Bump version to v0.8.0 and update docs

madeye · claude · madeye · commit 64738a7d5c39 · 2026-03-28T12:39:11.000+08:00
- Version bump to 0.8.0
- Add e2e testing feature to README, docs, and Chinese translations
- Update local traffic docs: fwmark/IP_BOUND_IF replaces UID-based approach
- Update script usage examples with new argument format
- Remove deprecated --proxy-user from CLI table, add --fwmark

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -3,7 +3,7 @@ members = [".", "test_servers", "e2e"]
 
 [package]
 name = "trans_proxy"
-version = "0.7.0"
+version = "0.8.0"
 edition = "2021"
 description = "Transparent proxy with upstream HTTP CONNECT and SOCKS5 proxy support (macOS pf, Linux nftables)"
 license = "MIT"
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ Designed to run on a machine acting as a side router (gateway) for other devices
 - **Daemon mode** — Run as a background process with PID file and log file support
 - **Service install** — launchd on macOS, systemd on Linux. On Linux, nftables NAT rules are automatically managed via ExecStartPre/ExecStopPost
 - **Async I/O** — Built on tokio with per-connection task spawning
+- **End-to-end tested** — Full e2e test suite exercises the real nftables/pf + proxy pipeline on both Linux and macOS
 
 ## Requirements
 
@@ -184,7 +185,7 @@ sudo ./target/release/trans_proxy \
 | `--pid-file` | `/var/run/trans_proxy.pid` | PID file path (used with `--daemon`) |
 | `--log-file` | `/var/log/trans_proxy.log` (daemon) / stderr | Log file path |
 | `--local-traffic` | off | Also intercept traffic originating from the gateway itself (not just forwarded LAN traffic) |
-| `--proxy-user` | `trans_proxy` | System user for loop prevention when `--local-traffic` is enabled |
+| `--fwmark` | `1` | Firewall mark for loop prevention on Linux (used with `--local-traffic`) |
 | `--ports` | *(all TCP)* | Comma-separated list of TCP ports to redirect (e.g., `22,80,443`). When omitted, all TCP traffic is redirected |
 | `--install` | off | Install as a system service (launchd on macOS, systemd on Linux) |
 | `--uninstall` | off | Uninstall the system service |
@@ -196,9 +197,10 @@ sudo ./target/release/trans_proxy \
 The included scripts manage pf rules via an anchor (won't interfere with existing firewall rules).
 
 ```bash
-sudo scripts/pf_setup.sh <interface> [proxy_port] [proxy_user] [ports]
-sudo scripts/pf_setup.sh en0 8443                    # all TCP
-sudo scripts/pf_setup.sh en0 8443 "" 80,443           # only ports 80,443
+sudo scripts/pf_setup.sh <interface> [proxy_port] [upstream_proxy] [ports]
+sudo scripts/pf_setup.sh en0 8443                              # all TCP
+sudo scripts/pf_setup.sh en0 8443 "" 80,443                    # only ports 80,443
+sudo scripts/pf_setup.sh en0 8443 127.0.0.1:1082              # all TCP + local traffic
 
 # Tear down
 sudo scripts/pf_teardown.sh
@@ -209,9 +211,10 @@ sudo scripts/pf_teardown.sh
 The included scripts create a dedicated nftables table for trans_proxy.
 
 ```bash
-sudo scripts/nftables_setup.sh <interface> [proxy_port] [proxy_user] [ports]
-sudo scripts/nftables_setup.sh eth0 8443                    # all TCP
-sudo scripts/nftables_setup.sh eth0 8443 "" 80,443           # only ports 80,443
+sudo scripts/nftables_setup.sh <interface> [proxy_port] [fwmark] [upstream_proxy] [ports]
+sudo scripts/nftables_setup.sh eth0 8443                                  # all TCP
+sudo scripts/nftables_setup.sh eth0 8443 "" "" 80,443                     # only ports 80,443
+sudo scripts/nftables_setup.sh eth0 8443 1 127.0.0.1:7890                # all TCP + local traffic
 
 # Tear down
 sudo scripts/nftables_teardown.sh
@@ -281,30 +284,10 @@ sudo ./target/release/trans_proxy \
 
 #### How it works
 
-Loop prevention uses UID-based exclusion: the proxy runs as a dedicated system user, and firewall rules skip traffic from that user.
+Loop prevention is automatic — no dedicated system user required:
 
-- **Linux**: Adds an nftables OUTPUT chain with `meta skuid` exclusion
-- **macOS**: Adds `pass out route-to (lo0)` + `rdr on lo0` rules with `user !=` exclusion
-
-#### Creating the system user
-
-The proxy user must exist on the system before using `--local-traffic`.
-
-**Linux:**
-```bash
-sudo useradd --system --no-create-home --shell /usr/sbin/nologin trans_proxy
-```
-
-**macOS:**
-```bash
-# Find an unused UID (e.g., 499)
-sudo dscl . -create /Users/trans_proxy
-sudo dscl . -create /Users/trans_proxy UserShell /usr/bin/false
-sudo dscl . -create /Users/trans_proxy UniqueID 499
-sudo dscl . -create /Users/trans_proxy PrimaryGroupID 20
-```
-
-To use a different username, pass `--proxy-user <name>`.
+- **Linux**: Sets `SO_MARK` (fwmark) on outbound sockets; nftables OUTPUT chain skips marked packets
+- **macOS**: Sets `IP_BOUND_IF` to bind outbound sockets to `lo0` when the upstream is on localhost, plus a `pass out quick` pf rule to exclude the upstream proxy destination
 
 ### Client Setup
 
diff --git a/README_zh.md b/README_zh.md
@@ -27,6 +27,7 @@
 - **守护进程模式** — 作为后台进程运行，支持 PID 文件和日志文件
 - **系统服务** — macOS 使用 launchd，Linux 使用 systemd。Linux 上通过 ExecStartPre/ExecStopPost 自动管理 nftables NAT 规则
 - **异步 I/O** — 基于 tokio 构建，每个连接独立任务调度
+- **端到端测试** — 完整的端到端测试套件在 Linux 和 macOS 上运行真实的 nftables/pf + 代理流水线
 
 ## 系统要求
 
@@ -184,7 +185,7 @@ sudo ./target/release/trans_proxy \
 | `--pid-file` | `/var/run/trans_proxy.pid` | PID 文件路径（与 `--daemon` 配合使用） |
 | `--log-file` | `/var/log/trans_proxy.log`（守护进程）/ stderr | 日志文件路径 |
 | `--local-traffic` | 关闭 | 同时拦截网关本机发出的流量（不仅仅是转发的局域网流量） |
-| `--proxy-user` | `trans_proxy` | 启用 `--local-traffic` 时用于防止回环的系统用户 |
+| `--fwmark` | `1` | Linux 上用于防止回环的防火墙标记（与 `--local-traffic` 配合使用） |
 | `--ports` | *（所有 TCP）* | 要重定向的 TCP 端口列表，逗号分隔（例如 `22,80,443`）。未指定时重定向所有 TCP 流量 |
 | `--install` | 关闭 | 安装为系统服务（macOS 使用 launchd，Linux 使用 systemd） |
 | `--uninstall` | 关闭 | 卸载系统服务 |
@@ -194,9 +195,10 @@ sudo ./target/release/trans_proxy \
 #### macOS (pf)
 
 ```bash
-sudo scripts/pf_setup.sh <interface> [proxy_port] [proxy_user] [ports]
-sudo scripts/pf_setup.sh en0 8443                    # 所有 TCP
-sudo scripts/pf_setup.sh en0 8443 "" 80,443           # 仅端口 80,443
+sudo scripts/pf_setup.sh <interface> [proxy_port] [upstream_proxy] [ports]
+sudo scripts/pf_setup.sh en0 8443                              # 所有 TCP
+sudo scripts/pf_setup.sh en0 8443 "" 80,443                    # 仅端口 80,443
+sudo scripts/pf_setup.sh en0 8443 127.0.0.1:1082              # 所有 TCP + 本地流量
 
 # 拆除配置
 sudo scripts/pf_teardown.sh
@@ -205,9 +207,10 @@ sudo scripts/pf_teardown.sh
 #### Linux (nftables)
 
 ```bash
-sudo scripts/nftables_setup.sh <interface> [proxy_port] [proxy_user] [ports]
-sudo scripts/nftables_setup.sh eth0 8443                    # 所有 TCP
-sudo scripts/nftables_setup.sh eth0 8443 "" 80,443           # 仅端口 80,443
+sudo scripts/nftables_setup.sh <interface> [proxy_port] [fwmark] [upstream_proxy] [ports]
+sudo scripts/nftables_setup.sh eth0 8443                                  # 所有 TCP
+sudo scripts/nftables_setup.sh eth0 8443 "" "" 80,443                     # 仅端口 80,443
+sudo scripts/nftables_setup.sh eth0 8443 1 127.0.0.1:7890                # 所有 TCP + 本地流量
 
 # 拆除配置
 sudo scripts/nftables_teardown.sh
@@ -277,30 +280,10 @@ sudo ./target/release/trans_proxy \
 
 #### 工作原理
 
-通过基于 UID 的排除实现回环防护：代理以专用系统用户身份运行，防火墙规则跳过该用户的流量。
+回环防护是自动的，无需创建专用系统用户：
 
-- **Linux**：添加 nftables OUTPUT 链，使用 `meta skuid` 排除
-- **macOS**：添加 `pass out route-to (lo0)` + `rdr on lo0` 规则，使用 `user !=` 排除
-
-#### 创建系统用户
-
-使用 `--local-traffic` 前，代理用户必须已存在于系统中。
-
-**Linux：**
-```bash
-sudo useradd --system --no-create-home --shell /usr/sbin/nologin trans_proxy
-```
-
-**macOS：**
-```bash
-# 找一个未使用的 UID（例如 499）
-sudo dscl . -create /Users/trans_proxy
-sudo dscl . -create /Users/trans_proxy UserShell /usr/bin/false
-sudo dscl . -create /Users/trans_proxy UniqueID 499
-sudo dscl . -create /Users/trans_proxy PrimaryGroupID 20
-```
-
-如需使用其他用户名，请传递 `--proxy-user <name>`。
+- **Linux**：在出站 socket 上设置 `SO_MARK`（fwmark），nftables OUTPUT 链跳过带标记的数据包
+- **macOS**：当上游代理在本地时，设置 `IP_BOUND_IF` 将出站 socket 绑定到 `lo0`，并通过 `pass out quick` pf 规则排除上游代理目标地址
 
 ### 客户端设置
 
diff --git a/docs/index.html b/docs/index.html
@@ -859,6 +859,10 @@ <h3>System Service</h3>
           <h3>Async I/O</h3>
           <p>Built on tokio with per-connection task spawning. Handles many concurrent connections efficiently with bidirectional relay.</p>
         </div>
+        <div class="feature">
+          <h3>E2E Tested</h3>
+          <p>Full end-to-end test suite exercises the real nftables/pf + proxy pipeline on both Linux and macOS, covering SOCKS5, HTTP CONNECT, DNS forwarding, and port-selective redirect.</p>
+        </div>
       </div>
     </div>
   </section>
diff --git a/docs/index_zh.html b/docs/index_zh.html
@@ -859,6 +859,10 @@ <h3>系统服务</h3>
           <h3>异步 I/O</h3>
           <p>基于 tokio 构建，为每个连接生成独立任务。通过双向中继高效处理大量并发连接。</p>
         </div>
+        <div class="feature">
+          <h3>端到端测试</h3>
+          <p>完整的端到端测试套件在 Linux 和 macOS 上运行真实的 nftables/pf + 代理流水线，覆盖 SOCKS5、HTTP CONNECT、DNS 转发和端口选择性重定向。</p>
+        </div>
       </div>
     </div>
   </section>
