- selector.go: Select() now only returns methods the client actually offered,
defaulting to MethodNoAcceptable (0xFF) when no mutually-supported method
exists. Prevents protocol desync when authenticator is set but client
doesn't offer UserPass. (#1, #2)
- connect.go: CONNECT success reply now carries the outbound connection's
actual local address as BND.ADDR per RFC 1928 §6, instead of 0.0.0.0:0. (#4)
- udp.go: UDP ASSOCIATE now verifies the upstream chain is reachable before
sending Success to the client; on failure sends a proper Failure reply.
Also adds safe type assertions for net.TCPAddr and net.UDPAddr to prevent
panics on wrapped connections, and returns errors on DNS resolution failure
instead of silently dropping datagrams. (#5, #1, #2, #3)
When sniffing is enabled, the sniffer extracts the real domain from HTTP
Host header or TLS SNI and checks bypass rules against it. However, most
handlers were not passing WithBypass(...) to the sniffer, so the sniffer
internal bypass check was always skipped.
Additionally, the TLS-to-HTTP fallback paths in internal util sniffer
and forwarder also omitted bypass when constructing options for the
recursive HandleHTTP call after decrypting TLS.
Add WithBypass to all sniffer call sites that were missing it across
handlers (http, relay, socks4, socks5, ss, sshd, unix) and internal
TLS fallback paths.
Also fix import ordering in handler/http/connect.go.
Fixesgo-gost/gost#874