history-museum/clash
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Docs: new documentation site (#2723)

Browse Source 
This commit adds a VitePress build to the main repository,
aiming to ditch GitHub Wiki. Moving further, we're going to
host our own documentation site eithor on GitHub Pages or
something alike.
This commit is contained in:
Birkhoff Lee
2023-05-15 21:47:01 +08:00
committed by GitHub
parent 10dcb7a3ad
commit ca42ca2ca8
30 changed files with 2477 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/premium/ebpf.md Normal file
View File

@ -0,0 +1,22 @@
---
sidebarTitle: "Feature: eBPF Redirect to TUN"
sidebarOrder: 3
---
# eBPF Redirect to TUN
eBPF redirect to TUN is a feature that intercepts all network traffic on a specific network interface and redirects it to the TUN interface.
::: warning
This feature conflicts with `tun.auto-route`.
:::
It requires [kernel support](https://github.com/iovisor/bcc/blob/master/INSTALL.md#kernel-configuration) and is less tested, however it would bring better performance compared to `tun.auto-redir` and `tun.auto-route`.
## Configuration
```yaml
ebpf:
redirect-to-tun:
- eth0
```

19
docs/premium/experimental-features.md Normal file
View File

@ -0,0 +1,19 @@
---
sidebarTitle: Experimental Features
sidebarOrder: 9
---
# Experimental Features
Occasionally we make new features that would require a fair amount of testing before having it in the main release. These features are marked as experimental and are disabled by default.
::: warning
Some features listed here can be unstable, and might get removed in any future version - we do not recommend using them unless you have a specific reason to do so.
:::
## Sniff TLS SNI
```yaml
experimental:
sniff-tls-sni: true
```

26
docs/premium/introduction.md Normal file
View File

@ -0,0 +1,26 @@
---
sidebarTitle: Introduction
sidebarOrder: 1
---
# Introduction
In the past, there was only one open-source version of Clash, until some [improper uses and redistributions](https://github.com/Dreamacro/clash/issues/541#issuecomment-672029110) of Clash arose. From that, we decided to fork Clash and develop the more advanced features in a private GitHub repository.
Don't worry just yet - the Premium core will stay free of charge, and the security is enforced with peer reviews from multiple credible developers.
## What's the difference?
The Premium core is a fork of the open-source Clash core with the addition of the following features:
- [TUN Device](/premium/tun-device) with the support of `auto-redir` and `auto-route`
- [eBPF Redirect to TUN](/premium/ebpf)
- [Rule Providers](/premium/rule-providers)
- [Script](/premium/script)
- [Script Shortcuts](/premium/script-shortcuts)
- [Userspace Wireguard](/premium/userspace-wireguard)
- [The Profiling Engine](/premium/the-profiling-engine)
## Obtaining a Copy
You can download the latest Clash Premium binaries from [GitHub Releases](https://github.com/Dreamacro/clash/releases/tag/premium).

100
docs/premium/rule-providers.md Normal file
View File

@ -0,0 +1,100 @@
---
sidebarTitle: "Feature: Rule Providers"
sidebarOrder: 4
---
# Rule Providers
Rule Providers are pretty much the same compared to Proxy Providers. It enables users to load rules from external sources and overall cleaner configuration. This feature is currently Premium core only.
To define a Rule Provider, add the `rule-providers` field to the main configuration:
```yaml
rule-providers:
apple:
behavior: "domain" # domain, ipcidr or classical (premium core only)
type: http
url: "url"
# format: 'yaml' # or 'text'
interval: 3600
path: ./apple.yaml
microsoft:
behavior: "domain"
type: file
path: /microsoft.yaml
rules:
- RULE-SET,apple,REJECT
- RULE-SET,microsoft,policy
```
There are three behavior types available:
## `domain`
yaml:
```yaml
payload:
- '.blogger.com'
- '*.*.microsoft.com'
- 'books.itunes.apple.com'
```
text:
```txt
# comment
.blogger.com
*.*.microsoft.com
books.itunes.apple.com
```
## `ipcidr`
yaml
```yaml
payload:
- '192.168.1.0/24'
- '10.0.0.0.1/32'
```
text:
```txt
# comment
192.168.1.0/24
10.0.0.0.1/32
```
## `classical`
yaml:
```yaml
payload:
- DOMAIN-SUFFIX,google.com
- DOMAIN-KEYWORD,google
- DOMAIN,ad.com
- SRC-IP-CIDR,192.168.1.201/32
- IP-CIDR,127.0.0.0/8
- GEOIP,CN
- DST-PORT,80
- SRC-PORT,7777
# MATCH is not necessary here
```
text:
```txt
# comment
DOMAIN-SUFFIX,google.com
DOMAIN-KEYWORD,google
DOMAIN,ad.com
SRC-IP-CIDR,192.168.1.201/32
IP-CIDR,127.0.0.0/8
GEOIP,CN
DST-PORT,80
SRC-PORT,7777
```

38
docs/premium/script-shortcuts.md Normal file
View File

@ -0,0 +1,38 @@
---
sidebarTitle: "Feature: Script Shortcuts"
sidebarOrder: 6
---
# Script Shortcuts
Clash Premium implements the Scripting feature powered by Python3, enableing users to programmatically select policies for the packets with dynamic flexibility.
You can either controll the entire rule-matching engine with a single Python script, or define a number of shortcuts and use them in companion with the regular rules. This page refers to the latter feature, for the former, see [Script](./script.md).
This feature enables the use of script in `rules` mode. By default, DNS resolution takes place for SCRIPT rules. `no-resolve` can be appended to the rule to prevent the resolution. (i.e.: `SCRIPT,quic,DIRECT,no-resolve`)
**NOTE: ****`src_port`**** and ****`dst_port`**** are number**
```yaml
mode: Rule
script:
shortcuts:
quic: network == 'udp' and dst_port == 443
curl: resolve_process_name() == 'curl'
# curl: resolve_process_path() == '/usr/bin/curl'
rules:
- SCRIPT,quic,REJECT
```
## Function Definitions
```ts
type resolve_ip = (host: string) => string // ip string
type in_cidr = (ip: string, cidr: string) => boolean // ip in cidr
type geoip = (ip: string) => string // country code
type match_provider = (name: string) => boolean // in rule provider
type resolve_process_name = () => string // find process name (curl .e.g)
type resolve_process_path = () => string // find process path (/usr/bin/curl .e.g)
```

70
docs/premium/script.md Normal file
View File

@ -0,0 +1,70 @@
---
sidebarTitle: "Feature: Script"
sidebarOrder: 5
---
# Script
Clash Premium implements the Scripting feature powered by Python3, enableing users to programmatically select policies for the packets with dynamic flexibility.
You can either controll the entire rule-matching engine with a single Python script, or define a number of shortcuts and use them in companion with the regular rules. This page refers to the first feature, for the latter, see [Script Shortcuts](./script-shortcuts.md).
## Scripting the entire rule-matching engine
```yaml
mode: Script
# https://lancellc.gitbook.io/clash/clash-config-file/script
script:
code: |
def main(ctx, metadata):
ip = metadata["dst_ip"] = ctx.resolve_ip(metadata["host"])
if ip == "":
return "DIRECT"
code = ctx.geoip(ip)
if code == "LAN" or code == "CN":
return "DIRECT"
return "Proxy" # default policy for requests which are not matched by any other script
```
If you want to use ip rules (i.e.: IP-CIDR, GEOIP, etc), you will first need to manually resolve IP addresses and assign them to metadata:
```python
def main(ctx, metadata):
# ctx.rule_providers["geoip"].match(metadata) return false
ip = ctx.resolve_ip(metadata["host"])
if ip == "":
return "DIRECT"
metadata["dst_ip"] = ip
# ctx.rule_providers["iprule"].match(metadata) return true
return "Proxy"
```
Interface definition for Metadata and Context:
```ts
interface Metadata {
type: string // socks5、http
network: string // tcp
host: string
src_ip: string
src_port: string
dst_ip: string
dst_port: string
}
interface Context {
resolve_ip: (host: string) => string // ip string
resolve_process_name: (metadata: Metadata) => string
resolve_process_path: (metadata: Metadata) => string
geoip: (ip: string) => string // country code
log: (log: string) => void
proxy_providers: Record<string, Array<{ name: string, alive: boolean, delay: number }>>
rule_providers: Record<string, { match: (metadata: Metadata) => boolean }>
}
```

13
docs/premium/the-profiling-engine.md Normal file
View File

@ -0,0 +1,13 @@
---
sidebarTitle: "Feature: The Profiling Engine"
sidebarOrder: 8
---
# The Profiling Engine
https://github.com/Dreamacro/clash-tracing
```yaml
profile:
tracing: true
```

65
docs/premium/tun-device.md Normal file
View File

@ -0,0 +1,65 @@
---
sidebarTitle: "Feature: TUN Device"
sidebarOrder: 2
---
# TUN Device
The Premium core has out-of-the-box support of TUN device. Being a Network layer device, it can be used to handle TCP, UDP, ICMP traffic. It has been extensively tested and used in production environments - you can even play competitive games with it.
One of the biggest advantage of using Clash TUN is the built-in support of the *automagic* management of the route table, routing rules and nftable. You can enable it with the options `tun.auto-route` and `tun.auto-redir`. It's a drop-in replacement of the ancient configuration option `redir-port` (TCP) for the sake of easier configuration and better stability.
::: tip
`tun.auto-route` and `tun.auto-redir` are only available on macOS, Windows, Linux and Android, and only receives IPv4 traffic.
:::
There are two options of TCP/IP stack available: `system` or `gvisor`. In order to get the best performance available, we recommend that you always use `system` stack unless you have a specific reason or compatibility issue to use `gvisor`. If that's the case, do not hesitate to [submit an issue](https://github.com/Dreamacro/clash/issues/new/choose).
## Technical Limitations
* For Android, the control device is at `/dev/tun` instead of `/dev/net/tun`, you will need to create a symbolic link first (i.e. `ln -sf /dev/tun /dev/net/tun`)
* DNS hijacking might result in a failure, if the system DNS is at a private IP address (since `auto-route` does not capture private network traffic).
## Linux, macOS or Android
This is an example configuration of the TUN feature:
```yaml
interface-name: en0 # conflict with `tun.auto-detect-interface`
tun:
enable: true
stack: system # or gvisor
# dns-hijack:
# - 8.8.8.8:53
# - tcp://8.8.8.8:53
# - any:53
# - tcp://any:53
auto-route: true # manage `ip route` and `ip rules`
auto-redir: true # manage nftable REDIRECT
auto-detect-interface: true # conflict with `interface-name`
```
Be advised, since the use of TUN device and manipulation of system route/nft settings, Clash will need superuser privileges to run.
```shell
sudo ./clash
```
If your device already has some TUN device, Clash TUN might not work - you will have to check the route table and routing rules manually. In this case, `fake-ip-filter` may helpful as well.
## Windows
You will need to visit the [WinTUN website](https://www.wintun.net) and download the latest release. After that, copy `wintun.dll` into Clash home directory. Example configuration:
```yaml
tun:
enable: true
stack: gvisor # or system
dns-hijack:
- 198.18.0.2:53 # when `fake-ip-range` is 198.18.0.1/16, should hijack 198.18.0.2:53
auto-route: true # auto set global route for Windows
# It is recommended to use `interface-name`
auto-detect-interface: true # auto detect interface, conflict with `interface-name`
```

25
docs/premium/userspace-wireguard.md Normal file
View File

@ -0,0 +1,25 @@
---
sidebarTitle: "Feature: Userspace Wireguard"
sidebarOrder: 7
---
# Userspace Wireguard
Due to the dependency on gvisor TCP/IP stack, Wireguard outbound is currently only available in the Premium core.
```yaml
proxies:
- name: "wg"
type: wireguard
server: 127.0.0.1
port: 443
ip: 172.16.0.2
# ipv6: your_ipv6
private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
# preshared-key: base64
# remote-dns-resolve: true # remote resolve DNS with `dns` field, default is true
# dns: [1.1.1.1, 8.8.8.8]
# mtu: 1420
udp: true
```