define tcp_host = @empty_ipv6 define udp_host = @empty_ipv6 define tcp_proxy_ifnames = @empty_str define udp_proxy_ifnames = @empty_str define tcp_server_port = 443 define udp_server_port = 443 define tcp_local_port = 1080 define udp_local_port = 1080 ## DO NOT CHANGE THIS LINE # this works since v4 rule is always loaded first add table ip6 output_deny delete table ip6 output_deny add table ip6 transparent_proxy_v6 delete table ip6 transparent_proxy_v6 table ip6 transparent_proxy_v6 { set tcp_bypass { type cgroupsv2 } set udp_bypass { type cgroupsv2 } set tcp_enforce { type cgroupsv2 } set udp_enforce { type cgroupsv2 } set empty_ipv6 { type ipv6_addr flags constant } set empty_str { typeof iifname flags constant } set chnroute { type ipv6_addr flags interval auto-merge elements = { ::/127, ::ffff:0:0/96, ::ffff:0:0:0/96, 64:ff9b::/96, 64:ff9b:1::/48, 100::/64, 2001:0000::/32, 2001:20::/28, 2001:db8::/32, fc00::/7, fe80::/64, ff00::/8, } } # tcp part chain nat_prerouting { type nat hook prerouting priority dstnat policy accept meta l4proto tcp iifname $tcp_proxy_ifnames jump tcp_pre_redirect } chain nat_output { type nat hook output priority -100 policy accept meta l4proto tcp socket cgroupv2 level 2 @tcp_bypass accept meta l4proto tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect meta l4proto tcp jump tcp_pre_redirect } chain tcp_pre_redirect { meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_redirect meta l4proto tcp ip6 daddr $tcp_host accept meta l4proto tcp ip6 daddr != @chnroute goto tcp_redirect } chain tcp_redirect { meta l4proto tcp redirect to :$tcp_local_port } # udp part chain mangle_prerouting { type filter hook prerouting priority mangle policy accept meta l4proto udp iif lo meta mark 0xdeaf goto udp_tproxy meta l4proto udp iifname $udp_proxy_ifnames ip6 daddr != @chnroute goto udp_forward_conditional_tproxy } chain mangle_output { type route hook output priority mangle policy accept meta l4proto udp socket cgroupv2 level 2 @udp_bypass accept meta l4proto udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto udp_output_mark meta l4proto udp ip6 daddr $udp_host accept meta l4proto udp ip6 daddr != @chnroute goto udp_output_mark } chain udp_output_mark { meta l4proto udp mark set 0xdeaf } chain udp_forward_conditional_tproxy { meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy meta l4proto udp ip6 daddr $udp_host accept meta l4proto udp ip6 daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy } chain udp_tproxy { meta l4proto udp tproxy to [::1]:$udp_local_port } }