docs: add SOCKS5

README.md

@@ -20,7 +20,7 @@ Linux that's in many ways more powerful than the real thing. It's cyber sovereig
 ## Features
 
 - Full IP/TCP reassembly, various protocol analyzers
-    - HTTP, TLS, DNS, SSH, and many more to come
+    - HTTP, TLS, DNS, SSH, SOCKS5, and many more to come
     - "Fully encrypted traffic" detection for Shadowsocks,
       etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
     - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
@@ -103,6 +103,10 @@ to [Expr Language Definition](https://expr-lang.org/docs/language-definition).
       a: "0.0.0.0"
       aaaa: "::"
   expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})
+
+- name: block google.com:80 via SOCKS5
+  action: block
+  expr: string(socks5?.req?.addr) endsWith "google.com" && socks5?.req?.port == 80
 ```
 
 #### Supported actions

README.zh.md

@@ -18,7 +18,7 @@ OpenGFW 是一个 Linux 上灵活、易用、开源的 [GFW](https://zh.wikipedi
 ## 功能
 
 - 完整的 IP/TCP 重组，各种协议解析器
-    - HTTP, TLS, DNS, SSH, 更多协议正在开发中
+    - HTTP, TLS, DNS, SSH, SOCKS5, 更多协议正在开发中
     - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
     - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
     - [开发中] 基于机器学习的流量分类
@@ -99,6 +99,10 @@ workers:
       a: "0.0.0.0"
       aaaa: "::"
   expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})
+
+- name: block google.com:80 via SOCKS5
+  action: block
+  expr: string(socks5?.req?.addr) endsWith "google.com" && socks5?.req?.port == 80
 ```
 
 #### 支持的 action