only masquerade ipv6 private address

CMakeLists.txt

@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.10)
 
-project(cgproxy VERSION 3.6)
+project(cgproxy VERSION 3.7)
 add_executable(cgattach cgattach.cpp)
 
 install(TARGETS cgattach DESTINATION /usr/bin 
@@ -21,6 +21,9 @@ install(FILES cgproxy.conf
         DESTINATION /etc/)
 install(FILES cgroup-tproxy.sh 
         DESTINATION /usr/share/cgproxy/scripts/)
+        
+install(FILES readme.md
+        DESTINATION /share/doc/cgproxy/)
 
 
 ## package for deb and rpm

cgproxy.conf

@@ -1,24 +1,19 @@
-# see how to configure 
-# https://github.com/springzfx/cgproxy
-
-########################################################################
 ## cgroup transparent proxy
+## see how to configure, https://github.com/springzfx/cgproxy
+
 ## any process in cgroup_proxy will be proxied, and cgroup_noproxy the opposite
-## cgroup must start with slash '/'
+## note, cgroup must start with slash '/'
-# cgroup_proxy="/"
+# cgroup_proxy="/"  # for global tproxy
+# cgroup_noproxy="/system.slice/v2ray.service" # for v2ray service
 cgroup_proxy="/proxy.slice"
 cgroup_noproxy="/noproxy.slice"
-# cgroup_noproxy="/system.slice/v2ray.service"
 
-########################################################################
 ## allow as gateway for local network
 enable_gateway=false
 
-########################################################################
 ## listening port of another proxy process, for example v2ray 
 port=12345
 
-########################################################################
 ## if you set to false, it's traffic won't go through proxy, but still can go direct to internet 
 enable_dns=true
 enable_tcp=true
@@ -26,7 +21,6 @@ enable_udp=true
 enable_ipv4=true
 enable_ipv6=true
 
-########################################################################
 ## do not modify this if you don't known what you are doing
 table=100
 fwmark=0x01

cgroup-tproxy.sh

@@ -53,9 +53,7 @@ fwmark=0x01
 make_newin=0x02
 
 ## cgroup things
-# cgroup_mount_point=$(findmnt -t cgroup,cgroup2 -n -J|jq '.filesystems[0].target')
+cgroup_mount_point=$(findmnt -t cgroup2 -n -o TARGET)
-# cgroup_type=$(findmnt -t cgroup,cgroup2 -n -J|jq '.filesystems[0].fstype')
-cgroup_mount_point=$(findmnt -t cgroup2 -n |cut -d' ' -f 1)
 cgroup_type="cgroup2"
 cgroup_procs_file="cgroup.procs"
 
@@ -86,7 +84,7 @@ case $i in
         ip -6 route flush table $table
         ## may not exist, just ignore, and tracking their existence is not reliable
         iptables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
-        ip6tables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
+        ip6tables -t nat -D POSTROUTING -m owner ! --socket-exists -s fc00::/7 -j MASQUERADE &> /dev/null
         exit 0
         ;;
     --config=*)
@@ -127,8 +125,8 @@ iptables -t mangle -A PREROUTING -j TPROXY_PRE
 iptables -t mangle -N TPROXY_OUT
 iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
 iptables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
-iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
+iptables -t mangle -A TPROXY_OUT -m addrtype --dst-type LOCAL -j RETURN
-iptables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
+iptables -t mangle -A TPROXY_OUT -m addrtype ! --dst-type UNICAST -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
 iptables -t mangle -A OUTPUT -j TPROXY_OUT
@@ -154,8 +152,8 @@ ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
 ip6tables -t mangle -N TPROXY_OUT
 ip6tables -t mangle -A TPROXY_OUT -p icmpv6 -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
-ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m addrtype --dst-type LOCAL -j RETURN
-ip6tables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
+ip6tables -t mangle -A TPROXY_OUT -m addrtype ! --dst-type UNICAST -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
 ip6tables -t mangle -A OUTPUT -j TPROXY_OUT
@@ -199,7 +197,7 @@ DOC
 
 if $enable_gateway; then
     iptables  -t nat -A POSTROUTING -m owner ! --socket-exists -j MASQUERADE
-    ip6tables -t nat -A POSTROUTING -m owner ! --socket-exists -j MASQUERADE
+    ip6tables -t nat -A POSTROUTING -m owner ! --socket-exists -s fc00::/7 -j MASQUERADE # only masquerade ipv6 private address
     sysctl -w net.ipv4.ip_forward=1
     sysctl -w net.ipv6.conf.all.forwarding=1
     echo "gateway enabled"

readme.md

@@ -8,7 +8,7 @@
 
 cgproxy will transparent proxy anything running in specific cgroup. It resembles with *proxychains* and *tsock*, but without their disadvantages, and more powerfull.
 
-It aslo supports global transparent proxy and gateway proxy. See [Global transparent proxy](#global-transparent-proxy) and  [Gateway proxy](#gateway-proxy)
+It aslo supports global transparent proxy and gateway proxy. See [Global transparent proxy](#global-transparent-proxy) and  [Gateway proxy](#gateway-proxy).
 
 <!--ts-->
 
@@ -46,7 +46,7 @@ It aslo supports global transparent proxy and gateway proxy. See [Global transpa
 mkdir build && cd build && cmake .. && make && sudo make install
 ```
 
-- It is alreay in [archlinux AUR](https://aur.archlinux.org/packages/cgproxy/). 
+- It is alreay in [archlinux AUR](https://aur.archlinux.org/packages/cgproxy-git/). 
 
 - DEB and RPM are packaged in [release page](https://github.com/springzfx/cgproxy/releases).
 

v2ray_config/00_log.json

@@ -1,5 +1,5 @@
 {
   "log": {
-    "loglevel": "error"
+    "loglevel": "none"
   }
 }

v2ray_config/02_dns.json

@@ -1,7 +1,10 @@
 {
   "dns": {
+    "hosts": {
+      "geosite:category-ads": "127.0.0.1"
+    },
     "servers": [
-      "https://223.5.5.5/dns-query",
+      "https+local://223.5.5.5/dns-query",
       "https://1.1.1.1/dns-query",
       {
         "address": "localhost",

v2ray_config/04_routing_00.json

@@ -21,13 +21,6 @@
         "port": "53",
         "type": "field"
       },
-      {
-        "inboundTag": [
-          "dns_inbound"
-        ],
-        "outboundTag": "outBound_DIRECT",
-        "type": "field"
-      },
       {
         "domain": [
           "geosite:google",

v2ray_config/merge.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-jq -rs 'reduce .[] as $item ({}; . + $item  + {inbounds: (.inbounds + $item.inbounds)} + {outbounds: ($item.outbounds + .outbounds)})' *.json |sudo tee /etc/v2ray/config.json
+jq -rs 'reduce .[] as $item ({}; . + $item  + {inbounds: (.inbounds + $item.inbounds)} + {outbounds: ($item.outbounds + .outbounds)})' *.json |sudo tee /etc/v2ray/config.json > /dev/null

v2ray_config/v2ray.service

@@ -5,15 +5,14 @@ After=network.target nss-lookup.target
 Wants=network-online.target
 
 [Service]
-Type=simple
+Type=exec
+ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
 User=nobody
-#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
-ExecStart=+/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
 Restart=on-failure
 # Don't restart in the case of configuration error
 RestartPreventExitStatus=23
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target