Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SOCKS5 UDP route issue #2356

Open
4 of 5 tasks
dyhkwong opened this issue Dec 10, 2024 · 3 comments
Open
4 of 5 tasks

SOCKS5 UDP route issue #2356

dyhkwong opened this issue Dec 10, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@dyhkwong
Copy link
Contributor

Operating system

Windows

System version

Windows 11 26100.2454

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.11.0-beta.8

Environment: go1.23.4 windows/amd64
Tags: with_gvisor,with_dhcp,with_clash_api,with_quic,with_utls
Revision: 8a138e34ccac59295e90a3885e8225631aa26311
CGO: disabled

Description

Since the route refactoring of v1.11, SOCKS5 UDP can't be route correctly. Previously only scenario in #1370 is affected, but this gets worse since version 1.11.

https://github.com/SagerNet/sing/blob/809d8eca139712f6c833cea813674a1cb1154ba5/protocol/socks/handshake.go#L270
A line of destination = request.Destination is missing. However, this violated related RFCs, and a correct fix should always fill the destination with 0.0.0.0:0 as described in #1370.

sing-box/route/route.go

Lines 464 to 475 in 8a138e3

if !preMatch && metadata.Destination.Addr.IsUnspecified() {
newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{}, inputConn, inputPacketConn)
if newErr != nil {
fatalErr = newErr
return
}
if newBuffer != nil {
buffers = append(buffers, newBuffer)
} else if len(newPacketBuffers) > 0 {
packetBuffers = append(packetBuffers, newPacketBuffers...)
}
}

These lines are for handling 0.0.0.0:0, but they should be moved to a location before :match.

sing-box/route/route.go

Line 368 in 8a138e3

match:

Reproduction

Use software that support SOCKS5 UDP ASSOCIATE to test. e.g. configure NATTypeTester to use SOCKS5 proxy 127.0.0.1:1080 and do UDP STUN test.

{
    "log": {
        "level": "debug"
    },
    "inbounds": [
        {
            "type": "socks",
            "listen": "127.0.0.1",
            "listen_port": 1080,
        }
    ],
    "outbounds": [
        {
            "type": "direct"
        }
    ],
    "route": {
        "rules": [
            {
                "ip_cidr": [
                    "0.0.0.0/0"
                ],
                "action": "reject"
            }
        ]
    }
}

Logs

>sing-box.exe run -c config.json
INFO[0000] network: updated default interface WLAN, index 15
INFO[0000] inbound/socks[0]: tcp server started at 127.0.0.1:1080
INFO[0000] sing-box started (0.11s)
INFO[0021] [4133872565 0ms] inbound/socks[0]: inbound connection from 127.0.0.1:62351
INFO[0021] [4133872565 15ms] inbound/socks[0]: inbound packet connection to :0
INFO[0021] [4133872565 15ms] outbound/direct[0]: outbound packet connection
INFO[0043] [564257197 0ms] inbound/socks[0]: inbound connection from 127.0.0.1:62470
INFO[0043] [564257197 14ms] inbound/socks[0]: inbound packet connection to :0
INFO[0043] [564257197 14ms] outbound/direct[0]: outbound packet connection

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
@mazzz1y
Copy link
Contributor

mazzz1y commented Dec 13, 2024

The same issue in v1.11.0-beta.9:

config.json 
{
  "log": {
    "disabled": false,
    "level": "debug"
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 10888
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "direct-out",
    "rules": [
      {
        "port": 53,
        "action": "reject"
      }
    ]
  }
}

Here I'm sending a DNS request over a SOCKS proxy:

» docker run --net=host -v $PWD/config.json:/config.json -it ghcr.io/sagernet/sing-box:v1.11.0-beta.9 -c /config.json run
INFO[0000] network: updated default interface wlp0s20f3, index 2
INFO[0000] inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:10888
INFO[0000] sing-box started (0.00s)
INFO[0002] [3058626039 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:41076
INFO[0002] [3058626039 0ms] inbound/mixed[mixed-in]: inbound packet connection to :0
DEBUG[0002] [3058626039 0ms] router: sniffed packet protocol: dns
INFO[0002] [3058626039 1ms] outbound/direct[direct-out]: outbound packet connection
ERROR[0002] [3058626039 1ms] inbound/mixed[mixed-in]: process connection from 127.0.0.1:41076: invalid argument
» docker run --net=host -v $PWD/config.json:/config.json -it ghcr.io/sagernet/sing-box:v1.11.0-beta.8 -c /config.json run
INFO[0000] network: updated default interface wlp0s20f3, index 2
INFO[0000] inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:10888
INFO[0000] sing-box started (0.00s)
INFO[0001] [1992170862 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:42362
INFO[0001] [1992170862 0ms] inbound/mixed[mixed-in]: inbound packet connection to :0
INFO[0001] [1992170862 0ms] outbound/direct[direct-out]: outbound packet connection

I see two differences between these two versions: in beta 9, I see an "invalid arguments" error, and the sniffer detected a DNS packet, even though I didn't enable it.

@mazzz1y mazzz1y mentioned this issue Dec 14, 2024
Closed
5 tasks
@nekohasekai nekohasekai added the bug Something isn't working label Dec 15, 2024
@mazzz1y
Copy link
Contributor

mazzz1y commented Dec 15, 2024
edited
Loading

Behavior in v1.11.0-beta.11 hasn't changed. It currently looks impossible to create a custom route for UDP packets. The destination address is missing in the metadata.

config.json 
{
  "log": {
    "disabled": false,
    "level": "debug"
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 10888
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "direct-out",
    "rules": [
      {
        "port": 53,
        "action": "reject"
      }
    ]
  }
}
Test script 
# virtualenv venv
# source ./venv/bin/activate
# pip install pysocks dnslib
# python main.py

import socket
import socks
import dnslib

socks.set_default_proxy(socks.SOCKS5, "127.0.0.1", 10888)
socket.socket = socks.socksocket

def send_dns_request(domain, dns_server="8.8.8.8"):
    request = dnslib.DNSRecord.question(domain)

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(request.pack(), (dns_server, 53))

    response, _ = sock.recvfrom(1024)
    dns_response = dnslib.DNSRecord.parse(response)
    
    return dns_response

response = send_dns_request("example.com")
print(response)
» docker run --net=host -v $PWD/config.json:/config.json -it ghcr.io/sagernet/sing-box:v1.11.0-beta.11 -c /config.json run
INFO[0000] network: updated default interface wlp0s20f3, index 2
INFO[0000] inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:10888
INFO[0000] sing-box started (0.00s)
INFO[0007] [1026707425 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:51940
INFO[0007] [1026707425 0ms] inbound/mixed[mixed-in]: inbound packet connection
DEBUG[0007] [1026707425 1ms] router: sniffed packet protocol: dns
INFO[0007] [1026707425 1ms] outbound/direct[direct-out]: outbound packet connection

@dyhkwong
Copy link
Contributor Author

sing-box/route/route.go

Lines 474 to 489 in a3278af

if !preMatch && inputPacketConn != nil && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
var timeout time.Duration
if metadata.InboundType == C.TypeSOCKS {
timeout = C.TCPTimeout
}
newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{Timeout: timeout}, inputConn, inputPacketConn)
if newErr != nil {
fatalErr = newErr
return
}
if newBuffer != nil {
buffers = append(buffers, newBuffer)
} else if len(newPacketBuffers) > 0 {
packetBuffers = append(packetBuffers, newPacketBuffers...)
}
}

These need to be before match:

And currently actionSniff with no sniffer means all sniffer enabled, so even if no sniff enabled, SOCKS5 UDP will do a sniffing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mazzz1y @dyhkwong @nekohasekai