# IPv6 half of a transparent-proxy (tproxy) ruleset.
#
# The first four defines are placeholders: @empty_ipv6 and @empty_str are
# constant sets with no elements, so every rule that references $tcp_host,
# $udp_host, $tcp_proxy_ifnames or $udp_proxy_ifnames matches nothing until
# these defines are replaced with real values.
define tcp_host = @empty_ipv6
define udp_host = @empty_ipv6
define tcp_proxy_ifnames = @empty_str
define udp_proxy_ifnames = @empty_str
# Port on which the proxy server ($tcp_host/$udp_host) is reached. Traffic to
# the host on this port is the proxy's own upstream connection and is accepted
# untouched; traffic to the same host on any other port is still proxied.
define tcp_server_port = 443
define udp_server_port = 443
# Local listener of the transparent proxy that tproxy redirects to (on ::1).
define tcp_local_port = 1080
define udp_local_port = 1080
## DO NOT CHANGE THIS LINE
# need "ss_bp.slice", "ss_bp_tcp.slice", "ss_bp_udp.slice", "ss_fw.slice", "ss_fw_tcp.slice", "ss_fw_udp.slice"
# this works since v4 rule is always loaded first
# Add-then-delete idiom: "add table" is a no-op when the table already exists,
# so the following "delete table" cannot fail on a missing table. Net effect:
# both tables are dropped before transparent_proxy_v6 is recreated below.
# output_deny is not defined in this file (presumably it belongs to the v4
# ruleset referred to above -- confirm).
add table ip6 output_deny
delete table ip6 output_deny
add table ip6 transparent_proxy_v6
delete table ip6 transparent_proxy_v6

table ip6 transparent_proxy_v6 {
	# Intentionally empty constant sets, used as the defaults for the
	# $*_host / $*_proxy_ifnames defines above.
	set empty_ipv6 {
		type ipv6_addr
		flags constant
	}

	set empty_str {
		typeof iifname
		flags constant
	}

	# Destinations that are NOT sent through the proxy. Only reserved /
	# special-purpose ranges are listed here (loopback, IPv4-mapped, NAT64,
	# discard, documentation, ULA, link-local, multicast). Despite the name,
	# no China route list is present in this file -- presumably it is merged
	# in elsewhere; confirm before relying on the set for anything else.
	set chnroute {
		type ipv6_addr
		flags interval
		auto-merge
		elements = {
			::/127,
			::ffff:0:0/96,
			::ffff:0:0:0/96,
			64:ff9b::/96,
			64:ff9b:1::/48,
			100::/64,
			2001:0000::/32,
			2001:20::/28,
			2001:db8::/32,
			fc00::/7,
			fe80::/64,
			ff00::/8,
		}
	}

	# Inbound and forwarded packets.
	chain mangle_prerouting {
		type filter hook prerouting priority mangle
		policy accept
		# Locally generated packets that mangle_output marked 0xdeaf come
		# back in on lo and are handed to tproxy. This relies on a policy
		# route for fwmark 0xdeaf pointing at lo, which is not part of this
		# file -- without it the marked packets never reach this rule.
		meta l4proto { tcp, udp } iif lo meta mark 0xdeaf goto tcp_udp_tproxy
		# Forwarded traffic from the proxied interfaces (none by default, see
		# the defines) to destinations outside @chnroute.
		meta l4proto tcp iifname $tcp_proxy_ifnames ip6 daddr != @chnroute goto tcp_udp_forward_conditional_tproxy
		meta l4proto udp iifname $udp_proxy_ifnames ip6 daddr != @chnroute goto tcp_udp_forward_conditional_tproxy
	}

	# Locally generated packets. The chain is "type route" so that a mark
	# changed here causes a fresh route lookup (which is what lets the
	# fwmark policy route steer the packet to lo).
	chain mangle_output {
		type route hook output priority mangle
		policy accept
		# Packets in the reply direction of a TCP conntrack entry, i.e. a
		# local server answering an inbound connection, are never proxied.
		# NOTE(review): there is no UDP counterpart, so replies from local
		# UDP services to peers outside @chnroute fall through to the last
		# rule of this chain and get marked -- confirm that is intended.
		meta l4proto tcp ct direction reply accept
		# Sockets owned by processes in the ss_bp* cgroups are accepted
		# unmarked (never redirected); "level 1" matches the cgroup directly
		# below the cgroupv2 root.
		meta l4proto tcp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_tcp.slice" } accept
		meta l4proto udp socket cgroupv2 level 1 { "ss_bp.slice", "ss_bp_udp.slice" } accept
		# Sockets owned by processes in the ss_fw* cgroups are always marked
		# for redirection, regardless of destination.
		meta l4proto tcp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_tcp.slice" } goto tcp_udp_output_mark
		meta l4proto udp socket cgroupv2 level 1 { "ss_fw.slice", "ss_fw_udp.slice" } goto tcp_udp_output_mark
		# Traffic to the proxy host on any port other than the server port is
		# proxied like any other destination ...
		meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port goto tcp_udp_output_mark
		meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port goto tcp_udp_output_mark
		# ... while the proxy's own upstream connection (host + server port)
		# is accepted, otherwise it would be redirected back into the proxy.
		meta l4proto tcp ip6 daddr $tcp_host accept
		meta l4proto udp ip6 daddr $udp_host accept
		# Everything else not destined for @chnroute is proxied.
		meta l4proto { tcp, udp } ip6 daddr != @chnroute goto tcp_udp_output_mark
	}

	# Set the fwmark the policy route and mangle_prerouting look for.
	# Written 0xdeaf here and 0x0000deaf in tcp_udp_forward_conditional_tproxy;
	# both are the same value.
	chain tcp_udp_output_mark {
		meta l4proto { tcp, udp } mark set 0xdeaf
	}

	# Same decision as mangle_output, but for forwarded packets (no local
	# socket, hence no cgroup or ct-direction rules). Matching packets are
	# marked and sent straight to tproxy; the mark presumably keeps the
	# redirected packet on the local delivery path via the fwmark route.
	chain tcp_udp_forward_conditional_tproxy {
		meta l4proto tcp ip6 daddr $tcp_host tcp dport != $tcp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
		meta l4proto udp ip6 daddr $udp_host udp dport != $udp_server_port meta mark set 0x0000deaf goto tcp_udp_tproxy
		meta l4proto tcp ip6 daddr $tcp_host accept
		meta l4proto udp ip6 daddr $udp_host accept
		meta l4proto { tcp, udp } ip6 daddr != @chnroute meta mark set 0x0000deaf goto tcp_udp_tproxy
	}

	# Hand the packet to the local proxy listener on loopback.
	chain tcp_udp_tproxy {
		meta l4proto tcp tproxy to [::1]:$tcp_local_port
		meta l4proto udp tproxy to [::1]:$udp_local_port
	}
}