tcp,udp,icmp: force use ipn.[Base|Exit] for firestack's own egress

Author: ignoramous

intra/common.go

@@ -225,8 +225,24 @@ func (h *baseHandler) onFlow(localaddr, target netip.AddrPort) (fm *Mark, undidA
 		log.W("com: %s: onFlow: empty res or on flow timeout %t; block!", h.proto, ok)
 		fm = optionsBlock
 	} else if len(fm.PIDCSV) <= 0 {
-		log.E("com: %s: onFlow: no pid for (%s => %s) from kt (alg: %v + %v); exit!", h.proto, src, dst, ips, doms)
-		fm.PIDCSV = ipn.Exit
+		if pre.IsUidSelf {
+			fm.PIDCSV = ipn.Exit
+		} else if h.prox.AutoActive() {
+			fm.PIDCSV = ipn.Auto
+		} else {
+			fm.PIDCSV = ipn.Exit
+		}
+		log.E("com: %s: onFlow: no pid for (%s => %s) from kt (alg: %v + %v); %s!",
+			h.proto, src, dst, ips, doms, fm.PIDCSV)
+	}
+	if pre.IsUidSelf && !ipn.IsAnyLocalProxy(strings.Split(fm.PIDCSV, ",")...) {
+		egress := ipn.Exit
+		if h.resolver.IsDnsAddr(target) {
+			egress = ipn.Base // see: udp.go:dnsOverride
+		}
+		log.W("com: %s: onFlow: preflow: pid (%s => %s) is rethink! override %s to %s!",
+			h.proto, src, dst, fm.PIDCSV, egress)
+		fm.PIDCSV = egress
 	}
 
 	return

intra/ipn/proxies.go

@@ -1474,6 +1474,15 @@ func isWG(id string) bool {
 	return strings.Contains(id, WG)
 }
 
+func IsAnyLocalProxy(ids ...string) bool {
+	for _, id := range ids {
+		if local(id) {
+			return true
+		}
+	}
+	return false
+}
+
 // Base, Block, Exit, Rpn64, Ingress
 func local(id string) bool {
 	return id == Base || id == Block || id == Exit || id == Rpn64 || id == Ingress