Giter VIP home page Giter VIP logo

Comments (16)

Ir1Ka avatar Ir1Ka commented on June 14, 2024 1

有没有可能是 gid 不对呢?因为 docker 容器默认情况下(如果我没记错)有自己单独的 uid/gid namespace。

docker 默认情况下没有用独立的 uid/gid namespace。

我在调试过程中注意到 ipt2socks 日志中有如下 log:

ERR: [udp_socks5_recv_udpmessage_cb] bind tproxy reply address: Permission denied

我再注意到我的 docker 配置中,我对 ipt2socks 容器移除了 NET_BIND_SERVICE cap,我尝试加回此权限,然后工作正常了。

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024

当我把 udp 关掉时(tcponly=true),可以正常工作。我可能需要确认我的服务器是否支持 udp。

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024

我通过工具 https://github.com/ezbik/scripts/tree/master/udpchk 测试,我的代理服务器支持 udp。

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

trojan-go 的 socks5 的 udp 实现有问题吧,我看 log 好像意外的关闭了 tcp/1080 上的连接。

另外我记得 trojan-go 支持透明代理传入的呀?

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

因为这个之前测试过 trojan 原版 C++ 写的客户端(开了 udp),是没问题的。

之前有个 issue 和你说的很像,看起来都是 socks5 服务器的 udp 实现有问题。

#51

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

https://datatracker.ietf.org/doc/html/rfc1928

这是 socks5 的 RFC,其中有提到 UDP ASSOCIATE (也就是 udp 代理),有这样一段话:
意思是说,req 中的 dst.addr 和 dst.port 可以是全 0 的,这个本身和代理流程没关系。

The UDP ASSOCIATE request is used to establish an association within
the UDP relay process to handle UDP datagrams. The DST.ADDR and
DST.PORT fields contain the address and port that the client expects
to use to send UDP datagrams on for the association. The server MAY
use this information to limit access to the association. If the
client is not in possesion of the information at the time of the UDP
ASSOCIATE, the client MUST use a port number and address of all
zeros.

然后是这段话:socks5 服务器这边,如果关闭与 UDP ASSOCIATE 请求关联的那个 tcp 连接,则视为“udp代理”的终止信号。这就是 ipt2socks 的 recv unknown msg from socks5 server 的报错来源,因为这表示服务器要终止 udp 代理(但显然不应该,因为 udp 代理才刚开始呢。。)

A UDP association terminates when the TCP connection that the UDP
ASSOCIATE request arrived on terminates.

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

所以这是 trojan-go 的 udp (socks5) 实现不符合 RFC 规范,建议去 trojan-go 报告 issue。

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024

我用原版 trojan-gfw 做,似乎也有相同的问题。
我尝试用 trojan-go 的透明代理模式,但似乎也不工作。😣

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

不应该吧,我自己正在使用 trojan-gfw + ipt2socks,udp 正常。

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

你这三个 docker 容器在同一个宿主机上吗?

有没有试过先把 docker 移除,在宿主机上看看?

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024

是的,三个容器均位于同一个宿主机上,并且均使用 host 网络。
ss-tproxy 使用 tcponly 是可以正常工作的。

接下来我将尝试均直接工作在宿主机上。

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024

trojan-gfw 报了和 trojan-go 上类似的信息(但并不是报错):

trojan-1  | Welcome to trojan 1.16.0
trojan-1  | [2024-04-05 03:52:25] [WARN] trojan service (client) started at 127.0.0.1:1080
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45494 requested UDP associate to 0.0.0.0:0, open UDP socket 127.0.0.1:50742 for relay
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45504 requested UDP associate to 0.0.0.0:0, open UDP socket 127.0.0.1:48627 for relay
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45496 requested UDP associate to 0000:0000:0000:0000:0000:0000:0000:0000:0, open UDP socket 127.0.0.1:60833 for relay
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45512 requested UDP associate to 0000:0000:0000:0000:0000:0000:0000:0000:0, open UDP socket 127.0.0.1:58958 for relay
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45496 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45504 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45494 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45512 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

trojan-gfw 报了和 trojan-go 上类似的信息(但并不是报错):

trojan-1  | Welcome to trojan 1.16.0
trojan-1  | [2024-04-05 03:52:25] [WARN] trojan service (client) started at 127.0.0.1:1080
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45494 requested UDP associate to 0.0.0.0:0, open UDP socket 127.0.0.1:50742 for relay
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45504 requested UDP associate to 0.0.0.0:0, open UDP socket 127.0.0.1:48627 for relay
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45496 requested UDP associate to 0000:0000:0000:0000:0000:0000:0000:0000:0, open UDP socket 127.0.0.1:60833 for relay
trojan-1  | [2024-04-05 03:53:16] [INFO] 127.0.0.1:45512 requested UDP associate to 0000:0000:0000:0000:0000:0000:0000:0000:0, open UDP socket 127.0.0.1:58958 for relay
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45496 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45504 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45494 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds
trojan-1  | [2024-04-05 03:54:26] [INFO] 127.0.0.1:45512 disconnected, 213 bytes received, 69 bytes sent, lasted for 70 seconds

这个是正常的,从日志上看,udp 代理正常运行中。

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024
  • trojan-gfw + ipt2socks + ss-tproxy 全在宿主机上直接运行,看起来是可以工作的。
  • 仅 ss-tproxy 在容器中运行,可以工作。
  • ss-tproxy 和 ipt2socks 在容器中运行,工作异常。
  • ss-tproxy 和 trojan-gfw 在容器中运行,工作正常。

看起来是 ipt2socks 在容器中工作会有异常,或者我的容器或其他配置有问题。

from ipt2socks.

zfl9 avatar zfl9 commented on June 14, 2024

权限问题?操作 tproxy 套接字需要 CAP_NET_ADMIN;

但是看log,应该不是。

而且容器用的 net 都是宿主机的,并没有单独的 namespace,应该也不是这里的问题。

有没有可能是 gid 不对呢?因为 docker 容器默认情况下(如果我没记错)有自己单独的 uid/gid namespace。

from ipt2socks.

Ir1Ka avatar Ir1Ka commented on June 14, 2024

我知道是什么原因了,是我的配置有误,我把 ip2socks 容器的 NET_BIND_SERVICE cap 给移除了。

from ipt2socks.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.