Rules - FrankoonG/hy2scale GitHub Wiki
Routing rules let you steer traffic to specific IPs or domains through a chosen exit node. Typical uses:
- send `netflix.com` through your US exit
- send `spotify.com` through your DE exit
- force `8.8.8.8` through a different node than the default route


Routing rules require host network mode with `NET_ADMIN` (full mode). In bridge mode the Rules tab renders a red banner; use per-user `exit_via` on the Users page instead.
The page has two tabs; each tab is a flat list of rules.
Match by destination IP or CIDR.
| Field | Example |
|---|---|
| Targets | `8.8.8.8, 1.1.1.1, 203.0.113.0/24` (one or more, comma-separated) |
| Exit via | `us` (routes traffic to these IPs through the us exit) |
| Name | optional label |
| Enabled | toggle |
Implementation: iptables DNAT pins destination traffic to a transparent proxy socket on the host; the socket then hands the connection off to the relay plane which dials the chosen exit.
Match by hostname (hostname matches are resolved every 60 s).
| Field | Example |
|---|---|
| Targets | `netflix.com, music.apple.com, bilibili.com` |
| Exit via | `us`, `de`, `jp`, … |
The node periodically resolves each domain to a set of IPs and programs the same DNAT pipeline as IP rules; if a domain's IPs change, the rule follows.
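The two paragraphs above (DNAT pins to a transparent proxy socket, and domain rules re-resolved on a timer) are easiest to see as a reconciliation loop. The example below is added here and is not hy2scale's own code: the chain name `HY2_RULES`, the proxy port `12345`, the `hy2scale:<id>` comment tag and the DNS answers are all assumptions. It generates the iptables commands for an IP set, diffs the old and new resolution results so only the changed addresses are touched, keeps existing pins on a failed lookup, and emits matching deletes for disable/stop.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set

# Assumptions, not from the page: a dedicated nat chain for rule entries and a fixed
# transparent-proxy port. The proxy, not the DNAT entry, picks the exit (exit_via).
CHAIN = "HY2_RULES"
PROXY_PORT = 12345


def dnat_cmd(action: str, target: str, rule_id: str, proto: str) -> str:
    """One iptables nat entry; action is '-A' (add) or '-D' (delete).
    The comment tag shows ownership in `iptables -t nat -L` output and lets
    teardown delete exactly the entries this rule created."""
    if not isinstance(target, str):
        raise ValueError(f"target must be a string: {target!r}")
    ipaddress.ip_network(target, strict=False)  # raises ValueError for anything but IP/CIDR
    return (f"iptables -t nat {action} {CHAIN} -d {target} -p {proto} "
            f"-m comment --comment hy2scale:{rule_id} "
            f"-j DNAT --to-destination 127.0.0.1:{PROXY_PORT}")


def reconcile(rule_id: str, proto: str, old: Set[str], new: Set[str]) -> List[str]:
    """Commands that move the live entries from `old` to `new`. Adds are emitted
    before deletes so no destination is briefly covered by neither entry (that gap
    would let traffic slip out via the default route instead of the chosen exit)."""
    cmds = [dnat_cmd("-A", ip, rule_id, proto) for ip in sorted(new - old)]
    cmds += [dnat_cmd("-D", ip, rule_id, proto) for ip in sorted(old - new)]
    return cmds


def system_resolver(domain: str) -> Set[str]:
    """Real resolver (IPv4 only); the demo below injects a constructed table instead."""
    return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}


class DomainRule:
    """A domain rule: its pins are re-derived on every refresh tick (60 s on the page)."""

    def __init__(self, rule_id: str, domains: List[str], exit_via: str, protos=("tcp", "udp")):
        self.rule_id = rule_id
        self.domains = list(domains)
        self.exit_via = exit_via          # consumed by the proxy side, not by the DNAT entry
        self.protos = tuple(protos)
        self.live: Dict[str, Set[str]] = {}   # domain -> IPs currently pinned for it

    def refresh(self, resolve: Callable[[str], Set[str]] = system_resolver) -> List[str]:
        """Re-resolve every domain and return the commands that bring the live set up to date."""
        wanted: Dict[str, Set[str]] = {}
        for d in self.domains:
            try:
                wanted[d] = set(resolve(d))
            except OSError:
                # Transient DNS failure: keep the previous pins rather than tearing them down,
                # otherwise one failed lookup would send the domain's traffic via the default exit.
                wanted[d] = set(self.live.get(d, set()))
        old = set().union(*self.live.values())
        new = set().union(*wanted.values())
        cmds: List[str] = []
        for proto in self.protos:
            cmds += reconcile(self.rule_id, proto, old, new)
        self.live = wanted
        return cmds

    def teardown(self) -> List[str]:
        """Rule disabled or container stopping: delete every entry this rule owns."""
        ips = sorted(set().union(*self.live.values()))
        cmds = [dnat_cmd("-D", ip, self.rule_id, p) for p in self.protos for ip in ips]
        self.live = {}
        return cmds


# Constructed DNS answers for an offline demo (TEST-NET addresses, not real records).
FAKE_DNS: Dict[str, Set[str]] = {"netflix.com": {"198.51.100.10", "198.51.100.11"}}


def fake_resolver(domain: str) -> Set[str]:
    if domain not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {domain}")
    return set(FAKE_DNS[domain])


if __name__ == "__main__":
    rule = DomainRule("r1", ["netflix.com"], "us", protos=("tcp",))
    print("\n".join(rule.refresh(fake_resolver)))        # two -A entries
    FAKE_DNS["netflix.com"] = {"198.51.100.11", "198.51.100.12"}
    print("\n".join(rule.refresh(fake_resolver)))        # one -A, one -D
    print("\n".join(rule.teardown()))                     # two -D entries
```

The add-before-delete order and the keep-on-DNS-failure branch are the two places where a naive implementation silently routes traffic through the wrong exit; the comment tag is what makes `iptables -t nat -L` readable when you are checking for stale entries.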
Same knobs as per-user exit routing:
| Mode | Behaviour |
|---|---|
| Direct | single path |
| Quality | failover across several paths |
| Aggregate | load-balance across paths |
The Rules page follows the same select-then-act pattern as Nodes / Users / TLS:
- Single-click a rule row to select it; a green Edit button appears at the top right of the rule card, between Import and + New Rule.
- The leading checkbox cell is enlarged: clicking anywhere in its padded area toggles the row checkbox (no need to aim at the small input). The body click selects exclusively (single-row replace); checkbox clicks add to multi-select.
- A click on any blank area outside the card body (page heading, the card header strip itself) clears a single-row selection. Multi-select stays sticky; clicks on buttons / inputs / open modals never deselect.
Editing is driven by selection: there's no per-row Edit pencil to aim at.
Check multiple rules to expose the bulk action bar:
- Enable / Disable
- Delete
Like the Users page, the bar collapses into an overflow menu on narrow viewports.
- Export: download the current rule list as JSON.
- Import: bulk-create rules from JSON; matching `id` values overwrite existing rules.
Useful for migrating policy between deployments or keeping a version-controlled backup.
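Because imported targets end up as arguments to iptables, an import path should validate every field before anything is applied. The example below is added here and is not hy2scale's own code; the page only states that rules are JSON with an `id`, so the field names (`targets`, `exit_via`, `name`, `enabled`) and the exit list are assumptions. It parses an export, rejects the whole file if any rule is malformed, and otherwise upserts by `id` exactly as the page describes (matching ids replace in place, new ids are appended).

```python
import ipaddress
import json
import re
from typing import List, Tuple

# Assumed export layout (the page only states that rules are JSON with an `id`):
# {"id": "...", "targets": [...], "exit_via": "us", "name": "...", "enabled": true}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
KNOWN_EXITS = {"us", "de", "jp"}  # constructed; a real node would take this from its exit list


def validate_rule(rule: object, kind: str) -> List[str]:
    """Problems with one imported rule; an empty list means it may be applied.
    kind is 'ip' (IP/CIDR targets) or 'domain' (hostname targets)."""
    if not isinstance(rule, dict):
        return ["rule is not an object"]
    problems: List[str] = []
    if not isinstance(rule.get("id"), str) or not rule["id"].strip():
        problems.append("missing id")
    targets = rule.get("targets")
    if not isinstance(targets, list) or not targets:
        problems.append("targets must be a non-empty list")
    else:
        for t in targets:
            if not isinstance(t, str):
                problems.append(f"target is not a string: {t!r}")
            elif kind == "ip":
                try:
                    ipaddress.ip_network(t, strict=False)
                except ValueError:
                    problems.append(f"not an IP or CIDR: {t!r}")
            elif not DOMAIN_RE.match(t.lower()):
                problems.append(f"not a hostname: {t!r}")
    if rule.get("exit_via") not in KNOWN_EXITS:
        problems.append(f"unknown exit: {rule.get('exit_via')!r}")
    if "enabled" in rule and not isinstance(rule["enabled"], bool):
        problems.append("enabled must be true/false")
    return problems


def import_rules(existing: List[dict], payload: str, kind: str) -> Tuple[List[dict], List[str]]:
    """Upsert by id: a rule whose id already exists replaces it in place, others are appended.
    Nothing is applied unless every rule validates, so a half-bad file cannot leave the
    list half-updated. Returns (new list, errors); on error the list is returned unchanged."""
    try:
        incoming = json.loads(payload)
    except ValueError as exc:
        return list(existing), [f"invalid JSON: {exc}"]
    if not isinstance(incoming, list):
        return list(existing), ["top level must be a list of rules"]
    errors = [f"rule {i}: {p}" for i, r in enumerate(incoming) for p in validate_rule(r, kind)]
    if errors:
        return list(existing), errors
    merged = [dict(r) for r in existing]
    index = {r["id"]: pos for pos, r in enumerate(merged)}
    for r in incoming:
        if r["id"] in index:
            merged[index[r["id"]]] = dict(r)
        else:
            index[r["id"]] = len(merged)
            merged.append(dict(r))
    return merged, []


if __name__ == "__main__":
    # Constructed sample: one existing rule, an import that overwrites it and adds another.
    current = [{"id": "dns", "targets": ["8.8.8.8"], "exit_via": "us", "enabled": True}]
    export = json.dumps([
        {"id": "dns", "targets": ["8.8.8.8", "1.1.1.1"], "exit_via": "de", "enabled": True},
        {"id": "lab", "targets": ["203.0.113.0/24"], "exit_via": "jp", "enabled": False},
    ])
    rules, errs = import_rules(current, export, "ip")
    print(errs or [r["id"] for r in rules])
```

Rejecting the whole file rather than skipping bad entries is deliberate: a partial import of a routing policy can leave some destinations on the wrong exit, which is harder to notice than an import that simply failed.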
On router distributions where iptables is stripped down (iKuai, OpenWrt, etc.) HY2 SCALE falls back to TUN mode: a gVisor-backed TUN device captures raw IP packets, applies the same matching logic in userspace, then forwards through the mesh.
TUN mode preserves end-to-end TCP / UDP sessions, which is useful for latency-sensitive traffic such as Moonlight game streaming that breaks when re-NATed at each hop.
See Router Systems for deployment details.
- Enable `DEBUG=true` to see iptables rule insertion / deletion logs.
- `docker exec <container> iptables -t nat -L` shows the live rule set (host mode).
- Rules are removed cleanly on container stop or when an individual rule is disabled; no stale rules are left behind.