define tcp_host = @empty_ipv6
define udp_host = @empty_ipv6
define tcp_proxy_ifnames = @empty_str
define udp_proxy_ifnames = @empty_str
define tcp_server_port = 443
define udp_server_port = 443
define tcp_local_port = 1080
define udp_local_port = 1080
## DO NOT CHANGE THIS LINE
# The defines above are placeholders. *_host and *_proxy_ifnames point at the
# empty constant sets declared inside the table below, so every rule that
# references them matches nothing until a loader substitutes real values.
# NOTE(review): while tcp_host/udp_host are still the empty set, the
# "traffic to the proxy server" exemptions in mangle_output never match, so
# the loader has to fill them in before the ruleset is armed — confirm
# against the loader script (not in this file).
#
# add-then-delete is the idempotent way to drop a table that may or may not
# exist: "add" is a no-op when the table already exists, and "delete" alone
# would fail on a missing table. Both old tables are gone before the fresh
# transparent_proxy_v6 table below is created.
# this works since v4 rule is always loaded first
# (output_deny is presumably a fail-closed table installed by the v4 file
# before this one is loaded — not visible here, confirm)
add table ip6 output_deny
delete table ip6 output_deny
add table ip6 transparent_proxy_v6
delete table ip6 transparent_proxy_v6
# IPv6 half of the transparent-proxy (TPROXY) ruleset. Locally generated
# traffic is fwmarked in the output hook and expected to be policy-routed back
# in through lo, where the prerouting hook hands it to the local TPROXY
# listener; forwarded traffic from the proxy-facing interfaces is TPROXYed
# directly. Rules inside a chain are evaluated top to bottom and `accept` /
# `goto` end evaluation of that chain, so the rule order below is load-bearing.
# The `ip -6 rule fwmark 0xdeaf ...` / local-route setup that closes the loop
# is not part of this file — presumably created by the loader, confirm.
table ip6 transparent_proxy_v6 {
	# cgroup v2 path sets. No elements are declared here, so they are empty at
	# load time and are presumably filled by the loader. bypass = never proxy,
	# enforce = always proxy (see mangle_output for precedence).
	set tcp_bypass {
		type cgroupsv2
	}
	set udp_bypass {
		type cgroupsv2
	}
	set tcp_enforce {
		type cgroupsv2
	}
	set udp_enforce {
		type cgroupsv2
	}
	# Immutable empty sets that serve as the default targets of the
	# $tcp_host / $udp_host and $*_proxy_ifnames defines, so rules that
	# reference those defines match nothing until real values are substituted.
	set empty_ipv6 {
		type ipv6_addr
		flags constant
	}
	set empty_str {
		typeof iifname
		flags constant
	}
	# Destinations that are never proxied. Despite the name, only the
	# special-purpose / non-globally-routed IPv6 prefixes are listed here; the
	# actual China route list is presumably appended at runtime (not in this
	# file). Everything in this set is reached directly, so each element added
	# widens the bypass; auto-merge collapses overlapping elements silently
	# instead of rejecting them.
	set chnroute {
		type ipv6_addr
		flags interval
		auto-merge
		elements = {
			::/127,            # unspecified (::) and loopback (::1)
			::ffff:0:0/96,     # IPv4-mapped
			::ffff:0:0:0/96,   # IPv4-translated (SIIT, deprecated)
			64:ff9b::/96,      # NAT64 well-known prefix
			64:ff9b:1::/48,    # NAT64 local-use prefix
			100::/64,          # discard-only
			2001:0000::/32,    # Teredo
			2001:20::/28,      # ORCHIDv2
			2001:db8::/32,     # documentation
			fc00::/7,          # unique local addresses
			fe80::/64,         # link-local
			ff00::/8,          # multicast
		}
	}
	# Forwarded traffic, plus the second pass of locally generated traffic.
	chain mangle_prerouting {
		type filter hook prerouting priority mangle
		policy accept
		# Locally generated packets that mangle_output marked 0xdeaf come back
		# in through lo (policy routing, outside this file) and go straight to
		# the TPROXY listener. The mark match is what keeps ordinary loopback
		# traffic out of this path.
		meta l4proto { tcp, udp } iif lo meta mark 0xdeaf goto tcp_udp_tproxy
		# Traffic arriving on the proxy-facing interfaces (empty set by
		# default) whose destination is not in the bypass set.
		meta l4proto tcp iifname $tcp_proxy_ifnames ip6 daddr != @chnroute goto tcp_udp_forward_conditional_tproxy
		meta l4proto udp iifname $udp_proxy_ifnames ip6 daddr != @chnroute goto tcp_udp_forward_conditional_tproxy
	}
	# Locally generated traffic. `type route` makes the kernel re-route a
	# packet whose mark this chain changed, which is what turns the fwmark
	# into a detour through lo.
	chain mangle_output {
		type route hook output priority mangle
		policy accept
		# TCP packets in the reply direction of a tracked connection (a local
		# service answering a client) are never proxied. NOTE(review): there
		# is no UDP counterpart, so locally generated UDP replies fall through
		# to the cgroup and destination rules below — confirm that is intended.
		meta l4proto tcp ct direction reply accept
		# Per-cgroup overrides, matched on the socket's level-2 cgroup.
		# enforce is tested before any destination check, so enforced cgroups
		# are proxied even towards chnroute / loopback destinations.
		meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept
		meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept
		meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_udp_output_mark
		meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto tcp_udp_output_mark
		# Loop avoidance for the proxy server itself: only the server port on
		# $tcp_host / $udp_host is reached directly, any other port on that
		# host is still proxied. While the *_host defines are the empty
		# default set, these four rules match nothing.
		meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
		meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
		meta l4proto tcp ip6 daddr $tcp_host accept
		meta l4proto udp ip6 daddr $udp_host accept
		# Everything else that is not a bypass destination gets marked.
		meta l4proto { tcp, udp } ip6 daddr != @chnroute goto tcp_udp_output_mark
	}
	# Sets the fwmark that the policy-routing rule (outside this file) keys
	# on; 0xdeaf must stay in sync with that rule and with the
	# mangle_prerouting match above.
	chain tcp_udp_output_mark {
		meta l4proto { tcp, udp } mark set 0xdeaf
	}
	# Forwarded-traffic counterpart of mangle_output: same decisions, but the
	# packet is marked and handed to TPROXY in one step instead of being
	# re-routed. The mark is presumably needed so the same fwmark policy
	# route delivers the packet locally — confirm against the routing setup.
	chain tcp_udp_forward_conditional_tproxy {
		meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
		meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto tcp_udp_tproxy
		meta l4proto tcp ip6 daddr $tcp_host accept
		meta l4proto udp ip6 daddr $udp_host accept
		meta l4proto { tcp, udp } ip6 daddr != @chnroute meta mark set 0xdeaf goto tcp_udp_tproxy
	}
	# Hands the packet to the local TPROXY listener on loopback. TPROXY only
	# works if that listening socket has IPV6_TRANSPARENT set; the port
	# comes from the $*_local_port defines.
	chain tcp_udp_tproxy {
		meta l4proto tcp tproxy to [::1]:$tcp_local_port
		meta l4proto udp tproxy to [::1]:$udp_local_port
	}
}