Update On Mon Jul 7 20:39:19 CEST 2025

mieru/Makefile

@@ -32,7 +32,7 @@ PROJECT_NAME=$(shell basename "${ROOT}")
 # - pkg/version/current.go
 #
 # Use `tools/bump_version.sh` script to change all those files at one shot.
-VERSION="3.16.1"
+VERSION="3.16.2"
 
 # Build binaries and installation packages.
 .PHONY: build

mieru/build/package/mieru/amd64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mieru
-Version: 3.16.1
+Version: 3.16.2
 Section: net
 Priority: optional
 Architecture: amd64

mieru/build/package/mieru/amd64/rpm/mieru.spec

@@ -1,5 +1,5 @@
 Name: mieru
-Version: 3.16.1
+Version: 3.16.2
 Release: 1%{?dist}
 Summary: Mieru proxy client
 License: GPLv3+

mieru/build/package/mieru/arm64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mieru
-Version: 3.16.1
+Version: 3.16.2
 Section: net
 Priority: optional
 Architecture: arm64

mieru/build/package/mieru/arm64/rpm/mieru.spec

@@ -1,5 +1,5 @@
 Name: mieru
-Version: 3.16.1
+Version: 3.16.2
 Release: 1%{?dist}
 Summary: Mieru proxy client
 License: GPLv3+

mieru/build/package/mita/amd64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mita
-Version: 3.16.1
+Version: 3.16.2
 Section: net
 Priority: optional
 Architecture: amd64

mieru/build/package/mita/amd64/rpm/mita.spec

@@ -1,5 +1,5 @@
 Name: mita
-Version: 3.16.1
+Version: 3.16.2
 Release: 1%{?dist}
 Summary: Mieru proxy server
 License: GPLv3+

mieru/build/package/mita/arm64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mita
-Version: 3.16.1
+Version: 3.16.2
 Section: net
 Priority: optional
 Architecture: arm64

mieru/build/package/mita/arm64/rpm/mita.spec

@@ -1,5 +1,5 @@
 Name: mita
-Version: 3.16.1
+Version: 3.16.2
 Release: 1%{?dist}
 Summary: Mieru proxy server
 License: GPLv3+

mieru/docs/server-install.md

@@ -18,32 +18,32 @@ Or you can manually install and configure proxy server using the steps below.
 
 ```sh
 # Debian / Ubuntu - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita_3.16.1_amd64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita_3.16.2_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita_3.16.1_arm64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita_3.16.2_arm64.deb
 
 # RedHat / CentOS / Rocky Linux - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita-3.16.1-1.x86_64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita-3.16.2-1.x86_64.rpm
 
 # RedHat / CentOS / Rocky Linux - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita-3.16.1-1.aarch64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita-3.16.2-1.aarch64.rpm
 ```
 
 ## Install mita package
 
 ```sh
 # Debian / Ubuntu - X86_64
-sudo dpkg -i mita_3.16.1_amd64.deb
+sudo dpkg -i mita_3.16.2_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-sudo dpkg -i mita_3.16.1_arm64.deb
+sudo dpkg -i mita_3.16.2_arm64.deb
 
 # RedHat / CentOS / Rocky Linux - X86_64
-sudo rpm -Uvh --force mita-3.16.1-1.x86_64.rpm
+sudo rpm -Uvh --force mita-3.16.2-1.x86_64.rpm
 
 # RedHat / CentOS / Rocky Linux - ARM 64
-sudo rpm -Uvh --force mita-3.16.1-1.aarch64.rpm
+sudo rpm -Uvh --force mita-3.16.2-1.aarch64.rpm
 ```
 
 Those instructions can also be used to upgrade the version of mita software package.

mieru/docs/server-install.zh_CN.md

@@ -18,32 +18,32 @@ sudo python3 setup.py --lang=zh
 
 ```sh
 # Debian / Ubuntu - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita_3.16.1_amd64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita_3.16.2_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita_3.16.1_arm64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita_3.16.2_arm64.deb
 
 # RedHat / CentOS / Rocky Linux - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita-3.16.1-1.x86_64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita-3.16.2-1.x86_64.rpm
 
 # RedHat / CentOS / Rocky Linux - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.1/mita-3.16.1-1.aarch64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v3.16.2/mita-3.16.2-1.aarch64.rpm
 ```
 
 ## 安装 mita 软件包
 
 ```sh
 # Debian / Ubuntu - X86_64
-sudo dpkg -i mita_3.16.1_amd64.deb
+sudo dpkg -i mita_3.16.2_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-sudo dpkg -i mita_3.16.1_arm64.deb
+sudo dpkg -i mita_3.16.2_arm64.deb
 
 # RedHat / CentOS / Rocky Linux - X86_64
-sudo rpm -Uvh --force mita-3.16.1-1.x86_64.rpm
+sudo rpm -Uvh --force mita-3.16.2-1.x86_64.rpm
 
 # RedHat / CentOS / Rocky Linux - ARM 64
-sudo rpm -Uvh --force mita-3.16.1-1.aarch64.rpm
+sudo rpm -Uvh --force mita-3.16.2-1.aarch64.rpm
 ```
 
 上述指令也可以用来升级 mita 软件包的版本。

mieru/pkg/socks5/egress.go

@@ -30,6 +30,20 @@ var (
 	_ egress.Controller = (*Server)(nil)
 )
 
+var wellKnownIPv4LocalDomainNames = []string{
+	"localhost", // can be resolved to IPv6 address
+	"localhost4",
+	"localhost.localdomain", // can be resolved to IPv6 address
+	"localhost4.localdomain4",
+}
+
+var wellKnownIPv6LocalDomainNames = []string{
+	"localhost6",
+	"ip6-localhost",
+	"ip6-loopback",
+	"localhost6.localdomain6",
+}
+
 func (s *Server) FindAction(ctx context.Context, in egress.Input) egress.Action {
 	// DIRECT is used for all invalid inputs, such that they are handled by
 	// the subsequent logic.
@@ -77,15 +91,31 @@ func (s *Server) rejectPrivateAndLoopbackIPAction(ctx context.Context, in egress
 	} else if in.Data[3] == constant.Socks5FQDNAddress {
 		domainNameLength := int(in.Data[4])
 		domainName := string(in.Data[5 : 5+domainNameLength])
-		ips, err := s.config.Resolver.LookupIP(ctx, "ip", domainName)
-		if err != nil || len(ips) == 0 {
-			// Allow the connection here.
-			// The correct error is returned when server is processing the request.
+		// If we do a DNS lookup, we leak the destination domain name to the DNS server.
+		// For user privacy, we only check some well-known local domain names.
+		isWellKnownIPv4LocalDomainName := false
+		isWellKnownIPv6LocalDomainName := false
+		for _, d := range wellKnownIPv4LocalDomainNames {
+			if domainName == d {
+				isWellKnownIPv4LocalDomainName = true
+				break
+			}
+		}
+		for _, d := range wellKnownIPv6LocalDomainNames {
+			if domainName == d {
+				isWellKnownIPv6LocalDomainName = true
+				break
+			}
+		}
+		if isWellKnownIPv4LocalDomainName {
+			ip = net.ParseIP("127.0.0.1")
+		} else if isWellKnownIPv6LocalDomainName {
+			ip = net.ParseIP("::1")
+		} else {
 			return egress.Action{
 				Action: appctlpb.EgressAction_DIRECT,
 			}
 		}
-		ip = ips[0]
 	}
 
 	if !ip.IsPrivate() && !ip.IsLoopback() {
@@ -105,6 +135,7 @@ func (s *Server) rejectPrivateAndLoopbackIPAction(ctx context.Context, in egress
 	userName, ok := in.Env["user"]
 	if !ok || userName == "" {
 		// User name is unknown.
+		// By default, we reject the request.
 		return egress.Action{
 			Action: appctlpb.EgressAction_REJECT,
 		}
@@ -112,6 +143,7 @@ func (s *Server) rejectPrivateAndLoopbackIPAction(ctx context.Context, in egress
 	user, ok := s.config.Users[userName]
 	if !ok {
 		// User is not registered.
+		// By default, we reject the request.
 		return egress.Action{
 			Action: appctlpb.EgressAction_REJECT,
 		}

mieru/pkg/socks5/request.go

@@ -14,6 +14,7 @@ import (
 	apicommon "github.com/enfein/mieru/v3/apis/common"
 	"github.com/enfein/mieru/v3/apis/constant"
 	"github.com/enfein/mieru/v3/apis/model"
+	"github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
 	"github.com/enfein/mieru/v3/pkg/common"
 	"github.com/enfein/mieru/v3/pkg/log"
 	"github.com/enfein/mieru/v3/pkg/stderror"
@@ -354,6 +355,27 @@ func (s *Server) handleAssociate(_ context.Context, _ *Request, conn net.Conn) e
 	return udpErr.Load().(error)
 }
 
+func (s *Server) handleForwarding(req *Request, conn net.Conn, proxy *appctlpb.EgressProxy) error {
+	forwardHost := proxy.GetHost()
+	forwardPort := proxy.GetPort()
+	proxyConn, err := net.Dial("tcp", common.MaybeDecorateIPv6(forwardHost)+":"+strconv.Itoa(int(forwardPort)))
+	if err != nil {
+		HandshakeErrors.Add(1)
+		return fmt.Errorf("dial to egress proxy failed: %w", err)
+	}
+
+	if err := s.dialWithAuthentication(proxyConn, proxy.GetSocks5Authentication()); err != nil {
+		return err
+	}
+
+	if _, err := proxyConn.Write(req.Raw); err != nil {
+		HandshakeErrors.Add(1)
+		proxyConn.Close()
+		return fmt.Errorf("failed to write socks5 request to egress proxy: %w", err)
+	}
+	return common.BidiCopy(conn, proxyConn)
+}
+
 // proxySocks5AuthReq transfers the socks5 authentication request and response
 // between socks5 client and server.
 func (s *Server) proxySocks5AuthReq(conn, proxyConn net.Conn) error {

mieru/pkg/socks5/socks5.go

@@ -292,24 +292,3 @@ func (s *Server) serverServeConn(conn net.Conn) error {
 	}
 	return nil
 }
-
-func (s *Server) handleForwarding(req *Request, conn net.Conn, proxy *appctlpb.EgressProxy) error {
-	forwardHost := proxy.GetHost()
-	forwardPort := proxy.GetPort()
-	proxyConn, err := net.Dial("tcp", common.MaybeDecorateIPv6(forwardHost)+":"+strconv.Itoa(int(forwardPort)))
-	if err != nil {
-		HandshakeErrors.Add(1)
-		return fmt.Errorf("dial to egress proxy failed: %w", err)
-	}
-
-	if err := s.dialWithAuthentication(proxyConn, proxy.GetSocks5Authentication()); err != nil {
-		return err
-	}
-
-	if _, err := proxyConn.Write(req.Raw); err != nil {
-		HandshakeErrors.Add(1)
-		proxyConn.Close()
-		return fmt.Errorf("failed to write socks5 request to egress proxy: %w", err)
-	}
-	return common.BidiCopy(conn, proxyConn)
-}

mieru/pkg/version/current.go

@@ -16,5 +16,5 @@
 package version
 
 const (
-	AppVersion = "3.16.1"
+	AppVersion = "3.16.2"
 )