Sniffing: Add ipsExcluded (supports IP, CIDR, "geoip:", "ext:") (#5929)

https://github.com/XTLS/Xray-core/pull/5927#issuecomment-4238197075

https://github.com/XTLS/Xray-core/pull/5929#issuecomment-4238550443

app/dispatcher/default.go

@@ -237,6 +237,9 @@ func (d *DefaultDispatcher) shouldOverride(ctx context.Context, result SniffResu
 	if request.ExcludeForDomain != nil && request.ExcludeForDomain.MatchAny(strings.ToLower(domain)) {
 		return false
 	}
+	if request.ExcludeForIP != nil && destination.Address.Family().IsIP() && request.ExcludeForIP.Match(destination.Address.IP()) {
+		return false
+	}
 	protocolString := result.Protocol()
 	if resComp, ok := result.(SnifferResultComposite); ok {
 		protocolString = resComp.ProtocolForDomainResult()

app/proxyman/config.go

@@ -23,5 +23,12 @@ func BuildSniffingRequest(config *SniffingConfig) (session.SniffingRequest, erro
 		}
 		request.ExcludeForDomain = excludeForDomain
 	}
+	if len(config.IpsExcluded) > 0 {
+		excludeForIP, err := geodata.IPReg.BuildIPMatcher(config.IpsExcluded)
+		if err != nil {
+			return session.SniffingRequest{}, err
+		}
+		request.ExcludeForIP = excludeForIP
+	}
 	return request, nil
 }

app/proxyman/config.pb.go

@@ -69,6 +69,7 @@ type SniffingConfig struct {
 	// Supported values are "http", "tls", "fakedns".
 	DestinationOverride []string              `protobuf:"bytes,2,rep,name=destination_override,json=destinationOverride,proto3" json:"destination_override,omitempty"`
 	DomainsExcluded     []*geodata.DomainRule `protobuf:"bytes,3,rep,name=domains_excluded,json=domainsExcluded,proto3" json:"domains_excluded,omitempty"`
+	IpsExcluded         []*geodata.IPRule     `protobuf:"bytes,6,rep,name=ips_excluded,json=ipsExcluded,proto3" json:"ips_excluded,omitempty"`
 	// Whether should only try to sniff metadata without waiting for client input.
 	// Can be used to support SMTP like protocol where server send the first
 	// message.
@@ -129,6 +130,13 @@ func (x *SniffingConfig) GetDomainsExcluded() []*geodata.DomainRule {
 	return nil
 }
 
+func (x *SniffingConfig) GetIpsExcluded() []*geodata.IPRule {
+	if x != nil {
+		return x.IpsExcluded
+	}
+	return nil
+}
+
 func (x *SniffingConfig) GetMetadataOnly() bool {
 	if x != nil {
 		return x.MetadataOnly
@@ -479,11 +487,12 @@ var File_app_proxyman_config_proto protoreflect.FileDescriptor
 const file_app_proxyman_config_proto_rawDesc = "" +
 	"\n" +
 	"\x19app/proxyman/config.proto\x12\x11xray.app.proxyman\x1a\x18common/net/address.proto\x1a\x15common/net/port.proto\x1a\x1ftransport/internet/config.proto\x1a!common/serial/typed_message.proto\x1a\x1bcommon/geodata/geodat.proto\"\x0f\n" +
-	"\rInboundConfig\"\xed\x01\n" +
+	"\rInboundConfig\"\xad\x02\n" +
 	"\x0eSniffingConfig\x12\x18\n" +
 	"\aenabled\x18\x01 \x01(\bR\aenabled\x121\n" +
 	"\x14destination_override\x18\x02 \x03(\tR\x13destinationOverride\x12J\n" +
-	"\x10domains_excluded\x18\x03 \x03(\v2\x1f.xray.common.geodata.DomainRuleR\x0fdomainsExcluded\x12#\n" +
+	"\x10domains_excluded\x18\x03 \x03(\v2\x1f.xray.common.geodata.DomainRuleR\x0fdomainsExcluded\x12>\n" +
+	"\fips_excluded\x18\x06 \x03(\v2\x1b.xray.common.geodata.IPRuleR\vipsExcluded\x12#\n" +
 	"\rmetadata_only\x18\x04 \x01(\bR\fmetadataOnly\x12\x1d\n" +
 	"\n" +
 	"route_only\x18\x05 \x01(\bR\trouteOnly\"\xe5\x02\n" +
@@ -534,31 +543,33 @@ var file_app_proxyman_config_proto_goTypes = []any{
 	(*SenderConfig)(nil),          // 5: xray.app.proxyman.SenderConfig
 	(*MultiplexingConfig)(nil),    // 6: xray.app.proxyman.MultiplexingConfig
 	(*geodata.DomainRule)(nil),    // 7: xray.common.geodata.DomainRule
-	(*net.PortList)(nil),          // 8: xray.common.net.PortList
-	(*net.IPOrDomain)(nil),        // 9: xray.common.net.IPOrDomain
-	(*internet.StreamConfig)(nil), // 10: xray.transport.internet.StreamConfig
-	(*serial.TypedMessage)(nil),   // 11: xray.common.serial.TypedMessage
-	(*internet.ProxyConfig)(nil),  // 12: xray.transport.internet.ProxyConfig
-	(internet.DomainStrategy)(0),  // 13: xray.transport.internet.DomainStrategy
+	(*geodata.IPRule)(nil),        // 8: xray.common.geodata.IPRule
+	(*net.PortList)(nil),          // 9: xray.common.net.PortList
+	(*net.IPOrDomain)(nil),        // 10: xray.common.net.IPOrDomain
+	(*internet.StreamConfig)(nil), // 11: xray.transport.internet.StreamConfig
+	(*serial.TypedMessage)(nil),   // 12: xray.common.serial.TypedMessage
+	(*internet.ProxyConfig)(nil),  // 13: xray.transport.internet.ProxyConfig
+	(internet.DomainStrategy)(0),  // 14: xray.transport.internet.DomainStrategy
 }
 var file_app_proxyman_config_proto_depIdxs = []int32{
 	7,  // 0: xray.app.proxyman.SniffingConfig.domains_excluded:type_name -> xray.common.geodata.DomainRule
-	8,  // 1: xray.app.proxyman.ReceiverConfig.port_list:type_name -> xray.common.net.PortList
-	9,  // 2: xray.app.proxyman.ReceiverConfig.listen:type_name -> xray.common.net.IPOrDomain
-	10, // 3: xray.app.proxyman.ReceiverConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
-	1,  // 4: xray.app.proxyman.ReceiverConfig.sniffing_settings:type_name -> xray.app.proxyman.SniffingConfig
-	11, // 5: xray.app.proxyman.InboundHandlerConfig.receiver_settings:type_name -> xray.common.serial.TypedMessage
-	11, // 6: xray.app.proxyman.InboundHandlerConfig.proxy_settings:type_name -> xray.common.serial.TypedMessage
-	9,  // 7: xray.app.proxyman.SenderConfig.via:type_name -> xray.common.net.IPOrDomain
-	10, // 8: xray.app.proxyman.SenderConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
-	12, // 9: xray.app.proxyman.SenderConfig.proxy_settings:type_name -> xray.transport.internet.ProxyConfig
-	6,  // 10: xray.app.proxyman.SenderConfig.multiplex_settings:type_name -> xray.app.proxyman.MultiplexingConfig
-	13, // 11: xray.app.proxyman.SenderConfig.target_strategy:type_name -> xray.transport.internet.DomainStrategy
-	12, // [12:12] is the sub-list for method output_type
-	12, // [12:12] is the sub-list for method input_type
-	12, // [12:12] is the sub-list for extension type_name
-	12, // [12:12] is the sub-list for extension extendee
-	0,  // [0:12] is the sub-list for field type_name
+	8,  // 1: xray.app.proxyman.SniffingConfig.ips_excluded:type_name -> xray.common.geodata.IPRule
+	9,  // 2: xray.app.proxyman.ReceiverConfig.port_list:type_name -> xray.common.net.PortList
+	10, // 3: xray.app.proxyman.ReceiverConfig.listen:type_name -> xray.common.net.IPOrDomain
+	11, // 4: xray.app.proxyman.ReceiverConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
+	1,  // 5: xray.app.proxyman.ReceiverConfig.sniffing_settings:type_name -> xray.app.proxyman.SniffingConfig
+	12, // 6: xray.app.proxyman.InboundHandlerConfig.receiver_settings:type_name -> xray.common.serial.TypedMessage
+	12, // 7: xray.app.proxyman.InboundHandlerConfig.proxy_settings:type_name -> xray.common.serial.TypedMessage
+	10, // 8: xray.app.proxyman.SenderConfig.via:type_name -> xray.common.net.IPOrDomain
+	11, // 9: xray.app.proxyman.SenderConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
+	13, // 10: xray.app.proxyman.SenderConfig.proxy_settings:type_name -> xray.transport.internet.ProxyConfig
+	6,  // 11: xray.app.proxyman.SenderConfig.multiplex_settings:type_name -> xray.app.proxyman.MultiplexingConfig
+	14, // 12: xray.app.proxyman.SenderConfig.target_strategy:type_name -> xray.transport.internet.DomainStrategy
+	13, // [13:13] is the sub-list for method output_type
+	13, // [13:13] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }
 
 func init() { file_app_proxyman_config_proto_init() }

app/proxyman/config.proto

@@ -24,6 +24,8 @@ message SniffingConfig {
 
   repeated xray.common.geodata.DomainRule domains_excluded = 3;
 
+  repeated xray.common.geodata.IPRule ips_excluded = 6;
+
   // Whether should only try to sniff metadata without waiting for client input.
   // Can be used to support SMTP like protocol where server send the first
   // message.