From a543394fa8c4882b349d6aeb5943d9dbb53ea2e9 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Thu, 11 May 2023 18:18:52 +0200
Subject: [PATCH] feat: enable ipv6 RA
---
 hosts/common/core/net.nix | 11 +++---
 hosts/common/laptop.nix | 2 ++
 hosts/nom/net.nix | 4 +--
 hosts/ward/net.nix | 72 ++++++++++++++++++++++++++++-----------
 hosts/zackbiene/net.nix | 6 ++--
 modules/microvms.nix | 7 ++--
 6 files changed, 67 insertions(+), 35 deletions(-)
diff --git a/hosts/common/core/net.nix b/hosts/common/core/net.nix
index 3035f0e..a65fe79 100644
--- a/hosts/common/core/net.nix
+++ b/hosts/common/core/net.nix
@@ -57,9 +57,9 @@ in {
 from = "all";
 to = ["local"];
 extraLines = [
- "ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
- "ip protocol icmp icmp type { echo-request, router-advertisement } accept"
- #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept"
+ "ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
+ "ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept"
+ #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6)
 ];
 };
@@ -74,10 +74,7 @@ in {
 };
 };
- systemd.network = {
- enable = true;
- wait-online.anyInterface = true;
- };
+ systemd.network.enable = true;
 # Rename known network interfaces
 extra.networking.renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (nodeSecrets.networking.interfaces or {});
diff --git a/hosts/common/laptop.nix b/hosts/common/laptop.nix
index 84587b5..c471824 100644
--- a/hosts/common/laptop.nix
+++ b/hosts/common/laptop.nix
@@ -1,4 +1,6 @@
 {pkgs, ...}: {
+ systemd.network.wait-online.anyInterface = true;
+
 services = {
 tlp.enable = true;
 physlock.enable = true;
diff --git a/hosts/nom/net.nix b/hosts/nom/net.nix
index 32b38fa..bdaeeea 100644
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@@ -17,14 +17,14 @@
 "10-lan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
- networkConfig.IPv6PrivacyExtensions = "kernel";
+ networkConfig.IPv6PrivacyExtensions = "yes";
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
 "10-wlan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
- networkConfig.IPv6PrivacyExtensions = "kernel";
+ networkConfig.IPv6PrivacyExtensions = "yes";
 dhcpV4Config.RouteMetric = 40;
 dhcpV6Config.RouteMetric = 40;
 };
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 2acefcd..fb7224e 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -7,7 +7,7 @@
 inherit (config.lib.net) cidr;
 net.lan.ipv4cidr = "192.168.100.1/24";
- net.lan.ipv6cidr = "fd01::1/64";
+ net.lan.ipv6cidr = "fd00::1/64";
 in {
 networking.hostId = nodeSecrets.networking.hostId;
@@ -16,6 +16,8 @@ in {
 networks = {inherit (config.systemd.network.networks) "10-wan";};
 };
+ # Create a MACVTAP for ourselves too, so that we can communicate with
+ # other taps on the same interface.
 systemd.network.netdevs."10-lan-self" = {
 netdevConfig = {
 Name = "lan-self";
@@ -30,6 +32,11 @@ in {
 systemd.network.networks = {
 "10-lan" = {
 matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan.mac;
+ # This interface should only be used from attached macvtaps.
+ # So don't acquire a link local address and only wait for
+ # this interface to gain a carrier.
+ networkConfig.LinkLocalAddressing = "no";
+ linkConfig.RequiredForOnline = "carrier";
 extraConfig = ''
 [Network]
 MACVTAP=lan-self
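Review bot: `net.lan.ipv6cidr = "fd00::1/64"` picks a ULA whose 40-bit global ID is all zeros; RFC 4193 expects that ID under fd00::/8 to be generated pseudo-randomly precisely so that two privately numbered networks (this LAN and, say, a VPN peer's) do not collide, and fd00::/64 is the most common non-random choice. The replaced `fd01::1/64` had the same property, so this is not introduced here, but since the prefix is now advertised to every VM via RA it is the moment to pick a random /48 and derive the /64 from it. A short comment at this line recording why the prefix was chosen, or that it is a placeholder, would help, e.g. `# TODO: replace with a randomly generated ULA prefix (RFC 4193)`. The `let` block this line belongs to starts before the hunk.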
@@ -39,35 +46,61 @@ in {
 DHCP = "yes";
 #address = [
 # "192.168.178.2/24"
- # "fd00::1/64"
+ # "fdee::1/64"
 #];
 #gateway = [
 #];
 matchConfig.MACAddress = nodeSecrets.networking.interfaces.wan.mac;
- networkConfig.IPv6PrivacyExtensions = "kernel";
- dhcpV4Config.RouteMetric = 20;
- dhcpV6Config.RouteMetric = 20;
+ networkConfig.IPv6PrivacyExtensions = "yes";
+ linkConfig.RequiredForOnline = "routable";
 };
- "11-lan-self" = {
+ "20-lan-self" = {
 address = [net.lan.ipv4cidr net.lan.ipv6cidr];
 matchConfig.Name = "lan-self";
 networkConfig = {
 IPForward = "yes";
- IPv6PrivacyExtensions = "kernel";
- ConfigureWithoutCarrier = true;
+ IPv6PrivacyExtensions = "yes";
+ IPv6SendRA = true;
 };
- dhcpV4Config.RouteMetric = 10;
- dhcpV6Config.RouteMetric = 10;
+ # Announce a static prefix
+ ipv6Prefixes = [
+ {ipv6PrefixConfig.Prefix = cidr.canonicalize net.lan.ipv6cidr;}
+ ];
+ # Delegate prefix from wan
+ #dhcpPrefixDelegationConfig = {
+ # UplinkInterface = "wan";
+ # Announce = true;
+ # SubnetId = "auto";
+ #};
+ # Provide a DNS resolver
+ ipv6SendRAConfig = {
+ EmitDNS = true;
+ # TODO change to self later
+ #DNS = cidr.ip net.lan.ipv6cidr;
+ DNS = ["2606:4700:4700::1111" "2001:4860:4860::8888"];
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ # Remaining macvtap interfaces should not be touched.
+ "90-macvtap-no-ll" = {
+ matchConfig.Kind = "macvtap";
+ networkConfig.LinkLocalAddressing = "no";
+ linkConfig.ActivationPolicy = "manual";
 };
 };
 networking.nftables.firewall = {
 zones = lib.mkForce {
- lan.interfaces = ["lan"];
+ lan.interfaces = ["lan-self"];
 wan.interfaces = ["wan"];
 };
 rules = lib.mkForce {
+ icmp = {
+ # accept ipv6 router solicit and multicast listener discovery query
+ extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
+ };
+
 masquerade-wan = {
 from = ["lan"];
 to = ["wan"];
@@ -99,6 +132,7 @@ in {
 };
 };
+ # TODO to microvm!
 services.kea = {
 dhcp4 = {
 enable = true;
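Review bot: The new `icmp` rule inside `rules = lib.mkForce { … }` sets only `extraLines`, and because mkForce makes this whole attrset win over every lower-priority definition of `rules`, it does not merge with a same-named rule from hosts/common/core/net.nix — the common rule's `from`/`to` and its echo-request/ND accept lines do not apply on ward at all. Unless the firewall module provides defaults for `from` and `to` (not visible here), the RS/MLD accept line is never attached to any zone; if extending the common rule was the intent, either drop the mkForce on `rules` or restate the zones next to `extraLines`, e.g. `from = "all"; to = ["local"];`. The `rules` attrset continues past the end of the hunk.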
@@ -112,19 +146,22 @@ in {
 renew-timer = 1000;
 rebind-timer = 2000;
 interfaces-config = {
- interfaces = ["lan"];
+ interfaces = ["lan-self"];
 service-sockets-max-retries = -1;
 };
 option-data = [
 {
 name = "domain-name-servers";
+ # TODO pihole self
 data = "1.1.1.1, 8.8.8.8";
 }
 ];
 subnet4 = [
 {
- interface = "lan";
+ interface = "lan-self";
 subnet = cidr.canonicalize net.lan.ipv4cidr;
+ # TODO calculate this automatically, start at 40 or so
+ # to have enough for reservations
 pools = [
 {pool = "192.168.100.20 - 192.168.100.250";}
 ];
@@ -134,6 +171,7 @@ in {
 data = cidr.ip net.lan.ipv4cidr;
 }
 ];
+ # TODO reserve addresses for each VM
 #reservations = [
 # {
 # duid = "aa:bb:cc:dd:ee:ff";
@@ -144,13 +182,9 @@ in {
 ];
 };
 };
- #dhcp6 = {
- # enable = true;
- #};
 };
- systemd.services.kea-dhcp4-server.after = [
- "sys-subsystem-net-devices-lan.device"
- ];
+
+ systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan.device"];
 #extra.wireguard.vms = {
 # server = {
diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix
index 886b790..627a75c 100644
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@@ -20,13 +20,13 @@ in {
 "10-lan1" = {
 DHCP = "yes";
 matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
- networkConfig.IPv6PrivacyExtensions = "kernel";
- dhcpV4Config.RouteMetric = 10;
- dhcpV6Config.RouteMetric = 10;
+ networkConfig.IPv6PrivacyExtensions = "yes";
+ linkConfig.RequiredForOnline = "routable";
 };
 "10-wlan1" = {
 address = [net.iot.ipv4cidr net.iot.ipv6cidr];
 matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
+ linkConfig.RequiredForOnline = "no";
 };
 };
diff --git a/modules/microvms.nix b/modules/microvms.nix
index 1b7adbe..12d87ec 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
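Review bot: `systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan.device"]` still orders the DHCP server on the `lan` parent device, while the same patch moves Kea's `interfaces-config.interfaces` and `subnet4.interface` to `lan-self`; the macvtap is created on top of the parent and can appear later, so this ordering no longer guarantees the interface Kea binds to exists at start. `service-sockets-max-retries = -1` (context in the earlier hunk) makes Kea keep retrying, which masks the mismatch rather than fixing it. Suggest `systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan\\x2dself.device"];` (systemd escapes the hyphen in the device unit name), plus a matching `wants` if the device should be pulled in rather than merely ordered.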
@@ -79,11 +79,10 @@
 matchConfig.Name = vmCfg.linkName;
 DHCP = "yes";
 networkConfig = {
- IPv6PrivacyExtensions = "kernel";
- ConfigureWithoutCarrier = true;
+ IPv6PrivacyExtensions = "yes";
+ IPv6AcceptRA = true;
 };
- dhcpV4Config.RouteMetric = 20;
- dhcpV6Config.RouteMetric = 20;
+ linkConfig.RequiredForOnline = "routable";
 };
 };
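Review bot: `IPv6AcceptRA = true` makes each VM take its default route and SLAAC prefix from any advertisement that reaches its tap, and the common firewall rule in hosts/common/core/net.nix accepts `nd-router-advert` from every zone, so the only thing preventing one guest from being treated as the router by its neighbours is the macvtap mode, which this hunk does not show. Where guests share a segment, a rogue RA from one guest redirects the others' IPv6 traffic (the RFC 6104 problem); if the taps are isolated from each other that assumption should be recorded rather than implicit. A comment on the new line would make the trust boundary explicit, e.g. `# Trusts RAs on this link: only the host's lan-self is expected to advertise (see macvtap mode)`. The network attrset this sits in begins before the hunk.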