From aff6768ff6c45565cd03f4878ccbc15429a8be38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Sun, 7 Jul 2024 15:45:50 +0800
Subject: [PATCH] Improve QUIC sniffer
---
adapter/inbound.go | 9 +-
common/ja3/LICENSE | 29 +++
common/ja3/README.md | 3 +
common/ja3/error.go | 31 +++
common/ja3/ja3.go | 83 +++++++
common/ja3/parser.go | 357 +++++++++++++++++++++++++++
common/sniff/bittorrent.go | 44 ++--
common/sniff/bittorrent_test.go | 11 +-
common/sniff/dns.go | 20 +-
common/sniff/dtls.go | 13 +-
common/sniff/dtls_test.go | 7 +-
common/sniff/http.go | 8 +-
common/sniff/http_test.go | 7 +-
common/sniff/quic.go | 218 ++++++++++------
common/sniff/quic_blacklist.go | 24 ++
common/sniff/quic_test.go | 56 ++++-
common/sniff/sniff.go | 28 +--
common/sniff/stun.go | 11 +-
common/sniff/stun_test.go | 7 +-
common/sniff/tls.go | 8 +-
constant/protocol.go | 8 +
docs/configuration/route/rule.md | 15 +-
docs/configuration/route/rule.zh.md | 15 +-
docs/configuration/route/sniff.md | 29 ++-
docs/configuration/route/sniff.zh.md | 29 ++-
go.mod | 2 +-
option/rule.go | 1 +
route/router.go | 99 +++++---
route/rule_default.go | 5 +
route/rule_item_client.go | 37 +++
30 files changed, 995 insertions(+), 219 deletions(-)
create mode 100644 common/ja3/LICENSE
create mode 100644 common/ja3/README.md
create mode 100644 common/ja3/error.go
create mode 100644 common/ja3/ja3.go
create mode 100644 common/ja3/parser.go
create mode 100644 common/sniff/quic_blacklist.go
create mode 100644 route/rule_item_client.go
diff --git a/adapter/inbound.go b/adapter/inbound.go
index 56eb5623..ffc4c564 100644
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -31,11 +31,16 @@ type InboundContext struct {
Network string
Source M.Socksaddr
Destination M.Socksaddr
- Domain string
- Protocol string
User string
Outbound string
+ // sniffer
+
+ Protocol string
+ Domain string
+ Client string
+ SniffContext any
+
// cache
InboundDetour string
diff --git a/common/ja3/LICENSE b/common/ja3/LICENSE
new file mode 100644
index 00000000..b42ec95d
--- /dev/null
+++ b/common/ja3/LICENSE
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2018, Open Systems AG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/common/ja3/README.md b/common/ja3/README.md
new file mode 100644
index 00000000..5c0bd8ae
--- /dev/null
+++ b/common/ja3/README.md
@@ -0,0 +1,3 @@
+# JA3
+
+mod from: https://github.com/open-ch/ja3
\ No newline at end of file
diff --git a/common/ja3/error.go b/common/ja3/error.go
new file mode 100644
index 00000000..cab85492
--- /dev/null
+++ b/common/ja3/error.go
@@ -0,0 +1,31 @@
+// Copyright (c) 2018, Open Systems AG. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style license
+// that can be found in the LICENSE file in the root of the source
+// tree.
+
+package ja3
+
+import "fmt"
+
+// Error types
+const (
+ LengthErr string = "length check %v failed"
+ ContentTypeErr string = "content type not matching"
+ VersionErr string = "version check %v failed"
+ HandshakeTypeErr string = "handshake type not matching"
+ SNITypeErr string = "SNI type not supported"
+)
+
+// ParseError can be encountered while parsing a segment
+type ParseError struct {
+ errType string
+ check int
+}
+
+func (e *ParseError) Error() string {
+ if e.errType == LengthErr || e.errType == VersionErr {
+ return fmt.Sprintf(e.errType, e.check)
+ }
+ return fmt.Sprint(e.errType)
+}
diff --git a/common/ja3/ja3.go b/common/ja3/ja3.go
new file mode 100644
index 00000000..608819fe
--- /dev/null
+++ b/common/ja3/ja3.go
@@ -0,0 +1,83 @@
+// Copyright (c) 2018, Open Systems AG. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style license
+// that can be found in the LICENSE file in the root of the source
+// tree.
+
+package ja3
+
+import (
+ "crypto/md5"
+ "encoding/hex"
+
+ "golang.org/x/exp/slices"
+)
+
+type ClientHello struct {
+ Version uint16
+ CipherSuites []uint16
+ Extensions []uint16
+ EllipticCurves []uint16
+ EllipticCurvePF []uint8
+ Versions []uint16
+ SignatureAlgorithms []uint16
+ ServerName string
+ ja3ByteString []byte
+ ja3Hash string
+}
+
+func (j *ClientHello) Equals(another *ClientHello, ignoreExtensionsSequence bool) bool {
+ if j.Version != another.Version {
+ return false
+ }
+ if !slices.Equal(j.CipherSuites, another.CipherSuites) {
+ return false
+ }
+ if !ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.Extensions) {
+ return false
+ }
+ if ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.sortedExtensions()) {
+ return false
+ }
+ if !slices.Equal(j.EllipticCurves, another.EllipticCurves) {
+ return false
+ }
+ if !slices.Equal(j.EllipticCurvePF, another.EllipticCurvePF) {
+ return false
+ }
+ if !slices.Equal(j.SignatureAlgorithms, another.SignatureAlgorithms) {
+ return false
+ }
+ return true
+}
+
+func (j *ClientHello) sortedExtensions() []uint16 {
+ extensions := make([]uint16, len(j.Extensions))
+ copy(extensions, j.Extensions)
+ slices.Sort(extensions)
+ return extensions
+}
+
+func Compute(payload []byte) (*ClientHello, error) {
+ ja3 := ClientHello{}
+ err := ja3.parseSegment(payload)
+ return &ja3, err
+}
+
+func (j *ClientHello) String() string {
+ if j.ja3ByteString == nil {
+ j.marshalJA3()
+ }
+ return string(j.ja3ByteString)
+}
+
+func (j *ClientHello) Hash() string {
+ if j.ja3ByteString == nil {
+ j.marshalJA3()
+ }
+ if j.ja3Hash == "" {
+ h := md5.Sum(j.ja3ByteString)
+ j.ja3Hash = hex.EncodeToString(h[:])
+ }
+ return j.ja3Hash
+}
diff --git a/common/ja3/parser.go b/common/ja3/parser.go
new file mode 100644
index 00000000..f9cca603
--- /dev/null
+++ b/common/ja3/parser.go
@@ -0,0 +1,357 @@
+// Copyright (c) 2018, Open Systems AG. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style license
+// that can be found in the LICENSE file in the root of the source
+// tree.
+
+package ja3
+
+import (
+ "encoding/binary"
+ "strconv"
+)
+
+const (
+ // Constants used for parsing
+ recordLayerHeaderLen int = 5
+ handshakeHeaderLen int = 6
+ randomDataLen int = 32
+ sessionIDHeaderLen int = 1
+ cipherSuiteHeaderLen int = 2
+ compressMethodHeaderLen int = 1
+ extensionsHeaderLen int = 2
+ extensionHeaderLen int = 4
+ sniExtensionHeaderLen int = 5
+ ecExtensionHeaderLen int = 2
+ ecpfExtensionHeaderLen int = 1
+ versionExtensionHeaderLen int = 1
+ signatureAlgorithmsExtensionHeaderLen int = 2
+ contentType uint8 = 22
+ handshakeType uint8 = 1
+ sniExtensionType uint16 = 0
+ sniNameDNSHostnameType uint8 = 0
+ ecExtensionType uint16 = 10
+ ecpfExtensionType uint16 = 11
+ versionExtensionType uint16 = 43
+ signatureAlgorithmsExtensionType uint16 = 13
+
+ // Versions
+ // The bitmask covers the versions SSL3.0 to TLS1.2
+ tlsVersionBitmask uint16 = 0xFFFC
+ tls13 uint16 = 0x0304
+
+ // GREASE values
+ // The bitmask covers all GREASE values
+ GreaseBitmask uint16 = 0x0F0F
+
+ // Constants used for marshalling
+ dashByte = byte(45)
+ commaByte = byte(44)
+)
+
+// parseSegment to populate the corresponding ClientHello object or return an error
+func (j *ClientHello) parseSegment(segment []byte) error {
+ // Check if we can decode the next fields
+ if len(segment) < recordLayerHeaderLen {
+ return &ParseError{LengthErr, 1}
+ }
+
+ // Check if we have "Content Type: Handshake (22)"
+ contType := uint8(segment[0])
+ if contType != contentType {
+ return &ParseError{errType: ContentTypeErr}
+ }
+
+ // Check if TLS record layer version is supported
+ tlsRecordVersion := uint16(segment[1])<<8 | uint16(segment[2])
+ if tlsRecordVersion&tlsVersionBitmask != 0x0300 && tlsRecordVersion != tls13 {
+ return &ParseError{VersionErr, 1}
+ }
+
+ // Check that the Handshake is as long as expected from the length field
+ segmentLen := uint16(segment[3])<<8 | uint16(segment[4])
+ if len(segment[recordLayerHeaderLen:]) < int(segmentLen) {
+ return &ParseError{LengthErr, 2}
+ }
+ // Keep the Handshake messege, ignore any additional following record types
+ hs := segment[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)]
+
+ err := j.parseHandshake(hs)
+
+ return err
+}
+
+// parseHandshake body
+func (j *ClientHello) parseHandshake(hs []byte) error {
+ // Check if we can decode the next fields
+ if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
+ return &ParseError{LengthErr, 3}
+ }
+
+ // Check if we have "Handshake Type: Client Hello (1)"
+ handshType := uint8(hs[0])
+ if handshType != handshakeType {
+ return &ParseError{errType: HandshakeTypeErr}
+ }
+
+ // Check if actual length of handshake matches (this is a great exclusion criterion for false positives,
+ // as these fields have to match the actual length of the rest of the segment)
+ handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
+ if len(hs[4:]) != int(handshakeLen) {
+ return &ParseError{LengthErr, 4}
+ }
+
+ // Check if Client Hello version is supported
+ tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
+ if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
+ return &ParseError{VersionErr, 2}
+ }
+ j.Version = tlsVersion
+
+ // Check if we can decode the next fields
+ sessionIDLen := uint8(hs[38])
+ if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
+ return &ParseError{LengthErr, 5}
+ }
+
+ // Cipher Suites
+ cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
+
+ // Check if we can decode the next fields
+ if len(cs) < cipherSuiteHeaderLen {
+ return &ParseError{LengthErr, 6}
+ }
+
+ csLen := uint16(cs[0])<<8 | uint16(cs[1])
+ numCiphers := int(csLen / 2)
+ cipherSuites := make([]uint16, 0, numCiphers)
+
+ // Check if we can decode the next fields
+ if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
+ return &ParseError{LengthErr, 7}
+ }
+
+ for i := 0; i < numCiphers; i++ {
+ cipherSuite := uint16(cs[2+i<<1])<<8 | uint16(cs[3+i<<1])
+ cipherSuites = append(cipherSuites, cipherSuite)
+ }
+ j.CipherSuites = cipherSuites
+
+ // Check if we can decode the next fields
+ compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
+ if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
+ return &ParseError{LengthErr, 8}
+ }
+
+ // Extensions
+ exs := cs[cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen):]
+
+ err := j.parseExtensions(exs)
+
+ return err
+}
+
+// parseExtensions of the handshake
+func (j *ClientHello) parseExtensions(exs []byte) error {
+ // Check for no extensions, this fields header is nonexistent if no body is used
+ if len(exs) == 0 {
+ return nil
+ }
+
+ // Check if we can decode the next fields
+ if len(exs) < extensionsHeaderLen {
+ return &ParseError{LengthErr, 9}
+ }
+
+ exsLen := uint16(exs[0])<<8 | uint16(exs[1])
+ exs = exs[extensionsHeaderLen:]
+
+ // Check if we can decode the next fields
+ if len(exs) < int(exsLen) {
+ return &ParseError{LengthErr, 10}
+ }
+
+ var sni []byte
+ var extensions, ellipticCurves []uint16
+ var ellipticCurvePF []uint8
+ var versions []uint16
+ var signatureAlgorithms []uint16
+ for len(exs) > 0 {
+
+ // Check if we can decode the next fields
+ if len(exs) < extensionHeaderLen {
+ return &ParseError{LengthErr, 11}
+ }
+
+ exType := uint16(exs[0])<<8 | uint16(exs[1])
+ exLen := uint16(exs[2])<<8 | uint16(exs[3])
+ // Ignore any GREASE extensions
+ extensions = append(extensions, exType)
+ // Check if we can decode the next fields
+ if len(exs) < extensionHeaderLen+int(exLen) {
+ return &ParseError{LengthErr, 12}
+ }
+
+ sex := exs[extensionHeaderLen : extensionHeaderLen+int(exLen)]
+
+ switch exType {
+ case sniExtensionType: // Extensions: server_name
+
+ // Check if we can decode the next fields
+ if len(sex) < sniExtensionHeaderLen {
+ return &ParseError{LengthErr, 13}
+ }
+
+ sniType := uint8(sex[2])
+ sniLen := uint16(sex[3])<<8 | uint16(sex[4])
+ sex = sex[sniExtensionHeaderLen:]
+
+ // Check if we can decode the next fields
+ if len(sex) != int(sniLen) {
+ return &ParseError{LengthErr, 14}
+ }
+
+ switch sniType {
+ case sniNameDNSHostnameType:
+ sni = sex
+ default:
+ return &ParseError{errType: SNITypeErr}
+ }
+ case ecExtensionType: // Extensions: supported_groups
+
+ // Check if we can decode the next fields
+ if len(sex) < ecExtensionHeaderLen {
+ return &ParseError{LengthErr, 15}
+ }
+
+ ecsLen := uint16(sex[0])<<8 | uint16(sex[1])
+ numCurves := int(ecsLen / 2)
+ ellipticCurves = make([]uint16, 0, numCurves)
+ sex = sex[ecExtensionHeaderLen:]
+
+ // Check if we can decode the next fields
+ if len(sex) != int(ecsLen) {
+ return &ParseError{LengthErr, 16}
+ }
+
+ for i := 0; i < numCurves; i++ {
+ ecType := uint16(sex[i*2])<<8 | uint16(sex[1+i*2])
+ ellipticCurves = append(ellipticCurves, ecType)
+ }
+
+ case ecpfExtensionType: // Extensions: ec_point_formats
+
+ // Check if we can decode the next fields
+ if len(sex) < ecpfExtensionHeaderLen {
+ return &ParseError{LengthErr, 17}
+ }
+
+ ecpfsLen := uint8(sex[0])
+ numPF := int(ecpfsLen)
+ ellipticCurvePF = make([]uint8, numPF)
+ sex = sex[ecpfExtensionHeaderLen:]
+
+ // Check if we can decode the next fields
+ if len(sex) != numPF {
+ return &ParseError{LengthErr, 18}
+ }
+
+ for i := 0; i < numPF; i++ {
+ ellipticCurvePF[i] = uint8(sex[i])
+ }
+ case versionExtensionType:
+ if len(sex) < versionExtensionHeaderLen {
+ return &ParseError{LengthErr, 19}
+ }
+ versionsLen := int(sex[0])
+ for i := 0; i < versionsLen; i += 2 {
+ versions = append(versions, binary.BigEndian.Uint16(sex[1:][i:]))
+ }
+ case signatureAlgorithmsExtensionType:
+ if len(sex) < signatureAlgorithmsExtensionHeaderLen {
+ return &ParseError{LengthErr, 20}
+ }
+ ssaLen := binary.BigEndian.Uint16(sex)
+ for i := 0; i < int(ssaLen); i += 2 {
+ signatureAlgorithms = append(signatureAlgorithms, binary.BigEndian.Uint16(sex[2:][i:]))
+ }
+ }
+ exs = exs[4+exLen:]
+ }
+ j.ServerName = string(sni)
+ j.Extensions = extensions
+ j.EllipticCurves = ellipticCurves
+ j.EllipticCurvePF = ellipticCurvePF
+ j.Versions = versions
+ j.SignatureAlgorithms = signatureAlgorithms
+ return nil
+}
+
+// marshalJA3 into a byte string
+func (j *ClientHello) marshalJA3() {
+ // An uint16 can contain numbers with up to 5 digits and an uint8 can contain numbers with up to 3 digits, but we
+ // also need a byte for each separating character, except at the end.
+ byteStringLen := 6*(1+len(j.CipherSuites)+len(j.Extensions)+len(j.EllipticCurves)) + 4*len(j.EllipticCurvePF) - 1
+ byteString := make([]byte, 0, byteStringLen)
+
+ // Version
+ byteString = strconv.AppendUint(byteString, uint64(j.Version), 10)
+ byteString = append(byteString, commaByte)
+
+ // Cipher Suites
+ if len(j.CipherSuites) != 0 {
+ for _, val := range j.CipherSuites {
+ if val&GreaseBitmask != 0x0A0A {
+ continue
+ }
+ byteString = strconv.AppendUint(byteString, uint64(val), 10)
+ byteString = append(byteString, dashByte)
+ }
+ // Replace last dash with a comma
+ byteString[len(byteString)-1] = commaByte
+ } else {
+ byteString = append(byteString, commaByte)
+ }
+
+ // Extensions
+ if len(j.Extensions) != 0 {
+ for _, val := range j.Extensions {
+ if val&GreaseBitmask != 0x0A0A {
+ continue
+ }
+ byteString = strconv.AppendUint(byteString, uint64(val), 10)
+ byteString = append(byteString, dashByte)
+ }
+ // Replace last dash with a comma
+ byteString[len(byteString)-1] = commaByte
+ } else {
+ byteString = append(byteString, commaByte)
+ }
+
+ // Elliptic curves
+ if len(j.EllipticCurves) != 0 {
+ for _, val := range j.EllipticCurves {
+ if val&GreaseBitmask != 0x0A0A {
+ continue
+ }
+ byteString = strconv.AppendUint(byteString, uint64(val), 10)
+ byteString = append(byteString, dashByte)
+ }
+ // Replace last dash with a comma
+ byteString[len(byteString)-1] = commaByte
+ } else {
+ byteString = append(byteString, commaByte)
+ }
+
+ // ECPF
+ if len(j.EllipticCurvePF) != 0 {
+ for _, val := range j.EllipticCurvePF {
+ byteString = strconv.AppendUint(byteString, uint64(val), 10)
+ byteString = append(byteString, dashByte)
+ }
+ // Remove last dash
+ byteString = byteString[:len(byteString)-1]
+ }
+
+ j.ja3ByteString = byteString
+}
diff --git a/common/sniff/bittorrent.go b/common/sniff/bittorrent.go
index debc35ca..9e123c41 100644
--- a/common/sniff/bittorrent.go
+++ b/common/sniff/bittorrent.go
@@ -19,45 +19,44 @@ const (
// BitTorrent detects if the stream is a BitTorrent connection.
// For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
-func BitTorrent(_ context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func BitTorrent(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
var first byte
err := binary.Read(reader, binary.BigEndian, &first)
if err != nil {
- return nil, err
+ return err
}
if first != 19 {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
var protocol [19]byte
_, err = reader.Read(protocol[:])
if err != nil {
- return nil, err
+ return err
}
if string(protocol[:]) != "BitTorrent protocol" {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
- return &adapter.InboundContext{
- Protocol: C.ProtocolBitTorrent,
- }, nil
+ metadata.Protocol = C.ProtocolBitTorrent
+ return nil
}
// UTP detects if the packet is a uTP connection packet.
// For the uTP protocol specification, see
// 1. https://www.bittorrent.org/beps/bep_0029.html
// 2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
-func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
+func UTP(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
// A valid uTP packet must be at least 20 bytes long.
if len(packet) < 20 {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
version := packet[0] & 0x0F
ty := packet[0] >> 4
if version != 1 || ty > 4 {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
// Validate the extensions
@@ -66,36 +65,35 @@ func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
for extension != 0 {
err := binary.Read(reader, binary.BigEndian, &extension)
if err != nil {
- return nil, err
+ return err
}
var length byte
err = binary.Read(reader, binary.BigEndian, &length)
if err != nil {
- return nil, err
+ return err
}
_, err = reader.Seek(int64(length), io.SeekCurrent)
if err != nil {
- return nil, err
+ return err
}
}
-
- return &adapter.InboundContext{
- Protocol: C.ProtocolBitTorrent,
- }, nil
+ metadata.Protocol = C.ProtocolBitTorrent
+ return nil
}
// UDPTracker detects if the packet is a UDP Tracker Protocol packet.
// For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
-func UDPTracker(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
+func UDPTracker(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
if len(packet) < trackerConnectMinSize {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
if binary.BigEndian.Uint64(packet[:8]) != trackerProtocolID {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
if binary.BigEndian.Uint32(packet[8:12]) != trackerConnectFlag {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
- return &adapter.InboundContext{Protocol: C.ProtocolBitTorrent}, nil
+ metadata.Protocol = C.ProtocolBitTorrent
+ return nil
}
diff --git a/common/sniff/bittorrent_test.go b/common/sniff/bittorrent_test.go
index 6b3ab64e..65f095bd 100644
--- a/common/sniff/bittorrent_test.go
+++ b/common/sniff/bittorrent_test.go
@@ -6,6 +6,7 @@ import (
"encoding/hex"
"testing"
+ "github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/common/sniff"
C "github.com/sagernet/sing-box/constant"
@@ -24,7 +25,8 @@ func TestSniffBittorrent(t *testing.T) {
for _, pkt := range packets {
pkt, err := hex.DecodeString(pkt)
require.NoError(t, err)
- metadata, err := sniff.BitTorrent(context.TODO(), bytes.NewReader(pkt))
+ var metadata adapter.InboundContext
+ err = sniff.BitTorrent(context.TODO(), &metadata, bytes.NewReader(pkt))
require.NoError(t, err)
require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
}
@@ -43,8 +45,8 @@ func TestSniffUTP(t *testing.T) {
for _, pkt := range packets {
pkt, err := hex.DecodeString(pkt)
require.NoError(t, err)
-
- metadata, err := sniff.UTP(context.TODO(), pkt)
+ var metadata adapter.InboundContext
+ err = sniff.UTP(context.TODO(), &metadata, pkt)
require.NoError(t, err)
require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
}
@@ -63,7 +65,8 @@ func TestSniffUDPTracker(t *testing.T) {
pkt, err := hex.DecodeString(pkt)
require.NoError(t, err)
- metadata, err := sniff.UDPTracker(context.TODO(), pkt)
+ var metadata adapter.InboundContext
+ err = sniff.UDPTracker(context.TODO(), &metadata, pkt)
require.NoError(t, err)
require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
}
diff --git a/common/sniff/dns.go b/common/sniff/dns.go
index d69f3b15..96670eca 100644
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -17,18 +17,17 @@ import (
mDNS "github.com/miekg/dns"
)
-func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
var length uint16
err := binary.Read(reader, binary.BigEndian, &length)
if err != nil {
- return nil, err
+ return os.ErrInvalid
}
if length == 0 {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
buffer := buf.NewSize(int(length))
defer buffer.Release()
-
readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
var readTask task.Group
readTask.Append0(func(ctx context.Context) error {
@@ -37,19 +36,20 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
err = readTask.Run(readCtx)
cancel()
if err != nil {
- return nil, err
+ return err
}
- return DomainNameQuery(readCtx, buffer.Bytes())
+ return DomainNameQuery(readCtx, metadata, buffer.Bytes())
}
-func DomainNameQuery(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
+func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
var msg mDNS.Msg
err := msg.Unpack(packet)
if err != nil {
- return nil, err
+ return err
}
if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
- return &adapter.InboundContext{Protocol: C.ProtocolDNS}, nil
+ metadata.Protocol = C.ProtocolDNS
+ return nil
}
diff --git a/common/sniff/dtls.go b/common/sniff/dtls.go
index 6469b097..e2704a27 100644
--- a/common/sniff/dtls.go
+++ b/common/sniff/dtls.go
@@ -8,24 +8,25 @@ import (
C "github.com/sagernet/sing-box/constant"
)
-func DTLSRecord(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
+func DTLSRecord(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
const fixedHeaderSize = 13
if len(packet) < fixedHeaderSize {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
contentType := packet[0]
switch contentType {
case 20, 21, 22, 23, 25:
default:
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
versionMajor := packet[1]
if versionMajor != 0xfe {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
versionMinor := packet[2]
if versionMinor != 0xff && versionMinor != 0xfd {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
- return &adapter.InboundContext{Protocol: C.ProtocolDTLS}, nil
+ metadata.Protocol = C.ProtocolDTLS
+ return nil
}
diff --git a/common/sniff/dtls_test.go b/common/sniff/dtls_test.go
index 45f77126..48c9b42b 100644
--- a/common/sniff/dtls_test.go
+++ b/common/sniff/dtls_test.go
@@ -5,6 +5,7 @@ import (
"encoding/hex"
"testing"
+ "github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/common/sniff"
C "github.com/sagernet/sing-box/constant"
@@ -15,7 +16,8 @@ func TestSniffDTLSClientHello(t *testing.T) {
t.Parallel()
packet, err := hex.DecodeString("16fefd0000000000000000007e010000720000000000000072fefd668a43523798e064bd806d0c87660de9c611a59bbdfc3892c4e072d94f2cafc40000000cc02bc02fc00ac014c02cc0300100003c000d0010000e0403050306030401050106010807ff01000100000a00080006001d00170018000b00020100000e000900060008000700010000170000")
require.NoError(t, err)
- metadata, err := sniff.DTLSRecord(context.Background(), packet)
+ var metadata adapter.InboundContext
+ err = sniff.DTLSRecord(context.Background(), &metadata, packet)
require.NoError(t, err)
require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
}
@@ -24,7 +26,8 @@ func TestSniffDTLSClientApplicationData(t *testing.T) {
t.Parallel()
packet, err := hex.DecodeString("17fefd000100000000000100440001000000000001a4f682b77ecadd10f3f3a2f78d90566212366ff8209fd77314f5a49352f9bb9bd12f4daba0b4736ae29e46b9714d3b424b3e6d0234736619b5aa0d3f")
require.NoError(t, err)
- metadata, err := sniff.DTLSRecord(context.Background(), packet)
+ var metadata adapter.InboundContext
+ err = sniff.DTLSRecord(context.Background(), &metadata, packet)
require.NoError(t, err)
require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
}
diff --git a/common/sniff/http.go b/common/sniff/http.go
index faf05fd3..0e6ab406 100644
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -11,10 +11,12 @@ import (
"github.com/sagernet/sing/protocol/http"
)
-func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func HTTPHost(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
request, err := http.ReadRequest(std_bufio.NewReader(reader))
if err != nil {
- return nil, err
+ return err
}
- return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
+ metadata.Protocol = C.ProtocolHTTP
+ metadata.Domain = M.ParseSocksaddr(request.Host).AddrString()
+ return nil
}
diff --git a/common/sniff/http_test.go b/common/sniff/http_test.go
index 98100e09..9f64efa8 100644
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -5,6 +5,7 @@ import (
"strings"
"testing"
+ "github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/common/sniff"
"github.com/stretchr/testify/require"
@@ -13,7 +14,8 @@ import (
func TestSniffHTTP1(t *testing.T) {
t.Parallel()
pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
- metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
+ var metadata adapter.InboundContext
+ err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
require.NoError(t, err)
require.Equal(t, metadata.Domain, "www.google.com")
}
@@ -21,7 +23,8 @@ func TestSniffHTTP1(t *testing.T) {
func TestSniffHTTP1WithPort(t *testing.T) {
t.Parallel()
pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
- metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
+ var metadata adapter.InboundContext
+ err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
require.NoError(t, err)
require.Equal(t, metadata.Domain, "www.gov.cn")
}
diff --git a/common/sniff/quic.go b/common/sniff/quic.go
index 55dc1c00..adec7008 100644
--- a/common/sniff/quic.go
+++ b/common/sniff/quic.go
@@ -5,95 +5,99 @@ import (
"context"
"crypto"
"crypto/aes"
+ "crypto/tls"
"encoding/binary"
"io"
"os"
"github.com/sagernet/sing-box/adapter"
+ "github.com/sagernet/sing-box/common/ja3"
"github.com/sagernet/sing-box/common/sniff/internal/qtls"
C "github.com/sagernet/sing-box/constant"
+ "github.com/sagernet/sing/common/buf"
E "github.com/sagernet/sing/common/exceptions"
"golang.org/x/crypto/hkdf"
)
-func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
- reader := bytes.NewReader(packet)
+var ErrClientHelloFragmented = E.New("need more packet for chromium QUIC connection")
+func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
+ reader := bytes.NewReader(packet)
typeByte, err := reader.ReadByte()
if err != nil {
- return nil, err
+ return err
}
if typeByte&0x40 == 0 {
- return nil, E.New("bad type byte")
+ return E.New("bad type byte")
}
var versionNumber uint32
err = binary.Read(reader, binary.BigEndian, &versionNumber)
if err != nil {
- return nil, err
+ return err
}
if versionNumber != qtls.VersionDraft29 && versionNumber != qtls.Version1 && versionNumber != qtls.Version2 {
- return nil, E.New("bad version")
+ return E.New("bad version")
}
packetType := (typeByte & 0x30) >> 4
if packetType == 0 && versionNumber == qtls.Version2 || packetType == 2 && versionNumber != qtls.Version2 || packetType > 2 {
- return nil, E.New("bad packet type")
+ return E.New("bad packet type")
}
destConnIDLen, err := reader.ReadByte()
if err != nil {
- return nil, err
+ return err
}
if destConnIDLen == 0 || destConnIDLen > 20 {
- return nil, E.New("bad destination connection id length")
+ return E.New("bad destination connection id length")
}
destConnID := make([]byte, destConnIDLen)
_, err = io.ReadFull(reader, destConnID)
if err != nil {
- return nil, err
+ return err
}
srcConnIDLen, err := reader.ReadByte()
if err != nil {
- return nil, err
+ return err
}
_, err = io.CopyN(io.Discard, reader, int64(srcConnIDLen))
if err != nil {
- return nil, err
+ return err
}
tokenLen, err := qtls.ReadUvarint(reader)
if err != nil {
- return nil, err
+ return err
}
_, err = io.CopyN(io.Discard, reader, int64(tokenLen))
if err != nil {
- return nil, err
+ return err
}
packetLen, err := qtls.ReadUvarint(reader)
if err != nil {
- return nil, err
+ return err
}
hdrLen := int(reader.Size()) - reader.Len()
if hdrLen+int(packetLen) > len(packet) {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
_, err = io.CopyN(io.Discard, reader, 4)
if err != nil {
- return nil, err
+ return err
}
pnBytes := make([]byte, aes.BlockSize)
_, err = io.ReadFull(reader, pnBytes)
if err != nil {
- return nil, err
+ return err
}
var salt []byte
@@ -117,7 +121,7 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
hpKey := qtls.HKDFExpandLabel(crypto.SHA256, secret, []byte{}, hkdfHeaderProtectionLabel, 16)
block, err := aes.NewCipher(hpKey)
if err != nil {
- return nil, err
+ return err
}
mask := make([]byte, aes.BlockSize)
block.Encrypt(mask, pnBytes)
@@ -129,7 +133,7 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
}
packetNumberLength := newPacket[0]&0x3 + 1
if hdrLen+int(packetNumberLength) > int(packetLen)+hdrLen {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
var packetNumber uint32
switch packetNumberLength {
@@ -142,7 +146,7 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
case 4:
packetNumber = binary.BigEndian.Uint32(newPacket[hdrLen:])
default:
- return nil, E.New("bad packet number length")
+ return E.New("bad packet number length")
}
extHdrLen := hdrLen + int(packetNumberLength)
copy(newPacket[extHdrLen:hdrLen+4], packet[extHdrLen:])
@@ -166,138 +170,208 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
decrypted, err := cipher.Open(newPacket[extHdrLen:extHdrLen], nonce, data, newPacket[:extHdrLen])
if err != nil {
- return nil, err
+ return err
}
var frameType byte
- var frameLen uint64
- var fragments []struct {
- offset uint64
- length uint64
- payload []byte
- }
+ var fragments []qCryptoFragment
decryptedReader := bytes.NewReader(decrypted)
+ const (
+ frameTypePadding = 0x00
+ frameTypePing = 0x01
+ frameTypeAck = 0x02
+ frameTypeAck2 = 0x03
+ frameTypeCrypto = 0x06
+ frameTypeConnectionClose = 0x1c
+ )
+ var frameTypeList []uint8
for {
frameType, err = decryptedReader.ReadByte()
if err == io.EOF {
break
}
+ frameTypeList = append(frameTypeList, frameType)
switch frameType {
- case 0x00: // PADDING
+ case frameTypePadding:
continue
- case 0x01: // PING
+ case frameTypePing:
continue
- case 0x02, 0x03: // ACK
+ case frameTypeAck, frameTypeAck2:
_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
if err != nil {
- return nil, err
+ return err
}
_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
if err != nil {
- return nil, err
+ return err
}
ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
if err != nil {
- return nil, err
+ return err
}
_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
if err != nil {
- return nil, err
+ return err
}
for i := 0; i < int(ackRangeCount); i++ {
_, err = qtls.ReadUvarint(decryptedReader) // Gap
if err != nil {
- return nil, err
+ return err
}
_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
if err != nil {
- return nil, err
+ return err
}
}
if frameType == 0x03 {
_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
if err != nil {
- return nil, err
+ return err
}
_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
if err != nil {
- return nil, err
+ return err
}
_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
if err != nil {
- return nil, err
+ return err
}
}
- case 0x06: // CRYPTO
+ case frameTypeCrypto:
var offset uint64
offset, err = qtls.ReadUvarint(decryptedReader)
if err != nil {
- return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
+ return err
}
var length uint64
length, err = qtls.ReadUvarint(decryptedReader)
if err != nil {
- return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
+ return err
}
index := len(decrypted) - decryptedReader.Len()
- fragments = append(fragments, struct {
- offset uint64
- length uint64
- payload []byte
- }{offset, length, decrypted[index : index+int(length)]})
- frameLen += length
+ fragments = append(fragments, qCryptoFragment{offset, length, decrypted[index : index+int(length)]})
_, err = decryptedReader.Seek(int64(length), io.SeekCurrent)
if err != nil {
- return nil, err
+ return err
}
- case 0x1c: // CONNECTION_CLOSE
+ case frameTypeConnectionClose:
_, err = qtls.ReadUvarint(decryptedReader) // Error Code
if err != nil {
- return nil, err
+ return err
}
_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
if err != nil {
- return nil, err
+ return err
}
var length uint64
length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
if err != nil {
- return nil, err
+ return err
}
_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
if err != nil {
- return nil, err
+ return err
}
default:
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
}
- tlsHdr := make([]byte, 5)
- tlsHdr[0] = 0x16
- binary.BigEndian.PutUint16(tlsHdr[1:], uint16(0x0303))
- binary.BigEndian.PutUint16(tlsHdr[3:], uint16(frameLen))
+ if metadata.SniffContext != nil {
+ fragments = append(fragments, metadata.SniffContext.([]qCryptoFragment)...)
+ metadata.SniffContext = nil
+ }
+ var frameLen uint64
+ for _, fragment := range fragments {
+ frameLen += fragment.length
+ }
+ buffer := buf.NewSize(5 + int(frameLen))
+ defer buffer.Release()
+ buffer.WriteByte(0x16)
+ binary.Write(buffer, binary.BigEndian, uint16(0x0303))
+ binary.Write(buffer, binary.BigEndian, uint16(frameLen))
var index uint64
var length int
- var readers []io.Reader
- readers = append(readers, bytes.NewReader(tlsHdr))
find:
for {
for _, fragment := range fragments {
if fragment.offset == index {
- readers = append(readers, bytes.NewReader(fragment.payload))
+ buffer.Write(fragment.payload)
index = fragment.offset + fragment.length
length++
continue find
}
}
- if length == len(fragments) {
- break
- }
- return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, E.New("bad fragments")
- }
- metadata, err := TLSClientHello(ctx, io.MultiReader(readers...))
- if err != nil {
- return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
+ break
}
metadata.Protocol = C.ProtocolQUIC
- return metadata, nil
+ fingerprint, err := ja3.Compute(buffer.Bytes())
+ if err != nil {
+ metadata.Protocol = C.ProtocolQUIC
+ metadata.Client = C.ClientChromium
+ metadata.SniffContext = fragments
+ return ErrClientHelloFragmented
+ }
+ metadata.Domain = fingerprint.ServerName
+ for metadata.Client == "" {
+ if len(frameTypeList) == 1 {
+ metadata.Client = C.ClientFirefox
+ break
+ }
+ if frameTypeList[0] == frameTypeCrypto && isZero(frameTypeList[1:]) {
+ if len(fingerprint.Versions) == 2 && fingerprint.Versions[0]&ja3.GreaseBitmask == 0x0A0A &&
+ len(fingerprint.EllipticCurves) == 5 && fingerprint.EllipticCurves[0]&ja3.GreaseBitmask == 0x0A0A {
+ metadata.Client = C.ClientSafari
+ break
+ }
+ if len(fingerprint.CipherSuites) == 1 && fingerprint.CipherSuites[0] == tls.TLS_AES_256_GCM_SHA384 &&
+ len(fingerprint.EllipticCurves) == 1 && fingerprint.EllipticCurves[0] == uint16(tls.X25519) &&
+ len(fingerprint.SignatureAlgorithms) == 1 && fingerprint.SignatureAlgorithms[0] == uint16(tls.ECDSAWithP256AndSHA256) {
+ metadata.Client = C.ClientSafari
+ break
+ }
+ }
+
+ if frameTypeList[len(frameTypeList)-1] == frameTypeCrypto && isZero(frameTypeList[:len(frameTypeList)-1]) {
+ metadata.Client = C.ClientQUICGo
+ break
+ }
+
+ if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
+ if maybeUQUIC(fingerprint) {
+ metadata.Client = C.ClientQUICGo
+ } else {
+ metadata.Client = C.ClientChromium
+ }
+ break
+ }
+
+ metadata.Client = C.ClientUnknown
+ //nolint:staticcheck
+ break
+ }
+ return nil
+}
+
+func isZero(slices []uint8) bool {
+ for _, slice := range slices {
+ if slice != 0 {
+ return false
+ }
+ }
+ return true
+}
+
+func count(slices []uint8, value uint8) int {
+ var times int
+ for _, slice := range slices {
+ if slice == value {
+ times++
+ }
+ }
+ return times
+}
+
+type qCryptoFragment struct {
+ offset uint64
+ length uint64
+ payload []byte
}
diff --git a/common/sniff/quic_blacklist.go b/common/sniff/quic_blacklist.go
new file mode 100644
index 00000000..7d5f91e7
--- /dev/null
+++ b/common/sniff/quic_blacklist.go
@@ -0,0 +1,24 @@
+package sniff
+
+import (
+ "crypto/tls"
+
+ "github.com/sagernet/sing-box/common/ja3"
+)
+
+// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
+// The cronet without this behavior does not have version 115
+var uQUICChrome115 = &ja3.ClientHello{
+ Version: tls.VersionTLS12,
+ CipherSuites: []uint16{4865, 4866, 4867},
+ Extensions: []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
+ EllipticCurves: []uint16{29, 23, 24},
+ SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
+}
+
+func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
+ if uQUICChrome115.Equals(fingerprint, true) {
+ return true
+ }
+ return false
+}
diff --git a/common/sniff/quic_test.go b/common/sniff/quic_test.go
index 80719765..e75e86a5 100644
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -5,31 +5,69 @@ import (
"encoding/hex"
"testing"
+ "github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/common/sniff"
+ C "github.com/sagernet/sing-box/constant"
"github.com/stretchr/testify/require"
)
-func TestSniffQUICv1(t *testing.T) {
+func TestSniffQUICChromium(t *testing.T) {
t.Parallel()
- pkt, err := hex.DecodeString("cc0000000108d2dc7bad02241f5003796e71004215a71bfcb05159416c724be418537389acdd9a4047306283dcb4d7a9cad5cc06322042d204da67a8dbaa328ab476bb428b48fd001501863afd203f8d4ef085629d664f1a734a65969a47e4a63d4e01a21f18c1d90db0c027180906dc135f9ae421bb8617314c8d54c175fef3d3383d310d0916ebcbd6eed9329befbbb109d8fd4af1d2cf9d6adce8e6c1260a7f8256e273e326da0aa7cc148d76e7a08489dc9d52ade89c027cbc3491ada46417c2c04e2ca768e9a7dd6aa00c594e48b678927325da796817693499bb727050cb3baf3d3291a397c3a8d868e8ec7b8f7295e347455c9dadbe2252ae917ac793d958c7fb8a3d2cdb34e3891eb4286f18617556ff7216dd60256aa5b1d11ff4753459fc5f9dedf11d483a26a0835dc6cd50e1c1f54f86e8f1e502821183cd874f6447a74e818bf3445c7795acf4559d1c1fac474911d2ead5c8d23e4aa4f67afb66efe305a30a0b5d825679b31ddc186cbea936535795c7e8c378c87b8c5adc065154d15bae8f85ac8fec2da40c3aa623b682a065440831555011d7647cde44446a0fb4cf5892f2c088ae1920643094be72e3c499fe8d265caf939e8ab607a5b9317917d2a32a812e8a0e6a2f84721bbb5984ffd242838f705d13f4cfb249bc6a5c80d58ac2595edf56648ec3fe21d787573c253a79805252d6d81e26d367d4ff29ef66b5fe8992086af7bada8cad10b82a7c0dc406c5b6d0c5ec3c583e767f759ce08cad6c3c8f91e5a8")
+ pkt, err := hex.DecodeString("c30000000108f40d654cc09b27f5000044d08a94548e57e43cc5483f129986187c432d58d46674830442988f869566a6e31e2ae37c9f7acbf61cc81621594fab0b3dfdc1635460b32389563dc8e74006315661cd22694114612973c1c45910621713a48b375854f095e8a77ccf3afa64e972f0f7f7002f50e0b014b1b146ea47c07fb20b73ad5587872b51a0b3fafdf1c4cf4fe6f8b112142392efa25d993abe2f42582be145148bdfe12edcd96c3655b65a4781b093e5594ba8e3ae5320f12e8314fc3ca374128cc43381046c322b964681ed4395c813b28534505118201459665a44b8f0abead877de322e9040631d20b05f15b81fa7ff785d4041aecc37c7e2ccdc5d1532787ce566517e8985fd5c200dbfd1e67bc255efaba94cfc07bb52fea4a90887413b134f2715b5643542aa897c6116486f428d82da64d2a2c1e1bdd40bd592558901a554b003d6966ac5a7b8b9413eddbf6ef21f28386c74981e3ce1d724c341e95494907626659692720c81114ca4acea35a14c402cfa3dc2228446e78dc1b81fa4325cf7e314a9cad6a6bdff33b3351dcba74eb15fae67f1227283aa4cdd64bcadf8f19358333f8549b596f4350297b5c65274565869d497398339947b9d3d064e5b06d39d34b436d8a41c1a3880de10bd26c3b1c5b4e2a49b0d4d07b8d90cd9e92bc611564d19ea8ec33099e92033caf21f5307dbeaa4708b99eb313bff99e2081ac25fd12d6a72e8335e0724f6718fe023cd0ad0d6e6a6309f09c9c391eec2bc08e9c3210a043c08e1759f354c121f6517fff4d6e20711a871e41285d48d930352fddffb92c96ba57df045ce99f8bfdfa8edc0969ce68a51e9fbb4f54b956d9df74a9e4af27ed2b27839bce1cffeca8333c0aaee81a570217442f9029ba8fedb84a2cf4be4d910982d891ea00e816c7fb98e8020e896a9c6fdd9106611da0a99dde18df1b7a8f6327acb1eed9ad93314451e48cb0dfb9571728521ca3db2ac0968159d5622556a55d51a422d11995b650949aaefc5d24c16080446dfc4fbc10353f9f93ce161ab513367bb89ab83988e0630b689e174e27bcfcc31996ee7b0bca909e251b82d69a28fee5a5d662e127508cd19dbbe5097b7d5b62a49203d66764197a527e472e2627e44a93d44177dace9d60e7d0e03305ddf4cfe47cdf2362e14de79ef46a6763ce696cd7854a48d9419a0817507a4713ffd4977b906d4f2b5fb6dbe1bd15bc505d5fea582190bf531a45d5ee026da8918547fd5105f15e5d061c7b0cf80a34990366ed8e91e13c2f0d85e5dad537298808d193cf54b7eaac33f10051f74cb6b75e52f81618c36f03d86aef613ba237a1a793ba1539938a38f62ccaf7bd5f6c5e0ce53cde4012fcf2b758214a0422d2faaa798e86e19d7481b42df2b36a73d287ff28c20cce01ce598771fec16a8f1f00305c06010126013a6c1de9f589b4e79d693717cd88ad1c42a2d99fa96617ba0bc6365b68e21a70ebc447904aa27979e1514433cfd83bfec09f137c747d47582cb63eb28f873fb94cf7a59ff764ddfbb687d79a58bb10f85949269f7f72c611a5e0fbb52adfa298ff060ec2eb7216fd7302ea8fb07798cbb3be25cb53ac8161aac2b5bbcfbcfb01c113d28bd1cb0333fb89ac82a95930f7abded0a2f5a623cc6a1f62bf3f38ef1b81c1e50a634f657dbb6770e4af45879e2fb1e00c742e7b52205c8015b5c0f5b1e40186ff9aa7288ab3e01a51fb87761f9bc6837082af109b39cc9f620")
require.NoError(t, err)
- metadata, err := sniff.QUICClientHello(context.Background(), pkt)
+ var metadata adapter.InboundContext
+ err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+ require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
+ require.Equal(t, metadata.Client, C.ClientChromium)
+ require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
+ pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
require.NoError(t, err)
- require.Equal(t, metadata.Domain, "cloudflare-quic.com")
+ err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+ require.NoError(t, err)
+ require.Equal(t, metadata.Domain, "google.com")
}
-func TestSniffQUICFragment(t *testing.T) {
+func TestSniffUQUICChrome115(t *testing.T) {
t.Parallel()
- pkt, err := hex.DecodeString("cc00000001082e3d5d1b64040c55000044d0ccea69e773f6631c1d18b04ae9ee75fcfc34ef74fa62533c93534338a86f101a05d70e0697fb483063fa85db1c59ccfbda5c35234931d8524d8aac37eaaad649470a67794cd754b23c98695238b8363452333bc8c4858376b4166e001da2006e35cf98a91e11a56419b2786775284942d0f7163982f7c248867d12dd374957481dbc564013ff785e1916195eef671f725908f761099d992d69231336ba81d9e25fe2fa3a6eff4318a6ccf10176fc841a1b315f7b35c5b292266fc869d76ca533e7d14e86d82db2e22eacd350977e47d2e012d8a5891c5aaf2a0f4c2b2dae897c161e5b68cbb4dee952472bdc1e21504b8f02534ec4366ce3f8bf86efc78e0232778fbd554457567112abdcafcf6d4d8fcf35083c25d9495679614aba21696e338c62b585046cc55ba8c09c844361d889a47c3ea703b4e23545a9ab2c0bb369693a9ddfb5daffa85cf80fdd6ad66738664e5b0a551729b4955cff7255afcb04dee88c2f072c9de7400947a1bd9327ac5d012a33000ada021d4c03d249fb017d6ac9200b2f9436beab8183ddfbe2d8aee31ffb7df9e1cc181c1af80c39a89965d18ed12da8e3ebe2ae1fbe4b348f83ba19e3e3d1c9b22bcf03ab6ad9b30fe180623faa291ebad83bcd71d7b57f2f5e2f3b8e81d24fb70b2f2159239e8f21ffafef2747aba47d97ab4081e603c018b10678cf99cab1fb42156a14486fa435153979d7279fd22cd40af7088bfc7eff41af2f4b3c0c8864d0040d74dff427f7bffdb8c278474ea00311326cf4925471a8cf596cb92119f19e0f789490ba9cb77b98015a987d93e0324cf1a38b55109f00c3e6ddc5180fb107bf468323afec9bb49fd6a86418569789d66cafe3b8253c2aebb3af3782c1c54dd560487d031d28e6a6e23e159581bb1d47efc4da3fe1d169f9ffb0ca9ba61af0a38a92fde5bc5e6ec026e8378a6315a7b95abf1d2da790a391306ce74d0baf8e2ce648ca74c487f2c0a76a28a80cdf5bd34316eb607684fe7e6d9e83824a00e07660d0b90e3cddd61ebf10748263474afa88c300549e64ce2e90560bb1a12dee7e9484f729a8a4ee7c5651adb5194b3b3ae38e501567c7dbf36e7bb37a2c20b74655f47f2d9af18e52e9d4c9c9eee8e63745779b8f0b06f3a09d846ba62eb978ad77c85de1ee2fee3fbb4c2d283c73e1ccba56a4658e48a2665d200f7f9342f8e84c2ba490094a4f94feec89e42d2f654f564c2beb2997bafa1fc2c68ad8e160b63587d49abc31b834878d52acfb05fb73d0e059b206162e3c90b40c4bc08407ffcb3c08431895b691a3fea923f1f3b48db75d3e6b91fd319ffe4d486e0e14bd5c6affc838dee63d9e0b80f169b5e6c02c7321dcb20deb2b8e707b60e345a308d505bbf26a93d8f18b39d62632e9a77cbe48b3b32eb8819d6311a49820d40f5acbf0273c91c36b2269a03e72ee64df3dfb10ddefe73c64ef60870b2b77bd99dea655f5fe791b538a929a14d99f6d69685d72431ea5f0f4b27a044f2f575ab474fcc3857895934de1ca2581798eaef2c17fe5aaf2e6add97fa32997c7026f15c1b1ad0e6043ae506027a7c0242546fdc851cca39a204e56879f2cef838be8ec66e0f2292f8c862e06f810eb9b80c7a467ce6e90155206352c7f82b1173ba3b98d35bb72c259a60db20dd1a43fe6d7aef0265e6eaa5caafd9b64b448ff745a2046acbdb65cf2a5007809808a4828dc99097feedc734c236260c584")
+ pkt, err := hex.DecodeString("cb0000000108181e17c387120abc000044d0705b6a3ef9ee37a8d3949a7d393ed078243c2ee2c3627fad1c3f107c117f4f071131ad61848068fcbbe5c65803c147f7f8ec5e2cd77b77beea23ba779d936dccac540f8396400e3190ea35cc2942af4171a04cb14272491920f90124959f44e80143678c0b52f5d31af319aaa589db2f940f004562724d0af40f737e1bb0002a071e6a1dbc9f52c64f070806a5010abed0298053634d9c9126bd7949ae5087998ade762c0ad06691d99c0875a38c601fc1ee77bfc3b8c11381829f2c9bdd022f4499c43ff1d6aee1a0d296861461dda217d22c568b276016ef3929e59d2f7d7ddf7809920fb7dc805641608949f3f8466ab3d37149aac501f0b107d808f3add4acfc657e4a82e2b88e97a6c74a00c419548760ab3414ba13915c78a1ca79dceee8d59fbe299f20b671ac44823218368b2a026baa55170cf549519ac21dbb6d31d248bd339438a4e663bcdca1fe3ae3f045a5dc19b122e9db9d7af9757076666dda4e9ace1c67def77fa14786f0cab3ebf7a270ea6e2b37838318c95779f80c3b8471948d0046c3614b3a13477c939a39a7855d85d13522a45ae0765739cd5eedef87237e824a929983ace27640c6495dbf5a72fa0b96893dc5d28f3988249a57bdb458d460b4a57043de3da750a76b6e5d2259247ca27cd864ea18f0d09aa62ab6eb7c014fb43179b2a1963d170b756cce83eeaebff78a828d025c811848e16ff862a8080d093478cd2208c8ab0803178325bc0d9d6bb25e62fa50c4ad15cf80916da6578796932036c72e43eb480d1e423ed812ac75a97722f8416529b82ba8ee2219c535012282bb17066bd53e78b87a71abdb7ebdb2a7c2766ff8397962e87d0f85485b64b4ee81cc84f99c47f33f2b0872716441992773f59186e38d32dbf5609a6fda94cb928cd25f5a7a3ab736b5a4236b6d5409ab18892c6a4d3480fc2350abfdf0bab1cedb55bdf0760fdb703e6688f4de596254eed4ed3e67eb03d0717b8e15b31e735214e588c87ae36bc6c310e1894b4c15143e4ccf287b2dbc707a946bf9671ae3c574f9486b2c82eec784bba4cbc76113cbe0f97ac8c13cfa38f2925ab9d06887a612ce48280a91d7e074e6caf898d88e2bbf71360899abf48a03f9a70cf2891199f2d63b116f4871af0ebb4f4906792f66cc21d1609f189138532875c129a68c73e7bcd3b5d8100beac1d8ac4b20d94a59ac8df5a5af58a9acb20413eadf97189f5f19ff889155f0c4d37514ec184eb6903967ff38a41fc087abb0f2cad3761d6e3f95f92a09a72f5c065b16e188088b87460241f27ecdb1bc6ece92c8d36b2d68b58d0fb4d4b3c928c579ade8ae5a995833aadd297c30a37f7bc35440fc97070e1b198e0fac00157452177d16d2803b4239997452b4ad3a951173bdec47a033fd7f8a7942accaa9aaa905b3c5a2175e7c3e07c48bf25331727fd69cd1e64d74d8c9d4a6f8f4491adb7bc911505cb19877083d8f21a12475e313fccf57877ff3556318e81ed9145dd9427f2b65275440893035f417481f721c69215af8ae103530cd0a1d35bf2cb5a27628f8d44d7c6f5ec12ce79d0a8333e0eb48771115d0a191304e46b8db19bbe5c40f1c346dde98e76ff5e21ff38d2c34e60cb07766ed529dd6d2cbacd7fbf1ed8a0e6e40decad0ca5021e91552be87c156d3ae2fffef41c65b14ba6d488f2c3227a1ab11ffce0e2dc47723a69da27a67a7f26e1cb13a7103af9b87a8db8e18ea")
require.NoError(t, err)
- metadata, err := sniff.QUICClientHello(context.Background(), pkt)
+ var metadata adapter.InboundContext
+ err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
require.NoError(t, err)
- require.Equal(t, metadata.Domain, "cloudflare-quic.com")
+ require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
+ require.Equal(t, metadata.Client, C.ClientQUICGo)
+ require.Equal(t, metadata.Domain, "www.google.com")
+}
+
+func TestSniffQUICFirefox(t *testing.T) {
+ t.Parallel()
+ pkt, err := hex.DecodeString("c8000000010867f174d7ebfe1b0803cd9c20004286de068f7963cf1736349ee6ebe0ddcd3e4cd0041a51ced3f7ce9eea1fb595458e74bdb4b792b16449bd8cae71419862c4fcbe766eaec7d1af65cd298e1dd46f8bd94a77ab4ca28c54b8e9773de3f02d7cb2463c9f7dcacfb311f024b0266ec6ab7bfb615b4148333fb4d4ece7c4cd90029ca30c2cbae2216b428499ec873fa125797e71c5a5da85087760ad37ca610020f71b76e82651c47576e20bf33cf676cb2d400b8c09d3c8cb4e21c47d2b21f6b68732bef30c8cefd5c723fc23eb29e6f7f65a5e52aad9055c1fb3d8b1811f0380b38d7e2eee8eb37dd5bd5d4ca4b66540175d916289d88a9df7c161964d713999c5057d27edb298ef5164352568b0d4bac3c15d90456e8fd460e41b81d0ec1b1e94b87d3333cc6908b018e0914ae1f214d73e75398da3d55a0106161d3a75897b4eb66e98c59010fae75f0d367d38be48c3a5c58bc8a30773c3fff50690ac9d487822f85d4f5713d626baa92d36e858dd21259cf814bce0b90d18da88a1ade40113e5a088cdb304a2558879152a8cf15c1839e056378aa41acba6fcb9974dee54bd50b5d4eb2c475654e06c0ec06b7f18f4462c808684843a1071041b9bfb2688324e0120144944416e30e83eedbbbcbc275b1f53762d3db18f0998ce54f0e1c512946b4098f07781d49264fa148f4c8220a3b02e73d7f15554aa370aafeff73cb75c52c494edf90f0261abfdd32a4d670f729de50266162687aa8efe14b8506f313b058b02aaaab5825428f5f4510b8e49451fdcb7b5a4af4b59c831afcb89fb4f64dba78e3b38387e87e9e8cdaa1f3b700a87c7d442388863b8950296e5773b38f308d62f52548c0bbf308e40540747cca5bf99b1345bc0d70b8f0e69a83b85a8d69f795b87f93e2bfccf52b529afea4ff6fd456957000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+ require.NoError(t, err)
+ var metadata adapter.InboundContext
+ err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+ require.NoError(t, err)
+ require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
+ require.Equal(t, metadata.Client, C.ClientFirefox)
+ require.Equal(t, metadata.Domain, "www.google.com")
+}
+
+func TestSniffQUICSafari(t *testing.T) {
+ t.Parallel()
+ pkt, err := hex.DecodeString("c70000000108e4e75af2e223198a0000449ef2d83cb4473a62765eba67424cd4a5817315cbf55a9e8daaca360904b0bae60b1629cfeba11e2dfbbf5ea4c588cb134e31af36fd7a409fb0fcc0187e9b56037ac37964ed20a8c1ca19fd6cfd53398324b3d0c71537294f769db208fa998b6811234a4a7eb3b5eceb457ae92e3a2d98f7c110702db8064b5c29fa3298eb1d0529fd445a84a5fd6ff8709be90f8af4f94998d8a8f2953bb05ad08c80668eca784c6aec959114e68e5b827e7c41c79f2277c716a967e7fcc8d1b77442e6cb18329dbedb34b473516b468cba5fc20659e655fbe37f36408289b9a475fcee091bd82828d3be00367e9e5cec9423bb97854abdada1d7562a3777756eb3bddef826ddc1ef46137cb01bb504a54d410d9bcb74cd5f959050c84edf343fa6a49708c228a758ee7adbbadf260b2f1984911489712e2cb364a3d6520badba4b7e539b9c163eeddfd96c0abb0de151e47496bb9750be76ee17ccdb61d35d2c6795174037d6f9d282c3f36c4d9a90b64f3b6ddd0cf4d9ed8e6f7805e25928fa04b087e63ae02761df30720cc01dfc32b64c575c8a66ef82e9a17400ff80cd8609b93ba16d668f4aa734e71c4a5d145f14ee1151bec970214e0ff83fc3e1e85d8694f2975f9155c57c18b7b69bb6a36832a9435f1f4b346a7be188f3a75f9ad2cc6ad0a3d26d6fa7d4c1179bd49bd5989d15ba43ff602890107db96484695086627356750d7b2b3b714ba65d564654e8f60ac10f5b6d3bfb507e8eaa31bab1da2d676195046d165c7f8b32829c9f9b68d97b2af7ac04a1369357e4b65de2b2f24eaf27cc8d95e05db001adebe726f927a94e43e62ce671e6e306e16f05aafcbe6c49080e80286d7939f375023d110a5ad9069364ae928ca480454a9dcddd61bc48b7efeb716a5bd6c7cd39c486ceb20c738af6abf22ba1ddd8b4a3b781fc2f251173409e1aadccbd7514e97106d0ebfc3af6e59445f74cd733a1ba99b10fce3fb4e9f7c88f5e25b567f5ba2b8dabacd375e7faf7634bfa178cbe51aee63032c5126b196ea47b02385fc3062a000fb7e4b4d0d12e74579f8830ede20d10829496032b2cc56743287f9a9b4d5091877a82fea44deb2cffac8a379f78a151d99e28cbc74d732c083bf06d50584e3f18f254e71a48d6ababaf6fff6f425e9be001510dfbe6a32a27792c00ada036b62ddb90c706d7b882c76a7072f5dd11c69a1f49d4ba183cb0b57545419fa27b9b9706098848935ae9c9e8fbe9fac165d1339128b991a73d20e7795e8d6a8c6adfbf20bf13ada43f2aef3ba78c14697910507132623f721387dce60c4707225b84d9782d469a5d9eaa099f35d6a590ef142ddef766495cf3337815ceef5ff2b3ed352637e72b5c23a2a8ff7d7440236a19b981d47f8e519a0431ebfbc0b78d8a36798b4c060c0c6793499f1e2e818862560a5b501c8d02ba1517be1941da2af5b174e0189c62978d878eb0f9c9db3a9221c28fb94645cf6e85ff2eea8c65ba3083a7382b131b83102dd67aa5453ad7375a4eb8c69fc479fbd29dab8924f801d253f2c997120b705c6e5217fb74702e2f1038917dd5fb0eeb7ae1bf7a668fc7d50c034b4cd5a057a8482e6bc9c921297f44e76967265623a167cd9883eb6e64bc77856dc333bd605d7df3bed0e5cecb5a99fe8b62873d58530f")
+ require.NoError(t, err)
+ var metadata adapter.InboundContext
+ err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+ require.NoError(t, err)
+ require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
+ require.Equal(t, metadata.Client, C.ClientSafari)
+ require.Equal(t, metadata.Domain, "www.google.com")
}
func FuzzSniffQUIC(f *testing.F) {
f.Fuzz(func(t *testing.T, data []byte) {
- sniff.QUICClientHello(context.Background(), data)
+ var metadata adapter.InboundContext
+ err := sniff.QUICClientHello(context.Background(), &metadata, data)
+ require.Error(t, err)
})
}
diff --git a/common/sniff/sniff.go b/common/sniff/sniff.go
index 424311a8..eaea3b10 100644
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -14,11 +14,11 @@ import (
)
type (
- StreamSniffer = func(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error)
- PacketSniffer = func(ctx context.Context, packet []byte) (*adapter.InboundContext, error)
+ StreamSniffer = func(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error
+ PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
)
-func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
+func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
if timeout == 0 {
timeout = C.ReadPayloadTimeout
}
@@ -28,7 +28,7 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
for i := 0; i < 3; i++ {
err := conn.SetReadDeadline(deadline)
if err != nil {
- return nil, E.Cause(err, "set read deadline")
+ return E.Cause(err, "set read deadline")
}
_, err = buffer.ReadOnceFrom(conn)
err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
@@ -36,27 +36,27 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
if i > 0 {
break
}
- return nil, E.Cause(err, "read payload")
+ return E.Cause(err, "read payload")
}
for _, sniffer := range sniffers {
- metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
- if metadata != nil {
- return metadata, nil
+ err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
+ if err == nil {
+ return nil
}
errors = append(errors, err)
}
}
- return nil, E.Errors(errors...)
+ return E.Errors(errors...)
}
-func PeekPacket(ctx context.Context, packet []byte, sniffers ...PacketSniffer) (*adapter.InboundContext, error) {
+func PeekPacket(ctx context.Context, metadata *adapter.InboundContext, packet []byte, sniffers ...PacketSniffer) error {
var errors []error
for _, sniffer := range sniffers {
- metadata, err := sniffer(ctx, packet)
- if metadata != nil {
- return metadata, nil
+ err := sniffer(ctx, metadata, packet)
+ if err == nil {
+ return nil
}
errors = append(errors, err)
}
- return nil, E.Errors(errors...)
+ return E.Errors(errors...)
}
diff --git a/common/sniff/stun.go b/common/sniff/stun.go
index 66a72d7e..dfd11259 100644
--- a/common/sniff/stun.go
+++ b/common/sniff/stun.go
@@ -9,16 +9,17 @@ import (
C "github.com/sagernet/sing-box/constant"
)
-func STUNMessage(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
+func STUNMessage(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
pLen := len(packet)
if pLen < 20 {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
if binary.BigEndian.Uint32(packet[4:8]) != 0x2112A442 {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
if len(packet) < 20+int(binary.BigEndian.Uint16(packet[2:4])) {
- return nil, os.ErrInvalid
+ return os.ErrInvalid
}
- return &adapter.InboundContext{Protocol: C.ProtocolSTUN}, nil
+ metadata.Protocol = C.ProtocolSTUN
+ return nil
}
diff --git a/common/sniff/stun_test.go b/common/sniff/stun_test.go
index 6da89162..f465763e 100644
--- a/common/sniff/stun_test.go
+++ b/common/sniff/stun_test.go
@@ -5,6 +5,7 @@ import (
"encoding/hex"
"testing"
+ "github.com/sagernet/sing-box/adapter"
"github.com/sagernet/sing-box/common/sniff"
C "github.com/sagernet/sing-box/constant"
@@ -15,14 +16,16 @@ func TestSniffSTUN(t *testing.T) {
t.Parallel()
packet, err := hex.DecodeString("000100002112a44224b1a025d0c180c484341306")
require.NoError(t, err)
- metadata, err := sniff.STUNMessage(context.Background(), packet)
+ var metadata adapter.InboundContext
+ err = sniff.STUNMessage(context.Background(), &metadata, packet)
require.NoError(t, err)
require.Equal(t, metadata.Protocol, C.ProtocolSTUN)
}
func FuzzSniffSTUN(f *testing.F) {
f.Fuzz(func(t *testing.T, data []byte) {
- if _, err := sniff.STUNMessage(context.Background(), data); err == nil {
+ var metadata adapter.InboundContext
+ if err := sniff.STUNMessage(context.Background(), &metadata, data); err == nil {
t.Fail()
}
})
diff --git a/common/sniff/tls.go b/common/sniff/tls.go
index dcba195a..6fe430e2 100644
--- a/common/sniff/tls.go
+++ b/common/sniff/tls.go
@@ -10,7 +10,7 @@ import (
"github.com/sagernet/sing/common/bufio"
)
-func TLSClientHello(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
var clientHello *tls.ClientHelloInfo
err := tls.Server(bufio.NewReadOnlyConn(reader), &tls.Config{
GetConfigForClient: func(argHello *tls.ClientHelloInfo) (*tls.Config, error) {
@@ -19,7 +19,9 @@ func TLSClientHello(ctx context.Context, reader io.Reader) (*adapter.InboundCont
},
}).HandshakeContext(ctx)
if clientHello != nil {
- return &adapter.InboundContext{Protocol: C.ProtocolTLS, Domain: clientHello.ServerName}, nil
+ metadata.Protocol = C.ProtocolTLS
+ metadata.Domain = clientHello.ServerName
+ return nil
}
- return nil, err
+ return err
}
diff --git a/constant/protocol.go b/constant/protocol.go
index 915e64ca..8b1854d4 100644
--- a/constant/protocol.go
+++ b/constant/protocol.go
@@ -9,3 +9,11 @@ const (
ProtocolBitTorrent = "bittorrent"
ProtocolDTLS = "dtls"
)
+
+const (
+ ClientChromium = "chromium"
+ ClientSafari = "safari"
+ ClientFirefox = "firefox"
+ ClientQUICGo = "quic-go"
+ ClientUnknown = "unknown"
+)
diff --git a/docs/configuration/route/rule.md b/docs/configuration/route/rule.md
index 23d2bf1b..8e61e51d 100644
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -4,6 +4,7 @@ icon: material/alert-decagram
!!! quote "Changes in sing-box 1.10.0"
+ :material-plus: [client](#client)
:material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
:material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)
@@ -40,6 +41,12 @@ icon: material/alert-decagram
"http",
"quic"
],
+ "client": [
+ "chromium",
+ "safari",
+ "firefox",
+ "quic-go"
+ ],
"domain": [
"test.com"
],
@@ -166,7 +173,13 @@ Username, see each inbound for details.
#### protocol
-Sniffed protocol, see [Sniff](/configuration/route/sniff/) for details.
+Sniffed protocol, see [Protocol Sniff](/configuration/route/sniff/) for details.
+
+#### client
+
+!!! question "Since sing-box 1.10.0"
+
+Sniffed client type, see [Protocol Sniff](/configuration/route/sniff/) for details.
#### network
diff --git a/docs/configuration/route/rule.zh.md b/docs/configuration/route/rule.zh.md
index 52d334f2..68e66cf5 100644
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -4,8 +4,9 @@ icon: material/alert-decagram
!!! quote "sing-box 1.10.0 中的更改"
+ :material-plus: [client](#client)
:material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
- :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)
+ :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)
!!! quote "sing-box 1.8.0 中的更改"
@@ -40,6 +41,12 @@ icon: material/alert-decagram
"http",
"quic"
],
+ "client": [
+ "chromium",
+ "safari",
+ "firefox",
+ "quic-go"
+ ],
"domain": [
"test.com"
],
@@ -166,6 +173,12 @@ icon: material/alert-decagram
探测到的协议, 参阅 [协议探测](/zh/configuration/route/sniff/)。
+#### client
+
+!!! question "自 sing-box 1.10.0 起"
+
+探测到的客户端类型, 参阅 [协议探测](/zh/configuration/route/sniff/)。
+
#### network
`tcp` 或 `udp`。
diff --git a/docs/configuration/route/sniff.md b/docs/configuration/route/sniff.md
index cc9a5c13..ab96e75a 100644
--- a/docs/configuration/route/sniff.md
+++ b/docs/configuration/route/sniff.md
@@ -4,19 +4,28 @@ icon: material/new-box
!!! quote "Changes in sing-box 1.10.0"
- :material-plus: BitTorrent support
+ :material-plus: QUIC client type detect support for QUIC
+ :material-plus: Chromium support for QUIC
+ :material-plus: BitTorrent support
:material-plus: DTLS support
If enabled in the inbound, the protocol and domain name (if present) of by the connection can be sniffed.
#### Supported Protocols
-| Network | Protocol | Domain Name |
-|:-------:|:------------:|:-----------:|
-| TCP | `http` | Host |
-| TCP | `tls` | Server Name |
-| UDP | `quic` | Server Name |
-| UDP | `stun` | / |
-| TCP/UDP | `dns` | / |
-| TCP/UDP | `bittorrent` | / |
-| UDP | `dtls` | / |
+| Network | Protocol | Domain Name | Client |
+|:-------:|:------------:|:-----------:|:----------------:|
+| TCP | `http` | Host | / |
+| TCP | `tls` | Server Name | / |
+| UDP | `quic` | Server Name | QUIC Client Type |
+| UDP | `stun` | / | / |
+| TCP/UDP | `dns` | / | / |
+| TCP/UDP | `bittorrent` | / | / |
+| UDP | `dtls` | / | / |
+
+| QUIC Client | Type |
+|:------------------------:|:----------:|
+| Chromium/Cronet | `chrimium` |
+| Safari/Apple Network API | `safari` |
+| Firefox / uquic firefox | `firefox` |
+| quic-go / uquic chrome | `quic-go` |
\ No newline at end of file
diff --git a/docs/configuration/route/sniff.zh.md b/docs/configuration/route/sniff.zh.md
index 523ed44b..1ebc6d38 100644
--- a/docs/configuration/route/sniff.zh.md
+++ b/docs/configuration/route/sniff.zh.md
@@ -4,19 +4,28 @@ icon: material/new-box
!!! quote "sing-box 1.10.0 中的更改"
- :material-plus: BitTorrent 支持
+ :material-plus: QUIC 的 客户端类型探测支持
+ :material-plus: QUIC 的 Chromium 支持
+ :material-plus: BitTorrent 支持
:material-plus: DTLS 支持
如果在入站中启用,则可以嗅探连接的协议和域名(如果存在)。
#### 支持的协议
-| 网络 | 协议 | 域名 |
-|:-------:|:------------:|:-----------:|
-| TCP | `http` | Host |
-| TCP | `tls` | Server Name |
-| UDP | `quic` | Server Name |
-| UDP | `stun` | / |
-| TCP/UDP | `dns` | / |
-| TCP/UDP | `bittorrent` | / |
-| UDP | `dtls` | / |
+| 网络 | 协议 | 域名 | 客户端 |
+|:-------:|:------------:|:-----------:|:----------:|
+| TCP | `http` | Host | / |
+| TCP | `tls` | Server Name | / |
+| UDP | `quic` | Server Name | QUIC 客户端类型 |
+| UDP | `stun` | / | / |
+| TCP/UDP | `dns` | / | / |
+| TCP/UDP | `bittorrent` | / | / |
+| UDP | `dtls` | / | / |
+
+| QUIC 客户端 | 类型 |
+|:------------------------:|:----------:|
+| Chromium/Cronet | `chrimium` |
+| Safari/Apple Network API | `safari` |
+| Firefox / uquic firefox | `firefox` |
+| quic-go / uquic chrome | `quic-go` |
\ No newline at end of file
diff --git a/go.mod b/go.mod
index af554ea2..0351e4cd 100644
--- a/go.mod
+++ b/go.mod
@@ -45,6 +45,7 @@ require (
go.uber.org/zap v1.27.0
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
golang.org/x/crypto v0.25.0
+ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
golang.org/x/net v0.27.0
golang.org/x/sys v0.22.0
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
@@ -89,7 +90,6 @@ require (
github.com/vishvananda/netns v0.0.4 // indirect
github.com/zeebo/blake3 v0.2.3 // indirect
go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
golang.org/x/mod v0.19.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/text v0.16.0 // indirect
diff --git a/option/rule.go b/option/rule.go
index 74dd13c6..5c69ef00 100644
--- a/option/rule.go
+++ b/option/rule.go
@@ -70,6 +70,7 @@ type _DefaultRule struct {
Network Listable[string] `json:"network,omitempty"`
AuthUser Listable[string] `json:"auth_user,omitempty"`
Protocol Listable[string] `json:"protocol,omitempty"`
+ Client Listable[string] `json:"client,omitempty"`
Domain Listable[string] `json:"domain,omitempty"`
DomainSuffix Listable[string] `json:"domain_suffix,omitempty"`
DomainKeyword Listable[string] `json:"domain_keyword,omitempty"`
diff --git a/route/router.go b/route/router.go
index d8008ea1..dac2f09e 100644
--- a/route/router.go
+++ b/route/router.go
@@ -842,8 +842,9 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
if metadata.InboundOptions.SniffEnabled {
buffer := buf.NewPacket()
- sniffMetadata, err := sniff.PeekStream(
+ err := sniff.PeekStream(
ctx,
+ &metadata,
conn,
buffer,
time.Duration(metadata.InboundOptions.SniffTimeout),
@@ -852,9 +853,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
sniff.HTTPHost,
sniff.BitTorrent,
)
- if sniffMetadata != nil {
- metadata.Protocol = sniffMetadata.Protocol
- metadata.Domain = sniffMetadata.Domain
+ if err == nil {
if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
metadata.Destination = M.Socksaddr{
Fqdn: metadata.Domain,
@@ -866,8 +865,6 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
} else {
r.logger.DebugContext(ctx, "sniffed protocol: ", metadata.Protocol)
}
- } else if err != nil {
- r.logger.TraceContext(ctx, "sniffed no protocol: ", err)
}
if !buffer.IsEmpty() {
conn = bufio.NewCachedConn(conn, buffer)
@@ -968,43 +965,67 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
}*/
if metadata.InboundOptions.SniffEnabled || metadata.Destination.Addr.IsUnspecified() {
- buffer := buf.NewPacket()
- destination, err := conn.ReadPacket(buffer)
- if err != nil {
- buffer.Release()
- return err
- }
- if metadata.Destination.Addr.IsUnspecified() {
- metadata.Destination = destination
- }
- if metadata.InboundOptions.SniffEnabled {
- sniffMetadata, _ := sniff.PeekPacket(
- ctx,
- buffer.Bytes(),
- sniff.DomainNameQuery,
- sniff.QUICClientHello,
- sniff.STUNMessage,
- sniff.UTP,
- sniff.UDPTracker,
- sniff.DTLSRecord,
- )
- if sniffMetadata != nil {
- metadata.Protocol = sniffMetadata.Protocol
- metadata.Domain = sniffMetadata.Domain
- if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
- metadata.Destination = M.Socksaddr{
- Fqdn: metadata.Domain,
- Port: metadata.Destination.Port,
+ var bufferList []*buf.Buffer
+ for {
+ buffer := buf.NewPacket()
+ destination, err := conn.ReadPacket(buffer)
+ if err != nil {
+ buffer.Release()
+ return err
+ }
+ if metadata.Destination.Addr.IsUnspecified() {
+ metadata.Destination = destination
+ }
+ if metadata.InboundOptions.SniffEnabled {
+ if len(bufferList) > 0 {
+ err = sniff.PeekPacket(
+ ctx,
+ &metadata,
+ buffer.Bytes(),
+ sniff.QUICClientHello,
+ )
+ } else {
+ err = sniff.PeekPacket(
+ ctx,
+ &metadata,
+ buffer.Bytes(),
+ sniff.DomainNameQuery,
+ sniff.QUICClientHello,
+ sniff.STUNMessage,
+ sniff.UTP,
+ sniff.UDPTracker,
+ sniff.DTLSRecord,
+ )
+ }
+ if E.IsMulti(err, sniff.ErrClientHelloFragmented) && len(bufferList) == 0 {
+ bufferList = append(bufferList, buffer)
+ r.logger.DebugContext(ctx, "attempt to sniff fragmented QUIC client hello")
+ continue
+ }
+ if metadata.Protocol != "" {
+ if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
+ metadata.Destination = M.Socksaddr{
+ Fqdn: metadata.Domain,
+ Port: metadata.Destination.Port,
+ }
+ }
+ if metadata.Domain != "" && metadata.Client != "" {
+ r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain, ", client: ", metadata.Client)
+ } else if metadata.Domain != "" {
+ r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
+ } else if metadata.Client != "" {
+ r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", client: ", metadata.Client)
+ } else {
+ r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
}
}
- if metadata.Domain != "" {
- r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
- } else {
- r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
- }
}
+ conn = bufio.NewCachedPacketConn(conn, buffer, destination)
+ for _, cachedBuffer := range common.Reverse(bufferList) {
+ conn = bufio.NewCachedPacketConn(conn, cachedBuffer, destination)
+ }
+ break
}
- conn = bufio.NewCachedPacketConn(conn, buffer, destination)
}
if r.dnsReverseMapping != nil && metadata.Domain == "" {
domain, loaded := r.dnsReverseMapping.Query(metadata.Destination.Addr)
diff --git a/route/rule_default.go b/route/rule_default.go
index 53e53bdf..4bbc2b6b 100644
--- a/route/rule_default.go
+++ b/route/rule_default.go
@@ -79,6 +79,11 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
rule.items = append(rule.items, item)
rule.allItems = append(rule.allItems, item)
}
+ if len(options.Client) > 0 {
+ item := NewClientItem(options.Client)
+ rule.items = append(rule.items, item)
+ rule.allItems = append(rule.allItems, item)
+ }
if len(options.Domain) > 0 || len(options.DomainSuffix) > 0 {
item := NewDomainItem(options.Domain, options.DomainSuffix)
rule.destinationAddressItems = append(rule.destinationAddressItems, item)
diff --git a/route/rule_item_client.go b/route/rule_item_client.go
new file mode 100644
index 00000000..eeab4402
--- /dev/null
+++ b/route/rule_item_client.go
@@ -0,0 +1,37 @@
+package route
+
+import (
+ "strings"
+
+ "github.com/sagernet/sing-box/adapter"
+ F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*ClientItem)(nil)
+
+type ClientItem struct {
+ clients []string
+ clientMap map[string]bool
+}
+
+func NewClientItem(clients []string) *ClientItem {
+ clientMap := make(map[string]bool)
+ for _, client := range clients {
+ clientMap[client] = true
+ }
+ return &ClientItem{
+ clients: clients,
+ clientMap: clientMap,
+ }
+}
+
+func (r *ClientItem) Match(metadata *adapter.InboundContext) bool {
+ return r.clientMap[metadata.Client]
+}
+
+func (r *ClientItem) String() string {
+ if len(r.clients) == 1 {
+ return F.ToString("client=", r.clients[0])
+ }
+ return F.ToString("client=[", strings.Join(r.clients, " "), "]")
+}