#!name= Enable iCloud Private Relay on gateway
#!desc=为终端设备启用iCloud专用代理，需要Surge for macOS启用网关模式。
#!system=mac

[Rule]
# > iCloud Private Relay
# https://developer.apple.com/cn/support/prepare-your-network-for-icloud-private-relay/
# https://mask-api.icloud.com/egress-ip-ranges.csv

# Optimize for Private Relay connections
AND,((PROTOCOL,UDP),(USER-AGENT,Transparent%20network%20proxy%20for%20Apple%20system%20services*),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(DOMAIN,mask-api.icloud.com),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(DOMAIN,mask-api.fe.apple-dns.net),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(DOMAIN,mask.icloud.com),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(DOMAIN,mask.apple-dns.net),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(DOMAIN,mask-h2.icloud.com)),(DEST-PORT,443), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(DOMAIN,mask-t.apple-dns.net),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true
AND,((PROTOCOL,UDP),(IP-CIDR,17.0.0.0/8,no-resolve),(DEST-PORT,443)), DIRECT, interface=en0, allow-other-interface=true

# Allow for network traffic audits
AND,((PROTOCOL,TCP),(USER-AGENT,Transparent%20network%20proxy%20for%20Apple%20system%20services*),(DEST-PORT,443)), Apple
DOMAIN,mask-api.icloud.com, Apple
DOMAIN,mask-api.fe.apple-dns.net, Apple
AND,((PROTOCOL,TCP),(DOMAIN,mask.icloud.com),(DEST-PORT,443)), Apple
AND,((PROTOCOL,TCP),(DOMAIN,mask.apple-dns.net),(DEST-PORT,443)), Apple
AND,((PROTOCOL,TCP),(DOMAIN,mask-h2.icloud.com),(DEST-PORT,443)), Apple
AND,((PROTOCOL,TCP),(DOMAIN,mask-t.apple-dns.net),(DEST-PORT,443)), Apple

[Header Rewrite]
^https?:\/\/p[\d]{1,3}-acsegateway\.icloud\.com header-replace X-MMe-Country TW

[MITM]
hostname = %APPEND% mask-api.icloud.com, mask-api.fe.apple-dns.net, mask.icloud.com, mask.apple-dns.net, p*-acsegateway.icloud.com