From b614d006c14d9824c11847e336177165f6a762a9 Mon Sep 17 00:00:00 2001
From: fancy
Date: Thu, 23 Apr 2020 12:27:10 +0800
Subject: [PATCH] some code adjustment

---
 cgproxy.conf | 7 ++++---
 cgroup-tproxy.sh | 18 ++++++++++--------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/cgproxy.conf b/cgproxy.conf
index 65b94ab..b0e39ef 100644
--- a/cgproxy.conf
+++ b/cgproxy.conf
@@ -1,6 +1,7 @@
 ## any process in this cgroup will be proxied
 ## must start with slash '/'
 proxy_cgroup="/proxy.slice"
+# proxy_cgroup="/user.slice"
 
 ## listening port of another proxy process, for example v2ray
 port=12345
@@ -15,9 +16,9 @@ enable_ipv6=true
 ## only useful if v2ray process is also in proxy_cgroup, for example, you want to proxy whole userspace,
 ## and v2ray is also running in the same userspace
 ## otherwise ignore this
-v2ray_so_mark=255
+v2ray_outbound_mark=0xff # 255
 
 ## do not modify this if you don't known what you are doing
 table=100
-mark=100
-mark_newin=1
\ No newline at end of file
+mark=0x01
+mark_newin=0x02
\ No newline at end of file
diff --git a/cgroup-tproxy.sh b/cgroup-tproxy.sh
index b00e1ce..7e1ee1c 100644
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -31,7 +31,7 @@ DOC
 }
 
 ## any process in this cgroup will be proxied
-proxy_cgroup="/user.slice/user-1000.slice/proxy.slice"
+proxy_cgroup="/proxy.slice"
 
 ## some variables
 port=12345
@@ -41,10 +41,10 @@ enable_ipv4=true
 enable_ipv6=true
 
 ## do not modify this if you don't known what you are doing
-mark=100
 table=100
-mark_newin=101
-v2ray_so_mark=255
+mark=0x01
+mark_newin=0x02
+v2ray_outbound_mark=0xff
 
 ## cgroup things
 # cgroup_mount_point=$(findmnt -t cgroup,cgroup2 -n -J|jq '.filesystems[0].target')
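Review bot: Renaming `v2ray_so_mark` to `v2ray_outbound_mark` in the cgproxy.conf hunk, and in the script defaults in the `@@ -41,10 +41,10 @@` hunk, is not backward compatible: an existing user config that still sets `v2ray_so_mark` is no longer consumed, and the script silently keeps its default of `0xff`. If that process's SO_MARK was configured to a different value, its own outbound packets no longer hit the `-m mark --mark $v2ray_outbound_mark -j RETURN` exemption and get re-marked into the TPROXY path, which is the loop the variable exists to prevent. Assuming the script sources cgproxy.conf after setting its defaults (the sourcing is not visible in this chunk), one line after that point keeps old configs working: `[[ -n ${v2ray_so_mark:-} ]] && v2ray_outbound_mark=$v2ray_so_mark`. A short deprecation comment next to it, naming the old variable, would tell users why their setting still works.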
@@ -99,11 +99,12 @@ iptables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --restor
 iptables -t mangle -A PREROUTING -j TPROXY_PRE
 
 iptables -t mangle -N TPROXY_OUT
+iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
+iptables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_outbound_mark -j RETURN
 iptables -t mangle -A TPROXY_OUT -m connmark --mark $mark_newin -j RETURN # return incoming connection directly, v2ray tproxy not work for this situation, see this: https://github.com/Kr328/ClashForAndroid/issues/146
-iptables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_so_mark -j RETURN
 iptables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
 iptables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-iptables -t mangle -A OUTPUT ! -o lo -j TPROXY_OUT # exclude lo to avoid local bind problem, for example if your dns is 127.0.0.1:53, then v2ray can't bind to reply back result
+iptables -t mangle -A OUTPUT -j TPROXY_OUT
 
 #ipv6#
 ip -6 rule add fwmark $mark table $table
@@ -116,11 +117,12 @@ ip6tables -t mangle -A TPROXY_PRE -m conntrack --ctstate NEW -j CONNMARK --resto
 ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
 
 ip6tables -t mangle -N TPROXY_OUT
+ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_outbound_mark -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $mark_newin -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m mark --mark $v2ray_so_mark -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -p udp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
 ip6tables -t mangle -A TPROXY_OUT -p tcp -m cgroup --path $proxy_cgroup -j MARK --set-mark $mark
-ip6tables -t mangle -A OUTPUT ! -o lo -j TPROXY_OUT
+ip6tables -t mangle -A OUTPUT -j TPROXY_OUT
 
 ## use REDIRECT
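Review bot: The rationale for exempting loopback is lost in this hunk: the removed `OUTPUT ! -o lo` line carried the explanation (local bind problem when a resolver listens on 127.0.0.1:53), while the new `-A TPROXY_OUT -o lo -j RETURN` rule that replaces it has no comment, so the next reader cannot tell why loopback must bypass the cgroup match. Moving the comment onto the new line preserves it: `iptables -t mangle -A TPROXY_OUT -o lo -j RETURN # exclude lo to avoid local bind problem, e.g. a DNS at 127.0.0.1:53 that v2ray must reply to`. The relocation of the `-m mark --mark $v2ray_outbound_mark` exemption ahead of the connmark rule is fine functionally, but a one-line comment stating that this mark must equal the SO_MARK the proxy process sets on its outbound sockets would make the loop-avoidance intent explicit. The following ip6tables hunk (`@@ -116,11 +117,12 @@`) has the same missing comment on its `-o lo -j RETURN` line; its last line lies outside this chunk.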