refactor: unify local proxy handling across run modes

Author: whalechoi

app/src/main/kotlin/app/AppState.kt

@@ -92,7 +92,6 @@ data class AppState(
 
     val transparentProxyPort: String = DefaultTproxyPort.toString(),
     val enableRootBootScript: Boolean = false,
-    val enableSocks5Proxy: Boolean = false,
     val socks5ProxyPort: String = DefaultTun2SocksProxyPort.toString(),
     val enableHttpProxy: Boolean = false,
     val httpProxyPort: String = DefaultRootHttpProxyPort.toString(),

app/src/main/kotlin/app/effects/RootBootScriptSynchronizer.kt

@@ -9,6 +9,7 @@ import app.AppState
 import app.modes.RunModeTproxy
 import app.modes.RunModeTun2Socks
 import data.AndroidAppStateStore
+import engine.proxy.withResolvedDynamicLocalProxyPort
 import features.logs.AndroidAppLogger
 import features.proxy.server.model.ProxyServer
 import features.routing.model.RouteRule
@@ -29,7 +30,13 @@ internal fun RootBootScriptSynchronizer(
             .distinctUntilChanged { previous, next -> previous.signature == next.signature }
             .conflate()
             .collect { refresh ->
-                val state = refresh.appState
+                val state = refresh.appState.withResolvedDynamicLocalProxyPort()
+                if (state != refresh.appState) {
+                    stateStore.update { currentState ->
+                        if (currentState == refresh.appState) state else currentState
+                    }
+                    return@collect
+                }
                 if (!state.enableRootBootScript || (state.runMode != RunModeTproxy && state.runMode != RunModeTun2Socks)) {
                     return@collect
                 }
@@ -87,8 +94,12 @@ private data class RootBootScriptSignature(
     val directDnsDomains: List<String>,
     val enableDirectDnsForProxyServerDomains: Boolean,
     val dnsHosts: List<String>,
+    val localProxyPort: String,
+    val enableDynamicLocalProxyPort: Boolean,
+    val localProxyListenAllInterfaces: Boolean,
+    val localProxyUsername: String,
+    val localProxyPassword: String,
     val transparentProxyPort: String,
-    val enableSocks5Proxy: Boolean,
     val socks5ProxyPort: String,
     val enableHttpProxy: Boolean,
     val httpProxyPort: String,
@@ -143,8 +154,12 @@ private fun AppState.toRootBootScriptRefresh(): RootBootScriptRefresh {
             directDnsDomains = directDnsDomains,
             enableDirectDnsForProxyServerDomains = enableDirectDnsForProxyServerDomains,
             dnsHosts = dnsHosts,
+            localProxyPort = localProxyPort,
+            enableDynamicLocalProxyPort = enableDynamicLocalProxyPort,
+            localProxyListenAllInterfaces = localProxyListenAllInterfaces,
+            localProxyUsername = localProxyUsername,
+            localProxyPassword = localProxyPassword,
             transparentProxyPort = transparentProxyPort,
-            enableSocks5Proxy = enableSocks5Proxy,
             socks5ProxyPort = socks5ProxyPort,
             enableHttpProxy = enableHttpProxy,
             httpProxyPort = httpProxyPort,

app/src/main/kotlin/data/AppSettingsPreferences.kt

@@ -133,7 +133,6 @@ internal class AppSettingsPreferences(
                 KeyEnableRootBootScript,
                 defaults.enableRootBootScript,
             ),
-            enableSocks5Proxy = preferences.getBoolean(KeyEnableSocks5Proxy, defaults.enableSocks5Proxy),
             socks5ProxyPort = preferences.getString(
                 KeySocks5ProxyPort,
                 defaults.socks5ProxyPort,
@@ -203,7 +202,6 @@ internal class AppSettingsPreferences(
             .putStringList(KeyDnsHosts, state.dnsHosts)
             .putString(KeyTransparentProxyPort, state.transparentProxyPort)
             .putBoolean(KeyEnableRootBootScript, state.enableRootBootScript)
-            .putBoolean(KeyEnableSocks5Proxy, state.enableSocks5Proxy)
             .putString(KeySocks5ProxyPort, state.socks5ProxyPort)
             .putBoolean(KeyEnableHttpProxy, state.enableHttpProxy)
             .putString(KeyHttpProxyPort, state.httpProxyPort)
@@ -291,7 +289,6 @@ private const val KeyEnableDirectDnsForProxyServerDomains = "enable_direct_dns_f
 private const val KeyDnsHosts = "dns_hosts"
 private const val KeyTransparentProxyPort = "transparent_proxy_port"
 private const val KeyEnableRootBootScript = "enable_root_boot_script"
-private const val KeyEnableSocks5Proxy = "enable_socks5_proxy"
 private const val KeySocks5ProxyPort = "socks5_proxy_port"
 private const val KeyEnableHttpProxy = "enable_http_proxy"
 private const val KeyHttpProxyPort = "http_proxy_port"

app/src/main/kotlin/engine/proxy/AndroidProxyEngine.kt

@@ -74,17 +74,18 @@ class AndroidProxyEngine(
     }
 
     private suspend fun startUnlocked(request: ProxyEngineStartRequest): ProxyEngineStatus = withContext(Dispatchers.Default) {
-        val nextEngine = when (request.appState.runMode) {
+        val resolvedRequest = request.copy(appState = request.appState.withResolvedDynamicLocalProxyPort())
+        val nextEngine = when (resolvedRequest.appState.runMode) {
             RunModeTproxy -> tproxyEngine
             RunModeTun2Socks -> tun2SocksEngine
             else -> vpnXrayEngine
         }
-        val currentEngine = activeEngine ?: findEngineToStop(request.appState.runMode)
+        val currentEngine = activeEngine ?: findEngineToStop(resolvedRequest.appState.runMode)
         if (currentEngine != null && currentEngine !== nextEngine) {
             currentEngine.stop()
         }
         activeEngine = nextEngine
-        nextEngine.start(request)
+        nextEngine.start(resolvedRequest).copy(appState = resolvedRequest.appState)
     }
 
     private suspend fun stopUnlocked(preferredRunMode: Int? = null): ProxyEngineStatus = withContext(Dispatchers.Default) {

app/src/main/kotlin/engine/proxy/LocalProxyConfig.kt

@@ -0,0 +1,182 @@
+// Copyright 2026, AsteriskNG contributors
+// SPDX-License-Identifier: GPL-3.0
+
+package engine.proxy
+
+import app.AppState
+import app.effectiveFakeDnsEnabled
+import app.modes.RunModeTun2Socks
+import app.modes.RunModeTproxy
+import engine.network.NetworkDefaults
+import engine.network.toPortOrNull
+import engine.tproxy.DefaultTproxyPort
+import engine.tun2socks.DefaultTun2SocksProxyPort
+import engine.vpn.VpnDefaults
+import engine.xray.XrayProtocols
+import engine.xray.toJsonStringArray
+import engine.xray.xraySniffingDestOverrides
+import java.net.InetAddress
+import java.net.ServerSocket
+import java.util.concurrent.atomic.AtomicReference
+import kotlinx.serialization.json.JsonObject
+import kotlinx.serialization.json.buildJsonArray
+import kotlinx.serialization.json.buildJsonObject
+import kotlinx.serialization.json.put
+
+internal const val LocalProxyLoopbackAddress = NetworkDefaults.IPV4_LOOPBACK_ADDRESS
+private const val LocalProxyAllInterfacesAddress = NetworkDefaults.IPV4_ANY_ADDRESS
+
+internal data class LocalProxyOptions(
+    val listenAddress: String,
+    val port: Int,
+    val username: String,
+    val password: String,
+)
+
+internal object LocalProxyRuntime {
+    private val currentOptions = AtomicReference<LocalProxyOptions?>()
+
+    fun update(options: LocalProxyOptions) {
+        currentOptions.set(options)
+    }
+
+    fun clear() {
+        currentOptions.set(null)
+    }
+
+    fun current(): LocalProxyOptions? {
+        return currentOptions.get()
+    }
+}
+
+internal fun AppState.withResolvedDynamicLocalProxyPort(): AppState {
+    if (!enableDynamicLocalProxyPort) return this
+
+    val configuredPort = localProxyPort.toPortOrNull()
+    val listenAddress = localProxyListenAddress()
+    val excludedPorts = localProxyExcludedPorts()
+    val currentOptions = LocalProxyRuntime.current()
+    val canKeepConfiguredPort = configuredPort != null &&
+        configuredPort !in excludedPorts &&
+        (
+            isPortAvailable(listenAddress, configuredPort) ||
+                currentOptions?.matches(listenAddress, configuredPort) == true
+            )
+    val resolvedPort = when {
+        canKeepConfiguredPort -> configuredPort
+        else -> availablePort(listenAddress, excludedPorts) ?: configuredPort ?: VpnDefaults.LOCAL_PROXY_PORT
+    }
+    val resolvedPortText = resolvedPort.toString()
+    return if (localProxyPort == resolvedPortText) this else copy(localProxyPort = resolvedPortText)
+}
+
+internal fun AppState.toLocalProxyOptions(): LocalProxyOptions {
+    return LocalProxyOptions(
+        listenAddress = localProxyListenAddress(),
+        port = localProxyPort.toPortOrNull() ?: VpnDefaults.LOCAL_PROXY_PORT,
+        username = localProxyUsername.trim(),
+        password = localProxyPassword,
+    )
+}
+
+internal fun buildLocalSocksInbound(
+    appState: AppState,
+    tag: String,
+    options: LocalProxyOptions,
+): JsonObject {
+    return buildJsonObject {
+        put("tag", tag)
+        put("listen", options.listenAddress)
+        put("port", options.port)
+        put("protocol", XrayProtocols.SOCKS)
+        put("settings", options.toSocksInboundSettings())
+        put(
+            "sniffing",
+            buildJsonObject {
+                put("enabled", appState.enableSniffing)
+                put("destOverride", xraySniffingDestOverrides(appState.effectiveFakeDnsEnabled).toJsonStringArray())
+                put("routeOnly", appState.enableSniffingRouteOnly)
+            },
+        )
+    }
+}
+
+private fun AppState.localProxyListenAddress(): String {
+    return if (localProxyListenAllInterfaces) {
+        LocalProxyAllInterfacesAddress
+    } else {
+        LocalProxyLoopbackAddress
+    }
+}
+
+private fun AppState.localProxyExcludedPorts(): Set<Int> {
+    return buildSet {
+        if (runMode == RunModeTproxy) {
+            add(transparentProxyPort.toPortOrNull() ?: DefaultTproxyPort)
+        }
+        if (runMode == RunModeTun2Socks) {
+            add(socks5ProxyPort.toPortOrNull() ?: DefaultTun2SocksProxyPort)
+        }
+        if (enableHttpProxy) {
+            httpProxyPort.toPortOrNull()?.let(::add)
+        }
+    }
+}
+
+private fun LocalProxyOptions.matches(listenAddress: String, port: Int): Boolean {
+    return this.port == port &&
+        (
+            this.listenAddress == listenAddress ||
+                this.listenAddress == LocalProxyAllInterfacesAddress &&
+                listenAddress == LocalProxyLoopbackAddress
+            )
+}
+
+private fun LocalProxyOptions.toSocksInboundSettings(): JsonObject {
+    return buildJsonObject {
+        put("auth", if (username.isBlank()) "noauth" else "password")
+        put("udp", true)
+        put("userLevel", 0)
+        if (listenAddress == LocalProxyLoopbackAddress) {
+            put("ip", LocalProxyLoopbackAddress)
+        }
+        if (username.isNotBlank()) {
+            put(
+                "users",
+                buildJsonArray {
+                    add(
+                        buildJsonObject {
+                            put("user", username)
+                            put("pass", password)
+                        },
+                    )
+                },
+            )
+        }
+    }
+}
+
+internal fun availablePort(
+    listenAddress: String,
+    excludedPorts: Set<Int> = emptySet(),
+): Int? {
+    return runCatching {
+        repeat(10) {
+            ServerSocket(0, 0, InetAddress.getByName(listenAddress)).use { socket ->
+                if (socket.localPort !in excludedPorts) {
+                    return@runCatching socket.localPort
+                }
+            }
+        }
+        null
+    }.getOrNull()
+}
+
+private fun isPortAvailable(
+    listenAddress: String,
+    port: Int,
+): Boolean {
+    return runCatching {
+        ServerSocket(port, 0, InetAddress.getByName(listenAddress)).use { }
+    }.isSuccess
+}

app/src/main/kotlin/engine/proxy/ProxyEngineModels.kt

@@ -14,4 +14,5 @@ data class ProxyEngineStartRequest(
 data class ProxyEngineStatus(
     val running: Boolean,
     val runMode: Int? = null,
+    val appState: AppState? = null,
 )

app/src/main/kotlin/engine/root/RootConfigSupport.kt

@@ -97,45 +97,19 @@ private fun AppState.toRootStartConfig(
 }
 
 internal fun AppState.buildRootSharedProxyInbounds(
-    socksInboundTag: String,
     httpInboundTag: String,
-    includeSocks5Proxy: Boolean = true,
 ): List<JsonObject> {
     return buildList {
-        socks5ProxyPort.toPortOrNull()
-            ?.takeIf { includeSocks5Proxy && enableSocks5Proxy }
-            ?.let { port -> add(buildRootSocksProxyInbound(socksInboundTag, port)) }
         httpProxyPort.toPortOrNull()
             ?.takeIf { enableHttpProxy }
             ?.let { port -> add(buildRootHttpProxyInbound(httpInboundTag, port)) }
     }
 }
 
-internal fun AppState.rootSocks5ProxyPortValue(): Int {
+internal fun AppState.tun2SocksInternalProxyPortValue(): Int {
     return socks5ProxyPort.toPortOrNull() ?: DefaultTun2SocksProxyPort
 }
 
-private fun buildRootSocksProxyInbound(
-    tag: String,
-    port: Int,
-): JsonObject {
-    return buildJsonObject {
-        put("tag", tag)
-        put("listen", RootSharedProxyListenAddress)
-        put("port", port)
-        put("protocol", XrayProtocols.SOCKS)
-        put(
-            "settings",
-            buildJsonObject {
-                put("auth", "noauth")
-                put("udp", true)
-                put("ip", RootSharedProxyListenAddress)
-                put("userLevel", 0)
-            },
-        )
-    }
-}
-
 private fun buildRootHttpProxyInbound(
     tag: String,
     port: Int,

app/src/main/kotlin/engine/root/RootIptablesConfig.kt

@@ -4,6 +4,7 @@
 package engine.root
 
 import android.content.Context
+import android.os.Process
 import app.AppState
 import app.modes.ProxyAppListModeGlobal
 import utils.toTrimmedNonEmptyDistinctList
@@ -20,6 +21,7 @@ internal data class RootIptablesConfig(
     val proxyPrivateIpv6Cidrs: List<String> = emptyList(),
     val bypassPrivateIpv4Cidrs: List<String> = emptyList(),
     val bypassPrivateIpv6Cidrs: List<String> = emptyList(),
+    val forcedBypassUids: List<Int> = emptyList(),
     val proxyAppListMode: Int = ProxyAppListModeGlobal,
     val proxyApplicationUids: List<Int> = emptyList(),
 )
@@ -50,6 +52,7 @@ internal fun RootIptablesConfig.withAppSettings(
         proxyPrivateIpv6Cidrs = proxyPrivateCidrs.ipv6Cidrs(),
         bypassPrivateIpv4Cidrs = bypassPrivateCidrs.ipv4Cidrs(),
         bypassPrivateIpv6Cidrs = bypassPrivateCidrs.ipv6Cidrs(),
+        forcedBypassUids = listOf(Process.myUid()),
         proxyAppListMode = appListMode,
         proxyApplicationUids = if (appListMode == ProxyAppListModeGlobal) {
             emptyList()

app/src/main/kotlin/engine/root/RootModeEngine.kt

@@ -4,6 +4,7 @@
 package engine.root
 
 import android.content.Context
+import engine.proxy.LocalProxyRuntime
 import engine.proxy.ProxyEngineStartRequest
 import engine.proxy.ProxyEngineStatus
 import engine.proxy.mode.AndroidModeProxyEngine
@@ -42,6 +43,7 @@ internal class RootModeEngine<Config : RootModeStartConfig>(
         logFileTailers = config.root.coreLogPaths.startCoreLogTailers(config.root.enableAccessLog)
         runCatching {
             runner.start(config)
+            LocalProxyRuntime.update(config.localProxyOptions)
             if (rootContext.appState.enableRootBootScript) {
                 runner.installBootScript(config)
             } else {
@@ -50,6 +52,7 @@ internal class RootModeEngine<Config : RootModeStartConfig>(
         }.onFailure { error ->
             runCatching { runner.stop(config.root.runtimeLayout) }
                 .onFailure { stopError -> AndroidAppLogger.warn(logTag, "Failed to clean up $modeName after startup failure", stopError) }
+            LocalProxyRuntime.clear()
             logFileTailers.forEach { tailer -> tailer.stop() }
             logFileTailers = emptyList()
             AndroidAppLogger.error(logTag, "Failed to start $modeName mode", error)
@@ -69,6 +72,7 @@ internal class RootModeEngine<Config : RootModeStartConfig>(
         }.onFailure { error ->
             AndroidAppLogger.warn(logTag, "Failed to stop $modeName mode", error)
         }
+        LocalProxyRuntime.clear()
         return status()
     }