tun: Set address sets to routes
nekohasekai committed Dec 24, 2024
1 parent eb4a184 commit 41f4b71
Showing 10 changed files with 212 additions and 89 deletions.
56 changes: 42 additions & 14 deletions docs/configuration/inbound/tun.md
Expand Up @@ -4,7 +4,9 @@ icon: material/alert-decagram

!!! quote "Changes in sing-box 1.11.0"

:material-delete-alert: [gso](#gso)
:material-delete-alert: [gso](#gso)
:material-alert-decagram: [route_address_set](#stack)
:material-alert-decagram: [route_exclude_address_set](#stack)

!!! quote "Changes in sing-box 1.10.0"

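Review bot: the two new changelog entries in this hunk link to `#stack` (`[route_address_set](#stack)` and `[route_exclude_address_set](#stack)`), which sends the reader to the `stack` option instead of to the sections this commit actually changes. Point both links at the `#### route_address_set` and `#### route_exclude_address_set` headings further down so the 1.11.0 change log leads to the new tabbed descriptions.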
Expand Down Expand Up @@ -248,15 +250,15 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).

!!! question "Since sing-box 1.10.0"

Connection input mark used by `route_address_set` and `route_exclude_address_set`.
Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.

`0x2023` is used by default.

#### auto_redirect_output_mark

!!! question "Since sing-box 1.10.0"

Connection output mark used by `route_address_set` and `route_exclude_address_set`.
Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.

`0x2024` is used by default.

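Review bot: the replacement line under `auto_redirect_output_mark` now reads "Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`", a copy of the `auto_redirect_input_mark` text; the removed line correctly said "Connection output mark". Restore "output" here, otherwise the two options read identically in the docs even though they default to different values (`0x2023` vs `0x2024`) and mark packets in different directions.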
Expand Down Expand Up @@ -329,29 +331,55 @@ Exclude custom routes when `auto_route` is enabled.

#### route_address_set

!!! question "Since sing-box 1.10.0"
=== "With `auto_redirect` enabled"

!!! quote ""
!!! question "Since sing-box 1.10.0"

Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
!!! quote ""

Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.

Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Unmatched traffic will bypass the sing-box routes.

Conflict with `route.default_mark` and `[dialOptions].routing_mark`.

Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Unmatched traffic will bypass the sing-box routes.
=== "Without `auto_redirect` enabled"

Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
!!! question "Since sing-box 1.11.0"

Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_address`.
Unmatched traffic will bypass the sing-box routes.

Note that it **doesn't work on the Android graphical client** due to
the Android VpnService not being able to handle a large number of routes (DeadSystemException),
but otherwise it works fine on all command line clients and Apple platforms.

#### route_exclude_address_set

!!! question "Since sing-box 1.10.0"
=== "With `auto_redirect` enabled"

!!! quote ""
!!! question "Since sing-box 1.10.0"

!!! quote ""

Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.

Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Matched traffic will bypass the sing-box routes.
Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Matched traffic will bypass the sing-box routes.

Conflict with `route.default_mark` and `[dialOptions].routing_mark`.

=== "Without `auto_redirect` enabled"

!!! question "Since sing-box 1.11.0"

Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_exclude_address`.
Matched traffic will bypass the sing-box routes.

Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
Note that it **doesn't work on the Android graphical client** due to
the Android VpnService not being able to handle a large number of routes (DeadSystemException),
but otherwise it works fine on all command line clients and Apple platforms.

#### endpoint_independent_nat

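Review bot: the new "Without `auto_redirect` enabled" tabs say the rule-set CIDRs are added to routes, "equivalent to adding to `route_address`" / `route_exclude_address`, but unlike the `auto_redirect` tabs they never state that `auto_route` must be enabled, and they say nothing about what happens when the referenced rule-set is missing or empty. Read literally, "Unmatched traffic will bypass the sing-box routes" means an empty `route_address_set` sends all traffic around the tun, which is a fail-open outcome worth spelling out. State the `auto_route` requirement in the 1.11.0 tabs, document the empty/failed rule-set behaviour, and make the Android note say whether the option is rejected with an error or silently ignored on the graphical client.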
52 changes: 39 additions & 13 deletions docs/configuration/inbound/tun.zh.md
Expand Up @@ -4,7 +4,9 @@ icon: material/alert-decagram

!!! quote "sing-box 1.11.0 中的更改"

:material-delete-alert: [gso](#gso)
:material-delete-alert: [gso](#gso)
:material-alert-decagram: [route_address_set](#stack)
:material-alert-decagram: [route_exclude_address_set](#stack)

!!! quote "sing-box 1.10.0 中的更改"

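Review bot: as in the English changelog hunk, the tun.zh.md entries link `route_address_set` and `route_exclude_address_set` to `#stack` rather than to their own headings; fix both link targets in the same commit so the two language versions do not drift apart.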
Expand Down Expand Up @@ -329,29 +331,53 @@ tun 接口的 IPv6 前缀。

#### route_address_set

!!! question "自 sing-box 1.10.0 起"
=== "`auto_redirect` 已启用"

!!! quote ""
!!! question "自 sing-box 1.10.0 起"

!!! quote ""

仅支持 Linux,且需要 nftables,`auto_route` 和 `auto_redirect` 已启用。

将指定规则集中的目标 IP CIDR 规则添加到防火墙。
不匹配的流量将绕过 sing-box 路由。

与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。

仅支持 Linux,且需要 nftables,`auto_route` 和 `auto_redirect` 已启用。
=== "`auto_redirect` 未启用"

将指定规则集中的目标 IP CIDR 规则添加到防火墙。
不匹配的流量将绕过 sing-box 路由。
!!! question "自 sing-box 1.11.0 起"

`route.default_mark``[dialOptions].routing_mark` 冲突。
将指定规则集中的目标 IP CIDR 规则添加到路由,相当于添加到 `route_address`。
不匹配的流量将绕过 sing-box 路由。

请注意,由于 Android VpnService 无法处理大量路由(DeadSystemException),
因此它**在 Android 图形客户端上不起作用**,但除此之外,它在所有命令行客户端和 Apple 平台上都可以正常工作。

#### route_exclude_address_set

!!! question "自 sing-box 1.10.0 起"
=== "`auto_redirect` 已启用"

!!! quote ""
!!! question "自 sing-box 1.10.0 起"

!!! quote ""

仅支持 Linux,且需要 nftables,`auto_route` 和 `auto_redirect` 已启用。

将指定规则集中的目标 IP CIDR 规则添加到防火墙。
匹配的流量将绕过 sing-box 路由。

与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。

=== "`auto_redirect` 未启用"

仅支持 Linux,且需要 nftables,`auto_route` 和 `auto_redirect` 已启用。
!!! question "自 sing-box 1.11.0 起"

将指定规则集中的目标 IP CIDR 规则添加到防火墙
匹配的流量将绕过 sing-box 路由。
将指定规则集中的目标 IP CIDR 规则添加到路由,相当于添加到 `route_exclude_address`
匹配的流量将绕过 sing-box 路由。

`route.default_mark``[dialOptions].routing_mark` 冲突。
请注意,由于 Android VpnService 无法处理大量路由(DeadSystemException),
因此它**在 Android 图形客户端上不起作用**,但除此之外,它在所有命令行客户端和 Apple 平台上都可以正常工作。

#### endpoint_independent_nat

4 changes: 4 additions & 0 deletions experimental/libbox/config.go
Expand Up @@ -66,6 +66,10 @@ func (s *platformInterfaceStub) OpenTun(options *tun.Options, platformOptions op
return nil, os.ErrInvalid
}

func (s *platformInterfaceStub) UpdateRouteOptions(options *tun.Options, platformInterface option.TunPlatformOptions) error {
return os.ErrInvalid
}

func (s *platformInterfaceStub) UsePlatformDefaultInterfaceMonitor() bool {
return true
}
1 change: 1 addition & 0 deletions experimental/libbox/platform.go
Expand Up @@ -9,6 +9,7 @@ type PlatformInterface interface {
UsePlatformAutoDetectInterfaceControl() bool
AutoDetectInterfaceControl(fd int32) error
OpenTun(options TunOptions) (int32, error)
UpdateRouteOptions(options TunOptions) error
WriteLog(message string)
UseProcFS() bool
FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)
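Review bot: adding `UpdateRouteOptions(options TunOptions) error` to the exported `PlatformInterface` breaks every existing libbox implementer (the Android and Apple clients) until they add the method, and the commit message does not flag this. Call it out as a breaking libbox change and document the contract: what an implementer should return when it cannot update routes on a live tun (the Go stub in `config.go` returns `os.ErrInvalid`), and whether the caller treats that error as fatal or leaves the previously installed routes in place.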
1 change: 1 addition & 0 deletions experimental/libbox/platform/interface.go
Expand Up @@ -13,6 +13,7 @@ type Interface interface {
UsePlatformAutoDetectInterfaceControl() bool
AutoDetectInterfaceControl(fd int) error
OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error
CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
Interfaces() ([]adapter.NetworkInterface, error)
SetUnderlyingNetworks(networks []adapter.NetworkInterface) error
18 changes: 16 additions & 2 deletions experimental/libbox/service.go
Expand Up @@ -148,10 +148,10 @@ func (w *platformInterfaceWrapper) AutoDetectInterfaceControl(fd int) error {

func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error) {
if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
return nil, E.New("android: unsupported uid options")
return nil, E.New("platform: unsupported uid options")
}
if len(options.IncludeAndroidUser) > 0 {
return nil, E.New("android: unsupported android_user option")
return nil, E.New("platform: unsupported android_user option")
}
routeRanges, err := options.BuildAutoRouteRanges(true)
if err != nil {
Expand All @@ -174,6 +174,20 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
return tun.New(*options)
}

func (w *platformInterfaceWrapper) UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error {
if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
return E.New("android: unsupported uid options")
}
if len(options.IncludeAndroidUser) > 0 {
return E.New("android: unsupported android_user option")
}
routeRanges, err := options.BuildAutoRouteRanges(true)
if err != nil {
return err
}
return w.iif.UpdateRouteOptions(&tunOptions{options, routeRanges, platformOptions})
}

func (w *platformInterfaceWrapper) CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor {
return &platformDefaultInterfaceMonitor{
platformInterfaceWrapper: w,
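Review bot: `UpdateRouteOptions` duplicates the three checks at the top of `OpenTun` (UID options, `android_user`, `BuildAutoRouteRanges(true)`) but keeps the old `"android: unsupported uid options"` / `"android: unsupported android_user option"` prefixes that the hunk just above changed to `"platform: ..."`, so the same unsupported option reports two different messages depending on whether it is hit at open time or on a route update. Pull the validation into one helper returning `(routeRanges, error)` that both methods call, and use the `platform:` prefix in both.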
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -33,7 +33,7 @@ require (
github.com/sagernet/sing-shadowsocks v0.2.7
github.com/sagernet/sing-shadowsocks2 v0.2.0
github.com/sagernet/sing-shadowtls v0.2.0-alpha.2
github.com/sagernet/sing-tun v0.6.0-beta.6
github.com/sagernet/sing-tun v0.6.0-beta.7
github.com/sagernet/sing-vmess v0.2.0-beta.1
github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
github.com/sagernet/utls v1.6.7
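Review bot: none of the hunks rendered here contain the code that turns the rule-set CIDRs into routes; that behaviour apparently arrives with the `github.com/sagernet/sing-tun v0.6.0-beta.6` to `v0.6.0-beta.7` bump in this hunk. Reference the corresponding sing-tun change in the commit message so the route-handling logic can be reviewed alongside the docs that describe it, and confirm that beta.7 is the version the 1.11.0 docs text was written against.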
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -133,8 +133,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
github.com/sagernet/sing-tun v0.6.0-beta.6 h1:xaIHoH78MqTSvZqQ4SQto8pC1A+X4qXReDRNaC8DQeI=
github.com/sagernet/sing-tun v0.6.0-beta.6/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
github.com/sagernet/sing-tun v0.6.0-beta.7 h1:FCSX8oGBqb0H57AAvfGeeH/jMGYWCOg6XWkN/oeES+0=
github.com/sagernet/sing-tun v0.6.0-beta.7/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
github.com/sagernet/sing-vmess v0.2.0-beta.1 h1:5sXQ23uwNlZuDvygzi0dFtnG0Csm/SNqTjAHXJkpuj4=
github.com/sagernet/sing-vmess v0.2.0-beta.1/go.mod h1:fLyE1emIcvQ5DV8reFWnufquZ7MkCSYM5ThodsR9NrQ=
github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
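Review bot: the `/go.mod` hash for beta.7 is identical to beta.6 (`h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=`), which is expected when the dependency's own go.mod did not change, while the module zip hash did change; run `go mod verify` against a clean module cache to confirm the new `h1:` line for `sing-tun v0.6.0-beta.7` matches the published module before merging.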