diff --git a/docs/changelog.md b/docs/changelog.md index 007062d1..fcecce6d 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -1,11 +1,118 @@ -#### 1.2.7 +#### 1.3-beta13 + +* Fix resolving fakeip domains **1** +* Deprecate L3 routing +* Fix bugs and update dependencies + +**1**: + +If the destination address of the connection is obtained from fakeip, dns rules with server type fakeip will be skipped. + +#### 1.3-beta12 + +* Automatically add Windows firewall rules in order for the system tun stack to work +* Fix TLS 1.2 support for shadow-tls client +* Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file +* Fixes and improvements + +#### 1.3-beta11 * Fix bugs and update dependencies +#### 1.3-beta10 + +* Improve direct copy **1** +* Improve DNS caching +* Add `independent_cache` [option](/configuration/dns#independent_cache) for DNS +* Reimplemented shadowsocks client **2** +* Add multiplex support for VLESS outbound +* Set TCP keepalive for WireGuard gVisor TCP connections +* Fixes and improvements + +**1**: + +* Make splice work with traffic statistics systems like Clash API +* Significantly reduces memory usage of idle connections + +**2**: + +Improved performance and reduced memory usage. + +#### 1.3-beta9 + +* Improve multiplex **1** +* Fixes and improvements + +*1*: + +Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex). + #### 1.2.6 * Fix bugs and update dependencies +#### 1.3-beta8 + +* Fix `system` tun stack for ios +* Fix network monitor for android/ios +* Update VLESS and XUDP protocol **1** +* Fixes and improvements + +*1: + +This is an incompatible update for XUDP in VLESS if vision flow is enabled. 
+ +#### 1.3-beta7 + +* Add `path` and `headers` options for HTTP outbound +* Add multi-user support for Shadowsocks legacy AEAD inbound +* Fixes and improvements + +#### 1.2.4 + +* Fixes and improvements + +#### 1.3-beta6 + +* Fix WireGuard reconnect +* Perform URLTest recheck after network changes +* Fix bugs and update dependencies + +#### 1.3-beta5 + +* Add Clash.Meta API compatibility for Clash API +* Download Yacd-meta by default if the specified Clash `external_ui` directory is empty +* Add path and headers option for HTTP outbound +* Fixes and improvements + +#### 1.3-beta4 + +* Fix bugs + +#### 1.3-beta2 + +* Download clash-dashboard if the specified Clash `external_ui` directory is empty +* Fix bugs and update dependencies + +#### 1.3-beta1 + +* Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support +* Add [L3 routing](/configuration/route/ip-rule) support **1** +* Add `rewrite_ttl` DNS rule action +* Add [FakeIP](/configuration/dns/fakeip) support **2** +* Add `store_fakeip` Clash API option +* Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound +* Add loopback detect + +*1*: + +It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections +at the IP layer. + +*2*: + +See [FAQ](/faq/fakeip) for more information. + #### 1.2.3 * Introducing our [new Android client application](/installation/clients/sfa) diff --git a/docs/configuration/outbound/index.md b/docs/configuration/outbound/index.md index a8a1874f..83320971 100644 --- a/docs/configuration/outbound/index.md +++ b/docs/configuration/outbound/index.md @@ -37,4 +37,10 @@ #### tag -The tag of the outbound. \ No newline at end of file +The tag of the outbound. + +### Features + +#### Outbounds that support IP connection + +* `WireGuard` diff --git a/docs/configuration/outbound/index.zh.md b/docs/configuration/outbound/index.zh.md index f9053356..e54a1d95 100644 
--- a/docs/configuration/outbound/index.zh.md +++ b/docs/configuration/outbound/index.zh.md @@ -36,4 +36,10 @@ #### tag -出站的标签。 \ No newline at end of file +出站的标签。 + +### 特性 + +#### 支持 IP 连接的出站 + +* `WireGuard` diff --git a/docs/configuration/route/index.md b/docs/configuration/route/index.md index 7440f2bb..8c6ca6e1 100644 --- a/docs/configuration/route/index.md +++ b/docs/configuration/route/index.md @@ -19,11 +19,11 @@ ### Fields -| Key | Format | -|-----------|------------------------------| -| `geoip` | [GeoIP](./geoip) | -| `geosite` | [Geosite](./geosite) | -| `rules` | List of [Route Rule](./rule) | +| Key | Format | +|------------|------------------------------------| +| `geoip` | [GeoIP](./geoip) | +| `geosite` | [Geosite](./geosite) | +| `rules` | List of [Route Rule](./rule) | #### final diff --git a/docs/configuration/route/index.zh.md b/docs/configuration/route/index.zh.md index e0bbe917..8525f7b0 100644 --- a/docs/configuration/route/index.zh.md +++ b/docs/configuration/route/index.zh.md @@ -7,6 +7,7 @@ "route": { "geoip": {}, "geosite": {}, + "ip_rules": [], "rules": [], "final": "", "auto_detect_interface": false, @@ -19,11 +20,12 @@ ### 字段 -| 键 | 格式 | -|-----------|----------------------| -| `geoip` | [GeoIP](./geoip) | -| `geosite` | [GeoSite](./geosite) | -| `rules` | 一组 [路由规则](./rule) | +| 键 | 格式 | +|------------|-------------------------| +| `geoip` | [GeoIP](./geoip) | +| `geosite` | [GeoSite](./geosite) | +| `ip_rules` | 一组 [IP 路由规则](./ip-rule) | +| `rules` | 一组 [路由规则](./rule) | #### final @@ -65,4 +67,4 @@ 默认为出站连接设置路由标记。 -如果设置了 `outbound.routing_mark` 设置,则不生效。 +如果设置了 `outbound.routing_mark` 设置,则不生效。 \ No newline at end of file diff --git a/docs/configuration/route/ip-rule.md b/docs/configuration/route/ip-rule.md new file mode 100644 index 00000000..352c39f8 --- /dev/null +++ b/docs/configuration/route/ip-rule.md 
@@ -0,0 +1,205 @@ +### Structure + +```json +{ + "route": { + "ip_rules": [ + { + "inbound": [ + "mixed-in" + ], + "ip_version": 6, + "network": [ + "tcp" + ], + "domain": [ + "test.com" + ], + "domain_suffix": [ + ".cn" + ], + "domain_keyword": [ + "test" + ], + "domain_regex": [ + "^stun\\..+" + ], + "geosite": [ + "cn" + ], + "source_geoip": [ + "private" + ], + "geoip": [ + "cn" + ], + "source_ip_cidr": [ + "10.0.0.0/24", + "192.168.0.1" + ], + "ip_cidr": [ + "10.0.0.0/24", + "192.168.0.1" + ], + "source_port": [ + 12345 + ], + "source_port_range": [ + "1000:2000", + ":3000", + "4000:" + ], + "port": [ + 80, + 443 + ], + "port_range": [ + "1000:2000", + ":3000", + "4000:" + ], + "invert": false, + "action": "direct", + "outbound": "wireguard" + }, + { + "type": "logical", + "mode": "and", + "rules": [], + "invert": false, + "action": "direct", + "outbound": "wireguard" + } + ] + } +} + +``` + +!!! note "" + + You can ignore the JSON Array [] tag when the content is only one item + +### Default Fields + +!!! note "" + + The default rule uses the following matching logic: + (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) && + (`port` || `port_range`) && + (`source_geoip` || `source_ip_cidr`) && + (`source_port` || `source_port_range`) && + `other fields` + +#### inbound + +Tags of [Inbound](/configuration/inbound). + +#### ip_version + +4 or 6. + +Not limited if empty. + +#### network + +Match network protocol. + +Available values: + +* `tcp` +* `udp` +* `icmpv4` +* `icmpv6` + +#### domain + +Match full domain. + +#### domain_suffix + +Match domain suffix. + +#### domain_keyword + +Match domain using keyword. + +#### domain_regex + +Match domain using regular expression. + +#### geosite + +Match geosite. + +#### source_geoip + +Match source geoip. + +#### geoip + +Match geoip. + +#### source_ip_cidr + +Match source ip cidr. + +#### ip_cidr + +Match ip cidr. + +#### source_port + +Match source port. 
+ +#### source_port_range + +Match source port range. + +#### port + +Match port. + +#### port_range + +Match port range. + +#### invert + +Invert match result. + +#### action + +==Required== + +| Action | Description | +|--------|--------------------------------------------------------------------| +| return | Stop IP routing and assemble the connection to the transport layer | +| block | Block the connection | +| direct | Directly forward the connection | + +#### outbound + +==Required if action is direct== + +Tag of the target outbound. + +Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection). + +### Logical Fields + +#### type + +`logical` + +#### mode + +==Required== + +`and` or `or` + +#### rules + +==Required== + +Included default rules. \ No newline at end of file diff --git a/docs/configuration/route/ip-rule.zh.md b/docs/configuration/route/ip-rule.zh.md new file mode 100644 index 00000000..d580086c --- /dev/null +++ b/docs/configuration/route/ip-rule.zh.md 
@@ -0,0 +1,204 @@ +### 结构 + +```json +{ + "route": { + "ip_rules": [ + { + "inbound": [ + "mixed-in" + ], + "ip_version": 6, + "network": [ + "tcp" + ], + "domain": [ + "test.com" + ], + "domain_suffix": [ + ".cn" + ], + "domain_keyword": [ + "test" + ], + "domain_regex": [ + "^stun\\..+" + ], + "geosite": [ + "cn" + ], + "source_geoip": [ + "private" + ], + "geoip": [ + "cn" + ], + "source_ip_cidr": [ + "10.0.0.0/24", + "192.168.0.1" + ], + "ip_cidr": [ + "10.0.0.0/24", + "192.168.0.1" + ], + "source_port": [ + 12345 + ], + "source_port_range": [ + "1000:2000", + ":3000", + "4000:" + ], + "port": [ + 80, + 443 + ], + "port_range": [ + "1000:2000", + ":3000", + "4000:" + ], + "invert": false, + "action": "direct", + "outbound": "wireguard" + }, + { + "type": "logical", + "mode": "and", + "rules": [], + "invert": false, + "action": "direct", + "outbound": "wireguard" + } + ] + } +} + +``` + +!!! note "" + + 当内容只有一项时,可以忽略 JSON 数组 [] 标签。 + +### Default Fields + +!!! note "" + + 默认规则使用以下匹配逻辑: + (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) && + (`port` || `port_range`) && + (`source_geoip` || `source_ip_cidr`) && + (`source_port` || `source_port_range`) && + `other fields` + +#### inbound + +[入站](/zh/configuration/inbound) 标签。 + +#### ip_version + +4 或 6。 + +默认不限制。 + +#### network + +匹配网络协议。 + +可用值: + +* `tcp` +* `udp` +* `icmpv4` +* `icmpv6` + +#### domain + +匹配完整域名。 + +#### domain_suffix + +匹配域名后缀。 + +#### domain_keyword + +匹配域名关键字。 + +#### domain_regex + +匹配域名正则表达式。 + +#### geosite + +匹配 GeoSite。 + +#### source_geoip + +匹配源 GeoIP。 + +#### geoip + +匹配 GeoIP。 + +#### source_ip_cidr + +匹配源 IP CIDR。 + +#### ip_cidr + +匹配 IP CIDR。 + +#### source_port + +匹配源端口。 + +#### source_port_range + +匹配源端口范围。 + +#### port + +匹配端口。 + +#### port_range + +匹配端口范围。 + +#### invert + +反选匹配结果。 + +#### action + +==必填== + +| Action | 描述 | +|--------|---------------------| +| return | 停止 IP 路由并将该连接组装到传输层 | +| block | 屏蔽该连接 | +| direct 
| 直接转发该连接 | + + +#### outbound + +==action 为 direct 则必填== + +目标出站的标签。 + +### 逻辑字段 + +#### type + +`logical` + +#### mode + +==必填== + +`and` 或 `or` + +#### rules + +==必填== + +包括的默认规则。 \ No newline at end of file diff --git a/docs/examples/fakeip.md b/docs/examples/fakeip.md new file mode 100644 index 00000000..21407ece --- /dev/null +++ b/docs/examples/fakeip.md 
@@ -0,0 +1,106 @@ +```json +{ + "dns": { + "servers": [ + { + "tag": "google", + "address": "tls://8.8.8.8" + }, + { + "tag": "local", + "address": "223.5.5.5", + "detour": "direct" + }, + { + "tag": "remote", + "address": "fakeip" + }, + { + "tag": "block", + "address": "rcode://success" + } + ], + "rules": [ + { + "geosite": "category-ads-all", + "server": "block", + "disable_cache": true + }, + { + "outbound": "any", + "server": "local" + }, + { + "geosite": "cn", + "server": "local" + }, + { + "query_type": [ + "A", + "AAAA" + ], + "server": "remote" + } + ], + "fakeip": { + "enabled": true, + "inet4_range": "198.18.0.0/15", + "inet6_range": "fc00::/18" + }, + "independent_cache": true, + "strategy": "ipv4_only" + }, + "inbounds": [ + { + "type": "tun", + "inet4_address": "172.19.0.1/30", + "auto_route": true, + "sniff": true, + "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior). + } + ], + "outbounds": [ + { + "type": "shadowsocks", + "tag": "proxy", + "server": "mydomain.com", + "server_port": 8080, + "method": "2022-blake3-aes-128-gcm", + "password": "8JCsPssfgS8tiRwiMlhARg==" + }, + { + "type": "direct", + "tag": "direct" + }, + { + "type": "block", + "tag": "block" + }, + { + "type": "dns", + "tag": "dns-out" + } + ], + "route": { + "rules": [ + { + "protocol": "dns", + "outbound": "dns-out" + }, + { + "geosite": "cn", + "geoip": [ + "private", + "cn" + ], + "outbound": "direct" + }, + { + "geosite": "category-ads-all", + "outbound": "block" + } + ], + "auto_detect_interface": true + } +} +``` \ No newline at end of file diff --git a/docs/examples/fakeip.zh.md b/docs/examples/fakeip.zh.md new file mode 100644 index 00000000..947ce387 --- /dev/null +++ b/docs/examples/fakeip.zh.md 
@@ -0,0 +1,106 @@ +```json +{ + "dns": { + "servers": [ + { + "tag": "google", + "address": "tls://8.8.8.8" + }, + { + "tag": "local", + "address": "223.5.5.5", + "detour": "direct" + }, + { + "tag": "remote", + "address": "fakeip" + }, + { + "tag": "block", + "address": "rcode://success" + } + ], + "rules": [ + { + "geosite": "category-ads-all", + "server": "block", + "disable_cache": true + }, + { + "outbound": "any", + "server": "local" + }, + { + "geosite": "cn", + "server": "local" + }, + { + "query_type": [ + "A", + "AAAA" + ], + "server": "remote" + } + ], + "fakeip": { + "enabled": true, + "inet4_range": "198.18.0.0/15", + "inet6_range": "fc00::/18" + }, + "independent_cache": true, + "strategy": "ipv4_only" + }, + "inbounds": [ + { + "type": "tun", + "inet4_address": "172.19.0.1/30", + "auto_route": true, + "sniff": true, + "domain_strategy": "ipv4_only" // 如果您想在远程解析域,删除此行 (如果服务器程序不为 sing-box,可能由于错误的行为导致 UDP 无法使用)。 + } + ], + "outbounds": [ + { + "type": "shadowsocks", + "tag": "proxy", + "server": "mydomain.com", + "server_port": 8080, + "method": "2022-blake3-aes-128-gcm", + "password": "8JCsPssfgS8tiRwiMlhARg==" + }, + { + "type": "direct", + "tag": "direct" + }, + { + "type": "block", + "tag": "block" + }, + { + "type": "dns", + "tag": "dns-out" + } + ], + "route": { + "rules": [ + { + "protocol": "dns", + "outbound": "dns-out" + }, + { + "geosite": "cn", + "geoip": [ + "private", + "cn" + ], + "outbound": "direct" + }, + { + "geosite": "category-ads-all", + "outbound": "block" + } + ], + "auto_detect_interface": true + } +} +``` \ No newline at end of file diff --git a/docs/examples/index.md b/docs/examples/index.md index ca2fa8e9..c39a7f32 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -8,3 +8,5 @@ Configuration examples for sing-box. * [Shadowsocks](./shadowsocks) * [ShadowTLS](./shadowtls) * [Clash API](./clash-api) +* [WireGuard Direct](./wireguard-direct) +* [FakeIP](./fakeip) 
diff --git a/docs/examples/index.zh.md b/docs/examples/index.zh.md index e4d17c38..2dd801ec 100644 --- a/docs/examples/index.zh.md +++ b/docs/examples/index.zh.md @@ -8,3 +8,5 @@ sing-box 的配置示例。 * [Shadowsocks](./shadowsocks) * [ShadowTLS](./shadowtls) * [Clash API](./clash-api) +* [WireGuard Direct](./wireguard-direct) +* [FakeIP](./fakeip) diff --git a/docs/examples/wireguard-direct.md b/docs/examples/wireguard-direct.md new file mode 100644 index 00000000..98e5d575 --- /dev/null +++ b/docs/examples/wireguard-direct.md @@ -0,0 +1,90 @@ +# WireGuard Direct + +```json +{ + "dns": { + "servers": [ + { + "tag": "google", + "address": "tls://8.8.8.8" + }, + { + "tag": "local", + "address": "223.5.5.5", + "detour": "direct" + } + ], + "rules": [ + { + "geoip": "cn", + "server": "direct" + } + ], + "reverse_mapping": true + }, + "inbounds": [ + { + "type": "tun", + "tag": "tun", + "inet4_address": "172.19.0.1/30", + "auto_route": true, + "sniff": true, + "stack": "system" + } + ], + "outbounds": [ + { + "type": "wireguard", + "tag": "wg", + "server": "127.0.0.1", + "server_port": 2345, + "local_address": [ + "172.19.0.1/128" + ], + "private_key": "KLTnpPY03pig/WC3zR8U7VWmpANHPFh2/4pwICGJ5Fk=", + "peer_public_key": "uvNabcamf6Rs0vzmcw99jsjTJbxo6eWGOykSY66zsUk=" + }, + { + "type": "dns", + "tag": "dns" + }, + { + "type": "direct", + "tag": "direct" + }, + { + "type": "block", + "tag": "block" + } + ], + "route": { + "ip_rules": [ + { + "port": 53, + "action": "return" + }, + { + "geoip": "cn", + "geosite": "cn", + "action": "return" + }, + { + "action": "direct", + "outbound": "wg" + } + ], + "rules": [ + { + "protocol": "dns", + "outbound": "dns" + }, + { + "geoip": "cn", + "geosite": "cn", + "outbound": "direct" + } + ], + "auto_detect_interface": true + } +} +``` \ No newline at end of file diff --git a/docs/faq/fakeip.md b/docs/faq/fakeip.md index 89fcd0c9..59d9e730 100644 --- a/docs/faq/fakeip.md +++ b/docs/faq/fakeip.md 
@@ -5,7 +5,7 @@ responds to DNS requests with virtual results and restores mapping when acceptin #### Advantage -* +* #### Limitation @@ -14,5 +14,6 @@ responds to DNS requests with virtual results and restores mapping when acceptin #### Recommendation +* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely. * If using tun, make sure FakeIP ranges is included in the tun's routes. * Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments. diff --git a/docs/faq/fakeip.zh.md b/docs/faq/fakeip.zh.md index 4a323fb7..3ab77d2c 100644 --- a/docs/faq/fakeip.zh.md +++ b/docs/faq/fakeip.zh.md @@ -13,5 +13,6 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它 #### 建议 +* 启用 `dns.independent_cache` 除非您始终远程解析 FakeIP 域。 * 如果使用 tun,请确保 tun 路由中包含 FakeIP 地址范围。 * 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录,或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。 diff --git a/mkdocs.yml b/mkdocs.yml index af0a15ad..92d8783f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -114,6 +114,7 @@ nav: - ShadowTLS: examples/shadowtls.md - Clash API: examples/clash-api.md - WireGuard Direct: examples/wireguard-direct.md + - FakeIP: examples/fakeip.md - Contributing: - contributing/index.md - Developing:
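Review bot: in docs/changelog.md the footnote labels are written three different ways: `**1**:` and `**2**:` under 1.3-beta13 and 1.3-beta10, `*1*:` and `*2*:` under 1.3-beta9 and 1.3-beta1, and `*1:` under 1.3-beta8, where the emphasis marker is never closed. Use `**1**:` throughout so the labels match the `**1**` markers on the bullets. Separately, "Add `path` and `headers` options for HTTP outbound" is listed under 1.3-beta7 and again (as "Add path and headers option for HTTP outbound") under 1.3-beta5; keep it only under the release that introduced it.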
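Review bot: in docs/configuration/route/index.md the Fields table is only re-padded to a wider column and gains no `ip_rules` row, while the matching hunk in index.zh.md adds both `"ip_rules": [],` to the structure and an `ip_rules` row linking to `./ip-rule`. Add the equivalent row (`ip_rules`, "List of [IP Route Rule](./ip-rule)") to the English table, and check that the English structure block above it lists `ip_rules` as well, so the new ip-rule.md page is linked from the route reference in both languages.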
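Review bot: the last hunk of docs/configuration/route/index.zh.md changes nothing except dropping the trailing newline (the `routing_mark` sentence is re-added followed by "\ No newline at end of file"), and the new files ip-rule.md, ip-rule.zh.md, fakeip.md, fakeip.zh.md and wireguard-direct.md are all created without one. The docs/configuration/outbound/index.md hunk in this same patch fixes exactly that on the `tag` line, so end these files with a newline too and drop the no-op change to index.zh.md.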
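Review bot: docs/configuration/route/ip-rule.md is added with no status notice, although the changelog entry for 1.3-beta13 in this same patch says "Deprecate L3 routing"; put a deprecation admonition at the top of the page so readers do not build new configurations on it. The page also lists `domain`, `domain_suffix`, `domain_keyword`, `domain_regex` and `geosite` as matchers without saying how a domain is known for traffic handled at the IP layer. The wireguard-direct example sets `"reverse_mapping": true` under `dns`; if that is a prerequisite for the domain-based fields, state it under those fields, because a rule that never matches lets the connection fall through to a different `action` than the operator intended.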
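Review bot: docs/configuration/route/ip-rule.zh.md has drifted from the English page it translates. The `#### outbound` section stops after "目标出站的标签。" and omits the sentence restricting the field to outbounds that support IP connection (with its link to the outbound page), which is why the hunk is 204 lines against 205. The heading `### Default Fields` is also left in English while `### 逻辑字段` is translated. Add the missing sentence, pointing at the `支持 IP 连接的出站` heading added to outbound/index.zh.md, and translate the heading.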
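Review bot: in docs/examples/fakeip.md and fakeip.zh.md the shadowsocks outbound carries a well-formed key, `"password": "8JCsPssfgS8tiRwiMlhARg=="`; examples get pasted as they are, so use an obvious placeholder that cannot be deployed by accident. The block is fenced as `json` but the `domain_strategy` line ends with a `//` comment, which a strict JSON parser rejects; move the remark into prose under the block, or note that comments must be removed. Both files also start directly with the code fence, whereas wireguard-direct.md opens with `# WireGuard Direct`; add a title heading for consistency.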
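Review bot: in docs/examples/wireguard-direct.md the DNS rule `"geoip": "cn", "server": "direct"` names a server tag that is not defined; the `dns.servers` list in this example only has `google` and `local`, and `direct` is an outbound tag. This was presumably meant to be `"server": "local"`. In the wireguard outbound, `"local_address": ["172.19.0.1/128"]` puts an IPv6-length prefix on an IPv4 address and reuses the tun inbound's own `172.19.0.1`; use a `/32` and an address distinct from `inet4_address`. The `private_key` and `peer_public_key` values are full-length base64 keys, so replace them with clearly marked placeholders to keep readers from deploying a published private key.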
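Review bot: in docs/faq/fakeip.md the first hunk only changes whitespace on the empty bullet under `#### Advantage` (`-*` to `+*`), so the section still renders as a blank list item; either fill in the advantage or remove the heading until there is text for it. The added recommendation for `dns.independent_cache` says when to enable it but not what goes wrong otherwise; one clause on the failure it prevents would let readers judge whether it applies to their setup, and the same goes for the line added to fakeip.zh.md.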