[dns] Add dual-stack fake IP rewriting with nftables maps

Support A and AAAA DNS answer rewriting, CNAME alias handling, and temporary IPv4/IPv6 NAT mappings backed by nftables sets/maps. Add example nftables rules and expand the README with usage, behavior, and setup notes.
2026-05-19 13:43:17 +08:00
parent 63c471be8e
commit b066e36770
3 changed files with 680 additions and 239 deletions
--- a/src/rules.nft
+++ b/src/rules.nft
@@ -0,0 +1,37 @@
+table inet dotp {
+    map nat_map {
+        type ipv4_addr : ipv4_addr
+    }
+
+    map nat_map6 {
+        type ipv6_addr : ipv6_addr
+    }
+
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+        dnat ip to ip daddr map @nat_map
+        dnat ip6 to ip6 daddr map @nat_map6
+    }
+
+    set nat_addr {
+        type ipv4_addr
+    }
+
+    set nat_addr6 {
+        type ipv6_addr
+    }
+
+    chain proxy {
+        meta mark set 1
+        meta l4proto tcp counter tproxy ip to 127.0.0.1:2040 accept
+        meta l4proto udp counter tproxy ip to 127.0.0.1:2040 accept
+        meta l4proto tcp counter tproxy ip6 to [::1]:2040 accept
+        meta l4proto udp counter tproxy ip6 to [::1]:2040 accept
+    }
+
+    chain proxy_dst_check {
+        type filter hook prerouting priority dstnat + 1; policy accept;
+        ip daddr @nat_addr goto proxy
+        ip6 daddr @nat_addr6 goto proxy
+    }
+}