# Tunables. The defaults point at the empty constant sets declared inside the
# table below, so an unmodified file matches no host and no interface: nothing
# is redirected until these are filled in.
define tcp_host = @empty_ipv6           # address(es) of the remote proxy server (TCP)
define udp_host = @empty_ipv6           # address(es) of the remote proxy server (UDP)
define tcp_proxy_ifnames = @empty_str   # ingress interfaces whose forwarded TCP is redirected
define udp_proxy_ifnames = @empty_str   # ingress interfaces whose forwarded UDP is tproxied
define tcp_server_port = 443            # port on $tcp_host that must NOT be proxied (the upstream link)
define udp_server_port = 443            # port on $udp_host that must NOT be proxied (the upstream link)
define tcp_local_port = 1080            # local listener that `redirect` sends TCP to
define udp_local_port = 1080            # local listener on [::1] that `tproxy` sends UDP to

# NOTE(review): presumably a marker that tooling uses to split the tunables
# above from the ruleset below — confirm before moving it.
## DO NOT CHANGE THIS LINE

# `add table` succeeds whether or not the table already exists, so the
# following `delete` never fails: the pair removes any pre-existing table of
# that name. What the v4 ruleset does with output_deny is not visible here.
# this works since v4 rule is always loaded first
add table ip6 output_deny
delete table ip6 output_deny

# Same idiom: drop any previous transparent_proxy_v6 so the declaration below
# starts from an empty table within the same `nft -f` transaction.
add table ip6 transparent_proxy_v6
delete table ip6 transparent_proxy_v6

table ip6 transparent_proxy_v6 {
    # cgroup-v2 based overrides for locally generated traffic. No members are
    # declared here; they are matched in nat_output / mangle_output with
    # `socket cgroupv2 level 2`, i.e. against the depth-2 ancestor of the
    # socket's cgroup. Members of *_bypass are never proxied; members of
    # *_enforce are always proxied, skipping the $*_host / @chnroute exemptions.
    set tcp_bypass {
        type cgroupsv2
    }

    set udp_bypass {
        type cgroupsv2
    }

    set tcp_enforce {
        type cgroupsv2
    }

    set udp_enforce {
        type cgroupsv2
    }

    # Empty constant sets used only as the default values of the defines above.
    set empty_ipv6 {
        type ipv6_addr
        flags constant
    }

    set empty_str {
        typeof iifname
        flags constant
    }

    # Destinations that are never proxied (`ip6 daddr != @chnroute` below).
    # Despite the name, this file only seeds the set with special-purpose /
    # non-routable prefixes; the actual route list is presumably added by an
    # external tool — if it is not, every non-reserved destination is proxied.
    # `interval` allows prefix elements; `auto-merge` collapses overlaps.
    set chnroute {
        type ipv6_addr
        flags interval
        auto-merge

        elements = {
            ::/127,             # unspecified (::) and loopback (::1)
            ::ffff:0:0/96,      # IPv4-mapped
            ::ffff:0:0:0/96,    # IPv4-translated (SIIT)
            64:ff9b::/96,       # NAT64 well-known prefix
            64:ff9b:1::/48,     # local-use NAT64
            100::/64,           # discard-only
            2001:0000::/32,     # Teredo
            2001:20::/28,       # ORCHIDv2
            2001:db8::/32,      # documentation
            fc00::/7,           # unique local addresses
            fe80::/64,          # link-local (the reserved block is fe80::/10; /64 is what is used in practice)
            ff00::/8,           # multicast
        }
    }

    # tcp part

    # Forwarded TCP arriving on the configured LAN-facing interfaces.
    chain nat_prerouting {
        type nat hook prerouting priority dstnat
        policy accept

        meta l4proto tcp iifname $tcp_proxy_ifnames jump tcp_pre_redirect
    }

    # Locally generated TCP. -100 is the same value as `dstnat`; the symbolic
    # name is documented for the prerouting hook only, hence the literal.
    chain nat_output {
        type nat hook output priority -100
        policy accept

        # cgroup overrides are evaluated before any destination-based rule
        meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept
        meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect
        # `jump` (not goto): anything tcp_pre_redirect does not claim falls
        # through to the accept policy.
        meta l4proto tcp jump tcp_pre_redirect
    }

    # Destination-based policy shared by forwarded and local TCP:
    #   1. to the proxy server but not on the server port  -> proxy
    #   2. to the proxy server on the server port           -> leave alone (upstream link)
    #   3. anything outside @chnroute                       -> proxy
    # Consequence for nat_output: the local proxy process itself must either run
    # in @tcp_bypass or only ever connect to $tcp_host:$tcp_server_port, otherwise
    # its own upstream connections are redirected back to :$tcp_local_port.
    chain tcp_pre_redirect {
        meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_redirect
        meta l4proto tcp ip6 daddr $tcp_host accept
        meta l4proto tcp ip6 daddr != @chnroute goto tcp_redirect
    }

    # `redirect` is a DNAT to an address of the local machine.
    chain tcp_redirect {
        meta l4proto tcp redirect to :$tcp_local_port
    }

    # udp part

    chain mangle_prerouting {
        type filter hook prerouting priority mangle
        policy accept

        # Locally generated UDP that udp_output_mark tagged and that policy
        # routing (outside this file) looped back through lo — TODO confirm the
        # matching `ip -6 rule fwmark 0xdeaf` / local route exist.
        meta l4proto udp iif lo meta mark 0xdeaf goto udp_tproxy
        # Forwarded UDP from the LAN-facing interfaces to non-@chnroute destinations.
        meta l4proto udp iifname $udp_proxy_ifnames ip6 daddr != @chnroute goto udp_forward_conditional_tproxy
    }

    # `route` type: the packet is re-routed after this chain if its mark changed,
    # which is what lets udp_output_mark divert it.
    chain mangle_output {
        type route hook output priority mangle
        policy accept

        meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept
        meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark
        # Same three-step destination policy as tcp_pre_redirect; the same
        # self-loop caveat applies to the local proxy's own UDP to $udp_host.
        meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
        meta l4proto udp ip6 daddr $udp_host accept
        meta l4proto udp ip6 daddr != @chnroute goto udp_output_mark
    }

    # Only sets the mark; delivery to the local listener happens later via
    # policy routing and the `iif lo meta mark 0xdeaf` rule in mangle_prerouting.
    chain udp_output_mark {
        meta l4proto udp mark set 0xdeaf
    }

    # Forwarded-traffic variant of the destination policy: marks and tproxies in
    # one step. The `!= @chnroute` test on the last rule is already guaranteed
    # by the caller in mangle_prerouting, so it is redundant but harmless.
    chain udp_forward_conditional_tproxy {
        meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy
        meta l4proto udp ip6 daddr $udp_host accept
        meta l4proto udp ip6 daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy
    }

    # Hands the datagram to the local listener on [::1]; that socket has to be
    # a transparent (IP_TRANSPARENT) socket for this to work.
    chain udp_tproxy {
        meta l4proto udp tproxy to [::1]:$udp_local_port
    }
}