27 |
28 | ## Documents
29 | * [how to use with Raspberry Pi](./misc/docs/how-to-use-with-raspberry-pi.md)
30 | * [how to use kone in an ENT network](./misc/docs/kone-in-ent-network.md)
31 | * [how to make gotunnel & kone work together](./misc/docs/gotunnel-kone-work-together.md)
32 |
33 | ## License
34 | The MIT License (MIT) Copyright (c) 2016 xjdrew
35 |
--------------------------------------------------------------------------------
/cmd/kone/main.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-02-18
3 | // author: xjdrew
4 | //
5 |
6 | package main
7 |
8 | import (
9 | "flag"
10 | "fmt"
11 | "os"
12 |
13 | "github.com/op/go-logging"
14 | "github.com/xjdrew/kone"
15 | )
16 |
17 | var VERSION = "0.3-dev"
18 |
19 | var logger = logging.MustGetLogger("kone")
20 |
21 | func init() {
22 | logging.SetFormatter(logging.MustStringFormatter(
23 | `%{color}%{time:06-01-02 15:04:05.000} %{level:.4s} @%{shortfile}%{color:reset} %{message}`,
24 | ))
25 | logging.SetBackend(logging.NewLogBackend(os.Stdout, "", 0))
26 | }
27 |
28 | func main() {
29 | version := flag.Bool("version", false, "Get version info")
30 | debug := flag.Bool("debug", false, "Print debug info")
31 | config := flag.String("config", "config.ini", "config file")
32 | flag.Parse()
33 |
34 | if *version {
35 | fmt.Printf("Version: %s\n", VERSION)
36 | os.Exit(1)
37 | }
38 |
39 | if *debug {
40 | logging.SetLevel(logging.DEBUG, "kone")
41 | } else {
42 | logging.SetLevel(logging.INFO, "kone")
43 | }
44 |
45 | configFile := *config
46 | if configFile == "" {
47 | configFile = flag.Arg(0)
48 | }
49 | logger.Infof("using config file: %v", configFile)
50 |
51 | cfg, err := kone.ParseConfig(configFile)
52 | if err != nil {
53 | logger.Error(err.Error())
54 | os.Exit(2)
55 | }
56 |
57 | one, err := kone.FromConfig(cfg)
58 | if err != nil {
59 | logger.Error(err.Error())
60 | os.Exit(3)
61 | }
62 | one.Serve()
63 | }
64 |
--------------------------------------------------------------------------------
/cmd/kone/test.ini:
--------------------------------------------------------------------------------
1 | [General]
2 | # manager port
3 | manager-addr = "0.0.0.0:9200"
4 |
5 | # log level
6 | # log-level = 'verbose, info, notify, or warning'
7 |
8 | # nat config
9 | [Core]
10 | # outbound network interface
11 | # out = eth0
12 |
13 | # virtual network
14 |
15 | # tun name, auto allocate if not set
16 | # DEFAULT VALUE: ""
17 | # tun = tun0
18 |
19 | # inet addr/mask
20 | # DEFAULT VALUE: 10.192.0.1/16
21 | network = 10.192.0.1/16
22 |
23 | # tcp-listen-port = 82
24 | # tcp-nat-port-start = 10000
25 | # tcp-nat-port-end = 60000
26 |
27 | # udp-listen-port = 82
28 | # udp-nat-port-start = 10000
29 | # udp-nat-port-end = 60000
30 |
31 | # dns-listen-port = 53
32 |
33 | # dns-ttl = 600
34 | # dns-packet-size = 4096
35 | # dns-read-timeout = 5
36 | # dns-write-timeout = 5
37 |
38 | # set upstream dns
39 | # DEFAULT VALUE: system dns config
40 | # dns-server = 114.114.114.114,8.8.8.8
41 |
42 | [Proxy]
43 | # define a http proxy named "Proxy1"
44 | Proxy1 = http://example.com:23188
45 |
46 | # define a socks5 proxy named "Proxy2"
47 | Proxy2 = socks5://127.0.0.1:9080
48 |
49 | [Rule]
50 | # ALL domain's default rule is FINAL
51 | # ALL IP's default proxy is DIRECT
52 |
53 | # some applications use ip directly. To proxy these traffic, explicit routing rules need to be added.
54 | # eg: sudo ip route add 91.108.4.0/22 dev tun0
55 | IP-CIDR,91.108.4.0/22,Proxy1
56 | IP-CIDR,91.108.56.0/22,Proxy1
57 | IP-CIDR,109.239.140.0/24,Proxy1
58 | IP-CIDR,149.154.167.0/24,Proxy1
59 | IP-CIDR,172.16.0.0/16,DIRECT # ignore
60 | IP-CIDR,192.168.0.0/16,DIRECT # ignore
61 | IP-CIDR,208.31.254.33/32,Proxy1
62 |
63 | IP-CIDR,172.64.150.242/16,Proxy1
64 | IP-CIDR,104.18.37.14/16,Proxy1
65 |
66 | IP-CIDR6,2001:db8:abcd:8000::/50,DIRECT
67 |
68 | # match if the domain
69 | DOMAIN,www.twitter.com,Proxy1
70 | DOMAIN-SUFFIX,twitter.com,Proxy1
71 | DOMAIN-SUFFIX,telegram.org,Proxy1
72 | DOMAIN-KEYWORD,google,Proxy1
73 | DOMAIN-KEYWORD,taobao,DIRECT
74 | DOMAIN-KEYWORD,localhost,DIRECT
75 | DOMAIN-KEYWORD,baidu,REJECT
76 |
77 | # match if the GeoIP test result matches a specified country code
78 | # GEOIP,US,DIRECT
79 |
80 | # define default policy for requests which are not matched by any other rules
81 | FINAL,DIRECT
82 |
--------------------------------------------------------------------------------
/config.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2023-12-12
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "os"
10 | "strings"
11 | "unicode"
12 |
13 | "github.com/xjdrew/dnsconfig"
14 | "gopkg.in/ini.v1"
15 | )
16 |
17 | func init() {
18 | ini.PrettyFormat = true
19 | }
20 |
21 | const (
22 | HTTP_PROXY = "http_proxy"
23 | HTTPS_PROXY = "https_proxy"
24 | SOCKS_PROXY = "socks_proxy"
25 | )
26 |
27 | type GeneralConfig struct {
28 | ManagerAddr string `ini:"manager-addr"`
29 | LogLevel string `ini:"log-level"`
30 | }
31 |
32 | type CoreConfig struct {
33 | Tun string `ini:"tun"` // tun name
34 | Network string `ini:"network"` // tun network
35 | TcpListenPort uint16 `ini:"tcp-listen-port"`
36 | TcpNatPortStart uint16 `ini:"tcp-nat-port-start"`
37 | TcpNatPortEnd uint16 `ini:"tcp-nat-port-end"`
38 | UdpListenPort uint16 `ini:"udp-listen-port"`
39 | UdpNatPortStart uint16 `ini:"udp-nat-port-start"`
40 | UdpNatPortEnd uint16 `ini:"udp-nat-port-end"`
41 | DnsListenPort uint16 `ini:"dns-listen-port"`
42 | DnsTtl uint `ini:"dns-ttl"`
43 | DnsPacketSize uint16 `ini:"dns-packet-size"`
44 | DnsReadTimeout uint `ini:"dns-read-timeout"`
45 | DnsWriteTimeout uint `ini:"dns-write-timeout"`
46 | DnsServer []string `ini:"dns-server" delim:","`
47 | }
48 |
49 | type RuleConfig struct {
50 | Schema string
51 | Pattern string
52 | Proxy string
53 | }
54 |
55 | type KoneConfig struct {
56 | source interface{} // config source: file name or raw ini data
57 | inif *ini.File // parsed ini file
58 |
59 | General GeneralConfig
60 | Core CoreConfig
61 | Proxy map[string]string
62 | Rule []RuleConfig
63 | }
64 |
65 | func (cfg *KoneConfig) parseRule(sec *ini.Section) (err error) {
66 | keys := sec.KeyStrings()
67 |
68 | var ops []string
69 | for _, key := range keys {
70 | ops = strings.FieldsFunc(key, func(c rune) bool {
71 | if c == ',' || unicode.IsSpace(c) {
72 | return true
73 | }
74 | return false
75 | })
76 | logger.Debugf("%s %v", key, ops)
77 | if len(ops) == 3 { // ignore invalid format
78 | cfg.Rule = append(cfg.Rule, RuleConfig{
79 | Schema: ops[0],
80 | Pattern: ops[1],
81 | Proxy: ops[2],
82 | })
83 | }
84 | }
85 | if len(ops) == 2 { //final rule
86 | cfg.Rule = append(cfg.Rule, RuleConfig{
87 | Schema: ops[0],
88 | Proxy: ops[1],
89 | })
90 | }
91 | return nil
92 | }
93 |
94 | func (cfg *KoneConfig) check() (err error) {
95 | return nil
96 | }
97 |
98 | func (cfg *KoneConfig) GetSystemDnsservers() (servers []string) {
99 | config := dnsconfig.ReadDnsConfig()
100 | if config.Err != nil {
101 | logger.Warningf("read dns config failed: %v", config.Err)
102 | return []string{"114.114.114.114", "8.8.8.8"} // default
103 | }
104 | return config.Servers
105 | }
106 |
107 | func ParseConfig(source interface{}) (*KoneConfig, error) {
108 | cfg := new(KoneConfig)
109 | cfg.source = source
110 |
111 | // set default value
112 | cfg.Core.Network = "10.192.0.1/16"
113 | cfg.Core.TcpListenPort = 82
114 | cfg.Core.TcpNatPortStart = 10000
115 | cfg.Core.TcpNatPortEnd = 60000
116 |
117 | cfg.Core.UdpListenPort = 82
118 | cfg.Core.UdpNatPortStart = 10000
119 | cfg.Core.UdpNatPortEnd = 60000
120 |
121 | cfg.Core.DnsListenPort = DnsDefaultPort
122 | cfg.Core.DnsTtl = DnsDefaultTtl
123 | cfg.Core.DnsPacketSize = DnsDefaultPacketSize
124 | cfg.Core.DnsReadTimeout = DnsDefaultReadTimeout
125 | cfg.Core.DnsWriteTimeout = DnsDefaultWriteTimeout
126 |
127 | // decode config value
128 | f, err := ini.LoadSources(ini.LoadOptions{AllowBooleanKeys: true, KeyValueDelimiters: "="}, source)
129 | if err != nil {
130 | logger.Errorf("%v", err)
131 | return nil, err
132 | }
133 | cfg.inif = f
134 |
135 | err = f.MapTo(cfg)
136 | if err != nil {
137 | return nil, err
138 | }
139 |
140 | // init proxy
141 | if proxySection, err := f.GetSection("Proxy"); err == nil {
142 | cfg.Proxy = proxySection.KeysHash()
143 | }
144 |
145 | // read proxy from env
146 | if os.Getenv(HTTP_PROXY) != "" {
147 | cfg.Proxy[HTTP_PROXY] = os.Getenv(HTTP_PROXY)
148 | logger.Debugf("[env]set proxy %s=%s", HTTP_PROXY, cfg.Proxy[HTTP_PROXY])
149 | }
150 |
151 | if os.Getenv(HTTPS_PROXY) != "" {
152 | cfg.Proxy[HTTPS_PROXY] = os.Getenv(HTTPS_PROXY)
153 | logger.Debugf("[env]set proxy %s=%s", HTTPS_PROXY, cfg.Proxy[HTTPS_PROXY])
154 | }
155 |
156 | if os.Getenv(SOCKS_PROXY) != "" {
157 | cfg.Proxy[SOCKS_PROXY] = os.Getenv(SOCKS_PROXY)
158 | logger.Debugf("[env]set proxy %s=%s", SOCKS_PROXY, cfg.Proxy[SOCKS_PROXY])
159 | }
160 |
161 | // set backend dns default value
162 | if len(cfg.Core.DnsServer) == 0 {
163 | cfg.Core.DnsServer = cfg.GetSystemDnsservers()
164 | }
165 |
166 | // init rule
167 | if err := cfg.parseRule(f.Section("Rule")); err != nil {
168 | return nil, err
169 | }
170 |
171 | err = cfg.check()
172 | if err != nil {
173 | return nil, err
174 | }
175 |
176 | return cfg, nil
177 | }
178 |
--------------------------------------------------------------------------------
/config_test.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2023-12-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "testing"
10 |
11 | "github.com/stretchr/testify/assert"
12 | "github.com/stretchr/testify/require"
13 | )
14 |
15 | const (
16 | confData = `
17 | [General]
18 | manager-addr = "0.0.0.0:9200"
19 |
20 | [Core]
21 | network = 10.192.0.1/16
22 |
23 | tcp-listen-port = 82
24 | tcp-nat-port-start = 10000
25 | tcp-nat-port-end = 60000
26 |
27 | udp-listen-port = 82
28 | udp-nat-port-start = 10000
29 | udp-nat-port-end = 60000
30 |
31 | dns-listen-port = 53
32 | dns-ttl = 600
33 | dns-packet-size = 4096
34 | dns-read-timeout = 5
35 | dns-write-timeout = 5
36 | dns-server = 1.1.1.1,8.8.8.8
37 |
38 | [Proxy]
39 | # define a http proxy named "Proxy1"
40 | Proxy1 = http://proxy.example.com:8080
41 |
42 | # define a socks5 proxy named "Proxy2"
43 | Proxy2 = socks5://127.0.0.1:9080
44 |
45 | [Rule]
46 | IP-CIDR, 91.108.4.0/22, Proxy1 # rule 0
47 | IP-CIDR,91.108.56.0/22,Proxy1 # rule 1
48 | IP-CIDR,109.239.140.0/24,Proxy1
49 | IP-CIDR,149.154.167.0/24,Proxy1
50 | IP-CIDR,172.16.0.0/16,DIRECT
51 | IP-CIDR,192.168.0.0/16,DIRECT
52 |
53 | IP-CIDR6,2001:db8:abcd:8000::/50,DIRECT
54 |
55 | # match if the domain
56 | DOMAIN, www.twitter.com, Proxy1
57 | DOMAIN-SUFFIX,twitter.com,Proxy1
58 | DOMAIN-SUFFIX,telegram.org,Proxy1
59 | DOMAIN-KEYWORD,google,Proxy1
60 | DOMAIN-KEYWORD,localhost,DIRECT
61 | DOMAIN-KEYWORD,baidu,REJECT
62 |
63 | # match if the GeoIP test result matches a specified country code
64 | GEOIP,US,DIRECT # rule 13
65 |
66 | # define default policy for requests which are not matched by any other rules
67 | FINAL,DIRECT # rule 14
68 | `
69 | )
70 |
71 | func TestParseConfig(t *testing.T) {
72 | cfg, err := ParseConfig([]byte(confData))
73 |
74 | require.NoError(t, err)
75 | require.NotNil(t, cfg)
76 |
77 | assert.Equal(t, "0.0.0.0:9200", cfg.General.ManagerAddr)
78 |
79 | assert.Equal(t, "10.192.0.1/16", cfg.Core.Network)
80 |
81 | assert.Equal(t, uint16(82), cfg.Core.TcpListenPort)
82 | assert.Equal(t, uint16(10000), cfg.Core.TcpNatPortStart)
83 | assert.Equal(t, uint16(60000), cfg.Core.TcpNatPortEnd)
84 |
85 | assert.Equal(t, uint16(82), cfg.Core.UdpListenPort)
86 | assert.Equal(t, uint16(10000), cfg.Core.UdpNatPortStart)
87 | assert.Equal(t, uint16(60000), cfg.Core.UdpNatPortEnd)
88 |
89 | assert.Equal(t, uint16(53), cfg.Core.DnsListenPort)
90 | assert.Equal(t, uint(600), cfg.Core.DnsTtl)
91 | assert.Equal(t, uint16(4096), cfg.Core.DnsPacketSize)
92 | assert.Equal(t, uint(5), cfg.Core.DnsReadTimeout)
93 | assert.Equal(t, uint(5), cfg.Core.DnsWriteTimeout)
94 | assert.Equal(t, []string{"1.1.1.1", "8.8.8.8"}, cfg.Core.DnsServer)
95 |
96 | assert.Equal(t, "http://proxy.example.com:8080", cfg.Proxy["Proxy1"])
97 | assert.Equal(t, "socks5://127.0.0.1:9080", cfg.Proxy["Proxy2"])
98 |
99 | assert.Len(t, cfg.Rule, 15)
100 | assert.Equal(t, cfg.Rule[0].Schema, "IP-CIDR")
101 | assert.Equal(t, cfg.Rule[0].Pattern, "91.108.4.0/22")
102 | assert.Equal(t, cfg.Rule[0].Proxy, "Proxy1")
103 |
104 | assert.Equal(t, cfg.Rule[1].Schema, "IP-CIDR")
105 | assert.Equal(t, cfg.Rule[1].Pattern, "91.108.56.0/22")
106 | assert.Equal(t, cfg.Rule[1].Proxy, "Proxy1")
107 |
108 | assert.Equal(t, cfg.Rule[14].Schema, "FINAL")
109 | assert.Equal(t, cfg.Rule[14].Pattern, "")
110 | assert.Equal(t, cfg.Rule[14].Proxy, "DIRECT")
111 | }
112 |
--------------------------------------------------------------------------------
/dns.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "errors"
10 | "fmt"
11 | "strings"
12 | "sync"
13 | "time"
14 |
15 | "github.com/miekg/dns"
16 | "github.com/miekg/dns/dnsutil"
17 | )
18 |
19 | const (
20 | DnsDefaultPort = 53
21 | DnsDefaultTtl = 600
22 | DnsDefaultPacketSize = 4096
23 | DnsDefaultReadTimeout = 5
24 | DnsDefaultWriteTimeout = 5
25 | )
26 |
27 | var ErrResolve = errors.New("resolve timeout")
28 |
29 | type Dns struct {
30 | one *One
31 | server *dns.Server
32 | client *dns.Client
33 | nameservers []string
34 | }
35 |
36 | // query synchronously
37 | func (d *Dns) Resolve(domain string) (*dns.Msg, error) {
38 | r := new(dns.Msg)
39 | r.SetQuestion(dns.Fqdn(domain), dns.TypeA)
40 |
41 | return d.resolve(r)
42 | }
43 |
44 | func (d *Dns) resolve(r *dns.Msg) (*dns.Msg, error) {
45 | var wg sync.WaitGroup
46 | msgCh := make(chan *dns.Msg, 1)
47 |
48 | qname := r.Question[0].Name
49 |
50 | Q := func(ns string) {
51 | defer wg.Done()
52 |
53 | r, rtt, err := d.client.Exchange(r, ns)
54 | if err != nil {
55 | logger.Debugf("[dns] resolve %s on %s failed: %v", qname, ns, err)
56 | return
57 | }
58 |
59 | // remove this code
60 | if r.Rcode != dns.RcodeSuccess {
61 | logger.Debugf("[dns] resolve %s on %s failed: code %d", qname, ns, r.Rcode)
62 | return
63 | }
64 |
65 | logger.Debugf("[dns] resolve %s on %s, code: %d, rtt: %d", qname, ns, r.Rcode, rtt)
66 |
67 | select {
68 | case msgCh <- r:
69 | default:
70 | }
71 | }
72 |
73 | ticker := time.NewTicker(100 * time.Millisecond)
74 | defer ticker.Stop()
75 |
76 | for _, ns := range d.nameservers {
77 | wg.Add(1)
78 | go Q(ns)
79 |
80 | select {
81 | case r := <-msgCh:
82 | return r, nil
83 | case <-ticker.C:
84 | continue
85 | }
86 | }
87 |
88 | wg.Wait()
89 |
90 | select {
91 | case r := <-msgCh:
92 | return r, nil
93 | default:
94 | logger.Errorf("[dns] query %s timeout", qname)
95 | return nil, ErrResolve
96 | }
97 | }
98 |
99 | func (d *Dns) doIPv4Query(r *dns.Msg) (*dns.Msg, error) {
100 | one := d.one
101 |
102 | domain := dnsutil.TrimDomainName(r.Question[0].Name, ".")
103 | // short circuit: non proxy
104 | if one.dnsTable.IsNonProxyDomain(domain) {
105 | return d.resolve(r)
106 | }
107 |
108 | // short circuit: proxy
109 | record := one.dnsTable.Get(domain)
110 | if record != nil {
111 | return record.Answer(r), nil
112 | }
113 |
114 | // match by domain
115 | proxy := one.rule.Proxy(domain)
116 | if proxy != "DIRECT" {
117 | record := one.dnsTable.Set(domain, proxy)
118 | return record.Answer(r), nil
119 | }
120 |
121 | // match by IP & CNAME
122 | msg, err := d.resolve(r)
123 | if err != nil || len(msg.Answer) == 0 {
124 | return msg, err
125 | }
126 |
127 | for _, item := range msg.Answer {
128 | switch answer := item.(type) {
129 | case *dns.A:
130 | // test ip
131 | proxy = one.rule.Proxy(answer.A)
132 | if proxy != "DIRECT" {
133 | break
134 | }
135 | case *dns.CNAME:
136 | // test cname
137 | proxy = one.rule.Proxy(answer.Target)
138 | if proxy != "DIRECT" {
139 | break
140 | }
141 | default:
142 | logger.Noticef("[dns] unexpected response %s -> %v", domain, item)
143 | }
144 | }
145 |
146 | // if IP or CNAME use proxy
147 | if proxy != "DIRECT" {
148 | record := one.dnsTable.Set(domain, proxy)
149 | record.SetRealIP(msg)
150 | return record.Answer(r), nil
151 | } else {
152 | // set domain as a non-proxy-domain
153 | one.dnsTable.SetNonProxyDomain(domain, msg.Answer[0].Header().Ttl)
154 | // final
155 | return msg, err
156 | }
157 | }
158 |
159 | func isIPv4Query(q dns.Question) bool {
160 | if q.Qclass == dns.ClassINET && q.Qtype == dns.TypeA {
161 | return true
162 | }
163 | return false
164 | }
165 |
166 | func (d *Dns) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
167 | isIPv4 := isIPv4Query(r.Question[0])
168 |
169 | var msg *dns.Msg
170 | var err error
171 |
172 | if isIPv4 {
173 | msg, err = d.doIPv4Query(r)
174 | } else {
175 | msg, err = d.resolve(r)
176 | }
177 |
178 | if err != nil {
179 | dns.HandleFailed(w, r)
180 | } else {
181 | w.WriteMsg(msg)
182 | }
183 | }
184 |
185 | func (d *Dns) Serve() error {
186 | logger.Infof("[dns] listen on %s", d.server.Addr)
187 | return d.server.ListenAndServe()
188 | }
189 |
190 | func NewDns(one *One, cfg CoreConfig) (*Dns, error) {
191 | d := new(Dns)
192 | d.one = one
193 |
194 | dnsListenAddr := fmt.Sprintf("%s:%d", fixTunIP(one.ip), cfg.DnsListenPort)
195 | server := &dns.Server{
196 | Net: "udp",
197 | Addr: dnsListenAddr,
198 | Handler: dns.HandlerFunc(d.ServeDNS),
199 | UDPSize: int(cfg.DnsPacketSize),
200 | ReadTimeout: time.Duration(cfg.DnsReadTimeout) * time.Second,
201 | WriteTimeout: time.Duration(cfg.DnsWriteTimeout) * time.Second,
202 | }
203 |
204 | client := &dns.Client{
205 | Net: "udp",
206 | UDPSize: cfg.DnsPacketSize,
207 | ReadTimeout: time.Duration(cfg.DnsReadTimeout) * time.Second,
208 | WriteTimeout: time.Duration(cfg.DnsWriteTimeout) * time.Second,
209 | }
210 |
211 | d.server = server
212 | d.client = client
213 |
214 | for _, addr := range cfg.DnsServer {
215 | if !strings.Contains(addr, ":") {
216 | addr = addr + ":53"
217 | }
218 |
219 | if addr != dnsListenAddr { // don't add self
220 | d.nameservers = append(d.nameservers, addr)
221 | }
222 | }
223 | logger.Infof("[dns] updstream dns server: %v", d.nameservers)
224 | return d, nil
225 | }
226 |
--------------------------------------------------------------------------------
/dns_ip_pool.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-09-24
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "hash/adler32"
10 | "net"
11 |
12 | "github.com/xjdrew/kone/tcpip"
13 | )
14 |
15 | const DnsIPPoolMaxSpace = 0x3ffff // 4*65535
16 |
17 | type DnsIPPool struct {
18 | base uint32
19 | space uint32
20 | flags []bool
21 | }
22 |
23 | func (pool *DnsIPPool) Capacity() int {
24 | return int(pool.space)
25 | }
26 |
27 | func (pool *DnsIPPool) Contains(ip net.IP) bool {
28 | index := tcpip.ConvertIPv4ToUint32(ip) - pool.base
29 | return index < pool.space
30 | }
31 |
32 | func (pool *DnsIPPool) Release(ip net.IP) {
33 | index := tcpip.ConvertIPv4ToUint32(ip) - pool.base
34 | if index < pool.space {
35 | pool.flags[index] = false
36 | }
37 | }
38 |
39 | // use tips as a hint to find a stable index
40 | func (pool *DnsIPPool) Alloc(tips string) net.IP {
41 | index := adler32.Checksum([]byte(tips)) % pool.space
42 | if pool.flags[index] {
43 | logger.Debugf("[dns] %s is not in main index: %d", tips, index)
44 | for i, used := range pool.flags {
45 | if !used {
46 | index = uint32(i)
47 | break
48 | }
49 | }
50 | }
51 |
52 | if pool.flags[index] {
53 | return nil
54 | }
55 | pool.flags[index] = true
56 | return tcpip.ConvertUint32ToIPv4(pool.base + index)
57 | }
58 |
59 | func NewDnsIPPool(ip net.IP, subnet *net.IPNet) *DnsIPPool {
60 | base := tcpip.ConvertIPv4ToUint32(subnet.IP) + 1
61 | max := base + ^tcpip.ConvertIPv4ToUint32(net.IP(subnet.Mask))
62 |
63 | // space should not over 0x3ffff
64 | space := max - base
65 | if space > DnsIPPoolMaxSpace {
66 | space = DnsIPPoolMaxSpace
67 | }
68 | flags := make([]bool, space)
69 |
70 | // ip is used by tun
71 | index := tcpip.ConvertIPv4ToUint32(ip) - base
72 | if index < space {
73 | flags[index] = true
74 | }
75 |
76 | return &DnsIPPool{
77 | base: base,
78 | space: space,
79 | flags: flags,
80 | }
81 | }
82 |
--------------------------------------------------------------------------------
/dns_table.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "fmt"
10 | "net"
11 | "sync"
12 | "time"
13 |
14 | "github.com/miekg/dns"
15 | )
16 |
17 | // hijacked domain
18 | type DomainRecord struct {
19 | Hostname string // hostname
20 | Proxy string // proxy
21 |
22 | IP net.IP // nat ip
23 | RealIP net.IP // real ip
24 | Hits int
25 | Expires time.Time
26 |
27 | answer *dns.A // cache dns answer
28 | }
29 |
30 | func (record *DomainRecord) SetRealIP(msg *dns.Msg) {
31 | if record.RealIP != nil {
32 | return
33 | }
34 |
35 | for _, item := range msg.Answer {
36 | switch answer := item.(type) {
37 | case *dns.A:
38 | record.RealIP = answer.A
39 | logger.Debugf("[dns] %s real ip: %s", record.Hostname, answer.A)
40 | return
41 | }
42 | }
43 | }
44 |
45 | func (record *DomainRecord) Answer(request *dns.Msg) *dns.Msg {
46 | rsp := new(dns.Msg)
47 | rsp.SetReply(request)
48 | rsp.RecursionAvailable = true
49 | rsp.Answer = append(rsp.Answer, record.answer)
50 | return rsp
51 | }
52 |
53 | func (record *DomainRecord) Touch() {
54 | record.Hits++
55 | record.Expires = time.Now().Add(DnsDefaultTtl * time.Second)
56 | }
57 |
58 | type DnsTable struct {
59 | ipNet *net.IPNet // local network
60 | ipPool *DnsIPPool // dns ip pool
61 |
62 | // hijacked domain records
63 | records map[string]*DomainRecord // domain -> record
64 | ip2Domain map[string]string // ip -> domain: map hijacked ip address to domain
65 | recordsLock sync.Mutex // protect records and ip2Domain
66 |
67 | nonProxyDomains map[string]time.Time // non proxy domain
68 | npdLock sync.Mutex // protect non proxy domain
69 | }
70 |
71 | func (c *DnsTable) IsLocalIP(ip net.IP) bool {
72 | return c.ipNet.Contains(ip)
73 | }
74 |
75 | func (c *DnsTable) get(domain string) *DomainRecord {
76 | record := c.records[domain]
77 | if record != nil {
78 | record.Touch()
79 | }
80 | return record
81 | }
82 |
83 | func (c *DnsTable) GetByIP(ip net.IP) *DomainRecord {
84 | c.recordsLock.Lock()
85 | defer c.recordsLock.Unlock()
86 | if domain, ok := c.ip2Domain[ip.String()]; ok {
87 | return c.get(domain)
88 | }
89 | return nil
90 | }
91 |
92 | func (c *DnsTable) Contains(ip net.IP) bool {
93 | return c.ipPool.Contains(ip)
94 | }
95 |
96 | func (c *DnsTable) Get(domain string) *DomainRecord {
97 | c.recordsLock.Lock()
98 | defer c.recordsLock.Unlock()
99 | return c.get(domain)
100 | }
101 |
102 | // forge a IPv4 dns reply
103 | func forgeIPv4Answer(domain string, ip net.IP) *dns.A {
104 | rr := new(dns.A)
105 | rr.Hdr = dns.RR_Header{Name: dns.Fqdn(domain), Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: DnsDefaultTtl}
106 | rr.A = ip.To4()
107 | return rr
108 | }
109 |
110 | func (c *DnsTable) Set(domain string, proxy string) *DomainRecord {
111 | c.recordsLock.Lock()
112 | defer c.recordsLock.Unlock()
113 | record := c.records[domain]
114 | if record != nil {
115 | record.Touch()
116 | return record
117 | }
118 |
119 | // alloc a ip
120 | ip := c.ipPool.Alloc(domain)
121 | if ip == nil {
122 | panic(fmt.Sprintf("[dns] ip space is used up, domain:%s", domain))
123 | }
124 |
125 | record = new(DomainRecord)
126 | record.IP = ip
127 | record.Hostname = domain
128 | record.Proxy = proxy
129 | record.answer = forgeIPv4Answer(domain, ip)
130 |
131 | c.records[domain] = record
132 | c.ip2Domain[ip.String()] = domain
133 | logger.Debugf("[dns] hijack %s -> %s", domain, ip.String())
134 |
135 | record.Touch()
136 | return record
137 | }
138 |
139 | func (c *DnsTable) IsNonProxyDomain(domain string) bool {
140 | c.npdLock.Lock()
141 | defer c.npdLock.Unlock()
142 | _, ok := c.nonProxyDomains[domain]
143 | return ok
144 | }
145 |
146 | func (c *DnsTable) SetNonProxyDomain(domain string, ttl uint32) {
147 | c.npdLock.Lock()
148 | defer c.npdLock.Unlock()
149 | c.nonProxyDomains[domain] = time.Now().Add(time.Duration(ttl) * time.Second)
150 | logger.Debugf("[dns] set non proxy domain: %s, ttl: %d", domain, ttl)
151 | }
152 |
153 | func (c *DnsTable) clearExpiredNonProxyDomain(now time.Time) {
154 | c.npdLock.Lock()
155 | defer c.npdLock.Unlock()
156 | for domain, expired := range c.nonProxyDomains {
157 | if expired.Before(now) {
158 | delete(c.nonProxyDomains, domain)
159 | logger.Debugf("[dns] release expired non proxy domain: %s", domain)
160 | }
161 | }
162 | }
163 |
164 | func (c *DnsTable) ClearNonProxyDomain() {
165 | c.npdLock.Lock()
166 | defer c.npdLock.Unlock()
167 | for domain := range c.nonProxyDomains {
168 | delete(c.nonProxyDomains, domain)
169 | logger.Debugf("[dns] release non proxy domain: %s", domain)
170 |
171 | }
172 | }
173 |
174 | func (c *DnsTable) clearExpiredDomain(now time.Time) {
175 | c.recordsLock.Lock()
176 | defer c.recordsLock.Unlock()
177 |
178 | threshold := 1000
179 | if threshold > c.ipPool.Capacity()/10 {
180 | threshold = c.ipPool.Capacity() / 10
181 | }
182 |
183 | if len(c.records) <= threshold {
184 | return
185 | }
186 |
187 | for domain, record := range c.records {
188 | if !record.Expires.Before(now) {
189 | continue
190 | }
191 | delete(c.records, domain)
192 | delete(c.ip2Domain, record.IP.String())
193 | c.ipPool.Release(record.IP)
194 | logger.Debugf("[dns] release %s -> %s, hit: %d", domain, record.IP.String(), record.Hits)
195 | }
196 | }
197 |
198 | func (c *DnsTable) Serve() error {
199 | tick := time.NewTicker(60 * time.Second)
200 | for now := range tick.C {
201 | c.clearExpiredDomain(now)
202 | //TODO: is it necessary?
203 | c.clearExpiredNonProxyDomain(now)
204 | }
205 | return nil
206 | }
207 |
208 | func NewDnsTable(ip net.IP, subnet *net.IPNet) *DnsTable {
209 | c := new(DnsTable)
210 | c.ipNet = subnet
211 | c.ipPool = NewDnsIPPool(ip, subnet)
212 | c.records = make(map[string]*DomainRecord)
213 | c.ip2Domain = make(map[string]string)
214 | c.nonProxyDomains = make(map[string]time.Time)
215 | return c
216 | }
217 |
--------------------------------------------------------------------------------
/filters.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "io"
10 |
11 | "github.com/xjdrew/kone/tcpip"
12 | )
13 |
14 | type PacketFilter interface {
15 | Filter(wr io.Writer, p tcpip.IPv4Packet)
16 | }
17 |
18 | type PacketFilterFunc func(wr io.Writer, p tcpip.IPv4Packet)
19 |
20 | func (f PacketFilterFunc) Filter(wr io.Writer, p tcpip.IPv4Packet) {
21 | f(wr, p)
22 | }
23 |
24 | func icmpFilterFunc(wr io.Writer, ipPacket tcpip.IPv4Packet) {
25 | icmpPacket := tcpip.ICMPPacket(ipPacket.Payload())
26 | if icmpPacket.Type() == tcpip.ICMPRequest && icmpPacket.Code() == 0 {
27 | logger.Debugf("[icmp filter] ping %s > %s", ipPacket.SourceIP(), ipPacket.DestinationIP())
28 | // forge a reply
29 | icmpPacket.SetType(tcpip.ICMPEcho)
30 | srcIP := ipPacket.SourceIP()
31 | dstIP := ipPacket.DestinationIP()
32 | ipPacket.SetSourceIP(dstIP)
33 | ipPacket.SetDestinationIP(srcIP)
34 |
35 | icmpPacket.ResetChecksum()
36 | ipPacket.ResetChecksum()
37 | wr.Write(ipPacket)
38 | } else {
39 | logger.Debugf("icmp: %s -> %s", ipPacket.SourceIP(), ipPacket.DestinationIP())
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/geoip/geoip_test.go:
--------------------------------------------------------------------------------
1 | package geoip
2 |
3 | import (
4 | "net"
5 | "testing"
6 | )
7 |
8 | var cases = map[string]string{
9 | "1.208.0.0": "KR",
10 | "114.114.114.114": "CN",
11 | "101.226.103.106": "CN",
12 | "14.17.32.211": "CN",
13 | "8.8.8.8": "US",
14 | "183.79.227.111": "JP",
15 | "255.255.255.255": "",
16 | "192.168.0.1": "",
17 | "224.0.0.1": "",
18 | }
19 |
20 | func TestQuery(t *testing.T) {
21 | for ip, country := range cases {
22 | result := QueryCountryByString(ip)
23 | if country != result {
24 | t.Errorf("failed on: %s:%s ! %s", ip, country, result)
25 | }
26 | }
27 |
28 | for v, country := range cases {
29 | ip := net.ParseIP(v)
30 | result := QueryCountryByIP(ip)
31 | if country != result {
32 | t.Errorf("failed on: %s:%s ! %s", ip, country, result)
33 | }
34 | }
35 | }
36 |
37 | func BenchmarkQuery(b *testing.B) {
38 | var i uint32 = 1
39 | for ; i < 1000000; i++ {
40 | QueryCountry(i)
41 | }
42 | }
43 |
--------------------------------------------------------------------------------
/geoip/query.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package geoip
7 |
8 | import (
9 | "net"
10 | "sort"
11 | )
12 |
13 | var (
14 | geoIPLen = len(geoIP)
15 | )
16 |
17 | func QueryCountry(ip uint32) string {
18 | i := sort.Search(geoIPLen, func(i int) bool {
19 | n := geoIP[i]
20 | return n.End >= ip
21 | })
22 |
23 | var country string
24 | if i < geoIPLen {
25 | n := geoIP[i]
26 | if n.Start <= ip {
27 | country = n.Name
28 | }
29 | }
30 | return country
31 | }
32 |
33 | func QueryCountryByIP(ip net.IP) string {
34 | ip = ip.To4()
35 | if ip == nil {
36 | return ""
37 | }
38 |
39 | v := uint32(ip[0]) << 24
40 | v += uint32(ip[1]) << 16
41 | v += uint32(ip[2]) << 8
42 | v += uint32(ip[3])
43 | return QueryCountry(v)
44 | }
45 |
46 | func QueryCountryByString(v string) string {
47 | ip := net.ParseIP(v)
48 | if ip == nil {
49 | return ""
50 | }
51 | return QueryCountryByIP(ip)
52 | }
53 |
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/xjdrew/kone
2 |
3 | go 1.21.5
4 |
5 | require (
6 | github.com/miekg/dns v1.1.57
7 | github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
8 | github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
9 | github.com/stretchr/testify v1.8.4
10 | github.com/thecodeteam/goodbye v0.0.0-20170927022442-a83968bda2d3
11 | gopkg.in/ini.v1 v1.67.0
12 | )
13 |
14 | require (
15 | github.com/davecgh/go-spew v1.1.1 // indirect
16 | github.com/pmezard/go-difflib v1.0.0 // indirect
17 | github.com/xjdrew/dnsconfig v0.0.0-20240104111907-3ab1a6f060b1
18 | golang.org/x/mod v0.14.0 // indirect
19 | golang.org/x/net v0.19.0 // indirect
20 | golang.org/x/sys v0.15.0 // indirect
21 | golang.org/x/tools v0.16.1 // indirect
22 | gopkg.in/yaml.v3 v3.0.1 // indirect
23 | )
24 |
--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
2 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
3 | github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
4 | github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
5 | github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
6 | github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
7 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
8 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
9 | github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D9tmUCz4VNwm9MfrtPr0SU2qSX8=
10 | github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8/go.mod h1:P5HUIBuIWKbyjl083/loAegFkfbFNx5i2qEP4CNbm7E=
11 | github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
12 | github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
13 | github.com/thecodeteam/goodbye v0.0.0-20170927022442-a83968bda2d3 h1:COy7ekr2jBEd34npP2LvMTqk9UtiLkuvkjiJFHihlTo=
14 | github.com/thecodeteam/goodbye v0.0.0-20170927022442-a83968bda2d3/go.mod h1:ehwM4AFY4byYSorQbigh79cKUOUNL3pAOz5eCAQNlGI=
15 | github.com/xjdrew/dnsconfig v0.0.0-20240104111907-3ab1a6f060b1 h1:8zrZIsWKgXLNQedGAPwaYK4OZ8EwWf/hWZhsvTD3MW4=
16 | github.com/xjdrew/dnsconfig v0.0.0-20240104111907-3ab1a6f060b1/go.mod h1:/6pBv59OGlUWZwToHJ7Aj5jBuWZJJArx0fRDpHoYJtI=
17 | golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
18 | golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
19 | golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
20 | golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
21 | golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
22 | golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
23 | golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
24 | golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
25 | golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
26 | golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
27 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
28 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
29 | gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
30 | gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
31 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
32 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
33 |
--------------------------------------------------------------------------------
/manager.go:
--------------------------------------------------------------------------------
1 | package kone
2 |
3 | import (
4 | "bytes"
5 | "fmt"
6 | "html/template"
7 | "io"
8 | "net/http"
9 | "strings"
10 | "time"
11 | )
12 |
13 | const masterTmpl = `
14 | {{define "header"}}
15 |
16 |
17 |
18 | | Total Hosts | {{.TotalHosts}} |
|---|---|
| Total Websites | {{.TotalWebistes}} |
| Total Proxies | {{.TotalProxies}} |
| Total Traffic | {{formatNumberComma .TotalTraffic}} |
| Upload Traffic | {{formatNumberComma .UploadTraffic}} |
| Download Traffic | {{formatNumberComma .DownloadTraffic}} |
| Uptime | {{.Uptime}} |
| Now | {{.Now.Format "2006-01-02 15:04:05.000"}} |
| Name | 100 |Total | 101 |Upload | 102 |Download | 103 |Last | 104 |
|---|---|---|---|---|
| 108 | {{if $.HasDetail}} 109 | {{.Name}} 110 | {{else}} 111 | {{.Name}} 112 | {{end}} 113 | | 114 |{{sumInt64 .Upload .Download | formatNumberComma}} | 115 |{{formatNumberComma .Upload}} | 116 |{{formatNumberComma .Download}} | 117 |{{.Touch.Format "2006-01-02 15:04:05.000"}} | 118 |
| Name | 140 |Total | 141 |Upload | 142 |Download | 143 |Last | 144 |
|---|---|---|---|---|
| {{.EndPoint}} | 148 |{{sumInt64 .Upload .Download | formatNumberComma}} | 149 |{{formatNumberComma .Upload}} | 150 |{{formatNumberComma .Download}} | 151 |{{.Touch.Format "2006-01-02 15:04:05.000"}} | 152 |
| Hostname | 170 |Address | 171 |Proxy | 172 |Hits | 173 |Expires | 174 |
|---|---|---|---|---|
| {{.Hostname}} | 178 |{{.IP}} | 179 |{{.Proxy}} | 180 |{{.Hits}} | 181 |{{.Expires.Format "2006-01-02 15:04:05.000"}}{{if .Expires.Before $.Now}}[expired]{{end}} | 182 |
| Source | 198 |
|---|
{{.Source}} |
201 |
3 |
4 | ## 准备工作
5 | * 企业网关服务器(4G内存,i3以上的CPU),假设网关的IP是192.168.1.1,企业内部所有设备的default gateway都配置成192.168.1.1。当然,这台网关可能不是一台linux,而是一台商业网关服务器,只要它支持路由配置,都属于一台称职的网关服务器,本案例假设这台网关是一台标准的linux服务器。
6 | * [PC/手机] ----> [网关192.168.1.1] -----> [Internet]
7 |
8 | * 一个用于xx的httpproxy/sock5proxy服务器。是的,kone本身并不是一个proxy实现,kone的作用只是把路由请求转发到proxy server上
9 |
10 | ## 过程
11 | * 检查你的httpproxy/sock5proxy是否工作正常
12 | ```
13 | curl -x http://myproxy:2080 https://www.google.com.hk
14 | ```
15 | * 在网关上启动kone,配置文件参考example.ini
16 | ```
17 | [general]
18 | network = 10.19.0.1/16
19 | ...
20 | [dns]
21 | # DEFAULT VALUE: 53
22 | # dns-port = 53
23 | nameserver = 192.168.1.1
24 | ...
25 | [proxy "A"]
26 | url = http://myproxy:2080
27 | default = yes
28 | ```
29 | * 查看kone是否启动成功,缺省会创建虚拟网口tun0,IP地址为10.19.0.1,同时10.19.0.1也是一个新的DNS服务器
30 | ```
31 | >ifconfig tun0
32 | tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
33 | inet addr:10.19.0.1 P-t-P:10.19.0.1 Mask:255.255.0.0
34 | UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
35 | ```
36 |
37 | * 在PC/手机上,把DNS服务器改成10.19.0.1,dig www.google.com.hk 测试是否返回一个10.19.x.x的地址池地址,如果返回的地址正常说明kone工作正常
38 | ```
39 | >dig www.google.com.hk @10.19.0.1
40 | ;; ANSWER SECTION:
41 | www.google.com.hk. 600 IN A 10.19.0.55
42 | ```
43 | * 改动企业网内部的DHCPD服务器,把缺省DNS服务器改为10.19.0.1,则企业内部的设备会自动使用kone实现透明xx
44 | * 一个200人的企业网络,httpproxy/sock5proxy至少需要3M带宽可以保证google/facebook/twitter等的访问,如果需要流畅的看youtube 720P,则带宽起码需要10M
45 |
--------------------------------------------------------------------------------
/misc/docs/squid.conf:
--------------------------------------------------------------------------------
1 | acl SSL_ports port 443
2 | acl Safe_ports port 1-65535 # unregistered ports
3 | acl CONNECT method CONNECT
4 | acl HEAD method HEAD
5 |
6 | http_access deny !Safe_ports
7 | #http_access deny CONNECT !SSL_ports
8 | #http_access allow localhost manager
9 | http_access deny manager
10 | http_access allow localhost
11 | http_access deny all
12 |
13 | http_port 127.0.0.1:3128
14 |
15 | coredump_dir /var/spool/squid3
16 |
17 | # based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
18 |
19 | #All File
20 | refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 1440 100% 129600 reload-into-ims
21 | refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
22 | refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 1440 100% 129600 reload-into-ims
23 | refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 1440 100% 129600 reload-into-ims
24 | refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 1440 100% 129600 reload-into-ims
25 | refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 1440 100% 129600 reload-into-ims
26 |
27 | refresh_pattern -i \.(doc|pdf)$ 1440 50% 43200 reload-into-ims
28 | refresh_pattern -i \.(html|htm)$ 1440 50% 40320 reload-into-ims
29 |
30 | refresh_pattern ^ftp: 1440 20% 10080
31 | refresh_pattern ^gopher: 1440 0% 1440
32 | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
33 | refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
34 | refresh_pattern . 0 20% 4320
35 |
36 | # http options
37 | via off
38 |
39 | # memory cache options
40 | cache_mem 512 MB
41 | maximum_object_size_in_memory 256 KB
42 |
43 | # disk cache
44 | #cache_dir diskd /var/spool/squid3 10240 16 256
45 | #maximum_object_size 20480 KB
46 |
47 | # timeouts
48 | # forward_timeout 10 seconds
49 | # connect_timeout 10 seconds
50 | # read_timeout 10 seconds
51 | # write_timeout 10 seconds
52 | # client_lifetime 59 minutes
53 | # request_timeout 30 seconds
54 | half_closed_clients off
55 |
56 | #
57 | forwarded_for delete
58 | dns_v4_first on
59 | ipcache_size 4096
60 | dns_nameservers 8.8.8.8 208.67.222.222 8.8.4.4 208.67.220.220
61 |
62 | # error page
63 | cache_mgr admin@example.com
64 | visible_hostname example.com
65 | email_err_data off
66 | err_page_stylesheet none
67 |
--------------------------------------------------------------------------------
/misc/images/kone.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xjdrew/kone/9c896fdc18b1ae6b266223ea5a16307a6ddc55d6/misc/images/kone.png
--------------------------------------------------------------------------------
/misc/images/kone_webui.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xjdrew/kone/9c896fdc18b1ae6b266223ea5a16307a6ddc55d6/misc/images/kone_webui.png
--------------------------------------------------------------------------------
/misc/windows/README.md:
--------------------------------------------------------------------------------
1 | # use kone in Windows
2 |
3 | ## 预设条件
4 | 1. 安装 tap-windows (NDIS 6)
5 |
6 | * [tap-windows](https://community.openvpn.net/openvpn/wiki/GettingTapWindows)
7 | * [直接下载](https://build.openvpn.net/downloads/releases/tap-windows-9.21.0.exe)
8 |
9 | 2. 配置防火墙,允许kone重定向连接
10 | 使用管理员权限启动 PowerShell,执行`update-firewall-rules.ps1`。
11 |
12 | > 请注意修改 `update-firewall-rules.ps1` 脚本中 Program 参数为kone实际路径。
13 | > 关于Windows防火墙的更多信息,参考:
14 | > * [Manage Windows Firewall with the command line](https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell)
15 | > * [NetSecurity](https://learn.microsoft.com/en-us/powershell/module/netsecurity/?view=windowsserver2022-ps)
16 |
17 | 3. 编译&运行kone方式同linux
--------------------------------------------------------------------------------
/misc/windows/check-firewall-rules.ps1:
--------------------------------------------------------------------------------
1 | #Requires -Version 3
2 | #Requires -Modules NetSecurity
3 |
4 | $List = Get-NetFirewallRule -Enabled True -Action Allow -Description 'Work with Kone.' | Where-Object { 'Kone' -eq $_.DisplayName }
5 | $Report = foreach ($Rule in $List)
6 | {
7 | $Program = (Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $Rule).Program
8 |
9 | @{
10 | Profile = $Rule.Profile
11 | Enabled = $Rule.Enabled
12 | Action = $Rule.Action
13 | Protocol = (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $Rule).Protocol
14 | Program = $Program
15 | IsPathValid = Test-Path -PathType Leaf -LiteralPath $Program
16 | }
17 | }
18 | $Report
19 | Pause
--------------------------------------------------------------------------------
/misc/windows/update-firewall-rules.ps1:
--------------------------------------------------------------------------------
1 | # $Program should direct to execute file
2 | Remove-NetFirewallRule -Description "Work with Kone." -ErrorAction SilentlyContinue
3 | 'TCP', 'UDP' | ForEach-Object {
4 | New-NetFirewallRule `
5 | -DisplayName "Kone" `
6 | -Profile "Any" `
7 | -Description "Work with Kone." `
8 | -Direction Inbound `
9 | -Protocol $_ `
10 | -Action Allow `
11 | -Program "E:\go\github\kone\kone.exe" `
12 | | Out-Null
13 | }
--------------------------------------------------------------------------------
/nat.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "net"
10 | "time"
11 | )
12 |
13 | const (
14 | NatSessionLifeSeconds = 600
15 | NatSessionCheckInterval = 300
16 | )
17 |
18 | type NatTable struct {
19 | from uint16
20 | to uint16
21 |
22 | next uint16 // next avaliable port
23 | h2Port map[uint64]uint16
24 | mapped []bool
25 | }
26 |
27 | func hashAddr(ip net.IP, port uint16) uint64 {
28 | v := uint64(ip[0]) << 40
29 | v += uint64(ip[1]) << 32
30 | v += uint64(ip[2]) << 24
31 | v += uint64(ip[3]) << 16
32 | v += uint64(port)
33 | return v
34 | }
35 |
36 | func (tbl *NatTable) Unmap(ip net.IP, port uint16) {
37 | h := hashAddr(ip, port)
38 | if port, ok := tbl.h2Port[h]; ok {
39 | delete(tbl.h2Port, h)
40 | tbl.mapped[port-tbl.from] = false
41 | }
42 | }
43 |
44 | // return: mapped port, is new mapped
45 | func (tbl *NatTable) Map(ip net.IP, port uint16) (uint16, bool) {
46 | h := hashAddr(ip, port)
47 | if port, ok := tbl.h2Port[h]; ok {
48 | return port, false
49 | }
50 |
51 | from := tbl.from
52 | to := tbl.to
53 | next := tbl.next
54 | var i uint16
55 | for ; i < to-from; i++ {
56 | next = next + i
57 | if next >= to {
58 | next = next%to + from
59 | }
60 |
61 | if tbl.mapped[next-from] {
62 | continue
63 | }
64 | tbl.mapped[next-from] = true
65 | tbl.h2Port[h] = next
66 | tbl.next = next + 1
67 | return next, true
68 | }
69 | return 0, false
70 | }
71 |
72 | func (tbl *NatTable) Count() int {
73 | return len(tbl.h2Port)
74 | }
75 |
76 | type NatSession struct {
77 | srcIP net.IP
78 | dstIP net.IP
79 | srcPort uint16
80 | dstPort uint16
81 | lastTouch int64
82 | }
83 |
84 | type Nat struct {
85 | tbl *NatTable
86 | sessions []*NatSession
87 |
88 | checkThreshold int
89 | lastCheck int64
90 | }
91 |
92 | func (nat *Nat) getSession(port uint16) *NatSession {
93 | if port < nat.tbl.from || port >= nat.tbl.to {
94 | return nil
95 | }
96 |
97 | session := nat.sessions[port-nat.tbl.from]
98 | if session != nil {
99 | session.lastTouch = time.Now().Unix()
100 | }
101 |
102 | return session
103 | }
104 |
105 | func (nat *Nat) allocSession(srcIP, dstIP net.IP, srcPort, dstPort uint16) (bool, uint16) {
106 | now := time.Now().Unix()
107 | nat.clearExpiredSessions(now)
108 |
109 | tbl := nat.tbl
110 | port, isNew := tbl.Map(srcIP, srcPort)
111 | if isNew {
112 | session := &NatSession{
113 | srcIP: srcIP,
114 | dstIP: dstIP,
115 | srcPort: srcPort,
116 | dstPort: dstPort,
117 | lastTouch: now,
118 | }
119 | nat.sessions[port-tbl.from] = session
120 | }
121 | return isNew, port
122 | }
123 |
124 | func (nat *Nat) clearExpiredSessions(now int64) {
125 | if now-nat.lastCheck < NatSessionCheckInterval {
126 | return
127 | }
128 |
129 | if nat.count() < nat.checkThreshold {
130 | return
131 | }
132 |
133 | nat.lastCheck = now
134 | for index, session := range nat.sessions {
135 | if session != nil && now-session.lastTouch >= NatSessionLifeSeconds {
136 | nat.sessions[index] = nil
137 | nat.tbl.Unmap(session.srcIP, session.srcPort)
138 | }
139 | }
140 | }
141 |
142 | func (nat *Nat) count() int {
143 | return nat.tbl.Count()
144 | }
145 |
146 | // port range [from, to)
147 | func NewNat(from, to uint16) *Nat {
148 | count := to - from
149 | tbl := &NatTable{
150 | from: from,
151 | to: to,
152 | next: from,
153 | h2Port: make(map[uint64]uint16, count),
154 | mapped: make([]bool, count),
155 | }
156 |
157 | logger.Infof("nat port range [%d, %d)", from, to)
158 |
159 | return &Nat{
160 | tbl: tbl,
161 | sessions: make([]*NatSession, count),
162 | checkThreshold: int(count) / 10,
163 | }
164 | }
165 |
--------------------------------------------------------------------------------
/nat_test.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "math/rand"
10 | "net"
11 | "testing"
12 | "time"
13 | )
14 |
15 | func TestNatAlloc(t *testing.T) {
16 | var from uint16 = 10
17 | var to uint16 = 20
18 | nat := NewNat(from, to)
19 |
20 | srcIP := net.ParseIP("127.0.0.1")
21 | dstIP := srcIP
22 |
23 | // map all ports
24 | for i := from; i < to; i++ {
25 | _, port := nat.allocSession(srcIP, dstIP, i, i)
26 | if i != port {
27 | t.Error("alloc session failed")
28 | return
29 | }
30 | }
31 |
32 | // release all sessions
33 | now := time.Now().Unix() + NatSessionLifeSeconds
34 | nat.clearExpiredSessions(now)
35 | if nat.count() != 0 {
36 | t.Error("release session failed")
37 | return
38 | }
39 |
40 | // test get session
41 | srcPort := uint16(rand.Int())
42 | dstPort := uint16(rand.Int())
43 | _, port := nat.allocSession(srcIP, dstIP, srcPort, dstPort)
44 | session := nat.getSession(port)
45 | if session == nil {
46 | t.Error("get session failed")
47 | return
48 | }
49 |
50 | if !net.IP.Equal(session.srcIP, srcIP) || !net.IP.Equal(session.dstIP, dstIP) ||
51 | session.srcPort != srcPort || session.dstPort != dstPort {
52 | t.Error("check session failed")
53 | return
54 | }
55 | }
56 |
57 | func BenchmarkNat(b *testing.B) {
58 | var from uint16 = 10000
59 | var to uint16 = 60000
60 | nat := NewNat(from, to)
61 |
62 | srcIP := net.ParseIP("127.0.0.1")
63 | dstIP := srcIP
64 |
65 | // map all ports
66 | for i := from; i < to; i++ {
67 | _, port := nat.allocSession(srcIP, dstIP, i, i)
68 | if i != port {
69 | b.Error("alloc session failed")
70 | }
71 | }
72 |
73 | // release all sessions
74 | now := time.Now().Unix() + NatSessionLifeSeconds
75 | nat.clearExpiredSessions(now)
76 | if nat.count() != 0 {
77 | b.Error("release session failed")
78 | }
79 | }
80 |
--------------------------------------------------------------------------------
/one.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "net"
10 | "sync"
11 |
12 | "github.com/op/go-logging"
13 | "github.com/xjdrew/kone/tcpip"
14 | )
15 |
16 | var logger = logging.MustGetLogger("kone")
17 |
18 | type One struct {
19 | // tun ip
20 | ip net.IP
21 |
22 | // tun virtual network
23 | subnet *net.IPNet
24 |
25 | rule *Rule
26 | dnsTable *DnsTable
27 | proxies *Proxies
28 |
29 | dns *Dns
30 | tcpRelay *TCPRelay
31 | udpRelay *UDPRelay
32 | tun *TunDriver
33 | manager *Manager
34 | }
35 |
36 | func (one *One) Serve() {
37 | var wg sync.WaitGroup
38 |
39 | runAndWait := func(f func() error) {
40 | defer wg.Done()
41 | err := f()
42 | logger.Errorf("%v", err)
43 | }
44 |
45 | wg.Add(5)
46 | go runAndWait(one.dnsTable.Serve)
47 | go runAndWait(one.dns.Serve)
48 | go runAndWait(one.tcpRelay.Serve)
49 | go runAndWait(one.udpRelay.Serve)
50 | go runAndWait(one.tun.Serve)
51 | if one.manager != nil {
52 | wg.Add(1)
53 | go runAndWait(one.manager.Serve)
54 | }
55 | wg.Wait()
56 | }
57 |
58 | func (one *One) Reload(cfg *KoneConfig) error {
59 | one.rule = NewRule(cfg.Rule)
60 | one.dnsTable.ClearNonProxyDomain()
61 | return nil
62 | }
63 |
64 | func FromConfig(cfg *KoneConfig) (*One, error) {
65 | ip, subnet, _ := net.ParseCIDR(cfg.Core.Network)
66 |
67 | logger.Infof("[tun] ip:%s, subnet: %s", ip, subnet)
68 |
69 | one := &One{
70 | ip: ip.To4(),
71 | subnet: subnet,
72 | }
73 |
74 | // new rule
75 | one.rule = NewRule(cfg.Rule)
76 |
77 | // new dns cache
78 | one.dnsTable = NewDnsTable(ip, subnet)
79 |
80 | var err error
81 |
82 | // new dns
83 | if one.dns, err = NewDns(one, cfg.Core); err != nil {
84 | return nil, err
85 | }
86 |
87 | if one.proxies, err = NewProxies(one, cfg.Proxy); err != nil {
88 | return nil, err
89 | }
90 |
91 | one.tcpRelay = NewTCPRelay(one, cfg.Core)
92 | one.udpRelay = NewUDPRelay(one, cfg.Core)
93 |
94 | filters := map[tcpip.IPProtocol]PacketFilter{
95 | tcpip.ICMP: PacketFilterFunc(icmpFilterFunc),
96 | tcpip.TCP: one.tcpRelay,
97 | tcpip.UDP: one.udpRelay,
98 | }
99 |
100 | if one.tun, err = NewTunDriver(ip, subnet, filters); err != nil {
101 | return nil, err
102 | }
103 |
104 | // set tun as all IP-CIDR rule output
105 | for _, pattern := range one.rule.patterns {
106 | switch p := pattern.(type) {
107 | case IPCIDRPattern:
108 | one.tun.AddRoute(p.ipNet)
109 | }
110 | }
111 |
112 | // new manager
113 | one.manager = NewManager(one, cfg)
114 | return one, nil
115 | }
116 |
--------------------------------------------------------------------------------
/pattern.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "net"
10 | "strings"
11 |
12 | "github.com/xjdrew/kone/geoip"
13 | "github.com/xjdrew/kone/tcpip"
14 | )
15 |
16 | type Pattern interface {
17 | Proxy() string
18 | Match(val interface{}) bool
19 | }
20 |
21 | // DOMAIN
22 | type DomainPattern struct {
23 | proxy string
24 | domain string
25 | }
26 |
27 | func (p DomainPattern) Proxy() string {
28 | return p.proxy
29 | }
30 |
31 | func (p DomainPattern) Match(val interface{}) bool {
32 | v, ok := val.(string)
33 | if !ok {
34 | return false
35 | }
36 |
37 | v = strings.ToLower(v)
38 | return v == p.domain
39 | }
40 |
41 | func NewDomainPattern(proxy, domain string) Pattern {
42 | return DomainPattern{
43 | proxy: proxy,
44 | domain: strings.ToLower(domain),
45 | }
46 | }
47 |
48 | // DOMAIN-SUFFIX
49 | type DomainSuffixPattern struct {
50 | proxy string
51 | suffix string
52 | }
53 |
54 | func (p DomainSuffixPattern) Proxy() string {
55 | return p.proxy
56 | }
57 |
58 | func (p DomainSuffixPattern) Match(val interface{}) bool {
59 | v, ok := val.(string)
60 | if !ok {
61 | return false
62 | }
63 |
64 | v = strings.ToLower(v)
65 | return strings.HasSuffix(v, p.suffix)
66 | }
67 |
68 | func NewDomainSuffixPattern(proxy, suffix string) Pattern {
69 | return DomainSuffixPattern{
70 | proxy: proxy,
71 | suffix: strings.ToLower(suffix),
72 | }
73 | }
74 |
75 | // DOMAIN-KEYWORD
76 | type DomainKeywordPattern struct {
77 | proxy string
78 | key string
79 | }
80 |
81 | func (p DomainKeywordPattern) Proxy() string {
82 | return p.proxy
83 | }
84 |
85 | func (p DomainKeywordPattern) Match(val interface{}) bool {
86 | v, ok := val.(string)
87 | if !ok {
88 | return false
89 | }
90 | v = strings.ToLower(v)
91 | return strings.Contains(v, p.key)
92 | }
93 |
94 | func NewDomainKeywordPattern(proxy string, key string) Pattern {
95 | return DomainKeywordPattern{
96 | proxy: proxy,
97 | key: strings.ToLower(key),
98 | }
99 | }
100 |
101 | // GEOIP
102 | type GEOIPPattern struct {
103 | proxy string
104 | country string
105 | }
106 |
107 | func (p GEOIPPattern) Proxy() string {
108 | return p.proxy
109 | }
110 |
111 | func (p GEOIPPattern) Match(val interface{}) bool {
112 | var country string
113 | switch ip := val.(type) {
114 | case uint32:
115 | country = geoip.QueryCountry(ip)
116 | case net.IP:
117 | country = geoip.QueryCountryByIP(ip)
118 | }
119 |
120 | return p.country == country
121 | }
122 |
123 | func NewGEOIPPattern(proxy string, country string) Pattern {
124 | return GEOIPPattern{
125 | proxy: proxy,
126 | country: country,
127 | }
128 | }
129 |
130 | // IP-CIDR
131 | type IPCIDRPattern struct {
132 | proxy string
133 | ipNet *net.IPNet
134 | }
135 |
136 | func (p IPCIDRPattern) Proxy() string {
137 | return p.proxy
138 | }
139 |
140 | func (p IPCIDRPattern) Match(val interface{}) bool {
141 | switch ip := val.(type) {
142 | case net.IP:
143 | return p.ipNet.Contains(ip)
144 | case uint32:
145 | return p.ipNet.Contains(tcpip.ConvertUint32ToIPv4(ip))
146 | }
147 |
148 | return false
149 | }
150 |
151 | func NewIPCIDRPattern(proxy string, ipNet *net.IPNet) Pattern {
152 | return IPCIDRPattern{
153 | proxy: proxy,
154 | ipNet: ipNet,
155 | }
156 | }
157 |
158 | // FINAL
159 | type FinalPattern struct {
160 | proxy string
161 | }
162 |
163 | func (p FinalPattern) Proxy() string {
164 | return p.proxy
165 | }
166 |
167 | func (p FinalPattern) Match(val interface{}) bool {
168 | return true
169 | }
170 |
171 | func NewFinalPattern(proxy string) FinalPattern {
172 | return FinalPattern{proxy: proxy}
173 | }
174 |
175 | func CreatePattern(rc RuleConfig) Pattern {
176 | proxy := rc.Proxy
177 | pattern := rc.Pattern
178 | schema := strings.ToUpper(rc.Schema)
179 |
180 | switch schema {
181 | case "DOMAIN":
182 | return NewDomainPattern(proxy, pattern)
183 | case "DOMAIN-SUFFIX":
184 | return NewDomainSuffixPattern(proxy, pattern)
185 | case "DOMAIN-KEYWORD":
186 | return NewDomainKeywordPattern(proxy, pattern)
187 | case "IP-CIDR":
188 | fallthrough
189 | case "IP-CIDR6":
190 | if proxy == "DIRECT" { // all IPNet default proxy is DIRECT
191 | logger.Debugf("skip DIRECT rule: %s,%s,%s", rc.Schema, rc.Pattern, rc.Proxy)
192 | return nil
193 | }
194 | _, ipNet, err := net.ParseCIDR(pattern)
195 | if err == nil {
196 | return NewIPCIDRPattern(proxy, ipNet)
197 | }
198 | case "GEOIP":
199 | return NewGEOIPPattern(proxy, pattern)
200 | case "FINAL":
201 | return NewFinalPattern(proxy)
202 | }
203 | logger.Errorf("invalid rule: %s,%s,%s", rc.Schema, rc.Pattern, rc.Proxy)
204 | return nil
205 | }
206 |
--------------------------------------------------------------------------------
/pattern_test.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "net"
10 | "testing"
11 |
12 | "github.com/xjdrew/kone/tcpip"
13 |
14 | "github.com/stretchr/testify/assert"
15 | )
16 |
17 | func TestDomainPattern(t *testing.T) {
18 | pattern := NewDomainPattern("A", "Example.com")
19 | assert.Equal(t, "A", pattern.Proxy())
20 | assert.True(t, pattern.Match("example.com"))
21 | assert.True(t, pattern.Match("Example.Com")) // case insensitive
22 | assert.False(t, pattern.Match("api.example.com")) // suffix
23 | assert.False(t, pattern.Match("1example.com"))
24 | assert.False(t, pattern.Match("example.hk"))
25 | assert.False(t, pattern.Match("example.com.hk"))
26 | }
27 |
28 | func TestDomainSuffixPattern(t *testing.T) {
29 | pattern := NewDomainSuffixPattern("A", "Example.com")
30 | assert.Equal(t, "A", pattern.Proxy())
31 | assert.True(t, pattern.Match("example.com"))
32 | assert.True(t, pattern.Match("Example.Com")) // case insensitive
33 | assert.True(t, pattern.Match("api.example.com")) // suffix
34 | assert.True(t, pattern.Match("1example.com"))
35 | assert.False(t, pattern.Match("example.hk"))
36 | assert.False(t, pattern.Match("example.com.hk"))
37 | }
38 |
39 | func TestDomainKeywordPattern(t *testing.T) {
40 | pattern := NewDomainKeywordPattern("A", "Example.com")
41 | assert.Equal(t, "A", pattern.Proxy())
42 | assert.True(t, pattern.Match("example.com"))
43 | assert.True(t, pattern.Match("Example.Com")) // case insensitive
44 | assert.True(t, pattern.Match("api.example.com")) // suffix
45 | assert.True(t, pattern.Match("1example.com"))
46 | assert.False(t, pattern.Match("example.hk"))
47 | assert.True(t, pattern.Match("example.com.hk"))
48 | }
49 |
50 | func TestIPCountryPattern(t *testing.T) {
51 | pattern := NewGEOIPPattern("A", "US")
52 | assert.Equal(t, "A", pattern.Proxy())
53 | assert.True(t, pattern.Match(net.ParseIP("216.58.197.99"))) // google.hk
54 | assert.False(t, pattern.Match(net.ParseIP("110.242.68.66"))) // baidu.com, china
55 | }
56 |
57 | func TestIPCIDRPattern(t *testing.T) {
58 | _, ipNet, _ := net.ParseCIDR("192.168.100.1/16")
59 | pattern := NewIPCIDRPattern("D", ipNet)
60 | assert.Equal(t, "D", pattern.Proxy())
61 | assert.False(t, pattern.Match(net.ParseIP("192.167.255.255")))
62 | assert.True(t, pattern.Match(net.ParseIP("192.168.0.0")))
63 | assert.True(t, pattern.Match(net.ParseIP("192.168.255.255")))
64 | assert.True(t, pattern.Match(net.ParseIP("192.168.108.255")))
65 | assert.False(t, pattern.Match(tcpip.ConvertIPv4ToUint32(net.ParseIP("192.167.255.255"))))
66 | assert.True(t, pattern.Match(tcpip.ConvertIPv4ToUint32(net.ParseIP("192.168.0.0"))))
67 | assert.True(t, pattern.Match(tcpip.ConvertIPv4ToUint32(net.ParseIP("192.168.255.255"))))
68 | assert.True(t, pattern.Match(tcpip.ConvertIPv4ToUint32(net.ParseIP("192.168.108.255"))))
69 | }
70 |
--------------------------------------------------------------------------------
/proxies.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "fmt"
10 | "net"
11 | "strings"
12 |
13 | "github.com/xjdrew/kone/proxy"
14 | )
15 |
16 | type Proxies struct {
17 | proxies map[string]*proxy.Proxy
18 | }
19 |
20 | func (p *Proxies) Dial(pname string, addr string) (net.Conn, error) {
21 | logger.Debugf("[proxy] dail host %s by proxy %s", addr, pname)
22 | dialer := p.proxies[pname]
23 | if dialer != nil {
24 | return dialer.Dial("tcp", addr)
25 | }
26 | return nil, fmt.Errorf("no proxy: %s", pname)
27 | }
28 |
29 | func NewProxies(one *One, config map[string]string) (*Proxies, error) {
30 | p := &Proxies{}
31 |
32 | proxies := make(map[string]*proxy.Proxy)
33 | for pname, url := range config {
34 | proxy, err := proxy.FromUrl(url)
35 | if err != nil {
36 | return nil, err
37 | }
38 |
39 | logger.Debugf("[proxy] add proxy %s = %s", pname, url)
40 | proxies[pname] = proxy
41 |
42 | // don't hijack proxy domain
43 | host := proxy.Url.Host
44 | index := strings.IndexByte(proxy.Url.Host, ':')
45 | if index > 0 {
46 | host = proxy.Url.Host[:index]
47 | }
48 | one.rule.DirectDomain(host)
49 | }
50 | p.proxies = proxies
51 | return p, nil
52 | }
53 |
--------------------------------------------------------------------------------
/proxy/README.md:
--------------------------------------------------------------------------------
1 | # proxy
2 | Origin from [proxy](github.com/xjdrew/proxy)
3 |
4 | supported proxy client:
5 | * socks5
6 | * http
7 | * https
8 |
--------------------------------------------------------------------------------
/proxy/direct.go:
--------------------------------------------------------------------------------
1 | package proxy
2 |
3 | import (
4 | "net"
5 | )
6 |
7 | type direct struct{}
8 |
9 | // Direct is a direct proxy: one that makes network connections directly.
10 | var Direct = direct{}
11 |
12 | func (direct) Dial(network, addr string) (net.Conn, error) {
13 | return net.Dial(network, addr)
14 | }
15 |
--------------------------------------------------------------------------------
/proxy/http.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-02-18
3 | // author: xjdrew
4 | //
5 | package proxy
6 |
7 | import (
8 | "bufio"
9 | "encoding/base64"
10 | "errors"
11 | "net"
12 | "net/http"
13 | "net/url"
14 | )
15 |
16 | type http11 struct {
17 | addr string
18 | user *url.Userinfo
19 | forward Dialer
20 | }
21 |
22 | func basicAuth(username, password string) string {
23 | auth := username + ":" + password
24 | return base64.StdEncoding.EncodeToString([]byte(auth))
25 | }
26 |
27 | func (h *http11) Dial(network, addr string) (net.Conn, error) {
28 | conn, err := h.forward.Dial(network, h.addr)
29 | if err != nil {
30 | return nil, err
31 | }
32 |
33 | req := &http.Request{
34 | Method: "CONNECT",
35 | URL: &url.URL{
36 | Host: addr,
37 | },
38 | Proto: "HTTP/1.1",
39 | ProtoMajor: 1,
40 | ProtoMinor: 1,
41 | Header: make(http.Header),
42 | }
43 |
44 | req.Header.Set("Proxy-Connection", "keep-alive")
45 |
46 | // req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
47 |
48 | if h.user != nil {
49 | if password, ok := h.user.Password(); ok {
50 | req.Header.Set("Proxy-Authorization", "Basic "+basicAuth(h.user.Username(), password))
51 | }
52 | }
53 |
54 | if err = req.Write(conn); err != nil {
55 | conn.Close()
56 | return nil, err
57 | }
58 |
59 | var resp *http.Response
60 | resp, err = http.ReadResponse(bufio.NewReader(conn), nil)
61 | if err != nil {
62 | conn.Close()
63 | return nil, err
64 | }
65 |
66 | //defer resp.Body.Close()
67 | if resp.StatusCode != http.StatusOK {
68 | conn.Close()
69 | return nil, errors.New(resp.Status)
70 | }
71 |
72 | return conn, nil
73 | }
74 |
75 | func init() {
76 | registerDialerType("http", func(url *url.URL, forward Dialer) (Dialer, error) {
77 | return &http11{
78 | addr: url.Host,
79 | user: url.User,
80 | forward: forward,
81 | }, nil
82 | })
83 | }
84 |
--------------------------------------------------------------------------------
/proxy/https.go:
--------------------------------------------------------------------------------
1 | package proxy
2 |
3 | import (
4 | "crypto/tls"
5 | "net"
6 | "net/url"
7 | "strings"
8 | )
9 |
10 | type tlsDialer struct {
11 | forward Dialer
12 | }
13 |
14 | func hostname(addr string) string {
15 | colonPos := strings.LastIndex(addr, ":")
16 | if colonPos == -1 {
17 | return addr
18 | }
19 | return addr[:colonPos]
20 | }
21 |
22 | func (h *tlsDialer) Dial(network, addr string) (net.Conn, error) {
23 | conn, err := h.forward.Dial(network, addr)
24 | if err != nil {
25 | return nil, err
26 | }
27 | tlsConn := tls.Client(conn, &tls.Config{
28 | ServerName: hostname(addr),
29 | })
30 | return tlsConn, nil
31 | }
32 |
33 | func init() {
34 | registerDialerType("https", func(url *url.URL, forward Dialer) (Dialer, error) {
35 | dialer := &tlsDialer{
36 | forward: forward,
37 | }
38 | return &http11{
39 | addr: url.Host,
40 | user: url.User,
41 | forward: dialer,
42 | }, nil
43 | })
44 | }
45 |
--------------------------------------------------------------------------------
/proxy/proxy.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package proxy
7 |
8 | import (
9 | "errors"
10 | "net"
11 | "net/url"
12 | )
13 |
14 | // A Dialer is a means to establish a connection.
15 | type Dialer interface {
16 | // Dial connects to the given address via the proxy.
17 | Dial(network, addr string) (c net.Conn, err error)
18 | }
19 |
20 | // proxySchemes is a map from URL schemes to a function that creates a Dialer
21 | // from a URL with such a scheme.
22 | var proxySchemes = make(map[string]func(*url.URL, Dialer) (Dialer, error))
23 |
24 | // RegisterDialerType takes a URL scheme and a function to generate Dialers from
25 | // a URL with that scheme and a forwarding Dialer. Registered schemes are used
26 | // by FromURL.
27 | func registerDialerType(scheme string, f func(*url.URL, Dialer) (Dialer, error)) {
28 | proxySchemes[scheme] = f
29 | }
30 |
31 | func getDialerByURL(u *url.URL, forward Dialer) (Dialer, error) {
32 | if f, ok := proxySchemes[u.Scheme]; ok {
33 | return f(u, forward)
34 | }
35 | return nil, errors.New("proxy: unknown scheme: " + u.Scheme)
36 | }
37 |
38 | type Proxy struct {
39 | Url *url.URL
40 | dialer Dialer
41 | }
42 |
43 | func (p *Proxy) Dial(network, addr string) (net.Conn, error) {
44 | return p.dialer.Dial(network, addr)
45 | }
46 |
47 | func FromUrl(rawurl string) (*Proxy, error) {
48 | u, err := url.Parse(rawurl)
49 | if err != nil {
50 | return nil, err
51 | }
52 |
53 | dailer, err := getDialerByURL(u, Direct)
54 | if err != nil {
55 | return nil, err
56 | }
57 |
58 | proxy := &Proxy{
59 | Url: u,
60 | dialer: dailer,
61 | }
62 |
63 | return proxy, nil
64 | }
65 |
--------------------------------------------------------------------------------
/proxy/socks5.go:
--------------------------------------------------------------------------------
1 | package proxy
2 |
3 | import (
4 | "errors"
5 | "io"
6 | "net"
7 | "net/url"
8 | "strconv"
9 | )
10 |
11 | type socks5 struct {
12 | user, password string
13 | network, addr string
14 | forward Dialer
15 | }
16 |
17 | const socks5Version = 5
18 |
19 | const (
20 | socks5AuthNone = 0
21 | socks5AuthPassword = 2
22 | )
23 |
24 | const socks5Connect = 1
25 |
26 | const (
27 | socks5IP4 = 1
28 | socks5Domain = 3
29 | socks5IP6 = 4
30 | )
31 |
32 | var socks5Errors = []string{
33 | "",
34 | "general failure",
35 | "connection forbidden",
36 | "network unreachable",
37 | "host unreachable",
38 | "connection refused",
39 | "TTL expired",
40 | "command not supported",
41 | "address type not supported",
42 | }
43 |
44 | // Dial connects to the address addr on the network net via the SOCKS5 proxy.
45 | func (s *socks5) Dial(network, addr string) (net.Conn, error) {
46 | switch network {
47 | case "tcp", "tcp6", "tcp4":
48 | default:
49 | return nil, errors.New("proxy: no support for SOCKS5 proxy connections of type " + network)
50 | }
51 |
52 | conn, err := s.forward.Dial(s.network, s.addr)
53 | if err != nil {
54 | return nil, err
55 | }
56 | if err := s.connect(conn, addr); err != nil {
57 | conn.Close()
58 | return nil, err
59 | }
60 | return conn, nil
61 | }
62 |
63 | // connect takes an existing connection to a socks5 proxy server,
64 | // and commands the server to extend that connection to target,
65 | // which must be a canonical address with a host and port.
66 | func (s *socks5) connect(conn net.Conn, target string) error {
67 | host, portStr, err := net.SplitHostPort(target)
68 | if err != nil {
69 | return err
70 | }
71 |
72 | port, err := strconv.Atoi(portStr)
73 | if err != nil {
74 | return errors.New("proxy: failed to parse port number: " + portStr)
75 | }
76 | if port < 1 || port > 0xffff {
77 | return errors.New("proxy: port number out of range: " + portStr)
78 | }
79 |
80 | // the size here is just an estimate
81 | buf := make([]byte, 0, 6+len(host))
82 |
83 | buf = append(buf, socks5Version)
84 | if len(s.user) > 0 && len(s.user) < 256 && len(s.password) < 256 {
85 | buf = append(buf, 2 /* num auth methods */, socks5AuthNone, socks5AuthPassword)
86 | } else {
87 | buf = append(buf, 1 /* num auth methods */, socks5AuthNone)
88 | }
89 |
90 | if _, err := conn.Write(buf); err != nil {
91 | return errors.New("proxy: failed to write greeting to SOCKS5 proxy at " + s.addr + ": " + err.Error())
92 | }
93 |
94 | if _, err := io.ReadFull(conn, buf[:2]); err != nil {
95 | return errors.New("proxy: failed to read greeting from SOCKS5 proxy at " + s.addr + ": " + err.Error())
96 | }
97 | if buf[0] != 5 {
98 | return errors.New("proxy: SOCKS5 proxy at " + s.addr + " has unexpected version " + strconv.Itoa(int(buf[0])))
99 | }
100 | if buf[1] == 0xff {
101 | return errors.New("proxy: SOCKS5 proxy at " + s.addr + " requires authentication")
102 | }
103 |
104 | if buf[1] == socks5AuthPassword {
105 | buf = buf[:0]
106 | buf = append(buf, 1 /* password protocol version */)
107 | buf = append(buf, uint8(len(s.user)))
108 | buf = append(buf, s.user...)
109 | buf = append(buf, uint8(len(s.password)))
110 | buf = append(buf, s.password...)
111 |
112 | if _, err := conn.Write(buf); err != nil {
113 | return errors.New("proxy: failed to write authentication request to SOCKS5 proxy at " + s.addr + ": " + err.Error())
114 | }
115 |
116 | if _, err := io.ReadFull(conn, buf[:2]); err != nil {
117 | return errors.New("proxy: failed to read authentication reply from SOCKS5 proxy at " + s.addr + ": " + err.Error())
118 | }
119 |
120 | if buf[1] != 0 {
121 | return errors.New("proxy: SOCKS5 proxy at " + s.addr + " rejected username/password")
122 | }
123 | }
124 |
125 | buf = buf[:0]
126 | buf = append(buf, socks5Version, socks5Connect, 0 /* reserved */)
127 |
128 | if ip := net.ParseIP(host); ip != nil {
129 | if ip4 := ip.To4(); ip4 != nil {
130 | buf = append(buf, socks5IP4)
131 | ip = ip4
132 | } else {
133 | buf = append(buf, socks5IP6)
134 | }
135 | buf = append(buf, ip...)
136 | } else {
137 | if len(host) > 255 {
138 | return errors.New("proxy: destination hostname too long: " + host)
139 | }
140 | buf = append(buf, socks5Domain)
141 | buf = append(buf, byte(len(host)))
142 | buf = append(buf, host...)
143 | }
144 | buf = append(buf, byte(port>>8), byte(port))
145 |
146 | if _, err := conn.Write(buf); err != nil {
147 | return errors.New("proxy: failed to write connect request to SOCKS5 proxy at " + s.addr + ": " + err.Error())
148 | }
149 |
150 | if _, err := io.ReadFull(conn, buf[:4]); err != nil {
151 | return errors.New("proxy: failed to read connect reply from SOCKS5 proxy at " + s.addr + ": " + err.Error())
152 | }
153 |
154 | failure := "unknown error"
155 | if int(buf[1]) < len(socks5Errors) {
156 | failure = socks5Errors[buf[1]]
157 | }
158 |
159 | if len(failure) > 0 {
160 | return errors.New("proxy: SOCKS5 proxy at " + s.addr + " failed to connect: " + failure)
161 | }
162 |
163 | bytesToDiscard := 0
164 | switch buf[3] {
165 | case socks5IP4:
166 | bytesToDiscard = net.IPv4len
167 | case socks5IP6:
168 | bytesToDiscard = net.IPv6len
169 | case socks5Domain:
170 | _, err := io.ReadFull(conn, buf[:1])
171 | if err != nil {
172 | return errors.New("proxy: failed to read domain length from SOCKS5 proxy at " + s.addr + ": " + err.Error())
173 | }
174 | bytesToDiscard = int(buf[0])
175 | default:
176 | return errors.New("proxy: got unknown address type " + strconv.Itoa(int(buf[3])) + " from SOCKS5 proxy at " + s.addr)
177 | }
178 |
179 | if cap(buf) < bytesToDiscard {
180 | buf = make([]byte, bytesToDiscard)
181 | } else {
182 | buf = buf[:bytesToDiscard]
183 | }
184 | if _, err := io.ReadFull(conn, buf); err != nil {
185 | return errors.New("proxy: failed to read address from SOCKS5 proxy at " + s.addr + ": " + err.Error())
186 | }
187 |
188 | // Also need to discard the port number
189 | if _, err := io.ReadFull(conn, buf[:2]); err != nil {
190 | return errors.New("proxy: failed to read port from SOCKS5 proxy at " + s.addr + ": " + err.Error())
191 | }
192 |
193 | return nil
194 | }
195 |
196 | func init() {
197 | registerDialerType("socks5", func(url *url.URL, forward Dialer) (Dialer, error) {
198 | s := &socks5{
199 | network: "tcp",
200 | addr: url.Host,
201 | forward: forward,
202 | }
203 |
204 | if url.User != nil {
205 | s.user = url.User.Username()
206 | if p, ok := url.User.Password(); ok {
207 | s.password = p
208 | }
209 | }
210 | return s, nil
211 | })
212 | }
213 |
--------------------------------------------------------------------------------
/rule.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | type Rule struct {
9 | directDomains map[string]bool // always direct connect for proxy domain
10 | patterns []Pattern
11 | }
12 |
13 | func (rule *Rule) DirectDomain(domain string) {
14 | logger.Debugf("[rule] add direct domain: %s", domain)
15 | rule.directDomains[domain] = true
16 | }
17 |
18 | // match a proxy for target `val`
19 | func (rule *Rule) Proxy(val interface{}) string {
20 | if domain, ok := val.(string); ok {
21 | if rule.directDomains[domain] {
22 | logger.Debugf("[rule match] %v, proxy %q", val, "DIRECT")
23 | return "DIRECT" // direct
24 | }
25 | }
26 |
27 | for _, pattern := range rule.patterns {
28 | if pattern.Match(val) {
29 | proxy := pattern.Proxy()
30 | logger.Debugf("[rule match] %v, proxy %s", val, proxy)
31 | return proxy
32 | }
33 | }
34 | logger.Debugf("[rule final] %v, proxy %q", val, "")
35 | return "DIRECT" // direct connect
36 | }
37 |
38 | func NewRule(rcs []RuleConfig) *Rule {
39 | rule := &Rule{
40 | directDomains: map[string]bool{},
41 | }
42 |
43 | for _, rc := range rcs {
44 | if pattern := CreatePattern(rc); pattern != nil {
45 | rule.patterns = append(rule.patterns, pattern)
46 | }
47 | }
48 | return rule
49 | }
50 |
--------------------------------------------------------------------------------
/syscalls_darwin.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2017-07-14
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "fmt"
10 | "net"
11 | "os/exec"
12 | "strings"
13 |
14 | "github.com/songgao/water"
15 | )
16 |
17 | func execCommand(name, sargs string) error {
18 | args := strings.Split(sargs, " ")
19 | cmd := exec.Command(name, args...)
20 | logger.Infof("exec command: %s %s", name, sargs)
21 | return cmd.Run()
22 | }
23 |
24 | func initTun(tun string, ipNet *net.IPNet, mtu int) error {
25 | ip := ipNet.IP
26 | maskIP := net.IP(ipNet.Mask)
27 | sargs := fmt.Sprintf("%s %s %s mtu %d netmask %s up", tun, ip.String(), ip.String(), mtu, maskIP.String())
28 | if err := execCommand("ifconfig", sargs); err != nil {
29 | return err
30 | }
31 | return addRoute(tun, ipNet)
32 | }
33 |
34 | func addRoute(tun string, subnet *net.IPNet) error {
35 | ip := subnet.IP
36 | maskIP := net.IP(subnet.Mask)
37 | sargs := fmt.Sprintf("-n add -net %s -netmask %s -interface %s", ip.String(), maskIP.String(), tun)
38 | return execCommand("route", sargs)
39 | }
40 |
41 | func createTun(ip net.IP, mask net.IPMask) (*water.Interface, error) {
42 | ifce, err := water.New(water.Config{
43 | DeviceType: water.TUN,
44 | })
45 |
46 | if err != nil {
47 | return nil, err
48 | }
49 |
50 | logger.Infof("create %s", ifce.Name())
51 |
52 | ipNet := &net.IPNet{
53 | IP: ip,
54 | Mask: mask,
55 | }
56 |
57 | if err := initTun(ifce.Name(), ipNet, MTU); err != nil {
58 | return nil, err
59 | }
60 | return ifce, nil
61 | }
62 |
63 | // can't listen on tun's ip in macosx
64 | func fixTunIP(ip net.IP) net.IP {
65 | return net.IPv4zero
66 | }
67 |
--------------------------------------------------------------------------------
/syscalls_linux.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2017-07-14
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "fmt"
10 | "net"
11 | "os/exec"
12 | "strings"
13 |
14 | "github.com/songgao/water"
15 | )
16 |
17 | func execCommand(name, sargs string) error {
18 | args := strings.Split(sargs, " ")
19 | cmd := exec.Command(name, args...)
20 | logger.Infof("exec command: %s %s", name, sargs)
21 | return cmd.Run()
22 | }
23 |
24 | func initTun(tun string, ipNet *net.IPNet, mtu int) error {
25 | sargs := fmt.Sprintf("addr add %s dev %s", ipNet, tun)
26 | if err := execCommand("ip", sargs); err != nil {
27 | return err
28 | }
29 |
30 | // brings the link up
31 | sargs = fmt.Sprintf("link set dev %s up mtu %d qlen 1000", tun, mtu)
32 | return execCommand("ip", sargs)
33 | }
34 |
35 | func addRoute(tun string, subnet *net.IPNet) error {
36 | sargs := fmt.Sprintf("route add %s dev %s", subnet, tun)
37 | return execCommand("ip", sargs)
38 | }
39 |
40 | func createTun(ip net.IP, mask net.IPMask) (*water.Interface, error) {
41 | ifce, err := water.New(water.Config{
42 | DeviceType: water.TUN,
43 | })
44 |
45 | if err != nil {
46 | return nil, err
47 | }
48 |
49 | logger.Infof("create %s", ifce.Name())
50 |
51 | ipNet := &net.IPNet{
52 | IP: ip,
53 | Mask: mask,
54 | }
55 |
56 | if err := initTun(ifce.Name(), ipNet, MTU); err != nil {
57 | return nil, err
58 | }
59 | return ifce, nil
60 | }
61 |
62 | func fixTunIP(ip net.IP) net.IP {
63 | return ip
64 | }
65 |
--------------------------------------------------------------------------------
/syscalls_other.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2017-07-14
3 | // author: xjdrew
4 | //
5 |
6 | //go:build !linux && !darwin && !windows
7 | // +build !linux,!darwin,!windows
8 |
9 | package kone
10 |
11 | import (
12 | "errors"
13 | "net"
14 | )
15 |
16 | var errOS = errors.New("unsupported os")
17 |
18 | func initTun(tun string, ipNet *net.IPNet, mtu int) error {
19 | return errOS
20 | }
21 |
22 | func addRoute(tun string, subnet *net.IPNet) error {
23 | return errOS
24 | }
25 |
26 | func fixTunIP(ip net.IP) net.IP {
27 | return ip
28 | }
29 |
--------------------------------------------------------------------------------
/syscalls_windows.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2019-08-29
3 | // author: SUCHMOKUO
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "context"
10 | "fmt"
11 | "net"
12 | "os"
13 | "os/exec"
14 | "strconv"
15 | "strings"
16 |
17 | "github.com/songgao/water"
18 | "github.com/thecodeteam/goodbye"
19 | )
20 |
21 | var tunNet string
22 |
23 | func powershell(args ...string) error {
24 | cmd := exec.Command("powershell", args...)
25 | return cmd.Run()
26 | }
27 |
28 | func clearRoute(tun string) {
29 | powershell(
30 | "Remove-NetRoute",
31 | "-InterfaceAlias", tun,
32 | "-Confirm:$false")
33 | }
34 |
35 | func addRoute(tun string, subnet *net.IPNet) error {
36 | tun = fmt.Sprintf(`"%s"`, tun)
37 | subnetArg := fmt.Sprintf(`"%s"`, subnet.String())
38 | return powershell(
39 | "New-NetRoute",
40 | "-DestinationPrefix", subnetArg,
41 | "-InterfaceAlias", tun,
42 | "-PolicyStore", "ActiveStore",
43 | "-AddressFamily", "IPv4",
44 | "-NextHop", tunNet)
45 | }
46 |
47 | func createTun(ip net.IP, mask net.IPMask) (*water.Interface, error) {
48 | ipNet := &net.IPNet{
49 | IP: ip,
50 | Mask: mask,
51 | }
52 |
53 | s := make([]byte, 4)
54 | ip4 := ip.To4()
55 | for i := range s {
56 | s[i] = ip4[i] & mask[i]
57 | }
58 | tunNet = net.IPv4(s[0], s[1], s[2], s[3]).String()
59 |
60 | ifce, err := water.New(water.Config{
61 | DeviceType: water.TUN,
62 | PlatformSpecificParams: water.PlatformSpecificParams{
63 | ComponentID: "tap0901",
64 | Network: ipNet.String(),
65 | },
66 | })
67 |
68 | if err != nil {
69 | return nil, err
70 | }
71 |
72 | logger.Infof("initializing %s, please wait...", ifce.Name())
73 |
74 | err = initTun(ifce.Name(), ipNet, MTU)
75 | if err != nil {
76 | return nil, err
77 | }
78 |
79 | logger.Infof("created %s", ifce.Name())
80 | return ifce, nil
81 | }
82 |
83 | func initTun(tun string, ipNet *net.IPNet, mtu int) (err error) {
84 | tun = fmt.Sprintf(`"%s"`, tun)
85 | ip := fmt.Sprintf(`"%s"`, ipNet.IP)
86 | prefix := strings.Split(ipNet.String(), "/")[1]
87 |
88 | // clear previous route.
89 | clearRoute(tun)
90 |
91 | // clear route on quit.
92 | goodbye.Notify(context.Background())
93 | goodbye.Register(func(ctx context.Context, s os.Signal) {
94 | logger.Infof("clearing route of %s, please wait...", tun)
95 | clearRoute(tun)
96 | })
97 |
98 | // set interface mtu and metric.
99 | err = powershell(
100 | "Set-NetIPInterface",
101 | "-InterfaceAlias", tun,
102 | "-NlMtuBytes", strconv.Itoa(mtu),
103 | "-InterfaceMetric", "1")
104 |
105 | if err != nil {
106 | return err
107 | }
108 |
109 | // remove all previous ips of tun.
110 | err = powershell(
111 | "Remove-NetIPAddress",
112 | "-InterfaceAlias", tun,
113 | "-AddressFamily", "IPv4",
114 | "-Confirm:$false")
115 |
116 | if err != nil {
117 | return err
118 | }
119 |
120 | // add dns for tun.
121 | err = powershell(
122 | "Set-DnsClientServerAddress",
123 | "-InterfaceAlias", tun,
124 | "-ServerAddresses", ip)
125 |
126 | if err != nil {
127 | return err
128 | }
129 |
130 | // add ip for tun.
131 | return powershell(
132 | "New-NetIPAddress",
133 | "-InterfaceAlias", tun,
134 | "-IPAddress", ip,
135 | "-PrefixLength", prefix,
136 | "-PolicyStore", "ActiveStore",
137 | "-AddressFamily", "IPv4")
138 | }
139 |
140 | func fixTunIP(ip net.IP) net.IP {
141 | return ip
142 | }
143 |
--------------------------------------------------------------------------------
/tcp_relay.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "fmt"
10 | "io"
11 | "net"
12 | "time"
13 |
14 | "github.com/xjdrew/kone/tcpip"
15 | )
16 |
17 | type TCPRelay struct {
18 | one *One
19 | nat *Nat
20 | relayIP net.IP
21 | relayPort uint16
22 | }
23 |
24 | func copy(src net.Conn, dst net.Conn, ch chan<- int64) {
25 | defer dst.Close()
26 |
27 | written, _ := io.Copy(dst, src)
28 | ch <- written
29 | }
30 |
31 | func (r *TCPRelay) realRemoteHost(conn net.Conn, connData *ConnData) (addr string, proxy string) {
32 | remoteAddr := conn.RemoteAddr().(*net.TCPAddr)
33 | remotePort := uint16(remoteAddr.Port)
34 |
35 | session := r.nat.getSession(remotePort)
36 | if session == nil {
37 | logger.Errorf("[tcp relay] %s > %s no session", conn.LocalAddr(), remoteAddr)
38 | return
39 | }
40 |
41 | one := r.one
42 | dstIP := session.dstIP
43 |
44 | var host string
45 | if one.dnsTable.IsLocalIP(dstIP) { // for dns hijacked traffic
46 | record := one.dnsTable.GetByIP(dstIP)
47 | if record == nil {
48 | logger.Debugf("[tcp relay] %s:%d > %s:%d dns expired", session.srcIP, session.srcPort, dstIP, session.dstPort)
49 | return
50 | }
51 |
52 | host = record.Hostname
53 | proxy = record.Proxy
54 | } else { // for IP-CIDR rule traffic
55 | host = dstIP.String()
56 | proxy = one.rule.Proxy(dstIP)
57 | }
58 |
59 | connData.Src = session.srcIP.String()
60 | connData.Dst = host
61 | connData.Proxy = proxy
62 |
63 | addr = fmt.Sprintf("%s:%d", host, session.dstPort)
64 | logger.Debugf("[tcp relay] tunnel %s:%d > %s proxy %q", session.srcIP, session.srcPort, addr, proxy)
65 | return
66 | }
67 |
68 | func (r *TCPRelay) handleConn(conn net.Conn) {
69 | var connData ConnData
70 | remoteAddr, proxy := r.realRemoteHost(conn, &connData)
71 | if remoteAddr == "" {
72 | conn.Close()
73 | return
74 | }
75 |
76 | if proxy == "DIRECT" { // impossible
77 | conn.Close()
78 | logger.Errorf("[tcp relay] %s > %s traffic dead loop", conn.LocalAddr(), remoteAddr)
79 | return
80 | }
81 |
82 | proxies := r.one.proxies
83 | tunnel, err := proxies.Dial(proxy, remoteAddr)
84 | if err != nil {
85 | conn.Close()
86 | logger.Errorf("[tcp relay] dial %s by proxy %q failed: %s", remoteAddr, proxy, err)
87 | return
88 | }
89 |
90 | logger.Debugf("[tcp relay] new tunnel, to %s through %s", remoteAddr, proxy)
91 |
92 | uploadChan := make(chan int64)
93 | downloadChan := make(chan int64)
94 |
95 | go copy(conn, tunnel, uploadChan)
96 | go copy(tunnel, conn, downloadChan)
97 |
98 | connData.Upload = <-uploadChan
99 | connData.Download = <-downloadChan
100 |
101 | logger.Debugf("[tcp relay] domain %s, upload %v bytes, download %v bytes", remoteAddr, connData.Upload, connData.Download)
102 | if r.one.manager != nil {
103 | r.one.manager.dataCh <- connData
104 | }
105 | }
106 |
107 | func (r *TCPRelay) Serve() error {
108 | addr := &net.TCPAddr{IP: r.relayIP, Port: int(r.relayPort)}
109 | ln, err := net.ListenTCP("tcp", addr)
110 | if err != nil {
111 | logger.Errorf("[tcp relay] listen failed: %v", err)
112 | return err
113 | }
114 |
115 | logger.Infof("[tcp relay] listen on %v", addr)
116 |
117 | for {
118 | conn, err := ln.AcceptTCP()
119 | if err != nil {
120 | logger.Errorf("[tcp relay] acceept failed temporary: %v", err)
121 | time.Sleep(time.Second) //prevent log storms
122 | continue
123 | }
124 | logger.Debugf("[tcp relay] new connection [%s > %s]", conn.RemoteAddr(), conn.LocalAddr())
125 | go r.handleConn(conn)
126 | }
127 | }
128 |
129 | // redirect tcp packet to relay
130 | func (r *TCPRelay) Filter(wr io.Writer, ipPacket tcpip.IPv4Packet) {
131 | tcpPacket := tcpip.TCPPacket(ipPacket.Payload())
132 |
133 | srcIP := ipPacket.SourceIP()
134 | dstIP := ipPacket.DestinationIP()
135 | srcPort := tcpPacket.SourcePort()
136 | dstPort := tcpPacket.DestinationPort()
137 |
138 | if r.relayIP.Equal(srcIP) && srcPort == r.relayPort {
139 | // from relay
140 | session := r.nat.getSession(dstPort)
141 | if session == nil {
142 | logger.Debugf("[tcp filter] %s:%d > %s:%d: no session", srcIP, srcPort, dstIP, dstPort)
143 | return
144 | }
145 |
146 | ipPacket.SetSourceIP(session.dstIP)
147 | ipPacket.SetDestinationIP(session.srcIP)
148 | tcpPacket.SetSourcePort(session.dstPort)
149 | tcpPacket.SetDestinationPort(session.srcPort)
150 | } else {
151 | // redirect to relay
152 | isNew, port := r.nat.allocSession(srcIP, dstIP, srcPort, dstPort)
153 |
154 | ipPacket.SetSourceIP(dstIP)
155 | tcpPacket.SetSourcePort(port)
156 | ipPacket.SetDestinationIP(r.relayIP)
157 | tcpPacket.SetDestinationPort(r.relayPort)
158 |
159 | if isNew {
160 | logger.Debugf("[tcp filter] reshape connection from [%s:%d > %s:%d] to [%s:%d > %s:%d]",
161 | srcIP, srcPort, dstIP, dstPort, dstIP, port, r.relayIP, r.relayPort)
162 | }
163 | }
164 |
165 | // write back packet
166 | tcpPacket.ResetChecksum(ipPacket.PseudoSum())
167 | ipPacket.ResetChecksum()
168 | wr.Write(ipPacket)
169 | }
170 |
171 | func NewTCPRelay(one *One, cfg CoreConfig) *TCPRelay {
172 | relay := new(TCPRelay)
173 | relay.one = one
174 | relay.nat = NewNat(cfg.TcpNatPortStart, cfg.TcpNatPortEnd)
175 | relay.relayIP = one.ip
176 | relay.relayPort = cfg.TcpListenPort
177 | return relay
178 | }
179 |
--------------------------------------------------------------------------------
/tcpip/checksum.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | var (
9 | zeroChecksum = [2]byte{0x00, 0x00}
10 | )
11 |
12 | func Sum(b []byte) uint32 {
13 | var sum uint32
14 |
15 | n := len(b)
16 | for i := 0; i < n; i = i + 2 {
17 | sum += (uint32(b[i]) << 8)
18 | if i+1 < n {
19 | sum += uint32(b[i+1])
20 | }
21 | }
22 | return sum
23 | }
24 |
25 | // checksum for Internet Protocol family headers
26 | func Checksum(sum uint32, b []byte) (answer [2]byte) {
27 | sum += Sum(b)
28 | sum = (sum >> 16) + (sum & 0xffff)
29 | sum += (sum >> 16)
30 | sum = ^sum
31 | answer[0] = byte(sum >> 8)
32 | answer[1] = byte(sum)
33 | return
34 | }
35 |
--------------------------------------------------------------------------------
/tcpip/checksum_test.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | import (
9 | "testing"
10 |
11 | "github.com/stretchr/testify/assert"
12 | )
13 |
14 | func TestChecksum(t *testing.T) {
15 | b := []byte{
16 | 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
17 | 0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7,
18 | }
19 |
20 | expected := [2]byte{0x00, 0x00}
21 | v := Checksum(0, b)
22 | assert.Equal(t, v, expected)
23 | }
24 |
--------------------------------------------------------------------------------
/tcpip/common.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | import (
9 | "net"
10 | )
11 |
12 | func IsIPv4(packet []byte) bool {
13 | return (packet[0] >> 4) == 4
14 | }
15 |
16 | func IsIPv6(packet []byte) bool {
17 | return (packet[0] >> 4) == 6
18 | }
19 |
20 | func ConvertIPv4ToUint32(ip net.IP) uint32 {
21 | ip = ip.To4()
22 | if ip == nil {
23 | return 0
24 | }
25 |
26 | v := uint32(ip[0]) << 24
27 | v += uint32(ip[1]) << 16
28 | v += uint32(ip[2]) << 8
29 | v += uint32(ip[3])
30 | return v
31 | }
32 |
33 | func ConvertUint32ToIPv4(v uint32) net.IP {
34 | return net.IPv4(byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
35 | }
36 |
--------------------------------------------------------------------------------
/tcpip/icmp.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | import (
9 | "encoding/binary"
10 | )
11 |
12 | type ICMPType byte
13 |
14 | const (
15 | ICMPEcho ICMPType = 0x0
16 | ICMPRequest ICMPType = 0x8
17 | )
18 |
19 | type ICMPPacket []byte
20 |
21 | func (p ICMPPacket) Type() ICMPType {
22 | return ICMPType(p[0])
23 | }
24 |
25 | func (p ICMPPacket) SetType(v ICMPType) {
26 | p[0] = byte(v)
27 | }
28 |
29 | func (p ICMPPacket) Code() byte {
30 | return p[1]
31 | }
32 |
33 | func (p ICMPPacket) Checksum() uint16 {
34 | return binary.BigEndian.Uint16(p[2:])
35 | }
36 |
37 | func (p ICMPPacket) SetChecksum(sum [2]byte) {
38 | p[2] = sum[0]
39 | p[3] = sum[1]
40 | }
41 |
42 | func (p ICMPPacket) ResetChecksum() {
43 | p.SetChecksum(zeroChecksum)
44 | p.SetChecksum(Checksum(0, p))
45 | }
46 |
--------------------------------------------------------------------------------
/tcpip/ipv4.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | import (
9 | "encoding/binary"
10 | "net"
11 | )
12 |
13 | type IPProtocol byte
14 |
15 | const (
16 | ICMP IPProtocol = 0x01
17 | TCP IPProtocol = 0x06
18 | UDP IPProtocol = 0x11
19 | )
20 |
21 | type IPv4Packet []byte
22 |
23 | func (p IPv4Packet) TotalLen() uint16 {
24 | return binary.BigEndian.Uint16(p[2:])
25 | }
26 |
27 | func (p IPv4Packet) HeaderLen() uint16 {
28 | return uint16(p[0]&0xf) * 4
29 | }
30 |
31 | func (p IPv4Packet) DataLen() uint16 {
32 | return p.TotalLen() - p.HeaderLen()
33 | }
34 |
35 | func (p IPv4Packet) Payload() []byte {
36 | return p[p.HeaderLen():p.TotalLen()]
37 | }
38 |
39 | func (p IPv4Packet) Protocol() IPProtocol {
40 | return IPProtocol(p[9])
41 | }
42 |
43 | func (p IPv4Packet) SourceIP() net.IP {
44 | var ip = [4]byte{p[12], p[13], p[14], p[15]}
45 | return net.IP(ip[:])
46 | }
47 |
48 | func (p IPv4Packet) SetSourceIP(ip net.IP) {
49 | ip = ip.To4()
50 | if ip != nil {
51 | copy(p[12:16], ip)
52 | }
53 | }
54 |
55 | func (p IPv4Packet) DestinationIP() net.IP {
56 | var ip = [4]byte{p[16], p[17], p[18], p[19]}
57 | return net.IP(ip[:])
58 | }
59 |
60 | func (p IPv4Packet) SetDestinationIP(ip net.IP) {
61 | ip = ip.To4()
62 | if ip != nil {
63 | copy(p[16:20], ip)
64 | }
65 | }
66 |
67 | func (p IPv4Packet) Checksum() uint16 {
68 | return binary.BigEndian.Uint16(p[10:])
69 | }
70 |
71 | func (p IPv4Packet) SetChecksum(sum [2]byte) {
72 | p[10] = sum[0]
73 | p[11] = sum[1]
74 | }
75 |
76 | func (p IPv4Packet) ResetChecksum() {
77 | p.SetChecksum(zeroChecksum)
78 | p.SetChecksum(Checksum(0, p[:p.HeaderLen()]))
79 | }
80 |
81 | // for tcp checksum
82 | func (p IPv4Packet) PseudoSum() uint32 {
83 | sum := Sum(p[12:20])
84 | sum += uint32(p.Protocol())
85 | sum += uint32(p.DataLen())
86 | return sum
87 | }
88 |
--------------------------------------------------------------------------------
/tcpip/tcp.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | import (
9 | "encoding/binary"
10 | )
11 |
12 | type TCPPacket []byte
13 |
14 | func (p TCPPacket) SourcePort() uint16 {
15 | return binary.BigEndian.Uint16(p)
16 | }
17 |
18 | func (p TCPPacket) SetSourcePort(port uint16) {
19 | binary.BigEndian.PutUint16(p, port)
20 | }
21 |
22 | func (p TCPPacket) DestinationPort() uint16 {
23 | return binary.BigEndian.Uint16(p[2:])
24 | }
25 |
26 | func (p TCPPacket) SetDestinationPort(port uint16) {
27 | binary.BigEndian.PutUint16(p[2:], port)
28 | }
29 |
30 | func (p TCPPacket) SetChecksum(sum [2]byte) {
31 | p[16] = sum[0]
32 | p[17] = sum[1]
33 | }
34 |
35 | func (p TCPPacket) Checksum() uint16 {
36 | return binary.BigEndian.Uint16(p[16:])
37 | }
38 |
39 | func (p TCPPacket) ResetChecksum(psum uint32) {
40 | p.SetChecksum(zeroChecksum)
41 | p.SetChecksum(Checksum(psum, p))
42 | }
43 |
--------------------------------------------------------------------------------
/tcpip/udp.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-17
3 | // author: xjdrew
4 | //
5 |
6 | package tcpip
7 |
8 | import (
9 | "encoding/binary"
10 | )
11 |
12 | type UDPPacket []byte
13 |
14 | func (p UDPPacket) SourcePort() uint16 {
15 | return binary.BigEndian.Uint16(p)
16 | }
17 |
18 | func (p UDPPacket) SetSourcePort(port uint16) {
19 | binary.BigEndian.PutUint16(p, port)
20 | }
21 |
22 | func (p UDPPacket) DestinationPort() uint16 {
23 | return binary.BigEndian.Uint16(p[2:])
24 | }
25 |
26 | func (p UDPPacket) SetDestinationPort(port uint16) {
27 | binary.BigEndian.PutUint16(p[2:], port)
28 | }
29 |
30 | func (p UDPPacket) SetChecksum(sum [2]byte) {
31 | p[6] = sum[0]
32 | p[7] = sum[1]
33 | }
34 |
35 | func (p UDPPacket) Checksum() uint16 {
36 | return binary.BigEndian.Uint16(p[6:])
37 | }
38 |
39 | func (p UDPPacket) ResetChecksum(psum uint32) {
40 | p.SetChecksum(zeroChecksum)
41 | p.SetChecksum(Checksum(psum, p))
42 | }
43 |
--------------------------------------------------------------------------------
/tun.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-13
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "net"
10 |
11 | "github.com/songgao/water"
12 |
13 | "github.com/xjdrew/kone/tcpip"
14 | )
15 |
16 | var MTU = 1500
17 |
18 | type TunDriver struct {
19 | ifce *water.Interface
20 | filters map[tcpip.IPProtocol]PacketFilter
21 | }
22 |
23 | func (tun *TunDriver) Serve() error {
24 | ifce := tun.ifce
25 | filters := tun.filters
26 |
27 | buffer := make([]byte, MTU)
28 | for {
29 | n, err := ifce.Read(buffer)
30 | if err != nil {
31 | logger.Errorf("[tun] read failed: %v", err)
32 | return err
33 | }
34 |
35 | packet := buffer[:n]
36 | if tcpip.IsIPv4(packet) {
37 | ipPacket := tcpip.IPv4Packet(packet)
38 | protocol := ipPacket.Protocol()
39 | filter := filters[protocol]
40 | if filter == nil {
41 | logger.Noticef("%v > %v protocol %d unsupport", ipPacket.SourceIP(), ipPacket.DestinationIP(), protocol)
42 | continue
43 | }
44 |
45 | filter.Filter(ifce, ipPacket)
46 | }
47 | }
48 | }
49 |
50 | func (tun *TunDriver) AddRoute(ipNet *net.IPNet) bool {
51 | addRoute(tun.ifce.Name(), ipNet)
52 | logger.Infof("add route %s by %s", ipNet.String(), tun.ifce.Name())
53 | return true
54 | }
55 |
56 | func (tun *TunDriver) AddRouteString(val string) bool {
57 | _, subnet, err := net.ParseCIDR(val)
58 | if err != nil {
59 | return false
60 | }
61 | return tun.AddRoute(subnet)
62 | }
63 |
64 | func NewTunDriver(ip net.IP, subnet *net.IPNet, filters map[tcpip.IPProtocol]PacketFilter) (*TunDriver, error) {
65 | ifce, err := createTun(ip, subnet.Mask)
66 | if err != nil {
67 | return nil, err
68 | }
69 | return &TunDriver{ifce: ifce, filters: filters}, nil
70 | }
71 |
--------------------------------------------------------------------------------
/udp_relay.go:
--------------------------------------------------------------------------------
1 | //
2 | // date : 2016-05-16
3 | // author: xjdrew
4 | //
5 |
6 | package kone
7 |
8 | import (
9 | "io"
10 | "net"
11 | "sync"
12 | "time"
13 |
14 | "github.com/xjdrew/kone/tcpip"
15 | )
16 |
17 | type UDPTunnel struct {
18 | session *NatSession
19 | record *DomainRecord
20 |
21 | cliaddr *net.UDPAddr
22 |
23 | localConn *net.UDPConn
24 | remoteConn *net.UDPConn
25 | }
26 |
27 | func (tunnel *UDPTunnel) SetDeadline(duration time.Duration) error {
28 | return tunnel.remoteConn.SetDeadline(time.Now().Add(duration))
29 | }
30 |
31 | func (tunnel *UDPTunnel) Pump() error {
32 | b := make([]byte, MTU)
33 | for {
34 | n, err := tunnel.remoteConn.Read(b)
35 | if err != nil {
36 | if opErr, ok := err.(*net.OpError); ok && opErr.Timeout() {
37 | return nil
38 | }
39 | return err
40 | }
41 | _, err = tunnel.localConn.WriteToUDP(b[:n], tunnel.cliaddr)
42 | if err != nil {
43 | return err
44 | }
45 | }
46 | }
47 |
48 | func (tunnel *UDPTunnel) Write(b []byte) (int, error) {
49 | return tunnel.remoteConn.Write(b)
50 | }
51 |
52 | type UDPRelay struct {
53 | one *One
54 | nat *Nat
55 | relayIP net.IP
56 | relayPort uint16
57 |
58 | lock sync.Mutex
59 | tunnels map[string]*UDPTunnel
60 | }
61 |
62 | // bypass udp packet
63 | func (r *UDPRelay) grabTunnel(localConn *net.UDPConn, cliaddr *net.UDPAddr) *UDPTunnel {
64 | r.lock.Lock()
65 | defer r.lock.Unlock()
66 | addr := cliaddr.String()
67 | tunnel := r.tunnels[addr]
68 | if tunnel == nil {
69 | port := uint16(cliaddr.Port)
70 | session := r.nat.getSession(port)
71 | if session == nil {
72 | return nil
73 | }
74 | record := r.one.dnsTable.GetByIP(session.dstIP)
75 | if record == nil { // by IP-CIDR rule
76 | return nil
77 | }
78 |
79 | if record.RealIP == nil {
80 | // try resolve real ip
81 | msg, err := r.one.dns.Resolve(record.Hostname)
82 | if err == nil {
83 | record.SetRealIP(msg)
84 | }
85 |
86 | if record.RealIP == nil {
87 | // resolve real ip failed
88 | return nil
89 | }
90 | }
91 |
92 | srvaddr := &net.UDPAddr{IP: record.RealIP, Port: int(session.dstPort)}
93 | remoteConn, err := net.DialUDP("udp", nil, srvaddr)
94 | if err != nil {
95 | logger.Errorf("[udp relay] connect to %s failed: %v", srvaddr, err)
96 | return nil
97 | }
98 | tunnel = &UDPTunnel{
99 | session: session,
100 | record: record,
101 | cliaddr: cliaddr,
102 | localConn: localConn,
103 | remoteConn: remoteConn,
104 | }
105 |
106 | logger.Debugf("[udp relay] %s:%d > %v: new tunnel", session.srcIP, session.srcPort, srvaddr)
107 |
108 | r.tunnels[addr] = tunnel
109 | go func() {
110 | err := tunnel.Pump()
111 | if err != nil {
112 | logger.Debugf("[udp relay] pump to %v failed: %v", tunnel.remoteConn.RemoteAddr(), err)
113 | }
114 | tunnel.remoteConn.Close()
115 | logger.Debugf("[udp relay] %s:%d > %v: destroy tunnel", tunnel.session.srcIP, tunnel.session.srcPort, srvaddr)
116 |
117 | r.lock.Lock()
118 | delete(r.tunnels, addr)
119 | r.lock.Unlock()
120 | }()
121 | }
122 | tunnel.SetDeadline(NatSessionLifeSeconds * time.Second)
123 | return tunnel
124 | }
125 |
126 | func (r *UDPRelay) handlePacket(localConn *net.UDPConn, cliaddr *net.UDPAddr, packet []byte) {
127 | tunnel := r.grabTunnel(localConn, cliaddr)
128 | if tunnel == nil {
129 | logger.Errorf("[udp relay %v > %v: grap tunnel failed", cliaddr, localConn.LocalAddr())
130 | return
131 | }
132 | _, err := tunnel.Write(packet)
133 | if err != nil {
134 | logger.Debugf("[udp relay] tunnel write failed: %v", err)
135 | }
136 | }
137 |
138 | func (r *UDPRelay) Serve() error {
139 | addr := &net.UDPAddr{IP: r.relayIP, Port: int(r.relayPort)}
140 | conn, err := net.ListenUDP("udp", addr)
141 | if err != nil {
142 | logger.Errorf("[udp relay] listen failed: %v", err)
143 | return err
144 | }
145 |
146 | for {
147 | b := make([]byte, MTU)
148 | n, cliaddr, err := conn.ReadFromUDP(b)
149 | if err != nil {
150 | logger.Errorf("[udp relay] acceept failed temporary: %v", err)
151 | time.Sleep(time.Second) //prevent log storms
152 | continue
153 | }
154 | go r.handlePacket(conn, cliaddr, b[:n])
155 | }
156 | }
157 |
158 | // redirect udp packet to relay
159 | func (r *UDPRelay) Filter(wr io.Writer, ipPacket tcpip.IPv4Packet) {
160 | udpPacket := tcpip.UDPPacket(ipPacket.Payload())
161 |
162 | srcIP := ipPacket.SourceIP()
163 | dstIP := ipPacket.DestinationIP()
164 | srcPort := udpPacket.SourcePort()
165 | dstPort := udpPacket.DestinationPort()
166 |
167 | one := r.one
168 |
169 | if net.IP.Equal(srcIP, r.relayIP) && srcPort == r.relayPort {
170 | // from remote
171 | session := r.nat.getSession(dstPort)
172 | if session == nil {
173 | logger.Debugf("[udp filter] %s:%d > %s:%d: no session", srcIP, srcPort, dstIP, dstPort)
174 | return
175 | }
176 | ipPacket.SetSourceIP(session.dstIP)
177 | ipPacket.SetDestinationIP(session.srcIP)
178 | udpPacket.SetSourcePort(session.dstPort)
179 | udpPacket.SetDestinationPort(session.srcPort)
180 | } else if one.dnsTable.Contains(dstIP) {
181 | // redirect to relay
182 | isNew, port := r.nat.allocSession(srcIP, dstIP, srcPort, dstPort)
183 |
184 | ipPacket.SetSourceIP(dstIP)
185 | udpPacket.SetSourcePort(port)
186 | ipPacket.SetDestinationIP(r.relayIP)
187 | udpPacket.SetDestinationPort(r.relayPort)
188 |
189 | if isNew {
190 | logger.Debugf("[udp filter] reshape packet from [%s:%d > %s:%d] to [%s:%d > %s:%d]",
191 | srcIP, srcPort, dstIP, dstPort, dstIP, port, r.relayIP, r.relayPort)
192 | }
193 | } else {
194 | logger.Errorf("[udp filter] %s:%d > %s:%d: invalid packet", srcIP, srcPort, dstIP, dstPort)
195 | return
196 | }
197 |
198 | // write back packet
199 | udpPacket.ResetChecksum(ipPacket.PseudoSum())
200 | ipPacket.ResetChecksum()
201 | wr.Write(ipPacket)
202 | }
203 |
204 | func NewUDPRelay(one *One, cfg CoreConfig) *UDPRelay {
205 | r := new(UDPRelay)
206 | r.one = one
207 | r.nat = NewNat(cfg.UdpNatPortStart, cfg.UdpNatPortEnd)
208 | r.relayIP = one.ip
209 | r.relayPort = cfg.UdpListenPort
210 | r.tunnels = make(map[string]*UDPTunnel)
211 | return r
212 | }
213 |
--------------------------------------------------------------------------------