Add pre-match support for auto redirect

2025-12-26 15:52:28 +08:00
parent a34868468f
commit 78b4eac974
17 changed files with 354 additions and 11 deletions
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -4,6 +4,8 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

+    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)
+    :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)
    :material-plus: [exclude_mptcp](#exclude_mptcp)

 !!! quote "Changes in sing-box 1.12.0"
@@ -67,6 +69,8 @@ icon: material/new-box
  "auto_redirect": true,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
+  "auto_redirect_reset_mark": "0x2025",
+  "auto_redirect_nfqueue": 100,
  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
@@ -283,6 +287,22 @@ Connection output mark used by `auto_redirect`.

 `0x2024` is used by default.

+#### auto_redirect_reset_mark
+
+!!! question "Since sing-box 1.13.0"
+
+Connection reset mark used by `auto_redirect` pre-matching.
+
+`0x2025` is used by default.
+
+#### auto_redirect_nfqueue
+
+!!! question "Since sing-box 1.13.0"
+
+NFQueue number used by `auto_redirect` pre-matching.
+
+`100` is used by default.
+
 #### exclude_mptcp

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -4,6 +4,8 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

+    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)
+    :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)
    :material-plus: [exclude_mptcp](#exclude_mptcp)

 !!! quote "sing-box 1.12.0 中的更改"
@@ -67,6 +69,8 @@ icon: material/new-box
  "auto_redirect": true,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
+  "auto_redirect_reset_mark": "0x2025",
+  "auto_redirect_nfqueue": 100,
  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
@@ -282,6 +286,22 @@ tun 接口的 IPv6 前缀。

 默认使用 `0x2024`。

+#### auto_redirect_reset_mark
+
+!!! question "自 sing-box 1.13.0 起"
+
+`auto_redirect` 预匹配使用的连接重置标记。
+
+默认使用 `0x2025`。
+
+#### auto_redirect_nfqueue
+
+!!! question "自 sing-box 1.13.0 起"
+
+`auto_redirect` 预匹配使用的 NFQueue 编号。
+
+默认使用 `100`。
+
 #### exclude_mptcp

 !!! question "自 sing-box 1.13.0 起"
--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@@ -4,6 +4,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

+    :material-plus: [bypass](#bypass)
    :material-alert: [reject](#reject)

 !!! quote "Changes in sing-box 1.12.0"
@@ -44,6 +45,40 @@ Tag of target outbound.

 See `route-options` fields below.

+### bypass
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_redirect` enabled.
+
+```json
+{
+  "action": "bypass",
+  "outbound": "",
+
+  ... // route-options Fields
+}
+```
+
+`bypass` routes connection to the specified outbound.
+
+For tun connections in [pre-match](/configuration/shared/pre-match/),
+the connection will bypass sing-box and connect directly at the kernel level.
+
+For non-tun connections and already established connections, the behavior is the same as `route`.
+
+#### outbound
+
+==Required==
+
+Tag of target outbound.
+
+#### route-options Fields
+
+See `route-options` fields below.
+
 ### reject

 !!! quote "Changes in sing-box 1.13.0"
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@@ -4,6 +4,7 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

+    :material-plus: [bypass](#bypass)
    :material-alert: [reject](#reject)

 !!! quote "sing-box 1.12.0 中的更改"
@@ -40,6 +41,39 @@ icon: material/new-box

 参阅下方的 `route-options` 字段。

+### bypass
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要启用 `auto_redirect`。
+
+```json
+{
+  "action": "bypass",
+  "outbound": "",
+
+  ... // route-options 字段
+}
+```
+
+`bypass` 将连接路由到指定出站。
+
+对于[预匹配](/configuration/shared/pre-match/)中的 tun 连接，连接将在内核层面绕过 sing-box 直接连接。
+
+对于非 tun 连接和已建立的连接，行为与 `route` 相同。
+
+#### outbound
+
+==必填==
+
+目标出站的标签。
+
+#### route-options 字段
+
+参阅下方的 `route-options` 字段。
+
 ### reject

 !!! quote "sing-box 1.13.0 中的更改"
--- a/docs/configuration/shared/pre-match.md
+++ b/docs/configuration/shared/pre-match.md
@@ -0,0 +1,39 @@
+---
+icon: material/new-box
+---
+
+# Pre-match
+
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [bypass](#bypass)
+
+Pre-match is rule matching that runs before the connection is established.
+
+### How it works
+
+When TUN receives a connection request, the connection has not yet been established,
+so no connection data can be read. In this phase, sing-box runs the routing rules in pre-match mode.
+
+Since connection data is unavailable, only actions that do not require connection data can be executed.
+When a rule matches an action that requires an established connection, pre-match stops at that rule.
+
+### Supported actions
+
+#### reject
+
+Reject with TCP RST / ICMP unreachable.
+
+#### route
+
+Route ICMP connections to the specified outbound for direct reply.
+
+#### bypass
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_redirect` enabled.
+
+Bypass sing-box and connect directly at kernel level.
--- a/docs/configuration/shared/pre-match.zh.md
+++ b/docs/configuration/shared/pre-match.zh.md
@@ -0,0 +1,37 @@
+---
+icon: material/new-box
+---
+
+# 预匹配
+
+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [bypass](#bypass)
+
+预匹配是在连接建立之前运行的规则匹配。
+
+### 工作原理
+
+当 TUN 收到连接请求时，连接尚未建立，因此无法读取连接数据。在此阶段，sing-box 在预匹配模式下运行路由规则。
+
+由于连接数据不可用，只有不需要连接数据的动作才能执行。当规则匹配到需要已建立连接的动作时，预匹配将在该规则处停止。
+
+### 支持的动作
+
+#### reject
+
+以 TCP RST / ICMP 不可达拒绝。
+
+#### route
+
+将 ICMP 连接路由到指定出站以直接回复。
+
+#### bypass
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要启用 `auto_redirect`。
+
+在内核层面绕过 sing-box 直接连接。