Skip to content

header custom & fix dialerProxy with finalmask/udp #5657

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
LjhAUMEM wants to merge 11 commits into
base: main
Choose a base branch
from
Open

header custom & fix dialerProxy with finalmask/udp #5657

LjhAUMEM wants to merge 11 commits into from
+1,111 −134

Conversation

@LjhAUMEM
Copy link
Contributor

@LjhAUMEM LjhAUMEM commented Feb 5, 2026
edited
Loading

tcp/udp 的 header-custom 与修复伪装层下的 sockopt dialerProxy

tcp header-custom 配置

clients: 二维十进制字节数组,客户端将会发送的数据,与 servers 遵循一发一收
servers: 二维十进制字节数组,服务端将会发送的数据,与 clients 遵循一收一发
errors: 仅服务端,二维十进制字节数组,任一 clients 过来的数据不对时返回的数据,没有对应 clients 将不会触发

udp header-custom 配置

client: 十进制字节数组,客户端每个 udp 包头
server: 十进制字节数组,服务端每个 udp 包头

tcp/udp header-custom 目前只支持固定字节验证

tcp 的 header-custom clients 与 servers 不必数量对应
clients 如果没有要发送的将会直接接收剩下的
servers 如果没有要接收的将会直接发送剩下的

一个伪装 ssh banner 的例子,对应 SSH-2.0-OpenSSH_10.0p2 Debian-7\r\n

"finalmask": {
  "tcp": [
    {
      "type": "header-custom",
      "settings": {
        "clients": [],
        "servers": [
          [83,83,72,45,50,46,48,45,79,112,101,110,83,83,72,95,49,48,46,48,112,50,32,68,101,98,105,97,110,45,55,13,10]
        ]
      }
    }
  ]
}

伪装 socks5 user pass 代理 example.com

"finalmask": {
  "tcp": [
    {
      "type": "header-custom",
      "settings": {
        "clients": [
		  [5,1,2],
		  [1,4,117,115,101,114,4,112,97,115,115],
		  [5,1,0,3,11,101,120,97,109,112,108,101,46,99,111,109,1,187]
		],
        "servers": [
          [5,2],
		  [1,0],
		  [5,0,0,1,0,0,0,0,0,0]
        ]
      }
    }
  ]
}

对应 hex

05 01 02

05 02

01 04 75 73 65 72 04 70 61 73 73

01 00

05 01 00 03 0b 65 78 61 6d 70 6c 65 2e 63 6f 6d 01 bb

05 00 00 01 00 00 00 00 00 00

go 的 json 对字节数组好像原生支持 base64 解析,不确定,可以试试

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 5, 2026

还没测试

@RPRX
Copy link
Member

RPRX commented Feb 5, 2026

盲猜 Splice 啥的会炸,新版先不包含这个吧,这俩又不急,设计还可以再讨论下

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 6, 2026
edited
Loading

盲猜 Splice 啥的会炸

tcp 那个吗,确实有点问题,流式的可能多次 read 才收到对端完整的一次 write

关于 Splice 那就给 tcpmask 多加个解包接口可以给 UnwrapRawConn 使用应该可以

感觉修复 dialerProxy 那个应该没啥问题,是不是应该放另一个 pr

@MoRanYue
Copy link

MoRanYue commented Feb 6, 2026

header-*mkcp-*先前仅支持mKCP,改为“伪装层”后,是否能够应用于WIreGuard、Hysteria2呢?)

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 6, 2026

header-*mkcp-*先前仅支持mKCP,改为“伪装层”后,是否能够应用于WIreGuard、Hysteria2呢?)

已经可以了,只是无法搭配 dialerProxy,这个 pr 应该修复了

@RPRX
Copy link
Member

RPRX commented Feb 6, 2026

Finalmask 加 dialer-proxy 的话有点用但不多,不过 header-custom 可玩性较高,我想想

@RPRX
Copy link
Member

RPRX commented Feb 6, 2026

先不包含吧,不然搞出问题的话又要发版

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 6, 2026

先不包含吧,不然搞出问题的话又要发版

嗯,我也只测试了 dialerProxy 部分,那两个 header 还没有,tryunwrappermask 也没加

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 6, 2026

看了下 Splice 对于出站只需要读方向的 raw conn,对于入站只需要写方向的 raw conn,而 header-custom 和 fragment 都满足这一要求,所以可以直接默认 tcpmask 支持解 wrap

简单测试了下 tcp header-custom 以及有无 tcpmask 的 splice 下的行为和之前一样

明天再测下 udp 的 header-custom 以及 conn 清理细节方面应该就可以了 还要顺便说明下 tcp header,其实可以 clients 不填只填 servers 伪装个 ssh banner

睡觉

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 9, 2026
edited
Loading

改了下,去掉 OnCloseHeaderError,增加 ServersError,可选在不同 clients 位置过来的数据不对时回应的不同错误

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LjhAUMEM @RPRX @MoRanYue