feat(shadowsocks): reject UDP packet > MTU

- Setting `udp_mtu` to limits inbound, outbound MTU
shadowsocks · Dec 25, 2023 · f379042 · f379042
1 parent 2cf5c7e
commit f379042
Show file tree

Hide file tree

Showing 9 changed files with 201 additions and 20 deletions.
diff --git a/crates/shadowsocks-service/src/config.rs b/crates/shadowsocks-service/src/config.rs
@@ -158,6 +158,8 @@ struct SSConfig {
     udp_timeout: Option<u64>,
     #[serde(skip_serializing_if = "Option::is_none")]
     udp_max_associations: Option<usize>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    udp_mtu: Option<usize>,
 
     #[serde(skip_serializing_if = "Option::is_none", alias = "shadowsocks")]
     servers: Option<Vec<SSServerExtConfig>>,
@@ -1228,6 +1230,10 @@ pub struct Config {
     pub udp_timeout: Option<Duration>,
     /// Maximum number of UDP Associations, default is unconfigured
     pub udp_max_associations: Option<usize>,
+    /// Maximum Transmission Unit (MTU) size for UDP packets
+    /// 65535 by default. Suggestion: 1500
+    /// NOTE: mtu includes IP header, UDP header, UDP payload
+    pub udp_mtu: Option<usize>,
 
     /// ACL configuration (Global)
     ///
@@ -1353,6 +1359,7 @@ impl Config {
 
             udp_timeout: None,
             udp_max_associations: None,
+            udp_mtu: None,
 
             acl: None,
 
@@ -2056,6 +2063,9 @@ impl Config {
         // Maximum associations to be kept simultaneously
         nconfig.udp_max_associations = config.udp_max_associations;
 
+        // MTU for UDP
+        nconfig.udp_mtu = config.udp_mtu;
+
         // RLIMIT_NOFILE
         #[cfg(all(unix, not(target_os = "android")))]
         {
@@ -2764,6 +2774,8 @@ impl fmt::Display for Config {
 
         jconf.udp_max_associations = self.udp_max_associations;
 
+        jconf.udp_mtu = self.udp_mtu;
+
         #[cfg(all(unix, not(target_os = "android")))]
         {
             jconf.nofile = self.nofile;

diff --git a/crates/shadowsocks-service/src/local/http/http_stream.rs b/crates/shadowsocks-service/src/local/http/http_stream.rs
@@ -64,8 +64,7 @@ impl ProxyHttpStream {
         use once_cell::sync::Lazy;
         use std::sync::Arc;
         use tokio_rustls::{
-            rustls::pki_types::ServerName,
-            rustls::{ClientConfig, RootCertStore},
+            rustls::{pki_types::ServerName, ClientConfig, RootCertStore},
             TlsConnector,
         };
 

diff --git a/crates/shadowsocks-service/src/local/http/server.rs b/crates/shadowsocks-service/src/local/http/server.rs
@@ -13,7 +13,9 @@ use tokio::{
 };
 
 use crate::local::{
-    context::ServiceContext, loadbalancing::PingBalancer, net::tcp::listener::create_standard_tcp_listener,
+    context::ServiceContext,
+    loadbalancing::PingBalancer,
+    net::tcp::listener::create_standard_tcp_listener,
 };
 
 use super::{http_client::HttpClient, http_service::HttpService, tokio_rt::TokioIo};

diff --git a/crates/shadowsocks-service/src/local/mod.rs b/crates/shadowsocks-service/src/local/mod.rs
@@ -151,6 +151,7 @@ impl Server {
         connect_opts.tcp.fastopen = config.fast_open;
         connect_opts.tcp.keepalive = config.keep_alive.or(Some(LOCAL_DEFAULT_KEEPALIVE_TIMEOUT));
         connect_opts.tcp.mptcp = config.mptcp;
+        connect_opts.udp.mtu = config.udp_mtu;
         context.set_connect_opts(connect_opts);
 
         let mut accept_opts = AcceptOpts {
@@ -163,6 +164,7 @@ impl Server {
         accept_opts.tcp.fastopen = config.fast_open;
         accept_opts.tcp.keepalive = config.keep_alive.or(Some(LOCAL_DEFAULT_KEEPALIVE_TIMEOUT));
         accept_opts.tcp.mptcp = config.mptcp;
+        accept_opts.udp.mtu = config.udp_mtu;
         context.set_accept_opts(accept_opts);
 
         if let Some(resolver) = build_dns_resolver(

diff --git a/crates/shadowsocks-service/src/local/socks/server/server.rs b/crates/shadowsocks-service/src/local/socks/server/server.rs
@@ -7,7 +7,9 @@ use tokio::{net::TcpStream, time};
 #[cfg(feature = "local-http")]
 use crate::local::http::HttpConnectionHandler;
 use crate::local::{
-    context::ServiceContext, loadbalancing::PingBalancer, net::tcp::listener::create_standard_tcp_listener,
+    context::ServiceContext,
+    loadbalancing::PingBalancer,
+    net::tcp::listener::create_standard_tcp_listener,
     socks::config::Socks5AuthConfig,
 };
 

diff --git a/crates/shadowsocks-service/src/manager/mod.rs b/crates/shadowsocks-service/src/manager/mod.rs
@@ -52,6 +52,7 @@ pub async fn run(config: Config) -> io::Result<()> {
     connect_opts.tcp.fastopen = config.fast_open;
     connect_opts.tcp.keepalive = config.keep_alive.or(Some(SERVER_DEFAULT_KEEPALIVE_TIMEOUT));
     connect_opts.tcp.mptcp = config.mptcp;
+    connect_opts.udp.mtu = config.udp_mtu;
 
     let mut accept_opts = AcceptOpts {
         ipv6_only: config.ipv6_only,
@@ -63,6 +64,7 @@ pub async fn run(config: Config) -> io::Result<()> {
     accept_opts.tcp.fastopen = config.fast_open;
     accept_opts.tcp.keepalive = config.keep_alive.or(Some(SERVER_DEFAULT_KEEPALIVE_TIMEOUT));
     accept_opts.tcp.mptcp = config.mptcp;
+    accept_opts.udp.mtu = config.udp_mtu;
 
     if let Some(resolver) =
         build_dns_resolver(config.dns, config.ipv6_first, config.dns_cache_size, &connect_opts).await

diff --git a/crates/shadowsocks-service/src/server/mod.rs b/crates/shadowsocks-service/src/server/mod.rs
@@ -83,6 +83,7 @@ pub async fn run(config: Config) -> io::Result<()> {
     connect_opts.tcp.fastopen = config.fast_open;
     connect_opts.tcp.keepalive = config.keep_alive.or(Some(SERVER_DEFAULT_KEEPALIVE_TIMEOUT));
     connect_opts.tcp.mptcp = config.mptcp;
+    connect_opts.udp.mtu = config.udp_mtu;
 
     let mut accept_opts = AcceptOpts {
         ipv6_only: config.ipv6_only,
@@ -94,6 +95,7 @@ pub async fn run(config: Config) -> io::Result<()> {
     accept_opts.tcp.fastopen = config.fast_open;
     accept_opts.tcp.keepalive = config.keep_alive.or(Some(SERVER_DEFAULT_KEEPALIVE_TIMEOUT));
     accept_opts.tcp.mptcp = config.mptcp;
+    accept_opts.udp.mtu = config.udp_mtu;
 
     let resolver = build_dns_resolver(config.dns, config.ipv6_first, config.dns_cache_size, &connect_opts)
         .await

diff --git a/crates/shadowsocks/src/net/option.rs b/crates/shadowsocks/src/net/option.rs
@@ -30,6 +30,15 @@ pub struct TcpSocketOpts {
     pub mptcp: bool,
 }
 
+/// Options for UDP server
+#[derive(Debug, Clone, Default)]
+pub struct UdpSocketOpts {
+    /// Maximum Transmission Unit (MTU) for UDP socket `recv`
+    ///
+    /// NOTE: MTU includes IP header, UDP header, UDP payload
+    pub mtu: Option<usize>,
+}
+
 /// Options for connecting to remote server
 #[derive(Debug, Clone, Default)]
 pub struct ConnectOpts {
@@ -58,6 +67,9 @@ pub struct ConnectOpts {
 
     /// TCP options
     pub tcp: TcpSocketOpts,
+
+    /// UDP options
+    pub udp: UdpSocketOpts,
 }
 
 /// Inbound connection options
@@ -66,6 +78,9 @@ pub struct AcceptOpts {
     /// TCP options
     pub tcp: TcpSocketOpts,
 
+    /// UDP options
+    pub udp: UdpSocketOpts,
+
     /// Enable IPV6_V6ONLY option for socket
     pub ipv6_only: bool,
 }