Add experimental_fix_windows_firewall option for system tun stack

2024-11-16 16:32:23 +08:00 · 2023-05-09 12:26:13 +08:00 · 2023-05-09 12:26:13 +08:00 · ff1c1ef4c9
commit ff1c1ef4c9
parent 57f87eab87
10 changed files with 71 additions and 46 deletions
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -53,8 +53,9 @@
      "server_port": 8080
    }
  },
-  
-  ... // Listen Fields
+  "experimental_fix_windows_firewall": false,
+  ...
+  // Listen Fields
 }
 ```

@ -180,10 +181,10 @@ Exclude users in route, but in range.

 Limit android users in route.

-| Common user  | ID  |
-|--------------|-----|
-| Main         | 0   |
-| Work Profile | 10  |
+| Common user  | ID |
+|--------------|----|
+| Main         | 0  |
+| Work Profile | 10 |

 #### include_package

@ -201,6 +202,12 @@ Platform-specific settings, provided by client applications.

 System HTTP proxy settings.

+#### experimental_fix_windows_firewall
+
+Automatically add Windows firewall rules in order for the system stack to work.
+
+This causes some start delays and does not work with existing firewall rules.
+
 ### Listen Fields

 See [Listen Fields](/configuration/shared/listen) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -53,8 +53,9 @@
      "server_port": 8080
    }
  },
-  
-  ... // 监听字段
+  "experimental_fix_windows_firewall": false,
+  ...
+  // 监听字段
 }
 ```

@ -178,8 +179,8 @@ TCP/IP 栈。
 限制被路由的 Android 用户。

 | 常用用户 | ID |
-|--|-----|
-| 您 | 0 |
+|------|----|
+| 您    | 0  |
 | 工作资料 | 10 |

 #### include_package
@ -198,6 +199,12 @@ TCP/IP 栈。

 系统 HTTP 代理设置。

+#### experimental_fix_windows_firewall
+
+自动添加 Windows 防火墙规则，以使 system 栈正常工作。
+
+这会导致一些启动延迟，并且无法与现有防火墙规则一起使用。
+
 ### 监听字段

 参阅 [监听字段](/zh/configuration/shared/listen/)。
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@ -18,6 +18,7 @@ type PlatformInterface interface {
 	CloseDefaultInterfaceMonitor(listener InterfaceUpdateListener) error
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
+	UnderNetworkExtension() bool
 }

 type TunInterface interface {
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@ -22,6 +22,7 @@ type Interface interface {
 	CreateDefaultInterfaceMonitor(errorHandler E.Handler) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]NetworkInterface, error)
+	UnderNetworkExtension() bool
 	process.Searcher
 	io.Writer
 }
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@ -169,3 +169,7 @@ func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, er
 	}
 	return interfaces, nil
 }
+
+func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
+	return w.iif.UnderNetworkExtension()
+}
--- a/go.mod
+++ b/go.mod
@ -30,7 +30,7 @@ require (
 	github.com/sagernet/sing-shadowsocks v0.2.2-0.20230417102954-f77257340507
 	github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9
 	github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b
-	github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b
+	github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204
 	github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
--- a/go.sum
+++ b/go.sum
@ -123,8 +123,8 @@ github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9 h1:0Dc1
 github.com/sagernet/sing-shadowsocks2 v0.0.0-20230501032827-681c9c4ee0e9/go.mod h1:Dpib342FFR68SZ3CSRYxk/zWbanAqRBrCxoLuda5I0A=
 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b h1:ouW/6IDCrxkBe19YSbdCd7buHix7b+UZ6BM4Zz74XF4=
 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b/go.mod h1:oG8bPerYI6cZ74KquY3DvA7ynECyrILPBnce6wtBqeI=
-github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b h1:9NsciSJGwzdkXwVvT2c2g+RvkTVkANeBLr2l+soJ7LM=
-github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818=
+github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204 h1:V8eGGmvyjRtFDNmarASZGsTyyXz/gc/zStSxW/knc9E=
+github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818=
 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3 h1:BHOnxrbC929JonuKqFdJ7ZbDp7zs4oTlH5KFvKtWu9U=
 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3/go.mod h1:yKrAr+dqZd64DxBXCHWrYicp+n4qbqO73mtwv3dck8U=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@ -38,6 +38,7 @@ type Tun struct {
 	tunStack               tun.Stack
 	platformInterface      platform.Interface
 	platformOptions        option.TunPlatformOptions
+	fixWindowsFirewall     bool
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
@ -95,6 +96,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		stack:                  options.Stack,
 		platformInterface:      platformInterface,
 		platformOptions:        common.PtrValueOrDefault(options.Platform),
+		fixWindowsFirewall:     options.ExperimentalFixWindowsFirewall,
 	}, nil
 }

@ -166,19 +168,20 @@ func (t *Tun) Start() error {
 		tunRouter = t
 	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
-		Context:                t.ctx,
-		Tun:                    tunInterface,
-		MTU:                    t.tunOptions.MTU,
-		Name:                   t.tunOptions.Name,
-		Inet4Address:           t.tunOptions.Inet4Address,
-		Inet6Address:           t.tunOptions.Inet6Address,
-		EndpointIndependentNat: t.endpointIndependentNat,
-		UDPTimeout:             t.udpTimeout,
-		Router:                 tunRouter,
-		Handler:                t,
-		Logger:                 t.logger,
-		ForwarderBindInterface: t.platformInterface != nil,
-		InterfaceFinder:        t.router.InterfaceFinder(),
+		Context:                        t.ctx,
+		Tun:                            tunInterface,
+		MTU:                            t.tunOptions.MTU,
+		Name:                           t.tunOptions.Name,
+		Inet4Address:                   t.tunOptions.Inet4Address,
+		Inet6Address:                   t.tunOptions.Inet6Address,
+		EndpointIndependentNat:         t.endpointIndependentNat,
+		UDPTimeout:                     t.udpTimeout,
+		Router:                         tunRouter,
+		Handler:                        t,
+		Logger:                         t.logger,
+		ForwarderBindInterface:         t.platformInterface != nil,
+		InterfaceFinder:                t.router.InterfaceFinder(),
+		ExperimentalFixWindowsFirewall: t.fixWindowsFirewall,
 	})
 	if err != nil {
 		return err
--- a/option/tun.go
+++ b/option/tun.go
@ -1,24 +1,25 @@
 package option

 type TunInboundOptions struct {
-	InterfaceName          string                 `json:"interface_name,omitempty"`
-	MTU                    uint32                 `json:"mtu,omitempty"`
-	Inet4Address           Listable[ListenPrefix] `json:"inet4_address,omitempty"`
-	Inet6Address           Listable[ListenPrefix] `json:"inet6_address,omitempty"`
-	AutoRoute              bool                   `json:"auto_route,omitempty"`
-	StrictRoute            bool                   `json:"strict_route,omitempty"`
-	Inet4RouteAddress      Listable[ListenPrefix] `json:"inet4_route_address,omitempty"`
-	Inet6RouteAddress      Listable[ListenPrefix] `json:"inet6_route_address,omitempty"`
-	IncludeUID             Listable[uint32]       `json:"include_uid,omitempty"`
-	IncludeUIDRange        Listable[string]       `json:"include_uid_range,omitempty"`
-	ExcludeUID             Listable[uint32]       `json:"exclude_uid,omitempty"`
-	ExcludeUIDRange        Listable[string]       `json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser     Listable[int]          `json:"include_android_user,omitempty"`
-	IncludePackage         Listable[string]       `json:"include_package,omitempty"`
-	ExcludePackage         Listable[string]       `json:"exclude_package,omitempty"`
-	EndpointIndependentNat bool                   `json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout             int64                  `json:"udp_timeout,omitempty"`
-	Stack                  string                 `json:"stack,omitempty"`
-	Platform               *TunPlatformOptions    `json:"platform,omitempty"`
+	InterfaceName                  string                 `json:"interface_name,omitempty"`
+	MTU                            uint32                 `json:"mtu,omitempty"`
+	Inet4Address                   Listable[ListenPrefix] `json:"inet4_address,omitempty"`
+	Inet6Address                   Listable[ListenPrefix] `json:"inet6_address,omitempty"`
+	AutoRoute                      bool                   `json:"auto_route,omitempty"`
+	StrictRoute                    bool                   `json:"strict_route,omitempty"`
+	Inet4RouteAddress              Listable[ListenPrefix] `json:"inet4_route_address,omitempty"`
+	Inet6RouteAddress              Listable[ListenPrefix] `json:"inet6_route_address,omitempty"`
+	IncludeUID                     Listable[uint32]       `json:"include_uid,omitempty"`
+	IncludeUIDRange                Listable[string]       `json:"include_uid_range,omitempty"`
+	ExcludeUID                     Listable[uint32]       `json:"exclude_uid,omitempty"`
+	ExcludeUIDRange                Listable[string]       `json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser             Listable[int]          `json:"include_android_user,omitempty"`
+	IncludePackage                 Listable[string]       `json:"include_package,omitempty"`
+	ExcludePackage                 Listable[string]       `json:"exclude_package,omitempty"`
+	EndpointIndependentNat         bool                   `json:"endpoint_independent_nat,omitempty"`
+	UDPTimeout                     int64                  `json:"udp_timeout,omitempty"`
+	Stack                          string                 `json:"stack,omitempty"`
+	ExperimentalFixWindowsFirewall bool                   `json:"experimental_fix_windows_firewall,omitempty"`
+	Platform                       *TunPlatformOptions    `json:"platform,omitempty"`
 	InboundOptions
 }
--- a/route/router.go
+++ b/route/router.go
@ -279,7 +279,8 @@ func NewRouter(
 				router.networkMonitor = networkMonitor
 				networkMonitor.RegisterCallback(router.interfaceFinder.update)
 				interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, tun.DefaultInterfaceMonitorOptions{
-					OverrideAndroidVPN: options.OverrideAndroidVPN,
+					OverrideAndroidVPN:    options.OverrideAndroidVPN,
+					UnderNetworkExtension: platformInterface != nil && platformInterface.UnderNetworkExtension(),
 				})
 				if err != nil {
 					return nil, E.New("auto_detect_interface unsupported on current platform")