refactor: unify nftable handling

2025-12-16 16:57:08 +00:00 · 2025-11-14 23:42:36 +08:00 · 2025-11-14 23:42:36 +08:00 · b41e7a0d7f
commit b41e7a0d7f
parent b186daa2d0
9 changed files with 41 additions and 44 deletions
--- a/src/internal/netfilter/firewall.go
+++ b/src/internal/netfilter/firewall.go
@ -98,6 +98,7 @@ func init() {
 }

 type Firewall struct {
+	Nftable    *knftables.Table
 	NftSetup   func() error
 	NftCleanup func() error
 	IptSetup   func() error
--- a/src/internal/server/netlink/netlink_linux.go
+++ b/src/internal/server/netlink/netlink_linux.go
@ -15,7 +15,6 @@ type Server struct {
 	netfilter.Firewall
 	cfg       *config.Config
 	nfqServer *netfilter.NfqueueServer
-	nftable   *knftables.Table
 }

 func New(cfg *config.Config) *Server {
@ -24,13 +23,13 @@ func New(cfg *config.Config) *Server {
 		nfqServer: &netfilter.NfqueueServer{
 			QueueNum: netfilter.HELPER_QUEUE,
 		},
-		nftable: &knftables.Table{
-			Name:   "UA3F_HELPER",
-			Family: knftables.InetFamily,
-		},
 	}
 	s.nfqServer.HandlePacket = s.handlePacket
 	s.Firewall = netfilter.Firewall{
+		Nftable: &knftables.Table{
+			Name:   "UA3F_HELPER",
+			Family: knftables.InetFamily,
+		},
 		NftSetup:   s.nftSetup,
 		NftCleanup: s.nftCleanup,
 		IptSetup:   s.iptSetup,
--- a/src/internal/server/netlink/nftables.go
+++ b/src/internal/server/netlink/nftables.go
@ -16,22 +16,22 @@ func (s *Server) nftSetup() error {
 		return nil
 	}

-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Add(s.nftable)
+	tx.Add(s.Nftable)

 	if s.cfg.SetTTL {
-		s.NftSetTTL(tx, s.nftable)
+		s.NftSetTTL(tx, s.Nftable)
 	}
 	if s.cfg.DelTCPTimestamp && !s.cfg.SetIPID {
-		s.NftDelTCPTS(tx, s.nftable)
+		s.NftDelTCPTS(tx, s.Nftable)
 	}
 	if s.cfg.SetIPID {
-		s.NftSetIP(tx, s.nftable)
+		s.NftSetIP(tx, s.Nftable)
 	}

 	if err := nft.Run(context.TODO(), tx); err != nil {
@ -41,13 +41,13 @@ func (s *Server) nftSetup() error {
 }

 func (s *Server) nftCleanup() error {
-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Delete(s.nftable)
+	tx.Delete(s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
--- a/src/internal/server/nfqueue/nfqueue_linux.go
+++ b/src/internal/server/nfqueue/nfqueue_linux.go
@ -22,7 +22,6 @@ type Server struct {
 	base.Server
 	netfilter.Firewall
 	nfqServer        *netfilter.NfqueueServer
-	nftable          *knftables.Table
 	SniffCtMarkLower uint32
 	SniffCtMarkUpper uint32
 	HTTPCtMark       uint32
@ -43,13 +42,13 @@ func New(cfg *config.Config, rw *rewrite.Rewriter) *Server {
 		nfqServer: &netfilter.NfqueueServer{
 			QueueNum: 10201,
 		},
-		nftable: &knftables.Table{
-			Name:   "UA3F",
-			Family: knftables.IPv4Family,
-		},
 	}
 	s.nfqServer.HandlePacket = s.handlePacket
 	s.Firewall = netfilter.Firewall{
+		Nftable: &knftables.Table{
+			Name:   "UA3F",
+			Family: knftables.IPv4Family,
+		},
 		NftSetup:   s.nftSetup,
 		NftCleanup: s.nftCleanup,
 		IptSetup:   s.iptSetup,
--- a/src/internal/server/nfqueue/nftables.go
+++ b/src/internal/server/nfqueue/nftables.go
@ -11,16 +11,16 @@ import (
 )

 func (s *Server) nftSetup() error {
-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Add(s.nftable)
+	tx.Add(s.Nftable)

-	s.NftSetLanIP(tx, s.nftable)
-	s.NftSetNfqueue(tx, s.nftable)
+	s.NftSetLanIP(tx, s.Nftable)
+	s.NftSetNfqueue(tx, s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
@ -29,13 +29,13 @@ func (s *Server) nftSetup() error {
 }

 func (s *Server) nftCleanup() error {
-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Delete(s.nftable)
+	tx.Delete(s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
--- a/src/internal/server/redirect/nftables.go
+++ b/src/internal/server/redirect/nftables.go
@ -11,16 +11,16 @@ import (
 )

 func (s *Server) nftSetup() error {
-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Add(s.nftable)
+	tx.Add(s.Nftable)

-	s.NftSetLanIP(tx, s.nftable)
-	s.NftSetRedirect(tx, s.nftable)
+	s.NftSetLanIP(tx, s.Nftable)
+	s.NftSetRedirect(tx, s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
@ -29,13 +29,13 @@ func (s *Server) nftSetup() error {
 }

 func (s *Server) nftCleanup() error {
-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Delete(s.nftable)
+	tx.Delete(s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
--- a/src/internal/server/redirect/redirect_linux.go
+++ b/src/internal/server/redirect/redirect_linux.go
@ -22,7 +22,6 @@ type Server struct {
 	base.Server
 	netfilter.Firewall
 	listener net.Listener
-	nftable  *knftables.Table
 	so_mark  int
 }

@ -34,12 +33,12 @@ func New(cfg *config.Config, rw *rewrite.Rewriter) *Server {
 			Cache:    expirable.NewLRU[string, struct{}](1024, nil, 30*time.Minute),
 		},
 		so_mark: netfilter.SO_MARK,
-		nftable: &knftables.Table{
+	}
+	s.Firewall = netfilter.Firewall{
+		Nftable: &knftables.Table{
 			Name:   "UA3F",
 			Family: knftables.IPv4Family,
 		},
-	}
-	s.Firewall = netfilter.Firewall{
 		NftSetup:   s.nftSetup,
 		NftCleanup: s.nftCleanup,
 		IptSetup:   s.iptSetup,
--- a/src/internal/server/tproxy/nftables.go
+++ b/src/internal/server/tproxy/nftables.go
@ -17,16 +17,16 @@ func (s *Server) nftSetup() error {
 		return err
 	}

-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}

 	tx := nft.NewTransaction()
-	tx.Add(s.nftable)
+	tx.Add(s.Nftable)

-	s.NftSetLanIP(tx, s.nftable)
-	s.NftSetTproxy(tx, s.nftable)
+	s.NftSetLanIP(tx, s.Nftable)
+	s.NftSetTproxy(tx, s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
@ -37,12 +37,12 @@ func (s *Server) nftSetup() error {
 func (s *Server) nftCleanup() error {
 	_ = s.Firewall.DeleteTproxyRoute(s.tproxyFwMark, s.tproxyRouteTable)

-	nft, err := knftables.New(s.nftable.Family, s.nftable.Name)
+	nft, err := knftables.New(s.Nftable.Family, s.Nftable.Name)
 	if err != nil {
 		return err
 	}
 	tx := nft.NewTransaction()
-	tx.Delete(s.nftable)
+	tx.Delete(s.Nftable)

 	if err := nft.Run(context.TODO(), tx); err != nil {
 		return err
--- a/src/internal/server/tproxy/tproxy_linux.go
+++ b/src/internal/server/tproxy/tproxy_linux.go
@ -28,7 +28,6 @@ type Server struct {
 	so_mark          int
 	tproxyFwMark     string
 	tproxyRouteTable string
-	nftable          *knftables.Table
 	ignoreMark       []string
 }

@ -42,16 +41,16 @@ func New(cfg *config.Config, rw *rewrite.Rewriter) *Server {
 		so_mark:          netfilter.SO_MARK,
 		tproxyFwMark:     "0x1c9",
 		tproxyRouteTable: "0x1c9",
-		nftable: &knftables.Table{
-			Name:   "UA3F",
-			Family: knftables.IPv4Family,
-		},
 		ignoreMark: []string{
 			"0x162",
 			"0x1ed4", // sc tproxy mark 7892
 		},
 	}
 	s.Firewall = netfilter.Firewall{
+		Nftable: &knftables.Table{
+			Name:   "UA3F",
+			Family: knftables.IPv4Family,
+		},
 		NftSetup:   s.nftSetup,
 		NftCleanup: s.nftCleanup,
 		IptSetup:   s.iptSetup,