stack_gvisor.go

//go:build with_gvisor

package tun

import (
	"context"
	"net/netip"
	"runtime"
	"time"

	"github.com/sagernet/gvisor/pkg/tcpip"
	"github.com/sagernet/gvisor/pkg/tcpip/adapters/gonet"
	"github.com/sagernet/gvisor/pkg/tcpip/header"
	"github.com/sagernet/gvisor/pkg/tcpip/network/ipv4"
	"github.com/sagernet/gvisor/pkg/tcpip/network/ipv6"
	"github.com/sagernet/gvisor/pkg/tcpip/stack"
	"github.com/sagernet/gvisor/pkg/tcpip/transport/icmp"
	"github.com/sagernet/gvisor/pkg/tcpip/transport/raw"
	"github.com/sagernet/gvisor/pkg/tcpip/transport/tcp"
	"github.com/sagernet/gvisor/pkg/tcpip/transport/udp"
	E "github.com/sagernet/sing/common/exceptions"
	"github.com/sagernet/sing/common/logger"
)

const WithGVisor = true

const DefaultNIC tcpip.NICID = 1

type GVisor struct {
	ctx                  context.Context
	tun                  GVisorTun
	inet4Address         netip.Addr
	inet6Address         netip.Addr
	inet4LoopbackAddress []netip.Addr
	inet6LoopbackAddress []netip.Addr
	udpTimeout           time.Duration
	broadcastAddr        netip.Addr
	handler              Handler
	logger               logger.Logger
	stack                *stack.Stack
	endpoint             stack.LinkEndpoint
}

type GVisorTun interface {
	Tun
	WritePacket(pkt *stack.PacketBuffer) (int, error)
	NewEndpoint() (stack.LinkEndpoint, stack.NICOptions, error)
}

func NewGVisor(
	options StackOptions,
) (Stack, error) {
	gTun, isGTun := options.Tun.(GVisorTun)
	if !isGTun {
		return nil, E.New("gVisor stack is unsupported on current platform")
	}

	var (
		inet4Address netip.Addr
		inet6Address netip.Addr
	)
	if len(options.TunOptions.Inet4Address) > 0 {
		inet4Address = options.TunOptions.Inet4Address[0].Addr()
	}
	if len(options.TunOptions.Inet6Address) > 0 {
		inet6Address = options.TunOptions.Inet6Address[0].Addr()
	}

	gStack := &GVisor{
		ctx:                  options.Context,
		tun:                  gTun,
		inet4Address:         inet4Address,
		inet6Address:         inet6Address,
		inet4LoopbackAddress: options.TunOptions.Inet4LoopbackAddress,
		inet6LoopbackAddress: options.TunOptions.Inet6LoopbackAddress,
		udpTimeout:           options.UDPTimeout,
		broadcastAddr:        BroadcastAddr(options.TunOptions.Inet4Address),
		handler:              options.Handler,
		logger:               options.Logger,
	}
	return gStack, nil
}

func (t *GVisor) Start() error {
	linkEndpoint, nicOptions, err := t.tun.NewEndpoint()
	if err != nil {
		return err
	}
	linkEndpoint = &LinkEndpointFilter{linkEndpoint, t.broadcastAddr, t.tun}
	ipStack, err := NewGVisorStackWithOptions(linkEndpoint, nicOptions, false)
	if err != nil {
		return err
	}
	ipStack.SetTransportProtocolHandler(tcp.ProtocolNumber, NewTCPForwarderWithLoopback(t.ctx, ipStack, t.handler, t.inet4LoopbackAddress, t.inet6LoopbackAddress, t.tun).HandlePacket)
	ipStack.SetTransportProtocolHandler(udp.ProtocolNumber, NewUDPForwarder(t.ctx, ipStack, t.handler, t.udpTimeout).HandlePacket)
	icmpForwarder := NewICMPForwarder(t.ctx, ipStack, t.handler, t.udpTimeout)
	icmpForwarder.SetLocalAddresses(t.inet4Address, t.inet6Address)
	ipStack.SetTransportProtocolHandler(icmp.ProtocolNumber4, icmpForwarder.HandlePacket)
	ipStack.SetTransportProtocolHandler(icmp.ProtocolNumber6, icmpForwarder.HandlePacket)
	t.stack = ipStack
	t.endpoint = linkEndpoint
	return nil
}

func (t *GVisor) Close() error {
	if t.stack == nil {
		return nil
	}
	t.endpoint.Attach(nil)
	t.stack.Close()
	for _, endpoint := range t.stack.CleanupEndpoints() {
		endpoint.Abort()
	}
	return nil
}

func AddressFromAddr(destination netip.Addr) tcpip.Address {
	if destination.Is6() {
		return tcpip.AddrFrom16(destination.As16())
	} else {
		return tcpip.AddrFrom4(destination.As4())
	}
}

func AddrFromAddress(address tcpip.Address) netip.Addr {
	if address.Len() == 16 {
		return netip.AddrFrom16(address.As16())
	} else {
		return netip.AddrFrom4(address.As4())
	}
}

func NewGVisorStack(ep stack.LinkEndpoint) (*stack.Stack, error) {
	return NewGVisorStackWithOptions(ep, stack.NICOptions{}, false)
}

func NewGVisorStackWithOptions(ep stack.LinkEndpoint, opts stack.NICOptions, allowRawEndpoint bool) (*stack.Stack, error) {
	stackOptions := stack.Options{
		NetworkProtocols: []stack.NetworkProtocolFactory{
			ipv4.NewProtocol,
			ipv6.NewProtocol,
		},
		TransportProtocols: []stack.TransportProtocolFactory{
			tcp.NewProtocol,
			udp.NewProtocol,
			icmp.NewProtocol4,
			icmp.NewProtocol6,
		},
	}
	if allowRawEndpoint {
		stackOptions.RawFactory = new(raw.EndpointFactory)
	}
	ipStack := stack.New(stackOptions)
	err := ipStack.CreateNICWithOptions(DefaultNIC, ep, opts)
	if err != nil {
		return nil, gonet.TranslateNetstackError(err)
	}
	ipStack.SetRouteTable([]tcpip.Route{
		{Destination: header.IPv4EmptySubnet, NIC: DefaultNIC},
		{Destination: header.IPv6EmptySubnet, NIC: DefaultNIC},
	})
	err = ipStack.SetSpoofing(DefaultNIC, true)
	if err != nil {
		return nil, gonet.TranslateNetstackError(err)
	}
	err = ipStack.SetPromiscuousMode(DefaultNIC, true)
	if err != nil {
		return nil, gonet.TranslateNetstackError(err)
	}
	sOpt := tcpip.TCPSACKEnabled(true)
	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &sOpt)
	mOpt := tcpip.TCPModerateReceiveBufferOption(true)
	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &mOpt)
	if runtime.GOOS == "windows" {
		tcpRecoveryOpt := tcpip.TCPRecovery(0)
		err = ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRecoveryOpt)
	}
	tcpRXBufOpt := tcpip.TCPReceiveBufferSizeRangeOption{
		Min:     tcpRXBufMinSize,
		Default: tcpRXBufDefSize,
		Max:     tcpRXBufMaxSize,
	}
	err = ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRXBufOpt)
	if err != nil {
		return nil, gonet.TranslateNetstackError(err)
	}
	tcpTXBufOpt := tcpip.TCPSendBufferSizeRangeOption{
		Min:     tcpTXBufMinSize,
		Default: tcpTXBufDefSize,
		Max:     tcpTXBufMaxSize,
	}
	err = ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpTXBufOpt)
	if err != nil {
		return nil, gonet.TranslateNetstackError(err)
	}
	return ipStack, nil
}
Make gVisor optional 2022-09-15 11:19:31 +08:00			`//go:build with_gvisor`
Add darwin monitor 2022-08-04 18:23:58 +08:00
Init commit 2022-07-11 17:15:22 +08:00			`package tun`

			`import (`
			`"context"`
Update gVisor to release-20230605.0-21-g457c1c36d 2023-05-20 12:09:41 +08:00			`"net/netip"`
Remove unused ICMP replies & Improve tcpbuf options 2024-11-06 17:10:13 +08:00			`"runtime"`
Fix tcp keepalive 2022-07-25 23:34:12 +08:00			`"time"`
Init commit 2022-07-11 17:15:22 +08:00
Update gVisor to 20230605.0-33-g8ec8dbe7e 2023-06-11 21:55:48 +08:00			`"github.com/sagernet/gvisor/pkg/tcpip"`
			`"github.com/sagernet/gvisor/pkg/tcpip/adapters/gonet"`
			`"github.com/sagernet/gvisor/pkg/tcpip/header"`
			`"github.com/sagernet/gvisor/pkg/tcpip/network/ipv4"`
			`"github.com/sagernet/gvisor/pkg/tcpip/network/ipv6"`
			`"github.com/sagernet/gvisor/pkg/tcpip/stack"`
			`"github.com/sagernet/gvisor/pkg/tcpip/transport/icmp"`
ping: Add gVisor destination 2025-08-24 10:36:16 +08:00			`"github.com/sagernet/gvisor/pkg/tcpip/transport/raw"`
Update gVisor to 20230605.0-33-g8ec8dbe7e 2023-06-11 21:55:48 +08:00			`"github.com/sagernet/gvisor/pkg/tcpip/transport/tcp"`
			`"github.com/sagernet/gvisor/pkg/tcpip/transport/udp"`
Add windows support 2022-07-13 18:59:09 +08:00			`E "github.com/sagernet/sing/common/exceptions"`
Add route support 2023-03-21 15:31:43 +08:00			`"github.com/sagernet/sing/common/logger"`
Init commit 2022-07-11 17:15:22 +08:00			`)`

Make gVisor optional 2022-09-15 11:19:31 +08:00			`const WithGVisor = true`

Export interface for WireGuard 2024-11-21 18:12:21 +08:00			`const DefaultNIC tcpip.NICID = 1`
Init commit 2022-07-11 17:15:22 +08:00
Improve build tags 2022-08-07 15:40:46 +08:00			`type GVisor struct {`
Add loopback address support 2025-06-09 18:51:17 +08:00			`ctx context.Context`
			`tun GVisorTun`
Fix ping response for tun address 2025-08-23 16:37:46 +08:00			`inet4Address netip.Addr`
			`inet6Address netip.Addr`
Add loopback address support 2025-06-09 18:51:17 +08:00			`inet4LoopbackAddress []netip.Addr`
			`inet6LoopbackAddress []netip.Addr`
			`udpTimeout time.Duration`
			`broadcastAddr netip.Addr`
			`handler Handler`
			`logger logger.Logger`
			`stack *stack.Stack`
			`endpoint stack.LinkEndpoint`
Add optional LWIP stack support 2022-08-07 17:15:29 +08:00			`}`

			`type GVisorTun interface {`
			`Tun`
Improve darwin tun performance 2025-07-17 17:33:41 +08:00			`WritePacket(pkt *stack.PacketBuffer) (int, error)`
Improve darwin tun performance 2025-07-02 19:16:14 +08:00			`NewEndpoint() (stack.LinkEndpoint, stack.NICOptions, error)`
Init commit 2022-07-11 17:15:22 +08:00			`}`

Add endpoint independent nat support 2022-07-26 19:15:04 +08:00			`func NewGVisor(`
Add system stack 2022-09-06 19:24:47 +08:00			`options StackOptions,`
Improve build tags 2022-08-07 15:40:46 +08:00			`) (Stack, error) {`
Add system stack 2022-09-06 19:24:47 +08:00			`gTun, isGTun := options.Tun.(GVisorTun)`
Improve build tags 2022-08-07 15:40:46 +08:00			`if !isGTun {`
Make gVisor optional 2022-09-15 11:19:31 +08:00			`return nil, E.New("gVisor stack is unsupported on current platform")`
Improve build tags 2022-08-07 15:40:46 +08:00			`}`

Fix ping response for tun address 2025-08-23 16:37:46 +08:00			`var (`
			`inet4Address netip.Addr`
			`inet6Address netip.Addr`
			`)`
			`if len(options.TunOptions.Inet4Address) > 0 {`
			`inet4Address = options.TunOptions.Inet4Address[0].Addr()`
			`}`
			`if len(options.TunOptions.Inet6Address) > 0 {`
			`inet6Address = options.TunOptions.Inet6Address[0].Addr()`
			`}`

Fix system nat mapping 2023-04-18 21:21:59 +08:00			`gStack := &GVisor{`
Add loopback address support 2025-06-09 18:51:17 +08:00			`ctx: options.Context,`
			`tun: gTun,`
Fix ping response for tun address 2025-08-23 16:37:46 +08:00			`inet4Address: inet4Address,`
			`inet6Address: inet6Address,`
Add loopback address support 2025-06-09 18:51:17 +08:00			`inet4LoopbackAddress: options.TunOptions.Inet4LoopbackAddress,`
			`inet6LoopbackAddress: options.TunOptions.Inet6LoopbackAddress,`
			`udpTimeout: options.UDPTimeout,`
			`broadcastAddr: BroadcastAddr(options.TunOptions.Inet4Address),`
			`handler: options.Handler,`
			`logger: options.Logger,`
Fix system nat mapping 2023-04-18 21:21:59 +08:00			`}`
			`return gStack, nil`
Init commit 2022-07-11 17:15:22 +08:00			`}`

Improve build tags 2022-08-07 15:40:46 +08:00			`func (t *GVisor) Start() error {`
Improve darwin tun performance 2025-07-02 19:16:14 +08:00			`linkEndpoint, nicOptions, err := t.tun.NewEndpoint()`
Init commit 2022-07-11 17:15:22 +08:00			`if err != nil {`
			`return err`
			`}`
Add GSO support 2023-12-10 00:00:14 +08:00			`linkEndpoint = &LinkEndpointFilter{linkEndpoint, t.broadcastAddr, t.tun}`
ping: Add gVisor destination 2025-08-24 10:36:16 +08:00			`ipStack, err := NewGVisorStackWithOptions(linkEndpoint, nicOptions, false)`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00			`if err != nil {`
			`return err`
Init commit 2022-07-11 17:15:22 +08:00			`}`
Add loopback address support 2025-06-09 18:51:17 +08:00			`ipStack.SetTransportProtocolHandler(tcp.ProtocolNumber, NewTCPForwarderWithLoopback(t.ctx, ipStack, t.handler, t.inet4LoopbackAddress, t.inet6LoopbackAddress, t.tun).HandlePacket)`
Revert "Update udpant usages" 2024-11-27 18:04:39 +08:00			`ipStack.SetTransportProtocolHandler(udp.ProtocolNumber, NewUDPForwarder(t.ctx, ipStack, t.handler, t.udpTimeout).HandlePacket)`
ping: Add gVisor destination 2025-08-24 10:36:16 +08:00			`icmpForwarder := NewICMPForwarder(t.ctx, ipStack, t.handler, t.udpTimeout)`
			`icmpForwarder.SetLocalAddresses(t.inet4Address, t.inet6Address)`
Add ping proxy support 2025-02-17 21:56:18 +08:00			`ipStack.SetTransportProtocolHandler(icmp.ProtocolNumber4, icmpForwarder.HandlePacket)`
			`ipStack.SetTransportProtocolHandler(icmp.ProtocolNumber6, icmpForwarder.HandlePacket)`
Init commit 2022-07-11 17:15:22 +08:00			`t.stack = ipStack`
Close stack faster 2022-07-31 19:55:51 +08:00			`t.endpoint = linkEndpoint`
Init commit 2022-07-11 17:15:22 +08:00			`return nil`
			`}`

Improve build tags 2022-08-07 15:40:46 +08:00			`func (t *GVisor) Close() error {`
stack: Fix close before start 2024-11-12 10:30:18 +08:00			`if t.stack == nil {`
			`return nil`
			`}`
Close stack faster 2022-07-31 19:55:51 +08:00			`t.endpoint.Attach(nil)`
Fix leak endpoint 2022-07-30 14:12:11 +08:00			`t.stack.Close()`
			`for _, endpoint := range t.stack.CleanupEndpoints() {`
			`endpoint.Abort()`
			`}`
			`return nil`
Init commit 2022-07-11 17:15:22 +08:00			`}`
Update gVisor to release-20230605.0-21-g457c1c36d 2023-05-20 12:09:41 +08:00
			`func AddressFromAddr(destination netip.Addr) tcpip.Address {`
			`if destination.Is6() {`
			`return tcpip.AddrFrom16(destination.As16())`
			`} else {`
			`return tcpip.AddrFrom4(destination.As4())`
			`}`
			`}`

			`func AddrFromAddress(address tcpip.Address) netip.Addr {`
			`if address.Len() == 16 {`
			`return netip.AddrFrom16(address.As16())`
			`} else {`
			`return netip.AddrFrom4(address.As4())`
			`}`
			`}`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00
Export interface for WireGuard 2024-11-21 18:12:21 +08:00			`func NewGVisorStack(ep stack.LinkEndpoint) (*stack.Stack, error) {`
ping: Add gVisor destination 2025-08-24 10:36:16 +08:00			`return NewGVisorStackWithOptions(ep, stack.NICOptions{}, false)`
Improve darwin tun performance 2025-07-02 19:16:14 +08:00			`}`

ping: Add gVisor destination 2025-08-24 10:36:16 +08:00			`func NewGVisorStackWithOptions(ep stack.LinkEndpoint, opts stack.NICOptions, allowRawEndpoint bool) (*stack.Stack, error) {`
			`stackOptions := stack.Options{`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00			`NetworkProtocols: []stack.NetworkProtocolFactory{`
			`ipv4.NewProtocol,`
			`ipv6.NewProtocol,`
			`},`
			`TransportProtocols: []stack.TransportProtocolFactory{`
			`tcp.NewProtocol,`
			`udp.NewProtocol,`
			`icmp.NewProtocol4,`
			`icmp.NewProtocol6,`
			`},`
ping: Add gVisor destination 2025-08-24 10:36:16 +08:00			`}`
			`if allowRawEndpoint {`
			`stackOptions.RawFactory = new(raw.EndpointFactory)`
			`}`
			`ipStack := stack.New(stackOptions)`
Improve darwin tun performance 2025-07-02 19:16:14 +08:00			`err := ipStack.CreateNICWithOptions(DefaultNIC, ep, opts)`
Remove unused ICMP replies & Improve tcpbuf options 2024-11-06 17:10:13 +08:00			`if err != nil {`
			`return nil, gonet.TranslateNetstackError(err)`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00			`}`
			`ipStack.SetRouteTable([]tcpip.Route{`
Export interface for WireGuard 2024-11-21 18:12:21 +08:00			`{Destination: header.IPv4EmptySubnet, NIC: DefaultNIC},`
			`{Destination: header.IPv6EmptySubnet, NIC: DefaultNIC},`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00			`})`
Export interface for WireGuard 2024-11-21 18:12:21 +08:00			`err = ipStack.SetSpoofing(DefaultNIC, true)`
Remove unused ICMP replies & Improve tcpbuf options 2024-11-06 17:10:13 +08:00			`if err != nil {`
			`return nil, gonet.TranslateNetstackError(err)`
			`}`
Export interface for WireGuard 2024-11-21 18:12:21 +08:00			`err = ipStack.SetPromiscuousMode(DefaultNIC, true)`
Remove unused ICMP replies & Improve tcpbuf options 2024-11-06 17:10:13 +08:00			`if err != nil {`
			`return nil, gonet.TranslateNetstackError(err)`
			`}`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00			`sOpt := tcpip.TCPSACKEnabled(true)`
			`ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &sOpt)`
			`mOpt := tcpip.TCPModerateReceiveBufferOption(true)`
			`ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &mOpt)`
Remove unused ICMP replies & Improve tcpbuf options 2024-11-06 17:10:13 +08:00			`if runtime.GOOS == "windows" {`
			`tcpRecoveryOpt := tcpip.TCPRecovery(0)`
			`err = ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRecoveryOpt)`
			`}`
			`tcpRXBufOpt := tcpip.TCPReceiveBufferSizeRangeOption{`
			`Min: tcpRXBufMinSize,`
			`Default: tcpRXBufDefSize,`
			`Max: tcpRXBufMaxSize,`
			`}`
			`err = ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpRXBufOpt)`
			`if err != nil {`
			`return nil, gonet.TranslateNetstackError(err)`
			`}`
			`tcpTXBufOpt := tcpip.TCPSendBufferSizeRangeOption{`
			`Min: tcpTXBufMinSize,`
			`Default: tcpTXBufDefSize,`
			`Max: tcpTXBufMaxSize,`
			`}`
			`err = ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpTXBufOpt)`
			`if err != nil {`
			`return nil, gonet.TranslateNetstackError(err)`
			`}`
Add handshake interface support for gVisor UDP 2023-07-23 14:18:36 +08:00			`return ipStack, nil`
			`}`