
Releases: madeye/trans_proxy

v0.8.0

28 Mar 04:39

What's New

End-to-End Test Suite

Full e2e test infrastructure that exercises the real nftables/pf + proxy pipeline on both Linux and macOS:

  • SOCKS5 tunneling — transparent intercept → SOCKS5 upstream → destination
  • HTTP CONNECT tunneling — same flow via HTTP CONNECT
  • DNS forwarding — DNS forwarder + IP-to-domain mapping verification
  • Port-selective redirect — verifies --ports flag only intercepts specified ports

Tests run in CI on both platforms (GitHub Actions) and locally via Vagrant (Linux) or directly on macOS.

Improved Loop Prevention

Local traffic interception (--local-traffic) no longer requires a dedicated system user:

  • Linux: Uses SO_MARK (fwmark) on outbound sockets; the nftables OUTPUT chain returns early for packets carrying that mark, so the proxy's own upstream connections are not redirected back into it
  • macOS: Uses IP_BOUND_IF to bind outbound sockets to lo0, plus a pass out quick pf rule that lets traffic to the upstream proxy bypass the rdr

The --proxy-user flag is deprecated and ignored. The --fwmark flag (default: 1) controls the mark value on Linux. Setting SO_MARK requires CAP_NET_ADMIN, which the proxy has when started as root; choose a mark value that no other marking rule on the host (VPN clients, policy routing) already uses, since anything carrying that mark is exempt from interception.

SSH Lockout Prevention

Firewall setup scripts now automatically bypass SSH (port 22) to the gateway interface IP, preventing accidental lockout when redirecting all TCP traffic. The bypass covers only port 22 on that interface address; an SSH daemon listening on another port, or a session arriving via a different interface, is still subject to the redirect unless you restrict interception with --ports or add an exclusion of your own.

Other Changes

  • macOS LaunchDaemon wrapper script for pf lifecycle management
  • Port-selective redirection via --ports flag
  • Updated firewall script arguments (fwmark/upstream_proxy instead of proxy_user)

Downloads

File                                 Platform
trans_proxy-v0.8.0-darwin-arm64.zip  macOS (Apple Silicon)
trans_proxy-v0.8.0-linux-amd64.zip   Linux (x86_64)

v0.7.0

20 Mar 00:52

What's New

Local Traffic Interception

trans_proxy can now intercept traffic originating from the gateway machine itself, not just forwarded LAN traffic. Enable with --local-traffic.

Loop prevention uses UID-based exclusion: the proxy runs as a dedicated system user, and firewall rules skip that user's traffic to avoid loops.

  • Linux: nftables OUTPUT chain with meta skuid exclusion
  • macOS: pf pass out route-to (lo0) + rdr on lo0 with user != exclusion

Usage:

# Create the system user first
sudo useradd --system --no-create-home --shell /usr/sbin/nologin trans_proxy

# Install with local traffic interception
sudo trans_proxy --upstream-proxy 127.0.0.1:1082 --dns --local-traffic --install

# Or use a custom user
sudo trans_proxy --upstream-proxy 127.0.0.1:1082 --dns --local-traffic --proxy-user myuser --install

Other Changes

  • macOS service install now deploys pf scripts to /usr/local/lib/trans_proxy/
  • Shared extract_arg/has_flag helpers in service module
  • macOS service uninstall now cleans up the scripts directory

Downloads

File                                 Platform
trans_proxy-v0.7.0-darwin-arm64.zip  macOS (Apple Silicon)
trans_proxy-v0.7.0-linux-amd64.zip   Linux (x86_64)

v0.6.0

18 Mar 08:28

What's New

SOCKS5 Upstream Proxy Support

trans_proxy now supports SOCKS5 (RFC 1928) as an alternative upstream proxy protocol alongside HTTP CONNECT.

Usage:

  • --upstream-proxy socks5://127.0.0.1:1080 — SOCKS5 (no auth)
  • --upstream-proxy socks5://user:pass@127.0.0.1:1080 — SOCKS5 with username/password auth (RFC 1929)
  • --upstream-proxy 127.0.0.1:1082 — HTTP CONNECT (unchanged, backward-compatible)

Details

  • Full SOCKS5 handshake implementation (method negotiation, optional username/password sub-negotiation, CONNECT with domain or IPv4 address types)
  • DoH DNS queries are routed through the SOCKS5 proxy when configured
  • All existing HTTP CONNECT behavior remains unchanged — bare host:port and http://host:port formats continue to work
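
Added example (not part of these release notes or of trans_proxy's code): the client side of the SOCKS5 handshake in Python, covering method negotiation, the RFC 1929 username/password sub-negotiation and a CONNECT request with a domain name or IPv4/IPv6 address, run against an in-memory stand-in for the proxy so both sides of the exchange can be inspected offline. The FakeServer class, its scripted replies and the recv_exact helper are assumptions made for the demo; with a real socket, recv_exact is a loop over recv() until n bytes have arrived.

```python
"""SOCKS5 client handshake (RFC 1928) with optional username/password
sub-negotiation (RFC 1929), exercised against a scripted fake server.
Added example; not trans_proxy's own code."""
import ipaddress
import struct

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class Socks5Error(Exception):
    pass


class FakeServer:
    """In-memory stand-in for a SOCKS5 server (assumption for the demo): it
    replays scripted replies and records every message the client sent."""

    def __init__(self, replies):
        self.inbox = b"".join(replies)
        self.sent = []

    def sendall(self, data):
        self.sent.append(bytes(data))

    def recv_exact(self, n):
        if len(self.inbox) < n:
            raise Socks5Error("server closed the connection early")
        chunk, self.inbox = self.inbox[:n], self.inbox[n:]
        return chunk


def build_greeting(want_auth):
    """VER, NMETHODS, METHODS: offer NO_AUTH and, if we hold credentials, USERPASS."""
    methods = bytes([NO_AUTH, USERPASS]) if want_auth else bytes([NO_AUTH])
    return bytes([VER, len(methods)]) + methods


def build_connect(host, port):
    """CONNECT request. IP literals use ATYP 1/4; anything else is sent as a
    domain name so the proxy resolves it and no DNS lookup leaks locally."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        raw = host.encode("idna")
        if not 1 <= len(raw) <= 255:
            raise Socks5Error("domain name length out of range")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def read_reply_addr(srv):
    """Parse the BND.ADDR/BND.PORT trailer of a CONNECT reply."""
    atyp = srv.recv_exact(1)[0]
    if atyp == ATYP_IPV4:
        addr = str(ipaddress.IPv4Address(srv.recv_exact(4)))
    elif atyp == ATYP_IPV6:
        addr = str(ipaddress.IPv6Address(srv.recv_exact(16)))
    elif atyp == ATYP_DOMAIN:
        addr = srv.recv_exact(srv.recv_exact(1)[0]).decode("idna")
    else:
        raise Socks5Error(f"unknown address type {atyp:#x}")
    return addr, struct.unpack("!H", srv.recv_exact(2))[0]


def socks5_connect(srv, host, port, username=None, password=None):
    """Run the full client side and return the (BND.ADDR, BND.PORT) the proxy
    reports. Any deviation from the protocol raises Socks5Error."""
    srv.sendall(build_greeting(username is not None))
    ver, method = srv.recv_exact(2)
    if ver != VER or method == NO_ACCEPTABLE:
        raise Socks5Error("no acceptable authentication method")
    if method == USERPASS:
        if username is None:
            raise Socks5Error("proxy demands credentials we do not have")
        u, p = username.encode(), (password or "").encode()
        if len(u) > 255 or len(p) > 255:
            raise Socks5Error("credentials too long for RFC 1929")
        srv.sendall(bytes([0x01, len(u)]) + u + bytes([len(p)]) + p)
        sub_ver, status = srv.recv_exact(2)
        if sub_ver != 0x01 or status != 0x00:
            raise Socks5Error("username/password rejected")
    elif method != NO_AUTH:
        raise Socks5Error(f"proxy chose a method we never offered: {method:#x}")
    srv.sendall(build_connect(host, port))
    ver, rep, _rsv = srv.recv_exact(3)
    bind = read_reply_addr(srv)      # consume the address even on failure
    if ver != VER or rep != 0x00:
        raise Socks5Error(f"CONNECT failed, REP={rep:#x}")
    return bind
```

Two details worth keeping when porting this to a real socket: the client must reject a method the server "selects" that it never offered (a downgrade to NO_AUTH when credentials were required is the classic case), and the reply's BND.ADDR must be consumed before checking REP so the stream stays in sync if the connection is reused for error reporting.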

Downloads

File                                 Platform
trans_proxy-v0.6.0-darwin-arm64.zip  macOS (Apple Silicon)
trans_proxy-v0.6.0-linux-arm64.zip   Linux (ARM64)

v0.5.0

18 Mar 03:31

What's New

  • Route DoH requests through upstream proxy — DNS-over-HTTPS queries are now tunneled through the upstream HTTP CONNECT proxy, ensuring DNS traffic follows the same path as proxied connections
  • Auto-manage nftables rules in systemd service — On Linux, the systemd unit now uses ExecStartPre/ExecStopPost to automatically set up and tear down nftables NAT redirect rules when the service starts and stops
  • Validate nftables setup script inputs — The nftables_setup.sh script now validates that the interface exists and the port is numeric, preventing misconfiguration from swapped arguments
  • Idempotent nftables setup — Running the setup script multiple times no longer creates duplicate rules; existing rules are cleaned up first

Downloads

  • trans_proxy-v0.5.0-darwin-arm64.zip — macOS (Apple Silicon)
  • trans_proxy-v0.5.0-linux-arm64.zip — Linux (aarch64)

v0.4.0

17 Mar 08:00

What's New

Linux Support

  • nftables integration — Uses SO_ORIGINAL_DST getsockopt to recover original destinations from nftables redirect rules
  • nftables scripts: scripts/nftables_setup.sh and scripts/nftables_teardown.sh for easy firewall configuration
  • systemd service: --install / --uninstall now works on Linux via systemd
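
Added example (not part of these release notes or of trans_proxy's code) covering two pieces of the accept path described here and in the v0.8.0 loop-prevention notes above: recovering the original destination of a redirected connection with the SO_ORIGINAL_DST getsockopt, and opening the upstream socket with the loop guard (SO_MARK on Linux, IP_BOUND_IF on macOS) applied before connect(). The socket option numbers are taken from the kernel headers named in the comments; the sample sockaddr_in in demo() is constructed, and the option-list split is a design choice of this example, not the project's.

```python
"""Original-destination recovery plus loop-guard socket options for a
transparent proxy's upstream connection. Added example; not trans_proxy's own
code. Option values: linux/netfilter_ipv4.h, asm-generic/socket.h, macOS
<netinet/in.h>."""
import platform
import socket
import struct

SOL_IP = getattr(socket, "SOL_IP", 0)
SO_ORIGINAL_DST = 80                      # linux/netfilter_ipv4.h; not exported by Python's socket module
SO_MARK = getattr(socket, "SO_MARK", 36)  # asm-generic/socket.h; fallback if the module lacks it
IP_BOUND_IF = 25                          # macOS <netinet/in.h>


def parse_sockaddr_in(buf):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST:
    sin_family is in host byte order, sin_port and sin_addr in network order."""
    if len(buf) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", buf[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", buf[2:4])[0]
    return socket.inet_ntoa(buf[4:8]), port


def original_dst(conn):
    """Ask the kernel where a redirected TCP connection was really headed (Linux)."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def loop_guard_options(system, fwmark=1, lo_index=1):
    """Socket options that keep the proxy's own upstream connection out of the
    redirect: on Linux the socket carries fwmark, so an nftables OUTPUT rule
    `meta mark <fwmark> return` placed ahead of the redirect rule lets it pass;
    on macOS the socket is pinned to lo0, where a `pass out quick` rule for the
    upstream proxy wins over the rdr."""
    if system == "Linux":
        return [(socket.SOL_SOCKET, SO_MARK, fwmark)]
    if system == "Darwin":
        return [(socket.IPPROTO_IP, IP_BOUND_IF, lo_index)]
    raise NotImplementedError(f"no loop guard for {system}")


def connect_upstream(host, port, fwmark=1):
    """Open the upstream socket with the guard applied *before* connect(), so
    the very first SYN already carries the mark / interface binding.
    SO_MARK needs CAP_NET_ADMIN, which is one reason the proxy runs as root."""
    system = platform.system()
    lo_index = socket.if_nametoindex("lo0") if system == "Darwin" else 1
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        for level, opt, value in loop_guard_options(system, fwmark, lo_index):
            s.setsockopt(level, opt, value)
        s.connect((host, port))
    except OSError:
        s.close()
        raise
    return s


def demo():
    """Offline check on a constructed sockaddr_in (93.184.216.34:443) and on
    the option lists; nothing here touches the network or needs root."""
    sample = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 443)
              + socket.inet_aton("93.184.216.34") + b"\x00" * 8)
    return {
        "original_dst": parse_sockaddr_in(sample),
        "linux_opts": loop_guard_options("Linux", fwmark=1),
        "darwin_opts": loop_guard_options("Darwin", lo_index=1),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering matters: if the mark is set after connect() the SYN is already out, unmarked, and the OUTPUT chain redirects the proxy's own connection back to itself. Likewise the `meta mark ... return` rule must come before the redirect rule in the chain, or the mark is never consulted.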

DoH DNS Performance

  • HTTP/2 connection pooling — Persistent multiplexed connection to DoH server
  • TTL-aware DNS cache — Cached responses served in ~0.2ms vs ~150ms for upstream round-trips (810x speedup)
  • Query coalescing — Concurrent queries for the same domain share a single upstream request
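
Added example (not part of these release notes or of trans_proxy's code) of the two behaviours listed above that are easy to get subtly wrong: a TTL-aware cache that hands out the remaining TTL rather than the original one, and coalescing of concurrent lookups for the same name onto a single upstream request. The upstream is a pluggable async callable so the demo runs offline; the (rdata, ttl) record shape, the fake upstream and the injectable clock are assumptions made for this example.

```python
"""TTL-aware DNS cache with query coalescing, built against a pluggable async
upstream so it runs offline. Added example; not trans_proxy's own code."""
import asyncio
import time


class DnsCache:
    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream      # async callable(name, qtype) -> [(rdata, ttl_seconds), ...]
        self.clock = clock            # injectable so the demo can move time forward
        self.entries = {}             # (name, qtype) -> (stored_at, records)
        self.inflight = {}            # (name, qtype) -> Future shared by concurrent askers
        self.upstream_calls = 0

    async def resolve(self, name, qtype="A"):
        key = (name.lower().rstrip("."), qtype)
        now = self.clock()
        cached = self.entries.get(key)
        if cached is not None:
            stored_at, records = cached
            age = int(now - stored_at)
            if age < min(ttl for _, ttl in records):
                # Serve from cache, but with the *remaining* TTL, so downstream
                # caches cannot keep the record longer than the authority allowed.
                return [(rdata, ttl - age) for rdata, ttl in records]
            del self.entries[key]     # expired: fall through and refetch
        if key in self.inflight:
            return await self.inflight[key]   # coalesce onto the lookup already running
        fut = asyncio.get_running_loop().create_future()
        self.inflight[key] = fut
        try:
            self.upstream_calls += 1
            records = await self.upstream(*key)
        except Exception as exc:
            fut.set_exception(exc)    # every coalesced waiter sees the failure too
            raise
        finally:
            del self.inflight[key]
        if records:                   # empty answers are not cached here (no negative caching)
            self.entries[key] = (self.clock(), records)
        fut.set_result(records)
        return records


def demo():
    """50 concurrent lookups for one name, then the same name 120 s and 320 s
    later, against a fake upstream that always answers with TTL 300."""
    fake_now = [1000.0]

    async def fake_upstream(name, qtype):          # constructed stand-in for DoH
        await asyncio.sleep(0.01)                  # stands in for the ~150 ms round trip
        return [("93.184.216.34", 300)]

    cache = DnsCache(fake_upstream, clock=lambda: fake_now[0])

    async def run():
        first = await asyncio.gather(*(cache.resolve("example.com") for _ in range(50)))
        fake_now[0] += 120                         # cache hit, TTL should read 180
        later = await cache.resolve("example.com")
        fake_now[0] += 200                         # past TTL 300: evicted and refetched
        refetched = await cache.resolve("example.com")
        return first[0][0][1], later[0][1], refetched[0][1]

    first_ttl, later_ttl, refetched_ttl = asyncio.run(run())
    return {"upstream_calls": cache.upstream_calls, "first_ttl": first_ttl,
            "later_ttl": later_ttl, "refetched_ttl": refetched_ttl}


if __name__ == "__main__":
    print(demo())
```

The cache key is normalised (lowercased, trailing dot stripped) so "Example.com." and "example.com" share one entry, and the whole RRset expires on its smallest TTL rather than record by record, which keeps the set consistent.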

Other Changes

  • Switched from iptables to nftables for Linux NAT redirect
  • Updated documentation and landing pages for cross-platform support

Downloads

Platform               File
macOS (Apple Silicon)  trans_proxy-v0.4.0-darwin-arm64.zip
Linux (aarch64)        trans_proxy-v0.4.0-linux-arm64.zip

v0.3.0

15 Mar 09:56

What's New

  • Direct DNS on port 53 — DNS forwarder now listens directly on the gateway interface IP (port 53) instead of requiring pf to redirect DNS traffic. Use --dns to enable.
  • Auto-detect interface IP: --dns auto-detects the IP of the specified interface (default en0). Override with --dns-listen.
  • Improved logging — Proxy connections and DNS responses logged at info level. DNS queries, SNI extraction, and tunnel details at debug level.
  • Debug logs compiled out in release — Zero runtime cost for debug logging in release builds.

Usage

# Start with DNS on the gateway interface (auto-detects en0 IP)
sudo trans_proxy --upstream-proxy 127.0.0.1:1082 --dns

# Set up pf (HTTP/HTTPS only — no DNS redirect needed)
sudo scripts/pf_setup.sh en0 8443

Downloads

  • trans_proxy-v0.3.0-darwin-arm64.zip — macOS Apple Silicon binary

v0.2.0

15 Mar 09:10

What's New

  • DNS-over-HTTPS (DoH) support — Upstream DNS queries can now be sent over HTTPS (RFC 8484). Cloudflare DoH (https://cloudflare-dns.com/dns-query) is the new default.
  • Fix multi-client DNS collision — DNS transaction ID collisions between multiple clients no longer cause lost responses.
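
Added example (not part of these release notes or of trans_proxy's code) of the transaction-ID remapping that a forwarder shared by several clients needs: every query in flight upstream gets its own unpredictable 16-bit ID, and the client's original ID is restored on the reply, so two clients that pick the same ID no longer lose a response. The packet layout is plain RFC 1035; the queries, the fake upstream reply and the client addresses in demo() are constructed for the demo.

```python
"""Transaction-ID remapping for a DNS forwarder shared by several clients.
Added example; not trans_proxy's own code."""
import secrets
import struct


class IdTable:
    """Outstanding queries keyed by the ID we used upstream."""

    def __init__(self):
        self.outstanding = {}   # upstream_id -> (client_addr, client_id, question)

    def allocate(self, client_addr, client_id, question):
        if len(self.outstanding) >= 65536:
            raise RuntimeError("no free transaction IDs")
        while True:
            upstream_id = secrets.randbelow(65536)   # random, not sequential: harder to spoof
            if upstream_id not in self.outstanding:
                break
        self.outstanding[upstream_id] = (client_addr, client_id, question)
        return upstream_id

    def release(self, upstream_id):
        return self.outstanding.pop(upstream_id, None)


def question_section(packet):
    """Bytes of the first question (QNAME+QTYPE+QCLASS); used to check that a
    reply answers the query we sent, not merely one with the same ID."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        label_len = packet[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        pos += label_len
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    return packet[12:pos + 4]


def with_id(packet, txid):
    return struct.pack("!H", txid) + packet[2:]


def forward_query(table, client_addr, packet):
    """Rewrite the client's ID and return the packet to send upstream."""
    client_id = struct.unpack("!H", packet[:2])[0]
    upstream_id = table.allocate(client_addr, client_id, question_section(packet))
    return with_id(packet, upstream_id)


def route_response(table, packet):
    """Return (client_addr, reply carrying the client's ID), or None when the
    reply is unsolicited, a duplicate, malformed, or answers a different
    question than we asked. A forwarder drops those instead of delivering them."""
    if len(packet) < 12:
        return None
    upstream_id = struct.unpack("!H", packet[:2])[0]
    entry = table.outstanding.get(upstream_id)
    try:
        question = question_section(packet)
    except ValueError:
        return None
    if entry is None or question != entry[2]:
        return None
    table.release(upstream_id)
    client_addr, client_id, _ = entry
    return client_addr, with_id(packet, client_id)


def build_query(txid, name, qtype=1):
    """Constructed minimal query: RD set, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def demo():
    """Two LAN clients both use ID 0x1234 for different names."""
    table = IdTable()
    client_a, client_b = ("192.168.1.10", 53000), ("192.168.1.11", 53000)
    up_a = forward_query(table, client_a, build_query(0x1234, "example.com"))
    up_b = forward_query(table, client_b, build_query(0x1234, "example.org"))
    # Constructed upstream reply: same ID and question as up_b, QR bit set, RCODE 0
    reply_b = up_b[:2] + b"\x81\x80" + up_b[4:]
    routed = route_response(table, reply_b)
    duplicate = route_response(table, reply_b)
    return {
        "distinct_upstream_ids": up_a[:2] != up_b[:2],
        "dest": routed[0],
        "client_id": struct.unpack("!H", routed[1][:2])[0],
        "duplicate_dropped": duplicate is None,
        "still_pending": len(table.outstanding),
    }


if __name__ == "__main__":
    print(demo())
```

Matching on the question section as well as the ID is cheap and closes most of the gap between "fixes collisions" and "resists spoofed replies"; a full forwarder would additionally check that the reply came from the upstream address and source port it was sent to, and expire stale entries so a lost reply does not pin its ID forever.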

Usage

# DoH (default — Cloudflare)
sudo trans_proxy --upstream-proxy 127.0.0.1:1082 --dns-listen 0.0.0.0:5353

# Custom DoH provider
sudo trans_proxy --upstream-proxy 127.0.0.1:1082 --dns-listen 0.0.0.0:5353 \
  --dns-upstream https://dns.google/dns-query

# Traditional UDP DNS
sudo trans_proxy --upstream-proxy 127.0.0.1:1082 --dns-listen 0.0.0.0:5353 \
  --dns-upstream 8.8.8.8:53

Downloads

  • trans_proxy-v0.2.0-darwin-arm64.zip — macOS Apple Silicon binary

v0.1.0

14 Mar 06:50

Initial Release

Transparent proxy for macOS that intercepts TCP traffic redirected by pf and forwards it through an upstream HTTP CONNECT proxy.

Features

  • pf integration: DIOCNATLOOK ioctl for original destination recovery
  • SNI extraction — Reads hostnames from TLS ClientHello
  • DNS interception — Optional DNS forwarder with IP→domain mapping
  • Daemon mode — Run in background with PID file and log file
  • Anchor-based pf rules — Safe, non-destructive firewall setup
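
Added example (not part of these release notes or of trans_proxy's code) of the SNI extraction listed above: a bounds-checked parser that walks a TLS ClientHello down to the server_name extension (RFC 6066) and returns the host_name, which is how a transparent proxy learns the hostname of a redirected HTTPS connection when it has no DNS mapping for the destination IP. build_client_hello() constructs a minimal ClientHello for the demo and is an assumption of this example; real clients send far larger hellos, occasionally split across TLS records, which this single-record parser reports as truncation.

```python
"""Pull the server_name (RFC 6066) out of a TLS ClientHello. Added example;
not trans_proxy's own code."""
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SERVER_NAME, SNI_HOST_NAME = 0x0000, 0x00


def _take(buf, pos, n):
    """Slice n bytes at pos or raise; every length field is checked against
    the enclosing structure, never trusted on its own."""
    if pos + n > len(buf):
        raise ValueError("ClientHello truncated or length field out of range")
    return buf[pos:pos + n], pos + n


def _u16(b):
    return struct.unpack("!H", b)[0]


def extract_sni(record):
    """Return the lowercased host_name from a ClientHello, or None if it has
    no server_name extension. Raises ValueError for anything that is not a
    well-formed ClientHello contained in a single TLS record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, 5, _u16(record[3:5]))
    hdr, pos = _take(body, 0, 4)
    if hdr[0] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hello, _ = _take(body, pos, int.from_bytes(hdr[1:4], "big"))
    _, pos = _take(hello, 0, 2 + 32)                 # client_version, random
    sid_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, sid_len[0])           # session_id
    cs_len, pos = _take(hello, pos, 2)
    _, pos = _take(hello, pos, _u16(cs_len))         # cipher_suites
    cm_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, cm_len[0])            # compression_methods
    if pos == len(hello):
        return None                                  # no extensions block at all
    ext_len, pos = _take(hello, pos, 2)
    exts, _ = _take(hello, pos, _u16(ext_len))
    p = 0
    while p < len(exts):
        ehdr, p = _take(exts, p, 4)
        etype, elen = struct.unpack("!HH", ehdr)
        data, p = _take(exts, p, elen)
        if etype != EXT_SERVER_NAME:
            continue
        list_len, q = _take(data, 0, 2)
        names, _ = _take(data, q, _u16(list_len))
        q = 0
        while q < len(names):
            nhdr, q = _take(names, q, 3)
            name, q = _take(names, q, _u16(nhdr[1:3]))
            if nhdr[0] == SNI_HOST_NAME:
                host = name.decode("ascii")          # non-ASCII is a ValueError subclass
                if not host or host != host.strip() or host.endswith("."):
                    raise ValueError("malformed host_name")
                return host.lower()
    return None


def build_client_hello(host=None):
    """Constructed minimal TLS 1.2-framed ClientHello with one cipher suite and,
    if host is given, a server_name extension (demo input only)."""
    exts = b""
    if host is not None:
        h = host.encode("ascii")
        name = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(h)) + h
        sni = struct.pack("!H", len(name)) + name
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session_id
             + b"\x00\x02\x13\x01"                            # one suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                    # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(extract_sni(build_client_hello("Example.com")))   # example.com
```

Two caveats when using the result for policy or logging: the SNI is client-supplied and unauthenticated, so it identifies what the client asked for, not what the server proved it is; and with Encrypted Client Hello the outer SNI is a cover name, so a missing or generic value is expected, not an error.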

Quick Start

sudo ./trans_proxy --upstream-proxy 127.0.0.1:1082 --dns-listen 0.0.0.0:5353 -d
sudo scripts/pf_setup.sh en0 8443 5353

Binary

  • trans_proxy-v0.1.0-darwin-arm64.zip — macOS ARM64 binary with setup/teardown scripts