这是indexloc提供的服务,不要输入任何密码
Skip to content

Add IPv6 blocking feature to prevent IP leaks from proxied applications #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

Add IPv6 blocking feature to prevent IP leaks from proxied applications #88

wants to merge 4 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Sep 4, 2025
edited
Loading

This PR implements IPv6 blocking functionality to address IP leakage issues where proxied applications inadvertently expose their real IPv6 addresses while IPv4 traffic is properly routed through the SOCKS proxy.

Problem

Users reported that applications like Discord would leak their real IPv6 addresses even when using ProxiFyre to proxy traffic. This occurred because:

  1. ProxiFyre only processed IPv4 packets (ETH_P_IP) in the packet filter
  2. IPv6 packets (ETH_P_IPV6) were allowed to pass through unprocessed
  3. Applications using both IPv4 and IPv6 would proxy IPv4 traffic but expose real IPv6 addresses

This created security issues and caused problems with services like Discord voice channels that rely on consistent IP addressing.

Solution

Added a new blockIPv6 configuration option that, when enabled, drops all IPv6 packets from proxied applications:

{
  "logLevel": "Info",
  "blockIPv6": true,
  "proxies": [...],
  "excludes": [...]
}

Implementation Details

Configuration Layer:

  • Added blockIPv6 property to ProxiFyreSettings class with JSON deserialization support
  • Fixed constructor-based JSON deserialization issues by converting to property-based classes

C++/CLI Interface:

  • Added SetIPv6Blocking(bool enabled) method to Socksifier class
  • Implemented method forwarding through the managed/unmanaged boundary

Core Packet Processing:

  • Modified packet filter callback in socks_local_router to detect IPv6 packets
  • Added atomic flag ipv6_blocking_enabled_ to track blocking state
  • IPv6 packets are now dropped when blocking is enabled, preventing IP leaks
  • IPv4 packet processing remains unchanged for normal proxy functionality

Filter Management:

  • Added helper methods add_ipv6_drop_filters() and remove_ipv6_drop_filters()
  • Integrated with existing static filter system for consistent packet handling

Testing

Created validation tests confirming the logic works correctly:

  • Without blocking: IPv4=PASS, IPv6=PASS (maintains current behavior)
  • With blocking: IPv4=PASS, IPv6=DROP (prevents leaks)

Usage

Users experiencing IPv6 leaks (like Discord voice channel issues) can now add "blockIPv6": true to their configuration. This will:

  • Maintain full IPv4 proxy functionality
  • Block IPv6 traffic from proxied applications
  • Prevent IP address leaks and associated connectivity issues

Example configuration and documentation have been added to guide users.

Fixes #65.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copy link
Contributor Author

Copilot AI commented Sep 4, 2025

@wiresock 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot AI and others added 3 commits September 4, 2025 11:11
@wiresock
Add IPv6 blocking feature implementation
7f801e0 
Co-authored-by: wiresock <20592735+wiresock@users.noreply.github.com>
@wiresock
Fix JSON deserialization and add documentation
7b21216 
Co-authored-by: wiresock <20592735+wiresock@users.noreply.github.com>
@wiresock
Complete IPv6 blocking implementation with testing validation
dbbbda8 
Co-authored-by: wiresock <20592735+wiresock@users.noreply.github.com>
Copilot AI changed the title [WIP] IPv6 is not proxied Add IPv6 blocking feature to prevent IP leaks from proxied applications Sep 4, 2025
Copilot AI requested a review from wiresock September 4, 2025 11:17
Copilot finished work on behalf of wiresock September 4, 2025 11:17
wiresock
wiresock requested changes Sep 5, 2025
View reviewed changes
Copy link
Owner

@wiresock wiresock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

blockIPv6 must be per-proxy, because different behavior might be needed for different apps

ProxiFyre/Program.cs
[JsonProperty("excludes", NullValueHandling = NullValueHandling.Ignore)]
public List<string> ExcludedList { get; }
[JsonProperty("blockIPv6", NullValueHandling = NullValueHandling.Ignore)]
public bool BlockIPv6 { get; set; } = false;
Copy link
Owner

@wiresock wiresock Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be per proxy, not a global one.

README.md
```json
{
"logLevel": "Error",
"blockIPv6": true,
Copy link
Owner

@wiresock wiresock Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be per proxy, not a global one

@wiresock wiresock closed this Sep 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wiresock wiresock wiresock requested changes

Assignees

@wiresock wiresock

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

IPv6 is not proxied

2 participants

@wiresock