feat: adding dual stack (#863)

spongebob888 · web-flow · commit 1d2d932334d1 · 2025-07-20T17:38:44.000+10:00
* feat(tproxy): adding dual stack * refactor: remove set_ip_transparent_v6 * fix: add tproxy udp recv orig dst * fix(tproxy): bump unix-udp-socks to fix udp * fix(tproxy): udp packet with wrong src_addr #865 * fix(socks5): udp always associated ipv4 addr * fix(tproxy): ipv6 udp * feat(tproxy): add ip6table script * fix: avoid tproxy lan in iptables script * feat(ipv6): socks5 ipv6 listening * feat(http): dualstack listening * feat(mixed): dualstack listening * fix: fmt and clippy * feat(shadowsocks): dualstack listener * fix: commenting allow-lan for tproxy * fix: not set reuse address causing addr in use * fix: ss udp listener not dualstack * fix: address in use of tproxy udp
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/clash-lib/Cargo.toml b/clash-lib/Cargo.toml
@@ -197,7 +197,7 @@ httpmock = "0.7.0"
 prost-build = "0.14"
 
 [target.'cfg(target_os="linux")'.dependencies]
-unix-udp-sock = { git = "https://github.com/Watfaq/unix-udp-sock.git", rev = "cd3e4eca43e6f3be82a2703c3d711b7e18fbfd18" }
+unix-udp-sock = { git = "https://github.com/Watfaq/unix-udp-sock.git", rev = "847c80b519f0fd8cff5c887ae708429897d08671" }
 
 [target.'cfg(macos)'.dependencies]
 security-framework = "3.2.0"
diff --git a/clash-lib/src/config/internal/config.rs b/clash-lib/src/config/internal/config.rs
@@ -1,7 +1,7 @@
 use std::collections::{HashMap, HashSet};
 
 use std::{
-    net::{IpAddr, Ipv4Addr},
+    net::{IpAddr, Ipv4Addr, Ipv6Addr},
     str::FromStr,
 };
 
@@ -106,6 +106,10 @@ impl BindAddress {
         Self(IpAddr::V4(Ipv4Addr::UNSPECIFIED))
     }
 
+    pub fn dual_stack() -> Self {
+        Self(IpAddr::V6(Ipv6Addr::UNSPECIFIED))
+    }
+
     pub fn local() -> Self {
         Self(IpAddr::V4(Ipv4Addr::LOCALHOST))
     }
@@ -132,6 +136,7 @@ impl<'de> Deserialize<'de> for BindAddress {
         match str.as_str() {
             "*" => Ok(Self(IpAddr::V4(Ipv4Addr::UNSPECIFIED))),
             "localhost" => Ok(Self(IpAddr::from([127, 0, 0, 1]))),
+            "[::]" | "::" => Ok(Self(IpAddr::V6(Ipv6Addr::UNSPECIFIED))),
             _ => {
                 if let Ok(ip) = str.parse::<IpAddr>() {
                     Ok(Self(ip))
@@ -152,6 +157,7 @@ impl FromStr for BindAddress {
         match str {
             "*" => Ok(Self(IpAddr::V4(Ipv4Addr::UNSPECIFIED))),
             "localhost" => Ok(Self(IpAddr::from([127, 0, 0, 1]))),
+            "[::]" | "::" => Ok(Self(IpAddr::V6(Ipv6Addr::UNSPECIFIED))),
             _ => {
                 if let Ok(ip) = str.parse::<IpAddr>() {
                     Ok(Self(ip))
diff --git a/clash-lib/src/proxy/http/inbound/mod.rs b/clash-lib/src/proxy/http/inbound/mod.rs
@@ -5,15 +5,17 @@ mod proxy;
 use crate::{
     Dispatcher,
     common::auth::ThreadSafeAuthenticator,
-    proxy::{inbound::InboundHandlerTrait, utils::apply_tcp_options},
+    proxy::{
+        inbound::InboundHandlerTrait,
+        utils::{ToCanonical, apply_tcp_options, try_create_dualstack_tcplistener},
+    },
 };
 
 pub use proxy::handle as handle_http;
 
 use crate::common::errors::new_io_error;
 use async_trait::async_trait;
 use std::{net::SocketAddr, sync::Arc};
-use tokio::net::TcpListener;
 use tracing::warn;
 
 #[derive(Clone)]
@@ -60,13 +62,15 @@ impl InboundHandlerTrait for HttpInbound {
     }
 
     async fn listen_tcp(&self) -> std::io::Result<()> {
-        let listener = TcpListener::bind(self.addr).await?;
+        let listener = try_create_dualstack_tcplistener(self.addr)?;
 
         loop {
             let (socket, _) = listener.accept().await?;
-            let src_addr = socket.peer_addr()?;
+            let src_addr = socket.peer_addr()?.to_canonical();
 
-            if !self.allow_lan && src_addr.ip() != socket.local_addr()?.ip() {
+            if !self.allow_lan
+                && src_addr.ip() != socket.local_addr()?.ip().to_canonical()
+            {
                 warn!("Connection from {} is not allowed", src_addr);
                 continue;
             }
diff --git a/clash-lib/src/proxy/mixed/mod.rs b/clash-lib/src/proxy/mixed/mod.rs
@@ -1,14 +1,14 @@
 use crate::{
     Dispatcher,
     common::auth::ThreadSafeAuthenticator,
+    proxy::utils::{ToCanonical, try_create_dualstack_tcplistener},
     session::{Network, Session},
 };
 
 use super::{http, inbound::InboundHandlerTrait, socks, utils::apply_tcp_options};
 use crate::common::errors::new_io_error;
 use async_trait::async_trait;
 use std::{net::SocketAddr, sync::Arc};
-use tokio::net::TcpListener;
 use tracing::warn;
 
 pub struct MixedInbound {
@@ -54,7 +54,7 @@ impl InboundHandlerTrait for MixedInbound {
     }
 
     async fn listen_tcp(&self) -> std::io::Result<()> {
-        let listener = TcpListener::bind(self.addr).await?;
+        let listener = try_create_dualstack_tcplistener(self.addr)?;
 
         loop {
             let (socket, _) = match listener.accept().await {
@@ -65,13 +65,15 @@ impl InboundHandlerTrait for MixedInbound {
                 }
             };
             let src_addr = match socket.peer_addr() {
-                Ok(a) => a,
+                Ok(a) => a.to_canonical(),
                 Err(e) => {
                     warn!("failed to get peer address: {:?}", e);
                     continue;
                 }
             };
-            if !self.allow_lan && src_addr.ip() != socket.local_addr()?.ip() {
+            if !self.allow_lan
+                && src_addr.ip() != socket.local_addr()?.ip().to_canonical()
+            {
                 warn!("Connection from {} is not allowed", src_addr);
                 continue;
             }
@@ -101,7 +103,7 @@ impl InboundHandlerTrait for MixedInbound {
                 socks::SOCKS5_VERSION => {
                     let mut sess = Session {
                         network: Network::Tcp,
-                        source: socket.peer_addr()?,
+                        source: socket.peer_addr()?.to_canonical(),
                         so_mark: fw_mark,
                         ..Default::default()
                     };
@@ -118,7 +120,7 @@ impl InboundHandlerTrait for MixedInbound {
                 }
 
                 _ => {
-                    let src = socket.peer_addr()?;
+                    let src = socket.peer_addr()?.to_canonical();
                     let dispatcher = dispatcher.clone();
                     let authenticator = authenticator.clone();
                     tokio::spawn(async move {
diff --git a/clash-lib/src/proxy/shadowsocks/inbound/mod.rs b/clash-lib/src/proxy/shadowsocks/inbound/mod.rs
@@ -6,15 +6,17 @@ use crate::{
     proxy::{
         inbound::InboundHandlerTrait,
         shadowsocks::{inbound::datagram::InboundShadowsocksDatagram, map_cipher},
-        utils::{apply_tcp_options, new_udp_socket},
+        utils::{
+            ToCanonical, apply_tcp_options, new_udp_socket,
+            try_create_dualstack_tcplistener,
+        },
     },
     session::{Network, Session, SocksAddr, Type},
 };
 
 use async_trait::async_trait;
 use shadowsocks::{ProxySocket, context::Context, net::AcceptOpts, relay::Address};
 use std::{net::SocketAddr, sync::Arc};
-use tokio::net::TcpListener;
 use tracing::{debug, warn};
 
 #[derive(Clone)]
@@ -97,7 +99,7 @@ impl InboundHandlerTrait for ShadowsocksInbound {
         //
         // config.set_user_manager(user_manager);
 
-        let listener = TcpListener::bind(self.addr).await?;
+        let listener = try_create_dualstack_tcplistener(self.addr)?;
 
         let ss_listener = shadowsocks::relay::tcprelay::ProxyListener::from_listener(
             context,
@@ -130,7 +132,7 @@ impl InboundHandlerTrait for ShadowsocksInbound {
             if !self.allow_lan
                 && src_addr.ip() != socket.get_ref().local_addr()?.ip()
             {
-                warn!("Connection from {} is not allowed", src_addr);
+                warn!("Connection from {} is not allowed", src_addr.to_canonical());
                 continue;
             }
 
@@ -149,7 +151,7 @@ impl InboundHandlerTrait for ShadowsocksInbound {
             let sess = Session {
                 network: Network::Tcp,
                 typ: Type::Shadowsocks,
-                source: src_addr,
+                source: src_addr.to_canonical(),
                 so_mark: self.fw_mark,
                 destination: match target {
                     Address::SocketAddress(addr) => SocksAddr::Ip(addr),
diff --git a/clash-lib/src/proxy/socks/inbound/mod.rs b/clash-lib/src/proxy/socks/inbound/mod.rs
@@ -4,14 +4,16 @@ mod stream;
 use crate::{
     Dispatcher,
     common::auth::ThreadSafeAuthenticator,
-    proxy::{inbound::InboundHandlerTrait, utils::apply_tcp_options},
+    proxy::{
+        inbound::InboundHandlerTrait,
+        utils::{ToCanonical, apply_tcp_options, try_create_dualstack_tcplistener},
+    },
     session::{Network, Session, Type},
 };
 
 use async_trait::async_trait;
 use std::{net::SocketAddr, sync::Arc};
 pub use stream::handle_tcp;
-use tokio::net::TcpListener;
 use tracing::warn;
 
 use crate::common::errors::new_io_error;
@@ -60,12 +62,14 @@ impl InboundHandlerTrait for SocksInbound {
     }
 
     async fn listen_tcp(&self) -> std::io::Result<()> {
-        let listener = TcpListener::bind(self.addr).await?;
+        let listener = try_create_dualstack_tcplistener(self.addr)?;
 
         loop {
             let (socket, _) = listener.accept().await?;
-            let src_addr = socket.peer_addr()?;
-            if !self.allow_lan && src_addr.ip() != socket.local_addr()?.ip() {
+            let src_addr = socket.peer_addr()?.to_canonical();
+            if !self.allow_lan
+                && src_addr.ip() != socket.local_addr()?.ip().to_canonical()
+            {
                 warn!("Connection from {} is not allowed", src_addr);
                 continue;
             }
@@ -74,7 +78,7 @@ impl InboundHandlerTrait for SocksInbound {
             let mut sess = Session {
                 network: Network::Tcp,
                 typ: Type::Socks5,
-                source: socket.peer_addr()?,
+                source: socket.peer_addr()?.to_canonical(),
                 so_mark: self.fw_mark,
 
                 ..Default::default()
diff --git a/clash-lib/src/proxy/socks/socks5.rs b/clash-lib/src/proxy/socks/socks5.rs
@@ -99,7 +99,11 @@ pub(crate) async fn client_handshake(
     buf.put_u8(command);
     buf.put_u8(0x00);
     if command == socks_command::UDP_ASSOCIATE {
-        let addr = SocksAddr::any_ipv4();
+        let addr = if addr.clone().must_into_socket_addr().is_ipv4() {
+            SocksAddr::any_ipv4()
+        } else {
+            SocksAddr::any_ipv6()
+        };
         addr.write_buf(&mut buf);
     } else {
         addr.write_buf(&mut buf);
diff --git a/clash-lib/src/proxy/tproxy/ip6tables.sh b/clash-lib/src/proxy/tproxy/ip6tables.sh
@@ -0,0 +1,70 @@
+### IPv6 RULES
+
+
+TPROXY_IP=::
+TPROXY_PORT=8900
+
+readonly IPV6_RESERVED_IPADDRS="\
+::/128 \
+::1/128 \
+::ffff:0:0/96 \
+::ffff:0:0:0/96 \
+64:ff9b::/96 \
+100::/64 \
+2001::/32 \
+2001:20::/28 \
+2001:db8::/32 \
+2002::/16 \
+fc00::/7 \
+fe80::/10 \
+ff00::/8 \
+"
+
+## TCP+UDP
+# Strategy Route
+ip -6 rule del fwmark 0x1 table 803
+ip -6 rule add fwmark 0x1 table 803
+ip -6 route del local ::/0 dev lo table 803
+ip -6 route add local ::/0 dev lo table 803
+
+# TPROXY for LAN
+ip6tables -t mangle -N CLASH-TRPOXY
+# Skip LoopBack, Reserved
+for addr in ${IPV6_RESERVED_IPADDRS}; do
+   ip6tables -t mangle -A CLASH-TRPOXY -d "${addr}" -j RETURN
+done
+
+# Bypass LAN data
+ip6tables -t mangle -A CLASH-TRPOXY -m addrtype --dst-type LOCAL -j RETURN
+# Bypass sslocal's outbound data
+ip6tables -t mangle -A CLASH-TRPOXY -m mark --mark 0xff/0xff -j RETURN
+# UDP: TPROXY UDP
+ip6tables -t mangle -A CLASH-TRPOXY -p udp -j TPROXY --on-ip ${TPROXY_IP} --on-port ${TPROXY_PORT} --tproxy-mark 0x01/0x01
+
+# TCP: TPROXY UDP
+ip6tables -t mangle -A CLASH-TRPOXY -p tcp -j TPROXY --on-ip ${TPROXY_IP} --on-port ${TPROXY_PORT} --tproxy-mark 0x01/0x01
+
+# TPROXY for Local
+ip6tables -t mangle -N CLASH-TRPOXY-mark
+# Skip LoopBack, Reserved
+for addr in ${IPV6_RESERVED_IPADDRS}; do
+   ip6tables -t mangle -A CLASH-TRPOXY-mark -d "${addr}" -j RETURN
+done
+
+# TCP: conntrack
+ip6tables -t mangle -A CLASH-TRPOXY-mark -p tcp -m conntrack --ctdir REPLY -j RETURN
+# Bypass sslocal's outbound data
+ip6tables -t mangle -A CLASH-TRPOXY-mark -m mark --mark 0xff/0xff -j RETURN
+ip6tables -t mangle -A CLASH-TRPOXY-mark -m owner --uid-owner root -j RETURN
+# Set MARK and reroute
+ip6tables -t mangle -A CLASH-TRPOXY-mark -p udp -j MARK --set-xmark 0x01/0xffffffff
+ip6tables -t mangle -A CLASH-TRPOXY-mark -p tcp -j MARK --set-xmark 0x01/0xffffffff
+
+# Apply TPROXY to LAN
+ip6tables -t mangle -A PREROUTING -p udp -j CLASH-TRPOXY
+ip6tables -t mangle -A PREROUTING -p tcp -j CLASH-TRPOXY
+#ip6tables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j CLASH-TRPOXY
+# Apply TPROXY for Local
+ip6tables -t mangle -A OUTPUT -p udp -j CLASH-TRPOXY-mark
+ip6tables -t mangle -A OUTPUT -p tcp -j CLASH-TRPOXY-mark
+#ip6tables -t mangle -A OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j CLASH-TRPOXY-mark
diff --git a/clash-lib/src/proxy/tproxy/iptables.sh b/clash-lib/src/proxy/tproxy/iptables.sh
@@ -4,6 +4,7 @@
 readonly LOCAL_BY_PASS="\
 127/8 \
 10/8 \
+192/8
 "
 
 # declare ip as local for tproxy
diff --git a/clash-lib/src/proxy/tproxy/mod.rs b/clash-lib/src/proxy/tproxy/mod.rs
diff --git a/clash-lib/src/proxy/utils/socket_helpers.rs b/clash-lib/src/proxy/utils/socket_helpers.rs

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`readonly LOCAL_BY_PASS="\`
`5`	`5`	`127/8 \`
`6`	`6`	`10/8 \`
	`7`	`+192/8`
`7`	`8`	`"`
`8`	`9`
`9`	`10`	`# declare ip as local for tproxy`