change a lot, stable now

2026-01-07 13:07:56 +08:00 · 2020-04-24 00:47:25 +08:00
parent 0aa9dd2f45
commit 6ed1be3c8a
8 changed files with 121 additions and 76 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,10 +5,19 @@ add_executable(cgattach cgattach.cpp)

 install(TARGETS cgattach DESTINATION /usr/bin 
        PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE SETUID)
-install(FILES cgproxy.sh DESTINATION /usr/bin RENAME cgproxy
+install(FILES  cgproxy.sh DESTINATION /usr/bin 
+        RENAME cgproxy
        PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
-install(FILES run_in_cgroup.sh DESTINATION /usr/bin RENAME run_in_cgroup
-       PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
-install(FILES cgproxy.service DESTINATION /usr/lib/systemd/system/)
-install(FILES cgproxy.conf DESTINATION /etc/)
-install(FILES cgroup-tproxy.sh DESTINATION /usr/share/cgproxy/scripts/)
+install(FILES  nocgproxy.sh DESTINATION /usr/bin 
+        RENAME nocgproxy
+        PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+# install(FILES  run_in_cgroup.sh DESTINATION /usr/bin 
+#         RENAME run_in_cgroup
+#        PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+install(FILES cgproxy.service 
+        DESTINATION /usr/lib/systemd/system/)
+install(FILES cgproxy.conf 
+        DESTINATION /etc/)
+install(FILES cgroup-tproxy.sh 
+        DESTINATION /usr/share/cgproxy/scripts/)
--- a/cgattach.cpp
+++ b/cgattach.cpp
@@ -22,10 +22,11 @@ bool exist(string path) {

 bool validate(string pid, string cgroup) {
  bool pid_v = regex_match(pid, regex("^[0-9]+$"));
-  bool cg_v = regex_match(cgroup, regex("^\\/[a-zA-Z0-9\\-_./@]+$"));
+  bool cg_v = regex_match(cgroup, regex("^\\/[a-zA-Z0-9\\-_./@]*$"));
  if (pid_v && cg_v)
    return true;
  // cout<<pid_v<<" "<<cg_v<<endl;
+  puts("paramater validate error\n");
  print_usage();
  exit(EXIT_FAILURE);
 }
@@ -39,6 +40,7 @@ int main(int argc, char *argv[]) {
  }

  if (argc != 3) {
+    puts("only need 2 paramaters\n");
    print_usage();
    exit(EXIT_FAILURE);
  }
--- a/cgproxy.conf
+++ b/cgproxy.conf
@@ -1,8 +1,14 @@
-## any process in this cgroup will be proxied
-## must start with slash '/'
-proxy_cgroup="/proxy.slice"
-# proxy_cgroup="/user.slice"
+########################################################################
+## cgroup transparent proxy
+## any process in cgroup_proxy will be proxied, and cgroup_noproxy is the opposite
+## note: v2ray should not run in a proxied cgroup
+## cgroup must start with slash '/'
+# cgroup_proxy="/" 
+cgroup_proxy="/proxy.slice" 
+cgroup_noproxy="/noproxy.slice"

+
+########################################################################
 ## listening port of another proxy process, for example v2ray 
 port=12345

@@ -11,14 +17,12 @@ enable_tcp=true
 enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
+enable_dns=true # due to v2ray bug https://github.com/v2ray/v2ray-core/issues/1432

-## v2ray outbound mark, depend on your v2ray setting
-## only useful if v2ray process is also in proxy_cgroup, for example, you want to proxy whole userspace,
-## and v2ray is also running in the same userspace
-## otherwise ignore this
-v2ray_outbound_mark=0xff # 255

+########################################################################
 ## do not modify this if you don't known what you are doing
 table=100
-mark=0x01
+mark_proxy=0x01
+mark_noproxy=0xff
 mark_newin=0x02
--- a/cgproxy.service
+++ b/cgproxy.service
@@ -4,7 +4,7 @@ After=network.target

 [Service]
 ExecStart=sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh --config=/etc/cgproxy.conf
-ExecStop=sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh stop
+ExecStop= sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh stop
 RemainAfterExit=1

 [Install]
--- a/cgproxy.sh
+++ b/cgproxy.sh
@@ -5,9 +5,9 @@ source $config

 # test suid bit
 if [ -u "$(which cgattach)" ]; then 
-    cgattach $$ $proxy_cgroup && attached=1
+    cgattach $$ $cgroup_proxy && attached=1
 else
-    sudo cgattach $$ $proxy_cgroup && attached=1
+    sudo cgattach $$ $cgroup_proxy && attached=1
 fi

 # test attach success or not
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -31,7 +31,8 @@ DOC
 }

 ## any process in this cgroup will be proxied
-proxy_cgroup="/proxy.slice"
+cgroup_proxy="/proxy.slice"
+cgroup_noproxy="/noproxy.slice"

 ## some variables
 port=12345
@@ -42,9 +43,9 @@ enable_ipv6=true

 ## do not modify this if you don't known what you are doing
 table=100
-mark=0x01
-mark_newin=0x02
-v2ray_outbound_mark=0xff
+mark_proxy=0x01
+mark_noproxy=0xff
+make_newin=0x02

 ## cgroup things
 # cgroup_mount_point=$(findmnt -t cgroup,cgroup2 -n -J|jq '.filesystems[0].target')
@@ -53,6 +54,7 @@ cgroup_mount_point="/sys/fs/cgroup"
 cgroup_type="cgroup2"
 cgroup_procs_file="cgroup.procs"

+set -x
 ## parse parameter
 for i in "$@"
 do
@@ -64,9 +66,9 @@ case $i in
        ip6tables -t mangle -F
        ip6tables -t mangle -X TPROXY_PRE
        ip6tables -t mangle -X TPROXY_OUT
-        ip rule delete fwmark $mark lookup $table
+        ip rule delete fwmark $mark_proxy lookup $table
        ip route flush table $table
-        ip -6 rule delete fwmark $mark lookup $table
+        ip -6 rule delete fwmark $mark_proxy lookup $table
        ip -6 route flush table $table
        iptables -t nat -A OUTPUT -F
        ip6tables -t nat -A OUTPUT -F
@@ -85,51 +87,56 @@ esac
 done

 ## TODO cgroup need to exists before using in iptables since 5.6.5, maybe it's bug
-test -d $cgroup_mount_point$proxy_cgroup || mkdir $cgroup_mount_point$proxy_cgroup || exit -1; 
+test -d $cgroup_mount_point$cgroup_proxy    || mkdir $cgroup_mount_point$cgroup_proxy   || exit -1; 
+test -d $cgroup_mount_point$cgroup_noproxy  || mkdir $cgroup_mount_point$cgroup_noproxy || exit -1; 

 ## use TPROXY
 #ipv4#
-ip rule add fwmark $mark table $table
+ip rule add fwmark $mark_proxy table $table
 ip route add local default dev lo table $table
 iptables -t mangle -N TPROXY_PRE
-iptables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark
-iptables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark
-iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark_newin
+iptables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark_proxy -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark_proxy
+iptables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark_proxy -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark_proxy
+iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $make_newin
 iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restore-mark
 iptables -t mangle -A PREROUTING -j TPROXY_PRE

 iptables -t mangle -N TPROXY_OUT
 iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
-iptables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_outbound_mark -j RETURN
-iptables -t mangle -A TPROXY_OUT -m connmark --mark  $mark_newin -j RETURN # return incoming connection directly, v2ray tproxy not work for this situation, see this: https://github.com/Kr328/ClashForAndroid/issues/146
-iptables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-iptables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
+iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
+iptables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN # return incoming connection directly, v2ray tproxy not work for this situation, see this: https://github.com/Kr328/ClashForAndroid/issues/146
+iptables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
+iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
+iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $mark_proxy
 iptables -t mangle -A OUTPUT -j TPROXY_OUT

 #ipv6#
-ip -6 rule add fwmark $mark table $table
+ip -6 rule add fwmark $mark_proxy table $table
 ip -6 route add local default dev lo table $table
 ip6tables -t mangle -N TPROXY_PRE
-ip6tables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark
-ip6tables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark
-ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark_newin
+ip6tables -t mangle -A TPROXY_PRE -p udp -m mark --mark $mark_proxy -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark_proxy
+ip6tables -t mangle -A TPROXY_PRE -p tcp -m mark --mark $mark_proxy -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark_proxy
+ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --set-mark $make_newin
 ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restore-mark
 ip6tables -t mangle -A PREROUTING -j TPROXY_PRE

 ip6tables -t mangle -N TPROXY_OUT
 ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_outbound_mark -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m connmark --mark  $mark_newin -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-ip6tables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
+ip6tables -t mangle -A TPROXY_OUT -p icmp -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $mark_proxy
 ip6tables -t mangle -A OUTPUT -j TPROXY_OUT


 ## use REDIRECT
-# iptables -t nat -A OUTPUT -p tcp -m cgroup --path $proxy_cgroup -j DNAT --to-destination 127.0.0.1:12345
-# ip6tables -t nat -A OUTPUT -p tcp -m cgroup --path $proxy_cgroup -j DNAT --to-destination [::1]:12345
+# iptables -t nat -A OUTPUT -p tcp -m cgroup --path $cgroup_proxy -j DNAT --to-destination 127.0.0.1:12345
+# ip6tables -t nat -A OUTPUT -p tcp -m cgroup --path $cgroup_proxy -j DNAT --to-destination [::1]:12345

 ## allow to disable, order is important
+$enable_dns    	|| iptables  -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
+$enable_dns    	|| ip6tables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
 $enable_udp 	|| iptables  -t mangle -I TPROXY_OUT -p udp -j RETURN
 $enable_udp 	|| ip6tables -t mangle -I TPROXY_OUT -p udp -j RETURN
 $enable_tcp 	|| iptables  -t mangle -I TPROXY_OUT -p tcp -j RETURN
@@ -147,7 +154,7 @@ $enable_ipv6 	|| ip6tables -t mangle -I TPROXY_OUT -j RETURN

 ## message for user
 cat << DOC
-proxied cgroup: $proxy_cgroup
+proxied cgroup: $cgroup_proxy
 DOC

 ## tproxy need Root or cap_net_admin capability
--- a/nocgproxy.sh
+++ b/nocgproxy.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+config="/etc/cgproxy.conf"
+source $config
+
+# test suid bit
+if [ -u "$(which cgattach)" ]; then 
+    cgattach $$ $cgroup_noproxy && attached=1
+else
+    sudo cgattach $$ $cgroup_noproxy && attached=1
+fi
+
+# test attach success or not
+[[ -z "$attached" ]] && echo "config error" && exit 1
+
+exec "$@"
--- a/readme.md
+++ b/readme.md
@@ -4,7 +4,9 @@

 ## Introduction

-cgproxy will **transparent** proxy anything running in specific cgroup. It resembles with *proxychains* and *tsock*, but without their disadvantages.
+cgproxy will transparent proxy anything running in specific cgroup. It resembles with *proxychains* and *tsock*, but without their disadvantages, and more powerfull.
+
+It aslo supports global transparent proxy. See [Global transparent proxy](#global-transparent-proxy)


 <!--ts-->
@@ -66,11 +68,17 @@ It is alreay in [archlinux AUR](https://aur.archlinux.org/packages/cgproxy/).
 More config in `/etc/cgproxy.conf`:

 ```bash
-## any process in this cgroup will be proxied
-## must start with slash '/'
-proxy_cgroup="/proxy.slice"
-# proxy_cgroup="/user.slice"
+########################################################################
+## cgroup transparent proxy
+## any process in cgroup_proxy will be proxied, and cgroup_noproxy is the opposite
+## note: v2ray should not run in a proxied cgroup
+## cgroup must start with slash '/'
+# cgroup_proxy="/" 
+cgroup_proxy="/proxy.slice" 
+cgroup_noproxy="/noproxy.slice"

+
+########################################################################
 ## listening port of another proxy process, for example v2ray 
 port=12345

@@ -79,16 +87,14 @@ enable_tcp=true
 enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
+enable_dns=true # due to v2ray bug https://github.com/v2ray/v2ray-core/issues/1432

-## v2ray outbound mark, depend on your v2ray setting
-## only useful if v2ray process is also in proxy_cgroup, for example, you want to proxy whole userspace,
-## and v2ray is also running in the same userspace
-## otherwise ignore this
-v2ray_outbound_mark=0xff # 255

+########################################################################
 ## do not modify this if you don't known what you are doing
 table=100
-mark=0x01
+mark_proxy=0x01
+mark_noproxy=0xff
 mark_newin=0x02
 ```

@@ -100,35 +106,28 @@ sudo systemctl restart cgproxy.service

 ## Global transparent proxy

- First, set `proxy_cgroup=/user.slice` in `/etc/cgproxy.conf`, this will proxy your whole user space
+- First, set **cgroup_proxy=/**  in `/etc/cgproxy.conf`, this will proxy all connection

- Then, allow proxy software itself connect direct to internet, two available solutions:
+- Then,  run your proxy software in cgroup_noproxy to allow  direct to internet

-  - Sloution 1: set all outbound mark in v2ray, and set `v2ray_outbound_mark` in `/etc/cgproxy.conf`
-
-  - Sloution 2: run your proxy software in another cgroup that won't be proxyied
-
-    ```bash
-    # qv2ray as example
-    run_in_cgroup --cgroup=/noproxy.slice qv2ray
-    # v2ray as example
-    run_in_cgroup --cgroup=/noproxy.slice v2ray --config config_file
-    ```
+  ```bash
+  nocgproxy  <PROXY PROGRAM>
+  # qv2ray as example
+  nocgproxy   qv2ray
+  # v2ray as example
+  nocgproxy v2ray --config config_file
+  ```

 - Finally, restart service `sudo systemctl restart cgproxy.service`, that's all

-## 
-
 ## Other useful tools provided in this project

- `cgattach` attach specific process pid to specific cgroup which will create if not exist , cgroup can be only one level down exist cgroup, otherwise created fail.
+- `nocgproxy` run program wihout proxy, very useful in global transparent proxy

  ```bash
-  cgattch <pid> <cgroup>
-  # example
-  cgattch 9999 /proxy.slice
+  nocgproxy <CMD> 
  ```
-
+  
 - `run_in_cgroup` run command in specific cgroup which will create if not exist , cgroup can be only one level down exist cgroup, otherwise created fail.

  ```bash
@@ -136,6 +135,14 @@ sudo systemctl restart cgproxy.service
  # example
  run_in_cgroup --cgroup=/mycgroup.slice ping 127.0.0.1
  ```
+  
+- `cgattach` attach specific process pid to specific cgroup which will create if not exist , cgroup can be only one level down exist cgroup, otherwise created fail.
+
+  ```bash
+  cgattch <pid> <cgroup>
+  # example
+  cgattch 9999 /proxy.slice
+  ```

 ## NOTES