fix tproxy udp "unable to get destination" in IPv6 environment

[lucifer9]

should use IPV6_RECVORIGDSTADDR. now working as expected.
#1979 #2209 #2214 #2225

[ToutyRater]

我编译了最新合并后的代码，还没来得及测试 IPv6，透明代理下 IPv4 也无法获取目标地址了，以下是 log(部分)：

2020/02/28 21:12:31 [Debug] [3978846380] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:58121
2020/02/28 21:12:31 [Info] [3978846380] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination
2020/02/28 21:12:36 [Debug] [3715593654] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:58121
2020/02/28 21:12:36 [Info] [3715593654] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination
2020/02/28 21:12:37 [Debug] [3307509112] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:123
2020/02/28 21:12:37 [Info] [3307509112] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination
2020/02/28 21:12:37 [Debug] [3332569185] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:60639
2020/02/28 21:12:37 [Info] [3332569185] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination

revert 后则不会出现这个问题。使用环境是 Debian 10.3 AMD64。

[changyp6]

是的。我可以确认。最新的Code，在IPv4环境下，TPROXY模式，会一直报“unable to get destination”

…

On Fri, Feb 28, 2020 at 9:45 PM ToutyRater ***@***.***> wrote: 我编译了最新合并后的代码，还没来得及测试 IPv6，透明代理下 IPv4 也无法获取目标地址了，以下是 log(部分)： 2020/02/28 21:12:31 [Debug] [3978846380] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:58121 2020/02/28 21:12:31 [Info] [3978846380] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination 2020/02/28 21:12:36 [Debug] [3715593654] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:58121 2020/02/28 21:12:36 [Info] [3715593654] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination 2020/02/28 21:12:37 [Debug] [3307509112] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:123 2020/02/28 21:12:37 [Info] [3307509112] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination 2020/02/28 21:12:37 [Debug] [3332569185] v2ray.com/core/proxy/dokodemo: processing connection from: 192.168.5.168:60639 2020/02/28 21:12:37 [Info] [3332569185] v2ray.com/core/app/proxyman/inbound: connection ends > v2ray.com/core/proxy/dokodemo: unable to get destination revert 后则不会出现这个问题。使用环境是 Debian 10.3 AMD64。 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2281?email_source=notifications&email_token=ABPLTYMCPSVKX7XG2WV5MP3RFEIPBA5CNFSM4K23OEZ2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENIR6OQ#issuecomment-592518970>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABPLTYOWOHWTYLBM5TXB6KTRFEIPBANCNFSM4K23OEZQ> .

[lucifer9]

@changyp6 @ToutyRater 配置文件里面，任意门监听地址没写或者写的是 0.0.0.0 ？加上或者改为 "listen": "127.0.0.1"，iptables 规则也相应写上这个IP就行了。然后对于V6的情况，增加一个监听 ::1 的任意门即可。

[changyp6]

如果是这样修改，那"::"和"0.0.0.0"这样的地址就失去意义了。 如果我的任意门就是要监听所有网络，那按照你的建议，要为所有的网络地址都写上一个任意门的配置？

…

On Sat, Feb 29, 2020 at 12:02 AM lucifer ***@***.***> wrote: @changyp6 <https://github.com/changyp6> @ToutyRater <https://github.com/ToutyRater> 配置文件里面，任意门监听地址没写或者写的是 0.0.0.0 ？加上或者改为 "listen": "127.0.0.1"，iptables 规则也相应写上这个IP就行了。然后对于V6的情况，增加一个监听 ::1 的任意门即可。 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2281?email_source=notifications&email_token=ABPLTYLLQO4COVAU7YVKNB3RE7PZ3A5CNFSM4K23OEZ2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENJAQHA#issuecomment-592578588>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABPLTYNHVDZE4KDVYY5ZQ63RE7PZ3ANCNFSM4K23OEZQ> .

[ToutyRater]

@lucifer9
监听改为 127.0.0.1 IPv4 无问题了。不过确实如 @changyp6 所说，这样会失去代理同局域网其他设备的能力。我这里测试 IPv6 获取的地址还是错误的，不知道哪里设置有误，请指点一下。

iptables:

ip -6 rule add fwmark 1 lookup 100
ip -6 route add local default dev lo table 100

ip6tables -t mangle -N V2RAY_IP6_PRE

ip6tables -t mangle -A V2RAY_IP6_PRE -d ::1/128 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d ::ffff:0:0/96 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d 64:ff9b::/96 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d 100::/64 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d 2001::/32 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d 2001:20::/28 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d 2001:db8::/32 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d 2002::/16 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d fc00::/7 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d fe80::/10 -j RETURN
ip6tables -t mangle -A V2RAY_IP6_PRE -d ff00::/8 -j RETURN

ip6tables -t mangle -A V2RAY_IP6_PRE -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
ip6tables -t mangle -A V2RAY_IP6_PRE -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
ip6tables -t mangle -A PREROUTING -j V2RAY_IP6_PRE

ip6tables -t mangle -N V2RAY_IP6
ip6tables -t mangle -A V2RAY_IP6 -d ::1/128 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d ::ffff:0:0/96 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d 64:ff9b::/96 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d 100::/64 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d 2001::/32 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d 2001:20::/28 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d 2001:db8::/32 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d 2002::/16 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d fc00::/7 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d fe80::/10 -j RETURN
ip6tables -t mangle -A V2RAY_IP6 -d ff00::/8 -j RETURN

ip6tables -t mangle -A V2RAY_IP6 -j RETURN -m mark --mark 0xff

ip6tables -t mangle -A V2RAY_IP6 -p udp -j MARK --set-mark 1
ip6tables -t mangle -A V2RAY_IP6 -p tcp -j MARK --set-mark 1
ip6tables -t mangle -A OUTPUT -j V2RAY_IP6 

log:

2020/02/29 00:39:32 [Debug] v2ray.com/core/transport/internet/udp: UDP original destination: udp:[::1]:44297
2020/02/29 00:39:32 [Debug] [22226369] v2ray.com/core/proxy/dokodemo: processing connection from: [::1]:57696
2020/02/29 00:39:32 [Info] [22226369] v2ray.com/core/app/dispatcher: taking detour [direct] for [udp:[::1]:44297]
2020/02/29 00:39:32 [Info] [22226369] v2ray.com/core/proxy/freedom: opening connection to udp:[::1]:44297
2020/02/29 00:39:32 [Debug] v2ray.com/core/transport/internet/udp: UDP original destination: udp:[::1]:44297
2020/02/29 00:39:32 [Debug] [2070418656] v2ray.com/core/proxy/dokodemo: processing connection from: [::1]:45604
2020/02/29 00:39:32 [Info] [2070418656] v2ray.com/core/app/dispatcher: taking detour [direct] for [udp:[::1]:44297]
2020/02/29 00:39:32 [Info] [2070418656] v2ray.com/core/proxy/freedom: opening connection to udp:[::1]:44297
2020/02/29 00:39:32 [Debug] v2ray.com/core/transport/internet/udp: UDP original destination: udp:[::1]:44297
2020/02/29 00:39:32 [Debug] [316593303] v2ray.com/core/proxy/dokodemo: processing connection from: [::1]:42611
2020/02/29 00:39:32 [Info] [316593303] v2ray.com/core/app/dispatcher: taking detour [direct] for [udp:[::1]:44297]
2020/02/29 00:39:32 [Info] [316593303] v2ray.com/core/proxy/freedom: opening connection to udp:[::1]:44297
2020/02/29 00:39:32 [Debug] v2ray.com/core/transport/internet/udp: UDP original destination: udp:[::1]:44297
2020/02/29 00:39:32 [Debug] [3605089902] v2ray.com/core/proxy/dokodemo: processing connection from: [::1]:54988
2020/02/29 00:39:32 [Info] [3605089902] v2ray.com/core/app/dispatcher: taking detour [direct] for [udp:[::1]:44297]
2020/02/29 00:39:32 [Info] [3605089902] v2ray.com/core/proxy/freedom: opening connection to udp:[::1]:44297
2020/02/29 00:39:32 [Debug] v2ray.com/core/transport/internet/udp: UDP original destination: udp:[::1]:44297

[lucifer9]

@ToutyRater @changyp6 目前的代码，只有在 tproxy 且 需要udp的情况下，才需要写清楚监听地址。如果跑v2ray的机器跟路由不是一台，那监听地址别写127.0.0.1，写v2ray机器的局域网地址就行了。我需要看下原来前面是怎么处理 0.0.0.0 这种地址的。后面设置sockopt的代码里面不容易拿到监听地址，也就没法分别设置v4或者v6的情况，只能要么不管是不是出错一律设置，要么先按一种猜，错了那就是另一种。我现在是按后一种方式处理的。但是貌似 0.0.0.0 这种，必须v4v6都设置才能都生效，然后现在又拿不到监听地址...我再看下，实在不行就不管是啥全都设置上一把撸了，就是难看点应该不影响功能了。

[lucifer9]

@ToutyRater 你这个看上去像是 rule 和/或 route 没生效？ip -6 ro show table 100，ip -6 ru show table 100 看下？

[lucifer9]

@ToutyRater @changyp6 看来GO里面 listen 0.0.0.0 就是v4 v6都有了，那必须一把撸了。 #2300

[ToutyRater]

测试环境给我玩坏了，过段时间再搞