
     1  #! /usr/sbin/nft -f
     2  
     3  define RESERVED_IP = {
     4      # 10.0.0.0/8,
     5      100.64.0.0/10,
     6      127.0.0.0/8,
     7      169.254.0.0/16,
     8      172.16.0.0/12,
     9      192.0.0.0/24,
    10      224.0.0.0/4,
    11      240.0.0.0/4,
    12      255.255.255.255/32,
    13      100.64.0.0/10, 
    14      192.168.122.255/32,
    15      192.168.2.255/32, 
    16      192.168.2.0/24, 
    17      239.255.255.250,
    18      203.0.113.1
    19  }
    20  
    21  define PROXY_IP = {
    22      192.168.2.145,
    23      192.168.2.146,
    24      192.168.2.147,
    25      192.168.2.135,
    26      192.168.122.17,
    27      192.168.122.185
    28  }
    29  
    30  define PROXY_MAC = {
    31      FC:D9:08:35:72:6A,
    32      78:20:A5:F5:8A:6D
    33  }
    34  
# add table ip yuhaiin
# (appears to be a leftover: the table below is family `inet`, which covers
#  IPv4 and IPv6; an `ip`-family table named yuhaiin would be a separate,
#  empty table and would not affect the rules here)
    36  
# Transparent-proxy ruleset for yuhaiin. The table is family inet, so its hooks
# see both IPv4 and IPv6 packets -- but note that the active exclusion rule is
# IPv4-only (`ip daddr`) and each tproxy rule is family-specific.
#
# NOTE(review): the 0x1 mark set below is only useful together with a
# policy-routing rule for that fwmark and a `local` default route (typically
# `ip rule add fwmark 0x1 lookup <table>` + `ip route add local default dev lo
# table <table>`). Neither is in this file; presumably a sibling script sets
# them up -- confirm before deploying.
table inet yuhaiin {
        # Traffic from other ("child") devices that passes through this host,
        # i.e. the router/gateway case. Rules are evaluated in order and the
        # first verdict wins, so the `return` exclusions must stay above the
        # tproxy rules.
        #
        chain prerouting {
                type filter hook prerouting priority mangle; policy accept;
                # IPv4 destinations that are never proxied (see RESERVED_IP).
                ip daddr $RESERVED_IP return
                # meta l4proto tcp ip daddr 192.168.0.0/16 return
                # ip daddr 192.168.0.0/16 udp dport != 53 return
                # ip6 daddr { ::1, fe80::/10 } return
                # meta l4proto tcp ip6 daddr fd00::/8 return
                # ip6 daddr fd00::/8 udp dport != 53 return
                # NOTE(review): the IPv6 exclusions directly above are commented
                # out, so there is no IPv6 equivalent of the RESERVED_IP rule:
                # IPv6 traffic from PROXY_MAC hosts to loopback, link-local or
                # ULA destinations falls through to the `tproxy ip6` rule. Verify
                # that is intended before relying on the IPv6 path.
                # Local service discovery (mDNS 5353, LLMNR 5355, NAT-PMP 5351,
                # SSDP 1900) is never proxied, in either direction.
                udp dport { 5353,5355,5351,1900 } return
                udp sport { 5353,5355,5351,1900 } return
                # Escape hatch: packets already carrying mark 0xff are left
                # alone. Nothing in this file sets 0xff -- presumably the proxy's
                # own traffic or a sibling ruleset does; confirm.
                meta mark 0xff return
                # Hand TCP/UDP from the listed sources to the local proxy socket
                # and mark the packet 0x1 for the policy route mentioned above.
                # The first rule matches by IPv4 source and uses `tproxy ip`; the
                # second matches by Ethernet source and uses `tproxy ip6`. In an
                # inet chain a tproxy statement with an explicit family does not
                # match packets of the other family (per nft_tproxy's family
                # check), so an IPv4 packet from a host that is only in PROXY_MAC,
                # or an IPv6 packet from a host that is only in PROXY_IP, is
                # proxied by neither rule.
                meta l4proto { tcp, udp } ip saddr $PROXY_IP meta mark set 0x1 tproxy ip to 127.0.0.1:8083 accept
                meta l4proto { tcp, udp } ether saddr $PROXY_MAC meta mark set 0x1 tproxy ip6 to [::1]:8083 accept
        }

        # Proxying this device's own traffic (output hook). Left disabled:
        # on a router it is usually not needed. Note that, unlike the chain
        # above, it only sets the 0x1 mark and has no tproxy statement.
        #
        # chain output {
        #         type route hook output priority filter; policy accept;
        #         ip daddr $RESERVED_IP return
        #         meta l4proto tcp ip daddr 192.168.0.0/16 return
        #         ip daddr 192.168.0.0/16 udp dport != 53 return
        #         ip6 daddr { ::1, fe80::/10 } return
        #         meta l4proto tcp ip6 daddr fd00::/8 return
        #         ip6 daddr fd00::/8 udp dport != 53 return
        #         meta mark 0xff return
        #         meta l4proto { tcp, udp } meta mark set 0x00000001 accept
        # }


        # Already-established transparent TCP connections: a packet whose
        # matching local socket has IP_TRANSPARENT set gets mark 0x1 so it keeps
        # being routed locally. This chain sits on the same hook at the same
        # priority as `prerouting`, so their relative order is not defined by
        # priority; that is harmless here because both chains end in `accept`,
        # which terminates only the chain it appears in.
        chain divert {
                type filter hook prerouting priority mangle; policy accept;
                meta l4proto tcp socket transparent 1 meta mark set 0x00000001 accept
        }
}
    75  }