define tcp_host = @empty_ipv4 define udp_host = @empty_ipv4 define tcp_proxy_ifnames = @empty_str define udp_proxy_ifnames = @empty_str define tcp_server_port = 443 define udp_server_port = 443 define tcp_local_port = 1080 define udp_local_port = 1080 ## DO NOT CHANGE THIS LINE # need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice" add table ip transparent_proxy delete table ip transparent_proxy table ip transparent_proxy { set empty_ipv4 { type ipv4_addr flags constant } set empty_str { typeof iifname flags constant } set chnroute { type ipv4_addr flags interval auto-merge elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255, } } chain mangle_prerouting { type filter hook prerouting priority mangle policy accept ip protocol { tcp, udp } iif lo meta mark 0xdeaf goto tcp_udp_tproxy ip protocol tcp iifname $tcp_proxy_ifnames ip daddr != @chnroute goto tcp_udp_forward_conditional_tproxy ip protocol udp iifname $udp_proxy_ifnames ip daddr != @chnroute goto tcp_udp_forward_conditional_tproxy } chain mangle_output { type route hook output priority mangle policy accept ip protocol tcp ct direction reply accept ip protocol tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept ip protocol udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept ip protocol tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark ip protocol udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark ip protocol tcp ip daddr $tcp_host accept ip protocol udp ip daddr $udp_host accept ip protocol { tcp, udp } ip daddr != @chnroute goto tcp_udp_output_mark } chain tcp_udp_output_mark { ip protocol { tcp, udp } mark set 0xdeaf } chain tcp_udp_forward_conditional_tproxy { ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy ip protocol tcp ip daddr $tcp_host accept ip protocol udp ip daddr $udp_host accept ip protocol { tcp, udp } ip daddr != @chnroute meta mark set 0x0000deaf goto tcp_udp_tproxy } chain tcp_udp_tproxy { ip protocol tcp tproxy to 127.0.0.1:$tcp_local_port ip protocol udp tproxy to 127.0.0.1:$udp_local_port } } add table ip6 output_deny delete table ip6 output_deny table ip6 output_deny { chain output { type filter hook output priority filter policy accept ip6 daddr != { ::/127, ::ffff:0:0/96, ::ffff:0:0:0/96, 64:ff9b::/96, 64:ff9b:1::/48, 100::/64, 2001:0000::/32, 2001:20::/28, 2001:db8::/32, fc00::/7, fe80::/64, ff00::/8 } reject } }