modules.services.xray: use conntrack

2026-01-11 17:29:30 +08:00 · 2025-04-23 12:11:19 +08:00
parent fdf6f791d2
commit c110692e6e
8 changed files with 13 additions and 45 deletions
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@@ -16,14 +16,7 @@ inputs:
      };
      services =
      {
-        xray.client =
-        {
-          enable = true;
-          dnsmasq.extraInterfaces = [ "eno146" ];
-          # TODO: remove after swith to conntrack
-          v2ray-forwarder.noproxyIps = let inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress; in
-            [ (getAddress "srv2") (getAddress "office") ];
-        };
+        xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
        beesd."/" = { hashTableSizeMB = 128; threads = 4; };
        xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
        samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
--- a/devices/srv2/node0/default.nix
+++ b/devices/srv2/node0/default.nix
@@ -21,9 +21,6 @@ inputs:
        {
          enable = true;
          dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
-          # TODO: remove after swith to conntrack
-          v2ray-forwarder.noproxyIps = let inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress; in
-            [ (getAddress "srv2") (getAddress "office") ];
        };
        beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
        xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -299,7 +299,6 @@ inputs:
          };
        };
        networking.firewall.allowedTCPPorts = [ 80 443 ];
-        nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ 80 443 ];
        sops.secrets."nginx/maxmind-license" =
        {
          owner = inputs.config.users.users.nginx.name;
--- a/modules/services/nix-serve.nix
+++ b/modules/services/nix-serve.nix
@@ -20,10 +20,7 @@ inputs:
        secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
      };
      sops.secrets."store/signingKey" = {};
-      nixos.services =
-      {
-        nginx = { enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
-        xray.client.v2ray-forwarder.noproxyTcpPorts = [ 5000 ];
-      };
+      nixos.services.nginx =
+        { enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
    };
 }
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -51,10 +51,5 @@ inputs:
            (inputs.localLib.attrsToList samba.shares));
      };
    };
-    nixos.services.xray.client.v2ray-forwarder =
-    {
-      noproxyTcpPorts = [ 139 445 ];
-      noproxyUdpPorts = [ 137 138 ];
-    };
  };
 }
--- a/modules/services/sshd/default.nix
+++ b/modules/services/sshd/default.nix
@@ -24,7 +24,6 @@ inputs:
          UsePAM = true;
        };
      };
-      nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ 22 ];
    }
    # 如果是服务器，那么启用 motd
    (inputs.lib.mkIf (inputs.config.nixos.model.type == "server")
--- a/modules/services/xray.nix
+++ b/modules/services/xray.nix
@@ -19,13 +19,7 @@ inputs:
        };
        hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
      };
-      v2ray-forwarder =
-      {
-        noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
-        noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
-        noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
-        noproxyIps = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
-      };
+      v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
      # 是否允许代理来自其它机器的流量（相关端口会被放行）
      allowForward = mkOption { type = types.bool; default = true; };
    };
@@ -247,16 +241,9 @@ inputs:
                    [
                      "0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
                      "192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
-                      "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4" "255.255.255.255/32"
+                      "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4"
                    ];
                    loNetStr = builtins.concatStringsSep ", " loNet;
-                    noproxyPortStr = builtins.concatStringsSep ", " (with xray.client.v2ray-forwarder;
-                    (
-                      (builtins.map (p: "tcp . ${builtins.toString p}") noproxyTcpPorts)
-                        ++ (builtins.map (p: "udp . ${builtins.toString p}") noproxyUdpPorts)
-                    ));
-                    noproxyNetStr =  builtins.concatStringsSep ", "
-                      ([ "223.5.5.5" "121.192.178.179" ] ++ xray.client.v2ray-forwarder.noproxyIps);
                    noproxyUserStr = builtins.concatStringsSep ", " (builtins.map
                      (user: builtins.toString inputs.config.nixos.user.uid.${user})
                      (xray.client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
@@ -265,34 +252,36 @@ inputs:
                      table inet v2ray {
                        set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
                        set xmu_net { type ipv4_addr; flags interval; }
-                        set noproxy_net { type ipv4_addr; flags interval; elements = { ${noproxyNetStr} }; }
+                        set noproxy_net { type ipv4_addr; flags interval; elements = { 223.5.5.5 }; }
                        set noproxy_src_net { type ipv4_addr; flags interval; }
-                        set noproxy_port { type inet_proto . inet_service; elements = { ${noproxyPortStr} }; }
                        set proxy_net { type ipv4_addr; flags interval; elements = { 8.8.8.8 }; }

                        chain prerouting {
                          type filter hook prerouting priority mangle; policy accept;
+                          meta l4proto != { tcp, udp } counter return
+
+                          # 对于目标地址为本机的新建的流，标记并永不代理
+                          fib daddr type local ct state new ct mark set 1 return
+                          ct mark 1 return

                          ip saddr @noproxy_src_net return
                          ip daddr @noproxy_net return
-                          meta l4proto . th sport @noproxy_port return
                          ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } \
                            tproxy ip to :${xmuPort} meta mark set 1
                          ip daddr @proxy_net meta l4proto { tcp, udp } tproxy ip to :${proxyPort} meta mark set 1
                          ip daddr @lo_net return
-                          meta l4proto { tcp, udp } tproxy to ip :${autoPort} meta mark set 1
+                          meta l4proto { tcp, udp } tproxy ip to :${autoPort} meta mark set 1

                          return
                        }

                        chain output {
                          type route hook output priority mangle; policy accept;
-
+                          ct mark 1 return
                          meta skuid { ${noproxyUserStr} } return

                          ip saddr @noproxy_src_net return
                          ip daddr @noproxy_net return
-                          meta l4proto . th sport @noproxy_port return
                          ip daddr @xmu_net meta mark set 1
                          ip daddr @proxy_net meta mark set 1
                          ip daddr @lo_net return
--- a/modules/services/xrdp.nix
+++ b/modules/services/xrdp.nix
@@ -17,7 +17,6 @@ inputs:
          openFirewall = true;
          defaultWindowManager = "${inputs.pkgs.plasma-workspace}/bin/startplasma-x11";
        };
-        nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ xrdp.port ];
      }
      (
        inputs.lib.mkIf (xrdp.hostname != null)