Add experimental_fix_windows_firewall option for system tun stack

2025-06-13 21:54:13 +08:00 · 2023-05-09 12:26:13 +08:00 · 2023-05-09 12:26:13 +08:00 · ff1c1ef4c9
commit ff1c1ef4c9
parent 57f87eab87
10 changed files with 71 additions and 46 deletions
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -53,8 +53,9 @@
      "server_port": 8080
    }
  },
-  
-  ... // Listen Fields
+  "experimental_fix_windows_firewall": false,
+  ...
+  // Listen Fields
 }
 ```

@ -181,7 +182,7 @@ Exclude users in route, but in range.
 Limit android users in route.

 | Common user  | ID |
-|--------------|-----|
+|--------------|----|
 | Main         | 0  |
 | Work Profile | 10 |

@ -201,6 +202,12 @@ Platform-specific settings, provided by client applications.

 System HTTP proxy settings.

+#### experimental_fix_windows_firewall
+
+Automatically add Windows firewall rules in order for the system stack to work.
+
+This causes some start delays and does not work with existing firewall rules.
+
 ### Listen Fields

 See [Listen Fields](/configuration/shared/listen) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -53,8 +53,9 @@
      "server_port": 8080
    }
  },
-  
-  ... // 监听字段
+  "experimental_fix_windows_firewall": false,
+  ...
+  // 监听字段
 }
 ```

@ -178,7 +179,7 @@ TCP/IP 栈。
 限制被路由的 Android 用户。

 | 常用用户 | ID |
-|--|-----|
+|------|----|
 | 您    | 0  |
 | 工作资料 | 10 |

@ -198,6 +199,12 @@ TCP/IP 栈。

 系统 HTTP 代理设置。

+#### experimental_fix_windows_firewall
+
+自动添加 Windows 防火墙规则，以使 system 栈正常工作。
+
+这会导致一些启动延迟，并且无法与现有防火墙规则一起使用。
+
 ### 监听字段

 参阅 [监听字段](/zh/configuration/shared/listen/)。
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@ -18,6 +18,7 @@ type PlatformInterface interface {
 	CloseDefaultInterfaceMonitor(listener InterfaceUpdateListener) error
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
+	UnderNetworkExtension() bool
 }

 type TunInterface interface {
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@ -22,6 +22,7 @@ type Interface interface {
 	CreateDefaultInterfaceMonitor(errorHandler E.Handler) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]NetworkInterface, error)
+	UnderNetworkExtension() bool
 	process.Searcher
 	io.Writer
 }
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@ -169,3 +169,7 @@ func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, er
 	}
 	return interfaces, nil
 }
+
+func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
+	return w.iif.UnderNetworkExtension()
+}
--- a/go.mod
+++ b/go.mod
@ -30,7 +30,7 @@ require (
 	github.com/sagernet/sing-shadowsocks v0.2.2-0.20230417102954-f77257340507
 	github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9
 	github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b
-	github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b
+	github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204
 	github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
--- a/go.sum
+++ b/go.sum
@ -123,8 +123,8 @@ github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9 h1:0Dc1
 github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9/go.mod h1:Dpib342FFR68SZ3CSRYxk/zWbanAqRBrCxoLuda5I0A=
 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b h1:ouW/6IDCrxkBe19YSbdCd7buHix7b+UZ6BM4Zz74XF4=
 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b/go.mod h1:oG8bPerYI6cZ74KquY3DvA7ynECyrILPBnce6wtBqeI=
-github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b h1:9NsciSJGwzdkXwVvT2c2g+RvkTVkANeBLr2l+soJ7LM=
-github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818=
+github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204 h1:V8eGGmvyjRtFDNmarASZGsTyyXz/gc/zStSxW/knc9E=
+github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818=
 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3 h1:BHOnxrbC929JonuKqFdJ7ZbDp7zs4oTlH5KFvKtWu9U=
 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3/go.mod h1:yKrAr+dqZd64DxBXCHWrYicp+n4qbqO73mtwv3dck8U=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@ -38,6 +38,7 @@ type Tun struct {
 	tunStack               tun.Stack
 	platformInterface      platform.Interface
 	platformOptions        option.TunPlatformOptions
+	fixWindowsFirewall     bool
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
@ -95,6 +96,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		stack:                  options.Stack,
 		platformInterface:      platformInterface,
 		platformOptions:        common.PtrValueOrDefault(options.Platform),
+		fixWindowsFirewall:     options.ExperimentalFixWindowsFirewall,
 	}, nil
 }

@ -179,6 +181,7 @@ func (t *Tun) Start() error {
 		Logger:                         t.logger,
 		ForwarderBindInterface:         t.platformInterface != nil,
 		InterfaceFinder:                t.router.InterfaceFinder(),
+		ExperimentalFixWindowsFirewall: t.fixWindowsFirewall,
 	})
 	if err != nil {
 		return err
--- a/option/tun.go
+++ b/option/tun.go
@ -19,6 +19,7 @@ type TunInboundOptions struct {
 	EndpointIndependentNat         bool                   `json:"endpoint_independent_nat,omitempty"`
 	UDPTimeout                     int64                  `json:"udp_timeout,omitempty"`
 	Stack                          string                 `json:"stack,omitempty"`
+	ExperimentalFixWindowsFirewall bool                   `json:"experimental_fix_windows_firewall,omitempty"`
 	Platform                       *TunPlatformOptions    `json:"platform,omitempty"`
 	InboundOptions
 }
--- a/route/router.go
+++ b/route/router.go
@ -280,6 +280,7 @@ func NewRouter(
 				networkMonitor.RegisterCallback(router.interfaceFinder.update)
 				interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, tun.DefaultInterfaceMonitorOptions{
 					OverrideAndroidVPN:    options.OverrideAndroidVPN,
+					UnderNetworkExtension: platformInterface != nil && platformInterface.UnderNetworkExtension(),
 				})
 				if err != nil {
 					return nil, E.New("auto_detect_interface unsupported on current platform")