feat: introduce netfilter ih filter

2025-12-16 16:57:08 +00:00 · 2025-12-11 19:08:29 +08:00 · 2025-12-11 19:08:29 +08:00 · eedb8bb72c
commit eedb8bb72c
parent bcee4f2c8b
3 changed files with 89 additions and 21 deletions
--- a/src/internal/netfilter/nftables.go
+++ b/src/internal/netfilter/nftables.go
@ -197,3 +197,42 @@ func (f *Firewall) NftAddSkipDomains() error {
 	}
 	return nil
 }
+
+func NftIHAvailable() bool {
+	const TestName = "UA3F_TEST_IH"
+	table := &knftables.Table{
+		Name:   TestName,
+		Family: knftables.InetFamily,
+	}
+	nft, err := knftables.New(table.Family, table.Name)
+	if err != nil {
+		slog.Error("NftIHAvailable knftables.New", slog.Any("error", err))
+		return false
+	}
+	tx := nft.NewTransaction()
+	chain := &knftables.Chain{
+		Name:     TestName,
+		Table:    table.Name,
+		Type:     knftables.PtrTo(knftables.FilterType),
+		Hook:     knftables.PtrTo(knftables.PostroutingHook),
+		Priority: knftables.PtrTo(knftables.ManglePriority),
+	}
+	rule := &knftables.Rule{
+		Chain: chain.Name,
+		Rule: knftables.Concat(
+			"meta l4proto tcp",
+			"ct direction original",
+			"ct state established",
+			"@ih,0,8 & 0 == 0",
+			"counter accept",
+		),
+	}
+	tx.Add(table)
+	tx.Add(chain)
+	tx.Add(rule)
+	err = nft.Check(context.TODO(), tx)
+	if err != nil {
+		slog.Info("@ih match not available", slog.Any("error", err))
+	}
+	return err == nil
+}
--- a/src/internal/server/desync/nftables.go
+++ b/src/internal/server/desync/nftables.go
@ -56,17 +56,32 @@ func (s *Server) NftSetDesync(tx *knftables.Transaction, table *knftables.Table)
 		Chain: chain.Name,
 		Rule:  netfilter.NftRuleIgnorePorts,
 	})
+
+	if netfilter.NftIHAvailable() {
 		tx.Add(&knftables.Rule{
 			Chain: chain.Name,
 			Rule: knftables.Concat(
-			"ip length > 41",
 				"meta l4proto tcp",
 				"ct state established",
 				"ct direction original",
+				"@ih,0,8 & 0 == 0",
 				fmt.Sprintf("ct bytes < %d", s.CtByte),
 				fmt.Sprintf("ct packets < %d", s.CtPackets),
 				fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 			),
 		})
-
+	} else {
+		tx.Add(&knftables.Rule{
+			Chain: chain.Name,
+			Rule: knftables.Concat(
+				"meta l4proto tcp",
+				"ct state established",
+				"ct direction original",
+				"ip length > 41",
+				fmt.Sprintf("ct bytes < %d", s.CtByte),
+				fmt.Sprintf("ct packets < %d", s.CtPackets),
+				fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
+			),
+		})
+	}
 }
--- a/src/internal/server/nfqueue/nftables.go
+++ b/src/internal/server/nfqueue/nftables.go
@ -122,13 +122,27 @@ func (s *Server) NftSetNfqueue(tx *knftables.Transaction, table *knftables.Table
 		),
 	})

+	if netfilter.NftIHAvailable() {
 		tx.Add(&knftables.Rule{
 			Chain: chain.Name,
 			Rule: knftables.Concat(
+				"meta l4proto tcp",
+				"ct direction original",
+				"ct state established",
+				"@ih,0,8 & 0 == 0",
+				fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
+			),
+		})
+	} else {
+		tx.Add(&knftables.Rule{
+			Chain: chain.Name,
+			Rule: knftables.Concat(
+				"meta l4proto tcp",
 				"ct direction original",
 				"ct state established",
 				"ip length > 40",
 				fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
 			),
 		})
+	}
 }