Add fwmark support

blechschmidt · blechschmidt · commit 560438f6ef7e · 2025-01-12T13:17:27.000+01:00
diff --git a/main.go b/main.go
@@ -49,6 +49,7 @@ var (
 	denyRange             IPPortRangeSlice
 	dnsTTL                time.Duration
 	readyFile             string
+	fwmark                int
 )
 
 func initFlagSet(flag *flag.FlagSet) {
@@ -73,6 +74,7 @@ func initFlagSet(flag *flag.FlagSet) {
 	flag.Var(&denyRange, "deny", "When routing, deny specified IP prefix and port range")
 	flag.DurationVar(&dnsTTL, "dns-ttl", time.Duration(5*time.Second), "For how long to cache DNS in case of dns labels passed to forward target.")
 	flag.StringVar(&readyFile, "ready-file", "", "After initialization, write a byte to this file to signal readiness")
+	flag.IntVar(&fwmark, "fwmark", 0, "Set fwmark on outbound packets")
 }
 
 func main() {
@@ -99,6 +101,8 @@ type State struct {
 	denyRange             IPPortRangeSlice
 
 	srcIPs SrcIPs
+
+	fwmark int
 }
 
 func Main(programName string, args []string) int {
@@ -170,6 +174,7 @@ func Main(programName string, args []string) int {
 	state.srcIPs.srcIPv6 = sourceIPv6.ip
 	state.allowRange = allowRange
 	state.denyRange = denyRange
+	state.fwmark = fwmark
 
 	logConnections = !quiet
 
diff --git a/net.go b/net.go
@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 
 	"gvisor.dev/gvisor/pkg/tcpip"
@@ -243,8 +244,22 @@ func netParseOrResolveIP(h string) (_ip net.IP, _resolved bool, _err error) {
 	return ip, true, err
 }
 
-func OutboundDial(srcIPs *SrcIPs, dst net.Addr) (net.Conn, error) {
+func OutboundDial(state *State, dst net.Addr) (net.Conn, error) {
+	srcIPs := &state.srcIPs
 	network := dst.Network()
+	dialer := &net.Dialer{}
+	if state.fwmark != 0 {
+		dialer.Control = func(network, address string, c syscall.RawConn) error {
+			var controlErr error
+			err := c.Control(func(fd uintptr) {
+				controlErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, state.fwmark)
+			})
+			if err != nil {
+				return err
+			}
+			return controlErr
+		}
+	}
 	if network == "tcp" {
 		dstTcp := dst.(*net.TCPAddr)
 		var srcTcp *net.TCPAddr
@@ -254,7 +269,8 @@ func OutboundDial(srcIPs *SrcIPs, dst net.Addr) (net.Conn, error) {
 		if srcIPs != nil && dstTcp.IP.To4() == nil && srcIPs.srcIPv6 != nil {
 			srcTcp = &net.TCPAddr{IP: srcIPs.srcIPv6}
 		}
-		return net.DialTCP(network, srcTcp, dstTcp)
+		dialer.LocalAddr = srcTcp
+		return dialer.Dial(network, dstTcp.String())
 	}
 	if network == "udp" {
 		dstUdp := dst.(*net.UDPAddr)
@@ -265,7 +281,8 @@ func OutboundDial(srcIPs *SrcIPs, dst net.Addr) (net.Conn, error) {
 		if srcIPs != nil && dstUdp.IP.To4() == nil && srcIPs.srcIPv6 != nil {
 			srcUdp = &net.UDPAddr{IP: srcIPs.srcIPv6}
 		}
-		return net.DialUDP(network, srcUdp, dstUdp)
+		dialer.LocalAddr = srcUdp
+		return dialer.Dial(network, dstUdp.String())
 	}
 	return nil, fmt.Errorf("not tcp/udp")
 }
diff --git a/routing.go b/routing.go
@@ -70,9 +70,9 @@ func UdpRoutingHandler(s *stack.Stack, state *State) func(*udp.ForwarderRequest)
 
 		go func() {
 			if rf != nil {
-				RemoteForward(conn, &state.srcIPs, rf)
+				RemoteForward(conn, state, rf)
 			} else {
-				RoutingForward(conn, &state.srcIPs, loc)
+				RoutingForward(conn, state, loc)
 			}
 		}()
 	}
@@ -118,22 +118,22 @@ func TcpRoutingHandler(state *State) func(*tcp.ForwarderRequest) {
 
 		go func() {
 			if rf != nil {
-				RemoteForward(conn, &state.srcIPs, rf)
+				RemoteForward(conn, state, rf)
 			} else {
-				RoutingForward(conn, &state.srcIPs, loc)
+				RoutingForward(conn, state, loc)
 			}
 		}()
 	}
 	return h
 }
 
-func RoutingForward(guest KaConn, srcIPs *SrcIPs, loc net.Addr) {
+func RoutingForward(guest KaConn, state *State, loc net.Addr) {
 	// Cache guest.RemoteAddr() because it becomes nil on
 	// guest.Close().
 	guestRemoteAddr := guest.RemoteAddr()
 
 	var pe ProxyError
-	xhost, err := OutboundDial(srcIPs, loc)
+	xhost, err := OutboundDial(state, loc)
 	if err != nil {
 		SetResetOnClose(guest)
 		guest.Close()
@@ -173,7 +173,7 @@ func RoutingForward(guest KaConn, srcIPs *SrcIPs, loc net.Addr) {
 	}
 }
 
-func RemoteForward(guest KaConn, srcIPs *SrcIPs, rf *FwdAddr) {
+func RemoteForward(guest KaConn, state *State, rf *FwdAddr) {
 	// Cache guest.RemoteAddr() because it becomes nil on
 	// guest.Close().
 	guestRemoteAddr := guest.RemoteAddr()
@@ -190,7 +190,7 @@ func RemoteForward(guest KaConn, srcIPs *SrcIPs, rf *FwdAddr) {
 			err)
 		return
 	}
-	xhost, err := OutboundDial(srcIPs, hostAddr)
+	xhost, err := OutboundDial(state, hostAddr)
 	if err != nil {
 		SetResetOnClose(guest)
 		guest.Close()
