diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index 7bd481652b43..62f3c8036a8d 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -23,6 +23,7 @@ import (
"github.com/xtls/xray-core/transport/internet"
"github.com/xtls/xray-core/transport/internet/finalmask/fragment"
"github.com/xtls/xray-core/transport/internet/finalmask/header/custom"
+ "github.com/xtls/xray-core/transport/internet/finalmask/rawpacket"
"github.com/xtls/xray-core/transport/internet/finalmask/header/dns"
"github.com/xtls/xray-core/transport/internet/finalmask/header/dtls"
"github.com/xtls/xray-core/transport/internet/finalmask/header/srtp"
@@ -1237,6 +1238,7 @@ var (
tcpmaskLoader = NewJSONConfigLoader(ConfigCreatorCache{
"header-custom": func() interface{} { return new(HeaderCustomTCP) },
"fragment": func() interface{} { return new(FragmentMask) },
+ "rawpacket": func() interface{} { return new(RawpacketMask) },
"sudoku": func() interface{} { return new(Sudoku) },
}, "type", "settings")
@@ -1447,6 +1449,23 @@ func (c *FragmentMask) Build() (proto.Message, error) {
return config, nil
}
+type RawpacketMask struct {
+ Payload string `json:"payload"`
+ Method string `json:"method"`
+ TTL int32 `json:"ttl"`
+ Count int32 `json:"count"`
+}
+
+func (c *RawpacketMask) Build() (proto.Message, error) {
+ config := &rawpacket.Config{
+ Payload: c.Payload,
+ Method: c.Method,
+ Ttl: uint32(c.TTL),
+ Count: c.Count,
+ }
+ return config, nil
+}
+
type NoiseItem struct {
Rand Int32Range `json:"rand"`
RandRange *Int32Range `json:"randRange"`
diff --git a/transport/internet/finalmask/rawpacket/config.go b/transport/internet/finalmask/rawpacket/config.go
new file mode 100644
index 000000000000..e4ee5d717d25
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/config.go
@@ -0,0 +1,14 @@
+package rawpacket
+
+import "net"
+
+func (c *Config) TCP() {}
+
+func (c *Config) WrapConnClient(raw net.Conn) (net.Conn, error) {
+ return NewConnClient(c, raw)
+}
+
+func (c *Config) WrapConnServer(raw net.Conn) (net.Conn, error) {
+ // Raw packet injection is client-side only.
+ return raw, nil
+}
diff --git a/transport/internet/finalmask/rawpacket/config.pb.go b/transport/internet/finalmask/rawpacket/config.pb.go
new file mode 100644
index 000000000000..26f8b63d26ca
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/config.pb.go
@@ -0,0 +1,156 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// protoc-gen-go v1.36.11
+// protoc v6.33.5
+// source: transport/internet/finalmask/rawpacket/config.proto
+
+package rawpacket
+
+import (
+ protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+ protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+ reflect "reflect"
+ sync "sync"
+ unsafe "unsafe"
+)
+
+const (
+ // Verify that this generated code is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+ // Verify that runtime/protoimpl is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Config struct {
+ state protoimpl.MessageState `protogen:"open.v1"`
+ // Base64-encoded fake payload bytes to inject before the real traffic.
+ Payload string `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
+ // Corruption method to make the fake packet dropped by the server.
+ // Available: wrong-sequence, wrong-checksum, wrong-ack, wrong-md5, wrong-timestamp.
+ Method string `protobuf:"bytes,2,opt,name=method,proto3" json:"method,omitempty"`
+ // TTL of the fake packet. A low value (e.g. 3-5) ensures the packet
+ // is seen by middleboxes but does not reach the destination server.
+ Ttl uint32 `protobuf:"varint,3,opt,name=ttl,proto3" json:"ttl,omitempty"`
+ // How many Write() calls trigger injection. 0 or 1 = single-shot (default).
+ Count int32 `protobuf:"varint,4,opt,name=count,proto3" json:"count,omitempty"`
+ unknownFields protoimpl.UnknownFields
+ sizeCache protoimpl.SizeCache
+}
+
+func (x *Config) Reset() {
+ *x = Config{}
+ mi := &file_transport_internet_finalmask_rawpacket_config_proto_msgTypes[0]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+}
+
+func (x *Config) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+ mi := &file_transport_internet_finalmask_rawpacket_config_proto_msgTypes[0]
+ if x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+ return file_transport_internet_finalmask_rawpacket_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Config) GetPayload() string {
+ if x != nil {
+ return x.Payload
+ }
+ return ""
+}
+
+func (x *Config) GetMethod() string {
+ if x != nil {
+ return x.Method
+ }
+ return ""
+}
+
+func (x *Config) GetTtl() uint32 {
+ if x != nil {
+ return x.Ttl
+ }
+ return 0
+}
+
+func (x *Config) GetCount() int32 {
+ if x != nil {
+ return x.Count
+ }
+ return 0
+}
+
+var File_transport_internet_finalmask_rawpacket_config_proto protoreflect.FileDescriptor
+
+const file_transport_internet_finalmask_rawpacket_config_proto_rawDesc = "" +
+ "\n" +
+ "3transport/internet/finalmask/rawpacket/config.proto\x12+xray.transport.internet.finalmask.rawpacket\"b\n" +
+ "\x06Config\x12\x18\n" +
+ "\apayload\x18\x01 \x01(\tR\apayload\x12\x16\n" +
+ "\x06method\x18\x02 \x01(\tR\x06method\x12\x10\n" +
+ "\x03ttl\x18\x03 \x01(\rR\x03ttl\x12\x14\n" +
+ "\x05count\x18\x04 \x01(\x05R\x05countB\xa3\x01\n" +
+ "/com.xray.transport.internet.finalmask.rawpacketP\x01Z@github.com/xtls/xray-core/transport/internet/finalmask/rawpacket\xaa\x02+Xray.Transport.Internet.Finalmask.Rawpacketb\x06proto3"
+
+var (
+ file_transport_internet_finalmask_rawpacket_config_proto_rawDescOnce sync.Once
+ file_transport_internet_finalmask_rawpacket_config_proto_rawDescData []byte
+)
+
+func file_transport_internet_finalmask_rawpacket_config_proto_rawDescGZIP() []byte {
+ file_transport_internet_finalmask_rawpacket_config_proto_rawDescOnce.Do(func() {
+ file_transport_internet_finalmask_rawpacket_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_transport_internet_finalmask_rawpacket_config_proto_rawDesc), len(file_transport_internet_finalmask_rawpacket_config_proto_rawDesc)))
+ })
+ return file_transport_internet_finalmask_rawpacket_config_proto_rawDescData
+}
+
+var file_transport_internet_finalmask_rawpacket_config_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_transport_internet_finalmask_rawpacket_config_proto_goTypes = []any{
+ (*Config)(nil), // 0: xray.transport.internet.finalmask.rawpacket.Config
+}
+var file_transport_internet_finalmask_rawpacket_config_proto_depIdxs = []int32{
+ 0, // [0:0] is the sub-list for method output_type
+ 0, // [0:0] is the sub-list for method input_type
+ 0, // [0:0] is the sub-list for extension type_name
+ 0, // [0:0] is the sub-list for extension extendee
+ 0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_transport_internet_finalmask_rawpacket_config_proto_init() }
+func file_transport_internet_finalmask_rawpacket_config_proto_init() {
+ if File_transport_internet_finalmask_rawpacket_config_proto != nil {
+ return
+ }
+ type x struct{}
+ out := protoimpl.TypeBuilder{
+ File: protoimpl.DescBuilder{
+ GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+ RawDescriptor: unsafe.Slice(unsafe.StringData(file_transport_internet_finalmask_rawpacket_config_proto_rawDesc), len(file_transport_internet_finalmask_rawpacket_config_proto_rawDesc)),
+ NumEnums: 0,
+ NumMessages: 1,
+ NumExtensions: 0,
+ NumServices: 0,
+ },
+ GoTypes: file_transport_internet_finalmask_rawpacket_config_proto_goTypes,
+ DependencyIndexes: file_transport_internet_finalmask_rawpacket_config_proto_depIdxs,
+ MessageInfos: file_transport_internet_finalmask_rawpacket_config_proto_msgTypes,
+ }.Build()
+ File_transport_internet_finalmask_rawpacket_config_proto = out.File
+ file_transport_internet_finalmask_rawpacket_config_proto_goTypes = nil
+ file_transport_internet_finalmask_rawpacket_config_proto_depIdxs = nil
+}
diff --git a/transport/internet/finalmask/rawpacket/config.proto b/transport/internet/finalmask/rawpacket/config.proto
new file mode 100644
index 000000000000..f6b3e8dcb10e
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/config.proto
@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package xray.transport.internet.finalmask.rawpacket;
+option csharp_namespace = "Xray.Transport.Internet.Finalmask.Rawpacket";
+option go_package = "github.com/xtls/xray-core/transport/internet/finalmask/rawpacket";
+option java_package = "com.xray.transport.internet.finalmask.rawpacket";
+option java_multiple_files = true;
+
+message Config {
+ // Base64-encoded fake payload bytes to inject before the real traffic.
+ string payload = 1;
+
+ // Corruption method to make the fake packet dropped by the server.
+ // Available: wrong-sequence, wrong-checksum, wrong-ack, wrong-md5, wrong-timestamp.
+ string method = 2;
+
+ // TTL of the fake packet. A low value (e.g. 3-5) ensures the packet
+ // is seen by middleboxes but does not reach the destination server.
+ uint32 ttl = 3;
+
+ // How many Write() calls trigger injection. 0 or 1 = single-shot (default).
+ int32 count = 4;
+}
diff --git a/transport/internet/finalmask/rawpacket/conn.go b/transport/internet/finalmask/rawpacket/conn.go
new file mode 100644
index 000000000000..188b145ea2f7
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/conn.go
@@ -0,0 +1,170 @@
+package rawpacket
+
+import (
+ "encoding/base64"
+ "errors"
+ "fmt"
+ "net"
+ "runtime"
+ "syscall"
+)
+
+type Method int
+
+const (
+ MethodWrongSequence Method = iota
+ MethodWrongChecksum
+ MethodWrongAcknowledgment
+ MethodWrongMD5Sig
+ MethodWrongTimestamp
+)
+
+const (
+ MethodNameWrongSequence = "wrong-sequence"
+ MethodNameWrongChecksum = "wrong-checksum"
+ MethodNameWrongAcknowledgment = "wrong-ack"
+ MethodNameWrongMD5Sig = "wrong-md5"
+ MethodNameWrongTimestamp = "wrong-timestamp"
+)
+
+func ParseMethod(s string) (Method, error) {
+ switch s {
+ case "", MethodNameWrongSequence:
+ return MethodWrongSequence, nil
+ case MethodNameWrongChecksum:
+ return MethodWrongChecksum, nil
+ case MethodNameWrongAcknowledgment:
+ return MethodWrongAcknowledgment, nil
+ case MethodNameWrongMD5Sig:
+ return MethodWrongMD5Sig, nil
+ case MethodNameWrongTimestamp:
+ return MethodWrongTimestamp, nil
+ default:
+ return 0, fmt.Errorf("rawpacket: unknown method: %s", s)
+ }
+}
+
+func (m Method) String() string {
+ switch m {
+ case MethodWrongSequence:
+ return MethodNameWrongSequence
+ case MethodWrongChecksum:
+ return MethodNameWrongChecksum
+ case MethodWrongAcknowledgment:
+ return MethodNameWrongAcknowledgment
+ case MethodWrongMD5Sig:
+ return MethodNameWrongMD5Sig
+ case MethodWrongTimestamp:
+ return MethodNameWrongTimestamp
+ default:
+ return "unknown"
+ }
+}
+
+type rawSpoofer interface {
+ Inject(payload []byte) error
+ Close() error
+}
+
+type Conn struct {
+ net.Conn
+ spoofer rawSpoofer
+ fakePayload []byte
+ injectionCount int
+ maxInjections int
+}
+
+func NewConnClient(cfg *Config, conn net.Conn) (net.Conn, error) {
+ if cfg.Payload == "" {
+ return conn, nil
+ }
+ if !PlatformSupported {
+ return nil, errors.New("rawpacket is not supported on this platform")
+ }
+ payload, err := base64.StdEncoding.DecodeString(cfg.Payload)
+ if err != nil {
+ return nil, fmt.Errorf("rawpacket: invalid base64 payload: %w", err)
+ }
+ if len(payload) == 0 {
+ return nil, errors.New("rawpacket: payload is empty")
+ }
+ method, err := ParseMethod(cfg.Method)
+ if err != nil {
+ return nil, err
+ }
+ ttl := uint8(cfg.Ttl)
+ if ttl == 0 {
+ ttl = 3
+ }
+ spoofer, err := newRawSpoofer(conn, method, ttl)
+ if err != nil {
+ return nil, wrapPermissionError(err)
+ }
+ maxInjections := int(cfg.Count)
+ if maxInjections <= 0 {
+ maxInjections = 1
+ }
+ return &Conn{
+ Conn: conn,
+ spoofer: spoofer,
+ fakePayload: payload,
+ maxInjections: maxInjections,
+ }, nil
+}
+
+func NewConnServer(_ *Config, conn net.Conn) (net.Conn, error) {
+ return conn, nil
+}
+
+func (c *Conn) Write(b []byte) (n int, err error) {
+ if c.injectionCount >= c.maxInjections {
+ return c.Conn.Write(b)
+ }
+ err = c.spoofer.Inject(c.fakePayload)
+ if err != nil {
+ return 0, fmt.Errorf("rawpacket: inject: %w", err)
+ }
+ c.injectionCount++
+ if c.injectionCount >= c.maxInjections {
+ closeErr := c.spoofer.Close()
+ if closeErr != nil {
+ return 0, fmt.Errorf("rawpacket: close spoofer: %w", closeErr)
+ }
+ }
+ return c.Conn.Write(b)
+}
+
+func (c *Conn) Close() error {
+ connErr := c.Conn.Close()
+ spooferErr := c.spoofer.Close()
+ if connErr != nil {
+ return connErr
+ }
+ return spooferErr
+}
+
+func (c *Conn) TcpMaskConn() {}
+
+func (c *Conn) RawConn() net.Conn {
+ return c.Conn
+}
+
+func (c *Conn) Splice() bool {
+ return c.injectionCount >= c.maxInjections
+}
+
+func wrapPermissionError(err error) error {
+ if !errors.Is(err, syscall.EPERM) && !errors.Is(err, syscall.EACCES) {
+ return err
+ }
+ switch runtime.GOOS {
+ case "linux":
+ return fmt.Errorf("%w\n Hint: run as root, or grant capabilities:\n sudo setcap cap_net_raw,cap_net_admin+ep /path/to/xray", err)
+ case "darwin":
+ return fmt.Errorf("%w\n Hint: rawpacket requires root on macOS. Run with: sudo ./xray", err)
+ case "freebsd":
+ return fmt.Errorf("%w\n Hint: rawpacket requires root on FreeBSD. Run with: sudo ./xray", err)
+ default:
+ return err
+ }
+}
diff --git a/transport/internet/finalmask/rawpacket/conn_test.go b/transport/internet/finalmask/rawpacket/conn_test.go
new file mode 100644
index 000000000000..ab77ae584e26
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/conn_test.go
@@ -0,0 +1,46 @@
+package rawpacket
+
+import (
+ "testing"
+)
+
+func TestParseMethod(t *testing.T) {
+ tests := []struct {
+ input string
+ expected Method
+ hasErr bool
+ }{
+ {"", MethodWrongSequence, false},
+ {"wrong-sequence", MethodWrongSequence, false},
+ {"wrong-checksum", MethodWrongChecksum, false},
+ {"wrong-ack", MethodWrongAcknowledgment, false},
+ {"wrong-md5", MethodWrongMD5Sig, false},
+ {"wrong-timestamp", MethodWrongTimestamp, false},
+ {"invalid", 0, true},
+ }
+ for _, tt := range tests {
+ m, err := ParseMethod(tt.input)
+ if tt.hasErr {
+ if err == nil {
+ t.Errorf("ParseMethod(%q): expected error, got nil", tt.input)
+ }
+ continue
+ }
+ if err != nil {
+ t.Errorf("ParseMethod(%q): unexpected error: %v", tt.input, err)
+ continue
+ }
+ if m != tt.expected {
+ t.Errorf("ParseMethod(%q) = %v, want %v", tt.input, m, tt.expected)
+ }
+ }
+}
+
+func TestMethodString(t *testing.T) {
+ if MethodWrongSequence.String() != "wrong-sequence" {
+ t.Fatalf("unexpected method string: %s", MethodWrongSequence.String())
+ }
+ if MethodWrongChecksum.String() != "wrong-checksum" {
+ t.Fatalf("unexpected method string: %s", MethodWrongChecksum.String())
+ }
+}
diff --git a/transport/internet/finalmask/rawpacket/endpoints.go b/transport/internet/finalmask/rawpacket/endpoints.go
new file mode 100644
index 000000000000..6c7107eb3987
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/endpoints.go
@@ -0,0 +1,27 @@
+package rawpacket
+
+import (
+ "net"
+ "net/netip"
+
+ "errors"
+)
+
+// The returned addresses are v4-unmapped and share the same family.
+func tcpEndpoints(conn net.Conn) (*net.TCPConn, netip.AddrPort, netip.AddrPort, error) {
+ tcpConn, isTCP := conn.(*net.TCPConn)
+ if !isTCP {
+ return nil, netip.AddrPort{}, netip.AddrPort{}, errors.New("rawpacket: underlying conn is not *net.TCPConn")
+ }
+ local := tcpConn.LocalAddr().(*net.TCPAddr).AddrPort()
+ remote := tcpConn.RemoteAddr().(*net.TCPAddr).AddrPort()
+ if !local.IsValid() || !remote.IsValid() {
+ return nil, netip.AddrPort{}, netip.AddrPort{}, errors.New("rawpacket: invalid conn address")
+ }
+ local = netip.AddrPortFrom(local.Addr().Unmap(), local.Port())
+ remote = netip.AddrPortFrom(remote.Addr().Unmap(), remote.Port())
+ if local.Addr().Is4() != remote.Addr().Is4() {
+ return nil, netip.AddrPort{}, netip.AddrPort{}, errors.New("rawpacket: local/remote address family mismatch")
+ }
+ return tcpConn, local, remote, nil
+}
diff --git a/transport/internet/finalmask/rawpacket/packet.go b/transport/internet/finalmask/rawpacket/packet.go
new file mode 100644
index 000000000000..914dc04760b8
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/packet.go
@@ -0,0 +1,163 @@
+package rawpacket
+
+import (
+ "encoding/binary"
+ "net/netip"
+
+ "fmt"
+)
+
+const (
+ defaultWindowSize uint16 = 0xFFFF
+ tcpHeaderLen = TCPMinimumSize
+
+ tcpOptionMD5Signature = 19
+ tcpOptionMD5SignatureLength = 18
+ tcpTimestampBackdate = 3600000
+)
+
+type spoofPacketInfo struct {
+ seqNum uint32
+ ackNum uint32
+ corrupt bool
+ options []byte
+}
+
+func buildTCPSegment(
+ src netip.AddrPort,
+ dst netip.AddrPort,
+ packetInfo spoofPacketInfo,
+ payload []byte,
+ ttl uint8,
+) []byte {
+ if src.Addr().Is4() != dst.Addr().Is4() {
+ panic("rawpacket: mixed IPv4/IPv6 address family")
+ }
+ var (
+ frame []byte
+ ipHeaderLen int
+ )
+ ipPayloadLen := tcpHeaderLen + len(packetInfo.options) + len(payload)
+ if src.Addr().Is4() {
+ ipHeaderLen = IPv4MinimumSize
+ frame = make([]byte, ipHeaderLen+ipPayloadLen)
+ ip := IPv4(frame[:ipHeaderLen])
+ ip.Encode(uint16(len(frame)), 0, ttl, TCPProtocolNumber, src.Addr(), dst.Addr())
+ } else {
+ ipHeaderLen = IPv6MinimumSize
+ frame = make([]byte, ipHeaderLen+ipPayloadLen)
+ ip := IPv6(frame[:ipHeaderLen])
+ ip.Encode(uint16(ipPayloadLen), TCPProtocolNumber, ttl, src.Addr(), dst.Addr())
+ }
+ encodeTCP(frame, ipHeaderLen, src, dst, packetInfo, payload)
+ return frame
+}
+
+func encodeTCP(frame []byte, ipHeaderLen int, src, dst netip.AddrPort, packetInfo spoofPacketInfo, payload []byte) {
+ tcp := TCP(frame[ipHeaderLen:])
+ copy(frame[ipHeaderLen+tcpHeaderLen:], packetInfo.options)
+ optionsLen := len(packetInfo.options)
+ copy(frame[ipHeaderLen+tcpHeaderLen+optionsLen:], payload)
+ tcp.Encode(src.Port(), dst.Port(), packetInfo.seqNum, packetInfo.ackNum, uint8(tcpHeaderLen+optionsLen), TCPFlagAck|TCPFlagPsh, defaultWindowSize)
+ applyTCPChecksum(tcp, src.Addr(), dst.Addr(), payload, packetInfo.corrupt)
+}
+
+func buildSpoofFrame(method Method, src, dst netip.AddrPort, sendNext, receiveNext, timestamp uint32, tcpOptions, payload []byte, ttl uint8) ([]byte, error) {
+ packetInfo, err := resolveSpoofPacketInfo(method, sendNext, receiveNext, timestamp, tcpOptions, payload)
+ if err != nil {
+ return nil, err
+ }
+ return buildTCPSegment(src, dst, packetInfo, payload, ttl), nil
+}
+
+// buildSpoofTCPSegment returns a TCP segment without an IP header, for
+// platforms where the kernel synthesises the IP header (darwin IPv6).
+func buildSpoofTCPSegment(method Method, src, dst netip.AddrPort, sendNext, receiveNext, timestamp uint32, payload []byte) ([]byte, error) {
+ packetInfo, err := resolveSpoofPacketInfo(method, sendNext, receiveNext, timestamp, nil, payload)
+ if err != nil {
+ return nil, err
+ }
+ segment := make([]byte, tcpHeaderLen+len(packetInfo.options)+len(payload))
+ encodeTCP(segment, 0, src, dst, packetInfo, payload)
+ return segment, nil
+}
+
+func resolveSpoofPacketInfo(method Method, sendNext, receiveNext, timestamp uint32, tcpOptions, payload []byte) (spoofPacketInfo, error) {
+ packetInfo := spoofPacketInfo{seqNum: sendNext, ackNum: receiveNext}
+ switch method {
+ case MethodWrongSequence:
+ packetInfo.seqNum = sendNext - uint32(len(payload))
+ case MethodWrongChecksum:
+ packetInfo.corrupt = true
+ case MethodWrongAcknowledgment:
+ packetInfo.ackNum = receiveNext - uint32(defaultWindowSize/2)
+ case MethodWrongMD5Sig:
+ packetInfo.options = buildMD5SignatureOptions()
+ case MethodWrongTimestamp:
+ packetInfo.options = buildWrongTimestampOptions(timestamp, tcpOptions)
+ default:
+ return packetInfo, fmt.Errorf("rawpacket: unknown method %v", method)
+ }
+ return packetInfo, nil
+}
+
+func buildMD5SignatureOptions() []byte {
+ options := make([]byte, tcpOptionMD5SignatureLength+2)
+ options[0] = tcpOptionMD5Signature
+ options[1] = tcpOptionMD5SignatureLength
+ return options
+}
+
+func buildWrongTimestampOptions(timestamp uint32, tcpOptions []byte) []byte {
+ spoofedTimestamp := timestamp
+ if spoofedTimestamp > tcpTimestampBackdate {
+ spoofedTimestamp -= tcpTimestampBackdate
+ } else {
+ spoofedTimestamp = 0
+ }
+ if rewriteTCPOptionTimestamp(tcpOptions, spoofedTimestamp) {
+ return tcpOptions
+ }
+ options := make([]byte, TCPOptionTSLength+2)
+ EncodeTSOption(spoofedTimestamp, 0, options)
+ return options
+}
+
+// rewriteTCPOptionTimestamp finds the TS option in tcpOptions and writes
+// timestamp into its TSVal field in place. The caller must own tcpOptions
+// (parseTCPPacket already returns a private copy on Windows).
+func rewriteTCPOptionTimestamp(tcpOptions []byte, timestamp uint32) bool {
+ for i := 0; i < len(tcpOptions); {
+ switch tcpOptions[i] {
+ case TCPOptionEOL:
+ return false
+ case TCPOptionNOP:
+ i++
+ continue
+ }
+ if i+1 >= len(tcpOptions) {
+ return false
+ }
+ optionLen := int(tcpOptions[i+1])
+ if optionLen < 2 || i+optionLen > len(tcpOptions) {
+ return false
+ }
+ if tcpOptions[i] == TCPOptionTS && optionLen == TCPOptionTSLength {
+ binary.BigEndian.PutUint32(tcpOptions[i+2:], timestamp)
+ return true
+ }
+ i += optionLen
+ }
+ return false
+}
+
+func applyTCPChecksum(tcp TCP, srcAddr, dstAddr netip.Addr, payload []byte, corrupt bool) {
+ tcpLen := int(tcp.DataOffset()) + len(payload)
+ pseudo := PseudoHeaderChecksum(TCPProtocolNumber, srcAddr.AsSlice(), dstAddr.AsSlice(), uint16(tcpLen))
+ payloadChecksum := Checksum(payload, 0)
+ tcpChecksum := ^tcp.CalculateChecksum(CombineChecksum(pseudo, payloadChecksum))
+ if corrupt {
+ tcpChecksum ^= 0xFFFF
+ }
+ tcp.SetChecksum(tcpChecksum)
+}
diff --git a/transport/internet/finalmask/rawpacket/raw_darwin.go b/transport/internet/finalmask/rawpacket/raw_darwin.go
new file mode 100644
index 000000000000..1b2335565ae2
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/raw_darwin.go
@@ -0,0 +1,200 @@
+package rawpacket
+
+import (
+ "encoding/binary"
+ "net"
+ "net/netip"
+ "strconv"
+ "strings"
+ "sync"
+ "syscall"
+
+ "errors"
+ "fmt"
+
+ "golang.org/x/sys/unix"
+)
+
+const PlatformSupported = true
+
+// Offsets into xinpcb_n within each net.inet.tcp.pcblist_n record, identical
+// to the values used by common/process/searcher_darwin_shared.go.
+const (
+ darwinXinpgenSize = 24
+ darwinXsocketOffset = 104
+ darwinXinpcbForeignPort = 16
+ darwinXinpcbLocalPort = 18
+ darwinXinpcbVFlag = 44
+ darwinXinpcbForeignAddr = 48
+ darwinXinpcbLocalAddr = 64
+ darwinXinpcbIPv4Offset = 12
+
+ darwinTCPExtraSize = 208
+
+ darwinXtcpcbSndNxtOffset = 56
+ darwinXtcpcbRcvNxtOffset = 80
+)
+
+// darwinStructSize returns the size of xinpcb_n for the running Darwin kernel.
+// Darwin 22 (macOS 13 Ventura) grew the struct from 384 to 408 bytes; there is
+// no ABI-stable way to read it, so we key off the kernel version.
+var darwinStructSize = sync.OnceValues(func() (int, error) {
+ value, err := syscall.Sysctl("kern.osrelease")
+ if err != nil {
+ return 0, fmt.Errorf("sysctl kern.osrelease: %w", err)
+ }
+ major, _, ok := strings.Cut(value, ".")
+ if !ok {
+ return 0, fmt.Errorf("unexpected kern.osrelease format: %s", value)
+ }
+ n, err := strconv.ParseInt(major, 10, 64)
+ if err != nil {
+ return 0, fmt.Errorf("parse kern.osrelease major version: : %w", err)
+ }
+ if n >= 22 {
+ return 408, nil
+ }
+ return 384, nil
+})
+
+type darwinSpoofer struct {
+ method Method
+ src netip.AddrPort
+ dst netip.AddrPort
+ rawFD int
+ rawSockAddr unix.Sockaddr
+ sendNext uint32
+ receiveNext uint32
+ ttl uint8
+}
+
+func newRawSpoofer(conn net.Conn, method Method, ttl uint8) (rawSpoofer, error) {
+ if method == MethodWrongTimestamp {
+ return nil, errors.New("rawpacket: wrong-timestamp is not supported on macOS")
+ }
+ _, src, dst, err := tcpEndpoints(conn)
+ if err != nil {
+ return nil, err
+ }
+ fd, sockaddr, err := openDarwinRawSocket(src, dst)
+ if err != nil {
+ return nil, err
+ }
+ sendNext, receiveNext, err := readDarwinTCPSequence(src, dst)
+ if err != nil {
+ unix.Close(fd)
+ return nil, err
+ }
+ return &darwinSpoofer{
+ method: method,
+ src: src,
+ dst: dst,
+ rawFD: fd,
+ rawSockAddr: sockaddr,
+ sendNext: sendNext,
+ receiveNext: receiveNext,
+ ttl: ttl,
+ }, nil
+}
+
+// readDarwinTCPSequence scans net.inet.tcp.pcblist_n for the PCB that matches
+// src -> dst and returns (snd_nxt, rcv_nxt). These live in xtcpcb_n at the end
+// of each record; see darwin-xnu bsd/netinet/in_pcblist.c:get_pcblist_n.
+func readDarwinTCPSequence(src, dst netip.AddrPort) (uint32, uint32, error) {
+ buffer, err := unix.SysctlRaw("net.inet.tcp.pcblist_n")
+ if err != nil {
+ return 0, 0, fmt.Errorf("sysctl net.inet.tcp.pcblist_n: %w", err)
+ }
+ structSize, err := darwinStructSize()
+ if err != nil {
+ return 0, 0, err
+ }
+ itemSize := structSize + darwinTCPExtraSize
+ for i := darwinXinpgenSize; i+itemSize <= len(buffer); i += itemSize {
+ inpcb := buffer[i : i+darwinXsocketOffset]
+ xtcpcb := buffer[i+structSize : i+itemSize]
+ localPort := binary.BigEndian.Uint16(inpcb[darwinXinpcbLocalPort : darwinXinpcbLocalPort+2])
+ remotePort := binary.BigEndian.Uint16(inpcb[darwinXinpcbForeignPort : darwinXinpcbForeignPort+2])
+ if localPort != src.Port() || remotePort != dst.Port() {
+ continue
+ }
+ versionFlag := inpcb[darwinXinpcbVFlag]
+ var localAddr, remoteAddr netip.Addr
+ switch {
+ case versionFlag&0x1 != 0:
+ localAddr = netip.AddrFrom4([4]byte(inpcb[darwinXinpcbLocalAddr+darwinXinpcbIPv4Offset : darwinXinpcbLocalAddr+darwinXinpcbIPv4Offset+4]))
+ remoteAddr = netip.AddrFrom4([4]byte(inpcb[darwinXinpcbForeignAddr+darwinXinpcbIPv4Offset : darwinXinpcbForeignAddr+darwinXinpcbIPv4Offset+4]))
+ case versionFlag&0x2 != 0:
+ localAddr = netip.AddrFrom16([16]byte(inpcb[darwinXinpcbLocalAddr : darwinXinpcbLocalAddr+16]))
+ remoteAddr = netip.AddrFrom16([16]byte(inpcb[darwinXinpcbForeignAddr : darwinXinpcbForeignAddr+16]))
+ default:
+ continue
+ }
+ if localAddr.Unmap() != src.Addr() || remoteAddr.Unmap() != dst.Addr() {
+ continue
+ }
+ sendNext := binary.NativeEndian.Uint32(xtcpcb[darwinXtcpcbSndNxtOffset : darwinXtcpcbSndNxtOffset+4])
+ receiveNext := binary.NativeEndian.Uint32(xtcpcb[darwinXtcpcbRcvNxtOffset : darwinXtcpcbRcvNxtOffset+4])
+ return sendNext, receiveNext, nil
+ }
+ return 0, 0, fmt.Errorf("rawpacket: connection %v->%v not found in pcblist_n", src, dst)
+}
+
+func openDarwinRawSocket(src, dst netip.AddrPort) (int, unix.Sockaddr, error) {
+ if dst.Addr().Is4() {
+ return openIPv4RawSocket(dst)
+ }
+ // macOS does not accept IPV6_HDRINCL on AF_INET6 SOCK_RAW IPPROTO_TCP
+ // sockets, so the kernel builds the IPv6 header itself. Bind to the real
+ // connection's source address so in6_selectsrc returns it, and rely on
+ // in6p_cksum defaulting to -1 so the user-supplied TCP checksum is
+ // preserved (including deliberately corrupted ones).
+ fd, err := unix.Socket(unix.AF_INET6, unix.SOCK_RAW, unix.IPPROTO_TCP)
+ if err != nil {
+ return -1, nil, fmt.Errorf("open AF_INET6 SOCK_RAW: %w", err)
+ }
+ err = unix.Bind(fd, &unix.SockaddrInet6{Addr: src.Addr().As16()})
+ if err != nil {
+ unix.Close(fd)
+ return -1, nil, fmt.Errorf("bind AF_INET6 SOCK_RAW: %w", err)
+ }
+ sockaddr := &unix.SockaddrInet6{Port: int(dst.Port()), Addr: dst.Addr().As16()}
+ return fd, sockaddr, nil
+}
+
+func (s *darwinSpoofer) Inject(payload []byte) error {
+ if !s.src.Addr().Is4() {
+ segment, err := buildSpoofTCPSegment(s.method, s.src, s.dst, s.sendNext, s.receiveNext, 0, payload)
+ if err != nil {
+ return err
+ }
+ err = unix.Sendto(s.rawFD, segment, 0, s.rawSockAddr)
+ if err != nil {
+ return fmt.Errorf("sendto raw socket: %w", err)
+ }
+ return nil
+ }
+ frame, err := buildSpoofFrame(s.method, s.src, s.dst, s.sendNext, s.receiveNext, 0, nil, payload, s.ttl)
+ if err != nil {
+ return err
+ }
+ // Darwin inherits the historical BSD quirk: with IP_HDRINCL the kernel
+ // expects ip_len and ip_off in host byte order, not network byte order.
+ ip := IPv4(frame)
+ binary.NativeEndian.PutUint16(ip[2:4], ip.TotalLength())
+ binary.NativeEndian.PutUint16(ip[6:8], uint16(ip.Flags())<<13|ip.FragmentOffset())
+ err = unix.Sendto(s.rawFD, frame, 0, s.rawSockAddr)
+ if err != nil {
+ return fmt.Errorf("sendto raw socket: %w", err)
+ }
+ return nil
+}
+
+func (s *darwinSpoofer) Close() error {
+ if s.rawFD < 0 {
+ return nil
+ }
+ err := unix.Close(s.rawFD)
+ s.rawFD = -1
+ return err
+}
diff --git a/transport/internet/finalmask/rawpacket/raw_freebsd.go b/transport/internet/finalmask/rawpacket/raw_freebsd.go
new file mode 100644
index 000000000000..b3d2e13492a8
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/raw_freebsd.go
@@ -0,0 +1,174 @@
+package rawpacket
+
+import (
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "net"
+ "net/netip"
+ "syscall"
+ "unsafe"
+
+ "golang.org/x/sys/unix"
+)
+
+const PlatformSupported = true
+
+// FreeBSD tcp_info offsets for snd_nxt and rcv_nxt.
+// Derived from FreeBSD sys/netinet/tcp.h struct tcp_info layout.
+//
+// struct tcp_info {
+// u8 state, __ca, __retrans, __probes, __backoff, opts, wscale = 8 bytes (with pad)
+// u32 rto, __ato, snd_mss, rcv_mss = 16 bytes (offset 8)
+// u32 __unacked, __sacked, __lost, __retrans, __fackets = 20 bytes (offset 24)
+// u32 __last_data_sent, __last_ack_sent, last_data_recv, __last_ack_recv = 16 bytes (offset 44)
+// u32 __pmtu, __rcv_ssthresh, rtt, rttvar, snd_ssthresh, snd_cwnd, __advmss, __reordering = 32 bytes (offset 60)
+// u32 __rcv_rtt, rcv_space = 8 bytes (offset 92)
+// u32 snd_wnd, snd_bwnd = 8 bytes (offset 100)
+// u32 snd_nxt, rcv_nxt = 8 bytes (offset 108)
+// ... remaining fields
+// }
+const (
+ freebsdTCPInfoSndNxtOffset = 108
+ freebsdTCPInfoRcvNxtOffset = 112
+ freebsdTCPInfoMinSize = 116 // must read at least through rcv_nxt
+)
+
+type freebsdSpoofer struct {
+ method Method
+ src netip.AddrPort
+ dst netip.AddrPort
+ rawFD int
+ rawSockAddr unix.Sockaddr
+ sendNext uint32
+ receiveNext uint32
+ ttl uint8
+}
+
+func newRawSpoofer(conn net.Conn, method Method, ttl uint8) (rawSpoofer, error) {
+ if method == MethodWrongTimestamp {
+ return nil, errors.New("rawpacket: wrong-timestamp is not supported on FreeBSD")
+ }
+ tcpConn, src, dst, err := tcpEndpoints(conn)
+ if err != nil {
+ return nil, err
+ }
+ fd, sockaddr, err := openFreeBSDRawSocket(src, dst)
+ if err != nil {
+ return nil, err
+ }
+ sendNext, receiveNext, err := readFreeBSDTCPSequence(tcpConn)
+ if err != nil {
+ unix.Close(fd)
+ return nil, err
+ }
+ return &freebsdSpoofer{
+ method: method,
+ src: src,
+ dst: dst,
+ rawFD: fd,
+ rawSockAddr: sockaddr,
+ sendNext: sendNext,
+ receiveNext: receiveNext,
+ ttl: ttl,
+ }, nil
+}
+
+// readFreeBSDTCPSequence retrieves snd_nxt and rcv_nxt via TCP_INFO getsockopt.
+func readFreeBSDTCPSequence(conn *net.TCPConn) (uint32, uint32, error) {
+ raw, err := conn.SyscallConn()
+ if err != nil {
+ return 0, 0, fmt.Errorf("rawpacket: SyscallConn: %w", err)
+ }
+ var sendNext, receiveNext uint32
+ var sockErr error
+ err = raw.Control(func(fd uintptr) {
+ buf := make([]byte, 256) // generous buffer for tcp_info
+ bufLen := uint32(len(buf))
+ _, _, errno := syscall.Syscall6(
+ syscall.SYS_GETSOCKOPT,
+ fd,
+ uintptr(syscall.IPPROTO_TCP),
+ uintptr(0x20), // TCP_INFO = 0x20
+ uintptr(unsafe.Pointer(&buf[0])),
+ uintptr(unsafe.Pointer(&bufLen)),
+ 0,
+ )
+ if errno != 0 {
+ sockErr = fmt.Errorf("rawpacket: getsockopt TCP_INFO: %w", errno)
+ return
+ }
+ if bufLen < freebsdTCPInfoMinSize {
+ sockErr = fmt.Errorf("rawpacket: TCP_INFO too short: %d < %d", bufLen, freebsdTCPInfoMinSize)
+ return
+ }
+ sendNext = binary.NativeEndian.Uint32(buf[freebsdTCPInfoSndNxtOffset : freebsdTCPInfoSndNxtOffset+4])
+ receiveNext = binary.NativeEndian.Uint32(buf[freebsdTCPInfoRcvNxtOffset : freebsdTCPInfoRcvNxtOffset+4])
+ })
+ if err != nil {
+ return 0, 0, err
+ }
+ if sockErr != nil {
+ return 0, 0, sockErr
+ }
+ return sendNext, receiveNext, nil
+}
+
+func openFreeBSDRawSocket(src, dst netip.AddrPort) (int, unix.Sockaddr, error) {
+ if dst.Addr().Is4() {
+ return openIPv4RawSocket(dst)
+ }
+ // FreeBSD, like macOS, does not support IPV6_HDRINCL on SOCK_RAW/IPPROTO_TCP.
+ // The kernel constructs the IPv6 header. Bind to the source address
+ // and let the kernel fill in the IPv6 header automatically.
+ fd, err := unix.Socket(unix.AF_INET6, unix.SOCK_RAW, unix.IPPROTO_TCP)
+ if err != nil {
+ return -1, nil, fmt.Errorf("rawpacket: open AF_INET6 SOCK_RAW: %w", err)
+ }
+ err = unix.Bind(fd, &unix.SockaddrInet6{Addr: src.Addr().As16()})
+ if err != nil {
+ unix.Close(fd)
+ return -1, nil, fmt.Errorf("rawpacket: bind AF_INET6 SOCK_RAW: %w", err)
+ }
+ sockaddr := &unix.SockaddrInet6{Port: int(dst.Port()), Addr: dst.Addr().As16()}
+ return fd, sockaddr, nil
+}
+
+func (s *freebsdSpoofer) Inject(payload []byte) error {
+ if !s.src.Addr().Is4() {
+ // IPv6: kernel builds the IP header, we supply TCP segment only.
+ segment, err := buildSpoofTCPSegment(s.method, s.src, s.dst, s.sendNext, s.receiveNext, 0, payload)
+ if err != nil {
+ return err
+ }
+ err = unix.Sendto(s.rawFD, segment, 0, s.rawSockAddr)
+ if err != nil {
+ return fmt.Errorf("rawpacket: sendto raw socket: %w", err)
+ }
+ return nil
+ }
+ // IPv4: we build the full IP+TCP frame with IP_HDRINCL.
+ frame, err := buildSpoofFrame(s.method, s.src, s.dst, s.sendNext, s.receiveNext, 0, nil, payload, s.ttl)
+ if err != nil {
+ return err
+ }
+ // FreeBSD inherits the historical BSD quirk: with IP_HDRINCL the kernel
+ // expects ip_len and ip_off in host byte order, not network byte order.
+ ip := IPv4(frame)
+ binary.NativeEndian.PutUint16(ip[2:4], ip.TotalLength())
+ binary.NativeEndian.PutUint16(ip[6:8], uint16(ip.Flags())<<13|ip.FragmentOffset())
+ err = unix.Sendto(s.rawFD, frame, 0, s.rawSockAddr)
+ if err != nil {
+ return fmt.Errorf("rawpacket: sendto raw socket: %w", err)
+ }
+ return nil
+}
+
+func (s *freebsdSpoofer) Close() error {
+ if s.rawFD < 0 {
+ return nil
+ }
+ err := unix.Close(s.rawFD)
+ s.rawFD = -1
+ return err
+}
diff --git a/transport/internet/finalmask/rawpacket/raw_linux.go b/transport/internet/finalmask/rawpacket/raw_linux.go
new file mode 100644
index 000000000000..1de3ff862839
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/raw_linux.go
@@ -0,0 +1,168 @@
+package rawpacket
+
+import (
+ "fmt"
+ "net"
+ "net/netip"
+
+ "golang.org/x/sys/unix"
+)
+
+const PlatformSupported = true
+
+const (
+ // Values of enum { TCP_NO_QUEUE, TCP_RECV_QUEUE, TCP_SEND_QUEUE } from
+ // include/net/tcp.h; not exported by golang.org/x/sys/unix.
+ tcpRecvQueue = 1
+ tcpSendQueue = 2
+)
+
+type linuxSpoofer struct {
+ method Method
+ src netip.AddrPort
+ dst netip.AddrPort
+ rawFD int
+ rawSockAddr unix.Sockaddr
+ sendNext uint32
+ receiveNext uint32
+ timestamp uint32
+ ttl uint8
+}
+
+func newRawSpoofer(conn net.Conn, method Method, ttl uint8) (rawSpoofer, error) {
+ tcpConn, src, dst, err := tcpEndpoints(conn)
+ if err != nil {
+ return nil, err
+ }
+ fd, sockaddr, err := openLinuxRawSocket(dst)
+ if err != nil {
+ return nil, err
+ }
+ spoofer := &linuxSpoofer{
+ method: method,
+ src: src,
+ dst: dst,
+ rawFD: fd,
+ rawSockAddr: sockaddr,
+ ttl: ttl,
+ }
+ err = spoofer.loadSequenceNumbers(tcpConn)
+ if err != nil {
+ unix.Close(fd)
+ return nil, err
+ }
+ return spoofer, nil
+}
+
+func openLinuxRawSocket(dst netip.AddrPort) (int, unix.Sockaddr, error) {
+ if dst.Addr().Is4() {
+ return openIPv4RawSocket(dst)
+ }
+ fd, err := unix.Socket(unix.AF_INET6, unix.SOCK_RAW, unix.IPPROTO_TCP)
+ if err != nil {
+ return -1, nil, fmt.Errorf("open AF_INET6 SOCK_RAW: %w", err)
+ }
+ err = unix.SetsockoptInt(fd, unix.IPPROTO_IPV6, unix.IPV6_HDRINCL, 1)
+ if err != nil {
+ unix.Close(fd)
+ return -1, nil, fmt.Errorf("set IPV6_HDRINCL: %w", err)
+ }
+ // Linux raw IPv6 sockets interpret sin6_port as a nexthdr protocol number
+ // (see raw(7)); any value other than 0 or the socket's IPPROTO_TCP causes
+ // sendto to fail with EINVAL. The destination is already encoded in the
+ // user-supplied IPv6 header under IPV6_HDRINCL.
+ sockaddr := &unix.SockaddrInet6{Addr: dst.Addr().As16()}
+ return fd, sockaddr, nil
+}
+
+// loadSequenceNumbers puts the socket briefly into TCP_REPAIR mode to read
+// snd_nxt and rcv_nxt from the kernel. TCP_REPAIR requires CAP_NET_ADMIN;
+// callers must run as root or grant both CAP_NET_RAW and CAP_NET_ADMIN.
+//
+// If the TCP_REPAIR_OFF revert fails, the socket would stay in TCP_REPAIR
+// state and subsequent Write() calls would silently buffer instead of sending.
+// Surface that error so callers can abort.
+func (s *linuxSpoofer) loadSequenceNumbers(tcpConn *net.TCPConn) error {
+ rawConn, err := tcpConn.SyscallConn()
+ if err != nil {
+ return err
+ }
+ var ctrlErr error
+ err = rawConn.Control(func(raw uintptr) {
+ fd := int(raw)
+
+ if s.method == MethodWrongTimestamp {
+ timestamp, tsErr := unix.GetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_TIMESTAMP)
+ if tsErr != nil {
+ ctrlErr = fmt.Errorf("rawpacket: read timestamp: %w", tsErr)
+ return
+ }
+ s.timestamp = uint32(timestamp)
+ }
+
+ ctrlErr = unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR, unix.TCP_REPAIR_ON)
+ if ctrlErr != nil {
+ ctrlErr = fmt.Errorf("rawpacket: enter TCP_REPAIR (need CAP_NET_ADMIN): %w", ctrlErr)
+ return
+ }
+ defer func() {
+ offErr := unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR, unix.TCP_REPAIR_OFF)
+ if offErr != nil {
+ offErr = fmt.Errorf("rawpacket: leave TCP_REPAIR: %w", offErr)
+ if ctrlErr == nil {
+ ctrlErr = offErr
+ } else {
+ ctrlErr = fmt.Errorf("%v; also %w", ctrlErr, offErr)
+ }
+ }
+ }()
+
+ ctrlErr = unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR_QUEUE, tcpSendQueue)
+ if ctrlErr != nil {
+ ctrlErr = fmt.Errorf("rawpacket: select TCP_SEND_QUEUE: %w", ctrlErr)
+ return
+ }
+ sendSequence, seqErr := unix.GetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_QUEUE_SEQ)
+ if seqErr != nil {
+ ctrlErr = fmt.Errorf("rawpacket: read send queue sequence: %w", seqErr)
+ return
+ }
+ ctrlErr = unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR_QUEUE, tcpRecvQueue)
+ if ctrlErr != nil {
+ ctrlErr = fmt.Errorf("rawpacket: select TCP_RECV_QUEUE: %w", ctrlErr)
+ return
+ }
+ receiveSequence, seqErr := unix.GetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_QUEUE_SEQ)
+ if seqErr != nil {
+ ctrlErr = fmt.Errorf("rawpacket: read recv queue sequence: %w", seqErr)
+ return
+ }
+ s.sendNext = uint32(sendSequence)
+ s.receiveNext = uint32(receiveSequence)
+ })
+ if err != nil {
+ return err
+ }
+ return ctrlErr
+}
+
+func (s *linuxSpoofer) Inject(payload []byte) error {
+ frame, err := buildSpoofFrame(s.method, s.src, s.dst, s.sendNext, s.receiveNext, s.timestamp, nil, payload, s.ttl)
+ if err != nil {
+ return err
+ }
+ err = unix.Sendto(s.rawFD, frame, 0, s.rawSockAddr)
+ if err != nil {
+ return fmt.Errorf("sendto raw socket: %w", err)
+ }
+ return nil
+}
+
+func (s *linuxSpoofer) Close() error {
+ if s.rawFD < 0 {
+ return nil
+ }
+ err := unix.Close(s.rawFD)
+ s.rawFD = -1
+ return err
+}
diff --git a/transport/internet/finalmask/rawpacket/raw_stub.go b/transport/internet/finalmask/rawpacket/raw_stub.go
new file mode 100644
index 000000000000..c06a40f48bb2
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/raw_stub.go
@@ -0,0 +1,15 @@
+//go:build !linux && !darwin && !freebsd && !(windows && (amd64 || 386))
+
+package rawpacket
+
+import (
+ "net"
+
+ "errors"
+)
+
+const PlatformSupported = false
+
+func newRawSpoofer(conn net.Conn, method Method, ttl uint8) (rawSpoofer, error) {
+ return nil, errors.New("rawpacket: unsupported platform")
+}
diff --git a/transport/internet/finalmask/rawpacket/raw_unix.go b/transport/internet/finalmask/rawpacket/raw_unix.go
new file mode 100644
index 000000000000..bccd0fefe0de
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/raw_unix.go
@@ -0,0 +1,25 @@
+//go:build linux || darwin || freebsd
+
+package rawpacket
+
+import (
+ "fmt"
+ "net/netip"
+
+ "golang.org/x/sys/unix"
+)
+
+func openIPv4RawSocket(dst netip.AddrPort) (int, unix.Sockaddr, error) {
+ fd, err := unix.Socket(unix.AF_INET, unix.SOCK_RAW, unix.IPPROTO_TCP)
+ if err != nil {
+ return -1, nil, fmt.Errorf("open AF_INET SOCK_RAW: %w", err)
+ }
+ err = unix.SetsockoptInt(fd, unix.IPPROTO_IP, unix.IP_HDRINCL, 1)
+ if err != nil {
+ unix.Close(fd)
+ return -1, nil, fmt.Errorf("set IP_HDRINCL: %w", err)
+ }
+ sockaddr := &unix.SockaddrInet4{Port: int(dst.Port())}
+ sockaddr.Addr = dst.Addr().As4()
+ return fd, sockaddr, nil
+}
diff --git a/transport/internet/finalmask/rawpacket/raw_windows.go b/transport/internet/finalmask/rawpacket/raw_windows.go
new file mode 100644
index 000000000000..acfed30ff0c8
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/raw_windows.go
@@ -0,0 +1,236 @@
+//go:build windows && (amd64 || 386)
+
+package rawpacket
+
+import (
+ "errors"
+ "net"
+ "net/netip"
+ "slices"
+ "sync"
+ "sync/atomic"
+ "time"
+
+ "github.com/xtls/xray-core/transport/internet/finalmask/rawpacket/windivert"
+ "golang.org/x/sys/windows"
+)
+
+const PlatformSupported = true
+
+// closeGracePeriod caps how long Close() waits for the divert goroutine to
+// observe the kernel-emitted real ClientHello and perform the reorder
+// (fake → real). In practice this completes in microseconds; the cap
+// bounds the pathological case where the kernel buffers the packet.
+const closeGracePeriod = 2 * time.Second
+
+// windowsSpoofer uses a single WinDivert handle for both capture and
+// injection. Sequential Send() calls on one handle traverse one driver queue,
+// so the fake provably precedes the released real on the wire — a guarantee
+// two separate handles cannot make because cross-handle order depends on the
+// scheduler.
+type windowsSpoofer struct {
+ method Method
+ src, dst netip.AddrPort
+ divertH *windivert.Handle
+ ttl uint8
+
+ fakeReady chan []byte // buffered(1): staged by Inject
+ done chan struct{} // closed by run() on exit
+ closeOnce sync.Once
+ runErr atomic.Pointer[error]
+}
+
+func newRawSpoofer(conn net.Conn, method Method, ttl uint8) (rawSpoofer, error) {
+ _, src, dst, err := tcpEndpoints(conn)
+ if err != nil {
+ return nil, err
+ }
+ filter, err := windivert.OutboundTCP(src, dst)
+ if err != nil {
+ return nil, err
+ }
+ divertH, err := windivert.Open(filter, windivert.LayerNetwork, 0, 0)
+ if err != nil {
+ return nil, err
+ }
+ s := &windowsSpoofer{
+ method: method,
+ src: src,
+ dst: dst,
+ divertH: divertH,
+ ttl: ttl,
+ fakeReady: make(chan []byte, 1),
+ done: make(chan struct{}),
+ }
+ go s.run()
+ return s, nil
+}
+
+func (s *windowsSpoofer) Inject(payload []byte) error {
+ select {
+ case s.fakeReady <- payload:
+ return nil
+ case <-s.done:
+ if p := s.runErr.Load(); p != nil {
+ return *p
+ }
+ return errors.New("rawpacket: spoofer closed before Inject")
+ }
+}
+
+func (s *windowsSpoofer) Close() error {
+ s.closeOnce.Do(func() {
+ // Give run() a grace window to finish handling the real packet.
+ select {
+ case <-s.done:
+ case <-time.After(closeGracePeriod):
+ // Force Recv() to return by closing the divert handle.
+ s.divertH.Close()
+ <-s.done
+ }
+ })
+ if p := s.runErr.Load(); p != nil {
+ return *p
+ }
+ return nil
+}
+
+func (s *windowsSpoofer) recordErr(err error) { s.runErr.Store(&err) }
+
+func (s *windowsSpoofer) run() {
+ defer close(s.done)
+ defer s.divertH.Close()
+
+ buf := make([]byte, windivert.MTUMax)
+ for {
+ n, addr, err := s.divertH.Recv(buf)
+ if err != nil {
+ if errors.Is(err, windows.ERROR_OPERATION_ABORTED) ||
+ errors.Is(err, windows.ERROR_NO_DATA) {
+ return
+ }
+ s.recordErr(err)
+ return
+ }
+ pkt := buf[:n]
+ seq, ack, tcpOptions, payloadLen, ok := parseTCPPacket(pkt, addr.IPv6())
+ if !ok {
+ // Our filter is OutboundTCP(src, dst); a non-TCP or truncated
+ // match means driver state is suspect. Re-inject so the kernel
+ // still sees the byte stream, then abort — continuing would risk
+ // reordering against an unknown reference point.
+ _, sendErr := s.divertH.Send(pkt, &addr)
+ if sendErr != nil {
+ s.recordErr(sendErr)
+ return
+ }
+ s.recordErr(errors.New("windivert received malformed packet matching spoof filter"))
+ return
+ }
+ if payloadLen == 0 {
+ // Handshake ACK, keepalive, FIN — pass through unchanged.
+ _, err := s.divertH.Send(pkt, &addr)
+ if err != nil {
+ s.recordErr(err)
+ return
+ }
+ continue
+ }
+
+ // Non-empty outbound TCP payload = the real ClientHello.
+ var fake []byte
+ select {
+ case fake = <-s.fakeReady:
+ default:
+ // Inject() not yet called — pass through and keep observing.
+ _, err := s.divertH.Send(pkt, &addr)
+ if err != nil {
+ s.recordErr(err)
+ return
+ }
+ continue
+ }
+
+ var timestamp uint32
+ if tsVal, hasTS := ParseTCPOptions(tcpOptions); hasTS {
+ timestamp = tsVal
+ }
+ frame, err := buildSpoofFrame(s.method, s.src, s.dst, seq, ack, timestamp, tcpOptions, fake, s.ttl)
+ if err != nil {
+ s.recordErr(err)
+ return
+ }
+ fakeAddr := addr // inherit Outbound, IfIdx
+ // buildSpoofFrame emits ready-to-wire bytes. The driver recomputes
+ // checksums on Send when TCPChecksum/IPChecksum are 0 — which would
+ // overwrite the intentionally corrupt checksum in WrongChecksum mode.
+ // Force both to 1 to keep our bytes intact.
+ fakeAddr.SetIPChecksum(true)
+ fakeAddr.SetTCPChecksum(true)
+ _, err = s.divertH.Send(frame, &fakeAddr)
+ if err != nil {
+ s.recordErr(err)
+ return
+ }
+ _, err = s.divertH.Send(pkt, &addr)
+ if err != nil {
+ s.recordErr(err)
+ return
+ }
+ return // single-shot reorder complete
+ }
+}
+
+func parseTCPPacket(pkt []byte, isV6 bool) (seq, ack uint32, options []byte, payloadLen int, ok bool) {
+ if isV6 {
+ if len(pkt) < IPv6MinimumSize+TCPMinimumSize {
+ return 0, 0, nil, 0, false
+ }
+ ip := IPv6(pkt)
+ if ip.TransportProtocol() != TCPProtocolNumber {
+ return 0, 0, nil, 0, false
+ }
+ tcp := TCP(pkt[IPv6MinimumSize:])
+ tcpHdr := int(tcp.DataOffset())
+ if tcpHdr < TCPMinimumSize || IPv6MinimumSize+tcpHdr > len(pkt) {
+ return 0, 0, nil, 0, false
+ }
+ total := IPv6MinimumSize + int(ip.PayloadLength())
+ if total == IPv6MinimumSize || total > len(pkt) {
+ total = len(pkt)
+ }
+ if total < IPv6MinimumSize+tcpHdr {
+ return 0, 0, nil, 0, false
+ }
+ return tcp.SequenceNumber(), tcp.AckNumber(), slices.Clone(tcp.Options()),
+ total - IPv6MinimumSize - tcpHdr, true
+ }
+ if len(pkt) < IPv4MinimumSize+TCPMinimumSize {
+ return 0, 0, nil, 0, false
+ }
+ ip := IPv4(pkt)
+ if ip.Protocol() != TCPProtocolNumber {
+ return 0, 0, nil, 0, false
+ }
+ ihl := int(ip.HeaderLength())
+ // ihl+TCPMinimumSize guards the TCP-header field reads below; without
+ // this, an IPv4 packet with options (ihl>20) against a 40-byte buffer
+ // reads past the TCP slice when calling DataOffset.
+ if ihl < IPv4MinimumSize || ihl+TCPMinimumSize > len(pkt) {
+ return 0, 0, nil, 0, false
+ }
+ tcp := TCP(pkt[ihl:])
+ tcpHdr := int(tcp.DataOffset())
+ if tcpHdr < TCPMinimumSize || ihl+tcpHdr > len(pkt) {
+ return 0, 0, nil, 0, false
+ }
+ total := int(ip.TotalLength())
+ if total == 0 || total > len(pkt) {
+ total = len(pkt)
+ }
+ if total < ihl+tcpHdr {
+ return 0, 0, nil, 0, false
+ }
+ return tcp.SequenceNumber(), tcp.AckNumber(), slices.Clone(tcp.Options()),
+ total - ihl - tcpHdr, true
+}
diff --git a/transport/internet/finalmask/rawpacket/tcpip.go b/transport/internet/finalmask/rawpacket/tcpip.go
new file mode 100644
index 000000000000..8814422e35ed
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/tcpip.go
@@ -0,0 +1,155 @@
+package rawpacket
+
+import (
+ "encoding/binary"
+ "net/netip"
+)
+
+const (
+ IPv4MinimumSize = 20
+ IPv6MinimumSize = 40
+ TCPMinimumSize = 20
+ TCPProtocolNumber = 6
+
+ TCPOptionEOL = 0
+ TCPOptionNOP = 1
+ TCPOptionTS = 8
+ TCPOptionTSLength = 10
+
+ TCPFlagFin = 0x01
+ TCPFlagSyn = 0x02
+ TCPFlagRst = 0x04
+ TCPFlagPsh = 0x08
+ TCPFlagAck = 0x10
+)
+
+func Checksum(data []byte, initial uint16) uint16 {
+ var csum uint32 = uint32(initial)
+ for i := 0; i < len(data)-1; i += 2 {
+ csum += uint32(binary.BigEndian.Uint16(data[i:]))
+ }
+ if len(data)%2 == 1 {
+ csum += uint32(data[len(data)-1]) << 8
+ }
+ for csum > 0xffff {
+ csum = (csum >> 16) + (csum & 0xffff)
+ }
+ return uint16(csum)
+}
+
+func PseudoHeaderChecksum(protocol uint8, srcAddr, dstAddr []byte, totalLen uint16) uint16 {
+ var csum uint32
+ for i := 0; i < len(srcAddr); i += 2 {
+ csum += uint32(binary.BigEndian.Uint16(srcAddr[i:]))
+ }
+ for i := 0; i < len(dstAddr); i += 2 {
+ csum += uint32(binary.BigEndian.Uint16(dstAddr[i:]))
+ }
+ csum += uint32(protocol)
+ csum += uint32(totalLen)
+ for csum > 0xffff {
+ csum = (csum >> 16) + (csum & 0xffff)
+ }
+ return uint16(csum)
+}
+
+func CombineChecksum(c1, c2 uint16) uint16 {
+ csum := uint32(c1) + uint32(c2)
+ for csum > 0xffff {
+ csum = (csum >> 16) + (csum & 0xffff)
+ }
+ return uint16(csum)
+}
+
+func EncodeTSOption(val uint32, ecr uint32, b []byte) {
+ b[0] = TCPOptionTS
+ b[1] = TCPOptionTSLength
+ binary.BigEndian.PutUint32(b[2:], val)
+ binary.BigEndian.PutUint32(b[6:], ecr)
+}
+
+func ParseTCPOptions(b []byte) (tsVal uint32, hasTS bool) {
+ for i := 0; i < len(b); {
+ if b[i] == TCPOptionEOL {
+ break
+ }
+ if b[i] == TCPOptionNOP {
+ i++
+ continue
+ }
+ if i+1 >= len(b) {
+ break
+ }
+ optLen := int(b[i+1])
+ if optLen < 2 || i+optLen > len(b) {
+ break
+ }
+ if b[i] == TCPOptionTS && optLen == TCPOptionTSLength {
+ return binary.BigEndian.Uint32(b[i+2:]), true
+ }
+ i += optLen
+ }
+ return 0, false
+}
+
+// IPv4 header representation
+type IPv4 []byte
+
+func (b IPv4) TotalLength() uint16 { return binary.BigEndian.Uint16(b[2:]) }
+func (b IPv4) Flags() uint8 { return uint8(binary.BigEndian.Uint16(b[6:]) >> 13) }
+func (b IPv4) FragmentOffset() uint16 { return binary.BigEndian.Uint16(b[6:]) & 0x1fff }
+func (b IPv4) Protocol() uint8 { return b[9] }
+func (b IPv4) HeaderLength() uint8 { return (b[0] & 0x0f) * 4 }
+
+func (b IPv4) Encode(totalLength uint16, id uint16, ttl uint8, protocol uint8, src, dst netip.Addr) {
+ b[0] = (4 << 4) | 5 // IPv4, Header Length = 20
+ b[1] = 0 // TOS
+ binary.BigEndian.PutUint16(b[2:], totalLength)
+ binary.BigEndian.PutUint16(b[4:], id)
+ binary.BigEndian.PutUint16(b[6:], 0) // Flags and Fragment Offset
+ b[8] = ttl
+ b[9] = protocol
+ b[10] = 0 // Checksum (0 for calculation)
+ copy(b[12:16], src.AsSlice())
+ copy(b[16:20], dst.AsSlice())
+ csum := Checksum(b[:20], 0)
+ binary.BigEndian.PutUint16(b[10:], ^csum)
+}
+
+type IPv6 []byte
+
+func (b IPv6) PayloadLength() uint16 { return binary.BigEndian.Uint16(b[4:]) }
+func (b IPv6) TransportProtocol() uint8 { return b[6] }
+
+func (b IPv6) Encode(payloadLength uint16, transportProtocol uint8, hopLimit uint8, src, dst netip.Addr) {
+ binary.BigEndian.PutUint32(b[0:], 6<<28) // Version 6, Traffic Class 0, Flow Label 0
+ binary.BigEndian.PutUint16(b[4:], payloadLength)
+ b[6] = transportProtocol
+ b[7] = hopLimit
+ copy(b[8:24], src.AsSlice())
+ copy(b[24:40], dst.AsSlice())
+}
+
+type TCP []byte
+
+func (b TCP) DataOffset() uint8 { return (b[12] >> 4) * 4 }
+func (b TCP) SequenceNumber() uint32 { return binary.BigEndian.Uint32(b[4:]) }
+func (b TCP) AckNumber() uint32 { return binary.BigEndian.Uint32(b[8:]) }
+func (b TCP) Options() []byte { return b[TCPMinimumSize:b.DataOffset()] }
+func (b TCP) SetChecksum(csum uint16) { binary.BigEndian.PutUint16(b[16:], csum) }
+
+func (b TCP) Encode(srcPort, dstPort uint16, seqNum, ackNum uint32, dataOffset uint8, flags uint8, windowSize uint16) {
+ binary.BigEndian.PutUint16(b[0:], srcPort)
+ binary.BigEndian.PutUint16(b[2:], dstPort)
+ binary.BigEndian.PutUint32(b[4:], seqNum)
+ binary.BigEndian.PutUint32(b[8:], ackNum)
+ b[12] = (dataOffset / 4) << 4
+ b[13] = flags
+ binary.BigEndian.PutUint16(b[14:], windowSize)
+ b[16] = 0 // Checksum
+ binary.BigEndian.PutUint16(b[18:], 0) // Urgent pointer
+}
+
+func (b TCP) CalculateChecksum(initial uint16) uint16 {
+ return Checksum(b, initial)
+}
diff --git a/transport/internet/finalmask/rawpacket/windivert/assets/LICENSE.txt b/transport/internet/finalmask/rawpacket/windivert/assets/LICENSE.txt
new file mode 100644
index 000000000000..8489a8e773c3
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/assets/LICENSE.txt
@@ -0,0 +1,1191 @@
+WinDivert is dual-licensed under your choice of the GNU Lesser General Public
+License (LGPL) Version 3 or the GNU General Public License (GPL) Version 2.
+Copies of the LGPLv3, GPLv3 and GPLv2 are provided below.
+
+==============================================================================
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+ This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+ As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+ "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+ An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+ A "Combined Work" is a work produced by combining or linking an
+Application with the Library. The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+ The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+ The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+ You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+ If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+ a) under this License, provided that you make a good faith effort to
+ ensure that, in the event an Application does not supply the
+ function or data, the facility still operates, and performs
+ whatever part of its purpose remains meaningful, or
+
+ b) under the GNU GPL, with none of the additional permissions of
+ this License applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+ The object code form of an Application may incorporate material from
+a header file that is part of the Library. You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+ a) Give prominent notice with each copy of the object code that the
+ Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the object code with a copy of the GNU GPL and this license
+ document.
+
+ 4. Combined Works.
+
+ You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+ a) Give prominent notice with each copy of the Combined Work that
+ the Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the Combined Work with a copy of the GNU GPL and this license
+ document.
+
+ c) For a Combined Work that displays copyright notices during
+ execution, include the copyright notice for the Library among
+ these notices, as well as a reference directing the user to the
+ copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+ 0) Convey the Minimal Corresponding Source under the terms of this
+ License, and the Corresponding Application Code in a form
+ suitable for, and under terms that permit, the user to
+ recombine or relink the Application with a modified version of
+ the Linked Version to produce a modified Combined Work, in the
+ manner specified by section 6 of the GNU GPL for conveying
+ Corresponding Source.
+
+ 1) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (a) uses at run time
+ a copy of the Library already present on the user's computer
+ system, and (b) will operate properly with a modified version
+ of the Library that is interface-compatible with the Linked
+ Version.
+
+ e) Provide Installation Information, but only if you would otherwise
+ be required to provide such information under section 6 of the
+ GNU GPL, and only to the extent that such information is
+ necessary to install and execute a modified version of the
+ Combined Work produced by recombining or relinking the
+ Application with a modified version of the Linked Version. (If
+ you use option 4d0, the Installation Information must accompany
+ the Minimal Corresponding Source and Corresponding Application
+ Code. If you use option 4d1, you must provide the Installation
+ Information in the manner specified by section 6 of the GNU GPL
+ for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+ You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+ a) Accompany the combined library with a copy of the same work based
+ on the Library, uncombined with any other library facilities,
+ conveyed under the terms of this License.
+
+ b) Give prominent notice with the combined library that part of it
+ is a work based on the Library, and explaining where to find the
+ accompanying uncombined form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+ The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+ If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
+
+==============================================================================
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
+
+==============================================================================
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ , 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
+
diff --git a/transport/internet/finalmask/rawpacket/windivert/assets/WinDivert32.sys b/transport/internet/finalmask/rawpacket/windivert/assets/WinDivert32.sys
new file mode 100644
index 000000000000..d06738cbb783
Binary files /dev/null and b/transport/internet/finalmask/rawpacket/windivert/assets/WinDivert32.sys differ
diff --git a/transport/internet/finalmask/rawpacket/windivert/assets/WinDivert64.sys b/transport/internet/finalmask/rawpacket/windivert/assets/WinDivert64.sys
new file mode 100644
index 000000000000..218ccaf423ef
Binary files /dev/null and b/transport/internet/finalmask/rawpacket/windivert/assets/WinDivert64.sys differ
diff --git a/transport/internet/finalmask/rawpacket/windivert/assets_386.go b/transport/internet/finalmask/rawpacket/windivert/assets_386.go
new file mode 100644
index 000000000000..0cbf35ed5cbf
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/assets_386.go
@@ -0,0 +1,14 @@
+//go:build windows && 386
+
+package windivert
+
+import _ "embed"
+
+//go:embed assets/WinDivert32.sys
+var sysBytes []byte
+
+func assetFiles() []assetFile {
+ return []assetFile{{"WinDivert32.sys", sysBytes}}
+}
+
+func driverSysName() string { return "WinDivert32.sys" }
diff --git a/transport/internet/finalmask/rawpacket/windivert/assets_amd64.go b/transport/internet/finalmask/rawpacket/windivert/assets_amd64.go
new file mode 100644
index 000000000000..2c9fb6c6ad19
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/assets_amd64.go
@@ -0,0 +1,14 @@
+//go:build windows && amd64
+
+package windivert
+
+import _ "embed"
+
+//go:embed assets/WinDivert64.sys
+var sysBytes []byte
+
+func assetFiles() []assetFile {
+ return []assetFile{{"WinDivert64.sys", sysBytes}}
+}
+
+func driverSysName() string { return "WinDivert64.sys" }
diff --git a/transport/internet/finalmask/rawpacket/windivert/assets_unsupported.go b/transport/internet/finalmask/rawpacket/windivert/assets_unsupported.go
new file mode 100644
index 000000000000..04698953fa6b
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/assets_unsupported.go
@@ -0,0 +1,7 @@
+//go:build windows && !amd64 && !386
+
+package windivert
+
+func assetFiles() []assetFile { return nil }
+
+func driverSysName() string { return "" }
diff --git a/transport/internet/finalmask/rawpacket/windivert/driver_windows.go b/transport/internet/finalmask/rawpacket/windivert/driver_windows.go
new file mode 100644
index 000000000000..50e94c578422
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/driver_windows.go
@@ -0,0 +1,211 @@
+//go:build windows
+
+package windivert
+
+import (
+ "errors"
+ "fmt"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strconv"
+ "sync"
+
+ "golang.org/x/sys/windows"
+)
+
+const (
+ driverServiceName = "WinDivert"
+ driverDeviceName = `\\.\WinDivert`
+)
+
+var (
+ driverOnce sync.Once
+ driverErr error
+ // driverDevName is ASCII-safe and must be available before ensureDriver
+ // so Open can try CreateFile first and only install on FILE_NOT_FOUND.
+ driverDevName, _ = windows.UTF16PtrFromString(driverDeviceName)
+)
+
+// Requires SeLoadDriverPrivilege (Administrator). Running the 386 build
+// under WOW64 on a 64-bit kernel is rejected — use the amd64 build.
+func ensureDriver() error {
+ driverOnce.Do(func() {
+ driverErr = installDriver()
+ })
+ return driverErr
+}
+
+func installDriver() error {
+ if runtime.GOARCH == "386" {
+ var isWow64 bool
+ err := windows.IsWow64Process(windows.CurrentProcess(), &isWow64)
+ if err == nil && isWow64 {
+ return errors.New("windivert: 386 build detected running under WOW64 on a 64-bit kernel; use the amd64 build")
+ }
+ }
+
+ dir, err := ensureExtracted()
+ if err != nil {
+ return err
+ }
+ sysPath := filepath.Join(dir, driverSysName())
+ sysPathW, err := windows.UTF16PtrFromString(sysPath)
+ if err != nil {
+ return fmt.Errorf("windivert: utf16 driver path: %w", err)
+ }
+
+ // Serialize driver install across concurrent processes.
+ mutexName, _ := windows.UTF16PtrFromString("WinDivertDriverInstallMutex")
+ mutex, err := windows.CreateMutex(nil, false, mutexName)
+ if err != nil {
+ return fmt.Errorf("windivert: create install mutex: %w", err)
+ }
+ defer windows.CloseHandle(mutex)
+ _, err = windows.WaitForSingleObject(mutex, windows.INFINITE)
+ if err != nil {
+ return fmt.Errorf("windivert: wait install mutex: %w", err)
+ }
+ defer windows.ReleaseMutex(mutex)
+
+ manager, err := windows.OpenSCManager(nil, nil, windows.SC_MANAGER_ALL_ACCESS)
+ if err != nil {
+ return fmt.Errorf("windivert: open SCM: %w", err)
+ }
+ defer windows.CloseServiceHandle(manager)
+
+ serviceNameW, _ := windows.UTF16PtrFromString(driverServiceName)
+ service, err := windows.OpenService(manager, serviceNameW, windows.SERVICE_ALL_ACCESS)
+ if err != nil {
+ service, err = windows.CreateService(
+ manager,
+ serviceNameW,
+ serviceNameW,
+ windows.SERVICE_ALL_ACCESS,
+ windows.SERVICE_KERNEL_DRIVER,
+ windows.SERVICE_DEMAND_START,
+ windows.SERVICE_ERROR_NORMAL,
+ sysPathW,
+ nil, nil, nil, nil, nil,
+ )
+ if err != nil {
+ if errors.Is(err, windows.ERROR_SERVICE_EXISTS) {
+ service, err = windows.OpenService(manager, serviceNameW, windows.SERVICE_ALL_ACCESS)
+ }
+ if err != nil {
+ return wrapDriverInstallError(err)
+ }
+ }
+ }
+ defer windows.CloseServiceHandle(service)
+
+ err = windows.StartService(service, 0, nil)
+ if err != nil && errors.Is(err, windows.ERROR_SERVICE_DISABLED) {
+ // A prior process called DeleteService on a still-running kernel
+ // driver: SCM marks the record for deletion and flips START_TYPE
+ // to DISABLED until the last handle closes. Re-enable so we can
+ // start it instead of waiting for a reboot.
+ err = windows.ChangeServiceConfig(
+ service,
+ windows.SERVICE_NO_CHANGE,
+ windows.SERVICE_DEMAND_START,
+ windows.SERVICE_NO_CHANGE,
+ nil, nil, nil, nil, nil, nil, nil,
+ )
+ if err != nil {
+ return fmt.Errorf("windivert: re-enable disabled service: %w", err)
+ }
+ err = windows.StartService(service, 0, nil)
+ }
+ if err == nil {
+ // Mark for deletion so the driver unregisters when the last handle
+ // closes or on next reboot. Matches the upstream DLL's behavior:
+ // only the process that actually started the service takes on the
+ // cleanup responsibility. If another process already started it,
+ // we leave DeleteService to them.
+ _ = windows.DeleteService(service)
+ } else if !errors.Is(err, windows.ERROR_SERVICE_ALREADY_RUNNING) {
+ return fmt.Errorf("windivert: start service: %w", err)
+ }
+ return nil
+}
+
+func wrapDriverInstallError(err error) error {
+ if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
+ return fmt.Errorf("windivert: installing the kernel driver requires Administrator privileges: %w", err)
+ }
+ return fmt.Errorf("windivert: create service: %w", err)
+}
+
+type assetFile struct {
+ name string
+ data []byte
+}
+
+var (
+ extractOnce sync.Once
+ extractErr error
+ extractDir string
+)
+
+// The on-disk copy is protected by Windows Authenticode signature
+// enforcement, which rejects any tampered .sys at StartService time.
+func ensureExtracted() (string, error) {
+ extractOnce.Do(func() {
+ extractDir, extractErr = extractImpl()
+ })
+ return extractDir, extractErr
+}
+
+func extractImpl() (string, error) {
+ files := assetFiles()
+ if len(files) == 0 {
+ return "", fmt.Errorf("windivert: unsupported architecture %s", runtime.GOARCH)
+ }
+
+ base, err := os.UserCacheDir()
+ if err != nil {
+ return "", fmt.Errorf("windivert: locate user cache dir: %w", err)
+ }
+ dir := filepath.Join(base, "xray-core", "windivert", "v"+AssetVersion)
+ err = os.MkdirAll(dir, 0o755)
+ if err != nil {
+ return "", fmt.Errorf("windivert: mkdir %s: %w", dir, err)
+ }
+
+ for _, asset := range files {
+ err = ensureAsset(dir, asset)
+ if err != nil {
+ return "", err
+ }
+ }
+ return dir, nil
+}
+
+// Concurrent sing-box processes race on os.Rename (atomic on NTFS);
+// whichever wins creates the final file. Writers that lose the race
+// silently discard their temp copy.
+func ensureAsset(dir string, asset assetFile) error {
+ target := filepath.Join(dir, asset.name)
+ _, err := os.Stat(target)
+ if err == nil {
+ return nil
+ }
+ if !os.IsNotExist(err) {
+ return fmt.Errorf("windivert: stat %s: %w", asset.name, err)
+ }
+ tmp := target + ".tmp-" + strconv.Itoa(os.Getpid())
+ err = os.WriteFile(tmp, asset.data, 0o644)
+ if err != nil {
+ return fmt.Errorf("windivert: write %s: %w", asset.name, err)
+ }
+ err = os.Rename(tmp, target)
+ if err != nil {
+ os.Remove(tmp)
+ if _, statErr := os.Stat(target); statErr == nil {
+ return nil
+ }
+ return fmt.Errorf("windivert: rename %s: %w", asset.name, err)
+ }
+ return nil
+}
diff --git a/transport/internet/finalmask/rawpacket/windivert/filter.go b/transport/internet/finalmask/rawpacket/windivert/filter.go
new file mode 100644
index 000000000000..d63adae2b630
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/filter.go
@@ -0,0 +1,181 @@
+package windivert
+
+import (
+ "encoding/binary"
+ "errors"
+ "net/netip"
+)
+
+// WINDIVERT_FILTER VM instruction layout (24 bytes, #pragma pack(1)):
+//
+// word 0 (LE): field:11 | test:5 | success:16
+// word 1 (LE): failure:16 | neg:1 | reserved:15
+// words 2..5: arg[4] (native-endian uint32 each)
+//
+// The driver walks this as a decision tree: evaluate the test at inst i;
+// on success jump to success; on failure jump to failure. Continuations
+// 0x7FFE and 0x7FFF are ACCEPT and REJECT terminals.
+const (
+ filterInstBytes = 24
+ filterMaxInsts = 256
+
+ fieldZero = 0
+ fieldOutbound = 2
+ fieldIP = 5
+ fieldIPv6 = 6
+ fieldTCP = 8
+ fieldIPSrcAddr = 21
+ fieldIPDstAddr = 22
+ fieldIPv6SrcAddr = 28
+ fieldIPv6DstAddr = 29
+ fieldTCPSrcPort = 38
+ fieldTCPDstPort = 39
+
+ testEQ = 0
+
+ resultAccept uint16 = 0x7FFE
+ resultReject uint16 = 0x7FFF
+)
+
+// Filter flags passed to IOCTL_WINDIVERT_STARTUP alongside the compiled
+// filter. These tell the driver what *kinds* of packets the filter might
+// match, used as a kernel-side fast-reject.
+const (
+ filterFlagOutbound uint64 = 0x0020
+ filterFlagIP uint64 = 0x0040
+ filterFlagIPv6 uint64 = 0x0080
+)
+
+type filterInst struct {
+ field uint16 // 11 bits used
+ test uint8 // 5 bits used
+ success uint16
+ failure uint16
+ neg bool
+ arg [4]uint32
+}
+
+// Filter is a typed specification of packets to capture. It replaces
+// WinDivert's filter string language.
+//
+// Zero value = "reject all" (match nothing), suitable for send-only handles.
+type Filter struct {
+ insts []filterInst
+ flags uint64 // filter flags for STARTUP ioctl
+}
+
+// reject returns a filter that matches no packet. The empty insts slice
+// is encoded as a single rejecting instruction by encode().
+func reject() *Filter {
+ return &Filter{}
+}
+
+// OutboundTCP returns a filter matching outbound TCP packets on the given
+// 5-tuple. Both addresses must share an address family (IPv4 or IPv6).
+func OutboundTCP(src, dst netip.AddrPort) (*Filter, error) {
+ if !src.IsValid() || !dst.IsValid() {
+ return nil, errors.New("windivert: filter: invalid address port")
+ }
+ if src.Addr().Is4() != dst.Addr().Is4() {
+ return nil, errors.New("windivert: filter: mixed IPv4/IPv6")
+ }
+ f := &Filter{
+ flags: filterFlagOutbound,
+ }
+ // Insts chain as AND: each test's failure = REJECT, success = next inst.
+ // The final inst's success = ACCEPT.
+ f.add(fieldOutbound, testEQ, argUint32(1))
+ if src.Addr().Is4() {
+ f.flags |= filterFlagIP
+ f.add(fieldIP, testEQ, argUint32(1))
+ f.add(fieldTCP, testEQ, argUint32(1))
+ f.add(fieldIPSrcAddr, testEQ, argIPv4(src.Addr()))
+ f.add(fieldIPDstAddr, testEQ, argIPv4(dst.Addr()))
+ } else {
+ f.flags |= filterFlagIPv6
+ f.add(fieldIPv6, testEQ, argUint32(1))
+ f.add(fieldTCP, testEQ, argUint32(1))
+ f.add(fieldIPv6SrcAddr, testEQ, argIPv6(src.Addr()))
+ f.add(fieldIPv6DstAddr, testEQ, argIPv6(dst.Addr()))
+ }
+ f.add(fieldTCPSrcPort, testEQ, argUint32(uint32(src.Port())))
+ f.add(fieldTCPDstPort, testEQ, argUint32(uint32(dst.Port())))
+ return f, nil
+}
+
+func (f *Filter) add(field uint16, test uint8, arg [4]uint32) {
+ f.insts = append(f.insts, filterInst{field: field, test: test, arg: arg})
+}
+
+func argUint32(v uint32) [4]uint32 { return [4]uint32{v, 0, 0, 0} }
+
+// argIPv4 encodes an IPv4 address for IP_SRCADDR/IP_DSTADDR. The driver
+// compares against an IPv4-mapped-IPv6 form: {host_order_u32, 0x0000FFFF,
+// 0, 0} (see sys/windivert.c windivert_get_ipv4_addr and the IPv4_SRCADDR
+// val-word construction). Omitting the 0x0000FFFF marker causes the EQ
+// test to fail for every packet.
+func argIPv4(addr netip.Addr) [4]uint32 {
+ b := addr.As4()
+ return [4]uint32{binary.BigEndian.Uint32(b[:]), 0x0000FFFF, 0, 0}
+}
+
+// argIPv6 encodes an IPv6 address for IPV6_SRCADDR/IPV6_DSTADDR. The
+// driver stores the address as four host-order uint32s in REVERSED word
+// order: val[0]=low (bytes 12..15), val[3]=high (bytes 0..3). See
+// sys/windivert.c windivert_outbound_network_v6_classify val-word
+// construction.
+func argIPv6(addr netip.Addr) [4]uint32 {
+ b := addr.As16()
+ return [4]uint32{
+ binary.BigEndian.Uint32(b[12:16]),
+ binary.BigEndian.Uint32(b[8:12]),
+ binary.BigEndian.Uint32(b[4:8]),
+ binary.BigEndian.Uint32(b[0:4]),
+ }
+}
+
+// encode serializes the Filter to the on-wire WINDIVERT_FILTER[] format
+// plus the filter_flags for STARTUP ioctl.
+func (f *Filter) encode() ([]byte, uint64, error) {
+ if len(f.insts) == 0 {
+ // "Reject all" — one instruction, ZERO == 0 is always true, but we
+ // invert by setting both success and failure to REJECT.
+ return encodeInst(filterInst{
+ field: fieldZero,
+ test: testEQ,
+ success: resultReject,
+ failure: resultReject,
+ }), 0, nil
+ }
+ if len(f.insts) > filterMaxInsts-1 {
+ return nil, 0, errors.New("windivert: filter too long")
+ }
+ buf := make([]byte, 0, filterInstBytes*len(f.insts))
+ for i, inst := range f.insts {
+ if i == len(f.insts)-1 {
+ inst.success = resultAccept
+ } else {
+ inst.success = uint16(i + 1)
+ }
+ inst.failure = resultReject
+ buf = append(buf, encodeInst(inst)...)
+ }
+ return buf, f.flags, nil
+}
+
+func encodeInst(inst filterInst) []byte {
+ out := make([]byte, filterInstBytes)
+ word0 := uint32(inst.field&0x7FF) | uint32(inst.test&0x1F)<<11 |
+ uint32(inst.success)<<16
+ word1 := uint32(inst.failure)
+ if inst.neg {
+ word1 |= 1 << 16
+ }
+ binary.LittleEndian.PutUint32(out[0:4], word0)
+ binary.LittleEndian.PutUint32(out[4:8], word1)
+ binary.LittleEndian.PutUint32(out[8:12], inst.arg[0])
+ binary.LittleEndian.PutUint32(out[12:16], inst.arg[1])
+ binary.LittleEndian.PutUint32(out[16:20], inst.arg[2])
+ binary.LittleEndian.PutUint32(out[20:24], inst.arg[3])
+ return out
+}
diff --git a/transport/internet/finalmask/rawpacket/windivert/handle_windows.go b/transport/internet/finalmask/rawpacket/windivert/handle_windows.go
new file mode 100644
index 000000000000..c48e6214c11b
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/handle_windows.go
@@ -0,0 +1,323 @@
+//go:build windows
+
+package windivert
+
+import (
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "runtime"
+ "sync"
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+)
+
+// Handle owns a WinDivert kernel device handle plus a private event for
+// overlapped I/O. Methods on *Handle are not safe for concurrent use
+// across goroutines (there is a single shared event per Handle).
+//
+// addr is a per-Handle Address buffer the IOCTL struct embeds a pointer
+// to. It lives on the heap (as a field of a heap-allocated Handle) so
+// the pointer value stored as bytes in the ioctl buffer remains valid
+// across stack growth between buildIoctl* and the DeviceIoControl
+// syscall — stack-local Address values are not safe for this pattern
+// because Go's escape analysis does not see the pointer through the
+// unsafe.Pointer → uintptr → bytes conversion.
+type Handle struct {
+ device windows.Handle
+ event windows.Handle
+ closing sync.Once
+ closeErr error
+ addr Address
+}
+
+// Filter may be nil for "reject all", suitable for send-only handles.
+// Requires Administrator on first call per process (installs the kernel
+// driver via SCM); subsequent calls reuse the running driver.
+func Open(filter *Filter, layer Layer, priority int16, flags Flag) (*Handle, error) {
+ err := validateOpenArgs(layer, priority, flags)
+ if err != nil {
+ return nil, err
+ }
+ if filter == nil {
+ filter = reject()
+ }
+ filterBin, filterFlags, err := filter.encode()
+ if err != nil {
+ return nil, err
+ }
+ device, err := openDevice()
+ if err != nil {
+ if !errors.Is(err, windows.ERROR_FILE_NOT_FOUND) &&
+ !errors.Is(err, windows.ERROR_PATH_NOT_FOUND) {
+ if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
+ return nil, fmt.Errorf("windivert: open device (administrator required): %w", err)
+ }
+ return nil, fmt.Errorf("windivert: open device: %w", err)
+ }
+ // Device node missing: kernel driver not loaded. Install + retry.
+ // Matches WinDivertOpen's lazy-install path; avoids racing StartService
+ // against a still-loaded driver whose SCM record is marked for deletion.
+ err = ensureDriver()
+ if err != nil {
+ return nil, err
+ }
+ device, err = openDevice()
+ if err != nil {
+ if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
+ return nil, fmt.Errorf("windivert: open device (administrator required): %w", err)
+ }
+ return nil, fmt.Errorf("windivert: open device: %w", err)
+ }
+ }
+ event, err := windows.CreateEvent(nil, 1, 0, nil) // manual reset, unsignaled
+ if err != nil {
+ windows.CloseHandle(device)
+ return nil, fmt.Errorf("windivert: create event: %w", err)
+ }
+ h := &Handle{device: device, event: event}
+
+ err = h.initialize(layer, priority, flags)
+ if err != nil {
+ h.Close()
+ return nil, err
+ }
+ err = h.startup(filterBin, filterFlags)
+ if err != nil {
+ h.Close()
+ return nil, err
+ }
+ return h, nil
+}
+
+func openDevice() (windows.Handle, error) {
+ return windows.CreateFile(
+ driverDevName,
+ windows.GENERIC_READ|windows.GENERIC_WRITE,
+ 0, nil,
+ windows.OPEN_EXISTING,
+ windows.FILE_ATTRIBUTE_NORMAL|windows.FILE_FLAG_OVERLAPPED,
+ 0,
+ )
+}
+
+func validateOpenArgs(layer Layer, priority int16, flags Flag) error {
+ if layer != LayerNetwork {
+ return fmt.Errorf("windivert: invalid layer %d", uint32(layer))
+ }
+ if priority < PriorityLowest || priority > PriorityHighest {
+ return errors.New("windivert: priority out of range")
+ }
+ const supportedFlags = FlagSniff | FlagSendOnly
+ if flags&^supportedFlags != 0 {
+ return errors.New("windivert: unknown flag bits")
+ }
+ if flags&FlagSniff != 0 && flags&FlagSendOnly != 0 {
+ return errors.New("windivert: FlagSniff and FlagSendOnly are mutually exclusive")
+ }
+ return nil
+}
+
+func (h *Handle) initialize(layer Layer, priority int16, flags Flag) error {
+ in := buildIoctlInitialize(layer, priority, flags)
+ // WINDIVERT_VERSION is a 64-byte packed struct; only the first 20
+ // bytes (magic, major, minor, bits) carry data, the rest is reserved.
+ var outBuf [versionStructSize]byte
+ binary.LittleEndian.PutUint64(outBuf[0:8], magicDLL)
+ binary.LittleEndian.PutUint32(outBuf[8:12], versionMajor)
+ binary.LittleEndian.PutUint32(outBuf[12:16], versionMinor)
+ binary.LittleEndian.PutUint32(outBuf[16:20], uint32(unsafe.Sizeof(uintptr(0))*8))
+ _, err := doIoctl(h.device, ioctlInitialize, in[:], outBuf[:], h.event)
+ if err != nil {
+ return fmt.Errorf("windivert: initialize ioctl: %w", err)
+ }
+ gotMagic := binary.LittleEndian.Uint64(outBuf[0:8])
+ if gotMagic != magicSYS {
+ return fmt.Errorf("windivert: driver magic mismatch (got %d)", gotMagic)
+ }
+ gotMajor := binary.LittleEndian.Uint32(outBuf[8:12])
+ if gotMajor < versionMajor {
+ gotMinor := binary.LittleEndian.Uint32(outBuf[12:16])
+ return fmt.Errorf("windivert: driver version too old: %d.%d", gotMajor, gotMinor)
+ }
+ return nil
+}
+
+func (h *Handle) startup(filterBin []byte, filterFlags uint64) error {
+ in := buildIoctlStartup(filterFlags)
+ _, err := doIoctl(h.device, ioctlStartup, in[:], filterBin, h.event)
+ if err != nil {
+ return fmt.Errorf("windivert: startup ioctl: %w", err)
+ }
+ return nil
+}
+
+// If the handle is closed mid-Recv the error wraps ERROR_OPERATION_ABORTED.
+func (h *Handle) Recv(buf []byte) (int, Address, error) {
+ if len(buf) == 0 {
+ return 0, Address{}, errors.New("windivert: recv: zero-length buffer")
+ }
+ h.addr = Address{}
+ in := buildIoctlRecv(&h.addr)
+ n, err := doIoctl(h.device, ioctlRecv, in[:], buf, h.event)
+ runtime.KeepAlive(h)
+ if err != nil {
+ return 0, Address{}, err
+ }
+ return int(n), h.addr, nil
+}
+
+// The address's Outbound flag controls whether the packet is sent toward
+// the wire (outbound=true) or delivered up the stack (outbound=false).
+// IfIdx and SubIfIdx can stay zero — the driver uses the routing table
+// when IfIdx=0.
+func (h *Handle) Send(packet []byte, addr *Address) (int, error) {
+ if len(packet) == 0 {
+ return 0, errors.New("windivert: send: empty packet")
+ }
+ if addr == nil {
+ return 0, errors.New("windivert: send: nil address")
+ }
+ h.addr = *addr
+ in := buildIoctlSend(&h.addr)
+ n, err := doIoctl(h.device, ioctlSend, in[:], packet, h.event)
+ runtime.KeepAlive(h)
+ if err != nil {
+ return 0, err
+ }
+ return int(n), nil
+}
+
+// Idempotent. Aborts any in-flight I/O on the handle.
+func (h *Handle) Close() error {
+ h.closing.Do(func() {
+ var errs []error
+ if h.device != 0 {
+ err := windows.CloseHandle(h.device)
+ if err != nil {
+ errs = append(errs, err)
+ }
+ h.device = 0
+ }
+ if h.event != 0 {
+ err := windows.CloseHandle(h.event)
+ if err != nil {
+ errs = append(errs, err)
+ }
+ h.event = 0
+ }
+ h.closeErr = errors.Join(errs...)
+ })
+ return h.closeErr
+}
+
+// IOCTL codes from windivert_device.h. CTL_CODE macro layout:
+//
+// (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
+const (
+ fileDeviceNetwork uint32 = 0x12
+ accessReadWrite uint32 = 3 // FILE_READ_DATA | FILE_WRITE_DATA
+ accessRead uint32 = 1
+
+ methodInDirect uint32 = 1
+ methodOutDirect uint32 = 2
+)
+
+func ctlCode(deviceType, access, function, method uint32) uint32 {
+ return (deviceType << 16) | (access << 14) | (function << 2) | method
+}
+
+var (
+ ioctlInitialize = ctlCode(fileDeviceNetwork, accessReadWrite, 0x921, methodOutDirect)
+ ioctlStartup = ctlCode(fileDeviceNetwork, accessReadWrite, 0x922, methodInDirect)
+ ioctlRecv = ctlCode(fileDeviceNetwork, accessRead, 0x923, methodOutDirect)
+ ioctlSend = ctlCode(fileDeviceNetwork, accessReadWrite, 0x924, methodInDirect)
+)
+
+// Magic numbers exchanged during INITIALIZE. DLL sends magicDLL in the
+// version struct; driver returns magicSYS on success.
+const (
+ magicDLL uint64 = 0x4C4C447669645724 // "$WdivDLL" in LE bytes
+ magicSYS uint64 = 0x5359537669645723 // "#WdivSYS" in LE bytes
+)
+
+const (
+ versionMajor uint32 = 2
+ versionMinor uint32 = 2
+)
+
+// Size of the WINDIVERT_IOCTL union on wire (packed).
+const ioctlSize = 16
+
+// Size of WINDIVERT_VERSION on wire (packed). Only the first 20 bytes
+// carry data; the rest is reserved zero padding.
+const versionStructSize = 64
+
+// doIoctl performs a single synchronous (blocking) overlapped
+// DeviceIoControl. The handle is opened with FILE_FLAG_OVERLAPPED so
+// DeviceIoControl returns ERROR_IO_PENDING; we then wait for completion
+// via GetOverlappedResult. Event is passed in so callers can reuse it
+// across calls on the same handle (avoids per-call CreateEvent).
+func doIoctl(handle windows.Handle, code uint32, in []byte, out []byte, event windows.Handle) (uint32, error) {
+ var overlapped windows.Overlapped
+ overlapped.HEvent = event
+ _ = windows.ResetEvent(event)
+
+ var inPtr *byte
+ var inLen uint32
+ if len(in) > 0 {
+ inPtr = &in[0]
+ inLen = uint32(len(in))
+ }
+ var outPtr *byte
+ var outLen uint32
+ if len(out) > 0 {
+ outPtr = &out[0]
+ outLen = uint32(len(out))
+ }
+ var returned uint32
+ err := windows.DeviceIoControl(handle, code, inPtr, inLen, outPtr, outLen, &returned, &overlapped)
+ if err != nil && !errors.Is(err, windows.ERROR_IO_PENDING) {
+ return 0, err
+ }
+ err = windows.GetOverlappedResult(handle, &overlapped, &returned, true)
+ if err != nil {
+ return 0, err
+ }
+ return returned, nil
+}
+
+func buildIoctlInitialize(layer Layer, priority int16, flags Flag) [ioctlSize]byte {
+ var buf [ioctlSize]byte
+ binary.LittleEndian.PutUint32(buf[0:4], uint32(layer))
+ // The driver expects priority + WINDIVERT_PRIORITY_HIGHEST (30000) so
+ // the low range maps to non-negative integers.
+ binary.LittleEndian.PutUint32(buf[4:8], uint32(int32(priority)+int32(PriorityHighest)))
+ binary.LittleEndian.PutUint64(buf[8:16], uint64(flags))
+ return buf
+}
+
+func buildIoctlStartup(filterFlags uint64) [ioctlSize]byte {
+ var buf [ioctlSize]byte
+ binary.LittleEndian.PutUint64(buf[0:8], filterFlags)
+ return buf
+}
+
+// buildIoctlRecv packs a user-space pointer to a WINDIVERT_ADDRESS into
+// the ioctl struct. The driver dereferences it to write the address for
+// the received packet. Caller must keep the Address alive via
+// runtime.KeepAlive.
+func buildIoctlRecv(addr *Address) [ioctlSize]byte {
+ var buf [ioctlSize]byte
+ binary.LittleEndian.PutUint64(buf[0:8], uint64(uintptr(unsafe.Pointer(addr))))
+ binary.LittleEndian.PutUint64(buf[8:16], 0)
+ return buf
+}
+
+func buildIoctlSend(addr *Address) [ioctlSize]byte {
+ var buf [ioctlSize]byte
+ binary.LittleEndian.PutUint64(buf[0:8], uint64(uintptr(unsafe.Pointer(addr))))
+ binary.LittleEndian.PutUint64(buf[8:16], uint64(unsafe.Sizeof(Address{})))
+ return buf
+}
diff --git a/transport/internet/finalmask/rawpacket/windivert/windivert.go b/transport/internet/finalmask/rawpacket/windivert/windivert.go
new file mode 100644
index 000000000000..9d309886cbe3
--- /dev/null
+++ b/transport/internet/finalmask/rawpacket/windivert/windivert.go
@@ -0,0 +1,78 @@
+// Package windivert provides a pure-Go binding to the WinDivert kernel
+// driver on Windows (amd64 and 386). User-mode WinDivert calls are
+// reimplemented in Go; only the signed kernel driver is embedded as an
+// asset, since SCM-installed drivers must live on disk and their
+// Authenticode signature forbids modification.
+//
+// Administrator is required for the first Open in a process so SCM can
+// load the driver. Upstream: https://github.com/basil00/WinDivert v2.2.2,
+// redistributed under its LGPL v3 option; see assets/LICENSE.txt.
+package windivert
+
+import "unsafe"
+
+const AssetVersion = "2.2.2"
+
+// MTUMax is WINDIVERT_MTU_MAX from windivert.h (40 + 0xFFFF). Suitable as
+// a single-packet receive buffer size.
+const MTUMax = 40 + 0xFFFF
+
+type Layer uint32
+
+const LayerNetwork Layer = 0
+
+type Flag uint64
+
+const (
+ // FlagSniff opens a passive observer: the driver copies matching packets
+ // to userspace without removing them from the network stack. Send is not
+ // required (and not allowed) on a sniffing handle.
+ FlagSniff Flag = 0x0001
+ // FlagSendOnly opens a write-only injection handle; Recv is not allowed.
+ FlagSendOnly Flag = 0x0008
+)
+
+const (
+ PriorityHighest int16 = 30000
+ PriorityLowest int16 = -30000
+)
+
+// Address mirrors WINDIVERT_ADDRESS from windivert.h (80 bytes,
+// little-endian on both amd64 and 386):
+//
+// 0: INT64 Timestamp
+// 8: UINT32 bitfield: Layer:8 | Event:8 | flags | Reserved1:8
+// 12: UINT32 Reserved2
+// 16: 64 bytes union (WINDIVERT_DATA_NETWORK / FLOW / SOCKET / REFLECT)
+type Address struct {
+ Timestamp int64
+ bits uint32
+ Reserved2 uint32
+ union [64]byte
+}
+
+var _ [80]byte = [unsafe.Sizeof(Address{})]byte{}
+
+// Bit positions inside the Address's packed flags word.
+const (
+ addrBitIPv6 = 20
+ addrBitIPChecksum = 21
+ addrBitTCPChecksum = 22
+)
+
+func getFlagBit(bits uint32, pos uint) bool { return bits&(1<