How xray-core handles routing from tun2socks and netfilter DNAT ?

[NBogos]

Hello guys! Just want to know some theory.
My xray-core client setup on openwrt router is:

1. tun2socks using tun adapter with 172.16.0.0/30 network, ip of tun interface is 172.16.0.1.
2. all tcp 80 and 443 traffic redirects by iptables DNAT rule to 172.16.0.2 for tun2socks to handle it.
3. tun2socks acts as socks5 client and send data to xray-core 10808 port, so xray-core view all socks request to connect to 172.16.0.2 only.
   But still xray-core routes all web traffic absolutely correct even if it doesn't see destination ips of servers. The question is: how ? Does xray-core look into TLS SNI that clients in lan's generating or it splice https header and look at request header or how ? And how xray handles plain http traffic with such setup ?

[us254]

This is possible because Xray-core uses a feature called "sniffing".

"Sniffing" is a feature that allows Xray-core to examine or "sniff" the data passing through it, and extract useful information such as the true destination of the data. Specifically, Xray-core can sniff out the domain names from the traffic data.

For HTTPS traffic, Xray-core can look into the Server Name Indication (SNI) field which is part of the TLS handshake, and this field contains the hostname of the server that the client is trying to connect to.

For HTTP traffic, Xray-core can look into the HTTP headers to determine the true destination of the traffic. Specifically, it can look at the "Host" header field, which specifies the domain name of the server that the client is trying to connect to.

This sniffing feature allows Xray-core to route the traffic correctly, even if all incoming connections appear to be destined for 172.16.0.2.