From 7f0ebe9d35858aa5954bd070d15e897041b7074c Mon Sep 17 00:00:00 2001
From: fancy
Date: Mon, 4 May 2020 08:00:00 +0800
Subject: [PATCH] remove mark_noproxy, and other small change

---
 CMakeLists.txt | 4 +--
 cgproxy.conf | 5 ++--
 cgroup-tproxy.sh | 63 ++++++++++++++++++++++--------------------
 readme.md | 3 +--
 4 files changed, 34 insertions(+), 41 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5101250..7a13528 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.10)
-project(cgproxy VERSION 3.5)
+project(cgproxy VERSION 3.6)
 add_executable(cgattach cgattach.cpp)
 install(TARGETS cgattach DESTINATION /usr/bin
@@ -48,4 +48,4 @@ set(CONTROL_DIR ${CMAKE_SOURCE_DIR}/control)
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CONTROL_DIR}/postinst")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CONTROL_DIR}/prerm")
-include(CPack)
\ No newline at end of file
+include(CPack)
diff --git a/cgproxy.conf b/cgproxy.conf
index 03249e3..6f37473 100644
--- a/cgproxy.conf
+++ b/cgproxy.conf
@@ -6,9 +6,9 @@
 ## any process in cgroup_proxy will be proxied, and cgroup_noproxy the opposite
 ## cgroup must start with slash '/'
 # cgroup_proxy="/"
-# cgroup_noproxy="/system.slice/v2ray.service"
 cgroup_proxy="/proxy.slice"
 cgroup_noproxy="/noproxy.slice"
+# cgroup_noproxy="/system.slice/v2ray.service"
 ########################################################################
 ## allow as gateway for local network
@@ -20,15 +20,14 @@ port=12345
 ########################################################################
 ## if you set to false, it's traffic won't go through proxy, but still can go direct to internet
+enable_dns=true
 enable_tcp=true
 enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
-enable_dns=true
 ########################################################################
 ## do not modify this if you don't known what you are doing
 table=100
 fwmark=0x01
-mark_noproxy=0xff
 mark_newin=0x02
diff --git a/cgroup-tproxy.sh b/cgroup-tproxy.sh
index e9f6cbe..4f1e9a7 100644
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -39,16 +39,17 @@ enable_gateway=false
 ## some variables
 port=12345
+
+## some options
+enable_dns=true
 enable_tcp=true
 enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
-enable_dns=true
 ## do not modify this if you don't known what you are doing
 table=100
 fwmark=0x01
-mark_noproxy=0xff
 make_newin=0x02
 ## cgroup things
@@ -119,18 +120,15 @@ iptables -t mangle -A TPROXY_PRE -p icmp -j RETURN
 iptables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT
 iptables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT
 iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
-iptables -t mangle -A TPROXY_PRE -m pkttype --pkt-type broadcast -j RETURN
-iptables -t mangle -A TPROXY_PRE -m pkttype --pkt-type multicast -j RETURN
+iptables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
 iptables -t mangle -A TPROXY_PRE -j TPROXY_ENT
 iptables -t mangle -A PREROUTING -j TPROXY_PRE
 iptables -t mangle -N TPROXY_OUT
-iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
 iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
 iptables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN
-iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
-iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
-iptables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
+iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
+iptables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
 iptables -t mangle -A OUTPUT -j TPROXY_OUT
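Review bot: The script keeps the spelling `make_newin=0x02` (context line right after `fwmark=0x01`) while cgproxy.conf and readme.md in this same patch name the setting `mark_newin`; if cgroup-tproxy.sh sources cgproxy.conf, a user's `mark_newin` value never reaches the `-m connmark --mark $make_newin` rules in the later hunks, which keep using the script's built-in default. Renaming the script side to `mark_newin=0x02` and the two connmark matches to `--mark $make_newin` → `--mark $mark_newin` would make the three files agree. The variable block this hunk edits begins before the hunk.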
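Review bot: The two rules added after the `-m connmark --mark $make_newin` line are appended to `TPROXY_PRE` although they sit in the `TPROXY_OUT` section and replace `TPROXY_OUT`'s removed `-o lo`, pkttype and `mark_noproxy` returns; appended there they land after `TPROXY_PRE`'s unconditional `-j TPROXY_ENT`, so packets that TPROXY_ENT handles never reach them, and `TPROXY_OUT` is left with no exit for locally-destined or non-unicast traffic from `$cgroup_proxy`, which is then marked with `$fwmark` and policy-routed through the TPROXY path like any remote destination. The intended lines look like `iptables -t mangle -A TPROXY_OUT -m addrtype --dst-type LOCAL -j RETURN` and `iptables -t mangle -A TPROXY_OUT -m addrtype ! --dst-type UNICAST -j RETURN`; the ip6tables hunk at `@@ -145,50 +143,47 @@` has the same slip. A one-line comment above them such as `## skip loopback/local and non-unicast destinations before the cgroup marks` would make the ordering relative to the two `-m cgroup` rules explicit.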
@@ -145,50 +143,47 @@ ip6tables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip localhost --on-port $
 ip6tables -t mangle -N TPROXY_PRE
 ip6tables -t mangle -A TPROXY_PRE -m socket --transparent -j MARK --set-mark $fwmark
 ip6tables -t mangle -A TPROXY_PRE -m socket --transparent -j RETURN
-ip6tables -t mangle -A TPROXY_PRE -p icmp -j RETURN
+ip6tables -t mangle -A TPROXY_PRE -p icmpv6 -j RETURN
 ip6tables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT
 ip6tables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT
 ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
-ip6tables -t mangle -A TPROXY_PRE -m pkttype --pkt-type broadcast -j RETURN
-ip6tables -t mangle -A TPROXY_PRE -m pkttype --pkt-type multicast -j RETURN
+ip6tables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
 ip6tables -t mangle -A TPROXY_PRE -j TPROXY_ENT
 ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
 ip6tables -t mangle -N TPROXY_OUT
-ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -p icmp -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -p icmpv6 -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
+ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
+ip6tables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
 ip6tables -t mangle -A OUTPUT -j TPROXY_OUT
 ## allow to disable, order is important
-$enable_dns || iptables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
-$enable_dns || ip6tables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
-$enable_udp || iptables -t mangle -I TPROXY_OUT -p udp -j RETURN
-$enable_udp || ip6tables -t mangle -I TPROXY_OUT -p udp -j RETURN
-$enable_tcp || iptables -t mangle -I TPROXY_OUT -p tcp -j RETURN
-$enable_tcp || ip6tables -t mangle -I TPROXY_OUT -p tcp -j RETURN
-$enable_ipv4 || iptables -t mangle -I TPROXY_OUT -j RETURN
-$enable_ipv6 || ip6tables -t mangle -I TPROXY_OUT -j RETURN
+$enable_dns || iptables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
+$enable_dns || ip6tables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
+$enable_udp || iptables -t mangle -I TPROXY_OUT -p udp -j RETURN
+$enable_udp || ip6tables -t mangle -I TPROXY_OUT -p udp -j RETURN
+$enable_tcp || iptables -t mangle -I TPROXY_OUT -p tcp -j RETURN
+$enable_tcp || ip6tables -t mangle -I TPROXY_OUT -p tcp -j RETURN
+$enable_ipv4 || iptables -t mangle -I TPROXY_OUT -j RETURN
+$enable_ipv6 || ip6tables -t mangle -I TPROXY_OUT -j RETURN
 if $enable_gateway; then
-$enable_dns || iptables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
-$enable_dns || ip6tables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
-$enable_udp || iptables -t mangle -I TPROXY_PRE -p udp -j RETURN
-$enable_udp || ip6tables -t mangle -I TPROXY_PRE -p udp -j RETURN
-$enable_tcp || iptables -t mangle -I TPROXY_PRE -p tcp -j RETURN
-$enable_tcp || ip6tables -t mangle -I TPROXY_PRE -p tcp -j RETURN
-$enable_ipv4 || iptables -t mangle -I TPROXY_PRE -j RETURN
-$enable_ipv6 || ip6tables -t mangle -I TPROXY_PRE -j RETURN
+$enable_dns || iptables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
+$enable_dns || ip6tables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
+$enable_udp || iptables -t mangle -I TPROXY_PRE -p udp -j RETURN
+$enable_udp || ip6tables -t mangle -I TPROXY_PRE -p udp -j RETURN
+$enable_tcp || iptables -t mangle -I TPROXY_PRE -p tcp -j RETURN
+$enable_tcp || ip6tables -t mangle -I TPROXY_PRE -p tcp -j RETURN
+$enable_ipv4 || iptables -t mangle -I TPROXY_PRE -j RETURN
+$enable_ipv6 || ip6tables -t mangle -I TPROXY_PRE -j RETURN
 fi
 ## do not handle local device connection through tproxy if gateway is not enabled
-$enable_gateway || iptables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m addrtype ! --dst-type LOCAL -j RETURN
-$enable_gateway || ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m addrtype ! --dst-type LOCAL -j RETURN
+$enable_gateway || iptables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -j RETURN
+$enable_gateway || ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -j RETURN
 ## make sure following rules are the first in chain TPROXY_PRE to mark new incoming connection or gateway proxy connection
 ## so must put at last to insert first
diff --git a/readme.md b/readme.md
index 605bfac..e4f3bee 100644
--- a/readme.md
+++ b/readme.md
@@ -98,17 +98,16 @@ port=12345
 ########################################################################
 ## if you set to false, it's traffic won't go through proxy, but still can go direct to internet
+enable_dns=true
 enable_tcp=true
 enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
-enable_dns=true
 ########################################################################
 ## do not modify this if you don't known what you are doing
 table=100
 fwmark=0x01
-mark_noproxy=0xff
 mark_newin=0x02
 ```
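Review bot: The `$enable_dns ||` lines under `## allow to disable, order is important` insert a RETURN only for `-p udp --dport 53`, while `TPROXY_PRE` earlier in this hunk steers both `-p udp --dport 53` and `-p tcp --dport 53` into `TPROXY_ENT`; with `enable_dns=false` and `enable_tcp=true`, DNS over TCP from a proxied cgroup therefore still appears to be proxied. If the option is meant to cover DNS as a whole, each of the four dns lines needs a tcp twin, as sketched below. The plus/minus pairs of `$enable_*` lines read identically in this diff, so presumably only whitespace changed; a word about that in the commit message would save the next reader a comparison.
```shell
## allow to disable, order is important
$enable_dns || iptables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
$enable_dns || iptables -t mangle -I TPROXY_OUT -p tcp --dport 53 -j RETURN
$enable_dns || ip6tables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
$enable_dns || ip6tables -t mangle -I TPROXY_OUT -p tcp --dport 53 -j RETURN
# … unchanged: udp/tcp/ipv4/ipv6 toggles for TPROXY_OUT …
if $enable_gateway; then
$enable_dns || iptables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
$enable_dns || iptables -t mangle -I TPROXY_PRE -p tcp --dport 53 -j RETURN
$enable_dns || ip6tables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
$enable_dns || ip6tables -t mangle -I TPROXY_PRE -p tcp --dport 53 -j RETURN
# … unchanged: remaining gateway toggles, fi …
```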