From b7459ffbaa38424d952ab8474ce3089d4cf78d24 Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Wed, 22 Jan 2025 15:36:34 +0300
Subject: [PATCH] Home: Better dpi params.
---
config/Dpi.nix | 77 ++++--------------------------
host/x86_64-linux/home/default.nix | 11 ++---
2 files changed, 12 insertions(+), 76 deletions(-)
diff --git a/config/Dpi.nix b/config/Dpi.nix
index 19a9e6c..c4cb789 100644
--- a/config/Dpi.nix
+++ b/config/Dpi.nix
@@ -1,81 +1,20 @@ { config, + inputs, lib, - pkgs, ... }: let cfg = config.module.dpi.bypass; - - whitelist = lib.optionalString ( - (builtins.length cfg.whitelist) != 0 - ) "--hostlist ${pkgs.writeText "zapret-whitelist" (lib.concatStringsSep "\n" cfg.whitelist)}"; - - blacklist = - lib.optionalString ((builtins.length cfg.blacklist) != 0) - "--hostlist-exclude ${pkgs.writeText "zapret-blacklist" (lib.concatStringsSep "\n" cfg.blacklist)}"; - - params = lib.concatStringsSep " " cfg.params; - - qnum = toString cfg.qnum; in { disabledModules = [ "services/networking/zapret.nix" ]; - # imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ]; + imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ]; - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - { - systemd.services.zapret = { - description = "DPI bypass service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = "${cfg.package}/bin/nfqws --pidfile=/run/nfqws.pid ${params} ${whitelist} ${blacklist} --qnum=${qnum}"; - Type = "simple"; - PIDFile = "/run/nfqws.pid"; - Restart = "always"; - RuntimeMaxSec = "1h"; # This service loves to crash silently or cause network slowdowns. It also restarts instantly. Restarting it at least hourly provided the best experience. - - # Hardening. - DevicePolicy = "closed"; - KeyringMode = "private"; - PrivateTmp = true; - PrivateMounts = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - ProtectProc = "invisible"; - RemoveIPC = true; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - }; - }; - } - # Route system traffic via service for specified ports. 
- (lib.mkIf cfg.configureFirewall { - networking.firewall.extraCommands = - let - httpParams = lib.optionalString ( - cfg.httpMode == "first" - ) "-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6"; - - udpPorts = lib.concatStringsSep "," cfg.udpPorts; - in - '' - ip46tables -t mangle -I POSTROUTING -p tcp --dport 443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass - '' - + lib.optionalString (cfg.httpSupport) '' - ip46tables -t mangle -I POSTROUTING -p tcp --dport 80 ${httpParams} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass - '' - + lib.optionalString (cfg.udpSupport) '' - ip46tables -t mangle -A POSTROUTING -p udp -m multiport --dports ${udpPorts} -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num ${qnum} --queue-bypass - ''; - }) - ] - ); + config = lib.mkIf cfg.enable { + services.zapret = { + enable = true; + inherit (cfg) package params whitelist blacklist qnum configureFirewall httpSupport httpMode udpSupport udpPorts; + }; + }; } diff --git a/host/x86_64-linux/home/default.nix b/host/x86_64-linux/home/default.nix index 534cc10..2bb6d20 100644 --- a/host/x86_64-linux/home/default.nix +++ b/host/x86_64-linux/home/default.nix @@ -22,19 +22,16 @@ enable = true; udpSupport = true; params = [ - "--dpi-desync=fake,disorder2" - - "--dpi-desync-ttl=1" - "--dpi-desync-autottl=2" - - "--dpi-desync-ttl6=1" - "--dpi-desync-autottl6=2" + "--dpi-desync=multisplit" + "--dpi-desync-split-pos=10,midsld" + "--dpi-desync-split-seqovl=1" "--dpi-desync-any-protocol" ]; whitelist = [ "youtube.com" "googlevideo.com" + "google.com" "ytimg.com" "youtu.be" "m.youtube.com"
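Review bot: The switch to the upstream module drops the hand-written unit's sandboxing (ProtectSystem=strict, ProtectHome, ProtectKernelModules/Tunables, RestrictNamespaces, RestrictSUIDSGID, SystemCallArchitectures=native, DevicePolicy=closed, ...) and the hourly `RuntimeMaxSec` restart, and nothing in the new `services.zapret` block reinstates them; whether the nixpkgs-master zapret module applies comparable hardening cannot be seen from this hunk. nfqws consumes raw packets handed to it via NFQUEUE, so this is precisely the service where that sandbox earns its keep. I would confirm the effective unit with `systemd-analyze security zapret` after the switch and, for any directive the upstream module does not set, apply it alongside `services.zapret` inside the same `lib.mkIf cfg.enable` block as sketched below, keeping the old inline comment that explains why the hourly restart exists. Note also that the module is now pulled from `inputs.nixpkgsMaster`, so the option names forwarded via `inherit (cfg) …` are only as stable as whatever that input is locked to in flake.lock.
```nix
  config = lib.mkIf cfg.enable {
    services.zapret = {
      # … unchanged: enable = true; inherit (cfg) … ;
    };
    # Re-apply the sandboxing the former hand-written unit had; remove any
    # key the upstream module already sets (check: systemd-analyze security zapret).
    systemd.services.zapret.serviceConfig = {
      RuntimeMaxSec = "1h"; # nfqws tends to crash silently / slow the network; hourly restart worked best.
      DevicePolicy = "closed";
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictNamespaces = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
    };
  };
```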