SOCKS5 UDP route matching error #1370

Open
HMBSbige opened this issue Jan 16, 2024 · 9 comments · May be fixed by SagerNet/sing#62
Labels
bug Something isn't working

Comments

@HMBSbige

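Operating system

Linux

System version

ArchLinux

Installation type

sing-box original command-line program

If you are using a graphical client program, please provide its version.

No response

Version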

sing-box version 1.8.2

Environment: go1.21.6 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 216a0380fe85a88ea1c423ade15145b38d7dbe89
CGO: disabled

Description

The minimal reproduction configuration is as follows:

{
	"inbounds": [
		{
			"type": "socks",
			"listen_port": 1080
		}
	],
	"outbounds": [
		{
			"type": "direct",
			"tag": "direct"
		},
		{
			"type": "block",
			"tag": "block"
		}
	],
	"route": {
		"rules": [
			{
				"ip_cidr": "127.0.0.1",
				"outbound": "block"
			}
		],
		"final": "direct"
	}
}

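If the SOCKS5 client calls bind(127.0.0.1:0) on its UDP socket before the UDP associate, then after the request the log shows "inbound packet connection to 127.0.0.1:port" and the block rule is triggered.

Of course, 127.0.0.1 is only an example; in practice this address should not be matched against destination routes.

Steps to reproduce

This bug is platform-independent; on Windows, NatTypeTester can be used as the SOCKS5 client for testing

  1. Set the SOCKS5 proxy to 127.0.0.1:1080
  2. Set the local address to 127.0.0.1:0
  3. Click Test to send the request

Logs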

INFO[0010] [3526765493 0ms] inbound/socks[0]: inbound connection from 127.0.0.1:7157
INFO[0010] [3526765493 1ms] inbound/socks[0]: inbound packet connection to 127.0.0.1:51753
DEBUG[0010] [3526765493 1ms] router: match[0] ip_cidr=127.0.0.1 => block
INFO[0010] [3526765493 1ms] outbound/block[block]: blocked packet connection to 127.0.0.1:51753
DEBUG[0010] [3526765493 1ms] inbound/socks[0]: connection closed: process connection from 127.0.0.1:7157: read tcp 127.0.0.1:1080->127.0.0.1:7157: use of closed network connection


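### Integrity requirements

- [X] I confirm that I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
- [X] I confirm that I have provided server and client configuration files and steps that reproduce the problem locally, rather than a desensitized, complex client configuration file.
- [X] I confirm that I have provided the minimal configuration that reproduces the bug I am reporting, rather than relying on remote servers, TUN, graphical clients, or other closed-source software.
- [X] I confirm that I have provided complete configuration files and logs, rather than, out of confidence in my own intelligence, providing only the parts I consider useful.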
@nekohasekai
Member

RFC 1928 does not indicate that the DST of a UDP proxy request should be used as the bind address; send the issue to NatTypeTester.

@dyhkwong
Contributor

dyhkwong commented Jan 16, 2024

1dd2c26, in order to handle #755, made SOCKS5 UDP routing depend on client implementations that send a UDP associate with the address 0.0.0.0.

@HMBSbige
Author

Do you two mean that the SOCKS5 UDP socket must be bind(0.0.0.0:0), and cannot be any other local address?

@nekohasekai
Member

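It is generally considered that the ADDR of SOCKS5 UDP is still used to indicate the connection address. If it is 0.0.0.0:0, sing-box instead uses the address of the first packet for rule matching.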

@HMBSbige
Author

The DST.ADDR and DST.PORT fields contain the address and port that the client expects to use to send UDP datagrams on for the association.

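Using the DST in the UdpAssociate Request for destination route matching feels odd.

As an interaction between inbounds and the client, it is matched against rules such as ip_is_private and ip_cidr, rather than source_ip_is_private and source_ip_cidr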

@nekohasekai
Member

nekohasekai commented Jan 16, 2024

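My mistake. After checking, similar projects all ignore this address (except that v2ray's client still sends the target address); considering a proposal to correct the behavior.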

@nekohasekai nekohasekai added the bug Something isn't working label Jan 16, 2024
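
The two SOCKS5 messages discussed in this thread, parsed side by side as an added example (not part of the thread and not sing-box's code): the DST of the UDP ASSOCIATE request is kept only as a client-side hint, while the destination for rule matching is taken from each relayed datagram's own header. The function names and sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"net/netip"
)

// parseAddr decodes the RFC 1928 ATYP, ADDR, PORT triple into "host:port".
func parseAddr(b []byte) (string, error) {
	if len(b) < 2 {
		return "", errors.New("truncated address")
	}
	n := map[byte]int{0x01: 4, 0x04: 16, 0x03: 1 + int(b[1])}[b[0]] // ADDR length
	if n == 0 || len(b) < 1+n+2 {
		return "", errors.New("unknown ATYP or truncated address")
	}
	host := string(b[2 : 1+n]) // domain name bytes (ATYP 0x03)
	if ip, ok := netip.AddrFromSlice(b[1 : 1+n]); ok && b[0] != 0x03 {
		host = ip.String()
	}
	return net.JoinHostPort(host, fmt.Sprint(binary.BigEndian.Uint16(b[1+n:]))), nil
}

// associateHint reads VER CMD RSV ATYP DST.ADDR DST.PORT; DST is the client's sending socket.
func associateHint(req []byte) (string, error) {
	if len(req) < 4 || req[0] != 0x05 || req[1] != 0x03 {
		return "", errors.New("not a SOCKS5 UDP ASSOCIATE request")
	}
	return parseAddr(req[3:])
}

// routeDestination reads RSV RSV FRAG ATYP DST.ADDR DST.PORT DATA from a relayed datagram.
func routeDestination(pkt []byte) (string, error) {
	if len(pkt) < 4 || pkt[0] != 0 || pkt[1] != 0 || pkt[2] != 0 {
		return "", errors.New("bad header or fragmented datagram (FRAG != 0)")
	}
	return parseAddr(pkt[3:])
}

// Constructed samples: request as in the issue's log; datagram target is a documentation address.
var sampleRequest = []byte{0x05, 0x03, 0x00, 0x01, 127, 0, 0, 1, 0xCA, 0x29}
var sampleDatagram = []byte{0x00, 0x00, 0x00, 0x01, 192, 0, 2, 10, 0x0D, 0x96, 'x'}

func main() {
	fmt.Println(associateHint(sampleRequest))     // client-side hint, not a route target
	fmt.Println(routeDestination(sampleDatagram)) // address destination rules are matched on
}
```

With the configuration from the report, matching ip_cidr against the second value instead of the first means a client bound to 127.0.0.1 no longer triggers the block rule by itself.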

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the Stale label Mar 17, 2024
@dyhkwong dyhkwong removed the Stale label Mar 17, 2024

@github-actions github-actions bot added the Stale label May 17, 2024
@dyhkwong dyhkwong linked a pull request May 19, 2024 that will close this issue
@dyhkwong dyhkwong removed the Stale label May 19, 2024