
On macOS, sing-box's gVisor stack cannot handle HTTP/3 requests made by cURL

Open nekolsd opened this issue 2 years ago • 7 comments

Operating system

macOS

System version

Ventura 13.5 (22G74)

Installation type

sing-box original command-line program

If you are using a graphical client, please provide its version.

No response

Version

sing-box version unknown

Environment: go1.21.0 darwin/amd64
Tags: with_clash_api,with_quic,with_utls,with_gvisor,with_ech
Revision: b8a4125034a94bddf23f9982abaaec5bd0d36ee6
CGO: disabled

Description

When the TUN inbound is enabled with the gVisor or mixed stack selected, sing-box seems unable to correctly handle HTTP/3 requests made by cURL (built with quiche). cURL's verbose output is:

* processing: https://223.5.5.5/dns-query
*   Trying 223.5.5.5:443...
*  CAfile: /etc/ssl/cert.pem
*  CApath: none

However, UDP traffic from other programs, such as DNS over HTTP/3 and DNS over QUIC queries made by q, or UDP tests run by iPerf3, is handled normally. With the system stack, or with TUN disabled, the problem disappears.

Steps to reproduce

  1. Clone the sing-box repository and switch to the dev-next branch.
  2. Build sing-box, making sure the with_quic and with_gvisor build tags are set.
  3. Create a new configuration file with the following contents:
{
  "route": {
    "auto_detect_interface": true
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "inet4_address": "172.19.0.1/30",
      "stack": "gvisor",
      "auto_route": true,
      "strict_route": true,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ]
}
  4. Run sing-box with that configuration file under administrator privileges.
  5. Build the quiche variant of cURL.
  6. Make an HTTP/3 request with that cURL, for example:
curl https://223.5.5.5/dns-query --http3-only -vvv
  7. Observe whether the request is handled normally.

Logs

+0800 2023-08-16 06:25:11 INFO router: updated default interface en0, index 6
+0800 2023-08-16 06:25:11 INFO inbound/tun[tun-in]: started at utun3
+0800 2023-08-16 06:25:11 INFO sing-box started (0.11s)
+0800 2023-08-16 06:25:23 INFO [414081248 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:54646
+0800 2023-08-16 06:25:23 INFO [414081248 0ms] inbound/tun[tun-in]: inbound packet connection to 223.5.5.5:443
+0800 2023-08-16 06:25:23 DEBUG [414081248 0ms] router: sniffed packet protocol: quic, domain: 223.5.5.5
+0800 2023-08-16 06:25:23 INFO [414081248 0ms] outbound/direct[direct]: outbound packet connection
+0800 2023-08-16 06:25:53 DEBUG [414081248 30.0s] inbound/tun[tun-in]: connection closed: upload: read udp 223.5.5.5:443: i/o timeout | upstream: context canceled | download: raw-read udp [::]:53325: use of closed network connection

nekolsd avatar Aug 15 '23 22:08 nekolsd

Tested: the same problem also occurs on Linux.

gvisor.json

{
  "log": {
    "level": "trace"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.18.0.1/30",
      "inet6_address": "fdfe:ddba:9876::1/126",
      "stack": "gvisor",
      "auto_route": false,
      "strict_route": false,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct",
      "connect_timeout": "2m"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "rules": [
      {
        "geosite": "category-ads-all",
        "outbound": "block"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true
  }
}
$ sudo ./sing-box -D $(pwd)/sing-box-gvisor -c $(pwd)/gvisor.json run                      
INFO[0000] router: loaded geosite database: 1419 codes
INFO[0000] router: updated default interface wlp1s0, index 2
TRACE[0000] initializing inbound/tun[tun-in]
TRACE[0000] inbound/tun[tun-in]: opening interface
TRACE[0000] inbound/tun[tun-in]: creating stack
TRACE[0000] inbound/tun[tun-in]: starting stack
INFO[0000] inbound/tun[tun-in]: started at tun0
INFO[0000] sing-box started (0.11s)
INFO[0057] [92880587 0ms] inbound/tun[tun-in]: inbound connection from 172.18.0.1:57700
INFO[0057] [92880587 0ms] inbound/tun[tun-in]: inbound connection to 192.168.10.10:5201
TRACE[0057] [92880587 301ms] router: sniffed no protocol: unexpected EOF | tls: first record does not look like a TLS handshake | malformed HTTP request "kweacptpp5em4dsmk3spxrdoxkqd3poffwj2\x00"
INFO[0057] [92880587 301ms] outbound/direct[direct]: outbound connection to 192.168.10.10:5201
INFO[0057] [1881687587 0ms] inbound/tun[tun-in]: inbound packet connection from 172.18.0.1:52417
INFO[0057] [1881687587 0ms] inbound/tun[tun-in]: inbound packet connection to 192.168.10.10:5201
INFO[0057] [1881687587 0ms] outbound/direct[direct]: outbound packet connection
INFO[0173] [3687228157 0ms] inbound/tun[tun-in]: inbound packet connection from 172.18.0.1:55032
INFO[0173] [3687228157 0ms] inbound/tun[tun-in]: inbound packet connection to 104.16.123.96:443
DEBUG[0173] [3687228157 0ms] router: sniffed packet protocol: quic, domain: www.cloudflare.com
INFO[0173] [3687228157 0ms] outbound/direct[direct]: outbound packet connection
INFO[0188] [1888618396 0ms] inbound/tun[tun-in]: inbound packet connection from 172.18.0.1:59126
INFO[0188] [1888618396 0ms] inbound/tun[tun-in]: inbound packet connection to 104.16.124.96:443
DEBUG[0188] [1888618396 0ms] router: sniffed packet protocol: quic, domain: www.cloudflare.com
INFO[0188] [1888618396 0ms] outbound/direct[direct]: outbound packet connection
DEBUG[0203] [3687228157 30.1s] inbound/tun[tun-in]: connection closed: upload: read udp 104.16.123.96:443: i/o timeout | upstream: context canceled | download: raw-read udp [::]:52992: use of closed network connection
DEBUG[0218] [1888618396 30.0s] inbound/tun[tun-in]: connection closed: upload: read udp 104.16.124.96:443: i/o timeout | upstream: context canceled | download: raw-read udp [::]:57247: use of closed network connection
$ iperf3 --bind-dev tun0 -c 192.168.10.10 -u
Connecting to host 192.168.10.10, port 5201
[  5] local 172.18.0.1 port 52417 connected to 192.168.10.10 port 5201
[ ID] Interval           Transfer     Bitrate         Total Datagrams
[  5]   0.00-1.00   sec   131 KBytes  1.07 Mbits/sec  15  
[  5]   1.00-2.00   sec   131 KBytes  1.07 Mbits/sec  15  
[  5]   2.00-3.00   sec   122 KBytes  1.00 Mbits/sec  14  
[  5]   3.00-4.00   sec   131 KBytes  1.07 Mbits/sec  15  
[  5]   4.00-5.00   sec   131 KBytes  1.07 Mbits/sec  15  
[  5]   5.00-6.00   sec   122 KBytes  1.00 Mbits/sec  14  
[  5]   6.00-7.00   sec   131 KBytes  1.07 Mbits/sec  15  
[  5]   7.00-8.00   sec   131 KBytes  1.07 Mbits/sec  15  
[  5]   8.00-9.00   sec   122 KBytes  1.00 Mbits/sec  14  
[  5]   9.00-10.00  sec   131 KBytes  1.07 Mbits/sec  15  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/147 (0%)  sender
[  5]   0.00-10.10  sec  1.25 MBytes  1.04 Mbits/sec  0.484 ms  0/147 (0%)  receiver

iperf Done.

$ curl3 -vs -o /dev/null -4 --http3-only --interface tun0 --connect-timeout 30 https://www.cloudflare.com
* processing: https://www.cloudflare.com
*   Trying 104.16.123.96:443...
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* ipv4 connect timeout after 14572ms, move on!
*   Trying 104.16.124.96:443...
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* Connection timeout after 30000 ms
* Closing connection

yingziwu avatar Aug 25 '23 13:08 yingziwu
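To make the pattern in these logs easier to spot in a longer trace, here is a small Go program, added here as an illustration (it is not part of sing-box and was not posted by anyone in this thread), that groups sing-box log lines by connection id and lists the UDP flows that were sniffed as QUIC and then closed on an i/o timeout. That is what happens to the quiche-built cURL in both the macOS log in the issue body and the Linux log yingziwu posted above, while the iperf3 UDP flow in the same log never closes that way. The sample lines embedded in the program are copied from that Linux log; the only assumption about the log format is the `[<id> <elapsed>]` bracket that both log layouts on this page share.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample log lines, copied from the Linux sing-box trace posted in this issue.
const sampleLog = `INFO[0000] inbound/tun[tun-in]: started at tun0
INFO[0057] [92880587 0ms] inbound/tun[tun-in]: inbound connection from 172.18.0.1:57700
INFO[0057] [92880587 0ms] inbound/tun[tun-in]: inbound connection to 192.168.10.10:5201
TRACE[0057] [92880587 301ms] router: sniffed no protocol: unexpected EOF | tls: first record does not look like a TLS handshake | malformed HTTP request "kweacptpp5em4dsmk3spxrdoxkqd3poffwj2\x00"
INFO[0057] [92880587 301ms] outbound/direct[direct]: outbound connection to 192.168.10.10:5201
INFO[0057] [1881687587 0ms] inbound/tun[tun-in]: inbound packet connection from 172.18.0.1:52417
INFO[0057] [1881687587 0ms] inbound/tun[tun-in]: inbound packet connection to 192.168.10.10:5201
INFO[0057] [1881687587 0ms] outbound/direct[direct]: outbound packet connection
INFO[0173] [3687228157 0ms] inbound/tun[tun-in]: inbound packet connection from 172.18.0.1:55032
INFO[0173] [3687228157 0ms] inbound/tun[tun-in]: inbound packet connection to 104.16.123.96:443
DEBUG[0173] [3687228157 0ms] router: sniffed packet protocol: quic, domain: www.cloudflare.com
INFO[0173] [3687228157 0ms] outbound/direct[direct]: outbound packet connection
INFO[0188] [1888618396 0ms] inbound/tun[tun-in]: inbound packet connection from 172.18.0.1:59126
INFO[0188] [1888618396 0ms] inbound/tun[tun-in]: inbound packet connection to 104.16.124.96:443
DEBUG[0188] [1888618396 0ms] router: sniffed packet protocol: quic, domain: www.cloudflare.com
INFO[0188] [1888618396 0ms] outbound/direct[direct]: outbound packet connection
DEBUG[0203] [3687228157 30.1s] inbound/tun[tun-in]: connection closed: upload: read udp 104.16.123.96:443: i/o timeout | upstream: context canceled | download: raw-read udp [::]:52992: use of closed network connection
DEBUG[0218] [1888618396 30.0s] inbound/tun[tun-in]: connection closed: upload: read udp 104.16.124.96:443: i/o timeout | upstream: context canceled | download: raw-read udp [::]:57247: use of closed network connection
`

// flow is one sing-box connection as reconstructed from its log lines.
type flow struct {
	ID       string // numeric connection id from "[<id> <elapsed>]"
	Dest     string // destination host:port from "inbound ... connection to"
	Packet   bool   // true for UDP ("packet connection"), false for TCP
	Protocol string // protocol from "sniffed packet protocol: ...", if any
	Closed   string // text after "connection closed: ", if a close was logged
	Elapsed  string // elapsed time shown on the close line
}

// lineRE matches the "[<id> <elapsed>] <message>" part that both log layouts
// on the page share; the level/timestamp prefix before it is ignored.
var lineRE = regexp.MustCompile(`\[(\d+) ([0-9.]+(?:ms|s))\] (.*)$`)

// ParseFlows groups log lines by connection id, in first-seen order. Lines
// without an id (startup messages) are skipped.
func ParseFlows(log string) []*flow {
	byID := map[string]*flow{}
	var order []*flow
	for _, line := range strings.Split(log, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		id, elapsed, msg := m[1], m[2], m[3]
		f, ok := byID[id]
		if !ok {
			f = &flow{ID: id}
			byID[id] = f
			order = append(order, f)
		}
		switch {
		case strings.Contains(msg, "inbound packet connection to "):
			_, f.Dest, _ = strings.Cut(msg, "inbound packet connection to ")
			f.Packet = true
		case strings.Contains(msg, "inbound connection to "):
			_, f.Dest, _ = strings.Cut(msg, "inbound connection to ")
		case strings.Contains(msg, "sniffed packet protocol: "):
			_, rest, _ := strings.Cut(msg, "sniffed packet protocol: ")
			f.Protocol = strings.TrimSpace(strings.SplitN(rest, ",", 2)[0])
		case strings.Contains(msg, "connection closed: "):
			_, f.Closed, _ = strings.Cut(msg, "connection closed: ")
			f.Elapsed = elapsed
		}
	}
	return order
}

// StalledQUICFlows returns the UDP flows that were sniffed as QUIC and then
// closed on an "i/o timeout": the handshake never completed within the
// 30 s window, which is the failure mode the issue describes.
func StalledQUICFlows(log string) []*flow {
	var out []*flow
	for _, f := range ParseFlows(log) {
		if f.Packet && f.Protocol == "quic" && strings.Contains(f.Closed, "i/o timeout") {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range StalledQUICFlows(sampleLog) {
		fmt.Printf("conn %s to %s: QUIC, closed after %s: %s\n", f.ID, f.Dest, f.Elapsed, f.Closed)
	}
}
```

On the sample above it reports the two www.cloudflare.com flows and nothing for the iperf3 UDP flow, which matches what the thread observes. To use it on a real run, capture a trace-level log to a file and read it in place of `sampleLog`; comparing the list against a run of the same request with `"stack": "system"` isolates the flows whose behaviour depends on the gVisor stack.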

On Linux with TUN and a non-gVisor stack, nslookup xxx.com works, but after specifying a DNS server, nslookup xxx.com 1.1.1.1 times out. Not sure whether this is the same class of problem.

everyx avatar Sep 21 '23 03:09 everyx

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Nov 21 '23 01:11 github-actions[bot]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Feb 20 '24 01:02 github-actions[bot]

Ran into this problem as well.

iKira avatar Mar 03 '24 06:03 iKira

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar May 03 '24 01:05 github-actions[bot]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jul 09 '24 01:07 github-actions[bot]