ss/transparent-proxy.nft
2024-10-29 20:34:01 +08:00

127 lines
3.6 KiB
Text

define tcp_host = @empty_ipv4
define udp_host = @empty_ipv4
define tcp_proxy_ifnames = @empty_str
define udp_proxy_ifnames = @empty_str
define tcp_server_port = 443
define udp_server_port = 443
define tcp_local_port = 1080
define udp_local_port = 1080
## DO NOT CHANGE THIS LINE
add table ip transparent_proxy
delete table ip transparent_proxy
table ip transparent_proxy {
set tcp_bypass {
type cgroupsv2
}
set udp_bypass {
type cgroupsv2
}
set tcp_enforce {
type cgroupsv2
}
set udp_enforce {
type cgroupsv2
}
set empty_ipv4 {
type ipv4_addr
flags constant
}
set empty_str {
typeof iifname
flags constant
}
set chnroute {
type ipv4_addr
flags interval
auto-merge
elements = {
0.0.0.0/8,
10.0.0.0/8,
100.64.0.0/10,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.0.0.0/24,
192.0.2.0/24,
192.88.99.0/24,
192.168.0.0/16,
198.18.0.0/15,
198.51.100.0/24,
203.0.113.0/24,
224.0.0.0/4,
240.0.0.0/4,
255.255.255.255,
}
}
# tcp part
chain nat_prerouting {
type nat hook prerouting priority dstnat
policy accept
ip protocol tcp iifname $tcp_proxy_ifnames jump tcp_pre_redirect
}
chain nat_output {
type nat hook output priority -100
policy accept
ip protocol tcp socket cgroupv2 level 2 @tcp_bypass accept
ip protocol tcp socket cgroupv2 level 2 @tcp_enforce goto tcp_redirect
ip protocol tcp jump tcp_pre_redirect
}
chain tcp_pre_redirect {
ip protocol tcp ip daddr $tcp_host tcp dport != $tcp_server_port goto tcp_redirect
ip protocol tcp ip daddr $tcp_host accept
ip protocol tcp ip daddr != @chnroute goto tcp_redirect
}
chain tcp_redirect {
ip protocol tcp redirect to :$tcp_local_port
}
# udp part
chain mangle_prerouting {
type filter hook prerouting priority mangle
policy accept
ip protocol udp iif lo meta mark 0xdeaf goto udp_tproxy
ip protocol udp iifname $udp_proxy_ifnames ip daddr != @chnroute goto udp_forward_conditional_tproxy
}
chain mangle_output {
type route hook output priority mangle
policy accept
ip protocol udp socket cgroupv2 level 2 @udp_bypass accept
ip protocol udp socket cgroupv2 level 2 @udp_enforce goto udp_output_mark
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port goto udp_output_mark
ip protocol udp ip daddr $udp_host accept
ip protocol udp ip daddr != @chnroute goto udp_output_mark
}
chain udp_output_mark {
ip protocol udp mark set 0xdeaf
}
chain udp_forward_conditional_tproxy {
ip protocol udp ip daddr $udp_host udp dport != $udp_server_port meta mark set 0xdeaf goto udp_tproxy
ip protocol udp ip daddr $udp_host accept
ip protocol udp ip daddr != @chnroute meta mark set 0xdeaf goto udp_tproxy
}
chain udp_tproxy {
ip protocol udp tproxy to 127.0.0.1:$udp_local_port
}
}
add table ip6 output_deny
delete table ip6 output_deny
table ip6 output_deny {
chain output {
type filter hook output priority filter
policy accept
ip6 daddr != { ::/127, ::ffff:0:0/96, ::ffff:0:0:0/96, 64:ff9b::/96, 64:ff9b:1::/48, 100::/64, 2001:0000::/32, 2001:20::/28, 2001:db8::/32, fc00::/7, fe80::/64, ff00::/8 } reject
}
}