fix: outbound freedom for xray (#2479)

* fix: outbound freedom for xray on linux * fix: outbound freedom for xray on macOS * build: auto-generate pf rules based on the build type
2026-05-08 14:33:23 +00:00 · 2026-05-04 15:39:07 +04:00
parent c28452a5da
commit c0cae0ff01
15 changed files with 221 additions and 7 deletions
--- a/client/platforms/linux/daemon/linuxfirewall.cpp
+++ b/client/platforms/linux/daemon/linuxfirewall.cpp
@@ -32,6 +32,7 @@

 #include "linuxfirewall.h"
 #include "logger.h"
+#include "xray_defs.h"
 #include <QProcess>

 #define BRAND_CODE "amn"
@@ -282,6 +283,10 @@ void LinuxFirewall::install()
                                                            QStringLiteral("-o tun2+ -j ACCEPT"),
                                                        });

+    installAnchor(Both, QStringLiteral("130.allowMarkedXray"), {
+                                                             QStringLiteral("-m mark --mark %1 -j ACCEPT").arg(amnezia::xray::xrayTrafficMark),
+                                                         });
+
    installAnchor(IPv4, QStringLiteral("120.blockNets"), {});

    installAnchor(IPv4, QStringLiteral("110.allowNets"), {});
@@ -358,6 +363,7 @@ void LinuxFirewall::uninstall()
    uninstallAnchor(IPv6, QStringLiteral("250.blockIPv6"));
    uninstallAnchor(Both, QStringLiteral("200.allowVPN"));
    uninstallAnchor(IPv4, QStringLiteral("120.blockNets"));
+    uninstallAnchor(Both, QStringLiteral("130.allowMarkedXray"));
    uninstallAnchor(IPv4, QStringLiteral("110.allowNets"));
    uninstallAnchor(Both, QStringLiteral("100.blockAll"));

--- a/client/vpnConnection.cpp
+++ b/client/vpnConnection.cpp
@@ -92,7 +92,13 @@ void VpnConnection::onConnectionStateChanged(Vpn::ConnectionState state)
                    QString dns1 = m_vpnConfiguration.value(configKey::dns1).toString();
                    QString dns2 = m_vpnConfiguration.value(configKey::dns2).toString();

+#ifdef Q_OS_MACOS
+                    if (!m_appSettingsRepository->isSitesSplitTunnelingEnabled() || m_appSettingsRepository->routeMode() != amnezia::RouteMode::VpnAllExceptSites) {
+                        iface->routeAddList(m_vpnProtocol->vpnGateway(), QStringList() << dns1 << dns2);
+                    }
+#else
                    iface->routeAddList(m_vpnProtocol->vpnGateway(), QStringList() << dns1 << dns2);
+#endif

                    if (m_appSettingsRepository->isSitesSplitTunnelingEnabled()) {
                        iface->routeDeleteList(m_vpnProtocol->vpnGateway(), QStringList() << "0.0.0.0");
@@ -105,6 +111,9 @@ void VpnConnection::onConnectionStateChanged(Vpn::ConnectionState state)
                            iface->routeAddList(m_vpnProtocol->vpnGateway(), QStringList() << "128.0.0.0/1");

                            iface->routeAddList(m_vpnProtocol->routeGateway(), QStringList() << remoteAddress());
+#ifdef Q_OS_MACOS
+                            iface->routeAddList(m_vpnProtocol->routeGateway(), QStringList() << dns1 << dns2);
+#endif
                            addSitesRoutes(m_vpnProtocol->routeGateway(), routeMode);
                        }
                    }