From d87c9fd24263541cac000e029062ecb4a02e0950 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Fri, 17 Oct 2025 16:30:13 +0800 Subject: [PATCH] Fix compatibility with MPTCP --- docs/configuration/inbound/tun.md | 19 +++++++++++++++++++ docs/configuration/inbound/tun.zh.md | 19 +++++++++++++++++++ option/tun.go | 1 + protocol/tun/inbound.go | 1 + 4 files changed, 40 insertions(+) diff --git a/docs/configuration/inbound/tun.md b/docs/configuration/inbound/tun.md index 92313c822..5dde6b207 100644 --- a/docs/configuration/inbound/tun.md +++ b/docs/configuration/inbound/tun.md @@ -2,6 +2,10 @@ icon: material/new-box --- +!!! quote "Changes in sing-box 1.13.0" + + :material-plus: [exclude_mptcp](#exclude_mptcp) + !!! quote "Changes in sing-box 1.12.0" :material-plus: [loopback_address](#loopback_address) @@ -63,6 +67,7 @@ icon: material/new-box "auto_redirect": true, "auto_redirect_input_mark": "0x2023", "auto_redirect_output_mark": "0x2024", + "exclude_mptcp": false, "loopback_address": [ "10.7.0.1" ], @@ -278,6 +283,20 @@ Connection output mark used by `auto_redirect`. `0x2024` is used by default. +#### exclude_mptcp + +!!! question "Since sing-box 1.13.0" + +!!! quote "" + + Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled. + +MPTCP cannot be transparently proxied due to protocol limitations. + +Such traffic is usually created by Apple systems. + +When enabled, MPTCP connections will bypass sing-box and connect directly, otherwise, will be rejected to avoid errors by default. + #### loopback_address !!! question "Since sing-box 1.12.0" diff --git a/docs/configuration/inbound/tun.zh.md b/docs/configuration/inbound/tun.zh.md index 9c0539991..e9dec46f8 100644 --- a/docs/configuration/inbound/tun.zh.md +++ b/docs/configuration/inbound/tun.zh.md 
@@ -2,6 +2,10 @@ icon: material/new-box --- +!!! quote "sing-box 1.13.0 中的更改" + + :material-plus: [exclude_mptcp](#exclude_mptcp) + !!! quote "sing-box 1.12.0 中的更改" :material-plus: [loopback_address](#loopback_address) @@ -63,6 +67,7 @@ icon: material/new-box "auto_redirect": true, "auto_redirect_input_mark": "0x2023", "auto_redirect_output_mark": "0x2024", + "exclude_mptcp": false, "loopback_address": [ "10.7.0.1" ], @@ -277,6 +282,20 @@ tun 接口的 IPv6 前缀。 默认使用 `0x2024`。 +#### exclude_mptcp + +!!! question "自 sing-box 1.13.0 起" + +!!! quote "" + + 仅支持 Linux,且需要 nftables,`auto_route` 和 `auto_redirect` 已启用。 + +由于协议限制,MPTCP 无法被透明代理。 + +此类流量通常由 Apple 系统创建。 + +启用时,MPTCP 连接将绕过 sing-box 直接连接,否则,将被拒绝以避免错误。 + #### loopback_address !!! question "自 sing-box 1.12.0 起" diff --git a/option/tun.go b/option/tun.go index 89affb23c..ca8e3a113 100644 --- a/option/tun.go +++ b/option/tun.go @@ -20,6 +20,7 @@ type TunInboundOptions struct { AutoRedirect bool `json:"auto_redirect,omitempty"` AutoRedirectInputMark FwMark `json:"auto_redirect_input_mark,omitempty"` AutoRedirectOutputMark FwMark `json:"auto_redirect_output_mark,omitempty"` + ExcludeMPTCP bool `json:"exclude_mptcp,omitempty"` LoopbackAddress badoption.Listable[netip.Addr] `json:"loopback_address,omitempty"` StrictRoute bool `json:"strict_route,omitempty"` RouteAddress badoption.Listable[netip.Prefix] `json:"route_address,omitempty"` diff --git a/protocol/tun/inbound.go b/protocol/tun/inbound.go index 3f013598a..20b1cd2f5 100644 --- a/protocol/tun/inbound.go +++ b/protocol/tun/inbound.go @@ -203,6 +203,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo IPRoute2RuleIndex: ruleIndex, AutoRedirectInputMark: inputMark, AutoRedirectOutputMark: outputMark, + ExcludeMPTCP: options.ExcludeMPTCP, Inet4LoopbackAddress: common.Filter(options.LoopbackAddress, netip.Addr.Is4), Inet6LoopbackAddress: common.Filter(options.LoopbackAddress, netip.Addr.Is6), StrictRoute: options.StrictRoute,
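Review bot: The new `ExcludeMPTCP` field in `TunInboundOptions` has no comment, although it decides whether traffic leaves the host outside the proxy. Per the documentation added in this patch, `true` lets MPTCP connections bypass sing-box and connect directly, while the default `false` rejects them. A field comment would keep that trade-off visible to anyone reading the options struct, for example `// ExcludeMPTCP lets MPTCP connections bypass sing-box and connect directly; when false they are rejected. Linux with nftables, auto_route and auto_redirect only.` The struct starts and ends outside the hunk, and the neighbouring fields are also uncommented, so this is a documentation suggestion only.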
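Review bot: `ExcludeMPTCP: options.ExcludeMPTCP` is forwarded unconditionally in `NewInbound`, while the documentation in this same patch says the option only works on Linux with nftables and with `auto_route` and `auto_redirect` enabled. Unless a check exists outside this hunk, a configuration that sets `exclude_mptcp: true` without `auto_redirect` is accepted and presumably has no effect, so the operator's assumption about how MPTCP traffic is handled would be wrong without any error. Consider rejecting that combination before the options struct is built, i.e. return a configuration error when `options.ExcludeMPTCP && !options.AutoRedirect`. `NewInbound` starts and ends outside the hunk, so this may already be covered elsewhere.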