MHSanaei d7f47d8b6a fix(xray): allow private-IP destinations via freedom finalRules ... Xray-core v26.4.17 added a default policy that blocks private IPs in the freedom outbound for vless/vmess/trojan/hysteria/wireguard inbounds, even when the panel's routing rules send traffic to direct (#4420). The legacy ipsBlocked override was deprecated in the same release. Default template now seeds the direct outbound with a finalRules entry that explicitly allows geoip:private, so users who intentionally remove the geoip:private->blocked routing rule actually regain LAN access. Defense in depth is preserved: the routing rule still blocks private IPs by default, so unmodified configs keep the same behavior. OutboundFormModal exposes a Final Rules editor under the Freedom section: per-rule action (allow/block), network, port, IP/CIDR/geoip tags, and an optional blockDelay for block actions.		2026-05-19 15:42:16 +02:00
..
controller	Feat/multi inbound clients (#4469)	2026-05-19 12:20:24 +02:00
entity	Feat/multi inbound clients (#4469)	2026-05-19 12:20:24 +02:00
global	Feat/multi inbound clients (#4469)	2026-05-19 12:20:24 +02:00
job	Feat/multi inbound clients (#4469)	2026-05-19 12:20:24 +02:00
locale	v3	2026-05-10 02:13:42 +02:00
middleware	Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275)	2026-05-13 12:52:52 +02:00
network	docs: add comments for all functions	2025-09-20 09:35:50 +02:00
runtime	Feat/multi inbound clients (#4469)	2026-05-19 12:20:24 +02:00
service	fix(xray): allow private-IP destinations via freedom finalRules	2026-05-19 15:42:16 +02:00
session	Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275)	2026-05-13 12:52:52 +02:00
translation	Feat/multi inbound clients (#4469)	2026-05-19 12:20:24 +02:00
websocket	fix(websocket): order register/unregister via single ops channel	2026-05-19 12:34:53 +02:00
web.go	Make HSTS policy configurable if https is enabled (#4462)	2026-05-19 14:28:05 +02:00