 3 header). - * - * The following flags are supported at this time: - * - * * **BPF_F_ADJ_ROOM_FIXED_GSO**: Do not adjust gso_size. - * Adjusting mss in this way is not allowed for datagrams. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L3_IPV4**, - * **BPF_F_ADJ_ROOM_ENCAP_L3_IPV6**: - * Any new space is reserved to hold a tunnel header. - * Configure skb offsets and other fields accordingly. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L4_GRE**, - * **BPF_F_ADJ_ROOM_ENCAP_L4_UDP**: - * Use with ENCAP_L3 flags to further specify the tunnel type. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L2**\ (*len*): - * Use with ENCAP_L3/L4 flags to further specify the tunnel - * type; *len* is the length of the inner MAC header. - * - * * **BPF_F_ADJ_ROOM_ENCAP_L2_ETH**: - * Use with BPF_F_ADJ_ROOM_ENCAP_L2 flag to further specify the - * L2 type as Ethernet. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_adjust_room)(struct __sk_buff *skb, __s32 len_diff, __u32 mode, __u64 flags) = (void *) 50; - -/* - * bpf_redirect_map - * - * Redirect the packet to the endpoint referenced by *map* at - * index *key*. Depending on its type, this *map* can contain - * references to net devices (for forwarding packets through other - * ports), or to CPUs (for redirecting XDP frames to another CPU; - * but this is only implemented for native XDP (with driver - * support) as of this writing). - * - * The lower two bits of *flags* are used as the return code if - * the map lookup fails. This is so that the return value can be - * one of the XDP program return codes up to **XDP_TX**, as chosen - * by the caller. The higher bits of *flags* can be set to - * BPF_F_BROADCAST or BPF_F_EXCLUDE_INGRESS as defined below. - * - * With BPF_F_BROADCAST the packet will be broadcasted to all the - * interfaces in the map, with BPF_F_EXCLUDE_INGRESS the ingress - * interface will be excluded when do broadcasting. - * - * See also **bpf_redirect**\ (), which only supports redirecting - * to an ifindex, but doesn't require a map to do so. - * - * Returns - * **XDP_REDIRECT** on success, or the value of the two lower bits - * of the *flags* argument on error. - */ -static long (*bpf_redirect_map)(void *map, __u32 key, __u64 flags) = (void *) 51; - -/* - * bpf_sk_redirect_map - * - * Redirect the packet to the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKMAP**) at index *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress path otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_sk_redirect_map)(struct __sk_buff *skb, void *map, __u32 key, __u64 flags) = (void *) 52; - -/* - * bpf_sock_map_update - * - * Add an entry to, or update a *map* referencing sockets. The - * *skops* is used as a new value for the entry associated to - * *key*. *flags* is one of: - * - * **BPF_NOEXIST** - * The entry for *key* must not exist in the map. - * **BPF_EXIST** - * The entry for *key* must already exist in the map. - * **BPF_ANY** - * No condition on the existence of the entry for *key*. - * - * If the *map* has eBPF programs (parser and verdict), those will - * be inherited by the socket being added. If the socket is - * already attached to eBPF programs, this results in an error. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sock_map_update)(struct bpf_sock_ops *skops, void *map, void *key, __u64 flags) = (void *) 53; - -/* - * bpf_xdp_adjust_meta - * - * Adjust the address pointed by *xdp_md*\ **->data_meta** by - * *delta* (which can be positive or negative). Note that this - * operation modifies the address stored in *xdp_md*\ **->data**, - * so the latter must be loaded only after the helper has been - * called. - * - * The use of *xdp_md*\ **->data_meta** is optional and programs - * are not required to use it. The rationale is that when the - * packet is processed with XDP (e.g. as DoS filter), it is - * possible to push further meta data along with it before passing - * to the stack, and to give the guarantee that an ingress eBPF - * program attached as a TC classifier on the same device can pick - * this up for further post-processing. Since TC works with socket - * buffers, it remains possible to set from XDP the **mark** or - * **priority** pointers, or other pointers for the socket buffer. - * Having this scratch space generic and programmable allows for - * more flexibility as the user is free to store whatever meta - * data they need. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_adjust_meta)(struct xdp_md *xdp_md, int delta) = (void *) 54; - -/* - * bpf_perf_event_read_value - * - * Read the value of a perf event counter, and store it into *buf* - * of size *buf_size*. This helper relies on a *map* of type - * **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. The nature of the perf event - * counter is selected when *map* is updated with perf event file - * descriptors. The *map* is an array whose size is the number of - * available CPUs, and each cell contains a value relative to one - * CPU. The value to retrieve is indicated by *flags*, that - * contains the index of the CPU to look up, masked with - * **BPF_F_INDEX_MASK**. Alternatively, *flags* can be set to - * **BPF_F_CURRENT_CPU** to indicate that the value for the - * current CPU should be retrieved. - * - * This helper behaves in a way close to - * **bpf_perf_event_read**\ () helper, save that instead of - * just returning the value observed, it fills the *buf* - * structure. This allows for additional data to be retrieved: in - * particular, the enabled and running times (in *buf*\ - * **->enabled** and *buf*\ **->running**, respectively) are - * copied. In general, **bpf_perf_event_read_value**\ () is - * recommended over **bpf_perf_event_read**\ (), which has some - * ABI issues and provides fewer functionalities. - * - * These values are interesting, because hardware PMU (Performance - * Monitoring Unit) counters are limited resources. When there are - * more PMU based perf events opened than available counters, - * kernel will multiplex these events so each event gets certain - * percentage (but not all) of the PMU time. In case that - * multiplexing happens, the number of samples or counter value - * will not reflect the case compared to when no multiplexing - * occurs. This makes comparison between different runs difficult. - * Typically, the counter value should be normalized before - * comparing to other experiments. The usual normalization is done - * as follows. - * - * :: - * - * normalized_counter = counter * t_enabled / t_running - * - * Where t_enabled is the time enabled for event and t_running is - * the time running for event since last normalization. The - * enabled and running times are accumulated since the perf event - * open. To achieve scaling factor between two invocations of an - * eBPF program, users can use CPU id as the key (which is - * typical for perf array usage model) to remember the previous - * value and do the calculation inside the eBPF program. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_perf_event_read_value)(void *map, __u64 flags, struct bpf_perf_event_value *buf, __u32 buf_size) = (void *) 55; - -/* - * bpf_perf_prog_read_value - * - * For en eBPF program attached to a perf event, retrieve the - * value of the event counter associated to *ctx* and store it in - * the structure pointed by *buf* and of size *buf_size*. Enabled - * and running times are also stored in the structure (see - * description of helper **bpf_perf_event_read_value**\ () for - * more details). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_perf_prog_read_value)(struct bpf_perf_event_data *ctx, struct bpf_perf_event_value *buf, __u32 buf_size) = (void *) 56; - -/* - * bpf_getsockopt - * - * Emulate a call to **getsockopt()** on the socket associated to - * *bpf_socket*, which must be a full socket. The *level* at - * which the option resides and the name *optname* of the option - * must be specified, see **getsockopt(2)** for more information. - * The retrieved value is stored in the structure pointed by - * *opval* and of length *optlen*. - * - * *bpf_socket* should be one of the following: - * - * * **struct bpf_sock_ops** for **BPF_PROG_TYPE_SOCK_OPS**. - * * **struct bpf_sock_addr** for **BPF_CGROUP_INET4_CONNECT** - * and **BPF_CGROUP_INET6_CONNECT**. - * - * This helper actually implements a subset of **getsockopt()**. - * It supports the following *level*\ s: - * - * * **IPPROTO_TCP**, which supports *optname* - * **TCP_CONGESTION**. - * * **IPPROTO_IP**, which supports *optname* **IP_TOS**. - * * **IPPROTO_IPV6**, which supports *optname* **IPV6_TCLASS**. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_getsockopt)(void *bpf_socket, int level, int optname, void *optval, int optlen) = (void *) 57; - -/* - * bpf_override_return - * - * Used for error injection, this helper uses kprobes to override - * the return value of the probed function, and to set it to *rc*. - * The first argument is the context *regs* on which the kprobe - * works. - * - * This helper works by setting the PC (program counter) - * to an override function which is run in place of the original - * probed function. This means the probed function is not run at - * all. The replacement function just returns with the required - * value. - * - * This helper has security implications, and thus is subject to - * restrictions. It is only available if the kernel was compiled - * with the **CONFIG_BPF_KPROBE_OVERRIDE** configuration - * option, and in this case it only works on functions tagged with - * **ALLOW_ERROR_INJECTION** in the kernel code. - * - * Also, the helper is only available for the architectures having - * the CONFIG_FUNCTION_ERROR_INJECTION option. As of this writing, - * x86 architecture is the only one to support this feature. - * - * Returns - * 0 - */ -static long (*bpf_override_return)(struct pt_regs *regs, __u64 rc) = (void *) 58; - -/* - * bpf_sock_ops_cb_flags_set - * - * Attempt to set the value of the **bpf_sock_ops_cb_flags** field - * for the full TCP socket associated to *bpf_sock_ops* to - * *argval*. - * - * The primary use of this field is to determine if there should - * be calls to eBPF programs of type - * **BPF_PROG_TYPE_SOCK_OPS** at various points in the TCP - * code. A program of the same type can change its value, per - * connection and as necessary, when the connection is - * established. This field is directly accessible for reading, but - * this helper must be used for updates in order to return an - * error if an eBPF program tries to set a callback that is not - * supported in the current kernel. - * - * *argval* is a flag array which can combine these flags: - * - * * **BPF_SOCK_OPS_RTO_CB_FLAG** (retransmission time out) - * * **BPF_SOCK_OPS_RETRANS_CB_FLAG** (retransmission) - * * **BPF_SOCK_OPS_STATE_CB_FLAG** (TCP state change) - * * **BPF_SOCK_OPS_RTT_CB_FLAG** (every RTT) - * - * Therefore, this function can be used to clear a callback flag by - * setting the appropriate bit to zero. e.g. to disable the RTO - * callback: - * - * **bpf_sock_ops_cb_flags_set(bpf_sock,** - * **bpf_sock->bpf_sock_ops_cb_flags & ~BPF_SOCK_OPS_RTO_CB_FLAG)** - * - * Here are some examples of where one could call such eBPF - * program: - * - * * When RTO fires. - * * When a packet is retransmitted. - * * When the connection terminates. - * * When a packet is sent. - * * When a packet is received. - * - * Returns - * Code **-EINVAL** if the socket is not a full TCP socket; - * otherwise, a positive number containing the bits that could not - * be set is returned (which comes down to 0 if all bits were set - * as required). - */ -static long (*bpf_sock_ops_cb_flags_set)(struct bpf_sock_ops *bpf_sock, int argval) = (void *) 59; - -/* - * bpf_msg_redirect_map - * - * This helper is used in programs implementing policies at the - * socket level. If the message *msg* is allowed to pass (i.e. if - * the verdict eBPF program returns **SK_PASS**), redirect it to - * the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKMAP**) at index *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress path otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_msg_redirect_map)(struct sk_msg_md *msg, void *map, __u32 key, __u64 flags) = (void *) 60; - -/* - * bpf_msg_apply_bytes - * - * For socket policies, apply the verdict of the eBPF program to - * the next *bytes* (number of bytes) of message *msg*. - * - * For example, this helper can be used in the following cases: - * - * * A single **sendmsg**\ () or **sendfile**\ () system call - * contains multiple logical messages that the eBPF program is - * supposed to read and for which it should apply a verdict. - * * An eBPF program only cares to read the first *bytes* of a - * *msg*. If the message has a large payload, then setting up - * and calling the eBPF program repeatedly for all bytes, even - * though the verdict is already known, would create unnecessary - * overhead. - * - * When called from within an eBPF program, the helper sets a - * counter internal to the BPF infrastructure, that is used to - * apply the last verdict to the next *bytes*. If *bytes* is - * smaller than the current data being processed from a - * **sendmsg**\ () or **sendfile**\ () system call, the first - * *bytes* will be sent and the eBPF program will be re-run with - * the pointer for start of data pointing to byte number *bytes* - * **+ 1**. If *bytes* is larger than the current data being - * processed, then the eBPF verdict will be applied to multiple - * **sendmsg**\ () or **sendfile**\ () calls until *bytes* are - * consumed. - * - * Note that if a socket closes with the internal counter holding - * a non-zero value, this is not a problem because data is not - * being buffered for *bytes* and is sent as it is received. - * - * Returns - * 0 - */ -static long (*bpf_msg_apply_bytes)(struct sk_msg_md *msg, __u32 bytes) = (void *) 61; - -/* - * bpf_msg_cork_bytes - * - * For socket policies, prevent the execution of the verdict eBPF - * program for message *msg* until *bytes* (byte number) have been - * accumulated. - * - * This can be used when one needs a specific number of bytes - * before a verdict can be assigned, even if the data spans - * multiple **sendmsg**\ () or **sendfile**\ () calls. The extreme - * case would be a user calling **sendmsg**\ () repeatedly with - * 1-byte long message segments. Obviously, this is bad for - * performance, but it is still valid. If the eBPF program needs - * *bytes* bytes to validate a header, this helper can be used to - * prevent the eBPF program to be called again until *bytes* have - * been accumulated. - * - * Returns - * 0 - */ -static long (*bpf_msg_cork_bytes)(struct sk_msg_md *msg, __u32 bytes) = (void *) 62; - -/* - * bpf_msg_pull_data - * - * For socket policies, pull in non-linear data from user space - * for *msg* and set pointers *msg*\ **->data** and *msg*\ - * **->data_end** to *start* and *end* bytes offsets into *msg*, - * respectively. - * - * If a program of type **BPF_PROG_TYPE_SK_MSG** is run on a - * *msg* it can only parse data that the (**data**, **data_end**) - * pointers have already consumed. For **sendmsg**\ () hooks this - * is likely the first scatterlist element. But for calls relying - * on the **sendpage** handler (e.g. **sendfile**\ ()) this will - * be the range (**0**, **0**) because the data is shared with - * user space and by default the objective is to avoid allowing - * user space to modify data while (or after) eBPF verdict is - * being decided. This helper can be used to pull in data and to - * set the start and end pointer to given values. Data will be - * copied if necessary (i.e. if data was not linear and if start - * and end pointers do not point to the same chunk). - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_msg_pull_data)(struct sk_msg_md *msg, __u32 start, __u32 end, __u64 flags) = (void *) 63; - -/* - * bpf_bind - * - * Bind the socket associated to *ctx* to the address pointed by - * *addr*, of length *addr_len*. This allows for making outgoing - * connection from the desired IP address, which can be useful for - * example when all processes inside a cgroup should use one - * single IP address on a host that has multiple IP configured. - * - * This helper works for IPv4 and IPv6, TCP and UDP sockets. The - * domain (*addr*\ **->sa_family**) must be **AF_INET** (or - * **AF_INET6**). It's advised to pass zero port (**sin_port** - * or **sin6_port**) which triggers IP_BIND_ADDRESS_NO_PORT-like - * behavior and lets the kernel efficiently pick up an unused - * port as long as 4-tuple is unique. Passing non-zero port might - * lead to degraded performance. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_bind)(struct bpf_sock_addr *ctx, struct sockaddr *addr, int addr_len) = (void *) 64; - -/* - * bpf_xdp_adjust_tail - * - * Adjust (move) *xdp_md*\ **->data_end** by *delta* bytes. It is - * possible to both shrink and grow the packet tail. - * Shrink done via *delta* being a negative integer. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_adjust_tail)(struct xdp_md *xdp_md, int delta) = (void *) 65; - -/* - * bpf_skb_get_xfrm_state - * - * Retrieve the XFRM state (IP transform framework, see also - * **ip-xfrm(8)**) at *index* in XFRM "security path" for *skb*. - * - * The retrieved value is stored in the **struct bpf_xfrm_state** - * pointed by *xfrm_state* and of length *size*. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_XFRM** configuration option. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_get_xfrm_state)(struct __sk_buff *skb, __u32 index, struct bpf_xfrm_state *xfrm_state, __u32 size, __u64 flags) = (void *) 66; - -/* - * bpf_get_stack - * - * Return a user or a kernel stack in bpf program provided buffer. - * To achieve this, the helper needs *ctx*, which is a pointer - * to the context on which the tracing program is executed. - * To store the stacktrace, the bpf program provides *buf* with - * a nonnegative *size*. - * - * The last argument, *flags*, holds the number of stack frames to - * skip (from 0 to 255), masked with - * **BPF_F_SKIP_FIELD_MASK**. The next bits can be used to set - * the following flags: - * - * **BPF_F_USER_STACK** - * Collect a user space stack instead of a kernel stack. - * **BPF_F_USER_BUILD_ID** - * Collect buildid+offset instead of ips for user stack, - * only valid if **BPF_F_USER_STACK** is also specified. - * - * **bpf_get_stack**\ () can collect up to - * **PERF_MAX_STACK_DEPTH** both kernel and user frames, subject - * to sufficient large buffer size. Note that - * this limit can be controlled with the **sysctl** program, and - * that it should be manually increased in order to profile long - * user stacks (such as stacks for Java programs). To do so, use: - * - * :: - * - * # sysctl kernel.perf_event_max_stack= - * - * Returns - * A non-negative value equal to or less than *size* on success, - * or a negative error in case of failure. - */ -static long (*bpf_get_stack)(void *ctx, void *buf, __u32 size, __u64 flags) = (void *) 67; - -/* - * bpf_skb_load_bytes_relative - * - * This helper is similar to **bpf_skb_load_bytes**\ () in that - * it provides an easy way to load *len* bytes from *offset* - * from the packet associated to *skb*, into the buffer pointed - * by *to*. The difference to **bpf_skb_load_bytes**\ () is that - * a fifth argument *start_header* exists in order to select a - * base offset to start from. *start_header* can be one of: - * - * **BPF_HDR_START_MAC** - * Base offset to load data from is *skb*'s mac header. - * **BPF_HDR_START_NET** - * Base offset to load data from is *skb*'s network header. - * - * In general, "direct packet access" is the preferred method to - * access packet data, however, this helper is in particular useful - * in socket filters where *skb*\ **->data** does not always point - * to the start of the mac header and where "direct packet access" - * is not available. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_load_bytes_relative)(const void *skb, __u32 offset, void *to, __u32 len, __u32 start_header) = (void *) 68; - -/* - * bpf_fib_lookup - * - * Do FIB lookup in kernel tables using parameters in *params*. - * If lookup is successful and result shows packet is to be - * forwarded, the neighbor tables are searched for the nexthop. - * If successful (ie., FIB lookup shows forwarding and nexthop - * is resolved), the nexthop address is returned in ipv4_dst - * or ipv6_dst based on family, smac is set to mac address of - * egress device, dmac is set to nexthop mac address, rt_metric - * is set to metric from route (IPv4/IPv6 only), and ifindex - * is set to the device index of the nexthop from the FIB lookup. - * - * *plen* argument is the size of the passed in struct. - * *flags* argument can be a combination of one or more of the - * following values: - * - * **BPF_FIB_LOOKUP_DIRECT** - * Do a direct table lookup vs full lookup using FIB - * rules. - * **BPF_FIB_LOOKUP_OUTPUT** - * Perform lookup from an egress perspective (default is - * ingress). - * - * *ctx* is either **struct xdp_md** for XDP programs or - * **struct sk_buff** tc cls_act programs. - * - * Returns - * * < 0 if any input argument is invalid - * * 0 on success (packet is forwarded, nexthop neighbor exists) - * * > 0 one of **BPF_FIB_LKUP_RET_** codes explaining why the - * packet is not forwarded or needs assist from full stack - * - * If lookup fails with BPF_FIB_LKUP_RET_FRAG_NEEDED, then the MTU - * was exceeded and output params->mtu_result contains the MTU. - */ -static long (*bpf_fib_lookup)(void *ctx, struct bpf_fib_lookup *params, int plen, __u32 flags) = (void *) 69; - -/* - * bpf_sock_hash_update - * - * Add an entry to, or update a sockhash *map* referencing sockets. - * The *skops* is used as a new value for the entry associated to - * *key*. *flags* is one of: - * - * **BPF_NOEXIST** - * The entry for *key* must not exist in the map. - * **BPF_EXIST** - * The entry for *key* must already exist in the map. - * **BPF_ANY** - * No condition on the existence of the entry for *key*. - * - * If the *map* has eBPF programs (parser and verdict), those will - * be inherited by the socket being added. If the socket is - * already attached to eBPF programs, this results in an error. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sock_hash_update)(struct bpf_sock_ops *skops, void *map, void *key, __u64 flags) = (void *) 70; - -/* - * bpf_msg_redirect_hash - * - * This helper is used in programs implementing policies at the - * socket level. If the message *msg* is allowed to pass (i.e. if - * the verdict eBPF program returns **SK_PASS**), redirect it to - * the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKHASH**) using hash *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress path otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_msg_redirect_hash)(struct sk_msg_md *msg, void *map, void *key, __u64 flags) = (void *) 71; - -/* - * bpf_sk_redirect_hash - * - * This helper is used in programs implementing policies at the - * skb socket level. If the sk_buff *skb* is allowed to pass (i.e. - * if the verdict eBPF program returns **SK_PASS**), redirect it - * to the socket referenced by *map* (of type - * **BPF_MAP_TYPE_SOCKHASH**) using hash *key*. Both ingress and - * egress interfaces can be used for redirection. The - * **BPF_F_INGRESS** value in *flags* is used to make the - * distinction (ingress path is selected if the flag is present, - * egress otherwise). This is the only flag supported for now. - * - * Returns - * **SK_PASS** on success, or **SK_DROP** on error. - */ -static long (*bpf_sk_redirect_hash)(struct __sk_buff *skb, void *map, void *key, __u64 flags) = (void *) 72; - -/* - * bpf_lwt_push_encap - * - * Encapsulate the packet associated to *skb* within a Layer 3 - * protocol header. This header is provided in the buffer at - * address *hdr*, with *len* its size in bytes. *type* indicates - * the protocol of the header and can be one of: - * - * **BPF_LWT_ENCAP_SEG6** - * IPv6 encapsulation with Segment Routing Header - * (**struct ipv6_sr_hdr**). *hdr* only contains the SRH, - * the IPv6 header is computed by the kernel. - * **BPF_LWT_ENCAP_SEG6_INLINE** - * Only works if *skb* contains an IPv6 packet. Insert a - * Segment Routing Header (**struct ipv6_sr_hdr**) inside - * the IPv6 header. - * **BPF_LWT_ENCAP_IP** - * IP encapsulation (GRE/GUE/IPIP/etc). The outer header - * must be IPv4 or IPv6, followed by zero or more - * additional headers, up to **LWT_BPF_MAX_HEADROOM** - * total bytes in all prepended headers. Please note that - * if **skb_is_gso**\ (*skb*) is true, no more than two - * headers can be prepended, and the inner header, if - * present, should be either GRE or UDP/GUE. - * - * **BPF_LWT_ENCAP_SEG6**\ \* types can be called by BPF programs - * of type **BPF_PROG_TYPE_LWT_IN**; **BPF_LWT_ENCAP_IP** type can - * be called by bpf programs of types **BPF_PROG_TYPE_LWT_IN** and - * **BPF_PROG_TYPE_LWT_XMIT**. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_push_encap)(struct __sk_buff *skb, __u32 type, void *hdr, __u32 len) = (void *) 73; - -/* - * bpf_lwt_seg6_store_bytes - * - * Store *len* bytes from address *from* into the packet - * associated to *skb*, at *offset*. Only the flags, tag and TLVs - * inside the outermost IPv6 Segment Routing Header can be - * modified through this helper. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_seg6_store_bytes)(struct __sk_buff *skb, __u32 offset, const void *from, __u32 len) = (void *) 74; - -/* - * bpf_lwt_seg6_adjust_srh - * - * Adjust the size allocated to TLVs in the outermost IPv6 - * Segment Routing Header contained in the packet associated to - * *skb*, at position *offset* by *delta* bytes. Only offsets - * after the segments are accepted. *delta* can be as well - * positive (growing) as negative (shrinking). - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_seg6_adjust_srh)(struct __sk_buff *skb, __u32 offset, __s32 delta) = (void *) 75; - -/* - * bpf_lwt_seg6_action - * - * Apply an IPv6 Segment Routing action of type *action* to the - * packet associated to *skb*. Each action takes a parameter - * contained at address *param*, and of length *param_len* bytes. - * *action* can be one of: - * - * **SEG6_LOCAL_ACTION_END_X** - * End.X action: Endpoint with Layer-3 cross-connect. - * Type of *param*: **struct in6_addr**. - * **SEG6_LOCAL_ACTION_END_T** - * End.T action: Endpoint with specific IPv6 table lookup. - * Type of *param*: **int**. - * **SEG6_LOCAL_ACTION_END_B6** - * End.B6 action: Endpoint bound to an SRv6 policy. - * Type of *param*: **struct ipv6_sr_hdr**. - * **SEG6_LOCAL_ACTION_END_B6_ENCAP** - * End.B6.Encap action: Endpoint bound to an SRv6 - * encapsulation policy. - * Type of *param*: **struct ipv6_sr_hdr**. - * - * A call to this helper is susceptible to change the underlying - * packet buffer. Therefore, at load time, all checks on pointers - * previously done by the verifier are invalidated and must be - * performed again, if the helper is used in combination with - * direct packet access. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_lwt_seg6_action)(struct __sk_buff *skb, __u32 action, void *param, __u32 param_len) = (void *) 76; - -/* - * bpf_rc_repeat - * - * This helper is used in programs implementing IR decoding, to - * report a successfully decoded repeat key message. This delays - * the generation of a key up event for previously generated - * key down event. - * - * Some IR protocols like NEC have a special IR message for - * repeating last button, for when a button is held down. - * - * The *ctx* should point to the lirc sample as passed into - * the program. - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_BPF_LIRC_MODE2** configuration option set to - * "**y**". - * - * Returns - * 0 - */ -static long (*bpf_rc_repeat)(void *ctx) = (void *) 77; - -/* - * bpf_rc_keydown - * - * This helper is used in programs implementing IR decoding, to - * report a successfully decoded key press with *scancode*, - * *toggle* value in the given *protocol*. The scancode will be - * translated to a keycode using the rc keymap, and reported as - * an input key down event. After a period a key up event is - * generated. This period can be extended by calling either - * **bpf_rc_keydown**\ () again with the same values, or calling - * **bpf_rc_repeat**\ (). - * - * Some protocols include a toggle bit, in case the button was - * released and pressed again between consecutive scancodes. - * - * The *ctx* should point to the lirc sample as passed into - * the program. - * - * The *protocol* is the decoded protocol number (see - * **enum rc_proto** for some predefined values). - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_BPF_LIRC_MODE2** configuration option set to - * "**y**". - * - * Returns - * 0 - */ -static long (*bpf_rc_keydown)(void *ctx, __u32 protocol, __u64 scancode, __u32 toggle) = (void *) 78; - -/* - * bpf_skb_cgroup_id - * - * Return the cgroup v2 id of the socket associated with the *skb*. - * This is roughly similar to the **bpf_get_cgroup_classid**\ () - * helper for cgroup v1 by providing a tag resp. identifier that - * can be matched on or used for map lookups e.g. to implement - * policy. The cgroup v2 id of a given path in the hierarchy is - * exposed in user space through the f_handle API in order to get - * to the same 64-bit id. - * - * This helper can be used on TC egress path, but not on ingress, - * and is available only if the kernel was compiled with the - * **CONFIG_SOCK_CGROUP_DATA** configuration option. - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_skb_cgroup_id)(struct __sk_buff *skb) = (void *) 79; - -/* - * bpf_get_current_cgroup_id - * - * - * Returns - * A 64-bit integer containing the current cgroup id based - * on the cgroup within which the current task is running. - */ -static __u64 (*bpf_get_current_cgroup_id)(void) = (void *) 80; - -/* - * bpf_get_local_storage - * - * Get the pointer to the local storage area. - * The type and the size of the local storage is defined - * by the *map* argument. - * The *flags* meaning is specific for each map type, - * and has to be 0 for cgroup local storage. - * - * Depending on the BPF program type, a local storage area - * can be shared between multiple instances of the BPF program, - * running simultaneously. - * - * A user should care about the synchronization by himself. - * For example, by using the **BPF_ATOMIC** instructions to alter - * the shared data. - * - * Returns - * A pointer to the local storage area. - */ -static void *(*bpf_get_local_storage)(void *map, __u64 flags) = (void *) 81; - -/* - * bpf_sk_select_reuseport - * - * Select a **SO_REUSEPORT** socket from a - * **BPF_MAP_TYPE_REUSEPORT_SOCKARRAY** *map*. - * It checks the selected socket is matching the incoming - * request in the socket buffer. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sk_select_reuseport)(struct sk_reuseport_md *reuse, void *map, void *key, __u64 flags) = (void *) 82; - -/* - * bpf_skb_ancestor_cgroup_id - * - * Return id of cgroup v2 that is ancestor of cgroup associated - * with the *skb* at the *ancestor_level*. The root cgroup is at - * *ancestor_level* zero and each step down the hierarchy - * increments the level. If *ancestor_level* == level of cgroup - * associated with *skb*, then return value will be same as that - * of **bpf_skb_cgroup_id**\ (). - * - * The helper is useful to implement policies based on cgroups - * that are upper in hierarchy than immediate cgroup associated - * with *skb*. - * - * The format of returned id and helper limitations are same as in - * **bpf_skb_cgroup_id**\ (). - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_skb_ancestor_cgroup_id)(struct __sk_buff *skb, int ancestor_level) = (void *) 83; - -/* - * bpf_sk_lookup_tcp - * - * Look for TCP socket matching *tuple*, optionally in a child - * network namespace *netns*. The return value must be checked, - * and if non-**NULL**, released via **bpf_sk_release**\ (). - * - * The *ctx* should point to the context of the program, such as - * the skb or socket (depending on the hook in use). This is used - * to determine the base network namespace for the lookup. - * - * *tuple_size* must be one of: - * - * **sizeof**\ (*tuple*\ **->ipv4**) - * Look for an IPv4 socket. - * **sizeof**\ (*tuple*\ **->ipv6**) - * Look for an IPv6 socket. - * - * If the *netns* is a negative signed 32-bit integer, then the - * socket lookup table in the netns associated with the *ctx* - * will be used. For the TC hooks, this is the netns of the device - * in the skb. For socket hooks, this is the netns of the socket. - * If *netns* is any other signed 32-bit value greater than or - * equal to zero then it specifies the ID of the netns relative to - * the netns associated with the *ctx*. *netns* values beyond the - * range of 32-bit integers are reserved for future use. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_NET** configuration option. - * - * Returns - * Pointer to **struct bpf_sock**, or **NULL** in case of failure. - * For sockets with reuseport option, the **struct bpf_sock** - * result is from *reuse*\ **->socks**\ [] using the hash of the - * tuple. - */ -static struct bpf_sock *(*bpf_sk_lookup_tcp)(void *ctx, struct bpf_sock_tuple *tuple, __u32 tuple_size, __u64 netns, __u64 flags) = (void *) 84; - -/* - * bpf_sk_lookup_udp - * - * Look for UDP socket matching *tuple*, optionally in a child - * network namespace *netns*. The return value must be checked, - * and if non-**NULL**, released via **bpf_sk_release**\ (). - * - * The *ctx* should point to the context of the program, such as - * the skb or socket (depending on the hook in use). This is used - * to determine the base network namespace for the lookup. - * - * *tuple_size* must be one of: - * - * **sizeof**\ (*tuple*\ **->ipv4**) - * Look for an IPv4 socket. - * **sizeof**\ (*tuple*\ **->ipv6**) - * Look for an IPv6 socket. - * - * If the *netns* is a negative signed 32-bit integer, then the - * socket lookup table in the netns associated with the *ctx* - * will be used. For the TC hooks, this is the netns of the device - * in the skb. For socket hooks, this is the netns of the socket. - * If *netns* is any other signed 32-bit value greater than or - * equal to zero then it specifies the ID of the netns relative to - * the netns associated with the *ctx*. *netns* values beyond the - * range of 32-bit integers are reserved for future use. - * - * All values for *flags* are reserved for future usage, and must - * be left at zero. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_NET** configuration option. - * - * Returns - * Pointer to **struct bpf_sock**, or **NULL** in case of failure. - * For sockets with reuseport option, the **struct bpf_sock** - * result is from *reuse*\ **->socks**\ [] using the hash of the - * tuple. - */ -static struct bpf_sock *(*bpf_sk_lookup_udp)(void *ctx, struct bpf_sock_tuple *tuple, __u32 tuple_size, __u64 netns, __u64 flags) = (void *) 85; - -/* - * bpf_sk_release - * - * Release the reference held by *sock*. *sock* must be a - * non-**NULL** pointer that was returned from - * **bpf_sk_lookup_xxx**\ (). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_sk_release)(void *sock) = (void *) 86; - -/* - * bpf_map_push_elem - * - * Push an element *value* in *map*. *flags* is one of: - * - * **BPF_EXIST** - * If the queue/stack is full, the oldest element is - * removed to make room for this. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_push_elem)(void *map, const void *value, __u64 flags) = (void *) 87; - -/* - * bpf_map_pop_elem - * - * Pop an element from *map*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_pop_elem)(void *map, void *value) = (void *) 88; - -/* - * bpf_map_peek_elem - * - * Get an element from *map* without removing it. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_map_peek_elem)(void *map, void *value) = (void *) 89; - -/* - * bpf_msg_push_data - * - * For socket policies, insert *len* bytes into *msg* at offset - * *start*. - * - * If a program of type **BPF_PROG_TYPE_SK_MSG** is run on a - * *msg* it may want to insert metadata or options into the *msg*. - * This can later be read and used by any of the lower layer BPF - * hooks. - * - * This helper may fail if under memory pressure (a malloc - * fails) in these cases BPF programs will get an appropriate - * error and BPF programs will need to handle them. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_msg_push_data)(struct sk_msg_md *msg, __u32 start, __u32 len, __u64 flags) = (void *) 90; - -/* - * bpf_msg_pop_data - * - * Will remove *len* bytes from a *msg* starting at byte *start*. - * This may result in **ENOMEM** errors under certain situations if - * an allocation and copy are required due to a full ring buffer. - * However, the helper will try to avoid doing the allocation - * if possible. Other errors can occur if input parameters are - * invalid either due to *start* byte not being valid part of *msg* - * payload and/or *pop* value being to large. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_msg_pop_data)(struct sk_msg_md *msg, __u32 start, __u32 len, __u64 flags) = (void *) 91; - -/* - * bpf_rc_pointer_rel - * - * This helper is used in programs implementing IR decoding, to - * report a successfully decoded pointer movement. - * - * The *ctx* should point to the lirc sample as passed into - * the program. - * - * This helper is only available is the kernel was compiled with - * the **CONFIG_BPF_LIRC_MODE2** configuration option set to - * "**y**". - * - * Returns - * 0 - */ -static long (*bpf_rc_pointer_rel)(void *ctx, __s32 rel_x, __s32 rel_y) = (void *) 92; - -/* - * bpf_spin_lock - * - * Acquire a spinlock represented by the pointer *lock*, which is - * stored as part of a value of a map. Taking the lock allows to - * safely update the rest of the fields in that value. The - * spinlock can (and must) later be released with a call to - * **bpf_spin_unlock**\ (\ *lock*\ ). - * - * Spinlocks in BPF programs come with a number of restrictions - * and constraints: - * - * * **bpf_spin_lock** objects are only allowed inside maps of - * types **BPF_MAP_TYPE_HASH** and **BPF_MAP_TYPE_ARRAY** (this - * list could be extended in the future). - * * BTF description of the map is mandatory. - * * The BPF program can take ONE lock at a time, since taking two - * or more could cause dead locks. - * * Only one **struct bpf_spin_lock** is allowed per map element. - * * When the lock is taken, calls (either BPF to BPF or helpers) - * are not allowed. - * * The **BPF_LD_ABS** and **BPF_LD_IND** instructions are not - * allowed inside a spinlock-ed region. - * * The BPF program MUST call **bpf_spin_unlock**\ () to release - * the lock, on all execution paths, before it returns. - * * The BPF program can access **struct bpf_spin_lock** only via - * the **bpf_spin_lock**\ () and **bpf_spin_unlock**\ () - * helpers. Loading or storing data into the **struct - * bpf_spin_lock** *lock*\ **;** field of a map is not allowed. - * * To use the **bpf_spin_lock**\ () helper, the BTF description - * of the map value must be a struct and have **struct - * bpf_spin_lock** *anyname*\ **;** field at the top level. - * Nested lock inside another struct is not allowed. - * * The **struct bpf_spin_lock** *lock* field in a map value must - * be aligned on a multiple of 4 bytes in that value. - * * Syscall with command **BPF_MAP_LOOKUP_ELEM** does not copy - * the **bpf_spin_lock** field to user space. - * * Syscall with command **BPF_MAP_UPDATE_ELEM**, or update from - * a BPF program, do not update the **bpf_spin_lock** field. - * * **bpf_spin_lock** cannot be on the stack or inside a - * networking packet (it can only be inside of a map values). - * * **bpf_spin_lock** is available to root only. - * * Tracing programs and socket filter programs cannot use - * **bpf_spin_lock**\ () due to insufficient preemption checks - * (but this may change in the future). - * * **bpf_spin_lock** is not allowed in inner maps of map-in-map. - * - * Returns - * 0 - */ -static long (*bpf_spin_lock)(struct bpf_spin_lock *lock) = (void *) 93; - -/* - * bpf_spin_unlock - * - * Release the *lock* previously locked by a call to - * **bpf_spin_lock**\ (\ *lock*\ ). - * - * Returns - * 0 - */ -static long (*bpf_spin_unlock)(struct bpf_spin_lock *lock) = (void *) 94; - -/* - * bpf_sk_fullsock - * - * This helper gets a **struct bpf_sock** pointer such - * that all the fields in this **bpf_sock** can be accessed. - * - * Returns - * A **struct bpf_sock** pointer on success, or **NULL** in - * case of failure. - */ -static struct bpf_sock *(*bpf_sk_fullsock)(struct bpf_sock *sk) = (void *) 95; - -/* - * bpf_tcp_sock - * - * This helper gets a **struct bpf_tcp_sock** pointer from a - * **struct bpf_sock** pointer. - * - * Returns - * A **struct bpf_tcp_sock** pointer on success, or **NULL** in - * case of failure. - */ -static struct bpf_tcp_sock *(*bpf_tcp_sock)(struct bpf_sock *sk) = (void *) 96; - -/* - * bpf_skb_ecn_set_ce - * - * Set ECN (Explicit Congestion Notification) field of IP header - * to **CE** (Congestion Encountered) if current value is **ECT** - * (ECN Capable Transport). Otherwise, do nothing. Works with IPv6 - * and IPv4. - * - * Returns - * 1 if the **CE** flag is set (either by the current helper call - * or because it was already present), 0 if it is not set. - */ -static long (*bpf_skb_ecn_set_ce)(struct __sk_buff *skb) = (void *) 97; - -/* - * bpf_get_listener_sock - * - * Return a **struct bpf_sock** pointer in **TCP_LISTEN** state. - * **bpf_sk_release**\ () is unnecessary and not allowed. - * - * Returns - * A **struct bpf_sock** pointer on success, or **NULL** in - * case of failure. - */ -static struct bpf_sock *(*bpf_get_listener_sock)(struct bpf_sock *sk) = (void *) 98; - -/* - * bpf_skc_lookup_tcp - * - * Look for TCP socket matching *tuple*, optionally in a child - * network namespace *netns*. The return value must be checked, - * and if non-**NULL**, released via **bpf_sk_release**\ (). - * - * This function is identical to **bpf_sk_lookup_tcp**\ (), except - * that it also returns timewait or request sockets. Use - * **bpf_sk_fullsock**\ () or **bpf_tcp_sock**\ () to access the - * full structure. - * - * This helper is available only if the kernel was compiled with - * **CONFIG_NET** configuration option. - * - * Returns - * Pointer to **struct bpf_sock**, or **NULL** in case of failure. - * For sockets with reuseport option, the **struct bpf_sock** - * result is from *reuse*\ **->socks**\ [] using the hash of the - * tuple. - */ -static struct bpf_sock *(*bpf_skc_lookup_tcp)(void *ctx, struct bpf_sock_tuple *tuple, __u32 tuple_size, __u64 netns, __u64 flags) = (void *) 99; - -/* - * bpf_tcp_check_syncookie - * - * Check whether *iph* and *th* contain a valid SYN cookie ACK for - * the listening socket in *sk*. - * - * *iph* points to the start of the IPv4 or IPv6 header, while - * *iph_len* contains **sizeof**\ (**struct iphdr**) or - * **sizeof**\ (**struct ip6hdr**). - * - * *th* points to the start of the TCP header, while *th_len* - * contains **sizeof**\ (**struct tcphdr**). - * - * Returns - * 0 if *iph* and *th* are a valid SYN cookie ACK, or a negative - * error otherwise. - */ -static long (*bpf_tcp_check_syncookie)(void *sk, void *iph, __u32 iph_len, struct tcphdr *th, __u32 th_len) = (void *) 100; - -/* - * bpf_sysctl_get_name - * - * Get name of sysctl in /proc/sys/ and copy it into provided by - * program buffer *buf* of size *buf_len*. - * - * The buffer is always NUL terminated, unless it's zero-sized. - * - * If *flags* is zero, full name (e.g. "net/ipv4/tcp_mem") is - * copied. Use **BPF_F_SYSCTL_BASE_NAME** flag to copy base name - * only (e.g. "tcp_mem"). - * - * Returns - * Number of character copied (not including the trailing NUL). - * - * **-E2BIG** if the buffer wasn't big enough (*buf* will contain - * truncated name in this case). - */ -static long (*bpf_sysctl_get_name)(struct bpf_sysctl *ctx, char *buf, unsigned long buf_len, __u64 flags) = (void *) 101; - -/* - * bpf_sysctl_get_current_value - * - * Get current value of sysctl as it is presented in /proc/sys - * (incl. newline, etc), and copy it as a string into provided - * by program buffer *buf* of size *buf_len*. - * - * The whole value is copied, no matter what file position user - * space issued e.g. sys_read at. - * - * The buffer is always NUL terminated, unless it's zero-sized. - * - * Returns - * Number of character copied (not including the trailing NUL). - * - * **-E2BIG** if the buffer wasn't big enough (*buf* will contain - * truncated name in this case). - * - * **-EINVAL** if current value was unavailable, e.g. because - * sysctl is uninitialized and read returns -EIO for it. - */ -static long (*bpf_sysctl_get_current_value)(struct bpf_sysctl *ctx, char *buf, unsigned long buf_len) = (void *) 102; - -/* - * bpf_sysctl_get_new_value - * - * Get new value being written by user space to sysctl (before - * the actual write happens) and copy it as a string into - * provided by program buffer *buf* of size *buf_len*. - * - * User space may write new value at file position > 0. - * - * The buffer is always NUL terminated, unless it's zero-sized. - * - * Returns - * Number of character copied (not including the trailing NUL). - * - * **-E2BIG** if the buffer wasn't big enough (*buf* will contain - * truncated name in this case). - * - * **-EINVAL** if sysctl is being read. - */ -static long (*bpf_sysctl_get_new_value)(struct bpf_sysctl *ctx, char *buf, unsigned long buf_len) = (void *) 103; - -/* - * bpf_sysctl_set_new_value - * - * Override new value being written by user space to sysctl with - * value provided by program in buffer *buf* of size *buf_len*. - * - * *buf* should contain a string in same form as provided by user - * space on sysctl write. - * - * User space may write new value at file position > 0. To override - * the whole sysctl value file position should be set to zero. - * - * Returns - * 0 on success. - * - * **-E2BIG** if the *buf_len* is too big. - * - * **-EINVAL** if sysctl is being read. - */ -static long (*bpf_sysctl_set_new_value)(struct bpf_sysctl *ctx, const char *buf, unsigned long buf_len) = (void *) 104; - -/* - * bpf_strtol - * - * Convert the initial part of the string from buffer *buf* of - * size *buf_len* to a long integer according to the given base - * and save the result in *res*. - * - * The string may begin with an arbitrary amount of white space - * (as determined by **isspace**\ (3)) followed by a single - * optional '**-**' sign. - * - * Five least significant bits of *flags* encode base, other bits - * are currently unused. - * - * Base must be either 8, 10, 16 or 0 to detect it automatically - * similar to user space **strtol**\ (3). - * - * Returns - * Number of characters consumed on success. Must be positive but - * no more than *buf_len*. - * - * **-EINVAL** if no valid digits were found or unsupported base - * was provided. - * - * **-ERANGE** if resulting value was out of range. - */ -static long (*bpf_strtol)(const char *buf, unsigned long buf_len, __u64 flags, long *res) = (void *) 105; - -/* - * bpf_strtoul - * - * Convert the initial part of the string from buffer *buf* of - * size *buf_len* to an unsigned long integer according to the - * given base and save the result in *res*. - * - * The string may begin with an arbitrary amount of white space - * (as determined by **isspace**\ (3)). - * - * Five least significant bits of *flags* encode base, other bits - * are currently unused. - * - * Base must be either 8, 10, 16 or 0 to detect it automatically - * similar to user space **strtoul**\ (3). - * - * Returns - * Number of characters consumed on success. Must be positive but - * no more than *buf_len*. - * - * **-EINVAL** if no valid digits were found or unsupported base - * was provided. - * - * **-ERANGE** if resulting value was out of range. - */ -static long (*bpf_strtoul)(const char *buf, unsigned long buf_len, __u64 flags, unsigned long *res) = (void *) 106; - -/* - * bpf_sk_storage_get - * - * Get a bpf-local-storage from a *sk*. - * - * Logically, it could be thought of getting the value from - * a *map* with *sk* as the **key**. From this - * perspective, the usage is not much different from - * **bpf_map_lookup_elem**\ (*map*, **&**\ *sk*) except this - * helper enforces the key must be a full socket and the map must - * be a **BPF_MAP_TYPE_SK_STORAGE** also. - * - * Underneath, the value is stored locally at *sk* instead of - * the *map*. The *map* is used as the bpf-local-storage - * "type". The bpf-local-storage "type" (i.e. the *map*) is - * searched against all bpf-local-storages residing at *sk*. - * - * *sk* is a kernel **struct sock** pointer for LSM program. - * *sk* is a **struct bpf_sock** pointer for other program types. - * - * An optional *flags* (**BPF_SK_STORAGE_GET_F_CREATE**) can be - * used such that a new bpf-local-storage will be - * created if one does not exist. *value* can be used - * together with **BPF_SK_STORAGE_GET_F_CREATE** to specify - * the initial value of a bpf-local-storage. If *value* is - * **NULL**, the new bpf-local-storage will be zero initialized. - * - * Returns - * A bpf-local-storage pointer is returned on success. - * - * **NULL** if not found or there was an error in adding - * a new bpf-local-storage. - */ -static void *(*bpf_sk_storage_get)(void *map, void *sk, void *value, __u64 flags) = (void *) 107; - -/* - * bpf_sk_storage_delete - * - * Delete a bpf-local-storage from a *sk*. - * - * Returns - * 0 on success. - * - * **-ENOENT** if the bpf-local-storage cannot be found. - * **-EINVAL** if sk is not a fullsock (e.g. a request_sock). - */ -static long (*bpf_sk_storage_delete)(void *map, void *sk) = (void *) 108; - -/* - * bpf_send_signal - * - * Send signal *sig* to the process of the current task. - * The signal may be delivered to any of this process's threads. - * - * Returns - * 0 on success or successfully queued. - * - * **-EBUSY** if work queue under nmi is full. - * - * **-EINVAL** if *sig* is invalid. - * - * **-EPERM** if no permission to send the *sig*. - * - * **-EAGAIN** if bpf program can try again. - */ -static long (*bpf_send_signal)(__u32 sig) = (void *) 109; - -/* - * bpf_tcp_gen_syncookie - * - * Try to issue a SYN cookie for the packet with corresponding - * IP/TCP headers, *iph* and *th*, on the listening socket in *sk*. - * - * *iph* points to the start of the IPv4 or IPv6 header, while - * *iph_len* contains **sizeof**\ (**struct iphdr**) or - * **sizeof**\ (**struct ip6hdr**). - * - * *th* points to the start of the TCP header, while *th_len* - * contains the length of the TCP header. - * - * Returns - * On success, lower 32 bits hold the generated SYN cookie in - * followed by 16 bits which hold the MSS value for that cookie, - * and the top 16 bits are unused. - * - * On failure, the returned value is one of the following: - * - * **-EINVAL** SYN cookie cannot be issued due to error - * - * **-ENOENT** SYN cookie should not be issued (no SYN flood) - * - * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies - * - * **-EPROTONOSUPPORT** IP packet version is not 4 or 6 - */ -static __s64 (*bpf_tcp_gen_syncookie)(void *sk, void *iph, __u32 iph_len, struct tcphdr *th, __u32 th_len) = (void *) 110; - -/* - * bpf_skb_output - * - * Write raw *data* blob into a special BPF perf event held by - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. This perf - * event must have the following attributes: **PERF_SAMPLE_RAW** - * as **sample_type**, **PERF_TYPE_SOFTWARE** as **type**, and - * **PERF_COUNT_SW_BPF_OUTPUT** as **config**. - * - * The *flags* are used to indicate the index in *map* for which - * the value must be put, masked with **BPF_F_INDEX_MASK**. - * Alternatively, *flags* can be set to **BPF_F_CURRENT_CPU** - * to indicate that the index of the current CPU core should be - * used. - * - * The value to write, of *size*, is passed through eBPF stack and - * pointed by *data*. - * - * *ctx* is a pointer to in-kernel struct sk_buff. - * - * This helper is similar to **bpf_perf_event_output**\ () but - * restricted to raw_tracepoint bpf programs. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_skb_output)(void *ctx, void *map, __u64 flags, void *data, __u64 size) = (void *) 111; - -/* - * bpf_probe_read_user - * - * Safely attempt to read *size* bytes from user space address - * *unsafe_ptr* and store the data in *dst*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_read_user)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 112; - -/* - * bpf_probe_read_kernel - * - * Safely attempt to read *size* bytes from kernel space address - * *unsafe_ptr* and store the data in *dst*. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_probe_read_kernel)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 113; - -/* - * bpf_probe_read_user_str - * - * Copy a NUL terminated string from an unsafe user address - * *unsafe_ptr* to *dst*. The *size* should include the - * terminating NUL byte. In case the string length is smaller than - * *size*, the target is not padded with further NUL bytes. If the - * string length is larger than *size*, just *size*-1 bytes are - * copied and the last byte is set to NUL. - * - * On success, returns the number of bytes that were written, - * including the terminal NUL. This makes this helper useful in - * tracing programs for reading strings, and more importantly to - * get its length at runtime. See the following snippet: - * - * :: - * - * SEC("kprobe/sys_open") - * void bpf_sys_open(struct pt_regs *ctx) - * { - * char buf[PATHLEN]; // PATHLEN is defined to 256 - * int res = bpf_probe_read_user_str(buf, sizeof(buf), - * ctx->di); - * - * // Consume buf, for example push it to - * // userspace via bpf_perf_event_output(); we - * // can use res (the string length) as event - * // size, after checking its boundaries. - * } - * - * In comparison, using **bpf_probe_read_user**\ () helper here - * instead to read the string would require to estimate the length - * at compile time, and would often result in copying more memory - * than necessary. - * - * Another useful use case is when parsing individual process - * arguments or individual environment variables navigating - * *current*\ **->mm->arg_start** and *current*\ - * **->mm->env_start**: using this helper and the return value, - * one can quickly iterate at the right offset of the memory area. - * - * Returns - * On success, the strictly positive length of the output string, - * including the trailing NUL character. On error, a negative - * value. - */ -static long (*bpf_probe_read_user_str)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 114; - -/* - * bpf_probe_read_kernel_str - * - * Copy a NUL terminated string from an unsafe kernel address *unsafe_ptr* - * to *dst*. Same semantics as with **bpf_probe_read_user_str**\ () apply. - * - * Returns - * On success, the strictly positive length of the string, including - * the trailing NUL character. On error, a negative value. - */ -static long (*bpf_probe_read_kernel_str)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 115; - -/* - * bpf_tcp_send_ack - * - * Send out a tcp-ack. *tp* is the in-kernel struct **tcp_sock**. - * *rcv_nxt* is the ack_seq to be sent out. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_tcp_send_ack)(void *tp, __u32 rcv_nxt) = (void *) 116; - -/* - * bpf_send_signal_thread - * - * Send signal *sig* to the thread corresponding to the current task. - * - * Returns - * 0 on success or successfully queued. - * - * **-EBUSY** if work queue under nmi is full. - * - * **-EINVAL** if *sig* is invalid. - * - * **-EPERM** if no permission to send the *sig*. - * - * **-EAGAIN** if bpf program can try again. - */ -static long (*bpf_send_signal_thread)(__u32 sig) = (void *) 117; - -/* - * bpf_jiffies64 - * - * Obtain the 64bit jiffies - * - * Returns - * The 64 bit jiffies - */ -static __u64 (*bpf_jiffies64)(void) = (void *) 118; - -/* - * bpf_read_branch_records - * - * For an eBPF program attached to a perf event, retrieve the - * branch records (**struct perf_branch_entry**) associated to *ctx* - * and store it in the buffer pointed by *buf* up to size - * *size* bytes. - * - * Returns - * On success, number of bytes written to *buf*. On error, a - * negative value. - * - * The *flags* can be set to **BPF_F_GET_BRANCH_RECORDS_SIZE** to - * instead return the number of bytes required to store all the - * branch entries. If this flag is set, *buf* may be NULL. - * - * **-EINVAL** if arguments invalid or **size** not a multiple - * of **sizeof**\ (**struct perf_branch_entry**\ ). - * - * **-ENOENT** if architecture does not support branch records. - */ -static long (*bpf_read_branch_records)(struct bpf_perf_event_data *ctx, void *buf, __u32 size, __u64 flags) = (void *) 119; - -/* - * bpf_get_ns_current_pid_tgid - * - * Returns 0 on success, values for *pid* and *tgid* as seen from the current - * *namespace* will be returned in *nsdata*. - * - * Returns - * 0 on success, or one of the following in case of failure: - * - * **-EINVAL** if dev and inum supplied don't match dev_t and inode number - * with nsfs of current task, or if dev conversion to dev_t lost high bits. - * - * **-ENOENT** if pidns does not exists for the current task. - */ -static long (*bpf_get_ns_current_pid_tgid)(__u64 dev, __u64 ino, struct bpf_pidns_info *nsdata, __u32 size) = (void *) 120; - -/* - * bpf_xdp_output - * - * Write raw *data* blob into a special BPF perf event held by - * *map* of type **BPF_MAP_TYPE_PERF_EVENT_ARRAY**. This perf - * event must have the following attributes: **PERF_SAMPLE_RAW** - * as **sample_type**, **PERF_TYPE_SOFTWARE** as **type**, and - * **PERF_COUNT_SW_BPF_OUTPUT** as **config**. - * - * The *flags* are used to indicate the index in *map* for which - * the value must be put, masked with **BPF_F_INDEX_MASK**. - * Alternatively, *flags* can be set to **BPF_F_CURRENT_CPU** - * to indicate that the index of the current CPU core should be - * used. - * - * The value to write, of *size*, is passed through eBPF stack and - * pointed by *data*. - * - * *ctx* is a pointer to in-kernel struct xdp_buff. - * - * This helper is similar to **bpf_perf_eventoutput**\ () but - * restricted to raw_tracepoint bpf programs. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_xdp_output)(void *ctx, void *map, __u64 flags, void *data, __u64 size) = (void *) 121; - -/* - * bpf_get_netns_cookie - * - * Retrieve the cookie (generated by the kernel) of the network - * namespace the input *ctx* is associated with. The network - * namespace cookie remains stable for its lifetime and provides - * a global identifier that can be assumed unique. If *ctx* is - * NULL, then the helper returns the cookie for the initial - * network namespace. The cookie itself is very similar to that - * of **bpf_get_socket_cookie**\ () helper, but for network - * namespaces instead of sockets. - * - * Returns - * A 8-byte long opaque number. - */ -static __u64 (*bpf_get_netns_cookie)(void *ctx) = (void *) 122; - -/* - * bpf_get_current_ancestor_cgroup_id - * - * Return id of cgroup v2 that is ancestor of the cgroup associated - * with the current task at the *ancestor_level*. The root cgroup - * is at *ancestor_level* zero and each step down the hierarchy - * increments the level. If *ancestor_level* == level of cgroup - * associated with the current task, then return value will be the - * same as that of **bpf_get_current_cgroup_id**\ (). - * - * The helper is useful to implement policies based on cgroups - * that are upper in hierarchy than immediate cgroup associated - * with the current task. - * - * The format of returned id and helper limitations are same as in - * **bpf_get_current_cgroup_id**\ (). - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_get_current_ancestor_cgroup_id)(int ancestor_level) = (void *) 123; - -/* - * bpf_sk_assign - * - * Helper is overloaded depending on BPF program type. This - * description applies to **BPF_PROG_TYPE_SCHED_CLS** and - * **BPF_PROG_TYPE_SCHED_ACT** programs. - * - * Assign the *sk* to the *skb*. When combined with appropriate - * routing configuration to receive the packet towards the socket, - * will cause *skb* to be delivered to the specified socket. - * Subsequent redirection of *skb* via **bpf_redirect**\ (), - * **bpf_clone_redirect**\ () or other methods outside of BPF may - * interfere with successful delivery to the socket. - * - * This operation is only valid from TC ingress path. - * - * The *flags* argument must be zero. - * - * Returns - * 0 on success, or a negative error in case of failure: - * - * **-EINVAL** if specified *flags* are not supported. - * - * **-ENOENT** if the socket is unavailable for assignment. - * - * **-ENETUNREACH** if the socket is unreachable (wrong netns). - * - * **-EOPNOTSUPP** if the operation is not supported, for example - * a call from outside of TC ingress. - * - * **-ESOCKTNOSUPPORT** if the socket type is not supported - * (reuseport). - */ -static long (*bpf_sk_assign)(void *ctx, void *sk, __u64 flags) = (void *) 124; - -/* - * bpf_ktime_get_boot_ns - * - * Return the time elapsed since system boot, in nanoseconds. - * Does include the time the system was suspended. - * See: **clock_gettime**\ (**CLOCK_BOOTTIME**) - * - * Returns - * Current *ktime*. - */ -static __u64 (*bpf_ktime_get_boot_ns)(void) = (void *) 125; - -/* - * bpf_seq_printf - * - * **bpf_seq_printf**\ () uses seq_file **seq_printf**\ () to print - * out the format string. - * The *m* represents the seq_file. The *fmt* and *fmt_size* are for - * the format string itself. The *data* and *data_len* are format string - * arguments. The *data* are a **u64** array and corresponding format string - * values are stored in the array. For strings and pointers where pointees - * are accessed, only the pointer values are stored in the *data* array. - * The *data_len* is the size of *data* in bytes - must be a multiple of 8. - * - * Formats **%s**, **%p{i,I}{4,6}** requires to read kernel memory. - * Reading kernel memory may fail due to either invalid address or - * valid address but requiring a major memory fault. If reading kernel memory - * fails, the string for **%s** will be an empty string, and the ip - * address for **%p{i,I}{4,6}** will be 0. Not returning error to - * bpf program is consistent with what **bpf_trace_printk**\ () does for now. - * - * Returns - * 0 on success, or a negative error in case of failure: - * - * **-EBUSY** if per-CPU memory copy buffer is busy, can try again - * by returning 1 from bpf program. - * - * **-EINVAL** if arguments are invalid, or if *fmt* is invalid/unsupported. - * - * **-E2BIG** if *fmt* contains too many format specifiers. - * - * **-EOVERFLOW** if an overflow happened: The same object will be tried again. - */ -static long (*bpf_seq_printf)(struct seq_file *m, const char *fmt, __u32 fmt_size, const void *data, __u32 data_len) = (void *) 126; - -/* - * bpf_seq_write - * - * **bpf_seq_write**\ () uses seq_file **seq_write**\ () to write the data. - * The *m* represents the seq_file. The *data* and *len* represent the - * data to write in bytes. - * - * Returns - * 0 on success, or a negative error in case of failure: - * - * **-EOVERFLOW** if an overflow happened: The same object will be tried again. - */ -static long (*bpf_seq_write)(struct seq_file *m, const void *data, __u32 len) = (void *) 127; - -/* - * bpf_sk_cgroup_id - * - * Return the cgroup v2 id of the socket *sk*. - * - * *sk* must be a non-**NULL** pointer to a socket, e.g. one - * returned from **bpf_sk_lookup_xxx**\ (), - * **bpf_sk_fullsock**\ (), etc. The format of returned id is - * same as in **bpf_skb_cgroup_id**\ (). - * - * This helper is available only if the kernel was compiled with - * the **CONFIG_SOCK_CGROUP_DATA** configuration option. - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_sk_cgroup_id)(void *sk) = (void *) 128; - -/* - * bpf_sk_ancestor_cgroup_id - * - * Return id of cgroup v2 that is ancestor of cgroup associated - * with the *sk* at the *ancestor_level*. The root cgroup is at - * *ancestor_level* zero and each step down the hierarchy - * increments the level. If *ancestor_level* == level of cgroup - * associated with *sk*, then return value will be same as that - * of **bpf_sk_cgroup_id**\ (). - * - * The helper is useful to implement policies based on cgroups - * that are upper in hierarchy than immediate cgroup associated - * with *sk*. - * - * The format of returned id and helper limitations are same as in - * **bpf_sk_cgroup_id**\ (). - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_sk_ancestor_cgroup_id)(void *sk, int ancestor_level) = (void *) 129; - -/* - * bpf_ringbuf_output - * - * Copy *size* bytes from *data* into a ring buffer *ringbuf*. - * If **BPF_RB_NO_WAKEUP** is specified in *flags*, no notification - * of new data availability is sent. - * If **BPF_RB_FORCE_WAKEUP** is specified in *flags*, notification - * of new data availability is sent unconditionally. - * If **0** is specified in *flags*, an adaptive notification - * of new data availability is sent. - * - * An adaptive notification is a notification sent whenever the user-space - * process has caught up and consumed all available payloads. In case the user-space - * process is still processing a previous payload, then no notification is needed - * as it will process the newly added payload automatically. - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_ringbuf_output)(void *ringbuf, void *data, __u64 size, __u64 flags) = (void *) 130; - -/* - * bpf_ringbuf_reserve - * - * Reserve *size* bytes of payload in a ring buffer *ringbuf*. - * *flags* must be 0. - * - * Returns - * Valid pointer with *size* bytes of memory available; NULL, - * otherwise. - */ -static void *(*bpf_ringbuf_reserve)(void *ringbuf, __u64 size, __u64 flags) = (void *) 131; - -/* - * bpf_ringbuf_submit - * - * Submit reserved ring buffer sample, pointed to by *data*. - * If **BPF_RB_NO_WAKEUP** is specified in *flags*, no notification - * of new data availability is sent. - * If **BPF_RB_FORCE_WAKEUP** is specified in *flags*, notification - * of new data availability is sent unconditionally. - * If **0** is specified in *flags*, an adaptive notification - * of new data availability is sent. - * - * See 'bpf_ringbuf_output()' for the definition of adaptive notification. - * - * Returns - * Nothing. Always succeeds. - */ -static void (*bpf_ringbuf_submit)(void *data, __u64 flags) = (void *) 132; - -/* - * bpf_ringbuf_discard - * - * Discard reserved ring buffer sample, pointed to by *data*. - * If **BPF_RB_NO_WAKEUP** is specified in *flags*, no notification - * of new data availability is sent. - * If **BPF_RB_FORCE_WAKEUP** is specified in *flags*, notification - * of new data availability is sent unconditionally. - * If **0** is specified in *flags*, an adaptive notification - * of new data availability is sent. - * - * See 'bpf_ringbuf_output()' for the definition of adaptive notification. - * - * Returns - * Nothing. Always succeeds. - */ -static void (*bpf_ringbuf_discard)(void *data, __u64 flags) = (void *) 133; - -/* - * bpf_ringbuf_query - * - * Query various characteristics of provided ring buffer. What - * exactly is queries is determined by *flags*: - * - * * **BPF_RB_AVAIL_DATA**: Amount of data not yet consumed. - * * **BPF_RB_RING_SIZE**: The size of ring buffer. - * * **BPF_RB_CONS_POS**: Consumer position (can wrap around). - * * **BPF_RB_PROD_POS**: Producer(s) position (can wrap around). - * - * Data returned is just a momentary snapshot of actual values - * and could be inaccurate, so this facility should be used to - * power heuristics and for reporting, not to make 100% correct - * calculation. - * - * Returns - * Requested value, or 0, if *flags* are not recognized. - */ -static __u64 (*bpf_ringbuf_query)(void *ringbuf, __u64 flags) = (void *) 134; - -/* - * bpf_csum_level - * - * Change the skbs checksum level by one layer up or down, or - * reset it entirely to none in order to have the stack perform - * checksum validation. The level is applicable to the following - * protocols: TCP, UDP, GRE, SCTP, FCOE. For example, a decap of - * | ETH | IP | UDP | GUE | IP | TCP | into | ETH | IP | TCP | - * through **bpf_skb_adjust_room**\ () helper with passing in - * **BPF_F_ADJ_ROOM_NO_CSUM_RESET** flag would require one call - * to **bpf_csum_level**\ () with **BPF_CSUM_LEVEL_DEC** since - * the UDP header is removed. Similarly, an encap of the latter - * into the former could be accompanied by a helper call to - * **bpf_csum_level**\ () with **BPF_CSUM_LEVEL_INC** if the - * skb is still intended to be processed in higher layers of the - * stack instead of just egressing at tc. - * - * There are three supported level settings at this time: - * - * * **BPF_CSUM_LEVEL_INC**: Increases skb->csum_level for skbs - * with CHECKSUM_UNNECESSARY. - * * **BPF_CSUM_LEVEL_DEC**: Decreases skb->csum_level for skbs - * with CHECKSUM_UNNECESSARY. - * * **BPF_CSUM_LEVEL_RESET**: Resets skb->csum_level to 0 and - * sets CHECKSUM_NONE to force checksum validation by the stack. - * * **BPF_CSUM_LEVEL_QUERY**: No-op, returns the current - * skb->csum_level. - * - * Returns - * 0 on success, or a negative error in case of failure. In the - * case of **BPF_CSUM_LEVEL_QUERY**, the current skb->csum_level - * is returned or the error code -EACCES in case the skb is not - * subject to CHECKSUM_UNNECESSARY. - */ -static long (*bpf_csum_level)(struct __sk_buff *skb, __u64 level) = (void *) 135; - -/* - * bpf_skc_to_tcp6_sock - * - * Dynamically cast a *sk* pointer to a *tcp6_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp6_sock *(*bpf_skc_to_tcp6_sock)(void *sk) = (void *) 136; - -/* - * bpf_skc_to_tcp_sock - * - * Dynamically cast a *sk* pointer to a *tcp_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp_sock *(*bpf_skc_to_tcp_sock)(void *sk) = (void *) 137; - -/* - * bpf_skc_to_tcp_timewait_sock - * - * Dynamically cast a *sk* pointer to a *tcp_timewait_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp_timewait_sock *(*bpf_skc_to_tcp_timewait_sock)(void *sk) = (void *) 138; - -/* - * bpf_skc_to_tcp_request_sock - * - * Dynamically cast a *sk* pointer to a *tcp_request_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct tcp_request_sock *(*bpf_skc_to_tcp_request_sock)(void *sk) = (void *) 139; - -/* - * bpf_skc_to_udp6_sock - * - * Dynamically cast a *sk* pointer to a *udp6_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct udp6_sock *(*bpf_skc_to_udp6_sock)(void *sk) = (void *) 140; - -/* - * bpf_get_task_stack - * - * Return a user or a kernel stack in bpf program provided buffer. - * To achieve this, the helper needs *task*, which is a valid - * pointer to **struct task_struct**. To store the stacktrace, the - * bpf program provides *buf* with a nonnegative *size*. - * - * The last argument, *flags*, holds the number of stack frames to - * skip (from 0 to 255), masked with - * **BPF_F_SKIP_FIELD_MASK**. The next bits can be used to set - * the following flags: - * - * **BPF_F_USER_STACK** - * Collect a user space stack instead of a kernel stack. - * **BPF_F_USER_BUILD_ID** - * Collect buildid+offset instead of ips for user stack, - * only valid if **BPF_F_USER_STACK** is also specified. - * - * **bpf_get_task_stack**\ () can collect up to - * **PERF_MAX_STACK_DEPTH** both kernel and user frames, subject - * to sufficient large buffer size. Note that - * this limit can be controlled with the **sysctl** program, and - * that it should be manually increased in order to profile long - * user stacks (such as stacks for Java programs). To do so, use: - * - * :: - * - * # sysctl kernel.perf_event_max_stack= - * - * Returns - * A non-negative value equal to or less than *size* on success, - * or a negative error in case of failure. - */ -static long (*bpf_get_task_stack)(struct task_struct *task, void *buf, __u32 size, __u64 flags) = (void *) 141; - -/* - * bpf_load_hdr_opt - * - * Load header option. Support reading a particular TCP header - * option for bpf program (**BPF_PROG_TYPE_SOCK_OPS**). - * - * If *flags* is 0, it will search the option from the - * *skops*\ **->skb_data**. The comment in **struct bpf_sock_ops** - * has details on what skb_data contains under different - * *skops*\ **->op**. - * - * The first byte of the *searchby_res* specifies the - * kind that it wants to search. - * - * If the searching kind is an experimental kind - * (i.e. 253 or 254 according to RFC6994). It also - * needs to specify the "magic" which is either - * 2 bytes or 4 bytes. It then also needs to - * specify the size of the magic by using - * the 2nd byte which is "kind-length" of a TCP - * header option and the "kind-length" also - * includes the first 2 bytes "kind" and "kind-length" - * itself as a normal TCP header option also does. - * - * For example, to search experimental kind 254 with - * 2 byte magic 0xeB9F, the searchby_res should be - * [ 254, 4, 0xeB, 0x9F, 0, 0, .... 0 ]. - * - * To search for the standard window scale option (3), - * the *searchby_res* should be [ 3, 0, 0, .... 0 ]. - * Note, kind-length must be 0 for regular option. - * - * Searching for No-Op (0) and End-of-Option-List (1) are - * not supported. - * - * *len* must be at least 2 bytes which is the minimal size - * of a header option. - * - * Supported flags: - * - * * **BPF_LOAD_HDR_OPT_TCP_SYN** to search from the - * saved_syn packet or the just-received syn packet. - * - * - * Returns - * > 0 when found, the header option is copied to *searchby_res*. - * The return value is the total length copied. On failure, a - * negative error code is returned: - * - * **-EINVAL** if a parameter is invalid. - * - * **-ENOMSG** if the option is not found. - * - * **-ENOENT** if no syn packet is available when - * **BPF_LOAD_HDR_OPT_TCP_SYN** is used. - * - * **-ENOSPC** if there is not enough space. Only *len* number of - * bytes are copied. - * - * **-EFAULT** on failure to parse the header options in the - * packet. - * - * **-EPERM** if the helper cannot be used under the current - * *skops*\ **->op**. - */ -static long (*bpf_load_hdr_opt)(struct bpf_sock_ops *skops, void *searchby_res, __u32 len, __u64 flags) = (void *) 142; - -/* - * bpf_store_hdr_opt - * - * Store header option. The data will be copied - * from buffer *from* with length *len* to the TCP header. - * - * The buffer *from* should have the whole option that - * includes the kind, kind-length, and the actual - * option data. The *len* must be at least kind-length - * long. The kind-length does not have to be 4 byte - * aligned. The kernel will take care of the padding - * and setting the 4 bytes aligned value to th->doff. - * - * This helper will check for duplicated option - * by searching the same option in the outgoing skb. - * - * This helper can only be called during - * **BPF_SOCK_OPS_WRITE_HDR_OPT_CB**. - * - * - * Returns - * 0 on success, or negative error in case of failure: - * - * **-EINVAL** If param is invalid. - * - * **-ENOSPC** if there is not enough space in the header. - * Nothing has been written - * - * **-EEXIST** if the option already exists. - * - * **-EFAULT** on failrue to parse the existing header options. - * - * **-EPERM** if the helper cannot be used under the current - * *skops*\ **->op**. - */ -static long (*bpf_store_hdr_opt)(struct bpf_sock_ops *skops, const void *from, __u32 len, __u64 flags) = (void *) 143; - -/* - * bpf_reserve_hdr_opt - * - * Reserve *len* bytes for the bpf header option. The - * space will be used by **bpf_store_hdr_opt**\ () later in - * **BPF_SOCK_OPS_WRITE_HDR_OPT_CB**. - * - * If **bpf_reserve_hdr_opt**\ () is called multiple times, - * the total number of bytes will be reserved. - * - * This helper can only be called during - * **BPF_SOCK_OPS_HDR_OPT_LEN_CB**. - * - * - * Returns - * 0 on success, or negative error in case of failure: - * - * **-EINVAL** if a parameter is invalid. - * - * **-ENOSPC** if there is not enough space in the header. - * - * **-EPERM** if the helper cannot be used under the current - * *skops*\ **->op**. - */ -static long (*bpf_reserve_hdr_opt)(struct bpf_sock_ops *skops, __u32 len, __u64 flags) = (void *) 144; - -/* - * bpf_inode_storage_get - * - * Get a bpf_local_storage from an *inode*. - * - * Logically, it could be thought of as getting the value from - * a *map* with *inode* as the **key**. From this - * perspective, the usage is not much different from - * **bpf_map_lookup_elem**\ (*map*, **&**\ *inode*) except this - * helper enforces the key must be an inode and the map must also - * be a **BPF_MAP_TYPE_INODE_STORAGE**. - * - * Underneath, the value is stored locally at *inode* instead of - * the *map*. The *map* is used as the bpf-local-storage - * "type". The bpf-local-storage "type" (i.e. the *map*) is - * searched against all bpf_local_storage residing at *inode*. - * - * An optional *flags* (**BPF_LOCAL_STORAGE_GET_F_CREATE**) can be - * used such that a new bpf_local_storage will be - * created if one does not exist. *value* can be used - * together with **BPF_LOCAL_STORAGE_GET_F_CREATE** to specify - * the initial value of a bpf_local_storage. If *value* is - * **NULL**, the new bpf_local_storage will be zero initialized. - * - * Returns - * A bpf_local_storage pointer is returned on success. - * - * **NULL** if not found or there was an error in adding - * a new bpf_local_storage. - */ -static void *(*bpf_inode_storage_get)(void *map, void *inode, void *value, __u64 flags) = (void *) 145; - -/* - * bpf_inode_storage_delete - * - * Delete a bpf_local_storage from an *inode*. - * - * Returns - * 0 on success. - * - * **-ENOENT** if the bpf_local_storage cannot be found. - */ -static int (*bpf_inode_storage_delete)(void *map, void *inode) = (void *) 146; - -/* - * bpf_d_path - * - * Return full path for given **struct path** object, which - * needs to be the kernel BTF *path* object. The path is - * returned in the provided buffer *buf* of size *sz* and - * is zero terminated. - * - * - * Returns - * On success, the strictly positive length of the string, - * including the trailing NUL character. On error, a negative - * value. - */ -static long (*bpf_d_path)(struct path *path, char *buf, __u32 sz) = (void *) 147; - -/* - * bpf_copy_from_user - * - * Read *size* bytes from user space address *user_ptr* and store - * the data in *dst*. This is a wrapper of **copy_from_user**\ (). - * - * Returns - * 0 on success, or a negative error in case of failure. - */ -static long (*bpf_copy_from_user)(void *dst, __u32 size, const void *user_ptr) = (void *) 148; - -/* - * bpf_snprintf_btf - * - * Use BTF to store a string representation of *ptr*->ptr in *str*, - * using *ptr*->type_id. This value should specify the type - * that *ptr*->ptr points to. LLVM __builtin_btf_type_id(type, 1) - * can be used to look up vmlinux BTF type ids. Traversing the - * data structure using BTF, the type information and values are - * stored in the first *str_size* - 1 bytes of *str*. Safe copy of - * the pointer data is carried out to avoid kernel crashes during - * operation. Smaller types can use string space on the stack; - * larger programs can use map data to store the string - * representation. - * - * The string can be subsequently shared with userspace via - * bpf_perf_event_output() or ring buffer interfaces. - * bpf_trace_printk() is to be avoided as it places too small - * a limit on string size to be useful. - * - * *flags* is a combination of - * - * **BTF_F_COMPACT** - * no formatting around type information - * **BTF_F_NONAME** - * no struct/union member names/types - * **BTF_F_PTR_RAW** - * show raw (unobfuscated) pointer values; - * equivalent to printk specifier %px. - * **BTF_F_ZERO** - * show zero-valued struct/union members; they - * are not displayed by default - * - * - * Returns - * The number of bytes that were written (or would have been - * written if output had to be truncated due to string size), - * or a negative error in cases of failure. - */ -static long (*bpf_snprintf_btf)(char *str, __u32 str_size, struct btf_ptr *ptr, __u32 btf_ptr_size, __u64 flags) = (void *) 149; - -/* - * bpf_seq_printf_btf - * - * Use BTF to write to seq_write a string representation of - * *ptr*->ptr, using *ptr*->type_id as per bpf_snprintf_btf(). - * *flags* are identical to those used for bpf_snprintf_btf. - * - * Returns - * 0 on success or a negative error in case of failure. - */ -static long (*bpf_seq_printf_btf)(struct seq_file *m, struct btf_ptr *ptr, __u32 ptr_size, __u64 flags) = (void *) 150; - -/* - * bpf_skb_cgroup_classid - * - * See **bpf_get_cgroup_classid**\ () for the main description. - * This helper differs from **bpf_get_cgroup_classid**\ () in that - * the cgroup v1 net_cls class is retrieved only from the *skb*'s - * associated socket instead of the current process. - * - * Returns - * The id is returned or 0 in case the id could not be retrieved. - */ -static __u64 (*bpf_skb_cgroup_classid)(struct __sk_buff *skb) = (void *) 151; - -/* - * bpf_redirect_neigh - * - * Redirect the packet to another net device of index *ifindex* - * and fill in L2 addresses from neighboring subsystem. This helper - * is somewhat similar to **bpf_redirect**\ (), except that it - * populates L2 addresses as well, meaning, internally, the helper - * relies on the neighbor lookup for the L2 address of the nexthop. - * - * The helper will perform a FIB lookup based on the skb's - * networking header to get the address of the next hop, unless - * this is supplied by the caller in the *params* argument. The - * *plen* argument indicates the len of *params* and should be set - * to 0 if *params* is NULL. - * - * The *flags* argument is reserved and must be 0. The helper is - * currently only supported for tc BPF program types, and enabled - * for IPv4 and IPv6 protocols. - * - * Returns - * The helper returns **TC_ACT_REDIRECT** on success or - * **TC_ACT_SHOT** on error. - */ -static long (*bpf_redirect_neigh)(__u32 ifindex, struct bpf_redir_neigh *params, int plen, __u64 flags) = (void *) 152; - -/* - * bpf_per_cpu_ptr - * - * Take a pointer to a percpu ksym, *percpu_ptr*, and return a - * pointer to the percpu kernel variable on *cpu*. A ksym is an - * extern variable decorated with '__ksym'. For ksym, there is a - * global var (either static or global) defined of the same name - * in the kernel. The ksym is percpu if the global var is percpu. - * The returned pointer points to the global percpu var on *cpu*. - * - * bpf_per_cpu_ptr() has the same semantic as per_cpu_ptr() in the - * kernel, except that bpf_per_cpu_ptr() may return NULL. This - * happens if *cpu* is larger than nr_cpu_ids. The caller of - * bpf_per_cpu_ptr() must check the returned value. - * - * Returns - * A pointer pointing to the kernel percpu variable on *cpu*, or - * NULL, if *cpu* is invalid. - */ -static void *(*bpf_per_cpu_ptr)(const void *percpu_ptr, __u32 cpu) = (void *) 153; - -/* - * bpf_this_cpu_ptr - * - * Take a pointer to a percpu ksym, *percpu_ptr*, and return a - * pointer to the percpu kernel variable on this cpu. See the - * description of 'ksym' in **bpf_per_cpu_ptr**\ (). - * - * bpf_this_cpu_ptr() has the same semantic as this_cpu_ptr() in - * the kernel. Different from **bpf_per_cpu_ptr**\ (), it would - * never return NULL. - * - * Returns - * A pointer pointing to the kernel percpu variable on this cpu. - */ -static void *(*bpf_this_cpu_ptr)(const void *percpu_ptr) = (void *) 154; - -/* - * bpf_redirect_peer - * - * Redirect the packet to another net device of index *ifindex*. - * This helper is somewhat similar to **bpf_redirect**\ (), except - * that the redirection happens to the *ifindex*' peer device and - * the netns switch takes place from ingress to ingress without - * going through the CPU's backlog queue. - * - * The *flags* argument is reserved and must be 0. The helper is - * currently only supported for tc BPF program types at the ingress - * hook and for veth device types. The peer device must reside in a - * different network namespace. - * - * Returns - * The helper returns **TC_ACT_REDIRECT** on success or - * **TC_ACT_SHOT** on error. - */ -static long (*bpf_redirect_peer)(__u32 ifindex, __u64 flags) = (void *) 155; - -/* - * bpf_task_storage_get - * - * Get a bpf_local_storage from the *task*. - * - * Logically, it could be thought of as getting the value from - * a *map* with *task* as the **key**. From this - * perspective, the usage is not much different from - * **bpf_map_lookup_elem**\ (*map*, **&**\ *task*) except this - * helper enforces the key must be an task_struct and the map must also - * be a **BPF_MAP_TYPE_TASK_STORAGE**. - * - * Underneath, the value is stored locally at *task* instead of - * the *map*. The *map* is used as the bpf-local-storage - * "type". The bpf-local-storage "type" (i.e. the *map*) is - * searched against all bpf_local_storage residing at *task*. - * - * An optional *flags* (**BPF_LOCAL_STORAGE_GET_F_CREATE**) can be - * used such that a new bpf_local_storage will be - * created if one does not exist. *value* can be used - * together with **BPF_LOCAL_STORAGE_GET_F_CREATE** to specify - * the initial value of a bpf_local_storage. If *value* is - * **NULL**, the new bpf_local_storage will be zero initialized. - * - * Returns - * A bpf_local_storage pointer is returned on success. - * - * **NULL** if not found or there was an error in adding - * a new bpf_local_storage. - */ -static void *(*bpf_task_storage_get)(void *map, struct task_struct *task, void *value, __u64 flags) = (void *) 156; - -/* - * bpf_task_storage_delete - * - * Delete a bpf_local_storage from a *task*. - * - * Returns - * 0 on success. - * - * **-ENOENT** if the bpf_local_storage cannot be found. - */ -static long (*bpf_task_storage_delete)(void *map, struct task_struct *task) = (void *) 157; - -/* - * bpf_get_current_task_btf - * - * Return a BTF pointer to the "current" task. - * This pointer can also be used in helpers that accept an - * *ARG_PTR_TO_BTF_ID* of type *task_struct*. - * - * Returns - * Pointer to the current task. - */ -static struct task_struct *(*bpf_get_current_task_btf)(void) = (void *) 158; - -/* - * bpf_bprm_opts_set - * - * Set or clear certain options on *bprm*: - * - * **BPF_F_BPRM_SECUREEXEC** Set the secureexec bit - * which sets the **AT_SECURE** auxv for glibc. The bit - * is cleared if the flag is not specified. - * - * Returns - * **-EINVAL** if invalid *flags* are passed, zero otherwise. - */ -static long (*bpf_bprm_opts_set)(struct linux_binprm *bprm, __u64 flags) = (void *) 159; - -/* - * bpf_ktime_get_coarse_ns - * - * Return a coarse-grained version of the time elapsed since - * system boot, in nanoseconds. Does not include time the system - * was suspended. - * - * See: **clock_gettime**\ (**CLOCK_MONOTONIC_COARSE**) - * - * Returns - * Current *ktime*. - */ -static __u64 (*bpf_ktime_get_coarse_ns)(void) = (void *) 160; - -/* - * bpf_ima_inode_hash - * - * Returns the stored IMA hash of the *inode* (if it's avaialable). - * If the hash is larger than *size*, then only *size* - * bytes will be copied to *dst* - * - * Returns - * The **hash_algo** is returned on success, - * **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if - * invalid arguments are passed. - */ -static long (*bpf_ima_inode_hash)(struct inode *inode, void *dst, __u32 size) = (void *) 161; - -/* - * bpf_sock_from_file - * - * If the given file represents a socket, returns the associated - * socket. - * - * Returns - * A pointer to a struct socket on success or NULL if the file is - * not a socket. - */ -static struct socket *(*bpf_sock_from_file)(struct file *file) = (void *) 162; - -/* - * bpf_check_mtu - * - * Check packet size against exceeding MTU of net device (based - * on *ifindex*). This helper will likely be used in combination - * with helpers that adjust/change the packet size. - * - * The argument *len_diff* can be used for querying with a planned - * size change. This allows to check MTU prior to changing packet - * ctx. Providing an *len_diff* adjustment that is larger than the - * actual packet size (resulting in negative packet size) will in - * principle not exceed the MTU, why it is not considered a - * failure. Other BPF-helpers are needed for performing the - * planned size change, why the responsability for catch a negative - * packet size belong in those helpers. - * - * Specifying *ifindex* zero means the MTU check is performed - * against the current net device. This is practical if this isn't - * used prior to redirect. - * - * On input *mtu_len* must be a valid pointer, else verifier will - * reject BPF program. If the value *mtu_len* is initialized to - * zero then the ctx packet size is use. When value *mtu_len* is - * provided as input this specify the L3 length that the MTU check - * is done against. Remember XDP and TC length operate at L2, but - * this value is L3 as this correlate to MTU and IP-header tot_len - * values which are L3 (similar behavior as bpf_fib_lookup). - * - * The Linux kernel route table can configure MTUs on a more - * specific per route level, which is not provided by this helper. - * For route level MTU checks use the **bpf_fib_lookup**\ () - * helper. - * - * *ctx* is either **struct xdp_md** for XDP programs or - * **struct sk_buff** for tc cls_act programs. - * - * The *flags* argument can be a combination of one or more of the - * following values: - * - * **BPF_MTU_CHK_SEGS** - * This flag will only works for *ctx* **struct sk_buff**. - * If packet context contains extra packet segment buffers - * (often knows as GSO skb), then MTU check is harder to - * check at this point, because in transmit path it is - * possible for the skb packet to get re-segmented - * (depending on net device features). This could still be - * a MTU violation, so this flag enables performing MTU - * check against segments, with a different violation - * return code to tell it apart. Check cannot use len_diff. - * - * On return *mtu_len* pointer contains the MTU value of the net - * device. Remember the net device configured MTU is the L3 size, - * which is returned here and XDP and TC length operate at L2. - * Helper take this into account for you, but remember when using - * MTU value in your BPF-code. - * - * - * Returns - * * 0 on success, and populate MTU value in *mtu_len* pointer. - * - * * < 0 if any input argument is invalid (*mtu_len* not updated) - * - * MTU violations return positive values, but also populate MTU - * value in *mtu_len* pointer, as this can be needed for - * implementing PMTU handing: - * - * * **BPF_MTU_CHK_RET_FRAG_NEEDED** - * * **BPF_MTU_CHK_RET_SEGS_TOOBIG** - */ -static long (*bpf_check_mtu)(void *ctx, __u32 ifindex, __u32 *mtu_len, __s32 len_diff, __u64 flags) = (void *) 163; - -/* - * bpf_for_each_map_elem - * - * For each element in **map**, call **callback_fn** function with - * **map**, **callback_ctx** and other map-specific parameters. - * The **callback_fn** should be a static function and - * the **callback_ctx** should be a pointer to the stack. - * The **flags** is used to control certain aspects of the helper. - * Currently, the **flags** must be 0. - * - * The following are a list of supported map types and their - * respective expected callback signatures: - * - * BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_PERCPU_HASH, - * BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH, - * BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY - * - * long (\*callback_fn)(struct bpf_map \*map, const void \*key, void \*value, void \*ctx); - * - * For per_cpu maps, the map_value is the value on the cpu where the - * bpf_prog is running. - * - * If **callback_fn** return 0, the helper will continue to the next - * element. If return value is 1, the helper will skip the rest of - * elements and return. Other return values are not used now. - * - * - * Returns - * The number of traversed map elements for success, **-EINVAL** for - * invalid **flags**. - */ -static long (*bpf_for_each_map_elem)(void *map, void *callback_fn, void *callback_ctx, __u64 flags) = (void *) 164; - -/* - * bpf_snprintf - * - * Outputs a string into the **str** buffer of size **str_size** - * based on a format string stored in a read-only map pointed by - * **fmt**. - * - * Each format specifier in **fmt** corresponds to one u64 element - * in the **data** array. For strings and pointers where pointees - * are accessed, only the pointer values are stored in the *data* - * array. The *data_len* is the size of *data* in bytes - must be - * a multiple of 8. - * - * Formats **%s** and **%p{i,I}{4,6}** require to read kernel - * memory. Reading kernel memory may fail due to either invalid - * address or valid address but requiring a major memory fault. If - * reading kernel memory fails, the string for **%s** will be an - * empty string, and the ip address for **%p{i,I}{4,6}** will be 0. - * Not returning error to bpf program is consistent with what - * **bpf_trace_printk**\ () does for now. - * - * - * Returns - * The strictly positive length of the formatted string, including - * the trailing zero character. If the return value is greater than - * **str_size**, **str** contains a truncated string, guaranteed to - * be zero-terminated except when **str_size** is 0. - * - * Or **-EBUSY** if the per-CPU memory copy buffer is busy. - */ -static long (*bpf_snprintf)(char *str, __u32 str_size, const char *fmt, __u64 *data, __u32 data_len) = (void *) 165; - -/* - * bpf_sys_bpf - * - * Execute bpf syscall with given arguments. - * - * Returns - * A syscall result. - */ -static long (*bpf_sys_bpf)(__u32 cmd, void *attr, __u32 attr_size) = (void *) 166; - -/* - * bpf_btf_find_by_name_kind - * - * Find BTF type with given name and kind in vmlinux BTF or in module's BTFs. - * - * Returns - * Returns btf_id and btf_obj_fd in lower and upper 32 bits. - */ -static long (*bpf_btf_find_by_name_kind)(char *name, int name_sz, __u32 kind, int flags) = (void *) 167; - -/* - * bpf_sys_close - * - * Execute close syscall for given FD. - * - * Returns - * A syscall result. - */ -static long (*bpf_sys_close)(__u32 fd) = (void *) 168; - -/* - * bpf_timer_init - * - * Initialize the timer. - * First 4 bits of *flags* specify clockid. - * Only CLOCK_MONOTONIC, CLOCK_REALTIME, CLOCK_BOOTTIME are allowed. - * All other bits of *flags* are reserved. - * The verifier will reject the program if *timer* is not from - * the same *map*. - * - * Returns - * 0 on success. - * **-EBUSY** if *timer* is already initialized. - * **-EINVAL** if invalid *flags* are passed. - * **-EPERM** if *timer* is in a map that doesn't have any user references. - * The user space should either hold a file descriptor to a map with timers - * or pin such map in bpffs. When map is unpinned or file descriptor is - * closed all timers in the map will be cancelled and freed. - */ -static long (*bpf_timer_init)(struct bpf_timer *timer, void *map, __u64 flags) = (void *) 169; - -/* - * bpf_timer_set_callback - * - * Configure the timer to call *callback_fn* static function. - * - * Returns - * 0 on success. - * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier. - * **-EPERM** if *timer* is in a map that doesn't have any user references. - * The user space should either hold a file descriptor to a map with timers - * or pin such map in bpffs. When map is unpinned or file descriptor is - * closed all timers in the map will be cancelled and freed. - */ -static long (*bpf_timer_set_callback)(struct bpf_timer *timer, void *callback_fn) = (void *) 170; - -/* - * bpf_timer_start - * - * Set timer expiration N nanoseconds from the current time. The - * configured callback will be invoked in soft irq context on some cpu - * and will not repeat unless another bpf_timer_start() is made. - * In such case the next invocation can migrate to a different cpu. - * Since struct bpf_timer is a field inside map element the map - * owns the timer. The bpf_timer_set_callback() will increment refcnt - * of BPF program to make sure that callback_fn code stays valid. - * When user space reference to a map reaches zero all timers - * in a map are cancelled and corresponding program's refcnts are - * decremented. This is done to make sure that Ctrl-C of a user - * process doesn't leave any timers running. If map is pinned in - * bpffs the callback_fn can re-arm itself indefinitely. - * bpf_map_update/delete_elem() helpers and user space sys_bpf commands - * cancel and free the timer in the given map element. - * The map can contain timers that invoke callback_fn-s from different - * programs. The same callback_fn can serve different timers from - * different maps if key/value layout matches across maps. - * Every bpf_timer_set_callback() can have different callback_fn. - * - * - * Returns - * 0 on success. - * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier - * or invalid *flags* are passed. - */ -static long (*bpf_timer_start)(struct bpf_timer *timer, __u64 nsecs, __u64 flags) = (void *) 171; - -/* - * bpf_timer_cancel - * - * Cancel the timer and wait for callback_fn to finish if it was running. - * - * Returns - * 0 if the timer was not active. - * 1 if the timer was active. - * **-EINVAL** if *timer* was not initialized with bpf_timer_init() earlier. - * **-EDEADLK** if callback_fn tried to call bpf_timer_cancel() on its - * own timer which would have led to a deadlock otherwise. - */ -static long (*bpf_timer_cancel)(struct bpf_timer *timer) = (void *) 172; - -/* - * bpf_get_func_ip - * - * Get address of the traced function (for tracing and kprobe programs). - * - * Returns - * Address of the traced function. - */ -static __u64 (*bpf_get_func_ip)(void *ctx) = (void *) 173; - -/* - * bpf_get_attach_cookie - * - * Get bpf_cookie value provided (optionally) during the program - * attachment. It might be different for each individual - * attachment, even if BPF program itself is the same. - * Expects BPF program context *ctx* as a first argument. - * - * Supported for the following program types: - * - kprobe/uprobe; - * - tracepoint; - * - perf_event. - * - * Returns - * Value specified by user at BPF link creation/attachment time - * or 0, if it was not specified. - */ -static __u64 (*bpf_get_attach_cookie)(void *ctx) = (void *) 174; - -/* - * bpf_task_pt_regs - * - * Get the struct pt_regs associated with **task**. - * - * Returns - * A pointer to struct pt_regs. - */ -static long (*bpf_task_pt_regs)(struct task_struct *task) = (void *) 175; - -/* - * bpf_get_branch_snapshot - * - * Get branch trace from hardware engines like Intel LBR. The - * hardware engine is stopped shortly after the helper is - * called. Therefore, the user need to filter branch entries - * based on the actual use case. To capture branch trace - * before the trigger point of the BPF program, the helper - * should be called at the beginning of the BPF program. - * - * The data is stored as struct perf_branch_entry into output - * buffer *entries*. *size* is the size of *entries* in bytes. - * *flags* is reserved for now and must be zero. - * - * - * Returns - * On success, number of bytes written to *buf*. On error, a - * negative value. - * - * **-EINVAL** if *flags* is not zero. - * - * **-ENOENT** if architecture does not support branch records. - */ -static long (*bpf_get_branch_snapshot)(void *entries, __u32 size, __u64 flags) = (void *) 176; - -/* - * bpf_trace_vprintk - * - * Behaves like **bpf_trace_printk**\ () helper, but takes an array of u64 - * to format and can handle more format args as a result. - * - * Arguments are to be used as in **bpf_seq_printf**\ () helper. - * - * Returns - * The number of bytes written to the buffer, or a negative error - * in case of failure. - */ -static long (*bpf_trace_vprintk)(const char *fmt, __u32 fmt_size, const void *data, __u32 data_len) = (void *) 177; - -/* - * bpf_skc_to_unix_sock - * - * Dynamically cast a *sk* pointer to a *unix_sock* pointer. - * - * Returns - * *sk* if casting is valid, or **NULL** otherwise. - */ -static struct unix_sock *(*bpf_skc_to_unix_sock)(void *sk) = (void *) 178; - -/* - * bpf_kallsyms_lookup_name - * - * Get the address of a kernel symbol, returned in *res*. *res* is - * set to 0 if the symbol is not found. - * - * Returns - * On success, zero. On error, a negative value. - * - * **-EINVAL** if *flags* is not zero. - * - * **-EINVAL** if string *name* is not the same size as *name_sz*. - * - * **-ENOENT** if symbol is not found. - * - * **-EPERM** if caller does not have permission to obtain kernel address. - */ -static long (*bpf_kallsyms_lookup_name)(const char *name, int name_sz, int flags, __u64 *res) = (void *) 179; - -/* - * bpf_find_vma - * - * Find vma of *task* that contains *addr*, call *callback_fn* - * function with *task*, *vma*, and *callback_ctx*. - * The *callback_fn* should be a static function and - * the *callback_ctx* should be a pointer to the stack. - * The *flags* is used to control certain aspects of the helper. - * Currently, the *flags* must be 0. - * - * The expected callback signature is - * - * long (\*callback_fn)(struct task_struct \*task, struct vm_area_struct \*vma, void \*callback_ctx); - * - * - * Returns - * 0 on success. - * **-ENOENT** if *task->mm* is NULL, or no vma contains *addr*. - * **-EBUSY** if failed to try lock mmap_lock. - * **-EINVAL** for invalid **flags**. - */ -static long (*bpf_find_vma)(struct task_struct *task, __u64 addr, void *callback_fn, void *callback_ctx, __u64 flags) = (void *) 180; - - diff --git a/component/ebpf/bpf/bpf_helpers.h b/component/ebpf/bpf/bpf_helpers.h deleted file mode 100644 index 963b1060d9..0000000000 --- a/component/ebpf/bpf/bpf_helpers.h +++ /dev/null @@ -1,262 +0,0 @@ -/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */ -#ifndef __BPF_HELPERS__ -#define __BPF_HELPERS__ - -/* - * Note that bpf programs need to include either - * vmlinux.h (auto-generated from BTF) or linux/types.h - * in advance since bpf_helper_defs.h uses such types - * as __u64. - */ -#include "bpf_helper_defs.h" - -#define __uint(name, val) int (*name)[val] -#define __type(name, val) typeof(val) *name -#define __array(name, val) typeof(val) *name[] - -/* - * Helper macro to place programs, maps, license in - * different sections in elf_bpf file. Section names - * are interpreted by libbpf depending on the context (BPF programs, BPF maps, - * extern variables, etc). - * To allow use of SEC() with externs (e.g., for extern .maps declarations), - * make sure __attribute__((unused)) doesn't trigger compilation warning. - */ -#define SEC(name) \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wignored-attributes\"") \ - __attribute__((section(name), used)) \ - _Pragma("GCC diagnostic pop") \ - -/* Avoid 'linux/stddef.h' definition of '__always_inline'. */ -#undef __always_inline -#define __always_inline inline __attribute__((always_inline)) - -#ifndef __noinline -#define __noinline __attribute__((noinline)) -#endif -#ifndef __weak -#define __weak __attribute__((weak)) -#endif - -/* - * Use __hidden attribute to mark a non-static BPF subprogram effectively - * static for BPF verifier's verification algorithm purposes, allowing more - * extensive and permissive BPF verification process, taking into account - * subprogram's caller context. - */ -#define __hidden __attribute__((visibility("hidden"))) - -/* When utilizing vmlinux.h with BPF CO-RE, user BPF programs can't include - * any system-level headers (such as stddef.h, linux/version.h, etc), and - * commonly-used macros like NULL and KERNEL_VERSION aren't available through - * vmlinux.h. This just adds unnecessary hurdles and forces users to re-define - * them on their own. So as a convenience, provide such definitions here. - */ -#ifndef NULL -#define NULL ((void *)0) -#endif - -#ifndef KERNEL_VERSION -#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c))) -#endif - -/* - * Helper macros to manipulate data structures - */ -#ifndef offsetof -#define offsetof(TYPE, MEMBER) ((unsigned long)&((TYPE *)0)->MEMBER) -#endif -#ifndef container_of -#define container_of(ptr, type, member) \ - ({ \ - void *__mptr = (void *)(ptr); \ - ((type *)(__mptr - offsetof(type, member))); \ - }) -#endif - -/* - * Helper macro to throw a compilation error if __bpf_unreachable() gets - * built into the resulting code. This works given BPF back end does not - * implement __builtin_trap(). This is useful to assert that certain paths - * of the program code are never used and hence eliminated by the compiler. - * - * For example, consider a switch statement that covers known cases used by - * the program. __bpf_unreachable() can then reside in the default case. If - * the program gets extended such that a case is not covered in the switch - * statement, then it will throw a build error due to the default case not - * being compiled out. - */ -#ifndef __bpf_unreachable -# define __bpf_unreachable() __builtin_trap() -#endif - -/* - * Helper function to perform a tail call with a constant/immediate map slot. - */ -#if __clang_major__ >= 8 && defined(__bpf__) -static __always_inline void -bpf_tail_call_static(void *ctx, const void *map, const __u32 slot) -{ - if (!__builtin_constant_p(slot)) - __bpf_unreachable(); - - /* - * Provide a hard guarantee that LLVM won't optimize setting r2 (map - * pointer) and r3 (constant map index) from _different paths_ ending - * up at the _same_ call insn as otherwise we won't be able to use the - * jmpq/nopl retpoline-free patching by the x86-64 JIT in the kernel - * given they mismatch. See also d2e4c1e6c294 ("bpf: Constant map key - * tracking for prog array pokes") for details on verifier tracking. - * - * Note on clobber list: we need to stay in-line with BPF calling - * convention, so even if we don't end up using r0, r4, r5, we need - * to mark them as clobber so that LLVM doesn't end up using them - * before / after the call. - */ - asm volatile("r1 = %[ctx]\n\t" - "r2 = %[map]\n\t" - "r3 = %[slot]\n\t" - "call 12" - :: [ctx]"r"(ctx), [map]"r"(map), [slot]"i"(slot) - : "r0", "r1", "r2", "r3", "r4", "r5"); -} -#endif - -/* - * Helper structure used by eBPF C program - * to describe BPF map attributes to libbpf loader - */ -struct bpf_map_def { - unsigned int type; - unsigned int key_size; - unsigned int value_size; - unsigned int max_entries; - unsigned int map_flags; -}; - -enum libbpf_pin_type { - LIBBPF_PIN_NONE, - /* PIN_BY_NAME: pin maps by name (in /sys/fs/bpf by default) */ - LIBBPF_PIN_BY_NAME, -}; - -enum libbpf_tristate { - TRI_NO = 0, - TRI_YES = 1, - TRI_MODULE = 2, -}; - -#define __kconfig __attribute__((section(".kconfig"))) -#define __ksym __attribute__((section(".ksyms"))) - -#ifndef ___bpf_concat -#define ___bpf_concat(a, b) a ## b -#endif -#ifndef ___bpf_apply -#define ___bpf_apply(fn, n) ___bpf_concat(fn, n) -#endif -#ifndef ___bpf_nth -#define ___bpf_nth(_, _1, _2, _3, _4, _5, _6, _7, _8, _9, _a, _b, _c, N, ...) N -#endif -#ifndef ___bpf_narg -#define ___bpf_narg(...) \ - ___bpf_nth(_, ##__VA_ARGS__, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0) -#endif - -#define ___bpf_fill0(arr, p, x) do {} while (0) -#define ___bpf_fill1(arr, p, x) arr[p] = x -#define ___bpf_fill2(arr, p, x, args...) arr[p] = x; ___bpf_fill1(arr, p + 1, args) -#define ___bpf_fill3(arr, p, x, args...) arr[p] = x; ___bpf_fill2(arr, p + 1, args) -#define ___bpf_fill4(arr, p, x, args...) arr[p] = x; ___bpf_fill3(arr, p + 1, args) -#define ___bpf_fill5(arr, p, x, args...) arr[p] = x; ___bpf_fill4(arr, p + 1, args) -#define ___bpf_fill6(arr, p, x, args...) arr[p] = x; ___bpf_fill5(arr, p + 1, args) -#define ___bpf_fill7(arr, p, x, args...) arr[p] = x; ___bpf_fill6(arr, p + 1, args) -#define ___bpf_fill8(arr, p, x, args...) arr[p] = x; ___bpf_fill7(arr, p + 1, args) -#define ___bpf_fill9(arr, p, x, args...) arr[p] = x; ___bpf_fill8(arr, p + 1, args) -#define ___bpf_fill10(arr, p, x, args...) arr[p] = x; ___bpf_fill9(arr, p + 1, args) -#define ___bpf_fill11(arr, p, x, args...) arr[p] = x; ___bpf_fill10(arr, p + 1, args) -#define ___bpf_fill12(arr, p, x, args...) arr[p] = x; ___bpf_fill11(arr, p + 1, args) -#define ___bpf_fill(arr, args...) \ - ___bpf_apply(___bpf_fill, ___bpf_narg(args))(arr, 0, args) - -/* - * BPF_SEQ_PRINTF to wrap bpf_seq_printf to-be-printed values - * in a structure. - */ -#define BPF_SEQ_PRINTF(seq, fmt, args...) \ -({ \ - static const char ___fmt[] = fmt; \ - unsigned long long ___param[___bpf_narg(args)]; \ - \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \ - ___bpf_fill(___param, args); \ - _Pragma("GCC diagnostic pop") \ - \ - bpf_seq_printf(seq, ___fmt, sizeof(___fmt), \ - ___param, sizeof(___param)); \ -}) - -/* - * BPF_SNPRINTF wraps the bpf_snprintf helper with variadic arguments instead of - * an array of u64. - */ -#define BPF_SNPRINTF(out, out_size, fmt, args...) \ -({ \ - static const char ___fmt[] = fmt; \ - unsigned long long ___param[___bpf_narg(args)]; \ - \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \ - ___bpf_fill(___param, args); \ - _Pragma("GCC diagnostic pop") \ - \ - bpf_snprintf(out, out_size, ___fmt, \ - ___param, sizeof(___param)); \ -}) - -#ifdef BPF_NO_GLOBAL_DATA -#define BPF_PRINTK_FMT_MOD -#else -#define BPF_PRINTK_FMT_MOD static const -#endif - -#define __bpf_printk(fmt, ...) \ -({ \ - BPF_PRINTK_FMT_MOD char ____fmt[] = fmt; \ - bpf_trace_printk(____fmt, sizeof(____fmt), \ - ##__VA_ARGS__); \ -}) - -/* - * __bpf_vprintk wraps the bpf_trace_vprintk helper with variadic arguments - * instead of an array of u64. - */ -#define __bpf_vprintk(fmt, args...) \ -({ \ - static const char ___fmt[] = fmt; \ - unsigned long long ___param[___bpf_narg(args)]; \ - \ - _Pragma("GCC diagnostic push") \ - _Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \ - ___bpf_fill(___param, args); \ - _Pragma("GCC diagnostic pop") \ - \ - bpf_trace_vprintk(___fmt, sizeof(___fmt), \ - ___param, sizeof(___param)); \ -}) - -/* Use __bpf_printk when bpf_printk call has 3 or fewer fmt args - * Otherwise use __bpf_vprintk - */ -#define ___bpf_pick_printk(...) \ - ___bpf_nth(_, ##__VA_ARGS__, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, \ - __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, \ - __bpf_vprintk, __bpf_vprintk, __bpf_printk /*3*/, __bpf_printk /*2*/,\ - __bpf_printk /*1*/, __bpf_printk /*0*/) - -/* Helper macro to print out debug messages */ -#define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args) - -#endif diff --git a/component/ebpf/bpf/redir.c b/component/ebpf/bpf/redir.c deleted file mode 100644 index 6ef5ee0ce2..0000000000 --- a/component/ebpf/bpf/redir.c +++ /dev/null @@ -1,342 +0,0 @@ -#include -#include -//#include - -#include -#include -//#include -//#include -#include -#include -#include -//#include - -#include - -#include "bpf_endian.h" -#include "bpf_helpers.h" - -#define IP_CSUM_OFF (ETH_HLEN + offsetof(struct iphdr, check)) -#define IP_DST_OFF (ETH_HLEN + offsetof(struct iphdr, daddr)) -#define IP_SRC_OFF (ETH_HLEN + offsetof(struct iphdr, saddr)) -#define IP_PROTO_OFF (ETH_HLEN + offsetof(struct iphdr, protocol)) -#define TCP_CSUM_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, check)) -#define TCP_SRC_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, source)) -#define TCP_DST_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, dest)) -//#define UDP_CSUM_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, check)) -//#define UDP_SRC_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, source)) -//#define UDP_DST_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, dest)) -#define IS_PSEUDO 0x10 - -struct origin_info { - __be32 ip; - __be16 port; - __u16 pad; -}; - -struct origin_info *origin_info_unused __attribute__((unused)); - -struct redir_info { - __be32 sip; - __be32 dip; - __be16 sport; - __be16 dport; -}; - -struct redir_info *redir_info_unused __attribute__((unused)); - -struct { - __uint(type, BPF_MAP_TYPE_LRU_HASH); - __type(key, struct redir_info); - __type(value, struct origin_info); - __uint(max_entries, 65535); - __uint(pinning, LIBBPF_PIN_BY_NAME); -} pair_original_dst_map SEC(".maps"); - -struct { - __uint(type, BPF_MAP_TYPE_ARRAY); - __type(key, __u32); - __type(value, __u32); - __uint(max_entries, 3); - __uint(pinning, LIBBPF_PIN_BY_NAME); -} redir_params_map SEC(".maps"); - -static __always_inline int rewrite_ip(struct __sk_buff *skb, __be32 new_ip, bool is_dest) { - int ret, off = 0, flags = IS_PSEUDO; - __be32 old_ip; - - if (is_dest) - ret = bpf_skb_load_bytes(skb, IP_DST_OFF, &old_ip, 4); - else - ret = bpf_skb_load_bytes(skb, IP_SRC_OFF, &old_ip, 4); - - if (ret < 0) { - return ret; - } - - off = TCP_CSUM_OFF; -// __u8 proto; -// -// ret = bpf_skb_load_bytes(skb, IP_PROTO_OFF, &proto, 1); -// if (ret < 0) { -// return BPF_DROP; -// } -// -// switch (proto) { -// case IPPROTO_TCP: -// off = TCP_CSUM_OFF; -// break; -// -// case IPPROTO_UDP: -// off = UDP_CSUM_OFF; -// flags |= BPF_F_MARK_MANGLED_0; -// break; -// -// case IPPROTO_ICMPV6: -// off = offsetof(struct icmp6hdr, icmp6_cksum); -// break; -// } -// -// if (off) { - ret = bpf_l4_csum_replace(skb, off, old_ip, new_ip, flags | sizeof(new_ip)); - if (ret < 0) { - return ret; - } -// } - - ret = bpf_l3_csum_replace(skb, IP_CSUM_OFF, old_ip, new_ip, sizeof(new_ip)); - if (ret < 0) { - return ret; - } - - if (is_dest) - ret = bpf_skb_store_bytes(skb, IP_DST_OFF, &new_ip, sizeof(new_ip), 0); - else - ret = bpf_skb_store_bytes(skb, IP_SRC_OFF, &new_ip, sizeof(new_ip), 0); - - if (ret < 0) { - return ret; - } - - return 1; -} - -static __always_inline int rewrite_port(struct __sk_buff *skb, __be16 new_port, bool is_dest) { - int ret, off = 0; - __be16 old_port; - - if (is_dest) - ret = bpf_skb_load_bytes(skb, TCP_DST_OFF, &old_port, 2); - else - ret = bpf_skb_load_bytes(skb, TCP_SRC_OFF, &old_port, 2); - - if (ret < 0) { - return ret; - } - - off = TCP_CSUM_OFF; - - ret = bpf_l4_csum_replace(skb, off, old_port, new_port, sizeof(new_port)); - if (ret < 0) { - return ret; - } - - if (is_dest) - ret = bpf_skb_store_bytes(skb, TCP_DST_OFF, &new_port, sizeof(new_port), 0); - else - ret = bpf_skb_store_bytes(skb, TCP_SRC_OFF, &new_port, sizeof(new_port), 0); - - if (ret < 0) { - return ret; - } - - return 1; -} - -static __always_inline bool is_lan_ip(__be32 addr) { - if (addr == 0xffffffff) - return true; - - __u8 fist = (__u8)(addr & 0xff); - - if (fist == 127 || fist == 10) - return true; - - __u8 second = (__u8)((addr >> 8) & 0xff); - - if (fist == 172 && second >= 16 && second <= 31) - return true; - - if (fist == 192 && second == 168) - return true; - - return false; -} - -SEC("tc_mihomo_auto_redir_ingress") -int tc_redir_ingress_func(struct __sk_buff *skb) { - void *data = (void *)(long)skb->data; - void *data_end = (void *)(long)skb->data_end; - struct ethhdr *eth = data; - - if ((void *)(eth + 1) > data_end) - return TC_ACT_OK; - - if (eth->h_proto != bpf_htons(ETH_P_IP)) - return TC_ACT_OK; - - struct iphdr *iph = (struct iphdr *)(eth + 1); - if ((void *)(iph + 1) > data_end) - return TC_ACT_OK; - - __u32 key = 0, *route_index, *redir_ip, *redir_port; - - route_index = bpf_map_lookup_elem(&redir_params_map, &key); - if (!route_index) - return TC_ACT_OK; - - if (iph->protocol == IPPROTO_ICMP && *route_index != 0) - return bpf_redirect(*route_index, 0); - - if (iph->protocol != IPPROTO_TCP) - return TC_ACT_OK; - - struct tcphdr *tcph = (struct tcphdr *)(iph + 1); - if ((void *)(tcph + 1) > data_end) - return TC_ACT_SHOT; - - key = 1; - redir_ip = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_ip) - return TC_ACT_OK; - - key = 2; - redir_port = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_port) - return TC_ACT_OK; - - __be32 new_ip = bpf_htonl(*redir_ip); - __be16 new_port = bpf_htonl(*redir_port) >> 16; - __be32 old_ip = iph->daddr; - __be16 old_port = tcph->dest; - - if (old_ip == new_ip || is_lan_ip(old_ip) || bpf_ntohs(old_port) == 53) { - return TC_ACT_OK; - } - - struct redir_info p_key = { - .sip = iph->saddr, - .sport = tcph->source, - .dip = new_ip, - .dport = new_port, - }; - - if (tcph->syn && !tcph->ack) { - struct origin_info origin = { - .ip = old_ip, - .port = old_port, - }; - - bpf_map_update_elem(&pair_original_dst_map, &p_key, &origin, BPF_NOEXIST); - - if (rewrite_ip(skb, new_ip, true) < 0) { - return TC_ACT_SHOT; - } - - if (rewrite_port(skb, new_port, true) < 0) { - return TC_ACT_SHOT; - } - } else { - struct origin_info *origin = bpf_map_lookup_elem(&pair_original_dst_map, &p_key); - if (!origin) { - return TC_ACT_OK; - } - - if (rewrite_ip(skb, new_ip, true) < 0) { - return TC_ACT_SHOT; - } - - if (rewrite_port(skb, new_port, true) < 0) { - return TC_ACT_SHOT; - } - } - - return TC_ACT_OK; -} - -SEC("tc_mihomo_auto_redir_egress") -int tc_redir_egress_func(struct __sk_buff *skb) { - void *data = (void *)(long)skb->data; - void *data_end = (void *)(long)skb->data_end; - struct ethhdr *eth = data; - - if ((void *)(eth + 1) > data_end) - return TC_ACT_OK; - - if (eth->h_proto != bpf_htons(ETH_P_IP)) - return TC_ACT_OK; - - __u32 key = 0, *redir_ip, *redir_port; // *mihomo_mark - -// mihomo_mark = bpf_map_lookup_elem(&redir_params_map, &key); -// if (mihomo_mark && *mihomo_mark != 0 && *mihomo_mark == skb->mark) -// return TC_ACT_OK; - - struct iphdr *iph = (struct iphdr *)(eth + 1); - if ((void *)(iph + 1) > data_end) - return TC_ACT_OK; - - if (iph->protocol != IPPROTO_TCP) - return TC_ACT_OK; - - struct tcphdr *tcph = (struct tcphdr *)(iph + 1); - if ((void *)(tcph + 1) > data_end) - return TC_ACT_SHOT; - - key = 1; - redir_ip = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_ip) - return TC_ACT_OK; - - key = 2; - redir_port = bpf_map_lookup_elem(&redir_params_map, &key); - if (!redir_port) - return TC_ACT_OK; - - __be32 new_ip = bpf_htonl(*redir_ip); - __be16 new_port = bpf_htonl(*redir_port) >> 16; - __be32 old_ip = iph->saddr; - __be16 old_port = tcph->source; - - if (old_ip != new_ip || old_port != new_port) { - return TC_ACT_OK; - } - - struct redir_info p_key = { - .sip = iph->daddr, - .sport = tcph->dest, - .dip = iph->saddr, - .dport = tcph->source, - }; - - struct origin_info *origin = bpf_map_lookup_elem(&pair_original_dst_map, &p_key); - if (!origin) { - return TC_ACT_OK; - } - - if (tcph->fin && tcph->ack) { - bpf_map_delete_elem(&pair_original_dst_map, &p_key); - } - - if (rewrite_ip(skb, origin->ip, false) < 0) { - return TC_ACT_SHOT; - } - - if (rewrite_port(skb, origin->port, false) < 0) { - return TC_ACT_SHOT; - } - - return TC_ACT_OK; -} - -char _license[] SEC("license") = "GPL"; diff --git a/component/ebpf/bpf/tc.c b/component/ebpf/bpf/tc.c deleted file mode 100644 index 3513bf040f..0000000000 --- a/component/ebpf/bpf/tc.c +++ /dev/null @@ -1,103 +0,0 @@ -#include -#include -#include -#include -#include -//#include -//#include -#include - -#include "bpf_endian.h" -#include "bpf_helpers.h" - -struct { - __uint(type, BPF_MAP_TYPE_ARRAY); - __type(key, __u32); - __type(value, __u32); - __uint(max_entries, 2); - __uint(pinning, LIBBPF_PIN_BY_NAME); -} tc_params_map SEC(".maps"); - -static __always_inline bool is_lan_ip(__be32 addr) { - if (addr == 0xffffffff) - return true; - - __u8 fist = (__u8)(addr & 0xff); - - if (fist == 127 || fist == 10) - return true; - - __u8 second = (__u8)((addr >> 8) & 0xff); - - if (fist == 172 && second >= 16 && second <= 31) - return true; - - if (fist == 192 && second == 168) - return true; - - return false; -} - -SEC("tc_mihomo_redirect_to_tun") -int tc_tun_func(struct __sk_buff *skb) { - void *data = (void *)(long)skb->data; - void *data_end = (void *)(long)skb->data_end; - struct ethhdr *eth = data; - - if ((void *)(eth + 1) > data_end) - return TC_ACT_OK; - - if (eth->h_proto == bpf_htons(ETH_P_ARP)) - return TC_ACT_OK; - - __u32 key = 0, *mihomo_mark, *tun_ifindex; - - mihomo_mark = bpf_map_lookup_elem(&tc_params_map, &key); - if (!mihomo_mark) - return TC_ACT_OK; - - if (skb->mark == *mihomo_mark) - return TC_ACT_OK; - - if (eth->h_proto == bpf_htons(ETH_P_IP)) { - struct iphdr *iph = (struct iphdr *)(eth + 1); - if ((void *)(iph + 1) > data_end) - return TC_ACT_OK; - - if (iph->protocol == IPPROTO_ICMP) - return TC_ACT_OK; - - __be32 daddr = iph->daddr; - - if (is_lan_ip(daddr)) - return TC_ACT_OK; - -// if (iph->protocol == IPPROTO_TCP) { -// struct tcphdr *tcph = (struct tcphdr *)(iph + 1); -// if ((void *)(tcph + 1) > data_end) -// return TC_ACT_OK; -// -// __u16 source = bpf_ntohs(tcph->source); -// if (source == 22 || source == 80 || source == 443 || source == 8080 || source == 8443 || source == 9090 || (source >= 7890 && source <= 7895)) -// return TC_ACT_OK; -// } else if (iph->protocol == IPPROTO_UDP) { -// struct udphdr *udph = (struct udphdr *)(iph + 1); -// if ((void *)(udph + 1) > data_end) -// return TC_ACT_OK; -// -// __u16 source = bpf_ntohs(udph->source); -// if (source == 53 || (source >= 135 && source <= 139)) -// return TC_ACT_OK; -// } - } - - key = 1; - tun_ifindex = bpf_map_lookup_elem(&tc_params_map, &key); - if (!tun_ifindex) - return TC_ACT_OK; - - //return bpf_redirect(*tun_ifindex, BPF_F_INGRESS); // __bpf_rx_skb - return bpf_redirect(*tun_ifindex, 0); // __bpf_tx_skb / __dev_xmit_skb -} - -char _license[] SEC("license") = "GPL"; diff --git a/component/ebpf/byteorder/byteorder.go b/component/ebpf/byteorder/byteorder.go deleted file mode 100644 index 63e0c611a3..0000000000 --- a/component/ebpf/byteorder/byteorder.go +++ /dev/null @@ -1,13 +0,0 @@ -package byteorder - -import ( - "net" -) - -// NetIPv4ToHost32 converts an net.IP to a uint32 in host byte order. ip -// must be a IPv4 address, otherwise the function will panic. -func NetIPv4ToHost32(ip net.IP) uint32 { - ipv4 := ip.To4() - _ = ipv4[3] // Assert length of ipv4. - return Native.Uint32(ipv4) -} diff --git a/component/ebpf/byteorder/byteorder_bigendian.go b/component/ebpf/byteorder/byteorder_bigendian.go deleted file mode 100644 index 4c5d710586..0000000000 --- a/component/ebpf/byteorder/byteorder_bigendian.go +++ /dev/null @@ -1,12 +0,0 @@ -//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 - -package byteorder - -import "encoding/binary" - -var Native binary.ByteOrder = binary.BigEndian - -func HostToNetwork16(u uint16) uint16 { return u } -func HostToNetwork32(u uint32) uint32 { return u } -func NetworkToHost16(u uint16) uint16 { return u } -func NetworkToHost32(u uint32) uint32 { return u } diff --git a/component/ebpf/byteorder/byteorder_littleendian.go b/component/ebpf/byteorder/byteorder_littleendian.go deleted file mode 100644 index d40f351732..0000000000 --- a/component/ebpf/byteorder/byteorder_littleendian.go +++ /dev/null @@ -1,15 +0,0 @@ -//go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 || loong64 - -package byteorder - -import ( - "encoding/binary" - "math/bits" -) - -var Native binary.ByteOrder = binary.LittleEndian - -func HostToNetwork16(u uint16) uint16 { return bits.ReverseBytes16(u) } -func HostToNetwork32(u uint32) uint32 { return bits.ReverseBytes32(u) } -func NetworkToHost16(u uint16) uint16 { return bits.ReverseBytes16(u) } -func NetworkToHost32(u uint32) uint32 { return bits.ReverseBytes32(u) } diff --git a/component/ebpf/ebpf.go b/component/ebpf/ebpf.go deleted file mode 100644 index b0f5a65f60..0000000000 --- a/component/ebpf/ebpf.go +++ /dev/null @@ -1,33 +0,0 @@ -package ebpf - -import ( - "net/netip" - - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/transport/socks5" -) - -type TcEBpfProgram struct { - pros []C.EBpf - rawNICs []string -} - -func (t *TcEBpfProgram) RawNICs() []string { - return t.rawNICs -} - -func (t *TcEBpfProgram) Close() { - for _, p := range t.pros { - p.Close() - } -} - -func (t *TcEBpfProgram) Lookup(srcAddrPort netip.AddrPort) (addr socks5.Addr, err error) { - for _, p := range t.pros { - addr, err = p.Lookup(srcAddrPort) - if err == nil { - return - } - } - return -} diff --git a/component/ebpf/ebpf_linux.go b/component/ebpf/ebpf_linux.go deleted file mode 100644 index 304f32fe7b..0000000000 --- a/component/ebpf/ebpf_linux.go +++ /dev/null @@ -1,137 +0,0 @@ -//go:build !android - -package ebpf - -import ( - "fmt" - "net/netip" - - "github.com/metacubex/mihomo/common/cmd" - "github.com/metacubex/mihomo/component/dialer" - "github.com/metacubex/mihomo/component/ebpf/redir" - "github.com/metacubex/mihomo/component/ebpf/tc" - C "github.com/metacubex/mihomo/constant" - "github.com/sagernet/netlink" -) - -func GetAutoDetectInterface() (string, error) { - routes, err := netlink.RouteList(nil, netlink.FAMILY_V4) - if err != nil { - return "", err - } - - for _, route := range routes { - if route.Dst == nil { - lk, err := netlink.LinkByIndex(route.LinkIndex) - if err != nil { - return "", err - } - - if lk.Type() == "tuntap" { - continue - } - - return lk.Attrs().Name, nil - } - } - - return "", fmt.Errorf("interface not found") -} - -// NewTcEBpfProgram new redirect to tun ebpf program -func NewTcEBpfProgram(ifaceNames []string, tunName string) (*TcEBpfProgram, error) { - tunIface, err := netlink.LinkByName(tunName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", tunName, err) - } - - tunIndex := uint32(tunIface.Attrs().Index) - - dialer.DefaultRoutingMark.Store(C.MihomoTrafficMark) - - ifMark := uint32(dialer.DefaultRoutingMark.Load()) - - var pros []C.EBpf - for _, ifaceName := range ifaceNames { - iface, err := netlink.LinkByName(ifaceName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", ifaceName, err) - } - if iface.Attrs().OperState != netlink.OperUp { - return nil, fmt.Errorf("network iface %q is down", ifaceName) - } - - attrs := iface.Attrs() - index := attrs.Index - - tcPro := tc.NewEBpfTc(ifaceName, index, ifMark, tunIndex) - if err = tcPro.Start(); err != nil { - return nil, err - } - - pros = append(pros, tcPro) - } - - systemSetting(ifaceNames...) - - return &TcEBpfProgram{pros: pros, rawNICs: ifaceNames}, nil -} - -// NewRedirEBpfProgram new auto redirect ebpf program -func NewRedirEBpfProgram(ifaceNames []string, redirPort uint16, defaultRouteInterfaceName string) (*TcEBpfProgram, error) { - defaultRouteInterface, err := netlink.LinkByName(defaultRouteInterfaceName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", defaultRouteInterfaceName, err) - } - - defaultRouteIndex := uint32(defaultRouteInterface.Attrs().Index) - - var pros []C.EBpf - for _, ifaceName := range ifaceNames { - iface, err := netlink.LinkByName(ifaceName) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q: %w", ifaceName, err) - } - - attrs := iface.Attrs() - index := attrs.Index - - addrs, err := netlink.AddrList(iface, netlink.FAMILY_V4) - if err != nil { - return nil, fmt.Errorf("lookup network iface %q address: %w", ifaceName, err) - } - - if len(addrs) == 0 { - return nil, fmt.Errorf("network iface %q does not contain any ipv4 addresses", ifaceName) - } - - address, _ := netip.AddrFromSlice(addrs[0].IP) - redirAddrPort := netip.AddrPortFrom(address, redirPort) - - redirPro := redir.NewEBpfRedirect(ifaceName, index, 0, defaultRouteIndex, redirAddrPort) - if err = redirPro.Start(); err != nil { - return nil, err - } - - pros = append(pros, redirPro) - } - - systemSetting(ifaceNames...) - - return &TcEBpfProgram{pros: pros, rawNICs: ifaceNames}, nil -} - -func systemSetting(ifaceNames ...string) { - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.ip_forward=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.forwarding=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.accept_local=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.accept_redirects=1") - _, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.rp_filter=0") - - for _, ifaceName := range ifaceNames { - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.forwarding=1", ifaceName)) - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.accept_local=1", ifaceName)) - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.accept_redirects=1", ifaceName)) - _, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.rp_filter=0", ifaceName)) - } -} diff --git a/component/ebpf/ebpf_others.go b/component/ebpf/ebpf_others.go deleted file mode 100644 index 44cf1c3aea..0000000000 --- a/component/ebpf/ebpf_others.go +++ /dev/null @@ -1,21 +0,0 @@ -//go:build !linux || android - -package ebpf - -import ( - "fmt" -) - -// NewTcEBpfProgram new ebpf tc program -func NewTcEBpfProgram(_ []string, _ string) (*TcEBpfProgram, error) { - return nil, fmt.Errorf("system not supported") -} - -// NewRedirEBpfProgram new ebpf redirect program -func NewRedirEBpfProgram(_ []string, _ uint16, _ string) (*TcEBpfProgram, error) { - return nil, fmt.Errorf("system not supported") -} - -func GetAutoDetectInterface() (string, error) { - return "", fmt.Errorf("system not supported") -} diff --git a/component/ebpf/redir/auto_redirect.go b/component/ebpf/redir/auto_redirect.go deleted file mode 100644 index 57c9961630..0000000000 --- a/component/ebpf/redir/auto_redirect.go +++ /dev/null @@ -1,216 +0,0 @@ -//go:build linux - -package redir - -import ( - "encoding/binary" - "fmt" - "io" - "net" - "net/netip" - "os" - "path/filepath" - - "github.com/cilium/ebpf" - "github.com/cilium/ebpf/rlimit" - "github.com/sagernet/netlink" - "golang.org/x/sys/unix" - - "github.com/metacubex/mihomo/component/ebpf/byteorder" - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/transport/socks5" -) - -//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../bpf/redir.c - -const ( - mapKey1 uint32 = 0 - mapKey2 uint32 = 1 - mapKey3 uint32 = 2 -) - -type EBpfRedirect struct { - objs io.Closer - originMap *ebpf.Map - qdisc netlink.Qdisc - filter netlink.Filter - filterEgress netlink.Filter - - ifName string - ifIndex int - ifMark uint32 - rtIndex uint32 - redirIp uint32 - redirPort uint16 - - bpfPath string -} - -func NewEBpfRedirect(ifName string, ifIndex int, ifMark uint32, routeIndex uint32, redirAddrPort netip.AddrPort) *EBpfRedirect { - return &EBpfRedirect{ - ifName: ifName, - ifIndex: ifIndex, - ifMark: ifMark, - rtIndex: routeIndex, - redirIp: binary.BigEndian.Uint32(redirAddrPort.Addr().AsSlice()), - redirPort: redirAddrPort.Port(), - } -} - -func (e *EBpfRedirect) Start() error { - if err := rlimit.RemoveMemlock(); err != nil { - return fmt.Errorf("remove memory lock: %w", err) - } - - e.bpfPath = filepath.Join(C.BpfFSPath, e.ifName) - if err := os.MkdirAll(e.bpfPath, os.ModePerm); err != nil { - return fmt.Errorf("failed to create bpf fs subpath: %w", err) - } - - var objs bpfObjects - if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{ - Maps: ebpf.MapOptions{ - PinPath: e.bpfPath, - }, - }); err != nil { - e.Close() - return fmt.Errorf("loading objects: %w", err) - } - - e.objs = &objs - e.originMap = objs.bpfMaps.PairOriginalDstMap - - if err := objs.bpfMaps.RedirParamsMap.Update(mapKey1, e.rtIndex, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - if err := objs.bpfMaps.RedirParamsMap.Update(mapKey2, e.redirIp, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - if err := objs.bpfMaps.RedirParamsMap.Update(mapKey3, uint32(e.redirPort), ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - attrs := netlink.QdiscAttrs{ - LinkIndex: e.ifIndex, - Handle: netlink.MakeHandle(0xffff, 0), - Parent: netlink.HANDLE_CLSACT, - } - - qdisc := &netlink.GenericQdisc{ - QdiscAttrs: attrs, - QdiscType: "clsact", - } - - e.qdisc = qdisc - - if err := netlink.QdiscAdd(qdisc); err != nil { - if os.IsExist(err) { - _ = netlink.QdiscDel(qdisc) - err = netlink.QdiscAdd(qdisc) - } - - if err != nil { - e.Close() - return fmt.Errorf("cannot add clsact qdisc: %w", err) - } - } - - filterAttrs := netlink.FilterAttrs{ - LinkIndex: e.ifIndex, - Parent: netlink.HANDLE_MIN_INGRESS, - Handle: netlink.MakeHandle(0, 1), - Protocol: unix.ETH_P_IP, - Priority: 0, - } - - filter := &netlink.BpfFilter{ - FilterAttrs: filterAttrs, - Fd: objs.bpfPrograms.TcRedirIngressFunc.FD(), - Name: "mihomo-redir-ingress-" + e.ifName, - DirectAction: true, - } - - if err := netlink.FilterAdd(filter); err != nil { - e.Close() - return fmt.Errorf("cannot attach ebpf object to filter ingress: %w", err) - } - - e.filter = filter - - filterAttrsEgress := netlink.FilterAttrs{ - LinkIndex: e.ifIndex, - Parent: netlink.HANDLE_MIN_EGRESS, - Handle: netlink.MakeHandle(0, 1), - Protocol: unix.ETH_P_IP, - Priority: 0, - } - - filterEgress := &netlink.BpfFilter{ - FilterAttrs: filterAttrsEgress, - Fd: objs.bpfPrograms.TcRedirEgressFunc.FD(), - Name: "mihomo-redir-egress-" + e.ifName, - DirectAction: true, - } - - if err := netlink.FilterAdd(filterEgress); err != nil { - e.Close() - return fmt.Errorf("cannot attach ebpf object to filter egress: %w", err) - } - - e.filterEgress = filterEgress - - return nil -} - -func (e *EBpfRedirect) Close() { - if e.filter != nil { - _ = netlink.FilterDel(e.filter) - } - if e.filterEgress != nil { - _ = netlink.FilterDel(e.filterEgress) - } - if e.qdisc != nil { - _ = netlink.QdiscDel(e.qdisc) - } - if e.objs != nil { - _ = e.objs.Close() - } - _ = os.Remove(filepath.Join(e.bpfPath, "redir_params_map")) - _ = os.Remove(filepath.Join(e.bpfPath, "pair_original_dst_map")) -} - -func (e *EBpfRedirect) Lookup(srcAddrPort netip.AddrPort) (socks5.Addr, error) { - rAddr := srcAddrPort.Addr().Unmap() - if rAddr.Is6() { - return nil, fmt.Errorf("remote address is ipv6") - } - - srcIp := binary.BigEndian.Uint32(rAddr.AsSlice()) - scrPort := srcAddrPort.Port() - - key := bpfRedirInfo{ - Sip: byteorder.HostToNetwork32(srcIp), - Sport: byteorder.HostToNetwork16(scrPort), - Dip: byteorder.HostToNetwork32(e.redirIp), - Dport: byteorder.HostToNetwork16(e.redirPort), - } - - origin := bpfOriginInfo{} - - err := e.originMap.Lookup(key, &origin) - if err != nil { - return nil, err - } - - addr := make([]byte, net.IPv4len+3) - addr[0] = socks5.AtypIPv4 - - binary.BigEndian.PutUint32(addr[1:1+net.IPv4len], byteorder.NetworkToHost32(origin.Ip)) // big end - binary.BigEndian.PutUint16(addr[1+net.IPv4len:3+net.IPv4len], byteorder.NetworkToHost16(origin.Port)) // big end - return addr, nil -} diff --git a/component/ebpf/redir/bpf_bpfeb.go b/component/ebpf/redir/bpf_bpfeb.go deleted file mode 100644 index 57a526e850..0000000000 --- a/component/ebpf/redir/bpf_bpfeb.go +++ /dev/null @@ -1,139 +0,0 @@ -// Code generated by bpf2go; DO NOT EDIT. -//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 -// +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64 - -package redir - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -type bpfOriginInfo struct { - Ip uint32 - Port uint16 - Pad uint16 -} - -type bpfRedirInfo struct { - Sip uint32 - Dip uint32 - Sport uint16 - Dport uint16 -} - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcRedirEgressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_egress_func"` - TcRedirIngressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_ingress_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - PairOriginalDstMap *ebpf.MapSpec `ebpf:"pair_original_dst_map"` - RedirParamsMap *ebpf.MapSpec `ebpf:"redir_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - PairOriginalDstMap *ebpf.Map `ebpf:"pair_original_dst_map"` - RedirParamsMap *ebpf.Map `ebpf:"redir_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.PairOriginalDstMap, - m.RedirParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcRedirEgressFunc *ebpf.Program `ebpf:"tc_redir_egress_func"` - TcRedirIngressFunc *ebpf.Program `ebpf:"tc_redir_ingress_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcRedirEgressFunc, - p.TcRedirIngressFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfeb.o -var _BpfBytes []byte diff --git a/component/ebpf/redir/bpf_bpfeb.o b/component/ebpf/redir/bpf_bpfeb.o deleted file mode 100644 index ed51169194..0000000000 Binary files a/component/ebpf/redir/bpf_bpfeb.o and /dev/null differ diff --git a/component/ebpf/redir/bpf_bpfel.go b/component/ebpf/redir/bpf_bpfel.go deleted file mode 100644 index 1fe3454a5b..0000000000 --- a/component/ebpf/redir/bpf_bpfel.go +++ /dev/null @@ -1,139 +0,0 @@ -// Code generated by bpf2go; DO NOT EDIT. -//go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 || loong64 -// +build 386 amd64 amd64p32 arm arm64 mips64le mips64p32le mipsle ppc64le riscv64 loong64 - -package redir - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -type bpfOriginInfo struct { - Ip uint32 - Port uint16 - Pad uint16 -} - -type bpfRedirInfo struct { - Sip uint32 - Dip uint32 - Sport uint16 - Dport uint16 -} - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcRedirEgressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_egress_func"` - TcRedirIngressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_ingress_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - PairOriginalDstMap *ebpf.MapSpec `ebpf:"pair_original_dst_map"` - RedirParamsMap *ebpf.MapSpec `ebpf:"redir_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - PairOriginalDstMap *ebpf.Map `ebpf:"pair_original_dst_map"` - RedirParamsMap *ebpf.Map `ebpf:"redir_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.PairOriginalDstMap, - m.RedirParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcRedirEgressFunc *ebpf.Program `ebpf:"tc_redir_egress_func"` - TcRedirIngressFunc *ebpf.Program `ebpf:"tc_redir_ingress_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcRedirEgressFunc, - p.TcRedirIngressFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfel.o -var _BpfBytes []byte diff --git a/component/ebpf/redir/bpf_bpfel.o b/component/ebpf/redir/bpf_bpfel.o deleted file mode 100644 index 0ac4be06b9..0000000000 Binary files a/component/ebpf/redir/bpf_bpfel.o and /dev/null differ diff --git a/component/ebpf/tc/bpf_bpfeb.go b/component/ebpf/tc/bpf_bpfeb.go deleted file mode 100644 index 623986dc8a..0000000000 --- a/component/ebpf/tc/bpf_bpfeb.go +++ /dev/null @@ -1,120 +0,0 @@ -// Code generated by bpf2go; DO NOT EDIT. -//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 -// +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64 - -package tc - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcTunFunc *ebpf.ProgramSpec `ebpf:"tc_tun_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - TcParamsMap *ebpf.MapSpec `ebpf:"tc_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - TcParamsMap *ebpf.Map `ebpf:"tc_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.TcParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcTunFunc *ebpf.Program `ebpf:"tc_tun_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcTunFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfeb.o -var _BpfBytes []byte diff --git a/component/ebpf/tc/bpf_bpfeb.o b/component/ebpf/tc/bpf_bpfeb.o deleted file mode 100644 index f0e7e608f5..0000000000 Binary files a/component/ebpf/tc/bpf_bpfeb.o and /dev/null differ diff --git a/component/ebpf/tc/bpf_bpfel.go b/component/ebpf/tc/bpf_bpfel.go deleted file mode 100644 index 3bfa165545..0000000000 --- a/component/ebpf/tc/bpf_bpfel.go +++ /dev/null @@ -1,120 +0,0 @@ -// -//go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 || loong64 -// +build 386 amd64 amd64p32 arm arm64 mips64le mips64p32le mipsle ppc64le riscv64 loong64 - -package tc - -import ( - "bytes" - _ "embed" - "fmt" - "io" - - "github.com/cilium/ebpf" -) - -// loadBpf returns the embedded CollectionSpec for bpf. -func loadBpf() (*ebpf.CollectionSpec, error) { - reader := bytes.NewReader(_BpfBytes) - spec, err := ebpf.LoadCollectionSpecFromReader(reader) - if err != nil { - return nil, fmt.Errorf("can't load bpf: %w", err) - } - - return spec, err -} - -// loadBpfObjects loads bpf and converts it into a struct. -// -// The following types are suitable as obj argument: -// -// *bpfObjects -// *bpfPrograms -// *bpfMaps -// -// See ebpf.CollectionSpec.LoadAndAssign documentation for details. -func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { - spec, err := loadBpf() - if err != nil { - return err - } - - return spec.LoadAndAssign(obj, opts) -} - -// bpfSpecs contains maps and programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfSpecs struct { - bpfProgramSpecs - bpfMapSpecs -} - -// bpfSpecs contains programs before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfProgramSpecs struct { - TcTunFunc *ebpf.ProgramSpec `ebpf:"tc_tun_func"` -} - -// bpfMapSpecs contains maps before they are loaded into the kernel. -// -// It can be passed ebpf.CollectionSpec.Assign. -type bpfMapSpecs struct { - TcParamsMap *ebpf.MapSpec `ebpf:"tc_params_map"` -} - -// bpfObjects contains all objects after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfObjects struct { - bpfPrograms - bpfMaps -} - -func (o *bpfObjects) Close() error { - return _BpfClose( - &o.bpfPrograms, - &o.bpfMaps, - ) -} - -// bpfMaps contains all maps after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfMaps struct { - TcParamsMap *ebpf.Map `ebpf:"tc_params_map"` -} - -func (m *bpfMaps) Close() error { - return _BpfClose( - m.TcParamsMap, - ) -} - -// bpfPrograms contains all programs after they have been loaded into the kernel. -// -// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign. -type bpfPrograms struct { - TcTunFunc *ebpf.Program `ebpf:"tc_tun_func"` -} - -func (p *bpfPrograms) Close() error { - return _BpfClose( - p.TcTunFunc, - ) -} - -func _BpfClose(closers ...io.Closer) error { - for _, closer := range closers { - if err := closer.Close(); err != nil { - return err - } - } - return nil -} - -// Do not access this directly. -// -//go:embed bpf_bpfel.o -var _BpfBytes []byte diff --git a/component/ebpf/tc/bpf_bpfel.o b/component/ebpf/tc/bpf_bpfel.o deleted file mode 100644 index 290ae9cad7..0000000000 Binary files a/component/ebpf/tc/bpf_bpfel.o and /dev/null differ diff --git a/component/ebpf/tc/redirect_to_tun.go b/component/ebpf/tc/redirect_to_tun.go deleted file mode 100644 index d7be64afdb..0000000000 --- a/component/ebpf/tc/redirect_to_tun.go +++ /dev/null @@ -1,147 +0,0 @@ -//go:build linux - -package tc - -import ( - "fmt" - "io" - "net/netip" - "os" - "path/filepath" - - "github.com/cilium/ebpf" - "github.com/cilium/ebpf/rlimit" - "github.com/sagernet/netlink" - "golang.org/x/sys/unix" - - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/transport/socks5" -) - -//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../bpf/tc.c - -const ( - mapKey1 uint32 = 0 - mapKey2 uint32 = 1 -) - -type EBpfTC struct { - objs io.Closer - qdisc netlink.Qdisc - filter netlink.Filter - - ifName string - ifIndex int - ifMark uint32 - tunIfIndex uint32 - - bpfPath string -} - -func NewEBpfTc(ifName string, ifIndex int, ifMark uint32, tunIfIndex uint32) *EBpfTC { - return &EBpfTC{ - ifName: ifName, - ifIndex: ifIndex, - ifMark: ifMark, - tunIfIndex: tunIfIndex, - } -} - -func (e *EBpfTC) Start() error { - if err := rlimit.RemoveMemlock(); err != nil { - return fmt.Errorf("remove memory lock: %w", err) - } - - e.bpfPath = filepath.Join(C.BpfFSPath, e.ifName) - if err := os.MkdirAll(e.bpfPath, os.ModePerm); err != nil { - return fmt.Errorf("failed to create bpf fs subpath: %w", err) - } - - var objs bpfObjects - if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{ - Maps: ebpf.MapOptions{ - PinPath: e.bpfPath, - }, - }); err != nil { - e.Close() - return fmt.Errorf("loading objects: %w", err) - } - - e.objs = &objs - - if err := objs.bpfMaps.TcParamsMap.Update(mapKey1, e.ifMark, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - if err := objs.bpfMaps.TcParamsMap.Update(mapKey2, e.tunIfIndex, ebpf.UpdateAny); err != nil { - e.Close() - return fmt.Errorf("storing objects: %w", err) - } - - attrs := netlink.QdiscAttrs{ - LinkIndex: e.ifIndex, - Handle: netlink.MakeHandle(0xffff, 0), - Parent: netlink.HANDLE_CLSACT, - } - - qdisc := &netlink.GenericQdisc{ - QdiscAttrs: attrs, - QdiscType: "clsact", - } - - e.qdisc = qdisc - - if err := netlink.QdiscAdd(qdisc); err != nil { - if os.IsExist(err) { - _ = netlink.QdiscDel(qdisc) - err = netlink.QdiscAdd(qdisc) - } - - if err != nil { - e.Close() - return fmt.Errorf("cannot add clsact qdisc: %w", err) - } - } - - filterAttrs := netlink.FilterAttrs{ - LinkIndex: e.ifIndex, - Parent: netlink.HANDLE_MIN_EGRESS, - Handle: netlink.MakeHandle(0, 1), - Protocol: unix.ETH_P_ALL, - Priority: 1, - } - - filter := &netlink.BpfFilter{ - FilterAttrs: filterAttrs, - Fd: objs.bpfPrograms.TcTunFunc.FD(), - Name: "mihomo-tc-" + e.ifName, - DirectAction: true, - } - - if err := netlink.FilterAdd(filter); err != nil { - e.Close() - return fmt.Errorf("cannot attach ebpf object to filter: %w", err) - } - - e.filter = filter - - return nil -} - -func (e *EBpfTC) Close() { - if e.filter != nil { - _ = netlink.FilterDel(e.filter) - } - if e.qdisc != nil { - _ = netlink.QdiscDel(e.qdisc) - } - if e.objs != nil { - _ = e.objs.Close() - } - _ = os.Remove(filepath.Join(e.bpfPath, "tc_params_map")) -} - -func (e *EBpfTC) Lookup(_ netip.AddrPort) (socks5.Addr, error) { - return nil, fmt.Errorf("not supported") -} diff --git a/component/fakeip/memory.go b/component/fakeip/memory.go index 00eff81015..0a8492f8aa 100644 --- a/component/fakeip/memory.go +++ b/component/fakeip/memory.go @@ -67,8 +67,9 @@ func (m *memoryStore) CloneTo(store store) { // FlushFakeIP implements store.FlushFakeIP func (m *memoryStore) FlushFakeIP() error { - _ = m.cacheIP.Clear() - return m.cacheHost.Clear() + m.cacheIP.Clear() + m.cacheHost.Clear() + return nil } func newMemoryStore(size int) *memoryStore { diff --git a/component/fakeip/pool.go b/component/fakeip/pool.go index 2b06fc0bdf..12c063324b 100644 --- a/component/fakeip/pool.go +++ b/component/fakeip/pool.go @@ -8,7 +8,7 @@ import ( "github.com/metacubex/mihomo/common/nnip" "github.com/metacubex/mihomo/component/profile/cachefile" - "github.com/metacubex/mihomo/component/trie" + C "github.com/metacubex/mihomo/constant" ) const ( @@ -35,7 +35,8 @@ type Pool struct { offset netip.Addr cycle bool mux sync.Mutex - host *trie.DomainTrie[struct{}] + host []C.DomainMatcher + mode C.FilterMode ipnet netip.Prefix store store } @@ -66,10 +67,20 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { - if p.host == nil { - return false + should := p.shouldSkipped(domain) + if p.mode == C.FilterWhiteList { + return !should } - return p.host.Search(domain) != nil + return should +} + +func (p *Pool) shouldSkipped(domain string) bool { + for _, matcher := range p.host { + if matcher.MatchDomain(domain) { + return true + } + } + return false } // Exist returns if given ip exists in fake-ip pool @@ -154,7 +165,8 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix - Host *trie.DomainTrie[struct{}] + Host []C.DomainMatcher + Mode C.FilterMode // Size sets the maximum number of entries in memory // and does not work if Persistence is true @@ -185,6 +197,7 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, + mode: options.Mode, ipnet: options.IPNet, } if options.Persistence { diff --git a/component/fakeip/pool_test.go b/component/fakeip/pool_test.go index cc50fcf7b5..ee607b68b4 100644 --- a/component/fakeip/pool_test.go +++ b/component/fakeip/pool_test.go @@ -9,8 +9,9 @@ import ( "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/trie" + C "github.com/metacubex/mihomo/constant" - "github.com/sagernet/bbolt" + "github.com/metacubex/bbolt" "github.com/stretchr/testify/assert" ) @@ -62,13 +63,13 @@ func TestPool_Basic(t *testing.T) { last := pool.Lookup("bar.com") bar, exist := pool.LookBack(last) - assert.True(t, first == netip.AddrFrom4([4]byte{192, 168, 0, 4})) - assert.True(t, pool.Lookup("foo.com") == netip.AddrFrom4([4]byte{192, 168, 0, 4})) - assert.True(t, last == netip.AddrFrom4([4]byte{192, 168, 0, 5})) + assert.Equal(t, first, netip.AddrFrom4([4]byte{192, 168, 0, 4})) + assert.Equal(t, pool.Lookup("foo.com"), netip.AddrFrom4([4]byte{192, 168, 0, 4})) + assert.Equal(t, last, netip.AddrFrom4([4]byte{192, 168, 0, 5})) assert.True(t, exist) assert.Equal(t, bar, "bar.com") - assert.True(t, pool.Gateway() == netip.AddrFrom4([4]byte{192, 168, 0, 1})) - assert.True(t, pool.Broadcast() == netip.AddrFrom4([4]byte{192, 168, 0, 15})) + assert.Equal(t, pool.Gateway(), netip.AddrFrom4([4]byte{192, 168, 0, 1})) + assert.Equal(t, pool.Broadcast(), netip.AddrFrom4([4]byte{192, 168, 0, 15})) assert.Equal(t, pool.IPNet().String(), ipnet.String()) assert.True(t, pool.Exist(netip.AddrFrom4([4]byte{192, 168, 0, 5}))) assert.False(t, pool.Exist(netip.AddrFrom4([4]byte{192, 168, 0, 6}))) @@ -90,13 +91,13 @@ func TestPool_BasicV6(t *testing.T) { last := pool.Lookup("bar.com") bar, exist := pool.LookBack(last) - assert.True(t, first == netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8804")) - assert.True(t, pool.Lookup("foo.com") == netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8804")) - assert.True(t, last == netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8805")) + assert.Equal(t, first, netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8804")) + assert.Equal(t, pool.Lookup("foo.com"), netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8804")) + assert.Equal(t, last, netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8805")) assert.True(t, exist) assert.Equal(t, bar, "bar.com") - assert.True(t, pool.Gateway() == netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8801")) - assert.True(t, pool.Broadcast() == netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8bff")) + assert.Equal(t, pool.Gateway(), netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8801")) + assert.Equal(t, pool.Broadcast(), netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8bff")) assert.Equal(t, pool.IPNet().String(), ipnet.String()) assert.True(t, pool.Exist(netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8805"))) assert.False(t, pool.Exist(netip.MustParseAddr("2001:4860:4860:0000:0000:0000:0000:8806"))) @@ -142,19 +143,20 @@ func TestPool_CycleUsed(t *testing.T) { } baz := pool.Lookup("baz.com") next := pool.Lookup("foo.com") - assert.True(t, foo == baz) - assert.True(t, next == bar) + assert.Equal(t, foo, baz) + assert.Equal(t, next, bar) } } func TestPool_Skip(t *testing.T) { ipnet := netip.MustParsePrefix("192.168.0.1/29") tree := trie.New[struct{}]() - tree.Insert("example.com", struct{}{}) + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) pools, tempfile, err := createPools(Options{ IPNet: ipnet, Size: 10, - Host: tree, + Host: []C.DomainMatcher{tree.NewDomainSet()}, }) assert.Nil(t, err) defer os.Remove(tempfile) @@ -162,6 +164,28 @@ func TestPool_Skip(t *testing.T) { for _, pool := range pools { assert.True(t, pool.ShouldSkipped("example.com")) assert.False(t, pool.ShouldSkipped("foo.com")) + assert.False(t, pool.shouldSkipped("baz.com")) + } +} + +func TestPool_SkipWhiteList(t *testing.T) { + ipnet := netip.MustParsePrefix("192.168.0.1/29") + tree := trie.New[struct{}]() + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) + pools, tempfile, err := createPools(Options{ + IPNet: ipnet, + Size: 10, + Host: []C.DomainMatcher{tree.NewDomainSet()}, + Mode: C.FilterWhiteList, + }) + assert.Nil(t, err) + defer os.Remove(tempfile) + + for _, pool := range pools { + assert.False(t, pool.ShouldSkipped("example.com")) + assert.True(t, pool.ShouldSkipped("foo.com")) + assert.True(t, pool.ShouldSkipped("baz.com")) } } @@ -177,7 +201,7 @@ func TestPool_MaxCacheSize(t *testing.T) { pool.Lookup("baz.com") next := pool.Lookup("foo.com") - assert.False(t, first == next) + assert.NotEqual(t, first, next) } func TestPool_DoubleMapping(t *testing.T) { @@ -207,7 +231,7 @@ func TestPool_DoubleMapping(t *testing.T) { assert.False(t, bazExist) assert.True(t, barExist) - assert.False(t, bazIP == newBazIP) + assert.NotEqual(t, bazIP, newBazIP) } func TestPool_Clone(t *testing.T) { @@ -219,8 +243,8 @@ func TestPool_Clone(t *testing.T) { first := pool.Lookup("foo.com") last := pool.Lookup("bar.com") - assert.True(t, first == netip.AddrFrom4([4]byte{192, 168, 0, 4})) - assert.True(t, last == netip.AddrFrom4([4]byte{192, 168, 0, 5})) + assert.Equal(t, first, netip.AddrFrom4([4]byte{192, 168, 0, 4})) + assert.Equal(t, last, netip.AddrFrom4([4]byte{192, 168, 0, 5})) newPool, _ := New(Options{ IPNet: ipnet, @@ -265,13 +289,13 @@ func TestPool_FlushFileCache(t *testing.T) { baz := pool.Lookup("foo.com") nero := pool.Lookup("foo.com") - assert.True(t, foo == fox) - assert.True(t, foo == next) - assert.False(t, foo == baz) - assert.True(t, bar == bax) - assert.True(t, bar == baz) - assert.False(t, bar == next) - assert.True(t, baz == nero) + assert.Equal(t, foo, fox) + assert.Equal(t, foo, next) + assert.NotEqual(t, foo, baz) + assert.Equal(t, bar, bax) + assert.Equal(t, bar, baz) + assert.NotEqual(t, bar, next) + assert.Equal(t, baz, nero) } } @@ -294,11 +318,11 @@ func TestPool_FlushMemoryCache(t *testing.T) { baz := pool.Lookup("foo.com") nero := pool.Lookup("foo.com") - assert.True(t, foo == fox) - assert.True(t, foo == next) - assert.False(t, foo == baz) - assert.True(t, bar == bax) - assert.True(t, bar == baz) - assert.False(t, bar == next) - assert.True(t, baz == nero) + assert.Equal(t, foo, fox) + assert.Equal(t, foo, next) + assert.NotEqual(t, foo, baz) + assert.Equal(t, bar, bax) + assert.Equal(t, bar, baz) + assert.NotEqual(t, bar, next) + assert.Equal(t, baz, nero) } diff --git a/component/geodata/attr.go b/component/geodata/attr.go index a9742aca98..2fd41ad6c0 100644 --- a/component/geodata/attr.go +++ b/component/geodata/attr.go @@ -7,7 +7,7 @@ import ( ) type AttributeList struct { - matcher []AttributeMatcher + matcher []BooleanMatcher } func (al *AttributeList) Match(domain *router.Domain) bool { @@ -23,6 +23,14 @@ func (al *AttributeList) IsEmpty() bool { return len(al.matcher) == 0 } +func (al *AttributeList) String() string { + matcher := make([]string, len(al.matcher)) + for i, match := range al.matcher { + matcher[i] = string(match) + } + return strings.Join(matcher, ",") +} + func parseAttrs(attrs []string) *AttributeList { al := new(AttributeList) for _, attr := range attrs { diff --git a/component/geodata/init.go b/component/geodata/init.go index 834567a447..08ec1b948d 100644 --- a/component/geodata/init.go +++ b/component/geodata/init.go @@ -6,8 +6,10 @@ import ( "io" "net/http" "os" + "sync" "time" + "github.com/metacubex/mihomo/common/atomic" mihomoHttp "github.com/metacubex/mihomo/component/http" "github.com/metacubex/mihomo/component/mmdb" C "github.com/metacubex/mihomo/constant" @@ -18,55 +20,57 @@ var ( initGeoSite bool initGeoIP int initASN bool + + initGeoSiteMutex sync.Mutex + initGeoIPMutex sync.Mutex + initASNMutex sync.Mutex + + geoIpEnable atomic.Bool + geoSiteEnable atomic.Bool + asnEnable atomic.Bool + + geoIpUrl string + mmdbUrl string + geoSiteUrl string + asnUrl string ) -func InitGeoSite() error { - if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) { - log.Infoln("Can't find GeoSite.dat, start download") - if err := downloadGeoSite(C.Path.GeoSite()); err != nil { - return fmt.Errorf("can't download GeoSite.dat: %s", err.Error()) - } - log.Infoln("Download GeoSite.dat finish") - initGeoSite = false - } - if !initGeoSite { - if err := Verify(C.GeositeName); err != nil { - log.Warnln("GeoSite.dat invalid, remove and download: %s", err) - if err := os.Remove(C.Path.GeoSite()); err != nil { - return fmt.Errorf("can't remove invalid GeoSite.dat: %s", err.Error()) - } - if err := downloadGeoSite(C.Path.GeoSite()); err != nil { - return fmt.Errorf("can't download GeoSite.dat: %s", err.Error()) - } - } - initGeoSite = true - } - return nil +func GeoIpUrl() string { + return geoIpUrl } -func downloadGeoSite(path string) (err error) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) - defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, C.GeoSiteUrl, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) - if err != nil { - return - } - defer resp.Body.Close() +func SetGeoIpUrl(url string) { + geoIpUrl = url +} - f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644) - if err != nil { - return err - } - defer f.Close() - _, err = io.Copy(f, resp.Body) +func MmdbUrl() string { + return mmdbUrl +} - return err +func SetMmdbUrl(url string) { + mmdbUrl = url +} + +func GeoSiteUrl() string { + return geoSiteUrl +} + +func SetGeoSiteUrl(url string) { + geoSiteUrl = url } -func downloadGeoIP(path string) (err error) { +func ASNUrl() string { + return asnUrl +} + +func SetASNUrl(url string) { + asnUrl = url +} + +func downloadToPath(url string, path string) (err error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, C.GeoIpUrl, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) + resp, err := mihomoHttp.HttpRequest(ctx, url, http.MethodGet, nil, nil) if err != nil { return } @@ -82,11 +86,41 @@ func downloadGeoIP(path string) (err error) { return err } +func InitGeoSite() error { + geoSiteEnable.Store(true) + initGeoSiteMutex.Lock() + defer initGeoSiteMutex.Unlock() + if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) { + log.Infoln("Can't find GeoSite.dat, start download") + if err := downloadToPath(GeoSiteUrl(), C.Path.GeoSite()); err != nil { + return fmt.Errorf("can't download GeoSite.dat: %s", err.Error()) + } + log.Infoln("Download GeoSite.dat finish") + initGeoSite = false + } + if !initGeoSite { + if err := Verify(C.GeositeName); err != nil { + log.Warnln("GeoSite.dat invalid, remove and download: %s", err) + if err := os.Remove(C.Path.GeoSite()); err != nil { + return fmt.Errorf("can't remove invalid GeoSite.dat: %s", err.Error()) + } + if err := downloadToPath(GeoSiteUrl(), C.Path.GeoSite()); err != nil { + return fmt.Errorf("can't download GeoSite.dat: %s", err.Error()) + } + } + initGeoSite = true + } + return nil +} + func InitGeoIP() error { - if C.GeodataMode { + geoIpEnable.Store(true) + initGeoIPMutex.Lock() + defer initGeoIPMutex.Unlock() + if GeodataMode() { if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) { log.Infoln("Can't find GeoIP.dat, start download") - if err := downloadGeoIP(C.Path.GeoIP()); err != nil { + if err := downloadToPath(GeoIpUrl(), C.Path.GeoIP()); err != nil { return fmt.Errorf("can't download GeoIP.dat: %s", err.Error()) } log.Infoln("Download GeoIP.dat finish") @@ -99,7 +133,7 @@ func InitGeoIP() error { if err := os.Remove(C.Path.GeoIP()); err != nil { return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error()) } - if err := downloadGeoIP(C.Path.GeoIP()); err != nil { + if err := downloadToPath(GeoIpUrl(), C.Path.GeoIP()); err != nil { return fmt.Errorf("can't download GeoIP.dat: %s", err.Error()) } } @@ -110,7 +144,7 @@ func InitGeoIP() error { if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) { log.Infoln("Can't find MMDB, start download") - if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil { + if err := downloadToPath(MmdbUrl(), C.Path.MMDB()); err != nil { return fmt.Errorf("can't download MMDB: %s", err.Error()) } } @@ -121,7 +155,7 @@ func InitGeoIP() error { if err := os.Remove(C.Path.MMDB()); err != nil { return fmt.Errorf("can't remove invalid MMDB: %s", err.Error()) } - if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil { + if err := downloadToPath(MmdbUrl(), C.Path.MMDB()); err != nil { return fmt.Errorf("can't download MMDB: %s", err.Error()) } } @@ -131,9 +165,12 @@ func InitGeoIP() error { } func InitASN() error { + asnEnable.Store(true) + initASNMutex.Lock() + defer initASNMutex.Unlock() if _, err := os.Stat(C.Path.ASN()); os.IsNotExist(err) { log.Infoln("Can't find ASN.mmdb, start download") - if err := mmdb.DownloadASN(C.Path.ASN()); err != nil { + if err := downloadToPath(ASNUrl(), C.Path.ASN()); err != nil { return fmt.Errorf("can't download ASN.mmdb: %s", err.Error()) } log.Infoln("Download ASN.mmdb finish") @@ -145,7 +182,7 @@ func InitASN() error { if err := os.Remove(C.Path.ASN()); err != nil { return fmt.Errorf("can't remove invalid ASN: %s", err.Error()) } - if err := mmdb.DownloadASN(C.Path.ASN()); err != nil { + if err := downloadToPath(ASNUrl(), C.Path.ASN()); err != nil { return fmt.Errorf("can't download ASN: %s", err.Error()) } } @@ -153,3 +190,15 @@ func InitASN() error { } return nil } + +func GeoIpEnable() bool { + return geoIpEnable.Load() +} + +func GeoSiteEnable() bool { + return geoSiteEnable.Load() +} + +func ASNEnable() bool { + return asnEnable.Load() +} diff --git a/component/geodata/router/condition.go b/component/geodata/router/condition.go index 5261d2fee8..fb47e4a40c 100644 --- a/component/geodata/router/condition.go +++ b/component/geodata/router/condition.go @@ -33,12 +33,13 @@ func domainToMatcher(domain *Domain) (strmatcher.Matcher, error) { type DomainMatcher interface { ApplyDomain(string) bool + Count() int } type succinctDomainMatcher struct { set *trie.DomainSet otherMatchers []strmatcher.Matcher - not bool + count int } func (m *succinctDomainMatcher) ApplyDomain(domain string) bool { @@ -51,16 +52,17 @@ func (m *succinctDomainMatcher) ApplyDomain(domain string) bool { } } } - if m.not { - isMatched = !isMatched - } return isMatched } -func NewSuccinctMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) { +func (m *succinctDomainMatcher) Count() int { + return m.count +} + +func NewSuccinctMatcherGroup(domains []*Domain) (DomainMatcher, error) { t := trie.New[struct{}]() m := &succinctDomainMatcher{ - not: not, + count: len(domains), } for _, d := range domains { switch d.Type { @@ -90,10 +92,10 @@ func NewSuccinctMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) type v2rayDomainMatcher struct { matchers strmatcher.IndexMatcher - not bool + count int } -func NewMphMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) { +func NewMphMatcherGroup(domains []*Domain) (DomainMatcher, error) { g := strmatcher.NewMphMatcherGroup() for _, d := range domains { matcherType, f := matcherTypeMap[d.Type] @@ -108,119 +110,80 @@ func NewMphMatcherGroup(domains []*Domain, not bool) (DomainMatcher, error) { g.Build() return &v2rayDomainMatcher{ matchers: g, - not: not, + count: len(domains), }, nil } func (m *v2rayDomainMatcher) ApplyDomain(domain string) bool { - isMatched := len(m.matchers.Match(strings.ToLower(domain))) > 0 - if m.not { - isMatched = !isMatched - } - return isMatched + return len(m.matchers.Match(strings.ToLower(domain))) > 0 } -type GeoIPMatcher struct { - countryCode string - reverseMatch bool - cidrSet *cidr.IpCidrSet +func (m *v2rayDomainMatcher) Count() int { + return m.count } -func (m *GeoIPMatcher) Init(cidrs []*CIDR) error { - for _, cidr := range cidrs { - addr, ok := netip.AddrFromSlice(cidr.Ip) - if !ok { - return fmt.Errorf("error when loading GeoIP: invalid IP: %s", cidr.Ip) - } - err := m.cidrSet.AddIpCidr(netip.PrefixFrom(addr, int(cidr.Prefix))) - if err != nil { - return fmt.Errorf("error when loading GeoIP: %w", err) - } - } - return m.cidrSet.Merge() +type notDomainMatcher struct { + DomainMatcher } -func (m *GeoIPMatcher) SetReverseMatch(isReverseMatch bool) { - m.reverseMatch = isReverseMatch +func (m notDomainMatcher) ApplyDomain(domain string) bool { + return !m.DomainMatcher.ApplyDomain(domain) } -// Match returns true if the given ip is included by the GeoIP. -func (m *GeoIPMatcher) Match(ip netip.Addr) bool { - match := m.cidrSet.IsContain(ip) - if m.reverseMatch { - return !match - } - return match +func NewNotDomainMatcherGroup(matcher DomainMatcher) DomainMatcher { + return notDomainMatcher{matcher} } -// GeoIPMatcherContainer is a container for GeoIPMatchers. It keeps unique copies of GeoIPMatcher by country code. -type GeoIPMatcherContainer struct { - matchers []*GeoIPMatcher +type IPMatcher interface { + Match(ip netip.Addr) bool + Count() int } -// Add adds a new GeoIP set into the container. -// If the country code of GeoIP is not empty, GeoIPMatcherContainer will try to find an existing one, instead of adding a new one. -func (c *GeoIPMatcherContainer) Add(geoip *GeoIP) (*GeoIPMatcher, error) { - if len(geoip.CountryCode) > 0 { - for _, m := range c.matchers { - if m.countryCode == geoip.CountryCode && m.reverseMatch == geoip.ReverseMatch { - return m, nil - } - } - } - - m := &GeoIPMatcher{ - countryCode: geoip.CountryCode, - reverseMatch: geoip.ReverseMatch, - cidrSet: cidr.NewIpCidrSet(), - } - if err := m.Init(geoip.Cidr); err != nil { - return nil, err - } - if len(geoip.CountryCode) > 0 { - c.matchers = append(c.matchers, m) - } - return m, nil +type geoIPMatcher struct { + cidrSet *cidr.IpCidrSet + count int } -var globalGeoIPContainer GeoIPMatcherContainer +// Match returns true if the given ip is included by the GeoIP. +func (m *geoIPMatcher) Match(ip netip.Addr) bool { + return m.cidrSet.IsContain(ip) +} -type MultiGeoIPMatcher struct { - matchers []*GeoIPMatcher +func (m *geoIPMatcher) Count() int { + return m.count } -func NewGeoIPMatcher(geoip *GeoIP) (*GeoIPMatcher, error) { - matcher, err := globalGeoIPContainer.Add(geoip) +func NewGeoIPMatcher(cidrList []*CIDR) (IPMatcher, error) { + m := &geoIPMatcher{ + cidrSet: cidr.NewIpCidrSet(), + count: len(cidrList), + } + for _, cidr := range cidrList { + addr, ok := netip.AddrFromSlice(cidr.Ip) + if !ok { + return nil, fmt.Errorf("error when loading GeoIP: invalid IP: %s", cidr.Ip) + } + err := m.cidrSet.AddIpCidr(netip.PrefixFrom(addr, int(cidr.Prefix))) + if err != nil { + return nil, fmt.Errorf("error when loading GeoIP: %w", err) + } + } + err := m.cidrSet.Merge() if err != nil { return nil, err } - return matcher, nil + return m, nil } -func (m *MultiGeoIPMatcher) ApplyIp(ip netip.Addr) bool { - for _, matcher := range m.matchers { - if matcher.Match(ip) { - return true - } - } - - return false +type notIPMatcher struct { + IPMatcher } -func NewMultiGeoIPMatcher(geoips []*GeoIP) (*MultiGeoIPMatcher, error) { - var matchers []*GeoIPMatcher - for _, geoip := range geoips { - matcher, err := globalGeoIPContainer.Add(geoip) - if err != nil { - return nil, err - } - matchers = append(matchers, matcher) - } - - matcher := &MultiGeoIPMatcher{ - matchers: matchers, - } +func (m notIPMatcher) Match(ip netip.Addr) bool { + return !m.IPMatcher.Match(ip) +} - return matcher, nil +func NewNotIpMatcherGroup(matcher IPMatcher) IPMatcher { + return notIPMatcher{matcher} } diff --git a/component/geodata/utils.go b/component/geodata/utils.go index 981d7eba4f..4796624966 100644 --- a/component/geodata/utils.go +++ b/component/geodata/utils.go @@ -5,8 +5,7 @@ import ( "fmt" "strings" - "golang.org/x/sync/singleflight" - + "github.com/metacubex/mihomo/common/singleflight" "github.com/metacubex/mihomo/component/geodata/router" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" @@ -14,8 +13,6 @@ import ( var ( geoMode bool - AutoUpdate bool - UpdateInterval int geoLoaderName = "memconservative" geoSiteMatcher = "succinct" ) @@ -26,14 +23,6 @@ func GeodataMode() bool { return geoMode } -func GeoAutoUpdate() bool { - return AutoUpdate -} - -func GeoUpdateInterval() int { - return UpdateInterval -} - func LoaderName() string { return geoLoaderName } @@ -45,12 +34,6 @@ func SiteMatcherName() string { func SetGeodataMode(newGeodataMode bool) { geoMode = newGeodataMode } -func SetGeoAutoUpdate(newAutoUpdate bool) { - AutoUpdate = newAutoUpdate -} -func SetGeoUpdateInterval(newGeoUpdateInterval int) { - UpdateInterval = newGeoUpdateInterval -} func SetLoader(newLoader string) { if newLoader == "memc" { @@ -71,21 +54,22 @@ func SetSiteMatcher(newMatcher string) { func Verify(name string) error { switch name { case C.GeositeName: - _, _, err := LoadGeoSiteMatcher("CN") + _, err := LoadGeoSiteMatcher("CN") return err case C.GeoipName: - _, _, err := LoadGeoIPMatcher("CN") + _, err := LoadGeoIPMatcher("CN") return err default: return fmt.Errorf("not support name") } } -var loadGeoSiteMatcherSF = singleflight.Group{} +var loadGeoSiteMatcherListSF = singleflight.Group[[]*router.Domain]{StoreResult: true} +var loadGeoSiteMatcherSF = singleflight.Group[router.DomainMatcher]{StoreResult: true} -func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, int, error) { +func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, error) { if countryCode == "" { - return nil, 0, fmt.Errorf("country code could not be empty") + return nil, fmt.Errorf("country code could not be empty") } not := false @@ -97,73 +81,84 @@ func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, int, error) { parts := strings.Split(countryCode, "@") if len(parts) == 0 { - return nil, 0, errors.New("empty rule") + return nil, errors.New("empty rule") } listName := strings.TrimSpace(parts[0]) attrVal := parts[1:] + attrs := parseAttrs(attrVal) if listName == "" { - return nil, 0, fmt.Errorf("empty listname in rule: %s", countryCode) + return nil, fmt.Errorf("empty listname in rule: %s", countryCode) } - v, err, shared := loadGeoSiteMatcherSF.Do(listName, func() (interface{}, error) { - geoLoader, err := GetGeoDataLoader(geoLoaderName) + matcherName := listName + if !attrs.IsEmpty() { + matcherName += "@" + attrs.String() + } + matcher, err, shared := loadGeoSiteMatcherSF.Do(matcherName, func() (router.DomainMatcher, error) { + log.Infoln("Load GeoSite rule: %s", matcherName) + domains, err, shared := loadGeoSiteMatcherListSF.Do(listName, func() ([]*router.Domain, error) { + geoLoader, err := GetGeoDataLoader(geoLoaderName) + if err != nil { + return nil, err + } + return geoLoader.LoadGeoSite(listName) + }) if err != nil { + if !shared { + loadGeoSiteMatcherListSF.Forget(listName) // don't store the error result + } return nil, err } - return geoLoader.LoadGeoSite(listName) - }) - if err != nil { - if !shared { - loadGeoSiteMatcherSF.Forget(listName) // don't store the error result - } - return nil, 0, err - } - domains := v.([]*router.Domain) - attrs := parseAttrs(attrVal) - if attrs.IsEmpty() { - if strings.Contains(countryCode, "@") { - log.Warnln("empty attribute list: %s", countryCode) - } - } else { - filteredDomains := make([]*router.Domain, 0, len(domains)) - hasAttrMatched := false - for _, domain := range domains { - if attrs.Match(domain) { - hasAttrMatched = true - filteredDomains = append(filteredDomains, domain) + if attrs.IsEmpty() { + if strings.Contains(countryCode, "@") { + log.Warnln("empty attribute list: %s", countryCode) } + } else { + filteredDomains := make([]*router.Domain, 0, len(domains)) + hasAttrMatched := false + for _, domain := range domains { + if attrs.Match(domain) { + hasAttrMatched = true + filteredDomains = append(filteredDomains, domain) + } + } + if !hasAttrMatched { + log.Warnln("attribute match no rule: geosite: %s", countryCode) + } + domains = filteredDomains } - if !hasAttrMatched { - log.Warnln("attribute match no rule: geosite: %s", countryCode) - } - domains = filteredDomains - } - /** - linear: linear algorithm - matcher, err := router.NewDomainMatcher(domains) - mph:minimal perfect hash algorithm - */ - var matcher router.DomainMatcher - if geoSiteMatcher == "mph" { - matcher, err = router.NewMphMatcherGroup(domains, not) - } else { - matcher, err = router.NewSuccinctMatcherGroup(domains, not) - } + /** + linear: linear algorithm + matcher, err := router.NewDomainMatcher(domains) + mph:minimal perfect hash algorithm + */ + if geoSiteMatcher == "mph" { + return router.NewMphMatcherGroup(domains) + } else { + return router.NewSuccinctMatcherGroup(domains) + } + }) if err != nil { - return nil, 0, err + if !shared { + loadGeoSiteMatcherSF.Forget(matcherName) // don't store the error result + } + return nil, err + } + if not { + matcher = router.NewNotDomainMatcherGroup(matcher) } - return matcher, len(domains), nil + return matcher, nil } -var loadGeoIPMatcherSF = singleflight.Group{} +var loadGeoIPMatcherSF = singleflight.Group[router.IPMatcher]{StoreResult: true} -func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) { +func LoadGeoIPMatcher(country string) (router.IPMatcher, error) { if len(country) == 0 { - return nil, 0, fmt.Errorf("country code could not be empty") + return nil, fmt.Errorf("country code could not be empty") } not := false @@ -173,35 +168,36 @@ func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) { } country = strings.ToLower(country) - v, err, shared := loadGeoIPMatcherSF.Do(country, func() (interface{}, error) { + matcher, err, shared := loadGeoIPMatcherSF.Do(country, func() (router.IPMatcher, error) { + log.Infoln("Load GeoIP rule: %s", country) geoLoader, err := GetGeoDataLoader(geoLoaderName) if err != nil { return nil, err } - return geoLoader.LoadGeoIP(country) + cidrList, err := geoLoader.LoadGeoIP(country) + if err != nil { + return nil, err + } + return router.NewGeoIPMatcher(cidrList) }) if err != nil { if !shared { loadGeoIPMatcherSF.Forget(country) // don't store the error result + log.Warnln("Load GeoIP rule: %s", country) } - return nil, 0, err + return nil, err } - records := v.([]*router.CIDR) - - geoIP := &router.GeoIP{ - CountryCode: country, - Cidr: records, - ReverseMatch: not, + if not { + matcher = router.NewNotIpMatcherGroup(matcher) } + return matcher, nil +} - matcher, err := router.NewGeoIPMatcher(geoIP) - if err != nil { - return nil, 0, err - } - return matcher, len(records), nil +func ClearGeoSiteCache() { + loadGeoSiteMatcherListSF.Reset() + loadGeoSiteMatcherSF.Reset() } -func ClearCache() { - loadGeoSiteMatcherSF = singleflight.Group{} - loadGeoIPMatcherSF = singleflight.Group{} +func ClearGeoIPCache() { + loadGeoIPMatcherSF.Reset() } diff --git a/component/http/http.go b/component/http/http.go index 21d65d2e96..3fc06da3cb 100644 --- a/component/http/http.go +++ b/component/http/http.go @@ -12,10 +12,21 @@ import ( "time" "github.com/metacubex/mihomo/component/ca" - C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/listener/inner" ) +var ( + ua string +) + +func UA() string { + return ua +} + +func SetUA(UA string) { + ua = UA +} + func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) { return HttpRequestWithProxy(ctx, url, method, header, body, "") } @@ -35,7 +46,7 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st } if _, ok := header["User-Agent"]; !ok { - req.Header.Set("User-Agent", C.UA) + req.Header.Set("User-Agent", UA()) } if err != nil { diff --git a/component/mmdb/mmdb.go b/component/mmdb/mmdb.go index 81156bc62d..81644b0076 100644 --- a/component/mmdb/mmdb.go +++ b/component/mmdb/mmdb.go @@ -1,15 +1,9 @@ package mmdb import ( - "context" - "io" - "net/http" - "os" "sync" - "time" mihomoOnce "github.com/metacubex/mihomo/common/once" - mihomoHttp "github.com/metacubex/mihomo/component/http" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" @@ -25,26 +19,26 @@ const ( ) var ( - IPreader IPReader - ASNreader ASNReader - IPonce sync.Once - ASNonce sync.Once + ipReader IPReader + asnReader ASNReader + ipOnce sync.Once + asnOnce sync.Once ) func LoadFromBytes(buffer []byte) { - IPonce.Do(func() { + ipOnce.Do(func() { mmdb, err := maxminddb.FromBytes(buffer) if err != nil { log.Fatalln("Can't load mmdb: %s", err.Error()) } - IPreader = IPReader{Reader: mmdb} + ipReader = IPReader{Reader: mmdb} switch mmdb.Metadata.DatabaseType { case "sing-geoip": - IPreader.databaseType = typeSing + ipReader.databaseType = typeSing case "Meta-geoip0": - IPreader.databaseType = typeMetaV0 + ipReader.databaseType = typeMetaV0 default: - IPreader.databaseType = typeMaxmind + ipReader.databaseType = typeMaxmind } }) } @@ -58,83 +52,45 @@ func Verify(path string) bool { } func IPInstance() IPReader { - IPonce.Do(func() { + ipOnce.Do(func() { mmdbPath := C.Path.MMDB() log.Infoln("Load MMDB file: %s", mmdbPath) mmdb, err := maxminddb.Open(mmdbPath) if err != nil { log.Fatalln("Can't load MMDB: %s", err.Error()) } - IPreader = IPReader{Reader: mmdb} + ipReader = IPReader{Reader: mmdb} switch mmdb.Metadata.DatabaseType { case "sing-geoip": - IPreader.databaseType = typeSing + ipReader.databaseType = typeSing case "Meta-geoip0": - IPreader.databaseType = typeMetaV0 + ipReader.databaseType = typeMetaV0 default: - IPreader.databaseType = typeMaxmind + ipReader.databaseType = typeMaxmind } }) - return IPreader -} - -func DownloadMMDB(path string) (err error) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) - defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, C.MmdbUrl, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) - if err != nil { - return - } - defer resp.Body.Close() - - f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644) - if err != nil { - return err - } - defer f.Close() - _, err = io.Copy(f, resp.Body) - - return err + return ipReader } func ASNInstance() ASNReader { - ASNonce.Do(func() { + asnOnce.Do(func() { ASNPath := C.Path.ASN() log.Infoln("Load ASN file: %s", ASNPath) asn, err := maxminddb.Open(ASNPath) if err != nil { log.Fatalln("Can't load ASN: %s", err.Error()) } - ASNreader = ASNReader{Reader: asn} + asnReader = ASNReader{Reader: asn} }) - return ASNreader -} - -func DownloadASN(path string) (err error) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) - defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, C.ASNUrl, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) - if err != nil { - return - } - defer resp.Body.Close() - - f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644) - if err != nil { - return err - } - defer f.Close() - _, err = io.Copy(f, resp.Body) - - return err + return asnReader } func ReloadIP() { - mihomoOnce.Reset(&IPonce) + mihomoOnce.Reset(&ipOnce) } func ReloadASN() { - mihomoOnce.Reset(&ASNonce) + mihomoOnce.Reset(&asnOnce) } diff --git a/component/mmdb/patch_android.go b/component/mmdb/patch_android.go deleted file mode 100644 index 147a332434..0000000000 --- a/component/mmdb/patch_android.go +++ /dev/null @@ -1,18 +0,0 @@ -//go:build android && cmfa - -package mmdb - -import "github.com/oschwald/maxminddb-golang" - -func InstallOverride(override *maxminddb.Reader) { - newReader := IPReader{Reader: override} - switch override.Metadata.DatabaseType { - case "sing-geoip": - IPreader.databaseType = typeSing - case "Meta-geoip0": - IPreader.databaseType = typeMetaV0 - default: - IPreader.databaseType = typeMaxmind - } - IPreader = newReader -} diff --git a/component/power/event_windows.go b/component/power/event_windows.go index 1265569522..a9489df417 100644 --- a/component/power/event_windows.go +++ b/component/power/event_windows.go @@ -55,6 +55,11 @@ func NewEventListener(cb func(Type)) (func(), error) { } handle := uintptr(0) + // DWORD PowerRegisterSuspendResumeNotification( + // [in] DWORD Flags, + // [in] HANDLE Recipient, + // [out] PHPOWERNOTIFY RegistrationHandle + //); _, _, err := powerRegisterSuspendResumeNotification.Call( _DEVICE_NOTIFY_CALLBACK, uintptr(unsafe.Pointer(¶ms)), @@ -65,8 +70,11 @@ func NewEventListener(cb func(Type)) (func(), error) { } return func() { + // DWORD PowerUnregisterSuspendResumeNotification( + // [in, out] HPOWERNOTIFY RegistrationHandle + //); _, _, _ = powerUnregisterSuspendResumeNotification.Call( - uintptr(unsafe.Pointer(&handle)), + handle, ) runtime.KeepAlive(params) runtime.KeepAlive(handle) diff --git a/component/process/process.go b/component/process/process.go index 76ec2c45e2..464f5a79bc 100644 --- a/component/process/process.go +++ b/component/process/process.go @@ -3,6 +3,8 @@ package process import ( "errors" "net/netip" + + C "github.com/metacubex/mihomo/constant" ) var ( @@ -19,3 +21,18 @@ const ( func FindProcessName(network string, srcIP netip.Addr, srcPort int) (uint32, string, error) { return findProcessName(network, srcIP, srcPort) } + +// PackageNameResolver +// never change type traits because it's used in CMFA +type PackageNameResolver func(metadata *C.Metadata) (string, error) + +// DefaultPackageNameResolver +// never change type traits because it's used in CMFA +var DefaultPackageNameResolver PackageNameResolver + +func FindPackageName(metadata *C.Metadata) (string, error) { + if resolver := DefaultPackageNameResolver; resolver != nil { + return resolver(metadata) + } + return "", ErrPlatformNotSupport +} diff --git a/component/process/process_android.go b/component/process/process_android.go deleted file mode 100644 index fd5d3b6cba..0000000000 --- a/component/process/process_android.go +++ /dev/null @@ -1,16 +0,0 @@ -//go:build android && cmfa - -package process - -import "github.com/metacubex/mihomo/constant" - -type PackageNameResolver func(metadata *constant.Metadata) (string, error) - -var DefaultPackageNameResolver PackageNameResolver - -func FindPackageName(metadata *constant.Metadata) (string, error) { - if resolver := DefaultPackageNameResolver; resolver != nil { - return resolver(metadata) - } - return "", ErrPlatformNotSupport -} diff --git a/component/process/process_common.go b/component/process/process_common.go deleted file mode 100644 index fa7eeb9fc8..0000000000 --- a/component/process/process_common.go +++ /dev/null @@ -1,9 +0,0 @@ -//go:build !(android && cmfa) - -package process - -import "github.com/metacubex/mihomo/constant" - -func FindPackageName(metadata *constant.Metadata) (string, error) { - return "", nil -} diff --git a/component/process/process_darwin.go b/component/process/process_darwin.go index 67d2e8332b..c02771ed78 100644 --- a/component/process/process_darwin.go +++ b/component/process/process_darwin.go @@ -46,12 +46,12 @@ func findProcessName(network string, ip netip.Addr, port int) (uint32, string, e isIPv4 := ip.Is4() - value, err := syscall.Sysctl(spath) + value, err := unix.SysctlRaw(spath) if err != nil { return 0, "", err } - buf := []byte(value) + buf := value itemSize := structSize if network == TCP { // rup8(sizeof(xtcpcb_n)) diff --git a/component/process/process_linux.go b/component/process/process_linux.go index 45c89e5a5a..3ce45ae816 100644 --- a/component/process/process_linux.go +++ b/component/process/process_linux.go @@ -2,23 +2,19 @@ package process import ( "bytes" - "context" "encoding/binary" "fmt" "net/netip" "os" + "path" "path/filepath" "runtime" "strings" - "sync" "syscall" "unicode" "unsafe" - "github.com/metacubex/mihomo/log" - "github.com/mdlayher/netlink" - tun "github.com/metacubex/sing-tun" "golang.org/x/sys/unix" ) @@ -63,25 +59,11 @@ type inetDiagResponse struct { INode uint32 } -type MyCallback struct{} - -var ( - packageManager tun.PackageManager - once sync.Once -) - -func (cb *MyCallback) OnPackagesUpdated(packageCount int, sharedCount int) {} - -func (cb *MyCallback) NewError(ctx context.Context, err error) { - log.Warnln("%s", err) -} - func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) { uid, inode, err := resolveSocketByNetlink(network, ip, srcPort) if err != nil { return 0, "", err } - pp, err := resolveProcessNameByProcSearch(inode, uid) return uid, pp, err } @@ -177,44 +159,38 @@ func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) { if err != nil { continue } + if runtime.GOOS == "android" { if bytes.Equal(buffer[:n], socket) { - return findPackageName(uid), nil + cmdline, err := os.ReadFile(path.Join(processPath, "cmdline")) + if err != nil { + return "", err + } + + return splitCmdline(cmdline), nil } } else { if bytes.Equal(buffer[:n], socket) { return os.Readlink(filepath.Join(processPath, "exe")) } } - } } return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode) } -func findPackageName(uid uint32) string { - once.Do(func() { - callback := &MyCallback{} - var err error - packageManager, err = tun.NewPackageManager(callback) - if err != nil { - log.Warnln("%s", err) - } - err = packageManager.Start() - if err != nil { - log.Warnln("%s", err) - return - } +func splitCmdline(cmdline []byte) string { + cmdline = bytes.Trim(cmdline, " ") + + idx := bytes.IndexFunc(cmdline, func(r rune) bool { + return unicode.IsControl(r) || unicode.IsSpace(r) }) - if sharedPackage, loaded := packageManager.SharedPackageByID(uid % 100000); loaded { - return sharedPackage - } - if packageName, loaded := packageManager.PackageByID(uid % 100000); loaded { - return packageName + if idx == -1 { + return filepath.Base(string(cmdline)) } - return "" + return filepath.Base(string(cmdline[:idx])) } func isPid(s string) bool { diff --git a/component/profile/cachefile/cache.go b/component/profile/cachefile/cache.go index 11068647ac..0591c92b73 100644 --- a/component/profile/cachefile/cache.go +++ b/component/profile/cachefile/cache.go @@ -1,6 +1,7 @@ package cachefile import ( + "math" "os" "sync" "time" @@ -9,7 +10,7 @@ import ( C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" - "github.com/sagernet/bbolt" + "github.com/metacubex/bbolt" ) var ( @@ -19,6 +20,7 @@ var ( bucketSelected = []byte("selected") bucketFakeip = []byte("fakeip") + bucketETag = []byte("etag") ) // CacheFile store and update the cache file @@ -143,6 +145,59 @@ func (c *CacheFile) FlushFakeIP() error { return err } +func (c *CacheFile) SetETagWithHash(url string, hash []byte, etag string) { + if c.DB == nil { + return + } + + lenHash := len(hash) + if lenHash > math.MaxUint8 { + return // maybe panic is better + } + + data := make([]byte, 1, 1+lenHash+len(etag)) + data[0] = uint8(lenHash) + data = append(data, hash...) + data = append(data, etag...) + + err := c.DB.Batch(func(t *bbolt.Tx) error { + bucket, err := t.CreateBucketIfNotExists(bucketETag) + if err != nil { + return err + } + + return bucket.Put([]byte(url), data) + }) + if err != nil { + log.Warnln("[CacheFile] write cache to %s failed: %s", c.DB.Path(), err.Error()) + return + } +} +func (c *CacheFile) GetETagWithHash(key string) (hash []byte, etag string) { + if c.DB == nil { + return + } + var value []byte + c.DB.View(func(t *bbolt.Tx) error { + if bucket := t.Bucket(bucketETag); bucket != nil { + if v := bucket.Get([]byte(key)); v != nil { + value = v + } + } + return nil + }) + if len(value) == 0 { + return + } + lenHash := int(value[0]) + if len(value) < 1+lenHash { + return + } + hash = value[1 : 1+lenHash] + etag = string(value[1+lenHash:]) + return +} + func (c *CacheFile) Close() error { return c.DB.Close() } diff --git a/component/resolver/resolver.go b/component/resolver/resolver.go index 07c68824c3..feb3f98fb5 100644 --- a/component/resolver/resolver.go +++ b/component/resolver/resolver.go @@ -46,6 +46,7 @@ type Resolver interface { LookupIPv6(ctx context.Context, host string) (ips []netip.Addr, err error) ExchangeContext(ctx context.Context, m *dns.Msg) (msg *dns.Msg, err error) Invalid() bool + ClearCache() } // LookupIPv4WithResolver same as LookupIPv4, but with a resolver diff --git a/component/resource/fetcher.go b/component/resource/fetcher.go index e62912937d..3e2ec23991 100644 --- a/component/resource/fetcher.go +++ b/component/resource/fetcher.go @@ -1,35 +1,31 @@ package resource import ( - "bytes" - "crypto/md5" + "context" "os" - "path/filepath" "time" types "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/log" + "github.com/sagernet/fswatch" "github.com/samber/lo" ) -var ( - fileMode os.FileMode = 0o666 - dirMode os.FileMode = 0o755 -) - type Parser[V any] func([]byte) (V, error) type Fetcher[V any] struct { + ctx context.Context + ctxCancel context.CancelFunc resourceType string name string vehicle types.Vehicle - UpdatedAt time.Time - done chan struct{} - hash [16]byte + updatedAt time.Time + hash types.HashType parser Parser[V] interval time.Duration - OnUpdate func(V) + onUpdate func(V) + watcher *fswatch.Watcher } func (f *Fetcher[V]) Name() string { @@ -44,93 +40,69 @@ func (f *Fetcher[V]) VehicleType() types.VehicleType { return f.vehicle.Type() } +func (f *Fetcher[V]) UpdatedAt() time.Time { + return f.updatedAt +} + func (f *Fetcher[V]) Initial() (V, error) { var ( - buf []byte - err error - isLocal bool - forceUpdate bool + buf []byte + contents V + err error ) if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil { + // local file exists, use it first buf, err = os.ReadFile(f.vehicle.Path()) modTime := stat.ModTime() - f.UpdatedAt = modTime - isLocal = true - if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) { - log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name()) - forceUpdate = true - } - } else { - buf, err = f.vehicle.Read() - f.UpdatedAt = time.Now() - } + contents, _, err = f.loadBuf(buf, types.MakeHash(buf), false) + f.updatedAt = modTime // reset updatedAt to file's modTime - if err != nil { - return lo.Empty[V](), err - } - - var contents V - if forceUpdate { - var forceBuf []byte - if forceBuf, err = f.vehicle.Read(); err == nil { - if contents, err = f.parser(forceBuf); err == nil { - isLocal = false - buf = forceBuf + if err == nil { + err = f.startPullLoop(time.Since(modTime) > f.interval) + if err != nil { + return lo.Empty[V](), err } + return contents, nil } } - if err != nil || !forceUpdate { - contents, err = f.parser(buf) - } + // parse local file error, fallback to remote + contents, _, err = f.Update() if err != nil { - if !isLocal { - return lo.Empty[V](), err - } - - // parse local file error, fallback to remote - buf, err = f.vehicle.Read() - if err != nil { - return lo.Empty[V](), err - } - - contents, err = f.parser(buf) - if err != nil { - return lo.Empty[V](), err - } - - isLocal = false - } - - if f.vehicle.Type() != types.File && !isLocal { - if err := safeWrite(f.vehicle.Path(), buf); err != nil { - return lo.Empty[V](), err - } + return lo.Empty[V](), err } - - f.hash = md5.Sum(buf) - - // pull contents automatically - if f.interval > 0 { - go f.pullLoop() + err = f.startPullLoop(false) + if err != nil { + return lo.Empty[V](), err } - return contents, nil } func (f *Fetcher[V]) Update() (V, bool, error) { - buf, err := f.vehicle.Read() + buf, hash, err := f.vehicle.Read(f.ctx, f.hash) if err != nil { return lo.Empty[V](), false, err } + return f.loadBuf(buf, hash, f.vehicle.Type() != types.File) +} +func (f *Fetcher[V]) SideUpdate(buf []byte) (V, bool, error) { + return f.loadBuf(buf, types.MakeHash(buf), true) +} + +func (f *Fetcher[V]) loadBuf(buf []byte, hash types.HashType, updateFile bool) (V, bool, error) { now := time.Now() - hash := md5.Sum(buf) - if bytes.Equal(f.hash[:], hash[:]) { - f.UpdatedAt = now - _ = os.Chtimes(f.vehicle.Path(), now, now) + if f.hash.Equal(hash) { + if updateFile { + _ = os.Chtimes(f.vehicle.Path(), now, now) + } + f.updatedAt = now + return lo.Empty[V](), true, nil + } + + if buf == nil { // f.hash has been changed between f.vehicle.Read but should not happen (cause by concurrent) return lo.Empty[V](), true, nil } @@ -139,78 +111,103 @@ func (f *Fetcher[V]) Update() (V, bool, error) { return lo.Empty[V](), false, err } - if f.vehicle.Type() != types.File { - if err := safeWrite(f.vehicle.Path(), buf); err != nil { + if updateFile { + if err = f.vehicle.Write(buf); err != nil { return lo.Empty[V](), false, err } } - - f.UpdatedAt = now + f.updatedAt = now f.hash = hash + if f.onUpdate != nil { + f.onUpdate(contents) + } + return contents, false, nil } -func (f *Fetcher[V]) Destroy() error { - if f.interval > 0 { - f.done <- struct{}{} +func (f *Fetcher[V]) Close() error { + f.ctxCancel() + if f.watcher != nil { + _ = f.watcher.Close() } return nil } -func (f *Fetcher[V]) pullLoop() { - initialInterval := f.interval - time.Since(f.UpdatedAt) +func (f *Fetcher[V]) pullLoop(forceUpdate bool) { + initialInterval := f.interval - time.Since(f.updatedAt) if initialInterval > f.interval { initialInterval = f.interval } + if forceUpdate { + log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name()) + f.updateWithLog() + } + timer := time.NewTimer(initialInterval) defer timer.Stop() for { select { case <-timer.C: timer.Reset(f.interval) - elm, same, err := f.Update() - if err != nil { - log.Errorln("[Provider] %s pull error: %s", f.Name(), err.Error()) - continue - } - - if same { - log.Debugln("[Provider] %s's content doesn't change", f.Name()) - continue - } - - log.Infoln("[Provider] %s's content update", f.Name()) - if f.OnUpdate != nil { - f.OnUpdate(elm) - } - case <-f.done: + f.updateWithLog() + case <-f.ctx.Done(): return } } } -func safeWrite(path string, buf []byte) error { - dir := filepath.Dir(path) - - if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, dirMode); err != nil { +func (f *Fetcher[V]) startPullLoop(forceUpdate bool) (err error) { + // pull contents automatically + if f.vehicle.Type() == types.File { + f.watcher, err = fswatch.NewWatcher(fswatch.Options{ + Path: []string{f.vehicle.Path()}, + Direct: true, + Callback: f.updateCallback, + }) + if err != nil { return err } + err = f.watcher.Start() + if err != nil { + return err + } + } else if f.interval > 0 { + go f.pullLoop(forceUpdate) + } + return +} + +func (f *Fetcher[V]) updateCallback(path string) { + f.updateWithLog() +} + +func (f *Fetcher[V]) updateWithLog() { + _, same, err := f.Update() + if err != nil { + log.Errorln("[Provider] %s pull error: %s", f.Name(), err.Error()) + return + } + + if same { + log.Debugln("[Provider] %s's content doesn't change", f.Name()) + return } - return os.WriteFile(path, buf, fileMode) + log.Infoln("[Provider] %s's content update", f.Name()) + return } func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser Parser[V], onUpdate func(V)) *Fetcher[V] { - + ctx, cancel := context.WithCancel(context.Background()) return &Fetcher[V]{ - name: name, - vehicle: vehicle, - parser: parser, - done: make(chan struct{}, 8), - OnUpdate: onUpdate, - interval: interval, + ctx: ctx, + ctxCancel: cancel, + name: name, + vehicle: vehicle, + parser: parser, + onUpdate: onUpdate, + interval: interval, } } diff --git a/component/resource/vehicle.go b/component/resource/vehicle.go index b13369d22e..f30e22d0a7 100644 --- a/component/resource/vehicle.go +++ b/component/resource/vehicle.go @@ -6,12 +6,45 @@ import ( "io" "net/http" "os" + "path/filepath" "time" mihomoHttp "github.com/metacubex/mihomo/component/http" + "github.com/metacubex/mihomo/component/profile/cachefile" types "github.com/metacubex/mihomo/constant/provider" ) +const ( + DefaultHttpTimeout = time.Second * 20 + + fileMode os.FileMode = 0o666 + dirMode os.FileMode = 0o755 +) + +var ( + etag = false +) + +func ETag() bool { + return etag +} + +func SetETag(b bool) { + etag = b +} + +func safeWrite(path string, buf []byte) error { + dir := filepath.Dir(path) + + if _, err := os.Stat(dir); os.IsNotExist(err) { + if err := os.MkdirAll(dir, dirMode); err != nil { + return err + } + } + + return os.WriteFile(path, buf, fileMode) +} + type FileVehicle struct { path string } @@ -24,23 +57,37 @@ func (f *FileVehicle) Path() string { return f.path } -func (f *FileVehicle) Read() ([]byte, error) { - return os.ReadFile(f.path) +func (f *FileVehicle) Url() string { + return "file://" + f.path +} + +func (f *FileVehicle) Read(ctx context.Context, oldHash types.HashType) (buf []byte, hash types.HashType, err error) { + buf, err = os.ReadFile(f.path) + if err != nil { + return + } + hash = types.MakeHash(buf) + return } func (f *FileVehicle) Proxy() string { return "" } +func (f *FileVehicle) Write(buf []byte) error { + return safeWrite(f.path, buf) +} + func NewFileVehicle(path string) *FileVehicle { return &FileVehicle{path: path} } type HTTPVehicle struct { - url string - path string - proxy string - header http.Header + url string + path string + proxy string + header http.Header + timeout time.Duration } func (h *HTTPVehicle) Url() string { @@ -59,24 +106,56 @@ func (h *HTTPVehicle) Proxy() string { return h.proxy } -func (h *HTTPVehicle) Read() ([]byte, error) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*20) +func (h *HTTPVehicle) Write(buf []byte) error { + return safeWrite(h.path, buf) +} + +func (h *HTTPVehicle) Read(ctx context.Context, oldHash types.HashType) (buf []byte, hash types.HashType, err error) { + ctx, cancel := context.WithTimeout(ctx, h.timeout) defer cancel() - resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, h.header, nil, h.proxy) + header := h.header + setIfNoneMatch := false + if etag && oldHash.IsValid() { + hashBytes, etag := cachefile.Cache().GetETagWithHash(h.url) + if oldHash.EqualBytes(hashBytes) && etag != "" { + if header == nil { + header = http.Header{} + } else { + header = header.Clone() + } + header.Set("If-None-Match", etag) + setIfNoneMatch = true + } + } + resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, header, nil, h.proxy) if err != nil { - return nil, err + return } defer resp.Body.Close() if resp.StatusCode < 200 || resp.StatusCode > 299 { - return nil, errors.New(resp.Status) + if setIfNoneMatch && resp.StatusCode == http.StatusNotModified { + return nil, oldHash, nil + } + err = errors.New(resp.Status) + return } - buf, err := io.ReadAll(resp.Body) + buf, err = io.ReadAll(resp.Body) if err != nil { - return nil, err + return + } + hash = types.MakeHash(buf) + if etag { + cachefile.Cache().SetETagWithHash(h.url, hash.Bytes(), resp.Header.Get("ETag")) } - return buf, nil + return } -func NewHTTPVehicle(url string, path string, proxy string, header http.Header) *HTTPVehicle { - return &HTTPVehicle{url, path, proxy, header} +func NewHTTPVehicle(url string, path string, proxy string, header http.Header, timeout time.Duration) *HTTPVehicle { + return &HTTPVehicle{ + url: url, + path: path, + proxy: proxy, + header: header, + timeout: timeout, + } } diff --git a/component/sniffer/dispatcher.go b/component/sniffer/dispatcher.go index 97bf162969..4d13ddd065 100644 --- a/component/sniffer/dispatcher.go +++ b/component/sniffer/dispatcher.go @@ -2,15 +2,12 @@ package sniffer import ( "errors" - "fmt" "net" "net/netip" - "sync" "time" "github.com/metacubex/mihomo/common/lru" N "github.com/metacubex/mihomo/common/net" - "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/constant/sniffer" "github.com/metacubex/mihomo/log" @@ -22,29 +19,46 @@ var ( ErrNoClue = errors.New("not enough information for making a decision") ) -var Dispatcher *SnifferDispatcher - -type SnifferDispatcher struct { +type Dispatcher struct { enable bool sniffers map[sniffer.Sniffer]SnifferConfig - forceDomain *trie.DomainSet - skipSNI *trie.DomainSet - skipList *lru.LruCache[string, uint8] - rwMux sync.RWMutex + forceDomain []C.DomainMatcher + skipSrcAddress []C.IpMatcher + skipDstAddress []C.IpMatcher + skipDomain []C.DomainMatcher + skipList *lru.LruCache[netip.AddrPort, uint8] forceDnsMapping bool parsePureIp bool } -func (sd *SnifferDispatcher) shouldOverride(metadata *C.Metadata) bool { - return (metadata.Host == "" && sd.parsePureIp) || - sd.forceDomain.Has(metadata.Host) || - (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) +func (sd *Dispatcher) shouldOverride(metadata *C.Metadata) bool { + for _, matcher := range sd.skipDstAddress { + if matcher.MatchIp(metadata.DstIP) { + return false + } + } + for _, matcher := range sd.skipSrcAddress { + if matcher.MatchIp(metadata.SrcIP) { + return false + } + } + if metadata.Host == "" && sd.parsePureIp { + return true + } + if metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping { + return true + } + for _, matcher := range sd.forceDomain { + if matcher.MatchDomain(metadata.Host) { + return true + } + } + return false } -func (sd *SnifferDispatcher) UDPSniff(packet C.PacketAdapter) bool { +func (sd *Dispatcher) UDPSniff(packet C.PacketAdapter) bool { metadata := packet.Metadata() - - if sd.shouldOverride(packet.Metadata()) { + if sd.shouldOverride(metadata) { for sniffer, config := range sd.sniffers { if sniffer.SupportNetwork() == C.UDP || sniffer.SupportNetwork() == C.ALLNet { inWhitelist := sniffer.SupportPort(metadata.DstPort) @@ -67,7 +81,7 @@ func (sd *SnifferDispatcher) UDPSniff(packet C.PacketAdapter) bool { } // TCPSniff returns true if the connection is sniffed to have a domain -func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool { +func (sd *Dispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool { if sd.shouldOverride(metadata) { inWhitelist := false overrideDest := false @@ -85,37 +99,35 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata return false } - sd.rwMux.RLock() - dst := fmt.Sprintf("%s:%d", metadata.DstIP, metadata.DstPort) + dst := metadata.AddrPort() if count, ok := sd.skipList.Get(dst); ok && count > 5 { log.Debugln("[Sniffer] Skip sniffing[%s] due to multiple failures", dst) - defer sd.rwMux.RUnlock() return false } - sd.rwMux.RUnlock() - if host, err := sd.sniffDomain(conn, metadata); err != nil { + host, err := sd.sniffDomain(conn, metadata) + if err != nil { sd.cacheSniffFailed(metadata) log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%d] to [%s:%d]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort) return false - } else { - if sd.skipSNI.Has(host) { + } + + for _, matcher := range sd.skipDomain { + if matcher.MatchDomain(host) { log.Debugln("[Sniffer] Skip sni[%s]", host) return false } + } - sd.rwMux.RLock() - sd.skipList.Delete(dst) - sd.rwMux.RUnlock() + sd.skipList.Delete(dst) - sd.replaceDomain(metadata, host, overrideDest) - return true - } + sd.replaceDomain(metadata, host, overrideDest) + return true } return false } -func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) { +func (sd *Dispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) { metadata.SniffHost = host if overrideDest { log.Debugln("[Sniffer] Sniff %s [%s]-->[%s] success, replace domain [%s]-->[%s]", @@ -128,11 +140,11 @@ func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, ov metadata.DNSMode = C.DNSNormal } -func (sd *SnifferDispatcher) Enable() bool { - return sd.enable +func (sd *Dispatcher) Enable() bool { + return sd != nil && sd.enable } -func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metadata) (string, error) { +func (sd *Dispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metadata) (string, error) { for s := range sd.sniffers { if s.SupportNetwork() == C.TCP { _ = conn.SetReadDeadline(time.Now().Add(1 * time.Second)) @@ -175,43 +187,45 @@ func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metad return "", ErrorSniffFailed } -func (sd *SnifferDispatcher) cacheSniffFailed(metadata *C.Metadata) { - sd.rwMux.Lock() - dst := fmt.Sprintf("%s:%d", metadata.DstIP, metadata.DstPort) - count, _ := sd.skipList.Get(dst) - if count <= 5 { - count++ - } - sd.skipList.Set(dst, count) - sd.rwMux.Unlock() +func (sd *Dispatcher) cacheSniffFailed(metadata *C.Metadata) { + dst := metadata.AddrPort() + sd.skipList.Compute(dst, func(oldValue uint8, loaded bool) (newValue uint8, delete bool) { + if oldValue <= 5 { + oldValue++ + } + return oldValue, false + }) } -func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) { - dispatcher := SnifferDispatcher{ - enable: false, - } - - return &dispatcher, nil +type Config struct { + Enable bool + Sniffers map[sniffer.Type]SnifferConfig + ForceDomain []C.DomainMatcher + SkipSrcAddress []C.IpMatcher + SkipDstAddress []C.IpMatcher + SkipDomain []C.DomainMatcher + ForceDnsMapping bool + ParsePureIp bool } -func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, - forceDomain *trie.DomainSet, skipSNI *trie.DomainSet, - forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) { - dispatcher := SnifferDispatcher{ - enable: true, - forceDomain: forceDomain, - skipSNI: skipSNI, - skipList: lru.New(lru.WithSize[string, uint8](128), lru.WithAge[string, uint8](600)), - forceDnsMapping: forceDnsMapping, - parsePureIp: parsePureIp, - sniffers: make(map[sniffer.Sniffer]SnifferConfig, 0), +func NewDispatcher(snifferConfig *Config) (*Dispatcher, error) { + dispatcher := Dispatcher{ + enable: snifferConfig.Enable, + forceDomain: snifferConfig.ForceDomain, + skipSrcAddress: snifferConfig.SkipSrcAddress, + skipDstAddress: snifferConfig.SkipDstAddress, + skipDomain: snifferConfig.SkipDomain, + skipList: lru.New(lru.WithSize[netip.AddrPort, uint8](128), lru.WithAge[netip.AddrPort, uint8](600)), + forceDnsMapping: snifferConfig.ForceDnsMapping, + parsePureIp: snifferConfig.ParsePureIp, + sniffers: make(map[sniffer.Sniffer]SnifferConfig, len(snifferConfig.Sniffers)), } - for snifferName, config := range snifferConfig { + for snifferName, config := range snifferConfig.Sniffers { s, err := NewSniffer(snifferName, config) if err != nil { log.Errorln("Sniffer name[%s] is error", snifferName) - return &SnifferDispatcher{enable: false}, err + return &Dispatcher{enable: false}, err } dispatcher.sniffers[s] = config } diff --git a/component/trie/domain.go b/component/trie/domain.go index 3decbb0255..574a59caa7 100644 --- a/component/trie/domain.go +++ b/component/trie/domain.go @@ -3,6 +3,8 @@ package trie import ( "errors" "strings" + "unicode" + "unicode/utf8" ) const ( @@ -25,6 +27,14 @@ func ValidAndSplitDomain(domain string) ([]string, bool) { if domain != "" && domain[len(domain)-1] == '.' { return nil, false } + if domain != "" { + if r, _ := utf8.DecodeRuneInString(domain); unicode.IsSpace(r) { + return nil, false + } + if r, _ := utf8.DecodeLastRuneInString(domain); unicode.IsSpace(r) { + return nil, false + } + } domain = strings.ToLower(domain) parts := strings.Split(domain, domainStep) if len(parts) == 1 { @@ -123,27 +133,41 @@ func (t *DomainTrie[T]) Optimize() { t.root.optimize() } -func (t *DomainTrie[T]) Foreach(print func(domain string, data T)) { +func (t *DomainTrie[T]) Foreach(fn func(domain string, data T) bool) { for key, data := range t.root.getChildren() { - recursion([]string{key}, data, print) - if data != nil && data.inited { - print(joinDomain([]string{key}), data.data) + recursion([]string{key}, data, fn) + if !data.isEmpty() { + if !fn(joinDomain([]string{key}), data.data) { + return + } } } } -func recursion[T any](items []string, node *Node[T], fn func(domain string, data T)) { +func (t *DomainTrie[T]) IsEmpty() bool { + if t == nil || t.root == nil { + return true + } + return len(t.root.getChildren()) == 0 +} + +func recursion[T any](items []string, node *Node[T], fn func(domain string, data T) bool) bool { for key, data := range node.getChildren() { newItems := append([]string{key}, items...) - if data != nil && data.inited { + if !data.isEmpty() { domain := joinDomain(newItems) if domain[0] == domainStepByte { domain = complexWildcard + domain } - fn(domain, data.Data()) + if !fn(domain, data.Data()) { + return false + } + } + if !recursion(newItems, data, fn) { + return false } - recursion(newItems, data, fn) } + return true } func joinDomain(items []string) string { diff --git a/component/trie/domain_set.go b/component/trie/domain_set.go index 860d1235d5..3fd8041fb8 100644 --- a/component/trie/domain_set.go +++ b/component/trie/domain_set.go @@ -28,8 +28,9 @@ type qElt struct{ s, e, col int } // NewDomainSet creates a new *DomainSet struct, from a DomainTrie. func (t *DomainTrie[T]) NewDomainSet() *DomainSet { reserveDomains := make([]string, 0) - t.Foreach(func(domain string, data T) { + t.Foreach(func(domain string, data T) bool { reserveDomains = append(reserveDomains, utils.Reverse(domain)) + return true }) // ensure that the same prefix is continuous // and according to the ascending sequence of length @@ -136,6 +137,46 @@ func (ss *DomainSet) Has(key string) bool { } +func (ss *DomainSet) keys(f func(key string) bool) { + var currentKey []byte + var traverse func(int, int) bool + traverse = func(nodeId, bmIdx int) bool { + if getBit(ss.leaves, nodeId) != 0 { + if !f(string(currentKey)) { + return false + } + } + + for ; ; bmIdx++ { + if getBit(ss.labelBitmap, bmIdx) != 0 { + return true + } + nextLabel := ss.labels[bmIdx-nodeId] + currentKey = append(currentKey, nextLabel) + nextNodeId := countZeros(ss.labelBitmap, ss.ranks, bmIdx+1) + nextBmIdx := selectIthOne(ss.labelBitmap, ss.ranks, ss.selects, nextNodeId-1) + 1 + if !traverse(nextNodeId, nextBmIdx) { + return false + } + currentKey = currentKey[:len(currentKey)-1] + } + } + + traverse(0, 0) + return +} + +func (ss *DomainSet) Foreach(f func(key string) bool) { + ss.keys(func(key string) bool { + return f(utils.Reverse(key)) + }) +} + +// MatchDomain implements C.DomainMatcher +func (ss *DomainSet) MatchDomain(domain string) bool { + return ss.Has(domain) +} + func setBit(bm *[]uint64, i int, v int) { for i>>6 >= len(*bm) { *bm = append(*bm, 0) diff --git a/component/trie/domain_set_bin.go b/component/trie/domain_set_bin.go new file mode 100644 index 0000000000..27d15802e0 --- /dev/null +++ b/component/trie/domain_set_bin.go @@ -0,0 +1,115 @@ +package trie + +import ( + "encoding/binary" + "errors" + "io" +) + +func (ss *DomainSet) WriteBin(w io.Writer) (err error) { + // version + _, err = w.Write([]byte{1}) + if err != nil { + return err + } + + // leaves + err = binary.Write(w, binary.BigEndian, int64(len(ss.leaves))) + if err != nil { + return err + } + for _, d := range ss.leaves { + err = binary.Write(w, binary.BigEndian, d) + if err != nil { + return err + } + } + + // labelBitmap + err = binary.Write(w, binary.BigEndian, int64(len(ss.labelBitmap))) + if err != nil { + return err + } + for _, d := range ss.labelBitmap { + err = binary.Write(w, binary.BigEndian, d) + if err != nil { + return err + } + } + + // labels + err = binary.Write(w, binary.BigEndian, int64(len(ss.labels))) + if err != nil { + return err + } + _, err = w.Write(ss.labels) + if err != nil { + return err + } + + return nil +} + +func ReadDomainSetBin(r io.Reader) (ds *DomainSet, err error) { + // version + version := make([]byte, 1) + _, err = io.ReadFull(r, version) + if err != nil { + return nil, err + } + if version[0] != 1 { + return nil, errors.New("version is invalid") + } + + ds = &DomainSet{} + var length int64 + + // leaves + err = binary.Read(r, binary.BigEndian, &length) + if err != nil { + return nil, err + } + if length < 1 { + return nil, errors.New("length is invalid") + } + ds.leaves = make([]uint64, length) + for i := int64(0); i < length; i++ { + err = binary.Read(r, binary.BigEndian, &ds.leaves[i]) + if err != nil { + return nil, err + } + } + + // labelBitmap + err = binary.Read(r, binary.BigEndian, &length) + if err != nil { + return nil, err + } + if length < 1 { + return nil, errors.New("length is invalid") + } + ds.labelBitmap = make([]uint64, length) + for i := int64(0); i < length; i++ { + err = binary.Read(r, binary.BigEndian, &ds.labelBitmap[i]) + if err != nil { + return nil, err + } + } + + // labels + err = binary.Read(r, binary.BigEndian, &length) + if err != nil { + return nil, err + } + if length < 1 { + return nil, errors.New("length is invalid") + } + ds.labels = make([]byte, length) + _, err = io.ReadFull(r, ds.labels) + if err != nil { + return nil, err + } + + ds.init() + return ds, nil +} diff --git a/component/trie/domain_set_test.go b/component/trie/domain_set_test.go index 77106d5ffc..38ba1622a3 100644 --- a/component/trie/domain_set_test.go +++ b/component/trie/domain_set_test.go @@ -1,12 +1,29 @@ package trie_test import ( + "golang.org/x/exp/slices" "testing" "github.com/metacubex/mihomo/component/trie" "github.com/stretchr/testify/assert" ) +func testDump(t *testing.T, tree *trie.DomainTrie[struct{}], set *trie.DomainSet) { + var dataSrc []string + tree.Foreach(func(domain string, data struct{}) bool { + dataSrc = append(dataSrc, domain) + return true + }) + slices.Sort(dataSrc) + var dataSet []string + set.Foreach(func(key string) bool { + dataSet = append(dataSet, key) + return true + }) + slices.Sort(dataSet) + assert.Equal(t, dataSrc, dataSet) +} + func TestDomainSet(t *testing.T) { tree := trie.New[struct{}]() domainSet := []string{ @@ -23,6 +40,7 @@ func TestDomainSet(t *testing.T) { for _, domain := range domainSet { assert.NoError(t, tree.Insert(domain, struct{}{})) } + assert.False(t, tree.IsEmpty()) set := tree.NewDomainSet() assert.NotNil(t, set) assert.True(t, set.Has("test.cn")) @@ -33,6 +51,7 @@ func TestDomainSet(t *testing.T) { assert.True(t, set.Has("google.com")) assert.False(t, set.Has("qq.com")) assert.False(t, set.Has("www.baidu.com")) + testDump(t, tree, set) } func TestDomainSetComplexWildcard(t *testing.T) { @@ -50,11 +69,13 @@ func TestDomainSetComplexWildcard(t *testing.T) { for _, domain := range domainSet { assert.NoError(t, tree.Insert(domain, struct{}{})) } + assert.False(t, tree.IsEmpty()) set := tree.NewDomainSet() assert.NotNil(t, set) assert.False(t, set.Has("google.com")) assert.True(t, set.Has("www.baidu.com")) assert.True(t, set.Has("test.test.baidu.com")) + testDump(t, tree, set) } func TestDomainSetWildcard(t *testing.T) { @@ -71,6 +92,7 @@ func TestDomainSetWildcard(t *testing.T) { for _, domain := range domainSet { assert.NoError(t, tree.Insert(domain, struct{}{})) } + assert.False(t, tree.IsEmpty()) set := tree.NewDomainSet() assert.NotNil(t, set) assert.True(t, set.Has("www.baidu.com")) @@ -82,4 +104,5 @@ func TestDomainSetWildcard(t *testing.T) { assert.False(t, set.Has("a.www.google.com")) assert.False(t, set.Has("test.qq.com")) assert.False(t, set.Has("test.test.test.qq.com")) + testDump(t, tree, set) } diff --git a/component/trie/domain_test.go b/component/trie/domain_test.go index 4c5d8002d8..6aab72d3a7 100644 --- a/component/trie/domain_test.go +++ b/component/trie/domain_test.go @@ -121,8 +121,20 @@ func TestTrie_Foreach(t *testing.T) { assert.NoError(t, tree.Insert(domain, localIP)) } count := 0 - tree.Foreach(func(domain string, data netip.Addr) { + tree.Foreach(func(domain string, data netip.Addr) bool { count++ + return true }) assert.Equal(t, 7, count) } + +func TestTrie_Space(t *testing.T) { + validDomain := func(domain string) bool { + _, ok := trie.ValidAndSplitDomain(domain) + return ok + } + assert.True(t, validDomain("google.com")) + assert.False(t, validDomain(" google.com")) + assert.False(t, validDomain(" google.com ")) + assert.True(t, validDomain("Mijia Cloud")) +} diff --git a/component/updater/update_core.go b/component/updater/update_core.go index 0070fbb110..2aab7833ea 100644 --- a/component/updater/update_core.go +++ b/component/updater/update_core.go @@ -230,14 +230,14 @@ func clean() { // MaxPackageFileSize is a maximum package file length in bytes. The largest // package whose size is limited by this constant currently has the size of -// approximately 9 MiB. +// approximately 32 MiB. const MaxPackageFileSize = 32 * 1024 * 1024 // Download package file and save it to disk func downloadPackageFile() (err error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) + resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil) if err != nil { return fmt.Errorf("http request failed: %w", err) } @@ -418,7 +418,7 @@ func copyFile(src, dst string) error { func getLatestVersion() (version string, err error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) + resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil) if err != nil { return "", fmt.Errorf("get Latest Version fail: %w", err) } diff --git a/component/updater/update_geo.go b/component/updater/update_geo.go index b07cd31587..454cd84de0 100644 --- a/component/updater/update_geo.go +++ b/component/updater/update_geo.go @@ -1,6 +1,7 @@ package updater import ( + "context" "errors" "fmt" "os" @@ -8,92 +9,199 @@ import ( "time" "github.com/metacubex/mihomo/common/atomic" + "github.com/metacubex/mihomo/common/batch" "github.com/metacubex/mihomo/component/geodata" _ "github.com/metacubex/mihomo/component/geodata/standard" "github.com/metacubex/mihomo/component/mmdb" + "github.com/metacubex/mihomo/component/resource" C "github.com/metacubex/mihomo/constant" + P "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/log" "github.com/oschwald/maxminddb-golang" ) var ( - UpdatingGeo atomic.Bool + autoUpdate bool + updateInterval int + + updatingGeo atomic.Bool ) -func updateGeoDatabases() error { - defer runtime.GC() - geoLoader, err := geodata.GetGeoDataLoader("standard") +func GeoAutoUpdate() bool { + return autoUpdate +} + +func GeoUpdateInterval() int { + return updateInterval +} + +func SetGeoAutoUpdate(newAutoUpdate bool) { + autoUpdate = newAutoUpdate +} + +func SetGeoUpdateInterval(newGeoUpdateInterval int) { + updateInterval = newGeoUpdateInterval +} + +func UpdateMMDB() (err error) { + vehicle := resource.NewHTTPVehicle(geodata.MmdbUrl(), C.Path.MMDB(), "", nil, defaultHttpTimeout) + var oldHash P.HashType + if buf, err := os.ReadFile(vehicle.Path()); err == nil { + oldHash = P.MakeHash(buf) + } + data, hash, err := vehicle.Read(context.Background(), oldHash) if err != nil { - return err + return fmt.Errorf("can't download MMDB database file: %w", err) + } + if oldHash.Equal(hash) { // same hash, ignored + return nil + } + if len(data) == 0 { + return fmt.Errorf("can't download MMDB database file: no data") } - if C.GeodataMode { - data, err := downloadForBytes(C.GeoIpUrl) - if err != nil { - return fmt.Errorf("can't download GeoIP database file: %w", err) - } - - if _, err = geoLoader.LoadIPByBytes(data, "cn"); err != nil { - return fmt.Errorf("invalid GeoIP database file: %s", err) - } + instance, err := maxminddb.FromBytes(data) + if err != nil { + return fmt.Errorf("invalid MMDB database file: %s", err) + } + _ = instance.Close() - if err = saveFile(data, C.Path.GeoIP()); err != nil { - return fmt.Errorf("can't save GeoIP database file: %w", err) - } + defer mmdb.ReloadIP() + mmdb.IPInstance().Reader.Close() // mmdb is loaded with mmap, so it needs to be closed before overwriting the file + if err = vehicle.Write(data); err != nil { + return fmt.Errorf("can't save MMDB database file: %w", err) + } + return nil +} - } else { - defer mmdb.ReloadIP() - data, err := downloadForBytes(C.MmdbUrl) - if err != nil { - return fmt.Errorf("can't download MMDB database file: %w", err) - } +func UpdateASN() (err error) { + vehicle := resource.NewHTTPVehicle(geodata.ASNUrl(), C.Path.ASN(), "", nil, defaultHttpTimeout) + var oldHash P.HashType + if buf, err := os.ReadFile(vehicle.Path()); err == nil { + oldHash = P.MakeHash(buf) + } + data, hash, err := vehicle.Read(context.Background(), oldHash) + if err != nil { + return fmt.Errorf("can't download ASN database file: %w", err) + } + if oldHash.Equal(hash) { // same hash, ignored + return nil + } + if len(data) == 0 { + return fmt.Errorf("can't download ASN database file: no data") + } - instance, err := maxminddb.FromBytes(data) - if err != nil { - return fmt.Errorf("invalid MMDB database file: %s", err) - } - _ = instance.Close() + instance, err := maxminddb.FromBytes(data) + if err != nil { + return fmt.Errorf("invalid ASN database file: %s", err) + } + _ = instance.Close() - mmdb.IPInstance().Reader.Close() // mmdb is loaded with mmap, so it needs to be closed before overwriting the file - if err = saveFile(data, C.Path.MMDB()); err != nil { - return fmt.Errorf("can't save MMDB database file: %w", err) - } + defer mmdb.ReloadASN() + mmdb.ASNInstance().Reader.Close() // mmdb is loaded with mmap, so it needs to be closed before overwriting the file + if err = vehicle.Write(data); err != nil { + return fmt.Errorf("can't save ASN database file: %w", err) } + return nil +} - if C.ASNEnable { - defer mmdb.ReloadASN() - data, err := downloadForBytes(C.ASNUrl) - if err != nil { - return fmt.Errorf("can't download ASN database file: %w", err) - } +func UpdateGeoIp() (err error) { + geoLoader, err := geodata.GetGeoDataLoader("standard") - instance, err := maxminddb.FromBytes(data) - if err != nil { - return fmt.Errorf("invalid ASN database file: %s", err) - } - _ = instance.Close() + vehicle := resource.NewHTTPVehicle(geodata.GeoIpUrl(), C.Path.GeoIP(), "", nil, defaultHttpTimeout) + var oldHash P.HashType + if buf, err := os.ReadFile(vehicle.Path()); err == nil { + oldHash = P.MakeHash(buf) + } + data, hash, err := vehicle.Read(context.Background(), oldHash) + if err != nil { + return fmt.Errorf("can't download GeoIP database file: %w", err) + } + if oldHash.Equal(hash) { // same hash, ignored + return nil + } + if len(data) == 0 { + return fmt.Errorf("can't download GeoIP database file: no data") + } - mmdb.ASNInstance().Reader.Close() - if err = saveFile(data, C.Path.ASN()); err != nil { - return fmt.Errorf("can't save ASN database file: %w", err) - } + if _, err = geoLoader.LoadIPByBytes(data, "cn"); err != nil { + return fmt.Errorf("invalid GeoIP database file: %s", err) } - data, err := downloadForBytes(C.GeoSiteUrl) + defer geodata.ClearGeoIPCache() + if err = vehicle.Write(data); err != nil { + return fmt.Errorf("can't save GeoIP database file: %w", err) + } + return nil +} + +func UpdateGeoSite() (err error) { + geoLoader, err := geodata.GetGeoDataLoader("standard") + + vehicle := resource.NewHTTPVehicle(geodata.GeoSiteUrl(), C.Path.GeoSite(), "", nil, defaultHttpTimeout) + var oldHash P.HashType + if buf, err := os.ReadFile(vehicle.Path()); err == nil { + oldHash = P.MakeHash(buf) + } + data, hash, err := vehicle.Read(context.Background(), oldHash) if err != nil { return fmt.Errorf("can't download GeoSite database file: %w", err) } + if oldHash.Equal(hash) { // same hash, ignored + return nil + } + if len(data) == 0 { + return fmt.Errorf("can't download GeoSite database file: no data") + } if _, err = geoLoader.LoadSiteByBytes(data, "cn"); err != nil { return fmt.Errorf("invalid GeoSite database file: %s", err) } - if err = saveFile(data, C.Path.GeoSite()); err != nil { + defer geodata.ClearGeoSiteCache() + if err = vehicle.Write(data); err != nil { return fmt.Errorf("can't save GeoSite database file: %w", err) } + return nil +} + +func updateGeoDatabases() error { + defer runtime.GC() + + b, _ := batch.New[interface{}](context.Background()) - geodata.ClearCache() + if geodata.GeoIpEnable() { + if geodata.GeodataMode() { + b.Go("UpdateGeoIp", func() (_ interface{}, err error) { + err = UpdateGeoIp() + return + }) + } else { + b.Go("UpdateMMDB", func() (_ interface{}, err error) { + err = UpdateMMDB() + return + }) + } + } + + if geodata.ASNEnable() { + b.Go("UpdateASN", func() (_ interface{}, err error) { + err = UpdateASN() + return + }) + } + + if geodata.GeoSiteEnable() { + b.Go("UpdateGeoSite", func() (_ interface{}, err error) { + err = UpdateGeoSite() + return + }) + } + + if e := b.Wait(); e != nil { + return e.Err + } return nil } @@ -103,12 +211,12 @@ var ErrGetDatabaseUpdateSkip = errors.New("GEO database is updating, skip") func UpdateGeoDatabases() error { log.Infoln("[GEO] Start updating GEO database") - if UpdatingGeo.Load() { + if updatingGeo.Load() { return ErrGetDatabaseUpdateSkip } - UpdatingGeo.Store(true) - defer UpdatingGeo.Store(false) + updatingGeo.Store(true) + defer updatingGeo.Store(false) log.Infoln("[GEO] Updating GEO database") @@ -122,7 +230,7 @@ func UpdateGeoDatabases() error { func getUpdateTime() (err error, time time.Time) { var fileInfo os.FileInfo - if C.GeodataMode { + if geodata.GeodataMode() { fileInfo, err = os.Stat(C.Path.GeoIP()) if err != nil { return err, time @@ -137,14 +245,14 @@ func getUpdateTime() (err error, time time.Time) { return nil, fileInfo.ModTime() } -func RegisterGeoUpdater(onSuccess func()) { - if C.GeoUpdateInterval <= 0 { - log.Errorln("[GEO] Invalid update interval: %d", C.GeoUpdateInterval) +func RegisterGeoUpdater() { + if updateInterval <= 0 { + log.Errorln("[GEO] Invalid update interval: %d", updateInterval) return } go func() { - ticker := time.NewTicker(time.Duration(C.GeoUpdateInterval) * time.Hour) + ticker := time.NewTicker(time.Duration(updateInterval) * time.Hour) defer ticker.Stop() err, lastUpdate := getUpdateTime() @@ -154,22 +262,18 @@ func RegisterGeoUpdater(onSuccess func()) { } log.Infoln("[GEO] last update time %s", lastUpdate) - if lastUpdate.Add(time.Duration(C.GeoUpdateInterval) * time.Hour).Before(time.Now()) { - log.Infoln("[GEO] Database has not been updated for %v, update now", time.Duration(C.GeoUpdateInterval)*time.Hour) + if lastUpdate.Add(time.Duration(updateInterval) * time.Hour).Before(time.Now()) { + log.Infoln("[GEO] Database has not been updated for %v, update now", time.Duration(updateInterval)*time.Hour) if err := UpdateGeoDatabases(); err != nil { log.Errorln("[GEO] Failed to update GEO database: %s", err.Error()) return - } else { - onSuccess() } } for range ticker.C { - log.Infoln("[GEO] updating database every %d hours", C.GeoUpdateInterval) + log.Infoln("[GEO] updating database every %d hours", updateInterval) if err := UpdateGeoDatabases(); err != nil { log.Errorln("[GEO] Failed to update GEO database: %s", err.Error()) - } else { - onSuccess() } } }() diff --git a/component/updater/update_ui.go b/component/updater/update_ui.go index 85452ba550..29081761a1 100644 --- a/component/updater/update_ui.go +++ b/component/updater/update_ui.go @@ -2,7 +2,6 @@ package updater import ( "archive/zip" - "errors" "fmt" "io" "os" @@ -12,26 +11,24 @@ import ( "sync" C "github.com/metacubex/mihomo/constant" + "github.com/metacubex/mihomo/log" ) var ( - ExternalUIURL string - ExternalUIPath string - ExternalUIFolder string - ExternalUIName string -) -var ( - ErrIncompleteConf = errors.New("ExternalUI configure incomplete") + ExternalUIURL string + ExternalUIPath string + AutoDownloadUI bool ) + var xdMutex sync.Mutex -func UpdateUI() error { +func DownloadUI() error { xdMutex.Lock() defer xdMutex.Unlock() - err := prepare_ui() + err := prepareUIPath() if err != nil { - return err + return fmt.Errorf("prepare UI path failed: %w", err) } data, err := downloadForBytes(ExternalUIURL) @@ -45,7 +42,7 @@ func UpdateUI() error { } defer os.Remove(saved) - err = cleanup(ExternalUIFolder) + err = cleanup(ExternalUIPath) if err != nil { if !os.IsNotExist(err) { return fmt.Errorf("cleanup exist file error: %w", err) @@ -57,29 +54,20 @@ func UpdateUI() error { return fmt.Errorf("can't extract zip file: %w", err) } - err = os.Rename(unzipFolder, ExternalUIFolder) + err = os.Rename(unzipFolder, ExternalUIPath) if err != nil { - return fmt.Errorf("can't rename folder: %w", err) + return fmt.Errorf("rename UI folder failed: %w", err) } return nil } -func prepare_ui() error { - if ExternalUIPath == "" || ExternalUIURL == "" { - return ErrIncompleteConf - } - - if ExternalUIName != "" { - ExternalUIFolder = filepath.Clean(path.Join(ExternalUIPath, ExternalUIName)) - if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) { - if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil { - return err - } +func prepareUIPath() error { + if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) { + log.Infoln("dir %s does not exist, creating", ExternalUIPath) + if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil { + log.Warnln("create dir %s error: %s", ExternalUIPath, err) } - } else { - ExternalUIFolder = ExternalUIPath } - return nil } diff --git a/component/updater/utils.go b/component/updater/utils.go index 0eecfc6cdc..b5c694ff44 100644 --- a/component/updater/utils.go +++ b/component/updater/utils.go @@ -9,15 +9,16 @@ import ( "time" mihomoHttp "github.com/metacubex/mihomo/component/http" - C "github.com/metacubex/mihomo/constant" "golang.org/x/exp/constraints" ) +const defaultHttpTimeout = time.Second * 90 + func downloadForBytes(url string) ([]byte, error) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) + ctx, cancel := context.WithTimeout(context.Background(), defaultHttpTimeout) defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil) + resp, err := mihomoHttp.HttpRequest(ctx, url, http.MethodGet, nil, nil) if err != nil { return nil, err } diff --git a/config/config.go b/config/config.go index 5676f7aae4..75616edcc2 100644 --- a/config/config.go +++ b/config/config.go @@ -7,9 +7,7 @@ import ( "net" "net/netip" "net/url" - "os" "path" - "regexp" "strings" "time" @@ -20,17 +18,18 @@ import ( N "github.com/metacubex/mihomo/common/net" "github.com/metacubex/mihomo/common/utils" "github.com/metacubex/mihomo/component/auth" + "github.com/metacubex/mihomo/component/cidr" "github.com/metacubex/mihomo/component/fakeip" "github.com/metacubex/mihomo/component/geodata" - "github.com/metacubex/mihomo/component/geodata/router" + mihomoHttp "github.com/metacubex/mihomo/component/http" P "github.com/metacubex/mihomo/component/process" "github.com/metacubex/mihomo/component/resolver" - SNIFF "github.com/metacubex/mihomo/component/sniffer" + "github.com/metacubex/mihomo/component/resource" + "github.com/metacubex/mihomo/component/sniffer" tlsC "github.com/metacubex/mihomo/component/tls" "github.com/metacubex/mihomo/component/trie" "github.com/metacubex/mihomo/component/updater" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" providerTypes "github.com/metacubex/mihomo/constant/provider" snifferTypes "github.com/metacubex/mihomo/constant/sniffer" "github.com/metacubex/mihomo/dns" @@ -38,23 +37,24 @@ import ( LC "github.com/metacubex/mihomo/listener/config" "github.com/metacubex/mihomo/log" R "github.com/metacubex/mihomo/rules" + RC "github.com/metacubex/mihomo/rules/common" RP "github.com/metacubex/mihomo/rules/provider" T "github.com/metacubex/mihomo/tunnel" orderedmap "github.com/wk8/go-ordered-map/v2" + "golang.org/x/exp/slices" "gopkg.in/yaml.v3" ) // General config type General struct { Inbound - Controller - Mode T.TunnelMode `json:"mode"` - UnifiedDelay bool + Mode T.TunnelMode `json:"mode"` + UnifiedDelay bool `json:"unified-delay"` LogLevel log.LogLevel `json:"log-level"` IPv6 bool `json:"ipv6"` Interface string `json:"interface-name"` - RoutingMark int `json:"-"` + RoutingMark int `json:"routing-mark"` GeoXUrl GeoXUrl `json:"geox-url"` GeoAutoUpdate bool `json:"geo-auto-update"` GeoUpdateInterval int `json:"geo-update-interval"` @@ -64,9 +64,9 @@ type General struct { TCPConcurrent bool `json:"tcp-concurrent"` FindProcessMode P.FindProcessMode `json:"find-process-mode"` Sniffing bool `json:"sniffing"` - EBpf EBpf `json:"-"` GlobalClientFingerprint string `json:"global-client-fingerprint"` GlobalUA string `json:"global-ua"` + ETagSupport bool `json:"etag-support"` } // Inbound config @@ -90,98 +90,92 @@ type Inbound struct { InboundMPTCP bool `json:"inbound-mptcp"` } +// GeoXUrl config +type GeoXUrl struct { + GeoIp string `json:"geo-ip"` + Mmdb string `json:"mmdb"` + ASN string `json:"asn"` + GeoSite string `json:"geo-site"` +} + // Controller config type Controller struct { - ExternalController string `json:"-"` - ExternalControllerTLS string `json:"-"` - ExternalControllerUnix string `json:"-"` - ExternalUI string `json:"-"` - Secret string `json:"-"` + ExternalController string + ExternalControllerTLS string + ExternalControllerUnix string + ExternalUI string + ExternalDohServer string + Secret string +} + +// Experimental config +type Experimental struct { + Fingerprints []string + QUICGoDisableGSO bool + QUICGoDisableECN bool + IP4PEnable bool +} + +// IPTables config +type IPTables struct { + Enable bool + InboundInterface string + Bypass []string + DnsRedirect bool } // NTP config type NTP struct { - Enable bool `yaml:"enable"` - Server string `yaml:"server"` - Port int `yaml:"port"` - Interval int `yaml:"interval"` - DialerProxy string `yaml:"dialer-proxy"` - WriteToSystem bool `yaml:"write-to-system"` + Enable bool + Server string + Port int + Interval int + DialerProxy string + WriteToSystem bool } // DNS config type DNS struct { - Enable bool `yaml:"enable"` - PreferH3 bool `yaml:"prefer-h3"` - IPv6 bool `yaml:"ipv6"` - IPv6Timeout uint `yaml:"ipv6-timeout"` - UseSystemHosts bool `yaml:"use-system-hosts"` - NameServer []dns.NameServer `yaml:"nameserver"` - Fallback []dns.NameServer `yaml:"fallback"` - FallbackFilter FallbackFilter `yaml:"fallback-filter"` - Listen string `yaml:"listen"` - EnhancedMode C.DNSMode `yaml:"enhanced-mode"` - DefaultNameserver []dns.NameServer `yaml:"default-nameserver"` - CacheAlgorithm string `yaml:"cache-algorithm"` + Enable bool + PreferH3 bool + IPv6 bool + IPv6Timeout uint + UseSystemHosts bool + NameServer []dns.NameServer + Fallback []dns.NameServer + FallbackIPFilter []C.IpMatcher + FallbackDomainFilter []C.DomainMatcher + Listen string + EnhancedMode C.DNSMode + DefaultNameserver []dns.NameServer + CacheAlgorithm string FakeIPRange *fakeip.Pool Hosts *trie.DomainTrie[resolver.HostValue] - NameServerPolicy *orderedmap.OrderedMap[string, []dns.NameServer] + NameServerPolicy []dns.Policy ProxyServerNameserver []dns.NameServer } -// FallbackFilter config -type FallbackFilter struct { - GeoIP bool `yaml:"geoip"` - GeoIPCode string `yaml:"geoip-code"` - IPCIDR []netip.Prefix `yaml:"ipcidr"` - Domain []string `yaml:"domain"` - GeoSite []router.DomainMatcher `yaml:"geosite"` -} - // Profile config type Profile struct { - StoreSelected bool `yaml:"store-selected"` - StoreFakeIP bool `yaml:"store-fake-ip"` + StoreSelected bool + StoreFakeIP bool } +// TLS config type TLS struct { - Certificate string `yaml:"certificate"` - PrivateKey string `yaml:"private-key"` - CustomTrustCert []string `yaml:"custom-certifactes"` -} - -// IPTables config -type IPTables struct { - Enable bool `yaml:"enable" json:"enable"` - InboundInterface string `yaml:"inbound-interface" json:"inbound-interface"` - Bypass []string `yaml:"bypass" json:"bypass"` - DnsRedirect bool `yaml:"dns-redirect" json:"dns-redirect"` -} - -type Sniffer struct { - Enable bool - Sniffers map[snifferTypes.Type]SNIFF.SnifferConfig - ForceDomain *trie.DomainSet - SkipDomain *trie.DomainSet - ForceDnsMapping bool - ParsePureIp bool -} - -// Experimental config -type Experimental struct { - Fingerprints []string `yaml:"fingerprints"` - QUICGoDisableGSO bool `yaml:"quic-go-disable-gso"` - QUICGoDisableECN bool `yaml:"quic-go-disable-ecn"` - IP4PEnable bool `yaml:"dialer-ip4p-convert"` + Certificate string + PrivateKey string + CustomTrustCert []string } // Config is mihomo config manager type Config struct { General *General + Controller *Controller + Experimental *Experimental IPTables *IPTables NTP *NTP DNS *DNS - Experimental *Experimental Hosts *trie.DomainTrie[resolver.HostValue] Profile *Profile Rules []C.Rule @@ -192,19 +186,10 @@ type Config struct { Providers map[string]providerTypes.ProxyProvider RuleProviders map[string]providerTypes.RuleProvider Tunnels []LC.Tunnel - Sniffer *Sniffer + Sniffer *sniffer.Config TLS *TLS } -type RawNTP struct { - Enable bool `yaml:"enable"` - Server string `yaml:"server"` - ServerPort int `yaml:"server-port"` - Interval int `yaml:"interval"` - DialerProxy string `yaml:"dialer-proxy"` - WriteToSystem bool `yaml:"write-to-system"` -} - type RawDNS struct { Enable bool `yaml:"enable" json:"enable"` PreferH3 bool `yaml:"prefer-h3" json:"prefer-h3"` @@ -220,6 +205,7 @@ type RawDNS struct { EnhancedMode C.DNSMode `yaml:"enhanced-mode" json:"enhanced-mode"` FakeIPRange string `yaml:"fake-ip-range" json:"fake-ip-range"` FakeIPFilter []string `yaml:"fake-ip-filter" json:"fake-ip-filter"` + FakeIPFilterMode C.FilterMode `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"` DefaultNameserver []string `yaml:"default-nameserver" json:"default-nameserver"` CacheAlgorithm string `yaml:"cache-algorithm" json:"cache-algorithm"` NameServerPolicy *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"` @@ -239,6 +225,15 @@ type RawClashForAndroid struct { UiSubtitlePattern string `yaml:"ui-subtitle-pattern" json:"ui-subtitle-pattern"` } +type RawNTP struct { + Enable bool `yaml:"enable" json:"enable"` + Server string `yaml:"server" json:"server"` + Port int `yaml:"port" json:"port"` + Interval int `yaml:"interval" json:"interval"` + DialerProxy string `yaml:"dialer-proxy" json:"dialer-proxy"` + WriteToSystem bool `yaml:"write-to-system" json:"write-to-system"` +} + type RawTun struct { Enable bool `yaml:"enable" json:"enable"` Device string `yaml:"device" json:"device"` @@ -250,35 +245,35 @@ type RawTun struct { MTU uint32 `yaml:"mtu" json:"mtu,omitempty"` GSO bool `yaml:"gso" json:"gso,omitempty"` GSOMaxSize uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"` - //Inet4Address []netip.Prefix `yaml:"inet4-address" json:"inet4_address,omitempty"` - Inet6Address []netip.Prefix `yaml:"inet6-address" json:"inet6_address,omitempty"` - IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"` - IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"` - AutoRedirect bool `yaml:"auto-redirect" json:"auto_redirect,omitempty"` - AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"` - AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"` - StrictRoute bool `yaml:"strict-route" json:"strict_route,omitempty"` - RouteAddress []netip.Prefix `yaml:"route-address" json:"route_address,omitempty"` - RouteAddressSet []string `yaml:"route-address-set" json:"route_address_set,omitempty"` - RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"` - RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"` + //Inet4Address []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"` + Inet6Address []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"` + IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"` + IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"` + AutoRedirect bool `yaml:"auto-redirect" json:"auto-redirect,omitempty"` + AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"` + AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"` + StrictRoute bool `yaml:"strict-route" json:"strict-route,omitempty"` + RouteAddress []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"` + RouteAddressSet []string `yaml:"route-address-set" json:"route-address-set,omitempty"` + RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"` + RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"` IncludeInterface []string `yaml:"include-interface" json:"include-interface,omitempty"` ExcludeInterface []string `yaml:"exclude-interface" json:"exclude-interface,omitempty"` - IncludeUID []uint32 `yaml:"include-uid" json:"include_uid,omitempty"` - IncludeUIDRange []string `yaml:"include-uid-range" json:"include_uid_range,omitempty"` - ExcludeUID []uint32 `yaml:"exclude-uid" json:"exclude_uid,omitempty"` - ExcludeUIDRange []string `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"` - IncludeAndroidUser []int `yaml:"include-android-user" json:"include_android_user,omitempty"` - IncludePackage []string `yaml:"include-package" json:"include_package,omitempty"` - ExcludePackage []string `yaml:"exclude-package" json:"exclude_package,omitempty"` - EndpointIndependentNat bool `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"` - UDPTimeout int64 `yaml:"udp-timeout" json:"udp_timeout,omitempty"` + IncludeUID []uint32 `yaml:"include-uid" json:"include-uid,omitempty"` + IncludeUIDRange []string `yaml:"include-uid-range" json:"include-uid-range,omitempty"` + ExcludeUID []uint32 `yaml:"exclude-uid" json:"exclude-uid,omitempty"` + ExcludeUIDRange []string `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"` + IncludeAndroidUser []int `yaml:"include-android-user" json:"include-android-user,omitempty"` + IncludePackage []string `yaml:"include-package" json:"include-package,omitempty"` + ExcludePackage []string `yaml:"exclude-package" json:"exclude-package,omitempty"` + EndpointIndependentNat bool `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"` + UDPTimeout int64 `yaml:"udp-timeout" json:"udp-timeout,omitempty"` FileDescriptor int `yaml:"file-descriptor" json:"file-descriptor"` - Inet4RouteAddress []netip.Prefix `yaml:"inet4-route-address" json:"inet4_route_address,omitempty"` - Inet6RouteAddress []netip.Prefix `yaml:"inet6-route-address" json:"inet6_route_address,omitempty"` - Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4_route_exclude_address,omitempty"` - Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6_route_exclude_address,omitempty"` + Inet4RouteAddress []netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"` + Inet6RouteAddress []netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"` + Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"` + Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"` } type RawTuicServer struct { @@ -296,36 +291,89 @@ type RawTuicServer struct { CWND int `yaml:"cwnd" json:"cwnd,omitempty"` } +type RawIPTables struct { + Enable bool `yaml:"enable" json:"enable"` + InboundInterface string `yaml:"inbound-interface" json:"inbound-interface"` + Bypass []string `yaml:"bypass" json:"bypass"` + DnsRedirect bool `yaml:"dns-redirect" json:"dns-redirect"` +} + +type RawExperimental struct { + Fingerprints []string `yaml:"fingerprints"` + QUICGoDisableGSO bool `yaml:"quic-go-disable-gso"` + QUICGoDisableECN bool `yaml:"quic-go-disable-ecn"` + IP4PEnable bool `yaml:"dialer-ip4p-convert"` +} + +type RawProfile struct { + StoreSelected bool `yaml:"store-selected" json:"store-selected"` + StoreFakeIP bool `yaml:"store-fake-ip" json:"store-fake-ip"` +} + +type RawGeoXUrl struct { + GeoIp string `yaml:"geoip" json:"geoip"` + Mmdb string `yaml:"mmdb" json:"mmdb"` + ASN string `yaml:"asn" json:"asn"` + GeoSite string `yaml:"geosite" json:"geosite"` +} + +type RawSniffer struct { + Enable bool `yaml:"enable" json:"enable"` + OverrideDest bool `yaml:"override-destination" json:"override-destination"` + Sniffing []string `yaml:"sniffing" json:"sniffing"` + ForceDomain []string `yaml:"force-domain" json:"force-domain"` + SkipSrcAddress []string `yaml:"skip-src-address" json:"skip-src-address"` + SkipDstAddress []string `yaml:"skip-dst-address" json:"skip-dst-address"` + SkipDomain []string `yaml:"skip-domain" json:"skip-domain"` + Ports []string `yaml:"port-whitelist" json:"port-whitelist"` + ForceDnsMapping bool `yaml:"force-dns-mapping" json:"force-dns-mapping"` + ParsePureIp bool `yaml:"parse-pure-ip" json:"parse-pure-ip"` + + Sniff map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"` +} + +type RawSniffingConfig struct { + Ports []string `yaml:"ports" json:"ports"` + OverrideDest *bool `yaml:"override-destination" json:"override-destination"` +} + +type RawTLS struct { + Certificate string `yaml:"certificate" json:"certificate"` + PrivateKey string `yaml:"private-key" json:"private-key"` + CustomTrustCert []string `yaml:"custom-certifactes" json:"custom-certifactes"` +} + type RawConfig struct { Port int `yaml:"port" json:"port"` SocksPort int `yaml:"socks-port" json:"socks-port"` RedirPort int `yaml:"redir-port" json:"redir-port"` TProxyPort int `yaml:"tproxy-port" json:"tproxy-port"` MixedPort int `yaml:"mixed-port" json:"mixed-port"` - ShadowSocksConfig string `yaml:"ss-config"` - VmessConfig string `yaml:"vmess-config"` - InboundTfo bool `yaml:"inbound-tfo"` - InboundMPTCP bool `yaml:"inbound-mptcp"` + ShadowSocksConfig string `yaml:"ss-config" json:"ss-config"` + VmessConfig string `yaml:"vmess-config" json:"vmess-config"` + InboundTfo bool `yaml:"inbound-tfo" json:"inbound-tfo"` + InboundMPTCP bool `yaml:"inbound-mptcp" json:"inbound-mptcp"` Authentication []string `yaml:"authentication" json:"authentication"` - SkipAuthPrefixes []netip.Prefix `yaml:"skip-auth-prefixes"` - LanAllowedIPs []netip.Prefix `yaml:"lan-allowed-ips"` - LanDisAllowedIPs []netip.Prefix `yaml:"lan-disallowed-ips"` + SkipAuthPrefixes []netip.Prefix `yaml:"skip-auth-prefixes" json:"skip-auth-prefixes"` + LanAllowedIPs []netip.Prefix `yaml:"lan-allowed-ips" json:"lan-allowed-ips"` + LanDisAllowedIPs []netip.Prefix `yaml:"lan-disallowed-ips" json:"lan-disallowed-ips"` AllowLan bool `yaml:"allow-lan" json:"allow-lan"` BindAddress string `yaml:"bind-address" json:"bind-address"` Mode T.TunnelMode `yaml:"mode" json:"mode"` UnifiedDelay bool `yaml:"unified-delay" json:"unified-delay"` LogLevel log.LogLevel `yaml:"log-level" json:"log-level"` IPv6 bool `yaml:"ipv6" json:"ipv6"` - ExternalController string `yaml:"external-controller"` - ExternalControllerUnix string `yaml:"external-controller-unix"` - ExternalControllerTLS string `yaml:"external-controller-tls"` - ExternalUI string `yaml:"external-ui"` + ExternalController string `yaml:"external-controller" json:"external-controller"` + ExternalControllerUnix string `yaml:"external-controller-unix" json:"external-controller-unix"` + ExternalControllerTLS string `yaml:"external-controller-tls" json:"external-controller-tls"` + ExternalUI string `yaml:"external-ui" json:"external-ui"` ExternalUIURL string `yaml:"external-ui-url" json:"external-ui-url"` ExternalUIName string `yaml:"external-ui-name" json:"external-ui-name"` - Secret string `yaml:"secret"` - Interface string `yaml:"interface-name"` - RoutingMark int `yaml:"routing-mark"` - Tunnels []LC.Tunnel `yaml:"tunnels"` + ExternalDohServer string `yaml:"external-doh-server" json:"external-doh-server"` + Secret string `yaml:"secret" json:"secret"` + Interface string `yaml:"interface-name" json:"interface-name"` + RoutingMark int `yaml:"routing-mark" json:"routing-mark"` + Tunnels []LC.Tunnel `yaml:"tunnels" json:"tunnels"` GeoAutoUpdate bool `yaml:"geo-auto-update" json:"geo-auto-update"` GeoUpdateInterval int `yaml:"geo-update-interval" json:"geo-update-interval"` GeodataMode bool `yaml:"geodata-mode" json:"geodata-mode"` @@ -333,63 +381,35 @@ type RawConfig struct { GeositeMatcher string `yaml:"geosite-matcher" json:"geosite-matcher"` TCPConcurrent bool `yaml:"tcp-concurrent" json:"tcp-concurrent"` FindProcessMode P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"` - GlobalClientFingerprint string `yaml:"global-client-fingerprint"` - GlobalUA string `yaml:"global-ua"` - KeepAliveInterval int `yaml:"keep-alive-interval"` - - Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` - ProxyProvider map[string]map[string]any `yaml:"proxy-providers"` - RuleProvider map[string]map[string]any `yaml:"rule-providers"` + GlobalClientFingerprint string `yaml:"global-client-fingerprint" json:"global-client-fingerprint"` + GlobalUA string `yaml:"global-ua" json:"global-ua"` + ETagSupport bool `yaml:"etag-support" json:"etag-support"` + KeepAliveIdle int `yaml:"keep-alive-idle" json:"keep-alive-idle"` + KeepAliveInterval int `yaml:"keep-alive-interval" json:"keep-alive-interval"` + DisableKeepAlive bool `yaml:"disable-keep-alive" json:"disable-keep-alive"` + + ProxyProvider map[string]map[string]any `yaml:"proxy-providers" json:"proxy-providers"` + RuleProvider map[string]map[string]any `yaml:"rule-providers" json:"rule-providers"` + Proxy []map[string]any `yaml:"proxies" json:"proxies"` + ProxyGroup []map[string]any `yaml:"proxy-groups" json:"proxy-groups"` + Rule []string `yaml:"rules" json:"rule"` + SubRules map[string][]string `yaml:"sub-rules" json:"sub-rules"` + Listeners []map[string]any `yaml:"listeners" json:"listeners"` Hosts map[string]any `yaml:"hosts" json:"hosts"` - NTP RawNTP `yaml:"ntp" json:"ntp"` DNS RawDNS `yaml:"dns" json:"dns"` - Tun RawTun `yaml:"tun"` - TuicServer RawTuicServer `yaml:"tuic-server"` - EBpf EBpf `yaml:"ebpf"` - IPTables IPTables `yaml:"iptables"` - Experimental Experimental `yaml:"experimental"` - Profile Profile `yaml:"profile"` - GeoXUrl GeoXUrl `yaml:"geox-url"` - Proxy []map[string]any `yaml:"proxies"` - ProxyGroup []map[string]any `yaml:"proxy-groups"` - Rule []string `yaml:"rules"` - SubRules map[string][]string `yaml:"sub-rules"` - RawTLS TLS `yaml:"tls"` - Listeners []map[string]any `yaml:"listeners"` + NTP RawNTP `yaml:"ntp" json:"ntp"` + Tun RawTun `yaml:"tun" json:"tun"` + TuicServer RawTuicServer `yaml:"tuic-server" json:"tuic-server"` + IPTables RawIPTables `yaml:"iptables" json:"iptables"` + Experimental RawExperimental `yaml:"experimental" json:"experimental"` + Profile RawProfile `yaml:"profile" json:"profile"` + GeoXUrl RawGeoXUrl `yaml:"geox-url" json:"geox-url"` + Sniffer RawSniffer `yaml:"sniffer" json:"sniffer"` + TLS RawTLS `yaml:"tls" json:"tls"` ClashForAndroid RawClashForAndroid `yaml:"clash-for-android" json:"clash-for-android"` } -type GeoXUrl struct { - GeoIp string `yaml:"geoip" json:"geoip"` - Mmdb string `yaml:"mmdb" json:"mmdb"` - ASN string `yaml:"asn" json:"asn"` - GeoSite string `yaml:"geosite" json:"geosite"` -} - -type RawSniffer struct { - Enable bool `yaml:"enable" json:"enable"` - OverrideDest bool `yaml:"override-destination" json:"override-destination"` - Sniffing []string `yaml:"sniffing" json:"sniffing"` - ForceDomain []string `yaml:"force-domain" json:"force-domain"` - SkipDomain []string `yaml:"skip-domain" json:"skip-domain"` - Ports []string `yaml:"port-whitelist" json:"port-whitelist"` - ForceDnsMapping bool `yaml:"force-dns-mapping" json:"force-dns-mapping"` - ParsePureIp bool `yaml:"parse-pure-ip" json:"parse-pure-ip"` - Sniff map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"` -} - -type RawSniffingConfig struct { - Ports []string `yaml:"ports" json:"ports"` - OverrideDest *bool `yaml:"override-destination" json:"override-destination"` -} - -// EBpf config -type EBpf struct { - RedirectToTun []string `yaml:"redirect-to-tun" json:"redirect-to-tun"` - AutoRedir []string `yaml:"auto-redir" json:"auto-redir"` -} - var ( GroupsList = list.New() ProxiesList = list.New() @@ -406,9 +426,8 @@ func Parse(buf []byte) (*Config, error) { return ParseRawConfig(rawCfg) } -func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { - // config with default value - rawCfg := &RawConfig{ +func DefaultRawConfig() *RawConfig { + return &RawConfig{ AllowLan: false, BindAddress: "*", LanAllowedIPs: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}, @@ -416,7 +435,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { Mode: T.Rule, GeoAutoUpdate: false, GeoUpdateInterval: 24, - GeodataMode: C.GeodataMode, + GeodataMode: geodata.GeodataMode(), GeodataLoader: "memconservative", UnifiedDelay: false, Authentication: []string{}, @@ -428,45 +447,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { TCPConcurrent: false, FindProcessMode: P.FindProcessStrict, GlobalUA: "clash.meta/" + C.Version, - Tun: RawTun{ - Enable: false, - Device: "", - Stack: C.TunGvisor, - DNSHijack: []string{"0.0.0.0:53"}, // default hijack all dns query - AutoRoute: true, - AutoDetectInterface: true, - Inet6Address: []netip.Prefix{netip.MustParsePrefix("fdfe:dcba:9876::1/126")}, - }, - TuicServer: RawTuicServer{ - Enable: false, - Token: nil, - Users: nil, - Certificate: "", - PrivateKey: "", - Listen: "", - CongestionController: "", - MaxIdleTime: 15000, - AuthenticationTimeout: 1000, - ALPN: []string{"h3"}, - MaxUdpRelayPacketSize: 1500, - }, - EBpf: EBpf{ - RedirectToTun: []string{}, - AutoRedir: []string{}, - }, - IPTables: IPTables{ - Enable: false, - InboundInterface: "lo", - Bypass: []string{}, - DnsRedirect: true, - }, - NTP: RawNTP{ - Enable: false, - WriteToSystem: false, - Server: "time.apple.com", - ServerPort: 123, - Interval: 30, - }, + ETagSupport: true, DNS: RawDNS{ Enable: false, IPv6: false, @@ -496,15 +477,60 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { "www.msftnsci.com", "www.msftconnecttest.com", }, + FakeIPFilterMode: C.FilterBlackList, + }, + NTP: RawNTP{ + Enable: false, + WriteToSystem: false, + Server: "time.apple.com", + Port: 123, + Interval: 30, + }, + Tun: RawTun{ + Enable: false, + Device: "", + Stack: C.TunGvisor, + DNSHijack: []string{"0.0.0.0:53"}, // default hijack all dns query + AutoRoute: true, + AutoDetectInterface: true, + Inet6Address: []netip.Prefix{netip.MustParsePrefix("fdfe:dcba:9876::1/126")}, }, - Experimental: Experimental{ + TuicServer: RawTuicServer{ + Enable: false, + Token: nil, + Users: nil, + Certificate: "", + PrivateKey: "", + Listen: "", + CongestionController: "", + MaxIdleTime: 15000, + AuthenticationTimeout: 1000, + ALPN: []string{"h3"}, + MaxUdpRelayPacketSize: 1500, + }, + IPTables: RawIPTables{ + Enable: false, + InboundInterface: "lo", + Bypass: []string{}, + DnsRedirect: true, + }, + Experimental: RawExperimental{ // https://github.com/quic-go/quic-go/issues/4178 // Quic-go currently cannot automatically fall back on platforms that do not support ecn, so this feature is turned off by default. QUICGoDisableECN: true, }, + Profile: RawProfile{ + StoreSelected: true, + }, + GeoXUrl: RawGeoXUrl{ + Mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb", + ASN: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/GeoLite2-ASN.mmdb", + GeoIp: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat", + GeoSite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat", + }, Sniffer: RawSniffer{ Enable: false, - Sniffing: []string{}, + Sniff: map[string]RawSniffingConfig{}, ForceDomain: []string{}, SkipDomain: []string{}, Ports: []string{}, @@ -512,17 +538,13 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { ParsePureIp: true, OverrideDest: true, }, - Profile: Profile{ - StoreSelected: true, - }, - GeoXUrl: GeoXUrl{ - Mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb", - ASN: "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb", - GeoIp: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat", - GeoSite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat", - }, ExternalUIURL: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip", } +} + +func UnmarshalRawConfig(buf []byte) (*RawConfig, error) { + // config with default value + rawCfg := DefaultRawConfig() if err := yaml.Unmarshal(buf, rawCfg); err != nil { return nil, err @@ -535,10 +557,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { config := &Config{} log.Infoln("Start initial configuration in progress") //Segment finished in xxm startTime := time.Now() - config.Experimental = &rawCfg.Experimental - config.Profile = &rawCfg.Profile - config.IPTables = &rawCfg.IPTables - config.TLS = &rawCfg.RawTLS general, err := parseGeneral(rawCfg) if err != nil { @@ -551,6 +569,42 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint) } + controller, err := parseController(rawCfg) + if err != nil { + return nil, err + } + config.Controller = controller + + experimental, err := parseExperimental(rawCfg) + if err != nil { + return nil, err + } + config.Experimental = experimental + + iptables, err := parseIPTables(rawCfg) + if err != nil { + return nil, err + } + config.IPTables = iptables + + ntpCfg, err := parseNTP(rawCfg) + if err != nil { + return nil, err + } + config.NTP = ntpCfg + + profile, err := parseProfile(rawCfg) + if err != nil { + return nil, err + } + config.Profile = profile + + tlsCfg, err := parseTLS(rawCfg) + if err != nil { + return nil, err + } + config.TLS = tlsCfg + proxies, providers, err := parseProxies(rawCfg) if err != nil { return nil, err @@ -590,17 +644,14 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } config.Hosts = hosts - ntpCfg := paresNTP(rawCfg) - config.NTP = ntpCfg - - dnsCfg, err := parseDNS(rawCfg, hosts, rules, ruleProviders) + dnsCfg, err := parseDNS(rawCfg, hosts, ruleProviders) if err != nil { return nil, err } config.DNS = dnsCfg err = parseTun(rawCfg.Tun, config.General) - if !features.CMFA && err != nil { + if err != nil { return nil, err } @@ -621,7 +672,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } } - config.Sniffer, err = parseSniffer(rawCfg.Sniffer) + config.Sniffer, err = parseSniffer(rawCfg.Sniffer, ruleProviders) if err != nil { return nil, err } @@ -633,43 +684,41 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } func parseGeneral(cfg *RawConfig) (*General, error) { + updater.SetGeoAutoUpdate(cfg.GeoAutoUpdate) + updater.SetGeoUpdateInterval(cfg.GeoUpdateInterval) geodata.SetGeodataMode(cfg.GeodataMode) - geodata.SetGeoAutoUpdate(cfg.GeoAutoUpdate) - geodata.SetGeoUpdateInterval(cfg.GeoUpdateInterval) geodata.SetLoader(cfg.GeodataLoader) geodata.SetSiteMatcher(cfg.GeositeMatcher) - C.GeoAutoUpdate = cfg.GeoAutoUpdate - C.GeoUpdateInterval = cfg.GeoUpdateInterval - C.GeoIpUrl = cfg.GeoXUrl.GeoIp - C.GeoSiteUrl = cfg.GeoXUrl.GeoSite - C.MmdbUrl = cfg.GeoXUrl.Mmdb - C.ASNUrl = cfg.GeoXUrl.ASN - C.GeodataMode = cfg.GeodataMode - C.UA = cfg.GlobalUA + geodata.SetGeoIpUrl(cfg.GeoXUrl.GeoIp) + geodata.SetGeoSiteUrl(cfg.GeoXUrl.GeoSite) + geodata.SetMmdbUrl(cfg.GeoXUrl.Mmdb) + geodata.SetASNUrl(cfg.GeoXUrl.ASN) + mihomoHttp.SetUA(cfg.GlobalUA) + resource.SetETag(cfg.ETagSupport) + + if cfg.KeepAliveIdle != 0 { + N.KeepAliveIdle = time.Duration(cfg.KeepAliveIdle) * time.Second + } if cfg.KeepAliveInterval != 0 { N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second } + N.DisableKeepAlive = cfg.DisableKeepAlive - updater.ExternalUIPath = cfg.ExternalUI // checkout externalUI exist - if updater.ExternalUIPath != "" { - updater.ExternalUIPath = C.Path.Resolve(updater.ExternalUIPath) - if _, err := os.Stat(updater.ExternalUIPath); os.IsNotExist(err) { - defaultUIpath := path.Join(C.Path.HomeDir(), "ui") - log.Warnln("external-ui: %s does not exist, creating folder in %s", updater.ExternalUIPath, defaultUIpath) - if err := os.MkdirAll(defaultUIpath, os.ModePerm); err != nil { - return nil, err - } - updater.ExternalUIPath = defaultUIpath - cfg.ExternalUI = defaultUIpath - } + if cfg.ExternalUI != "" { + updater.AutoDownloadUI = true + updater.ExternalUIPath = C.Path.Resolve(cfg.ExternalUI) + } else { + // default externalUI path + updater.ExternalUIPath = path.Join(C.Path.HomeDir(), "ui") } + // checkout UIpath/name exist if cfg.ExternalUIName != "" { - updater.ExternalUIName = cfg.ExternalUIName - } else { - updater.ExternalUIFolder = updater.ExternalUIPath + updater.AutoDownloadUI = true + updater.ExternalUIPath = path.Join(updater.ExternalUIPath, cfg.ExternalUIName) } + if cfg.ExternalUIURL != "" { updater.ExternalUIURL = cfg.ExternalUIURL } @@ -691,29 +740,82 @@ func parseGeneral(cfg *RawConfig) (*General, error) { InboundTfo: cfg.InboundTfo, InboundMPTCP: cfg.InboundMPTCP, }, - Controller: Controller{ - ExternalController: cfg.ExternalController, - ExternalUI: cfg.ExternalUI, - Secret: cfg.Secret, - ExternalControllerUnix: cfg.ExternalControllerUnix, - ExternalControllerTLS: cfg.ExternalControllerTLS, + UnifiedDelay: cfg.UnifiedDelay, + Mode: cfg.Mode, + LogLevel: cfg.LogLevel, + IPv6: cfg.IPv6, + Interface: cfg.Interface, + RoutingMark: cfg.RoutingMark, + GeoXUrl: GeoXUrl{ + GeoIp: cfg.GeoXUrl.GeoIp, + Mmdb: cfg.GeoXUrl.Mmdb, + ASN: cfg.GeoXUrl.ASN, + GeoSite: cfg.GeoXUrl.GeoSite, }, - UnifiedDelay: cfg.UnifiedDelay, - Mode: cfg.Mode, - LogLevel: cfg.LogLevel, - IPv6: cfg.IPv6, - Interface: cfg.Interface, - RoutingMark: cfg.RoutingMark, - GeoXUrl: cfg.GeoXUrl, GeoAutoUpdate: cfg.GeoAutoUpdate, GeoUpdateInterval: cfg.GeoUpdateInterval, GeodataMode: cfg.GeodataMode, GeodataLoader: cfg.GeodataLoader, TCPConcurrent: cfg.TCPConcurrent, FindProcessMode: cfg.FindProcessMode, - EBpf: cfg.EBpf, GlobalClientFingerprint: cfg.GlobalClientFingerprint, GlobalUA: cfg.GlobalUA, + ETagSupport: cfg.ETagSupport, + }, nil +} + +func parseController(cfg *RawConfig) (*Controller, error) { + return &Controller{ + ExternalController: cfg.ExternalController, + ExternalUI: cfg.ExternalUI, + Secret: cfg.Secret, + ExternalControllerUnix: cfg.ExternalControllerUnix, + ExternalControllerTLS: cfg.ExternalControllerTLS, + ExternalDohServer: cfg.ExternalDohServer, + }, nil +} + +func parseExperimental(cfg *RawConfig) (*Experimental, error) { + return &Experimental{ + Fingerprints: cfg.Experimental.Fingerprints, + QUICGoDisableGSO: cfg.Experimental.QUICGoDisableGSO, + QUICGoDisableECN: cfg.Experimental.QUICGoDisableECN, + IP4PEnable: cfg.Experimental.IP4PEnable, + }, nil +} + +func parseIPTables(cfg *RawConfig) (*IPTables, error) { + return &IPTables{ + Enable: cfg.IPTables.Enable, + InboundInterface: cfg.IPTables.InboundInterface, + Bypass: cfg.IPTables.Bypass, + DnsRedirect: cfg.IPTables.DnsRedirect, + }, nil +} + +func parseNTP(cfg *RawConfig) (*NTP, error) { + return &NTP{ + Enable: cfg.NTP.Enable, + Server: cfg.NTP.Server, + Port: cfg.NTP.Port, + Interval: cfg.NTP.Interval, + DialerProxy: cfg.NTP.DialerProxy, + WriteToSystem: cfg.NTP.WriteToSystem, + }, nil +} + +func parseProfile(cfg *RawConfig) (*Profile, error) { + return &Profile{ + StoreSelected: cfg.Profile.StoreSelected, + StoreFakeIP: cfg.Profile.StoreFakeIP, + }, nil +} + +func parseTLS(cfg *RawConfig) (*TLS, error) { + return &TLS{ + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + CustomTrustCert: cfg.TLS.CustomTrustCert, }, nil } @@ -789,6 +891,9 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[ AllProviders = append(AllProviders, name) } + slices.Sort(AllProxies) + slices.Sort(AllProviders) + // parse proxy group for idx, mapping := range groupsConfig { group, err := outboundgroup.ParseProxyGroup(mapping, proxies, providersMap, AllProxies, AllProviders) @@ -1087,13 +1192,16 @@ func parseNameServer(servers []string, respectRules bool, preferH3 bool) ([]dns. case "tls": addr, err = hostWithDefaultPort(u.Host, "853") dnsNetType = "tcp-tls" // DNS over TLS - case "https": + case "http", "https": addr, err = hostWithDefaultPort(u.Host, "443") + dnsNetType = "https" // DNS over HTTPS + if u.Scheme == "http" { + addr, err = hostWithDefaultPort(u.Host, "80") + } if err == nil { proxyName = "" - clearURL := url.URL{Scheme: "https", Host: addr, Path: u.Path, User: u.User} + clearURL := url.URL{Scheme: u.Scheme, Host: addr, Path: u.Path, User: u.User} addr = clearURL.String() - dnsNetType = "https" // DNS over HTTPS if len(u.Fragment) != 0 { for _, s := range strings.Split(u.Fragment, "&") { arr := strings.Split(s, "=") @@ -1182,141 +1290,82 @@ func parsePureDNSServer(server string) string { } } -func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) (*orderedmap.OrderedMap[string, []dns.NameServer], error) { - policy := orderedmap.New[string, []dns.NameServer]() - updatedPolicy := orderedmap.New[string, any]() - re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`) +func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) ([]dns.Policy, error) { + var policy []dns.Policy for pair := nsPolicy.Oldest(); pair != nil; pair = pair.Next() { k, v := pair.Key, pair.Value - if strings.Contains(strings.ToLower(k), ",") { - if strings.Contains(k, "geosite:") { + servers, err := utils.ToStringSlice(v) + if err != nil { + return nil, err + } + nameservers, err := parseNameServer(servers, respectRules, preferH3) + if err != nil { + return nil, err + } + kLower := strings.ToLower(k) + if strings.Contains(kLower, ",") { + if strings.Contains(kLower, "geosite:") { subkeys := strings.Split(k, ":") subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, subkey := range subkeys { newKey := "geosite:" + subkey - updatedPolicy.Store(newKey, v) + policy = append(policy, dns.Policy{Domain: newKey, NameServers: nameservers}) } - } else if strings.Contains(strings.ToLower(k), "rule-set:") { + } else if strings.Contains(kLower, "rule-set:") { subkeys := strings.Split(k, ":") subkeys = subkeys[1:] subkeys = strings.Split(subkeys[0], ",") for _, subkey := range subkeys { newKey := "rule-set:" + subkey - updatedPolicy.Store(newKey, v) + policy = append(policy, dns.Policy{Domain: newKey, NameServers: nameservers}) } - } else if re.MatchString(k) { + } else { subkeys := strings.Split(k, ",") for _, subkey := range subkeys { - updatedPolicy.Store(subkey, v) + policy = append(policy, dns.Policy{Domain: subkey, NameServers: nameservers}) } } } else { - if strings.Contains(strings.ToLower(k), "geosite:") { - updatedPolicy.Store("geosite:"+k[8:], v) - } else if strings.Contains(strings.ToLower(k), "rule-set:") { - updatedPolicy.Store("rule-set:"+k[9:], v) - } - updatedPolicy.Store(k, v) - } - } - - for pair := updatedPolicy.Oldest(); pair != nil; pair = pair.Next() { - domain, server := pair.Key, pair.Value - servers, err := utils.ToStringSlice(server) - if err != nil { - return nil, err - } - nameservers, err := parseNameServer(servers, respectRules, preferH3) - if err != nil { - return nil, err - } - if _, valid := trie.ValidAndSplitDomain(domain); !valid { - return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain) - } - if strings.HasPrefix(domain, "rule-set:") { - domainSetName := domain[9:] - if provider, ok := ruleProviders[domainSetName]; !ok { - return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + if strings.Contains(kLower, "geosite:") { + policy = append(policy, dns.Policy{Domain: "geosite:" + k[8:], NameServers: nameservers}) + } else if strings.Contains(kLower, "rule-set:") { + policy = append(policy, dns.Policy{Domain: "rule-set:" + k[9:], NameServers: nameservers}) } else { - switch provider.Behavior() { - case providerTypes.IPCIDR: - return nil, fmt.Errorf("rule provider type error, except domain,actual %s", provider.Behavior()) - case providerTypes.Classical: - log.Warnln("%s provider is %s, only matching it contain domain rule", provider.Name(), provider.Behavior()) - } + policy = append(policy, dns.Policy{Domain: k, NameServers: nameservers}) } } - policy.Store(domain, nameservers) - } - - return policy, nil -} - -func parseFallbackIPCIDR(ips []string) ([]netip.Prefix, error) { - var ipNets []netip.Prefix - - for idx, ip := range ips { - ipnet, err := netip.ParsePrefix(ip) - if err != nil { - return nil, fmt.Errorf("DNS FallbackIP[%d] format error: %s", idx, err.Error()) - } - ipNets = append(ipNets, ipnet) } - return ipNets, nil -} - -func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]router.DomainMatcher, error) { - var sites []router.DomainMatcher - if len(countries) > 0 { - if err := geodata.InitGeoSite(); err != nil { - return nil, fmt.Errorf("can't initial GeoSite: %s", err) - } - log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") - } + for idx, p := range policy { + domain, nameservers := p.Domain, p.NameServers - for _, country := range countries { - found := false - for _, rule := range rules { - if rule.RuleType() == C.GEOSITE { - if strings.EqualFold(country, rule.Payload()) { - found = true - sites = append(sites, rule.(C.RuleGeoSite).GetDomainMatcher()) - log.Infoln("Start initial GeoSite dns fallback filter from rule `%s`", country) - } + if strings.HasPrefix(domain, "rule-set:") { + domainSetName := domain[9:] + matcher, err := parseDomainRuleSet(domainSetName, "dns.nameserver-policy", ruleProviders) + if err != nil { + return nil, err } - } - - if !found { - matcher, recordsCount, err := geodata.LoadGeoSiteMatcher(country) + policy[idx] = dns.Policy{Matcher: matcher, NameServers: nameservers} + } else if strings.HasPrefix(domain, "geosite:") { + country := domain[8:] + matcher, err := RC.NewGEOSITE(country, "dns.nameserver-policy") if err != nil { return nil, err } - - sites = append(sites, matcher) - - log.Infoln("Start initial GeoSite dns fallback filter `%s`, records: %d", country, recordsCount) + policy[idx] = dns.Policy{Matcher: matcher, NameServers: nameservers} + } else { + if _, valid := trie.ValidAndSplitDomain(domain); !valid { + return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain) + } } } - return sites, nil -} -func paresNTP(rawCfg *RawConfig) *NTP { - cfg := rawCfg.NTP - ntpCfg := &NTP{ - Enable: cfg.Enable, - Server: cfg.Server, - Port: cfg.ServerPort, - Interval: cfg.Interval, - DialerProxy: cfg.DialerProxy, - WriteToSystem: cfg.WriteToSystem, - } - return ntpCfg + return policy, nil } -func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) { +func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) { cfg := rawCfg.DNS if cfg.Enable && len(cfg.NameServer) == 0 { return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty") @@ -1334,10 +1383,6 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPv6: cfg.IPv6, UseSystemHosts: cfg.UseSystemHosts, EnhancedMode: cfg.EnhancedMode, - FallbackFilter: FallbackFilter{ - IPCIDR: []netip.Prefix{}, - GeoSite: []router.DomainMatcher{}, - }, } var err error if dnsCfg.NameServer, err = parseNameServer(cfg.NameServer, cfg.RespectRules, cfg.PreferH3); err != nil { @@ -1385,33 +1430,28 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul return nil, err } - var host *trie.DomainTrie[struct{}] - // fake ip skip host filter - if len(cfg.FakeIPFilter) != 0 { - host = trie.New[struct{}]() - for _, domain := range cfg.FakeIPFilter { - _ = host.Insert(domain, struct{}{}) - } - host.Optimize() - } - + var fakeIPTrie *trie.DomainTrie[struct{}] if len(dnsCfg.Fallback) != 0 { - if host == nil { - host = trie.New[struct{}]() - } + fakeIPTrie = trie.New[struct{}]() for _, fb := range dnsCfg.Fallback { if net.ParseIP(fb.Addr) != nil { continue } - _ = host.Insert(fb.Addr, struct{}{}) + _ = fakeIPTrie.Insert(fb.Addr, struct{}{}) } - host.Optimize() + } + + // fake ip skip host filter + host, err := parseDomain(cfg.FakeIPFilter, fakeIPTrie, "dns.fake-ip-filter", ruleProviders) + if err != nil { + return nil, err } pool, err := fakeip.New(fakeip.Options{ IPNet: fakeIPRange, Size: 1000, Host: host, + Mode: cfg.FakeIPFilterMode, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { @@ -1422,17 +1462,49 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul } if len(cfg.Fallback) != 0 { - dnsCfg.FallbackFilter.GeoIP = cfg.FallbackFilter.GeoIP - dnsCfg.FallbackFilter.GeoIPCode = cfg.FallbackFilter.GeoIPCode - if fallbackip, err := parseFallbackIPCIDR(cfg.FallbackFilter.IPCIDR); err == nil { - dnsCfg.FallbackFilter.IPCIDR = fallbackip + if cfg.FallbackFilter.GeoIP { + matcher, err := RC.NewGEOIP(cfg.FallbackFilter.GeoIPCode, "dns.fallback-filter.geoip", false, true) + if err != nil { + return nil, fmt.Errorf("load GeoIP dns fallback filter error, %w", err) + } + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, matcher.DnsFallbackFilter()) } - dnsCfg.FallbackFilter.Domain = cfg.FallbackFilter.Domain - fallbackGeoSite, err := parseFallbackGeoSite(cfg.FallbackFilter.GeoSite, rules) - if err != nil { - return nil, fmt.Errorf("load GeoSite dns fallback filter error, %w", err) + if len(cfg.FallbackFilter.IPCIDR) > 0 { + cidrSet := cidr.NewIpCidrSet() + for idx, ipcidr := range cfg.FallbackFilter.IPCIDR { + err = cidrSet.AddIpCidrForString(ipcidr) + if err != nil { + return nil, fmt.Errorf("DNS FallbackIP[%d] format error: %w", idx, err) + } + } + err = cidrSet.Merge() + if err != nil { + return nil, err + } + matcher := cidrSet // dns.fallback-filter.ipcidr + dnsCfg.FallbackIPFilter = append(dnsCfg.FallbackIPFilter, matcher) + } + if len(cfg.FallbackFilter.Domain) > 0 { + domainTrie := trie.New[struct{}]() + for idx, domain := range cfg.FallbackFilter.Domain { + err = domainTrie.Insert(domain, struct{}{}) + if err != nil { + return nil, fmt.Errorf("DNS FallbackDomain[%d] format error: %w", idx, err) + } + } + matcher := domainTrie.NewDomainSet() // dns.fallback-filter.domain + dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, matcher) + } + if len(cfg.FallbackFilter.GeoSite) > 0 { + log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future") + for idx, geoSite := range cfg.FallbackFilter.GeoSite { + matcher, err := RC.NewGEOSITE(geoSite, "dns.fallback-filter.geosite") + if err != nil { + return nil, fmt.Errorf("DNS FallbackGeosite[%d] format error: %w", idx, err) + } + dnsCfg.FallbackDomainFilter = append(dnsCfg.FallbackDomainFilter, matcher) + } } - dnsCfg.FallbackFilter.GeoSite = fallbackGeoSite } if cfg.UseHosts { @@ -1532,13 +1604,13 @@ func parseTuicServer(rawTuic RawTuicServer, general *General) error { return nil } -func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { - sniffer := &Sniffer{ +func parseSniffer(snifferRaw RawSniffer, ruleProviders map[string]providerTypes.RuleProvider) (*sniffer.Config, error) { + snifferConfig := &sniffer.Config{ Enable: snifferRaw.Enable, ForceDnsMapping: snifferRaw.ForceDnsMapping, ParsePureIp: snifferRaw.ParsePureIp, } - loadSniffer := make(map[snifferTypes.Type]SNIFF.SnifferConfig) + loadSniffer := make(map[snifferTypes.Type]sniffer.SnifferConfig) if len(snifferRaw.Sniff) != 0 { for sniffType, sniffConfig := range snifferRaw.Sniff { @@ -1554,7 +1626,7 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { for _, snifferType := range snifferTypes.List { if snifferType.String() == strings.ToUpper(sniffType) { find = true - loadSniffer[snifferType] = SNIFF.SnifferConfig{ + loadSniffer[snifferType] = sniffer.SnifferConfig{ Ports: ports, OverrideDest: overrideDest, } @@ -1566,7 +1638,7 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { } } } else { - if sniffer.Enable { + if snifferConfig.Enable && len(snifferRaw.Sniffing) != 0 { // Deprecated: Use Sniff instead log.Warnln("Deprecated: Use Sniff instead") } @@ -1580,7 +1652,7 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { for _, snifferType := range snifferTypes.List { if snifferType.String() == strings.ToUpper(snifferName) { find = true - loadSniffer[snifferType] = SNIFF.SnifferConfig{ + loadSniffer[snifferType] = sniffer.SnifferConfig{ Ports: globalPorts, OverrideDest: snifferRaw.OverrideDest, } @@ -1593,25 +1665,151 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) { } } - sniffer.Sniffers = loadSniffer + snifferConfig.Sniffers = loadSniffer - forceDomainTrie := trie.New[struct{}]() - for _, domain := range snifferRaw.ForceDomain { - err := forceDomainTrie.Insert(domain, struct{}{}) + forceDomain, err := parseDomain(snifferRaw.ForceDomain, nil, "sniffer.force-domain", ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in force-domain, error:%w", err) + } + snifferConfig.ForceDomain = forceDomain + + skipSrcAddress, err := parseIPCIDR(snifferRaw.SkipSrcAddress, nil, "sniffer.skip-src-address", ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in skip-src-address, error:%w", err) + } + snifferConfig.SkipSrcAddress = skipSrcAddress + + skipDstAddress, err := parseIPCIDR(snifferRaw.SkipDstAddress, nil, "sniffer.skip-src-address", ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in skip-dst-address, error:%w", err) + } + snifferConfig.SkipDstAddress = skipDstAddress + + skipDomain, err := parseDomain(snifferRaw.SkipDomain, nil, "sniffer.skip-domain", ruleProviders) + if err != nil { + return nil, fmt.Errorf("error in skip-domain, error:%w", err) + } + snifferConfig.SkipDomain = skipDomain + + return snifferConfig, nil +} + +func parseIPCIDR(addresses []string, cidrSet *cidr.IpCidrSet, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (matchers []C.IpMatcher, err error) { + var matcher C.IpMatcher + for _, ipcidr := range addresses { + ipcidrLower := strings.ToLower(ipcidr) + if strings.Contains(ipcidrLower, "geoip:") { + subkeys := strings.Split(ipcidr, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, country := range subkeys { + matcher, err = RC.NewGEOIP(country, adapterName, false, false) + if err != nil { + return nil, err + } + matchers = append(matchers, matcher) + } + } else if strings.Contains(ipcidrLower, "rule-set:") { + subkeys := strings.Split(ipcidr, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, domainSetName := range subkeys { + matcher, err = parseIPRuleSet(domainSetName, adapterName, ruleProviders) + if err != nil { + return nil, err + } + matchers = append(matchers, matcher) + } + } else { + if cidrSet == nil { + cidrSet = cidr.NewIpCidrSet() + } + err = cidrSet.AddIpCidrForString(ipcidr) + if err != nil { + return nil, err + } + } + } + if !cidrSet.IsEmpty() { + err = cidrSet.Merge() if err != nil { - return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err) + return nil, err } + matcher = cidrSet + matchers = append(matchers, matcher) } - sniffer.ForceDomain = forceDomainTrie.NewDomainSet() + return +} - skipDomainTrie := trie.New[struct{}]() - for _, domain := range snifferRaw.SkipDomain { - err := skipDomainTrie.Insert(domain, struct{}{}) - if err != nil { - return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err) +func parseDomain(domains []string, domainTrie *trie.DomainTrie[struct{}], adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (matchers []C.DomainMatcher, err error) { + var matcher C.DomainMatcher + for _, domain := range domains { + domainLower := strings.ToLower(domain) + if strings.Contains(domainLower, "geosite:") { + subkeys := strings.Split(domain, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, country := range subkeys { + matcher, err = RC.NewGEOSITE(country, adapterName) + if err != nil { + return nil, err + } + matchers = append(matchers, matcher) + } + } else if strings.Contains(domainLower, "rule-set:") { + subkeys := strings.Split(domain, ":") + subkeys = subkeys[1:] + subkeys = strings.Split(subkeys[0], ",") + for _, domainSetName := range subkeys { + matcher, err = parseDomainRuleSet(domainSetName, adapterName, ruleProviders) + if err != nil { + return nil, err + } + matchers = append(matchers, matcher) + } + } else { + if domainTrie == nil { + domainTrie = trie.New[struct{}]() + } + err = domainTrie.Insert(domain, struct{}{}) + if err != nil { + return nil, err + } + } + } + if !domainTrie.IsEmpty() { + matcher = domainTrie.NewDomainSet() + matchers = append(matchers, matcher) + } + return +} + +func parseIPRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.IpMatcher, error) { + if rp, ok := ruleProviders[domainSetName]; !ok { + return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + } else { + switch rp.Behavior() { + case providerTypes.Domain: + return nil, fmt.Errorf("rule provider type error, except ipcidr,actual %s", rp.Behavior()) + case providerTypes.Classical: + log.Warnln("%s provider is %s, only matching it contain ip rule", rp.Name(), rp.Behavior()) + default: } } - sniffer.SkipDomain = skipDomainTrie.NewDomainSet() + return RP.NewRuleSet(domainSetName, adapterName, false, true) +} - return sniffer, nil +func parseDomainRuleSet(domainSetName string, adapterName string, ruleProviders map[string]providerTypes.RuleProvider) (C.DomainMatcher, error) { + if rp, ok := ruleProviders[domainSetName]; !ok { + return nil, fmt.Errorf("not found rule-set: %s", domainSetName) + } else { + switch rp.Behavior() { + case providerTypes.IPCIDR: + return nil, fmt.Errorf("rule provider type error, except domain,actual %s", rp.Behavior()) + case providerTypes.Classical: + log.Warnln("%s provider is %s, only matching it contain domain rule", rp.Name(), rp.Behavior()) + default: + } + } + return RP.NewRuleSet(domainSetName, adapterName, false, true) } diff --git a/constant/dns.go b/constant/dns.go index 3d97d97b71..b0874eef5b 100644 --- a/constant/dns.go +++ b/constant/dns.go @@ -3,6 +3,7 @@ package constant import ( "encoding/json" "errors" + "strings" ) // DNSModeMapping is a mapping for EnhancedMode enum @@ -27,7 +28,7 @@ func (e *DNSMode) UnmarshalYAML(unmarshal func(any) error) error { if err := unmarshal(&tp); err != nil { return err } - mode, exist := DNSModeMapping[tp] + mode, exist := DNSModeMapping[strings.ToLower(tp)] if !exist { return errors.New("invalid mode") } @@ -43,8 +44,10 @@ func (e DNSMode) MarshalYAML() (any, error) { // UnmarshalJSON unserialize EnhancedMode with json func (e *DNSMode) UnmarshalJSON(data []byte) error { var tp string - json.Unmarshal(data, &tp) - mode, exist := DNSModeMapping[tp] + if err := json.Unmarshal(data, &tp); err != nil { + return err + } + mode, exist := DNSModeMapping[strings.ToLower(tp)] if !exist { return errors.New("invalid mode") } @@ -57,6 +60,21 @@ func (e DNSMode) MarshalJSON() ([]byte, error) { return json.Marshal(e.String()) } +// UnmarshalText unserialize EnhancedMode +func (e *DNSMode) UnmarshalText(data []byte) error { + mode, exist := DNSModeMapping[strings.ToLower(string(data))] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +// MarshalText serialize EnhancedMode +func (e DNSMode) MarshalText() ([]byte, error) { + return []byte(e.String()), nil +} + func (e DNSMode) String() string { switch e { case DNSNormal: @@ -115,6 +133,77 @@ func NewDNSPrefer(prefer string) DNSPrefer { } } +// FilterModeMapping is a mapping for FilterMode enum +var FilterModeMapping = map[string]FilterMode{ + FilterBlackList.String(): FilterBlackList, + FilterWhiteList.String(): FilterWhiteList, +} + +type FilterMode int + +const ( + FilterBlackList FilterMode = iota + FilterWhiteList +) + +func (e FilterMode) String() string { + switch e { + case FilterBlackList: + return "blacklist" + case FilterWhiteList: + return "whitelist" + default: + return "unknown" + } +} + +func (e FilterMode) MarshalYAML() (interface{}, error) { + return e.String(), nil +} + +func (e *FilterMode) UnmarshalYAML(unmarshal func(interface{}) error) error { + var tp string + if err := unmarshal(&tp); err != nil { + return err + } + mode, exist := FilterModeMapping[strings.ToLower(tp)] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +func (e FilterMode) MarshalJSON() ([]byte, error) { + return json.Marshal(e.String()) +} + +func (e *FilterMode) UnmarshalJSON(data []byte) error { + var tp string + if err := json.Unmarshal(data, &tp); err != nil { + return err + } + mode, exist := FilterModeMapping[strings.ToLower(tp)] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +func (e FilterMode) MarshalText() ([]byte, error) { + return []byte(e.String()), nil +} + +func (e *FilterMode) UnmarshalText(data []byte) error { + mode, exist := FilterModeMapping[strings.ToLower(string(data))] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + type HTTPVersion string const ( diff --git a/constant/ebpf.go b/constant/ebpf.go deleted file mode 100644 index e3bb62fedd..0000000000 --- a/constant/ebpf.go +++ /dev/null @@ -1,20 +0,0 @@ -package constant - -import ( - "net/netip" - - "github.com/metacubex/mihomo/transport/socks5" -) - -const ( - BpfFSPath = "/sys/fs/bpf/mihomo" - - TcpAutoRedirPort = 't'<<8 | 'r'<<0 - MihomoTrafficMark = 'c'<<24 | 'l'<<16 | 't'<<8 | 'm'<<0 -) - -type EBpf interface { - Start() error - Close() - Lookup(srcAddrPort netip.AddrPort) (socks5.Addr, error) -} diff --git a/constant/geodata.go b/constant/geodata.go deleted file mode 100644 index cd3f74e30c..0000000000 --- a/constant/geodata.go +++ /dev/null @@ -1,12 +0,0 @@ -package constant - -var ( - ASNEnable bool - GeodataMode bool - GeoAutoUpdate bool - GeoUpdateInterval int - GeoIpUrl string - MmdbUrl string - GeoSiteUrl string - ASNUrl string -) diff --git a/constant/http.go b/constant/http.go deleted file mode 100644 index 8e321f6bb0..0000000000 --- a/constant/http.go +++ /dev/null @@ -1,5 +0,0 @@ -package constant - -var ( - UA string -) diff --git a/constant/matcher.go b/constant/matcher.go new file mode 100644 index 0000000000..107f843d92 --- /dev/null +++ b/constant/matcher.go @@ -0,0 +1,11 @@ +package constant + +import "net/netip" + +type DomainMatcher interface { + MatchDomain(domain string) bool +} + +type IpMatcher interface { + MatchIp(ip netip.Addr) bool +} diff --git a/constant/metadata.go b/constant/metadata.go index 381e2dd44a..5436298925 100644 --- a/constant/metadata.go +++ b/constant/metadata.go @@ -133,7 +133,9 @@ type Metadata struct { Type Type `json:"type"` SrcIP netip.Addr `json:"sourceIP"` DstIP netip.Addr `json:"destinationIP"` + SrcGeoIP []string `json:"sourceGeoIP"` // can be nil if never queried, empty slice if got no result DstGeoIP []string `json:"destinationGeoIP"` // can be nil if never queried, empty slice if got no result + SrcIPASN string `json:"sourceIPASN"` DstIPASN string `json:"destinationIPASN"` SrcPort uint16 `json:"sourcePort,string"` // `,string` is used to compatible with old version json output DstPort uint16 `json:"destinationPort,string"` // `,string` is used to compatible with old version json output @@ -300,3 +302,10 @@ func (m *Metadata) SetRemoteAddress(rawAddress string) error { return nil } + +func (m *Metadata) SwapSrcDst() { + m.SrcIP, m.DstIP = m.DstIP, m.SrcIP + m.SrcPort, m.DstPort = m.DstPort, m.SrcPort + m.SrcIPASN, m.DstIPASN = m.DstIPASN, m.SrcIPASN + m.SrcGeoIP, m.DstGeoIP = m.DstGeoIP, m.SrcGeoIP +} diff --git a/constant/path.go b/constant/path.go index 77f7d0ef0a..0227937181 100644 --- a/constant/path.go +++ b/constant/path.go @@ -8,6 +8,8 @@ import ( "path/filepath" "strconv" "strings" + + "github.com/metacubex/mihomo/constant/features" ) const Name = "mihomo" @@ -73,7 +75,7 @@ func (p *path) Resolve(path string) string { // IsSafePath return true if path is a subpath of homedir func (p *path) IsSafePath(path string) bool { - if p.allowUnsafePath { + if p.allowUnsafePath || features.CMFA { return true } homedir := p.HomeDir() diff --git a/constant/provider/hash.go b/constant/provider/hash.go new file mode 100644 index 0000000000..b95ffe234a --- /dev/null +++ b/constant/provider/hash.go @@ -0,0 +1,29 @@ +package provider + +import ( + "bytes" + "crypto/md5" +) + +type HashType [md5.Size]byte // MD5 + +func MakeHash(data []byte) HashType { + return md5.Sum(data) +} + +func (h HashType) Equal(hash HashType) bool { + return h == hash +} + +func (h HashType) EqualBytes(hashBytes []byte) bool { + return bytes.Equal(hashBytes, h[:]) +} + +func (h HashType) Bytes() []byte { + return h[:] +} + +func (h HashType) IsValid() bool { + var zero HashType + return h != zero +} diff --git a/constant/provider/interface.go b/constant/provider/interface.go index f7dfc9cc60..511e8f18e2 100644 --- a/constant/provider/interface.go +++ b/constant/provider/interface.go @@ -1,6 +1,9 @@ package provider import ( + "context" + "fmt" + "github.com/metacubex/mihomo/common/utils" "github.com/metacubex/mihomo/constant" ) @@ -29,8 +32,10 @@ func (v VehicleType) String() string { } type Vehicle interface { - Read() ([]byte, error) + Read(ctx context.Context, oldHash HashType) (buf []byte, hash HashType, err error) + Write(buf []byte) error Path() string + Url() string Proxy() string Type() VehicleType } @@ -68,6 +73,7 @@ type Provider interface { type ProxyProvider interface { Provider Proxies() []constant.Proxy + Count() int // Touch is used to inform the provider that the proxy is actually being used while getting the list of proxies. // Commonly used in DialContext and DialPacketConn Touch() @@ -81,6 +87,7 @@ type ProxyProvider interface { type RuleProvider interface { Provider Behavior() RuleBehavior + Count() int Match(*constant.Metadata) bool ShouldResolveIP() bool ShouldFindProcess() bool @@ -110,9 +117,37 @@ func (rt RuleBehavior) String() string { } } +func (rt RuleBehavior) Byte() byte { + switch rt { + case Domain: + return 0 + case IPCIDR: + return 1 + case Classical: + return 2 + default: + return 255 + } +} + +func ParseBehavior(s string) (behavior RuleBehavior, err error) { + switch s { + case "domain": + behavior = Domain + case "ipcidr": + behavior = IPCIDR + case "classical": + behavior = Classical + default: + err = fmt.Errorf("unsupported behavior type: %s", s) + } + return +} + const ( YamlRule RuleFormat = iota TextRule + MrsRule ) type RuleFormat int @@ -123,11 +158,27 @@ func (rf RuleFormat) String() string { return "YamlRule" case TextRule: return "TextRule" + case MrsRule: + return "MrsRule" default: return "Unknown" } } +func ParseRuleFormat(s string) (format RuleFormat, err error) { + switch s { + case "", "yaml": + format = YamlRule + case "text": + format = TextRule + case "mrs": + format = MrsRule + default: + err = fmt.Errorf("unsupported format type: %s", s) + } + return +} + type Tunnel interface { Providers() map[string]ProxyProvider RuleProviders() map[string]RuleProvider diff --git a/constant/rule.go b/constant/rule.go index a495a01bf1..bfb52528fb 100644 --- a/constant/rule.go +++ b/constant/rule.go @@ -124,3 +124,8 @@ type Rule interface { ShouldFindProcess() bool ProviderNames() []string } + +type RuleGroup interface { + Rule + GetRecodeSize() int +} diff --git a/constant/rule_extra.go b/constant/rule_extra.go deleted file mode 100644 index b4ba65d993..0000000000 --- a/constant/rule_extra.go +++ /dev/null @@ -1,17 +0,0 @@ -package constant - -import ( - "github.com/metacubex/mihomo/component/geodata/router" -) - -type RuleGeoSite interface { - GetDomainMatcher() router.DomainMatcher -} - -type RuleGeoIP interface { - GetIPMatcher() *router.GeoIPMatcher -} - -type RuleGroup interface { - GetRecodeSize() int -} diff --git a/constant/tun.go b/constant/tun.go index f6c0e011b8..669f7a2e2b 100644 --- a/constant/tun.go +++ b/constant/tun.go @@ -56,6 +56,21 @@ func (e TUNStack) MarshalJSON() ([]byte, error) { return json.Marshal(e.String()) } +// UnmarshalText unserialize TUNStack +func (e *TUNStack) UnmarshalText(data []byte) error { + mode, exist := StackTypeMapping[strings.ToLower(string(data))] + if !exist { + return errors.New("invalid tun stack") + } + *e = mode + return nil +} + +// MarshalText serialize TUNStack with json +func (e TUNStack) MarshalText() ([]byte, error) { + return []byte(e.String()), nil +} + func (e TUNStack) String() string { switch e { case TunGvisor: diff --git a/dns/dhcp.go b/dns/dhcp.go index d4944a9600..dc1344f500 100644 --- a/dns/dhcp.go +++ b/dns/dhcp.go @@ -1,5 +1,3 @@ -//go:build !(android && cmfa) - package dns import ( diff --git a/dns/doh.go b/dns/doh.go index 54b8279657..ffb65fcef0 100644 --- a/dns/doh.go +++ b/dns/doh.go @@ -9,6 +9,7 @@ import ( "io" "net" "net/http" + "net/netip" "net/url" "runtime" "strconv" @@ -61,10 +62,14 @@ type dnsOverHTTPS struct { // for this upstream. quicConfig *quic.Config quicConfigGuard sync.Mutex - url *url.URL - httpVersions []C.HTTPVersion - dialer *dnsDialer - addr string + + url *url.URL + httpVersions []C.HTTPVersion + dialer *dnsDialer + addr string + skipCertVerify bool + ecsPrefix netip.Prefix + ecsOverride bool } // type check @@ -93,6 +98,32 @@ func newDoHClient(urlString string, r *Resolver, preferH3 bool, params map[strin httpVersions: httpVersions, } + if params["skip-cert-verify"] == "true" { + doh.skipCertVerify = true + } + + if ecs := params["ecs"]; ecs != "" { + prefix, err := netip.ParsePrefix(ecs) + if err != nil { + addr, err := netip.ParseAddr(ecs) + if err != nil { + log.Warnln("DOH [%s] config with invalid ecs: %s", doh.addr, ecs) + } else { + doh.ecsPrefix = netip.PrefixFrom(addr, addr.BitLen()) + } + } else { + doh.ecsPrefix = prefix + } + } + + if doh.ecsPrefix.IsValid() { + log.Debugln("DOH [%s] config with ecs: %s", doh.addr, doh.ecsPrefix) + } + + if params["ecs-override"] == "true" { + doh.ecsOverride = true + } + runtime.SetFinalizer(doh, (*dnsOverHTTPS).Close) return doh @@ -102,6 +133,7 @@ func newDoHClient(urlString string, r *Resolver, preferH3 bool, params map[strin func (doh *dnsOverHTTPS) Address() string { return doh.addr } + func (doh *dnsOverHTTPS) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) { // Quote from https://www.rfc-editor.org/rfc/rfc8484.html: // In order to maximize HTTP cache friendliness, DoH clients using media @@ -119,6 +151,10 @@ func (doh *dnsOverHTTPS) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D. } }() + if doh.ecsPrefix.IsValid() { + setEdns0Subnet(m, doh.ecsPrefix, doh.ecsOverride) + } + // Check if there was already an active client before sending the request. // We'll only attempt to re-connect if there was one. client, isCached, err := doh.getClient(ctx) @@ -178,19 +214,9 @@ func (doh *dnsOverHTTPS) closeClient(client *http.Client) (err error) { return nil } -// exchangeHTTPS logs the request and its result and calls exchangeHTTPSClient. -func (doh *dnsOverHTTPS) exchangeHTTPS(ctx context.Context, client *http.Client, req *D.Msg) (resp *D.Msg, err error) { - resp, err = doh.exchangeHTTPSClient(ctx, client, req) - return resp, err -} - -// exchangeHTTPSClient sends the DNS query to a DoH resolver using the specified +// exchangeHTTPS sends the DNS query to a DoH resolver using the specified // http.Client instance. -func (doh *dnsOverHTTPS) exchangeHTTPSClient( - ctx context.Context, - client *http.Client, - req *D.Msg, -) (resp *D.Msg, err error) { +func (doh *dnsOverHTTPS) exchangeHTTPS(ctx context.Context, client *http.Client, req *D.Msg) (resp *D.Msg, err error) { buf, err := req.Pack() if err != nil { return nil, fmt.Errorf("packing message: %w", err) @@ -204,24 +230,24 @@ func (doh *dnsOverHTTPS) exchangeHTTPSClient( method = http3.MethodGet0RTT } - url := doh.url - url.RawQuery = fmt.Sprintf("dns=%s", base64.RawURLEncoding.EncodeToString(buf)) - httpReq, err := http.NewRequestWithContext(ctx, method, url.String(), nil) + requestUrl := *doh.url // don't modify origin url + requestUrl.RawQuery = fmt.Sprintf("dns=%s", base64.RawURLEncoding.EncodeToString(buf)) + httpReq, err := http.NewRequestWithContext(ctx, method, requestUrl.String(), nil) if err != nil { - return nil, fmt.Errorf("creating http request to %s: %w", url, err) + return nil, fmt.Errorf("creating http request to %s: %w", doh.url, err) } httpReq.Header.Set("Accept", "application/dns-message") httpReq.Header.Set("User-Agent", "") httpResp, err := client.Do(httpReq) if err != nil { - return nil, fmt.Errorf("requesting %s: %w", url, err) + return nil, fmt.Errorf("requesting %s: %w", doh.url, err) } defer httpResp.Body.Close() body, err := io.ReadAll(httpResp.Body) if err != nil { - return nil, fmt.Errorf("reading %s: %w", url, err) + return nil, fmt.Errorf("reading %s: %w", doh.url, err) } if httpResp.StatusCode != http.StatusOK { @@ -230,7 +256,7 @@ func (doh *dnsOverHTTPS) exchangeHTTPSClient( "expected status %d, got %d from %s", http.StatusOK, httpResp.StatusCode, - url, + doh.url, ) } @@ -239,7 +265,7 @@ func (doh *dnsOverHTTPS) exchangeHTTPSClient( if err != nil { return nil, fmt.Errorf( "unpacking response from %s: body is %s: %w", - url, + doh.url, body, err, ) @@ -373,9 +399,21 @@ func (doh *dnsOverHTTPS) createClient(ctx context.Context) (*http.Client, error) // HTTP3 is enabled in the upstream options). If this attempt is successful, // it returns an HTTP3 transport, otherwise it returns the H1/H2 transport. func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripper, err error) { + transport := &http.Transport{ + DisableCompression: true, + DialContext: doh.dialer.DialContext, + IdleConnTimeout: transportDefaultIdleConnTimeout, + MaxConnsPerHost: dohMaxConnsPerHost, + MaxIdleConns: dohMaxIdleConns, + } + + if doh.url.Scheme == "http" { + return transport, nil + } + tlsConfig := ca.GetGlobalTLSConfig( &tls.Config{ - InsecureSkipVerify: false, + InsecureSkipVerify: doh.skipCertVerify, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: false, }) @@ -384,6 +422,7 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp nextProtos = append(nextProtos, string(v)) } tlsConfig.NextProtos = nextProtos + transport.TLSClientConfig = tlsConfig if slices.Contains(doh.httpVersions, C.HTTPVersion3) { // First, we attempt to create an HTTP3 transport. If the probe QUIC @@ -402,18 +441,10 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp return nil, errors.New("HTTP1/1 and HTTP2 are not supported by this upstream") } - transport := &http.Transport{ - TLSClientConfig: tlsConfig, - DisableCompression: true, - DialContext: doh.dialer.DialContext, - IdleConnTimeout: transportDefaultIdleConnTimeout, - MaxConnsPerHost: dohMaxConnsPerHost, - MaxIdleConns: dohMaxIdleConns, - // Since we have a custom DialContext, we need to use this field to - // make golang http.Client attempt to use HTTP/2. Otherwise, it would - // only be used when negotiated on the TLS level. - ForceAttemptHTTP2: true, - } + // Since we have a custom DialContext, we need to use this field to + // make golang http.Client attempt to use HTTP/2. Otherwise, it would + // only be used when negotiated on the TLS level. + transport.ForceAttemptHTTP2 = true // Explicitly configure transport to use HTTP/2. // diff --git a/dns/edns0_subnet.go b/dns/edns0_subnet.go new file mode 100644 index 0000000000..2ed4f140b5 --- /dev/null +++ b/dns/edns0_subnet.go @@ -0,0 +1,51 @@ +package dns + +import ( + "net/netip" + + "github.com/miekg/dns" +) + +func setEdns0Subnet(message *dns.Msg, clientSubnet netip.Prefix, override bool) bool { + var ( + optRecord *dns.OPT + subnetOption *dns.EDNS0_SUBNET + ) +findExists: + for _, record := range message.Extra { + var isOPTRecord bool + if optRecord, isOPTRecord = record.(*dns.OPT); isOPTRecord { + for _, option := range optRecord.Option { + var isEDNS0Subnet bool + if subnetOption, isEDNS0Subnet = option.(*dns.EDNS0_SUBNET); isEDNS0Subnet { + if !override { + return false + } + break findExists + } + } + } + } + if optRecord == nil { + optRecord = &dns.OPT{ + Hdr: dns.RR_Header{ + Name: ".", + Rrtype: dns.TypeOPT, + }, + } + message.Extra = append(message.Extra, optRecord) + } + if subnetOption == nil { + subnetOption = new(dns.EDNS0_SUBNET) + optRecord.Option = append(optRecord.Option, subnetOption) + } + subnetOption.Code = dns.EDNS0SUBNET + if clientSubnet.Addr().Is4() { + subnetOption.Family = 1 + } else { + subnetOption.Family = 2 + } + subnetOption.SourceNetmask = uint8(clientSubnet.Bits()) + subnetOption.Address = clientSubnet.Addr().AsSlice() + return true +} diff --git a/dns/filters.go b/dns/filters.go deleted file mode 100644 index 138f3429bb..0000000000 --- a/dns/filters.go +++ /dev/null @@ -1,102 +0,0 @@ -package dns - -import ( - "net/netip" - "strings" - - "github.com/metacubex/mihomo/component/geodata" - "github.com/metacubex/mihomo/component/geodata/router" - "github.com/metacubex/mihomo/component/mmdb" - "github.com/metacubex/mihomo/component/trie" - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/log" -) - -type fallbackIPFilter interface { - Match(netip.Addr) bool -} - -type geoipFilter struct { - code string -} - -var geoIPMatcher *router.GeoIPMatcher - -func (gf *geoipFilter) Match(ip netip.Addr) bool { - if !C.GeodataMode { - codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) - for _, code := range codes { - if !strings.EqualFold(code, gf.code) && !ip.IsPrivate() { - return true - } - } - return false - } - - if geoIPMatcher == nil { - var err error - geoIPMatcher, _, err = geodata.LoadGeoIPMatcher("CN") - if err != nil { - log.Errorln("[GeoIPFilter] LoadGeoIPMatcher error: %s", err.Error()) - return false - } - } - return !geoIPMatcher.Match(ip) -} - -type ipnetFilter struct { - ipnet netip.Prefix -} - -func (inf *ipnetFilter) Match(ip netip.Addr) bool { - return inf.ipnet.Contains(ip) -} - -type fallbackDomainFilter interface { - Match(domain string) bool -} - -type domainFilter struct { - tree *trie.DomainTrie[struct{}] -} - -func NewDomainFilter(domains []string) *domainFilter { - df := domainFilter{tree: trie.New[struct{}]()} - for _, domain := range domains { - _ = df.tree.Insert(domain, struct{}{}) - } - df.tree.Optimize() - return &df -} - -func (df *domainFilter) Match(domain string) bool { - return df.tree.Search(domain) != nil -} - -type geoSiteFilter struct { - matchers []router.DomainMatcher -} - -func NewGeoSite(group string) (fallbackDomainFilter, error) { - if err := geodata.InitGeoSite(); err != nil { - log.Errorln("can't initial GeoSite: %s", err) - return nil, err - } - matcher, _, err := geodata.LoadGeoSiteMatcher(group) - if err != nil { - return nil, err - } - filter := &geoSiteFilter{ - matchers: []router.DomainMatcher{matcher}, - } - return filter, nil -} - -func (gsf *geoSiteFilter) Match(domain string) bool { - for _, matcher := range gsf.matchers { - if matcher.ApplyDomain(domain) { - return true - } - } - return false -} diff --git a/dns/patch_android.go b/dns/patch_android.go index e62aabcdfc..6579ef071a 100644 --- a/dns/patch_android.go +++ b/dns/patch_android.go @@ -3,53 +3,14 @@ package dns import ( - "context" - - D "github.com/miekg/dns" - - "github.com/metacubex/mihomo/common/lru" - "github.com/metacubex/mihomo/component/dhcp" "github.com/metacubex/mihomo/component/resolver" ) -const SystemDNSPlaceholder = "system" - -var systemResolver *Resolver -var isolateHandler handler - -var _ dnsClient = (*dhcpClient)(nil) - -type dhcpClient struct { - enable bool -} - -func (d *dhcpClient) Address() string { - return SystemDNSPlaceholder -} - -func (d *dhcpClient) Exchange(m *D.Msg) (msg *D.Msg, err error) { - return d.ExchangeContext(context.Background(), m) -} - -func (d *dhcpClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) { - if s := systemResolver; s != nil { - return s.ExchangeContext(ctx, m) - } - - return nil, dhcp.ErrNotFound -} - -func ServeDNSWithDefaultServer(msg *D.Msg) (*D.Msg, error) { - if h := isolateHandler; h != nil { - return handlerWithContext(context.Background(), h, msg) - } - - return nil, D.ErrTime -} +var systemResolver []dnsClient func FlushCacheWithDefaultResolver() { if r := resolver.DefaultResolver; r != nil { - r.(*Resolver).cache = lru.New(lru.WithSize[string, *D.Msg](4096), lru.WithStale[string, *D.Msg](true)) + r.ClearCache() } } @@ -63,19 +24,9 @@ func UpdateSystemDNS(addr []string) { ns = append(ns, NameServer{Addr: d}) } - systemResolver = NewResolver(Config{Main: ns}) -} - -func UpdateIsolateHandler(resolver *Resolver, mapper *ResolverEnhancer) { - if resolver == nil { - isolateHandler = nil - - return - } - - isolateHandler = NewHandler(resolver, mapper) + systemResolver = transform(ns, nil) } -func newDHCPClient(ifaceName string) *dhcpClient { - return &dhcpClient{enable: ifaceName == SystemDNSPlaceholder} +func (c *systemClient) getDnsClients() ([]dnsClient, error) { + return systemResolver, nil } diff --git a/dns/patch_common.go b/dns/patch_common.go deleted file mode 100644 index fae1e1265f..0000000000 --- a/dns/patch_common.go +++ /dev/null @@ -1,6 +0,0 @@ -//go:build !(android && cmfa) - -package dns - -func UpdateIsolateHandler(resolver *Resolver, mapper *ResolverEnhancer) { -} diff --git a/dns/policy.go b/dns/policy.go index fc60401b01..50dc17199b 100644 --- a/dns/policy.go +++ b/dns/policy.go @@ -3,7 +3,6 @@ package dns import ( "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/provider" ) type dnsPolicy interface { @@ -22,32 +21,14 @@ func (p domainTriePolicy) Match(domain string) []dnsClient { return nil } -type geositePolicy struct { - matcher fallbackDomainFilter - inverse bool +type domainMatcherPolicy struct { + matcher C.DomainMatcher dnsClients []dnsClient } -func (p geositePolicy) Match(domain string) []dnsClient { - matched := p.matcher.Match(domain) - if matched != p.inverse { +func (p domainMatcherPolicy) Match(domain string) []dnsClient { + if p.matcher.MatchDomain(domain) { return p.dnsClients } return nil } - -type domainSetPolicy struct { - tunnel provider.Tunnel - name string - dnsClients []dnsClient -} - -func (p domainSetPolicy) Match(domain string) []dnsClient { - if ruleProvider, ok := p.tunnel.RuleProviders()[p.name]; ok { - metadata := &C.Metadata{Host: domain} - if ok := ruleProvider.Match(metadata); ok { - return p.dnsClients - } - } - return nil -} diff --git a/dns/resolver.go b/dns/resolver.go index 28ffec6f15..e03feef46f 100644 --- a/dns/resolver.go +++ b/dns/resolver.go @@ -4,13 +4,12 @@ import ( "context" "errors" "net/netip" - "strings" "time" "github.com/metacubex/mihomo/common/arc" "github.com/metacubex/mihomo/common/lru" + "github.com/metacubex/mihomo/common/singleflight" "github.com/metacubex/mihomo/component/fakeip" - "github.com/metacubex/mihomo/component/geodata/router" "github.com/metacubex/mihomo/component/resolver" "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" @@ -19,9 +18,7 @@ import ( D "github.com/miekg/dns" "github.com/samber/lo" - orderedmap "github.com/wk8/go-ordered-map/v2" "golang.org/x/exp/maps" - "golang.org/x/sync/singleflight" ) type dnsClient interface { @@ -32,6 +29,7 @@ type dnsClient interface { type dnsCache interface { GetWithExpire(key string) (*D.Msg, time.Time, bool) SetWithExpire(key string, value *D.Msg, expire time.Time) + Clear() } type result struct { @@ -45,9 +43,9 @@ type Resolver struct { hosts *trie.DomainTrie[resolver.HostValue] main []dnsClient fallback []dnsClient - fallbackDomainFilters []fallbackDomainFilter - fallbackIPFilters []fallbackIPFilter - group singleflight.Group + fallbackDomainFilters []C.DomainMatcher + fallbackIPFilters []C.IpMatcher + group singleflight.Group[*D.Msg] cache dnsCache policy []dnsPolicy proxyServer []dnsClient @@ -122,7 +120,7 @@ func (r *Resolver) LookupIPv6(ctx context.Context, host string) ([]netip.Addr, e func (r *Resolver) shouldIPFallback(ip netip.Addr) bool { for _, filter := range r.fallbackIPFilters { - if filter.Match(ip) { + if filter.MatchIp(ip) { return true } } @@ -146,9 +144,12 @@ func (r *Resolver) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, e }() q := m.Question[0] + domain := msgToDomain(m) + _, qTypeStr := msgToQtype(m) cacheM, expireTime, hit := r.cache.GetWithExpire(q.String()) if hit { - log.Debugln("[DNS] cache hit for %s, expire at %s", q.Name, expireTime.Format("2006-01-02 15:04:05")) + ips := msgToIP(cacheM) + log.Debugln("[DNS] cache hit %s --> %s %s, expire at %s", domain, ips, qTypeStr, expireTime.Format("2006-01-02 15:04:05")) now := time.Now() msg = cacheM.Copy() if expireTime.Before(now) { @@ -169,19 +170,20 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M retryNum := 0 retryMax := 3 - fn := func() (result any, err error) { + fn := func() (result *D.Msg, err error) { ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout) // reset timeout in singleflight defer cancel() cache := false defer func() { if err != nil { - result = retryNum + result = &D.Msg{} + result.Opcode = retryNum retryNum++ return } - msg := result.(*D.Msg) + msg := result if cache { // OPT RRs MUST NOT be cached, forwarded, or stored in or loaded from master files. @@ -208,7 +210,7 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M ch := r.group.DoChan(q.String(), fn) - var result singleflight.Result + var result singleflight.Result[*D.Msg] select { case result = <-ch: @@ -221,7 +223,7 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M go func() { // start a retrying monitor in background result := <-ch ret, err, shared := result.Val, result.Err, result.Shared - if err != nil && !shared && ret.(int) < retryMax { // retry + if err != nil && !shared && ret.Opcode < retryMax { // retry r.group.DoChan(q.String(), fn) } }() @@ -230,12 +232,12 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M } ret, err, shared := result.Val, result.Err, result.Shared - if err != nil && !shared && ret.(int) < retryMax { // retry + if err != nil && !shared && ret.Opcode < retryMax { // retry r.group.DoChan(q.String(), fn) } if err == nil { - msg = ret.(*D.Msg) + msg = ret if shared { msg = msg.Copy() } @@ -274,7 +276,7 @@ func (r *Resolver) shouldOnlyQueryFallback(m *D.Msg) bool { } for _, df := range r.fallbackDomainFilters { - if df.Match(domain) { + if df.MatchDomain(domain) { return true } } @@ -368,6 +370,12 @@ func (r *Resolver) Invalid() bool { return len(r.main) > 0 } +func (r *Resolver) ClearCache() { + if r != nil && r.cache != nil { + r.cache.Clear() + } +} + type NameServer struct { Net string Addr string @@ -395,27 +403,26 @@ func (ns NameServer) Equal(ns2 NameServer) bool { return false } -type FallbackFilter struct { - GeoIP bool - GeoIPCode string - IPCIDR []netip.Prefix - Domain []string - GeoSite []router.DomainMatcher +type Policy struct { + Domain string + Matcher C.DomainMatcher + NameServers []NameServer } type Config struct { - Main, Fallback []NameServer - Default []NameServer - ProxyServer []NameServer - IPv6 bool - IPv6Timeout uint - EnhancedMode C.DNSMode - FallbackFilter FallbackFilter - Pool *fakeip.Pool - Hosts *trie.DomainTrie[resolver.HostValue] - Policy *orderedmap.OrderedMap[string, []NameServer] - Tunnel provider.Tunnel - CacheAlgorithm string + Main, Fallback []NameServer + Default []NameServer + ProxyServer []NameServer + IPv6 bool + IPv6Timeout uint + EnhancedMode C.DNSMode + FallbackIPFilter []C.IpMatcher + FallbackDomainFilter []C.DomainMatcher + Pool *fakeip.Pool + Hosts *trie.DomainTrie[resolver.HostValue] + Policy []Policy + Tunnel provider.Tunnel + CacheAlgorithm string } func NewResolver(config Config) *Resolver { @@ -479,7 +486,7 @@ func NewResolver(config Config) *Resolver { r.proxyServer = cacheTransform(config.ProxyServer) } - if config.Policy.Len() != 0 { + if len(config.Policy) != 0 { r.policy = make([]dnsPolicy, 0) var triePolicy *trie.DomainTrie[[]dnsClient] @@ -494,75 +501,20 @@ func NewResolver(config Config) *Resolver { } } - for pair := config.Policy.Oldest(); pair != nil; pair = pair.Next() { - domain, nameserver := pair.Key, pair.Value - - if temp := strings.Split(domain, ":"); len(temp) == 2 { - prefix := temp[0] - key := temp[1] - switch prefix { - case "rule-set": - if _, ok := config.Tunnel.RuleProviders()[key]; ok { - log.Debugln("Adding rule-set policy: %s ", key) - insertPolicy(domainSetPolicy{ - tunnel: config.Tunnel, - name: key, - dnsClients: cacheTransform(nameserver), - }) - continue - } else { - log.Warnln("Can't found ruleset policy: %s", key) - } - case "geosite": - inverse := false - if strings.HasPrefix(key, "!") { - inverse = true - key = key[1:] - } - log.Debugln("Adding geosite policy: %s inversed %t", key, inverse) - matcher, err := NewGeoSite(key) - if err != nil { - log.Warnln("adding geosite policy %s error: %s", key, err) - continue - } - insertPolicy(geositePolicy{ - matcher: matcher, - inverse: inverse, - dnsClients: cacheTransform(nameserver), - }) - continue // skip triePolicy new + for _, policy := range config.Policy { + if policy.Matcher != nil { + insertPolicy(domainMatcherPolicy{matcher: policy.Matcher, dnsClients: cacheTransform(policy.NameServers)}) + } else { + if triePolicy == nil { + triePolicy = trie.New[[]dnsClient]() } + _ = triePolicy.Insert(policy.Domain, cacheTransform(policy.NameServers)) } - if triePolicy == nil { - triePolicy = trie.New[[]dnsClient]() - } - _ = triePolicy.Insert(domain, cacheTransform(nameserver)) } insertPolicy(nil) } - - fallbackIPFilters := []fallbackIPFilter{} - if config.FallbackFilter.GeoIP { - fallbackIPFilters = append(fallbackIPFilters, &geoipFilter{ - code: config.FallbackFilter.GeoIPCode, - }) - } - for _, ipnet := range config.FallbackFilter.IPCIDR { - fallbackIPFilters = append(fallbackIPFilters, &ipnetFilter{ipnet: ipnet}) - } - r.fallbackIPFilters = fallbackIPFilters - - fallbackDomainFilters := []fallbackDomainFilter{} - if len(config.FallbackFilter.Domain) != 0 { - fallbackDomainFilters = append(fallbackDomainFilters, NewDomainFilter(config.FallbackFilter.Domain)) - } - - if len(config.FallbackFilter.GeoSite) != 0 { - fallbackDomainFilters = append(fallbackDomainFilters, &geoSiteFilter{ - matchers: config.FallbackFilter.GeoSite, - }) - } - r.fallbackDomainFilters = fallbackDomainFilters + r.fallbackIPFilters = config.FallbackIPFilter + r.fallbackDomainFilters = config.FallbackDomainFilter return r } diff --git a/dns/server.go b/dns/server.go index d45fb5ebad..1cf58d4d8a 100644 --- a/dns/server.go +++ b/dns/server.go @@ -6,7 +6,6 @@ import ( "net" "github.com/metacubex/mihomo/common/sockopt" - "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/context" "github.com/metacubex/mihomo/log" @@ -50,10 +49,6 @@ func (s *Server) SetHandler(handler handler) { } func ReCreateServer(addr string, resolver *Resolver, mapper *ResolverEnhancer) { - if features.CMFA { - UpdateIsolateHandler(resolver, mapper) - } - if addr == address && resolver != nil { handler := NewHandler(resolver, mapper) server.SetHandler(handler) diff --git a/dns/system.go b/dns/system.go index dc1006fa56..944f2824c2 100644 --- a/dns/system.go +++ b/dns/system.go @@ -3,16 +3,11 @@ package dns import ( "context" "fmt" - "net" "strings" "sync" "time" - "github.com/metacubex/mihomo/component/resolver" - "github.com/metacubex/mihomo/log" - D "github.com/miekg/dns" - "golang.org/x/exp/slices" ) const ( @@ -31,64 +26,6 @@ type systemClient struct { lastFlush time.Time } -func (c *systemClient) getDnsClients() ([]dnsClient, error) { - c.mu.Lock() - defer c.mu.Unlock() - var err error - if time.Since(c.lastFlush) > SystemDnsFlushTime { - var nameservers []string - if nameservers, err = dnsReadConfig(); err == nil { - log.Debugln("[DNS] system dns update to %s", nameservers) - for _, addr := range nameservers { - if resolver.IsSystemDnsBlacklisted(addr) { - continue - } - if _, ok := c.dnsClients[addr]; !ok { - clients := transform( - []NameServer{{ - Addr: net.JoinHostPort(addr, "53"), - Net: "udp", - }}, - nil, - ) - if len(clients) > 0 { - c.dnsClients[addr] = &systemDnsClient{ - disableTimes: 0, - dnsClient: clients[0], - } - } - } - } - available := 0 - for nameserver, sdc := range c.dnsClients { - if slices.Contains(nameservers, nameserver) { - sdc.disableTimes = 0 // enable - available++ - } else { - if sdc.disableTimes > SystemDnsDeleteTimes { - delete(c.dnsClients, nameserver) // drop too old dnsClient - } else { - sdc.disableTimes++ - } - } - } - if available > 0 { - c.lastFlush = time.Now() - } - } - } - dnsClients := make([]dnsClient, 0, len(c.dnsClients)) - for _, sdc := range c.dnsClients { - if sdc.disableTimes == 0 { - dnsClients = append(dnsClients, sdc.dnsClient) - } - } - if len(dnsClients) > 0 { - return dnsClients, nil - } - return nil, err -} - func (c *systemClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) { dnsClients, err := c.getDnsClients() if err != nil { diff --git a/dns/system_common.go b/dns/system_common.go new file mode 100644 index 0000000000..06dc0b3020 --- /dev/null +++ b/dns/system_common.go @@ -0,0 +1,71 @@ +//go:build !(android && cmfa) + +package dns + +import ( + "net" + "time" + + "github.com/metacubex/mihomo/component/resolver" + "github.com/metacubex/mihomo/log" + + "golang.org/x/exp/slices" +) + +func (c *systemClient) getDnsClients() ([]dnsClient, error) { + c.mu.Lock() + defer c.mu.Unlock() + var err error + if time.Since(c.lastFlush) > SystemDnsFlushTime { + var nameservers []string + if nameservers, err = dnsReadConfig(); err == nil { + log.Debugln("[DNS] system dns update to %s", nameservers) + for _, addr := range nameservers { + if resolver.IsSystemDnsBlacklisted(addr) { + continue + } + if _, ok := c.dnsClients[addr]; !ok { + clients := transform( + []NameServer{{ + Addr: net.JoinHostPort(addr, "53"), + Net: "udp", + }}, + nil, + ) + if len(clients) > 0 { + c.dnsClients[addr] = &systemDnsClient{ + disableTimes: 0, + dnsClient: clients[0], + } + } + } + } + available := 0 + for nameserver, sdc := range c.dnsClients { + if slices.Contains(nameservers, nameserver) { + sdc.disableTimes = 0 // enable + available++ + } else { + if sdc.disableTimes > SystemDnsDeleteTimes { + delete(c.dnsClients, nameserver) // drop too old dnsClient + } else { + sdc.disableTimes++ + } + } + } + if available > 0 { + c.lastFlush = time.Now() + } + } + } + dnsClients := make([]dnsClient, 0, len(c.dnsClients)) + for _, sdc := range c.dnsClients { + if sdc.disableTimes == 0 { + dnsClients = append(dnsClients, sdc.dnsClient) + } + } + if len(dnsClients) > 0 { + return dnsClients, nil + } + return nil, err +} diff --git a/dns/system_windows.go b/dns/system_windows.go index 47c1ebaa4e..2f4d1b633d 100644 --- a/dns/system_windows.go +++ b/dns/system_windows.go @@ -8,6 +8,7 @@ import ( "syscall" "unsafe" + "golang.org/x/exp/slices" "golang.org/x/sys/windows" ) @@ -40,6 +41,9 @@ func dnsReadConfig() (servers []string, err error) { // Unexpected type. continue } + if slices.Contains(servers, ip.String()) { + continue + } servers = append(servers, ip.String()) } } diff --git a/dns/util.go b/dns/util.go index e4ec5917cf..92a86dbc2b 100644 --- a/dns/util.go +++ b/dns/util.go @@ -99,6 +99,10 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient { ret = append(ret, newDoHClient(s.Addr, resolver, s.PreferH3, s.Params, s.ProxyAdapter, s.ProxyName)) continue case "dhcp": + if s.Addr == "system" { // Compatible with old writing + ret = append(ret, newSystemClient()) + continue + } ret = append(ret, newDHCPClient(s.Addr)) continue case "system": @@ -173,11 +177,20 @@ func msgToDomain(msg *D.Msg) string { return "" } +func msgToQtype(msg *D.Msg) (uint16, string) { + if len(msg.Question) > 0 { + qType := msg.Question[0].Qtype + return qType, D.Type(qType).String() + } + return 0, "" +} + func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.Msg, cache bool, err error) { cache = true fast, ctx := picker.WithTimeout[*D.Msg](ctx, resolver.DefaultDNSTimeout) defer fast.Close() domain := msgToDomain(m) + qType, qTypeStr := msgToQtype(m) var noIpMsg *D.Msg for _, client := range clients { if _, isRCodeClient := client.(rcodeClient); isRCodeClient { @@ -186,7 +199,7 @@ func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.M } client := client // shadow define client to ensure the value captured by the closure will not be changed in the next loop fast.Go(func() (*D.Msg, error) { - log.Debugln("[DNS] resolve %s from %s", domain, client.Address()) + log.Debugln("[DNS] resolve %s %s from %s", domain, qTypeStr, client.Address()) m, err := client.ExchangeContext(ctx, m) if err != nil { return nil, err @@ -195,20 +208,18 @@ func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.M // so we would ignore RCode errors from RCode clients. return nil, errors.New("server failure: " + D.RcodeToString[m.Rcode]) } - if ips := msgToIP(m); len(m.Question) > 0 { - qType := m.Question[0].Qtype - log.Debugln("[DNS] %s --> %s %s from %s", domain, ips, D.Type(qType), client.Address()) - switch qType { - case D.TypeAAAA: - if len(ips) == 0 { - noIpMsg = m - return nil, resolver.ErrIPNotFound - } - case D.TypeA: - if len(ips) == 0 { - noIpMsg = m - return nil, resolver.ErrIPNotFound - } + ips := msgToIP(m) + log.Debugln("[DNS] %s --> %s %s from %s", domain, ips, qTypeStr, client.Address()) + switch qType { + case D.TypeAAAA: + if len(ips) == 0 { + noIpMsg = m + return nil, resolver.ErrIPNotFound + } + case D.TypeA: + if len(ips) == 0 { + noIpMsg = m + return nil, resolver.ErrIPNotFound } } return m, nil diff --git a/docs/config.yaml b/docs/config.yaml index 9c51bc10b3..b3515a2060 100644 --- a/docs/config.yaml +++ b/docs/config.yaml @@ -70,6 +70,10 @@ external-ui: /path/to/ui/folder/ external-ui-name: xd external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip" +# 在RESTful API端口上开启DOH服务器 +# !!!该URL不会验证secret, 如果开启请自行保证安全问题 !!! +external-doh-server: /dns-query + # interface-name: en0 # 设置出口网卡 # 全局 TLS 指纹,优先低于 proxy 内的 client-fingerprint @@ -78,7 +82,9 @@ external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh- global-client-fingerprint: chrome # TCP keep alive interval -keep-alive-interval: 15 +# disable-keep-alive: false #目前在android端强制为true +# keep-alive-idle: 15 +# keep-alive-interval: 15 # routing-mark:6666 # 配置 fwmark 仅用于 Linux experimental: @@ -160,13 +166,6 @@ tun: # exclude-package: # 排除被路由的 Android 应用包名 # - com.android.captiveportallogin -#ebpf 配置 -ebpf: - auto-redir: # redirect 模式,仅支持 TCP - - eth0 - redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route - - eth0 - # 嗅探域名 可选配置 sniffer: enable: false @@ -191,6 +190,10 @@ sniffer: override-destination: true force-domain: - +.v2ex.com + # skip-src-address: # 对于来源ip跳过嗅探 + # - 192.168.0.3/32 + # skip-dst-address: # 对于目标ip跳过嗅探 + # - 192.168.0.3/32 ## 对嗅探结果进行跳过 # skip-domain: # - Mijia Cloud @@ -237,6 +240,19 @@ dns: fake-ip-range: 198.18.0.1/16 # fake-ip 池设置 + # 配置不使用 fake-ip 的域名 + fake-ip-filter: + - '*.lan' + - localhost.ptlogin2.qq.com + # fakeip-filter 为 rule-providers 中的名为 fakeip-filter 规则订阅, + # 且 behavior 必须为 domain/classical,当为 classical 时仅会生效域名类规则 + - rule-set:fakeip-filter + # fakeip-filter 为 geosite 中名为 fakeip-filter 的分类(需要自行保证该分类存在) + - geosite:fakeip-filter + # 配置fake-ip-filter的匹配模式,默认为blacklist,即如果匹配成功不返回fake-ip + # 可设置为whitelist,即只有匹配成功才返回fake-ip + fake-ip-filter-mode: blacklist + # use-hosts: true # 查询 hosts # 配置后面的nameserver、fallback和nameserver-policy向dns服务器的连接过程是否遵守遵守rules规则 @@ -246,11 +262,6 @@ dns: # 此外,这三者配置中的dns服务器如果出现域名会采用default-nameserver配置项解析,也请确保正确配置default-nameserver respect-rules: false - # 配置不使用 fake-ip 的域名 - # fake-ip-filter: - # - '*.lan' - # - localhost.ptlogin2.qq.com - # DNS 主要域名配置 # 支持 UDP,TCP,DoT,DoH,DoQ # 这部分为主要 DNS 配置,影响所有直连,确保使用对大陆解析精准的 DNS @@ -749,6 +760,17 @@ proxies: # socks5 # # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM= # allowed-ips: ['0.0.0.0/0'] # reserved: [209,98,59] + # 如果存在则开启AmneziaWG功能 + # amnezia-wg-option: + # jc: 5 + # jmin: 500 + # jmax: 501 + # s1: 30 + # s2: 40 + # h1: 123456 + # h2: 67543 + # h4: 32345 + # h3: 123123 # tuic - name: tuic @@ -918,6 +940,13 @@ proxy-providers: # ip-version: ipv4-prefer # additional-prefix: "[provider1]" # additional-suffix: "test" + # # 名字替换,支持正则表达式 + # proxy-name: + # - pattern: "test" + # target: "TEST" + # - pattern: "IPLC-(.*?)倍" + # target: "iplc x $1" + test: type: file path: /test.yaml @@ -938,6 +967,24 @@ rule-providers: interval: 259200 path: /path/to/save/file.yaml type: file + rule3: + # mrs类型ruleset,目前仅支持domain和ipcidr(即不支持classical), + # + # 对于behavior=domain: + # - format=yaml 可以通过“mihomo convert-ruleset domain yaml XXX.yaml XXX.mrs”转换到mrs格式 + # - format=text 可以通过“mihomo convert-ruleset domain text XXX.text XXX.mrs”转换到mrs格式 + # - XXX.mrs 可以通过"mihomo convert-ruleset domain mrs XXX.mrs XXX.text"转换回text格式(暂不支持转换回yaml格式) + # + # 对于behavior=ipcidr: + # - format=yaml 可以通过“mihomo convert-ruleset ipcidr yaml XXX.yaml XXX.mrs”转换到mrs格式 + # - format=text 可以通过“mihomo convert-ruleset ipcidr text XXX.text XXX.mrs”转换到mrs格式 + # - XXX.mrs 可以通过"mihomo convert-ruleset ipcidr mrs XXX.mrs XXX.text"转换回text格式(暂不支持转换回yaml格式) + # + type: http + url: "url" + format: mrs + behavior: domain + path: /path/to/save/file.mrs rules: - RULE-SET,rule1,REJECT - IP-ASN,1,PROXY @@ -983,6 +1030,9 @@ listeners: # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 # udp: false # 默认 true + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: http-in-1 type: http @@ -990,6 +1040,9 @@ listeners: listen: 0.0.0.0 # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错) + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: mixed-in-1 type: mixed # HTTP(S) 和 SOCKS 代理混合 @@ -998,6 +1051,9 @@ listeners: # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错) # udp: false # 默认 true + # users: # 如果不填写users项,则遵从全局authentication设置,如果填写会忽略全局设置, 如想跳过该入站的验证可填写 users: [] + # - username: aaa + # password: aaa - name: reidr-in-1 type: redir diff --git a/go.mod b/go.mod index 0f7a786f93..6c5242f591 100644 --- a/go.mod +++ b/go.mod @@ -4,54 +4,56 @@ go 1.20 require ( github.com/3andne/restls-client-go v0.1.6 - github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da github.com/bahlo/generic-list-go v0.2.0 - github.com/cilium/ebpf v0.12.3 github.com/coreos/go-iptables v0.7.0 - github.com/dlclark/regexp2 v1.11.0 - github.com/go-chi/chi/v5 v5.0.14 + github.com/dlclark/regexp2 v1.11.4 + github.com/go-chi/chi/v5 v5.1.0 github.com/go-chi/cors v1.2.1 github.com/go-chi/render v1.0.3 github.com/gobwas/ws v1.4.0 - github.com/gofrs/uuid/v5 v5.2.0 - github.com/insomniacslk/dhcp v0.0.0-20240529192340-51bc6136a0a6 + github.com/gofrs/uuid/v5 v5.3.0 + github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 + github.com/klauspost/compress v1.17.9 github.com/klauspost/cpuid/v2 v2.2.8 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 github.com/mdlayher/netlink v1.7.2 + github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab + github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399 + github.com/metacubex/chacha v0.1.0 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 - github.com/metacubex/quic-go v0.45.1-0.20240610004319-163fee60637e + github.com/metacubex/quic-go v0.47.1-0.20240909010619-6b38f24bfcc4 github.com/metacubex/randv2 v0.2.0 - github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72 - github.com/metacubex/sing-shadowsocks v0.2.6 - github.com/metacubex/sing-shadowsocks2 v0.2.0 - github.com/metacubex/sing-tun v0.2.7-0.20240627012306-9d1f5fc0b45e - github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f - github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a - github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66 + github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4 + github.com/metacubex/sing-shadowsocks v0.2.8 + github.com/metacubex/sing-shadowsocks2 v0.2.2 + github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 + github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 + github.com/metacubex/sing-wireguard v0.0.0-20240922131718-0f10c39a5531 + github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785 github.com/metacubex/utls v1.6.6 - github.com/miekg/dns v1.1.61 + github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181 + github.com/miekg/dns v1.1.62 github.com/mroth/weightedrand/v2 v2.1.0 github.com/openacid/low v0.1.21 github.com/oschwald/maxminddb-golang v1.12.0 - github.com/puzpuzpuz/xsync/v3 v3.2.0 - github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a + github.com/puzpuzpuz/xsync/v3 v3.4.0 + github.com/sagernet/fswatch v0.1.1 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a - github.com/sagernet/sing v0.5.0-alpha.10 + github.com/sagernet/sing v0.5.0-alpha.13 github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6 github.com/sagernet/sing-shadowtls v0.1.4 - github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e - github.com/samber/lo v1.39.0 + github.com/samber/lo v1.47.0 github.com/shirou/gopsutil/v3 v3.24.5 github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.9.0 github.com/wk8/go-ordered-map/v2 v2.1.8 + gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7 go.uber.org/automaxprocs v1.5.3 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba - golang.org/x/crypto v0.24.0 - golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 - golang.org/x/net v0.26.0 - golang.org/x/sync v0.7.0 - golang.org/x/sys v0.21.0 + golang.org/x/crypto v0.26.0 + golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa + golang.org/x/net v0.28.0 + golang.org/x/sys v0.24.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 lukechampine.com/blake3 v1.3.0 @@ -80,7 +82,7 @@ require ( github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect github.com/hashicorp/yamux v0.1.1 // indirect github.com/josharian/native v1.1.0 // indirect - github.com/klauspost/compress v1.17.4 // indirect + github.com/kr/text v0.2.0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mdlayher/socket v0.4.1 // indirect @@ -106,10 +108,11 @@ require ( github.com/yusufpapurcu/wmi v1.2.4 // indirect gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect go.uber.org/mock v0.4.0 // indirect - golang.org/x/mod v0.18.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/text v0.17.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.22.0 // indirect + golang.org/x/tools v0.24.0 // indirect ) -replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240617013425-3e3bd9dab6a2 +replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297 diff --git a/go.sum b/go.sum index 0a675bf3f3..2f5b7d0f63 100644 --- a/go.sum +++ b/go.sum @@ -5,8 +5,6 @@ github.com/RyuaNerin/go-krypto v1.2.4 h1:mXuNdK6M317aPV0llW6Xpjbo4moOlPF7Yxz4tb4 github.com/RyuaNerin/go-krypto v1.2.4/go.mod h1:QqCYkoutU3yInyD9INt2PGolVRsc3W4oraQadVGXJ/8= github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 h1:cDVUiFo+npB0ZASqnw4q90ylaVAbnYyx0JYqK4YcGok= github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344/go.mod h1:9pIqrY6SXNL8vjRQE5Hd/OL5GyK/9MrGUWs87z/eFfk= -github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY= -github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA= github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU= github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI= @@ -19,17 +17,16 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= -github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8= github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= -github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= +github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo= +github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9 h1:/5RkVc9Rc81XmMyVqawCiDyrBHZbLAZgTTCqou4mwj8= github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9/go.mod h1:hkIFzoiIPZYxdFOOLyDho59b7SrDfo+w3h+yWdlg45I= github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 h1:8j2RH289RJplhA6WfdaPqzg1MjH2K8wX5e0uhAxrw2g= @@ -39,13 +36,12 @@ github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 h1:tlDMEdcPRQKBE github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1/go.mod h1:4RfsapbGx2j/vU5xC/5/9qB3kn9Awp1YDiEnN43QrJ4= github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 h1:fuGucgPk5dN6wzfnxl3D0D3rVLw4v2SbBT9jb4VnxzA= github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010/go.mod h1:JtBcj7sBuTTRupn7c2bFspMDIObMJsVK8TeUvpShPok= -github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI= -github.com/go-chi/chi/v5 v5.0.14 h1:PyEwo2Vudraa0x/Wl6eDRRW2NXBvekgfxyydcM0WGE0= -github.com/go-chi/chi/v5 v5.0.14/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4= github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58= github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4= @@ -62,8 +58,8 @@ github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs= github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc= -github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM= -github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= +github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= +github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= @@ -77,18 +73,19 @@ github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I= github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/insomniacslk/dhcp v0.0.0-20240529192340-51bc6136a0a6 h1:dh8D8FksyMhD64mRMbUhZHWYJfNoNMCxfVq6eexleMw= -github.com/insomniacslk/dhcp v0.0.0-20240529192340-51bc6136a0a6/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic= +github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 h1:GkMacU5ftc+IEg1449N3UEy2XLDz58W4fkrRu2fibb8= +github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= -github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= -github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM= github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= -github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc= @@ -99,34 +96,42 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/ github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U= github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= +github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab h1:Chbw+/31UC14YFNr78pESt5Vowlc62zziw05JCUqoL4= +github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab/go.mod h1:xVKK8jC5Sd3hfh7WjmCq+HorehIbrBijaUWmcuKjPcI= +github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399 h1:oBowHVKZycNtAFbZ6avaCSZJYeme2Nrj+4RpV2cNJig= +github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399/go.mod h1:4xcieuIK+M4bGQmQYZVqEaIYqjS1ahO4kXG7EmDgEro= +github.com/metacubex/chacha v0.1.0 h1:tg9RSJ18NvL38cCWNyYH1eiG6qDCyyXIaTLQthon0sc= +github.com/metacubex/chacha v0.1.0/go.mod h1:Djn9bPZxLTXbJFSeyo0/qzEzQI+gUSSzttuzZM75GH8= github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvOzK9ubNCCkQ+ldc4YSH/rILn53l/xGBFHHI= github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88= github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec h1:HxreOiFTUrJXJautEo8rnE1uKTVGY8wtZepY1Tii/Nc= github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec/go.mod h1:8BVmQ+3cxjqzWElafm24rb2Ae4jRI6vAXNXWqWjfrXw= -github.com/metacubex/quic-go v0.45.1-0.20240610004319-163fee60637e h1:bLYn3GuRvWDcBDAkIv5kUYIhzHwafDVq635BuybnKqI= -github.com/metacubex/quic-go v0.45.1-0.20240610004319-163fee60637e/go.mod h1:Yza2H7Ax1rxWPUcJx0vW+oAt9EsPuSiyQFhFabUPzwU= +github.com/metacubex/quic-go v0.47.1-0.20240909010619-6b38f24bfcc4 h1:CgdUBRxmNlxEGkp35HwvgQ10jwOOUJKWdOxpi8yWi8o= +github.com/metacubex/quic-go v0.47.1-0.20240909010619-6b38f24bfcc4/go.mod h1:Y7yRGqFE6UQL/3aKPYmiYdjfVkeujJaStP4+jiZMcN8= github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiLs= github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY= -github.com/metacubex/sing v0.0.0-20240617013425-3e3bd9dab6a2 h1:N5tidgg/FRmkgPw/AjRwhLUinKDx/ODCSbvv9xqRoLM= -github.com/metacubex/sing v0.0.0-20240617013425-3e3bd9dab6a2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak= -github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72 h1:Wr4g1HCb5Z/QIFwFiVNjO2qL+dRu25+Mdn9xtAZZ+ew= -github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72/go.mod h1:g7Mxj7b7zm7YVqD975mk/hSmrb0A0G4bVvIMr2MMzn8= -github.com/metacubex/sing-shadowsocks v0.2.6 h1:6oEB3QcsFYnNiFeoevcXrCwJ3sAablwVSgtE9R3QeFQ= -github.com/metacubex/sing-shadowsocks v0.2.6/go.mod h1:zIkMeSnb8Mbf4hdqhw0pjzkn1d99YJ3JQm/VBg5WMTg= -github.com/metacubex/sing-shadowsocks2 v0.2.0 h1:hqwT/AfI5d5UdPefIzR6onGHJfDXs5zgOM5QSgaM/9A= -github.com/metacubex/sing-shadowsocks2 v0.2.0/go.mod h1:LCKF6j1P94zN8ZS+LXRK1gmYTVGB3squivBSXAFnOg8= -github.com/metacubex/sing-tun v0.2.7-0.20240627012306-9d1f5fc0b45e h1:o+zohxPRo45P35fS9u1zfdBgr+L/7S0ObGU6YjbVBIc= -github.com/metacubex/sing-tun v0.2.7-0.20240627012306-9d1f5fc0b45e/go.mod h1:WwJGbCx7bQcBzuQXiDOJvZH27R0kIjKNNlISIWsL6kM= -github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f h1:QjXrHKbTMBip/C+R79bvbfr42xH1gZl3uFb0RELdZiQ= -github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY= -github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a h1:NpSGclHJUYndUwBmyIpFBSoBVg8PoVX7QQKhYg0DjM0= -github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo= -github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66 h1:as/aO/fM8nv4W4pOr9EETP6kV/Oaujk3fUNyQSJK61c= -github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= +github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297 h1:YG/JkwGPbca5rUtEMHIu8ZuqzR7BSVm1iqY8hNoMeMA= +github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak= +github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4 h1:HobpULaPK6OoxrHMmgcwLkwwIduXVmwdcznwUfH1GQM= +github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4/go.mod h1:g7Mxj7b7zm7YVqD975mk/hSmrb0A0G4bVvIMr2MMzn8= +github.com/metacubex/sing-shadowsocks v0.2.8 h1:wIhlaigswzjPw4hej75sEvWte3QR0+AJRafgwBHO5B4= +github.com/metacubex/sing-shadowsocks v0.2.8/go.mod h1:X3x88XtJpBxG0W0/ECOJL6Ib0SJ3xdniAkU/6/RMWU0= +github.com/metacubex/sing-shadowsocks2 v0.2.2 h1:eaf42uVx4Lr21S6MDYs0ZdTvGA0GEhDpb9no4+gdXPo= +github.com/metacubex/sing-shadowsocks2 v0.2.2/go.mod h1:BhOug03a/RbI7y6hp6q+6ITM1dXjnLTmeWBHSTwvv2Q= +github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 h1:ypfofGDZbP8p3Y4P/m74JYu7sQViesi3c8nbmT6cS0Y= +github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1/go.mod h1:olbEx9yVcaw5tHTNlRamRoxmMKcvDvcVS1YLnQGzvWE= +github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 h1:OAXiCosqY8xKDp3pqTW3qbrCprZ1l6WkrXSFSCwyY4I= +github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY= +github.com/metacubex/sing-wireguard v0.0.0-20240922131718-0f10c39a5531 h1:BoIL2fZZTPzvSxuhng9kWwvUZ8fiMJyrWbgdHIX0CDs= +github.com/metacubex/sing-wireguard v0.0.0-20240922131718-0f10c39a5531/go.mod h1:6nitcmzPDL3MXnLdhu6Hm126Zk4S1fBbX3P7jxUxSFw= +github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785 h1:NNmI+ZV0DzNuqaAInRQuZFLHlWVuyHeow8jYpdKjHjo= +github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts= github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8= github.com/metacubex/utls v1.6.6/go.mod h1:+WLFUnXjcpdxXCnyX25nggw8C6YonZ8zOK2Zm/oRvdo= -github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= -github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ= +github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181 h1:hJLQviGySBuaynlCwf/oYgIxbVbGRUIKZCxdya9YrbQ= +github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181/go.mod h1:phewKljNYiTVT31Gcif8RiCKnTUOgVWFJjccqYM8s+Y= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU= github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU= github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4= @@ -151,15 +156,14 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= -github.com/puzpuzpuz/xsync/v3 v3.2.0 h1:9AzuUeF88YC5bK8u2vEG1Fpvu4wgpM1wfPIExfaaDxQ= -github.com/puzpuzpuz/xsync/v3 v3.2.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA= +github.com/puzpuzpuz/xsync/v3 v3.4.0 h1:DuVBAdXuGFHv8adVXjWWZ63pJq+NRXOWVXlKDBZ+mJ4= +github.com/puzpuzpuz/xsync/v3 v3.4.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA= github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs= github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= -github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0= -github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM= +github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs= +github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o= github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis= github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM= github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I= @@ -170,10 +174,8 @@ github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnV github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4= github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ= github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo= -github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e h1:iGH0RMv2FzELOFNFQtvsxH7NPmlo7X5JizEK51UCojo= -github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e/go.mod h1:YbL4TKHRR6APYQv3U2RGfwLDpPYSyWz6oUlpISBEzBE= -github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA= -github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA= +github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= +github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI= github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk= github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= @@ -214,6 +216,8 @@ github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/ github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7 h1:UNrDfkQqiEYzdMlNsVvBYOAJWZjdktqFE9tQh5BT2+4= +gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7/go.mod h1:E+rxHvJG9H6PUdzq9NRG6csuLN3XUx98BfGOVWNYnXs= gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiVfzQttTuxanPIT43FtkkCFypIod8LHo= gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAoRPbCxum9Grlv5aeksu2H8BiKehBYooU2LFiOQ= go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= @@ -224,21 +228,21 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= -golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY= -golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -254,17 +258,18 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/hub/executor/executor.go b/hub/executor/executor.go index 55c40b6d90..66bbc89ba4 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -17,15 +17,18 @@ import ( "github.com/metacubex/mihomo/component/ca" "github.com/metacubex/mihomo/component/dialer" G "github.com/metacubex/mihomo/component/geodata" + mihomoHttp "github.com/metacubex/mihomo/component/http" "github.com/metacubex/mihomo/component/iface" "github.com/metacubex/mihomo/component/profile" "github.com/metacubex/mihomo/component/profile/cachefile" "github.com/metacubex/mihomo/component/resolver" - SNI "github.com/metacubex/mihomo/component/sniffer" + "github.com/metacubex/mihomo/component/resource" + "github.com/metacubex/mihomo/component/sniffer" + tlsC "github.com/metacubex/mihomo/component/tls" "github.com/metacubex/mihomo/component/trie" + "github.com/metacubex/mihomo/component/updater" "github.com/metacubex/mihomo/config" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/dns" "github.com/metacubex/mihomo/listener" @@ -76,10 +79,11 @@ func ParseWithBytes(buf []byte) (*config.Config, error) { return config.Parse(buf) } -// ApplyConfig dispatch configure to all parts +// ApplyConfig dispatch configure to all parts without ExternalController func ApplyConfig(cfg *config.Config, force bool) { mux.Lock() defer mux.Unlock() + log.SetLevel(cfg.General.LogLevel) tunnel.OnSuspend() @@ -90,6 +94,7 @@ func ApplyConfig(cfg *config.Config, force bool) { } } + updateExperimental(cfg.Experimental) updateUsers(cfg.Users) updateProxies(cfg.Proxies, cfg.Providers) updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders) @@ -99,9 +104,8 @@ func ApplyConfig(cfg *config.Config, force bool) { updateNTP(cfg.NTP) updateDNS(cfg.DNS, cfg.General.IPv6) updateListeners(cfg.General, cfg.Listeners, force) + updateTun(cfg.General) // tun should not care "force" updateIPTables(cfg) - updateTun(cfg.General) - updateExperimental(cfg) updateTunnels(cfg.Tunnels) tunnel.OnInnerLoading() @@ -113,8 +117,7 @@ func ApplyConfig(cfg *config.Config, force bool) { runtime.GC() tunnel.OnRunning() hcCompatibleProvider(cfg.Providers) - - log.SetLevel(cfg.General.LogLevel) + initExternalUI() } func initInnerTcp() { @@ -145,19 +148,32 @@ func GetGeneral() *config.General { LanDisAllowedIPs: inbound.DisAllowedIPs(), AllowLan: listener.AllowLan(), BindAddress: listener.BindAddress(), + InboundTfo: inbound.Tfo(), + InboundMPTCP: inbound.MPTCP(), + }, + Mode: tunnel.Mode(), + UnifiedDelay: adapter.UnifiedDelay.Load(), + LogLevel: log.Level(), + IPv6: !resolver.DisableIPv6, + Interface: dialer.DefaultInterface.Load(), + RoutingMark: int(dialer.DefaultRoutingMark.Load()), + GeoXUrl: config.GeoXUrl{ + GeoIp: G.GeoIpUrl(), + Mmdb: G.MmdbUrl(), + ASN: G.ASNUrl(), + GeoSite: G.GeoSiteUrl(), }, - Controller: config.Controller{}, - Mode: tunnel.Mode(), - LogLevel: log.Level(), - IPv6: !resolver.DisableIPv6, - GeodataMode: G.GeodataMode(), - GeoAutoUpdate: G.GeoAutoUpdate(), - GeoUpdateInterval: G.GeoUpdateInterval(), - GeodataLoader: G.LoaderName(), - GeositeMatcher: G.SiteMatcherName(), - Interface: dialer.DefaultInterface.Load(), - Sniffing: tunnel.IsSniffing(), - TCPConcurrent: dialer.GetTcpConcurrent(), + GeoAutoUpdate: updater.GeoAutoUpdate(), + GeoUpdateInterval: updater.GeoUpdateInterval(), + GeodataMode: G.GeodataMode(), + GeodataLoader: G.LoaderName(), + GeositeMatcher: G.SiteMatcherName(), + TCPConcurrent: dialer.GetTcpConcurrent(), + FindProcessMode: tunnel.FindProcessMode(), + Sniffing: tunnel.IsSniffing(), + GlobalClientFingerprint: tlsC.GetGlobalFingerprint(), + GlobalUA: mihomoHttp.UA(), + ETagSupport: resource.ETag(), } return general @@ -180,9 +196,6 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList listener.ReCreateHTTP(general.Port, tunnel.Tunnel) listener.ReCreateSocks(general.SocksPort, tunnel.Tunnel) listener.ReCreateRedir(general.RedirPort, tunnel.Tunnel) - if !features.CMFA { - listener.ReCreateAutoRedir(general.EBpf.AutoRedir, tunnel.Tunnel) - } listener.ReCreateTProxy(general.TProxyPort, tunnel.Tunnel) listener.ReCreateMixed(general.MixedPort, tunnel.Tunnel) listener.ReCreateShadowSocks(general.ShadowSocksConfig, tunnel.Tunnel) @@ -190,14 +203,18 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList listener.ReCreateTuic(general.TuicServer, tunnel.Tunnel) } -func updateExperimental(c *config.Config) { - if c.Experimental.QUICGoDisableGSO { +func updateTun(general *config.General) { + listener.ReCreateTun(general.Tun, tunnel.Tunnel) +} + +func updateExperimental(c *config.Experimental) { + if c.QUICGoDisableGSO { _ = os.Setenv("QUIC_GO_DISABLE_GSO", strconv.FormatBool(true)) } - if c.Experimental.QUICGoDisableECN { + if c.QUICGoDisableECN { _ = os.Setenv("QUIC_GO_DISABLE_ECN", strconv.FormatBool(true)) } - dialer.GetIP4PEnable(c.Experimental.IP4PEnable) + dialer.GetIP4PEnable(c.IP4PEnable) } func updateNTP(c *config.NTP) { @@ -220,25 +237,20 @@ func updateDNS(c *config.DNS, generalIPv6 bool) { return } cfg := dns.Config{ - Main: c.NameServer, - Fallback: c.Fallback, - IPv6: c.IPv6 && generalIPv6, - IPv6Timeout: c.IPv6Timeout, - EnhancedMode: c.EnhancedMode, - Pool: c.FakeIPRange, - Hosts: c.Hosts, - FallbackFilter: dns.FallbackFilter{ - GeoIP: c.FallbackFilter.GeoIP, - GeoIPCode: c.FallbackFilter.GeoIPCode, - IPCIDR: c.FallbackFilter.IPCIDR, - Domain: c.FallbackFilter.Domain, - GeoSite: c.FallbackFilter.GeoSite, - }, - Default: c.DefaultNameserver, - Policy: c.NameServerPolicy, - ProxyServer: c.ProxyServerNameserver, - Tunnel: tunnel.Tunnel, - CacheAlgorithm: c.CacheAlgorithm, + Main: c.NameServer, + Fallback: c.Fallback, + IPv6: c.IPv6 && generalIPv6, + IPv6Timeout: c.IPv6Timeout, + EnhancedMode: c.EnhancedMode, + Pool: c.FakeIPRange, + Hosts: c.Hosts, + FallbackIPFilter: c.FallbackIPFilter, + FallbackDomainFilter: c.FallbackDomainFilter, + Default: c.DefaultNameserver, + Policy: c.NameServerPolicy, + ProxyServer: c.ProxyServerNameserver, + Tunnel: tunnel.Tunnel, + CacheAlgorithm: c.CacheAlgorithm, } r := dns.NewResolver(cfg) @@ -350,33 +362,18 @@ func hcCompatibleProvider(proxyProviders map[string]provider.ProxyProvider) { } } -func updateTun(general *config.General) { - if general == nil { - return + +func updateSniffer(snifferConfig *sniffer.Config) { + dispatcher, err := sniffer.NewDispatcher(snifferConfig) + if err != nil { + log.Warnln("initial sniffer failed, err:%v", err) } - listener.ReCreateTun(general.Tun, tunnel.Tunnel) - listener.ReCreateRedirToTun(general.EBpf.RedirectToTun) -} -func updateSniffer(sniffer *config.Sniffer) { - if sniffer.Enable { - dispatcher, err := SNI.NewSnifferDispatcher( - sniffer.Sniffers, sniffer.ForceDomain, sniffer.SkipDomain, - sniffer.ForceDnsMapping, sniffer.ParsePureIp, - ) - if err != nil { - log.Warnln("initial sniffer failed, err:%v", err) - } + tunnel.UpdateSniffer(dispatcher) - tunnel.UpdateSniffer(dispatcher) + if snifferConfig.Enable { log.Infoln("Sniffer is loaded and working") } else { - dispatcher, err := SNI.NewCloseSnifferDispatcher() - if err != nil { - log.Warnln("initial sniffer failed, err:%v", err) - } - - tunnel.UpdateSniffer(dispatcher) log.Infoln("Sniffer is closed") } } @@ -385,6 +382,18 @@ func updateTunnels(tunnels []LC.Tunnel) { listener.PatchTunnel(tunnels, tunnel.Tunnel) } +func initExternalUI() { + if updater.AutoDownloadUI { + dirEntries, _ := os.ReadDir(updater.ExternalUIPath) + if len(dirEntries) > 0 { + log.Infoln("UI already exists, skip downloading") + } else { + log.Infoln("External UI downloading ...") + updater.DownloadUI() + } + } +} + func updateGeneral(general *config.General) { tunnel.SetMode(general.Mode) tunnel.SetFindProcessMode(general.FindProcessMode) diff --git a/hub/hub.go b/hub/hub.go index 38779e13b6..e22f721970 100644 --- a/hub/hub.go +++ b/hub/hub.go @@ -11,52 +11,69 @@ type Option func(*config.Config) func WithExternalUI(externalUI string) Option { return func(cfg *config.Config) { - cfg.General.ExternalUI = externalUI + cfg.Controller.ExternalUI = externalUI } } func WithExternalController(externalController string) Option { return func(cfg *config.Config) { - cfg.General.ExternalController = externalController + cfg.Controller.ExternalController = externalController } } func WithExternalControllerUnix(externalControllerUnix string) Option { return func(cfg *config.Config) { - cfg.General.ExternalControllerUnix = externalControllerUnix + cfg.Controller.ExternalControllerUnix = externalControllerUnix } } func WithSecret(secret string) Option { return func(cfg *config.Config) { - cfg.General.Secret = secret + cfg.Controller.Secret = secret } } -// Parse call at the beginning of mihomo -func Parse(options ...Option) error { - cfg, err := executor.Parse() - if err != nil { - return err - } +// ApplyConfig dispatch configure to all parts include ExternalController +func ApplyConfig(cfg *config.Config) { + applyRoute(cfg) + executor.ApplyConfig(cfg, true) +} - for _, option := range options { - option(cfg) +func applyRoute(cfg *config.Config) { + if cfg.Controller.ExternalUI != "" { + route.SetUIPath(cfg.Controller.ExternalUI) } + route.ReCreateServer(&route.Config{ + Addr: cfg.Controller.ExternalController, + TLSAddr: cfg.Controller.ExternalControllerTLS, + UnixAddr: cfg.Controller.ExternalControllerUnix, + Secret: cfg.Controller.Secret, + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + DohServer: cfg.Controller.ExternalDohServer, + IsDebug: cfg.General.LogLevel == log.DEBUG, + }) +} + +// Parse call at the beginning of mihomo +func Parse(configBytes []byte, options ...Option) error { + var cfg *config.Config + var err error - if cfg.General.ExternalUI != "" { - route.SetUIPath(cfg.General.ExternalUI) + if len(configBytes) != 0 { + cfg, err = executor.ParseWithBytes(configBytes) + } else { + cfg, err = executor.Parse() } - if cfg.General.ExternalController != "" { - go route.Start(cfg.General.ExternalController, cfg.General.ExternalControllerTLS, - cfg.General.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.General.LogLevel == log.DEBUG) + if err != nil { + return err } - if cfg.General.ExternalControllerUnix != "" { - go route.StartUnix(cfg.General.ExternalControllerUnix, cfg.General.LogLevel == log.DEBUG) + for _, option := range options { + option(cfg) } - executor.ApplyConfig(cfg, true) + ApplyConfig(cfg) return nil } diff --git a/hub/route/configs.go b/hub/route/configs.go index 17d858d47f..d4bda2bf4c 100644 --- a/hub/route/configs.go +++ b/hub/route/configs.go @@ -62,23 +62,22 @@ type tunSchema struct { DNSHijack *[]string `yaml:"dns-hijack" json:"dns-hijack"` AutoRoute *bool `yaml:"auto-route" json:"auto-route"` AutoDetectInterface *bool `yaml:"auto-detect-interface" json:"auto-detect-interface"` - //RedirectToTun []string `yaml:"-" json:"-"` MTU *uint32 `yaml:"mtu" json:"mtu,omitempty"` GSO *bool `yaml:"gso" json:"gso,omitempty"` GSOMaxSize *uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"` //Inet4Address *[]netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"` Inet6Address *[]netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"` - IPRoute2TableIndex *int `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"` - IPRoute2RuleIndex *int `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"` - AutoRedirect *bool `yaml:"auto-redirect" json:"auto_redirect,omitempty"` - AutoRedirectInputMark *uint32 `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"` - AutoRedirectOutputMark *uint32 `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"` + IPRoute2TableIndex *int `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"` + IPRoute2RuleIndex *int `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"` + AutoRedirect *bool `yaml:"auto-redirect" json:"auto-redirect,omitempty"` + AutoRedirectInputMark *uint32 `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"` + AutoRedirectOutputMark *uint32 `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"` StrictRoute *bool `yaml:"strict-route" json:"strict-route,omitempty"` - RouteAddress *[]netip.Prefix `yaml:"route-address" json:"route_address,omitempty"` - RouteAddressSet *[]string `yaml:"route-address-set" json:"route_address_set,omitempty"` - RouteExcludeAddress *[]netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"` - RouteExcludeAddressSet *[]string `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"` + RouteAddress *[]netip.Prefix `yaml:"route-address" json:"route-address,omitempty"` + RouteAddressSet *[]string `yaml:"route-address-set" json:"route-address-set,omitempty"` + RouteExcludeAddress *[]netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"` + RouteExcludeAddressSet *[]string `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"` IncludeInterface *[]string `yaml:"include-interface" json:"include-interface,omitempty"` ExcludeInterface *[]string `yaml:"exclude-interface" json:"exclude-interface,omitempty"` IncludeUID *[]uint32 `yaml:"include-uid" json:"include-uid,omitempty"` @@ -118,21 +117,13 @@ func getConfigs(w http.ResponseWriter, r *http.Request) { render.JSON(w, r, general) } -func pointerOrDefault(p *int, def int) int { +func pointerOrDefault[T any](p *T, def T) T { if p != nil { return *p } return def } -func pointerOrDefaultString(p *string, def string) string { - if p != nil { - return *p - } - - return def -} - func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun { if p != nil { def.Enable = p.Enable @@ -336,8 +327,8 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) { P.ReCreateTProxy(pointerOrDefault(general.TProxyPort, ports.TProxyPort), tunnel.Tunnel) P.ReCreateMixed(pointerOrDefault(general.MixedPort, ports.MixedPort), tunnel.Tunnel) P.ReCreateTun(pointerOrDefaultTun(general.Tun, P.LastTunConf), tunnel.Tunnel) - P.ReCreateShadowSocks(pointerOrDefaultString(general.ShadowSocksConfig, ports.ShadowSocksConfig), tunnel.Tunnel) - P.ReCreateVmess(pointerOrDefaultString(general.VmessConfig, ports.VmessConfig), tunnel.Tunnel) + P.ReCreateShadowSocks(pointerOrDefault(general.ShadowSocksConfig, ports.ShadowSocksConfig), tunnel.Tunnel) + P.ReCreateVmess(pointerOrDefault(general.VmessConfig, ports.VmessConfig), tunnel.Tunnel) P.ReCreateTuic(pointerOrDefaultTuicServer(general.TuicServer, P.LastTuicConf), tunnel.Tunnel) if general.Mode != nil { @@ -402,23 +393,11 @@ func updateConfigs(w http.ResponseWriter, r *http.Request) { func updateGeoDatabases(w http.ResponseWriter, r *http.Request) { err := updater.UpdateGeoDatabases() if err != nil { - log.Errorln("[REST-API] update GEO databases failed: %v", err) + log.Errorln("[GEO] update GEO databases failed: %v", err) render.Status(r, http.StatusInternalServerError) render.JSON(w, r, newError(err.Error())) return } - cfg, err := executor.ParseWithPath(C.Path.Config()) - if err != nil { - log.Errorln("[REST-API] update GEO databases failed: %v", err) - render.Status(r, http.StatusInternalServerError) - render.JSON(w, r, newError("Error parsing configuration")) - return - } - - log.Warnln("[GEO] update GEO databases success, applying config") - - executor.ApplyConfig(cfg, false) - render.NoContent(w, r) } diff --git a/hub/route/doh.go b/hub/route/doh.go new file mode 100644 index 0000000000..bb5416c436 --- /dev/null +++ b/hub/route/doh.go @@ -0,0 +1,63 @@ +package route + +import ( + "context" + "encoding/base64" + "io" + "net/http" + + "github.com/metacubex/mihomo/component/resolver" + + "github.com/go-chi/render" +) + +func dohRouter() http.Handler { + return http.HandlerFunc(dohHandler) +} + +func dohHandler(w http.ResponseWriter, r *http.Request) { + if resolver.DefaultResolver == nil { + render.Status(r, http.StatusInternalServerError) + render.PlainText(w, r, "DNS section is disabled") + return + } + + var dnsData []byte + var err error + switch r.Method { + case "GET": + dnsData, err = base64.RawURLEncoding.DecodeString(r.URL.Query().Get("dns")) + case "POST": + if r.Header.Get("Content-Type") != "application/dns-message" { + render.Status(r, http.StatusInternalServerError) + render.PlainText(w, r, "invalid content-type") + return + } + reader := io.LimitReader(r.Body, 65535) // according to rfc8484, the maximum size of the DNS message is 65535 bytes + dnsData, err = io.ReadAll(reader) + _ = r.Body.Close() + default: + render.Status(r, http.StatusMethodNotAllowed) + render.PlainText(w, r, "method not allowed") + return + } + if err != nil { + render.Status(r, http.StatusInternalServerError) + render.PlainText(w, r, err.Error()) + return + } + + ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout) + defer cancel() + + dnsData, err = resolver.RelayDnsPacket(ctx, dnsData, dnsData) + if err != nil { + render.Status(r, http.StatusInternalServerError) + render.PlainText(w, r, err.Error()) + return + } + + w.Header().Set("Content-Type", "application/dns-message") + w.WriteHeader(http.StatusOK) + _, _ = w.Write(dnsData) +} diff --git a/hub/route/groups.go b/hub/route/groups.go index 30dec5f0bb..c4e9501f2d 100644 --- a/hub/route/groups.go +++ b/hub/route/groups.go @@ -60,9 +60,15 @@ func getGroupDelay(w http.ResponseWriter, r *http.Request) { return } - if proxy.(*adapter.Proxy).Type() == C.URLTest { - URLTestGroup := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.URLTest) - URLTestGroup.ForceSet("") + switch proxy.(*adapter.Proxy).Type() { + case C.URLTest: + if urlTestGroup, ok := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.URLTest); ok { + urlTestGroup.ForceSet("") + } + case C.Fallback: + if fallbackGroup, ok := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.Fallback); ok { + fallbackGroup.ForceSet("") + } } if proxy.(*adapter.Proxy).Type() != C.Selector { diff --git a/hub/route/server.go b/hub/route/server.go index c28782b9c3..b707756321 100644 --- a/hub/route/server.go +++ b/hub/route/server.go @@ -30,10 +30,11 @@ import ( ) var ( - serverSecret = "" - serverAddr = "" - uiPath = "" + + httpServer *http.Server + tlsServer *http.Server + unixServer *http.Server ) type Traffic struct { @@ -46,11 +47,28 @@ type Memory struct { OSLimit uint64 `json:"oslimit"` // maybe we need it in the future } +type Config struct { + Addr string + TLSAddr string + UnixAddr string + Secret string + Certificate string + PrivateKey string + DohServer string + IsDebug bool +} + +func ReCreateServer(cfg *Config) { + go start(cfg) + go startTLS(cfg) + go startUnix(cfg) +} + func SetUIPath(path string) { uiPath = C.Path.Resolve(path) } -func router(isDebug bool, withAuth bool) *chi.Mux { +func router(isDebug bool, secret string, dohServer string) *chi.Mux { r := chi.NewRouter() corsM := cors.New(cors.Options{ AllowedOrigins: []string{"*"}, @@ -72,8 +90,8 @@ func router(isDebug bool, withAuth bool) *chi.Mux { }()) } r.Group(func(r chi.Router) { - if withAuth { - r.Use(authentication) + if secret != "" { + r.Use(authentication(secret)) } r.Get("/", hello) r.Get("/logs", getLogs) @@ -104,91 +122,118 @@ func router(isDebug bool, withAuth bool) *chi.Mux { }) }) } + if len(dohServer) > 0 && dohServer[0] == '/' { + r.Mount(dohServer, dohRouter()) + } + return r } -func Start(addr string, tlsAddr string, secret string, - certificate, privateKey string, isDebug bool) { - if serverAddr != "" { - return +func start(cfg *Config) { + // first stop existing server + if httpServer != nil { + _ = httpServer.Close() + httpServer = nil } - serverAddr = addr - serverSecret = secret - - if len(tlsAddr) > 0 { - go func() { - c, err := CN.ParseCert(certificate, privateKey, C.Path) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } + // handle addr + if len(cfg.Addr) > 0 { + l, err := inbound.Listen("tcp", cfg.Addr) + if err != nil { + log.Errorln("External controller listen error: %s", err) + return + } + log.Infoln("RESTful API listening at: %s", l.Addr().String()) - l, err := inbound.Listen("tcp", tlsAddr) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + } + httpServer = server + if err = server.Serve(l); err != nil { + log.Errorln("External controller serve error: %s", err) + } + } +} - serverAddr = l.Addr().String() - log.Infoln("RESTful API tls listening at: %s", serverAddr) - tlsServe := &http.Server{ - Handler: router(isDebug, true), - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{c}, - }, - } - if err = tlsServe.ServeTLS(l, "", ""); err != nil { - log.Errorln("External controller tls serve error: %s", err) - } - }() +func startTLS(cfg *Config) { + // first stop existing server + if tlsServer != nil { + _ = tlsServer.Close() + tlsServer = nil } - l, err := inbound.Listen("tcp", addr) - if err != nil { - log.Errorln("External controller listen error: %s", err) - return + // handle tlsAddr + if len(cfg.TLSAddr) > 0 { + c, err := CN.ParseCert(cfg.Certificate, cfg.PrivateKey, C.Path) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + l, err := inbound.Listen("tcp", cfg.TLSAddr) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + log.Infoln("RESTful API tls listening at: %s", l.Addr().String()) + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{c}, + }, + } + tlsServer = server + if err = server.ServeTLS(l, "", ""); err != nil { + log.Errorln("External controller tls serve error: %s", err) + } } - serverAddr = l.Addr().String() - log.Infoln("RESTful API listening at: %s", serverAddr) +} - if err = http.Serve(l, router(isDebug, true)); err != nil { - log.Errorln("External controller serve error: %s", err) +func startUnix(cfg *Config) { + // first stop existing server + if unixServer != nil { + _ = unixServer.Close() + unixServer = nil } -} + // handle addr + if len(cfg.UnixAddr) > 0 { + addr := C.Path.Resolve(cfg.UnixAddr) -func StartUnix(addr string, isDebug bool) { - addr = C.Path.Resolve(addr) + dir := filepath.Dir(addr) + if _, err := os.Stat(dir); os.IsNotExist(err) { + if err := os.MkdirAll(dir, 0o755); err != nil { + log.Errorln("External controller unix listen error: %s", err) + return + } + } - dir := filepath.Dir(addr) - if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, 0o755); err != nil { + // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ + // + // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, + // a socket file is created within the filesystem. On Linux, the application is expected to unlink + // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. + // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) + // should be used to delete the socket file prior to calling bind with the same path. + _ = syscall.Unlink(addr) + + l, err := inbound.Listen("unix", addr) + if err != nil { log.Errorln("External controller unix listen error: %s", err) return } - } + log.Infoln("RESTful API unix listening at: %s", l.Addr().String()) - // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ - // - // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, - // a socket file is created within the filesystem. On Linux, the application is expected to unlink - // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. - // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) - // should be used to delete the socket file prior to calling bind with the same path. - _ = syscall.Unlink(addr) - - l, err := inbound.Listen("unix", addr) - if err != nil { - log.Errorln("External controller unix listen error: %s", err) - return + server := &http.Server{ + Handler: router(cfg.IsDebug, "", cfg.DohServer), + } + unixServer = server + if err = server.Serve(l); err != nil { + log.Errorln("External controller unix serve error: %s", err) + } } - serverAddr = l.Addr().String() - log.Infoln("RESTful API unix listening at: %s", serverAddr) - if err = http.Serve(l, router(isDebug, false)); err != nil { - log.Errorln("External controller unix serve error: %s", err) - } } func setPrivateNetworkAccess(next http.Handler) http.Handler { @@ -206,38 +251,35 @@ func safeEuqal(a, b string) bool { return subtle.ConstantTimeCompare(aBuf, bBuf) == 1 } -func authentication(next http.Handler) http.Handler { - fn := func(w http.ResponseWriter, r *http.Request) { - if serverSecret == "" { - next.ServeHTTP(w, r) - return - } +func authentication(secret string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + fn := func(w http.ResponseWriter, r *http.Request) { + // Browser websocket not support custom header + if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { + token := r.URL.Query().Get("token") + if !safeEuqal(token, secret) { + render.Status(r, http.StatusUnauthorized) + render.JSON(w, r, ErrUnauthorized) + return + } + next.ServeHTTP(w, r) + return + } - // Browser websocket not support custom header - if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { - token := r.URL.Query().Get("token") - if !safeEuqal(token, serverSecret) { + header := r.Header.Get("Authorization") + bearer, token, found := strings.Cut(header, " ") + + hasInvalidHeader := bearer != "Bearer" + hasInvalidSecret := !found || !safeEuqal(token, secret) + if hasInvalidHeader || hasInvalidSecret { render.Status(r, http.StatusUnauthorized) render.JSON(w, r, ErrUnauthorized) return } next.ServeHTTP(w, r) - return } - - header := r.Header.Get("Authorization") - bearer, token, found := strings.Cut(header, " ") - - hasInvalidHeader := bearer != "Bearer" - hasInvalidSecret := !found || !safeEuqal(token, serverSecret) - if hasInvalidHeader || hasInvalidSecret { - render.Status(r, http.StatusUnauthorized) - render.JSON(w, r, ErrUnauthorized) - return - } - next.ServeHTTP(w, r) + return http.HandlerFunc(fn) } - return http.HandlerFunc(fn) } func hello(w http.ResponseWriter, r *http.Request) { diff --git a/hub/route/upgrade.go b/hub/route/upgrade.go index db00af5c8a..25c326ddde 100644 --- a/hub/route/upgrade.go +++ b/hub/route/upgrade.go @@ -1,7 +1,6 @@ package route import ( - "errors" "fmt" "net/http" "os" @@ -48,17 +47,11 @@ func upgradeCore(w http.ResponseWriter, r *http.Request) { } func updateUI(w http.ResponseWriter, r *http.Request) { - err := updater.UpdateUI() + err := updater.DownloadUI() if err != nil { - if errors.Is(err, updater.ErrIncompleteConf) { - log.Warnln("%s", err) - render.Status(r, http.StatusNotImplemented) - render.JSON(w, r, newError(fmt.Sprintf("%s", err))) - } else { - log.Warnln("%s", err) - render.Status(r, http.StatusInternalServerError) - render.JSON(w, r, newError(fmt.Sprintf("%s", err))) - } + log.Warnln("%s", err) + render.Status(r, http.StatusInternalServerError) + render.JSON(w, r, newError(fmt.Sprintf("%s", err))) return } diff --git a/listener/auth/auth.go b/listener/auth/auth.go index 46f552b80c..772be3bdd7 100644 --- a/listener/auth/auth.go +++ b/listener/auth/auth.go @@ -13,3 +13,5 @@ func Authenticator() auth.Authenticator { func SetAuthenticator(au auth.Authenticator) { authenticator = au } + +func Nil() auth.Authenticator { return nil } diff --git a/listener/autoredir/tcp.go b/listener/autoredir/tcp.go deleted file mode 100644 index 2b21b087b3..0000000000 --- a/listener/autoredir/tcp.go +++ /dev/null @@ -1,95 +0,0 @@ -package autoredir - -import ( - "net" - "net/netip" - - "github.com/metacubex/mihomo/adapter/inbound" - N "github.com/metacubex/mihomo/common/net" - C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/log" - "github.com/metacubex/mihomo/transport/socks5" -) - -type Listener struct { - listener net.Listener - addr string - closed bool - additions []inbound.Addition - lookupFunc func(netip.AddrPort) (socks5.Addr, error) -} - -// RawAddress implements C.Listener -func (l *Listener) RawAddress() string { - return l.addr -} - -// Address implements C.Listener -func (l *Listener) Address() string { - return l.listener.Addr().String() -} - -// Close implements C.Listener -func (l *Listener) Close() error { - l.closed = true - return l.listener.Close() -} - -func (l *Listener) TCPAddr() netip.AddrPort { - return l.listener.Addr().(*net.TCPAddr).AddrPort() -} - -func (l *Listener) SetLookupFunc(lookupFunc func(netip.AddrPort) (socks5.Addr, error)) { - l.lookupFunc = lookupFunc -} - -func (l *Listener) handleRedir(conn net.Conn, tunnel C.Tunnel) { - if l.lookupFunc == nil { - log.Errorln("[Auto Redirect] lookup function is nil") - return - } - - target, err := l.lookupFunc(conn.RemoteAddr().(*net.TCPAddr).AddrPort()) - if err != nil { - log.Warnln("[Auto Redirect] %v", err) - _ = conn.Close() - return - } - - N.TCPKeepAlive(conn) - - tunnel.HandleTCPConn(inbound.NewSocket(target, conn, C.REDIR, l.additions...)) -} - -func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { - if len(additions) == 0 { - additions = []inbound.Addition{ - inbound.WithInName("DEFAULT-REDIR"), - inbound.WithSpecialRules(""), - } - } - l, err := net.Listen("tcp", addr) - if err != nil { - return nil, err - } - rl := &Listener{ - listener: l, - addr: addr, - additions: additions, - } - - go func() { - for { - c, err := l.Accept() - if err != nil { - if rl.closed { - break - } - continue - } - go rl.handleRedir(c, tunnel) - } - }() - - return rl, nil -} diff --git a/listener/config/tun.go b/listener/config/tun.go index cea22bfdc8..3901bb1d6d 100644 --- a/listener/config/tun.go +++ b/listener/config/tun.go @@ -3,7 +3,10 @@ package config import ( "net/netip" + "github.com/metacubex/mihomo/common/nnip" C "github.com/metacubex/mihomo/constant" + + "golang.org/x/exp/slices" ) func StringSliceToNetipPrefixSlice(ss []string) ([]netip.Prefix, error) { @@ -25,23 +28,22 @@ type Tun struct { DNSHijack []string `yaml:"dns-hijack" json:"dns-hijack"` AutoRoute bool `yaml:"auto-route" json:"auto-route"` AutoDetectInterface bool `yaml:"auto-detect-interface" json:"auto-detect-interface"` - RedirectToTun []string `yaml:"-" json:"-"` MTU uint32 `yaml:"mtu" json:"mtu,omitempty"` GSO bool `yaml:"gso" json:"gso,omitempty"` GSOMaxSize uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"` Inet4Address []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"` Inet6Address []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"` - IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"` - IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"` - AutoRedirect bool `yaml:"auto-redirect" json:"auto_redirect,omitempty"` - AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"` - AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"` + IPRoute2TableIndex int `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"` + IPRoute2RuleIndex int `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"` + AutoRedirect bool `yaml:"auto-redirect" json:"auto-redirect,omitempty"` + AutoRedirectInputMark uint32 `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"` + AutoRedirectOutputMark uint32 `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"` StrictRoute bool `yaml:"strict-route" json:"strict-route,omitempty"` - RouteAddress []netip.Prefix `yaml:"route-address" json:"route_address,omitempty"` - RouteAddressSet []string `yaml:"route-address-set" json:"route_address_set,omitempty"` - RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"` - RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"` + RouteAddress []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"` + RouteAddressSet []string `yaml:"route-address-set" json:"route-address-set,omitempty"` + RouteExcludeAddress []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"` + RouteExcludeAddressSet []string `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"` IncludeInterface []string `yaml:"include-interface" json:"include-interface,omitempty"` ExcludeInterface []string `yaml:"exclude-interface" json:"exclude-interface,omitempty"` IncludeUID []uint32 `yaml:"include-uid" json:"include-uid,omitempty"` @@ -60,3 +62,146 @@ type Tun struct { Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"` Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"` } + +func (t *Tun) Sort() { + slices.Sort(t.DNSHijack) + + slices.SortFunc(t.Inet4Address, nnip.PrefixCompare) + slices.SortFunc(t.Inet6Address, nnip.PrefixCompare) + slices.SortFunc(t.RouteAddress, nnip.PrefixCompare) + slices.Sort(t.RouteAddressSet) + slices.SortFunc(t.RouteExcludeAddress, nnip.PrefixCompare) + slices.Sort(t.RouteExcludeAddressSet) + slices.Sort(t.IncludeInterface) + slices.Sort(t.ExcludeInterface) + slices.Sort(t.IncludeUID) + slices.Sort(t.IncludeUIDRange) + slices.Sort(t.ExcludeUID) + slices.Sort(t.ExcludeUIDRange) + slices.Sort(t.IncludeAndroidUser) + slices.Sort(t.IncludePackage) + slices.Sort(t.ExcludePackage) + + slices.SortFunc(t.Inet4RouteAddress, nnip.PrefixCompare) + slices.SortFunc(t.Inet6RouteAddress, nnip.PrefixCompare) + slices.SortFunc(t.Inet4RouteExcludeAddress, nnip.PrefixCompare) + slices.SortFunc(t.Inet6RouteExcludeAddress, nnip.PrefixCompare) +} + +func (t *Tun) Equal(other Tun) bool { + if t.Enable != other.Enable { + return false + } + if t.Device != other.Device { + return false + } + if t.Stack != other.Stack { + return false + } + if !slices.Equal(t.DNSHijack, other.DNSHijack) { + return false + } + if t.AutoRoute != other.AutoRoute { + return false + } + if t.AutoDetectInterface != other.AutoDetectInterface { + return false + } + + if t.MTU != other.MTU { + return false + } + if t.GSO != other.GSO { + return false + } + if t.GSOMaxSize != other.GSOMaxSize { + return false + } + if !slices.Equal(t.Inet4Address, other.Inet4Address) { + return false + } + if !slices.Equal(t.Inet6Address, other.Inet6Address) { + return false + } + if t.IPRoute2TableIndex != other.IPRoute2TableIndex { + return false + } + if t.IPRoute2RuleIndex != other.IPRoute2RuleIndex { + return false + } + if t.AutoRedirect != other.AutoRedirect { + return false + } + if t.AutoRedirectInputMark != other.AutoRedirectInputMark { + return false + } + if t.AutoRedirectOutputMark != other.AutoRedirectOutputMark { + return false + } + if t.StrictRoute != other.StrictRoute { + return false + } + if !slices.Equal(t.RouteAddress, other.RouteAddress) { + return false + } + if !slices.Equal(t.RouteAddressSet, other.RouteAddressSet) { + return false + } + if !slices.Equal(t.RouteExcludeAddress, other.RouteExcludeAddress) { + return false + } + if !slices.Equal(t.RouteExcludeAddressSet, other.RouteExcludeAddressSet) { + return false + } + if !slices.Equal(t.IncludeInterface, other.IncludeInterface) { + return false + } + if !slices.Equal(t.ExcludeInterface, other.ExcludeInterface) { + return false + } + if !slices.Equal(t.IncludeUID, other.IncludeUID) { + return false + } + if !slices.Equal(t.IncludeUIDRange, other.IncludeUIDRange) { + return false + } + if !slices.Equal(t.ExcludeUID, other.ExcludeUID) { + return false + } + if !slices.Equal(t.ExcludeUIDRange, other.ExcludeUIDRange) { + return false + } + if !slices.Equal(t.IncludeAndroidUser, other.IncludeAndroidUser) { + return false + } + if !slices.Equal(t.IncludePackage, other.IncludePackage) { + return false + } + if !slices.Equal(t.ExcludePackage, other.ExcludePackage) { + return false + } + if t.EndpointIndependentNat != other.EndpointIndependentNat { + return false + } + if t.UDPTimeout != other.UDPTimeout { + return false + } + if t.FileDescriptor != other.FileDescriptor { + return false + } + + if !slices.Equal(t.Inet4RouteAddress, other.Inet4RouteAddress) { + return false + } + if !slices.Equal(t.Inet6RouteAddress, other.Inet6RouteAddress) { + return false + } + if !slices.Equal(t.Inet4RouteExcludeAddress, other.Inet4RouteExcludeAddress) { + return false + } + if !slices.Equal(t.Inet6RouteExcludeAddress, other.Inet6RouteExcludeAddress) { + return false + } + + return true +} diff --git a/listener/http/client.go b/listener/http/client.go index dfd1985f8c..0f084fca7b 100644 --- a/listener/http/client.go +++ b/listener/http/client.go @@ -13,7 +13,7 @@ import ( "github.com/metacubex/mihomo/transport/socks5" ) -func newClient(srcConn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) *http.Client { +func newClient(srcConn net.Conn, tunnel C.Tunnel, additions []inbound.Addition) *http.Client { // additions using slice let caller can change its value (without size) after newClient return return &http.Client{ Transport: &http.Transport{ // from http.DefaultTransport @@ -21,6 +21,7 @@ func newClient(srcConn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) IdleConnTimeout: 90 * time.Second, TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, + DisableCompression: true, // prevents the Transport add "Accept-Encoding: gzip" DialContext: func(context context.Context, network, address string) (net.Conn, error) { if network != "tcp" && network != "tcp4" && network != "tcp6" { return nil, errors.New("unsupported network " + network) diff --git a/listener/http/patch_android.go b/listener/http/patch_android.go deleted file mode 100644 index b1b8bfc731..0000000000 --- a/listener/http/patch_android.go +++ /dev/null @@ -1,9 +0,0 @@ -//go:build android && cmfa - -package http - -import "net" - -func (l *Listener) Listener() net.Listener { - return l.listener -} diff --git a/listener/http/proxy.go b/listener/http/proxy.go index c77f92307f..04ab98eb8c 100644 --- a/listener/http/proxy.go +++ b/listener/http/proxy.go @@ -10,10 +10,9 @@ import ( "sync" "github.com/metacubex/mihomo/adapter/inbound" - "github.com/metacubex/mihomo/common/lru" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" - authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/log" ) @@ -31,8 +30,10 @@ func (b *bodyWrapper) Read(p []byte) (n int, err error) { return n, err } -func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], additions ...inbound.Addition) { - client := newClient(c, tunnel, additions...) +func HandleConn(c net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + additions = append(additions, inbound.Placeholder) // Add a placeholder for InUser + inUserIdx := len(additions) - 1 + client := newClient(c, tunnel, additions) defer client.CloseIdleConnections() ctx, cancel := context.WithCancel(context.Background()) defer cancel() @@ -40,8 +41,10 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], conn := N.NewBufferedConn(c) + authenticator := getAuth() keepAlive := true - trusted := cache == nil // disable authenticate if lru is nil + trusted := authenticator == nil // disable authenticate if lru is nil + lastUser := "" for keepAlive { peekMutex.Lock() @@ -57,12 +60,10 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], var resp *http.Response - if !trusted { - var user string - resp, user = authenticate(request, cache) - additions = append(additions, inbound.WithInUser(user)) - trusted = resp == nil - } + var user string + resp, user = authenticate(request, authenticator) // always call authenticate function to get user + trusted = trusted || resp == nil + additions[inUserIdx] = inbound.WithInUser(user) if trusted { if request.Method == http.MethodConnect { @@ -89,6 +90,13 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], return // hijack connection } + // ensure there is a client with correct additions + // when the authenticated user changed, outbound client should close idle connections + if user != lastUser { + client.CloseIdleConnections() + lastUser = user + } + removeHopByHopHeaders(request.Header) removeExtraHTTPHostPort(request) @@ -138,34 +146,21 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], _ = conn.Close() } -func authenticate(request *http.Request, cache *lru.LruCache[string, bool]) (resp *http.Response, u string) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddress(request.RemoteAddr) { - authenticator = nil +func authenticate(request *http.Request, authenticator auth.Authenticator) (resp *http.Response, user string) { + credential := parseBasicProxyAuthorization(request) + if credential == "" && authenticator != nil { + resp = responseWith(request, http.StatusProxyAuthRequired) + resp.Header.Set("Proxy-Authenticate", "Basic") + return } - if authenticator != nil { - credential := parseBasicProxyAuthorization(request) - if credential == "" { - resp := responseWith(request, http.StatusProxyAuthRequired) - resp.Header.Set("Proxy-Authenticate", "Basic") - return resp, "" - } - - authed, exist := cache.Get(credential) - if !exist { - user, pass, err := decodeBasicProxyAuthorization(credential) - authed = err == nil && authenticator.Verify(user, pass) - u = user - cache.Set(credential, authed) - } - if !authed { - log.Infoln("Auth failed from %s", request.RemoteAddr) - - return responseWith(request, http.StatusForbidden), u - } + user, pass, err := decodeBasicProxyAuthorization(credential) + authed := authenticator == nil || (err == nil && authenticator.Verify(user, pass)) + if !authed { + log.Infoln("Auth failed from %s", request.RemoteAddr) + return responseWith(request, http.StatusForbidden), user } - - return nil, u + log.Debugln("Auth success from %s -> %s", request.RemoteAddr, user) + return } func responseWith(request *http.Request, statusCode int) *http.Response { diff --git a/listener/http/server.go b/listener/http/server.go index 8fc9da5962..48f12dc5f1 100644 --- a/listener/http/server.go +++ b/listener/http/server.go @@ -4,9 +4,10 @@ import ( "net" "github.com/metacubex/mihomo/adapter/inbound" - "github.com/metacubex/mihomo/common/lru" + N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" + authStore "github.com/metacubex/mihomo/listener/auth" ) type Listener struct { @@ -32,10 +33,20 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { - return NewWithAuthenticate(addr, tunnel, true, additions...) + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) } +// NewWithAuthenticate +// never change type traits because it's used in CMFA func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additions ...inbound.Addition) (*Listener, error) { + getAuth := authStore.Authenticator + if !authenticate { + getAuth = authStore.Nil + } + return NewWithAuthenticator(addr, tunnel, getAuth, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -50,11 +61,6 @@ func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additi return nil, err } - var c *lru.LruCache[string, bool] - if authenticate { - c = lru.New[string, bool](lru.WithAge[string, bool](30)) - } - hl := &Listener{ listener: l, addr: addr, @@ -68,18 +74,19 @@ func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additi } continue } - if features.CMFA { - if t, ok := conn.(*net.TCPConn); ok { - t.SetKeepAlive(false) - } - } + N.TCPKeepAlive(conn) + + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) { _ = conn.Close() continue } + if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { + getAuth = authStore.Nil + } } - go HandleConn(conn, tunnel, c, additions...) + go HandleConn(conn, tunnel, getAuth, additions...) } }() diff --git a/listener/inbound/auth.go b/listener/inbound/auth.go new file mode 100644 index 0000000000..41f18fc089 --- /dev/null +++ b/listener/inbound/auth.go @@ -0,0 +1,31 @@ +package inbound + +import ( + "github.com/metacubex/mihomo/component/auth" + authStore "github.com/metacubex/mihomo/listener/auth" +) + +type AuthUser struct { + Username string `inbound:"username"` + Password string `inbound:"password"` +} + +type AuthUsers []AuthUser + +func (a AuthUsers) GetAuth() func() auth.Authenticator { + if a != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array + if len(a) == 0 { + return authStore.Nil + } + users := make([]auth.AuthUser, len(a)) + for i, user := range a { + users[i] = auth.AuthUser{ + User: user.Username, + Pass: user.Password, + } + } + authenticator := auth.NewAuthenticator(users) + return func() auth.Authenticator { return authenticator } + } + return authStore.Authenticator +} diff --git a/listener/inbound/http.go b/listener/inbound/http.go index f5301f46c9..c78abefd5f 100644 --- a/listener/inbound/http.go +++ b/listener/inbound/http.go @@ -8,6 +8,7 @@ import ( type HTTPOption struct { BaseOption + Users AuthUsers `inbound:"users,omitempty"` } func (o HTTPOption) Equal(config C.InboundConfig) bool { @@ -44,7 +45,7 @@ func (h *HTTP) Address() string { // Listen implements constant.InboundListener func (h *HTTP) Listen(tunnel C.Tunnel) error { var err error - h.l, err = http.New(h.RawAddress(), tunnel, h.Additions()...) + h.l, err = http.NewWithAuthenticator(h.RawAddress(), tunnel, h.config.Users.GetAuth(), h.Additions()...) if err != nil { return err } diff --git a/listener/inbound/mixed.go b/listener/inbound/mixed.go index fc64382199..443a256452 100644 --- a/listener/inbound/mixed.go +++ b/listener/inbound/mixed.go @@ -12,7 +12,8 @@ import ( type MixedOption struct { BaseOption - UDP bool `inbound:"udp,omitempty"` + Users AuthUsers `inbound:"users,omitempty"` + UDP bool `inbound:"udp,omitempty"` } func (o MixedOption) Equal(config C.InboundConfig) bool { @@ -52,7 +53,7 @@ func (m *Mixed) Address() string { // Listen implements constant.InboundListener func (m *Mixed) Listen(tunnel C.Tunnel) error { var err error - m.l, err = mixed.New(m.RawAddress(), tunnel, m.Additions()...) + m.l, err = mixed.NewWithAuthenticator(m.RawAddress(), tunnel, m.config.Users.GetAuth(), m.Additions()...) if err != nil { return err } diff --git a/listener/inbound/socks.go b/listener/inbound/socks.go index 7e10d93afb..cf6d1ce433 100644 --- a/listener/inbound/socks.go +++ b/listener/inbound/socks.go @@ -9,7 +9,8 @@ import ( type SocksOption struct { BaseOption - UDP bool `inbound:"udp,omitempty"` + Users AuthUsers `inbound:"users,omitempty"` + UDP bool `inbound:"udp,omitempty"` } func (o SocksOption) Equal(config C.InboundConfig) bool { @@ -70,7 +71,7 @@ func (s *Socks) Address() string { // Listen implements constant.InboundListener func (s *Socks) Listen(tunnel C.Tunnel) error { var err error - if s.stl, err = socks.New(s.RawAddress(), tunnel, s.Additions()...); err != nil { + if s.stl, err = socks.NewWithAuthenticator(s.RawAddress(), tunnel, s.config.Users.GetAuth(), s.Additions()...); err != nil { return err } if s.udp { diff --git a/listener/inbound/tun.go b/listener/inbound/tun.go index a950f80db2..77ad6bd61c 100644 --- a/listener/inbound/tun.go +++ b/listener/inbound/tun.go @@ -21,35 +21,35 @@ type TunOption struct { MTU uint32 `inbound:"mtu,omitempty"` GSO bool `inbound:"gso,omitempty"` GSOMaxSize uint32 `inbound:"gso-max-size,omitempty"` - Inet4Address []string `inbound:"inet4_address,omitempty"` - Inet6Address []string `inbound:"inet6_address,omitempty"` + Inet4Address []string `inbound:"inet4-address,omitempty"` + Inet6Address []string `inbound:"inet6-address,omitempty"` IPRoute2TableIndex int `inbound:"iproute2-table-index"` IPRoute2RuleIndex int `inbound:"iproute2-rule-index"` AutoRedirect bool `inbound:"auto-redirect"` AutoRedirectInputMark uint32 `inbound:"auto-redirect-input-mark"` AutoRedirectOutputMark uint32 `inbound:"auto-redirect-output-mark"` - StrictRoute bool `inbound:"strict_route,omitempty"` + StrictRoute bool `inbound:"strict-route,omitempty"` RouteAddress []string `inbound:"route-address"` RouteAddressSet []string `inbound:"route-address-set"` RouteExcludeAddress []string `inbound:"route-exclude-address"` RouteExcludeAddressSet []string `inbound:"route-exclude-address-set"` IncludeInterface []string `inbound:"include-interface,omitempty"` ExcludeInterface []string `inbound:"exclude-interface"` - IncludeUID []uint32 `inbound:"include_uid,omitempty"` - IncludeUIDRange []string `inbound:"include_uid_range,omitempty"` - ExcludeUID []uint32 `inbound:"exclude_uid,omitempty"` - ExcludeUIDRange []string `inbound:"exclude_uid_range,omitempty"` - IncludeAndroidUser []int `inbound:"include_android_user,omitempty"` - IncludePackage []string `inbound:"include_package,omitempty"` - ExcludePackage []string `inbound:"exclude_package,omitempty"` - EndpointIndependentNat bool `inbound:"endpoint_independent_nat,omitempty"` - UDPTimeout int64 `inbound:"udp_timeout,omitempty"` + IncludeUID []uint32 `inbound:"include-uid,omitempty"` + IncludeUIDRange []string `inbound:"include-uid-range,omitempty"` + ExcludeUID []uint32 `inbound:"exclude-uid,omitempty"` + ExcludeUIDRange []string `inbound:"exclude-uid-range,omitempty"` + IncludeAndroidUser []int `inbound:"include-android-user,omitempty"` + IncludePackage []string `inbound:"include-package,omitempty"` + ExcludePackage []string `inbound:"exclude-package,omitempty"` + EndpointIndependentNat bool `inbound:"endpoint-independent-nat,omitempty"` + UDPTimeout int64 `inbound:"udp-timeout,omitempty"` FileDescriptor int `inbound:"file-descriptor,omitempty"` - Inet4RouteAddress []string `inbound:"inet4_route_address,omitempty"` - Inet6RouteAddress []string `inbound:"inet6_route_address,omitempty"` - Inet4RouteExcludeAddress []string `inbound:"inet4_route_exclude_address,omitempty"` - Inet6RouteExcludeAddress []string `inbound:"inet6_route_exclude_address,omitempty"` + Inet4RouteAddress []string `inbound:"inet4-route-address,omitempty"` + Inet6RouteAddress []string `inbound:"inet6-route-address,omitempty"` + Inet4RouteExcludeAddress []string `inbound:"inet4-route-exclude-address,omitempty"` + Inet6RouteExcludeAddress []string `inbound:"inet6-route-exclude-address,omitempty"` } func (o TunOption) Equal(config C.InboundConfig) bool { diff --git a/listener/listener.go b/listener/listener.go index 76860e0d43..2e25c8b8f6 100644 --- a/listener/listener.go +++ b/listener/listener.go @@ -2,16 +2,12 @@ package listener import ( "fmt" - "golang.org/x/exp/slices" "net" - "sort" "strconv" "strings" "sync" - "github.com/metacubex/mihomo/component/ebpf" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/listener/autoredir" LC "github.com/metacubex/mihomo/listener/config" "github.com/metacubex/mihomo/listener/http" "github.com/metacubex/mihomo/listener/mixed" @@ -49,24 +45,19 @@ var ( shadowSocksListener C.MultiAddrListener vmessListener *sing_vmess.Listener tuicListener *tuic.Listener - autoRedirListener *autoredir.Listener - autoRedirProgram *ebpf.TcEBpfProgram - tcProgram *ebpf.TcEBpfProgram // lock for recreate function - socksMux sync.Mutex - httpMux sync.Mutex - redirMux sync.Mutex - tproxyMux sync.Mutex - mixedMux sync.Mutex - tunnelMux sync.Mutex - inboundMux sync.Mutex - tunMux sync.Mutex - ssMux sync.Mutex - vmessMux sync.Mutex - tuicMux sync.Mutex - autoRedirMux sync.Mutex - tcMux sync.Mutex + socksMux sync.Mutex + httpMux sync.Mutex + redirMux sync.Mutex + tproxyMux sync.Mutex + mixedMux sync.Mutex + tunnelMux sync.Mutex + inboundMux sync.Mutex + tunMux sync.Mutex + ssMux sync.Mutex + vmessMux sync.Mutex + tuicMux sync.Mutex LastTunConf LC.Tun LastTuicConf LC.TuicServer @@ -504,6 +495,8 @@ func ReCreateMixed(port int, tunnel C.Tunnel) { } func ReCreateTun(tunConf LC.Tun, tunnel C.Tunnel) { + tunConf.Sort() + tunMux.Lock() defer func() { LastTunConf = tunConf @@ -518,7 +511,7 @@ func ReCreateTun(tunConf LC.Tun, tunnel C.Tunnel) { } }() - if !hasTunConfigChange(&tunConf) { + if tunConf.Equal(LastTunConf) { if tunLister != nil { tunLister.FlushDefaultInterface() } @@ -540,95 +533,6 @@ func ReCreateTun(tunConf LC.Tun, tunnel C.Tunnel) { log.Infoln("[TUN] Tun adapter listening at: %s", tunLister.Address()) } -func ReCreateRedirToTun(ifaceNames []string) { - tcMux.Lock() - defer tcMux.Unlock() - - nicArr := ifaceNames - slices.Sort(nicArr) - nicArr = slices.Compact(nicArr) - - if tcProgram != nil { - tcProgram.Close() - tcProgram = nil - } - - if len(nicArr) == 0 { - return - } - - tunConf := GetTunConf() - - if !tunConf.Enable { - return - } - - program, err := ebpf.NewTcEBpfProgram(nicArr, tunConf.Device) - if err != nil { - log.Errorln("Attached tc ebpf program error: %v", err) - return - } - tcProgram = program - - log.Infoln("Attached tc ebpf program to interfaces %v", tcProgram.RawNICs()) -} - -func ReCreateAutoRedir(ifaceNames []string, tunnel C.Tunnel) { - autoRedirMux.Lock() - defer autoRedirMux.Unlock() - - var err error - defer func() { - if err != nil { - if autoRedirListener != nil { - _ = autoRedirListener.Close() - autoRedirListener = nil - } - if autoRedirProgram != nil { - autoRedirProgram.Close() - autoRedirProgram = nil - } - log.Errorln("Start auto redirect server error: %s", err.Error()) - } - }() - - nicArr := ifaceNames - slices.Sort(nicArr) - nicArr = slices.Compact(nicArr) - - if autoRedirListener != nil && autoRedirProgram != nil { - _ = autoRedirListener.Close() - autoRedirProgram.Close() - autoRedirListener = nil - autoRedirProgram = nil - } - - if len(nicArr) == 0 { - return - } - - defaultRouteInterfaceName, err := ebpf.GetAutoDetectInterface() - if err != nil { - return - } - - addr := genAddr("*", C.TcpAutoRedirPort, true) - - autoRedirListener, err = autoredir.New(addr, tunnel) - if err != nil { - return - } - - autoRedirProgram, err = ebpf.NewRedirEBpfProgram(nicArr, autoRedirListener.TCPAddr().Port(), defaultRouteInterfaceName) - if err != nil { - return - } - - autoRedirListener.SetLookupFunc(autoRedirProgram.Lookup) - - log.Infoln("Auto redirect proxy listening at: %s, attached tc ebpf program to interfaces %v", autoRedirListener.Address(), autoRedirProgram.RawNICs()) -} - func PatchTunnel(tunnels []LC.Tunnel, tunnel C.Tunnel) { tunnelMux.Lock() defer tunnelMux.Unlock() @@ -811,137 +715,6 @@ func genAddr(host string, port int, allowLan bool) string { return fmt.Sprintf("127.0.0.1:%d", port) } -func hasTunConfigChange(tunConf *LC.Tun) bool { - if LastTunConf.Enable != tunConf.Enable || - LastTunConf.Device != tunConf.Device || - LastTunConf.Stack != tunConf.Stack || - LastTunConf.AutoRoute != tunConf.AutoRoute || - LastTunConf.AutoDetectInterface != tunConf.AutoDetectInterface || - LastTunConf.MTU != tunConf.MTU || - LastTunConf.GSO != tunConf.GSO || - LastTunConf.GSOMaxSize != tunConf.GSOMaxSize || - LastTunConf.IPRoute2TableIndex != tunConf.IPRoute2TableIndex || - LastTunConf.IPRoute2RuleIndex != tunConf.IPRoute2RuleIndex || - LastTunConf.AutoRedirect != tunConf.AutoRedirect || - LastTunConf.AutoRedirectInputMark != tunConf.AutoRedirectInputMark || - LastTunConf.AutoRedirectOutputMark != tunConf.AutoRedirectOutputMark || - LastTunConf.StrictRoute != tunConf.StrictRoute || - LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat || - LastTunConf.UDPTimeout != tunConf.UDPTimeout || - LastTunConf.FileDescriptor != tunConf.FileDescriptor { - return true - } - - if len(LastTunConf.DNSHijack) != len(tunConf.DNSHijack) { - return true - } - - sort.Slice(tunConf.DNSHijack, func(i, j int) bool { - return tunConf.DNSHijack[i] < tunConf.DNSHijack[j] - }) - - sort.Slice(tunConf.RouteAddress, func(i, j int) bool { - return tunConf.RouteAddress[i].String() < tunConf.RouteAddress[j].String() - }) - - sort.Slice(tunConf.RouteAddressSet, func(i, j int) bool { - return tunConf.RouteAddressSet[i] < tunConf.RouteAddressSet[j] - }) - - sort.Slice(tunConf.RouteExcludeAddress, func(i, j int) bool { - return tunConf.RouteExcludeAddress[i].String() < tunConf.RouteExcludeAddress[j].String() - }) - - sort.Slice(tunConf.RouteExcludeAddressSet, func(i, j int) bool { - return tunConf.RouteExcludeAddressSet[i] < tunConf.RouteExcludeAddressSet[j] - }) - - sort.Slice(tunConf.Inet4Address, func(i, j int) bool { - return tunConf.Inet4Address[i].String() < tunConf.Inet4Address[j].String() - }) - - sort.Slice(tunConf.Inet6Address, func(i, j int) bool { - return tunConf.Inet6Address[i].String() < tunConf.Inet6Address[j].String() - }) - - sort.Slice(tunConf.Inet4RouteAddress, func(i, j int) bool { - return tunConf.Inet4RouteAddress[i].String() < tunConf.Inet4RouteAddress[j].String() - }) - - sort.Slice(tunConf.Inet6RouteAddress, func(i, j int) bool { - return tunConf.Inet6RouteAddress[i].String() < tunConf.Inet6RouteAddress[j].String() - }) - - sort.Slice(tunConf.Inet4RouteExcludeAddress, func(i, j int) bool { - return tunConf.Inet4RouteExcludeAddress[i].String() < tunConf.Inet4RouteExcludeAddress[j].String() - }) - - sort.Slice(tunConf.Inet6RouteExcludeAddress, func(i, j int) bool { - return tunConf.Inet6RouteExcludeAddress[i].String() < tunConf.Inet6RouteExcludeAddress[j].String() - }) - - sort.Slice(tunConf.IncludeInterface, func(i, j int) bool { - return tunConf.IncludeInterface[i] < tunConf.IncludeInterface[j] - }) - - sort.Slice(tunConf.ExcludeInterface, func(i, j int) bool { - return tunConf.ExcludeInterface[i] < tunConf.ExcludeInterface[j] - }) - - sort.Slice(tunConf.IncludeUID, func(i, j int) bool { - return tunConf.IncludeUID[i] < tunConf.IncludeUID[j] - }) - - sort.Slice(tunConf.IncludeUIDRange, func(i, j int) bool { - return tunConf.IncludeUIDRange[i] < tunConf.IncludeUIDRange[j] - }) - - sort.Slice(tunConf.ExcludeUID, func(i, j int) bool { - return tunConf.ExcludeUID[i] < tunConf.ExcludeUID[j] - }) - - sort.Slice(tunConf.ExcludeUIDRange, func(i, j int) bool { - return tunConf.ExcludeUIDRange[i] < tunConf.ExcludeUIDRange[j] - }) - - sort.Slice(tunConf.IncludeAndroidUser, func(i, j int) bool { - return tunConf.IncludeAndroidUser[i] < tunConf.IncludeAndroidUser[j] - }) - - sort.Slice(tunConf.IncludePackage, func(i, j int) bool { - return tunConf.IncludePackage[i] < tunConf.IncludePackage[j] - }) - - sort.Slice(tunConf.ExcludePackage, func(i, j int) bool { - return tunConf.ExcludePackage[i] < tunConf.ExcludePackage[j] - }) - - if !slices.Equal(tunConf.DNSHijack, LastTunConf.DNSHijack) || - !slices.Equal(tunConf.RouteAddress, LastTunConf.RouteAddress) || - !slices.Equal(tunConf.RouteAddressSet, LastTunConf.RouteAddressSet) || - !slices.Equal(tunConf.RouteExcludeAddress, LastTunConf.RouteExcludeAddress) || - !slices.Equal(tunConf.RouteExcludeAddressSet, LastTunConf.RouteExcludeAddressSet) || - !slices.Equal(tunConf.Inet4Address, LastTunConf.Inet4Address) || - !slices.Equal(tunConf.Inet6Address, LastTunConf.Inet6Address) || - !slices.Equal(tunConf.Inet4RouteAddress, LastTunConf.Inet4RouteAddress) || - !slices.Equal(tunConf.Inet6RouteAddress, LastTunConf.Inet6RouteAddress) || - !slices.Equal(tunConf.Inet4RouteExcludeAddress, LastTunConf.Inet4RouteExcludeAddress) || - !slices.Equal(tunConf.Inet6RouteExcludeAddress, LastTunConf.Inet6RouteExcludeAddress) || - !slices.Equal(tunConf.IncludeInterface, LastTunConf.IncludeInterface) || - !slices.Equal(tunConf.ExcludeInterface, LastTunConf.ExcludeInterface) || - !slices.Equal(tunConf.IncludeUID, LastTunConf.IncludeUID) || - !slices.Equal(tunConf.IncludeUIDRange, LastTunConf.IncludeUIDRange) || - !slices.Equal(tunConf.ExcludeUID, LastTunConf.ExcludeUID) || - !slices.Equal(tunConf.ExcludeUIDRange, LastTunConf.ExcludeUIDRange) || - !slices.Equal(tunConf.IncludeAndroidUser, LastTunConf.IncludeAndroidUser) || - !slices.Equal(tunConf.IncludePackage, LastTunConf.IncludePackage) || - !slices.Equal(tunConf.ExcludePackage, LastTunConf.ExcludePackage) { - return true - } - - return false -} - func closeTunListener() { if tunLister != nil { tunLister.Close() diff --git a/listener/mixed/mixed.go b/listener/mixed/mixed.go index 367b7a3683..12390061c0 100644 --- a/listener/mixed/mixed.go +++ b/listener/mixed/mixed.go @@ -4,9 +4,10 @@ import ( "net" "github.com/metacubex/mihomo/adapter/inbound" - "github.com/metacubex/mihomo/common/lru" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" + authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/listener/http" "github.com/metacubex/mihomo/listener/socks" "github.com/metacubex/mihomo/transport/socks4" @@ -16,7 +17,6 @@ import ( type Listener struct { listener net.Listener addr string - cache *lru.LruCache[string, bool] closed bool } @@ -37,6 +37,10 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -53,7 +57,6 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener ml := &Listener{ listener: l, addr: addr, - cache: lru.New[string, bool](lru.WithAge[string, bool](30)), } go func() { for { @@ -64,20 +67,24 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener } continue } + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) { _ = c.Close() continue } + if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) { + getAuth = authStore.Nil + } } - go handleConn(c, tunnel, ml.cache, additions...) + go handleConn(c, tunnel, getAuth, additions...) } }() return ml, nil } -func handleConn(conn net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], additions ...inbound.Addition) { +func handleConn(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { N.TCPKeepAlive(conn) bufConn := N.NewBufferedConn(conn) @@ -88,10 +95,10 @@ func handleConn(conn net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool switch head[0] { case socks4.Version: - socks.HandleSocks4(bufConn, tunnel, additions...) + socks.HandleSocks4(bufConn, tunnel, getAuth, additions...) case socks5.Version: - socks.HandleSocks5(bufConn, tunnel, additions...) + socks.HandleSocks5(bufConn, tunnel, getAuth, additions...) default: - http.HandleConn(bufConn, tunnel, cache, additions...) + http.HandleConn(bufConn, tunnel, getAuth, additions...) } } diff --git a/listener/shadowsocks/tcp.go b/listener/shadowsocks/tcp.go index c08667de6b..c38438142d 100644 --- a/listener/shadowsocks/tcp.go +++ b/listener/shadowsocks/tcp.go @@ -22,7 +22,7 @@ type Listener struct { var _listener *Listener -func New(config LC.ShadowsocksServer, tunnel C.Tunnel) (*Listener, error) { +func New(config LC.ShadowsocksServer, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { pickCipher, err := core.PickCipher(config.Cipher, nil, config.Password) if err != nil { return nil, err @@ -36,7 +36,7 @@ func New(config LC.ShadowsocksServer, tunnel C.Tunnel) (*Listener, error) { if config.Udp { //UDP - ul, err := NewUDP(addr, pickCipher, tunnel) + ul, err := NewUDP(addr, pickCipher, tunnel, additions...) if err != nil { return nil, err } @@ -60,7 +60,7 @@ func New(config LC.ShadowsocksServer, tunnel C.Tunnel) (*Listener, error) { continue } N.TCPKeepAlive(c) - go sl.HandleConn(c, tunnel) + go sl.HandleConn(c, tunnel, additions...) } }() } diff --git a/listener/shadowsocks/udp.go b/listener/shadowsocks/udp.go index 4336db2253..77932ed1b1 100644 --- a/listener/shadowsocks/udp.go +++ b/listener/shadowsocks/udp.go @@ -17,7 +17,7 @@ type UDPListener struct { closed bool } -func NewUDP(addr string, pickCipher core.Cipher, tunnel C.Tunnel) (*UDPListener, error) { +func NewUDP(addr string, pickCipher core.Cipher, tunnel C.Tunnel, additions ...inbound.Addition) (*UDPListener, error) { l, err := net.ListenPacket("udp", addr) if err != nil { return nil, err @@ -42,7 +42,7 @@ func NewUDP(addr string, pickCipher core.Cipher, tunnel C.Tunnel) (*UDPListener, } continue } - handleSocksUDP(conn, tunnel, data, put, remoteAddr) + handleSocksUDP(conn, tunnel, data, put, remoteAddr, additions...) } }() diff --git a/listener/sing/sing.go b/listener/sing/sing.go index 10390e7326..0d4bb92657 100644 --- a/listener/sing/sing.go +++ b/listener/sing/sing.go @@ -129,6 +129,12 @@ func (h *ListenerHandler) NewConnection(ctx context.Context, conn net.Conn, meta NetWork: C.TCP, Type: h.Type, } + if metadata.Source.IsIP() && metadata.Source.Fqdn == "" { + cMetadata.RawSrcAddr = metadata.Source.Unwrap().TCPAddr() + } + if metadata.Destination.IsIP() && metadata.Destination.Fqdn == "" { + cMetadata.RawDstAddr = metadata.Destination.Unwrap().TCPAddr() + } inbound.ApplyAdditions(cMetadata, inbound.WithDstAddr(metadata.Destination), inbound.WithSrcAddr(metadata.Source), inbound.WithInAddr(conn.LocalAddr())) inbound.ApplyAdditions(cMetadata, getAdditions(ctx)...) inbound.ApplyAdditions(cMetadata, h.Additions...) @@ -185,6 +191,12 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network. NetWork: C.UDP, Type: h.Type, } + if metadata.Source.IsIP() && metadata.Source.Fqdn == "" { + cMetadata.RawSrcAddr = metadata.Source.Unwrap().UDPAddr() + } + if dest.IsIP() && dest.Fqdn == "" { + cMetadata.RawDstAddr = dest.Unwrap().UDPAddr() + } inbound.ApplyAdditions(cMetadata, inbound.WithDstAddr(dest), inbound.WithSrcAddr(metadata.Source), inbound.WithInAddr(conn.LocalAddr())) inbound.ApplyAdditions(cMetadata, getAdditions(ctx)...) inbound.ApplyAdditions(cMetadata, h.Additions...) diff --git a/listener/sing_shadowsocks/server.go b/listener/sing_shadowsocks/server.go index bd5002a464..1cb798f7d0 100644 --- a/listener/sing_shadowsocks/server.go +++ b/listener/sing_shadowsocks/server.go @@ -72,7 +72,7 @@ func New(config LC.ShadowsocksServer, tunnel C.Tunnel, additions ...inbound.Addi sl.service, err = shadowaead_2022.NewServiceWithPassword(config.Cipher, config.Password, udpTimeout, h, ntp.Now) default: err = fmt.Errorf("shadowsocks: unsupported method: %s", config.Cipher) - return embedSS.New(config, tunnel) + return embedSS.New(config, tunnel, additions...) } if err != nil { return nil, err diff --git a/listener/sing_tun/iface.go b/listener/sing_tun/iface.go index cc14207824..543d206c0d 100644 --- a/listener/sing_tun/iface.go +++ b/listener/sing_tun/iface.go @@ -13,6 +13,11 @@ type defaultInterfaceFinder struct{} var DefaultInterfaceFinder control.InterfaceFinder = (*defaultInterfaceFinder)(nil) +func (f *defaultInterfaceFinder) Update() error { + iface.FlushCache() + return nil +} + func (f *defaultInterfaceFinder) Interfaces() []control.Interface { ifaces, err := iface.Interfaces() if err != nil { diff --git a/listener/sing_tun/server.go b/listener/sing_tun/server.go index e8c2ad286b..c2c668b34e 100644 --- a/listener/sing_tun/server.go +++ b/listener/sing_tun/server.go @@ -136,7 +136,7 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis options.AutoRedirect = false } tunName := options.Device - if tunName == "" || !checkTunName(tunName) { + if options.FileDescriptor == 0 && (tunName == "" || !checkTunName(tunName)) { tunName = CalculateInterfaceName(InterfaceName) options.Device = tunName } @@ -264,31 +264,35 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis interfaceFinder := DefaultInterfaceFinder - networkUpdateMonitor, err := tun.NewNetworkUpdateMonitor(log.SingLogger) - if err != nil { - err = E.Cause(err, "create NetworkUpdateMonitor") - return - } - l.networkUpdateMonitor = networkUpdateMonitor - err = networkUpdateMonitor.Start() - if err != nil { - err = E.Cause(err, "start NetworkUpdateMonitor") - return - } + var networkUpdateMonitor tun.NetworkUpdateMonitor + var defaultInterfaceMonitor tun.DefaultInterfaceMonitor + if options.AutoRoute || options.AutoDetectInterface { // don't start NetworkUpdateMonitor because netlink banned by google on Android14+ + networkUpdateMonitor, err = tun.NewNetworkUpdateMonitor(log.SingLogger) + if err != nil { + err = E.Cause(err, "create NetworkUpdateMonitor") + return + } + l.networkUpdateMonitor = networkUpdateMonitor + err = networkUpdateMonitor.Start() + if err != nil { + err = E.Cause(err, "start NetworkUpdateMonitor") + return + } - defaultInterfaceMonitor, err := tun.NewDefaultInterfaceMonitor(networkUpdateMonitor, log.SingLogger, tun.DefaultInterfaceMonitorOptions{OverrideAndroidVPN: true}) - if err != nil { - err = E.Cause(err, "create DefaultInterfaceMonitor") - return - } - l.defaultInterfaceMonitor = defaultInterfaceMonitor - defaultInterfaceMonitor.RegisterCallback(func(event int) { - l.FlushDefaultInterface() - }) - err = defaultInterfaceMonitor.Start() - if err != nil { - err = E.Cause(err, "start DefaultInterfaceMonitor") - return + defaultInterfaceMonitor, err = tun.NewDefaultInterfaceMonitor(networkUpdateMonitor, log.SingLogger, tun.DefaultInterfaceMonitorOptions{OverrideAndroidVPN: true}) + if err != nil { + err = E.Cause(err, "create DefaultInterfaceMonitor") + return + } + l.defaultInterfaceMonitor = defaultInterfaceMonitor + defaultInterfaceMonitor.RegisterCallback(func(event int) { + l.FlushDefaultInterface() + }) + err = defaultInterfaceMonitor.Start() + if err != nil { + err = E.Cause(err, "start DefaultInterfaceMonitor") + return + } } tunOptions := tun.Options{ @@ -331,7 +335,7 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis Context: ctx, Handler: handler.TypeMutation(C.REDIR), Logger: log.SingLogger, - NetworkMonitor: networkUpdateMonitor, + NetworkMonitor: l.networkUpdateMonitor, InterfaceFinder: interfaceFinder, TableName: "mihomo", DisableNFTables: dErr == nil && disableNFTables, @@ -436,6 +440,9 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis //l.openAndroidHotspot(tunOptions) + if options.FileDescriptor != 0 { + tunName = fmt.Sprintf("%s(fd=%d)", tunName, options.FileDescriptor) + } l.addrStr = fmt.Sprintf("%s(%s,%s), mtu: %d, auto route: %v, auto redir: %v, ip stack: %s", tunName, tunOptions.Inet4Address, tunOptions.Inet6Address, tunMTU, options.AutoRoute, options.AutoRedirect, options.Stack) return @@ -489,7 +496,7 @@ func (l *Listener) updateRule(ruleProvider provider.RuleProvider, exclude bool, } func (l *Listener) FlushDefaultInterface() { - if l.options.AutoDetectInterface { + if l.options.AutoDetectInterface && l.defaultInterfaceMonitor != nil { for _, destination := range []netip.Addr{netip.IPv4Unspecified(), netip.IPv6Unspecified(), netip.MustParseAddr("1.1.1.1")} { autoDetectInterfaceName := l.defaultInterfaceMonitor.DefaultInterfaceName(destination) if autoDetectInterfaceName == l.tunName { diff --git a/listener/sing_tun/server_android.go b/listener/sing_tun/server_android.go index ac41282d51..d8240534ed 100644 --- a/listener/sing_tun/server_android.go +++ b/listener/sing_tun/server_android.go @@ -1,29 +1,82 @@ +//go:build android && !cmfa + package sing_tun import ( + "errors" + "runtime" + "sync" + + "github.com/metacubex/mihomo/component/process" + "github.com/metacubex/mihomo/constant" + "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/log" - tun "github.com/metacubex/sing-tun" + + "github.com/metacubex/sing-tun" "github.com/sagernet/netlink" "golang.org/x/sys/unix" - "runtime" ) -func (l *Listener) buildAndroidRules(tunOptions *tun.Options) error { - packageManager, err := tun.NewPackageManager(l.handler) +type packageManagerCallback struct{} + +func (cb *packageManagerCallback) OnPackagesUpdated(packageCount int, sharedCount int) {} + +func newPackageManager() (tun.PackageManager, error) { + packageManager, err := tun.NewPackageManager(tun.PackageManagerOptions{ + Callback: &packageManagerCallback{}, + Logger: log.SingLogger, + }) if err != nil { - return err + return nil, err } err = packageManager.Start() + if err != nil { + return nil, err + } + return packageManager, nil +} + +var ( + globalPM tun.PackageManager + pmOnce sync.Once + pmErr error +) + +func getPackageManager() (tun.PackageManager, error) { + pmOnce.Do(func() { + globalPM, pmErr = newPackageManager() + }) + return globalPM, pmErr +} + +func (l *Listener) buildAndroidRules(tunOptions *tun.Options) error { + packageManager, err := getPackageManager() if err != nil { return err } - l.packageManager = packageManager tunOptions.BuildAndroidRules(packageManager, l.handler) return nil } -func (h *ListenerHandler) OnPackagesUpdated(packages int, sharedUsers int) { - return +func findPackageName(metadata *constant.Metadata) (string, error) { + packageManager, err := getPackageManager() + if err != nil { + return "", err + } + uid := metadata.Uid + if sharedPackage, loaded := packageManager.SharedPackageByID(uid % 100000); loaded { + return sharedPackage, nil + } + if packageName, loaded := packageManager.PackageByID(uid % 100000); loaded { + return packageName, nil + } + return "", errors.New("package not found") +} + +func init() { + if !features.CMFA { + process.DefaultPackageNameResolver = findPackageName + } } func (l *Listener) openAndroidHotspot(tunOptions tun.Options) { diff --git a/listener/sing_tun/server_notandroid.go b/listener/sing_tun/server_notandroid.go index 6b30ee03b2..10fd3997b4 100644 --- a/listener/sing_tun/server_notandroid.go +++ b/listener/sing_tun/server_notandroid.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android || cmfa package sing_tun diff --git a/listener/socks/tcp.go b/listener/socks/tcp.go index f2696e3fc1..3e98a60276 100644 --- a/listener/socks/tcp.go +++ b/listener/socks/tcp.go @@ -6,6 +6,7 @@ import ( "github.com/metacubex/mihomo/adapter/inbound" N "github.com/metacubex/mihomo/common/net" + "github.com/metacubex/mihomo/component/auth" C "github.com/metacubex/mihomo/constant" authStore "github.com/metacubex/mihomo/listener/auth" "github.com/metacubex/mihomo/transport/socks4" @@ -35,6 +36,10 @@ func (l *Listener) Close() error { } func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) { + return NewWithAuthenticator(addr, tunnel, authStore.Authenticator, additions...) +} + +func NewWithAuthenticator(addr string, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) (*Listener, error) { isDefault := false if len(additions) == 0 { isDefault = true @@ -61,20 +66,24 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener } continue } + getAuth := getAuth if isDefault { // only apply on default listener if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) { _ = c.Close() continue } + if inbound.SkipAuthRemoteAddr(c.RemoteAddr()) { + getAuth = authStore.Nil + } } - go handleSocks(c, tunnel, additions...) + go handleSocks(c, tunnel, getAuth, additions...) } }() return sl, nil } -func handleSocks(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { +func handleSocks(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { N.TCPKeepAlive(conn) bufConn := N.NewBufferedConn(conn) head, err := bufConn.Peek(1) @@ -85,19 +94,16 @@ func handleSocks(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) switch head[0] { case socks4.Version: - HandleSocks4(bufConn, tunnel, additions...) + HandleSocks4(bufConn, tunnel, getAuth, additions...) case socks5.Version: - HandleSocks5(bufConn, tunnel, additions...) + HandleSocks5(bufConn, tunnel, getAuth, additions...) default: conn.Close() } } -func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { - authenticator = nil - } +func HandleSocks4(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + authenticator := getAuth() addr, _, user, err := socks4.ServerHandshake(conn, authenticator) if err != nil { conn.Close() @@ -107,11 +113,8 @@ func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) tunnel.HandleTCPConn(inbound.NewSocket(socks5.ParseAddr(addr), conn, C.SOCKS4, additions...)) } -func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) { - authenticator := authStore.Authenticator() - if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) { - authenticator = nil - } +func HandleSocks5(conn net.Conn, tunnel C.Tunnel, getAuth func() auth.Authenticator, additions ...inbound.Addition) { + authenticator := getAuth() target, command, user, err := socks5.ServerHandshake(conn, authenticator) if err != nil { conn.Close() diff --git a/log/level.go b/log/level.go index ea06ee4bb9..a4c6ecbd41 100644 --- a/log/level.go +++ b/log/level.go @@ -3,6 +3,7 @@ package log import ( "encoding/json" "errors" + "strings" ) // LogLevelMapping is a mapping for LogLevel enum @@ -28,7 +29,7 @@ type LogLevel int func (l *LogLevel) UnmarshalYAML(unmarshal func(any) error) error { var tp string unmarshal(&tp) - level, exist := LogLevelMapping[tp] + level, exist := LogLevelMapping[strings.ToLower(tp)] if !exist { return errors.New("invalid mode") } @@ -40,7 +41,7 @@ func (l *LogLevel) UnmarshalYAML(unmarshal func(any) error) error { func (l *LogLevel) UnmarshalJSON(data []byte) error { var tp string json.Unmarshal(data, &tp) - level, exist := LogLevelMapping[tp] + level, exist := LogLevelMapping[strings.ToLower(tp)] if !exist { return errors.New("invalid mode") } @@ -48,9 +49,14 @@ func (l *LogLevel) UnmarshalJSON(data []byte) error { return nil } -// MarshalJSON serialize LogLevel with json -func (l LogLevel) MarshalJSON() ([]byte, error) { - return json.Marshal(l.String()) +// UnmarshalText unserialize LogLevel +func (l *LogLevel) UnmarshalText(data []byte) error { + level, exist := LogLevelMapping[strings.ToLower(string(data))] + if !exist { + return errors.New("invalid mode") + } + *l = level + return nil } // MarshalYAML serialize LogLevel with yaml @@ -58,6 +64,16 @@ func (l LogLevel) MarshalYAML() (any, error) { return l.String(), nil } +// MarshalJSON serialize LogLevel with json +func (l LogLevel) MarshalJSON() ([]byte, error) { + return json.Marshal(l.String()) +} + +// MarshalText serialize LogLevel +func (l LogLevel) MarshalText() ([]byte, error) { + return []byte(l.String()), nil +} + func (l LogLevel) String() string { switch l { case INFO: diff --git a/main.go b/main.go index 61f1d683bd..8910a00653 100644 --- a/main.go +++ b/main.go @@ -1,6 +1,7 @@ package main import ( + "encoding/base64" "flag" "fmt" "os" @@ -10,6 +11,7 @@ import ( "strings" "syscall" + "github.com/metacubex/mihomo/component/geodata" "github.com/metacubex/mihomo/component/updater" "github.com/metacubex/mihomo/config" C "github.com/metacubex/mihomo/constant" @@ -17,6 +19,7 @@ import ( "github.com/metacubex/mihomo/hub" "github.com/metacubex/mihomo/hub/executor" "github.com/metacubex/mihomo/log" + "github.com/metacubex/mihomo/rules/provider" "go.uber.org/automaxprocs/maxprocs" ) @@ -27,6 +30,8 @@ var ( geodataMode bool homeDir string configFile string + configString string + configBytes []byte externalUI string externalController string externalControllerUnix string @@ -36,6 +41,7 @@ var ( func init() { flag.StringVar(&homeDir, "d", os.Getenv("CLASH_HOME_DIR"), "set configuration directory") flag.StringVar(&configFile, "f", os.Getenv("CLASH_CONFIG_FILE"), "specify configuration file") + flag.StringVar(&configString, "config", os.Getenv("CLASH_CONFIG_STRING"), "specify base64-encoded configuration string") flag.StringVar(&externalUI, "ext-ui", os.Getenv("CLASH_OVERRIDE_EXTERNAL_UI_DIR"), "override external ui directory") flag.StringVar(&externalController, "ext-ctl", os.Getenv("CLASH_OVERRIDE_EXTERNAL_CONTROLLER"), "override external controller address") flag.StringVar(&externalControllerUnix, "ext-ctl-unix", os.Getenv("CLASH_OVERRIDE_EXTERNAL_CONTROLLER_UNIX"), "override external controller unix address") @@ -48,6 +54,12 @@ func init() { func main() { _, _ = maxprocs.Set(maxprocs.Logger(func(string, ...any) {})) + + if len(os.Args) > 1 && os.Args[1] == "convert-ruleset" { + provider.ConvertMain(os.Args[2:]) + return + } + if version { fmt.Printf("Mihomo Meta %s %s %s with %s %s\n", C.Version, runtime.GOOS, runtime.GOARCH, runtime.Version(), C.BuildTime) @@ -66,29 +78,46 @@ func main() { C.SetHomeDir(homeDir) } - if configFile != "" { - if !filepath.IsAbs(configFile) { - currentDir, _ := os.Getwd() - configFile = filepath.Join(currentDir, configFile) - } - } else { - configFile = filepath.Join(C.Path.HomeDir(), C.Path.Config()) - } - C.SetConfig(configFile) - if geodataMode { - C.GeodataMode = true + geodata.SetGeodataMode(true) } - if err := config.Init(C.Path.HomeDir()); err != nil { - log.Fatalln("Initial configuration directory error: %s", err.Error()) + if configString != "" { + var err error + configBytes, err = base64.StdEncoding.DecodeString(configString) + if err != nil { + log.Fatalln("Initial configuration error: %s", err.Error()) + return + } + } else { + if configFile != "" { + if !filepath.IsAbs(configFile) { + currentDir, _ := os.Getwd() + configFile = filepath.Join(currentDir, configFile) + } + } else { + configFile = filepath.Join(C.Path.HomeDir(), C.Path.Config()) + } + C.SetConfig(configFile) + + if err := config.Init(C.Path.HomeDir()); err != nil { + log.Fatalln("Initial configuration directory error: %s", err.Error()) + } } if testConfig { - if _, err := executor.Parse(); err != nil { - log.Errorln(err.Error()) - fmt.Printf("configuration file %s test failed\n", C.Path.Config()) - os.Exit(1) + if len(configBytes) != 0 { + if _, err := executor.ParseWithBytes(configBytes); err != nil { + log.Errorln(err.Error()) + fmt.Println("configuration test failed") + os.Exit(1) + } + } else { + if _, err := executor.Parse(); err != nil { + log.Errorln(err.Error()) + fmt.Printf("configuration file %s test failed\n", C.Path.Config()) + os.Exit(1) + } } fmt.Printf("configuration file %s test is successful\n", C.Path.Config()) return @@ -108,22 +137,12 @@ func main() { options = append(options, hub.WithSecret(secret)) } - if err := hub.Parse(options...); err != nil { + if err := hub.Parse(configBytes, options...); err != nil { log.Fatalln("Parse config error: %s", err.Error()) } - if C.GeoAutoUpdate { - updater.RegisterGeoUpdater(func() { - cfg, err := executor.ParseWithPath(C.Path.Config()) - if err != nil { - log.Errorln("[GEO] update GEO databases failed: %v", err) - return - } - - log.Warnln("[GEO] update GEO databases success, applying config") - - executor.ApplyConfig(cfg, false) - }) + if updater.GeoAutoUpdate() { + updater.RegisterGeoUpdater() } defer executor.Shutdown() @@ -137,11 +156,19 @@ func main() { case <-termSign: return case <-hupSign: - if cfg, err := executor.ParseWithPath(C.Path.Config()); err == nil { - executor.ApplyConfig(cfg, true) + var cfg *config.Config + var err error + if configString != "" { + cfg, err = executor.ParseWithBytes(configBytes) + } else { + cfg, err = executor.ParseWithPath(C.Path.Config()) + } + if err == nil { + hub.ApplyConfig(cfg) } else { log.Errorln("Parse config error: %s", err.Error()) } + } } } diff --git a/rules/common/base.go b/rules/common/base.go index 670df1d969..496bcaeecd 100644 --- a/rules/common/base.go +++ b/rules/common/base.go @@ -2,11 +2,18 @@ package common import ( "errors" + + "golang.org/x/exp/slices" ) var ( errPayload = errors.New("payloadRule error") - noResolve = "no-resolve" +) + +// params +var ( + NoResolve = "no-resolve" + Src = "src" ) type Base struct { @@ -22,11 +29,12 @@ func (b *Base) ShouldResolveIP() bool { func (b *Base) ProviderNames() []string { return nil } -func HasNoResolve(params []string) bool { - for _, p := range params { - if p == noResolve { - return true - } +func ParseParams(params []string) (isSrc bool, noResolve bool) { + isSrc = slices.Contains(params, Src) + if isSrc { + noResolve = true + } else { + noResolve = slices.Contains(params, NoResolve) } - return false + return } diff --git a/rules/common/geoip.go b/rules/common/geoip.go index b50680a47a..61fae50443 100644 --- a/rules/common/geoip.go +++ b/rules/common/geoip.go @@ -1,7 +1,9 @@ package common import ( + "errors" "fmt" + "net/netip" "strings" "github.com/metacubex/mihomo/component/geodata" @@ -10,16 +12,16 @@ import ( "github.com/metacubex/mihomo/component/resolver" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/log" + + "golang.org/x/exp/slices" ) type GEOIP struct { *Base - country string - adapter string - noResolveIP bool - isSourceIP bool - geoIPMatcher *router.GeoIPMatcher - recodeSize int + country string + adapter string + noResolveIP bool + isSourceIP bool } var _ C.Rule = (*GEOIP)(nil) @@ -41,48 +43,114 @@ func (g *GEOIP) Match(metadata *C.Metadata) (bool, string) { } if g.country == "lan" { - return ip.IsPrivate() || - ip.IsUnspecified() || - ip.IsLoopback() || - ip.IsMulticast() || - ip.IsLinkLocalUnicast() || - resolver.IsFakeBroadcastIP(ip), g.adapter + return g.isLan(ip), g.adapter } - for _, code := range metadata.DstGeoIP { - if g.country == code { - return true, g.adapter - } - } - - if !C.GeodataMode { + if geodata.GeodataMode() { if g.isSourceIP { - codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) - for _, code := range codes { - if g.country == code { - return true, g.adapter - } + if slices.Contains(metadata.SrcGeoIP, g.country) { + return true, g.adapter + } + } else { + if slices.Contains(metadata.DstGeoIP, g.country) { + return true, g.adapter } - return false, g.adapter } + matcher, err := g.getIPMatcher() + if err != nil { + return false, "" + } + match := matcher.Match(ip) + if match { + if g.isSourceIP { + metadata.SrcGeoIP = append(metadata.SrcGeoIP, g.country) + } else { + metadata.DstGeoIP = append(metadata.DstGeoIP, g.country) + } + } + return match, g.adapter + } + if g.isSourceIP { + if metadata.SrcGeoIP != nil { + return slices.Contains(metadata.SrcGeoIP, g.country), g.adapter + } + } else { if metadata.DstGeoIP != nil { - return false, g.adapter + return slices.Contains(metadata.DstGeoIP, g.country), g.adapter } - metadata.DstGeoIP = mmdb.IPInstance().LookupCode(ip.AsSlice()) - for _, code := range metadata.DstGeoIP { - if g.country == code { - return true, g.adapter - } + } + codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) + if g.isSourceIP { + metadata.SrcGeoIP = codes + } else { + metadata.DstGeoIP = codes + } + if slices.Contains(codes, g.country) { + return true, g.adapter + } + return false, "" +} + +// MatchIp implements C.IpMatcher +func (g *GEOIP) MatchIp(ip netip.Addr) bool { + if !ip.IsValid() { + return false + } + + if g.country == "lan" { + return g.isLan(ip) + } + + if geodata.GeodataMode() { + matcher, err := g.getIPMatcher() + if err != nil { + return false } - return false, g.adapter + return matcher.Match(ip) + } + + codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) + return slices.Contains(codes, g.country) +} + +// MatchIp implements C.IpMatcher +func (g dnsFallbackFilter) MatchIp(ip netip.Addr) bool { + if !ip.IsValid() { + return false + } + + if g.isLan(ip) { // compatible with original behavior + return false } - match := g.geoIPMatcher.Match(ip) - if match && !g.isSourceIP { - metadata.DstGeoIP = append(metadata.DstGeoIP, g.country) + if geodata.GeodataMode() { + matcher, err := g.getIPMatcher() + if err != nil { + return false + } + return !matcher.Match(ip) } - return match, g.adapter + + codes := mmdb.IPInstance().LookupCode(ip.AsSlice()) + return !slices.Contains(codes, g.country) +} + +type dnsFallbackFilter struct { + *GEOIP +} + +func (g *GEOIP) DnsFallbackFilter() C.IpMatcher { // for dns.fallback-filter.geoip + return dnsFallbackFilter{GEOIP: g} +} + +func (g *GEOIP) isLan(ip netip.Addr) bool { + return ip.IsPrivate() || + ip.IsUnspecified() || + ip.IsLoopback() || + ip.IsMulticast() || + ip.IsLinkLocalUnicast() || + resolver.IsFakeBroadcastIP(ip) } func (g *GEOIP) Adapter() string { @@ -101,46 +169,56 @@ func (g *GEOIP) GetCountry() string { return g.country } -func (g *GEOIP) GetIPMatcher() *router.GeoIPMatcher { - return g.geoIPMatcher +func (g *GEOIP) GetIPMatcher() (router.IPMatcher, error) { + if geodata.GeodataMode() { + return g.getIPMatcher() + } + return nil, errors.New("not geodata mode") +} + +func (g *GEOIP) getIPMatcher() (router.IPMatcher, error) { + geoIPMatcher, err := geodata.LoadGeoIPMatcher(g.country) + if err != nil { + return nil, fmt.Errorf("[GeoIP] %w", err) + } + return geoIPMatcher, nil + } func (g *GEOIP) GetRecodeSize() int { - return g.recodeSize + if matcher, err := g.GetIPMatcher(); err == nil { + return matcher.Count() + } + return 0 } func NewGEOIP(country string, adapter string, isSrc, noResolveIP bool) (*GEOIP, error) { - if err := geodata.InitGeoIP(); err != nil { - log.Errorln("can't initial GeoIP: %s", err) - return nil, err - } country = strings.ToLower(country) - if !C.GeodataMode || country == "lan" { - geoip := &GEOIP{ - Base: &Base{}, - country: country, - adapter: adapter, - noResolveIP: noResolveIP, - isSourceIP: isSrc, - } + geoip := &GEOIP{ + Base: &Base{}, + country: country, + adapter: adapter, + noResolveIP: noResolveIP, + isSourceIP: isSrc, + } + + if country == "lan" { return geoip, nil } - geoIPMatcher, size, err := geodata.LoadGeoIPMatcher(country) - if err != nil { - return nil, fmt.Errorf("[GeoIP] %w", err) + if err := geodata.InitGeoIP(); err != nil { + log.Errorln("can't initial GeoIP: %s", err) + return nil, err } - log.Infoln("Start initial GeoIP rule %s => %s, records: %d", country, adapter, size) - geoip := &GEOIP{ - Base: &Base{}, - country: country, - adapter: adapter, - noResolveIP: noResolveIP, - isSourceIP: isSrc, - geoIPMatcher: geoIPMatcher, - recodeSize: size, + if geodata.GeodataMode() { + geoIPMatcher, err := geoip.getIPMatcher() // test load + if err != nil { + return nil, err + } + log.Infoln("Finished initial GeoIP rule %s => %s, records: %d", country, adapter, geoIPMatcher.Count()) } + return geoip, nil } diff --git a/rules/common/geosite.go b/rules/common/geosite.go index 1e3c1ab5ad..851bc8a43d 100644 --- a/rules/common/geosite.go +++ b/rules/common/geosite.go @@ -15,7 +15,6 @@ type GEOSITE struct { *Base country string adapter string - matcher router.DomainMatcher recodeSize int } @@ -24,11 +23,19 @@ func (gs *GEOSITE) RuleType() C.RuleType { } func (gs *GEOSITE) Match(metadata *C.Metadata) (bool, string) { - domain := metadata.RuleHost() + return gs.MatchDomain(metadata.RuleHost()), gs.adapter +} + +// MatchDomain implements C.DomainMatcher +func (gs *GEOSITE) MatchDomain(domain string) bool { if len(domain) == 0 { - return false, "" + return false + } + matcher, err := gs.GetDomainMatcher() + if err != nil { + return false } - return gs.matcher.ApplyDomain(domain), gs.adapter + return matcher.ApplyDomain(domain) } func (gs *GEOSITE) Adapter() string { @@ -39,12 +46,19 @@ func (gs *GEOSITE) Payload() string { return gs.country } -func (gs *GEOSITE) GetDomainMatcher() router.DomainMatcher { - return gs.matcher +func (gs *GEOSITE) GetDomainMatcher() (router.DomainMatcher, error) { + matcher, err := geodata.LoadGeoSiteMatcher(gs.country) + if err != nil { + return nil, fmt.Errorf("load GeoSite data error, %w", err) + } + return matcher, nil } func (gs *GEOSITE) GetRecodeSize() int { - return gs.recodeSize + if matcher, err := gs.GetDomainMatcher(); err == nil { + return matcher.Count() + } + return 0 } func NewGEOSITE(country string, adapter string) (*GEOSITE, error) { @@ -53,21 +67,19 @@ func NewGEOSITE(country string, adapter string) (*GEOSITE, error) { return nil, err } - matcher, size, err := geodata.LoadGeoSiteMatcher(country) - if err != nil { - return nil, fmt.Errorf("load GeoSite data error, %s", err.Error()) + geoSite := &GEOSITE{ + Base: &Base{}, + country: country, + adapter: adapter, } - log.Infoln("Start initial GeoSite rule %s => %s, records: %d", country, adapter, size) - - geoSite := &GEOSITE{ - Base: &Base{}, - country: country, - adapter: adapter, - matcher: matcher, - recodeSize: size, + matcher, err := geoSite.GetDomainMatcher() // test load + if err != nil { + return nil, err } + log.Infoln("Finished initial GeoSite rule %s => %s, records: %d", country, adapter, matcher.Count()) + return geoSite, nil } diff --git a/rules/common/ipasn.go b/rules/common/ipasn.go index df4b6531c6..813923ac1f 100644 --- a/rules/common/ipasn.go +++ b/rules/common/ipasn.go @@ -28,8 +28,11 @@ func (a *ASN) Match(metadata *C.Metadata) (bool, string) { result := mmdb.ASNInstance().LookupASN(ip.AsSlice()) asnNumber := strconv.FormatUint(uint64(result.AutonomousSystemNumber), 10) - if !a.isSourceIP { - metadata.DstIPASN = asnNumber + " " + result.AutonomousSystemOrganization + ipASN := asnNumber + " " + result.AutonomousSystemOrganization + if a.isSourceIP { + metadata.SrcIPASN = ipASN + } else { + metadata.DstIPASN = ipASN } match := a.asn == asnNumber @@ -60,7 +63,6 @@ func (a *ASN) GetASN() string { } func NewIPASN(asn string, adapter string, isSrc, noResolveIP bool) (*ASN, error) { - C.ASNEnable = true if err := geodata.InitASN(); err != nil { log.Errorln("can't initial ASN: %s", err) return nil, err diff --git a/rules/logic/logic.go b/rules/logic/logic.go index 747a47df18..bfc3307f56 100644 --- a/rules/logic/logic.go +++ b/rules/logic/logic.go @@ -4,6 +4,7 @@ import ( "fmt" "regexp" "strings" + "sync" list "github.com/bahlo/generic-list-go" @@ -13,19 +14,19 @@ import ( type Logic struct { *common.Base - payload string - adapter string - ruleType C.RuleType - rules []C.Rule - subRules map[string][]C.Rule - needIP bool - needProcess bool + payload string + adapter string + ruleType C.RuleType + rules []C.Rule + subRules map[string][]C.Rule + + payloadOnce sync.Once } type ParseRuleFunc func(tp, payload, target string, params []string, subRules map[string][]C.Rule) (C.Rule, error) func NewSubRule(payload, adapter string, subRules map[string][]C.Rule, parseRule ParseRuleFunc) (*Logic, error) { - logic := &Logic{Base: &common.Base{}, payload: payload, adapter: adapter, ruleType: C.SubRules} + logic := &Logic{Base: &common.Base{}, payload: payload, adapter: adapter, ruleType: C.SubRules, subRules: subRules} err := logic.parsePayload(fmt.Sprintf("(%s)", payload), parseRule) if err != nil { return nil, err @@ -34,15 +35,6 @@ func NewSubRule(payload, adapter string, subRules map[string][]C.Rule, parseRule if len(logic.rules) != 1 { return nil, fmt.Errorf("Sub-Rule rule must contain one rule") } - for _, rule := range subRules[adapter] { - if rule.ShouldResolveIP() { - logic.needIP = true - } - if rule.ShouldFindProcess() { - logic.needProcess = true - } - } - logic.subRules = subRules return logic, nil } @@ -56,9 +48,6 @@ func NewNOT(payload string, adapter string, parseRule ParseRuleFunc) (*Logic, er if len(logic.rules) != 1 { return nil, fmt.Errorf("not rule must contain one rule") } - logic.needIP = logic.rules[0].ShouldResolveIP() - logic.needProcess = logic.rules[0].ShouldFindProcess() - logic.payload = fmt.Sprintf("(!(%s,%s))", logic.rules[0].RuleType(), logic.rules[0].Payload()) return logic, nil } @@ -68,40 +57,15 @@ func NewOR(payload string, adapter string, parseRule ParseRuleFunc) (*Logic, err if err != nil { return nil, err } - - payloads := make([]string, 0, len(logic.rules)) - for _, rule := range logic.rules { - payloads = append(payloads, fmt.Sprintf("(%s,%s)", rule.RuleType().String(), rule.Payload())) - if rule.ShouldResolveIP() { - logic.needIP = true - } - if rule.ShouldFindProcess() { - logic.needProcess = true - } - } - logic.payload = fmt.Sprintf("(%s)", strings.Join(payloads, " || ")) - return logic, nil } + func NewAND(payload string, adapter string, parseRule ParseRuleFunc) (*Logic, error) { logic := &Logic{Base: &common.Base{}, payload: payload, adapter: adapter, ruleType: C.AND} err := logic.parsePayload(payload, parseRule) if err != nil { return nil, err } - - payloads := make([]string, 0, len(logic.rules)) - for _, rule := range logic.rules { - payloads = append(payloads, fmt.Sprintf("(%s,%s)", rule.RuleType().String(), rule.Payload())) - if rule.ShouldResolveIP() { - logic.needIP = true - } - if rule.ShouldFindProcess() { - logic.needProcess = true - } - } - logic.payload = fmt.Sprintf("(%s)", strings.Join(payloads, " && ")) - return logic, nil } @@ -218,13 +182,6 @@ func (logic *Logic) parsePayload(payload string, parseRule ParseRuleFunc) error return err } - if rule.ShouldResolveIP() { - logic.needIP = true - } - if rule.ShouldFindProcess() { - logic.needProcess = true - } - rules = append(rules, rule) } @@ -279,9 +236,9 @@ func (logic *Logic) Match(metadata *C.Metadata) (bool, string) { } } return true, logic.adapter + default: + return false, "" } - - return false, "" } func (logic *Logic) Adapter() string { @@ -289,15 +246,58 @@ func (logic *Logic) Adapter() string { } func (logic *Logic) Payload() string { + logic.payloadOnce.Do(func() { // a little bit expensive, so only computed once + switch logic.ruleType { + case C.NOT: + logic.payload = fmt.Sprintf("(!(%s,%s))", logic.rules[0].RuleType(), logic.rules[0].Payload()) + case C.OR: + payloads := make([]string, 0, len(logic.rules)) + for _, rule := range logic.rules { + payloads = append(payloads, fmt.Sprintf("(%s,%s)", rule.RuleType().String(), rule.Payload())) + } + logic.payload = fmt.Sprintf("(%s)", strings.Join(payloads, " || ")) + case C.AND: + payloads := make([]string, 0, len(logic.rules)) + for _, rule := range logic.rules { + payloads = append(payloads, fmt.Sprintf("(%s,%s)", rule.RuleType().String(), rule.Payload())) + } + logic.payload = fmt.Sprintf("(%s)", strings.Join(payloads, " && ")) + default: + } + }) return logic.payload } func (logic *Logic) ShouldResolveIP() bool { - return logic.needIP + if logic.ruleType == C.SubRules { + for _, rule := range logic.subRules[logic.adapter] { + if rule.ShouldResolveIP() { + return true + } + } + } + for _, rule := range logic.rules { + if rule.ShouldResolveIP() { + return true + } + } + return false } func (logic *Logic) ShouldFindProcess() bool { - return logic.needProcess + if logic.ruleType == C.SubRules { + for _, rule := range logic.subRules[logic.adapter] { + if rule.ShouldFindProcess() { + return true + } + } + } + for _, rule := range logic.rules { + if rule.ShouldFindProcess() { + return true + } + } + return false } func (logic *Logic) ProviderNames() (names []string) { diff --git a/rules/parser.go b/rules/parser.go index 45cfff95e6..aa8481f1dd 100644 --- a/rules/parser.go +++ b/rules/parser.go @@ -22,23 +22,23 @@ func ParseRule(tp, payload, target string, params []string, subRules map[string] case "GEOSITE": parsed, parseErr = RC.NewGEOSITE(payload, target) case "GEOIP": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewGEOIP(payload, target, false, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewGEOIP(payload, target, isSrc, noResolve) case "SRC-GEOIP": parsed, parseErr = RC.NewGEOIP(payload, target, true, true) case "IP-ASN": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewIPASN(payload, target, false, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewIPASN(payload, target, isSrc, noResolve) case "SRC-IP-ASN": parsed, parseErr = RC.NewIPASN(payload, target, true, true) case "IP-CIDR", "IP-CIDR6": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewIPCIDR(payload, target, RC.WithIPCIDRNoResolve(noResolve)) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewIPCIDR(payload, target, RC.WithIPCIDRSourceIP(isSrc), RC.WithIPCIDRNoResolve(noResolve)) case "SRC-IP-CIDR": parsed, parseErr = RC.NewIPCIDR(payload, target, RC.WithIPCIDRSourceIP(true), RC.WithIPCIDRNoResolve(true)) case "IP-SUFFIX": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RC.NewIPSuffix(payload, target, false, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RC.NewIPSuffix(payload, target, isSrc, noResolve) case "SRC-IP-SUFFIX": parsed, parseErr = RC.NewIPSuffix(payload, target, true, true) case "SRC-PORT": @@ -80,8 +80,8 @@ func ParseRule(tp, payload, target string, params []string, subRules map[string] case "SCHEDULE": parsed, parseErr = RC.NewSchedule(payload, target) case "RULE-SET": - noResolve := RC.HasNoResolve(params) - parsed, parseErr = RP.NewRuleSet(payload, target, noResolve) + isSrc, noResolve := RC.ParseParams(params) + parsed, parseErr = RP.NewRuleSet(payload, target, isSrc, noResolve) case "MATCH": parsed = RC.NewMatch(target) parseErr = nil diff --git a/rules/provider/classical_strategy.go b/rules/provider/classical_strategy.go index 8353ebce40..205a8e5996 100644 --- a/rules/provider/classical_strategy.go +++ b/rules/provider/classical_strategy.go @@ -5,6 +5,7 @@ import ( "strings" C "github.com/metacubex/mihomo/constant" + P "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/log" ) @@ -16,6 +17,10 @@ type classicalStrategy struct { parse func(tp, payload, target string, params []string) (parsed C.Rule, parseErr error) } +func (c *classicalStrategy) Behavior() P.RuleBehavior { + return P.Classical +} + func (c *classicalStrategy) Match(metadata *C.Metadata) bool { for _, rule := range c.rules { if m, _ := rule.Match(metadata); m { diff --git a/rules/provider/domain_strategy.go b/rules/provider/domain_strategy.go index c0787d5839..b893f038b2 100644 --- a/rules/provider/domain_strategy.go +++ b/rules/provider/domain_strategy.go @@ -1,9 +1,16 @@ package provider import ( + "errors" + "io" + "strings" + "github.com/metacubex/mihomo/component/trie" C "github.com/metacubex/mihomo/constant" + P "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/log" + + "golang.org/x/exp/slices" ) type domainStrategy struct { @@ -12,6 +19,10 @@ type domainStrategy struct { domainSet *trie.DomainSet } +func (d *domainStrategy) Behavior() P.RuleBehavior { + return P.Domain +} + func (d *domainStrategy) ShouldFindProcess() bool { return false } @@ -35,6 +46,10 @@ func (d *domainStrategy) Reset() { } func (d *domainStrategy) Insert(rule string) { + if strings.ContainsRune(rule, '/') { + log.Warnln("invalid domain:[%s]", rule) + return + } err := d.domainTrie.Insert(rule, struct{}{}) if err != nil { log.Warnln("invalid domain:[%s]", rule) @@ -48,6 +63,45 @@ func (d *domainStrategy) FinishInsert() { d.domainTrie = nil } +func (d *domainStrategy) FromMrs(r io.Reader, count int) error { + domainSet, err := trie.ReadDomainSetBin(r) + if err != nil { + return err + } + d.count = count + d.domainSet = domainSet + return nil +} + +func (d *domainStrategy) WriteMrs(w io.Writer) error { + if d.domainSet == nil { + return errors.New("nil domainSet") + } + return d.domainSet.WriteBin(w) +} + +func (d *domainStrategy) DumpMrs(f func(key string) bool) { + if d.domainSet != nil { + var keys []string + d.domainSet.Foreach(func(key string) bool { + keys = append(keys, key) + return true + }) + slices.Sort(keys) + + for _, key := range keys { + if _, ok := slices.BinarySearch(keys, "+."+key); ok { + continue // ignore the rules added by trie internal processing + } + if !f(key) { + return + } + } + } +} + +var _ mrsRuleStrategy = (*domainStrategy)(nil) + func NewDomainStrategy() *domainStrategy { return &domainStrategy{} } diff --git a/rules/provider/ipcidr_strategy.go b/rules/provider/ipcidr_strategy.go index d0545c7cc2..9efffed96b 100644 --- a/rules/provider/ipcidr_strategy.go +++ b/rules/provider/ipcidr_strategy.go @@ -1,8 +1,13 @@ package provider import ( + "errors" + "io" + "net/netip" + "github.com/metacubex/mihomo/component/cidr" C "github.com/metacubex/mihomo/constant" + P "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/log" "go4.org/netipx" @@ -15,6 +20,10 @@ type ipcidrStrategy struct { //trie *trie.IpCidrTrie } +func (i *ipcidrStrategy) Behavior() P.RuleBehavior { + return P.IPCIDR +} + func (i *ipcidrStrategy) ShouldFindProcess() bool { return false } @@ -54,6 +63,34 @@ func (i *ipcidrStrategy) FinishInsert() { i.cidrSet.Merge() } +func (i *ipcidrStrategy) FromMrs(r io.Reader, count int) error { + cidrSet, err := cidr.ReadIpCidrSet(r) + if err != nil { + return err + } + i.count = count + i.cidrSet = cidrSet + if i.count > 0 { + i.shouldResolveIP = true + } + return nil +} + +func (i *ipcidrStrategy) WriteMrs(w io.Writer) error { + if i.cidrSet == nil { + return errors.New("nil cidrSet") + } + return i.cidrSet.WriteBin(w) +} + +func (i *ipcidrStrategy) DumpMrs(f func(key string) bool) { + if i.cidrSet != nil { + i.cidrSet.Foreach(func(prefix netip.Prefix) bool { + return f(prefix.String()) + }) + } +} + func (i *ipcidrStrategy) ToIpCidr() *netipx.IPSet { return i.cidrSet.ToIPSet() } diff --git a/rules/provider/mrs_converter.go b/rules/provider/mrs_converter.go new file mode 100644 index 0000000000..dbbe51cb29 --- /dev/null +++ b/rules/provider/mrs_converter.go @@ -0,0 +1,120 @@ +package provider + +import ( + "encoding/binary" + "errors" + "fmt" + "io" + "os" + + P "github.com/metacubex/mihomo/constant/provider" + + "github.com/klauspost/compress/zstd" +) + +func ConvertToMrs(buf []byte, behavior P.RuleBehavior, format P.RuleFormat, w io.Writer) (err error) { + strategy := newStrategy(behavior, nil) + strategy, err = rulesParse(buf, strategy, format) + if err != nil { + return err + } + if strategy.Count() == 0 { + return errors.New("empty rule") + } + if _strategy, ok := strategy.(mrsRuleStrategy); ok { + if format == P.MrsRule { // export to TextRule + _strategy.DumpMrs(func(key string) bool { + _, err = fmt.Fprintln(w, key) + if err != nil { + return false + } + return true + }) + return nil + } + + var encoder *zstd.Encoder + encoder, err = zstd.NewWriter(w, zstd.WithEncoderLevel(zstd.SpeedBestCompression)) + if err != nil { + return err + } + defer func() { + zstdErr := encoder.Close() + if err == nil { + err = zstdErr + } + }() + + // header + _, err = encoder.Write(MrsMagicBytes[:]) + if err != nil { + return err + } + + // behavior + _behavior := []byte{behavior.Byte()} + _, err = encoder.Write(_behavior[:]) + if err != nil { + return err + } + + // count + count := int64(_strategy.Count()) + err = binary.Write(encoder, binary.BigEndian, count) + if err != nil { + return err + } + + // extra (reserved for future using) + var extra []byte + err = binary.Write(encoder, binary.BigEndian, int64(len(extra))) + if err != nil { + return err + } + _, err = encoder.Write(extra) + if err != nil { + return err + } + + return _strategy.WriteMrs(encoder) + } else { + return ErrInvalidFormat + } +} + +func ConvertMain(args []string) { + if len(args) > 3 { + behavior, err := P.ParseBehavior(args[0]) + if err != nil { + panic(err) + } + format, err := P.ParseRuleFormat(args[1]) + if err != nil { + panic(err) + } + source := args[2] + target := args[3] + + sourceFile, err := os.ReadFile(source) + if err != nil { + panic(err) + } + + targetFile, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) + if err != nil { + panic(err) + } + + err = ConvertToMrs(sourceFile, behavior, format, targetFile) + if err != nil { + panic(err) + } + + err = targetFile.Close() + if err != nil { + panic(err) + } + } else { + panic("Usage: convert-ruleset ") + } +} diff --git a/rules/provider/mrs_reader.go b/rules/provider/mrs_reader.go new file mode 100644 index 0000000000..66f62127c8 --- /dev/null +++ b/rules/provider/mrs_reader.go @@ -0,0 +1,72 @@ +package provider + +import ( + "bytes" + "encoding/binary" + "errors" + "fmt" + "io" + + "github.com/klauspost/compress/zstd" +) + +var MrsMagicBytes = [4]byte{'M', 'R', 'S', 1} // MRSv1 + +func rulesMrsParse(buf []byte, strategy ruleStrategy) (ruleStrategy, error) { + if _strategy, ok := strategy.(mrsRuleStrategy); ok { + reader, err := zstd.NewReader(bytes.NewReader(buf)) + if err != nil { + return nil, err + } + defer reader.Close() + + // header + var header [4]byte + _, err = io.ReadFull(reader, header[:]) + if err != nil { + return nil, err + } + if header != MrsMagicBytes { + return nil, fmt.Errorf("invalid MrsMagic bytes") + } + + // behavior + var _behavior [1]byte + _, err = io.ReadFull(reader, _behavior[:]) + if err != nil { + return nil, err + } + if _behavior[0] != strategy.Behavior().Byte() { + return nil, fmt.Errorf("invalid behavior") + } + + // count + var count int64 + err = binary.Read(reader, binary.BigEndian, &count) + if err != nil { + return nil, err + } + + // extra (reserved for future using) + var length int64 + err = binary.Read(reader, binary.BigEndian, &length) + if err != nil { + return nil, err + } + if length < 0 { + return nil, errors.New("length is invalid") + } + if length > 0 { + extra := make([]byte, length) + _, err = io.ReadFull(reader, extra) + if err != nil { + return nil, err + } + } + + err = _strategy.FromMrs(reader, int(count)) + return strategy, err + } else { + return nil, ErrInvalidFormat + } +} diff --git a/rules/provider/parse.go b/rules/provider/parse.go index a20da28d5c..3bd8f54c8e 100644 --- a/rules/provider/parse.go +++ b/rules/provider/parse.go @@ -8,7 +8,6 @@ import ( "github.com/metacubex/mihomo/common/structure" "github.com/metacubex/mihomo/component/resource" C "github.com/metacubex/mihomo/constant" - "github.com/metacubex/mihomo/constant/features" P "github.com/metacubex/mihomo/constant/provider" ) @@ -32,28 +31,13 @@ func ParseRuleProvider(name string, mapping map[string]interface{}, parse func(t if err := decoder.Decode(mapping, schema); err != nil { return nil, err } - var behavior P.RuleBehavior - - switch schema.Behavior { - case "domain": - behavior = P.Domain - case "ipcidr": - behavior = P.IPCIDR - case "classical": - behavior = P.Classical - default: - return nil, fmt.Errorf("unsupported behavior type: %s", schema.Behavior) + behavior, err := P.ParseBehavior(schema.Behavior) + if err != nil { + return nil, err } - - var format P.RuleFormat - - switch schema.Format { - case "", "yaml": - format = P.YamlRule - case "text": - format = P.TextRule - default: - return nil, fmt.Errorf("unsupported format type: %s", schema.Format) + format, err := P.ParseRuleFormat(schema.Format) + if err != nil { + return nil, err } var vehicle P.Vehicle @@ -65,11 +49,11 @@ func ParseRuleProvider(name string, mapping map[string]interface{}, parse func(t path := C.Path.GetPathByHash("rules", schema.URL) if schema.Path != "" { path = C.Path.Resolve(schema.Path) - if !features.CMFA && !C.Path.IsSafePath(path) { + if !C.Path.IsSafePath(path) { return nil, fmt.Errorf("%w: %s", errSubPath, path) } } - vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, nil) + vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, nil, resource.DefaultHttpTimeout) default: return nil, fmt.Errorf("unsupported vehicle type: %s", schema.Type) } diff --git a/rules/provider/patch_android.go b/rules/provider/patch_android.go deleted file mode 100644 index 7ef1df1b59..0000000000 --- a/rules/provider/patch_android.go +++ /dev/null @@ -1,27 +0,0 @@ -//go:build android && cmfa - -package provider - -import "time" - -var ( - suspended bool -) - -type UpdatableProvider interface { - UpdatedAt() time.Time -} - -func (rp *ruleSetProvider) UpdatedAt() time.Time { - return rp.Fetcher.UpdatedAt -} - -func (rp *ruleSetProvider) Close() error { - rp.Fetcher.Destroy() - - return nil -} - -func Suspend(s bool) { - suspended = s -} diff --git a/rules/provider/provider.go b/rules/provider/provider.go index 6c03c6e5f3..0cbf83bacd 100644 --- a/rules/provider/provider.go +++ b/rules/provider/provider.go @@ -4,16 +4,17 @@ import ( "bytes" "encoding/json" "errors" + "io" "runtime" "strings" "time" - "gopkg.in/yaml.v3" - "github.com/metacubex/mihomo/common/pool" "github.com/metacubex/mihomo/component/resource" C "github.com/metacubex/mihomo/constant" P "github.com/metacubex/mihomo/constant/provider" + + "gopkg.in/yaml.v3" ) var tunnel P.Tunnel @@ -43,6 +44,7 @@ type RulePayload struct { } type ruleStrategy interface { + Behavior() P.RuleBehavior Match(metadata *C.Metadata) bool Count() int ShouldResolveIP() bool @@ -52,27 +54,24 @@ type ruleStrategy interface { FinishInsert() } +type mrsRuleStrategy interface { + ruleStrategy + FromMrs(r io.Reader, count int) error + WriteMrs(w io.Writer) error + DumpMrs(f func(key string) bool) +} + func (rp *ruleSetProvider) Type() P.ProviderType { return P.Rule } func (rp *ruleSetProvider) Initial() error { - elm, err := rp.Fetcher.Initial() - if err != nil { - return err - } - - rp.OnUpdate(elm) - return nil + _, err := rp.Fetcher.Initial() + return err } func (rp *ruleSetProvider) Update() error { - elm, same, err := rp.Fetcher.Update() - if err == nil && !same { - rp.OnUpdate(elm) - return nil - } - + _, _, err := rp.Fetcher.Update() return err } @@ -80,6 +79,10 @@ func (rp *ruleSetProvider) Behavior() P.RuleBehavior { return rp.behavior } +func (rp *ruleSetProvider) Count() int { + return rp.strategy.Count() +} + func (rp *ruleSetProvider) Match(metadata *C.Metadata) bool { return rp.strategy != nil && rp.strategy.Match(metadata) } @@ -104,11 +107,16 @@ func (rp *ruleSetProvider) MarshalJSON() ([]byte, error) { "name": rp.Name(), "ruleCount": rp.strategy.Count(), "type": rp.Type().String(), - "updatedAt": rp.UpdatedAt, + "updatedAt": rp.UpdatedAt(), "vehicleType": rp.VehicleType().String(), }) } +func (rp *RuleSetProvider) Close() error { + runtime.SetFinalizer(rp, nil) + return rp.ruleSetProvider.Close() +} + func NewRuleSetProvider(name string, behavior P.RuleBehavior, format P.RuleFormat, interval time.Duration, vehicle P.Vehicle, parse func(tp, payload, target string, params []string, subRules map[string][]C.Rule) (parsed C.Rule, parseErr error)) P.RuleProvider { rp := &ruleSetProvider{ @@ -130,8 +138,7 @@ func NewRuleSetProvider(name string, behavior P.RuleBehavior, format P.RuleForma rp, } - final := func(provider *RuleSetProvider) { _ = rp.Fetcher.Destroy() } - runtime.SetFinalizer(wrapper, final) + runtime.SetFinalizer(wrapper, (*RuleSetProvider).Close) return wrapper } @@ -152,9 +159,13 @@ func newStrategy(behavior P.RuleBehavior, parse func(tp, payload, target string, } var ErrNoPayload = errors.New("file must have a `payload` field") +var ErrInvalidFormat = errors.New("invalid format") func rulesParse(buf []byte, strategy ruleStrategy, format P.RuleFormat) (ruleStrategy, error) { strategy.Reset() + if format == P.MrsRule { + return rulesMrsParse(buf, strategy) + } schema := &RulePayload{} @@ -228,6 +239,8 @@ func rulesParse(buf []byte, strategy ruleStrategy, format P.RuleFormat) (ruleStr if len(schema.Payload) > 0 { str = schema.Payload[0] } + default: + return nil, ErrInvalidFormat } if str == "" { diff --git a/rules/provider/rule_set.go b/rules/provider/rule_set.go index d85db80558..2ad0bd3d49 100644 --- a/rules/provider/rule_set.go +++ b/rules/provider/rule_set.go @@ -1,6 +1,8 @@ package provider import ( + "net/netip" + C "github.com/metacubex/mihomo/constant" P "github.com/metacubex/mihomo/constant/provider" "github.com/metacubex/mihomo/rules/common" @@ -10,6 +12,7 @@ type RuleSet struct { *common.Base ruleProviderName string adapter string + isSrc bool noResolveIP bool shouldFindProcess bool } @@ -30,20 +33,33 @@ func (rs *RuleSet) RuleType() C.RuleType { func (rs *RuleSet) Match(metadata *C.Metadata) (bool, string) { if provider, ok := rs.getProvider(); ok { + if rs.isSrc { + metadata.SwapSrcDst() + defer metadata.SwapSrcDst() + } return provider.Match(metadata), rs.adapter } return false, "" } +// MatchDomain implements C.DomainMatcher +func (rs *RuleSet) MatchDomain(domain string) bool { + ok, _ := rs.Match(&C.Metadata{Host: domain}) + return ok +} + +// MatchIp implements C.IpMatcher +func (rs *RuleSet) MatchIp(ip netip.Addr) bool { + ok, _ := rs.Match(&C.Metadata{DstIP: ip}) + return ok +} + func (rs *RuleSet) Adapter() string { return rs.adapter } func (rs *RuleSet) Payload() string { - if provider, ok := rs.getProvider(); ok { - return provider.Name() - } - return "" + return rs.ruleProviderName } func (rs *RuleSet) ShouldResolveIP() bool { @@ -65,11 +81,12 @@ func (rs *RuleSet) getProvider() (P.RuleProvider, bool) { return pp, ok } -func NewRuleSet(ruleProviderName string, adapter string, noResolveIP bool) (*RuleSet, error) { +func NewRuleSet(ruleProviderName string, adapter string, isSrc bool, noResolveIP bool) (*RuleSet, error) { rs := &RuleSet{ Base: &common.Base{}, ruleProviderName: ruleProviderName, adapter: adapter, + isSrc: isSrc, noResolveIP: noResolveIP, } return rs, nil diff --git a/test/go.mod b/test/go.mod index 9237488625..f364c2c89d 100644 --- a/test/go.mod +++ b/test/go.mod @@ -22,7 +22,6 @@ require ( github.com/andybalholm/brotli v1.0.5 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/buger/jsonparser v1.1.1 // indirect - github.com/cilium/ebpf v0.12.3 // indirect github.com/coreos/go-iptables v0.7.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/distribution/reference v0.5.0 // indirect diff --git a/test/go.sum b/test/go.sum index af34b356e3..05a23ce937 100644 --- a/test/go.sum +++ b/test/go.sum @@ -19,8 +19,6 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= -github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8= github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/transport/hysteria/core/client.go b/transport/hysteria/core/client.go index 60db8fdf45..782948c018 100644 --- a/transport/hysteria/core/client.go +++ b/transport/hysteria/core/client.go @@ -289,7 +289,10 @@ func (c *Client) DialUDP(dialer utils.PacketDialer) (UDPConn, error) { func (c *Client) Close() error { c.reconnectMutex.Lock() defer c.reconnectMutex.Unlock() - err := c.quicSession.CloseWithError(closeErrorCodeGeneric, "") + var err error + if c.quicSession != nil { + err = c.quicSession.CloseWithError(closeErrorCodeGeneric, "") + } c.closed = true return err } diff --git a/transport/shadowsocks/core/cipher.go b/transport/shadowsocks/core/cipher.go index 44b2e8d42c..7cb12c45c3 100644 --- a/transport/shadowsocks/core/cipher.go +++ b/transport/shadowsocks/core/cipher.go @@ -34,6 +34,11 @@ const ( aeadAes256Gcm = "AEAD_AES_256_GCM" aeadChacha20Poly1305 = "AEAD_CHACHA20_POLY1305" aeadXChacha20Poly1305 = "AEAD_XCHACHA20_POLY1305" + aeadChacha8Poly1305 = "AEAD_CHACHA8_POLY1305" + aeadXChacha8Poly1305 = "AEAD_XCHACHA8_POLY1305" + aeadAes128Ccm = "AEAD_AES_128_CCM" + aeadAes192Ccm = "AEAD_AES_192_CCM" + aeadAes256Ccm = "AEAD_AES_256_CCM" ) // List of AEAD ciphers: key size in bytes and constructor @@ -46,6 +51,11 @@ var aeadList = map[string]struct { aeadAes256Gcm: {32, shadowaead.AESGCM}, aeadChacha20Poly1305: {32, shadowaead.Chacha20Poly1305}, aeadXChacha20Poly1305: {32, shadowaead.XChacha20Poly1305}, + aeadChacha8Poly1305: {32, shadowaead.Chacha8Poly1305}, + aeadXChacha8Poly1305: {32, shadowaead.XChacha8Poly1305}, + aeadAes128Ccm: {16, shadowaead.AESCCM}, + aeadAes192Ccm: {24, shadowaead.AESCCM}, + aeadAes256Ccm: {32, shadowaead.AESCCM}, } // List of stream ciphers: key size in bytes and constructor @@ -95,6 +105,16 @@ func PickCipher(name string, key []byte, password string) (Cipher, error) { name = aeadAes192Gcm case "AES-256-GCM": name = aeadAes256Gcm + case "CHACHA8-IETF-POLY1305": + name = aeadChacha8Poly1305 + case "XCHACHA8-IETF-POLY1305": + name = aeadXChacha8Poly1305 + case "AES-128-CCM": + name = aeadAes128Ccm + case "AES-192-CCM": + name = aeadAes192Ccm + case "AES-256-CCM": + name = aeadAes256Ccm } if choice, ok := aeadList[name]; ok { diff --git a/transport/shadowsocks/shadowaead/cipher.go b/transport/shadowsocks/shadowaead/cipher.go index 3cf7574974..7981d5b15a 100644 --- a/transport/shadowsocks/shadowaead/cipher.go +++ b/transport/shadowsocks/shadowaead/cipher.go @@ -7,6 +7,8 @@ import ( "io" "strconv" + "github.com/metacubex/chacha" + "gitlab.com/go-extension/aes-ccm" "golang.org/x/crypto/chacha20poly1305" "golang.org/x/crypto/hkdf" ) @@ -75,6 +77,25 @@ func AESGCM(psk []byte) (Cipher, error) { return &metaCipher{psk: psk, makeAEAD: aesGCM}, nil } +func aesCCM(key []byte) (cipher.AEAD, error) { + blk, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + return ccm.NewCCM(blk) +} + +// AESCCM creates a new Cipher with a pre-shared key. len(psk) must be +// one of 16, 24, or 32 to select AES-128/196/256-GCM. +func AESCCM(psk []byte) (Cipher, error) { + switch l := len(psk); l { + case 16, 24, 32: // AES 128/196/256 + default: + return nil, aes.KeySizeError(l) + } + return &metaCipher{psk: psk, makeAEAD: aesCCM}, nil +} + // Chacha20Poly1305 creates a new Cipher with a pre-shared key. len(psk) // must be 32. func Chacha20Poly1305(psk []byte) (Cipher, error) { @@ -92,3 +113,21 @@ func XChacha20Poly1305(psk []byte) (Cipher, error) { } return &metaCipher{psk: psk, makeAEAD: chacha20poly1305.NewX}, nil } + +// Chacha8Poly1305 creates a new Cipher with a pre-shared key. len(psk) +// must be 32. +func Chacha8Poly1305(psk []byte) (Cipher, error) { + if len(psk) != chacha.KeySize { + return nil, KeySizeError(chacha.KeySize) + } + return &metaCipher{psk: psk, makeAEAD: chacha.NewChaCha8IETFPoly1305}, nil +} + +// XChacha8Poly1305 creates a new Cipher with a pre-shared key. len(psk) +// must be 32. +func XChacha8Poly1305(psk []byte) (Cipher, error) { + if len(psk) != chacha.KeySize { + return nil, KeySizeError(chacha.KeySize) + } + return &metaCipher{psk: psk, makeAEAD: chacha.NewXChaCha20IETFPoly1305}, nil +} diff --git a/transport/shadowsocks/shadowstream/old_chacha20.go b/transport/shadowsocks/shadowstream/old_chacha20.go index 65737fccd1..eb61232e30 100644 --- a/transport/shadowsocks/shadowstream/old_chacha20.go +++ b/transport/shadowsocks/shadowstream/old_chacha20.go @@ -2,7 +2,8 @@ package shadowstream import ( "crypto/cipher" - "github.com/aead/chacha20/chacha" + + "github.com/metacubex/chacha" ) type chacha20key []byte @@ -11,7 +12,7 @@ func (k chacha20key) IVSize() int { return chacha.NonceSize } func (k chacha20key) Encrypter(iv []byte) cipher.Stream { - c, _ := chacha.NewCipher(iv, k, 20) + c, _ := chacha.NewChaCha20(iv, k) return c } func (k chacha20key) Decrypter(iv []byte) cipher.Stream { diff --git a/tunnel/mode.go b/tunnel/mode.go index a1697a32b0..dd89c3a7b3 100644 --- a/tunnel/mode.go +++ b/tunnel/mode.go @@ -21,6 +21,18 @@ const ( Direct ) +// UnmarshalYAML unserialize Mode with yaml +func (m *TunnelMode) UnmarshalYAML(unmarshal func(any) error) error { + var tp string + unmarshal(&tp) + mode, exist := ModeMapping[strings.ToLower(tp)] + if !exist { + return errors.New("invalid mode") + } + *m = mode + return nil +} + // UnmarshalJSON unserialize Mode func (m *TunnelMode) UnmarshalJSON(data []byte) error { var tp string @@ -33,11 +45,9 @@ func (m *TunnelMode) UnmarshalJSON(data []byte) error { return nil } -// UnmarshalYAML unserialize Mode with yaml -func (m *TunnelMode) UnmarshalYAML(unmarshal func(any) error) error { - var tp string - unmarshal(&tp) - mode, exist := ModeMapping[strings.ToLower(tp)] +// UnmarshalText unserialize Mode +func (m *TunnelMode) UnmarshalText(data []byte) error { + mode, exist := ModeMapping[strings.ToLower(string(data))] if !exist { return errors.New("invalid mode") } @@ -45,14 +55,19 @@ func (m *TunnelMode) UnmarshalYAML(unmarshal func(any) error) error { return nil } +// MarshalYAML serialize TunnelMode with yaml +func (m TunnelMode) MarshalYAML() (any, error) { + return m.String(), nil +} + // MarshalJSON serialize Mode func (m TunnelMode) MarshalJSON() ([]byte, error) { return json.Marshal(m.String()) } -// MarshalYAML serialize TunnelMode with yaml -func (m TunnelMode) MarshalYAML() (any, error) { - return m.String(), nil +// MarshalText serialize Mode +func (m TunnelMode) MarshalText() ([]byte, error) { + return []byte(m.String()), nil } func (m TunnelMode) String() string { diff --git a/tunnel/status.go b/tunnel/status.go index d81dd45e8f..388d597b38 100644 --- a/tunnel/status.go +++ b/tunnel/status.go @@ -22,23 +22,33 @@ const ( Running ) +// UnmarshalYAML unserialize Status with yaml +func (s *TunnelStatus) UnmarshalYAML(unmarshal func(any) error) error { + var tp string + unmarshal(&tp) + status, exist := StatusMapping[strings.ToLower(tp)] + if !exist { + return errors.New("invalid status") + } + *s = status + return nil +} + // UnmarshalJSON unserialize Status func (s *TunnelStatus) UnmarshalJSON(data []byte) error { var tp string json.Unmarshal(data, &tp) status, exist := StatusMapping[strings.ToLower(tp)] if !exist { - return errors.New("invalid mode") + return errors.New("invalid status") } *s = status return nil } -// UnmarshalYAML unserialize Status with yaml -func (s *TunnelStatus) UnmarshalYAML(unmarshal func(any) error) error { - var tp string - unmarshal(&tp) - status, exist := StatusMapping[strings.ToLower(tp)] +// UnmarshalText unserialize Status +func (s *TunnelStatus) UnmarshalText(data []byte) error { + status, exist := StatusMapping[strings.ToLower(string(data))] if !exist { return errors.New("invalid status") } @@ -46,14 +56,19 @@ func (s *TunnelStatus) UnmarshalYAML(unmarshal func(any) error) error { return nil } +// MarshalYAML serialize TunnelMode with yaml +func (s TunnelStatus) MarshalYAML() (any, error) { + return s.String(), nil +} + // MarshalJSON serialize Status func (s TunnelStatus) MarshalJSON() ([]byte, error) { return json.Marshal(s.String()) } -// MarshalYAML serialize TunnelMode with yaml -func (s TunnelStatus) MarshalYAML() (any, error) { - return s.String(), nil +// MarshalText serialize Status +func (s TunnelStatus) MarshalText() ([]byte, error) { + return []byte(s.String()), nil } func (s TunnelStatus) String() string { diff --git a/tunnel/tunnel.go b/tunnel/tunnel.go index 1a6f104dc9..60ba03234d 100644 --- a/tunnel/tunnel.go +++ b/tunnel/tunnel.go @@ -29,18 +29,17 @@ import ( ) var ( - status = newAtomicStatus(Suspend) - tcpQueue = make(chan C.ConnContext, 200) - udpQueue = make(chan C.PacketAdapter, 200) - natTable = nat.New() - rules []C.Rule - listeners = make(map[string]C.InboundListener) - subRules map[string][]C.Rule - proxies = make(map[string]C.Proxy) - providers map[string]provider.ProxyProvider - ruleProviders map[string]provider.RuleProvider - sniffingEnable = false - configMux sync.RWMutex + status = newAtomicStatus(Suspend) + tcpQueue = make(chan C.ConnContext, 200) + udpQueue = make(chan C.PacketAdapter, 200) + natTable = nat.New() + rules []C.Rule + listeners = make(map[string]C.InboundListener) + subRules map[string][]C.Rule + proxies = make(map[string]C.Proxy) + providers map[string]provider.ProxyProvider + ruleProviders map[string]provider.RuleProvider + configMux sync.RWMutex // Outbound Rule mode = Rule @@ -52,6 +51,9 @@ var ( fakeIPRange netip.Prefix + snifferDispatcher *sniffer.Dispatcher + sniffingEnable = false + ruleUpdateCallback = utils.NewCallback[provider.RuleProvider]() ) @@ -115,7 +117,7 @@ func FakeIPRange() netip.Prefix { } func SetSniffing(b bool) { - if sniffer.Dispatcher.Enable() { + if snifferDispatcher.Enable() { configMux.Lock() sniffingEnable = b configMux.Unlock() @@ -208,9 +210,9 @@ func UpdateListeners(newListeners map[string]C.InboundListener) { listeners = newListeners } -func UpdateSniffer(dispatcher *sniffer.SnifferDispatcher) { +func UpdateSniffer(dispatcher *sniffer.Dispatcher) { configMux.Lock() - sniffer.Dispatcher = dispatcher + snifferDispatcher = dispatcher sniffingEnable = dispatcher.Enable() configMux.Unlock() } @@ -225,6 +227,10 @@ func SetMode(m TunnelMode) { mode = m } +func FindProcessMode() P.FindProcessMode { + return findProcessMode +} + // SetFindProcessMode replace SetAlwaysFindProcess // always find process info if legacyAlways = true or mode.Always() = true, may be increase many memory func SetFindProcessMode(mode P.FindProcessMode) { @@ -343,8 +349,8 @@ func handleUDPConn(packet C.PacketAdapter) { return } - if sniffer.Dispatcher.Enable() && sniffingEnable { - sniffer.Dispatcher.UDPSniff(packet) + if sniffingEnable && snifferDispatcher.Enable() { + snifferDispatcher.UDPSniff(packet) } // local resolve UDP dns @@ -452,10 +458,10 @@ func handleTCPConn(connCtx C.ConnContext) { conn := connCtx.Conn() conn.ResetPeeked() // reset before sniffer - if sniffer.Dispatcher.Enable() && sniffingEnable { + if sniffingEnable && snifferDispatcher.Enable() { // Try to sniff a domain when `preHandleMetadata` failed, this is usually // caused by a "Fake DNS record missing" error when enhanced-mode is fake-ip. - if sniffer.Dispatcher.TCPSniff(conn, metadata) { + if snifferDispatcher.TCPSniff(conn, metadata) { // we now have a domain name preHandleFailed = false } @@ -622,6 +628,10 @@ func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) { metadata.Process = filepath.Base(path) metadata.ProcessPath = path metadata.Uid = uid + + if pkg, err := P.FindPackageName(metadata); err == nil { // for android (not CMFA) package names + metadata.Process = pkg + } } } else { // check package names