# Tunables for the ip6 transparent-proxy ruleset below. The @empty_* values are
# constant empty sets defined in the table, so the rules that use these variables
# match nothing until a real value is substituted here.

# Presumably the proxy server address(es); with @empty_ipv6 the "daddr $tcp_host"
# and "daddr $udp_host" rules never match.
define tcp_host = @empty_ipv6
define udp_host = @empty_ipv6

# Incoming interfaces whose forwarded traffic is proxied; @empty_str means none.
define tcp_proxy_ifnames = @empty_str
define udp_proxy_ifnames = @empty_str

# Remote port of the proxy server: traffic to $tcp_host/$udp_host on this port is
# accepted as-is, every other port on that host is still proxied.
define tcp_server_port = 443
define udp_server_port = 443

# Local ports of the transparent TCP (redirect) and UDP (tproxy) listeners.
define tcp_local_port = 1080
define udp_local_port = 1080
## DO NOT CHANGE THIS LINE
# requires the systemd slices "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice" to exist (matched by "socket cgroupv2 level 1" below)
# this works because the v4 ruleset is always loaded first
# NOTE(review): "output_deny" is not defined in this file — presumably created by the
# v4 ruleset while the v6 rules are not yet in place; confirm against that file.
# add-then-delete idiom: "add table" is a no-op when the table already exists, so the
# following "delete table" cannot fail and the script stays idempotent.
add table ip6 output_deny
delete table ip6 output_deny

# Same idiom to drop any previous version of this table before it is redefined below.
add table ip6 transparent_proxy_v6
delete table ip6 transparent_proxy_v6
# ip6 transparent proxy: TCP via nat "redirect", UDP via mangle mark + "tproxy".
# Destinations in @chnroute bypass the proxy; everything else is proxied unless the
# originating socket sits in one of the ss_bp* cgroup slices.
table ip6 transparent_proxy_v6 {
    # Placeholder referenced by $tcp_host/$udp_host: an empty constant set, so
    # "ip6 daddr $tcp_host" matches nothing until a real address is configured.
    set empty_ipv6 {
        type ipv6_addr
        flags constant
    }

    # Placeholder referenced by $tcp_proxy_ifnames/$udp_proxy_ifnames (interface names).
    set empty_str {
        typeof iifname
        flags constant
    }

    # Destinations that bypass the proxy (direct). The static elements are reserved /
    # special-purpose IPv6 ranges; the set name suggests country routes are appended
    # externally — confirm how this set is populated. Interval set with auto-merge so
    # overlapping or adjacent prefixes are collapsed on load.
    set chnroute {
        type ipv6_addr
        flags interval
        auto-merge

        elements = {
            ::/127,             # unspecified (::) and loopback (::1)
            ::ffff:0:0/96,      # IPv4-mapped
            ::ffff:0:0:0/96,    # deprecated IPv4-translated (SIIT)
            64:ff9b::/96,       # NAT64 well-known prefix
            64:ff9b:1::/48,     # NAT64 local-use prefix
            100::/64,           # discard-only
            2001:0000::/32,     # Teredo
            2001:20::/28,       # ORCHIDv2
            2001:db8::/32,      # documentation
            fc00::/7,           # unique local (ULA)
            fe80::/64,          # link-local; NOTE(review): the full link-local prefix is fe80::/10 — confirm /64 is intended
            ff00::/8,           # multicast
        }
    }

    # tcp part

    # Forwarded TCP arriving on the proxied interfaces is classified in
    # tcp_pre_redirect; traffic on any other interface falls through to the policy.
    chain nat_prerouting {
        type nat hook prerouting priority dstnat
        policy accept

        meta l4proto tcp iifname $tcp_proxy_ifnames jump tcp_pre_redirect
    }

    # Locally generated TCP. -100 is the same value as the standard dstnat priority.
    chain nat_output {
        type nat hook output priority -100
        policy accept

        # Bypass: sockets in the ss_bp* slices are never redirected. "level 1" matches
        # only the first-level slice under the cgroup root, not deeper nesting.
        meta l4proto tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
        # Force: sockets in the ss_fw* slices are always redirected, skipping the
        # destination checks below (including the @chnroute bypass).
        meta l4proto tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_redirect
        meta l4proto tcp jump tcp_pre_redirect
    }

    # Destination-based decision shared by nat_prerouting and nat_output.
    # Rule order matters: traffic to the proxy host on ports other than
    # $tcp_server_port is still proxied; traffic to the server port itself is
    # accepted (terminal verdict), presumably so the proxy's own upstream
    # connection is not redirected back into it.
    chain tcp_pre_redirect {
        meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_redirect
        meta l4proto tcp ip6 daddr $tcp_host accept
        # Everything not in the bypass set goes to the local proxy.
        meta l4proto tcp ip6 daddr != @chnroute goto tcp_redirect
    }

    # Redirect to the local listener port (on the receiving interface's address for
    # forwarded traffic, loopback for locally generated traffic).
    chain tcp_redirect {
        meta l4proto tcp redirect to :$tcp_local_port
    }

    # udp part
    # UDP is marked 0xdeaf and handed to the tproxy listener. For locally generated
    # packets the mark alone does not deliver the packet locally: a policy-routing
    # rule for that fwmark (presumably configured outside this file) must re-route
    # it via lo, where the first rule of mangle_prerouting picks it up.

    chain mangle_prerouting {
        type filter hook prerouting priority mangle
        policy accept

        # Locally generated UDP that was marked in mangle_output and looped back via lo.
        meta l4proto udp iif lo meta mark 0xdeaf goto udp_tproxy
        # Forwarded UDP from the proxied interfaces that is not in the bypass set.
        meta l4proto udp iifname $udp_proxy_ifnames ip6 daddr != @chnroute goto udp_forward_conditional_tproxy
    }

    # "type route" so that a mark set in this chain triggers a new route lookup.
    chain mangle_output {
        type route hook output priority mangle
        policy accept

        # Bypass / force by cgroup slice, mirroring nat_output.
        meta l4proto udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
        meta l4proto udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto udp_output_mark
        # Same host/port/bypass logic as tcp_pre_redirect, ending in a mark instead of a redirect.
        meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
        meta l4proto udp ip6 daddr $udp_host accept
        meta l4proto udp ip6 daddr != @chnroute goto udp_output_mark
    }

    # Mark for the fwmark-based re-route; the packet returns through mangle_prerouting on lo.
    chain udp_output_mark {
        meta l4proto udp mark set 0xdeaf
    }

    # Forwarded path: mark and tproxy in one pass (0x0000deaf is the same value as
    # 0xdeaf above). The "daddr != @chnroute" test on the last rule repeats the
    # check already made by the caller in mangle_prerouting and is redundant.
    chain udp_forward_conditional_tproxy {
        meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto udp_tproxy
        meta l4proto udp ip6 daddr $udp_host accept
        meta l4proto udp ip6 daddr != @chnroute meta mark set 0x0000deaf goto udp_tproxy
    }

    # Deliver to the local transparent UDP listener on ::1; the listening socket
    # must have IP_TRANSPARENT set for tproxy to work.
    chain udp_tproxy {
        meta l4proto udp tproxy to [::1]:$udp_local_port
    }
}