From 46934f5675b0554cad52c8884787519d7a4bee94 Mon Sep 17 00:00:00 2001
From: zonyitoo
Date: Fri, 11 Feb 2022 01:03:39 +0800
Subject: [PATCH] fixed regression of client blocking ACL strategy
- fixes #764
- bug introduced since v1.9.0
---
 crates/shadowsocks-service/src/server/context.rs | 10 +++++++++-
 crates/shadowsocks-service/src/server/tcprelay.rs | 5 +++++
 crates/shadowsocks-service/src/server/udprelay.rs | 10 +++++++++-
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/crates/shadowsocks-service/src/server/context.rs b/crates/shadowsocks-service/src/server/context.rs
index 41032b6d966a..f4ce9d233b2e 100644
--- a/crates/shadowsocks-service/src/server/context.rs
+++ b/crates/shadowsocks-service/src/server/context.rs
@@ -1,6 +1,6 @@
 //! Shadowsocks Local Server Context
 
-use std::sync::Arc;
+use std::{net::SocketAddr, sync::Arc};
 
 use shadowsocks::{
 config::ServerType,
@@ -100,6 +100,14 @@ impl ServiceContext {
 }
 }
 
+ /// Check if client should be blocked
+ pub fn check_client_blocked(&self, addr: &SocketAddr) -> bool {
+ match self.acl {
+ None => false,
+ Some(ref acl) => acl.check_client_blocked(addr),
+ }
+ }
+
 /// Try to connect IPv6 addresses first if hostname could be resolved to both IPv4 and IPv6
 pub fn set_ipv6_first(&mut self, ipv6_first: bool) {
 let context = Arc::get_mut(&mut self.context).expect("cannot set ipv6_first on a shared context");
diff --git a/crates/shadowsocks-service/src/server/tcprelay.rs b/crates/shadowsocks-service/src/server/tcprelay.rs
index 8311a501eb06..3c8c0a20e716 100644
--- a/crates/shadowsocks-service/src/server/tcprelay.rs
+++ b/crates/shadowsocks-service/src/server/tcprelay.rs
@@ -61,6 +61,11 @@ impl TcpServer {
 }
 };
 
+ if self.context.check_client_blocked(&peer_addr) {
+ warn!("access denied from {} by ACL rules", peer_addr);
+ continue;
+ }
+
 let client = TcpServerClient {
 context: self.context.clone(),
 method: svr_cfg.method(),
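Review bot: The doc comment on `check_client_blocked` should state what happens when no ACL is configured, because the `None => false` arm makes the check fail-open (every client allowed) and a reader of the signature alone cannot tell that; e.g. `/// Returns true if addr matches the ACL's client-block rules; always false (allow) when no ACL is configured.` The same comment should note that the verdict is only as trustworthy as `addr`: a TCP peer address comes from a completed handshake, but a UDP source address has not been validated by any handshake and can be forged, so blocking on it is best-effort. Stylistically the match can be written `self.acl.as_ref().map_or(false, |acl| acl.check_client_blocked(addr))`, which is the combinator form Clippy prefers and matches the two-arm intent exactly. The enclosing `impl ServiceContext` continues outside the hunk.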
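Review bot: The `warn!` on the new denial path fires once per accepted connection from a blocked peer, before any authentication has happened, so a blocked or hostile client can fill the server log simply by reconnecting in a loop; consider `debug!` here, or rate-limiting repeated denials per `peer_addr`, if operators do not need every hit at warn level. The `continue` presumably drops the accepted stream and closes it, which is the right outcome, but the denial only happens after the TCP handshake has completed and the socket has been accepted, and that is worth recording so nobody mistakes this for a pre-accept filter: `// Post-accept ACL check: blocked peers still complete the handshake before being dropped`. The accept loop this sits in begins outside the hunk.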
diff --git a/crates/shadowsocks-service/src/server/udprelay.rs b/crates/shadowsocks-service/src/server/udprelay.rs
index 6dc7bbbfcbe5..ec817a03d3cf 100644
--- a/crates/shadowsocks-service/src/server/udprelay.rs
+++ b/crates/shadowsocks-service/src/server/udprelay.rs
@@ -112,8 +112,16 @@ impl UdpServer {
 }
 };
 
+ if self.context.check_client_blocked(&peer_addr) {
+ warn!(
+ "udp client {} outbound {} access denied by ACL rules",
+ peer_addr, target_addr
+ );
+ continue;
+ }
+
 if self.context.check_outbound_blocked(&target_addr).await {
- error!("udp client {} outbound {} blocked by ACL rules", peer_addr, target_addr);
+ warn!("udp client {} outbound {} blocked by ACL rules", peer_addr, target_addr);
 continue;
 }