Add new feature support #1186

Closed

wants to merge 2 commits into from

Conversation

S-Mocking
Contributor

1. For macOS, add a pf inbound that receives the connections the macOS pf firewall forwards to it.
2. Re-enable the timeout parameter of some inbounds and outbounds (vless, vmess, socks, freedom, dokodemo, and the pf inbound added here) to control the TCP connection timeout. When it is not configured, the existing default of 300s or 600s is used (current logic is kept). The use case is a system proxy between the xray application and internal services that carries out long transactions.

A demo configuration for the added pf inbound follows:
{
  "inbounds": [
    {
      "tag": "all-in",
      "port": 1234,
      "protocol": "pf",
      "settings": {
        "network": "tcp",
        "followRedirect": true,
        "timeout": 7200,
        "userLevel": 0
      }
    }
  ],
  "log": {
    "loglevel": "debug"
  },
  "outbounds": [
    {}
  ]
}

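As an added illustration of the timeout semantics described above (example code written for this page, not code from the PR or from Xray-core), the Go program below parses the demo "settings" object, applies the stated default of 300s when "timeout" is absent, and wraps a net.Conn so that it is closed only after being idle for that long. The names (InboundSettings, NewIdleConn, Exchange) and the interpretation of the timeout as an idle timer that every successful read or write resets are assumptions of the example; the PR text only says the parameter controls the TCP connection timeout. Exchange drives the wrapper over an in-memory net.Pipe to show both outcomes: a long transaction that keeps sending survives, a silent one is cut.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// DefaultTimeout is the assumed fallback when "timeout" is absent (the PR says 300s or 600s).
const DefaultTimeout = 300 * time.Second

// InboundSettings holds the fields of the demo "settings" object that matter here.
type InboundSettings struct {
	Network string `json:"network"`
	Timeout uint32 `json:"timeout"` // seconds; 0 means "not configured"
}

// ParseSettings decodes a settings object.
func ParseSettings(raw string) (InboundSettings, error) {
	var s InboundSettings
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

// EffectiveTimeout is the idle timeout to apply: the configured value or the default.
func (s InboundSettings) EffectiveTimeout() time.Duration {
	if s.Timeout == 0 {
		return DefaultTimeout
	}
	return time.Duration(s.Timeout) * time.Second
}

// idleConn cuts a connection only after it has been silent for the idle period:
// every successful Read or Write pushes the deadline forward.
type idleConn struct {
	net.Conn
	idle time.Duration
}

func NewIdleConn(c net.Conn, idle time.Duration) net.Conn {
	ic := &idleConn{Conn: c, idle: idle}
	ic.touch()
	return ic
}

func (c *idleConn) touch() { _ = c.Conn.SetDeadline(time.Now().Add(c.idle)) }

func (c *idleConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	if err == nil {
		c.touch()
	}
	return n, err
}

func (c *idleConn) Write(p []byte) (int, error) {
	n, err := c.Conn.Write(p)
	if err == nil {
		c.touch()
	}
	return n, err
}

// IsIdleTimeout tells an expired deadline apart from a real I/O failure.
func IsIdleTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// Exchange simulates a peer that sends one byte every intervalMs, rounds times, then hangs
// up, over a connection with an idle timeout of idleMs. It returns how many bytes arrived
// and whether the read loop ended in an idle timeout (true) or the peer's EOF (false).
func Exchange(idleMs, intervalMs, rounds int) (delivered int, timedOut bool) {
	a, b := net.Pipe()
	c := NewIdleConn(a, time.Duration(idleMs)*time.Millisecond)
	defer c.Close()
	go func() {
		defer b.Close()
		for i := 0; i < rounds; i++ {
			time.Sleep(time.Duration(intervalMs) * time.Millisecond)
			if _, err := b.Write([]byte{byte(i)}); err != nil {
				return // the reader already gave up
			}
		}
	}()
	buf := make([]byte, 1)
	for {
		if _, err := c.Read(buf); err != nil {
			return delivered, IsIdleTimeout(err)
		}
		delivered++
	}
}

func main() {
	s, _ := ParseSettings(`{"network":"tcp","timeout":7200}`)
	fmt.Println(s.EffectiveTimeout(), fmt.Sprint(Exchange(200, 20, 5)), fmt.Sprint(Exchange(100, 300, 1)))
}
```

The first Exchange call runs a 100ms transaction over a 200ms idle window and delivers all five bytes because each byte resets the timer; the second gets nothing in 100ms and reports a timeout. Setting a large value such as the demo's 7200 therefore only lengthens how long a completely silent connection is kept open, which is the resource-holding trade-off a reviewer would weigh against the long-transaction use case.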
@yuhan6665
Member

Thanks for your PR! A couple of things:

  • Is pf really a protocol? How do you configure it, and why doesn't dokodemo work for you?
  • TCP timeout should be part of the "streamsettings" -> take a look at the TCP settings under Sockopt
  • Consider making a smaller pull request for each feature separately

@S-Mocking
Contributor Author

Is pf really a protocol? How do you configure it and why dokodemo doesn't work for you?
reply:
1. pf is the outbound protocol of FreeBSD port forwarding, similar to the relationship between iptables port forwarding and dokodemo.
2. Because the macOS firewall uses FreeBSD, the receiving end of this firewall needs to read the /dev/pf device to obtain the destination address and port when forwarding traffic. dokodemo does not support this part, so dokodemo cannot meet the requirements.

Tcp timeout should be part of the "streamsettings" -> take a look at tcp settings under Sockopt
reply:
Do you recommend setting the timeout parameter in "streamsettings"?

Consider making smaller pull request for one feature separately
reply:
What changes can I make to this?

@S-Mocking
Contributor Author

FreeBSD pf is configured as a transparent proxy on macOS as follows:

1. Create a new file ~/config/pf.conf with the following contents:
scrub-anchor "com.apple/*"

#Define table
table <direct_cidr> persist file "/usr/local/etc/direct_cidr.conf"
table <direct_src> persist file "/usr/local/etc/direct_src.conf"

nat-anchor "com.apple/*"

#Forward all traffic on lo0 whose destination is not in the direct address list to the Xray pf listening address 127.0.0.1:1234
rdr pass on lo0 proto tcp from any to !<direct_cidr> -> 127.0.0.1 port 1234

rdr-anchor "com.apple/*"

#Route all traffic of en0 whose destination is not in the direct address list to lo0
pass out on en0 route-to (lo0 127.0.0.1) proto tcp from !<direct_src> to !<direct_cidr> keep state queue std

dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

2. Execute the command:
sudo pfctl -e && sudo pfctl -F all && sudo pfctl -f ~/config/pf.conf

3. Xray logs:
2022/08/18 18:13:26 192.168.20.139:61649 accepted tcp:13.225.142.125:443 [pf-in >> proxy]
2022/08/18 18:13:27 192.168.20.139:61651 accepted tcp:13.225.142.125:443 [pf-in >> proxy]
2022/08/18 18:13:28 192.168.20.139:61653 accepted tcp:13.225.142.125:443 [pf-in >> proxy]
2022/08/18 18:13:29 192.168.20.139:61655 accepted tcp:13.225.142.125:443 [pf-in >> proxy]
2022/08/18 18:13:31 192.168.20.139:61657 accepted tcp:99.84.192.6:443 [pf-in >> proxy]
2022/08/18 18:13:31 192.168.20.139:61659 accepted tcp:99.84.192.6:443 [pf-in >> proxy]
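To check what a ruleset like the one above does with a given flow before loading it with pfctl, here is an added Go example (written for this page; not code from the PR, from Xray-core, or from pf) that evaluates the two rules that decide the path of a locally originated TCP connection: the route-to on en0 and the rdr on lo0, both driven by the <direct_cidr> and <direct_src> tables. The table contents are constructed, since the page does not show the real files, and the model deliberately ignores ports, state, scrub and the com.apple anchors. The practical use is confirming which flows end up at the pf inbound on 127.0.0.1:1234 and which bypass it, in particular that the proxy's own egress is not itself sent back to lo0, since every flow the route-to rule selects is handed to the inbound.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

type Decision string

const (
	Direct   Decision = "direct"   // leaves via en0 untouched
	Redirect Decision = "redirect" // route-to lo0, then rdr to 127.0.0.1:1234
)

// Table is the in-memory form of a pf "table <name> persist file ..." list.
type Table []netip.Prefix

// ParseTable reads a table file: one address or CIDR per line, '#' starts a comment.
func ParseTable(contents string) (Table, error) {
	var t Table
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		p, err := netip.ParsePrefix(line)
		if err != nil { // not CIDR: accept a bare host and give it a full-length mask
			a, aerr := netip.ParseAddr(line)
			if aerr != nil {
				return nil, fmt.Errorf("table entry %q: %w", line, aerr)
			}
			p = netip.PrefixFrom(a, a.BitLen())
		}
		t = append(t, p.Masked())
	}
	return t, sc.Err()
}

func (t Table) Contains(a netip.Addr) bool {
	for _, p := range t {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Ruleset holds the two tables the pf.conf above consults.
type Ruleset struct {
	DirectCIDR Table // <direct_cidr>: destinations that bypass the proxy
	DirectSrc  Table // <direct_src>: sources that bypass the proxy
}

// NewRuleset parses the contents of the two table files.
func NewRuleset(directCIDR, directSrc string) (r Ruleset, err error) {
	if r.DirectCIDR, err = ParseTable(directCIDR); err != nil {
		return r, err
	}
	r.DirectSrc, err = ParseTable(directSrc)
	return r, err
}

// Decide evaluates "pass out on en0 route-to (lo0 127.0.0.1) proto tcp from !<direct_src>
// to !<direct_cidr>": only a flow matching both negations reaches lo0, where the rdr rule
// hands it to the pf inbound; everything else leaves en0 directly.
func (r Ruleset) Decide(src, dst netip.Addr) Decision {
	if r.DirectSrc.Contains(src) || r.DirectCIDR.Contains(dst) {
		return Direct
	}
	return Redirect
}

// Classify is Decide on textual addresses, for scripts and tests.
func (r Ruleset) Classify(src, dst string) (Decision, error) {
	s, err := netip.ParseAddr(src)
	d, err2 := netip.ParseAddr(dst)
	if err != nil || err2 != nil {
		return "", fmt.Errorf("bad address in %q -> %q", src, dst)
	}
	return r.Decide(s, d), nil
}

// Constructed sample tables; the page does not show the real files.
const (
	SampleDirectCIDR = "127.0.0.0/8\n10.0.0.0/8 # LAN\n192.168.0.0/16\n"
	SampleDirectSrc  = "192.168.20.50 # a host that must never be proxied\n"
)

func main() {
	rs, err := NewRuleset(SampleDirectCIDR, SampleDirectSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println(rs.Classify("192.168.20.139", "13.225.142.125")) // the flow in the log above
}
```

With the sample tables, the connection from 192.168.20.139 to 13.225.142.125:443 seen in the log is classified as redirect, a LAN destination inside 10.0.0.0/8 is direct, and anything from 192.168.20.50 is direct regardless of destination. Feeding the proxy host's own source addresses and the destinations it is expected to reach through Classify is a quick way to spot a rule that would loop the outbound traffic back into the inbound.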

@yuhan6665
Member

Thanks for your info. Now I understand a bit more about pf. Essentially it is similar port-forwarding traffic with a special way to read the destination address. I would propose the following:
Instead of adding a new protocol, you can add to the "tproxy" option here

tproxy option determine how to override the dest address

if outbound := session.OutboundFromContext(ctx); outbound != nil && outbound.Target.IsValid() {

In fact you can see we already have platform-dependent code for "tproxy": "redirect"

@S-Mocking
Contributor Author

According to your suggestions, the corresponding modifications have been made
#1189

@yuhan6665
Member

#1189 has been merged, so this one is closed.
