github.com/xtls/xray-core@v1.8.12-0.20240518155711-3168d27b0bdb/proxy/wireguard/tun_linux.go (about)

     1  //go:build linux && !android
     2  
     3  package wireguard
     4  
     5  import (
     6  	"context"
     7  	"errors"
     8  	"fmt"
     9  	"net"
    10  	"net/netip"
    11  	"os"
    12  
    13  	"golang.org/x/sys/unix"
    14  
    15  	"github.com/sagernet/sing/common/control"
    16  	"github.com/vishvananda/netlink"
    17  	wgtun "golang.zx2c4.com/wireguard/tun"
    18  )
    19  
    20  type deviceNet struct {
    21  	tunnel
    22  	dialer net.Dialer
    23  
    24  	handle    *netlink.Handle
    25  	linkAddrs []netlink.Addr
    26  	routes    []*netlink.Route
    27  	rules     []*netlink.Rule
    28  }
    29  
    30  func newDeviceNet(interfaceName string) *deviceNet {
    31  	var dialer net.Dialer
    32  	bindControl := control.BindToInterface(control.DefaultInterfaceFinder(), interfaceName, -1)
    33  	dialer.Control = control.Append(dialer.Control, bindControl)
    34  	return &deviceNet{dialer: dialer}
    35  }
    36  
    37  func (d *deviceNet) DialContextTCPAddrPort(ctx context.Context, addr netip.AddrPort) (
    38  	net.Conn, error,
    39  ) {
    40  	return d.dialer.DialContext(ctx, "tcp", addr.String())
    41  }
    42  
    43  func (d *deviceNet) DialUDPAddrPort(laddr, raddr netip.AddrPort) (net.Conn, error) {
    44  	dialer := d.dialer
    45  	dialer.LocalAddr = &net.UDPAddr{IP: laddr.Addr().AsSlice(), Port: int(laddr.Port())}
    46  	return dialer.DialContext(context.Background(), "udp", raddr.String())
    47  }
    48  
    49  func (d *deviceNet) Close() (err error) {
    50  	var errs []error
    51  	for _, rule := range d.rules {
    52  		if err = d.handle.RuleDel(rule); err != nil {
    53  			errs = append(errs, fmt.Errorf("failed to delete rule: %w", err))
    54  		}
    55  	}
    56  	for _, route := range d.routes {
    57  		if err = d.handle.RouteDel(route); err != nil {
    58  			errs = append(errs, fmt.Errorf("failed to delete route: %w", err))
    59  		}
    60  	}
    61  	if err = d.tunnel.Close(); err != nil {
    62  		errs = append(errs, fmt.Errorf("failed to close tunnel: %w", err))
    63  	}
    64  	if d.handle != nil {
    65  		d.handle.Close()
    66  		d.handle = nil
    67  	}
    68  	if len(errs) == 0 {
    69  		return nil
    70  	}
    71  	return errors.Join(errs...)
    72  }
    73  
    74  func createKernelTun(localAddresses []netip.Addr, mtu int, handler promiscuousModeHandler) (t Tunnel, err error) {
    75  	if handler != nil {
    76  		return nil, newError("TODO: support promiscuous mode")
    77  	}
    78  
    79  	var v4, v6 *netip.Addr
    80  	for _, prefixes := range localAddresses {
    81  		if v4 == nil && prefixes.Is4() {
    82  			x := prefixes
    83  			v4 = &x
    84  		}
    85  		if v6 == nil && prefixes.Is6() {
    86  			x := prefixes
    87  			v6 = &x
    88  		}
    89  	}
    90  
    91  	writeSysctlZero := func(path string) error {
    92  		_, err := os.Stat(path)
    93  		if os.IsNotExist(err) {
    94  			return nil
    95  		}
    96  		if err != nil {
    97  			return err
    98  		}
    99  		return os.WriteFile(path, []byte("0"), 0o644)
   100  	}
   101  
   102  	// system configs.
   103  	if v4 != nil {
   104  		if err = writeSysctlZero("/proc/sys/net/ipv4/conf/all/rp_filter"); err != nil {
   105  			return nil, fmt.Errorf("failed to disable ipv4 rp_filter for all: %w", err)
   106  		}
   107  	}
   108  	if v6 != nil {
   109  		if err = writeSysctlZero("/proc/sys/net/ipv6/conf/all/disable_ipv6"); err != nil {
   110  			return nil, fmt.Errorf("failed to enable ipv6: %w", err)
   111  		}
   112  		if err = writeSysctlZero("/proc/sys/net/ipv6/conf/all/rp_filter"); err != nil {
   113  			return nil, fmt.Errorf("failed to disable ipv6 rp_filter for all: %w", err)
   114  		}
   115  	}
   116  
   117  	n := CalculateInterfaceName("wg")
   118  	wgt, err := wgtun.CreateTUN(n, mtu)
   119  	if err != nil {
   120  		return nil, err
   121  	}
   122  	defer func() {
   123  		if err != nil {
   124  			_ = wgt.Close()
   125  		}
   126  	}()
   127  
   128  	// disable linux rp_filter for tunnel device to avoid packet drop.
   129  	// the operation require root privilege on container require '--privileged' flag.
   130  	if v4 != nil {
   131  		if err = writeSysctlZero("/proc/sys/net/ipv4/conf/" + n + "/rp_filter"); err != nil {
   132  			return nil, fmt.Errorf("failed to disable ipv4 rp_filter for tunnel: %w", err)
   133  		}
   134  	}
   135  	if v6 != nil {
   136  		if err = writeSysctlZero("/proc/sys/net/ipv6/conf/" + n + "/rp_filter"); err != nil {
   137  			return nil, fmt.Errorf("failed to disable ipv6 rp_filter for tunnel: %w", err)
   138  		}
   139  	}
   140  
   141  	ipv6TableIndex := 1023
   142  	if v6 != nil {
   143  		r := &netlink.Route{Table: ipv6TableIndex}
   144  		for {
   145  			routeList, fErr := netlink.RouteListFiltered(netlink.FAMILY_V6, r, netlink.RT_FILTER_TABLE)
   146  			if len(routeList) == 0 || fErr != nil {
   147  				break
   148  			}
   149  			ipv6TableIndex--
   150  			if ipv6TableIndex < 0 {
   151  				return nil, fmt.Errorf("failed to find available ipv6 table index")
   152  			}
   153  		}
   154  	}
   155  
   156  	out := newDeviceNet(n)
   157  	out.handle, err = netlink.NewHandle()
   158  	if err != nil {
   159  		return nil, err
   160  	}
   161  	defer func() {
   162  		if err != nil {
   163  			_ = out.Close()
   164  		}
   165  	}()
   166  
   167  	l, err := netlink.LinkByName(n)
   168  	if err != nil {
   169  		return nil, err
   170  	}
   171  
   172  	if v4 != nil {
   173  		addr := netlink.Addr{
   174  			IPNet: &net.IPNet{
   175  				IP:   v4.AsSlice(),
   176  				Mask: net.CIDRMask(v4.BitLen(), v4.BitLen()),
   177  			},
   178  		}
   179  		out.linkAddrs = append(out.linkAddrs, addr)
   180  	}
   181  	if v6 != nil {
   182  		addr := netlink.Addr{
   183  			IPNet: &net.IPNet{
   184  				IP:   v6.AsSlice(),
   185  				Mask: net.CIDRMask(v6.BitLen(), v6.BitLen()),
   186  			},
   187  		}
   188  		out.linkAddrs = append(out.linkAddrs, addr)
   189  
   190  		rt := &netlink.Route{
   191  			LinkIndex: l.Attrs().Index,
   192  			Dst: &net.IPNet{
   193  				IP:   net.IPv6zero,
   194  				Mask: net.CIDRMask(0, 128),
   195  			},
   196  			Table: ipv6TableIndex,
   197  		}
   198  		out.routes = append(out.routes, rt)
   199  
   200  		r := netlink.NewRule()
   201  		r.Table, r.Family, r.Src = ipv6TableIndex, unix.AF_INET6, addr.IPNet
   202  		out.rules = append(out.rules, r)
   203  	}
   204  
   205  	for _, addr := range out.linkAddrs {
   206  		if err = out.handle.AddrAdd(l, &addr); err != nil {
   207  			return nil, fmt.Errorf("failed to add address %s to %s: %w", addr, n, err)
   208  		}
   209  	}
   210  	if err = out.handle.LinkSetMTU(l, mtu); err != nil {
   211  		return nil, err
   212  	}
   213  	if err = out.handle.LinkSetUp(l); err != nil {
   214  		return nil, err
   215  	}
   216  
   217  	for _, route := range out.routes {
   218  		if err = out.handle.RouteAdd(route); err != nil {
   219  			return nil, fmt.Errorf("failed to add route %s: %w", route, err)
   220  		}
   221  	}
   222  	for _, rule := range out.rules {
   223  		if err = out.handle.RuleAdd(rule); err != nil {
   224  			return nil, fmt.Errorf("failed to add rule %s: %w", rule, err)
   225  		}
   226  	}
   227  	out.tun = wgt
   228  	return out, nil
   229  }
   230  
   231  func KernelTunSupported() bool {
   232  	// run a superuser permission check to check
   233  	// if the current user has the sufficient permission
   234  	// to create a tun device.
   235  
   236  	return unix.Geteuid() == 0 // 0 means root
   237  }