Disable none cipher for shadowsocks#6303
Conversation
Forbid insecure outbound settings.
增加了内网地址检测(IsLoopback和IsPrivate应该够了)
Add Vless Hysteria2 and Trojan support
Removed duplicated TLS outbound detection on hysteria2 (should always with QUIC)
Add extra detection for Trojan protocol
bytecategory
left a comment
bytecategory
left a comment
There was a problem hiding this comment.
加个标签: 破坏性变更
问题在于即使是CipherType_NONE 也可以再套一层TLS(依旧安全)
理论上Shadowsocks不应该出现无加密这种组合 |
也就是把以前的换成Socks5了 ... 我先去忙Astrbot事件了 |
|
为什么不删Vmess的 None安全模式 |
|
毕竟计划是 #5640 (comment) ,似乎的确可以直接把 SS 和 VMess 不加密的模式删掉,只剩 VLESS 和 Trojan 需要配置检查了 @LjhAUMEM 有空给 Hy2 协议加个限制,只能搭配 Hy2 传输层,避免有人搞出公网明文传输的配置 |
|
俩pr都是一个人合一起不就行了吗 |
|
这个 PR base 更新一些,@OfficialKatana 可以把 #5640 的内容并入这个 PR Private IP 段的话 Freedom 那里有,可以移到 common 那里 至于判断我想了一下,确实应该仅认可 VLESS Encryption 和 TLS/REALITY,毕竟 Finalmask 那些东西被认为不够可靠
|
|
此外还有个 dialerProxy 感觉不太好处理 |
|
@OfficialKatana 以及修一下 test 和 fmt |
|
看了下代码,private IP 段貌似和 @Meo597 写的不太一样? |
| if ip4 == nil && ip16 == nil { | ||
| return false | ||
| } | ||
| private := ip.IsPrivate() || ip.IsLoopback() || ip.IsMulticast() || ip.IsLinkLocalUnicast() |
There was a problem hiding this comment.
IsPrivate() IsLoopback() ... 内部实现会多次 To4() To16()
There was a problem hiding this comment.
可以手写,不过为了简洁和美观目前还是保持这个实现,测试下来是纳秒级别的差距,后续维护起来也方便
| return subs[0], nil | ||
| default: | ||
| return &HeuristicMultiIPMatcher{matchers: subs}, nil | ||
| return &GeneralMultiIPMatcher{matchers: subs}, nil |
There was a problem hiding this comment.
只要用户的规则含有 geoip:private 启发式优化就被扬掉了
而且直觉上 PrebuildPrivateIPMatcher 不会比 go4.org/netipx 的二分查找更快
为啥不考虑用 geodata.ParseIPRules 手写那些 CIDR 呢?
|
不应该造 PrivateIPMatcher 这破坏了原本的设计 应该用 ParseIPRule 直接 new Matcher 实例 |
RPRX
force-pushed
the
main
branch
2 times, most recently
from
4af24e9 to
829d54d
Compare
|
@OfficialKatana 你俩讨论下 |
|
|
| m, err := buildOptimizedIPMatcher(r.ipsetFactory, rules) | ||
| expanded := make([]*IPRule, 0, len(rules)) | ||
| for _, rule := range rules { | ||
| if geoip, ok := rule.Value.(*IPRule_Geoip); ok && isPrivateGeoIPCode(geoip.Geoip.Code) { |
There was a problem hiding this comment.
ext:xxx.dat:private 被破坏,社区修改 private 全部无效
There was a problem hiding this comment.
此外应该禁止使用自定义的private ip段(即使配置了也强制使用内置的内网段),第一是防止绕过限制,第二是固定private ip段防止被dat内部的规则篡改预期行为。
There was a problem hiding this comment.
不要这样做破坏了抽象,而且是负收益,后面都是维护债
篡改方面不用担心
你的 isInternalOrInvalidAddress 不会被 geoip.dat:private 影响
新开个 common/geodata/consts.go 然后 PRIVATE_xxxx = must2(geodata.IPReg.BuildIPMatcher(must2(geodata.ParseIPRules(...)))) 就行了
|
|
||
| // NewPrivateIPMatcher returns an IPMatcher prebuilt with all IANA | ||
| // private/special-use IP ranges. It does not require geoip.dat. | ||
| func NewPrivateIPMatcher() IPMatcher { |
| } | ||
| } | ||
|
|
||
| func TestNewPrivateIPMatcher(t *testing.T) { |
| expanded := make([]*IPRule, 0, len(rules)) | ||
| for _, rule := range rules { | ||
| if geoip, ok := rule.Value.(*IPRule_Geoip); ok && isPrivateGeoIPCode(geoip.Geoip.Code) { | ||
| for _, cidrStr := range PrivateCIDRStrings { |
7 participants
Remove "NONE Cipher" which is not widely used.