SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

route problem after migration to 1.11 #2256

Closed 10ta closed 1 week ago

10ta commented 2 weeks ago

Operating system

Linux

System version

debian12

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.11.0-alpha.10

Environment: go1.23.3 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 61eff2c591f8a681d2ddd12b5b73f9711b40b9b6
CGO: disabled

Description

The requests in the form of IP:port (of Telegram) will match rules of the domain_suffix type under a certain condition:

Reproduction

client config:

{
  "log": {
    "disabled": false,
    "level": "debug",
    "output": "",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "chinadns",
        "address": "https://223.5.5.5/dns-query"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "chinadns"
      }
    ],
    "independent_cache": true,
    "strategy": "ipv4_only",
    "final": "chinadns"
  },
  "route": {
    "auto_detect_interface": true,
    "override_android_vpn": true,
    "rules": [
      {
        "inbound": "TUN-IN",
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          {
            "rule_set": [
              "TELEGRAM"
            ],
            "invert": true 
          },
          {
            "protocol": "stun"
          }
        ],
        "action": "reject"
      },
      {
        "domain_suffix": [
          "66666666.com"
        ],
        "action": "reject"
      }
    ],
    "final": "DIRECT",
    "rule_set": [
      {
        "tag": "TELEGRAM",
        "type": "inline",
        "rules": [
          {
            "domain": [
              "api.imem.app",
              "api.swiftgram.app"
            ],
            "ip_cidr": [
              "109.239.140.0/24",
              "149.154.160.0/20",
              "5.28.192.0/18",
              "91.108.0.0/16",
              "2001:67c:4e8::/48",
              "2001:b28:f23c::/47",
              "2001:b28:f23f::/48",
              "2a0a:f280::/29"
            ],
            "domain_keyword": [
              "nicegram"
            ],
            "domain_suffix": [
              "cdn-telegram.org",
              "comments.app",
              "contest.com",
              "graph.org",
              "legra.ph",
              "mbrx.app",
              "quiz.directory",
              "stel.com",
              "t.me",
              "tdesktop.com",
              "telega.one",
              "telegra.ph",
              "telegram-cdn.org",
              "telegram.dog",
              "telegram.me",
              "telegram.org",
              "telegram.space",
              "telegramdownload.com",
              "telesco.pe",
              "tg.dev",
              "tx.me",
              "usercontent.dev"
            ]
          }
        ]
      }
    ]
  },
  "inbounds": [
    {
      "tag": "TUN-IN",
      "type": "tun",
      "stack": "system",
      "interface_name": "tun0",
      "auto_route": true,
      "auto_redirect": true,
      "address": [
        "172.18.0.1/30"
      ],
      "mtu": 9000,
      "strict_route": false
    }
  ],
  "outbounds": [
    {
      "tag": "DIRECT",
      "type": "direct"
    }
  ]
}

Logs

+0800 2024-11-09 22:03:13 INFO [233902832 0ms] inbound/tun[TUN-IN]: inbound redirect connection from 10.0.0.11:6228
+0800 2024-11-09 22:03:13 INFO [233902832 0ms] inbound/tun[TUN-IN]: inbound connection to 91.108.56.184:80
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: match[0] inbound=TUN-IN => sniff
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: sniffed protocol: http, domain: 91.108.56.184
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: match[2] domain_suffix=66666666.com => reject
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: dropped due to flooding
+0800 2024-11-09 22:03:13 INFO [971316749 0ms] inbound/tun[TUN-IN]: inbound redirect connection from 10.0.0.11:6242
+0800 2024-11-09 22:03:13 INFO [971316749 0ms] inbound/tun[TUN-IN]: inbound connection to 149.154.175.100:80
+0800 2024-11-09 22:03:13 DEBUG [971316749 0ms] router: match[0] inbound=TUN-IN => sniff
+0800 2024-11-09 22:03:13 DEBUG [971316749 0ms] router: sniffed protocol: http, domain: 149.154.175.100
+0800 2024-11-09 22:03:13 DEBUG [971316749 0ms] router: match[2] domain_suffix=66666666.com => reject
+0800 2024-11-09 22:03:13 DEBUG [971316749 0ms] router: dropped due to flooding

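A triage script for the debug log above, added here as an example and not part of the issue or of the sing-box project: it correlates the router lines by connection id, flags connections where the sniffed "domain" is only the destination IP literal yet a domain_* rule still fired, and reports whether that destination lies inside the TELEGRAM ip_cidr list from the config. The log format is assumed to match the 1.11 debug lines shown; the third connection in the sample is a constructed control with a real hostname.

```python
import ipaddress
import re

# Constructed sample: the two Telegram connections from the issue's log plus a
# control connection whose sniffed domain is a genuine 66666666.com hostname.
SAMPLE_LOG = """\
+0800 2024-11-09 22:03:13 INFO [233902832 0ms] inbound/tun[TUN-IN]: inbound connection to 91.108.56.184:80
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: match[0] inbound=TUN-IN => sniff
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: sniffed protocol: http, domain: 91.108.56.184
+0800 2024-11-09 22:03:13 DEBUG [233902832 0ms] router: match[2] domain_suffix=66666666.com => reject
+0800 2024-11-09 22:03:13 INFO [971316749 0ms] inbound/tun[TUN-IN]: inbound connection to 149.154.175.100:80
+0800 2024-11-09 22:03:13 DEBUG [971316749 0ms] router: sniffed protocol: http, domain: 149.154.175.100
+0800 2024-11-09 22:03:13 DEBUG [971316749 0ms] router: match[2] domain_suffix=66666666.com => reject
+0800 2024-11-09 22:03:14 INFO [111111111 0ms] inbound/tun[TUN-IN]: inbound connection to 203.0.113.7:443
+0800 2024-11-09 22:03:14 DEBUG [111111111 0ms] router: sniffed protocol: tls, domain: example.66666666.com
+0800 2024-11-09 22:03:14 DEBUG [111111111 0ms] router: match[2] domain_suffix=66666666.com => reject
"""

# IPv4 ranges from the TELEGRAM inline rule set in the issue's config.
TELEGRAM_CIDRS = [ipaddress.ip_network(c) for c in (
    "109.239.140.0/24", "149.154.160.0/20", "5.28.192.0/18", "91.108.0.0/16")]

CONN_RE = re.compile(r"\[(\d+) \d+ms\] (.*)$")            # connection id, message
DEST_RE = re.compile(r"inbound connection to (\S+):\d+$")   # destination host
SNIFF_RE = re.compile(r"sniffed protocol: (\w+), domain: (\S+)$")
MATCH_RE = re.compile(r"match\[\d+\] (domain\w*)=(\S+) => (\w+)$")  # domain_* rules only


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_suspect_matches(log_text):
    """Return (conn_id, dest_ip, (rule_type, rule_value, action), in_telegram_cidrs)
    for every connection where a domain_* rule matched on a bare IP literal."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, msg = m.groups()
        conn = conns.setdefault(cid, {})
        if (d := DEST_RE.search(msg)):
            conn["dest"] = d.group(1)
        elif (s := SNIFF_RE.search(msg)):
            conn["sniffed"] = s.group(2)
        elif (r := MATCH_RE.search(msg)):
            conn["rule"] = r.groups()
    suspects = []
    for cid, conn in conns.items():
        sniffed, rule = conn.get("sniffed"), conn.get("rule")
        if rule and sniffed and is_ip_literal(sniffed):
            ip = ipaddress.ip_address(conn.get("dest", sniffed))
            in_telegram = any(ip in net for net in TELEGRAM_CIDRS)
            suspects.append((cid, str(ip), rule, in_telegram))
    return suspects
```

Run on a full debug log, a non-empty result lists exactly the connections that were classified by a domain rule although no hostname was ever seen, which is the misrouting this issue reports.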

ghost commented 2 weeks ago

It seems that ipcidr does not match using the mask correctly.