SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

IP-based routing rules are not working (geoip-ru) #2009

Closed BLUEBL0B closed 2 months ago

BLUEBL0B commented 2 months ago

Operating system

Linux

System version

Ubuntu 24.04 LTS

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

-

Version

sing-box version 1.9.3

Environment: go1.22.3 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 085f60337799afc906069b540a38368968c123e4
CGO: disabled

Description

The test config file contains a rule to block connections to Russian IPs, but it does not work with vk.com. This site uses a Russian IP and I expect it to be blocked, but this does not happen, and the site can still be opened.

Reproduction

Here is the config file:

{
  "log": {
    "level": "trace",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "address": "local"
      }
    ]
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 2080
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "rule_set": [
      {
        "type": "remote",
        "tag": "geoip-ru",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geoip/raw/rule-set/geoip-ru.srs"
      }
    ],
    "rules": [
      {
        "rule_set": "geoip-ru",
        "inbound": "mixed-in",
        "outbound": "block"
      }
    ]
  }
}

If sing-box is started with this config, vk.com can still be opened.

Here are my proxy settings in Firefox browser: [image]

And here is the curl log:

ubuntu@ubuntu:~$ curl -x http://127.0.0.1:2080 -v vk.com
*   Trying 127.0.0.1:2080...
* Connected to 127.0.0.1 (127.0.0.1) port 2080
> GET http://vk.com/ HTTP/1.1
> Host: vk.com
> User-Agent: curl/8.5.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 301 Moved Permanently
< Content-Length: 164
< Access-Control-Expose-Headers: X-Frontend
< Connection: keep-alive
< Content-Type: text/html
< Date: Tue, 06 Aug 2024 21:31:56 GMT
< Keep-Alive: timeout=4
< Location: https://vk.com/
< Proxy-Connection: keep-alive
< Server: kittenx
< X-Frontend: front918200
< X-Trace-Id: CurEy6DcpBp6Kvidv1iKdJ3NTD_UWw
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>kittenx</center>
</body>
</html>
* Connection #0 to host 127.0.0.1 left intact

Logs

авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 INFO router: updated default interface wlp3s0, index 3
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 INFO inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:2080
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG router: updating rule-set geoip-ru from URL: https://github.com/SagerNet/sing-geoip/raw/rule-set/geoip-ru.srs
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 INFO outbound/direct[0]: outbound connection to github.com:443
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG dns: lookup domain github.com
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG outbound/direct[0]: outbound packet connection to 127.0.0.53:53
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG outbound/direct[0]: outbound packet connection to 127.0.0.53:53
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG dns: lookup succeed for github.com: 140.82.121.3
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 INFO outbound/direct[0]: outbound connection to raw.githubusercontent.com:443
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG dns: lookup domain raw.githubusercontent.com
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG outbound/direct[0]: outbound packet connection to 127.0.0.53:53
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG outbound/direct[0]: outbound packet connection to 127.0.0.53:53
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 DEBUG dns: lookup succeed for raw.githubusercontent.com: 185.199.108.133 185.199.109.133 185.199.110.133 185.199.111.133 2606:50c0:8000::154 2606:50c0:8001::154 2606:50c0:8003::154 2606:50c0:8002::154
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 INFO router: updated rule-set geoip-ru
авг 07 00:31:52 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:52 INFO sing-box started (0.688s)
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 INFO [2380746782 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:39726
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 INFO [2380746782 0ms] inbound/mixed[mixed-in]: inbound connection to vk.com:80
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 INFO [2380746782 0ms] outbound/direct[0]: outbound connection to vk.com:80
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 DEBUG [2380746782 0ms] dns: lookup domain vk.com
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 DEBUG [2380746782 0ms] outbound/direct[0]: outbound packet connection to 127.0.0.53:53
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 DEBUG [2380746782 0ms] outbound/direct[0]: outbound packet connection to 127.0.0.53:53
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 DEBUG [2380746782 37ms] dns: lookup succeed for vk.com: 87.240.132.72 87.240.132.67 93.186.225.194 87.240.129.133 87.240.132.78 87.240.137.164
авг 07 00:31:56 ubuntu sing-box[20678]: +0300 2024-08-07 00:31:56 DEBUG [2380746782 123ms] inbound/mixed[mixed-in]: connection closed: process connection from 127.0.0.1:39726: read http request: EOF


ydoKFVJQDymJcb commented 2 months ago

It turns out it was a bug. I'm just starting to learn how to use Singbox. With my configuration, there are some sites, like access.smartmidea.net and api.weathercn.com, that aren't in the GeoSite and don't follow GeoIP.

{
    "dns": {
        "rules": [
            {
                "server": "dns_direct",
                "rule_set": [
                    "geoip-cn",
                    "geosite-geolocation-cn"
                ]
            },
            {
                "server": "dns_fakeip",
                "query_type": [
                    "A",
                    "AAAA"
                ],
                "rewrite_ttl": 1
            }
        ],
        "final": "dns_direct"
    },
    "route": {
        "rules": [
            {
                "outbound": "route_direct",
                "rule_set": [
                    "geoip-cn",
                    "geosite-geolocation-cn"
                ]
            }
        ],
        "final": "route_proxy"
    },
    "rule_set": [
        {
            "tag": "geoip-cn",
            "type": "remote",
            "format": "binary",
            "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
        },
        {
            "tag": "geosite-geolocation-cn",
            "type": "remote",
            "format": "binary",
            "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
        }
    ]
}

I thought it was an issue on my end.

By the way, my Singbox version is 1.10.0-alpha.28

dyhkwong commented 2 months ago

This is by design. A pure domain name request does not match IP rules. Enable domain_strategy to resolve the domain name to IPs.
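A simplified model of the behaviour described in this reply, added here as an illustration and not sing-box's own code: an IP-only rule has nothing to compare against when the destination is a bare domain, so the request falls through to the default outbound unless the name is resolved before routing. The names `Dest`, `matchIPRule` and `route` are hypothetical, and the prefix `87.240.128.0/18` is constructed to cover the vk.com addresses in the log above; it is not taken from the real geoip-ru rule set.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Dest is a destination as the router sees it: an IP literal or a domain name.
type Dest struct {
	Domain   string
	IP       netip.Addr   // valid only for IP-literal destinations
	Resolved []netip.Addr // filled only when the name is resolved before routing
}

// matchIPRule reports whether an IP-only rule (a set of CIDR prefixes) matches.
// A bare domain with no resolved addresses has nothing to compare, so no match.
func matchIPRule(prefixes []netip.Prefix, d Dest) bool {
	addrs := d.Resolved
	if d.IP.IsValid() {
		addrs = append([]netip.Addr{d.IP}, addrs...)
	}
	for _, a := range addrs {
		for _, p := range prefixes {
			if p.Contains(a) {
				return true
			}
		}
	}
	return false
}

// route returns "block" if the IP rule matches, else the default "direct".
// A non-nil resolve stands in for domain_strategy being enabled.
func route(prefixes []netip.Prefix, d Dest, resolve func(string) []netip.Addr) string {
	if d.Domain != "" && resolve != nil {
		d.Resolved = resolve(d.Domain)
	}
	if matchIPRule(prefixes, d) {
		return "block"
	}
	return "direct"
}

func main() {
	// Constructed prefix and resolver; the address is one of those in the log.
	set := []netip.Prefix{netip.MustParsePrefix("87.240.128.0/18")}
	dns := func(string) []netip.Addr { return []netip.Addr{netip.MustParseAddr("87.240.132.72")} }
	fmt.Println(route(set, Dest{Domain: "vk.com"}, nil)) // no resolution: rule is skipped
	fmt.Println(route(set, Dest{Domain: "vk.com"}, dns)) // resolved first: rule applies
}
```

The point for anyone using IP rule sets as a block list is that the rule fails open for domain-addressed proxy requests, which matches the log above: the request is routed to `outbound/direct` before the DNS lookup for vk.com happens.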

ydoKFVJQDymJcb commented 2 months ago

Thanks for explaining