snapshot

DataEraserC · DataEraserC · commit 9dab986f5415 · 2026-04-16T01:50:42.000+08:00
diff --git a/hosts/idols-ai/config.dae b/hosts/idols-ai/config.dae
@@ -351,7 +351,114 @@ routing {
 
     # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
     # WAN.
-    pname(git, telegram-desktop) -> proxy
+    pname(NetworkManager, systemd-resolved, dnsmasq, mihomo, netbird, zerotier-one, tailscaled, nekobox_core, sing-box, proxychains4, gg) -> must_direct
+
+    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
+    # forwarded by the proxy.
+    # "dip" means destination IP.
+    dip(224.0.0.0/3, 'ff00::/8') -> direct
+
+    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
+    # private addresses in your proxy host network, modify the below line.
+    dip(geoip:private) -> direct
+
+    ### Write your rules below.
+
+    # --- Core rules ---#
+
+    # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
+    l4proto(udp) && dport(443) -> block
+
+    # Direct access to all Chinese mainland-related IP addresses
+    dip(geoip:cn) -> direct
+    domain(geosite:cn) -> direct
+
+    ### Direct
+    domain(regex:'.+\.edu\.cn$') -> direct
+    domain(keyword:'baidu') -> direct
+    domain(keyword:'bilibili') -> direct
+    domain(keyword:'taobao') -> direct
+    domain(keyword:'alibabadns') -> direct
+    domain(keyword:'alicdn') -> direct
+    domain(keyword:'tbcache') -> direct
+    domain(keyword:'zhihu') -> direct
+    domain(keyword:'douyu') -> direct
+    domain(geosite:cloudflare-cn) -> direct
+
+    # Block ads
+    domain(full:analytics.google.com) -> proxy  # do not block google analytics(console)
+    domain(geosite:category-ads) -> block
+    domain(geosite:category-ads-all) -> block
+
+    # DNS
+    dip(8.8.8.8, 8.8.4.4) -> proxy
+    dip(223.5.5.5, 223.6.6.6) -> direct
+    domain(full:dns.alidns.com) -> direct
+    domain(full:dns.googledns.com) -> proxy
+    domain(full:dns.opendns.com) -> proxy
+
+    # --- Rules for other commonly used sites ---#
+
+    # SSH - tcp port 22 is blocked by many proxy servers.
+    dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy
+
+    ### GitHub / Docker Hub
+    ### randomly select a node from the group for every connection
+    ### to avoid the rate limit of GitHub API and Docker Hub API
+    domain(geosite:github) -> proxy-avoid-rate-limits
+    domain(geosite:docker) -> proxy-avoid-rate-limits
+
+    ### OpenAI
+    domain(geosite:openai) -> proxy
+    domain(regex:'.+\.openai$') -> proxy
+    #domain(geosite:openai) -> sg
+    #domain(regex:'.+\.openai$') -> sg
+
+    ### Gemini
+    domain(suffix: gemini.google.com, suffix: bard.google.com, suffix: ai.google.dev) -> gemini
+
+    # Steam
+    # from https://hky.moe/archives/471/
+    domain(suffix: steamserver.net) -> direct
+    domain(suffix: steamcontent.com) -> direct
+    domain(store.steampowered.com, api.steampowered.com) -> proxy
+    domain(suffix: steampowered.com) -> direct
+    domain(geosite:steam@cn) -> direct
+    domain(geosite:steam) -> proxy
+
+    ### Media
+    domain(geosite:netflix) -> media
+    domain(geosite:youtube) -> media
+
+    ### Proxy
+    domain(suffix: linkedin.com) -> proxy
+    domain(keyword:'linkedin') -> proxy
+    domain(regex:'.+\.linkedin\.com$') -> proxy
+    domain(regex:'.+\.quay\.io$') -> proxy
+    domain(regex:'.+\.notion\.so$') -> proxy
+    domain(regex:'.+\.amazon\.com$') -> proxy
+    domain(regex:'.+\.oracle\.com$') -> proxy
+    domain(regex:'.+\.docker\.com$') -> proxy
+    domain(regex:'.+\.kubernetes\.io$') -> proxy
+    domain(regex:'.+\.nixos\.org$') -> proxy
+
+    domain(geosite:microsoft) -> proxy
+    domain(bing.com) -> proxy
+    domain(geosite:linkedin) -> proxy
+    domain(geosite:twitter) -> proxy
+    domain(geosite:telegram) -> proxy
+    domain(geosite:google) -> proxy
+    domain(geosite:apple) -> proxy
+    domain(geosite:category-container) -> proxy
+    domain(geosite:category-dev) -> proxy
+    domain(geosite:google-scholar) -> proxy
+    domain(geosite:category-scholar-!cn) -> proxy
+
+    # --- Fallback rules ---#
+
+    # Access all other foreign sites
+    domain(geosite:geolocation-!cn) -> proxy
+    !dip(geoip:cn) -> proxy
 
     fallback: direct
 }
