VMess inbound: Optimize replay filter (#5562)

And https://github.com/XTLS/Xray-core/pull/5562#issuecomment-3765387903
This commit is contained in:
风扇滑翔翼
2026-01-28 02:34:46 +08:00
committed by GitHub
parent 077070dbe0
commit f6a7e93923
12 changed files with 84 additions and 160 deletions
-6
View File
@@ -1,6 +0,0 @@
package antireplay
type GeneralizedReplayFilter interface {
Interval() int64
Check(sum []byte) bool
}
+33
View File
@@ -0,0 +1,33 @@
package antireplay
import (
"bufio"
"crypto/rand"
"testing"
)
func BenchmarkMapFilter(b *testing.B) {
filter := NewMapFilter[[16]byte](120)
var sample [16]byte
reader := bufio.NewReader(rand.Reader)
reader.Read(sample[:])
b.ResetTimer()
for range b.N {
reader.Read(sample[:])
filter.Check(sample)
}
}
func TestMapFilter(t *testing.T) {
filter := NewMapFilter[[16]byte](120)
var sample [16]byte
rand.Read(sample[:])
filter.Check(sample)
if filter.Check(sample) {
t.Error("Unexpected true negative")
}
sample[0]++
if !filter.Check(sample) {
t.Error("Unexpected false positive")
}
}
-36
View File
@@ -1,36 +0,0 @@
package antireplay
import (
"sync"
ss_bloomring "github.com/v2fly/ss-bloomring"
)
type BloomRing struct {
*ss_bloomring.BloomRing
lock *sync.Mutex
}
func (b BloomRing) Interval() int64 {
return 9999999
}
func (b BloomRing) Check(sum []byte) bool {
b.lock.Lock()
defer b.lock.Unlock()
if b.Test(sum) {
return false
}
b.Add(sum)
return true
}
func NewBloomRing() BloomRing {
const (
DefaultSFCapacity = 1e6
// FalsePositiveRate
DefaultSFFPR = 1e-6
DefaultSFSlot = 10
)
return BloomRing{ss_bloomring.NewBloomRing(DefaultSFSlot, DefaultSFCapacity, DefaultSFFPR), &sync.Mutex{}}
}
+46
View File
@@ -0,0 +1,46 @@
package antireplay
import (
"sync"
"time"
)
// ReplayFilter checks for replay attacks.
type ReplayFilter[T comparable] struct {
lock sync.Mutex
poolA map[T]struct{}
poolB map[T]struct{}
interval time.Duration
lastClean time.Time
}
// NewMapFilter create a new filter with specifying the expiration time interval in seconds.
func NewMapFilter[T comparable](interval int64) *ReplayFilter[T] {
filter := &ReplayFilter[T]{
poolA: make(map[T]struct{}),
poolB: make(map[T]struct{}),
interval: time.Duration(interval) * time.Second,
lastClean: time.Now(),
}
return filter
}
// Check determines if there are duplicate records.
func (filter *ReplayFilter[T]) Check(sum T) bool {
filter.lock.Lock()
defer filter.lock.Unlock()
now := time.Now()
if now.Sub(filter.lastClean) >= filter.interval {
filter.poolB = filter.poolA
filter.poolA = make(map[T]struct{})
filter.lastClean = now
}
_, existsA := filter.poolA[sum]
_, existsB := filter.poolB[sum]
if !existsA && !existsB {
filter.poolA[sum] = struct{}{}
}
return !(existsA || existsB)
}
-58
View File
@@ -1,58 +0,0 @@
package antireplay
import (
"sync"
"time"
cuckoo "github.com/seiflotfy/cuckoofilter"
)
const replayFilterCapacity = 100000
// ReplayFilter checks for replay attacks.
type ReplayFilter struct {
lock sync.Mutex
poolA *cuckoo.Filter
poolB *cuckoo.Filter
poolSwap bool
lastSwap int64
interval int64
}
// NewReplayFilter create a new filter with specifying the expiration time interval in seconds.
func NewReplayFilter(interval int64) *ReplayFilter {
filter := &ReplayFilter{}
filter.interval = interval
return filter
}
// Interval in second for expiration time for duplicate records.
func (filter *ReplayFilter) Interval() int64 {
return filter.interval
}
// Check determines if there are duplicate records.
func (filter *ReplayFilter) Check(sum []byte) bool {
filter.lock.Lock()
defer filter.lock.Unlock()
now := time.Now().Unix()
if filter.lastSwap == 0 {
filter.lastSwap = now
filter.poolA = cuckoo.NewFilter(replayFilterCapacity)
filter.poolB = cuckoo.NewFilter(replayFilterCapacity)
}
elapsed := now - filter.lastSwap
if elapsed >= filter.Interval() {
if filter.poolSwap {
filter.poolA.Reset()
} else {
filter.poolB.Reset()
}
filter.poolSwap = !filter.poolSwap
filter.lastSwap = now
}
return filter.poolA.InsertUnique(sum) && filter.poolB.InsertUnique(sum)
}