Enhancement of "redirect" function, adding support for MacOS

Added the function of "MacOS" FreeBSD firewall traffic forwarding and resolving destination address
example:
"inbounds": [
{
"listen": "127.0.0.1",
"port": 1122,
"protocol": "dokodemo-door",
"tag": "dokodemo",
"settings": {
"network": "tcp",
"followRedirect": true,
"userLevel": 0
},
"streamSettings": {
"sockopt": {
"tproxy": "Redirect"
}
}
}
]

还原#1189 提交

Author: Mocking

app/proxyman/inbound/worker.go

@@ -72,13 +72,6 @@ func (w *tcpWorker) callback(conn stat.Connection) {
 			}
 		case internet.SocketConfig_TProxy:
 			dest = net.DestinationFromAddr(conn.LocalAddr())
-		case internet.SocketConfig_PF:
-			d, err := net.OriginalDst(conn)
-			if err != nil {
-				newError("failed to get original destination").Base(err).WriteToLog(session.ExportIDToError(ctx))
-			} else {
-				dest = d
-			}
 		}
 		if dest.IsValid() {
 			ctx = session.ContextWithOutbound(ctx, &session.Outbound{

common/net/destination-darwin.go

@@ -558,8 +558,6 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {
 		tproxy = internet.SocketConfig_TProxy
 	case "redirect":
 		tproxy = internet.SocketConfig_Redirect
-	case "pf":
-		tproxy = internet.SocketConfig_PF
 	default:
 		tproxy = internet.SocketConfig_Off
 	}

common/net/destination-other.go

@@ -74,8 +74,6 @@ message SocketConfig {
     TProxy = 1;
     // Redirect mode.
     Redirect = 2;
-    // PF mode.
-    PF = 3;
   }
 
   // TProxy is for enabling TProxy socket option.

infra/conf/transport_internet.go

@@ -1,7 +1,11 @@
 package internet
 
 import (
+	"github.com/xtls/xray-core/common/net"
 	"golang.org/x/sys/unix"
+	"os"
+	"syscall"
+	"unsafe"
 )
 
 const (
@@ -13,6 +17,83 @@ const (
 	sysTCP_KEEPINTVL = 0x101 // nolint: revive,stylecheck
 )
 
+const (
+	PfOut       = 2
+	IOCOut      = 0x40000000
+	IOCIn       = 0x80000000
+	IOCInOut    = IOCIn | IOCOut
+	IOCPARMMask = 0x1FFF
+	LEN         = 4*16 + 4*4 + 4*1
+	// #define	_IOC(inout,group,num,len) (inout | ((len & IOCPARMMask) << 16) | ((group) << 8) | (num))
+	// #define	_IOWR(g,n,t)	_IOC(IOCInOut,	(g), (n), sizeof(t))
+	// #define DIOCNATLOOK		_IOWR('D', 23, struct pfioc_natlook)
+	DIOCNATLOOK = IOCInOut | ((LEN & IOCPARMMask) << 16) | ('D' << 8) | 23
+)
+
+// OriginalDst uses ioctl to read original destination from /dev/pf
+func OriginalDst(la, ra net.Addr) (net.IP, int, error) {
+	f, err := os.Open("/dev/pf")
+	if err != nil {
+		return net.IP{}, -1, newError("failed to open device /dev/pf").Base(err)
+	}
+	defer f.Close()
+	fd := f.Fd()
+	nl := struct { // struct pfioc_natlook
+		saddr, daddr, rsaddr, rdaddr       [16]byte
+		sxport, dxport, rsxport, rdxport   [4]byte
+		af, proto, protoVariant, direction uint8
+	}{
+		af:        syscall.AF_INET,
+		proto:     syscall.IPPROTO_TCP,
+		direction: PfOut,
+	}
+	var raIP, laIP net.IP
+	var raPort, laPort int
+	switch la.(type) {
+	case *net.TCPAddr:
+		raIP = ra.(*net.TCPAddr).IP
+		laIP = la.(*net.TCPAddr).IP
+		raPort = ra.(*net.TCPAddr).Port
+		laPort = la.(*net.TCPAddr).Port
+	case *net.UDPAddr:
+		raIP = ra.(*net.UDPAddr).IP
+		laIP = la.(*net.UDPAddr).IP
+		raPort = ra.(*net.UDPAddr).Port
+		laPort = la.(*net.UDPAddr).Port
+	}
+	if raIP.To4() != nil {
+		if laIP.IsUnspecified() {
+			laIP = net.ParseIP("127.0.0.1")
+		}
+		copy(nl.saddr[:net.IPv4len], raIP.To4())
+		copy(nl.daddr[:net.IPv4len], laIP.To4())
+	}
+	if raIP.To16() != nil && raIP.To4() == nil {
+		if laIP.IsUnspecified() {
+			laIP = net.ParseIP("::1")
+		}
+		copy(nl.saddr[:], raIP)
+		copy(nl.daddr[:], laIP)
+	}
+	nl.sxport[0], nl.sxport[1] = byte(raPort>>8), byte(raPort)
+	nl.dxport[0], nl.dxport[1] = byte(laPort>>8), byte(laPort)
+	if _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, DIOCNATLOOK, uintptr(unsafe.Pointer(&nl))); errno != 0 {
+		return net.IP{}, -1, os.NewSyscallError("ioctl", err)
+	}
+
+	odPort := nl.rdxport
+	var odIP net.IP
+	switch nl.af {
+	case syscall.AF_INET:
+		odIP = make(net.IP, net.IPv4len)
+		copy(odIP, nl.rdaddr[:net.IPv4len])
+	case syscall.AF_INET6:
+		odIP = make(net.IP, net.IPv6len)
+		copy(odIP, nl.rdaddr[:])
+	}
+	return odIP, int(net.PortFromBytes(odPort[:2])), nil
+}
+
 func applyOutboundSocketOptions(network string, address string, fd uintptr, config *SocketConfig) error {
 	if isTCPSocket(network) {
 		tfo := config.ParseTFOValue()

transport/internet/config.pb.go

@@ -0,0 +1,25 @@
+//go:build darwin
+// +build darwin
+
+package tcp
+
+import (
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/transport/internet"
+	"github.com/xtls/xray-core/transport/internet/stat"
+)
+
+// GetOriginalDestination from tcp conn
+func GetOriginalDestination(conn stat.Connection) (net.Destination, error) {
+	la := conn.LocalAddr()
+	ra := conn.RemoteAddr()
+	ip, port, err := internet.OriginalDst(la, ra)
+	if err != nil {
+		return net.Destination{}, newError("failed to get destination").Base(err)
+	}
+	dest := net.TCPDestination(net.IPAddress(ip), net.Port(port))
+	if !dest.IsValid() {
+		return net.Destination{}, newError("failed to parse destination.")
+	}
+	return dest, nil
+}

transport/internet/config.proto

@@ -1,5 +1,5 @@
-//go:build !linux && !freebsd
-// +build !linux,!freebsd
+//go:build !linux && !freebsd && !darwin
+// +build !linux,!freebsd,!darwin
 
 package tcp
 

transport/internet/sockopt_darwin.go

@@ -0,0 +1,46 @@
+//go:build darwin
+// +build darwin
+
+package udp
+
+import (
+	"bytes"
+	"encoding/gob"
+	"io"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/transport/internet"
+)
+
+// RetrieveOriginalDest from stored laddr, caddr
+func RetrieveOriginalDest(oob []byte) net.Destination {
+	dec := gob.NewDecoder(bytes.NewBuffer(oob))
+	var la, ra net.UDPAddr
+	dec.Decode(&la)
+	dec.Decode(&ra)
+	ip, port, err := internet.OriginalDst(&la, &ra)
+	if err != nil {
+		return net.Destination{}
+	}
+	return net.UDPDestination(net.IPAddress(ip), net.Port(port))
+}
+
+// ReadUDPMsg stores laddr, caddr for later use
+func ReadUDPMsg(conn *net.UDPConn, payload []byte, oob []byte) (int, int, int, *net.UDPAddr, error) {
+	nBytes, addr, err := conn.ReadFromUDP(payload)
+	var buf bytes.Buffer
+	enc := gob.NewEncoder(&buf)
+	udpAddr, ok := conn.LocalAddr().(*net.UDPAddr)
+	if !ok {
+		return 0, 0, 0, nil, errors.New("invalid local address")
+	}
+	if addr == nil {
+		return 0, 0, 0, nil, errors.New("invalid remote address")
+	}
+	enc.Encode(udpAddr)
+	enc.Encode(addr)
+	var reader io.Reader = &buf
+	noob, _ := reader.Read(oob)
+	return nBytes, noob, 0, addr, err
+}

transport/internet/tcp/sockopt_darwin.go

@@ -1,5 +1,5 @@
-//go:build !linux && !freebsd
-// +build !linux,!freebsd
+//go:build !linux && !freebsd && !darwin
+// +build !linux,!freebsd,!darwin
 
 package udp