1

2026-05-14 23:30:34 +03:00
parent 26cb65e936
commit 04c46042d9
239 changed files with 34102 additions and 438 deletions
@@ -184,6 +184,9 @@ func (g *Gateway) Snapshot() map[string]any {
 	if !lastRuntimeActivityAt.IsZero() {
 		out["last_runtime_activity_at"] = lastRuntimeActivityAt.UTC().Format(time.RFC3339Nano)
 	}
+	if platform := gatewayPlatformSnapshot(g.InterfaceName, g.RouteCIDR); len(platform) > 0 {
+		out["platform"] = platform
+	}
 	return out
 }

@@ -19,6 +19,8 @@ const (
 	iffNoPI       = 0x1000
 	tunSetIFF     = 0x400454ca
 	ifNameSize    = 16
+	gatewayTunMTU = "1000"
+	gatewayTCPMSS = "900"
 )

 type tunDevice struct {
@@ -86,6 +88,9 @@ func configureGatewayInterface(name, addressCIDR, routeCIDR string) error {
 	if err := runCommand("ip", "addr", "replace", addressCIDR, "dev", name); err != nil {
 		return err
 	}
+	if err := runCommand("ip", "link", "set", "dev", name, "mtu", gatewayTunMTU); err != nil {
+		return err
+	}
 	if err := runCommand("ip", "link", "set", name, "up"); err != nil {
 		return err
 	}
@@ -118,11 +123,10 @@ func ensureMasqueradeRules(routeCIDR string) error {
 }

 func ensureMSSClampRule(interfaceName string) error {
-	err := ensureIPTablesRule("mangle", "FORWARD", "-i", interfaceName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
-	if err == nil {
-		return nil
+	if err := ensureIPTablesRule("mangle", "FORWARD", "-i", interfaceName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", gatewayTCPMSS); err != nil {
+		return err
 	}
-	return nil
+	return ensureIPTablesRule("mangle", "FORWARD", "-o", interfaceName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", gatewayTCPMSS)
 }

 func defaultIPv4Interface() (string, error) {
@@ -204,3 +208,47 @@ func runCommand(name string, args ...string) error {
 	}
 	return nil
 }
+
+func gatewayPlatformSnapshot(interfaceName, routeCIDR string) map[string]any {
+	out := map[string]any{
+		"os":         "linux",
+		"interface":  interfaceName,
+		"route_cidr": routeCIDR,
+	}
+	if value, err := readTrimmedFile("/proc/sys/net/ipv4/ip_forward"); err == nil {
+		out["ipv4_forward"] = value
+	}
+	for _, key := range []string{"all", "default", interfaceName} {
+		if strings.TrimSpace(key) == "" {
+			continue
+		}
+		if value, err := readTrimmedFile(fmt.Sprintf("/proc/sys/net/ipv4/conf/%s/rp_filter", key)); err == nil {
+			out["rp_filter_"+key] = value
+		}
+	}
+	if interfaceName != "" {
+		out["forward_in_rule"] = iptablesRulePresent("filter", "FORWARD", "-i", interfaceName, "-j", "ACCEPT")
+		out["forward_out_established_rule"] = iptablesRulePresent("filter", "FORWARD", "-o", interfaceName, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT")
+	}
+	if routeCIDR != "" {
+		out["masquerade_rule"] = iptablesRulePresent("nat", "POSTROUTING", "-s", routeCIDR, "-j", "MASQUERADE")
+		if egress, err := defaultIPv4Interface(); err == nil && egress != "" {
+			out["default_egress"] = egress
+			out["egress_masquerade_rule"] = iptablesRulePresent("nat", "POSTROUTING", "-s", routeCIDR, "-o", egress, "-j", "MASQUERADE")
+		}
+	}
+	return out
+}
+
+func readTrimmedFile(path string) (string, error) {
+	payload, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(payload)), nil
+}
+
+func iptablesRulePresent(table, chain string, rule ...string) bool {
+	checkArgs := append([]string{"-t", table, "-C", chain}, rule...)
+	return exec.Command("iptables", checkArgs...).Run() == nil
+}
@@ -21,3 +21,11 @@ func (d *tunDevice) Write(packet []byte) (int, error) {
 func (d *tunDevice) Close() error {
 	return nil
 }
+
+func gatewayPlatformSnapshot(interfaceName, routeCIDR string) map[string]any {
+	return map[string]any{
+		"os":         "unsupported",
+		"interface":  interfaceName,
+		"route_cidr": routeCIDR,
+	}
+}