或许能考虑一下对acl的匹配逻辑优化一下？

[dev4u]

2021-11-17 00:18:46.535 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.534690198+08:00 DEBUG [32013:524853849344] [shadowsocks_service::local::dns::server] DNS lookup A android.clients.google.com.
2021-11-17 00:18:46.536 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.535003687+08:00 DEBUG [32013:524853849344] [shadowsocks_service::acl] Checking: android.clients.google.com., in wl, proxied
2021-11-17 00:18:46.536 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.535071187+08:00 DEBUG [32013:524853849344] [shadowsocks_service::local::loadbalancing::ping_balancer] size: 2, current index: 1, req_count: 34
2021-11-17 00:18:46.733 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.732917958+08:00 DEBUG [32013:524853849344] [shadowsocks_service::local::utils] established tcp tunnel 127.0.0.1:39496 <-> 142.250.189.170:443 through sever ####### (outbound: #######)
2021-11-17 00:18:46.813 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.808968687+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 172.217.6.46, is in proxy list? false
2021-11-17 00:18:46.814 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809125093+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 142.250.189.174, is in proxy list? false
2021-11-17 00:18:46.814 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809185145+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 142.250.191.78, is in proxy list? false
2021-11-17 00:18:46.814 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809241291+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 172.217.164.110, is in proxy list? false
2021-11-17 00:18:46.814 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809295249+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 216.58.195.78, is in proxy list? false
2021-11-17 00:18:46.814 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809349364+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 216.58.194.174, is in proxy list? false
2021-11-17 00:18:46.815 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809403322+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 142.250.189.238, is in proxy list? false
2021-11-17 00:18:46.815 31886-32015/com.github.shadowsocks E/libsslocal: 2021-11-17T00:18:46.809457281+08:00 DEBUG [32013:524855966976] [shadowsocks_service::acl] Checking: 172.217.5.110, is in proxy list? false

上述日志是rust收到代理请求后的处理逻辑：

1. rust收到用户请求的域名：android.clients.google.com
2. rust判断这个域名在proxy列表中
3. rust将域名的解析请求转发给远程服务器
4. 远程服务器解析到这个域名有8个对应的IP，并返回给rust
5. rust将这8个地址一个个匹配，看看是不是在proxy中（需要做8次的匹配操作）
6. rust判断后，8个地址都匹配不在proxy中
7. 最后结果是，rust将本次用户的请求，需要转发给远程服务器进行代理请求。

我没有统计过，其他用户有没有域名、ip地址分别是用不同的处理方式，而需要在acl中分别设定是byproxy？还是bypass？

虽说现在acl改成了SET方式，这比原先的正则要快不少。但是上面那8步还是有优化空间：实际情况，大多数只要做：A-B-G就可以。当然，其他的步骤也不是毫无用处，毕竟还是存在有需求的用户的。这里可以增加通过acl规则来设定，决定要不要对ip地址进行二次匹配。

这样的优化是否可行？有性能上的提高吗？

[zonyitoo]

The SET optimization is only work for domain name matching. It is unrelated for IP address matching. IP address matching is a lot faster.

All the steps are mandatory, if ACL file only have IP addresses, we have to resolve the domain name to IP addresses and then check if any of them are in the proxy list.

[dev4u]

嗯，多谢你的提醒。
我试了数种方式试图修改，结果都是没修改成功，我就猜应该是只读的数据。
或许用读写锁，可以平衡对性能的损耗。从实际情况来看，写操作只要分布在程序的启动之初，后面读比写更频繁。所以用读写锁，应该是正确的选择。

[madeye]

For any domain names in the proxy_list, I think it's okay to send the hostname directly to the remote server, without resolving it locally.

[madeye]

The only exception is that one domain is in proxy_list but its local resolved IPs are in the bypass_list.

But in shadowsocks' use cases, we can assume proxy_list always has a higher priority than bypass_list.

[dev4u]

@madeye
But in shadowsocks' use cases, we can assume proxy_list always has a higher priority than bypass_list.

我觉得这个不能一刀切，应该视乎用户当时选择的acl文件的默认规则是什么而定，bypass_all、proxy_all是相反的逻辑含义。
不知这样的想法，是否有偏差？

[madeye]

Right, so in the proxy_all mode, we can apply that assumption safely.

[Tigerfyj]

Hi zonyitoo,

I have a similar question about the local-dns. Assume I combine to use local-dns and redir. If a domain is in the proxy list, does the traffic of redir go through the proxy automatically? Or, do I have to put the domain's ip address in the proxy list manually?

Thanks for your help!

[zonyitoo]

Or, do I have to put the domain's ip address in the proxy list manually?

Yes.

[metercai]

It means the acl rules in --acl file be for local-dns only, the bypass ip set for local-redir in iptables should be set by another way.

Or, the acl rules in --acl file be for local-dns and local-redir both, the bypass ip set for local-redir will be from --acl file, rather than set another bypass ip set in iptables.

which one is true? thanks for your help!

[zonyitoo]

I just cannot understand what exactly are you talking about. Can you explain more about your question?

[metercai]

In short, I am not sure of ACL enabled scope. If redir is included, it means the long bypass IP list in ipset for transparent proxy is moved to unique ACL. It's right or not?

[zonyitoo]

They should work the same. ACL works for all local-* protocols.