fix: pass correct dst address to outgoing PROXY protocol header

Previously handle_bad_client used stream.local_addr() (the ephemeral socket to the mask backend) as the dst in the outgoing PROXY protocol header. This is wrong: the dst should be the address telemt is listening on, or the dst from the incoming PROXY protocol header if one was present. - handle_bad_client now receives local_addr from the caller - handle_client_stream resolves local_addr from PROXY protocol info.dst_addr or falls back to a synthetic address based on config.server.port - RunningClientHandler.do_handshake resolves local_addr from stream.local_addr() overridden by PROXY protocol info.dst_addr when present, and passes it down to handle_tls_client / handle_direct_client - masking.rs uses the caller-supplied local_addr directly, eliminating the stream.local_addr() call
2026-04-15 01:24:09 +03:00 · 2026-02-28 19:09:32 +03:00
parent 0f6fcf49a7
commit e27ef04c3d
2 changed files with 36 additions and 28 deletions
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -55,6 +55,7 @@ pub async fn handle_bad_client<R, W>(
    writer: W,
    initial_data: &[u8],
    peer: SocketAddr,
+    local_addr: SocketAddr,
    config: &ProxyConfig,
    beobachten: &BeobachtenStore,
 )
@@ -126,23 +127,16 @@ where
            let proxy_header: Option<Vec<u8>> = match config.censorship.mask_proxy_protocol {
                0 => None,
                version => {
-                    let header = if let Ok(local_addr) = stream.local_addr() {
-                        match version {
-                            2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
-                            _ => match (peer, local_addr) {
-                                (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
-                                    ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
-                                (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
-                                    ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
-                                _ =>
-                                    ProxyProtocolV1Builder::new().build(),
-                            },
-                        }
-                    } else {
-                        match version {
-                            2 => ProxyProtocolV2Builder::new().build(),
-                            _ => ProxyProtocolV1Builder::new().build(),
-                        }
+                    let header = match version {
+                        2 => ProxyProtocolV2Builder::new().with_addrs(peer, local_addr).build(),
+                        _ => match (peer, local_addr) {
+                            (SocketAddr::V4(src), SocketAddr::V4(dst)) =>
+                                ProxyProtocolV1Builder::new().tcp4(src.into(), dst.into()).build(),
+                            (SocketAddr::V6(src), SocketAddr::V6(dst)) =>
+                                ProxyProtocolV1Builder::new().tcp6(src.into(), dst.into()).build(),
+                            _ =>
+                                ProxyProtocolV1Builder::new().build(),
+                        },
                    };
                    Some(header)
                }