# Traffic rules

## Traffic proxy Rules (Hydra transport)

It's possible to configure how Hydra handles DNS and other traffic. To do so, use `addDnsRule` and `addProxyRule` of `SessionConfig.Builder` when starting a VPN session.

### DNS

Whenever a DNS resolution takes place, it is intercepted by Hydra VPN and domain-based rules may be applied.

Domain-based rules affect how DNS resolution proceeds as well as how subsequent connections to that domain are routed.

Domains may be classified into the types below:

| type     | dns resolution                                                                                                                          |
| -------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| bypass   | The DNS request proceeds in bypass of Hydra VPN. The DNS server is the system-wide one or the one specified in the Hydra configuration. |
| proxy    | No DNS resolution takes place on the client side. The real IP resolved on the server side is returned to the application.              |
| vpn      | No DNS resolution takes place on the client side. The real IP resolved on the server side is returned to the application.              |
| blockDns | No DNS resolution takes place. Connections to this domain never happen. By default 127.0.0.1 is returned.                              |

These rules can be created and added via `SessionConfig.Builder#addDnsRule` with the following methods:

* TrafficRule.Builder.bypass
* TrafficRule.Builder.proxy
* TrafficRule.Builder.blockDns
* TrafficRule.Builder.vpn

Note: `TrafficRule.Builder.blockPkt` should not be used with `addDnsRule`; it is for `addProxyRule`.

**Data sources**

* fromAssets - read a list of domains stored in the application assets
* fromFile - read a list of domains from a file
* fromDomains - pass a list of domains directly
* fromResource - read a list of domains from the application resources

**Domain matching algorithm:**

Domains are searched using a longest prefix matching approach, meaning that the most specific match has the highest priority.

The wildcard "\*" matches any character occurring any number of times.

The character "?" matches any single character (exactly one occurrence).

| key            | entries                                                   | match          |
| -------------- | --------------------------------------------------------- | -------------- |
| www.google.com | <p>www.google.com<br>www.yahoo.com</p>                    | www.google.com |
| www.google.com | <p>www.\*.com<br>www.goog\*.com<br>www.google.com</p>     | www.google.com |
| www.google.com | <p>\*.google.com<br>\*.com</p>                            | \*.google.com  |

If no match for a domain is found, the default domain rule is applied.
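The lookup described above, as an added illustrative model rather than Hydra's own code: each entry is treated as a glob, and among the matching entries the one with the most literal (non-wildcard) characters is taken as the "most specific" match, which is an assumption about how specificity is ranked. The `main` method walks through the three rows of the table above plus a domain that has no entry at all.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative model of the domain lookup described above (added example, not Hydra's code).
// Each entry is a glob: '*' matches any run of characters, '?' exactly one character.
// Among the entries that match, the most specific wins; "most specific" is modelled here
// as the entry with the most literal (non-wildcard) characters, which is an assumption.
public final class DomainRuleMatcher {

    // Translate a glob into an anchored regex; every character other than '*' and '?' is literal.
    static Pattern globToRegex(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (char c : glob.toCharArray()) {
            if (c == '*') sb.append(".*");
            else if (c == '?') sb.append('.');
            else sb.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(sb.append('$').toString(), Pattern.CASE_INSENSITIVE);
    }

    static int literalLength(String glob) {
        int n = 0;
        for (char c : glob.toCharArray()) if (c != '*' && c != '?') n++;
        return n;
    }

    // Returns the winning entry, or null when nothing matches (the caller then applies the default rule).
    public static String match(List<String> entries, String domain) {
        String best = null;
        for (String e : entries) {
            if (globToRegex(e).matcher(domain).matches()
                    && (best == null || literalLength(e) > literalLength(best))) {
                best = e;
            }
        }
        return best;
    }

    public static void main(String[] args) {
        // The three rows of the table above, plus a domain that has no entry at all.
        System.out.println(match(Arrays.asList("www.google.com", "www.yahoo.com"), "www.google.com"));
        System.out.println(match(Arrays.asList("www.*.com", "www.goog*.com", "www.google.com"), "www.google.com"));
        System.out.println(match(Arrays.asList("*.google.com", "*.com"), "www.google.com"));
        System.out.println(match(Arrays.asList("*.google.com"), "example.org"));
    }
}
```

The first three calls reproduce the match column of the table; the last returns null, which is the case where the default domain rule applies.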

### Other

Whenever traffic other than DNS reaches Hydra VPN, domain-based rules are considered first in order to route the content through the correct data path.

Generic rules are applied when no domain rule is associated with the destination IP (e.g. the application connects directly to an IP and no DNS resolution took place beforehand), or when the default domain rule was applied to the respective domain (no particular match for the domain was found at the time of DNS resolution). In other words, domain-based rules always take precedence over generic rules unless no domain rule applied or only the default domain rule applied.

Generic rules are based on any combination of destination IP, destination port and protocol.

These rules can be created and added via `SessionConfig.Builder#addProxyRule` with the following methods:

* TrafficRule.Builder.bypass
* TrafficRule.Builder.proxy
* TrafficRule.Builder.blockPkt
* TrafficRule.Builder.vpn

Note: `TrafficRule.Builder.blockDns` should not be used with `addProxyRule`; it is for `addDnsRule`.

**Data sources:**

* fromIp
* udp
* tcp
* tcpFromIp
* udpFromIp
* any

**Valid combinations for searching (port and/or protocol)**

| prio | ip | proto | port | Example                                         |
| ---- | -- | ----- | ---- | ----------------------------------------------- |
| 1    |    |       | X    | <p>bypass().any(0)<br>bypass().any(1, 1024)</p> |
| 2    |    | X     |      | bypass().udp(0)                                 |
| 3    |    | X     | X    | <p>bypass().tcp(23)<br>bypass().tcp(20,30)</p>  |

**Valid combinations for searching. (IP longest prefix match)**

| prio | ip | proto | port | Example                                                                                         |
| ---- | -- | ----- | ---- | ----------------------------------------------------------------------------------------------- |
| 4    | X  |       |      | bypass().fromIp("100.96.0.0",12)                                                                |
| 5    | X  |       | X    | <p>vpn().fromIp("100.64.0.0",10,22)<br>bypass().fromIp("100.64.0.0",10, 25, 30)</p>             |
| 6    | X  | X     |      | bypass().udpFromIp("100.100.0.0",16)                                                            |
| 7    | X  | X     | X    | <p>proxy().tcpFromIp("100.100.0.0", 16, 23)<br>proxy().tcpFromIp("100.100.0.0", 16, 23, 40)</p> |

**Port Ranges**

Port ranges may be specified wherever a single port is accepted.

Only one port range per rule is allowed, but multiple ranges for the same combination of IP, protocol and rule type can be covered by adding multiple rules (one per port range):

* Use one rule for each range; this is valid because the port ranges do not overlap:

```
bypass().tcp(15, 30)
bypass().tcp(40, 50)
```

* A port range that overlaps an existing port range for the same combination of IP and protocol will NOT be added:

```
bypass().tcp(15,30)
bypass().tcp(25,50) <- NOT valid ! (port range overlaps 1st one)
```

**Method of Blocking**

* blockPkt for TCP: an RST is sent when the SYN packet is first seen
* blockPkt for UDP: an ICMP Destination Unreachable (Port Unreachable) message is sent when the first UDP packet is seen
* blockPkt for non-TCP/UDP traffic: the packet is dropped

### Examples

To bypass local network traffic and keep local network resources accessible, configure an IP mask rule:

```
final SessionConfig.Builder builder = new SessionConfig.Builder();
// All traffic to the 192.168.1.0/24 network goes outside the VPN tunnel.
builder.addProxyRule(TrafficRule.Builder.bypass().fromIp("192.168.1.0", 24));
```
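A fuller configuration, added here as an example (it is not code from the Hydra SDK documentation), that combines domain-based rules with generic rules in one `SessionConfig`. Only builder methods named on this page are used; the argument types assumed for `fromDomains` (a `List<String>`) and `fromAssets` (an asset path), the asset file name and the example domains are assumptions.

```java
import java.util.Arrays;

// Added example (not from the Hydra SDK docs): one SessionConfig that combines domain rules
// with generic rules. Only builder methods named on this page are used; the argument types
// assumed for fromDomains (a List<String>) and fromAssets (an asset path) are assumptions.
public final class TrafficRulesExample {

    public static SessionConfig.Builder configure() {
        final SessionConfig.Builder builder = new SessionConfig.Builder();

        // Domain-based rules (addDnsRule) are consulted first, at DNS resolution time.
        // Tracker domains: no resolution, 127.0.0.1 is returned and no connection is ever made.
        builder.addDnsRule(TrafficRule.Builder.blockDns().fromAssets("blocklist.txt")); // assumed asset name
        // Intranet names resolve via the system resolver and are reached outside the tunnel.
        builder.addDnsRule(TrafficRule.Builder.bypass()
                .fromDomains(Arrays.asList("*.intranet.example", "printer.example")));
        // Every host under the banking domain goes through the VPN; because matching is
        // longest-prefix, "*.bank.example" wins over a less specific "*.example" entry.
        builder.addDnsRule(TrafficRule.Builder.vpn().fromDomains(Arrays.asList("*.bank.example")));

        // Generic rules (addProxyRule) apply when no domain rule matched, e.g. connections
        // made directly to an IP address with no preceding DNS lookup.
        // The local network stays reachable outside the tunnel (IP only, prio 4 in the table).
        builder.addProxyRule(TrafficRule.Builder.bypass().fromIp("192.168.1.0", 24));
        // Cleartext telnet is blocked: the first SYN is answered with RST (proto + port, prio 3).
        builder.addProxyRule(TrafficRule.Builder.blockPkt().tcp(23));
        // Two port ranges on the same proto need two rules and must not overlap;
        // a further bypass().tcp(8050, 8200) would overlap the first one and be rejected.
        builder.addProxyRule(TrafficRule.Builder.bypass().tcp(8000, 8100));
        builder.addProxyRule(TrafficRule.Builder.bypass().tcp(9000, 9100));
        // SSH into the CGNAT range is forced through the tunnel (ip + proto + port, prio 7).
        builder.addProxyRule(TrafficRule.Builder.vpn().tcpFromIp("100.64.0.0", 10, 22));
        return builder;
    }
}
```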

