Merge branch 'main' into version-print-patch

.github/ISSUE_TEMPLATE/config.yml

@@ -13,10 +13,6 @@ contact_links:
     url: https://github.com/daeuniverse/dae/tree/main/docs/zh
     about: 'daeuniverse Documentation Link'
 
-  - name: '💬 daeuniverse Telegram Support'
-    url: https://t.me/daeuniverse
-    about: 'daeuniverse Telegram Support Channel'
-
   - name: '💬 daeuniverse GitHub Discussion Support'
     url: https://github.com/daeuniverse/dae/discussions
     about: 'daeuniverse GitHub Discussion Portal'

cmd/run.go

@@ -268,10 +268,11 @@ loop:
 			break loop
 		}
 	}
+	defer os.Remove(PidFilePath)
+	defer control.GetDaeNetns().Close()
 	if e := c.Close(); e != nil {
 		return fmt.Errorf("close control plane: %w", e)
 	}
-	_ = os.Remove(PidFilePath)
 	return nil
 }
 

common/consts/ebpf.go

@@ -157,9 +157,10 @@ var (
 )
 
 const (
-	TproxyMark      uint32 = 0x8000000
-	Recognize       uint16 = 0x2017
-	LoopbackIfIndex        = 1
+	TproxyMark       uint32 = 0x08000000
+	TproxyMarkString string = "0x08000000" // Should be aligned with nftables
+	Recognize        uint16 = 0x2017
+	LoopbackIfIndex         = 1
 )
 
 type LanWanFlag uint8

component/outbound/dialer/connectivity_check.go

@@ -272,10 +272,10 @@ type CheckOption struct {
 func (d *Dialer) ActivateCheck() {
 	d.tickerMu.Lock()
 	defer d.tickerMu.Unlock()
-	if d.InstanceOption.CheckEnabled {
+	if d.InstanceOption.DisableCheck || d.checkActivated {
 		return
 	}
-	d.InstanceOption.CheckEnabled = true
+	d.checkActivated = true
 	go d.aliveBackground()
 }
 

component/outbound/dialer/dialer.go

@@ -35,6 +35,8 @@ type Dialer struct {
 	checkCh  chan time.Time
 	ctx      context.Context
 	cancel   context.CancelFunc
+
+	checkActivated bool
 }
 
 type GlobalOption struct {
@@ -48,7 +50,7 @@ type GlobalOption struct {
 }
 
 type InstanceOption struct {
-	CheckEnabled bool
+	DisableCheck bool
 }
 
 type Property struct {
@@ -78,9 +80,6 @@ func NewDialer(dialer netproxy.Dialer, option *GlobalOption, iOption InstanceOpt
 		ctx:              ctx,
 		cancel:           cancel,
 	}
-	if iOption.CheckEnabled {
-		go d.aliveBackground()
-	}
 	return d
 }
 

component/outbound/dialer_group_test.go

@@ -30,7 +30,7 @@ var log = logger.NewLogger("trace", false, nil)
 
 func newDirectDialer(option *dialer.GlobalOption, fullcone bool) *dialer.Dialer {
 	_d, p := dialer.NewDirectDialer(option, true)
-	d := dialer.NewDialer(_d, option, dialer.InstanceOption{CheckEnabled: false}, p)
+	d := dialer.NewDialer(_d, option, dialer.InstanceOption{DisableCheck: false}, p)
 	return d
 }
 

component/outbound/filter.go

@@ -39,7 +39,7 @@ func NewDialerSetFromLinks(option *dialer.GlobalOption, tagToNodeList map[string
 	}
 	for subscriptionTag, nodes := range tagToNodeList {
 		for _, node := range nodes {
-			d, err := dialer.NewFromLink(option, dialer.InstanceOption{CheckEnabled: false}, node, subscriptionTag)
+			d, err := dialer.NewFromLink(option, dialer.InstanceOption{DisableCheck: false}, node, subscriptionTag)
 			if err != nil {
 				option.Log.Infof("failed to parse node: %v", err)
 				continue

config/config.go

@@ -35,6 +35,7 @@ type Global struct {
 	DialMode                  string        `mapstructure:"dial_mode" default:"domain"`
 	DisableWaitingNetwork     bool          `mapstructure:"disable_waiting_network" default:"false"`
 	AutoConfigKernelParameter bool          `mapstructure:"auto_config_kernel_parameter" default:"false"`
+	AutoConfigFirewallRule    bool          `mapstructure:"auto_config_firewall_rule" default:"false"`
 	SniffingTimeout           time.Duration `mapstructure:"sniffing_timeout" default:"100ms"`
 	TlsImplementation         string        `mapstructure:"tls_implementation" default:"tls"`
 	UtlsImitate               string        `mapstructure:"utls_imitate" default:"chrome_auto"`

control/control_plane.go

@@ -198,6 +198,14 @@ func NewControlPlane(
 		if err = core.setupRoutingPolicy(); err != nil {
 			return nil, err
 		}
+		if global.AutoConfigFirewallRule {
+			if ok := core.addAcceptInputMark(); ok {
+				core.deferFuncs = append(core.deferFuncs, func() error {
+					core.delAcceptInputMark()
+					return nil
+				})
+			}
+		}
 	}
 
 	/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.
@@ -253,9 +261,9 @@ func NewControlPlane(
 	}
 	disableKernelAliveCallback := dialMode != consts.DialMode_Ip
 	_direct, directProperty := dialer.NewDirectDialer(option, true)
-	direct := dialer.NewDialer(_direct, option, dialer.InstanceOption{CheckEnabled: false}, directProperty)
+	direct := dialer.NewDialer(_direct, option, dialer.InstanceOption{DisableCheck: true}, directProperty)
 	_block, blockProperty := dialer.NewBlockDialer(option, func() { /*Dialer Outbound*/ })
-	block := dialer.NewDialer(_block, option, dialer.InstanceOption{CheckEnabled: false}, blockProperty)
+	block := dialer.NewDialer(_block, option, dialer.InstanceOption{DisableCheck: true}, blockProperty)
 	outbounds := []*outbound.DialerGroup{
 		outbound.NewDialerGroup(option, consts.OutboundDirect.String(),
 			[]*dialer.Dialer{direct}, []*dialer.Annotation{{}},
@@ -292,8 +300,6 @@ func NewControlPlane(
 		log.Infof(`Group "%v" node list:`, group.Name)
 		for _, d := range dialers {
 			log.Infoln("\t" + d.Property().Name)
-			// We only activate check of nodes that have a group.
-			d.ActivateCheck()
 		}
 		if len(dialers) == 0 {
 			log.Infoln("\t<Empty>")
@@ -555,6 +561,14 @@ func (c *ControlPlane) dnsUpstreamReadyCallback(dnsUpstream *dns.Upstream) (err
 	return nil
 }
 
+func (c *ControlPlane) ActivateCheck() {
+	for _, g := range c.outbounds {
+		for _, d := range g.Dialers {
+			// We only activate check of nodes that have a group.
+			d.ActivateCheck()
+		}
+	}
+}
 func (c *ControlPlane) ChooseDialTarget(outbound consts.OutboundIndex, dst netip.AddrPort, domain string) (dialTarget string, shouldReroute bool, dialIp bool) {
 	dialMode := consts.DialMode_Ip
 
@@ -751,6 +765,7 @@ func (c *ControlPlane) Serve(readyChan chan<- bool, listener *Listener) (err err
 			}(newBuf, newOob, src)
 		}
 	}()
+	c.ActivateCheck()
 	<-c.ctx.Done()
 	return nil
 }

control/control_plane_core.go

@@ -12,7 +12,9 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"os/exec"
 	"regexp"
+	"strings"
 	"sync"
 
 	"github.com/cilium/ebpf"
@@ -192,6 +194,43 @@ func (c *controlPlaneCore) delQdisc(ifname string) error {
 	return nil
 }
 
+// TODO: Support more than firewalld and fw4: need more user feedback.
+var nftInputChains = [][3]string{
+	{"inet", "firewalld", "filter_INPUT"},
+	{"inet", "fw4", "input"},
+}
+
+func (c *controlPlaneCore) addAcceptInputMark() (ok bool) {
+	for _, rule := range nftInputChains {
+		if err := exec.Command("nft", "insert rule "+strings.Join(rule[:], " ")+" mark & "+consts.TproxyMarkString+" == "+consts.TproxyMarkString+" accept").Run(); err == nil {
+			ok = true
+		}
+	}
+	return ok
+}
+
+func (c *controlPlaneCore) delAcceptInputMark() (ok bool) {
+	for _, rule := range nftInputChains {
+		output, err := exec.Command("nft", "--handle", "--numeric", "list", "chain", rule[0], rule[1], rule[2]).Output()
+		if err != nil {
+			continue
+		}
+		lines := strings.Split(string(output), "\n")
+		regex := regexp.MustCompile("meta mark & " + consts.TproxyMarkString + " == " + consts.TproxyMarkString + " accept # handle ([0-9]+)")
+		for _, line := range lines {
+			matches := regex.FindStringSubmatch(line)
+			if len(matches) >= 2 {
+				handle := matches[1]
+				if err = exec.Command("nft", "delete rule "+strings.Join(rule[:], " ")+" handle "+handle).Run(); err == nil {
+					ok = true
+				}
+				break
+			}
+		}
+	}
+	return ok
+}
+
 func (c *controlPlaneCore) setupRoutingPolicy() (err error) {
 	/// Insert ip rule / ip route.
 	var table = 2023 + c.flip