Add loopback address support

Author: nekohasekai

redirect_nftables.go

@@ -46,6 +46,11 @@ func (r *autoRedirect) setupNFTables() error {
 		return err
 	}
 
+	err = r.nftablesCreateLoopbackAddressSets(nft, table)
+	if err != nil {
+		return err
+	}
+
 	skipOutput := len(r.tunOptions.IncludeInterface) > 0 && !common.Contains(r.tunOptions.IncludeInterface, "lo") || common.Contains(r.tunOptions.ExcludeInterface, "lo")
 	if !skipOutput {
 		chainOutput := nft.AddChain(&nftables.Chain{
@@ -61,8 +66,23 @@ func (r *autoRedirect) setupNFTables() error {
 				return err
 			}
 			r.nftablesCreateUnreachable(nft, table, chainOutput)
-			r.nftablesCreateRedirect(nft, table, chainOutput)
-
+			err = r.nftablesCreateRedirect(nft, table, chainOutput)
+			if err != nil {
+				return err
+			}
+			if len(r.tunOptions.Inet4LoopbackAddress) > 0 || len(r.tunOptions.Inet6LoopbackAddress) > 0 {
+				chainOutputRoute := nft.AddChain(&nftables.Chain{
+					Name:     "output_route",
+					Table:    table,
+					Hooknum:  nftables.ChainHookOutput,
+					Priority: nftables.ChainPriorityMangle,
+					Type:     nftables.ChainTypeRoute,
+				})
+				err = r.nftablesCreateLoopbackReroute(nft, table, chainOutputRoute)
+				if err != nil {
+					return err
+				}
+			}
 			chainOutputUDP := nft.AddChain(&nftables.Chain{
 				Name:     "output_udp_icmp",
 				Table:    table,
@@ -77,14 +97,17 @@ func (r *autoRedirect) setupNFTables() error {
 			r.nftablesCreateUnreachable(nft, table, chainOutputUDP)
 			r.nftablesCreateMark(nft, table, chainOutputUDP)
 		} else {
-			r.nftablesCreateRedirect(nft, table, chainOutput, &expr.Meta{
+			err = r.nftablesCreateRedirect(nft, table, chainOutput, &expr.Meta{
 				Key:      expr.MetaKeyOIFNAME,
 				Register: 1,
 			}, &expr.Cmp{
 				Op:       expr.CmpOpEq,
 				Register: 1,
 				Data:     nftablesIfname(r.tunOptions.Name),
 			})
+			if err != nil {
+				return err
+			}
 		}
 	}
 
@@ -100,12 +123,25 @@ func (r *autoRedirect) setupNFTables() error {
 		return err
 	}
 	r.nftablesCreateUnreachable(nft, table, chainPreRouting)
-	r.nftablesCreateRedirect(nft, table, chainPreRouting)
-	if r.tunOptions.AutoRedirectMarkMode {
-		r.nftablesCreateMark(nft, table, chainPreRouting)
+	err = r.nftablesCreateRedirect(nft, table, chainPreRouting)
+	if err != nil {
+		return err
 	}
-
 	if r.tunOptions.AutoRedirectMarkMode {
+		r.nftablesCreateMark(nft, table, chainPreRouting)
+		if len(r.tunOptions.Inet4LoopbackAddress) > 0 || len(r.tunOptions.Inet6LoopbackAddress) > 0 {
+			chainPreRoutingFilter := nft.AddChain(&nftables.Chain{
+				Name:     "prerouting_filter",
+				Table:    table,
+				Hooknum:  nftables.ChainHookPrerouting,
+				Priority: nftables.ChainPriorityRef(*nftables.ChainPriorityNATDest + 1),
+				Type:     nftables.ChainTypeFilter,
+			})
+			err = r.nftablesCreateLoopbackReroute(nft, table, chainPreRoutingFilter)
+			if err != nil {
+				return err
+			}
+		}
 		chainPreRoutingUDP := nft.AddChain(&nftables.Chain{
 			Name:     "prerouting_udp",
 			Table:    table,

redirect_nftables_exprs.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/sagernet/nftables"
 	"github.com/sagernet/nftables/expr"
+	"github.com/sagernet/sing/common"
 
 	"go4.org/netipx"
 )
@@ -21,6 +22,20 @@ func nftablesCreateExcludeDestinationIPSet(
 	nft *nftables.Conn, table *nftables.Table, chain *nftables.Chain,
 	id uint32, name string, family nftables.TableFamily, invert bool,
 ) {
+	nft.AddRule(&nftables.Rule{
+		Table: table,
+		Chain: chain,
+		Exprs: append(
+			nftablesCreateDestinationIPSetExprs(id, name, family, invert),
+			&expr.Counter{},
+			&expr.Verdict{
+				Kind: expr.VerdictReturn,
+			},
+		),
+	})
+}
+
+func nftablesCreateDestinationIPSetExprs(id uint32, name string, family nftables.TableFamily, invert bool) []expr.Any {
 	exprs := []expr.Any{
 		&expr.Meta{
 			Key:      expr.MetaKeyNFPROTO,
@@ -53,22 +68,63 @@ func nftablesCreateExcludeDestinationIPSet(
 			},
 		)
 	}
-	exprs = append(exprs,
-		&expr.Lookup{
-			SourceRegister: 1,
-			SetID:          id,
-			SetName:        name,
-			Invert:         invert,
-		},
-		&expr.Counter{},
-		&expr.Verdict{
-			Kind: expr.VerdictReturn,
-		})
-	nft.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: chain,
-		Exprs: exprs,
+	exprs = append(exprs, &expr.Lookup{
+		SourceRegister: 1,
+		SetID:          id,
+		SetName:        name,
+		Invert:         invert,
 	})
+	return exprs
+}
+
+func nftablesCreateIPConst(
+	nft *nftables.Conn, table *nftables.Table, id uint32, name string, family nftables.TableFamily, addressList []netip.Addr,
+) (*nftables.Set, error) {
+	var keyType nftables.SetDatatype
+	if family == nftables.TableFamilyIPv4 {
+		keyType = nftables.TypeIPAddr
+	} else {
+		keyType = nftables.TypeIP6Addr
+	}
+	mySet := &nftables.Set{
+		Table:    table,
+		ID:       id,
+		Name:     name,
+		KeyType:  keyType,
+		Constant: true,
+	}
+	if id == 0 {
+		mySet.Anonymous = true
+	}
+	setElements := common.Map(addressList, func(addr netip.Addr) nftables.SetElement { return nftables.SetElement{Key: addr.AsSlice()} })
+	if id == 0 {
+		err := nft.AddSet(mySet, setElements)
+		if err != nil {
+			return nil, err
+		}
+		return mySet, nil
+	} else {
+		err := nft.AddSet(mySet, nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	for len(setElements) > 0 {
+		toAdd := setElements
+		if len(toAdd) > 1000 {
+			toAdd = toAdd[:1000]
+		}
+		setElements = setElements[len(toAdd):]
+		err := nft.SetAddElements(mySet, toAdd)
+		if err != nil {
+			return nil, err
+		}
+		err = nft.Flush()
+		if err != nil {
+			return nil, err
+		}
+	}
+	return mySet, nil
 }
 
 func nftablesCreateIPSet(