Source IPv4 CIDR matching behaves unexpectedly when a Hysteria2 inbound listens on :: #2451

zacred0rryn opened this issue Jan 7, 2025 · 0 comments
Labels
bug Something isn't working

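Operating system

Linux

System version

Arch Linux rolling

Installation type

Original sing-box command-line program

If you are using a graphical client, please provide its version.

No response

Version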

sing-box version 1.10.6

Environment: go1.23.4 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 578571b97291bd60e1083b006f12dfb82efb0603
CGO: disabled

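Description

When a Hysteria2 inbound listens on ::, the source IPv4 address becomes an IPv4-mapped address, and source_ip_cidr matching then produces unexpected results.

Steps to reproduce

Use the following configuration: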

{
    "log": {
        "level": "debug"
    },
    "inbounds": [
        {
            "type": "hysteria2",
            "tag": "hy2-in",
            "listen": "::",
            "listen_port": 40443,
            "users": [
                {
                    "name": "tobyxdd",
                    "password": "goofy_ahh_password"
                }
            ],
            "ignore_client_bandwidth": true,
            "tls": {
                "enabled": true,
                "server_name": "example.com",
                "alpn": ["h3"],
                "certificate_path": "/path/to/fullchain.crt",
                "key_path": "/path/to/cert.key"
            }
        },
        {
            "type": "socks",
            "tag": "socks-in_1",
            "listen": "::",
            "listen_port": 7890
        },
        {
            "type": "socks",
            "tag": "socks-in_2",
            "listen": "::",
            "listen_port": 7891
        }
    ],
    "outbounds": [
        {
            "type": "direct"
        },
        {
            "type": "block",
            "tag": "block"
        },
        {
            "type": "hysteria2",
            "tag": "hy2-out",
            "server": "127.0.0.1",
            "server_port": 40443,
            "password": "goofy_ahh_password",
            "tls": {
                "enabled": true,
                "server_name": "example.com",
                "alpn": ["h3"]
            }
        }
    ],
    "route": {
        "rules": [
            {
                "inbound": "socks-in_1",
                "outbound": "hy2-out"
            },
            {
                "source_ip_cidr": "127.0.0.1/8",
                "invert": true,
                "outbound": "block"
            }
        ]
    }
}

Run the following commands:

$ curl -x socks5://127.0.0.1:7890 1.1.1.1
curl: (52) Empty reply from server
$ curl -x socks5://127.0.0.1:7891 1.1.1.1
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>

Logs

INFO[0000] router: updated default interface ens5, index 2
INFO[0000] inbound/hysteria2[hy2-in]: udp server started at [::]:40443
INFO[0000] inbound/socks[socks-in_1]: tcp server started at [::]:7890
INFO[0000] inbound/socks[socks-in_2]: tcp server started at [::]:7891
INFO[0000] sing-box started (0.00s)
INFO[0002] [3142747626 0ms] inbound/socks[socks-in_1]: inbound connection from 127.0.0.1:9068
INFO[0002] [3142747626 0ms] inbound/socks[socks-in_1]: inbound connection to 1.1.1.1:80
DEBUG[0002] [3142747626 0ms] router: match[0] inbound=socks-in_1 => hy2-out
INFO[0002] [3142747626 0ms] outbound/hysteria2[hy2-out]: outbound connection to 1.1.1.1:80
INFO[0002] [4232332154 0ms] inbound/hysteria2[hy2-in]: inbound connection from [::ffff:127.0.0.1]:36663
INFO[0002] [4232332154 0ms] inbound/hysteria2[hy2-in]: [tobyxdd] inbound connection to 1.1.1.1:80
DEBUG[0002] [4232332154 0ms] router: match[1] !(source_ip_cidr=127.0.0.1/8) => block
INFO[0002] [4232332154 0ms] outbound/block[block]: blocked connection to 1.1.1.1:80
INFO[0004] [2473973361 0ms] inbound/socks[socks-in_2]: inbound connection from 127.0.0.1:39596
INFO[0004] [2473973361 0ms] inbound/socks[socks-in_2]: inbound connection to 1.1.1.1:80
INFO[0004] [2473973361 0ms] outbound/direct[0]: outbound connection to 1.1.1.1:80

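Support us

Integrity requirements

  • I confirm that I have read the documentation and understand the meaning of every configuration option I wrote, rather than piling up seemingly useful options or default values.
  • I confirm that I have provided server and client configuration files and a procedure that can reproduce the issue locally, rather than a desensitized, complex client configuration file.
  • I confirm that I have provided the simplest configuration that reproduces the error I reported, rather than one that depends on remote servers, TUN, graphical client programs, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than only the parts I consider useful out of confidence in my own intelligence.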
nekohasekai added the bug label on Jan 7, 2025
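
The mismatch reported above, reproduced with Go's standard net/netip package as an added example; it is not code from the issue or from sing-box, and whether sing-box evaluates source_ip_cidr this way is an assumption. The cidrRule type and the fires and evaluate functions are hypothetical names. The first two sources are taken from the issue's log, the last two are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// cidrRule is a hypothetical stand-in for a route rule carrying
// source_ip_cidr and invert; it is not sing-box's own type.
type cidrRule struct {
	prefix netip.Prefix
	invert bool
}

// fires reports whether the rule selects the connection. With normalize
// set, an IPv4-mapped IPv6 source (::ffff:a.b.c.d) is unmapped first.
func (r cidrRule) fires(src netip.Addr, normalize bool) bool {
	if normalize {
		src = src.Unmap()
	}
	// Prefix.Contains never matches an IPv4-mapped IPv6 address against
	// an IPv4 prefix, so the mapped form falls outside 127.0.0.1/8.
	return r.prefix.Contains(src) != r.invert
}

// evaluate takes a CIDR and a source in the log's "ip:port" form and
// returns the rule decision without and with unmapping.
func evaluate(cidr string, invert bool, logged string) (bool, bool, error) {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return false, false, err
	}
	ap, err := netip.ParseAddrPort(logged)
	if err != nil {
		return false, false, err
	}
	r := cidrRule{prefix: prefix, invert: invert}
	return r.fires(ap.Addr(), false), r.fires(ap.Addr(), true), nil
}

func main() {
	// First two sources come from the issue's log; the last two are constructed.
	for _, s := range []string{"127.0.0.1:9068", "[::ffff:127.0.0.1]:36663",
		"[::ffff:203.0.113.7]:40000", "[2001:db8::1]:40000"} {
		strict, norm, err := evaluate("127.0.0.1/8", true, s)
		fmt.Printf("%-27s block(strict)=%-5v block(unmapped)=%-5v err=%v\n", s, strict, norm, err)
	}
}
```

Only the mapped loopback source changes its decision once unmapped; real IPv6 sources and mapped non-loopback sources are still selected by the inverted rule.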