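---
# This file is my daily-use configuration;
# I use it to show how to use cgtproxy with clash-meta.
#
# Further configuration documentation can be found at
# https://godoc.org/github.com/black-desk/cgtproxy/pkg/cgtproxy/config

version: 1
cgroup-root: AUTO  # path to the cgroupfs v2 mount point, or "AUTO"
route-table: 300

# Any traffic sent to 127.0.0.0/8 or ::1 is sent out directly,
# unaffected by the configuration below.
bypass:
  - 127.0.0.0/8
  - ::1

tproxies:
  clash-meta:
    mark: 3000
    port: 7893
    # Do not proxy UDP traffic; it will be sent directly.
    # no-udp: false
    # Do not proxy IPv6 traffic; it will be sent directly.
    # no-ipv6: false
    # Hijack all IPv4 traffic whose destination port is 53
    # and redirect it to ip:port.
    # This field is optional.
    # NOTE(review): a resolver (presumably clash-meta's) must actually be
    # listening on this ip:port on your host — confirm before relying on it.
    dns-hijack:
      ip: 127.0.0.1
      port: 53

# Rules are matched in order.
# `match` is a regex matched against the cgroup path.
# `direct` means the traffic will not be redirected to any TPROXY server;
# `drop` means the traffic will be dropped;
# `tproxy` means the traffic will be redirected to that TPROXY server.
#
# NOTE: You can use systemd-cgls to check the cgroup layout on your system.
#
# NOTE: Any web service will provide its service directly.
# Traffic in connections created by a remote host
# will never be redirected to a TPROXY server or dropped.
rules:
  # https://aur.archlinux.org/packages/clash-meta
  # https://aur.archlinux.org/packages/clash-meta-bin
  # `clash-meta.service` will be launched by systemd
  # at `/system.slice/clash-meta.service`.
  # This regex matches that path and makes traffic from it
  # go out directly, by producing and applying nft rules
  # when such a cgroup is created
  # (presumably so the proxy's own upstream traffic is not
  # looped back into the proxy).
  - match: |-
      \/system\.slice\/clash-meta\.service
    direct: true
  # https://github.com/black-desk/debs/tree/master/one.metacubex.clash-meta
  # My clash-meta deb package instead uses the
  # systemd service name `one.metacubex.clash-meta`,
  # so this rule is added as well.
  - match: |-
      \/system\.slice\/one\.metacubex\.clash-meta\.service
    direct: true

  # Same as above.
  # Configure the user-level cgtproxy-direct.slice and
  # cgtproxy-drop.slice cgroups.
  #
  # With this setup you can start a non-proxied shell by executing:
  #
  #   systemd-run --user --slice cgtproxy-direct.slice --shell
  #
  # The command above starts the new shell in a cgroup like
  # `/user.slice/user-1000.slice/user@1000.service/cgtproxy.slice/cgtproxy-direct.slice/run-u22.service`,
  # which matches the regex in your configuration.
  # cgtproxy will then produce nft rules that exempt
  # `run-u22.service` from the transparent proxy.
  #
  # NOTE: because any process running as that user can place itself
  # into cgtproxy-direct.slice this way, the direct/drop slices are a
  # convenience for the user, not an enforcement boundary against
  # software already running in that user's session.
  - match: |-
      \/user\.slice\/user-\d+\.slice\/user@\d+\.service\/cgtproxy\.slice\/cgtproxy-direct\.slice\/.*
    direct: true
  - match: |-
      \/user\.slice\/user-\d+\.slice\/user@\d+\.service\/cgtproxy\.slice\/cgtproxy-drop\.slice\/.*
    drop: true
  - match: |-
      \/user\.slice\/user-\d+\.slice\/user@\d+\.service\/cgtproxy\.slice\/cgtproxy-proxy\.slice\/.*
    tproxy: clash-meta

  # Application related rules:
  # To make these rules work across desktop environments,
  # please take a look at https://systemd.io/DESKTOP_ENVIRONMENTS/.
  # NOTE:
  #   | Desktop Environment | Launcher  |
  #   |---------------------|-----------|
  #   | GNOME               | `"gnome"` |
  #   | dde                 | `"DDE"`   |
  #   | KDE                 | none      |
  # So we use `(?:-(?:gnome|DDE))?` to match the optional `-<launcher>` part.
  # https://parsec.app/
  # `parsec` should always connect to the network directly.
  - match: |-
      \/user\.slice\/user-\d+\.slice\/user@\d+\.service\/app\.slice\/app(?:-(?:gnome|DDE))?-parsecd-\d+\.(?:service|scope)
    direct: true

  # For any other cgroup, TPROXY to clash-meta.
  # Keep this catch-all last: rules are matched in order.
  - match: |-
      \/.*
    tproxy: clash-meta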