Same domain: TUN mode matches the IP rule, but proxy mode does not #694

Closed
4 tasks done
kckm opened this issue Jul 2, 2023 · 5 comments

Comments

@kckm

kckm commented Jul 2, 2023

Welcome

  • Yes, I'm using the latest major release. Only such installations are supported.
  • Yes, I'm using the latest Golang release. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, FULL config, FULL log, etc).

Description of the problem

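The domain is hl.proxys5.net. The browser proxy and TUN mode take different routes. The mixed inbound already sets domain_strategy, so in theory it should be able to match the IP rules.

This domain resolves to multiple addresses; perhaps that is related.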

Version of sing-box

$ sing-box version
sing-box version 1.3.0

Environment: go1.20.5 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
Revision: 29b1dba2bb70b0f77bbeb764d745c592147785ad
CGO: disabled

Server and client configuration file

{
  "log": {
    "disabled": true,
    "level": "debug",
    "output": "",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "remote",
        "address": "8.8.8.8"
      },
      {
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
      },
      {
        "tag": "block",
        "address": "rcode://success"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "local"
      },
      {
        "domain_suffix": [
          "googleapis.cn"
        ],
        "server": "remote"
      },
      {
        "geosite": [
          "category-games@cn",
          "private",
          "cn"
        ],
        "server": "local"
      }
    ],
    "strategy": "prefer_ipv6"
  },
  "route": {
    "default_interface": "以太网",
    "geoip": {
      "download_url": "https://github.com/lyc8503/sing-box-rules/releases/latest/download/geoip.db",
      "path": "C:\\Program Files\\Software\\sing-box\\geoip.db",
      "download_detour": "vless-out"
    },
    "geosite": {
      "download_url": "https://github.com/lyc8503/sing-box-rules/releases/latest/download/geosite.db",
      "path": "C:\\Program Files\\Software\\sing-box\\geosite.db",
      "download_detour": "vless-out"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "process_name": [
          "qbittorrent.exe"
        ],
        "ip_version": 6,
        "outbound": "block"
      },
      {
        "process_name": [
          "qbittorrent.exe"
        ],
        "outbound": "direct"
      },
      {
        "geosite": [
          "private",
          "category-games@cn",
          "win-update",
          "cn"
        ],
        "outbound": "direct"
      },
      {
        "geosite": [
          "geolocation-!cn"
        ],
        "geoip": [
          "telegram"
        ],
        "network": [
          "tcp"
        ],
        "outbound": "vless-out"
      },
      {
        "geoip": [
          "lan",
          "cn"
        ],
        "ip_version": 6,
        "outbound": "block"
      },
      {
        "geoip": [
          "lan",
          "cn"
        ],
        "outbound": "direct"
      },
      {
        "protocol": [
          "quic"
        ],
        "outbound": "block"
      }
    ]
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "set_system_proxy": false,
      "listen": "127.0.0.1",
      "listen_port": 2080,
      "tcp_fast_open": true,
      "udp_fragment": true,
      "sniff": true,
      "sniff_override_destination": false,
      "domain_strategy": "prefer_ipv6"
    },
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.19.0.1/30",
      "inet6_address": "fdfe:dcba:9876::1/126",
      "mtu": 9000,
      "auto_route": true,
      "strict_route": true,
      "endpoint_independent_nat": false,
      "stack": "system",
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "tag": "vless-out",
      "server": "1.2.3.4",
      "server_port": 443,
      "tcp_fast_open": true,
      "udp_fragment": true,
      "uuid": "0000",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "disable_sni": false,
        "server_name": "asd",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        },
        "reality": {
          "enabled": true,
          "public_key": "1234",
          "short_id": ""
        }
      }
    },
    {
      "type": "direct",
      "tag": "direct",
      "udp_fragment": true,
      "domain_strategy": "",
      "fallback_delay": "120ms"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ]
}

Server and client log file

Proxy mode:

+0800 2023-07-02 22:36:23 INFO [3738636083 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:55343
+0800 2023-07-02 22:36:23 INFO [3738636083 1ms] inbound/mixed[mixed-in]: inbound connection to hl.proxys5.net:443
+0800 2023-07-02 22:36:23 DEBUG [3738636083 1ms] router: sniffed protocol: tls, domain: hl.proxys5.net
+0800 2023-07-02 22:36:23 DEBUG [3738636083 1ms] dns: lookup domain hl.proxys5.net
+0800 2023-07-02 22:36:23 INFO [3738636083 365ms] dns: lookup succeed for hl.proxys5.net: 2404:2280:10d:0:3::3fc 2404:2280:10d:0:3::3fb 128.1.157.213
+0800 2023-07-02 22:36:23 DEBUG [3738636083 366ms] dns: resolved [2404:2280:10d:0:3::3fc 2404:2280:10d:0:3::3fb 128.1.157.213]
+0800 2023-07-02 22:36:23 INFO [3738636083 366ms] router: found process path: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+0800 2023-07-02 22:36:23 INFO [3738636083 366ms] outbound/vless[vless-out]: outbound connection to [2404:2280:10d:0:3::3fc]:443

TUN mode:

+0800 2023-07-02 22:11:27 INFO [4048274772 0ms] inbound/tun[tun-in]: inbound connection from [fdfe:dcba:9876::1]:53780
+0800 2023-07-02 22:11:27 INFO [4048274772 0ms] inbound/tun[tun-in]: inbound connection to [2404:2280:113:0:3::3fb]:443
+0800 2023-07-02 22:11:27 DEBUG [4048274772 0ms] router: sniffed protocol: tls, domain: hl.proxys5.net
+0800 2023-07-02 22:11:27 INFO [4048274772 1ms] router: found process path: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+0800 2023-07-02 22:11:27 DEBUG [4048274772 1ms] router: match[6] ip_version=6 geoip=[lan cn] => block
+0800 2023-07-02 22:11:27 INFO [4048274772 1ms] outbound/block[block]: blocked connection to [2404:2280:113:0:3::3fb]:443

socks.log
tun.log

@dyhkwong

This comment was marked as outdated.

@kckm
Author

kckm commented Jul 2, 2023

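The socks and tun logs show match results for two different IPs, and 2404:2280:10d:0:3::3fc and 2404:2280:10d:0:3::3fb should both be sg rather than cn. Could it simply be that your geoip considers 2404:2280:113:0:3::3fb to be cn? I tried testing with the same IP and could not reproduce it.

That's not right: on the socks side, DNS returned 3 IPs, including the IP from tun. So which IP does the socks route lookup match against?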

@dyhkwong
Contributor

dyhkwong commented Jul 2, 2023

This is probably a bug: ip_version does not take effect on metadata.DestinationAddresses.

@dyhkwong
Contributor

dyhkwong commented Jul 2, 2023

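If ip_version were made to take effect on metadata.DestinationAddresses, there would be another problem: in a case like this, where domain_strategy resolved both IPv4 and IPv6 addresses, should ip_version: 4 and ip_version: 6 both match?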

@nekohasekai
Member

The ip_version rule only applies to IP requests.
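
A simplified model of the matching behaviour discussed in this thread, as an added example (not sing-box source code and not written by any participant). It shows why an `ip_version: 6` + `geoip: cn` block rule fires for a TUN IP request but is skipped for a mixed-inbound domain request, and the ambiguity raised above if ip_version were applied to resolved addresses. The type and function names, the documentation-range addresses and the one-prefix geoip table are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Metadata is a simplified stand-in for per-connection routing metadata.
type Metadata struct {
	Destination netip.Addr   // valid only for IP requests (TUN-style)
	Resolved    []netip.Addr // filled by domain_strategy for domain requests
}

// Rule models only ip_version and geoip; IPVersion 0 means unset.
type Rule struct {
	IPVersion       int
	GeoIP, Outbound string
}

var cnPrefix = netip.MustParsePrefix("2001:db8:113::/48") // constructed "cn" geoip entry

// Match passes a field if any candidate address satisfies it; onResolved=false is the thread's behaviour.
func (r Rule) Match(m Metadata, onResolved bool) bool {
	addrs, checkVersion := m.Resolved, onResolved
	if m.Destination.IsValid() {
		addrs, checkVersion = []netip.Addr{m.Destination}, true
	}
	versionOK, geoOK := r.IPVersion == 0, r.GeoIP == ""
	for _, a := range addrs {
		versionOK = versionOK || (checkVersion && a.Is6() == (r.IPVersion == 6))
		geoOK = geoOK || (r.GeoIP == "cn" && cnPrefix.Contains(a))
	}
	return versionOK && geoOK
}

// Route returns the first matching rule's outbound, else the default outbound.
func Route(m Metadata, rules []Rule, onResolved bool) string {
	for _, r := range rules {
		if r.Match(m, onResolved) {
			return r.Outbound
		}
	}
	return "vless-out"
}

var cnRules = []Rule{{6, "cn", "block"}, {0, "cn", "direct"}} // the config's two geoip=cn rules
var tunReq = Metadata{Destination: netip.MustParseAddr("2001:db8:113::3fb")}
var mixedReq = Metadata{Resolved: []netip.Addr{tunReq.Destination, netip.MustParseAddr("192.0.2.10")}}

func main() { fmt.Println(Route(tunReq, cnRules, false), Route(mixedReq, cnRules, false)) }
```

In this model the same address is blocked when it arrives as an IP request and routed to `direct` when it arrives as a domain request, so a block rule that depends on ip_version does not cover traffic from the mixed inbound.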
