Move WFP manipulation to strict route

docs/changelog.md

@@ -3,6 +3,7 @@
 * Split bind_address into ipv4 and ipv6
 * Fix WireGuard outbound panic when close
 * Fix macOS Ventura process name match
+* Move WFP manipulation to strict route
 
 #### 1.1-beta12
 

docs/configuration/inbound/tun.md

@@ -93,16 +93,23 @@ Set the default route to the Tun.
 
 #### strict_route
 
-*In Linux*:
-
 Enforce strict routing rules when `auto_route` is enabled:
 
+*In Linux*:
+
 * Let unsupported network unreachable
 * Route all connections to tun
 
 It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will
 not be accessible by others.
 
+*In Windows*:
+
+* Add firewall rules to prevent DNS leak caused by
+  Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+
+It may prevent some applications (such as VirtualBox) from working properly in certain situations.
+
 #### inet4_route_address
 
 Use custom routes instead of default when `auto_route` is enabled.

docs/configuration/inbound/tun.zh.md

@@ -8,7 +8,6 @@
 {
   "type": "tun",
   "tag": "tun-in",
-
   "interface_name": "tun0",
   "inet4_address": "172.19.0.1/30",
   "inet6_address": "fdfe:dcba:9876::1/126",
@@ -47,8 +46,8 @@
   "exclude_package": [
     "com.android.captiveportallogin"
   ],
-
-  ... // 监听字段
+  ...
+  // 监听字段
 }
 ```
 
@@ -94,15 +93,23 @@ tun 接口的 IPv6 前缀。
 
 #### strict_route
 
-*在 Linux 中*:
-
 启用 `auto_route` 时执行严格的路由规则。
 
+*在 Linux 中*:
+
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun
 
 它可以防止地址泄漏，并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作，但你的设备将无法其他设备被访问。
 
+*在 Windows 中*:
+
+* 添加防火墙规则以阻止 Windows
+  的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+  造成的 DNS 泄露
+
+它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。
+
 #### inet4_route_address
 
 启用 `auto_route` 时使用自定义路由而不是默认路由。