modules.services.xray: fix firewall

devices/pc/default.nix

@@ -105,7 +105,6 @@ inputs:
             ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
           );
         };
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
         acme.cert."debug.mirism.one" = {};
         frpClient =
         {

devices/srv1/node0/default.nix

@@ -55,8 +55,5 @@ inputs:
         options = [ "rbind" ];
       };
     };
-    # without this, tproxy does not work
-    # TODO: why?
-    networking.firewall.trustedInterfaces = [ "eno146" ];
   };
 }

devices/surface/default.nix

@@ -43,7 +43,6 @@ inputs:
               "dispatchcnglobal.yuanshen.com"
             ]);
         };
-        firewall.trustedInterfaces = [ "virbr0" ];
         wireguard =
         {
           enable = true;

devices/xmupc1/default.nix

@@ -57,7 +57,6 @@ inputs:
         snapper.enable = true;
         sshd = { passwordAuthentication = true; groupBanner = true; };
         xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" ];
         smartd.enable = true;
         beesd.instances =
         {

devices/xmupc2/default.nix

@@ -60,7 +60,6 @@ inputs:
         snapper.enable = true;
         sshd = { passwordAuthentication = true; groupBanner = true; };
         xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" ];
         smartd.enable = true;
         beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
         wireguard =

modules/services/default.nix

@@ -3,7 +3,6 @@ inputs:
   imports = inputs.localLib.findModules ./.;
   options.nixos.services = let inherit (inputs.lib) mkOption types; in
   {
-    firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
     smartd.enable = mkOption { type = types.bool; default = false; };
     wallabag.enable = mkOption { type = types.bool; default = false; };
     noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
@@ -16,7 +15,6 @@ inputs:
       inherit (builtins) map listToAttrs toString;
     in mkMerge
     [
-      { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
       (mkIf services.smartd.enable { services.smartd.enable = true; })
       (
         mkIf services.wallabag.enable

modules/services/docker.nix

@@ -33,7 +33,6 @@ inputs:
         storageDriver = "overlay2";
         daemon.settings.dns = [ "1.1.1.1" ];
       };
-      nixos.services.firewall.trustedInterfaces = [ "docker0" ];
     }
   ];
 }

modules/services/wireguard.nix

@@ -41,7 +41,6 @@ inputs:
           firewall =
           {
             allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
-            trustedInterfaces = [ "wireguard" ];
           };
           wireguard.interfaces.wireguard =
           {

modules/services/xray/default.nix

@@ -25,6 +25,8 @@ inputs:
         noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
         noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
       };
+      # 是否允许代理来自其它机器的流量（相关端口会被放行）
+      allowForward = mkOption { type = types.bool; default = true; };
     };
     server = mkOption
     {
@@ -329,6 +331,13 @@ inputs:
           groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
         };
         environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
+        networking.firewall =
+        {
+          allowedTCPPorts = [ 53 ];
+          allowedUDPPorts = [ 53 ];
+          allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
+          allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
+        };
       }
     )
     (

modules/system/security.nix

@@ -43,5 +43,7 @@ inputs:
       sudo.extraConfig = "Defaults pwfeedback";
     };
     systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
+    # needed by xray tproxy if we want to forward traffic from other machine
+    networking.firewall.checkReversePath = false;
   };
 }