From 844b25cbb017505477dfca0ce825df2b0ab78d55 Mon Sep 17 00:00:00 2001
From: zfl9
Date: Tue, 6 Jun 2023 10:57:30 +0800
Subject: [PATCH] fix #224 #237 #239
---
 gfwlist.ext | 3 +++
 ss-tproxy | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++
 ss-tproxy.conf | 1 +
 3 files changed, 60 insertions(+)
diff --git a/gfwlist.ext b/gfwlist.ext
index def48cb3..81c211df 100644
--- a/gfwlist.ext
+++ b/gfwlist.ext
@@ -23,3 +23,6 @@
 # Telegram IPv6
 ~2001:67c:4e8::/48
 ~2001:0b28:f23d::/48
+
+# Google Play 问题
+@googleapis.cn
diff --git a/ss-tproxy b/ss-tproxy
index 288bcc8b..6c791e36 100755
--- a/ss-tproxy
+++ b/ss-tproxy
@@ -208,6 +208,17 @@ is_proxy_other() {
 is_false "$selfonly"
 }
+is_drop_quic() {
+ case "$ipts_drop_quic" in
+ tcponly)
+ ! is_enabled_udp;;
+ always)
+ true;;
+ *)
+ false;;
+ esac
+}
+
 is_enabled_ipv4() {
 is_true "$ipv4"
 }
@@ -499,6 +510,7 @@ start_chinadns() {
 if is_gfwlist_mode; then
 sstp_pid_chinadns=$(
+ trap "" CHLD # 避免bash变为僵尸进程
 chinadns-ng \
 $args \
 -g gfwlist.txt,<(list_ext_domain gfwlist.ext) \
@@ -509,6 +521,7 @@ start_chinadns() {
 )
 else # chnroute
 sstp_pid_chinadns=$(
+ trap "" CHLD # 避免bash变为僵尸进程
 chinadns-ng \
 $args \
 -g gfwlist.txt,<(list_ext_domain gfwlist.ext) \
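Review bot: In `is_drop_quic`, every value of `ipts_drop_quic` other than `tcponly` and `always` falls through to `false`, so a misspelled setting silently disables the QUIC drop, while the conf comment documents only the empty string as "do not drop". I would give the empty string its own arm and make the catch-all report the bad value, e.g. `'') false;;` followed by `*) echo "invalid ipts_drop_quic: '$ipts_drop_quic'" >&2; false;;` (or the script's own error helper, if it has one — that is outside the hunk). A one-line comment above the function, `# tcponly: drop QUIC only while UDP is not proxied, so clients fall back to TCP`, would also make the `! is_enabled_udp` coupling visible at the definition.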
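Review bot: The `trap "" CHLD` line added inside the `sstp_pid_chinadns=$( ... )` substitution is explained only by a terse comment ("avoid bash becoming a zombie process"), and the same line is added again in the chnroute branch in the next hunk (`@@ -509,6 +521,7 @@`). Setting SIGCHLD to ignore in that subshell changes how its children are reaped and leaves `wait` unable to report their status, so the comment should state the mechanism, e.g. `# Ignore SIGCHLD in this subshell so the chinadns-ng child is reaped automatically and, per the original note, the $( ) shell does not linger as a zombie` — presumably that is the intent, since the tail of the substitution (how chinadns-ng is backgrounded and its pid printed) is outside the hunk. Since both branches now begin with the same preamble, a small helper wrapping the substitution would avoid the duplication; `start_chinadns` continues outside both hunks.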
@@ -801,6 +814,45 @@ create_sstp_rule() {
 fi
 }
+# mangle表 OUTPUT/PREROUTING -p udp --dport 443
+drop_quic() {
+ $1 -t mangle -N SSTP_QUIC
+
+ if is_global_mode; then
+ $1 -t mangle -A SSTP_QUIC \
+ -m set ! --match-set $white_setname dst \
+ -j DROP
+ elif is_gfwlist_mode; then
+ $1 -t mangle -A SSTP_QUIC \
+ -m set --match-set $black_setname dst \
+ -j DROP
+ elif is_chnroute_mode; then
+ # 放行白名单ip (若该ip同时也位于黑名单,则不放行)
+ $1 -t $table -A SSTP_QUIC \
+ -m set --match-set $white_setname dst \
+ -m set ! --match-set $black_setname dst \
+ -j RETURN
+ $1 -t $table -A SSTP_QUIC \
+ -j DROP
+ fi
+
+ $1 -t mangle -A SSTP_OUTPUT \
+ -p udp \
+ -m udp --dport 443 \
+ -m conntrack --ctdir ORIGINAL \
+ -m addrtype ! --dst-type LOCAL \
+ -m owner ! --gid-owner $proxy_procgroup \
+ -j SSTP_QUIC
+
+ is_proxy_other &&
+ $1 -t mangle -A SSTP_PREROUTING \
+ -p udp \
+ -m udp --dport 443 \
+ -m conntrack --ctdir ORIGINAL \
+ -m addrtype ! --dst-type LOCAL \
+ -j SSTP_QUIC
+}
+
 # mangle表 OUTPUT/PREROUTING
 do_proxy_tproxy() {
 local tcp=$(is_tcp_tproxy && echo 1 || echo 0)
@@ -964,6 +1016,10 @@ _start_iptables() {
 local loopback_addr loopback_addrx white_setname black_setname
 init_iptables_param $1
+ if is_drop_quic; then
+ drop_quic $1
+ fi
+
 if is_tcp_tproxy; then
 start_iptables_tproxy $1
 else
diff --git a/ss-tproxy.conf b/ss-tproxy.conf
index a5756a7c..f4372608 100644
--- a/ss-tproxy.conf
+++ b/ss-tproxy.conf
@@ -137,6 +137,7 @@ ipts_set_snat6='false' # 设置 ipv6 MASQUERADE(SNAT) 规则,self
 ipts_reddns_onstop='223.5.5.5#53' # stop后重定向内网主机发来的dns至指定dns,selfonly=false 时有效,详见 README
 ipts_reddns6_onstop='240C::6666#53' # stop后重定向内网主机发来的dns至指定dns,selfonly=false 时有效,详见 README
 ipts_proxy_dst_port='' # 要代理哪些端口,留空表示全部,多个逗号隔开,冒号表示范围(含边界),详见 README
+ipts_drop_quic='tcponly' # 丢弃发往"黑名单"的QUIC: 留空:不丢弃 | tcponly:tcponly时丢弃 | always:总是丢弃
 ## opts
 opts_ss_netstat='auto' # auto/ss/netstat,用哪个端口检测工具: auto(自动选择,优先考虑ss) | ss | netstat
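Review bot: In `drop_quic`, the chnroute branch appends its two rules with `-t $table` while the chain was created with `$1 -t mangle -N SSTP_QUIC` and every other branch uses `-t mangle`; `$table` is not declared in this function, so those rules land in whatever table the variable holds at call time, or the command fails with an empty `-t` argument, and either way QUIC is not dropped in chnroute mode. Both lines should read `$1 -t mangle -A SSTP_QUIC \`. Two things to confirm outside the diff: `_start_iptables` (hunk `@@ -964`) calls `drop_quic $1` before `start_iptables_tproxy`, so `SSTP_OUTPUT` and `SSTP_PREROUTING` must already exist at that point or the `-A` calls fail, and the stop path must flush and delete `SSTP_QUIC`, which is fine only if stop removes `SSTP_*` chains generically since no cleanup change is in this patch. A short header comment stating the policy, `# Drop client QUIC (UDP/443) to destinations that would otherwise be proxied, so clients fall back to TCP; the proxy's own gid and local destinations are exempt`, would document why the owner and addrtype matches are there.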