allow loopback src address in listener (#1730)

2026-05-13 17:35:37 +00:00 · 2026-01-01 00:41:56 +08:00
parent 7c563153ae
commit 4e651a72f7
7 changed files with 99 additions and 52 deletions
@@ -507,6 +507,15 @@ impl KcpProxyDst {
            Some(dst_socket.ip()) == global_ctx.get_ipv4().map(|ip| IpAddr::V4(ip.address()));

        if send_to_self && global_ctx.no_tun() {
+            if global_ctx.is_port_in_running_listeners(dst_socket.port(), false)
+                && global_ctx.is_ip_in_same_network(&src_ip)
+            {
+                return Err(anyhow::anyhow!(
+                    "dst socket {:?} is in running listeners, ignore it",
+                    dst_socket
+                )
+                .into());
+            }
            dst_socket = format!("127.0.0.1:{}", dst_socket.port()).parse().unwrap();
        }

@@ -416,6 +416,15 @@ impl QUICProxyDst {

        let send_to_self = Some(*dst_socket.ip()) == ctx.get_ipv4().map(|ip| ip.address());
        if send_to_self && ctx.no_tun() {
+            if ctx.is_port_in_running_listeners(dst_socket.port(), false)
+                && ctx.is_ip_in_same_network(&src_ip)
+            {
+                return Err(anyhow::anyhow!(
+                    "dst socket {:?} is in running listeners, ignore it",
+                    dst_socket
+                )
+                .into());
+            }
            dst_socket = format!("127.0.0.1:{}", dst_socket.port()).parse().unwrap();
        }

@@ -733,6 +733,18 @@ impl<C: NatDstConnector> TcpProxy<C> {
        let nat_dst = if Some(nat_entry.real_dst.ip())
            == global_ctx.get_ipv4().map(|ip| IpAddr::V4(ip.address()))
        {
+            if global_ctx.is_port_in_running_listeners(nat_entry.real_dst.port(), false)
+                && global_ctx.is_ip_in_same_network(&nat_entry.src.ip())
+            {
+                tracing::error!(
+                    ?nat_entry,
+                    "nat dst port {} is in running listeners, ignore it",
+                    nat_entry.real_dst.port()
+                );
+                nat_entry.state.store(NatDstEntryState::Closed);
+                Self::remove_entry_from_all_conn_map(conn_map, addr_conn_map, nat_entry);
+                return;
+            }
            format!("127.0.0.1:{}", nat_entry.real_dst.port())
                .parse()
                .unwrap()
@@ -298,6 +298,30 @@ impl UdpProxy {
            udp::UdpPacket::new(ipv4.payload())?
        };

+        // TODO: should it be async.
+        let dst_socket = if Some(ipv4.get_destination())
+            == self.global_ctx.get_ipv4().as_ref().map(Ipv4Inet::address)
+        {
+            if self
+                .global_ctx
+                .is_port_in_running_listeners(udp_packet.get_destination(), true)
+                && self
+                    .global_ctx
+                    .is_ip_in_same_network(&std::net::IpAddr::V4(ipv4.get_source()))
+            {
+                tracing::debug!(
+                    dst_port = udp_packet.get_destination(),
+                    "dst socket is in running listeners, ignore it"
+                );
+                return Some(());
+            }
+            format!("127.0.0.1:{}", udp_packet.get_destination())
+                .parse()
+                .unwrap()
+        } else {
+            SocketAddr::new(real_dst_ip.into(), udp_packet.get_destination())
+        };
+
        tracing::trace!(
            ?packet,
            ?ipv4,
@@ -339,17 +363,6 @@ impl UdpProxy {

        nat_entry.mark_active();

-        // TODO: should it be async.
-        let dst_socket = if Some(ipv4.get_destination())
-            == self.global_ctx.get_ipv4().as_ref().map(Ipv4Inet::address)
-        {
-            format!("127.0.0.1:{}", udp_packet.get_destination())
-                .parse()
-                .unwrap()
-        } else {
-            SocketAddr::new(real_dst_ip.into(), udp_packet.get_destination())
-        };
-
        let send_ret = {
            let _g = self.global_ctx.net_ns.guard();
            nat_entry