Make gVisor optional

.goreleaser.yaml

@@ -11,6 +11,7 @@ builds:
     ldflags:
       - -s -w -buildid=
     tags:
+      - with_gvisor
       - with_quic
       - with_wireguard
       - with_clash_api

Dockerfile

@@ -8,7 +8,7 @@ ENV CGO_ENABLED=0
 RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
-    && go build -v -trimpath -tags 'no_gvisor,with_quic,with_wireguard,with_acme' \
+    && go build -v -trimpath -tags with_quic,with_wireguard,with_acme \
         -o /go/bin/sing-box \
         -ldflags "-s -w -buildid=" \
         ./cmd/sing-box

Makefile

@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_quic,with_wireguard,with_clash_api
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_clash_api
 PARAMS = -v -trimpath -tags '$(TAGS)' -ldflags '-s -w -buildid='
 MAIN = ./cmd/sing-box
 
@@ -62,7 +62,7 @@ test:
 	@go test -v . && \
 	cd test && \
 	go mod tidy && \
-	go test -v -tags with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_shadowsocksr .
+	go test -v -tags with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_shadowsocksr .
 
 clean:
 	rm -rf bin dist

docs/configuration/inbound/tun.md

@@ -16,7 +16,7 @@
   "auto_route": true,
   "strict_route": true,
   "endpoint_independent_nat": false,
-  "stack": "gvisor",
+  "stack": "system",
   "include_uid": [
     0
   ],
@@ -112,15 +112,15 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).
 
 TCP/IP stack.
 
-| Stack            | Description                                                                    | Status            |
-|------------------|--------------------------------------------------------------------------------|-------------------|
-| gVisor (default) | Based on [google/gvisor](https://github.com/google/gvisor)                     | recommended       |
- | system           | Less compatibility and sometimes better performance.                           | recommended       |
-| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | upstream archived |
+| Stack            | Description                                                                      | Status            |
+|------------------|----------------------------------------------------------------------------------|-------------------|
+| system (default) | Sometimes better performance                                                     | recommended       |
+| gVisor           | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
+| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
 
 !!! warning ""
 
-    The LWIP stack is not included by default, see [Installation](/#installation).
+    gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
 
 #### include_uid
 

docs/configuration/inbound/tun.zh.md

@@ -16,7 +16,7 @@
   "auto_route": true,
   "strict_route": true,
   "endpoint_independent_nat": false,
-  "stack": "gvisor",
+  "stack": "system",
   "include_uid": [
     0
   ],
@@ -107,15 +107,15 @@ UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
 
 TCP/IP 栈。
 
-| 栈                | 描述                                                                       | 状态    |
-|------------------|--------------------------------------------------------------------------|-------|
-| gVisor (default) | 基于 [google/gvisor](https://github.com/google/gvisor)                     | 推荐    |
-| system           | 兼容性较差，有时性能更好。                                                            | 推荐    |
-| LWIP             | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
+| 栈           | 描述                                                                       | 状态    |
+|-------------|--------------------------------------------------------------------------|-------|
+| system （默认） | 有时性能更好                                                                   | 推荐    |
+| gVisor      | 兼容性较好，基于 [google/gvisor](https://github.com/google/gvisor)               | 推荐    |
+| LWIP        | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
 
 !!! warning ""
 
-    默认安装不包含 LWIP 栈，请参阅 [安装](/zh/#_2)。
+    默认安装不包含 gVisor 和 LWIP 栈，请参阅 [安装](/zh/#_2)。
 
 #### include_uid
 
@@ -145,10 +145,10 @@ TCP/IP 栈。
 
 限制被路由的 Android 用户。
 
-| 常用用户 | ID  |
+| 常用用户 | ID |
 |--|-----|
-| 您 | 0   |
-| 工作资料 | 10  |
+| 您 | 0 |
+| 工作资料 | 10 |
 
 #### include_package
 

docs/configuration/outbound/wireguard.md

@@ -26,6 +26,10 @@
 
     WireGuard is not included by default, see [Installation](/#installation).
 
+!!! warning ""
+
+    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](/#installation).
+
 ### Fields
 
 #### server
@@ -44,7 +48,9 @@ The server port.
 
 Use system tun support.
 
-Requires privileges and cannot conflict with system interfaces.
+Requires privilege and cannot conflict with system interfaces.
+
+Forced if gVisor not included in the build.
 
 #### interface_name
 

docs/configuration/outbound/wireguard.zh.md

@@ -26,6 +26,10 @@
 
     默认安装不包含 WireGuard, 参阅 [安装](/zh/#_2)。
 
+!!! warning ""
+
+    默认安装不包含被非特权 WireGuard 需要的 gVisor, 参阅 [安装](/zh/#_2)。
+
 ### 字段
 
 #### server
@@ -46,6 +50,8 @@
 
 需要特权且不能与系统接口冲突。
 
+如果 gVisor 未包含在构建中，则强制执行。
+
 #### interface_name
 
 启用 `system_interface` 时的自定义设备名称。

docs/index.md

@@ -32,7 +32,7 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 | `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](./configuration/shared/tls#utls).                                                                                                                                                                                          |
 | `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                          |
 | `with_clash_api`                   | Build with Clash API support, see [Experimental](./configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `no_gvisor`                        | Build without gVisor Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                   |
+| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](./configuration/inbound/tun#stack) and [WireGuard outbound](./configuration/outbound/wireguard#system_interface).                                                                                                                                                                  |
 | `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](./configuration/outbound/tor).                                                                                                                                                                                                                                              |
 | `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                        |
 

docs/index.zh.md

@@ -25,14 +25,14 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 | 构建标志                         | 描述                                                                                                                                                                                                                                                                           |
 |------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server)，[Naive 入站](./configuration/inbound/naive)，[Hysteria 入站](./configuration/inbound/hysteria)，[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
-| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
+| `with_grpc`                  | 启用标准 gRPCuTLS](https://github.com/refraction-networking/utls) 支持， 参阅 [TLS](./configuration/shared/tls#utls)。                                                                                                                                                                      |
+| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
+| `with_clash_api`             | 启用 Clash api 支 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
 | `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
 | `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](./configuration/outbound/shadowsocksr)。                                                                                                                                                                                              |
 | `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
-| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持， 参阅 [TLS](./configuration/shared/tls#utls)。                                                                                                                                                                      |
-| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
-| `with_clash_api`             | 启用 Clash api 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
-| `no_gvisor`                  | 禁用 gVisor Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                            |
+| `with_utls`                  | 启用 [持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
+| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](./configuration/inbound/tun#stack) 和 [WireGuard 出站](./configuration/outbound/wireguard#system_interface)。                                                                                                                                           |
 | `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](./configuration/outbound/tor)。                                                                                                                                                                                                                     |
 | `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                              |
 

go.mod

@@ -23,10 +23,10 @@ require (
 	github.com/pires/go-proxyproto v0.6.2
 	github.com/refraction-networking/utls v1.1.2
 	github.com/sagernet/quic-go v0.0.0-20220818150011-de611ab3e2bb
-	github.com/sagernet/sing v0.0.0-20220914045234-93cc53b60cee
+	github.com/sagernet/sing v0.0.0-20220915031330-38f39bc0c690
 	github.com/sagernet/sing-dns v0.0.0-20220913115644-aebff1dfbba8
 	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20220914100102-057dd738a7f7
+	github.com/sagernet/sing-tun v0.0.0-20220915032336-60b1da576469
 	github.com/sagernet/sing-vmess v0.0.0-20220913015714-c4ab86d40e12
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e

go.sum

@@ -145,14 +145,14 @@ github.com/sagernet/quic-go v0.0.0-20220818150011-de611ab3e2bb h1:wc0yQ+SBn4TaTY
 github.com/sagernet/quic-go v0.0.0-20220818150011-de611ab3e2bb/go.mod h1:MIccjRKnPTjWwAOpl+AUGWOkzyTd9tERytudxu+1ra4=
 github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.0.0-20220914045234-93cc53b60cee h1:+3w7+QWnhWi3Qz7+Xcais8zViHRUPIkmxq3eYZm/zvk=
-github.com/sagernet/sing v0.0.0-20220914045234-93cc53b60cee/go.mod h1:x3NHUeJBQwV75L51zwmLKQdLtRvR+M4PmXkfQtU1vIY=
+github.com/sagernet/sing v0.0.0-20220915031330-38f39bc0c690 h1:pvaLdkDmsGN2K46vf8rorAhYGFvKPuQNzcofuy3aXXg=
+github.com/sagernet/sing v0.0.0-20220915031330-38f39bc0c690/go.mod h1:x3NHUeJBQwV75L51zwmLKQdLtRvR+M4PmXkfQtU1vIY=
 github.com/sagernet/sing-dns v0.0.0-20220913115644-aebff1dfbba8 h1:Iyfl+Rm5jcDvXuy/jpOBI3eu35ujci50tkqYHHwwg+8=
 github.com/sagernet/sing-dns v0.0.0-20220913115644-aebff1dfbba8/go.mod h1:bPVnJ5gJ0WmUfN1bJP9Cis0ab8SSByx6JVzyLJjDMwA=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20220914100102-057dd738a7f7 h1:zdvFDYMz8s0e9UmOxMk0wNGOKh64KfeWpx8UAbJJI60=
-github.com/sagernet/sing-tun v0.0.0-20220914100102-057dd738a7f7/go.mod h1:5AhPUv9jWDQ3pv3Mj78SL/1TSjhoaj6WNASxRKLqXqM=
+github.com/sagernet/sing-tun v0.0.0-20220915032336-60b1da576469 h1:tvGUJsOqxZ3ofAY9undQfQ+JCWvmIwLpIOC+XaBFO88=
+github.com/sagernet/sing-tun v0.0.0-20220915032336-60b1da576469/go.mod h1:5AhPUv9jWDQ3pv3Mj78SL/1TSjhoaj6WNASxRKLqXqM=
 github.com/sagernet/sing-vmess v0.0.0-20220913015714-c4ab86d40e12 h1:4HYGbTDDemgBVTmaspXbkgjJlXc3hYVjNxSddJndq8Y=
 github.com/sagernet/sing-vmess v0.0.0-20220913015714-c4ab86d40e12/go.mod h1:u66Vv7NHXJWfeAmhh7JuJp/cwxmuQlM56QoZ7B7Mmd0=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=

outbound/wireguard.go

@@ -16,6 +16,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/wireguard"
+	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -98,7 +99,7 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 	}
 	var wireTunDevice wireguard.Device
 	var err error
-	if !options.SystemInterface {
+	if !options.SystemInterface && tun.WithGVisor {
 		wireTunDevice, err = wireguard.NewStackDevice(localPrefixes, mtu)
 	} else {
 		wireTunDevice, err = wireguard.NewSystemDevice(router, options.InterfaceName, localPrefixes, mtu)

release/local/debug.sh

@@ -13,7 +13,7 @@ pushd $PROJECT
 git fetch
 git reset FETCH_HEAD --hard
 git clean -fdx
-go install -v -trimpath -ldflags "-s -w -buildid=" -tags no_gvisor,with_quic,with_acme,debug ./cmd/sing-box
+go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_acme,debug ./cmd/sing-box
 popd
 
 sudo systemctl stop sing-box

release/local/install.sh

@@ -10,7 +10,7 @@ DIR=$(dirname "$0")
 PROJECT=$DIR/../..
 
 pushd $PROJECT
-go install -v -trimpath -ldflags "-s -w -buildid=" -tags no_gvisor,with_quic,with_wireguard,with_acme ./cmd/sing-box
+go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_wireguard,with_acme ./cmd/sing-box
 popd
 
 sudo cp $(go env GOPATH)/bin/sing-box /usr/local/bin/

release/local/reinstall.sh

@@ -10,7 +10,7 @@ DIR=$(dirname "$0")
 PROJECT=$DIR/../..
 
 pushd $PROJECT
-go install -v -trimpath -ldflags "-s -w -buildid=" -tags no_gvisor,with_quic,with_wireguard,with_acme ./cmd/sing-box
+go install -v -trimpath -ldflags "-s -w -buildid=" -tags with_quic,with_wireguard,with_acme ./cmd/sing-box
 popd
 
 sudo systemctl stop sing-box

transport/wireguard/device_stack.go

@@ -1,4 +1,4 @@
-//go:build !no_gvisor
+//go:build with_gvisor
 
 package wireguard
 

transport/wireguard/device_stack_stub.go

@@ -1,4 +1,4 @@
-//go:build no_gvisor
+//go:build !with_gvisor
 
 package wireguard