From 4b44fd8945824d081d158b78b9cb74cf0104c836 Mon Sep 17 00:00:00 2001
From: Meo597 <197331664+Meo597@users.noreply.github.com>
Date: Wed, 26 Mar 2025 22:45:01 +0800
Subject: [PATCH 1/3] REALITY: Add rate limiting to fallback handling via token
 bucket

---
 go.mod                                  |   6 +-
 go.sum                                  |   6 +-
 infra/conf/transport_internet.go        |  10 +++
 transport/internet/reality/config.go    |   5 ++
 transport/internet/reality/config.pb.go | 102 +++++++++++++++++-------
 transport/internet/reality/config.proto |   5 ++
 6 files changed, 102 insertions(+), 32 deletions(-)

diff --git a/go.mod b/go.mod
index 57bf8b99..1b6a0823 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
 	github.com/vishvananda/netlink v1.3.0
-	github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d
+	github.com/xtls/reality v0.0.0-20250326135520-b8b119e3a1f7
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.36.0
 	golang.org/x/net v0.37.0
@@ -34,6 +34,9 @@ require (
 	lukechampine.com/blake3 v1.4.0
 )
 
+// temp test
+replace github.com/xtls/reality => github.com/meo597/reality v0.0.0-20250326135520-b8b119e3a1f7
+
 require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -41,6 +44,7 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20240528025155-186aa0362fba // indirect
+	github.com/juju/ratelimit v1.0.2 // indirect
 	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/onsi/ginkgo/v2 v2.19.0 // indirect
diff --git a/go.sum b/go.sum
index aacd27ca..12f2add4 100644
--- a/go.sum
+++ b/go.sum
@@ -34,10 +34,14 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/h12w/go-socks5 v0.0.0-20200522160539-76189e178364 h1:5XxdakFhqd9dnXoAZy1Mb2R/DZ6D1e+0bGC/JhucGYI=
 github.com/h12w/go-socks5 v0.0.0-20200522160539-76189e178364/go.mod h1:eDJQioIyy4Yn3MVivT7rv/39gAJTrA7lgmYr8EW950c=
+github.com/juju/ratelimit v1.0.2 h1:sRxmtRiajbvrcLQT7S+JbqU0ntsb9W2yhSdNN8tWfaI=
+github.com/juju/ratelimit v1.0.2/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk=
 github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
 github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/meo597/reality v0.0.0-20250326135520-b8b119e3a1f7 h1:3CiCS6GMsxixHt9oHMQ13OvX8TTIReN7gbKwZjL+sc0=
+github.com/meo597/reality v0.0.0-20250326135520-b8b119e3a1f7/go.mod h1:YbGJ8AYQ83QsGjN//QrGnD4W80SvL5b2K3RJKGLcewE=
 github.com/miekg/dns v1.1.64 h1:wuZgD9wwCE6XMT05UU/mlSko71eRSXEAm2EbjQXLKnQ=
 github.com/miekg/dns v1.1.64/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
@@ -76,8 +80,6 @@ github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQ
 github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d h1:+B97uD9uHLgAAulhigmys4BVwZZypzK7gPN3WtpgRJg=
-github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d/go.mod h1:dm4y/1QwzjGaK17ofi0Vs6NpKAHegZky8qk6J2JJZAE=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index e32be326..95920439 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -500,6 +500,11 @@ type REALITYConfig struct {
 	MaxTimeDiff  uint64          `json:"maxTimeDiff"`
 	ShortIds     []string        `json:"shortIds"`
 
+	LimitUploadRate    float64 `json:"limitUploadRate"`
+	LimitUploadBrust   int64   `json:"limitUploadBrust"`
+	LimitDownloadRate  float64 `json:"limitDownloadRate"`
+	LimitDownloadBrust int64   `json:"limitDownloadBrust"`
+
 	Fingerprint string `json:"fingerprint"`
 	ServerName  string `json:"serverName"`
 	Password    string `json:"password"`
@@ -600,6 +605,11 @@ func (c *REALITYConfig) Build() (proto.Message, error) {
 		config.Xver = c.Xver
 		config.ServerNames = c.ServerNames
 		config.MaxTimeDiff = c.MaxTimeDiff
+
+		config.LimitUploadRate = c.LimitUploadRate
+		config.LimitUploadBrust = c.LimitUploadBrust
+		config.LimitDownloadRate = c.LimitDownloadRate
+		config.LimitDownloadBrust = c.LimitDownloadBrust
 	} else {
 		config.Fingerprint = strings.ToLower(c.Fingerprint)
 		if config.Fingerprint == "unsafe" || config.Fingerprint == "hellogolang" {
diff --git a/transport/internet/reality/config.go b/transport/internet/reality/config.go
index 406494da..4de03618 100644
--- a/transport/internet/reality/config.go
+++ b/transport/internet/reality/config.go
@@ -31,6 +31,11 @@ func (c *Config) GetREALITYConfig() *reality.Config {
 		SessionTicketsDisabled: true,
 
 		KeyLogWriter: KeyLogWriterFromConfig(c),
+
+		LimitUploadRate:    c.LimitUploadRate,
+		LimitUploadBrust:   c.LimitUploadBrust,
+		LimitDownloadRate:  c.LimitDownloadRate,
+		LimitDownloadBrust: c.LimitDownloadBrust,
 	}
 	config.ServerNames = make(map[string]bool)
 	for _, serverName := range c.ServerNames {
diff --git a/transport/internet/reality/config.pb.go b/transport/internet/reality/config.pb.go
index 81038552..4aadd552 100644
--- a/transport/internet/reality/config.pb.go
+++ b/transport/internet/reality/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.35.1
-// 	protoc        v5.28.2
+// 	protoc        v5.29.4
 // source: transport/internet/reality/config.proto
 
 package reality
@@ -25,23 +25,27 @@ type Config struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Show         bool     `protobuf:"varint,1,opt,name=show,proto3" json:"show,omitempty"`
-	Dest         string   `protobuf:"bytes,2,opt,name=dest,proto3" json:"dest,omitempty"`
-	Type         string   `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
-	Xver         uint64   `protobuf:"varint,4,opt,name=xver,proto3" json:"xver,omitempty"`
-	ServerNames  []string `protobuf:"bytes,5,rep,name=server_names,json=serverNames,proto3" json:"server_names,omitempty"`
-	PrivateKey   []byte   `protobuf:"bytes,6,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
-	MinClientVer []byte   `protobuf:"bytes,7,opt,name=min_client_ver,json=minClientVer,proto3" json:"min_client_ver,omitempty"`
-	MaxClientVer []byte   `protobuf:"bytes,8,opt,name=max_client_ver,json=maxClientVer,proto3" json:"max_client_ver,omitempty"`
-	MaxTimeDiff  uint64   `protobuf:"varint,9,opt,name=max_time_diff,json=maxTimeDiff,proto3" json:"max_time_diff,omitempty"`
-	ShortIds     [][]byte `protobuf:"bytes,10,rep,name=short_ids,json=shortIds,proto3" json:"short_ids,omitempty"`
-	Fingerprint  string   `protobuf:"bytes,21,opt,name=Fingerprint,proto3" json:"Fingerprint,omitempty"`
-	ServerName   string   `protobuf:"bytes,22,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
-	PublicKey    []byte   `protobuf:"bytes,23,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
-	ShortId      []byte   `protobuf:"bytes,24,opt,name=short_id,json=shortId,proto3" json:"short_id,omitempty"`
-	SpiderX      string   `protobuf:"bytes,25,opt,name=spider_x,json=spiderX,proto3" json:"spider_x,omitempty"`
-	SpiderY      []int64  `protobuf:"varint,26,rep,packed,name=spider_y,json=spiderY,proto3" json:"spider_y,omitempty"`
-	MasterKeyLog string   `protobuf:"bytes,27,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
+	Show               bool     `protobuf:"varint,1,opt,name=show,proto3" json:"show,omitempty"`
+	Dest               string   `protobuf:"bytes,2,opt,name=dest,proto3" json:"dest,omitempty"`
+	Type               string   `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
+	Xver               uint64   `protobuf:"varint,4,opt,name=xver,proto3" json:"xver,omitempty"`
+	ServerNames        []string `protobuf:"bytes,5,rep,name=server_names,json=serverNames,proto3" json:"server_names,omitempty"`
+	PrivateKey         []byte   `protobuf:"bytes,6,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
+	MinClientVer       []byte   `protobuf:"bytes,7,opt,name=min_client_ver,json=minClientVer,proto3" json:"min_client_ver,omitempty"`
+	MaxClientVer       []byte   `protobuf:"bytes,8,opt,name=max_client_ver,json=maxClientVer,proto3" json:"max_client_ver,omitempty"`
+	MaxTimeDiff        uint64   `protobuf:"varint,9,opt,name=max_time_diff,json=maxTimeDiff,proto3" json:"max_time_diff,omitempty"`
+	ShortIds           [][]byte `protobuf:"bytes,10,rep,name=short_ids,json=shortIds,proto3" json:"short_ids,omitempty"`
+	Fingerprint        string   `protobuf:"bytes,21,opt,name=Fingerprint,proto3" json:"Fingerprint,omitempty"`
+	ServerName         string   `protobuf:"bytes,22,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
+	PublicKey          []byte   `protobuf:"bytes,23,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
+	ShortId            []byte   `protobuf:"bytes,24,opt,name=short_id,json=shortId,proto3" json:"short_id,omitempty"`
+	SpiderX            string   `protobuf:"bytes,25,opt,name=spider_x,json=spiderX,proto3" json:"spider_x,omitempty"`
+	SpiderY            []int64  `protobuf:"varint,26,rep,packed,name=spider_y,json=spiderY,proto3" json:"spider_y,omitempty"`
+	MasterKeyLog       string   `protobuf:"bytes,27,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
+	LimitUploadRate    float64  `protobuf:"fixed64,28,opt,name=limit_upload_rate,json=limitUploadRate,proto3" json:"limit_upload_rate,omitempty"`
+	LimitUploadBrust   int64    `protobuf:"zigzag64,29,opt,name=limit_upload_brust,json=limitUploadBrust,proto3" json:"limit_upload_brust,omitempty"`
+	LimitDownloadRate  float64  `protobuf:"fixed64,30,opt,name=limit_download_rate,json=limitDownloadRate,proto3" json:"limit_download_rate,omitempty"`
+	LimitDownloadBrust int64    `protobuf:"zigzag64,31,opt,name=limit_download_brust,json=limitDownloadBrust,proto3" json:"limit_download_brust,omitempty"`
 }
 
 func (x *Config) Reset() {
@@ -193,6 +197,34 @@ func (x *Config) GetMasterKeyLog() string {
 	return ""
 }
 
+func (x *Config) GetLimitUploadRate() float64 {
+	if x != nil {
+		return x.LimitUploadRate
+	}
+	return 0
+}
+
+func (x *Config) GetLimitUploadBrust() int64 {
+	if x != nil {
+		return x.LimitUploadBrust
+	}
+	return 0
+}
+
+func (x *Config) GetLimitDownloadRate() float64 {
+	if x != nil {
+		return x.LimitDownloadRate
+	}
+	return 0
+}
+
+func (x *Config) GetLimitDownloadBrust() int64 {
+	if x != nil {
+		return x.LimitDownloadBrust
+	}
+	return 0
+}
+
 var File_transport_internet_reality_config_proto protoreflect.FileDescriptor
 
 var file_transport_internet_reality_config_proto_rawDesc = []byte{
@@ -200,7 +232,7 @@ var file_transport_internet_reality_config_proto_rawDesc = []byte{
 	0x72, 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x2f, 0x63, 0x6f, 0x6e,
 	0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1f, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
-	0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x22, 0x82, 0x04, 0x0a, 0x06, 0x43,
+	0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x22, 0xbe, 0x05, 0x0a, 0x06, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x68, 0x6f, 0x77, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x68, 0x6f, 0x77, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x65, 0x73,
 	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x64, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a,
@@ -232,16 +264,28 @@ var file_transport_internet_reality_config_proto_rawDesc = []byte{
 	0x0a, 0x08, 0x73, 0x70, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x79, 0x18, 0x1a, 0x20, 0x03, 0x28, 0x03,
 	0x52, 0x07, 0x73, 0x70, 0x69, 0x64, 0x65, 0x72, 0x59, 0x12, 0x24, 0x0a, 0x0e, 0x6d, 0x61, 0x73,
 	0x74, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x1b, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0c, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x4c, 0x6f, 0x67, 0x42,
-	0x7f, 0x0a, 0x23, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e,
-	0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x72,
-	0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x50, 0x01, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
-	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63,
-	0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e,
-	0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0xaa, 0x02,
-	0x1f, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e,
-	0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x52, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79,
-	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x09, 0x52, 0x0c, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x4c, 0x6f, 0x67, 0x12,
+	0x2a, 0x0a, 0x11, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x5f, 0x75, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x5f,
+	0x72, 0x61, 0x74, 0x65, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x01, 0x52, 0x0f, 0x6c, 0x69, 0x6d, 0x69,
+	0x74, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x6c,
+	0x69, 0x6d, 0x69, 0x74, 0x5f, 0x75, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x72, 0x75, 0x73,
+	0x74, 0x18, 0x1d, 0x20, 0x01, 0x28, 0x12, 0x52, 0x10, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x55, 0x70,
+	0x6c, 0x6f, 0x61, 0x64, 0x42, 0x72, 0x75, 0x73, 0x74, 0x12, 0x2e, 0x0a, 0x13, 0x6c, 0x69, 0x6d,
+	0x69, 0x74, 0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x72, 0x61, 0x74, 0x65,
+	0x18, 0x1e, 0x20, 0x01, 0x28, 0x01, 0x52, 0x11, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f, 0x77,
+	0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x61, 0x74, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x6c, 0x69, 0x6d,
+	0x69, 0x74, 0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x72, 0x75, 0x73,
+	0x74, 0x18, 0x1f, 0x20, 0x01, 0x28, 0x12, 0x52, 0x12, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f,
+	0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x72, 0x75, 0x73, 0x74, 0x42, 0x7f, 0x0a, 0x23, 0x63,
+	0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72,
+	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69,
+	0x74, 0x79, 0x50, 0x01, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+	0x65, 0x74, 0x2f, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0xaa, 0x02, 0x1f, 0x58, 0x72, 0x61,
+	0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65,
+	0x72, 0x6e, 0x65, 0x74, 0x2e, 0x52, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
diff --git a/transport/internet/reality/config.proto b/transport/internet/reality/config.proto
index 233f6e05..a3fe15a9 100644
--- a/transport/internet/reality/config.proto
+++ b/transport/internet/reality/config.proto
@@ -25,4 +25,9 @@ message Config {
   string spider_x = 25;
   repeated int64 spider_y = 26;
   string master_key_log = 27;
+
+  double limit_upload_rate = 28;
+  sint64 limit_upload_brust = 29;
+  double limit_download_rate = 30;
+  sint64 limit_download_brust = 31;
 }

From 271305c301f7462d1497b502ce4d7c323edc7cab Mon Sep 17 00:00:00 2001
From: Meo597 <197331664+Meo597@users.noreply.github.com>
Date: Thu, 27 Mar 2025 05:12:40 +0800
Subject: [PATCH 2/3] ratelimit: limit after

---
 go.mod                                  |  4 +--
 go.sum                                  |  4 +--
 infra/conf/transport_internet.go        |  4 +++
 transport/internet/reality/config.go    |  2 ++
 transport/internet/reality/config.pb.go | 42 +++++++++++++++++++------
 transport/internet/reality/config.proto |  6 ++--
 6 files changed, 46 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index 1b6a0823..19f3fbf2 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
 	github.com/vishvananda/netlink v1.3.0
-	github.com/xtls/reality v0.0.0-20250326135520-b8b119e3a1f7
+	github.com/xtls/reality v0.0.0-20250326210428-52ea918ead1b
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.36.0
 	golang.org/x/net v0.37.0
@@ -35,7 +35,7 @@ require (
 )
 
 // temp test
-replace github.com/xtls/reality => github.com/meo597/reality v0.0.0-20250326135520-b8b119e3a1f7
+replace github.com/xtls/reality => github.com/meo597/reality v0.0.0-20250326210428-52ea918ead1b
 
 require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
diff --git a/go.sum b/go.sum
index 12f2add4..1f89a22a 100644
--- a/go.sum
+++ b/go.sum
@@ -40,8 +40,8 @@ github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0N
 github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/meo597/reality v0.0.0-20250326135520-b8b119e3a1f7 h1:3CiCS6GMsxixHt9oHMQ13OvX8TTIReN7gbKwZjL+sc0=
-github.com/meo597/reality v0.0.0-20250326135520-b8b119e3a1f7/go.mod h1:YbGJ8AYQ83QsGjN//QrGnD4W80SvL5b2K3RJKGLcewE=
+github.com/meo597/reality v0.0.0-20250326210428-52ea918ead1b h1:W47edE5X8Ts/pgj1MFyN9ZdbBLQxcZy0bPzJPxNN3Ww=
+github.com/meo597/reality v0.0.0-20250326210428-52ea918ead1b/go.mod h1:YbGJ8AYQ83QsGjN//QrGnD4W80SvL5b2K3RJKGLcewE=
 github.com/miekg/dns v1.1.64 h1:wuZgD9wwCE6XMT05UU/mlSko71eRSXEAm2EbjQXLKnQ=
 github.com/miekg/dns v1.1.64/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index 95920439..acc8d420 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -502,8 +502,10 @@ type REALITYConfig struct {
 
 	LimitUploadRate    float64 `json:"limitUploadRate"`
 	LimitUploadBrust   int64   `json:"limitUploadBrust"`
+	LimitUploadAfter   int64   `json:"limitUploadAfter"`
 	LimitDownloadRate  float64 `json:"limitDownloadRate"`
 	LimitDownloadBrust int64   `json:"limitDownloadBrust"`
+	LimitDownloadAfter int64   `json:"limitDownloadAfter"`
 
 	Fingerprint string `json:"fingerprint"`
 	ServerName  string `json:"serverName"`
@@ -608,8 +610,10 @@ func (c *REALITYConfig) Build() (proto.Message, error) {
 
 		config.LimitUploadRate = c.LimitUploadRate
 		config.LimitUploadBrust = c.LimitUploadBrust
+		config.LimitUploadAfter = c.LimitUploadAfter
 		config.LimitDownloadRate = c.LimitDownloadRate
 		config.LimitDownloadBrust = c.LimitDownloadBrust
+		config.LimitDownloadAfter = c.LimitDownloadAfter
 	} else {
 		config.Fingerprint = strings.ToLower(c.Fingerprint)
 		if config.Fingerprint == "unsafe" || config.Fingerprint == "hellogolang" {
diff --git a/transport/internet/reality/config.go b/transport/internet/reality/config.go
index 4de03618..bb1dee3a 100644
--- a/transport/internet/reality/config.go
+++ b/transport/internet/reality/config.go
@@ -34,8 +34,10 @@ func (c *Config) GetREALITYConfig() *reality.Config {
 
 		LimitUploadRate:    c.LimitUploadRate,
 		LimitUploadBrust:   c.LimitUploadBrust,
+		LimitUploadAfter:   c.LimitUploadAfter,
 		LimitDownloadRate:  c.LimitDownloadRate,
 		LimitDownloadBrust: c.LimitDownloadBrust,
+		LimitDownloadAfter: c.LimitDownloadAfter,
 	}
 	config.ServerNames = make(map[string]bool)
 	for _, serverName := range c.ServerNames {
diff --git a/transport/internet/reality/config.pb.go b/transport/internet/reality/config.pb.go
index 4aadd552..99f09346 100644
--- a/transport/internet/reality/config.pb.go
+++ b/transport/internet/reality/config.pb.go
@@ -44,8 +44,10 @@ type Config struct {
 	MasterKeyLog       string   `protobuf:"bytes,27,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
 	LimitUploadRate    float64  `protobuf:"fixed64,28,opt,name=limit_upload_rate,json=limitUploadRate,proto3" json:"limit_upload_rate,omitempty"`
 	LimitUploadBrust   int64    `protobuf:"zigzag64,29,opt,name=limit_upload_brust,json=limitUploadBrust,proto3" json:"limit_upload_brust,omitempty"`
-	LimitDownloadRate  float64  `protobuf:"fixed64,30,opt,name=limit_download_rate,json=limitDownloadRate,proto3" json:"limit_download_rate,omitempty"`
-	LimitDownloadBrust int64    `protobuf:"zigzag64,31,opt,name=limit_download_brust,json=limitDownloadBrust,proto3" json:"limit_download_brust,omitempty"`
+	LimitUploadAfter   int64    `protobuf:"zigzag64,30,opt,name=limit_upload_after,json=limitUploadAfter,proto3" json:"limit_upload_after,omitempty"`
+	LimitDownloadRate  float64  `protobuf:"fixed64,31,opt,name=limit_download_rate,json=limitDownloadRate,proto3" json:"limit_download_rate,omitempty"`
+	LimitDownloadBrust int64    `protobuf:"zigzag64,32,opt,name=limit_download_brust,json=limitDownloadBrust,proto3" json:"limit_download_brust,omitempty"`
+	LimitDownloadAfter int64    `protobuf:"zigzag64,33,opt,name=limit_download_after,json=limitDownloadAfter,proto3" json:"limit_download_after,omitempty"`
 }
 
 func (x *Config) Reset() {
@@ -211,6 +213,13 @@ func (x *Config) GetLimitUploadBrust() int64 {
 	return 0
 }
 
+func (x *Config) GetLimitUploadAfter() int64 {
+	if x != nil {
+		return x.LimitUploadAfter
+	}
+	return 0
+}
+
 func (x *Config) GetLimitDownloadRate() float64 {
 	if x != nil {
 		return x.LimitDownloadRate
@@ -225,6 +234,13 @@ func (x *Config) GetLimitDownloadBrust() int64 {
 	return 0
 }
 
+func (x *Config) GetLimitDownloadAfter() int64 {
+	if x != nil {
+		return x.LimitDownloadAfter
+	}
+	return 0
+}
+
 var File_transport_internet_reality_config_proto protoreflect.FileDescriptor
 
 var file_transport_internet_reality_config_proto_rawDesc = []byte{
@@ -232,7 +248,7 @@ var file_transport_internet_reality_config_proto_rawDesc = []byte{
 	0x72, 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x2f, 0x63, 0x6f, 0x6e,
 	0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1f, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
-	0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x22, 0xbe, 0x05, 0x0a, 0x06, 0x43,
+	0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x22, 0x9e, 0x06, 0x0a, 0x06, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x68, 0x6f, 0x77, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x68, 0x6f, 0x77, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x65, 0x73,
 	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x64, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a,
@@ -270,13 +286,19 @@ var file_transport_internet_reality_config_proto_rawDesc = []byte{
 	0x74, 0x55, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x6c,
 	0x69, 0x6d, 0x69, 0x74, 0x5f, 0x75, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x72, 0x75, 0x73,
 	0x74, 0x18, 0x1d, 0x20, 0x01, 0x28, 0x12, 0x52, 0x10, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x55, 0x70,
-	0x6c, 0x6f, 0x61, 0x64, 0x42, 0x72, 0x75, 0x73, 0x74, 0x12, 0x2e, 0x0a, 0x13, 0x6c, 0x69, 0x6d,
-	0x69, 0x74, 0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x72, 0x61, 0x74, 0x65,
-	0x18, 0x1e, 0x20, 0x01, 0x28, 0x01, 0x52, 0x11, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f, 0x77,
-	0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x61, 0x74, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x6c, 0x69, 0x6d,
-	0x69, 0x74, 0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x72, 0x75, 0x73,
-	0x74, 0x18, 0x1f, 0x20, 0x01, 0x28, 0x12, 0x52, 0x12, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f,
-	0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x72, 0x75, 0x73, 0x74, 0x42, 0x7f, 0x0a, 0x23, 0x63,
+	0x6c, 0x6f, 0x61, 0x64, 0x42, 0x72, 0x75, 0x73, 0x74, 0x12, 0x2c, 0x0a, 0x12, 0x6c, 0x69, 0x6d,
+	0x69, 0x74, 0x5f, 0x75, 0x70, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18,
+	0x1e, 0x20, 0x01, 0x28, 0x12, 0x52, 0x10, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x55, 0x70, 0x6c, 0x6f,
+	0x61, 0x64, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x2e, 0x0a, 0x13, 0x6c, 0x69, 0x6d, 0x69, 0x74,
+	0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x72, 0x61, 0x74, 0x65, 0x18, 0x1f,
+	0x20, 0x01, 0x28, 0x01, 0x52, 0x11, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f, 0x77, 0x6e, 0x6c,
+	0x6f, 0x61, 0x64, 0x52, 0x61, 0x74, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x6c, 0x69, 0x6d, 0x69, 0x74,
+	0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x72, 0x75, 0x73, 0x74, 0x18,
+	0x20, 0x20, 0x01, 0x28, 0x12, 0x52, 0x12, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f, 0x77, 0x6e,
+	0x6c, 0x6f, 0x61, 0x64, 0x42, 0x72, 0x75, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x14, 0x6c, 0x69, 0x6d,
+	0x69, 0x74, 0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x61, 0x66, 0x74, 0x65,
+	0x72, 0x18, 0x21, 0x20, 0x01, 0x28, 0x12, 0x52, 0x12, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x44, 0x6f,
+	0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x66, 0x74, 0x65, 0x72, 0x42, 0x7f, 0x0a, 0x23, 0x63,
 	0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72,
 	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69,
 	0x74, 0x79, 0x50, 0x01, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
diff --git a/transport/internet/reality/config.proto b/transport/internet/reality/config.proto
index a3fe15a9..e3365f54 100644
--- a/transport/internet/reality/config.proto
+++ b/transport/internet/reality/config.proto
@@ -28,6 +28,8 @@ message Config {
 
   double limit_upload_rate = 28;
   sint64 limit_upload_brust = 29;
-  double limit_download_rate = 30;
-  sint64 limit_download_brust = 31;
+  sint64 limit_upload_after = 30;
+  double limit_download_rate = 31;
+  sint64 limit_download_brust = 32;
+  sint64 limit_download_after = 33;
 }

From 4cde0ed12bcd89ca401da8472afaeb57e3ec12ae Mon Sep 17 00:00:00 2001
From: Meo597 <197331664+Meo597@users.noreply.github.com>
Date: Sat, 29 Mar 2025 23:13:44 +0800
Subject: [PATCH 3/3] ratelimit: Update markdown

---
 go.mod | 4 ++--
 go.sum | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 19f3fbf2..8489485e 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
 	github.com/vishvananda/netlink v1.3.0
-	github.com/xtls/reality v0.0.0-20250326210428-52ea918ead1b
+	github.com/xtls/reality v0.0.0-20250329150927-d77e7560feae
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.36.0
 	golang.org/x/net v0.37.0
@@ -35,7 +35,7 @@ require (
 )
 
 // temp test
-replace github.com/xtls/reality => github.com/meo597/reality v0.0.0-20250326210428-52ea918ead1b
+replace github.com/xtls/reality => github.com/meo597/reality v0.0.0-20250329150927-d77e7560feae
 
 require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
diff --git a/go.sum b/go.sum
index 1f89a22a..11d9f315 100644
--- a/go.sum
+++ b/go.sum
@@ -40,8 +40,8 @@ github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0N
 github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/meo597/reality v0.0.0-20250326210428-52ea918ead1b h1:W47edE5X8Ts/pgj1MFyN9ZdbBLQxcZy0bPzJPxNN3Ww=
-github.com/meo597/reality v0.0.0-20250326210428-52ea918ead1b/go.mod h1:YbGJ8AYQ83QsGjN//QrGnD4W80SvL5b2K3RJKGLcewE=
+github.com/meo597/reality v0.0.0-20250329150927-d77e7560feae h1:MA6A5b1TxiQpCIQ2ky589OqYPy4R3fS3tkg8WezJuJg=
+github.com/meo597/reality v0.0.0-20250329150927-d77e7560feae/go.mod h1:YbGJ8AYQ83QsGjN//QrGnD4W80SvL5b2K3RJKGLcewE=
 github.com/miekg/dns v1.1.64 h1:wuZgD9wwCE6XMT05UU/mlSko71eRSXEAm2EbjQXLKnQ=
 github.com/miekg/dns v1.1.64/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=