SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Problem with port rule matching #2274

Closed nunu6689 closed 1 week ago

nunu6689 commented 1 week ago

Operating system

Linux

System version

openwrt 23.05.05

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.11.0-alpha.13

Environment: go1.23.3 linux/arm64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: c0e48f865eccdf93a82cfe4627a5eba0b6fac6e9
CGO: disabled

Description

If there's a previous rule with a matching port that didn't match other conditions, the next rule with a port/port_range will match any port.

The stable version 1.10.1 doesn't have this issue.

Reproduction

./sing-box run -c config.json
curl -vx 127.0.0.1:2080 https://apple.com

Config:

{
    "log": {
        "level": "trace",
        "timestamp": true
    },
    "inbounds": [
        {
            "type": "mixed",
            "tag": "mixed-in",
            "listen": "127.0.0.1",
            "listen_port": 2080
        }
    ],
    "outbounds": [
        {
            "type": "direct",
            "tag": "DIRECT"
        }
    ],
    "route": {
        "rules": [
            {
                "network": "udp",
                "port": 443,
                "action": "reject",
                "method": "default"
            },
            {
                "port": [
                    18008,
                    30006,
                    30008,
                    8500,
                    8700,
                    30000,
                    29134,
                    12346,
                    8100,
                    8700
                ],
                "action": "reject",
                "method": "default"
            }
        ],
        "default_interface": "wlan0"
    }
}

Logs

+0800 2024-11-13 09:20:11 INFO network: updated default interface eth1, index 6
+0800 2024-11-13 09:20:11 INFO inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:2080
+0800 2024-11-13 09:20:11 INFO sing-box started (0.11s)
+0800 2024-11-13 09:20:42 INFO [983518438 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:52032
+0800 2024-11-13 09:20:42 INFO [983518438 1ms] inbound/mixed[mixed-in]: inbound connection to apple.com:443
+0800 2024-11-13 09:20:42 DEBUG [983518438 1ms] router: match[1] port=[18008 30006 30008 8500 8700 30000 29134 12346 8100 8700] => reject


nunu6689 commented 1 week ago

Aight it seems to be fixed now thanks.
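
A log check for the behaviour reported in this issue, as an added example that is not part of the thread or of sing-box's own code: it evaluates the config's two rules with every listed condition required (only `network` and `port` are modelled) and flags any `router: match[N]` trace line whose rule index differs from that result. The network is an assumption supplied by the caller, since the quoted log lines do not carry it; the curl request through the mixed inbound is TCP.

```python
import re

# Route rules copied from the issue's config (only the fields it uses).
RULES = [
    {"network": "udp", "port": 443, "action": "reject"},
    {"port": [18008, 30006, 30008, 8500, 8700, 30000, 29134, 12346, 8100, 8700],
     "action": "reject"},
]

# Trace lines copied from the issue's log (startup lines omitted).
LOG = """\
+0800 2024-11-13 09:20:42 INFO [983518438 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:52032
+0800 2024-11-13 09:20:42 INFO [983518438 1ms] inbound/mixed[mixed-in]: inbound connection to apple.com:443
+0800 2024-11-13 09:20:42 DEBUG [983518438 1ms] router: match[1] port=[18008 30006 30008 8500 8700 30000 29134 12346 8100 8700] => reject
"""

DEST = re.compile(r"\[(\d+) \d+ms\] inbound/\S+: inbound connection to \S+:(\d+)$")
MATCH = re.compile(r"\[(\d+) \d+ms\] router: match\[(\d+)\] .* => \S+$")

def expected_rule(rules, network, port):
    """Index of the first rule whose conditions ALL hold, else None."""
    for i, rule in enumerate(rules):
        ports = rule.get("port")
        ports = [ports] if isinstance(ports, int) else ports
        if "network" in rule and rule["network"] != network:
            continue  # network condition present and not satisfied
        if ports is not None and port not in ports:
            continue  # port condition present and not satisfied
        return i
    return None

def audit(log, rules, network="tcp"):
    """Return (conn_id, dest_port, logged_rule, expected_rule) per mismatch."""
    dest, findings = {}, []
    for line in log.splitlines():
        if m := DEST.search(line):
            dest[m.group(1)] = int(m.group(2))  # remember port per connection id
        elif (m := MATCH.search(line)) and m.group(1) in dest:
            port, logged = dest[m.group(1)], int(m.group(2))
            want = expected_rule(rules, network, port)
            if logged != want:
                findings.append((m.group(1), port, logged, want))
    return findings

if __name__ == "__main__":
    for conn, port, logged, want in audit(LOG, RULES):
        print(f"conn {conn}: port {port} hit rule {logged}, expected {want}")
```

Run against a trace-level log from a build under test, an empty result means every logged match agrees with the modelled rules.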