Fix Trojan XTLS

RPRX · web-flow · commit 2e942e03036a · 2020-12-14T17:05:15.000+08:00
diff --git a/infra/conf/trojan.go b/infra/conf/trojan.go
@@ -52,6 +52,17 @@ func (c *TrojanClientConfig) Build() (proto.Message, error) {
 			Password: rec.Password,
 			Flow:     rec.Flow,
 		}
+
+		switch account.Flow {
+		case "", "xtls-rprx-origin", "xtls-rprx-origin-udp443", "xtls-rprx-direct", "xtls-rprx-direct-udp443":
+		case "xtls-rprx-splice", "xtls-rprx-splice-udp443":
+			if runtime.GOOS != "linux" && runtime.GOOS != "android" {
+				return nil, newError(`Trojan servers: "` + account.Flow + `" only support linux in this version`)
+			}
+		default:
+			return nil, newError(`Trojan servers: "flow" doesn't support "` + account.Flow + `" in this version`)
+		}
+
 		trojan := &protocol.ServerEndpoint{
 			Address: rec.Address.Build(),
 			Port:    uint32(rec.Port),
@@ -107,6 +118,14 @@ func (c *TrojanServerConfig) Build() (proto.Message, error) {
 			Flow:     rawUser.Flow,
 		}
 
+		switch account.Flow {
+		case "", "xtls-rprx-origin", "xtls-rprx-direct":
+		case "xtls-rprx-splice":
+			return nil, newError(`Trojan clients: inbound doesn't support "xtls-rprx-splice" in this version, please use "xtls-rprx-direct" instead`)
+		default:
+			return nil, newError(`Trojan clients: "flow" doesn't support "` + account.Flow + `" in this version`)
+		}
+
 		user.Email = rawUser.Email
 		user.Level = uint32(rawUser.Level)
 		user.Account = serial.ToTypedMessage(account)
diff --git a/proxy/trojan/client.go b/proxy/trojan/client.go
@@ -79,62 +79,63 @@ func (c *Client) Process(ctx context.Context, link *transport.Link, dialer inter
 
 	defer conn.Close()
 
+	iConn := conn
+	statConn, ok := iConn.(*internet.StatCouterConnection)
+	if ok {
+		iConn = statConn.Connection
+	}
+
 	user := server.PickUser()
 	account, ok := user.Account.(*MemoryAccount)
 	if !ok {
 		return newError("user account is not valid")
 	}
 
-	iConn := conn
-	statConn, ok := iConn.(*internet.StatCouterConnection)
-	if ok {
-		iConn = statConn.Connection
+	connWriter := &ConnWriter{
+		Flow: account.Flow,
 	}
 
 	var rawConn syscall.RawConn
 	var sctx context.Context
 
-	connWriter := &ConnWriter{}
 	allowUDP443 := false
-	switch account.Flow {
+	switch connWriter.Flow {
 	case XRO + "-udp443", XRD + "-udp443", XRS + "-udp443":
 		allowUDP443 = true
-		account.Flow = account.Flow[:16]
+		connWriter.Flow = connWriter.Flow[:16]
 		fallthrough
 	case XRO, XRD, XRS:
 		if destination.Address.Family().IsDomain() && destination.Address.Domain() == muxCoolAddress {
-			return newError(account.Flow + " doesn't support Mux").AtWarning()
+			return newError(connWriter.Flow + " doesn't support Mux").AtWarning()
 		}
 		if destination.Network == net.Network_UDP {
 			if !allowUDP443 && destination.Port == 443 {
-				return newError(account.Flow + " stopped UDP/443").AtInfo()
+				return newError(connWriter.Flow + " stopped UDP/443").AtInfo()
 			}
+			connWriter.Flow = ""
 		} else { // enable XTLS only if making TCP request
 			if xtlsConn, ok := iConn.(*xtls.Conn); ok {
 				xtlsConn.RPRX = true
-				xtlsConn.SHOW = trojanXTLSShow
+				xtlsConn.SHOW = xtls_show
 				xtlsConn.MARK = "XTLS"
-				if account.Flow == XRS {
+				if connWriter.Flow == XRS {
 					sctx = ctx
-					account.Flow = XRD
+					connWriter.Flow = XRD
 				}
-				if account.Flow == XRD {
+				if connWriter.Flow == XRD {
 					xtlsConn.DirectMode = true
 					if sc, ok := xtlsConn.Connection.(syscall.Conn); ok {
 						rawConn, _ = sc.SyscallConn()
 					}
 				}
-				connWriter.Flow = account.Flow
 			} else {
-				return newError(`failed to use ` + account.Flow + `, maybe "security" is not "xtls"`).AtWarning()
+				return newError(`failed to use ` + connWriter.Flow + `, maybe "security" is not "xtls"`).AtWarning()
 			}
 		}
-	case "":
+	default:
 		if _, ok := iConn.(*xtls.Conn); ok {
 			panic(`To avoid misunderstanding, you must fill in Trojan "flow" when using XTLS.`)
 		}
-	default:
-		return newError("unsupported flow " + account.Flow).AtWarning()
 	}
 
 	sessionPolicy := c.policyManager.ForLevel(user.Level)
@@ -211,6 +212,6 @@ func init() {
 
 	xtlsShow := platform.NewEnvFlag("xray.trojan.xtls.show").GetValue(func() string { return defaultFlagValue })
 	if xtlsShow == "true" {
-		trojanXTLSShow = true
+		xtls_show = true
 	}
 }
diff --git a/proxy/trojan/protocol.go b/proxy/trojan/protocol.go
@@ -28,7 +28,7 @@ var (
 		protocol.AddressFamilyByte(0x03, net.AddressFamilyDomain),
 	)
 
-	trojanXTLSShow = false
+	xtls_show = false
 )
 
 const (
@@ -90,10 +90,10 @@ func (c *ConnWriter) writeHeader() error {
 	command := commandTCP
 	if c.Target.Network == net.Network_UDP {
 		command = commandUDP
-	} else if c.Flow == XRO {
-		command = commandXRO
 	} else if c.Flow == XRD {
 		command = commandXRD
+	} else if c.Flow == XRO {
+		command = commandXRO
 	}
 
 	if _, err := buffer.Write(c.Account.Key); err != nil {
@@ -211,10 +211,10 @@ func (c *ConnReader) ParseHeader() error {
 	network := net.Network_TCP
 	if command[0] == commandUDP {
 		network = net.Network_UDP
-	} else if command[0] == commandXRO {
-		c.Flow = XRO
 	} else if command[0] == commandXRD {
 		c.Flow = XRD
+	} else if command[0] == commandXRO {
+		c.Flow = XRO
 	}
 
 	addr, port, err := addrParser.ReadAddressPort(nil, c.Reader)
diff --git a/proxy/trojan/server.go b/proxy/trojan/server.go
@@ -38,7 +38,7 @@ func init() {
 
 	xtlsShow := platform.NewEnvFlag("xray.trojan.xtls.show").GetValue(func() string { return defaultFlagValue })
 	if xtlsShow == "true" {
-		trojanXTLSShow = true
+		xtls_show = true
 	}
 }
 
@@ -219,7 +219,8 @@ func (s *Server) Process(ctx context.Context, network net.Network, conn internet
 			}
 			if xtlsConn, ok := iConn.(*xtls.Conn); ok {
 				xtlsConn.RPRX = true
-				xtlsConn.SHOW = trojanXTLSShow
+				xtlsConn.SHOW = xtls_show
+				xtlsConn.MARK = "XTLS"
 				if clientReader.Flow == XRD {
 					xtlsConn.DirectMode = true
 					if sc, ok := xtlsConn.Connection.(syscall.Conn); ok {
@@ -230,11 +231,9 @@ func (s *Server) Process(ctx context.Context, network net.Network, conn internet
 				return newError(`failed to use ` + clientReader.Flow + `, maybe "security" is not "xtls"`).AtWarning()
 			}
 		} else {
-			return newError("unable to use ", clientReader.Flow).AtWarning()
+			return newError(account.Password + " is not able to use " + clientReader.Flow).AtWarning()
 		}
 	case "":
-	default:
-		return newError("unsupported flow " + account.Flow).AtWarning()
 	}
 
 	ctx = log.ContextWithAccessMessage(ctx, &log.AccessMessage{

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func init() {`
`38`	`38`
`39`	`39`	`xtlsShow := platform.NewEnvFlag("xray.trojan.xtls.show").GetValue(func() string { return defaultFlagValue })`
`40`	`40`	`if xtlsShow == "true" {`
`41`		`- trojanXTLSShow = true`
	`41`	`+ xtls_show = true`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`@@ -219,7 +219,8 @@ func (s *Server) Process(ctx context.Context, network net.Network, conn internet`
`219`	`219`	`}`
`220`	`220`	`if xtlsConn, ok := iConn.(*xtls.Conn); ok {`
`221`	`221`	`xtlsConn.RPRX = true`
`222`		`- xtlsConn.SHOW = trojanXTLSShow`
	`222`	`+ xtlsConn.SHOW = xtls_show`
	`223`	`+ xtlsConn.MARK = "XTLS"`
`223`	`224`	`if clientReader.Flow == XRD {`
`224`	`225`	`xtlsConn.DirectMode = true`
`225`	`226`	`if sc, ok := xtlsConn.Connection.(syscall.Conn); ok {`
`@@ -230,11 +231,9 @@ func (s *Server) Process(ctx context.Context, network net.Network, conn internet`
`230`	`231`	return newError(`failed to use ` + clientReader.Flow + `, maybe "security" is not "xtls"`).AtWarning()
`231`	`232`	`}`
`232`	`233`	`} else {`
`233`		`- return newError("unable to use ", clientReader.Flow).AtWarning()`
	`234`	`+ return newError(account.Password + " is not able to use " + clientReader.Flow).AtWarning()`
`234`	`235`	`}`
`235`	`236`	`case "":`
`236`		`- default:`
`237`		`- return newError("unsupported flow " + account.Flow).AtWarning()`
`238`	`237`	`}`
`239`	`238`
`240`	`239`	`ctx = log.ContextWithAccessMessage(ctx, &log.AccessMessage{`