feat: use new tcp reset option feature

SunBK201 2025-11-13 02:31:44 +08:00
parent 310d8da032
commit a6a456aecb
2 changed files with 69 additions and 9 deletions


@ -33,6 +33,13 @@ var RuleIP = []string{
"--queue-bypass", "--queue-bypass",
} }
var RuleRstTimestamp = []string{
"-p", "tcp",
"--tcp-option", "8",
"-j", "TCPOPTSTRIP",
"--strip-options", "timestamp",
}
func (s *Server) iptSetup() error { func (s *Server) iptSetup() error {
ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv4) ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
if err != nil { if err != nil {
@ -79,7 +86,12 @@ func (s *Server) IptSetTTL(ipt *iptables.IPTables) error {
} }
func (s *Server) IptDelTCPTS(ipt *iptables.IPTables) error { func (s *Server) IptDelTCPTS(ipt *iptables.IPTables) error {
err := ipt.Append(table, chain, RuleDelTCPTS...) err := ipt.Append(table, chain, RuleRstTimestamp...)
if err == nil {
return nil
}
err = ipt.Append(table, chain, RuleDelTCPTS...)
if err != nil { if err != nil {
return err return err
} }
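Review bot: The error from the first `ipt.Append(table, chain, RuleRstTimestamp...)` is dropped when it fails, so the fallback to RuleDelTCPTS runs for any failure (missing TCPOPTSTRIP target, wrong table, permissions, transient xtables lock) and nothing records which of the two rules actually ended up installed; the nft side of this commit logs its fallback, so for parity log it here too, e.g. `// TCPOPTSTRIP unavailable (or rejected); fall back to the queue-based rule` followed by a debug log of `err` if a logger is in scope in this file. TCPOPTSTRIP is only valid in the mangle table, so if `table` (declared outside the hunk) is not mangle the first Append fails every time and the fallback silently becomes the only path — worth a comment on RuleRstTimestamp stating that precondition. Naming is also slightly off: the iptables rule strips the option via `--strip-options timestamp` rather than resetting it, so `RuleStripTimestamp` would describe it better. IptDelTCPTS continues past the hunk, as does any cleanup code, which presumably needs to delete whichever rule was appended.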


@ -6,6 +6,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/sirupsen/logrus"
"sigs.k8s.io/knftables" "sigs.k8s.io/knftables"
) )
@ -52,8 +53,8 @@ func (s *Server) nftCleanup() error {
func (s *Server) NftSetTTL(tx *knftables.Transaction, table *knftables.Table) { func (s *Server) NftSetTTL(tx *knftables.Transaction, table *knftables.Table) {
chain := &knftables.Chain{ chain := &knftables.Chain{
Name: "TTL64", Name: "TTL64",
Type: knftables.PtrTo(knftables.FilterType),
Table: table.Name, Table: table.Name,
Type: knftables.PtrTo(knftables.FilterType),
Hook: knftables.PtrTo(knftables.PostroutingHook), Hook: knftables.PtrTo(knftables.PostroutingHook),
Priority: knftables.PtrTo(knftables.ManglePriority), Priority: knftables.PtrTo(knftables.ManglePriority),
} }
@ -69,16 +70,45 @@ func (s *Server) NftSetTTL(tx *knftables.Transaction, table *knftables.Table) {
func (s *Server) NftDelTCPTS(tx *knftables.Transaction, table *knftables.Table) { func (s *Server) NftDelTCPTS(tx *knftables.Transaction, table *knftables.Table) {
chain := &knftables.Chain{ chain := &knftables.Chain{
Name: "HELPER_QUEUE", Name: "DEL_TCPTS",
Type: knftables.PtrTo(knftables.FilterType),
Table: table.Name, Table: table.Name,
Type: knftables.PtrTo(knftables.FilterType),
Hook: knftables.PtrTo(knftables.PostroutingHook),
Priority: knftables.PtrTo(knftables.ManglePriority),
}
tx.Add(chain)
var rule *knftables.Rule
if resetOptionAvailable() {
rule = &knftables.Rule{
Chain: chain.Name,
Rule: knftables.Concat(
"tcp option timestamp exists",
"counter reset tcp option timestamp",
),
}
} else {
rule = &knftables.Rule{
Chain: chain.Name,
Rule: knftables.Concat(
"tcp flags syn",
fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
),
}
}
tx.Add(rule)
}
func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {
chain := &knftables.Chain{
Name: "HELPER_QUEUE",
Table: table.Name,
Type: knftables.PtrTo(knftables.FilterType),
Hook: knftables.PtrTo(knftables.PostroutingHook), Hook: knftables.PtrTo(knftables.PostroutingHook),
Priority: knftables.PtrTo(knftables.ManglePriority), Priority: knftables.PtrTo(knftables.ManglePriority),
} }
rule := &knftables.Rule{ rule := &knftables.Rule{
Chain: chain.Name, Chain: chain.Name,
Rule: knftables.Concat( Rule: knftables.Concat(
"tcp flags syn",
fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum), fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
), ),
} }
@ -86,20 +116,38 @@ func (s *Server) NftDelTCPTS(tx *knftables.Transaction, table *knftables.Table)
tx.Add(rule) tx.Add(rule)
} }
func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) { func resetOptionAvailable() bool {
const TestName = "UA3F_TEST_RESET"
table := &knftables.Table{
Name: TestName,
Family: knftables.InetFamily,
}
nft, err := knftables.New(table.Family, table.Name)
if err != nil {
logrus.Errorf("resetOptionAvailable knftables.New: %v", err)
return false
}
tx := nft.NewTransaction()
chain := &knftables.Chain{ chain := &knftables.Chain{
Name: "HELPER_QUEUE", Name: TestName,
Type: knftables.PtrTo(knftables.FilterType),
Table: table.Name, Table: table.Name,
Type: knftables.PtrTo(knftables.FilterType),
Hook: knftables.PtrTo(knftables.PostroutingHook), Hook: knftables.PtrTo(knftables.PostroutingHook),
Priority: knftables.PtrTo(knftables.ManglePriority), Priority: knftables.PtrTo(knftables.ManglePriority),
} }
rule := &knftables.Rule{ rule := &knftables.Rule{
Chain: chain.Name, Chain: chain.Name,
Rule: knftables.Concat( Rule: knftables.Concat(
fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum), "tcp option timestamp exists",
"counter reset tcp option timestamp",
), ),
} }
tx.Add(table)
tx.Add(chain) tx.Add(chain)
tx.Add(rule) tx.Add(rule)
err = nft.Check(context.TODO(), tx)
if err != nil {
logrus.Infof("tcp option reset is not available")
}
return err == nil
} }
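Review bot: resetOptionAvailable collapses every failure of `nft.Check` into "reset not supported", so an unrelated error (nft binary missing, permission denied, a transient subprocess failure) silently switches NftDelTCPTS to the queue-based fallback and the operator only sees "tcp option reset is not available" without the cause; the log line should carry the error, `logrus.Infof("tcp option reset is not available: %v", err)`. The probe also runs under `context.TODO()` with no deadline, so a hung nft invocation blocks NftDelTCPTS indefinitely, and it spawns nft on every call even though the kernel/nft capability cannot change within one process. Bounding the check with a timeout and caching the result behind a sync.Once (which needs `sync` and `time` added to the import block at the top of this file) addresses both; the probe body between the table/chain/rule construction and the Check call stays as it is.
```go
var (
	resetOptionOnce sync.Once
	resetOptionOK   bool
)

// resetOptionAvailable reports whether the running nft accepts
// "reset tcp option"; the probe is executed once per process.
func resetOptionAvailable() bool {
	resetOptionOnce.Do(func() { resetOptionOK = probeResetOption() })
	return resetOptionOK
}

func probeResetOption() bool {
	// … unchanged: test table/chain/rule construction and tx.Add calls …
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	err = nft.Check(ctx, tx)
	if err != nil {
		// Any failure (unsupported syntax, missing nft, permissions) disables the reset path.
		logrus.Infof("tcp option reset is not available: %v", err)
	}
	return err == nil
}
```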