Merge pull request #6 from Sherlock-Holo/ip_in_list_connect_directly

replace whitelist mode with ip_in_list_connect_directly

README.md

@@ -34,7 +34,7 @@ bpf lru map, and send to `lycoris-server`
 `lycoris-server` is a simple proxy server, like [camouflage](https://github.com/Sherlock-Holo/camouflage), trojan or
 something else
 
-## the whitelist/blacklist ip file
+## the ip list file
 
 it just a simple txt like
 
@@ -49,7 +49,7 @@ it just a simple txt like
 - [ ] UDP4 proxy
 - [x] TCP6 proxy
 - [ ] UDP6 proxy
-- [x] whitelist/blacklist ip mode switch
+- [x] ip list filter
 - [x] container proxy
   - need set `container_bridge_listen_addr` and `container_bridge_listen_addr_v6`
   - podman with slirp4netns doesn't need set, it connects tcp outside the container

bpf/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "lycoris-bpf"
-version = "0.2.6"
+version = "0.3.0"
 edition = "2021"
 license = "MIT"
 

bpf/src/cgroup_connect4.rs

@@ -9,7 +9,7 @@ use aya_log_ebpf::debug;
 use crate::command_check::command_can_connect_directly;
 use crate::kernel_binding::require;
 use crate::map::*;
-use crate::{should_proxy, Ipv4Addr};
+use crate::{connect_directly, Ipv4Addr};
 
 /// check connect ipv4 in proxy ipv4 list or not, if in list, save the origin dst ipv4 addr into
 /// DST_IPV4_ADDR_STORE with (cookie, origin_dst_ipv4_addr), otherwise let it connect directly
@@ -37,18 +37,18 @@ pub fn handle_cgroup_connect4(ctx: SockAddrContext) -> Result<(), c_long> {
     let user_ip4 = user_ip4_u32.to_be_bytes();
     let key = Key::new(32, user_ip4);
 
-    let is_blacklist_mode = match PROXY_IPV4_LIST_MODE.get(0) {
+    let in_list_connect_directly = match PROXY_LIST_MODE.get(0) {
         None => {
-            debug!(&ctx, "get proxy ipv4 list mode failed");
+            debug!(&ctx, "get proxy list mode failed");
 
             return Err(0);
         }
 
-        Some(mode) => *mode == BLACKLIST_MODE,
+        Some(mode) => *mode == CONNECT_DIRECTLY_MODE,
     };
 
     let in_list = PROXY_IPV4_LIST.get(&key).copied().unwrap_or(0) > 0;
-    if !should_proxy(is_blacklist_mode, in_list) {
+    if connect_directly(in_list_connect_directly, in_list) {
         debug!(&ctx, "{:i} is direct connect ip", user_ip4_u32);
 
         return Ok(());

bpf/src/cgroup_connect6.rs

@@ -10,7 +10,7 @@ use aya_log_ebpf::debug;
 use crate::command_check::command_can_connect_directly;
 use crate::kernel_binding::require;
 use crate::map::*;
-use crate::{u16_ipv6_to_u8_ipv6, Ipv6Addr};
+use crate::{connect_directly, u16_ipv6_to_u8_ipv6, Ipv6Addr};
 
 /// check connect ipv6 in proxy ipv6 list or not, if in list, save the origin dst ipv6 addr into
 /// DST_IPV6_ADDR_STORE with (cookie, origin_dst_ipv6_addr), otherwise let it connect directly
@@ -38,19 +38,19 @@ pub fn handle_cgroup_connect6(ctx: SockAddrContext) -> Result<(), c_long> {
     let user_ipv6_octets = u16_ipv6_to_u8_ipv6(user_ipv6);
     let key = Key::new(128, user_ipv6);
 
-    let is_blacklist_mode = match PROXY_IPV4_LIST_MODE.get(0) {
+    let in_list_connect_directly = match PROXY_LIST_MODE.get(0) {
         None => {
-            debug!(&ctx, "get proxy ipv6 list mode failed");
+            debug!(&ctx, "get proxy list mode failed");
 
             return Err(0);
         }
 
-        Some(mode) => *mode == BLACKLIST_MODE,
+        Some(mode) => *mode == CONNECT_DIRECTLY_MODE,
     };
 
     let in_list = PROXY_IPV6_LIST.get(&key).copied().unwrap_or(0) > 0;
-    if !crate::should_proxy(is_blacklist_mode, in_list) {
-        // debug!(&ctx, "{:ipv6} is direct connect ip", user_ipv6_octets);
+    if connect_directly(in_list_connect_directly, in_list) {
+        debug!(&ctx, "{:i} is direct connect ip", user_ipv6_octets);
 
         return Ok(());
     }

bpf/src/lib.rs

@@ -50,12 +50,8 @@ pub struct Ipv6Addr {
 }
 
 #[inline]
-fn should_proxy(is_blacklist_mode: bool, in_list: bool) -> bool {
-    if is_blacklist_mode {
-        in_list
-    } else {
-        !in_list
-    }
+fn connect_directly(in_list_connect_directly: bool, in_list: bool) -> bool {
+    in_list_connect_directly && in_list
 }
 
 #[inline]

bpf/src/map/mod.rs

@@ -32,13 +32,15 @@ pub static PROXY_IPV4_LIST: LpmTrie<[u8; 4], u8> =
 pub static PROXY_IPV6_LIST: LpmTrie<[u16; 8], u8> =
     LpmTrie::with_max_entries(65535, BPF_F_NO_PREALLOC);
 
-/// proxy ipv4 list mode, 0 is blacklist mode, 1 is whitelist mode
-/// when blacklist mode, the dst ip in list will be proxy
-/// when whitelist mode, the dst ip in list will not be proxy
+/// proxy [`PROXY_IPV4_LIST`] and [`PROXY_IPV6_LIST`] list mode
+///
+/// `0` means the dst ip in list will connect directly
+///
+/// `1` means the dst ip in list will not be proxy
 #[map]
-pub static PROXY_IPV4_LIST_MODE: Array<u8> = Array::with_max_entries(1, 0);
+pub static PROXY_LIST_MODE: Array<u8> = Array::with_max_entries(1, 0);
 
-pub const BLACKLIST_MODE: u8 = 0;
+pub const CONNECT_DIRECTLY_MODE: u8 = 0;
 
 /// only has 1 element
 #[map]

client/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "lycoris-client"
-version = "0.2.6"
+version = "0.3.0"
 edition = "2021"
 license = "MIT"
 rust-version = "1.75"

client/example.yaml

@@ -8,7 +8,7 @@ ca_cert: example/ca.cert
 token_secret: test
 token_header: x-token
 cgroup_path: /sys/fs/cgroup
-blacklist_mode: false
+ip_in_list_directly: true
 ip_list:
   - file1
   - file2

client/src/bpf_map_name.rs

@@ -4,7 +4,7 @@ pub const IPV6_ADDR_MAP: &str = "IPV6_ADDR_MAP";
 pub const PROXY_IPV4_LIST: &str = "PROXY_IPV4_LIST";
 pub const PROXY_IPV6_LIST: &str = "PROXY_IPV6_LIST";
 
-pub const PROXY_IPV4_LIST_MODE: &str = "PROXY_IPV4_LIST_MODE";
+pub const PROXY_LIST_MODE: &str = "PROXY_LIST_MODE";
 pub const PROXY_IPV4_CLIENT: &str = "PROXY_IPV4_CLIENT";
 pub const PROXY_IPV6_CLIENT: &str = "PROXY_IPV6_CLIENT";
 

client/src/config.rs

@@ -15,8 +15,8 @@ pub struct Config {
     pub token_secret: String,
     pub token_header: String,
     pub cgroup_path: PathBuf,
-    #[serde(default = "default_blacklist_mode")]
-    pub blacklist_mode: bool,
+    #[serde(default = "default_ip_in_list_directly")]
+    pub ip_in_list_directly: bool,
     #[serde(default)]
     pub command_list: Vec<String>,
     #[serde(default = "default_command_in_list_directly")]
@@ -41,6 +41,6 @@ const fn default_command_in_list_directly() -> bool {
     true
 }
 
-const fn default_blacklist_mode() -> bool {
+const fn default_ip_in_list_directly() -> bool {
     true
 }

client/src/lib.rs

@@ -83,19 +83,19 @@ async fn run_bpf(args: Args, config: Config) -> anyhow::Result<()> {
 
     info!("set target ip done");
 
-    set_proxy_ip_list_mode(&mut bpf, config.blacklist_mode)?;
+    set_proxy_ip_list_mode(&mut bpf, config.ip_in_list_directly)?;
     set_command_list(
         &mut bpf,
         config.command_list,
         config.command_in_list_directly,
     )?;
 
-    if !config.blacklist_mode {
+    if config.ip_in_list_directly {
         append_remote_ip_list(&mut bpf, &remote_domain_ips)?;
     }
 
     info!(
-        blacklist_mode = config.blacklist_mode,
+        ip_in_list_directly = config.ip_in_list_directly,
         "set proxy ip list mode done"
     );
 
@@ -414,15 +414,15 @@ fn append_remote_ip_list(bpf: &mut Bpf, remote_domain_ip: &[IpAddr]) -> anyhow::
     Ok(())
 }
 
-fn set_proxy_ip_list_mode(bpf: &mut Bpf, blacklist_mode: bool) -> anyhow::Result<()> {
-    let mut proxy_ipv4_list_mode: Array<_, u8> = bpf
-        .map_mut(PROXY_IPV4_LIST_MODE)
-        .expect("PROXY_IPV4_LIST_MODE not found")
+fn set_proxy_ip_list_mode(bpf: &mut Bpf, ip_in_list_directly: bool) -> anyhow::Result<()> {
+    let mut proxy_list_mode: Array<_, u8> = bpf
+        .map_mut(PROXY_LIST_MODE)
+        .expect("PROXY_LIST_MODE not found")
         .try_into()?;
 
-    let mode = if blacklist_mode { 0 } else { 1 };
+    let mode = if ip_in_list_directly { 0 } else { 1 };
 
-    proxy_ipv4_list_mode.set(0, mode, 0)?;
+    proxy_list_mode.set(0, mode, 0)?;
 
     Ok(())
 }

client/tests/proxy.rs

@@ -69,7 +69,7 @@ async fn main() {
     init_bpf_log(&mut bpf);
 
     set_proxy_addr(&mut bpf, listen_addr, listen_addr_v6);
-    set_proxy_ip_list_blacklist_mode(&mut bpf);
+    set_proxy_ip_list_mode(&mut bpf);
     load_target_ip(&mut bpf);
 
     let _connect4_link = load_connect4(&mut bpf, Path::new(CGROUP_PATH)).await;
@@ -308,14 +308,14 @@ fn set_proxy_addr(bpf: &mut Bpf, addr: SocketAddrV4, addr_v6: SocketAddrV6) {
     v6_proxy_server.set(0, proxy_addr, 0).unwrap();
 }
 
-fn set_proxy_ip_list_blacklist_mode(bpf: &mut Bpf) {
+fn set_proxy_ip_list_mode(bpf: &mut Bpf) {
     let mut proxy_ipv4_list_mode: Array<_, u8> = bpf
-        .map_mut(PROXY_IPV4_LIST_MODE)
-        .expect("PROXY_IPV4_LIST_MODE not found")
+        .map_mut(PROXY_LIST_MODE)
+        .expect("PROXY_LIST_MODE not found")
         .try_into()
         .unwrap();
 
-    proxy_ipv4_list_mode.set(0, 0u8, 0).unwrap();
+    proxy_ipv4_list_mode.set(0, 1u8, 0).unwrap();
 }
 
 fn init_bpf_log(bpf: &mut Bpf) {

client/tests/proxy_v6.rs

@@ -69,7 +69,7 @@ async fn main() {
     init_bpf_log(&mut bpf);
 
     set_proxy_addr(&mut bpf, listen_addr, listen_addr_v6);
-    set_proxy_ip_list_blacklist_mode(&mut bpf);
+    set_proxy_ip_list_mode(&mut bpf);
     load_target_ip(&mut bpf);
 
     let _connect6_link = load_connect6(&mut bpf, Path::new(CGROUP_PATH)).await;
@@ -306,14 +306,14 @@ fn set_proxy_addr(bpf: &mut Bpf, addr: SocketAddrV4, addr_v6: SocketAddrV6) {
     v6_proxy_server.set(0, proxy_addr, 0).unwrap();
 }
 
-fn set_proxy_ip_list_blacklist_mode(bpf: &mut Bpf) {
+fn set_proxy_ip_list_mode(bpf: &mut Bpf) {
     let mut proxy_ipv4_list_mode: Array<_, u8> = bpf
-        .map_mut(PROXY_IPV4_LIST_MODE)
-        .expect("PROXY_IPV4_LIST_MODE not found")
+        .map_mut(PROXY_LIST_MODE)
+        .expect("PROXY_LIST_MODE not found")
         .try_into()
         .unwrap();
 
-    proxy_ipv4_list_mode.set(0, 0u8, 0).unwrap();
+    proxy_ipv4_list_mode.set(0, 1u8, 0).unwrap();
 }
 
 fn init_bpf_log(bpf: &mut Bpf) {

server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "lycoris-server"
-version = "0.2.6"
+version = "0.3.0"
 edition = "2021"
 license = "MIT"