fix(shadowsocks-service): ACL host rule resolved IP check return if matched

zonyitoo · zonyitoo · commit c0361e652222 · 2025-06-12T10:10:09.000+08:00
diff --git a/crates/shadowsocks-service/src/acl/mod.rs b/crates/shadowsocks-service/src/acl/mod.rs
@@ -565,7 +565,13 @@ impl AccessControl {
                 }
                 if let Ok(vaddr) = context.dns_resolve(host, port).await {
                     for addr in vaddr {
-                        if !self.check_ip_in_proxy_list(&addr.ip()) {
+                        let ip = addr.ip();
+                        if self.black_list.check_ip_matched(&ip) {
+                            // If IP is in black_list, it should be bypassed
+                            return false;
+                        }
+                        if self.white_list.check_ip_matched(&ip) {
+                            // If IP is in white_list, it should be proxied
                             return true;
                         }
                     }
@@ -614,9 +620,15 @@ impl AccessControl {
 
                 if let Ok(vaddr) = context.dns_resolve(host, *port).await {
                     for addr in vaddr {
-                        if self.check_outbound_ip_blocked(&addr.ip()) {
+                        let ip = addr.ip();
+                        if self.outbound_block.check_ip_matched(&ip) {
+                            // If IP is in outbound_block, it should be blocked
                             return true;
                         }
+                        if self.outbound_allow.check_ip_matched(&ip) {
+                            // If IP is in outbound_allow, it should be allowed
+                            return false;
+                        }
                     }
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -565,7 +565,13 @@ impl AccessControl {`
`565`	`565`	`}`
`566`	`566`	`if let Ok(vaddr) = context.dns_resolve(host, port).await {`
`567`	`567`	`for addr in vaddr {`
`568`		`- if !self.check_ip_in_proxy_list(&addr.ip()) {`
	`568`	`+ let ip = addr.ip();`
	`569`	`+ if self.black_list.check_ip_matched(&ip) {`
	`570`	`+ // If IP is in black_list, it should be bypassed`
	`571`	`+ return false;`
	`572`	`+ }`
	`573`	`+ if self.white_list.check_ip_matched(&ip) {`
	`574`	`+ // If IP is in white_list, it should be proxied`
`569`	`575`	`return true;`
`570`	`576`	`}`
`571`	`577`	`}`
`@@ -614,9 +620,15 @@ impl AccessControl {`
`614`	`620`
`615`	`621`	`if let Ok(vaddr) = context.dns_resolve(host, *port).await {`
`616`	`622`	`for addr in vaddr {`
`617`		`- if self.check_outbound_ip_blocked(&addr.ip()) {`
	`623`	`+ let ip = addr.ip();`
	`624`	`+ if self.outbound_block.check_ip_matched(&ip) {`
	`625`	`+ // If IP is in outbound_block, it should be blocked`
`618`	`626`	`return true;`
`619`	`627`	`}`
	`628`	`+ if self.outbound_allow.check_ip_matched(&ip) {`
	`629`	`+ // If IP is in outbound_allow, it should be allowed`
	`630`	`+ return false;`
	`631`	`+ }`
`620`	`632`	`}`
`621`	`633`	`}`
`622`	`634`