glider/proxy/redir/redir_linux.go

// getOrigDst:
// https://github.com/shadowsocks/go-shadowsocks2/blob/master/tcp_linux.go#L30

package redir

import (
	"errors"
	"net"
	"net/url"
	"syscall"
	"unsafe"

	"github.com/nadoo/glider/common/conn"
	"github.com/nadoo/glider/common/log"
	"github.com/nadoo/glider/common/socks"
	"github.com/nadoo/glider/proxy"
)

const (
	// SO_ORIGINAL_DST from linux/include/uapi/linux/netfilter_ipv4.h
	SO_ORIGINAL_DST = 80
	// IP6T_SO_ORIGINAL_DST from linux/include/uapi/linux/netfilter_ipv6/ip6_tables.h
	IP6T_SO_ORIGINAL_DST = 80
)

// RedirProxy struct
type RedirProxy struct {
	dialer proxy.Dialer
	addr   string
	ipv6   bool
}

func init() {
	proxy.RegisterServer("redir", NewRedirServer)
	proxy.RegisterServer("redir6", NewRedir6Server)
}

// NewRedirProxy returns a redirect proxy.
func NewRedirProxy(s string, dialer proxy.Dialer, ipv6 bool) (*RedirProxy, error) {
	u, err := url.Parse(s)
	if err != nil {
		log.F("parse err: %s", err)
		return nil, err
	}

	addr := u.Host
	r := &RedirProxy{
		dialer: dialer,
		addr:   addr,
		ipv6:   ipv6,
	}

	return r, nil
}

// NewRedirServer returns a redir server.
func NewRedirServer(s string, dialer proxy.Dialer) (proxy.Server, error) {
	return NewRedirProxy(s, dialer, false)
}

// NewRedir6Server returns a redir server for ipv6.
func NewRedir6Server(s string, dialer proxy.Dialer) (proxy.Server, error) {
	return NewRedirProxy(s, dialer, true)
}

// ListenAndServe .
func (s *RedirProxy) ListenAndServe() {
	l, err := net.Listen("tcp", s.addr)
	if err != nil {
		log.F("[redir] failed to listen on %s: %v", s.addr, err)
		return
	}

	log.F("[redir] listening TCP on %s", s.addr)

	for {
		c, err := l.Accept()
		if err != nil {
			log.F("[redir] failed to accept: %v", err)
			continue
		}

		go func() {
			defer c.Close()

			if c, ok := c.(*net.TCPConn); ok {
				c.SetKeepAlive(true)
			}

			tgt, err := getOrigDst(c, s.ipv6)
			if err != nil {
				log.F("[redir] failed to get target address: %v", err)
				return
			}

			rc, err := s.dialer.Dial("tcp", tgt.String())
			if err != nil {
				log.F("[redir] failed to connect to target: %v", err)
				return
			}
			defer rc.Close()

			log.F("[redir] %s <-> %s", c.RemoteAddr(), tgt)

			_, _, err = conn.Relay(c, rc)
			if err != nil {
				if err, ok := err.(net.Error); ok && err.Timeout() {
					return // ignore i/o timeout
				}
				log.F("[redir] relay error: %v", err)
			}

		}()
	}
}

// Serve .
func (s *RedirProxy) Serve(c net.Conn) {
	log.F("[redir] func Serve: can not be called directly")
}

// Get the original destination of a TCP connection.
func getOrigDst(conn net.Conn, ipv6 bool) (socks.Addr, error) {
	c, ok := conn.(*net.TCPConn)
	if !ok {
		return nil, errors.New("only work with TCP connection")
	}
	f, err := c.File()
	if err != nil {
		return nil, err
	}
	defer f.Close()

	fd := f.Fd()

	// The File() call above puts both the original socket fd and the file fd in blocking mode.
	// Set the file fd back to non-blocking mode and the original socket fd will become non-blocking as well.
	// Otherwise blocking I/O will waste OS threads.
	if err := syscall.SetNonblock(int(fd), true); err != nil {
		return nil, err
	}

	if ipv6 {
		return getorigdstIPv6(fd)
	}

	return getorigdst(fd)
}

// Call getorigdst() from linux/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
func getorigdst(fd uintptr) (socks.Addr, error) {
	raw := syscall.RawSockaddrInet4{}
	siz := unsafe.Sizeof(raw)
	if err := socketcall(GETSOCKOPT, fd, syscall.IPPROTO_IP, SO_ORIGINAL_DST, uintptr(unsafe.Pointer(&raw)), uintptr(unsafe.Pointer(&siz)), 0); err != nil {
		return nil, err
	}

	addr := make([]byte, 1+net.IPv4len+2)
	addr[0] = socks.ATypIP4
	copy(addr[1:1+net.IPv4len], raw.Addr[:])
	port := (*[2]byte)(unsafe.Pointer(&raw.Port)) // big-endian
	addr[1+net.IPv4len], addr[1+net.IPv4len+1] = port[0], port[1]
	return addr, nil
}

// Call ipv6_getorigdst() from linux/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
func getorigdstIPv6(fd uintptr) (socks.Addr, error) {
	raw := syscall.RawSockaddrInet6{}
	siz := unsafe.Sizeof(raw)
	if err := socketcall(GETSOCKOPT, fd, syscall.IPPROTO_IPV6, IP6T_SO_ORIGINAL_DST, uintptr(unsafe.Pointer(&raw)), uintptr(unsafe.Pointer(&siz)), 0); err != nil {
		return nil, err
	}

	addr := make([]byte, 1+net.IPv6len+2)
	addr[0] = socks.ATypIP6
	copy(addr[1:1+net.IPv6len], raw.Addr[:])
	port := (*[2]byte)(unsafe.Pointer(&raw.Port)) // big-endian
	addr[1+net.IPv6len], addr[1+net.IPv6len+1] = port[0], port[1]
	return addr, nil
}
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`// getOrigDst:`
			`// https://github.com/shadowsocks/go-shadowsocks2/blob/master/tcp_linux.go#L30`

general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`package redir`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00
			`import (`
fixed a bug in redir proxy. 2017-07-30 12:03:19 +08:00			`"errors"`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`"net"`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`"net/url"`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`"syscall"`
			`"unsafe"`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00
			`"github.com/nadoo/glider/common/conn"`
			`"github.com/nadoo/glider/common/log"`
			`"github.com/nadoo/glider/common/socks"`
			`"github.com/nadoo/glider/proxy"`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`)`

			`const (`
ipset: add comments 2017-10-02 19:39:57 +08:00			`// SO_ORIGINAL_DST from linux/include/uapi/linux/netfilter_ipv4.h`
redir: avoid underscore in func name 2017-09-21 23:13:44 +08:00			`SO_ORIGINAL_DST = 80`
ipset: add comments 2017-10-02 19:39:57 +08:00			`// IP6T_SO_ORIGINAL_DST from linux/include/uapi/linux/netfilter_ipv6/ip6_tables.h`
redir: avoid underscore in func name 2017-09-21 23:13:44 +08:00			`IP6T_SO_ORIGINAL_DST = 80`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`)`

forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`// RedirProxy struct`
			`type RedirProxy struct {`
			`dialer proxy.Dialer`
			`addr string`
redir: added `redir6` proxy 2018-09-04 20:26:40 +08:00			`ipv6 bool`
forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`}`

			`func init() {`
			`proxy.RegisterServer("redir", NewRedirServer)`
redir: fixed a typo 2018-09-17 19:22:36 +08:00			`proxy.RegisterServer("redir6", NewRedir6Server)`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`}`

forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`// NewRedirProxy returns a redirect proxy.`
redir: added `redir6` proxy 2018-09-04 20:26:40 +08:00			`func NewRedirProxy(s string, dialer proxy.Dialer, ipv6 bool) (*RedirProxy, error) {`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`u, err := url.Parse(s)`
			`if err != nil {`
			`log.F("parse err: %s", err)`
			`return nil, err`
			`}`

forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`addr := u.Host`
			`r := &RedirProxy{`
			`dialer: dialer,`
			`addr: addr,`
redir: added `redir6` proxy 2018-09-04 20:26:40 +08:00			`ipv6: ipv6,`
forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`}`

			`return r, nil`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`}`

forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`// NewRedirServer returns a redir server.`
			`func NewRedirServer(s string, dialer proxy.Dialer) (proxy.Server, error) {`
redir: added `redir6` proxy 2018-09-04 20:26:40 +08:00			`return NewRedirProxy(s, dialer, false)`
			`}`

http: fixed a compatibility issue with some http proxy server. #62 2018-09-17 19:16:17 +08:00			`// NewRedir6Server returns a redir server for ipv6.`
			`func NewRedir6Server(s string, dialer proxy.Dialer) (proxy.Server, error) {`
redir: added `redir6` proxy 2018-09-04 20:26:40 +08:00			`return NewRedirProxy(s, dialer, true)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`}`

tproxy: add base udp tproxy listener codes 2017-09-09 15:06:44 +08:00			`// ListenAndServe .`
server: changed interface definition and implementation 2018-11-25 13:18:15 +08:00			`func (s *RedirProxy) ListenAndServe() {`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`l, err := net.Listen("tcp", s.addr)`
			`if err != nil {`
tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] failed to listen on %s: %v", s.addr, err)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`return`
			`}`

tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] listening TCP on %s", s.addr)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00
			`for {`
			`c, err := l.Accept()`
			`if err != nil {`
tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] failed to accept: %v", err)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`continue`
			`}`

			`go func() {`
			`defer c.Close()`

			`if c, ok := c.(*net.TCPConn); ok {`
			`c.SetKeepAlive(true)`
			`}`

redir: added `redir6` proxy 2018-09-04 20:26:40 +08:00			`tgt, err := getOrigDst(c, s.ipv6)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`if err != nil {`
tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] failed to get target address: %v", err)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`return`
			`}`

forwarder: add the ability to get parameters like 'priority' 2018-08-12 12:37:25 +08:00			`rc, err := s.dialer.Dial("tcp", tgt.String())`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`if err != nil {`
tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] failed to connect to target: %v", err)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`return`
			`}`
			`defer rc.Close()`

tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] %s <-> %s", c.RemoteAddr(), tgt)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`_, _, err = conn.Relay(c, rc)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`if err != nil {`
			`if err, ok := err.(net.Error); ok && err.Timeout() {`
			`return // ignore i/o timeout`
			`}`
tls: allow InsecureSkipVerify 2018-06-28 23:20:04 +08:00			`log.F("[redir] relay error: %v", err)`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`}`

			`}()`
			`}`
			`}`

server: changed interface definition and implementation 2018-11-25 13:18:15 +08:00			`// Serve .`
			`func (s *RedirProxy) Serve(c net.Conn) {`
tls: optimized code 2018-11-25 15:41:47 +08:00			`log.F("[redir] func Serve: can not be called directly")`
server: changed interface definition and implementation 2018-11-25 13:18:15 +08:00			`}`

fixed a bug in redir proxy. 2017-07-30 12:03:19 +08:00			`// Get the original destination of a TCP connection.`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`func getOrigDst(conn net.Conn, ipv6 bool) (socks.Addr, error) {`
fixed a bug in redir proxy. 2017-07-30 12:03:19 +08:00			`c, ok := conn.(*net.TCPConn)`
			`if !ok {`
			`return nil, errors.New("only work with TCP connection")`
			`}`
			`f, err := c.File()`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer f.Close()`

			`fd := f.Fd()`

			`// The File() call above puts both the original socket fd and the file fd in blocking mode.`
			`// Set the file fd back to non-blocking mode and the original socket fd will become non-blocking as well.`
			`// Otherwise blocking I/O will waste OS threads.`
			`if err := syscall.SetNonblock(int(fd), true); err != nil {`
			`return nil, err`
			`}`

			`if ipv6 {`
redir: avoid underscore in func name 2017-09-21 23:13:44 +08:00			`return getorigdstIPv6(fd)`
fixed a bug in redir proxy. 2017-07-30 12:03:19 +08:00			`}`

			`return getorigdst(fd)`
			`}`

parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`// Call getorigdst() from linux/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`func getorigdst(fd uintptr) (socks.Addr, error) {`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`raw := syscall.RawSockaddrInet4{}`
			`siz := unsafe.Sizeof(raw)`
			`if err := socketcall(GETSOCKOPT, fd, syscall.IPPROTO_IP, SO_ORIGINAL_DST, uintptr(unsafe.Pointer(&raw)), uintptr(unsafe.Pointer(&siz)), 0); err != nil {`
			`return nil, err`
			`}`

			`addr := make([]byte, 1+net.IPv4len+2)`
vmess: worked in SecTypeNone mode 2018-07-03 00:31:43 +08:00			`addr[0] = socks.ATypIP4`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`copy(addr[1:1+net.IPv4len], raw.Addr[:])`
			`port := (*[2]byte)(unsafe.Pointer(&raw.Port)) // big-endian`
			`addr[1+net.IPv4len], addr[1+net.IPv4len+1] = port[0], port[1]`
			`return addr, nil`
			`}`

			`// Call ipv6_getorigdst() from linux/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c`
general: move proxy to separate package 2018-06-26 16:15:48 +08:00			`func getorigdstIPv6(fd uintptr) (socks.Addr, error) {`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`raw := syscall.RawSockaddrInet6{}`
			`siz := unsafe.Sizeof(raw)`
			`if err := socketcall(GETSOCKOPT, fd, syscall.IPPROTO_IPV6, IP6T_SO_ORIGINAL_DST, uintptr(unsafe.Pointer(&raw)), uintptr(unsafe.Pointer(&siz)), 0); err != nil {`
			`return nil, err`
			`}`

			`addr := make([]byte, 1+net.IPv6len+2)`
vmess: worked in SecTypeNone mode 2018-07-03 00:31:43 +08:00			`addr[0] = socks.ATypIP6`
parse domain in dns request playload. (prepare for the forward rule and ipset management features.) 2017-07-26 18:56:24 +08:00			`copy(addr[1:1+net.IPv6len], raw.Addr[:])`
			`port := (*[2]byte)(unsafe.Pointer(&raw.Port)) // big-endian`
			`addr[1+net.IPv6len], addr[1+net.IPv6len+1] = port[0], port[1]`
			`return addr, nil`
			`}`