stream/socket states

Author: masterking32

internal/socksproto/target.go

@@ -0,0 +1,72 @@
+// ==============================================================================
+// MasterDnsVPN
+// Author: MasterkinG32
+// Github: https://github.com/masterking32
+// Year: 2026
+// ==============================================================================
+
+package socksproto
+
+import (
+	"encoding/binary"
+	"errors"
+	"net"
+)
+
+const (
+	AddressTypeIPv4   = 0x01
+	AddressTypeDomain = 0x03
+	AddressTypeIPv6   = 0x04
+)
+
+var (
+	ErrTargetTooShort         = errors.New("socks target payload too short")
+	ErrUnsupportedAddressType = errors.New("unsupported socks address type")
+	ErrInvalidDomainLength    = errors.New("invalid socks domain length")
+)
+
+type Target struct {
+	AddressType uint8
+	Host        string
+	Port        uint16
+}
+
+func ParseTargetPayload(payload []byte) (Target, error) {
+	if len(payload) < 3 {
+		return Target{}, ErrTargetTooShort
+	}
+
+	target := Target{AddressType: payload[0]}
+	offset := 1
+
+	switch payload[0] {
+	case AddressTypeIPv4:
+		if len(payload) < offset+4+2 {
+			return Target{}, ErrTargetTooShort
+		}
+		target.Host = net.IP(payload[offset : offset+4]).String()
+		offset += 4
+	case AddressTypeDomain:
+		if len(payload) < offset+1 {
+			return Target{}, ErrTargetTooShort
+		}
+		domainLength := int(payload[offset])
+		offset++
+		if domainLength < 1 || len(payload) < offset+domainLength+2 {
+			return Target{}, ErrInvalidDomainLength
+		}
+		target.Host = string(payload[offset : offset+domainLength])
+		offset += domainLength
+	case AddressTypeIPv6:
+		if len(payload) < offset+16+2 {
+			return Target{}, ErrTargetTooShort
+		}
+		target.Host = net.IP(payload[offset : offset+16]).String()
+		offset += 16
+	default:
+		return Target{}, ErrUnsupportedAddressType
+	}
+
+	target.Port = binary.BigEndian.Uint16(payload[offset : offset+2])
+	return target, nil
+}

internal/socksproto/target_test.go

@@ -0,0 +1,36 @@
+// ==============================================================================
+// MasterDnsVPN
+// Author: MasterkinG32
+// Github: https://github.com/masterking32
+// Year: 2026
+// ==============================================================================
+
+package socksproto
+
+import "testing"
+
+func TestParseTargetPayloadIPv4(t *testing.T) {
+	target, err := ParseTargetPayload([]byte{0x01, 127, 0, 0, 1, 0x01, 0xBB})
+	if err != nil {
+		t.Fatalf("ParseTargetPayload returned error: %v", err)
+	}
+	if target.Host != "127.0.0.1" || target.Port != 443 {
+		t.Fatalf("unexpected target: %+v", target)
+	}
+}
+
+func TestParseTargetPayloadDomain(t *testing.T) {
+	target, err := ParseTargetPayload([]byte{0x03, 0x0B, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm', 0x00, 0x35})
+	if err != nil {
+		t.Fatalf("ParseTargetPayload returned error: %v", err)
+	}
+	if target.Host != "example.com" || target.Port != 53 {
+		t.Fatalf("unexpected target: %+v", target)
+	}
+}
+
+func TestParseTargetPayloadRejectsUnsupportedType(t *testing.T) {
+	if _, err := ParseTargetPayload([]byte{0x05, 0x00, 0x35}); err != ErrUnsupportedAddressType {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}

internal/udpserver/server.go

@@ -25,6 +25,7 @@ import (
 	Enums "masterdnsvpn-go/internal/enums"
 	"masterdnsvpn-go/internal/logger"
 	"masterdnsvpn-go/internal/security"
+	SocksProto "masterdnsvpn-go/internal/socksproto"
 	VpnProto "masterdnsvpn-go/internal/vpnproto"
 )
 
@@ -381,6 +382,8 @@ func (s *Server) handleTunnelCandidate(packet []byte, parsed DnsParser.LitePacke
 		return s.handleDNSQueryRequest(packet, parsed, decision, vpnPacket)
 	case Enums.PACKET_STREAM_SYN:
 		return s.handleStreamSynRequest(packet, decision, vpnPacket)
+	case Enums.PACKET_SOCKS5_SYN:
+		return s.handleSOCKS5SynRequest(packet, decision, vpnPacket)
 	case Enums.PACKET_STREAM_DATA, Enums.PACKET_STREAM_RESEND:
 		return s.handleStreamDataRequest(packet, decision, vpnPacket)
 	case Enums.PACKET_STREAM_FIN:
@@ -693,6 +696,54 @@ func (s *Server) handleStreamSynRequest(questionPacket []byte, decision domainma
 	})
 }
 
+func (s *Server) handleSOCKS5SynRequest(questionPacket []byte, decision domainmatcher.Decision, vpnPacket VpnProto.Packet) []byte {
+	if !vpnPacket.HasStreamID || vpnPacket.StreamID == 0 || !vpnPacket.HasSequenceNum {
+		return nil
+	}
+	sessionRecord, ok := s.sessions.Active(vpnPacket.SessionID)
+	if !ok {
+		return nil
+	}
+
+	target, err := SocksProto.ParseTargetPayload(vpnPacket.Payload)
+	if err != nil {
+		packetType := uint8(Enums.PACKET_SOCKS5_CONNECT_FAIL)
+		if errors.Is(err, SocksProto.ErrUnsupportedAddressType) || errors.Is(err, SocksProto.ErrInvalidDomainLength) {
+			packetType = uint8(Enums.PACKET_SOCKS5_ADDRESS_TYPE_UNSUPPORTED)
+		}
+		return s.buildSessionVPNResponse(questionPacket, decision.RequestName, sessionRecord, VpnProto.Packet{
+			PacketType:  packetType,
+			StreamID:    vpnPacket.StreamID,
+			SequenceNum: vpnPacket.SequenceNum,
+		})
+	}
+
+	record, ok := s.streams.BindTarget(vpnPacket.SessionID, vpnPacket.StreamID, target.Host, target.Port, time.Now())
+	if !ok || record == nil {
+		return s.buildSessionVPNResponse(questionPacket, decision.RequestName, sessionRecord, VpnProto.Packet{
+			PacketType:  Enums.PACKET_SOCKS5_CONNECT_FAIL,
+			StreamID:    vpnPacket.StreamID,
+			SequenceNum: vpnPacket.SequenceNum,
+		})
+	}
+
+	if s.log != nil {
+		s.log.Debugf(
+			"🧦 <green>SOCKS5 Stream Prepared</green> <magenta>|</magenta> <blue>Session</blue>: <cyan>%d</cyan> <magenta>|</magenta> <blue>Stream</blue>: <cyan>%d</cyan> <magenta>|</magenta> <blue>Target</blue>: <cyan>%s:%d</cyan>",
+			record.SessionID,
+			record.StreamID,
+			record.TargetHost,
+			record.TargetPort,
+		)
+	}
+
+	return s.buildSessionVPNResponse(questionPacket, decision.RequestName, sessionRecord, VpnProto.Packet{
+		PacketType:  Enums.PACKET_SOCKS5_SYN_ACK,
+		StreamID:    vpnPacket.StreamID,
+		SequenceNum: vpnPacket.SequenceNum,
+	})
+}
+
 func (s *Server) handleStreamDataRequest(questionPacket []byte, decision domainmatcher.Decision, vpnPacket VpnProto.Packet) []byte {
 	if !vpnPacket.HasStreamID || vpnPacket.StreamID == 0 || !vpnPacket.HasSequenceNum {
 		return nil

internal/udpserver/server_test.go

@@ -540,6 +540,80 @@ func TestHandlePacketResetsUnknownStreamData(t *testing.T) {
 	}
 }
 
+func TestHandlePacketRespondsToSocks5Syn(t *testing.T) {
+	codec, err := security.NewCodec(0, "")
+	if err != nil {
+		t.Fatalf("NewCodec returned error: %v", err)
+	}
+
+	srv := New(config.ServerConfig{
+		MaxPacketSize:     65535,
+		Domain:            []string{"a.com"},
+		MinVPNLabelLength: 3,
+	}, nil, codec)
+
+	initPayload := []byte{0, 0x00, 0x00, 0x96, 0x00, 0xC8, 0x10, 0x20, 0x30, 0x40}
+	initResponse := srv.handlePacket(buildTunnelQueryWithSessionID(t, codec, "a.com", 0, Enums.PACKET_SESSION_INIT, initPayload))
+	packet, err := DnsParser.ExtractVPNResponse(initResponse, false)
+	if err != nil {
+		t.Fatalf("ExtractVPNResponse returned error: %v", err)
+	}
+	sessionID := packet.Payload[0]
+	sessionCookie := packet.Payload[1]
+
+	_ = srv.handlePacket(buildTunnelStreamQuery(t, codec, "a.com", sessionID, sessionCookie, Enums.PACKET_STREAM_SYN, 15, 1, nil))
+
+	targetPayload := []byte{0x03, 0x0B, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm', 0x01, 0xBB}
+	query := buildTunnelStreamQuery(t, codec, "a.com", sessionID, sessionCookie, Enums.PACKET_SOCKS5_SYN, 15, 2, targetPayload)
+	response := srv.handlePacket(query)
+	vpnResponse, err := DnsParser.ExtractVPNResponse(response, false)
+	if err != nil {
+		t.Fatalf("ExtractVPNResponse returned error: %v", err)
+	}
+	if vpnResponse.PacketType != Enums.PACKET_SOCKS5_SYN_ACK {
+		t.Fatalf("unexpected packet type: got=%d want=%d", vpnResponse.PacketType, Enums.PACKET_SOCKS5_SYN_ACK)
+	}
+
+	streamRecord, ok := srv.streams.Lookup(sessionID, 15)
+	if !ok {
+		t.Fatal("expected stream state to exist")
+	}
+	if streamRecord.TargetHost != "example.com" || streamRecord.TargetPort != 443 {
+		t.Fatalf("unexpected bound target: %+v", streamRecord)
+	}
+}
+
+func TestHandlePacketRejectsInvalidSocks5Syn(t *testing.T) {
+	codec, err := security.NewCodec(0, "")
+	if err != nil {
+		t.Fatalf("NewCodec returned error: %v", err)
+	}
+
+	srv := New(config.ServerConfig{
+		MaxPacketSize:     65535,
+		Domain:            []string{"a.com"},
+		MinVPNLabelLength: 3,
+	}, nil, codec)
+
+	initPayload := []byte{0, 0x00, 0x00, 0x96, 0x00, 0xC8, 0x10, 0x20, 0x30, 0x40}
+	initResponse := srv.handlePacket(buildTunnelQueryWithSessionID(t, codec, "a.com", 0, Enums.PACKET_SESSION_INIT, initPayload))
+	packet, err := DnsParser.ExtractVPNResponse(initResponse, false)
+	if err != nil {
+		t.Fatalf("ExtractVPNResponse returned error: %v", err)
+	}
+
+	_ = srv.handlePacket(buildTunnelStreamQuery(t, codec, "a.com", packet.Payload[0], packet.Payload[1], Enums.PACKET_STREAM_SYN, 16, 1, nil))
+	query := buildTunnelStreamQuery(t, codec, "a.com", packet.Payload[0], packet.Payload[1], Enums.PACKET_SOCKS5_SYN, 16, 2, []byte{0x09, 0x00, 0x35})
+	response := srv.handlePacket(query)
+	vpnResponse, err := DnsParser.ExtractVPNResponse(response, false)
+	if err != nil {
+		t.Fatalf("ExtractVPNResponse returned error: %v", err)
+	}
+	if vpnResponse.PacketType != Enums.PACKET_SOCKS5_ADDRESS_TYPE_UNSUPPORTED {
+		t.Fatalf("unexpected packet type: got=%d want=%d", vpnResponse.PacketType, Enums.PACKET_SOCKS5_ADDRESS_TYPE_UNSUPPORTED)
+	}
+}
+
 func TestSessionStoreExpiresReuseSignatureWithoutDroppingSession(t *testing.T) {
 	store := newSessionStore()
 	payload := []byte{1, 0x21, 0x00, 0x96, 0x00, 0xC8, 0x44, 0x33, 0x22, 0x11}

internal/udpserver/stream_state.go

@@ -18,6 +18,8 @@ type streamStateRecord struct {
 	SessionID      uint8
 	StreamID       uint16
 	State          uint8
+	TargetHost     string
+	TargetPort     uint16
 	CreatedAt      time.Time
 	LastActivityAt time.Time
 	LastSequence   uint16
@@ -60,6 +62,23 @@ func (s *streamStateStore) EnsureOpen(sessionID uint8, streamID uint16, now time
 	return cloneStreamStateRecord(record), true
 }
 
+func (s *streamStateStore) BindTarget(sessionID uint8, streamID uint16, host string, port uint16, now time.Time) (*streamStateRecord, bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	record := s.lookupLocked(sessionID, streamID)
+	if record == nil {
+		return nil, false
+	}
+	if record.TargetHost != "" && (record.TargetHost != host || record.TargetPort != port) {
+		return nil, false
+	}
+	record.TargetHost = host
+	record.TargetPort = port
+	record.LastActivityAt = now
+	return cloneStreamStateRecord(record), true
+}
+
 func (s *streamStateStore) Touch(sessionID uint8, streamID uint16, sequenceNum uint16, now time.Time) (*streamStateRecord, bool) {
 	s.mu.Lock()
 	defer s.mu.Unlock()