rotuer: enable ipv6 forwarding

THOUGHTS.txt

@@ -1879,3 +1879,25 @@ abstraction - and we can't call it any name that nftables uses already
 Mon Jun 19 20:45:48 BST 2023
 
 why is chrony using libedit?
+
+Thu Jun 22 09:52:57 BST 2023
+
+- There is a lot more lua being installed (luac, docs, static
+  libraries etc) than we really need.
+
+- update User docs to include a list of supported  targets
+
+Thu Jun 22 23:43:06 BST 2023
+
+- is there a sysfs to enable ipv6 forwarding?
+- we haven't an ipv4 firewall yet
+
+
+PATH=`echo /nix/store/*nftables*/bin`:$PATH
+nft list ruleset
+
+Thu Jun 22 23:58:58 BST 2023
+
+Looks like we're missing at least one kernel config setting for
+nftables. Would this be a good time to do a derivation for building
+kernel modules?

examples/rotuer-firewall.nix

@@ -3,9 +3,12 @@ let
   accept = expr : "${expr} accept";
   mcast-scope = 8;
   allow-incoming = false;
+in {
   bogons-ip6 = {
     type = "filter";
     family = "ip6";
+    policy = "accept";
+    hook = "prerouting";
     rules = [
       (drop "ip6 saddr ff00::/8") # multicast saddr is illegal
 
@@ -38,7 +41,6 @@ let
     policy = "drop";
     hook = "forward";
     rules = [
-      "jump bogons-ip6"
       (drop "ip6 saddr ::1/128") # loopback address [RFC4291]
       (drop "ip6 daddr ::1/128")
       (drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
@@ -69,7 +71,7 @@ let
       # does this ever get used or does the preceding general udp accept
       # already grab anything that might get here?
       (accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
-      (accept "ip6 nexthdr hip")
+      (accept "ip6 nexthdr 139") #  Host Identity Protocol
 
       ## FIXME no support yet for recs 27-30 Mobility Header
 
@@ -95,18 +97,28 @@ let
       (accept "iifname \"int\" oifname \"ppp0\" ")
     ];
   };
+  input-lan = {
+    type = "filter";
+    family = "ip6";
+
+    rules = [
+      (accept "udp dport 547") # dhcp, could restrict to daddr ff02::1:2
+      (accept "tcp dport 22")
+    ];
+  };
   input-ip6 = {
     type = "filter";
     family = "ip6";
     policy = "drop";
     hook = "input";
     rules = [
-      "jump bogons-ip6"
       (accept "meta l4proto icmpv6")
+      "iifname int jump input-lan"
       (if allow-incoming
        then accept "oifname \"int\" iifname \"ppp0\""
        else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
       )
+      # how does this even make sense in an input chain?
       (accept "oifname \"int\" iifname \"ppp0\"  ct state established,related")
       (accept "iifname \"int\" oifname \"ppp0\" ")
     ];
@@ -116,9 +128,8 @@ let
     type = "filter";
     family = "ip6";
     rules = [
-      "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
+      # this is where you put permitted incoming connections
+      # "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
     ];
   };
-in {
-  inherit input-ip6 forward-ip6 bogons-ip6 incoming-allowed-ip6;
 }

examples/rotuer.nix

@@ -227,21 +227,49 @@ in rec {
   };
 
   services.firewall =
-    let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
+    let
+      script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
+      kmodules = pkgs.kernel-modules.override {
+        kernelSrc  = config.outputs.kernel.src;
+        modulesupport = config.outputs.kernel.modulesupport;
+        kconfig = {
+          NFT_FIB_IPV4 = "m";
+          NFT_FIB_IPV6 = "m";
+          NF_TABLES = "m";
+          NF_CT_PROTO_DCCP = "y";
+          NF_CT_PROTO_SCTP = "y";
+          NF_CT_PROTO_UDPLITE = "y";
+          #          NF_CONNTRACK_FTP = "m";
+          NFT_CT = "m";
+        };
+        targets = [
+          "nft_fib_ipv4"
+          "nft_fib_ipv6"
+        ];
+      };
     in oneshot {
       name = "firewall";
-      up = config;
+      up = ''
+        sh ${kmodules}/load.sh
+        ${script};
+      '';
       down = "${pkgs.nftables}/bin/nft flush ruleset";
     };
 
   services.packet_forwarding =
-    let filename = "/proc/sys/net/ipv4/conf/all/forwarding";
+    let
+      ip4 = "/proc/sys/net/ipv4/conf/all/forwarding";
+      ip6 = "/proc/sys/net/ipv6/conf/all/forwarding";
     in oneshot {
       name = "let-the-ip-flow";
       up = ''
-        echo 1 > ${filename}
+        echo 1 > ${ip4}
+        echo 1 > ${ip6}
+      '';
+      down = ''
+        echo 0 > ${ip4};
+        echo 0 > ${ip6};
       '';
-      down = "echo 0 > ${filename}";
       dependencies = [ services.firewall ];
     };
 

pkgs/default.nix

@@ -54,4 +54,5 @@
   min-copy-closure = callPackage ./min-copy-closure {};
   hi = callPackage ./hi {};
   firewallgen  = callPackage ./firewallgen {};
+  kernel-modules  = callPackage ./kernel-modules {};
 }

pkgs/firewallgen/default.nix

@@ -53,7 +53,7 @@ let
       ({ family, ... } : family)
       (mapAttrsToList (n : v : v // { name = n; }) chains);
 in writeScript name ''
-#!${nftables}/sbin/nft -cf
+#!${nftables}/sbin/nft -f
 
 flush ruleset
 

pkgs/kernel-modules/Makefile

@@ -0,0 +1,3 @@
+
+
+# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o

pkgs/kernel-modules/default.nix

@@ -0,0 +1,50 @@
+{
+  stdenv
+, buildPackages
+, kernelSrc  ? null
+, modulesupport ? null
+, targets ? []
+, kconfig ? {}
+, openssl
+, writeText
+, lib
+}:
+let
+  writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
+in stdenv.mkDerivation {
+  name = "kernel-modules";
+
+  nativeBuildInputs = [buildPackages.stdenv.cc] ++
+                      (with buildPackages.pkgs; [
+                        bc bison flex
+                        openssl
+                        cpio
+                        kmod
+                      ]);
+  CC = "${stdenv.cc.bintools.targetPrefix}gcc";
+  HOST_EXTRACFLAGS = with buildPackages.pkgs;
+    "-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
+  CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
+  ARCH = "mips";  # kernel uses "mips" here for both mips and mipsel
+  KBUILD_BUILD_HOST = "liminix.builder";
+
+  buildPhase = ''
+    cat ${writeConfig "kconfig" kconfig}  > .more-config
+    cat .more-config >> .config
+    make olddefconfig
+    for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
+    # grep =m .config
+    make modules
+  '';
+  src =  modulesupport;
+  installPhase = ''
+    mkdir -p $out/lib/modules/0.0
+    find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
+    depmod -b $out -v 0.0
+    touch $out/load.sh
+    for i in ${lib.concatStringsSep " " targets}; do
+      modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
+    done
+    tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
+  '';
+}

pkgs/kernel/default.nix

@@ -8,15 +8,10 @@
  , src
  , extraPatchPhase ? "echo"
 } :
-let writeConfig = name : config: writeText name
-        (builtins.concatStringsSep
-          "\n"
-          (lib.mapAttrsToList
-            (name: value: (if value == "n" then "# CONFIG_${name} is not set" else "CONFIG_${name}=${value}"))
-            config
-          ));
-    kconfigFile = writeConfig "kconfig" config;
-    inherit lib; in
+let
+  writeConfig = import ./write-kconfig.nix { inherit lib writeText; };
+  kconfigFile = writeConfig "kconfig" config;
+  inherit lib; in
 stdenv.mkDerivation rec {
   name = "kernel";
   inherit src extraPatchPhase;
@@ -101,6 +96,8 @@ stdenv.mkDerivation rec {
     cp vmlinux $out
     mkdir -p $headers
     cp -a include .config $headers/
+    mkdir -p $modulesupport
+    cp modules.* $modulesupport
     make clean modules_prepare
     cp -a . $modulesupport
   '';

pkgs/kernel/write-kconfig.nix

@@ -0,0 +1,11 @@
+{
+  lib
+, writeText
+}:
+name : config: writeText name
+  (builtins.concatStringsSep
+    "\n"
+    (lib.mapAttrsToList
+      (name: value: (if value == "n" then "# CONFIG_${name} is not set" else "CONFIG_${name}=${value}"))
+      config
+    ))