feat: enable fwmark (SO_MARK) for outgoing sockets

[sabify]

No description provided.

[sbruens]

I have merged some large refactors we've been working on recently; apologies for the merge conflicts, and thank you for this contribution!

We may want to have some more dialer config options in future, so I suggest maybe a dialer wrapper in the config:

dialer:
  fwmark: ...

/cc @fortuna to weigh in on that

[fortuna]

@sabify thanks for the changes to inject the dialer. That's solid. As @sbruens pointed out, we need to pull the changes and I like the idea of putting the fwmark in a dialer config. That could be a place for other settings, like interface binding, routing, enable local network, etc)

[sabify]

@sbruens @fortuna I just made changes based on the refactored code.

[fortuna]

By the way, for your use case, have you considered using a firewall rule based on the PID?

You can probably do things like:

sudo nft add rule filter output meta pid $PID mark set 0x1234

With iptables you can use cgroups and add the pid to it.

It's also possible to use network namespaces.

[sabify]

By the way, for your use case, have you considered using a firewall rule based on the PID?

You can probably do things like:

sudo nft add rule filter output meta pid $PID mark set 0x1234

With iptables you can use cgroups and add the pid to it.

It's also possible to use network namespaces.

This already adds too much complexity for even simple routing logic.

I made the changes to be linux-specific but it also opens room for other similar functionality in other platforms like freebsd's SO_USER_COOKIE.

[fortuna]

Thanks for the changes. Looking good. I just have a few more tweaks.

[sabify]

Changes applied.

[sabify]

@fortuna @sbruens I just gave you maintainer access to my fork and you are able to apply any of your concerns and code styles that fit best with the codebase. I may not be able to keep up with the rapid changes and requests in the codebase and this PR due to time constraints. Sorry for that and appreciate your work to land this feature. Thank you!

[sbruens]

@fortuna @sbruens I just gave you maintainer access to my fork and you are able to apply any of your concerns and code styles that fit best with the codebase. I may not be able to keep up with the rapid changes and requests in the codebase and this PR due to time constraints. Sorry for that and appreciate your work to land this feature. Thank you!

Thanks for all your hard work on this @sabify. I finally found some time to pick this up and merge in the changes.

@fortuna PTAL

[fortuna]

Thanks for updating this! We should probably release it soon after

[sabify]

@sbruens Thanks for taking your time to land this feature.

How is it possible to take control of this feature from outline server (CLI and/or GUI)? https://github.com/Jigsaw-Code/outline-server

[sbruens]

You can't right now.

There is some work to be done to get this into outline-server, namely:

• Move outline-server to the new service config format introduced in 9992735 to which you added this dial option. We haven't gotten around to this yet.
• Add some new API endpoint to actually set/update the dial option(s) so you can call it via the command line.
• Expose this in the Manager/GUI.

The first 2 seem feasible, but the latter requires more UX research and we may not want to expose such an advanced feature in the Manager anyway.

[sbruens]

• Move outline-server to the new service config format introduced in 9992735 to which you added this dial option. We haven't gotten around to this yet.

Jigsaw-Code/outline-server#1628