
Decrease or completely remove Shadowsocks SIP003 plugin support #314

@dyhkwong

Description

Shadowsocks Android introduced a significant change recently. As the method of excluding the traffic sent by a plugin from the VPN, Shadowsocks Android removed the support for protect in favor of excluding the Shadowsocks Android app itself from the VPN.

However, Shadowsocks Android is not the only Android SIP003 implementation. For userspace TUN-to-L4 stacks (e.g. LwIP, gVisor and smoltcp), excluding the app itself from the VPN does work. The popular "twice NAT" (also known as "system stack") mechanism requires the app to listen on a TCP socket at the TUN address, so it is not possible to exclude the app itself from the VPN. Even with a userspace TUN-to-L4 stack, it is a significant problem if the app itself needs to send network requests through the VPN.

Although SIP003 is a public specification, it has never mentioned the additional requirements of an Android plugin (-V--android_vpn= and protect_path, an IPC protocol based on a Unix Domain Socket, where the plugin passes the connection fd to Shadowsocks and Shadowsocks invokes protect).
In the future, it will not be a MUST for an Android SIP003 plugin to implement protect, as a plugin without protect support will work on newer Shadowsocks Android. Some plugin developers have also stated that they will not support protect.
However, newly developed plugins without protect support, and updated plugins that have removed protect support, will not work under the "system stack" for us.

Considered options (one of them):

  • When using a SIP003 plugin, force the gVisor stack to be used. To reduce complexity, the NaiveProxy plugin and the browser forwarder will also be forced to use the gVisor stack if this option is implemented.
  • Completely remove Shadowsocks SIP003 plugin support. The internal simple-obfs and v2ray-plugin implementations are not affected.

Shadowsocks Android recently introduced a major change. As the method for letting plugin traffic bypass the VPN, Shadowsocks Android removed the plugin's protect support in favor of having the Shadowsocks Android app itself bypass the VPN.

However, Shadowsocks Android is not the only Android SIP003 implementation. For userspace TUN-to-L4 stacks (e.g. LwIP, gVisor, smoltcp), having the app itself bypass the VPN does work. The popular so-called "twice NAT" or "system stack" method requires the app to listen on a TCP socket at the TUN address, so having the app itself bypass the VPN is impossible. Even when a userspace TUN-to-L4 stack lets the proxy app itself bypass the VPN, it is a big problem if the app itself needs to send network requests through the VPN.

Although SIP003 is a public specification, it has never mentioned the additional requirements of an Android plugin (-V--android_vpn= and protect_path, an IPC protocol based on a Unix Domain Socket, where the plugin passes the connection's fd to Shadowsocks and Shadowsocks calls protect). In the future, implementing protect will not be required for an Android SIP003 plugin, because a plugin without protect will also work on newer Shadowsocks Android. Some plugin developers have already stated that they will not support protect. However, for us, newly appearing plugins without protect support and updated plugins that have removed protect support will not work under the "system stack".

Considered options (one of them):

  • When using a SIP003 plugin, force the gVisor stack to be used. To reduce complexity, if this option is implemented, the NaiveProxy plugin and the browser forwarder will also be forced to use the gVisor stack.
  • Completely remove Shadowsocks SIP003 plugin support. The built-in simple-obfs and v2ray-plugin implementations are not affected.
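To make the protect_path mechanism mentioned above concrete, here is an added example (not code from Shadowsocks Android, shadowsocks-libev or any plugin) of the fd-passing IPC it relies on: the plugin hands a connected socket's fd over a Unix domain socket with SCM_RIGHTS, and the receiving side acts on that same underlying socket before answering. The one-byte request/status framing, the socket path and the use of SO_KEEPALIVE as a stand-in for VpnService.protect() (which only exists on Android) are assumptions made for this demo.

```python
import array
import os
import socket
import tempfile
import threading

def protect_server(path, ready):
    """Stand-in for the Shadowsocks side: receive one fd over the Unix socket,
    act on the underlying socket (SO_KEEPALIVE here replaces protect(), an
    assumption for this demo), then reply with one status byte (0 = ok)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with srv, conn:
        fds = array.array("i")
        # Ask for ancillary space for exactly one int-sized descriptor.
        _, ancdata, _, _ = conn.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
        for level, ctype, data in ancdata:
            if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
                fds.frombytes(data[:len(data) - len(data) % fds.itemsize])
        if not fds:
            conn.send(b"\x01")  # no descriptor arrived: report failure
            return
        received = socket.socket(fileno=fds[0])  # same socket, new fd
        received.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        received.close()  # closes only our duplicate fd, not the plugin's
        conn.send(b"\x00")

def protect_socket(path, sock):
    """Plugin side: pass sock's fd to the server; True if it reported success."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        rights = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [sock.fileno()]))
        cli.sendmsg([b"\x00"], [rights])
        return cli.recv(1) == b"\x00"

def demo():
    """Returns (keepalive before, protect result, keepalive after)."""
    path = os.path.join(tempfile.mkdtemp(), "protect_path")  # constructed path
    ready = threading.Event()
    t = threading.Thread(target=protect_server, args=(path, ready), daemon=True)
    t.start()
    ready.wait()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    before = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    ok = protect_socket(path, sock)
    t.join()
    after = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    sock.close()
    return before, ok, after
```

The option change made by the receiver is visible on the plugin's original socket, which is exactly why a plugin that never performs this handshake leaves its socket un-protected on the Shadowsocks side.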
