Chore: use "-m mark --mark" instead of "-m owner --uid-owner"
This commit is contained in:
parent
f376409041
commit
f1157d0a09
5 changed files with 12 additions and 31 deletions
19
README.md
19
README.md
|
@ -223,19 +223,6 @@ proxies:
|
||||||
servername: example.com # AKA SNI
|
servername: example.com # AKA SNI
|
||||||
# flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS
|
# flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS
|
||||||
# skip-cert-verify: true
|
# skip-cert-verify: true
|
||||||
|
|
||||||
- name: "vless-ws"
|
|
||||||
type: vless
|
|
||||||
server: server
|
|
||||||
port: 443
|
|
||||||
uuid: uuid
|
|
||||||
udp: true
|
|
||||||
network: ws
|
|
||||||
servername: example.com # priority over wss host
|
|
||||||
# skip-cert-verify: true
|
|
||||||
ws-path: /path
|
|
||||||
ws-headers:
|
|
||||||
Host: example.com
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### IPTABLES auto-configuration
|
### IPTABLES auto-configuration
|
||||||
|
@ -249,9 +236,8 @@ tproxy-port: 9898
|
||||||
tun:
|
tun:
|
||||||
enable: false
|
enable: false
|
||||||
```
|
```
|
||||||
Create user given name `clash`.
|
|
||||||
|
|
||||||
Run Clash by user `clash` as a daemon.
|
Run Clash as a daemon.
|
||||||
|
|
||||||
Create the systemd configuration file at /etc/systemd/system/clash.service:
|
Create the systemd configuration file at /etc/systemd/system/clash.service:
|
||||||
```
|
```
|
||||||
|
@ -261,10 +247,7 @@ After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
User=clash
|
|
||||||
Group=clash
|
|
||||||
CapabilityBoundingSet=cap_net_admin
|
CapabilityBoundingSet=cap_net_admin
|
||||||
AmbientCapabilities=cap_net_admin
|
|
||||||
Restart=always
|
Restart=always
|
||||||
ExecStart=/usr/local/bin/clash -d /etc/clash
|
ExecStart=/usr/local/bin/clash -d /etc/clash
|
||||||
|
|
||||||
|
|
|
@ -11,6 +11,7 @@ import (
|
||||||
func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
|
func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
|
||||||
opt := &option{
|
opt := &option{
|
||||||
interfaceName: DefaultInterface.Load(),
|
interfaceName: DefaultInterface.Load(),
|
||||||
|
routingMark: int(DefaultRoutingMark.Load()),
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, o := range DefaultOptions {
|
for _, o := range DefaultOptions {
|
||||||
|
@ -58,6 +59,7 @@ func DialContext(ctx context.Context, network, address string, options ...Option
|
||||||
func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
|
func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
|
||||||
cfg := &option{
|
cfg := &option{
|
||||||
interfaceName: DefaultInterface.Load(),
|
interfaceName: DefaultInterface.Load(),
|
||||||
|
routingMark: int(DefaultRoutingMark.Load()),
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, o := range DefaultOptions {
|
for _, o := range DefaultOptions {
|
||||||
|
|
|
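Review bot: DialContext and ListenPacket now each build the default option literal by hand, and the added `routingMark: int(DefaultRoutingMark.Load())` is the second field (after interfaceName) that has to be kept identical between the two literals. A small unexported constructor such as `func defaultOption() *option { return &option{interfaceName: DefaultInterface.Load(), routingMark: int(DefaultRoutingMark.Load())} }` called from both would keep them from drifting apart; both function bodies continue outside the hunks.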
@ -3,8 +3,9 @@ package dialer
|
||||||
import "go.uber.org/atomic"
|
import "go.uber.org/atomic"
|
||||||
|
|
||||||
var (
|
var (
|
||||||
DefaultOptions []Option
|
DefaultOptions []Option
|
||||||
DefaultInterface = atomic.NewString("")
|
DefaultInterface = atomic.NewString("")
|
||||||
|
DefaultRoutingMark = atomic.NewInt32(0)
|
||||||
)
|
)
|
||||||
|
|
||||||
type option struct {
|
type option struct {
|
||||||
|
|
|
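Review bot: `DefaultRoutingMark` is exported but, like the other two variables in the block, carries no doc comment, and nothing in this package says what a value of 0 means. Suggest `// DefaultRoutingMark is the mark applied to outbound connections made through this package; 0 leaves them unmarked.` — the "0 leaves them unmarked" reading comes only from CleanUpTProxyLinuxIPTables storing 0 after tearing the rules down, so confirm it against the code that consumes routingMark before committing to that wording.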
@ -287,6 +287,7 @@ func updateIPTables(dns *config.DNS, general *config.General) {
|
||||||
|
|
||||||
tproxy.CleanUpTProxyLinuxIPTables()
|
tproxy.CleanUpTProxyLinuxIPTables()
|
||||||
|
|
||||||
|
dialer.DefaultRoutingMark.Store(2158)
|
||||||
err = tproxy.SetTProxyLinuxIPTables(general.Interface, general.TProxyPort, dnsPort)
|
err = tproxy.SetTProxyLinuxIPTables(general.Interface, general.TProxyPort, dnsPort)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
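Review bot: `dialer.DefaultRoutingMark.Store(2158)` hard-codes the mark as a bare magic number in the executor, while the iptables rules that must agree with it are built in the tproxy package next to `PROXY_FWMARK` and `PROXY_ROUTE_TABLE`. Define it there as a named constant, e.g. `PROXY_ROUTING_MARK = 2158`, and store that from here, so the value lives with the rules that reference it. The mark is also stored before SetTProxyLinuxIPTables runs and, as far as the hunk shows, is not reset when that call fails (the `if err != nil` body is outside the hunk), so on failure outbound sockets would presumably keep being marked for rules that were never installed; consider `dialer.DefaultRoutingMark.Store(0)` in that error path.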
@ -4,10 +4,10 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
U "os/user"
|
|
||||||
"runtime"
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/Dreamacro/clash/component/dialer"
|
||||||
"github.com/Dreamacro/clash/log"
|
"github.com/Dreamacro/clash/log"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -20,7 +20,6 @@ var (
|
||||||
const (
|
const (
|
||||||
PROXY_FWMARK = "0x2d0"
|
PROXY_FWMARK = "0x2d0"
|
||||||
PROXY_ROUTE_TABLE = "0x2d0"
|
PROXY_ROUTE_TABLE = "0x2d0"
|
||||||
USERNAME = "clash"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
|
func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
|
||||||
|
@ -29,17 +28,10 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
|
||||||
return fmt.Errorf("current operations system [%s] are not support iptables or command iptables does not exist", runtime.GOOS)
|
return fmt.Errorf("current operations system [%s] are not support iptables or command iptables does not exist", runtime.GOOS)
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := U.Lookup(USERNAME)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("the user \" %s\" does not exist, please create it", USERNAME)
|
|
||||||
}
|
|
||||||
|
|
||||||
if ifname == "" {
|
if ifname == "" {
|
||||||
return errors.New("the 'interface-name' can not be empty")
|
return errors.New("the 'interface-name' can not be empty")
|
||||||
}
|
}
|
||||||
|
|
||||||
ownerUid := user.Uid
|
|
||||||
|
|
||||||
interfaceName = ifname
|
interfaceName = ifname
|
||||||
tproxyPort = tport
|
tproxyPort = tport
|
||||||
dnsPort = dport
|
dnsPort = dport
|
||||||
|
@ -84,7 +76,7 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
|
||||||
// set output
|
// set output
|
||||||
execCmd("iptables -t mangle -N clash_output")
|
execCmd("iptables -t mangle -N clash_output")
|
||||||
execCmd("iptables -t mangle -F clash_output")
|
execCmd("iptables -t mangle -F clash_output")
|
||||||
execCmd(fmt.Sprintf("iptables -t mangle -A clash_output -m owner --uid-owner %s -j RETURN", ownerUid))
|
execCmd(fmt.Sprintf("iptables -t mangle -A clash_output -m mark --mark %#x -j RETURN", dialer.DefaultRoutingMark.Load()))
|
||||||
execCmd("iptables -t mangle -A clash_output -p udp -m multiport --dports 53,123,137 -j ACCEPT")
|
execCmd("iptables -t mangle -A clash_output -p udp -m multiport --dports 53,123,137 -j ACCEPT")
|
||||||
execCmd("iptables -t mangle -A clash_output -p tcp --dport 53 -j ACCEPT")
|
execCmd("iptables -t mangle -A clash_output -p tcp --dport 53 -j ACCEPT")
|
||||||
execCmd("iptables -t mangle -A clash_output -m addrtype --dst-type LOCAL -j RETURN")
|
execCmd("iptables -t mangle -A clash_output -m addrtype --dst-type LOCAL -j RETURN")
|
||||||
|
@ -97,7 +89,7 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
|
||||||
// set dns output
|
// set dns output
|
||||||
execCmd("iptables -t nat -N clash_dns_output")
|
execCmd("iptables -t nat -N clash_dns_output")
|
||||||
execCmd("iptables -t nat -F clash_dns_output")
|
execCmd("iptables -t nat -F clash_dns_output")
|
||||||
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -m owner --uid-owner %s -j RETURN", ownerUid))
|
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -m mark --mark %#x -j RETURN", dialer.DefaultRoutingMark.Load()))
|
||||||
execCmd("iptables -t nat -A clash_dns_output -s 172.17.0.0/16 -j RETURN")
|
execCmd("iptables -t nat -A clash_dns_output -s 172.17.0.0/16 -j RETURN")
|
||||||
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p udp -j REDIRECT --to-ports %d", dnsPort))
|
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p udp -j REDIRECT --to-ports %d", dnsPort))
|
||||||
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p tcp -j REDIRECT --to-ports %d", dnsPort))
|
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p tcp -j REDIRECT --to-ports %d", dnsPort))
|
||||||
|
@ -115,6 +107,8 @@ func CleanUpTProxyLinuxIPTables() {
|
||||||
|
|
||||||
log.Warnln("Clean up tproxy linux iptables")
|
log.Warnln("Clean up tproxy linux iptables")
|
||||||
|
|
||||||
|
dialer.DefaultRoutingMark.Store(0)
|
||||||
|
|
||||||
if _, err := execCmd("iptables -t mangle -L clash_divert"); err != nil {
|
if _, err := execCmd("iptables -t mangle -L clash_divert"); err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
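Review bot: SetTProxyLinuxIPTables now emits `-m mark --mark %#x -j RETURN` into clash_output (hunk @ -84) and clash_dns_output (hunk @ -97) straight from `dialer.DefaultRoutingMark.Load()`, with no check that the mark is non-zero. A `--mark 0x0 -j RETURN` rule matches every packet that carries no mark, so if this function is ever reached before the executor has stored the mark, both chains would return all traffic and the transparent proxy would silently do nothing. A guard after the `ifname == ""` check — `if dialer.DefaultRoutingMark.Load() == 0 { return errors.New("the routing mark must be set before configuring iptables") }` — turns that into an explicit error, and `errors` is already imported. Dropping the `--uid-owner` rule also removes the requirement that a `clash` user exists, but marking sockets is a privileged operation on Linux, so the function's doc comment should state that the process still needs the capability the README's unit file grants.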