13. Glossary#
This chapter explains terms that appear repeatedly in the Link1 documentation. It is intended for users without Clash/mihomo experience.
Basic Networking#
| Term | Explanation | Impact in Link1 |
|---|
| Client | The program or device that initiates a connection, such as a browser, mobile app, or LAN device | The client sends traffic to Link1, or the traffic is transparently taken over by the system/TUN/router |
| Destination | The domain name or IP the client actually wants to access | Rules determine the outbound path based on the destination |
| Upstream | The proxy/VPN/tunnel server that Link1 connects to | The server/port of an outbound node is usually the upstream address |
| Inbound | The entry point where traffic enters Link1 | mixed-port, tun, redir-port, etc. |
| Outbound | The exit where Link1 connects to the outside | Nodes in proxies or built-in DIRECT/REJECT |
| Explicit proxy | The client actively configures a proxy address | Easiest to verify; commonly uses mixed-port |
| Transparent proxy | The client is unaware of the proxy; traffic is redirected into Link1 by the system/router | Commonly uses redir-port, tproxy-port, tun |
| TUN | Virtual network interface | The system sends IP packets to Link1; suitable for global takeover |
| TCP | Connection-oriented transport protocol | Most web pages and SSH use TCP |
| UDP | Connectionless transport protocol | QUIC, DNS, and some games/voice apps rely on UDP |
| QUIC | Modern transport based on UDP | Used by HTTP/3, Hysteria2, TUIC, etc. |
| SNI | Domain name hint in the TLS handshake | Sniffer and TLS routing may depend on it |
| ALPN | TLS-negotiated application protocol | Affects HTTP/2, HTTP/3, and some proxy protocols |
DNS and Domains#
| Term | Explanation | Impact in Link1 |
|---|
| DNS | Domain Name System | Determines which IP a domain resolves to, and also affects domain rule matching |
| nameserver | Upstream DNS server | Link1 queries domains from it |
| fallback | Backup upstream DNS | Used when the primary upstream fails or a policy matches |
| nameserver-policy | Select DNS upstreams by domain | Split DNS resolution for domestic and overseas domains |
| Fake-IP | Virtual IP assigned to a domain by Link1 | Used under transparent proxying to look up the domain from the virtual IP |
| fake-ip-filter | Domains that do not use Fake-IP | LAN, NTP, and special services usually need to be excluded |
| hosts | Static domain mapping | Forces a domain to resolve to a specified IP |
| DNS hijack | DNS hijacking | Imports DNS queries sent by devices into Link1 |
| Sniffer | Sniffer | Supplements domain information from HTTP/TLS/QUIC traffic |
Routing and Policies#
| Term | Explanation | Impact in Link1 |
|---|
| Rule | A matching condition plus an action | The first matched rule determines where the connection goes |
| action | Result after a rule matches | Can be a node, policy group, DIRECT, or REJECT |
| MATCH | Final catch-all rule | Usually placed last |
| no-resolve | Do not perform extra DNS resolution for the rule | Prevents IP rules from triggering DNS queries |
| RULE-SET | References a rule set | Suitable for large domain/IP rule lists |
| SUB-RULE | Sub-rule flow | Splits complex rules into reusable fragments |
| Policy group | A group of nodes and a selection policy | Rules can send traffic to a policy group |
| select | Manual selection policy group | The user selects a node in the App |
| url-test | Latency test policy group | Automatically selects the node with the lowest test latency |
| fallback | Primary/backup policy group | Selects the first available node in order |
| load-balance | Load balancing policy group | Distributes connections among multiple available nodes |
| relay | Chained policy group | Multi-hop outbound; failure of any hop affects the link |
Providers and Subscriptions#
| Term | Explanation | Impact in Link1 |
|---|
| proxy provider | Node provider | Generates nodes from subscriptions, files, inline configuration, or WARP |
| rule provider | Rule provider | Loads rule sets from remote or local sources |
| health check | Health check | Uses a test URL to determine whether a node is available |
| filter | Node filtering | Keeps a subset of nodes by name |
| exclude-filter | Exclusion filter | Excludes a subset of nodes by name |
| override | Override | Bulk modifies fields of nodes generated by a provider |
| WARP provider | Cloudflare WARP dynamic node provider | Materializes WireGuard/MASQUE candidates |
Protocols and Security#
| Term | Explanation | Impact in Link1 |
|---|
| TLS | Encrypted transport layer | Many proxy protocols rely on the TLS handshake |
| fingerprint | TLS ClientHello fingerprint | Affects how some remotes identify client behavior |
| SNI override | Rewrites the TLS server name | Commonly used for remote certificates and disguised domains |
| skip-cert-verify | Skips certificate verification | Can solve self-signed certificate issues, but reduces security |
| UDP relay | UDP forwarding | Required for DNS, QUIC, games, and similar scenarios |
| SMUX | Multiplexing | Reuses one underlying connection for multiple logical connections |
| dialer-proxy | Front dial proxy | One node connects out through another node |
| interface-name | Bind network interface | Controls the exit path in multi-NIC or router scenarios |
| routing-mark | Linux routing mark | Used with policy routing |
Link1 App and HTTP Engine#
| Term | Explanation | Impact in Link1 |
|---|
| Link1 App | User interface | Manages profiles, connections, policy groups, Providers, logs, and HTTP capture |
| Profile | An applicable configuration | The App can import, validate, switch, and roll back profiles |
| Connection list | Current connection view | View destinations, rules, outbound paths, and errors |
| Rule test | Constructs a virtual connection to test rules | Troubleshoots rule order, metadata, and action |
| HTTP Engine | Layer 7 HTTP processing module | Used for MITM, rewrite, Mock, Capture, and Replay |
| MITM | Man-in-the-middle decryption | Requires the client to trust the CA; should be enabled only for necessary domains |
| CA | Certificate Authority | HTTP Engine MITM needs a CA to generate site certificates |
| Capture | Captures HTTP flow | Records request/response summaries and body previews |
| Replay | Replays HTTP flow | Reproduces captured requests to debug rewrites or Mock |
| Mock | Fakes responses | Returns configured responses directly without accessing the real upstream |
| JQ | JSON processing language | Filters and rewrites JSON body |
| QuickJS | JavaScript execution engine | Executes HTTP Engine script rules |
