d454aa0fdf
Before795d1c289, nested rule-set evaluation reused the parent rule match cache. In practice, this meant these fields leaked across nested evaluation: - SourceAddressMatch - SourcePortMatch - DestinationAddressMatch - DestinationPortMatch - DidMatch That leak had two opposite effects. First, it made included rule-sets partially behave like the docs' "merged" semantics. For example, if an outer route rule had: rule_set = ["geosite-additional-!cn"] ip_cidr = 104.26.10.0/24 and the inline rule-set matched `domain_suffix = speedtest.net`, the inner match could set `DestinationAddressMatch = true` and the outer rule would then pass its destination-address group check. This is why some `rule_set + ip_cidr` combinations used to work. But the same leak also polluted sibling rules and sibling rule-sets. A branch could partially match one group, then fail later, and still leave that group cache set for the next branch. This broke cases such as gh-3485: with `rule_set = [test1, test2]`, `test1` could touch destination-address cache before an AdGuard `@@` exclusion made the whole branch fail, and `test2` would then run against dirty state.795d1c289fixed that by cloning metadata for nested rule-set/rule evaluation and resetting the rule match cache for each branch. That stopped sibling pollution, but it also removed the only mechanism by which a successful nested branch could affect the parent rule's grouped matching state. As a result, nested rule-sets became pure boolean sub-items against the outer rule. The previous example stopped working: the inner `domain_suffix = speedtest.net` still matched, but the outer rule no longer observed any destination-address-group success, so it fell through to `final`. This change makes the semantics explicit instead of relying on cache side effects: - `rule_set: ["a", "b"]` is OR - rules inside one rule-set are OR - each nested branch is evaluated in isolation - failed branches contribute no grouped match state - a successful branch contributes its grouped match state back to the parent rule - grouped state from different rule-sets must not be combined together to satisfy one outer rule In other words, rule-sets now behave as "OR branches whose successful group matches merge into the outer rule", which matches the documented intent without reintroducing cross-branch cache leakage.
109 lines
2.5 KiB
Go
109 lines
2.5 KiB
Go
package rule
|
|
|
|
import "github.com/sagernet/sing-box/adapter"
|
|
|
|
type ruleMatchState uint8
|
|
|
|
const (
|
|
ruleMatchSourceAddress ruleMatchState = 1 << iota
|
|
ruleMatchSourcePort
|
|
ruleMatchDestinationAddress
|
|
ruleMatchDestinationPort
|
|
)
|
|
|
|
type ruleMatchStateSet uint16
|
|
|
|
func singleRuleMatchState(state ruleMatchState) ruleMatchStateSet {
|
|
return 1 << state
|
|
}
|
|
|
|
func emptyRuleMatchState() ruleMatchStateSet {
|
|
return singleRuleMatchState(0)
|
|
}
|
|
|
|
func (s ruleMatchStateSet) isEmpty() bool {
|
|
return s == 0
|
|
}
|
|
|
|
func (s ruleMatchStateSet) contains(state ruleMatchState) bool {
|
|
return s&(1<<state) != 0
|
|
}
|
|
|
|
func (s ruleMatchStateSet) add(state ruleMatchState) ruleMatchStateSet {
|
|
return s | singleRuleMatchState(state)
|
|
}
|
|
|
|
func (s ruleMatchStateSet) merge(other ruleMatchStateSet) ruleMatchStateSet {
|
|
return s | other
|
|
}
|
|
|
|
func (s ruleMatchStateSet) combine(other ruleMatchStateSet) ruleMatchStateSet {
|
|
if s.isEmpty() || other.isEmpty() {
|
|
return 0
|
|
}
|
|
var combined ruleMatchStateSet
|
|
for left := ruleMatchState(0); left < 16; left++ {
|
|
if !s.contains(left) {
|
|
continue
|
|
}
|
|
for right := ruleMatchState(0); right < 16; right++ {
|
|
if !other.contains(right) {
|
|
continue
|
|
}
|
|
combined = combined.add(left | right)
|
|
}
|
|
}
|
|
return combined
|
|
}
|
|
|
|
func (s ruleMatchStateSet) withBase(base ruleMatchState) ruleMatchStateSet {
|
|
if s.isEmpty() {
|
|
return 0
|
|
}
|
|
var withBase ruleMatchStateSet
|
|
for state := ruleMatchState(0); state < 16; state++ {
|
|
if !s.contains(state) {
|
|
continue
|
|
}
|
|
withBase = withBase.add(state | base)
|
|
}
|
|
return withBase
|
|
}
|
|
|
|
func (s ruleMatchStateSet) filter(allowed func(ruleMatchState) bool) ruleMatchStateSet {
|
|
var filtered ruleMatchStateSet
|
|
for state := ruleMatchState(0); state < 16; state++ {
|
|
if !s.contains(state) {
|
|
continue
|
|
}
|
|
if allowed(state) {
|
|
filtered = filtered.add(state)
|
|
}
|
|
}
|
|
return filtered
|
|
}
|
|
|
|
type ruleStateMatcher interface {
|
|
matchStates(metadata *adapter.InboundContext) ruleMatchStateSet
|
|
}
|
|
|
|
func matchHeadlessRuleStates(rule adapter.HeadlessRule, metadata *adapter.InboundContext) ruleMatchStateSet {
|
|
if matcher, isStateMatcher := rule.(ruleStateMatcher); isStateMatcher {
|
|
return matcher.matchStates(metadata)
|
|
}
|
|
if rule.Match(metadata) {
|
|
return emptyRuleMatchState()
|
|
}
|
|
return 0
|
|
}
|
|
|
|
func matchRuleItemStates(item RuleItem, metadata *adapter.InboundContext) ruleMatchStateSet {
|
|
if matcher, isStateMatcher := item.(ruleStateMatcher); isStateMatcher {
|
|
return matcher.matchStates(metadata)
|
|
}
|
|
if item.Match(metadata) {
|
|
return emptyRuleMatchState()
|
|
}
|
|
return 0
|
|
}
|