-
-
Notifications
You must be signed in to change notification settings - Fork 37
/
policy.rules
60 lines (54 loc) · 2.3 KB
/
policy.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
## Example of moproxy policy rulesets
# One rule per line, comment starts with a hashtag.
# Each rule are composited by two parts, FILTER and ACTION.
# Keywords and domain name are case-insensitive.
#
# Supported filters:
# - DEFUALT (matches everything / no filter)
# - LISTEN PORT <port-number> (moproxy's TCP listen port number)
# - DST IP <ipv4/6-addr>[/<prefix-len>] (destination IP address, won't resolve)
# - DST DOMAIN <domain-name> (domain name in TLS SNI or SOCKSv5 request)
#
# Supported actions:
# - REQUIRE <cap1> [or <cap2>|...] (limit avaiable upstream proxies)
# - DIRECT (do not use proxy, go direct, even if --allow-direct unset)
# - REJECT (close connection immediately)
#
# Evaluation order:
# For each incoming connection, rules are evaluated in the order according
# to their filter type: DEFAULT -> LSITEN PORT -> DST IP -> DST DOMAIN
#
# Multiple matches:
# One connection may be matched by multiple rules, depending on their actions:
# - REQUIRE actions accumulate with themself
# - DIRECT & REJECT are exclusive, they override other action and been
# overridden by others
# (Can be tweaked by priority)
#
# Action priority:
# One or more exclamation marks (!) after action promote its priority (up to 5).
# Actions with higher priority always override lower one.
#
# Example:
#
# Connection to TCP 8001 requires "cap1" on proxy's capabilities
# TCP 8002 requires "cap1" or "cap2"
# TCP 8003 requires "cap3" only. It ignore all rules without 3 or more "!".
listen port 8001 require cap1
listen port 8002 require cap1 or cap2
listen port 8003 require!!! cap3
# *.netflix.com goes to proxies with BOTH "streaming" AND "us".
dst domain netflix.com require streaming
dst domain netflix.com require us
# *.cn will not use any proxy, expect *.edu.cn require proxies with "edu"
# more specific match override less specific one
dst domain cn direct
dst domain edu.cn require edu
# *.edu.au will match both rules, thus requires BOTH "au" AND "edu"
# However, *.anu.edu.au requires just "au" due to its higher priority
dst domain au require au
dst domain edu.au require edu
dst domain anu.edu.au require! au
# `dst domain` lookup for SOCKSv5 hostname if it exists, or TLS SNI if
# `--remote-dns` is enabled. Explicit SOCKSv5 hostname get the priority.
# `dst domain .` will match any domain (but not for connection w/o domain).