Support setting SO_MARK on Linux

Author: zonyitoo

src/bin/local.rs

@@ -81,7 +81,7 @@ fn main() {
 
         (@arg PROTOCOL: --protocol +takes_value default_value("socks5") possible_values(AVAILABLE_PROTOCOLS) +next_line_help "Protocol that for communicating with clients")
 
-        (@arg NO_DELAY: --("no-delay") !takes_value "Set no-delay option for socket")
+        (@arg NO_DELAY: --("no-delay") !takes_value "Set TCP_NODELAY option for socket")
         (@arg NOFILE: -n --nofile +takes_value "Set RLIMIT_NOFILE with both soft and hard limit (only for *nix systems)")
         (@arg ACL: --acl +takes_value "Path to ACL (Access Control List)")
 
@@ -101,6 +101,13 @@ fn main() {
             .help("Resolve hostname to IPv6 address first"),
     );
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    {
+        app = clap_app!(@app (app)
+            (@arg OUTBOUND_FWMARK: --("outbound-fwmark") +takes_value {validator::validate_u32} "Set SO_MARK option for outbound socket")
+        );
+    }
+
     #[cfg(feature = "local-redir")]
     {
         let available_redir_types = RedirType::available_types();
@@ -118,7 +125,8 @@ fn main() {
         }
     }
 
-    if cfg!(target_os = "android") {
+    #[cfg(target_os = "android")]
+    {
         app = clap_app!(@app (app)
             (@arg VPN_MODE: --vpn "Enable VPN mode (only for Android)")
         );
@@ -239,7 +247,8 @@ fn main() {
         config.server.push(svr_addr);
     }
 
-    if cfg!(target_os = "android") {
+    #[cfg(target_os = "android")]
+    {
         config.local_dns_path = Some(From::from("local_dns_path"));
 
         if matches.is_present("VPN_MODE") {
@@ -294,6 +303,11 @@ fn main() {
         config.no_delay = true;
     }
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    if let Some(mark) = matches.value_of("OUTBOUND_FWMARK") {
+        config.outbound_fwmark = Some(mark.parse::<u32>().expect("an unsigned integer for `outbound-fwmark`"));
+    }
+
     if let Some(nofile) = matches.value_of("NOFILE") {
         config.nofile = Some(nofile.parse::<u64>().expect("an unsigned integer for `nofile`"));
     }

src/bin/manager.rs

@@ -55,7 +55,7 @@ fn main() {
         (@arg BIND_ADDR: -b --("bind-addr") +takes_value "Bind address, outbound socket will bind this address")
         (@arg SERVER_HOST: -s --("server-host") +takes_value "Host name or IP address of your remote server")
 
-        (@arg NO_DELAY: --("no-delay") !takes_value "Set no-delay option for socket")
+        (@arg NO_DELAY: --("no-delay") !takes_value "Set TCP_NODELAY option for socket")
 
         (@arg MANAGER_ADDRESS: --("manager-address") +takes_value {validator::validate_manager_addr} "ShadowSocks Manager (ssmgr) address, could be ip:port, domain:port or /path/to/unix.sock")
         (@arg ENCRYPT_METHOD: -m --("encrypt-method") +takes_value possible_values(&available_ciphers) +next_line_help "Default encryption method")
@@ -76,6 +76,13 @@ fn main() {
         );
     }
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    {
+        app = clap_app!(@app (app)
+            (@arg OUTBOUND_FWMARK: --("outbound-fwmark") +takes_value {validator::validate_u32} "Set SO_MARK option for outbound socket")
+        );
+    }
+
     let matches = app
         .arg(
             Arg::with_name("IPV6_FIRST")
@@ -130,6 +137,11 @@ fn main() {
         config.no_delay = true;
     }
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    if let Some(mark) = matches.value_of("OUTBOUND_FWMARK") {
+        config.outbound_fwmark = Some(mark.parse::<u32>().expect("an unsigned integer for `outbound-fwmark`"));
+    }
+
     if let Some(m) = matches.value_of("MANAGER_ADDRESS") {
         if let Some(ref mut manager_config) = config.manager {
             manager_config.addr = m.parse::<ManagerAddr>().expect("manager-address");

src/bin/server.rs

@@ -62,7 +62,7 @@ fn main() {
 
         (@arg MANAGER_ADDRESS: --("manager-address") +takes_value "ShadowSocks Manager (ssmgr) address, could be \"IP:Port\", \"Domain:Port\" or \"/path/to/unix.sock\"")
 
-        (@arg NO_DELAY: --("no-delay") !takes_value "Set no-delay option for socket")
+        (@arg NO_DELAY: --("no-delay") !takes_value "Set TCP_NODELAY option for socket")
         (@arg NOFILE: -n --nofile +takes_value "Set RLIMIT_NOFILE with both soft and hard limit (only for *nix systems)")
         (@arg ACL: --acl +takes_value "Path to ACL (Access Control List)")
 
@@ -81,6 +81,13 @@ fn main() {
         );
     }
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    {
+        app = clap_app!(@app (app)
+            (@arg OUTBOUND_FWMARK: --("outbound-fwmark") +takes_value {validator::validate_u32} "Set SO_MARK option for outbound socket")
+        );
+    }
+
     let matches = app
         .arg(
             Arg::with_name("IPV6_FIRST")
@@ -163,6 +170,11 @@ fn main() {
         config.no_delay = true;
     }
 
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    if let Some(mark) = matches.value_of("OUTBOUND_FWMARK") {
+        config.outbound_fwmark = Some(mark.parse::<u32>().expect("an unsigned integer for `outbound-fwmark`"));
+    }
+
     if let Some(m) = matches.value_of("MANAGER_ADDRESS") {
         config.manager = Some(ManagerConfig::new(m.parse::<ManagerAddr>().expect("manager address")));
     }

src/bin/validator/mod.rs

@@ -30,6 +30,7 @@ validate_type!(
     "should be either ip:port, domain:port or /path/to/unix.sock"
 );
 validate_type!(validate_u64, u64, "should be unsigned integer");
+validate_type!(validate_u32, u32, "should be unsigned integer");
 
 pub fn validate_server_url(v: String) -> Result<(), String> {
     match ServerConfig::from_url(&v) {

src/config.rs

@@ -1052,6 +1052,9 @@ pub struct Config {
     pub mode: Mode,
     /// Set `TCP_NODELAY` socket option
     pub no_delay: bool,
+    /// Set `SO_MARK` socket option for outbound sockets
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    pub outbound_fwmark: Option<u32>,
     /// Manager's configuration
     pub manager: Option<ManagerConfig>,
     /// Config is for Client or Server
@@ -1178,6 +1181,8 @@ impl Config {
             dns: None,
             mode: Mode::TcpOnly,
             no_delay: false,
+            #[cfg(any(target_os = "linux", target_os = "android"))]
+            outbound_fwmark: None,
             manager: None,
             config_type,
             udp_timeout: None,

src/relay/manager.rs

@@ -476,6 +476,12 @@ impl ManagerService {
             config.no_delay = self.context.config().no_delay;
         }
 
+        // SO_MARK
+        #[cfg(any(target_os = "linux", target_os = "android"))]
+        {
+            config.outbound_fwmark = self.context.config().outbound_fwmark;
+        }
+
         // UDP configurations
         config.udp_timeout = self.context.config().udp_timeout;
         config.udp_max_associations = self.context.config().udp_max_associations;

src/relay/sys/unix/mod.rs

@@ -87,6 +87,24 @@ pub async fn tcp_stream_connect(saddr: &SocketAddr, context: &Context) -> io::Re
         }
     }
 
+    // Set SO_MARK for mark-based routing on Linux (since 2.6.25)
+    // NOTE: This will require CAP_NET_ADMIN capability (root in most cases)
+    #[cfg(any(target_os = "linux", target_os = "android"))]
+    if let Some(mark) = context.config().outbound_fwmark {
+        let ret = unsafe {
+            libc::setsockopt(
+                socket.as_raw_fd(),
+                libc::SOL_SOCKET,
+                libc::SO_MARK,
+                &mark as *const _ as *const _,
+                mem::size_of_val(&mark) as libc::socklen_t,
+            )
+        };
+        if ret != 0 {
+            return Err(Error::last_os_error());
+        }
+    }
+
     // it's important that the socket is protected before connecting
     let stream = socket.into_tcp_stream();
     TcpStream::connect_std(stream, &saddr).await