From c110692e6e89d53097e80044c7190c0d240ddaf6 Mon Sep 17 00:00:00 2001
From: chn
Date: Wed, 23 Apr 2025 12:11:19 +0800
Subject: [PATCH] modules.services.xray: use conntrack
---
 devices/srv1/node0/default.nix | 9 +--------
 devices/srv2/node0/default.nix | 3 ---
 modules/services/nginx/default.nix | 1 -
 modules/services/nix-serve.nix | 7 ++-----
 modules/services/samba.nix | 5 -----
 modules/services/sshd/default.nix | 1 -
 modules/services/xray.nix | 31 ++++++++++--------------------
 modules/services/xrdp.nix | 1 -
 8 files changed, 13 insertions(+), 45 deletions(-)
diff --git a/devices/srv1/node0/default.nix b/devices/srv1/node0/default.nix
index 7893d16d..921054c0 100644
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@@ -16,14 +16,7 @@ inputs:
 };
 services =
 {
- xray.client =
- {
- enable = true;
- dnsmasq.extraInterfaces = [ "eno146" ];
- # TODO: remove after swith to conntrack
- v2ray-forwarder.noproxyIps = let inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress; in
- [ (getAddress "srv2") (getAddress "office") ];
- };
+ xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
 beesd."/" = { hashTableSizeMB = 128; threads = 4; };
 xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
 samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
diff --git a/devices/srv2/node0/default.nix b/devices/srv2/node0/default.nix
index 247eb30d..f5d09bf7 100644
--- a/devices/srv2/node0/default.nix
+++ b/devices/srv2/node0/default.nix
@@ -21,9 +21,6 @@ inputs:
 {
 enable = true;
 dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
- # TODO: remove after swith to conntrack
- v2ray-forwarder.noproxyIps = let inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress; in
- [ (getAddress "srv2") (getAddress "office") ];
 };
 beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
 xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index 3a2544d0..e1a02346 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -299,7 +299,6 @@ inputs:
 };
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
- nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ 80 443 ];
 sops.secrets."nginx/maxmind-license" =
 {
 owner = inputs.config.users.users.nginx.name;
diff --git a/modules/services/nix-serve.nix b/modules/services/nix-serve.nix
index 176c1d5e..4e805f83 100644
--- a/modules/services/nix-serve.nix
+++ b/modules/services/nix-serve.nix
@@ -20,10 +20,7 @@ inputs:
 secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
 };
 sops.secrets."store/signingKey" = {};
- nixos.services =
- {
- nginx = { enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
- xray.client.v2ray-forwarder.noproxyTcpPorts = [ 5000 ];
- };
+ nixos.services.nginx =
+ { enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
 };
 }
diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 9d35fece..80bacaf1 100644
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -51,10 +51,5 @@ inputs:
 (inputs.localLib.attrsToList samba.shares));
 };
 };
- nixos.services.xray.client.v2ray-forwarder =
- {
- noproxyTcpPorts = [ 139 445 ];
- noproxyUdpPorts = [ 137 138 ];
- };
 };
 }
diff --git a/modules/services/sshd/default.nix b/modules/services/sshd/default.nix
index 3baf6b6b..f43407b0 100644
--- a/modules/services/sshd/default.nix
+++ b/modules/services/sshd/default.nix
@@ -24,7 +24,6 @@ inputs:
 UsePAM = true;
 };
 };
- nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ 22 ];
 }
 # 如果是服务器,那么启用 motd
 (inputs.lib.mkIf (inputs.config.nixos.model.type == "server")
diff --git a/modules/services/xray.nix b/modules/services/xray.nix
index cb0995c7..9d6c8205 100644
--- a/modules/services/xray.nix
+++ b/modules/services/xray.nix
@@ -19,13 +19,7 @@ inputs:
 };
 hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
 };
- v2ray-forwarder =
- {
- noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
- noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
- noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
- noproxyIps = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
- };
+ v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
 # 是否允许代理来自其它机器的流量(相关端口会被放行)
 allowForward = mkOption { type = types.bool; default = true; };
 };
@@ -247,16 +241,9 @@ inputs:
 [
 "0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
- "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4" "255.255.255.255/32"
+ "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4"
 ];
 loNetStr = builtins.concatStringsSep ", " loNet;
- noproxyPortStr = builtins.concatStringsSep ", " (with xray.client.v2ray-forwarder;
- (
- (builtins.map (p: "tcp . ${builtins.toString p}") noproxyTcpPorts)
- ++ (builtins.map (p: "udp . ${builtins.toString p}") noproxyUdpPorts)
- ));
- noproxyNetStr = builtins.concatStringsSep ", "
- ([ "223.5.5.5" "121.192.178.179" ] ++ xray.client.v2ray-forwarder.noproxyIps);
 noproxyUserStr = builtins.concatStringsSep ", "
 (builtins.map (user: builtins.toString inputs.config.nixos.user.uid.${user})
 (xray.client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
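Review bot: Deleting the `noproxyTcpPorts`, `noproxyUdpPorts` and `noproxyIps` options in the first hunk leaves no migration path: any module or device configuration that still assigns one of them now fails evaluation with a generic undefined-option error instead of a message pointing at the conntrack change. Registering each removed path with `inputs.lib.mkRemovedOptionModule` in this module's imports, e.g. `(inputs.lib.mkRemovedOptionModule [ "nixos" "services" "xray" "client" "v2ray-forwarder" "noproxyTcpPorts" ] "superseded by the conntrack rule in xray.nix")`, gives a clear error at the point of use; the option path is inferred from the `nixos.services.xray.client.v2ray-forwarder.*` assignments this patch removes elsewhere. Whether `inputs.lib` is the nixpkgs lib here is inferred from the `inputs.lib.mkIf` calls in the sshd and xrdp hunks. The enclosing options attribute set starts outside the hunk.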
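Review bot: Dropping `noproxyNetStr` in the second hunk also drops 121.192.178.179 from the bypass set: the replacement `noproxy_net` in the following hunk is hard-coded to `{ 223.5.5.5 }`, so traffic to that address now falls through to the xmu_net/proxy_net/tproxy rules instead of returning early. If that is intended, the commit message should say so; if not, keep the address with `elements = { 223.5.5.5, 121.192.178.179 };`. A one-line comment next to the set naming what 223.5.5.5 is (presumably a resolver that must never be proxied) would also help, since neither the old binding nor the new literal explains it. The `let` block these bindings belong to starts and ends outside the hunk.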
@@ -265,34 +252,36 @@ inputs:
 table inet v2ray
 {
 set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
 set xmu_net { type ipv4_addr; flags interval; }
- set noproxy_net { type ipv4_addr; flags interval; elements = { ${noproxyNetStr} }; }
+ set noproxy_net { type ipv4_addr; flags interval; elements = { 223.5.5.5 }; }
 set noproxy_src_net { type ipv4_addr; flags interval; }
- set noproxy_port { type inet_proto . inet_service; elements = { ${noproxyPortStr} }; }
 set proxy_net { type ipv4_addr; flags interval; elements = { 8.8.8.8 }; }
 chain prerouting
 {
 type filter hook prerouting priority mangle; policy accept;
+ meta l4proto != { tcp, udp } counter return
+
+ # 对于目标地址为本机的新建的流,标记并永不代理
+ fib daddr type local ct state new ct mark set 1 return
+ ct mark 1 return
 ip saddr @noproxy_src_net return
 ip daddr @noproxy_net return
- meta l4proto . th sport @noproxy_port return
 ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } \
 tproxy ip to :${xmuPort} meta mark set 1
 ip daddr @proxy_net meta l4proto { tcp, udp } tproxy ip to :${proxyPort} meta mark set 1
 ip daddr @lo_net return
- meta l4proto { tcp, udp } tproxy to ip :${autoPort} meta mark set 1
+ meta l4proto { tcp, udp } tproxy ip to :${autoPort} meta mark set 1
 return
 }
 chain output
 {
 type route hook output priority mangle; policy accept;
-
+ ct mark 1 return
 meta skuid { ${noproxyUserStr} } return
 ip saddr @noproxy_src_net return
 ip daddr @noproxy_net return
- meta l4proto . th sport @noproxy_port return
 ip daddr @xmu_net meta mark set 1
 ip daddr @proxy_net meta mark set 1
 ip daddr @lo_net return
diff --git a/modules/services/xrdp.nix b/modules/services/xrdp.nix
index 6347581d..e076da6f 100644
--- a/modules/services/xrdp.nix
+++ b/modules/services/xrdp.nix
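Review bot: `fib daddr type local ct state new ct mark set 1 return` only marks flows whose first packet is seen after this ruleset is loaded; a flow that already exists in conntrack when the rules are (re)applied — for instance the SSH session used to run the switch — is in state established with no mark, so it matches neither this rule nor `ct mark 1 return`, and unless one of the earlier bypass rules or `ip daddr @lo_net return` catches it, it reaches the final `tproxy ip to :${autoPort}` rule and the session breaks. Re-setting the mark on every packet of a local-destination flow is harmless, so dropping the state qualifier closes that gap: `fib daddr type local ct mark set 1 return`. The value 1 is now used both as a ct mark (meaning never proxy) and as a packet mark (meaning route to the tproxy socket); a short comment in the nft text noting that the two namespaces are independent would spare the next reader a double-take. The `chain output` block continues past the end of the hunk.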
@@ -17,7 +17,6 @@ inputs:
 openFirewall = true;
 defaultWindowManager = "${inputs.pkgs.plasma-workspace}/bin/startplasma-x11";
 };
- nixos.services.xray.client.v2ray-forwarder.noproxyTcpPorts = [ xrdp.port ];
 }
 (
 inputs.lib.mkIf (xrdp.hostname != null)