Comments (16)
Could the gid be wrong? Because Docker containers by default (if I remember correctly) have their own separate uid/gid namespace.
Docker does not use a separate uid/gid namespace by default.

While debugging I noticed the following line in the ipt2socks log:
ERR: [udp_socks5_recv_udpmessage_cb] bind tproxy reply address: Permission denied
I then noticed that in my Docker configuration I had removed the NET_BIND_SERVICE cap from the ipt2socks container. I tried adding that permission back, and then it worked normally.

When I turn UDP off (tcponly=true) it works normally. I may need to confirm whether my server supports UDP.

I tested with the tool https://github.com/ezbik/scripts/tree/master/udpchk; my proxy server does support UDP.

trojan-go's SOCKS5 UDP implementation is probably buggy; from the log it looks like it unexpectedly closes the connection on tcp/1080.
Also, as I recall, trojan-go supports transparent proxy input itself, doesn't it?

Because I tested this earlier with the original trojan client written in C++ (with UDP enabled), and it had no problems.
There was an earlier issue very similar to what you describe; in both cases it looked like the SOCKS5 server's UDP implementation was at fault.

https://datatracker.ietf.org/doc/html/rfc1928
This is the SOCKS5 RFC. It mentions UDP ASSOCIATE (that is, UDP proxying) and contains this passage:
The UDP ASSOCIATE request is used to establish an association within
the UDP relay process to handle UDP datagrams. The DST.ADDR and
DST.PORT fields contain the address and port that the client expects
to use to send UDP datagrams on for the association. The server MAY
use this information to limit access to the association. If the
client is not in possession of the information at the time of the UDP
ASSOCIATE, the client MUST use a port number and address of all
zeros.
What it means is that DST.ADDR and DST.PORT in the request may be all zeros; this by itself has nothing to do with the proxying flow.
Then there is this passage:
A UDP association terminates when the TCP connection that the UDP
ASSOCIATE request arrived on terminates.
On the SOCKS5 server side, closing the TCP connection associated with the UDP ASSOCIATE request is taken as the termination signal for the "UDP proxy". This is where ipt2socks's "recv unknown msg from socks5 server" error comes from, because it means the server wants to terminate the UDP proxying (which it obviously should not, since the UDP proxying has only just begun...).

So this is trojan-go's UDP (SOCKS5) implementation not conforming to the RFC; I suggest reporting an issue to trojan-go.

With the original trojan-gfw it seems to have the same problem.
I tried trojan-go's transparent proxy mode, but that does not seem to work either. 😣

That should not be the case; I am using trojan-gfw + ipt2socks myself and UDP works normally.

Are your three Docker containers on the same host?
Have you tried taking Docker out of the picture and testing directly on the host?

Yes, all three containers are on the same host, and all of them use host networking.
ss-tproxy works normally with tcponly.
Next I will try running all of them directly on the host.

trojan-gfw reports messages similar to those from trojan-go (but they are not errors):
trojan-1 | Welcome to trojan 1.16.0
trojan-1 | [2024-04-05 03:52:25] [WARN] trojan service (client) started at 127.0.0.1:1080
trojan-1 | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45494 requested UDP associate to 0.0.0.0:0, open UDP socket 127.0.0.1:50742 for relay
trojan-1 | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45504 requested UDP associate to 0.0.0.0:0, open UDP socket 127.0.0.1:48627 for relay
trojan-1 | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45496 requested UDP associate to 0000:0000:0000:0000:0000:0000:0000:0000:0, open UDP socket 127.0.0.1:60833 for relay
trojan-1 | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45512 requested UDP associate to 0000:0000:0000:0000:0000:0000:0000:0000:0, open UDP socket 127.0.0.1:58958 for relay
trojan-1 | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45496 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1 | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45504 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1 | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45494 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1 | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45512 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds

This is normal; judging from the log, the UDP proxy is running correctly.

- trojan-gfw + ipt2socks + ss-tproxy all running directly on the host: appears to work.
- Only ss-tproxy running in a container: works.
- ss-tproxy and ipt2socks running in containers: does not work properly.
- ss-tproxy and trojan-gfw running in containers: works normally.
It looks like ipt2socks misbehaves when run in a container, or there is something wrong with my container or other configuration.

A permission problem? Operating a tproxy socket requires CAP_NET_ADMIN;
but judging from the log, probably not.
Also, the containers use the host's network and have no separate namespace, so that should not be the problem either.
Could the gid be wrong? Because Docker containers by default (if I remember correctly) have their own separate uid/gid namespace.

I know the cause now: my configuration was wrong. I had removed the NET_BIND_SERVICE cap from the ipt2socks container.

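An added check for the capability problem the thread ends on; it is not ipt2socks code. Judging from the log line "bind tproxy reply address: Permission denied", the failing step is binding the UDP reply socket to the original destination (for example 8.8.8.8:53) with IP_TRANSPARENT so that the reply appears to come from there. Two capabilities are involved: setting IP_TRANSPARENT needs CAP_NET_ADMIN (the one named earlier in the thread; recent kernels may also accept CAP_NET_RAW for it), and binding a port below net.ipv4.ip_unprivileged_port_start (1024 by default) additionally needs CAP_NET_BIND_SERVICE, which is what the reporter's cap-drop removed. The two masks are constructed for illustration: Docker's stock capability set, and a variant with NET_ADMIN added and NET_BIND_SERVICE dropped. `probe_tproxy_bind` attempts the real operation against a documentation address and reports which step fails.

```python
"""Decode a Linux capability mask and check the two capabilities the ipt2socks
UDP reply path needs.  Added example, not ipt2socks code."""
import errno
import socket

# Kernel capability numbers 0..40 (include/uapi/linux/capability.h).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid "
             "setuid setpcap linux_immutable net_bind_service net_broadcast "
             "net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio "
             "sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
             "sys_resource sys_time sys_tty_config mknod lease audit_write "
             "audit_control setfcap mac_override mac_admin syslog wake_alarm "
             "block_suspend audit_read perfmon bpf checkpoint_restore").split()

# Constructed masks for illustration (not taken from the reporter's host):
DOCKER_DEFAULT_CAPS = "00000000a80425fb"   # Docker's stock set, no NET_ADMIN
REPORTER_LIKE_CAPS = "00000000a80431fb"    # +NET_ADMIN, -NET_BIND_SERVICE


def decode_caps(mask_hex):
    """Turn a CapEff/CapBnd hex mask (as in /proc/<pid>/status) into cap names."""
    mask = int(mask_hex, 16)
    return {("cap_" + CAP_NAMES[i]) if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}


def missing_tproxy_reply_caps(mask_hex, reply_port, unprivileged_port_start=1024):
    """Capabilities still missing for bind()ing a reply socket with IP_TRANSPARENT
    to <original destination>:<reply_port>.  IP_TRANSPARENT needs CAP_NET_ADMIN;
    a port below net.ipv4.ip_unprivileged_port_start needs CAP_NET_BIND_SERVICE."""
    have = decode_caps(mask_hex)
    need = ["cap_net_admin"]
    if reply_port < unprivileged_port_start:
        need.append("cap_net_bind_service")
    return [c for c in need if c not in have]


def read_effective_caps(pid="self"):
    """CapEff of a process from /proc, or None when /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        return None
    return None


def probe_tproxy_bind(host="192.0.2.1", port=53):
    """Try the operation the ipt2socks log complained about and report which
    step fails: 'ok', 'setsockopt:<ERRNO>' or 'bind:<ERRNO>'."""
    ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)  # Linux-only option
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        try:
            s.setsockopt(socket.IPPROTO_IP, ip_transparent, 1)
        except OSError as e:
            return "setsockopt:" + errno.errorcode.get(e.errno, str(e.errno))
        try:
            s.bind((host, port))  # non-local address: only works with IP_TRANSPARENT
        except OSError as e:
            return "bind:" + errno.errorcode.get(e.errno, str(e.errno))
        return "ok"
    finally:
        s.close()


if __name__ == "__main__":
    for label, mask in (("docker default", DOCKER_DEFAULT_CAPS),
                        ("reporter-like", REPORTER_LIKE_CAPS)):
        print(label, "missing for DNS replies:", missing_tproxy_reply_caps(mask, 53))
    print("this process CapEff:", read_effective_caps(), "probe:", probe_tproxy_bind())
```

Run it inside the ipt2socks container (or pass the ipt2socks PID to `read_effective_caps` on the host) and compare with `grep CapEff /proc/<pid>/status`; with the reporter-like mask the missing capability for port 53 is exactly NET_BIND_SERVICE, while a reply port of 8080 needs no extra capability, which matches UDP breaking only for low-port destinations such as DNS.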