SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Mixed/Socks Inbound: auth_user rule doesn't always work #292

Closed mazzz1y closed 1 year ago

mazzz1y commented 1 year ago


Description of the problem

The routing rule with the `auth_user` field sometimes doesn't work and traffic goes to the next rule in the chain. It causes a connection leak.

Type of connection: BitTorrent client (qBittorrent) over a SOCKS proxy with authorization.

I debugged a bit and some connections don't have the `metadata.User` field. I think that is the reason.

Version of sing-box

```console
$ sing-box version
sing-box version 1.1.1

Environment: go1.19.4 linux/amd64
Tags: with_v2ray_api,with_utls
Revision: 2016217c86e85391b5a337e338dc79ef783ca29e
CGO: disabled
```

Also tried with the `dev` branch.

Server and client configuration file

I expect that all traffic from `mixed-in/user-1` will go only through `2-trojan-out` due to the routing rules:

```json
{
  "log": {
    "disabled": false,
    "level": "debug"
  },
  "experimental": {
    "v2ray_api": {
      "listen": "0.0.0.0:54321",
      "stats": {
        "enabled": true,
        "inbounds": ["mixed-in", "trojan-in"],
        "outbounds": ["1-trojan-out", "2-trojan-out"]
      }
    }
  },
  "dns": {
    "final": "dns-1",
    "strategy": "ipv4_only",
    "servers": [
      { "tag": "dns-1", "address": "tcp://127.0.0.1:5053", "detour": "1-trojan-out" },
      { "tag": "dns-2", "address": "tcp://127.0.0.1:5053", "detour": "2-trojan-out" },
      { "tag": "local", "address": "local", "detour": "direct-out" }
    ]
  },
  "route": {
    "geoip": { "path": "/data/geoip.db", "download_detour": "1-trojan-out" },
    "geosite": { "path": "/data/geosite.db", "download_detour": "1-trojan-out" },
    "final": "block-out",
    "rules": [
      { "port": [53], "outbound": "dns-out" },
      { "inbound": ["mixed-in"], "auth_user": ["user-1"], "outbound": "2-trojan-out" },
      { "inbound": ["trojan-in", "mixed-in"], "outbound": "1-trojan-out" }
    ]
  },
  "inbounds": [
    { "type": "direct", "tag": "dns-in", "listen": "::", "listen_port": 5053 },
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "::",
      "listen_port": 1080,
      "sniff": false,
      "domain_strategy": "prefer_ipv4",
      "users": [
        { "username": "user-1", "password": "xxx" },
        { "username": "user-2", "password": "xxx" }
      ]
    },
    {
      "type": "trojan",
      "tag": "trojan-in",
      "listen": "0.0.0.0",
      "listen_port": 4433,
      "sniff": true,
      "sniff_override_destination": false,
      "domain_strategy": "ipv4_only",
      "users": [
        { "password": "xxx", "name": "xxx" }
      ],
      "tls": {
        "enabled": true,
        "server_name": "xxx",
        "alpn": ["h2", "http/1.1"],
        "certificate_path": "xxx",
        "key_path": "xxx"
      }
    }
  ],
  "outbounds": [
    { "type": "block", "tag": "block-out" },
    { "type": "direct", "tag": "direct-out" },
    { "type": "dns", "tag": "dns-out" },
    {
      "type": "trojan",
      "tag": "1-trojan-out",
      "server": "1-trojan-ip",
      "server_port": 443,
      "password": "xxx",
      "tls": {
        "enabled": true,
        "server_name": "xxx",
        "insecure": false,
        "alpn": ["h2", "http/1.1"],
        "utls": { "enabled": true }
      },
      "multiplex": { "enabled": true, "max_streams": 32 },
      "domain_strategy": "prefer_ipv4"
    },
    {
      "type": "trojan",
      "tag": "2-trojan-out",
      "server": "2-trojan-ip",
      "server_port": 443,
      "password": "xxx",
      "tls": {
        "enabled": true,
        "server_name": "xxx",
        "insecure": false,
        "alpn": ["h2", "http/1.1"],
        "utls": { "enabled": true }
      },
      "multiplex": { "enabled": true, "max_streams": 32 },
      "domain_strategy": "prefer_ipv4"
    }
  ]
}
```

Server and client log file

As a file due to the large size: [1.log](https://github.com/SagerNet/sing-box/files/10239074/1.log)

Please pay attention to these lines:

inbound/mixed[mixed-in]: inbound packet connection to 0.0.0.0:0
router: match[2] inbound=[trojan-in mixed-in] => 1-trojan-out
outbound/trojan[1-trojan-out]: outbound multiplex packet connection to 0.0.0.0:0

Additional info

As a workaround I added a rule to block all `mixed-in` connections with a non-matching `auth_user` field.
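The failure mode and the workaround above as an added, self-contained model (not sing-box's router code, and not the reporter's config): a first-match rule chain in Go with the three rules from the posted config, evaluated against constructed connection metadata. The `Metadata` and `Rule` types, their field names and the `Route` function are assumptions made for this illustration; what it shows is that a connection reaching the router with an empty user (like the `0.0.0.0:0` packet connection in the log) can never satisfy an `auth_user` selector, so it falls through to the shared `inbound` catch-all, and that putting a per-inbound block rule after the user-specific rules makes the chain fail closed.

```go
package main

import "fmt"

// Metadata is a simplified stand-in for the per-connection metadata a
// router sees. Assumed shape for this example, not sing-box's InboundContext.
type Metadata struct {
	Inbound  string // inbound tag, e.g. "mixed-in"
	User     string // authenticated user; empty if the inbound never set it
	DestPort uint16
}

// Rule is one first-match routing rule: every non-empty selector must match.
type Rule struct {
	Inbound  []string
	AuthUser []string
	Port     []uint16
	Outbound string
}

func contains[T comparable](set []T, v T) bool {
	for _, x := range set {
		if x == v {
			return true
		}
	}
	return false
}

// Match reports whether every selector present in the rule matches m.
func (r Rule) Match(m Metadata) bool {
	if len(r.Inbound) > 0 && !contains(r.Inbound, m.Inbound) {
		return false
	}
	// An auth_user selector can only match a connection that carries a
	// user. A connection whose User is empty never matches and falls through.
	if len(r.AuthUser) > 0 && !contains(r.AuthUser, m.User) {
		return false
	}
	if len(r.Port) > 0 && !contains(r.Port, m.DestPort) {
		return false
	}
	return true
}

// Route returns the outbound tag of the first matching rule, or final.
func Route(rules []Rule, final string, m Metadata) string {
	for _, r := range rules {
		if r.Match(m) {
			return r.Outbound
		}
	}
	return final
}

// OriginalRules mirrors route.rules from the posted config.
var OriginalRules = []Rule{
	{Port: []uint16{53}, Outbound: "dns-out"},
	{Inbound: []string{"mixed-in"}, AuthUser: []string{"user-1"}, Outbound: "2-trojan-out"},
	{Inbound: []string{"trojan-in", "mixed-in"}, Outbound: "1-trojan-out"},
}

// FailClosedRules is the workaround shape: one rule per known user, then a
// block rule for anything else from mixed-in, so a connection that lost its
// User is dropped instead of riding the catch-all to the wrong outbound.
var FailClosedRules = []Rule{
	{Port: []uint16{53}, Outbound: "dns-out"},
	{Inbound: []string{"mixed-in"}, AuthUser: []string{"user-1"}, Outbound: "2-trojan-out"},
	{Inbound: []string{"mixed-in"}, AuthUser: []string{"user-2"}, Outbound: "1-trojan-out"},
	{Inbound: []string{"mixed-in"}, Outbound: "block-out"},
	{Inbound: []string{"trojan-in"}, Outbound: "1-trojan-out"},
}

func main() {
	// Constructed samples: a normal user-1 TCP connection, the packet
	// connection from the log that arrived without a User, and a trojan-in
	// connection that must keep working under both rule sets.
	samples := []Metadata{
		{Inbound: "mixed-in", User: "user-1", DestPort: 443},
		{Inbound: "mixed-in", User: "", DestPort: 0},
		{Inbound: "trojan-in", User: "", DestPort: 443},
	}
	for _, m := range samples {
		fmt.Printf("%+v: original=%s fail-closed=%s\n", m,
			Route(OriginalRules, "block-out", m),
			Route(FailClosedRules, "block-out", m))
	}
}
```

The trade-off is visible in the second sample: with the fail-closed chain a user-1 packet connection that reaches the router without its user is blocked rather than leaked, which is the right default for a per-user egress policy but also means user-1's UDP stops working until the inbound populates the user correctly (the commit referenced in the next comment is the actual fix for that).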

nekohasekai commented 1 year ago

Try 9e67f3b4a59f6310f1a7df452e6659b148915848

mazzz1y commented 1 year ago

Can't reproduce now. Thank you.