Use API to create windows firewall rule

2023-05-20 12:13:23 +08:00 · 2023-05-20 12:13:23 +08:00 · db4d86e5ea
parent 1ba267ed23
commit db4d86e5ea
6 changed files with 52 additions and 63 deletions
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -53,9 +53,8 @@
      "server_port": 8080
    }
  },
-  "experimental_fix_windows_firewall": false,
-  ...
-  // Listen Fields
+  
+  ... // Listen Fields
 }
 ```

@ -181,10 +180,10 @@ Exclude users in route, but in range.

 Limit android users in route.

-| Common user  | ID |
-|--------------|----|
-| Main         | 0  |
-| Work Profile | 10 |
+| Common user  | ID  |
+|--------------|-----|
+| Main         | 0   |
+| Work Profile | 10  |

 #### include_package

@ -202,12 +201,6 @@ Platform-specific settings, provided by client applications.

 System HTTP proxy settings.

-#### experimental_fix_windows_firewall
-
-Automatically add Windows firewall rules in order for the system stack to work.
-
-This causes some start delays and does not work with existing firewall rules.
-
 ### Listen Fields

 See [Listen Fields](/configuration/shared/listen) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -53,9 +53,8 @@
      "server_port": 8080
    }
  },
-  "experimental_fix_windows_firewall": false,
-  ...
-  // 监听字段
+  
+  ... // 监听字段
 }
 ```

@ -179,8 +178,8 @@ TCP/IP 栈。
 限制被路由的 Android 用户。

 | 常用用户 | ID |
-|------|----|
-| 您    | 0  |
+|--|-----|
+| 您 | 0 |
 | 工作资料 | 10 |

 #### include_package
@ -199,12 +198,6 @@ TCP/IP 栈。

 系统 HTTP 代理设置。

-#### experimental_fix_windows_firewall
-
-自动添加 Windows 防火墙规则，以使 system 栈正常工作。
-
-这会导致一些启动延迟，并且无法与现有防火墙规则一起使用。
-
 ### 监听字段

 参阅 [监听字段](/zh/configuration/shared/listen/)。
--- a/go.mod
+++ b/go.mod
@ -30,7 +30,7 @@ require (
 	github.com/sagernet/sing-shadowsocks v0.2.2-0.20230509053848-d83f8fe1194c
 	github.com/sagernet/sing-shadowsocks2 v0.0.0-20230512030659-23bb92c1eb97
 	github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b
-	github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204
+	github.com/sagernet/sing-tun v0.1.5-0.20230520041100-b02f2529160e
 	github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
@ -59,6 +59,7 @@ require (
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@ -80,6 +81,7 @@ require (
 	github.com/quic-go/qtls-go1-20 v0.1.0 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
+	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
--- a/go.sum
+++ b/go.sum
@ -31,6 +31,8 @@ github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
 github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
@ -123,8 +125,8 @@ github.com/sagernet/sing-shadowsocks2 v0.0.0-20230512030659-23bb92c1eb97 h1:Mc5d
 github.com/sagernet/sing-shadowsocks2 v0.0.0-20230512030659-23bb92c1eb97/go.mod h1:i6Eoor37Cy4JKBcelMMFfUVBNjqRYuvcqOBjUI3Zw80=
 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b h1:ouW/6IDCrxkBe19YSbdCd7buHix7b+UZ6BM4Zz74XF4=
 github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b/go.mod h1:oG8bPerYI6cZ74KquY3DvA7ynECyrILPBnce6wtBqeI=
-github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204 h1:V8eGGmvyjRtFDNmarASZGsTyyXz/gc/zStSxW/knc9E=
-github.com/sagernet/sing-tun v0.1.5-0.20230509102026-91df97aee204/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818=
+github.com/sagernet/sing-tun v0.1.5-0.20230520041100-b02f2529160e h1:fivkzQowiOPBafklJmNePBu/sr83rsY5SuSakvoJ2A0=
+github.com/sagernet/sing-tun v0.1.5-0.20230520041100-b02f2529160e/go.mod h1:6yju6cNdTow38IZHwcbFA3lHnHeSd5HG/zCzHyaxScI=
 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3 h1:BHOnxrbC929JonuKqFdJ7ZbDp7zs4oTlH5KFvKtWu9U=
 github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3/go.mod h1:yKrAr+dqZd64DxBXCHWrYicp+n4qbqO73mtwv3dck8U=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
@ -137,6 +139,8 @@ github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+V
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
 github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77 h1:g6QtRWQ2dKX7EQP++1JLNtw4C2TNxd4/ov8YUpOPOSo=
 github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77/go.mod h1:pJDdXzZIwJ+2vmnT0TKzmf8meeum+e2mTDSehw79eE0=
+github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
+github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@ -192,6 +196,7 @@ golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@ -38,7 +38,6 @@ type Tun struct {
 	tunStack               tun.Stack
 	platformInterface      platform.Interface
 	platformOptions        option.TunPlatformOptions
-	fixWindowsFirewall     bool
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
@ -96,7 +95,6 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		stack:                  options.Stack,
 		platformInterface:      platformInterface,
 		platformOptions:        common.PtrValueOrDefault(options.Platform),
-		fixWindowsFirewall:     options.ExperimentalFixWindowsFirewall,
 	}, nil
 }

@ -168,20 +166,19 @@ func (t *Tun) Start() error {
 		tunRouter = t
 	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
-		Context:                        t.ctx,
-		Tun:                            tunInterface,
-		MTU:                            t.tunOptions.MTU,
-		Name:                           t.tunOptions.Name,
-		Inet4Address:                   t.tunOptions.Inet4Address,
-		Inet6Address:                   t.tunOptions.Inet6Address,
-		EndpointIndependentNat:         t.endpointIndependentNat,
-		UDPTimeout:                     t.udpTimeout,
-		Router:                         tunRouter,
-		Handler:                        t,
-		Logger:                         t.logger,
-		ForwarderBindInterface:         t.platformInterface != nil,
-		InterfaceFinder:                t.router.InterfaceFinder(),
-		ExperimentalFixWindowsFirewall: t.fixWindowsFirewall,
+		Context:                t.ctx,
+		Tun:                    tunInterface,
+		MTU:                    t.tunOptions.MTU,
+		Name:                   t.tunOptions.Name,
+		Inet4Address:           t.tunOptions.Inet4Address,
+		Inet6Address:           t.tunOptions.Inet6Address,
+		EndpointIndependentNat: t.endpointIndependentNat,
+		UDPTimeout:             t.udpTimeout,
+		Router:                 tunRouter,
+		Handler:                t,
+		Logger:                 t.logger,
+		ForwarderBindInterface: t.platformInterface != nil,
+		InterfaceFinder:        t.router.InterfaceFinder(),
 	})
 	if err != nil {
 		return err
--- a/option/tun.go
+++ b/option/tun.go
@ -1,25 +1,24 @@
 package option

 type TunInboundOptions struct {
-	InterfaceName                  string                 `json:"interface_name,omitempty"`
-	MTU                            uint32                 `json:"mtu,omitempty"`
-	Inet4Address                   Listable[ListenPrefix] `json:"inet4_address,omitempty"`
-	Inet6Address                   Listable[ListenPrefix] `json:"inet6_address,omitempty"`
-	AutoRoute                      bool                   `json:"auto_route,omitempty"`
-	StrictRoute                    bool                   `json:"strict_route,omitempty"`
-	Inet4RouteAddress              Listable[ListenPrefix] `json:"inet4_route_address,omitempty"`
-	Inet6RouteAddress              Listable[ListenPrefix] `json:"inet6_route_address,omitempty"`
-	IncludeUID                     Listable[uint32]       `json:"include_uid,omitempty"`
-	IncludeUIDRange                Listable[string]       `json:"include_uid_range,omitempty"`
-	ExcludeUID                     Listable[uint32]       `json:"exclude_uid,omitempty"`
-	ExcludeUIDRange                Listable[string]       `json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser             Listable[int]          `json:"include_android_user,omitempty"`
-	IncludePackage                 Listable[string]       `json:"include_package,omitempty"`
-	ExcludePackage                 Listable[string]       `json:"exclude_package,omitempty"`
-	EndpointIndependentNat         bool                   `json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout                     int64                  `json:"udp_timeout,omitempty"`
-	Stack                          string                 `json:"stack,omitempty"`
-	ExperimentalFixWindowsFirewall bool                   `json:"experimental_fix_windows_firewall,omitempty"`
-	Platform                       *TunPlatformOptions    `json:"platform,omitempty"`
+	InterfaceName          string                 `json:"interface_name,omitempty"`
+	MTU                    uint32                 `json:"mtu,omitempty"`
+	Inet4Address           Listable[ListenPrefix] `json:"inet4_address,omitempty"`
+	Inet6Address           Listable[ListenPrefix] `json:"inet6_address,omitempty"`
+	AutoRoute              bool                   `json:"auto_route,omitempty"`
+	StrictRoute            bool                   `json:"strict_route,omitempty"`
+	Inet4RouteAddress      Listable[ListenPrefix] `json:"inet4_route_address,omitempty"`
+	Inet6RouteAddress      Listable[ListenPrefix] `json:"inet6_route_address,omitempty"`
+	IncludeUID             Listable[uint32]       `json:"include_uid,omitempty"`
+	IncludeUIDRange        Listable[string]       `json:"include_uid_range,omitempty"`
+	ExcludeUID             Listable[uint32]       `json:"exclude_uid,omitempty"`
+	ExcludeUIDRange        Listable[string]       `json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser     Listable[int]          `json:"include_android_user,omitempty"`
+	IncludePackage         Listable[string]       `json:"include_package,omitempty"`
+	ExcludePackage         Listable[string]       `json:"exclude_package,omitempty"`
+	EndpointIndependentNat bool                   `json:"endpoint_independent_nat,omitempty"`
+	UDPTimeout             int64                  `json:"udp_timeout,omitempty"`
+	Stack                  string                 `json:"stack,omitempty"`
+	Platform               *TunPlatformOptions    `json:"platform,omitempty"`
 	InboundOptions
 }