fix: fake ips should not be passed to ACL rules (#2029)

ACL rules are likely not written for fake IPs. One of the major selling point of using the `fake-dns` feature is to be able to make use of ACL rules that are based on domain names instead of purely IP addresses. Passing fake IPs to ACL nullifies this benefit, which is likely not expected from users. Closes #2028
2026-02-09 01:59:16 +08:00 · 2025-10-12 14:21:05 +08:00
parent f058ccb522
commit e2ffb9c50e
1 changed files with 9 additions and 1 deletions
--- a/crates/shadowsocks-service/src/local/net/tcp/auto_proxy_stream.rs
+++ b/crates/shadowsocks-service/src/local/net/tcp/auto_proxy_stream.rs
@@ -8,6 +8,7 @@ use std::{
    task::{self, Poll},
 };

+use log::trace;
 use pin_project::pin_project;
 use shadowsocks::{
    net::{ConnectOpts, TcpStream},
@@ -49,10 +50,17 @@ impl AutoProxyClientStream {
    where
        A: Into<Address>,
    {
-        let addr = addr.into();
+        #[cfg_attr(not(feature = "local-fake-dns"), allow(unused_mut))]
+        let mut addr = addr.into();
+        #[cfg(feature = "local-fake-dns")]
+        if let Some(mapped_addr) = context.try_map_fake_address(&addr).await {
+            addr = mapped_addr;
+        }
        if context.check_target_bypassed(&addr).await {
+            trace!("Bypassing target address {addr}");
            Self::connect_bypassed_with_opts(context, addr, opts).await
        } else {
+            trace!("Proxying target address {addr}");
            Self::connect_proxied_with_opts(context, server, addr, opts).await
        }
    }