Direct/Freedom outbound: Add finalRules (matches network, port and ip, then action) with default safe policies (#6027)

Document: https://xtls.github.io/config/outbounds/freedom.html#finalruleobject https://github.com/XTLS/Xray-core/pull/6027#issuecomment-4335790980 https://github.com/XTLS/Xray-core/pull/6027#issuecomment-4336309055 https://github.com/XTLS/Xray-core/pull/6027#issuecomment-4338269638 Closes https://github.com/XTLS/Xray-core/issues/6018#issuecomment-4329273637 --------- Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
2026-05-08 14:13:22 +00:00 · 2026-05-02 09:54:34 +08:00
parent 7ab0a3ccb7
commit 4e87f59628
26 changed files with 538 additions and 225 deletions
--- a/proxy/freedom/config.pb.go
+++ b/proxy/freedom/config.pb.go
@@ -8,6 +8,7 @@ package freedom

 import (
 	geodata "github.com/xtls/xray-core/common/geodata"
+	net "github.com/xtls/xray-core/common/net"
 	protocol "github.com/xtls/xray-core/common/protocol"
 	internet "github.com/xtls/xray-core/transport/internet"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
@@ -24,6 +25,52 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )

+type RuleAction int32
+
+const (
+	RuleAction_Allow RuleAction = 0
+	RuleAction_Block RuleAction = 1
+)
+
+// Enum value maps for RuleAction.
+var (
+	RuleAction_name = map[int32]string{
+		0: "Allow",
+		1: "Block",
+	}
+	RuleAction_value = map[string]int32{
+		"Allow": 0,
+		"Block": 1,
+	}
+)
+
+func (x RuleAction) Enum() *RuleAction {
+	p := new(RuleAction)
+	*p = x
+	return p
+}
+
+func (x RuleAction) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (RuleAction) Descriptor() protoreflect.EnumDescriptor {
+	return file_proxy_freedom_config_proto_enumTypes[0].Descriptor()
+}
+
+func (RuleAction) Type() protoreflect.EnumType {
+	return &file_proxy_freedom_config_proto_enumTypes[0]
+}
+
+func (x RuleAction) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use RuleAction.Descriptor instead.
+func (RuleAction) EnumDescriptor() ([]byte, []int) {
+	return file_proxy_freedom_config_proto_rawDescGZIP(), []int{0}
+}
+
 type DestinationOverride struct {
 	state         protoimpl.MessageState   `protogen:"open.v1"`
 	Server        *protocol.ServerEndpoint `protobuf:"bytes,1,opt,name=server,proto3" json:"server,omitempty"`
@@ -252,27 +299,30 @@ func (x *Noise) GetApplyTo() string {
 	return ""
 }

-type IPRules struct {
+type FinalRuleConfig struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
-	Rules         []*geodata.IPRule      `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
+	Action        RuleAction             `protobuf:"varint,1,opt,name=action,proto3,enum=xray.proxy.freedom.RuleAction" json:"action,omitempty"`
+	Networks      []net.Network          `protobuf:"varint,2,rep,packed,name=networks,proto3,enum=xray.common.net.Network" json:"networks,omitempty"`
+	PortList      *net.PortList          `protobuf:"bytes,3,opt,name=port_list,json=portList,proto3" json:"port_list,omitempty"`
+	Ip            []*geodata.IPRule      `protobuf:"bytes,4,rep,name=ip,proto3" json:"ip,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }

-func (x *IPRules) Reset() {
-	*x = IPRules{}
+func (x *FinalRuleConfig) Reset() {
+	*x = FinalRuleConfig{}
 	mi := &file_proxy_freedom_config_proto_msgTypes[3]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }

-func (x *IPRules) String() string {
+func (x *FinalRuleConfig) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*IPRules) ProtoMessage() {}
+func (*FinalRuleConfig) ProtoMessage() {}

-func (x *IPRules) ProtoReflect() protoreflect.Message {
+func (x *FinalRuleConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_proxy_freedom_config_proto_msgTypes[3]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -284,14 +334,35 @@ func (x *IPRules) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use IPRules.ProtoReflect.Descriptor instead.
-func (*IPRules) Descriptor() ([]byte, []int) {
+// Deprecated: Use FinalRuleConfig.ProtoReflect.Descriptor instead.
+func (*FinalRuleConfig) Descriptor() ([]byte, []int) {
 	return file_proxy_freedom_config_proto_rawDescGZIP(), []int{3}
 }

-func (x *IPRules) GetRules() []*geodata.IPRule {
+func (x *FinalRuleConfig) GetAction() RuleAction {
 	if x != nil {
-		return x.Rules
+		return x.Action
+	}
+	return RuleAction_Allow
+}
+
+func (x *FinalRuleConfig) GetNetworks() []net.Network {
+	if x != nil {
+		return x.Networks
+	}
+	return nil
+}
+
+func (x *FinalRuleConfig) GetPortList() *net.PortList {
+	if x != nil {
+		return x.PortList
+	}
+	return nil
+}
+
+func (x *FinalRuleConfig) GetIp() []*geodata.IPRule {
+	if x != nil {
+		return x.Ip
 	}
 	return nil
 }
@@ -304,7 +375,7 @@ type Config struct {
 	Fragment            *Fragment               `protobuf:"bytes,5,opt,name=fragment,proto3" json:"fragment,omitempty"`
 	ProxyProtocol       uint32                  `protobuf:"varint,6,opt,name=proxy_protocol,json=proxyProtocol,proto3" json:"proxy_protocol,omitempty"`
 	Noises              []*Noise                `protobuf:"bytes,7,rep,name=noises,proto3" json:"noises,omitempty"`
-	IpsBlocked          *IPRules                `protobuf:"bytes,8,opt,name=ips_blocked,json=ipsBlocked,proto3,oneof" json:"ips_blocked,omitempty"`
+	FinalRules          []*FinalRuleConfig      `protobuf:"bytes,8,rep,name=final_rules,json=finalRules,proto3" json:"final_rules,omitempty"`
 	unknownFields       protoimpl.UnknownFields
 	sizeCache           protoimpl.SizeCache
 }
@@ -381,9 +452,9 @@ func (x *Config) GetNoises() []*Noise {
 	return nil
 }

-func (x *Config) GetIpsBlocked() *IPRules {
+func (x *Config) GetFinalRules() []*FinalRuleConfig {
 	if x != nil {
-		return x.IpsBlocked
+		return x.FinalRules
 	}
 	return nil
 }
@@ -392,7 +463,7 @@ var File_proxy_freedom_config_proto protoreflect.FileDescriptor

 const file_proxy_freedom_config_proto_rawDesc = "" +
 	"\n" +
-	"\x1aproxy/freedom/config.proto\x12\x12xray.proxy.freedom\x1a!common/protocol/server_spec.proto\x1a\x1ftransport/internet/config.proto\x1a\x1bcommon/geodata/geodat.proto\"S\n" +
+	"\x1aproxy/freedom/config.proto\x12\x12xray.proxy.freedom\x1a!common/protocol/server_spec.proto\x1a\x1ftransport/internet/config.proto\x1a\x15common/net/port.proto\x1a\x18common/net/network.proto\x1a\x1bcommon/geodata/geodat.proto\"S\n" +
 	"\x13DestinationOverride\x12<\n" +
 	"\x06server\x18\x01 \x01(\v2$.xray.common.protocol.ServerEndpointR\x06server\"\x98\x02\n" +
 	"\bFragment\x12!\n" +
@@ -415,9 +486,12 @@ const file_proxy_freedom_config_proto_rawDesc = "" +
 	"\tdelay_min\x18\x03 \x01(\x04R\bdelayMin\x12\x1b\n" +
 	"\tdelay_max\x18\x04 \x01(\x04R\bdelayMax\x12\x16\n" +
 	"\x06packet\x18\x05 \x01(\fR\x06packet\x12\x19\n" +
-	"\bapply_to\x18\x06 \x01(\tR\aapplyTo\"<\n" +
-	"\aIPRules\x121\n" +
-	"\x05rules\x18\x01 \x03(\v2\x1b.xray.common.geodata.IPRuleR\x05rules\"\xbc\x03\n" +
+	"\bapply_to\x18\x06 \x01(\tR\aapplyTo\"\xe4\x01\n" +
+	"\x0fFinalRuleConfig\x126\n" +
+	"\x06action\x18\x01 \x01(\x0e2\x1e.xray.proxy.freedom.RuleActionR\x06action\x124\n" +
+	"\bnetworks\x18\x02 \x03(\x0e2\x18.xray.common.net.NetworkR\bnetworks\x126\n" +
+	"\tport_list\x18\x03 \x01(\v2\x19.xray.common.net.PortListR\bportList\x12+\n" +
+	"\x02ip\x18\x04 \x03(\v2\x1b.xray.common.geodata.IPRuleR\x02ip\"\xaf\x03\n" +
 	"\x06Config\x12P\n" +
 	"\x0fdomain_strategy\x18\x01 \x01(\x0e2'.xray.transport.internet.DomainStrategyR\x0edomainStrategy\x12Z\n" +
 	"\x14destination_override\x18\x03 \x01(\v2'.xray.proxy.freedom.DestinationOverrideR\x13destinationOverride\x12\x1d\n" +
@@ -425,10 +499,13 @@ const file_proxy_freedom_config_proto_rawDesc = "" +
 	"user_level\x18\x04 \x01(\rR\tuserLevel\x128\n" +
 	"\bfragment\x18\x05 \x01(\v2\x1c.xray.proxy.freedom.FragmentR\bfragment\x12%\n" +
 	"\x0eproxy_protocol\x18\x06 \x01(\rR\rproxyProtocol\x121\n" +
-	"\x06noises\x18\a \x03(\v2\x19.xray.proxy.freedom.NoiseR\x06noises\x12A\n" +
-	"\vips_blocked\x18\b \x01(\v2\x1b.xray.proxy.freedom.IPRulesH\x00R\n" +
-	"ipsBlocked\x88\x01\x01B\x0e\n" +
-	"\f_ips_blockedBX\n" +
+	"\x06noises\x18\a \x03(\v2\x19.xray.proxy.freedom.NoiseR\x06noises\x12D\n" +
+	"\vfinal_rules\x18\b \x03(\v2#.xray.proxy.freedom.FinalRuleConfigR\n" +
+	"finalRules*\"\n" +
+	"\n" +
+	"RuleAction\x12\t\n" +
+	"\x05Allow\x10\x00\x12\t\n" +
+	"\x05Block\x10\x01BX\n" +
 	"\x16com.xray.proxy.freedomP\x01Z'github.com/xtls/xray-core/proxy/freedom\xaa\x02\x12Xray.Proxy.Freedomb\x06proto3"

 var (
@@ -443,30 +520,37 @@ func file_proxy_freedom_config_proto_rawDescGZIP() []byte {
 	return file_proxy_freedom_config_proto_rawDescData
 }

+var file_proxy_freedom_config_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
 var file_proxy_freedom_config_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
 var file_proxy_freedom_config_proto_goTypes = []any{
-	(*DestinationOverride)(nil),     // 0: xray.proxy.freedom.DestinationOverride
-	(*Fragment)(nil),                // 1: xray.proxy.freedom.Fragment
-	(*Noise)(nil),                   // 2: xray.proxy.freedom.Noise
-	(*IPRules)(nil),                 // 3: xray.proxy.freedom.IPRules
-	(*Config)(nil),                  // 4: xray.proxy.freedom.Config
-	(*protocol.ServerEndpoint)(nil), // 5: xray.common.protocol.ServerEndpoint
-	(*geodata.IPRule)(nil),          // 6: xray.common.geodata.IPRule
-	(internet.DomainStrategy)(0),    // 7: xray.transport.internet.DomainStrategy
+	(RuleAction)(0),                 // 0: xray.proxy.freedom.RuleAction
+	(*DestinationOverride)(nil),     // 1: xray.proxy.freedom.DestinationOverride
+	(*Fragment)(nil),                // 2: xray.proxy.freedom.Fragment
+	(*Noise)(nil),                   // 3: xray.proxy.freedom.Noise
+	(*FinalRuleConfig)(nil),         // 4: xray.proxy.freedom.FinalRuleConfig
+	(*Config)(nil),                  // 5: xray.proxy.freedom.Config
+	(*protocol.ServerEndpoint)(nil), // 6: xray.common.protocol.ServerEndpoint
+	(net.Network)(0),                // 7: xray.common.net.Network
+	(*net.PortList)(nil),            // 8: xray.common.net.PortList
+	(*geodata.IPRule)(nil),          // 9: xray.common.geodata.IPRule
+	(internet.DomainStrategy)(0),    // 10: xray.transport.internet.DomainStrategy
 }
 var file_proxy_freedom_config_proto_depIdxs = []int32{
-	5, // 0: xray.proxy.freedom.DestinationOverride.server:type_name -> xray.common.protocol.ServerEndpoint
-	6, // 1: xray.proxy.freedom.IPRules.rules:type_name -> xray.common.geodata.IPRule
-	7, // 2: xray.proxy.freedom.Config.domain_strategy:type_name -> xray.transport.internet.DomainStrategy
-	0, // 3: xray.proxy.freedom.Config.destination_override:type_name -> xray.proxy.freedom.DestinationOverride
-	1, // 4: xray.proxy.freedom.Config.fragment:type_name -> xray.proxy.freedom.Fragment
-	2, // 5: xray.proxy.freedom.Config.noises:type_name -> xray.proxy.freedom.Noise
-	3, // 6: xray.proxy.freedom.Config.ips_blocked:type_name -> xray.proxy.freedom.IPRules
-	7, // [7:7] is the sub-list for method output_type
-	7, // [7:7] is the sub-list for method input_type
-	7, // [7:7] is the sub-list for extension type_name
-	7, // [7:7] is the sub-list for extension extendee
-	0, // [0:7] is the sub-list for field type_name
+	6,  // 0: xray.proxy.freedom.DestinationOverride.server:type_name -> xray.common.protocol.ServerEndpoint
+	0,  // 1: xray.proxy.freedom.FinalRuleConfig.action:type_name -> xray.proxy.freedom.RuleAction
+	7,  // 2: xray.proxy.freedom.FinalRuleConfig.networks:type_name -> xray.common.net.Network
+	8,  // 3: xray.proxy.freedom.FinalRuleConfig.port_list:type_name -> xray.common.net.PortList
+	9,  // 4: xray.proxy.freedom.FinalRuleConfig.ip:type_name -> xray.common.geodata.IPRule
+	10, // 5: xray.proxy.freedom.Config.domain_strategy:type_name -> xray.transport.internet.DomainStrategy
+	1,  // 6: xray.proxy.freedom.Config.destination_override:type_name -> xray.proxy.freedom.DestinationOverride
+	2,  // 7: xray.proxy.freedom.Config.fragment:type_name -> xray.proxy.freedom.Fragment
+	3,  // 8: xray.proxy.freedom.Config.noises:type_name -> xray.proxy.freedom.Noise
+	4,  // 9: xray.proxy.freedom.Config.final_rules:type_name -> xray.proxy.freedom.FinalRuleConfig
+	10, // [10:10] is the sub-list for method output_type
+	10, // [10:10] is the sub-list for method input_type
+	10, // [10:10] is the sub-list for extension type_name
+	10, // [10:10] is the sub-list for extension extendee
+	0,  // [0:10] is the sub-list for field type_name
 }

 func init() { file_proxy_freedom_config_proto_init() }
@@ -474,19 +558,19 @@ func file_proxy_freedom_config_proto_init() {
 	if File_proxy_freedom_config_proto != nil {
 		return
 	}
-	file_proxy_freedom_config_proto_msgTypes[4].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_proxy_freedom_config_proto_rawDesc), len(file_proxy_freedom_config_proto_rawDesc)),
-			NumEnums:      0,
+			NumEnums:      1,
 			NumMessages:   5,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
 		GoTypes:           file_proxy_freedom_config_proto_goTypes,
 		DependencyIndexes: file_proxy_freedom_config_proto_depIdxs,
+		EnumInfos:         file_proxy_freedom_config_proto_enumTypes,
 		MessageInfos:      file_proxy_freedom_config_proto_msgTypes,
 	}.Build()
 	File_proxy_freedom_config_proto = out.File