From 7ad848cb77fa96f08e0d5b39fe6b796bd196d5b8 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Fri, 1 Sep 2023 17:34:47 +0100
Subject: [PATCH] add service to enable packet forwarding
might be worth looking into adding RA config to this
---
 examples/extneder.nix | 4 +++-
 examples/rotuer.nix | 17 +----------------
 modules/network/default.nix | 14 ++++++++++++++
 modules/network/forward.nix | 21 +++++++++++++++++++++
 vanilla-configuration.nix | 11 +---------
 5 files changed, 40 insertions(+), 27 deletions(-)
 create mode 100644 modules/network/forward.nix
diff --git a/examples/extneder.nix b/examples/extneder.nix
index 7d25715..0e557ad 100644
--- a/examples/extneder.nix
+++ b/examples/extneder.nix
@@ -43,7 +43,9 @@ in rec {
 IP6_NF_IPTABLES = "y"; # do we still need these
 IP_NF_IPTABLES = "y"; # if using nftables directly
- # these are copied from rotuer and need review
+ # these are copied from rotuer and need review.
+ # we're not running a firewall, so why do we need
+ # nftables config?
 IP_NF_NAT = "y";
 IP_NF_TARGET_MASQUERADE = "y";
 NETFILTER = "y";
diff --git a/examples/rotuer.nix b/examples/rotuer.nix
index eef0748..1bbab7d 100644
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@@ -156,22 +156,7 @@ in rec {
 ruleset = import ./rotuer-firewall.nix;
 };
- services.packet_forwarding =
- let
- ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
- ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
- in oneshot {
- name = "let-the-ip-flow";
- up = ''
- echo 1 > ${ip4}
- echo 1 > ${ip6}
- '';
- down = ''
- echo 0 > ${ip4};
- echo 0 > ${ip6};
- '';
- dependencies = [ services.firewall ];
- };
+ services.packet_forwarding = svc.network.forward.build { };
 services.dhcp6 =
 let
diff --git a/modules/network/default.nix b/modules/network/default.nix
index 81c4f08..ef3b95f 100644
--- a/modules/network/default.nix
+++ b/modules/network/default.nix
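Review bot: The replacement `services.packet_forwarding = svc.network.forward.build { };` drops the `dependencies = [ services.firewall ]` that the removed definition carried, and neither the new `forward` options in modules/network/default.nix nor the `oneshot` in modules/network/forward.nix accept or set a dependency, so nothing now orders forwarding after the nftables ruleset is loaded. On this router that leaves a window at boot where both address families forward with no filtering in place, and the reverse ordering on shutdown is equally unconstrained. I would add a `dependencies` option to the service definition in default.nix (a list of services with an empty default; only `liminix.lib.types.service` is visible on this page, so the exact list type needs confirming), thread it through forward.nix as `{ enableIPv4, enableIPv6, dependencies }:` with `inherit dependencies;` inside the `oneshot { … }`, and call it here as `svc.network.forward.build { dependencies = [ services.firewall ]; }`. The removed `oneshot` already passed `dependencies`, so the attribute is known to be accepted.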
@@ -24,6 +24,9 @@ in {
 route = mkOption {
 type = liminix.lib.types.serviceDefn;
 };
+ forward = mkOption {
+ type = liminix.lib.types.serviceDefn;
+ };
 dhcp = {
 client = mkOption {
 # this needs to move to its own service as it has
@@ -108,6 +111,17 @@ in {
 };
 };
+ forward = liminix.callService ./forward.nix {
+ enableIPv4 = mkOption {
+ type = types.bool;
+ default = true;
+ };
+ enableIPv6 = mkOption {
+ type = types.bool;
+ default = true;
+ };
+ };
 dhcp.client = liminix.callService ./dhcpc.nix {
 interface = mkOption {
 type = liminix.lib.types.service;
diff --git a/modules/network/forward.nix b/modules/network/forward.nix
new file mode 100644
index 0000000..e6eaa7e
--- /dev/null
+++ b/modules/network/forward.nix
@@ -0,0 +1,21 @@
+{
+ liminix
+, ifwait
+, serviceFns
+, lib
+}:
+{ enableIPv4, enableIPv6 }:
+let
+ inherit (liminix.services) oneshot;
+ ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
+ ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
+ opt = lib.optionalString;
+ sysctls = b :
+ ""
+ + opt enableIPv4 "echo ${b} > ${ip4}\n"
+ + opt enableIPv6 "echo ${b} > ${ip6}\n";
+in oneshot {
+ name = "forwarding${opt enableIPv4 "4"}${opt enableIPv6 "6"}";
+ up = sysctls "1";
+ down = sysctls "0";
+}
diff --git a/vanilla-configuration.nix b/vanilla-configuration.nix
index e1da819..d72e1a1 100644
--- a/vanilla-configuration.nix
+++ b/vanilla-configuration.nix
@@ -22,16 +22,7 @@ in rec {
 dependencies = [ services.dhcpv4 ];
 };
- services.packet_forwarding =
- let
- iface = services.dhcpv4;
- filename = "/proc/sys/net/ipv4/conf/$(output ${iface} ifname)/forwarding";
- in oneshot {
- name = "let-the-ip-flow";
- up = "echo 1 > $(unknown)";
- down = "echo 0 > $(unknown)";
- dependencies = [iface];
- };
+ services.packet_forwarding = svc.network.forward.build { };
 services.ntp = config.system.service.ntp.build {
 pools = { "pool.ntp.org" = ["iburst"] ; };
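Review bot: The new `enableIPv4` and `enableIPv6` options in the second hunk (@@ -108,6 +111,17) carry a type and a default but no `description`, so a reader of `svc.network.forward` gets no hint that the service flips the global `conf/all/forwarding` sysctl for the whole box rather than a per-interface one. Adding e.g. `description = "write 1 to /proc/sys/net/ipv4/conf/all/forwarding when the service starts and 0 when it stops";` (and the IPv6 counterpart) would make the blast radius obvious at every call site. The neighbouring declarations in this file (`route`, `interface`) also lack descriptions, so the omission is consistent with the file, but a service that changes routing behaviour for every interface is the one most worth documenting.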
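Review bot: `ifwait` and `serviceFns` are declared in the module's first argument set but never referenced in the body, so the header overstates what the service needs; trimming it to `{ liminix, lib }:` keeps it honest. The `oneshot` sets no `dependencies`, which is the ordering gap raised on the examples/rotuer.nix hunk. A short header comment would also help a reader, e.g. `# oneshot that toggles the global forwarding sysctls: writes 1 on up and 0 on down for each enabled address family; with both disabled the up/down scripts are empty`. Note too that if the IPv6 sysctl file is absent (IPv6 not built into the kernel) the redirection in the second `echo` fails; whether `oneshot` treats that as a service failure is not visible here and is worth confirming.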
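Review bot: The new line switches this configuration from a per-interface toggle (the removed `filename` pointed at `/proc/sys/net/ipv4/conf/$(output ${iface} ifname)/forwarding`, even though the old `up`/`down` never actually used it) to the global `conf/all/forwarding` for both IPv4 and IPv6, and it drops `dependencies = [iface]`. If vanilla-configuration has no firewall service — I cannot see one in this hunk — the box now routes between every attached interface as soon as the oneshot runs. Worth a comment at the call site such as `# enables forwarding on every interface (conf/all), v4 and v6; nothing here filters forwarded traffic`, or passing `enableIPv6 = false;` if only v4 was intended, as the old definition only touched ipv4.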