d5fd62aa47
Translate all Chinese comments in the relay handler package to English: handler.go, connect.go, bind.go, forward.go, conn.go, entrypoint.go, observe.go, metadata.go. All inline and doc comments are now in English. Also set a persistent preference: all future code comments must be written in English only.
309 lines
8.7 KiB
Go
309 lines
8.7 KiB
Go
package relay
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"errors"
|
|
"io"
|
|
"net"
|
|
"time"
|
|
|
|
"github.com/go-gost/core/bypass"
|
|
"github.com/go-gost/core/limiter"
|
|
"github.com/go-gost/core/logger"
|
|
"github.com/go-gost/core/observer/stats"
|
|
"github.com/go-gost/relay"
|
|
xbypass "github.com/go-gost/x/bypass"
|
|
xctx "github.com/go-gost/x/ctx"
|
|
ictx "github.com/go-gost/x/internal/ctx"
|
|
xnet "github.com/go-gost/x/internal/net"
|
|
serial "github.com/go-gost/x/internal/util/serial"
|
|
"github.com/go-gost/x/internal/util/sniffing"
|
|
traffic_wrapper "github.com/go-gost/x/limiter/traffic/wrapper"
|
|
stats_wrapper "github.com/go-gost/x/observer/stats/wrapper"
|
|
xrecorder "github.com/go-gost/x/recorder"
|
|
)
|
|
|
|
// handleConnect processes a relay CmdConnect request.
|
|
//
|
|
// This is the core function of the relay handler: the client connects to a
|
|
// target address through the relay.
|
|
//
|
|
// Data flow:
|
|
//
|
|
// handleConnect()
|
|
// ├─ 1. Clean address (unix/serial special handling)
|
|
// ├─ 2. Wrap traffic limiter + stats
|
|
// ├─ 3. Check target address is non-empty
|
|
// ├─ 4. Bypass check
|
|
// ├─ 5. Set consistent-hashing source (e.g. "host")
|
|
// ├─ 6. Dial by network type:
|
|
// │ ├─ "unix" → net.Dialer.DialContext("unix")
|
|
// │ ├─ "serial" → serial.OpenPort()
|
|
// │ └─ other → h.options.Router.Dial() ← chain routing
|
|
// ├─ 7. Send response header (noDelay controls timing)
|
|
// │ ├─ noDelay=true → write relay.Response immediately
|
|
// │ └─ noDelay=false → buffer in wbuf, merged with first data packet
|
|
// ├─ 8. Wrap connection by network type:
|
|
// │ ├─ UDP → udpConn (2-byte length prefix)
|
|
// │ └─ TCP → tcpConn (passthrough)
|
|
// ├─ 9. Optional protocol sniffing:
|
|
// │ ├─ HTTP → sniffer.HandleHTTP()
|
|
// │ ├─ TLS → sniffer.HandleTLS()
|
|
// │ └─ other → continue to step 10
|
|
// └─ 10. xnet.Pipe() bidir copy (client ↔ target)
|
|
//
|
|
// Key design decisions:
|
|
// - noDelay: low-latency mode sends each write as an independent relay frame.
|
|
// Without it, the relay response header is merged with the first data packet.
|
|
// - Sniffing reads the first few bytes after connection to detect the protocol.
|
|
// HTTP/TLS traffic can be MITM-decrypted or recorded.
|
|
// - Route info (node chain) is recorded via ictx.ContextWithBuffer into ro.Route.
|
|
func (h *relayHandler) handleConnect(ctx context.Context, conn net.Conn, network, address string, ro *xrecorder.HandlerRecorderObject, log logger.Logger) (err error) {
|
|
if network == "unix" || network == "serial" {
|
|
if host, _, _ := net.SplitHostPort(address); host != "" {
|
|
address = host
|
|
}
|
|
}
|
|
|
|
log = log.WithFields(map[string]any{
|
|
"dst": address,
|
|
"cmd": "connect",
|
|
"host": address,
|
|
})
|
|
|
|
log.Debugf("%s >> %s/%s", conn.RemoteAddr(), address, network)
|
|
|
|
// --- Traffic limiter + stats wrapper ---
|
|
// clientID is used as the key for traffic limiting and stats collection.
|
|
{
|
|
clientID := xctx.ClientIDFromContext(ctx)
|
|
rw := traffic_wrapper.WrapReadWriter(
|
|
h.limiter,
|
|
conn,
|
|
string(clientID),
|
|
limiter.ScopeOption(limiter.ScopeClient),
|
|
limiter.ServiceOption(h.options.Service),
|
|
limiter.NetworkOption(network),
|
|
limiter.AddrOption(address),
|
|
limiter.ClientOption(string(clientID)),
|
|
limiter.SrcOption(conn.RemoteAddr().String()),
|
|
)
|
|
if h.options.Observer != nil {
|
|
pstats := h.stats.Stats(string(clientID))
|
|
pstats.Add(stats.KindTotalConns, 1)
|
|
pstats.Add(stats.KindCurrentConns, 1)
|
|
defer pstats.Add(stats.KindCurrentConns, -1)
|
|
rw = stats_wrapper.WrapReadWriter(rw, pstats)
|
|
}
|
|
|
|
conn = xnet.NewReadWriteConn(rw, rw, conn)
|
|
}
|
|
|
|
resp := relay.Response{
|
|
Version: relay.Version1,
|
|
Status: relay.StatusOK,
|
|
}
|
|
|
|
if address == "" {
|
|
resp.Status = relay.StatusBadRequest
|
|
resp.WriteTo(conn)
|
|
err = errors.New("target not specified")
|
|
log.Error(err)
|
|
return
|
|
}
|
|
|
|
// Bypass check — if the target is in the bypass list, return Forbidden
|
|
if h.options.Bypass != nil && h.options.Bypass.Contains(ctx, network, address, bypass.WithService(h.options.Service)) {
|
|
log.Debug("bypass: ", address)
|
|
resp.Status = relay.StatusForbidden
|
|
resp.WriteTo(conn)
|
|
return xbypass.ErrBypass
|
|
}
|
|
|
|
// Consistent hashing — used for sticky sessions across upstream nodes
|
|
switch h.md.hash {
|
|
case "host":
|
|
ctx = xctx.ContextWithHash(ctx, &xctx.Hash{Source: address})
|
|
}
|
|
|
|
// --- Dial to target ---
|
|
var cc net.Conn
|
|
switch network {
|
|
case "unix":
|
|
cc, err = (&net.Dialer{}).DialContext(ctx, "unix", address)
|
|
case "serial":
|
|
var port io.ReadWriteCloser
|
|
port, err = serial.OpenPort(serial.ParseConfigFromAddr(address))
|
|
if err == nil {
|
|
cc = &serialConn{
|
|
ReadWriteCloser: port,
|
|
port: address,
|
|
}
|
|
}
|
|
default:
|
|
var buf bytes.Buffer
|
|
cc, err = h.options.Router.Dial(ictx.ContextWithBuffer(ctx, &buf), network, address)
|
|
ro.Route = buf.String()
|
|
}
|
|
if err != nil {
|
|
resp.Status = relay.StatusNetworkUnreachable
|
|
resp.WriteTo(conn)
|
|
return err
|
|
}
|
|
defer cc.Close()
|
|
|
|
log = log.WithFields(map[string]any{"src": cc.LocalAddr().String(), "dst": cc.RemoteAddr().String()})
|
|
ro.SrcAddr = cc.LocalAddr().String()
|
|
ro.DstAddr = cc.RemoteAddr().String()
|
|
|
|
// --- Send relay response header ---
|
|
if h.md.noDelay {
|
|
if _, err := resp.WriteTo(conn); err != nil {
|
|
log.Error(err)
|
|
return err
|
|
}
|
|
}
|
|
|
|
// --- Wrap connection by network type ---
|
|
// UDP connections use a 2-byte length prefix for datagram framing.
|
|
// TCP connections pass data through directly.
|
|
switch network {
|
|
case "udp", "udp4", "udp6":
|
|
rc := &udpConn{
|
|
Conn: conn,
|
|
}
|
|
if !h.md.noDelay {
|
|
// 缓存响应头,与第一个数据包合并发送
|
|
if _, err := resp.WriteTo(&rc.wbuf); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
conn = rc
|
|
default:
|
|
if !h.md.noDelay {
|
|
rc := &tcpConn{
|
|
Conn: conn,
|
|
}
|
|
// 缓存响应头,与第一个数据包合并发送
|
|
if _, err := resp.WriteTo(&rc.wbuf); err != nil {
|
|
return err
|
|
}
|
|
conn = rc
|
|
}
|
|
}
|
|
|
|
// --- Optional protocol sniffing ---
|
|
// After connection establishment, sniff the first bytes of client traffic
|
|
// to detect HTTP or TLS. When detected, MITM decryption can be applied.
|
|
if h.md.sniffing {
|
|
if h.md.sniffingTimeout > 0 {
|
|
conn.SetReadDeadline(time.Now().Add(h.md.sniffingTimeout))
|
|
}
|
|
|
|
br := bufio.NewReader(conn)
|
|
proto, _ := sniffing.Sniff(ctx, br)
|
|
ro.Proto = proto
|
|
|
|
if h.md.sniffingTimeout > 0 {
|
|
conn.SetReadDeadline(time.Time{})
|
|
}
|
|
|
|
dial := func(ctx context.Context, network, address string) (net.Conn, error) {
|
|
return cc, nil
|
|
}
|
|
dialTLS := func(ctx context.Context, network, address string, cfg *tls.Config) (net.Conn, error) {
|
|
return cc, nil
|
|
}
|
|
sniffer := &sniffing.Sniffer{
|
|
Websocket: h.md.sniffingWebsocket,
|
|
WebsocketSampleRate: h.md.sniffingWebsocketSampleRate,
|
|
Recorder: h.recorder.Recorder,
|
|
RecorderOptions: h.recorder.Options,
|
|
Certificate: h.md.certificate,
|
|
PrivateKey: h.md.privateKey,
|
|
NegotiatedProtocol: h.md.alpn,
|
|
CertPool: h.certPool,
|
|
MitmBypass: h.md.mitmBypass,
|
|
ReadTimeout: h.md.readTimeout,
|
|
}
|
|
|
|
conn = xnet.NewReadWriteConn(br, conn, conn)
|
|
switch proto {
|
|
case sniffing.ProtoHTTP:
|
|
return sniffer.HandleHTTP(ctx, "tcp", conn,
|
|
sniffing.WithService(h.options.Service),
|
|
sniffing.WithDial(dial),
|
|
sniffing.WithDialTLS(dialTLS),
|
|
sniffing.WithRecorderObject(ro),
|
|
sniffing.WithLog(log),
|
|
)
|
|
case sniffing.ProtoTLS:
|
|
return sniffer.HandleTLS(ctx, "tcp", conn,
|
|
sniffing.WithService(h.options.Service),
|
|
sniffing.WithDial(dial),
|
|
sniffing.WithDialTLS(dialTLS),
|
|
sniffing.WithRecorderObject(ro),
|
|
sniffing.WithLog(log),
|
|
)
|
|
}
|
|
}
|
|
|
|
// --- 双向数据拷贝 ---
|
|
t := time.Now()
|
|
log.Infof("%s <-> %s", conn.RemoteAddr(), address)
|
|
xnet.Pipe(ctx, conn, cc)
|
|
log.WithFields(map[string]any{
|
|
"duration": time.Since(t),
|
|
}).Infof("%s >-< %s", conn.RemoteAddr(), address)
|
|
|
|
return nil
|
|
}
|
|
|
|
// serialConn wraps a serial port connection as net.Conn.
|
|
// Serial ports have no network addresses, so LocalAddr/RemoteAddr return
|
|
// custom serialAddr values. Deadline methods are no-ops since serial
|
|
// ports do not support deadlines.
|
|
type serialConn struct {
|
|
io.ReadWriteCloser
|
|
port string
|
|
}
|
|
|
|
func (c *serialConn) LocalAddr() net.Addr {
|
|
return &serialAddr{
|
|
port: "@",
|
|
}
|
|
}
|
|
|
|
func (c *serialConn) RemoteAddr() net.Addr {
|
|
return &serialAddr{
|
|
port: c.port,
|
|
}
|
|
}
|
|
|
|
func (c *serialConn) SetDeadline(t time.Time) error {
|
|
return nil
|
|
}
|
|
|
|
func (c *serialConn) SetReadDeadline(t time.Time) error {
|
|
return nil
|
|
}
|
|
|
|
func (c *serialConn) SetWriteDeadline(t time.Time) error {
|
|
return nil
|
|
}
|
|
|
|
// serialAddr is the address type for a serial port connection.
|
|
type serialAddr struct {
|
|
port string
|
|
}
|
|
|
|
func (a *serialAddr) Network() string {
|
|
return "serial"
|
|
}
|
|
|
|
func (a *serialAddr) String() string {
|
|
return a.port
|
|
} |