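# Local DPI-bypass module wrapping nfqws from the zapret package.
#
# Exposes its options under config.module.dpi.bypass and defines the
# systemd unit plus (optionally) the nftables/iptables mangle rules that
# steer selected traffic into the NFQUEUE that nfqws listens on.
{
  config,
  inputs,
  lib,
  pkgsMaster, # not referenced in this file; presumably for an overriding package — TODO confirm
  ...
}:
let
  cfg = config.module.dpi.bypass;
  # NOTE(review): `params`, `whitelist`, `blacklist` and `qnum` are interpolated
  # below but are not bound in this `let`; they must come from somewhere not
  # visible here — TODO confirm the module evaluates.
in
{
  # The upstream module is disabled so that its own systemd.services.zapret
  # definition does not collide with the one declared here.
  disabledModules = [ "services/networking/zapret.nix" ];
  # imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      systemd.services.zapret = {
        description = "DPI bypass service";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${params} ${whitelist} ${blacklist} --qnum=${qnum}";
          Type = "simple";
          # NOTE(review): ProtectSystem=strict below mounts /run read-only as
          # well unless RuntimeDirectory=/ReadWritePaths= covers it; confirm
          # that nfqws can actually write this pidfile under the sandbox.
          PIDFile = "/run/nfqws.pid";
          Restart = "always";
          RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. Restarting it at least hourly provided the best experience.

          # Hardening.
          # NOTE(review): no User=/DynamicUser= and no CapabilityBoundingSet=,
          # so nfqws runs as root with the full capability set. Binding an
          # NFQUEUE needs CAP_NET_ADMIN; a bounding set limited to what the
          # binary actually requires would reduce the blast radius of a crash
          # in its packet parser — confirm against nfqws before tightening.
          DevicePolicy = "closed";
          KeyringMode = "private";
          PrivateTmp = true;
          PrivateMounts = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          ProtectProc = "invisible";
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
        };
      };
    }

    # Route system traffic via service for specified ports.
    (lib.mkIf cfg.configureFirewall {
      networking.firewall.extraCommands =
        let
          # In "first" mode only the opening packets (1:6) of a port-80
          # connection are queued; in any other mode every port-80 packet is.
          httpParams = lib.optionalString (
            cfg.httpMode == "first"
          ) "-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6";
          udpPorts = lib.concatStringsSep "," cfg.udpPorts;
        in
        # Each rule skips packets already carrying mark 0x40000000 — presumably
        # the fwmark nfqws sets on the packets it re-injects, which keeps them
        # from being queued a second time (if --dpi-desync-fwmark is overridden
        # in `params`, this mask must change with it — verify).
        # `--queue-bypass` makes the rules fail-open: while nfqws is not
        # listening (stopped, crashed, or across the hourly restart) packets
        # are accepted unmodified rather than dropped, so the bypass is
        # silently inactive rather than blocking traffic.
        # NOTE(review): the TCP rules use `-I` (insert at top) while the UDP
        # rule uses `-A` (append); their position relative to other mangle
        # POSTROUTING rules therefore differs — confirm this is intended.
        ''
          iptables -t mangle -I POSTROUTING -p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass
        ''
        + lib.optionalString (cfg.httpSupport) ''
          iptables -t mangle -I POSTROUTING -p tcp --dport 80 ${httpParams} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass
        ''
        + lib.optionalString (cfg.udpSupport) ''
          iptables -t mangle -A POSTROUTING -p udp -m multiport --dports ${udpPorts} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass
        '';
    })
  ]);
}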