mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-07-09 06:06:08 +00:00
e424cc0f4d
* fix(routing): allow dns.servers on private IPs past the geoip:private block rule Xray's own DNS client traffic is dispatched through the same routing table as proxied client traffic. When dns.servers points at a private IP (e.g. a self-hosted AdGuard Home / Pi-hole reachable on the same Docker network as Xray) and the panel's default geoip:private block rule is active, Xray's own DNS lookups get silently dropped. Xray then falls back to dialing destinations by raw hostname once its internal DNS attempt times out (~4s), so proxied connections still work, just with a multi-second stall added to every new domain-based connection, with no error surfaced anywhere. EnsureDnsServerRouting keeps a managed "direct" allow-rule for any private literal IP found in dns.servers, inserted immediately before the geoip:private block rule (matched by shape, not position). It only acts when both ingredients are present, keeps the managed rule in sync as dns.servers changes across saves, and never touches manually authored rules. Fixes #5773 * fix(routing): scope the DNS allow-rule to its port, guard against reorder/UI drift Addresses three review findings on the initial fix: 1. The allow-rule now carries a "port" matcher (grouped by the dns.servers entries that share it), instead of opening every port on the private DNS IP to proxy-client traffic. A private resolver that also exposes an unauthenticated admin UI on the same address would otherwise become reachable through the proxy too. 2. EnsureDnsServerRouting now strips every previously-managed rule and rebuilds the current set fresh, reinserted immediately before the (re-indexed) geoip:private block rule on every save. Comparing IP content alone missed the case where an admin drags the rule below the block rule in the Routing tab (or reorders something else and incidentally moves it) — silently reintroducing the exact stall this fix addresses, with nothing to notice or correct it. 3. dnsAllowRuleShape now tolerates an "enabled" key as long as it's true, matching the existing EnsureStatsRouting precedent (xray_setting.go's `delete(apiRule, "enabled")`). The Routing tab's rule editor writes that key on every save regardless of whether anything changed, and its enabled switch writes it on a plain toggle — without this, either action permanently disowns the rule from management and a duplicate gets inserted next save. A rule explicitly disabled (enabled=false) is left alone and a fresh one is (re-)created, respecting the admin's choice instead of silently re-enabling it. No-op detection now compares rebuilt rules against the original routing.rules JSON (both decoded through encoding/json to a common type) rather than reflect.DeepEqual on the parsed Go values, which falsely reported changes for identical content stored as []any vs []string. 5 new tests cover multi-port grouping, position drift, and both enabled-key cases; existing tests updated for the port field. * fix: avoid size-computation overflow in allocation hint CodeQL flagged make([]map[string]any, 0, len(clean)+len(managed)) as a potential integer-overflow risk in the capacity computation. Drop the addition and hint with len(clean) alone — it already covers most of the eventual size, and append still grows correctly for the rest. --------- Co-authored-by: Volov <volovdata@google.com>