//go:build linux && !android package tun import ( "context" "net" "net/netip" "strconv" "sync" "github.com/vishvananda/netlink" "github.com/xtls/xray-core/common/errors" "github.com/xtls/xray-core/common/platform" "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/tcpip/link/fdbased" "gvisor.dev/gvisor/pkg/tcpip/stack" ) // LinuxTun is an object that handles tun network interface on linux // current version is heavily stripped to do nothing more, // then create a network interface, to be provided as file descriptor to gVisor ip stack type LinuxTun struct { tunFd int tunLink netlink.Link options *Config ownsTun bool systemRoutes []netlink.Route routeMonitorStop chan struct{} routeMonitorOnce sync.Once } // LinuxTun implements Tun var _ Tun = (*LinuxTun)(nil) // NewTun builds new tun interface handler (linux specific) func NewTun(options *Config) (Tun, error) { tunFd, tunLink, fdProvided, err := openFromEnv(options.Name) if err != nil { return nil, err } if fdProvided { return &LinuxTun{ tunFd: tunFd, tunLink: tunLink, options: options, }, nil } tunFd, err = open(options.Name) if err != nil { return nil, err } tunLink, err = setup(options.Name, int(options.MTU)) if err != nil { _ = unix.Close(tunFd) return nil, err } linuxTun := &LinuxTun{ tunFd: tunFd, tunLink: tunLink, options: options, ownsTun: true, } return linuxTun, nil } func openFromEnv(expectedName string) (int, netlink.Link, bool, error) { fdStr := platform.NewEnvFlag(platform.TunFdKey).GetValue(func() string { return "" }) if fdStr == "" { return -1, nil, false, nil } fd, err := strconv.Atoi(fdStr) if err != nil { return -1, nil, true, errors.New("invalid ", platform.TunFdKey).Base(err) } if fd < 3 { return -1, nil, true, errors.New("invalid ", platform.TunFdKey, ": file descriptor must be >= 3") } ifr, err := unix.NewIfreq("") if err != nil { return -1, nil, true, err } if err = unix.IoctlIfreq(fd, unix.TUNGETIFF, ifr); err != nil { return -1, nil, true, err } flags := ifr.Uint16() if flags&unix.IFF_TUN == 0 { return -1, nil, true, errors.New("invalid ", platform.TunFdKey, ": file descriptor is not a TUN device") } if flags&unix.IFF_NO_PI == 0 { return -1, nil, true, errors.New("invalid ", platform.TunFdKey, ": TUN device must use IFF_NO_PI") } actualName := ifr.Name() if expectedName != "" && actualName != expectedName { return -1, nil, true, errors.New("invalid ", platform.TunFdKey, ": TUN device name ", actualName, " does not match configured name ", expectedName) } tunLink, err := netlink.LinkByName(actualName) if err != nil { return -1, nil, true, err } if err = unix.SetNonblock(fd, true); err != nil { return -1, nil, true, err } return fd, tunLink, true, nil } // open the file that implements tun interface in the OS func open(name string) (int, error) { fd, err := unix.Open("/dev/net/tun", unix.O_RDWR, 0) if err != nil { return -1, err } ifr, err := unix.NewIfreq(name) if err != nil { _ = unix.Close(fd) return 0, err } flags := unix.IFF_TUN | unix.IFF_NO_PI ifr.SetUint16(uint16(flags)) err = unix.IoctlIfreq(fd, unix.TUNSETIFF, ifr) if err != nil { _ = unix.Close(fd) return 0, err } err = unix.SetNonblock(fd, true) if err != nil { _ = unix.Close(fd) return 0, err } return fd, nil } // setup the interface through netlink socket func setup(name string, MTU int) (netlink.Link, error) { tunLink, err := netlink.LinkByName(name) if err != nil { return nil, err } err = netlink.LinkSetMTU(tunLink, MTU) if err != nil { _ = netlink.LinkSetDown(tunLink) return nil, err } return tunLink, nil } // Start is called by handler to bring tun interface to life func (t *LinuxTun) Start() error { if !t.ownsTun { return nil } if err := netlink.LinkSetUp(t.tunLink); err != nil { return err } if err := t.setSystemRoutes(); err != nil { return err } if updater != nil { t.routeMonitorStop = make(chan struct{}) go t.monitorRouteChanges() } return nil } // Close is called to shut down the tun interface func (t *LinuxTun) Close() error { t.routeMonitorOnce.Do(func() { if t.routeMonitorStop != nil { close(t.routeMonitorStop) } }) _ = t.unsetSystemRoutes() if t.ownsTun { _ = netlink.LinkSetDown(t.tunLink) } _ = unix.Close(t.tunFd) return nil } func (t *LinuxTun) Name() (string, error) { return t.tunLink.Attrs().Name, nil } func (t *LinuxTun) Index() (int, error) { return t.tunLink.Attrs().Index, nil } // newEndpoint builds new gVisor stack.LinkEndpoint from the tun interface file descriptor func (t *LinuxTun) newEndpoint() (stack.LinkEndpoint, error) { return fdbased.New(&fdbased.Options{ FDs: []int{t.tunFd}, MTU: t.options.MTU, RXChecksumOffload: true, }) } func setinterface(network, address string, fd uintptr, iface *net.Interface) error { return unix.BindToDevice(int(fd), iface.Name) } func (t *LinuxTun) setSystemRoutes() error { if len(t.options.AutoSystemRoutingTable) == 0 { return nil } tunIndex := t.tunLink.Attrs().Index for _, cidr := range t.options.AutoSystemRoutingTable { prefix, err := netip.ParsePrefix(cidr) if err != nil { return errors.New("invalid system route ", cidr).Base(err) } prefix = prefix.Masked() _, ipNet, _ := net.ParseCIDR(prefix.String()) route := netlink.Route{ LinkIndex: tunIndex, Dst: ipNet, Priority: 1, } if err := netlink.RouteAdd(&route); err != nil { _ = t.unsetSystemRoutes() return errors.New("failed to add system route ", cidr).Base(err) } t.systemRoutes = append(t.systemRoutes, route) } return nil } func (t *LinuxTun) unsetSystemRoutes() error { var errs []error for i := len(t.systemRoutes) - 1; i >= 0; i-- { route := t.systemRoutes[i] if err := netlink.RouteDel(&route); err != nil { errs = append(errs, errors.New("failed to delete system route").Base(err)) } } t.systemRoutes = nil return errors.Combine(errs...) } func (t *LinuxTun) monitorRouteChanges() { routeCh := make(chan netlink.RouteUpdate) if err := netlink.RouteSubscribe(routeCh, t.routeMonitorStop); err != nil { errors.LogInfoInner(context.Background(), err, "[tun] failed to subscribe route changes") return } linkCh := make(chan netlink.LinkUpdate) if err := netlink.LinkSubscribe(linkCh, t.routeMonitorStop); err != nil { errors.LogInfoInner(context.Background(), err, "[tun] failed to subscribe link changes") return } for { select { case _, ok := <-routeCh: if !ok { return } if updater != nil { updater.Update() } case _, ok := <-linkCh: if !ok { return } if updater != nil { updater.Update() } case <-t.routeMonitorStop: return } } } func findOutboundInterface(tunIndex int, fixedName string) (*net.Interface, error) { if fixedName != "" { iface, err := net.InterfaceByName(fixedName) if err != nil { return nil, err } if iface.Index == tunIndex { return nil, errors.New("outbound interface cannot be the TUN interface") } return iface, nil } probeIPs := []net.IP{ net.ParseIP("8.8.8.8"), net.ParseIP("2001:4860:4860::8888"), } for _, ip := range probeIPs { routes, err := netlink.RouteGet(ip) if err != nil || len(routes) == 0 { continue } route := routes[0] if route.LinkIndex == tunIndex { continue } link, err := netlink.LinkByIndex(route.LinkIndex) if err != nil { continue } attrs := link.Attrs() if attrs.Flags&net.FlagUp == 0 { continue } operState := attrs.OperState if operState != netlink.OperUp && operState != netlink.OperUnknown { continue } if route.Src == nil || route.Src.IsLoopback() || route.Src.IsLinkLocalUnicast() { continue } iface, err := net.InterfaceByIndex(route.LinkIndex) if err != nil { continue } return iface, nil } return nil, errors.New("no usable outbound interface found") }