imporved gateway nat, and bypass broadcast things

cgproxy.conf

@@ -7,6 +7,7 @@
 ## cgroup must start with slash '/'
 # cgroup_proxy="/"
 cgroup_proxy="/proxy.slice"
+# cgroup_noproxy="/system.slice/v2ray.service"
 cgroup_noproxy="/noproxy.slice"
 
 ########################################################################

cgroup-tproxy.sh

@@ -84,8 +84,8 @@ case $i in
         ip -6 rule delete fwmark $fwmark lookup $table
         ip -6 route flush table $table
         ## may not exist, just ignore, and tracking their existence is not reliable
-        iptables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null
-        ip6tables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null
+        iptables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
+        ip6tables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
         exit 0
         ;;
     --config=*)
@@ -128,6 +128,8 @@ iptables -t mangle -N TPROXY_OUT
 iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
 iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
 iptables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
+iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
+iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
 iptables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
@@ -155,6 +157,8 @@ ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
 ip6tables -t mangle -N TPROXY_OUT
 ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -p icmp -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
@@ -193,13 +197,14 @@ ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m conntrack --
 
 ## message for user
 cat << DOC
+noproxy cgroup: $cgroup_noproxy
 proxied cgroup: $cgroup_proxy
 DOC
 
 
 if $enable_gateway; then
-    iptables  -t nat -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
-    ip6tables -t nat -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
+    iptables  -t nat -A POSTROUTING -m owner ! --socket-exists -j MASQUERADE
+    ip6tables -t nat -A POSTROUTING -m owner ! --socket-exists -j MASQUERADE
     sysctl -w net.ipv4.ip_forward=1
     sysctl -w net.ipv6.conf.all.forwarding=1
     echo "gateway enabled"

readme.md

@@ -129,8 +129,9 @@ sudo systemctl restart cgproxy.service
 
 ## Gateway proxy
 
-- set **enable_gateway=true** in `/etc/cgproxy.conf` and restart service
-- other device set this host as gateway, and set public dns if necessary
+- Set **enable_gateway=true** in `/etc/cgproxy.conf` and restart service
+- Run your proxy software in cgroup_noproxy to allow  direct to internet as above. This is necessary when you use global transparent proxy the same time.
+- Other device set this host as gateway, and set public dns if necessary
 
 ## Other useful tools provided in this project
 
@@ -166,6 +167,8 @@ sudo systemctl restart cgproxy.service
   sudo setcap "cap_net_admin,cap_net_bind_service=ep" /usr/lib/v2ray/v2ray
   ```
 
+- Why not outbound mark solution, because in v2ray [when `"localhost"` is used, out-going DNS traffic is not controlled by V2Ray](https://www.v2fly.org/en/configuration/dns.html), so no mark at all, that's pitty.
+
 ## TIPS
 
 - `systemd-cgls` to see the cgroup hierarchical tree.