diff --git a/docs/configuration/inbound/tun.md b/docs/configuration/inbound/tun.md index 095c3e9a..c43e18aa 100644 --- a/docs/configuration/inbound/tun.md +++ b/docs/configuration/inbound/tun.md @@ -53,8 +53,9 @@ "server_port": 8080 } }, - - ... // Listen Fields + "experimental_fix_windows_firewall": false, + ... + // Listen Fields } ``` @@ -180,10 +181,10 @@ Exclude users in route, but in range. Limit android users in route. -| Common user | ID | -|--------------|-----| -| Main | 0 | -| Work Profile | 10 | +| Common user | ID | +|--------------|----| +| Main | 0 | +| Work Profile | 10 | #### include_package @@ -201,6 +202,12 @@ Platform-specific settings, provided by client applications. System HTTP proxy settings. +#### experimental_fix_windows_firewall + +Automatically add Windows firewall rules in order for the system stack to work. + +This causes some start delays and does not work with existing firewall rules. + ### Listen Fields See [Listen Fields](/configuration/shared/listen) for details. diff --git a/docs/configuration/inbound/tun.zh.md b/docs/configuration/inbound/tun.zh.md index 350c8d9a..bcff1904 100644 --- a/docs/configuration/inbound/tun.zh.md +++ b/docs/configuration/inbound/tun.zh.md @@ -53,8 +53,9 @@ "server_port": 8080 } }, - - ... // 监听字段 + "experimental_fix_windows_firewall": false, + ... + // 监听字段 } ``` @@ -178,8 +179,8 @@ TCP/IP 栈。 限制被路由的 Android 用户。 | 常用用户 | ID | -|--|-----| -| 您 | 0 | +|------|----| +| 您 | 0 | | 工作资料 | 10 | #### include_package @@ -198,6 +199,12 @@ TCP/IP 栈。 系统 HTTP 代理设置。 +#### experimental_fix_windows_firewall + +自动添加 Windows 防火墙规则,以使 system 栈正常工作。 + +这会导致一些启动延迟,并且无法与现有防火墙规则一起使用。 + ### 监听字段 参阅 [监听字段](/zh/configuration/shared/listen/)。 diff --git a/experimental/libbox/platform.go b/experimental/libbox/platform.go index d968d571..04d73730 100644 --- a/experimental/libbox/platform.go +++ b/experimental/libbox/platform.go 
@@ -18,6 +18,7 @@ type PlatformInterface interface { CloseDefaultInterfaceMonitor(listener InterfaceUpdateListener) error UsePlatformInterfaceGetter() bool GetInterfaces() (NetworkInterfaceIterator, error) + UnderNetworkExtension() bool } type TunInterface interface { diff --git a/experimental/libbox/platform/interface.go b/experimental/libbox/platform/interface.go index a5920695..e811bdb0 100644 --- a/experimental/libbox/platform/interface.go +++ b/experimental/libbox/platform/interface.go @@ -22,6 +22,7 @@ type Interface interface { CreateDefaultInterfaceMonitor(errorHandler E.Handler) tun.DefaultInterfaceMonitor UsePlatformInterfaceGetter() bool Interfaces() ([]NetworkInterface, error) + UnderNetworkExtension() bool process.Searcher io.Writer } diff --git a/experimental/libbox/service.go b/experimental/libbox/service.go index 1236c38b..2032e541 100644 --- a/experimental/libbox/service.go +++ b/experimental/libbox/service.go @@ -169,3 +169,7 @@ func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, er } return interfaces, nil } + +func (w *platformInterfaceWrapper) UnderNetworkExtension() bool { + return w.iif.UnderNetworkExtension() +} diff --git a/go.mod b/go.mod index 017c4325..fae3270e 100644 --- a/go.mod +++ b/go.mod @@ -30,7 +30,7 @@ require ( github.com/sagernet/sing-shadowsocks v0.2.2-0.20230417102954-f77257340507 github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b - github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b + github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9 diff --git a/go.sum b/go.sum index 422cbc35..3f521a3a 100644 --- a/go.sum +++ b/go.sum 
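Review bot: The new `UnderNetworkExtension() bool` method on `PlatformInterface` has no doc comment, so nothing here tells a platform implementation what it is expected to return. Every client application that implements this interface must now add the method, and its result is fed into `tun.DefaultInterfaceMonitorOptions` from `NewRouter` in route/router.go, so a one-line contract is worth having, e.g. `// UnderNetworkExtension reports whether the core runs inside a platform network extension; other implementations return false.` The same comment belongs on the mirrored declaration in experimental/libbox/platform/interface.go and on the wrapper in experimental/libbox/service.go. The wording is inferred from the method name and should be confirmed by the author.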
@@ -123,8 +123,8 @@ github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9 h1:0Dc1 github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9/go.mod h1:Dpib342FFR68SZ3CSRYxk/zWbanAqRBrCxoLuda5I0A= github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b h1:ouW/6IDCrxkBe19YSbdCd7buHix7b+UZ6BM4Zz74XF4= github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b/go.mod h1:oG8bPerYI6cZ74KquY3DvA7ynECyrILPBnce6wtBqeI= -github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b h1:9NsciSJGwzdkXwVvT2c2g+RvkTVkANeBLr2l+soJ7LM= -github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818= +github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204 h1:V8eGGmvyjRtFDNmarASZGsTyyXz/gc/zStSxW/knc9E= +github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818= github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3 h1:BHOnxrbC929JonuKqFdJ7ZbDp7zs4oTlH5KFvKtWu9U= github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3/go.mod h1:yKrAr+dqZd64DxBXCHWrYicp+n4qbqO73mtwv3dck8U= github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as= diff --git a/inbound/tun.go b/inbound/tun.go index e5342355..d5ebd2f5 100644 --- a/inbound/tun.go +++ b/inbound/tun.go @@ -38,6 +38,7 @@ type Tun struct { tunStack tun.Stack platformInterface platform.Interface platformOptions option.TunPlatformOptions + fixWindowsFirewall bool } func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) { 
@@ -95,6 +96,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger stack: options.Stack, platformInterface: platformInterface, platformOptions: common.PtrValueOrDefault(options.Platform), + fixWindowsFirewall: options.ExperimentalFixWindowsFirewall, }, nil } @@ -166,19 +168,20 @@ func (t *Tun) Start() error { tunRouter = t } t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{ - Context: t.ctx, - Tun: tunInterface, - MTU: t.tunOptions.MTU, - Name: t.tunOptions.Name, - Inet4Address: t.tunOptions.Inet4Address, - Inet6Address: t.tunOptions.Inet6Address, - EndpointIndependentNat: t.endpointIndependentNat, - UDPTimeout: t.udpTimeout, - Router: tunRouter, - Handler: t, - Logger: t.logger, - ForwarderBindInterface: t.platformInterface != nil, - InterfaceFinder: t.router.InterfaceFinder(), + Context: t.ctx, + Tun: tunInterface, + MTU: t.tunOptions.MTU, + Name: t.tunOptions.Name, + Inet4Address: t.tunOptions.Inet4Address, + Inet6Address: t.tunOptions.Inet6Address, + EndpointIndependentNat: t.endpointIndependentNat, + UDPTimeout: t.udpTimeout, + Router: tunRouter, + Handler: t, + Logger: t.logger, + ForwarderBindInterface: t.platformInterface != nil, + InterfaceFinder: t.router.InterfaceFinder(), + ExperimentalFixWindowsFirewall: t.fixWindowsFirewall, }) if err != nil { return err diff --git a/option/tun.go b/option/tun.go index 731b6eed..dc99f134 100644 --- a/option/tun.go +++ b/option/tun.go 
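Review bot: `ExperimentalFixWindowsFirewall: t.fixWindowsFirewall` is forwarded to `tun.NewStack` for every stack and every OS, and nothing is logged when it is set, so a configuration that changes host firewall policy takes effect silently. The documentation added in this commit ties the option to the system stack on Windows, so I would log before the call, e.g. `if t.fixWindowsFirewall { t.logger.Warn("experimental_fix_windows_firewall is enabled: Windows firewall rules will be added") }`. Also consider warning in `NewTun` when the option is combined with a different stack. Whether the added rules are removed again on close is decided inside sing-tun and is not visible in this diff; the docs should state it either way. `Start` continues outside the hunk.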
@@ -1,24 +1,25 @@ package option type TunInboundOptions struct { - InterfaceName string `json:"interface_name,omitempty"` - MTU uint32 `json:"mtu,omitempty"` - Inet4Address Listable[ListenPrefix] `json:"inet4_address,omitempty"` - Inet6Address Listable[ListenPrefix] `json:"inet6_address,omitempty"` - AutoRoute bool `json:"auto_route,omitempty"` - StrictRoute bool `json:"strict_route,omitempty"` - Inet4RouteAddress Listable[ListenPrefix] `json:"inet4_route_address,omitempty"` - Inet6RouteAddress Listable[ListenPrefix] `json:"inet6_route_address,omitempty"` - IncludeUID Listable[uint32] `json:"include_uid,omitempty"` - IncludeUIDRange Listable[string] `json:"include_uid_range,omitempty"` - ExcludeUID Listable[uint32] `json:"exclude_uid,omitempty"` - ExcludeUIDRange Listable[string] `json:"exclude_uid_range,omitempty"` - IncludeAndroidUser Listable[int] `json:"include_android_user,omitempty"` - IncludePackage Listable[string] `json:"include_package,omitempty"` - ExcludePackage Listable[string] `json:"exclude_package,omitempty"` - EndpointIndependentNat bool `json:"endpoint_independent_nat,omitempty"` - UDPTimeout int64 `json:"udp_timeout,omitempty"` - Stack string `json:"stack,omitempty"` - Platform *TunPlatformOptions `json:"platform,omitempty"` + InterfaceName string `json:"interface_name,omitempty"` + MTU uint32 `json:"mtu,omitempty"` + Inet4Address Listable[ListenPrefix] `json:"inet4_address,omitempty"` + Inet6Address Listable[ListenPrefix] `json:"inet6_address,omitempty"` + AutoRoute bool `json:"auto_route,omitempty"` + StrictRoute bool `json:"strict_route,omitempty"` + Inet4RouteAddress Listable[ListenPrefix] `json:"inet4_route_address,omitempty"` + Inet6RouteAddress Listable[ListenPrefix] `json:"inet6_route_address,omitempty"` + IncludeUID Listable[uint32] `json:"include_uid,omitempty"` + IncludeUIDRange Listable[string] `json:"include_uid_range,omitempty"` + ExcludeUID Listable[uint32] `json:"exclude_uid,omitempty"` + ExcludeUIDRange Listable[string] 
`json:"exclude_uid_range,omitempty"` + IncludeAndroidUser Listable[int] `json:"include_android_user,omitempty"` + IncludePackage Listable[string] `json:"include_package,omitempty"` + ExcludePackage Listable[string] `json:"exclude_package,omitempty"` + EndpointIndependentNat bool `json:"endpoint_independent_nat,omitempty"` + UDPTimeout int64 `json:"udp_timeout,omitempty"` + Stack string `json:"stack,omitempty"` + ExperimentalFixWindowsFirewall bool `json:"experimental_fix_windows_firewall,omitempty"` + Platform *TunPlatformOptions `json:"platform,omitempty"` InboundOptions } diff --git a/route/router.go b/route/router.go index 4202b796..77a1aa5f 100644 --- a/route/router.go +++ b/route/router.go @@ -279,7 +279,8 @@ func NewRouter( router.networkMonitor = networkMonitor networkMonitor.RegisterCallback(router.interfaceFinder.update) interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, tun.DefaultInterfaceMonitorOptions{ - OverrideAndroidVPN: options.OverrideAndroidVPN, + OverrideAndroidVPN: options.OverrideAndroidVPN, + UnderNetworkExtension: platformInterface != nil && platformInterface.UnderNetworkExtension(), }) if err != nil { return nil, E.New("auto_detect_interface unsupported on current platform")
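Review bot: `ExperimentalFixWindowsFirewall` makes the process add host firewall rules, but its declaration in `TunInboundOptions` has no comment saying so. A short comment on the field would help anyone auditing configs or later changes: `// ExperimentalFixWindowsFirewall lets the system stack add Windows firewall rules at start; off by default.` Keeping the zero value `false` with `omitempty` is the right default for an option with this effect.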