fixed regression of client blocking ACL strategy

zonyitoo · zonyitoo · commit 46934f5675b0 · 2022-02-11T01:05:51.000+08:00
- fixes #764 - bug introduced since v1.9.0
diff --git a/crates/shadowsocks-service/src/server/context.rs b/crates/shadowsocks-service/src/server/context.rs
@@ -1,6 +1,6 @@
 //! Shadowsocks Local Server Context
 
-use std::sync::Arc;
+use std::{net::SocketAddr, sync::Arc};
 
 use shadowsocks::{
     config::ServerType,
@@ -100,6 +100,14 @@ impl ServiceContext {
         }
     }
 
+    /// Check if client should be blocked
+    pub fn check_client_blocked(&self, addr: &SocketAddr) -> bool {
+        match self.acl {
+            None => false,
+            Some(ref acl) => acl.check_client_blocked(addr),
+        }
+    }
+
     /// Try to connect IPv6 addresses first if hostname could be resolved to both IPv4 and IPv6
     pub fn set_ipv6_first(&mut self, ipv6_first: bool) {
         let context = Arc::get_mut(&mut self.context).expect("cannot set ipv6_first on a shared context");
diff --git a/crates/shadowsocks-service/src/server/tcprelay.rs b/crates/shadowsocks-service/src/server/tcprelay.rs
@@ -61,6 +61,11 @@ impl TcpServer {
                     }
                 };
 
+            if self.context.check_client_blocked(&peer_addr) {
+                warn!("access denied from {} by ACL rules", peer_addr);
+                continue;
+            }
+
             let client = TcpServerClient {
                 context: self.context.clone(),
                 method: svr_cfg.method(),
diff --git a/crates/shadowsocks-service/src/server/udprelay.rs b/crates/shadowsocks-service/src/server/udprelay.rs
@@ -112,8 +112,16 @@ impl UdpServer {
                 }
             };
 
+            if self.context.check_client_blocked(&peer_addr) {
+                warn!(
+                    "udp client {} outbound {} access denied by ACL rules",
+                    peer_addr, target_addr
+                );
+                continue;
+            }
+
             if self.context.check_outbound_blocked(&target_addr).await {
-                error!("udp client {} outbound {} blocked by ACL rules", peer_addr, target_addr);
+                warn!("udp client {} outbound {} blocked by ACL rules", peer_addr, target_addr);
                 continue;
             }
 
