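# nftables ruleset (nft -f): IPv4 transparent proxy via tproxy, plus an IPv6
# egress deny so that IPv6 cannot bypass the (IPv4-only) proxy.
#
# Tunables.  The defaults below turn the optional features off:
#   tcp_host / udp_host        proxy server address(es); traffic to them on
#                              *_server_port is let through, other ports are
#                              proxied.  @empty_ipv4 matches nothing.
#   tcp_proxy_ifnames /        ingress interfaces whose forwarded traffic is
#   udp_proxy_ifnames          proxied.  @empty_str matches nothing.
#   tcp_local_port /           port of the local transparent listener that
#   udp_local_port             tproxy hands packets to (on 127.0.0.1).
# The marker line below presumably delimits what a generator rewrites;
# everything after it is static.
define tcp_host = @empty_ipv4
define udp_host = @empty_ipv4
define tcp_proxy_ifnames = @empty_str
define udp_proxy_ifnames = @empty_str
define tcp_server_port = 443
define udp_server_port = 443
define tcp_local_port = 1080
define udp_local_port = 1080

## DO NOT CHANGE THIS LINE

# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"

# Packet mark that selects the tproxy path.  Set in the output hook (which
# re-routes the packet) and on forwarded packets; matched again when the
# packet re-enters prerouting on lo.  NOTE(review): the policy-routing rule
# that sends this fwmark to a local route on lo is not part of this file —
# confirm it is installed alongside.
define proxy_mark = 0xdeaf

# "add" first so the "delete" cannot fail on a host where the table does not
# exist yet; the block then rebuilds the table from scratch.
add table ip transparent_proxy
delete table ip transparent_proxy
table ip transparent_proxy {
	# Empty constant sets: the "feature off" value of the tunables above.
	set empty_ipv4 {
		type ipv4_addr
		flags constant
	}

	set empty_str {
		typeof iifname
		flags constant
	}

	# Destinations that are never proxied.  As shipped this holds only the
	# IANA special-purpose, private, multicast and reserved IPv4 blocks;
	# presumably a generator merges the real CN route list into it.
	set chnroute {
		type ipv4_addr
		flags interval
		auto-merge

		elements = {
			0.0.0.0/8,
			10.0.0.0/8,
			100.64.0.0/10,
			127.0.0.0/8,
			169.254.0.0/16,
			172.16.0.0/12,
			192.0.0.0/24,
			192.0.2.0/24,
			192.88.99.0/24,
			192.168.0.0/16,
			198.18.0.0/15,
			198.51.100.0/24,
			203.0.113.0/24,
			224.0.0.0/4,
			240.0.0.0/4,
			255.255.255.255,
		}
	}

	# Inbound side: already-marked local traffic coming back on lo, and
	# forwarded tcp/udp arriving on the proxy interfaces.
	chain mangle_prerouting {
		type filter hook prerouting priority mangle
		policy accept

		# Output-hook packets re-routed to lo: straight to the listener.
		ip protocol { tcp, udp } iif lo meta mark $proxy_mark goto tcp_udp_tproxy
		# Forwarded clients: only destinations outside @chnroute are candidates.
		ip protocol tcp iifname $tcp_proxy_ifnames ip daddr != @chnroute goto tcp_udp_forward_conditional_tproxy
		ip protocol udp iifname $udp_proxy_ifnames ip daddr != @chnroute goto tcp_udp_forward_conditional_tproxy
	}

	# Locally generated traffic.  "type route" makes the kernel re-route a
	# packet whose mark was changed here, which is what sends it to lo.
	chain mangle_output {
		type route hook output priority mangle
		policy accept

		# Replies of inbound TCP connections stay direct.
		# NOTE(review): there is no udp counterpart — confirm that is intended.
		ip protocol tcp ct direction reply accept
		# cgroup v2 selection: ss_bp* slices bypass the proxy, ss_fw* slices
		# are always proxied.  The slices must exist (see comment above table).
		ip protocol tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
		ip protocol udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
		ip protocol tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark
		ip protocol udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark
		# Proxy server itself: only the server port is exempt, other ports
		# on the same host are still proxied.
		ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
		ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
		ip protocol tcp ip daddr $tcp_host accept
		ip protocol udp ip daddr $udp_host accept
		# Default: anything not destined to @chnroute is proxied.
		ip protocol { tcp, udp } ip daddr != @chnroute goto tcp_udp_output_mark
	}

	# Mark only; the re-route + lo re-entry path above does the tproxy.
	chain tcp_udp_output_mark {
		ip protocol { tcp, udp } meta mark set $proxy_mark
	}

	# Forwarded traffic: same server-port exemption as mangle_output, then
	# mark and tproxy in one step (no re-route is needed on this path).
	chain tcp_udp_forward_conditional_tproxy {
		ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port meta mark set $proxy_mark goto tcp_udp_tproxy
		ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set $proxy_mark goto tcp_udp_tproxy
		ip protocol tcp ip daddr $tcp_host accept
		ip protocol udp ip daddr $udp_host accept
		ip protocol { tcp, udp } ip daddr != @chnroute meta mark set $proxy_mark goto tcp_udp_tproxy
	}

	# Hand the packet to the local transparent listener.
	# NOTE(review): the listener on 127.0.0.1:$*_local_port is presumably
	# bound with IP_TRANSPARENT; nothing here checks that it is running.
	chain tcp_udp_tproxy {
		ip protocol tcp tproxy to 127.0.0.1:$tcp_local_port
		ip protocol udp tproxy to 127.0.0.1:$udp_local_port
	}
}

# IPv6 leak guard: the proxy above is IPv4-only, so locally generated IPv6 is
# allowed only to loopback, IPv4-mapped/translated, documentation, ULA,
# link-local and multicast ranges; global unicast is rejected.
# NOTE(review): output hook only — IPv6 *forwarded* from the proxy interfaces
# is not covered.  If this host forwards IPv6, a forward-hook chain with the
# same match is needed to keep clients from bypassing the proxy.
add table ip6 output_deny
delete table ip6 output_deny
table ip6 output_deny {
	chain output {
		type filter hook output priority filter
		policy accept

		ip6 daddr != { ::/127, ::ffff:0:0/96, ::ffff:0:0:0/96, 64:ff9b::/96, 64:ff9b:1::/48, 100::/64, 2001:0000::/32, 2001:20::/28, 2001:db8::/32, fc00::/7, fe80::/64, ff00::/8 } reject
	}
}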