lilendian0x00/xray-knife v10.0.0

Xray-knife v10.0.0

on GitHub

What's New

In short: Added TUN feature and also made proxy command cleaner and improved UX

🌐 Host-Wide TUN Capture (new mode)

• New proxy tun subcommand (Linux only, root). Creates a TUN interface, replaces the host's default route, and forwards every outbound packet through the rotating proxy.
• Captures everything leaving the host — not just apps wired through SOCKS or namespaced via proxy app.
• Safe defaults: TUN CIDR is 198.18.0.0/15 (RFC 2544, won't collide with LAN), RFC1918 private ranges are excluded by default (--tun-include-private to opt in), and --tun-deadman (60s default) auto-tears down the tunnel and restores the original route if you don't press ENTER in time.
• --bind <iface> is required — sing-box pins outbound dials to your physical NIC so the tunnel doesn't loop into itself.
• Catches SIGHUP so a dropped SSH session triggers cleanup before the process dies.

🧭 Subcommand-Based Proxy CLI

• proxy --mode X is gone. Pick one of proxy inbound, proxy system, proxy app, proxy tun.
• Each subcommand exposes only its own flags. proxy --help no longer dumps 33 flags from every mode at once.
• --shell and --namespace show only on proxy app. --tun-* flags show only on proxy tun.
• --bind is now marked required on proxy tun — bad invocations get rejected at parse time, not after half the tunnel is up.

✂️ host-tun → tun Rename

• Subcommand: proxy --mode host-tun → proxy tun.
• Flag prefix: --host-tun-deadman / --host-tun-exclude / --host-tun-name / --host-tun-addr / --host-tun-mtu / --host-tun-include-private → drop the host- prefix.

🪜 Persistent Parent Flags

• --core, --config, --file, --stdin, --addr, --port, --verbose, --insecure moved to the proxy parent.
• They work before or after the subcommand name. Mode-specific flags must come after the subcommand.

📚 Examples and Better Errors

• Every subcommand has an Examples: block.
• The "no configs in database" error now hints at both options: run xray-knife subs fetch --all, or pass --config / --file / --stdin.

🐛 Bug Fixes / Cleanups

• Cross-mode flag validation moved to parse time. Cobra's MarkFlagsMutuallyExclusive and MarkFlagRequired replace the runtime checks that used to live in cmd/proxy/proxy.go:97-145.
• Dangerous flags no longer leak into other modes. --shell, --namespace, and the --tun-* family are structurally scoped to their owning subcommand.

⚡ Improvements

• cmd/proxy/proxy.go shrank from 322 lines to ~56. Common rotation / chain / outbound-net flag wiring extracted into a single cmd/proxy/shared.go.
• --i-might-lose-ssh acknowledgement flag removed. Its job is already done by the deadman switch (--tun-deadman, 60s default), the RFC 2544 default TUN CIDR (198.18.0.0/15), and the default exclusion of RFC1918 ranges.

🔄 Module Path

• Module path bumped: github.com/lilendian0x00/xray-knife/v9 → .../v10 (Go semantic-import rule for v2+ majors).

Migration: swap any xray-knife proxy --mode X invocations for the matching subcommand form. Drop the host- prefix from any tun flag in scripts. The old --mode flag now produces a clear unknown flag: --mode error.