Skip to content

ProxiFyre-v2.3.0

Latest

Choose a tag to compare

@wiresock wiresock released this 13 Jul 19:27
6ea08c4

ProxiFyre 2.3.0

ProxiFyre 2.3.0 adds IPv6 destination proxying and significantly improves SOCKS5 UDP reliability for QUIC/HTTP3 traffic. It also includes a broad stability, concurrency, configuration, and release-pipeline hardening pass over 2.2.1.

Highlights

IPv6 and address-family routing

  • ProxiFyre now redirects both IPv4 and IPv6 TCP/UDP destinations for matched applications (#144, #155).
  • Each proxy can declare supportedAddressFamilies with "IPv4", "IPv6", or both. Unsupported destination families are blocked instead of leaking directly or entering a SOCKS path that cannot complete, allowing browsers to fall back to IPv4 when a proxy cannot relay IPv6.
  • IPv6 routing now consistently uses an IPv4 upstream transport to the SOCKS5 endpoint and handles IPv4-mapped destinations, LAN bypass ranges, deferred packets, and asynchronous TCP connect failures safely.
  • bypassLan now covers IPv6 loopback, link-local, unique-local, multicast, and the corresponding IPv4-mapped local ranges.

QUIC and SOCKS5 UDP reliability

  • UDP ASSOCIATE setup no longer stalls packet reception during request bursts. Associations are negotiated by parallel workers while ordered, bounded first-flight queues preserve packets that arrive before setup completes (#155).
  • Dynamic SOCKS5 UDP relay endpoints are bypassed by proxy address, so relay ports returned by the server are not accidentally intercepted and recirculated.
  • Source-port authorization and PASS-filter installation are transactional, and failed UDP receive re-arms are recovered by the maintenance thread.
  • UDP receive loops ignore spurious ICMP reset notifications, reject malformed or zero-length relay datagrams safely, and use valid IPv4/IPv6 checksum handling.

Reliability and security hardening

  • Fixed a heap-corrupting race in the shared packet-buffer pool and hardened process attribution for dual-stack sockets (#148).
  • Reworked TCP and UDP overlapped-I/O lifetime tracking so shutdown, reconnect, and failed setup paths drain callbacks before releasing sockets (#145, #147).
  • Hardened SOCKS5 framing, authentication, negotiation timeouts, packet bounds checks, service startup, router reconfiguration, and graceful TCP teardown (#142, #144, #148).
  • Static-analysis findings were resolved, and packet/proxy helpers received a broad cleanup pass (#149, #154).
  • Interactive packet redirection now requires administrator privileges and fails early with actionable guidance when unelevated.

Configuration behavior

  • Restored "appNames": [""] as the catch-all for every non-excluded process; a catch-all proxy should be listed last (#150).
  • Non-empty appNames entries use anchored executable-name matching. For example, firefox matches firefox.exe, but not NewFirefox.exe. Entries containing a path separator continue to match path substrings (#151).
  • excludes remain permissive substring-based bypass rules, while empty exclude entries are ignored (#153).
  • Missing, malformed, empty, or partial configurations now produce clearer validation and startup errors.

Release engineering

  • socksify.dll now reports the 2.3.x assembly version.
  • Release publication is blocked unless x86, x64, and ARM64 builds all succeed.
  • The release-signing script validates and signs both ProxiFyre.exe and socksify.dll (#153).

Requirements and known limitations

  • The client must already have working IPv6 connectivity. ProxiFyre redirects IPv6 packets emitted by applications; it does not create IPv6 reachability.
  • The SOCKS5 server endpoint must be IPv4, either an IPv4 literal or a hostname with an A record. IPv6-only proxy endpoints are not supported.
  • To relay IPv6 destinations, the SOCKS5 server must accept IPv6 target addresses (ATYP=4). Configure supportedAddressFamilies to match the server's capabilities.
  • Fragmented IPv6 datagrams are passed through unproxied to avoid corrupting partially rewritten packets. A one-time warning is logged. TCP and normal PMTU-aware QUIC traffic are unaffected.
  • Credentials previously committed in app-config.json should be rotated; the live configuration and copied binaries are now ignored, and app-config.sample.json is provided instead.

Full changelog: v2.2.1...v2.3.0