Working directory of the OpenGFW service and home of opengfw.user.
(optionally newline-terminated) single-line string
"/var/lib/opengfw"Whether to enable OpenGFW, A flexible, easy-to-use, open source implementation of GFW on Linux .
boolean
falsetrueFile to write the output to instead of systemd.
null or path
null"/var/lib/opengfw/opengfw.log"Format of the logs. logFormatMap
one of "json", "console"
"json""console"Level of the logs. logLevelMap
one of "debug", "info", "warn", "error"
"info""warn"The opengfw package to use.
package
pkgs.opengfwPath to PCAP replay file. In pcap mode, none of the actions in the rules have any effect. This mode is mainly for debugging.
null or path
null"./opengfw.pcap"Rules passed to OpenGFW. Example rules
list of (submodule)
[ ][
{
action = "block";
expr = "string(http?.req?.headers?.host) endsWith \"v2ex.com\"";
name = "block v2ex http";
}
{
action = "block";
expr = "string(socks?.req?.addr) endsWith \"google.com\" && socks?.req?.port == 80";
name = "block google socks";
}
{
action = "modify";
expr = "dns != nil && dns.qr && any(dns.questions, {.name endsWith \"v2ex.com\"})";
modifier = {
args = {
a = "0.0.0.0";
aaaa = "::";
};
name = "dns";
};
name = "v2ex dns poisoning";
}
]Action of the rule. Supported actions
one of "allow", "block", "drop", "modify"
"allow""block"Expr Language expression using analyzers and functions.
string
"dns != nil && dns.qr && any(dns.questions, {.name endsWith \"google.com\"})"Whether to enable logging for the rule.
boolean
truefalseModification of specified packets when using the modify action. Available modifiers
null or (submodule)
nullArguments passed to the modifier.
attribute set
{
a = "0.0.0.0";
aaaa = "::";
}Name of the modifier.
(optionally newline-terminated) single-line string
"dns"Name of the rule.
(optionally newline-terminated) single-line string
"block google dns"Path to file containing OpenGFW rules.
null or path
nullSettings passed to OpenGFW. Example config
null or (submodule)
nullIO settings.
submodule
{ }connmark value for accepted connections
signed integer
1001connmark value for dropped connections
signed integer
1002Set to false if you want to run OpenGFW on FORWARD chain. (e.g. on a router)
boolean
truefalsenfqueue queue number.
signed integer
100200IO queue size.
signed integer
10242048Netlink receive buffer size.
signed integer
41943042097152Set to true if you want to send RST for blocked TCP connections, needs local = false.
boolean
"`!config.services.opengfw.settings.io.local`"falseNetlink send buffer size.
signed integer
41943042097152nftables table name.
string
"opengfw""opengfw2"PCAP replay settings.
submodule
{ }Whether the packets in the PCAP file should be replayed in "real time" (instead of as fast as possible).
boolean
falsetrueThe path to load specific local geoip/geosite db files. If not set, they will be automatically downloaded from Loyalsoldier/v2ray-rules-dat.
submodule
{ }Path to geoip.dat.
null or path
nullPath to geosite.dat.
null or path
nullWorker settings.
submodule
{ }Number of workers. Recommended to be no more than the number of CPU cores
signed integer
48Worker queue size.
signed integer
1632TCP max total bufferd pages per connection.
signed integer
64128TCP max total buffered pages.
signed integer
40968192How long a connection is considered dead when no data is being transferred. Dead connections are purged from TCP reassembly pools once per minute.
string
"10m""5m"UDP max streams.
signed integer
40968192Path to file containing OpenGFW settings.
null or path
nullUsername of the OpenGFW user.
(optionally newline-terminated) single-line string
"opengfw"