Chore: use "-m mark --mark" instead of "-m owner --uid-owner"

This commit is contained in:
yaling888 2022-02-02 21:59:44 +08:00
parent f376409041
commit f1157d0a09
5 changed files with 12 additions and 31 deletions


@ -223,19 +223,6 @@ proxies:
servername: example.com # AKA SNI servername: example.com # AKA SNI
# flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS # flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS
# skip-cert-verify: true # skip-cert-verify: true
- name: "vless-ws"
type: vless
server: server
port: 443
uuid: uuid
udp: true
network: ws
servername: example.com # priority over wss host
# skip-cert-verify: true
ws-path: /path
ws-headers:
Host: example.com
``` ```
### IPTABLES auto-configuration ### IPTABLES auto-configuration
@ -249,9 +236,8 @@ tproxy-port: 9898
tun: tun:
enable: false enable: false
``` ```
Create user given name `clash`.
Run Clash by user `clash` as a daemon. Run Clash as a daemon.
Create the systemd configuration file at /etc/systemd/system/clash.service: Create the systemd configuration file at /etc/systemd/system/clash.service:
``` ```
@ -261,10 +247,7 @@ After=network.target
[Service] [Service]
Type=simple Type=simple
User=clash
Group=clash
CapabilityBoundingSet=cap_net_admin CapabilityBoundingSet=cap_net_admin
AmbientCapabilities=cap_net_admin
Restart=always Restart=always
ExecStart=/usr/local/bin/clash -d /etc/clash ExecStart=/usr/local/bin/clash -d /etc/clash


@ -11,6 +11,7 @@ import (
func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) { func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
opt := &option{ opt := &option{
interfaceName: DefaultInterface.Load(), interfaceName: DefaultInterface.Load(),
routingMark: int(DefaultRoutingMark.Load()),
} }
for _, o := range DefaultOptions { for _, o := range DefaultOptions {
@ -58,6 +59,7 @@ func DialContext(ctx context.Context, network, address string, options ...Option
func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) { func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
cfg := &option{ cfg := &option{
interfaceName: DefaultInterface.Load(), interfaceName: DefaultInterface.Load(),
routingMark: int(DefaultRoutingMark.Load()),
} }
for _, o := range DefaultOptions { for _, o := range DefaultOptions {
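Review bot: The new `routingMark: int(DefaultRoutingMark.Load())` default in both DialContext and ListenPacket has no comment saying why every outbound socket now carries the global mark, and the reason lives in another package. I would put a one-line comment above each: `// sockets carrying DefaultRoutingMark are RETURNed by the tproxy output chains, so clash's own traffic is not re-captured`. Since the mark is read at dial time, a dial that starts while the executor is between storing the mark and installing the iptables rules carries a mark no rule matches, which appears harmless but is worth stating. Both functions continue past the end of their hunks, so the code that applies `routingMark` to the socket is not visible here.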


@ -3,8 +3,9 @@ package dialer
import "go.uber.org/atomic" import "go.uber.org/atomic"
var ( var (
DefaultOptions []Option DefaultOptions []Option
DefaultInterface = atomic.NewString("") DefaultInterface = atomic.NewString("")
DefaultRoutingMark = atomic.NewInt32(0)
) )
type option struct { type option struct {
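Review bot: The exported `DefaultRoutingMark` has no doc comment, and its contract (zero means "no mark", non-zero is applied to every socket dialed through this package) is only discoverable from the executor and tproxy code. I would add `// DefaultRoutingMark is the fwmark applied to every outbound socket created by this package; 0 disables marking. It is set by the Linux tproxy iptables setup so that clash's own traffic bypasses the redirect chains.` above the declaration. If callers are expected to treat 0 as "unset", that should be said explicitly, because a zero value is otherwise a valid mark to iptables.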


@ -287,6 +287,7 @@ func updateIPTables(dns *config.DNS, general *config.General) {
tproxy.CleanUpTProxyLinuxIPTables() tproxy.CleanUpTProxyLinuxIPTables()
dialer.DefaultRoutingMark.Store(2158)
err = tproxy.SetTProxyLinuxIPTables(general.Interface, general.TProxyPort, dnsPort) err = tproxy.SetTProxyLinuxIPTables(general.Interface, general.TProxyPort, dnsPort)
if err != nil { if err != nil {
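Review bot: `dialer.DefaultRoutingMark.Store(2158)` hard-codes a magic mark next to a package that names its marks (`PROXY_FWMARK = "0x2d0"`), so nothing documents that the bypass mark must differ from the tproxy mark. I would export a named constant from the tproxy package, e.g. `const BYPASS_FWMARK = 0x86e`, and call `dialer.DefaultRoutingMark.Store(tproxy.BYPASS_FWMARK)`. The mark is also stored before SetTProxyLinuxIPTables runs (it has to be, since that function reads it to build the RETURN rule), so if setup fails the mark presumably stays at 2158 with no matching rule installed; the error branch is cut off at the end of the hunk, but resetting with `dialer.DefaultRoutingMark.Store(0)` there would keep the two in step. updateIPTables starts before this hunk.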


@ -4,10 +4,10 @@ import (
"errors" "errors"
"fmt" "fmt"
"os/exec" "os/exec"
U "os/user"
"runtime" "runtime"
"strings" "strings"
"github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/log" "github.com/Dreamacro/clash/log"
) )
@ -20,7 +20,6 @@ var (
const ( const (
PROXY_FWMARK = "0x2d0" PROXY_FWMARK = "0x2d0"
PROXY_ROUTE_TABLE = "0x2d0" PROXY_ROUTE_TABLE = "0x2d0"
USERNAME = "clash"
) )
func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error { func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
@ -29,17 +28,10 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
return fmt.Errorf("current operations system [%s] are not support iptables or command iptables does not exist", runtime.GOOS) return fmt.Errorf("current operations system [%s] are not support iptables or command iptables does not exist", runtime.GOOS)
} }
user, err := U.Lookup(USERNAME)
if err != nil {
return fmt.Errorf("the user \" %s\" does not exist, please create it", USERNAME)
}
if ifname == "" { if ifname == "" {
return errors.New("the 'interface-name' can not be empty") return errors.New("the 'interface-name' can not be empty")
} }
ownerUid := user.Uid
interfaceName = ifname interfaceName = ifname
tproxyPort = tport tproxyPort = tport
dnsPort = dport dnsPort = dport
@ -84,7 +76,7 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
// set output // set output
execCmd("iptables -t mangle -N clash_output") execCmd("iptables -t mangle -N clash_output")
execCmd("iptables -t mangle -F clash_output") execCmd("iptables -t mangle -F clash_output")
execCmd(fmt.Sprintf("iptables -t mangle -A clash_output -m owner --uid-owner %s -j RETURN", ownerUid)) execCmd(fmt.Sprintf("iptables -t mangle -A clash_output -m mark --mark %#x -j RETURN", dialer.DefaultRoutingMark.Load()))
execCmd("iptables -t mangle -A clash_output -p udp -m multiport --dports 53,123,137 -j ACCEPT") execCmd("iptables -t mangle -A clash_output -p udp -m multiport --dports 53,123,137 -j ACCEPT")
execCmd("iptables -t mangle -A clash_output -p tcp --dport 53 -j ACCEPT") execCmd("iptables -t mangle -A clash_output -p tcp --dport 53 -j ACCEPT")
execCmd("iptables -t mangle -A clash_output -m addrtype --dst-type LOCAL -j RETURN") execCmd("iptables -t mangle -A clash_output -m addrtype --dst-type LOCAL -j RETURN")
@ -97,7 +89,7 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error {
// set dns output // set dns output
execCmd("iptables -t nat -N clash_dns_output") execCmd("iptables -t nat -N clash_dns_output")
execCmd("iptables -t nat -F clash_dns_output") execCmd("iptables -t nat -F clash_dns_output")
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -m owner --uid-owner %s -j RETURN", ownerUid)) execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -m mark --mark %#x -j RETURN", dialer.DefaultRoutingMark.Load()))
execCmd("iptables -t nat -A clash_dns_output -s 172.17.0.0/16 -j RETURN") execCmd("iptables -t nat -A clash_dns_output -s 172.17.0.0/16 -j RETURN")
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p udp -j REDIRECT --to-ports %d", dnsPort)) execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p udp -j REDIRECT --to-ports %d", dnsPort))
execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p tcp -j REDIRECT --to-ports %d", dnsPort)) execCmd(fmt.Sprintf("iptables -t nat -A clash_dns_output -p tcp -j REDIRECT --to-ports %d", dnsPort))
@ -115,6 +107,8 @@ func CleanUpTProxyLinuxIPTables() {
log.Warnln("Clean up tproxy linux iptables") log.Warnln("Clean up tproxy linux iptables")
dialer.DefaultRoutingMark.Store(0)
if _, err := execCmd("iptables -t mangle -L clash_divert"); err != nil { if _, err := execCmd("iptables -t mangle -L clash_divert"); err != nil {
return return
} }
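Review bot: SetTProxyLinuxIPTables now builds `-m mark --mark %#x -j RETURN` from `dialer.DefaultRoutingMark.Load()` without checking it, so if the mark is still 0 the rule becomes `--mark 0x0 -j RETURN`, which matches every unmarked packet and silently disables both the mangle and nat output chains. The removed user lookup was the only preflight check; I would replace it with `mark := dialer.DefaultRoutingMark.Load()` followed by `if mark == 0 { return errors.New("routing mark must be set before configuring tproxy iptables") }` and use `mark` in both Sprintf calls. It would also be worth rejecting a mark equal to PROXY_FWMARK, which presumably tags packets routed to the local table, since a collision would route clash's own outbound traffic back into itself. Note that matching on mark instead of uid means any socket clash opens outside the dialer package (or without CAP_NET_ADMIN, which SO_MARK requires) is captured by the chains; that is why the commit drops the unprivileged user, and the behaviour of an unmarked socket should be documented on this function. Only part of SetTProxyLinuxIPTables and CleanUpTProxyLinuxIPTables is visible here.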